NT的密码究竟放在哪

根据以前的发现,windowsNT密码虽然不象Windows95那样以简单加密形式包含在一个文件里面,而是一些杂乱的暗码,分别藏在7个不同的地方。这篇最新发表的文章告诉我们WindowsNT密码隐藏的第八个地方。Date: Mon, 22 Feb 1999 11:26:41 +0100
/ H* v3 v) S/ N8 Z
From: Patrick CHAMBET <pchambet@club-internet.fr>
5 d1 t& T  u9 Y( `
To: sans@clark.net
Subject: Alert: IIS 4.0 metabase can reveal plaintext passwords
! |1 g, Y" a  ?% \" _! V& `4 bHi all,
We knew that Windows NT passwords are stored in 7 different places across
the system. Here is a 8th place: the IIS 4.0 metabase.
/ n: O1 {0 c! X- ~. R( bIIS 4.0 uses its own configuration database, named "metabase", which can
be compared to the Windows Registry: the metabase is organised in Hives,
Keys and Values. It is stored in the following file:
/ h9 m! v9 z9 V0 \C:\WINNT\system32\inetsrv\MetaBase.bin
' Y' m0 C$ u! ^' f' y( AThe IIS 4.0 metabase contains these passwords:
- IUSR_ComputerName account password (only if you have typed it in the
MMC)
- IWAM_ComputerName account password (ALWAYS !)
4 s/ D9 v; H6 {" }, y- K- UNC username and password used to connect to another server if one of
  c6 P0 h! |# _" C! o0 iyour virtual directories is located there.
- The user name and password used to connect to the ODBC DSN called
"HTTPLOG" (if you chose to store your Logs into a database).
Note that the usernames are in unicode, clear text, that the passwords are
srambled in the metabase.ini file, and that only Administrators and SYSTEM
, X" h) }: E( ?5 N; Ehave permissions on this file.
BUT a few lines of script in a WSH script or in an ASP page allow to print
these passwords in CLEAR TEXT.
The user name and password used to connect to the Logs DSN could allow a
2 i/ q. ~7 O9 _( Imalicious user to delete traces of his activities on the server.
& y5 w3 O0 R' c; `: cObviously this represents a significant risk for Web servers that allow
logons and/or remote access, although I did not see any exploit of the
problem I am reporting yet. Here is an example of what can be gathered:
" E& `3 |/ l- }4 t5 o/ P1 r' c/ ^"
; I, g  x9 D$ I  M, sIIS 4.0 Metabase
?Patrick Chambet 1998 - pchambet@club-internet.fr
--- UNC User ---
UNC User name: 'Lou'
UNC User password: 'Microsoft'
UNC Authentication Pass Through: 'False'
2 O' M9 K# \  |, E--- Anonymous User ---
( C0 A8 ]* K8 S$ S9 ?" R! M5 M( GAnonymous User name: 'IUSR_SERVER'
Anonymous User password: 'x1fj5h_iopNNsp'
3 v) f3 i6 L" n6 MPassword synchronization: 'False'
--- IIS Logs DSN User ---
ODBC DSN name: 'HTTPLOG'
8 t# q4 r. e/ Q+ I, _7 fODBC table name: 'InternetLog'
ODBC User name: 'InternetAdmin'
; F  |1 j7 A0 |, X3 r5 DODBC User password: 'xxxxxx'
" Q4 O  Y7 v" |4 _4 D, S--- Web Applications User ---
WAM User name: 'IWAM_SERVER'
; n3 l& N8 w' N& qWAM User password: 'Aj8_g2sAhjlk2'
4 h2 y( R( v+ H2 ^! ?# u2 zDefault Logon Domain: ''
"
For example, you can imagine the following scenario:
, o& w7 f* W1 eA user Bob is allowed to logon only on a server hosting IIS 4.0, say
. j# j4 E3 J# D& w/ ^' Oserver (a). He need not to be an Administrator. He can be for example
6 E7 k6 U, ?7 R' h+ y. fan IIS 4.0 Web Site Operator. Then, he launches a WSH script that extracts
, j& D5 m. L* C' Ithe login name and password of the account used to access to a virtual
directory located on another server, say (b).
2 ^  W$ P) l9 y6 NNow, Bob can use these login name and passord to logon on server (b).
& ?' M5 `& T) J6 X1 X" [' BAnd so forth...
( n8 b* u* f) Y2 n1 N4 p& K3 UMicrosoft was informed of this vulnerability.
_______________________________________________________________________
6 R& @2 K1 J3 c8 dPatrick CHAMBET - pchambet@club-internet.fr
MCP NT 4.0
Internet, Security and Microsoft solutions
e-business Services
- I$ R. @: _2 |9 u7 D! z, QIBM Global Services
9 Q. S! s- C! }/ K- J8 ^