Where exactly are NT passwords stored?

Posted on 2011-1-12 21:01:17
According to earlier findings, Windows NT passwords are not kept in a single file in simply encrypted form, as they are on Windows 95; instead they are scrambled ciphertext hidden in 7 different places. This newly published article tells us about the eighth place where Windows NT passwords are hidden.

Date: Mon, 22 Feb 1999 11:26:41 +0100
From: Patrick CHAMBET <pchambet@club-internet.fr>
To: sans@clark.net
Subject: Alert: IIS 4.0 metabase can reveal plaintext passwords

Hi all,

We knew that Windows NT passwords are stored in 7 different places across the system. Here is an 8th place: the IIS 4.0 metabase.

IIS 4.0 uses its own configuration database, named "metabase", which can be compared to the Windows Registry: the metabase is organised in Hives, Keys and Values. It is stored in the following file:

C:\WINNT\system32\inetsrv\MetaBase.bin

The IIS 4.0 metabase contains these passwords:

- IUSR_ComputerName account password (only if you have typed it in the MMC)
- IWAM_ComputerName account password (ALWAYS!)
- UNC username and password used to connect to another server if one of your virtual directories is located there.
- The user name and password used to connect to the ODBC DSN called "HTTPLOG" (if you chose to store your Logs into a database).

Note that the usernames are in unicode, clear text, that the passwords are scrambled in the metabase.ini file, and that only Administrators and SYSTEM have permissions on this file.

BUT a few lines of script in a WSH script or in an ASP page allow one to print these passwords in CLEAR TEXT.

The user name and password used to connect to the Logs DSN could allow a malicious user to delete traces of his activities on the server.

Obviously this represents a significant risk for Web servers that allow logons and/or remote access, although I did not see any exploit of the problem I am reporting yet. Here is an example of what can be gathered:

"
IIS 4.0 Metabase
© Patrick Chambet 1998 - pchambet@club-internet.fr

--- UNC User ---
UNC User name: 'Lou'
UNC User password: 'Microsoft'
UNC Authentication Pass Through: 'False'

--- Anonymous User ---
Anonymous User name: 'IUSR_SERVER'
Anonymous User password: 'x1fj5h_iopNNsp'
Password synchronization: 'False'

--- IIS Logs DSN User ---
ODBC DSN name: 'HTTPLOG'
ODBC table name: 'InternetLog'
ODBC User name: 'InternetAdmin'
ODBC User password: 'xxxxxx'

--- Web Applications User ---
WAM User name: 'IWAM_SERVER'
WAM User password: 'Aj8_g2sAhjlk2'
Default Logon Domain: ''
"
For example, you can imagine the following scenario:

A user Bob is allowed to logon only on a server hosting IIS 4.0, say, server (a). He need not be an Administrator. He can be, for example, an IIS 4.0 Web Site Operator. Then, he launches a WSH script that extracts the login name and password of the account used to access a virtual directory located on another server, say (b).

Now, Bob can use this login name and password to logon on server (b).

And so forth...

Microsoft was informed of this vulnerability.
_______________________________________________________________________
Patrick CHAMBET - pchambet@club-internet.fr
MCP NT 4.0
Internet, Security and Microsoft solutions
e-business Services
IBM Global Services
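An added example, not part of the original post or of Chambet's advisory: a WSH (VBScript) audit script that walks the IIS 4.0 metabase through the IIS ADSI provider and reports where a stored credential is configured (ODBC log DSN user, WAM account, UNC virtual-directory user, manually typed anonymous password), without reading or displaying any password value, so an administrator knows which accounts to rotate or remove and where to tighten ACLs on MetaBase.bin. The ADSI path IIS://localhost/W3SVC and the property names used (LogOdbcDataSource, LogOdbcUserName, WAMUserName, UNCUserName, AnonymousPasswordSync) are assumed from the IIS ADSI provider's metabase schema.

```vbscript
' Added example (not from the original post): inventory stored credentials in
' the IIS 4.0 metabase via the IIS ADSI provider, without touching password values.
' Assumption: property names follow the IIS metabase ADSI schema.
Option Explicit

Dim svc, site, findings
findings = 0

' The W3SVC node holds the service-wide settings (ODBC log DSN, WAM account).
Set svc = GetObject("IIS://localhost/W3SVC")

If Len(svc.LogOdbcDataSource) > 0 Then
    ' Logging to an ODBC DSN means the DSN credential lives in the metabase;
    ' whoever recovers it can alter or delete log rows.
    Report "W3SVC", "ODBC log DSN '" & svc.LogOdbcDataSource & "' uses stored user '" & svc.LogOdbcUserName & "'"
End If
If Len(svc.WAMUserName) > 0 Then
    Report "W3SVC", "WAM account '" & svc.WAMUserName & "' has a stored password (always present)"
End If

' Walk every web site and its virtual directories.
For Each site In svc
    If site.Class = "IIsWebServer" Then Walk site
Next
WScript.Echo findings & " location(s) with stored credentials found."

Sub Walk(node)
    Dim child
    If node.Class = "IIsWebServer" Then
        ' Password sync off means an administrator typed the IUSR password in the MMC.
        If Not node.AnonymousPasswordSync Then
            Report node.ADsPath, "anonymous (IUSR) password entered manually, so it is stored"
        End If
    ElseIf node.Class = "IIsWebVirtualDir" Then
        If Len(node.UNCUserName) > 0 Then
            Report node.ADsPath, "UNC credential for user '" & node.UNCUserName & "' stored (path " & node.Path & ")"
        End If
    End If
    On Error Resume Next   ' leaf objects raise an error on enumeration; skip them
    For Each child In node
        Walk child
    Next
End Sub

Sub Report(where, what)
    findings = findings + 1
    WScript.Echo "[" & findings & "] " & where & ": " & what
End Sub
```

Run it as cscript from an administrative logon on the IIS host; each reported location is an account whose password should be rotated and, where possible, removed from the metabase.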