According to earlier findings, Windows NT passwords are not stored in simple encrypted form in a single file, as they are in Windows 95; instead they are scrambled codes hidden in 7 different places. This newly published article tells us about the eighth place where Windows NT passwords are hidden.

Date: Mon, 22 Feb 1999 11:26:41 +0100
From: Patrick CHAMBET <pchambet@club-internet.fr>
To: sans@clark.net
Subject: Alert: IIS 4.0 metabase can reveal plaintext passwords

Hi all,

We knew that Windows NT passwords are stored in 7 different places across the system. Here is an 8th place: the IIS 4.0 metabase.
IIS 4.0 uses its own configuration database, named "metabase", which can be compared to the Windows Registry: the metabase is organised in Hives, Keys and Values. It is stored in the following file:

C:\WINNT\system32\inetsrv\MetaBase.bin

The IIS 4.0 metabase contains these passwords:

- IUSR_ComputerName account password (only if you have typed it in the MMC)
- IWAM_ComputerName account password (ALWAYS !)
- UNC username and password used to connect to another server if one of your virtual directories is located there.
- The user name and password used to connect to the ODBC DSN called "HTTPLOG" (if you chose to store your Logs in a database).

Note that the usernames are in unicode, clear text, that the passwords are scrambled in the metabase.ini file, and that only Administrators and SYSTEM have permissions on this file.

BUT a few lines of script in a WSH script or in an ASP page allow these passwords to be printed in CLEAR TEXT.

The user name and password used to connect to the Logs DSN could allow a malicious user to delete traces of his activities on the server.

Obviously this represents a significant risk for Web servers that allow logons and/or remote access, although I have not yet seen any exploit of the problem I am reporting. Here is an example of what can be gathered:
"
IIS 4.0 Metabase
©Patrick Chambet 1998 - pchambet@club-internet.fr

--- UNC User ---
UNC User name: 'Lou'
UNC User password: 'Microsoft'
UNC Authentication Pass Through: 'False'

--- Anonymous User ---
Anonymous User name: 'IUSR_SERVER'
Anonymous User password: 'x1fj5h_iopNNsp'
Password synchronization: 'False'

--- IIS Logs DSN User ---
ODBC DSN name: 'HTTPLOG'
ODBC table name: 'InternetLog'
ODBC User name: 'InternetAdmin'
ODBC User password: 'xxxxxx'

--- Web Applications User ---
WAM User name: 'IWAM_SERVER'
WAM User password: 'Aj8_g2sAhjlk2'
Default Logon Domain: ''
"
For example, you can imagine the following scenario:

A user Bob is allowed to log on only to a server hosting IIS 4.0, say server (a). He need not be an Administrator. He can be, for example, an IIS 4.0 Web Site Operator. Then, he launches a WSH script that extracts the login name and password of the account used to access a virtual directory located on another server, say (b).

Now, Bob can use this login name and password to log on to server (b). And so forth...

Microsoft was informed of this vulnerability.

_______________________________________________________________________
Patrick CHAMBET - pchambet@club-internet.fr
MCP NT 4.0
Internet, Security and Microsoft solutions
e-business Services
IBM Global Services
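The post lists four kinds of credentials the metabase can hold but gives an administrator no way to find out which of them are actually configured on a given server. The following WSH script is an added example, not code from Patrick Chambet's post: it walks the metabase through the IIS ADSI provider (IIS://localhost/W3SVC) and reports which credential-bearing settings are in use and where, without reading or displaying any password, so the stored secrets can be removed or the accounts behind them restricted. The ADSI property names it uses (UNCUserName, UNCAuthenticationPassthrough, AnonymousUserName, AnonymousPasswordSync, WAMUserName, LogOdbcDataSource, LogOdbcUserName) are assumed from the IIS ADSI schema and do not appear in the post itself.

```vbscript
' Added audit example, not from the original post: lists WHERE the IIS 4.0
' metabase stores credentials, never the credentials themselves.
' Assumption: the property names below come from the IIS ADSI schema, not
' from the post. Run as an administrator with: cscript //nologo audit.vbs
Option Explicit

Dim findings
findings = 0

Sub Report(msg)
    WScript.Echo "  [!] " & msg
    findings = findings + 1
End Sub

' Read one metabase property; returns Empty when the node does not carry it
' (e.g. logging properties are only present on IIsWebServer nodes).
Function Prop(node, name)
    On Error Resume Next
    Prop = Empty
    Prop = node.Get(name)
    On Error GoTo 0
End Function

' Recursively visit web sites and virtual directories below W3SVC.
Sub Walk(node)
    Dim child, uncUser, anonUser, logUser

    ' 1. UNC virtual directories: a stored UNC password is the credential
    '    Bob reuses against server (b) in the post's scenario. With
    '    authentication pass-through enabled no password is kept at all.
    uncUser = Prop(node, "UNCUserName")
    If Not IsEmpty(uncUser) Then
        If Len(uncUser) > 0 Then
            If Prop(node, "UNCAuthenticationPassthrough") = True Then
                WScript.Echo "  [ ] UNC user '" & uncUser & "' at " & _
                             node.ADsPath & " uses pass-through (no stored password)"
            Else
                Report "UNC password for '" & uncUser & "' is stored at " & _
                       node.ADsPath & " (enable pass-through or drop the mapping)"
            End If
        End If
    End If

    ' 2. Anonymous (IUSR_*) account: a password typed into the MMC is stored
    '    only when password synchronization is switched off.
    anonUser = Prop(node, "AnonymousUserName")
    If Not IsEmpty(anonUser) Then
        If Len(anonUser) > 0 And Prop(node, "AnonymousPasswordSync") = False Then
            Report "Typed-in password for anonymous account '" & anonUser & _
                   "' is stored at " & node.ADsPath
        End If
    End If

    ' 3. ODBC logging DSN (the HTTPLOG account in the post): an account that
    '    may DELETE log rows lets an intruder erase traces, so grant INSERT only.
    logUser = Prop(node, "LogOdbcUserName")
    If Not IsEmpty(logUser) Then
        If Len(logUser) > 0 Then
            Report "ODBC log DSN '" & Prop(node, "LogOdbcDataSource") & _
                   "' credentials for '" & logUser & "' are stored at " & _
                   node.ADsPath & " (restrict this account to INSERT)"
        End If
    End If

    For Each child In node
        If child.Class = "IIsWebServer" Or child.Class = "IIsWebVirtualDir" Then
            Walk child
        End If
    Next
End Sub

Dim w3svc
Set w3svc = GetObject("IIS://localhost/W3SVC")

' 4. The IWAM_* password is always stored; nothing to toggle, so just name
'    the account so its rights on the host can be kept minimal.
WScript.Echo "Web application account (password always stored): '" & _
             Prop(w3svc, "WAMUserName") & "'"

WScript.Echo "Scanning metabase for stored credentials..."
Walk w3svc
WScript.Echo findings & " stored-credential finding(s)."
```

Pair the scan with a check of the file permissions the post relies on, for example `cacls C:\WINNT\system32\inetsrv\MetaBase.bin`, to confirm that only Administrators and SYSTEM still hold access; the script itself only reports account names and locations, because the point of the audit is to decide which stored credentials to eliminate, not to recover them.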