NT的密码究竟放在哪

根据以前的发现,windowsNT密码虽然不象Windows95那样以简单加密形式包含在一个文件里面,而是一些杂乱的暗码,分别藏在7个不同的地方。这篇最新发表的文章告诉我们WindowsNT密码隐藏的第八个地方。Date: Mon, 22 Feb 1999 11:26:41 +0100

From: Patrick CHAMBET <pchambet@club-internet.fr>
- Z9 w# o1 |6 A3 Q2 y8 H  [
To: sans@clark.net
Subject: Alert: IIS 4.0 metabase can reveal plaintext passwords
Hi all,
We knew that Windows NT passwords are stored in 7 different places across
( W" s1 O! m/ [/ dthe system. Here is a 8th place: the IIS 4.0 metabase.
7 ?4 M5 g! j) T- {  J- n+ I: ~  IIIS 4.0 uses its own configuration database, named "metabase", which can
. ], ]0 [% F0 B% C9 M7 ebe compared to the Windows Registry: the metabase is organised in Hives,
' ^* ~4 n. O/ m+ B5 FKeys and Values. It is stored in the following file:
& B5 w& n' b& JC:\WINNT\system32\inetsrv\MetaBase.bin
The IIS 4.0 metabase contains these passwords:
- IUSR_ComputerName account password (only if you have typed it in the
$ Z; V  J( u3 B6 M: J6 LMMC)
- IWAM_ComputerName account password (ALWAYS !)
- UNC username and password used to connect to another server if one of
your virtual directories is located there.
- The user name and password used to connect to the ODBC DSN called
"HTTPLOG" (if you chose to store your Logs into a database).
Note that the usernames are in unicode, clear text, that the passwords are
6 b8 h" |, h/ P4 O6 E! Isrambled in the metabase.ini file, and that only Administrators and SYSTEM
5 s& E# d- N# U( m+ g' Ehave permissions on this file.
BUT a few lines of script in a WSH script or in an ASP page allow to print
these passwords in CLEAR TEXT.
The user name and password used to connect to the Logs DSN could allow a
1 C3 K2 j9 M% X8 c$ Tmalicious user to delete traces of his activities on the server.
' P. ~6 a7 V) X; [Obviously this represents a significant risk for Web servers that allow
6 M8 c) p4 v8 C4 R) p5 b% G2 E/ elogons and/or remote access, although I did not see any exploit of the
! N( A4 K- r5 @6 c$ g6 E, `- Oproblem I am reporting yet. Here is an example of what can be gathered:
"
" b9 Z6 y! c0 P5 ?4 q4 J, q, _IIS 4.0 Metabase
+ A7 r6 C' w4 e( j2 t7 T?Patrick Chambet 1998 - pchambet@club-internet.fr
% U0 J- ?$ F( P. K* m2 Y! P4 {--- UNC User ---
UNC User name: 'Lou'
3 `- p! @9 X( i3 d) X, M. b; g/ T" x, |: PUNC User password: 'Microsoft'
, h6 H9 c. T# H! _UNC Authentication Pass Through: 'False'
6 r2 n7 n: F) U$ v+ w--- Anonymous User ---
/ P& l0 N4 Z2 S# n0 h' f; w$ GAnonymous User name: 'IUSR_SERVER'
' M* ]) H' v) f( W2 V/ oAnonymous User password: 'x1fj5h_iopNNsp'
Password synchronization: 'False'
--- IIS Logs DSN User ---
ODBC DSN name: 'HTTPLOG'
2 \  q! s# a6 Z- s+ A7 Y6 X: Y* YODBC table name: 'InternetLog'
; ]5 s3 u5 M8 w5 ~ODBC User name: 'InternetAdmin'
ODBC User password: 'xxxxxx'
--- Web Applications User ---
, r7 _1 J6 P3 O/ Q( W  mWAM User name: 'IWAM_SERVER'
WAM User password: 'Aj8_g2sAhjlk2'
9 C/ m" ?, n4 b7 e4 p) ODefault Logon Domain: ''
, _3 l2 |! u1 k2 _+ s, h& V"
For example, you can imagine the following scenario:
A user Bob is allowed to logon only on a server hosting IIS 4.0, say
server (a). He need not to be an Administrator. He can be for example
6 {4 k. `0 B- v9 @$ k& qan IIS 4.0 Web Site Operator. Then, he launches a WSH script that extracts
3 h: J0 s- W! I3 e2 _) G( L. Fthe login name and password of the account used to access to a virtual
) D0 i* p( @3 }/ Kdirectory located on another server, say (b).
Now, Bob can use these login name and passord to logon on server (b).
And so forth...
Microsoft was informed of this vulnerability.
% _& b) Y9 x% ?* |4 j_______________________________________________________________________
Patrick CHAMBET - pchambet@club-internet.fr
MCP NT 4.0
/ r' Q7 E6 {+ u) j0 Z4 mInternet, Security and Microsoft solutions
6 l# Y5 `( l- w( b4 W: qe-business Services
% h. x) e$ x, y6 oIBM Global Services