Where exactly are NT passwords stored?

Posted on 2011-1-12 21:01:17
According to earlier findings, Windows NT passwords are not, as in Windows 95, kept in a single file in simply encrypted form; instead they are scrambled codes hidden in 7 different places. This newly published article tells us about an eighth place where Windows NT passwords are hidden.

Date: Mon, 22 Feb 1999 11:26:41 +0100
From: Patrick CHAMBET <pchambet@club-internet.fr>
To: sans@clark.net
Subject: Alert: IIS 4.0 metabase can reveal plaintext passwords

Hi all,

We knew that Windows NT passwords are stored in 7 different places across
the system. Here is an 8th place: the IIS 4.0 metabase.

IIS 4.0 uses its own configuration database, named "metabase", which can
be compared to the Windows Registry: the metabase is organised in Hives,
Keys and Values. It is stored in the following file:

C:\WINNT\system32\inetsrv\MetaBase.bin

The IIS 4.0 metabase contains these passwords:
- IUSR_ComputerName account password (only if you have typed it in the
MMC)
- IWAM_ComputerName account password (ALWAYS !)
- UNC username and password used to connect to another server if one of
your virtual directories is located there.
- The user name and password used to connect to the ODBC DSN called
"HTTPLOG" (if you chose to store your Logs into a database).

Note that the usernames are in unicode, clear text, that the passwords are
scrambled in the metabase.ini file, and that only Administrators and SYSTEM
have permissions on this file.

BUT a few lines of script in a WSH script or in an ASP page allow one to print
these passwords in CLEAR TEXT.

The user name and password used to connect to the Logs DSN could allow a
malicious user to delete traces of his activities on the server.

Obviously this represents a significant risk for Web servers that allow
logons and/or remote access, although I did not see any exploit of the
problem I am reporting yet. Here is an example of what can be gathered:
"
IIS 4.0 Metabase
© Patrick Chambet 1998 - pchambet@club-internet.fr
--- UNC User ---
UNC User name: 'Lou'
UNC User password: 'Microsoft'
UNC Authentication Pass Through: 'False'
--- Anonymous User ---
Anonymous User name: 'IUSR_SERVER'
Anonymous User password: 'x1fj5h_iopNNsp'
Password synchronization: 'False'
--- IIS Logs DSN User ---
ODBC DSN name: 'HTTPLOG'
ODBC table name: 'InternetLog'
ODBC User name: 'InternetAdmin'
ODBC User password: 'xxxxxx'
--- Web Applications User ---
WAM User name: 'IWAM_SERVER'
WAM User password: 'Aj8_g2sAhjlk2'
Default Logon Domain: ''
"

For example, you can imagine the following scenario:
A user Bob is allowed to logon only on a server hosting IIS 4.0, say
server (a). He need not be an Administrator. He can be for example
an IIS 4.0 Web Site Operator. Then, he launches a WSH script that extracts
the login name and password of the account used to access a virtual
directory located on another server, say (b).
Now, Bob can use this login name and password to logon on server (b).
And so forth...

Microsoft was informed of this vulnerability.
_______________________________________________________________________
Patrick CHAMBET - pchambet@club-internet.fr
MCP NT 4.0
Internet, Security and Microsoft solutions
e-business Services
IBM Global Services
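
An added example, not part of the original message or of the author's tool: a Python triage helper that reads a dump in the layout shown in the message and lists which accounts had a stored password exposed, and so need their passwords changed, without ever returning the password values. The sample dump, its account names and the IMPACT wording are constructed for illustration.

```python
import re
# Consequence of each exposed credential, paraphrased from the message (wording is ours).
IMPACT = {
    "UNC User": "logon to the server hosting the remote virtual directory",
    "Anonymous User": "anonymous-access (IUSR) account",
    "IIS Logs DSN User": "log database access; traces could be deleted",
    "Web Applications User": "web application (IWAM) account",
}
SECTION = re.compile(r"^--- (.+?) ---$")
FIELD = re.compile(r"^(.+?): '(.*)'$")

# Constructed dump in the layout shown in the message; all values are made up.
SAMPLE = """IIS 4.0 Metabase
--- UNC User ---
UNC User name: 'svc_share'
UNC User password: 'constructed-1'
--- Anonymous User ---
Anonymous User name: 'IUSR_SERVER'
Anonymous User password: ''
--- IIS Logs DSN User ---
ODBC DSN name: 'HTTPLOG'
ODBC User name: 'InternetAdmin'
ODBC User password: 'constructed-2'
--- Web Applications User ---
WAM User name: 'IWAM_SERVER'
WAM User password: 'constructed-3'
"""

def parse_sections(dump):
    """Map each '--- name ---' section to its {field: value} pairs."""
    sections, current = {}, None
    for line in map(str.strip, dump.splitlines()):
        if (m := SECTION.match(line)):
            current = sections.setdefault(m.group(1), {})
        elif (m := FIELD.match(line)) and current is not None:
            current[m.group(1)] = m.group(2)
    return sections

def accounts_to_rotate(dump):
    """List (section, user, impact) per section that held a password; values are never returned."""
    findings = []
    for name, fields in parse_sections(dump).items():
        user = next((v for k, v in fields.items() if k.endswith("User name")), "")
        pwd = next((v for k, v in fields.items() if k.endswith("User password")), "")
        if pwd:  # empty means no password was stored for this account
            findings.append((name, user or "<unknown>", IMPACT.get(name, "unclassified")))
    return findings

print(accounts_to_rotate(SAMPLE))
```

The empty anonymous-user password in the sample corresponds to the case the message describes, where the IUSR password is present only if it was typed into the MMC.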