Jumat, 11 November 2011

Windows 2000 vulnerability Collection

Miao Yu (苗得雨)

Faced with the powerful features and completely new architecture of Windows 2000, we can only admire Microsoft's strength. It is foreseeable that Windows 2000 will become the mainstream server operating system of the next generation, and therefore also a target for attackers. But because the new Windows 2000 architecture depends so heavily on Active Directory (AD), a great many administrators are busy adapting to the new operating system and migrating their existing data to it, and the security of Windows 2000 has not yet received the attention it deserves.

This article describes in detail several vulnerabilities that attackers frequently exploit against Windows 2000 systems, the concrete steps they take, and the countermeasures, so that network administrators can focus their efforts when maintaining a system. There is a saying that makes a lot of sense: "There are no absolutely stupid systems, only absolutely stupid administrators." As long as our network administrators maintain their systems carefully, I believe attackers will find no opening.

The input method logon vulnerability

First, a logon flaw, usually called the input method (IME) vulnerability. When Windows 2000 has started and is showing the logon prompt, anyone at the console can open the help window of the installed input methods, and some of the functions reachable from that help window give access to the file system. In other words, the Windows 2000 logon authentication can be bypassed entirely, and because the logon screen runs under the LocalSystem account, the intruder gets access to the whole machine with the highest privileges. The danger is therefore considerable, and the same flaw can also be exploited remotely, since the Terminal Services logon screen offers the same input methods. The input methods shipped with Windows 2000 that have this flaw are: Intelligent ABC (智能ABC), Microsoft Pinyin (微软拼音), Internal Code (内码), Quanpin (全拼), Shuangpin (双拼) and Zhengma (郑码). In my opinion this is the first vulnerability to fix.
1. Delete the input methods you do not need, for example Zhengma.
2. We cannot delete every built-in input method, of course. If you must keep a vulnerable input method, delete its help file instead. The help files live in the \help directory under the Windows 2000 installation directory (for example C:\WINNT\help); the corresponding files are:
※ WINIME.CHM  Input method operating guide
※ WINSP.CHM   Shuangpin input method help
※ WINZM.CHM   Zhengma input method help
※ WINPY.CHM   Quanpin input method help
※ WINGB.CHM   Internal code input method help
3. Microsoft published security bulletin MS00-069 for this issue and provides patches for both Simplified Chinese and English Windows 2000 on the Internet, so apply the patch as soon as possible. Deleting help files is only a stopgap; the patch is what closes the hole, and it belongs on any machine whose Terminal Services logon screen is reachable from an untrusted network.


NetBIOS information leakage

Next, intrusion through NetBIOS shares. This problem has existed since NT was first released and has never been solved; it has always been the most common way into NT-architecture systems. Especially worth mentioning is the IPC$ null session, a known weakness of NT. After SP3 it could be restricted through the registry, but for some reason Windows 2000 still keeps the null session intact. So let us see what information a null session gives an intruder:

net use \\server\IPC$ "" /user:""   // establishes a null session

net view \\server   // lists the resources the remote server shares

Server Name            Remark
-------------------------------------------------------------------------------
\\pc1
\\pc2
The command completed successfully.

net time \\server   // gets the remote server's current time


nbtstat -A server   // dumps the remote machine's NetBIOS name table (-A takes an IP address, -a takes a name)

NetBIOS Remote Machine Name Table

   Name               Type         Status
---------------------------------------------
NULL           <00>  UNIQUE      Registered
NULL           <20>  UNIQUE      Registered
INTERNET       <00>  GROUP       Registered
XIXI           <03>  UNIQUE      Registered
INet~Services  <1C>  GROUP       Registered
IS~NULL......  <00>  UNIQUE      Registered
INTERNET       <1E>  GROUP       Registered
ADMINISTATOR   <03>  UNIQUE      Registered
INTERNET       <1D>  UNIQUE      Registered
..__MSBROWSE__.<01>  GROUP       Registered

MAC Address = 00-54-4F-34-D8-80

Look at that: just a few commands that ship with the system, and an intruder already has this much information. So how do we stop other people from getting it so easily?
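The name table is the most telling part of the listing above, and reading it is worth automating. The Python below, added here as an example and not part of the original article, parses nbtstat -A output (the table above, retyped as the sample input) and extracts what an intruder cares about: the computer name, the domain, whether the file server service is running, which user names are logged on (the <03> entries that are not the computer name), and whether IIS is installed. The suffix table is the standard NetBIOS suffix list; the function names and the sample are this example's own.

```python
import re

# Sample "nbtstat -A" output: the name table shown above, retyped here as
# constructed test input ("ADMINISTATOR" is spelled as on the page).
SAMPLE_NBTSTAT = """\
       NetBIOS Remote Machine Name Table

   Name               Type         Status
---------------------------------------------
NULL           <00>  UNIQUE      Registered
NULL           <20>  UNIQUE      Registered
INTERNET       <00>  GROUP       Registered
XIXI           <03>  UNIQUE      Registered
INet~Services  <1C>  GROUP       Registered
IS~NULL......  <00>  UNIQUE      Registered
INTERNET       <1E>  GROUP       Registered
ADMINISTATOR   <03>  UNIQUE      Registered
INTERNET       <1D>  UNIQUE      Registered
..__MSBROWSE__.<01>  GROUP       Registered

MAC Address = 00-54-4F-34-D8-80
"""

# Well-known NetBIOS suffixes: (suffix, type) -> what the registration means.
SUFFIX_MEANING = {
    ("00", "UNIQUE"): "workstation service (computer name)",
    ("00", "GROUP"): "domain or workgroup name",
    ("03", "UNIQUE"): "messenger service (computer name or logged-on user)",
    ("06", "UNIQUE"): "RAS server",
    ("1B", "UNIQUE"): "domain master browser (PDC)",
    ("1C", "GROUP"): "domain controllers (INet~Services = IIS installed)",
    ("1D", "UNIQUE"): "master browser",
    ("1E", "GROUP"): "browser service elections",
    ("20", "UNIQUE"): "file server service (shares offered)",
    ("01", "GROUP"): "master browser announcement (__MSBROWSE__)",
}

ENTRY_RE = re.compile(r"^\s*(\S.*?)\s*<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\w+)")
MAC_RE = re.compile(r"MAC Address\s*=\s*([0-9A-Fa-f-]{17})")


def parse_name_table(text):
    """Turn nbtstat -A output into a list of entries plus the MAC address."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            name, suffix, ntype, status = m.groups()
            suffix = suffix.upper()
            entries.append({"name": name, "suffix": suffix, "type": ntype,
                            "status": status,
                            "meaning": SUFFIX_MEANING.get((suffix, ntype), "unknown")})
    mac = MAC_RE.search(text)
    return {"entries": entries, "mac": mac.group(1) if mac else None}


def summarize(table):
    """What an intruder learns from the table: host, domain, users, roles."""
    ents = table["entries"]

    def names(suffix, ntype):
        return [e["name"] for e in ents if e["suffix"] == suffix and e["type"] == ntype]

    computer = next(iter(names("00", "UNIQUE")), None)
    # A <03> UNIQUE name that is not the computer name is a logged-on user.
    users = [n for n in names("03", "UNIQUE") if n != computer]
    return {
        "computer": computer,
        "domain": next(iter(names("00", "GROUP")), None),
        "logged_on_users": users,
        "file_server": bool(names("20", "UNIQUE")),
        "master_browser": bool(names("1D", "UNIQUE")),
        "iis_installed": "INet~Services" in names("1C", "GROUP"),
        "mac": table["mac"],
    }


if __name__ == "__main__":
    for key, value in summarize(parse_name_table(SAMPLE_NBTSTAT)).items():
        print(f"{key:16} {value}")
```

The name table is served by the NetBIOS name service on UDP port 137, so it is available to anyone who can reach that port whether or not null sessions are restricted; the user names it reveals (here XIXI and ADMINISTATOR) are exactly what a password-guessing attack needs.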

The first step is a registry change (which, by itself, is not a once-and-for-all fix):

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA
Value Name: RestrictAnonymous
Data Type:  REG_DWORD
Value:      1

A value of 1 stops anonymous enumeration of account names and share names. Windows 2000 additionally accepts 2, which refuses anonymous access altogether unless it has been granted explicitly, but that can break down-level trusts and network browsing, so test it before rolling it out. Note also that the nbtstat name table above is answered by the NetBIOS name service on UDP port 137, not through the IPC$ session, so RestrictAnonymous does nothing about it; that needs port filtering.

But if there are services you do not need to expose at all, why not block them? The method in Windows 2000 differs slightly from NT 4: there is no bindings tab on which to unbind NetBIOS from TCP/IP, but in the Internet Protocol (TCP/IP) properties you can click Advanced, open the Options tab, select TCP/IP filtering, tick Enable TCP/IP filtering, choose Permit Only for TCP ports, and then add only the ports of the services you want to expose. Do the same for UDP (the NetBIOS name and datagram services use UDP 137 and 138), and remember that the filter only governs inbound traffic on that adapter. Windows 2000 also lets you disable NetBIOS over TCP/IP on the WINS tab of the same Advanced dialog; SMB then still listens on TCP port 445, so that port must be blocked as well if file sharing is not meant to be reachable.


A strange system crash feature

Windows 2000 also has a rather strange feature: a user at the console can crash the entire system just by holding down the right Ctrl key and pressing Scroll Lock twice. At the same moment a complete dump of system memory is written under C:\WinNT\ as memory.dmp. The feature is off by default, but it can be switched on in the registry:

1. Run regedt32.exe (the 32-bit registry editor of Windows 2000).
2. Select the root key HKEY_LOCAL_MACHINE\, then go to SYSTEM\CurrentControlSet\Services\i8042prt\Parameters.
3. Create a new DWORD value
4. named CrashOnCtrlScroll
5. and set it to any non-zero value.
6. Exit and reboot.

Once that is done you can try crashing the system: after the key sequence the screen goes black and the following message appears:

*** STOP: 0x000000E2 (0x00000000,0x00000000,0x00000000,0x00000000)
The end-user manually generated the crashdump.

It is worth noting that this feature also exists in Windows NT 4; it may be a small function Microsoft's programmers left in for testing. If a hacker or a virus makes use of it, though, it is dangerous. Two things bound the risk and tell you where to look: writing the value requires administrative rights, so only an already-privileged attacker or malware can arm it, and the key sequence is handled by the PS/2 keyboard port driver (i8042prt), so it only works from a keyboard physically attached to the machine. On servers, audit that value, and remember that memory.dmp holds the entire contents of RAM, including whatever credentials were in memory at the time, so it must not be readable by ordinary users.

Telnet denial of service

The Telnet service in Windows has always been one of network administrators' favourite network utilities, but a newly reported flaw shows that the Telnet daemon in Windows 2000 is vulnerable to an ordinary denial of service attack while a session that has been initialized has not yet been reset. In February 2000, denial of service attacks became the nightmare of practically every large web site.

After a Telnet connection is established and the initial dialogue has not been reset, the Telnet session times out after a certain interval if the connecting user has not yet supplied a user name and password, but the connection is only actually reset once the user sends a character. If a malicious user connects to the Windows 2000 Telnet daemon and never lets that connection be reset, he effectively denies every other user access to the Telnet server, because the maximum number of Telnet client connections is 1. Anyone else who tries to connect to the Telnet server during that time receives the following error:

Microsoft Windows Workstation allows only 1 Telnet Client License
Server has closed connection

The timed-out session does not show up under the "list current users" option, because it never authenticated successfully; the only visible symptom is that nobody can get in. If you do not need the Telnet service, leave it stopped (it is not started by default in Windows 2000), and if you do need it, restrict TCP port 23 to the hosts that must reach it with the TCP/IP filter described above.
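To see why the behaviour above is a denial of service and what the fix looks like, here is a small Python model of the single connection slot, added as an example (it is not the code of Microsoft's Telnet service). It assumes a one-session limit and a 60-second login timeout; with reset_on_timeout=False it reproduces the flaw, where a silent unauthenticated client keeps the slot past the timeout until it sends a byte, and with reset_on_timeout=True the timeout alone frees the slot. All names are this example's own.

```python
from dataclasses import dataclass, field
from typing import Dict, Union

# The refusal text quoted above (it is two lines, run together on the page).
LICENSE_ERROR = ("Microsoft Windows Workstation allows only 1 Telnet Client License\n"
                 "Server has closed connection")


@dataclass
class Session:
    opened_at: float
    authenticated: bool = False


@dataclass
class TelnetGate:
    """Hypothetical model of the connection slot, not tlntsvr's code.

    reset_on_timeout=False: an unauthenticated session past login_timeout
    still holds the slot until the client sends a byte (the flaw).
    reset_on_timeout=True: the timeout alone frees the slot (the fix).
    """
    max_sessions: int = 1
    login_timeout: float = 60.0
    reset_on_timeout: bool = False
    sessions: Dict[str, Session] = field(default_factory=dict)

    def _expired(self, s: Session, now: float) -> bool:
        return not s.authenticated and now - s.opened_at > self.login_timeout

    def reap(self, now: float) -> None:
        """Drop expired unauthenticated sessions; only the fixed server does this."""
        if self.reset_on_timeout:
            for client, s in list(self.sessions.items()):
                if self._expired(s, now):
                    del self.sessions[client]

    def connect(self, client: str, now: float) -> Union[bool, str]:
        """True if the client gets a slot, otherwise the license error text."""
        self.reap(now)
        if len(self.sessions) >= self.max_sessions:
            return LICENSE_ERROR
        self.sessions[client] = Session(opened_at=now)
        return True

    def send_byte(self, client: str, now: float) -> str:
        """Client input: in the flawed server this is the only event that
        resets a timed-out unauthenticated session."""
        s = self.sessions[client]
        if self._expired(s, now):
            del self.sessions[client]
            return "reset"
        return "ok"

    def login(self, client: str, now: float) -> str:
        """Authentication before the timeout keeps the slot legitimately."""
        s = self.sessions[client]
        if self._expired(s, now):
            del self.sessions[client]
            return "timed out"
        s.authenticated = True
        return "ok"


def silent_attacker(reset_on_timeout: bool) -> Union[bool, str]:
    """Attacker connects at t=0 and never types; a real user tries at t=600."""
    gate = TelnetGate(reset_on_timeout=reset_on_timeout)
    gate.connect("attacker", 0.0)
    return gate.connect("victim", 600.0)


if __name__ == "__main__":
    print("flawed server :", silent_attacker(False))
    print("fixed server  :", silent_attacker(True))
```

The point of the model is that the expiry check has to run on the server's own clock (here in connect via reap), not only when the offending client chooses to send something; a client that never sends anything is precisely the case an attacker will pick.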

IIS file content disclosure

This vulnerability was discovered by the NSFOCUS security team. When Microsoft IIS 4.0/5.0 (Far East editions) processes an HTTP request that contains an incomplete double-byte character, the contents of files under the web directory can be disclosed to a remote attacker.

The Far East editions of Microsoft IIS are the Chinese (Simplified and Traditional), Japanese and Korean versions, which all use double-byte character encodings because of their writing systems. When IIS receives an HTTP request from a user and the file name contains a non-ASCII character, IIS checks whether that character is a lead byte of the double-byte encoding (for Japanese, for example, the lead bytes fall in two ranges: 0x81-0x9F and 0xE0-0xFC). If it is a lead byte, IIS goes on to check whether the next character is a trail byte. If there is no next character, IIS simply discards the lead byte, because it does not form a complete double-byte character. This handling, however, causes IIS to open a different file from the one the user named in the request.

By submitting a specially formatted URL, an attacker can make IIS use one of its ISAPI DLLs to open a file of a type that DLL cannot interpret, and so obtain the file's contents. Depending on which ISAPI applications are installed on the system, the attacker may read files under the web root or a virtual directory, whether plain text files (.asp, .ini, .asa and so on) or binary files (.exe and so on).

Attackers combine this with the Unicode technique:

Unicode (the universal character encoding standard, which encodes characters in double bytes) has arguably been the most popular intrusion method of recent times; in China alone, several large sites, Jiangmin among them, were recently hit by it. So let us look at this very easy attack that pairs the Unicode flaw with the IIS flaw.

We noted above that some double-byte editions of Windows 2000 handle certain special characters differently from the English edition. With the Unicode flaw in IIS, an attacker uses such specially encoded characters to get past IIS's directory checks and execute arbitrary commands remotely. The mechanism is an ordering mistake: IIS checks the path for ".." while it is still percent-encoded, and only afterwards decodes it with a lenient UTF-8 decoder that accepts overlong sequences, so %c1%1c (an overlong encoding of the backslash, 0x5C) is not a path separator at check time but becomes one before the file is opened:

http://server/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir+c:\

In fact the following two simple requests are all an attacker needs to get past IIS's checks and rewrite the site's pages; "hacking a web site" really is that easy:

http://server/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+copy+c:\winnt\system32\cmd.exe+d:\inetpub\scripts\123.exe
http://server/scripts/123.exe?/c+echo+黑掉啦?+>+c:\inetpub\wwwroot\default.asp

The first request copies cmd.exe into the scripts directory; the second runs that copy (123.exe), which needs no traversal at all, and redirects its output over default.asp.

The double-byte problem had been fixed in IIS 4.0 with SP6, yet Microsoft let it reappear in IIS 5.0.

That double-byte vulnerability does not affect the other language editions of IIS 4.0/5.0, including English. The Unicode traversal shown above is a separate flaw (Microsoft bulletin MS00-078, "Web Server Folder Traversal") and affects IIS 4.0 and 5.0 in every language edition, so English sites are not off the hook. Apply both patches. Two configuration measures also blunt the traversal: delete the default /scripts, /msadc and similar executable virtual directories you do not use, and keep the web content on a different volume from %SystemRoot%, because the ".." sequences cannot cross drive letters and the request above only reaches cmd.exe when the scripts directory and winnt share a drive.


The MS SQL Server blank sa password attack

In Windows 2000, enterprise users will generally also run another Microsoft product, the database server MS SQL Server, and in combination with MS SQL Server we have found many problems. To finish, a brief look at the security issue most commonly faced by Windows 2000 installations that run MS SQL Server.

When MS SQL Server is installed it creates a default sa login, and unless the administrator sets one, its initial password is blank. sa is the most powerful login in SQL Server, so an attacker can connect to the database remotely with any SQL Server client and then run operating system commands through the xp_cmdshell extended stored procedure, which executes them with the privileges of the SQL Server service account (often LocalSystem):

EXEC xp_cmdshell 'net user id password /add'
EXEC xp_cmdshell 'net localgroup Administrators id /add'

With just those two commands an intruder immediately has a new account in the Administrators group on the MS SQL Server host. So a reminder to all administrators: the first thing to do after installing SQL Server is to change the blank sa password (sp_password or Enterprise Manager will do it). I should not have to tell you where, should I?

Besides, under normal circumstances some features are simply unnecessary for an administrator. If you do not need xp_cmdshell, do not leave the xp_cmdshell extended stored procedure in place; remove it with sp_dropextendedproc.

Simply enter the following in an isql window:

use master
EXEC sp_dropextendedproc 'xp_cmdshell'

Bear in mind that any sysadmin login can put it back with sp_addextendedproc (the procedure lives in xplog70.dll), so dropping it raises the bar but is no substitute for a strong sa password and a SQL Server service account with as few privileges as possible.

Then apply Service Pack 3. A reminder to administrators: keep a constant eye on Microsoft's patch releases, and update the system and its software to the latest patches promptly.

In this article we have covered several of the most popular recent vulnerabilities and attack methods. Intrusion through them is so easy that many readers will conclude that Windows 2000 is an insecure operating system; if you think so, my article has not made its point. So let me stress it once more: as long as we keep the patches applied and set proper passwords on the system, our security rate is around 85%.
