???

1

??????????? ???  ???????? ?????? ??? ICU,
TCAE, CCSA  2003/12/05 ??????http//www.icst.org
.tw/
2
??
1. Nimda ?? 2. Apache Chunked ??(Unix,
Windows/Apache) 3. IIS 5.0 WebDAV overflow
??(MS03-007) (Windows/IIS) 4.
??????????????(Windows) 5. MS-SQL
?????????(Windows) 6. FrontPage Server Extension
(FPSE) ???? (Windows/IIS)
3
??(?)

• 7. Microsoft RPC DCOM ??(MS03-039)(Windows)
• 8. SNMP ?? Community Name ??(SNMP)
• 9. Sendmail Prescan() overflow ??(Unix, Windows)
• 10. Bind Overflow ??(Unix)
• ??Microsoft SUS service????
• ??

4
1.Nimda ??( Windows/IIS )

• ????
• Nimda??????????????????????????,??Nimda???????,???
  ????????,?Nimda????????????,???
• ???????Email???
• ?????????
• ?????????
• ????IIS???????

5
1.Nimda ??( Windows/IIS )(?)

• ????????????,??????Nimda???
• ??????admin.dll,????????C\?D\?,??????57K?
• ?????readme.eml (???????????readme.wav?readme.com)
  ?
• ?C\Windows\Temp???????mepXXXX.tmp.exe (XXXX
  ?????)
• ?????????load.exe,??????57344 bytes?
• ????riched32.dll?????57344 bytes?
• ???????????,??????( C\?D\?E\?) ????,???????

6
1.Nimda ??( Windows/IIS )(?)

• IIS Log???????/ctftp20-i20x.x.x.x20GET20Admi
  n.dll 20DAdmin.dll 200
• ?wininit.ini??mepXXXX.tmp.exe????(XXXX?????)
• ?system.ini?????Shell explorer.exe load.exe
  ontrunold
• ???? guest ??,??????Administrator?
• ?? (?????) ??? JavaScript,??????????,??????????
  (html?thm?htt?asp?shtml?shtm) ?????

7
1.Nimda ??( Windows/IIS )(?)

• ????
• ??Nimda???????
• ????? fixnimda.com
• http//securityresponse.symantec.com/avcenter/venc
  /data/w32.nimda.a_at_mm.removal.tool.html
• ????? FIX_NIMDA4.0.COM
• http//www.trend.com.tw/corporate/techsupport/clea
  nutil/index.htm
• ? C\WINDOWS\SYSTEM.INI ????SHELL explorer.exe
  load.exe dontrunold ?? SHELL explorer.exe

8
1.Nimda ??( Windows/IIS )(?)

• ??????????,??????????????????,??????????????
  (???????????)
• ? administrator ???? guest ????? (?????)
• ?? Nimda???iis worm??codered????????????,??????IE?
  ????????,??????????????
• http//www.microsoft.com/technet/security/bulletin
  /MS01-020.asp
• http//www.microsoft.com/technet/security/bulletin
  /MS01-44.asp

9
2.Apache Chunked ??(Unix, Windows/Apache)

• ????
• Apache web server????Chunked???????,?????????buffe
  r?????,????buffer overflow??race
  condition???,??????????????????????????????Apache
  1.2.2??????,??Apache 1.3?1.3.24???,?Apache
  2.0?2.0.36????
• ????????????????????????

10
2.Apache Chunked ??(Unix, Windows/Apache)(?)

• ????
• ?????Eeye Digital?Apache chunk???????????,???
• http//www.eeye.com/html/Research/Tools/RetinaApac
  heChunked.exe
• ??Nessus??????,???
• http//www.nessus.org/
• ????Apache???????????????

11
2.Apache Chunked ??(Unix, Windows/Apache)(?)

• ????
• ????????Apache 1.3.26??????,??Apache
  2.0.39????????????http//www.apache.org
• RedHat linux ???up2date????????apache?????,???htt
  p//www.redhat.com/apps/support/errata/ ??,?????
  rpm -Fvh .rpm ???????

12
2.Apache Chunked ??(Unix, Windows/Apache)(?)

• FreeBSD ??????Apache,??port???Apache,port???/usr
  /port/www/apache13/?/usr/port/www/apache13-modssl/
  ,?/usr/port/www/apache2/?????????portupgrade????,?
  ????portupgrade apache??,???? portupgrade
  a???????
• ???????????????,???
• http//online.securityfocus.com/bid/5033/solution/
  
• http//www.kb.cert.org/vuls/id/944335

13
3.IIS 5.0 WebDAV overflow ?? (MS03-007)
(Windows/IIS)

• ????
• WebDAV?World Wide Web Distributed Authoring and
  Versioning???,??HTTP??????WebDAV????web???????????
  ?,?windows 2000?????????????????WebDAV
  request?Ntdll.dll?????request??????,??????????????
  ???????????IIS service???(???????LocalSystem??)???
  ????????????????
• ????????windows 2000????

14
3.IIS 5.0 WebDAV overflow ??
(MS03-007) (Windows/IIS)(?)

• ????
• ?????register key????(???????????,???regedit??????
  ??)?
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Wind
  ows 2000\SP4\Q815021
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Wind
  ows 2000\SP5
• ????????????????MS 03-007,?????????????????,?????
  ????

15
3.IIS 5.0 WebDAV overflow ??
(MS03-007) (Windows/IIS)(?)

• ????
• ????????,???http//microsoft.com/downloads/details
  .aspx?FamilyIdC9A38D45-5145-4844-B62E-C69D32AC929
  Bdisplaylangen
• ?????Service Pack 4 ,????? http//www.microsoft.c
  om/windows2000/downloads/servicepacks/sp4/default.
  asp

16
3.IIS 5.0 WebDAV overflow ??
(MS03-007) (Windows/IIS)(?)

• ?????WebDAV???,??????
• ??registry key??
• ??????HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
  Services\W3SVC\Parameters
• ????registry value Value name
  DisableWebDAVData type DWORDValue data 1
• ????IIS??????server??????
• ????
• http//www.microsoft.com/technet/treeview/?url/te
  chnet/security/bulletin/MS03-007.asp
• http//support.microsoft.com/default.aspx?scidkb
  en-us815021

17
4.??????????????(Windows)

• ????
• Windows????Server Message Block (SMB)??,???Common
  Internet File System (CIFS)???,?windows???????Wind
  ows???????????????????,?????????????????????Intern
  et??,????????Windows??????????????????(???????????
  ????????)???????????

18
4.??????????????(Windows)(?)

• ??SMB??????????,????????Windows??(????????????????
  )???????????????,????????????????????,????????????
  ??????2001???Nimda?????????????????????????(??????
  ??)?Windows???,???????????????????????????????????
  ,??????

19
4.??????????????(Windows)(?)

• ????
• ??????????????????????,??????????????,?????????,??
  ??????????????(1)???????(2)???????(3)???(4)?????
  !???,??????8??????????????????????????

20
4.??????????????(Windows)(?)

• ????
• ??????????
• ???????Internet?????,????????????????????????ports
  ???(?IIS????port 80),??????Windows????????ports(?p
  ort 135?137-139?445)???????????ports,??????????

21
4.??????????????(Windows)(?)

• ??????
• ???Windows?????????????????????
• NT 4???????CtrlAltDel,???????????????,????????
  ?????????lt??gt?lt???gt?lt??????(??)gt?lt????????gt?lt?????
  ???gt,?????????????????

22
4.??????????????(Windows)(?)

• Windows 2000???????CtrlAltDel,???????????????,?
  ????????????????lt??gt?lt???gt?lt??????gt?lt????gt?lt??????
  ??gt,?????????????????,?????????Windows 2000
  professional?,??lt??????gt???Windows 2000
  server??,??lt???gt?????????lt???gt???lt??????gt?????????
  ??
• ????
• http//www.sans.org/top20/W7

23
4.??????????????(Windows)(?)

• ??????????????,??????????????????,?????Administra
  tor??????????????????(Domain Controller)??,???????
  ??????,??????(Domain member)????????????????????(D
  omain member)??,???????????????????

24
5.MS-SQL ?????????(Windows)

• ????
• ???SQL 7??SQL 2000???????,?????SQL??????sa,???????
  (?????????????sa??????,?????????)
• ????????????????,??????????????,??????SQL?????,???
  ????????????,????MS-SQL???????????(????????MS-DOS?
  ?,???????register key??)???,????????MS-SQL??????,?
  ???????????

25
5.MS-SQL ?????????(Windows)(?)

• ????
• ??????MS-SQL?????sa????,?????????????MS-SQL???????
  
• ????
• ??????MS-SQL??????
• Port 1433(TCP)
• ??MS-SQL???????????,?????????Internet??port???????
  ???
• Port 1434(UDP)
• ???slammer worm????

26
5.MS-SQL ?????????(Windows)(?)

• ??sa?????
• SQL 2000
• ??SQL?Enterprise Manager

27
5.MS-SQL ?????????(Windows)(?)

• ?????SQL Server Group

28
5.MS-SQL ?????????(Windows)(?)

• ???????????,??????security

29
5.MS-SQL ?????????(Windows)(?)

• ??Logins,??sa,??????

30
5.MS-SQL ?????????(Windows)(?)

• ??MS-SQL?????????????MS-SQL????????????http//ww
  w.microsoft.com/sql/
• ????
• http//www.microsoft.com/sql/

31
6.FrontPage Server Extension (FPSE)
????(Windows/IIS)

• ????
• ??FPSE??????????????,?????FPSE?????,??????????????
  ??,?????????FPSE???????????,??????????IIS???(?FPSE
  ??)?
• ????
• ???FPSE???IIS???,?????????Administrator?????????,
  ????????,??????????????????????,???????FPSE???????
  ???????

32
6.FrontPage Server Extension
(FPSE)????(Windows/IIS)(?)

• ????
• ???????,???????
• ??FPSE
• ????????????http//www.icst.org.tw/template/ncert
  /leakrepair.zip
• ??????????????_vti_bin????(????lt??gt?lt??gt??),????
  ?FPSE????,????????,???_vti_bin??,?????????,??_v
  ti_bin??_vti_bin_remove??????,????FPSE?????

33
6.FrontPage Server Extension (FPSE)
????(Windows/IIS)(?)

• ??FPSE?????everyone?????,????????(???Administrat
  or??)???
• ????FPSE?????everyone????????FPSE???????????????
  ?????FPSE???everyone???????????????????????
  ?????,????everyone????????????(???????4???)
• ?????????????????????????,??FPSE???????????,??????
  ???????????????????????????????????,??????????
• ????
• http//www.icst.org.tw/template/ncert/leakrepair.z
  ip

34
7.Microsoft RPC DCOM ??(MS03-039)(Windows)

• ????
• ????RPC???7???????MS03-026,???MSBlast(??)?????????
  ?
• ?????MS03-026 ????RPC???????????,?????MS03-039????
  ?Windows NT/2000/XP/2003 ???????,?????????

35
7.Microsoft RPC DCOM ??(MS03-039)(Windows)(?)

• ????
• ?????????????,??????? Hotfix KB824146
  (Q824146)??????????????????????
• http//www.microsoft.com/downloads/details.aspx?di
  splaylangzh-twFamilyID13AE421B-7BAB-41A2-843B-F
  AD838FE472E
• ????????????? ProgramFiles\KB824146Scan
  ????,??KB824146Scan.exe host ????????,??KB824146Sc
  an.exe network_address/cidr_mask ?????????,????
  192.168.0.0 ?????,??? KB824146Scan.exe
  192.168.0.0/24?

36
7.Microsoft RPC DCOM ??(MS03-039)(Windows)(?)

• ????
• ??????? MS03-039 ????http//www.microsoft.com/taiw
  an/security/bulletins/MS03-039.asp
• ??????????????? TCP/UDP Port 135 ???,?????UDP
  Port 137/138/445 ? TCP Port 139/445/593?
• ????
• http//www.microsoft.com/taiwan/security/bulletins
  /MS03-039.asp
• http//www.cert.org/advisories/CA-2003-23.html

37
8.SNMP ?? Community Name ??(SNMP)

• ????
• SNMP ( Simple Network Management Protocol )
  ??????????????????,??????????????
• SNMP??Community Name??????,???????????????,???????
  ???Community Name,??public?????Community
  Name,?private??????Community Name?
• ??????????Community Name,?????????????????????Com
  munity Name,??????????????????91?2???,??SNMP??????
  ???DoS???

38
8.SNMP ?? Community Name ??(SNMP)(?)

• ????
• ???????Nessus,???????Community Names???,???????SNM
  P???????
• ????
• ??????SNMP,??????????????SNMP,?????????Community
  Name,????????????SNMP????TCP Prot 161?UDP Port
  161/162?

39
8.SNMP ?? Community Name ??(SNMP)(?)

• ? Cisco IOS ??,???? SNMP,???no snmp-server
• ??????SNMP Community,??no snmp-server community
  string
• ????? public???Community,???no snmp-server
  community public
• ???????SNMP Community,???snmp-server community
  string rorw
• ????? strong_community ??????,???snmp-server
  community strong_community rw

40
8.SNMP ?? Community Name ??(SNMP)(?)

• Windows ??????SNMP?,??????? Simple Network
  Management Protocol,????????????????
• RedHat Linux ????????? snmpservice snmpd
  stopchkconfig snmpd off
• ????SNMP?????????????

41
8.SNMP ?? Community Name ??(SNMP)(?)

• ????
• http//www.sans.org/top20/w10
• http//www.sans.org/top20/u7
• http//www.cisco.com/univercd/cc/td/doc/product/so
  ftware/ios123/123cgcr/fun_r/cfr_1g10.htm1034652
• http//www.cert.org/advisories/CA-2002-03.html

42
9.Sendmail Prescan() overflow ??(Unix,
Windows)

• ????
• Sendmail????MTA??,????9?????????????,???????presca
  n()????????????????????,?????????sendmail
  daemon?????????????,????????root?????????sendmail
  8.12.10???(??5.79?8.12.9),??????sendmail????????,?
  ??Sendmail Switch, Sendmail Advanced Message
  Server (SAMS), and Sendmail for NT?
• ????????????????????,??????????,?????????sendmail?
  ??????MTA??(?Exchange),???????????????sendmail,???
  ????????

43
9.Sendmail Prescan() overflow ??(Unix,
Windows)(?)

• ????
• SolarisSolaris 7?8?9???????,?????????/usr/bin/mco
  nnect??,??????
• ??Solaris 7?8??,???????8.11.7Sun??????sendmail???
  ??,????????8.11.7p1Sun,???????????
• ???Solaris 9??,???????8.12.9Sun,??????sendmail???
  ??,8.12.10Sun????????????

44
9.Sendmail Prescan() overflow ??(Unix,
Windows)(?)

• RedHat Linux???????RedHat Linux?????7.1?7.2?7.3?8
  .0?9?(??????????,?????????),???????????????????,??
  ?rpm q sendmail??,???????
• 7.1? sendmail-8.11.6-27.71
• 7.2? sendmail-8.11.6-27.72
• 7.3? sendmail-8.11.6-27.73
• 8.0? sendmail-8.12.8-9.80
• 9? sendmail-8.12.8-9.90
• ?????????

45
9.Sendmail Prescan() overflow ??(Unix,
Windows)(?)

• ???????release??(?????sendmail-8.11.6-x.ZZ?sendmai
  l-8.12.8-y.ZZ??x?y??,????x27, y9)???????????,???
  ??????,?????,??????????????,??????????,???????????
  ?????????(???????????????sendmail??????,?????????,
  ???????????)?

46
9.Sendmail Prescan() overflow ??(Unix,
Windows)(?)

• FreeBSD??????????4.7?4.8?4.9?5.0?5.1?,4-stable?,?
  ??????????
• http//www.freebsd.org/doc/en_US.ISO8859-1/books/h
  andbook/cutting-edge.html
• ?????????,??? pkg_info grep sendmail
• ?????sendmail???,??????8.12.10?,??????sendmail????
  ?
• ???????????sendmail???,?????/usr/libexec/sendmail
  /sendmail???,?????????2003?9?17???,???????????

47
9.Sendmail Prescan() overflow ??(Unix,
Windows)(?)

• ????
• Solaris
• ????http//sunsolve.sun.com/pub-cgi/retrieve.pl?d
  ocfsalert/56860???????,????????????(?SPARC?x386)?
  ??,???????,???????,??patchadd????????,???patchadd
  lt /var/spool/patch/patch_file,??/var/spool/patch??
  ?????????,patch_file????????,?110615?

48
9.Sendmail Prescan() overflow ??(Unix,
Windows)(?)

• ????????????????,?????????????,??????????????????
  ??(??????????,??????????????),??,?????????????????
  ??,?????????????????????,??????Solaris?Recommend.z
  ip????,Recommend.zip?????????(???)?????,???http/
  /sunsolve.sun.com/pub-cgi/show.pl,??????????????

49
9.Sendmail Prescan() overflow ??(Unix,
Windows)(?)

• RedHat Linux
• ??https//rhn.redhat.com/errata/RHSA-2003-283.html
  ?????sendmail?????,???????x386??????,?????????i38
  6???????????(????????????rpm?,???/var/rpm??),?????
  ???,??rpm Fvh .rpm
• ??????????????????,????up2date??,???????????????,?
  ?????????(http//www.icst.org.tw)??RedHat
  linux??????????

50
9.Sendmail Prescan() overflow ??(Unix,
Windows)(?)

• FreeBSD
• ????sendmail daemon,????????????(?????????sendmail
  ???,???????????),????ports???(???/usr/port/mail/se
  ndmail)?
• Sendmail????????????????????source
  code??????,???,??????????????,?????patch??,???????
  ???,????

51
9.Sendmail Prescan() overflow ??(Unix,
Windows)(?)

• cd /usr/src patch lt /path/to/patch cd
  /usr/src/lib/libsm make obj make depend
  make cd /usr/src/lib/libsmutil make obj
  make depend make cd /usr/src/usr.sbin/sendma
  il make obj make depend make make
  install
• ????,??ftp//ftp.freebsd.org/pub/FreeBSD/CERT/advi
  sories/FreeBSD-SA-0313.sendmail.asc

52
9.Sendmail Prescan() overflow ??(Unix,
Windows)(?)

• Sendmail??ports??????????cvsup????ports????,????
  cvsup?????,??http//www.freebsd.org/doc/en_US.ISO8
  859-1/books/handbook/cvsup.html???????sendmail??(
  ??pkg_delete filename????,filename????pkg_info????
  ),??/usr/ports/mail/sendmail???,??make
  install?????sendmail???

53
9.Sendmail Prescan() overflow ??(Unix,
Windows)(?)

• ?????????????????????,??????????????,???cvsup????
  ??source codes???,???make world?????????????????
  ?????http//www.freebsd.org/doc/en_US.ISO8859-1/b
  ooks/handbook/cutting-edge.html
• ????sendmail
• ???????????,??????????
• ????
• http//www.cert.org/advisories/CA-2003-25.html
• http//www.securityfocus.com/archive/1/337839

54
10.Bind Overflow ??(Unix)

• ??
• DNS(Domain Name System)??????
• DNS??????????????,??DNS??,?????????????,????????,?
  ??????????DNS?????(?????ip?????)????
• ?DNS???,?Bind (Berkley Internet Name
  Domain)???,?????????,?Bind??????,???????????DoS???
  ??,????????Bind???????,??????????(buffer
  overflow)??,??????,??????????????Bind?????(????roo
  t??,??????Unix??),??????????,???????,?????????????
  ??

55
10.Bind Overflow ??(Unix)(?)

• ????
• ???dig??????????Bind????,???
• dig _at_target version.bind chaos txt
• ???target?ip??,??192.168.0.1?
• ????????named v,?????Bind????????????????????????
  ??????

56
10.Bind Overflow ??(Unix)(?)

• ????
• ???????Bind,??????????,???Bind???,???http//www.i
  sc.org/products/BIND/
• ??????(?Solaris?RedHat Linux?)???Bind??,??????????
  ??????????????,?????????????Bind?????????????,????
  ???????(?????????Bind???,????????????),????

57
10.Bind Overflow ??(Unix)(?)

• Sun Solaris??Sun????????(????????????,???Recommen
  d.zip????),???http//sunsolve.sun.com/pub-cgi/sho
  w.pl?targetpatchpage?
• RedHat Linux??up2date??,???????????????,?????????
  ?(http//www.icst.org.tw)??RedHat linux??????????

58
10.Bind Overflow ??(Unix)(?)

• FreeBSD??http//www.freebsd.org/security/????????
  ???,????cvsup??????source codes???,???make
  world???????????????http//www.freebsd.org/doc/
  en_US.ISO8859-1/books/handbook/cutting-edge.html
• ????
• http//www.cert.org/archive/pdf/dns.pdf
• http//www.cert.org/advisories/CA-2002-31.html
• http//www.sans.org/rr/catindex.php?cat_id17

59
??Microsoft SUS service????

• ??
• ?server(SUS server)?client(windows????Automatic
  Update service)?????????,server????????client?
• ????
• SUS server?????http//www.microsoft.com/windows20
  00/windowsupdate/sus/
• ????http//www.microsoft.com/windows2000/docs/SUS
  _Deployguide_sp1.doc
• ??????(????)
• http//www.icst.org.tw/group/application/ncert/we
  ak.php
• ??SUS???????windows 2000??????,windows NT
  4??????????SUS??????

60
??Microsoft SUS service????(?)

• SUS server??

61
??Microsoft SUS service????(?)

• SUS server??

62
??Microsoft SUS service????(?)

• Automatic Update(AU) service??

63
??Microsoft SUS service????(?)

• ??????????wuau.adm

64
??Microsoft SUS service????(?)

• ?????????

65
??Microsoft SUS service????(?)

• ??SUS server
• AU????????

66
??

• ???????????
• ??????????
• Unix like???????????
• Windows?????Windows Update?????,????SUS????windows
  ?????????
• ??????,??????
• ?????,???????????????
• ??????
• ??????
• ????
• ????????
• ?????????????
• ????????????????
• ????????