Windows 2000 system vulnerability full solution 2

zhaozj2021-02-08  212

Strange system crash characteristics

In addition, Windows 2000 has a strange feature that uses the system's end users to press the right Ctrl, and the Press twice Scrool Lock button can easily let the entire Windows2000 system completely crash. But at the same time, at C: Winnt Dump Complete Current System Memory Record, the memory record file name is Memory.dmp. Of course, this strange feature is closed by default, but we can activate it by modifying the registry:

1. Run regedt32.exe (32-bit registry editor of Windows2000)

2, select the primary key:

HKEY_LOCAL_MACHINE

Then find the currentcontrolset under System under SYSTEM

Select Services

Parameters in I8042PRT

3, create a new double-byte value

4, the key is called CrashonCtrlscroll

5, then set a value that is not zero.

6, exit restart

When all this is finished, you can try to let the system crash, press the effect after pressing the button, the following information will appear:

*** STOP: 0x000000E2 (0x00000000, 0x0000000000, 0x00000000, 0x00000000)

The end-user manually generated the cremedup.

It is worth noting that this strange feature also exists in WindowsNT4, I don't know if it is a small feature of Microsoft programmers. However, if there is a hacker or virus, it is very dangerous.

Telnet's denial service attack

Telnet in Windows has always been one of the favorite network utilities of network administrators, but a new vulnerability indicates that the Telnet in Windows 2000 is guarding the process of being initialized, has not been reset. It is easy to receive an ordinary denial of service attack. In February 2000, the refusal service attack almost became the nightmare of all large websites.

After the Telnet connection, in the case where the initialization dialog has not been reset, after a certain time interval, if the connection user has not provided a username and password, Telnet's dialogue will time out. The connection will be reset until the user enters a character. If the malicious user is connected to the Telnet daemon of the Windows2000, and if the connection does not reset, he can effectively reject any other user to connect the Telnet server, mainly because the maximum number of customer connections in Telnet at this time is 1. During this period, any other user who tries to connect to the Telnet server will receive the following error message:

Microsoft Windows Workstation Allows Only 1 Telnet Client Licenseserver Has Closed Connection

When the "List Current User" option does not display the timeout session, because the session has not successfully passed the certification.

IIS service leak file content

This is a vulnerability found by the NSFOCUS security team. When Microsoft IIS 4.0 / 5.0 (Far East Version) When processing HTTP command requests containing incomplete double-byte coding characters, the file content in the web directory will lead to remote attackers.

The Microsoft IIS Far East Region includes Chinese (Simplified / Traditional), Japanese, Korean Edition, which makes them use the double-byte encoding format due to specific text formats. When IIS receives an HTTP request submitted by the user, if the file name contains a non-ASCII character, IIS checks if this character is a leading character in double-byte encoding (for example, the Japanese leader characters contains two characters: 0x81 -0x9f, 0xE0-0xFC). If it is a front lead character, it will continue to check if the next character is end character. If there is no next character, IIS will simply discard this leader, because it does not constitute a complete double-byte encoding. However, this process will cause IIS to open different files instead of the file specified in the request. By submitting a special format URL, IIS allows IIS to open some of the type of file that it does not explain in a certain ISAPI dynamic link library, and obtains the content of the file. Depending on the type of ISAPI application installed, an attacker may get the file content in the web root directory or virtual directory, which can be a normal text file (.asp, .ini, .asa, etc.) or two-way Document (.exe, etc.).

The hacker will use this vulnerability using Unicode:

Unicode (unified character coding standard, encoding the double-byte) can be said to be the most popular attack intrusion in recent periods, only in the near future, there are several large websites such as Jiangmin Company in the near future by this intrusion attack. Then let's talk about this easy to use the Unicode vulnerability to invade IIS.

Above we mentioned that due to certain double-bytes of Windows2000, we have different English versions when handling certain special characters, however, using this IIS vulnerability, an attacker can bypass the Directory audit of IIS. command.

http://server/scripts/..

转载请注明原文地址:https://www.9cbs.com/read-2023.html

New Post(0)