??? - PowerPoint PPT Presentation

Title: PowerPoint Author: flora Last modified by: chihyao Created Date: 3/31/2003 1:38:30 AM Document presentation format: Company – PowerPoint PPT presentation

Slides: 67
Provided by: Flo27
Tags: freebsd

Transcript and Presenter's Notes


1

??????????? ???  ???????? ?????? ??? ICU,
TCAE, CCSA  2003/12/05 ??????http://www.icst.org.tw/
2
??
1. Nimda ?? 2. Apache Chunked ??(Unix,
Windows/Apache) 3. IIS 5.0 WebDAV overflow
??(MS03-007) (Windows/IIS) 4.
??????????????(Windows) 5. MS-SQL
?????????(Windows) 6. FrontPage Server Extension
(FPSE) ???? (Windows/IIS)
3
??(?)
  • 7. Microsoft RPC DCOM ??(MS03-039)(Windows)
  • 8. SNMP ?? Community Name ??(SNMP)
  • 9. Sendmail Prescan() overflow ??(Unix, Windows)
  • 10. Bind Overflow ??(Unix)
  • ??Microsoft SUS service????
  • ??

4
1.Nimda ??( Windows/IIS )
  • ????
  • Nimda??????????????????????????,??Nimda???????,???
    ????????,?Nimda????????????,???
  • ???????Email???
  • ?????????
  • ?????????
  • ????IIS???????

5
1.Nimda ??( Windows/IIS )(?)
  • ????????????,??????Nimda???
  • ??????admin.dll,????????C:\?D:\?,??????57K?
  • ?????readme.eml (???????????readme.wav?readme.com)
    ?
  • ?C:\Windows\Temp???????mepXXXX.tmp.exe (XXXX
    ?????)
  • ?????????load.exe,??????57344 bytes?
  • ????riched32.dll?????57344 bytes?
  • ???????????,??????( C:\?D:\?E:\?) ????,???????

6
1.Nimda ??( Windows/IIS )(?)
  • IIS Log???????/ctftp20-i20x.x.x.x20GET20Admi
    n.dll 20DAdmin.dll 200
  • ?wininit.ini??mepXXXX.tmp.exe????(XXXX?????)
  • ?system.ini?????Shell=explorer.exe load.exe -dontrunold
  • ???? guest ??,??????Administrator?
  • ?? (?????) ??? JavaScript,??????????,??????????
    (html?thm?htt?asp?shtml?shtm) ?????

7
1.Nimda ??( Windows/IIS )(?)
  • ????
  • ??Nimda???????
  • ????? fixnimda.com
  • http://securityresponse.symantec.com/avcenter/venc/data/w32.nimda.a@mm.removal.tool.html
  • ????? FIX_NIMDA4.0.COM
  • http://www.trend.com.tw/corporate/techsupport/cleanutil/index.htm
  • ? C:\WINDOWS\SYSTEM.INI ????SHELL=explorer.exe load.exe -dontrunold ?? SHELL=explorer.exe

8
1.Nimda ??( Windows/IIS )(?)
  • ??????????,??????????????????,??????????????
    (???????????)
  • ? administrator ???? guest ????? (?????)
  • ?? Nimda???iis worm??codered????????????,??????IE?
    ????????,??????????????
  • http://www.microsoft.com/technet/security/bulletin/MS01-020.asp
  • http://www.microsoft.com/technet/security/bulletin/MS01-44.asp

9
2.Apache Chunked ??(Unix, Windows/Apache)
  • ????
  • Apache web server????Chunked???????,?????????buffe
    r?????,????buffer overflow??race
    condition???,??????????????????????????????Apache
    1.2.2??????,??Apache 1.3?1.3.24???,?Apache
    2.0?2.0.36????
  • ????????????????????????

10
2.Apache Chunked ??(Unix, Windows/Apache)(?)
  • ????
  • ?????Eeye Digital?Apache chunk???????????,???
  • http://www.eeye.com/html/Research/Tools/RetinaApacheChunked.exe
  • ??Nessus??????,???
  • http://www.nessus.org/
  • ????Apache???????????????

11
2.Apache Chunked ??(Unix, Windows/Apache)(?)
  • ????
  • ????????Apache 1.3.26??????,??Apache
    2.0.39????????????http://www.apache.org
  • RedHat linux ???up2date????????apache?????,???
    http://www.redhat.com/apps/support/errata/ ??,?????
    rpm -Fvh *.rpm ???????

12
2.Apache Chunked ??(Unix, Windows/Apache)(?)
  • FreeBSD ??????Apache,??port???Apache,port???
    /usr/port/www/apache13/?/usr/port/www/apache13-modssl/
    ,?/usr/port/www/apache2/?????????portupgrade????,?
    ????portupgrade apache??,???? portupgrade
    a???????
  • ???????????????,???
  • http://online.securityfocus.com/bid/5033/solution/
  • http://www.kb.cert.org/vuls/id/944335

13
3.IIS 5.0 WebDAV overflow ?? (MS03-007)
(Windows/IIS)
  • ????
  • WebDAV?World Wide Web Distributed Authoring and
    Versioning???,??HTTP??????WebDAV????web???????????
    ?,?windows 2000?????????????????WebDAV
    request?Ntdll.dll?????request??????,??????????????
    ???????????IIS service???(???????LocalSystem??)???
    ????????????????
  • ????????windows 2000????

14
3.IIS 5.0 WebDAV overflow ??
(MS03-007) (Windows/IIS)(?)
  • ????
  • ?????register key????(???????????,???regedit??????
    ??)?
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP4\Q815021
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP5
  • ????????????????MS 03-007,?????????????????,?????
    ????

15
3.IIS 5.0 WebDAV overflow ??
(MS03-007) (Windows/IIS)(?)
  • ????
  • ????????,???http://microsoft.com/downloads/details.aspx?FamilyId=C9A38D45-5145-4844-B62E-C69D32AC929B&displaylang=en
  • ?????Service Pack 4 ,????? http://www.microsoft.com/windows2000/downloads/servicepacks/sp4/default.asp

16
3.IIS 5.0 WebDAV overflow ??
(MS03-007) (Windows/IIS)(?)
  • ?????WebDAV???,??????
  • ??registry key??
  • ??????HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters
  • ????registry value Value name: DisableWebDAV, Data type: DWORD, Value data: 1
  • ????IIS??????server??????
  • ????
  • http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-007.asp
  • http://support.microsoft.com/default.aspx?scid=kb;en-us;815021

17
4.??????????????(Windows)
  • ????
  • Windows????Server Message Block (SMB)??,???Common
    Internet File System (CIFS)???,?windows???????Wind
    ows???????????????????,?????????????????????Intern
    et??,????????Windows??????????????????(???????????
    ????????)???????????

18
4.??????????????(Windows)(?)
  • ??SMB??????????,????????Windows??(????????????????
    )???????????????,????????????????????,????????????
    ??????2001???Nimda?????????????????????????(??????
    ??)?Windows???,???????????????????????????????????
    ,??????

19
4.??????????????(Windows)(?)
  • ????
  • ??????????????????????,??????????????,?????????,??
    ??????????????(1)???????(2)???????(3)???(4)?????
    !???,??????8??????????????????????????

20
4.??????????????(Windows)(?)
  • ????
  • ??????????
  • ???????Internet?????,????????????????????????ports
    ???(?IIS????port 80),??????Windows????????ports(?p
    ort 135?137-139?445)???????????ports,??????????

21
4.??????????????(Windows)(?)
  • ??????
  • ???Windows?????????????????????
  • NT 4???????Ctrl+Alt+Del,???????????????,????????
    ?????????<??>?<???>?<??????(??)>?<????????>?<?????
    ???>,?????????????????

22
4.??????????????(Windows)(?)
  • Windows 2000???????Ctrl+Alt+Del,???????????????,?
    ????????????????<??>?<???>?<??????>?<????>?<??????
    ??>,?????????????????,?????????Windows 2000
    professional?,??<??????>???Windows 2000
    server??,??<???>?????????<???>???<??????>?????????
    ??
  • ????
  • http://www.sans.org/top20/#W7

23
4.??????????????(Windows)(?)
  • ??????????????,??????????????????,?????Administra
    tor??????????????????(Domain Controller)??,???????
    ??????,??????(Domain member)????????????????????(D
    omain member)??,???????????????????

24
5.MS-SQL ?????????(Windows)
  • ????
  • ???SQL 7??SQL 2000???????,?????SQL??????sa,???????
    (?????????????sa??????,?????????)
  • ????????????????,??????????????,??????SQL?????,???
    ????????????,????MS-SQL???????????(????????MS-DOS?
    ?,???????register key??)???,????????MS-SQL??????,?
    ???????????

25
5.MS-SQL ?????????(Windows)(?)
  • ????
  • ??????MS-SQL?????sa????,?????????????MS-SQL???????
  • ????
  • ??????MS-SQL??????
  • Port 1433(TCP)
  • ??MS-SQL???????????,?????????Internet??port???????
    ???
  • Port 1434(UDP)
  • ???slammer worm????

26
5.MS-SQL ?????????(Windows)(?)
  • ??sa?????
  • SQL 2000
  • ??SQL?Enterprise Manager

27
5.MS-SQL ?????????(Windows)(?)
  • ?????SQL Server Group

28
5.MS-SQL ?????????(Windows)(?)
  • ???????????,??????security

29
5.MS-SQL ?????????(Windows)(?)
  • ??Logins,??sa,??????

30
5.MS-SQL ?????????(Windows)(?)
  • ??MS-SQL?????????????MS-SQL????????????
    http://www.microsoft.com/sql/
  • ????
  • http://www.microsoft.com/sql/

31
6.FrontPage Server Extension (FPSE)
????(Windows/IIS)
  • ????
  • ??FPSE??????????????,?????FPSE?????,??????????????
    ??,?????????FPSE???????????,??????????IIS???(?FPSE
    ??)?
  • ????
  • ???FPSE???IIS???,?????????Administrator?????????,
    ????????,??????????????????????,???????FPSE???????
    ???????

32
6.FrontPage Server Extension
(FPSE)????(Windows/IIS)(?)
  • ????
  • ???????,???????
  • ??FPSE
  • ????????????http://www.icst.org.tw/template/ncert/leakrepair.zip
  • ??????????????_vti_bin????(????<??>?<??>??),????
    ?FPSE????,????????,???_vti_bin??,?????????,??
    _vti_bin??_vti_bin_remove??????,????FPSE?????

33
6.FrontPage Server Extension (FPSE)
????(Windows/IIS)(?)
  • ??FPSE?????everyone?????,????????(???Administrat
    or??)???
  • ????FPSE?????everyone????????FPSE???????????????
    ?????FPSE???everyone???????????????????????
    ?????,????everyone????????????(???????4???)
  • ?????????????????????????,??FPSE???????????,??????
    ???????????????????????????????????,??????????
  • ????
  • http://www.icst.org.tw/template/ncert/leakrepair.zip

34
7.Microsoft RPC DCOM ??(MS03-039)(Windows)
  • ????
  • ????RPC???7???????MS03-026,???MSBlast(??)?????????
    ?
  • ?????MS03-026 ????RPC???????????,?????MS03-039????
    ?Windows NT/2000/XP/2003 ???????,?????????

35
7.Microsoft RPC DCOM ??(MS03-039)(Windows)(?)
  • ????
  • ?????????????,??????? Hotfix KB824146
    (Q824146)??????????????????????
  • http://www.microsoft.com/downloads/details.aspx?displaylang=zh-tw&FamilyID=13AE421B-7BAB-41A2-843B-FAD838FE472E
  • ????????????? %ProgramFiles%\KB824146Scan
    ????,??KB824146Scan.exe host ????????,??
    KB824146Scan.exe network_address/cidr_mask ?????????,????
    192.168.0.0 ?????,??? KB824146Scan.exe 192.168.0.0/24?

36
7.Microsoft RPC DCOM ??(MS03-039)(Windows)(?)
  • ????
  • ??????? MS03-039 ????http://www.microsoft.com/taiwan/security/bulletins/MS03-039.asp
  • ??????????????? TCP/UDP Port 135 ???,?????UDP
    Port 137/138/445 ? TCP Port 139/445/593?
  • ????
  • http://www.microsoft.com/taiwan/security/bulletins/MS03-039.asp
  • http://www.cert.org/advisories/CA-2003-23.html

37
8.SNMP ?? Community Name ??(SNMP)
  • ????
  • SNMP ( Simple Network Management Protocol )
    ??????????????????,??????????????
  • SNMP??Community Name??????,???????????????,???????
    ???Community Name,??public?????Community
    Name,?private??????Community Name?
  • ??????????Community Name,?????????????????????Com
    munity Name,??????????????????91?2???,??SNMP??????
    ???DoS???

38
8.SNMP ?? Community Name ??(SNMP)(?)
  • ????
  • ???????Nessus,???????Community Names???,???????SNM
    P???????
  • ????
  • ??????SNMP,??????????????SNMP,?????????Community
    Name,????????????SNMP????TCP Port 161?UDP Port
    161/162?

39
8.SNMP ?? Community Name ??(SNMP)(?)
  • ? Cisco IOS ??,???? SNMP,???no snmp-server
  • ??????SNMP Community,??no snmp-server community
    string
  • ????? public???Community,???no snmp-server
    community public
  • ???????SNMP Community,???snmp-server community
    string rorw
  • ????? strong_community ??????,???snmp-server
    community strong_community rw

40
8.SNMP ?? Community Name ??(SNMP)(?)
  • Windows ??????SNMP?,??????? Simple Network
    Management Protocol,????????????????
  • RedHat Linux ????????? snmp
    service snmpd stop
    chkconfig snmpd off
  • ????SNMP?????????????

41
8.SNMP ?? Community Name ??(SNMP)(?)
  • ????
  • http://www.sans.org/top20/#w10
  • http://www.sans.org/top20/#u7
  • http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123cgcr/fun_r/cfr_1g10.htm#1034652
  • http://www.cert.org/advisories/CA-2002-03.html

42
9.Sendmail Prescan() overflow ??(Unix,
Windows)
  • ????
  • Sendmail????MTA??,????9?????????????,???????presca
    n()????????????????????,?????????sendmail
    daemon?????????????,????????root?????????sendmail
    8.12.10???(??5.79?8.12.9),??????sendmail????????,?
    ??Sendmail Switch, Sendmail Advanced Message
    Server (SAMS), and Sendmail for NT?
  • ????????????????????,??????????,?????????sendmail?
    ??????MTA??(?Exchange),???????????????sendmail,???
    ????????

43
9.Sendmail Prescan() overflow ??(Unix,
Windows)(?)
  • ????
  • SolarisSolaris 7?8?9???????,?????????
    /usr/bin/mconnect??,??????
  • ??Solaris 7?8??,???????8.11.7Sun??????sendmail???
    ??,????????8.11.7p1Sun,???????????
  • ???Solaris 9??,???????8.12.9Sun,??????sendmail???
    ??,8.12.10Sun????????????

44
9.Sendmail Prescan() overflow ??(Unix,
Windows)(?)
  • RedHat Linux???????RedHat Linux?????7.1?7.2?7.3?8.0?9?
    (??????????,?????????),???????????????????,??
    ?rpm -q sendmail??,???????
  • 7.1? sendmail-8.11.6-27.71
  • 7.2? sendmail-8.11.6-27.72
  • 7.3? sendmail-8.11.6-27.73
  • 8.0? sendmail-8.12.8-9.80
  • 9? sendmail-8.12.8-9.90
  • ?????????

45
9.Sendmail Prescan() overflow ??(Unix,
Windows)(?)
  • ???????release??(?????sendmail-8.11.6-x.ZZ?
    sendmail-8.12.8-y.ZZ??x?y??,????x27, y9)???????????,???
    ??????,?????,??????????????,??????????,???????????
    ?????????(???????????????sendmail??????,?????????,
    ???????????)?

46
9.Sendmail Prescan() overflow ??(Unix,
Windows)(?)
  • FreeBSD??????????4.7?4.8?4.9?5.0?5.1?,4-stable?,?
    ??????????
  • http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/cutting-edge.html
  • ?????????,??? pkg_info | grep sendmail
  • ?????sendmail???,??????8.12.10?,??????sendmail????
    ?
  • ???????????sendmail???,?????
    /usr/libexec/sendmail/sendmail???,?????????2003?9?17???,???????????

47
9.Sendmail Prescan() overflow ??(Unix,
Windows)(?)
  • ????
  • Solaris
  • ????http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/56860
    ???????,????????????(?SPARC?x386)?
    ??,???????,???????,??patchadd????????,???patchadd
    lt /var/spool/patch/patch_file,??/var/spool/patch??
    ?????????,patch_file????????,?110615?

48
9.Sendmail Prescan() overflow ??(Unix,
Windows)(?)
  • ????????????????,?????????????,??????????????????
    ??(??????????,??????????????),??,?????????????????
    ??,?????????????????????,??????Solaris?Recommend.zip
    ????,Recommend.zip?????????(???)?????,???
    http://sunsolve.sun.com/pub-cgi/show.pl,??????????????

49
9.Sendmail Prescan() overflow ??(Unix,
Windows)(?)
  • RedHat Linux
  • ??https://rhn.redhat.com/errata/RHSA-2003-283.html
    ?????sendmail?????,???????x386??????,?????????i386
    ???????????(????????????rpm?,???/var/rpm??),?????
    ???,??rpm -Fvh *.rpm
  • ??????????????????,????up2date??,???????????????,?
    ?????????(http://www.icst.org.tw)??RedHat
    linux??????????

50
9.Sendmail Prescan() overflow ??(Unix,
Windows)(?)
  • FreeBSD
  • ????sendmail daemon,????????????(?????????sendmail
    ???,???????????),????ports???(???
    /usr/port/mail/sendmail)?
  • Sendmail????????????????????source
    code??????,???,??????????????,?????patch??,???????
    ???,????

51
9.Sendmail Prescan() overflow ??(Unix,
Windows)(?)
  • cd /usr/src
    patch < /path/to/patch
    cd /usr/src/lib/libsm
    make obj
    make depend
    make
    cd /usr/src/lib/libsmutil
    make obj
    make depend
    make
    cd /usr/src/usr.sbin/sendmail
    make obj
    make depend
    make
    make install
  • ????,??ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-03:13.sendmail.asc

52
9.Sendmail Prescan() overflow ??(Unix,
Windows)(?)
  • Sendmail??ports??????????cvsup????ports????,????
    cvsup?????,??
    http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/cvsup.html
    ???????sendmail??(
    ??pkg_delete filename????,filename????pkg_info????
    ),??/usr/ports/mail/sendmail???,??make
    install?????sendmail???

53
9.Sendmail Prescan() overflow ??(Unix,
Windows)(?)
  • ?????????????????????,??????????????,???cvsup????
    ??source codes???,???make world?????????????????
    ?????http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/cutting-edge.html
  • ????sendmail
  • ???????????,??????????
  • ????
  • http://www.cert.org/advisories/CA-2003-25.html
  • http://www.securityfocus.com/archive/1/337839

54
10.Bind Overflow ??(Unix)
  • ??
  • DNS(Domain Name System)??????
  • DNS??????????????,??DNS??,?????????????,????????,?
    ??????????DNS?????(?????ip?????)????
  • ?DNS???,?Bind (Berkley Internet Name
    Domain)???,?????????,?Bind??????,???????????DoS???
    ??,????????Bind???????,??????????(buffer
    overflow)??,??????,??????????????Bind?????(????roo
    t??,??????Unix??),??????????,???????,?????????????
    ??

55
10.Bind Overflow ??(Unix)(?)
  • ????
  • ???dig??????????Bind????,???
  • dig @target version.bind chaos txt
  • ???target?ip??,??192.168.0.1?
  • ????????named -v,?????Bind????????????????????????
    ??????

56
10.Bind Overflow ??(Unix)(?)
  • ????
  • ???????Bind,??????????,???Bind???,???
    http://www.isc.org/products/BIND/
  • ??????(?Solaris?RedHat Linux?)???Bind??,??????????
    ??????????????,?????????????Bind?????????????,????
    ???????(?????????Bind???,????????????),????

57
10.Bind Overflow ??(Unix)(?)
  • Sun Solaris??Sun????????(????????????,???Recommend.zip
    ????),???http://sunsolve.sun.com/pub-cgi/show.pl?target=patchpage?
  • RedHat Linux??up2date??,???????????????,?????????
    ?(http://www.icst.org.tw)??RedHat linux??????????

58
10.Bind Overflow ??(Unix)(?)
  • FreeBSD??http://www.freebsd.org/security/????????
    ???,????cvsup??????source codes???,???make
    world???????????????
    http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/cutting-edge.html
  • ????
  • http://www.cert.org/archive/pdf/dns.pdf
  • http://www.cert.org/advisories/CA-2002-31.html
  • http://www.sans.org/rr/catindex.php?cat_id=17

59
??Microsoft SUS service????
  • ??
  • ?server(SUS server)?client(windows????Automatic
    Update service)?????????,server????????client?
  • ????
  • SUS server?????http://www.microsoft.com/windows2000/windowsupdate/sus/
  • ????http://www.microsoft.com/windows2000/docs/SUS_Deployguide_sp1.doc
  • ??????(????)
  • http://www.icst.org.tw/group/application/ncert/weak.php
  • ??SUS???????windows 2000??????,windows NT
    4??????????SUS??????

60
??Microsoft SUS service????(?)
  • SUS server??

61
??Microsoft SUS service????(?)
  • SUS server??

62
??Microsoft SUS service????(?)
  • Automatic Update(AU) service??

63
??Microsoft SUS service????(?)
  • ??????????wuau.adm

64
??Microsoft SUS service????(?)
  • ?????????

65
??Microsoft SUS service????(?)
  • ??SUS server
  • AU????????

66
??
  • ???????????
  • ??????????
  • Unix like???????????
  • Windows?????Windows Update?????,????SUS????windows
    ?????????
  • ??????,??????
  • ?????,???????????????
  • ??????
  • ??????
  • ????
  • ????????
  • ?????????????
  • ????????????????
  • ????????