發信人: iamQuidam@kkcity.com.tw (走!去看北極之光!) 日期: 09 Jan 2003 22:09:06 GMT 標題: 網管高手我有問題~~~~ 信群: tw.bbs.comp.www 看板: TWBBS/www/A0V1RSO2 來源: <44FI5I$M9C@bbs.kkcity.com.tw>:90027, bbs.kkcity.com.tw 組織: KKCITY 這下面十題是小妹期末考考題.... 幾乎看不懂在問什麼....>@"@< 我不是讀資工,資管本科系的 因為好奇所以去修網管的課...沒想到 真難說.. 希望各位網管高手大哥哥能可憐一下小妹我..... 幫我想一下,簡短敘述一下答案....幾個關鍵字也好 您的大恩大得...我會銘記在心的......^^ 題目很長...... 看不下去就不要看了.... 很累說... 我也會很難過... 1.下面列出一台 Win98 機器開機時和外界往來的一些 ARP 封包,請試著 解釋每一對 ARP request-reply 封包的意義。瞭解意義之後,如果要對 這台機器使用 ARP poison 的方式讓它不能正常的通訊,請問你會怎麼下 手?會有什麼效果?請以類似 tcpdump 輸出的封包往來格式來作答,並 適度加上註解。 17:19:04.142895 arp who-has 140.115.66.77 tell 140.115.66.77 17:19:13.932566 arp reply 140.115.192.17 is-at 0:e0:b1:62:e7:32 17:19:18.435544 arp who-has 140.115.1.13 tell 140.115.66.77 17:19:18.435933 arp reply 140.115.1.13 is-at 0:e0:b1:62:e7:32 17:22:37.507664 arp who-has 140.115.66.77 tell 140.115.66.197 17:24:13.537105 arp who-has 140.115.66.77 tell 140.115.64.254 17:24:13.537360 arp reply 140.115.66.77 is-at 0:50:ba:0:59:88 17:24:17.338185 arp who-has 140.115.65.13 tell 140.115.66.77 17:24:17.420235 arp who-has 140.115.50.65 tell 140.115.66.77 17:24:17.420613 arp reply 140.115.50.65 is-at 0:e0:b1:62:e7:32 17:25:56.078467 arp who-has 140.115.65.128 tell 140.115.66.77 17:28:57.110535 arp who-has 140.115.50.65 tell 140.115.66.77 17:28:57.110937 arp reply 140.115.50.65 is-at 0:e0:b1:62:e7:32 17:29:16.494523 arp who-has 140.115.66.77 tell 140.115.64.254 17:29:16.494770 arp reply 140.115.66.77 is-at 0:50:ba:0:59:88 17:34:20.450860 arp who-has 140.115.66.77 tell 140.115.64.254 17:34:20.451079 arp reply 140.115.66.77 is-at 0:50:ba:0:59:88 2.假設一支程式要送信到 tlyeh@cc.ncu.edu.tw,其中需要做的一件事是 查出必要的通訊位址:IP 與 MAC 位址。請查出從機械系館到該郵件伺服 器之間所要經過的 hops,以及封包在路程上的改變。(畫出邏輯上的路 徑示意圖,標明封包在何處改變,改變的內容為何) ※封包可以這樣表示: +-----+----+-------------+ | MAC | IP | Payload.... | +-----+----+-------------+ 3.為何 router 的每個 interface 都有不同的 MAC 位址(switch不用)?而每個 interface 也可以設定成不同的 IP 位址,請問用意為何? Note:我會在考前講解一下 ethernet 的運作方式,會對答題有些幫助。 4.備份情境題。請設計兩個一組的自動備份程式,把 /home 目錄下所有 檔案每週完整地備份一次,每天遞增式地備份一次。 (使用 crontab 與 find) 5.解釋 swap 在 Virtual Memory System 裡扮演的角色。swap file 與 swap partition 有何不同?為何說 partition 的存取效率優於 file? 而 MS-Windows 使用的是 swap file,請問你可以如何改進它的效率? 6.為什麼有些windows應用程式不需經過安裝程序就可以直接使用?這與 哪些東西相關?又或者換句話說,安裝程序做了哪些特別的事情?(別寫 白爛解) 7.在規劃檔案系統的時候,除了總容量以外,還要考慮所存放在其中的檔 案平均大小。假設你遇到這兩種情形:(1)檔案小,但數量很多(2)檔案數 量少,但每個的 size 都很大。請問你會調整哪些檔案系統的參數,讓它 的表現比較好? 8.目前國內幾乎每家銀行和證券商都有架設電子交易網站,提供帳戶餘額 查詢、轉帳交易等功能。而依據法規,交易網站上必須要提供交易過程中 所使用的安全機制名稱,並對客戶說明之。據觀察多家銀行的系統後,我 們發現除了最基本的帳號密碼驗證外,大部分的說明網頁都有提到 SSL 與 SET 這兩個關鍵字,請問你這兩個關鍵字指的是什麼東西?(說明功 能,運作方式等)又有些銀行規定使用 SET 後,網路轉帳的金額上限可以提高 ,你認為這樣的規定有何道理呢? << 第 9 題作廢 >> 9.程式碼閱讀測驗。所謂好的程式,除了基本要符合程式語言的語法讓編 譯器看得懂,達成需求的功能以外,還要能夠清楚地表達程式設計者的意 念:他想作什麼,他正在作什麼?或者簡單的講--程式除了讓機器看得懂 以外,也要讓人能看得懂,而且後者是更為重要的。ANYWAY,扯了一堆廢 話,現在請大家試著閱讀一個叫做 perlfect 的搜尋引擎程式碼(只有一 部份),雖然他是用 perl 語言寫成,但語法與 C 語言相似,語意則接 近英語的敘述,直接閱讀的障礙應該不大。請你找出其中的一個關鍵功能 ,這個功能是由台灣 BBS & BSD 的名人 woju 添加上去的。一般的用 php 或 perl 寫成的 CGI 在處理中文的時候因為內碼轉換的關係,遇到特定 的中文字如「功」、「許」等字的時候,會被解讀成兩個 byte 的字元, 為了避免這種情況的發生,wujo先生在程式碼裡作了一些處理,讓所有的 中文字都能順利輸入。請你找出來,並說明你鎖定這一行的理由。 10.一樣是閱讀測驗。以下有兩篇由安全組織 CERT 發出的安全通報,請從 兩篇中擇一閱讀以後,用中文通順地描述一下漏洞的成因,並且在網路上 搜尋一下此漏洞後續有何「發展」?(例如影響了那些東西?衍生出什麼 更恐怖的東西?) -----BEGIN PGP SIGNED MESSAGE----- CERT Advisory CA-2002-07 Double Free Bug in zlib Compression Library Original release date: March 12, 2002 Last revised: -- Source: CERT/CC A complete revision history can be found at the end of this file. Systems Affected * Any software that is linked to zlib 1.1.3 or earlier may be affected * Data compression libraries derived from zlib 1.1.3 or earlier may contain a similar bug Overview There is a bug in the zlib compression library that may manifest itself as a vulnerability in programs that are linked with zlib. This may allow an attacker to conduct a denial-of-service attack, gather information, or execute arbitrary code. It is important to note that the CERT/CC has not received any reports of exploitation of this bug. Based on the information available to us at this time, it is difficult to determine whether this bug can be successfully exploited. However, given the widespread deployment of zlib, we have published this document as a proactive measure. I. Description There is a bug in the decompression algorithm used by the popular zlib compression library. If an attacker is able to pass a specially-crafted block of invalid compressed data to a program that includes zlib, the program's attempt to decompress the crafted data can cause the zlib routines to corrupt the internal data structures maintained by malloc. The bug results from a programming error that causes segments of dynamically allocated memory to be released more than once (i.e., "double-freed"). Specifically, when inftrees.c:huft_build() encounters the crafted data, it returns an unexpected Z_MEM_ERROR to inftrees.c:inflate_trees_dynamic(). When a subsequent call is made to infblock.c:inflate_blocks(), the inflate_blocks function tries to free an internal data structure a second time. Because this bug interferes with the proper allocation and deallocation of dynamic memory, it may be possible for an attacker to influence the operation of programs that include zlib. In most circumstances, this influence will be limited to denial of service or information leakage, but it is theoretically possible for an attacker to insert arbitrary code into a running program. This code would be executed with the permissions of the vulnerable program. The CERT/CC is tracking this issue as VU#368819. This reference number corresponds to CVE candidate CAN-2002-0059. II. Impact This bug may introduce vulnerabilities into any program that includes the affected library. Depending upon how and where the zlib routines are called from the given program, the resulting vulnerability may have one or more of the following impacts: denial of service, information leakage, or execution of arbitrary code. III. Solution Upgrade your version of zlib The maintainers of zlib have released version 1.1.4 to address this vulnerability. Upgrade any software that is linked to or derived from an earlier version of zlib. The latest version of zlib is available at http://www.zlib.org These are the MD5 checksums for zlib version 1.1.4: abc405d0bdd3ee22782d7aa20e440f08 zlib-1.1.4.tar.gz 9bf1d36ced334b0cf1f996f5c8171018 zlib114.zip Apply a patch from your vendor The zlib compression library is freely available and used by many vendors in a wide variety of applications. Any one of these applications may contain vulnerabilities that are introduced by this vulnerability. Appendix A contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments. Please contact your vendor directly. Appendix A. - Vendor Information This appendix contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments. Apple Computer, Inc. Mac OS X and Mac OS X Server do not contain this vulnerability. Compaq Computer Corporation COMPAQ COMPUTER CORPORATION ----------------------------- x-ref: SSRT0818 zlib At the time of writing this document, Compaq continues to evaluate this potential problem and impacts to Compaq released software. Compaq will implement solutions based on the conclusion of this evaluation as necessary. Compaq will provide notice of any new patches as a result any required solution through standard patch notification procedures and be available from your normal Compaq Services support channel. COMPAQ COMPUTER CORPORATION ----------------------------- Conectiva Linux Conectiva Linux supported versions (5.0, 5.1, 6.0, 7.0, ferramentas graficas and ecomerce) are affected by the zlib vulnerability. Updates will be sent to our security mailing lists and be available at our ftp site and mirrors. The updates will include a new version of zlib itself and also other packages which include their own version of zlib or are linked statically to the system-wide copy of zlib. Engarde EnGarde Secure Linux Community and Professional are both vulnerable to the zlib bugs. Guardian Digital addressed this vulnerability in ESA-20020311-008 which may be found at: http://www.linuxsecurity.com/advisories/other_advisory-1960.html EnGarde Secure Professional users may upgrade their systems using the Guardian Digital Secure Network. FreeBSD FreeBSD is not vulnerable, as the FreeBSD malloc implementation detects and complains about several programming errors including this kind of double free. Fujitsu Fujitsu's UXP/V operating system is not affected by the zlib vulnerability because it does not support zlib. Hewlett-Packard Company HP is not vulnerable. IBM Corporation IBM's AIX operating system, version 5.1, ships with open source-originated zlib that is used with the Redhat Package Manager (rpm) to install applications that are included in the AIX-Linux Affinity Toolkit. zlib (libz.a) is a shared library in AIX. AIX 5.1 is susceptible to the described vulnerability. AIX 4.3.x does not ship with zlib, but customers who install zlib and use it will be similarly vulnerable. IBM will make the patched version of zlib available as soon as it is made available to us. OpenBSD OpenBSD is not vulnerable as OpenBSD's malloc implementation detects double freeing of memory. The zlib shipped with OpenBSD has been fixed in OpenBSD-current in January 2002. Openwall GNU/*/Linux All versions of Openwall GNU/*/Linux (Owl) prior to the 2002/02/15 Owl-current snapshot are affected by the zlib double-free vulnerability. Owl-current after 2002/02/15 includes the proper fixes in its userland packages. In order to not place the users of other vendors' products at additional risk, we have agreed to delay documenting this as a security change and including the fixes in Owl 0.1-stable until there's a coordinated public announcement. While we don't normally support this kind of a policy (releasing a fix before there's an announcement), this time handling the vulnerability in this way was consistent with the state of things by the time the (already publicly known) bug was first realized to be a security vulnerability. The zlib bug could affect the following Owl packages: gnupg, openssh, rpm, texinfo (not necessarily in a security sense). Of these, the OpenSSH could potentially allow for an active remote attack resulting in a root compromise. If only SSH protocol version 1 is allowed in the OpenSSH server this is reduced to a local attack, but reverse remote attack possibilities by a malicious server remain. Additionally, any third-party software that makes use of the provided zlib library could be affected. Parts of the Linux 2.2 kernel included in Owl were also affected by the vulnerability. Fortunately, those parts (Deflate compression support for PPP and the experimental Deflate compression extension to IrDA) are normally not used by the Owl userland. The bug has been corrected starting with Linux 2.2.20-ow2 which has been made public and a part of both Owl-current and Owl 0.1-stable on 2002/03/03. This change, however, will only be documented in the publicly-available change logs on the coordinated public announcement date. Red Hat, Inc. Red Hat Linux ships with a zlib library that is vulnerable to this issue. Although most packages in Red Hat Linux use the shared zlib library we have identified a number of packages that either statically link to zlib or contain an internal version of the zlib code. Updates to zlib and these packages as well as our advisory note are available from the following URL. Users of the Red Hat Network can use the up2date tool to automatically upgrade their systems. http://www.redhat.com/support/errata/RHSA-2002-026.html Red Hat would like to thank CERT/CC for their help in coordinating this issue with other vendors. SGI SGI acknowledges the zlib vulnerabilities reported by CERT and is currently investigating. No further information is available at this time. For the protection of all our customers, SGI does not disclose, discuss or confirm vulnerabilities until a full investigation has occurred and any necessary patch(es) or release streams are available for all vulnerable and supported IRIX operating systems. Until SGI has more definitive information to provide, customers are encouraged to assume all security vulnerabilities as exploitable and take appropriate steps according to local site security policies and requirements. As further information becomes available, additional advisories will be issued via the normal SGI security information distribution methods including the wiretap mailing list on http://www.sgi.com/support/security/. XFree86 XFree86 versions 4.0 through 4.2.0 include zlib version 1.0.8. XFree86 3.x includes zlib version 1.0.4. The zlib code included with XFree86 is only used on some platforms. This is determined by the setting of HasZlib in the imake config files in the xc/config/cf source directory. If HasZlib is set to YES in the platform's vendor.cf file(s), then the system-provided zlib is used instead of the XFree86-provided version. XFree86 uses the system-provided zlib by default only on the following platforms: FreeBSD 2.2 and later NetBSD 1.2.2 and later OpenBSD Darwin Debian Linux The zlib code in XFree86 has been fixed in the CVS repository (trunk and the xf-4_2-branch branch) as of 14 February 2002. A source patch for XFree86 4.2.0 will be available from ftp://ftp.xfree86.org/pub/XFree86/4.2.0/fixes/. The following XFree86 4.2.0 binary distributions provided by XFree86 include and use a vulnerable version of zlib: Linux-alpha-glibc22 Linux-ix86-glibc22 When updated binaries are available, it'll be documented at http://www.xfree86.org/4.2.0/UPDATES.html. To check if an installation of XFree86 includes zlib, see if the following file exists: /usr/X11R6/lib/libz.a To check if an XFree86 X server is dynamically linked with zlib, look for a line containing 'libz' in the output of 'ldd /usr/X11R6/bin/XFree86'. Various vendors repackage and distribute XFree86, and may use settings and configurations different from those described here. zlib.org All users of zlib versions 1.1.3 or earlier should obtain the latest version, 1.1.4 or later, from http://www.zlib.org, in order to avoid this vulnerability as well as other possible vulnerabilities in versions prior to 1.1.3 when decompressing invalid data. Appendix B. - References * http://bugzilla.gnome.org/show_bug.cgi?id=70594 * http://www.kb.cert.org/vuls/id/368819 * http://www.libpng.org/pub/png/pngapps.html * http://www.redhat.com/support/errata/RHSA-2002-026.html _________________________________________________________________ The CERT/CC thanks Owen Taylor and Mark Cox of Red Hat, Inc. for reporting this vulnerability. We also thank Mark Adler of zlib.org for contributing to our research and Matthias Clasen for contributing to the discovery of this vulnerability. _________________________________________________________________ This document was written by Jeffrey P. Lanza. ______________________________________________________________________ This document is available from: http://www.cert.org/advisories/CA-2002-07.html ______________________________________________________________________ CERT/CC Contact Information Email: cert@cert.org Phone: +1 412-268-7090 (24-hour hotline) Fax: +1 412-268-6989 Postal address: CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh PA 15213-3890 U.S.A. CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends. Using encryption We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from http://www.cert.org/CERT_PGP.key If you prefer to use DES, please call the CERT hotline for more information. Getting security information CERT publications and other security information are available from our web site http://www.cert.org/ To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo@cert.org. Please include in the body of your message subscribe cert-advisory * "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office. ______________________________________________________________________ NO WARRANTY Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement. _________________________________________________________________ Conditions for use, disclaimers, and sponsorship information Copyright 2002 Carnegie Mellon University. Revision History Mar 12, 2002: Initial release -----BEGIN PGP SIGNATURE----- Version: PGP 6.5.8 iQCVAwUBPI5JsqCVPMXQI2HJAQFAvAP/f380BKQqJmAVsjL/482b86Mw8RL5k+Ov +ww1YfccKHTJdDlsqpIgX8LV59OII4KL31lAYrMrT2wJopY7wn7OSUvX7Z2aOLYE 0XQyjm5rT2mP9IKybBsHkXwHlTWZOi9iGnd9zSDndBgEaBifolcOh87z4zkE+noS OzDiRjPbg7s= =zhZM -----END PGP SIGNATURE----- -----BEGIN PGP SIGNED MESSAGE----- CERT Advisory CA-2001-12 Superfluous Decoding Vulnerability in IIS Original release date: May 15, 2001 Last revised: -- Source: CERT/CC A complete revision history is at the end of this file. Systems Affected * Systems running Microsoft IIS Overview A serious vulnerability in Microsoft IIS may allow remote intruders to execute commands on an IIS web server. This vulnerability closely resembles a previous vulnerability in IIS that was widely exploited. The CERT/CC urges IIS administrators to take action to correct this vulnerability. I. Description URIs may be encoded according to RFC 2396. Among other things, this RFC provides an encoding for arbitrary octets using the percent sign (%) and hexadecimal characters. Quoting from RFC 2396: An escaped octet is encoded as a character triplet, consisting of the percent character "%" followed by the two hexadecimal digits representing the octet code. For example, "%20" is the escaped encoding for the US-ASCII space character. escaped = "%" hex hex hex = digit | "A" | "B" | "C" | "D" | "E" | "F" Like all web servers, Microsoft IIS decodes input URIs to a canonical format. Thus, the following encoded string: A%20Filename%20With%20Spaces will get decoded to A Filename With Spaces Unfortunately, IIS decodes some of the input twice. The second decoding is superfluous. Security checks are applied to the results of the first decoding, but IIS utilizes the results of the second decoding. If the results of the first decoding pass the security checks and the results of the second decoding refer to a valid file, access will be granted to the file even if it should not be. More information is available at http://www.microsoft.com/technet/security/bulletin/MS01-026.asp http://www.nsfocus.com/english/homepage/sa01-02.htm http://www.kb.cert.org/vuls/id/789543 Note that this does not permit intruders to bypass ACLs enforced by the filesystem, only security checks performed by IIS. We encourage you to configure your web server according to the guidelines provided in http://www.microsoft.com/technet/security/iis5chk.asp http://www.microsoft.com/technet/security/iischk.asp http://www.microsoft.com/technet/security/tools.asp Theses guidelines can help you reduce your exposure to this problem, and possibly to problems that have not yet been discovered. This issue was discovered by NSFocus. The CVE Project has assigned the following identifier to this vulnerability: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333 This vulnerability has many similarities to the Web Server Folder Directory Traversal Vulnerability, which has been widely exploited. For more information on that vulnerability, see http://www.kb.cert.org/vuls/id/111677 II. Impact Intruders can run arbitrary commands with the privileges of the IUSR_machinename account. III. Solutions Apply a patch from your vendor Information on patches from Microsoft is available at http://www.microsoft.com/technet/security/bulletin/MS01-026.asp Additional advice on securing IIS web servers is available from http://www.microsoft.com/technet/security/iis5chk.asp http://www.microsoft.com/technet/security/tools.asp Appendix A. Vendor Information Microsoft Corporation The following documents regarding this vulnerability are available from Microsoft: http://www.microsoft.com/technet/security/bulletin/MS01-026.asp Authors: Shawn Hernan. ______________________________________________________________________ This document is available from: http://www.cert.org/advisories/CA-2001-12.html ______________________________________________________________________ CERT/CC Contact Information Email: cert@cert.org Phone: +1 412-268-7090 (24-hour hotline) Fax: +1 412-268-6989 Postal address: CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh PA 15213-3890 U.S.A. CERT personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends. Using encryption We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from http://www.cert.org/CERT_PGP.key If you prefer to use DES, please call the CERT hotline for more information. Getting security information CERT publications and other security information are available from our web site http://www.cert.org/ To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo@cert.org. Please include in the body of your message subscribe cert-advisory * "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office. ______________________________________________________________________ NO WARRANTY Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement. _________________________________________________________________ Conditions for use, disclaimers, and sponsorship information Copyright 2001 Carnegie Mellon University. Revision History May 15, 2001: Initial Release -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 5.0i for non-commercial use Charset: noconv iQCVAwUBOwFD9wYcfu8gsZJZAQEc0AP6A7XLQiQ7to6uzTeOyFRb+vXUBI1zBmT1 TvVwLodq6wfeS0vG/+Ta0KC28CFthDs9vUrw6HTnVeeFilKRqUhPgR8Izgd56ePc SKalqxv41DRvkusTlvrygFw1IUzdCJ0/EzWUiRpqu1QV7ZWmNTTVG4ycoEM++cLh 67h5IqMR/iU= =z3yR -----END PGP SIGNATURE----- -- ┌─────◆KKCITY◆─────┐  ╱  ╱   ̄ ▌ ̄  ̄ ╲╱ BBS 城邦 │ bbs.kkcity.com.tw │  ╲  ╲  ╴ ▌ ▌ ▏ KK免費撥接 └──《From:61.231.110.67 》──┘ http://www.kkcity.com.tw/freeisp/  .