Computer Security
[EN] securityvulns.ru
Title:          Microsoft Windows 2000/XP/2003/Vista ReadDirectoryChangesW
               information leak
Author:         3APA3A, http://securityvulns.com
Affected:       Microsoft Windows 2000,XP,2003,Vista
Exploitable:    Yes
Type:           Remote  (from  local  network), authentication required
               (NULL session was not tested).
Class:          Information leak
CVE:            CVE-2007-0843


Intro:

It is a very simple yet interesting vulnerability. The ReadDirectoryChangesW()
API allows an application to monitor directory changes in real time. The
bWatchSubtree parameter of this function allows monitoring changes within
the whole directory tree rooted at the monitored directory. To monitor
changes, the directory must be opened with LIST access. The function
returns the list of modified files together with the type of modification.
File modification refers to any modification of the file's record in the
directory.

Vulnerability:

ReadDirectoryChangesW() doesn't check the user's permissions for child
directories.

Impact:

Any unprivileged user with LIST access to a parent directory can monitor
any files in its child directories regardless of the files' permissions.
Because by default Windows updates the access time of any accessed file
on NTFS volumes, this makes it possible for the user to gather information
about NTFS-protected files: their names and the times of access to the
files (reading, writing, creation, deletion, renaming, etc.). Filenames
may contain sensitive information or leak information about the user's
behavior (e.g. cookie files).

Exploit:

http://securityvulns.com/files/spydir.c

Usage example:

spydir \\corpsrv\corpdata

I believe you will find this utility useful regardless of this security
issue. It shows the names of accessed/modified files for a given directory
in real time (it seems there are non-security bugs in ReadDirectoryChangesW
implementations, e.g. you cannot see non-ASCII names and some changes are
missing).

Compiled version can be downloaded from http://securityvulns.com/soft/

Workaround:

Avoid creating more secure folders inside less secure ones. Avoid using
sensitive data in document names.
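The first workaround is only actionable if you can find the nesting it warns about. The following PowerShell audit is an added example, not the advisory's spydir tool: it walks a tree and reports every subdirectory that some principal can list (and therefore watch via ReadDirectoryChangesW() with bWatchSubtree on the parent) at the parent level but not at the child level. It compares Allow/Deny ACEs by principal name rather than computing effective access through group membership, so treat its output as a lead, not a verdict; the root path is a parameter and it assumes the caller can read ACLs on the whole tree.

```powershell
# Find "more secure folder inside less secure folder" nesting under $Root.
# Added example for CVE-2007-0843; assumes Windows PowerShell 3+ and read
# access to every DACL in the tree.
param([Parameter(Mandatory)][string]$Root)

# FILE_LIST_DIRECTORY is the access the advisory says suffices to watch a tree.
$ListRight = [int][System.Security.AccessControl.FileSystemRights]::ListDirectory

function Get-ListPrincipals {
    param([string]$Path)
    # Principals with an Allow ACE containing ListDirectory, minus those with
    # a matching Deny ACE. Comparison is by identity string (heuristic only:
    # group membership is not resolved here).
    $acl = Get-Acl -LiteralPath $Path
    $allowed = @{}
    foreach ($ace in $acl.Access) {
        $hasList = ([int]$ace.FileSystemRights -band $ListRight) -ne 0
        if ($hasList -and $ace.AccessControlType -eq 'Allow') {
            $allowed[$ace.IdentityReference.Value] = $true
        }
    }
    foreach ($ace in $acl.Access) {
        $hasList = ([int]$ace.FileSystemRights -band $ListRight) -ne 0
        if ($hasList -and $ace.AccessControlType -eq 'Deny') {
            $allowed.Remove($ace.IdentityReference.Value)
        }
    }
    return @($allowed.Keys)
}

Get-ChildItem -LiteralPath $Root -Directory -Recurse | ForEach-Object {
    $child  = $_.FullName
    $parent = $_.Parent.FullName
    $parentList = Get-ListPrincipals $parent
    $childList  = Get-ListPrincipals $child
    # Anyone who may list the parent but not the child can still learn file
    # names and change times inside the child through the parent's watch.
    $exposed = $parentList | Where-Object { $childList -notcontains $_ }
    if ($exposed) {
        [pscustomobject]@{
            Directory = $child
            Parent    = $parent
            ExposedTo = ($exposed -join ', ')
        }
    }
}
```

Run it against the share root (for example `.\Find-NestedSecureDirs.ps1 -Root \\corpsrv\corpdata`, using a hypothetical script name) and review each reported directory: either move it out of the listable parent or tighten LIST access on the parent.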

Vendor (Microsoft):

January, 17 2006          Initial vendor notification
January, 18 2006          Vendor reply (assigned)
January, 26 2006          2nd vendor notification
February, 7 2006          3rd vendor notification
February, 9 2006          Vendor accepted vulnerability as "service pack
                         class" for Windows XP and Windows 2003.
February, 9 2006          Accepted to wait until SP
February, 22 2006         Vendor gives SP timelines (late 2006 for W2K3
                         SP2 and 2007 for XP SP3)
February, 22 2007         Public release, because Windows Vista was
                         released with the same vulnerability.

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod