Title: Microsoft Windows 2000/XP/2003/Vista ReadDirectoryChangesW
Author: 3APA3A, http://securityvulns.com
Affected: Microsoft Windows 2000,XP,2003,Vista
Type: Remote (from local network), authentication required
(NULL session was not tested).
Class: Information leak
It's very simple yet interesting vulnerability. ReadDirectoryChangesW()
API allows application to monitor directory changes in real time.
bWatchSubtree parameter of this functions allows to monitor changes
within whole directory tree with a root in monitored directory. To
monitor changes directory must be open with LIST access. Function
returns the list of modified files with a type of modification. File
modification refers to any modification of file record in directory.
ReadDirectoryChangesW() doesn't check user's permissions for child
Any unprivileged user with LIST access to parent directory can monitor
any files in child directories regardless of files permissions. Because
by default Windows updates access time of any accessed files on NTFS
volumes, it makes it possible for user to gather information about
NTFS-protected files, their names and time of access to the files
(reading, writing, creation, deletion, renaming, etc). Filenames may
contain sensitive information or leak information about user's behavior
(e.g. cookies files).
I believe you find this utility useful regardless of this security
issue. It shows names of accessed/modified files for given directory in
real time (it seems there are non-security bugs in ReadDirectoryChangesW
implementations, e.g. you can not see non-ASCII names and some changes
Compiled version can be downloaded from http://securityvulns.com/soft/
Avoid creation of more secure folder in less secure ones. Avoid using
sensitive data in documents naming.
January, 17 2006 Initial vendor notification
January, 18 2006 Vendor reply (assigned)
January, 26 2006 2nd vendor notification
February, 7 2006 3rd vendor notification
February, 9 2006 Vendor accepted vulnerability as "service pack
class" for Windows XP and Windows 2003.
February, 9 2006 Accepted to wait until SP
February, 22 2006 Vendor gives SP timelines (late 2006 for W2K3
SP2 and 2007 for XP SP3)
February, 22 2007 Public release, because Windows Vista is
released with same vulnerability.