Title: Windows 2000 system partition weak default
Affected: Windows 2000
Author: ZARAZA <[email protected]>
Date: August, 03 2002
Vendor notified: May, 17 2002
SECURITY.NNOV URL: http://www.security.nnov.ru
Advanced info: http://www.security.nnov.ru/search/news.asp?binid=2205
To protect the system files located in the root of the system partition
(boot.ini, ntdetect.com, ntldr, autoexec.bat, etc.), Windows 2000 applies a
security template with NTFS permissions that allow only administrators and
advanced users to access these files.
The system partition itself has the Everyone/Full Control access permission.
Microsoft (and NIST draft) documents also recommend Everyone/Full Control
or Authenticated Users/Full Control permissions.
For POSIX compatibility, a user with the Full Control NTFS permission on a
folder may delete any file from that folder regardless of the file's own
permissions. This makes it possible for a user to become the owner of, and
get full control over, any system file located in the root of the system
partition:
1. Delete the original file (delete only, because putting the file into
the recycle bin requires read permission).
2. Create a new file with the same name. The user is now the owner of this
new file and has the Full Control permission on it, inherited from the
folder.
This makes it possible to trojan system files in order to execute code in
kernel space and/or to change the boot sequence. It is not as hard as it
seems: it's trivial to exploit this problem to get system-level access or
to run an application in the logged-on user's context without
programming/debugging skills (hint: 'strings ntldr').
The workaround is very easy. Replace the Full Control permission for the
Everyone group with any reasonable set of permissions on all root folders,
including the system partition. You can replace the Full Control shorthand
with the explicit list of special permissions. For NTFS this has the same
effect, except that the user will not be able to remove a file for which
he has no delete permission.
Installing the hisec*.inf security template doesn't solve this problem.
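As an added example (not the author's code, and not something Windows 2000 itself can run, since it predates PowerShell): the check and workaround above written as a PowerShell script for a current Windows version, run as an administrator. The folder right that lets a user delete files regardless of their own DACL is "Delete subfolders and files" (FILE_DELETE_CHILD); the script looks for it in Allow entries for broad groups on every volume root and, with -Fix, replaces such entries with Modify, chosen here as one "reasonable set" because it drops that right together with Change permissions and Take ownership.

```powershell
# Added example, not part of the original advisory: audit the root of every
# fixed volume for an Allow ACE that grants "Delete subfolders and files"
# (FILE_DELETE_CHILD) to a broad group, and optionally replace it with Modify.
# Assumes Windows PowerShell 5.1 or later, run as an administrator.
param([switch]$Fix)

$broadGroups = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
$rights      = [System.Security.AccessControl.FileSystemRights]
$deleteChild = $rights::DeleteSubdirectoriesAndFiles

function Test-DeleteChildAce([System.Security.AccessControl.FileSystemAccessRule]$ace) {
    # A broad group holding FILE_DELETE_CHILD on the folder can delete any file
    # in it regardless of the file's own DACL: the weak default described above.
    $ace.AccessControlType -eq 'Allow' -and
    -not $ace.IsInherited -and
    $broadGroups -contains $ace.IdentityReference.Value -and
    (([int]$ace.FileSystemRights -band [int]$deleteChild) -eq [int]$deleteChild)
}

$volumes = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root -match '^[A-Z]:\\$' }
foreach ($vol in $volumes) {
    $acl  = Get-Acl -Path $vol.Root
    $weak = @($acl.Access | Where-Object { Test-DeleteChildAce $_ })
    if ($weak.Count -eq 0) { Write-Output "$($vol.Root): OK"; continue }
    foreach ($ace in $weak) {
        Write-Warning "$($vol.Root): $($ace.IdentityReference) has $($ace.FileSystemRights) (includes Delete subfolders and files)"
        if ($Fix) {
            # Keep the identity and inheritance flags but grant Modify instead: the
            # user keeps read/write/execute and can still delete files he has Delete
            # on, while Delete subfolders and files, Change permissions and
            # Take ownership are no longer granted on the folder.
            $replacement = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $ace.IdentityReference, $rights::Modify,
                $ace.InheritanceFlags, $ace.PropagationFlags, 'Allow')
            [void]$acl.RemoveAccessRule($ace)
            [void]$acl.AddAccessRule($replacement)
        }
    }
    if ($Fix) { Set-Acl -Path $vol.Root -AclObject $acl; Write-Output "$($vol.Root): fixed" }
}
```

Run without -Fix first to see which roots are affected; the inheritance flags are preserved so existing subfolders that inherit the entry get the narrowed rights on the next ACL propagation.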
Microsoft was informed on May 17. The reply, also dated May 17:
Many thanks for your email. We have received reports already on this
issue and we are actively investigating this.
Many thanks again for taking the time to email us.
It looks like there is still no patch for Windows 2000. The security
templates and documentation have not been corrected.