SECURITYVULNS:DOC:3323
Aug 03, 2002

SECURITY.NNOV: Windows 2000 system partition weak default permissions


Title: Windows 2000 system partition weak default permissions
Affected: Windows 2000
Vendor: Microsoft
Author: ZARAZA <[email protected]>
Date: August, 03 2002
Risk: Average
Exploitable: Yes
Remote: No
Vendor notified: few months ago
SECURITY.NNOV URL: http://www.security.nnov.ru
Advanced info: http://www.security.nnov.ru/search/news.asp?binid=2205

I. Introduction:

To protect system files located in the root of the system partition
(boot.ini, ntdetect.com, ntldr, etc.), the Windows 2000 setup program
applies NTFS permissions that allow only administrators and advanced
users to access these files.

II. Vulnerability:

The system partition itself has the Everyone/Full Control access permission.

III. Details:

For POSIX compatibility, a user with Full Control NTFS permission on a
folder may delete any file from that folder regardless of the individual
file permissions. This makes it possible for a user to become the owner
of, and get full control over, any system file located in the root of
the system partition with the following scenario:

  1. Delete the original file (delete only, because moving a file to the
    Recycle Bin requires read permission).
  2. Create a new file with the same name. The user is now the owner of
    this new file and has Full Control permission on it, inherited from
    the root folder.

This makes it possible to trojan system files to execute some code in
kernel space and/or to change the boot sequence.

IV. Solution

Replace the Full Control permission for the Everyone group with any
reasonable set of permissions for all root folders.
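
An audit sketch for the condition described in section III, added here as an example and not part of the original advisory: it parses SDDL strings and reports whether Everyone can delete and re-create a file because of the parent folder's ACL. The SDDL samples are constructed, the function names are hypothetical, and deny ACEs and group membership are not evaluated.

```python
import re

# Access-mask bits from winnt.h.
FILE_ADD_FILE, FILE_DELETE_CHILD, DELETE = 0x2, 0x40, 0x10000
FILE_ALL_ACCESS = 0x1F01FF
# SDDL rights tokens this sketch understands, as file access masks.
RIGHTS = {"FA": FILE_ALL_ACCESS, "GA": FILE_ALL_ACCESS, "FR": 0x120089,
          "FW": 0x120116, "FX": 0x1200A0, "SD": DELETE,
          "DT": FILE_DELETE_CHILD, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000}
EVERYONE = {"WD", "S-1-1-0"}  # as a trustee, "WD" is the World (Everyone) SID


def parse_rights(text):
    """Turn an SDDL rights field (hex or two-letter tokens) into a mask."""
    if text.lower().startswith("0x"):
        return int(text, 16)
    mask = 0
    for token in re.findall("..", text):
        mask |= RIGHTS[token]
    return mask


def allowed_mask(sddl, trustees=EVERYONE):
    """OR of allow-ACE rights that apply to the object itself for `trustees`.
    Assumption: deny ACEs and group membership are not evaluated."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]
    mask = 0
    for ace in re.findall(r"\(([^)]*)\)", dacl):
        ace_type, flags, rights, _, _, sid = ace.split(";")[:6]
        inherit_only = "IO" in re.findall("..", flags)
        if ace_type == "A" and sid in trustees and not inherit_only:
            mask |= parse_rights(rights)
    return mask


def can_delete(file_sddl, parent_sddl):
    """Delete needs DELETE on the file or FILE_DELETE_CHILD on its parent."""
    return bool(allowed_mask(file_sddl) & DELETE
                or allowed_mask(parent_sddl) & FILE_DELETE_CHILD)


def can_replace(file_sddl, parent_sddl):
    """Both steps of the scenario: delete the file, then add a new one."""
    return (can_delete(file_sddl, parent_sddl)
            and bool(allowed_mask(parent_sddl) & FILE_ADD_FILE))


# Constructed samples: a protected file, the weak root ACL, a tightened root ACL.
BOOT_INI = "O:BAG:SYD:(A;;FA;;;BA)(A;;FA;;;SY)(A;;0x1200a9;;;PU)"
WEAK_ROOT = "O:BAG:SYD:(A;OICI;FA;;;WD)"
FIXED_ROOT = "O:BAG:SYD:(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;WD)"
```
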


http://www.security.nnov.ru
/\_/\
{ , . } |\
+--oQQo->{ ^ }<-----+ \
| ZARAZA U 3APA3A }
+-------------o66o--+ /
|/
You know my name - look up my number (The Beatles)