Title: Windows 2000 system partition weak default permissions
Affected: Windows 2000
Vendor: Microsoft
Author: ZARAZA <[email protected]>
Date: August, 03 2002
Risk: Average
Exploitable: Yes
Remote: No
Vendor notified: few months ago
SECURITY.NNOV URL: http://www.security.nnov.ru
Advanced info: http://www.security.nnov.ru/search/news.asp?binid=2205
I. Introduction:
To protect system files located in the root of the system partition
(boot.ini, ntdetect.com, ntldr, etc.), the Windows 2000 setup program
applies NTFS permissions that allow only administrators and advanced
users to access these files.
II. Vulnerability:
The system partition itself has the Everyone/Full Control access
permission.
III. Details:
For POSIX compatibility, a user with the Full Control NTFS permission
on a folder may delete any file from this folder regardless of the
individual file permissions. This makes it possible for a user to become
the owner of, and to get full control over, any system file located in
the root of the system partition with the following scenario:
This makes it possible to trojan system files in order to execute code
in kernel space and/or to change the boot sequence.
IV. Solution:
Replace the Full Control permission for the Everyone group with any
reasonable set of permissions on all root folders.
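The delete rule from section III and the fix from section IV, modelled as
an added example that is not part of the original advisory. The ACLs are
constructed sample data, Read & Execute stands in as one assumed
"reasonable" replacement, and deny ACEs and privileges are ignored.

```python
# Added example: models the NTFS delete check described in the advisory.
# The access-mask constants are the documented Windows values; the ACLs
# below are constructed sample data, not read from a real volume.
FILE_DELETE_CHILD = 0x00000040  # directory right: delete any child entry
DELETE            = 0x00010000  # right to delete the object itself
FULL_CONTROL      = 0x001F01FF  # FILE_ALL_ACCESS, includes FILE_DELETE_CHILD
READ_EXECUTE      = 0x001200A9  # read/traverse only, no delete rights

BROAD_TRUSTEES = {"Everyone", "Users", "Authenticated Users"}


def granted(acl, groups):
    """OR together the allow-ACE masks that apply to the caller's groups."""
    mask = 0
    for trustee, ace_mask in acl:
        if trustee in groups:
            mask |= ace_mask
    return mask


def can_delete(file_acl, parent_acl, groups):
    """Delete succeeds with DELETE on the file OR FILE_DELETE_CHILD on its folder."""
    return bool(granted(file_acl, groups) & DELETE
                or granted(parent_acl, groups) & FILE_DELETE_CHILD)


def audit_folder(path, acl):
    """Report broad groups that hold FILE_DELETE_CHILD on a folder."""
    return [(path, trustee, hex(mask)) for trustee, mask in acl
            if trustee in BROAD_TRUSTEES and mask & FILE_DELETE_CHILD]


# Constructed sample: root ACL as reported in section II, a protected boot
# file, and a tightened root ACL (assumed choice) as asked for in section IV.
ROOT_DEFAULT = [("Everyone", FULL_CONTROL)]
ROOT_FIXED = [("Administrators", FULL_CONTROL), ("Everyone", READ_EXECUTE)]
BOOT_FILE = [("Administrators", FULL_CONTROL), ("Power Users", READ_EXECUTE)]
USER = {"Everyone", "Users"}  # ordinary, non-administrative account

if __name__ == "__main__":
    for name, root in (("default", ROOT_DEFAULT), ("fixed", ROOT_FIXED)):
        print(name, "- user can delete boot file:",
              can_delete(BOOT_FILE, root, USER))
        print(name, "- audit findings:", audit_folder("C:\\", root))
```

The file's own ACL grants the ordinary user nothing in either case; only
the folder ACE changes the result.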