Bugtraq mailing list archives
Re: Microsoft Windows Vista/2003/XP/2000 file management security issues
From: Daniel Hazelton <dhazelton () enter net>
Date: Tue, 13 Mar 2007 13:29:39 -0400
On Tuesday 13 March 2007 12:01:51 3APA3A wrote:
Dear Steven M. Christey, --Tuesday, March 13, 2007, 2:14:36 AM, you wrote to bugtraq () securityfocus com: SMC> 3APA3A said:I. There is no symlinks under Windows. Symlink attacks are not possible.SMC> I'm not a Windows expert, but... There have been some past SMC> vulnerabilities where an attacker could upload a shortcut (.lnk) file SMC> and access files outside of the intended directory. In cases of FTP SMC> servers or mail clients, this makes symlink style attacks remotely SMC> feasible. Some previously reported examples are SMC> CVE-2004-2672/CVE-2005-0519/CVE-2005-0520 (argosoft), CVE-2005-2184 SMC> (eRoom), CVE-2005-0587 (Firefox), and CVE-2001-1386 (WFTPD). SMC> So, issues *like* symlink vulnerabilities can happen on Windows - but SMC> whether they're under-reported is unknown. These attacks are remote and have attack vector absolutely different from Unix symlink attacks. Standard Windows files API doesn't handle .lnk files, application must be specially written to support them. Symlink attack is also possible against e.g. Cygwin-ported application.
I haven't used Vista at all, but from reading the MS documentation about the new version of NTFS that it uses it appears that Unix style symlinks are supported. (From what I can tell they've been possible since the start, just not implemented) So for any WIndows system that shares the new NTFS code with Vista this is a valid vuln. Although I'm not positive about whether MS actually released tools along with Vista to use this feature, I'm more than certain that it does exist. (However, this may be a moot point. MS might still flag a cross-reference like a Unix-style symlink as a filesystem error) DRH
Current thread:
- Re: [Full-disclosure] Microsoft Windows Vista/2003/XP/2000 file management security issues, (continued)
- Message not available
- Re: [Full-disclosure] Microsoft Windows Vista/2003/XP/2000 file management security issues Thor (Hammer of God) (Mar 10)
- RE: [Full-disclosure] Microsoft Windows Vista/2003/XP/2000 file management security issues Roger A. Grimes (Mar 10)
- Message not available
- Re: Re[2]: [Full-disclosure] Microsoft Windows Vista/2003/XP/2000 file management security issues Thor (Hammer of God) (Mar 12)
- Re[2]: [Full-disclosure] Microsoft Windows Vista/2003/XP/2000 file management security issues 3APA3A (Mar 12)
- RE: Re[2]: Microsoft Windows Vista/2003/XP/2000 file management security issues M. Burnett (Mar 09)
- RE: Re[2]: Microsoft Windows Vista/2003/XP/2000 file management security issues Roger A. Grimes (Mar 09)
- Message not available
- RE: Re[4]: Microsoft Windows Vista/2003/XP/2000 file management security issues Roger A. Grimes (Mar 09)
- Message not available
- Re: Re[2]: Microsoft Windows Vista/2003/XP/2000 file management security issues Thor (Hammer of God) (Mar 09)
- Re[2]: Microsoft Windows Vista/2003/XP/2000 file management security issues 3APA3A (Mar 13)
- Re: Microsoft Windows Vista/2003/XP/2000 file management security issues Daniel Hazelton (Mar 13)
- Re[2]: Microsoft Windows Vista/2003/XP/2000 file management security issues 3APA3A (Mar 15)
- Re: Microsoft Windows Vista/2003/XP/2000 file management security issues Paweł Goleń (Mar 13)
- Re[2]: Microsoft Windows Vista/2003/XP/2000 file management security issues 3APA3A (Mar 14)