Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re[2]: Microsoft Windows Vista/2003/XP/2000 file management security issues

From: 3APA3A <3APA3A () SECURITY NNOV RU>
Date: Wed, 14 Mar 2007 02:08:00 +0300
Dear Paweł Goleń,

--Tuesday, March 13, 2007, 11:34:53 PM, you wrote to bugtraq () securityfocus com:



Process 1: Opens file for reading with
FILE_SHARE_WRITE|FILE_SHARE_READ|FILE_SHARE_DELETE
Process 2: Opens file for writing with FILE_SHARE_NONE and _succeeds_.

With valid mandatory locking implementation process 2 _must fail_.


PG> 3APA3A, from one hand you are right this may be considered to be
PG> vulnerability in Windows mandatory file locks. But I'm not sure if file
PG> locks in Windows are mandatory. I've never considered "share modes" to
PG> be security feature.

It was advised in original article.

PG> In  order  to be sure I'm creating not opening file I would probably
PG> used  CREATE_NEW  as  value  for dwCreationDisposition attribute AND
PG> FILE_SHARE_NONE to prevent others processess to open my file.

...

PG> Am I correct or I'm missing something?

You are right, and again it was  advised in article.

You've  only  missed  the fact, sometimes you need to create a file with
given  name.  The  examples  were  demonstrated  -  file copy operation,
archive  extraction, restore from backup, file replications and creation
of any persistent file (e.g. new document). And you get a problem - what
to do with existing file, you can not simply create new one.

At  my opinion, if CREATE_NEW fails because file exists and user asks to
overwrite  file,  application  should  try  to  remove existing file and
re-create it with CREATE_NEW and fail, if second attempt with CREATE_NEW
fails.  But:  ALL TESTED APPLICATIONS FAILED to act like this. It's true
even  for  application  you may expect to operate in secure way, because
they  restore  original  file permissions and may be used to copy secret
information.

Namely:

xcopy     (standard utility) with /Y opens existing file without attempt
          to delete it.
robocopy  (from resource kit) opens existing file
ntbackup  (if "replace file" option is on during restore) opens existing
          file
rar       opens existing file

PG> And one question - which flag for dwCreationDisposition is used for
PG> example by Microsoft World during creating temporary files.

According  to  tests  I  recently made, Word correctly behaves with both
original  file  (it  doesn't edit original file, but renames it, creates
new  one  and  copies  content)  and  temporary  file  (also new file is
created).  It  may be slow, but it's safe :) It may be possible to catch
race  condition  between old file is renamed and new one is created, but
it's a bit harder to test.

-- 
~/ZARAZA http://securityvulns.com/
Previous By Date Next
Previous By Thread Next

Current thread: