Full Disclosure mailing list archives
Re: Microsoft Windows 2000/XP/2003/Vista ReadDirectoryChangesW informaton leak
From: 3APA3A <3APA3A () SECURITY NNOV RU>
Date: Thu, 22 Feb 2007 15:03:33 +0300
Dear Andres Tarasco, Agree, but actually, I mean to store sensitive data in different location (different network share). There will be one more advisory, it will demonstrate symlink-like attacks on Windows. In the same advisory I plan to discuss problem of secure data in insecure folder mode deeply. E.g. it's quite impossible for administrator to _create_ secure folder in insecure one without not-quite-race conditions this folder will be available for different bad things (without deleting network share, of cause). Under POSIX system this problem is solvable with umask, for Windows it seems it was never discussed. --Thursday, February 22, 2007, 2:29:49 PM, you wrote to 3APA3A () security nnov ru: AT> Hi, AT> You told that as a workaround that we should never allow "creation of more AT> secure folder in less secure ones." AT> I agree but, as i see.., that means that also allowing the "Bypass traverse AT> checking" policy is also a bad idea. AT> Anyway, there are several scenarios where we could not protect us against AT> that threat easily, like for example a shared environment with terminal AT> server/citrix where all our stored documents can be stolen. AT> In that case, only a software restriction policy will protect us. AT> regards, AT> Andres Tarasco AT> 2007/2/22, 3APA3A <3APA3A () security nnov ru>:
Title: Microsoft Windows 2000/XP/2003/Vista ReadDirectoryChangesW informaton leak Author: 3APA3A, http://securityvulns.com Affected: Microsoft Windows 2000,XP,2003,Vista Exploitable: Yes Type: Remote (from local network), authentication required (NULL session was not tested). Class: Information leak, insecure design CVE: CVE-2007-0843 Original Advisory: http://securityvulns.com/advisories/readdirectorychanges.asp SecurityVulns news: http://securityvulns.com/news/Microsoft/Windows/ReadDirector.html Intro: It's very simple yet interesting vulnerability. ReadDirectoryChangesW() API allows application to monitor directory changes in real time. bWatchSubtree parameter of this functions allows to monitor changes within whole directory tree with of monitored directory. To monitor changes directory must be open with LIST (READ) access. Function returns the list of modified files with a type of modification. File modification refers to any modification of file record in directory. Vulnerability: ReadDirectoryChangesW() doesn't check user's permissions for child child objects, making it's possible to retrieve information about objects user has no "LIST" permissions. Impact: Any unprivileged user with LIST access to parent directory can monitor any files in child directories regardless of subdirectories and files permissions. Because by default Windows updates access time of any accessed files on NTFS volumes, it makes it possible for user to gather information about NTFS-protected files, their names and time of access to the files (reading, writing, creation, deletion, renaming, etc). Filenames may contain sensitive information or leak information about user's behavior (e.g. cookies files). In addition to it's own impact, this vulnerability elevates impact of few different vulnerabilities and common practices, to be reported later. Exploit: http://securityvulns.com/files/spydir.c compiled version of Spydir is available from http://securityvulns.com/soft/ Usage example: spydir \\corpsrv\corpdata I believe you find this utility useful regardless of this security issue. It shows names of accessed/modified files for given directory in real time (it seems there are non-security bugs in ReadDirectoryChangesW implementations, e.g. you can not see non-ASCII names and some changes are missing). Workaround: Avoid creation of more secure folder in less secure ones. Avoid using sensitive data in documents naming. Vendor (Microsoft): January, 17 2006 Initial vendor notification January, 18 2006 Vendor reply (assigned) January, 26 2006 2nd vendor notification February, 7 2006 3rd vendor notification February, 9 2006 Vendor accepted vulnerability as "service pack class" for Windows XP and Windows 2003. February, 9 2006 Accepted to wait until SP February, 22 2006 Vendor gives SP timelines (late 2006 for W2K3 SP2 and 2007 for XP SP3) February, 22 2007 Public release, because Windows Vista is released with same vulnerability. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
-- ~/ZARAZA http://securityvulns.com/ Æàëî ìíå íå ïîíàäîáèòñÿ (Ñ. Ëåì) _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Microsoft Windows 2000/XP/2003/Vista ReadDirectoryChangesW informaton leak 3APA3A (Feb 22)
- Re: Microsoft Windows 2000/XP/2003/Vista ReadDirectoryChangesW informaton leak Andres Tarasco (Feb 22)
- Re: Microsoft Windows 2000/XP/2003/Vista ReadDirectoryChangesW informaton leak 3APA3A (Feb 22)
- Re: Microsoft Windows 2000/XP/2003/Vista ReadDirectoryChangesW informaton leak Andres Tarasco (Feb 22)