Информационная безопасность
[RU] switch to English


Дополнительная информация

  Слабые разрешения системного раздела в Windows 2000 (weak permissions)

  Microsoft Security Bulletin MS02-064: Windows 2000 Default Permissions Could Allow Trojan Horse Program (Q327522)

From:3APA3A <3APA3A_(at)_security.nnov.ru>
Date:3 августа 2002 г.
Subject:SECURITY.NNOV: Windows 2000 system partition weak default permissions


Title:                  Windows 2000 system partition weak default
                       permissions
Affected:               Windows 2000
Vendor:                 Microsoft
Author:                 ZARAZA <[email protected]>
Date:                   August, 03 2002
Risk:                   Average
Exploitable:            Yes
Remote:                 No
Vendor notified:        few months ago
SECURITY.NNOV URL:      http://www.security.nnov.ru
Advanced info:          http://www.security.nnov.ru/search/news.asp?binid=2205

I. Introduction:

To  protect  system  files  located  in  the  root  of  system partition
(boot.ini,  ntdetect.com, ntldr, etc) Windows 2000 setup program applies
NTFS  permissions  to  only  allow  administrators and advanced users to
access this files.

II. Vulnerability:

System partition itself has Everyone/Full Control access permission.

III. Details:

For  POSIX  compatibility  user  with  Full  Control NTFS permission for
folder  may  delete  any  file from this folder regardless of individual
file  permissions.  It makes it possible for user to become owner and to
get  full control to any system file located in root of system partition
with next scenario:

1. Delete original file (only delete, because putting file into recycle
bin requires read permission).
2. Put new file with the same name. Now user is owner for this new file
and  he  has  Full Control permission for this file inherited from root
folder.

It  makes  it  possible  to  trojan system files to execute some code in
kernel space and/or to change boot sequence.

IV. Solution

Replace  Full  Control permission for Everyone group with any reasonable
set of permissions for all root folders.




--
http://www.security.nnov.ru
        /\_/\
       { , . }     |\
+--oQQo->{ ^ }<-----+ \
|  ZARAZA  U  3APA3A   }
+-------------o66o--+ /
                   |/
You know my name - look up my number (The Beatles)

О сайте | Условия использования
© SecurityVulns, 3APA3A, Владимир Дубровин
Нижний Новгород