Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:16139
HistoryFeb 22, 2007 - 12:00 a.m.

Microsoft Windows 2000/XP/2003/Vista ReadDirectoryChangesW informaton leak

2007-02-2200:00:00
vulners.com
43
JSON

Title: Microsoft Windows 2000/XP/2003/Vista ReadDirectoryChangesW
informaton leak
Author: 3APA3A, http://securityvulns.com
Affected: Microsoft Windows 2000,XP,2003,Vista
Exploitable: Yes
Type: Remote (from local network), authentication required
(NULL session was not tested).
Class: Information leak
CVE: CVE-2007-0843

Intro:

It's very simple yet interesting vulnerability. ReadDirectoryChangesW()
API allows application to monitor directory changes in real time.
bWatchSubtree parameter of this functions allows to monitor changes
within whole directory tree with a root in monitored directory. To
monitor changes directory must be open with LIST access. Function
returns the list of modified files with a type of modification. File
modification refers to any modification of file record in directory.

Vulnerability:

ReadDirectoryChangesW() doesn't check user's permissions for child
directories.

Impact:

Any unprivileged user with LIST access to parent directory can monitor
any files in child directories regardless of files permissions. Because
by default Windows updates access time of any accessed files on NTFS
volumes, it makes it possible for user to gather information about
NTFS-protected files, their names and time of access to the files
(reading, writing, creation, deletion, renaming, etc). Filenames may
contain sensitive information or leak information about user's behavior
(e.g. cookies files).

Exploit:

http://securityvulns.com/files/spydir.c

Usage example:

spydir \\corpsrv\corpdata

I believe you find this utility useful regardless of this security
issue. It shows names of accessed/modified files for given directory in
real time (it seems there are non-security bugs in ReadDirectoryChangesW
implementations, e.g. you can not see non-ASCII names and some changes
are missing).

Compiled version can be downloaded from http://securityvulns.com/soft/

Workaround:

Avoid creation of more secure folder in less secure ones. Avoid using
sensitive data in documents naming.

Vendor (Microsoft):

January, 17 2006 Initial vendor notification
January, 18 2006 Vendor reply (assigned)
January, 26 2006 2nd vendor notification
February, 7 2006 3rd vendor notification
February, 9 2006 Vendor accepted vulnerability as "service pack
class" for Windows XP and Windows 2003.
February, 9 2006 Accepted to wait until SP
February, 22 2006 Vendor gives SP timelines (late 2006 for W2K3
SP2 and 2007 for XP SP3)
February, 22 2007 Public release, because Windows Vista is
released with same vulnerability.

Related

zaraza 1
securityvulns 2
prion 1
security_vulns 1
cve 1
zaraza
zaraza
Microsoft Windows Vista/2003/XP/2000 file management security issues
2007-07-03 00:00:00
securityvulns
securityvulns
Microsoft Windows ReadDirectoryChangesW information leak
2007-02-22 00:00:00
Microsoft Windows Vista/2003/XP/2000 file management security issues
2007-03-07 00:00:00
prion
prion
Design/Logic Flaw
2007-02-23 02:28:00
security_vulns
security_vulns
Microsoft Windows Vista/2003/XP/2000 file management security issues
2007-07-03 00:00:00
cve
cve
CVE-2007-0843
2007-02-23 02:28:00
JSON
Related for SECURITYVULNS:DOC:16139
zaraza1securityvulns2prion1security_vulns1cve1