From: 3APA3A (3APA3A_at_SECURITY.NNOV.RU)
Date: Mon Aug 05 2002 - 10:52:01 CDT

    Title: Windows 2000 system partition weak default permissions
    Affected: Windows 2000
    Vendor: Microsoft
    Author: ZARAZA <3APA3A@security.nnov.ru>
    Date: August 03, 2002
    Risk: High
    Exploitable: Yes
    Remote: No
    Vendor notified: May 17, 2002
    SECURITY.NNOV URL: http://www.security.nnov.ru
    Advanced info: http://www.security.nnov.ru/search/news.asp?binid=2205

    I. Introduction:

    To protect the system files located in the root of the system partition
    (boot.ini, ntdetect.com, ntldr, autoexec.bat, etc.), Windows 2000 applies
    a security template with NTFS permissions that allow only administrators
    and advanced users to access these files.

    II. Vulnerability:

    The system partition (its root folder) itself has the Everyone/Full
    Control access permission. Microsoft (and NIST draft) documents also
    recommend Everyone/Full Control or Authenticated Users/Full Control
    permissions.

    III. Details:

    For POSIX compatibility, a user with the Full Control NTFS permission on
    a folder may delete any file from that folder regardless of the file's
    own permissions. This makes it possible for a user to become the owner
    of, and obtain full control over, any system file located in the root of
    the system partition with the following scenario:

     1. Delete the original file (delete only, because moving a file into
     the Recycle Bin requires read permission).
     2. Create a new file with the same name. The user is now the owner of
     this new file and has the Full Control permission on it, inherited from
     the root folder.

    This makes it possible to trojan system files in order to execute code in
    kernel space and/or to change the boot sequence. It is not as hard as it
    seems: it is trivial to exploit this problem to get system-level access
    or to run an application in the logged-on user's context without
    programming/debugging skills (hint: 'strings ntldr').

    IV. Solution

    The workaround is very easy. Replace the Full Control permission for the
    Everyone group with any reasonable set of permissions on all root
    folders, including the system partition. You can replace the Full
    Control permission with the full set of special permissions. For NTFS
    this has the same effect, except that a user will not be able to remove
    a file unless he has the Delete permission on that file.

    Installing the hisec*.inf security templates doesn't solve this problem.
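    The following audit script is an added example and is not part of the
    advisory. It assumes a Windows host with PowerShell and the .NET
    FileSystemRights type; the specific NTFS right that lets a folder ACE
    override a file's own ACL on deletion is "Delete Subfolders and Files"
    (FILE_DELETE_CHILD, FileSystemRights.DeleteSubdirectoriesAndFiles), which
    Full Control includes. The script reports root-folder ACEs that grant
    that right to broad groups and, with -Fix, rewrites them to the same
    rights minus that one bit, which is one concrete form of the workaround above.

```powershell
# Audit (and optionally harden) root-folder ACLs for the Windows 2000
# system-partition weakness: Everyone/Full Control on a drive root.
# Added example, not from the advisory. Assumes Windows PowerShell;
# run elevated when using -Fix.
[CmdletBinding()]
param([switch]$Fix)

$deleteChild = [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles
# Broad principals for which the advisory's finding applies.
$broad = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

function Test-WeakRootAce {
    param([System.Security.AccessControl.FileSystemAccessRule]$Ace)
    $who = $Ace.IdentityReference.Value
    # Allow ACE, broad principal, and the "Delete Subfolders and Files" bit set.
    return ($Ace.AccessControlType -eq 'Allow') -and
           ($broad -contains $who) -and
           (([int]$Ace.FileSystemRights -band [int]$deleteChild) -eq [int]$deleteChild)
}

Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root -match '^[A-Z]:\\$' } | ForEach-Object {
    $root = $_.Root
    $acl = Get-Acl -Path $root
    $changed = $false
    foreach ($ace in @($acl.Access)) {
        if (-not $ace.IsInherited -and (Test-WeakRootAce $ace)) {
            Write-Warning ("{0} {1} holds '{2}' on the root folder" -f $root, $ace.IdentityReference, $ace.FileSystemRights)
            if ($Fix) {
                # Keep every other right the ACE granted; drop only Delete Subfolders and Files.
                $kept = [System.Security.AccessControl.FileSystemRights]([int]$ace.FileSystemRights -band (-bnot [int]$deleteChild))
                $new = New-Object System.Security.AccessControl.FileSystemAccessRule(
                    $ace.IdentityReference, $kept, $ace.InheritanceFlags, $ace.PropagationFlags, 'Allow')
                [void]$acl.RemoveAccessRule($ace)
                $acl.AddAccessRule($new)
                $changed = $true
            }
        }
    }
    if ($Fix -and $changed) {
        Set-Acl -Path $root -AclObject $acl
        Write-Host "Updated ACL on $root"
    }
}
```

    Files already created under the old ACE keep whatever they inherited, so
    re-check the files named in the introduction after applying the change.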

    V. Vendor

    Microsoft was informed on May 17. The reply also came on May 17:
    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
    Dear Zaraza

    Many thanks for your email. We have received reports already on this
    issue and we are actively investigating this.

    Many thanks again for taking the time to email us.

    Tony.
    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
    It looks like there is still no patch for Windows 2000. The security
    templates and documentation have not been corrected.

    --
    http://www.security.nnov.ru
             /\_/\
            { , . }     |\
    +--oQQo->{ ^ }<-----+ \
    |  ZARAZA  U  3APA3A   }
    +-------------o66o--+ /
                        |/
    You know my name - look up my number (The Beatles)