RDISK registry enumeration file vulnerability in Windows NT 4.0

From: Arne Vidstrom (arne.vidstromat_private)
Date: Fri Jan 21 2000 - 15:04:23 PST


    Hi all,
    
    There exists a vulnerability in rdisk which causes the contents of the
    registry hives to be exposed to Everyone during updating of the repair info.
    
    When rdisk updates the repair info it uses a temporary file called
    $$hive$$.tmp, which it puts in the repair directory and deletes when it's
    finished. The temporary file is used to store the contents of the hives
    during the update. This is especially interesting on Terminal Server, so
    I'll take that as an example.
    
    The \Wtsrv\repair directory contains backups of the hives, but these have
    the permissions: Administrators - Full Control, and SYSTEM - Full Control.
    Hard to get to those... but the $$hive$$.tmp file is a different thing.
    Everybody has Read permissions to it, so Everybody can get the contents of
    the hives during update. An ordinary user can leave a program running which
    checks for the temporary file constantly, and copies the content when it is
    created.
    
    Of course many restrict access to the repair directory already, but either
    way this is a vulnerability in rdisk.
    
    Microsoft has released a patch for this, and you can read more about it in
    their Security Bulletin at:
    
    http://www.microsoft.com/security/bulletins/ms00-004.asp
    
    You can also read this posting in the advisory archive at ntsecurity.nu:
    
    http://ntsecurity.nu/advisories/a12.shtml
    
    
    /Arne Vidstrom
    
    http://ntsecurity.nu
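The post's mitigation, short of the patch, is to restrict the repair directory so that a temporary file created inside it cannot be read by ordinary users. Because a new file normally receives the inheritable ACEs of its parent directory, the directory ACL is the thing to audit. The script below is an added example written for this page, not code from the original advisory or from ntsecurity.nu; it assumes a modern Windows host with PowerShell (which did not exist on NT 4.0), a directory path passed via the hypothetical `-Path` parameter (defaulting to `%SystemRoot%\repair`; use the post's `\Wtsrv\repair` on Terminal Server), and a constructed list of broad principals to flag.

```powershell
# Added example (not part of the original post): report any ACE on the repair
# directory that grants read access to a broad principal, which is the condition
# that lets $$hive$$.tmp be read by everyone while rdisk is running.
# Assumptions: modern Windows with PowerShell; -Path is a hypothetical parameter;
# the principal list below is constructed for this example.
param(
    [string]$Path = (Join-Path $env:SystemRoot 'repair')
)

# Principals that should not be able to read hive backups or the temp file.
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

function Get-BroadReadAces {
    param([string]$Directory)

    $acl = Get-Acl -Path $Directory
    foreach ($ace in $acl.Access) {
        $isBroad = $BroadPrincipals -contains $ace.IdentityReference.Value
        # ReadData (same bit as ListDirectory on a folder) is the right that
        # lets a principal open files created here for reading.
        $readBit = [System.Security.AccessControl.FileSystemRights]::ReadData
        $grantsRead = ($ace.FileSystemRights -band $readBit) -ne 0

        if ($ace.AccessControlType -eq 'Allow' -and $isBroad -and $grantsRead) {
            [pscustomobject]@{
                Directory = $Directory
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

$findings = @(Get-BroadReadAces -Directory $Path)
if ($findings.Count -eq 0) {
    # Matches the state the post describes as safe: only Administrators and
    # SYSTEM hold access to the repair directory.
    Write-Output "OK: no broad read access on $Path"
} else {
    Write-Output "WARNING: broad read access on $Path (files created here inherit these ACEs):"
    $findings | Format-Table -AutoSize
}
```

Save it as, for instance, `Test-RepairAcl.ps1` (a hypothetical name) and run `.\Test-RepairAcl.ps1 -Path C:\Wtsrv\repair`. A warning means a temporary file written into that directory would be readable by the listed principals; tightening the directory ACL to Administrators and SYSTEM only, as the post notes many sites already do, closes that path, but the patched rdisk referenced in MS00-004 remains the actual fix for the tool's own behaviour.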
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:29:50 PDT