RecyclerSnooper(MS00-007)

From: Nobuo Miwa (n-miwaat_private)
Date: Tue Feb 01 2000 - 15:23:47 PST


    Hi,
    
    I made a small program.
    This makes a lot of folders under the Recycler folder.
    I mean ANY user can make folders under the Recycler folder.
    
    Like this....
    
      When some user("user1")'s SID is
          S-1-5-21-823518204-813497703-1708537768-1004,
      my program will make
          S-1-5-21-823518204-813497703-1708537768-1001
          S-1-5-21-823518204-813497703-1708537768-1002
          S-1-5-21-823518204-813497703-1708537768-1003
          ...
          ...
          S-1-5-21-823518204-813497703-1708537768-1199
          S-1-5-21-823518204-813497703-1708537768-1200
    
      In this case its parameter is "RecyclerSnooper.exe 200 C".
      After that, when another user ("user2", SID=...1006) throws garbage
      away for the FIRST time, user1 can read it.
      Yeah, user1 can read another user's garbage if the other
      user hasn't thrown any garbage away yet. It's a minor problem.
    
    You can download and test from
    http://www.lac.co.jp/security/test/files/RecyclerSnooper.exe
    This could be available on WinNT and Win2K.
    
    I reported this to MS on 31st Oct, '99...
    I waited with Arne Vidstrom for a few months!
    
    See Microsoft Security Bulletin (MS00-007).
    
    
    <Nobuo Miwa> n-miwaat_private      ( @ @ ) http://www.lac.co.jp/security/
    ------------------------------o00o--(. .)--o00o--------------------------
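
A defender-side check for the condition described in the post above, added here as an example; it is not part of the original message and not the author's code. It assumes a folder owned by a different user than the SID in its name is the indicator to look for, and it reads a constructed "<folder name> <owner SID>" inventory whose format is hypothetical.

```python
import re
from collections import defaultdict

SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")
# Owners that do not point at another user: BUILTIN\Administrators (commonly the
# owner of objects created by administrators) and LocalSystem.
NEUTRAL_OWNERS = {"S-1-5-32-544", "S-1-5-18"}

# Constructed inventory, one "<folder name> <owner SID>" pair per line.
DOMAIN = "S-1-5-21-823518204-813497703-1708537768"
SAMPLE = "\n".join([
    f"{DOMAIN}-1004 {DOMAIN}-1004",     # user1's own folder
    f"{DOMAIN}-500 S-1-5-32-544",       # administrator's folder, group-owned
    f"{DOMAIN}-1005 {DOMAIN}-1004",     # folders for other RIDs owned by user1
    f"{DOMAIN}-1006 {DOMAIN}-1004",
    f"{DOMAIN}-1007 {DOMAIN}-1004",
    "desktop.ini S-1-5-18",             # not a SID-named folder, ignored
])

def foreign_owned(inventory):
    """Map owner SID -> sorted RIDs of SID-named folders that owner does not match."""
    hits = defaultdict(list)
    for line in inventory.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        name, owner = parts
        m = SID_RE.match(name)
        if m and owner != name and owner not in NEUTRAL_OWNERS:
            hits[owner].append(int(m.group(1)))
    return {owner: sorted(rids) for owner, rids in hits.items()}

def rid_runs(rids):
    """Collapse sorted RIDs into (first, last) runs of consecutive values."""
    runs = []
    for rid in rids:
        if runs and rid == runs[-1][1] + 1:
            runs[-1] = (runs[-1][0], rid)
        else:
            runs.append((rid, rid))
    return runs

def audit(inventory):
    """Return (owner, first_rid, last_rid) for each run of foreign-owned folders."""
    return [(owner, first, last)
            for owner, rids in foreign_owned(inventory).items()
            for first, last in rid_runs(rids)]

if __name__ == "__main__":
    for owner, first, last in audit(SAMPLE):
        print(f"{owner} owns recycle folders for RIDs {first}-{last}")
```

A long run of consecutive RIDs under one owner matches the 1001 to 1200 pattern shown in the post; a single mismatch is more likely a restored or copied folder and deserves a manual look.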
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:32:53 PDT