SECURITY.NNOV: Windows 2000 system partition weak default permissions

From: 3APA3A (3APA3Aat_private)
Date: Mon Aug 05 2002 - 08:52:02 PDT


    Title:                  Windows 2000 system partition weak default
                            permissions
    Affected:               Windows 2000
    Vendor:                 Microsoft
    Author:                 ZARAZA <3APA3Aat_private>
    Date:                   August, 03 2002
    Risk:                   High
    Exploitable:            Yes
    Remote:                 No
    Vendor notified:        May, 17, 2002
    SECURITY.NNOV URL:      http://www.security.nnov.ru
    Advanced info:          http://www.security.nnov.ru/search/news.asp?binid=2205
    
    I. Introduction:
    
    To protect the system files located in the root of the system partition
    (boot.ini, ntdetect.com, ntldr, autoexec.bat, etc.), Windows 2000 applies
    a security template with NTFS permissions that allows only administrators
    and advanced users to access these files.
    
    II. Vulnerability:
    
    The system partition itself carries an Everyone/Full Control access
    permission. Microsoft (and NIST draft) documents also recommend
    Everyone/Full Control or Authenticated Users/Full Control permissions.
    
    III. Details:
    
    For POSIX compatibility, a user with the Full Control NTFS permission on
    a folder may delete any file from that folder regardless of the file's
    own permissions. This makes it possible for a user to become the owner
    of, and gain full control over, any system file located in the root of
    the system partition using the following scenario:
    
     1. Delete the original file (delete only, because moving a file into the
     Recycle Bin requires read permission).
     2. Create a new file with the same name. The user is now the owner of
     this new file and has the Full Control permission on it, inherited from
     the root folder.
    
    This makes it possible to trojan system files in order to execute code in
    kernel space and/or to change the boot sequence. It is not as hard as it
    seems: it is trivial to exploit this problem to get system-level access
    or to run an application in the logged-on user's context without
    programming/debugging skills (hint: 'strings ntldr').
    
    IV. Solution
    
    The workaround is very easy. Replace the Full Control permission for the
    Everyone group with any reasonable set of permissions on all root
    folders, including the system partition. You can replace Full Control
    with the full set of special permissions. For NTFS this has the same
    effect, except that a user will no longer be able to remove a file for
    which he has no Delete permission.
    
    Installing a hisec*.inf security template does not solve this problem.
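    The right that the scenario above depends on is "Delete Subfolders and
    Files" (FILE_DELETE_CHILD), which Full Control on the root folder grants
    to Everyone. The following audit script is an added example, not part of
    the advisory; it lists root-folder ACEs that grant that right to broad
    principals and, with the hypothetical -Fix switch, swaps each such ACE for
    Modify, which keeps read/write/create but drops FILE_DELETE_CHILD.

```powershell
# Added example: audit (and optionally correct) root-folder ACEs that grant
# "Delete Subfolders and Files" to broad principals. -Fix is an assumption
# for this example; without it the script only reports.
param([switch]$Fix)

# Principals that, in practice, mean "any interactive user" (constructed list).
$broad = @('Everyone', 'BUILTIN\Users',
           'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
$deleteChild = [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles

$roots = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root -match '^[A-Z]:\\$' }
foreach ($drive in $roots) {
    $acl = Get-Acl -LiteralPath $drive.Root
    foreach ($ace in $acl.Access) {
        # Note: ACEs expressed with generic rights (GENERIC_ALL etc.) show up as
        # raw numbers and are not resolved here; review those by hand.
        $isBroad   = $broad -contains $ace.IdentityReference.Value
        $isAllow   = $ace.AccessControlType -eq 'Allow'
        $grantsDel = ($ace.FileSystemRights -band $deleteChild) -eq $deleteChild
        if (-not ($isBroad -and $isAllow -and $grantsDel)) { continue }

        Write-Warning ('{0}: {1} has {2} (includes Delete Subfolders and Files)' -f
            $drive.Root, $ace.IdentityReference, $ace.FileSystemRights)

        if ($Fix) {
            # Modify = ReadAndExecute + Write + Delete: the user may still delete
            # files on which he holds Delete, but not files he cannot even read.
            $null = $acl.RemoveAccessRule($ace)
            $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $ace.IdentityReference, 'Modify',
                $ace.InheritanceFlags, $ace.PropagationFlags, 'Allow')
            $acl.AddAccessRule($rule)
            Set-Acl -LiteralPath $drive.Root -AclObject $acl
            Write-Output ('{0}: replaced {1} ACE with Modify' -f $drive.Root, $ace.IdentityReference)
        }
    }
}
```

    Because the replaced ACE is inheritable, Set-Acl propagates the change to
    child objects that inherit from the root; run without -Fix first and review
    the warnings.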
    
    V. Vendor
    
    Microsoft was informed on May 17. The reply, also dated May 17:
    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
    Dear Zaraza
    
    Many thanks for your email. We have received reports already on this
    issue and we are actively investigating this.
    
    Many thanks again for taking the time to email us.
    
    Tony.
    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
    It looks like there is still no patch for Windows 2000. The security
    templates and documentation have not been corrected.
    
    -- 
    http://www.security.nnov.ru
             /\_/\
            { , . }     |\
    +--oQQo->{ ^ }<-----+ \
    |  ZARAZA  U  3APA3A   }
    +-------------o66o--+ /
                        |/
    You know my name - look up my number (The Beatles)
    
    This archive was generated by hypermail 2b30 : Tue Aug 06 2002 - 15:21:17 PDT