WinXP Pro(Gold) Insecure System Restore File Permissions

From: Makoto Shiotsuki (shioat_private)
Date: Fri Oct 04 2002 - 06:36:10 PDT

    WinXP Pro(Gold) Insecure System Restore File Permissions
    
    On Windows XP Professional (Gold), the "System Restore" files
    are not properly protected by NTFS ACLs, so every local user can
    access these important files.
    
    System Restore files are stored in the "System Volume Information"
    directory, and this directory itself is well protected by an ACL, so
    normal users generally cannot access System Restore files.
    But the System Restore directory, along with its sub-directories,
    is not protected by an NTFS ACL (Everyone: Full), so every local
    user can access System Restore files by specifying the path
    directly.
    
    You can find the path of the System Restore directory with the
    following command line.
    
     c:\> reg query "HKLM\System\CurrentControlSet\Control\BackupRestore\FilesNotToBackup" /v "System Restore"
    
    Then you can cd to the System Restore directory.
    
     (example)
     c:\> cd \System Volume Information\_restore{8716531F-212F-45F1-8BAA-FB69F0C7FAEF}
    
    Within the Restore Point directories (RP0, RP1, ...), you will find a
    directory called "snapshot" containing registry hive data.
    
      _REGISTRY_MACHINE_SAM
      _REGISTRY_MACHINE_SECURITY
      _REGISTRY_MACHINE_SOFTWARE
      _REGISTRY_MACHINE_SYSTEM
      _REGISTRY_USER_.DEFAULT
      _REGISTRY_USER_NTUSER_S-1-5-18
      .....
    
    These hive files are also freely accessible to every local user.
    A malicious local user may modify the SOFTWARE hive (e.g. add a
    malicious Run registry entry), expecting the administrator to execute
    System Restore, and the modification will take effect.
    
    This problem is fixed by applying Windows XP SP1, but I couldn't
    find this issue in the "List of Fixes".
    
    Makoto Shiotsuki
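An added audit example, not part of the original post: it reads the same "System Restore" value under FilesNotToBackup that the post queries, walks each restore directory and its sub-directories (RPn, snapshot), and flags any ACL that grants Everyone (S-1-1-0) an Allow FullControl ACE, which is the misconfiguration the post describes. It assumes an elevated PowerShell 3.0+ session, and the handling of the value's format (one path per entry, optionally drive-relative, optionally ending in a "/s" switch) is an assumption about that registry value, not something the post states.

```powershell
# Added audit script (not from the original post). Assumes an elevated session.
$regPath = 'HKLM:\System\CurrentControlSet\Control\BackupRestore\FilesNotToBackup'
$entries = (Get-ItemProperty -Path $regPath -Name 'System Restore').'System Restore'

function Test-EveryoneFullControl {
    # $true when the ACL contains an Allow ACE granting Everyone (S-1-1-0) FullControl.
    param([System.Security.AccessControl.FileSystemSecurity]$Acl)
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    foreach ($ace in $Acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Compare by SID rather than by localized account name.
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        if ($sid.Value -eq 'S-1-1-0' -and ($ace.FileSystemRights -band $full) -eq $full) {
            return $true
        }
    }
    return $false
}

foreach ($raw in @($entries)) {
    # Assumption: an entry may end in a " /s" (recurse) switch and may be drive-relative.
    $dir = [Environment]::ExpandEnvironmentVariables(($raw -replace '\s+/s\s*$', ''))
    if ($dir.StartsWith('\')) { $dir = $env:SystemDrive + $dir }

    # -Force is needed to see the hidden/system "System Volume Information" tree;
    # -Path (not -LiteralPath) lets a wildcard such as _restore* resolve.
    $roots = @(Get-Item -Path $dir -Force -ErrorAction SilentlyContinue)
    if ($roots.Count -eq 0) { Write-Output "Not found or not accessible: $dir"; continue }

    foreach ($root in $roots) {
        $targets = @($root) + @(Get-ChildItem -LiteralPath $root.FullName -Recurse -Directory -Force -ErrorAction SilentlyContinue)
        foreach ($t in $targets) {
            $acl = Get-Acl -LiteralPath $t.FullName -ErrorAction SilentlyContinue
            if ($null -eq $acl) { Write-Output "ACL unreadable: $($t.FullName)"; continue }
            if (Test-EveryoneFullControl $acl) {
                Write-Warning "Everyone:FullControl on $($t.FullName)"
            } else {
                Write-Output "OK  $($t.FullName)"
            }
        }
    }
}
```

Any directory reported with a warning exposes its contents (including the snapshot hive files listed above) to every local user; on a patched system the walk should print only OK lines or access errors.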
    



    This archive was generated by hypermail 2b30 : Fri Oct 04 2002 - 10:38:11 PDT