SecurityTracker.com
Category:   OS (Microsoft)  >   Windows NTFS
Vendors:   Microsoft
Macintosh Clients Using Windows 2000 NTFS Volumes May Modify Directory Permissions in Certain Cases
SecurityTracker Alert ID:  1002626
SecurityTracker URL:  http://securitytracker.com/id/1002626
CVE Reference:   CVE-2001-1515
Updated:  May 22 2009
Original Entry Date:  Oct 23 2001
Impact:   Modification of system information
Vendor Confirmed:  Yes  
Version(s): Windows 2000 server SP1 with a Mac client using OS 9.x and UAM version 5.
Description:   A vulnerability was reported in Macintosh clients using NTFS volumes on a Windows 2000 server. The Mac clients will modify permissions in certain cases.

It is reported that Macintosh clients automatically modify inherited NTFS permissions when creating a subdirectory within a volume.

It is reported that this bug has been reproduced by Microsoft.

A description of the issue is provided below:

Data - root folder
1. shared as data
2. share permissions = Everyone (change)
3. NTFS permissions = Administrators (full), Everyone (list)

External - subdirectory
1. NTFS permissions = Administrators (full), Everyone (list)
2. Allow inheritable permissions is checked.

XYZ - subdirectory (team folder)
1. NTFS permissions = Administrators (full), Everyone (list), XYZ Global Group (modify)
2. Allow inheritable permissions is checked.

Comps_for_site_dev - subdirectory
1. NTFS permissions = Administrators (full), Everyone (list), XYZ Global Group (modify)
2. Allow inheritable permissions is checked.

Global_elements - subdirectory
1. This is the directory created by the Macintosh.
2. NTFS permissions = Administrators (full), Domain Users (read & execute), Everyone (read & execute), XYZ Global Group (modify), SYSTEM (modify), MacintoshUsername (full)
3. Allow inheritable permissions is checked.
4. None of the above permissions were assigned in addition to the ones in comps_for_site_dev. All additional users, groups, and permissions were automatically granted and/or modified when the Mac user created the folder.

Impact:   A remote user with a Mac client creating a subdirectory on a Windows 2000 NTFS volume may modify the inherited permissions.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.microsoft.com/technet/security/
Cause:   State error
Underlying OS:  Windows (2000)
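
The following is an added example, not part of the advisory or any vendor code. It parses the permission notation used in the description above and compares each folder's ACL with its parent's, which surfaces the drift reported on Global_elements. The function names and the `INTENDED` allow-list are assumptions of this example.

```python
import re

# ACLs transcribed from the advisory's folder chain, parent first.
BASE = "Administrators (full), Everyone (list)"
TEAM = BASE + ", XYZ Global Group (modify)"
FOLDERS = [
    ("Data", BASE), ("External", BASE),
    ("XYZ", TEAM), ("Comps_for_site_dev", TEAM),
    ("Global_elements",
     "Administrators (full), Domain Users (read & execute), "
     "Everyone (read & execute), XYZ Global Group (modify), "
     "SYSTEM (modify), MacintoshUsername (full)"),
]
# Assumption: the team-folder grant to XYZ Global Group was set deliberately.
INTENDED = {"XYZ": {"XYZ Global Group"}}
ENTRY = re.compile(r"\s*([^,()]+?)\s*\(([^()]+)\)\s*(?:,|$)")

def parse_acl(text):
    """Parse 'Principal (right), ...' into {principal: right}."""
    text, acl, pos = text.strip(), {}, 0
    while pos < len(text):
        m = ENTRY.match(text, pos)
        if not m:
            raise ValueError(f"unparseable ACL text: {text[pos:]!r}")
        acl[m.group(1)] = m.group(2).strip().lower()
        pos = m.end()
    return acl

def acl_drift(parent, child):
    """List entries in child that were added, changed or removed versus parent."""
    findings = []
    for who, right in sorted(child.items()):
        if who not in parent:
            findings.append(("added", who, None, right))
        elif parent[who] != right:
            findings.append(("changed", who, parent[who], right))
    for who in sorted(set(parent) - set(child)):
        findings.append(("removed", who, parent[who], None))
    return findings

def audit_chain(folders, intended=None):
    """Compare each folder with its parent, skipping grants marked intended."""
    intended, report = intended or {}, {}
    parsed = [(name, parse_acl(text)) for name, text in folders]
    for (_, parent), (name, child) in zip(parsed, parsed[1:]):
        drift = [f for f in acl_drift(parent, child)
                 if not (f[0] == "added" and f[1] in intended.get(name, ()))]
        if drift:
            report[name] = drift
    return report
```

Calling `audit_chain(FOLDERS, INTENDED)` reports only Global_elements: three added principals and the change of Everyone from list to read & execute.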

Message History:   None.


 Source Message Contents

Subject:  Folders created by Mac clients override inherited NTFS permission


Macintosh clients automatically modify inherited NTFS permissions when
creating a subdirectory within a volume. This occurs on Windows 2000 server
SP1 with a Mac client using OS 9.x and UAM version 5. This bug has been
reproduced by Microsoft as shown below and is still currently being met with
resistance to fix the code as the developers encountered several other
issues within the protocol stack when the bug was fixed in the lab:
***The name of the folder is contained to the left of the folder
description.

Data - root folder
1.      shared as data
2.      share permissions = Everyone (change)
3.      NTFS permissions = Administrators (full), Everyone (list)

External - subdirectory
1.      NTFS permissions = Administrators (full), Everyone (list)
2.      Allow inheritable permissions is checked.

XYZ - subdirectory (team folder)
1.      NTFS permissions = Administrators (full), Everyone (list), XYZ
Global Group (modify)
2.      Allow inheritable permissions is checked.

Comps_for_site_dev - subdirectory
1.      NTFS permissions = Administrators (full), Everyone (list), XYZ Global
Group (modify)
2.      Allow inheritable permissions is checked.

Global_elements - subdirectory
1.      This is the directory created by the Macintosh.
2.      NTFS permissions = Administrators (full), Domain Users (read &
execute), Everyone (read & execute), XYZ Global Group (modify), SYSTEM
(modify), MacintoshUsername (full)
3.      Allow inheritable permissions is checked.
4.      None of the above permissions were assigned in addition to the ones
in comps_for_site_dev. All additional users, groups, and permissions were
automatically granted and/or modified when the Mac user created the folder.

-Alan Finn



Copyright 2019, SecurityGlobal.net LLC