SecurityTracker.com

SecurityTracker
Archives


 


Category:   OS (Microsoft)  >   Windows NTFS
Vendors:   Microsoft
Windows 2000 Operating System Default Permissions for the System Partition Lets Local Users Bypass Individual File Permissions and Replace Key System Files
SecurityTracker Alert ID:  1004937
SecurityTracker URL:  http://securitytracker.com/id/1004937
CVE Reference:   GENERIC-MAP-NOMATCH
Updated:  Aug 6 2002
Original Entry Date:  Aug 4 2002
Impact:   Modification of system information
Exploit Included:  Yes  

Description:   A default configuration vulnerability was reported in Windows 2000. A local user in the 'Everyone' group can replace files in the system partition.

SECURITY.NNOV reported that the Windows 2000 system partition uses weak default permissions. According to the report, the system partition itself has 'Everyone/Full Control' access permissions by default. Users with Full Control NTFS permissions for a folder can reportedly delete any file from the folder regardless of the individual file permissions (this is reportedly for POSIX compliance).

A local user can gain ownership rights and get full control over any system file located in the root of the system partition. A demonstration exploit transcript is provided:

1. Delete the target file (delete the file rather than placing it in the recycle bin, because placing files in the recycle bin requires read permission).

2. Create a new file with the same name as the previously deleted file. The local user is now the owner of this newly created file and has Full Control permission for this file, inherited from the root folder.

A local user can replace critical system files with trojan files.

Another user has separately reported that this behavior may occur if the Windows installation is upgraded from a previous operating system (e.g., NT). However, if the system disks on Windows systems are re-formatted during Windows 2000 setup (i.e., clean-installed workstations and servers) the user reports that NTFS permissions will be hardened for the system partition.

Impact:   A local user in the 'Everyone' group can replace files in the system partition.
Solution:   No solution was available at the time of this entry.

As a solution, the author of the report indicates that you can replace Full Control permissions for the Everyone group with any reasonable set of permissions for all root folders.
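
To find where that change is needed, the following added example (not part of the original report or of any vendor tooling) audits the system drive root and its top-level folders for Allow entries that give the Everyone group the delete-child right that Full Control includes. It is read-only and assumes PowerShell 3.0 or later; variable names are illustrative.

```powershell
# Added example: read-only audit, makes no permission changes.
# Flags Allow ACEs for Everyone (well-known SID S-1-1-0) on the system drive
# root and its top-level folders that include the delete-child right.
$everyoneSid = 'S-1-1-0'
$deleteChild = [int][System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles
$genericAll  = 0x10000000   # how generic full control can appear on inherit-only ACEs

$root    = "$($env:SystemDrive)\"
$targets = @($root) + @(
    Get-ChildItem -LiteralPath $root -Directory -Force -ErrorAction SilentlyContinue |
        ForEach-Object { $_.FullName }
)

$findings = foreach ($path in $targets) {
    try {
        $acl = Get-Acl -LiteralPath $path -ErrorAction Stop
    } catch {
        Write-Warning "Cannot read ACL for ${path}: $($_.Exception.Message)"
        continue
    }
    # Request rules keyed by SID so the check does not depend on the OS language.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        $rights = [int]$rule.FileSystemRights
        $isEveryoneAllow = ($rule.IdentityReference.Value -eq $everyoneSid) -and
                           ($rule.AccessControlType -eq 'Allow')
        $canDeleteChildren = (($rights -band $deleteChild) -ne 0) -or
                             (($rights -band $genericAll) -ne 0)
        if ($isEveryoneAllow -and $canDeleteChildren) {
            [pscustomobject]@{
                Path      = $path
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Output "No Everyone delete-child or Full Control entries found under $root"
}
```

Any row reported for the drive root itself corresponds to the condition described in this entry; rows for subfolders show where the same weak entry is also present.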

Vendor URL:  www.security.nnov.ru/search/news.asp?binid=2205
Cause:   Access control error

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Microsoft Issues Fix Instructions) Windows 2000 Operating System Default Permissions for the System Partition Lets Local Users Bypass Individual File Permissions and Replace Key System Files
The vendor has released instructions for fixing the issue.



 Source Message Contents

Subject:  Windows 2000 system partition weak default permissions


http://www.security.nnov.ru/search/news.asp?binid=2205

Title:                  Windows 2000 system partition weak default
                        permissions
Affected:               Windows 2000
Vendor:                 Microsoft
Author:                 ZARAZA <3APA3A@security.nnov.ru>
Date:                   August, 03 2002
Risk:                   Average
Exploitable:            Yes
Remote:                 No
Vendor notified:        few months ago
SECURITY.NNOV URL:      http://www.security.nnov.ru
Advanced info:         
http://www.security.nnov.ru/search/news.asp?binid=2205

I. Introduction:

To protect system files located in the root of the system partition
(boot.ini, ntdetect.com, ntldr, etc.), the Windows 2000 setup program applies
NTFS permissions to only allow administrators and advanced users to
access these files.

II. Vulnerability:

System partition itself has Everyone/Full Control access permission.

III. Details:

For POSIX compatibility, a user with Full Control NTFS permission for a
folder may delete any file from this folder regardless of individual
file permissions. This makes it possible for a user to become owner of, and to
get full control over, any system file located in the root of the system partition
with the following scenario:

 1. Delete the original file (only delete, because putting a file into the recycle
 bin requires read permission).
 2. Put a new file with the same name. Now the user is the owner of this new file
 and has Full Control permission for this file, inherited from the root
 folder.

This makes it possible to trojan system files to execute some code in
kernel space and/or to change the boot sequence.

IV. Solution

Replace  Full  Control permission for Everyone group with any reasonable
set of permissions for all root folders.


 

-- 
http://www.security.nnov.ru
         /\_/\
        { , . }     |\
+--oQQo->{ ^ }<-----+ \
|  ZARAZA  U  3APA3A   }
+-------------o66o--+ /
                    |/
You know my name - look up my number (The Beatles)


 
 



Copyright 2019, SecurityGlobal.net LLC