nt.case.symbolic.txt

1999-08-17T00:00:00
ID PACKETSTORM:12154
Type packetstorm
Reporter Packet Storm
Modified 1999-08-17T00:00:00

Description

Date: Fri, 12 Mar 1999 13:03:57 -0700
From: Mark <mark@NTSHOP.NET>  
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM  
Subject: [ ALERT ] Case Sensitivity and Symbolic Links  
  
Prasad Dabak of Cybermedia Software Private Limited has discovered yet
another security risk in Windows NT involving the operating system's case
sensitivity. According to the report, using the permissions on the "\??"
object directory and by exploiting the case sensitivity of the object manager,
it is possible to trojan any system executables.
  
Any ordinary user has write permissions on the \?? object directory. This is to
allow users to map network drives or use the "subst" utility to alias a directory
to a new drive letter. Each system drive has an entry in the \?? object
directory. Each entry is actually a symbolic link which points to the device
associated with that drive (ergo: symbolic link \??\C: will typically point
to a device such as \Device\HardDisk0\Partition1). It is possible to create
a trojaned version of this symbolic link using a different character
case -- for example, it is possible to create a symbolic link such as \??\c:
(notice the small letter "c"). By doing this, all the requests to drive C
get routed through the trojaned symbolic link.
  
Please visit the following URL, where you'll find the further details along  
with links to a demonstration of the problem.  
http://www.ntsecurity.net/scripts/load.asp?iD=/security/casesensitive.htm  
  
Mark  
  
----------------------------------------------------------------------------  
  
Date: Sat, 13 Mar 1999 00:32:19 +0100  
From: Alexandre Stervinou <stervino@INFO.ENSERB.U-BORDEAUX.FR>  
To: BUGTRAQ@netspace.org  
Subject: New Security Vulnerability in WinNT  
  
A new security vulnerability in Windows NT4 has been released, I was  
just surfin' on http://www.cybermedia.co.in/, when I saw this:  
  
<quote>  
  
CSPL has uncovered a most serious Case Sensitivity vulnerability in
Microsoft's Windows NT operating system. This security hole allows you
to get "Administrator" access on a machine while logged in as "guest" or
any ordinary user.
  
[...]  
  
Description:  
Using the permissions on the "\??" object directory and by exploiting
the case sensitivity of the object manager it is possible to trojan any
system executables.
  
</quote>  
  
--  
Alexandre Stervinou  
mailto:stervino@info.enserb.u-bordeaux.fr  
  
----------------------------------------------------------------------------  
  
http://www.cybermedia.co.in/  
  
Case Sensitivity vulnerability:  
  
Description:
Using the permissions on the "\??" object directory and by exploiting the
case sensitivity of the object manager it is possible to trojan any system
executables.

Problem:
Any ordinary user has write permissions on the \?? object directory. This is to
allow users to map network drives or use the "subst" utility to alias a directory
to a new drive letter. Each drive on the system (be it local, network or substed)
has an entry in the \?? object directory. Each entry is actually a symbolic link
which points to the device associated with that drive (e.g. symbolic link \??\C:
will typically point to a device such as \Device\HardDisk0\Partition1). It is
possible to create a trojaned version of this symbolic link using a different
case, e.g. it is possible to create a symbolic link such as \??\c: (notice the
small letter "c"). By doing this, all the requests to drive C get routed through
the trojaned symbolic link. (e.g. If you get the contents of symbolic link \??\D:
and create a symbolic link, say \??\c:, and put those contents there, then
executing the dir command on drive C will give you the directory listing for drive D.)
So effectively you can route the traffic on drive C to drive D. This is exactly
what the simulation program exploits.
  
Simulation:   
The description of simulation assumes that you have unzipped the files from the   
demo in a directory called C:\FOO and your Windows NT System directory is   
C:\WINNT\SYSTEM32.   
  
The simulation works on latest service packs of all Windows NT versions (3.51, 4.0, 5.0)  
  
When you execute BESYSADM.EXE, the program follows these steps.

Create an identical directory structure of the Windows system directory under
the directory C:\FOO, i.e. it will create a directory structure such as
C:\FOO\WINNT\SYSTEM32
Copy all the POSIX subsystem binaries and required DLLs (except PSXSS.EXE)
from the C:\WINNT\SYSTEM32 directory to
C:\FOO\WINNT\SYSTEM32
Copy the trojaned version of PSXSS.EXE and a dummy POSIX application
DUMMYAPP.EXE from C:\FOO to C:\FOO\WINNT\SYSTEM32
Get the contents of the symbolic link \??\C: and append \FOO to it, i.e. if
the contents of symbolic link \??\C: is \Device\HardDisk0\Partition1
then the new name formed will be \Device\HardDisk0\Partition1\FOO
Create a symbolic link \??\c: (note small c) with the contents
\Device\HardDisk0\Partition1\FOO
Hence effectively executing a dir command on drive C will now give the
directory listing of C:\FOO
Next the program starts a POSIX application DUMMYAPP.EXE as "POSIX /c DUMMYAPP.EXE"
This results in SMSS.EXE starting the POSIX subsystem, which effectively loads the
trojaned version of PSXSS.EXE.
This trojaned version inherits the security context of SMSS.EXE and hence our
PSXSS.EXE runs with root privilege.
This trojaned version adds the logged in user to the local administrator group.
The name of the logged in user is passed through a file called u.ini that
is created in the C:\FOO\WINNT directory.
  
Comments   
The program actually uses \DosDevices everywhere instead of \??, since Windows NT 3.51
does not have a \?? object directory and has a \DosDevices object directory. Starting from
Windows NT 4.0, \DosDevices is actually a symbolic link which points to \??. Hence using
\DosDevices allows the program to run on all Windows NT versions.
  
Instructions for Demo  
  
Fresh boot the machine.   
Login as any ordinary user (guest will also do)   
Unzip the files in attached .ZIP file in some directory on any local hard drive   
on your machine   
Run BESYSADM.EXE   
  
Note:   
If you are using a non-English version of Windows NT, or the local administrator
group has been renamed, then specify the name of the local administrator group on the command
line to BESYSADM.EXE. If no arguments are specified the program assumes that you are
running on an English version and that the name of the local administrator group is "Administrators".
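The advisory above, and Mark's alert at the top of the thread, describe one mechanism: a second drive-letter link in \?? that differs from the real one only in case and whose target is a subdirectory on the same device rather than the device itself. The check below is an added example written for this page; it is not code from CSPL, Packet Storm or any poster. It runs two defender-side tests over a snapshot of the \?? (or \DosDevices) directory: names that collide ignoring case, and drive links whose target lies below another drive's device. The snapshot, the ObjEntry type and the function names are this example's own constructions. On a live NT system the entries would be read with the native NtOpenDirectoryObject, NtQueryDirectoryObject and NtQuerySymbolicLinkObject calls; the example deliberately does not call them so it runs on any platform.

```python
import re
from dataclasses import dataclass


# One entry of an object-manager directory, as a scanner would record it.
# (Example's own type; a real scanner would fill it from NtQueryDirectoryObject
# and NtQuerySymbolicLinkObject, which are not called here.)
@dataclass(frozen=True)
class ObjEntry:
    name: str        # name inside the directory, e.g. "C:"
    type_name: str   # object type, e.g. "SymbolicLink" or "Device"
    target: str      # link target for SymbolicLink entries, "" otherwise


# CONSTRUCTED snapshot of \?? (reached via \DosDevices on NT 3.51) after the
# lower-case link from the advisory has been added. Not captured from a real host.
SAMPLE_DOSDEVICES = [
    ObjEntry("C:", "SymbolicLink", r"\Device\HardDisk0\Partition1"),
    ObjEntry("D:", "SymbolicLink", r"\Device\HardDisk0\Partition2"),
    ObjEntry("PhysicalDrive0", "SymbolicLink", r"\Device\Harddisk0\DR0"),
    ObjEntry("c:", "SymbolicLink", r"\Device\HardDisk0\Partition1\FOO"),  # the trojaned link
]

DRIVE_LETTER = re.compile(r"^[A-Za-z]:$")


def find_case_collisions(entries):
    """Return (first_name, second_name) pairs that are equal ignoring case.

    Win32 paths are looked up case-insensitively, so a second entry that
    differs only in case competes with the original for every lookup of
    that drive letter.
    """
    first_seen = {}
    collisions = []
    for e in entries:
        key = e.name.lower()
        if key in first_seen:
            if first_seen[key].name != e.name:
                collisions.append((first_seen[key].name, e.name))
        else:
            first_seen[key] = e
    return collisions


def find_subpath_drive_links(entries):
    """Return (redirected_drive, base_drive, target) for drive links whose
    target sits below another drive's device.

    A healthy drive link points at a device (\\Device\\HardDisk0\\Partition1);
    one pointing at a directory on that device (...\\Partition1\\FOO) has been
    redirected into a directory tree, which is what the advisory describes.
    """
    drives = [e for e in entries
              if e.type_name == "SymbolicLink" and DRIVE_LETTER.match(e.name)]
    hits = []
    for e in drives:
        for base in drives:
            if base is e:
                continue
            prefix = base.target.rstrip("\\").lower() + "\\"
            if e.target.lower().startswith(prefix):
                hits.append((e.name, base.name, e.target))
    return hits


def audit(entries):
    """Run both checks; an empty list means the snapshot looks clean."""
    findings = []
    for a, b in find_case_collisions(entries):
        findings.append(f"case collision: '{a}' and '{b}' both present in the same directory")
    for drive, base, target in find_subpath_drive_links(entries):
        findings.append(f"drive {drive} redirected into a subtree of drive {base}: {target}")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_DOSDEVICES):
        print(line)
```

Run against the constructed snapshot, `audit` reports the "C:"/"c:" collision and that "c:" points into a subtree of "C:"'s device; the first three entries alone produce no findings. The check is a point-in-time inventory; it complements object-access auditing on \??, which records the write attempt itself, and on later Windows versions the per-session \?? directory falls back to \GLOBAL??, so both should be scanned.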
  
----------------------------------------------------------------------------  
  
Date: Sat, 13 Mar 1999 01:07:18 -0800  
From: Dominique Brezinski <dom_brezinski@SECURECOMPUTING.COM>  
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM  
Subject: Re: [ ALERT ] Case Sensitivity and Symbolic Links  
  
At 01:03 PM 3/12/99 -0700, Mark wrote:  
>Any ordinary user has write permissions on \?? Object directory. This is to  
>allow user to map network drives or use "subst" utility to alias a directory  
>to a new drive letter. Each system drive has an entry into \?? object  
>directory. Each entry is actually a symbolic link which points to the device  
>associated with that drive (ergo: Symbolic link \??\C: will typically point  
>to a device such as \Device\HardDisk0\Partition1). It is possible to create  
>a trojaned version of this symbolic link using the different character  
>case -- for example, it is possible to create a symbolic link such as \??\c:  
>(notice the small letter "c".) By doing this, all the requests to drive C  
>get routed through the trojaned symbolic link.  
  
Well, the exploit does not work on my machine--it fails with "Internal  
error..." when run in my test configuration. I am running NT 4.0  
Workstation, SP4, ProtectionMode set to 1, file and registry permissions  
set to those recommended in Steve Sutton's NSA guide, Guest user enabled  
and allowed to log on locally, %SystemRoot% is on the C partition, and the  
exploit executables on the D partition (the only place writable by guest on  
my system). I enabled auditing on the \?? object and no access was  
attempted. So, it appears that something about my configuration stopped  
the exploit in its tracks ;) When I run it from an admin account, it  
returns a message saying that the account is already a member of the  
administrators group. Oh yeah, I had to enable the Posix subsystem too.  
  
As with the KnownDLLs exploit, good system administration should impede  
these kinds of exploits. Though, they are doing a good job of scratching  
the surface of huge classes of local privilege escalation attacks for NT.  
  
Dominique Brezinski CISSP (206) 898-8254  
Secure Computing http://www.securecomputing.com  
  
----------------------------------------------------------------------------  
  
Date: Wed, 17 Mar 1999 07:26:31 -0600  
From: Peter da Silva <peter@TARONGA.COM>  
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM  
Subject: Re: AW: [ ALERT ] Case Sensitivity and Symbolic Links  
  
In article <c=DE%a=_%p=k.u.k._Datentech%l=NT-990314190548Z-718@nt>,  
Robert Heinig <kuk@COMPUSERVE.COM> wrote:  
> "Note: Drive letters and device names defined at system boot time are  
>protected from redefinition and deletion unless the user is an  
>administrator."  
  
Apparently when you log on and establish your network drive mappings, there are  
circumstances where the mappings are being established by an administrator. At  
any rate, I've had a box lose access to new hard drives (after boot) when some  
user who previously had a network share on the same drive letter logged in.  
  
Rebooting didn't help. The user logged in, the drive mapping vanished.  
  
This was on an NT server running NTerprise, a competing multiuser package to  
Citrix.  
  
--  
This is The Reverend Peter da Silva's Boring Sig File - there are no references  
to Wolves, Kibo, Discordianism, or The Church of the Subgenius in this document  
"[I]f we can make a society that's reasonably safe for women then men should be  
reasonably safe from the occasional same-gender advance too." -- Anthony DeBoer  
  