SECURITY.NNOV: Windows 2000 system partition weak default permissions

2002-08-03T00:00:00
ID SECURITYVULNS:DOC:3323
Type securityvulns
Reporter Securityvulns
Modified 2002-08-03T00:00:00

Description

Title: Windows 2000 system partition weak default permissions
Affected: Windows 2000
Vendor: Microsoft
Author: ZARAZA <3APA3A@security.nnov.ru>
Date: August, 03 2002
Risk: Average
Exploitable: Yes
Remote: No
Vendor notified: few months ago
SECURITY.NNOV URL: http://www.security.nnov.ru
Advanced info: http://www.security.nnov.ru/search/news.asp?binid=2205

I. Introduction:

To protect system files located in the root of the system partition (boot.ini, ntdetect.com, ntldr, etc.), the Windows 2000 setup program applies NTFS permissions that allow only administrators and advanced users to access these files.

II. Vulnerability:

The system partition itself has the Everyone/Full Control access permission.

III. Details:

For POSIX compatibility, a user with the Full Control NTFS permission on a folder may delete any file from that folder regardless of the individual file's permissions. This makes it possible for a user to become the owner of, and gain full control over, any system file located in the root of the system partition with the following scenario:

  1. Delete the original file (delete only, because moving a file to the Recycle Bin requires read permission).
  2. Put a new file with the same name in its place. The user is now the owner of this new file and has the Full Control permission for it, inherited from the root folder.

This makes it possible to trojan system files to execute code in kernel space and/or to change the boot sequence.

IV. Solution

Replace the Full Control permission for the Everyone group with any reasonable set of permissions for all root folders.
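
One way to check root folders for this condition, as an added example that is not part of the original advisory: the script lists allow ACEs on each drive root that give a broad principal the delete-child right (which Full Control includes and Modify does not). It uses PowerShell, which postdates Windows 2000, and the function name and the list of broad principals are assumptions to adjust to local policy.

```powershell
# Added example: audit drive roots for the weakness described in the advisory.
# DeleteSubdirectoriesAndFiles (FILE_DELETE_CHILD) on a folder lets the holder
# delete files inside it regardless of each file's own ACL.

# Assumption: which principals count as "broad" is a local policy choice.
$broadSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-32-545'   # BUILTIN\Users
)
$deleteChild = [int][System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles
$inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

function Get-WeakRootAce {   # hypothetical helper name
    param([string[]]$Path)
    foreach ($p in $Path) {
        $acl = Get-Acl -LiteralPath $p
        # Resolve trustees to SIDs so the check also works on localized systems.
        $rules = $acl.GetAccessRules($true, $true,
            [System.Security.Principal.SecurityIdentifier])
        foreach ($ace in $rules) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            # Inherit-only ACEs apply to children, not to the folder itself.
            if ([int]$ace.PropagationFlags -band $inheritOnly) { continue }
            if ($broadSids -notcontains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.FileSystemRights -band $deleteChild) -eq 0) { continue }
            [pscustomobject]@{
                Path      = $p
                Sid       = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Check the root folder of every mounted file system drive.
$roots = Get-PSDrive -PSProvider FileSystem |
    Where-Object { $_.Root -and (Test-Path -LiteralPath $_.Root) } |
    ForEach-Object { $_.Root }
Get-WeakRootAce -Path $roots | Format-Table -AutoSize
```

An empty result means no listed principal holds delete-child on any root; ACEs expressed as generic rights are not decoded by this check and should be reviewed by hand.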

--
http://www.security.nnov.ru
ZARAZA U 3APA3A
You know my name - look up my number (The Beatles)