Re: Disk (over)quota in Windows 2000

[dknight () CSUCHICO EDU (Bret Piatt)]

----- Original Message -----
From: "Peter Gutmann" <pgut001 () cs auckland ac nz>
To: <BUGTRAQ () SECURITYFOCUS COM>
Sent: Tuesday, February 29, 2000 5:55 PM
Subject: Re: Disk (over)quota in Windows 2000

> Dave Tarbatt - ACS <D.A.Tarbatt () BOLTON AC UK> writes:
>
> > I've been looking into disk quotas under Windows 2000 and have uncovered
a
> > few anomalies. On top of a few peculiarities there appears to be a bug
which
> > allows a user to exceed their disk quota by as much as they wish.
> >
> > [...]
> >
> > I discovered by experiment that new files can be created upto a size of
> > (Quota - UsedSpace  + 2KB - 1byte), i.e. they can go overquota by up to
2047
> > bytes. Not too much of a problem. Extending existing files can be up to
> > (Quota - UsedSpace +1KB -1byte) i.e. up to 1023 bytes overquota - nothing
> > much to be worried about.
>
> Isn't this just a cluster-size filling issue?  It looks like accounting is
> being done on a bytes-used basis but files are managed on a per-cluster
basis,
> so it's possible to extend files out to fill the cluster without coming
into
> conflict with the quota system.
>
> Peter.

This makes it any less of a bug how?  The main issue here isn't the fact
that
he can stretch the files up to X bytes its the fact that he can keep
creating
files when he's already exceeded his quota because 0 byte files still take
up 1 block on the disk (512 bytes based on the NTFS system).  The Win2k
quota system should count each file a user creates at that minimum size
even if the size is actually smaller.  This will not change how the normal
user works but will deny this attack and allow for more accurate accounting.

Bret Piatt - bpiatt () flash net/dknight () csuchico edu
Systems Engineer [CCNA/CCDA/MCP]
PacifiCom - (530) 342-8999