Re: Microsoft Windows 2000/XP/2003/Vista ReadDirectoryChangesW informaton leak

["Andres Tarasco" <atarasco () gmail com>]

Hi,

You told that as a  workaround that we should never allow "creation of  more
secure folder in less secure ones."

I agree but, as i see..,  that means that also allowing the "Bypass traverse
checking" policy is also a bad idea.

Anyway, there are several scenarios where we could not protect us against
that threat easily, like for example a shared environment with terminal
server/citrix where all our stored documents can be stolen.
In that case, only a software restriction policy will protect us.

regards,

Andres Tarasco



2007/2/22, 3APA3A <3APA3A () security nnov ru>:
> Title:          Microsoft Windows 2000/XP/2003/Vista ReadDirectoryChangesW
>                 informaton leak
> Author:         3APA3A, http://securityvulns.com
> Affected:       Microsoft Windows 2000,XP,2003,Vista
> Exploitable:    Yes
> Type:           Remote  (from  local  network), authentication required
>                 (NULL session was not tested).
> Class:          Information leak, insecure design
> CVE:            CVE-2007-0843
> Original
> Advisory:
> http://securityvulns.com/advisories/readdirectorychanges.asp
> SecurityVulns
> news:
> http://securityvulns.com/news/Microsoft/Windows/ReadDirector.html
>
>
> Intro:
>
> It's  very simple yet interesting vulnerability. ReadDirectoryChangesW()
> API  allows  application  to  monitor  directory  changes  in real time.
> bWatchSubtree  parameter  of  this  functions  allows to monitor changes
> within  whole  directory  tree  with  of monitored directory. To monitor
> changes directory must be open with LIST (READ) access. Function returns
> the   list   of  modified  files  with  a  type  of  modification.  File
> modification refers to any modification of file record in directory.
>
> Vulnerability:
>
> ReadDirectoryChangesW()  doesn't  check  user's  permissions  for  child
> child  objects,  making  it's  possible  to  retrieve  information about
> objects user has no "LIST" permissions.
>
> Impact:
>
> Any  unprivileged  user with LIST access to parent directory can monitor
> any  files  in  child directories regardless of subdirectories and files
> permissions.  Because  by  default  Windows  updates  access time of any
> accessed  files on NTFS volumes, it makes it possible for user to gather
> information  about  NTFS-protected files, their names and time of access
> to  the  files  (reading,  writing,  creation, deletion, renaming, etc).
> Filenames  may  contain  sensitive information or leak information about
> user's behavior (e.g. cookies files).
>
> In  addition  to  it's own impact, this vulnerability elevates impact of
> few  different  vulnerabilities  and  common  practices,  to be reported
> later.
>
> Exploit:
>
> http://securityvulns.com/files/spydir.c
>
> compiled version of Spydir is available from
>
> http://securityvulns.com/soft/
>
> Usage example:
>
> spydir \\corpsrv\corpdata
>
> I  believe  you  find  this  utility  useful regardless of this security
> issue.  It shows names of accessed/modified files for given directory in
> real time (it seems there are non-security bugs in ReadDirectoryChangesW
> implementations,  e.g.  you can not see non-ASCII names and some changes
> are missing).
>
> Workaround:
>
> Avoid  creation  of  more secure folder in less secure ones. Avoid using
> sensitive data in documents naming.
>
> Vendor (Microsoft):
>
> January, 17 2006          Initial vendor notification
> January, 18 2006          Vendor reply (assigned)
> January, 26 2006          2nd vendor notification
> February, 7 2006          3rd vendor notification
> February, 9 2006          Vendor accepted vulnerability as "service pack
>                           class" for Windows XP and Windows 2003.
> February, 9 2006          Accepted to wait until SP
> February, 22 2006         Vendor gives SP timelines (late 2006 for W2K3
>                           SP2 and 2007 for XP SP3)
> February, 22  2007        Public  release,  because  Windows Vista is
>                           released with same vulnerability.
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/



--
Andres Tarasco

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/