[Full-disclosure] Microsoft Windows 2000/XP/2003/Vista ReadDirectoryChangesW information leak
atarasco at gmail.com
Thu Feb 22 11:29:49 GMT 2007
You said that, as a workaround, we should never allow "creation of more
secure folder in less secure ones."
I agree, but as I see it, that means that allowing the "Bypass traverse
checking" policy is also a bad idea.
Anyway, there are several scenarios where we cannot easily protect ourselves
against that threat, for example a shared environment with terminal
server/citrix where all our stored documents can be stolen.
In that case, only a software restriction policy will protect us.
2007/2/22, 3APA3A <3APA3A at security.nnov.ru>:
> Title: Microsoft Windows 2000/XP/2003/Vista ReadDirectoryChangesW
> information leak
> Author: 3APA3A, http://securityvulns.com
> Affected: Microsoft Windows 2000,XP,2003,Vista
> Exploitable: Yes
> Type: Remote (from local network), authentication required
> (NULL session was not tested).
> Class: Information leak, insecure design
> CVE: CVE-2007-0843
> It's a very simple yet interesting vulnerability. The ReadDirectoryChangesW()
> API allows an application to monitor directory changes in real time.
> The bWatchSubtree parameter of this function allows monitoring changes
> within the whole directory tree of the monitored directory. To monitor
> changes, the directory must be opened with LIST (READ) access. The function
> returns the list of modified files with the type of modification. File
> modification refers to any modification of a file record in the directory.
> ReadDirectoryChangesW() doesn't check the user's permissions for child
> objects, making it possible to retrieve information about objects the
> user has no "LIST" permissions on.
> Any unprivileged user with LIST access to a parent directory can monitor
> any files in child directories regardless of subdirectory and file
> permissions. Because by default Windows updates the access time of any
> accessed file on NTFS volumes, it makes it possible for a user to gather
> information about NTFS-protected files, their names and the time of access
> to the files (reading, writing, creation, deletion, renaming, etc).
> Filenames may contain sensitive information or leak information about
> a user's behavior (e.g. cookie files).
> In addition to its own impact, this vulnerability elevates the impact of
> a few different vulnerabilities and common practices, to be reported
> compiled version of Spydir is available from
> Usage example:
> spydir \\corpsrv\corpdata
> I believe you will find this utility useful regardless of this security
> issue. It shows the names of accessed/modified files for a given directory in
> real time (it seems there are non-security bugs in ReadDirectoryChangesW
> implementations, e.g. you cannot see non-ASCII names and some changes
> are missing).
> Avoid creating more secure folders inside less secure ones. Avoid using
> sensitive data in document names.
> Vendor (Microsoft):
> January, 17 2006 Initial vendor notification
> January, 18 2006 Vendor reply (assigned)
> January, 26 2006 2nd vendor notification
> February, 7 2006 3rd vendor notification
> February, 9 2006 Vendor accepted vulnerability as "service pack
> class" for Windows XP and Windows 2003.
> February, 9 2006 Accepted to wait until SP
> February, 22 2006 Vendor gives SP timelines (late 2006 for W2K3
> SP2 and 2007 for XP SP3)
> February, 22 2007 Public release, because Windows Vista is
> released with same vulnerability.
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
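As an added example (not part of the advisory and not Spydir), this is the check a defender would run for the workaround quoted above: a PowerShell audit that walks a tree and reports subdirectories that some identity can list at the root but not inside, i.e. more secure folders inside less secure ones, which are exactly the places ReadDirectoryChangesW on the root still reports events from. It assumes the root is passed as $Root and compares the ACEs Get-Acl returns per identity without expanding group membership.

```powershell
param([Parameter(Mandatory)][string]$Root)

# ListDirectory is the right the advisory calls LIST (READ); FullControl,
# Modify, ReadAndExecute and Read all include it, so a bit test catches them.
$ListBit = [int][System.Security.AccessControl.FileSystemRights]::ListDirectory

# Identities whose ACEs (explicit or inherited) allow listing $Path, minus any
# identity with a Deny ACE for it. Group membership is not expanded
# (assumption: a per-identity comparison is enough to locate the islands).
function Get-ListIdentities([string]$Path) {
    $allow = @{}; $deny = @{}
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return $allow }   # unreadable ACL: treat as nobody listed
    foreach ($ace in $acl.Access) {
        if ((([int]$ace.FileSystemRights) -band $ListBit) -eq 0) { continue }
        $who = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow') { $allow[$who] = $true }
        else { $deny[$who] = $true }
    }
    foreach ($who in $deny.Keys) { $allow.Remove($who) }
    return $allow
}

# Everyone who can list the root can open it for ReadDirectoryChangesW with
# bWatchSubtree; any child they cannot list is the "more secure folder in a
# less secure one" the advisory warns about.
$rootListers = Get-ListIdentities $Root
Get-ChildItem -LiteralPath $Root -Directory -Recurse -Force -ErrorAction SilentlyContinue |
  ForEach-Object {
    $dir = $_.FullName
    $childListers = Get-ListIdentities $dir
    $exposedTo = @($rootListers.Keys | Where-Object { -not $childListers.ContainsKey($_) })
    if ($exposedTo.Count -gt 0) {
        [pscustomobject]@{
            Directory             = $dir
            CanListRootButNotHere = ($exposedTo -join ', ')
        }
    }
  }
```

Each row names a directory whose contents are hidden from a principal by its own ACL but whose file names and change times that principal could still observe from the root; moving such data out of the shared tree, or removing the principal's LIST right higher up, closes the gap.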