[Full-disclosure] Microsoft Windows Vista/2003/XP/2000 file management security issues

[3APA3A]

Dear Michele Cicciotti,

--Friday, March 9, 2007, 9:00:05 PM, you wrote to full-disclosure at lists.grok.org.uk:

>>  Scenario  1.1:
>> 
>>  Bob  wishes  to  create "Bob private data" folder in "Public" folder to
>>  place  few private files. "Public" has at least "Write" permissions for
>>  "User" group. Bob:

MC> This is, of course, wrong. You muddy the issue with the "Write
MC> permissions for User group" red herring and we are all supposed to
MC> oooh and aaah at your sleigh-of-hand trickery. Of course, a proper
MC> public repository for private folders should have saner settings
MC> than that, to begin with.

First,  Bob's private data was just an example. A problem itself belongs
to any case where data with more restrictive permissions is created in a
folder  with  less restrictive permissions. And despite Mr. Grimes says,
this  is  quite common case under Windows and can be found in almost any
real  corporate  directory  structure. If you ever removed "Inherit from
parent"  checkbox in advanced security settings - you most probably were
vulnerable to attack. Show me administrator who never did.

Second,   "Preopen  file  attack"  and  everything  below will work with
saner  "Add  and  read permission for User group". Any usage of "Creator
owner" group is a case where this can be exploited.


-- 
~/ZARAZA http://securityvulns.com/
Ибо факты есть факты, и изложены они лишь для того, чтобы их поняли и в них поверили. (Твен)