COMMAND

Windows 2000 system partition weak default permissions

SYSTEMS AFFECTED

Windows 2000

PROBLEM

ZARAZA (3APA3A) of [http://www.security.nnov.ru] says:

Advanced info: http://www.security.nnov.ru/search/news.asp?binid=2205

To protect system files located in the root of the system partition (boot.ini, ntdetect.com, ntldr, autoexec.bat etc.), Windows 2000 applies a security template with NTFS permissions that only allow administrators and advanced users to access these files.

Vulnerability

The system partition itself has the Everyone/Full Control access permission. Microsoft (and NIST draft) documents also recommend Everyone/Full Control or Authenticated Users/Full Control permissions.

Details

For POSIX compatibility, a user with the Full Control NTFS permission for a folder may delete any file from this folder regardless of file permissions. It makes it possible for a user to become owner of, and get full control over, any system file located in the root of the system partition with the following scenario:

1. Delete the original file (only delete, because putting a file into the recycle bin requires read permission).
2. Create a new file with the same name. Now the user is the owner of this new file and has the Full Control permission for this file, inherited from the root folder.

It makes it possible to trojan system files to execute some code in kernel space and/or to change the boot sequence. It's not as hard as it seems: it's trivial to exploit this problem to get system level access or to run an application in the logged-on user's context without programming/debugging skills (hint: 'strings ntldr').

SOLUTION

The workaround is very easy. Replace the Full Control permission for the Everyone group with any reasonable set of permissions for all root folders, including the system partition. You can replace the Full Control permission with the full set of special permissions. For NTFS it will have the same effect, except the user will not be able to remove any files if he has no delete permission for those files.
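The following PowerShell script is an added example, not part of the advisory and not the author's code. It audits volume roots for an Allow ACE granting Full Control to Everyone (the weak default described above) and, on request, replaces that ACE with Modify, which drops the folder-level "Delete subfolders and files" right (plus "Change permissions" and "Take ownership") so that deleting a root file again requires Delete on that file. It assumes Windows PowerShell 5.1 or later on a current Windows host (Windows 2000 itself has no PowerShell; there the same change is made in the Security tab or with cacls.exe); the function names, parameters and the `-Identity` matching rule are this example's own.

```powershell
# Added example (not from the advisory): audit root folders for Everyone/Full Control
# and replace that ACE with Modify. Assumes Windows PowerShell 5.1+ and an elevated shell.

function Test-FullControlRule {
    # True when $Rule is an Allow ACE that grants Full Control to $Identity.
    param(
        [System.Security.AccessControl.FileSystemAccessRule]$Rule,
        [string]$Identity
    )
    $fullControlMask = 0x1F01FF    # FileSystemRights.FullControl
    $genericAll      = 0x10000000  # GENERIC_ALL, the form some root ACEs are stored in
    if ($Rule.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) {
        return $false
    }
    # Compare on the final name component so "Everyone" and "BUILTIN\Users" both match simply.
    $name = ($Rule.IdentityReference.Value -split '\\')[-1]
    if ($name -ne $Identity) { return $false }
    $raw = [int]$Rule.FileSystemRights
    return ((($raw -band $fullControlMask) -eq $fullControlMask) -or (($raw -band $genericAll) -ne 0))
}

function Get-RootFullControlRules {
    # Lists every Full Control ACE for $Identity on each root folder in $Path.
    [CmdletBinding()]
    param(
        [string[]]$Path = @("$env:SystemDrive\"),
        [string]$Identity = 'Everyone'
    )
    foreach ($root in $Path) {
        if (-not (Test-Path -LiteralPath $root)) {
            Write-Warning "Skipping missing path $root"
            continue
        }
        $acl = Get-Acl -LiteralPath $root
        foreach ($rule in $acl.Access) {
            if (Test-FullControlRule -Rule $rule -Identity $Identity) {
                [pscustomobject]@{
                    Path        = $root
                    Identity    = $rule.IdentityReference.Value
                    Rights      = $rule.FileSystemRights
                    Inheritance = $rule.InheritanceFlags
                    Inherited   = $rule.IsInherited
                }
            }
        }
    }
}

function Repair-RootEveryoneAcl {
    # Replaces each matching Full Control ACE on $Path with Modify, keeping the
    # original inheritance and propagation flags. Supports -WhatIf / -Confirm.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Identity = 'Everyone'
    )
    $acl = Get-Acl -LiteralPath $Path
    $changed = $false
    foreach ($rule in @($acl.Access)) {   # snapshot: the collection is modified below
        if (-not (Test-FullControlRule -Rule $rule -Identity $Identity)) { continue }
        if ($rule.IsInherited) {
            Write-Warning "$Path: inherited ACE for $($rule.IdentityReference) must be fixed on its parent"
            continue
        }
        $replacement = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $rule.IdentityReference,
            [System.Security.AccessControl.FileSystemRights]::Modify,
            $rule.InheritanceFlags,
            $rule.PropagationFlags,
            [System.Security.AccessControl.AccessControlType]::Allow)
        $null = $acl.RemoveAccessRule($rule)
        $acl.AddAccessRule($replacement)
        $changed = $true
    }
    if ($changed -and $PSCmdlet.ShouldProcess($Path, "Replace $Identity Full Control with Modify")) {
        Set-Acl -LiteralPath $Path -AclObject $acl
    }
    return $changed
}

# Usage (elevated PowerShell):
#   Get-RootFullControlRules -Path 'C:\','D:\' | Format-Table -AutoSize
#   Repair-RootEveryoneAcl -Path 'C:\' -WhatIf   # preview the change
#   Repair-RootEveryoneAcl -Path 'C:\'           # apply it
```

Run the audit first and keep its output as the change record. Modify still lets a user delete files they own or have Delete on, and still propagates to newly created children, which is exactly the behaviour the advisory's last sentence describes; what it removes is the folder-level right that let a Full Control holder delete a root file without any permission on the file itself.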