7th Oct 2002 [SBWID-5737]
COMMAND
Windows XP Insecure System Restore File Permissions
SYSTEMS AFFECTED
WinXP Pro(Gold)
PROBLEM
Makoto Shiotsuki found :
On Windows XP Professional (Gold), the "System Restore" files are
not properly protected by NTFS ACLs, so every local user can access
these important files.
System Restore files are stored in the "System Volume Information"
directory. This directory itself is well protected by its ACL, so normal
users generally cannot reach the System Restore files. However, the System
Restore Directory, along with its sub-directories, is not protected
by an NTFS ACL (Everyone: Full Control), so every local user can access the
System Restore files by specifying the path directly.
You can find the path of the System Restore Directory with the following
command line.
c:\> reg query "HKLM\System\CurrentControlSet\Control\BackupRestore\FilesNotToBackup" /v "System Restore"
You can then cd into the System Restore Directory.
(example)
c:\> cd \System Volume Information\_restore{8716531F-212F-45F1-8BAA-FB69F0C7FAEF}
Within the Restore Point Directories (RP0, RP1, ...), you will find a
directory called "snapshot" containing registry hive data.
_REGISTRY_MACHINE_SAM
_REGISTRY_MACHINE_SECURITY
_REGISTRY_MACHINE_SOFTWARE
_REGISTRY_MACHINE_SYSTEM
_REGISTRY_USER_.DEFAULT
_REGISTRY_USER_NTUSER_S-1-5-18
.....
These hive files are also freely accessible by every local user.
A malicious local user may modify the SOFTWARE hive (e.g. add a malicious Run
registry entry), expecting the administrator to execute System Restore,
after which the modification takes effect.
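The following PowerShell script is an added defensive check and is not part of the original advisory. It reads the same registry value the advisory queries with reg.exe, walks each System Restore directory and its sub-directories (RPn, snapshot, ...), and reports every Allow ACE granted to a broad principal such as Everyone, which is exactly the weak permission the advisory describes. It assumes an elevated session (the "System Volume Information" directory is otherwise unreadable), that PowerShell is available on the host (it is not shipped with XP Gold), and that the registry entries are of the form "\System Volume Information\_restore{GUID} /s"; the principal list and the 0x10000000/0x40000000 generic-right bits are assumptions of this example.

```powershell
# Added example, not from the advisory: audit NTFS ACLs on System Restore
# directories for ACEs granted to broad principals. Run elevated.

# Principals that should never hold rights on restore-point data (assumed list).
$BroadPrincipals = @('Everyone', 'BUILTIN\Users',
                     'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

function Get-RestoreDirectories {
    # Read the value the advisory queries with reg.exe. Entries are assumed to
    # look like "\System Volume Information\_restore{GUID} /s"; the "/s" flag
    # and any leading "\*" drive wildcard are stripped (assumption).
    $key  = 'HKLM:\System\CurrentControlSet\Control\BackupRestore\FilesNotToBackup'
    $dirs = @()
    try {
        $entries = (Get-ItemProperty -Path $key -Name 'System Restore' -ErrorAction Stop).'System Restore'
        foreach ($entry in @($entries)) {
            $p = ($entry -replace '\s+/s\s*$', '').Trim()
            $p = $p -replace '^\\\*', ''
            if ($p) { $dirs += (Join-Path $env:SystemDrive $p) }
        }
    } catch {
        Write-Warning "Cannot read '$key', falling back to a directory search: $_"
    }
    if ($dirs.Count -eq 0) {
        # Fallback: look for _restore{GUID} directories directly under the volume root.
        $svi  = Join-Path $env:SystemDrive 'System Volume Information'
        $dirs = @(Get-ChildItem -Path $svi -Force -Filter '_restore*' -ErrorAction SilentlyContinue |
                  Where-Object { $_.PSIsContainer } | ForEach-Object { $_.FullName })
    }
    return $dirs
}

function Test-RestoreDirectoryAcl {
    param([Parameter(Mandatory = $true)][string]$Path)
    # Bits that allow tampering: Write, Delete, GENERIC_ALL and GENERIC_WRITE.
    # Write access is CRITICAL (hive tampering before a restore); read-only
    # access is still HIGH, because it exposes the SAM/SECURITY hive copies.
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]::Write -bor
                 [int][System.Security.AccessControl.FileSystemRights]::Delete -bor
                 0x10000000 -bor 0x40000000
    $targets = @(Get-Item -Path $Path -Force -ErrorAction Stop) +
               @(Get-ChildItem -Path $Path -Recurse -Force -ErrorAction SilentlyContinue |
                 Where-Object { $_.PSIsContainer })
    $findings = @()
    foreach ($item in $targets) {
        $acl = Get-Acl -Path $item.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            $canWrite = (([int]$ace.FileSystemRights) -band $writeMask) -ne 0
            $severity = 'HIGH'
            if ($canWrite) { $severity = 'CRITICAL' }
            $findings += New-Object PSObject -Property @{
                Severity  = $severity
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Path      = $item.FullName
            }
        }
    }
    return $findings
}

# Driver: audit every restore directory and print the findings, worst first.
$all = @()
foreach ($dir in Get-RestoreDirectories) {
    Write-Host "Auditing $dir"
    $all += @(Test-RestoreDirectoryAcl -Path $dir)
}
if ($all.Count -eq 0) {
    Write-Host 'No broad-principal ACEs found on System Restore directories.'
} else {
    $all | Sort-Object Severity, Path | Format-Table Severity, Principal, Rights, Path -AutoSize
}
```

On a system with the advisory's condition, the report lists Everyone with FullControl on the _restore{GUID} directory and on every RPn and snapshot sub-directory, each marked CRITICAL; after the fix is applied (or on a correctly configured volume) the script should report no findings.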
SOLUTION
Apply SP1