
Windows 2k/xp/03/Vista ReadDirectoryChangesW information leak

www.hx99.net    Date: 2007-07-09    Compiled by: Huaxi Security Network
Title: Microsoft Windows 2000/XP/2003/Vista ReadDirectoryChangesW information leak
Author: 3APA3A, http://securityvulns.com
Affected: Microsoft Windows 2000, XP, 2003, Vista
Exploitable: Yes
Type: Remote (from local network), authentication required (NULL session was not tested).
Class: Information leak, insecure design
CVE: CVE-2007-0843
Original Advisory: http://securityvulns.com/advisories/readdirectorychanges.asp
SecurityVulns news: http://securityvulns.com/news/Microsoft/Windows/ReadDirector.html

Intro:

It's a very simple yet interesting vulnerability. The ReadDirectoryChangesW() API allows an application to monitor directory changes in real time. The bWatchSubtree parameter of this function allows monitoring changes within the whole directory tree of the monitored directory. To monitor changes, the directory must be opened with LIST (READ) access. The function returns the list of modified files together with the type of modification. File modification refers to any modification of the file's record in the directory.

Vulnerability:

ReadDirectoryChangesW() doesn't check the user's permissions for child objects, making it possible to retrieve information about objects the user has no "LIST" permission on.

Impact:

Any unprivileged user with LIST access to a parent directory can monitor any files in child directories regardless of the subdirectories' and files' permissions. Because by default Windows updates the access time of any accessed file on NTFS volumes, this makes it possible for the user to gather information about NTFS-protected files: their names and the time of access to the files (reading, writing, creation, deletion, renaming, etc). File names may contain sensitive information or leak information about the user's behavior (e.g. cookie files).

In addition to its own impact, this vulnerability elevates the impact of a few different vulnerabilities and common practices, to be reported later.

Exploit:

http://securityvulns.com/files/spydir.c

A compiled version of Spydir is available from

http://securityvulns.com/soft/

Usage example:

spydir \\corpsrv\corpdata

I believe you will find this utility useful regardless of this security issue. It shows the names of accessed/modified files for a given directory in real time (it seems there are non-security bugs in ReadDirectoryChangesW implementations, e.g. you cannot see non-ASCII names and some changes are missing).

Workaround:

Avoid creating more secure folders inside less secure ones. Avoid using sensitive data in document names.
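The first workaround is easier to follow when the "more secure folder inside a less secure one" pattern can be found on a share automatically. The PowerShell script below is an added audit example written for this page; it is not part of the advisory and not Spydir. It walks a directory tree and reports every subfolder on which some identity lacks the "List folder contents" right (FILE_LIST_DIRECTORY, the access ReadDirectoryChangesW() needs on the watched directory) while holding that right on the subfolder's parent; those are the subfolders whose file names and access times a watcher on the parent can still observe. The function names Get-ListPrincipal and Find-ExposedSubfolder, the sample path D:\Shares\corpdata, and the simplification that identities are compared by the name in each ACE (group membership is not expanded) are all assumptions of this example.

```powershell
# Added audit example; not code from the advisory or from Spydir.
# Assumes it runs on Windows with permission to read the ACLs of the tree.
# Identities are compared by the name appearing in each ACE; nested group
# membership is not resolved, so treat the output as a list of candidates to review.

function Get-ListPrincipal {
    # Returns the identities that end up allowed ListDirectory on one directory.
    # A Deny ACE for that right overrides an Allow for the same identity.
    param([Parameter(Mandatory)][string]$Path)

    $listRight = [System.Security.AccessControl.FileSystemRights]::ListDirectory
    $allow = New-Object System.Collections.Generic.HashSet[string]
    $deny  = New-Object System.Collections.Generic.HashSet[string]

    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    } catch {
        Write-Warning "Cannot read ACL of $Path : $($_.Exception.Message)"
        return @()
    }

    foreach ($ace in $acl.Access) {
        # Generic rights (GENERIC_READ etc.) show up as unmapped bits and are skipped.
        if (($ace.FileSystemRights -band $listRight) -eq 0) { continue }
        $who = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow) {
            [void]$allow.Add($who)
        } else {
            [void]$deny.Add($who)
        }
    }
    $allow.ExceptWith($deny)
    return @($allow)
}

function Find-ExposedSubfolder {
    # Walks $Root and reports each subfolder where an identity may list the parent
    # but not the subfolder itself. Because bWatchSubtree covers the whole tree,
    # checking every child against its own parent finds each such boundary.
    param([Parameter(Mandatory)][string]$Root)

    Get-ChildItem -LiteralPath $Root -Directory -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $parentList = Get-ListPrincipal -Path $_.Parent.FullName
            $childList  = Get-ListPrincipal -Path $_.FullName
            $exposed = @($parentList | Where-Object { $childList -notcontains $_ })
            if ($exposed.Count -gt 0) {
                [pscustomobject]@{
                    Folder            = $_.FullName
                    CanListParentOnly = ($exposed -join '; ')
                }
            }
        }
}

# Usage (hypothetical share path):
# Find-ExposedSubfolder -Root 'D:\Shares\corpdata' | Format-Table -AutoSize
```

Each reported folder is one the workaround says should not sit where it does: either move it to a parent with equally strict permissions, or accept that its file names and access times are visible to everyone listed in the CanListParentOnly column. Because the comparison is by ACE identity, a user who reaches the parent through one group and is denied on the child through another will appear under the group names rather than the user name.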

Vendor (Microsoft):

January 17, 2006    Initial vendor notification
January 18, 2006    Vendor reply (assigned)
January 26, 2006    2nd vendor notification
February 7, 2006    3rd vendor notification
February 9, 2006    Vendor accepted vulnerability as "service pack class" for Windows XP and Windows 2003.
February 9, 2006    Accepted to wait until SP
February 22, 2006   Vendor gives SP timelines (late 2006 for W2K3 SP2 and 2007 for XP SP3)
February 22, 2007   Public release, because Windows Vista is released with the same vulnerability.
Source: Huaxi Security Network [http://www.hx99.net]