Title: Microsoft Windows 2000/XP/2003/Vista ReadDirectoryChangesW information leak
Author: 3APA3A, http://securityvulns.com
Affected: Microsoft Windows 2000, XP, 2003, Vista
Exploitable: Yes
Type: Remote (from local network), authentication required (NULL session was not tested).
Class: Information leak, insecure design
CVE: CVE-2007-0843
Original Advisory: http://securityvulns.com/advisories/readdirectorychanges.asp
SecurityVulns news: http://securityvulns.com/news/Microsoft/Windows/ReadDirector.html
Intro:
It is a very simple yet interesting vulnerability. The ReadDirectoryChangesW() API allows an application to monitor directory changes in real time. The bWatchSubtree parameter of this function allows monitoring changes within the whole directory tree below the monitored directory. To monitor changes, the directory must be opened with LIST (READ) access. The function returns the list of modified files together with the type of each modification. Here "file modification" refers to any modification of the file's record in the directory.
Vulnerability:
ReadDirectoryChangesW() does not check the user's permissions on child objects, making it possible to retrieve information about objects for which the user has no "LIST" permission.
Impact:
Any unprivileged user with LIST access to a parent directory can monitor any files in its child directories regardless of the permissions on those subdirectories and files. Because by default Windows updates the access time of any accessed file on NTFS volumes, this makes it possible for the user to gather information about NTFS-protected files: their names and the time of each access to the files (reading, writing, creation, deletion, renaming, etc). File names may contain sensitive information or leak information about a user's behavior (e.g. cookie files).

In addition to its own impact, this vulnerability elevates the impact of a few different vulnerabilities and common practices, to be reported later.
Exploit:
http://securityvulns.com/files/spydir.c
A compiled version of Spydir is available from
http://securityvulns.com/soft/
Usage example:
spydir \\corpsrv\corpdata
I believe you will find this utility useful regardless of this security issue. It shows the names of accessed/modified files for a given directory in real time (it seems there are non-security bugs in ReadDirectoryChangesW implementations, e.g. you cannot see non-ASCII names and some changes are missing).
Workaround:
Avoid creating more secure folders inside less secure ones. Avoid using sensitive data in document names.
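The first rule of the workaround can be audited mechanically. The following PowerShell script is an added example written for this page; it is not part of the advisory or of spydir. It walks a directory tree and reports every subfolder where some principal holds LIST (ListDirectory) on the parent but not on the child, which is exactly the layout the vulnerability turns into an information leak. It assumes a local or UNC path such as \\corpsrv\corpdata (the share from the usage example) and an account able to read the ACLs; the function names Get-ListPrincipals and Find-TighterSubfolders are its own.

```powershell
# Added audit script for the workaround above. It is not part of the original advisory or
# the spydir tool. It walks a directory tree and reports subfolders that are "more secure"
# than their parent: some principal holds an Allow ACE with ListDirectory on the parent but
# has no effective ListDirectory allow on the child. With CVE-2007-0843 unpatched, such a
# principal can still watch file names and access events inside that child folder.
#
# Assumptions: run with rights to read the ACLs; $Root is a local path or UNC path such as
# \\corpsrv\corpdata (the share name used in the advisory's usage example).
param(
    [Parameter(Mandatory = $true)]
    [string]$Root
)

# Identities that effectively hold ListDirectory (FILE_LIST_DIRECTORY, bit 0x1) on $Path:
# every Allow ACE carrying the bit, minus identities that also have a Deny ACE carrying it.
# Limitations (kept deliberately simple): group nesting is not expanded and generic rights
# (GENERIC_READ etc., shown by PowerShell as large numeric values) are not mapped.
function Get-ListPrincipals {
    param([string]$Path)
    $allow = @{}
    $deny  = @{}
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        $hasList = (([int]$ace.FileSystemRights) -band 1) -ne 0
        if (-not $hasList) { continue }
        $id = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow') { $allow[$id] = $true } else { $deny[$id] = $true }
    }
    foreach ($id in @($deny.Keys)) { $allow.Remove($id) }
    return $allow
}

# Compare each subfolder against its parent and collect the principals that lose LIST on the
# child but keep it on the parent; those are the ones the advisory's scenario applies to.
function Find-TighterSubfolders {
    param([string]$Root)
    $findings = @()
    $dirs = Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue
    foreach ($dir in $dirs) {
        $parentPath = Split-Path -Parent $dir.FullName
        try {
            $parentIds = Get-ListPrincipals -Path $parentPath
            $childIds  = Get-ListPrincipals -Path $dir.FullName
        } catch {
            Write-Warning "Cannot read ACL for $($dir.FullName): $_"
            continue
        }
        $exposed = @($parentIds.Keys | Where-Object { -not $childIds.ContainsKey($_) })
        if ($exposed.Count -gt 0) {
            $findings += [pscustomobject]@{
                Folder      = $dir.FullName
                Parent      = $parentPath
                CanWatchVia = ($exposed -join ', ')
            }
        }
    }
    return $findings
}

Find-TighterSubfolders -Root $Root | Format-Table -AutoSize
```

Subfolders that simply inherit the parent's ACL produce no finding; only folders where inheritance was broken to tighten access show up, which is the pattern the workaround tells you to avoid. Each reported principal named in CanWatchVia is one that, on an unpatched system, could observe that folder's file names and access times through the parent. Because group membership is not expanded, review the listed groups rather than treating the output as an exhaustive list of affected users.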
Vendor(Microsoft):
January 17, 2006   Initial vendor notification
January 18, 2006   Vendor reply (assigned)
January 26, 2006   2nd vendor notification
February 7, 2006   3rd vendor notification
February 9, 2006   Vendor accepted vulnerability as "service pack class" for Windows XP and Windows 2003.
February 9, 2006   Accepted to wait until SP
February 22, 2006  Vendor gives SP timelines (late 2006 for W2K3 SP2 and 2007 for XP SP3)
February 22, 2007  Public release, because Windows Vista is released with the same vulnerability.