RDISK registry enumeration file vulnerability in Windows NT 4.0 Terminal Server Edition

[arne.vidstrom () NTSECURITY NU (Arne Vidstrom)]

Hi all,

There exist a vulnerability in rdisk which causes the contents of the
registry hives to be exposed to Everyone during updating of the repair info.

When rdisk updates the repair info it uses a temporary file called
$$hive$$.tmp, which it puts in the repair directory and deletes when it's
finished. The temporary file is used to store the contents of the hives
during the update. This is especially interesting on Terminal Server, so
I'll take that as an example.

The \Wtsrv\repair directory contains backups of the hives, but these have
the permissions: Administrators - Full Control, and SYSTEM - Full Control.
Hard to get to those... but the $$hive$$.tmp file is a different thing.
Everybody has Read permissions to it, so Everybody can get the contents of
the hives during update. An ordinary user can leave a program running which
checks for the temporary file constantly, and copies the content when it is
created.

Of course many restrict access to the repair directory already, but either
way this is a vulnerability in rdisk.

Microsoft has released a patch for this, and you can read more about it in
their Security Bulletin at:

http://www.microsoft.com/security/bulletins/ms00-004.asp

You can also read this posting in the advisory archive at ntsecurity.nu:

http://ntsecurity.nu/advisories/a12.shtml

/Arne Vidstrom

http://ntsecurity.nu