Bugtraq mailing list archives
RDISK registry enumeration file vulnerability in Windows NT 4.0 Terminal Server Edition
From: arne.vidstrom () NTSECURITY NU (Arne Vidstrom)
Date: Sat, 22 Jan 2000 00:04:23 +0100
Hi all, There exist a vulnerability in rdisk which causes the contents of the registry hives to be exposed to Everyone during updating of the repair info. When rdisk updates the repair info it uses a temporary file called $$hive$$.tmp, which it puts in the repair directory and deletes when it's finished. The temporary file is used to store the contents of the hives during the update. This is especially interesting on Terminal Server, so I'll take that as an example. The \Wtsrv\repair directory contains backups of the hives, but these have the permissions: Administrators - Full Control, and SYSTEM - Full Control. Hard to get to those... but the $$hive$$.tmp file is a different thing. Everybody has Read permissions to it, so Everybody can get the contents of the hives during update. An ordinary user can leave a program running which checks for the temporary file constantly, and copies the content when it is created. Of course many restrict access to the repair directory already, but either way this is a vulnerability in rdisk. Microsoft has released a patch for this, and you can read more about it in their Security Bulletin at: http://www.microsoft.com/security/bulletins/ms00-004.asp You can also read this posting in the advisory archive at ntsecurity.nu: http://ntsecurity.nu/advisories/a12.shtml /Arne Vidstrom http://ntsecurity.nu
Current thread:
- Quick remedy for stream.c Brett Glass (Jan 20)
- Re: Quick remedy for stream.c Frasnelli, Dan (Jan 21)
- Re: Quick remedy for stream.c bella (Jan 21)
- RDISK registry enumeration file vulnerability in Windows NT 4.0 Terminal Server Edition Arne Vidstrom (Jan 21)
- Re: RDISK registry enumeration file vulnerability in Windows NT 4.0 Terminal Server Edition Andy Polyakov (Jan 24)