Bugtraq mailing list archives
Re: Microsoft Windows Vista/2003/XP/2000 file management security issues
From: Paweł Goleń <p_golen () ks onet pl>
Date: Tue, 13 Mar 2007 21:34:53 +0100
3APA3A wrote:
Pre-open file attack is general and exploits vulnerability in Windows mandatory files locks. In standard case locking works: Process 1: Opens file for writing with FILE_SHARE_NONE Process 2: Attempts to open file for reading with FILE_SHARE_WRITE|FILE_SHARE_READ|FILE_SHARE_DELETE and fails. but in case of pre-open file locking fails: Process 1: Opens file for reading with FILE_SHARE_WRITE|FILE_SHARE_READ|FILE_SHARE_DELETE Process 2: Opens file for writing with FILE_SHARE_NONE and _succeeds_. With valid mandatory locking implementation process 2 _must fail_.
3APA3A, from one hand you are right this may be considered to be vulnerability in Windows mandatory file locks. But I'm not sure if file locks in Windows are mandatory. I've never considered "share modes" to be security feature. You are right that there are bugs related to this implementation, but... (and here comes my "other hand"). In all scenarios you made assumption that attacker opens file (after all you used term "preopen") first with FILE_SHARE_WRITE, FILE_SHARE_READ and FILE_SHARE_DELETE. Subsequent open operation on that opened file will succeeds, because they don't violates rules placed by first open operation (sharing for all operations is allowed). So if I want to create file AND not share it with another processess I should _create_ this file, not _open_ file created by someone else. Of course checking if file exists is not good solution, because my process is not the only process in the system and after checking and before creating my file someone may create this file for me :). In order to be sure I'm creating not opening file I would probably used CREATE_NEW as value for dwCreationDisposition attribute AND FILE_SHARE_NONE to prevent others processess to open my file. So at this moment I see two targets: - successfuly open file that is already opened with FILE_SHARE_NONE flag, - create file in that way, that creating file with the same name with CREATE_NEW will succeed. Am I correct or I'm missing something? And one question - which flag for dwCreationDisposition is used for example by Microsoft World during creating temporary files. -- Paweł Goleń mailto:p_golen () ks onet pl UGVybCBTVUNLUw==
Current thread:
- Re: Re[2]: [Full-disclosure] Microsoft Windows Vista/2003/XP/2000 file management security issues, (continued)
- Message not available
- Re: Re[2]: [Full-disclosure] Microsoft Windows Vista/2003/XP/2000 file management security issues Thor (Hammer of God) (Mar 12)
- Re[2]: [Full-disclosure] Microsoft Windows Vista/2003/XP/2000 file management security issues 3APA3A (Mar 12)
- RE: Re[2]: Microsoft Windows Vista/2003/XP/2000 file management security issues M. Burnett (Mar 09)
- RE: Re[2]: Microsoft Windows Vista/2003/XP/2000 file management security issues Roger A. Grimes (Mar 09)
- Message not available
- RE: Re[4]: Microsoft Windows Vista/2003/XP/2000 file management security issues Roger A. Grimes (Mar 09)
- Message not available
- Re: Re[2]: Microsoft Windows Vista/2003/XP/2000 file management security issues Thor (Hammer of God) (Mar 09)
- Re[2]: Microsoft Windows Vista/2003/XP/2000 file management security issues 3APA3A (Mar 13)
- Re: Microsoft Windows Vista/2003/XP/2000 file management security issues Daniel Hazelton (Mar 13)
- Re[2]: Microsoft Windows Vista/2003/XP/2000 file management security issues 3APA3A (Mar 15)
- Re: Microsoft Windows Vista/2003/XP/2000 file management security issues Paweł Goleń (Mar 13)
- Re[2]: Microsoft Windows Vista/2003/XP/2000 file management security issues 3APA3A (Mar 14)