Full Disclosure mailing list archives
Re: Re: [VulnWatch] Microsoft Windows NTFS Information Disclosure
From: Matthew Murphy <mattmurphy () kc rr com>
Date: Fri, 01 Jul 2005 22:19:58 -0500
James Tucker wrote:
cacls *.chk /G administrator:F in shared environments where for some reason your users have access to their drives.
...which doesn't solve a thing.That workaround won't impact anything. It will simply mark existing CHK files with that ACL. Any new ones that are created in the future will not have it. Generally, by the time you're executing that command, damage is already done.
In any case, .CHK files aren't any part of the exploit. To my knowledge, NTFS generates no such files (as file operations are journaled, and therefore, reversible if they aren't completed). Something is awry in the shutdown/recovery process of XP that causes it to append re-used and uninitialized disk or cache blocks to files open for write at shutdown. These files appear as *normal* files. I've seen this type of "garbage" (some of it in fact, very sensitive) in logs for IIS, for instance.
--"Education is a weapon whose effects depend on who holds it in his hands and at whom it is aimed."
-- Joseph Stalin
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: Re: [VulnWatch] Microsoft Windows NTFS Information Disclosure James Tucker (Jul 01)
- Re: Re: [VulnWatch] Microsoft Windows NTFS Information Disclosure Matthew Murphy (Jul 01)