Full Disclosure mailing list archives
Fix for NTFS permissions issue in QuickTime 7.x for Windows
From: Geoff Strickler <geoff.strickler () gmail com>
Date: Tue, 20 Sep 2011 16:42:51 -0600
In Dec 2010, Apple released QT 7.6.9. One of the included fixes was for CVE-2010-0530 <http://support.apple.com/kb/HT4447>, which I had reported to Apple. While 7.6.9 corrects the problem with new installations, it does not revoke the inappropriate NTFS permissions that may have been granted by previous installations of QT 7.6.8 or earlier. The problem goes back to at least 7.5.5, possibly earlier versions. Despite repeatedly pointing out to Apple that any fix needed to correct any permissions on existing installations, they did not do so, and it appears that they aren't going to. Therefore, I'm releasing the details of the vulnerability, and a batch file to correct (on most machines) the inappropriate NTFS permissions granted by earlier versions of QTWin. Below is a batch file that, when run as an administrator, will remove the inappropriate permissions from all accessible user profiles on a W2k, XP, Vista, or Win7 machine. If you're running NT4, running Windows Server, or have restricted access to any user profile directories, the following script may need modification. Network administrators who need support in correcting permissions on a large network of machines may contact the author for PAID support and/or scripts better suited to cleaning up permissions on a large number of computers. This software is offered as is, without warranty, and with no free support. Sincerely, Geoff Strickler On-line Transaction Consultants. Below is the text of the CVE-2010-0530-fix-perms-all-profiles-targeted.bat batch file. @echo off rem Version 1.00 - Sept 20, 2011 by Geoff Strickler. rem About the author: Geoff Strickler [geoff.strickler at rem gmail.com] is the person who originally found and reported rem the vulnerability now known as CVE-2010-0530. rem ---- Purpose: rem This program fixes removes the inappropriate permissions that were rem set by QuickTime for Windows versions prior to 7.6.9. rem Attempt to correct permissions in all user profiles on this machine. rem ---- Background: rem Apple provided a fix for CVE-2010-0530 in QuickTime 7.6.9, however, rem Apple's fix [http://support.apple.com/kb/HT4447] fails to correct rem the permissions in systems where inappropriate permissions have rem already been granted by previous versions of QuickTime. rem This fix is not needed on systems where where the volume containing rem the user profile directories is a FAT-32 volume since those rem don't support user ACLs. rem ---- Legal disclaimers: rem This software provided free of charge, as-is, with no warranties rem expressed or implied. You assume all liability for any damages, rem including incidental or consequential damages. no free support is rem available from the author as I've already spent far too much time rem finding and reporting the problem, and in developing this fix for rem what Apple didn't remedy. rem USE AT YOUR OWN RISK. rem ---- Compatibility notes: rem This script is believed to be safe for use on W2k, XP, Vista, and Win7 rem systems. rem The author has has only tested it on XP and Win7. rem It is NOT RECOMMENDED for Windows Servers rem It is NOT RECOMMENDED for NT4 systems, and might not be appropriate rem for W2k or XP systems that are an in-place upgrade from NT4 or rem earlier systems. rem For unsupported systems, either adapt it yourself, or contact the rem author for PAID support. rem ---- Operation and usage notes: rem This script uses a "targeted" approach that will remove explicit (but rem not inherited) permissions granted to specific subdirectories in all rem user profile directories for which the user who executes it has rem permissions to change permissions. Therefore, it's recommended that rem this be executed by an administrator. It can be executed by non- rem administrators, but in that case, it will typically only correct the rem permissions in the current user's profile since that's the only rem profile a non-administrator has access to change by default. rem The cacls command is deprecated in Vista and Win7, however, it still rem works correctly. icacls is the replacement command, however, it's not rem supported on XP and earlier system so cacls is used for maximum rem compatibility. rem ---- Start of script: rem Write a logfile to "CVE-2010-0530-log.txt" in the current user's rem temporary directory. echo %0 >%temp%\CVE-2010-0530-log.txt rem Make sure NT command extensions are enabled setlocal EnableExtensions rem Since there is no environment variable that gives the base directory rem containing all the user profiles, use the current user profile rem directory (%userprofile%), then append "\..\*.*" to access it's rem parent directory and get a list of all user profile directories. rem Iterate through all the user profile directories. for /D %%i in ("%userprofile%\..\*.*") do ( rem with NT4 and later, the command extensions allow some modification of rem environment variables. %%~i returns the same as %%i, but without the rem leading and trailing quotes. echo . >>%temp%\CVE-2010-0530-log.txt echo %%~i >>%temp%\CVE-2010-0530-log.txt echo %%~i rem -------- revoke permissions for XP and earlier systems rem from %userprofile%\Local Settings\Application Data\Apple Computer rem and it's "QuickTime" subdirectory. rem rem Notes on NT4 systems and possibly on W2k/XP systems that were rem created as in-place upgrades from NT4 or earlier systems: rem rem The author recommends using the "one-profile-shotgun" script on rem each possibly affected user on such systems rather than modifying rem this script for that purpose. rem rem Only remove permissions from the two directories known to be rem affected. Revoke permissions from: rem %%~i\Local Settings\Application Data\Apple Computer cacls "%%~i\Local Settings\Application Data\Apple Computer" /e /c /r "everyone" >>%temp%\CVE-2010-0530-log.txt rem rem and %%~i\Local Settings\Application Data\Apple Computer\QuickTime cacls "%%~i\Local Settings\Application Data\Apple Computer\QuickTime" /e /c /r "everyone" >>%temp%\CVE-2010-0530-log.txt rem rem -------- revoke permissions for Vista/Win7 systems rem from %userprofile%\AppData\LocalLow\Apple Computer rem and it's "QuickTime" subdirectory. rem rem You may replace the below commands with the equivalent icacls rem command, but it's not necessary. rem rem Only remove permissions from the two directories known to rem be affected. rem Revoke them from %%~i\AppData\LocalLow\Apple Computer cacls "%%~i\AppData\LocalLow\Apple Computer" /e /c /r "everyone"
%temp%\CVE-2010-0530-log.txt
rem and from %%~i\AppData\LocalLow\Apple Computer\QuickTime cacls "%%~i\AppData\LocalLow\Apple Computer\QuickTime" /e /c /r "everyone"
%temp%\CVE-2010-0530-log.txt
rem -------- rem If you have files or directories in this user profile that were rem affected by the cacls commands above, and you want them to be rem accessible by "everyone", add cacls command(s) below to allow rem that access. rem [your cacls command(s) here] rem -------- ) endlocal :end
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Fix for NTFS permissions issue in QuickTime 7.x for Windows Geoff Strickler (Sep 20)
- Re: Fix for NTFS permissions issue in QuickTime 7.x for Windows Robert Kim App and Facebook Marketing (Sep 20)
- Re: Fix for NTFS permissions issue in QuickTime 7.x for Windows Travis Biehn (Sep 20)
- Re: Fix for NTFS permissions issue in QuickTime 7.xfor Windows Stefan Kanthak (Sep 22)
- Re: Fix for NTFS permissions issue in QuickTime 7.x for Windows Robert Kim App and Facebook Marketing (Sep 20)