Re: WIN2K security bug with FTP. Bug allows any file to be deleted from the remote system.

[3APA3A <3APA3A () SECURITY NNOV RU>]

Hello Antti,

Friday, February 16, 2001, 8:05:29 PM, you wrote:


AH> Yes. The file therefore ofcourse is deleted by the ftp.exe not the server,
AH> but it doesn't matter.
AH> In any way, it is still high security risk.

There  is  no security risk. In order to use it you must have a chance
to  force  user to run ftp.exe and request file with specially crafted
very long name. It's much easier to ask someone to format his drive.

If  you  mean security risk of deleting the files you have "No Access"
to  -  you must know that NTFS "Full Control" permission for directory
grants  user  a  right to delete any files inside this directory, even
ones  with  "No  Access".  Probably  it's your case. I can't reproduce
deleting  of  the  files  I  have  no right to delete directly. And it
can't,  because ftp.exe is trivial user-mode application which runs in
security context of launching user.


--
 /3APA3A
Êëÿíóñü ëûñèíîé ïðîðîêà Ìîèñåÿ - ÿ òåáÿ ñåé÷àñ ñúåì. (Òâåí)