Bugtraq mailing list archives
NT crash dump files insecure by default
From: Craig Boston <craig () wmhza gank org>
Date: Fri, 23 Mar 2001 09:59:02 -0600
Hi all, This thread has been on vuln-dev for a couple days; Aleph requested that a technical summary be posted here. First, thanks to -No Strezzz Cazzz for bringing this up and doing the preliminary work proving it to be a problem. Someone mentioned that this may have been brought up before on NTBugTraq; however their archive search seems to be broken so I can't see if it's been previously discovered... References to such a post that I can find have indicated that it was two years ago and the problem has still not been fixed, nor is it widely known. --------------- Background --------------- Windows NT includes a program called Dr. Watson, which is installed by default as the system debugger. When a user-mode program crashes, Dr. Watson is responsible for displaying the system error dialog familiar to many NT users. It also takes a snapshot of the process space and saves it to a file called user.dmp for debugging purposes. user.dmp can be opened by the windbg debugger for closer examination to see the memory and machine status (registers, call stack, etc.) at the time of the crash. This mechanism is very similar to the core files created on *nix systems. --------------- Vulnerability --------------- The problem arises in that NT's default location for user.dmp is world-readable. On NT4 systems, the default location is %SystemRoot%\user.dmp, which will usually end up being C:\WINNT\user.dmp. Default permissions on NT4 systems give Everyone Full Control on the WINNT directory. Crash dump files can often contain passwords and other sensitive information that was stored in memory and never intended to be written to disk in plain text. One example of this is the mail and news reader Outlook Express, which stores the user's mail account passwords in plain text (Unicode strings) in memory. OE also happens to be crash-prone when it encounters ill-formatted messages. Description of exploit: 1. Users Jim and Bob share the same NT workstation; both use OE to check mail 2. OE stores its saved mail and account information in the user's profile directory, which by default is set with permissions so that only the user it belongs to can access it. Hence, Jim cannot access Bob's mail directly because the OS won't let him into Bob's profile directory. 3. Bob is using OE and it crashes, either accidentally or caused by a message sent by someone designed to cause the crash; such as a buffer overflow / invalud HTML / scripting / ActiveX attack. 4. Jim can then open the user.dmp (world-readable) and sift through it to get Bob's password. A good utility for this is the Sysinternals (www.sysinternals.com) utility strings, which can extract a list of Unicode strings out of a binary file. Windows 2000 is also vulnerable, but in fewer circumstances. It's default location for user.dmp is C:\Documents and Settings\All Users\Documents\DrWatson\user.dmp. This location is world-readable by default, but not world-writable. Normal users will not have the user.dmp file created as they do not have write access, however users that are an administrator (possibly power users as well) of the local machine will be exposed to this vulnerability. --------------- Workaround --------------- Run drwtsn32.exe to set crash dump options. There are two ways to get around this problem (per-user): 1) Uncheck the "create crash dump file" checkbox. -OR- 2) Change the crash dump location to a directory that only you have access to. For a system-wide fix, delete the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug\Debugger. This will cause Dr. Watson to be replaced with a simple "Application Error" box. If you have installed MSVC it will automatically make itself the system debugger, and it does not create crash dump files so you are not vulnerable. --------------- Fix --------------- MS needs to fix Dr. Watson so that it sets permissions correctly on the files it creates. A quick fix for the problem would be to make Dr. Watson's default crash dump location be somewhere inside the current user's profile. This of course will only work on NTFS file systems, but if you are using FAT or FAT32 for your filesystem there are much worse things that unprivileged users can do... --------------- Summary --------------- Systems Vulnerable: Windows NT 4.0 (All service packs) Windows 2000 (Release and SP1) Probably Windows NT 3.5x but untested I don't have access to the Whistler beta so I can't verify if it is vulnerable or not. Workaround: Yes Vendor-provided fix: No --------------- Credits --------------- Thanks again to -No Strezzz Cazzz (Butterphly6 () CAZZZ DEMON NL) for taking the time to dissect the file created by OE and write up the original report. You can see it in the vuln-dev archives (not there yet but should be shortly) for more info on the structure OE saves its passwords in memory. Thanks to Aleph1 for giving me the opportunity to post this to bugtraq :) And of course the patient folks in NTBugTraq who have probably discussed this 20 times by now. Regards, Craig Boston, CCNA Network Admin. Owen Oil Tools
Current thread:
- NT crash dump files insecure by default Craig Boston (Mar 23)