WinXP Pro(Gold) Insecure System Restore File Permissions

[Makoto Shiotsuki <shio () st rim or jp>]

WinXP Pro(Gold) Insecure System Restore File Permissions

On the Windows XP Professional(Gold), the "System Restore" files
are not protected properly by NTFS ACL, so every local user can 
access these important files.

System Restore files are stored in the "System Volume Information" 
directory, and this directory itself is well protected by ACL so 
normal users can not access to System Restore files generally.
But System Restore Directory, along with their sub-directories, 
is not protected by NTFS ACL(everyone:full), so that, every local
user can access to System Restore files by specifying the path 
directly.

You can find the path of the System Restore Directory by following
command line.

 c:\> reg query "HKLM\System\CurrentControlSet\Control\BackupRestore
\FilesNotToBackup" /v "System Restore"

And then, you can cd to the System Restore Directory.

 (example)
 c:\> cd \System Volume Information\_restore{8716531F-212F-45F1-8BAA-
FB69F0C7FAEF}

Within Restore Point Directories(RP0, RP1, ...), you will find a
directory called "snapshot" including registry hive data.

  _REGISTRY_MACHINE_SAM
  _REGISTRY_MACHINE_SECURITY
  _REGISTRY_MACHINE_SOFTWARE
  _REGISTRY_MACHINE_SYSTEM
  _REGISTRY_USER_.DEFAULT
  _REGISTRY_USER_NTUSER_S-1-5-18
  .....

These hive files are also freely accessible by every local user.
Malicious local user may modify SOFTWARE hive (ex. add evil Run
registry entry) expecting the administrator to execute System Restore
and the modification will take effect.

This problem is fixed by applying Windows XP SP1.  But I couldn't
find out this issue in the "List of Fixes".

Makoto Shiotsuki