Full Disclosure mailing list archives

[Full Disclosure] More fun w/ XP SP 2


From: Harlan Carvey <keydet89 () yahoo com>
Date: Wed, 25 Aug 2004 06:50:26 -0700 (PDT)

Hey, folks,

More on (no pun intended...well, maybe...) the
":Zone.Identifier" issue in XP SP 2.  I originally saw
this here:
http://www.heise.de/security/artikel/print/50051

Other Google hits refer back to this article. 
Interestingly enough, Microsoft doesn't mention
alternate data streams (ADSs) when searching their
site for references to ZoneIDs.  For information on
ADSs, see:
http://patriot.net/~carvdawg/perl.html

So, one has to ask, is this really a "security"
feature?  If it is, I can see why it has been stated
that this functionality has flaws...but I don't really
see it as a security feature at all.  

However, it does pose an interesting opportunity to
have fun with someone.  Remember the release of BO,
and how annoying it was to have your cup holder
constantly open and close on your system?  Well,
bringing that annoyance into the modern age, a couple
of lines at the command prompt, and write access to a
file, are all it takes to create the zoneID ADS on
arbitrary files:

C:\>echo [ZoneTransfer] > somefile:Zone.Identifier
C:\>echo zoneID=3 >> somefile:Zone.Identifier

This can easily be replicated in code (VBS, Perl,
etc).  So what happens when "somefile" is winword.exe,
sol.exe, or even iexplore.exe?  

So what's the point?  This new feature in XP SP 2
provides plenty of opportunity for mischief.  Yes,
yes, I know...if someone has write access to your
drive, you've got other things to worry about. 
However, the use of batch files like the one attached
at the end of this post in a corporate environment
could easily lead to a DoS attack on the helpdesk.

Anyway...

Harlan

PS:  shoutz out to P-Tricky @ ISS!!!  ;-)

---------------------------------------------------
# Batch file
@echo off
rem Usage: <thisfile>.bat <target>  -- writes the Zone.Identifier ADS on <target>
rem (the stream name is "Zone.Identifier"; the two lines match the commands above)
echo [ZoneTransfer] > %1:Zone.Identifier
echo zoneID=3 >> %1:Zone.Identifier
---------------------------------------------------
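For the helpdesk side of the scenario above, here is an added example (not part of the original post) that parses the [ZoneTransfer] stream contents and lists which files in a directory carry a Zone.Identifier ADS and which zone they claim. The directory scan assumes Windows/NTFS, where "name:Zone.Identifier" opens the stream; the parser itself runs anywhere, and the embedded sample stream is constructed to match what the two echo lines write.

```python
import os
import sys
# Zone numbers from the URL security zone model (0 local machine ... 4 restricted).
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

# Constructed sample: what the post's two cmd.exe echo lines write (cmd keeps the
# space before the redirection operator, hence the trailing blanks).
SAMPLE_STREAM = "[ZoneTransfer] \r\nzoneID=3 \r\n"

def parse_zone_identifier(text):
    """Return the ZoneId from INI-style Zone.Identifier contents, or None.
    Names match case-insensitively, so 'zoneID=3' parses like Windows' 'ZoneId=3'."""
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):   # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "zonetransfer"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "zoneid":
                value = value.strip()
                return int(value) if value.isdigit() else None
    return None

def read_zone_identifier(path):
    """Zone id from the file's Zone.Identifier ADS, or None when absent/unreadable.
    Only NTFS under Windows exposes the stream this way; elsewhere the open fails."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except OSError:
        return None

def scan_directory(directory):
    """Map file name -> zone id for every tagged regular file in `directory`."""
    tagged = {}
    for name in os.listdir(directory):
        full = os.path.join(directory, name)
        if os.path.isfile(full):
            zone = read_zone_identifier(full)
            if zone is not None:
                tagged[name] = zone
    return tagged

if __name__ == "__main__":
    for name, zone in sorted(scan_directory(sys.argv[1] if len(sys.argv) > 1 else ".").items()):
        print(f"{name}: zone {zone} ({ZONE_NAMES.get(zone, 'unknown')})")
```

Files that were tagged by the batch file show up as zone 3 (Internet), which is why they suddenly prompt before running; removing the stream (or unblocking via the file's Properties dialog) clears the tag.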

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html