Full Disclosure mailing list archives
[Full Disclosure] More fun w/ XP SP 2
From: Harlan Carvey <keydet89 () yahoo com>
Date: Wed, 25 Aug 2004 06:50:26 -0700 (PDT)
Hey, folks,

More on (no pun intended...well, maybe...) the ":Zone.Identifier" issue in XP SP 2. I originally saw this here:

http://www.heise.de/security/artikel/print/50051

Other Google hits refer back to this article. Interestingly enough, Microsoft doesn't mention alternate data streams (ADSs) when searching their site for references to ZoneIDs. For information on ADSs, see:

http://patriot.net/~carvdawg/perl.html

So, one has to ask, is this really a "security" feature? If it is, I can see why it has been stated that this functionality has flaws...but I don't really see it as a security feature at all.

However, it does pose an interesting opportunity to have fun with someone. Remember the release of BO, and how annoying it was to have your cup holder constantly open and close on your system? Well, bringing that annoyance into the modern age, a couple of lines at the command prompt, and write access to a file, are all it takes to create the zoneID ADS on arbitrary files:

C:\>echo [ZoneTransfer] > somefile:Zone.Identifier
C:\>echo zoneID=3 >> somefile:Zone.Identifier

This can easily be replicated in code (VBS, Perl, etc). So what happens when "somefile" is winword.exe, sol.exe, or even iexplore.exe?

So what's the point? This new feature in XP SP 2 provides plenty of opportunity for mischief. Yes, yes, I know...if someone has write access to your drive, you've got other things to worry about. However, the use of batch files like the one attached at the end of this post in a corporate environment could easily lead to a DoS attack on the helpdesk.

Anyway...

Harlan

PS: shoutz out to P-Tricky @ ISS!!! ;-)

---------------------------------------------------
# Batch file
@echo off
rem %1 is the file that receives the Zone.Identifier stream
echo [ZoneTransfer] > %1:Zone.Identifier
echo zoneID=3 >> %1:Zone.Identifier
---------------------------------------------------

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
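An added example, not part of the original post: a Python sketch for auditing the Zone.Identifier stream described above, so an administrator can find files that carry an Internet-zone tag where none is expected. The function names and sample strings are this example's own (the samples are constructed), and reading `path:Zone.Identifier` assumes Windows with an NTFS volume.

```python
import os
import re
import sys

# URL security zone numbers as used by Windows.
ZONES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
         3: "Internet", 4: "Restricted Sites"}

def parse_zone_identifier(text):
    """Return the integer zone from Zone.Identifier stream text, or None.

    Tolerates the trailing spaces and CRLFs that cmd.exe 'echo' writes,
    ignores key case, and rejects a key that has no numeric value.
    """
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "zonetransfer"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            value = value.strip()
            if key.strip().lower() == "zoneid" and re.fullmatch(r"[0-9]+", value):
                return int(value)
    return None

def read_zone(path):
    """Read path:Zone.Identifier; None if the stream is absent or unusable."""
    try:
        with open(path + ":Zone.Identifier", "r", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None

def audit(paths, reader=read_zone, threshold=3):
    """Return [(path, zone)] for files tagged at or above the threshold zone."""
    hits = []
    for p in paths:
        zone = reader(p)
        if zone is not None and zone >= threshold:
            hits.append((p, zone))
    return hits

if __name__ == "__main__":
    # Walk a directory given on the command line and report tagged files.
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    files = [os.path.join(d, f) for d, _, fs in os.walk(root) for f in fs]
    for path, zone in audit(files):
        print(f"{path}\tzone {zone} ({ZONES.get(zone, 'unknown')})")
```

Pointing it at a directory of installed programs lists every file whose stream marks it as Internet or Restricted, which is where an unexpected tag stands out.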