Re: Microsoft Windows Vista/2003/XP/2000 file management security issues

["Roger A. Grimes" <roger () banneretcs com>]

But there is no difference in the treatment between this issue in Linux or Windows. In both systems, if I want to 
prevent attacks like this, I can do something ahead of time (i.e. umask or modify the Creator Owner SID, or 
inheritance). Only OpenBSD (and other BSD and hardened Linux's) do a better job by having a better default Umask. But 
in the typical Linux distro, I have to set the umask. He makes up a scenario of placing a secure folder insider of an 
insecure folder, and I'm somehow supposed to accept that as normal?

Mark, I respect you and your work greatly. I like a lot of 3APA3A's ideas and concerns....but they aren't in the realm 
of a real security concern.  Real security concerns are when I can't do anything with the default OS to stop the weird 
attack they mention. In this case, there are plenty of things I can do.  I don't have to buy software or be a security 
genius. I just have to not place a "secure" folder in an insecure folder.  

Roger

*****************************************************************
*Roger A. Grimes, InfoWorld, Security Columnist 
*CPA, CISSP, MCSE: Security (2000/2003/MVP), CEH, yada...yada...
*email: roger_grimes () infoworld com or roger () banneretcs com
*Author of Professional Windows Desktop and Server Hardening (Wrox)
*http://www.amazon.com/gp/product/0764599909
*****************************************************************


-----Original Message-----
From: M. Burnett [mailto:mb () xato net] 
Sent: Friday, March 09, 2007 12:44 PM
To: Roger A. Grimes; '3APA3A'; bugtraq () securityfocus com; full-disclosure () lists grok org uk
Subject: RE: Re[2]: Microsoft Windows Vista/2003/XP/2000 file management security issues

> But we'll have to agree to disagree. Your security scenarios are just 
> bizarre. It's a lot easier to hack people then going through all the 
> interations you suggest.

Roger, don't be so hard on 3APA3A for this. You can't judge a vulnerability based on current scenarios because we 
really can't begin to imagine how these things might be exploited in future attacks. For example, the attack of 
deleting someone's folder and re-creating it before they set permissions sounds bizarre until someone makes a tool that 
does that automatically to all new folders. It changes everything when even the front desk secretary can pull off the 
attack. 

And even if it would be lame for someone to set up a folder where this would be possible, people will still set up 
folders where this is possible. It's important for us to be aware of the risks of these configurations. And you have to 
admit, it is pretty amazing he found something we all missed for the last ten years, despite how simple it is. 
 
Finally, I don't think 3APA3A is over hyping this issue beyond what it really is. He acknowledges that it isn't really 
a vulnerability and he's not submitting press releases to all the mainstream media. He gave Microsoft fair notice and 
awaited their decision and he's not screaming that everyone must abandon Windows. But he is informing the security 
community of something that we certainly should be aware of. 


Mark Burnett
http://xato.net

 
> For one, I've been a sys admin for 20 years and NEVER created a 
> private folder under a public folder. Not in my Novell days, not in my 
> Windows days. The only time I've seen a private folder created under a 
> public folder is the \Users folder, and in that case, the users only 
> have Read and List access to the parent \Users folder, and then Full 
> Control to their own folders.
>
> I mean let's debate why users get Full Control to their own folders in 
> the first place. That's a common scenario (it's on nearly every
> network) and its almost always too many permissions. Do I want my 
> regular end-users changing their folder's security permissions? No.
> Should any regular end-user have Full Control to any share? No, for 
> the same reason.  These are valid, common, security points that really 
> do beg further discussion.
>
> You're just making up crap up that isn't overly realistic in the 
> world, then going further to assume that a bonehead administrator 
> compounds the problem by making further insecure decisions.
>
> You are essentially say, "If you misconfigure your system and make 
> further insecure choices, someone can hack you." Duh.
>
> There's a reason why your "announcements" aren't making the news 
> media...because it isn't news.
>
> With that said, you have something valid to say, but so far it just 
> isn't a "security vulnerability" that people need to be aware of.
>
> You're a smart person, concentrate on issues that will really give us 
> bang for the buck discussions and issues.
>
> Roger
>
> *****************************************************************
> *Roger A. Grimes, InfoWorld, Security Columnist *CPA, CISSP, MCSE: 
> Security (2000/2003/MVP), CEH, yada...yada...
> *email: roger_grimes () infoworld com or roger () banneretcs com *Author of 
> Professional Windows Desktop and Server Hardening (Wrox)
> *http://www.amazon.com/gp/product/0764599909
> *****************************************************************
> http://winblogs.security-feed.com
> Server Hardening, NTFS
> -----Original Message-----
> From: 3APA3A [mailto:3APA3A () SECURITY NNOV RU]
> Sent: Friday, March 09, 2007 7:09 AM
> To: Roger A. Grimes
> Cc: bugtraq () securityfocus com; full-disclosure () lists grok org uk
> Subject: Re[2]: Microsoft Windows Vista/2003/XP/2000 file management 
> security issues
>
> Dear Roger A. Grimes,
>
> --Friday, March 9, 2007, 7:31:54 AM, you wrote to
> 3APA3A () SECURITY NNOV RU:
>
> RAG> If Alice deletes Bob's folder (which she could do in some
> scenarios
> RAG> because she has the write/modify permission) and re-creates it,
> she
> RAG> becomes  the Creator Owner and now Bob no longer has the ability
> to
> RAG> set permissions on it.
>
> As a folder owner Alice can give any permissions to Bob she wants.
>
> RAG> If I take your strange assumptions, Bob could re-discover the
> newly
> RAG> created folder that Alice made, just like she did (I mean if you 
> RAG> make up crap scenarios, why can't I), and do the same trick back
> to her.
>
> He can, if he knows he must.
>
> RAG> And Windows does have a umask-like function. It's called Creator
> Owner.
> RAG> It's a well known SID, and the default permissions for it can be 
> RAG> set so that any granular permission you want can be set to be
> default.
>
> I  see  nothing  similar  between Creator Owner and umask. BTW, the 
> same article  explains  why  Creator  Owner  is not 100% solution and 
> why you should not rely on Creator Owner in case of DFS replication.
>
> RAG> Vista does have symbolic links, and Windows has supported 
> RAG> Junction Points (similar to symbolic links) since Windows 2000. 
> RAG> The main difference is that Junction Points could only point to 
> RAG> local resources and symbolic links can do remote resources as well.
>
> Junction  points are very close to Unix mounts, I see no any likeness 
> to symbolic  links.  Junctions  points  (and  by default, symbolic 
> links in
> Vista)  can  only  be  created  by  administrators,  it prevents 
> symlink attack. And it's right choice.
>
> RAG> You've come up with some strange scenarios below, and in all 
> RAG> cases I could easily defeat the problem you are suggesting by 
> RAG> using basic, recommended, security settings.
>
>
> "You never know what is enough unless you know more than enough."
>                                                     William Blake
>
> It's  quite  hard  to defeat the threat without knowing it. I'm 
> disagree with  you about "recommended security settings". I never saw 
> "disconnect all  users and close access to the share" or "check you 
> are still folder owner before copy the data" in instructions on how to 
> create file/folder with restricted access inside public one. Or "xcopy 
> /O doesn't guarantee file  can  not  be  accessed  during  copy 
> operation" or "Do not rely on Creator Owner in case of replication".
>
> RAG> Why  do  you spend your time coming up with such weird scenarios
> to
> RAG> focus  on?
>
> Roger,  have  you  ever  used  robocopy  or  xcopy  /O? I'm not 
> security columnist,  I  am  system  administrator/engineer.  For  last 
> 10 years I
> develop   and   implement  a  lot  of  corporate  directory
> structures,
> replications,  and  backup/restore  policies  for  many  very 
> different organizations.  I explain mistakes I can personally make and 
> sometimes I personally  did (mixing secure and insecure data, 
> implementing automatic replication  to  unprotected folders, 
> implementing data restore policies where  user  can  ask  system 
> administrator  to  restore some directory structure  to  user 
> accessible folder, etc). May be I'm only dumb person who  does 
> mistakes  like  that,  most probably not. I call it "properly placed 
> rakes to step on".
>
> RAG> You're  obviously  a  creative  guy  with  some Windows security 
> RAG> smarts.
>
> Thanks.
>
> RAG> Why  not  focus on more realistic scenarios with more  real-world 
> RAG> use? There's plenty of them for us to focus on and to try and 
> RAG> solve.
>
> Roger,  of  cause  next  time  I  should  concentrate on a single- 
> packet exploitable overflow in IPv6 stack to interest InfoWorld 
> readers. I will not,  because  it's  nothing interesting for me in 
> searching yet another buffer  overflow.  Let  another  creative  guys 
> who are professional in vulnerability  researching  to  dig it. They 
> have tools, time and money.
> For me, most valuable vulnerability is one simple enough to be 
> exploited with notepad, because it can be noted by everyone, but was 
> unnoticed for 10 years.
>
> RAG> Roger
>
> RAG> *****************************************************************
> RAG> *Roger A. Grimes, InfoWorld, Security Columnist *CPA, CISSP, MCSE:
> RAG> Security (2000/2003/MVP), CEH, yada...yada...
>
> 3APA3A. MCSE/MCT since Windows NT 4.0.
>
> RAG> *email: roger_grimes () infoworld com or roger () banneretcs com 
> RAG> *Author of Professional Windows Desktop and Server Hardening 
> RAG> (Wrox)
> RAG> *http://www.amazon.com/gp/product/0764599909
> RAG> *****************************************************************
>
>
> RAG> -----Original Message-----
> RAG> From: 3APA3A [mailto:3APA3A () SECURITY NNOV RU]
> RAG> Sent: Thursday, March 08, 2007 2:59 PM
> RAG> To: bugtraq () securityfocus com; full-disclosure () lists grok org uk
> RAG> Subject: Microsoft Windows Vista/2003/XP/2000 file management 
> RAG> security issues
>
>
> RAG> This   is   an   article   I   promised   to   publish   after
> Windows
> RAG> ReadDirectoryChangesW  (CVE-2007-0843)  [1] issue. It should 
> RAG> explain why you must never place secure data inside insecure
> directory.
>
>
>
> RAG> Title: Microsoft Windows Vista/2003/XP/2000 file management 
> RAG> security issues
> RAG> Author: 3APA3A, http://securityvulns.com/
> RAG> Vendor: Microsoft (and potentially another vendors)
> RAG> Products:  Microsoft  Windows Vista/2003/XP/2000, Microsoft
> resource kit
> RAG>            for Windows 2000 and different utilities.
> RAG> Access Vector: Local
> RAG> Type: multiple/complex (weak design, insecure file operations,
> etc)
> RAG> Original advisory:
> http://securityvulns.com/advisories/winfiles.asp
> RAG> Securityvulns.com news:
> RAG> http://security.nnov.ru/news/Microsoft/Windows/files.html
>
> RAG> 0. Intro
>
> RAG> This  article contains a set of attack scenarios to demonstrate 
> RAG> security weakness in few very common Windows management practices.
> RAG> Neither of the problem  explained  is critical, yet combined
> together they should force
> RAG> you   to   review   your   security   practices.   I   can't  even
> say
> RAG> "vulnerabilities"   because   there   is   no  something  you can
> call
> RAG> "vulnerability". It's just something you believe is secure and
> it's not.
>
> RAG> 1.1 Problem: inability to create secured file / folder in public
> one.
> RAG>     Attack: folder hijack attack
>
> RAG> First,  it's simply impossible with standard Windows interface to 
> RAG> create something secured in insecure folder.
>
> RAG>  Scenario  1.1:
>
> RAG>  Bob  wishes  to  create "Bob private data" folder in "Public"
> RAG> folder to place  few private files. "Public" has at least "Write"
> RAG> permissions for "User" group. Bob:
>
> RAG>      I   Creates "Bob private data" folder
> RAG>      II  Sets permission for folder to only allow access to 
> RAG> folder himself
> RAG>      III Copies private files into folder
>
> RAG>   Alice wants to get access to folder Bob created. She
>
> RAG>      Ia  Immediately  after  folder  is  created,  deletes "Bob
> private
> RAG>          data"  folder  and creates "Bob private data" folder
> again (or
> RAG>          simply  takes  ownership  under  "Bob  private data"
> folder if
> RAG>          permissions allow). It makes Alice folder owner.
> RAG>      IIa Immediately  after  Bob  sets permissions, she grants
> herself
> RAG>          full control under folder. She can do it as a folder
> owner.
> RAG>      IIIa  Reads  Bob's  private  files,  because  files
> permissions are
> RAG>          inherited from folder
>
> RAG>   Alice   can  use  "Spydir"
> RAG> (http://securityvulns.com/soft/)  tool  to
> RAG>   monitor  files  access  and automate this process. As you can
> see, [1]
> RAG>   elevates this problem significantly.
>
> RAG>   This   is  not  new  attack.  Unix  has  "umask"  command  to
> protect
> RAG>   administrators and users. Currently, Windows has nothing
> similar.
>
> RAG>   CreateFile() API supports setting file ACL on file creation
> (just like
> RAG>   open()  allows  to set mode on POSIX systems). ACL can be
> securely set
> RAG>   only  on  newly  created  files.  This raises a problem of
> secure file
> RAG>   creation.
>
> RAG> 1.2  Problem: Inability to lock / securely change permissions of
> already
> RAG>      created file
> RAG>      Attack: pre-open file/directory attack.
>
> RAG>   There  are  few  classes  of insecure file creation attack
> (attempt to
> RAG>   open   existing  file),  exploitable  under  Unix  with
> hardlinks  or
> RAG>   symlinks.  It's  believed  Windows  is  not vulnerable to this
> attacks
> RAG>   because
>
> RAG>     I.  There  is  no  symlinks  under Windows. Symlink attacks
> are not
> RAG>         possible.
> RAG>     II. Security  information  in  NTFS  is  not  stored  as  a
> part of
> RAG>         directory entry, it's a part of file data. Hard link
> attacks are
> RAG>         not possible.
> RAG>     III. File  locks  in  Windows  are  mandatory.  It  means,  
> RAG> if
> one
> RAG>          application  locks  the file, another application can 
> RAG> not
> open
> RAG>          this  file, if user doesn't have backup privileges. It
> mitigate
> RAG>          different file-based attacks.
>
> RAG>   There  is at least one scenario, attacker can succeed without
> symbolic
> RAG>   link:  to  steal  data  written to file created without check
> for file
> RAG>   existence regardless of file locks and permissions.
>
> RAG>   Attack description: if attacker can predict filename to be
> written, he
> RAG>   can  create file, open it and share this file for all types of
> access.
> RAG>   Because  locking  and  permissions  are  only  checked  on  
> RAG> file
> open,
> RAG>   attacker  retain  access  to  the  file  even  if it's locked
> and it's
> RAG>   permissions are changed to deny file access to attacker.
>
> RAG>   Exploit (or useful tool):
> RAG> http://securityvulns.com/files/spyfile.c
>
> RAG>   Opens  file, shares it for different types of access and logs
> changes,
> RAG>   keeping the file open.
>
> RAG>   Compiled version is available from
> http://securityvulns.com/soft/
>
> RAG>   Scenario 1.2.1:
>
> RAG>    Bob is now aware about folder hijack attack. He use xcopy /O 
> RAG> /U
> /S to
> RAG>    synchronize  his  files  to  newly  created  folder.  xcopy /O
> copies
> RAG>    security  information (ownership and permissions) before
> writing data
> RAG>    to file.
>
> RAG>    Alice  use  "Spydir"  to  monitor  newly created folders and
> files in
> RAG>    Bob's  directory.  She  use Spyfile to create spoofed files in
> target
> RAG>    directory  and  waits for Bob to run xcopy. Now, she has full
> control
> RAG>    under  content of Bob's files despite the fact she has no
> permissions
> RAG>    to access these files.
>
> RAG>    In  a  same  way  directory  content  may be monitored by pre-
> opening
> RAG>    directory.
>
> RAG>   Scenario 1.2.2:
>
> RAG>    Enterprise  directory  structure  is  replicated every day to
> another
> RAG>    user-writable  location  in  order  to alow users to recover
> suddenly
> RAG>    deleted  or  modified files. xcopy or robocopy (from resource
> kit) is
> RAG>    used  for  replication.  Attacker can hijack content of newly
> created
> RAG>    files in newly created folders.
>
> RAG>   Same problem may happen on archive extraction or backup
> restoration.
>
> RAG>   Vulnerable  applications:
> RAG>     xcopy (from all Windows versions),
> RAG>     robocopy (Windows  2000  Resource Kit),
> RAG>     different archivers
> RAG>     backup restoration utilities
>
> RAG>   By  default,  xcopy warns user the file exists, unless /Y or /U
> key is
> RAG>   specified.  But
> RAG>     I.  /Y  is  always  specified  for replication
> RAG>     II. /Y  can  be specified via COPYCMD environment variable.
> COPYCMD
> RAG>     environment    variable   can  be  created  in  autoexec.bat
> file.
> RAG>     Different situations are possible, where autoexec.bat is
> writable by
> RAG>     attacker, if:
> RAG>      - Default Windows 2000 permissions are used or applied with
> domain
> RAG>      policy [2].
> RAG>      - One can try to re-create autoexec.bat using POSIX subsystem
> RAG>     III.  Neither  xcopy  nor  other  utilities  warn user on
> existing
> RAG>     directory. Pre-open directory attack will always succeed.
>
> RAG>   As you can see, [1] again dramatically elevates this problem.
>
> RAG> 1.3 Problem: user can completely block access to the files
> RAG>     Attack: open file deletion
> RAG>     (including Windows file replication service DoS)
>
> RAG>     If files is deleted while it's open, it still present in file
> system
> RAG>     under  it's  old  name  until  close.  Any  operation  on 
> RAG> this
> file
> RAG>     (including  attributes  requests)  fails,  regardless of
> application
> RAG>     rights and permissions (including backup ones).
>
> RAG>     Exploit:  use  spyfile,  delete  file while it's spied. Now,
> without
> RAG>     closing  spyfile,  attempt  any  operation on this file (e.g.
> try to
> RAG>     find it's ownership).
>
> RAG>     Scenario 1.3.1
>
> RAG>     Now Bob found an copy application to securely copy files. It
> deletes
> RAG>     old file before creating new one. But it fails if Alice tries
> to spy
> RAG>     on  Bob  files,  because  attempt  to delete file succeeds,
> but file
> RAG>     still present and is unmanageable.
>
> RAG>     Scenario 1.3.2
>
> RAG>     Windows  file  replication  service  (FRS) is used to
> replicate data
> RAG>     between  2  public  DFS  folders  to  distribute  load.
> Folder  has
> RAG>     permissions:
> RAG>      Everyone: Add & read
> RAG>      Creator Owner: Full Control
> RAG>     Thouse, Alice has no permissions to delete files created by
> Bob.
>
> RAG>     Replicated  folder  is  available as a share on 2 different
> servers:
> RAG>     \\SERVER1\Share    and    \\SERVER2\Share.    Bob    is
> connected
> RAG>     to \\SERVER1\Share.
>
> RAG>     Alice uses "Spydir" to monitor files creation by Bob. Every
> time Bob
> RAG>     creates  new  file  on  \\SERVER1\Share, Alice use spyfile to
> create
> RAG>     file  with same name on \\SERVER2\Share. It effectively leads
> to FRS
> RAG>     collision.  While  trying  to resolve collision, FRS fails to
> delete
> RAG>     file  created  by  Alice  and  Bob file is deleted (original
> file is
> RAG>     moved to special hidden folder only accessible by
> administrator).
>
> RAG>     Workaround:  never  try  to  use  creator-owner based
> permissions in
> RAG>     replicated folders.
>
> RAG>     Again, [1] seriously escalates this problem.
>
> RAG> 2. Conclusion:
>
> RAG>   It's  simply impossible to securely create something in public
> folder.
> RAG>   At least DoS conditions are always possible.
> RAG>   Developers should  not  consider mandatory file locking as a
> security
> RAG>   feature.
> RAG>   Developers  should  care about secure file creation to store
> sensitive
> RAG>   information.  CREATE_NEW  should  always be used and ACL should
> be set
> RAG>   with  lpSecurityAttributes  of CreateFile. No attempt to open
> existing
> RAG>   file should be made.
> RAG>   Never  try  to  create secure folder in public one. If you are
> forced,
> RAG>   disconnect     all   users   before   this   operation.
> RAG>   Never  use  replication,  archive  extraction  or  backup
> restore  to
> RAG>   user-accessible folder.
> RAG>   Bob and Alice should finally marry.
>
> RAG> 3. Vendor:
>
> RAG>   All timelines are same with [1].
>
> http://passwords.security-feed.com
> RAG> [1]. Microsoft Windows ReadDirectoryChangesW information leak
> RAG> (CVE-2007-0843)
> RAG> http://security.nnov.ru/news/Microsoft/Windows/ReadDirector.html
> RAG> [2]. Windows 2000 system partition weak default permissions 
> RAG> http://securityvulns.ru/news2205.html
> http://xato.net
> RAG> --
> RAG> http://securityvulns.com/
> RAG>          /\_/\
> RAG>         { , . }     |\
> RAG> +--oQQo->{ ^ }<-----+ \
> RAG> |  ZARAZA  U  3APA3A   } You know my name - look up my number (The
> RAG> Beatles)
> RAG> +-------------o66o--+ /
> RAG>                     |/
>
>
>
> --
> ~/ZARAZA http://securityvulns.com/
> Но ведь кому угодно могут прийти в голову яйца, пятки и епископы. 
> (Лем)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/