[Full-disclosure] Fix for NTFS permissions issue in QuickTime 7.x for Windows



In Dec 2010, Apple released QT 7.6.9. One of the included fixes was for
CVE-2010-0530 <http://support.apple.com/kb/HT4447>, which I had reported to
Apple. While 7.6.9 corrects the problem with new installations, it does not
revoke the inappropriate NTFS permissions that may have been granted by
previous installations of QT 7.6.8 or earlier. The problem goes back to at
least 7.5.5, possibly earlier versions.

Despite repeatedly pointing out to Apple that any fix needed to correct any
permissions on existing installations, they did not do so, and it appears
that they aren't going to. Therefore, I'm releasing the details of the
vulnerability, and a batch file to correct (on most machines) the
inappropriate NTFS permissions granted by earlier versions of QTWin.

Below is a batch file that, when run as an administrator, will remove the
inappropriate permissions from all accessible user profiles on a W2k, XP,
Vista, or Win7 machine. If you're running NT4, running Windows Server, or
have restricted access to any user profile directories, the following script
may need modification.

Network administrators who need support in correcting permissions on a large
network of machines may contact the author for PAID support and/or scripts
better suited to cleaning up permissions on a large number of computers.

This software is offered as is, without warranty, and with no free support.

Sincerely,
Geoff Strickler
On-line Transaction Consultants.

Below is the text of the
CVE-2010-0530-fix-perms-all-profiles-targeted.bat
batch file.

@echo off
rem Version 1.00 - Sept 20, 2011 by Geoff Strickler.
rem About the author: Geoff Strickler [geoff.strickler at
rem gmail.com] is the person who originally found and reported
rem the vulnerability now known as CVE-2010-0530.

rem ---- Purpose:
rem This program removes the inappropriate permissions that were
rem set by QuickTime for Windows versions prior to 7.6.9.
rem Attempt to correct permissions in all user profiles on this machine.

rem ---- Background:
rem Apple provided a fix for CVE-2010-0530 in QuickTime 7.6.9, however,
rem Apple's fix [http://support.apple.com/kb/HT4447] fails to correct
rem the permissions in systems where inappropriate permissions have
rem already been granted by previous versions of QuickTime.

rem This fix is not needed on systems where the volume containing
rem the user profile directories is a FAT-32 volume since those
rem don't support user ACLs.

rem ---- Legal disclaimers:
rem This software provided free of charge, as-is, with no warranties
rem expressed or implied. You assume all liability for any damages,
rem including incidental or consequential damages. No free support is
rem available from the author as I've already spent far too much time
rem finding and reporting the problem, and in developing this fix for
rem what Apple didn't remedy.

rem USE AT YOUR OWN RISK.

rem ---- Compatibility notes:
rem This script is believed to be safe for use on W2k, XP, Vista, and Win7
rem systems.

rem The author has only tested it on XP and Win7.

rem It is NOT RECOMMENDED for Windows Servers

rem It is NOT RECOMMENDED for NT4 systems, and might not be appropriate
rem for W2k or XP systems that are an in-place upgrade from NT4 or
rem earlier systems.

rem For unsupported systems, either adapt it yourself, or contact the
rem author for PAID support.

rem ---- Operation and usage notes:
rem This script uses a "targeted" approach that will remove explicit (but
rem not inherited) permissions granted to specific subdirectories in all
rem user profile directories for which the user who executes it has
rem permissions to change permissions. Therefore, it's recommended that
rem this be executed by an administrator. It can be executed by non-
rem administrators, but in that case, it will typically only correct the
rem permissions in the current user's profile since that's the only
rem profile a non-administrator has access to change by default.

rem The cacls command is deprecated in Vista and Win7, however, it still
rem works correctly. icacls is the replacement command, however, it's not
rem supported on XP and earlier systems, so cacls is used for maximum
rem compatibility.

rem ---- Start of script:
rem Write a logfile to "CVE-2010-0530-log.txt" in the current user's
rem temporary directory.
echo %0 >%temp%\CVE-2010-0530-log.txt

rem Make sure NT command extensions are enabled
setlocal EnableExtensions

rem Since there is no environment variable that gives the base directory
rem containing all the user profiles, use the current user profile
rem directory (%userprofile%), then append "\..\*.*" to access its
rem parent directory and get a list of all user profile directories.

rem Iterate through all the user profile directories.
for /D %%i in ("%userprofile%\..\*.*") do (
rem with NT4 and later, the command extensions allow some modification of
rem environment variables. %%~i returns the same as %%i, but without the
rem leading and trailing quotes.
echo . >>%temp%\CVE-2010-0530-log.txt
echo %%~i >>%temp%\CVE-2010-0530-log.txt
echo %%~i

rem -------- revoke permissions for XP and earlier systems
rem from %userprofile%\Local Settings\Application Data\Apple Computer
rem and its "QuickTime" subdirectory.
rem
rem Notes on NT4 systems and possibly on W2k/XP systems that were
rem created as in-place upgrades from NT4 or earlier systems:
rem
rem The author recommends using the "one-profile-shotgun" script on
rem each possibly affected user on such systems rather than modifying
rem this script for that purpose.
rem
rem Only remove permissions from the two directories known to be
rem affected. Revoke permissions from:
rem %%~i\Local Settings\Application Data\Apple Computer
cacls "%%~i\Local Settings\Application Data\Apple Computer" /e /c /r "everyone" >>%temp%\CVE-2010-0530-log.txt
rem
rem and %%~i\Local Settings\Application Data\Apple Computer\QuickTime
cacls "%%~i\Local Settings\Application Data\Apple Computer\QuickTime" /e /c /r "everyone" >>%temp%\CVE-2010-0530-log.txt
rem
rem -------- revoke permissions for Vista/Win7 systems
rem from %userprofile%\AppData\LocalLow\Apple Computer
rem and its "QuickTime" subdirectory.
rem
rem You may replace the below commands with the equivalent icacls
rem command, but it's not necessary.
rem
rem Only remove permissions from the two directories known to
rem be affected.
rem Revoke them from %%~i\AppData\LocalLow\Apple Computer
cacls "%%~i\AppData\LocalLow\Apple Computer" /e /c /r "everyone" >>%temp%\CVE-2010-0530-log.txt
rem and from %%~i\AppData\LocalLow\Apple Computer\QuickTime
cacls "%%~i\AppData\LocalLow\Apple Computer\QuickTime" /e /c /r "everyone" >>%temp%\CVE-2010-0530-log.txt

rem --------
rem If you have files or directories in this user profile that were
rem affected by the cacls commands above, and you want them to be
rem accessible by "everyone", add cacls command(s) below to allow
rem that access.
rem [your cacls command(s) here]
rem --------
)
endlocal
:end

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
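
To confirm the result on Vista or Win7, the icacls output for each affected directory can be checked for an Everyone entry set on the directory itself rather than inherited, which is the kind of entry the batch file says it removes. The following is an added example, not part of the original post or batch file; it parses captured icacls output, and the profile name, sample output and rights shown are constructed.

```python
import re

# One ACE as icacls prints it: ACCOUNT:(flag)(flag)...  e.g. Everyone:(OI)(CI)(F)
ACE_RE = re.compile(r"^(?P<account>[^:]+):(?P<flags>(?:\([^)]*\))+)$")


def parse_icacls(path, output):
    """Return a list of (account, [flags]) from the output of icacls for one path."""
    aces = []
    for line in output.splitlines():
        if line.startswith(path):      # the first ACE shares its line with the path
            line = line[len(path):]
        match = ACE_RE.match(line.strip())
        if match:                      # skips blank lines and the summary line
            flags = re.findall(r"\(([^)]*)\)", match.group("flags"))
            aces.append((match.group("account"), flags))
    return aces


def explicit_everyone(path, output):
    """Flags of each Everyone ACE set on the directory itself (no "I" = not inherited)."""
    return [flags for account, flags in parse_icacls(path, output)
            if account.lower() == "everyone" and "I" not in flags]


# Constructed sample data: the profile name and the rights shown are illustrative;
# the post does not say which rights QuickTime granted.
DIR = r"C:\Users\alice\AppData\LocalLow\Apple Computer"
BEFORE_FIX = r"""C:\Users\alice\AppData\LocalLow\Apple Computer Everyone:(OI)(CI)(F)
                                               NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                                               BUILTIN\Administrators:(I)(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files
"""
AFTER_FIX = r"""C:\Users\alice\AppData\LocalLow\Apple Computer NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                                               BUILTIN\Administrators:(I)(OI)(CI)(F)
                                               Everyone:(I)(RX)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    for label, text in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        found = explicit_everyone(DIR, text)
        print(label, "explicit Everyone ACEs:", found or "none")
```

An inherited Everyone entry, marked (I), is reported separately from the explicit kind because the batch file leaves inherited permissions in place.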
