SECURITY.NNOV: Windows 2000 system partition weak default permissions

From: 3APA3A (3APA3A@SECURITY.NNOV.RU)
Date: 08/05/02


Date:         Mon, 5 Aug 2002 19:52:01 +0400
From: 3APA3A <3APA3A@SECURITY.NNOV.RU>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

Title: Windows 2000 system partition weak default permissions
Affected: Windows 2000
Vendor: Microsoft
Author: ZARAZA <3APA3A@security.nnov.ru>
Date: August, 03 2002
Risk: High
Exploitable: Yes
Remote: No
Vendor notified: May, 17, 2002
SECURITY.NNOV URL: http://www.security.nnov.ru
Advanced info: http://www.security.nnov.ru/search/news.asp?binid=2205

I. Introduction:

To protect the system files located in the root of the system partition
(boot.ini, ntdetect.com, ntldr, autoexec.bat, etc.), Windows 2000 applies
a security template whose NTFS permissions allow only administrators and
advanced users to access these files.

II. Vulnerability:

The system partition itself, however, carries an Everyone/Full Control
access permission. Microsoft documents (and a NIST draft) also recommend
Everyone/Full Control or Authenticated Users/Full Control permissions.

III. Details:

For POSIX compatibility, a user with the Full Control NTFS permission on a
folder may delete any file in that folder regardless of the file's own
permissions. This makes it possible for a user to become the owner of, and
gain Full Control over, any system file located in the root of the system
partition with the following scenario:

 1. Delete the original file (delete only, because moving a file into the
 recycle bin requires read permission).
 2. Create a new file with the same name. The user is now the owner of
 this new file and has the Full Control permission on it, inherited from
 the root folder.

This makes it possible to trojan system files in order to execute code in
kernel space and/or to change the boot sequence. It is not as hard as it
seems: it is trivial to exploit this problem to get system-level access or
to run an application in the logged-on user's context without
programming/debugging skills (hint: 'strings ntldr').

IV. Solution

The workaround is very easy. Replace the Full Control permission for the
Everyone group with any reasonable set of permissions on all root folders,
including the system partition. You can replace the Full Control permission
with the full set of special permissions. For NTFS this has the same
effect, except that a user will no longer be able to remove a file for
which he has no Delete permission.

Installing the hisec*.inf security templates does not solve this problem.
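The folder right that produces the behaviour described in section III is "Delete subfolders and files" (FILE_DELETE_CHILD), which Full Control includes: with it, a file can be deleted from the folder no matter what the file's own DACL says. The script below is an added example, not part of the original advisory, that audits the root of the system partition for broad principals holding that right and, on request, rebuilds the offending ACEs without it while keeping every other right and the inheritance flags. It assumes a modern Windows host with PowerShell 5.1 or later and a constructed list of "broad" principals; Windows 2000 itself had no PowerShell, where the equivalent change is made in the Advanced view of the ACL editor by clearing "Delete Subfolders and Files" on the root folder.

```powershell
# Added example (not from the advisory): audit and remediate FILE_DELETE_CHILD
# grants to broad principals on the root of the system partition.
# Assumes PowerShell 5.1+ on a modern Windows host.

$DeleteChild = 0x40          # FILE_DELETE_CHILD, "Delete subfolders and files"
$GenericAll  = 0x10000000    # GENERIC_ALL; maps to Full Control on NTFS

# Assumption: which principals count as "broad". Adjust to local policy.
$BroadPrincipals = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    'BUILTIN\Users'
)

function Test-GrantsDeleteChild {
    # True when the ACE carries FILE_DELETE_CHILD directly or via GENERIC_ALL.
    param([System.Security.AccessControl.FileSystemAccessRule]$Ace)
    $rights = [int]$Ace.FileSystemRights
    return ((($rights -band $DeleteChild) -ne 0) -or (($rights -band $GenericAll) -ne 0))
}

function Get-BroadDeleteChildGrant {
    # Report every Allow ACE on $Path that gives a broad principal FILE_DELETE_CHILD.
    param([string]$Path = "$env:SystemDrive\")
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (-not (Test-GrantsDeleteChild $ace)) { continue }
        [pscustomobject]@{
            Path      = $Path
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

function Remove-BroadDeleteChildRight {
    # Rebuild each offending explicit Allow ACE without FILE_DELETE_CHILD,
    # keeping all other rights and the inheritance/propagation flags.
    # Nothing is written unless -Apply is given (run elevated for that).
    param([string]$Path = "$env:SystemDrive\", [switch]$Apply)
    $acl = Get-Acl -LiteralPath $Path
    $changed = $false
    foreach ($ace in @($acl.Access)) {
        if ($ace.IsInherited) { continue }
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (-not (Test-GrantsDeleteChild $ace)) { continue }

        $rights = [int]$ace.FileSystemRights
        # Expand a generic grant to the concrete Full Control mask before masking.
        if (($rights -band $GenericAll) -ne 0) {
            $rights = [int][System.Security.AccessControl.FileSystemRights]::FullControl
        }
        $newRights = [System.Security.AccessControl.FileSystemRights]($rights -band (-bnot $DeleteChild))
        $newAce = [System.Security.AccessControl.FileSystemAccessRule]::new(
            $ace.IdentityReference, $newRights, $ace.InheritanceFlags, $ace.PropagationFlags,
            [System.Security.AccessControl.AccessControlType]::Allow)

        $acl.RemoveAccessRuleSpecific($ace)   # drop the exact old ACE
        $acl.AddAccessRule($newAce)           # add the same ACE minus FILE_DELETE_CHILD
        Write-Host "$($ace.IdentityReference.Value): $($ace.FileSystemRights) -> $newRights"
        $changed = $true
    }
    if ($changed -and $Apply) { Set-Acl -LiteralPath $Path -AclObject $acl }
    return $changed
}

# Usage: audit first, then dry-run the change; add -Apply to write it.
Get-BroadDeleteChildGrant | Format-Table -AutoSize
Remove-BroadDeleteChildRight
```

After the change, a user whose only access to a root file comes from the folder ACE can still create, read and modify according to the remaining rights, but deleting a file again requires the Delete right on the file itself, which is the effect the workaround above describes. Re-run the audit function after applying a security template, since templates that reset the root ACL can reintroduce the Full Control grant.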

V. Vendor

Microsoft was informed on May 17. The reply came the same day, May 17:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Dear Zaraza

Many thanks for your email. We have received reports already on this
issue and we are actively investigating this.

Many thanks again for taking the time to email us.

Tony.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
It looks like there is still no patch for Windows 2000. The security
templates and documentation have not been corrected.

--
http://www.security.nnov.ru
         /\_/\
        { , . }     |\
+--oQQo->{ ^ }<-----+ \
|  ZARAZA  U  3APA3A   }
+-------------o66o--+ /
                    |/
You know my name - look up my number (The Beatles)