WinXP Pro(Gold) Insecure System Restore File Permissions

From: Makoto Shiotsuki (shio@st.rim.or.jp)
Date: 10/04/02


From: Makoto Shiotsuki <shio@st.rim.or.jp>
Date: Fri, 04 Oct 2002 22:36:10 +0900
To: bugtraq@securityfocus.com

WinXP Pro(Gold) Insecure System Restore File Permissions

On Windows XP Professional (Gold), the "System Restore" files
are not protected properly by NTFS ACLs, so every local user can
access these important files.

System Restore files are stored in the "System Volume Information"
directory, and this directory itself is well protected by an ACL, so
normal users generally cannot access System Restore files.
But the System Restore directory, along with its sub-directories,
is not protected by NTFS ACLs (everyone:full), so every local
user can access System Restore files by specifying the path
directly.

You can find the path of the System Restore directory with the
following command line.

 c:\> reg query "HKLM\System\CurrentControlSet\Control\BackupRestore\FilesNotToBackup" /v "System Restore"

Then you can cd to the System Restore directory.

 (example)
 c:\> cd \System Volume Information\_restore{8716531F-212F-45F1-8BAA-FB69F0C7FAEF}

Within the restore point directories (RP0, RP1, ...), you will find a
directory called "snapshot" containing registry hive data.

  _REGISTRY_MACHINE_SAM
  _REGISTRY_MACHINE_SECURITY
  _REGISTRY_MACHINE_SOFTWARE
  _REGISTRY_MACHINE_SYSTEM
  _REGISTRY_USER_.DEFAULT
  _REGISTRY_USER_NTUSER_S-1-5-18
  .....

These hive files are also freely accessible by every local user.
A malicious local user may modify the SOFTWARE hive (e.g. add a
malicious Run registry entry), expecting the administrator to execute
System Restore, and the modification will take effect.

This problem is fixed by applying Windows XP SP1, but I couldn't
find this issue in the "List of Fixes".

Makoto Shiotsuki
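Added example, not part of the original post: a PowerShell audit that walks the System Restore directories described above and reports any Allow ACE that grants FullControl, Modify or Write to Everyone (the post's "everyone:full" case) or, as an added assumption, to Authenticated Users or BUILTIN\Users. It assumes an elevated prompt, PowerShell 3.0 or later, and the _restore{GUID}\RPn\snapshot layout the post gives; drive letters and directory names are taken from the running system, nothing else is hard-coded.

```powershell
# Added example (not from the original post): audit ACLs on the System
# Restore directories. Run elevated; "System Volume Information" itself
# is ACL-protected and cannot be listed by a normal user.

function Test-RestoreDirAcl {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    $weak = @()
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $ident = $ace.IdentityReference.Value
        # Everyone is the case from the post; the other two groups are an
        # added assumption about what "every local user" could map to.
        if ($ident -notmatch '^(Everyone|NT AUTHORITY\\Authenticated Users|BUILTIN\\Users)$') { continue }
        if ($ace.FileSystemRights.ToString() -match 'FullControl|Modify|Write') {
            $weak += [pscustomobject]@{
                Path     = $Path
                Identity = $ident
                Rights   = $ace.FileSystemRights
            }
        }
    }
    return $weak
}

$findings = @()
# Enumerate every fixed drive letter; System Restore keeps one
# "System Volume Information" directory per protected volume.
foreach ($drive in Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root -match '^[A-Z]:\\$' }) {
    $svi = Join-Path $drive.Root 'System Volume Information'
    if (-not (Test-Path -LiteralPath $svi)) { continue }
    # Each _restore{GUID} directory holds RP0, RP1, ... and each restore
    # point has a "snapshot" subdirectory with the copied registry hives.
    $restoreDirs = Get-ChildItem -LiteralPath $svi -Directory -Force -Filter '_restore*' -ErrorAction SilentlyContinue
    foreach ($dir in $restoreDirs) {
        $findings += Test-RestoreDirAcl -Path $dir.FullName
        $snapshots = Get-ChildItem -LiteralPath $dir.FullName -Directory -Force -Recurse -Filter 'snapshot' -ErrorAction SilentlyContinue
        foreach ($snap in $snapshots) {
            $findings += Test-RestoreDirAcl -Path $snap.FullName
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No weak ACLs found on System Restore directories.'
} else {
    $findings | Format-Table -AutoSize
}
```

On a patched system (XP SP1 or later, as the post notes) the script should report nothing; any line it prints is a directory where a restore point's hive copies are writable by unprivileged accounts and should be repaired with icacls or the Security tab.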


