<!DOCTYPE HTML PUBLIC "html.dtd">
<HTML>
<BODY BGCOLOR="#000000" TEXT="#FFFFFF"><PRE>
<FONT COLOR="#CC0000">COMMAND</FONT>

    rdisk

<FONT COLOR="#CC0000">SYSTEMS AFFECTED</FONT>

    WinNT 4.0 TSE

<FONT COLOR="#CC0000">PROBLEM</FONT>

    Arne Vidstrom  found following.   There exist  a vulnerability  in
    rdisk  which  causes  the  contents  of  the  registry hives to be
    exposed to  Everyone during  updating of  the repair  info.   When
    rdisk updates  the repair  info it  uses a  temporary file  called
    $$hive$$.tmp, which it  puts in the  repair directory and  deletes
    when  it's  finished.   The  temporary  file  is used to store the
    contents  of  the  hives  during  the  update.  This is especially
    interesting on Terminal Server, so we'll take that as an example.

    The \Wtsrv\repair  directory contains  backups of  the hives,  but
    these have  the permissions:  Administrators -  Full Control,  and
    SYSTEM  -  Full  Control.   Hard  to  get  to  those...  but   the
    $$hive$$.tmp  file  is  a  different  thing.   Everybody  has Read
    permissions to it, so Everybody can get the contents of the  hives
    during update.  An ordinary user can leave a program running which
    checks for the temporary  file constantly, and copies  the content
    when it is created.  Of course many restrict access to the  repair
    directory  already,  but  either  way  this  is a vulnerability in
    rdisk.

<FONT COLOR="#CC0000">SOLUTION</FONT>

    Patch availability:
<FONT COLOR="#00FF00">
        http://www.microsoft.com/Downloads/Release.asp?ReleaseID=17384
</FONT>
</PRE></BODY>
</HTML>