exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

readirchange.txt

readirchange.txt
Posted Feb 24, 2007
Authored by 3APA3A | Site securityvulns.com

ReadDirectoryChangesW() in Microsoft Windows 2000/XP/2003/Vista does not check a user's permissions for child objects, making it possible to retrieve information about objects that a user has no LIST permissions for.

tags | advisory
systems | windows
advisories | CVE-2007-0843
SHA-256 | 28c243a93150e7391b8dd5ee991fbdddfc48cde9df598f7cf90b32d70425b91a

readirchange.txt

Change Mirror Download


Title: Microsoft Windows 2000/XP/2003/Vista ReadDirectoryChangesW
informaton leak
Author: 3APA3A, http://securityvulns.com
Affected: Microsoft Windows 2000,XP,2003,Vista
Exploitable: Yes
Type: Remote (from local network), authentication required
(NULL session was not tested).
Class: Information leak, insecure design
CVE: CVE-2007-0843
Original
Advisory: http://securityvulns.com/advisories/readdirectorychanges.asp
SecurityVulns
news: http://securityvulns.com/news/Microsoft/Windows/ReadDirector.html


Intro:

It's very simple yet interesting vulnerability. ReadDirectoryChangesW()
API allows application to monitor directory changes in real time.
bWatchSubtree parameter of this functions allows to monitor changes
within whole directory tree with of monitored directory. To monitor
changes directory must be open with LIST (READ) access. Function returns
the list of modified files with a type of modification. File
modification refers to any modification of file record in directory.

Vulnerability:

ReadDirectoryChangesW() doesn't check user's permissions for child
child objects, making it's possible to retrieve information about
objects user has no "LIST" permissions.

Impact:

Any unprivileged user with LIST access to parent directory can monitor
any files in child directories regardless of subdirectories and files
permissions. Because by default Windows updates access time of any
accessed files on NTFS volumes, it makes it possible for user to gather
information about NTFS-protected files, their names and time of access
to the files (reading, writing, creation, deletion, renaming, etc).
Filenames may contain sensitive information or leak information about
user's behavior (e.g. cookies files).

In addition to it's own impact, this vulnerability elevates impact of
few different vulnerabilities and common practices, to be reported
later.

Exploit:

http://securityvulns.com/files/spydir.c

compiled version of Spydir is available from

http://securityvulns.com/soft/

Usage example:

spydir \\corpsrv\corpdata

I believe you find this utility useful regardless of this security
issue. It shows names of accessed/modified files for given directory in
real time (it seems there are non-security bugs in ReadDirectoryChangesW
implementations, e.g. you can not see non-ASCII names and some changes
are missing).

Workaround:

Avoid creation of more secure folder in less secure ones. Avoid using
sensitive data in documents naming.

Vendor (Microsoft):

January, 17 2006 Initial vendor notification
January, 18 2006 Vendor reply (assigned)
January, 26 2006 2nd vendor notification
February, 7 2006 3rd vendor notification
February, 9 2006 Vendor accepted vulnerability as "service pack
class" for Windows XP and Windows 2003.
February, 9 2006 Accepted to wait until SP
February, 22 2006 Vendor gives SP timelines (late 2006 for W2K3
SP2 and 2007 for XP SP3)
February, 22 2007 Public release, because Windows Vista is
released with same vulnerability.


Login or Register to add favorites

File Archive:

June 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    0 Files
  • 2
    Jun 2nd
    0 Files
  • 3
    Jun 3rd
    18 Files
  • 4
    Jun 4th
    21 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    57 Files
  • 7
    Jun 7th
    6 Files
  • 8
    Jun 8th
    0 Files
  • 9
    Jun 9th
    0 Files
  • 10
    Jun 10th
    12 Files
  • 11
    Jun 11th
    27 Files
  • 12
    Jun 12th
    38 Files
  • 13
    Jun 13th
    16 Files
  • 14
    Jun 14th
    14 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    16 Files
  • 18
    Jun 18th
    26 Files
  • 19
    Jun 19th
    15 Files
  • 20
    Jun 20th
    18 Files
  • 21
    Jun 21st
    8 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    19 Files
  • 25
    Jun 25th
    5 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close