Date: Wed, 14 Mar 2007 02:08:00 +0300
From: 3APA3A <3APA3A@...URITY.NNOV.RU>
To: Paweł Goleń <p_golen@...onet.pl>
Cc: bugtraq@...urityfocus.com
Subject: Re[2]: Microsoft Windows Vista/2003/XP/2000 file management security issues

Dear Paweł Goleń,

--Tuesday, March 13, 2007, 11:34:53 PM, you wrote to bugtraq@...urityfocus.com:

>>
>> Process 1: Opens file for reading with
>> FILE_SHARE_WRITE|FILE_SHARE_READ|FILE_SHARE_DELETE
>> Process 2: Opens file for writing with FILE_SHARE_NONE and _succeeds_.
>> 
>> With valid mandatory locking implementation process 2 _must fail_.

PG> 3APA3A, on one hand you are right this may be considered to be a
PG> vulnerability in Windows mandatory file locks. But I'm not sure if file
PG> locks in Windows are mandatory. I've never considered "share modes" to
PG> be a security feature.

It was advised in the original article.

PG> In order to be sure I'm creating, not opening, a file I would probably
PG> use CREATE_NEW as the value for the dwCreationDisposition attribute AND
PG> FILE_SHARE_NONE to prevent other processes from opening my file.

...

PG> Am I correct, or am I missing something?

You are right, and again it was advised in the article.

You've only missed the fact that sometimes you need to create a file with
a given name. The examples were demonstrated: file copy operation, archive
extraction, restore from backup, file replication and creation of any
persistent file (e.g. a new document). And you get a problem: what to do
with the existing file? You cannot simply create a new one.

In my opinion, if CREATE_NEW fails because the file exists and the user
asks to overwrite the file, the application should try to remove the
existing file and re-create it with CREATE_NEW, and fail if the second
attempt with CREATE_NEW fails. But: ALL TESTED APPLICATIONS FAILED to act
like this. It's true even for applications you may expect to operate in a
secure way, because they restore original file permissions and may be
used to copy secret information.

Namely:

xcopy     (standard utility) with /Y opens the existing file without
          attempting to delete it.
robocopy  (from the resource kit) opens the existing file
ntbackup  (if the "replace file" option is on during restore) opens the
          existing file
rar       opens the existing file

PG> And one question - which flag for dwCreationDisposition is used, for
PG> example, by Microsoft Word when creating temporary files?

According to tests I recently made, Word behaves correctly with both the
original file (it doesn't edit the original file, but renames it, creates
a new one and copies the content) and the temporary file (also a new file
is created). It may be slow, but it's safe :) It may be possible to catch
a race condition between the old file being renamed and the new one being
created, but it's a bit harder to test.

-- 
~/ZARAZA http://securityvulns.com/
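As an added example (written for this archive page; it is not code from the post, nor from any of the tools it names), here is the overwrite procedure 3APA3A recommends in the message above: try CREATE_NEW, and only if that fails because the name exists and the user allowed overwriting, delete the existing file and try CREATE_NEW once more, failing if the second attempt fails too. The Windows branch uses CreateFile with CREATE_NEW and share mode 0 (FILE_SHARE_NONE), the flags discussed in the thread. The POSIX branch substitutes open() with O_CREAT|O_EXCL, which I assume to be the equivalent "fail if it already exists" check so the same code runs elsewhere. The function names safe_overwrite_create and demo, the result codes and the scratch path are mine.

```c
#include <errno.h>
#include <stdio.h>

#ifdef _WIN32
#include <windows.h>
typedef HANDLE out_handle_t;
#define OUT_INVALID INVALID_HANDLE_VALUE
/* CREATE_NEW: fail if the name already exists. Share mode 0 (FILE_SHARE_NONE)
 * is passed as the post recommends; the thread itself notes that share modes
 * are not a mandatory lock, so the CREATE_NEW check is what actually matters. */
static out_handle_t create_new(const char *path) {
    return CreateFileA(path, GENERIC_WRITE, 0, NULL, CREATE_NEW,
                       FILE_ATTRIBUTE_NORMAL, NULL);
}
static int last_error_was_exists(void) { return GetLastError() == ERROR_FILE_EXISTS; }
static int remove_path(const char *path) { return DeleteFileA(path) ? 0 : -1; }
static void close_out(out_handle_t h) { CloseHandle(h); }
#else
#include <fcntl.h>
#include <unistd.h>
typedef int out_handle_t;
#define OUT_INVALID (-1)
/* POSIX analogue (an assumption of this example, not something the post states):
 * O_CREAT|O_EXCL fails with EEXIST when the name already exists, like CREATE_NEW. */
static out_handle_t create_new(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}
static int last_error_was_exists(void) { return errno == EEXIST; }
static int remove_path(const char *path) { return unlink(path); }
static void close_out(out_handle_t h) { close(h); }
#endif

enum overwrite_result {
    OW_CREATED = 0,         /* a brand-new file was created and is open in *out */
    OW_EXISTS_DECLINED = 1, /* name exists and the caller did not allow overwriting */
    OW_DELETE_FAILED = 2,   /* the existing file could not be removed */
    OW_RETRY_FAILED = 3,    /* second CREATE_NEW failed: name reappeared or delete pending */
    OW_OTHER_ERROR = 4      /* first attempt failed for a reason other than "exists" */
};

/* Produce a NEW file at path. Never opens a pre-existing file: that is the
 * behaviour the post faults in xcopy, robocopy, ntbackup and rar. */
int safe_overwrite_create(const char *path, int allow_overwrite, out_handle_t *out)
{
    *out = OUT_INVALID;
    out_handle_t h = create_new(path);
    if (h != OUT_INVALID) { *out = h; return OW_CREATED; }
    if (!last_error_was_exists()) return OW_OTHER_ERROR;
    if (!allow_overwrite) return OW_EXISTS_DECLINED;
    if (remove_path(path) != 0) return OW_DELETE_FAILED;
    /* Second and last attempt, still CREATE_NEW. No fallback to
     * OPEN_EXISTING or TRUNCATE_EXISTING: if the name came back between the
     * delete and this call, we refuse rather than write into someone else's file. */
    h = create_new(path);
    if (h == OUT_INVALID) return OW_RETRY_FAILED;
    *out = h;
    return OW_CREATED;
}

/* Walks the normal outcomes on one scratch path; returns 0 when all behave. */
int demo(const char *path)
{
    out_handle_t h;
    remove_path(path); /* start clean; failure is fine if the file did not exist */
    if (safe_overwrite_create(path, 0, &h) != OW_CREATED) return 1;
    close_out(h);
    if (safe_overwrite_create(path, 0, &h) != OW_EXISTS_DECLINED) return 2;
    if (safe_overwrite_create(path, 1, &h) != OW_CREATED) return 3;
    close_out(h);
    remove_path(path);
    return 0;
}

int main(void)
{
    int rc = demo("safe_overwrite_demo.tmp"); /* scratch file in the current directory */
    printf("demo %s (rc=%d)\n", rc == 0 ? "ok" : "failed", rc);
    return rc;
}
```

On Windows, DeleteFile can succeed while another process still holds the file open with FILE_SHARE_DELETE; the name then stays until that handle closes and the retry fails, which the function reports as OW_RETRY_FAILED instead of silently reopening the old file. That is the outcome the post asks for: a copy or restore tool should stop and tell the user, not hand its data to whatever object currently owns the name.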

