lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <42C607DE.7060400@kc.rr.com>
Date: Fri, 01 Jul 2005 22:19:58 -0500
From: Matthew Murphy <mattmurphy@...rr.com>
To: James Tucker <jftucker@...il.com>
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com,
	vulndiscuss@...nwatch.org, news@...uriteam.com
Subject: Re: Re: [VulnWatch] Microsoft Windows NTFS
	Information Disclosure

James Tucker wrote:

>cacls *.chk /G administrator:F
>in shared environments where for some reason your users have access to
>their drives.
>
>  
>
...which doesn't solve a thing.

That workaround won't impact anything.  It will simply mark existing CHK 
files with that ACL.  Any new ones that are created in the future will 
not have it.  Generally, by the time you're executing that command, 
damage is already done.

In any case, .CHK files aren't any part of the exploit.  To my 
knowledge, NTFS generates no such files (as file operations are 
journaled, and therefore, reversible if they aren't completed).  
Something is awry in the shutdown/recovery process of XP that causes it 
to append re-used and uninitialized disk or cache blocks to files open 
for write at shutdown.  These files appear as *normal* files.  I've seen 
this type of "garbage" (some of it in fact, very sensitive) in logs for 
IIS, for instance.

-- 
"Education is a weapon whose effects 
depend on who holds it in his hands 
and at whom it is aimed."
                    -- Joseph Stalin


Download attachment "smime.p7s" of type "application/x-pkcs7-signature" (2789 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ