lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <200703131329.39954.dhazelton@enter.net>
Date: Tue, 13 Mar 2007 13:29:39 -0400
From: Daniel Hazelton <dhazelton@...er.net>
To: bugtraq@...urityfocus.com, 3APA3A <3APA3A@...urity.nnov.ru>
Cc: "Steven M. Christey" <coley@...re.org>
Subject: Re: Microsoft Windows Vista/2003/XP/2000 file management security issues

On Tuesday 13 March 2007 12:01:51 3APA3A wrote:
> Dear Steven M. Christey,
>
> --Tuesday, March 13, 2007, 2:14:36 AM, you wrote to
> bugtraq@...urityfocus.com:
>
> SMC> 3APA3A said:
> >>I. There is no symlinks under Windows. Symlink attacks are not
> >>possible.
>
> SMC> I'm not a Windows expert, but...  There have been some past
> SMC> vulnerabilities where an attacker could upload a shortcut (.lnk) file
> SMC> and access files outside of the intended directory.  In cases of FTP
> SMC> servers or mail clients, this makes symlink style attacks remotely
> SMC> feasible.  Some previously reported examples are
> SMC> CVE-2004-2672/CVE-2005-0519/CVE-2005-0520 (argosoft), CVE-2005-2184
> SMC> (eRoom), CVE-2005-0587 (Firefox), and CVE-2001-1386 (WFTPD).
> SMC> So, issues *like* symlink vulnerabilities can happen on Windows - but
> SMC> whether they're under-reported is unknown.
>
> These  attacks  are  remote  and have attack vector absolutely different
> from  Unix  symlink  attacks.  Standard Windows files API doesn't handle
> .lnk files, application must be specially written to support them.
>
> Symlink  attack is also possible against e.g. Cygwin-ported application.

I haven't used Vista at all, but from reading the MS documentation about the 
new version of NTFS that it uses it appears that Unix style symlinks are 
supported. (From what I can tell they've been possible since the start, just 
not implemented)

So for any WIndows system that shares the new NTFS code with Vista this is a 
valid vuln. Although I'm not positive about whether MS actually released 
tools along with Vista to use this feature, I'm more than certain that it 
does exist. (However, this may be a moot point. MS might still flag a 
cross-reference like a Unix-style symlink as a filesystem error)

DRH

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ