| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <42C607DE.7060400@kc.rr.com>
Date: Sat Jul 2 04:18:15 2005
From: mattmurphy at kc.rr.com (Matthew Murphy)
Subject: Re: [VulnWatch] Microsoft Windows NTFS
Information Disclosure
James Tucker wrote:
>cacls *.chk /G administrator:F
>in shared environments where for some reason your users have access to
>their drives.
>
>
>
...which doesn't solve a thing.
That workaround won't impact anything. It will simply mark existing CHK
files with that ACL. Any new ones that are created in the future will
not have it. Generally, by the time you're executing that command,
damage is already done.
In any case, .CHK files aren't any part of the exploit. To my
knowledge, NTFS generates no such files (as file operations are
journaled, and therefore, reversible if they aren't completed).
Something is awry in the shutdown/recovery process of XP that causes it
to append re-used and uninitialized disk or cache blocks to files open
for write at shutdown. These files appear as *normal* files. I've seen
this type of "garbage" (some of it in fact, very sensitive) in logs for
IIS, for instance.
--
"Education is a weapon whose effects
depend on who holds it in his hands
and at whom it is aimed."
-- Joseph Stalin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 2789 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20050701/0a3063f3/smime.bin
Powered by blists - more mailing lists