Message-ID: <441968866.20070309234805@SECURITY.NNOV.RU>
Date: Fri, 9 Mar 2007 23:48:05 +0300
From: 3APA3A <3APA3A@...URITY.NNOV.RU>
To: "Michele Cicciotti" <mc@...msa.net>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Microsoft Windows Vista/2003/XP/2000 file
	management security issues

Dear Michele Cicciotti,

--Friday, March 9, 2007, 9:00:05 PM, you wrote to full-disclosure@...ts.grok.org.uk:

>> Scenario 1.1:
>>
>> Bob wishes to create "Bob private data" folder in "Public" folder to
>> place few private files. "Public" has at least "Write" permissions for
>> "User" group. Bob:

MC> This is, of course, wrong. You muddy the issue with the "Write
MC> permissions for User group" red herring and we are all supposed to
MC> oooh and aaah at your sleight-of-hand trickery. Of course, a proper
MC> public repository for private folders should have saner settings
MC> than that, to begin with.

First, Bob's private data was just an example. The problem itself belongs
to any case where data with more restrictive permissions is created in a
folder with less restrictive permissions. And despite what Mr. Grimes
says, this is quite a common case under Windows and can be found in almost
any real corporate directory structure. If you ever removed the "Inherit
from parent" checkbox in advanced security settings, you most probably
were vulnerable to attack. Show me an administrator who never did.

Second, the "Preopen file attack" and everything below will work with the
saner "Add and read permission for User group". Any usage of the "Creator
owner" group is a case where this can be exploited.


-- 
~/ZARAZA http://securityvulns.com/
For facts are facts, and they are set forth only so that they may be understood and believed. (Twain)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
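
One way to audit for the condition the message describes (a folder with inheritance switched off sitting under a parent where a broad group can create objects), as an added example that is not part of the original post. The root path and the function name `Test-BroadCreate` are assumptions made for illustration.

```powershell
# Added audit sketch (not from the original post). $Root is a hypothetical path.
param([string]$Root = 'C:\Shares\Public')

# Well-known SIDs: Everyone, Authenticated Users, BUILTIN\Users
$BroadSids    = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'
$CreatorOwner = 'S-1-3-0'
$CreateRights = [System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories'
$InheritOnly  = [System.Security.AccessControl.PropagationFlags]::InheritOnly
$SidType      = [System.Security.Principal.SecurityIdentifier]

# True when an Allow ACE lets a broad group create files or subfolders in the
# folder itself. Deny ACEs and generic-rights ACEs are not evaluated here.
function Test-BroadCreate {
    param($Acl)
    foreach ($ace in $Acl.GetAccessRules($true, $true, $SidType)) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $BroadSids -contains $ace.IdentityReference.Value -and
            -not ($ace.PropagationFlags -band $InheritOnly) -and
            ($ace.FileSystemRights -band $CreateRights)) { return $true }
    }
    return $false
}

Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $dir = $_
        try {
            $acl       = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop
            $parentAcl = Get-Acl -LiteralPath $dir.Parent.FullName -ErrorAction Stop
        } catch { return }   # skip folders whose ACL cannot be read

        # Inheritance switched off on the child, parent open for creation
        if ($acl.AreAccessRulesProtected -and (Test-BroadCreate $parentAcl)) {
            $co = $parentAcl.GetAccessRules($true, $true, $SidType) |
                  Where-Object { $_.IdentityReference.Value -eq $CreatorOwner }
            [pscustomobject]@{
                Folder                = $dir.FullName
                Owner                 = $acl.Owner
                ParentHasCreatorOwner = [bool]$co
            }
        }
    }
```

Each row is a folder to review by hand: compare its owner and its explicit ACEs with what the data's intended owner expects.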
