ICACLS.EXE Destroys SE_DACL_PROTECTED/SE_SACL_PROTECTED

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1047484 漏洞类型
发布时间 2012-05-15 更新时间 2012-05-15
CVE编号 N/A CNNVD-ID N/A
漏洞平台 N/A CVSS评分 N/A
|漏洞来源
https://cxsecurity.com/issue/WLB-2012050107
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
Hi @ll,

since Windows Vista resp. Windows Server 2003 Service Pack 2, the
command line tool to modify/set file/directory permissions is
ICACLS.EXE [0][1][2][3][4].

Main advantage over the previous command line tools CACLS.EXE [5],
XCACLS.EXE [6] and XCACLS.VBS [7] is the ability to specify
inheritance and to process/propagate inheritable permissions.

But exactly the handling of inheritance is severely broken: in an
objects security descriptor both DACLs and SACLs can be marked as
"PROTECTED", meaning that inheritable ACEs from the parent object
are NOT to be applied to an object and its children [8][9].

ICACLS.EXE, when operating on an object with protected ACLs, but
1. ignores this protection,
2. resets/destroys the protection
   and
3. applies/propagates the inheritable permissions from the parent
   to the object and its children.

This (typically) results in lesser protection of the modified object
and its children, since ACLs that were neither present on the object
before nor specified as arguments to ICACLS.EXE are added to the
object and (propagated to) its children.

The following batch demonstrates the bug (the "D:P" in the SDDL [10]
representation of the security descriptors gets changed to "D:") and
reverts the changes^Wdamage done:

--- *.CMD ---
For %%X In ("%USERPROFILE%"
            "%ALLUSERSPROFILE%"
            "%SystemRoot%\Connection Wizard"
            "%SystemRoot%\Debug\UserMode"
            "%SystemRoot%\System32\Config\SystemProfile"
            "%SystemRoot%\System32\SPOOL\Printers) Do Call :ICACLS "%%~fX\."
Rem "\." is necessary due to another bug in ICACLS.EXE:
Rem  /Restore interprets pathnames different from /Save when the pathname
Rem   is a directory!
Exit /B

:ICACLS
"%SystemRoot%\System32\ICACLS.EXE" "%~1" /Save "%TEMP%\BEFORE.ACL" /C /T
"%SystemRoot%\System32\ICACLS.EXE" "%~1" /Deny *S-1-1-0:(OI)(IO)(X)
"%SystemRoot%\System32\ICACLS.EXE" "%~1" /Save "%TEMP%\AFTER.ACL" /C /T
"%SystemRoot%\System32\ICACLS.EXE" "%~1" /Restore "%TEMP%\BEFORE.ACL" /C
"%SystemRoot%\System32\FC.EXE" /U "%TEMP%\BEFORE.ACL" "%TEMP%\AFTER.ACL"
Del "%TEMP%\BEFORE.ACL" "%TEMP%\AFTER.ACL"
--- EOF ---

Vendor was informed and has acknowledged the bug, but won't neither
issue an immediate fix nor even a warning note stating the bug.


regards
Stefan Kanthak


[0] <http://support.microsoft.com/kb/919240>
[1] <http://support.microsoft.com/kb/943043>
[2] <http://support.microsoft.com/kb/944820>
[3] <http://support.microsoft.com/kb/947870>
[4] <http://support.microsoft.com/kb/2028627>
[5] <http://support.microsoft.com/kb/135268>
[6] <http://support.microsoft.com/kb/318754>
[7] <http://support.microsoft.com/kb/825751>
[8] <http://msdn.microsoft.com/library/aa374920.aspx>
[9] <http://msdn.microsoft.com/library/aa379566.aspx>
[10] <http://msdn.microsoft.com/library/aa379570.aspx>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/