NT 回收站与创建文件夹漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1105695 漏洞类型 其他
发布时间 2000-02-01 更新时间 2006-04-19
CVE编号 CVE-2000-0121 CNNVD-ID CNNVD-200002-004
漏洞平台 Windows CVSS评分 3.6
|漏洞来源
https://www.exploit-db.com/exploits/19739
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200002-004
|漏洞详情
WindowsNT和Windows2000中RecycleBin工具存在漏洞。本地用户通过在回收目录中创建含有受害人SID的子目录可以读取或修改文件。
|漏洞EXP
Microsoft Windows NT 4.0/SP1/SP2/SP3/SP4/SP5/SP6 Recycle Bin Pre-created Folder Vulnerability

source: http://www.securityfocus.com/bid/963/info


When an NT user uses the Recycle Bin for the first time on a given partition, a folder is created in the \Recycler folder on that partition with the name of the new folder set to the user's SID. When this happens, appropriate permissions are set to prevent other users from accessing files in that folder. However, if that folder does not yet exist, a local attacker can create it, set arbitrary permissions, and then later access any files deleted by the user. The files themselves will retain their original permissions, but if the attacker gives him/herself Full Access to the user's Recycler folder they can overwrite files with arbitrary content.

This vulnerability only applies to NTFS partitions, as there is no local access control on any files on a FAT partition. 

This exploit will create a range of folders in th e\Recyycler folder of the selected partition, with names based on projected SID numbers erived from the user's own SID.

Usage: RecyclerSnooper #_of_folders driveletter
Example: RecyclerSnooper 200 C 

https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/19739.exe
|参考资料

来源:MSKB
名称:Q248399
链接:http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;Q248399
来源:BID
名称:963
链接:http://www.securityfocus.com/bid/963
来源:MS
名称:MS00-007
链接:http://www.microsoft.com/technet/security/bulletin/ms00-007.mspx