Advisories for Microsoft Windows NT and Windows 2000 operating systems

SUBST problem - e-mail posted to Bugtraq and NTBugtraq on Tue 30th November 1999
I've not seen this mentioned on any of the security mailing lists (NTBUGTRAQ, BUGTRAQ, etc.) and I cannot find reference to it by searching microsoft.com. I e-mailed Microsoft about it on the 13th October but, apart from a reply saying "we'll look into it", have had no reply as yet.

*** The problem:
Tested with NT4WS SP3 and SP5. SUBSTed drives are persistent between different logged-on users. Users can be misled into saving data somewhere other than where they first thought, running trojaned executables, etc.

*** To recreate (typical example):
An ordinary user logs onto the NT workstation and maps a drive to a subdirectory:

SUBST M: C:\TEMP

They log off.

A second user logs onto the same workstation. The SUBSTed drive is still in effect. Their profile defines that M: be their home directory, mapped to \\SERVER\USERNAME$. It doesn't get connected and there is no error message. The user saves their documents to what they believe to be their home drive (M:) but in actual fact they end up in C:\TEMP.

They log off.

The first user comes back and reads their saved documents from C:\TEMP. There are many other possible exploits that this could be used for.

*** Workaround/fix:
None known. You could delete %WINDIR%\SYSTEM32\SUBST.EXE but someone could always just run their own version from a floppy, network drive or whatever. If you reboot the machine every time before you log in, SUBSTed drives are removed. Maybe practical on workstations where you have EXEs run from network drives at login, not too practical on servers (but if you can't trust the people who have access to them anyway...)

Dave,
http://redirect.to/null/
PGP fingerprint: AE23 A19C 3E5E 74F4 2193 4BB3 E154 54AF 1350 F4FC

Related Links: Bugtraq; NTBugtraq; Microsoft Bugfix.
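
As an added defensive example (not from the advisory), a logon batch script that reports and removes any SUBST drive left behind by a previous session, so that a profile mapping such as M: to \\SERVER\USERNAME$ is not silently shadowed by a stale substitution like M: to C:\TEMP. It assumes the standard SUBST listing format "M:\: => C:\TEMP", that the script runs before the profile's home drive is connected, and that the logged-on user is permitted to delete the stale mapping (which the cross-user persistence described above suggests).

```batch
@echo off
rem Added example, not part of the advisory: clear stale SUBST drives at logon.
rem "subst" with no arguments lists active substitutions, one per line, in the
rem form "M:\: => C:\TEMP"; splitting on ":" makes token 1 the drive letter.
for /f "tokens=1 delims=:" %%d in ('subst') do (
    echo WARNING: stale SUBST drive %%d: found on %COMPUTERNAME%, removing it
    subst %%d: /D
)
rem Anything still listed here could not be removed and should be investigated
rem before trusting any drive letter the profile is about to map.
subst
```

Run this as the first step of the logon script; a non-empty final listing means a substitution survived and the home-drive mapping for that letter should be treated as unreliable.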

Disk (over)quota in Windows 2000 - e-mail posted to Bugtraq and NTBugtraq on Mon 28th February 2000
I've been looking into disk quotas under Windows 2000 and have uncovered a few anomalies. On top of a few peculiarities there appears to be a bug which allows a user to exceed their disk quota by as much as they wish.

*** The problem:
Tested with Windows 2000 Professional build 2195 (release version). Existing files can be extended even if a user is over quota. If exploited by a malicious user then at best it is a nuisance; at worst it may act as a DoS if the disk is filled.

*** Description:
After playing around with the newly introduced disk quotas in Windows 2000 I soon uncovered a bug which would allow an ordinary, unprivileged user to exceed their allocated disk quota and fill a disk/partition. Under normal circumstances when a user is under quota I discovered by experiment that new files can be created up to a size of (Quota - UsedSpace + 2KB - 1 byte), i.e. they can go over quota by up to 2047 bytes. Not too much of a problem. Extending existing files can be up to (Quota - UsedSpace + 1KB - 1 byte), i.e. up to 1023 bytes over quota - nothing much to be worried about.

However, if you are over quota, new file creation is only possible up to 728 bytes if (UsedSpace < Quota + 1KB), i.e. you haven't gone more than 1KB over quota. Existing files can be extended by up to 736 bytes up until (UsedSpace >= Quota + 1KB). Using this point alone, I created a lot of files with "echo.>file0000" at 2 bytes each to use up the user-allocated disk quota and extended them up to the 736 byte limit per file - I was now way over quota.

The limit of how far over quota I could go depended on my initial quota and how many tiny files I could create up until I hit the quota then extending them all. Then I thought "What if I create 0 byte files?".

Oh dear! If you are under quota you can create as many 0 byte files as you wish. They count towards nothing. Then extend these files by 736 bytes and your disk starts filling up and up and up...

*** To recreate (typical example):
Create an ordinary unprivileged user and give them a disk quota of, say, 1MB. Open a command prompt and, using whatever means you wish, create a lot of 0 byte files (e.g. SHIFT>FILE0000). Then append/extend those files by up to 736 bytes (e.g. ECHO 736-characters-here>>FILE0000). If you try to extend beyond 736 bytes, the file and its contents get chopped off at 674 bytes, so for speedy disk filling with fewer files don't try to go beyond 736 bytes.

See attachment for a batch file to create 10,000 of 0 byte files then extend them all to 736 bytes.

*** Workaround/fix:
None known. However, to prevent DoS on servers you should not permit people to write to the same partition that the operating system resides on.

Dave,
http://redirect.to/null/
PGP fingerprint: AE23 A19C 3E5E 74F4 2193 4BB3 E154 54AF 1350 F4FC

Related Links: Bugtraq; NTBugtraq; Download exploit.