Microsoft Windows 2000/XP/2003/Vista ReadDirectoryChangesW informaton leak

[3APA3A <3APA3A@xxxxxxxxxxxxxxxx>]

Title:          Microsoft Windows 2000/XP/2003/Vista ReadDirectoryChangesW
                informaton leak
Author:         3APA3A, http://securityvulns.com
Affected:       Microsoft Windows 2000,XP,2003,Vista
Exploitable:    Yes
Type:           Remote  (from  local  network), authentication required
                (NULL session was not tested).
Class:          Information leak, insecure design
CVE:            CVE-2007-0843
Original
Advisory:       http://securityvulns.com/advisories/readdirectorychanges.asp
SecurityVulns
news:           
http://securityvulns.com/news/Microsoft/Windows/ReadDirector.html


Intro:

It's  very simple yet interesting vulnerability. ReadDirectoryChangesW()
API  allows  application  to  monitor  directory  changes  in real time.
bWatchSubtree  parameter  of  this  functions  allows to monitor changes
within  whole  directory  tree  with  of monitored directory. To monitor
changes directory must be open with LIST (READ) access. Function returns
the   list   of  modified  files  with  a  type  of  modification.  File
modification refers to any modification of file record in directory.

Vulnerability:

ReadDirectoryChangesW()  doesn't  check  user's  permissions  for  child
child  objects,  making  it's  possible  to  retrieve  information about
objects user has no "LIST" permissions.

Impact:

Any  unprivileged  user with LIST access to parent directory can monitor
any  files  in  child directories regardless of subdirectories and files
permissions.  Because  by  default  Windows  updates  access time of any
accessed  files on NTFS volumes, it makes it possible for user to gather
information  about  NTFS-protected files, their names and time of access
to  the  files  (reading,  writing,  creation, deletion, renaming, etc).
Filenames  may  contain  sensitive information or leak information about
user's behavior (e.g. cookies files).

In  addition  to  it's own impact, this vulnerability elevates impact of
few  different  vulnerabilities  and  common  practices,  to be reported
later.

Exploit:

http://securityvulns.com/files/spydir.c

 compiled version of Spydir is available from

http://securityvulns.com/soft/

 Usage example:

spydir \\corpsrv\corpdata

I  believe  you  find  this  utility  useful regardless of this security
issue.  It shows names of accessed/modified files for given directory in
real time (it seems there are non-security bugs in ReadDirectoryChangesW
implementations,  e.g.  you can not see non-ASCII names and some changes
are missing).

Workaround:

Avoid  creation  of  more secure folder in less secure ones. Avoid using
sensitive data in documents naming.

Vendor (Microsoft):

January, 17 2006          Initial vendor notification
January, 18 2006          Vendor reply (assigned)
January, 26 2006          2nd vendor notification
February, 7 2006          3rd vendor notification
February, 9 2006          Vendor accepted vulnerability as "service pack
                          class" for Windows XP and Windows 2003.
February, 9 2006          Accepted to wait until SP
February, 22 2006         Vendor gives SP timelines (late 2006 for W2K3
                          SP2 and 2007 for XP SP3)
February, 22  2007        Public  release,  because  Windows Vista is
                          released with same vulnerability.