RDISK registry enumeration file vulnerability in Windows NT 4.0 Terminal Server Edition

There exists a vulnerability in rdisk that exposes the contents of the registry hives to Everyone while the repair information is being updated.

When rdisk updates the repair information it uses a temporary file called $$hive$$.tmp, which it creates in the repair directory and deletes when it is finished. The temporary file holds the contents of the hives during the update. This is especially interesting on Terminal Server, so I'll use that as the example.

The \Wtsrv\repair directory contains backups of the hives, but these have the permissions Administrators: Full Control and SYSTEM: Full Control. Hard to get at those... but the $$hive$$.tmp file is a different matter. Everyone has Read permission on it, so Everyone can read the contents of the hives during the update. An ordinary user can leave a program running that constantly checks for the temporary file and copies its contents as soon as the file is created.
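The weakness above is a file-permission defect: hive copies that should be readable only by Administrators and SYSTEM end up readable by broad principals. The following audit script is an added example, not part of the original advisory or of rdisk; it assumes the repair directory is %SystemRoot%\repair (\Wtsrv\repair on Terminal Server Edition) and reports every file there, including a $$hive$$.tmp caught mid-update, whose DACL grants read access to Everyone, Users or Authenticated Users.

```powershell
# Constructed audit script (not from the original advisory). Flags files in the
# repair directory whose DACL lets broad principals read registry hive copies.
param(
    # Assumption: repair directory lives under the system root (\Wtsrv on TSE).
    [string]$RepairDir = (Join-Path $env:SystemRoot 'repair')
)

# Principals that should never be able to read hive backups or the temp file.
$BroadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

# Any of these access bits lets the holder read file data:
# FILE_READ_DATA (0x1), GENERIC_ALL (0x10000000), GENERIC_READ (0x80000000).
$ReadBits = 0x1 -bor 0x10000000 -bor 0x80000000

function Test-BroadReadAccess {
    param([string]$Path)
    $findings = @()
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who    = $ace.IdentityReference.Value
        $rights = [int]$ace.FileSystemRights
        if ((($rights -band $ReadBits) -ne 0) -and ($BroadPrincipals -contains $who)) {
            $findings += [pscustomobject]@{
                Path      = $Path
                Principal = $who
                Rights    = $ace.FileSystemRights
            }
        }
    }
    return $findings
}

$results = @()
$results += Test-BroadReadAccess -Path $RepairDir
# -Force includes hidden and temporary files such as $$hive$$.tmp.
Get-ChildItem -LiteralPath $RepairDir -File -Force | ForEach-Object {
    $results += Test-BroadReadAccess -Path $_.FullName
}

if ($results.Count -eq 0) {
    Write-Output "No broad read access found under $RepairDir"
} else {
    $results | Format-Table -AutoSize
}
```

Run it as an administrator while a repair-info update is in progress to see whether the transient file is exposed; a clean result for the backups but a finding for $$hive$$.tmp is exactly the condition described in this advisory.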

Microsoft has released a security bulletin about this issue.



© Arne Vidstrom. All rights reserved.