Microsoft KB Archive/327522

= MS02-064: Windows 2000 default permissions may permit Trojan horse attack =

Article ID: 327522

Article Last Modified on 2/1/2007

-

APPLIES TO


 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Service Pack 2
 * Microsoft Windows 2000 Service Pack 3
 * Microsoft Windows 2000 Datacenter Server
 * Microsoft Windows 2000 Service Pack 1
 * Microsoft Windows 2000 Service Pack 2
 * Microsoft Windows 2000 Service Pack 3
 * Microsoft Windows 2000 Professional Edition
 * Microsoft Windows 2000 Service Pack 1
 * Microsoft Windows 2000 Service Pack 2
 * Microsoft Windows 2000 Service Pack 3
 * Microsoft Windows 2000 Service Pack 4

-



This article was previously published under Q327522



SYMPTOMS
In Windows 2000, the default permissions provide the Everyone group with Full access (Everyone:F) on the system root folder (typically, drive C). In most cases, the system root is not in the search path. However, under certain conditions -- for example, during logon or when you run programs directly from the Windows desktop by using the Start and Run commands -- the system root may be in the search path.

This scenario may permit an attacker to mount a Trojan horse attack against other users on the same system. To do this, the attacker creates a program in the system root with the same name as some frequently used program, and then waits for another user to log on to the system and run the program. The Trojan horse program is run with the user's own permissions. Therefore, the program can take any action that the user can take.

The simplest attack scenario is one in which the attacker knows that a particular system program is run by a logon script. In that case, the attacker can create a Trojan horse with the same name as the system program, which is then run by the logon script the next time that a user logs on to the system. Other scenarios require significantly more user interaction (and a degree of &quot;social engineering&quot; on the attacker's part). For example, an attacker would need to convince a user to start a particular program by using the Start and Run commands.

The systems most at risk from this vulnerability include:
 * Workstations that are shared between multiple users.
 * Local Terminal Server sessions.

The following systems are at significantly less risk:
 * Workstations that are not shared between users are at no risk, because the attacker must be able to log on to the system to plant the Trojan horse.
 * Servers are at no risk, assuming that standard best practices have been followed, which permit only trusted users to log on to them.
 * Remote Terminal Server sessions are at low risk, because each user's environment is isolated. In other words, the system root is never the current folder. Instead, the user's Documents and Settings folder is the current folder, but the permissions on this folder do not permit an attacker to plant a Trojan horse there.



WORKAROUND
To work around this issue, reset the permissions for the root directory on the system drive. The default permissions for Windows XP can serve as a guide for a set of permissions that have been thoroughly designed and tested. The following are the default permissions for the root directory on the system drive for Windows XP:
 * Administrators: Full (This Folder, Subfolders, and Files)
 * Creators Owners: Full (Subfolders and Files)
 * System: Full (This Folder, Subfolders, and Files)
 * Everyone: Read and Execute (This Folder Only)

You can also use security templates to apply the new permissions. If you use a security template, add the following to the [File Security] section to make the permissions the same as those for Windows XP: &quot;%SystemDrive%\&quot;,0,&quot;D:AR(A;OICI;GA;;;BA)(A;OICI;GA;;;SY)(A;OICIIO;GA;;;CO) (A;CIOI;GRGX;;;BU)(A;CI;0x00000004;;;BU)(A;CIIO;0x00000002;;;BU)(A;;GRGX;;;WD)&quot; Note The preceding code should all be on one line. It has been wrapped for readability.



STATUS
Microsoft has confirmed that this problem may cause a degree of security vulnerability in the Microsoft products that are listed in the &quot;Applies to&quot; section.



MORE INFORMATION
For more information about this vulnerability, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/MS02-064.mspx

Keywords: kbbug kbnofix kbsecvulnerability kbsecurity kbsecbulletin KB327522

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.