Recycle Bin Creation Vulnerability

On a shared computer, it may be possible for a user to create a folder in the %SystemRoot\Recycler folder that is then assigned to another user based on the Security Identifier (SID) number. If you do this, a malicious user may assign themselves extended rights to the newly created Recycle Bin folder before it is assigned to another user. This allows someone the ability to insert files into a user's Recycle Bin or permanently delete a user's files located in that specific Recycle Bin.

Issue

The Windows NT Recycle Bin for a given user maps to a folder, whose name is based on the owner's SID. The folder is created the first time the user deletes a file, and the owner is given sole permissions to it. However, if a malicious user could create the folder before the bona fide one were created, he or she could assign any desired permissions to it. This would allow him or her to create, modify or delete files in the Recycle Bin, but in most cases would not enable them to read files unless he or she already were able to.

There are several significant limitations that would make it difficult to exploit this vulnerability:

• The malicious user would need to create the bogus Recycle Bin before the user's bona fide one were created.
• The malicious user would need to share a machine with the other user. The vulnerability would only enable the malicious user to take action against the Recycle Bin on the particular machine, and the particular partition, that was attacked.
• The malicious user could add files to the Recycle Bin, but this vulnerability would not allow him or her to induce the other user to retrieve them.

Affected Products

• Windows NT Server, Enterprise and Workstation 4.0

Download

Patch: http://www.microsoft.com/downloads/release.asp?ReleaseID=22155

Further Details

Source: Microsoft Corporation

Reference: Microsoft Corporation

Updated: July 13, 2000

>> Recommended Download - secure your PC from spyware, adware and malware now with Spyware Doctor <<