Dr. Watson's a Big Mouth:
By Brandon Wirtz
One of the duties of Dr. Watson, the default system debugger on Windows NT, is
to take a snapshot of the process space when a user-mode program crashes.
Unfortunately, like Sherlock Holmes' friend, Windows' Dr. Watson is well-meaning
but dim. It puts the snapshot in a file called user.dmp and saves it by default
to a world-readable location.
On NT4 systems, the default location is %SystemRoot%\user.dmp, which will
usually end up being C:\WINNT\user.dmp. Default permissions on NT4 systems give
everyone full control on the WINNT directory. Crash dump files can often contain
passwords and other sensitive information that was stored in memory and was
never meant to be written to disk in plain text. For example, crash-prone
Outlook Express stores the user's mail account passwords in plain text (Unicode
strings) in memory. A malicious user who sent an ill-formatted message and
crashed another user's email could then sift through the information in user.dmp
to find passwords and user IDs.
Windows 2000 is also vulnerable, but in fewer circumstances. Its default
location for user.dmp is C:\Documents and Settings\All Users\Documents\DrWatson\user.dmp.
This location is world-readable by default, but not world-writable. Normal users
will not have a user.dmp file created for them because they lack write access;
however, users who are administrators (and possibly Power Users) of the local
machine are exposed to this vulnerability.
As a per-user workaround, run drwtsn32.exe to set the crash dump options. There
are two ways to avoid the problem: uncheck the "create crash dump file"
checkbox, or change the crash dump location to a directory to which only you
have access.
For a system-wide fix, delete the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\AeDebug\Debugger. Dr. Watson will be replaced by a simple
"Application Error" box.
If you have installed MSVC, it will automatically make itself the system
debugger. It does not create crash dump files, so you are not vulnerable.
As for a fix, Microsoft still hasn't updated Dr. Watson so that it sets
permissions correctly on the files it creates. A quick fix for the problem would
be to make Dr. Watson's default crash dump location somewhere inside the
current user's profile. This only helps on NTFS file systems, but if you are
using FAT or FAT32 for your filesystem there are much worse things that
unprivileged users can do.
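The following is an added example, not part of the original article, that turns the per-user and system-wide workarounds above into an audit: it decides whether a given Dr. Watson configuration will write user.dmp somewhere outside the current user's profile. The AeDebug\Debugger value is the one named in the article; the per-user key HKEY_CURRENT_USER\Software\Microsoft\DrWatson and its value names CreateCrashDump and CrashDumpFile are assumed to be what drwtsn32.exe writes, and all sample settings and environment values are constructed.

```python
"""Audit whether Dr. Watson will write user.dmp to a world-readable location.

Added example; not the article's code. Registry value names under the
per-user DrWatson key are an assumption about what drwtsn32.exe stores.
"""
import ntpath
import os
import re
import sys

# Named in the article (system-wide debugger registration).
AEDEBUG_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug"
# Assumed per-user Dr. Watson settings key and value names.
DRWATSON_KEY = r"Software\Microsoft\DrWatson"


def expand_env(path, env):
    """Expand %VAR% references from the supplied mapping (not os.environ),
    so a snapshot exported from another machine can be assessed offline."""
    return re.sub(r"%([^%]+)%",
                  lambda m: env.get(m.group(1).upper(), m.group(0)), path)


def is_under(path, root):
    """True if a Windows-style path lies inside root (case-insensitive)."""
    p = ntpath.normcase(ntpath.normpath(path))
    r = ntpath.normcase(ntpath.normpath(root))
    return p == r or p.startswith(r + "\\")


def assess(settings, env):
    """Return {'exposed': bool, 'dump_path': str|None, 'reason': str}.

    settings keys: 'debugger' (AeDebug\\Debugger value), 'create_crash_dump'
    (DWORD), 'crash_dump_file' (path, may contain %VAR% references).
    """
    debugger = (settings.get("debugger") or "").lower()
    if "drwtsn32" not in debugger:
        return {"exposed": False, "dump_path": None,
                "reason": "Dr. Watson is not the AeDebug debugger; no user.dmp is written"}
    if not settings.get("create_crash_dump", 1):
        return {"exposed": False, "dump_path": None,
                "reason": "crash dump creation is disabled"}
    dump_path = expand_env(settings.get("crash_dump_file")
                           or r"%SystemRoot%\user.dmp", env)
    profile = expand_env(env.get("USERPROFILE", ""), env)
    if profile and is_under(dump_path, profile):
        return {"exposed": False, "dump_path": dump_path,
                "reason": "dump is written inside the user's profile"}
    return {"exposed": True, "dump_path": dump_path,
            "reason": "dump is written outside the user's profile "
                      "(world-readable by default on NT4 and Windows 2000)"}


def read_live_settings():
    """Read the real values on a Windows host; missing keys are tolerated."""
    import winreg  # only available on Windows
    settings = {"debugger": None, "create_crash_dump": 1, "crash_dump_file": None}
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, AEDEBUG_KEY) as key:
            settings["debugger"] = winreg.QueryValueEx(key, "Debugger")[0]
    except OSError:
        pass
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, DRWATSON_KEY) as key:
            settings["create_crash_dump"] = winreg.QueryValueEx(key, "CreateCrashDump")[0]
            settings["crash_dump_file"] = winreg.QueryValueEx(key, "CrashDumpFile")[0]
    except OSError:
        pass
    return settings


# Constructed sample configurations mirroring the defaults described above.
NT4_ENV = {"SYSTEMROOT": r"C:\WINNT", "USERPROFILE": r"C:\WINNT\Profiles\alice"}
NT4_DEFAULT = {"debugger": r"drwtsn32 -p %ld -e %ld -g",
               "create_crash_dump": 1,
               "crash_dump_file": r"%SystemRoot%\user.dmp"}
W2K_ENV = {"SYSTEMROOT": r"C:\WINNT",
           "USERPROFILE": r"C:\Documents and Settings\alice"}
W2K_DEFAULT = dict(NT4_DEFAULT, crash_dump_file=(
    r"C:\Documents and Settings\All Users\Documents\DrWatson\user.dmp"))
# Per-user fix: dump kept inside the profile directory.
FIXED = dict(NT4_DEFAULT, crash_dump_file=r"%USERPROFILE%\drwatson\user.dmp")
# System-wide fix: AeDebug\Debugger removed, so only the "Application Error" box appears.
NO_DEBUGGER = {"debugger": None}

if __name__ == "__main__":
    if sys.platform == "win32":
        env = {k.upper(): v for k, v in os.environ.items()}
        print(assess(read_live_settings(), env))
    else:
        for name, s, e in [("NT4 default", NT4_DEFAULT, NT4_ENV),
                           ("W2K default", W2K_DEFAULT, W2K_ENV),
                           ("per-user fix", FIXED, NT4_ENV),
                           ("system-wide fix", NO_DEBUGGER, NT4_ENV)]:
            print(f"{name}: {assess(s, e)}")
```

On a Windows host the script reads the live registry and environment; elsewhere it evaluates the constructed samples, which is enough to see that both defaults are flagged while either workaround clears the finding.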
Affected versions: Windows NT 4.0 (all service packs), Windows 2000 (release and
SP1). Windows NT 3.5x is probably vulnerable but hasn't been tested.