COMMAND

    \?? Object directory

SYSTEMS AFFECTED

    Win NT

PROBLEM

    Prasad Dabak of Cybermedia Software Private Limited has discovered
    yet another security  risk in Windows  NT involving the  operating
    system's  case  sensitivity.  According  to  the report, using the
    permissions on the  "\??" object directory  and by exploiting  the
    case sensitivity of object manager,  it is possible to trojan  any
    system executables.   Any ordinary user  has write permissions  on
    \?? Object directory.  This is to allow user to map network drives
    or use "subst" utility to alias a directory to a new drive letter.
    Each system drive  has an entry  into \?? object  directory.  Each
    entry  is  actually  a  symbolic  link  which points to the device
    associated  with  that  drive  (ergo:  Symbolic  link  \??\C: will
    typically point to a device such as \Device\HardDisk0\Partition1).
    It is possible to create a trojaned version of this symbolic  link
    using the different character case -- for example, it is  possible
    to create a symbolic link such as \??\c:  (notice the small letter
    "c".)   By doing  this, all  the requests  to drive  C get  routed
    through the trojaned symbolic link.

    Please  visit  the  following  URL,  where you'll find the further
    details along with links to a demonstration of the problem:

        http://www.ntsecurity.net/scripts/load.asp?iD=/security/casesensitive.htm

    Note that the exploit may fail on your system because guest  can't
    write to the directory that contains the exploit.  It needs to  do
    so to build a pseudo %SystemRoot% directory structure to link to.

SOLUTION

    As with the KnownDLLs  exploit, good system administration  should
    impede these kinds of exploits.  Even so, these findings are doing
    a good job of scratching the surface of a huge class of local
    privilege escalation attacks against NT.

    Microsoft  received  several  reports   about  this  issue,   some
    reporting  that  the  fix  for  the Case Sensitivity vulnerability
    isn't present in SP5 and others reporting that it's missing in SP6.
    They  verified  that  the  fix  is  present in both service packs.
    However, the fix is not  activated unless base system objects  are
    strongly  protected.   To  enable  base  system object protection,
    you'll need to ensure that

        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\ProtectionMode

    is set to 1, as discussed in

        http://support.microsoft.com/support/kb/articles/Q218/4/73.ASP

    The  confusion  probably  results   because  base  system   object
    protection is  disabled by  default.   This is  done because  many
    applications have problems running under the restrictions that  it
    imposes.
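    The following PowerShell script is an added example, not part of the
    advisory or of Microsoft's guidance: it audits the ProtectionMode value
    named above and, with -WhatIf support, enables it.  The function names
    are assumptions; the registry path and value come from the advisory.

```powershell
# Added example: audit and optionally enable base system object protection,
# the setting that activates the case-sensitivity fix described in the advisory.
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$ValueName = 'ProtectionMode'

function Get-BaseObjectProtection {
    # Reports the current state. A missing value is treated as "not protected",
    # which is the NT default the advisory says causes the confusion.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    $current = if ($null -ne $item) { [int]$item.$ValueName } else { $null }
    [pscustomobject]@{
        Key       = $KeyPath
        Value     = $ValueName
        Current   = $current
        Protected = ($current -eq 1)
    }
}

function Enable-BaseObjectProtection {
    # Sets ProtectionMode=1 (REG_DWORD). Needs administrative rights and takes
    # effect only after a reboot; test applications that rely on weakly
    # protected base objects before rolling this out broadly.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $state = Get-BaseObjectProtection
    if ($state.Protected) {
        Write-Host "ProtectionMode is already 1; nothing to do."
        return
    }
    if ($PSCmdlet.ShouldProcess("$KeyPath\$ValueName", 'Set to 1 (REG_DWORD)')) {
        Set-ItemProperty -Path $KeyPath -Name $ValueName -Value 1 -Type DWord
        Write-Host "ProtectionMode set to 1; reboot required for it to take effect."
    }
}

# Audit first; call Enable-BaseObjectProtection -WhatIf to preview the change.
Get-BaseObjectProtection | Format-List
```

    Run the audit across a fleet first, since any machine reporting
    Protected = False has the SP5/SP6 fix installed but inactive.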