Vulnerability Note VU#361065

The default NTFS permissions are not applied to a converted boot partition on Microsoft Windows 2000 and Windows XP systems when CONVERT.EXE is used

Original Release date: 19 Nov 2002 | Last revised: 19 Nov 2002

Overview

Several commercial desktops and laptops from OEM distributors ship with insecure permissions set on files and directories. It has been confirmed that this is due to the use of Microsoft's CONVERT.EXE utility.

Description

Microsoft's CONVERT.EXE program is used to convert FAT32 file systems to NTFS. There is an insecure directory permission vulnerability introduced when the CONVERT.EXE utility is used on Windows 2000 and Windows XP systems. It has been confirmed that OEM distributors of Microsoft Windows XP and Windows 2000 use this utility and subsequently ship some desktop and laptop machines with the insecure permissions. Laptops and desktops that ship with the OEM version of these operating systems may be vulnerable.

Microsoft's KB article Q237399 discusses this issue with relation to Windows 2000.

Impact

A local attacker may be able to execute arbitrary code with elevated privileges. This would require another user to log in to the system.

Solution

The CERT/CC is currently unaware of a practical solution to this problem.

Check the permissions set on system critical directories such as C:\, C:\Documents and Settings\All Users, C:\Documents and Settings\All Users\Desktop, C:\Documents and Settings\All Users\Start Menu, and the System Restore directories.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
DellAffected07 Oct 200219 Nov 2002
Microsoft CorporationAffected10 Oct 200218 Nov 2002
Compaq Computer CorporationUnknown18 Oct 200219 Nov 2002
Hewlett-Packard CompanyUnknown18 Oct 200219 Nov 2002
IBMUnknown18 Oct 200218 Nov 2002
NEC CorporationUnknown18 Oct 200218 Nov 2002
Sony CorporationUnknown18 Oct 200218 Nov 2002
Toshiba International CorporationUnknown18 Oct 200218 Nov 2002
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

Thanks to Douglas Swiggum for reporting this vulnerability.

This document was written by Jason A Rafail.

Other Information

  • CVE IDs: CAN-2002-0034
  • Date Public: 30 Oct 2002
  • Date First Published: 19 Nov 2002
  • Date Last Updated: 19 Nov 2002
  • Severity Metric: 6.75
  • Document Revision: 21

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.