
CERT Coordination Center


The default NTFS permissions are not applied to a converted boot partition on Microsoft Windows 2000 and Windows XP systems when CONVERT.EXE is used

Vulnerability Note VU#361065

Original Release Date: 2002-11-19 | Last Revised: 2002-11-19

Overview

Several commercial desktops and laptops from OEM distributors ship with insecure permissions set on files and directories. It has been confirmed that this is due to the use of Microsoft's CONVERT.EXE utility.

Description

Microsoft's CONVERT.EXE program is used to convert FAT32 file systems to NTFS. There is an insecure directory permission vulnerability introduced when the CONVERT.EXE utility is used on Windows 2000 and Windows XP systems. It has been confirmed that OEM distributors of Microsoft Windows XP and Windows 2000 use this utility and subsequently ship some desktop and laptop machines with the insecure permissions. Laptops and desktops that ship with the OEM version of these operating systems may be vulnerable.

Microsoft's KB article Q237399 discusses this issue with relation to Windows 2000.

Impact

A local attacker may be able to execute arbitrary code with elevated privileges. Exploitation requires another user to subsequently log in to the system.

Solution

The CERT/CC is currently unaware of a practical solution to this problem.

Check the permissions set on system-critical directories such as C:\, C:\Documents and Settings\All Users, C:\Documents and Settings\All Users\Desktop, C:\Documents and Settings\All Users\Start Menu, and the System Restore directories.
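The check above can be automated with the built-in cacls tool that ships with Windows 2000 and XP. The following is an added example, not part of the CERT/CC note: it parses cacls output and flags entries that give groups every local user belongs to (Everyone, Users, Authenticated Users, INTERACTIVE) write-capable access to a directory. The sample cacls output is constructed, not captured from a real system.

```python
import re

# Constructed sample of `cacls` output (not captured from a real system). cacls
# prints the path on the first line of each entry and indents the remaining ACEs
# to the path's width; principals such as "NT AUTHORITY\SYSTEM" contain spaces.
SAMPLE_CACLS_OUTPUT = r"""C:\Documents and Settings\All Users\Desktop Everyone:(OI)(CI)F
                                             BUILTIN\Administrators:(OI)(CI)F
                                             NT AUTHORITY\SYSTEM:(OI)(CI)F
C:\WINDOWS BUILTIN\Users:(OI)(CI)R
           NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)W
           BUILTIN\Administrators:(OI)(CI)F
"""

# One ACE as cacls prints it: PRINCIPAL:(flags)PERM, anchored at end of line.
# Multi-word principals are matched explicitly because the path before them
# may itself contain spaces. "(special access:)" entries are not parsed.
ACE_RE = re.compile(
    r"\s((?:NT AUTHORITY|BUILTIN)\\[^:]+|CREATOR OWNER|\S+)"
    r":((?:\([A-Z]+\))*)([A-Z]+)$"
)

# Groups every local user belongs to; write-capable access for them on a
# shared system directory is what the advisory's impact depends on.
BROAD_PRINCIPALS = {"Everyone", r"BUILTIN\Users",
                    r"NT AUTHORITY\Authenticated Users", r"NT AUTHORITY\INTERACTIVE"}
WRITE_CAPABLE = {"W", "C", "F"}  # cacls: W write, C change, F full control

def parse_cacls(text):
    """Return (path, principal, inherit_flags, perm) for every ACE in cacls output."""
    aces, path = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ACE_RE.search(line)
        if not line[0].isspace():  # first line of an entry carries the path
            path = line[:m.start()].strip() if m else line.strip()
        if m and path:
            aces.append((path, m.group(1), m.group(2), m.group(3)))
    return aces

def find_insecure(text):
    """Return the ACEs that give a broad group write-capable access."""
    return [ace for ace in parse_cacls(text)
            if ace[1] in BROAD_PRINCIPALS and ace[3] in WRITE_CAPABLE]

if __name__ == "__main__":  # on a live system, feed it the output of: cacls "<dir>"
    for path, who, flags, perm in find_insecure(SAMPLE_CACLS_OUTPUT):
        print(f"INSECURE {path}: {who} has {perm} {flags}")
```

Run cacls against each directory listed above and pass the combined output to find_insecure; an Everyone or Users entry with F, C or W on a shared directory is the condition the advisory describes.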

Vendor Information


Dell

Notified:  October 07, 2002 Updated:  November 19, 2002

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Microsoft Corporation

Notified:  October 10, 2002 Updated:  November 18, 2002

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Compaq Computer Corporation

Notified:  October 18, 2002 Updated:  November 19, 2002

Status

  Unknown

Vendor Statement

SOURCE:


    Hewlett-Packard Company
    HP Services
    Software Security Response Team

x-ref:SSRT2395 default NTFS permissions Microsoft Windows 2000 (convert.exe)

At the time of writing this document, HP is currently investigating the potential impact to HP's products.

As further information becomes available HP will provide notice of the availability of any necessary patches through standard security bulletin announcements, and they will be available from your normal HP Services support channel.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Hewlett-Packard Company

Notified:  October 18, 2002 Updated:  November 19, 2002

Status

  Unknown

Vendor Statement

SOURCE:


    Hewlett-Packard Company
    HP Services
    Software Security Response Team

x-ref:SSRT2395 default NTFS permissions Microsoft Windows 2000 (convert.exe)

At the time of writing this document, HP is currently investigating the potential impact to HP's products.

As further information becomes available HP will provide notice of the availability of any necessary patches through standard security bulletin announcements, and they will be available from your normal HP Services support channel.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

IBM

Notified:  October 18, 2002 Updated:  November 18, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

NEC Corporation

Notified:  October 18, 2002 Updated:  November 18, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sony Corporation

Notified:  October 18, 2002 Updated:  November 18, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Toshiba International Corporation

Notified:  October 18, 2002 Updated:  November 18, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group          Score   Vector
Base           N/A     N/A
Temporal       N/A     N/A
Environmental  N/A

References

Credit

Thanks to Douglas Swiggum for reporting this vulnerability.

This document was written by Jason A Rafail.

Other Information

CVE IDs: CVE-2002-0034
Severity Metric: 6.75
Date Public: 2002-10-30
Date First Published: 2002-11-19
Date Last Updated: 2002-11-19 20:12 UTC
Document Revision: 21

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.