Possible Vulnerabilities with Win2K File Caching
by Russ Rogers - 1/22/00
Like most people in the security world, I've been actively reading and researching the latest weapon in Microsoft's arsenal toward
world domination, Windows 2000. And, like most new systems, Windows 2000 offers unique new vulnerabilities for individuals to
exploit. In this article, I'm going to address a couple of issues of concern in the Offline File Caching "feature" inside Windows
2000. Before I continue, I should point out that these vulnerabilities are completely theoretical and have not been tested.
If you've spent any time at all surfing the "Net", then you should be well aware that web browsers cache web pages and images in a
directory on your local hard drive. This speeds up the retrieval of pages you visit often or have visited recently. Microsoft has
implemented a similar feature for corporate network users that it refers to as "Offline Files."
Users sometimes need to work with files that are located on network servers somewhere else on the LAN. If they access those files
frequently, they may choose to have them "cached" to the local disk. Caching the files allows them to work with the files if the
file server has gone down. Once the server comes back online, the local workstation will send the updated files to the network
server.
Let's consider a local user who routinely edits financial data that exists on a network server elsewhere in the building. Due to
recent network problems, which we all know don't really ever occur, the user highlights the filenames of the files that he/she works
with consistently, right-clicks and scrolls down to the "Make Available Offline" feature. This simple action means that a copy of
each network file has just been saved into the c:\winnt\csc directory so that it can be accessed more quickly. You can also specify
a different location in which to cache those files. Cached files can be seen under \My Computer\Tools\Folder Options\Offline Files
tab.
For scenario 1: From a "Local Threat" viewpoint, improper permissions on the directories containing these cached files can allow
other users with the ability to log in to the local machine to view these files. Individuals who have physical access to the box
(nightly cleaning crews or intruders with a password change utility on floppy) can potentially access those proprietary files. This
could simplify corporate espionage.
For scenario 2: From a "Network Threat" viewpoint we should consider trojan programs or subversive information insertion. Windows
2000 offers a synchronization function for these Offline Files. When a cached file's date/time stamp or size changes, the system
automatically synchronizes the file both locally and across the network. An intruder who can access these files can potentially
alter a file by changing the information in it or by adding virus code or trojan programs to it. Other users accessing this file are
thus misled by the erroneous information, or they unknowingly release the trojan or virus onto the network.
Mark accesses a Microsoft Word document from across the network and marks it to save for Offline Access. While Mark is at lunch,
Herb (Mark's best friend at work) accesses this same file from Mark's computer. Herb adds a common Word macro virus to the document
because he was recently passed over for a promotion. Windows 2000 sees the change in file size and time stamp and thus saves the
file locally AND to the network server. Each user who accesses that file from the network server now unleashes the macro virus on
their local machine.
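Because the synchronization trigger described above only looks at size and time stamps, a defender who wants to notice a tampered cached copy before it is pushed back to the server needs an independent record of file content. The following PowerShell script is an added example, not part of the original article or of Windows itself: it keeps a SHA-256 baseline of everything in the cache directory and reports files that were added, removed or modified since the baseline was taken. The cache path defaults to the c:\winnt\csc location the article names; the baseline file location is an assumption and can be changed.

```powershell
# Added example: content-hash baseline of the Offline Files cache.
# Run once with -Mode Baseline, then periodically with -Mode Compare (the default).
param(
    [string]$CachePath = 'C:\winnt\csc',                       # path from the article; adjust if relocated
    [string]$BaselineFile = "$env:ProgramData\csc-baseline.json", # assumed location for the baseline
    [ValidateSet('Baseline', 'Compare')]
    [string]$Mode = 'Compare'
)

function Get-CacheHashes {
    # Hash every file under the cache root; content hashes catch changes that
    # preserve size and timestamp, which the sync logic alone would not flag.
    param([string]$Root)
    $table = @{}
    Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $table[$_.FullName] = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    return $table
}

function Compare-CacheHashes {
    # Emit one record per difference between the stored baseline and the current state.
    param([hashtable]$Baseline, [hashtable]$Current)
    foreach ($path in $Current.Keys) {
        if (-not $Baseline.ContainsKey($path)) {
            [pscustomobject]@{ Path = $path; Status = 'Added' }
        } elseif ($Baseline[$path] -ne $Current[$path]) {
            [pscustomobject]@{ Path = $path; Status = 'Modified' }
        }
    }
    foreach ($path in $Baseline.Keys) {
        if (-not $Current.ContainsKey($path)) {
            [pscustomobject]@{ Path = $path; Status = 'Removed' }
        }
    }
}

$current = Get-CacheHashes -Root $CachePath

if ($Mode -eq 'Baseline') {
    $current | ConvertTo-Json | Set-Content -Path $BaselineFile
    Write-Output "Baseline of $($current.Count) files written to $BaselineFile"
} else {
    if (-not (Test-Path -Path $BaselineFile)) {
        throw "No baseline at $BaselineFile; run with -Mode Baseline first"
    }
    # ConvertFrom-Json yields an object whose property names are the file paths;
    # rebuild a hashtable so the comparison can use ContainsKey.
    $json = Get-Content -Path $BaselineFile -Raw | ConvertFrom-Json
    $baseline = @{}
    $json.PSObject.Properties | ForEach-Object { $baseline[$_.Name] = $_.Value }

    $changes = @(Compare-CacheHashes -Baseline $baseline -Current $current)
    if ($changes.Count -eq 0) {
        Write-Output "Cache under $CachePath matches baseline"
    } else {
        $changes | Format-Table -AutoSize
    }
}
```

Reading the cache directory normally requires administrative rights, so run the script from an elevated session. A "Modified" entry for a document the user did not edit, as in the lunch-break example, is the signal to inspect the file (and scan it) before the next synchronization carries it to the server.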
File and directory permissions should be applied to decrease the chance of exploit. Only allow access to users who NEED access to
the file. Limit directory permissions to ONLY those users allowed to log in to the local machine. Continue using virus scanning
software and KEEP it updated.
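The permission advice above, and the "Local Threat" scenario it addresses, can be checked rather than assumed. The PowerShell script below is an added example, not code from the original article or from Microsoft: it walks the cache directory the article names (c:\winnt\csc, adjustable) and lists every access-control entry that grants rights to a broad built-in group, which is exactly the condition that would let any local logon read another user's cached files. The set of groups treated as "broad" is an assumption and can be extended.

```powershell
# Added example: audit the Offline Files cache directory for ACEs that grant
# access to broad local groups rather than to the owning user.
param(
    [string]$CachePath = 'C:\winnt\csc'   # path from the article; adjust if relocated
)

# Principals whose presence in an Allow ACE means any local logon can reach the file.
# This list is an assumption for the example; add site-specific groups as needed.
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

function Get-BroadAccessEntries {
    # Return one record per Allow ACE on $Path whose identity is in $BroadPrincipals.
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -contains $ace.IdentityReference.Value) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Check the cache root itself plus everything beneath it (hidden entries included).
$paths = @($CachePath) + @(
    Get-ChildItem -Path $CachePath -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object FullName
)
$findings = @($paths | ForEach-Object { Get-BroadAccessEntries -Path $_ })

if ($findings.Count -eq 0) {
    Write-Output "No broad-group ACEs found under $CachePath"
} else {
    # Non-inherited entries point at an explicit grant; inherited ones point at the parent ACL.
    $findings | Sort-Object Path | Format-Table -AutoSize
}
```

Run it from an elevated session, since reading the cache directory's ACLs is normally restricted. Any row whose Principal is a broad group is a candidate for removal; inherited rows indicate that the fix belongs on the parent directory's ACL rather than on the individual file.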