Microsoft Windows NT 4.0 - Recycle Bin Pre-created Folder

EDB-ID:

19739




Platform:

Windows

Date:

2000-02-01


Microsoft Windows NT 4.0/SP1/SP2/SP3/SP4/SP5/SP6 Recycle Bin Pre-created Folder Vulnerability

source: https://www.securityfocus.com/bid/963/info


When an NT user uses the Recycle Bin for the first time on a given partition, a folder is created in the \Recycler folder on that partition with the name of the new folder set to the user's SID. When this happens, appropriate permissions are set to prevent other users from accessing files in that folder. However, if that folder does not yet exist, a local attacker can create it, set arbitrary permissions, and then later access any files deleted by the user. The files themselves will retain their original permissions, but if the attacker gives him/herself Full Access to the user's Recycler folder they can overwrite files with arbitrary content.

This vulnerability only applies to NTFS partitions, as there is no local access control on any files on a FAT partition. 

This exploit will create a range of folders in th e\Recyycler folder of the selected partition, with names based on projected SID numbers erived from the user's own SID.

Usage: RecyclerSnooper #_of_folders driveletter
Example: RecyclerSnooper 200 C 

https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/19739.exe