Microsoft Windows NT 4.0/SP1/SP2/SP3/SP4/SP5/SP6 Recycle Bin Pre-created Folder Vulnerability

vendor:

Windows NT

by:

Unknown

7.5

CVSS

HIGH

Recycle Bin Pre-created Folder Vulnerability

269

CWE

Product Name: Windows NT

Affected Version From: Windows NT 4.0

Affected Version To: Windows NT 4.0 SP6

Patch Exists: NO

Related CWE:

CPE: o:microsoft:windows_nt:4.0:sp6

Metasploit:

Other Scripts:

Platforms Tested: Windows

Unknown

Microsoft Windows NT 4.0/SP1/SP2/SP3/SP4/SP5/SP6 Recycle Bin Pre-created Folder Vulnerability

When an NT user uses the Recycle Bin for the first time on a given partition, a folder is created in the Recycler folder on that partition with the name of the new folder set to the user's SID. When this happens, appropriate permissions are set to prevent other users from accessing files in that folder. However, if that folder does not yet exist, a local attacker can create it, set arbitrary permissions, and then later access any files deleted by the user. The files themselves will retain their original permissions, but if the attacker gives him/herself Full Access to the user's Recycler folder they can overwrite files with arbitrary content.This vulnerability only applies to NTFS partitions, as there is no local access control on any files on a FAT partition.

Mitigation:

Upgrade to a supported version of Windows. Microsoft has discontinued support for Windows NT 4.0, and it is recommended to upgrade to a newer, supported version of Windows.

Source

Exploit-DB raw data:

Microsoft Windows NT 4.0/SP1/SP2/SP3/SP4/SP5/SP6 Recycle Bin Pre-created Folder Vulnerability

source: https://www.securityfocus.com/bid/963/info


When an NT user uses the Recycle Bin for the first time on a given partition, a folder is created in the \Recycler folder on that partition with the name of the new folder set to the user's SID. When this happens, appropriate permissions are set to prevent other users from accessing files in that folder. However, if that folder does not yet exist, a local attacker can create it, set arbitrary permissions, and then later access any files deleted by the user. The files themselves will retain their original permissions, but if the attacker gives him/herself Full Access to the user's Recycler folder they can overwrite files with arbitrary content.

This vulnerability only applies to NTFS partitions, as there is no local access control on any files on a FAT partition. 

This exploit will create a range of folders in th e\Recyycler folder of the selected partition, with names based on projected SID numbers erived from the user's own SID.

Usage: RecyclerSnooper #_of_folders driveletter
Example: RecyclerSnooper 200 C 

https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/19739.exe