[Windows Public Folders] Perhaps an interesting topic... or not

Sometime ago I worked on a relative's laptop security (Windows 7 Ultimate).

I separated tasks between different standard user accounts. Specially for general web browsing and e-mail (two different accounts, that is.).

Considering I wanted my relative to use two different user accounts for those tasks, I told my relative to make use of the Public folders to share files between those two accounts, such as links received in the e-mail to see in the general web browsing account, or to send links to friends. My relative opens Notepad and copies and pastes the link(s) and saves it in a Public folder.

Back then, my relative asked me why different user accounts. I answered that, as long as some malware that manages to execute, does it only within the user account context (that is, no admin. rights), then it won't spread to other user accounts.

Moments ago, my relative asked me, what I believe to be a pertinent question, related to it.

If I can write from one account to the Public folder and execute in another, can't viruses (my relative knows only the word virus... not bad, I say... ) do the same? Can't they make use of Public folders and write and execute to the other user accounts, hence spreading this way?

I answered Don't worry, execution is being blocked, even to administrators. Nothing can execute.

So, this made me think about something.

I've seen people advising other average users only to use a standard user account with an AV, and even if an infection happens, it won't spread to other accounts.

My question is: What about the Public folders?

My understanding is that if the user can write from one account and access/execute from another one (the purpose of a Public folder), then so can malware.

So, does a limited/standard user account suffice to prevent malware spreading from one account to the other? (Let's forget about privilege escalation.)

Maybe it doesn't happen, because there are other proven and more than efficient ways. Nonetheless, wouldn't you consider this to be a hole to cover?

What are your thoughts? I just never see anyone mentioning to be careful about the Public folders (maybe I missed such discussion) when suggesting a simple approach such as limited/standard user account and an AV.


Thanks

 

Since everyone has full permission in the Public folder, it can be infected by malware. The malware shouldn't touch other users or the system unless they have permission.

Once another user executes something user-mode malicious from the Public folder, then they'll obviously be infected (without other security in place).
Browsing inactive malware shouldn't be an issue, unless something like an unpatched .LNK exploit appears.
I'm not sure what will happen when an infected user switches out and someone else logs in though.

 

I think I know how this might be exploitable..

1) Replace shortcut in Public Desktop (say, for IE). Point it to a piece of malware being stored somewhere in the public profile.

2) When another user logs on, they try to launch the replaced shortcut (IE), thus infecting themselves.

Its not automatic by any means, but its certainly an easy way to spread an infection. Without anyone noticing.. (hypothetically, they could also create the shortcut with the "Run as Administrator" option... It could appear you are giving UAC access to a known good program.. thus rootkitting the entire machine).

However, for the record, only administrators have access to this folder AFAIK..

 

Do you mean the Public folder? Users can access it just fine. They can create objects and containers, and they will become the owners (with full rights*) of such objects and containers.

* Unless rights are taken away.

 

Are we talking about Users/Public ?

EDIT: Ahh, I figured it out... you are talking about when you enable public folder sharing for the network... This will open them up to everyone. For me though, with file sharing off and no public folder sharing, they are not accessible..

Either way, its only the documents, pictures, music and videos... Nothing really exploitable. I thought you meant about exploiting C:\users\public in its entirety. That could cause some damage.. but having a few folders with shared access is no different than having access to a thumb drive that everyone can use (in fact its safe due to no autoplay on the shared folders).

 

C:\Users\Public has full control for everyone on mine. It's not shared or modified.

I've replicated this on a clean Windows 7 64-bit Pro virtual machine, but not Windows Server 2008 where your statement is true.

 

Yes, I'm talking about C:\Users\Public.

Any user is free to place there whatever they want. They're not restricted to creating new folders and place stuff there. They can do whatever they want. Delete, etc. Anything place there from an account, will be accessible when using different user accounts. It's the reason why I'm allowing my relative to make use of such folder(s), as a convenient way of sharing files between limited user accounts. I'm blocking execution, though.

What you previously mentioned still applies:

I made a relative elevate a fake Internet Explorer shortcut (pointing to a different executable), and elevate rights.

Obviously, my relative noticed something was wrong because it was pointing to a process name called TCPView.exe (the executable I used) and, normally IE9 wouldn't ask for administrator privileges. But, cyber criminals are not without their tricks.

 

Hrmm.. I could have made changes, but do not remember doing so.. I will probably take your word for it, considering I'm not sure what tinkering I've done here..

 

I'm not sure why my permissions are so different. I'm going to just go with the assumption that my computer is not operating on the "clean install" defaults.

As far as the attack though, the malware doesn't necessarily have to prompt for admin rights. It would be far more stealthy for it not to operate that way.. but it is a way it could get full control if it wanted to.

It could also make it appear as if you are really launching IE. Its fairly easy to make an executable that launches another. I've even done it, and I'm not a programmer. The malicious EXE would simply execute, launch IE, and it would spread to multiple users without any hint of infection.

Personally, I'm glad I did whatever I did to make public folder sharing NOT work. This could potentially be nasty.

 

Having different user accounts only prevents things jumping from one account to another automatically, simply from some user screwing up with their own account. That's to say, if user Dave runs malware in his account, that malware won't infect Helen's user account (assuming, as usual, that there's no privilege escalation). Dave's account will be infected, sure, but that'll be that. But obviously the malware running in Dave's account can write anywhere Dave can, including any "All Users" / "Public" type folders where pretty much anyone has write access. So, the malware can create its files in such places and then hope that Helen comes along and stupidly executes some file of unknown origin in a location where other users (who may be infected) can write. But that's not a case of the malware writing into other accounts or jumping into other accounts by itself, without user interaction. That's a case of Helen being unwise and infecting her account on her own. If she's going to do stuff like execute files from untrusted sources, then these "shared folders" really aren't much of an issue: she's going to infect her account very well indeed just by opening malware attachments in email or being conned by social engineering tricks on the web sites she views.

What malware can do is create infected files in places where multiple users can read&write, and then hope that some of the other users are stupid enough to go and execute them and in so doing infect their accounts. In other words, hope and troll for serious user error. Malware can't just up and execute itself from a different account than the one it is already running in: malware running as Dave deciding to execute itself as Helen now, to infect her account. For that to happen, Helen needs to be stupid and run the malware herself.

As long as there aren't privilege escalation exploits, and as long as the users aren't executing random stuff created by other users, sure, it will suffice. And if users are executing random stuff created by other users, then nothing will suffice.

It's a social engineering issue, really. User accounts are barriers between users, preventing one user account from going and changing a different user account. User accounts are not meant to prevent users from changing their own accounts, for example, by running some file created by another user in a filesystem location that both users can access.


To summarize, obviously having different user accounts doesn't prevent the users from infecting themselves by intentionally opening stuff that was created by other users. You have to be careful with what you execute. If you don't know what it is, then don't touch it.

 

I never mentioned that malware would be able to execute by itself from one account to the other.

Still, there's room for the user to be tricked. And, let's face it, the user is the weakest link. But, I don't believe stupidity has to be the only keyword here.

What's your take on what user hpmnick previously mentioned:

And, as hpmnick mentioned it would be easy to make it look like the real deal. I don't see a user falling for this being stupid. How could he/she know?

Sure, if the user isn't careful when executes something, it may end up with the user account infected. But, the infection could also have as a source an exploit, when visiting a website, for example. And, this infection could spread to other accounts, hoping the user would execute something. Again, I don't believe stupidity has to be the only keyword.

So, while using one account will prevent malware from automatically spreading to others (as long as it only runs with the same privileges), malware will be able to write to Public folder. From there, well... it could either be a situation where the user would be stupid enough to deliberately execute something or tricked into executing something, while thinking he/she was actually executing something they always have done before.

Which is why it's important to cover every hole, and that includes prevent execution in the Public folder. If it can't execute (user stupidity or tricked), then it can't do any harm.

Anyway, that's just my take on it. I was only intrigued that I very rarely see people mentioning anything about the Public folders.

 

Yeah, I was just a little uncertain with the meaning of this bit

so I thought I'd throw that in to make sure everyone's on the same page, as it were. Anyway...

Well, perhaps stupidity is a harsh word for it, but that's what I'd call it, really. Another option: being careless. The idea is not to execute stuff from untrusted sources. If one does, then one knowingly takes the risk of getting owned by whatever is in that stuff obtained from untrusted sources (such as, say, some P2P network or just a user on the same computer that you think may not be entirely clean).

As for hpmnick's scenario, if it requires admin rights, then it's not an exploit. Admins by definition can already do anything and they already own the system. If malware can mess around with the All Users Desktop folder, then it's already got admin rights, it already owns the entire system and every single one of the accounts, and messing about with shortcuts in the Desktop folder would be just a waste of time at worst or at best a kind of a prank. So, no issue.

And as far as tricking the user is concerned, I don't really see a way, as such. Aside from exploits like the recent shortcut file processing code execution vulnerability, the user would have to knowingly 1) browse the public folder and then knowingly 2) open a file from that location for any infection to be possible. Sure, one might "trick" the user by trying to make the file look harmless, with the usual tricks of naming and so on, but really, the user would still know that they're opening stuff from an untrusted source, and that is taking a risk. If the user has taken a habit of executing stuff from folders shared with untrusted users, then that in itself is already very unwise.

But as you say, if one denies executing, then there's no harm even if the user does make mistakes - with the exception of some very rare exploits, perhaps.

 

Off Topic

Hey Windchild,
I'm very happy to see you back here
I missed you and your postings.

back to topic

 

Thanks.

I've been busy out working and enjoying spring and summer, but sometimes I do sneak around.