#73 Bug with fileeffectiverights53

Version 5.6
closed-fixed
5
2009-10-07
2009-10-02
No

Hi,

I found a bug while trying to collect effective rights using "fileeffectiverights53" on Windows.

The file to be collected is at.exe (C:\Windows\system32\at.exe).
I tried to collect for 3 SIDs:
S-1-5-32-544 (Administrators)
S-1-5-18 (System)
S-1-5-32-545 (Users)

I changed the permissions of the file at.exe as below:
Administrators - read & execute.
System - read & execute.
Users - read & execute.

But after the collection, the line "<standard_write_dac datatype="boolean">" is different for the 3 SIDs.
S-1-5-32-544 was: <standard_write_dac datatype="boolean">1</standard_write_dac>
S-1-5-18 was: <standard_write_dac datatype="boolean">1</standard_write_dac>
S-1-5-32-545 was: <standard_write_dac datatype="boolean">0</standard_write_dac>

See below:

<fileeffectiverights_item id="253" xmlns="http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#windows">
<path>C:\Windows\system32</path>
<filename>at.exe</filename>
<trustee_sid>S-1-5-32-544</trustee_sid>
<standard_delete datatype="boolean">0</standard_delete>
<standard_read_control datatype="boolean">1</standard_read_control>
<standard_write_dac datatype="boolean">1</standard_write_dac>
<standard_write_owner datatype="boolean">0</standard_write_owner>
<standard_synchronize datatype="boolean">1</standard_synchronize>
<access_system_security datatype="boolean">0</access_system_security>
<generic_read datatype="boolean">1</generic_read>
<generic_write datatype="boolean">0</generic_write>
<generic_execute datatype="boolean">1</generic_execute>
<generic_all datatype="boolean">1</generic_all>
<file_read_data datatype="boolean">1</file_read_data>
<file_write_data datatype="boolean">0</file_write_data>
<file_append_data datatype="boolean">0</file_append_data>
<file_read_ea datatype="boolean">1</file_read_ea>
<file_write_ea datatype="boolean">0</file_write_ea>
<file_execute datatype="boolean">1</file_execute>
<file_delete_child datatype="boolean">0</file_delete_child>
<file_read_attributes datatype="boolean">1</file_read_attributes>
<file_write_attributes datatype="boolean">0</file_write_attributes>
</fileeffectiverights_item>

<fileeffectiverights_item id="254" xmlns="http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#windows">
<path>C:\Windows\system32</path>
<filename>at.exe</filename>
<trustee_sid>S-1-5-18</trustee_sid>
<standard_delete datatype="boolean">0</standard_delete>
<standard_read_control datatype="boolean">1</standard_read_control>
<standard_write_dac datatype="boolean">1</standard_write_dac>
<standard_write_owner datatype="boolean">0</standard_write_owner>
<standard_synchronize datatype="boolean">1</standard_synchronize>
<access_system_security datatype="boolean">0</access_system_security>
<generic_read datatype="boolean">1</generic_read>
<generic_write datatype="boolean">0</generic_write>
<generic_execute datatype="boolean">1</generic_execute>
<generic_all datatype="boolean">1</generic_all>
<file_read_data datatype="boolean">1</file_read_data>
<file_write_data datatype="boolean">0</file_write_data>
<file_append_data datatype="boolean">0</file_append_data>
<file_read_ea datatype="boolean">1</file_read_ea>
<file_write_ea datatype="boolean">0</file_write_ea>
<file_execute datatype="boolean">1</file_execute>
<file_delete_child datatype="boolean">0</file_delete_child>
<file_read_attributes datatype="boolean">1</file_read_attributes>
<file_write_attributes datatype="boolean">0</file_write_attributes>
</fileeffectiverights_item>

<fileeffectiverights_item id="255" xmlns="http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#windows">
<path>C:\Windows\system32</path>
<filename>at.exe</filename>
<trustee_sid>S-1-5-32-545</trustee_sid>
<standard_delete datatype="boolean">0</standard_delete>
<standard_read_control datatype="boolean">1</standard_read_control>
<standard_write_dac datatype="boolean">0</standard_write_dac>
<standard_write_owner datatype="boolean">0</standard_write_owner>
<standard_synchronize datatype="boolean">1</standard_synchronize>
<access_system_security datatype="boolean">0</access_system_security>
<generic_read datatype="boolean">1</generic_read>
<generic_write datatype="boolean">0</generic_write>
<generic_execute datatype="boolean">1</generic_execute>
<generic_all datatype="boolean">1</generic_all>
<file_read_data datatype="boolean">1</file_read_data>
<file_write_data datatype="boolean">0</file_write_data>
<file_append_data datatype="boolean">0</file_append_data>
<file_read_ea datatype="boolean">1</file_read_ea>
<file_write_ea datatype="boolean">0</file_write_ea>
<file_execute datatype="boolean">1</file_execute>
<file_delete_child datatype="boolean">0</file_delete_child>
<file_read_attributes datatype="boolean">1</file_read_attributes>
<file_write_attributes datatype="boolean">0</file_write_attributes>
</fileeffectiverights_item>

The definitions.xml is attached.

Discussion

  • Moreno Gontijo

    Moreno Gontijo - 2009-10-02

    definitions.xml

     
  • Danny Haynes

    Danny Haynes - 2009-10-07
    • assigned_to: nobody --> djhaynes
    • status: open --> closed-fixed
     
  • Danny Haynes

    Danny Haynes - 2009-10-07

    This did not end up being a bug in OVALDI. The different results of the write_dac entity, even though S-1-5-32-544 (Administrators), S-1-5-18 (System), and S-1-5-32-545 (Users) were all assigned 'read and execute' rights, are due to the fact that the owner of an object is automatically assigned write_dac and read control rights. Please see http://n2.nabble.com/Bug-with-fileeffectiverights53-tp3757179ef20093.html for more information.
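
Added example, not part of the original ticket or of OVALDI's code: a Python helper that parses fileeffectiverights_item records, lists the entities on which trustees disagree, and separates those covered by the owner's implicit rights named in the reply above (write_dac and read control), which should be checked against the file's ownership before being treated as a collector bug. The sample items are constructed from the ticket's output in abbreviated form; the `<system_data>` wrapper and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

NS = "{http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#windows}"
# Rights the reply above says an object's owner receives automatically.
OWNER_IMPLICIT = {"standard_read_control", "standard_write_dac"}

def _item(sid, write_dac):
    # Constructed sample: abbreviated copy of one item from the ticket.
    return f"""<fileeffectiverights_item>
      <path>C:\\Windows\\system32</path><filename>at.exe</filename>
      <trustee_sid>{sid}</trustee_sid>
      <standard_read_control datatype="boolean">1</standard_read_control>
      <standard_write_dac datatype="boolean">{write_dac}</standard_write_dac>
      <file_write_data datatype="boolean">0</file_write_data>
      <file_execute datatype="boolean">1</file_execute>
    </fileeffectiverights_item>"""

# <system_data> is a hypothetical wrapper so the three items parse as one document.
SAMPLE = (f'<system_data xmlns="{NS[1:-1]}">'
          + _item("S-1-5-32-544", 1) + _item("S-1-5-18", 1)
          + _item("S-1-5-32-545", 0) + "</system_data>")

def parse_items(xml_text):
    """Map trustee SID -> {entity name: bool} for each collected item."""
    rights = {}
    for item in ET.fromstring(xml_text).iter(NS + "fileeffectiverights_item"):
        sid = item.findtext(NS + "trustee_sid")
        rights[sid] = {child.tag[len(NS):]: child.text.strip() in ("1", "true")
                       for child in item if child.get("datatype") == "boolean"}
    return rights

def differing_rights(rights):
    """Return {entity: {sid: value}} where the trustees do not all agree."""
    diff = {}
    for name in sorted(set().union(*rights.values())):
        values = {sid: r.get(name) for sid, r in rights.items()}
        if len(set(values.values())) > 1:
            diff[name] = values
    return diff

def triage(diff):
    """Split differences: possibly owner-implicit rights vs. everything else."""
    explained = {n: [sid for sid, v in vals.items() if v]
                 for n, vals in diff.items() if n in OWNER_IMPLICIT}
    unexplained = [n for n in diff if n not in OWNER_IMPLICIT]
    return explained, unexplained

if __name__ == "__main__":
    print(triage(differing_rights(parse_items(SAMPLE))))
```

Any entity returned in the second list differs between trustees without being one of the owner's implicit rights, so it needs a closer look at the ACL or the collector.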

     
