Version 1.1 of AccessGain has been released, containing a bugfix (see readme.txt for details).
Special thanks to Christian Morrone for reporting and helping us with reproducing this bug.
As multiple people requested it, we are releasing a tool which will help you bypass NTFS security permissions, using the method we described in our previous article.
This could be useful when you plug in an old hard-drive with messed up NTFS permissions or in case of an old Windows installation sitting on another partition.
If you just want to download the tool and skip the article then click here
Here is a technique that can be successfully used to bypass NTFS security in Windows. It is not a security hole because it requires a kernel mode driver in order to work. However, its security implications are interesting (more about this in the PDF document at the end of this page).
Let’s say that multiple users share a computer and use NTFS security permissions in order to prevent others from accessing their private data. If one of the users is allowed to load a kernel mode driver, then he/she can bypass NTFS security and see all the data on that computer, including files he/she didn’t previously have access to (such as other users’ files).
We built a file system filter driver which fools the file system into opening any file, including files we shouldn’t be able to access due to the security permissions set on them. This driver uses only documented techniques, and only 3 lines of code are needed to enable this method. So no complicated hooking or patching is involved.
Microsoft has been notified about this and replied (as expected) that they do not consider this a security hole because it requires a kernel mode driver to be loaded. However, there are lots of examples of malware which are able to run code in kernel mode (for example rootkits), which is why we consider it important to share this method. These types of malware can disguise themselves as powerful antivirus products and fool the user into letting them install and load their kernel-mode drivers.
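The two things the method above depends on are a loaded kernel-mode file system filter driver and an account that is allowed to load one. The following script is an added example, not code from the AccessGain post or its authors: it inventories both from the defender's side, listing the filter drivers currently loaded (via the built-in fltmc.exe) together with the Authenticode signer of each driver image, and the accounts that hold SeLoadDriverPrivilege (via secedit.exe). It assumes an elevated PowerShell session on Windows; the function names are this example's own.

```powershell
# Added example (not part of the original AccessGain post). Assumes an elevated
# PowerShell session on Windows with the built-in fltmc.exe and secedit.exe.

function Get-LoadedFilterDrivers {
    # "fltmc filters" prints a fixed-width table: name, instance count,
    # altitude, frame. Keep only rows that match that shape.
    & fltmc.exe filters 2>$null | ForEach-Object {
        if ($_ -match '^(\S+)\s+(\d+)\s+([\d.]+)\s+(\d+)\s*$') {
            [pscustomobject]@{
                Filter    = $Matches[1]
                Instances = [int]$Matches[2]
                Altitude  = $Matches[3]
            }
        }
    }
}

function Resolve-DriverImagePath([string]$ServiceName) {
    # The filter name is normally also the driver's service name; Win32_SystemDriver
    # gives its image path, sometimes in NT form (\??\ or \SystemRoot prefix).
    $drv = Get-CimInstance Win32_SystemDriver -Filter "Name='$ServiceName'"
    if (-not $drv -or -not $drv.PathName) { return $null }
    $p = $drv.PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    return $p
}

function Get-FilterDriverSignatureReport {
    # One row per loaded filter: who signed the image and whether the signature
    # verifies. An unsigned image, or one signed by a publisher you do not
    # recognise, is the row to investigate.
    foreach ($f in Get-LoadedFilterDrivers) {
        $path = Resolve-DriverImagePath $f.Filter
        $sig  = if ($path -and (Test-Path $path)) { Get-AuthenticodeSignature -FilePath $path } else { $null }
        [pscustomobject]@{
            Filter   = $f.Filter
            Altitude = $f.Altitude
            Image    = $path
            Status   = if ($sig) { $sig.Status } else { 'ImageNotFound' }
            Signer   = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }
}

function Get-LoadDriverPrivilegeHolders {
    # Export the local user-rights assignment and read SeLoadDriverPrivilege.
    # secedit lists SIDs prefixed with '*'; translate them to account names.
    $tmp = Join-Path $env:TEMP ("rights_{0}.inf" -f [guid]::NewGuid())
    try {
        & secedit.exe /export /cfg $tmp /areas USER_RIGHTS | Out-Null
        $line = Get-Content $tmp | Where-Object { $_ -match '^SeLoadDriverPrivilege\s*=' }
        if (-not $line) { return @() }
        ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
            $sid = $_.Trim().TrimStart('*')
            try {
                ([System.Security.Principal.SecurityIdentifier]$sid).Translate([System.Security.Principal.NTAccount]).Value
            } catch { $sid }   # leave SIDs that cannot be resolved as they are
        }
    } finally {
        Remove-Item $tmp -ErrorAction SilentlyContinue
    }
}

# Report: loaded filters with signature status, then who may load drivers.
Get-FilterDriverSignatureReport | Format-Table -AutoSize
"Accounts holding SeLoadDriverPrivilege:"
Get-LoadDriverPrivilegeHolders
```

On a default installation the privilege is held by the local Administrators and Print Operators groups; any extra entry, or any loaded filter whose image is unsigned or signed by an unfamiliar publisher, is worth explaining. Keeping SeLoadDriverPrivilege limited to administrators and leaving driver signature enforcement on are the controls that keep a non-admin user from using this method.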
Moreover, there are a number of file security products on the market claiming they can “guard” your files against any modification. This method can also be used to bypass them.
If this method were used by malware (a virus or rootkit), it would give the malware access to any file on the system and even let it overwrite executables which are currently running on the system.
Forensic analysis tools could also use this technique to easily access files on drives mounted as read-only, where they are not able to change permissions or take ownership of those files.
Here is a video demonstration of how this works: [embedded video]
For those interested in advanced details on how this works, here is a document that you can read:
Q: “Why can’t I simply right click on the file/folder and take ownership?”
A: You could do that, but there are times when that is not possible (on a read-only hard-drive for example). Taking ownership also takes a lot of time if you have lots of files.
Q: “Why can’t I just write code to take ownership of a file/folder?”
A: Yes, you could do that, but we thought it would be easier to use an existing tool. From a developer’s point of view, this method requires only 3 lines of code in a kernel-mode driver.
Q: “I can do raw reads to the disk and access the contents of a protected file”
A: Yes, that can also be an option if you are willing to put in this amount of effort.
LATER EDIT: You can download the tool that uses this technique here