File ACL Vulnerability 101

The most basic scenario in file ACL attacks is the lie-in-wait attack. In Windows, every file carries a security descriptor that records which users are allowed or denied access to that file. The descriptor covers rights such as read, write, modify, and so on. Most files in Windows grant read access to all users. However, certain folders by default do not grant write access to all users; the Program Files folder and the Windows folder are examples. This is done so that a regular user cannot modify installed applications or the Windows binaries.

Imagine a scenario in a university lab. As the lab admin, you want to grant students the ability to run Matlab, but you do not want them to turn the Matlab executable into a malicious trojan for the next user of the computer. So you grant read access and deny write access to the Matlab folder for students. A file ACL vulnerability arises if the admin forgets to deny write access to the Matlab folder. Student A could then overwrite matlab.exe with a keylogger that has the same name. Now, when student B logs on, or even better, when the lab admin logs on and attempts to run Matlab, there is a keylogger running on the lab computer. The clever hackers will start the keylogger and then start Matlab, so none of this is ever detected.
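To catch this misconfiguration before a student does, here is an added PowerShell audit (not part of the original post) that walks an install folder and reports any Allow entry giving a broad group write-class rights. The install path `C:\Program Files\Matlab` and the names `BroadPrincipals`, `WriteClassRights` and `Find-WeakWriteAce` are my assumptions.

```powershell
# Added example: audit a folder's ACL for write-class rights granted to broad principals.
# Run from an elevated PowerShell prompt on Windows.

# Principals that effectively mean "every student on this machine".
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let a user replace or alter a file in place.
$WriteClassRights = [System.Security.AccessControl.FileSystemRights]::Write `
    -bor [System.Security.AccessControl.FileSystemRights]::Modify `
    -bor [System.Security.AccessControl.FileSystemRights]::FullControl `
    -bor [System.Security.AccessControl.FileSystemRights]::WriteData `
    -bor [System.Security.AccessControl.FileSystemRights]::AppendData `
    -bor [System.Security.AccessControl.FileSystemRights]::Delete `
    -bor [System.Security.AccessControl.FileSystemRights]::TakeOwnership `
    -bor [System.Security.AccessControl.FileSystemRights]::ChangePermissions

function Find-WeakWriteAce {
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        # Only Allow entries matter; a Deny entry is what the admin intended.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        # Any overlap with the write-class mask means the file can be swapped out.
        if (($ace.FileSystemRights -band $WriteClassRights) -ne 0) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # inherited ACEs must be fixed on the parent
            }
        }
    }
}

# Check the install folder itself and every executable and library underneath it.
$Target = 'C:\Program Files\Matlab'   # assumed install location
$paths = @($Target) + (Get-ChildItem -LiteralPath $Target -Recurse -Include *.exe,*.dll -File |
          Select-Object -ExpandProperty FullName)
$findings = $paths | ForEach-Object { Find-WeakWriteAce -Path $_ }
if ($findings) { $findings | Format-Table -AutoSize } else { 'No broad write access found.' }
```

A finding with `Inherited = True` means the permissive entry comes from a parent folder, so the correction belongs there rather than on the file itself.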