Thursday, October 18, 2007

Package information leakage through the Q drive

We all know that if you are a local administrator on a machine that has a SoftGrid client, then you can see all the applications that have data in the local sftfs.fsd cache file by opening the SoftGrid Client Management Console and finding all the applications that don't have an "Idle (0%)" package status. This is because local administrators can see all applications that are defined on a machine in the Client Management Console, whether or not they actually have the proper group memberships or SoftGrid access to be able to start the application.

A colleague (thanks Anthony) pointed out to me another interesting way of finding out which applications have cached data on a SoftGrid client, one that doesn't require administrative privileges. Simply go to the root of the Q drive inside a bubble and look at what asset directories you can see!

It turns out that a user can see all the asset directories of all applications that have some data cached at the client, even if the user doesn't have access to the applications themselves (note: of course you cannot see the contents of these directories since this is prohibited by the isolation; you can only see their existence).

As an illustration, notice in the figure below how the user only has access to Office 2000 and still can see the asset directories of Office 2003 and Office 97 on the Q drive.


You can do this test yourself as an end-user by modifying a locally cached OSD file (hey, they are in the All Users profile with write access for all!) and using the following script tag:

<SCRIPT TIMING="PRE" EVENT="LAUNCH" PROTECT="TRUE" WAIT="TRUE">
<SCRIPTBODY>
@echo off \n
dir q: \n
pause \n
</SCRIPTBODY>
</SCRIPT>

Then (as a local administrator), perform an unload of one of the applications that you don't have access to as a regular user and witness how the next time you use the script above under the user's account, the asset directory has vanished!
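Because the cached OSD files are writable by every user, an administrator may want to check them for script tags that were added locally. The following is an added example, not part of the original post: it compares the SCRIPT elements of a cached OSD file against the copy published on the server. Both OSD documents are constructed and heavily simplified, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified OSD documents (not taken from a real package).
BASELINE = r"""<SOFTPKG NAME="Example App" VERSION="1.0">
  <IMPLEMENTATION><CODEBASE HREF="rtsp://server.example:554/example.sft"/></IMPLEMENTATION>
</SOFTPKG>"""

CACHED = r"""<SOFTPKG NAME="Example App" VERSION="1.0">
  <IMPLEMENTATION><CODEBASE HREF="rtsp://server.example:554/example.sft"/></IMPLEMENTATION>
  <DEPENDENCY>
    <SCRIPT TIMING="PRE" EVENT="LAUNCH" PROTECT="TRUE" WAIT="TRUE">
      <SCRIPTBODY>
        @echo off \n
        dir q: \n
        pause \n
      </SCRIPTBODY>
    </SCRIPT>
  </DEPENDENCY>
</SOFTPKG>"""


def script_fingerprints(osd_xml):
    """Return a set of (attributes, children) tuples, one per SCRIPT element."""
    # The cached file is user-writable, so treat it as untrusted input;
    # a hardened parser such as defusedxml is a sensible swap in production.
    fingerprints = set()
    for el in ET.fromstring(osd_xml).iter():
        if el.tag.upper() != "SCRIPT":
            continue
        attrs = tuple(sorted((k.upper(), v) for k, v in el.attrib.items()))
        # Collapse whitespace so re-indenting a script does not hide or fake a change.
        children = tuple((c.tag.upper(), " ".join((c.text or "").split())) for c in el)
        fingerprints.add((attrs, children))
    return fingerprints


def added_scripts(baseline_xml, cached_xml):
    """Scripts present in the cached OSD but absent from the published one."""
    return sorted(script_fingerprints(cached_xml) - script_fingerprints(baseline_xml))


if __name__ == "__main__":
    for attrs, children in added_scripts(BASELINE, CACHED):
        print("Locally added script:", dict(attrs))
        for tag, text in children:
            print("  ", tag, "=", text)
```

Run it over each OSD file in the client's cache, with the published OSD as the baseline; any output means the local copy carries a script the server copy does not.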


Note on motivation:

So you might be thinking... big deal, so what? Who cares about that asset directory being visible or not?

It was important for one of our customers, because they wanted to prevent users from seeing what applications were installed on a machine (locally installed and virtualized). One reason for that was security: knowledge of applications installed might open ways to use certain exploits. Another reason was cost: they had a very peculiar licensing system for a set of applications that required them to cough up the license fee from the moment an end-user could see that the application was installed. I suppose they didn't want to enter a legal dispute over whether the visibility of the asset directory would mean they have to start paying license fees ;).
