The RDISK utility in Microsoft Windows NT is used to create an emergency repair disk that backs up, among other things, the system registry. Attackers could gain valuable information about a machine and its network environment by reading the registry, so most data stored there can only be read by administrators. To create a repair disk using RDISK, administrators must first use an RDISK feature to back up the system information, which ensures that the most current registry data is saved. This information is saved to a file on the hard disk whose permissions are properly set, meaning that it can only be read by an administrator. The feature works as specified, and the software would likely be judged "correct" when measured against its requirements. There is a security flaw here, however. During the backup process, RDISK creates a temporary file called "$$hive$$.tmp" that contains a complete enumeration of the registry. The creation of this file is not in itself a security issue, but checking the permissions on this file reveals that it can be read by any user on the system. The creation of this file was an unspecified side effect of how the developers chose to implement the requirements.
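As an added illustration, not taken from the article, the same side effect modelled on a POSIX host in Python: the unsafe snapshot inherits whatever the process umask allows, the hardened version creates the scratch file owner-only and exclusively, and a small audit check tells the two apart. The sample hive content and the function names are constructed for this example; the file name mirrors the one described above.

```python
import os
import stat
import tempfile

# Constructed stand-in for the registry enumeration that RDISK writes out.
SAMPLE_HIVE = b"HKLM\\SAM\\...\nHKLM\\SECURITY\\...\n"


def unsafe_snapshot(directory: str) -> str:
    """Model of the flaw: the temporary file is created with the process
    default mode (0o666 masked by umask), so with a common 022 umask it
    ends up 0o644 and every local user can read the registry dump."""
    path = os.path.join(directory, "$$hive$$.tmp")
    with open(path, "wb") as f:
        f.write(SAMPLE_HIVE)
    return path


def safe_snapshot(directory: str) -> str:
    """Hardened form: mkstemp opens with O_CREAT|O_EXCL and mode 0o600, so
    only the owner can read it and a pre-existing file or symlink at the
    path is never reused."""
    fd, path = tempfile.mkstemp(prefix="hive-", suffix=".tmp", dir=directory)
    with os.fdopen(fd, "wb") as f:
        f.write(SAMPLE_HIVE)
    return path


def readable_by_others(path: str) -> bool:
    """Audit check: does the file grant read access to group or others?
    (POSIX mode bits only; Windows ACLs would need a separate check.)"""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def demo() -> dict:
    """Run both snapshots under a 022 umask and report the audit result."""
    old_umask = os.umask(0o022)
    try:
        with tempfile.TemporaryDirectory() as workdir:
            return {
                "unsafe_readable_by_others": readable_by_others(unsafe_snapshot(workdir)),
                "safe_readable_by_others": readable_by_others(safe_snapshot(workdir)),
            }
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    print(demo())
```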
H.H.T. and J.A.W.