One of the duties of Dr. Watson, a Windows NT/2000/XP default system debugger, is to take a snapshot of the process space when a user-mode program crashes. Unfortunately, like Sherlock Holmes’ friend, Windows’ Dr. Watson is well-meaning but dim. It puts the snapshot in a file called user.dmp and saves it by default to a world-readable location.
On NT4 systems, the default location is %SystemRoot%\user.dmp, which will usually end up being C:\WINNT\user.dmp. Default permissions on NT4 systems give everyone full control on the WINNT directory. Crash dump files can often contain passwords and other sensitive information that was stored in memory and was never meant to be written to disk in plain text. For example, crash-prone Outlook Express stores the user’s mail account passwords in plain text (Unicode strings) in memory. A malicious user who sent an ill-formatted message and crashed another user’s email could then sift through the information in user.dmp to find passwords and user IDs.
Windows 2000 is also vulnerable, but in fewer circumstances. Its default location for user.dmp is C:\Documents and Settings\All Users\Documents\DrWatson\user.dmp. This location is world-readable by default, but not world-writable. Normal users will not have the user.dmp file created as they do not have write access, however users that are an administrator (possibly power users as well) of the local machine will be exposed to this vulnerability.
As a workaround, run drwtsn32.exe to set crash dump options. There are two ways to get around this problem (per-user): uncheck the “create crash dump file” checkbox, or change the crash dump location to a directory to which only you have access.
For a system-wide fix, delete the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug\Debugger. Dr. Watson will be replaced by a simple “Application Error” box.
If you have installed MSVC it will automatically make itself the system debugger. It does not create crash dump files so you are not vulnerable.
As for a fix, Microsoft still hasn’t updated Dr. Watson so that it sets permissions correctly on the files it creates. A quick fix for the problem would be to make Dr. Watson’s default crash dump location be somewhere inside the current user’s profile. This will only work on NTFS file systems, but if you are using FAT or FAT32 for your filesystem there are much worse things that unprivileged users can do.
Windows NT 4.0 (All service packs), Windows 2000 (Release and SP1).Windows XP. Windows NT 3.5x is probably vulnerable but hasn’t been tested.