While playing around with TeraCopy 3.9.7, I noticed I am able to copy over folders that a regular user has no permission to access. This essentially led to arbitrary file read.
Running accesschk.exe, I see that even files I had no permission for as a regular user have become RW on the copy.
I understand removing ACLs is a feature of the program, but I don’t believe TeraCopyService.exe is verifying the permissions of source directories, as shown in the screenshots below.
PS C:\Tools\SysinternalsSuite> C:\Tools\SysinternalsSuite\accesschk.exe C:\ProgramData\Microsoft\SmsRouter\
Accesschk v6.15 - Reports effective permissions for securable objects
Copyright (C) 2006-2022 Mark Russinovich
Sysinternals - www.sysinternals.com
No matching objects found.
PS C:\Tools\SysinternalsSuite>
I then try to copy the C:\ProgramData\Microsoft\SmsRouter folder.
After a copy with TeraCopy, running as a regular user with no Administrator privileges:
PS C:\Tools\SysinternalsSuite> C:\Tools\SysinternalsSuite\accesschk.exe C:\Users\User\Desktop\MicrosoftBackup\Microsoft\SmsRouter\
Accesschk v6.15 - Reports effective permissions for securable objects
Copyright (C) 2006-2022 Mark Russinovich
Sysinternals - www.sysinternals.com
C:\Users\User\Desktop\MicrosoftBackup\Microsoft\SmsRouter\MessageStore
RW NT AUTHORITY\SYSTEM
RW BUILTIN\Administrators
RW DESKTOP-2AH7CAI\User
Another example where I copy over C:\Windows\System32\config:
PS C:\Tools\SysinternalsSuite> C:\Tools\SysinternalsSuite\accesschk.exe C:\Users\User\Desktop\configBackup\config\SAM
Accesschk v6.15 - Reports effective permissions for securable objects
Copyright (C) 2006-2022 Mark Russinovich
Sysinternals - www.sysinternals.com
C:\Users\User\Desktop\configBackup\config\SAM
RW NT AUTHORITY\SYSTEM
RW BUILTIN\Administrators
RW DESKTOP-2AH7CAI\User
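
The comparison made by hand with accesschk above can be automated when checking whether a given copy exposes data its owner could not read at the source. The following PowerShell is an added example, not part of the original report or of TeraCopy; the function name `Compare-CopyToSourceAccess` is hypothetical, and the paths in the final call are the ones shown in the sessions above. Run it as the same unprivileged user that made the copy.

```powershell
# Added example: for every item in a copied tree, test whether the current
# user can read the corresponding item at the original location.
function Compare-CopyToSourceAccess {
    param(
        [Parameter(Mandatory)][string]$SourceRoot,  # original, protected location
        [Parameter(Mandatory)][string]$CopyRoot     # where the copy was written
    )
    $root = (Resolve-Path -LiteralPath $CopyRoot).ProviderPath.TrimEnd('\')
    Get-ChildItem -LiteralPath $root -Recurse -Force | ForEach-Object {
        # Map the copied item back to its path under the source root.
        $relative = $_.FullName.Substring($root.Length).TrimStart('\')
        $source   = Join-Path $SourceRoot $relative
        $status   = 'Readable'
        try {
            if ($_.PSIsContainer) {
                # Listing a directory needs the list-folder right on the source.
                [void][System.IO.Directory]::GetFileSystemEntries($source)
            } else {
                # Open read-only with permissive sharing, then release the handle.
                $fs = [System.IO.File]::Open($source,
                        [System.IO.FileMode]::Open,
                        [System.IO.FileAccess]::Read,
                        [System.IO.FileShare]::ReadWrite)
                $fs.Dispose()
            }
        } catch [System.UnauthorizedAccessException] {
            $status = 'AccessDenied'    # the ACL on the source blocks this user
        } catch [System.IO.IOException] {
            $status = 'Inconclusive'    # source missing or locked; not an ACL answer
        }
        [pscustomobject]@{
            Source       = $source
            Copy         = $_.FullName
            SourceAccess = $status
        }
    }
}

# Items listed here are readable in the copy but denied at the source.
Compare-CopyToSourceAccess -SourceRoot 'C:\Windows\System32\config' `
    -CopyRoot 'C:\Users\User\Desktop\configBackup\config' |
    Where-Object SourceAccess -eq 'AccessDenied'
```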