From: Michael Richardson (mcr@sandelman.ottawa.on.ca)
Date: Tue Aug 03 2004 - 18:36:03 EDT
>>>>> "Joey" == Joey Peloquin <joeyp@voteprivacy.com> writes:
Joey> Since IWAM is making the call, temporary files are written to
Joey> \winnt\temp, the value of the system %temp% and %tmp%
Joey> variables. I've complained that I don't like the idea of
Joey> granting write to an anonymous account on \winnt\temp, but
Joey> have been unable to locate any specific information on the
Joey> risk of doing so.

There is nearly a decade of experience in Unix with the problems of
a commonly writable temp.

Windows doesn't really have symlinks, which makes the problem more
interesting, but depending upon how you open the file, you may wind up
following a .lnk file.

And, there are Windows file systems which *do* have a sort of symlink.

Joey> From a pen-test perspective, what is the actual level of risk
Joey> associated with the developer's request? Do you know of
Joey> any papers or other information that accurately discusses the
Joey> risk, if any, of allowing IWAM to write to \winnt\temp?

Depends upon what else is running, and what else has write permission
to \winnt\temp.

Joey> Changing the value of the system %temp% and %tmp% variables is
Joey> not possible.

Me, I'd give each account separate temp areas, and I'd put it all on a
ramdisk to improve performance, but I guess you can't do that.

--
] "Elmo went to the wrong fundraiser" - The Simpson | firewalls [
] Michael Richardson, Xelerance Corporation, Ottawa, ON |net architect[
] mcr@xelerance.com http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
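
An added example, not part of the original message or of any code discussed in the thread: a Python sketch of the shared-temp problem the reply describes, showing a plain open of a predictable name beside an exclusive create, plus a per-account temp area. The function names, the `app.tmp` file name and the constructed scenario are assumptions, and a symlink stands in here for the link types the message mentions.

```python
import os
import secrets
import stat
import tempfile

def naive_write(tmpdir, name, data):
    """'Before': predictable name and plain open(), which follows a planted link."""
    with open(os.path.join(tmpdir, name), "w") as f:
        f.write(data)

def safe_write(tmpdir, data, name=None):
    """'After': exclusive create; fails if the name already exists, link or not."""
    name = name or "app-" + secrets.token_hex(8)  # unpredictable by default
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    path = os.path.join(tmpdir, name)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return path

def private_tmp(base, account):
    """Per-account temp area: a real, owner-only directory (POSIX checks only;
    on Windows the equivalent restriction has to come from the directory ACL)."""
    path = os.path.join(base, account)
    os.makedirs(path, mode=0o700, exist_ok=True)
    st = os.lstat(path)  # lstat: do not trust a link that points at a directory
    if not stat.S_ISDIR(st.st_mode):
        raise PermissionError(path + " is a link or not a directory")
    if hasattr(os, "getuid") and (st.st_uid != os.getuid() or st.st_mode & 0o077):
        raise PermissionError(path + " is accessible to another account")
    return path

def demo():
    """Constructed scenario: a link is pre-planted under the name the app uses."""
    shared = tempfile.mkdtemp()  # stands in for the shared temp directory
    victim = os.path.join(shared, "victim.cfg")
    with open(victim, "w") as f:
        f.write("original")
    os.symlink(victim, os.path.join(shared, "app.tmp"))
    try:
        safe_write(shared, "data", name="app.tmp")
        refused = False
    except FileExistsError:
        refused = True
    with open(victim) as f:
        intact = f.read() == "original"
    naive_write(shared, "app.tmp", "clobbered")  # writes through the link
    with open(victim) as f:
        clobbered = f.read() == "clobbered"
    return refused, intact, clobbered
```
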