Re: IWAM: Writing temp files to \winnt\temp

From: Michael Richardson (mcr@sandelman.ottawa.on.ca)
Date: Tue Aug 03 2004 - 18:36:03 EDT



>>>>> "Joey" == Joey Peloquin <joeyp@voteprivacy.com> writes:
    Joey> Since IWAM is making the call, temporary files are written to
    Joey> \winnt\temp, the value of the system %temp% and %tmp%
    Joey> variables. I've complained that I don't like the idea of
    Joey> granting write to an anonymous account on \winnt\temp, but
    Joey> have been unable to locate any specific information on the
    Joey> risk of doing so.

  There is nearly a decade of experience in Unix with the problems of
a commonly writable temp.

  Windows doesn't really have symlinks, which makes the problem more
interesting, but depending upon how you open the file, you may wind up
following a .lnk file.
  And, there are Windows file systems which *do* have a sort of symlink.

    Joey> From a pen-test perspective, what is the actual level of risk
    Joey> associated with the developer's request? Do you know of
    Joey> any papers or other information that accurately discusses the
    Joey> risk, if any, of allowing IWAM to write to \winnt\temp?

  Depends upon what else is running, and what else has write permission
to \winnt\temp.

    Joey> Changing the value of the system %temp% and %tmp% variables is
    Joey> not possible.

  Me, I'd give each account separate temp areas, and I'd put it all on a
ramdisk to improve performance, but I guess you can't do that.

--
] "Elmo went to the wrong fundraiser" - The Simpson | firewalls [
] Michael Richardson, Xelerance Corporation, Ottawa, ON |net architect[
] mcr@xelerance.com http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [

  
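Added example, not part of the original message: a sketch of why "how you open the file" matters in a commonly writable temp directory, and of the separate-temp-area alternative suggested in the reply. It assumes a POSIX system, where a symlink stands in for the link types mentioned above; the file names and the sandbox layout are constructed for the illustration.

```python
import os
import secrets
import tempfile

def write_weak(shared_dir, data):
    """Weak pattern: predictable name in a shared directory, plain open()."""
    path = os.path.join(shared_dir, "app-scratch.tmp")  # constructed name
    with open(path, "w") as fh:  # follows an existing link and truncates its target
        fh.write(data)
    return path

def write_exclusive(temp_dir, data):
    """Hardened pattern: unpredictable name, create only if nothing is there."""
    path = os.path.join(temp_dir, "app-" + secrets.token_hex(8) + ".tmp")
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)  # raises FileExistsError on any existing entry
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return path

def demo():
    """Constructed scenario in a throwaway sandbox; returns what was observed."""
    sandbox = tempfile.mkdtemp()
    shared = os.path.join(sandbox, "shared-temp")
    os.mkdir(shared)
    other = os.path.join(sandbox, "other-accounts-file.txt")
    with open(other, "w") as fh:
        fh.write("original")
    # An entry already sits at the predictable name and points elsewhere.
    planted = os.path.join(shared, "app-scratch.tmp")
    os.symlink(other, planted)
    write_weak(shared, "scratch data")
    with open(other) as fh:
        clobbered = fh.read() != "original"
    # The same name opened create-exclusive is refused instead of followed.
    try:
        os.close(os.open(planted, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600))
        refused = False
    except FileExistsError:
        refused = True
    # Separate temp area for one account: mkdtemp creates it with mode 0700.
    private = tempfile.mkdtemp(dir=sandbox)
    safe_path = write_exclusive(private, "scratch data")
    return clobbered, refused, safe_path

if __name__ == "__main__":
    print(demo())
```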


