Penetration Testing mailing list archives
Re: IWAM: Writing temp files to \winnt\temp
From: Michael Richardson <mcr () sandelman ottawa on ca>
Date: Tue, 03 Aug 2004 18:36:03 -0400
-----BEGIN PGP SIGNED MESSAGE-----
"Joey" == Joey Peloquin <joeyp () voteprivacy com> writes:
Joey> Since IWAM is making the call, temporary files are written to Joey> \winnt\temp, the value of the system %temp% and %tmp% Joey> variables. I've complained that I don't like the idea of Joey> granting write to an anonymous account on \winnt\temp, but Joey> have been unable to locate any specific information on the Joey> risk of doing so. There is nearly a decade of experience in Unix with the problems of a commonly writable temp. Windows doesn't really have symlinks, which makes the problem more interesting, but depending upon how you open the file, you may wind up following a .lnk file. And, there are windows file systems which *do* have a sort of symlink. Joey> From a pen-test perspective, what is the actual level of risk Joey> is associated with the developer's request? Do you know of Joey> any papers or other information that accurately discusses the Joey> risk, if any, of allowing IWAM to write to \winnt\temp? Depends upon what else is running, and what else has write permission to \winnt\temp. Joey> Changing the value of the system %temp% and %tmp% variables is Joey> not possible. Me, I'd give each account seperate temp areas, and I'd put it all on a ramdisk to improve performance, but I guess you can't do that. - -- ] "Elmo went to the wrong fundraiser" - The Simpson | firewalls [ ] Michael Richardson, Xelerance Corporation, Ottawa, ON |net architect[ ] mcr () xelerance com http://www.sandelman.ottawa.on.ca/mcr/ |device driver[ ] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (GNU/Linux) Comment: Finger me for keys iQCVAwUBQRATUoqHRg3pndX9AQG8iwQA0lxKddEhRu0rjFlGmz4ulHqu1uTIBtQf GbKNZtaeDiVSFy4npagQTIz19vaFf26wrtMtYIoQHjFFvfF33XxbIcxJot8hcf8A J8WEnEkz/qJgPhygWhMhlsfYTyadsCL/Z733mq7G29Wb0TlS3WpTcfsYo3gEnQNw 8KkIn3UB7Zc= =1OW1 -----END PGP SIGNATURE-----
Current thread:
- IWAM: Writing temp files to \winnt\temp Joey Peloquin (Aug 03)
- RE: IWAM: Writing temp files to \winnt\temp Dinis Cruz (Aug 03)
- Re: IWAM: Writing temp files to \winnt\temp Michael Richardson (Aug 03)
- Re: IWAM: Writing temp files to \winnt\temp Tyler Durden (Aug 05)
- <Possible follow-ups>
- Re: IWAM: Writing temp files to \winnt\temp Joey Peloquin (Aug 22)