Penetration Testing mailing list archives

Re: IWAM: Writing temp files to \winnt\temp


From: Michael Richardson <mcr () sandelman ottawa on ca>
Date: Tue, 03 Aug 2004 18:36:03 -0400


"Joey" == Joey Peloquin <joeyp () voteprivacy com> writes:
    Joey> Since IWAM is making the call, temporary files are written to
    Joey> \winnt\temp, the value of the system %temp% and %tmp%
    Joey> variables.  I've complained that I don't like the idea of
    Joey> granting write to an anonymous account on \winnt\temp, but
    Joey> have been unable to locate any specific information on the
    Joey> risk of doing so.

  There is nearly a decade of experience in Unix with the problems of 
a commonly writable temp.

  Windows doesn't really have symlinks, which makes the problem more
interesting, but depending upon how you open the file, you may wind up
following a .lnk file.
  And, there are Windows file systems which *do* have a sort of symlink.

    Joey>  From a pen-test perspective, what is the actual level of risk
    Joey> associated with the developer's request?  Do you know of
    Joey> any papers or other information that accurately discusses the
    Joey> risk, if any, of allowing IWAM to write to \winnt\temp?

  Depends upon what else is running, and what else has write permission
to \winnt\temp.

    Joey> Changing the value of the system %temp% and %tmp% variables is
    Joey> not possible.

  Me, I'd give each account separate temp areas, and I'd put it all on a
ramdisk to improve performance, but I guess you can't do that.

- --
]     "Elmo went to the wrong fundraiser" - The Simpson         |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr () xelerance com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
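To make the shared-temp risk discussed in this thread concrete, here is an added example (not code from either poster): a naive write to a predictable name in a shared temp directory beside the create-or-fail pattern and the per-account directory the reply recommends. The directory, file and account names (`session.tmp`, `IWAM_HOST`) are constructed for the demo.

```python
import os
import tempfile


def naive_temp_write(directory, name, data):
    """Risky pattern: predictable name in a shared dir, opened with truncation.
    Whatever already sits at that path (a pre-planted file, or a link on
    filesystems that support them) is silently reused as the target."""
    path = os.path.join(directory, name)
    with open(path, "w") as f:
        f.write(data)
    return path


def private_temp_dir(base, account):
    """Per-account temp area base/<account>, mode 0700 on POSIX. On Windows the
    mode is ignored: the ACL must be set separately so only that account writes
    there (assumption: the administrator does this)."""
    path = os.path.join(base, account)
    os.makedirs(path, mode=0o700, exist_ok=True)
    return path


def exclusive_temp_write(directory, data, name=None):
    """Create-or-fail: O_EXCL succeeds only if we created the file ourselves, so
    a planted entry at the same name raises FileExistsError instead of being
    written into. O_NOFOLLOW (POSIX only, 0 elsewhere) also refuses symlinks.
    With name=None, mkstemp draws an unguessable name (the normal way to call)."""
    if name is None:
        fd, path = tempfile.mkstemp(dir=directory)
    else:
        path = os.path.join(directory, name)
        flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
        fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return path


def demo():
    """Returns (naive_overwrote_planted, exclusive_refused, private_dir_used)."""
    shared = tempfile.mkdtemp()                    # stands in for \winnt\temp
    planted = os.path.join(shared, "session.tmp")  # constructed pre-planted entry
    with open(planted, "w") as f:
        f.write("planted")
    naive_temp_write(shared, "session.tmp", "app data")
    with open(planted) as f:
        overwrote = f.read() == "app data"
    try:
        exclusive_temp_write(shared, "app data", name="session.tmp")
        refused = False
    except FileExistsError:
        refused = True
    priv = private_temp_dir(shared, "IWAM_HOST")   # hypothetical account name
    return overwrote, refused, os.path.dirname(exclusive_temp_write(priv, "x")) == priv
```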


  

