Penetration Testing mailing list archives

Re: IWAM: Writing temp files to \winnt\temp

From: Tyler Durden <fadingreality414 () yahoo com>
Date: Tue, 3 Aug 2004 22:03:36 -0700 (PDT)

Theres one crazy idea I have about that. Now remember,
this is a long shot. Since some program somewhere has
to delete whats in temp, if the account with write
permission to the directory crafted a filename (or
just file possibly) so long that it was just
disgusting, it might be able to cause the program to
hang. That could be a DOS in itself. Besides that, it
could fill up disk space. Lets say the site allows
users to register. Their information has to be stored
SOMEWHERE. Now if theres no more disk space, how might
the registration information be saved?

This was all abstract, and just a what-if.

--Oedipus

--- Joey Peloquin <joeyp () voteprivacy com> wrote:

Greetings,
I'm a security analyst with a large retail company.

Our web application developers are writing a web
service, which is called by 
COM.  It is written in dotnet, and they are
impersonating IWAM.

Since IWAM is making the call, temporary files are
written to \winnt\temp, 
the value of the system %temp% and %tmp% variables. 
I've complained that I 
don't like the idea of granting write to an
anonymous account on 
\winnt\temp, but have been unable to locate any
specific information on the 
risk of doing so.

Since the ASPNET account already has write to the
directory (this is 
apparently done when the framework is installed?),
and I cannot find any 
instances of other security practitioners having a
problem with it, I am 
losing this fight.  To compound matters, all of the
references I've found to 
\winnt\temp and serialization have lead to posts
decreeing the resolution of 
permission woes by granting 'write' on \winnt\temp
for IWAM.

 From a pen-test perspective, what is the actual
level of risk is associated 
with the developer's request?  Do you know of any
papers or other 
information that accurately discusses the risk, if
any, of allowing IWAM to 
write to \winnt\temp?

Changing the value of the system %temp% and %tmp%
variables is not possible.

Thanks for any insight.

Joey




                
__________________________________
Do you Yahoo!?
Yahoo! Mail Address AutoComplete - You start. We finish.
http://promotions.yahoo.com/new_mail

Current thread:

IWAM: Writing temp files to \winnt\temp Joey Peloquin (Aug 03)
- RE: IWAM: Writing temp files to \winnt\temp Dinis Cruz (Aug 03)
- Re: IWAM: Writing temp files to \winnt\temp Michael Richardson (Aug 03)
- Re: IWAM: Writing temp files to \winnt\temp Tyler Durden (Aug 05)
- <Possible follow-ups>
- Re: IWAM: Writing temp files to \winnt\temp Joey Peloquin (Aug 22)