Penetration Testing mailing list archives

RE: IWAM: Writing temp files to \winnt\temp

From: "Dinis Cruz" <dinis () ddplus net>
Date: Tue, 3 Aug 2004 17:47:32 +0100

Hello Joey

It is refreshing to hear somebody worrying about those issues (btw what is
being written to the c:\winnt\temp folder?).

Unfortunately that is the least of your problems.

Download the tools that I have developed for OWASP (i.e. ANSA and SAM'SHE)
and see how many vulnerabilities your system has (I'm assuming that you are
running your code with Full Trust):
http://www.owasp.org/software/dotnet.html

Regarding ACL Issues the worse ones are:

 - the fact that (by default) all IWAM accounts have Full Access to the
"Temporary Asp.Net Folder" and 

 - the fact that (by default) all IWAM accounts have Read Access to the
entire Metabase.

Let me know what you think of these OWASP tools

Best regards

Dinis Cruz
.Net Security Consultant
DDPlus

-----Original Message-----
From: Joey Peloquin [mailto:joeyp () voteprivacy com]
Sent: 03 August 2004 12:04
To: pen-test () securityfocus com
Subject: IWAM: Writing temp files to \winnt\temp

Greetings,
I'm a security analyst with a large retail company.

Our web application developers are writing a web service, which is called
by
COM.  It is written in dotnet, and they are impersonating IWAM.

Since IWAM is making the call, temporary files are written to \winnt\temp,
the value of the system %temp% and %tmp% variables.  I've complained that
I
don't like the idea of granting write to an anonymous account on
\winnt\temp, but have been unable to locate any specific information on
the
risk of doing so.

Since the ASPNET account already has write to the directory (this is
apparently done when the framework is installed?), and I cannot find any
instances of other security practitioners having a problem with it, I am
losing this fight.  To compound matters, all of the references I've found
to
\winnt\temp and serialization have lead to posts decreeing the resolution
of
permission woes by granting 'write' on \winnt\temp for IWAM.

 From a pen-test perspective, what is the actual level of risk is
associated
with the developer's request?  Do you know of any papers or other
information that accurately discusses the risk, if any, of allowing IWAM
to
write to \winnt\temp?

Changing the value of the system %temp% and %tmp% variables is not
possible.

Thanks for any insight.

Joey

Current thread:

IWAM: Writing temp files to \winnt\temp Joey Peloquin (Aug 03)
- RE: IWAM: Writing temp files to \winnt\temp Dinis Cruz (Aug 03)
- Re: IWAM: Writing temp files to \winnt\temp Michael Richardson (Aug 03)
- Re: IWAM: Writing temp files to \winnt\temp Tyler Durden (Aug 05)
- <Possible follow-ups>
- Re: IWAM: Writing temp files to \winnt\temp Joey Peloquin (Aug 22)