lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <FC86B492517540FC8843EB92659088DB@MoFo>
Date: Sun, 11 Mar 2007 10:46:14 -0700
From: "Thor (Hammer of God)" <thor@...merofgod.com>
To: "3APA3A" <3APA3A@...URITY.NNOV.RU>, <bugtraq@...urityfocus.com>
Cc: "Roger A. Grimes" <roger@...neretcs.com>,
	"Tim" <tim-security@...tinelchicken.org>
Subject: Re: Re[2]: [Full-disclosure] Microsoft Windows Vista/2003/XP/2000 file management security issues

2 things:

My point is what apps SHOULD do- use the "user" temp variable, not the 
system temp variable if you want to easily have inherited, user-based 
security.  Not sure why your ABN AMRO client makes it files in 
%WINDIR%\temp, but that's not necessary.  It probably requires local admin 
too, given that.

Secondly, I said there is not a "global Full Control" directory, and there 
is not.  The %WINDIR%\Temp directory has "special" permissions.  For users, 
it is only Traverse Folder/Execute File, Create Files/Write Data, and Create 
Folders/ Append Data.  Not List Folder/ Read Data, no read add tributes, not 
write attributes, not delete, etc, etc.

And all subfolders in Temp inherit those permissions.  I know it's used 
extensively by system and admin installation, but that's not my point at 
all.  Someone chimed in about C:\temp and sensitive data, and blah blah, so 
I simply stated that user variables usage for temp files mitigate that. 
Also, there is no "Global Full Control" directory created by default temp 
files and there's not.  Sure you can create on if you want and use that 
(which obviously someone did for C:\temp because it does not exist by 
default) but that's more of Roger's point in that "if you do things 
insecurely and without thinking, then someone can take advantage of that." 
And I think he's right on that.

But as Mark said, the overall issue is interesting at some level, 
particularly if you can leverage it even with limited permissions in 
\windows\temp, though I also think many many things must go "wrong" first. 
But, that being said, I've seen enough of your posts to know that you know 
what you are doing, so I have respect for your work even though I may not 
totally agree all the time.

t

----------------
Learn to secure your Microsoft installations with Tim Mullen's
"Microsoft Ninjitsu Black Belt Edition" at Blackhat Vegas.  Registration 
open now.
http://www.blackhat.com/html/bh-usa-07/train-bh-us-07-tm-ms-bbe.html





----- Original Message ----- 
From: "3APA3A" <3APA3A@...URITY.NNOV.RU>
To: "Thor (Hammer of God)" <thor@...merofgod.com>
Cc: <bugtraq@...urityfocus.com>; "Roger A. Grimes" <roger@...neretcs.com>; 
"Tim" <tim-security@...tinelchicken.org>; 
<full-disclosure@...ts.grok.org.uk>
Sent: Saturday, March 10, 2007 2:32 PM
Subject: Re[2]: [Full-disclosure] Microsoft Windows Vista/2003/XP/2000 file 
management security issues


Dear Thor (Hammer of God),

 You are wrong at least for Windows XP/2003. There is a common temporary
 directory

 %WINDIR%\Temp

 It's  used  as a %TEMP% if application is launched without local logon,
 e.g. system service.

 For  example, services launched with LocalSystem account will have this
 environment variables:

SystemRoot=C:\WINDOWS
TEMP=C:\WINDOWS\TEMP
TMP=C:\WINDOWS\TEMP
USERPROFILE=C:\Documents and Settings\LocalService


 You  can  find  it's really used, because it's never empty. I see, e.g.
 files  related  to  different  Intel  drivers,  VMWare,  Microsoft .Net
 framework, Exchange and Sharepoint.

 Also,  I  remember  I  had  problems with securing ABN AMRO Bank client
 software installation, because it uses %WINDIR%\Temp for some reason.

 And now is most exciting: Users have permission to create files in this
 directory, that is pre-open attack is possible.

--Saturday, March 10, 2007, 7:28:27 PM, you wrote to 
bugtraq@...urityfocus.com:

THoG> Apps utilizing temporary files should always use the TEMP or TMP 
environment
THoG> variables, not a hard-coded path.  And by default, each user has their 
own
THoG> temp directory created (in XP/Server it is "\Documents and
THoG> Settings\username\Local Settings\temp" and in Vista it is
THoG> "\Users\username\AppData\Local\Temp") that only they have permissions 
to
THoG> (with SYSTEM and Administrators, of course).  It's not like there is 
some
THoG> global "Full Control" temp directory created by default.

THoG> t



THoG> ----- Original Message ----- 
THoG> From: "Roger A. Grimes" <roger@...neretcs.com>
THoG> To: "Tim" <tim-security@...tinelchicken.org>
THoG> Cc: <bugtraq@...urityfocus.com>;
THoG> <full-disclosure@...ts.grok.org.uk>
THoG> Sent: Friday, March 09, 2007 9:42 AM
THoG> Subject: RE: [Full-disclosure] Microsoft Windows Vista/2003/XP/2000 
file
THoG> management security issues


THoG> So, let me get this. An app storing sensitive data doesn't make its 
own
THoG> temp storage folders in a secure location, and instead relies upon one
THoG> of the few folders in Windows that all users have Full Control to, and
THoG> this is a Windows problem?  In Linux, if an app uses \tmp, is that a
THoG> Linux issue?

THoG> Sounds like a developer issue to me.

THoG> Roger

THoG> -----Original Message-----
THoG> From: Tim [mailto:tim-security@...tinelchicken.org]
THoG> Sent: Friday, March 09, 2007 11:20 AM
THoG> To: Roger A. Grimes
THoG> Cc: bugtraq@...urityfocus.com; full-disclosure@...ts.grok.org.uk
THoG> Subject: Re: [Full-disclosure] Microsoft Windows Vista/2003/XP/2000 
file
THoG> management security issues


THoG> I find your assessment somewhat short-sighted.  I have conducted code
THoG> reviews on several commercial apps which use C:\TEMP in very insecure
THoG> ways to store sensitive data.  It seems some of these attacks would be
THoG> possible in those situations.

THoG> Sure, Windows is already pathetically insecure against an attackers
THoG> already on the local system, but this would be yet another attack
THoG> vector.

THoG> tim




-- 
~/ZARAZA http://securityvulns.com/
ÝÍÈÀÊàì - ïî ìîðäå!  (Ëåì)



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ