Bugtraq mailing list archives
Re: Re[2]: [Full-disclosure] Microsoft Windows Vista/2003/XP/2000 file management security issues
From: "Thor (Hammer of God)" <thor () hammerofgod com>
Date: Sun, 11 Mar 2007 10:46:14 -0700
2 things: My point is what apps SHOULD do - use the "user" temp variable, not the system temp variable if you want to easily have inherited, user-based security. Not sure why your ABN AMRO client makes its files in %WINDIR%\temp, but that's not necessary. It probably requires local admin too, given that.
Secondly, I said there is not a "global Full Control" directory, and there is not. The %WINDIR%\Temp directory has "special" permissions. For users, it is only Traverse Folder/Execute File, Create Files/Write Data, and Create Folders/Append Data. Not List Folder/Read Data, no read attributes, not write attributes, not delete, etc, etc.
And all subfolders in Temp inherit those permissions. I know it's used extensively by system and admin installation, but that's not my point at all. Someone chimed in about C:\temp and sensitive data, and blah blah, so I simply stated that user variables usage for temp files mitigates that. Also, there is no "Global Full Control" directory created by default temp files and there's not. Sure you can create one if you want and use that (which obviously someone did for C:\temp because it does not exist by default) but that's more of Roger's point in that "if you do things insecurely and without thinking, then someone can take advantage of that." And I think he's right on that.
But as Mark said, the overall issue is interesting at some level, particularly if you can leverage it even with limited permissions in \windows\temp, though I also think many many things must go "wrong" first. But, that being said, I've seen enough of your posts to know that you know what you are doing, so I have respect for your work even though I may not totally agree all the time.
t

----------------
Learn to secure your Microsoft installations with Tim Mullen's "Microsoft Ninjitsu Black Belt Edition" at Blackhat Vegas. Registration open now.
http://www.blackhat.com/html/bh-usa-07/train-bh-us-07-tm-ms-bbe.html

----- Original Message -----
From: "3APA3A" <3APA3A () SECURITY NNOV RU>
To: "Thor (Hammer of God)" <thor () hammerofgod com>
Cc: <bugtraq () securityfocus com>; "Roger A. Grimes" <roger () banneretcs com>; "Tim" <tim-security () sentinelchicken org>; <full-disclosure () lists grok org uk>
Sent: Saturday, March 10, 2007 2:32 PM
Subject: Re[2]: [Full-disclosure] Microsoft Windows Vista/2003/XP/2000 file management security issues
Dear Thor (Hammer of God),

You are wrong at least for Windows XP/2003. There is a common temporary directory %WINDIR%\Temp. It's used as %TEMP% if an application is launched without local logon, e.g. system service. For example, services launched with the LocalSystem account will have these environment variables:

SystemRoot=C:\WINDOWS
TEMP=C:\WINDOWS\TEMP
TMP=C:\WINDOWS\TEMP
USERPROFILE=C:\Documents and Settings\LocalService

You can find it's really used, because it's never empty. I see, e.g. files related to different Intel drivers, VMWare, Microsoft .Net framework, Exchange and Sharepoint. Also, I remember I had problems with securing ABN AMRO Bank client software installation, because it uses %WINDIR%\Temp for some reason.

And now is most exciting: Users have permission to create files in this directory, that is pre-open attack is possible.

--Saturday, March 10, 2007, 7:28:27 PM, you wrote to bugtraq () securityfocus com:
THoG> Apps utilizing temporary files should always use the TEMP or TMP environment
THoG> variables, not a hard-coded path. And by default, each user has their own
THoG> temp directory created (in XP/Server it is "\Documents and
THoG> Settings\username\Local Settings\temp" and in Vista it is
THoG> "\Users\username\AppData\Local\Temp") that only they have permissions to
THoG> (with SYSTEM and Administrators, of course). It's not like there is some
THoG> global "Full Control" temp directory created by default.
THoG>
THoG> t
THoG>
THoG> ----- Original Message -----
THoG> From: "Roger A. Grimes" <roger () banneretcs com>
THoG> To: "Tim" <tim-security () sentinelchicken org>
THoG> Cc: <bugtraq () securityfocus com>;
THoG> <full-disclosure () lists grok org uk>
THoG> Sent: Friday, March 09, 2007 9:42 AM
THoG> Subject: RE: [Full-disclosure] Microsoft Windows Vista/2003/XP/2000 file
THoG> management security issues
THoG>
THoG> So, let me get this. An app storing sensitive data doesn't make its own
THoG> temp storage folders in a secure location, and instead relies upon one
THoG> of the few folders in Windows that all users have Full Control to, and
THoG> this is a Windows problem? In Linux, if an app uses \tmp, is that a
THoG> Linux issue?
THoG>
THoG> Sounds like a developer issue to me.
THoG>
THoG> Roger
THoG>
THoG> -----Original Message-----
THoG> From: Tim [mailto:tim-security () sentinelchicken org]
THoG> Sent: Friday, March 09, 2007 11:20 AM
THoG> To: Roger A. Grimes
THoG> Cc: bugtraq () securityfocus com; full-disclosure () lists grok org uk
THoG> Subject: Re: [Full-disclosure] Microsoft Windows Vista/2003/XP/2000 file
THoG> management security issues
THoG>
THoG> I find your assessment somewhat short-sighted. I have conducted code
THoG> reviews on several commercial apps which use C:\TEMP in very insecure
THoG> ways to store sensitive data. It seems some of these attacks would be
THoG> possible in those situations.
THoG>
THoG> Sure, Windows is already pathetically insecure against an attacker
THoG> already on the local system, but this would be yet another attack
THoG> vector.
THoG>
THoG> tim

--
~/ZARAZA http://securityvulns.com/
A punch in the face for the ENIACs! (Lem)
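Added example, not written by any participant in this thread: the two temp-file habits the thread argues over, side by side. A fixed name in a directory where other accounts may create files is compared with an unpredictable name, exclusive create and the per-user temp directory. All function names and the `app.tmp` file name are hypothetical, and the "shared" directory is a constructed stand-in.

```python
import os
import secrets
import tempfile


def write_predictable(directory, data, name="app.tmp"):
    """Weak: fixed name and plain open(). If another account created the
    name first, that file (with its creator's owner and ACL) is reused."""
    path = os.path.join(directory, name)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def create_new(path, data):
    """Exclusive create: raises FileExistsError instead of adopting an
    existing file. Mode 0o600 applies on POSIX systems."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_BINARY", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def write_private(data, prefix="app-"):
    """Hardened: per-user temp dir (tempfile.gettempdir() consults TMPDIR,
    TEMP and TMP), unpredictable name, exclusive create."""
    name = prefix + secrets.token_hex(16) + ".tmp"
    return create_new(os.path.join(tempfile.gettempdir(), name), data)


def adopts_planted_file(hardened):
    """Constructed scenario: 'shared' stands in for a directory where other
    accounts may create files, and the expected name is already planted."""
    with tempfile.TemporaryDirectory() as shared:
        planted = os.path.join(shared, "app.tmp")
        with open(planted, "wb") as fh:
            fh.write(b"planted")
        planted_id = os.stat(planted).st_ino
        if hardened:
            path = create_new(os.path.join(shared, secrets.token_hex(16)), b"x")
        else:
            path = write_predictable(shared, b"x")
        # True means the application wrote into the file someone else made.
        return os.stat(path).st_ino == planted_id
```
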