Re[2]: [Full-disclosure] Microsoft Windows Vista/2003/XP/2000 fi
Dear Thor (Hammer of God),
You are wrong at least for Windows XP/2003. There is a common temporary
directory
%WINDIR%\Temp
It's used as a %TEMP% if application is launched without local logon,
e.g. system service.
For example, services launched with LocalSystem account will have this
environment variables:
SystemRoot=3DC:\WINDOWS
TEMP=3DC:\WINDOWS\TEMP
TMP=3DC:\WINDOWS\TEMP
USERPROFILE=3DC:\Documents and Settings\LocalService
=20
You can find it's really used, because it's never empty. I see, e.g.
files related to different Intel drivers, VMWare, Microsoft .Net
framework, Exchange and Sharepoint.
Also, I remember I had problems with securing ABN AMRO Bank client
software installation, because it uses %WINDIR%\Temp for some reason.
And now is most exciting: Users have permission to create files in this
directory, that is pre-open attack is possible.
--Saturday, March 10, 2007, 7:28:27 PM, you wrote to bugtraq@securityfocu=
s.com:
THoG> Apps utilizing temporary files should always use the TEMP or TMP en=
vironment
THoG> variables, not a hard-coded path. And by default, each user has th=
eir own
THoG> temp directory created (in XP/Server it is "\Documents and=20
THoG> Settings\username\Local Settings\temp" and in Vista it is=20
THoG> "\Users\username\AppData\Local\Temp") that only they have permissio=
ns to
THoG> (with SYSTEM and Administrators, of course). It's not like there i=
s some
THoG> global "Full Control" temp directory created by default.
THoG> t
THoG> ----- Original Message -----=20
THoG> From: "Roger A. Grimes" <roger@banneretcs.com>
THoG> To: "Tim" <tim-security@sentinelchicken.org>
THoG> Cc: <bugtraq@securityfocus.com>;
THoG> <full-disclosure@lists.grok.org.uk>
THoG> Sent: Friday, March 09, 2007 9:42 AM
THoG> Subject: RE: [Full-disclosure] Microsoft Windows Vista/2003/XP/2000=
file
THoG> management security issues
THoG> So, let me get this. An app storing sensitive data doesn't make its=
own
THoG> temp storage folders in a secure location, and instead relies upon =
one
THoG> of the few folders in Windows that all users have Full Control to, =
and
THoG> this is a Windows problem? In Linux, if an app uses \tmp, is that =
a
THoG> Linux issue?
THoG> Sounds like a developer issue to me.
THoG> Roger
THoG> -----Original Message-----
THoG> From: Tim [mailto:tim-security@sentinelchicken.org]
THoG> Sent: Friday, March 09, 2007 11:20 AM
THoG> To: Roger A. Grimes
THoG> Cc: bugtraq@securityfocus.com; full-disclosure@lists.grok.org.uk
THoG> Subject: Re: [Full-disclosure] Microsoft Windows Vista/2003/XP/2000=
file
THoG> management security issues
THoG> I find your assessment somewhat short-sighted. I have conducted co=
de
THoG> reviews on several commercial apps which use C:\TEMP in very insecu=
re
THoG> ways to store sensitive data. It seems some of these attacks would=
be
THoG> possible in those situations.
THoG> Sure, Windows is already pathetically insecure against an attackers
THoG> already on the local system, but this would be yet another attack
THoG> vector.
THoG> tim
--=20
~/ZARAZA http://securityvulns.com/
=DD=CD=C8=C0=CA=E0=EC - =EF=EE =EC=EE=F0=E4=E5! (=CB=E5=EC)
討論串 (同標題文章)
完整討論串 (本文為第 2 之 2 篇):