RE: IWAM: Writing temp files to \winnt\temp

From: Dinis Cruz (dinis_at_ddplus.net)
Date: 08/03/04

To: <pen-test@securityfocus.com>, <joeyp@voteprivacy.com>
Date: Tue, 3 Aug 2004 17:47:32 +0100

Hello Joey,

It is refreshing to hear somebody worrying about those issues (btw, what is
being written to the c:\winnt\temp folder?).

Unfortunately that is the least of your problems.

Download the tools that I have developed for OWASP (i.e. ANSA and SAM'SHE)
and see how many vulnerabilities your system has (I'm assuming that you are
running your code with Full Trust):
http://www.owasp.org/software/dotnet.html

Regarding ACL issues, the worst ones are:

 - the fact that (by default) all IWAM accounts have Full Access to the
   "Temporary Asp.Net Folder", and

 - the fact that (by default) all IWAM accounts have Read Access to the
   entire Metabase.

Let me know what you think of these OWASP tools.

Best regards,

Dinis Cruz
.Net Security Consultant
DDPlus

> -----Original Message-----
> From: Joey Peloquin [mailto:joeyp@voteprivacy.com]
> Sent: 03 August 2004 12:04
> To: pen-test@securityfocus.com
> Subject: IWAM: Writing temp files to \winnt\temp
>
> Greetings,
> I'm a security analyst with a large retail company.
>
> Our web application developers are writing a web service, which is called
> by COM. It is written in dotnet, and they are impersonating IWAM.
>
> Since IWAM is making the call, temporary files are written to \winnt\temp,
> the value of the system %temp% and %tmp% variables. I've complained that
> I don't like the idea of granting write to an anonymous account on
> \winnt\temp, but have been unable to locate any specific information on
> the risk of doing so.
>
> Since the ASPNET account already has write to the directory (this is
> apparently done when the framework is installed?), and I cannot find any
> instances of other security practitioners having a problem with it, I am
> losing this fight. To compound matters, all of the references I've found
> to \winnt\temp and serialization have led to posts decreeing the resolution
> of permission woes by granting 'write' on \winnt\temp for IWAM.
>
> From a pen-test perspective, what is the actual level of risk
> associated with the developer's request? Do you know of any papers or other
> information that accurately discusses the risk, if any, of allowing IWAM
> to write to \winnt\temp?
>
> Changing the value of the system %temp% and %tmp% variables is not
> possible.
>
> Thanks for any insight.
>
> Joey
>
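An added audit script for the ACL conditions discussed in this thread (it is not code from either poster, nor from the OWASP tools Dinis mentions). It assumes Windows PowerShell 3 or later on an IIS 5/6-era host that still uses the classic local IWAM_<host>, IUSR_<host> and ASPNET accounts; the function name Get-RiskyTempAces is hypothetical, and the metabase read access Dinis mentions is a metabase ACL, not a file ACL, so it is not covered here.

```powershell
# Added example, not from the original thread. Reports which IIS process
# accounts hold write-capable ACEs on the machine-wide %TEMP% (normally
# \winnt\temp) and on each framework version's "Temporary ASP.NET Files"
# folder, so an administrator can see the grants being debated above.

# Identity names to look for; local accounts appear as MACHINE\name.
$accountPattern = '\\(IWAM_|IUSR_|ASPNET$)'

# Rights that let an account create, replace or remove content, or change the ACL.
$writeMask = [System.Security.AccessControl.FileSystemRights] `
    'CreateFiles, CreateDirectories, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership, FullControl'

# Machine-level %TEMP% is what code impersonating IWAM resolves (not the
# logged-on user's TEMP); expand it in case the registry value is REG_EXPAND_SZ.
$targets = @([Environment]::ExpandEnvironmentVariables(
    [Environment]::GetEnvironmentVariable('TEMP', 'Machine')))
$targets += Get-Item -Path "$env:windir\Microsoft.NET\Framework*\v*\Temporary ASP.NET Files" `
    -ErrorAction SilentlyContinue | ForEach-Object { $_.FullName }

function Get-RiskyTempAces {
    param([string[]]$Paths, [string]$Pattern,
          [System.Security.AccessControl.FileSystemRights]$Mask)
    foreach ($path in $Paths) {
        if (-not $path -or -not (Test-Path -LiteralPath $path)) { continue }
        foreach ($ace in (Get-Acl -LiteralPath $path).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($ace.IdentityReference.Value -notmatch $Pattern) { continue }
            if (($ace.FileSystemRights -band $Mask) -eq 0) { continue }
            $full = $ace.FileSystemRights.HasFlag(
                [System.Security.AccessControl.FileSystemRights]::FullControl)
            [pscustomobject]@{
                Path      = $path
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
                # FullControl on Temporary ASP.NET Files is the default Dinis calls out;
                # any write on the shared system %TEMP% is the grant Joey is being asked for.
                Finding   = if ($full) { 'FullControl' } else { 'Write' }
            }
        }
    }
}

Get-RiskyTempAces -Paths $targets -Pattern $accountPattern -Mask $writeMask |
    Format-Table -AutoSize
```

Run it as an administrator on the web server; an empty table means none of the three account types can write to either location, and any row whose Path is the system %TEMP% is the shared directory other services on the host also read from.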

