Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Another IE trick (Re: IE sucks : sun java virtual machine insecure tmp file creation)
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Sat, 10 Jul 2004 12:40:46 +1200

"Eric Paynter" <eric () arcticbears com> wrote:

I think:

mount /dev/xxxx /tmp -o noexec

would reduce the risk significantly. Can you do something equivalent in
Windows?

You can specifically remove the "execute" permission (depending how you 
handle such things "Traverse Folder/Execute File" or FILE_EXECUTE) on 
the %TEMP% folder.  However, doing so is likely to break all manner of 
stuff, particularly installers that simply expect to be able to 
decompress their archived contents into a dir under %TEMP% and then 
execute one or more of those unpacked files to kick-off the 
installation for real.

Something else that I suspect is a difference between *nix "noexec" and 
the Windows FILE_EXECUTE permission is that the latter does not prevent 
execution of scripts (either Windows "shell scripts" such as .BAT and 
.CMD files, or scripts for any WSH-hosted scripting engines such as 
.JS, .VBS & .PL).  So long as such script files residing in a 
FILE_EXECUTE denied dir (and that have inherited that permission or 
have had it explicitly applied) also have "Read Data" (FILE_READ_DATA) 
and "Read Extended Attributes" (FILE_READ_EA) -- the minimum necessary 
to list their contents with the default shell's "type" command or to 
open them with Notepad -- those scripts can be run.  Somewhat oddly 
(perhaps -- this is Windows after all...) simply trying to invoke them 
from a shell commandline results in an "Access is denied" error (Win2K 
SP4 -- YMMV) yet using a command of the form:

   <script_interpreter> <script_filename>

(e.g. "cscript test.js" or "perl test.pl") or simply entering the 
script's filename into the Start/Run applet or double-clicking the 
script in Explorer sees the script "execute" just fine.  Of course, if 
the decision of whether to execute the contents of a script is left up 
to the interpreter, the flaw here is as much in the interpreter as 
anywhere -- there are obvious parallels with NetWare's "execute-only" 
attribute, which was of course dependent solely on the client-end of 
the connection playing ball for its enforcement to work.


Regards,

Nick FitzGerald

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]