Knowing the existence of the COMSPEC variable and knowing its value are two different
issues. In the case of a directory traversal exploit I would need to know the value
of the COMSPSEC variable to use this exploit.
Denny
-----Original Message-----
From: "Saraga, Scott l" <[EMAIL PROTECTED]>
Sent: 11/13/02 10:37:59 AM
To: "NT 2000 Discussions" <[EMAIL PROTECTED]>
Subject: RE: Securing Webserver was RE: Active Directory Password Policy G rief.
Any knowledgeable hacker/cracker would know about the existence of the
COMSPEC variable.
-----Original Message-----
From: Depp, Dennis M. [mailto:deppdm@;ornl.gov]
Sent: Wednesday, November 13, 2002 10:09 AM
To: NT 2000 Discussions
Subject: RE: Securing Webserver was RE: Active Directory Password
Policy G rief.
How will an attacker find the COMSPEC variable in the first place.
Dennis
-----Original Message-----
From: "Lum, David" <[EMAIL PROTECTED]>
Sent: 11/13/02 9:55:32 AM
To: "NT 2000 Discussions" <[EMAIL PROTECTED]>
Subject: RE: Securing Webserver was RE: Active Directory Password Policy
G rief.
Wouldn't an attacker utilize the comspec variable to run the program in
the
first place?
Dave Lum - [EMAIL PROTECTED]
Sr. Network Specialist - Textron Financial
503-675-5510
-----Original Message-----
From: James Winzenz [mailto:james.winzenz@;inovis.com]
Sent: Wednesday, November 13, 2002 06:42 AM
To: NT 2000 Discussions
Subject: RE: Securing Webserver was RE: Active Directory Password Policy
G rief.
It may have been for IIS 4.0, but certainly isn't listed in Microsoft's
recommended steps for securing IIS 5.0 (at least, not that I saw). That
being said, to change the location for cmd.exe, you need to go into the
environmental variables (properties of my computer, advanced,
environmental
variables button). Under system variables, edit ComSpec (cmd.exe) and
change it to to the new location.
James Winzenz, MCSE, A+
Associate Systems Administrator
InovisTM, formerly Harbinger and Extricity
-----Original Message-----
From: Depp, Dennis M. [mailto:deppdm@;ornl.gov]
Sent: Wednesday, November 13, 2002 9:34 AM
To: NT 2000 Discussions
Subject: RE: Securing Webserver was RE: Active Directory Password Policy
G
rief.
Actually in securing NT 4.0, Microsoft recommended either moving these
files
to a different location or setting more restrictive ACLs on these files.
There was a hack for IIS called directory traversal. In this attack,
the
attacker utilizes the default location for webroot and the default
location
for the system files to traverse up the directory to c:\ and then back
to
cmd.exe. This can be done with no privledge elevation. If cmd.exe is
moved, or if the IUSR account doe not have execute priveleges, the
attacker
is not able to exploit the directory traversal vulnerability. This is
just
one example of a known vulnerability. The next vulnerability may also
utilize the known locations of certain tools. If the tools are moved,
the
attack is blocked. While I would not rely only on moving these tools,
it is
still a valid and effective defense.
Dennis Depp
------
You are subscribed as [EMAIL PROTECTED]
Archives: http://www.swynk.com/sitesearch/search.asp
To unsubscribe send a blank email to %%email.unsub%%
------
You are subscribed as [EMAIL PROTECTED]
Archives: http://www.swynk.com/sitesearch/search.asp
To unsubscribe send a blank email to %%email.unsub%%
------
You are subscribed as [EMAIL PROTECTED]
Archives: http://www.swynk.com/sitesearch/search.asp
To unsubscribe send a blank email to %%email.unsub%%
------
You are subscribed as [email protected]
Archives: http://www.swynk.com/sitesearch/search.asp
To unsubscribe send a blank email to [EMAIL PROTECTED]
