But I am trying to understand how a hacker could use this variable to
open a command prompt.  I have figured it out.  If I go to start->run
and enter %COMSPEC%, a command prompt will open.  Now I understand that
moving cmd.exe is useless on Windows 2000.

Dennis

-----Original Message-----
From: Saraga, Scott l [mailto:Scott.Saraga@;Nav-International.com] 
Sent: Wednesday, November 13, 2002 4:32 PM
To: NT 2000 Discussions
Subject: RE: Securing Webserver was RE: Active Directory Password Policy Grief.


The whole purpose of it being a variable is so you don't have to know
the value when you use it.

 -----Original Message-----
From:   Depp, Dennis M. [mailto:deppdm@;ornl.gov] 
Sent:   Wednesday, November 13, 2002 10:48 AM
To:     NT 2000 Discussions
Subject:        RE: Securing Webserver was RE: Active Directory Password Policy Grief.

Knowing the existence of the COMSPEC variable and knowing its value are
two different issues.  In the case of a directory traversal exploit I
would need to know the value of the COMSPEC variable to use this
exploit.

Denny

-----Original Message-----
    From: "Saraga, Scott l" <[EMAIL PROTECTED]>
    Sent: 11/13/02 10:37:59 AM
    To: "NT 2000 Discussions" <[EMAIL PROTECTED]>
    Subject: RE: Securing Webserver was RE: Active Directory Password Policy Grief.
    
    Any knowledgeable hacker/cracker would know about the existence of the
    COMSPEC variable.
    
     -----Original Message-----
    From:       Depp, Dennis M. [mailto:deppdm@;ornl.gov] 
    Sent:       Wednesday, November 13, 2002 10:09 AM
    To: NT 2000 Discussions
    Subject:    RE: Securing Webserver was RE: Active Directory Password Policy Grief.
    
    How will an attacker find the COMSPEC variable in the first place?
    
    Dennis
    
    -----Original Message-----
        From: "Lum, David" <[EMAIL PROTECTED]>
        Sent: 11/13/02 9:55:32 AM
        To: "NT 2000 Discussions" <[EMAIL PROTECTED]>
        Subject: RE: Securing Webserver was RE: Active Directory Password Policy Grief.
        
        Wouldn't an attacker utilize the comspec variable to run the program
        in the first place?
        
        Dave Lum - [EMAIL PROTECTED]
        Sr. Network Specialist - Textron Financial
        503-675-5510
        
        
        -----Original Message-----
        From: James Winzenz [mailto:james.winzenz@;inovis.com]
        Sent: Wednesday, November 13, 2002 06:42 AM
        To: NT 2000 Discussions
        Subject: RE: Securing Webserver was RE: Active Directory Password Policy Grief.
        
        
        It may have been for IIS 4.0, but certainly isn't listed in Microsoft's
        recommended steps for securing IIS 5.0 (at least, not that I saw). That
        being said, to change the location for cmd.exe, you need to go into the
        environmental variables (properties of my computer, advanced,
        environmental variables button).  Under system variables, edit ComSpec
        (cmd.exe) and change it to the new location.
        
        James Winzenz, MCSE, A+
        Associate Systems Administrator
        InovisTM, formerly Harbinger and Extricity
        
        
        -----Original Message-----
        From: Depp, Dennis M. [mailto:deppdm@;ornl.gov] 
        Sent: Wednesday, November 13, 2002 9:34 AM
        To: NT 2000 Discussions
        Subject: RE: Securing Webserver was RE: Active Directory Password Policy Grief.
        
        
        Actually in securing NT 4.0, Microsoft recommended either moving these
        files to a different location or setting more restrictive ACLs on these
        files.  There was a hack for IIS called directory traversal.  In this
        attack, the attacker utilizes the default location for webroot and the
        default location for the system files to traverse up the directory to
        c:\ and then back to cmd.exe.  This can be done with no privilege
        elevation.  If cmd.exe is moved, or if the IUSR account does not have
        execute privileges, the attacker is not able to exploit the directory
        traversal vulnerability.  This is just one example of a known
        vulnerability.  The next vulnerability may also utilize the known
        locations of certain tools.  If the tools are moved, the attack is
        blocked.  While I would not rely only on moving these tools, it is
        still a valid and effective defense.
        
        Dennis Depp
        
        ------
        You are subscribed as [EMAIL PROTECTED]
        Archives: http://www.swynk.com/sitesearch/search.asp
        To unsubscribe send a blank email to %%email.unsub%%
        
    
    
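Added example, not part of the original thread: the directory traversal discussed above depends on a request path resolving outside the webroot, so the sketch below canonicalizes each requested path with Windows path rules and refuses anything that leaves the root, wherever cmd.exe happens to live. The webroot value, the function name and the sample requests are assumptions constructed for illustration.

```python
import ntpath  # Windows path semantics, usable on any OS
from urllib.parse import unquote

# Assumed webroot for illustration; not taken from the thread.
WEBROOT = r"C:\Inetpub\wwwroot"


def resolve_under_root(url_path, root=WEBROOT):
    """Map a URL path to a file path; return None if it escapes root."""
    decoded = unquote(url_path)  # decode exactly once, then canonicalize
    # Join to the root and collapse "." / ".." segments as Windows would.
    candidate = ntpath.normpath(ntpath.join(root, decoded.lstrip("/\\")))
    root_norm = ntpath.normcase(ntpath.normpath(root))
    cand_norm = ntpath.normcase(candidate)
    try:
        # commonpath compares whole path components, so a sibling such as
        # C:\Inetpub\wwwroot2 is not mistaken for being inside the root.
        inside = ntpath.commonpath([root_norm, cand_norm]) == root_norm
    except ValueError:
        # Raised for a different drive or a drive-relative path.
        inside = False
    return candidate if inside else None


if __name__ == "__main__":
    # Constructed sample requests.
    samples = [
        "/default.htm",
        "/scripts/../default.htm",
        "/scripts/../../../winnt/system32/cmd.exe",  # default location
        "/scripts/../../../tools/cmd.exe",           # "moved" location
        "/../wwwroot2/secret.txt",                   # sibling directory
    ]
    for request in samples:
        result = resolve_under_root(request)
        print(f"{request!r:50} -> {result or 'REFUSED'}")
```
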