GnuPG from WEBSITE
Ryan Malayter
rmalayter@bai.org
Mon Oct 29 16:21:01 2001
Hmm... The "wscript.shell" process runs in the context of IWAM_MACHINENAME,
which has very limited privliges by default. Assuming the administrator
trusts the web developer to wite and manage ASP scripts, why wouldn't he
trust the developer to run shell code with the lowered privliges of
IWAM_MACHINENAME?
It would seem the only attacks immediately available would be
privlige-elevation exploits by the developer, which isn't much of a threat
at all. Security breaches which would allow an outside attacker to replace
the server's ASP code with malicious pages are certainly a risk, but I don't
think wscript.shell access from ASP makes these attacks easier or more
dangerous.
Do you propose that access to the FileSysem object be disallowed in ASP
pages as well?
I don't think using CGI POST or GET calls to access the CGI executable isn't
any more secure than using "wscript.shell". It seems "wscript.shell" access
is actually less dangerous, since an atttacker cannot access the EXE through
a HTTP post call or manipulate the EXE parameters as easliy as when
something is thrown directly into a cgi-bin directory.
Could you elaborate on what you feel is so dangerous about the configuration
I detailed for George?
Regards,
Ryan
> -----Original Message-----
> From: Owen Blacker [mailto:owen@flirble.org]
> Sent: Sunday, October 28, 2001 7:51 AM
> To: Ryan Malayter
> Cc: GPG Users list
> Subject: RE: GnuPG from WEBSITE
>
>
>
> *** PGP Signature Status: unknown
> *** Signer: Unknown, Key ID = 0xB48E805E
> *** Signed: 10/28/2001 7:51:12 AM
> *** Verified: 10/29/2001 8:56:52 AM
> *** BEGIN PGP VERIFIED MESSAGE ***
>
> Ryan Malayter wrote (2001-10-26 T 14:03 -0500):
> >
> > Installing GnuPG only involves copying firectories, so you
> should be able to
> > use it on your remote site.
> >
> > I think you can use GnuPG to do what you want if:
> > 1) Jmail can use any text file as a message body.
> > 2) you can copy the GNUpg dir to your server (after you've
> generated and
> > imported keys into the GNuPG keyring)
> > 3) you can run an operating system command from within your
> asp script, like
> > this:
> > Set sObj = createObject(wscript.shell)
> > sObj.Run("d:\gnupg gpg.exe --homedir d:\gpupg -e -a -r
> you@company.com -o
> > d:\temp\encryptedmsg.asc d:\temp\messagebody.txt",1,true)
> > 4) Have jmail use d:\temp\encryptedmsg.asc as the message body
>
> If all of that is possible, however, the system administrator
> should be
> sacked immediately. If the system administrator lets users
> instantiate
> Windows Script Host using a CreateObject("WScript.Shell") call (you
> missed out the quotes, btw :) then (s)he deserves to have the whole
> system trashed.
>
> Chances are you won't be able to do anything without
> installing software
> on the system, as anyone who set up the system in such a way to allow
> the suggested code to work should not be administering servers.
>
>
> O x
> --
> Owen Blacker | Senior Software Developer and InfoSecurity Consultant
> See http://www.owens-place.org.uk/pgp.html -- more about my PGP keys
> Sig 0xb48e805e | 0e31 ac2a 4ff2 62a0 89da ddef 4223 99a6 b48e 805e
> --
> They that can give up essential liberty to obtain a little temporary
> safety deserve neither liberty nor safety --Benjamin Franklin, 1759
>
> *** END PGP VERIFIED MESSAGE ***
>
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>