Information Assurance
Douglas Finley

Information Assurance Bugtraq Analysis
Exploit on the 1st floor computer lab

What the Problem Is:
The computers on the first floor of the library are supposed to restrict the user from creating shortcuts or accessing the command line. If you try to create a shortcut from the desktop, a window pops up telling you that you do not have the proper permissions to create a shortcut. If you go to a folder to which you have write access and attempt to create a shortcut there, the system will let you. The address for the shortcut is then just “cmd”. You now have a shortcut to the command line. The “dir” command gives a long list of the directories that are accessible.

What could have been Prevented:
The command line should be disabled, as it is, for example, on the computers in the ICC. When you log in there and try the same exploit, the screen reads “command prompt has been disabled by your administrator.” The difference is that the command line in the library is not disabled; only access to it from certain locations is.

What can be done to work around it:
The administrator is not assuming that someone wants access to the directories on the system. The restrictions on the account are mainly to deter the average user from accessing the command line.
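
The difference between the two labs can be checked from the policy side. The following PowerShell is an added example, not part of the original write-up: it assumes the ICC message comes from the Windows "Prevent access to the command prompt" user policy, which is stored as the DisableCMD registry value (a name not given on the page), and the function name Get-CmdPolicyState is hypothetical.

```powershell
# Added example: report whether the command prompt is actually disabled by
# policy for a user, or merely hidden from some locations (the library case).
# Assumption: the policy is stored per user as the DWORD DisableCMD under
# Software\Policies\Microsoft\Windows\System
#   1 = cmd.exe and batch files blocked
#   2 = interactive cmd.exe blocked, batch files still allowed
#   absent or 0 = not enforced
function Get-CmdPolicyState {
    param(
        # Registry root of the user hive to inspect (hypothetical parameter name)
        [string]$HiveRoot = 'HKCU:'
    )

    $key   = "$HiveRoot\Software\Policies\Microsoft\Windows\System"
    $value = $null
    if (Test-Path -Path $key) {
        $item = Get-ItemProperty -Path $key -Name DisableCMD -ErrorAction SilentlyContinue
        if ($item) { $value = $item.DisableCMD }
    }

    if ($value -eq 1) {
        $state = 'Blocked: cmd.exe and batch files'
    } elseif ($value -eq 2) {
        $state = 'Blocked: interactive cmd.exe only'
    } else {
        $state = 'NOT enforced: cmd.exe runs from any location the user can reach'
    }

    [pscustomobject]@{
        Hive       = $HiveRoot
        DisableCMD = $value
        State      = $state
    }
}

# Account that is currently logged in
Get-CmdPolicyState

# Every user hive currently loaded under HKEY_USERS (run from an elevated session)
Get-ChildItem -Path Registry::HKEY_USERS |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
    ForEach-Object { Get-CmdPolicyState -HiveRoot "Registry::$($_.Name)" }
```

A lab account that reports "NOT enforced" is in the library's state: shortcut creation may be blocked on the desktop, but cmd.exe itself will still start.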