Microsoft Fax Service

allen

Archived from groups: microsoft.public.win2000.security

Windows 2000 server

I've found what I believe to be a hole in security with
Windows 2000. I haven't checked 2003 yet. I also didn't find
this in Windows XP Pro. Presume no fax devices are
installed.

Go to DOS
At the root of c:\ type the command below
cd documents and settings\all users\documents\my faxes
then type "Dir"
All of the fax directories are visible when you do a dir

"Common Coverpages"
"received Faxes"
"Sent Faxes"

Directories are not viewable within Explorer GUI. Only
visible using the command line.

Any hacker can create/copy/execute files within any
directory
Example
C:\Documents and Settings\All Users\Documents\My Faxes>copy con test.cmd
notepade.exe
^Z
        1 file(s) copied.

C:\Documents and Settings\All Users\Documents\My Faxes>dir
 Volume in drive C has no label.
 Volume Serial Number is EC38-8C60

 Directory of C:\Documents and Settings\All Users\Documents\My Faxes

07/30/2004  12:26p      <DIR>          Common Coverpages
07/30/2004  12:32p      <DIR>          Received Faxes
07/30/2004  12:32p      <DIR>          Sent Faxes
08/27/2004  01:26p                  14 test.cmd
               1 File(s)             14 bytes
               3 Dir(s)   2,328,305,664 bytes free

C:\Documents and Settings\All Users\Documents\My Faxes>test.cmd

Notepad launches...

Any Ideas ???
 
Guest

Are you logged on locally as the administrator?

If you are then you should have access to all of this and this is normal
Windows behavior. Secondly for this to really rise to the level of a
security issue you would have to be able to do this while not logged onto
the machine.
--
Curtis Koenig
Security Support Engineer
Product Support Services, Security Team
MCSE, MCSES, CISSP

This posting is provided "AS IS" with no warranties and confers no rights.
Please reply to the newsgroup so that others may benefit. Thanks!

--------------------
>From: "Allen" <anonymous@discussions.microsoft.com>
>Subject: Microsoft Fax Service
>Date: Fri, 27 Aug 2004 11:44:16 -0700

Guest

What do you mean by any hacker, or do you mean user? Users can already write and
execute files from the profile folders, though I agree it may be undesirable to have
them be able to write to folders outside of their profile. --- Steve


"Any hacker can create/copy/execute files within any
directory
Example
C:\Documents and Settings\All Users\Documents\My
Faxes>copy con test.cmd
notepade.exe"

"Allen" <anonymous@discussions.microsoft.com> wrote in message
news:196701c48c65$dae012c0$a301280a@phx.gbl...
>
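
As an added example (not part of any post in this thread): the replies above turn on which accounts hold write access to the folder, which `cacls` reports on Windows 2000. The Python below parses saved `cacls` output and lists principals other than Administrators and SYSTEM that hold write-capable rights; the sample ACL is constructed for illustration and is not the real ACL of any system.

```python
import re

# Folder from the thread; SAMPLE is a constructed ACL, not real output.
FOLDER = r"C:\Documents and Settings\All Users\Documents\My Faxes"
SAMPLE = FOLDER + r""" BUILTIN\Administrators:(OI)(CI)F
    NT AUTHORITY\SYSTEM:(OI)(CI)F
    Everyone:(OI)(CI)C
    BUILTIN\Users:(OI)(CI)R
"""

WRITE_RIGHTS = {"W", "C", "F"}   # cacls letters: Write, Change, Full control
TRUSTED = {"BUILTIN\\Administrators", "NT AUTHORITY\\SYSTEM"}


def parse_cacls(output, folder):
    """Return [(principal, right)] from cacls output for one folder."""
    entries = []
    for line in output.splitlines():
        line = line.strip()
        # The first output line starts with the path; drop it so the
        # drive-letter colon is not mistaken for the principal separator.
        if line.lower().startswith(folder.lower()):
            line = line[len(folder):].strip()
        if ":" not in line:
            continue  # blank line or a special-access detail line
        principal, _, rest = line.partition(":")
        # Remove inheritance flags such as (OI)(CI)(IO), keep the right.
        right = re.sub(r"\((?:OI|CI|IO)\)", "", rest).strip()
        entries.append((principal, right))
    return entries


def broad_writers(entries):
    """Non-admin principals that can create files, or need manual review."""
    return [(p, r) for p, r in entries
            if p not in TRUSTED
            and (r in WRITE_RIGHTS or "special access" in r)]


if __name__ == "__main__":
    for principal, right in broad_writers(parse_cacls(SAMPLE, FOLDER)):
        print(f"{principal} holds '{right}' on {FOLDER}")
```

Entries reported with "special access" carry a custom permission set that the single-letter rights do not describe, so they are flagged for manual review rather than judged.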