I’m rebuilding my new Sony Vaio Z with Windows XP, and as usual there are a load of tweaks I need to make to the OS before I feel “at home” again. Since the fingerprint reader software on the new build has an annoying habit of popping up info balloons on every boot - regardless of how often I click them - I felt the need to Disable Notification Area Balloon Tips in Windows XP.
Much better.
And sorry Vista, I tried, I really did. I liked how your hot-swap driver support meant I could switch between stamina and speed modes without a reboot, but I hated your poor network performance against my NAS (even with SP1). Maybe I’ll try again on the next new laptop. Oh, and Sony? Thank you for my XP downgrade CD and drivers. Lovely.
Recently I needed to write a script that could locate a folder on a system that had particular characteristics. I was looking for hidden folders that the logged-on user had rights to read, write/append and execute on, i.e., they can drop a binary into the folder and then run it.
This is the script I came up with. It uses a WMI query and method to first locate all the hidden folders on the system, and then compare each one's effective permissions to a mask I created:
    strComputer = "."
    ' Connect to the local WMI service (root\cimv2 namespace)
    Set objWMIService = GetObject("winmgmts:" _
        & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
    Set colFiles = objWMIService.ExecQuery _
        ("Select * from Win32_Directory Where Hidden = True")
    wscript.echo "Hidden folders which you can write to..."
    intW = 0 ' initialise Writable folder count
    ' Iterate through each hidden folder on the computer
    For Each objFile in colFiles
        ' Ignore some well known hidden folders
        If InStr(lcase(objFile.Name), "documents and settings") or _
           InStr(lcase(objFile.Name), "$nt") or _
           InStr(lcase(objFile.Name), "$hf_mig$") or _
           InStr(lcase(objFile.Name), "ie7updates") or _
           InStr(lcase(objFile.Name), "visual studio") or _
           InStr(lcase(objFile.Name), "dllcache") or _
           InStr(lcase(objFile.Name), "$patchcache$") Then
            ' Skipped: the name matches one of the ignored folders
        Else
            ' Can we read (1), write (2, 4), and execute (32) in this folder?
            intPermissions = 39
            ' Use WMI method to compare permissions
            ' (True only if every right in the mask is held)
            If objFile.GetEffectivePermission(intPermissions) Then
                wscript.echo objFile.Name
                intW = intW + 1
            End If
        End If
    Next
    wscript.echo intW & " vulnerable folders."
This was important as part of a wider effort to prove a particular vulnerability existed. Imagine the scenario where a standard user is prevented from running unknown binaries except for one hidden folder somewhere on the system which is excluded from this protection. If one could quickly find that folder, the user could run whatever he liked.
I’m aware that there are plenty of command line tools that would have helped in this endeavour (such as AccessChk) but remember: this is a system where unauthorised apps cannot be run. It’s VBScript or nothing.
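A defender's counterpart to the script above, as an added example that is not part of the original post: instead of sweeping the disk, it takes the folders exempted from the execution restriction and reports which of the rights in mask 39 the current user holds on each, so the ACL can be tightened. The folder paths are constructed placeholders and AuditFolder is a hypothetical helper name.

```vbscript
' Added example: audit the folders exempted from the execution restriction.
' The paths below are constructed placeholders; substitute the exclusions
' from your own policy. Run with cscript as the standard user being assessed.
Option Explicit

Dim arrExcluded, arrRights, objWMIService, strPath, intRisky
arrExcluded = Array("C:\ExampleApp\Cache", "C:\ExampleVendor\Updates")

' Directory access-mask bits that make up the mask 39 used above
arrRights = Array( _
    Array(1,  "list/read"), _
    Array(2,  "add file"), _
    Array(4,  "add subfolder"), _
    Array(32, "traverse/execute"))

Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\.\root\cimv2")

intRisky = 0
For Each strPath In arrExcluded
    intRisky = intRisky + AuditFolder(strPath)
Next
WScript.Echo intRisky & " excluded folder(s) need their ACLs tightened."

' Returns 1 if the current user holds every right in mask 39, else 0
Function AuditFolder(strFolder)
    Dim colDirs, objDir, arrRight, strHeld, blnFound
    AuditFolder = 0
    blnFound = False
    ' WQL string literals need their backslashes doubled
    Set colDirs = objWMIService.ExecQuery( _
        "Select * from Win32_Directory Where Name = '" _
        & Replace(strFolder, "\", "\\") & "'")
    For Each objDir In colDirs
        blnFound = True
        strHeld = ""
        ' Test each right on its own to show which ones to remove
        For Each arrRight In arrRights
            If objDir.GetEffectivePermission(arrRight(0)) Then
                strHeld = strHeld & " [" & arrRight(1) & "]"
            End If
        Next
        If objDir.GetEffectivePermission(39) Then
            AuditFolder = 1
            WScript.Echo "RISK " & strFolder & ":" & strHeld
        Else
            WScript.Echo "ok   " & strFolder & ":" & strHeld
        End If
    Next
    If Not blnFound Then WScript.Echo "n/a  " & strFolder & " (not found)"
End Function
```

A folder reported as RISK is one where removing either the add-file right or the traverse/execute right from standard users closes the gap.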