Bugtraq mailing list archives

Re: MS-DOS Filename/Directory Vulnerability


From: Alun Jones <alun () texis com>
Date: Fri, 17 Aug 2001 08:05:35 -0500

At 06:32 PM 8/16/2001, Seth Arnold wrote:
> On Thu, Aug 16, 2001 at 07:08:16PM -0700, Felipe Moniz wrote:
> > I tested this in the PWS (based on IIS 4) and it worked.
> >
> > I created a file called "clientlist2001.txt" and with client~1.txt
> > (www.site.com/client~1.txt) I get the clientlist2001.txt without knowing the
> > complete name of the file. The problem also occurs when I type
> > "postin~1.htm" to access the "postinfo.html" file.
>
> This is a known problem. There is a switch that can be thrown somewhere
> (possibly only in the registry, but I thought I have seen a checkbox for
> this somewhere...) that does not generate the MSDOS names on NTFS
> partitions.
>
> Microsoft has written a guide to securing WinNT; I bet they have updated
> it for Win2k as well. They detail how to turn off the MSDOS filename
> support in that document.

As a general point, this is one place where numerous attacks have succeeded in the past, especially with programs that apply their own security onto the base Windows model. The example given by Felipe only works because he has access to the document in question - but this isn't always the case. A couple of frequently occurring vulnerabilities that have been found and fixed in various products, but might still occur in others:

A file protected as "long file name", but accessed as "longfi~1" eludes the protections that were supposed to be assigned to it. A file originally created on NTFS and then moved to FAT (or vice-versa) will often have a _different_ short file name on the new volume than it did on the old. Sometimes, even moving files (or more specifically, copying, whether followed by deletion of the original or not) from one location to another in the same file system will change the short file name.

If protection of any sort is assigned on the short path name, there are several possibilities that might cause failure of security (imagine, for instance, if your home directories are created as "home for eric", "home for fred", etc.; then a move to a new system, or perhaps even a restore from a not-too-cleverly-written backup (e.g. "just copy from another drive"), could swap the two homes around, in terms of access by their short path name).

Win32 platforms have long had an API call to turn a long path into a short path (GetShortPathName), but only relatively recently has there been an API call to do the reverse.

To users that are concerned about removing short path name functionality using the switch that Seth mentions, it's worth noting that Windows 2000 and XP, at least, have command-line completion capabilities that can be used in place of trying to remember which tilde-number combination to use. Running "CMD /?" in a command-prompt window will tell you how to enable the completion keys, and how to set them - either by a switch in a call to CMD, or by a registry setting.

Alun.
~~~~
P.S. Needless to say, we think we've been pretty careful about this for some time, but there's always room for error - please let us know about any vulnerabilities you find.
--
Texas Imperial Software   | Try WFTPD, the Windows FTP Server. Find us at
1602 Harvest Moon Place   | http://www.wftpd.com or email alun () texis com
Cedar Park TX 78613-1419  | VISA/MC accepted.  NT-based sites, be sure to
Fax/Voice +1(512)378-3246 | read details of WFTPD Pro for NT.
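As an added example, not part of this thread and not code from any product mentioned in it, the following Python models the simplified 8.3 short-name generation rules well enough to reproduce the aliases discussed above (client~1.txt, postin~1.htm, longfi~1), and then shows why an access check keyed on the long name is bypassed by the short alias, next to a check that canonicalizes the requested name first. The Volume class, short_name_83, looks_like_short_name and the PROTECTED list are constructed stand-ins for a real volume and for GetLongPathName, not Windows APIs; the "home for eric"/"home for fred" case illustrates the short-name swap described in the message.

```python
import re
from typing import Dict, Iterable, Optional, Set

# Characters legal in a long name but not in an 8.3 short name (simplified list).
_ILLEGAL_83 = set(' +,;=[]')

# A path component that looks like a generated short name: up to 6 chars, a tilde,
# a number, and an optional 1-3 character extension (e.g. CLIENT~1.TXT).
_SHORT_NAME_RE = re.compile(r'[^\\/.]{1,6}~\d+(\.[^\\/.]{1,3})?', re.IGNORECASE)


def looks_like_short_name(component: str) -> bool:
    """Cheap detection hook: does this path component look like an 8.3 alias?
    Useful for logging or alerting on requests, not as the access check itself."""
    return _SHORT_NAME_RE.fullmatch(component) is not None


def short_name_83(long_name: str, taken: Optional[Set[str]] = None) -> str:
    """Simplified model (constructed for this example) of how an 8.3 alias is
    derived: upper-case, strip characters the short namespace cannot hold,
    keep the first 6 characters of the base name, append ~N, keep 3 extension
    characters. Names that already fit 8.3 get no tilde."""
    taken = taken or set()
    if '.' in long_name:
        base, ext = long_name.rsplit('.', 1)
    else:
        base, ext = long_name, ''
    clean_base = ''.join(c for c in base.upper() if c not in _ILLEGAL_83 and c != '.')
    clean_ext = ''.join(c for c in ext.upper() if c not in _ILLEGAL_83)[:3]
    suffix = f".{clean_ext}" if clean_ext else ''
    if clean_base == base.upper() and clean_ext == ext.upper() and len(clean_base) <= 8:
        return clean_base + suffix          # already a valid 8.3 name
    stem = clean_base[:6]
    for n in range(1, 10):                  # real volumes go further; enough here
        candidate = f"{stem}~{n}{suffix}"
        if candidate not in taken:
            return candidate
    raise ValueError("short-name space exhausted in this simplified model")


class Volume:
    """Constructed in-memory directory that exposes every file under both its
    long name and a generated short alias, in creation order (so two files
    sharing a 6-character prefix get ~1 and ~2 in the order they were created)."""

    def __init__(self, long_names: Iterable[str]) -> None:
        self.short_to_long: Dict[str, str] = {}
        for name in long_names:
            short = short_name_83(name, set(self.short_to_long))
            self.short_to_long[short] = name

    def canonical(self, requested: str) -> Optional[str]:
        """Resolve a requested name (long or short, any case) to the stored
        long name; stands in for GetLongPathName. None if nothing matches."""
        upper = requested.upper()
        for short, long_name in self.short_to_long.items():
            if upper in (short, long_name.upper()):
                return long_name
        return None


# Constructed protection list keyed on long file names, lower-cased.
PROTECTED = {"clientlist2001.txt"}


def naive_is_allowed(requested: str) -> bool:
    """Flawed check: compares the name exactly as the client typed it."""
    return requested.lower() not in PROTECTED


def hardened_is_allowed(vol: Volume, requested: str) -> bool:
    """Canonicalize to the long name first, then authorize on that name.
    Unknown names are denied rather than passed through."""
    real = vol.canonical(requested)
    if real is None:
        return False
    return real.lower() not in PROTECTED


if __name__ == "__main__":
    vol = Volume(["clientlist2001.txt", "postinfo.html"])
    for req in ("clientlist2001.txt", "client~1.txt", "postin~1.htm"):
        print(f"{req:22} naive={naive_is_allowed(req)!s:5} "
              f"hardened={hardened_is_allowed(vol, req)!s:5} "
              f"short-alias={looks_like_short_name(req)}")
    homes = Volume(["home for eric", "home for fred"])
    print(homes.short_to_long)
    # Re-creating the same two directories in the other order swaps the aliases.
    print(Volume(["home for fred", "home for eric"]).short_to_long)
```

The second Volume built from the home directories in reversed order shows the failure mode Alun describes: the same long names map to the opposite short aliases, so any permission or configuration recorded against HOMEFO~1 now points at the other user's directory.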
