Bugtraq mailing list archives
RE: SurgeFTP vulnerabilities
From: "David LeBlanc" <dleblanc () mindspring com>
Date: Mon, 25 Jun 2001 10:13:48 -0700
-----Original Message-----
From: Alun Jones [mailto:alun () texis com]

Exploit: 2.) Connect to the server with anonymous and type cd con/con (yes, this is well known and works with MANY other too, but we think it should be filtered).
While filtering such a command line may be a worthy suggestion, and is certainly implemented in our own software, it is far from a perfect (or even appropriate) solution. CON/CON is easy to avoid - you just filter on CON/CON.
There is no system call (that I could find after several days of searching) that will enumerate the available DDNs
I'm not entirely sure how you'd do this on Win9x, but if you're dealing with an NT or Win2k system, the following will help:

DOS Devices Control Entries

The DosDevices subkey lists the built-in symbolic links to create at startup. The values are stored under this subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\DOS Devices

Entries in this subkey have the data type of REG_SZ. The following list shows the default entries under this subkey.

AUX=\DosDevices\COM1
MAILSLOT=\Device\MailSlot
NUL=\Device\Null
PIPE=\Device\NamedPipe
PRN=\DosDevices\LPT1
TELNET=\Device\Telnet
UNC=\Device\Mup

I would imagine that a similar key exists on a Win9x system.

Oh - while browsing the SDK looking for a work-around, here's the API you're looking for:

"To retrieve the current mapping for a particular MS-DOS device name or to obtain a list of all MS-DOS devices known to the system, use the QueryDosDevice function."

You should also be able to call CreateFile() on a directory with a flag of OPEN_EXISTING set, and check to see if it exists before handing it off to SetCurrentDirectory(). I don't know if that works around the problem, but it very well might. Something else to try would be to make a call to GetFileAttributes and see if the FILE_ATTRIBUTE_DIRECTORY bit is set. Or combine the two with CreateFile and GetFileInformationByHandle.

Being an NT bigot, I have successfully avoided ever having to write an app that I had to support on Win9x, so I'm not sure which of these suggestions will help you avoid problems on that platform, but I did just check and QueryDosDevice is supported on Win98.

Hope this helps.
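An added example, not part of the original message or of any product discussed in the thread: a server-side check that rejects a path when any component matches a name from the device list, instead of filtering only on CON/CON. The names `path_hits_device` and `SAMPLE_DEVICES` are hypothetical; the sample buffer is constructed in the multi-string layout that QueryDosDevice returns when asked for all devices, and ignoring a component's extension and trailing spaces is a conservative assumption of this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
/* Constructed sample: NUL-terminated names back to back, ended by one extra
 * NUL. On Windows, fill a buffer with QueryDosDeviceA(NULL, buf, size). */
static const char SAMPLE_DEVICES[] = "AUX\0CON\0MAILSLOT\0NUL\0PIPE\0PRN\0UNC\0";

/* Case-insensitive compare of a[0..n) against the NUL-terminated name b. */
static int name_equals(const char *a, size_t n, const char *b)
{
    if (strlen(b) != n) return 0;
    for (size_t i = 0; i < n; i++)
        if (toupper((unsigned char)a[i]) != toupper((unsigned char)b[i])) return 0;
    return 1;
}

/* Returns 1 if comp[0..n) names a device in the list. Everything from the
 * first '.' or ':' on is ignored, as are spaces before it (assumption). */
static int component_is_device(const char *comp, size_t n, const char *devices)
{
    size_t stem = 0;
    while (stem < n && comp[stem] != '.' && comp[stem] != ':') stem++;
    while (stem > 0 && comp[stem - 1] == ' ') stem--;
    for (const char *d = devices; *d; d += strlen(d) + 1)  /* walk multi-string */
        if (name_equals(comp, stem, d)) return 1;
    return 0;
}

/* Returns 1 if any '/'- or '\'-separated component of path is a device name. */
int path_hits_device(const char *path, const char *devices)
{
    const char *start = path;
    for (const char *p = path; ; p++) {
        if (*p == '/' || *p == '\\' || *p == '\0') {
            if (p > start && component_is_device(start, (size_t)(p - start), devices)) return 1;
            if (*p == '\0') return 0;
            start = p + 1;  /* next component begins after the separator */
        }
    }
}

int main(void)
{
    const char *tests[] = { "con/con", "pub/incoming", "pub\\Nul.txt" };
    for (size_t i = 0; i < 3; i++)
        printf("%-14s -> %s\n", tests[i],
               path_hits_device(tests[i], SAMPLE_DEVICES) ? "reject" : "ok");
    return 0;
}
```

Because the list comes from the system at run time, a directory that legitimately shares a name with a listed device is rejected as well.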