RE: SurgeFTP vulnerabilities

["David LeBlanc" <dleblanc () mindspring com>]

> -----Original Message-----
> From: Alun Jones [mailto:alun () texis com]

> > Exploit:
> > 2.) Connect to the server with anonymous and type cd con/con
> (yes, this is
> > well know and works with MANY other too, but we think it should be
> > filtered).

> While filtering such a command line may be a worthy
> suggestion, and is
> certainly implemented in our own software, it is far from a
> perfect (or
> even appropriate) solution.
>
> CON/CON is easy to avoid - you just filter on CON/CON.

> There is no system call (that I could find after several days
> of searching) that will enumerate the available DDNs

I'm not entirely sure how you'd do this on Win9x, but if you're dealing with
a NT or Win2k system, the following will help:

DOS Devices Control Entries
The DosDevices subkey lists the built-in symbolic links to create at
startup. The values are stored under this subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\DOS
Devices
Entries in this subkey have the data type of REG_SZ. The following list
shows the default entries under this subkey.

AUX=\DosDevices\COM1
MAILSLOT=\Device\MailSlot
NUL=\Device\Null
PIPE=\Device\NamedPipe
PRN=\DosDevices\LPT1
TELNET=\Device\Telnet
UNC=\Device\Mup

I would imagine that a similar key exists on a Win9x system.

Oh - while browsing the SDK looking for a work-around, here's the API you're
looking for:
"To retrieve the current mapping for a particular MS-DOS device name or to
obtain a list of all MS-DOS devices known to the system, use the
QueryDosDevice function."

You should also be able to call CreateFile() on a directory with a flag of
OPEN_EXISTING set, and check to see if it exists before handing it off to
SetCurrentDirectory(). I don't know if that works around the problem, but it
very well might. Something else to try would be to make a call to
GetFileAttributes and see if the FILE_ATTRIBUTE_DIRECTORY bit is set. Or
combine the two with CreateFile and GetFileInformationByHandle.

Being an NT bigot, I have successfully avoided ever having to write an app
that I had to support on Win9x, so I'm not sure which of these suggestions
will help you avoid problems on that platform, but I did just check and
QueryDosDevice is supported on Win98.

Hope this helps.