Vulnerability Development mailing list archives
Re: Crashing Win9x
From: mmarschall () VOICERITE COM (Michael Marschall)
Date: Thu, 23 Mar 2000 09:44:34 -0500
(of the same order of trickery as creating a file on Unix with a leading '-' character). This is really not that difficult. You just need to use the absolute path to delete the file. Alun Jones wrote:
I did some testing in school - basiclu every program (any daemon - ftp, http...) any user program... they all crush when request is issued for \con\con or anything else from this category. we did remote administration via novel (i just say remote execute c:\nul\nul, and voila). Sambar (4.something, i think) also crashes (when issued a request like GET /nul/ul HTTP1.0\n\n via telnet, or simply in browser [i used <A TARGET=nonlocal HREF="/external/http://computer.addres//nul/nul";> <A HREF="http://computer.addres//nul/nul</A">http://computer.addres//nul/nul</A</A>> from any browser.]). The only thing that was not vulnerable was apahe (1.3.12 i thing, with php extenzion, but that shouldn't matter). I will try other suff, and proably put on some page i I find something else that's not vulerable, or other ways to use thisThis has been a known awkwardness in Windows (and indeed anything based on the DOS underpinnings) for some time - we've had code that specifically checks for "CON", "PRN" or "AUX" for several years now, although one of our competitors actually makes a selling point of the idea that users can come in and write directly to your printer through their FTP server! Essentially, the word from Microsoft has so far been for apps not to create files called CON, PRN, AUX, COM1-4, LPT1- 3, or CLOCK$ (sorry if I've missed any). There are, however, a few ways and means to create files of such a name, and they've proven traditionally to be a little tricky to remove (of the same order of trickery as creating a file on Unix with a leading '-' character). Sadly, there's no function that I'm aware of to tell you whether a file name is reserved or not, and each such device name is assumed by the OS to exist in every folder on your system. Alun. ~~~~
-- Michael Marschall Infrastructure Manager VoiceRite, Inc. 7725 NW 48th St. Miami, Florida 33166 Phone / Fax / Pager : 305 436 1574
Current thread:
- Re: Crashing Win9x PCbob - Slobodan miskoviC (Mar 15)
- Re: Crashing Win9x Alun Jones (Mar 20)
- Re: Crashing Win9x Michael Marschall (Mar 23)
- Re: Crashing Win9x Alun Jones (Mar 23)
- MS IIS - HTR still a problem? Pete Philips (Mar 23)
- Re: Crashing Win9x Troy Ablan (Mar 23)
- Re: Crashing Win9x Alexander Sanda (Mar 27)
- Re: Crashing Win9x Michael Marschall (Mar 23)
- Re: Crashing Win9x Alun Jones (Mar 20)