Full Disclosure mailing list archives
Re: Windows XP bug
From: Christian Sciberras <uuf6429 () gmail com>
Date: Thu, 8 Jul 2010 13:56:54 +0200
Just a small note that platform bugs are a poor excuse to sloppy coding like Juan mentioned. Allowing unfiltered web user input for use in path names is always a bad idea. Filtering out path delimiters would already be a huge improvement. Nice find by the way. Regards, Chris. On Thu, Jul 8, 2010 at 1:37 PM, Juan Galiana <jgaliana () gmail com> wrote:
This "feature" is useful to exploit path traversal in windows environments through web applications. In this case (I saw it plenty of times): <?php require_once("help/help_".$_GET['lang'] .".php"); ?> You can exploit it in windows with this PoC: http://server/file.php?a=/../../../../../../boot.ini%00 because help/help_/../../../../../../boot.ini exists for windows and the non-existing help_ directory is not breaking the instruction. Otherwise, in linux is not possible to perform this kind of attacks due we can't reference non-existing directories $ ls -l noexist/../ ls: cannot access noexist/../: No such file or directory An attack like http://server/file.php?a=/../../../../../../etc/passwd%00 won't work Good approach! Best Regards, On Thu, Jul 8, 2010 at 10:13 AM, Vipul Agarwal <vipul () nuttygeeks com> wrote:First, the bug seems to be useless but you deployed it cleverly in the PoC. It could be something rare but makes web apps on Windows vulnerable with some exceptions. Nice work! On Thu, Jul 8, 2010 at 1:08 PM, Sagar Belure <sagar.belure () gmail com>wrote:On Wed, Jul 7, 2010 at 10:54 AM, BlackHawk <hawkgotyou () gmail com>wrote:Hi list, i recently discovered a very small Windows XP bug, kind of useless alone but that could be usefull in some scenarios. Explanation: when you try to access a non existing directory though shell command "cd", XP returns an error (obviously), but if you cd to a non-existing & move one directory up, you'll not get any error. Example: --- C:\>cd ./somerandomchars <-- Will give an error Impossibile trovare il percorso specificato. C:\>cd ./somerandomchars/../ <-- Everything is ok C:\> --- PoC on how to make this thing usefull:http://www.scribd.com/doc/28080332/Podcast-Generator-1-3-Arbitrary-File-Download-WindowsHope this could be useful for you in some way.. -- BlackHawk - hawkgotyou () gmail com Sent with Gmail _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/Never seen this before. But, it's very obvious, as you are 'changing directory'(cd thisdoesntexist/) to a non existing folder and then getting out of it(../). But, there is difference with evaluation/calculation in windows andlinux.Here is how... On Windows Box... C:\>cd thisdoesntexist/ The system cannot find the path specified. C:\>cd thisdoesntexist/../ C:\>cd thisdoesntexist/thisonetoo/../ The system cannot find the path specified. C:\>cd thisdoesntexist/thisonetoo/../../ C:\> On Linux box... one@ubuntubox:~$ cd thisdoesntexist/ -bash: cd: thisdoesntexist: No such file or directory one@ubuntubox:~$ cd thisdoesntexist/../ -bash: cd: thisdoesntexist/../: No such file or directory one@ubuntubox:~$ -- Thanks, Sagar Belure Security Analyst Secfence Technologies www.secfence.com _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/-- Thanks and Regards, Vipul Agarwal _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Windows XP bug BlackHawk (Jul 07)
- Re: Windows XP bug T Biehn (Jul 07)
- Re: Windows XP bug Duboucher Thomas (Jul 08)
- Re: Windows XP bug Sagar Belure (Jul 08)
- Re: Windows XP bug Vipul Agarwal (Jul 08)
- Re: Windows XP bug Juan Galiana (Jul 08)
- Re: Windows XP bug Christian Sciberras (Jul 08)
- Re: Windows XP bug Vipul Agarwal (Jul 08)
- Re: Windows XP bug Robert Święcki (Jul 08)
- Re: Windows XP bug T Biehn (Jul 07)