RE: directory traversal

["Kayne Ian (Softlab)" <Ian.Kayne () softlab co uk>]

It seems like cmd.exe holds some internal table of it's current location in
the directory tree:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

C:\WINNT>cd \winnt\system32\drivers\etc

C:\WINNT\SYSTEM32\DRIVERS\ETC>cd \.....\

C:\>cd winnt
The filename, directory name, or volume label syntax is incorrect.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

However, if you now:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

C:\>cd .

C:\>cd winnt

C:\WINNT>

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Therefore, it seems as though "." and "\" cause cmd.exe to reset it's
current location in the tree. There is also a limit to these fullstop
traversal problems:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

C:\WINNT\SYSTEM32\DRIVERS\ETC>cd
\..............................................
............................................................................
....
............................................................................
....
.................................................\
The system cannot find the path specified.

C:\WINNT\SYSTEM32\DRIVERS\ETC>cd
\..............................................
............................................................................
....
............................................................................
....
................................................\

C:\>

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Here is some more odd behaviour:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

C:\>cd \winnt\system32\drivers\etc

C:\WINNT\SYSTEM32\DRIVERS\ETC>cd \.........\

C:\>cd winnt
The system cannot find the path specified.

C:\>echo test > test.tst

C:\>dir test.*
 Volume in drive C has no label.
 Volume Serial Number is 1CD6-96D5

 Directory of C:\

08/02/2002  09:14                    7 test.tst
               1 File(s)              7 bytes
               0 Dir(s)   1,429,721,600 bytes free

C:\>copy test.tst winnt
        1 file(s) copied.

C:\>dir winnt\test.*
 Volume in drive C has no label.
 Volume Serial Number is 1CD6-96D5

 Directory of C:\winnt

08/02/2002  09:14                    7 test.tst
               1 File(s)              7 bytes
               0 Dir(s)   1,429,721,600 bytes free

C:\>dir test.*
 Volume in drive C has no label.
 Volume Serial Number is 1CD6-96D5

 Directory of C:\

08/02/2002  09:14                    7 test.tst
               1 File(s)              7 bytes
               0 Dir(s)   1,429,721,600 bytes free

C:\>del test.tst

C:\>cd winnt
The system cannot find the path specified.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

So copy and dir, both internal to cmd.exe can handle this, but whatever it
is that parses and controls the dir tree in cmd.exe can't. Very odd. I've
been trying to find out where cmd thinks it is after a \.......\, but so far
no luck.

Ian Kayne
Technical Specialist - IT Solutions
Softlab Ltd - A BMW Company


> -----Original Message-----
> From: Piyush Agarwal [mailto:pvagarwal () yahoo com]
> Sent: 07 February 2002 20:13
> To: Levenglick, Jeff; Jim Nanney; Strumpf Noir Society
> Cc: vuln-dev () securityfocus com
> Subject: RE: directory traversal
>
>
> hi,
> It seems you are right...
> But here is something more that I found:
>
> (Running cmd.exe on Win2k)
> Microsoft Windows 2000 [Version 5.00.2195]
> (C) Copyright 1985-2000 Microsoft Corp.
>
> C:\>cd winnt\system32
>
> C:\WINNT\system32>cd \.\
>
> C:\>cd winnt\system32
>
> C:\WINNT\system32>cd \..\
>
> C:\>cd winnt\system32
>
> C:\WINNT\system32>cd \...\
>
> C:\>cd winnt\system32
>
> C:\WINNT\system32>cd \....\
>
> C:\>cd winnt\system32
>
> C:\WINNT\system32>cd \.........\
>
> C:\>cd winnt\system32
> The system cannot find the path specified.
>
> C:\>cd winnt\system32
> The system cannot find the path specified.
>
> C:\>cd winnt
> The system cannot find the path specified.
>
> C:\>
>
> It seems that the cd command just stops working when I
> carried out the above steps......weird!! Anybody care
> to explain ?
>
> Regards,
> Piyush Agarwal
>
>
> --- "Levenglick, Jeff" <jlevenglick () fhlbatl com>
> wrote:
> > I also tried it, but I think you might be missing
> > what it is doing.
> >
> > It looks like it takes the cd \  and ignores
> > everything after it.
> >
> > I tried  cd \.\ and cd \..\ and got the same results
> >
> > -----Original Message-----
> > From: Piyush Agarwal [mailto:pvagarwal () yahoo com]
> > Sent: Wednesday, February 06, 2002 1:31 PM
> > To: Jim Nanney; Strumpf Noir Society
> > Cc: vuln-dev () securityfocus com
> > Subject: Re: directory traversal
> >
> >
> > On Win 2k (running cmd.exe)
> >
> > C:\>cd winnt
> >
> > C:\WINNT>cd system32
> >
> > C:\WINNT\system32>cd \...\
> >
> > C:\>
> >
> > On same machine (now running Command.com)
> >
> > C:\>cd winnt
> >
> > C:\WINNT>cd system32
> >
> > C:\WINNT\SYSTEM32>cd \...\
> > Invalid directory
> >
> > C:\WINNT\SYSTEM32>
> >
> > So u can see that on Win2K the triple dot traversal
> > works in cmd.exe but not in command.com......anyone
> > wanting to dig deeper in this ?? :-)
> >
> > - Piyush Agarwal
> >
> >
> > --- Jim Nanney <jnanney () datasync com> wrote:
> > > I'm just a lurker here, but a simple thought...
> > >
> > > I saw this and thought well it probably has to do
> > > with cmd.exe of win2k
> > >
> > > On my win2k machine using cmd.exe:
> > > ************************************
> > >
> > > C:\>cd winnt\system32\drivers
> > >
> > > C:\WINNT\system32\drivers>cd \...\
> > >
> > > C:\>
> > >
> > > on my win98 machine using command.com
> > > *************************************
> > >
> > > C:\>cd windows\system32\drivers
> > >
> > > C:\WINDOWS\SYSTEM32\DRIVERS>cd \...\
> > > Bad command or file name
> > >
> > > C:\WINDOWS\SYSTEM32\DRIVERS>
> > >
> > > Can't give you reasons why, but given the little
> > > information supplied I
> > > would bet it would be system calls opening a shell
> > > and thus the reason for
> > > the /.../ working on win2k and not 98.
> > >
> > > --Jim Nanney
> >
> >
> >
> > __________________________________________________
> > Do You Yahoo!?
> > Send FREE Valentine eCards with Yahoo! Greetings!
> > http://greetings.yahoo.com
> >  
> ______________________________________________________________
> ______________
> > This e-mail message is private and may contain
> > confidential or privileged
> > information.
>
>
> __________________________________________________
> Do You Yahoo!?
> Send your FREE holiday greetings online!
> http://greetings.yahoo.com


******************************************************************** 
This email and any files transmitted with it are confidential and 
intended solely for the use of the individual or entity to whom 
they are addressed. 

If you are not the intended recipient or the person responsible for 
delivering to the intended recipient, be advised that you have received 
this email in error and that any use of the information contained within 
this email or attachments is strictly prohibited. 

Internet communications are not secure and Softlab does not accept 
any legal responsibility for the content of this message. Any opinions 
expressed in the email are those of the individual and not necessarily 
those of the Company. 

If you have received this email in error, or if you are concerned with 
the content of this email please notify the IT helpdesk by telephone 
on +44 (0)121 788 5480. 

********************************************************************