Vulnerability Development mailing list archives
RE: directory traversal
From: "Kayne Ian (Softlab)" <Ian.Kayne () softlab co uk>
Date: Fri, 8 Feb 2002 09:25:05 -0000
It seems like cmd.exe holds some internal table of its current location in the directory tree:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
C:\WINNT>cd \winnt\system32\drivers\etc
C:\WINNT\SYSTEM32\DRIVERS\ETC>cd \.....\
C:\>cd winnt
The filename, directory name, or volume label syntax is incorrect.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

However, if you now:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
C:\>cd .
C:\>cd winnt
C:\WINNT>
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Therefore, it seems as though "." and "\" cause cmd.exe to reset its current location in the tree.

There is also a limit to these fullstop traversal problems:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
C:\WINNT\SYSTEM32\DRIVERS\ETC>cd \.............................................. ............................................................................ .... ............................................................................ .... .................................................\
The system cannot find the path specified.
C:\WINNT\SYSTEM32\DRIVERS\ETC>cd \.............................................. ............................................................................ .... ............................................................................ .... ................................................\
C:\>
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Here is some more odd behaviour:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
C:\>cd \winnt\system32\drivers\etc
C:\WINNT\SYSTEM32\DRIVERS\ETC>cd \.........\
C:\>cd winnt
The system cannot find the path specified.
C:\>echo test > test.tst
C:\>dir test.*
 Volume in drive C has no label.
 Volume Serial Number is 1CD6-96D5

 Directory of C:\

08/02/2002  09:14                     7 test.tst
               1 File(s)              7 bytes
               0 Dir(s)   1,429,721,600 bytes free
C:\>copy test.tst winnt
        1 file(s) copied.
C:\>dir winnt\test.*
 Volume in drive C has no label.
 Volume Serial Number is 1CD6-96D5

 Directory of C:\winnt

08/02/2002  09:14                     7 test.tst
               1 File(s)              7 bytes
               0 Dir(s)   1,429,721,600 bytes free
C:\>dir test.*
 Volume in drive C has no label.
 Volume Serial Number is 1CD6-96D5

 Directory of C:\

08/02/2002  09:14                     7 test.tst
               1 File(s)              7 bytes
               0 Dir(s)   1,429,721,600 bytes free
C:\>del test.tst
C:\>cd winnt
The system cannot find the path specified.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

So copy and dir, both internal to cmd.exe, can handle this, but whatever it is that parses and controls the dir tree in cmd.exe can't. Very odd. I've been trying to find out where cmd thinks it is after a \.......\, but so far no luck.

Ian Kayne
Technical Specialist - IT Solutions
Softlab Ltd - A BMW Company

-----Original Message-----
From: Piyush Agarwal [mailto:pvagarwal () yahoo com]
Sent: 07 February 2002 20:13
To: Levenglick, Jeff; Jim Nanney; Strumpf Noir Society
Cc: vuln-dev () securityfocus com
Subject: RE: directory traversal

hi,

It seems you are right... But here is something more that I found:

(Running cmd.exe on Win2k)

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\>cd winnt\system32
C:\WINNT\system32>cd \.\
C:\>cd winnt\system32
C:\WINNT\system32>cd \..\
C:\>cd winnt\system32
C:\WINNT\system32>cd \...\
C:\>cd winnt\system32
C:\WINNT\system32>cd \....\
C:\>cd winnt\system32
C:\WINNT\system32>cd \.........\
C:\>cd winnt\system32
The system cannot find the path specified.
C:\>cd winnt\system32
The system cannot find the path specified.
C:\>cd winnt
The system cannot find the path specified.
C:\>

It seems that the cd command just stops working when I carried out the above steps......weird!! Anybody care to explain?

Regards,
Piyush Agarwal

--- "Levenglick, Jeff" <jlevenglick () fhlbatl com> wrote:

I also tried it, but I think you might be missing what it is doing. It looks like it takes the cd \ and ignores everything after it. I tried cd \.\ and cd \..\ and got the same results.

-----Original Message-----
From: Piyush Agarwal [mailto:pvagarwal () yahoo com]
Sent: Wednesday, February 06, 2002 1:31 PM
To: Jim Nanney; Strumpf Noir Society
Cc: vuln-dev () securityfocus com
Subject: Re: directory traversal

On Win 2k (running cmd.exe)

C:\>cd winnt
C:\WINNT>cd system32
C:\WINNT\system32>cd \...\
C:\>

On same machine (now running Command.com)

C:\>cd winnt
C:\WINNT>cd system32
C:\WINNT\SYSTEM32>cd \...\
Invalid directory
C:\WINNT\SYSTEM32>

So you can see that on Win2K the triple dot traversal works in cmd.exe but not in command.com......anyone wanting to dig deeper in this ?? :-)

- Piyush Agarwal

--- Jim Nanney <jnanney () datasync com> wrote:

I'm just a lurker here, but a simple thought...

I saw this and thought well it probably has to do with cmd.exe of win2k

On my win2k machine using cmd.exe:
************************************
C:\>cd winnt\system32\drivers
C:\WINNT\system32\drivers>cd \...\
C:\>

on my win98 machine using command.com
*************************************
C:\>cd windows\system32\drivers
C:\WINDOWS\SYSTEM32\DRIVERS>cd \...\
Bad command or file name
C:\WINDOWS\SYSTEM32\DRIVERS>

Can't give you reasons why, but given the little information supplied I would bet it would be system calls opening a shell and thus the reason for the /.../ working on win2k and not 98.

--Jim Nanney
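Added example, not part of the original thread or of any poster's code: the sessions above show that a path segment made up only of dots can land somewhere other than where a two-dot check would predict, so a program accepting path input can refuse such segments outright instead of trying to interpret them. The function names and the policy are assumptions for illustration; refusing segments that end in a dot or space goes slightly beyond what the thread tests.

```python
import re

_SEP = re.compile(r"[\\/]+")        # either separator, runs collapsed
_DRIVE = re.compile(r"^[A-Za-z]:")  # optional drive prefix

def audit_path(path):
    """Return [(segment, finding), ...] for segments this policy refuses.

    Hypothetical policy: "." is harmless, ".." is reported as a parent
    reference, any longer dot-only segment is refused rather than
    interpreted, and (beyond the thread) so is a trailing dot or space.
    """
    findings = []
    for seg in _SEP.split(_DRIVE.sub("", path)):
        if seg in ("", "."):
            continue  # empty or current-directory segment
        if set(seg) == {"."}:
            # Report very long runs by length instead of echoing them back.
            label = seg if len(seg) <= 8 else f"{len(seg)} dots"
            kind = "parent-reference" if seg == ".." else "multi-dot"
            findings.append((label, kind))
        elif seg != seg.rstrip(". "):
            findings.append((seg, "trailing-dot-or-space"))
    return findings

def is_acceptable(path):
    """True when no segment of the path is refused by audit_path()."""
    return not audit_path(path)

# Constructed inputs modelled on the cd arguments shown in the thread.
SAMPLES = [
    "\\winnt\\system32\\drivers\\etc",
    "\\.\\",
    "\\..\\",
    "\\...\\",
    "\\.........\\",
    "\\" + "." * 200 + "\\",
    "C:\\winnt.\\etc",
]

if __name__ == "__main__":
    for p in SAMPLES:
        shown = p if len(p) <= 40 else f"<{len(p)} chars>"
        print(f"{shown!r:45} {audit_path(p) or 'ok'}")
```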