| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu Nov 17 19:59:00 2005 From: pferrie at symantec.com (Peter Ferrie) Subject: another filename bypass vulnerability - from cmd.exe > Was doing some testing [xfocus-AD-051115] > The system is windows 2000 sp4 srp5 with > all other patches upto date. > At the command prompt cmd.exe execute > the following with the results. > > E:\TEMP>cd test > E:\TEMP\test>copy %windir%\system32\calc.exe > 1 file(s) copied. > E:\TEMP\test>ren calc.exe calc.exe.zip > E:\TEMP\test>dir /b > calc.exe.zip > E:\TEMP\test>calc.exe.zip > E:\TEMP\test> > ------------------------------------------------------------------- > This bring up the calc.exe on the screen. But this is old and well-known. Any file can be executed from the command-line by supplying the full name+extension. It has been so since Windows NT was released. Windows opens the file, and if Windows sees that it's a Windows executable, Windows runs it. However, it's not limited to executable files. Create a text file, name it "blah.txt", then type "blah.txt" and Notepad will open it. In that case, Windows sees that it's not a Windows file, and checks the registry for a handler. 8^) p.
Powered by blists - more mailing lists