lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <28915501A44DBA4587FE1019D675F98307C740@grfint.intern.adiscon.com>
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Subject: Jamming communication [COM] ports in windows...

> ---Description---
> In windows filenames like CON, AUX, PRN, CLOCK$ ,COM* , LPT* 
> [ "*" stands for 1, 2, 3, 4 etc... ] can't be created cauz 
> it's reserved for "System Device Driver" NAMES by OS itself.

Yes, and don't forget to mention that the file extension does not count.
So COM1.jpg is still serial port 1. ;)

> ---Exploit---

That is by design and - as far as I remember - stems back to CP/M.
Question is if it is smart do still stupport it in the way it is, but
that's another one... It's an publised API we had fun with around 1985,
too.

Please note that there are many legitimate useses for this and removing
it would break a lot of things.

The root issue is that no path is reserved for devices (like /dev in
*nix). Obviously, that wasn't necessary in DOS 1.0 & CP/M as there were
not pathes at all... But with recent advancements made in DOS 2.0 (or
was it 3.0? ;)), it now has become an issue. It might have been clever
to support it in /DEV/COMx only, but this is not done (by design).
Again, many legitimate uses for this... (for example "copy con com1" is
actually often very helpful. As is "echo SomeThingMalicious > COM2" ;-).

> Well, using simple command "say"
> 
> edit COM*                  [ "*" stands for 1, 2, 3, 4 etc... ]

Its astonishing, though, that Microsoft does not check this on its own
applications...

> ---<Example>---
> 
> c:\> edit COM8         < Here COM8 was actually reserved by 
> my MODEM in my computer >
> 
> type it in CMD prompt or "RUN" etc... Using this Any/EVERY 
> available communication port's in WINDOWS could be JAMMMED! 
> By using JUST the privileges of a "GUEST" account.
> 
> ---Summery---
> The exploits have been successfully tried in Windows xp pro. 
> and windows 98. I assume! It works in all versions of 
> windows. While trying the exploit THE COM* should not be in use.
  ^^^^^^^^
I don't have OS/2 at hand, but I think it works there, too. As I wrote,
it of course works on DOS. And /dev/xxx works on *nix ;).

> ---[Background Information]---
> These bug's were originally discovered by hUNT3R, [myself] a 
> member of 01 Security Submission. The vendor was notified via email.
> http://www.ysgnet.com/hn

Keep it straight: it's not a code bug in Windows. If it is a bug, than
it is a design bug. The bad thing is that there are many applications
out there not doing proper checks. I sent one example last week with the
ZIP file handlers. You send another one today. I quickly tested around
10 applications I had readily at hand, including open source tools. Many
failed. Microsoft office - at least - said "invalid file name (reserved
system name)".

Bottom line: application developers please be aware that those special
names are around. Of course, this eases porting applications ;)

Rainer


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ