Message-ID: <AANLkTikQHsPvg02VlvLv1ljaB7_vwfiD2CLTXmbpCuca@mail.gmail.com>
Date: Thu, 8 Jul 2010 13:56:54 +0200
From: Christian Sciberras <uuf6429@...il.com>
To: Juan Galiana <jgaliana@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Windows XP bug
Just a small note that platform bugs are a poor excuse for sloppy coding like
Juan mentioned.
Allowing unfiltered web user input for use in path names is always a bad
idea.
Filtering out path delimiters would already be a huge improvement.
Nice find by the way.
Regards,
Chris.
On Thu, Jul 8, 2010 at 1:37 PM, Juan Galiana <jgaliana@...il.com> wrote:
> This "feature" is useful to exploit path traversal in windows
> environments through web applications.
>
> In this case (I saw it plenty of times):
>
> <?php require_once("help/help_".$_GET['lang'] .".php"); ?>
>
>
> You can exploit it in windows with this PoC:
>
> http://server/file.php?a=/../../../../../../boot.ini%00
>
>
> because help/help_/../../../../../../boot.ini exists for windows and
> the non-existing help_ directory is not breaking the instruction.
>
>
> Otherwise, in Linux it is not possible to perform this kind of attack
> because we can't reference non-existing directories
>
> $ ls -l noexist/../
> ls: cannot access noexist/../: No such file or directory
>
>
> An attack like http://server/file.php?a=/../../../../../../etc/passwd%00
> won't work
>
> Good approach!
>
> Best Regards,
>
> On Thu, Jul 8, 2010 at 10:13 AM, Vipul Agarwal <vipul@...tygeeks.com> wrote:
> > First, the bug seems to be useless but you deployed it cleverly in the
> > PoC. It could be something rare but makes web apps on Windows
> > vulnerable with some exceptions.
> >
> > Nice work!
> >
> > On Thu, Jul 8, 2010 at 1:08 PM, Sagar Belure <sagar.belure@...il.com> wrote:
> >> On Wed, Jul 7, 2010 at 10:54 AM, BlackHawk <hawkgotyou@...il.com> wrote:
> >>> Hi list, I recently discovered a very small Windows XP bug, kind of
> >>> useless alone but that could be useful in some scenarios.
> >>>
> >>> Explanation:
> >>>
> >>> when you try to access a non existing directory through shell command
> >>> "cd", XP returns an error (obviously), but if you cd to a non-existing
> >>> & move one directory up, you'll not get any error.
> >>>
> >>> Example:
> >>> ---
> >>> C:\>cd ./somerandomchars <-- Will give an error
> >>> Impossibile trovare il percorso specificato.
> >>>
> >>> C:\>cd ./somerandomchars/../ <-- Everything is ok
> >>>
> >>> C:\>
> >>> ---
> >>>
> >>> PoC on how to make this thing useful:
> >>>
> >>> http://www.scribd.com/doc/28080332/Podcast-Generator-1-3-Arbitrary-File-Download-Windows
> >>>
> >>> Hope this could be useful for you in some way..
> >>>
> >>> --
> >>> BlackHawk - hawkgotyou@...il.com
> >>>
> >>> Sent with Gmail
> >>>
> >>> _______________________________________________
> >>> Full-Disclosure - We believe in it.
> >>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> >>> Hosted and sponsored by Secunia - http://secunia.com/
> >>>
> >>
> >> Never seen this before.
> >> But, it's very obvious, as you are 'changing directory'(cd
> >> thisdoesntexist/) to a non existing folder and then getting out of
> >> it(../).
> >>
> >> But, there is difference with evaluation/calculation in windows and linux.
> >> Here is how...
> >>
> >> On Windows Box...
> >>
> >> C:\>cd thisdoesntexist/
> >> The system cannot find the path specified.
> >>
> >> C:\>cd thisdoesntexist/../
> >>
> >> C:\>cd thisdoesntexist/thisonetoo/../
> >> The system cannot find the path specified.
> >>
> >> C:\>cd thisdoesntexist/thisonetoo/../../
> >>
> >> C:\>
> >>
> >>
> >> On Linux box...
> >>
> >> one@...ntubox:~$ cd thisdoesntexist/
> >> -bash: cd: thisdoesntexist: No such file or directory
> >> one@...ntubox:~$ cd thisdoesntexist/../
> >> -bash: cd: thisdoesntexist/../: No such file or directory
> >> one@...ntubox:~$
> >>
> >>
> >> --
> >> Thanks,
> >> Sagar Belure
> >> Security Analyst
> >> Secfence Technologies
> >> www.secfence.com
> >>
> >
> >
> >
> > --
> > Thanks and Regards,
> > Vipul Agarwal
> >
>
>
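A hardened form of the include pattern quoted in the thread, given here as an added example that is not part of any poster's message. It applies the delimiter filtering suggested in the reply, then an allow-list and a resolved-path containment check; `ALLOWED_LANGS`, `resolve_help_file()` and the demo directory are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. ALLOWED_LANGS, resolve_help_file()
// and the demo directory are assumptions made for illustration.
const ALLOWED_LANGS = ['en', 'es', 'it'];

/** Return the absolute path of the help file for $lang, or null if rejected. */
function resolve_help_file(string $lang, string $helpDir): ?string
{
    // Layer 1: refuse path delimiters and NUL bytes outright, so "/../"
    // sequences and "%00" truncation never reach the filesystem layer.
    foreach (['/', '\\', "\0"] as $bad) {
        if (strpos($lang, $bad) !== false) {
            return null;
        }
    }
    // Layer 2: allow-list. Only known language codes select a file.
    if (!in_array($lang, ALLOWED_LANGS, true)) {
        return null;
    }
    // Layer 3: resolve the real path and confirm it stays inside $helpDir,
    // independent of how the platform normalises "missing_dir/../".
    $base = realpath($helpDir);
    $file = realpath($helpDir . DIRECTORY_SEPARATOR . 'help_' . $lang . '.php');
    if ($base === false || $file === false) {
        return null;
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($file, $prefix, strlen($prefix)) === 0 ? $file : null;
}

// Constructed demo: a temporary help directory holding one real help file.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'help_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'help_en.php', "<?php // help\n");

// Constructed inputs: two language codes, the traversal value from the thread,
// and a backslash variant of it.
$inputs = ['en', 'es', "/../../../../../../boot.ini\0", '..\\..\\boot.ini'];
foreach ($inputs as $input) {
    $path = resolve_help_file($input, $dir);
    printf("%-45s %s\n", json_encode($input), $path === null ? 'rejected' : 'accepted');
}

unlink($dir . DIRECTORY_SEPARATOR . 'help_en.php');
rmdir($dir);
```

A caller would pass the returned path to `require_once` only when it is non-null, so the request parameter never reaches the filesystem as a path fragment.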