lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Sat, 13 Dec 2014 15:36:10 +0100
From: "Stefan Kanthak" <>
To: <>
Subject: [FD] Defense in depth -- the Microsoft way (part 23): two quotes or
	not to quote...

Hi @ll,

some Windows commands/programs fail when (one of) their
command line argument(s) is/are enclosed in quotes; for

%SystemRoot%\System32\FontView.Exe "<pathname>.TTF"
%SystemRoot%\System32\FONTVIEW.Exe /P "<filename>.TTF"
%SystemRoot%\System32\RunDLL32.Exe %SystemRoot%\System32\SetupAPI.Dll,InstallHinfSection <section> <flags> "<pathname>.INF"

The failure messages shown by both commands are priceless,
they dont give the slightest hint why they fail at all.-(

JFTR: both commands support (like NOTEPAD.EXE or CreateProcess(),
      see <>)
      "long" but unquoted file/pathnames containing spaces!

Another example:

>"%TEMP%\just a test.eml" Echo Subject: Just a test

"%ProgramFiles%\Windows Mail\WinMail.Exe" /EML:"%TEMP%\just a test.eml"
"%ProgramFiles%\Windows Mail\WinMail.Exe" /ForwardEML:"%TEMP%\just a test.eml"
"%ProgramFiles%\Windows Mail\WinMail.Exe" /ReplyEML:"%TEMP%\just a test.eml"
"%ProgramFiles%\Windows Mail\WinMail.Exe" /ReplyAllEML:"%TEMP%\just a test.eml"

>"%TEMP%\just a test.nws" Echo Subject: Just a test

"%ProgramFiles%\Windows Mail\WinMail.Exe" /NWS:"%TEMP%\just a test.nws"
"%ProgramFiles%\Windows Mail\WinMail.Exe" /ForwardNWS:"%TEMP%\just a test.nws"
"%ProgramFiles%\Windows Mail\WinMail.Exe" /ReplyNWS:"%TEMP%\just a test.nws"
"%ProgramFiles%\Windows Mail\WinMail.Exe" /ReplyAllNWS:"%TEMP%\just a test.nws"

show the error message

"The File ""...\just a test.eml"" could not be opened because it does
 not exist or is being used by another application. (0x800CCF65, 123)"

At least this message gives a very slight hint: the Win32 error '123'
"The filename, directory name, or volume label syntax is incorrect";
see <> or run
NET.EXE HelpMsg 123

Again, same as above: this program works when the argument is not
quoted, despite the "long" pathname containing spaces:

"%ProgramFiles%\Windows Mail\WinMail.Exe" /EML:%TEMP%\just a test.eml
"%ProgramFiles%\Windows Mail\WinMail.Exe" /NWS:%TEMP%\just a test.nws

"%ProgramFiles%\Windows Mail\WinMail.Exe" /MailURL:""
"%ProgramFiles%\Windows Mail\WinMail.Exe" /NewsURL:""
both work with a quoted argument!

JFTR: if you dont have "Windows Mail", but "Windows Live Mail" or
      "Outlook Express": they too show the same inconsistent and
      surprising behaviour.

      I have not checked whether "Outlook" has the same bug, but
      I'm confident it has.-(

Microsoft, can't you afford a QA?

And one more:

the "AppInit_DLLs" registry entry
(see <> as well as

JFTR: although AppInit_DLLs are only supported on Windows NT
      (see <>) a braindead
      developer choose not to use a REG_MULTI_SZ value (avoiding
      the need to interpret spaces as separator and thus supporting
      "long" filenames).

have fun
Stefan Kanthak

Sent through the Full Disclosure mailing list
Web Archives & RSS:

Powered by blists - more mailing lists