Message-ID: <44BCF08555564035A6A8E306C2684090@W340>
Date: Sat, 13 Dec 2014 15:36:10 +0100
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <bugtraq@...urityfocus.com>
Cc: fulldisclosure@...lists.org
Subject: [FD] Defense in depth -- the Microsoft way (part 23): two quotes or not to quote...
Hi @ll,
some Windows commands/programs fail when (one of) their
command line argument(s) is/are enclosed in quotes; for
example:
%SystemRoot%\System32\FontView.Exe "<pathname>.TTF"
%SystemRoot%\System32\FONTVIEW.Exe /P "<filename>.TTF"
%SystemRoot%\System32\RunDLL32.Exe %SystemRoot%\System32\SetupAPI.Dll,InstallHinfSection <section> <flags> "<pathname>.INF"
The failure messages shown by both commands are priceless;
they don't give the slightest hint why they fail at all.-(
JFTR: both commands support (like NOTEPAD.EXE or CreateProcess(),
see <http://msdn.microsoft.com/library/ms682425.aspx>)
"long" but unquoted file/pathnames containing spaces!
Another example:
>"%TEMP%\just a test.eml" Echo Subject: Just a test
"%ProgramFiles%\Windows Mail\WinMail.Exe" /EML:"%TEMP%\just a test.eml"
"%ProgramFiles%\Windows Mail\WinMail.Exe" /ForwardEML:"%TEMP%\just a test.eml"
"%ProgramFiles%\Windows Mail\WinMail.Exe" /ReplyEML:"%TEMP%\just a test.eml"
"%ProgramFiles%\Windows Mail\WinMail.Exe" /ReplyAllEML:"%TEMP%\just a test.eml"
>"%TEMP%\just a test.nws" Echo Subject: Just a test
"%ProgramFiles%\Windows Mail\WinMail.Exe" /NWS:"%TEMP%\just a test.nws"
"%ProgramFiles%\Windows Mail\WinMail.Exe" /ForwardNWS:"%TEMP%\just a test.nws"
"%ProgramFiles%\Windows Mail\WinMail.Exe" /ReplyNWS:"%TEMP%\just a test.nws"
"%ProgramFiles%\Windows Mail\WinMail.Exe" /ReplyAllNWS:"%TEMP%\just a test.nws"
show the error message
"The File ""...\just a test.eml"" could not be opened because it does
not exist or is being used by another application. (0x800CCF65, 123)"
At least this message gives a very slight hint: the Win32 error '123'
alias ERROR_INVALID_NAME is
"The filename, directory name, or volume label syntax is incorrect";
see <http://msdn.microsoft.com/library/ms681382.aspx> or run
NET.EXE HelpMsg 123
Again, same as above: this program works when the argument is not
quoted, despite the "long" pathname containing spaces:
"%ProgramFiles%\Windows Mail\WinMail.Exe" /EML:%TEMP%\just a test.eml
"%ProgramFiles%\Windows Mail\WinMail.Exe" /NWS:%TEMP%\just a test.nws
BUT:
"%ProgramFiles%\Windows Mail\WinMail.Exe" /MailURL:"mailto:mailbox@...mple.com?subject=..."
"%ProgramFiles%\Windows Mail\WinMail.Exe" /NewsURL:"mailto:mailbox@...mple.com?subject=..."
both work with a quoted argument!
JFTR: if you don't have "Windows Mail", but "Windows Live Mail" or
"Outlook Express": they too show the same inconsistent and
surprising behaviour.
I have not checked whether "Outlook" has the same bug, but
I'm confident it has.-(
WTF?
Microsoft, can't you afford a QA?
And one more:
the "AppInit_DLLs" registry entry
(see <https://support.microsoft.com/kb/197571> as well as
<https://msdn.microsoft.com/library/dd744762.aspx>).
JFTR: although AppInit_DLLs are only supported on Windows NT
(see <https://support.microsoft.com/kb/134655>), a braindead
developer chose not to use a REG_MULTI_SZ value (which would
have avoided the need to interpret spaces as separators and
thus supported "long" filenames).
have fun
Stefan Kanthak
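Added example (not part of the post above, and not Microsoft's code): a portable C
reimplementation of the argv-splitting rules the Visual C runtime and CommandLineToArgvW
apply, next to a hypothetical "take the raw tail of GetCommandLine()" parser of the kind
that would explain the behaviour described above: an unquoted path with spaces survives
intact, while a quoted one keeps its quote characters and is rejected as an invalid name
(Win32 error 123, ERROR_INVALID_NAME) before any file is opened. What WinMail or FontView
really do internally is not known; the raw-tail parser is a stand-in. The command lines
are constructed, with C:\Temp standing in for %TEMP%. The last helper shows the
AppInit_DLLs point: a space-separated REG_SZ cannot hold a DLL path that contains a space.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ARGS    16
#define MAX_ARG_LEN 260
#define ERROR_INVALID_NAME 123  /* Win32: filename, directory name, or volume label syntax is incorrect */

/* Constructed command lines; C:\Temp stands in for %TEMP%. */
static const char QUOTED_LINE[]   = "WinMail.Exe /EML:\"C:\\Temp\\just a test.eml\"";
static const char UNQUOTED_LINE[] = "WinMail.Exe /EML:C:\\Temp\\just a test.eml";

/* Reimplementation (not Microsoft's code) of the CRT / CommandLineToArgvW rules:
 * whitespace outside quotes separates arguments; a " toggles quoted mode and is
 * dropped; 2n backslashes before a " give n backslashes and the " is a delimiter;
 * 2n+1 backslashes before a " give n backslashes plus a literal "; other
 * backslashes are literal. (The "" special case of newer CRTs is omitted.) */
static int split_args(const char *cmd, char argv[][MAX_ARG_LEN], int max_argc)
{
    int argc = 0;
    const char *p = cmd;
    while (argc < max_argc) {
        while (*p == ' ' || *p == '\t') p++;
        if (*p == '\0') break;
        char *out = argv[argc];
        size_t len = 0;
        int in_quotes = 0;
        while (*p != '\0' && (in_quotes || (*p != ' ' && *p != '\t'))) {
            if (*p == '\\') {
                size_t n = 0;
                while (*p == '\\') { n++; p++; }
                size_t emit = (*p == '"') ? n / 2 : n;
                while (emit-- > 0 && len < MAX_ARG_LEN - 1) out[len++] = '\\';
                if (*p == '"' && (n % 2) == 1) {      /* odd count: escaped literal " */
                    if (len < MAX_ARG_LEN - 1) out[len++] = '"';
                    p++;
                }
                continue;                            /* even count: " handled next round */
            }
            if (*p == '"') { in_quotes = !in_quotes; p++; continue; }
            if (len < MAX_ARG_LEN - 1) out[len++] = *p;
            p++;
        }
        out[len] = '\0';
        argc++;
    }
    return argc;
}

/* Hypothetical parser (stand-in, not WinMail's real code): locate the option in
 * the raw command line and take the rest verbatim. An unquoted path with spaces
 * is therefore not split, but a quoted path keeps its quote characters. */
static const char *raw_option_value(const char *cmd, const char *opt)
{
    const char *hit = strstr(cmd, opt);
    return hit ? hit + strlen(opt) : NULL;
}

/* " < > | * ? are illegal in Win32 path components; a name containing one fails
 * with ERROR_INVALID_NAME. ':' is not checked because of the drive letter. */
static int name_check_error(const char *name)
{
    return (name == NULL || strpbrk(name, "\"<>|*?") != NULL) ? ERROR_INVALID_NAME : 0;
}

/* Small value-returning helpers. */
static int argc_of(const char *cmd)
{
    char argv[MAX_ARGS][MAX_ARG_LEN];
    return split_args(cmd, argv, MAX_ARGS);
}

static int nth_arg_is(const char *cmd, int n, const char *expected)
{
    char argv[MAX_ARGS][MAX_ARG_LEN];
    int argc = split_args(cmd, argv, MAX_ARGS);
    return n < argc && strcmp(argv[n], expected) == 0;
}

/* AppInit_DLLs is a REG_SZ whose entries are separated by spaces or commas,
 * so one DLL path containing a space is read as two bogus entries. */
static int appinit_entry_count(const char *value)
{
    char buf[MAX_ARG_LEN];
    int count = 0;
    strncpy(buf, value, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (char *tok = strtok(buf, " ,"); tok != NULL; tok = strtok(NULL, " ,")) count++;
    return count;
}

int main(void)
{
    const char *lines[] = { QUOTED_LINE, UNQUOTED_LINE };
    char argv[MAX_ARGS][MAX_ARG_LEN];
    for (int i = 0; i < 2; i++) {
        int argc = split_args(lines[i], argv, MAX_ARGS);
        printf("%s\n  CRT-style argv (%d):", lines[i], argc);
        for (int j = 0; j < argc; j++) printf(" [%s]", argv[j]);
        const char *raw = raw_option_value(lines[i], "/EML:");
        printf("\n  raw tail after /EML: [%s] -> Win32 error %d\n", raw, name_check_error(raw));
    }
    printf("AppInit_DLLs \"C:\\Program Files\\hook.dll\" is read as %d entries\n",
           appinit_entry_count("C:\\Program Files\\hook.dll"));
    return 0;
}
```

With CRT-style splitting the quoted form yields the single argument
/EML:C:\Temp\just a test.eml (quotes removed) and the unquoted form is split into three
pieces, which is the opposite of what the programs above do; only a parser that takes the
raw command-line tail reproduces "unquoted works, quoted fails with 123".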
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/