lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <44BCF08555564035A6A8E306C2684090@W340>
Date: Sat, 13 Dec 2014 15:36:10 +0100
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <bugtraq@...urityfocus.com>
Cc: fulldisclosure@...lists.org
Subject: [FD] Defense in depth -- the Microsoft way (part 23): two quotes or
	not to quote...

Hi @ll,

some Windows commands/programs fail when (one of) their
command line argument(s) is/are enclosed in quotes; for
example:

%SystemRoot%\System32\FontView.Exe "<pathname>.TTF"
%SystemRoot%\System32\FONTVIEW.Exe /P "<filename>.TTF"
%SystemRoot%\System32\RunDLL32.Exe %SystemRoot%\System32\SetupAPI.Dll,InstallHinfSection <section> <flags> "<pathname>.INF"

The failure messages shown by both commands are priceless,
they dont give the slightest hint why they fail at all.-(

JFTR: both commands support (like NOTEPAD.EXE or CreateProcess(),
      see <http://msdn.microsoft.com/library/ms682425.aspx>)
      "long" but unquoted file/pathnames containing spaces!


Another example:

>"%TEMP%\just a test.eml" Echo Subject: Just a test

"%ProgramFiles%\Windows Mail\WinMail.Exe" /EML:"%TEMP%\just a test.eml"
"%ProgramFiles%\Windows Mail\WinMail.Exe" /ForwardEML:"%TEMP%\just a test.eml"
"%ProgramFiles%\Windows Mail\WinMail.Exe" /ReplyEML:"%TEMP%\just a test.eml"
"%ProgramFiles%\Windows Mail\WinMail.Exe" /ReplyAllEML:"%TEMP%\just a test.eml"

>"%TEMP%\just a test.nws" Echo Subject: Just a test

"%ProgramFiles%\Windows Mail\WinMail.Exe" /NWS:"%TEMP%\just a test.nws"
"%ProgramFiles%\Windows Mail\WinMail.Exe" /ForwardNWS:"%TEMP%\just a test.nws"
"%ProgramFiles%\Windows Mail\WinMail.Exe" /ReplyNWS:"%TEMP%\just a test.nws"
"%ProgramFiles%\Windows Mail\WinMail.Exe" /ReplyAllNWS:"%TEMP%\just a test.nws"

show the error message

"The File ""...\just a test.eml"" could not be opened because it does
 not exist or is being used by another application. (0x800CCF65, 123)"

At least this message gives a very slight hint: the Win32 error '123'
alias ERROR_INVALID_NAME is
"The filename, directory name, or volume label syntax is incorrect";
see <http://msdn.microsoft.com/library/ms681382.aspx> or run
NET.EXE HelpMsg 123

Again, same as above: this program works when the argument is not
quoted, despite the "long" pathname containing spaces:

"%ProgramFiles%\Windows Mail\WinMail.Exe" /EML:%TEMP%\just a test.eml
"%ProgramFiles%\Windows Mail\WinMail.Exe" /NWS:%TEMP%\just a test.nws

BUT:
"%ProgramFiles%\Windows Mail\WinMail.Exe" /MailURL:"mailto:mailbox@...mple.com?subject=..."
"%ProgramFiles%\Windows Mail\WinMail.Exe" /NewsURL:"mailto:mailbox@...mple.com?subject=..."
both work with a quoted argument!

JFTR: if you dont have "Windows Mail", but "Windows Live Mail" or
      "Outlook Express": they too show the same inconsistent and
      surprising behaviour.

      I have not checked whether "Outlook" has the same bug, but
      I'm confident it has.-(

WTF?
Microsoft, can't you afford a QA?


And one more:

the "AppInit_DLLs" registry entry
(see <https://support.microsoft.com/kb/197571> as well as
<https://msdn.microsoft.com/library/dd744762.aspx>).

JFTR: although AppInit_DLLs are only supported on Windows NT
      (see <https://support.microsoft.com/kb/134655>) a braindead
      developer choose not to use a REG_MULTI_SZ value (avoiding
      the need to interpret spaces as separator and thus supporting
      "long" filenames).


have fun
Stefan Kanthak

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ