RE: directory traversal

From: Levenglick, Jeff (jlevenglick@fhlbatl.com)
Date: 02/07/02


From: "Levenglick, Jeff" <jlevenglick@fhlbatl.com>
To: "'Piyush Agarwal'" <pvagarwal@yahoo.com>, "Levenglick, Jeff" <jlevenglick@fhlbatl.com>, Jim Nanney <jnanney@datasync.com>, Strumpf Noir Society <vuln-dev@labs.secureance.com>
Date: Thu, 7 Feb 2002 15:25:43 -0500 

Interesting.. <<not sure why i'm spending time on this.. but>> :)

I did a few tests and found, I think, why you are getting your results. It
looks like it is some sort of overflow. I'm assuming that MS added code to
stop a crash of cmd, but might have missed something.

From testing and debugging I have found that after putting in an overflow, in
this case ....'s, the system 'forgets' the drive. ie: It does not think it is
on the C: drive any more.

To prove this.. after your \............\'s do a cd winnt and it will fail.
Then do a cd c:\winnt\system32 and it will work. Do a cd \ and it will work.
Do a cd \winnt\system32 again and it works. (until you do the ..'s again)

Jeff

-----Original Message-----
From: Piyush Agarwal [mailto:pvagarwal@yahoo.com]
Sent: Thursday, February 07, 2002 3:13 PM
To: Levenglick, Jeff; Jim Nanney; Strumpf Noir Society
Cc: vuln-dev@securityfocus.com
Subject: RE: directory traversal

hi,
It seems you are right...
But here is something more that I found:

(Running cmd.exe on Win2k)
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\>cd winnt\system32

C:\WINNT\system32>cd \.\

C:\>cd winnt\system32

C:\WINNT\system32>cd \..\

C:\>cd winnt\system32

C:\WINNT\system32>cd \...\

C:\>cd winnt\system32

C:\WINNT\system32>cd \....\

C:\>cd winnt\system32

C:\WINNT\system32>cd \.........\

C:\>cd winnt\system32
The system cannot find the path specified.

C:\>cd winnt\system32
The system cannot find the path specified.

C:\>cd winnt
The system cannot find the path specified.

C:\>

It seems that the cd command just stops working when I
carry out the above steps... weird!! Anybody care
to explain?

Regards,
Piyush Agarwal

--- "Levenglick, Jeff" <jlevenglick@fhlbatl.com>
wrote:
> I also tried it, but I think you might be missing
> what it is doing.
>
> It looks like it takes the cd \ and ignores
> everything after it.
>
> I tried cd \.\ and cd \..\ and got the same results
>
> -----Original Message-----
> From: Piyush Agarwal [mailto:pvagarwal@yahoo.com]
> Sent: Wednesday, February 06, 2002 1:31 PM
> To: Jim Nanney; Strumpf Noir Society
> Cc: vuln-dev@securityfocus.com
> Subject: Re: directory traversal
>
>
> On Win 2k (running cmd.exe)
>
> C:\>cd winnt
>
> C:\WINNT>cd system32
>
> C:\WINNT\system32>cd \...\
>
> C:\>
>
> On same machine (now running Command.com)
>
> C:\>cd winnt
>
> C:\WINNT>cd system32
>
> C:\WINNT\SYSTEM32>cd \...\
> Invalid directory
>
> C:\WINNT\SYSTEM32>
>
> So you can see that on Win2K the triple-dot traversal
> works in cmd.exe but not in command.com... anyone
> wanting to dig deeper into this?? :-)
>
> - Piyush Agarwal
>
>
> --- Jim Nanney <jnanney@datasync.com> wrote:
> > I'm just a lurker here, but a simple thought...
> >
> > I saw this and thought well it probably has to do
> > with cmd.exe of win2k
> >
> > On my win2k machine using cmd.exe:
> > ************************************
> >
> > C:\>cd winnt\system32\drivers
> >
> > C:\WINNT\system32\drivers>cd \...\
> >
> > C:\>
> >
> > on my win98 machine using command.com
> > *************************************
> >
> > C:\>cd windows\system32\drivers
> >
> > C:\WINDOWS\SYSTEM32\DRIVERS>cd \...\
> > Bad command or file name
> >
> > C:\WINDOWS\SYSTEM32\DRIVERS>
> >
> > Can't give you reasons why, but given the little
> > information supplied I
> > would bet it would be system calls opening a shell
> > and thus the reason for
> > the /.../ working on win2k and not 98.
> >
> > --Jim Nanney
> >
>
>
>
> __________________________________________________
> Do You Yahoo!?
> Send FREE Valentine eCards with Yahoo! Greetings!
> http://greetings.yahoo.com
>
>
> ____________________________________________________________________________
> This e-mail message is private and may contain
> confidential or privileged
> information.

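
What the transcripts above show is consistent with the documented Win32 rule for DOS-style paths: every path component has trailing periods and spaces stripped before the path is resolved, so a component made only of dots ("...", "....", and so on) becomes empty and vanishes, and "cd \...\" is resolved exactly like "cd \", which is Jeff's reading of it. The following is an added example written for this page by the editor, not code posted by anyone in the thread and not cmd.exe's own algorithm: a small model of that normalization rule applied to the cd commands typed above, plus the check a practitioner should take away, namely that a traversal filter which only rejects the literal component ".." never sees "..." and must canonicalize before it compares. The model assumes drive-letter paths only (no UNC), does not correct case the way the file system does, and does not attempt to model the failure after "cd \.........\" (the ninth dot), which the thread leaves unexplained; the CWD value and the sample paths are constructed from the transcripts.

```python
# Added example (editor's own code, not from anyone in this thread): a model
# of the Win32 DOS-path normalization rule that explains why cmd.exe turns
# `cd \...\` into `cd \`. Assumed rule: each component has trailing periods
# and spaces stripped; an emptied component, like `.`, contributes nothing,
# and `..` pops one component. Drive-letter paths only; UNC paths, case
# correction by the file system, and whatever cmd.exe does after
# `cd \.........\` are NOT modelled.
import re

# Optional drive letter, optional leading backslash, remainder.
_PATH_RE = re.compile(r"^([A-Za-z]:)?(\\?)(.*)$")

# Constructed to match the working directory used in the transcripts.
CWD = "C:\\WINNT\\system32"


def normalize_win32(cwd, path):
    """Resolve ``path`` against ``cwd`` using the per-component stripping rule.

    ``cwd`` must be an absolute drive path such as ``C:\\WINNT\\system32``.
    Returns an upper-cased drive letter plus the canonical remainder.
    """
    path = path.replace("/", "\\")
    drive, rooted, rest = _PATH_RE.match(path).groups()
    cwd_drive, cwd_rest = cwd[:2], cwd[2:]
    if not drive:
        drive = cwd_drive
    # A leading backslash restarts at the drive root, so only what follows
    # it matters (Jeff's observation: "takes the cd \ and ignores everything
    # after it"). Relative paths on another drive start at that drive's
    # root here; real Win32 tracks a per-drive directory (assumption).
    if rooted or drive.upper() != cwd_drive.upper():
        stack = []
    else:
        stack = [c for c in cwd_rest.split("\\") if c]
    for comp in rest.split("\\"):
        if comp == ".":
            continue
        if comp == "..":
            if stack:                  # ".." at the root stays at the root
                stack.pop()
            continue
        comp = comp.rstrip(". ")       # "...", "....", "foo.." lose the dots
        if comp:                       # "..." has become "" and is dropped
            stack.append(comp)
    return drive.upper() + "\\" + "\\".join(stack)


def naive_component_filter_blocks(user_path):
    """Traversal filter that rejects only the exact component ``..``.

    It never flags ``...``, yet ``\\...\\`` still lands on the drive root
    after normalization, so this filter is not sufficient on its own.
    """
    return any(c == ".." for c in user_path.replace("/", "\\").split("\\"))


def escapes_base(base_dir, user_path):
    """The robust check: canonicalize first, then test the directory prefix."""
    full = normalize_win32(base_dir, user_path).upper() + "\\"
    base = normalize_win32(base_dir, ".").upper() + "\\"
    return not full.startswith(base)


if __name__ == "__main__":
    # The cd arguments typed in the transcripts, replayed against the model.
    for p in ("\\.\\", "\\..\\", "\\...\\", "\\....\\", "\\.........\\"):
        print("cd " + p.ljust(14) + "-> " + normalize_win32(CWD, p))
    for p in ("\\..\\", "\\...\\"):
        print(p.ljust(8), "naive filter blocks:", naive_component_filter_blocks(p),
              " escapes base:", escapes_base(CWD, p))
```

On a Windows machine the model can be compared against the real thing by passing the same strings to the Win32 `GetFullPathNameW` function (for example through Python's `ctypes`); where the two disagree, trust the operating system, since the point of canonicalizing before checking is to let the OS, not a regular expression, decide what a path means.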


