OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Re: Crashing Win9x
From: Alun Jones (alunTEXIS.COM)
Date: Mon Mar 20 2000 - 14:48:54 CST

>I did some testing in school - basiclu every program (any
>daemon - ftp, http...) any user program... they all crush
>when request is issued for \con\con or anything else from
>this category.
>we did remote administration via novel (i just say remote
>execute c:\nul\nul, and voila). Sambar (4.something, i
>think) also crashes (when issued a request like
>GET /nul/ul HTTP1.0\n\n via telnet, or simply in browser
>[i used <A TARGET=nonlocal
>HREF="/external/http://computer.addres//nul/nul">
>http://computer.addres//nul/nul> from any browser.]).
>The only thing that was not vulnerable was apahe (1.3.12 i
>thing, with php extenzion, but that shouldn't matter). I
>will try other suff, and proably put on some page i I find
>something else that's not vulerable, or other ways to use
>this

This has been a known awkwardness in Windows (and indeed
anything based on the DOS underpinnings) for some time -
we've had code that specifically checks for "CON", "PRN"
or "AUX" for several years now, although one of our
competitors actually makes a selling point of the idea that
users can come in and write directly to your printer
through their FTP server!

Essentially, the word from Microsoft has so far been for
apps not to create files called CON, PRN, AUX, COM1-4, LPT1-
3, or CLOCK$ (sorry if I've missed any). There are,
however, a few ways and means to create files of such a
name, and they've proven traditionally to be a little
tricky to remove (of the same order of trickery as creating
a file on Unix with a leading '-' character).

Sadly, there's no function that I'm aware of to tell you
whether a file name is reserved or not, and each such
device name is assumed by the OS to exist in every folder
on your system.

Alun.
~~~~