[10758] in bugtraq

Re: Windows NT 4.0, 95, 98 (?) networked PRN flaw

daemon@ATHENA.MIT.EDU (Jefferson Ogata)
Wed Jun 9 14:08:48 1999

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <375D5D50.538F22CB@nodc.noaa.gov>
Date: 	Tue, 8 Jun 1999 14:13:36 -0400
Reply-To: jogata@NODC.NOAA.GOV
From: Jefferson Ogata <jogata@NODC.NOAA.GOV>
To: BUGTRAQ@NETSPACE.ORG

Along similar lines, I've discovered (through bad code) that certain NFS
implementations will allow you to create files with a / in their names.
Obviously, it's pretty difficult to get rid of these files after the fact.
As far as I've been able to tell, all UNIX system calls parse paths, and
will always treat a path like "a/b" as the file "b" in the directory "a",
rather than the file "a/b" in the current directory. Not even rm -r on the
directory could clean this up.

The only way I've found to get rid of these files is by using the same NFS
client code that was used to create them (whew!). Note that this code has
to be "buggy" in the sense that it doesn't correctly parse paths. Yes, I
did make a mistake. Erp!

This could be used to create a pretty nasty DoS, if an attacker has write
access to your NFS filesystem (this is more common than you might think).

I wonder what would happen if I created a file called "/etc/passwd" in
the current directory... probably nothing. But who knows?

--
Jefferson Ogata <jogata@nodc.noaa.gov> National Oceanographic Data Center
You can't step into the same river twice. -- Herakleitos

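The post's point is a mismatch between two parsers: the NFS server accepted a directory-entry name containing "/", while every POSIX path call on the client splits on "/" and so can never address that entry again. The following added example (not the author's code, and not any NFS implementation's) shows the server-side component check that would have refused such a name, plus a readdir-based scan a defender can run to find entries that are listable but unaddressable. The 255-byte limit is an assumption matching a common NAME_MAX; the sample listing is constructed.

```python
"""Directory-entry name validation and detection of unaddressable entries.

Added example illustrating the NFS path-parsing problem described in the
post: a name containing '/' is accepted by a lax server but can never be
opened, stat'ed or unlinked through POSIX path syscalls on the client.
"""
import os
from typing import Iterable, List

# Upper bound on a single entry name; 255 matches a common NAME_MAX but is
# an assumption of this example, not a value taken from the post.
NAME_MAX = 255


def is_valid_component(name: bytes) -> bool:
    """Return True if `name` is a single, addressable directory-entry name.

    Rejects the empty name and '.'/'..' (they name other objects), any
    embedded NUL (the C path APIs would truncate there), any '/' (POSIX
    path resolution always reads it as a separator, never as part of a
    name) and over-long names.
    """
    if not name or name in (b".", b".."):
        return False
    if len(name) > NAME_MAX:
        return False
    if b"\x00" in name or b"/" in name:
        return False
    return True


def find_unaddressable_entries(entries: Iterable[bytes]) -> List[bytes]:
    """Given raw entry names as readdir(3) returns them, list those that a
    client can see in a listing but cannot reach by path (the situation the
    post describes, where even rm -r cannot remove the file)."""
    return [e for e in entries if not is_valid_component(e)]


def scan_directory(path: str) -> List[bytes]:
    """Run the check over a real directory on this host. os.listdir returns
    bytes when given a bytes path, so an embedded '/' in a name survives
    unmodified and is caught here."""
    return find_unaddressable_entries(os.listdir(os.fsencode(path)))


# Constructed sample of what a listing over the affected export might show.
SAMPLE_LISTING = [b"report.txt", b"a/b", b"/etc/passwd", b"normal", b"bad\x00name"]

if __name__ == "__main__":
    for bad in find_unaddressable_entries(SAMPLE_LISTING):
        print("unaddressable entry:", bad)
```

On the server side, `is_valid_component` is the check a CREATE or LOOKUP handler should apply to the client-supplied name before it touches the filesystem; `scan_directory` is the client-side sweep for entries already written by a lax server, which can only be removed through the same server that created them, as the post notes.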