[21189] in bugtraq


RE: SurgeFTP vulnerabilities

daemon@ATHENA.MIT.EDU (David LeBlanc)
Mon Jun 25 18:41:34 2001

Reply-To: <dleblanc@mindspring.com>
From: "David LeBlanc" <dleblanc@mindspring.com>
To: "'Alun Jones'" <alun@texis.com>, "'SDL Office'" <bugtraq@sentry-labs.com>
Cc: <bugtraq@securityfocus.com>
Date: Mon, 25 Jun 2001 10:13:48 -0700
Message-ID: <000a01c0fd9a$9c24c420$0100a8c0@davenet.local>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="US-ASCII"
Content-Transfer-Encoding: 7bit
In-Reply-To: <4.3.2.7.2.20010625093714.02218ef0@mail.io.com>


> -----Original Message-----
> From: Alun Jones [mailto:alun@texis.com]

> >Exploit:
> >2.) Connect to the server with anonymous and type cd con/con
> (yes, this is
> >well known and works with MANY others too, but we think it should be
> >filtered).

> While filtering such a command line may be a worthy
> suggestion, and is
> certainly implemented in our own software, it is far from a
> perfect (or
> even appropriate) solution.
>
> CON/CON is easy to avoid - you just filter on CON/CON.

> There is no system call (that I could find after several days
> of searching) that will enumerate the available DDNs

I'm not entirely sure how you'd do this on Win9x, but if you're dealing with
an NT or Win2k system, the following will help:

DOS Devices Control Entries
The DosDevices subkey lists the built-in symbolic links to create at
startup. The values are stored under this subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\DOS Devices
Entries in this subkey have the data type of REG_SZ. The following list
shows the default entries under this subkey.

AUX=\DosDevices\COM1
MAILSLOT=\Device\MailSlot
NUL=\Device\Null
PIPE=\Device\NamedPipe
PRN=\DosDevices\LPT1
TELNET=\Device\Telnet
UNC=\Device\Mup

I would imagine that a similar key exists on a Win9x system.

Oh - while browsing the SDK looking for a work-around, here's the API you're
looking for:
"To retrieve the current mapping for a particular MS-DOS device name or to
obtain a list of all MS-DOS devices known to the system, use the
QueryDosDevice function."

You should also be able to call CreateFile() on a directory with a flag of
OPEN_EXISTING set, and check to see if it exists before handing it off to
SetCurrentDirectory(). I don't know if that works around the problem, but it
very well might. Something else to try would be to make a call to
GetFileAttributes and see if the FILE_ATTRIBUTE_DIRECTORY bit is set. Or
combine the two with CreateFile and GetFileInformationByHandle.

Being an NT bigot, I have successfully avoided ever having to write an app
that I had to support on Win9x, so I'm not sure which of these suggestions
will help you avoid problems on that platform, but I did just check and
QueryDosDevice is supported on Win98.

Hope this helps.
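As an added example (not part of this message, and not SurgeFTP's or any listed product's code), here is a Python model of the two checks suggested above: enumerate the MS-DOS device names and refuse any client-supplied path whose components name one of them, then confirm the remaining target is really a directory before it would reach SetCurrentDirectory(). On Windows the enumeration calls QueryDosDeviceW through ctypes (the API quoted in the message); on other platforms, and as a fallback, it uses a constructed list of the legacy reserved names (CON, PRN, AUX, NUL, COM1-9, LPT1-9), which is an assumption standing in for the live enumeration. Function names are my own.

```python
"""Added example: refuse client paths that name MS-DOS devices before they
reach SetCurrentDirectory(), modelling the checks suggested in the message
above (device-name enumeration, then a directory-attribute check)."""
import os
import sys

# Constructed fallback (assumption): the legacy device names Windows reserves
# in every directory. Used where QueryDosDevice is unavailable (non-Windows).
DEFAULT_DEVICE_NAMES = frozenset(
    ["CON", "PRN", "AUX", "NUL"]
    + ["COM%d" % i for i in range(1, 10)]
    + ["LPT%d" % i for i in range(1, 10)]
)

FILE_ATTRIBUTE_DIRECTORY = 0x10
INVALID_FILE_ATTRIBUTES = 0xFFFFFFFF


def enumerate_dos_devices():
    """Return the upper-cased set of MS-DOS device names known to the system.

    On Windows this is QueryDosDeviceW(NULL, buf, size), which fills buf with
    every device name, NUL-separated and terminated by an extra NUL. That list
    is broader than the legacy names (drive letters, volume GUIDs, ...), so
    filtering on it over-blocks a few odd directory names but never under-blocks.
    """
    if sys.platform != "win32":
        return set(DEFAULT_DEVICE_NAMES)
    import ctypes
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    kernel32.QueryDosDeviceW.restype = ctypes.c_uint32
    size = 1 << 15
    while size <= 1 << 22:
        buf = ctypes.create_unicode_buffer(size)
        n = kernel32.QueryDosDeviceW(None, buf, size)
        if n:
            return {name.upper() for name in buf[:n].split("\0") if name}
        size *= 2  # 0 with ERROR_INSUFFICIENT_BUFFER: grow the buffer and retry
    return set(DEFAULT_DEVICE_NAMES)


def device_basename(component):
    """Reduce one path component to the name Windows compares against devices.

    The OS ignores trailing spaces and dots and everything after the first
    dot, so 'con.txt', 'CON ' and 'nul.' all resolve to the device.
    """
    name = component.rstrip(" .")
    name = name.split(".", 1)[0]
    return name.rstrip(" ").upper()


def is_device_path(path, devices=DEFAULT_DEVICE_NAMES):
    """True if any component of a client-supplied path names a DOS device.

    Both separators are accepted because the Win32 layer treats them alike.
    """
    for comp in path.replace("\\", "/").split("/"):
        if comp and device_basename(comp) in devices:
            return True
    return False


def is_existing_directory(path):
    """Second check from the message: the target exists and carries
    FILE_ATTRIBUTE_DIRECTORY. Only called after the device-name check, so a
    device name is never handed to the attribute call."""
    if sys.platform != "win32":
        return os.path.isdir(path)
    import ctypes
    kernel32 = ctypes.WinDLL("kernel32")
    kernel32.GetFileAttributesW.restype = ctypes.c_uint32
    attrs = kernel32.GetFileAttributesW(path)
    if attrs == INVALID_FILE_ATTRIBUTES:
        return False
    return bool(attrs & FILE_ATTRIBUTE_DIRECTORY)


def safe_cd(path, devices=DEFAULT_DEVICE_NAMES):
    """Model of the server-side CWD handler: (accepted, FTP reply line).

    The real server would only call SetCurrentDirectory() when accepted is True.
    """
    if is_device_path(path, devices):
        return False, "550 Path component is a reserved device name"
    if not is_existing_directory(path):
        return False, "550 No such directory"
    return True, "250 Directory changed"


if __name__ == "__main__":
    devices = enumerate_dos_devices()  # do this once at server start-up
    for requested in ("con/con", "pub/NUL.txt", "pub\\com1", "."):
        print(requested, "->", safe_cd(requested, devices))
```

Running the block prints the verdict for each constructed request: the first three are refused before any filesystem call, and "." is accepted only because it exists and is a directory.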

