Interesting... <<not sure why I'm spending time on this... but>> :)

I did a few tests and found, I think, why you are getting your results. It looks like it is some sort of overflow. I'm assuming that MS added code to stop a crash of cmd, but might have missed something.

From testing and debugging I have found that after putting an overflow, in this case ....'s, the system 'forgets' the drive. ie: It does not think it is on the C: drive any more.

To prove this... after your \............\'s do a cd winnt and it will fail. Then do a cd c:\winnt\system32 and it will work. Do a cd \ and it will work. Do a cd \winnt\system32 again and it works. (until you do the ..'s again)

Jeff

-----Original Message-----
From: Piyush Agarwal [mailto:pvagarwalat_private]
Sent: Thursday, February 07, 2002 3:13 PM
To: Levenglick, Jeff; Jim Nanney; Strumpf Noir Society
Cc: vuln-devat_private
Subject: RE: directory traversal

hi,

It seems you are right... But here is something more that I found:
(Running cmd.exe on Win2k)

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\>cd winnt\system32

C:\WINNT\system32>cd \.\

C:\>cd winnt\system32

C:\WINNT\system32>cd \..\

C:\>cd winnt\system32

C:\WINNT\system32>cd \...\

C:\>cd winnt\system32

C:\WINNT\system32>cd \....\

C:\>cd winnt\system32

C:\WINNT\system32>cd \.........\

C:\>cd winnt\system32
The system cannot find the path specified.

C:\>cd winnt\system32
The system cannot find the path specified.

C:\>cd winnt
The system cannot find the path specified.

C:\>

It seems that the cd command just stops working when I carried out the above steps......weird!! Anybody care to explain?

Regards,
Piyush Agarwal

--- "Levenglick, Jeff" <jlevenglickat_private> wrote:
> I also tried it, but I think you might be missing
> what it is doing.
>
> It looks like it takes the cd \ and ignores
> everything after it.
>
> I tried cd \.\ and cd \..\ and got the same results
>
> -----Original Message-----
> From: Piyush Agarwal [mailto:pvagarwalat_private]
> Sent: Wednesday, February 06, 2002 1:31 PM
> To: Jim Nanney; Strumpf Noir Society
> Cc: vuln-devat_private
> Subject: Re: directory traversal
>
>
> On Win 2k (running cmd.exe)
>
> C:\>cd winnt
>
> C:\WINNT>cd system32
>
> C:\WINNT\system32>cd \...\
>
> C:\>
>
> On same machine (now running Command.com)
>
> C:\>cd winnt
>
> C:\WINNT>cd system32
>
> C:\WINNT\SYSTEM32>cd \...\
> Invalid directory
>
> C:\WINNT\SYSTEM32>
>
> So you can see that on Win2K the triple dot traversal
> works in cmd.exe but not in command.com......anyone
> wanting to dig deeper in this?? :-)
>
> - Piyush Agarwal
>
>
> --- Jim Nanney <jnanneyat_private> wrote:
> > I'm just a lurker here, but a simple thought...
> >
> > I saw this and thought well it probably has to do
> > with cmd.exe of win2k
> >
> > On my win2k machine using cmd.exe:
> > ************************************
> >
> > C:\>cd winnt\system32\drivers
> >
> > C:\WINNT\system32\drivers>cd \...\
> >
> > C:\>
> >
> > on my win98 machine using command.com
> > *************************************
> >
> > C:\>cd windows\system32\drivers
> >
> > C:\WINDOWS\SYSTEM32\DRIVERS>cd \...\
> > Bad command or file name
> >
> > C:\WINDOWS\SYSTEM32\DRIVERS>
> >
> > Can't give you reasons why, but given the little
> > information supplied I
> > would bet it would be system calls opening a shell
> > and thus the reason for
> > the /.../ working on win2k and not 98.
> >
> > --Jim Nanney
> >
> >
> > __________________________________________________
> Do You Yahoo!?
> Send FREE Valentine eCards with Yahoo! Greetings!
> http://greetings.yahoo.com
>
> ____________________________________________________________________________
> This e-mail message is private and may contain
> confidential or privileged
> information.
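The thread shows cmd.exe treating `\...\` as the root while command.com rejects it, and a library normalizer does a third thing: it keeps `...` as a literal directory name. The added example below (not part of the thread) runs the exact `cd` arguments from the transcripts through Python's `ntpath` and shows why a validator should reject dot-only components outright instead of trusting any one normalizer; the base directory `C:\WINNT\system32` and the `check_path` function are assumptions for illustration.

```python
import ntpath

# Constructed base directory, taken from the thread's transcripts.
BASE = "C:\\WINNT\\system32"

# Constructed samples: the `cd` arguments tried in the thread, plus an
# ordinary relative path for comparison.
SAMPLES = ["\\.\\", "\\..\\", "\\...\\", "\\....\\", "\\.........\\", "drivers"]


def dot_only_components(path: str) -> list:
    """Return every component made only of dots and longer than `..`.

    `.` and `..` have defined meanings; `...`, `....`, ... do not, and the
    thread shows cmd.exe and command.com disagreeing on them.
    """
    comps = path.replace("/", "\\").split("\\")
    return [c for c in comps if len(c) > 2 and set(c) == {"."}]


def check_path(base: str, user_path: str) -> tuple:
    """Normalize `user_path` against `base` and return (normalized, verdict).

    A root-relative argument (leading backslash) replaces the directory
    part of `base`, which is what `cd \\.\\` and `cd \\..\\` do in the thread.
    The containment test is case-insensitive, matching Windows paths.
    """
    normalized = ntpath.normpath(ntpath.join(base, user_path))
    root = ntpath.normpath(base)
    inside = (normalized.lower() == root.lower()
              or normalized.lower().startswith(root.lower() + "\\"))
    if dot_only_components(user_path):
        # ntpath keeps `...` as a literal name; cmd.exe went to C:\ instead.
        verdict = "reject: dot-only component, semantics differ between shells"
    elif inside:
        verdict = "ok"
    else:
        verdict = "reject: escapes base"
    return normalized, verdict


if __name__ == "__main__":
    for sample in SAMPLES:
        normalized, verdict = check_path(BASE, sample)
        print(f"{sample!r:18} -> {normalized!r:28} {verdict}")
```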
This archive was generated by hypermail 2b30 : Thu Feb 07 2002 - 13:03:45 PST