RE: directory traversal

From: Kayne Ian (Softlab) (Ian.Kayneat_private)
Date: Fri Feb 08 2002 - 01:25:05 PST


    It seems like cmd.exe holds some internal table of its current location in
    the directory tree:
    
    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
    
    C:\WINNT>cd \winnt\system32\drivers\etc
    
    C:\WINNT\SYSTEM32\DRIVERS\ETC>cd \.....\
    
    C:\>cd winnt
    The filename, directory name, or volume label syntax is incorrect.
    
    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
    
    However, if you now:
    
    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
    
    C:\>cd .
    
    C:\>cd winnt
    
    C:\WINNT>
    
    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
    
    Therefore, it seems as though "." and "\" cause cmd.exe to reset its
    current location in the tree. There is also a limit to these full-stop
    traversal problems:
    
    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
    
    C:\WINNT\SYSTEM32\DRIVERS\ETC>cd
    \..............................................
    ............................................................................
    ....
    ............................................................................
    ....
    .................................................\
    The system cannot find the path specified.
    
    C:\WINNT\SYSTEM32\DRIVERS\ETC>cd
    \..............................................
    ............................................................................
    ....
    ............................................................................
    ....
    ................................................\
    
    C:\>
    
    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
    
    Here is some more odd behaviour:
    
    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
    
    C:\>cd \winnt\system32\drivers\etc
    
    C:\WINNT\SYSTEM32\DRIVERS\ETC>cd \.........\
    
    C:\>cd winnt
    The system cannot find the path specified.
    
    C:\>echo test > test.tst
    
    C:\>dir test.*
     Volume in drive C has no label.
     Volume Serial Number is 1CD6-96D5
    
     Directory of C:\
    
    08/02/2002  09:14                    7 test.tst
                   1 File(s)              7 bytes
                   0 Dir(s)   1,429,721,600 bytes free
    
    C:\>copy test.tst winnt
            1 file(s) copied.
    
    C:\>dir winnt\test.*
     Volume in drive C has no label.
     Volume Serial Number is 1CD6-96D5
    
     Directory of C:\winnt
    
    08/02/2002  09:14                    7 test.tst
                   1 File(s)              7 bytes
                   0 Dir(s)   1,429,721,600 bytes free
    
    C:\>dir test.*
     Volume in drive C has no label.
     Volume Serial Number is 1CD6-96D5
    
     Directory of C:\
    
    08/02/2002  09:14                    7 test.tst
                   1 File(s)              7 bytes
                   0 Dir(s)   1,429,721,600 bytes free
    
    C:\>del test.tst
    
    C:\>cd winnt
    The system cannot find the path specified.
    
    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
    
    So copy and dir, both internal to cmd.exe, can handle this, but whatever it
    is that parses and controls the directory tree in cmd.exe can't. Very odd.
    I've been trying to find out where cmd thinks it is after a \.......\, but
    so far no luck.
    
    Ian Kayne
    Technical Specialist - IT Solutions
    Softlab Ltd - A BMW Company
    
    
    > -----Original Message-----
    > From: Piyush Agarwal [mailto:pvagarwalat_private]
    > Sent: 07 February 2002 20:13
    > To: Levenglick, Jeff; Jim Nanney; Strumpf Noir Society
    > Cc: vuln-devat_private
    > Subject: RE: directory traversal
    > 
    > 
    > hi,
    > It seems you are right...
    > But here is something more that I found:
    > 
    > (Running cmd.exe on Win2k)
    > Microsoft Windows 2000 [Version 5.00.2195]
    > (C) Copyright 1985-2000 Microsoft Corp.
    > 
    > C:\>cd winnt\system32
    > 
    > C:\WINNT\system32>cd \.\
    > 
    > C:\>cd winnt\system32
    > 
    > C:\WINNT\system32>cd \..\
    > 
    > C:\>cd winnt\system32
    > 
    > C:\WINNT\system32>cd \...\
    > 
    > C:\>cd winnt\system32
    > 
    > C:\WINNT\system32>cd \....\
    > 
    > C:\>cd winnt\system32
    > 
    > C:\WINNT\system32>cd \.........\
    > 
    > C:\>cd winnt\system32
    > The system cannot find the path specified.
    > 
    > C:\>cd winnt\system32
    > The system cannot find the path specified.
    > 
    > C:\>cd winnt
    > The system cannot find the path specified.
    > 
    > C:\>
    > 
    > It seems that the cd command just stops working when I
    > carried out the above steps......weird!! Anybody care
    > to explain ?
    > 
    > Regards,
    > Piyush Agarwal
    > 
    > 
    > --- "Levenglick, Jeff" <jlevenglickat_private>
    > wrote:
    > > I also tried it, but I think you might be missing
    > > what it is doing.
    > > 
    > > It looks like it takes the cd \  and ignores
    > > everything after it.
    > > 
    > > I tried  cd \.\ and cd \..\ and got the same results
    > > 
    > > -----Original Message-----
    > > From: Piyush Agarwal [mailto:pvagarwalat_private]
    > > Sent: Wednesday, February 06, 2002 1:31 PM
    > > To: Jim Nanney; Strumpf Noir Society
    > > Cc: vuln-devat_private
    > > Subject: Re: directory traversal
    > > 
    > > 
    > > On Win 2k (running cmd.exe)
    > > 
    > > C:\>cd winnt
    > > 
    > > C:\WINNT>cd system32
    > > 
    > > C:\WINNT\system32>cd \...\
    > > 
    > > C:\>
    > > 
    > > On same machine (now running Command.com)
    > > 
    > > C:\>cd winnt
    > > 
    > > C:\WINNT>cd system32
    > > 
    > > C:\WINNT\SYSTEM32>cd \...\
    > > Invalid directory
    > > 
    > > C:\WINNT\SYSTEM32>
    > > 
    > > So you can see that on Win2K the triple-dot traversal
    > > works in cmd.exe but not in command.com......anyone
    > > wanting to dig deeper in this ?? :-)
    > > 
    > > - Piyush Agarwal
    > > 
    > > 
    > > --- Jim Nanney <jnanneyat_private> wrote:
    > > > I'm just a lurker here, but a simple thought...
    > > > 
    > > > I saw this and thought well it probably has to do
    > > > with cmd.exe of win2k
    > > > 
    > > > On my win2k machine using cmd.exe:
    > > > ************************************
    > > > 
    > > > C:\>cd winnt\system32\drivers
    > > > 
    > > > C:\WINNT\system32\drivers>cd \...\
    > > > 
    > > > C:\>
    > > > 
    > > > on my win98 machine using command.com
    > > > *************************************
    > > > 
    > > > C:\>cd windows\system32\drivers
    > > > 
    > > > C:\WINDOWS\SYSTEM32\DRIVERS>cd \...\
    > > > Bad command or file name
    > > > 
    > > > C:\WINDOWS\SYSTEM32\DRIVERS>
    > > > 
    > > > Can't give you reasons why, but given the little
    > > > information supplied I
    > > > would bet it would be system calls opening a shell
    > > > and thus the reason for
    > > > the /.../ working on win2k and not 98.
    > > > 
    > > > --Jim Nanney
    > > > 
    > > 
    > > 
    > > 
    > 
    > 
    > 
    
    
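The practical lesson a reader should take from the thread is that the shell or API on the target decides what a run of three or more dots means (cmd.exe on Win2K collapses "\...\" to the root, command.com rejects it), so a traversal filter that pattern-matches on "." and ".." is reasoning about a path grammar the target may not share. The example below is added here and is not code from the thread or from any of its posters: it contrasts that kind of filter with a check that lets the operating system canonicalise the path and then tests containment in a base directory. The function names, the throw-away base directory and the sample inputs are all assumptions made for the example.

```python
"""Traversal checks: substring matching on '..' versus OS canonicalisation.

Added example, not from the vuln-dev thread. Function names, the base
directory and the sample inputs are constructed for this demonstration.
"""
import os
import shutil
import tempfile
from typing import Dict, Optional, Tuple


def naive_reject(user_path: str) -> bool:
    """The textbook filter: reject a path only if it contains a '..' component.

    Returns True when the path is REJECTED. A component made of three or more
    dots (the thread's "\\...\\" payload) sails through, because this filter
    only knows the two components POSIX defines.
    """
    parts = user_path.replace("\\", "/").split("/")
    return any(part == ".." for part in parts)


def resolve_within(base: str, user_path: str) -> Optional[str]:
    """Join user_path to base, let the OS canonicalise the result, and return
    the resolved path only if it is still inside base; otherwise None.

    os.path.realpath resolves symlinks, '.' and '..'; on Windows (Python 3.8+)
    it asks the kernel for the final path of every component that exists, so
    whatever normalisation the platform applies to dot runs is reflected in
    the answer instead of being guessed by string matching.
    """
    base_real = os.path.realpath(base)
    # os.path.join discards base if user_path is absolute, which is exactly
    # what we want: an absolute attacker path must fail the containment test.
    candidate = os.path.realpath(os.path.join(base_real, user_path))
    try:
        inside = os.path.commonpath([base_real, candidate]) == base_real
    except ValueError:  # different drives on Windows: cannot be inside base
        return None
    return candidate if inside else None


def demo() -> Dict[str, Tuple[bool, bool]]:
    """Run both checks over constructed inputs inside a temporary tree.

    Returns {input: (rejected_by_naive_filter, admitted_by_os_check)}.
    """
    base = tempfile.mkdtemp(prefix="travdemo_")
    os.makedirs(os.path.join(base, "sub"))
    with open(os.path.join(base, "sub", "file.txt"), "w") as fh:
        fh.write("ok\n")
    samples = [
        "sub/file.txt",              # legitimate relative path
        "../etc/passwd",             # classic traversal
        ".../sub/file.txt",          # dot run: a plain name on POSIX,
                                     # platform-defined on Windows
        "..\\..\\winnt\\system32",   # backslashes: separators only on Windows
    ]
    try:
        return {s: (naive_reject(s), resolve_within(base, s) is not None)
                for s in samples}
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for sample, (rejected, admitted) in demo().items():
        print(f"{sample!r:30} naive_reject={rejected!s:5} os_check_admits={admitted}")
```

Two caveats the output makes visible. On POSIX the "..." input is an ordinary directory name, so the OS check correctly admits it as a path inside the base; whether it stays inside on a Windows host is for that host's canonicalisation to decide, which is the point of delegating to the OS. Second, if the check runs on a POSIX box but the path is later consumed by a Windows service, backslashes are not separators where the check runs, so "..\\..\\winnt\\system32" is one filename to `realpath` and the check must normalise separators to the consumer's convention before resolving.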
    



    This archive was generated by hypermail 2b30 : Fri Feb 08 2002 - 15:59:10 PST