
July 16, 2012

Comments

丸子

Good post, and this might be a good idea to bypass some limitations of webshell uploading.

ct

nice one

jp

Windows does support this behavior if you set the value via a registry key re:


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanServer\Shares]
"for \"xxx & calc.exe"=hex(7):43,00,53,00,43,00,46,00,6c,00,61,00,67,00,73,00,\
3d,00,30,00,00,00,4d,00,61,00,78,00,55,00,73,00,65,00,73,00,3d,00,34,00,32,\
00,39,00,34,00,39,00,36,00,37,00,32,00,39,00,35,00,00,00,50,00,61,00,74,00,\
68,00,3d,00,43,00,3a,00,5c,00,54,00,65,00,73,00,74,00,00,00,50,00,65,00,72,\
00,6d,00,69,00,73,00,73,00,69,00,6f,00,6e,00,73,00,3d,00,30,00,00,00,52,00,\
65,00,6d,00,61,00,72,00,6b,00,3d,00,00,00,53,00,68,00,61,00,72,00,65,00,4e,\
00,61,00,6d,00,65,00,3d,00,66,00,6f,00,72,00,20,00,22,00,78,00,78,00,78,00,\
20,00,26,00,20,00,63,00,61,00,6c,00,63,00,2e,00,65,00,78,00,65,00,00,00,54,\
00,79,00,70,00,65,00,3d,00,30,00,00,00,00,00

Adi Cohen

Very nice, I suspected this could be possible but haven't got around to it. Thanks for sharing.

Nick

You might be able to add
"mangled names = no"
to your smb.conf. That should prevent what you have in figure 2.

Adi Cohen

Hi Nick,
That's a great catch.

This could allow for a file with the following name to exist:
a/a.txt" .html

When a user double-clicks this file, the registered application will get access to a file named 'a.txt' under a folder named 'a'.
The attached image shows this scenario.
http://img821.imageshack.us/img821/8010/36262549.png


Updated machines will not accept a file whose name contains a double-quote sign.
Therefore breaking out of the string surrounding the path in order to add arguments or just truncate the path string itself (used in the example above) will not work.
However, it is possible to use the following file name:
a/a.html

To produce a case where patched systems will still open the file 'a.html' under the folder 'a' instead of the real file.
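The quote break-out and path-separator behaviour discussed in the comments above, as an added illustration that is not part of the original post or its comments: a simplified model of how a Windows launcher splits the `"%1"` command template into arguments (real Windows parsing also handles backslash escaping, which this model omits), together with a check a file-server operator can run to flag names a Windows client will reject or reinterpret. The file names are the ones quoted in the comments.

```python
import re
from typing import List

# Characters Windows forbids in a file-name component; a name that reaches a
# Windows client containing any of these is rejected or reinterpreted.
WINDOWS_RESERVED = set('<>:"/\\|?*')


def split_windows_args(cmdline: str) -> List[str]:
    """Simplified model of Windows command-line splitting (no backslash
    escaping): a double quote toggles quoted mode, and unquoted whitespace
    ends an argument."""
    args, cur, quoted, in_arg = [], [], False, False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
            in_arg = True
        elif ch.isspace() and not quoted:
            if in_arg:
                args.append(''.join(cur))
                cur, in_arg = [], False
        else:
            cur.append(ch)
            in_arg = True
    if in_arg:
        args.append(''.join(cur))
    return args


def launch_args(filename: str) -> List[str]:
    """Arguments the registered application receives when the shell expands
    the usual '"%1"' file-association template with this file name (model)."""
    return split_windows_args('"%s"' % filename)


def share_name_problems(name: str) -> List[str]:
    """Flag names a Windows client would reject or reinterpret: reserved
    characters, control characters, or a trailing dot or space."""
    problems = []
    bad = sorted(set(name) & WINDOWS_RESERVED)
    if bad:
        problems.append('reserved characters: %s' % ''.join(bad))
    if re.search(r'[\x00-\x1f]', name):
        problems.append('control characters')
    if name != name.rstrip('. '):
        problems.append('trailing dot or space')
    return problems
```

Running `launch_args('a/a.txt" .html')` shows the quote splitting the single path argument into two, which is the behaviour the patch described above closes; `share_name_problems` flags both names from the comments while accepting an ordinary `report.html`.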
