Threat Level: green Handler on Duty: Manuel Pelaez

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Challenge: What can you do with funky directory names?

Published: 2012-04-11
Last Updated: 2012-04-11 02:51:10 UTC
by Mark Baggett (Version: 1)
11 comment(s)

Good day readers!   I've been playing around with creating unusual file names for a while.   (http://vimeo.com/9484706 , http://pauldotcom.com/2011/12/looking-for-stealth-ads-stream.html)   For example, did you know you can create a ".. "  (dot dot space) directory on Windows just like you can in Linux?   Want to try it?   Open up a command prompt and type this:

That's interesting.   Notice that our ".. " (dot dot space) directory is indistinguishable from the normal parent directory and is easily overlooked.   Attackers have been hiding in the "dot dot space" directory for a long time on the Linux platform.   Now try this from an administrative command prompt:

We created a ". "  (dot space) directory with a ".. " (dot dot space) subdirectory.  Then we put a copy of netcat in it.  (Your path to nc.exe may be different from this example).  As you see from the image above you can still execute netcat without any problems if you use a symbolic link.    Now try and browse to the c:\temp\  directory using the Windows Explorer GUI.   You will notice the SHORTCUT to NC.EXE in our c:\temp directory.    Double click on the ". " (dot space) directory.   You might expect that it take you into a directory containing our ".. " (dot dot space)  directory, but it doesn't!   Instead we are still in the c:\temp directory with our shortcut to nc.exe!   Double click the ". " (dot space) directory again.   This time we DO change to the directory containing ".. " (dot dot space).   Weird!    Now, Double click your ".. " (dot dot space) directory.   Where will that take you?  It takes you to the following error message:

Interesting.  Now try this.  Open your command prompt and change directories to the path "c:\temp\2628~1\45AA~1\" and do a directory listing.  This strange directory name has been consistent in my limited testing.  Is it the same for you?  There is your copy of nc.exe!   What the heck is that?

Your mission, should you choose to accept it, is to tell me what you can do with this.   What causes this behavior?  Post a comment!

HEY! I'm teaching SANS SEC560 BOOTCAMP Style in Augusta GA June 11th - 16th.   Sign up today!  http://www.sans.org/community/event/sec560-augusta-jun-2012

 

Keywords: challenge
11 comment(s)
Diary Archives