My name is Backspace



  • I like bash. It's the closest thing to a modern command line environment one can get on SunOS. My favorite feature: the magical tab-autocomplete.

    I logged in to a server today, and went looking for some files to install. "Oh, they're stored in /export/home/initech/deployments/deployment_5.0.0/" - wrote Joe, our connection with Initech. "No problem" - I thought. Let's cd to that directory.

    $ cd /ex[tab]

    $ cd /export/ho[tab]

    $ cd /export/home/[tab] [tab]
    ^H^H^H^H^H^H^H^Hadmin     initech    initrode

    WHAT? List please!

    $ ls /export/home/

    admin

    initech

    initrode

    I must have been mistaken, let's try again:

    $ cd /export/home/[tab][tab]

    ^H^H^H^H^H^H^H^Hadmin     initech    initrode

    No. Someone *did* in fact create a directory that has backspaces in its name.



  • I've seen rootkits that create directories or files with control character names. Done properly, it keeps them from showing up in ls, which seems to be the case here. Something you might consider.



  • Doesn't work on Ubuntu: it shows question marks instead of any control character.



  • @Kiss me I'm Polish said:

    WHAT? List please!

    $ ls /export/home/

    admin

    initech

    initrode


    What about "ls -l"?



  • GNU ls, excerpts from man page:

           -b, --escape
                  print octal escapes for nongraphic characters
           -N, --literal
                  print raw entry names (don't treat e.g. control characters specially)
           -q, --hide-control-chars
                  print ? instead of non graphic characters
           --show-control-chars
                  show non graphic characters as-is (default unless program is `ls' and output is a terminal)
    

    NetBSD 4.0.1 ls, excerpts from man page:

         -B      Force printing of non-graphic characters in file names as \xxx,
                 where xxx is the numeric value of the character in octal.
         -b      As -B, but use C escape codes whenever possible.
         -q      Force printing of non-printable characters in file names as the
                 character `?'; this is the default when output is to a terminal.
    
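Added example (editor's, not code from any poster in this thread): a small Python scanner that does on a POSIX host what the ls -b and -q flags quoted above do on a terminal. It walks a directory tree using bytes names, flags every entry containing a C0 control byte (the backspaces in the hidden directory from the first post, or DEL) and renders the name with ls -b style octal escapes so it can be logged or diffed safely. The sample tree it builds in a temp directory is constructed for the demo: the admin/initech/initrode names are borrowed from the thread, while the eight-backspace directory and the deploy<DEL>.sh file are assumptions. It needs a filesystem that accepts control bytes in names, which Linux does.

```python
import os
import shutil
import tempfile


def classify_name(name: bytes) -> str:
    """Return 'control' if the name holds a C0 control byte or DEL,
    'non-ascii' if it only holds bytes >= 0x80 (possibly valid UTF-8),
    else 'clean'."""
    if any(b < 0x20 or b == 0x7F for b in name):
        return "control"
    if any(b >= 0x80 for b in name):
        return "non-ascii"
    return "clean"


def escape_name(name: bytes) -> str:
    """Render a name the way GNU 'ls -b' does: printable ASCII as-is,
    backslash doubled, everything else as a \\ooo octal escape."""
    out = []
    for b in name:
        if b == 0x5C:
            out.append("\\\\")
        elif 0x20 <= b < 0x7F:
            out.append(chr(b))
        else:
            out.append("\\%03o" % b)
    return "".join(out)


def find_suspicious_names(root: bytes):
    """Walk 'root' (bytes, so undecodable names never raise) and return
    a list of (escaped relative path, kind) for every non-clean entry."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            kind = classify_name(name)
            if kind != "clean":
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                findings.append((escape_name(rel), kind))
    return findings


def demo() -> dict:
    """Build a constructed sample tree (an assumption, not the server from
    the thread), scan it, and return {escaped_path: kind}."""
    root = os.fsencode(tempfile.mkdtemp(prefix="hidden-names-"))
    try:
        for d in (b"admin", b"initech", b"initrode"):
            os.mkdir(os.path.join(root, d))
        # Eight backspaces: on a terminal these erase what ls just printed.
        os.mkdir(os.path.join(root, b"\x08" * 8))
        # A DEL byte inside an otherwise ordinary-looking script name.
        with open(os.path.join(root, b"initech", b"deploy\x7f.sh"), "wb") as fh:
            fh.write(b"#!/bin/sh\n")
        return dict(find_suspicious_names(root))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for path, kind in sorted(demo().items()):
        print("%-10s %s" % (kind, path))
```

On a host you are checking, call find_suspicious_names(b'/export/home') instead of the temp tree. Escaping before printing is the point: a monitoring script that diffs raw ls -l output, as Xyro notes below, is exactly what backspaces defeat, whereas octal escapes make such entries visible and stable in logs.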



  • @Quietust said:

    @Kiss me I'm Polish said:

    WHAT? List please!

    $ ls /export/home/

    admin

    initech

    initrode

    What about "ls -l"?
    "ls -l" shows the same content, with the usual drwxr-xr-x where applicable. The "admin" directory has been in use for a long time, so I think I can rule out the rootkit theory. Also, I believe the "ls" here is not GNU, as it's on a SunOS.



  • This is more fun than creating files called " ". I'm using HP-UX's ls throwback here. With a sufficient amount of backspaces, you can make a file totally invisible to even ll (aka ls -l). ls | wc -l still sees it, but if you have a simple security script that just diffs ll output, you can still hide your rwsrwsrwt shell owned by root. (And if you think diffing ll output is a terrible idea for security, so do I, but I've seen comp sci professors advocate it! TRWTF.)

    Now .... how do I remove the files I just made? Ah, what I'd give for GNU tools on this box.



  • @Xyro said:

    Now .... how do I remove the files I just made?
    rm -rf / is the classic solution, but for HP-UX you might get more pleasure out of mediainit.



  • @Xyro said:

    This is more fun than creating files called " ". I'm using HP-UX's ls throwback here.

    On Windows you can create a file called " ". That's ASCII 0xA0 or non-breaking space, you can type that with ALT-160. You cannot delete or rename the file with explorer.exe or cmd.exe. The only way is to write a program that uses the win32 API to delete it (even .NET cannot delete it).



  • @SlyEcho said:

    You cannot delete or rename the file with explorer.exe or cmd.exe.

    TRWTF is that Explorer has arbitrary filename limitations that do not necessarily apply to the file system. For example, the 255 char path length limit.



  • @SlyEcho said:

    On Windows you can create a file called " ". That's ASCII 0xA0 or non-breaking space, you can type that with ALT-160. You cannot delete or rename the file with explorer.exe or cmd.exe. The only way is to write a program that uses the win32 API to delete it (even .NET cannot delete it).
    It requires alt+0160 on my machine (alt+160 gets me a "á"), but I can delete it fine with explorer.exe. If I make a folder with that name, I can even cd into it from cmd.exe as long as I double-quote it. File properties and other views of the spacey files are handled fine.

    Now if only I could create a file called "com1"...



  • @SlyEcho said:

    On Windows you can create a file called " ". That's ASCII 0xA0 or non-breaking space, you can type that with ALT-160. You cannot delete or rename the file with explorer.exe or cmd.exe. The only way is to write a program that uses the win32 API to delete it (even .NET cannot delete it).


    At least on Vista, cmd.exe can handle those files if you put the filename in quotes. The "short" file name works as well, although it is actually longer in this case (dir /x will tell you; the short name for " " should be something like 0A00~1). Using long UNC paths like "\\?\c:\temp\ ", you can even create a file called " " (yes, that's ASCII 0x20).



  • @fatbull said:

    Using long UNC paths like "\\?\c:\temp\ ", you can even create a file called " " (yes, that's ASCII 0x20).
    This isn't a UNC path, but a native Win32 path. Also, it's much more fun when you create a file named con or aux or some other device name this way.


  • @ender said:

    Also, it's much more fun when you create a file named con or aux or some other
    device name this way.
    <AOL> Ahh. the memories of chat room sounds that consisted of people trying to play aux/aux, and the furore that followed....</AOL>


    <=Windows 98 IIRC. Walled garden was shit (with hindsight) even back then. (For the thankfully ignorant, it crashed windows. Not just AOL - the whole OS.)



  • @ender said:

    This isn't a UNC path, but a native Win32 path.
    I got the "long UNC" term from a random wikipedia article because I couldn't find anything more specific than "prefix" in MSDN.



  • @PJH said:

    @ender said:
    Also, it's much more fun when you create a file named con or aux or some other device name this way.
    <AOL> Ahh. the memories of chat room sounds that consisted of people trying to play aux/aux, and the furore that followed....</AOL>

    <=Windows 98 IIRC. Walled garden was shit (with hindsight) even back then. (For the thankfully ignorant, it crashed windows. Not just AOL - the whole OS.)

    Heh. It used occasionally to be remotely vulnerable back in those days as well. Someone once tried to flood a usenet group I was in through an open HTTP CONNECT proxy. I connected to it and asked it to fetch me "GET /aux HTTP/1.0".

    End of flood :-)




  • Oh great, now my Explorer processes are totally hosed. Thanks a lot for provoking me to write this.

    #!/usr/bin/perl

    use strict; use warnings;
    use Cwd;

    my @reserved_names = qw(CON PRN AUX NUL COM1 COM2 COM3 COM4 COM5 COM6 COM7 COM8 COM9 LPT1 LPT2 LPT3 LPT4 LPT5 LPT6 LPT7 LPT8 LPT9);
    my $dir = '//?/'.cwd().'/';

    print "Creating mayhem in $dir\n";

    for (@reserved_names) {
        print $dir.$_, "\n";
        open FH, '>', $dir.$_ or warn $! and next;
        print FH $_;
        close FH or warn $! and next;
    }
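Added example, not part of the thread and not how any poster's script works: the defensive counterpart to the Perl above. An application that writes user-supplied names to a Windows filesystem should reject or rewrite reserved device names itself, because the \\?\ prefix the script uses disables the Win32 normalization that would otherwise refuse them. The Python below encodes the classic rules as a conservative assumption rather than a per-Windows-version specification: the reserved list is the same one the script has, the comparison is case-insensitive, trailing spaces and dots are stripped (Win32 drops them silently), and the part before the first dot is what gets compared, so con.txt still means CON. It also flags the characters Win32 refuses in a component and the non-breaking space (U+00A0) discussed earlier, which Explorer renders like an ordinary space.

```python
from typing import Optional

# Classic Win32 reserved device names, case-insensitive. Constructed list,
# matching the one in the Perl script above.
RESERVED_NAMES = frozenset(
    ["CON", "PRN", "AUX", "NUL"]
    + ["COM%d" % i for i in range(1, 10)]
    + ["LPT%d" % i for i in range(1, 10)]
)

# Characters Win32 refuses in a path component, plus the C0 control range.
INVALID_CHARS = frozenset('<>:"/\\|?*') | frozenset(chr(i) for i in range(32))


def reserved_stem(name: str) -> Optional[str]:
    """Return the reserved device name that 'name' would resolve to, or None.

    Win32 drops trailing spaces and dots and compares the part before the
    first dot case-insensitively, so 'con.txt', 'Aux ' and 'lpt1.tar.gz'
    all map to devices.
    """
    stem = name.rstrip(" .").split(".", 1)[0].upper()
    return stem if stem in RESERVED_NAMES else None


def validate_component(name: str) -> Optional[str]:
    """Return a reason string if 'name' is unsafe as a single Win32 path
    component, or None if it is acceptable."""
    if not name:
        return "empty name"
    bad = sorted(set(name) & INVALID_CHARS)
    if bad:
        return "invalid characters: %s" % ", ".join("U+%04X" % ord(c) for c in bad)
    if name != name.rstrip(" ."):
        return "trailing space or dot (silently stripped by Win32)"
    # U+00A0 and similar pass isspace() but look like a plain space in Explorer.
    if any(ch.isspace() and ch != " " for ch in name):
        return "contains non-ASCII whitespace"
    if name.strip() == "":
        return "name is only spaces"
    dev = reserved_stem(name)
    if dev:
        return "reserved device name %s" % dev
    return None


def safe_filename(name: str, replacement: str = "_") -> str:
    """Rewrite 'name' so that validate_component() accepts it: invalid and
    look-alike whitespace characters are replaced, trailing spaces and dots
    dropped, and a reserved stem is prefixed rather than refused."""
    out = "".join(
        replacement if (c in INVALID_CHARS or (c.isspace() and c != " ")) else c
        for c in name
    )
    out = out.rstrip(" .")
    if out.strip() == "":
        out = replacement
    if reserved_stem(out):
        out = replacement + out
    return out


if __name__ == "__main__":
    # Constructed sample inputs, including the ones discussed in the thread.
    for candidate in ("hello.txt", "con.txt", "aux", "COM1 ", "\u00a0", "report:v2?.txt"):
        print("%-16r -> %s  (safe: %r)" % (candidate, validate_component(candidate), safe_filename(candidate)))
```

Apply validate_component to every component of a path you build from untrusted input, not to the joined string, since the device-name rule is per component. Rejecting is the safer default for uploads; safe_filename is for cases where the name must be preserved as closely as possible.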



  • @Xyro said:

    #!/usr/bin/perl

    I lol'ed.



  • @derula said:

    @Xyro said:
    #!/usr/bin/perl

    I lol'ed.

    sheddup. It's not a proper main:: without a shebang. It's discipline, I tell you. Or good practice. It's the industry-wide enterprise standard. I mean, it's best practices. My OCD has a medical label, and therefore socially excusable.

    Bah!



  • @Xyro said:

    @derula said:
    @Xyro said:
    #!/usr/bin/perl

    I lol'ed.

    sheddup. It's not a proper main:: without a shebang. It's discipline, I tell you. Or good practice. It's the industry-wide enterprise standard. I mean, it's best practices.

    You wrote a script to pwn explorer. It will be run exactly once. On Windows. Just sayin.

