Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Reverse RDP - The Path Not Taken- 202

Eyal Itkin (posted 5 years ago)
  • Check Point Research found a path traversal bug in the Microsoft RDP client. The research resurfaced when the same bug was later found in the macOS client.
  • Microsoft fixed the path traversal using the Windows API function PathCchCanonicalize. This function canonicalizes a path, collapsing '.' and '..' elements so the caller can see where the path really points. According to the official Windows API documentation, this is the main way to prevent path traversal.
  • In Windows, paths conventionally use '\'. However, both forward slashes and backslashes are valid separators in Windows paths. What Check Point Research discovered was absolutely startling...
  • PathCchCanonicalize only recognizes '\' and not '/'! This means that path traversal can still be performed with forward slashes, even after Microsoft's suggested mitigation. Microsoft will NOT be fixing this; the behaviour has to be kept for legacy compatibility.
  • In the future, when reviewing Windows applications, make sure to check for path traversal with forward slashes as well as backslashes. It is likely that the developers think that PathCchCanonicalize fixes the problem (even though it actually does not).
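As an added illustration of the point above (my own example, not code from the original post or from Check Point's research), here is a simplified Python model of a backslash-only canonicalizer. It is not the real PathCchCanonicalize, only a stand-in that, like the real function, treats '/' as an ordinary character; a confinement check built on it accepts a forward-slash traversal, while the hardened variant normalizes separators before canonicalizing.

```python
from typing import List

SEP = "\\"  # the only separator the modelled canonicalizer understands


def canonicalize_backslash_only(path: str) -> str:
    """Model (not the real Windows API) of a canonicalizer that only splits on '\\'.

    It collapses '.' and '..' segments the way PathCchCanonicalize does, but a '/'
    is never treated as a separator, so '../' segments survive untouched.
    """
    out: List[str] = []
    for seg in path.split(SEP):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return SEP.join(out)


def is_confined(base: str, candidate: str) -> bool:
    """Naive check: canonicalize base + candidate and require it to stay under base."""
    full = canonicalize_backslash_only(base + SEP + candidate)
    return full == base or full.startswith(base + SEP)


def is_confined_hardened(base: str, candidate: str) -> bool:
    """Hardened check: normalize '/' to '\\' first so both separator styles are handled."""
    return is_confined(base, candidate.replace("/", SEP))


if __name__ == "__main__":
    # Constructed sample inputs: a share root and two traversal attempts.
    share = "C:\\rdp_share"
    for rel in ("docs\\report.txt", "..\\..\\Windows\\evil", "../../Windows/evil"):
        print(f"{rel!r:28} naive={is_confined(share, rel)!s:5} "
              f"hardened={is_confined_hardened(share, rel)}")
```

The naive check rejects the backslash traversal but wrongly accepts the forward-slash one; the hardened check rejects both, which is the behaviour a reviewer should look for in any code relying on PathCchCanonicalize.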