Vulnerability Development mailing list archives

Re: Securax Security Advisory: Windows98 contains a serious buffer overflow with long filename extensions.


From: zoa_chien () INAME COM (Zoa_Chien)
Date: Sun, 23 Apr 2000 09:39:33 +0200


The batch file in the original post doesn't work correctly.
You must remove the space between "------Buffer" and "overflow-----------"
in order to get it working.

Looks like I screwed things up on that .bat file.
I tried to copy and paste my batch file into the advisory, but the original
batch file contains some ALT-codes (since the original bug report was
ALT-codes-in-filename related and I recycled some of that code), and that
copy and paste (or maybe the mailing list?) seems to filter those out or
replace them with spaces.

I should have attached that .bat file to the mail as an external file to
avoid problems.
Sorry for that. (I'm at home right now, but as soon as I get back to my
study home, I'll post the .bat file itself.)

Meanwhile, you will have to make do with this extra info:

The first filename in that file is just a filename with 1 byte of overflow.
You can add +/- 117 more A's to that filename.
I noticed that with this minimum overflow, only explorer.exe on '98 seems
to crash, but when you add extra A's (up to 247 in total) several (most)
other programs would crash if they try to handle that filename (without
using the explorer.exe), like when U use an FTP client, or when U download
your mail.

And even more interesting, this (247 A's thing) also works in NT4 (sp4
tested) and probably even in win2k. (I tried this on Eudora on my NT home
computer.)
I don't have the time myself right now to check out those buffer overflows
in those other programs, so I don't know if it is the kernel that is
causing troubles or the program itself.
I hope to check this later this week. Maybe I'll do some debugging too then.

Could someone start counting the amount of A's needed to crash FTP clients
and Eudora clients? And could every1 copy and paste the error report that
will show up when the buffer overflow occurs? That would make things much
easier for me.

Looks like a real danger if you ask me!

I tested it on two different systems:

1. Windows 98 (German)
The explorer crashed after moving the mouse cursor over the filename.
Using the cursor keys and ENTER to open the file didn't lead to unusual
behaviour.

Explorer.exe doesn't crash on trying to open the file, but when you move
over it or highlight it.
(In both cases you have to wait some time before the crash occurs, so if
you are fast enough with the double click you can access the file without
any problems.)

The normal dialog to choose the application to open the file with was
displayed.

I think the problem is the little tool tip window that shows the whole
filename when the mouse is moved over a file whose name is too long to be
entirely displayed.

2. Windows 95 OSR2 (German)
Nothing happened here. Neither moving the cursor over the filename nor
clicking on the file yielded unusual behaviour.

Note: Windows 95 doesn't use these tool tip windows.

Now, that's something strange, I get reports from people who claim it does
work on '95 and others who say it doesn't.
Maybe there's a difference between 95 and OSR2. Could every1 include the
full version number?

For those who care: Although I almost didn't study for my Analysis exam at all
due to the discovery of that bug, everything went well... (Mmm.. that
professor was lucky... you never know what filename I'd have e-mailed him
if things went bad :-)

Zoa_Chien

www.securax.org
(When I am at my study home, I can be found on #securax on EFNET)
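A defender-side check suggested by this thread, written here as an added example and not code from the original post or from Securax: it flags incoming attachment or upload filenames whose extension is overlong, that consist of a long run of one repeated character, or that carry control/non-ASCII bytes (the ALT-code characters mentioned above). The thresholds, the sample names and the helper names are assumptions for this example.

```python
import re
from dataclasses import dataclass

# Assumed sane upper bounds; chosen with the thread's figures in mind
# (1 byte of overflow at minimum, up to 247 characters in total).
MAX_EXTENSION_LEN = 16   # assumption: real extensions are a few characters
MAX_NAME_LEN = 128       # assumption: whole filename bound for a mail/FTP gateway
MIN_REPEAT_RUN = 32      # assumption: runs this long look like padding, not names

@dataclass
class Finding:
    name: str
    reasons: list

def split_extension(name: str):
    """Return (stem, extension) for the last path component; extension has no dot."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    if "." not in base:
        return base, ""
    stem, ext = base.rsplit(".", 1)
    return stem, ext

def check_filename(name: str):
    """Return a list of human-readable reasons why the name looks suspicious (empty if clean)."""
    reasons = []
    _stem, ext = split_extension(name)
    if len(name) > MAX_NAME_LEN:
        reasons.append(f"filename length {len(name)} exceeds {MAX_NAME_LEN}")
    if len(ext) > MAX_EXTENSION_LEN:
        reasons.append(f"extension length {len(ext)} exceeds {MAX_EXTENSION_LEN}")
    run = re.search(r"(.)\1{%d,}" % (MIN_REPEAT_RUN - 1), name)
    if run:
        reasons.append(f"run of {len(run.group(0))} repeated {run.group(1)!r}")
    # Control characters or bytes outside printable ASCII (ALT-code style input).
    if any(ord(c) < 0x20 or ord(c) > 0x7E for c in name):
        reasons.append("contains control or non-ASCII characters")
    return reasons

def scan_filenames(names):
    """Run check_filename over an iterable of names and keep only the hits."""
    return [Finding(n, r) for n in names if (r := check_filename(n))]

# Constructed sample input: two ordinary names, one with a 247-character
# extension like the one discussed in the thread, one with a control byte.
SAMPLE = ["report.txt", "archive.tar.gz", "test." + "A" * 247, "notes\x0e.txt"]

if __name__ == "__main__":
    for f in scan_filenames(SAMPLE):
        print(f.name[:40], "->", "; ".join(f.reasons))
```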

