Vulnerability Development mailing list archives
Re: Securax Security Advisory: Windows98 contains a seriousbuffer overflow with long filenameextensions.
From: zoa_chien () INAME COM (Zoa_Chien)
Date: Sun, 23 Apr 2000 09:39:33 +0200
> The batch file in the original post doesn't work correctly. You must remove the space between "------Buffer" and "overflow-----------" in order to get it working.
Looks like I screwed things up on that .bat file. I tried to copy and paste my batch file into the advisory, but the original batch file contains some ALT-codes (since the original bug report was ALT-codes-in-filename related and I recycled some of that code), and that copy and paste (or maybe the mailing list?) seems to filter those out or replace them with spaces. I should have attached that .bat file to the mail as an external file to avoid problems. Sorry for that. (I'm at home right now, but as soon as I get back to my study home, I'll post the .bat file itself.)

Meanwhile, you will have to do with this extra info: the first filename in that file is just a filename with 1 byte of overflow; you can add +/- 117 more A's to that filename. I noticed that with this minimum overflow, only explorer.exe on '98 seems to crash, but when you add extra A's (up to 247 in total) several (most) other programs would crash if they try to handle that filename (without using explorer.exe), like when you use an FTP client, or when you download your mail. And even more interesting, this (247 A's thing) also works in NT4 (SP4 tested) and probably even in Win2k. (I tried this on Eudora on my NT home computer.)

I don't have the time myself right now to check out those buffer overflows in those other programs, so I don't know if it is the kernel that is causing troubles or the program itself. I hope to check this later this week. Maybe I'll do some debugging too then. Could someone start counting the amount of A's needed to crash FTP clients and Eudora clients? And could everyone copy and paste the error report that will show up when the buffer overflow occurs? That would make things much easier for me. Looks like a real danger if you ask me!
> I tested it on two different systems:
>
> 1. Windows 98 (German)
> The explorer crashed after moving the mouse cursor over the filename. Using the cursor keys and ENTER to open the file didn't lead to unusual behaviour.
Explorer.exe doesn't crash on trying to open the file, but when you move over it or highlight it. (In both cases you have to wait some time before the crash occurs, so if you are fast enough with the double click you can access the file without any problems.)
> The normal dialog to choose the application to open the file with was displayed. I think the problem is the little tool tip window that shows the whole filename when the mouse is moved over a file whose name is too long to be entirely displayed.
>
> 2. Windows 95 OSR2 (German)
> Nothing happened here. Neither moving the cursor over the filename nor clicking on the file yielded unusual behaviour. Note: Windows 95 doesn't use these tool tip windows.
Now, that's something strange, I get reports from people who claim it does work on '95 and others who say it doesn't. Maybe there's a difference between 95 and OSR2. Could everyone include the full version number?

For those who care: although I almost didn't study for my Analysis exam at all due to the discovery of that bug, everything went well... (Mmm.. that professor was lucky... you never know what filename I'd have e-mailed him if things went bad :-)

Zoa_Chien
www.securax.org
(When I am at my study home, I can be found on #securax on EFNET)
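Added example, not code from the original post or from Securax: a defender-side check that flags filenames whose extension is abnormally long, the shape of name this thread describes, the kind of filter a mail gateway or file-share scan of the time could apply. The 247-character figure is the one quoted in the post above; the lower "suspicious" threshold, the function names and the sample filenames are assumptions made for illustration.

```python
"""Flag filenames with abnormally long extensions (added example)."""
import os

# Figure quoted in the thread: at 247 trailing 'A's several programs
# besides explorer.exe failed when handling the filename.
THREAD_REPORTED_LENGTH = 247
# Assumption: no legitimate extension is longer than this, so anything
# above it is worth reporting before the thread's figure is reached.
SUSPICIOUS_EXT_LENGTH = 32


def extension_length(filename: str) -> int:
    """Length of the text after the last dot of the base name.
    Returns 0 when there is no extension or the only dot is the first
    character (dotfiles such as '.profile')."""
    base = os.path.basename(filename)
    dot = base.rfind(".")
    if dot <= 0:
        return 0
    return len(base) - dot - 1


def classify(filename: str) -> str:
    """Map a filename to 'ok', 'suspicious' or 'matches-report'."""
    n = extension_length(filename)
    if n >= THREAD_REPORTED_LENGTH:
        return "matches-report"
    if n > SUSPICIOUS_EXT_LENGTH:
        return "suspicious"
    return "ok"


def scan(names):
    """Return (name, verdict) pairs for every name that is not 'ok'."""
    hits = []
    for name in names:
        verdict = classify(name)
        if verdict != "ok":
            hits.append((name, verdict))
    return hits


def scan_tree(root: str):
    """Walk a directory tree and report files whose names are not 'ok'."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits.extend((os.path.join(dirpath, f), v)
                    for f, v in ((f, classify(f)) for f in files) if v != "ok")
    return hits


# Constructed sample names, not taken from any real system.
SAMPLE_NAMES = ["report.txt", "archive.tar.gz",
                "note." + "A" * 40, "crash." + "A" * 247]

if __name__ == "__main__":
    for name, verdict in scan(SAMPLE_NAMES):
        print(f"{verdict:15s} ext_len={extension_length(name):3d} {name[:40]}")
```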