Vulnerability Development mailing list archives
Re: Securax Security Advisory: Windows98 contains a seriousbuffer overflow with long filenameextensions.
From: Rudy.Schockaert () COMPAQ COM (Schockaert, Rudy)
Date: Tue, 25 Apr 2000 07:11:26 +0100
Just tested this on my Windows 2000 Professional. I created the file 1_.Buffer_Overflow_AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Right-clicking it causes DrWatson to do its work. I can open it with notepad, but I cannot attach it using Outlook 2000 (The system cannot find the specified file). Removing one 'A' from the filename does allow me to select it.

-----Original Message-----
From: Zoa_Chien [mailto:zoa_chien () INAME COM]
Sent: Sunday 23 April 2000 9:40
To: VULN-DEV () SECURITYFOCUS COM
Subject: Re: Securax Security Advisory: Windows98 contains a seriousbuffer overflow with long filenameextensions.
The batch file in the original post doesn't work correctly. You must remove the space between "------Buffer" and "overflow-----------" in order to get it working.
Looks like I screwed things up on that .bat file. I tried to copy and paste my batch file into the advisory, but the original batch file contains some ALT-codes (since the original bug report was ALT-codes-in-filename related and I recycled some of that code), and that copy and paste (or maybe the mailing list?) seems to filter those out or replace them with spaces. I should have attached that .bat file to the mail as an external file to avoid problems. Sorry for that. (I'm at home right now, but as soon as I get back to my study home, I'll post the .bat file itself.)

Meanwhile, you will have to make do with this extra info: The first filename in that file is just a filename with 1 byte of overflow. You can add +/- 117 more A's to that filename. I noticed that with this minimum overflow, only explorer.exe on '98 seems to crash, but when you add extra A's (up to 247 in total) several (most) other programs would crash if they try to handle that filename (without using the explorer.exe), like when you use an FTP client, or when you download your mail. And even more interesting, this (247 A's thing) also works in NT4 (SP4 tested) and probably even in Win2k. (I tried this on Eudora on my NT home computer.)

I don't have the time myself right now to check out those buffer overflows in those other programs, so I don't know if it is the kernel that is causing troubles or the program itself. I hope to check this later this week. Maybe I'll do some debugging too then. Could someone start counting the amount of A's needed to crash FTP clients and Eudora clients? And could everyone copy and paste the error report that will show up when the buffer overflow occurs? That would make things much easier for me. Looks like a real danger if you ask me!
I tested it on two different systems:

1. Windows 98 (German)
The explorer crashed after moving the mouse cursor over the filename. Using the cursor keys and ENTER to open the file didn't lead to unusual behaviour.
Explorer.exe doesn't crash on trying to open the file, but when you move over it or highlight it. (In both cases you have to wait some time before the crash occurs, so if you are fast enough with the double click you can access the file without any problems.)
The normal dialog to choose the application to open the file with was displayed. I think the problem is the little tool tip window that shows the whole filename when the mouse is moved over a file whose name is too long to be entirely displayed.

2. Windows 95 OSR2 (German)
Nothing happened here. Neither moving the cursor over the filename nor clicking on the file yielded unusual behaviour. Note: Windows 95 doesn't use these tool tip windows.
Now, that's something strange; I get reports from people who claim it does work on '95 and others who say it doesn't. Maybe there's a difference between 95 and OSR2. Could everyone include the full version number?

For those who care: Although I almost didn't study for my Analysis exam at all due to the discovery of that bug, everything went well... (Mmm.. that professor was lucky... you never know what filename I'd have e-mailed him if things went bad :-)

Zoa_Chien
www.securax.org
(When I am at my study home, I can be found on #securax on EFNET)

application/octet-stream attachment: 1_.Buffer_Overflow_AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
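As an added example (not code from the thread or from Securax), a small Python filter that a mail gateway or file-share scanner could use to flag attachment names with abnormally long extensions of the shape reported above. The two length thresholds are assumptions chosen from the figures quoted in the thread (crashes start a byte or so past the normal limit and get worse around 247 trailing characters); the sample names are constructed.

```python
import os

# Heuristic limits (assumptions, not values from the advisory): real-world
# extensions are a handful of characters, while the thread reports crashes
# once the extension runs to well over a hundred bytes.
WARN_EXTENSION_LEN = 16
BLOCK_EXTENSION_LEN = 64


def split_extension(name):
    """Return (stem, extension) using the last dot, as the Windows shell does.
    Accepts both '/' and '\\' separators; names with no dot or a trailing dot
    have an empty extension."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    if "." not in base or base.endswith("."):
        return base, ""
    stem, ext = base.rsplit(".", 1)
    return stem, ext


def classify(name):
    """'ok', 'warn' or 'block' depending only on the extension length."""
    _, ext = split_extension(name)
    if len(ext) >= BLOCK_EXTENSION_LEN:
        return "block"
    if len(ext) >= WARN_EXTENSION_LEN:
        return "warn"
    return "ok"


def scan(names):
    """Map every name that is not 'ok' to its verdict."""
    return {n: classify(n) for n in names if classify(n) != "ok"}


# Constructed sample attachment names, including the pattern from the thread.
SAMPLES = [
    "report.doc",
    "archive.tar.gz",
    "mail/1_.Buffer_Overflow_" + "A" * 247,   # the 247-A's case from the thread
    "C:\\temp\\weird." + "x" * 20,            # long but below the block limit
    "noext",
    "trailingdot.",
]

if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(verdict, name[:60] + ("..." if len(name) > 60 else ""))
```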