Bugtraq mailing list archives
Buffer Overflows with long file extensions in Windows
From: mjodeit () GMX DE (Moritz Jodeit)
Date: Fri, 26 May 2000 08:17:32 +0200
There is a buffer overflow in how Windows handles files which have a very long file extension. In Windows 98, I created the following file: "x.xxxxxxxx[225 more x's]". If you keep your mouse a second over the file, you get a general protection fault in the EXPLORER process. EAX, EIP and EBP are overwritten with the x-values. I'm not aware of the fact that this could be remotely exploited. This was tested on Windows 98 4.10.1998.

Windows 2000 seems to have a similar bug. If you create the above file and make a copy of it to the same directory, so it should get the name "Copy of ...", there is some buffer overflow, too. I tested this on Windows 2000 Professional 5.00.2195. If you try this in Windows 98, you get a general protection fault in module SHELL32.DLL and EAX and ESI are overwritten with the x-values.

In Windows 95, there is the same problem as in Windows 98. I didn't have the chance to test this on NT, but it should work there as well.

--
Moritz Jodeit
http://jodeit.exit.de

Sent through GMX FreeMail - http://www.gmx.net
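The post describes crashes triggered by a filename whose extension is hundreds of characters long. A practical defensive check is to audit a directory listing for extensions beyond a sane length before such files reach a shell that may mishandle them. The following is an added example written for this archive page; it is not code from the post or from Microsoft. The 64-character threshold and the function names are assumptions chosen for illustration, and the sample listing is constructed, reproducing the post's "x." followed by 233 x's.

```python
"""Audit filenames for overlong extensions.

Added example (not part of the original Bugtraq post). MAX_EXT_LEN is an
assumed threshold for illustration, not a limit taken from the post or
from Windows.
"""
import os

MAX_EXT_LEN = 64  # assumed threshold for illustration


def extension_length(name: str) -> int:
    """Return the length of the extension of a filename, without the dot.

    Uses os.path.splitext semantics: 'x.xxx' -> 3, 'noext' -> 0,
    '.hidden' -> 0 (a leading dot is not an extension), 'a.b.c' -> 1.
    Backslashes are normalised so Windows-style paths are handled too.
    """
    base = os.path.basename(name.replace("\\", "/"))
    _, ext = os.path.splitext(base)
    return max(len(ext) - 1, 0)  # drop the dot itself


def find_overlong_extensions(names, max_ext_len=MAX_EXT_LEN):
    """Return [(name, ext_len)] for every name whose extension exceeds max_ext_len."""
    flagged = []
    for name in names:
        n = extension_length(name)
        if n > max_ext_len:
            flagged.append((name, n))
    return flagged


# Constructed sample listing: the post's "x.xxxxxxxx[225 more x's]" is
# 'x.' followed by 8 + 225 = 233 x's; the "Copy of" variant mirrors the
# Windows 2000 case described in the post.
SAMPLE_LISTING = [
    "readme.txt",
    "archive.tar.gz",
    "x." + "x" * 233,
    "Copy of x." + "x" * 233,
    "noextension",
]

if __name__ == "__main__":
    for name, n in find_overlong_extensions(SAMPLE_LISTING):
        print(f"{n:4d}  {name[:40]}...")
```

Run against a real listing (for example `os.listdir(path)`), the function returns the names whose extension length exceeds the threshold so they can be quarantined or renamed before a file manager renders them.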