Bugtraq mailing list archives

Buffer Overflows with long file extensions in Windows


From: mjodeit () GMX DE (Moritz Jodeit)
Date: Fri, 26 May 2000 08:17:32 +0200


There is a buffer overflow in how Windows handles files that have a very
long file extension. In Windows 98, I created the following file:
"x.xxxxxxxx[225 more x's]". If you hold your mouse over the file for a second, you get a
general protection fault in the EXPLORER process. EAX, EIP and EBP are
overwritten with the x-values. I'm not aware that this could be
remotely exploited. This was tested on Windows 98 4.10.1998. Windows 2000 seems
to have a similar bug. If you create the above file and make a copy of it in
the same directory, so that it gets the name "Copy of ...", there is some
buffer overflow, too. I tested this on Windows 2000 Professional 5.00.2195.
If you try this in Windows 98, you get a general protection fault in module
SHELL32.DLL and EAX and ESI are overwritten with the x-values. In Windows 95,
there is the same problem as in Windows 98. I didn't have the chance to
test this on NT, but it should work there as well.

--
Moritz Jodeit
http://jodeit.exit.de
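As an added defensive check (not part of the original post), the script below flags file names whose extension is far longer than anything a legitimate application produces, so an administrator can find names like the "x.xxx..." and "Copy of ..." files described above before a user hovers over them. The threshold of 64 characters is an assumption chosen for this example; the post's crashing name has an extension of 233 x's.

```python
import os
from typing import Iterable, Iterator, List, Tuple

# Assumed threshold for this example: no common file type has an extension
# anywhere near this long, while the post's crashing name has 8 + 225 = 233.
MAX_EXTENSION_LEN = 64


def extension_length(name: str) -> int:
    """Length of the extension after the last dot; 0 if there is none."""
    base = os.path.basename(name)
    if "." not in base or base.endswith("."):
        return 0
    return len(base.rsplit(".", 1)[1])


def is_suspicious_name(name: str, limit: int = MAX_EXTENSION_LEN) -> bool:
    """True when the extension alone exceeds the configured limit."""
    return extension_length(name) > limit


def scan_names(names: Iterable[str],
               limit: int = MAX_EXTENSION_LEN) -> List[Tuple[str, int]]:
    """Return (name, extension_length) for every over-long name in order."""
    return [(n, extension_length(n)) for n in names
            if extension_length(n) > limit]


def scan_tree(root: str,
              limit: int = MAX_EXTENSION_LEN) -> Iterator[Tuple[str, int]]:
    """Walk a directory tree and yield (path, extension_length) for hits."""
    for dirpath, _dirs, files in os.walk(root):
        for path, length in scan_names(files, limit):
            yield os.path.join(dirpath, path), length


if __name__ == "__main__":
    # Constructed sample names: the post's pattern, its "Copy of" variant,
    # and ordinary files that must not be reported.
    sample = ["x." + "x" * 233, "Copy of x." + "x" * 233,
              "report.docx", "archive.tar.gz", "noext"]
    for name, length in scan_names(sample):
        print(f"extension length {length:4d}: {name[:40]}...")
```

Run `scan_tree(r"C:\Users")` (or any share root) instead of the constructed list to check a live file system.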
