Vulnerability Development mailing list archives

Re: Securax Security Advisory: Windows98 contains a serious buffer overflow with long filename extensions.


From: swadlow () UTDALLAS EDU (Su Wadlow)
Date: Sat, 22 Apr 2000 18:26:31 -0500


--On Saturday, April 22, 2000 9:02 AM -0500 Ron DuFresne
<dufresne () WINTERNET COM> wrote:

Has anyone looked to see if this works on NT and or 2000?

Something I noticed was that the batch file created *two* files.  One
was the '_á.á------Buffer overflow----blah' file.  The other was
*supposed* to be something called
'_á.á------Blue-screen-of-death------aa....aa12345678?AAAAAAAAAA'
but I couldn't get that one in my trials.

Note that I don't have a Win98 box to mess with here, so I had to limit
myself to Win95 and NT4. :-)

First machine: Win95
--------------------

My first attempt was with the batch file verbatim, which as we've found
by now, doesn't work.  So I changed the ' ' to a '-' and ran the batch
file again.  I got the '_á.á------Buffer-overflow--blah' file, but when
the batch file got to the other one all I got was a "File creation
error".  Back in Explorer I tried clicking the 'Buffer-overflow' file --
nothing.  Double clicking it just brought up the Windows 'Open With'
dialog box -- nothing unusual.  And I've had no trouble opening this
file with either Notepad or WordPad -- I've tried several times both
using the Windows 'Open With' box and the apps' Open dialog boxes.

Remembering the comment by Markus Kern about the little tool tip thingy
(Windows *apps* do use it, even Explorer's toolbar) I looked for
something to which to add the file I had gotten, and noticed my Office
Shortcut Bar.  I was unable to add it there -- I got a message that the
file couldn't be added because "The combined length of the path to the
toolbar folder and the file name must be less than 260 characters."

As I had nothing else on my Win95 box to which I could add this
filename, to try the tool tip thingy, I decided to move on to NT.  Since
there's no email app on it, I decided to use FTP to get the .bat file to
my NT machine, so I fired up WS_FTP95LE.  Enter a brief interlude of
surprised, semi-maniacal laughter when I change to the directory
containing the .bat file (which also contains the 'Buffer-overflow'
file :-) as WS_FTP95LE crashes . . . .

WS_FPT95 caused an invalid page fault in
module <unknown> at 0000:00000009.
Registers:
EAX=00000001 CS=0137 EIP=00000009 EFLGS=00010286
EBX=0000002b SS=013f ESP=0067f958 EBP=0067fa0e
ECX=86064500 DS=013f ESI=0000039f FS=0e9f
EDX=00551000 ES=013f EDI=00000230 GS=0000
Bytes at CS:EIP:
00 5a 09 65 04 70 00 65 04 70 00 54 ff 00 f0 bf
Stack dump:
0000013f 00000000 00000300 0067fa0e 0067f99c
0067f984 000089f2 0067f9ce 00417ec2 00000230
bff73663 00000230 0000002b 0000039f 0067fa0e
89cc306f

Might *this* be useful in some way?

Second machine: NT4.0, SP5
--------------------------

Again, only the 'Buffer-overflow' file was created.  For the other, NT
says that "The filename, directory name, or volume label syntax is
incorrect."  And I can double click on it and open it in Notepad or
WordPad without a problem.

I had wanted to try to FTP the 'Buffer-overflow' file to my Linux box
to see what would happen there, but as I had already determined that
it would crash my Windows GUI FTP app, and the Windows command line FTP
doesn't support passive mode, I had to drop that idea . . . .

--
Su Wadlow
swadlow () utdallas edu
    If I have to explain, you wouldn't understand . . . . :-)
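Added example, not part of the thread or of any of the tools mentioned in it: a small scanner an administrator could run to find files whose names or full paths approach the classic Win32 limits the thread runs into (the 260-character MAX_PATH that the Office Shortcut Bar message quotes, and the 255-character per-component limit of long file names). The three reason codes, the thresholds and the constructed sample tree are this example's own choices.

```python
"""Find directory entries whose name or full path exceeds classic Win32 limits.

Added example (not from the original post). Flags entries that would trip the
260-character MAX_PATH limit or the 255-character per-component limit, and
notes non-ASCII characters in a name as an informational signal, since the
file names discussed in the thread use them.
"""
import os
import pathlib
import tempfile

MAX_PATH = 260       # Win32 MAX_PATH, counts the terminating NUL
MAX_COMPONENT = 255  # per-component long-file-name limit on FAT/NTFS


def _basename(path):
    """Last path component, accepting either separator (assumption: the
    scanner may run on Linux against names copied from Windows)."""
    return path.replace("\\", "/").rstrip("/").rsplit("/", 1)[-1]


def classify_entry(path):
    """Return the list of reasons a path is risky; empty list means clean."""
    reasons = []
    name = _basename(path)
    if len(name) > MAX_COMPONENT:
        reasons.append("component>255")
    # A string of MAX_PATH characters needs MAX_PATH+1 bytes with its NUL,
    # so anything of length >= 260 no longer fits in a MAX_PATH buffer.
    if len(path) >= MAX_PATH:
        reasons.append("path>=MAX_PATH")
    if any(ord(c) > 127 for c in name):
        reasons.append("non-ascii")
    return reasons


def scan_tree(root):
    """Walk root and map every flagged full path to its reasons."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for entry in dirnames + filenames:
            full = os.path.join(dirpath, entry)
            reasons = classify_entry(full)
            if reasons:
                findings[full] = reasons
    return findings


def demo():
    """Build a constructed tree, scan it and report two facts:
    (deep file flagged for path length, ordinary file left unflagged)."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed stand-in for the thread's long file name (ASCII so it
        # is creatable everywhere); 229 chars, under the component limit.
        long_name = "_a.a------Buffer-overflow----" + "A" * 200
        pathlib.Path(root, long_name).touch()
        pathlib.Path(root, "normal.txt").touch()
        # Six 60-character directories push the full path well past 260
        # regardless of how long the temporary root itself is.
        nested = os.path.join(root, *["d" * 60] * 6)
        os.makedirs(nested)
        deep = os.path.join(nested, "x.txt")
        pathlib.Path(deep).touch()
        findings = scan_tree(root)
        deep_flagged = "path>=MAX_PATH" in findings.get(deep, [])
        normal_clean = os.path.join(root, "normal.txt") not in findings
        return deep_flagged, normal_clean


if __name__ == "__main__":
    print(demo())
    print(classify_entry("C:\\x\\" + "B" * 300))
```

On a Linux host the component check can only be exercised on synthetic strings, since NAME_MAX there is 255 bytes; the path-length check is exercised for real by the nested directories in demo().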


