Re: Securax Security Advisory: Windows98 contains a serious buffer overflow with long filenameextensions.

[john () THREEBS COM (John Swensson)]

Nothing weird under command prompt, but when i increased the length of the
file extention
and tried to delete it. (this is under Win2000) I got a "Error Deleting
File or Folder"  "Cannot delete _ :This network connection does not
exist."
renaming it, to something shorter allowed me to delete it. I was able to
delete in the Command Prompt.

as far as in the dos prompt under win98, there was the same listing, and I
was also able to delete it. I was able to crash Explorer with a double
click on the file (win98).

(win2000)

C:\Documents and Settings\jupiter\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is 8834-A5F6

 Directory of C:\Documents and Settings\jupiter\Desktop

04/22/2000  05:15p      <DIR>          .
04/22/2000  05:15p      <DIR>          ..
04/22/2000  02:28p               1,144 test.BAT
04/22/2000  05:15p                 621_.------Bufferoverflow-----------aaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaa
               2 File(s)          1,765 bytes
               2 Dir(s)  11,400,445,952 bytes free

(win98) dos prompt

TEST     BAT           632  04-22-00  4:36p test.bat
__~1     _--         1,948  04-22-00  4:36p
__._------Bufferoverflow-----------a
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaa
        15 file(s)        213,668 bytes
        13 dir(s)     853,651,456 bytes free

John Swensson
john () threebs com

On Sat, 22 Apr 2000, Ron DuFresne wrote:

> Here's another question:
>
> how dos a dos prompt handle such files?
>
> Thanks,
>
> Ron DuFresne
>
> On Sat, 22 Apr 2000, John Swensson wrote:
>
> > I have tested this on Win2000 , and failed to reproduce any problems.
> > I was using the server not the workstation, but that should not make a
> > difference. However I was not able to open the file with notepad or
> > wordpad, even after adding a .txt to the end of the file name. I'm
> > guessing this is just a limitation of notepad and wordpad.
> >
> >
> > On Sun, 23 Apr 2000, Thomas Dullien wrote:
> >
> > > On Sat, 22 Apr 2000 09:02:35 -0500, Ron DuFresne wrote:
> > >
> > > > Bob,
> > > >
> > > > Thanks for the info.  Just what I was asking about fer sure.  And then it
> > > > seems that EI is not the sole culprit in this little nasty.  Has anyone
> > > > looked to see if this works on NT and or 2000?
> > >
> > > Under my NT configuration I cannot reproduce any problems :)
> > > As 2k is basically NT on DirectX I _assume_ this shouldn't produce
> > > any problems either.
> > > I have had a short look at the capability of exploiting the long filenames
> > > under 98 in the explorer. In my case, a single click will already be enough
> > > to kill it, but I assume this could vary on 95.
> > > Exploiting is gonna be a bitch as no registers point to our buffers. If you
> > > walk the stack upwards you can under certain circumstances find a
> > > pointer into the extension at ESP+0x1CC or ESP+0x1EC or the like,
> > > this could already provide us with the pointer we need. I will look at
> > > it on monday. Anyone wanna do a joint disassembly/analysis of the
> > > prblem ?
> > >
> > >
> > >
> > > Thomas Dullien
> > > dullien () gmx de
> > > Win32 Security Consultant ;-> Hire me !
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> "Cutting the space budget really restores my faith in humanity.  It
> eliminates dreams, goals, and ideals and lets us get straight to the
> business of hate, debauchery, and self-annihilation." -- Johnny Hart
>       ***testing, only testing, and damn good at it too!***
>
> OK, so you're a Ph.D.  Just don't touch anything.