Vulnerability Development mailing list archives

Re: Explorer crashes when it sees this .lnk file


From: furrm () KENYON EDU (Mike Furr)
Date: Wed, 29 Mar 2000 16:21:04 +0000


Parity Error wrote:

Hi all,

Explorer crashes when it "sees" this .lnk file in a directory. Looks like some
decoding code for .lnk files crashes when it sees this. The code
seems to be in a shared dll. U cannot edit this file using any windows based
hex editor. All apps crash when they see this. This may be exploitable, ....

  ------------------------------------------------------------------------
   Attachment: check.lnk
   Type: unspecified type (application/octet-stream)
   Encoding: base64

sounds like the shortcut vulnerability posted to bugtraq a little over a month
ago:

  The Windows API that handles shortcut navigation is susceptible to
   buffer overflow attacks. The API, "SHGetPathFromIDList" will
   parse a shortcut file (.lnk) to find the target file, directory or URL. A
   specifically malformed link will cause any program using the API to
   follow that shortcut to crash.

   NOTE: While this vulnerability listing, as well as the exploit and the
   original USSR advisory only mention Serv-U FTP server, any
   Windows, Microsoft, or 3rd party program that uses the API could
   be vulnerable to this.

see bugtraq id 970 for more info

-mike
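
Added example, not part of the original posts or the quoted advisory: a bounds-checked walk of the item ID list stored in a .lnk file, the kind of structure an API such as SHGetPathFromIDList consumes. It assumes the layout in Microsoft's published Shell Link format (76-byte header, then an optional LinkTargetIDList); the thread does not say which field of check.lnk is malformed, and the function names and sample bytes here are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum lnk_status { LNK_OK, LNK_BAD_HEADER, LNK_TRUNCATED, LNK_BAD_ITEM, LNK_NO_TERMINATOR };
/* LinkCLSID 00021401-0000-0000-C000-000000000046 as stored on disk */
static const uint8_t LNK_CLSID[16] = {0x01,0x14,0x02,0,0,0,0,0,0xC0,0,0,0,0,0,0,0x46};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Check the header and every item size against the bytes actually present. */
enum lnk_status lnk_check(const uint8_t *buf, size_t len, unsigned *n_items)
{
    *n_items = 0;
    if (len < 76 || rd32(buf) != 0x4C || memcmp(buf + 4, LNK_CLSID, 16) != 0)
        return LNK_BAD_HEADER;
    if (!(rd32(buf + 20) & 0x1)) return LNK_OK;   /* HasLinkTargetIDList not set */
    if (len - 76 < 2) return LNK_TRUNCATED;
    size_t list_len = rd16(buf + 76);              /* IDListSize */
    if (list_len < 2 || list_len > len - 78) return LNK_TRUNCATED;
    const uint8_t *p = buf + 78, *end = p + list_len;
    while ((size_t)(end - p) >= 2) {
        size_t cb = rd16(p);                       /* item size, includes these 2 bytes */
        if (cb == 0) return (p + 2 == end) ? LNK_OK : LNK_BAD_ITEM;
        if (cb < 2 || cb > (size_t)(end - p)) return LNK_BAD_ITEM;
        p += cb;
        ++*n_items;
    }
    return LNK_NO_TERMINATOR;
}

/* Constructed sample: header, one 6-byte item, terminator; `claimed` sets the item's size field. */
size_t lnk_sample(uint8_t out[86], uint16_t claimed)
{
    memset(out, 0, 86);
    out[0] = 0x4C;                                 /* HeaderSize */
    memcpy(out + 4, LNK_CLSID, 16);
    out[20] = 0x01;                                /* LinkFlags: HasLinkTargetIDList */
    out[76] = 8;                                   /* IDListSize: 6-byte item + terminator */
    out[78] = (uint8_t)claimed; out[79] = (uint8_t)(claimed >> 8);
    return 86;
}

int main(void)
{
    const uint16_t sizes[] = {6, 8, 0x4000};       /* honest, swallows terminator, overruns list */
    uint8_t b[86]; unsigned n;
    for (int i = 0; i < 3; i++)
        printf("cb=0x%04x -> status %d\n", (unsigned)sizes[i], (int)lnk_check(b, lnk_sample(b, sizes[i]), &n));
    return 0;
}
```
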

