Vulnerability Development mailing list archives

RE: Buffer overflow in Explorer.exe


From: "Kristopher Matthews" <krism () mailsnare net>
Date: Fri, 9 May 2003 12:42:53 -0400

I have tested and duplicated this behavior on a fully patched/updated
Windows XP Pro system.

1. The overflow is for that particular key, AFAICT.
1a. It will not work for the root (c:/) directory; explorer.exe does not
parse 'desktop.ini' for that directory. It will, however, work for any other
directory.
2. It crashes explorer.exe (which runs the task bar/start menu, etc.) - it
looks for all the world like a standard buffer overflow; I believe a more
carefully crafted 'desktop.ini' file could cause explorer.exe to
unintentionally execute arbitrary code.
3. Download and execute untrusted code? Combine this with any of the other
popular exploits for Windows; also, it wouldn't be terribly hard to get a
user to download a 'desktop.ini' file to their "My Documents" directory (in
the guise of, say, a folder theme, which Windows does support; e.g.
different background, file layout, etc.); bam, whenever they open that
directory, explorer crashes.

Regards,
Kristopher


-----Original Message-----
From: Ryan Yagatich [mailto:ryany () pantek com] 
Sent: Thursday, May 08, 2003 6:28 PM
To: at4r () 3wdesign es
Cc: vuln-dev () securityfocus com

Hi, 
        I don't quite understand the purpose behind this code. It creates
a read only file '/aT4r[at]3WDesign.es Security/desktop.ini' with the
contents of

[.ShellClassInfo]
AAAAAAAAAAAA {x2301}


        And then terminates? I don't have a windows machine available to
really explore this any, but what makes that entry in desktop.ini cause
this? Furthermore, is this issue only for that particular key or is it
generally just key/excessive parameter/missing value size that is
affected? And additionally, you mention that explorer will no longer be
able to operate when trying to browse the hard disk, but does this mean
globally, or when they try to browse the c:/ drive, or just that
particular folder?
        Please send me more information about this (even if it references
past posts that I have missed) so that I can better understand the
severity of this. Especially since to me, I still see it as someone needing
to download and execute untrusted software which causes a system crash,
and if that were going to happen there are far worse things that can be
done besides creating a small text file.

Thanks,
Ryan Yagatich


,_____________________________________________________,
\ Ryan Yagatich                     support () pantek com \
/ Pantek Incorporated                  (877) LINUX-FIX /
\ http://www.pantek.com/security        (440) 519-1802 \
/       Are your networks secure? Are you certain?     /
\___E8354282324E636DB5FF7B8A6EDED51FD02C06C68D3DB695___\

On Wed, 7 May 2003, aT4r InsaN3 wrote:

This bug allows a malicious attacker to execute data with the privileges of a
user that is browsing the hard disk with explorer.

tested against winxp SP1

example code provided.

<snip>

      strcpy(path,"\\aT4r[at]3WDesign.es Security");
      mkdir(path);
      SetFileAttributes(path,FILE_ATTRIBUTE_READONLY);

      strcat(path,"\\desktop.ini");

      bof=fopen(path,"w");
      fputs("[.ShellClassInfo]\n",bof);
      memset(evil,'A',BUFF);
      fputs(evil,bof);
      fclose(bof);
<snip>
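The thread above describes a 'desktop.ini' whose [.ShellClassInfo] section holds one very long, value-less line. The following is an added defender-side example, not code from any post in this thread: it parses desktop.ini text, flags [.ShellClassInfo] entries that are abnormally long or lack the usual key=value form, and can walk a tree of folders (the root path and the 256-character threshold are assumptions).

```python
import os
import re

MAX_ENTRY_LEN = 256  # assumption: legitimate entries are far shorter than this
SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")

def suspicious_entries(text, max_len=MAX_ENTRY_LEN):
    """Return (line_no, reason) tuples for odd lines inside [.ShellClassInfo]."""
    findings = []
    section = None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name").lower()
            continue
        if section != ".shellclassinfo" or not line or line.startswith(";"):
            continue  # only the section the thread discusses is inspected
        if len(line) > max_len:
            findings.append((n, "entry length %d exceeds %d" % (len(line), max_len)))
        elif "=" not in line:
            findings.append((n, "entry has no key=value form"))
    return findings

def scan_tree(root):
    """Walk root and map each odd-looking desktop.ini path to its findings."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != "desktop.ini":
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file; skip rather than abort the scan
            findings = suspicious_entries(text)
            if findings:
                hits[path] = findings
    return hits

# Constructed samples: a normal folder customisation and a padded one.
BENIGN = "[.ShellClassInfo]\nIconResource=%SystemRoot%\\system32\\shell32.dll,4\n"
PADDED = "[.ShellClassInfo]\n" + "A" * 2048 + " {x2301}\n"

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("padded", PADDED)):
        print(label, suspicious_entries(sample))
```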