Subject: Re: con\con is a old thing (anyway is cool)
From: Stephen White (swhite@OX.COMPSOC.NET)
Date: Wed Mar 08 2000 - 09:01:53 CST
- Next message: Tobias Haustein: "Re: PGP Signatures security BUG!"
- Previous message: Eric Knight: "New online publication: "Computer Vulnerabilities""
- In reply to: Ussr Labs: "con\con is a old thing (anyway is cool)"
- Next in thread: Elias Levy: "Re: con\con is a old thing (anyway is cool)"
- Reply: Stephen White: "Re: con\con is a old thing (anyway is cool)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Mon, Mar, 2000, Ussr Labs wrote:
> for: windoze 98 maybe 95 too...
> not for NT4 or win2K
>
> When we looked at the new exploit for ie that uses the image
> c:/con/con
> (http://www.zoomnet.net/~quick/error/crash.html)
>
> This can also be exploited to crash remote servers
> Look what we tried on this servU-FTP v 2.4a
> (works on any windoze 98 FTP even with anonymous or guest account)
Just to reinforce what is being said, this is the fault of some API
call in Windows 95 and 98 (not NT), and so affects many different
programs. The severity seems to vary from a recoverable BSOD to a
complete lockup.
This can be exploited by simply attempting to open a file or directory
called "con\con" (or "nul\nul") and there are many ways to achieve this:
Locally, just type "dir con\con" into an MS-DOS Prompt Window, or open
a webpage with the <IMG SRC="c:\con\con"> tag in I.E. (presumably other
browsers too).
Remotely:
Gene6 - G6 FTP Server v2.0 - login and type 'ls con/con' .. I'm sure
most Windows FTPds and possibly HTTPds can be exploited in the same way
(Sambar HTTP Server 4.3 seems safe though).
If the machine has a directory shared with the standard SMB File &
Printer Sharing (even read only shares) it can also be hit:
[stephen@eddie stephen]$ smbclient //eddie95/TEST -I 172.16.61.2
Added interface ip=172.16.61.1 bcast=172.16.61.255 nmask=255.255.255.0
Password:
smb: \> ls con\con
Sure enough Eddie95 BSODs. It is running Windows 95 OSR 2.
-- Stephen White <swhite@ox.compsoc.net>
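As an added defensive example, not part of this message or the thread: a server-side check, in Python, that refuses client-supplied paths containing a DOS device name before they reach the filesystem, run here over constructed FTP log lines (the log format and field order are assumed).

```python
import re
from typing import List

# Windows reserved device names. A path element that names one of these
# (case-insensitive, with or without an extension) is resolved as the device,
# never as a file, so "con\con" or "nul/nul" never reaches the filesystem
# and on Win9x triggers the crash described above. CLOCK$ is Win9x-era.
_RESERVED = {"CON", "PRN", "AUX", "NUL", "CLOCK$"}
_RESERVED |= {f"COM{n}" for n in range(1, 10)}
_RESERVED |= {f"LPT{n}" for n in range(1, 10)}


def is_reserved_component(component: str) -> bool:
    """True if a single path element resolves to a DOS device name."""
    # Windows ignores the extension and trailing dots/spaces: "con.txt" is CON.
    base = component.rstrip(" .").split(".", 1)[0]
    return base.upper() in _RESERVED


def has_reserved_device(path: str) -> bool:
    """True if any element of a client-supplied path names a DOS device."""
    return any(is_reserved_component(p) for p in re.split(r"[\\/]+", path) if p)


# Constructed sample FTP server log lines (not from the original post):
# date time client-ip user command path
SAMPLE_LOG = """\
2000-03-08 09:01:53 172.16.61.5 anonymous LIST con/con
2000-03-08 09:02:10 172.16.61.5 anonymous RETR pub/readme.txt
2000-03-08 09:02:41 172.16.61.7 guest CWD nul\\nul
2000-03-08 09:03:02 172.16.61.9 anonymous RETR docs/console.txt
"""


def flag_device_requests(log_text: str) -> List[str]:
    """Return the log lines whose request path touches a reserved device name."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split(maxsplit=5)
        if len(fields) < 6:
            continue  # malformed line, no path field
        if has_reserved_device(fields[5]):
            hits.append(line)
    return hits


if __name__ == "__main__":
    for line in flag_device_requests(SAMPLE_LOG):
        print("reserved device name in request:", line)
```

The same `has_reserved_device` check belongs in the server's path-handling code itself, so a request like `ls con/con` is rejected rather than passed to the OS.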