Subject: Re: con\con is a old thing (anyway is cool)
From: Elias Levy (aleph1SECURITYFOCUS.COM)
Date: Sat Mar 11 2000 - 16:43:21 CST


Summary of message on the con\con Windows issue.

Any permutation of certain DOS device names as a filename of the form
"device\device" when opened will crash Windows 95/98. Devices that
seem to trigger the bug include "con", "aux", "nul", and "clock$". So not
only will "con\con" trigger it, but so will "aux\clock$", "clock$\con",
etc.

Possible Solutions:

TechnoCraft Co.,LTD. has released a patch they claim fixes the problem.
The patch is said to work for Windows 98/95 in any language. You can find
it at http://www.a2001.com/down/concon.html (Japanese).
This fix seems to work for all affected devices, not just "con".

- download DECON01A2.EXE
- run it to extract DECON.EXE and CSAFE.VXD
- put the above two files into one folder
- put a shortcut to decon.exe into Startup folder to make it
  run whenever Windows starts.

- to stop DECON.EXE, hit Control+Alt+Delete and choose Decon.

More information from Japan at:
http://www.oct.zaq.ne.jp/yufu/browser/2000/02.en.html#26_03 (English)
http://www.oct.zaq.ne.jp/yufu/browser/2000/02.html#26_03 (Japanese)
The jp.comp.security newsgroup (Japanese)

Possible exploit vectors:

* HTML formatted web pages, email and USENET messages.
  E.g. <img SRC="file://c:/con/con">
  Tested under Netscape 4.6 on Windows 98 Second Edition.
  Email clients that render HTML messages include Outlook
  and Netscape Messenger.

* Forums that allow people to submit URLs to be displayed to others.
  E.g. web message boards.

* Web servers. E.g.
  Personal Web Server using the URL http://host/../con/con

* File sharing / SMB.
  Tested with Samba. Connect to the Windows share and "cd /con/con".
  It was pointed out that Windows 95/98 users that share printers
  also have a passwordless share called PRINTER$ which leaves them
  open to attacks via this problem. E.g.

  D:\>net use * \\192.168.0.6\PRINTER$
  Drive G: is now connected to \\192.168.0.6\PRINTER$.
  The command completed successfully.

  D:\>G:
  G:\>
  G:\>cd \CLOCK$\CLOCK$
  The specified network name is no longer available.

* FTP Servers.
  Tested and found vulnerable with WarFTPD 1.70B and G6 FTP 2.0b6.
  Login to the FTP server (as any user, even anonymous) and send the
  command "GET /con/con".

* Mail servers that store attachments as separate files while using
  the filename provided in the message. E.g. The Bat.

I am sure there are plenty of other ones.

Some people have reported their machines do not exhibit the problem.
One person commented it may only work if you are using the FAT32 file
system. Another one found his Windows 98 First Edition with most security
updates could recover from the problem and further attempts to exploit it
would fail. Another one found a Win95 (4.0.950B) box with IE 5.0 is not
vulnerable, while a Win95 (4.0.950C) box with IE 5.0 is.

Microsoft has also been aware of the problem for a long while. As it
was pointed out earlier in the thread this problem was reported last year
to the list. Microsoft did not feel the problem was important enough to
bother users with a security fix. More information about this at:
http://www.zdnet.com/zdnn/stories/news/0,4586,2458885,00.html

Contributors:

YUFU <yufui.am>
Robin Whittle <rwfirstpr.com.au>
Erwin Geirnaert <egeirnaertreference.be>
Gerardo Richarte <core.lists.bugtraqcore-sdi.com>
Zoa_Chien <zoa_chieniname.com>
"IIJIMA 'Delmonta' Hiromitsu" <L94102mail.ecc.u-tokyo.ac.jp>
Brian Eckman <eckma009tc.umn.edu>
Nick Jones <nlj21cam.ac.uk>
Knud Erik <kainegotrip.dk>
blane <blanegmx.net>
-{ David Leadbeater }- <dgldgle.freeserve.co.uk>
<agueromgrupocp.net>
Jason Staples - CNW <elliscnw.com>
LiTTlE-John <little_john80hotmail.com>

--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
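Several of the vectors in the message above (web servers, FTP servers, mail clients that save attachments under the supplied name, forums that echo URLs) share one root cause: a user-controlled path component is handed to the Windows file system without being checked against the reserved DOS device names. The following is an added example, not code from the message or from any of the products it names; it is a server-side check a defender can run on a path before it reaches the file system. The reserved set starts from the names the message lists (con, aux, nul, clock$) and adds the other device names Windows reserves (prn, com1-9, lpt1-9). The sample paths at the bottom are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Device names the message lists, plus the other DOS device names that
# Windows reserves. A path component matching one of these (even with an
# extension, e.g. "con.txt") resolves to the device, not to a file.
RESERVED_DEVICE_NAMES = (
    {"con", "aux", "nul", "clock$", "prn"}
    | {f"com{i}" for i in range(1, 10)}
    | {f"lpt{i}" for i in range(1, 10)}
)


def is_reserved_component(component: str) -> bool:
    """True if a single path component names a DOS device."""
    # Windows ignores trailing spaces and dots when resolving names.
    name = component.rstrip(" .")
    # Only the part before the first dot decides; "con.gif" is still CON.
    base = name.split(".", 1)[0]
    return base.lower() in RESERVED_DEVICE_NAMES


def has_device_name(path: str) -> bool:
    """True if any component of a (possibly URL-encoded) path is a device."""
    decoded = unquote(path)  # catches "%2Fcon%2Fcon" style encodings
    components = re.split(r"[\\/]+", decoded)  # accept both separators
    return any(is_reserved_component(c) for c in components if c)


def sanitize_filename(name: str) -> str:
    """Return a filename that cannot resolve to a device.

    Used where a name must be stored rather than rejected, e.g. an
    attachment filename taken from a message. A reserved name gets a
    leading underscore; anything else is returned unchanged.
    """
    return "_" + name if is_reserved_component(name) else name


def flag_paths(paths):
    """Return the subset of paths that a file-serving layer should refuse."""
    return [p for p in paths if has_device_name(p)]


# Constructed sample requests (hypothetical, not from the message).
SAMPLE_PATHS = [
    "/../con/con",
    "aux\\clock$",
    "/uploads/report.txt",
    "..%2Fcon%2Fcon",
    "/images/con.gif",
    "/console/readme",
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        verdict = "REJECT" if has_device_name(p) else "ok"
        print(f"{verdict:7} {p}")
```

The check is applied to every component, not just the last one, because the trigger is the "device\device" shape in the middle of a path. Decoding first matters for the web server and forum vectors, where the name arrives URL-encoded; splitting on both slash styles matters because Windows accepts either.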