Subject: Re: Securax Security Advisory: Windows98 contains a serious buffer overflow with long filenameextensions.
From: John Swensson (john@THREEBS.COM)
Date: Sat Apr 22 2000 - 17:54:41 CDT
- Next message: Su Wadlow: "Re: Securax Security Advisory: Windows98 contains a serious buffer overflow with long filenameextensions."
- Previous message: Su Wadlow: "Re: Securax Security Advisory: Windows98 contains a serious buffer overflow with long filenameextensions."
- In reply to: Ron DuFresne: "Re: Securax Security Advisory: Windows98 contains a serious buffer overflow with long filenameextensions."
- Next in thread: Su Wadlow: "Re: Securax Security Advisory: Windows98 contains a serious buffer overflow with long filenameextensions."
- Reply: John Swensson: "Re: Securax Security Advisory: Windows98 contains a serious buffer overflow with long filenameextensions."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Nothing weird under the command prompt, but when I increased the length of the
file extension and tried to delete it (this is under Win2000) I got an "Error Deleting
File or Folder" "Cannot delete _ :This network connection does not
exist."
Renaming it to something shorter allowed me to delete it. I was able to
delete it in the Command Prompt.
As far as the DOS prompt under Win98 goes, there was the same listing, and I
was also able to delete it. I was able to crash Explorer with a double
click on the file (win98).
(win2000)
C:\Documents and Settings\jupiter\Desktop>dir
Volume in drive C has no label.
Volume Serial Number is 8834-A5F6
Directory of C:\Documents and Settings\jupiter\Desktop
04/22/2000 05:15p <DIR> .
04/22/2000 05:15p <DIR> ..
04/22/2000 02:28p 1,144 test.BAT
04/22/2000 05:15p 621_.------Bufferoverflow-----------aaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaa
2 File(s) 1,765 bytes
2 Dir(s) 11,400,445,952 bytes free
(win98) dos prompt
TEST BAT 632 04-22-00 4:36p test.bat
__~1 _-- 1,948 04-22-00 4:36p
__._------Bufferoverflow-----------a
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaa
15 file(s) 213,668 bytes
13 dir(s) 853,651,456 bytes free
John Swensson
john@threebs.com
On Sat, 22 Apr 2000, Ron DuFresne wrote:
>
> Here's another question:
>
> how does a dos prompt handle such files?
>
> Thanks,
>
> Ron DuFresne
>
> On Sat, 22 Apr 2000, John Swensson wrote:
>
> > I have tested this on Win2000 , and failed to reproduce any problems.
> > I was using the server not the workstation, but that should not make a
> > difference. However I was not able to open the file with notepad or
> > wordpad, even after adding a .txt to the end of the file name. I'm
> > guessing this is just a limitation of notepad and wordpad.
> >
> >
> > On Sun, 23 Apr 2000, Thomas Dullien wrote:
> >
> > >
> > > On Sat, 22 Apr 2000 09:02:35 -0500, Ron DuFresne wrote:
> > >
> > > >Bob,
> > > >
> > > >Thanks for the info. Just what I was asking about fer sure. And then it
> > > >seems that EI is not the sole culprit in this little nasty. Has anyone
> > > >looked to see if this works on NT and or 2000?
> > >
> > > Under my NT configuration I cannot reproduce any problems :)
> > > As 2k is basically NT on DirectX I _assume_ this shouldn't produce
> > > any problems either.
> > > I have had a short look at the capability of exploiting the long filenames
> > > under 98 in the explorer. In my case, a single click will already be enough
> > > to kill it, but I assume this could vary on 95.
> > > Exploiting is gonna be a bitch as no registers point to our buffers. If you
> > > walk the stack upwards you can under certain circumstances find a
> > > pointer into the extension at ESP+0x1CC or ESP+0x1EC or the like,
> > > this could already provide us with the pointer we need. I will look at
> > > it on monday. Anyone wanna do a joint disassembly/analysis of the
> > > problem ?
> > >
> > >
> > >
> > > Thomas Dullien
> > > dullien@gmx.de
> > > Win32 Security Consultant ;-> Hire me !
> > >
> > >
> > >
> > >
> > >
> > >
> >
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> "Cutting the space budget really restores my faith in humanity. It
> eliminates dreams, goals, and ideals and lets us get straight to the
> business of hate, debauchery, and self-annihilation." -- Johnny Hart
> ***testing, only testing, and damn good at it too!***
>
> OK, so you're a Ph.D. Just don't touch anything.
>
>
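The thread above records, from the defender's side, that the problem files can be spotted from a plain directory listing: the only thing unusual about them is an extension hundreds of characters long. The following Python script is an added example written for this archive page, not code from the advisory or from any of the posters. It extracts the extension the way the listings above show it (the text after the last dot), flags names whose extension exceeds a threshold, and can walk a directory tree to find such files before a user double-clicks one in Explorer. The threshold MAX_EXT_LEN and the sample listing are assumptions constructed for the example.

```python
import os
from typing import Iterable, List, Tuple

# Threshold for "suspiciously long" extensions. This value is an assumption
# chosen for the example, not a figure from the thread: ordinary extensions
# are a handful of characters, so anything longer deserves a second look.
MAX_EXT_LEN = 16


def extension_of(name: str) -> str:
    """Return the text after the last dot of the file's base name, or ''.

    A single leading dot (".profile") is treated as part of the name rather
    than as an extension separator, which matches how most tools read it.
    """
    base = os.path.basename(name)
    if base.startswith("."):
        base = base[1:]
    dot = base.rfind(".")
    return "" if dot == -1 else base[dot + 1:]


def flag_long_extensions(names: Iterable[str],
                         max_ext_len: int = MAX_EXT_LEN) -> List[Tuple[str, int]]:
    """Return (name, extension_length) for every name whose extension is
    longer than max_ext_len. Works on plain strings, so it can be run over a
    saved `dir` listing as well as over live paths."""
    flagged = []
    for name in names:
        ext_len = len(extension_of(name))
        if ext_len > max_ext_len:
            flagged.append((name, ext_len))
    return flagged


def scan_tree(root: str, max_ext_len: int = MAX_EXT_LEN) -> List[Tuple[str, int]]:
    """Walk a directory tree and report files with over-long extensions."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        paths = (os.path.join(dirpath, f) for f in files)
        found.extend(flag_long_extensions(paths, max_ext_len))
    return found


# Constructed sample listing modelled on the one in the message above
# (the long name is rebuilt from its visible pattern, not copied verbatim).
SAMPLE_LISTING = [
    "test.BAT",
    "notes.txt",
    ".profile",
    "_." + "-" * 6 + "Bufferoverflow" + "-" * 11 + "a" * 200,
]

if __name__ == "__main__":
    for name, ext_len in flag_long_extensions(SAMPLE_LISTING):
        print(f"extension length {ext_len:4d}: {name[:50]}...")
```

Run it as a script to see the constructed listing checked; to sweep a real share, call `scan_tree(r"C:\some\folder")` from the command prompt the thread describes as the safe place to handle these files. Because `flag_long_extensions` only looks at strings, it never opens or stats the suspicious file itself.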