|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Re: Buffer overflow in Explorer.exe
From: aT4r InsaN3 (at4r
hotmail.com)
Date: Fri May 09 2003 - 06:31:31 CDT
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
think about recycler folders
a readonly directory \recycler\S-xxxxxxxxxx is created for every user in the
computer and a file called desktop.ini in that folder contains information
about the icon..
every time the explorer.exe browse a directory search for desktop.ini placed
in any subfolder and open and read that file. so, with this buffer overflow,
if you place a file in c:\test_folder when you browse c:\ explorer.exe will
crash and a few secs after will be executed again (explorer.exe will
continue crashing every time an user browse that disk).
i didnt tested other keys.
winxp also includes a feature to browse .zip files as folders.... i didnt
tested it but if an user download a .zip file with an special structure (+r
folder with a desktop.ini inside) maybe when the user tryies to browse that
zip file will crash explorer.exe too (this is only a supposition , test it
please).
regards.
Andres Tarasco Acuña
------------------------------------------------
From: Ryan Yagatich <ryanypantek.com>
To: at4r3wdesign.es
CC: vuln-devsecurityfocus.com
Subject: Re: Buffer overflow in Explorer.exe
Date: Thu, 8 May 2003 18:28:21 -0400 (EDT)
Hi,
I don't quite understand the purpose behind this code. It creates
a read only file '/aT4r[at]3WDesign.es Security/desktop.ini' with the
contents of
[.ShellClassInfo]
AAAAAAAAAAAA {x2301}
And then terminates? I don't have a windows machine available to
really explore this any, but what makes that entry in desktop.ini cause
this? Furthermore, is this issue only for that particular key or is it
generally just key/excessive parameter/missing value size that is
affected? And additionally, you mention that explorer will no longer be
able to operate when trying to browse the hard disk, but does this mean
globally, or when they try to browse the c:/ drive, or just that
particular folder?
Please send me more information about this, (even if it references
past posts that I have missed) so that I can better understand the
severity of this. Espcially since to me, I still see it as someone needing
to download and execute untrusted software which causes a system crash,
and if that were going to happen there are far worse things that can be
done besides creating a small text file.
Thanks,
Ryan Yagatich
,_____________________________________________________,
\ Ryan Yagatich supportpantek.com \
/ Pantek Incorporated (877) LINUX-FIX /
\ http://www.pantek.com/security (440) 519-1802 \
/ Are your networks secure? Are you certain? /
\___E8354282324E636DB5FF7B8A6EDED51FD02C06C68D3DB695___\
On Wed, 7 May 2003, aT4r InsaN3 wrote:
>This bug allow a malicious an attacker to execute data with privileges of
a
>user that is browsing the hard disk with explorer.
>
>tested against winxp SP1
>
>example code provided.
>
<snip>
>
> strcpy(path,"\\aT4r[at]3WDesign.es Security");
> mkdir(path);
> SetFileAttributes(path,FILE_ATTRIBUTE_READONLY);
>
> strcat(path,"\\desktop.ini");
> bof=fopen(path,"w");
> fputs("[.ShellClassInfo]\n",bof);
> memset(evil,'A',BUFF);
> fputs(evil,bof);
> fclose(bof);
<snip>
_________________________________________________________________
MSN Compras: Veinte tiendas personales abiertas todo el día.
http://www.msn.es/compras/
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]