[13720] in bugtraq


Windows Api SHGetPathFromIDList Buffer Overflow

daemon@ATHENA.MIT.EDU (Ussr Labs)
Sat Feb 5 05:10:42 2000

Message-Id:  <NCBBKFKDOLAGKIAPMILPAEGNCCAA.labs@ussrback.com>
Date:         Fri, 4 Feb 2000 17:13:27 -0300
Reply-To: Ussr Labs <labs@USSRBACK.COM>
From: Ussr Labs <labs@USSRBACK.COM>
X-To:         BUGTRAQ <bugtraq@securityfocus.com>
To: BUGTRAQ@SECURITYFOCUS.COM


Windows Api SHGetPathFromIDList Buffer Overflow

To all those people who sent email to us asking for more information about
the SHGetPathFromIDList Windows Api overflow.

Here is a more specific description of the problem. All structure
lengths, or lengths of strings, can be modified or altered and cause
whatever handles the shortcuts to crash.

SHGetPathFromIDList

Converts an item identifier list to a file system path.

BOOL SHGetPathFromIDList(
    LPCITEMIDLIST pidl,
    LPSTR pszPath
);

Parameters
pidl
Address of an item identifier list that specifies a file or directory
location relative to the root of the namespace (the desktop).
pszPath
Address of a buffer to receive the file system path. This buffer must
be at least MAX_PATH characters in size.
Return Values
Returns TRUE if successful, or FALSE otherwise.


Disassembly of a hypothetical shortcut file
Offset Bytes Contents
Header
0000 	4C 00 00 00 	L Magic value
0004 	01 04 02 00 	GUID of shortcut files
	00 00 00 00
	C0 00 00 00
	00 00 00 46
0014 	3F 00 00 00 Flags
			Has item id list
			Target is a file
			Has description string
			Has relative pathname
			Has a working directory
			Has a custom icon
0018 	20 00 00 00 	File attributes
			Archive
001C 	C0 0E 82 D5 	Time 1
	C1 20 BE 01
0024 	00 08 BF 46 	Time 2
	D5 20 BE 01
002C 	00 47 AA EC 	Time 3
	EC 15 BE 01
0034 	A0 86 00 00 	File length is 34464 bytes. 86A0h
0038 	05 00 00 00 	Icon number 5
003C 	01 00 00 00 	Normal window
0040 	46 06 00 00 	Ctrl-Alt-F hotkey
0044 	00 00 00 00 	Always zero, unknown/reserved
0048 	00 00 00 00 	Always zero, unknown/reserved
			Item Id List
004C 	2A 00 		Size of item id list
			First item
004E 	28 00 		Length of first item
0050 	32 00 		???
0052 	A0 86 00 00 	File length
0056 	76 25 71 3E 	???
005A 	20 00 		File attributes?
005C 	62 65 73 74 5F 37 	best_773.mid Long name
	37 33 2E 6D 69 64
	00 		Null terminator
0069 	42 45 53 54 5F 37 	BEST_773.MID Short name
	37 33 2E 4D 49 44
	00 		Null terminator
			Last item
0076 	00 00 		Zero length value
File location info
0078 	74 00 00 00 	Structure length
007C 	1C 00 00 00 	Offset past last item in structure
0080 	03 00 00 00 	Flags
			Local volume
			Network volume
0084 	1C 00 00 00 	Offset of local volume table
0088 	34 00 00 00 	Offset of local path string
008C 	40 00 00 00 	Offset of network volume table
0090 	5F 00 00 00 	Offset of final path string
Local volume table
0094 	18 00 00 00 	Length of local volume table
0098 	03 00 00 00 	Fixed disk
009C 	D0 07 33 3A 	Volume serial number 3A33-07D0
00A0 	10 00 00 00 	Offset to volume label
00A4 	44 52 49 56 45 20 	DRIVE C,0
	43 00
00AC 	43 3A 5C 57 49 4E 	C:\WINDOWS\ local path string
	44 4F 57 53 5C 00
Network volume table
00B8 	1F 00 00 00 	Length of network volume table
00BC 	02 00 00 00 	???
00C0 	14 00 00 00 	Offset of share name
00C4 	00 00 00 00 	???
00C8 	00 00 02 00 	???
00CC 	5C 5C 4A 45 53 53 	\\JESSE\WD,0 Share name
	45 5C 57 44 00
00D7 	44 65 73 6B 74 6F 	Desktop\best_773.mid,0
	70 5C 62 65 73 74 	Final path name
	5F 37 37 33 2E 6D
	69 64 00
Description string
00EC 	12 00 		Length of string
00EE 	42 65 73 74 20 37 	Best 773 midi file
	37 33 20 6D 69 64
	69 20 66 69 6C 65
Relative path
0100 	0E 00 Length of string
0102 	2E 5C 62 65 73 74 .\best_773.mid
	5F 37 37 33 2E 6D
	69 64
Working directory
0114 	12 00 Length of string
0116 	43 3A 5C 57 49 4E C:\WINDOWS\Desktop
	44 4F 57 53 5C 44
	65 73 6B 74 6F 70
Command line arguments
0128 	06 00
012A 	2F 63 6C 6F 73 65 /close
Icon file
0130 	16 00 	Length of string
0132 	43 3A 5C 57 49 4E C:\WINDOWS\Mplayer.exe
	44 4F 57 53 5C 4D
	70 6C 61 79 65 72
	2E 65 78 65
Ending stuff
0148 	00 00 00 00 	Length 0 - no more stuff

The target is located at: C:\WINDOWS\Desktop\best_773.mid
The windows directory is shared as: \\JESSE\WD
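As an added example (not part of the original post and not USSR Labs' code), the following Python walks the item ID list from the dump above and checks every length field against the bytes actually present before trusting it, which is the consistency check the post says the shortcut handler lacks. The 12-byte fixed prefix before an item's two names is an assumption read off the dump, not a documented layout.

```python
import struct
MAX_PATH = 260  # SHGetPathFromIDList assumes pszPath holds this many characters
# Item ID list from the dump above (offsets 004C-0077): WORD list size, one
# SHITEMID (cb=0x28 followed by its abID bytes) and the 2-byte terminator.
GOOD_IDLIST = (bytes.fromhex("2a00" "2800" "3200" "a0860000" "7625713e" "2000")
               + b"best_773.mid\0BEST_773.MID\0" + b"\0\0")

def walk_idlist(blob):
    """Validate a serialized ITEMIDLIST and return each item's abID bytes; every
    length field is checked against the bytes present before it is trusted."""
    if len(blob) < 4:
        raise ValueError("truncated: no size word and terminator")
    (declared,) = struct.unpack_from("<H", blob, 0)
    body = blob[2:]
    if declared > len(body):
        raise ValueError(f"list size {declared} exceeds {len(body)} bytes present")
    items, pos = [], 0
    while True:
        if pos + 2 > declared:
            raise ValueError("list ends without a zero-length terminator")
        (cb,) = struct.unpack_from("<H", body, pos)
        if cb == 0:
            break
        if cb < 2 or pos + cb > declared:
            raise ValueError(f"item at +{pos} claims cb={cb}, {declared - pos} bytes left")
        items.append(body[pos + 2:pos + cb])
        pos += cb
    if pos + 2 != declared:
        raise ValueError(f"declared size {declared} != walked size {pos + 2}")
    return items

def is_well_formed(blob):
    try:
        walk_idlist(blob)
        return True
    except ValueError:
        return False

def file_item_long_name(ab_id):
    """Long name of a file item as laid out in the dump: a 12-byte prefix (type word,
    size, date/time, attributes), then two NUL-terminated names (assumed, not documented)."""
    names = ab_id[12:].split(b"\0")
    if len(names) < 3 or not names[0]:
        raise ValueError("file item lacks its NUL-terminated names")
    return names[0].decode("latin-1")

def path_fits_max_path(blob, root="C:\\"):
    """Join the items' long names under root; report whether the C string fits pszPath."""
    path = root + "\\".join(file_item_long_name(ab) for ab in walk_idlist(blob))
    return path, len(path) + 1 <= MAX_PATH
```

A handler that passes a pidl to SHGetPathFromIDList only after such a walk, and only when the joined path fits MAX_PATH, rejects the altered-length files the post describes instead of crashing on them.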


Note: This overflow does not work under win2k

u n d e r g r o u n d  s e c u r i t y  s y s t e m s  r e s e a r c h
http://www.ussrback.com


