[14220] in bugtraq


Re: con\con is a old thing (anyway is cool)

daemon@ATHENA.MIT.EDU (Stephen White)
Thu Mar 9 01:37:12 2000

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id:  <20000308150153.E24727@eddie.foo>
Date:         Wed, 8 Mar 2000 15:01:53 +0000
Reply-To: Stephen White <swhite@OX.COMPSOC.NET>
From: Stephen White <swhite@OX.COMPSOC.NET>
X-To:         BUGTRAQ@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <NCBBKFKDOLAGKIAPMILPCENECCAA.labs@ussrback.com>; from
              labs@USSRBACK.COM on Mon, Mar 06, 2000 at 02:46:44PM -0300

On Mon, Mar, 2000, Ussr Labs wrote:
> for: windoze 98 maybe 95 too...
> not for NT4 or win2K
>
> When we looked at the new exploit for ie that uses the image
> c:/con/con
> (http://www.zoomnet.net/~quick/error/crash.html)
>
> This can also be exploited to crash remote servers
> Look what we tried on this servU-FTP v 2.4a
> (works on any windoze 98 FTP even with anonymous or guest account)

Just to reinforce what is being said, this is the fault of some API
call in Windows 95 and 98 (not NT), and so affects many different
programs.  The severity seems to vary from a recoverable BSOD to a
complete lockup.

This can be exploited by simply attempting to open a file or directory
called "con\con" (or "nul\nul") and there are many ways to achieve this:

Locally, just type "dir con\con" into an MS-DOS Prompt window, or open
a webpage with the <IMG SRC="c:\con\con"> tag in I.E. (presumably other
browsers too).

Remotely:

Gene6 - G6 FTP Server v2.0 - log in and type 'ls con/con' .. I'm sure
most Windows FTPds and possibly HTTPds can be exploited in the same way
(Sambar HTTP Server 4.3 seems safe though).

If the machine has a directory shared with the standard SMB File &
Printer Sharing (even read only shares) it can also be hit:

[stephen@eddie stephen]$ smbclient //eddie95/TEST -I 172.16.61.2
Added interface ip=172.16.61.1 bcast=172.16.61.255 nmask=255.255.255.0
Password:
smb: \> ls con\con

Sure enough Eddie95 BSODs.  It is running Windows 95 OSR 2.

--
Stephen White <swhite@ox.compsoc.net>

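An added, defender-side example (not part of Stephen White's post or of any server named above): a Python check that a file server running on Windows could apply to client-supplied paths, rejecting any component that resolves to a DOS device name (CON, NUL, PRN, AUX, COM1-9, LPT1-9), which covers the nested con\con and nul\nul forms the post describes. The device-name list, the separator handling and the sample paths are the editor's assumptions.

```python
import re

# DOS device names that Win32 resolves in any path component, whatever
# directory prefix precedes them. CLOCK$ is a DOS-era device kept for the
# Win9x case. Nesting one under another ("con\con", "nul\nul") is the
# pattern that crashed Windows 95/98.
RESERVED_DEVICE_NAMES = frozenset(
    ["CON", "PRN", "AUX", "NUL", "CLOCK$"]
    + [f"COM{i}" for i in range(1, 10)]
    + [f"LPT{i}" for i in range(1, 10)]
)


def _base_name(component: str) -> str:
    # Windows matches the device name before the first dot ("con.txt" is
    # still CON) and ignores trailing spaces and dots ("nul " is still NUL).
    return component.split(".", 1)[0].rstrip(" .").upper()


def reserved_components(path: str) -> list[str]:
    """Return every path component that names a DOS device (case-insensitive).

    Both '\\' and '/' are accepted as separators, as Win32 does, so that
    'ls con/con' from an FTP client is caught as well as 'dir con\\con'.
    """
    components = [c for c in re.split(r"[\\/]+", path) if c]
    return [c for c in components if _base_name(c) in RESERVED_DEVICE_NAMES]


def is_safe_client_path(path: str) -> bool:
    """True only when no component of a client-supplied path touches a device."""
    return not reserved_components(path)


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the original post.
    samples = [r"con\con", "nul/nul", r"c:\con\con", "pub/readme.txt",
               "COM1.log", "console.txt", "com10.txt"]
    for p in samples:
        print(f"{p!r:20} safe={is_safe_client_path(p)} hits={reserved_components(p)}")
```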