[15078] in bugtraq
Buffer Overflows with long file extensions in Windows
daemon@ATHENA.MIT.EDU (Moritz Jodeit)
Fri May 26 15:43:23 2000
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-Id: <23988.959321852@www2.gmx.net>
Date: Fri, 26 May 2000 08:17:32 +0200
Reply-To: Moritz Jodeit <mjodeit@GMX.DE>
From: Moritz Jodeit <mjodeit@GMX.DE>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
There is a buffer overflow in how Windows handles files which have a very
long file extension. In Windows 98, I created the following file:
"x.xxxxxxxx[225 more x's]". If you hover the mouse over the file for a second, you get a
general protection fault in the EXPLORER process. EAX, EIP and EBP are
overwritten with the x-values. I'm not aware that this could be
remotely exploited. This was tested on Windows 98 4.10.1998. Windows 2000 seems
to have a similar bug. If you create the above file and make a copy of it in
the same directory, so that it gets the name "Copy of ...", there is a
buffer overflow there, too. I tested this on Windows 2000 Professional 5.00.2195.
If you try this in Windows 98, you get a general protection fault in module
SHELL32.DLL, and EAX and ESI are overwritten with the x-values. In Windows 95,
there is the same problem as in Windows 98. I didn't have the chance to
test this on NT, but it should work there as well.
--
Moritz Jodeit
http://jodeit.exit.de
Sent through GMX FreeMail - http://www.gmx.net
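The registers filled with x's point to an extension copied into a fixed-size buffer without a length check. The C below is an added illustration, not code from the post or from Windows: it shows how an extension parser can bound that copy and reject an overlong name outright. EXT_MAX, the function names and the 233-character constructed file name are assumptions; the real shell32 buffer size is not known from the post.

```c
#include <stdio.h>
#include <string.h>
#define EXT_MAX 16   /* assumed extension buffer size; shell32's is unknown */

/* Text after the last '.', or NULL when there is no extension
 * (no dot, a leading dot as in ".profile", or a trailing dot). */
static const char *find_ext(const char *name)
{
    const char *dot = strrchr(name, '.');
    if (dot == NULL || dot == name || dot[1] == '\0')
        return NULL;
    return dot + 1;
}

/* Copy the extension of name into dst (dstsz bytes). Returns its length,
 * 0 if there is none, or -1 if it would not fit; dst is never written
 * past its end, so a rejected name cannot corrupt neighbouring memory. */
int copy_extension(char *dst, size_t dstsz, const char *name)
{
    const char *ext = find_ext(name);
    size_t len = ext ? strlen(ext) : 0;
    if (len >= dstsz) return -1;            /* the bound an unchecked strcpy() lacks */
    memcpy(dst, ext ? ext : "", len + 1);   /* includes the NUL terminator */
    return (int)len;
}

/* Check one name against a fixed EXT_MAX buffer, as a listing scanner would. */
int check_name(const char *name)
{
    char ext[EXT_MAX];
    return copy_extension(ext, sizeof ext, name);
}

/* Constructed name from the post: "x." followed by 233 x's (8 + 225). */
const char *long_name(void)
{
    static char name[2 + 233 + 1];
    memcpy(name, "x.", 2);
    memset(name + 2, 'x', 233);
    name[2 + 233] = '\0';
    return name;
}

int main(void)
{
    printf("report.txt -> %d\n", check_name("report.txt"));   /* 3 */
    printf("%zu-char name -> %d\n", strlen(long_name()), check_name(long_name()));
    return 0;
}
```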