Bugtraq mailing list archives

Re: con\con is an old thing (anyway is cool)


From: swhite () OX COMPSOC NET (Stephen White)
Date: Wed, 8 Mar 2000 15:01:53 +0000


On Mon, Mar, 2000, Ussr Labs wrote:
> for: windoze 98 maybe 95 too...
> not for NT4 or win2K
>
> When we looked at the new exploit for ie that uses the image
> c:/con/con
> (http://www.zoomnet.net/~quick/error/crash.html)
>
> This can also be exploited to crash remote servers
> Look what we tried on this servU-FTP v 2.4a
> (works on any windoze 98 FTP even with anonymous or guest account)

Just to reinforce what is being said, this is the fault of some API
call in Windows 95 and 98 (not NT), and so affects many different
programs.  The severity seems to vary from a recoverable BSOD to a
complete lockup.

This can be exploited by simply attempting to open a file or directory
called "con\con" (or "nul\nul") and there are many ways to achieve this:

Locally, just type "dir con\con" into an MS-DOS Prompt Window, or open
a webpage with the <IMG SRC="c:\con\con"> tag in I.E. (presumably other
browsers too).

Remotely:

Gene6 - G6 FTP Server v2.0 - login and type 'ls con/con' .. I'm sure
most Windows FTPds and possibly HTTPds can be exploited in the same way
(Sambar HTTP Server 4.3 seems safe though).

If the machine has a directory shared with the standard SMB File &
Printer Sharing (even read only shares) it can also be hit:

[stephen@eddie stephen]$ smbclient //eddie95/TEST -I 172.16.61.2
Added interface ip=172.16.61.1 bcast=172.16.61.255 nmask=255.255.255.0
Password:
smb: \> ls con\con

Sure enough Eddie95 BSODs.  It is running Windows 95 OSR 2.

--
Stephen White <swhite () ox compsoc net>
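As an added illustration of the mitigation side (this is not code from the post or from any of the servers named in it): a check that a file or FTP server running on Win9x could apply to a client-supplied path before handing it to the filesystem. It generalizes from the con and nul cases in the post to the full documented set of DOS device names, and it treats a reserved name with an extension (e.g. "con.txt") as reserved, which is how Windows resolves it. The server handler `handle_list` is a hypothetical sketch.

```python
import re
from typing import List

# Reserved MS-DOS device names. Windows resolves these in any path
# component, case-insensitively, and ignores any extension on the stem,
# so "c:\con\con", "CON.txt" and "nul/nul" all refer to a device rather
# than a file. The post names con and nul; the remaining names are the
# documented Win32 reserved set, added here for completeness.
_RESERVED = {"CON", "PRN", "AUX", "NUL"}
_RESERVED |= {f"COM{i}" for i in range(1, 10)}
_RESERVED |= {f"LPT{i}" for i in range(1, 10)}

# Both separators count: clients in the post used "con\con" and "con/con".
_SEP = re.compile(r"[\\/]+")


def reserved_components(path: str) -> List[str]:
    """Return every component of `path` that names a DOS device."""
    hits = []
    for comp in _SEP.split(path):
        # Windows strips trailing dots and spaces before name matching.
        name = comp.rstrip(". ")
        # Skip a drive designator such as "c:".
        if len(name) == 2 and name[1] == ":" and name[0].isalpha():
            continue
        stem = name.split(".", 1)[0].upper()
        if stem in _RESERVED:
            hits.append(comp)
    return hits


def is_safe_path(path: str) -> bool:
    """True when no component of `path` is a reserved device name."""
    return not reserved_components(path)


def handle_list(path: str) -> str:
    """Hypothetical FTP LIST/ls handler: refuse the request before the
    operating system ever sees the path, instead of crashing on it."""
    if not is_safe_path(path):
        return "550 Path contains a reserved device name"
    return "150 Opening directory listing"


if __name__ == "__main__":
    # Constructed sample inputs, including the ones quoted in the thread.
    for p in ("con\\con", "c:/con/con", "nul/nul", "CON.txt", "docs/readme.txt"):
        print(f"{p!r:20} -> {handle_list(p)}")
```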