Bugtraq mailing list archives
Re: con\con is a old thing (anyway is cool)
From: swhite () OX COMPSOC NET (Stephen White)
Date: Wed, 8 Mar 2000 15:01:53 +0000
On Mon, Mar, 2000, Ussr Labs wrote:
For: windoze 98, maybe 95 too... not for NT4 or win2K.

When we looked at the new exploit for IE that uses the image c:/con/con (http://www.zoomnet.net/~quick/error/crash.html), this can also be exploited to crash remote servers. Look what we tried on this servU-FTP v2.4a (works on any windoze 98 FTP, even with an anonymous or guest account).
Just to reinforce what is being said, this is the fault of some API call in Windows 95 and 98 (not NT), and so affects many different programs. The severity seems to vary from a recoverable BSOD to a complete lockup.

This can be exploited by simply attempting to open a file or directory called "con\con" (or "nul\nul"), and there are many ways to achieve this:

Locally: just type "dir con\con" into an MS-DOS Prompt Window, or open a webpage with the <IMG SRC="c:\con\con"> tag in I.E. (presumably other browsers too).

Remotely: Gene6 - G6 FTP Server v2.0 - login and type 'ls con/con'. I'm sure most Windows FTPds and possibly HTTPds can be exploited in the same way (Sambar HTTP Server 4.3 seems safe though).

If the machine has a directory shared with the standard SMB File & Printer Sharing (even read-only shares) it can also be hit:

[stephen@eddie stephen]$ smbclient //eddie95/TEST -I 172.16.61.2
Added interface ip=172.16.61.1 bcast=172.16.61.255 nmask=255.255.255.0
Password:
smb: \> ls con\con

Sure enough, Eddie95 BSODs. It is running Windows 95 OSR 2.

--
Stephen White <swhite () ox compsoc net>
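The common factor in every trigger above is a server or client handing a path with a DOS device name in one of its components straight to the Windows file API. The server-side mitigation is to reject such paths before they reach the OS. The following Python check is an added example, not code from this post or from any of the servers named in it. It goes beyond the two names the thread mentions: it assumes the documented Windows reserved list (CON, PRN, AUX, NUL, COM1-9, LPT1-9) and the documented matching rules that the comparison is case-insensitive, that "con.txt" still resolves to CON, and that trailing spaces and dots are ignored. The FTP command lines at the bottom are constructed sample input, not a capture from the thread.

```python
import re
from typing import List, Optional, Tuple

# Reserved MS-DOS device names. Assumption: the documented Windows list,
# wider than the CON and NUL actually named in the thread.
RESERVED_DEVICE_NAMES = frozenset(
    ["CON", "PRN", "AUX", "NUL"]
    + [f"COM{i}" for i in range(1, 10)]
    + [f"LPT{i}" for i in range(1, 10)]
)

# Both separators are split on: the thread shows con\con and con/con working.
_SEPARATORS = re.compile(r"[\\/]+")


def device_name_of(component: str) -> Optional[str]:
    """Return the device a single path component resolves to, or None.

    Windows matches device names case-insensitively, treats "con.txt" as CON
    (everything after the first dot is ignored) and ignores trailing spaces
    and dots, so those spellings are normalised before the lookup.
    """
    base = component.rstrip(" .").split(".", 1)[0].strip().upper()
    return base if base in RESERVED_DEVICE_NAMES else None


def find_reserved_components(path: str) -> List[str]:
    """List every component of `path` that names a DOS device, in order."""
    hits: List[str] = []
    for component in _SEPARATORS.split(path):
        name = device_name_of(component)
        if name is not None:
            hits.append(name)
    return hits


def is_safe_path(path: str) -> bool:
    """True when no component of `path` would be opened as a device."""
    return not find_reserved_components(path)


def triage_ftp_commands(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (command, devices) for each FTP command whose path argument
    contains a reserved device name. Only commands that take a path are
    inspected; the rest (USER, PASS, ...) carry no file name to check."""
    path_commands = {"LIST", "NLST", "RETR", "STOR", "CWD", "DELE", "MKD", "RMD"}
    flagged: List[Tuple[str, List[str]]] = []
    for line in lines:
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0].upper() in path_commands:
            devices = find_reserved_components(parts[1])
            if devices:
                flagged.append((line.strip(), devices))
    return flagged


# Constructed sample of client commands, not a capture from the post.
SAMPLE_COMMANDS = [
    "USER anonymous",
    "CWD /pub",
    "LIST con/con",
    "RETR readme.txt",
    "RETR uploads\\CON.txt",
    "NLST nul\\nul",
    "CWD console",
]

if __name__ == "__main__":
    for cmd, devices in triage_ftp_commands(SAMPLE_COMMANDS):
        print(f"reject {cmd!r}: device name(s) {devices}")
```

The check deliberately looks at each component rather than the whole string, so a legitimate directory such as "console" passes while "CON.txt" inside an otherwise harmless upload path is refused; the same function can sit in front of an HTTP file handler or an SMB share gateway, since the fault is in the path the OS is asked to open, not in the protocol that delivered it.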
Current thread:
- con\con is a old thing (anyway is cool) Ussr Labs (Mar 06)
- Re: con\con is a old thing (anyway is cool) Stephen White (Mar 08)
- Realplayer update pedward () WEBCOM COM (Mar 09)
- Re: con\con is a old thing (anyway is cool) Elias Levy (Mar 11)
- Re: con\con is a old thing (anyway is cool) YUFU (Mar 11)
- <Possible follow-ups>
- Re: con\con is a old thing (anyway is cool) Oliver Friedrichs (Mar 15)
- Re: con\con is a old thing (anyway is cool) Bernd Luevelsmeyer (Mar 17)
- Re: con\con is a old thing (anyway is cool) David LeBlanc (Mar 17)
- Verified PIX vulnerability to FTP-Pasv attack. monti (Mar 19)