Bugtraq mailing list archives
Re: con\con is a old thing (anyway is cool)
From: aleph1 () SECURITYFOCUS COM (Elias Levy)
Date: Sat, 11 Mar 2000 14:43:21 -0800
Summary of message on the con\con Windows issue.

Any permutation of certain DOS device names as a filename of the form "device\device" when opened will crash Windows 95/98. Devices that seem to trigger the bug include "con", "aux", "nul", and "clock$". So not only will "con\con" trigger it, but so will "aux\clock$", "clock$\con", etc.

Possible Solutions:

TechnoCraft Co.,LTD. has released a patch they claim fixes the problem. The patch is said to work for Windows 98/95 in any language. You can find it at http://www.a2001.com/down/concon.html (Japanese). This fix seems to work for all affected devices, not just "con".

- download DECON01A2.EXE
- run it to extract DECON.EXE and CSAFE.VXD
- put the above two files into one folder
- put a shortcut to decon.exe into the Startup folder to make it run whenever Windows starts.
- to stop DECON.EXE, hit Control+Alt+Delete and choose Decon.

More information from Japan at:

http://www.oct.zaq.ne.jp/yufu/browser/2000/02.en.html#26_03 (English)
http://www.oct.zaq.ne.jp/yufu/browser/2000/02.html#26_03 (Japanese)
The jp.comp.security newsgroup (Japanese)

Possible exploit vectors:

* HTML formatted web pages, email and USENET messages. E.g.

  <img SRC="file://c:/con/con">

  Tested under Netscape 4.6 on Windows 98 Second Edition. Email clients that render HTML messages include Outlook and Netscape Messenger.

* Forums that allow people to submit URLs to be displayed to others. E.g. web message boards.

* Web servers. E.g. Personal Web Server using the URL http://host/../con/con

* File sharing / SMB. Tested with Samba. Connect to the Windows share and "cd /con/con".

  It was pointed out that Windows 95/98 users that share printers also have a passwordless share called PRINTER$ which leaves them open to attacks via this problem. E.g.

  D:\>net use * \\192.168.0.6\PRINTER$
  Drive G: is now connected to \\192.168.0.6\PRINTER$.

  The command completed successfully.

  D:\>G:

  G:\>
  G:\>cd \CLOCK$\CLOCK$
  The specified network name is no longer available.

* FTP Servers. Tested and found vulnerable with WarFTPD 1.70B and G6 FTP 2.0b6. Login to the FTP server (as any user, even anonymous) and send the command "GET /con/con".

* Mail servers that store attachments as separate files while using the filename provided in the message. E.g. The Bat.

I am sure there are plenty of other ones.

Some people have reported their machines do not exhibit the problem. One person commented it may only work if you are using the FAT32 file system. Another one found his Windows 98 First Edition with most security updates could recover from the problem and further attempts to exploit it would fail. Another one found a Win95 (4.0.950B) box with IE 5.0 is not vulnerable, while a Win95 (4.0.950C) box with IE 5.0 is.

Microsoft has also been aware of the problem for a long while. As was pointed out earlier in the thread, this problem was reported last year to the list. Microsoft did not feel the problem was important enough to bother users with a security fix. More information about this at:

http://www.zdnet.com/zdnn/stories/news/0,4586,2458885,00.html

Contributors:

YUFU <yufu () i am>
Robin Whittle <rw () firstpr com au>
Erwin Geirnaert <egeirnaert () reference be>
Gerardo Richarte <core.lists.bugtraq () core-sdi com>
Zoa_Chien <zoa_chien () iname com>
"IIJIMA 'Delmonta' Hiromitsu" <L94102 () mail ecc u-tokyo ac jp>
Brian Eckman <eckma009 () tc umn edu>
Nick Jones <nlj21 () cam ac uk>
Knud Erik <kain () egotrip dk>
blane <blane () gmx net>
-{ David Leadbeater }- <dgl () dgle freeserve co uk>
<aguerom () grupocp net>
Jason Staples - CNW <ellis () cnw com>
LiTTlE-John <little_john80 () hotmail com>

--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
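The message lists several server-side vectors (FTP servers, web servers, mail servers that store attachments under the client-supplied filename) that all share one root cause: an untrusted path component naming a DOS device is handed to the file system unchanged. The following is an added example, not code from the post or from any of the products it names, of the input check a server on an affected platform would apply before touching the file system. It goes beyond the four device names the message lists ("con", "aux", "nul", "clock$") by also including PRN, COM1-9 and LPT1-9, which Windows documents as reserved, and it assumes the Windows rule that a name keeps its device meaning when an extension or trailing dots and spaces are appended ("con.txt" still resolves to CON). Function names and the sample inputs are the author's own.

```python
import re

# Reserved DOS device names: the four from the post plus the other names
# Windows documents as reserved (assumption: PRN, COM1-9, LPT1-9).
RESERVED_DEVICE_NAMES = frozenset(
    ["con", "aux", "nul", "clock$", "prn"]
    + [f"com{i}" for i in range(1, 10)]
    + [f"lpt{i}" for i in range(1, 10)]
)

# Accept either separator, since both "/con/con" and "con\con" reach the
# file system as the same path on Windows.
_SEPARATORS = re.compile(r"[\\/]+")


def _device_base(component: str) -> str:
    """Reduce one path component to the name Windows would match against a device.

    Trailing dots and spaces are ignored by Windows, and anything after the
    first dot is an extension that does not change the device lookup, so
    "CON.txt" and "con   " both reduce to "con".
    """
    stripped = component.rstrip(" .")
    base = stripped.split(".", 1)[0]
    return base.rstrip(" ").lower()


def reserved_components(path: str) -> list:
    """Return every component of an untrusted path that names a DOS device.

    A single hit is enough to reject the path; the "device\\device" form from
    the post simply yields two hits.
    """
    hits = []
    for component in _SEPARATORS.split(path):
        if component and _device_base(component) in RESERVED_DEVICE_NAMES:
            hits.append(component)
    return hits


def is_safe_filename(path: str) -> bool:
    """True when no component of the path would be resolved as a device."""
    return not reserved_components(path)


def safe_attachment_name(untrusted_name: str) -> str:
    """Derive a storage name for a client-supplied attachment filename.

    This is the defensive counterpart to the mail-server vector in the post:
    keep only the last path component (dropping any "../" or "con/" prefix),
    fall back to a fixed name when nothing usable remains, and prefix a
    device name with an underscore so "con" is stored as "_con".
    """
    parts = [p for p in _SEPARATORS.split(untrusted_name) if p not in ("", ".", "..")]
    if not parts:
        return "attachment"
    leaf = parts[-1]
    if _device_base(leaf) in RESERVED_DEVICE_NAMES:
        return "_" + leaf
    return leaf


if __name__ == "__main__":
    # Constructed sample inputs modelled on the vectors in the post.
    for sample in ["con\\con", "aux\\clock$", "/con/con", "http://host/../con/con",
                   "report.txt", "CON.txt", "console.log"]:
        print(f"{sample!r:32} reserved={reserved_components(sample)}")
    print(safe_attachment_name("..\\con\\con"))  # _con
```

Rejecting (or renaming) at the path-component level, rather than only checking the leaf name, matters because the crash is triggered by a device name appearing anywhere in the path, as the "GET /con/con" and "cd \CLOCK$\CLOCK$" examples show.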
Current thread:
- con\con is a old thing (anyway is cool) Ussr Labs (Mar 06)
- Re: con\con is a old thing (anyway is cool) Stephen White (Mar 08)
- Realplayer update pedward () WEBCOM COM (Mar 09)
- Re: con\con is a old thing (anyway is cool) Elias Levy (Mar 11)
- Re: con\con is a old thing (anyway is cool) YUFU (Mar 11)
- <Possible follow-ups>
- Re: con\con is a old thing (anyway is cool) Oliver Friedrichs (Mar 15)
- Re: con\con is a old thing (anyway is cool) Bernd Luevelsmeyer (Mar 17)
- Re: con\con is a old thing (anyway is cool) David LeBlanc (Mar 17)
- Verified PIX vulnerability to FTP-Pasv attack. monti (Mar 19)