Vulnerability Development mailing list archives
Re: Securax Security Advisory: Windows98 contains a serious buffer overflow with long filenameextensions.
From: john () THREEBS COM (John Swensson)
Date: Sat, 22 Apr 2000 15:54:41 -0700
Nothing weird under the command prompt, but when I increased the length of the file extension and tried to delete it (this is under Win2000) I got an "Error Deleting File or Folder" "Cannot delete _: This network connection does not exist." Renaming it to something shorter allowed me to delete it. I was able to delete it in the Command Prompt. As far as the DOS prompt under Win98, there was the same listing, and I was also able to delete it. I was able to crash Explorer with a double click on the file (Win98).

(Win2000)

C:\Documents and Settings\jupiter\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is 8834-A5F6

 Directory of C:\Documents and Settings\jupiter\Desktop

04/22/2000  05:15p      <DIR>          .
04/22/2000  05:15p      <DIR>          ..
04/22/2000  02:28p               1,144 test.BAT
04/22/2000  05:15p                 621 _.------Bufferoverflow-----------aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
               2 File(s)          1,765 bytes
               2 Dir(s)  11,400,445,952 bytes free

(Win98) DOS prompt

TEST     BAT           632  04-22-00   4:36p test.bat
__~1     _--         1,948  04-22-00   4:36p __._------Bufferoverflow-----------aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
        15 file(s)        213,668 bytes
        13 dir(s)    853,651,456 bytes free

John Swensson
john () threebs com

On Sat, 22 Apr 2000, Ron DuFresne wrote:
Here's another question: how does a DOS prompt handle such files?

Thanks,

Ron DuFresne

On Sat, 22 Apr 2000, John Swensson wrote:

I have tested this on Win2000, and failed to reproduce any problems. I was using the server, not the workstation, but that should not make a difference. However, I was not able to open the file with Notepad or WordPad, even after adding a .txt to the end of the file name. I'm guessing this is just a limitation of Notepad and WordPad.

On Sun, 23 Apr 2000, Thomas Dullien wrote:

On Sat, 22 Apr 2000 09:02:35 -0500, Ron DuFresne wrote:

Bob,

Thanks for the info. Just what I was asking about fer sure. And then it seems that IE is not the sole culprit in this little nasty. Has anyone looked to see if this works on NT and/or 2000?

Under my NT configuration I cannot reproduce any problems :) As 2k is basically NT on DirectX I _assume_ this shouldn't produce any problems either.

I have had a short look at the capability of exploiting the long filenames under 98 in the Explorer. In my case, a single click will already be enough to kill it, but I assume this could vary on 95. Exploiting is gonna be a bitch as no registers point to our buffers. If you walk the stack upwards you can under certain circumstances find a pointer into the extension at ESP+0x1CC or ESP+0x1EC or the like; this could already provide us with the pointer we need. I will look at it on Monday. Anyone wanna do a joint disassembly/analysis of the problem?

Thomas Dullien
dullien () gmx de
Win32 Security Consultant ;-> Hire me!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart

***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.
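The stack walk Thomas Dullien describes in the message above (no register points at the oversized extension, so one scans upward from ESP for a stack word that does), as an added example that is not part of the thread and is not code from any of its authors. It is a self-contained harness, not Win98 Explorer: a caller plants a pointer to a constructed 256-byte "extension" buffer in its own frame, and a callee walks the stack toward higher addresses until it finds a word whose value lies inside that buffer. The names (`scan_stack_for_pointer`, `plant_pointer_and_scan`), the buffer length and the scan limit are assumptions; it assumes gcc or clang on a mainstream ABI with a downward-growing stack, and the offset it reports is whatever that compiler produces, not the 0x1CC/0x1EC seen on Win98.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the thread. Assumed parameters: a 256-byte
 * "extension" and a scan limit of 512 machine words (4 KiB on x86-64). */
#define EXT_LEN 256
#define MAX_SCAN_WORDS 512

/* Walk the stack upward from a local in this frame (our stand-in for
 * ESP) and return the byte offset of the first word whose value points
 * into [buf, buf+len), or -1 if none is found within MAX_SCAN_WORDS.
 * Reading past our own frame is the whole point, so the reads are done
 * through a volatile pointer to keep the compiler from reasoning about
 * them; this is a probing harness, not portable C. */
__attribute__((noinline))
static long scan_stack_for_pointer(const char *buf, size_t len)
{
    volatile uintptr_t anchor = 0;             /* lowest word we look at */
    const volatile uintptr_t *sp = &anchor;
    uintptr_t lo = (uintptr_t)buf, hi = lo + len;

    for (size_t i = 0; i < MAX_SCAN_WORDS; i++) {
        uintptr_t v = sp[i];
        if (v >= lo && v < hi)                 /* word points into the buffer */
            return (long)(i * sizeof(uintptr_t));
    }
    return -1;
}

/* Simulate the victim side: a frame that keeps a pointer to the
 * oversized extension in a stack slot (as a parser's local would), then
 * calls down into the scanner. Returns the offset the scan found. */
__attribute__((noinline))
long plant_pointer_and_scan(void)
{
    static char ext[EXT_LEN];                  /* constructed "extension" */
    memset(ext, 'a', sizeof ext - 1);
    ext[sizeof ext - 1] = '\0';

    volatile const char *slot = ext;           /* the stack word we hope to find */
    long off = scan_stack_for_pointer(ext, sizeof ext);
    (void)slot;                                /* keep the slot alive across the call */
    return off;
}

int main(void)
{
    long off = plant_pointer_and_scan();
    if (off < 0)
        printf("no pointer into the extension within %d words above the anchor\n",
               MAX_SCAN_WORDS);
    else
        printf("pointer into the extension found at anchor+0x%lx\n", off);
    return 0;
}
```

Run it at -O0 and -O2 and the reported offset moves, which is the practical lesson of Dullien's "under certain circumstances": the slot exists because some frame between you and the parser still holds the buffer address, and its distance from ESP depends on the exact call chain, so an exploit that relies on it must re-derive the offset per build rather than hard-code it.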
Current thread:
- buffer overflow???, (continued)
- buffer overflow??? Cyber_Bob (Apr 23)
- Re: buffer overflow??? Przemyslaw Frasunek (Apr 23)
- Re: buffer overflow??? Sebastian (Apr 23)
- Re: buffer overflow??? Markus Kern (Apr 23)
- exploit for W98 long filenameextensions buffer overflow. Laurent Eschenauer (Apr 23)
- Re: buffer overflow??? Blue Boar (Apr 23)
- Re: Securax Security Advisory: Windows98 contains a seriousbuffer overflow with long filenameextensions. Markus Kern (Apr 23)
- Re: Securax Security Advisory: Windows98 contains a serious buffer overflow with long filenameextensions. Thomas Dullien (Apr 23)
- Re: Securax Security Advisory: Windows98 contains a serious buffer overflow with long filenameextensions. John Swensson (Apr 22)
- Re: Securax Security Advisory: Windows98 contains a serious buffer overflow with long filenameextensions. Ron DuFresne (Apr 22)
- Re: Securax Security Advisory: Windows98 contains a serious buffer overflow with long filenameextensions. John Swensson (Apr 22)
- Re: Securax Security Advisory: Windows98 contains a serious buffer overflow with long filenameextensions. Su Wadlow (Apr 22)
- Re: Securax Security Advisory: Windows98 contains a serious buffer overflow with long filenameextensions. James Dyson (Apr 23)
- Re: Securax Security Advisory: Windows98 contains a serious buffer overflow with long filenameextensions. Arturo Busleiman (Apr 23)
- Re: Securax Security Advisory: Windows98 contains a seriousbuffer overflow with long filenameextensions. Blue Boar (Apr 23)
- Securax Extension overflow update. Securax (Apr 23)
- Re: Securax Security Advisory: Windows98 contains a serious buffer overflow with long filenameextensions. John Swensson (Apr 22)
- Re: Securax Security Advisory: Windows98 contains a serious buffer overflow with long filenameextensions. Octavian (Apr 23)