| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: dan57170 at yahoo.com (Daniel Regalado Arias) Subject: RE: Microsoft's Explorer and Internet Explorer long share name buffer overflow. Pues mira Gutierrez, yo tengo un servidor samba funcionando correctamente en mi red, y efectivamente puse un share existente y no el que propones, obviamente con un usuario valido y de hecho en el explorer me aparece el nombre con las 300' caracteres A, no me deja entrar pero tampoco truena. Thats it!!!!! --- Rodrigo Gutierrez <rodrigo@...ellicomp.cl> escribi?: > Then you probably didnt doit right, me and others > such as the secunia people > (www.secunia.com) have tested this > Vulnerability and proved that the systems are > vulnerable. Even microsoft > says that the vulnerability was not patched > Until w2k sp4. > > I tested this vulnerability in the following full > patched systems: > > Windows 98 (Vulnerable) > Windows Me (Vulnerable) > Windows NT (All) (Vulnerable) > Windows 2k (All) (Vulnerable) > Windows XP (All) (Vulnerable) > Windows 2003 server (Not Vulnerable) > > Remember that if you want to test the vulnerability, > first you must know how > samba works. Its not just to paste the example > Config in a smb.conf file, you must create the > directory that is pointed in > the share and perhaps have a valid user. > > Regards > > > Rodrigo.- > > > -----Mensaje original----- > De: Daniel Regalado Arias > [mailto:dan57170@...oo.com] > Enviado el: Lunes, 26 de Abril de 2004 16:56 > Para: Rodrigo Gutierrez; > full-disclosure@...ts.netsys.com; > bugtraq@...urityfocus.com; > submissions@...ketstormsecurity.org; > info@...uriteam.com > Asunto: Re: Microsoft's Explorer and Internet > Explorer long share name > buffer overflow. > > Well, i have tested it in W2k with sp3 and explorer > didnt get crashed!!!!!!! > > Well, i cant get into the share because a message > appears saying "share name > not found"!!!! > > But, explorer is OK. > > > --- Rodrigo Gutierrez <rodrigo@...ellicomp.cl> > escribi?: > Sunday afternoon is a bit boring, and > weather sucks > > down here in Santiago, > > Chile so here we go... > > The vuln is attached in TXT format, I would be > gratefull if someone > > could verify if it affects windows 2003 as well. > > > > Rodrigo.- > > > Microsoft Explorer and Internet Explorer Long > Share > > Name Buffer Overflow. > > > > > > > > Author: Rodrigo Gutierrez <rodrigo@...ellicomp.cl> > > > > Affected: MS Internet Explorer, MS Explorer > > (explorer.exe) > > Windows XP(All), Windows 2000(All) > > > > Not Tested: Windows 2003, Windows me, Windows 98, > Windows 95 > > > > Vendor Status: i notified the vendor in the > beginning of 2002, this > > vulnerability was supposed to be > fixed in xp service > > pack 1 according to the vendors > knowledge base article > > 322857. > > > > Vendor url: > > > http://support.microsoft.com/default.aspx?scid=kb;en-us;322857 > > > > > > > > Background. > > > > MS Explorer (explorer.exe) and MS Internet > > Explorer(IEXPLORE.EXE) are > > core pieces of Microsoft Windows Operating > Systems. > > > > > > > > Description > > > > Windows fails to handle long share names when > accessing a remote file > > servers such as samba, allowing a malicious server > to crash the > > clients explorer and eventually get to execute > arbitrary code in the > > machine as the current user (usually with > Administrator rights in > > windows machines). > > > > > > > > Analysis > > > > In order to exploit this, an attacker must be able > to get a user to > > connect to a malicious server which contains a > share name equal or > > longer than 300 characters, windows wont allow you > to create such a > > share, but of course samba > > includes the feature ;). After your samba box is > > up and running create a > > share in you smb.conf : > > > > > > > > #------------ CUT HERE ------------- > > > > > [AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA > AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA > AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA > AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA > AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA > AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA > AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA] > > comment = Area 51 > > path = /tmp/testfolder > > public = yes > > writable = yes > > printable = no > > browseable = yes > > write list = @trymywingchung > > > > #------------ CUT HERE ------------- > > > > > > After your server is up, just get to your windows > test box and get to > > the start menu > run > > \\your.malicious.server.ip., plufff, explorer > > will crash :). > > > > Social Engineering: > > > > <a href="\\my.malicious.server.ip">Enter My 0day > sploit archive</a> > > > > > > > > Workaround. > > > > From your network card settings disable the client > for Microsoft > > networks until a real fix for this vulnerability > is available. > > > > _________________________________________________________ > Do You Yahoo!? > Informaci?n de Estados Unidos y Am?rica Latina, en > Yahoo! Noticias. > Vis?tanos en http://noticias.espanol.yahoo.com > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.netsys.com/full-disclosure-charter.html _________________________________________________________ Do You Yahoo!? Informaci?n de Estados Unidos y Am?rica Latina, en Yahoo! Noticias. Vis?tanos en http://noticias.espanol.yahoo.com
Powered by blists - more mailing lists