OFFICIAL RELEASE of the [device]\[device] advisory

From: Zoa_Chien (zoa_chienat_private)
Date: Mon Mar 06 2000 - 02:13:23 PST


    
    This is the OFFICIAL RELEASE (ignore all incomplete pre-releases) of the
    advisory and exploit by the Securax security team.
    
    
    ---------------------------------------------------------------------------------
    Description :
    
    securax security advisory 01:
    
    Local and REMOTE users can crash Windows '95/'98 systems using specially
    crafted path strings that refer to the MS-DOS device drivers in use. Upon
    parsing such a path the Ms Windows OS will crash, leaving no other option but
    to reboot the machine; all other applications running on the machine stop
    responding. Local use: through any application that allows saving or opening
    a file. Remote use: through any HTTPd/FTPd/e-mail/Usenet software (and
    possibly Napster/Samba/ICQ/...). This bug could also be used in macro viruses.
    This advisory contains a simple workaround.
    
    ---------------------------------------------------------------------------------
    
    
    www.securax.org
    Attachment: scx-sa-01.txt
    
    ========================================================================
    Securax-SA-01                                          Security Advisory
    belgian.networking.security                                        Dutch
    ========================================================================
    Topic:          Ms Windows '95/'98/SE will crash upon parsing specially
                    crafted path strings referring to device drivers.
    
    Announced:      2000-03-04
    Updated:        2000-03-05
    Affects:        Ms Windows '95, Ms Windows '98, Ms Windows '98 SE
    Not affected:   Ms Windows NT Server/Workstation 4.0 (sp5/6)
    Obsoletes:      crash-ie.txt, win98-con.txt
    ========================================================================
    
    
             THE ENTIRE ADVISORY HAS BEEN BASED UPON TRIAL AND ERROR
      RESULTS.  THEREFORE WE CANNOT ENSURE YOU THE INFORMATION BELOW IS
      100% CORRECT.  THIS DOCUMENT IS SUBJECT TO CHANGE WITHOUT PRIOR
      NOTICE.
    
             PLEASE, IF YOU HAPPEN TO FIND MORE INFORMATION CONCERNING
      THE BUG DISCUSSED IN THIS ADVISORY, PLEASE SHARE THIS ON BUGTRAQ.
      THANK YOU.
    
    
    
    I.   Background
    
     Local and remote users can crash Windows '98 systems using specially
     crafted path strings that refer to device drivers being used.
     Upon parsing this path the Ms Windows OS will crash, leaving no
     other option but to reboot the machine.  With this, all other running
     applications on the machine will stop responding.
    
     NOTE: This is not a bug in Internet Explorer, FTPd or other
     web server software running on Win95/98.  It is a bug in the Ms
     Windows kernel, more specifically in the handling of the device
     drivers specified in IO.SYS, causing this kernel meltdown.
    
    
    
    II.  Problem Description
    
     When the Microsoft Windows operating system parses a path that
     is crafted like "c:\[device]\[device]" it will halt and crash
     the entire operating system.
    
     Five device drivers have been found to crash the system: CON,
     NUL, AUX, CLOCK$ and CONFIG$.  Other devices such as LPT[x]:,
     COM[x]: and PRN have not been found to crash the system.
    
     Combinations such as CON\NUL, NUL\CON, AUX\NUL, ... seem to
     crash Ms Windows as well.
    
     Calling a path such as "C:\CON\[filename]" won't result in a crash
     but in an error message.  Creating a folder named "CON", "CLOCK$",
     "AUX", "NUL" or "CONFIG$" will also result in a simple error
     message saying that creating that folder isn't allowed.
    
    
     DEVICE DRIVERS
     --------------
     These are specified in IO.SYS and date back to the early Ms Dos
     days.  Here is a brief list of what I have found:
    
      CLOCK$       - System clock
      CON          - Console; combination of keyboard and screen to
                     handle input and output
      AUX or COM1  - First serial communication port
      COMn         - Second, third, ... communication port
      LPT1 or PRN  - First parallel port
      NUL          - Dummy port, or the "null device" which we all
                     know under Linux as /dev/null.
      CONFIG$      - Unknown
    
    
    
     Any call made with a path consisting of "NUL" and "CON" seems to
     crash routines in the FAT32/VFAT code, eventually trashing the
     kernel.
    
     Therefore, it is possible to crash -any- other local and/or
     remote application as long as it passes the path string on to
     the FAT32/VFAT routines in the kernel.  Mind you, we are -not-
     sure this is the real reason; however, there is strong evidence
     to assume this is the case.
    
     So... To put it in layman's terms...  It seems that the Windows 98
     kernel goes berserk upon processing paths that are made up
     of "old" (read: Ms Dos) device drivers.
    
    
    
    III.  Reproduction of the problem
    
      (1) Receiving HTML mail with an image or link whose path refers to
      [drive]:\con\con or [drive]:\nul\nul.  This will crash the Ms
      Windows '98 operating system when the HTML is viewed.  This has
      been tested on Microsoft Outlook and Eudora Pro 4.2; Netscape
      Messenger seems not to crash.
    
           <HTML>
             <BODY>
               <A HREF="c:\con\con">crashing IE</A>
               <!-- or nul\nul, clock$\clock$ -->
               <!-- or aux\aux, config$\config$ -->
             </BODY>
           </HTML>
    
      (2) Issuing GET /con/con or GET /nul/nul against WarFTPd in
      any directory will also crash the operating system.  Other
      FTP daemons have not been tested.  So it is possible to remotely
      crash Ms Windows '98 operating systems.  We expect that virtually
      every FTPd running on Windows '95/'98(SE) can be crashed.
    
      (3) Setting HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open
      to the value c:\con\con "%1" %* or c:\nul\nul "%1" %*
      will also crash the system.  Think of what macro viruses can do
      to your system now.
    
      (4) It is possible to crash any Windows '95/'98(SE) machine
      running web server software such as the FrontPage web server, ...
      You can crash the machine by feeding it a URL such as
    
         http://www.a_win98_site.be/nul/nul
    
      (5) Creating an HTML page with IMG tags or HREF tags referring to
      the local "nul" path or the "con" path.
    
           <HTML>
             <BODY>
               <IMG SRC="c:\con\con">
               <!-- or nul\nul, clock$\clock$ -->
               <!-- or aux\aux, config$\config$ -->
             </BODY>
           </HTML>
    
    
    
     There are many more methods of crashing the Ms Windows operating
     system, but the essential part seems to be calling a path and file
     both referring to a device name (NUL, CON, AUX, CLOCK$ or
     CONFIG$), with the objective of getting data onto the screen using
     this path.  As you may notice, crashing the system can be done
     remotely or locally.
    
    
     NETSCAPE - Netscape doesn't crash at first, because the string
     used to call the path is changed to file:///D|/c:\nul\nul.  Upon
     entering c:\nul\nul in the URL without file:///D|/ you -do- crash
     Netscape and the operating system.
    
    
    
    IV.  Impact
    
     This type of attack will render all applications useless, thus
     leaving the system administrator no other option than rebooting the
     system.  Given the wide range of ways to crash the Ms Windows
     operating system, this is a severe bug.  However, Windows NT
     systems don't seem to be vulnerable.
    
    
    
    V.   Solution
    
     Ms Windows NT 4.0 and 2000 aren't affected either.  We advise
     Windows '98 users either to upgrade to the systems listed
     above, or not to follow HTML links that refer to the device
     drivers listed above.  Microsoft has been notified.  No
     official patch has been announced ( 2000-03-05 ).
    
     WORKAROUND: A simple byte hack could prevent this from happening,
     as long as you don't use older Ms Dos programs making legitimate
     use of the device drivers: replace all "NUL", "AUX", "CON",
     "CLOCK$" and "CONFIG$" device driver strings in IO.SYS with random
     values or hex null bytes.  Mind you, upon hex-editing these values
     you must be aware that your system may become unstable.  We have
     created a patch that alters the strings; after the patch we were
     no longer able to type in any commands at the Ms-Dos prompt.  The
     problem, however, was resolved.  Because of this side effect, we
     are -not- releasing the patch.  It's up to you to decide whether
     you want to change the bytes or not ( even with Ms Edit in binary
     mode you can quickly patch your IO.SYS ).
    
    
    
    VI.  Credits
    
     Initial "con" bug found in Internet Explorer by Suigien -*- Remote
     crashing using FTPd, HTTPd, EMail, Usenet by Zoa_Chien, Path0s,
     Necrite, Elias and ToSH -*- Byte hack IO.SYS workaround by Zoa_Chien
     -*- Advisory, IO.SYS exe/testing and aux/nul/clock$/config$ detection
     by vorlon.
    
    
    
    ========================================================================
    For more information                                infoat_private
    Website                                       http://www.securax.org
    Advisories/Text                           http://www.securax.org/pers
    ------------------------------------------------------------------------
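The check a server or mail client should apply before a request path reaches the file system, as an added example that is not part of the Securax advisory: a Python filter that rejects any path component naming a DOS device. It covers the five names the advisory lists in section II and the request forms used to reproduce the crash in section III (c:\con\con, /nul/nul), and goes beyond the advisory's own list by also rejecting PRN, COM1-9 and LPT1-9 and the name variants Win32 resolves to a device (case-insensitive, CON.txt, CON:, trailing dots) plus URL-encoded spellings such as /%63on/%63on. The web-server log lines are constructed for the example, not captured from a real server.

```python
import re
from urllib.parse import unquote

# Reserved MS-DOS device names.  The advisory found CON, NUL, AUX, CLOCK$ and
# CONFIG$ to crash Windows 9x; PRN, COM1-9 and LPT1-9 are included as well
# because Win32 name resolution treats them as devices too (assumption: a
# defensive filter should reject the whole family, not just the crashing five).
RESERVED_DEVICES = (
    {"CON", "NUL", "AUX", "PRN", "CLOCK$", "CONFIG$"}
    | {f"COM{n}" for n in range(1, 10)}
    | {f"LPT{n}" for n in range(1, 10)}
)

SEPARATORS = re.compile(r"[\\/]+")                        # accept / and \ alike
REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD)\s+(\S+)')  # CLF request field


def is_reserved_component(component: str) -> bool:
    """True if one path component resolves to a DOS device name.

    Windows ignores case, everything after the first '.' (CON.txt is still the
    console), a trailing ':' and trailing spaces or dots, so all of those are
    stripped before the lookup.
    """
    name = component.strip().split(".")[0].rstrip(" :").upper()
    return name in RESERVED_DEVICES


def path_components(raw: str) -> list:
    """URL-decode first so '%63on' is seen as 'con', then split on / or \\."""
    return [c for c in SEPARATORS.split(unquote(raw)) if c]


def refers_to_device(raw: str) -> bool:
    """True if any component of a URL path or Windows path names a device.

    Run this before handing a request path to the file system: 'c:\\con\\con',
    '/nul/nul' and '/%63on/%63on' are rejected, '/console/help.html' passes.
    """
    return any(is_reserved_component(c) for c in path_components(raw))


# Constructed sample web-server log (CLF style) for this example; not captured
# from a real server.  Lines 2-4 carry device-name requests of the kind the
# advisory's reproduction section describes, line 5 is a benign look-alike.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Mar/2000:02:13:23 -0800] "GET /index.html HTTP/1.0" 200 1234
10.0.0.9 - - [06/Mar/2000:02:14:01 -0800] "GET /nul/nul HTTP/1.0" 404 0
10.0.0.9 - - [06/Mar/2000:02:14:05 -0800] "GET /images/con.jpg HTTP/1.0" 404 0
10.0.0.9 - - [06/Mar/2000:02:14:09 -0800] "GET /%63on/%63on HTTP/1.0" 404 0
10.0.0.7 - - [06/Mar/2000:02:15:00 -0800] "GET /console/help.html HTTP/1.0" 200 99
"""


def flag_requests(log_text: str) -> list:
    """Return (line_number, request_path) for every request naming a device."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        match = REQUEST_LINE.search(line)
        if match and refers_to_device(match.group(1)):
            hits.append((number, match.group(1)))
    return hits


if __name__ == "__main__":
    for probe in (r"c:\con\con", "/nul/nul", "/%63on/%63on", "/console/help.html"):
        print(f"{probe:22} device={refers_to_device(probe)}")
    for number, path in flag_requests(SAMPLE_LOG):
        print(f"log line {number}: device-name request {path}")
```

The filter deliberately rejects more than the advisory's five crashing names: a request for `/images/con.jpg` is flagged even though the advisory only reports errors (not crashes) for `C:\CON\[filename]`, because a file name that resolves to a device is never something a web or FTP server should open on the caller's behalf.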
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:39:04 PDT