On Mon, Mar, 2000, Ussr Labs wrote:

> for: windoze 98 maybe 95 too...
> not for NT4 or win2K
>
> When we looked at the new exploit for ie that uses the image
> c:/con/con
> (http://www.zoomnet.net/~quick/error/crash.html)
>
> This can also be exploited to crash remote servers
> Look what we tried on this servU-FTP v 2.4a
> (works on any windoze 98 FTP even with anonymous or guest account)

Just to reinforce what is being said this is the fault of some API call
in Windows 95 and 98 (Not NT), and so affects many different programs.
The severity seems to vary from a recoverable BSOD to a complete lockup.

This can be exploited by simply attempting to open a file or directory
called "con\con" (or "nul\nul") and there are many ways to achieve this:

Locally just type "dir con\con" into an MS-DOS Prompt Window, or open a
webpage with the <IMG SRC="c:\con\con"> tag in I.E. (presumably other
browsers too).

Remotely:
Gene6 - G6 FTP Server v2.0 - login and type 'ls con/con' ..
I'm sure most Windows FTPds and possibly HTTPds can be exploited in the
same way (Sambar HTTP Server 4.3 seems safe though).

If the machine has a directory shared with the standard SMB File &
Printer Sharing (even read only shares) it can also be hit:

[stephen@eddie stephen]$ smbclient //eddie95/TEST -I 172.16.61.2
Added interface ip=172.16.61.1 bcast=172.16.61.255 nmask=255.255.255.0
Password:
smb: \> ls con\con

Sure enough Eddie95 BSODs. It is running Windows 95 OSR 2.

--
Stephen White <swhiteat_private>
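
An added example, not part of the original post and not taken from any of the servers it names: a path filter that an FTP or HTTP daemon could apply to client-supplied names before passing them to the operating system. The post only mentions CON and NUL; the code generalizes to the standard set of reserved DOS device names, and the function names and sample requests are constructed for illustration.

```python
import re

# DOS device names that Windows resolves inside any directory. The post
# names CON and NUL; extending the check to the rest of the reserved set
# is an assumption of this example, not something the post tested.
RESERVED = {"CON", "PRN", "AUX", "NUL"}
RESERVED |= {f"COM{i}" for i in range(1, 10)}
RESERVED |= {f"LPT{i}" for i in range(1, 10)}

# Clients may send either separator, as the post shows (con/con, con\con).
_SEPARATORS = re.compile(r"[\\/]+")


def device_components(path):
    """Return the components of `path` that name a DOS device."""
    hits = []
    for part in _SEPARATORS.split(path):
        # Drop a drive prefix such as "c:" so "c:con" is still inspected.
        if len(part) >= 2 and part[0].isalpha() and part[1] == ":":
            part = part[2:]
        # Device matching ignores case, any extension, and trailing
        # spaces or dots, so "CON.txt" and "nul ." are device names too.
        stem = part.split(".", 1)[0].rstrip(" ").upper()
        if stem in RESERVED:
            hits.append(part)
    return hits


def is_safe_path(path):
    """True when no component of a client-supplied path is a device name."""
    return not device_components(path)


# Constructed sample requests, including the forms quoted in the post.
SAMPLES = ["con/con", "con\\con", "nul\\nul", "c:\\con\\con",
           "pub/CON.txt", "incoming/nul .", "pub/console.log",
           "pub/readme.txt"]

if __name__ == "__main__":
    for sample in SAMPLES:
        verdict = "allow" if is_safe_path(sample) else "reject"
        print(f"{verdict:6} {sample!r} {device_components(sample)}")
```

The check belongs after the server has decoded the request (URL escapes, FTP quoting) and before any open, stat or directory-listing call, since the post reports that merely attempting to open the name is enough.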
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:39:14 PDT