Re: con\con is a old thing (anyway is cool)

From: Elias Levy (aleph1at_private)
Date: Sat Mar 11 2000 - 14:43:21 PST

    Summary of message on the con\con Windows issue.
    
    Any permutation of certain DOS device names as a filename of the form
    "device\device" when opened will crash Windows 95/98. Devices that
    seem to trigger the bug include "con", "aux", "nul", and "clock$". So not
    only will "con\con" trigger it, but so will "aux\clock$", "clock$\con",
    etc.
    
    Possible Solutions:
    
    TechnoCraft Co.,LTD. has released a patch they claim fixes the problem.
    The patch is said to work for Windows 98/95 in any language. You can find
    it at http://www.a2001.com/down/concon.html (Japanese).
    This fix seems to work for all affected devices, not just "con".
    
    - download DECON01A2.EXE
    - run it to extract DECON.EXE and CSAFE.VXD
    - put the above two files into one folder
    - put a shortcut to decon.exe into Startup folder to make it
      run whenever Windows starts.
    
    - to stop DECON.EXE, hit Control+Alt+Delete and choose Decon.
    
    More information from Japan at:
    http://www.oct.zaq.ne.jp/yufu/browser/2000/02.en.html#26_03 (English)
    http://www.oct.zaq.ne.jp/yufu/browser/2000/02.html#26_03 (Japanese)
    The jp.comp.security newsgroup (Japanese)
    
    Possible exploit vectors:
    
    * HTML-formatted web pages, email and USENET messages.
      E.g. <img SRC="file://c:/con/con">
      Tested under Netscape 4.6 on Windows 98 Second edition.
      Email clients that render HTML messages include Outlook
      and Netscape Messenger.
    
    * Forums that allow people to submit URLs to be displayed to others.
      E.g. web message boards.
    
    * Web servers. E.g.
      Personal Web Server using the URL http://host/../con/con
    
    * File sharing / SMB.
      Tested with Samba. Connect to the Windows share and "cd /con/con".
      It was pointed out that Windows 95/98 users that share printers
      also have a passwordless share called PRINTER$ which leaves them
      open to attacks via this problem. E.g.
    
      D:\>net use * \\192.168.0.6\PRINTER$
      Drive G: is now connected to \\192.168.0.6\PRINTER$.
      The command completed successfully.
    
      D:\>G:
      G:\>
      G:\>cd \CLOCK$\CLOCK$
      The specified network name is no longer available.
    
    * FTP Servers.
      Tested and found vulnerable with WarFTPD 1.70B and G6 FTP 2.0b6.
      Login to the FTP server (as any user, even anonymous) and send the
      command "GET /con/con".
    
    * Mail servers that store attachments as separate files while using
      the filename provided in the message. E.g. The Bat.
    
    I am sure there are plenty of other ones.
    
    Some people have reported their machines do not exhibit the problem.
    One person commented it may only work if you are using the FAT32 file
    system. Another one found his Windows 98 First Edition with most security
    updates could recover from the problem and further attempts to exploit it
    would fail. Another one found a Win95 (4.0.950B) box with IE 5.0 is not
    vulnerable, while a Win95 (4.0.950C) box with IE 5.0 is.
    
    Microsoft has also been aware of the problem for a long while. As it
    was pointed out earlier in the thread this problem was reported last year
    to the list. Microsoft did not feel the problem was important enough to
    bother users with a security fix. More information about this at:
    http://www.zdnet.com/zdnn/stories/news/0,4586,2458885,00.html
    
    Contributors:
    
    YUFU <yufuat_private>
    Robin Whittle <rwat_private>
    Erwin Geirnaert <egeirnaertat_private>
    Gerardo Richarte <core.lists.bugtraq@core-sdi.com>
    Zoa_Chien <zoa_chienat_private>
    "IIJIMA 'Delmonta' Hiromitsu" <L94102at_private-tokyo.ac.jp>
    Brian Eckman <eckma009at_private>
    Nick Jones <nlj21at_private>
    Knud Erik <kainat_private>
    blane <blaneat_private>
    -{ David Leadbeater }- <dglat_private>
    <agueromat_private>
    Jason Staples - CNW <ellisat_private>
    LiTTlE-John <little_john80at_private>
    
    --
    Elias Levy
    SecurityFocus.com
    http://www.securityfocus.com/
    
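Editor's note: the post lists several server-side vectors (web servers, FTP servers, SMB shares, mail servers that store attachments under the client-supplied name) that all reduce to one thing: a path from an untrusted party reaching the Windows file system with a DOS device name in one of its components. The check below is an added example written for this archive page; it is not code from the post or from any of the contributors. It rejects client-supplied paths whose components name a DOS device, treats `/` and `\` alike (Windows accepts either), and flags `..` components as well since the Personal Web Server vector above relies on them. It goes beyond the four names reported in the post (`con`, `aux`, `nul`, `clock$`) by including the other classic reserved names (`prn`, `com1`-`com9`, `lpt1`-`lpt9`), which Windows treats the same way. The function names, the `REPORTED_DEVICES` / `RESERVED_DEVICE_NAMES` sets and the log lines in `CONSTRUCTED_LOG` are all assumptions or constructed data.

```python
import re

# Device names the post reports as triggering the crash on Windows 95/98.
REPORTED_DEVICES = {"con", "aux", "nul", "clock$"}

# The remaining classic DOS/Windows reserved device names (assumed set, not
# taken from the post), so the check does not depend on which names happened
# to be tested in the thread.
OTHER_RESERVED = (
    {"prn"}
    | {f"com{n}" for n in range(1, 10)}
    | {f"lpt{n}" for n in range(1, 10)}
)
RESERVED_DEVICE_NAMES = REPORTED_DEVICES | OTHER_RESERVED


def is_reserved_component(component: str) -> bool:
    """True if a single path component names a DOS device.

    Windows resolves 'CON', 'con.txt' and 'con ' to the same device, so the
    comparison uses the base name (text before the first dot), stripped of
    surrounding whitespace and lower-cased. 'console' is not reserved.
    """
    base = component.split(".", 1)[0].strip().lower()
    return base in RESERVED_DEVICE_NAMES


def path_problems(path: str) -> list:
    """Return a sorted list of problems found in a client-supplied path.

    An empty list means the path is acceptable. Both '/' and '\\' are treated
    as separators. A '..' component is reported as 'traversal'; any component
    naming a DOS device is reported as 'reserved-device'.
    """
    components = [c for c in re.split(r"[\\/]+", path) if c]
    problems = set()
    if any(c == ".." for c in components):
        problems.add("traversal")
    if any(is_reserved_component(c) for c in components):
        problems.add("reserved-device")
    return sorted(problems)


# Constructed request log (not real traffic): "<date> <time> <client> GET <path>".
CONSTRUCTED_LOG = [
    "2000-03-11 14:43:01 10.0.0.5 GET /pub/readme.txt",
    "2000-03-11 14:43:05 10.0.0.9 GET /con/con",
    "2000-03-11 14:43:07 10.0.0.9 GET /../clock$/aux",
    "2000-03-11 14:43:09 10.0.0.7 GET /uploads/console.log",
]


def suspicious_requests(lines):
    """Scan log lines of the constructed format above and return
    (path, problems) pairs for every request that should have been refused."""
    findings = []
    for line in lines:
        path = line.rsplit(" ", 1)[-1]   # last field is the requested path
        problems = path_problems(path)
        if problems:
            findings.append((path, problems))
    return findings


if __name__ == "__main__":
    for path, problems in suspicious_requests(CONSTRUCTED_LOG):
        print(f"refuse {path!r}: {', '.join(problems)}")
```

A server would call `path_problems()` before any `open()`, `chdir()` or directory listing on the client-supplied name and refuse the request when the list is non-empty; `suspicious_requests()` is the same check run retrospectively over an access log to find requests that an unpatched server already honoured.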



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:39:26 PDT