SCX-SA-01.txt

Posted Mar 6, 2000

Securax Advisory - Many Windows applications can be made to blue screen upon parsing specially crafted path-strings referring to device drivers.

tags | exploit
systems | windows
MD5 | 92be8f0f7a56c7af4cd6e57cb818c1c5

=====================================================================
Securax-SA-01 Security Advisory
belgian.networking.security Dutch
=====================================================================
Topic: Ms Windows '95/'98/SE will crash upon parsing specially
crafted path-strings referring to device drivers.

Announced: 2000-03-04
Updated: 2000-03-05
Affects: Ms Windows'95, Ms Windows '98, Ms Windows '98 SE
None affected: Ms Windows NT Server/Workstation 4.0 (sp5/6)
Obsoletes: crash-ie.txt, win98-con.txt
=====================================================================


THE ENTIRE ADVISORY HAS BEEN BASED UPON TRIAL AND ERROR
RESULTS. THEREFORE WE CANNOT ASSURE YOU THAT THE INFORMATION BELOW
IS 100% CORRECT. THIS DOCUMENT IS SUBJECT TO CHANGE WITHOUT PRIOR
NOTICE.

IF YOU HAPPEN TO FIND MORE INFORMATION CONCERNING THE BUG
DISCUSSED IN THIS ADVISORY, PLEASE SHARE IT ON BUGTRAQ.
THANK YOU.




I. Background

Local and remote users can crash Windows '98 systems using specially
crafted path-strings that refer to device drivers being used.
Upon parsing this path the Ms Windows OS will crash, leaving no
other option but to reboot the machine. With this, all other running
applications on the machine will stop responding.

NOTE: This is not a bug in Internet Explorer, FTPd or other
webserver software running on Win95/98. It is a bug in the Ms
Windows kernel, more specifically in the handling of the device
drivers specified in IO.SYS, causing this kernel meltdown.



II. Problem Description

When the Microsoft Windows operating system parses a path that
is crafted like "c:\[device]\[device]" it will halt, and crash
the entire operating system.

Four device drivers have been found to crash the system. The CON,
NUL, AUX, CLOCK$ and CONFIG$ are the two device drivers which are
known to crash. Other devices such as LPT[x]:, COM[x]: and PRN have not
been found to crash the system.

Combinations such as CON\NUL, NUL\CON, AUX\NUL, ... seem to
crash Ms Windows as well.

Calling a path such as "C:\CON\[filename]" won't result in a crash
but in an error-message. Creating a directory ("map") named "CON",
"CLOCK$", "AUX", "NUL" or "CONFIG$" will also result in a simple
error-message saying: ''creating that map isn't allowed''.


DEVICE DRIVERS
--------------
These are specified in IO.SYS and date back to the early Ms Dos
days. Here is a brief list of what I have found:

CLOCK$       - System clock
CON          - Console; combination of keyboard and screen to
               handle input and output
AUX or COM1  - First serial communication port
COMn         - Second, third, ... communication port
LPT1 or PRN  - First parallel port
NUL          - Dummy port, or the "null device", which we all
               know under Linux as /dev/null
CONFIG$      - Unknown



Any call made to a path consisting of "NUL" and "CON" seems to
crash the FAT32/VFAT routines, eventually trashing the
kernel.

Therefore, it is possible to crash -any- other local and/or
remote application as long as they parse the path-strings to
call FAT32/VFAT routines in the kernel. Mind you, we are -not-
sure this is the real reason, however there is strong evidence
to assume this is the case.

So... To put it in layman's terms... It seems that the Windows98
kernel is going berserk upon processing paths that are made up
of "old" (read: Ms Dos) device drivers.



III. Reproduction of the problem

(1) Receiving HTML that contains images with a path referring to
[drive]:\con\con or [drive]:\nul\nul will crash the Ms
Windows '98 Operating System when the HTML is viewed. This has
been tested on Microsoft Outlook and Eudora Pro 4.2. Netscape
Messenger seems not to crash.

<HTML>
<BODY>
<A HREF="c:\con\con">crashing IE</A>
<!-- or nul\nul, clock$\clock$ -->
<!-- or aux\aux, config$\config$ -->
</BODY>
</HTML>

(2) Using GET /con/con or GET /nul/nul with WarFTPd on
any directory will also crash the operating system. Other
FTP daemons have not been tested. So it's possible to remotely
crash Ms Windows '98 Operating Systems. We expect that virtually
every FTPd running on Windows '95/'98(se) can be crashed.

(3) Inserting HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\_
open with the value of c:\con\con "%1" %* or c:\nul\nul "%1" %*
will also crash the system. Think of what Macro virii can do
to your system now.

(4) It's possible to crash any Windows '95/'98(SE) machine
running webserver software such as Frontpage Webserver, ... You can
crash the machine by feeding it a URL such as

http://www.a_win98_site.be/nul/nul

(5) Creating a HTML page with IMG tags or HREF tags referring to
the local "nul" path or the "con" path.

<HTML>
<BODY>
<IMG SRC="c:\con\con">
<!-- or nul\nul, clock$\clock$ -->
<!-- or aux\aux, config$\config$ -->
</BODY>
</HTML>



There are many more methods of crashing the Ms Windows Operating
System but the essential part seems to be calling a path and file
both referring to a device name, either NUL, CON, AUX, CLOCK$ or
CONFIG$, with the objective of getting data on the screen using
this path. As you may notice, crashing the system can be done
remotely or locally.


NETSCAPE - Netscape doesn't crash at first, because the string to
call a path is changed to file:///D|/c:\nul\nul. Upon entering
c:\nul\nul in the URL without file:///D|/ you -do- crash Netscape
and the Operating System.



III. Impact

This type of attack will render all applications useless, thus
leaving the system administrator no other option than rebooting the
system. Due to the wide range of options how to crash the Ms Windows
operating system, this is a severe bug. However, Windows NT
systems don't seem to be vulnerable.



IV. Solution

Ms Windows NT 4.0 and 2000 aren't affected. We advise
Windows'98 users either to upgrade to the systems specified
above, or not to follow html-links that refer to the device
drivers specified above. Microsoft has been notified. No
official patch has been announced ( 2000-03-05 ).

WORKAROUND: A simple byte hack could prevent this from happening
as long as you don't use older Ms Dos programs making legitimate
use of the device drivers: replace all "NUL", "AUX", "CON",
"CLOCK$" and "CONFIG$" device driver strings with random values
or hex null values. Mind you, upon hexediting these values, you
must be aware that your system may become unstable. We have
created a patch that alters the strings; after the patch we were
no longer able to type in any commands on the Ms-Dos prompt. The
problem, however, was resolved. Because of this side-effect, we
are -not- releasing the patch. It's up to you to decide if you
want to change the bytes or not ( even with Ms Edit in binary
mode you can quickly patch your IO.SYS ).
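
An application-level alternative to patching IO.SYS, added here as an example and not part of the Securax advisory: server or mail-filtering code can refuse paths whose components name DOS devices before they reach the filesystem. The function names, the blocking of PRN/COMn/LPTn, and the handling of extensions, trailing colons and %-encoding are assumptions of this example that go beyond what the advisory tested.

```python
import re
from urllib.parse import unquote

# Names the advisory reports as crashing Windows 95/98 in a [device]\[device] path.
CRASHING = {"CON", "NUL", "AUX", "CLOCK$", "CONFIG$"}
# Other DOS device names the advisory lists but did not see crash.
# Rejecting them as well is a defensive assumption of this example.
OTHER = {"PRN"} | {f"{p}{n}" for p in ("COM", "LPT") for n in range(1, 10)}


def device_name(component):
    """Return the DOS device a path component refers to, or None."""
    # DOS ignores case, a trailing colon/dot/space and any extension
    # (NUL.txt still names the NUL device), so normalise those away.
    base = component.strip().rstrip(":. ").split(".")[0].strip().upper()
    return base if base in CRASHING | OTHER else None


def classify(path):
    """Classify a URL, FTP or local path before it is handed to the filesystem."""
    decoded = unquote(path)                       # undo %-encoding such as %4eUL
    decoded = re.sub(r"^[A-Za-z]:", "", decoded)  # drop a drive prefix like c:
    parts = [p for p in re.split(r"[\\/]+", decoded) if p]
    devices = [device_name(p) for p in parts]
    # Two adjacent crashing device names is the pattern the advisory describes.
    for first, second in zip(devices, devices[1:]):
        if first in CRASHING and second in CRASHING:
            return "crash-pattern"
    if any(devices):
        return "reserved-name"   # e.g. C:\CON\[filename]: error only, still refused
    return "ok"


# Constructed sample inputs (request paths and local paths), not captured traffic.
SAMPLES = ["/nul/nul", "c:\\con\\con", "/AUX/%4eUL", "C:\\CON\\readme.txt",
           "/docs/console/index.html", "/files/clock$/config$.txt"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{classify(s):14} {s}")
```

A server would reject any request whose result is not "ok"; the two non-ok verdicts are kept separate so that logs distinguish the crash pattern from a lone reserved name.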



V. Credits

Initial "con" bug found in Internet Explorer by Suigien -*- Remote
Crashing using FTPd, HTTPd, EMail, Usenet by Zoa_Chien Path0s,
Necrite, Elias and ToSH -*- Byte hack IO.SYS workaround by Zoa_Chien
-*- Advisory, IO.SYS exe/testing and aux/nul/clock$/config$
detection by vorlon.





=====================================================================
For more information info@securax.org
Website http://www.securax.org
Advisories/Text http://www.securax.org/pers
---------------------------------------------------------------------