=====================================================================
Securax-SA-01                                       Security Advisory
belgian.networking.security                                     Dutch
=====================================================================
Topic:          Ms Windows '95/'98/SE will crash upon parsing special
                crafted path-strings refering to device drivers.

Announced:      2000-03-04
Updated:        2000-03-05
Affects:        Ms Windows'95, Ms Windows '98, Ms Windows '98 SE
None affected:  Ms Windows NT Server/Workstation 4.0 (sp5/6)
Obsoletes:      crash-ie.txt, win98-con.txt
=====================================================================


         THE ENTIRE ADVISORY HAS BEEN BASED UPON TRIAL AND ERROR 
  RESULTS.  THEREFORE WE CANNOT ENSURE YOU THE INFORMATION BELOW IS 
  100% CORRECT.  THIS DOCUMENT IS SUBJECT TO CHANGE WITHOUT PRIOR
  NOTICE.

         PLEASE, IF YOU HAPPEN TO FIND MORE INFORMATION CONCERNING 
  THE BUG DISCUSSED IN THIS ADVISORY, PLEASE SHARE THIS ON BUQTRAQ.  
  THANK YOU,




I.   Background

 Local and Remote users can crash Windows '98 systems using special 
 crafted path-strings that refer to device drivers being used.  
 Upon parsing this path the Ms Windows OS will crash leaving no 
 other option but to reboot the macine. With this all other running
 applications on the machine will stop responding.

 NOTE: This is not a bug in Internet Explorer, FTPd and other
 webserver software running Win95/98.  It is a bug in the Ms
 Windows kernel system, more specific in the handling of the device
 drivers specified in IO.SYS, causing this kernel meltdown.



II.  Problem Description

 When the Microsoft Windows operating system is parsing a path that 
 is being crafted like "c:\[device]\[device]" it will halt, and crash 
 the entire operating system.  

 Four device drivers have been found to crash the system.  The CON,
 NUL, AUX, CLOCK$ and CONFIG$ are the two device drivers which are 
 known to crash.  Other devices as LPT[x]:, COM[x]: and PRN have not 
 been found to crash the system.  

 Making combinations as CON\NUL, NUL\CON, AUX\NUL, ... seems to 
 crash Ms Windows as well.

 Calling a path such as "C:\CON\[filename]" won't result in a crash
 but in an error-message.  Creating the map "CON", "CLOCK$", "AUX"
 "NUL" or "CONFIG$" will also result in a simple error-message 
 saying: ''creating that map isn't allowed''.
 

 DEVICE DRIVERS
 --------------
 These are specified in IO.SYS and date back from the early Ms Dos
 days.  Here is what I have found.  Here is a brief list;

  CLOCK$       - System clock
  CON          - Console; combination of keyboard and screen to 
                 handle input and output
  AUX or COM1  - First serial communicationport
  COMn         - Second, Third, ... communicationport
  LPT1 or PRN  - First parallel port
  NUL          - Dummy port, or the "null device" which we all
                 know under Linux as /dev/null.
  CONFIG$      - Unknown



 Any call made to a path consisting of "NUL" and "CON seems to
 crash routines made to the FAT32/VFAT, eventually trashing the 
 kernel.

 Therefore, it is possible to crash -any- other local and/or
 remote application as long as they parse the path-strings to
 call FAT32/VFAT routines in the kernel.  Mind you, we are -not- 
 sure this is the real reason, however there are strong evidences 
 to assume this is the case.

 So... To put it in laymen terms...  It seems that the Windows98
 kernel is going berserk upon processing paths that are made up
 of "old" (read: Ms Dos) device drivers.



III.  Reproduction of the problem

  (1) When receiving images into HTML with a path refering to 
  [drive]:\con\con or [drive]:\nul\nul.  This will crash the Ms
  Windows '98 Operatin System when viewing this HTML.  This has
  been tested on Microsoft Outlook and Eudora Pro 4.2. Netscape
  Messenger seems not to crash.

       <HTML>
         <BODY>
           <A HREF="c:\con\con">crashing IE</A>
           <!-- or nul\nul, clock$\clock$ -->
           <!-- or aux\aux, config$\config$ -->
         </BODY>
       </HTML>

  (2) When using GET /con/con or GET /nul/nul using WarFTPd on 
  any directory will also crash the operating system.  Other 
  FTPdaemons have not been tested.  So it's possible to remotely 
  crash Ms Windows '98 Operating Systems.  We expect that virtually 
  every FTPd running Windows '95/'98(se) can be crashed.

  (3) Inserting HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\_
  open with the value of c:\con\con "%1" %* or c:\nul\nul "%1" %* 
  will also crash the system.  Think of what Macro virii can do
  to your system now.

  (4) It's possible to crash any Windows '95/'98(SE) machine 
  running webserver software as Frontpage Webserver, ...  You can
  crash the machine by feeding an URL as 

      http://www.a_win98_site.be/nul/nul

  (5) Creating a HTML page with IMG tags or HREF tags refering to 
  the local "nul" path or the "con" path.

       <HTML>
         <BODY>
           <IMG SRC="c:\con\con">
           <!-- or nul\nul, clock$\clock$ -->
           <!-- or aux\aux, config$\config$ -->
         </BODY>
       </HTML>



 There are much more methods in crashing the Ms Windows Operating 
 System but the essential part seems to be calling a path and file 
 both refering to a device name, either NUl, CON, AUX, CLOCK$ or
 CONFIG$, with the objective of getting data on the screen using 
 this path.  As you may notice, crashing the system can be done 
 remote or local.


 NETSCAPE - Netscape doesn't crash at first, because the string to
 call a path is changed to file:///D|/c:\nul\nul.  Upon entering
 c:\nul\nul in the URL without file:///D|/ you -do- crash Netscape
 and the Operating System.
 


III. Impact

 This type of attack will render all applications useless, thus 
 leaving the system administrator no other option than rebooting the 
 system. Due to the wide range of options how to crash the Ms Windows 
 operating system, this is a severe bug.  However, Windows NT 
 systems don't seem to be vulnerable.



IV.  Solution
 
 Ms Windows NT 4.0 and 2000 aren't affected as well.  We advice 
 Windows'98 users to either upgrade to the systems specified as 
 above, or not to follow html-links that refer to the device
 drivers specified as above.  Microsoft has been notified.  No
 official patch has been announced ( 2000-03-05 ).

 WORKAROUND: A simple byte hack could prevent this from happening
 as long as you don't use older Ms Dos programs making legitimate
 use of the device drivers.  By replacing all "NUL", "AUX", "CON"
 "CLOCK$" and "CONFIG$" device driver strings with random values
 or hex null values.  Mind you, upon hexediting these values, you
 must be aware that your system may become unstable.  We have
 created a patch that alters the strings, after the patch we were
 no longer able to type in any commando's on the Ms-Dos prompt.  The
 problem, however, was resolved.  Because of this side-effect, we
 are -not- releasing the patch.  It's up to you to decide if you
 want to change the bytes or not ( even with Ms Edit in binary 
 mode you can quickly patch your IO.SYS ).



V.   Credits

 Initial "con" bug found in Internet Explorer by Suigien -*- Remote 
 Crashing using FTPd, HTTPd, EMail, Usenet by Zoa_Chien Path0s, 
 Necrite, Elias and ToSH -*- Byte hack IO.SYS workaround by Zoa_Chien
 -*- Advisory, IO.SYS exe/testing and aux/nul/clock$/config$ 
 detection by vorlon.





=====================================================================
For more information                                 info@securax.org
Website                                        http://www.securax.org
Advisories/Text                           http://www.securax.org/pers
---------------------------------------------------------------------