
win98explorer.txt
Posted Aug 17, 1999

Buffer overflow in Windows Explorer can lead to Denial of Service attack, and possibly more.

tags | exploit, denial of service, overflow
systems | windows
SHA-256 | 4214293d27b33ba9bb4f154acf870baa5a5a54e9b95f0a50d46aeaa2d415d028

Date: Mon, 9 Feb 1998 17:49:45 -0800
From: Scott <smc@visuallink.com>
To: BUGTRAQ@netspace.org
Subject: Another Windows98 Bug...


I'm not sure about the details of this problem, but when testing another buffer overflow, I
created a long filename called "testfile.txt                                                                                                                                                                                                "
(note the chr(160)'s at the end). It is 235 characters in length.  After creating it on my desktop,
I right clicked on it; Explorer crashed saying it caused an illegal operation.  The only way I
found to close this was by using command.com.  I sent this to a friend and he got the same error.
 
        -Scott Campbell (smc@visuallink.com)

-------------------------------------------------------------------------------------

Date: Fri, 12 Feb 1999 17:37:57 -0800
From: Scott <smc@visuallink.com>
To: BUGTRAQ@netspace.org
Subject: Another Windows98 Bug (Cont'd)


The easiest way to get rid of one of these files with an 'extra long'
filename is to drag it to the recycle bin (that seemed to work fine for me).

All I did to create the long filename is right click on the desktop
filename, go to 'rename', and copy and paste chr(160) many times until
nothing would paste anymore. (Note: this DOES work with other alpha-numeric
characters. This must just be bad error checking by Microsoft.)

I used Start->Find and located the long file. I clicked once on it to
select it, and Find crashed, but Explorer didn't seem to crash (or give me
any errors).
Also, I renamed an executable file to give it the same size long filename,
leaving the last 3 characters as '.exe'. Explorer didn't crash when I
clicked on it, the program ran fine, and the menu didn't come up when I right
clicked on it.

Shortcuts do not seem to be affected by it, but I did try another file type
with an association (.jpg), and it ran the program associated with it, but
wouldn't let me right click on it.
-Scott

-------------------------------------------------------------------------------------

Date: Sat, 13 Feb 1999 03:13:18 +0000
From: Nick Lamb <njl98r@ECS.SOTON.AC.UK>
To: BUGTRAQ@netspace.org
Subject: Re: Another Windows98 Bug...

On Fri, 12 Feb 1999, Jensen Allan AJE wrote:

> It seems to be an Explorer-only bug, as no other application I've tried went
> down.

Every application that uses the Win95-style common file dialog will crash
if you try to right-click on the over-length filename.

In addition, I tried the following apps and as well as confirming the
right-click problem I attempted to open the file...

Word 7.0 seemed to ignore my attempt to open the file
PowerPoint 7.0 seemed to ignore my attempt to open the file
Excel 7.0 crashed with a standard crash dialog
Paint Shop Pro 4.12 exited immediately without any messages
Photoshop 4.0 politely said "File Not Found"

The lab test machine claims to be NT 4.00.1381, which may or may not be
important for this bug nest.

Nick.

-------------------------------------------------------------------------------------

Date: Sat, 13 Feb 1999 15:51:34 -0500
From: Eric Stevens <ejsteven@CS.MILLERSV.EDU>
To: BUGTRAQ@netspace.org
Subject: Re: Another Windows98 Bug...


I've researched this a bit.
The real issue here seems to be that Windows (all versions including, but
not limited to Win 95, 98, NT4.0 [sp3 & sp4]) apparently only accept file
names up to 218 characters in length. The maximum number of characters you
can enter in the little rename file box is 214 bytes. Any file name greater
than 218 bytes including extension and dot is truncated without attention
paid to the extension in the truncation process. Example: aaaa.....aaa.txt
of length 219 would become aaaa......aaa.tx . The Windows standard Save
File dialog (Common Dialog control: comctl32.ocx) control allows the entry
of filenames up to apparently 259 bytes, which will promptly be truncated to
that 217 byte limit. This truncation is done by the comctl32.ocx control,
not the program trying to save the file. The program happily accepts the
filename truncated by comctl32.ocx. If this program attempts to append an
extension on this filename, you may very well have a real issue.
Character 160 has no bearing on this whatsoever.
At 252 characters, applications receive errors when trying to save files
(tested by an application I wrote myself for this purpose).
code:
1 For b = 1 To 300
2 a = Left(Trim(Str(b + 4)) + String(b, "a"), b) + ".txt"
3 Open "c:\test\" + a For Output As #1
4 Close
5 Next
line 2 declares the filename to be the value of b plus 4 (for the ".txt"
on the end) plus the appropriate number of "a" 's on the end.
This piece of code does not truncate the file name in any way, just returns
a file not found error. All the files whose length are greater than 217
crash on right click or pushing the delete button. The only way apparently
to get rid of these guys very easily is to just drag them to the recycle
bin.
Since all the lengths I've reported above don't jive with each other, I
suppose the moral of this story is "When deciding how large to make your
buffer, tell everyone who's working on developing your OS so they all make
it the same." If Microsoft had agreed amongst each other how long to make
the file name, this wouldn't be an issue.

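The truncation behaviour Eric describes (a name one byte over the limit loses the last byte of its extension, "aaa.txt" becoming "aaa.tx") and the chr(160)-padded name from Scott's first message, as an added example that is not part of the thread. The 218-character limit is the thread's observed figure and is assumed here; `naive_truncate` reproduces the reported defect, `safe_truncate` and `check_filename` show the defensive handling a file-saving application should do before calling the file API.

```python
# Observed limit from the thread; an assumption for this example, not a Windows constant.
MAX_NAME = 218


def naive_truncate(name, limit=MAX_NAME):
    """The reported behaviour: cut at the buffer size with no regard to the extension."""
    return name[:limit]


def safe_truncate(name, limit=MAX_NAME):
    """Shorten the stem but keep the extension intact, so 'a...a.txt' stays a .txt file."""
    stem, dot, ext = name.rpartition(".")
    if not dot:               # no extension at all: the whole name is the stem
        stem, ext = name, ""
    else:
        ext = "." + ext
    if len(ext) >= limit:
        raise ValueError("extension alone does not fit in %d characters" % limit)
    return stem[: limit - len(ext)] + ext


def check_filename(name, limit=MAX_NAME):
    """Validate a user-supplied name before handing it to a file API.

    Returns (ok, reason). Rejects names that would be silently truncated,
    names padded with spaces or non-breaking spaces (chr(160)), and names
    containing non-printable characters.
    """
    if not name:
        return False, "empty name"
    if name != name.strip(" \xa0"):
        return False, "leading/trailing space or chr(160) padding"
    if any(not c.isprintable() for c in name):
        return False, "non-printable character in name"
    if len(name) > limit:
        return False, "length %d exceeds limit %d" % (len(name), limit)
    return True, "ok"


if __name__ == "__main__":
    # Constructed inputs: Eric's 219-byte example and Scott's 235-byte padded name.
    too_long = "a" * 215 + ".txt"
    padded = "testfile.txt" + "\xa0" * 223
    print(naive_truncate(too_long)[-4:])      # '.tx' has lost the extension
    print(safe_truncate(too_long)[-4:])       # '.txt' is preserved
    print(check_filename(padded))             # rejected before any file API call
```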
