Microsoft Windows Long Filename Extension Vulnerability
BID: 1259
Info
| Bugtraq ID: | 1259 |
| Class: | Boundary Condition Error |
| CVE: | |
| Remote: | Unknown |
| Local: | Yes |
| Published: | Apr 21 2000 12:00AM |
| Updated: | Apr 21 2000 12:00AM |
| Credit: | Discovered by Securax and publicized in a Securax advisory released April 21 2000. |
| Vulnerable: | see list below |
| Not Vulnerable: | |

Vulnerable products:
- Microsoft Windows NT Workstation 4.0, SP1, SP2, SP3, SP4, SP5, SP6, SP6a
- Microsoft Windows NT Terminal Server 4.0, SP1, SP2, SP3, SP4, SP5, SP6
- Microsoft Windows NT Server 4.0, SP1, SP2, SP3, SP4, SP5, SP6, SP6a
- Microsoft Windows NT Enterprise Server 4.0, SP1, SP2, SP3, SP4, SP5, SP6, SP6a
- Microsoft Windows 98
- Microsoft Windows 95
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Advanced Server
Discussion
Windows 95, 98, NT and 2000 suffer from a number of related buffer overflows that can result in a crash if a filename with an extension longer than 128 characters is accessed. Although arbitrary code could be executed in this manner, it would have to be composed only of valid filename character values.
Windows 95, 98 and NT do not allow file extensions of this size to be created directly; a batch file executed from the command interpreter can, however, create them in a manner similar to the example in Securax advisory SA-02, linked to in the credit section.
In Windows 2000, long extensions can be created with Explorer. The file displays properly; however, if a cut-and-paste operation is attempted, Explorer crashes and EIP is overwritten, allowing arbitrary code to be executed at the security level of the user.
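As an added defensive example, not part of this SecurityFocus record or of the Securax advisory: a small Python scanner that flags file or directory names whose extension (the text after the last dot) exceeds the 128-character threshold the discussion names. Only that threshold comes from the record; the function names, the sample names and the choice of the last-dot rule are this example's own assumptions. It is meant to be run against a file share, quarantine folder or attachment store from a host that is not itself one of the listed vulnerable systems, since the discussion states that merely accessing such a name can crash them.

```python
import os
from typing import Iterable, List, Tuple

# Threshold taken from the advisory discussion: extensions longer than
# 128 characters are the trigger. Everything else in this script is an
# assumption of this added example, not something the record specifies.
MAX_SAFE_EXTENSION_LEN = 128


def extension_of(name: str) -> str:
    """Return the extension of a file or directory name, without the dot.

    Uses the usual "text after the last dot" rule, so 'archive.tar.gz'
    yields 'gz'. A name whose only dot is the leading one ('.hidden') or
    that ends in a bare dot ('notes.') has no extension.
    """
    _, ext = os.path.splitext(os.path.basename(name))
    return ext[1:] if ext else ""


def is_suspicious_name(name: str, limit: int = MAX_SAFE_EXTENSION_LEN) -> bool:
    """True when the name's extension is longer than the 128-character limit."""
    return len(extension_of(name)) > limit


def scan_names(names: Iterable[str],
               limit: int = MAX_SAFE_EXTENSION_LEN) -> List[Tuple[str, int]]:
    """Return (name, extension_length) for every name over the limit, in input order."""
    findings: List[Tuple[str, int]] = []
    for name in names:
        ext_len = len(extension_of(name))
        if ext_len > limit:
            findings.append((name, ext_len))
    return findings


def scan_tree(root: str,
              limit: int = MAX_SAFE_EXTENSION_LEN) -> List[Tuple[str, int]]:
    """Walk a directory tree and flag files and directories with over-long extensions.

    Directory names are checked too, because a directory can carry an
    extension just as a file can, and the record does not limit the issue to files.
    """
    findings: List[Tuple[str, int]] = []
    for dirpath, dirnames, filenames in os.walk(root):
        for entry in dirnames + filenames:
            ext_len = len(extension_of(entry))
            if ext_len > limit:
                findings.append((os.path.join(dirpath, entry), ext_len))
    return findings


# Constructed sample names for an offline run; no files are created on disk.
SAMPLE_NAMES = [
    "report.txt",
    "archive.tar.gz",
    ".hidden",
    "notes.",
    "at-limit." + "a" * 128,    # exactly 128 characters: not flagged
    "over-limit." + "b" * 129,  # 129 characters: flagged
    "way-over." + "c" * 300,    # flagged
]

if __name__ == "__main__":
    for flagged, ext_len in scan_names(SAMPLE_NAMES):
        print(f"FLAG extension length {ext_len}: {flagged[:40]}...")
```

The scanner reports the extension length alongside the name so that an analyst can see how far past the threshold a name sits; names at exactly 128 characters are left alone because the record says "longer than 128". To sweep a real tree, call `scan_tree("/path/to/share")` instead of `scan_names`.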
Exploit / POC
Exploit written by Laurent Eschenauer <[email protected]>
From the comments:
"I tested it with explorer.exe 4.72.3110.1. In the sploit, I use a JMP ESP (FF E4) in comctl32.dll version 5.81."
Solution / Fix
Solution:
Currently the SecurityFocus staff are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
References
References: