Microsoft Windows 9x File Handle Buffer Overflow Vulnerability
Info
| Bugtraq ID: | 1796 |
| Class: | Boundary Condition Error |
| CVE: | |
| Remote: | Yes |
| Local: | Yes |
| Published: | Jul 10 2000 12:00AM |
| Updated: | Jul 10 2000 12:00AM |
| Credit: | Discovered and posted in an NSFOCUS Security Advisory <SA2000-03> on July 10, 2000. |
| Vulnerable: | Microsoft Windows 98SE, Microsoft Windows 98, Microsoft Windows 95 |
| Not Vulnerable: | Microsoft Windows NT 4.0, Microsoft Windows 2000 Professional |
Discussion
The file sharing (SMB) service in Windows enables client applications to access and modify files from a server on the network.
The SMB service in Windows 95/98 allocates 0x400*4 bytes to store file handles, so a file handle returned to a client will be in the range 0 - 1023. When SMB commands such as SMBfindclose are sent to the service with a specially crafted handle outside that range, the sharing service will attempt to access an illegal memory address.
Successful exploitation of this vulnerability will cause a buffer overflow in the sharing service, which will likely crash.
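The missing range check, as an added C example (not code from NSFOCUS, SecurityFocus or Microsoft): a constructed 0x400-entry handle table whose close handler rejects any handle outside 0 - 1023 before it is used as an index. The 16-bit little-endian handle field, the function names and the return codes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HANDLE_SLOTS 0x400u            /* table size from the advisory: 0x400 entries */
#define SLOT_BYTES   4u                /* 4 bytes per entry -> 0x400*4 byte allocation */

enum { H_OK = 0, H_SHORT = -1, H_RANGE = -2, H_NOT_OPEN = -3 };

typedef struct {
    uint32_t slot[HANDLE_SLOTS];       /* 0 = free; nonzero = open object (constructed model) */
} handle_table;

/* Byte offset an unchecked table[h] access would touch, relative to the table start.
   Anything >= HANDLE_SLOTS * SLOT_BYTES (4096) lies outside the allocation. */
size_t unchecked_offset(uint16_t h) { return (size_t)h * SLOT_BYTES; }

/* Read the client-supplied handle; assumed here to be a 16-bit little-endian field. */
int parse_handle(const uint8_t *req, size_t len, uint16_t *out)
{
    if (req == NULL || len < 2) return H_SHORT;
    *out = (uint16_t)(req[0] | (req[1] << 8));
    return H_OK;
}

/* Close handler with the checks in place: range first, then slot state. */
int close_handle(handle_table *t, const uint8_t *req, size_t len)
{
    uint16_t h;
    int rc = parse_handle(req, len, &h);
    if (rc != H_OK) return rc;
    if (h >= HANDLE_SLOTS) return H_RANGE;      /* outside 0..1023: reject, never index */
    if (t->slot[h] == 0)   return H_NOT_OPEN;   /* in range but not issued to a client */
    t->slot[h] = 0;                             /* release the slot */
    return H_OK;
}

int main(void)
{
    handle_table t;
    memset(&t, 0, sizeof t);
    t.slot[5] = 0xC0FFEEu;                      /* constructed: handle 5 is open */
    const uint8_t ok[]  = { 0x05, 0x00 };       /* handle 5 */
    const uint8_t bad[] = { 0x00, 0x04 };       /* handle 0x400, first invalid value */
    return (close_handle(&t, ok, 2) == H_OK &&
            close_handle(&t, bad, 2) == H_RANGE) ? 0 : 1;
}
```

Without the range check, a 16-bit handle can select an offset up to 262140 bytes from the start of a 4096-byte table, which is the out-of-bounds access the discussion describes.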
Exploit / POC
Nsfocus Security Team <[email protected]> has provided the following exploit:
Solution / Fix
Solution:
Currently the SecurityFocus staff are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].