
Malformed Filename Extensions causes Microsoft Windows modules to overflow.
SA-02
Published: 2000-04-24 00:00:00
Updated: 2000-04-24 00:00:00

=====================================================================
Securax-SA-02 Security Advisory
belgian.networking.security Dutch
=====================================================================
Topic: Malformed Filename Extensions causes Microsoft
Windows modules to overflow.
Announced: 2000-04-24
Obsoletes: SCX-SA-02.TXT dd 2000-04-21
Affects: Ms Windows'95, Ms Windows '98, Ms Windows '98 SE,
        Ms Windows NT Server/Workstation 4.0, Ms win2K
=====================================================================
THE ENTIRE ADVISORY HAS BEEN BASED UPON TRIAL AND ERROR
RESULTS. THEREFORE WE CANNOT ASSURE YOU THE INFORMATION BELOW IS
100% CORRECT. THIS DOCUMENT IS SUBJECT TO CHANGE WITHOUT PRIOR
NOTICE.
PLEASE, IF YOU HAPPEN TO FIND MORE INFORMATION CONCERNING
THE BUG DISCUSSED IN THIS ADVISORY, PLEASE SHARE THIS ON BUGTRAQ.
THANK YOU,


I. BACKGROUND
SHDOC401.DLL/SHELL32.DLL seems to crash when parsing filenames with
long extensions. This results in a buffer overflow that might be
exploitable to some extent. The crash itself is local, but one can
deliver such malformed filenames via e-mail, DCC, ... to crash these
modules on another user's machine. After the modules crash, recovery
is one click away, so there is no need to reboot.

II. DETAILED PROBLEM DESCRIPTION
Microsoft Windows seems to crash, due to an overflow, when trying
to parse a filename whose extension is longer than 129 characters.
When it does, a buffer overflow occurs and the following fault
information is shown:
EXPLORER caused an invalid page fault in
module SHDOC401.DLL/SHELL32.DLL at 0000:61616161.
Registers:
EAX=61616161 CS=0187 EIP=61616161 EFLGS=00010246
EBX=80070032 SS=018f ESP=01a1d8fc EBP=61616161
ECX=c16b6f10 DS=018f ESI=01d0bd3c FS=5047
EDX=81724974 ES=018f EDI=7fcbd320 GS=0000
Bytes at CS:EIP:
Stack dump:
61616161 61616161 61616161 61616161 61616161 61616161 61616161
61616161 61616161 61616161 61616161 61616161 61616161 61616161
61616161 61616161
As you can notice, EIP was overwritten during this overflow, which
means code contained in the filename could be executed. This occurs
when selecting the file or trying to view it.
Both SHELL32.DLL and SHDOC401.DLL crash when parsing long
extensions.
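To triage a fault dialog like the one quoted above, the Python below (an added example, not part of the original advisory) parses the Windows 9x "invalid page fault" text into process, module, faulting address, register set and stack dump, and then checks whether the bytes now in EIP could all have come from the file extension: 0x61 is ASCII "a", the character the advisory's batch file fills the extension with. The report text is the advisory's own; the FaultReport type, the helper names and the 130-byte extension used in the usage block are assumptions of this example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the fault text quoted in the advisory above, as the
# Windows 9x dialog prints it (module line wrapped after "in").
SAMPLE_REPORT = """EXPLORER caused an invalid page fault in
module SHDOC401.DLL/SHELL32.DLL at 0000:61616161.
Registers:
EAX=61616161 CS=0187 EIP=61616161 EFLGS=00010246
EBX=80070032 SS=018f ESP=01a1d8fc EBP=61616161
ECX=c16b6f10 DS=018f ESI=01d0bd3c FS=5047
EDX=81724974 ES=018f EDI=7fcbd320 GS=0000
Bytes at CS:EIP:
Stack dump:
61616161 61616161 61616161 61616161 61616161 61616161 61616161
61616161 61616161 61616161 61616161 61616161 61616161 61616161
61616161 61616161
"""

_FAULT_RE = re.compile(
    r"(?P<proc>\S+) caused an invalid page fault in\s+module\s+(?P<module>\S+?)"
    r"\s+at\s+(?P<seg>[0-9a-fA-F]{4}):(?P<off>[0-9a-fA-F]{8})"
)
_REG_RE = re.compile(r"\b(E?[A-Z]{2,5})=([0-9a-fA-F]{4,8})\b")
_HEX32_RE = re.compile(r"\b[0-9a-fA-F]{8}\b")


@dataclass
class FaultReport:            # this example's own type, not a Windows structure
    process: str
    module: str
    eip: int
    registers: dict = field(default_factory=dict)
    stack: list = field(default_factory=list)


def parse_fault_report(text):
    """Parse the 'invalid page fault' dialog text into a FaultReport."""
    m = _FAULT_RE.search(text)
    if m is None:
        raise ValueError("not a Windows 9x invalid page fault report")
    report = FaultReport(m.group("proc"), m.group("module"), int(m.group("off"), 16))
    # The register block sits between "Registers:" and "Bytes at CS:EIP:".
    regs = text.partition("Registers:")[2].partition("Bytes at CS:EIP:")[0]
    for name, value in _REG_RE.findall(regs):
        report.registers[name] = int(value, 16)
    # Every 32-bit hex word after "Stack dump:" is one dumped stack slot.
    report.stack = [int(w, 16) for w in _HEX32_RE.findall(text.partition("Stack dump:")[2])]
    return report


def word_from_input(word, controlled):
    """True if all four (little-endian) bytes of a 32-bit word are bytes that
    occur in the attacker-controlled input (here: the file extension)."""
    return all(b in controlled for b in word.to_bytes(4, "little"))


def input_reached_eip(report, controlled):
    """The condition the advisory points at: the faulting address consists of
    input bytes, so the overflow reached the saved return address."""
    return word_from_input(report.eip, controlled)


def controlled_stack_words(report, controlled):
    """Count dumped stack words made entirely of input bytes; a long run means
    the whole frame, not just one slot, was overwritten."""
    return sum(1 for w in report.stack if word_from_input(w, controlled))


if __name__ == "__main__":
    r = parse_fault_report(SAMPLE_REPORT)
    ext = b"a" * 130   # the extension the advisory's batch file creates
    print(f"{r.process} faulted in {r.module} at EIP={r.eip:08x} ({r.eip.to_bytes(4, 'little')!r})")
    print("EIP from input:", input_reached_eip(r, ext),
          "| stack words from input:", controlled_stack_words(r, ext), "of", len(r.stack))
```

On the advisory's report this yields EIP bytes b"aaaa" and all 16 dumped stack words from input, which is the "overwrites the stack at the right places" observation in the impact section in testable form; a report whose EIP holds a real code address would come back False.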


III. REPRODUCTION OF THE PROBLEM
Trying to create such a "Malformed Extension Filename" using Windows
will fail due to editing limitations on the filename as a whole.
However, MS-DOS doesn't have these limitations and one can easily
create such a file.
The file needs an extension of more than 129 characters, otherwise
the crash won't occur. For your ease, you can create a batch file
(.BAT) like we did:
---- cut here ----
@Echo CRASHES SHDOC401.DLL USING A BUFFER OVERFLOW >129
CALL dir *.* > _.aaaaa-130-Characters-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
@Echo CRASHES AN [UNKNOWN MODULE] USING AN EXTENSION >135
CALL dir *.* > _.aaaaa-135-Characters-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbbb
@Echo CRASHES AN SHELL32.DLL USING AN CHR(255) EXTENSION = 135
CALL dir *.* > _.aaaaa-135-Characters-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbbb
---- cut here ----
CRASH TAXONOMY
  # Chars   | Special ASCII | Crashed Module
------------+---------------+----------------
  130 - 135 | No            | SHDOC401.DLL
  135 - 140 | Yes, 255      | SHELL32.DLL
  136 - ... | No            | Unknown
------------+---------------+----------------
SIDENOTE: (1) When inserting a chr(255) code in the extension, Windows
doesn't seem to be able to delete this particular file. (2) When parsing
more than 135 characters in the extension, another module will crash;
when using more than 129 characters, SHDOC401.DLL will crash.
(3) chr(255) and 135 - 140 characters = shell.dll crash.


III. IMPACT
This type of attack will allow any local or remote user with (write) file
creation access to run hostile code on the computer. No exploit code has
been written yet, but since the overflow overwrites the stack at the right
places, it should be possible to write a small exploit.
If you add higher ASCII characters (we've experimented with 255), you
can cause the file to be recognized as write-only in Windows (not in DOS).
Doing so, you will not be able to remove it unless you write directly to
the FAT. This could create the potential for viruses to stay on disks.
This is primarily a local problem. Nevertheless, if one manages to upload
a filename to a remote system and makes sure the administrator or user
highlights the uploaded filename, it is possible to crash the modules.
Using this approach, e-mail clients, FTP daemons, ... may be used for
injecting the malformed filename.
Using Eudora Pro, we were able to crash it by sending the user an
attachment (using the malformed filename). When the user wants to
save the attachment, his/her Eudora will crash (EUDORA.EXE).

SIDENOTE: every time you try to access the dir where the e-mail
attachment should have been saved, your program will
crash, even if this program is not using Explorer for
its file management. In this case you don't even have
to click on the file or move over it and wait some time;
it will crash immediately, rendering the entire
directory useless. To some extent this could mean great
harm to one's directory.
** Windows Commander (WINCMD32.EXE) seems to crash as
well when trying to access such a directory.
** Letting ScanDisk do its job over the hard drives
didn't show any problems.
Other ways of injecting a malformed filename are FTP daemons,
web pages, and DCC sends on IRC.
We can use 247 + 129 + 118 bytes to store data for some shell
code.
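For the injection vectors this section lists (mail attachments, FTP uploads, web pages, DCC sends), the check a mail gateway or upload handler wants is purely on the filename, before it ever reaches the Windows shell. The Python below is an added example, not code from the advisory or from Securax: it applies the advisory's own thresholds (an extension longer than 129 characters, a chr(255) byte, and the ranges of the crash taxonomy table) to classify a filename, flag it, or rewrite it into something the shell can parse, and it lists a directory through os.scandir so that the names are never handed to Explorer. The function names, the 8-character truncation length and the sample names are assumptions of this example; the two long names reproduce the ones the advisory's batch file creates.

```python
import os
import sys

# Thresholds taken from the advisory's findings and its crash taxonomy table.
MAX_SAFE_EXTENSION = 129   # more than 129 characters crashes SHDOC401.DLL
HIGH_ASCII_MARKER = 0xFF   # chr(255) in the extension: undeletable file, SHELL32.DLL crash


def split_extension(name):
    """Split on the last dot, in the DOS sense the advisory uses ("_.aaa" has extension "aaa")."""
    base, dot, ext = name.rpartition(".")
    return (base, ext) if dot else (name, "")


def _extension_bytes(name):
    # DOS/FAT names are single-byte: map to 8-bit so chr(255) becomes 0xFF and
    # the length is counted the way the shell sees it.
    return split_extension(name)[1].encode("latin-1", errors="replace")


def classify_extension(name):
    """Map a filename onto the advisory's crash taxonomy.
    Returns the module expected to crash, or None if the extension is within
    the limit the advisory found safe."""
    raw = _extension_bytes(name)
    n = len(raw)
    if n <= MAX_SAFE_EXTENSION:
        return None
    if HIGH_ASCII_MARKER in raw and 135 <= n <= 140:
        return "SHELL32.DLL"
    if 130 <= n <= 135:
        return "SHDOC401.DLL"
    return "Unknown"


def is_hostile_filename(name):
    """True if the name trips either condition the advisory describes."""
    raw = _extension_bytes(name)
    return len(raw) > MAX_SAFE_EXTENSION or HIGH_ASCII_MARKER in raw


def _printable(s):
    # Replace anything outside printable ASCII (chr(255) included) with '_'.
    return "".join(c if 32 <= ord(c) < 127 else "_" for c in s)


def sanitize_filename(name, keep=8):
    """Rewrite a name so it is safe to hand to the shell: printable ASCII only
    and the extension truncated to `keep` characters (8 is this example's choice)."""
    base, ext = split_extension(name)
    base, ext = _printable(base) or "_", _printable(ext)[:keep]
    return f"{base}.{ext}" if ext else base


def find_hostile(names):
    """Return (name, expected_crashed_module) for every hostile name in an iterable."""
    return [(n, classify_extension(n)) for n in names if is_hostile_filename(n)]


# Constructed samples: an ordinary attachment, the 130- and 135-character names
# from the advisory's batch file, and a 136-character variant carrying chr(255).
SAMPLE_NAMES = [
    "invoice.txt",
    "_.aaaaa-130-Characters-" + "a" * 109,
    "_.aaaaa-135-Characters-" + "a" * 109 + "bbbbb",
    "_.aaaaa-136-Characters-" + "a" * 109 + "bbbbb" + "\xff",
]

if __name__ == "__main__":
    # Usage: python check_names.py [directory]; without an argument the
    # constructed samples are checked. os.scandir never parses the extension,
    # so listing a poisoned directory this way does not trigger the crash.
    names = (e.name for e in os.scandir(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_NAMES
    for name, module in find_hostile(names):
        print(f"{module or 'n/a':13} {len(name):4} chars -> {sanitize_filename(name)}")
```

The classification order matters only at the table's overlapping boundary (135 characters): a chr(255) byte inside 135-140 is reported as SHELL32.DLL, otherwise 130-135 goes to SHDOC401.DLL and anything longer to the advisory's "Unknown" module. For a gateway, is_hostile_filename is the only call needed; classify_extension is for triage of what was found.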

IV. SOLUTION
Microsoft hasn't released a patch yet.


V. Credits
Initial bug report : |ncubus -*- overflow detection + usage concepts
+ quickly written advisory by Zoa_Chien -*- Exploit shell-code : you?
-*- Thnx to Lamagra(b0f) for testing this on NT. -*- final advisory,
testing ('98SE/Win2k) by vorlon

NOTE: This bug was found by "Incubus" and Zoa Chien while writing
a paper on Microsoft Windows Vulnerabilities.