Published: 2000-04-24 00:00:00
Updated: 2000-04-24 00:00:00
=====================================================================
Securax-SA-02                    Security Advisory
belgian.networking.security                                    Dutch
=====================================================================

Topic:      Malformed filename extensions cause Microsoft Windows
            modules to overflow.

Announced:  2000-04-24
Obsoletes:  SCX-SA-02.TXT dd 2000-04-21
Affects:    MS Windows 95, MS Windows 98, MS Windows 98 SE,
            MS Windows NT Server/Workstation 4.0, MS Windows 2000
=====================================================================

THE ENTIRE ADVISORY HAS BEEN BASED UPON TRIAL AND ERROR RESULTS.
THEREFORE WE CANNOT ASSURE YOU THE INFORMATION BELOW IS 100% CORRECT.
THIS DOCUMENT IS SUBJECT TO CHANGE WITHOUT PRIOR NOTICE.
IF YOU HAPPEN TO FIND MORE INFORMATION CONCERNING THE BUG DISCUSSED
IN THIS ADVISORY, PLEASE SHARE IT ON BUGTRAQ. THANK YOU.

I. BACKGROUND

SHDOC401.DLL/SHELL32.DLL seems to crash when parsing filenames with long
extensions. This results in a buffer overflow that might be exploitable to
some extent. The crash itself is local, but malformed filenames can be
delivered by e-mail, DCC, ... so that these modules crash on someone else's
machine. After the modules crash, recovery is one click away, so there is
no need to reboot.

II. DETAILED PROBLEM DESCRIPTION

Microsoft Windows seems to crash, due to an overflow, when trying to parse a
filename whose extension is longer than 129 characters. Doing so, a buffer
overflow occurs, with the following information:

EXPLORER caused an invalid page fault in
module SHDOC401.DLL/SHELL32.DLL at 0000:61616161.
Registers:
EAX=61616161 CS=0187 EIP=61616161 EFLGS=00010246
EBX=80070032 SS=018f ESP=01a1d8fc EBP=61616161
ECX=c16b6f10 DS=018f ESI=01d0bd3c FS=5047
EDX=81724974 ES=018f EDI=7fcbd320 GS=0000
Bytes at CS:EIP:

Stack dump:
61616161 61616161 61616161 61616161 61616161 61616161 61616161 61616161
61616161 61616161 61616161 61616161 61616161 61616161 61616161 61616161

As you can see, EIP was overwritten during this overflow, which means that
code contained in the filename can be executed. The crash occurs when the
file is selected or when one tries to view it. Both SHELL32.DLL and
SHDOC401.DLL crash when parsing long extensions.

III. REPRODUCTION OF THE PROBLEM

Trying to create such a "malformed extension filename" from within Windows
will fail, because of the editing limits Windows places on the filename as a
whole. MS-DOS doesn't have these limitations, so such a file can easily be
created there. The file needs an extension of more than 129 characters;
otherwise the crash won't occur. For your convenience, you can create a
batch file (.BAT) like we did.

---- cut here ----
@Echo CRASHES SHDOC401.DLL USING A BUFFER OVERFLOW >129
CALL dir *.* > _.aaaaa-130-Characters-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
@Echo CRASHES AN [UNKNOWN MODULE] USING AN EXTENSION >135
CALL dir *.* > _.aaaaa-135-Characters-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbbb
@Echo CRASHES SHELL32.DLL USING A CHR(255) EXTENSION = 135
CALL dir *.* > _.aaaaa-135-Characters-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbbb
---- cut here ----

CRASH TAXONOMY

# Chars       | Special ASCII | Crashed Module
--------------+---------------+---------------
130 - 135     | No            | SHDOC401.DLL
135 - 140     | Yes, 255      | SHELL32.DLL
136 - ...     | No            | Unknown
--------------+---------------+---------------

SIDENOTE:
(1) When a chr(255) code is inserted in the extension, Windows doesn't seem
    to be able to delete that particular file.
(2) When the extension has more than 135 characters, another module will
    crash. With more than 129 characters, SHDOC401.DLL will crash.
(3) chr(255) & 135 - 140 characters = SHELL32.DLL crash

IV. IMPACT

This type of attack will allow any local or remote user with (write) file
creation access to run hostile code on the computer. No exploit code has
been written yet, but since the overflow overwrites the stack at the right
places, it should be possible to write a small exploit.

If you add higher ASCII characters (we experimented with 255), you can cause
the file to be recognized as write-only in Windows (not in DOS). Doing so,
you will not be able to remove it unless you write directly to the FAT. This
could create the potential for viruses to stay on disks.

This is primarily a local problem. Nevertheless, if one manages to place a
filename on a remote system and make sure the administrator or user
highlights the uploaded filename, it is possible to crash the modules. Using
this approach, e-mail clients, FTP daemons, ... may be used for injecting the
malformed filename.

Using Eudora Pro, we were able to crash it by sending the user an attachment
(using the malformed filename). When this user wants to save the attachment,
his/her Eudora will crash (EUDORA.EXE).

SIDENOTE: every time you try to access the directory where the e-mail
attachment should have been saved, your program will crash, even if this
program is not using Explorer for its file management. In this case you
don't even have to click on the file or hover over it and wait; it will crash
immediately, rendering the entire directory useless. To some extent this
could mean great harm to one's directory.

** Windows Commander (WINCMD32.EXE) seems to crash as well when trying to
   access such a directory.
** Letting ScanDisk do its job over the hard drives didn't show any
   problems.

Other ways of injecting a malformed filename are FTP daemons, web pages,
DCC sends on IRC, ...

We can use 247 + 129 + 118 bytes to store data for some shell code.

V. SOLUTION

Microsoft hasn't released a patch yet.

VI. CREDITS

-*- Initial bug report: |ncubus
-*- Overflow detection, usage concepts and quickly written advisory: Zoa_Chien
-*- Exploit shell-code: you?
-*- Thanks to Lamagra (b0f) for testing this on NT.
-*- Final advisory, testing ('98SE/Win2k): vorlon

NOTE: This bug was found by "Incubus" and Zoa Chien while writing a paper on
Microsoft Windows vulnerabilities.
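As an added defensive example, not part of the original Securax advisory, the following Python applies the thresholds from the crash taxonomy and the sidenotes above as a filter on incoming filenames, the way a mail gateway or upload handler could screen attachment names before a Windows shell ever parses them. The length thresholds (129, 135, 136-140) and the chr(255) case come from the advisory; the function names and the sample attachment names are constructed for this example.

```python
# Added example for this advisory (not part of the original Securax text):
# a defensive filter that maps a filename to the crash the advisory reports
# for its extension, so a gateway can quarantine the name before a Windows
# shell parses it.  Thresholds come from the advisory; names are constructed.

SAFE_MAX_EXT_LEN = 129            # > 129 chars in the extension crashed SHDOC401.DLL
SHELL32_RANGE = range(135, 141)   # 135-140 chars together with chr(255): SHELL32.DLL
UNKNOWN_MIN_EXT_LEN = 136         # > 135 chars crashed an unidentified module
CHR255 = "\xff"                   # the "higher ASCII" byte the advisory experimented with


def extension_of(filename):
    """Return the text after the last '.' of the last path component ('' if none)."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    _head, sep, ext = base.rpartition(".")
    return ext if sep else ""


def classify(filename):
    """Name the module the advisory's taxonomy says this extension crashes, or 'ok'."""
    ext = extension_of(filename)
    n = len(ext)
    if CHR255 in ext and n in SHELL32_RANGE:
        return "SHELL32.DLL"          # taxonomy row: 135-140 chars, special ASCII 255
    if n >= UNKNOWN_MIN_EXT_LEN:
        return "unknown-module"       # taxonomy row: 136 and up, no special ASCII
    if n > SAFE_MAX_EXT_LEN:
        return "SHDOC401.DLL"         # taxonomy row: 130-135 chars
    return "ok"


def undeletable_risk(filename):
    """Sidenote (1): chr(255) in the extension made the file undeletable from Windows."""
    return CHR255 in extension_of(filename)


def should_quarantine(filename):
    """True when the name should not be handed to a Windows shell at all."""
    return classify(filename) != "ok" or undeletable_risk(filename)


def scan(filenames):
    """Return (name, verdict) for every name that should be held back."""
    findings = []
    for name in filenames:
        verdict = classify(name)
        if verdict == "ok" and undeletable_risk(name):
            verdict = "undeletable (chr255 in extension)"
        if verdict != "ok":
            findings.append((name, verdict))
    return findings


# Constructed attachment names for the demonstration (not from a real mailbox).
SAMPLE_NAMES = [
    "quarterly-report.doc",
    "archive.tar.gz",
    "x." + "a" * 129,               # exactly at the limit: still fine
    "x." + "a" * 130,               # SHDOC401.DLL
    "x." + "a" * 134 + CHR255,      # 135 chars including chr(255): SHELL32.DLL
    "x." + "a" * 136,               # unidentified module
    "notes.txt" + CHR255,           # short extension, but chr(255) -> undeletable
]

if __name__ == "__main__":
    for name, verdict in scan(SAMPLE_NAMES):
        shown = name if len(name) <= 40 else name[:40] + "..."
        print(f"{verdict:40s} {shown}")
```

chr(255) is modelled as the character "\xff"; names read from a FAT volume or from a MIME header should be decoded with latin-1 so that byte 255 maps onto it. The filter deliberately classifies by the advisory's own ranges rather than fixing one cut-off, so a reviewer can see which row of the taxonomy a held-back name matched; a production gateway would simply quarantine anything for which should_quarantine() is true.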