Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: con\con is a old thing (anyway is cool)
From: swhite () OX COMPSOC NET (Stephen White)
Date: Wed, 8 Mar 2000 15:01:53 +0000


On Mon, Mar, 2000, Ussr Labs wrote:
for: windoze 98 maybe 95 too...
not for NT4 or win2K

When we looked at the new exploit for ie that uses the image
c:/con/con
(http://www.zoomnet.net/~quick/error/crash.html)

This can also be exploited to crash remote servers
Look what we tryed on this servU-FTP v 2.4a
(works on any windoze 98 FTP even with anonyous or guest account)

Just to reinforce what is being said this is the fault of a some API
call in Windows 95 and 98 (Not NT), and so affects many different
programs.  The severity seems to vary from a recoverable BSOD to a
complete lockup.

This can be exploited by simply attempting to open a file or directory
called "con\con" (or "nul\nul") and there are many ways to achieve this:

Locally just type "dir con\con" into a MS-DOS Prompt Window, or opening
a webpage with the <IMG SRC="c:\con\con"> tag in I.E. (presumably other
browsers too).

Remotely:

Gene6 - G6 FTP Server v2.0 - login and type 'ls con/con' .. I'm sure
most Windows FTPds and possibly HTTPds can be exploited in the same way
(Sambar HTTP Server 4.3 seems safe though).

If the machine has a directory shared with the standard SMB File &
Printer Sharing (even read only shares) it can also be hit:

[stephen () eddie stephen]$ smbclient //eddie95/TEST -I 172.16.61.2
Added interface ip=172.16.61.1 bcast=172.16.61.255 nmask=255.255.255.0
Password:
smb: \> ls con\con

Sure enough Eddie95 BSODs.  It is running Windows 95 OSR 2.

--
Stephen White <swhite () ox compsoc net>



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]