
Bugtraq mailing list archives

Re: con\con is a old thing (anyway is cool)
From: swhite () OX COMPSOC NET (Stephen White)
Date: Wed, 8 Mar 2000 15:01:53 +0000

On Mon, Mar, 2000, Ussr Labs wrote:
> for: windoze 98 maybe 95 too...
> not for NT4 or win2K
>
> When we looked at the new exploit for ie that uses the image
>
> This can also be exploited to crash remote servers
> Look what we tried on this servU-FTP v 2.4a
> (works on any windoze 98 FTP even with anonymous or guest account)

Just to reinforce what is being said, this is the fault of some API
call in Windows 95 and 98 (not NT), and so affects many different
programs.  The severity seems to vary from a recoverable BSOD to a
complete lockup.

This can be exploited by simply attempting to open a file or directory
called "con\con" (or "nul\nul") and there are many ways to achieve this:

Locally, just type "dir con\con" into an MS-DOS Prompt window, or open
a webpage with the <IMG SRC="c:\con\con"> tag in I.E. (presumably other
browsers too).


Gene6 - G6 FTP Server v2.0 - login and type 'ls con/con' .. I'm sure
most Windows FTPds and possibly HTTPds can be exploited in the same way
(Sambar HTTP Server 4.3 seems safe though).

If the machine has a directory shared with the standard SMB File &
Printer Sharing (even read only shares) it can also be hit:

[stephen () eddie stephen]$ smbclient //eddie95/TEST -I
Added interface ip= bcast= nmask=
smb: \> ls con\con

Sure enough Eddie95 BSODs.  It is running Windows 95 OSR 2.

Stephen White <swhite () ox compsoc net>
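The post's point is that any Windows 95/98 program which hands a client-supplied path to the file API is exposed, so the defensive fix belongs at the input boundary: refuse path components that resolve to a DOS device name before they reach the filesystem. The following is an added example, not code from the original message or from any of the servers it names. It checks every component of a path (accepting both `/` and `\` separators, since the post shows both forms working), treats CON and NUL together with the other reserved names of the same class, and runs the same check over a constructed FTP command log whose format (date, time, client IP, command, argument) is an assumption for the example.

```python
import re

# Device names that the Win32 namespace reserves in every directory; the post
# names CON and NUL, the others are the same class of name.
RESERVED_DEVICES = (
    {"con", "prn", "aux", "nul"}
    | {f"com{n}" for n in range(1, 10)}
    | {f"lpt{n}" for n in range(1, 10)}
)


def is_reserved_component(component: str) -> bool:
    """True if one path component would resolve to a DOS device name.

    Windows matches case-insensitively, ignores an extension ("con.txt" is
    still CON) and strips trailing spaces and dots before the comparison.
    """
    base = component.rstrip(" .").split(".", 1)[0].rstrip(" ").lower()
    return base in RESERVED_DEVICES


def path_has_reserved_device(path: str) -> bool:
    """Check every component, accepting both '/' and '\\' as separators,
    so "con\\con", "con/con" and "c:\\con\\con" are all caught."""
    return any(is_reserved_component(c) for c in re.split(r"[\\/]+", path) if c)


def validate_client_path(path: str) -> str:
    """Server-side guard: reject the path before it is handed to any file
    API.  Returns the path unchanged when it is acceptable."""
    if path_has_reserved_device(path):
        raise ValueError(f"path refers to a reserved device name: {path!r}")
    return path


# Constructed FTP command log for the example, not from any real server.
# Assumed format: date time client-ip COMMAND [argument]
SAMPLE_LOG = """\
2000-03-08 15:01:53 10.0.0.5 USER anonymous
2000-03-08 15:01:55 10.0.0.5 LIST con\\con
2000-03-08 15:02:01 10.0.0.5 RETR pub/readme.txt
2000-03-08 15:02:10 10.0.0.6 CWD nul/nul
2000-03-08 15:02:12 10.0.0.6 RETR pub/con.txt
2000-03-08 15:02:20 10.0.0.7 RETR pub/console.log
"""

LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)(?: (.*))?$")


def flag_reserved_paths(log_text: str) -> list:
    """Return (client_ip, command, argument) for every logged command whose
    argument names a reserved device, for log review or a detection rule."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        _date, _time, ip, cmd, arg = m.groups()
        if arg and path_has_reserved_device(arg):
            hits.append((ip, cmd, arg))
    return hits


if __name__ == "__main__":
    for hit in flag_reserved_paths(SAMPLE_LOG):
        print("flagged:", hit)
```

Checking the base name rather than the whole component matters: "con.txt" and "CON" both open the console device on these systems, while "console.log" and "config.sys" are ordinary names and must not be rejected.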

