Re: Buffer overflow in Explorer.exe

think about recycler folders

a readonly directory \recycler\S-xxxxxxxxxx is created for every user in the computer and a file called desktop.ini in that folder contains information about the icon..
every time the explorer.exe browse a directory search for desktop.ini placed in any subfolder and open and read that file. so, with this buffer overflow, if you place a file in c:\test_folder when you browse c:\ explorer.exe will crash and a few secs after will be executed again (explorer.exe will continue crashing every time an user browse that disk).

i didnt tested other keys.
winxp also includes a feature to browse .zip files as folders.... i didnt tested it but if an user download a .zip file with an special structure (+r folder with a desktop.ini inside) maybe when the user tryies to browse that zip file will crash explorer.exe too (this is only a supposition , test it please).

regards.

Andres Tarasco Acuña

From: Ryan Yagatich <ryany@pantek.com>
To: at4r@3wdesign.es
CC: vuln-dev@securityfocus.com
Subject: Re: Buffer overflow in Explorer.exe Date: Thu, 8 May 2003 18:28:21 -0400 (EDT)

Hi,

        I don't quite understand the purpose behind this code. It creates a read only file '/aT4r[at]3WDesign.es Security/desktop.ini' with the contents of

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

[.ShellClassInfo]
AAAAAAAAAAAA {x2301}

        And then terminates? I don't have a windows machine available to really explore this any, but what makes that entry in desktop.ini cause this? Furthermore, is this issue only for that particular key or is it generally just key/excessive parameter/missing value size that is affected? And additionally, you mention that explorer will no longer be able to operate when trying to browse the hard disk, but does this mean globally, or when they try to browse the c:/ drive, or just that particular folder?

        Please send me more information about this, (even if it references past posts that I have missed) so that I can better understand the severity of this. Espcially since to me, I still see it as someone needing to download and execute untrusted software which causes a system crash, and if that were going to happen there are far worse things that can be done besides creating a small text file.

Thanks,
Ryan Yagatich

,_____________________________________________________,
\ Ryan Yagatich                     support@pantek.com \
/ Pantek Incorporated                  (877) LINUX-FIX /
\ 
http://www.pantek.com/security        (440) 519-1802 \
/       Are your networks secure? Are you certain?     /

>This bug allow a malicious an attacker to execute data with privileges of
a
>user that is browsing the hard disk with explorer.
<snip>
>
> strcpy(path,"\\aT4r[at]3WDesign.es Security");

> bof=fopen(path,"w");
<snip>