SCX-SA-01.txt

2000-03-06T00:00:00
ID PACKETSTORM:10178
Type packetstorm
Reporter Packet Storm
Modified 2000-03-06T00:00:00

Description

                                        
=====================================================================
Securax-SA-01 Security Advisory  
belgian.networking.security Dutch  
=====================================================================  
Topic: Ms Windows '95/'98/SE will crash upon parsing specially
crafted path-strings referring to device drivers.
  
Announced: 2000-03-04  
Updated: 2000-03-05  
Affects: Ms Windows'95, Ms Windows '98, Ms Windows '98 SE  
Not affected: Ms Windows NT Server/Workstation 4.0 (sp5/6)
Obsoletes: crash-ie.txt, win98-con.txt  
=====================================================================  
  
  
THE ENTIRE ADVISORY HAS BEEN BASED UPON TRIAL AND ERROR
RESULTS. THEREFORE WE CANNOT ASSURE YOU THE INFORMATION BELOW IS
100% CORRECT. THIS DOCUMENT IS SUBJECT TO CHANGE WITHOUT PRIOR
NOTICE.

IF YOU HAPPEN TO FIND MORE INFORMATION CONCERNING
THE BUG DISCUSSED IN THIS ADVISORY, PLEASE SHARE IT ON BUGTRAQ.
THANK YOU.
  
  
  
  
I. Background  
  
Local and remote users can crash Windows '98 systems using specially
crafted path-strings that refer to device drivers in use.
Upon parsing such a path the Ms Windows OS crashes, leaving no
other option but to reboot the machine. All other running
applications on the machine stop responding as well.
  
NOTE: This is not a bug in Internet Explorer, FTPd or other
webserver software running on Win95/98. It is a bug in the Ms
Windows kernel, more specifically in the handling of the device
drivers specified in IO.SYS, that causes this kernel meltdown.
  
  
  
II. Problem Description  
  
When the Microsoft Windows operating system parses a path crafted
like "c:\[device]\[device]", it halts and crashes the entire
operating system.
  
The device names CON, NUL, AUX, CLOCK$ and CONFIG$ have been found
to crash the system. Other devices such as LPT[x]:, COM[x]: and PRN
have not been found to crash the system.
  
Combinations such as CON\NUL, NUL\CON, AUX\NUL, ... seem to
crash Ms Windows as well.
  
Calling a path such as "C:\CON\[filename]" does not result in a crash
but in an error message. Creating a directory named "CON", "CLOCK$",
"AUX", "NUL" or "CONFIG$" also results in a simple error message
saying that creating that directory isn't allowed.
  
  
DEVICE DRIVERS  
--------------  
These are specified in IO.SYS and date back to the early Ms Dos
days. Here is a brief list of what I have found:

CLOCK$      - System clock
CON         - Console; combination of keyboard and screen to
              handle input and output
AUX or COM1 - First serial communication port
COMn        - Second, third, ... serial communication port
LPT1 or PRN - First parallel port
NUL         - Dummy port, or the "null device", which we all
              know under Linux as /dev/null
CONFIG$     - Unknown
  
  
  
Any call made to a path consisting of "NUL" and "CON" seems to
crash the FAT32/VFAT routines, eventually trashing the
kernel.
  
Therefore, it is possible to crash -any- other local and/or
remote application as long as it passes the path-strings on to
the FAT32/VFAT routines in the kernel. Mind you, we are -not-
sure this is the real reason; however, there is strong evidence
that this is the case.
  
So... To put it in layman's terms... It seems that the Windows98
kernel goes berserk upon processing paths that are made up
of "old" (read: Ms Dos) device driver names.
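The check a defender would put in front of an HTTP or FTP service hosted on Win95/98, as an added example (not code from the advisory): it refuses any request path whose components name one of the reserved device drivers listed above, after undoing %-encoding, so the con\con, nul\nul and mixed variants never reach the kernel's path parsing. It goes one step beyond the advisory by also stripping a trailing colon and an extension ("CON:", "con.txt"), which standard DOS name resolution still treats as the device; that rule is an assumption here, not something the advisory states.

```python
import re
from urllib.parse import unquote

# Reserved MS-DOS device names from the advisory's IO.SYS list. The advisory
# saw crashes only with CON, NUL, AUX, CLOCK$ and CONFIG$; PRN, COMn and LPTn
# are rejected too because they are reserved names (conservative choice).
_FIXED_DEVICES = {"CON", "NUL", "AUX", "PRN", "CLOCK$", "CONFIG$"}
_NUMBERED_DEVICE = re.compile(r"^(COM|LPT)[1-9]$")


def is_reserved_device(component: str) -> bool:
    """True if one path component names a reserved DOS device.

    Assumption (standard DOS behaviour, not stated in the advisory): a
    trailing colon ("CON:") or an extension ("con.txt") still addresses the
    device, so both are stripped before the comparison.
    """
    name = component.rstrip(":").split(".")[0].upper()
    return name in _FIXED_DEVICES or bool(_NUMBERED_DEVICE.match(name))


def reject_device_path(raw_path: str) -> bool:
    """True if a request path must be refused before reaching the filesystem."""
    decoded = raw_path
    for _ in range(3):  # undo a few layers of %-encoding (%6eul, %256eul, ...)
        once = unquote(decoded)
        if once == decoded:
            break
        decoded = once
    # HTTP/FTP paths use '/', the HTML and local variants use '\'; split on both.
    components = [c for c in re.split(r"[\\/]", decoded) if c]
    return any(is_reserved_device(c) for c in components)


# Constructed request lines (not from a real log) exercising the filter.
SAMPLE_REQUESTS = [
    "GET /index.html",
    "GET /con/con",
    "GET /%6eul/nul",       # 'n' percent-encoded
    "GET /pub/readme.txt",
    "GET /docs/aux.htm",    # extension does not hide the device name
    "GET /com1/lpt2:",
]


def flag_requests(requests):
    """Return the request lines whose path component(s) name a device."""
    return [line for line in requests
            if reject_device_path(line.partition(" ")[2])]
```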
  
  
  
III. Reproduction of the problem  
  
(1) Receiving HTML mail containing an image path that refers to
[drive]:\con\con or [drive]:\nul\nul crashes the Ms Windows '98
operating system when the HTML is viewed. This has been tested
with Microsoft Outlook and Eudora Pro 4.2. Netscape Messenger
seems not to crash.
  
<HTML>  
<BODY>  
<A HREF="c:\con\con">crashing IE</A>  
<!-- or nul\nul, clock$\clock$ -->  
<!-- or aux\aux, config$\config$ -->  
</BODY>  
</HTML>  
  
(2) Issuing GET /con/con or GET /nul/nul against WarFTPd in any
directory also crashes the operating system. Other FTP daemons
have not been tested. So it is possible to remotely crash
Ms Windows '98 operating systems, and we expect that virtually
every FTPd running on Windows '95/'98(SE) can be crashed.
  
(3) Setting HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open
to the value c:\con\con "%1" %* or c:\nul\nul "%1" %*
will also crash the system. Think of what macro viruses can do
to your system now.
  
(4) It is possible to crash any Windows '95/'98(SE) machine
running webserver software such as Frontpage Webserver, ... You can
crash the machine by feeding it a URL such as
  
http://www.a_win98_site.be/nul/nul  
  
(5) Creating an HTML page with IMG tags or HREF tags referring to
the local "nul" path or the "con" path.
  
<HTML>  
<BODY>  
<IMG SRC="c:\con\con">  
<!-- or nul\nul, clock$\clock$ -->  
<!-- or aux\aux, config$\config$ -->  
</BODY>  
</HTML>  
  
  
  
There are many more ways to crash the Ms Windows operating
system, but the essential part seems to be calling a path whose
directory and file components both refer to a device name (NUL,
CON, AUX, CLOCK$ or CONFIG$) with the objective of getting data on
the screen via this path. As you may notice, crashing the system
can be done remotely or locally.
  
  
NETSCAPE - Netscape doesn't crash at first, because the string used
to call the path is rewritten to file:///D|/c:\nul\nul. Upon entering
c:\nul\nul in the URL without file:///D|/ you -do- crash Netscape
and the operating system.
  
  
  
III. Impact  
  
This type of attack renders all applications useless, thus
leaving the system administrator no other option than rebooting the
system. Due to the wide range of ways to crash the Ms Windows
operating system, this is a severe bug. However, Windows NT
systems don't seem to be vulnerable.
  
  
  
IV. Solution  
  
Ms Windows NT 4.0 and 2000 are not affected either. We advise
Windows'98 users either to upgrade to the systems specified
above, or not to follow HTML links that refer to the device
drivers listed above. Microsoft has been notified. No
official patch has been announced (2000-03-05).
  
WORKAROUND: A simple byte hack could prevent this from happening,
as long as you don't use older Ms Dos programs that make legitimate
use of the device drivers: replace all "NUL", "AUX", "CON",
"CLOCK$" and "CONFIG$" device driver strings in IO.SYS with random
values or hex null bytes. Mind you, upon hex-editing these values
you must be aware that your system may become unstable. We have
created a patch that alters the strings; after the patch we were
no longer able to type any commands at the Ms-Dos prompt. The
problem, however, was resolved. Because of this side-effect, we
are -not- releasing the patch. It's up to you to decide whether
you want to change the bytes or not (even with Ms Edit in binary
mode you can quickly patch your IO.SYS).
  
  
  
V. Credits  
  
Initial "con" bug found in Internet Explorer by Suigien -*- Remote   
Crashing using FTPd, HTTPd, EMail, Usenet by Zoa_Chien Path0s,   
Necrite, Elias and ToSH -*- Byte hack IO.SYS workaround by Zoa_Chien  
-*- Advisory, IO.SYS exe/testing and aux/nul/clock$/config$   
detection by vorlon.  
  
  
  
  
  
=====================================================================  
For more information info@securax.org  
Website http://www.securax.org  
Advisories/Text http://www.securax.org/pers  
---------------------------------------------------------------------  