win98explorer.txt

1999-08-17T00:00:00
ID PACKETSTORM:12286
Type packetstorm
Reporter Packet Storm
Modified 1999-08-17T00:00:00

Description

                                        
Date: Mon, 9 Feb 1998 17:49:45 -0800  
From: Scott <smc@visuallink.com>  
To: BUGTRAQ@netspace.org  
Subject: Another Windows98 Bug...  
  
  
I'm not sure about the details of this problem, but when testing another buffer overflow, I  
created a long filename called "testfile.txt "  
(note the chr(160)'s at the end). It is 235 characters in length. After creating it on my desktop,  
I right clicked on it; Explorer crashed, saying it caused an illegal operation. The only way I  
found to close this was by using command.com. I sent this to a friend and he got the same error.  
  
-Scott Campbell (smc@visuallink.com)  
  
-------------------------------------------------------------------------------------  
  
Date: Fri, 12 Feb 1999 17:37:57 -0800  
From: Scott <smc@visuallink.com>  
To: BUGTRAQ@netspace.org  
Subject: Another Windows98 Bug (Cont'd)  
  
  
The easiest way to get rid of one of these files with an 'extra long'  
filename, is to drag it to the recycle bin (that seemed to work fine for me)  
  
All I did to create the long filename is right click on the desktop  
filename, go to 'rename', and copy and paste chr(160) many times until  
nothing would paste anymore. (Note: this DOES work with other alpha-numeric  
characters.) This must just be bad error checking by Microsoft.  
  
I used Start->Find, and located the long file, I clicked once on it to  
select it, and Find crashed, but Explorer didn't seem to crash (or give me  
any errors)  
Also, I renamed an executable file to give it the same size long filename,  
leaving the last 3 characters as '.exe'. Explorer didn't crash when I  
clicked on it, the program ran fine, and the menu didn't come up when I right  
clicked on it.  
  
Shortcuts do not seem to be affected by it, but I did try another file type  
with an association (.jpg), and it ran the program associated with it, but  
wouldn't let me right click on it.  
-Scott  
  
-------------------------------------------------------------------------------------  
  
Date: Sat, 13 Feb 1999 03:13:18 +0000  
From: Nick Lamb <njl98r@ECS.SOTON.AC.UK>  
To: BUGTRAQ@netspace.org  
Subject: Re: Another Windows98 Bug...  
  
On Fri, 12 Feb 1999, Jensen Allan AJE wrote:  
  
> It seems to be an Explorer-only bug, as no other application I've tried went  
> down.  
  
Every application that uses the Win95-style common file dialog will crash  
if you try to right-click on the over-length filename.  
  
In addition, I tried the following apps and as well as confirming the  
right-click problem I attempted to open the file...  
  
Word 7.0 seemed to ignore my attempt to open the file  
PowerPoint 7.0 seemed to ignore my attempt to open the file  
Excel 7.0 crashed with a standard crash dialog  
Paint Shop Pro 4.12 exited immediately without any messages  
Photoshop 4.0 politely said "File Not Found"  
  
The lab test machine claims to be NT 4.00.1381, which may or may not be  
important for this bug nest.  
  
Nick.  
  
-------------------------------------------------------------------------------------  
  
Date: Sat, 13 Feb 1999 15:51:34 -0500  
From: Eric Stevens <ejsteven@CS.MILLERSV.EDU>  
To: BUGTRAQ@netspace.org  
Subject: Re: Another Windows98 Bug...  
  
I've researched this a bit.  
The real issue here seems to be that Windows (all versions including, but  
not limited to Win 95, 98, NT4.0 [sp3 & sp4]) apparently only accepts file  
names up to 218 characters in length. The maximum number of characters you  
can enter in the little rename file box is 214 bytes. Any file name greater  
than 218 bytes including extension and dot is truncated without attention  
paid to the extension in the truncation process. Example: aaaa.....aaa.txt  
of length 219 would become aaaa......aaa.tx. The Windows standard Save  
File dialog (Common Dialog control: comctl32.ocx) control allows the entry  
of filenames up to apparently 259 bytes, which will promptly be truncated to  
that 217 byte limit. This truncation is done by the comctl32.ocx control,  
not the program trying to save the file. The program happily accepts the  
filename truncated by comctl32.ocx. If this program attempts to append an  
extension on this filename, you may very well have a real issue.  
Character 160 has no bearing on this whatsoever.  
At 252 characters, applications receive errors when trying to save files  
(tested by an application I wrote myself for this purpose).  
code:  
1 For b = 1 To 300  
2 a = Left(Trim(Str(b + 4)) + String(b, "a"), b) + ".txt"  
3 Open "c:\test\" + a For Output As #1  
4 Close  
5 Next  
Line 2 declares the filename to be the value of b plus 4 (for the ".txt"  
on the end) plus the appropriate number of "a"'s on the end.  
This piece of code does not truncate the file name in any way, just returns  
a file not found error. All the files whose lengths are greater than 217  
crash on right click or pushing the delete button. The only way apparently  
to get rid of these guys very easily is to just drag them to the recycle  
bin.  
Since all the lengths I've reported above don't jive with each other, I  
suppose the moral of this story is "When deciding how large to make your  
buffer, tell everyone who's working on developing your OS so they all make  
it the same." If Microsoft had agreed amongst each other how long to make  
the file name, this wouldn't be an issue.  
  
-----Original Message-----  
From: Nick Lamb <njl98r@ECS.SOTON.AC.UK>  
To: BUGTRAQ@netspace.org <BUGTRAQ@netspace.org>  
Date: Saturday, February 13, 1999 3:04 PM  
Subject: Re: Another Windows98 Bug...  
  
  
>On Fri, 12 Feb 1999, Jensen Allan AJE wrote:  
>  
>> It seems to be an Explorer-only bug, as no other application I've tried went  
>> down.  
>  
>Every application that uses the Win95-style common file dialog will crash  
>if you try to right-click on the over-length filename.  
>  
>In addition, I tried the following apps and as well as confirming the  
>right-click problem I attempted to open the file...  
>  
>Word 7.0 seemed to ignore my attempt to open the file  
>PowerPoint 7.0 seemed to ignore my attempt to open the file  
>Excel 7.0 crashed with a standard crash dialog  
>Paint Shop Pro 4.12 exited immediately without any messages  
>Photoshop 4.0 politely said "File Not Found"  
>  
>The lab test machine claims to be NT 4.00.1381, which may or may not be  
>important for this bug nest.  
>  
>Nick.  
>  
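
-------------------------------------------------------------------------------------

The truncation Eric Stevens describes (a 219-byte name losing the last byte of its extension) next to a bounded, extension-preserving alternative, as an added example that is not part of the original thread. The 218-byte limit is the figure reported in his message, not a documented Windows constant, and the function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* 218 is the length reported in the thread (an assumption taken from the
   post, not a documented Windows constant). */
#define NAME_LIMIT 218

/* Behaviour the post describes: cut at the limit, ignoring the extension.
   Returns the new length, or -1 if dst is too small. */
int truncate_naive(const char *name, char *dst, size_t dstsz)
{
    size_t n = strlen(name);
    if (n > NAME_LIMIT) n = NAME_LIMIT;
    if (n + 1 > dstsz) return -1;
    memcpy(dst, name, n);
    dst[n] = '\0';
    return (int)n;
}

/* Hardened variant: shorten the stem, keep the extension, and return -1
   rather than emit an over-length or extension-less name. */
int fit_keep_ext(const char *name, char *dst, size_t dstsz)
{
    size_t n = strlen(name);
    const char *dot = strrchr(name, '.');
    size_t ext = (dot && dot != name) ? strlen(dot) : 0; /* includes the dot */
    size_t stem = n - ext;

    if (n > NAME_LIMIT) {
        if (ext + 1 > NAME_LIMIT) return -1; /* no room left for a stem */
        stem = NAME_LIMIT - ext;
    }
    if (stem + ext + 1 > dstsz) return -1;   /* bound checked before any copy */
    memcpy(dst, name, stem);
    memcpy(dst + stem, name + n - ext, ext);
    dst[stem + ext] = '\0';
    return (int)(stem + ext);
}

int main(void)
{
    char in[220], a[256], b[256];
    memset(in, 'a', 215);           /* constructed sample from the post: */
    memcpy(in + 215, ".txt", 5);    /* 215 'a' + ".txt" = 219 bytes      */
    if (truncate_naive(in, a, sizeof a) < 0 || fit_keep_ext(in, b, sizeof b) < 0) return 1;
    printf("naive: ...%s  hardened: ...%s\n", a + strlen(a) - 4, b + strlen(b) - 4);
    return 0;
}
```

Both functions check the destination size before copying, so a caller that later appends an extension to the result has to budget for it in `dstsz` rather than rely on the truncation having left room.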
  