COMMAND
device\device
SYSTEMS AFFECTED
Win9x
PROBLEM
New exploit found by the securax crew on 3/3/error. They found
that any program on Windows 98 will crash if you try to open a
file whose path has the form device\device. E.g. try Start -->
Run --> c:/con/con, or open the non-existent document c:/con/con
in Word: both attempts result in a Blue Screen of Death and a
lockup.
This can also be exploited to crash remote servers. The test was
done against Serv-U FTP v2.4a (it works against any FTP daemon on
Windows 98, even with an anonymous or guest account). The session
looked like this:
230 user logged in, proceed
SYST
215 UNIX TYPE:L8
connect ok!
PWD
257 "c:/home" is current directory.
retrieving directory
TYPE A
200 Type set to A.
PORT xx.xx.xx.xx :-)
200 PORT Command successful
LIST
150 Opening ASCII mode data connect
Download: 86 bytes
waiting for the server
226 transfer complete
CDUP
250 directory changed to /c:/
PWD
250 "/c:/" is current directory
CWD /con/con --> this does the trick
...
No more response: the server has crashed. This is probably just the
beginning of a new series of exploits for Windows. This little
flaw could easily be used in a macro virus, or even be placed in
the registry as the open command for executables:
HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open c:\con\con "%1" %*
USSRback found the same thing some time ago, but it seems to be an
issue again.
Zoa Chien completed the story with the following. Local and remote
users can crash Windows '95/'98 systems using specially crafted
path strings that refer to device drivers. Upon parsing such a
path the Windows OS crashes, leaving no other option than to
reboot the machine; all other running applications on the machine
stop responding. Local use: with any application that allows
saving or opening a file. Remote use: with any HTTPd/FTPd/e-mail/
Usenet server (and possibly Napster/Samba/ICQ/...). This bug could
also be used in macro viruses.
NOTE: This is not a bug in Internet Explorer, FTP daemons or other
server software running on Win95/98. It is a bug in the Windows
kernel, more specifically in the handling of the device drivers
specified in IO.SYS, which causes this kernel meltdown.
When Windows parses a path crafted like "c:\[device]\[device]" it
halts and crashes the entire operating system. Five device names
have been found to crash the system: CON, NUL, AUX, CLOCK$ and
CONFIG$. Other devices such as LPT[x]:, COM[x]: and PRN have not
been found to crash the system. Combinations such as CON\NUL,
NUL\CON, AUX\NUL, ... crash Windows as well. Calling a path such
as "C:\CON\[filename]" does not result in a crash but in an error
message. Creating a folder named "CON", "CLOCK$", "AUX", "NUL" or
"CONFIG$" also results only in a simple error message saying that
creating that folder isn't allowed.
Device drivers? These are specified in IO.SYS and date back to the
early MS-DOS days. Here is a brief list of what we have found:
CLOCK$ - System clock
CON - Console; combination of keyboard and screen to handle
input and output
AUX or COM1 - First serial communication port
COMn - Second, third, ... serial communication port
LPT1 or PRN - First parallel port
NUL - Dummy port, or the "null device", which we all know
under UNIX as /dev/null
CONFIG$ - Unknown
Any call made to a path consisting of "NUL" and "CON" seems to
crash routines of the FAT32/VFAT driver, eventually trashing the
kernel. Therefore it is possible to crash -any- other local and/or
remote application, as long as it passes the path string on to the
FAT32/VFAT routines in the kernel. Mind you, we are -not- sure this
is the real reason, but there is strong evidence to assume it is.
So, to put it in layman's terms: the Windows 98 kernel goes berserk
when processing paths made up of "old" (read: MS-DOS) device
driver names.
How to reproduce the problem:
(1) When an HTML page or message contains images whose path refers
to [drive]:\con\con or [drive]:\nul\nul, viewing that HTML crashes
the Windows '98 operating system. This has been tested on
Microsoft Outlook and Eudora Pro 4.2. Netscape Messenger does
not seem to crash.
<HTML>
<BODY>
<A HREF="c:\con\con">crashing IE</A>
<!-- or nul\nul, clock$\clock$ -->
<!-- or aux\aux, config$\config$ -->
</BODY>
</HTML>
(2) Sending GET /con/con or GET /nul/nul to WarFTPd, in any
directory, also crashes the operating system. Other FTP daemons
have not been tested. So it is possible to remotely crash
Windows '98 systems; we expect that virtually every FTPd running
on Windows '95/'98(SE) can be crashed.
(3) Setting HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open
to the value
c:\con\con "%1" %* or c:\nul\nul "%1" %*
will also crash the system. Think of what macro viruses can do
to your system now.
(4) It is possible to crash any Windows '95/'98(SE) machine running
web server software such as the FrontPage web server by feeding
it a URL such as
http://www.a_win98_site.be/nul/nul
(5) Creating an HTML page with IMG or HREF tags referring to the
local "nul" path or the "con" path:
<HTML>
<BODY>
<IMG SRC="c:\con\con">
<!-- or nul\nul, clock$\clock$ -->
<!-- or aux\aux, config$\config$ -->
</BODY>
</HTML>
There are many more ways of crashing Windows, but the essential
part seems to be calling a path whose directory and file name both
refer to a device name (NUL, CON, AUX, CLOCK$ or CONFIG$), with the
objective of getting data onto the screen via that path. As you
can see, the system can be crashed remotely or locally.
Netscape does not crash at first, because it rewrites the path
into file:///D|/c:\nul\nul. Entering c:\nul\nul in the URL bar
without the file:///D|/ prefix -does- crash Netscape and the
operating system.
This can be exploited by simply attempting to open a file or
directory called "con\con" (or "nul\nul"), and there are many ways
to achieve that. Locally, type "dir con\con" into an MS-DOS
prompt, or open a web page containing the <IMG SRC="c:\con\con">
tag in IE (presumably other browsers too). Remotely: on Gene6 G6
FTP Server v2.0, log in and type 'ls con/con'. Most Windows FTPds
and possibly HTTPds can be exploited the same way (Sambar HTTP
Server 4.3 seems safe though).
If the machine has a directory shared with standard SMB File &
Printer Sharing (even a read-only share) it can also be hit:
[stephen@eddie stephen]$ smbclient //eddie95/TEST -I 172.16.61.2
Added interface ip=172.16.61.1 bcast=172.16.61.255 nmask=255.255.255.0
Password:
smb: \> ls con\con
This type of attack renders all applications useless, leaving the
system administrator no other option than to reboot the system.
Given the wide range of ways to crash the Windows operating system
like this, it is a severe bug. Windows NT systems, however, do not
seem to be vulnerable.
Any permutation of certain DOS device names as a filename of the
form "device\device" will crash Windows 95/98 when opened. Devices
that seem to trigger the bug include "con", "aux", "nul" and
"clock$". So not only does "con\con" trigger it, but so do
"aux\clock$", "clock$\con", etc.
Possible exploit vectors:
* HTML formatted web pages, e-mail and Usenet messages. E.g.
<img SRC="file://c:/con/con">
Tested under Netscape 4.6 on Windows 98 Second Edition. E-mail
clients that render HTML messages include Outlook and Netscape
Messenger.
* Forums that allow people to submit URLs to be displayed to
others. E.g. web message boards.
* Web servers. E.g. Personal Web Server using the URL
http://host/../con/con
* File sharing / SMB.
Tested with Samba. Connect to the Windows share and "cd
/con/con". It was pointed out that Windows 95/98 users who
share printers also have a passwordless share called PRINTER$,
which leaves them open to attacks via this problem. E.g.
D:\>net use * \\192.168.0.6\PRINTER$
Drive G: is now connected to \\192.168.0.6\PRINTER$.
The command completed successfully.
D:\>G:
G:\>
G:\>cd \CLOCK$\CLOCK$
The specified network name is no longer available.
* FTP Servers.
Tested and found vulnerable with WarFTPD 1.70B and G6 FTP 2.0b6.
Log in to the FTP server (as any user, even anonymous) and send
the command "GET /con/con".
* Mail servers that store attachments as separate files while
using the filename provided in the message. E.g. The Bat.
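Every vector above (the HTML link, the FTP CWD/GET argument, the web server URL, the SMB path, the attachment filename) reduces to a server or client passing an attacker-chosen path to the file system. The following is an added example, not code from the advisory or from any product it names: a Python check that a file-serving program can run on user-supplied paths before touching the file system, plus a scanner for the device\device pattern over request logs. It assumes the full set of names Windows reserves as devices (broader than the five names the advisory saw crash, and labelled as such in the code); the log lines and the request-verb regex are constructed for the example.

```python
"""Reserved DOS device names in user-supplied paths: a server-side check and
a request-log scanner.

Added example, not code from the advisory or from any product it names.
Assumptions: the reserved-name list is the full set Windows treats as
devices (broader than the five names the advisory saw crash); the log
lines and the verb regex are constructed for this example."""
from __future__ import annotations

import re
from urllib.parse import unquote

# Names the advisory observed crashing Windows 95/98 in device\device form.
CRASH_NAMES = {"CON", "NUL", "AUX", "CLOCK$", "CONFIG$"}

# Full reserved set a filter should reject (assumption: broader than tested).
RESERVED_NAMES = (
    CRASH_NAMES | {"PRN"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)

_SCHEME_HOST = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://[^/\\]*")
_DRIVE_SPEC = re.compile(r"^[A-Za-z][:|]$")   # "c:" or Netscape's "D|"


def path_components(raw: str) -> list[str]:
    """Split a path the way an attacker may present it: URL-encoded, with
    forward or back slashes, behind a drive letter, or inside a file:// or
    http:// URL. "." and ".." are dropped, as a server would resolve them."""
    p = _SCHEME_HOST.sub("", unquote(raw)).replace("\\", "/")
    return [c for c in p.split("/")
            if c and c not in (".", "..") and not _DRIVE_SPEC.match(c)]


def reserved_name(component: str) -> str | None:
    """Canonical device name if the component names a device, else None.
    Windows ignores a trailing ':' or an extension ("AUX:", "con.txt")."""
    base = re.split(r"[.:]", component, maxsplit=1)[0].strip().upper()
    return base if base in RESERVED_NAMES else None


def device_pair(raw: str) -> tuple[str, str] | None:
    """First adjacent device\\device pair of the crashing kind, or None.
    "C:\\CON\\readme.txt" gives None, matching the advisory's observation
    that only the double-device form crashes."""
    names = [reserved_name(c) for c in path_components(raw)]
    for a, b in zip(names, names[1:]):
        if a in CRASH_NAMES and b in CRASH_NAMES:
            return (a, b)
    return None


def is_safe_path(raw: str) -> bool:
    """Filter for FTP CWD/RETR arguments, URL paths, SMB paths and attachment
    filenames: reject any component that names a device."""
    return all(reserved_name(c) is None for c in path_components(raw))


# Constructed sample lines in the shape of an FTP daemon log and a web
# server access log (not taken from any real product).
SAMPLE_LOG = """\
10.0.0.5 anonymous CWD /home/pub
10.0.0.5 anonymous CWD /con/con
10.0.0.9 - GET /index.html HTTP/1.0 200
10.0.0.9 - GET /../con/con HTTP/1.0 500
10.0.0.9 - GET /images/nul%5Cnul HTTP/1.0 500
10.0.0.9 - GET /docs/aux.txt HTTP/1.0 200
10.0.0.9 - GET /com1/com1 HTTP/1.0 404
"""

_LOG_PATH = re.compile(r"\b(?:CWD|LIST|RETR|STOR|GET|HEAD|PUT)\s+(\S+)")


def scan_log(text: str) -> list[tuple[int, str, str]]:
    """Return (line number, path, finding) for every request whose path
    contains a device name; device\\device pairs are flagged separately."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = _LOG_PATH.search(line)
        if not m:
            continue
        path = m.group(1)
        pair = device_pair(path)
        if pair:
            hits.append((n, path, "device pair %s\\%s" % pair))
        elif not is_safe_path(path):
            hits.append((n, path, "reserved device name"))
    return hits


if __name__ == "__main__":
    for n, path, why in scan_log(SAMPLE_LOG):
        print(f"line {n}: {path} -> {why}")
```

The two functions answer different questions: device_pair reports only the double-device form the advisory says crashes Win9x (so /com1/com1 or C:\CON\readme.txt is not a "pair"), while is_safe_path is the filter a server should actually apply, rejecting any component that names a device regardless of position, encoding or separator. A path containing a device name has no legitimate use on a file server, so rejecting it costs nothing.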
SOLUTION
MS Windows NT 4.0 and 2000 are not affected either. Windows '98
users are advised either to upgrade to the systems specified
above, or not to follow HTML links that refer to the device
drivers specified above. Microsoft has been notified. At the time
of the original report no official patch had been announced; see
the patch availability below.
A simple byte hack can prevent this, as long as you do not use
older MS-DOS programs that make legitimate use of the device
drivers: replace all "NUL", "AUX", "CON", "CLOCK$" and "CONFIG$"
device driver strings with random values or hex null bytes. Mind
you, after hex-editing these values your system may become
unstable.
Patch availability:
- Windows 95: http://www.microsoft.com/downloads/release.asp?releaseID=19491
- Windows 98 and Windows 98 Second Edition: http://www.microsoft.com/downloads/release.asp?ReleaseID=19389