=====================================================================
Securax-SA-01                                       Security Advisory
belgian.networking.security                                     Dutch
=====================================================================

Topic:          Ms Windows '95/'98/SE will crash upon parsing
                specially crafted path strings referring to device
                drivers.

Announced:      2000-03-04
Updated:        2000-03-05
Affects:        Ms Windows '95, Ms Windows '98, Ms Windows '98 SE
Not affected:   Ms Windows NT Server/Workstation 4.0 (sp5/6)
Obsoletes:      crash-ie.txt, win98-con.txt
=====================================================================

THE ENTIRE ADVISORY HAS BEEN BASED UPON TRIAL AND ERROR RESULTS.
THEREFORE WE CANNOT ASSURE YOU THE INFORMATION BELOW IS 100% CORRECT.
THIS DOCUMENT IS SUBJECT TO CHANGE WITHOUT PRIOR NOTICE. PLEASE, IF
YOU HAPPEN TO FIND MORE INFORMATION CONCERNING THE BUG DISCUSSED IN
THIS ADVISORY, PLEASE SHARE IT ON BUGTRAQ. THANK YOU.

I. Background

Local and remote users can crash Windows '98 systems using specially
crafted path strings that refer to device drivers. Upon parsing such a
path the Ms Windows OS will crash, leaving no other option but to
reboot the machine. All other applications running on the machine will
stop responding.

NOTE: This is not a bug in Internet Explorer, FTPd or other web server
software running on Win95/98. It is a bug in the Ms Windows kernel,
more specifically in the handling of the device drivers specified in
IO.SYS, that causes this kernel meltdown.

II. Problem Description

When the Microsoft Windows operating system parses a path crafted like
"c:\[device]\[device]" it will halt and crash the entire operating
system. The device names CON, NUL, AUX, CLOCK$ and CONFIG$ are known
to crash the system. Other devices such as LPT[x]:, COM[x]: and PRN
have not been found to crash the system. Combinations such as CON\NUL,
NUL\CON, AUX\NUL, ... seem to crash Ms Windows as well.
Calling a path such as "C:\CON\[filename]" won't result in a crash but
in an error message. Creating a folder named "CON", "CLOCK$", "AUX",
"NUL" or "CONFIG$" will also result in a simple error message saying
that creating that folder isn't allowed.

DEVICE DRIVERS
--------------

These are specified in IO.SYS and date back to the early Ms Dos days.
Here is a brief list of what I have found:

CLOCK$      - System clock
CON         - Console; combination of keyboard and screen to handle
              input and output
AUX or COM1 - First serial communication port
COMn        - Second, third, ... communication port
LPT1 or PRN - First parallel port
NUL         - Dummy port, or the "null device" which we all know under
              Linux as /dev/null
CONFIG$     - Unknown

Any call made to a path consisting of "NUL" and "CON" seems to crash
the FAT32/VFAT routines, eventually trashing the kernel. Therefore it
is possible to crash -any- other local and/or remote application, as
long as it passes the path string on to the FAT32/VFAT routines in the
kernel. Mind you, we are -not- sure this is the real reason; however,
there is strong evidence to assume this is the case.

So... to put it in layman's terms: the Windows 98 kernel seems to go
berserk upon processing paths that are made up of "old" (read: Ms Dos)
device driver names.

III. Reproduction of the problem

(1) Receiving images in HTML with a path referring to [drive]:\con\con
    or [drive]:\nul\nul. This will crash the Ms Windows '98 operating
    system when the HTML is viewed. This has been tested on Microsoft
    Outlook and Eudora Pro 4.2. Netscape Messenger seems not to crash.
(2) Using GET /con/con or GET /nul/nul against WarFTPd, on any
    directory, will also crash the operating system. Other FTP daemons
    have not been tested. So it is possible to remotely crash Ms
    Windows '98 operating systems. We expect that virtually every FTPd
    running on Windows '95/'98(SE) can be crashed.

(3) Inserting HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open
    with the value c:\con\con "%1" %* or c:\nul\nul "%1" %* will also
    crash the system. Think of what macro viruses can do to your
    system now.

(4) It is possible to crash any Windows '95/'98(SE) machine running
    web server software such as Frontpage Webserver, ... by feeding it
    a URL such as http://www.a_win98_site.be/nul/nul

(5) Creating an HTML page with IMG tags or HREF tags referring to the
    local "nul" path or the "con" path.
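As an added example (not part of the advisory), a Python filter that a server or mail client on the affected platforms could apply before handing any path to the filesystem: it rejects every path component that names one of the devices listed above. It goes one step beyond the advisory in also treating a device name followed by an extension (e.g. nul.txt) as a device, which Windows does; the request lines are constructed for the demo.

```python
import re

# Reserved MS-DOS device names from the advisory (CON, NUL, AUX, PRN, CLOCK$,
# CONFIG$) plus the COMn/LPTn families it mentions.
RESERVED_DEVICES = {"CON", "NUL", "AUX", "PRN", "CLOCK$", "CONFIG$"}
_DEVICE_FAMILY = re.compile(r"^(COM|LPT)[1-9]$")

def is_reserved_device(component: str) -> bool:
    """True if one path component names a DOS device.
    Case-insensitive, a trailing ':' is ignored, and anything after the first
    dot is dropped because Windows resolves 'con.txt' to the CON device too."""
    name = component.rstrip(":").split(".", 1)[0].upper()
    return name in RESERVED_DEVICES or bool(_DEVICE_FAMILY.match(name))

def reserved_components(path: str) -> list:
    """Every component of a URL or DOS path that names a device."""
    # Accept both separators so "/con/con" and "c:\con\con" are handled alike.
    parts = [p for p in re.split(r"[\\/]+", path) if p]
    # A leading drive letter ("c:") is not a device; skip it.
    if parts and re.fullmatch(r"[A-Za-z]:", parts[0]):
        parts = parts[1:]
    return [p for p in parts if is_reserved_device(p)]

def is_safe_request_path(path: str) -> bool:
    """Gate to apply before a request path is handed to the filesystem."""
    return not reserved_components(path)

# Constructed sample request lines (not taken from the advisory).
SAMPLE_REQUESTS = [
    "GET /index.html",
    "GET /con/con",
    "GET /pub/NUL.txt",
    "GET /clock$/aux",
    "GET /images/console.gif",
]

def flag_requests(lines):
    """(line, offending components) for each request that names a device."""
    hits = []
    for line in lines:
        _method, _, path = line.partition(" ")
        bad = reserved_components(path)
        if bad:
            hits.append((line, bad))
    return hits

if __name__ == "__main__":
    for line, bad in flag_requests(SAMPLE_REQUESTS):
        print(f"reject {line!r}: device name(s) {bad}")
```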