=====================================================================
Securax-SA-01                                      Security Advisory
belgian.networking.security                                    Dutch
=====================================================================

Topic:          Ms Windows '95/'98/SE will crash upon parsing specially
                crafted path-strings referring to device drivers.

Announced:      2000-03-04
Updated:        2000-03-05
Affects:        Ms Windows '95, Ms Windows '98, Ms Windows '98 SE
None affected:  Ms Windows NT Server/Workstation 4.0 (sp5/6)
Obsoletes:      crash-ie.txt, win98-con.txt
=====================================================================

THE ENTIRE ADVISORY HAS BEEN BASED UPON TRIAL AND ERROR RESULTS.
THEREFORE WE CANNOT ENSURE YOU THE INFORMATION BELOW IS 100% CORRECT.
THIS DOCUMENT IS SUBJECT TO CHANGE WITHOUT PRIOR NOTICE. IF YOU HAPPEN
TO FIND MORE INFORMATION CONCERNING THE BUG DISCUSSED IN THIS ADVISORY,
PLEASE SHARE IT ON BUGTRAQ. THANK YOU.

I. Background

Local and remote users can crash Windows '98 systems using specially
crafted path-strings that refer to device drivers in use. Upon parsing
such a path the Ms Windows OS will crash, leaving no other option but
to reboot the machine. All other applications running on the machine
will stop responding.

NOTE: This is not a bug in Internet Explorer, FTPd or other webserver
software running on Win95/98. It is a bug in the Ms Windows kernel,
more specifically in the handling of the device drivers specified in
IO.SYS, that causes this kernel meltdown.

II. Problem Description

When the Microsoft Windows operating system parses a path crafted like
"c:\[device]\[device]" it will halt and crash the entire operating
system. The device drivers CON, NUL, AUX, CLOCK$ and CONFIG$ have been
found to crash the system. Other devices such as LPT[x]:, COM[x]: and
PRN have not been found to crash the system. Combinations such as
CON\NUL, NUL\CON, AUX\NUL, ... seem to crash Ms Windows as well.

Calling a path such as "C:\CON\[filename]" won't result in a crash but
in an error message. Creating a folder named "CON", "CLOCK$", "AUX",
"NUL" or "CONFIG$" also results in a simple error message saying that
creating that folder isn't allowed.

DEVICE DRIVERS
--------------
These are specified in IO.SYS and date back to the early Ms Dos days.
Here is a brief list of what I have found:

CLOCK$      - System clock
CON         - Console; combination of keyboard and screen to handle
              input and output
AUX or COM1 - First serial communication port
COMn        - Second, third, ... communication port
LPT1 or PRN - First parallel port
NUL         - Dummy port, or the "null device", which we all know
              under Linux as /dev/null
CONFIG$     - Unknown

Any call made to a path consisting of "NUL" and "CON" seems to crash
the FAT32/VFAT routines, eventually trashing the kernel. Therefore it
is possible to crash -any- other local and/or remote application as
long as it passes the path-strings to the FAT32/VFAT routines in the
kernel. Mind you, we are -not- sure this is the real reason; however,
there is strong evidence to assume this is the case.

So... to put it in layman's terms: it seems that the Windows 98 kernel
goes berserk upon processing paths that are made up of "old" (read:
Ms Dos) device driver names.

III. Reproduction of the problem

(1) Receiving HTML with images whose path refers to [drive]:\con\con
    or [drive]:\nul\nul. Viewing this HTML will crash the Ms Windows
    '98 Operating System. This has been tested on Microsoft Outlook
    and Eudora Pro 4.2. Netscape Messenger seems not to crash.

(2) Using GET /con/con or GET /nul/nul against WarFTPd on any
    directory will also crash the operating system. Other FTP daemons
    have not been tested. So it is possible to remotely crash
    Ms Windows '98 Operating Systems. We expect that virtually every
    FTPd running on Windows '95/'98(SE) can be crashed.

(3) Setting HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open to
    the value c:\con\con "%1" %* or c:\nul\nul "%1" %* will also crash
    the system. Think of what macro viruses can do to your system now.

(4) It is possible to crash any Windows '95/'98(SE) machine running
    webserver software such as Frontpage Webserver, ... You can crash
    the machine by feeding it a URL such as
    http://www.a_win98_site.be/nul/nul

(5) Creating an HTML page with IMG tags or HREF tags referring to the
    local "nul" path or the "con" path.

There are many more methods of crashing the Ms Windows Operating
System, but the essential part seems to be calling a path and file
that both refer to a device name, either NUL, CON, AUX, CLOCK$ or
CONFIG$, with the objective of getting data on the screen using this
path. As you may notice, crashing the system can be done remotely or
locally.

NETSCAPE - Netscape doesn't crash at first, because the string to call
a path is changed to file:///D|/c:\nul\nul. Upon entering c:\nul\nul
in the URL without file:///D|/ you -do- crash Netscape and the
Operating System.

IV. Impact

This type of attack will render all applications useless, thus leaving
the system administrator no other option than rebooting the system.
Due to the wide range of ways to crash the Ms Windows operating system,
this is a severe bug. However, Windows NT systems don't seem to be
vulnerable.

V. Solution

Ms Windows NT 4.0 and 2000 are not affected either. We advise
Windows '98 users to either upgrade to the systems specified above, or
not to follow HTML links that refer to the device drivers specified
above. Microsoft has been notified. No official patch has been
announced (2000-03-05).

WORKAROUND: A simple byte hack, replacing all "NUL", "AUX", "CON",
"CLOCK$" and "CONFIG$" device driver strings in IO.SYS with random
values or hex null values, could prevent this from happening, as long
as you don't use older Ms Dos programs that make legitimate use of the
device drivers.

Mind you, upon hex-editing these values you must be aware that your
system may become unstable. We have created a patch that alters the
strings; after applying the patch we were no longer able to type any
commands at the Ms-Dos prompt. The problem, however, was resolved.
Because of this side-effect we are -not- releasing the patch. It is up
to you to decide whether you want to change the bytes or not (even
with Ms Edit in binary mode you can quickly patch your IO.SYS).

VI. Credits

Initial "con" bug found in Internet Explorer by Suigien
-*-
Remote crashing using FTPd, HTTPd, e-mail, Usenet by Zoa_Chien,
Path0s, Necrite, Elias and ToSH
-*-
Byte hack IO.SYS workaround by Zoa_Chien
-*-
Advisory, IO.SYS exe/testing and aux/nul/clock$/config$ detection
by vorlon.

=====================================================================
For more information      info@securax.org
Website                   http://www.securax.org
Advisories/Text           http://www.securax.org/pers
---------------------------------------------------------------------
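The following is an added defensive example and is not part of the Securax advisory: a filter for the "[device]\[device]" pattern described in section II that a server or mail client on an affected system could apply to request paths and local file paths before they reach the filesystem, plus a scan of access-log lines for the GET /con/con requests described in section III. The device-name set is taken from the advisory's list; the log lines, client addresses and function names are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Device names the advisory reports as crashing the system, and the other
# device names it lists (PRN, COMn, LPTn), which it says do not crash but
# are still devices rather than files.
CRASHING_DEVICES = {"CON", "NUL", "AUX", "CLOCK$", "CONFIG$"}
OTHER_DEVICES = {"PRN"}
_PORT_RE = re.compile(r"^(COM|LPT)[1-9]$")

def is_device_name(component: str) -> bool:
    """True if one path component names a DOS device; a trailing ':' is tolerated."""
    name = component.upper().rstrip(":")
    return name in CRASHING_DEVICES or name in OTHER_DEVICES or bool(_PORT_RE.match(name))

def device_components(path: str) -> list:
    """Device-name components of a full URL, a URL path or a DOS path (either separator)."""
    if "://" in path:  # full URL such as http://host/nul/nul or file:///D|/c:\nul\nul
        path = urlsplit(path).path
    return [c for c in re.split(r"[\\/]+", path) if c and is_device_name(c)]

def matches_advisory_pattern(path: str) -> bool:
    """The trigger as the advisory describes it: directory and file both naming a device."""
    return len(device_components(path)) >= 2

def is_safe_path(path: str) -> bool:
    r"""Conservative filter: reject a device name anywhere, even C:\CON\file (error only)."""
    return not device_components(path)

# Constructed access-log lines in common log format; not taken from the advisory.
SAMPLE_LOG = """\
10.0.0.7 - - [04/Mar/2000:10:12:01 +0100] "GET /index.html HTTP/1.0" 200 512
10.0.0.9 - - [04/Mar/2000:10:12:05 +0100] "GET /con/con HTTP/1.0" 500 0
10.0.0.9 - - [04/Mar/2000:10:12:09 +0100] "GET /images/nul/nul HTTP/1.0" 500 0
10.0.0.3 - - [04/Mar/2000:10:13:44 +0100] "GET /docs/con.html HTTP/1.0" 200 2048
"""
_REQ_RE = re.compile(r'^(\S+) .*?"(?:GET|HEAD|POST) (\S+)')

def scan_request_log(text: str) -> list:
    """Return (client, path) for each logged request matching the advisory pattern."""
    hits = []
    for line in text.splitlines():
        m = _REQ_RE.match(line)
        if m and matches_advisory_pattern(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits

if __name__ == "__main__":
    print([(p, matches_advisory_pattern(p), is_safe_path(p)) for p in (r"c:\con\con", r"C:\CON\readme.txt")])
    print(scan_request_log(SAMPLE_LOG))
```

The narrow check flags only the two-device form the advisory describes, while is_safe_path also rejects single device names such as C:\CON\[filename], which the advisory says merely produces an error but which has no legitimate use in a web or FTP request.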