- Date: Mon, 15 Feb 1999 17:59:13 -0500
- From: Ervin Fried <ervin@NAME.NET>
- To: BUGTRAQ@netspace.org
- Subject: Re: Win98 Buffer Overflow (File attached)
-
- my .02$:
- Explorer has bugs in handling files with pathname longer than or
- equal to the documented max and files with components
- that exceed other maximums.
-
- CreateFile(...) seems to not parse the name to ensure that
-
- when network is involved, even shorter paths can cause problems.
- Any shell extensions that you have installed may crash explorer
- if they have bugs.
-
- see below.
-
- Scott wrote:
- >
- > This file did crash explorer when I right clicked on it, but it didn't crash
- > until after the menu came up and I clicked off of it. I was surprised the
- > menu even loaded this time.
-
- The windows headers define MAX_PATH as:
-
- WINDEF.H(44): #define MAX_PATH 260
-
- STDLIB.H(145):
- #define _MAX_PATH 260 /* max. length of full pathname */
- #define _MAX_DRIVE 3 /* max. length of drive component */
- #define _MAX_DIR 256 /* max. length of path component */
- #define _MAX_FNAME 256 /* max. length of file name component */
- #define _MAX_EXT 256 /* max. length of extension component */
-
-
- What I experienced:
-
- systems:
- [
- win95 original, most patches/upgrades:
- win98, all updates
- ]
- your attached file had a length of 239, most chars 0xA0 (chr(160)).
-
-
- Both handled the file OK, as long the complete name (file + path) was
- less than 260 chars and the file was on a local drive.
-
- As soon as I tried copying etc. to a path that would yield a file path
- longer than 260, I got errors (various different ones, none
- indicating the real problem, i.e. MAX_PATH exceeded).
-
-
- Creating files via the API works until the path is 259 chars
- (260 seems to be the max length of the buffer, including the terminating '\0').
-
- on both, explorer rename edit box has a max, set so that total path is
- less than 254 chars (so 250 chars in root, but 246 chars in c:\temp )
-
- on both, std file open dialog has the same 254 chars total path limit
- (which by the way is in Comdlg32.dll and not in the comdlg32.ocx
- shipped with VB, which is a wrapper around the former)
-
- on both, std file save edit box will silently truncate to a total of
- 259 chars (i.e. 251 for filename in c:\temp\ ). the edit box has a limit
- of 259 chars.
-
- on win95, right click works for files with extension for
- paths up to 259 chars
-
- on win98, right click menu does not open for path greater than 122 (???)
-
- on both, explorer crashes (without re-starting though) in
- WZSHLEXT.DLL when right-click on a file with a total path of
- exactly 259 chars (wzshlext.dll is a shell extension that is installed
- by WinZip)
-
- on both, explorer crashes in kernel32.dll on right click on a file
- with no extension with a 256 or 257 or 258 path
-
-
- other problems:
-
- network:
-
- Using Win98 trying to handle the file on the root of a Win95 share
-
- - share mapped as drive:
- explorer didn't crash
- right click didn't open context menu
- File menu didn't open
- attempts to rename failed
- [
- with error 1026, which I can't find in header files,
- // The filename or extension is too long.
- #define ERROR_FILENAME_EXCED_RANGE 206L
- ]
-
- - accessed via Network Neighbourhood:
- crashed once on right click, then i couldn't reproduce.
- other attempt got results same as above
-
-
-
- > Explorer 'resets' the system tray, causing ICQ, my modem dialer icon, etc.
- > to be hidden. The Volume Control Icon either remained, or was reloaded.
-
- That's another issue. see MSJ February 1999, page 62
-
-
- > -Scott Campbell
-
- Ervin Fried
-
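As an added illustration (not code from the thread, nor Microsoft's), the fixed-buffer pattern that Ervin's numbers point at: a shell extension that builds dir + '\' + name into a `char buf[MAX_PATH]` with strcpy/strcat overflows as soon as the joined path plus its terminating NUL exceeds 260 bytes, which is exactly the 259-character boundary measured above. The program below is portable C that reuses only the two constants quoted in the thread (MAX_PATH and ERROR_FILENAME_EXCED_RANGE); the join helpers, the 0xA0 test name and the directory strings are constructed for this example, and the "unsafe" variant only computes whether the overflow would happen rather than corrupting memory.

```c
/* Added example: MAX_PATH boundary arithmetic and a length-checked join.
 * Constants are the ones quoted in the thread; everything else is
 * illustrative and not Windows API code. */
#include <stdio.h>
#include <string.h>

#define MAX_PATH 260                    /* WINDEF.H: buffer size incl. '\0' */
#define ERROR_FILENAME_EXCED_RANGE 206  /* "The filename or extension is too long." */

/* Bytes the joined path needs, including the terminating NUL.
 * A separator is inserted unless dir is empty or already ends in '\'. */
size_t path_bytes_needed(const char *dir, const char *name)
{
    size_t dl = strlen(dir);
    int need_sep = dl > 0 && dir[dl - 1] != '\\';
    return dl + (need_sep ? 1 : 0) + strlen(name) + 1;
}

/* The bug pattern: strcpy(buf, dir); strcat(buf, "\\"); strcat(buf, name);
 * into char buf[MAX_PATH].  Returns 1 when that sequence would write past
 * the buffer (we do not actually perform the write). */
int unsafe_join_overflows(const char *dir, const char *name)
{
    return path_bytes_needed(dir, name) > MAX_PATH;
}

/* Hardened join: refuse with ERROR_FILENAME_EXCED_RANGE when the result
 * does not fit in MAX_PATH bytes; 0 on success, out is NUL-terminated. */
int safe_join(char out[MAX_PATH], const char *dir, const char *name)
{
    if (path_bytes_needed(dir, name) > MAX_PATH)
        return ERROR_FILENAME_EXCED_RANGE;
    size_t dl = strlen(dir);
    memcpy(out, dir, dl);
    if (dl > 0 && dir[dl - 1] != '\\')
        out[dl++] = '\\';
    strcpy(out + dl, name);             /* fits: checked above */
    return 0;
}

/* Constructed test name: n bytes of 0xA0 (chr(160)), like the attachment. */
void make_a0_name(char *buf, size_t n)
{
    memset(buf, 0xA0, n);
    buf[n] = '\0';
}

/* Join dir with an n-byte 0xA0 name.  Returns the resulting path length
 * (strlen) on success, or the negated error code on failure. */
int join_a0_name(const char *dir, size_t n)
{
    char name[512], out[MAX_PATH];
    if (n >= sizeof name)
        return -1;
    make_a0_name(name, n);
    int rc = safe_join(out, dir, name);
    return rc ? -rc : (int)strlen(out);
}

int main(void)
{
    /* Constructed directories: the root and c:\temp from the thread. */
    const char *dirs[] = { "C:\\", "c:\\temp" };
    size_t lens[] = { 239, 251, 256, 257 };
    for (size_t d = 0; d < 2; d++)
        for (size_t i = 0; i < 4; i++) {
            int r = join_a0_name(dirs[d], lens[i]);
            if (r >= 0)
                printf("%-8s + %3zu x 0xA0 -> path length %d (fits)\n",
                       dirs[d], lens[i], r);
            else
                printf("%-8s + %3zu x 0xA0 -> error %d (would overflow MAX_PATH)\n",
                       dirs[d], lens[i], -r);
        }
    return 0;
}
```

With the root directory the 239-byte attachment name joins to a 242-character path and is accepted; a 256-byte name gives the 259-character maximum, and 257 trips the check. Under c:\temp the budget drops to 251 name bytes, matching the figure Ervin reports for the save dialog.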
- ----------------------------------------------------------------------------
-
- Date: Mon, 15 Feb 1999 22:43:55 -0500
- From: Ervin Fried <ervin@NAME.NET>
- To: BUGTRAQ@netspace.org
- Subject: Re: Win98 Buffer Overflow (File attached)
-
- > CreateFile(...) seem to not parse the name to ensure that
-
- hit the send button too early. please ignore this half sentence.
-
- the call seems to work ok.
-
-
- Ervin Fried
-
- ----------------------------------------------------------------------------
-
- Date: Tue, 16 Feb 1999 10:15:44 -0800
- From: Aleph One <aleph1@UNDERGROUND.ORG>
- To: BUGTRAQ@netspace.org
- Subject: Re: Win98 Buffer Overflow
-
- Summary of some of the responses:
-
- Also crashes:
-
- BeMail (ships with BeOS)
- rik <erik@catv6219.extern.kun.nl>
-
- Lotus Notes (when you try to visualize it. you can't detach
- the document, but you can choose Launch and WordPad won't crash)
- Bertrand FREMONT <bfremont@danka.fr>
-
- Pine 3.0 under HP-UX A.09.07 A 9000/712
- Rohit Singh <svsingh@arp.iitkgp.ernet.in>
-
- Outlook 98 under Windows NT 4.0 SP?
- Scott <smc@visuallink.com>
-
- Not affected:
-
- Windows NT SP4
- Bronislaw Kozicki <bronek@wpi.com.pl>
-
- John D. Hardin <jhardin@wolfenet.com> reminds us of the procmail
- security filter page at
- http://www.wolfenet.com/~jhardin/procmail-security.html
-
- --
- Aleph One / aleph1@underground.org
- http://underground.org/
- KeyID 1024/948FD6B5
- Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01
-
-