Why Windoze is a stupid OS.

crashing test I (c:\nul\nul)
crashing test II (c:\con\con)
crashing test III (c:\aux\aux)
crashing test IV (c:\clock$\clock$)
crashing test V (c:\config$\config$)
crashing test VI (file://nul\nul)
crashing test VII (file://con\con)
crashing test VIII (file://aux\aux)
crashing test IX (file://clock$\clock$)
crashing test X (file://config$\config$)

You can crash even Netscape: just use "file://..." instead of "c:\...".
Date: Tue, 07 Mar 2000 20:27:07 +0100
From: Michal Medvecky
Organization: Silicon Hill News Server
Newsgroups: strahov.computing, strahov.networking, strahov.windows

heh, by this means I apologize to Lubos Pinkava ...

I. Background

Local and remote users can crash Windows '98 systems using specially crafted path strings that refer to device drivers being used. Upon parsing this path the MS Windows OS will crash, leaving no other option but to reboot the machine. With this, all other running applications on the machine will stop responding.

NOTE: This is not a bug in Internet Explorer, FTPd and other webserver software running on Win95/98. It is a bug in the MS Windows kernel system, more specifically in the handling of the device drivers specified in IO.SYS, causing this kernel meltdown.

II. Problem Description

When the Microsoft Windows operating system is parsing a path that is crafted like "c:\[device]\[device]" it will halt and crash the entire operating system. Four device drivers have been found to crash the system. The CON, NUL, AUX, CLOCK$ and CONFIG$ are the two device drivers which are known to crash. Other devices such as LPT[x]:, COM[x]: and PRN have not been found to crash the system. Making combinations such as CON\NUL, NUL\CON, AUX\NUL, ... seems to crash MS Windows as well. Calling a path such as "C:\CON\[filename]" won't result in a crash but in an error message. Creating the directory "CON", "CLOCK$", "AUX", "NUL" or "CONFIG$" will also result in a simple error message saying: ''creating that directory isn't allowed''.

DEVICE DRIVERS
--------------

These are specified in IO.SYS and date back to the early MS-DOS days. Here is a brief list of what I have found:

CLOCK$ - System clock
CON - Console; combination of keyboard and screen to handle input and output
AUX or COM1 - First serial communication port
COMn - Second, third, ... communication port
LPT1 or PRN - First parallel port
NUL - Dummy port, or the "null device" which we all know under Linux as /dev/null
CONFIG$ - Unknown

Any call made to a path consisting of "NUL" and "CON" seems to crash routines made for FAT32/VFAT, eventually trashing the kernel. Therefore, it is possible to crash -any- other local and/or remote application as long as they parse the path strings to call FAT32/VFAT routines in the kernel. Mind you, we are -not- sure this is the real reason; however, there is strong evidence to assume this is the case. So... to put it in layman's terms... it seems that the Windows 98 kernel is going berserk upon processing paths that are made up of "old" (read: MS-DOS) device drivers.

III. Reproduction of the problem

(1) When receiving images in HTML with a path referring to [drive]:\con\con or [drive]:\nul\nul. This will crash the MS Windows '98 operating system when viewing this HTML. This has been tested on Microsoft Outlook and Eudora Pro 4.2. Netscape Messenger seems not to crash.

(2) Using GET /con/con or GET /nul/nul against WarFTPd on any directory will also crash the operating system. Other FTP daemons have not been tested. So it's possible to remotely crash MS Windows '98 operating systems. We expect that virtually every FTPd running on Windows '95/'98(SE) can be crashed.

(3) Inserting HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open with the value c:\con\con "%1" %* or c:\nul\nul "%1" %* will also crash the system. Think of what macro viruses can do to your system now.

(4) It's possible to crash any Windows '95/'98(SE) machine running webserver software such as Frontpage Webserver, ... You can crash the machine by feeding it a URL such as http://www.a_win98_site.be/nul/nul

(5) Creating an HTML page with IMG tags or HREF tags referring to the local "nul" path or the "con" path.

There are many more methods of crashing the MS Windows operating system, but the essential part seems to be calling a path and file both referring to a device name, either NUL, CON, AUX, CLOCK$ or CONFIG$, with the objective of getting data on the screen using this path. As you may notice, crashing the system can be done remotely or locally.

NETSCAPE - Netscape doesn't crash at first, because the string to call a path is changed to file:///D|/c:\nul\nul. Upon entering c:\nul\nul in the URL without file:///D|/ you -do- crash Netscape and the operating system.

III. Impact

This type of attack will render all applications useless, thus leaving the system administrator no other option than rebooting the system. Due to the wide range of options for crashing the MS Windows operating system, this is a severe bug. However, Windows NT systems don't seem to be vulnerable.

IV. Solution

MS Windows NT 4.0 and 2000 aren't affected either. We advise Windows '98 users either to upgrade to the systems specified above, or not to follow HTML links that refer to the device drivers specified above. Microsoft has been notified. No official patch has been announced (2000-03-05).

WORKAROUND: A simple byte hack could prevent this from happening, as long as you don't use older MS-DOS programs making legitimate use of the device drivers: replace all "NUL", "AUX", "CON", "CLOCK$" and "CONFIG$" device driver strings with random values or hex null values. Mind you, upon hex-editing these values, you must be aware that your system may become unstable. We have created a patch that alters the strings; after the patch we were no longer able to type in any commands at the MS-DOS prompt. The problem, however, was resolved. Because of this side effect, we are -not- releasing the patch. It's up to you to decide if you want to change the bytes or not (even with MS Edit in binary mode you can quickly patch your IO.SYS).

V. Credits

Initial "con" bug found in Internet Explorer by Suigien -*- Remote crashing using FTPd, HTTPd, e-mail, Usenet by Zoa_Chien, Path0s, Necrite, Elias and ToSH -*- Byte hack IO.SYS workaround by Zoa_Chien -*- Advisory, IO.SYS exe/testing and aux/nul/clock$/config$ detection by vorlon.
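The advisory's remote cases (GET /con/con against an FTPd, /nul/nul in a URL to a Win98 web server) all depend on the server handing a client-supplied path to the OS unchecked. The filter below is an added defender-side example, not code from the Securax advisory or from any of the software it names: it rejects a request path when any component names an MS-DOS device, so it goes beyond the advisory's two-device pattern and blocks a single device name too. The function names, the accepted path forms and the sample paths are my own assumptions.

```python
import re
from typing import List
from urllib.parse import unquote

# Reserved MS-DOS device names from the advisory (CON, NUL, AUX, CLOCK$, CONFIG$)
# plus the ones it lists as not crashing (PRN, COMn, LPTn); a filter rejects all
# of them, since each names a device rather than a file.
RESERVED_DEVICES = {"CON", "NUL", "AUX", "PRN", "CLOCK$", "CONFIG$"} | {
    f"{base}{n}" for base in ("COM", "LPT") for n in range(1, 10)
}

# A leading drive letter ("c:") or URL scheme ("file://", "http://") is not a
# path component and is stripped before the check (assumed input forms).
_DRIVE_OR_SCHEME = re.compile(r"^(?:[a-zA-Z]:|[a-zA-Z][a-zA-Z0-9+.-]*://)")


def device_components(path: str) -> List[str]:
    """Return the reserved device names found in any component of `path`.

    Accepts both separators, percent-encoded input ("/con%5Ccon"), and the
    Windows rule that "CON.txt", "CON:" and "CON." still name the device.
    """
    decoded = unquote(path)
    stripped = _DRIVE_OR_SCHEME.sub("", decoded, count=1)
    found = []
    for component in re.split(r"[\\/]+", stripped):
        # Windows ignores trailing dots/spaces, any extension and a trailing colon
        # when matching a component against a device name.
        name = component.rstrip(" .").split(".", 1)[0].rstrip(":").upper()
        if name in RESERVED_DEVICES:
            found.append(name)
    return found


def is_safe_path(path: str) -> bool:
    """True when no component of `path` names a DOS device (hypothetical server check)."""
    return not device_components(path)
```

A server would call is_safe_path on the decoded request path before any open() or stat(), and answer a rejection (e.g. 403) instead of touching the filesystem.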
aux

Vinduze is so stupid. Can you believe a simple silly string can take it down?

In pure DOS 7, c:\nul and c:\aux etc. (nul, aux, con, com1-4, lpt1-4, clock$, config$, prn) give "error writing to device" and that's it. c:\nul\nul is okay, though you can't make such a thing; that is ok as well. Once you get into Windoze (95 OSR2) (VFAT, vmm32.vxd I think is to blame), all gets complicated:

open c:\nul - reserved device name
open c:\nul\blah - file does not exist
open \blah\nul - file does not exist
open c:\nul\nul (or \aux\nul, or \con\aux, or whatever combination of 2 from the above list) leads Windoze to repeatedly lock and crash.

Now the most interesting stuff. I open a DOS session under Windoze, and run some VFAT-enabled (long names) program (wget, pkzip, ...) over c:\null\aux... The first thing that died was my Opera, sleeping in the background. The next thing was the wget itself; I still had a pretty working DOS, and once I closed it... farewell.

I think the corruption is on some middle level between the physical device driver and logical devices. You can try to open c:\prn\prn though; nothing happens. Now, anyone with a SoftICE to trace it and to tell us a 5-50 byte patch to avoid it from happening? It's only when a combination of 2 (or more?) of the above list come one after the other. I assume some structure gets overwritten by mistake by the logical level device driver, and then the physical level and all higher levels (net API for example) die as well.

Not that I care, but if you spider a page with links and one of them is file://c:\nul\aux, you would definitely have fun. Batch files will be good as well. I see lots of Windoze "friendly" pages coming. ;-) Especially if it can be tweaked so that the crash is more controllable...

svd
COOL W95/W98 BUG, copied from some newsgroup; tested, it can crash my system (W95 OSR2): JT

--- original message: ---
[The Securax advisory forwarded by Michal Medvecky, reproduced in full above.]

=====================================================================
For more information: info@securax.org
Website: http://www.securax.org
Advisories/Text: http://www.securax.org/pers
---------------------------------------------------------------------

JT