the original message in fool, I mean full, copied from some newsgroup:
      
      Date: Tue, 07 Mar 2000 20:27:07 +0100
      From: Michal Medvecky
      Organization: Sillicon Hill News Server
      Newsgroups: strahov.computing, strahov.networking, strahov.windows




      heh
      I hereby apologize to Lubos Pinkava ...

      I. Background

      Local and Remote users can crash Windows '98 systems using specially
      crafted path-strings that refer to device drivers being used.
      Upon parsing this path the Ms Windows OS will crash leaving no
      other option but to reboot the machine. With this all other running
      applications on the machine will stop responding.

      NOTE: This is not a bug in Internet Explorer, FTPd and other
      webserver software running Win95/98. It is a bug in the Ms
      Windows kernel system, more specific in the handling of the device
      drivers specified in IO.SYS, causing this kernel meltdown.



      II. Problem Description

      When the Microsoft Windows operating system is parsing a path that 
      is being crafted like "c:\[device]\[device]" it will halt, and crash 
      the entire operating system. 

      Four device drivers have been found to crash the system. The CON,
      NUL, AUX, CLOCK$ and CONFIG$ are the two device drivers which are 
      known to crash. Other devices as LPT[x]:, COM[x]: and PRN have not 
      been found to crash the system. 

      Making combinations as CON\NUL, NUL\CON, AUX\NUL, ... seems to 
      crash Ms Windows as well.

      Calling a path such as "C:\CON\[filename]" won't result in a crash
      but in an error-message. Creating the map "CON", "CLOCK$", "AUX"
      "NUL" or "CONFIG$" will also result in a simple error-message 
      saying: ''creating that map isn't allowed''.


      DEVICE DRIVERS
      --------------
      These are specified in IO.SYS and date back from the early Ms Dos
      days. Here is what I have found. Here is a brief list;

      CLOCK$ - System clock
      CON - Console; combination of keyboard and screen to 
      handle input and output
      AUX or COM1 - First serial communication port
      COMn - Second, Third, ... communication port
      LPT1 or PRN - First parallel port
      NUL - Dummy port, or the "null device" which we all
      know under Linux as /dev/null.
      CONFIG$ - Unknown



      Any call made to a path consisting of "NUL" and "CON" seems to
      crash routines made to the FAT32/VFAT, eventually trashing the 
      kernel.

      Therefore, it is possible to crash -any- other local and/or
      remote application as long as they parse the path-strings to
      call FAT32/VFAT routines in the kernel. Mind you, we are -not- 
      sure this is the real reason, however there is strong evidence
      to assume this is the case.

      So... To put it in layman's terms... It seems that the Windows98
      kernel is going berserk upon processing paths that are made up
      of "old" (read: Ms Dos) device drivers.



      III. Reproduction of the problem

      (1) When receiving images into HTML with a path referring to
      [drive]:\con\con or [drive]:\nul\nul. This will crash the Ms
      Windows '98 Operating System when viewing this HTML. This has
      been tested on Microsoft Outlook and Eudora Pro 4.2. Netscape
      Messenger seems not to crash.



      crashing IE





      (2) When using GET /con/con or GET /nul/nul using WarFTPd on 
      any directory will also crash the operating system. Other 
      FTPdaemons have not been tested. So it's possible to remotely 
      crash Ms Windows '98 Operating Systems. We expect that virtually 
      every FTPd running Windows '95/'98(se) can be crashed.

      (3) Inserting HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\_
      open with the value of c:\con\con "%1" %* or c:\nul\nul "%1" %* 
      will also crash the system. Think of what Macro virii can do
      to your system now.

      (4) It's possible to crash any Windows '95/'98(SE) machine 
      running webserver software as Frontpage Webserver, ... You can
      crash the machine by feeding an URL as 

      http://www.a_win98_site.be/nul/nul

      (5) Creating a HTML page with IMG tags or HREF tags referring to
      the local "nul" path or the "con" path.











      There are many more methods of crashing the Ms Windows Operating
      System but the essential part seems to be calling a path and file
      both referring to a device name, either NUL, CON, AUX, CLOCK$ or
      CONFIG$, with the objective of getting data on the screen using 
      this path. As you may notice, crashing the system can be done 
      remote or local.


      NETSCAPE - Netscape doesn't crash at first, because the string to
      call a path is changed to file:///D|/c:\nul\nul. Upon entering
      c:\nul\nul in the URL without file:///D|/ you -do- crash Netscape
      and the Operating System.



      III. Impact

      This type of attack will render all applications useless, thus 
      leaving the system administrator no other option than rebooting the 
      system. Due to the wide range of options how to crash the Ms Windows 
      operating system, this is a severe bug. However, Windows NT 
      systems don't seem to be vulnerable.



      IV. Solution

      Ms Windows NT 4.0 and 2000 aren't affected either. We advise
      Windows'98 users to either upgrade to the systems specified as 
      above, or not to follow html-links that refer to the device
      drivers specified as above. Microsoft has been notified. No
      official patch has been announced ( 2000-03-05 ).

      WORKAROUND: A simple byte hack could prevent this from happening
      as long as you don't use older Ms Dos programs making legitimate
      use of the device drivers. By replacing all "NUL", "AUX", "CON"
      "CLOCK$" and "CONFIG$" device driver strings with random values
      or hex null values. Mind you, upon hexediting these values, you
      must be aware that your system may become unstable. We have
      created a patch that alters the strings, after the patch we were
      no longer able to type in any commands on the Ms-Dos prompt. The
      problem, however, was resolved. Because of this side-effect, we
      are -not- releasing the patch. It's up to you to decide if you
      want to change the bytes or not ( even with Ms Edit in binary 
      mode you can quickly patch your IO.SYS ).



      V. Credits

      Initial "con" bug found in Internet Explorer by Suigien -*- Remote 
      Crashing using FTPd, HTTPd, EMail, Usenet by Zoa_Chien Path0s, 
      Necrite, Elias and ToSH -*- Byte hack IO.SYS workaround by Zoa_Chien
      -*- Advisory, IO.SYS exe/testing and aux/nul/clock$/config$ 
      detection by vorlon.
aux


    vinduze is so stupid. can you believe a simple silly string can take it down?

    in pure dos7, c:\nul and c:\aux etc (nul, aux, con, com1-4, lpt1-4, clock$, config$, prn) give error writing to device and that's it. c:\nul\nul is okay, though u can't make such thing.
    is ok as well.

    once u get into windoze (95'OSR2) (vfat vmm32.vxd i think is to blame), all gets complicated.
    open c:\nul - reserved device name
    open c:\nul\blha - file does not exist
    open \blah\nul - file does not exist
    open c:\nul\nul (or \aux\nul, or \con\aux or whatever combination of 2 from the above list)
    leads windoze to repeatedly lock and crash.
    now the most interesting stuff.
    i open a dos session under windoze, and run some vfat-enabled (longnames) program (wget, pkzip, ...) over c:\null\aux...
    first thing that died was my opera, sleeping in background. next thing was the wget itself, i still had a pretty working dos, and once i closed it... farewell

    i think the corruption is on some middle level between the physical device driver and logical devices.

    u can try to open c:\prn\prn though.
    nothing happens.

    now, anyone with a SoftIce to trace it and to tell us a 5-50 byte patch to avoid it from happening? it's only when a combination of 2 (or more?) of the above list one after the another.
    i assume some structure gets overwritten by mistake by the logical level device driver, and then the physical level and all higher levels (net api for example) die as well.

    not that i care, but if u spider a page with links and one of them is file://c:\nul\aux, u would have fun definitely. Batch files will be good as well.
    I see lots of Windoze "friendly" pages coming.
    ;-)
    Especially if it can be tweaked that the crash is more controllable...

    svd

    svd


COOL W95/W98 BUG



    copied from some newsgroup, tested, it can crash my system w95osr2:

    JT
    ---original message: ---

    =====================================================================
    For more information info@securax.org
    Website http://www.securax.org
    Advisories/Text http://www.securax.org/pers
    ---------------------------------------------------------------------



    JT
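
An added example, not part of the thread or the Securax advisory: a server-side filter that flags request paths containing the DOS device names the advisory lists, before the path ever reaches a file-system call. The function names and sample paths are constructed for illustration; the filter conservatively treats PRN, COMn and LPTn as reserved too, and relies on the general DOS rule that an extension does not stop a name resolving to its device.

```python
import re
from urllib.parse import unquote

# Device names listed in the advisory; COMn/LPTn are matched separately.
RESERVED = {"CON", "NUL", "AUX", "PRN", "CLOCK$", "CONFIG$"}
NUMBERED = re.compile(r"^(COM|LPT)[0-9]$")

def device_components(path):
    """Return the components of `path` that name a DOS device, in order."""
    decoded = unquote(path)                      # undo %-encoding, e.g. %6Eul
    hits = []
    for part in re.split(r"[\\/]+", decoded):    # accept both separators
        # Trailing dots/spaces and any extension are ignored by DOS:
        # "con.txt" and "CON:" still resolve to the CON device.
        stem = part.rstrip(". ").split(".", 1)[0].rstrip(" :").upper()
        if stem in RESERVED or NUMBERED.match(stem):
            hits.append(stem)
    return hits

def classify(path):
    """'crash-pattern' for two or more device components (the advisory's
    c:\\[device]\\[device] shape), 'reserved' for one, 'ok' for none."""
    n = len(device_components(path))
    return "crash-pattern" if n >= 2 else "reserved" if n == 1 else "ok"

# Constructed sample request paths (not taken from any real log).
SAMPLE = [
    "/images/logo.gif",
    "/nul/nul",
    "/con/readme.txt",
    "/%6Eul/CON.txt",
    "c:\\aux\\nul",
    "/console/nullable",
    "file:///D|/c:\\nul\\nul",
]

def blocked(paths):
    """Paths a server on Win95/98 should refuse instead of opening."""
    return [p for p in paths if classify(p) != "ok"]

if __name__ == "__main__":
    for p in SAMPLE:
        print(f"{classify(p):14} {p}")
```

Rejecting on a single reserved component, not only the two-component shape, also covers the error-message cases the advisory describes.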