Date: Mon, 15 Feb 1999 17:59:13 -0500
From: Ervin Fried <ervin@NAME.NET>
To: BUGTRAQ@netspace.org
Subject: Re: Win98 Buffer Overflow (File attached)

my .02$:
Explorer has bugs in handling files with a pathname longer than or
equal to the documented max and files with components
that exceed other maximums.

CreateFile(...) seem to not parse the name to ensure that

when a network is involved, even shorter paths can cause problems.
Any shell extensions that you have installed may crash explorer
if they have bugs.

See below.

Scott wrote:
>
> This file did crash explorer when I right clicked on it, but it didn't crash
> until after the menu came up and I clicked off of it.  I was surprised the
> menu even loaded this time.

The windows headers define MAX_PATH as:

WINDEF.H(44): #define MAX_PATH     260

STDLIB.H(145):
#define _MAX_PATH   260 /* max. length of full pathname */
#define _MAX_DRIVE  3   /* max. length of drive component */
#define _MAX_DIR    256 /* max. length of path component */
#define _MAX_FNAME  256 /* max. length of file name component */
#define _MAX_EXT    256 /* max. length of extension component */


What I experienced:

systems:
[
win95 original, most patches/upgrades;
win98, all updates
]
Your attached file had a length of 239, most chars 0xA0 (chr(160)).


Both handled the file OK, as long as the complete name (file + path) was
less than 260 chars and the file was on a local drive.

As soon as I tried copying etc. to a path that would yield a filepath
longer than 260, I got errors (various different ones, none
indicating the real problem, i.e. MAX_PATH exceeded).


Creating files via the API works until the path is 259 chars
(260 seems to be the max length of the buffer, including the terminating '\0').

On both, the explorer rename edit box has a max, set so that the total path is
less than 254 chars (so 250 chars in root, but 246 chars in c:\temp).

On both, the std file open dialog has the same 254 chars total path limit
(which by the way is in Comdlg32.dll and not in the comdlg32.ocx
shipped with VB, which is a wrapper around the former).

On both, the std file save edit box will silently truncate to a total of
259 chars (i.e. 251 for the filename in c:\temp\ ). The edit box has a limit
of 259 chars.

On win95, right click works for files with an extension for
paths up to 259 chars.

On win98, the right click menu does not open for paths greater than 122 (???).

On both, explorer crashes (without re-starting though) in
WZSHLEXT.DLL when right-clicking on a file with a total path of
exactly 259 chars (wzshlext.dll is a shell extension that is installed
by WinZip).

On both, explorer crashes in kernel32.dll on right click on a file
with no extension with a 256-, 257- or 258-char path.


other problems:

network:

Using Win98, trying to handle the file on the root of a Win95 share:

- share mapped as drive:
        explorer didn't crash
        right click didn't open context menu
        File menu didn't open
        attempts to rename failed
[
 with error 1026, which I can't find in the header files,
 //  The filename or extension is too long.
 #define ERROR_FILENAME_EXCED_RANGE       206L
]

- accessed via Network Neighbourhood:
     crashed once on right click, then I couldn't reproduce.
     other attempts got the same results as above



> Explorer 'resets' the system tray, causing ICQ, my modem dialer icon, etc.
> to be hidden.  The Volume Control Icon either remained, or was reloaded.

That's another issue; see MSJ, February 1999, page 62.


>     -Scott Campbell

Ervin Fried

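As an added example (not part of Ervin's posts), a portable C check that enforces the header limits quoted above before a path is handed to CreateFile or a shell extension: the total length must leave room for the terminator in a 260-byte buffer, and every component must fit `_MAX_FNAME`. The constants are the page's; `check_path`, `make_path` and the verdict names are my own, and the sample paths are constructed.

```c
#include <stdio.h>
#include <string.h>
/* Values quoted from WINDEF.H / STDLIB.H; no Windows headers needed. */
#define MAX_PATH_LIMIT  260  /* buffer size: at most 259 chars + '\0' */
#define MAX_DRIVE_LIMIT 3    /* "c:\" */
#define MAX_FNAME_LIMIT 256  /* buffer size: at most 255 chars per component */

enum path_verdict { PATH_OK = 0, PATH_TOO_LONG, PATH_COMPONENT_TOO_LONG, PATH_BAD_DRIVE }; /* hypothetical names */

/* Validate "X:\dir\name" against the API ceiling before it reaches CreateFile
 * or a shell extension; the dialogs' 254/259 limits are tighter than this. */
enum path_verdict check_path(const char *path)
{
    size_t len = strlen(path);
    if (len >= MAX_PATH_LIMIT)               /* 260 chars leaves no room for '\0' */
        return PATH_TOO_LONG;
    if (len < MAX_DRIVE_LIMIT || path[1] != ':' || (path[2] != '\\' && path[2] != '/'))
        return PATH_BAD_DRIVE;
    /* Bound every component between separators, including the last one. */
    for (const char *start = path + MAX_DRIVE_LIMIT, *p = start; ; p++) {
        if (*p == '\\' || *p == '/' || *p == '\0') {
            if ((size_t)(p - start) >= MAX_FNAME_LIMIT)
                return PATH_COMPONENT_TOO_LONG;
            if (*p == '\0')
                break;
            start = p + 1;
        }
    }
    return PATH_OK;
}
/* Constructed input: prefix followed by n bytes of 0xA0, like the 239-char
 * attachment in the thread. Returns a static buffer, so use each result at once. */
const char *make_path(const char *prefix, size_t n)
{
    static char buf[512];
    size_t plen = strlen(prefix);
    memcpy(buf, prefix, plen);
    memset(buf + plen, 0xA0, n);
    buf[plen + n] = '\0';
    return buf;
}

int main(void)
{
    printf("%d\n", check_path(make_path("c:\\", 239)));       /* 0: 242 chars */
    printf("%d\n", check_path(make_path("c:\\temp\\", 251))); /* 0: 259 chars, the ceiling */
    printf("%d\n", check_path(make_path("c:\\temp\\", 252))); /* 1: 260 chars, too long */
    printf("%d\n", check_path(make_path("c:\\", 256)));       /* 2: component over 255 */
    return 0;
}
```
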
----------------------------------------------------------------------------

Date: Mon, 15 Feb 1999 22:43:55 -0500
From: Ervin Fried <ervin@NAME.NET>
To: BUGTRAQ@netspace.org
Subject: Re: Win98 Buffer Overflow (File attached)

> CreateFile(...) seem to not parse the name to ensure that

Hit the send button too early. Please ignore this half sentence.

The call seems to work OK.


Ervin Fried

----------------------------------------------------------------------------

Date: Tue, 16 Feb 1999 10:15:44 -0800
From: Aleph One <aleph1@UNDERGROUND.ORG>
To: BUGTRAQ@netspace.org
Subject: Re: Win98 Buffer Overflow

Summary of some of the responses:

Also crashes:

BeMail (ships with BeOS)
rik <erik@catv6219.extern.kun.nl>

Lotus Notes (when you try to visualize it; you can't detach
the document, but you can choose Launch and WordPad won't crash)
Bertrand FREMONT <bfremont@danka.fr>

Pine 3.0 under HP-UX A.09.07 A 9000/712 
Rohit Singh <svsingh@arp.iitkgp.ernet.in>

Outlook 98 under Windows NT 4.0 SP?
Scott <smc@visuallink.com>

Not affected:

Windows NT SP4
Bronislaw Kozicki <bronek@wpi.com.pl>

John D. Hardin <jhardin@wolfenet.com> reminds us of the procmail
security filter page at
http://www.wolfenet.com/~jhardin/procmail-security.html

--
Aleph One / aleph1@underground.org
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01