Date: Mon, 15 Feb 1999 17:59:13 -0500
From: Ervin Fried
To: BUGTRAQ@netspace.org
Subject: Re: Win98 Buffer Overflow (File attached)

my .02$:

Explorer has bugs in handling files with a pathname longer than or equal to the documented max, and files with components that exceed other maximums. CreateFile(...) seem to not parse the name to ensure that when network is involved, even shorter paths can cause problems. Any shell extensions that you have installed may crash explorer if they have bugs. see below.

Scott wrote:
>
> This file did crash explorer when I right clicked on it, but it didn't crash
> until after the menu came up and I clicked off of it. I was surprised the
> menu even loaded this time.

The windows headers define MAX_PATH as:

  WINDEF.H(44):  #define MAX_PATH 260

  STDLIB.H(145): #define _MAX_PATH   260 /* max. length of full pathname */
                 #define _MAX_DRIVE    3 /* max. length of drive component */
                 #define _MAX_DIR    256 /* max. length of path component */
                 #define _MAX_FNAME  256 /* max. length of file name component */
                 #define _MAX_EXT    256 /* max. length of extension component */

What I experienced:

systems: [ win95 original, most patches/upgrades; win98, all updates ]

Your attached file had a length of 239, most chars 0xA0 (chr(160)).

Both handled the file OK, as long as the complete name (file + path) was less than 260 chars and the file was on a local drive.

As soon as I tried copying etc. to a path that would yield a filepath longer than 260, I got errors (various different ones, none indicating the real problem, i.e. MAX_PATH exceeded).

Creating files via the API works until the path is 259 chars (260 seems to be the max length of the buffer, including the terminating '\0').

on both, the explorer rename edit box has a max, set so that the total path is less than 254 chars (so 250 chars in root, but 246 chars in c:\temp)

on both, the std file open dialog has the same 254 chars total path limit (which by the way is in Comdlg32.dll and not in the comdlg32.ocx shipped with VB, which is a wrapper around the former)

on both, the std file save edit box will silently truncate to a total of 259 chars (i.e. 251 for the filename in c:\temp\). the edit box has a limit of 259 chars.

on win95, right click works for files with extension for paths up to 259 chars

on win98, the right click menu does not open for a path greater than 122 (???)

on both, explorer crashes (without re-starting though) in WZSHLEXT.DLL when right-clicking on a file with a total path of exactly 259 chars (wzshlext.dll is a shell extension that is installed by WinZip)

on both, explorer crashes in kernel32.dll on right click on a file with no extension with a 256 or 257 or 258 path

other problems:

network: Using Win98, trying to handle the file on the root of a Win95 share

- share mapped as drive:
  explorer didn't crash
  right click didn't open context menu
  File menu didn't open
  attempts to rename failed [ with error 1026, which I can't find in the header files,
    // The filename or extension is too long.
    #define ERROR_FILENAME_EXCED_RANGE 206L ]

- accessed via Network Neighbourhood:
  crashed once on right click, then I couldn't reproduce.
  other attempts got the same results as above

> Explorer 'resets' the system tray, causing ICQ, my modem dialer icon, etc.
> to be hidden. The Volume Control Icon either remained, or was reloaded.

That's another issue. see MSJ February 1999, page 62

> -Scott Campbell

Ervin Fried

----------------------------------------------------------------------------

Date: Mon, 15 Feb 1999 22:43:55 -0500
From: Ervin Fried
To: BUGTRAQ@netspace.org
Subject: Re: Win98 Buffer Overflow (File attached)

> CreateFile(...) seem to not parse the name to ensure that

hit the send button too early. please ignore this half sentence. the call seems to work ok.

Ervin Fried

----------------------------------------------------------------------------

Date: Tue, 16 Feb 1999 10:15:44 -0800
From: Aleph One
To: BUGTRAQ@netspace.org
Subject: Re: Win98 Buffer Overflow

Summary of some of the responses:

Also crashes:

  BeMail (ships with BeOS)
      rik

  Lotus Notes (when you try to visualize it. you can't detach the document,
  but you can choose Launch and WordPad won't crash)
      Bertrand FREMONT

  Pine 3.0 under HP-UX A.09.07 A 9000/712
      Rohit Singh

  Outlook 98 under Windows NT 4.0 SP?
      Scott

Not affected:

  Windows NT SP4
      Bronislaw Kozicki

John D. Hardin reminds us of the procmail security filter page at
http://www.wolfenet.com/~jhardin/procmail-security.html

--
Aleph One / aleph1@underground.org
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01
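The first message above reports a set of MAX_PATH boundaries (API at 259, rename box and Open dialog at "less than 254", Save dialog truncating at 259, right-click crashes at 256-259 depending on extension and shell extensions). The script below is an added example, not code from the thread or from any of its posters: it generates file names of chr(160) characters, as in the attached file, so that the full path lands exactly on each of those boundaries, and looks up which reported behaviour applies. The function names, the classification table and the `boundary_cases` helper are this example's own; the thresholds are the ones Ervin Fried reported for his Win95/Win98 machines and are not verified here. It only builds strings and does not touch the file system, so it runs on any platform.

```python
# Added example (not from the Bugtraq thread): build file names that put the
# full path exactly at the MAX_PATH boundaries reported in the thread, and
# look up which reported behaviour applies. Thresholds are as reported by
# Ervin Fried for his Win95/Win98 systems; function names are this example's.

MAX_PATH = 260  # WINDEF.H: buffer size, including the terminating '\0'

# Limits from the thread, in characters of the full path (directory + '\' +
# name), not counting the terminating NUL.
API_MAX = MAX_PATH - 1        # CreateFile works up to a 259-character path
RENAME_BOX_MAX = 253          # Explorer rename box / Open dialog: total < 254
SAVE_BOX_MAX = 259            # Save dialog silently truncates beyond this
WIN98_MENU_MAX = 122          # Win98: context menu does not open above this
FILL = chr(0xA0)              # the attached file was mostly chr(160)


def prefix_for(directory):
    """Directory with exactly one trailing backslash, as the path prefix."""
    return directory if directory.endswith("\\") else directory + "\\"


def name_len_for(directory, total_len):
    """How many characters the file name needs so the full path is total_len."""
    n = total_len - len(prefix_for(directory))
    if n < 1:
        raise ValueError("directory alone already reaches total_len")
    return n


def make_name(directory, total_len, ext=""):
    """File name of 0xA0 characters (plus ext) whose full path is total_len."""
    n = name_len_for(directory, total_len)
    if len(ext) >= n:
        raise ValueError("extension leaves no room for the base name")
    return FILL * (n - len(ext)) + ext


def full_path(directory, name):
    """Join directory and name the way the thread counts path length."""
    return prefix_for(directory) + name


def max_prefix_for(name_len):
    """Longest directory prefix (with trailing '\\') that keeps a name of
    name_len characters creatable through the API (259 - name length)."""
    return API_MAX - name_len


def classify(total_len, has_ext, win98=False, winzip=False):
    """Behaviours the thread reports for a local file with a path of
    total_len characters. win98/winzip select the platform-specific ones."""
    notes = []
    if total_len > API_MAX:
        notes.append("api: path exceeds MAX_PATH, CreateFile fails")
    if total_len > RENAME_BOX_MAX:
        notes.append("explorer rename box / open dialog: refused")
    if total_len > SAVE_BOX_MAX:
        notes.append("save dialog: name silently truncated to 259")
    if win98 and total_len > WIN98_MENU_MAX:
        notes.append("win98: context menu does not open")
    if winzip and total_len == 259:
        notes.append("explorer crash in WZSHLEXT.DLL on right-click")
    if not has_ext and total_len in (256, 257, 258):
        notes.append("explorer crash in kernel32.dll on right-click")
    return notes


def boundary_cases(directory, ext=".txt"):
    """(total_len, has_ext, full_path) for every path length from 253 to 260,
    once with an extension and once without."""
    cases = []
    for total in range(RENAME_BOX_MAX, MAX_PATH + 1):
        for e in (ext, ""):
            path = full_path(directory, make_name(directory, total, e))
            cases.append((total, e != "", path))
    return cases


if __name__ == "__main__":
    # Constructed directory; the attached 239-char name fits only under a
    # prefix of at most max_prefix_for(239) == 20 characters.
    for total, has_ext, path in boundary_cases("c:\\temp"):
        print(len(path), "ext" if has_ext else "no ext",
              classify(total, has_ext, winzip=True))
```

The arithmetic matches the figures in the message: a total of 253 leaves 250 characters for the name in the root (`c:\`) and a total of 259 leaves 251 under `c:\temp\`. Feed the generated names to a real Win9x box (or to any parser that claims to honour MAX_PATH) to reproduce the probes; on a modern system the interesting check is whether the code under test still assumes a 260-byte buffer at all.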