Date: Thu, 11 Feb 1999 11:25:01 -0800
From: Clifford Hammerschmidt <chammers@PIM.BC.CA>
To: BUGTRAQ@netspace.org
Subject: NT too? Re: Another Windows98 Bug...

The following perl script will create a 250 character file that will crash
WinNT (service pack 3) explorer when right-clicked on:
--------------------
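# Build a 250-character file name made of the letter 'A'.
$fn = 'A' x 250;
# Create the file in the current directory; report the OS error on failure.
open (FH,">$fn") or die ":$!\n";
print FH "it worked?";
close FH;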
--------------------

You may have to create the file inside a subdirectory. I think what is
happening here is the path+filename exceeds MAX_PATH.

To delete the file, drop to a command window and delete it using its
shortname (dir /X will display shortnames).

At 05:49 PM 2/9/98 -0800, you wrote:
>>>>
I'm not sure about the details of this problem, but when testing another
buffer overflow, I created a long filename called "testfile.txt


                                                          "
(note the chr(160)'s at the end) It is 235 characters in length.  After
creating it on my desktop, I right clicked on it; explorer crashed saying
it caused an illegal operation.  The only way I found to close this was by
using command.com.  I sent this to a friend and he got the same error.

        -Scott Campbell (smc@visuallink.com)

<<<<

-----------------------------------------------------------------------------

Date: Fri, 12 Feb 1999 09:53:00 -0000
From: Jensen Allan AJE <aje@ARCODAN.DK>
To: BUGTRAQ@netspace.org
Subject: Re: Another Windows98 Bug...

Scott  (10-02-98  01:49):
>I'm not sure about the details of this problem, but when testing another
>buffer overflow, I created a long filename called "testfile.txt
>"
>(note the chr(160)'s at the end) It is 235 characters in length.  After
>creating it on my desktop, I right clicked on it; explorer crashed saying it
>caused an illegal operation.  The only way I found to close this was by using
>command.com.  I sent this to a friend and he got the same error.

I tried the same under Windows NT 4 Workstation SP3, except the file name
length was only 225 bytes, called "hello.txt(lots of spaces)(chr(160))", and
Explorer crashed as well here.

It seems to be an Explorer-only bug, as no other application I've tried went
down.

Oh well, another buffer overflow..

_______________________________________________________________________
Allan Jensen         Scientific Atlanta Arcodan A/S Phone  +45 73122150
System Administrator Augustenborg Landevej 7        Direct +45 73122154
IT-Support           DK-6400 Sonderborg             Fax    +45 74423907
aje@sciatl.dk        http://www.arcodan.com
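
-----------------------------------------------------------------------------

Added example, not part of either post: a small Python audit that flags the two file-name properties discussed in this thread, a full path that does not fit in MAX_PATH and a name padded with trailing spaces or chr(160). MAX_PATH = 260 is the Win32 value; the sample directories, the sample names and the finding labels are assumptions constructed for illustration.

```python
import os

MAX_PATH = 260   # Win32 limit in characters, including the terminating NUL
NBSP = "\xa0"    # chr(160), the padding character named in the thread

def audit_name(directory, name, sep="\\"):
    """Return findings for one entry; pure string logic, no disk access."""
    findings = []
    full_len = len(directory.rstrip(sep)) + len(sep) + len(name)
    if full_len + 1 > MAX_PATH:            # +1 for the NUL terminator
        findings.append("path_exceeds_max_path")
    if name != name.rstrip(" " + NBSP):    # padding that is invisible in a listing
        findings.append("trailing_space_or_nbsp")
    return findings

def audit_tree(root):
    """Walk root and return [(path, findings)] for every flagged file."""
    flagged = []
    for dirpath, _dirs, files in os.walk(os.path.abspath(root)):
        for name in files:
            findings = audit_name(dirpath, name, os.sep)
            if findings:
                flagged.append((os.path.join(dirpath, name), findings))
    return flagged

if __name__ == "__main__":
    # Constructed samples shaped like the names described in the thread.
    samples = [
        ("C:\\temp\\sub", "A" * 250),
        ("C:\\WINDOWS\\Desktop", "testfile.txt".ljust(234) + NBSP),
        ("C:\\temp", "notes.txt"),
    ]
    for directory, name in samples:
        print(len(name), audit_name(directory, name))
```

Flagged entries can then be removed from a command window by short name, as described in the first message.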