Subject: CMD.EXE overflow (CISADV000420)
From: Cerberus Security Team (CST@CERBERUS-INFOSEC.CO.UK)
Date: Fri Apr 21 2000 - 10:47:45 CDT


Cerberus Information Security Advisory (CISADV000420)
http://www.cerberus-infosec.co.uk/advisories.html

Released : 20th April 2000
Name : CMD.EXE overflow
Affected Systems : Windows NT/2000
Issue : See details
Author : David Litchfield (mnemonix@globalnet.co.uk)

Description
***********
The Cerberus Security Team has discovered an overflow issue in the Windows
NT/2000 command interpreter "cmd.exe". The problem was found whilst looking
for buffer overflow issues on certain web servers. Web servers that execute
batch files as CGI scripts on behalf of a client pass the client-supplied
argument to cmd.exe and are therefore opened up to a Denial of Service
attack.

Details
*******
By providing an overly long string as an argument to a CGI-based batch file
it is possible to crash the command interpreter in its "clean up" stages.
Although control of the Instruction Pointer register (EIP) is gained, the
overwriting value is the UNICODE form of the supplied string: cmd.exe handles
the argument as wide characters, so each byte is widened to a 16-bit value
and a run of "A" characters produces an address such as 0x00410041. The
overwritten address is thus restricted to the shape 0x00xx00yy. Having
debugged the application it seems that, in this case, there is nowhere
useful in memory to jump to in order to get back to any "exploit code".
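As an added illustration (this is not code from the advisory or from Cerberus), the following C model shows why the overwritten return address takes the Unicode shape described above. It assumes a hypothetical, simplified x86 stack frame of an 8-unit wide-character buffer followed by a saved EBP and a saved EIP, modelled as a flat byte array so the overwrite can be simulated deterministically instead of corrupting the real stack; the widening step mirrors the ASCII-to-UTF-16LE conversion Windows applies to command-line strings. The frame layout, the offsets and the sample arguments are all constructed for the example.

```c
/*
 * Added example, not part of the Cerberus advisory.
 *
 * Hypothetical, simplified frame (offsets are an assumption for the model):
 *   bytes  0..15 : wchar_t buffer, 8 UTF-16 code units
 *   bytes 16..19 : saved EBP
 *   bytes 20..23 : saved EIP
 * The frame is a flat byte array so the unchecked copy can run past the
 * buffer without undefined behaviour in this program.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_UNITS   8                   /* wchar_t slots in the buffer     */
#define OFF_EBP     (BUF_UNITS * 2)     /* byte offset of saved EBP         */
#define OFF_EIP     (OFF_EBP + 4)       /* byte offset of saved EIP         */
#define FRAME_BYTES 64                  /* room for the overflow to land    */

/* Widen an ASCII argument to UTF-16LE the way Windows does for command-line
 * strings: every byte becomes (byte, 0x00). Returns the bytes written; the
 * copy is capped at 'cap' only so the simulation stays inside the model. */
static size_t widen_to_utf16le(const char *ascii, unsigned char *out, size_t cap)
{
    size_t n = 0;
    for (const char *p = ascii; *p != '\0' && n + 2 <= cap; ++p) {
        out[n++] = (unsigned char)*p;   /* low byte: the ASCII character   */
        out[n++] = 0x00;                /* high byte: always zero          */
    }
    return n;
}

/* Simulate the unchecked copy of 'arg' into the wide buffer and return the
 * little-endian 32-bit value that lands in the saved EIP slot. Returns 0
 * when the argument is too short to reach the slot; 0 cannot otherwise be
 * produced, because a NUL byte would end the argument and untouched frame
 * bytes are filled with 0xCC. */
uint32_t eip_of(const char *arg)
{
    unsigned char frame[FRAME_BYTES];
    memset(frame, 0xCC, sizeof frame);
    size_t written = widen_to_utf16le(arg, frame, sizeof frame);
    if (written < OFF_EIP + 4)
        return 0;
    return (uint32_t)frame[OFF_EIP]
         | (uint32_t)frame[OFF_EIP + 1] << 8
         | (uint32_t)frame[OFF_EIP + 2] << 16
         | (uint32_t)frame[OFF_EIP + 3] << 24;
}

/* 1 if 'addr' could be produced by the widening at all: both high bytes
 * must be 0x00 and both low bytes must be non-zero (a zero byte would
 * terminate the argument). Ordinary code and stack addresses fail this. */
int is_unicode_reachable(uint32_t addr)
{
    unsigned lo0 = addr & 0xFFu, hi0 = (addr >> 8) & 0xFFu;
    unsigned lo1 = (addr >> 16) & 0xFFu, hi1 = (addr >> 24) & 0xFFu;
    return hi0 == 0 && hi1 == 0 && lo0 != 0 && lo1 != 0;
}

int main(void)
{
    /* Constructed sample arguments, standing in for an overly long CGI
     * query string handed to a batch file. */
    const char *all_a = "AAAAAAAAAAAAAAAA";   /* 16 x 'A' */
    const char *mixed = "AAAAAAAAAACDEFGH";   /* 'C','D' reach the EIP slot */
    uint32_t candidates[] = { 0x00410041u, 0x77E5226Au, 0x0012FF80u };

    printf("EIP after %s : 0x%08X\n", all_a, eip_of(all_a));
    printf("EIP after %s : 0x%08X\n", mixed, eip_of(mixed));
    for (size_t i = 0; i < sizeof candidates / sizeof candidates[0]; ++i)
        printf("0x%08X reachable via UNICODE widening: %s\n", candidates[i],
               is_unicode_reachable(candidates[i]) ? "yes" : "no");
    return 0;
}
```

A real cmd.exe frame is larger and its offsets differ; the point the model makes is that every second byte the attacker controls is forced to zero, so the only addresses that can be written over the saved EIP have the form 0x00xx00yy, which is why the advisory reports finding no useful place to land.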

Solution:
*********
It is best not to allow web servers to execute batch files as CGI scripts at
all, as such scripts can often be subverted to run arbitrary commands, and
so Cerberus would recommend disabling any script mappings for batch files.
In addition, the patch should be applied as well.

Vendor Status
*************
Microsoft were informed on the 15th of March about this issue and have
developed a patch. More information is available from
http://www.microsoft.com/technet/security/bulletin/ms00-027.asp

About Cerberus Information Security, Ltd
****************************************
Cerberus Information Security, Ltd, a UK company, are specialists in
penetration testing and other security auditing services. They are the
developers of CIS (Cerberus' Internet security scanner) available for free
from their website: http://www.cerberus-infosec.co.uk

To ensure that the Cerberus Security Team remains one of the strongest
security audit teams available globally they continually research operating
system and popular service software vulnerabilities, leading to the discovery
of "world first" issues. This not only keeps the team sharp but also helps
the industry and vendors as a whole, ultimately protecting the end consumer.
As testimony to their ability and expertise one just has to look at exactly
how many major vulnerabilities have been discovered by the Cerberus Security
Team - over 60 to date, making them a clear leader among companies offering
such security services.

Founded in late 1999 by Mark and David Litchfield, Cerberus Information
Security, Ltd is located in London, UK but serves customers across the
world. For more information about Cerberus Information Security, Ltd please
visit their website or call on +44(0) 181 661 7405

Permission is hereby granted to copy or redistribute this advisory but only
in its entirety.

Copyright (C) 2000 by Cerberus Information Security, Ltd