From: James D. Stallard (jamesleafgrove.com)
Date: Wed Aug 20 2008 - 15:37:13 CDT
While investigating centralised automation of power management settings for
Windows XP, I discovered that it is possible to use POWERCFG.EXE to create a
new power management profile scheme with a name of greater than 32
characters. The resultant name cannot be enumerated by POWERCFG.EXE itself
or the control panel applet POWERCFG.CPL, suggesting an unchecked buffer,
with the possibility of a buffer overflow.
Issue concerns the following:
Windows XP SP3
The problem does not occur in Windows 2003 with the following file versions:
Recreate as follows (use a test machine):
- Command: POWERCFG.EXE /CREATE "012345678901234567890123456789012"
- Command: POWERCFG.EXE /LIST
- Note the above command fails to enumerate the new scheme.
- Command: POWERCFG.CPL
- Note the GUI fails to enumerate the new scheme.
- Go to HKEY_CURRENT_USER\Control Panel\PowerCfg\PowerPolicies to remove the
new scheme; it will be listed under the ID of the highest number.
- Go to
Folder\PowerCfg\PowerPolicies and remove the key of the same ID as above.
I was developing a tool to perform central management of Windows XP Power
Management Settings, to allow a client to reduce their carbon footprint
(apparently there are awards to be had for this sort of thing). I had
originally planned to create a new power management scheme with the required
settings, but in light of the above have opted instead to change the profile
of the built-in scheme "Home/Office Desk" as that is always referenced with
the numeric ID 0 and already exists on all Windows XP machines. The project
was a success and for those interested, further information is available
It's also interesting to note that each time a new scheme is created with
the POWERCFG.EXE /CREATE command, it is assigned a unique decimal ID number
incremented from the previous one, even if deleted. I'm therefore of the
opinion that it might also be possible to overflow another buffer by
creating enough new schemes to push the ID beyond the number that can be
enumerated by the EXE or the CPL and potentially permanently break the
functionality. It remains to be seen if this one will run as far as the
malformed malicious ANI issue discovered in March 07 (BugTraq ID: 23194).
Post is reproduced here: http://blog.leafgrove.com/ViewItem.asp?Entry=278
James D. Stallard MBCS CITP MIoD
Mobile: +44 (0) 7979 49 8880
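An added audit helper (not part of the original post or of POWERCFG) that parses a `reg export` of the PowerPolicies key, flags scheme names longer than the 32 characters the post identifies as the enumeration limit, and reports the highest scheme ID, which is where the post says a hidden scheme ends up. It assumes each scheme subkey stores its display name in a REG_SZ value called "Name" and uses a constructed sample export rather than a real machine's registry.

```python
import re
from typing import Dict, List, Optional, Tuple

# Limit from the post: names longer than this were not enumerated by POWERCFG.EXE / POWERCFG.CPL.
MAX_SCHEME_NAME = 32

# Subkey header of one scheme in a `reg export` of the PowerPolicies key (HKCU or HKLM side),
# e.g. [HKEY_CURRENT_USER\Control Panel\PowerCfg\PowerPolicies\5]; group 1 is the numeric ID.
KEY_RE = re.compile(
    r'^\[(?:HKEY_CURRENT_USER|HKEY_LOCAL_MACHINE)\\.*\\PowerCfg\\PowerPolicies\\(\d+)\]$', re.IGNORECASE)
# Assumption: each scheme key carries its display name in a REG_SZ value called "Name".
NAME_RE = re.compile(r'^"Name"="(.*)"$')


def parse_power_policies(reg_text: str) -> Dict[int, str]:
    """Map scheme ID -> scheme name from the text of a .reg export."""
    schemes: Dict[int, str] = {}
    current: Optional[int] = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = int(key.group(1))
            schemes.setdefault(current, "")
            continue
        name = NAME_RE.match(line)
        if name and current is not None:
            # .reg files write '"' as '\"' and '\' as '\\'; undo that escaping.
            schemes[current] = re.sub(r'\\(["\\])', r'\1', name.group(1))
    return schemes


def audit_schemes(schemes: Dict[int, str]) -> Tuple[List[Tuple[int, str]], Optional[int]]:
    """Return the over-long schemes as (ID, name) pairs and the highest ID present."""
    overlong = sorted((i, n) for i, n in schemes.items() if len(n) > MAX_SCHEME_NAME)
    return overlong, (max(schemes) if schemes else None)


# Constructed sample export (not a real machine's registry): the built-in scheme 0 plus a
# scheme created with the 33-character name from the post's repro steps.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Control Panel\PowerCfg\PowerPolicies\0]
"Name"="Home/Office Desk"
"Description"="constructed sample"

[HKEY_CURRENT_USER\Control Panel\PowerCfg\PowerPolicies\6]
"Name"="012345678901234567890123456789012"
'''

if __name__ == "__main__":
    found = parse_power_policies(SAMPLE_EXPORT)
    bad, highest = audit_schemes(found)
    for scheme_id, name in bad:
        print(f"scheme {scheme_id}: name is {len(name)} chars (> {MAX_SCHEME_NAME}): {name!r}")
    print(f"highest scheme ID: {highest}")
```

On a live XP machine, feed it the output of `reg export "HKCU\Control Panel\PowerCfg\PowerPolicies" out.reg` (decoded from UTF-16) to find a scheme that the GUI cannot show.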