Subject: Re: CMD.EXE overflow (CISADV000420)
From: Todd Sabin (tas@WEBSPAN.NET)
Date: Fri Apr 21 2000 - 10:37:28 CDT
- Next message: Steve: "Re: RFP2K03: Contemplations on dvwssr.dll and how it affects life"
- Previous message: Paul L Schmehl: "Re: FW: RFP2K03: Contemplations on dvwssr.dll and how it affects life"
- Maybe reply: Todd Sabin: "Re: CMD.EXE overflow (CISADV000420)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Cerberus Security Team <CST@CERBERUS-INFOSEC.CO.UK> writes:
> Cerberus Information Security Advisory (CISADV000420)
> http://www.cerberus-infosec.co.uk/advisories.html
> [...]
> Details
> *******
> By providing an overly long string as an argument to a CGI based batch file
> it is possible to crash the command interpreter in the "clean up" stages.
> Although control of the Instruction Pointer register (EIP) is gained it is
> done so with a UNICODE address eg 0x00410041. Having debugged the
> application it seems that, in this case, there is nowhere useful in memory
> to jump to to be able to get back to any "exploit code".
>
Assuming you have control over what the overflow contains, why can't
you just use a Unicode string that doesn't contain NUL bytes? E.g.,
overflow with a CJK string?
It sounds like there may be more here than simple DoS.
Todd
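The exchange above turns on one encoding detail: a wide-character (UTF-16LE) copy of an ASCII string such as "AAAA" is 41 00 41 00, which is where the 0x00410041 in the advisory comes from, while a code point whose two bytes are both non-zero leaves no NUL in memory. The following script is an added illustration for readers triaging such a report; it is not code from the advisory, from Cerberus, or from Todd's reply. It encodes candidate strings the way Windows stores WCHAR data, reports whether the encoding contains any 0x00 byte, shows what 32-bit value would be read from a given offset, and counts how many code points in a Unicode block (the CJK Unified Ideographs range is used as a constructed example) are NUL-free. The function names are my own.

```python
# Added example: why a UTF-16 overflow is not automatically "just a crash".
# Not from the advisory or the reply; function names are hypothetical.
import struct


def utf16le_bytes(s: str) -> bytes:
    """Encode a string as Windows stores wide-character (WCHAR) data."""
    return s.encode("utf-16-le")


def has_nul(s: str) -> bool:
    """True if the wide-string encoding contains at least one 0x00 byte.

    Every ASCII character becomes <byte> 00, so any ASCII text yields NULs;
    a code point like U+4E2D becomes 2D 4E and contributes none.
    """
    return b"\x00" in utf16le_bytes(s)


def overwritten_eip(s: str, offset: int) -> int:
    """Little-endian 32-bit value found at `offset` in the encoded string.

    This is what a saved return address would hold if the overflowing copy
    covered it with these bytes (x86 is little-endian, so "AA" -> 0x00410041).
    """
    return struct.unpack_from("<I", utf16le_bytes(s), offset)[0]


def count_nul_free(lo: int, hi: int) -> int:
    """Number of code points in [lo, hi] whose UTF-16LE form has no 0x00 byte.

    Surrogate code points (U+D800..U+DFFF) are skipped because they are not
    encodable on their own. Not every CJK character qualifies: one code point
    in every 256 (for example U+4E00) has a zero low byte.
    """
    total = 0
    for cp in range(lo, hi + 1):
        if 0xD800 <= cp <= 0xDFFF:
            continue
        if not has_nul(chr(cp)):
            total += 1
    return total


def triage(s: str, offset: int = 0) -> dict:
    """Summarise one candidate overflow string for a risk assessment."""
    return {
        "encoded": utf16le_bytes(s).hex(" "),
        "contains_nul": has_nul(s),
        "value_at_offset": hex(overwritten_eip(s, offset)),
    }


if __name__ == "__main__":
    # Constructed inputs: plain ASCII versus two CJK ideographs.
    for sample in ("AAAA", "\u4e2d\u4e2d", "\u4e00\u4e00"):
        print(repr(sample), triage(sample))
    # CJK Unified Ideographs block, used here as a constructed range.
    print("NUL-free code points in U+4E00..U+9FFF:", count_nul_free(0x4E00, 0x9FFF))
```

The useful takeaway for whoever rates the finding is that the NUL bytes are a property of the input the reporter happened to use, not of the bug, so a report showing EIP control with a Unicode-shaped value should be rated as potential code execution rather than denial of service until the input encoding has been examined.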