NSLOOKUP.EXE  Mar 20 2003 12:45AM  Patrick Webster (webster_p DeMorgan com au)  (2 replies)
Re: NSLOOKUP.EXE  Mar 22 2003 05:40AM  K. K. Mookhey (cto nii co in)  (2 replies)
Re: NSLOOKUP.EXE  Mar 24 2003 12:32PM  Marcos D. Marado Torres (marado student dei uc pt)
RE: NSLOOKUP.EXE  Mar 23 2003 09:41PM  Brett Moore (brett softwarecreations co nz)
Hi all..
On win32 systems, it is a common misconception that buffer overflows in local executables through command line arguments do not present much of a security risk. However, they do give an attacker another avenue of attack. For example, going back to the long unicode/double decode vulnerabilities, where one simple solution was to remove the cmd.exe program. Although some commands could still be run through other programs such as attrib and more, for directory listing and file reading, command execution is limited.

But with the help of a local exe that is vulnerable to command line overflow, couldn't an attacker use something similar to

/scripts/..etc../nslookup?<overflowstring with shellcode>

to obtain command access?
Brett
-----Original Message-----
From: K. K. Mookhey [mailto:cto (at) nii.co (dot) in]
Sent: Saturday, March 22, 2003 5:41 PM
To: Patrick Webster; vuln-dev (at) securityfocus (dot) com
Subject: Re: NSLOOKUP.EXE
Hi,
On a related note, we had reported the following local BOs to MS. But since neither they nor we could come up with any remote exploits for this, I guess members on this list could check it out. Some of these do not work on Win2K SP3, but do work on earlier versions.
First:
C:\>regsvr32 AAAAAAA...(1300 times)
Second:
C:\>winhlp32
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaa
aaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaa
aaaa
aaaaaaaaaaaaaaaaaaaaa.exe
This one crashes only at a particular value of A's, not if it's any more or if it's any less.
Again, unless any of these runs with elevated privileges, or someone feeds
in data remotely to these exes, the buffer overflows do not represent a
security risk.
K. K. Mookhey
CTO,
Network Intelligence India Pvt. Ltd.
Web: www.nii.co.in
=================================
Security Auditing Handbooks
http://www.nii.co.in/research/handbook.html
=================================
----- Original Message -----
Hi List,
Can you do anything interesting with this?:
C:\>nslookup
Default Server: dns.server.net
Address: 111.222.333.444
>
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Gives error: memory can't be "read" - 0x414141 (aka A).
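An added illustration, not code from any of the posters and not taken from Microsoft's nslookup, regsvr32 or winhlp32: a C sketch of the bug class under discussion (an unbounded copy of argv into a fixed stack buffer), the hardened form, the path Brett describes where the text after "?" in a request becomes the executable's argument, and a triage check for the kind of fault Patrick reports, where the faulting address is made entirely of the fill byte 0x41 ('A'). NAME_MAX_LEN, the function names, and the assumption that the server hands the part of the URL after "?" to the exe unchanged as its argument are all mine, chosen for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed size of the fixed stack buffer a lookup utility might use for
 * its first argument. Illustrative value, not taken from any real binary. */
#define NAME_MAX_LEN 64

/*
 * Vulnerable pattern (kept only for comparison; do not run it with long input):
 * argv[1] is copied into a fixed-size stack buffer with no length check.
 * An argument of NAME_MAX_LEN characters or more overwrites whatever sits
 * above the buffer on the stack, including the saved return address.
 */
void lookup_vulnerable(const char *arg)
{
    char name[NAME_MAX_LEN];
    strcpy(name, arg);              /* unbounded: the classic argv overflow */
    printf("looking up %s\n", name);
}

/*
 * Hardened replacement: refuse anything that does not fit rather than
 * silently truncating (a truncated hostname would resolve the wrong name).
 * Returns 0 on success, -1 if the argument is too long for out.
 */
int lookup_hardened(const char *arg, char *out, size_t outlen)
{
    size_t n = strlen(arg);
    if (outlen == 0 || n >= outlen)
        return -1;
    memcpy(out, arg, n + 1);        /* copies the terminating NUL as well */
    return 0;
}

/*
 * The remote path Brett sketches: the text after '?' in the request URL
 * becomes the executable's argument (assumption for this example). Copying
 * it through lookup_hardened means an over-long query is rejected instead
 * of reaching the stack buffer.
 * Returns 0 on success, -1 if there is no argument or it is too long.
 */
int arg_from_query(const char *url, char *out, size_t outlen)
{
    const char *q = strchr(url, '?');
    if (q == NULL || q[1] == '\0')
        return -1;                  /* no argument supplied */
    return lookup_hardened(q + 1, out, outlen);
}

/*
 * Crash triage: a read fault on an address whose four bytes are all the
 * fill character (0x41 == 'A') means the overflowed data reached a pointer
 * or return address the CPU then dereferenced, i.e. the value is under the
 * attacker's control. Returns 1 if every byte of addr equals fill, else 0.
 */
int fault_addr_is_fill(uint32_t addr, unsigned char fill)
{
    for (int i = 0; i < 4; i++) {
        if (((addr >> (8 * i)) & 0xffu) != fill)
            return 0;
    }
    return 1;
}

/* Stand-alone run: pass a URL-style string as argv[1]. */
int main(int argc, char **argv)
{
    char name[NAME_MAX_LEN];
    const char *url = argc > 1 ? argv[1] : "/scripts/nslookup?www.example.com";

    if (arg_from_query(url, name, sizeof name) != 0) {
        fprintf(stderr, "argument rejected: missing or longer than %d\n",
                NAME_MAX_LEN - 1);
        return 1;
    }
    printf("would resolve %s\n", name);
    return 0;
}
```

The fixed buffer and the "?" convention are modelling assumptions; the point that carries over is that any length check must happen before the copy, and that a fault address of 0x41414141 from an all-'A' input is the signal that the overwrite reached a control value rather than merely corrupting unused stack.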