Vuln Dev
Windows Command Processor CMD.EXE Buffer Overflow Oct 19 2006 03:33AM
gregory_panakkal (gregory_panakkal fastmail fm) (2 replies)
RE: Windows Command Processor CMD.EXE Buffer Overflow Oct 20 2006 11:51AM
Osvaldo Casagrande (ocasagrande diviserv com) (2 replies)
RE: Windows Command Processor CMD.EXE Buffer Overflow Oct 21 2006 02:05PM
RockyH (rocky he g-wizinnovations com)
RE: Windows Command Processor CMD.EXE Buffer Overflow Oct 20 2006 10:51PM
Marvin Simkin (Marvin Simkin asu edu) (2 replies)
RE: Windows Command Processor CMD.EXE Buffer Overflow Oct 21 2006 12:22PM
gregory_panakkal (gregory_panakkal fastmail fm) (2 replies)
Hi,

I had tested on a couple of WinXP SP2 fully patched systems; DEP came
into the picture.
On Win2k the cmd.exe immediately terminates; on Vista there are no
issues, it throws up a proper error.

Just to clarify whether you executed the command properly: "\\?\" is
required after the dir cmd, and not the one with the single slash "\?\".
To reproduce the issue in WinXP SP2, copy-paste the command from my
original mail into a Notepad instance; remove the unnecessary line
breaks to make it a single-line command. Now, copy-paste this line into
an instance of the command processor and execute it.

On Fri, 20 Oct 2006 15:51:17 -0700, "Marvin Simkin"
<Marvin.Simkin (at) asu (dot) edu [email concealed]> said:
> WXPSP2 fully patched:
>
> C:\>ver
>
> Microsoft Windows XP [Version 5.1.2600]
>
> C:\>%COMSPEC% /K "dir
> \?\AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> The filename or extension is too long.
>
> C:\>
>
> ... but then, all the command history is lost; you cannot arrow-up to
> repeat the command.
>
> -----Original Message-----
> From: listbounce (at) securityfocus (dot) com [email concealed] on behalf of Osvaldo Casagrande
> Sent: Fri 2006-10-20 04:51
> To: gregory_panakkal; vuln-dev (at) securityfocus (dot) com [email concealed]
> Subject: RE: Windows Command Processor CMD.EXE Buffer Overflow
>
> It does not work on Windows Vista RC1 (5728)
>
>
> Osvaldo Casagrande
> MCSE. MCT, MVP, Security+
> Services Manager
> DiviServ S.A.
> D: 595(21) 613 828 | Cel. 595 (971) 300 836 | |: ocasagrande (at) diviserv (dot) com [email concealed]
> | Add me to messenger
>
> Looking for my personal references?
> Access to the MVP Program - Access to MS Certifications. On "Transcript ID"
> input: 740381 / On "Access Code" input: ViewMyInfo
>
> Running Windows Vista RC1- Build 5728 and Office 2007 Beta 2 TR
>
> -----Original Message-----
> From: listbounce (at) securityfocus (dot) com [email concealed] [mailto:listbounce (at) securityfocus (dot) com [email concealed]]
> On Behalf Of gregory_panakkal
> Sent: Wednesday, October 18, 2006 11:33 PM
> To: vuln-dev (at) securityfocus (dot) com [email concealed]
> Subject: Windows Command Processor CMD.EXE Buffer Overflow
>
>
> Windows Command Processor CMD.EXE Buffer Overflow
> Tested on WinXP SP2
> Impact - Very Low
>
>
> Copy-paste the following line in cmd.exe and execute it..
> (it is a single command, has been split into multiple lines for
> readability sake).
>
> %COMSPEC% /K "dir
> \\?\AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
>
> (260 characters of 'A's)
>
> DEP Comes into the picture.
>
> URL:
> http://www.infogreg.com/security/misc/windows-command-processor-cmd.exe-buffer-overflow.html
>
> regards,
> Gregory Panakkal
> www.infogreg.com
> --
> gregory_panakkal
> gregory_panakkal (at) fastmail (dot) fm [email concealed]
>
> --
> http://www.fastmail.fm - I mean, what is it about a decent email service?
>
>
--
gregory_panakkal
gregory_panakkal (at) fastmail (dot) fm [email concealed]

--
http://www.fastmail.fm - A fast, anti-spam email service.
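
Added example, not part of the original thread: a triage check over process-creation records that flags cmd.exe command lines carrying a "\\?\" path argument of 260 or more characters, and ignores the single-slash "\?\" form that the message above says is not the reported case. The event tuple layout, host names and the 260 threshold are assumptions; the sample events are constructed.

```python
import re

# Literal "\\?\" followed by the characters of one path argument
# (stops at whitespace, a closing quote, or a redirection character).
EXTENDED_PATH = re.compile(r'\\\\\?\\([^\s"<>|]+)')

# The report used 260 filler characters after the prefix; 260 is also the
# Win32 MAX_PATH constant. Using it as the alert threshold is an assumption.
THRESHOLD = 260

PREFIX = "\\\\?\\"        # the two-backslash form:  \\?\
SINGLE_SLASH = "\\?\\"    # the one-backslash form:  \?\


def long_extended_paths(cmdline, threshold=THRESHOLD):
    # Lengths of every double-backslash extended-path argument in cmdline
    # whose remainder after the prefix is at least `threshold` characters.
    lengths = (len(m.group(1)) for m in EXTENDED_PATH.finditer(cmdline))
    return [n for n in lengths if n >= threshold]


def triage(events, threshold=THRESHOLD):
    # events: iterable of (host, image, command_line) tuples, a hypothetical
    # layout standing in for whatever process-creation log is collected.
    hits = []
    for host, image, cmdline in events:
        if not image.lower().endswith("\\cmd.exe"):
            continue  # this check is scoped to the command processor
        for n in long_extended_paths(cmdline, threshold):
            hits.append({"host": host, "path_chars": n})
    return hits


CMD = r"C:\WINDOWS\system32\cmd.exe"
# Constructed sample events, not taken from any real log.
SAMPLE_EVENTS = [
    ("ws01", CMD, 'cmd.exe /K "dir ' + PREFIX + "A" * 260 + '"'),
    ("ws02", CMD, 'cmd.exe /K "dir ' + SINGLE_SLASH + "A" * 260 + '"'),
    ("ws03", CMD, 'cmd.exe /K "dir ' + PREFIX + r'C:\Temp\report.txt"'),
    ("ws04", r"C:\WINDOWS\notepad.exe", "notepad " + PREFIX + "A" * 300),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

Only the ws01 record is reported: ws02 uses the single-slash form, ws03 is a short extended path, and ws04 is not cmd.exe.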

RE: Windows Command Processor CMD.EXE Buffer Overflow Oct 23 2006 03:05PM
Marvin Simkin (Marvin Simkin asu edu)
Re: Windows Command Processor CMD.EXE Buffer Overflow Oct 22 2006 01:01PM
Dan Yefimov (dan ns15 lightwave net ru) (2 replies)
Re: Windows Command Processor CMD.EXE Buffer Overflow Oct 22 2006 10:24PM
Danux (danuxx gmail com)
RE: Windows Command Processor CMD.EXE Buffer Overflow Oct 22 2006 07:56PM
Luis Alberto Cortes Zavala (napasn securitynation com) (1 replies)
Re: Windows Command Processor CMD.EXE Buffer Overflow Oct 23 2006 04:51PM
Dan Yefimov (dan ns15 lightwave net ru)
RE: Windows Command Processor CMD.EXE Buffer Overflow Oct 20 2006 10:57PM
Marvin Simkin (Marvin Simkin asu edu)
Re: Windows Command Processor CMD.EXE Buffer Overflow Oct 20 2006 08:58AM
The SNiFF (thesniff gmail com) (1 replies)
RE: Windows Command Processor CMD.EXE Buffer Overflow Oct 20 2006 07:33PM
Luis Alberto Cortes Zavala (napasn securitynation com)


 

Copyright 2010, SecurityFocus