Focus on Microsoft
Unchecked Buffer in PowerCFG.CPL and PowerCFG.EXE on Windows XP SP3 Aug 20 2008 08:37PM
James D. Stallard (james leafgrove com)

While investigating centralised automation of power management settings for
Windows XP, I discovered that it is possible to use POWERCFG.EXE to create a
new power management profile scheme with a name of greater than 32
characters. The resultant name cannot be enumerated by POWERCFG.EXE itself
or the control panel applet POWERCFG.CPL, suggesting an unchecked buffer,
with the possibility of a buffer overflow.

Issue concerns the following:
Windows XP SP3
POWERCFG.CPL v6.00.2900.5512
POWERCFG.EXE v5.1.2600.5512

The problem does not occur in Windows 2003 with the following file versions:
POWERCFG.CPL v6.00.3790.3959
POWERCFG.EXE v5.2.3790.3959

Recreate as follows (use a test machine):
- Command: POWERCFG.EXE /CREATE "012345678901234567890123456789012"
- Note above command fails to enumerate the new scheme.
- Note GUI fails to enumerate the new scheme.
- Go to HKEY_CURRENT_USER\Control Panel\PowerCfg\PowerPolicies to remove the
  new scheme; it will be listed under the ID of the highest number.
- Go to
  Folder\PowerCfg\PowerPolicies and remove the key of the same ID as above.
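For anyone scripting scheme creation the way the post describes, the practical defence is to refuse over-length names before they reach POWERCFG.EXE, and to audit the PowerPolicies keys for schemes that the tools can no longer show. The following is an added example written for this page, not the author's management tool and not Microsoft code. It assumes the 32-character limit observed above is the effective maximum (inferred from the post, not documented), that each scheme sits under HKEY_CURRENT_USER\Control Panel\PowerCfg\PowerPolicies\<id> with a "Name" REG_SZ value (the Windows XP layout), and it uses a constructed in-memory dump instead of reading the live registry so it runs anywhere.

```python
"""Pre-flight check and audit for Windows XP power-scheme names.

Added example for this page; not the original poster's tool or Microsoft code.
Assumptions (labelled where used):
  * MAX_SCHEME_NAME_LEN = 32 is inferred from the post's observation, not documented;
  * scheme keys live under HKCU\Control Panel\PowerCfg\PowerPolicies\<decimal id>
    and carry a "Name" string value (Windows XP layout);
  * SAMPLE_POWER_POLICIES below is a constructed dump standing in for the registry.
"""

MAX_SCHEME_NAME_LEN = 32  # assumption: limit inferred from the post, not documented
POWER_POLICIES_KEY = r"HKEY_CURRENT_USER\Control Panel\PowerCfg\PowerPolicies"


def validate_scheme_name(name: str) -> str:
    """Return the name if it is safe to hand to POWERCFG.EXE /CREATE, else raise."""
    if not name or name.isspace():
        raise ValueError("scheme name must not be empty")
    # Quotes and line breaks would break the quoted command-line argument.
    if any(ch in name for ch in '"\r\n'):
        raise ValueError("quotes and line breaks are not allowed in a scheme name")
    if len(name) > MAX_SCHEME_NAME_LEN:
        raise ValueError(
            f"scheme name is {len(name)} characters; limit is {MAX_SCHEME_NAME_LEN}"
        )
    return name


def is_name_accepted(name: str) -> bool:
    """Boolean form of validate_scheme_name for callers that just want a yes/no."""
    try:
        validate_scheme_name(name)
        return True
    except ValueError:
        return False


def build_create_command(name: str) -> list:
    """Argument list for POWERCFG.EXE /CREATE, built only after validation passes."""
    return ["POWERCFG.EXE", "/CREATE", validate_scheme_name(name)]


# Constructed sample shaped like the PowerPolicies key: id -> {value name: data}.
# Id 6 reproduces the post's 33-character name; the others are stock XP schemes.
SAMPLE_POWER_POLICIES = {
    "0": {"Name": "Home/Office Desk"},
    "1": {"Name": "Portable/Laptop"},
    "6": {"Name": "012345678901234567890123456789012"},
}


def find_overlong_schemes(policies: dict) -> list:
    """List (id, name) for schemes whose name exceeds the limit, highest id first.

    These are the schemes the post reports as invisible to POWERCFG.EXE and the
    control panel applet, so they can only be found and removed via the registry.
    """
    flagged = [
        (scheme_id, values.get("Name", ""))
        for scheme_id, values in policies.items()
        if len(values.get("Name", "")) > MAX_SCHEME_NAME_LEN
    ]
    return sorted(flagged, key=lambda item: int(item[0]), reverse=True)


def cleanup_key_path(scheme_id: str) -> str:
    """Full HKCU key an administrator would delete to remove a hidden scheme."""
    return POWER_POLICIES_KEY + "\\" + scheme_id


def highest_scheme_id(policies: dict) -> int:
    """Highest decimal id in use; the post notes new schemes get the next number."""
    return max(int(scheme_id) for scheme_id in policies)


if __name__ == "__main__":
    print(build_create_command("Green Desktop"))
    for scheme_id, name in find_overlong_schemes(SAMPLE_POWER_POLICIES):
        print(f"hidden scheme {scheme_id} ({len(name)} chars): {cleanup_key_path(scheme_id)}")
```

On a real machine the dump would come from winreg (or a `reg export` of the key) in place of SAMPLE_POWER_POLICIES; the per-user key is the one the post names, and the machine-wide counterpart whose path is truncated above must be cleaned of the same id as well.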

I was developing a tool to perform central management of Windows XP Power
Management Settings, to allow a client to reduce their carbon footprint
(apparently there are awards to be had for this sort of thing). I had
originally planned to create a new power management scheme with the required
settings, but in light of the above have opted instead to change the profile
of the built-in scheme "Home/Office Desk" as that is always referenced with
the numeric ID 0 and already exists on all Windows XP machines. The project
was a success and for those interested, further information is available

It's also interesting to note that each time a new scheme is created with
the POWERCFG.EXE /CREATE command, it is assigned a unique decimal ID number
incremented from the previous one, even if deleted. I'm therefore of the
opinion that it might also be possible to overflow another buffer by
creating enough new schemes to push the ID beyond the number that can be
enumerated by the EXE or the CPL and potentially permanently break the
functionality. It remains to be seen if this one will run as far as the
malformed malicious ANI issue discovered in March 07 (BugTraq ID: 23194).

Post is reproduced here:



James D. Stallard MBCS CITP MIoD
Enterprise Architect
Email: james (at) leafgrove (dot) com
Mobile: +44 (0) 7979 49 8880
Skype: JamesDStallard



Copyright 2010, SecurityFocus