[Full-disclosure] Fwd: Windows Command Processor CMD.EXE BufferOverflow
Mark Senior
senatorfrog at gmail.com
Tue Oct 24 22:00:10 BST 2006
There are many such bugs in the Windows utilities. e.g.
sort %d%n
FWIW, on XP SP2, I didn't need to mess with %COMSPEC% /K. Just doing
dir \\?\(A * 260)
at a regular cmd window got me a DEP error.
Mark
(resending - forgot to copy the list first time)
On 10/23/06, Debasis Mohanty wrote:
> >> Matthew Flaschen <matthew.flaschen at gatech.edu> to Peter, full-disclosure
> >> Aren't cross-zone urls disallowed by default, though?
>
> I agree with Matthew & Brian. If cmd.exe can be run from a browser
> using file:// irrespective of cross-zone security boundaries then
> there are *many* other, more urgent things to be attended to.
>
> However, there are other attack vectors, a few of which have already
> been mentioned by Nick. This can definitely be exploited in conjunction
> with other attack vectors.
>
> regards,
> -d
>
> On 10/23/06, Brian Eaton wrote:
> > On 10/23/06, Peter Ferrie wrote:
> > > > > file://
> > > > > ?
> > > >
> > > > OK, I'll bite. Why are file:// URLs relevant to the discussion?
> > >
> > > It allows arbitrary data to be passed to CMD.EXE, without first owning the system.
> >
> > You're telling me that a web page I view in IE can do this?
> >
> > cmd.exe /K del /F /Q /S C:\*
> >
> > Forgive my skepticism. Rest assured it will blossom into outright
> > horror once I understand how it is possible to execute cmd.exe from an
> > HTML document.
> >
> > Regards,
> > Brian
> >
> >
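The two reproducers in Mark's message (`sort %d%n` and `dir \\?\` followed by 260 `A`s at a plain cmd prompt) are one-off tests typed by hand. Below is an added probe harness, not code from the original thread or from any of the posters, that runs those two cases plus a sweep of `\\?\` path lengths around MAX_PATH (260) against cmd.exe and classifies each child's exit code as a normal return, an error, or an NTSTATUS crash such as the access violation a DEP error surfaces as. The choice of lengths, the 10-second timeout, the target names `cmd.exe` and `sort.exe`, and the exit-code labels are assumptions of this example; the probing itself only runs on Windows, the argument builder and classifier run anywhere.

```python
"""Crash-probe harness for the cmd.exe / sort reports in this thread.

Added example, not part of the original posts. Assumes a Windows host for
the actual probing; long_path_arg() and classify_exit() are host-independent.
"""
import subprocess
import sys

MAX_PATH = 260  # Win32 MAX_PATH (assumption: the thread's "260" is this limit)

# NTSTATUS values a crashed child hands back as its exit code.
# Windows reports them as an unsigned DWORD, so 0xC0000005 arrives as 3221225477.
STATUS_ACCESS_VIOLATION = 0xC0000005      # what a DEP fault is reported as
STATUS_STACK_BUFFER_OVERRUN = 0xC0000409  # /GS cookie check failure


def long_path_arg(n):
    """Build the argument Mark typed: the \\?\ prefix followed by n 'A's."""
    return "\\\\?\\" + "A" * n


def classify_exit(code):
    """Map a child's exit code to a short label.

    Masks to 32 bits so a negative (signed) representation of the same
    NTSTATUS classifies identically to the unsigned DWORD form.
    """
    code &= 0xFFFFFFFF
    if code == STATUS_ACCESS_VIOLATION:
        return "access-violation"
    if code == STATUS_STACK_BUFFER_OVERRUN:
        return "gs-stack-overrun"
    if code >= 0xC0000000:            # any other NTSTATUS error severity
        return "crash:0x%08X" % code
    return "ok" if code == 0 else "error:%d" % code


def run_probe(argv, timeout=10):
    """Run one command (Windows only) and classify how it exited."""
    try:
        proc = subprocess.run(argv, capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "timeout"
    return classify_exit(proc.returncode)


def probe_cases():
    """The thread's two reports plus a sweep of \\?\ path lengths.

    sort.exe is invoked directly so cmd.exe cannot expand the %d% in the
    argument; dir is a cmd.exe builtin, so it goes through cmd.exe /c and a
    crash there is cmd.exe's own exit code.
    """
    cases = [("sort %d%n", ["sort.exe", "%d%n"])]  # format-string shaped filename
    lengths = [MAX_PATH - 4, MAX_PATH, MAX_PATH + 4]
    lengths += list(range(320, 4 * MAX_PATH + 1, 128))  # assumption: coarse sweep past MAX_PATH
    for n in lengths:
        cases.append(("dir \\\\?\\A*%d" % n, ["cmd.exe", "/c", "dir", long_path_arg(n)]))
    return cases


def main():
    if sys.platform != "win32":
        print("probing only runs on Windows; long_path_arg/classify_exit still usable")
        return
    for name, argv in probe_cases():
        print("%-20s %s" % (name, run_probe(argv)))


if __name__ == "__main__":
    main()
```

Run it from an ordinary (non-elevated) cmd window on the build under test; a `crash:` or `access-violation` label on a `dir` line is the same failure Mark describes, and the length at which it first appears tells you roughly how far past MAX_PATH the copy runs before it trips DEP or a stack cookie.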
Full-Disclosure is hosted and sponsored by Secunia.