Fwd: Windows Command Processor CMD.EXE BufferOverflow

["Mark Senior" <senatorfrog () gmail com>]

There are many such bugs in the Windows utilities.  e.g.

sort %d%n

FWIW, on XP SP2, I didn't need to mess with %COMSPEC% /K.  Just doing

dir \\?\(A * 260)

at a regular cmd window got me a DEP error.

Mark

(resending - forgot to copy the list first time)

On 10/23/06, Debasis Mohanty wrote:
> > >  Matthew Flaschen <matthew.flaschen () gatech edu> to Peter, full-disclosure
> > >  Aren't cross-zone urls disallowed by default, though?
>
> I agree with Matthew & Brian. If cmd.exe can be run from a browser
> using file:// irrespective of cross-zone security boundaries then
> there are *much* other urgent things to be attended.
>
> However, there are other attack vectors out of which few are already
> mentioned by Nick. This can definitely be exploitable in conjunction
> with other attack vectors.
>
> regards,
> -d
>
> On 10/23/06, Brian Eaton  wrote:
> > On 10/23/06, Peter Ferrie  wrote:
> > > > > file://
> > > > > ?
> > > >
> > > > OK, I'll bite.  Why are file:// URLs relevant to the discussion?
> > >
> > > It allows arbitrary data to be passed to CMD.EXE, without first owning the system.
> >
> > You're telling me that a web page I view in IE can do this?
> >
> > cmd.exe /K del /F /Q /S C:\*
> >
> > Forgive my skepticism.  Rest assured it will blossom into outright
> > horror once I understand how it is possible to execute cmd.exe from an
> > HTML document.
> >
> > Regards,
> > Brian

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/