Full Disclosure mailing list archives
Fwd: Windows Command Processor CMD.EXE BufferOverflow
From: "Mark Senior" <senatorfrog () gmail com>
Date: Tue, 24 Oct 2006 15:00:10 -0600
There are many such bugs in the Windows utilities.
e.g. sort %d%n

FWIW, on XP SP2, I didn't need to mess with %COMSPEC% /K. Just doing

dir \\?\(A * 260)

at a regular cmd window got me a DEP error.

Mark

(resending - forgot to copy the list first time)

On 10/23/06, Debasis Mohanty wrote:
Matthew Flaschen <matthew.flaschen () gatech edu> to Peter, full-disclosure

Aren't cross-zone urls disallowed by default, though?

I agree with Matthew & Brian. If cmd.exe can be run from a browser using file:// irrespective of cross-zone security boundaries then there are *much* other urgent things to be attended. However, there are other attack vectors out of which few are already mentioned by Nick. This can definitely be exploitable in conjunction with other attack vectors.

regards,
-d

On 10/23/06, Brian Eaton wrote:

On 10/23/06, Peter Ferrie wrote:

file:// ?

OK, I'll bite. Why are file:// URLs relevant to the discussion?

It allows arbitrary data to be passed to CMD.EXE, without first owning the system.

You're telling me that a web page I view in IE can do this?

cmd.exe /K del /F /Q /S C:\*

Forgive my skepticism. Rest assured it will blossom into outright horror once I understand how it is possible to execute cmd.exe from an HTML document.

Regards,
Brian
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/