Security

  • Windows Command Processor CMD.EXE BufferOverflow


    This works on Windows SP2: the system doesn't reply "The filename or extension is too long."
    but cmd crashes.
    Tillmann Werner <tillmann.werner (AT) gmx (DOT) de> wrote:
    Luis,
    Tried it on Win2k3 SP1:
    C:\Documents and Settings\Administrator>%CMSPEC% /K
    "dir\\?\

    >A AAAA
    >


    >A AAAA

    "
    System replied:
    The filename or extension is too long.
    --
    Yeah! Buffer Windows XP SP2
    I will debug this.
    What makes you think there is a buffer overflow? I'd say the 'dir' command
    reports an error for parameters beyond 256 chars. Just plain error handling,
    not a security issue, or am I missing something?
    Tillmann
    Full-Disclosure - We believe in it.
    Charter:
    Hosted and sponsored by Secunia - http://secunia.com/
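    The distinction Tillmann draws (an error message for an over-long parameter versus a crash) comes down to whether the argument length is checked before it is copied into a fixed-size path buffer. As an added illustration that is not from any poster and not Microsoft's code, the hypothetical copy_path_arg below models that step in C using the documented MAX_PATH and ERROR_FILENAME_EXCED_RANGE values, and build_probe constructs the `\\?\` plus 260 'A's input Mark describes:

```c
#include <stdio.h>
#include <string.h>

/* Documented Win32 values, defined here so the example builds without windows.h. */
#define MAX_PATH 260
#define ERROR_SUCCESS 0
#define ERROR_FILENAME_EXCED_RANGE 206 /* "The filename or extension is too long." */

/* Verbatim-path prefix; it tells the Win32 layer to skip path normalisation. */
static const char VERBATIM_PREFIX[] = "\\\\?\\";

/* Hypothetical model of a tool copying a path argument into a MAX_PATH buffer.
 * The crash in the thread corresponds to the unchecked form of this step
 * (strcpy(out, arg) with no length test), where an argument longer than the
 * buffer overwrites adjacent memory. Here the bound is tested before any copy,
 * and an over-long argument yields the same error code the well-behaved builds
 * report instead of a crash. */
int copy_path_arg(const char *arg, char out[MAX_PATH])
{
    size_t len = strlen(arg);
    if (len >= MAX_PATH)               /* room for MAX_PATH-1 chars plus NUL */
        return ERROR_FILENAME_EXCED_RANGE;
    memcpy(out, arg, len + 1);
    return ERROR_SUCCESS;
}

/* 1 when the argument carries the \\?\ prefix: the case where callers most
 * often assume "no MAX_PATH limit applies" and skip the length check. */
int has_verbatim_prefix(const char *arg)
{
    return strncmp(arg, VERBATIM_PREFIX, strlen(VERBATIM_PREFIX)) == 0;
}

/* Constructed test input from the thread: "\\?\" followed by n 'A' characters.
 * Returns the resulting length, or 0 if dst (capacity cap) cannot hold it. */
size_t build_probe(char *dst, size_t cap, size_t n)
{
    size_t plen = strlen(VERBATIM_PREFIX);
    if (plen + n + 1 > cap) return 0;
    memcpy(dst, VERBATIM_PREFIX, plen);
    memset(dst + plen, 'A', n);
    dst[plen + n] = '\0';
    return plen + n;
}

int main(void)
{
    char probe[1024], out[MAX_PATH];
    build_probe(probe, sizeof probe, 260);  /* the dir \\?\(A * 260) case */
    int rc = copy_path_arg(probe, out);
    printf("verbatim=%d rc=%d (%s)\n", has_verbatim_prefix(probe), rc,
           rc == ERROR_FILENAME_EXCED_RANGE ? "rejected as too long" : "copied");
    return 0;
}
```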
  • No.1

    On 10/23/06, offset (AT) galvanet (DOT) com <offset (AT) galvanet (DOT) com> wrote:
    This works on Windows SP2: the system doesn't reply "The filename or extension is too long."
    but cmd crashes.

    Is there a reason that a buffer overflow in cmd.exe matters?

    If the attacker is sending arbitrary input to cmd.exe, haven't they
    owned the box anyway?

    Regards,
    Brian

  • No.2

    Dear Brian Eaton,
    file://
    ?
  • No.3

    On 10/23/06, Thierry Zoller <Thierry (AT) zoller (DOT) lu> wrote:
    Dear Brian Eaton,
    --
    file://
    ?

    Dear Thierry,

    K, I'll bite. Why are file:// URLs relevant to the discussion?

    (Be obscure if you want to, but at least give me enough key words
    that I can STFW.)

    Regards,
    Brian

  • No.4

    Brian Eaton wrote:

    Is there a reason that a buffer overflow in cmd.exe matters?

    If the attacker is sending arbitrary input to cmd.exe, haven't they
    owned the box anyway?

    Without trying to test anything, it just may be exploitable via a
    "shortcut" file or a Packager "package", either embedded or in the form
    of a standalone (.SHS or similar) file. If so, that potentially opens
    up a few "assisted remote" (i.e. the user has to double-click an
    attachment, click a URL link, etc) exploit options.

    Regards,

    Nick FitzGerald

  • No.5

    On 10/23/06, Peter Ferrie <pferrie (AT) symantec (DOT) com> wrote:
    file://
    ?

    K, I'll bite. Why are file:// URLs relevant to the discussion?

    It allows arbitrary data to be passed to CMD.EXE, without first owning the system.

    You're telling me that a web page I view in IE can do this?

    cmd.exe /K del /F /Q /S C:\*

    Forgive my skepticism. Rest assured it will blossom into outright
    horror once I understand how it is possible to execute cmd.exe from an
    HTML document.

    Regards,
    Brian

  • No.6

    >Matthew Flaschen <matthew.flaschen (AT) gatech (DOT) edu> to Peter, full-disclosure
    >Aren't cross-zone urls disallowed by default, though?


    I agree with Matthew & Brian. If cmd.exe can be run from a browser
    using file:// irrespective of cross-zone security boundaries, then
    there are *much* more urgent things to attend to.

    However, there are other attack vectors, a few of which Nick has already
    mentioned. This can definitely be exploitable in conjunction
    with other attack vectors.

    regards,
    -d

  • No.7

    There are many such bugs in the Windows utilities. e.g.

    sort %d%n

    FWIW, on XP SP2, I didn't need to mess with %CMSPEC% /K. Just doing

    dir \\?\(A * 260)

    at a regular cmd window got me a DEP error.

    Mark

    (resending - forgot to copy the list first time)

  • No.8

    Peter Ferrie wrote:
    >> file://
    >> ?
    > K, I'll bite. Why are file:// URLs relevant to the discussion?
    It allows arbitrary data to be passed to CMD.EXE, without first
    owning the system.

    No it doesn't. It passes arbitrary data to the windows gui shell exec
    function. It doesn't invoke cmd.exe. Unless you have an actual working
    example?

    cheers,
    DaveK
