[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Windows Command Processor CMD.EXE Buffer Overflow

To: "C. Hamby" <fixer@xxxxxxx>, Tillmann Werner <tillmann.werner@xxxxxx>
Subject: Re: [Full-disclosure] Windows Command Processor CMD.EXE Buffer Overflow
From: David Taylor <ltr@xxxxxxxxxxxxx>
Date: Mon, 23 Oct 2006 13:50:09 -0400

I got a "Data Execution Prevention" popup message from Windows using the
%COMSPEC% string below as well as just the dir\\?\ string as well.


On 10/23/06 12:31 PM, "C. Hamby" <fixer@xxxxxxx> wrote:

> This looks more like the command processor itself is reporting an error
> because of length.  The %COMSPEC% variable is kind of an odd thing to
> use if the shell is already open (you usually see that in VBS to call
> the current command shell followed by the /K to keep it open).  Then
> again I could be totally wrong....it does happen from time to time :-)
> 
> I agree with Tillman, this doesn't look like a security issue.
> 
> -cdh
> 
> 
> Tillmann Werner wrote:
>> Luis,
>> 
>>> Tried it on Win2k3 SP1:
>>> C:\Documents and Settings\Administrator>%COMSPEC% /K
>>> "dir\\?\AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>>> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>>> A AAAA
>>> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>>> A AAAA
>>> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
>>> System replied:
>>> The filename or extension is too long.
>>> 
>>> 
>>> YEah! Buffer Overflow Windows XP SP2
>>> 
>>> I Hill debug this.
>> 
>> What makes you think there is a buffer overflow? I'd say the 'dir' command
>> reports an error for parameters beyond 256 chars. Just plain error handling,
>> not a security issue, or am I missing something?
>> 
>> Tillmann
>> 
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>> 
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
> 


==================================================
David Taylor //Sr. Information Security Specialist
University of Pennsylvania Information Security
Philadelphia PA USA
(215) 898-1236
http://www.upenn.edu/computing/security/

Shadowserver Foundation Member
http://www.shadowserver.org
==================================================





_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- Re: [Full-disclosure] Windows Command Processor CMD.EXE Buffer Overflow
  - From: C. Hamby

Prev by Date: Re: [Full-disclosure] Windows Command Processor CMD.EXE Buffer Overflow
Next by Date: Re: [Full-disclosure] Plague re-visited
Previous by thread: Re: [Full-disclosure] Windows Command Processor CMD.EXE Buffer Overflow
Next by thread: Re: [Full-disclosure] [funsec] Who is n3td3v?
Index(es):
- Date
- Thread