[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Windows Command Processor CMD.EXE Buffer Overflow

To: full-disclosure <full-disclosure@xxxxxxxxxxxxxxxxx>
Subject: Re: [Full-disclosure] Windows Command Processor CMD.EXE Buffer Overflow
From: Nick FitzGerald <nick@xxxxxxxxxxxxxxxxxxx>
Date: Tue, 24 Oct 2006 10:44:23 +1300

Brian Eaton wrote:

> Is there a reason that a buffer overflow in cmd.exe matters?
> 
> If the attacker is sending arbitrary input to cmd.exe, haven't they
> owned the box anyway?

Without trying to test anything, it just may be exploitable via a 
"shortcut" file or a Packager "package", either embedded or in the form 
of a standalone (.SHS or similar) file.  If so, that potentially opens 
up a few "assisted remote" (i.e. the user has to double-click an 
attachment, click a URL link, etc) exploit options...

Regards,

Nick FitzGerald

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- Re: [Full-disclosure] Windows Command Processor CMD.EXE Buffer Overflow
  - From: offset
- Re: [Full-disclosure] Windows Command Processor CMD.EXE Buffer Overflow
  - From: Brian Eaton

Prev by Date: [Full-disclosure] Comment Service
Next by Date: Re: [Full-disclosure] Windows Command Processor CMD.EXE BufferOverflow
Previous by thread: Re: [Full-disclosure] Windows Command Processor CMD.EXEBufferOverflow
Next by thread: [Full-disclosure] hack.lu Bluetooth demo
Index(es):
- Date
- Thread