[Full-disclosure] Fwd: Windows Command Processor CMD.EXE BufferOverflow
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: [Full-disclosure] Fwd: Windows Command Processor CMD.EXE BufferOverflow
- From: "Mark Senior" <senatorfrog@xxxxxxxxx>
- Date: Tue, 24 Oct 2006 15:00:10 -0600
There are many such bugs in the Windows utilities. e.g.
sort %d%n
FWIW, on XP SP2, I didn't need to mess with %COMSPEC% /K. Just doing
dir \\?\(A * 260)
at a regular cmd window got me a DEP error.
Mark
(resending - forgot to copy the list first time)
On 10/23/06, Debasis Mohanty wrote:
> >> Matthew Flaschen <matthew.flaschen@xxxxxxxxxx> to Peter, full-disclosure
> >> Aren't cross-zone urls disallowed by default, though?
>
> I agree with Matthew & Brian. If cmd.exe can be run from a browser
> using file:// irrespective of cross-zone security boundaries then
> there are *many* other, more urgent things to attend to.
>
> However, there are other attack vectors, a few of which were already
> mentioned by Nick. This can definitely be exploitable in conjunction
> with other attack vectors.
>
> regards,
> -d
>
> On 10/23/06, Brian Eaton wrote:
> > On 10/23/06, Peter Ferrie wrote:
> > > > > file://
> > > > > ?
> > > >
> > > > OK, I'll bite. Why are file:// URLs relevant to the discussion?
> > >
> > > It allows arbitrary data to be passed to CMD.EXE, without first owning
> > > the system.
> >
> > You're telling me that a web page I view in IE can do this?
> >
> > cmd.exe /K del /F /Q /S C:\*
> >
> > Forgive my skepticism. Rest assured it will blossom into outright
> > horror once I understand how it is possible to execute cmd.exe from an
> > HTML document.
> >
> > Regards,
> > Brian
> >
> >
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
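As an added example that is not part of this thread, the following Python script shows the defender-side counterpart to the two crash triggers mentioned above: it scans process command lines for an argument that follows the `\\?\` extended-length path prefix and is at least 260 characters long (the length Mark reports as enough for a DEP error; that threshold is an assumption taken from his report, not a documented limit), and for a `%n` format specifier such as the `sort %d%n` case. The sample command lines are constructed for the example, and the function names are this example's own.

```python
import re

# Constructed sample process-creation command lines (not from the original thread).
SAMPLE_CMDLINES = [
    'cmd.exe /K dir \\\\?\\' + 'A' * 260,        # overlong \\?\ argument, as in the repro above
    'cmd.exe /C sort %d%n',                       # %n format specifier passed to sort
    'cmd.exe /C dir C:\\Users\\alice\\Documents',  # ordinary use, should not be flagged
    'cmd.exe /C sort report.txt',                 # ordinary use, should not be flagged
]

# Assumed threshold: 260 characters after the \\?\ prefix, taken from the report above.
MAX_PATH = 260

# Matches the \\?\ prefix and captures the argument text that follows it
# (up to whitespace or a double quote).
EXTENDED_PREFIX = re.compile(r'\\\\\?\\([^\s"]*)')

# Coarse heuristic for a %n format specifier (optionally width-prefixed);
# the trailing \b keeps %name%-style variable references from matching.
FORMAT_N = re.compile(r'%\d*n\b')


def extended_path_length(cmdline: str) -> int:
    """Return the length of the longest argument following a \\?\ prefix, or 0."""
    return max((len(m.group(1)) for m in EXTENDED_PREFIX.finditer(cmdline)), default=0)


def is_overlong_extended_path(cmdline: str, threshold: int = MAX_PATH) -> bool:
    """True when an extended-length path argument reaches the assumed threshold."""
    return extended_path_length(cmdline) >= threshold


def has_percent_n(cmdline: str) -> bool:
    """True when the command line carries a %n format specifier."""
    return FORMAT_N.search(cmdline) is not None


def flag_suspicious(cmdlines):
    """Return (cmdline, reasons) pairs for lines matching either heuristic."""
    findings = []
    for line in cmdlines:
        reasons = []
        if is_overlong_extended_path(line):
            reasons.append('overlong \\\\?\\ path argument')
        if has_percent_n(line):
            reasons.append('%n format specifier')
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == '__main__':
    for line, reasons in flag_suspicious(SAMPLE_CMDLINES):
        print(f'{", ".join(reasons)}: {line[:60]}...')
```

Both checks are heuristics over the command-line text only; in practice they would be fed from process-creation auditing and tuned so that legitimate long `\\?\` paths (which can be considerably longer than 260 characters) do not cause false positives for the specific builtins under discussion.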