another fatal bug in NT/2000 "Command Prompt" I/O

From: Michael Wojcik (Michael.Wojcik@merant.com)
Date: 10/26/01


Message-ID: <27B17B8B25A3D411B45800805FA7F01C0160E15A@mtvmail.merant.com>
From: Michael Wojcik <Michael.Wojcik@merant.com>
To: BugTraq <bugtraq@securityfocus.com>
Subject: another fatal bug in NT/2000 "Command Prompt" I/O
Date: Fri, 26 Oct 2001 11:35:42 -0700

Recent messages on the comp.lang.c and (allegedly)
comp.os.ms-windows.programmer.win32 have documented various short programs
which cause Windows NT4 and 2000 to crash and reboot by writing certain
strings to stdout.

The following is one example of such a program:

#include <stdio.h>

int main(void)
{
   /* Write tabs followed by backspaces to stdout indefinitely; the
    * console subsystem's handling of this sequence is what crashes. */
   while (1)
      printf("\t\t\b\b\b\b\b\b");
   return 0;
}

Note that several people have reported crashes using variants that do not
output unlimited text. One has crashed a test system using a program that
wrote only the four-character string "\t\b\b " (a tab, two backspaces, and a
space).

I've confirmed that collecting a large amount of output from a program such
as the one above in a file, and then using the "type" command in a
command-prompt window to display the file, will also crash or hang the
system.

My test system:

        IBM Thinkpad 600E
        400MHz Pentium II
        96MB RAM
        Windows NT 4 Workstation
        SP6a plus Q299444i, Q301625i, Q306121

I was logged in with a "Power User"-class user ID; administrative privilege
is not required to exploit the problem. The program was built with
Microsoft Visual C++ 6.0 SP5, from the command line with default options.

When NT crashed it displayed a crash dump message with the following
information:

        stop c000021a in "Windows SubSystem"
        process status c0000005 (5ffb355e 0124faa0)

Note that because this has been discussed on at least two widely-read
newsgroups, it's already well-known.

I've sent a message about this to Microsoft.

Michael Wojcik
Principal Software Systems Developer, Micro Focus
Department of English, Miami University
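The post shows that a console can be taken down by text containing tab and backspace control characters, and that even displaying such a file with "type" is enough. A defensive counterpart is to inspect untrusted data before it ever reaches a console and to render control bytes visibly instead of passing them through. The following is an added example, not part of the original post or Microsoft's code; the function names, the escaping scheme (\t, \b, \xNN) and the sample string are my own choices, and the sample embeds the four-byte "\t\b\b " sequence the post mentions purely as constructed test input.

```c
#include <stdio.h>
#include <string.h>

/* Count control bytes (below 0x20, plus DEL) other than newline and
 * carriage return. A non-zero result marks data that should not be sent
 * raw to a console window. */
size_t count_console_control_chars(const char *buf, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)buf[i];
        if ((c < 0x20 && c != '\n' && c != '\r') || c == 0x7f)
            n++;
    }
    return n;
}

/* Copy buf into out, replacing each control byte with a visible escape:
 * tab -> "\t", backspace -> "\b", anything else -> "\xNN". Newline and
 * carriage return are kept so line structure survives. Returns the number
 * of bytes written (not counting the terminating NUL), or 0 if out is too
 * small; worst-case expansion is 4x the input length. */
size_t escape_for_console(const char *buf, size_t len, char *out, size_t outsz)
{
    size_t o = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)buf[i];
        char tmp[5];
        const char *rep;
        if (c == '\t') {
            rep = "\\t";
        } else if (c == '\b') {
            rep = "\\b";
        } else if (c == '\n' || c == '\r' || (c >= 0x20 && c != 0x7f)) {
            tmp[0] = (char)c;
            tmp[1] = '\0';
            rep = tmp;
        } else {
            snprintf(tmp, sizeof tmp, "\\x%02X", c);
            rep = tmp;
        }
        size_t rl = strlen(rep);
        if (o + rl + 1 > outsz)   /* leave room for the NUL */
            return 0;
        memcpy(out + o, rep, rl);
        o += rl;
    }
    out[o] = '\0';
    return o;
}

int main(void)
{
    /* Constructed sample: ordinary text with the "\t\b\b " sequence inside. */
    const char sample[] = "hello\t\b\b world\n";
    size_t len = sizeof sample - 1;
    char safe[64];

    printf("control bytes found: %zu\n", count_console_control_chars(sample, len));
    if (escape_for_console(sample, len, safe, sizeof safe))
        fputs(safe, stdout);   /* prints: hello\t\b\b world */
    return 0;
}
```

The count function is the cheap pre-check a wrapper around "type" or a log viewer can run before writing a file to the console; the escape function is what to use when the content still has to be shown. Note that newline and carriage return are deliberately left alone, so this filter targets cursor-movement control characters, not line endings.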