Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Fwd: Windows Command Processor CMD.EXE BufferOverflow
From: "Mark Senior" <senatorfrog () gmail com>
Date: Tue, 24 Oct 2006 15:00:10 -0600

There are many such bugs in the Windows utilities.  e.g.

sort %d%n

FWIW, on XP SP2, I didn't need to mess with %COMSPEC% /K.  Just doing

dir \\?\(A * 260)

at a regular cmd window got me a DEP error.


(resending - forgot to copy the list first time)

On 10/23/06, Debasis Mohanty wrote:
 Matthew Flaschen <matthew.flaschen () gatech edu> to Peter, full-disclosure
 Aren't cross-zone urls disallowed by default, though?

I agree with Matthew & Brian. If cmd.exe can be run from a browser
using file:// irrespective of cross-zone security boundaries then
there are *much* other urgent things to be attended.

However, there are other attack vectors out of which few are already
mentioned by Nick. This can definitely be exploitable in conjunction
with other attack vectors.


On 10/23/06, Brian Eaton  wrote:
On 10/23/06, Peter Ferrie  wrote:

OK, I'll bite.  Why are file:// URLs relevant to the discussion?

It allows arbitrary data to be passed to CMD.EXE, without first owning the system.

You're telling me that a web page I view in IE can do this?

cmd.exe /K del /F /Q /S C:\*

Forgive my skepticism.  Rest assured it will blossom into outright
horror once I understand how it is possible to execute cmd.exe from an
HTML document.


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]