lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <C1627911.2B830%ltr@isc.upenn.edu>
Date: Mon, 23 Oct 2006 13:50:09 -0400
From: David Taylor <ltr@....upenn.edu>
To: "C. Hamby" <fixer@....net>,
	Tillmann Werner <tillmann.werner@....de>
Cc: "disclosure@...kyd.securecoffee.com" <full-disclosure@...ts.grok.org.uk>
Subject: Re: Windows Command Processor CMD.EXE Buffer
 Overflow

I got a "Data Execution Prevention" popup message from Windows using the
%COMSPEC% string below as well as just the dir\\?\ string as well.


On 10/23/06 12:31 PM, "C. Hamby" <fixer@....net> wrote:

> This looks more like the command processor itself is reporting an error
> because of length.  The %COMSPEC% variable is kind of an odd thing to
> use if the shell is already open (you usually see that in VBS to call
> the current command shell followed by the /K to keep it open).  Then
> again I could be totally wrong....it does happen from time to time :-)
> 
> I agree with Tillman, this doesn't look like a security issue.
> 
> -cdh
> 
> 
> Tillmann Werner wrote:
>> Luis,
>> 
>>> Tried it on Win2k3 SP1:
>>> C:\Documents and Settings\Administrator>%COMSPEC% /K
>>> "dir\\?\AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>>> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>>> A AAAA
>>> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>>> A AAAA
>>> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
>>> System replied:
>>> The filename or extension is too long.
>>> 
>>> 
>>> YEah! Buffer Overflow Windows XP SP2
>>> 
>>> I Hill debug this.
>> 
>> What makes you think there is a buffer overflow? I'd say the 'dir' command
>> reports an error for parameters beyond 256 chars. Just plain error handling,
>> not a security issue, or am I missing something?
>> 
>> Tillmann
>> 
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>> 
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
> 


==================================================
David Taylor //Sr. Information Security Specialist
University of Pennsylvania Information Security
Philadelphia PA USA
(215) 898-1236
http://www.upenn.edu/computing/security/

Shadowserver Foundation Member
http://www.shadowserver.org
==================================================





_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ