Message-ID: <bb5da2a80610232038t6606700dy41cfd943b49bff24@mail.gmail.com>
Date: Mon, 23 Oct 2006 20:38:11 -0700
From: "Debasis Mohanty" <debasis.mohanty.listmails@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Windows Command Processor CMD.EXE BufferOverflow

>>  Matthew Flaschen <matthew.flaschen@...ech.edu> to Peter, full-disclosure
>>  Aren't cross-zone urls disallowed by default, though?

I agree with Matthew & Brian. If cmd.exe can be run from a browser
using file:// irrespective of cross-zone security boundaries, then
there are *many* other urgent things to be attended to.

However, there are other attack vectors, a few of which were already
mentioned by Nick. This can definitely be exploited in conjunction
with other attack vectors.

regards,
-d

On 10/23/06, Brian Eaton <eaton.lists@...il.com> wrote:
> On 10/23/06, Peter Ferrie <pferrie@...antec.com> wrote:
> > > > file://
> > > > ?
> > >
> > > OK, I'll bite.  Why are file:// URLs relevant to the discussion?
> >
> > It allows arbitrary data to be passed to CMD.EXE, without first owning the system.
>
> You're telling me that a web page I view in IE can do this?
>
> cmd.exe /K del /F /Q /S C:\*
>
> Forgive my skepticism.  Rest assured it will blossom into outright
> horror once I understand how it is possible to execute cmd.exe from an
> HTML document.
>
> Regards,
> Brian
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
