lists.openwall.net | Open Source and information security mailing list archives
Message-ID: <5E1016B43E234D23B21233EFA1DEDB85@H270>
Date: Tue, 10 May 2022 17:01:51 +0200
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <fulldisclosure@...lists.org>
Cc: bugtraq@...urityfocus.com
Subject: [FD] Defense in depth -- the Microsoft way (part 80): 25 (in words: TWENTY-FIVE) year old TRIVIAL bug crashes CMD.exe

Hi @ll,

the subject says it all: a 25 year old TRIVIAL signed integer arithmetic
bug (which may well have earned a PhD now) crashes Windows' command
interpreter CMD.exe via its builtin SET command.

See their documentation:
<https://technet.microsoft.com/en-us/library/cc771320.aspx>
<https://technet.microsoft.com/en-us/library/cc754250.aspx>

Classification
~~~~~~~~~~~~~~

<https://cwe.mitre.org/data/definitions/190.html>
CWE-190: Integer Overflow or Wraparound

<https://cwe.mitre.org/data/definitions/248.html>
CWE-248: Uncaught Exception

Demonstration
~~~~~~~~~~~~~

On Windows NT4 or any newer version start the command interpreter and
run the following 4 command lines (the first 3 just set the stage):

SET /A -2147483648
SET /A ~2147483647
SET /A ~2147483647 / -1
SET /A ~2147483647 % -1

[1] Oops: although a valid signed 32-bit integer, the command interpreter
    rejects the literal value -2147483648 = -2**31 alias INT_MIN with
    "Invalid number. Numbers are limited to 32-bits of precision."

[2] As expected, ~2147483647, the bitwise complement of INT_MAX, yields
    INT_MIN (-2147483648).

[3] Also as expected, computing the quotient INT_MIN / -1 yields
    "Invalid number. Numbers are limited to 32-bits of precision.":
    the correct result is +2147483648 alias INT_MAX + 1, i.e. an integer
    overflow, which raises a #DE (divide error) exception on x86/x64
    processors (and their 8- and 16-bit predecessors too) if the
    division is actually executed.

[4] OUCH: rather unexpectedly, computing the remainder INT_MIN % -1
    crashes the command processor with the #DE exception, i.e. the
    developers failed to implement for the remainder the check they
    use for the quotient.
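The following is an added example and not code from the post or from Microsoft: a small C program that evaluates the same four command lines with checked 32-bit arithmetic, i.e. the way a correct SET /A implementation would treat them. It assumes (from the error message in [1]) that the literal -2147483648 fails because the magnitude 2147483648 is converted before the sign is applied; the hypothetical helpers parse_int32, checked_div32 and checked_rem32 are mine. checked_div32 refuses INT_MIN / -1 before the divide instruction runs, and checked_rem32 answers a divisor of +1 or -1 with 0 without dividing at all, which is the check that is missing in [4].

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Status of a checked 32-bit operation (added example, not CMD.exe code). */
enum arith_status { ARITH_OK = 0, ARITH_DIV_BY_ZERO, ARITH_OVERFLOW, ARITH_SYNTAX };

struct arith_result {
    enum arith_status status;
    int32_t value;      /* valid only when status == ARITH_OK */
};

static struct arith_result ok(int32_t v)
{
    struct arith_result r = { ARITH_OK, v };
    return r;
}

static struct arith_result fail(enum arith_status s)
{
    struct arith_result r = { s, 0 };
    return r;
}

/* Parse a decimal literal into int32_t.  The magnitude is accumulated in a
 * 64-bit variable and the sign is applied *before* the range check, so the
 * literal -2147483648 (INT_MIN) is accepted while 2147483648 is rejected.
 * This is the assumed fix for the error reported in [1]. */
struct arith_result parse_int32(const char *s)
{
    int neg = 0;
    int64_t acc = 0;

    if (*s == '-' || *s == '+')
        neg = (*s++ == '-');
    if (*s < '0' || *s > '9')
        return fail(ARITH_SYNTAX);
    for (; *s >= '0' && *s <= '9'; s++) {
        acc = acc * 10 + (*s - '0');
        if (acc > 2147483648LL)          /* already past |INT_MIN| */
            return fail(ARITH_OVERFLOW);
    }
    if (*s != '\0')
        return fail(ARITH_SYNTAX);
    if (neg)
        return ok((int32_t)-acc);        /* -2147483648 .. 0 all fit */
    if (acc > INT32_MAX)
        return fail(ARITH_OVERFLOW);
    return ok((int32_t)acc);
}

/* Quotient.  The only overflowing operand pair is INT_MIN / -1: the result
 * +2147483648 does not fit, and x86/x64 IDIV raises #DE for it. */
struct arith_result checked_div32(int32_t a, int32_t b)
{
    if (b == 0)
        return fail(ARITH_DIV_BY_ZERO);
    if (a == INT32_MIN && b == -1)
        return fail(ARITH_OVERFLOW);     /* never let a / b reach IDIV */
    return ok(a / b);
}

/* Remainder.  IDIV computes quotient and remainder together, so INT_MIN % -1
 * traps exactly like INT_MIN / -1.  The correct remainder for a divisor of
 * +1 or -1 is always 0, so that case is answered without dividing. */
struct arith_result checked_rem32(int32_t a, int32_t b)
{
    if (b == 0)
        return fail(ARITH_DIV_BY_ZERO);
    if (b == 1 || b == -1)
        return ok(0);
    return ok(a % b);
}

static void show(const char *expr, struct arith_result r)
{
    static const char *const names[] = { "OK", "division by zero", "overflow", "syntax error" };
    if (r.status == ARITH_OK)
        printf("%-20s = %d\n", expr, (int)r.value);
    else
        printf("%-20s : %s\n", expr, names[r.status]);
}

/* The four command lines from the post, evaluated with the checked helpers. */
int main(void)
{
    show("-2147483648", parse_int32("-2147483648"));
    show("~2147483647", ok(~2147483647));              /* bitwise NOT of INT_MAX */
    show("~2147483647 / -1", checked_div32(INT32_MIN, -1));
    show("~2147483647 % -1", checked_rem32(INT32_MIN, -1));
    return 0;
}
```

Build with cc -std=c99 -Wall. Neither helper ever executes INT_MIN / -1 or INT_MIN % -1 itself: in C that is undefined behaviour, and on x86/x64 it traps with #DE (delivered as SIGFPE on Unix), which is exactly the crash the remainder case in [4] produces in CMD.exe.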
JFTR: the remainder of <any integer> % -1 as well as <any integer> % 1
      is (by the algebraic definition of division) 0 (in words: ZERO):
      the remainder is in magnitude less than the divisor. The only
      integer that is in magnitude less than |-1| = 1 is 0!

Exploit
~~~~~~~

Setting one or both of the following documented registry entries
crashes the command interpreter upon invocation (unless started with
the switch /D):

[HKEY_CURRENT_USER\Software\Microsoft\Command Processor]
"AutoRun"="SET /A ~2147483647 % ~0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor]
"AutoRun"="SET /A ~2147483647 % ~0"

stay tuned
Stefan Kanthak

PS: I reported this bug as DoS to the MSRC; they replied with the
    following bullshit statement in their 2nd sentence:

| Though engineering confirmed the crash in this case, it was assessed
| as a Low severity DoS.
|
| Their reasoning centers around the requirement to have admin
| privileges to pull off the attack.

OUCH! Unprivileged users can but write this registry entry below
[HKEY_CURRENT_USER\Software\Microsoft\Command Processor]

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/