All,

While investigating centralised automation of power management settings for Windows XP, I discovered that it is possible to use POWERCFG.EXE to create a new power management profile scheme with a name of greater than 32 characters. The resultant name cannot be enumerated by POWERCFG.EXE itself or by the control panel applet POWERCFG.CPL, suggesting an unchecked buffer, with the possibility of a buffer overflow.

Issue concerns the following:

Windows XP SP3
POWERCFG.CPL v6.00.2900.5512
POWERCFG.EXE v5.1.2600.5512

The problem does not occur in Windows 2003 with the following file versions:

POWERCFG.CPL v6.00.3790.3959
POWERCFG.EXE v5.2.3790.3959

Recreate as follows (use a test machine):

1. Command: POWERCFG.EXE /CREATE "012345678901234567890123456789012"
2. Command: POWERCFG.EXE /LIST
3. Note that the above command fails to enumerate the new scheme.
4. Command: POWERCFG.CPL
5. Note that the GUI fails to enumerate the new scheme.
6. Go to HKEY_CURRENT_USER\Control Panel\PowerCfg\PowerPolicies to remove the new scheme; it will be listed under the ID of the highest number.
7. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\PowerCfg\PowerPolicies and remove the key of the same ID as above.

I was developing a tool to perform central management of Windows XP Power Management Settings, to allow a client to reduce their carbon footprint (apparently there are awards to be had for this sort of thing). I had originally planned to create a new power management scheme with the required settings, but in light of the above have opted instead to change the profile of the built-in scheme "Home/Office Desk", as that is always referenced with the numeric ID 0 and already exists on all Windows XP machines. The project was a success and, for those interested, further information is available here: http://www.leafgrove.com/news.asp?id=9&articleid=20

It's also interesting to note that each time a new scheme is created with the POWERCFG.EXE /CREATE command, it is assigned a unique decimal ID number incremented from the previous one, even if deleted. I'm therefore of the opinion that it might also be possible to overflow another buffer by creating enough new schemes to push the ID beyond the number that can be enumerated by the EXE or the CPL and potentially permanently break the functionality.

It remains to be seen if this one will run as far as the malformed malicious ANI issue discovered in March 07 (BugTraq ID: 23194).

Post is reproduced here: http://blog.leafgrove.com/ViewItem.asp?Entry=278

Cheers
James

James D. Stallard MBCS CITP MIoD
Enterprise Architect
Web: www.leafgrove.com
LinkedIn: www.linkedin.com/in/jamesdstallard
Mobile: +44 (0) 7979 49 8880
Skype: JamesDStallard
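An administrator's audit script for the orphaned schemes the post describes, added here as an example and not part of the original post or of the poster's tool: it walks the per-user PowerPolicies subkeys, reports any scheme whose name exceeds the 32 characters that POWERCFG.EXE /LIST and POWERCFG.CPL can display, and with -Remove deletes the matching numeric subkey from both the HKCU and HKLM locations given above. It assumes PowerShell 2.0 or later is installed on the XP SP3 machine, that each numeric subkey carries a REG_SZ value named "Name" holding the scheme name, and that the user and machine subkeys share the same numeric ID (as the post's steps 6 and 7 indicate).

```powershell
# Audit (and optionally clean up) power schemes whose names POWERCFG cannot enumerate.
# Example code, not from the original post. Assumptions: PowerShell 2.0+ on XP SP3,
# a "Name" REG_SZ value in each numeric policy subkey, and matching IDs in both hives.
param([switch]$Remove)

$MaxNameLength = 32   # the display limit implied by the post's repro steps
$UserKey    = 'HKCU:\Control Panel\PowerCfg\PowerPolicies'
$MachineKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\PowerCfg\PowerPolicies'

function Get-OverlongSchemes {
    # Walk the numeric subkeys (0, 1, 2, ...) and return those whose Name exceeds the limit.
    Get-ChildItem $UserKey | ForEach-Object {
        $name = (Get-ItemProperty $_.PSPath).Name   # assumption: value is called "Name"
        if ($name -and $name.Length -gt $MaxNameLength) {
            New-Object PSObject -Property @{
                Id     = $_.PSChildName
                Name   = $name
                Length = $name.Length
            }
        }
    }
}

$bad = @(Get-OverlongSchemes)
if ($bad.Count -eq 0) {
    Write-Host "No power schemes with names over $MaxNameLength characters found."
    exit 0
}

# Report first so the operator can see what would be removed.
$bad | Format-Table Id, Length, Name -AutoSize

if ($Remove) {
    foreach ($s in $bad) {
        # Built-in schemes have short names, so only the over-long, invisible entries are touched.
        Remove-Item -Path (Join-Path $UserKey    $s.Id) -Recurse -ErrorAction SilentlyContinue
        Remove-Item -Path (Join-Path $MachineKey $s.Id) -Recurse -ErrorAction SilentlyContinue
        Write-Host "Removed scheme $($s.Id) ('$($s.Name)') from both hives."
    }
}
```

Run it without -Remove first to confirm only the orphaned test scheme is listed; the HKLM branch requires administrative rights to delete.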
