Cerberus Information Security Advisory (CISADV000420)
http://www.cerberus-infosec.co.uk/advisories.html

Released         : 20th April 2000
Name             : CMD.EXE overflow
Affected Systems : Windows NT/2000
Issue            : See details
Author           : David Litchfield (mnemonix@globalnet.co.uk)

Description
***********

The Cerberus Security Team has discovered an overflow issue in the Windows NT/2000 command interpreter "cmd.exe". This problem was discovered whilst looking for buffer overflow issues on certain web servers. Web servers that execute batch files as CGI scripts on behalf of a client are therefore exposed to a Denial of Service attack.

Details
*******

By providing an overly long string as an argument to a CGI-based batch file it is possible to crash the command interpreter in the "clean up" stages. Although control of the Instruction Pointer register (EIP) is gained, it is gained with a UNICODE address, e.g. 0x00410041. Having debugged the application it seems that, in this case, there is nowhere useful in memory to jump to in order to get back to any "exploit code".

Solution
********

It is best not to allow web servers to execute batch files as CGI scripts at all, as these can often be subverted to run arbitrary commands, so Cerberus would recommend disabling any script mappings for this. On top of this the patch should be applied as well.

Vendor Status
*************

Microsoft were informed on the 15th of March about this issue and have developed a patch. More information is available from http://www.microsoft.com/technet/security/bulletin/ms00-027.asp

About Cerberus Information Security, Ltd
****************************************

Cerberus Information Security, Ltd, a UK company, are specialists in penetration testing and other security auditing services.
They are the developers of CIS (Cerberus' Internet Security Scanner), available for free from their website: http://www.cerberus-infosec.co.uk

To ensure that the Cerberus Security Team remains one of the strongest security audit teams available globally, they continually research operating system and popular service software vulnerabilities, leading to the discovery of "world first" issues. This not only keeps the team sharp but also helps the industry and vendors as a whole, ultimately protecting the end consumer. As testimony to their ability and expertise one just has to look at exactly how many major vulnerabilities have been discovered by the Cerberus Security Team - over 60 to date, making them a clear leader among companies offering such security services.

Founded in late 1999 by Mark and David Litchfield, Cerberus Information Security, Ltd are located in London, UK but serve customers across the World. For more information about Cerberus Information Security, Ltd please visit their website or call on +44(0) 181 661 7405

Permission is hereby granted to copy or redistribute this advisory but only in its entirety.

Copyright (C) 2000 by Cerberus Information Security, Ltd
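The Details and Solution sections above describe the request shape that triggers the crash (an overly long argument to a batch file served as a CGI script) and the recommended fix (remove the script mappings for batch files). The following is an added example, not code from the advisory or from Cerberus: a small log scanner that reports requests to .bat/.cmd paths whose argument string exceeds a length threshold, and lists the batch paths still being served so an administrator can confirm the mapping really is gone. It assumes W3C extended log lines with the fields date, time, c-ip, cs-method, cs-uri-stem, cs-uri-query and sc-status in that order (the field order and the 256-byte threshold are assumptions made here); the sample log is constructed.

```python
"""Flag oversized requests to batch-file CGI scripts in web server logs.

Added example, not part of the Cerberus advisory. It assumes W3C extended
log lines with the fields
    date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
in that order (an assumption made here; adjust parse_w3c_line() to match
a real server's #Fields: directive).
"""

from dataclasses import dataclass
from typing import Iterable, List, Optional

BATCH_EXTENSIONS = (".bat", ".cmd")   # script types the advisory is about
DEFAULT_THRESHOLD = 256               # argument bytes above which we report; tune per site


@dataclass
class Request:
    client: str
    method: str
    stem: str
    query: str
    status: int


@dataclass
class Finding:
    client: str
    script: str
    arg_length: int
    status: int


def parse_w3c_line(line: str) -> Optional[Request]:
    """Parse one log line; return None for directives, blank lines and short lines."""
    if not line.strip() or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < 7:
        return None
    _date, _time, client, method, stem, query, status = parts[:7]
    try:
        code = int(status)
    except ValueError:
        return None
    # IIS writes "-" for an empty cs-uri-query
    return Request(client, method, stem, "" if query == "-" else query, code)


def is_batch_cgi(stem: str) -> bool:
    """True when the requested path is a batch file reached through a script mapping."""
    return stem.lower().endswith(BATCH_EXTENSIONS)


def scan_log(lines: Iterable[str], threshold: int = DEFAULT_THRESHOLD) -> List[Finding]:
    """One Finding per request to a .bat/.cmd script whose argument string exceeds threshold."""
    findings = []
    for line in lines:
        req = parse_w3c_line(line)
        if req is None or not is_batch_cgi(req.stem):
            continue
        if len(req.query) > threshold:
            findings.append(Finding(req.client, req.stem, len(req.query), req.status))
    return findings


def batch_script_paths(lines: Iterable[str]) -> List[str]:
    """Distinct .bat/.cmd paths seen in the log; a non-empty list means the mapping is still live."""
    seen = set()
    for line in lines:
        req = parse_w3c_line(line)
        if req is not None and is_batch_cgi(req.stem):
            seen.add(req.stem)
    return sorted(seen)


# Constructed sample log (not real traffic). The 600-byte argument to a batch
# CGI answered with a 502 is the pattern the advisory describes; the equally
# long argument to search.asp is there to show it is not reported.
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2000-04-20 10:01:02 192.0.2.10 GET /default.htm - 200",
    "2000-04-20 10:01:05 192.0.2.10 GET /scripts/lookup.bat name=smith 200",
    "2000-04-20 10:01:09 192.0.2.44 GET /scripts/lookup.bat " + "x" * 600 + " 502",
    "2000-04-20 10:01:12 192.0.2.44 GET /search.asp " + "x" * 600 + " 200",
    "2000-04-20 10:01:15 192.0.2.51 POST /cgi/report.CMD - 200",
]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.client} sent {f.arg_length} argument bytes to {f.script} (status {f.status})")
    print("batch scripts still being served:", batch_script_paths(SAMPLE_LOG))
```

Run against the constructed log, the scanner reports only the 600-byte request to /scripts/lookup.bat and lists two batch paths that are still reachable; after the script mappings are removed, batch_script_paths() on fresh logs should return an empty list, which is the check that the Solution section's advice has actually taken effect.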