Buffer Overflow in CMD.EXE
Reported April 21, 2000 by Cerberus Information Security
VERSIONS AFFECTED
  • Windows NT 4.0 Workstation
  • Windows NT 4.0 Server
  • Windows NT 4.0 Server, Enterprise Edition
  • Windows NT 4.0 Server, Terminal Server Edition
  • Windows 2000 Professional
  • Windows 2000 Server
  • Windows 2000 Advanced Server

DESCRIPTION

CMD.EXE, the command processor for Windows NT 4.0 and Windows 2000, has an unchecked buffer in the part of its code that handles environment strings.

If a server exposes batch or other script files to users, a user could potentially supply arguments that create an extremely large environment string and overflow the buffer. This causes the process to fail, which presents a dialog on the console screen that must be cleared; the memory allocated to the process is not released until that dialog has been cleared.

On systems that are run remotely without consoles or local operators, a denial of service attack could be launched by consuming memory resources. The attack is possible since no one would be immediately available to notice and clear the error message dialogs.

The most likely means of attack would be via the use of batch files. Microsoft said they have thoroughly researched the problem and believe that code could not be made to run on the remote machine via this buffer overflow condition since the overflow occurs on the heap, rather than the stack. In general, heap overruns do not offer the prospect of running arbitrary code.
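The failure mode above matters most on unattended servers that run batch files on behalf of users, so a defensive wrapper can refuse oversized input before cmd.exe sees it and stop a crash from parking on a modal dialog. The following is an added example, not code from the advisory or from Microsoft; the size cap is an assumption (the advisory gives no buffer size), the `check_request` and `run_batch` helpers are hypothetical, and the SetErrorMode call is a general Windows mechanism that the advisory does not mention.

```python
import ctypes
import os
import subprocess
import sys

# Conservative cap on the environment block we are willing to hand to cmd.exe.
# The advisory states no exact buffer size, so this value is an assumption;
# tune it to the longest legitimate argument your scripts actually need.
MAX_ENV_BLOCK_BYTES = 8 * 1024

# Error-mode flags from <winbase.h>. Child processes inherit the parent's
# error mode, so setting it in the launcher covers the spawned cmd.exe too.
SEM_FAILCRITICALERRORS = 0x0001
SEM_NOGPFAULTERRORBOX = 0x0002


def env_block_size(env):
    """Bytes cmd.exe sees in the environment block: 'NAME=value\\0' per entry."""
    return sum(len(k) + len(v) + 2 for k, v in env.items())


def check_request(env, user_args, limit=MAX_ENV_BLOCK_BYTES):
    """Return True only if a batch file that copies every argument into the
    environment (the common `set VAR=%1` pattern) would stay under the cap."""
    # NUL and line breaks cannot be carried in an environment string safely.
    if any("\x00" in a or "\r" in a or "\n" in a for a in user_args):
        return False
    projected = env_block_size(env) + sum(len(a) + 1 for a in user_args)
    return projected <= limit


def run_batch(script_path, user_args):
    """Launch a batch file with caller-supplied arguments, or return None
    when the request is refused before cmd.exe is ever started."""
    if not check_request(os.environ, user_args):
        return None
    if sys.platform == "win32":
        # Suppress the fault dialog so a crashing cmd.exe exits and frees its
        # memory immediately instead of waiting for an operator at the console.
        ctypes.windll.kernel32.SetErrorMode(
            SEM_FAILCRITICALERRORS | SEM_NOGPFAULTERRORBOX)
    cmd = ["cmd.exe", "/c", script_path] + list(user_args)
    return subprocess.run(cmd, env=dict(os.environ)).returncode
```

On a headless server the same effect as the SetErrorMode call can be obtained system-wide through the ErrorMode setting under HKLM\SYSTEM\CurrentControlSet\Control\Windows, which is the setting to check when a crashed process is found holding memory behind a dialog nobody can see.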

VENDOR RESPONSE

Microsoft issued a patch for NT 4.0 as well as a patch for Windows 2000. In addition, the company has provided technical information in Support Online article Q259401.

CREDITS
Discovered and reported by Cerberus Information Security