Buffer Overflow in CMD.EXE

Buffer Overflow in CMD.EXE
Reported April 21, 2000 by
Cerberus Information Security
  • Windows NT 4.0 Workstation
  • Windows NT 4.0 Server
  • Windows NT 4.0 Server, Enterprise Edition
  • Windows NT 4.0 Server, Terminal Server Edition
  • Windows 2000 Professional
  • Windows 2000 Server
  • Windows 2000 Advanced Server


CMD.EXE, the command processor for Windows NT 4.0 and Windows 2000, has an unchecked buffer in part of the code that handles environment strings

If a server provides batch or other script files, a user could potentially provide arguments that would create an extremely large environment string and overflow the buffer. This would cause the process to fail, which presents a dialog on the console screen that must be cleared, and the memory allocated to the process would not be made available again until that dialogue had been cleared.

On systems that are run remotely without consoles or local operators, a denial of service attack could be launched by consuming memory resources. The attack is possible since no one would be immediately available to notice and clear the error message dialogs.

The most likely means of attack would be via the use of batch files. Microsoft said they have thoroughly researched the problem and believe that code could not be made to run on the remote machine via this buffer overflow condition since the overflow occurs on the heap, rather than the stack. In general, heap overruns do not offer the prospect of running arbitrary code.


Microsoft issued a patch for NT 4.0 as well as a patch for Windows 2000. In addition the company has provided technical information in Support Online article Q259401.

Discovered and reported by
Cerberus Information Security
Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.