Pantek Library
Hosting Provided By
CybrHost
High Speed Hosting
Mailing Lists: securityfocus.com > vuln-dev > 03 > 030299.html (Request Expert securityfocus.com Support)

RE: NSLOOKUP.EXE

From: Brett Moore <brett(at)softwarecreations.co.nz>
Date: Sun Mar 23 2003 - 16:41:23 EST


Hi all..

On win32 systems, it is a common misconseption that buffer overflows in local executables through
command line arguments do not present much of a security risk.

However they do give an attacker another avenue of attack. For example.

going back to the long unicode/double decode vulnerabilities where one simple solutions was
to remove the cmd.exe program. Authough some commands could still be run through other programs
such as attrib and more, for directory listing and file reading, command execution is limited.

But with the help of a local exe that is vulnerable to command line overflow, couldnt an attacker
use something similar to
/scripts/..etc../nslookup?<overflowstring with shellcode> to obtain command access.

Brett

-----Original Message-----
From: K. K. Mookhey [mailto:cto@nii.co.in] Sent: Saturday, March 22, 2003 5:41 PM
To: Patrick Webster; vuln-dev@securityfocus.com Subject: Re: NSLOOKUP.EXE

Hi,

Do you need help?X

On a related note, we had reported the following local BOs to MS. But since, neither they nor us could come up with any remote exploits for this, I guess members on this list could check it out. Some of these do not work on Win2K SP3, but do work on earlier versions.

First:
C:\>regsvr32 AAAAAAA...(1300 times)

Second:
C:\>winhlp32 

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaa 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaa 
aaaaaaaaaaaaaaaaaaaaa.exe

This one crashes only at a particular value of A's, not if its any more or if its any less.

Again, unless any of these runs with elevated privileges, or someone feeds in data remotely to these exes, the buffer overflows do not represent a security risk.

K. K. Mookhey
CTO,
Network Intelligence India Pvt. Ltd.
Web: www.nii.co.in


Security Auditing Handbooks
http://www.nii.co.in/research/handbook.html
  • Original Message ----- Hi List,

Can you do anything interesting with this?:

C:\>nslookup
Default Server: dns.server.net
Address: 111.222.333.444

> 

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AA 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Do you need more help?X

Gives error: memory can't be "read" - 0x414141 (aka A). Received on Sun Mar 23 22:23:32 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:38 EDT

Contact Us  Legal Notices  Order Services Online 
Pantek Home  Privacy Policy  IT news  Site Map  Pantek Library