THE WELCH COMPANY
440 Davis Court #1602
San Francisco, CA 94111-2496
415 781 5700
rodwelch@pacbell.net


S U M M A R Y


DIARY: October 30, 2003 07:11 PM Thursday; Rod Welch

Problem using cmd with Start for long filenames to launch programs.

1...Summary/Objective
......Windows NT 4.0/2000 cmd.exe Long Path Buffer Overflow/DoS
......Vulnerable systems:



SUBJECTS
00903.bat Fails to Launch Application Because Windows 2000 Cmd.exe H
Other Programs Launch from Within SDS Based on File Extension to Mic
Start DOS CMD Windows Command Launches Other Programs Called with DO
Other Programs Launch Within SDS Based on File Extension to Microsof
Launch Other Programs to Open Files with Long Filenames Failing

1007 -
1007 -    ..
1008 - Summary/Objective
1009 -
100901 - Follow up ref SDS 1 0000.
100902 -
100903 - On 031020 developed new feature for opening files with other
100904 - applications using...
100905 -
100906 -                     c: sd 01 00903.bat
100908 -  ..
100909 - This system uses cmd.exe with the Windows start command. ref SDS 1
100910 - NW3N
100912 -  ..
100913 - Testing on 031020 and subsequently showed that long filenames fail to
100914 - execute, returning an "out of memory" message. ref SDS 1 F18I
100916 -  ..
100917 - Today, we had the same problem in another record. ref SDS 2 MC8L
100918 -
100919 -    Two relatively short filenames processed correctly; the 3rd one
100920 -    that is only slightly longer failed.
100922 -  ..
100923 - Gary suggested reducing the overall length of the command string by
100924 - changing the title from "Schedule Diary System," created on 031020,
100925 - ref SDS 1 NW3N, to just "SDS" and this change solved the problem for
100926 - this particular file.
100928 -  ..
100929 - The bigger problem is that many filenames are too long, so we need a
100930 - switch, of some kind, to support long filenames.
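The launcher described above, as an added example that is not the record's own 00903.bat: it opens a file with its associated application through the cmd.exe start command, keeps the window title short ("SDS", as Gary suggested), measures the length of the command line it is about to run, and falls back to the 8.3 short-name form of the path (the %~s1 modifier) when the full path would make the command too long. The file name launch.bat and the 250-character threshold are assumptions for this example, not values taken from this record.

```batch
@echo off
rem Added example launcher (not the diary's 00903.bat).
rem Usage: launch.bat "C:\some\very long\path\to\file.txt"
setlocal

if "%~1"=="" (
    echo Usage: %~nx0 "path-to-file"
    exit /b 1
)
if not exist "%~f1" (
    echo File not found: %~f1
    exit /b 1
)

rem Full long name of the file, and its 8.3 short-name form.
rem %~s1 only shortens the path when 8.3 names exist for every component.
set "LONGPATH=%~f1"
set "SHORTPATH=%~s1"

rem START treats the first quoted argument as the window title, so a title is
rem required whenever the path itself must be quoted.  Keep it short: the
rem diary found that shortening "Schedule Diary System" to "SDS" was enough
rem to make a borderline command line succeed.
set "TITLE=SDS"

rem Build the command line first so its length can be checked before running.
set "CMDLINE=start "%TITLE%" "%LONGPATH%""
call :strlen CMDLINE CMDLEN
echo Command line length: %CMDLEN%

rem Assumed threshold for this example: fall back to the short-name path when
rem the full command line would exceed 250 characters.
if %CMDLEN% GTR 250 (
    echo Command line too long, launching with short name: %SHORTPATH%
    start "%TITLE%" "%SHORTPATH%"
) else (
    start "%TITLE%" "%LONGPATH%"
)
endlocal
exit /b 0

:strlen
rem %1 = name of the variable to measure, %2 = name of the variable that
rem receives its length.  Walks the string one character at a time.
setlocal enabledelayedexpansion
set "s=!%~1!"
set /a len=0
:strlen_loop
if defined s (
    set "s=!s:~1!"
    set /a len+=1
    goto :strlen_loop
)
endlocal & set "%~2=%len%"
exit /b 0
```

The %~s1 fallback yields a short name only when the file exists and 8.3 name generation is enabled on that volume; where it has been disabled (fsutil 8dot3name), the modifier returns the long name unchanged, so the echoed path should be checked rather than assumed to be shorter.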
100931 -
100932 -         [On 031102 solved the problem. ref SDS 3 7F4K]
100934 -  ..
100935 - Research on the Internet at...
100936 -
100937 -       http://www.securiteam.com/windowsntfocus/5MP0F1F95U.html
100938 -
100939 - ...yielded the following report of batch-file failures caused by the cd
100940 - command in cmd.exe.
100941 -
100943 -       ..
100944 -      Windows NT 4.0/2000 cmd.exe Long Path Buffer Overflow/DoS
100945 -
100946 -      cmd.exe is the Windows NT OS family command processor.  It is used
100947 -      to process .bat and .cmd batch files.  Many system administrators
100948 -      run batch files with elevated privileges for system maintenance.
100949 -      cmd.exe has a flaw in processing the "cd" command on long path
100950 -      names.  Under Windows NT 4.0 it may cause a buffer overflow; on
100951 -      Windows 2000, failure of batch file processing.
100952 -
100954 -       ..
100955 -      Vulnerable systems:
100956 -
100957 -      Microsoft Windows NT 4.0 (buffer overflow)
100958 -      Microsoft Windows 2000 (DoS)
100959 -
100961 -       ..
100962 -      The NTFS file system allows creating paths of almost unlimited
100963 -      length.  However, the Windows API does not allow paths longer
100964 -      than 256 bytes.  To prevent the Windows API from checking the
100965 -      requested path, the \\?\ prefix may be used for the filename.
100966 -      This is a documented feature of the Windows API.
100968 -       ..
100969 -      cmd.exe from Windows NT 4.0 has a trivial buffer overflow in the
100970 -      CD command if the destination path is longer than 256 characters.
100971 -      This vulnerability may be trivially exploited to execute code.
100973 -       ..
100974 -      cmd.exe from Windows 2000 has no buffer overflow, but when
100975 -      changing to a directory with a path slightly longer than 256
100976 -      characters (for example 260 characters) cmd.exe becomes "jailed"
100977 -      in this directory, meaning the "cd .." command will fail.
100979 -       ..
100980 -      Vendor response:
100981 -      Microsoft acknowledged problem.
100982 -
100984 -  ..
100985 - Gary submitted some ideas for solving the problem under a Windows 95
100986 - system....
100987 -
100988 -    1.  Subject: increase command line length
100989 -        Date: Thu, 30 Oct 2003 12:05:11 -0800
100993 -         ..
100994 -    2.  Rod,
100996 -         ..
100997 -        Try
100998 -
100999 -           http://support.microsoft.com/default.aspx?scid=http://ort.microsoft.com:80/support/kb/articles/Q121/0/59.asp
101001 -            ..
101002 -           http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q121/0/59.asp&NoWebContent=1&NoWebContent=
101004 -         ..
101005 -    3.  It says:
101007 -         ..
101008 -    4.  RESOLUTION
101010 -         ..
101011 -    5.  The global command-line character limitation can be increased
101012 -        to its maximum by placing the following line in the CONFIG.SYS
101013 -        file:
101014 -
101015 -           shell=c:\windows\command.com /u:250 /p
101017 -         ..
101018 -    6.  This command affects all MS-DOS virtual machines (VMs) as well
101019 -        as the Windows 95 command line.
101021 -         ..
101022 -    7.  It *may* work on 2000. No time to search further.
101023 -
101025 -         ..
101026 -    8.  Thanks,
101028 -         ..
101029 -    9.  Gary
101031 -
101032 -
101034 -  ..
1011 -
1012 -
1013 - 2150
1014 -
101401 - Found another source that seemed to indicate that the length of the
101402 - cmd.exe command string is a security risk and that, as a result, there
101403 - is a Microsoft patch for the Windows 2000 program.  When trying to
101404 - download and install the software patch, got a message saying the
101405 - software already installed on c13 supersedes the patch.
101406 -
101407 -
101408 -
101409 -
101410 -
1015 -