There are many such bugs in the Windows utilities, e.g. sort %d%n

FWIW, on XP SP2, I didn't need to mess with %COMSPEC% /K. Just doing dir \\?\(A * 260) at a regular cmd window got me a DEP error.

Mark

(resending - forgot to copy the list first time)

On 10/23/06, Debasis Mohanty wrote:
>
>> Matthew Flaschen <[EMAIL PROTECTED]> to Peter, full-disclosure
>> Aren't cross-zone URLs disallowed by default, though?
>
> I agree with Matthew & Brian. If cmd.exe can be run from a browser
> using file:// irrespective of cross-zone security boundaries then
> there are *many* other urgent things to be attended to.
>
> However, there are other attack vectors, a few of which are already
> mentioned by Nick. This can definitely be exploitable in conjunction
> with other attack vectors.
>
> regards,
> -d
>
> On 10/23/06, Brian Eaton wrote:
> > On 10/23/06, Peter Ferrie wrote:
> > > > > file://
> > > > > ?
> > > >
> > > > OK, I'll bite. Why are file:// URLs relevant to the discussion?
> > >
> > > It allows arbitrary data to be passed to CMD.EXE, without first owning
> > > the system.
> >
> > You're telling me that a web page I view in IE can do this?
> >
> > cmd.exe /K del /F /Q /S C:\*
> >
> > Forgive my skepticism. Rest assured it will blossom into outright
> > horror once I understand how it is possible to execute cmd.exe from an
> > HTML document.
> >
> > Regards,
> > Brian
> >
> >

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
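The two argument patterns Mark reports above (printf-style directives such as %d%n reaching sort, and a \\?\ path of 260 or more characters reaching dir) can be picked out of process-creation logs. This is an added detection example, not code from the thread; the pid|image|command line log format and the single-letter-name heuristic for %VAR% references are assumptions.

```python
import re

MAX_PATH = 260  # classic Windows path limit; \\?\ lifts it, which is what the dir crash abuses

# %NAME% is an environment-variable reference, not a format directive. Heuristic (assumption):
# names of two or more characters, so "%d%n" is not mistaken for a reference to a variable "d".
ENV_REF = re.compile(r"%[A-Za-z_][A-Za-z0-9_()]+%")
# printf-style conversions, e.g. %d, %08x, %n (the one that writes to memory)
FMT_DIRECTIVE = re.compile(r"%[-+ 0#]*\d*(?:\.\d+)?[diouxXeEfgGcspn]")
# an argument carrying the extended-length prefix \\?\ followed by the path remainder
EXT_PATH = re.compile(r"\\\\\?\\([^\s\"]+)")

# Constructed sample process-creation events (pid|image|command line, one per line).
SAMPLE_EVENTS = (
    "1001|C:\\Windows\\System32\\cmd.exe|cmd.exe /K dir \\\\?\\" + "A" * 260 + "\n"
    "1002|C:\\Windows\\System32\\sort.exe|sort %d%n\n"
    "1003|C:\\Windows\\System32\\cmd.exe|cmd.exe /c echo %COMSPEC% /K\n"
    "1004|C:\\Windows\\System32\\cmd.exe|cmd.exe /c dir \\\\?\\C:\\Temp\n"
)

def parse_event(line):
    pid, image, cmdline = line.split("|", 2)
    return {"pid": int(pid), "image": image, "cmdline": cmdline}

def find_format_directives(cmdline):
    """Return printf-style directives in the command line, ignoring %VAR% references."""
    return FMT_DIRECTIVE.findall(ENV_REF.sub("", cmdline))

def find_overlong_extended_paths(cmdline, limit=MAX_PATH):
    """Return \\?\-prefixed path remainders that are at least `limit` characters long."""
    return [p for p in EXT_PATH.findall(cmdline) if len(p) >= limit]

def scan_events(text):
    """Return (pid, finding type, detail, severity) tuples for every suspicious event."""
    findings = []
    for line in text.splitlines():
        ev = parse_event(line)
        for d in find_format_directives(ev["cmdline"]):
            # %n can write to memory, so it rates higher than a plain read directive
            findings.append((ev["pid"], "format-directive", d, "high" if d.endswith("n") else "low"))
        for p in find_overlong_extended_paths(ev["cmdline"]):
            findings.append((ev["pid"], "overlong-extended-path", len(p), "high"))
    return findings

if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(finding)
```

Event 1003 shows why the %VAR% stripping matters: the %COMSPEC% /K invocation from the thread contains no format directive and must not be flagged.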
