COMMAND

    CMD.EXE

SYSTEMS AFFECTED

    - Microsoft Windows NT 4.0 Workstation
    - Microsoft Windows NT 4.0 Server
    - Microsoft Windows NT 4.0 Server, Enterprise Edition
    - Microsoft Windows NT 4.0 Server, Terminal Server Edition
    - Microsoft Windows 2000 Professional
    - Microsoft Windows 2000 Server
    - Microsoft Windows 2000 Advanced Server

PROBLEM

    The following is based on a Cerberus Information Security Advisory.
    The Cerberus Security Team has discovered an overflow issue in the
    Windows NT/2000 command interpreter "cmd.exe". The problem was found
    while looking for buffer overflow issues on certain web servers. Web
    servers that execute batch files as CGI scripts on behalf of a client
    are therefore exposed to a Denial of Service attack.

    By providing an overly long string as an argument to a CGI-based
    batch file it is possible to crash the command interpreter in the
    "clean up" stages. Although control of the Instruction Pointer
    register (EIP) is gained, it is gained with a UNICODE address, e.g.
    0x00410041 (each ASCII byte of the argument has been widened to a
    16-bit character). Having debugged the application, it appears that
    in this case there is nowhere useful in memory to jump to in order
    to get back to any "exploit code".
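    The request pattern described above (a batch-file CGI invoked with an
    oversized argument) is visible in the web server's access log. The
    following is an added example, not part of the Cerberus advisory or
    of any Microsoft code: it parses IIS W3C extended-format log lines
    (the column layout is taken from the #Fields: directive) and flags
    requests to .bat/.cmd CGI scripts whose decoded query string exceeds
    a length threshold. The sample log, the 256-character threshold and
    the field names are constructed assumptions for the example.

```python
from urllib.parse import unquote

# Extensions that IIS will hand to cmd.exe as batch-file CGI (assumption
# for this example: both .bat and .cmd are mapped on the server in question).
BATCH_EXTENSIONS = (".bat", ".cmd")


def build_sample_log():
    """Constructed IIS W3C extended-format log text; not real traffic."""
    long_arg = "A" * 600          # oversized plain argument (constructed)
    encoded_arg = "%41" * 400     # same idea, percent-encoded (constructed)
    return "\n".join([
        "#Software: Microsoft Internet Information Server 4.0",
        "#Version: 1.0",
        "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
        "2000-12-01 10:15:01 10.0.0.5 GET /scripts/report.bat name=smith 200",
        f"2000-12-01 10:15:09 10.0.0.9 GET /scripts/report.bat name={long_arg} 500",
        "2000-12-01 10:15:12 10.0.0.9 GET /default.asp - 200",
        f"2000-12-01 10:15:20 10.0.0.9 GET /cgi-bin/do.cmd x={encoded_arg} 500",
        # Long query to a non-batch resource: must NOT be flagged.
        "2000-12-01 10:15:33 10.0.0.7 POST /scripts/long.asp " + "B" * 700 + " 200",
    ])


def parse_w3c(text):
    """Parse W3C extended log text into a list of dicts keyed by field name."""
    fields = None
    records = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names follow the directive
            continue
        if not line or line.startswith("#"):
            continue                        # other directives / blank lines
        if fields is None:
            raise ValueError("data line before #Fields directive")
        values = line.split()               # W3C values never contain spaces
        if len(values) != len(fields):
            continue                        # malformed line: skip, don't misalign
        records.append(dict(zip(fields, values)))
    return records


def find_batch_cgi_overflows(records, max_query_len=256):
    """Return records that invoke a batch CGI with an oversized query string.

    The query is percent-decoded before measuring, so an encoded payload
    is judged by the length cmd.exe would actually receive.
    """
    hits = []
    for rec in records:
        stem = rec.get("cs-uri-stem", "").lower()
        if not stem.endswith(BATCH_EXTENSIONS):
            continue
        query = rec.get("cs-uri-query", "-")
        if query == "-":                    # IIS logs "-" for an empty field
            continue
        decoded = unquote(query)
        if len(decoded) > max_query_len:
            hits.append({
                "time": f"{rec['date']} {rec['time']}",
                "client": rec["c-ip"],
                "stem": stem,
                "length": len(decoded),
                "status": rec.get("sc-status"),
            })
    return hits


if __name__ == "__main__":
    for hit in find_batch_cgi_overflows(parse_w3c(build_sample_log())):
        print(hit)
```

    A 500 status on a flagged line is consistent with the interpreter
    crashing during "clean up", but the length check alone is the
    useful signal: it fires whether or not the request happened to crash
    the server.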

SOLUTION

    It is best not to allow web servers to execute batch files as CGI
    scripts at all, as these can often be subverted to run arbitrary
    commands, so Cerberus recommends disabling any script mappings for
    this. In addition, the patch should be applied as well. Patch
    availability:

    - Windows NT 4.0: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=20494
    - Windows 2000:   http://www.microsoft.com/Downloads/Release.asp?ReleaseID=20503