|
Pipe the output of a command to FOR in (), and you crash the Windows
Vista Windows Command Processor (CMD.exe) with a DEP violation. I expect
it works on Server 2008 as well.
Maybe this is exploitable for privilege escalation, at least on a
machine with DEP disabled. I did not do any dump analysis or debugging
to find out.
Example:
Echo | for %i in () do rem
For ECHO you can substitute about any command. Any variation of FOR
seems to give the same results as long as "in ()".
Does not appear to work in XPSP2, Server 2003, or Win2000.
Reported to Microsoft yesterday. They declined to pursue an
authenticated self-DoS issue.