another fatal bug in NT/2000 "Command Prompt" I/O
daemon@ATHENA.MIT.EDU (Michael Wojcik)
Fri Oct 26 15:23:48 2001
Message-ID: <27B17B8B25A3D411B45800805FA7F01C0160E15A@mtvmail.merant.com>
From: Michael Wojcik <Michael.Wojcik@merant.com>
To: BugTraq <bugtraq@securityfocus.com>
Date: Fri, 26 Oct 2001 11:35:42 -0700
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Recent messages on the comp.lang.c and (allegedly)
comp.os.ms-windows.programmer.win32 newsgroups have documented various short
programs which cause Windows NT4 and 2000 to crash and reboot by writing
certain strings to stdout.
The following is one example of such a program:
#include <stdio.h>

/* Writes two tabs followed by six backspaces to stdout, forever; the
   console subsystem crashing on this output is the reported bug. */
int main(void)
{
    while (1)
        printf("\t\t\b\b\b\b\b\b");
    return 0;
}
Note that several people have reported crashes using variants that do not
output unlimited text. One has crashed a test system using a program that
wrote only the four-character string "\t\b\b " (a tab, two backspaces, and a
space).
I've confirmed that collecting a large amount of output from a program such
as the one above in a file, and then using the "type" command in a
command-prompt window to display the file, will also crash or hang the
system.
My test system:
IBM Thinkpad 600E
400MHz Pentium II
96MB RAM
Windows NT 4 Workstation
SP6a plus Q299444i, Q301625i, Q306121
I was logged in with a "Power User"-class user ID; administrative privilege
is not required to exploit the problem. The program was built with
Microsoft Visual C++ 6.0 SP5, from the command line with default options.
When NT crashed it displayed a crash dump message with the following
information:
stop c000021a in "Windows SubSystem"
process status c0000005 (5ffb355e 0124faa0)
Note that because this has been discussed on at least two widely-read
newsgroups, it's already well-known.
I've sent a message about this to Microsoft.
Michael Wojcik
Principal Software Systems Developer, Micro Focus
Department of English, Miami University
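As an added example (not part of Michael Wojcik's post or of any Microsoft code): a small C filter that a program displaying untrusted text, such as a log or file viewer, could run before writing to a console, so that tab and backspace bytes like those in the four-character string above reach the screen in caret notation instead of as raw control characters. Function names and the sample input are my own.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Count tab characters immediately followed by a backspace, the pattern
   shared by the strings the post reports as crashing NT/2000. A non-zero
   result is a signal that the text should be escaped before display. */
size_t count_tab_backspace_runs(const char *s)
{
    size_t runs = 0;
    for (size_t i = 0; s[i] != '\0'; i++)
        if (s[i] == '\t' && s[i + 1] == '\b')
            runs++;
    return runs;
}

/* Copy `in` to `out`, rewriting every control character except CR/LF in
   caret notation (tab -> ^I, backspace -> ^H, DEL -> ^?) so the console
   driver never sees the raw bytes. Returns the number of characters
   escaped; output is truncated (and NUL-terminated) if outsz is small. */
size_t escape_console_controls(const char *in, char *out, size_t outsz)
{
    size_t escaped = 0, j = 0;
    if (outsz == 0)
        return 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        unsigned char c = (unsigned char)in[i];
        if (c == '\n' || c == '\r' || !iscntrl(c)) {
            if (j + 1 >= outsz) break;      /* keep room for the NUL */
            out[j++] = (char)c;
        } else {
            if (j + 2 >= outsz) break;
            out[j++] = '^';
            out[j++] = (c == 0x7f) ? '?' : (char)(c + '@');
            escaped++;
        }
    }
    out[j] = '\0';
    return escaped;
}

int main(void)
{
    /* Constructed input: the four-character string quoted in the post. */
    const char *risky = "\t\b\b ";
    char safe[32];
    size_t n = escape_console_controls(risky, safe, sizeof safe);
    printf("%zu control chars escaped, %zu tab+backspace runs -> \"%s\"\n",
           n, count_tab_backspace_runs(risky), safe);
    return 0;
}
```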