Pipe the output of a command to FOR in (), and you crash the Windows Vista Windows Command Processor (CMD.exe) with a DEP violation. I expect it works on Server 2008 as well. Maybe this is exploitable for privilege escalation, at least on a machine with DEP disabled. I did not do any dump analysis or debugging to find out. Example: Echo | for %i in () do rem For ECHO you can substitute about any command. Any variation of FOR seems to give the same results as long as "in ()". Does not appear to work in XPSP2, Server 2003, or Win2000. Reported to Microsoft yesterday. They declined to pursue an authenticated self-DoS issue.
