Dailydave mailing list archives
Re: MSRPC vulnerability 1 billion and six?
From: H D Moore <hdm-daily-dave () digitaloffense net>
Date: Thu, 17 Nov 2005 16:44:37 -0600
The way MS has fixed this in the past is via range()'s, here is one that was fixed in some early Windows 2000 SP:

    long function_1f (
        [in] [unique] [string] wchar_t * arg_00,
        [in] [string] wchar_t * arg_01,
        [out] [size_is(arg_03)] char * arg_02,
        [in] [range(0, 64000)] long arg_03,    <<<<<<<<<<<<<<
        [in] [string] wchar_t * arg_04,
        [in,out] long * arg_05,
        [in] long arg_06
    );

-HD

On Thursday 17 November 2005 16:56, Alexander Sotirov wrote:
> Dave Aitel wrote:
> > Hmm. I guess one possible fix would be [size_is(size)] [out] * IDL's
> > parsed to be a maximum of "freememory/2".
>
> This wouldn't help much, because the memory is zeroed with rep stosd
> after it is allocated. Not only does this consume 100% CPU for a while,
> it also commits every allocated page and might force other programs to
> get swapped out.
>
> Alex
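An added illustration (not code from this thread, and not MIDL-generated stub code) of what the [range(0, 64000)] attribute on arg_03 buys the server: the size_is() count is read off the wire and checked against the range before the [out] buffer is allocated and zeroed, so an out-of-range count is rejected instead of turning into a huge allocation plus rep stosd fill. The byte offset of the count within the request, the status names and the three constructed request fragments are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Bounds expressed by the [range(0, 64000)] attribute in the IDL above. */
#define COUNT_RANGE_LO 0u
#define COUNT_RANGE_HI 64000u

enum decode_status {
    DECODE_OK = 0,
    DECODE_TRUNCATED = 1,     /* wire buffer ends before the count field */
    DECODE_OUT_OF_RANGE = 2   /* count violates [range()]: reject, never allocate */
};

/* NDR marshals a long as 4 little-endian bytes; read one at byte offset 'off'. */
static int read_ndr_long(const uint8_t *wire, size_t wire_len, size_t off, uint32_t *out)
{
    if (off > wire_len || wire_len - off < 4)
        return -1;
    *out = (uint32_t)wire[off] | ((uint32_t)wire[off + 1] << 8) |
           ((uint32_t)wire[off + 2] << 16) | ((uint32_t)wire[off + 3] << 24);
    return 0;
}

/* Decode the size_is() count for arg_02 and enforce the range before any
 * allocation happens. 'off' is the (assumed) offset of the count field in
 * the marshalled request. */
enum decode_status decode_checked_count(const uint8_t *wire, size_t wire_len,
                                        size_t off, uint32_t *count)
{
    uint32_t raw;
    if (read_ndr_long(wire, wire_len, off, &raw) != 0)
        return DECODE_TRUNCATED;
    if (raw < COUNT_RANGE_LO || raw > COUNT_RANGE_HI)
        return DECODE_OUT_OF_RANGE;
    *count = raw;
    return DECODE_OK;
}

/* Server-side allocation of the [out] buffer. Returns NULL unless the count
 * passed the range check, so the zero fill Alexander mentions is bounded by
 * COUNT_RANGE_HI bytes rather than by whatever the client sent. */
char *alloc_out_buffer(const uint8_t *wire, size_t wire_len, size_t off, uint32_t *count_out)
{
    uint32_t count;
    if (decode_checked_count(wire, wire_len, off, &count) != DECODE_OK)
        return NULL;
    char *buf = calloc(count ? count : 1, 1);   /* zeroed, like the stub's rep stosd */
    if (buf && count_out)
        *count_out = count;
    return buf;
}

/* Constructed request fragments (count field at offset 0) for the demo. */
static const uint8_t REQ_SMALL[4] = { 0x00, 0x10, 0x00, 0x00 };   /* 4096: accepted */
static const uint8_t REQ_HUGE[4]  = { 0xff, 0xff, 0xff, 0x7f };   /* 0x7fffffff: rejected */
static const uint8_t REQ_SHORT[2] = { 0x00, 0x10 };               /* truncated field */

int main(void)
{
    uint32_t n = 0;
    char *buf = alloc_out_buffer(REQ_SMALL, sizeof REQ_SMALL, 0, &n);
    printf("small request: %s, count=%u\n", buf ? "allocated" : "rejected", n);
    free(buf);
    printf("huge request: %s\n",
           alloc_out_buffer(REQ_HUGE, sizeof REQ_HUGE, 0, NULL) ? "allocated" : "rejected");
    printf("short request: status=%d\n",
           (int)decode_checked_count(REQ_SHORT, sizeof REQ_SHORT, 0, &n));
    return 0;
}
```

Without the range check the same decoder would hand 0x7fffffff straight to the allocator, which is the allocate-and-zero cost the thread is about; with it, the cost per call is capped by the IDL, which is why the SP fix could be a one-attribute change.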
Current thread:
- MSRPC vulnerability 1 billion and six? Dave Aitel (Nov 17)
- Re: MSRPC vulnerability 1 billion and six? Nicolas RUFF (Nov 17)
- Re: MSRPC vulnerability 1 billion and six? Dave Aitel (Nov 17)
- Re: MSRPC vulnerability 1 billion and six? Alexander Sotirov (Nov 17)
- Re: MSRPC vulnerability 1 billion and six? H D Moore (Nov 17)
- Re: MSRPC vulnerability 1 billion and six? Dave Aitel (Nov 17)
- Re: MSRPC vulnerability 1 billion and six? Dave Aitel (Nov 17)
- Re: MSRPC vulnerability 1 billion and six? Nicolas RUFF (Nov 17)
- Re: MSRPC vulnerability 1 billion and six? Dave Aitel (Nov 17)
- Re: MSRPC vulnerability 1 billion and six? Dave Aitel (Nov 17)
- Re: MSRPC vulnerability 1 billion and six? Thomas Lakofski (Nov 20)
- Re: MSRPC vulnerability 1 billion and six? H D Moore (Nov 17)
- Re: MSRPC vulnerability 1 billion and six? Dave Aitel (Nov 17)