Dailydave mailing list archives

Re: MSRPC vulnerability 1 billion and six?


From: Dave Aitel <dave () immunitysec com>
Date: Thu, 17 Nov 2005 08:08:24 -0500



http://www.frsirt.com/exploits/20051117.Win_upnp_getdevicelist.c.php

So if I understand this correctly, if you have an IDL of the format:
[in] int size;
[out] [size_is(size)] [string] wchar_t * outstring; //note the lack of an [in] here! (does the [string] matter? Dunno! Any array should work I think...)

and you send size in as 0x10101010 you get a lot of allocation as it creates the output buffer. So function 0f in that same interface should work as well, as well as numerous thousands of other MSRPC functions that exist on every Microsoft platform.

This is probably not a problem they are going to be able to fix easily. And it's probably a problem you can find in lots of different ways in lots of different endpoints, up to and including the most recent Windows platform. But I could be wrong, and if I am, I'm sure someone will point it out quickly. That's the great thing about having a real community look at these sorts of things, rather than having a vendor monopoly on security information.

-dave
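Added example, not part of Dave's post and not MIDL output: a small C model of what the post describes. A server stub that sizes an [out] [size_is(size)] wchar_t buffer purely from the caller's [in] size will try to allocate size * sizeof(wchar_t) bytes before any server logic runs, so a count of 0x10101010 becomes a request for 0x20202020 bytes. The checked variant shows the fix a stub would need: bound the count (the MAX_OUT_ELEMS cap and the 16-bit wchar16_t type are assumptions of this example; in real MIDL the bound would normally come from a [range()] attribute) and guard the multiplication before anything is allocated. The request bytes are constructed here.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for Windows wchar_t, which is 16 bits on the wire (assumption of this example). */
typedef uint16_t wchar16_t;

/* Hypothetical policy cap on the element count; a real interface would pick a bound
 * that fits its data, typically via the MIDL [range()] attribute. */
#define MAX_OUT_ELEMS 0x10000u

/* Decode the little-endian 32-bit [in] size as NDR places it on the wire. */
static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Unchecked stub behaviour as the post describes it: the [out] buffer size is
 * derived only from the caller-supplied count. Returns the byte count that
 * would be requested from the allocator (0x10101010 -> 0x20202020 bytes). */
uint64_t unchecked_out_buffer_bytes(uint32_t size)
{
    return (uint64_t)size * sizeof(wchar16_t);
}

/* Hardened stub: validate the count before any allocation happens.
 * Returns 0 and sets *bytes on success, -1 if the request is rejected. */
int checked_out_buffer_bytes(uint32_t size, size_t *bytes)
{
    if (size == 0 || size > MAX_OUT_ELEMS)
        return -1;                          /* outside the policy bound */
    if (size > SIZE_MAX / sizeof(wchar16_t))
        return -1;                          /* multiplication would wrap */
    *bytes = (size_t)size * sizeof(wchar16_t);
    return 0;
}

/* Simulated server dispatch for a request whose first 4 bytes are the [in] size.
 * On success allocates the [out] buffer, writes a short constructed string into it
 * and returns it through *out (caller frees); returns -1 if the request is rejected. */
int handle_request(const uint8_t *req, size_t req_len, wchar16_t **out, uint32_t *out_elems)
{
    size_t bytes;
    if (req_len < 4)
        return -1;
    uint32_t size = read_le32(req);
    if (checked_out_buffer_bytes(size, &bytes) != 0)
        return -1;
    wchar16_t *buf = calloc(1, bytes);      /* zeroed, so the string is terminated */
    if (buf == NULL)
        return -1;
    const char *msg = "ok";
    for (uint32_t i = 0; i + 1 < size && msg[i] != '\0'; i++)
        buf[i] = (wchar16_t)msg[i];
    *out = buf;
    *out_elems = size;
    return 0;
}

int main(void)
{
    /* Constructed requests: the 0x10101010 count from the post, and a sane one (16). */
    const uint8_t hostile[4] = { 0x10, 0x10, 0x10, 0x10 };
    const uint8_t benign[4]  = { 0x10, 0x00, 0x00, 0x00 };
    wchar16_t *out = NULL;
    uint32_t n = 0;

    printf("unchecked stub would allocate %llu bytes for size 0x%08x\n",
           (unsigned long long)unchecked_out_buffer_bytes(read_le32(hostile)),
           read_le32(hostile));
    printf("checked stub on hostile request: %s\n",
           handle_request(hostile, sizeof hostile, &out, &n) == 0 ? "accepted" : "rejected");
    if (handle_request(benign, sizeof benign, &out, &n) == 0) {
        printf("benign request: %u elements allocated\n", n);
        free(out);
    }
    return 0;
}
```

The point of the split into checked_out_buffer_bytes and handle_request is that the bound is enforced before the allocator is ever reached; doing the check after calloc (or leaving it to the manager routine) would not help, because the allocation the post is worried about has already happened by then.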
