Dailydave mailing list archives
Re: MSRPC vulnerability 1 billion and six?
From: Dave Aitel <dave () immunitysec com>
Date: Thu, 17 Nov 2005 08:08:24 -0500
http://www.frsirt.com/exploits/20051117.Win_upnp_getdevicelist.c.php

So if I understand this correctly, if you have an IDL of the format:

    [in] int size;
    [out] [size_is(size)] [string] wchar_t * outstring; //note the lack of an [in] here!

(does the [string] matter? Dunno! Any array should work I think...)

and you send size in as 0x10101010 you get a lot of allocation as it creates the output buffer. So function 0f in that same interface should work as well, as well as numerous thousands of other MSRPC functions that exist on every Microsoft platform.
This is probably not a problem they are going to be able to fix easily. And it's probably a problem you can find in lots of different ways in lots of different endpoints, up to and including the most recent Windows platform. But I could be wrong, and if I am, I'm sure someone will point it out quickly. That's the great thing about having a real community look at these sorts of things, rather than having a vendor monopoly on security information.
-dave
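
For anyone reviewing their own interface definitions for the pattern described in this message, the following is an added example, not part of the original post or of any Microsoft tooling. It flags out-only arrays whose size_is() argument is a caller-supplied [in] parameter; the sample IDL and its names are constructed, and treating a MIDL [range(...)] attribute on the size parameter as the bound to look for is an assumption of this check.

```python
import re

# Constructed sample IDL, not from the post; interface and function names are hypothetical.
SAMPLE_IDL = """
interface demo {
    long GetList([in] long size,
                 [out, size_is(size)] wchar_t *outstring);
    long GetListBounded([in, range(0, 4096)] long size,
                        [out, size_is(size)] wchar_t *outstring);
    long Echo([in] long size,
              [in, out, size_is(size)] byte *buf);
}
"""

# name( params ); where params may contain one level of nested parentheses
FUNC_RE = re.compile(r"(\w+)\s*\(((?:[^()]|\([^()]*\))*)\)\s*;")

def split_params(text):
    """Split a parameter list on commas that sit outside [] and ()."""
    parts, depth, cur = [], 0, ""
    for ch in text:
        depth += ch in "(["
        depth -= ch in ")]"
        if ch == "," and depth == 0:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    return parts + [cur]

def audit(idl):
    """Return (function, out_param, size_param) for each unbounded out-only array."""
    findings = []
    for m in FUNC_RE.finditer(idl):
        params = {}
        for p in split_params(m.group(2)):
            words = re.findall(r"\w+", re.sub(r"\[[^\]]*\]", "", p))
            if words:  # last identifier is the parameter name
                params[words[-1]] = " ".join(re.findall(r"\[([^\]]*)\]", p))
        for name, attrs in params.items():
            sz = re.search(r"\bsize_is\(\s*(\w+)\s*\)", attrs)
            out_only = re.search(r"\bout\b", attrs) and not re.search(r"\bin\b", attrs)
            ctl = params.get(sz.group(1), "") if sz else ""
            # Flag: server allocates the array, and the caller picks its size freely
            if sz and out_only and re.search(r"\bin\b", ctl) and not re.search(r"\brange\(", ctl):
                findings.append((m.group(1), name, sz.group(1)))
    return findings

if __name__ == "__main__":
    for func, out_param, size_param in audit(SAMPLE_IDL):
        print(f"{func}: [out] {out_param} is sized by unbounded [in] {size_param}")
```

Only GetList is reported: GetListBounded carries a range on size, and Echo's buffer is also [in], so the caller has to send that many elements itself.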