Dailydave mailing list archives

Re: MSRPC vulnerability 1 billion and six?


From: H D Moore <hdm-daily-dave () digitaloffense net>
Date: Thu, 17 Nov 2005 16:44:37 -0600

The way MS has fixed this in the past is via range()'s, here is one that 
was fixed in some early Windows 2000 SP:

  long function_1f (
    [in] [unique] [string] wchar_t * arg_00,
    [in] [string] wchar_t * arg_01,
    [out] [size_is(arg_03)] char * arg_02,
    [in] [range(0, 64000)] long arg_03, <<<<<<<<<<<<<<
    [in] [string] wchar_t * arg_04,
    [in,out] long * arg_05,
    [in] long arg_06
  );

-HD

On Thursday 17 November 2005 16:56, Alexander Sotirov wrote:
Dave Aitel wrote:
Hmm. I guess one possible fix would be
[size_is(size)] [out] * IDL's parsed to be a maximum of
"freememory/2".

This wouldn't help much, because the memory is zeroed with rep stosd
after it is allocated. Not only does this consume 100% CPU for a while,
it also commits every allocated page and might force other programs to
get swapped out.

Alex
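To make the effect of the range() fix concrete, here is an added example (not code from this thread, Microsoft's stubs or any real MIDL output) that models what the generated server stub does with the 4-byte conformance count that precedes a [size_is] array on the wire. The bound ARG_03_MAX, the wire fragments and the status codes are all constructed for the example; the point is that the bounded stub rejects an oversized count before anything is allocated or zeroed, while the unbounded stub would size its buffer directly from attacker-controlled data.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Hypothetical bound mirroring the [range(0, 64000)] on arg_03 above. */
#define ARG_03_MAX 64000UL

enum stub_status { STUB_OK = 0, STUB_SHORT_PDU = 1, STUB_BAD_BOUND = 2, STUB_NO_MEMORY = 3 };

/* Constructed wire fragments: the little-endian 32-bit conformance count
 * that NDR places before a [size_is] array. */
static const unsigned char WIRE_SMALL[4] = { 0xE8, 0x03, 0x00, 0x00 }; /* 1000 */
static const unsigned char WIRE_HUGE[4]  = { 0xF0, 0xFF, 0xFF, 0xFF }; /* 4294967280 */

static uint32_t read_u32_le(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Stub without range(): the count is taken at face value. */
int unmarshal_unbounded(const unsigned char *wire, size_t wire_len, uint32_t *count) {
    if (wire_len < 4) return STUB_SHORT_PDU;
    *count = read_u32_le(wire);
    return STUB_OK;
}

/* Stub with range(): the count is checked against the IDL bound before any
 * buffer is sized from it. */
int unmarshal_bounded(const unsigned char *wire, size_t wire_len,
                      uint32_t max, uint32_t *count) {
    if (wire_len < 4) return STUB_SHORT_PDU;
    uint32_t c = read_u32_le(wire);
    if (c > max) return STUB_BAD_BOUND;
    *count = c;
    return STUB_OK;
}

/* Server side of the bounded stub: the zero-filled [out] buffer of arg_03
 * bytes is allocated only after the bound check passed, so the cost of
 * zeroing (the rep stosd in the quoted reply) is capped at ARG_03_MAX. */
int handle_request(const unsigned char *wire, size_t wire_len,
                   char **out, uint32_t *out_len) {
    uint32_t n;
    int st = unmarshal_bounded(wire, wire_len, ARG_03_MAX, &n);
    *out = NULL;
    *out_len = 0;
    if (st != STUB_OK) return st;
    *out = calloc(n ? n : 1, 1);
    if (*out == NULL) return STUB_NO_MEMORY;
    *out_len = n;
    return STUB_OK;
}

/* Status the bounded server path returns for a given PDU fragment. */
int status_for(const unsigned char *wire, size_t wire_len) {
    char *buf;
    uint32_t len;
    int st = handle_request(wire, wire_len, &buf, &len);
    free(buf);
    return st;
}

/* Count an unbounded stub would size its buffer from (0 if the PDU is short). */
uint32_t unbounded_count(const unsigned char *wire, size_t wire_len) {
    uint32_t n = 0;
    unmarshal_unbounded(wire, wire_len, &n);
    return n;
}

int main(void) {
    printf("unbounded stub would size a buffer of %u bytes\n",
           unbounded_count(WIRE_HUGE, sizeof WIRE_HUGE));
    printf("bounded stub, small count: status %d\n", status_for(WIRE_SMALL, sizeof WIRE_SMALL));
    printf("bounded stub, huge count:  status %d\n", status_for(WIRE_HUGE, sizeof WIRE_HUGE));
    return 0;
}
```

The check sits in the unmarshalling step rather than in the routine body because that is where the generated stub sees the count first; a bound applied only after the stub has already sized and cleared the [out] buffer would arrive too late to prevent the resource exhaustion described in the reply.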
