Vulnerability Development mailing list archives

Re: RES: IIS Vulnerability Content-Type overflow [DH-7XC4RA3]


From: dullien () gmx de
Date: Thu, 5 Dec 2002 09:27:29 +0100

Hey all,

RMC> Just tried it.
RMC> Got the 500 server error in the logs with a size of 30K. No noticeable CPU increase, but got the "Not enough storage is available to complete this operation." in the log.
RMC> Also tried 65535 and NO record found in logs whatsoever.

I would expect several bugs similar to this all over the NT/2k/XP
operating system ... the system-internal RtlInitAnsiString stores
the length of the string as a 16-bit value (see disassembly),
therefore sending any string > 65535 into RtlInitAnsiString will
make the reported string size & the actual string size differ.

.text:77F9194E RtlInitAnsiString proc near             ; CODE XREF: .text:77F83962p
.text:77F9194E                                         ; .text:77F86280p ...
.text:77F9194E 
.text:77F9194E arg_0           = dword ptr  8
.text:77F9194E arg_4           = dword ptr  0Ch
.text:77F9194E 
.text:77F9194E                 push    edi
.text:77F9194F                 mov     edi, [esp+arg_4]
.text:77F91953                 mov     edx, [esp+arg_0]
.text:77F91957                 mov     dword ptr [edx], 0
.text:77F9195D                 mov     [edx+4], edi
.text:77F91960                 or      edi, edi
.text:77F91962                 jz      short loc_77F91975
.text:77F91964                 or      ecx, 0FFFFFFFFh
.text:77F91967                 xor     eax, eax
.text:77F91969                 repne scasb
.text:77F9196B                 not     ecx
.text:77F9196D                 mov     [edx+2], cx    <--- Here
.text:77F91971                 dec     ecx
.text:77F91972                 mov     [edx], cx      <--- Here
.text:77F91975 
.text:77F91975 loc_77F91975:                           ; CODE XREF: RtlInitAnsiString+14j
.text:77F91975                 pop     edi
.text:77F91976                 retn    8


Cheers,
dullien () gmx de
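
An added illustration of the 16-bit truncation the post describes (my own portable C model, not code from the post, from the list, or from Windows): the struct follows the documented ANSI_STRING layout the listing writes to (Length at [edx], MaximumLength at [edx+2], Buffer at [edx+4]), the first function mirrors the instruction sequence in the disassembly, and the "checked" variant and the probe helper are hypothetical additions that show the length validation a caller would want and let the wrap be observed on constructed input without touching a server.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Model of the ANSI_STRING the listing fills: 16-bit Length at [edx],
 * 16-bit MaximumLength at [edx+2], buffer pointer at [edx+4]. */
typedef struct {
    uint16_t Length;        /* bytes, excluding the terminator */
    uint16_t MaximumLength; /* bytes, including the terminator */
    char    *Buffer;
} ansi_string_t;

/* Mirrors the disassembly: the length is counted in 32-bit ecx
 * (repne scasb / not ecx) but only cx is stored, so counts above 65535 wrap. */
static void init_ansi_string_modelled(ansi_string_t *s, const char *src)
{
    s->Length = 0; s->MaximumLength = 0; s->Buffer = (char *)src;
    if (src == NULL)                        /* or edi, edi ; jz */
        return;
    size_t n = strlen(src);
    s->MaximumLength = (uint16_t)(n + 1);   /* mov [edx+2], cx */
    s->Length        = (uint16_t)n;         /* dec ecx ; mov [edx], cx */
}

/* Hardened variant (hypothetical): a source that does not fit the 16-bit
 * fields is rejected, so the caller fails closed instead of using a wrapped length. */
static int init_ansi_string_checked(ansi_string_t *s, const char *src)
{
    if (src != NULL && strlen(src) + 1 > UINT16_MAX) {
        s->Length = 0; s->MaximumLength = 0; s->Buffer = NULL;
        return -1;                          /* would wrap: reject */
    }
    init_ansi_string_modelled(s, src);      /* fits, so the casts are exact */
    return 0;
}

/* Probe: a constructed string of n 'A' bytes goes through both versions.
 * *modelled_len gets the (possibly wrapped) Length; returns the checked
 * variant's verdict: 0 accepted, -1 rejected. */
static int probe(size_t n, unsigned *modelled_len)
{
    char *buf = malloc(n + 1);
    memset(buf, 'A', n); buf[n] = '\0';
    ansi_string_t s;
    init_ansi_string_modelled(&s, buf);
    *modelled_len = s.Length;
    int rc = init_ansi_string_checked(&s, buf);
    free(buf);
    return rc;
}
```

A 30K input keeps its real length, while a 65536-byte input reports a Length of 0 and a 70000-byte one reports 4464, which is the reported-versus-actual mismatch the post points at; the checked variant refuses both.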

