Vulnerability Development mailing list archives

RES: RES: IIS Vulnerability Content-Type overflow [DH-7XC4RA3]


From: "Romulo M. Cholewa" <rmc () rmc eti br>
Date: Thu, 5 Dec 2002 22:50:33 -0300

Hum.

Anyway, I think that "something" could appear in the logs, but nothing gets logged.

Forgive my lack of programming skills (maybe the following question simply does not apply), but can this kind 
of behaviour be used to hide a legitimate request? If so, someone could access HTTP content on an IIS server without 
anything making it into the logs.

Romulo M. Cholewa
Home : http://www.rmc.eti.br
Forum: http://zeus.rmc.eti.br/forum
PGP Keys Available @ website.

    "If a technology does not seem like magic, that's because
                     it's not good enough."


]-----Original Message-----
]From: Anthony LaMantia [mailto:contact () bia-security com] 
]Sent: Friday, December 6, 2002 03:58
]To: dullien () gmx de
]Cc: Romulo M. Cholewa; Dan Hanson; at4r; vuln-dev () securityfocus com
]Subject: Re: RES: IIS Vulnerability Content-Type overflow [DH-7XC4RA3]
]
]
]Well, I think that you should look at the headers of that "security 
]alert"... then maybe you will get a clue that this is a joke.
]
]the senders e-mail is:
]
]at4r () hotmail com
]
]and the reply-to address is 
]at4r () 3wdesign es
]
]
]-Anthony LaMantia
]http://www.bia-security.com
]
]
]dullien () gmx de wrote:
]
]> Hey all,
]> 
]> RMC> Just tried it.
]> RMC> Got the 500 server error in the logs with a size of 30K. No 
]> RMC> noticeable CPU increase, but got the "Not enough storage is 
]> RMC> available to complete this operation." in the log. Also tried 
]> RMC> 65535 and NO record found in logs whatsoever.
]> 
]> I would expect several bugs similar to this all over the NT/2k/XP 
]> operating system ... the system-internal RtlInitAnsiString stores the 
]> length of the string as a 16-bit value (see disassembly), therefore 
]> sending any string > 65535 into RtlInitAnsiString will make the 
]> reported string size & the actual string size differ.
]> 
]> .text:77F9194E RtlInitAnsiString proc near             ; CODE XREF: .text:77F83962p
]> .text:77F9194E                                         ; .text:77F86280p ...
]> .text:77F9194E 
]> .text:77F9194E arg_0           = dword ptr  8
]> .text:77F9194E arg_4           = dword ptr  0Ch
]> .text:77F9194E 
]> .text:77F9194E                 push    edi
]> .text:77F9194F                 mov     edi, [esp+arg_4]
]> .text:77F91953                 mov     edx, [esp+arg_0]
]> .text:77F91957                 mov     dword ptr [edx], 0
]> .text:77F9195D                 mov     [edx+4], edi
]> .text:77F91960                 or      edi, edi
]> .text:77F91962                 jz      short loc_77F91975
]> .text:77F91964                 or      ecx, 0FFFFFFFFh
]> .text:77F91967                 xor     eax, eax
]> .text:77F91969                 repne scasb
]> .text:77F9196B                 not     ecx
]> .text:77F9196D                 mov     [edx+2], cx    <--- Here
]> .text:77F91971                 dec     ecx
]> .text:77F91972                 mov     [edx], cx      <--- Here
]> .text:77F91975 
]> .text:77F91975 loc_77F91975:                           ; CODE XREF: RtlInitAnsiString+14j
]> .text:77F91975                 pop     edi
]> .text:77F91976                 retn    8
]> 
]> 
]> Cheers,
]> dullien () gmx de
]> 
]> 
]> 
]> 
]
]
]
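The 16-bit truncation dullien points at in the disassembly above, as an added example that is not code from the original thread and not the real ntdll routine: a portable C re-implementation modeled line-for-line on the quoted listing (the names MY_ANSI_STRING, init_ansi_string_like_ntdll, make_filler and the measuring helpers are the example's own, and the 'A'-filled inputs are constructed). It shows what the descriptor reports for strings of 30000, 65535, 65536 and 70000 bytes: above 65535 the Length field wraps modulo 65536, and at exactly 65535 bytes MaximumLength wraps to 0 while Length stays 65535, so the descriptor claims less room than content.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Layout of the NT ANSI_STRING descriptor: two 16-bit byte counts and a
 * pointer. Neither count can represent a value >= 65536. */
typedef struct {
    uint16_t Length;        /* bytes in Buffer, not counting the NUL */
    uint16_t MaximumLength; /* bytes Buffer can hold, counting the NUL */
    char    *Buffer;
} MY_ANSI_STRING;

/* Example re-implementation of the quoted RtlInitAnsiString disassembly
 * (not the real ntdll function):
 *   mov dword ptr [edx],0  ; zero both 16-bit fields
 *   mov [edx+4],edi        ; Buffer = src
 *   jz  ...                ; src == NULL: leave the counts at zero
 *   repne scasb / not ecx  ; count bytes up to and including the NUL
 *   mov [edx+2],cx         ; MaximumLength = low 16 bits of the count
 *   dec ecx / mov [edx],cx ; Length = low 16 bits of (count - 1) */
void init_ansi_string_like_ntdll(MY_ANSI_STRING *dst, const char *src)
{
    dst->Length = 0;
    dst->MaximumLength = 0;
    dst->Buffer = (char *)src;
    if (src == NULL)
        return;
    uint32_t count = (uint32_t)(strlen(src) + 1);
    dst->MaximumLength = (uint16_t)count; /* bits 16..31 silently dropped */
    count--;
    dst->Length = (uint16_t)count;        /* same truncation here */
}

/* Constructed test input: a NUL-terminated run of n 'A' bytes (caller frees). */
char *make_filler(size_t n)
{
    char *p = malloc(n + 1);
    if (p == NULL)
        return NULL;
    memset(p, 'A', n);
    p[n] = '\0';
    return p;
}

/* 1 if the 16-bit Length no longer matches the real byte count in Buffer. */
int length_is_truncated(const MY_ANSI_STRING *s)
{
    if (s->Buffer == NULL)
        return 0;
    return strlen(s->Buffer) != (size_t)s->Length;
}

/* 1 if the descriptor claims less room than content (the 65535-byte case). */
int maximum_below_length(const MY_ANSI_STRING *s)
{
    return s->MaximumLength < s->Length;
}

/* Describe an n-byte filler and hand back the two counts with the buffer
 * already released (Buffer is NULL on return). *truncated is -1 on OOM. */
static MY_ANSI_STRING measure_filler(size_t n, int *truncated)
{
    MY_ANSI_STRING s = { 0, 0, NULL };
    char *buf = make_filler(n);
    if (buf == NULL) { *truncated = -1; return s; }
    init_ansi_string_like_ntdll(&s, buf);
    *truncated = length_is_truncated(&s);
    free(buf);
    s.Buffer = NULL;
    return s;
}

uint16_t reported_length_for(size_t n)  { int t; return measure_filler(n, &t).Length; }
uint16_t reported_maximum_for(size_t n) { int t; return measure_filler(n, &t).MaximumLength; }
int      filler_is_truncated(size_t n)  { int t; measure_filler(n, &t); return t; }

int main(void)
{
    const size_t sizes[] = { 30000, 65535, 65536, 70000 };
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        char *buf = make_filler(sizes[i]);
        if (buf == NULL)
            return 1;
        MY_ANSI_STRING s;
        init_ansi_string_like_ntdll(&s, buf);
        printf("actual %6zu  Length %5u  MaximumLength %5u  truncated %d  max<len %d\n",
               sizes[i], s.Length, s.MaximumLength,
               length_is_truncated(&s), maximum_below_length(&s));
        free(buf);
    }
    return 0;
}
```

Whether a descriptor with Length 4464 for a 70000-byte buffer, or MaximumLength 0 beside Length 65535, turns into a crash, a silent drop or a missing log line depends entirely on what the caller does with the fields afterwards; the thread does not establish which of those RMC's 65535-byte test hit, only that the counts and the real size diverge.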

