ISS X-Force response (fwd)

From: Dave Ahmad (daat_private)
Date: Mon Jun 17 2002 - 12:48:20 PDT


    ISS has requested that I forward this response to the list.
    
    ----------
    
    This vulnerability was originally detected while auditing the Apache 2.0 source
    tree.  Apache 2.0 uses the same function to determine the chunk size, and
    has the same vulnerable signed comparison.  It is, however, not vulnerable
    (by luck?) due to a signed comparison deep within the buffered reading
    routines (within core_input_filter).
    
    This issue is no more exploitable or unexploitable on a 32-bit platform than
    on a 64-bit platform.  Due to the signed comparison, the minimum size passed
    to the memcpy() function is 0x80000000 or about 2gb.  Unless Apache has over
    2gb of contiguous stack memory located after the target buffer in memory, a
    segmentation fault will be caused.  If you understand how the stack is used,
    you will understand that this is an impossibility.
    
    Apache on "Win32" is not exploitable due to any "64-bit" addressing issues.
    It is easily exploitable due to the nature of structured exception handling
    on Windows and the fact that exception handler pointers are stored on the
    stack.
    
    If the DoS vulnerability is related to the overflow then the ISS patch will
    work to prevent it.  The unsigned comparison prevents any stack overflow and
    as a result any related DoS issue is prevented.  If the DoS issue is
    unrelated, then of course the ISS patch will not be of any help.
    
    ISS X-Force
    
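The signed-versus-unsigned comparison that the ISS response describes, shown as an added C illustration. This is not Apache's code and not part of the original message: the buffer size, the function names and the `parse_chunk_size` helper are hypothetical, and the code models a 32-bit build by holding the chunk size in `int32_t`/`uint32_t`. Rather than performing the overlong copy, each function returns the byte count that would reach `memcpy()` (0 when the length check rejects the chunk), so the effect of a negative chunk size can be observed safely.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical size of the stack buffer the chunk is copied into. */
#define BUF_SIZE 8192u

/* Parse the hex chunk-size field of a chunked request body into the raw
 * 32-bit value a 32-bit build would hold.  Returns 0 on success, -1 if the
 * field contains no hex digits.  (Added helper, not Apache's parser.) */
static int parse_chunk_size(const char *field, uint32_t *out)
{
    char *end = NULL;
    unsigned long v = strtoul(field, &end, 16);
    if (end == field) {
        return -1;
    }
    *out = (uint32_t)v;
    return 0;
}

/* Vulnerable shape: the chunk size is compared as a signed number.
 * Any value with the top bit set (0x80000000 and above) becomes negative,
 * compares as "smaller than the buffer", and is then handed to memcpy(),
 * whose size_t parameter turns it back into a huge unsigned count.
 * Returns the count memcpy() would receive, or 0 if the check rejects it. */
size_t bytes_copied_signed_check(const char *field)
{
    uint32_t raw;
    if (parse_chunk_size(field, &raw) != 0) {
        return 0;
    }
    int32_t len = (int32_t)raw;            /* two's-complement reinterpretation */
    if (len < (int32_t)BUF_SIZE) {         /* negative len always passes */
        /* size_t is 32 bits on the modelled target: -16 becomes 0xFFFFFFF0 */
        return (size_t)(uint32_t)len;
    }
    return 0;                              /* genuinely too large: rejected */
}

/* Hardened shape: the same check done on the unsigned value, as the response
 * says the ISS patch does.  A chunk size of 0x80000000 or more is simply
 * larger than the buffer and is rejected; nothing oversized reaches memcpy(). */
size_t bytes_copied_unsigned_check(const char *field)
{
    uint32_t raw;
    if (parse_chunk_size(field, &raw) != 0) {
        return 0;
    }
    if (raw < BUF_SIZE) {
        return (size_t)raw;
    }
    return 0;
}

int main(void)
{
    /* Constructed chunk-size fields: a benign one, the smallest value that
     * flips the sign bit, and a value equivalent to -16. */
    const char *fields[] = { "10", "80000000", "FFFFFFF0" };
    for (size_t i = 0; i < sizeof fields / sizeof fields[0]; i++) {
        printf("chunk size %-9s signed check -> %#zx bytes, unsigned check -> %#zx bytes\n",
               fields[i],
               bytes_copied_signed_check(fields[i]),
               bytes_copied_unsigned_check(fields[i]));
    }
    return 0;
}
```

The `0x80000000` case reproduces the response's "minimum size passed to memcpy()": it is the least negative 32-bit value, so every chunk size that slips past the signed check asks for at least 2 GB, which is why a segmentation fault follows on a target without Windows-style exception handler pointers on the stack.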



    This archive was generated by hypermail 2b30 : Mon Jun 17 2002 - 17:45:15 PDT