Hum. Anyway, I think that "something" could appear in the logs, but nothing gets logged. Forgive me for my lack of programming skills (maybe the following question simply does not apply), but can this kind of behaviour be used to hide a legitimate request? If so, someone could access HTTP content inside an IIS without anything making it into the logs.

Romulo M. Cholewa
Home : http://www.rmc.eti.br
Forum: http://zeus.rmc.eti.br/forum
PGP Keys Available @ website.
"If a technology does not seem like magic, that's because it's not good enough."

]-----Original Message-----
]From: Anthony LaMantia [mailto:contact@bia-security.com]
]Sent: Friday, 6 December 2002 03:58
]To: dullienat_private
]Cc: Romulo M. Cholewa; Dan Hanson; at4r; vuln-devat_private
]Subject: Re: RES: IIS Vulnerability Content-Type overflow [DH-7XC4RA3]
]
]
]Well, I think that you should look at the headers of that "security
]alert"... then maybe you will get a clue that this is a joke.
]
]The sender's e-mail is:
]
]at4rat_private
]
]and the reply-to addr is
]at4rat_private
]
]
]-Anthony LaMantia
]http://www.bia-security.com
]
]
]dullienat_private wrote:
]
]> Hey all,
]>
]> RMC> Just tried it.
]> RMC> Got the 500 server error in the logs with a size of 30K. No
]> RMC> noticeable CPU increase, but got the "Not enough storage is
]> RMC> available to complete this operation." in the log. Also tried
]> RMC> 65535 and NO record found in logs whatsoever.
]>
]> I would expect several bugs similar to this all over the NT/2k/XP
]> operating system ... the system-internal RtlInitAnsiString stores the
]> length of the string as a 16-bit value (see disassembly), therefore
]> sending any string > 65535 into RtlInitAnsiString will make the
]> reported string size & the actual string size differ.
]>
]> .text:77F9194E RtlInitAnsiString proc near        ; CODE XREF: .text:77F83962p
]> .text:77F9194E                                    ; .text:77F86280p ...
]> .text:77F9194E
]> .text:77F9194E arg_0           = dword ptr  8    ; DestinationString (ANSI_STRING *)
]> .text:77F9194E arg_4           = dword ptr  0Ch  ; SourceString (char *)
]> .text:77F9194E
]> .text:77F9194E                 push    edi
]> .text:77F9194F                 mov     edi, [esp+arg_4]      ; edi = SourceString
]> .text:77F91953                 mov     edx, [esp+arg_0]      ; edx = DestinationString
]> .text:77F91957                 mov     dword ptr [edx], 0    ; Length = MaximumLength = 0
]> .text:77F9195D                 mov     [edx+4], edi          ; Buffer = SourceString
]> .text:77F91960                 or      edi, edi
]> .text:77F91962                 jz      short loc_77F91975    ; NULL source: lengths stay 0
]> .text:77F91964                 or      ecx, 0FFFFFFFFh       ; ecx = max scan count
]> .text:77F91967                 xor     eax, eax              ; look for the NUL byte
]> .text:77F91969                 repne scasb                   ; ecx -= bytes scanned (incl. NUL)
]> .text:77F9196B                 not     ecx                   ; ecx = strlen + 1, full 32 bits
]> .text:77F9196D                 mov     [edx+2], cx     <--- Here  ; MaximumLength = low 16 bits only
]> .text:77F91971                 dec     ecx                   ; ecx = strlen
]> .text:77F91972                 mov     [edx], cx       <--- Here  ; Length = low 16 bits only
]> .text:77F91975
]> .text:77F91975 loc_77F91975:                    ; CODE XREF: RtlInitAnsiString+14j
]> .text:77F91975                 pop     edi
]> .text:77F91976                 retn    8
]>
]>
]> Cheers,
]> dullienat_private
]>
]
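The truncation dullien describes in the quoted message, reproduced as an added example that is not part of the thread and not ntdll's code: a portable C re-implementation of the same steps the disassembly shows (32-bit count of the bytes up to the NUL, then two 16-bit stores into an ANSI_STRING-shaped struct), next to a checked variant (my own, not a Windows API) that refuses inputs the 16-bit fields cannot hold. The input buffers are constructed inside the program; the probe lengths are chosen to bracket 65535.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same layout as the struct the disassembly writes to:
 * [edx] = Length, [edx+2] = MaximumLength, [edx+4] = Buffer. */
typedef struct {
    uint16_t Length;        /* bytes in use, excluding the NUL */
    uint16_t MaximumLength; /* bytes in the buffer, including the NUL */
    char    *Buffer;
} ANSI_STRING;

/* Re-implementation (for this example) of what the quoted RtlInitAnsiString
 * does: count with a 32-bit register, store through 16-bit moves. */
void init_ansi_string_truncating(ANSI_STRING *dst, const char *src)
{
    dst->Length = 0;                 /* mov dword ptr [edx], 0 */
    dst->MaximumLength = 0;
    dst->Buffer = (char *)src;       /* mov [edx+4], edi */
    if (src == NULL)                 /* or edi, edi / jz */
        return;
    uint32_t n = (uint32_t)(strlen(src) + 1);  /* repne scasb; not ecx */
    dst->MaximumLength = (uint16_t)n;          /* mov [edx+2], cx: bits 16..31 dropped */
    dst->Length = (uint16_t)(n - 1);           /* dec ecx; mov [edx], cx: bits 16..31 dropped */
}

/* Checked variant (hypothetical, for contrast): fail instead of producing a
 * Length that no longer matches the buffer. Returns 0 on success, -1 if the
 * string does not fit the 16-bit fields. */
int init_ansi_string_checked(ANSI_STRING *dst, const char *src)
{
    dst->Length = 0;
    dst->MaximumLength = 0;
    dst->Buffer = (char *)src;
    if (src == NULL)
        return 0;
    size_t n = strlen(src);
    if (n > 0xFFFEu)                 /* n + 1 (the NUL) must still fit in 16 bits */
        return -1;
    dst->Length = (uint16_t)n;
    dst->MaximumLength = (uint16_t)(n + 1);
    return 0;
}

/* Constructed input: `len` bytes of 'A' followed by a NUL. */
static char *make_buffer(size_t len)
{
    char *buf = malloc(len + 1);
    if (buf == NULL) { perror("malloc"); exit(1); }
    memset(buf, 'A', len);
    buf[len] = '\0';
    return buf;
}

/* What the truncating initialiser reports as Length for an actual length `len`. */
uint16_t reported_length(size_t len)
{
    char *buf = make_buffer(len);
    ANSI_STRING s;
    init_ansi_string_truncating(&s, buf);
    free(buf);
    return s.Length;
}

/* What it reports as MaximumLength for the same input. */
uint16_t reported_max_length(size_t len)
{
    char *buf = make_buffer(len);
    ANSI_STRING s;
    init_ansi_string_truncating(&s, buf);
    free(buf);
    return s.MaximumLength;
}

/* Return code of the checked initialiser for an actual length `len`. */
int checked_init_result(size_t len)
{
    char *buf = make_buffer(len);
    ANSI_STRING s;
    int rc = init_ansi_string_checked(&s, buf);
    free(buf);
    return rc;
}

int main(void)
{
    const size_t probes[] = { 100, 65534, 65535, 65536, 70000 };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        size_t len = probes[i];
        printf("actual %6zu  Length %5u  MaximumLength %5u  checked rc %d\n",
               len, (unsigned)reported_length(len),
               (unsigned)reported_max_length(len), checked_init_result(len));
    }
    return 0;
}
```

Running it shows the two fields going out of step at different points: at 65535 bytes Length still reads 65535 but MaximumLength has already wrapped to 0, and from 65536 on both fields are the actual length modulo 65536. Any consumer that trusts Length or MaximumLength to size a copy or a log record is therefore working with a number unrelated to the buffer it was handed.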
This archive was generated by hypermail 2b30 : Fri Dec 06 2002 - 11:51:10 PST