
Re: RES: IIS Vulnerability Content-Type overflow [DH-7XC4RA3]

From: <dullien(at)gmx.de>
Date: Thu Dec 05 2002 - 03:27:29 EST

Hey all,

RMC> Just tried it.
RMC> Got the 500 server error in the logs with a size of 30K. No noticeable CPU increase, but got the "Not enough storage is available to complete this operation." in the log.
RMC> Also tried 65535 and NO record found in logs whatsoever.

I would expect several bugs similar to this all over the NT/2k/XP operating system ... the system-internal RtlInitAnsiString stores the length of the string as a 16-bit value (see disassembly); therefore, sending any string > 65535 into RtlInitAnsiString will make the reported string size & the actual string size differ.

.text:77F9194E RtlInitAnsiString proc near ; CODE XREF: .text:77F83962p
.text:77F9194E ; .text:77F86280p ...
.text:77F9194E
.text:77F9194E arg_0 = dword ptr 8
.text:77F9194E arg_4 = dword ptr 0Ch
.text:77F9194E
.text:77F9194E push edi
.text:77F9194F mov edi, [esp+arg_4]
.text:77F91953 mov edx, [esp+arg_0]
.text:77F91957 mov dword ptr [edx], 0
.text:77F9195D mov [edx+4], edi
.text:77F91960 or edi, edi
.text:77F91962 jz short loc_77F91975
.text:77F91964 or ecx, 0FFFFFFFFh
.text:77F91967 xor eax, eax
.text:77F91969 repne scasb
.text:77F9196B not ecx
.text:77F9196D mov [edx+2], cx <--- Here
.text:77F91971 dec ecx
.text:77F91972 mov [edx], cx <--- Here
.text:77F91975
.text:77F91975 loc_77F91975: ; CODE XREF: RtlInitAnsiString+14j
.text:77F91975 pop edi
.text:77F91976 retn 8

Cheers,
dullien@gmx.de

Received on Thu Dec 5 14:54:48 2002
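The 16-bit truncation the listing shows, reproduced in plain C as an added example (not code from the mail or from Windows): init_ansi_string_truncating mirrors the stores at [edx] and [edx+2], init_ansi_string_checked is a hypothetical guard that refuses over-long input instead of truncating it, and probe() drives both with a constructed buffer.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* NT ANSI_STRING as the listing writes it: [edx]=Length, [edx+2]=MaximumLength
   (both 16-bit), [edx+4]=Buffer. */
typedef struct {
    uint16_t Length;        /* bytes, excluding the terminating NUL */
    uint16_t MaximumLength; /* bytes, including the terminating NUL */
    char    *Buffer;
} ansi_string_t;

/* Constructed mirror of the disassembly (not Windows code): the count from
   repne scasb is stored with 16-bit moves, so bits 16 and up are dropped and
   the header no longer describes the buffer it points to. */
static void init_ansi_string_truncating(ansi_string_t *dst, char *src)
{
    dst->Length = dst->MaximumLength = 0;   /* mov dword ptr [edx], 0 */
    dst->Buffer = src;                      /* mov [edx+4], edi */
    if (src == NULL)
        return;
    size_t n = strlen(src);                 /* full count, as ecx holds it */
    dst->MaximumLength = (uint16_t)(n + 1); /* low 16 bits only */
    dst->Length        = (uint16_t)n;       /* low 16 bits only */
}

/* Hypothetical defensive variant: refuse input that does not fit the 16-bit
   field rather than truncating it. Returns 1 on success, 0 if too long. */
static int init_ansi_string_checked(ansi_string_t *dst, char *src)
{
    size_t n = src ? strlen(src) : 0;
    if (n + 1 > UINT16_MAX)
        return 0;
    init_ansi_string_truncating(dst, src);  /* lossless below the limit */
    return 1;
}

/* Probe both versions with a constructed run of n 'A' bytes. Returns the
   Length the truncating version reports (e.g. n = 70000 -> 4464), or -1 when
   strict is set and the checked version refuses the input. */
static long probe(size_t n, int strict)
{
    char *buf = malloc(n + 1);
    memset(buf, 'A', n);
    buf[n] = '\0';
    ansi_string_t s;
    int ok = init_ansi_string_checked(&s, buf);
    init_ansi_string_truncating(&s, buf);
    free(buf);
    return (strict && !ok) ? -1 : (long)s.Length;
}
```

A 65536-byte string comes back with Length 0 and a 70000-byte one with Length 4464, which is exactly the header/buffer mismatch the mail describes; the checked variant rejects both.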

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:37 EDT

