[Full-Disclosure] upnphost null pointer fun

From: ned (nd_at_felinemenace.org)
Date: 11/08/04

  • Next message: Berend-Jan Wever: "[Full-Disclosure] Re: some js code"
    To: full-disclosure@lists.netsys.com
    Date: Sun, 7 Nov 2004 21:31:11 -0800 (PST)
    
    

    unlike my other recent posts, i will revealing bug information which is
    NOT exploitable. i hope. i think they're properly diagnosed. i think.

    in upnphost module which is the windows UPNP service (http://upnp.org)
    there is a couple of null pointer exceptions, i named them 'upnp1' and
    'upnp2' and POC code is availiable at http://felinemenace.org/~nd/upnp/

    a quick demo using dumbug (http://phenoelit.de):
    (cmdline 'python upnp1.py')
    Debugger [INFO] Access violation at 5AFDDF5C
    Tracer [WARNING] AccessViolation EIP = 5AFDDF5C while reading from 00000002
    Tracer [WARNING] E_AccessViolation: Offending access not in mapped memory?
    (cmdline 'python upnp2.py')
    Debugger [INFO] Access violation at 5AFD7FEC
    Tracer [WARNING] AccessViolation EIP = 5AFD7FEC while reading from 00000000
    Tracer [WARNING] E_AccessViolation: Offending access not in mapped memory?

    completely useless of course, does not even stop the UPNP service or lock
    up svchost. dumbug is pretty cool though when screeshots just wont do!
    - nd

    -- 
    http://felinemenace.org/~nd
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
    

  • Next message: Berend-Jan Wever: "[Full-Disclosure] Re: some js code"

    Relevant Pages

    • First-chance exception
      ... I compile one program with no warning and error, ... but it stops when running with one message "First-chance exception in xxx.exe: 0xC0000005 Access Violation". ...
      (microsoft.public.windowsce.embedded.vb)
    • Re: LNK4248 and access violation using C++/CLR
      ... Attempted to read or write protected memory. ... This is often an indication that other memory is corrupt. ... So do you think the warning and error are linked? ... Ignore that about the access violation, I was trying to pass a NULL pointer!! ...
      (comp.soft-sys.matlab)
    • Access violation warning
      ... All day today my computer has been displaying this warning box intermittently. ... Access violation at address 3010DBDA in module 'Flash9f.ocx'. ... Philocophus ...
      (microsoft.public.windowsxp.help_and_support)
    • Re: Access Voilation
      ... You need to take this up with the provider of ... > Access Violation at address 32.. ... > Anyone know what this is in Win XP Pro - came as a pop up warning when on ...
      (microsoft.public.windowsxp.security_admin)