Re: [VulnWatch] CORE-2004-0802: IIS NNTP Service XPAT Command Vulnerabilities

• Previous message: CORE Security Technologies Advisories: "CORE-2004-0802: IIS NNTP Service XPAT Command Vulnerabilities"
• In reply to: CORE Security Technologies Advisories: "CORE-2004-0802: IIS NNTP Service XPAT Command Vulnerabilities"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date:         Tue, 12 Oct 2004 16:43:38 -0800
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

You missed the SEARCH IN <request> vector. I believe it calls the same heap alloc from STATXMEM.dll
I was having some issues with the string becoming unicoded, but just yesterday I got an ascii overwrite
(in the debugger only tho :/). Oh well looks like you snuffed the bug I was
working on in the process :). Obviously MS fixed this bug in the recent patch. Another thing to note,
when requesting ('s I noticed that an internal function was matching my ( with a ) since they were using
lstrcpy it totally smashed the heap structures when it became unicode'd. But they appeared to fix that as well.
-wire

On Tue, 12 Oct 2004 15:48:49 -0300
  CORE Security Technologies Advisories <advisories@coresecurity.com> wrote:
> Core Security Technologies Advisory
> http://www.coresecurity.com
>
> IIS NNTP Service XPAT Command Vulnerabilities
>
>
>

--
Visit Things From Another World for the best
comics, movies, toys, collectibles and more.
http://www.tfaw.com/?qt=wmf
--
NTBugtraq Editor's Note:
Want to reply to the person who sent this message? This list is configured such that just hitting reply is going to result in the message coming to the list, not to the individual who sent the message. This was done to help reduce the number of Out of Office messages posters received. So if you want to send a reply just to the poster, you'll have to copy their email address out of the message and place it in your TO: field.
--

• Previous message: CORE Security Technologies Advisories: "CORE-2004-0802: IIS NNTP Service XPAT Command Vulnerabilities"
• In reply to: CORE Security Technologies Advisories: "CORE-2004-0802: IIS NNTP Service XPAT Command Vulnerabilities"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: [VulnWatch] CORE-2004-0802: IIS NNTP Service XPAT Command Vulnerabilities ... You missed the SEARCH IN <request> vector. ... I believe it calls the same heap alloc from STATXMEM.dll ... Obviously MS fixed this bug in the recent patch. ... (Bugtraq) Re: [VulnWatch] CORE-2004-0802: IIS NNTP Service XPAT Command Vulnerabilities ... You missed the SEARCH IN <request> vector. ... I believe it calls the same heap alloc from STATXMEM.dll ... Obviously MS fixed this bug in the recent patch. ... (VulnWatch) Re: How to Run ASP natively in SQLServer7 ... > will not be re-inserted into Fogbugz. ... > 'Otherwise new request will be inserted. ... Insert one row of header data into the BUG table ... > 'within the BUG table everytime a new row is inserted. ... (microsoft.public.sqlserver.programming) Re: Cannot drag a link from Outlook Express to IE anymore ... I'm not aware of any *bug* that would prevent you from dragging a link ... Open your browser, insert ... > This is not an IE bug as your request for information on IE suggests. ... > email message to IR or to a folder in Windows Explorer. ... (microsoft.public.windows.inetexplorer.ie6_outlookexpress) Re: [patch] __block_write_full_page bug ... >> It seems that more than one request would be submitted for a given bh ... the bug is that end_buffer_async_write first does ... Or did you mean *how* is it being run twice? ... send the line "unsubscribe linux-kernel" in ... (Linux-Kernel)