Re: [VulnWatch] CORE-2004-0802: IIS NNTP Service XPAT Command Vulnerabilities

From: wirepair (wirepair_at_ROGUEMAIL.NET)
Date: 10/13/04

    Date:         Tue, 12 Oct 2004 16:43:38 -0800
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    You missed the SEARCH IN <request> vector. I believe it calls the same heap alloc from STATXMEM.dll.
    I was having some issues with the string becoming unicoded, but just yesterday I got an ASCII overwrite
    (in the debugger only though :/). Oh well, looks like you snuffed the bug I was
    working on in the process :). Obviously MS fixed this bug in the recent patch. Another thing to note:
    when requesting ('s I noticed that an internal function was matching my ( with a ) since they were using
    lstrcpy it totally smashed the heap structures when it became unicode'd. But they appeared to fix that as well.
    -wire

    On Tue, 12 Oct 2004 15:48:49 -0300
      CORE Security Technologies Advisories <advisories@coresecurity.com> wrote:
    > Core Security Technologies Advisory
    > http://www.coresecurity.com
    >
    > IIS NNTP Service XPAT Command Vulnerabilities
    >
    >
    >
