Re[2]: Windows 2000 and NT4 IIS .ASP Remote Buffer Overflow

From: dullien@gmx.de
Date: 04/12/02


Date: Fri, 12 Apr 2002 10:25:43 -0700
From: dullien@gmx.de
To: MadHat <madhat@unspecific.com>

Hey all,

M> I have not been able to reproduce these results. I have managed to lock
M> up IIS (IIS 5.0 with all patches pre Apr 1, 2002), but no popup messages
M> appear and no entries in the Application Log. I have also been able to get
M> the 100 Continue message (IIS 4.0 all patches pre Apr 1, 2002), but
M> still no popup or messages.

Rule of thumb: It locks up <==> Heap is corrupted <==> vulnerable

Cheers,
dullien@gmx.de

-- 
Mit freundlichen Grüssen
dullien@gmx.de                            mailto:dullien@gmx.de

