lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
From: davek_throwaway at hotmail.com (Dave Korn)
Subject: I've found the Allchin bug.

[Refs:
http://www.avet.com.pl/pipermail/bugdev/2002-August/000137.html
http://www.eweek.com/article2/0,3959,5264,00.asp
http://theregister.co.uk/content/archive/25194.html
]

  Nope.  You're wrong.  He wasn't referring to windows message queues, he 
was referring to MSMQ.  You'll find that MSMQ has GUID

    Interface UUID: 77df7a80-f298-11d0-8358-00a024c480a8
    Interface Ver: 1
    Interface Ver Minor: 0

and that opnums 6, 7 and 8 are quite clearly MQLocateBegin, MQLocateNext and 
MQLocateEnd.  Try passing an overly-long string as an MQRESTRICTION to the 
MQLocateBegin function, and you'll find a unicode heap overflow in mqsvc.exe 
that lets you overwrite an arbitrary address with an arbitrary long.

  You'll also find that this works in w2k sp2, and not in sp4; I haven't 
tested sp3 yet.  Looks like they quietly fixed it up without any great 
publicity.....

  If anyone needs further convincing, I'll tidy up and post my p-o-c code, 
but I think it's pretty clear from his words that he meant MSMQ and not the 
underlying win32 api.

         DaveK

--
moderator of 
alt.talk.rec.soc.biz.news.comp.humanities.meow.misc.moderated.meow
Burn your ID card!  http://www.optional-identity.org.uk/
Help support the campaign, copy this into your .sig!
Proud Member of the Exclusive "I have been plonked by Davee because he 
thinks I'm interesting" List Member #<insert number here>
Master of Many Meowing Minions.
Holder of the exhalted PF Chang's Crab Wonton Award for kook spankage above 
and beyond the call of hilarity.
PGP Key-ID: 0x0FB504D1 Fingerprint 04B7 2E8C 0245 680E  6484 C441 CEC7 D2BD
[This sig is probably too long for demon.local]

_________________________________________________________________
Tired of 56k? Get a FREE BT Broadband connection 
http://www.msn.co.uk/specials/btbroadband

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ