Message-ID: <4D6E5E64A5ADA343B08C402576F1361D03450CA6@MAIL.sfld.iocenter.net>
From: srudolph at iocenter.net (Steven Rudolph)
Subject: RE: I've found the Allchin bug.

Dave,
I know this may be a little aside from your post...
Where can one obtain the Interface UUID's for Microsoft products?

-----Original Message-----
From: Dave Korn [mailto:davek_throwaway@...mail.com] 
Sent: Monday, October 06, 2003 9:30 PM
To: vuln-dev@...urityfocus.com; full-disclosure@...ts.netsys.com
Cc: ivegotta@...bom.co.uk
Subject: I've found the Allchin bug.



[Refs: http://www.avet.com.pl/pipermail/bugdev/2002-August/000137.html
http://www.eweek.com/article2/0,3959,5264,00.asp
http://theregister.co.uk/content/archive/25194.html
]

  Nope.  You're wrong.  He wasn't referring to windows message queues, he
was referring to MSMQ.  You'll find that MSMQ has GUID

    Interface UUID: 77df7a80-f298-11d0-8358-00a024c480a8
    Interface Ver: 1
    Interface Ver Minor: 0

and that opnums 6, 7 and 8 are quite clearly MQLocateBegin, MQLocateNext and
MQLocateEnd.  Try passing an overly-long string as an MQRESTRICTION to the
MQLocateBegin function, and you'll find a unicode heap overflow in mqsvc.exe
that lets you overwrite an arbitrary address with an arbitrary long.

  You'll also find that this works in w2k sp2, and not in sp4; I haven't
tested sp3 yet.  Looks like they quietly fixed it up without any great
publicity.....

  If anyone needs further convincing, I'll tidy up and post my p-o-c code,
but I think it's pretty clear from his words that he meant MSMQ and not the
underlying win32 api.

         DaveK

--
moderator of 
alt.talk.rec.soc.biz.news.comp.humanities.meow.misc.moderated.meow
Burn your ID card!  http://www.optional-identity.org.uk/
Help support the campaign, copy this into your .sig!
Proud Member of the Exclusive "I have been plonked by Davee because he 
thinks I'm interesting" List Member #<insert number here> Master of Many
Meowing Minions. Holder of the exhalted PF Chang's Crab Wonton Award for
kook spankage above 
and beyond the call of hilarity.
PGP Key-ID: 0x0FB504D1 Fingerprint 04B7 2E8C 0245 680E  6484 C441 CEC7
D2BD [This sig is probably too long for demon.local]


