06.04.2004, 21:30   #6
holu
Veteran
 
Registered since: 23.02.2001
Age: 57
Posts: 293



Hi,

http://www.gwdg.de/samba/updates/win...P2_x86_DEU.exe

What does a buffer overflow vulnerability mean? OK .. it's technical, but here is a nice excerpt:


[Windows XP] ntdll.dll Buffer Overflow Vulnerability - Yet Another MS03-007

0. PRODUCTS
=============
'ntdll.dll' is a core operating system component that is included with the Windows NT series.

1. DESCRIPTION
================

A buffer overflow vulnerability exists in the function 'RtlGetFullPathName_U', which belongs to 'ntdll.dll' and is called from some APIs, etc.

This function uses a 16-bit integer (unsigned short) to handle the given string's length internally. It cannot get the given string's correct length if it is called with a string that has a size over 65536 bytes (exceeding the maximum of the 16-bit integer). This then causes an overflow of the given buffer.

As a result, if an attacker made some programs or services that are able to call 'RtlGetFullPathName_U' with a string that has a size over 65536 bytes, it is possible for him to execute arbitrary code or escalate his privileges.
____________________________________
Always Happy Landings

Holger Ludwig
German Lockheed L1011 Information Center
Mail : Webmaster@L-1011.de
Web : http://www.L1011.de

Lockheed L1011 TriStar! Everything else is junk!
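The 16-bit length narrowing that the quoted advisory describes, as an added example that is not part of the original post or the advisory and is not ntdll code. It is a simplified C model with hypothetical names (`short_str`, `make_unchecked`, `overrun_bytes`, `make_checked`, `copy_checked`) and a constructed 65540-byte input, showing the flawed narrowing beside a checked form; how the real function mis-sizes its buffer is assumed, not taken from the page.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model, NOT ntdll code: a string descriptor whose length
   field is only 16 bits wide, as the advisory describes. */
typedef struct {
    uint16_t len_bytes;      /* length as the 16-bit field records it */
    const char *data;
} short_str;

/* Flawed pattern: the real length is silently narrowed to 16 bits. */
static short_str make_unchecked(const char *s, size_t real_len) {
    short_str r = { (uint16_t)real_len, s };   /* 65540 is stored as 4 */
    return r;
}

/* Assumed failure mode: bytes that would land past a buffer sized from the
   16-bit value if real_len bytes were copied. Computed only, never copied. */
static size_t overrun_bytes(size_t real_len) {
    size_t believed = (uint16_t)real_len;
    return real_len - believed;
}

/* Hardened pattern: reject any length the field cannot represent. */
static int make_checked(short_str *out, const char *s, size_t real_len) {
    if (real_len > UINT16_MAX) return -1;
    out->len_bytes = (uint16_t)real_len;
    out->data = s;
    return 0;
}

/* Copy only when the destination has room for the data plus a NUL. */
static int copy_checked(char *dst, size_t dst_size, const short_str *src) {
    if (src->len_bytes >= dst_size) return -1;
    memcpy(dst, src->data, src->len_bytes);
    dst[src->len_bytes] = '\0';
    return 0;
}

int main(void) {
    static char big[65540];                    /* constructed oversized input */
    short_str s; char dst[16];
    memset(big, 'A', sizeof big);
    printf("stored length: %u\n", (unsigned)make_unchecked(big, sizeof big).len_bytes);
    printf("overrun: %zu\n", overrun_bytes(sizeof big));
    printf("checked oversized: %d\n", make_checked(&s, big, sizeof big));
    if (make_checked(&s, "C:\\temp", 7) == 0 && copy_checked(dst, sizeof dst, &s) == 0) puts(dst);
    return 0;
}
```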