Bugtraq mailing list archives

ISS X-Force response (fwd)


From: Dave Ahmad <da () securityfocus com>
Date: Mon, 17 Jun 2002 13:48:20 -0600 (MDT)


ISS has requested that I forward this response to the list.

----------

This vulnerability was originally detected auditing the Apache 2.0 source
tree.  Apache 2.0 uses the same function to determine the chunk size, and
has the same vulnerable signed comparison.  It is, however, not vulnerable
(by luck?) due to a signed comparison deep within the buffered reading
routines (within core_input_filter).

This issue is no more exploitable or unexploitable on a 32-bit platform than
on a 64-bit platform.  Due to the signed comparison, the minimum size passed
to the memcpy() function is 0x80000000 or about 2gb.  Unless Apache has over
2gb of contiguous stack memory located after the target buffer in memory, a
segmentation fault will be caused.  If you understand how the stack is used,
you will understand that this is an impossibility.

Apache on "Win32" is not exploitable due to any "64-bit" addressing issues.
It is easily exploitable due to the nature of structured exception handling
on Windows and the fact that exception handler pointers are stored on the
stack.

If the DoS vulnerability is related to the overflow then the ISS patch will
work to prevent it.  The unsigned comparison prevents any stack overflow and
as a result any related DoS issue is prevented.  If the DoS issue is
unrelated, then of course the ISS patch will not be of any help.

ISS X-Force
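As an added illustration of the signed-comparison defect and the unsigned fix the response describes, constructed for this archive page and not taken from Apache's source tree or the ISS patch: a toy chunk-size parser with the vulnerable signed check beside the hardened unsigned one, plus a stricter parser that refuses to let the value wrap. `BUFSIZE`, the function names and the all-ones input are assumptions.

```c
#include <ctype.h>
#include <string.h>

#define BUFSIZE 8192UL  /* assumed target buffer size, not Apache's */

static unsigned long hexval(int c)
{
    return (unsigned long)(isdigit(c) ? c - '0' : tolower(c) - 'a' + 10);
}

/* Legacy-style parse: accumulate hex digits and store the chunk size in a
 * signed long. Converting an out-of-range value to long is implementation-
 * defined; common compilers wrap it to a negative number, which is the
 * precondition for the bug the response describes. */
long parse_chunk_size_legacy(const char *line)
{
    unsigned long v = 0;
    for (; isxdigit((unsigned char)*line); line++)
        v = v * 16 + hexval((unsigned char)*line);
    return (long)v;
}

/* Vulnerable bounds check: signed comparison, so a negative size passes. */
int accept_chunk_signed(long len) { return len < (long)BUFSIZE; }

/* Hardened check, the shape of the unsigned comparison the response credits
 * to the ISS patch: a wrapped size is a huge unsigned value and is rejected. */
int accept_chunk_unsigned(long len) { return (unsigned long)len < BUFSIZE; }

/* Stricter parser: refuse more hex digits than the type can hold, so the
 * value cannot wrap at all. Returns 0 and sets *out on success, -1 otherwise. */
int parse_chunk_size_safe(const char *line, unsigned long *out)
{
    unsigned long v = 0;
    int digits = 0;
    for (; isxdigit((unsigned char)*line); line++, digits++) {
        if (digits >= (int)(2 * sizeof v))
            return -1;  /* one more digit would overflow the accumulator */
        v = v * 16 + hexval((unsigned char)*line);
    }
    if (digits == 0)
        return -1;      /* no chunk size present at all */
    *out = v;
    return 0;
}

/* Constructed input: a chunk-size line of 2*sizeof(long) 'f' digits (all bits
 * set), so the demonstration behaves the same with 32- and 64-bit longs. */
long parse_all_ones(void)
{
    char line[2 * sizeof(long) + 1];
    memset(line, 'f', sizeof line - 1);
    line[sizeof line - 1] = '\0';
    return parse_chunk_size_legacy(line);
}
```

With the legacy parser the all-ones line comes back as -1, which the signed check accepts and the unsigned check rejects; the stricter parser rejects it before any comparison happens.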


