code. This library mitigates against several issues independently
reported by Red Hat Security Response Team member Marc Schoenefeld
and Mozilla security researcher Christoph Diehl (CVE-2010-3768).
Security researcher wushi of team509 reported that when a XUL
tree had an HTML \<div\> element nested inside a \<treechildren\>
element then code attempting to display content in the XUL tree would
incorrectly treat the \<div\> element as a parent node to tree content
underneath it resulting in incorrect indexes being calculated for the
child content. These incorrect indexes were used in subsequent array
operations which resulted in writing data past the end of an allocated
------------------------
B] rows integer overflow
------------------------
There is an integer overflow in the handling of the rows.
The number of rows (first element of the second line in the file) is
multiplied by the size of the elements (8 for floats, 4 for strings
and so on) and the allocated memory gets overflowed when the elements
are copied one by one.
At the moment I have not seen ways to exploit this vulnerability to
execute code so I report it just as reference.
of previously freed memory which an attacker could use to crash a
victim's browser and run arbitrary code on the victim's computer
(CVE-2010-0175).
Security researcher regenrecht reported via TippingPoint's Zero Day
Initiative an error in the way <option> elements are inserted into
a XUL tree <optgroup>. In certain cases, the number of references
to an <option> element is under-counted so that when the element is
deleted, a live pointer to its old location is kept around and may
later be used. An attacker could potentially use these conditions to
run arbitrary code on a victim's computer (CVE-2010-0176).
vulnerable installations of Apple Safari. User interaction is required
to exploit this vulnerability in that the target must visit a malicious
page.
The specific flaw exists in the garbage collection of JavaScript
document elements in WebCore. When a CSSStyleSheet object of a style
element is copied, and the style element is deallocated, a reference to
the ownerNode property of the copied CSSStyleSheet object will result in
a heap corruption allowing for the execution of arbitrary code.
-- Vendor Response:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Microsoft Internet Explorer. User
interaction is required to exploit this vulnerability in that the target
must visit a malicious page.
The specific flaw exists when specific elements are used within a table
container. If one of these elements is removed the application will
unlink the element from the layout tree incorrectly. When this tree is
later traversed, the application will reuse the object that has been
freed which can lead to code execution under the context of the current
user.
The MBM Jumptable is an LListL of offsets in which each offset points to
a Paint Data Section. An LListL is basically a list where, as can be
deduced from [4], the first letter ("L") represents the encoding of the
list size indicator and the last letter ("L") represents the size of
each element of the list. In this case, we have a list of LONGs and the
size of this list is encoded as a LONG. So in our case, we have the
following:
/-----
37000010 // Header Section Layout
information disclosure.
CVE-2008-0419
David Bloom discovered a race condition in the image handling of
designMode elements, which can lead to information disclosure or
potentially the execution of arbitrary code.
CVE-2008-0591
Michal Zalewski discovered that timers protecting security-sensitive
ZDI-09-047: Microsoft Internet Explorer getElementsByTagName Memory
Corruption Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-09-047
August 5, 2009
-- CVE ID:
CVE-2009-1918
-- Affected Vendors:
Microsoft
vulnerable installations of Mozilla Firefox. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.
The specific flaw exists within the implementation of a particular
element within the XUL namespace. Due to a method for the element having
the side effect of executing JavaScript, an attacker can provide their
own JavaScript code which can be used to remove an object out from
underneath the element's child hierarchy. This can force the application
to make an invalid reference when traversing its internal objects, thus
using an illegitimate pointer. This can be leveraged by an attacker to
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Apple Safari's Webkit. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.
The specific flaw exists within the library's support of an element
containing the run-in property. When a block box is appended as the
sibling of a run-in box, the run-in box will be promoted to the first
inline box. This implies that the first inline box will be destroyed.
Later when the application attempts to destroy this element, it will
access memory that has been freed. If an attacker can substitute an
vulnerable installations of Apple Safari's Webkit. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.
The specific flaw exists within the library's implementation of the
first-letter style in the context of an SVG text element. Upon applying
the style to this element, the library will calculate the height for
determining the overflow for an inline box. While traversing the
elements for the height, the library will utilize data from a
non-existent linebox. Successful exploitation will lead to code
execution under the context of the application.
> this prompt (perfectly reasonable, protocol handlers are intended to be safe),
> it's not a particularly exciting attack.
>
> I've found a way to avoid the prompt in a default Windows XP installation in all
> major browsers. The solution is to invoke the protocol handler from within an
> <iframe> in an ASX HtmlView element. There are probably other ways.
>
> http://en.wikipedia.org/wiki/Advanced_Stream_Redirector
>
> The version of Windows Media Player that is available by default in Windows XP
> is WMP9, which installs an NPAPI and ActiveX plugin to render windows media
ZDI-10-097: Apple Webkit ContentEditable moveParagraphs Uninitialized Element Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-097
June 8, 2010
-- CVE ID:
CVE-2010-1398
-- Affected Vendors:
Apple
When an active and a standby Cisco ONS 15310-MA, ONS 15310-CL, ONS
15327, ONS 15454 or ONS 15454 SDH control card reloads at the same
time, the synchronous data channels traversing the switch drop
traffic until the card comes back online. Asynchronous data channels
traversing the switch are not impacted. Manageability functions
provided by the network element using the CTX, CTX2500, XTC or TCC/
TCC+/TCC2/TCC2P control cards are not available until the control
card comes back online.
On the Cisco ONS 15600 hardware, whenever both the active and standby
control cards are rebooting at the same time, there is no impact to
vulnerable installations of Apple Safari's Webkit. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.
The specific flaw exists within the library's support for mouse events
on a particular element. If a mouse event is dispatched to an element
when one of its attributes is undefined, the library will dereference a
memory pointer pointing to arbitrary data. Usage of this element can
then lead to code execution under the context of the application.
-- Vendor Response:
- it uses memcpy to copy the data from the packet into a stack buffer
of exactly 0x2b8 bytes (handled as 0x2b9 bytes)
- later this data is handled as a string but no final NULL byte
delimiter is inserted
- there is also an off-by-one bug since one byte overwrites the lower
8-bit value of a saved element (a stack pointer 017bff??)
- after this buffer are located some pushed elements and obviously the
return address of the function
- it calls the OemToChar API that changes some bytes of the buffer
(like those greater than 0x7f) until it reaches a 0x00 that "luckily" is
after the return address
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Microsoft Internet Explorer. User
interaction is required to exploit this vulnerability in that the target
must visit a malicious page.
The specific flaw exists when a Col element is used within an HTML table
container. If this element is removed while the table is in use, a cache
of the table's cells will be used after one of its elements has been
invalidated. This can lead to code execution under the context of the
currently logged-in user.
* The access scope of FileReference.browse() and
FileReference.download() allows ActionScript programs to execute the
methods without user interaction (CVE-2008-4401).
* The Settings Manager controls can be disguised as normal graphical
elements. This so-called "clickjacking" vulnerability was disclosed
by Robert Hansen of SecTheory, Jeremiah Grossman of WhiteHat
Security, Eduardo Vela, Matthew Mastracci of DotSpots, and Liu Die Yu
of TopsecTianRongXin (CVE-2008-4503).
* Matthew Dempsky reported a null-pointer dereference flaw when
The majority of the issues discovered lead to an out-of-bounds read,
often caught by the operating system and converted into an error. For
example, in the affected versions of Flash player the following Action
Record (ActionScript 2.0) types failed to verify the size of member
elements (DefineConstantPool, ActionJump, ActionPush, ActionTry), as
well as several other Action Record types. These boundary issues become
apparent when Flash movies (.swf files consisting of a series of Action
Records or "tags") contain data with values for offsets which point to
regions beyond the end of the Flash file's memory.
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Microsoft Internet Explorer. User
interaction is required to exploit this vulnerability in that the target
must visit a malicious page or open a malicious file.
The flaw exists within the handling of VML element positioning. When
appending a VML element to a textArea element a reference to a
cDispScroller object can be improperly freed. The object can be
reused, and due to this object being freed, a later allocation can be
located in this memory region. A remote attacker can exploit this
vulnerability to execute arbitrary code under the context of the process.
vulnerable installations of Apple Safari's Webkit. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.
The specific flaw exists within the application's support of the run-in
display property. On insertion of a specific element with the "run-in"
display property, the application will create a duplicate reference of a
child element used to support that attribute. Upon destruction of the
parent container, the application will then call the destructor for this
child element multiple times. Successful exploitation can lead to code
execution under the context of the application.
On Tue, 21 Jul 2009, Thierry Zoller wrote:
> Yeah, security is too complex. Dude, the fix was to LIMIT the the
> number of elements. This is not rocket science.
I believe Michal and I are having the conversation in a larger context.
What you found is valid on its own merit and got addressed, which is
great. But now think of the whole ECMAScript API and there are probably
dozens or hundreds of such functions that would expose similar issues.