null pointer
Wireshark 1.4.0 Malformed SNMP V1 Packet Denial of Service
------------------------------------------------------------------
I. Summary
A flaw has been identified in Wireshark 1.4.0 concerning the ASN.1/BER dissector that will cause a denial of service (stack overflow and null pointer dereference in exception handling code).
------------------------------------------------------------------
II. Description
Wireshark makes use of protocol dissectors to parse packet data and organize its contents into a meaningful representation. Upon encountering an SNMP v1 packet, the ASN.1/BER dissector, as implemented in $SRC_ROOT/epan/dissectors/packet-ber.c, will be invoked to process the BER-encoded content, i.e. the variable bindings in the SNMP PDU. If this field is filled with an extremely long string, e.g. a sequence of 14000 'A's, a recursive call in the function dissect_unknown_ber() consumes too much stack space, causing a stack overflow in most configurations and later a null pointer dereference in the exception handling code.
It's funny to me that this should get special attention over any of
the several dozen local DoS vulnerabilities that have been made public
this year, starting with:
CVE-2010-2954: NULL pointer dereference in IRDA
CVE-2010-2960: NULL pointer dereference in keyctl
CVE-2010-3066: NULL pointer dereference in io_submit_one()
CVE-2010-3080: double free in oss
CVE-2010-3086: kernel panic in futex handling
CVE-2010-3442: non-exploitable heap corruption in sound/core
[ PHP 5.3.5 grapheme_extract() NULL Pointer Dereference ]
Author: Maksymilian Arciemowicz
http://securityreason.com/
http://cxib.net/
Date:
- Dis.: 09.12.2010
- Pub.: 17.02.2011
CVE: CVE-2011-0420
Linux Kernel 2.6.38 Remote NULL Pointer Dereference
====================================================
[Advisory Information]
Title: Linux kernel 2.6.38: Remote NULL pointer dereference
Release date: 11/05/2011
Last update: 11/05/2011
Credits:
Aristide Fattori, Università degli Studi di Milano (joystick@security.dico.unimi.it)
CVE-2011-1478
Ryan Sweat reported an issue in the Generic Receive Offload (GRO) support in
the Linux networking subsystem. If an interface has GRO enabled and is
running in promiscuous mode, remote users can cause a denial of service
(NULL pointer dereference) by sending packets on an unknown VLAN.
CVE-2011-1493
Dan Rosenberg reported two issues in the Linux implementation of the Amateur
Radio X.25 PLP (Rose) protocol. A remote user can cause a denial of service
execute arbitrary code via a crafted PDF file (CVE-2009-1179).
A free of invalid data flaw in the JBIG2 decoder allows remote
attackers to execute arbitrary code via a crafted PDF (CVE-2009-1180).
A NULL pointer dereference flaw in the JBIG2 decoder allows remote
attackers to cause denial of service (crash) via a crafted PDF file
(CVE-2009-1181).
Multiple buffer overflows in the JBIG2 MMR decoder allow remote
attackers to cause denial of service or to execute arbitrary code
http://support.automation.siemens.com/WW/llisapi.dll?func=cslib.csinfo&lang=en&siteid=cseus&aktprim=0&extranet=standard&viewreg=WW&objid=10805384&treeLang=en
Versions: <= 500.0.122.1
Platforms: Windows
Bugs: A] Service *_licensekey serialid code execution
B] Service exceptions
C] Service NULL pointer
D] almaxcx.dll files overwriting
Exploitation: remote
Date: 28 Nov 2011
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
Original link:
http://cxsecurity.com/research/103
[--- 1. Multiple NULL Pointer Dereference with zend_strndup() [CVE-2011-4153] ---]
As we can see in zend_strndup()
-zend_alloca.c---
ZEND_API char *zend_strndup(const char *s, uint length)
{
===========
Nikolaos Rangos discovered a vulnerability in ClamAV which exists
because the recipient address extracted from email messages is not
properly sanitized before being used in a call to "popen()" when
executing sendmail (CVE-2007-4560). Also, NULL-pointer dereference
errors exist within the "cli_scanrtf()" function in libclamav/rtf.c and
Stefanos Stamatis discovered a NULL-pointer dereference vulnerability
within the "cli_html_normalise()" function in libclamav/htmlnorm.c
(CVE-2007-4510).
ipddp modules are loaded but the ipddpN device is not found, allows
remote attackers to cause a denial of service (memory consumption)
via IP-DDP datagrams. (CVE-2009-2903)
Multiple race conditions in fs/pipe.c in the Linux kernel before
2.6.32-rc6 allow local users to cause a denial of service (NULL pointer
dereference and system crash) or gain privileges by attempting to
open an anonymous pipe via a /proc/*/fd/ pathname. (CVE-2009-3547)
The tcf_fill_node function in net/sched/cls_api.c in the netlink
subsystem in the Linux kernel 2.6.x before 2.6.32-rc5, and 2.4.37.6
The Splash::drawImage function in Splash.cc in Xpdf 2.x and 3.x
before 3.02pl4, and Poppler 0.x, as used in GPdf and kdegraphics KPDF,
does not properly allocate memory, which allows remote attackers to
cause a denial of service (application crash) or possibly execute
arbitrary code via a crafted PDF document that triggers a NULL pointer
dereference or a heap-based buffer overflow (CVE-2009-3604).
Integer overflow in the PSOutputDev::doImageL1Sep function in Xpdf
before 3.02pl4, and Poppler 0.x, as used in kdegraphics KPDF, might
allow remote attackers to execute arbitrary code via a crafted PDF
http://www.debian.org/security/ Steve Kemp
September 21, 2007 http://www.debian.org/security/faq
- ------------------------------------------------------------------------
Package : fetchmail
Vulnerability : null pointer dereference
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2007-4565
Matthias Andree discovered that fetchmail, an SSL enabled POP3, APOP
=============================================================================
FreeBSD-SA-09:14.devfs Security Advisory
The FreeBSD Project
Topic: Devfs / VFS NULL pointer race condition
Category: core
Module: kern
Announced: 2009-10-02
Credits: Przemyslaw Frasunek
CVE-2010-4242
Alan Cox reported an issue in the Bluetooth subsystem. Local users with
sufficient permission to access HCI UART devices can cause a denial of
service (NULL pointer dereference) due to a missing check for an existing
tty write operation.
CVE-2010-4243
Brad Spengler reported a denial-of-service issue in the kernel memory
Application: World in Conflict
http://www.worldinconflict.com
Versions: <= 1.008
Platforms: Windows
Bug: NULL pointer
Exploitation: remote, versus server
Date: 22 Jun 2008
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org
Some vulnerabilities were discovered and corrected in the Linux
2.6 kernel:
The compat_sys_mount function in fs/compat.c allowed local users
to cause a denial of service (NULL pointer dereference and oops)
by mounting a smbfs file system in compatibility mode (CVE-2006-7203).
The nf_conntrack function in netfilter did not set nfctinfo during
reassembly of fragmented packets, which left the default value as
IP_CT_ESTABLISHED and could allow remote attackers to bypass certain
is being loaded.
CVE-2009-2695
Eric Paris provided several fixes to increase the protection
provided by the mmap_min_addr tunable against NULL pointer
dereference vulnerabilities.
CVE-2009-3080
Dave Jones reported an issue in the gdth SCSI driver. A missing
and possibly have unspecified other impact via a DTLS packet, as
demonstrated by a packet from a server that uses a crafted server
certificate (CVE-2009-1379).
ssl/s3_pkt.c in OpenSSL before 0.9.8i allows remote attackers to
cause a denial of service (NULL pointer dereference and daemon crash)
via a DTLS ChangeCipherSpec packet that occurs before ClientHello
(CVE-2009-1386).
The dtls1_retrieve_buffered_fragment function in ssl/d1_both.c
in OpenSSL before 1.0.0 Beta 2 allows remote attackers to cause a
Application: Unreal Tournament III
http://www.unrealtournament3.com
Versions: <= 1.2 and 1.3beta4
Platforms: Windows (tested), Linux, PS3 and Xbox360
Bugs: A] memory corruption
B] NULL pointer
Exploitation: remote, versus server
Date: 30 Jul 2008
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org
http://www.debian.org/security/ Moritz Muehlenhoff
January 15, 2008 http://www.debian.org/security/faq
- ------------------------------------------------------------------------
Package : syslog-ng
Vulnerability : null pointer dereference
Problem type : local
Debian-specific: no
CVE Id(s) : CVE-2007-6437
Oriol Carreras discovered that syslog-ng, a next generation logging
Yahoo Messenger 9.0.0.2162
********************************************************************************
Vulnerability:
ActiveX Null Pointer - Denial of Service
********************************************************************************
Description:
Yahoo Messenger is prone to a denial-of-service vulnerability caused by a null pointer dereference.
Application: Remotely Anywhere Server and Workstation
http://www.remotelyanywhere.com
Versions: <= 8.0.668
Platforms: Windows
Bug: NULL pointer
Exploitation: remote
Date: 08 Mar 2008
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org
with corrupted permissions, possibly granting unintentional
privileges to other local users.
CVE-2009-3547
Earl Chew discovered a NULL pointer dereference issue in the
pipe_rdwr_open function which can be used by local users to gain
elevated privileges.
CVE-2009-3612
Title: Firefox 3.6.3 (latest) <= memory exhaustion crash vulnerabilities
0x01. Description:
Memory exhaustion in Firefox 3.6.3 (latest) <= means Firefox can't insert text into the body element, and then it crashes.
( raises an exception using PoC #1, a read access violation in a lower memory area using PoC #2 )
Of course, a variation of the PoC produced a NULL pointer dereference, so it may also allow code execution ( 0.1 % ). :-)
URL: http://www.x90c.org/advisories/firefox_3.6.3_crash_advisory.txt
Vendor Status: unpatched. ( up to now... no reliable exploit exists, so I disclosed to Bugtraq first )
.text:00010B12
.text:00010B12 loc_10B12: ; CODE XREF: sub_10ADE+2D_j
.text:00010B12 mov edi, [ebp+ClientId]
.text:00010B15 cmp edi, ebx ; Little check to avoid a Null Pointer
- -----------/
Here it gets the pointer to the 'ClientId' value, and if it is non zero
('!= 0') it does not care where it is pointing to.
other products allow remote attackers to execute arbitrary code via
a crafted PDF file. (CVE-2009-0800)
The ippReadIO function in cups/ipp.c in cupsd in CUPS before 1.3.10
does not properly initialize memory for IPP request packets, which
allows remote attackers to cause a denial of service (NULL pointer
dereference and daemon crash) via a scheduler request with two
consecutive IPP_TAG_UNSUPPORTED tags. (CVE-2009-0949)
Integer overflow in the JBIG2 decoder in Xpdf 3.02pl2 and earlier,
CUPS 1.3.9 and earlier, Poppler before 0.10.6, and other products
to execute arbitrary code via a crafted PDF file that triggers a free
of invalid data (CVE-2009-1180).
The JBIG2 decoder in Xpdf 3.02pl2 and earlier allows remote attackers
to cause a denial of service (crash) via a crafted PDF file that
triggers a NULL pointer dereference (CVE-2009-1181).
Multiple buffer overflows in the JBIG2 MMR decoder in Xpdf 3.02pl2
and earlier allow remote attackers to execute arbitrary code via a
crafted PDF file (CVE-2009-1182).
http://www.debian.org/security/ Nico Golde
May 20th, 2009 http://www.debian.org/security/faq
- --------------------------------------------------------------------------
Package : ipsec-tools
Vulnerability : null pointer dereference, memory leaks
Problem type : remote
Debian-specific: no
Debian bug : 527634 528933
CVE ID : CVE-2009-1574 CVE-2009-1632