*Vulnerability Description*
The Borland Interbase 2007 database server [1] is vulnerable to an
integer overflow when a malformed packet is sent to the default TCP port
3050. The integer overflow can cause a stack overflow, which allows
arbitrary code execution with system privileges.
*Vulnerable Packages*
Microsoft Windows NT #GP Trap Handler Allows Users to Switch Kernel Stack
-------------------------------------------------------------------------
CVE-2010-0232
In order to support BIOS service routines in legacy 16-bit applications, the
Windows NT Kernel supports the concept of BIOS calls in the Virtual-8086 mode
monitor code. These are implemented in two stages, the kernel transitions to
the second stage when the #GP trap handler (nt!KiTrap0D) detects that the
faulting cs:eip matches specific magic values.
http://office.microsoft.com/powerpoint
II. DESCRIPTION
Remote exploitation of multiple stack based buffer overflow
vulnerabilities in Microsoft Corp.'s PowerPoint could allow an attacker
to execute arbitrary code with the privileges of the current user.
The vulnerabilities exist within the importer for PowerPoint 95 format
files. This functionality is contained within the PP7X32.DLL.
ChemviewX ActiveX Control Multiple Stack Overflows
Versions affected: v1.9.5
+-----------+
|Description|
+-----------+
*Vulnerability Description*
The MPlayer package [1] is vulnerable to a buffer overflow attack, which
can be exploited by malicious remote attackers. The vulnerability is due
to MPlayer not properly sanitizing certain tags on a FLAC file before
using them to index an array on the stack. This can be exploited to
execute arbitrary commands by opening a specially crafted file.
The Xine package [2], and probably other packages based on MPlayer [3],
are vulnerable to this attack too.
Dear jplopezy@gmail.com,
Stack exhaustion and stack overflow are two names for the same thing.
A stack _buffer_ overflow, aka stack overrun, is a different thing.
--Thursday, January 29, 2009, 6:31:05 PM, you wrote to bugtraq@securityfocus.com:
jgc> According to MS, is stack exhaustion and not overflow.
two vulnerabilities exist within the RPCFN_ENG_NewManualScan and
RPCFN_ENG_TimedNewManualScan functions. These functions copy
user-supplied data into a fixed-size heap buffer without performing
proper bounds checking. The third problem exists within the
RPCFN_SetComputerName function. This function copies user-supplied data
into a fixed-size stack buffer using the MultiByteToWideChar() function
without correctly specifying the output buffer length.
Two stack-based buffer overflows exist within the Stcommon.dll library.
These problems specifically exist within the
RPCFN_CMON_SetSvcImpersonateUser and
Felipe,
The bug goes back all the way to 2.4.0. But please keep in mind that
this exploit was intended as a joke - it only allows you to read a
single byte of uninitialized kernel stack memory, out of a 64-byte
buffer. In addition, you're not even guaranteed to be reading
contiguous data if you request sequential bytes. Even considering the
fact that on x86, the memory will be read from the soft IRQ stack
instead of the current process kernel stack, I seriously doubt that
you could get anything useful out of a single byte that probably just
application. (CVE-2010-4346)
The sk_run_filter function does not check whether a certain memory
location has been initialized before executing a BPF_S_LD_MEM
or BPF_S_LDX_MEM instruction, which allows local users to obtain
potentially sensitive information from kernel stack memory via a
crafted socket filter. (CVE-2010-4158)
Heap-based buffer overflow in the bcm_connect function in the Broadcast
Manager in the Controller Area Network (CAN) on 64-bit platforms might
allow local users to cause a denial of service (memory corruption)
incorrectly parsed facilities. A remote attacker could exploit this to
crash the kernel, leading to a denial of service. (CVE-2010-3873)
Vasiliy Kulikov discovered that the Linux kernel X.25 implementation did
not correctly clear kernel memory. A local attacker could exploit this to
read kernel stack memory, leading to a loss of privacy. (CVE-2010-3875)
Vasiliy Kulikov discovered that the Linux kernel sockets implementation
did not properly initialize certain structures. A local attacker could
exploit this to read kernel stack memory, leading to a loss of privacy.
(CVE-2010-3876)
certain iovec buffers. A local attacker could exploit this to crash the
system or possibly execute arbitrary code as the root user. (CVE-2010-3865)
We use flayer to trace the malformed tiff image, and flayer gives the following suggestions:
==1812== Warning: client syscall shmdt tried to modify addresses 0xFFFFFFFF-0xFFFFFFFF
==1812== Warning: set address range perms: large range 325120064 (defined)
==1812== Stack overflow in thread 1: can't grow stack to 0xBE394FAC
==1812==
==1812== Process terminating with default action of signal 11 (SIGSEGV)
==1812== Access not within mapped region at address 0xBE394FAC
==1812== at 0x484D407: (within /usr/lib/libX11.so.6.3.0)
==1812== Stack overflow in thread 1: can't grow stack to 0xBE394FA8
Dear zgmzgm@mail.ustc.edu.cn,
This is a stack overflow (stack memory exhaustion), most probably because
of recursion. This is not a buffer overflow (stack overrun).
--Monday, March 21, 2011, 10:11:17 AM, you wrote to bugtraq@securityfocus.com:
zmuec> ==1812== Access not within mapped region at address 0xBE394FAC
zmuec> ==1812== at 0x484D407: (within /usr/lib/libX11.so.6.3.0)
zmuec> ==1812== Stack overflow in thread 1: can't grow stack to
SEC Consult Vulnerability Lab Security Advisory < 20110407-0 >
=======================================================================
title: Libmodplug ReadS3M Stack Overflow
product: Libmodplug library
vulnerable version: 0.8.8.1
fixed version: 0.8.8.2
impact: critical
homepage: http://modplug-xmms.sourceforge.net/
found: 2011-03-09
by: M. Lucinskij, P. Tumenas /
Oracle DataDirect Multiple Native Wire Protocol ODBC Drivers HOST Attribute Stack Based Buffer Overflow Vulnerability
tested against: Microsoft Windows 2k3 r2 sp2
Oracle Hyperion Performance Management and BI (v11.1.2.1.0)
download url of the Oracle Hyperion suite:
http://www.oracle.com/technetwork/middleware/epm/downloads/index.html
files tested:
SystemInstaller-11121-win32.zip
Adobe Photoshop CS5.1 U3D.8BI Library Collada Asset Elements Stack Based Buffer Overflow Vulnerability
download url of a test version:
http://www.adobe.com/cfusion/tdrc/index.cfm?product=photoshop
Note:
Found three weeks before the CS6 release.
I could not reproduce it against CS6, and cannot say if there is
a CVE for this; I think it is also possible they patched it silently.
.:: SUMMARY
Novell GroupWise Messenger Client (GWIM) Remote Stack Overflow
Version: 2.0. It is suspected that all previous versions of the GroupWise
Messenger Client are vulnerable.
3. Technical Description.
The problem lies in how the stack locations are traversed while trying
to complete an IRP. Let's see
lkd> dt nt!_IRP
2008/08/25 #2008-014 WordNet stack and heap overflows
Description:
The WordNet 3.0 Unix library and command-line interface suffer from a
number of stack overflows due to their handling of command line
arguments, environment variables and data read from user supplied
dictionaries.
The oCERT team was contacted by Moritz Muehlenhoff from the Debian
----------------------------------------------------------------------
IRM Security Advisory 024
Cisco IOS LPD Remote Stack Overflow
Vulnerability Type / Importance: Remote Code Execution / High
Problem Discovered: 30 July 2007
Vendor Contacted: 30 July 2007
Advisory Published: 10 October 2007
// cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
// kernel32!RaiseException+0x53:
// 7c7e2afb 5e pop esi
// --
//
// Call Stack:
// 00 0012aa28 7815c54b e06d7363 00000001 00000003 kernel32!RaiseException+0x53
// WARNING: Stack unwind information not available. Following frames may be wrong.
// 01 0012aa60 78164f33 0012aa70 781caa24 781ac11c MOZCRT19!CxxThrowException+0x46
// 02 0012aa78 100cd464 08c00060 0012b1a0 21500008 MOZCRT19!operator new+0x73
// 03 00000000 00000000 00000000 00000000 00000000 xul!gfxWindowsFontGroup::MakeTextRun+0x54
+-----------+
|Description|
+-----------+
Security-Assessment.com discovered that Coolpreviews
stack feature is vulnerable to Cross Site Scripting
injection. The Coolpreviews stack previews link
content within a Chrome window positioned on the right
side of the browser window. A malicious page is then
able to pass arbitrary browser code, such as
JavaScript, via a link that points to a data URI which
[*] Product : Audiotran
[*] Version : 1.4.1
[*] Vendor : E-Soft
[*] URL : http://www.e-soft.co.uk/Audiotran.htm
[*] Platform : Windows
[*] Type of vulnerability : Stack overflow
[*] Risk rating : Medium
[*] Issue fixed in version : not fixed
[*] Vulnerability discovered by : Sebastien Duquette
[*] Greetings to : corelanc0d3r, rick2600, mr_me & MarkoT from Corelan Team
Luxology LLC [3].
The function Swap4 in valet4.dll takes a length and an input buffer
and proceeds to reverse DWORDs in the input buffer for proper
endianness. In the case of the CHNL subchunk, passing an invalid length
to the Swap4 function would reverse every DWORD in the stack, both
reversing the SEH pointer near the bottom of the stack and causing an
exception.
An attacker can take full control of the machine where Luxology Modo
401 is installed by sending a specially crafted .LXO file and enticing
the user to open it.
emulator included in the SDK, which emulates phone running the Android
platform on an ARM microprocessor.
This advisory contains technical descriptions of these security bugs,
including a proof of concept exploit to run arbitrary code, proving the
possibility of running code on Android stack (over an ARM architecture)
via a binary exploit.
Microsoft Jet Engine MDB File Parsing Stack Overflow Vulnerability
by cocoruder(frankruder_at_hotmail.com)
http://ruder.cdut.net
Summary:
A remote code execution vulnerability exists in Microsoft Jet
Engine. A remote attacker who successfully exploits this vulnerability
http://www.ibm.com/systems/power/software/aix/index.html
II. DESCRIPTION
Remote exploitation of a stack based buffer overflow vulnerability in
IBM Corp.'s AIX could allow an attacker to execute arbitrary code with
the privileges of the affected service.
rpc.cmsd, more commonly known as the Calendar Manager Service Daemon, is
an RPC application used to manage schedules and calendars. It operates
If there's only one string associated with a gif file, the brackets can be skipped.
Also, the third part of the line isn't essential; it's just the name of an optional graphic
file in NETSCAPE GIF format.
During the process of copying data from the currently opened file (2nd and 3rd part of the
configuration line) to some local buffers, the program doesn't check the
strings' lengths, which can lead to overwriting the 500-byte buffers placed on the stack.
The vulnerable code that copies the name of the first gfx file is shown below:
.text:00443E37 loc_443E37: ; CODE XREF: HandleEmotsConfig+164j
.text:00443E37 cmp al, '"'
| CVE Name | CVE-2009-2726 |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Description | On certain implementations of libc, the scanf family of |
| | functions uses an unbounded amount of stack memory to |
| | repeatedly allocate string buffers prior to conversion |
| | to the target type. Coupled with Asterisk's allocation |
| | of thread stack sizes that are smaller than the default, |
| | an attacker may exhaust stack memory in the SIP stack |
| | network thread by presenting excessively long numeric |