Error Code
Hash: SHA1
Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs/
IBM SolidDB invalid error code vulnerability
1. *Advisory Information*
HP Openview NNM 7.53 Invalid DB Error Code vulnerability
192.168.1.5 hz.t-online.de - [22/Nov/2008:17:05:15 +0100] "GET /isapi/users.txt HTTP/1.1" 500 339
And here is the error log fragment:
[Fri Nov 21 16:53:17 2008 GMT] Server error log started
[Sat Nov 22 16:02:12 2008 GMT] ISAPI20: ISAPI DLL with path 'C:\Pi3Web\Isapi\users.txt' could not be loaded, error description is 'Win32 error code: 193'.
[Sat Nov 22 16:05:12 2008 GMT] ISAPI20: ISAPI DLL with path 'C:\Pi3Web\Isapi\users.txt' could not be loaded, error description is 'Win32 error code: 193'.
[Sat Nov 22 16:05:14 2008 GMT] ISAPI20: ISAPI DLL with path 'C:\Pi3Web\Isapi\users.txt' could not be loaded, error description is 'Win32 error code: 193'.
[Sat Nov 22 16:05:14 2008 GMT] ISAPI20: ISAPI DLL with path 'C:\Pi3Web\Isapi\users.txt' could not be loaded, error description is 'Win32 error code: 193'.
[Sat Nov 22 16:05:14 2008 GMT] ISAPI20: ISAPI DLL with path 'C:\Pi3Web\Isapi\users.txt' could not be loaded, error description is 'Win32 error code: 193'.
[Sat Nov 22 16:05:15 2008 GMT] ISAPI20: ISAPI DLL with path 'C:\Pi3Web\Isapi\users.txt' could not be loaded, error description is 'Win32 error code: 193'.
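The log above is enough to write a detection rule. Error 193 is ERROR_BAD_EXE_FORMAT, which LoadLibrary returns when the file it was handed is not a PE image: the server mapped the request for /isapi/users.txt onto its ISAPI DLL loader and tried to load a text file as a DLL. The following is an added example, not code from the post or from Pi3Web; the log lines it scans are constructed in the shape of the entries above (the first copies the real one, the other two are made up for contrast), and the parsing and extension checks are ours.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Win32 error 193, ERROR_BAD_EXE_FORMAT: LoadLibrary was handed a file that is
 * not a PE image. For an ISAPI loader that means a non-DLL file under the
 * ISAPI directory was requested and the server tried to execute it. */
#define ERROR_BAD_EXE_FORMAT 193

/* Constructed sample lines in the shape of the post's error log (the first
 * copies the real entry, the other two are made up for contrast). */
static const char *sample_log[] = {
    "[Sat Nov 22 16:02:12 2008 GMT] ISAPI20: ISAPI DLL with path "
    "'C:\\Pi3Web\\Isapi\\users.txt' could not be loaded, "
    "error description is 'Win32 error code: 193'.",
    "[Sat Nov 22 16:03:00 2008 GMT] ISAPI20: ISAPI DLL with path "
    "'C:\\Pi3Web\\Isapi\\legacy.dll' could not be loaded, "
    "error description is 'Win32 error code: 126'.",
    "[Sat Nov 22 16:03:05 2008 GMT] Server error log started",
};
static const size_t sample_log_len = sizeof sample_log / sizeof sample_log[0];

/* Pull the quoted path and the Win32 error code out of an ISAPI20 failure
 * line. Returns 1 on success, 0 if the line is not such an entry. */
int parse_isapi_failure(const char *line, char *path, size_t path_len, int *code)
{
    static const char path_tag[] = "ISAPI DLL with path '";
    static const char code_tag[] = "Win32 error code: ";
    const char *p = strstr(line, path_tag);
    if (!p) return 0;
    p += sizeof path_tag - 1;
    const char *end = strchr(p, '\'');
    if (!end || (size_t)(end - p) >= path_len) return 0;
    memcpy(path, p, (size_t)(end - p));
    path[end - p] = '\0';
    const char *c = strstr(end, code_tag);
    if (!c) return 0;
    *code = atoi(c + sizeof code_tag - 1);
    return 1;
}

/* Case-insensitive ".dll" extension check. */
static int has_dll_ext(const char *path)
{
    size_t n = strlen(path);
    if (n < 4) return 0;
    const char *e = path + n - 4;
    return e[0] == '.' && tolower((unsigned char)e[1]) == 'd' &&
           tolower((unsigned char)e[2]) == 'l' && tolower((unsigned char)e[3]) == 'l';
}

/* 1 if the line records a non-DLL file being passed to the DLL loader. */
int is_nondll_load_attempt(const char *line)
{
    char path[260];
    int code;
    if (!parse_isapi_failure(line, path, sizeof path, &code)) return 0;
    return code == ERROR_BAD_EXE_FORMAT && !has_dll_ext(path);
}

/* Scan a log, print each suspicious entry and return how many were found. */
int count_nondll_attempts(const char **lines, size_t n)
{
    int hits = 0;
    for (size_t i = 0; i < n; i++)
        if (is_nondll_load_attempt(lines[i])) {
            printf("suspicious ISAPI load: %s\n", lines[i]);
            hits++;
        }
    return hits;
}

int main(void)
{
    count_nondll_attempts(sample_log, sample_log_len);
    return 0;
}
```

The rule keys on the pair (error 193, non-.dll path) rather than on the file name, so it also catches the same handler being pointed at .txt, .ini or any other non-executable file the ISAPI directory happens to hold.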
when attempting to log in with a valid username / invalid password you seem to get:
"Error: bad credentials
Error Information
Error Code Description
34 authentication failure"
Version 1.5.1, anyone confirm? Has this been mentioned before?
(gdb) x/x $esp
0xdde15f08: 0x00000002
(gdb) x/t $esp
0xdde15f08: 00000000000000000000000000000010
Examining the condition code (error_code in the snippet below), you can see it
was caused by a data write (i.e. not an instruction fetch, the cs/eip push) in
supervisor mode to a non-present page. This is incorrect.
http://lxr.linux.no/linux+v2.6.24/arch/x86/mm/fault_32.c#L461
/* Fetch the object. */
FORMATTER_METHOD_FETCH_OBJECT;
length = unum_getSymbol(FORMATTER_OBJECT(nfo), symbol, value_buf,
length, &INTL_DATA_ERROR_CODE(nfo)); <================= !!!TO BIG INT HERE!!!
...
---
Will crash for different values, e.g. {2444492804, 2147483648,
2147483649, 2554462209} (when rdi is out of range, i.e. 2^31 to 2^32, under 64-bit Linux).
Multiple vulnerabilities have been found and corrected in openafs:
The cache manager in the client in OpenAFS 1.0 through 1.4.8 and
1.5.0 through 1.5.58 on Linux allows remote attackers to cause a
denial of service (system crash) via an RX response with a large
error-code value that is interpreted as a pointer and dereferenced,
related to use of the ERR_PTR macro (CVE-2009-1250).
Heap-based buffer overflow in the cache manager in the client in
OpenAFS 1.0 through 1.4.8 and 1.5.0 through 1.5.58 on Unix platforms
allows remote attackers to cause a denial of service (system crash)
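The ERR_PTR problem in CVE-2009-1250 is easy to reproduce in miniature. ERR_PTR() just casts the error number to a pointer, and IS_ERR() only recognises values in -MAX_ERRNO..-1 as errors; any other number taken from the wire comes back as something the caller will dereference. This is an added example, not OpenAFS code: the ERR_PTR/IS_ERR/PTR_ERR definitions follow include/linux/err.h, while afs_errcode_to_ptr_vuln and afs_errcode_to_ptr_hardened are hypothetical stand-ins for the cache manager's error path, not its real functions.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Linux semantics from include/linux/err.h: an error is a pointer whose
 * unsigned value lies in the top MAX_ERRNO bytes of the address space. */
#define MAX_ERRNO 4095
#define IS_ERR_VALUE(x) ((unsigned long)(x) >= (unsigned long)-MAX_ERRNO)

static void *ERR_PTR(long error) { return (void *)error; }
static long PTR_ERR(const void *ptr) { return (long)ptr; }
static int IS_ERR(const void *ptr) { return IS_ERR_VALUE(ptr); }

/* Vulnerable pattern (hypothetical stand-in for the cache manager's error
 * path, called when the RX peer reported a nonzero error code): the 32-bit
 * code goes straight into ERR_PTR. Only -4095..-1 survive IS_ERR; anything
 * else comes back looking like a real pointer. */
void *afs_errcode_to_ptr_vuln(int32_t wire_code)
{
    return ERR_PTR((long)wire_code);
}

/* Hardened: only a value in the kernel's errno range may become an ERR_PTR;
 * anything else from the network is treated as a protocol error. */
void *afs_errcode_to_ptr_hardened(int32_t wire_code)
{
    if (wire_code >= 0 || wire_code < -MAX_ERRNO)
        return ERR_PTR(-EPROTO);
    return ERR_PTR((long)wire_code);
}

/* The caller's view: kernel code that sees !IS_ERR() dereferences the
 * result. Returns 1 if this value would be used as a real pointer. */
int caller_would_deref(const void *p)
{
    return p != NULL && !IS_ERR(p);
}

int main(void)
{
    /* Constructed wire values: a normal errno, a large positive code, a
     * large negative code and INT32_MIN. */
    int32_t samples[] = { -ENOENT, 0x7fffffff, -100000, (int32_t)0x80000000 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        void *v = afs_errcode_to_ptr_vuln(samples[i]);
        void *h = afs_errcode_to_ptr_hardened(samples[i]);
        printf("code %11d: vuln deref=%d  hardened deref=%d err=%ld\n",
               (int)samples[i], caller_would_deref(v), caller_would_deref(h),
               IS_ERR(h) ? PTR_ERR(h) : 0L);
    }
    return 0;
}
```

Note that the large negative code is just as bad as the large positive one: -100000 lands below the -MAX_ERRNO window, so IS_ERR() does not catch it either, and the "pointer" is simply a high kernel address that happens not to be mapped.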
ISR_Entry_Point:
; For a long-mode (64-bit) ISR, RSP points to the following QWORDs:
;
; [<error code>]
; <return RIP> <return CS> <return RFLAGS>
; [<return RSP> <return SS>]
;
; The first act of typical ISR prologue code is to build a standard
; "trap frame" on the stack -- saving registers, etc.
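Taken together, the two fragments above (the 0x2 error code examined with x/x $esp, and the ISR frame layout) come down to a few bit tests on the pushed error code and the pushed CS selector. One caveat on the ISR comment: in long mode the CPU always pushes SS:RSP, whether or not a privilege change occurred, so the brackets only describe the 32-bit frame. The following is an added example, not code from either post: the struct and function names are ours, the PF_* values match the constants in the fault_32.c link above, and the frame filled in by main() is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* What the CPU pushes for a #PF in 64-bit mode, lowest address first, i.e.
 * what RSP points at on entry to the ISR. Unlike 32-bit mode, long mode
 * always pushes SS:RSP, even when no privilege change occurred. */
struct pf_frame64 {
    uint64_t error_code;
    uint64_t rip;
    uint64_t cs;
    uint64_t rflags;
    uint64_t rsp;
    uint64_t ss;
};

/* Page-fault error code bits (same values as the PF_* constants in the
 * 2.6.24 fault_32.c linked above). */
#define PF_PROT  (1u << 0) /* 0: page not present, 1: protection violation */
#define PF_WRITE (1u << 1) /* 0: read, 1: write */
#define PF_USER  (1u << 2) /* 0: supervisor-mode access, 1: user-mode access */
#define PF_RSVD  (1u << 3) /* reserved bit set in a paging-structure entry */
#define PF_INSTR (1u << 4) /* instruction fetch (only reported with NX) */

struct pf_info {
    int protection;  /* 1 = protection violation, 0 = page not present */
    int write;
    int user;
    int reserved;
    int instr;
};

struct pf_info decode_pf_error(uint64_t code)
{
    struct pf_info i;
    i.protection = !!(code & PF_PROT);
    i.write      = !!(code & PF_WRITE);
    i.user       = !!(code & PF_USER);
    i.reserved   = !!(code & PF_RSVD);
    i.instr      = !!(code & PF_INSTR);
    return i;
}

/* Human-readable summary; for 0x2 this yields
 * "write to not-present page, supervisor mode". */
const char *describe_pf(uint64_t code, char *buf, size_t len)
{
    struct pf_info i = decode_pf_error(code);
    snprintf(buf, len, "%s %s page, %s mode%s",
             i.instr ? "instruction fetch from" : (i.write ? "write to" : "read from"),
             i.protection ? "present" : "not-present",
             i.user ? "user" : "supervisor",
             i.reserved ? ", reserved bit set" : "");
    return buf;
}

/* The privilege the faulting code ran at comes from the pushed CS selector's
 * RPL (low two bits); it can differ from PF_USER, e.g. when kernel code
 * touches a user page on the user's behalf. */
int frame_from_user(const struct pf_frame64 *f)
{
    return (f->cs & 3) == 3;
}

int main(void)
{
    char buf[96];
    /* Constructed frame: the 0x2 error code from the gdb session above,
     * taken while executing kernel code (CS 0x10, RPL 0). */
    struct pf_frame64 f = { 0x2, 0xffffffff81000000ULL, 0x10, 0x246,
                            0xffff880000000000ULL, 0x18 };
    printf("error %#llx: %s (faulting code ran in %s mode)\n",
           (unsigned long long)f.error_code,
           describe_pf(f.error_code, buf, sizeof buf),
           frame_from_user(&f) ? "user" : "kernel");
    return 0;
}
```

Reading the gdb output with this decoder: 0x2 has only PF_WRITE set, so the page was not present, the access was a write, and it came from supervisor mode, which is the reading given in the text above.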
malicious code, thus causing the target user's browser to execute
it.
Software versions 5.3.333.0 and later of Cisco Unified MeetingPlace
Web Conferencing will return an XML message with an embedded error
code when receiving invalid input for the STPL and FTPL
parameters. The error message is properly and securely formatted
per the XML CDATA specification.
All 5.4 and 6.0 versions of Cisco Unified MeetingPlace Web
Conferencing are unaffected by this vulnerability.
available input large than the output buffer, but smaller than the
size required to hit an unmapped or read-only page of memory.
A semi-interesting note is that the value -1 will not work, since when
extracting this integer an API call mixes the return value and error code,
with -1 indicating that an error occurred. This check is done in conjunction
with another check and thus does not cause the routine to fail, but rather
causes PyArg_ParseTuple() to initialize the length variable with a value of 1.
Keep in mind that this group is the group that responds to emails like
the following:
"From: coolguy131@vacationhomes.xyz
You are akcount is ABOUT TO BE UPDATED respond with you'r
SOCIAL SECURITY AND LICENSE SCAN.
Error code 51535351535153515.5f."
Also, as this is a user attention issue,
targeting pages that are heavily animated or otherwise distracting may
help in the exploit.
translated by 'MultiByteToWideChar' to a string that includes the dot-dot
substring.
The fix to CVE-2007-1744 [6] consisted of setting the
'MB_ERR_INVALID_CHARS' flag on the function call, thus making it fail
(setting the error code to 'ERROR_NO_UNICODE_TRANSLATION') if invalid
UTF-8 input was provided.
However, since the inspection of input looking for the evil dot-dot
substring remained a step prior to its mapping to Unicode UTF-16, the basic
execution flow for a potential attack did not change. After the fix for
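What the advisory describes is an ordering bug: the dot-dot check runs on the raw bytes, and the conversion that follows can manufacture a '.' from an overlong sequence such as C0 AE that the raw check never saw. The following is an added example, not Core's or Microsoft's code: a small UTF-8 decoder of our own with a lenient mode (accepts overlong 2-byte forms, as permissive converters did) and a strict mode (rejects them, which is the behaviour MB_ERR_INVALID_CHARS requests), run over a constructed path in both check-then-convert and convert-then-check order.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Minimal UTF-8 decoder covering 1- and 2-byte sequences (enough for the
 * overlong-dot case); 3/4-byte and malformed sequences are rejected. In
 * lenient mode an overlong 2-byte form decodes to its ASCII value; in strict
 * mode it is an error. Returns the number of code points written, or -1. */
int decode_utf8(const unsigned char *in, size_t n, unsigned *out, size_t max, int strict)
{
    size_t i = 0, k = 0;
    while (i < n) {
        unsigned char b = in[i];
        if (k >= max) return -1;
        if (b < 0x80) { out[k++] = b; i++; continue; }
        if ((b & 0xE0) == 0xC0 && i + 1 < n && (in[i + 1] & 0xC0) == 0x80) {
            unsigned cp = ((unsigned)(b & 0x1F) << 6) | (in[i + 1] & 0x3Fu);
            if (strict && cp < 0x80) return -1;   /* overlong encoding */
            out[k++] = cp; i += 2; continue;
        }
        return -1;   /* truncated, 3/4-byte, or stray continuation byte */
    }
    return (int)k;
}

/* The pre-conversion check: look for ".." in the raw bytes. */
int raw_has_dotdot(const unsigned char *in, size_t n)
{
    for (size_t i = 0; i + 1 < n; i++)
        if (in[i] == '.' && in[i + 1] == '.') return 1;
    return 0;
}

/* The same check on decoded code points. */
int decoded_has_dotdot(const unsigned *cp, int k)
{
    for (int i = 0; i + 1 < k; i++)
        if (cp[i] == '.' && cp[i + 1] == '.') return 1;
    return 0;
}

/* Result: 0 = accepted as safe, 1 = traversal caught, -1 = rejected as
 * invalid encoding. check_before_decode=1 is the ordering the advisory
 * describes (inspect raw bytes, then convert); 0 converts first and then
 * inspects the result. */
int classify_path(const unsigned char *in, size_t n, int strict, int check_before_decode)
{
    unsigned cp[128];
    if (check_before_decode && raw_has_dotdot(in, n)) return 1;
    int k = decode_utf8(in, n, cp, sizeof cp / sizeof cp[0], strict);
    if (k < 0) return -1;
    if (!check_before_decode && decoded_has_dotdot(cp, k)) return 1;
    return 0;
}

/* Constructed samples: "/x/" + two overlong-encoded dots (C0 AE) + "/y",
 * and the same path with plain dots. */
static const unsigned char overlong_path[] = "/x/\xC0\xAE\xC0\xAE/y";
static const size_t overlong_path_len = sizeof overlong_path - 1;
static const unsigned char plain_path[] = "/x/../y";
static const size_t plain_path_len = sizeof plain_path - 1;

int main(void)
{
    printf("overlong, check then lenient decode : %d (0 = slipped through)\n",
           classify_path(overlong_path, overlong_path_len, 0, 1));
    printf("overlong, lenient decode then check : %d (1 = caught)\n",
           classify_path(overlong_path, overlong_path_len, 0, 0));
    printf("overlong, check then strict decode  : %d (-1 = rejected)\n",
           classify_path(overlong_path, overlong_path_len, 1, 1));
    printf("plain '..', check then strict decode: %d\n",
           classify_path(plain_path, plain_path_len, 1, 1));
    return 0;
}
```

The first call is the pre-fix situation: the raw check passes, the lenient conversion produces "..", and nothing looks at the result. The third call shows what the MB_ERR_INVALID_CHARS fix buys (the overlong bytes are rejected outright) while the check still sits before the conversion; the second call shows the other repair, checking the decoded string, which catches the traversal regardless of how strict the decoder is.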
NumberParameters: 1
Parameter[0]: 0000000000000000
DEFAULT_BUCKET_ID: STATUS_BREAKPOINT
ERROR_CODE: (NTSTATUS) 0x80000003 - {EXCEPTION} Breakpoint A breakpoint has been reached.
EXCEPTION_CODE: (HRESULT) 0x80000003 (2147483651) - One or more arguments are invalid
EXCEPTION_PARAMETER1: 0000000000000000
The register dump:
Abend 1 on P00: Server-5.70.08: Page Fault Processor Exception (Error
code 00000000)
Registers:
CS = 0008 DS = 0023 ES = 0023 FS = 0023 GS = 0023 SS = 0010
EAX = 00000238 EBX = 7E2F417E ECX = 55AA08D4 EDX = 00000001
ESI = 2F417E2F EDI = 429980C0 EBP = 417E2F41 ESP = A94A9FA4
EIP = 007E2F41 FLAGS = 00010282
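A first pass over a register dump like the one above is to decode each value as the bytes it occupies in memory: EBX, ESI, EBP and EIP are all built from the bytes 0x41, 0x2F and 0x7E ('A', '/', '~'), and a page fault with error code 00000000 (not-present, read, supervisor) at an EIP made of input bytes is consistent with an instruction fetch from an unmapped address after control passed to an attacker-influenced value. The following is an added example, not from the source of the abend: the register values are copied from the text above, and the "three printable bytes" threshold is our own triage heuristic, not a proof of control.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct reg { const char *name; uint32_t value; };

/* Register values copied from the abend text above. */
static const struct reg abend_regs[] = {
    { "EAX", 0x00000238 }, { "EBX", 0x7E2F417E }, { "ECX", 0x55AA08D4 },
    { "EDX", 0x00000001 }, { "ESI", 0x2F417E2F }, { "EDI", 0x429980C0 },
    { "EBP", 0x417E2F41 }, { "ESP", 0xA94A9FA4 }, { "EIP", 0x007E2F41 },
};
static const size_t abend_regs_len = sizeof abend_regs / sizeof abend_regs[0];

/* Render a 32-bit value as the 4 bytes it occupies in memory (x86 is
 * little-endian, so the low byte comes first) and return how many are
 * printable ASCII (0x20..0x7E). Non-printable bytes are shown as '.'. */
int printable_bytes(uint32_t v, char out[5])
{
    int n = 0;
    for (int i = 0; i < 4; i++) {
        unsigned char b = (unsigned char)(v >> (8 * i));
        if (b >= 0x20 && b <= 0x7E) { out[i] = (char)b; n++; }
        else out[i] = '.';
    }
    out[4] = '\0';
    return n;
}

/* Heuristic (ours): a register holding three or more printable bytes most
 * likely took its value from input data rather than from code or pointers.
 * A single printable byte is common in ordinary values and is not flagged. */
int looks_controlled(const struct reg *r)
{
    char s[5];
    return printable_bytes(r->value, s) >= 3;
}

/* Print every register with its byte view and return the number flagged. */
int count_controlled(const struct reg *regs, size_t n)
{
    int flagged = 0;
    for (size_t i = 0; i < n; i++) {
        char s[5];
        printable_bytes(regs[i].value, s);
        int c = looks_controlled(&regs[i]);
        printf("%s = %08X  bytes \"%s\"%s\n", regs[i].name,
               (unsigned)regs[i].value, s, c ? "  <-- input-like" : "");
        flagged += c;
    }
    return flagged;
}

int main(void)
{
    int n = count_controlled(abend_regs, abend_regs_len);
    printf("%d of %zu registers look input-controlled\n", n, abend_regs_len);
    return 0;
}
```

Read in memory order the flagged registers spell "~A/~", "/~A/", "A/~A" and "A/~." (EIP's high byte is zero), i.e. one repeating "A/~" pattern; the next step in triage is to search the request or input that preceded the abend for that pattern and work out the offset at which it reaches the saved return address.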