Technical Details:
The vulnerabilities in the .FLAC format are due to improper handling of
metadata values from malformed files. The file format is documented here:
http://flac.sourceforge.net/format.html.
Vulnerability #1: Metadata Block Size Heap Overflow
The first notable vulnerability is the Metadata Block Size Overflow
vulnerability. Editing any Metadata Block Size value to a large value
such as 0xFFFFFFFF may result in a heap based overflow in the decoding
software.
Whenever vulnerable software opens or processes a malformed FLAC file, it
The SQL backup format consists of multiple chunks of data which
follow a basic structure of

struct backupChunk {
    unsigned long nametag;  /* chunk type tag, e.g. SCIN, SFGI, MQCI */
    unsigned long size;     /* size of the whole chunk, including this 8-byte header */
}

The nametag describes the type of tag (e.g. SCIN, SFGI, MQCI, etc.).
The size is the size of the complete chunk, which includes the 8-byte
chunk header.
+++ subversion/libsvn_delta/svndiff.c (working copy)
@@ -60,10 +60,23 @@ struct encoder_baton {
apr_pool_t *pool;
};
+/* This is at least as big as the largest size of an integer that
+ encode_int can generate; it is sufficient for creating buffers for
+ it to write into. This assumes that integers are at most 64 bits,
+ and so 10 bytes (with 7 bits of information each) are sufficient to
+ represent them. */
+#define MAX_ENCODED_INT_LEN 10
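Review bot: MAX_ENCODED_INT_LEN hard-codes the 64-bit assumption stated in its comment (10 bytes at 7 bits each covers 70 bits, so the arithmetic holds), but nothing ties the constant to the integer type encode_int actually takes; a compile-time assertion on that type's width next to the define would keep the two from drifting apart if the encoder is ever widened.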
int real_get_rdt_chunk(rtsp_t *rtsp_session, unsigned char **buffer) {
    int n=1;
    uint8_t header[8];
    rmff_pheader_t ph;
    int size;
    int flags1;
    int unknown1;
    uint32_t ts;
    n=rtsp_read_data(rtsp_session, header, 8);
hash('prefixstring2postfix'). If for example 'Ez' and 'FY' collide under
a hash function with this property, then 'EzEz', 'EzFY', 'FYEz', 'FYFY'
collide as well. An observant reader may notice that this is very
similar to binary counting from zero to four. Using this knowledge, an
attacker can construct arbitrary numbers of collisions (2^n for
2*n-sized strings in this example).
== Meet-in-the-middle attack ==
If equivalent substrings are not present in a given hash function, then
brute-force seems to be the only solution. The obvious way to best use
4. If either file timestamp is earlier than indicated in the table
below, the installation is vulnerable.

File Name       Timestamp                 Size            Size on disk
webengine.exe   10/30/2009 12:11:16 PM    2936832 bytes
Technical Description
=====================
These vulnerabilities were discovered while playing with AVI files:
1) indx chunk size
2) wLongsPerEntry
3) nEntriesInUse
Only 5 test cases were built.
Title: Incorrect input validation in PyString_FromStringAndSize()
leads to multiple buffer overflows
Date Discovered: ??-April-2008
Date Reported: 08-April-2008
Date Patched: 09-April-2008
Date Disclosed: 11-April-2008
Criticality: High
Affected Products
-----------------
Changing the length of the first parameter changes rip.
--- 2. grapheme_extract() NULL Pointer Dereference ---
As we can see in grapheme_extract(str,size)
-grapheme_extract()--
..
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "sl|llz", (char **)&str, &str_len, &size, &extract_type, &lstart, &next) == FAILURE) { <=== str='a' and size='-1'
..
}
-zend_builtin_functions.c---
-PoC code---
[cx@82 /www]$ ulimit -a
socket buffer size (bytes, -b) unlimited
core file size (blocks, -c) unlimited
data seg size (kbytes, -d) 524288
file size (blocks, -f) unlimited
max locked memory (kbytes, -l) unlimited
max memory size (kbytes, -m) 40000
Here's some further analysis of the 1 billion sample used as a training
set along with a separate 1 million sample used as a test set:
Applying the 697 million unique passwords (from the 1 billion sample
above) as a wordlist (6 GB file size) to crack another 1 million of
pwgen'ed passwords cracks 418168 of them (41.8%). For a uniform
distribution (which is not the case), this would correspond to total
keyspace size of about 1.67 billion passwords (between 30 and 31 bits).
Focusing on more frequent pwgen'ed passwords only:
However, I have not found any evidence of accessing freed memory -- as
far as I can tell, the problem is a logic bug. The CDispNode family
of classes contains a flags field that happens to be located
immediately after the vtable pointer, the lowest four bits of which
I'll refer to as the "extra size index."
CDispNode::SetExpandedClipRect uses the extra size index of a class
instance as an index into CDispNode::_extraSizeTable, a constant array
where each element represents a count of machine words of, I guess,
extra data that precedes the class instance. (This means that a
CDispNode-family class instance is not expected to snugly occupy its
Good. Let's look at the php_sprintf_appendstring() function in formatted_print.c:
---formatted_print.c-start---
inline static void
php_sprintf_appendstring(char **buffer, int *pos, int *size, char *add,
                         int min_width, int max_width, char padding,
                         int alignment, int len, int neg, int expprec, int always_sign)
---formatted_print.c-end---
The main variable we will look at is "npad".
uchar WordCount; /* must be 0x11 (17) */
ushort DialectIndex; /* selected dialect */
uchar SecurityMode; /* security flags */
ushort MaxMpxCount; /* maximum pending multiplexed requests supported*/
ushort MaxNumberVCs; /* maximum virtual connections */
ulong MaxBufferSize; /* maximum SMB message size */
ulong MaxRawSize; /* maximum raw buffer size */
ulong SessionKey; /* unique session identifier */
ulong Capabilities; /* server capabilities */
ulong SystemTimeLow; /* server time - low bytes */
ulong SystemTimeHigh; /* server time - high bytes */
*/
#include <libnet.h>
#include <stdio.h>
#include <stdlib.h>
#define VTP_DOMAIN_SIZE 32
#define VTP_TIMESTAMP_SIZE 12
struct vtp_summary {
u_int8_t version;
u_int8_t code;
Let's look in code:
"./src/modules/proxy/proxy_util.c"
long int ap_proxy_send_fb(BUFF *f, request_rec *r, cache_req *c, off_t len, int nowrite, int chunked, size_t recv_buffer_size)
{
...
size_t buf_size;
long remaining = 0;
4. If the file date is earlier than indicated in the table below,
the installation is vulnerable.
CA ARCserve Backup for Laptops and Desktops
File Name File Size (bytes) File Date
rxRPC.dll 131,072 June 11, 2008
CA ARCserve Backup for Laptops and Desktops 11.1, 11.1 SP1, 11.1 SP2
File Name File Size (bytes) File Date
Service Console package Python update to version 2.4.3-24.el5.
When the assert() system call was disabled, an input sanitization
flaw was revealed in the Python string object implementation that
led to a buffer overflow. The missing check for negative size values
meant the Python memory allocator could allocate less memory than
expected. This could result in arbitrary code execution with the
Python interpreter's privileges.
Multiple buffer and integer overflow flaws were found in the Python
-----------------------------
C] in_midi MTrk heap overflow
-----------------------------
Winamp calculates the size of the memory to allocate through the
parsing of the chunk size of all the MTrk fields.
A combination of signed comparisons, integer overflows and
portions of data copied in predictable positions allow the
exploiting of the relative heap overflow:
Analysis:
Details for TLS record handling vulnerability in GnuTLS [MU-201202-01]:
The block cipher decryption logic in GnuTLS assumed that a record containing
any data which was a multiple of the block size was valid for further
decryption processing, leading to a heap corruption vulnerability.
The bug can be reproduced in GnuTLS 3.0.14 by creating a corrupt
GenericBlockCipher struct with a valid IV and everything else stripped
off the end, while the handshake message length retains its original value:
Let's look in code:
"./goo/gmem.cc"
void *gmalloc(int size) GMEM_EXCEP {
#ifdef DEBUG_MEM
...
#else
void *p;
Mitigation recommendations from Trend:
1. Open the ScanMail for Domino Configuration database
2. Go to Configurations > Policies
3. Double click on Default Mail Scan
4. Click on Scan Options Tab > Scan Restrictions
5. Check "Exceed extracted file size" and set its action to one of the more secure options:
   a. Quarantine
   b. Delete
6. Set "Maximum extracted file size" to any preferred value
7. Click Save & Close
0012E428 005AD1C6 ntdll.RtlAllocateHeap xnview.005AD1C0
0012E424
0012E42C 00C60000 hHeap = 00C60000
0012E430 40000060 Flags =
HEAP_TAIL_CHECKING_ENABLED|HEAP_FREE_CHECKING_ENABLED|40000000
0012E434 00000010 HeapSize = 10 (16.)
0012E464 005AD0BD xnview.005AD0D9 xnview.005AD0B8
0012E460
0012E46C 005AD0AA xnview.005AD0AD xnview.005AD0A5
0012E478 0049E8D4 xnview.005AD09B xnview.0049E8CF
0012E748 004A00F5 ? xnview.0049E6C0 xnview.004A00F0
a GIF file it loads a dynamic library called 'libsgl.so' which contains
the decoders for multiple image file formats.
Decoding of the GIF image is performed correctly by the library giflib
4.0 (compiled inside 'libsgl.so'). However, the wrapper object
'GIFImageDecoder' miscalculates the total size of the image.
First, the Logical Screen Size is read and stored in the following
calling sequence (As giflib is an Open Source MIT-licenced library, the
source was available for analysis):
'GIFImageDecoder::onDecode()->DGifOpen()->DGifGetScreenDesc()'. The last
Release Date 2009/11/19
Type Product Binaries
http://downloads.vmware.com/download/download.do?downloadGroup=VC40U1
VMware vCenter Server 4 and modules
File size: 1.8 GB
File type: .iso
MD5SUM: 057d55b32eb27fe5f3e01bc8d3df3bc5
SHA1SUM: c90134418c2e4d3d6637d8bee44261300ad95ec1
VMware vCenter Server 4 and modules
proper key, and there is no need to keep track of any additional information
aside from what is already in the encrypted file itself. Think of eCryptfs as
a sort of ``gnupgfs.''
The parse_tag_11_packet function of eCryptfs in-kernel key management code
does not check if the tag 11 packet contains a literal data size
(tag11_contents_size) larger than literal data maximum size
(max_contents_bytes), before copying the literal data contents to a
stack-based buffer (of ECRYPTFS_SIG_SIZE size) passed by
ecryptfs_parse_packet_set function as the contents parameter, resulting in a
kernel stack-based buffer overflow vulnerability.
(BGP), Intermediate System to Intermediate System (ISIS), etc.) and
MPLS TDP/LDP to properly establish connections over an affected
interface.
In order to identify a blocked input interface, issue the show
interfaces command, and search for the Input Queue line. The size of
the input queue can continue to increase. If the current size, which
is 76 in the example below, is larger than the maximum size (75), the
input queue is blocked.
It is possible that a device receives a high rate of traffic destined
A] D_NetPlayerEvent global buffer-overflow using PKT_CHAT
---------------------------------------------------------
When a chat message is received, the server takes the incoming packet
and reads who sent it, its destination and naturally the entire message,
which is copied into a heap buffer using the remaining size of the packet
to calculate the amount of data to allocate.
Then a strcpy() is performed to copy the message from the packet to
the newly allocated buffer called msg.
If the message is directed to the server it's displayed in the console
using the D_NetPlayerEvent function.