allocates
- Firefox : allocates 2GB of memory then the Browser crashes
- IE5,6,7,8 : allocates 2GB of memory then the Browser crashes
- Opera : Allocates and commits as much memory as available, will not crash but other applications will become unstable
- Nintendo WII (Opera) : Console hangs, needs hard reset
Video: http://vimeo.com/2937101 (Thanks to David Raison)
Software, if the certificate based authentication method is used.
Successful exploitation of this vulnerability may result in the
allocation of all available Phase 1 SAs, which may prevent new IPSec
sessions from being established.
Administrators can view Phase 1 SAs that are allocated as a result of
exploitation by issuing the "show crypto isakmp sa" command. The
following example displays sample output for this command:
Router#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
/-----
[Module: JPEGACC.dll]
095F4D97 |. 68 080C0000 PUSH 0C08
;size of the buffer to be allocated
095F4D9C |. E8 9F4D0000 CALL JPEGACC.095F9B40
;call to malloc()
095F4DA1 |. 83C4 04 ADD ESP,4
095F4DA4 |. 894424 10 MOV DWORD PTR SS:[ESP+10],EAX
;saves the pointer returned by malloc()
crashes. In my case, the browser only takes CPU resources (over 50% on my two
core processor, it'll be 100% on a single core processor) without taking
memory.
Opera 9.52 is vulnerable (because it was fixed in a version after Opera 9.64).
You wrote that Opera allocates and commits as much memory as available and
will not crash. In my case Opera takes more than 2 GB (almost all memory
available) and then freezes.
Google Chrome 1.0.154.48 is not vulnerable. You wrote that Chrome allocates
2 GB of memory and then crashes tab with a null pointer. In my case Chrome
The Python core API provides multiple functions for the allocation
of string objects, specifically providing an API call that allows
for either the allocation or reallocation of a PyStringObject.
This function, PyString_FromStringAndSize() takes two parameters:
a pointer and a signed integer. If the pointer is non-NULL then
the memory pointed to it is reallocated to the size specified
by the second parameter. If the pointer is NULL then the number
of bytes specified by the integer are allocated and returned.
During the course of its operations this second parameter is not
validated to contain a positive value. This in turn is summed
======== Summary ========
The function netio!PtpCreateTrieNode allocates 32 bytes using
the method ExAllocatePoolWithTag, as a buffer. Next the function
netio!PtpCopyPartialKeys tries to copy memory into the previously
allocated buffer using an offset of 24 bytes and the illegal
value as number of bits to be copied. Since this value can be
bigger than 8 bytes the amount of memory copied is greater than
the buffer, overwriting surrounding kernel memory.
the client, to read arbitrary parts of the X server memory space.
CVE-2008-2360
An integer overflow may occur in the computation of the size of the
glyph to be allocated by the AllocateGlyph() function which will cause
less memory to be allocated than expected, leading to later heap
overflow.
CVE-2008-2361
Summary
-------
The FindFile method allocates memory for the buffer[1].
The buffer is then used to store the contents of the first argument of
the function[2] without checking whether the argument actually fits in the
allocated buffer. This data is in turn used to start a search.
Both the unicode and ascii versions of the library use a very similar
function and have the same bug, the only real difference is the size
of the allocated buffer. The unicode version allocates 592 bytes and,
the ascii version, 320 bytes.
Vulnerability #9: Picture Data Length Heap Overflow
By modifying the Picture Data Length field to an excessively large
value, such as 0xFFFFFFFF, a heap based overflow can be achieved. When a
vulnerable application that supports Picture Metadata blocks processes
an album art image, it uses this field to determine the size in bytes of
the embedded image file. This memory is allocated without bounds
checking and could be used to overwrite memory and pointers with
arbitrary values from inside the FLAC file.
Vulnerability #10: Picture URL Stack Overflow
Whenever a FLAC file's MIME-Type is set to "-->" this is a flag to
framework the _CFCapitalizeHeader() function is used for this purpose.
The first thing this function does is to convert the header name into
UTF-16 encoded form. Depending on the length of the header name the
result is either stored in a local stack buffer or in a buffer
allocated on the heap. For all header names > 511 bytes a heap buffer
is allocated as follows:
__text:00003A35 loc_3A35:
__text:00003A35 mov esi, [ebp+var_810]
__text:00003A3B add esi, esi
#2009-016 Poppler, Xpdf integer overflows during heap allocation
Description:
Poppler and Xpdf are two popular open source projects for processing PDF
files. Both projects are vulnerable to an integer overflow during heap
memory allocation when processing a PDF file. In general, this results
in unexpected process termination. If an application using this code is
multi-threaded (or uses a crash signal handler), it may be possible to
execute arbitrary code.
requests from clients on TCP/IP networks. The application layer protocol
used over TCP reads an initial packet of 4 bytes that specifies the
length of data that follows in the next packet. A second packet of that
length with a 5-byte fixed header is then read from the same TCP socket.
Once this second packet is read from the network into a buffer, the data
is then copied to an internal buffer of fixed size allocated on the
stack.
Due to a lack of proper length checking of the read data, a memory
copy operation that uses as its destination a buffer of fixed size allocated
on the stack can be overflowed, allowing an un-authenticated attacker to
PAGE:0001A208 push 5246704Eh ; Tag
PAGE:0001A20D push edi ; NumberOfBytes
PAGE:0001A20E push 0 ; PoolType
PAGE:0001A210 call ds:__imp__ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
In other words, for any amount of bytes that memcpy may copy, the same amount of bytes will be dynamically allocated. Thus, we never force an overflow condition.
Finally, below is the piece of code where the bug is triggered:
PAGE:0001A23E push edi ; size_t
PAGE:0001A23F mov eax, [ebp+arg_8] ; &Packet + Packet.DataOffset
The specific flaw exists within the decompression of a specific type of
video stream contained in an .AVI file. The application misuses a length
field for an allocation causing the memory allocation to be too small to
contain the subsequent data. During population of this buffer, the
application will copy more data than was allocated for, leading to memory
corruption with the potential for code execution.
-- Vendor Response:
Microsoft has issued an update to correct this vulnerability. More
details can be found at:
The SMB client then builds the SESSION_SETUP_ANDX_REQUEST packet that is to be
sent back the server.
In the function mrxsmb!SmbExtSecuritySessionSetupExchangeStart, the SMB headers
are copied starting at offset 80h from the beginning of the previously
allocated chunk. The amount of space available is controlled by the
'MaxBufferSize' value sent, and there is no check that the allocated buffer is
large enough. Any data copied after 'MaxBufferSize' bytes overwrites the
adjacent pool header and data.
kd> uf mrxsmb!SmbExtSecuritySessionSetupExchangeStart
break;
...
...
}
And here is the overflow! We have too little allocated memory, but the program doesn't know about it
and tries to convert colors and write into this memory with the calls:
*q++ = colToByte(rgb.r);
*q++ = colToByte(rgb.g);
*q++ = colToByte(rgb.b);
1898 if(exe_sections[i].rsz) {
1899 if(!cli_seeksect(desc, &exe_sections[i]) ||
(unsigned int) cli_readn(desc, dest + headsize + exe_sections[i].rva -
min, exe_sections[i].rsz) != exe_sections[i].rsz) {
The size of the allocated heap buffer is calculated on line 1879 using
several values that are under attacker control. The allocation takes
place on line 1883. Within the loop, starting on line 1897, data is
read into the allocated buffer (line 1899).
No validation is done to ensure that the resulting data is not written
The vulnerability exists within the code responsible for reallocating
dynamic buffers. The rdesktop xrealloc() function uses a signed
comparison to determine if the requested allocation size is less than
1. When this occurs, the function will incorrectly set the allocation
size to be 1. This results in an improperly sized heap buffer being
allocated, which can later be overflowed.
III. ANALYSIS
Exploitation of this vulnerability results in the execution of arbitrary
code with the privileges of the logged in user. In order to exploit this
[0xB6298C23][4-byte size][....][data]
The specified size parameter is subsequently used as the size parameter
to the memory allocation routines _rm32.rm_getMem(). Due to a lack of
sanity checking, values between 0xFFFFFFF8 and 0xFFFFFFFF result in an
integer overflow and therefore an under allocated heap buffer. The
following excerpt demonstrates this problem:
10004A57 mov eax, [ebp+arg_0] ; specified size
10004A5A add eax, 8 ; integer overflow
10004A5D push eax
streams that takes an input parameter of how much data to flush. This parameter
is a signed integer that is not verified for sanity and is thus potentially
negative. When passed a negative value, memory is misallocated and then the
signed integer is converted to an unsigned integer, resulting in a buffer overflow.
Technical Details
received in a loop, a heap allocation can be arbitrarily overflowed,
resulting in the control of subsequent heap chunks. This can lead to
arbitrary code execution.
The vulnerability is due to a loop that occurs during receive of socket
data. An initial buffer is allocated at 0x19000 bytes, as can be seen
here.
.text:00406077 191A8 68+ push 19000h ; size_t
.text:0040607C 191AC FF+ call ds:__imp_malloc
vulnerabilities during memory allocation which may result in arbitrary
code execution when processing large strings. A number of other
GNOME-related applications which predate glib are vulnerable due to the
commonality of this flawed code.
In all cases, heap memory is allocated using a length calculated from a
user-supplied, platform-specific value. It follows the pattern below:
g_malloc(user_supplied_length * 3 / 4 + some_small_num)
Due to the evaluation order of arithmetic operations, the length is
return pStatus;
}
-------------------------------------------------------------------------
The code marked as [1] creates an array of AEDRstructExt64 structures,
allocated on the heap and assigned to the AEDRList variable. The TempAEDR
structure [2] is also allocated on the heap. It is further used in the
while() loop to read the attributes from the CDF file that is being
parsed.
The Read32_64() function [3] is used to read an integer from the
CDF file stream and store it in the TempAEDR->AEDR.Num. At [4] this value
return EINVAL;
if (start_sel != LDT_AUTO_ALLOC
&& start_sel + num_sels > LDTSZ)
return EINVAL;
A new LDT is allocated using the kalloc() function, with its size argument being
sizeof(struct user_ldt) + (ldt_count * sizeof(struct real_descriptor)).
/*
* Allocate new LDT
resources available to both malicious attackers and administrators defending
networked systems.
The GameSec conference aims to bring together researchers who aim to establish a
theoretical foundation for making resource allocation decisions that balance
available capabilities and perceived security risks in a principled manner. The
conference focuses on analytical models based on game, information,
communication, optimization, decision, and control theories that are applied to
diverse
#2009-001 Pango integer overflow in heap allocation size calculations
Description:
Pango is a library for laying out and rendering text, with an emphasis
on internationalization. Pango suffers from a multiplicative integer
overflow which may lead to a potentially exploitable heap overflow,
depending on the calling conditions. For example, this vulnerability is
remotely reachable in Firefox by creating an overly large
document.location value but only results in a process-terminating,
WonderWare SuiteLink is a service that runs on Microsoft Windows
Operating Systems listening for connections on port 5413/tcp.
Un-authenticated client programs connecting to the service can send a
malformed packet that causes a memory allocation operation (a call to
'new()' operator) to fail returning a 'NULL' pointer. Due to a lack of
error-checking for the result of the memory allocation operation, the
program later tries to use the pointer as a destination for memory copy
operation, triggering an access violation error and terminating the
service.