bounds checking
CVE-2011-1745
Vasiliy Kulikov reported an issue in the Linux support for AGP devices.
Local users can obtain elevated privileges or cause a denial of service due
to missing bounds checking in the AGPIOC_BIND ioctl. On default Debian
installations, this is exploitable only by users in the video group.
CVE-2011-1746
Vasiliy Kulikov reported an issue in the Linux support for AGP devices.
VLC media player is vulnerable to a memory corruption vulnerability,
which can be exploited by malicious remote attackers to compromise a
user's system, by providing a specially crafted XSPF playlist file. The
vulnerability exists because the VLC ('demux/playlist/xspf.c') library
does not properly perform bounds-checking on an 'identifier' tag from an
XSPF file before using it to index an array on the heap. This can be
exploited to overwrite an arbitrary memory address in the context of the
VLC media player process, and eventually get arbitrary code execution by
opening a specially crafted file.
#2009-002 OpenCORE insufficient bounds checking during MP3 decoding
Description:
OpenCORE, an open source multimedia decoding subsystem, suffers from an
integer underflow during Huffman decoding resulting in improper bounds
checking when writing to a heap allocated buffer. Decoding a specially
crafted mp3 file will result in unexpected process termination or,
potentially, arbitrary code execution due to heap corruption.
necessary changes.
Details follow:
Bastien Roucaries discovered that dvips as included in tetex-bin
and texlive-bin did not properly perform bounds checking. If a
user or automated system were tricked into processing a specially
crafted dvi file, dvips could be made to crash and execute code as
the user invoking the program. (CVE-2007-5935)
Joachim Schrod discovered that the dviljk utilities created
Summary: CA ARCserve Backup for Laptops and Desktops contains
multiple vulnerabilities that can allow a remote attacker to cause
a denial of service condition or execute arbitrary code. The first
set of vulnerabilities, CVE-2007-3216, occur due to insufficient
bounds checking on multiple command arguments by the LGServer
service. The second set of vulnerabilities, CVE-2007-5003, occur
due to insufficient bounds checking on rxrLogin authentication
credentials and on a username by the GetUserInfo() function. The
third vulnerability, CVE-2007-5004, occurs due to insufficient
verification of an integer value used during authentication, which
malicious ICC tags, a remote attacker could crash applications linked
against liblcms1, leading to a denial of service, or possibly execute
arbitrary code with user privileges. (CVE-2009-0723)
Chris Evans discovered that LittleCMS did not properly perform bounds
checking, leading to a buffer overflow. If a user or automated system were
tricked into processing an image with malicious ICC tags, a remote attacker
could execute arbitrary code with user privileges. (CVE-2009-0733)
Updated packages for Ubuntu 6.06 LTS:
Advisory Issued: 4th August 2010
===============================ADVISORY===============================
Description
-----------
The Citrix Presentation Server Client (tested on v10.150) does not perform bounds checking on the type field in an ICA "graphics" packet. This lack of checking allows remote exploitation of a user that has the client installed.
The exploit can be triggered by sending a user to a malicious webpage that causes an ICA file to be downloaded. This automatically connects to a simulated ICA server, which can trigger the remote code execution and take control of the client.
Analysis
Debian bug : 538989
CVE ID : none assigned yet
It was discovered that squid3, a high-performance proxy caching server for
web clients, is prone to several denial of service attacks. Due to incorrect
bounds checking and insufficient validation while processing response and
request data, an attacker is able to crash the squid daemon via crafted
requests or responses.
The squid package in the oldstable distribution (etch) is not affected
vulnerable installations of Sun Microsystems Java. User interaction is
required in that a user must open a malicious file or visit a malicious
web page.
The specific flaw exists in the parsing of long file:// URL arguments to
the getSoundbank() function. Due to a lack of bounds checking on user
supplied data a stack overflow can occur leading to remote code
execution. Exploitation of this vulnerability can lead to system
compromise under the credentials of the currently logged in user.
-- Vendor Response:
Summary: CA ARCserve Backup for Laptops and Desktops server
contains a vulnerability that can allow a remote attacker to
execute arbitrary code or cause a denial of service condition. CA
has issued updates to address the vulnerability. The vulnerability,
CVE-2008-3175, occurs due to insufficient bounds checking by the
LGServer service. An attacker can make a request that can result
in arbitrary code execution or crash the service.
Mitigating Factors: Only the server installation of BrightStor
Manager. Authentication is not required to exploit this vulnerability.
The specific flaw exists in the eTrust Common Services Transport
(ECSQdmn.exe) running on port 1882. When making a request to this
service a user supplied DWORD value is used in a memory copy operation.
Due to the lack of bounds checking an integer can be improperly
calculated leading to a heap overflow. If successfully exploited this
vulnerability will result in a remote system compromise with SYSTEM
credentials.
-- Disclosure Timeline:
Summary: CA ARCserve Backup for Laptops and Desktops Server
contains multiple vulnerabilities that can allow a remote attacker
to execute arbitrary code or cause a denial of service condition.
CA has issued updates to address the vulnerabilities. The first
issue, CVE-2008-1328, occurs due to insufficient bounds checking
on command arguments by the LGServer service. The second issue,
CVE-2008-1329, occurs due to insufficient verification of file
uploads by the NetBackup service. In most cases, an attacker can
potentially gain complete control of an affected installation.
Additionally, only a server installation of BrightStor ARCserve
Vulnerabilities and Exposures project identifies the following three
problems:
CVE-2007-5824
Insufficient validation and bounds checking of the Authorization:
HTTP header enables a heap buffer overflow, potentially enabling
the execution of arbitrary code.
CVE-2007-5825
Summary: Multiple vulnerabilities exist in BrightStor ARCserve
Backup that can allow a remote attacker to cause a denial of
service, execute arbitrary code, or take privileged action. The
first set of vulnerabilities, CVE-2007-5325, CVE-2007-5326, and
CVE-2007-5327, occur due to insufficient bounds checking by
multiple components. The second vulnerability, CVE-2007-5328,
occurs due to privileged functions being available for use without
proper authorization. The third set of vulnerabilities,
CVE-2007-5329, CVE-2007-5330, CVE-2007-5331, and CVE-2007-5332,
are due to a memory corruption occurring with the processing of
When samba is configured as a Primary or Backup Domain Controller,
a remote attacker could send malicious logon requests and possibly
cause a denial of service. (CVE-2007-4572)
Alin Rad Pop of Secunia Research discovered that Samba did not
properly perform bounds checking when parsing SMB replies. A remote
attacker could send crafted SMB packets and execute arbitrary code.
(CVE-2008-1105)
Updated packages for Ubuntu 6.06 LTS:
CA XOsoft. A vulnerability exists that can allow a remote attacker to
execute arbitrary code. CA has issued a patch to address the
vulnerability for each affected release.
The vulnerability, CVE-2010-3984, is due to insufficient bounds
checking with a SOAP request. A remote attacker can make a SOAP
request to cause a buffer overflow and potentially compromise the
system.
Risk Rating
CA Gateway Security. A vulnerability exists that can allow a remote
attacker to execute arbitrary code. CA has issued an update that
resolves the vulnerability.
The vulnerability, CVE-2011-2667, occurs due to insufficient bounds
checking that can result in a memory overwrite on the heap. By
sending a malformed request, an attacker can overwrite a sensitive
portion of heap memory, which can potentially result in server
compromise.
Risk Rating
-----------
Multiple vulnerabilities have been discovered in Securstar DriveCrypt kernel
drivers. The vulnerabilities exist due to several somewhat systemic issues: in
the validation of user-supplied pointers and the trust placed in them, in the use of user-supplied
parameters to privileged kernel functionality and, finally, in the lack of bounds
checking in unbounded copy operations, resulting in buffer overflows.
Analysis
--------
Numerous vulnerabilities exist due to a complete lack of validation of user-
supplied pointers contained within structures passed as arguments to the IOCTL
Additional Information:
=======================
Sending a malformed NDMP client authentication (NDMP_CONECT_CLIENT_AUTH command) packet will cause a buffer overflow due to
invalid bounds checking.
Solutions:
==========
Use the solution provided by Oracle http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html
service (application crash) or possibly execute arbitrary code via
negative size values for certain strings in FontType42 font files,
leading to a heap-based buffer overflow (CVE-2010-2806).
FreeType before 2.4.2 uses incorrect integer data types during bounds
checking, which allows remote attackers to cause a denial of service
(application crash) or possibly execute arbitrary code via a crafted
font file (CVE-2010-2807).
Buffer overflow in the Mac_Read_POST_Resource function in base/ftobjs.c
in FreeType before 2.4.2 allows remote attackers to cause a denial of
[Bug Summary]
The specific flaw exists within the oninit process bound to TCP port
9088 when processing the arguments to the COLLATION option in a SQL
query. User-supplied data is copied into a stack-based buffer without
proper bounds checking resulting in an overflow.
The vulnerability may result in arbitrary code execution under
the context of the database server.
[Impact]
vulnerable installations of Oracle Secure Backup. Authentication is not
required to exploit this vulnerability.
The specific flaw exists in the Oracle Secure Backup Services daemon
observiced.exe listening on TCP port 10000 by default. Due to the lack
of bounds checking on the reverse lookup of connections to the port a
stack overflow can occur leading to a complete compromise of the
affected system under the credentials of the SYSTEM account.
-- Vendor Response:
Oracle has issued an update to correct this vulnerability. More
vulnerable installations of Oracle Secure Backup. User interaction is
not required to exploit this vulnerability.
The specific flaw exists in the parsing of commands sent to the
obscheduled.exe service listening by default on TCP port 1026, or 1027.
Due to a lack of bounds checking on a specific command sequence the
program stack can be overwritten with user controlled data. Successful
exploitation can lead to remote system compromise under the SYSTEM
credentials.
-- Vendor Response:
PRIMEQUEST system"
2. Non-technical description
PXEService.exe is prone to a remote buffer overflow due to improper
bounds checking when handling PXE requests.
A remote unauthenticated malicious attacker can take advantage of this
flaw to execute arbitrary code by sending a specially crafted UDP packet.
3. Technical Description.
OpenOffice, as included in various vendors' operating system
distributions, allows attackers to execute arbitrary code with the
privileges of the logged in user.
The first vulnerability occurs when parsing "Attribute" records from the
file. Due to a lack of bounds checking during a loop that reads these
records, an attacker can trigger a heap overflow by inserting more than
256 records.
The second vulnerability is nearly identical to the first one, but
involves the "Font Description" record instead of the "Attribute"
execution privileges are required to exploit this vulnerability.
The specific flaw exists within the oninit process bound to TCP port
9088 when processing the arguments to the USELASTCOMMITTED option in a
SQL query. User-supplied data is copied into a stack-based buffer
without proper bounds checking resulting in an exploitable overflow.
Exploitation can result in arbitrary code execution under the context of
the database server.
-- Disclosure Timeline:
2008-11-10 - Vulnerability reported to vendor
* Stefan Esser reported that a shortcoming in PHP's algorithm for
seeding the random number generator might allow for predictable
random numbers (CVE-2008-2107, CVE-2008-2108).
* The IMAP extension in PHP uses obsolete c-client API calls making
it vulnerable to buffer overflows as no bounds checking can be done
(CVE-2008-2829).
* Tavis Ormandy reported a heap-based buffer overflow in
pcre_compile.c in the PCRE version shipped by PHP when processing
user-supplied regular expressions (CVE-2008-2371).
Vulnerability #5: Picture MIME-Type Stack Overflow
By using the same technique as the VORBIS Comment String Stack Overflow,
by setting a large size value at roughly 5000 bytes (depending on the
vulnerable application) and a large string value for the Picture
MIME-Type a stack-based overflow can be reached. Exploitation depends on
bounds-checking within the application in conjunction with the ability
to process Picture Data within FLAC files.
Vulnerability #6: Picture Dimension Size Heap Overflow
By modifying the width and height values in the PICTURE Metadata block,
a heap-based overflow could be achieved. When a vulnerable application