
buffer overflows

Secunia Research: Novell iPrint Client ActiveX Control Multiple Buffer Overflows

====================================================================== 

                     Secunia Research 25/08/2008

  - Novell iPrint Client ActiveX Control Multiple Buffer Overflows -

====================================================================== 
Table of Contents

Affected Software....................................................1

Re: Secunia Research: Lotus Notes Folio Flat File Parsing Buffer Overflows

> Autonomy Keyview Folio Flat File Parsing Buffer Overflows
> Autonomy Keyview Applix Graphics Parsing Vulnerabilities
> Autonomy Keyview EML Reader Buffer Overflows
> activePDF DocConverter Folio Flat File Parsing Buffer Overflows
> activePDF DocConverter Applix Graphics Parsing Vulnerabilities 
> Lotus Notes Applix Graphics Parsing Vulnerabilities
> Lotus Notes Folio Flat File Parsing Buffer Overflows
> Lotus Notes EML Reader Buffer Overflows
> Lotus Notes kvdocve.dll Path Processing Buffer Overflow
> Lotus Notes htmsr.dll Buffer Overflows

Re: [Full-disclosure] Secunia Research: Lotus Notes Folio Flat File Parsing Buffer Overflows

> On Tue, Apr 15, 2008 at 10:20 AM, Luigi Auriemma <aluigi@autistici.org>
> wrote:
> 
> > > Autonomy Keyview Folio Flat File Parsing Buffer Overflows
> > > Autonomy Keyview Applix Graphics Parsing Vulnerabilities
> > > Autonomy Keyview EML Reader Buffer Overflows
> > > activePDF DocConverter Folio Flat File Parsing Buffer Overflows
> > > activePDF DocConverter Applix Graphics Parsing Vulnerabilities
> > > Lotus Notes Applix Graphics Parsing Vulnerabilities

Multiple vulnerabilities in Doomsday 1.9.0-beta5.1

              http://www.doomsdayhq.com
              http://www.dengine.net
              http://sourceforge.net/projects/deng/
Versions:     <= 1.9.0-beta5.1 and current SVN
Platforms:    Windows, Linux and Mac
Bugs:         A] D_NetPlayerEvent global buffer-overflow using PKT_CHAT
              B] Msg_Write global buffer-overflow through PKT_CHAT
              C] undelimited strcpy in PKT_CHAT
              D] integer overflow in PKT_CHAT
              E] static buffer-overflow in NetSv_ReadCommands
              F] client format string through PSV_CONSOLE_TEXT

Foxit Reader Multiple Vulnerabilities (CORE-2009-0218)

Release mode: Coordinated release


2. *Vulnerability Information*

Class: Authorization bypass, Buffer overflow
Remotely Exploitable: Yes
Locally Exploitable: No
Bugtraq ID: 34035
CVE Name: CVE-2009-0836, CVE-2009-0837


Multiple vulnerabilities in libnemesi 0.6.4-rc1

Application:  libnemesi
              http://live.polito.it/documentation/libnemesi
Versions:     <= 0.6.4-rc1
Platforms:    *nix
Bugs:         A] buffer-overflow in handle_rtsp_pkt
              B] buffer-overflow in the send_*_request functions
              C] buffer-overflow in get_transport_str_*
Exploitation: remote
Date:         27 Dec 2007
Author:       Luigi Auriemma

Remote Buffer Overflow Exploit (TFTP Daemon Version 1.9) by Socket_0x03

The last exploit (http://www.securityfocus.com/archive/1/508581 ) had a mistake in its instructions (usage). Now, it works perfectly:

//################################################
//
//Vulnerability: Remote Buffer Overflow Exploit
//Impact: Remote Denial of Service Attack
//Vulnerable Application: TFTP Daemon Version 1.9
//Tested on Windows XP Service Pack II
//
//Author: Socket_0x03

"Exploit creation - The random approach" or "Playing with random to build exploits"

First of all, to make a polymorphic code we have to be sure we have all the
requirements to achieve the concept that a polymorphic code must be
unpredictable, which means random. I chose MS02-039[1] because I have
all the requirements for this proof of concept:
        1. Microsoft Windows Buffer Overflow[2];
        2. Buffer to overflow is not too big;
        3. More than just one Return Address[3];
        4. Incredibly high number of writable addresses only in
SQLSORT.DLL[4].


Remote Buffer Overflow Exploit (TFTP Daemon Version 1.9) by Socket_0x03

//################################################
//
//Vulnerability: Remote Buffer Overflow Exploit
//Impact: Remote Denial of Service Attack
//Vulnerable Application: TFTP Daemon Version 1.9
//Tested on Windows XP Service Pack II
//
//Author: Socket_0x03
//Contact: Socket_0x03@teraexe.com
//Website: www.teraexe.com

[ MDVSA-2010:055 ] poppler

 
 A NULL pointer dereference flaw in the JBIG2 decoder allows remote
 attackers to cause denial of service (crash) via a crafted PDF file
 (CVE-2009-1181).
 
 Multiple buffer overflows in the JBIG2 MMR decoder allow remote
 attackers to cause denial of service or to execute arbitrary code
 via a crafted PDF file (CVE-2009-1182, CVE-2009-1183).
 
 An integer overflow in the JBIG2 decoding feature allows remote
 attackers to cause a denial of service (crash) and possibly execute

[ MDVSA-2011:175 ] poppler

 
 A NULL pointer dereference flaw in the JBIG2 decoder allows remote
 attackers to cause denial of service (crash) via a crafted PDF file
 (CVE-2009-1181).
 
 Multiple buffer overflows in the JBIG2 MMR decoder allow remote
 attackers to cause denial of service or to execute arbitrary code
 via a crafted PDF file (CVE-2009-1182, CVE-2009-1183).
 
 An integer overflow in the JBIG2 decoding feature allows remote
 attackers to cause a denial of service (crash) and possibly execute

CORE-2008-0624: Anzio Web Print Object Buffer Overflow

Hash: SHA1

~      Core Security Technologies - CoreLabs Advisory
~           http://www.coresecurity.com/corelabs/

~          Anzio Web Print Object Buffer Overflow


*Advisory Information*

Title: Anzio Web Print Object Buffer Overflow

[CORELAN-10-006] BOF Vulnerability in S.O.M.P.L. Player

[*] Version : 1.0
[*] Vendor : George Fesalides
[*] URL : http://sourceforge.net/projects/somplmp3/files/
[*] URL2 : http://www.softpedia.com/progDownload/SOMPL-Download-144999.html
[*] Platform : Windows
[*] Type of vulnerability : Buffer Overflow 
[*] Risk rating : Medium 
[*] Issue fixed in version : ???
[*] Vulnerability discovered by : Rick2600 
[*] Greetings to : corelanc0d3r, EdiStrosar, mr_me, ekse, MarkoT, sinn3r


[CORE-2010-1001] Cisco WebEx .atp and .wrf Overflow Vulnerabilities

2. *Vulnerability Information*

Class: Stack-based Buffer Overflow [CWE-121], Stack-based Buffer
Overflow [CWE-121]
Impact: Code execution
Remotely Exploitable: Yes (client-side)
Locally Exploitable: No
CVE Name: CVE-2010-3269, CVE-2010-3270

CORE-2010-0316 - Novell iManager Multiple Vulnerabilities

1. *Advisory Information*

Title: Novell iManager Multiple Vulnerabilities
Advisory Id: CORE-2010-0316
Advisory URL:
[http://www.coresecurity.com/content/novell-imanager-buffer-overflow-off-by-one-vulnerabilities]
Date published: 2010-06-23
Date of last update: 2010-06-23
Vendors contacted: Novell
Release mode: User release


[ MDVSA-2010:087 ] poppler

 Problem Description:

 Multiple vulnerabilities have been found and corrected in poppler:
 
 Multiple buffer overflows in the JBIG2 decoder in Xpdf 3.02pl2
 and earlier allow remote attackers to cause a denial of service
 (crash) via a crafted PDF file, related to (1) setBitmap and (2)
 readSymbolDictSeg (CVE-2009-0146).
 
 Multiple integer overflows in the JBIG2 decoder in Xpdf 3.02pl2 and

CORE-2008-1211: Amaya web editor XML and HTML parser vulnerabilities

1. *Advisory Information*

Title: Amaya web editor XML and HTML parser vulnerabilities
Advisory ID: CORE-2008-1211
Advisory URL: http://www.coresecurity.com/content/amaya-buffer-overflows
Date published: 2009-01-28
Date of last update: 2009-01-26
Vendors contacted: INRIA
Release mode: Coordinated release


Cisco Security Advisory: Cisco Unified IP Phone Overflow and Denial of Service Vulnerabilities

SCCP and SIP-Related Vulnerabilities

  * DNS Response Parsing Overflow

    Cisco Unified IP Phone 7940, 7940G, 7960 and 7960G devices
    running SCCP and SIP firmware contain a buffer overflow
    vulnerability in the handling of DNS responses. A
    specially-crafted DNS response may be able to trigger a buffer
    overflow and execute arbitrary code on a vulnerable phone. This
    vulnerability is corrected in SCCP firmware version 8.0(8) and
    SIP firmware version 8.8(0). This vulnerability is documented in 

[ GLSA 200711-30 ] PCRE: Multiple vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

PCRE is vulnerable to multiple buffer overflow and memory corruption
vulnerabilities, possibly leading to the execution of arbitrary code.

Background
==========


Multiple vulnerabilities in WinCom LPD Total 3.0.2.623

Application:  WinCom LPD Total - Line Printer Daemon
              http://clientsoftware.com.au/lpd.html
Versions:     <= 3.0.2.623
Platforms:    Windows
Bugs:         A] buffer-overflow in control filename
              B] remote administration bypassing
              C] integer memcpy crash in remote administration
              D] buffer-overflow in remote administration
Exploitation: remote
Date:         04 Feb 2008

Multiple buffer-overflows in NowSMS v2007.06.27

Application:  Now SMS/MMS Gateway
              http://www.nowsms.com
Versions:     <= v2007.06.27
Platforms:    Windows
Bugs:         A] web authorization buffer-overflow
              B] SMPP buffer-overflow
Exploitation: remote
Date:         19 Feb 2008
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org

Multiple vulnerabilities in Georgia SoftWorks SSH2 Server 7.01.0003

Application:  Georgia SoftWorks SSH2 Server (GSW_SSHD)
              http://www.georgiasoftworks.com/prod_ssh2/ssh2_server.htm
Versions:     <= 7.01.0003
Platforms:    Windows
Bugs:         A] format string in the log function
              B] buffer-overflow in the log function
              C] buffer-overflow in the handling of the password
Exploitation: remote
Date:         02 Jan 2008
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org

Multiple vulnerabilities in yaSSL 1.7.5

Application:  yaSSL
              http://www.yassl.com
Versions:     <= 1.7.5
Platforms:    Windows and *nix
Bugs:         A] buffer-overflow in ProcessOldClientHello
              B] buffer-overflow in "input_buffer& operator>>"
              C] invalid memory access in HASHwithTransform::Update
Exploitation: remote
Date:         04 Jan 2008
Author:       Luigi Auriemma

Multiple vulnerabilities in Feng 0.1.15

Application:  Feng
              http://live.polito.it/documentation/feng
Versions:     <= 0.1.15
Platforms:    *nix
Bugs:         A] first buffer-overflow in RTSP_valid_response_msg
              B] second buffer-overflow in RTSP_valid_response_msg
              C] crash in RTSP_remove_msg
              D] NULL pointer in parse_transport_header
              E] NULL pointer in parse_play_time_range
              F] NULL pointer in log_user_agent

Two buffer-overflows in FSD V2.052 d9 and FSFDT V3.000 d9

Application:  FSD
              http://www.mcdu.com/en/download.php
Versions:     <= "V2.052 d9" (original FSD) and "V3.000 d9" (FSFDT FSD)
Platforms:    Windows and *nix
Bugs:         A] buffer-overflow in exechelp
              B] buffer-overflow in execmulticast
Exploitation: remote
Date:         01 Oct 2007
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org

Multiple vulnerabilities in Live for Speed 0.5X10

Application:  Live for Speed
              http://www.lfs.net
Versions:     <= 0.5X10
Platforms:    Windows
Bugs:         A] nickname buffer-overflow
              B] partial track buffer-overflow
              C] NULL pointer access in internet/hidden S1/S2 servers
              D] memcpy() NULL pointer in internet/hidden S1/S2 servers
Exploitation: remote, versus server
              A] demo/S1/S2 in-game

Multiple vulnerabilities in Toribash 2.71

Application:  Toribash
              http://www.toribash.com
Versions:     <= 2.71
Platforms:    Windows, Mac and Linux
Bugs:         A] dedicated server format string
              B] client commands buffer-overflow
              C] client unicode buffer-overflow in the SAY command
              D] server crash through uninitialized values
              E] line-feed dropping
              F] Windows dedicated server hell bell
              G] clients kicked by malformed packet

CORE-2007-1119: CORE FORCE Kernel Buffer Overflow

~    Core Security Technologies - CoreLabs Advisory
~         http://www.coresecurity.com/corelabs

~          CORE FORCE Kernel Buffer Overflow


*Advisory Information*

Title: CORE FORCE Kernel Buffer Overflow

Re: SEPKILL /im SMC.EXE /f

>> and run the filemon with the filter as smc.exe, Whenever it tries to 
>> access the smcgui.exe. There is a "Buffer Overflow" detected. As I have 
>> said at bugtrax as well, I am not sure if the buffer overflow has 
>> happened or averted but its all very interesting.

Gadu-Gadu Local/Remote Buffer Overflow vulnerability

Team Vexillium
Security Advisory
http://vexillium.org/

Name         : Gadu-Gadu
Class        : Buffer Overflow
Threat level : VERY HIGH
Discovered   : 2007-11-10
Published    : 2007-11-22
Credit       : j00ru//vx
Vulnerable   : Gadu-Gadu 7.7 [Build 3669], prior versions may also be affected.
