The vulnerability is caused by a use-after-free error in the HouseCall
ActiveX control (Housecall_ActiveX.dll). This can be exploited to
dereference previously freed memory by tricking the user into opening
a web page containing a specially crafted "notifyOnLoadNative()"
callback function.
Successful exploitation allows execution of arbitrary code.
======================================================================
5) Solution
Problem type : local (remote)
Debian-specific: no
CVE Id : CVE-2010-0734
Wesley Miaw discovered that libcurl, a multi-protocol file transfer
library, is prone to a buffer overflow via the callback function when
an application relies on libcurl to automatically uncompress data. Note
that this only affects applications that trust libcurl's maximum limit
for a fixed buffer size and do not perform any sanity checks themselves.
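The failure mode the advisory describes is an application write callback that sizes a fixed buffer to libcurl's documented maximum chunk size and trusts it unconditionally. As an added example (not libcurl's code and not part of the Debian advisory), the following shows that trusting callback beside a hardened one that bounds every copy on the length actually delivered and fails closed. The CURL_MAX_WRITE_SIZE value is copied from curl/curl.h so the file builds without libcurl; the chunks are constructed in-line and deliver_chunk() stands in for libcurl invoking the callback, so no transfer or decompression takes place.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Documented maximum size of one chunk handed to a write callback
   (CURL_MAX_WRITE_SIZE in curl/curl.h); copied here so this builds without libcurl. */
#define CURL_MAX_WRITE_SIZE 16384

struct sink {
    char   buf[CURL_MAX_WRITE_SIZE];  /* fixed buffer sized to the documented limit */
    size_t used;                      /* bytes stored so far */
    int    aborted;                   /* set when the hardened callback refuses data */
};

/* Vulnerable pattern: assumes size*nmemb can never exceed CURL_MAX_WRITE_SIZE.
   With automatic decompression enabled, an uncompressed chunk larger than that
   runs off the end of buf. */
size_t write_cb_trusting(char *ptr, size_t size, size_t nmemb, void *userdata)
{
    struct sink *s = userdata;
    size_t len = size * nmemb;
    memcpy(s->buf + s->used, ptr, len);   /* no check against remaining space */
    s->used += len;
    return len;
}

/* Hardened pattern: bound on the length actually delivered and the space left.
   Returning anything other than len makes libcurl stop the transfer
   (CURLE_WRITE_ERROR), so an oversize chunk is refused rather than copied. */
size_t write_cb_checked(char *ptr, size_t size, size_t nmemb, void *userdata)
{
    struct sink *s = userdata;
    size_t len;
    if (size != 0 && nmemb > SIZE_MAX / size) {   /* size*nmemb would wrap */
        s->aborted = 1;
        return 0;
    }
    len = size * nmemb;
    if (len > sizeof(s->buf) - s->used) {          /* does not fit: fail closed */
        s->aborted = 1;
        return 0;
    }
    memcpy(s->buf + s->used, ptr, len);
    s->used += len;
    return len;
}

typedef size_t (*write_cb_t)(char *, size_t, size_t, void *);

/* Stands in for libcurl delivering one (already decompressed) chunk of
   chunk_len constructed bytes. Returns 1 if the callback accepted it, 0 if not. */
static int deliver_chunk(write_cb_t cb, struct sink *s, size_t chunk_len)
{
    char *chunk = malloc(chunk_len ? chunk_len : 1);
    size_t got;
    if (!chunk) return 0;
    memset(chunk, 'A', chunk_len);
    got = cb(chunk, 1, chunk_len, s);
    free(chunk);
    return got == chunk_len;
}

/* Fresh sink, one chunk through the hardened callback: 1 = accepted, 0 = refused. */
int checked_accepts(size_t chunk_len)
{
    struct sink s = { {0}, 0, 0 };
    return deliver_chunk(write_cb_checked, &s, chunk_len);
}

/* Two chunks through the hardened callback; returns how many bytes were kept. */
size_t checked_retained(size_t first_len, size_t second_len)
{
    struct sink s = { {0}, 0, 0 };
    deliver_chunk(write_cb_checked, &s, first_len);
    deliver_chunk(write_cb_checked, &s, second_len);
    return s.used;
}

/* The trusting callback is only ever driven with in-bounds input here; feeding it
   more than CURL_MAX_WRITE_SIZE bytes is exactly the overflow the advisory describes.
   Returns -1 rather than performing that overflow. */
int trusting_accepts_in_bounds(size_t chunk_len)
{
    struct sink s = { {0}, 0, 0 };
    if (chunk_len > sizeof(s.buf)) return -1;
    return deliver_chunk(write_cb_trusting, &s, chunk_len);
}

int main(void)
{
    printf("checked, 100 bytes: %d\n", checked_accepts(100));
    printf("checked, %d bytes: %d\n", CURL_MAX_WRITE_SIZE + 1,
           checked_accepts(CURL_MAX_WRITE_SIZE + 1));
    printf("retained after 100 then %d bytes: %zu\n", CURL_MAX_WRITE_SIZE,
           checked_retained(100, CURL_MAX_WRITE_SIZE));
    return 0;
}
```

The point of the hardened form is that the limit is a property of the data actually handed over, not of the documentation: the callback measures size*nmemb against the space it has left and returns a short count to abort the transfer, which is the only safe response when the caller's promise about chunk size cannot be relied upon.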
Details:
These two vulnerabilities exist in an undocumented function,
"app.checkForUpdate()", and are exploited through a callback function.
The following POC shows how to execute restricted functions:
function myCallBack()
{
ipp_state_t                        /* O - Current state */
ippReadIO(void       *src,         /* I - Data source */
          ipp_iocb_t  cb,          /* I - Read callback function */
          int         blocking,    /* I - Use blocking IO? */
          ipp_t      *parent,      /* I - Parent request, if any */
          ipp_t      *ipp)         /* I - IPP data */
{
  int n;                           /* Length of data */
Development is very active, and bug fixes are very fast!"
The vuln:
Weechat does not use the GnuTLS API properly to check certificates, potentially exposing users to man-in-the-middle attacks.
Weechat registers a callback function that GnuTLS calls during the TLS/SSL handshake. The function performs checks on the server
certificate and, optionally, sends a client certificate.
The relevant code is in the network_init function of src/core/wee-network.c:
gnutls_certificate_client_set_retrieve_function (gnutls_xcred,
&hook_connect_gnutls_set_certificates);
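Whatever else a callback registered this way does, the handshake is only safe if it actually acts on the verification result: GnuTLS of this era leaves chain verification and hostname matching to the application, so a callback that runs the checks but ignores their outcome (or skips the hostname check) accepts any certificate a man in the middle presents. The following is an added example, not Weechat's code, of the decision such a callback must make. The GnuTLS status bits are copied from gnutls/gnutls.h (assumed unchanged) so the file builds without GnuTLS; the comments state which GnuTLS calls would produce each input in a real callback, and the inputs in main() are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Certificate status bits from gnutls/gnutls.h (gnutls_certificate_status_t),
   copied here (assumed unchanged) so the example builds without GnuTLS. */
#define GNUTLS_CERT_INVALID            (1u << 1)
#define GNUTLS_CERT_REVOKED            (1u << 5)
#define GNUTLS_CERT_SIGNER_NOT_FOUND   (1u << 6)
#define GNUTLS_CERT_SIGNER_NOT_CA      (1u << 7)
#define GNUTLS_CERT_INSECURE_ALGORITHM (1u << 8)
#define GNUTLS_CERT_NOT_ACTIVATED      (1u << 9)
#define GNUTLS_CERT_EXPIRED            (1u << 10)

static const struct { unsigned int bit; const char *text; } status_names[] = {
    { GNUTLS_CERT_INVALID,            "certificate invalid" },
    { GNUTLS_CERT_REVOKED,            "certificate revoked" },
    { GNUTLS_CERT_SIGNER_NOT_FOUND,   "issuer not in trust store" },
    { GNUTLS_CERT_SIGNER_NOT_CA,      "issuer is not a CA" },
    { GNUTLS_CERT_INSECURE_ALGORITHM, "signed with insecure algorithm" },
    { GNUTLS_CERT_NOT_ACTIVATED,      "certificate not yet valid" },
    { GNUTLS_CERT_EXPIRED,            "certificate expired" },
};

/* Appends text to reason, separated by "; ", if there is room. */
static void add_reason(char *reason, size_t len, const char *text)
{
    if (!reason || len == 0) return;
    if (reason[0] != '\0') strncat(reason, "; ", len - strlen(reason) - 1);
    strncat(reason, text, len - strlen(reason) - 1);
}

/*
 * The decision a GnuTLS client callback must make once the handshake has
 * delivered the server chain. In a real callback the inputs come from:
 *   verify_rc   = gnutls_certificate_verify_peers2(session, &status);
 *   hostname_ok = gnutls_x509_crt_check_hostname(leaf_cert, expected_host);
 * where leaf_cert is the first entry of gnutls_certificate_get_peers(),
 * imported with gnutls_x509_crt_import(..., GNUTLS_X509_FMT_DER).
 * GnuTLS does not reject the peer on its own: a callback that ignores these
 * results accepts any certificate, which is the MITM exposure.
 * Returns 0 to let the handshake continue, -1 to reject the peer (a negative
 * return from the retrieve callback registered above aborts the handshake).
 */
int tls_peer_verdict(int verify_rc, unsigned int status, int hostname_ok,
                     char *reason, size_t reason_len)
{
    size_t i;
    unsigned int unexplained = status;
    if (reason && reason_len) reason[0] = '\0';

    if (verify_rc < 0) {                  /* verification could not even run */
        add_reason(reason, reason_len, "verify_peers2 failed");
        return -1;
    }
    for (i = 0; i < sizeof(status_names) / sizeof(status_names[0]); i++) {
        if (status & status_names[i].bit) {
            add_reason(reason, reason_len, status_names[i].text);
            unexplained &= ~status_names[i].bit;
        }
    }
    if (unexplained)                      /* a bit this code does not know: still fatal */
        add_reason(reason, reason_len, "unknown verification failure");
    if (!hostname_ok)                     /* a valid chain for the wrong name is still a MITM */
        add_reason(reason, reason_len, "hostname mismatch");

    return (status == 0 && hostname_ok) ? 0 : -1;
}

/* 1 if the explanation produced for (status, hostname_ok) mentions needle. */
int verdict_mentions(unsigned int status, int hostname_ok, const char *needle)
{
    char why[256];
    tls_peer_verdict(0, status, hostname_ok, why, sizeof why);
    return strstr(why, needle) != NULL;
}

int main(void)
{
    char why[256];   /* constructed inputs: expired cert from an unknown issuer, wrong name */
    int rc = tls_peer_verdict(0, GNUTLS_CERT_EXPIRED | GNUTLS_CERT_SIGNER_NOT_FOUND, 0,
                              why, sizeof why);
    printf("verdict %d: %s\n", rc, why);
    return 0;
}
```

Two design points matter here. The verdict is computed from status == 0 and the hostname result, not from the list of bits the code knows how to name, so a status flag added by a newer GnuTLS still rejects the peer; and the hostname check is evaluated independently of chain validity, because a chain that verifies perfectly for some other name is exactly what an attacker with any CA-issued certificate would present.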