corrupt data
eax=41414141 ebx=41414141 ecx=00000000 edx=00000000 esi=0012eb48 edi=00000000
eip=40004ae4 esp=0012eb18 ebp=0012fb4c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
VCL50!SystemLStrClr$qqrr17SystemAnsiString:
40004ae4 8b10 mov edx,dword ptr [eax] ds:0023:41414141=????????
Missing image name, possible paged-out or corrupt data.
Missing image name, possible paged-out or corrupt data.
Missing image name, possible paged-out or corrupt data.
0:000> !exchain
0012eb2c: VCL50!StdctrlsTRadioButtonCNCommand$qqrr19MessagesTWMCommand+e6 (40048762)
0012fb7c: 41414141
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
*** WARNING: Unable to verify checksum for C:\Program Files\Xilisoft\Video Converter 3\avformat.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Xilisoft\Video Converter 3\avformat.dll -
avformat!yuv4mpeg_init+0x6e06:
0036a9ba 8a6811 mov ch,byte ptr [eax+11h] ds:0023:00000011=??
Missing image name, possible paged-out or corrupt data.
Missing image name, possible paged-out or corrupt data.
Missing image name, possible paged-out or corrupt data.
0:000> g
(26c8.1818): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
efl=00010206
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\VideoLAN\VLC\plugins\libavcodec_plugin.dll -
libavcodec_plugin!vlc_entry__1_1_0g+0x33cef2:
0ad3e272 0f7f2443 movq mmword ptr [ebx+eax*2],mm4
ds:0023:11185fd0=????????????????
Missing image name, possible paged-out or corrupt data.
Missing image name, possible paged-out or corrupt data.
Missing image name, possible paged-out or corrupt data.
0:008> !exploitable
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\VideoLAN\VLC\libvlccore.dll -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\msvcrt.dll -
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
*** WARNING: Unable to verify checksum for C:\WINDOWS\system32\Adobe\Shockwave 11\IML32.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\Adobe\Shockwave 11\IML32.dll -
IML32!Ordinal1113+0xf:
69009f1f 8b4804 mov ecx,dword ptr [eax+4] ds:0023:0000006c=????????
Missing image name, possible paged-out or corrupt data.
Missing image name, possible paged-out or corrupt data.
Missing image name, possible paged-out or corrupt data.
0:008> !exploitable
Exploitability Classification: UNKNOWN
Recommended Bug Title: Data from Faulting Address controls Branch Selection starting at IML32!Ordinal1113+0x000000000000000f (Hash=0x1a537c3d.0x1a63313d)
eip=7c812aeb esp=01c2f2e0 ebp=01c2f334 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\kernel32.dll -
kernel32!RaiseException+0x52:
7c812aeb 5e pop esi
Missing image name, possible paged-out or corrupt data.
Missing image name, possible paged-out or corrupt data.
Missing image name, possible paged-out or corrupt data.
0:004> g
WARNING: Continuing a non-continuable exception
(6dc.cec): Break instruction exception - code 80000003 (first chance)
=============================================================================
FreeBSD-SA-10:07.mbuf Security Advisory
The FreeBSD Project
Topic: Lost mbuf flag resulting in data corruption
Category: core
Module: kern
Announced: 2010-07-13
Credits: Ming Fu
| | cdr_addon_mysql could escape out of a SQL data field and |
| | create another query. This vulnerability is made all the |
| | more severe if a user were using realtime data, since |
| | the data may exist in the same database as the inserted |
| | call detail record, thus creating all sorts of possible |
| | data corruption and invalidation issues. |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Resolution | The Asterisk-addons package is not distributed with |
| | Asterisk, nor is it installed by default. The module may |
I think you mistook my posting. I did not want to say that this issue is a (real) *security* vulnerability, but I definitely would call it a DoS bug.
> DoS is not software crash, DoS is Denial of Service. It means,
> security impact of DoS vulnerability should be preventing (blocking)
> access of legitimate user to some data or service (via data
> corruption, service malfunction, etc).
It seems we have a different understanding of the term "Denial Of Service". In my opinion your explanation exactly matches this issue. As you said, DoS is the attempt to make a (computer) resource unavailable to its user via data corruption etc. Here Winamp is the computer resource and the M3U file is the corrupted data. Sure, the user can easily recover from this "DoS" by restarting the audio player, and, to be exact, the M3U file is not a great example of corrupted data, but I would still call this issue a DoS bug.
How would you name it? "Winamp 5.35 (Infinite) M3U File Inclusion Stack Overflow Exception"?
locate the message to send to the client; it may resend a previously
generated response, send some other arbitrary chunk of process memory,
perhaps including secret key data, or crash the process by attempting
to access an invalid address. If the process doesn't crash, random
addresses will be passed to free(), likely corrupting the free pool,
and potentially leading to later crashes, data corruption, jumps to
arbitrary locations in process memory, etc.
The KDC normally runs without write access to its database, so it is
not likely to corrupt the database, except insofar as arbitrary code
execution could theoretically corrupt anything the process has access
where the kernel might dereference a NULL pointer.
III. Impact
Successful exploitation of the race condition can lead to local kernel
privilege escalation, kernel data corruption and/or crash.
To exploit this vulnerability, an attacker must be able to run code with user
privileges on the target system.
IV. Workaround
corruption, and other unpredictable results.
III. Impact
Successful exploitation of the race condition can lead to local kernel
privilege escalation, kernel data corruption and/or crash.
To exploit this vulnerability, an attacker must be able to run code on
the target system.
IV. Workaround
========================
Status: Critical
Critical - this update fixes a potential security threat, a possible
data corruption, calculation, search set, or other function that may
lead to inaccurate results. The update should be applied at the earliest
possible time as it may affect a large number of users.
Recommended - this update fixes non-critical issues that may impede
general usage and require undesirable work-arounds affecting a limited