VULNERABILITY DETAILS
---------------------
This document describes two x64 instruction emulation flaws,
discovered by the author in the aforementioned versions of VMware
products, which allow user-mode code to cause an illegitimate
kernel-mode exception inside the virtual machine. If the guest
operating system kernel is not written to safely handle such an
exception, it may be possible for user-mode code to interfere with
kernel execution in a way that allows elevation of privileges.
Currently, the only scenario which the author knows to be exploitable
VULNERABILITY DETAILS
---------------------
This document describes the first of two x64 instruction emulation
flaws, discovered by the author in the aforementioned versions of
VMware products, which allow user-mode code to cause an illegitimate
kernel-mode exception inside the virtual machine. If the guest
operating system kernel is not written to safely handle such an
exception, it may be possible for user-mode code to interfere with
kernel execution in a way that allows elevation of privileges.
Currently, the only scenario which the author knows to be exploitable
Details:
========
A buffer overflow vulnerability was detected in the FlashFXP software client v4.1.8.1701. The vulnerability is
triggered when processing input that forces a ListIndex Out of Bound(s) exception, which allows overwriting ecx and eip
of the affected software process. Successful exploitation can result in process compromise, execution of
arbitrary code, system compromise or escalation to the privileges of the affected vulnerable software process.
The flaw is a direct result of a fixed length buffer being used in the TListBox control and the
lack of range checking. The code assumes that the string returned by the listbox control will be
Title: Firefox 3.6.3 (latest) <= memory exhaustion crash vulnerabilities
0x01. Description:
Memory exhaustion in Firefox 3.6.3 (latest) <= prevents Firefox from inserting text into the body element, after which it crashes.
( raises an exception using PoC #1, lower memory area read access violation using PoC #2 )
Of course, a variation of the PoC caused a NULL pointer dereference, so code execution might also be possible ( 0.1 % ). :-)
URL: http://www.x90c.org/advisories/firefox_3.6.3_crash_advisory.txt
Vendor Status: unpatched. ( to now... no reliable exploit exists, so I disclosed to bugtraq first )
Invalid #PF Exception Code in VMware can result in Guest Privilege Escalation
-----------------------------------------------------------------------------
In protected mode, cpl is usually equal to the two least significant bits of
the cs register. However, there is an exception: in Virtual-8086 mode, the
cpl is always 3 (least privileged), regardless of the value of the cs
register.
When the processor raises a #PF (page fault) exception, an exception code is
pushed onto the stack containing flags used by the operating system to
if ($this->_layout) {
// Set the required "messages" value for the layout. Here we
// are assuming that the layout is for use with HTML.
$this->_layout->events = implode('', $this->_layoutEventsToMail);
// If an exception occurs during rendering, convert it to a notice
// so we can avoid an exception thrown without a stack frame.
try {
$this->_mail->setBodyHtml($this->_layout->render());
} catch (Exception $e) {
...
Application: Siemens Automation License Manager
http://support.automation.siemens.com/WW/llisapi.dll?func=cslib.csinfo&lang=en&siteid=cseus&aktprim=0&extranet=standard&viewreg=WW&objid=10805384&treeLang=en
Versions: <= 500.0.122.1
Platforms: Windows
Bugs: A] Service *_licensekey serialid code execution
B] Service exceptions
C] Service NULL pointer
D] almaxcx.dll files overwriting
Exploitation: remote
Date: 28 Nov 2011
Author: Luigi Auriemma
Application Version: 2.60.0.0
Application Timestamp: 4cd197df
Fault Module Name: MSVCR100.dll
Fault Module Version: 10.0.30319.1
Fault Module Timestamp: 4ba1dbbe
Exception Offset: 0008ae6e
Exception Code: c0000417
Exception Data: 00000000
OS Version: 6.1.7600.2.0.0.256.1
Locale ID: 1033
Additional Information 1: e07f
- -----------/
By supplying a web page with a long "mainurl" value, an attacker can
overflow the stack buffer mentioned above and overwrite the SEH
(Structured Exception Handler), enabling arbitrary code execution on the
machine that has the WePO ActiveX component installed. The Structured
Exception Handler can be overwritten by providing a "mainurl" value with
396 bytes as padding, plus 4 specially chosen bytes that will replace
the original SEH, allowing execution of arbitrary code with the
privileges of the current user.
8.2. *Reflected XSS Vulnerability (CVE-2009-2897)*
A reflected cross-site scripting vulnerability was found in the
generic exception handler of Hyperic, located in
'hq/web/common/GenericError.jsp'. When there is an uncaught exception
in Hyperic, this generic exception handler is invoked. It shows a
stack trace, including the data that caused the error, without
sanitizing it, leading to a reflected XSS. This is the vulnerable code:
Authentication is required to exploit this vulnerability.
Debugger Results:
(ea8.aec): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=41414141 ebx=734c4d90 ecx=035efe24 edx=00000193 esi=035efe24 edi=035efe24
eip=62408f23 esp=035efd20 ebp=035efd6c iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Novell\NDS\httpstk.dlm -
vulnerabilities have been found, that could allow a remote attacker to
crash the Helix Server.
During 'RTSP' (SET_PARAMETERS) request handling, if an empty
'DataConvertBuffer' parameter is received by the server, it raises
an exception while reading an invalid memory address. This exception is
usually handled correctly, but if the malformed request is sent
multiple times in a short period, it can render the Helix
Server unresponsive and terminate its execution.
During the 'SETUP' request handling, a 0x2F character is searched in the
win2000 sp4
0:000> g
(54c.284): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=02a7e740 ebx=024eecb8 ecx=00000000 edx=01414930 esi=ffffff00
edi=ffffff00
eip=0053b084 esp=0022e5e0 ebp=0000b6d0 iopl=0 nv up ei ng nz na
po nc
overflow in other places in the function responsible for moving data such as
strings describing the emoticons and so on.
When copying data using the code shown above, the values of some local variables, return
addresses etc. may be overwritten. Modifying the right amount of stack data causes
an exception. There are several reasons for the exception being generated. It can happen
when the filename placed in "emots.txt" is longer than the size of the stack,
or in the function at address 0x0052F5D0, called by the emoticon parsing code:
.text:00443EEE call unknown_libname_52 ; Microsoft VisualC 2-8/net runtime
import com.adventnet.ncm.util.NCMServerUtil;
import java.io.*;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.ServletException;
import javax.servlet.http.*;
public class ScheduleResultViewerServlet extends HttpServlet
{
Application: Double-Take
http://www.doubletake.com
Versions: <= 5.0.0.2865
(version 4.5.x tested with success too)
Platforms: Windows
Bugs: A] server termination through "vector<T> too long" exception
B] NULL pointer crash
C] termination through memory allocation
D] information disclosure
E] other exceptions
Exploitation: remote
#Titan FTP SERVER REMOTE HEAP OVERFLOW(USER/PASS)
#Impact : Critical
#
# Windbg Output:
#(bec.528): Access violation - code c0000005 (first chance)
#First chance exceptions are reported before any exception handling.
#This exception may be expected and handled.
#eax=41414141 ebx=00000000 ecx=07e415f4 edx=00000000 esi=41414141 edi=07e415f4
#eip=004bbafa esp=06e4fb38 ebp=06e4fb5c iopl=0 nv up ei pl nz na po nc
#cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
#srxTitan+0xbbafa:
c:\Program Files\[chosen folder]\Tomcat5\webapps\EyrAPI\WEB-INF\classes\com\eyretel\eyrapi\EyrAPIConfigurationImpl.class
:
..
public String getSubKeys(boolean iterateSubKeys, boolean includeValues, String systemId, String componentId, String sysCompId, String userName)
throws RemoteException
{
StringBuffer xml;
ConfigOwnerId configOwnerId;
Connection conn;
PreparedStatement pStmt;
SSL-encrypted traffic, which allows the CSM-S to perform intelligent
load balancing while ensuring secure end-to-end encryption.
When a module running affected code receives specific TCP packets out
of order, a DoS condition may be triggered resulting in the CPU
reaching 100% utilization or a reload with a FPGA4 exception with
icp.fatPath length error.
This vulnerability is documented in Cisco bug ID CSCsd27478.
When service termination is enabled on a module running affected
This occurs because of a feature known as "SafeSEH". This is a new
compiler flag that creates a list of registered SEH handlers within each
executable and DLL. If your target executable was compiled with /SafeSEH
and you try to return into a module that has also been compiled with
this feature, but the address you chose is not in the list of registered
handlers, then the exception handling code will not transfer execution.
There are a few options to work around this:
1. On Windows 2003, prior to SP1, SafeSEH was essentially broken and you
can return to DLLs such as "ATL.dll" and a few others without the
If we check the SEH chain:
0:008> !exchain
0469ff70: ffffffff
Invalid exception stack at ffffffff
We can see that the exception handler chain is invalid because the stack has been
overwritten. If we try to continue execution, it jumps to
0xffffffff, which is a value that we control.
application, similar to Skype Video.[1] ooVoo allows video chats with up to 6
participants, and unlike Skype Video, does not use a P2P network.[..]
faultmon dump of oovoo.exe processing the url given:
...
04:22:10.875 pid=0E10 tid=0C08 EXCEPTION (first-chance)
----------------------------------------------------------------
Exception C0000005 (ACCESS_VIOLATION reading [0000005A])
----------------------------------------------------------------
EAX=00000066: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
EBX=00133D44: 6F 00 6F 00 76 00 6F 00-6F 00 3A 00 00 00 0F 00
crash dump, eip and seh overwritten, unicode expanded,
I suppose one should be able to deal with it :
(208.152c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0000008b ebx=00000000 ecx=0e752eb8 edx=0f490000 esi=0e6b3d60 edi=0012a338
eip=00410043 esp=0012a2d8 ebp=0012a2ec iopl=0 nv up ei ng nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010286
brioqry+0x10043:
Notes: the reported dumps refer to WINS 5.2.3790.4520 on Windows 2003
Server.
The problem is located in the function at address 0101488A, used to
send a reply packet back to the client, where an exception is
raised if send() fails, for example because the client
closed the connection before receiving the data.
In this function the size of the data to send (0x2c) is passed to
ntohl() and stored in the stack buffer that holds the beginning
of the packet to send, but when the exception is raised the code
The M3U file format allows the inclusion of local and remote files by
simply specifying the path to the desired file. Furthermore, Winamp does
not check whether the M3U file to include is the currently processed M3U
file, so it is possible to force Winamp to recursively read a
given M3U file. Winamp allocates memory on each iteration, which
leads to a stack overflow exception (0xc00000fd).
You can test this bug yourself by creating a file named
'a.m3u' with the content 'a.m3u'. If you are using the standard version
of Winamp (not the Lite version), you just have to add the M3U file to
Winamp, for example by simply dragging the file into the playlist.
Microsoft Windows Media Player version 11
If you open a specially crafted .au file in Windows Media Player,
you will crash the player with the following error:
Exception number: c0000094 (divide by zero)
To see if your Windows Media Player is vulnerable you can use our
.au generator coded in Python, or you can download the POC file.
As an example:
0000 4d 53 47 30 30 30 43 32 39 43 39 43 32 39 32 41 MSG000C29C9C292A
0010 64 6d 69 6e 69 73 74 72 61 74 6f 72 dministrator
When appending at least 8190 (tested on WinXP) or more bytes to the "MSG" string, a C++ exception is triggered.
Windows-Crash-Log:
Problemsignatur:
Problemereignisname: APPCRASH
Anwendungsname: lmc.exe
bmo> The M3U file format allows it to include local and remote files by
bmo> simply specifying the path to the desired file. Furthermore Winamp does
bmo> not check if the M3U file to include is the currently processed M3U
bmo> file wherefore it's possible to force Winamp to recursively read a
bmo> certain M3U file. Winamp allocates memory by each iteration which
bmo> leads to a stack overflow exception (0xc00000fd).
bmo> You are able to simply test this bug yourself by creating a file named
bmo> 'a.m3u' with the content 'a.m3u'. If you are using the standard version
bmo> of Winamp (not the Lite version) you just have to add the M3U file to
bmo> Winamp by for example simply dragging the file into the playlist.