
frame

Multiple vulnerabilities in Winamp 5.61

              http://www.winamp.com
Versions:     <= 5.61
Platforms:    Windows
Bugs:         A] vp6 heap corruption
              B] h263 heap corruption
              C] nsvdec_vp5 frame heap overflow
              D] nsvdec_vp6 frame integer overflow
              E] nsvdec_vp3 frame heap overflow
              F] in_mod heap corruption
Date:         27 Jun 2011
Author:       Luigi Auriemma

Aruba Networks Advisory ID: AID-102609 - Malformed 802.11 Association Request frame causes Denial of Service condition on an Access Point

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Aruba Networks Security Advisory

Title: Malformed 802.11 Association Request frame causes Denial of
Service condition on an Access Point.

Aruba Advisory ID: AID-102609
Revision: 1.0


Malformed DHCPv6 packets cause RPC to become unresponsive

----------------------------------------------------------------

No.     Time        Source                Destination           Protocol Info
      1 0.000000    fec0:0:beef:f00d::feed fe80::754f:6144:be9e:2ae7 DHCPv6   Reply

Frame 1 (183 bytes on wire, 183 bytes captured)
Ethernet II, Src: 50:48:49:4f:4e:53 (50:48:49:4f:4e:53), Dst: 50:48:49:4f:4e:43 (50:48:49:4f:4e:43)
Internet Protocol Version 6
User Datagram Protocol, Src Port: 547 (547), Dst Port: 546 (546)
DHCPv6
    Message type: Reply (7)

STP mitm attack idea

          |              |
          |              |
          C              D

Take first scenario:
1. A - sends frame to B
2. Switch 1 - accepts frame and forwards it to switch 2
3. Switch 2 - accepts frame via link from switch 1 and forwards it to B

Second scenario:
1. Station C and station D start to send frames to break the link between switch 1 and switch 2, and announce a non-existing connection and switch from the C port on switch 1 to the D port on switch 2

Aruba Mobility Controller - multiple advisories: DoS and authentication bypass

Advisory # 1:

TITLE

Malformed 802.11 Probe Request frame causes Denial of Service condition
on an Access Point.

SUMMARY

A Denial of Service (DoS) vulnerability was discovered during standard

RE: STP mitm attack idea

          |              |
          |              |
          C              D

Take first scenario:
1. A - sends frame to B
2. Switch 1 - accepts frame and forwards it to switch 2
3. Switch 2 - accepts frame via link from switch 1 and forwards it to B

Second scenario:
1. Station C and station D start to send frames to break the link between switch 1 and switch 2, and announce a non-existing connection and switch from the C port on switch 1 to the D port on switch 2


Microsoft Windows NT #GP Trap Handler Allows Users to Switch Kernel Stack

monitor code. These are implemented in two stages, the kernel transitions to
the second stage when the #GP trap handler (nt!KiTrap0D) detects that the
faulting cs:eip matches specific magic values.

Transitioning to the second stage involves restoring execution context and
call stack (which had been previously saved) from the faulting trap frame once
authenticity has been verified.

This verification relies on the following incorrect assumptions:

  - Setting up a VDM context requires SeTcbPrivilege.

RECON 2011 CFP

   See the VAX Architecture Reference Manual (VARM) or the 
   VAX Architecture Handbook.
 
   http://www.bitsavers.org/pdf/dec/vax/archSpec has a copy 
   of the internal version of the VARM,
   which will help explain the stack frame and the instruction set.
*/
 
unsigned char shellcode[] =    
    "\021\017"         /* brb shellcode+0x11 (PC-relative) */ 
    "\272\001"         /* popr $0x1 (this is a mask: pop one word into r0) */ 

Re: Sun M-class hardware denial of service

On Tue, Sep 9, 2008 at 8:42 PM, Theo de Raadt <deraadt@cvs.openbsd.org> wrote:
>> While having to power cycle the remainder of the frame may be a pain, the
>> fact it isolates the fault to only power off the affected domain suggests to
>> me that it is working as designed (the relative virtue of the design not up
>> for debate).  The power cycle of the remainder of the frame can be done at
>> your leisure.
>
> Didn't you read the advisory?
>
> You don't get any crashed domain back until you power cycle the entire

BSD derived RFC3173 IPComp encapsulation will expand arbitrarily nested payload

#149 0xc01ec302 in ipcomp4_input (m=0xc14e1300) at ../../../../netinet6/ipcomp_input.c:248
#150 0xc0162bbb in ip_input (m=0xc14e1300) at ../../../../netinet/ip_input.c:1059
#151 0xc0161b82 in ipintr () at ../../../../netinet/ip_input.c:476
#152 0xc05d6248 in softint_execute (si=0xca79e154, l=0xca7a7a00, s=4) at ../../../../kern/kern_softint.c:539
#153 0xc05d60e6 in softint_dispatch (pinned=0xca7a7500, s=4) at ../../../../kern/kern_softint.c:811
(gdb) info frame
Stack level 0, frame at 0xcab9bf08:
 eip = 0xc01ebd5c in ipcomp4_input (../../../../netinet6/ipcomp_input.c:112); saved eip 0xc01ec302
 called by frame at 0xcab9bfa8
 source language c.
 Arglist at 0xcab9bf00, args: m=0xc14e1300

[ GLSA 200811-01 ] Opera: Multiple vulnerabilities

Description
===========

Multiple vulnerabilities have been discovered in Opera:

* Opera does not restrict the ability of a framed web page to change
  the address associated with a different frame (CVE-2008-4195).

* Chris Weber (Casaba Security) discovered a Cross-site scripting
  vulnerability (CVE-2008-4196).


VMware Emulation Flaw x64 Guest Privilege Escalation (1/2)

    ;   [<error code>]
    ;   <return RIP> <return CS> <return RFLAGS>
    ;   [<return RSP> <return SS>]
    ;
    ; The first act of typical ISR prologue code is to build a standard
    ; "trap frame" on the stack -- saving registers, etc.

     ...                                        ; GS -> user or kernel

    ; If the CPL at the time of the fault (recorded in the two least
    ; significant bits of <return CS>) was zero, then the fault occurred

DoS Vulnerability in Aruba Mobility Controller Caused by Malformed EAP Frame (Aruba Advisory ID: AID-12808)

Aruba Networks Security Advisory

Title: DoS Vulnerability in Aruba Mobility Controller Caused by
Malformed EAP Frame.

Aruba Advisory ID: AID-12808
Revision: 1.0

For Public Release on 12/8/2008

VMware Emulation Flaw x64 Guest Privilege Escalation (2/2)

    ;   [<error code>]
    ;   <return RIP> <return CS> <return RFLAGS>
    ;   [<return RSP> <return SS>]
    ;
    ; The first act of typical ISR prologue code is to build a standard
    ; "trap frame" on the stack -- saving registers, etc.

     ...                                        ; GS -> user or kernel

    ; If the CPL at the time of the fault (recorded in the two least
    ; significant bits of <return CS>) was zero, then the fault occurred

Re: STP mitm attack idea

On Wednesday 28 April 2010 at 18:20 +0200, Jann Horn wrote:
> On Tuesday, 27.04.2010, 19:55 +0200, Przemyslaw Borkowski wrote:
> > Second scenario:
> > 1. Station C and station D start to send frames to break the link between switch 1 and switch 2, and announce a non-existing connection and switch from the C port on switch 1 to the D port on switch 2
> > 
> > A ---- switch 1 --X-- switch 2 ----- B
> >           |              |
> >           |              |
> >           C  --no conn-- D
> > 2. Station A sends frame to B

Re: STP mitm attack idea

> On Apr 29, 2010, at 12:19 AM, news <news@phocean.net> wrote:
> 
> > On Wednesday 28 April 2010 at 18:20 +0200, Jann Horn wrote:
> >> On Tuesday, 27.04.2010, 19:55 +0200, Przemyslaw Borkowski wrote:
> >>> Second scenario:
> >>> 1. Station C and station D start to send frames to break the link between switch 1 and switch 2, and announce a non-existing connection and switch from the C port on switch 1 to the D port on switch 2
> >>> 
> >>> A ---- switch 1 --X-- switch 2 ----- B
> >>>          |              |
> >>>          |              |
> >>>          C  --no conn-- D

Re: STP mitm attack idea

On Apr 29, 2010, at 12:19 AM, news <news@phocean.net> wrote:

> On Wednesday 28 April 2010 at 18:20 +0200, Jann Horn wrote:
>> On Tuesday, 27.04.2010, 19:55 +0200, Przemyslaw Borkowski wrote:
>>> Second scenario:
>>> 1. Station C and station D start to send frames to break the link between switch 1 and switch 2, and announce a non-existing connection and switch from the C port on switch 1 to the D port on switch 2
>>> 
>>> A ---- switch 1 --X-- switch 2 ----- B
>>>          |              |
>>>          |              |
>>>          C  --no conn-- D

Re: Sun M-class hardware denial of service

> While having to power cycle the remainder of the frame may be a pain, the
> fact it isolates the fault to only power off the affected domain suggests to
> me that it is working as designed (the relative virtue of the design not up
> for debate).  The power cycle of the remainder of the frame can be done at
> your leisure.

Didn't you read the advisory?

You don't get any crashed domain back until you power cycle the entire
machine.  If you need that domain back, you have to make a very nasty

PR07-06, PR07-07, PR07-08, PR07-09, PR07-10, PR07-12: Several XSS, Cross-domain Redirection and Frame Injection on Sun Java System Identity Manager

PR07-06, PR07-07, PR07-08, PR07-09, PR07-10, PR07-12: Several XSS, 
Cross-domain Redirection and Frame Injection on Sun Java System Identity 
Manager

Vulnerability found: 11th June 2007

Vendor informed: 18th June 2007

Severity: Medium


CORE-2008-0826 - Internet Explorer Security Zone restrictions bypass

 It allows setting the MIME type (in the type attribute) of an externally
referenced file in the data attribute, which will be loaded as an object.
   4. Internet Explorer behaves in a slightly different way when
displaying a page directly rather than displaying that page inside an
HTML '<frame>' tag. For example, a page containing an HTML '<object>'
tag like the one shown below will prompt the user to accept the download
of file being referenced inside if loaded directly but it will be
automatically downloaded and rendered according to the specified MIME
type if the page is loaded inside an HTML '<frame>' tag.
   5. Internet Explorer will determine the security zone of a UNC

Re: STP mitm attack idea

On Tuesday, 27.04.2010, 19:55 +0200, Przemyslaw Borkowski wrote:
> Second scenario:
> 1. Station C and station D start to send frames to break the link between switch 1 and switch 2, and announce a non-existing connection and switch from the C port on switch 1 to the D port on switch 2
> 
> A ---- switch 1 --X-- switch 2 ----- B
>           |              |
>           |              |
>           C  --no conn-- D
> 2. Station A sends frame to B
> 3. Frame is forwarded to C station

ZDI-11-139: Webkit Anonymous Frame Remote Code Execution Vulnerability

ZDI-11-139 (formerly ZDI-CAN-1035): Webkit Anonymous Frame Remote Code Execution Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-11-139

April 19, 2011

-- CVSS:
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)

-- Affected Vendors:

Re: Sun M-class hardware denial of service

I think it's a bit of a leap to call this a DoS vulnerability.

While having to power cycle the remainder of the frame may be a pain,
the fact it isolates the fault to only power off the affected domain
suggests to me that it is working as designed (the relative virtue of
the design not up for debate).  The power cycle of the remainder of
the frame can be done at your leisure.  It is for this reason I would
not class this as a DoS attack, as the "attacker" could not affect the
availability of the other domains, only the admin could.


MSN messenger sends IP addresses Public and Private

indicates the private IP address and port of our interlocutor.
This happens because the server fails to properly handle clients behind
NAT. That is, the server should send its own IP to the other client, not
the IP of the client you are talking to.

Here is a portion of the frame concerned:

MSNMSGR:aaaa@hotmail.it MSNSLP/1.0
To: <msnmsgr:aaaa@hotmail.it>
From: <msnmsgr:bbbbbb@hotmail.it>
Via: MSNSLP/1.0/TLP ;branch={D4CE435D-8C31-4D80-80EC-576A8294B3B3}

Advisory 03/2009: Piwik Cookie unserialize() Vulnerability

Details:

  SektionEins recently demonstrated how it is sometimes possible
  to execute arbitrary PHP code in an application using unserialize()
  on user supplied data. In detail various exploits were shown that
  work against all Zend Framework based applications that unserialize()
  user input. Part of this research was to find popular PHP open
  source applications that are vulnerable to this.

  During our search it was discovered that Piwik does unserialize()
  data from the cookie and uses parts of the Zend Framework:

Kryptos Logic Advisory: Winamp 5.6 Arbitrary Code Execution in MIDI Parser

=====[ Exploitation

The stack alignment of Winamp is predictable. An attacker can
choose the value to write into the saved base pointer, so that
when the base pointer is restored, the stack frame of the
calling function is moved to a location where the attacker
controls the return address.

The value must be chosen so that the calling function will not
access invalid memory addresses by using local variables in the

Atheros Driver Reserved Frame Vulnerability

Title:
------
* Atheros Driver Reserved Frame Vulnerability

Summary:
--------
* The wireless driver in some Wi-Fi access points (such as the
ATHEROS-based Netgear WNDAP330) does not correctly parse malformed
reserved management frames.


RE: DoS code for Cisco VLAN Trunking Protocol Vulnerability

        lhandler,        /* libnet handle */
        0);              /* libnet id */
    t = libnet_build_802_3(
        dst_mac,       /* ethernet destination */
        mymac->ether_addr_octet,     /* ethernet source */
        LIBNET_802_2_H + vtp_len, /* frame size */
        NULL,                     /* payload */
        0,                        /* payload size */
        lhandler,                 /* libnet handle */
        0);                       /* libnet id */


Google Chrome 3.0.195.38 | Chrome Frame - Reloading Memory Allocation based Tab Crashing

Hi

Google Chrome, right from the start, has shown some stringency against tab
crashing. But crashing tabs, or the full browser, is becoming smoother
than in the previously reported cases. On playing around with Google Chrome
and Chrome Frame, direct tab crashing has been reloaded. The specific
points are mentioned below:

1. Scripts are checked against memory allocation part and raises a warning.
2. In recent versions playing around with JavaScript based conversion of
Unicode values to characters and rendering it directly leads to tab

SEC Consult SA-20071012-0 :: Madwifi xrates element remote DOS

Vulnerability overview:
---------------

A specially crafted beacon frame causes the driver to exit(), leading to
a kernel panic on the affected machine. An attacker could crash client
machines that are listening for beacons using a fake access point.

Vulnerability details:
--------------- 
