Summary
=======
Cisco IOS XR will reset a Border Gateway Protocol (BGP) peering
session when receiving a specific invalid BGP update.
The vulnerability manifests when a BGP peer announces a prefix with a
specific invalid attribute. On receipt of this prefix, the Cisco IOS
XR device will restart the peering session by sending a notification.
The peering session will flap until the sender stops sending the
other. Successful exploitation of these vulnerabilities may result in
unauthorized system or host operating system access.
This security advisory identifies the following vulnerabilities:
* ACE Device Manager and ANM invalid directory permissions
vulnerability
* ANM default user credentials vulnerability
* ANM MySQL default credentials vulnerability
* ANM Java agent privilege escalation
device control.
Both control codes are used for an object name retrieval, through
ZwQueryObject() method or
ObReferenceObjectByHandle()/ObQueryNameString() methods. Input buffers
for both IRP packets include user mode pointers which are completely
user-controllable. However, no checks are made for NULL pointers, an
invalid input buffer length, or otherwise invalid pointers, so a user can
pass a NULL input buffer and cause a BSOD.
Vulnerable code disassembly excerpt:
---
@@ -390,6 +409,13 @@ static svn_error_t *
/* First thing in the string is the original length. */
in->data = (char *)decode_size(&len, (unsigned char *)in->data,
(unsigned char *)in->data+in->len);
+ if (in->data == NULL)
+ return svn_error_create(SVN_ERR_SVNDIFF_INVALID_COMPRESSED_DATA, NULL,
+ _("Decompression of svndiff data failed:
no size"));
+ if (len > limit)
+ return svn_error_create(SVN_ERR_SVNDIFF_INVALID_COMPRESSED_DATA, NULL,
+ _("Decompression of svndiff data failed: "
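Review bot: the first error string in this hunk is shown as two lines ("Decompression of svndiff data failed:" and then "no size") with no closing quote on the first line; if the patch really reads that way it will not compile, so the message should be one literal, or two adjacent quoted literals the way the second svn_error_create call starts its message. The second call is also cut off after its opening literal, so the remainder of that check cannot be reviewed here.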
When parsing specially crafted Type 1 fonts, the t1lib library
is subject to several memory corruption vulnerabilities. We will
exemplify only a few of them: t1lib having been decommissioned by xpdf
anyway, it will probably never get fixed.
[*] Invalid memory reads (off by few):
The following valgrind trace exemplifies an invalid read from
t1lib:
==24009== Invalid read of size 8
release (Sophos)
*Vulnerability Information*
Class: Invalid memory reference
Remotely Exploitable: No
Locally Exploitable: Yes
Bugtraq ID: 28741 28742 28743 28744
CVE Name: CVE-2008-1735 CVE-2008-1736 CVE-2008-1737 CVE-2008-1738
MIT krb5 Security Advisory 2011-004
Original release: 2011-04-12
Last update: 2011-04-12
Topic: kadmind invalid pointer free()
CVE-2011-0285
CVSSv2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:OF/RC:C
difficult to fault Cisco for adhering strictly to the RFC. However, in
combining these issues in typical deployment scenarios the end result
could be catastrophic for an application using a CSS and relying on
client certificates for user identification and authorization.
During testing, VSR found that the use of invalid newline sequences caused
the CSS to fail to insert its own ClientCert-* headers, even though the
back-end Apache web server accepted these newline sequences. This
clearly defeats the approach that some application developers might take
of relying only on the last set of certificate headers.
.text:0102D349 jg short CheckLowercase
.text:0102D34B add eax, 0FFFFFFC9h ; atoi()
.text:0102D34E jmp short Complete
.text:0102D350 CheckLowercase:
.text:0102D350 cmp eax, 'a'
.text:0102D353 jl short Invalid ; lowercase xdigit?
.text:0102D355 cmp eax, 'f'
.text:0102D358 jg short Invalid
.text:0102D35A add eax, 0FFFFFFA9h ; atoi()
.text:0102D35D jmp short Complete
.text:0102D35F Invalid:
IMPACT
======
An unauthenticated remote attacker can, by inducing the decryption of
an invalid AES or RC4 ciphertext, cause a crash or heap corruption,
or, under extraordinarily unlikely conditions, arbitrary code
execution. A successful code-execution attack against a KDC can
compromise all services relying on that KDC for authentication.
However, the most probable outcome is a crash due to a memory fault or
abort() call. An attacker with a valid account in the relevant
>>> > as (windows,linux,macos).
>>> >
>>> > ------------------------------------------------------
>>> > Vulnerability
>>> >
>>> > The bug is caused when you try to open a url with an invalid char, in
>>> > this time, you can edit the error page, and make a "spoof".
>>> >
>>> > This would not be important because when you make the spoof the "invalid
>>> > web" is loading all time, but as Firefox allows you to call the "stop"
>>> > method of other page you can stop this.
an application using the AFM font parser, leading to that particular
application crash or, potentially, arbitrary code execution with the
privileges of the user running the application. Different vulnerability
than CVE-2010-2642 (CVE-2011-0433).
t1lib 5.1.2 and earlier reads from invalid memory locations, which
allows remote attackers to cause a denial of service (application
crash) via a crafted Type 1 font in a PDF document, a different
vulnerability than CVE-2011-0764 (CVE-2011-1552).
Use-after-free vulnerability in t1lib 5.1.2 and earlier allows
A remote denial of service vulnerability has been found in Firebird SQL,
which can be exploited by a remote attacker to force the server to close
the socket where it is listening for incoming connections and to enter
an infinite loop, by sending an unexpected 'op_connect_request' message
with invalid data to the server.
4. *Vulnerable packages*
. Firebird SQL v1.5.5
Hash: SHA1
Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs/
IBM SolidDB invalid error code vulnerability
1. *Advisory Information*
II. DESCRIPTION
---------------------
VUPEN Vulnerability Research Team discovered four critical vulnerabilities
affecting Adobe Shockwave Player.
These vulnerabilities are caused by memory corruptions, invalid index, and
invalid pointer errors within the processing of malformed Shockwave content,
which could allow attackers to execute arbitrary code via specially crafted
web pages.
VUPEN-SR-2009-15 - Adobe Shockwave String Length Code Execution
> My sshd_config has this:
> ChallengeResponseAuthentication yes
> PasswordAuthentication no
> UsePAM yes
>
> What I see: Successful pass of the captcha with an invalid username
> results in being given another captcha or an abort (if this is
> multiple failures) and PAM logs the fact that there was a failure due
> to invalid user.
>
- S21Sec Advisory -
##############################################################
Title: Infinite invalid authentication attempts possible in BEA
WebLogic Server
ID: S21SEC-040-en
Severity: Medium
Scope: BEA Weblogic
Platforms: All
DBT key, data;
DB *db = sd->db;
key.data = buf;
if (proto == NULL)
key.size = snprintf(buf, sizeof(buf), "\376%s", name); <===== INVALID key.size HERE
else
key.size = snprintf(buf, sizeof(buf), "\376%s/%s", <===== INVALID key.size HERE
name, proto);
key.size++;
This software is a popular web browser that supports multiple platforms as (windows,linux,macos).
------------------------------------------------------
Vulnerability
The bug is caused when you try to open a url with an invalid char, in this time, you can edit the error page, and make a "spoof".
This would not be important because when you make the spoof the "invalid web" is loading all time, but as Firefox allows you to call the "stop" method of other page you can stop this.
The result of this is a fake page.
** Actual Vulnerability **
In RFC 3629 "UTF-8, a transformation format of ISO 10646" [10] and even as
early as the preceding RFC 2279 [11], F. Yergeau et al. clearly identified
under section 6, "Security Considerations", the impact of overlong byte
sequences (and declared them invalid sequences) in January 1998. Such
Security Considerations were not discussed in the preceding RFC 2044 [12],
published October 1996.
Limiting consideration for the moment to the original vulnerability report
and the HTTP/1.1 URI syntax, it becomes immediately clear that; HTTP/1.1
malicious page or open a malicious file.
The specific flaw results when .setUserData() handlers are used with an
object and .appendChild() is called within a handler. Ultimately the
import operation resulting from an .appendChild() is not guarded from
mutation, and invalid DOM trees can result. Invalid DOM trees can be
navigated resulting in dereferencing invalid pointers which can be
leveraged to execute arbitrary code in the context of the browser.
-- Vendor Response:
Mozilla has issued an update to correct this vulnerability. More
with an enable pwd set:
c5-515E-pix> ena
Password:
Invalid password
Password:
Invalid password
Password:
Invalid password
Access denied.
We can control this value so we can control [ecx+8], for example.
Modifying this dictionary name with different values we find crashes and
invalid access at different EIP. For example, with names with length
under 8, it uses the last bytes of the name as a pointer at
EIP = 0x4A6EE7. With larger names it completes
Hash: SHA1
Core Security Technologies - CoreLabs Advisory
http://corelabs.coresecurity.com/
Adobe Director DIRAPI.DLL Invalid Read Vulnerability
1. *Advisory Information*
instruction. Affected versions of VMware, on the other hand, will
improperly execute the instruction, which assigns a non-canonical
address to RIP, and will then raise a #GP fault because RIP is
non-canonical. Therefore, when the #GP handler is invoked, it will
have a non-canonical address on the stack as its "return RIP" -- this
is an invalid state that will cause the handler to experience a
separate #GP fault if it tries to IRETQ back to the non-canonical RIP.
As depicted in the earlier pseudo-assembly, the IRETQ instruction may
be returning to user mode or to kernel mode, and therefore it may
execute with user GS active. If this IRETQ faults when user GS is
active, an exploitable situation results.
http://www.adobe.com/products/flashplayer
II. DESCRIPTION
Remote exploitation of an invalid object reference vulnerability in Adobe
Systems Inc.'s Flash Player could allow an attacker to execute arbitrary
code with the privileges of the current user.
During the processing of a Shockwave Flash file, a particular object can
be created, along with multiple references that point to the object. The
Problem Description:
Multiple vulnerabilities have been discovered and corrected in libtiff:
The TIFFYCbCrtoRGB function in LibTIFF 3.9.0 and 3.9.2, as used in
ImageMagick, does not properly handle invalid ReferenceBlackWhite
values, which allows remote attackers to cause a denial of service
(application crash) via a crafted TIFF image that triggers an array
index error, related to downsampled OJPEG input. (CVE-2010-2595)
Multiple integer overflows in the Fax3SetupState function in tif_fax3.c