memory location
At 'mov_demux.c' (line 1768) an array of 'chunkmap' structures is filled
by reading data straight from file without any kind of check. Then, at
'mov_build_index()' (line 150), the 'trak->chunkmap[i].first' field is
used to index the heap array 'chunks' allowing an attacker to write the
'sdid' and 'spc' values at some memory address relative to that heap
pointer causing a memory corruption. This could be used to overwrite
function pointers or some critical data allowing an attacker to get code
execution.
Besides, it is possible to fool the parser in a way such that no memory
-----------------
The vulnerability resides in the WPXContentListener::_closeTableRow()
function, which is declared in the WPXContentListener.cpp file. The
function doesn't check whether m_ps->m_currentTableCol is less than zero
before entering the while loop, which leads to an integer overflow and a
decrement of the memory location pointed to by
m_ps->m_numRowsToSkip[m_ps->m_currentTableCol] if the conditions are
met. Related code excerpt:
void WPXContentListener::_closeTableRow()
{
which can be exploited by malicious remote attackers to compromise a
user's system, by providing a specially crafted XSPF playlist file. The
vulnerability exists because the VLC ('demux/playlist/xspf.c') library
does not properly perform bounds-checking on an 'identifier' tag from an
XSPF file before using it to index an array on the heap. This can be
exploited to overwrite an arbitrary memory address in the context of the
VLC media player process, and eventually get arbitrary code execution by
opening a specially crafted file.
4. *Vulnerable packages*
Inc.'s Flash Player could allow an attacker to execute arbitrary code
with the privileges of the current user. During the processing
of certain types of Adobe Flash code, a certain function may be tricked
into accepting an overly large index argument. The index argument may
reference a memory location outside the bounds of memory allocated for
an array object. Arbitrary code execution can occur when an index is
calculated to point to a sensitive memory location, and the memory
location is overwritten with specially crafted values.
III. ANALYSIS
This value is used later (at lines '956' and '958') within a for
statement to index an array and consequently fill the heap buffer, but
because 'i_last' (controlled by the user) is used as the limit for the
write without any kind of check, it is possible to write any value to
almost any memory address.
It is important to note that 'i_last' is not fully controlled by the
attacker in the first iteration but as seen in code at line '961' it
gets the value of 'p_stsc->data.p_stsc->i_first_chunk[i_index] - 1'
which is one of the controlled fields.
unspecified other impact via malformed data, a different vulnerability
than CVE-2010-4164. (CVE-2010-3873)
The bcm_connect function in the Broadcast Manager in the Controller Area
Network (CAN) implementation in the Linux kernel creates a publicly
accessible file with a filename containing a kernel memory address, which
allows local users to obtain potentially sensitive information about
kernel memory use by listing this filename. (CVE-2010-4565)
The install_special_mapping function in mm/mmap.c does not make an
expected security_file_mmap function call, which allows local users
libpurple/protocols/msn/slplink.c in libpurple, as used in Pidgin
(formerly Gaim) before 2.5.9 and Adium 1.3.5 and earlier, allows
remote attackers to execute arbitrary code or cause a denial of service
(memory corruption and application crash) by sending multiple crafted
SLP (aka MSNSLP) messages to trigger an overwrite of an arbitrary
memory location. NOTE: this issue reportedly exists because of an
incomplete fix for CVE-2009-1376 (CVE-2009-2694).
Unspecified vulnerability in Pidgin 2.6.0 allows remote attackers
to cause a denial of service (crash) via a link in a Yahoo IM
(CVE-2009-3025)
See above: you overwrote the saved EBP, ECX, and 3 bytes of ESP. If I
recall correctly, on stack-grows-down architectures (Intel etc. -
likely yours) the saved value of EBP occurs at a lower memory address
than the saved value of EIP (your target). The strcpy() call will copy
bytes to increasing memory addresses, so add bytes to the COPY array -
i.e. lengthen it.
Then, experiment with gdb until you've figured out what array length
inside the 'aux_request()' function in 'src/remote/server.cpp' due to a
null pointer dereference, instead of silently shutting down its listener
port. The problem arises when 'port->port_context' (which has a 'NULL'
value at this point) is loaded into 'rdb' variable and then, at line
'885', it is used as a pointer without properly checking that it points
to a valid memory address:
/-----------
src/remote/server.cpp:
- -----------/
It can be seen that the instruction 'ldrh r0, [r4, r3]' tries to read
the memory location pointed by 'R4+R3', in this case, unmapped memory.
Making a dump of the memory area accessed, we see the following:
/-----------
* Federico Muttis of Core Security Technologies reported that the
msn_slplink_process_msg() function in
libpurple/protocols/msn/slplink.c in libpurple as used in Pidgin
doesn't properly process incoming SLP messages, triggering an
overwrite of an arbitrary memory location (CVE-2009-2694). NOTE: This
issue reportedly exists because of an incomplete fix for
CVE-2009-1376 (GLSA 200905-07).
* bugdave reported that protocols/jabber/auth.c in libpurple as used
in Pidgin does not follow the "require TLS/SSL" preference when
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.
The specific flaw exists within the way Java handles True Type Font
files. When reading a font file, Java will use the MaxInstructionSize
from the maxp table to create a heap memory location to store all the
Instruction Definition found in the Font Program 'fpgm' table.
However, when Java encounters an IDEF opcode (0x89) in the opcode
stream it never checks the size of the MaxInstructionSize which can
result in a heap buffer overflow. This can lead to remote code
execution under the context of the current process.
user's system.
The vulnerability is caused by missing input validation in the
handling of the "StopModule()" method and can be exploited via a
specially crafted "lModule" parameter to reference an expected module
structure at an arbitrary memory address. This can be exploited to
dereference an arbitrary value in memory as a function pointer.
Successful exploitation allows execution of arbitrary code.
======================================================================
overflows (CVE-2009-0135).
* Multiple array index errors in the Audible::Tag::readTag() function
in metadata/audible/audibletag.cpp can lead to invalid pointer
dereferences, or the writing of a 0x00 byte to an arbitrary memory
location after an allocation failure (CVE-2009-0136).
Impact
======
A remote attacker could entice a user to open a specially crafted
===========
Description
===========
It is possible to cause the Java Virtual Machine to overwrite an arbitrary
memory location with an arbitrary value (repeatedly and in a stable
manner) when parsing a malformed TrueType font.
Impact: By coercing a user to view a malicious web page, an attacker could
instantiate an applet that executes arbitrary native code inside the
browser.
heap-based buffer overflow in Mozilla's string to floating point
number conversion routines. Using this vulnerability an attacker
could craft some malicious JavaScript code containing a very long
string to be converted to a floating point number which would result
in improper memory allocation and the execution of an arbitrary memory
location. This vulnerability could thus be leveraged by the attacker
to run arbitrary code on a victim's computer (CVE-2009-1563).
Security researcher Jeremy Brown reported that the file naming scheme
used for downloading a file which already exists in the downloads
folder is predictable. If an attacker had local access to a victim's
#!/usr/bin/perl -w
# Hex Workshop v6 "ColorMap files .cmap" Invalid Memory Reference crash POC
# Discovered by: DATA_SNIPER
# For more information visit my blog: http://datasniper.arab4services.net/
# The exploit is very hard to implement; if we can make the "reference" point to a valid memory location containing
# a unicode string we can corrupt the memory and get code execution (it's not so easy, as you can see; try it manually in olly).
print "==========================================================================\n";
print "Hex Workshop v6 (ColorMap files .cmap) Invalid Memory Reference crash POC\n";
print "Discovered by DATA_SNIPER\n";
print "Greetz to: arab4services team and AT4RE Team\n";
--- 5. Issue: Arbitrary code execution by using ZwQueryValueKey() wrapper ---
The ZwQueryValueKey() wrapper was described above. Since the pointer to
which the contents of the specified value of the given registry key will
be written is completely controllable by the user, we can overwrite an
arbitrary memory location. Furthermore, the contents which are going to
be written to that arbitrary memory location are also completely
controllable by the user - they are registry values. An attacker could
create a registry value with malicious content (x86 code).
The checks added in the new version do not prevent this attack in any way.
8.1. *RTSP request handling Denial of Service (CVE-2009-2533)*
The problem arises when the 'rmserver' process receives an 'RTSP
(SET_PARAMETER)' request with no content in the 'DataConvertBuffer'
parameter. The handling code reads at the memory location zero (0) and
triggers an exception, which is handled correctly. However sending this
malformed request multiple times renders the rmserver process
unresponsive and subsequently stops its execution.
The code section which triggers the exception is:
0x1EFFE1
62A70611 8B8E 9A000000 MOV ECX,DWORD PTR DS:[ESI+9A] ; ecx=heap mem
62A70617 D1E0 SHL EAX,1 ; eax=0x003DFFC2
62A70619 03C8 ADD ECX,EAX ; ecx=ecx+eax (memory location)
62A7061B 8379 36 00 CMP DWORD PTR DS:[ECX+36],0
62A7061F 75 1F JNZ SHORT 62A70640
62A70621 8951 24 MOV DWORD PTR DS:[ECX+24],EDX ; ** corruption **
the proper checks to validate the addresses sent from user mode.
The 'VBoxDrv.sys' driver uses the 'METHOD_NEITHER' communication method
when handling IOCTL requests and does not properly validate the buffer
sent in the Irp object, allowing an attacker to write to any memory
address in kernel mode.
Let's see the bug in the source. This is the function used to handle the
IOCTL requests in 'SUPDrv-win.cpp'.
/-----------
- -----------/
At this point, the Structured Exception Handler is already controlled by
the attacker, so when exception raises the execution is transferred to
an arbitrary memory address chosen by the person providing the malicious
web page.
By adding JavaScript code in the malicious web page, the attacker can
use a technique called Heap Spray, that fills the heap of the browser
process with his payload, and then jump to the arbitrary code located in
VMware products emulate hardware functions, like CPU, Memory, and
IO.
A flaw in VMware's CPU hardware emulation could allow the
virtual CPU to jump to an incorrect memory address. Exploitation of
this issue on the guest operating system does not lead to a
compromise of the host system but could lead to a privilege
escalation on guest operating system. An attacker would need to
have a user account on the guest operating system.
-----------------------------
A] array overflow with write2
-----------------------------
Array overflow during the handling of the GWB (GenStat book) files with
possibility of placing a NULL word in an arbitrary memory location:
00630399 |> 8B46 24 MOV EAX,DWORD PTR DS:[ESI+24] ; EAX controlled
0063039C |. 8B4E 08 MOV ECX,DWORD PTR DS:[ESI+8]
0063039F |. 8D0481 LEA EAX,DWORD PTR DS:[ECX+EAX*4]
006303A2 |. 3938 CMP DWORD PTR DS:[EAX],EDI
(crash) and possibly execute arbitrary code via a PNG file with zero
length "unknown" chunks, which trigger an access of uninitialized
memory. (CVE-2008-1382)
The png_check_keyword might allow context-dependent attackers to set the
value of an arbitrary memory location to zero via vectors involving
creation of crafted PNG files with keywords. (CVE-2008-5907)
A memory leak in the png_handle_tEXt function allows context-dependent
attackers to cause a denial of service (memory exhaustion) via a crafted
PNG file. (CVE-2008-6218)
Technical description:
======================
The IOCTL call 0xb2d60030 of the aavmker4.sys kernel driver shipped with avast!
4.7 accepts user supplied input that doesn't get validated enough. In consequence
it is possible to overwrite arbitrary memory addresses with arbitrary values.
Disassembly of aavmker4.sys (version 4.7.1098.0):
[...]
.text:00010D28 cmp eax, 0B2D60030h <-- (1)
during the check of the extension of the requested file.
When it handles HTTP POST requests it checks whether the first byte of
the URI is equal to 0xfa, in which case it treats the URI as a binary
sequence of data composed of two 32-bit integers, which are used to take
a new URI from an arbitrary memory address calculated from the second
number or from the sum of both:
004425E0 /$ 8B4424 04 MOV EAX,DWORD PTR SS:[ESP+4] ; URI_to_binary
004425E4 |. 85C0 TEST EAX,EAX
004425E6 |. 75 01 JNZ SHORT Miniweb.004425E9
The functions in parser.cpp are affected by some memory corruption
vulnerabilities with different effects depending on the type of
variable/script used.
In short a value longer than MAX_FILE_SIZE (16384) bytes can lead to
the writing of custom data in a custom memory address through strcat
(auth.w?mode) or a NULL pointer (auth.w?redir) or an invalid memory
access (the rconpass parameter of auth.w) and so on.
----------------------------
I/O-2 F800000 8388616 1020632 7367984 7367984 7367932
Processor memory
Address Bytes Prev Next Ref PrevF NextF Alloc PC what
62275DC8 0000000048 62275D68 62275E24 001 ------- ------- 60654230 PPTP create idb
62275E24 0000000052 62275DC8 62275E84 001 ------- ------- 60654230 PPTP create idb
62275E84 0000000052 62275E24 62275EE4 001 ------- ------- 60654230 PPTP create idb
....