null pointer

CORE-2008-0126: Multiple vulnerabilities in iCal

memory corruption resulting from a resource liberation bug that can be
triggered with a malformed '.ics' calendar file specially crafted by a
would-be attacker.

 The other two vulnerabilities lead to abnormal termination (crash) of
the iCal application due to null-pointer dereference bugs triggered
while parsing a malformed '.ics' file. The ability to inject and
execute arbitrary code on vulnerable systems using these two
vulnerabilities was researched but not proven possible.

 Exploitation of these vulnerabilities in a client-side attack scenario

CORE-2009-0820 - Dnsmasq Heap Overflow and Null-pointer Dereference on TFTP Server

        Core Security Technologies - CoreLabs Advisory
            http://www.coresecurity.com/corelabs/

 Dnsmasq Heap Overflow and Null-pointer Dereference on TFTP Server


1. *Advisory Information*

Title: Dnsmasq Heap Overflow and Null-pointer Dereference on TFTP Server

Multiple vulnerabilities in Feng 0.1.15

Versions:     <= 0.1.15
Platforms:    *nix
Bugs:         A] first buffer-overflow in RTSP_valid_response_msg
              B] second buffer-overflow in RTSP_valid_response_msg
              C] crash in RTSP_remove_msg
              D] NULL pointer in parse_transport_header
              E] NULL pointer in parse_play_time_range
              F] NULL pointer in log_user_agent
              G] NULL pointer in Netembryo 0.0.4
Exploitation: remote
Date:         27 Dec 2007

[ MDVSA-2010:198 ] kernel

 node that is not part of the kernel node set. (CVE-2010-0415)
 
 The ATI Rage 128 (aka r128) driver in the Linux kernel before
 2.6.31-git11 does not properly verify Concurrent Command Engine (CCE)
 state initialization, which allows local users to cause a denial of
 service (NULL pointer dereference and system crash) or possibly gain
 privileges via unspecified ioctl calls. (CVE-2009-3620)
 
 The wake_futex_pi function in kernel/futex.c in the Linux kernel
 before 2.6.33-rc7 does not properly handle certain unlock operations
 for a Priority Inheritance (PI) futex, which allows local users to

MITKRB5-SA-2011-006 KDC denial of service vulnerabilities [CVE-2011-1527 CVE-2011-1528 CVE-2011-1529]

Original release: 2011-10-18
Last update: 2011-10-18

Topic: KDC denial of service vulnerabilities

CVE-2011-1527: null pointer dereference in KDC LDAP back end

CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:H/RL:OF/RC:C

CVSSv2 Base Score:      7.8


[ MDVSA-2010:188 ] kernel

 node that is not part of the kernel node set. (CVE-2010-0415)
 
 The ATI Rage 128 (aka r128) driver in the Linux kernel before
 2.6.31-git11 does not properly verify Concurrent Command Engine (CCE)
 state initialization, which allows local users to cause a denial of
 service (NULL pointer dereference and system crash) or possibly gain
 privileges via unspecified ioctl calls. (CVE-2009-3620)
 
 The wake_futex_pi function in kernel/futex.c in the Linux kernel
 before 2.6.33-rc7 does not properly handle certain unlock operations
 for a Priority Inheritance (PI) futex, which allows local users to

Vulnerabilities in 3S CoDeSys 3.4 SP4 Patch 2

              http://www.3s-software.com/index.shtml?en_CoDeSysV3_en
Versions:     <= 3.4 SP4 Patch 2
Platforms:    Windows
Bugs:         A] GatewayService integer overflow
              B] CmpWebServer stack overflow
              C] CmpWebServer Content-Length NULL pointer
              D] CmpWebServer invalid HTTP request NULL pointer
              E] CmpWebServer folders creation
Exploitation: remote
Date:         29 Nov 2011
Author:       Luigi Auriemma

PHP 5.3.6 multiple null pointer dereference

[ PHP 5.3.6 multiple null pointer dereference ]

Author: Maksymilian Arciemowicz
http://securityreason.com/
http://securityreason.net/
http://cxib.net/

Date:
- Dis.: 20.07.2011
- Pub.: 19.08.2011

Xpdf - Integer overflow which causes heap overflow and NULL pointer dereference.

Name:                      Xpdf - Integer overflow which causes heap overflow and NULL pointer dereference
Author:                    Adam Zabrocki / HISPASEC (<pi3@itsec.pl> or <adam@hispasec.com>)
Date:                      July 06, 2009


   Issue:

Xpdf allows local and remote attackers to overflow a heap buffer via an integer overflow vulnerability.
Xpdf is prone to a NULL pointer dereference attack.


Multiple vulnerabilities in Live for Speed 0.5X10

              http://www.lfs.net
Versions:     <= 0.5X10
Platforms:    Windows
Bugs:         A] nickname buffer-overflow
              B] partial track buffer-overflow
              C] NULL pointer access in internet/hidden S1/S2 servers
              D] memcpy() NULL pointer in internet/hidden S1/S2 servers
Exploitation: remote, versus server
              A] demo/S1/S2 in-game
              B] demo/S1/S2 in-game
              C] S1/S2 (internet/hidden)

[ MDVSA-2011:051 ] kernel

 
 The personality subsystem in the Linux kernel has a PER_CLEAR_ON_SETID
 setting that does not clear the ADDR_COMPAT_LAYOUT and MMAP_PAGE_ZERO
 flags when executing a setuid or setgid program, which makes it
 easier for local users to leverage the details of memory usage to (1)
 conduct NULL pointer dereference attacks, (2) bypass the mmap_min_addr
 protection mechanism, or (3) defeat address space layout randomization
 (ASLR). (CVE-2009-1895)
 
 The load_flat_shared_library function in fs/binfmt_flat.c in the
 flat subsystem in the Linux kernel allows local users to cause a

MITKRB5-SA-2011-007 KDC null pointer dereference in TGS handling [CVE-2011-1530]

MIT krb5 Security Advisory 2011-007
Original release: 2011-12-06
Last update: 2011-12-06

Topic: KDC null pointer dereference in TGS handling


CVE-2011-1530
KDC null pointer dereference in TGS handling


MITKRB5-SA-2009-001: multiple vulnerabilities in SPNEGO, ASN.1 decoder [CVE-2009-0844 CVE-2009-0845 CVE-2009-0847]

Exploitability:         Proof-of-Concept
Remediation Level:      Official Fix
Report Confidence:      Confirmed

[CVE-2009-0845]
SPNEGO implementation can dereference a null pointer

CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C
CVSSv2 Base Score:      7.8
CVSSv2 Temporal Score:  6.1


Multiple vulnerabilities in BarracudaDrive 3.7.2

Versions:     <= 3.7.2
Platforms:    Windows
Bugs:         A] directory traversal
              B] scripts source visualization
              C] arbitrary file deletion by users
              D] NULL pointer crash in chat.ehintf by users
              E] html injection in the trace viewer
Exploitation: remote
Date:         10 Dec 2007
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org

Directory traversal and multiple Denials of Service in HP OpenView NNM 7.53

              http://www.openview.hp.com/products/nnm/
Versions:     <= 7.53
Platforms:    Windows (tested), Solaris, Linux, HP-UX
Bugs:         A] CGIs directory traversal
              B] Denial of Service in ovalarmsrv
              C] NULL pointer in ovalarmsrv
              D] process termination in ovtopmd
Exploitation: remote
Date:         11 Apr 2008
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org

Linux Kernel 2.6.38 Remote NULL Pointer Dereference

Linux Kernel 2.6.38 Remote NULL Pointer Dereference
====================================================

[Advisory Information]
Title:          Linux kernel 2.6.38: Remote NULL pointer dereference
Release date:   11/05/2011
Last update:    11/05/2011

Credits:        
        Aristide Fattori, Università degli Studi di Milano (joystick@security.dico.unimi.it)

OpenOffice for Windows ".slk" File Parsing Null Pointer Vulnerability

Tested Vulnerable Versions:
3.1.1 and 3.1.0

Vulnerability:

Null Pointer

Description:

Hellcode Research discovered a null pointer vulnerability in OpenOffice for
Windows.

SYM07-029 Symantec BEWS Multiple DoS in Job Engine

NOTE: ONLY the products and versions listed as affected above are vulnerable to these issues. This issue impacts the 
server only.  Client agents are NOT affected.

Details
Secunia Research notified Symantec of three DoS issues involving erroneous packet handling affecting components of the 
Symantec Backup Exec for Windows Servers Job Engine. One is a null-pointer dereference issue that crashes the listening 
service; the other two are integer overflow issues that can force the service into an infinite loop, resulting in 
memory exhaustion or high CPU utilization. Successful exploitation requires access to the affected port. In normal installations 
this would require the attacker to have authorized but non-privileged access to the network on which the targeted server resides 
in order to reach it. A successful attack could result in termination of the targeted service and loss of scheduling 
services, or potentially loss of access to the application, until the service is restarted or the targeted activity ceases. 

[ GLSA 200709-14 ] ClamAV: Multiple vulnerabilities

Nikolaos Rangos discovered a vulnerability in ClamAV which exists
because the recipient address extracted from email messages is not
properly sanitized before being used in a call to "popen()" when
executing sendmail (CVE-2007-4560). Also, NULL-pointer dereference
errors exist within the "cli_scanrtf()" function in libclamav/rtf.c and
Stefanos Stamatis discovered a NULL-pointer dereference vulnerability
within the "cli_html_normalise()" function in libclamav/htmlnorm.c
(CVE-2007-4510).


PHP 5.3.5 grapheme_extract() NULL Pointer Dereference

[ PHP 5.3.5 grapheme_extract() NULL Pointer Dereference ]

Author: Maksymilian Arciemowicz
http://securityreason.com/
http://cxib.net/
Date:
- Dis.: 09.12.2010
- Pub.: 17.02.2011

CVE: CVE-2011-0420 

[ MDVSA-2009:329 ] kernel

 ipddp modules are loaded but the ipddpN device is not found, allows
 remote attackers to cause a denial of service (memory consumption)
 via IP-DDP datagrams. (CVE-2009-2903)
 
 Multiple race conditions in fs/pipe.c in the Linux kernel before
 2.6.32-rc6 allow local users to cause a denial of service (NULL pointer
 dereference and system crash) or gain privileges by attempting to
 open an anonymous pipe via a /proc/*/fd/ pathname. (CVE-2009-3547)
 
 The tcf_fill_node function in net/sched/cls_api.c in the netlink
 subsystem in the Linux kernel 2.6.x before 2.6.32-rc5, and 2.4.37.6

Chat vulnerabilities in TinTin++ 1.97.9

Application:  TinTin++ / WinTin++
              http://tintin.sourceforge.net
Versions:     <= 1.97.9
Platforms:    Windows, Linux and Mac
Bugs:         A] chat buffer-overflow
              B] chat YES NULL pointer
              C] chat home folder empty files creation
Exploitation: remote
Date:         06 Feb 2008
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org

Hellcode Research: OpenOffice File Parsing Null Pointer Vulnerability

Tested Vulnerable Versions: 
3.1.1 and 3.1.0

Vulnerability:
Null Pointer


Description:
Hellcode Research discovered a null pointer vulnerability in OpenOffice for Windows.


Directory traversal and NULL pointer in Acronis PXE Server 2.0.0.1076

Application:  Acronis PXE Server
              http://www.acronis.com/enterprise/products/snapdeploy/
Versions:     <= 2.0.0.1076
Platforms:    Windows
Bugs:         A] directory traversal
              B] NULL pointer
Exploitation: remote
Date:         08 Mar 2008
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

Re: CORE-2008-0126: Multiple vulnerabilities in iCal

: Advisory URL: http://www.coresecurity.com/?action=item&id=2219

: Bugtraq ID: 28629 28632 28633 
: CVE Name: CVE-2008-1035 CVE-2008-2006 CVE-2008-2007   

:  1) Null pointer de-reference #1 (Bugtraq ID 28629, CVE-2008-2006)
: 
:  The 'COUNT' value causes an integer overflow, which leads to a null

:  2) Null pointer dereference #2 (Bugtraq ID 28632, CVE-2008-2006)
: 

[ MDKSA-2007:171 ] - Updated kernel packages fix multiple vulnerabilities and bugs

 context switch, or reset the flags when creating new threads, which
 allowed local users to cause a denial of service (process crash)
 (CVE-2006-5755).
 
 The compat_sys_mount function in fs/compat.c allowed local users
 to cause a denial of service (NULL pointer dereference and oops)
 by mounting a smbfs file system in compatibility mode (CVE-2006-7203).
 
 The nfnetlink_log function in netfilter allowed an attacker to cause a
 denial of service (crash) via unspecified vectors which would trigger
 a NULL pointer dereference (CVE-2007-1496).

PHP 5.3.8 Multiple vulnerabilities

Original link:
http://cxsecurity.com/research/103


[--- 1. Multiple NULL Pointer Dereference with zend_strndup() [CVE-2011-4153] ---]
As we can see in zend_strndup()

-zend_alloca.c---
ZEND_API char *zend_strndup(const char *s, uint length)
{

Wireshark 1.4.0 Malformed SNMP V1 Packet Denial of Service

Wireshark 1.4.0 Malformed SNMP V1 Packet Denial of Service

------------------------------------------------------------------
I. Summary

A flaw has been identified in Wireshark 1.4.0 concerning the ASN.1/BER dissector that will cause a denial of service (stack overflow and null pointer dereference in exception handling code).

------------------------------------------------------------------
II. Description

Wireshark makes use of protocol dissectors to parse packet data and organize its contents into a meaningful representation. Upon encountering an SNMP v1 packet, the ASN.1/BER dissector, as implemented in $SRC_ROOT/epan/dissectors/packet-ber.c, will be invoked to process the BER encoded content, i.e. the variable bindings in the SNMP PDU. If this field is filled with an extremely long string, e.g. a sequence of 14000 'A's, a recursive call in the function dissect_unknown_ber() would consume too much stack space, causing a stack overflow in most configurations and later a null pointer dereference in the exception handling code.

MITKRB5-SA-2010-005 [CVE-2010-1321] GSS-API lib null pointer deref

MITKRB5-SA-2010-005

MIT krb5 Security Advisory 2010-005
Original release: 2010-05-18

Topic: GSS-API library null pointer dereference

CVE-2010-1321

CVSSv2 Vector: AV:N/AC:L/Au:S/C:N/I:N/A:C/E:POC/RL:OF/RC:C


Copyright © 1995-2012 LinuxRocket.net. All rights reserved.