> On Tue, Apr 15, 2008 at 10:20 AM, Luigi Auriemma <aluigi@autistici.org>
> wrote:
>
> > > Autonomy Keyview Folio Flat File Parsing Buffer Overflows
> > > Autonomy Keyview Applix Graphics Parsing Vulnerabilities
> > > Autonomy Keyview EML Reader Buffer Overflows
> > > activePDF DocConverter Folio Flat File Parsing Buffer Overflows
> > > activePDF DocConverter Applix Graphics Parsing Vulnerabilities
> > > Lotus Notes Applix Graphics Parsing Vulnerabilities
> Autonomy Keyview Folio Flat File Parsing Buffer Overflows
> Autonomy Keyview Applix Graphics Parsing Vulnerabilities
> Autonomy Keyview EML Reader Buffer Overflows
> activePDF DocConverter Folio Flat File Parsing Buffer Overflows
> activePDF DocConverter Applix Graphics Parsing Vulnerabilities
> Lotus Notes Applix Graphics Parsing Vulnerabilities
> Lotus Notes Folio Flat File Parsing Buffer Overflows
> Lotus Notes EML Reader Buffer Overflows
> Lotus Notes kvdocve.dll Path Processing Buffer Overflow
> Lotus Notes htmsr.dll Buffer Overflows
of PoC code, discussion of fixes, etc.
___________________________________________________________________________
Overview:
Hash tables are a commonly used data structure in most programming
languages. Web application servers or platforms commonly parse
attacker-controlled POST form data into hash tables automatically, so
that they can be accessed by application developers.
If the language does not provide a randomized hash function or the
application server does not recognize attacks using multi-collisions, an
http://labs.idefense.com/intelligence/vulnerabilities/
Jun 10, 2008
I. BACKGROUND
FreeType2 is an open source library for parsing fonts that is used by
many applications. This includes projects such as X.Org, Second Life,
and the Sun Java JRE. For more information, please see the vendor's
website at the following URL.
http://freetype.sourceforge.net/freetype2/
"The HTTP request detection will attempt to determine the end-of-line
marker following the HTTP/1.x line. If it consists of a single LF,
then the logic will attempt to identify a LFLF."
Unfortunately, this logic may be problematic when attempting to parse
HTTP requests consisting of various combinations of end-of-line markers
within the same HTTP request. For instance, many web servers accept
requests with mixed newline sequences such as:
GET /protected_resource HTTP/1.0\x0d\x0a
most software does not care.
--n--
== The problem ==
Even though MIME is pretty old, many people have not yet learned how to
parse MIME correctly. The problem is that the number of MIME-parts of an
email and the depth of recursion is potentially unlimited. Some software,
like the popular rfc2045 library of the courier-mta, solves this problem by
discarding mails with too many MIME-parts as a Denial of Service attack.
This is probably the best approach to handle this problem.
======================================================================
Secunia Research 08/04/2008
- Autonomy Keyview Applix Graphics Parsing Vulnerabilities -
======================================================================
Table of Contents
Affected Software....................................................1
======================================================================
Secunia Research 08/04/2008
- activePDF DocConverter Applix Graphics Parsing Vulnerabilities -
======================================================================
Table of Contents
Affected Software....................................................1
======================================================================
Secunia Research 08/04/2008
- Symantec Mail Security Applix Graphics Parsing Vulnerabilities -
======================================================================
Table of Contents
Affected Software....................................................1
Details
=======
SCCP and SIP-Related Vulnerabilities
* DNS Response Parsing Overflow
Cisco Unified IP Phone 7940, 7940G, 7960 and 7960G devices
running SCCP and SIP firmware contain a buffer overflow
vulnerability in the handling of DNS responses. A
specially-crafted DNS response may be able to trigger a buffer
======================================================================
Secunia Research 02/02/2009
- Free Download Manager Torrent Parsing Buffer Overflows -
======================================================================
Table of Contents
Affected Software....................................................1
======================================================================
Secunia Research 08/04/2008
- Lotus Notes Applix Graphics Parsing Vulnerabilities -
======================================================================
Table of Contents
Affected Software....................................................1
by element, into an SwTableBoxes object. These objects contain a fixed amount
of data, and when they have reached capacity, a resize() method is called to
double the space previously allocated for cell contents. When this method is
called, the new space will be allocated on top of recently freed memory
containing file data without clearing this memory. Because of a bug in the RTF
parser, corrupt table data may cause the insertion of elements into an
SwTableBoxes object to skip an index rather than remaining strictly sequential.
When this occurs, the nA field, representing the number of data elements used
in the object, will be out-of-sync with the index of the most recently inserted
element, allowing exploitation of a use-after-free vulnerability.
======================================================================
Secunia Research 01/04/2009
- UltraISO Image Parsing Buffer Overflow Vulnerabilities -
======================================================================
Table of Contents
Affected Software....................................................1
unsigned char **buffer)
Function real_get_rdt_chunk() calls rtsp_read_data() to read RDT
(Real Data Transport) chunks headers from the network and after that it will
parse them.
A controlled variable is used to allocate a buffer and later passed on to the
rtsp_read_data() function in order to specify the length of an RDT chunk
data to read from the network.
An integer underflow can be triggered when parsing a malformed RDT header chunk,
a remote attacker can exploit it to execute arbitrary code in the context of
#define RECLIMIT 256
-REG_EXTENTED---
p_ere(
struct parse *p,
int stop, /* character this ERE should end at */
size_t reclimit)
{
..
address but the tcp session continues, all other requests in this tcp session are
not ip tagged.
Since the ACE does not respect the ambiguous RFC 2616 implied *LWS
rules (chap 2.1) it's
easy to do a "Parse Error" which is honoured by the backend.
RFC extracts:
The version of an HTTP message is indicated by an HTTP-Version field
in the first line of the message.
Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs/
Microsoft Office Excel DbOrParamQry Record Parsing Vulnerability
1. *Advisory Information*
* Damian Frizza and Alfredo Ortega (Core Security Technologies)
reported a boundary error in the file libmpdemux/demux_audio.c when
parsing FLAC comments (CVE-2008-0486).
* Adam Bozanich (Mu Security) reported boundary errors in the
cddb_parse_matches_list() and cddb_query_parse() functions in the
file stream_cddb.c when parsing CDDB album titles (CVE-2008-0629) and
in the url_scape_string() function in the file stream/url.c when
parsing URLs (CVE-2008-0630).
Impact
Description
===========
iDefense Labs reported multiple vulnerabilities in OpenOffice.org:
* multiple heap-based buffer overflows when parsing the "Attribute"
and "Font" Description records of Quattro Pro (QPRO) files
(CVE-2007-5745),
* an integer overflow when parsing the EMR_STRETCHBLT record of an
EMF file, resulting in a heap-based buffer overflow (CVE-2007-5746),
listed game servers, asking each for its description. The client's parsing of
the servers' responses is vulnerable to a buffer overflow attack.
The client is designed to listen for incoming UDP packets from
master.corservers.com and from the game servers on port 27901, however it will
accept and parse UDP packets from any IP address even if the client did not
initiate a UDP conversation with that given IP address. As such, an attacker
can send a malformed UDP packet from any source IP address; they need not know
a valid game server's IP address to exploit this buffer overflow vulnerability.
When the client receives a UDP packet on port 27901 that specifies a server's
connect enterprise email and messaging services to BlackBerry device
users. It consists of a variety of applications, one of which is the
Attachment Service. This application is used to convert email
attachments into a format that is easily rendered on BlackBerry
devices. When a user requests an attachment on their BlackBerry device,
the Attachment Service will obtain the attachment, parse and convert it,
and then send it to the user for viewing. The Attachment Service is
capable of converting a variety of different file formats, including
PDF files. This vulnerability affects the PDF filter/distiller. For
more information, see the vendor's site found at the following link.
Published: 29 October 2007
===========
Description
===========
There is a heap overflow in the Realplayer code that parses ID3 tags in
MP3 files.
Impact: attackers could execute code of their choice on susceptible
systems if a user were induced to open a malicious MP3 file.
Dear security@nruns.com,
Either Subject "UPX parsing Arbitrary CodeExecution" or vulnerability
description "Infinite Loop in UPX packed files parsing" are wrong. Can
you provide more detailed information please? It's not clear, how
infinite loop can lead to remote code execution.
--Friday, August 24, 2007, 11:15:01 PM, you wrote to bugtraq@securityfocus.com:
I. BACKGROUND
The OfficeImport framework is an API used by Apple's mobile devices,
including the iPod Touch, iPhone, and iPad. The framework is used to
parse and display Microsoft Office file formats, such as Excel, Word,
and PowerPoint. The OfficeImport framework is used by several
applications, including MobileMail and MobileSafari. Both of these
applications are attack vectors for this vulnerability. For more
information, see the vendor's site found at the following link.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Font parsing vulnerabilities in FreeType might lead to user-assisted
execution of arbitrary code.
Background
==========
OpenOffice, as included in various vendors' operating system
distributions, allows attackers to execute arbitrary code.
These vulnerabilities exist within the TIFF parsing code of the
OpenOffice suite. When parsing the TIFF directory entries for certain
tags, the parser uses untrusted values from the file to calculate the
amount of memory to allocate. By providing specially crafted values, an
integer overflow occurs in this calculation. This results in the
allocation of a buffer of insufficient size, which in turn leads to a
heap overflow.
Microsoft Corp.'s Excel could allow an attacker to execute arbitrary
code with the privileges of the current user.
The vulnerability occurs due to Excel using a local function variable
without properly initializing it. This error occurs when parsing
several related records inside of an Excel worksheet. When Excel parses
certain records in a particular order, a stack variable may not be
initialized properly. If an attacker can control the area of memory
used for this variable, then it is possible to execute arbitrary code
on the targeted host.