>
> Description
> ===========
>
> This exploit targets a fairly ubiquitous flaw in DNS implementations
> which allows the insertion of malicious DNS records into the cache of the
> target nameserver. This exploit caches a single malicious host entry
> into the target nameserver. By causing the target nameserver to query
> for random hostnames at the target domain, the attacker can spoof a
> response to the target server including an answer for the query, an
> authority server record, and an additional record for that server,
Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs/
Microsoft Office Excel DbOrParamQry Record Parsing Vulnerability
1. *Advisory Information*
the application service provider uses a dedicated
RegisteredDomain for the particular application.
>being able to sandbox each document+viewer combo is great. I think you
>should do some usability testing with your suggestion that the file
>retrieval session record be deleted when the document is accessed, though.
>This is very likely to cause problems with user agents like Internet Explorer
>that have aggressive anti-caching stances for https content, and I imagine
}
}
if(num_rrs!=le->num_rrs && ++num_rrs_errs<=MAX_NUM_RRS_ERRS) {
- unsigned char buf[256];
+ unsigned char buf[2560];
log_warn("Counted %d rr record types for %s but cached counter=%d",
num_rrs,rhn2str(le->qname,buf,sizeof(buf)),le->num_rrs);
}
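Review bot: the jump from `buf[256]` to `buf[2560]` needs a stated bound. Because the call passes `sizeof(buf)` to `rhn2str(le->qname,buf,sizeof(buf))`, the smaller buffer could only truncate the name in the warning text, so this hunk changes how much of the qname reaches `log_warn`, not whether memory is overrun. If the motivation is that the textual form of a maximal wire-format name exceeds 256 bytes once escaping is applied, say so in the commit message and size the buffer from that limit with a named constant instead of the magic 2560. A ten-fold stack buffer on a path that is only taken when the counted and cached `num_rrs` disagree is acceptable, but the reason belongs in a comment beside the declaration.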
@@ -1662,7 +1662,7 @@
rr_bucket_t *rr;
for(rr=rrset->rrs; rr; rr=rr->next) {
Mu Dynamics, Inc. Security Advisories MU-201202-01 and MU-201202-02 for GnuTLS and Libtasn1
TLS record handling vulnerability in GnuTLS [MU-201202-01]
ASN.1 length decoding vulnerability in Libtasn1 [MU-201202-02]
20 March 2012
http://blog.mudynamics.com/2012/03/20/gnutls-and-libtasn1-vulns/
File format [1] to persist spreadsheet data on the file system. Lotus
Notes uses a third-party library [2] to process file attachments in the
Lotus Worksheet File format (WKS).
A worksheet file in WKS format is simply a binary representation of the
spreadsheet built using a sequence of binary records in the TLV form
(Type-Length-Value) where both Type and Length are encoded using two bytes.
There are multiple vulnerabilities in the way the Verity KeyView SDK DLL
processes the TLV records of a worksheet file. These vulnerabilities stem
from lack of proper consistency checks for the stated Length and the
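The kind of Length consistency check the advisory says the KeyView parser lacks, as an added example that is not code from Core's advisory or from the KeyView SDK. It walks a WKS-style stream of Type(2)/Length(2)/Value records; little-endian fields, the sample record types and the fixed-size cell buffer are assumptions made for the demonstration.

```c
/* Added example, not code from Core's advisory or from the KeyView SDK.
 * Walks a WKS-style record stream: each record is a 2-byte Type, a 2-byte
 * Length and Length bytes of Value.  Little-endian fields and the sample
 * record types below are assumptions made for the demonstration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WKS_HDR 4u                 /* Type (2) + Length (2) */
enum { WKS_OK = 0, WKS_TRUNCATED_HEADER = -1, WKS_BAD_LENGTH = -2 };

typedef struct { uint16_t type, length; const uint8_t *value; } wks_rec;

static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Parse the record at *off.  On success fills *out, advances *off past the
 * record and returns WKS_OK; on failure leaves *off alone and returns why. */
int wks_next(const uint8_t *buf, size_t len, size_t *off, wks_rec *out)
{
    if (*off > len || len - *off < WKS_HDR)
        return WKS_TRUNCATED_HEADER;
    uint16_t type = rd16le(buf + *off);
    uint16_t length = rd16le(buf + *off + 2);
    /* The consistency check the advisory describes as missing: the stated
     * Length must not exceed the bytes that actually follow the header. */
    if (length > len - *off - WKS_HDR)
        return WKS_BAD_LENGTH;
    out->type = type;
    out->length = length;
    out->value = buf + *off + WKS_HDR;
    *off += WKS_HDR + length;
    return WKS_OK;
}

/* Walk a whole stream.  Returns the record count, or the (negative) error
 * code of the first malformed record. */
int wks_count(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    int n = 0;
    wks_rec r;
    while (off < len) {
        int rc = wks_next(buf, len, &off, &r);
        if (rc != WKS_OK)
            return rc;
        n++;
    }
    return n;
}

/* Copy a record's Value into a fixed-size cell buffer, as a viewer does when
 * it materialises a label.  Using the stated Length as the memcpy size
 * without this comparison is the overflow pattern the advisory describes.
 * Returns the bytes copied, or -1 if the Value would not fit. */
int wks_copy_value(const wks_rec *r, uint8_t *dst, size_t dstlen)
{
    if (r->length > dstlen)
        return -1;
    memcpy(dst, r->value, r->length);
    return (int)r->length;
}

/* Constructed sample streams (record types chosen for the demo, not taken
 * from the WKS specification). */
static const uint8_t WKS_GOOD[] = {
    0x00, 0x00, 0x02, 0x00, 0x06, 0x04,                 /* type 0, 2 bytes    */
    0x0F, 0x00, 0x05, 0x00, 'H', 'e', 'l', 'l', 'o',    /* type 0x0F, 5 bytes */
    0x01, 0x00, 0x00, 0x00                              /* type 1, empty      */
};
static const uint8_t WKS_BAD_LEN[] = {                  /* claims 0xFFFF bytes */
    0x00, 0x00, 0x02, 0x00, 0x06, 0x04,
    0x0F, 0x00, 0xFF, 0xFF, 'A', 'B'
};
static const uint8_t WKS_SHORT[] = {                    /* header cut off */
    0x00, 0x00, 0x02, 0x00, 0x06, 0x04, 0x0F
};

int main(void)
{
    printf("good: %d records\n", wks_count(WKS_GOOD, sizeof WKS_GOOD));
    printf("bad length: rc=%d\n", wks_count(WKS_BAD_LEN, sizeof WKS_BAD_LEN));
    printf("short: rc=%d\n", wks_count(WKS_SHORT, sizeof WKS_SHORT));
    return 0;
}
```

Both comparisons are against what is actually available (bytes left in the file, bytes left in the destination), never against the attacker-supplied Length alone; that is the distinction between the two checks and the one the affected parsers skipped.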
Core Security Technologies - CoreLabs Advisory
http://corelabs.coresecurity.com/
Microsoft Office Excel PivotTable Cache Data Record Buffer Overflow
1. *Advisory Information*
Remote exploitation of a memory corruption vulnerability in Microsoft
Corp.'s Excel could allow an attacker to execute arbitrary code with
the privileges of the current user.
The vulnerability occurs when parsing a FEATHEADER record within an
Excel file. This record is used to store information common to multiple
other records, and was introduced with Excel 2002 (XP). When certain
fields of this record are set to a trigger value, it is possible to
corrupt memory in such a way that the next 4 bytes in the record are
treated as an object pointer. This pointer is then used to make a
Remote exploitation of an invalid array indexing vulnerability in
Microsoft Corp.'s Excel could allow an attacker to execute arbitrary
code with the privileges of the current user.
This issue exists in the handling of "AxesSet" records within a chart
embedded in a spreadsheet. This record is typically used for setting
the location and size of a set of axes on a chart. This particular
record type is not included in Microsoft's official documentation for
the Excel file format. However, the freely available source code for
OpenOffice implements this record type.
Remote exploitation of a heap overflow vulnerability in Microsoft
Corp.'s Excel could allow an attacker to execute arbitrary code with
the privileges of the current user.
This vulnerability occurs when parsing an MDXTUPLE record inside of the
Excel Workbook globals stream. This record is used to store metadata
for external data connections in the workbook. The vulnerability occurs
when a MDXTUPLE record is broken up into several records. This could
allow an attacker to trigger a heap based buffer overflow by
controlling both the allocation size of a heap buffer and the number of
ZDI-11-124: Microsoft PowerPoint TimeColorBehaviorContainer Floating Point Record Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-11-124
April 12, 2011
-- CVE ID:
CVE-2011-0655
-- CVSS:
Remote exploitation of a heap-based buffer overflow vulnerability in
Microsoft Corp.'s PowerPoint could allow an attacker to execute
arbitrary code with the privileges of the current user.
The vulnerability occurs during the parsing of two related PowerPoint
record types. The first record type, the "LinkedSlideAtom" record, is
used to specify collaboration information for different slides. One of
the fields in this record is used to specify the number of certain
records that are present in the file. The code responsible for filling
the array used to store the records does not perform any bounds
checking when storing elements into the array. This results in a
Remote exploitation of a heap overflow vulnerability in Microsoft
Corp.'s Excel could allow an attacker to execute arbitrary code with
the privileges of the current user.
This vulnerability occurs when parsing an MDXSET record inside of the
Excel Workbook globals stream. This record is used to store metadata
for external data connections in the workbook. The vulnerability occurs
when a MDXSET record is broken up into several records. This could allow
an attacker to trigger a heap based buffer overflow by controlling both
the allocation size of a heap buffer and the number of bytes copied
Core Security Technologies - Corelabs Advisory
http://corelabs.coresecurity.com/
Lotus Notes XLS viewer malformed BIFF record heap overflow
1. *Advisory Information*
Title: Lotus Notes XLS viewer malformed BIFF record heap overflow
Remote exploitation of an integer overflow vulnerability in Microsoft
Corp.'s PowerPoint could allow an attacker to execute arbitrary code
with the privileges of the current user.
The vulnerability occurs during the parsing of two related PowerPoint
record types. The first record type is used to specify collaboration
information for different slides. One of the fields in this record
contains a 32-bit integer that is used to specify the number of a
specific type of records that are present in the file. This integer is
used in a multiplication operation that calculates the size of a heap
buffer that will be used to store the records as they are read in from
Executive Summary:
URL Spoofing when displaying the content of a NDEF
URI tag. Web browser does not display full hostname when
loading a web page.
Crash of the parser for parts of a NDEF record, reboots
graphical user interface (GUI) of phone.
-----------------------------
Reporter: Collin Mulliner <collin[AT]mulliner.org>
Remote exploitation of an integer overflow vulnerability in Microsoft
Corp.'s Excel could allow an attacker to execute arbitrary code with
the privileges of the current user.
The vulnerability occurs when parsing a Shared String Table (SST) record
inside of an Excel file. This record is used to hold a table of strings
that are used inside of the document. One of the fields in this record
is a 32-bit integer that represents the number of unique strings in the
table. This value is used to allocate an array of pointers to the
strings contained inside of the table. When allocating this array, an
ESX 3.0.2 ESX not affected
ESX 2.5.5 ESX not affected
d. VNnc Codec Heap Overflow vulnerabilities
The VNnc Codec assists in Record and Replay sessions. Record and
Replay record the dynamic virtual machine state over a period of
time.
Two heap overflow vulnerabilities could allow a remote attacker to
execute arbitrary code on VMware hosted products. For an attack to
Executive Summary:
URI/URL Spoofing when displaying the content of a NDEF Smart Poster
and plain URI tag. Web browser does not display full hostname when
loading a web page.
Crash of the parser for various parts of NDEF records, reboots
graphical user interface (GUI) of phone.
-----------------------------
Reporter: Collin Mulliner <collin.mulliner[AT]sit.fraunhofer.de>
======================================================================
Secunia Research 12/10/2010
- Microsoft Excel Ghost Record Type Parsing Vulnerability -
======================================================================
Table of Contents
Affected Software....................................................1
C. The tool spoofs the source IP address of the queries. This is useful if
the attacker does not want to leave any trace of his IP address on the server.
D. The tool utilizes the CNAME Record Type to inject the false entry. The way
the poisoning is implemented is by sending two answer Resource Records (RRs):
one is a CNAME RR, and the second is an A record. Every fake reply contains
something
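The two spoofed replies described on this page, the answer + authority NS + additional glue reply from the exploit description at the top and the CNAME + A answer pair just above, as an added example that is not code from either tool. It builds the RFC 1035 wire format directly (no name compression) so the section layout and header counts are visible; the transaction ID, names and the 192.0.2.1 address are placeholders chosen for the demonstration, and nothing here sends a packet.

```c
/* Added example, not code from the exploit module or the poisoning tool.
 * Builds the wire-format DNS reply they spoof:
 *   header(12) | question | answer RRs | authority RRs | additional RRs
 * Transaction ID, names and addresses are placeholders; no compression. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { uint8_t buf[512]; size_t len; uint16_t an, ns, ar; } dns_msg;
enum { SEC_AN, SEC_NS, SEC_AR };

static void put16(dns_msg *m, uint16_t v) { m->buf[m->len++] = (uint8_t)(v >> 8); m->buf[m->len++] = (uint8_t)v; }
static void put32(dns_msg *m, uint32_t v) { put16(m, (uint16_t)(v >> 16)); put16(m, (uint16_t)v); }

/* "a.b.c" -> 1 a 1 b 1 c 0.  Rejects empty labels, labels over 63 bytes and buf overflow. */
static int put_name(dns_msg *m, const char *name)
{
    const char *p = name;
    while (*p) {
        const char *dot = strchr(p, '.');
        size_t l = dot ? (size_t)(dot - p) : strlen(p);
        if (l == 0 || l > 63 || m->len + l + 2 > sizeof m->buf)
            return -1;
        m->buf[m->len++] = (uint8_t)l;
        memcpy(m->buf + m->len, p, l);
        m->len += l;
        if (!dot)
            break;
        p = dot + 1;
    }
    m->buf[m->len++] = 0;
    return 0;
}

/* Header: QR=1, AA=1 (an authoritative answer), QDCOUNT=1; RR counts are patched in dns_finish. */
static void dns_init(dns_msg *m, uint16_t id)
{
    memset(m, 0, sizeof *m);
    put16(m, id); put16(m, 0x8400);
    put16(m, 1); put16(m, 0); put16(m, 0); put16(m, 0);
}

static int dns_question(dns_msg *m, const char *qname, uint16_t qtype)
{
    if (put_name(m, qname) || m->len + 4 > sizeof m->buf) return -1;
    put16(m, qtype); put16(m, 1);                     /* class IN */
    return 0;
}

/* Append one RR to a section; RDATA is passed as raw bytes. */
static int dns_rr(dns_msg *m, int sec, const char *name, uint16_t type,
                  uint32_t ttl, const uint8_t *rd, uint16_t rdlen)
{
    if (put_name(m, name) || m->len + 10 + rdlen > sizeof m->buf) return -1;
    put16(m, type); put16(m, 1); put32(m, ttl); put16(m, rdlen);
    memcpy(m->buf + m->len, rd, rdlen); m->len += rdlen;
    uint16_t *cnt = sec == SEC_AN ? &m->an : sec == SEC_NS ? &m->ns : &m->ar;
    (*cnt)++;
    return 0;
}
static int dns_rr_a(dns_msg *m, int sec, const char *name, uint32_t ttl, const uint8_t ip[4])
{
    return dns_rr(m, sec, name, 1, ttl, ip, 4);
}
/* NS (type 2) and CNAME (type 5) carry an encoded name as RDATA. */
static int dns_rr_name(dns_msg *m, int sec, const char *name, uint16_t type, uint32_t ttl, const char *target)
{
    dns_msg tmp = { .len = 0 };
    if (put_name(&tmp, target)) return -1;
    return dns_rr(m, sec, name, type, ttl, tmp.buf, (uint16_t)tmp.len);
}
static void dns_finish(dns_msg *m)                    /* write ANCOUNT/NSCOUNT/ARCOUNT */
{
    m->buf[6] = (uint8_t)(m->an >> 8); m->buf[7] = (uint8_t)m->an;
    m->buf[8] = (uint8_t)(m->ns >> 8); m->buf[9] = (uint8_t)m->ns;
    m->buf[10] = (uint8_t)(m->ar >> 8); m->buf[11] = (uint8_t)m->ar;
}

/* First description: A answer for the random host, NS for the whole zone in
 * the authority section, glue for that NS in the additional section. */
int build_poison_reply(dns_msg *m, uint16_t id, const char *random_host,
                       const char *zone, const char *fake_ns, const uint8_t attacker_ip[4])
{
    dns_init(m, id);
    if (dns_question(m, random_host, 1) ||
        dns_rr_a(m, SEC_AN, random_host, 60, attacker_ip) ||
        dns_rr_name(m, SEC_NS, zone, 2, 86400, fake_ns) ||
        dns_rr_a(m, SEC_AR, fake_ns, 86400, attacker_ip))
        return -1;
    dns_finish(m);
    return 0;
}

/* Second description: two answer RRs, a CNAME and then the A for its target. */
int build_cname_reply(dns_msg *m, uint16_t id, const char *qname, const char *target, const uint8_t ip[4])
{
    dns_init(m, id);
    if (dns_question(m, qname, 1) ||
        dns_rr_name(m, SEC_AN, qname, 5, 60, target) ||
        dns_rr_a(m, SEC_AN, target, 60, ip))
        return -1;
    dns_finish(m);
    return 0;
}

int main(void)
{
    static const uint8_t ip[4] = { 192, 0, 2, 1 };    /* TEST-NET-1 placeholder */
    dns_msg m;
    if (build_poison_reply(&m, 0x1234, "abc123.example.com", "example.com", "ns.attacker.test", ip) == 0)
        printf("poison reply: %zu bytes, an=%u ns=%u ar=%u\n", m.len, m.an, m.ns, m.ar);
    if (build_cname_reply(&m, 0x1234, "www.victim.test", "evil.attacker.test", ip) == 0)
        printf("cname reply: %zu bytes, an=%u\n", m.len, m.an);
    return 0;
}
```

What the resolver-side check has to catch is visible in the first builder: the authority and additional records name `example.com` and `ns.attacker.test`, which are not the question name, so a resolver that accepts them without bailiwick checking caches a nameserver for the whole zone from a reply that only answered one random host.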
* Serial Tunnel Code (STUN) and Block Serial Tunnel Code (BSTUN)
* Native Client Interface Architecture support (NCIA)
* Data-link switching (DLSw)
* Remote Source-Route Bridging (RSRB)
* Point to Point Tunneling Protocol (PPTP)
* X.25 for Record Boundary Preservation (RBP)
* X.25 over TCP (XOT)
* X.25 Routing
Information on how to determine whether an affected feature is
enabled on a device is provided in the Details section of this
A vulnerability has been discovered and corrected in squid:
The idnsGrokReply function in Squid before 3.1.16 does not properly
free memory, which allows remote attackers to cause a denial of
service (daemon abort) via a DNS reply containing a CNAME record
that references another CNAME record that contains an empty A record
(CVE-2011-4096).
The updated packages have been patched to correct this issue.
_______________________________________________________________________
in the vendor's security bulletin and did not have an unique
vulnerability identifier assigned to them. As a result, the guidance and
the assessment of risk derived from reading the vendor's security
bulletin may overlook or misrepresent actual threat scenarios.
Nicolas found that the Windows SMTP Service does its own DNS resolution
of MX records rather than using the DNS resolver from the operating system
while investigating CVE-2010-0024
[http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0024].
Furthermore, he found that the patch referenced in MS10-024 fixed two
severe bugs that were not disclosed as such in the bulletin and had no
CVE identifiers assigned to them. Basic analysis of the vulnerabilities
<sarcasm tagfor=oblivious>
Yeh, but what if I want you to justify your decisions in the context of my perceptions?
You don't find it reasonable that because you wish to share your efforts for free that they should serve my needs as well?
</sarcasm>
For the record, I tried Tim's blocklists and because I use an external spam-catcher and therefore accept mail only from them or specific hosts, I can statistically validate the statement that the sources of SMTP connection attempts that ignore my MX record are coming from a large percentage of the IPs Tim assembled, with the majority coming from east Asia (China & Korea being the most active).
It's a fair bet that any SMTP connection attempts that fail to agree with your MX record are "less than trustworthy".
Jim
serious problem and could lead to code execution.
The majority of the issues discovered lead to an out-of-bounds read,
often caught by the operating system and converted into an error. For
example, in the affected versions of Flash player the following Action
Record (ActionScript 2.0) types failed to verify the size of member
elements (DefineConstantPool, ActionJump, ActionPush, ActionTry), as
well as several other Action Record types. These boundary issues become
apparent when Flash movies (.swf files consisting of a series of Action
Records or "tags") contain data with values for offsets which point to
regions beyond the end of the Flash file's memory.
Remote exploitation of an integer overflow vulnerability in Autonomy's
KeyView SDK allows attackers to execute arbitrary code with the
privileges of the targeted application.
The vulnerability occurs when parsing a Shared String Table (SST) record
inside of an Excel file. This record is used to hold a table of strings
that are used inside of the document. One of the fields in this record
is a 32-bit integer that represents the number of strings in the table.
This value is used in a calculation that controls the number of bytes to
allocate for a dynamic heap buffer. The value is not properly sanitized,
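The count-times-size allocation behind the PowerPoint integer overflow, the Excel SST advisory and the KeyView SST advisory above, as an added example that is not code from any of those advisories or vendors. The product is computed in the 32-bit size type those parsers used (modelled as `uint32_t` so the wrap reproduces on a 64-bit host), and the loader shows the two checks that close the hole: the product must not wrap, and the count must be consistent with the bytes actually present. The record layout (4-byte `cstUnique`, then 2-byte-length-prefixed strings) and the 4-byte pointer size are simplifications assumed for the demonstration.

```c
/* Added example, not code from any of the advisories or vendors above.
 * Models "count from the file times element size" in 32-bit arithmetic
 * (uint32_t, so the wrap reproduces on a 64-bit host) and the checks a
 * loader needs before trusting the count.  The record layout is assumed. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define PTR32 4u   /* sizeof(void *) on the 32-bit builds in question (assumed) */

static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32le(const uint8_t *p) { return rd16le(p) | ((uint32_t)rd16le(p + 2) << 16); }

/* Unchecked: cstUnique * sizeof(pointer) in 32-bit arithmetic.  A count of
 * 0x40000001 yields 4: a 4-byte heap block, followed by a fill loop that
 * stores a billion pointers into it. */
uint32_t sst_table_bytes_unchecked(uint32_t cst_unique)
{
    return cst_unique * PTR32;
}

/* Checked: refuse any count whose product cannot be represented. */
int sst_table_bytes_checked(uint32_t cst_unique, uint32_t *out)
{
    if (cst_unique > UINT32_MAX / PTR32)
        return -1;
    *out = cst_unique * PTR32;
    return 0;
}

typedef struct { const uint8_t *data; uint16_t len; } sst_str;

/* Load a constructed SST-like record.  Returns the number of strings and
 * sets *out to a malloc'd array (caller frees), or -1 if the record is
 * malformed.  Two checks gate the allocation: the 32-bit product must not
 * wrap, and the count must fit the bytes actually present. */
int sst_load(const uint8_t *rec, size_t len, sst_str **out)
{
    if (len < 4)
        return -1;
    uint32_t cst = rd32le(rec);
    uint32_t modelled;
    if (sst_table_bytes_checked(cst, &modelled) != 0)
        return -1;                 /* 32-bit product would wrap */
    if (cst > (len - 4) / 2)
        return -1;                 /* more strings than bytes for their 2-byte prefixes */
    if (cst > SIZE_MAX / sizeof(sst_str))
        return -1;                 /* host-size check for the real allocation */
    sst_str *arr = malloc(cst ? cst * sizeof *arr : 1);
    if (!arr)
        return -1;
    size_t off = 4;
    for (uint32_t i = 0; i < cst; i++) {
        if (len - off < 2 || rd16le(rec + off) > len - off - 2) {
            free(arr);
            return -1;             /* string runs past the record */
        }
        arr[i].len = rd16le(rec + off);
        arr[i].data = rec + off + 2;
        off += 2 + arr[i].len;
    }
    *out = arr;
    return (int)cst;               /* bounded by len/2 above, so it fits an int */
}

/* Constructed sample records. */
static const uint8_t SST_GOOD[] = { 0x02, 0x00, 0x00, 0x00,        /* cstUnique = 2 */
                                    0x02, 0x00, 'a', 'b',
                                    0x03, 0x00, 'x', 'y', 'z' };
static const uint8_t SST_WRAP[] = { 0x01, 0x00, 0x00, 0x40,        /* cstUnique = 0x40000001 */
                                    0x02, 0x00, 'a', 'b' };
static const uint8_t SST_OVERCOUNT[] = { 0x32, 0x00, 0x00, 0x00,   /* claims 50 strings */
                                         0x02, 0x00, 'a', 'b' };

int main(void)
{
    sst_str *s = NULL;
    int n = sst_load(SST_GOOD, sizeof SST_GOOD, &s);
    printf("good: %d strings, last len %u\n", n, n > 0 ? s[n - 1].len : 0);
    if (n > 0)
        free(s);
    printf("wrap: unchecked size %u bytes, rc=%d\n",
           sst_table_bytes_unchecked(0x40000001u), sst_load(SST_WRAP, sizeof SST_WRAP, &s));
    printf("overcount: rc=%d\n", sst_load(SST_OVERCOUNT, sizeof SST_OVERCOUNT, &s));
    return 0;
}
```

The consistency check against the record length is the stronger of the two in practice: it rejects the 0x40000001 count long before the multiplication is reached, and it also rejects counts that do not wrap but would still make the fill loop read past the record.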
Remote exploitation of a memory corruption vulnerability in Apple Inc.'s
OfficeImport framework could allow an attacker to execute arbitrary code
with the privileges of the current user.
The vulnerability occurs when parsing an Excel file with a certain
maliciously constructed record. This record is used to describe a
formula that is shared between multiple cells. In this record, the
'formula' field is used to specify the formula used. By corrupting
certain opcodes within this formula it is possible to trigger a memory
corruption vulnerability. This can lead to the execution of arbitrary
code.
ZDI-10-104: Microsoft Office Excel SxView Record Parsing Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-104
June 8, 2010
-- CVE ID:
CVE-2010-0821
-- Affected Vendors:
Microsoft