
stack/based

Secunia Research: Novell iPrint Client ActiveX Control Multiple Buffer Overflows

iPrint Client, which can be exploited by malicious people to 
compromise a user's system.

1) A boundary error in the Novell iPrint ActiveX control (ienipp.ocx)
when handling the "GetDriverFile()" method can be exploited to cause a
stack-based buffer overflow by passing an overly long string as the 
third argument.

2) Two boundary errors in the Novell iPrint ActiveX control 
(ienipp.ocx) when constructing a URI based on input to the 
"GetPrinterURLList()" and "GetPrinterURLList2()" methods can be 

CORE-2010-0316 - Novell iManager Multiple Vulnerabilities

2. *Vulnerability Information*

Class: Stack-based buffer overflow [CWE-119], Off-by-one error [CWE-193]
Impact: Code execution, Denial of service
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2010-1929, CVE-2010-1930
Bugtraq ID: 40480, 40485

CORE-2009-0122: HP OpenView Buffer Overflows

Several buffer overflows have been found in HP OpenView Network Node
Manager, which can be exploited to remotely compromise a user's system.

While working on an exploit for the vulnerabilities disclosed in the
advisory [3], three bugs were found. The stack-based bug found on CGI
parameter 'OvOSLocale' is similar to one of the bugs previously reported
in [3] whereas the two heap-based bugs are different vulnerabilities.

Versions 7.51, 7.53, and 7.53 with patch NNM_01195 were tested and all
of them were vulnerable. The two heap-based buffer overflows are

Secunia Research: HP OpenView Network Node Manager Multiple Vulnerabilities

Secunia Research has discovered vulnerabilities in HP OpenView Network
Node Manager, which can be exploited by malicious people to compromise
a vulnerable system.

1) Various boundary errors in the OpenView5.exe CGI application when
processing parameters can be exploited to cause stack-based buffer 
overflows via HTTP requests to the CGI application with overly long 
parameter strings.

2) A boundary error in ov.dll can be exploited to cause a stack-based
buffer overflow by e.g. sending an HTTP request to the OpenView5.exe 

Secunia Research: Free Download Manager Four Buffer Overflow Vulnerabilities

Secunia Research has discovered four vulnerabilities in Free Download
Manager, which can be exploited by malicious people to compromise a
user's system.

1) A boundary error when opening folders within the "Site Explorer" 
functionality can be exploited to cause a stack-based buffer overflow.

2) A boundary error when e.g. opening websites in the "Site Explorer"
functionality can be exploited to cause a stack-based buffer overflow.

3) A boundary error when processing FTP URIs can be exploited to 

iDefense Security Advisory 05.12.09: Microsoft PowerPoint PPT 4.0 Importer Multiple Stack Buffer Overflow Vulnerabilities

http://office.microsoft.com/en-us/powerpoint/default.aspx

II. DESCRIPTION

Remote exploitation of multiple stack-based buffer overflow
vulnerabilities in Microsoft Corp.'s PowerPoint could allow an attacker
to execute arbitrary code with the privileges of the current user.

The vulnerabilities exist within the importer for PowerPoint 4.0 format
files. This functionality is contained within the PP4X32.DLL.

CORE-2008-1211: Amaya web editor XML and HTML parser vulnerabilities

Multiple stack buffer overflow vulnerabilities have been discovered in
Amaya web editor/browser [1], which can be exploited by unauthorized
people using crafted web pages to compromise a user's system.

A boundary error when processing 'input' HTML tags can be exploited to
cause a stack-based buffer overflow via an overly long 'type' parameter
(Bugtraq ID 33046). Code analysis of the Amaya XHTML parser reveals
multiple unchecked buffers declared on the stack, one of which is used
in the function 'EndOfXmlAttributeValue()':

/-----------

EEYE: Multiple Vulnerabilities in CA ARCserve for Laptops & Desktops

    Field 2: RPC command ("rxrLogin")
    Field 3: Constant Argument Delimiter ("~~")
    Field 4: Argument ("administrator")

Vulnerability #1: Authentication Username Overflow
A stack-based buffer overflow exists within the authentication portion
of rxRPC.dll which is accessible via TCP/1900.  A sample legitimate
authentication packet resembles the following:

    0000000013rxrLogin~~administrator


n.runs-SA-2011.001 - Citrix XenApp / XenDesktop Stack-Based Buffer Overflow

28-Jul-2011
___________________________________________________________________________
Vendor:         Citrix, http://www.citrix.com
Affected Products:      XenApp and XenDesktop
Affected Version:       See the Citrix security bulletin [2] for a list
Vulnerability:          Stack-Based Buffer Overflow in Citrix XML Service
Risk:                   HIGH
___________________________________________________________________________

Vendor communication:


Secunia Research: NTR ActiveX Control Four Buffer Overflow Vulnerabilities

Secunia Research has discovered four vulnerabilities in NTR ActiveX 
control, which can be exploited by malicious people to compromise a 
user's system.

1) A boundary error in the handling of the "StartModule()" method can 
be exploited to cause a stack-based buffer overflow via an overly long
"bstrUrl" parameter.

2) A boundary error when constructing a URL can be exploited to cause 
a stack-based buffer overflow via e.g. an overly long, specially 
crafted "bstrParams" parameter passed to the "Check()" method.

Positron Security Advisory #2009-000: Multiple Vulnerabilities in MapServer v5.2.1 and v4.10.3

III. Detailed Description


A. Stack-based Buffer Overflow (CVE-2009-0839)
   Severity: Medium/High

    A buffer overflow that could allow for the execution of arbitrary
code exists in the "mapserv" CGI program.  In mapserv.c are the
following lines of code:

iDefense Security Advisory 03.02.10: IBM Lotus Domino Web Access ActiveX Stack Buffer Overflow Vulnerability

http://www-01.ibm.com/software/lotus/products/inotes/

II. DESCRIPTION

Remote exploitation of a stack-based buffer overflow vulnerability in
IBM Corp.'s Lotus Domino Web Access ActiveX control could allow an
attacker to execute arbitrary code with the privileges of the current
user.

The vulnerable function takes an attacker-controlled URL, and copies it

[ GLSA 200806-01 ] mtr: Stack-based buffer overflow

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: mtr: Stack-based buffer overflow
      Date: June 03, 2008
      Bugs: #223017
        ID: 200806-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Secunia Research: Free Download Manager Torrent Parsing Buffer Overflows

1) A boundary error in the parsing of file names inside torrent files
can be exploited to cause a heap-based buffer overflow via an overly 
long file name.

2) Two boundary errors when parsing names from torrent files can be 
exploited to cause stack-based buffer overflows via overly long file
names.

3) A boundary error when parsing tracker URLs from torrent files can 
be exploited to cause a stack-based buffer overflow via an overly 
long tracker URL.

[ GLSA 200810-01 ] WordNet: Execution of arbitrary code

* Jukka Ruohonen and Rob Holland (oCERT) reported multiple boundary
  errors within the searchwn() function in src/wn.c, the wngrep()
  function in lib/search.c, the morphstr() and morphword() functions in
  lib/morph.c, and the getindex() in lib/search.c, which lead to
  stack-based buffer overflows.

* Rob Holland (oCERT) reported two boundary errors within the
  do_init() function in lib/morph.c, which lead to stack-based buffer
  overflows via specially crafted "WNSEARCHDIR" or "WNHOME" environment
  variables.

Foxit Reader Multiple Vulnerabilities (CORE-2009-0218)

If an 'Open/Execute a file' action is defined in the PDF file, when the
trigger condition is satisfied, Foxit Reader will open/execute the file
defined by the creator of the PDF file without asking the user for
confirmation. A proof of concept PDF file is included [4].

The second one is a stack-based buffer overflow (CVE-2009-0837). If an
'Open/Execute a file' action is defined in the PDF file with an overly
long filename argument, when the trigger condition is satisfied it will
cause a stack-based buffer overflow, because the application tries to
copy the filename argument to a fixed-size buffer in the stack without
properly checking that the buffer is large enough to hold the filename

[RISE-2007003] Firebird Relational Database Multiple Buffer Overflow Vulnerabilities

DETAILS

The vulnerable functions do not validate user supplied data when copying
it to a stack-based buffer, resulting in a stack-based buffer overflow. The
exploitation of these vulnerabilities is trivial and results in remote
compromise of the vulnerable system.

This is the list of vulnerable functions, some of them contain more than one

[RISE-2007002] Borland InterBase Multiple Buffer Overflow Vulnerabilities

DETAILS

The vulnerable functions do not validate user supplied data when copying
it to a stack-based buffer, resulting in a stack-based buffer overflow. The
exploitation of these vulnerabilities is trivial and results in remote
compromise of the vulnerable system.

This is the list of vulnerable functions, some of them contain more than one

[ GLSA 200710-08 ] KOffice, KWord, KPDF, KDE Graphics Libraries: Stack-based buffer overflow

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: KOffice, KWord, KPDF, KDE Graphics Libraries: Stack-based
            buffer overflow
      Date: October 09, 2007
      Bugs: #187139
        ID: 200710-08


CORE-2007-0928: Stack-based buffer overflow vulnerability in OpenBSD’s DHCP server

        Core Security Technologies – CoreLabs Advisory
             http://www.coresecurity.com/corelabs

Stack-based buffer overflow vulnerability in OpenBSD’s DHCP server

*Advisory Information*

Title: Stack-based buffer overflow vulnerability in OpenBSD’s DHCP server


iDefense Security Advisory 08.21.07: Trend Micro ServerProtect Multiple Buffer Overflow Vulnerabilities

proper bounds checking. The third problem exists within the
RPCFN_SetComputerName function. This function copies user-supplied data
into a fixed-size stack buffer using the MultiByteToWideChar() function
without correctly specifying the output buffer length.

Two stack-based buffer overflows exist within the Stcommon.dll library.
These problems specifically exist within the
RPCFN_CMON_SetSvcImpersonateUser and
RPCFN_OldCMON_SetSvcImpersonateUser functions. These functions copy
user-supplied data into a fixed-size stack buffer without performing
proper bounds checking.

iDefense Security Advisory 07.26.07: IBM AIX capture Terminal Control Sequence Buffer Overflow Vulnerability

http://publib.boulder.ibm.com/infocenter/pseries/v5r3/topic/com.ibm.aix.cmds/doc/aixcmds1/capture.htm

II. DESCRIPTION

Local exploitation of a stack-based buffer overflow vulnerability in the
'capture' program, as included with IBM Corp.'s AIX operating system,
allows an attacker to execute arbitrary code with root privileges.

The vulnerability exists within the code that parses terminal control
sequences. A long series of control sequences will trigger an

[ MDVSA-2011:103 ] gimp

 Problem Description:

 Multiple vulnerabilities were discovered and fixed in gimp:
 
 Stack-based buffer overflow in the "LIGHTING EFFECTS > LIGHT" plugin in
 GIMP 2.6.11 allows user-assisted remote attackers to cause a denial
 of service (application crash) or possibly execute arbitrary code
 via a long Position field in a plugin configuration file.  NOTE:
 it may be uncommon to obtain a GIMP plugin configuration file from
 an untrusted source that is separate from the distribution of the

[SECURITY] [DSA 2426-1] gimp security update

Several vulnerabilities have been identified in GIMP, the GNU Image
Manipulation Program.

CVE-2010-4540
        Stack-based buffer overflow in the load_preset_response
        function in plug-ins/lighting/lighting-ui.c in the "LIGHTING
        EFFECTS > LIGHT" plugin allows user-assisted remote attackers
        to cause a denial of service (application crash) or possibly
        execute arbitrary code via a long Position field in a plugin
        configuration file.

FreeBSD Security Advisory FreeBSD-SA-09:11.ntpd

=============================================================================
FreeBSD-SA-09:11.ntpd                                       Security Advisory
                                                          The FreeBSD Project

Topic:          ntpd stack-based buffer-overflow vulnerability

Category:       contrib
Module:         ntpd
Announced:      2009-06-10
Credits:        Chris Ries

[USN-777-1] Ntp vulnerabilities

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

A stack-based buffer overflow was discovered in ntpq. If a user were
tricked into connecting to a malicious ntp server, a remote attacker could
cause a denial of service in ntpq, or possibly execute arbitrary code with
the privileges of the user invoking the program. (CVE-2009-0159)

Chris Ries discovered a stack-based overflow in ntp. If ntp was configured

[RISE-2009002] Linux eCryptfs parse_tag_11_packet Literal Data Buffer Overflow Vulnerability

The parse_tag_11_packet function of eCryptfs in-kernel key management code
does not check if the tag 11 packet contains a literal data size
(tag11_contents_size) larger than literal data maximum size
(max_contents_bytes), before copying the literal data contents to a
stack-based buffer (of ECRYPTFS_SIG_SIZE size) passed by
ecryptfs_parse_packet_set function as the contents parameter, resulting in a
kernel stack-based buffer overflow vulnerability.

fs/ecryptfs/keystore.c
--

[ MDVSA-2009:312 ] dhcp

 56455 and 6.x before 6.0.1 Build 55017, Player before 1.0.5 Build 56455
 and Player 2 before 2.0.1 Build 55017, ACE before 1.0.3 Build 54075 and
 ACE 2 before 2.0.1 Build 55017, and Server before 1.0.4 Build 56528;
 allows remote attackers to cause a denial of service (daemon crash)
 or execute arbitrary code via a malformed DHCP packet with a large
 dhcp-max-message-size that triggers a stack-based buffer overflow,
 related to servers configured to send many DHCP options to clients
 (CVE-2007-0062).
 
 Stack-based buffer overflow in the script_write_params method in
 client/dhclient.c in ISC DHCP dhclient 4.1 before 4.1.0p1, 4.0

iDefense Security Advisory 06.04.08: Kaspersky Internet Security IOCTL Stack Based Buffer Overflow Vulnerability

http://www.kaspersky.com/

II. DESCRIPTION

Local exploitation of a stack-based buffer overflow in Kaspersky Lab's
Internet Security could allow an attacker to execute arbitrary code in
the context of the kernel.

The kl1.sys kernel driver distributed with Internet Security contains a
stack-based buffer overflow in the handling of IOCTL 0x800520e8. This

[ GLSA 201006-06 ] Transmission: Multiple vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Stack-based buffer overflows in Transmission may allow for remote
execution of arbitrary code.

Background
==========


Copyright © 1995-2012 LinuxRocket.net. All rights reserved.