stack
$fnn = $matches[1]; // get the function name
if (in_array($matches[1], $this->fb)) { // make sure it isn't built in
return $this->trigger("cannot redefine built-in function '$matches[1]()'");
}
$args = explode(",", preg_replace("/\s+/", "", $matches[2])); // get the arguments
if (($stack = $this->nfx($matches[3])) === false) return false; // see if it can be converted to postfix
for ($i = 0; $i<count($stack); $i++) { // freeze the state of the non-argument variables
$token = $stack[$i];
if (preg_match('/^[a-z]\w*$/', $token) and !in_array($token, $args)) {
if (array_key_exists($token, $this->v)) {
$stack[$i] = $this->v[$token];
Although the CPI field is 16 bits wide, in reality only 1 algorithm is widely
implemented, RFC1951 DEFLATE (cpi=2).
It's well documented that ipcomp can be used to traverse perimeter filtering,
however this document discusses potential implementation flaws observed in
popular stacks.
The IPComp implementation originating from NetBSD/KAME implements injection of
unpacked payloads like so:
algo = ipcomp_algorithm_lookup(cpi);
check certain sizes. A local attacker could perform malicious ioctl calls
that could crash the system, leading to a denial of service. (Only Ubuntu
10.04 LTS was affected.) (CVE-2010-2478, CVE-2010-3084)
Eric Dumazet discovered that many network functions could leak kernel
stack contents. A local attacker could exploit this to read portions
of kernel memory, leading to a loss of privacy. (Ubuntu 10.10 was not
affected.) (CVE-2010-2942, CVE-2010-3477)
Dave Chinner discovered that the XFS filesystem did not correctly order
inode lookups when exported by NFS. A remote attacker could exploit this to
read or write disk blocks that had changed file assignment or had become
unlinked, leading to a loss of privacy. (CVE-2010-2943)
Dan Rosenberg discovered that several network ioctls did not clear kernel
memory correctly. A local user could exploit this to read kernel stack
memory, leading to a loss of privacy. (CVE-2010-3296, CVE-2010-3297)
Dan Jacobson discovered that ThinkPad video output was not correctly
access controlled. A local attacker could exploit this to hang the system,
leading to a denial of service. (CVE-2010-3448)
Dan Rosenberg discovered that the swapexit xfs ioctl did not correctly
check file permissions. A local attacker could exploit this to read from
write-only files, leading to a loss of privacy. (CVE-2010-2226)
Gael Delalleu, Rafal Wojtczuk, and Brad Spengler discovered that the memory
manager did not properly handle when applications grow stacks into adjacent
memory regions. A local attacker could exploit this to gain control of
certain applications, potentially leading to privilege escalation, as
demonstrated in attacks against the X server. (CVE-2010-2240)
Suresh Jayaraman discovered that CIFS did not correctly validate certain
; [<error code>]
; <return RIP> <return CS> <return RFLAGS>
; [<return RSP> <return SS>]
;
; The first act of typical ISR prologue code is to build a standard
; "trap frame" on the stack -- saving registers, etc.
... ; GS -> user or kernel
; If the CPL at the time of the fault (recorded in the two least
; significant bits of <return CS>) was zero, then the fault occurred
If an 'Open/Execute a file' action is defined in the PDF file, when the
trigger condition is satisfied, Foxit Reader will open/execute the file
defined by the creator of the PDF file without asking the user for
confirmation. A proof of concept PDF file is included [4].
The second one is a stack-based buffer overflow (CVE-2009-0837). If an
'Open/Execute a file' action is defined in the PDF file with an overly
long filename argument, when the trigger condition is satisfied it will
cause a stack-based buffer overflow, because the application tries to
copy the filename argument to a fixed-size buffer in the stack without
properly checking that the buffer is large enough to hold the filename
2. *Vulnerability Information*
Class: Stack-based Buffer Overflow [CWE-121], Stack-based Buffer
Overflow [CWE-121]
Impact: Code execution
Remotely Exploitable: Yes (client-side)
Locally Exploitable: No
CVE Name: CVE-2010-3269, CVE-2010-3270
exploit this to crash the system or possibly execute arbitrary code as
the root user. (CVE-2010-3874)
Vasiliy Kulikov discovered that the Linux kernel X.25 implementation did
not correctly clear kernel memory. A local attacker could exploit this to
read kernel stack memory, leading to a loss of privacy. (CVE-2010-3875)
Vasiliy Kulikov discovered that the Linux kernel sockets implementation did
not properly initialize certain structures. A local attacker could exploit
this to read kernel stack memory, leading to a loss of privacy.
(CVE-2010-3876)
Report Confidence: Confirmed
CVE-2008-0063
VU#895609
Uninitialized stack values cause re-use of a small window of previous
stack values to be interpreted as message content. Some of the
"content" may be returned to the attacker as part of an error
response.
CVSSv2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N/E:P/RL:O/RC:C
CS <- tempCS; // This is the commit point (privilege switch)
EFLAGS (CF, PF, AF, ZF, SF, TF, DF, OF, NT) <- tempEFLAGS;
When the processor handles an exception, two cases can arise:
- the handler procedure is executed at the same level of privilege
as the interrupted procedure, no stack switch occurs
- the handler procedure is executed at a different privilege level,
therefore a stack switch occurs
The generated stack frame will be different if a stack switch occurs,
because the processor needs to save the interrupted procedure's stack.
Release mode: Coordinated release
2. *Vulnerability Information*
Class: Remote stack overflow [CWE-120], Null pointer dereference
[CWE-476], Improper input validation [CWE-20]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2011-1865, CVE-2011-1514, CVE-2011-1515
Application: Sunway ForceControl
http://www.sunwayland.com.cn/pro.asp
Versions: <= 6.1 sp3 with AngelServer and WebServer updated
Platforms: Windows
Bugs: various stack overflows
directory traversals
third party ActiveX code execution
various Denials of Service
Exploitation: remote
Date: 22 Sep 2011
error handlers of the affected application. Exploitation would be
achieved by overwriting pointers in memory with arbitrary values stored
inside the FLAC file or hard-coded addresses in DLL files that direct
code execution toward the attacker's payload.
Vulnerability #3: VORBIS Comment String Size Length Stack Overflow
This is due to predetermined buffer sizes in applications when handling
data in the VORBIS Comment Metadata block. By inserting an overly long
VORBIS Comment data string along with a large VORBIS Comment data
string size value (such as 0x000061A8 followed by 25,050 A's),
applications that do not properly apply boundary checks will result in a
Hash: SHA1
Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs/
NASA BigView Stack Buffer Overflow
*Advisory Information*
Title: NASA BigView Stack Buffer Overflow
Several buffer overflows have been found in HP OpenView Network Node
Manager, which can be exploited to remotely compromise a user's system.
While working on an exploit for the vulnerabilities disclosed in the
advisory [3], three bugs were found. The stack-based bug found on CGI
parameter 'OvOSLocale' is similar to one of the bugs previously reported
in [3] whereas the two heap-based bugs are different vulnerabilities.
Versions 7.51, 7.53, and 7.53 with patch NNM_01195 were tested and all
of them were vulnerable. The two heap-based buffer overflows are
_______________________________________________________________________
Problem Description:
The do_anonymous_page function in mm/memory.c in the Linux kernel
does not properly separate the stack and the heap, which allows
context-dependent attackers to execute arbitrary code by writing
to the bottom page of a shared memory segment, as demonstrated by a
memory-exhaustion attack against the X.Org X server. (CVE-2010-2240)
The do_tcp_setsockopt function in net/ipv4/tcp.c in the Linux kernel
check certain parameters. A local attacker could exploit this to gain root
privileges. (CVE-2010-3904)
Nelson Elhage discovered several problems with the Acorn Econet protocol
driver. A local user could cause a denial of service via a NULL pointer
dereference, escalate privileges by overflowing the kernel stack, and
assign Econet addresses to arbitrary interfaces. (CVE-2010-3848,
CVE-2010-3849, CVE-2010-3850)
Ben Hawkes discovered that the Linux kernel did not correctly validate
memory ranges on 64bit kernels when allocating memory on behalf of 32bit
> Date: Tue, 10 Nov 2009 23:26:09 +0100
> Subject: Exploit writing tutorials
>
> Hi all,
>
> Just wanted to share the following links/tutorials on writing windows (stack based) exploits :
>
> * Stack based overflows (direct RET overwrite) :
> (Tutorial Part 1)
> http://www.corelan.be:8800/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/
>
- -----------/
WePO takes the value of "mainurl" parameter in OLECHAR format and
transforms it to a BSTR string using the API SysAllocStringLen from
oleaut32.dll. The pointer to a BSTR string returned by SysAllocStringLen
is stored in the stack.
/-----------
024F64B8 . 51 PUSH ECX
~ ; length of "mainurl" value
Hi all,
Just wanted to share the following links/tutorials on writing windows (stack based) exploits :
* Stack based overflows (direct RET overwrite) :
(Tutorial Part 1)
http://www.corelan.be:8800/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/
* Jumping to shellcode :
(Tutorial Part 2)
http://office.microsoft.com/en-us/word/default.aspx
II. DESCRIPTION
Remote exploitation of multiple stack-based buffer overflow
vulnerabilities in Microsoft Corp.'s PowerPoint could allow an attacker
to execute arbitrary code with the privileges of the current user.
The vulnerabilities exist within the importer for PowerPoint 95 format
files. This functionality is contained within the PP7X32.DLL.
Application: Microsoft HTML Help
http://www.microsoft.com
Versions: <= 6.1
Platforms: Windows (any version, including the latest Windows 7)
Bug: stack overflow
Date: 12 Apr 2011 (found 20 Feb 2011)
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org
http://www.cytel.com/Software/StatXact.aspx
http://www.cytel.com/Software/LogXact.aspx
http://www.cytel.com/Software/Crossover.aspx
Versions: <= 9.0.0
Platforms: Windows
Bugs: A] strings stack overflow
B] rows integer overflow
C] CYB USE stack overflow
Exploitation: file
Date: 02 Oct 2011
Author: Luigi Auriemma
Bob Peterson discovered that GFS2 rename operations did not correctly
validate certain sizes. A local attacker could exploit this to crash the
system, leading to a denial of service. (CVE-2010-2798)
Dear jplopezy@gmail.com,
Stack exhaustion and stack overflow are 2 names for the same thing.
Stack _buffer_ overflow, aka stack overrun, is a different thing.
--Thursday, January 29, 2009, 6:31:05 PM, you wrote to bugtraq@securityfocus.com:
jgc> According to MS, it is stack exhaustion and not overflow.
Microsoft Windows NT #GP Trap Handler Allows Users to Switch Kernel Stack
-------------------------------------------------------------------------
CVE-2010-0232
In order to support BIOS service routines in legacy 16bit applications, the
Windows NT Kernel supports the concept of BIOS calls in the Virtual-8086 mode
monitor code. These are implemented in two stages, the kernel transitions to
the second stage when the #GP trap handler (nt!KiTrap0D) detects that the
faulting cs:eip matches specific magic values.