
triggers

Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances and Cisco Catalyst 6500 Series ASA Services Module

Cisco ASA UDP Inspection Engine Denial of Service Vulnerability
+--------------------------------------------------------------

The Cisco ASA UDP inspection engine that is used to inspect UDP-based
protocols contains a vulnerability that could allow a remote
unauthenticated attacker to trigger a reload of the Cisco ASA.

All UDP protocols that are being inspected by the Cisco ASA UDP
inspection engine may be vulnerable. The following protocols are known
to use the Cisco ASA UDP inspection engine:


Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances

TCP Connection Exhaustion Denial of Service Vulnerability
+--------------------------------------------------------

Cisco ASA 5500 Series Adaptive Security Appliances may experience a TCP
connection exhaustion condition (no new TCP connections are accepted)
that can be triggered through the receipt of specific TCP segments
during the TCP connection termination phase. Appliances that are running
versions 7.1.x, 7.2.x, 8.0.x, 8.1.x, and 8.2.x are affected when they
are configured for any of the following features:

  * SSL VPNs

CORE-2008-0126: Multiple vulnerabilities in iCal

of the application or to repeatedly execute a denial of service attack
to crash the iCal application.

 The most serious of the three vulnerabilities is due to potential
memory corruption resulting from a resource liberation bug that can be
triggered with a malformed '.ics' calendar file specially crafted by a
would-be attacker.

 The other two vulnerabilities lead to abnormal termination (crash) of
the iCal application due to null-pointer dereference bugs triggered
while parsing malformed '.ics' files. The ability to inject and

Cisco Security Advisory: Multiple Vulnerabilities in the Cisco ACE Application Control Engine Module and Cisco ACE 4710 Application Control Engine

exploited by an unauthenticated attacker while sending crafted RTSP
packets. Only devices with RTSP inspection enabled are affected. RTSP
inspection is disabled by default.

Note: A TCP three-way handshake is needed in order to exploit this
vulnerability. Only transit traffic can trigger this vulnerability;
traffic that is destined to the affected device will not trigger the
vulnerability.

This vulnerability is documented in these Cisco Bug IDs and has been
assigned these Common Vulnerability and Exposures (CVE) IDs:

Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances

Transport Layer Security (TLS) Denial of Service Vulnerabilities
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Three DoS vulnerabilities exist in the Cisco ASA security appliances
that can be triggered by a series of crafted TLS packets. A
successful attack may result in a sustained DoS condition. Versions
7.2.x, 8.0.x, 8.1.x, 8.2.x, and 8.3.x are affected by one or more of
these vulnerabilities. A Cisco ASA device configured for any of the
following features is affected:


[SECURITY] [DSA 1858-1] New imagemagick packages fix several vulnerabilities

CVE-2007-1667
        
   Multiple integer overflows in the XInitImage function in xwd.c for
   ImageMagick allow user-assisted remote attackers to cause a denial of
   service (crash) or obtain sensitive information via crafted images with
   large or negative values that trigger a buffer overflow. It only affects
   the oldstable distribution (etch).

CVE-2007-1797

   Multiple integer overflows allow remote attackers to execute arbitrary

CORE-2010-0514: XnView MBM Processing Heap Overflow

tool which is supplied with any Symbian (and EPOC) SDK.


8.1. *First Proof-of-Concept*

An MBM file that triggers this vulnerability is available at [2]. The
following is an excerpt of the vulnerable code, and the value of the
registers when the vulnerability is triggered (the values of EAX and ECX
are controlled by the attacker).

/-----

Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances and Cisco Catalyst 6500 Series ASA Services Module

A DoS vulnerability affects the MSN IM inspection feature of Cisco
ASA 5500 Series Adaptive Security Appliances. During successful
exploitation, an unauthenticated attacker could cause the affected
device to reload and may result in a sustained DoS condition.

Note: Only transit traffic can trigger this vulnerability; traffic that
is destined to the appliance will not trigger the vulnerability. MSN IM
inspection is not enabled by default.

This vulnerability is documented in Cisco bug ID CSCtl67486 and has been
assigned CVE ID CVE-2011-3304.

OpenX 2.6.4 multiple vulnerabilities

----------- Major issues -----------

::::: SQL vulnerabilities :::::

[[ Trigger: /adview.php ]] 

Description: 
The cookie "OAID" is not filtered when adview.php is accessed and used directly to construct the SQL INSERT statement. 

[[ Trigger: /www/delivery/tjs.php ]]

[CVE-2010-0432] Apache OFBiz Multiple XSS Vulnerabilities

  <link target="exportCategoryEbayStore">
    <parameter param-name="productStoreId" value="${parameters.productStoreId}"/>
  </link>
</menu-item>

The vulnerability can be triggered by clicking on the 
following URL:

https://www.ofbiz-example.com/ebaystore/control/exportProductListing?productStoreId=90100"
style="width:100%25;height:100%25;display:block;position:absolute;top:0px;left:0px"
onMouseOver="alert(document.cookie)

Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA Adaptive Security Appliance and Cisco PIX Security Appliances

Crafted HTTP Packet DoS Vulnerability
+------------------------------------

Cisco ASA security appliances may experience a device reload that can be
triggered by a series of crafted HTTP packets, when configured for SSL
VPNs or when configured to accept Cisco Adaptive Security Device Manager
(ASDM) connections. Only Cisco ASA software versions 8.0 and 8.1 are
affected by this vulnerability.

Crafted TCP Packet DoS Vulnerability

[ MDVSA-2010:087 ] poppler

 earlier allow remote attackers to cause a denial of service (crash)
 via a crafted PDF file (CVE-2009-0147).
 
 The JBIG2 decoder in Xpdf 3.02pl2 and earlier allows remote attackers
 to cause a denial of service (crash) via a crafted PDF file that
 triggers a free of uninitialized memory (CVE-2009-0166).
 
 Heap-based buffer overflow in Xpdf 3.02pl2 and earlier, CUPS 1.3.9,
 and probably other products, allows remote attackers to execute
 arbitrary code via a PDF file with crafted JBIG2 symbol dictionary
 segments (CVE-2009-0195).

Cisco Security Advisory: Multiple Vulnerabilities in Cisco Firewall Services Module

    message 302015 (refer to the following examples)

System log message 302015 has a default severity level of 6
(informational) so, assuming that the system administrator has not
changed this default severity level, the vulnerability can be
triggered if the device is logging to any destination at level 6 or
level 7 (debug). As an example, the following configuration is
vulnerable:

    logging enable
    !

Cisco Security Advisory: Cisco IOS Software TCP Denial of Service Vulnerability

states could consume system resources and prevent an affected device
from accepting or initiating new TCP connections, including any
TCP-based remote management access to the device.

No authentication is required to exploit this vulnerability. An attacker
does not need to complete a three-way handshake to trigger this
vulnerability; therefore, this vulnerability can be exploited using
spoofed packets. This vulnerability may be triggered by normal network
traffic.

Cisco has released Cisco IOS Software Release 15.1(2)T0a to address this

[SECURITY] [DSA 1903-1] New graphicsmagick packages fix several vulnerabilities

CVE-2007-1667

  Multiple integer overflows in the XInitImage function in xwd.c for
  GraphicsMagick allow user-assisted remote attackers to cause a
  denial of service (crash) or obtain sensitive information via
  crafted images with large or negative values that trigger a
  buffer overflow. It only affects the oldstable distribution (etch).

CVE-2007-1797

  Multiple integer overflows allow remote attackers to execute arbitrary

Cisco Security Advisory: Cisco NX-OS Malformed IP Packet Denial of Service Vulnerability

processes a malformed IP packet and obtaining Layer 4 (UDP or TCP)
information from the packet is required.

The vulnerability is in the operating system's IP stack and any feature
that makes use of services offered by the IP stack to parse IP packets
is affected. For instance, the following scenarios may trigger the
vulnerability because they imply that Layer 4 (UDP or TCP) information
is required to be able to perform the configured function:

  * A malformed, transit IP packet that would normally be forwarded
    by the switch is received and the Time-to-live (TTL) is 1. In

[ MDVSA-2010:055 ] poppler

 attackers to execute arbitrary code or cause a denial of service
 (application crash) via a crafted PDF document (CVE-2009-1188).
 
 Integer overflow in the SplashBitmap::SplashBitmap function in Xpdf 3.x
 before 3.02pl4 and Poppler before 0.12.1 might allow remote attackers
 to execute arbitrary code via a crafted PDF document that triggers a
 heap-based buffer overflow.  NOTE: some of these details are obtained
 from third party information.  NOTE: this issue reportedly exists
 because of an incomplete fix for CVE-2009-1188 (CVE-2009-3603).
 
 The Splash::drawImage function in Splash.cc in Xpdf 2.x and 3.x

[ MDVSA-2011:061 ] ffmpeg

 Multiple vulnerabilities have been identified and fixed in ffmpeg:
 
 oggparsevorbis.c in FFmpeg 0.5 does not properly perform certain
 pointer arithmetic, which might allow remote attackers to obtain
 sensitive memory contents and cause a denial of service via a crafted
 file that triggers an out-of-bounds read. (CVE-2009-4632)
 
 vorbis_dec.c in FFmpeg 0.5 uses an assignment operator when a
 comparison operator was intended, which might allow remote attackers
 to cause a denial of service and possibly execute arbitrary code via
 a crafted file that modifies a loop counter and triggers a heap-based

[ MDVSA-2011:088 ] mplayer

 Multiple vulnerabilities have been identified and fixed in mplayer:
 
 oggparsevorbis.c in FFmpeg 0.5 does not properly perform certain
 pointer arithmetic, which might allow remote attackers to obtain
 sensitive memory contents and cause a denial of service via a crafted
 file that triggers an out-of-bounds read. (CVE-2009-4632)
 
 vorbis_dec.c in FFmpeg 0.5 uses an assignment operator when a
 comparison operator was intended, which might allow remote attackers
 to cause a denial of service and possibly execute arbitrary code via
 a crafted file that modifies a loop counter and triggers a heap-based

[ MDVSA-2011:112 ] blender

 Multiple vulnerabilities have been identified and fixed in blender:
 
 oggparsevorbis.c in FFmpeg 0.5 does not properly perform certain
 pointer arithmetic, which might allow remote attackers to obtain
 sensitive memory contents and cause a denial of service via a crafted
 file that triggers an out-of-bounds read. (CVE-2009-4632)
 
 vorbis_dec.c in FFmpeg 0.5 uses an assignment operator when a
 comparison operator was intended, which might allow remote attackers
 to cause a denial of service and possibly execute arbitrary code via
 a crafted file that modifies a loop counter and triggers a heap-based

[ MDVSA-2011:175 ] poppler

 attackers to execute arbitrary code or cause a denial of service
 (application crash) via a crafted PDF document (CVE-2009-1188).
 
 Integer overflow in the SplashBitmap::SplashBitmap function in Xpdf 3.x
 before 3.02pl4 and Poppler before 0.12.1 might allow remote attackers
 to execute arbitrary code via a crafted PDF document that triggers a
 heap-based buffer overflow.  NOTE: some of these details are obtained
 from third party information.  NOTE: this issue reportedly exists
 because of an incomplete fix for CVE-2009-1188 (CVE-2009-3603).
 
 The Splash::drawImage function in Splash.cc in Xpdf 2.x and 3.x

Linux kernel exploit

 * resides in valid userspace by invoking access_ok().  However, Nelson
 * discovered that when the kernel performs an address limit override via
 * set_fs(KERNEL_DS) and the thread subsequently OOPSes (via BUG, page fault,
 * etc.), this override is not reverted before calling put_user() in the exit
 * path, allowing a user to write a NULL word to an arbitrary kernel address.
 * Note that this issue requires an additional vulnerability to trigger.
 *
 * CVE-2010-3849
 * -------------
 * This is a NULL pointer dereference in the Econet protocol.  By itself, it's
 * fairly benign as a local denial-of-service.  It's a perfect candidate to

CORE-2011-0203 - MS HyperV Persistent DoS Vulnerability

the root and nature of this vulnerability was not provided by Microsoft.


8.1. *Proof of Concept*

The following PoC would trigger the vulnerability. The PoC basically
injects the functions 'handle', 'handle2' and 'packet_changer' as a
shellcode, and calls to the command 'ipconfig' for generating activity
in the driver of the network adapter (in order to accelerate the
trigger). It was compiled using Borland C++ v5.5.1 for Win32, and should
be executed under the following scenario:

Re: [Full-disclosure] Linux kernel exploit

>   * resides in valid userspace by invoking access_ok().  However, Nelson
>   * discovered that when the kernel performs an address limit override via
>   * set_fs(KERNEL_DS) and the thread subsequently OOPSes (via BUG, page fault,
>   * etc.), this override is not reverted before calling put_user() in the exit
>   * path, allowing a user to write a NULL word to an arbitrary kernel address.
>   * Note that this issue requires an additional vulnerability to trigger.
>   *
>   * CVE-2010-3849
>   * -------------
>   * This is a NULL pointer dereference in the Econet protocol.  By itself, it's
>   * fairly benign as a local denial-of-service.  It's a perfect candidate to

Foxit Reader Multiple Vulnerabilities (CORE-2009-0218)

3. *Vulnerability Description*

Foxit Reader is a lightweight, free PDF document viewer and printer. PDF
files may include actions (i.e., 'Go to a page view', 'Open/Execute a
file', 'Open a web link', 'Execute a menu item') associated with
different triggers (i.e., 'Mouse Up', 'Mouse Down', 'Page Visible',
'Page Invisible'). The way Foxit Reader handles an 'Open/Execute a file'
action makes the software victim of two kinds of vulnerabilities:
authorization bypass and buffer overflow.



GCALDaemon Remote DoS

*** SUMMARY ***

GCALDaemon is an OS-independent Java program that offers two-way synchronization between Google Calendar and various iCalendar compatible calendar applications. GCALDaemon is primarily designed as a calendar synchronizer but it can also be used as a Gmail notifier, Address Book importer, Gmail terminal and RSS feed converter.

Sunbird/Kontact/Firefox/ThunderBird/Mozilla Calendar all share calendars over HTTP, by uploading their file via an HTTP PUT and getting/refreshing their calendar with an HTTP GET. The GCALDaemon's built-in HTTP server keeps these HTTP messages in sync with a specified Google Calendar. An input validation flaw makes it possible to craft an HTTP request with an abnormal Content-Length value; this malformed request could trigger a denial of service that arises from a Java out of memory fatal error.

*** VULNERABILITY DETAILS ***

Using a crafted HTTP request, an attacker could trigger a denial of service that arises from a java.lang.OutOfMemoryError when the Java heap space is overfilled.
In the file "org/gcaldaemon/core/http/HTTPListener.java", the GCALDaemon's built-in HTTP server parses the HTTP request and the HTTP header parameters without validation checkpoints.

CORE-2009-0813: Windows Movie Maker and Microsoft Producer IsValidWMToolsStream() Heap Overflow

Windows Movie Maker is a video creating/editing software, which is
included by default in Windows Vista and XP. Microsoft Producer is an
add-in for PowerPoint to create rich-media presentations.

A vulnerability was found in Windows Movie Maker and Microsoft Producer,
which can be triggered by a remote attacker by sending a specially
crafted file and enticing the user to open it. This vulnerability
results in a write access violation and can lead to remote code execution.


4. *Vulnerable packages*

[CORE-2009-1126] Corel Paint Shop Pro Photo X2 FPX Heap Overflow

5. *Vendor Information, Solutions and Workarounds*

The vendor did not provide fixes or workaround information.

To prevent an accidental trigger of the vulnerability, you can disable
the 'Preview' feature that exists in the 'File/Open' dialog.
Furthermore, avoid opening FPX files coming from untrusted sources.


6. *Credits*

Copyright © 1995-2012 LinuxRocket.net. All rights reserved.
