
unsigned int

Camino 1.6.10 Remote Array Overrun (Arbitrary code execution)

16  org.mozilla.camino                  0x001a60e8 CNavDTD::OpenBody(nsCParserNode const*) + 54
17  org.mozilla.camino                  0x001a8b53 CNavDTD::HandleDefaultStartToken(CToken*, nsHTMLTag, nsCParserNode*) + 393
18  org.mozilla.camino                  0x001aa3e5 CNavDTD::HandleStartToken(CToken*) + 623
19  org.mozilla.camino                  0x001aaaa2 CNavDTD::HandleToken(CToken*, nsIParser*) + 1358
20  org.mozilla.camino                  0x001a9a4d CNavDTD::BuildModel(nsIParser*, nsITokenizer*, nsITokenObserver*, nsIContentSink*) + 165
21  org.mozilla.camino                  0x001a94ee CNavDTD::DidBuildModel(unsigned int, int, nsIParser*, nsIContentSink*) + 550
22  org.mozilla.camino                  0x001b5e28 nsParser::DidBuildModel(unsigned int) + 90
23  org.mozilla.camino                  0x001b83c7 nsParser::ResumeParse(int, int, int) + 661
24  org.mozilla.camino                  0x001b59a8 nsParser::OnStopRequest(nsIRequest*, nsISupports*, unsigned int) + 128
25  org.mozilla.camino                  0x002076a0 nsDocumentOpenInfo::OnStopRequest(nsIRequest*, nsISupports*, unsigned int) + 88
26  org.mozilla.camino                  0x000f522a nsFileChannel::OnStopRequest(nsIRequest*, nsISupports*, unsigned int) + 78

[CORE-2010-0819] LibSMI smiGetNode Buffer Overflow When Long OID Is Given In Numerical Form

8. *Technical Description / Proof of Concept Code*

The 'smiGetNode' function returns a 'SmiNode' struct given the name of
an OID as a 'char *' in either numeric (e.g. "1.3.6.1.2.1.4.17")
or human-readable (e.g. "ipForwarding") form. This function uses a
static array of 128 elements of type 'unsigned int' to hold the OID in
numeric format:

/-----
    SmiSubid        oid[128];
-----/

Re: vulnerabilities in this code chunk

It is vulnerable to heap overflows.

An unsigned int and an unsigned long have the same size (4 bytes), as well as the same range (0 to 4294967295). The function 'copy_data()' takes 'data_len' as an unsigned int. The function 'memcpy()' takes its parameter as a 'size_t', which is nothing but an unsigned long.

If we send 'data_len' as 0xFFFFFFF8, when the 8 is added inside 'malloc()' it will become 0x100000000, and the leading 1, being an overflow, will be dropped. Note that this overflow is not the same as the heap overflow. This will cause 'malloc()' to allocate no space; however, it will still return an address.

When the data is added to it with 'memcpy()', it will cause a heap overflow. With a good shellcode as 'data', and knowing that its address will be buf+8, you can execute arbitrary code.


- BluePass

iDefense Security Advisory 04.14.08: ClamAV libclamav PE WWPack Heap Overflow Vulnerability

  1879          dsize = max-min+headsize-exe_sections[nsections - 1].rsz;
  ....
  1883          if((dest = (char *) cli_calloc(dsize, sizeof(char))) == NULL) {
  ....
  1897          for(i = 0 ; i < (unsigned int)nsections-1; i++) {
  1898              if(exe_sections[i].rsz) {
  1899                  if(!cli_seeksect(desc, &exe_sections[i]) || (unsigned int) cli_readn(desc, dest + headsize + exe_sections[i].rva - min, exe_sections[i].rsz) != exe_sections[i].rsz) {


CORE-2008-1009 - VNC Multiple Integer Overflows

Multiple VNC clients are affected, as they share the vulnerable code.
The integer overflow follows this pattern:

/-----------

unsigned int len; /* note the *unsigned int* */

// read len from the net
len = network.read_placeholder();

// check the size to ensure the network related read buffer is of the



Copyright © 1995-2012 LinuxRocket.net. All rights reserved.
