vulnerabilities published in 2009

| ref. id | title | remote | pre-auth | publ. date | severity |
| APS031 | Multiple VLC stack overflows in MP4, AVI and ASF demuxer | yes | yes | 20. sept, 09 | high |
references:
VLC advisory
these vulnerabilities can be triggered by creating mp4, asf or avi files with
an overly deep box structure. since vlc is not compiled with /GS we can get
control over eip quite easily. however, code execution is not trivial since
eip can only be overwritten with numeric values (0x30-0x39).
| APS030 | Apple Quicktime PICT Opcode 0x71 Heap Overflow Vulnerability | yes | yes | 02. jun, 09 | high |
references:
ZDI advisory
advisory on Apple homepage
please check the zdi advisory for details.
| APS029 | Apple Quicktime PICT Opcode 0x8201 Heap Overflow Vulnerability | yes | yes | 02. jun, 09 | high |
references:
ZDI advisory
advisory on Apple homepage
please check the zdi advisory for details.
| APS028 | Apple QuickTime PICT Unspecified Tag Heap Overflow Vulnerability | yes | yes | 13. may, 09 | high |
references:
ZDI advisory
advisory on Apple homepage
please check the zdi advisory for details.
| APS027 | Symantec Client Security Alert Originator Service Stack Overflow Vulnerability | yes | yes | 28. apr, 09 | very high |
references:
zdi advisory
advisory by symantec
one of the most dangerous bugs i found so far because the flaws were of a
sort which has become quite rare: vanilla stack overflow! in other words:
- no stack protection (gs cookies)
- no aslr
- stack smash down to SEH
- 100% reliable jump to shellcode on stack without character restrictions
- ...
one of the three bugs was even triggered by strcpy()... amazing!
it felt like exploiting some win2k vulnerability back in 2000 :)
oh well, i hope everyone's patched against this one...

vulnerabilities published in 2008

| ref. id | title | remote | pre-auth | publ. date | severity |
| APS026 | Sun Java JRE TrueType Font Parsing Integer Overflow Vulnerability | yes | yes | 04. dec, 08 | very high |
references:
idefense advisory
advisory by sun microsystems
quite a bunch of critical vulnerabilities have been fixed in the new JRE release.
one of the bugs was this heap overflow which occurs while parsing a specially
crafted true type font file (.ttf).
the overflow itself happens in a wrapper around the memory allocator. by passing
a small negative value to the allocation wrapper we're able to trigger an integer
overflow and consequently write 10 partially-controlled bytes (one WORD and 2
DWORDs) beyond the buffer borders. the font file that i used to hit the vulnerability
does not allow a further heap smash with controlled data due to a signedness check
after the allocation (don't ask me why the check is AFTER the allocation, not before...).
but since the allocator is called many times from several places i'm quite sure that
the vulnerable code can also be reached in a way which would allow us to execute
malicious code fairly reliably.
| APS025 | OpenOffice EMF Record Parsing Multiple Integer Overflow Vulnerabilities | yes | yes | 31. oct, 08 | high |
references:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=750
advisory on OpenOffice homepage
3 straight-forward heap overflows caused by integer wraps. the following EMR records were vulnerable:
- EMR_EXTTEXTOUTA/W (cases 0x83, 0x84)
- EMR_POLYPOLYGON16 (case 0x5b)
- EMR_POLYPOLYGON (case 0x08)
there's nothing much to say here... it's the typical screw-up which happens just too often
in binary-protocol parsing code. exploitation is not easy but doable.
edit:
seems like StarOffice and StarSuite were vulnerable to these overflows as well...
here's the link to the advisory by sun.
| APS024 | Novell eDirectory Core Protocol Opcode 0x24 Heap Overflow Vulnerability | yes | yes | 08. oct, 08 | very high |
references:
http://zerodayinitiative.com/advisories/ZDI-08-066
advisory on novell homepage (TID 7001183)
this is another pre-auth vulnerability in the core component of novell eDirectory. it's a straight-forward integer wrap
which leads to a heap overflow:
    LEA EAX,DWORD PTR DS:[EAX*8+18]   ( <- EAX is a controlled DWORD from our user-supplied data)
by supplying values >= 0x1FFFFFFD we'll wrap the integer past the 32-bit maximum, leading to the allocation of a
small heap buffer. a few instructions further down we'll hit a memcpy-like loop which smashes the heap, eventually
leading to code execution with SYSTEM privileges.
| APS023 | Novell eDirectory Core Protocol Opcode 0x0F Heap Overflow Vulnerability | yes | yes | 08. oct, 08 | high |
references:
http://zerodayinitiative.com/advisories/ZDI-08-065
advisory on novell homepage (TID 7001184)
here we have the same problem as described in APS024... we supply a huge user-controlled DWORD leading
to an integer wrap. the severity ranking of this vuln has not been set to "very high" because code execution is
most likely not possible here:
at some point of the client-server communication the dhost-process extracts unicode strings from an NCP packet
and checks them against an array of static strings. if one of the key-strings is found a corresponding static ID gets
written to the small-sized buffer which had been allocated after the int wrap. in other words we're able to overflow
the heap with values like 0x050000ff ("[All Attributes Rights]") or 0x070000ff ("[Entry Rights]"), etc...
in a browser-environment this would definitely be exploitable, but in a server-based scenario (no heap spraying and
stuff like that) it is probably not possible. => severity "high"
| APS022 | Novell eDirectory dhost Integer Overflow | yes | yes | 10. july, 08 | very high |
references:
http://www.zerodayinitiative.com/advisories/ZDI-08-041
http://www.novell.com/support/search.do?cmd=displayKC&sliceId=SAL_Public&externalId=3694858
the core component of most of the novell products is prone to quite a bad stack overflow.
just take a look at the size and complexity of ds.dlm. there HAD to be bugs...
sadly this one can be triggered pre-auth over port 524. the origin of this bug was a size
check which could be circumvented by making an integer wrap over 0xffffffff (once again...)
| APS021 | Microsoft Internet Explorer DOM Object substringData() Heap Overflow | yes | yes | 10. jun, 08 | very high |
references:
http://zerodayinitiative.com/advisories/ZDI-08-039
http://www.microsoft.com/technet/security/Bulletin/MS08-031.mspx
for those who didn't notice, we had a similar flaw already in 2007 (take a look here).
maybe MS patched a call-path instead of the bug itself? whatever, this bug is quite a bad heap overflow
which results in reliable code execution.
when i read this i really wonder how many are still vulnerable...
| APS020 | CA ETrust Secure Content Manager Gateway FTP LIST Stack Overflow | yes | yes | 04. jun, 08 | very high |
references:
http://zerodayinitiative.com/advisories/ZDI-08-036
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177784
implementing a gateway (http proxy actually) which is capable of speaking multiple protocols is generally a dangerous idea.
the http code was OK, but the way the gateway service speaks ftp was not.
to trigger this bug you have to issue a request to the gateway and set up a malicious ftp server which speaks
to the gateway and gives overly long responses :)
when the gateway tries to list the ftp's files we can give a malformed response and overflow a stack buffer by
abusing a sprintf() call. code execution can be achieved reliably here.
| APS019 | CA ETrust Secure Content Manager Gateway FTP PASV Stack Overflow | yes | yes | 04. jun, 08 | medium |
references:
http://zerodayinitiative.com/advisories/ZDI-08-035
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177784
quite a similar bug to the one above. the gateway connects, issues a PASV request and we give a bad response.
the rfc-conformant response should have the fragments of the ftp server's IP attached in brackets
(like "227 Entering Passive Mode (10,11,12,13,217,169)"). the first 4 numbers build the IP. and that's
where the flaw happens, because the gateway does not check whether the 4 numbers are between 0x00 and 0xff.
what happens is something like sprintf(<small stack buffer>, "%d.%d.%d.%d", part1, part2, part3, part4);.
supplying large numbers will overflow our small stack buffer.
code execution is not possible i'd say because the function has a stack cookie check before the return
and SEH is of course out of reach => risk medium.
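the defensive counterpart to the APS019 flaw, as an added example (not the gateway's code and not from the advisory): a PASV reply parser that proves every field lies in 0..255 before anything is formatted, and formats with snprintf into a bounded buffer. the function names, the 16-byte buffer size and the sample replies are constructed for this illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Parse one decimal field of the PASV reply into 0..255.
 * Rejects empty fields, more than three digits and values above 255
 * before they can reach the formatting step. Advances *p past the digits. */
static bool parse_octet(const char **p, unsigned *out)
{
    unsigned v = 0;
    int digits = 0;
    while (**p >= '0' && **p <= '9') {
        v = v * 10u + (unsigned)(**p - '0');
        if (++digits > 3 || v > 255u)
            return false;
        (*p)++;
    }
    if (digits == 0)
        return false;
    *out = v;
    return true;
}

/* Parse "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" (hypothetical helper).
 * On success writes the dotted IPv4 address (at most 15 chars + NUL) into ip
 * and the data port into *port. Any malformed or out-of-range field fails the
 * whole reply, so a large number can never overrun the address buffer. */
bool parse_pasv_reply(const char *line, char ip[16], unsigned *port)
{
    const char *p = strchr(line, '(');
    unsigned v[6];
    if (p == NULL)
        return false;
    p++;
    for (int i = 0; i < 6; i++) {
        if (!parse_octet(&p, &v[i]))
            return false;
        if (*p != (i < 5 ? ',' : ')'))
            return false;
        p++;
    }
    /* Every value is now proven to be <= 255, so "%u.%u.%u.%u" fits in 15 chars;
     * snprintf with the buffer size is still used so that a later change
     * cannot silently reintroduce the overflow. */
    int n = snprintf(ip, 16, "%u.%u.%u.%u", v[0], v[1], v[2], v[3]);
    if (n < 0 || n >= 16)
        return false;
    *port = v[4] * 256u + v[5];
    return true;
}

int main(void)
{
    /* Constructed sample replies: one well-formed, one with an oversized field. */
    const char *good = "227 Entering Passive Mode (10,11,12,13,217,169)";
    const char *bad  = "227 Entering Passive Mode (10,11,12,99999999999,217,169)";
    char ip[16];
    unsigned port;
    printf("%s -> %s\n", good, parse_pasv_reply(good, ip, &port) ? ip : "rejected");
    printf("%s -> %s\n", bad,  parse_pasv_reply(bad,  ip, &port) ? ip : "rejected");
    return 0;
}
```

the point is the order of operations: range-check first, then format into a buffer whose size is passed to the formatter. either step alone would have been enough to stop this particular overflow; doing both means a later edit to one of them does not reopen it.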
| APS018 | Microsoft GDI WMF Parsing Heap Overflow Vulnerability | yes | yes | 08. apr, 08 | very high |
references:
http://www.zerodayinitiative.com/advisories/ZDI-08-020
http://www.microsoft.com/technet/security/bulletin/ms08-021.mspx
by creating a section in a wmf file with type value 0x42 we'll reach a nice function called CreateDIBPatternBrushPt
which will parse user-supplied data from our input file. this function contains the flawed calculation of a size
value resulting in an integer overflow. the value will be passed on to malloc() and an inline memcpy (rep movsd)
overflowing the heap. the "best" exploitation vector is a browser since we can make use of heap spraying to get
fairly reliable code execution.
| APS017 | Symantec VERITAS Storage Foundation Administrator Service Heap Overflow | yes | yes | 20. feb, 08 | very high |
references:
http://www.zerodayinitiative.com/advisories/ZDI-08-007
http://www.symantec.com/avcenter/security/Content/2008.02.20a.html
the heap overflow occurs in vxvea3.dll which will parse the data coming in from udp port 3207.
it uses a word value from an initial packet (recv size max. 0x200) as the size for a second packet.
the source of the problem is that the destination buffer of the second receive operation has a static size
and is also at a fixed address!! this gives us the chance to overwrite crucial data behind the allocated
buffer if the word value is large enough. the static offset in vxvea3.dll ensures us 100% reliable
exploitation through the control of function pointers which will get called shortly after the overflow.
the result is code execution with SYSTEM privs.. not too good :-/
| APS016 | Adobe Flash Media Server 2 Multiple Integer Overflow Vulnerabilities | yes | yes | 12. feb, 08 | very high |
references:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=662
http://www.adobe.com/support/security/bulletins/apsb08-03.html
the heap overflows originate from the usual malloc( [controlled dword] + X)-problem leading to an integer overflow
and a subsequent 0-byte memory allocation. afterwards user-controlled data gets copied into and beyond this
under-allocated buffer. successful exploitation of this bug is rather unlikely due to the huge amount of data
which will be copied (0xffffffff bytes in one case) leading to an access violation as soon as we reach the next
memory page boundary... however, it can be done using multiple simultaneous connections accessing the exact data
regions where the overflow happens.
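the integer-wrap-before-malloc pattern behind APS016, APS018, APS022, APS024 and APS026 (a controlled count or length goes into a size expression like EAX*8+18 or [controlled dword] + X, wraps past 32 bits, and a too-small buffer is allocated) has a mechanical fix, shown here as an added example that is not code from any of the affected products. the 0x18-byte header plus 8-byte records layout mirrors the size expression quoted in APS024; the record layout, function names and sample input are constructed for the illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical record layout: an 0x18-byte header followed by 8-byte records,
 * matching the size expression "EAX*8+18" quoted in APS024 (constructed). */
#define HDR_BYTES 0x18u
#define REC_BYTES 8u

/* Unchecked 32-bit size computation, as the vulnerable code performed it.
 * For count >= 0x1FFFFFFD the product wraps and a tiny buffer gets allocated. */
uint32_t unchecked_alloc_size(uint32_t count)
{
    return count * REC_BYTES + HDR_BYTES;
}

/* Overflow-aware version: bounds count before multiplying, so the expression
 * can never wrap. Plain 32-bit arithmetic, no compiler builtins required. */
bool checked_alloc_size(uint32_t count, uint32_t *out)
{
    if (count > (UINT32_MAX - HDR_BYTES) / REC_BYTES)
        return false;
    *out = count * REC_BYTES + HDR_BYTES;
    return true;
}

/* Allocate and fill the buffer from a packet that claims `count` records and
 * carries `payload_len` bytes of record data. Both the size computation and
 * the copy length are validated against the allocation, so neither the
 * integer wrap nor an over-long copy can smash the heap. Caller frees. */
uint8_t *load_records(uint32_t count, const uint8_t *payload, size_t payload_len)
{
    uint32_t size;
    if (!checked_alloc_size(count, &size))
        return NULL;                       /* attacker-chosen count rejected */
    if (payload_len != (size_t)count * REC_BYTES)
        return NULL;                       /* claimed count must match data on the wire */
    uint8_t *buf = calloc(1, size);
    if (buf == NULL)
        return NULL;
    memcpy(buf + HDR_BYTES, payload, payload_len);
    return buf;
}

int main(void)
{
    uint32_t size;
    /* Constructed: a count just past the wrap threshold named in APS024. */
    printf("unchecked 0x1FFFFFFD -> 0x%08x bytes\n", unchecked_alloc_size(0x1FFFFFFDu));
    printf("checked   0x1FFFFFFD -> %s\n",
           checked_alloc_size(0x1FFFFFFDu, &size) ? "ok" : "rejected");
    uint8_t payload[16] = {0};
    uint8_t *buf = load_records(2, payload, sizeof payload);
    printf("2 records -> %s\n", buf ? "allocated" : "rejected");
    free(buf);
    return 0;
}
```

the threshold the check produces, (UINT32_MAX - 0x18) / 8 = 0x1FFFFFFC, is exactly one below the 0x1FFFFFFD quoted for APS024, which is a useful sanity check when reviewing such code: if the bound you derive does not line up with the first wrapping input, the check is wrong.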
| APS015 | IBM Tivoli Storage Manager Express Backup Server Heap Overflow Vulnerability | yes | yes | 14. jan, 08 | very high |
references:
http://www.zerodayinitiative.com/advisories/ZDI-08-001.html
http://www-1.ibm.com/support/docview.wss?uid=swg21291536
this issue happens because of a static heap buffer which can be overflowed by supplying a large length value in the packet.
thus, we can overwrite structures on the heap including function pointers. by carefully crafting our data we can hijack
these function pointers and get reliable code execution as SYSTEM.

vulnerabilities found in 2007:

| ref. id | title | remote | pre-auth | publ. date | severity |
| APS014 | Computer Associates eTrust Intrusion Detection CallCode ActiveX Control Code Execution Vulnerability | yes | yes | 24 july, 07 | high |
reference:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=568
straight-forward design error: arg1 is passed to LoadLibraryA, arg2 is passed to GetProcAddress, arg3 (or for other
methods also arg4/5) are pushed as arguments. in other words we can for example load kernel32.system and execute
any command in arg3..
| APS013 | IBM Tivoli Storage Manager Express CAD Service Overflow | yes | yes | 24 sept, 07 | very high |
reference:
https://www.zerodayinitiative.com/advisories/ZDI-07-054.html
simple unicode heap overflow while parsing the http header. the only surprise is the manner in which we can get
code control here: overwriting the IAT! i've not seen this before and usually it's not possible. however, here it is.. :)
| APS012 | Trend Micro ServerProtect TMregChange() Stack Overflow | yes | yes | 07 sept, 07 | very high |
reference:
https://www.zerodayinitiative.com/advisories/ZDI-07-051.html
this overflow is a classic ^^ programmer A writes a function (here TMRegChange) in which he reserves X bytes
for a local variable. programmer B "checks" user input in his function (strips it down to length Y) and passes
the input to our function by programmer A. but programmer B did not look properly how much space programmer A
reserved! the result is the trouble we have here... a straight-forward stack overflow.
| APS011 | Ipswitch IMail IMAP Daemon SUBSCRIBE Stack Overflow | yes | no | 24 jul, 07 | high |
reference:
https://www.zerodayinitiative.com/advisories/ZDI-07-043.html
a second bug i stumbled over while looking into APS010. exploitable only through SEH control
which is ~30000 chars away from our buffer. but then exploitable very reliably.
| APS010 | Ipswitch IMail Server GetIMailHostEntry Memory Corruption | yes | yes | 24 jul, 07 | very high |
reference:
https://www.zerodayinitiative.com/advisories/ZDI-07-042.html
the first bug i found by reversing. it's a heap overflow which is not very easy to exploit, but doable.
this bug can be triggered through services which require authentication! imap, ldap and web-interface are
vulnerable to this attack. only the pop3 daemon verifies the username's length before passing it to GetImailHostEntry.
pre-auth / remote / exploitable overflow in a wide-spread product => risk: very high.

vulnerabilities found in 2006:

| ref. id | title | remote | pre-auth | publ. date | severity |
| APS009 | Symantec Veritas NetBackup CONNECT_OPTIONS Buffer Overflow | yes | yes | 13 dec, 06 | high |
reference:
https://www.zerodayinitiative.com/advisories/ZDI-06-006.html
see APS005
| APS008 | Symantec Veritas NetBackup Long Request Buffer Overflow | yes | yes | 13 dec, 06 | high |
reference:
https://www.zerodayinitiative.com/advisories/ZDI-06-006.html
see APS005
| APS007 | IBM Lotus Domino Server LDAP DoS | yes | yes | 02 oct, 06 | medium |
reference:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=389
NULL-pointer dereference due to invalid user input.
| APS006 | Symantec Veritas NetBackup Database Manager Buffer Overflow | yes | yes | 27 mar, 06 | high |
reference:
https://www.zerodayinitiative.com/advisories/ZDI-06-006.html
see APS005
| APS005 | Symantec Veritas NetBackup Volume Manager Buffer Overflow | yes | yes | 27 mar, 06 | high |
reference:
https://www.zerodayinitiative.com/advisories/ZDI-06-005.html
this overflow lets malicious users execute code in a very easy and reliable fashion. the reason why it is "only"
rated "high" risk is that the bug can only be triggered from computers within the local network. the vulnerable
service is not reachable from outside the local network.

vulnerabilities found in 2005:

| ref. id | title | remote | pre-auth | publ. date | severity |
| APS004 | Ipswitch IMail IMAP List Command DoS Vulnerability | yes | no | 06 dec, 05 | low |
reference:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=347
| APS003 | Novell NetMail IMAPD Buffer Overflows | yes | no | 18 nov, 05 | medium |
reference:
https://www.zerodayinitiative.com/advisories/ZDI-05-003.html
this advisory comprised 8 post-auth buffer overflows in netmail's imap service. severity medium (post-auth).
| APS002 | Veritas Backup Exec Remote Agent NDMLSRVR.DLL DoS | yes | yes | 23 jun, 05 | medium |
reference:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=270
not much to say here. the remote agent gets into trouble when parsing crippled input and crashes due to
an access violation when reading in unmapped memory.
| APS001 | Ipswitch IMail IMAP SELECT Command DoS | yes | no | 24 may, 05 | medium |
reference:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=241
my first bug *proud*.. it was actually a stack overflow, but i didn't have the knowledge to prove it back in 05.
severity "medium" because the SELECT command can only be issued after authenticating to the imap service.