Advisories
Microsoft Windows CryptoAPI X.509 Spoofing Vulnerability
Release Date: 10.13.09
VUPEN ID: VUPEN/ADV-2009-2891
CVE ID: CVE-2009-2510, CVE-2009-2511
Author: Dan Kaminsky (IOActive), Ian Wright and Jean-Luc Giraud (Citrix)
Abstract: Two vulnerabilities have been identified in Microsoft Windows that have to do with the use of X.509 certificates and could be exploited by attackers to bypass security restrictions.
Read the security advisory here.
Best Practices for using Adobe Reader 9.0
Author: IOActive
Abstract: Adobe products have long touted how they enable organizations to collaborate and share information in heterogeneous environments. But a recent stream of vulnerabilities found in Adobe products has caused a great deal of concern about the overall security threat associated with using these products. IOActive security experts offer suggestions for how to best protect your computer. Read the article here.
Read the technical press release here.
QNX ker_msg_sendv System Call Integer Overflow
Date Discovered: 10.30.08
Date Reported: 10.30.08
Date Disclosed: 10.31.08
Author: Ilja van Sprundel
Synopsis: QNX's ker_msg_sendv() system call contains an integer overflow that could lead to heap corruption and, if correctly exploited, system compromise. If it is only partially exploited it could lead to denial of service and kernel panic, effectively shutting down the system.
Read the technical details (.pdf)
AppleTalk Response Packet Parsing Array Over-indexing Vulnerability
Date Disclosed: 03.03.09
Date Reported: 03.03.09
Date Disclosed: 08.05.09
CVE-ID: CVE-2009-2193
Author: Ilja van Sprundel
Synopsis: The Mac OS X AppleTalk stack contains an array over-indexing vulnerability that, if exploited correctly while AppleTalk is powered on, could lead to a remote system compromise. Even if only partially exploited, it could lead to denial of service and cause a kernel panic remotely, effectively shutting down the system.
Read the technical details (.pdf).
Diskimages-helper band-size Vulnerability
Reported to Vendor: 09.30.08
Patch Released: 04.29.09
CVE ID: CVE-2009-0150
Author: Tiller Beauchamp
Synopsis: A signed-to-unsigned conversion flaw exists in diskimages-helper when it reads the band-size parameter. When the value specified for the band-size key is changed to a negative number, the diskimages-helper process crashes when the user attempts to log in.
Read the technical details (.pdf).
Recursive Stack Overflow in ClamAV
Date Reported: 10.30.08
Date Patched: 12.01.08
Date Disclosed: 06.09.09
Author: Ilja van Sprundel
Synopsis: ClamAV's JPEG parser contains code that recursively checks thumbnails if they are included. Since the thumbnails can themselves be JPEGs, there is no limit to the number of recursions that can occur, leading to a potential stack overflow.
Read the technical details (.pdf)
Heap Corruption in Tor
Date Discovered: January 2009
Date Reported: 01.20.09
Date Disclosed: 06.08.09
Author: Ilja van Sprundel
Synopsis: There is a potential heap corruption bug in Tor when escaping data for logging purposes. Only certain deployments are vulnerable and the bug can be triggered only from certain locales.
Read the technical details (.pdf)
Pointer Dereference in OpenSolaris
Date Reported: 09.29.08
Date Disclosed: 02.04.09
Date patched: 02.05.09
Author: Ilja van Sprundel
Synopsis: The OpenSolaris kernel contains a userland pointer dereference vulnerability that allows both reading from and writing to the kernel.
Read the technical details (.pdf)
Multiple Vulnerabilities in Apple's MobileMe Service
Date reported: 08.05.08
Date patched: 11.06.08
Date disclosed: 11.20.08
Authors: Richard van Eeden, Ilja van Sprundel
Synopsis: Apple's MobileMe (me.com) web service contains several serious security vulnerabilities, the most critical of which combine Cross-site Request Forgery and Cross-site Scripting, and allow an attacker to access the service without a valid password.
Read the technical details (.pdf)
DNS TXT Record Parsing Bug in LibSPF2
Date reported: 10.20.08
Date disclosed: 10.21.08
Author: Dan Kaminsky
Synopsis: A relatively common bug that parses TXT records delivered over DNS—dating back at least to 2002 in Sendmail 8.2.0 and almost certainly much earlier—has been found in LibSPF2, a library that is used frequently to retrieve Sender Policy Framework (SPF) records and apply policy according to those records. This implementation flaw allows for relatively flexible memory corruption and should be treated as a path to anonymous remote code execution.
Read the technical details (.pdf)
Buffer Overflow in Python zlib extension module
Date discovered: April 2008
Date reported: 04.08.08
Date disclosed: 04.09.08
Date patched: 04.08.08
Author: Justin Ferguson
Synopsis: The zlib extension module contains a method for flushing decompression streams that takes an input parameter of how much data to flush. This parameter is a signed integer that is not verified for sanity and is, thus, potentially negative. When passed a negative value, memory is misallocated and then the signed integer is converted to an unsigned integer, resulting in buffer overflow.
IOActive technical details (.pdf)
Buffer Overflow in Mono BigInteger Montgomery Reduction Method
CVE-2007-5197, VU#146292
Date discovered: 07.25.07
Date reported: 08.24.07
Date disclosed: 09.20.07
Authors: Jason Larsen, Walter Pearce
Synopsis: An exploitable buffer overflow vulnerability exists in the Montgomery reduction method of the Mono Framework's BigInteger class (Mono.Math.BigInteger).
Read the technical details (.pdf)
Multiple Total Remote Compromise Vulnerabilities in Mercury SiteScope Monitoring Software
CVE-2007-6257, VU#245025
Date discovered: 10.05.06
Date disclosed: 09.20.07
Author: Chris Paget
Synopsis: Critical vulnerabilities exist within the Mercury SiteScope server monitoring software, some of which allow for complete remote compromise of the entire monitored network as well as arbitrary code execution on all servers managed by the SiteScope software.
Read the technical details (.pdf)
Multiple Buffer Overflows in legacy mod_jk2 apache module 2.0.3-DEV and earlier
CVE-2007-6257, VU#245025
Date discovered: 05.01.07
Date reported: 06.27.07
Date disclosed: 09.20.07
Authors: Josh Betts, Jason Larsen, Walter Pearce
Synopsis: A buffer overflow in the Host header field of the legacy version of the mod_jk2 Apache module (jakarta-tomcat-connectors) allows for remote code execution in the context of the Apache process.
Read the technical details (.pdf)
Static Microsoft Windows WPAD entries might allow interception of traffic
CVE-2007-1692
Date disclosed: 03.26.07
Author: Chris Paget
Synopsis: The default configuration of Microsoft Windows uses the Web Proxy Autodiscovery Protocol (WPAD) without static WPAD entries, which might allow remote attackers to intercept web traffic by registering a proxy server using WINS or DNS, then responding to WPAD requests.
- National Vulnerability Database technical details »
- Common Vulnerabilities and Exposures technical details »
- C|Net News article »
Numerous WebEOC Vulnerabilities
VU#956762, VU#170394, VU#138538, VU#372797, VU#491770, VU#258834, and VU#388282
Date first published: July 2005
Synopsis:
- WebEOC is vulnerable to a denial-of-service condition via uploading large files (VU#956762). Technical details »
- WebEOC account lock-out policy may allow a denial-of-service (VU#170394). Technical details »
- WebEOC is vulnerable to cross-site scripting attacks (VU#138538). Technical details »
- WebEOC contains multiple SQL injection vulnerabilities (VU#372797). Technical details »
- WebEOC implements weak algorithms to encrypt sensitive information (VU#491770). Technical details »
- WebEOC privileges are based on client-side authorization (VU#258834). Technical details »
- WebEOC uses a global shared key (VU#388282). Technical details »