Advisories

Wonderware Archestra ConfigurationAccessComponent ActiveX stack overflow

Author: Richard van Eeden

Abstract:  The Wonderware Archestra ConfigurationAccessComponent ActiveX control, which is marked "safe for scripting", contains a stack-based buffer overflow. The UnsubscribeData method of the IConfigurationAccess interface uses wcscpy() to copy its first parameter into a fixed-size local buffer. An attacker who can script the control, which the safe-for-scripting marking permits from a web page, can pass an overlong string to the method, overwrite stack data and gain code execution.
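As an added illustration (not IOActive's proof of concept and not Wonderware's code), the C program below shows the pattern the abstract describes, an unbounded wcscpy() into a fixed-size stack buffer, next to a bounded replacement that rejects anything that does not fit. The buffer size NAME_BUF, all function names and the sample inputs are assumptions; only the use of wcscpy() on the method's first parameter comes from the advisory. The vulnerable routine is never called with an overlong name here; overrun_bytes() reports how far such a call would write past the buffer instead.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>

#define NAME_BUF 32   /* hypothetical size of the method's local buffer */

/* Shape of the flaw the advisory describes: a caller-controlled wide string is
 * copied with wcscpy() into a fixed-size stack buffer. Never call this with
 * untrusted input; it is here only to show the pattern. */
static void unsubscribe_vulnerable(const wchar_t *name)
{
    wchar_t local[NAME_BUF];
    wcscpy(local, name);   /* writes wcslen(name)+1 wide chars, regardless of NAME_BUF */
    (void)local;
}

/* Bytes wcscpy() would write past the end of 'local' for this input (0 when the
 * name fits). Each wide char is sizeof(wchar_t) bytes. */
static size_t overrun_bytes(const wchar_t *name)
{
    size_t needed = wcslen(name) + 1;
    return needed > NAME_BUF ? (needed - NAME_BUF) * sizeof(wchar_t) : 0;
}

/* Hardened replacement: refuse anything that does not fit, then copy a bounded
 * amount. Returns 0 on success, -1 when the argument is rejected. */
static int unsubscribe_hardened(const wchar_t *name, wchar_t *out, size_t out_cap)
{
    size_t n = wcslen(name);
    if (n >= out_cap)
        return -1;                 /* a COM method would return E_INVALIDARG here */
    wmemcpy(out, name, n + 1);     /* n chars plus the terminator, all within out_cap */
    return 0;
}

/* Constructed sample input: a name made of n 'A' characters (n capped at 255). */
static const wchar_t *sample_name(size_t n)
{
    static wchar_t buf[256];
    if (n > 255) n = 255;
    for (size_t i = 0; i < n; i++) buf[i] = L'A';
    buf[n] = L'\0';
    return buf;
}

/* Hardened path applied to a NAME_BUF-sized local buffer, as the fixed method would. */
static int hardened_accepts(const wchar_t *name)
{
    wchar_t local[NAME_BUF];
    return unsubscribe_hardened(name, local, NAME_BUF);
}

int main(void)
{
    unsubscribe_vulnerable(sample_name(8));   /* fits: 9 wide chars into 32 */
    printf("64-char name overruns the buffer by %zu bytes\n", overrun_bytes(sample_name(64)));
    printf("hardened accepts 31 chars: %d, rejects 32 chars: %d\n",
           hardened_accepts(sample_name(31)) == 0, hardened_accepts(sample_name(32)) == -1);
    return 0;
}
```

The check in unsubscribe_hardened() is `n >= out_cap`, not `n > out_cap`, because the terminator needs a slot too; off-by-one here is the classic way a "fixed" copy stays exploitable by one wide char.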


Authentication Bypass In Tranax Remote Management Software

Date Reported: 04.05.10
Author: Barnaby Jack

Abstract:  The Tranax Remote Management Software (RMS) allows for the administration of common Automated Teller Machine (ATM) tasks from a remote location.

To authenticate to a remote ATM, both the serial number and the RMS password are required. Because of an implementation flaw in how these credentials are verified, a request can be crafted that bypasses all authentication, so remote management tasks can be performed without valid credentials.

The RMS interface is enabled by default on a typical ATM installation.


SQL Injection and Cross-site Scripting at

Date Discovered: 03.18.10
Date Reported: 03.23.10
Authors: Mike Davis, Rich Lundeen, and Sean Malone

Abstract:  The formID parameter at is vulnerable to SQL injection. The searchTerms parameter at is vulnerable to cross-site scripting attacks. Exploiting these vulnerabilities would likely expose sensitive data and may result in compromise of the affected systems.


Multiple Vulnerabilities in Accoria Web Server

Date Discovered/Reported to Accoria: December 2008
Date Reported to US-Cert: March 1, 2010
Author: Ilja van Sprundel

Abstract:  The Accoria Web Server 1.4.7 for x86 Solaris contains multiple vulnerabilities, including cross-site scripting, directory traversal, and format string bugs.


Mach Exception Handling Privilege Escalation

Date Discovered: 01.05.10
Author: Richard van Eeden

Abstract:  Mach exception handling contains a vulnerability that allows an attacker to gain access to the memory of a set-user-ID (suid) process. As with the similar CVE-2006-4392 (found by Dino Dai Zovi of Matasano Security), a suid process can inherit the Mach exception ports of its parent, so an exception handler registered by the unprivileged parent is the one invoked when the privileged child faults.


Microsoft Windows CryptoAPI X.509 Spoofing Vulnerability

Release Date: 10.13.09
CVE ID: CVE-2009-2510, CVE-2009-2511
Author: Dan Kaminsky (IOActive), Ian Wright and Jean-Luc Giraud (Citrix)

Abstract:  Two vulnerabilities have been identified in the way Microsoft Windows CryptoAPI handles X.509 certificates; both could be exploited by attackers to bypass security restrictions.
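CVE-2009-2510 is the NUL-truncation issue in certificate name matching: a Common Name such as `www.bank.example\0.attacker.example`, issued for the attacker's own domain, compares equal to `www.bank.example` when the DER string is handed to C-string routines. The following is an added C example, not Microsoft's code and not from the advisory, contrasting that comparison with a length-aware one. The sample CN is constructed and the function names are assumptions; case folding and wildcard matching are left out because they do not affect the NUL handling.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: a subject CN as it would sit in DER, a length-prefixed byte
 * string that is allowed to contain 0x00. A CA that validates only the part after
 * the NUL (attacker.example) would issue this without complaint. */
static const unsigned char kCn[] = "www.bank.example\0.attacker.example";
static const size_t kCnLen = sizeof(kCn) - 1;   /* 34 bytes, embedded NUL included */

/* Vulnerable pattern: the DER bytes are treated as a C string, so the comparison
 * stops at the embedded NUL and reports a match for the bank's name. */
static bool cn_matches_vulnerable(const unsigned char *cn, size_t cn_len, const char *host)
{
    (void)cn_len;                                  /* length ignored, which is the bug */
    return strcmp((const char *)cn, host) == 0;
}

/* Fixed pattern: compare exactly cn_len bytes, and treat an embedded NUL as a
 * reason to reject outright, since no valid hostname contains one. */
static bool cn_matches_fixed(const unsigned char *cn, size_t cn_len, const char *host)
{
    if (memchr(cn, '\0', cn_len) != NULL)
        return false;
    size_t hl = strlen(host);
    return hl == cn_len && memcmp(cn, host, hl) == 0;
}

int main(void)
{
    printf("vulnerable match: %d, fixed match: %d\n",
           cn_matches_vulnerable(kCn, kCnLen, "www.bank.example"),
           cn_matches_fixed(kCn, kCnLen, "www.bank.example"));
    return 0;
}
```

The same discipline applies to subjectAltName dNSName entries: carry the explicit length from the ASN.1 decoder all the way to the comparison, and never let the bytes become a C string in between.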


AppleTalk Response Packet Parsing Array Over-indexing Vulnerability

Date Discovered: 03.03.09
Date Reported: 03.03.09
Date Disclosed: 08.05.09
CVE-ID: CVE-2009-2193
Author: Ilja van Sprundel

Synopsis: The Mac OS X AppleTalk stack contains an array over-indexing vulnerability that, if exploited correctly while AppleTalk is enabled, could lead to remote system compromise. Even a partial exploit causes a kernel panic, so the bug can be used for a remote denial of service that takes the system down.


doc.export* Methods Allow Arbitrary File Creation

Date Discovered: 07.13.09

Synopsis: Several JavaScript methods of the Document Object do not honor the Privileged Context and Safe Path settings. IOActive was able to execute certain privileged JavaScript methods that can be used to create arbitrary files and folders on a targeted file system.


Recursive Stack Overflow in ClamAV

Date Reported: 10.30.08
Date Patched: 12.01.08
Date Disclosed: 06.09.09
Author: Ilja van Sprundel

Synopsis: ClamAV's JPEG parser recursively checks embedded thumbnails. Because a thumbnail can itself be a JPEG with its own thumbnail, the recursion depth is bounded only by the input, so a crafted file can exhaust the stack.
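An added C example, not ClamAV's code, of the recursion the synopsis describes and the bound that fixes it. The container format is a deliberately simplified JPEG-like layout (SOI marker, then segments of FF marker len16 payload, with an APP1 payload that starts with SOI treated as an embedded thumbnail); real JPEG/EXIF thumbnail location is more involved. MAX_THUMB_DEPTH, the function names and the nested sample built by build_nested() are assumptions. Deleting the depth check in check_image() reproduces the unbounded recursion.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_THUMB_DEPTH 8   /* hypothetical limit; the fix needs some finite bound */
#define MARK_SOI  0xD8
#define MARK_APP1 0xE1

enum { THUMB_OK = 0, THUMB_ERR_MALFORMED = -1, THUMB_ERR_TOO_DEEP = -2 };

/* Toy image layout (JPEG-like, not real JPEG): FF D8, then zero or more segments
 * FF <marker> <len16 big-endian> <payload>, where len counts itself plus the payload
 * as in real JPEG. An APP1 payload beginning with FF D8 is an embedded thumbnail and
 * is scanned as an image in its own right. */
static int check_image(const uint8_t *p, size_t n, int depth)
{
    if (depth > MAX_THUMB_DEPTH)
        return THUMB_ERR_TOO_DEEP;   /* without this, a deep enough chain exhausts the stack */
    if (n < 2 || p[0] != 0xFF || p[1] != MARK_SOI)
        return THUMB_ERR_MALFORMED;

    size_t i = 2;
    while (i + 4 <= n) {
        if (p[i] != 0xFF)
            return THUMB_ERR_MALFORMED;
        uint8_t marker = p[i + 1];
        size_t len = ((size_t)p[i + 2] << 8) | p[i + 3];
        if (len < 2 || len > n - (i + 2))
            return THUMB_ERR_MALFORMED;   /* segment runs past the buffer */
        const uint8_t *payload = p + i + 4;
        size_t plen = len - 2;
        if (marker == MARK_APP1 && plen >= 2 && payload[0] == 0xFF && payload[1] == MARK_SOI) {
            int r = check_image(payload, plen, depth + 1);   /* the recursion in question */
            if (r != THUMB_OK)
                return r;
        }
        i += 2 + len;
    }
    return THUMB_OK;
}

/* Constructed sample: an image whose APP1 thumbnail holds an image whose APP1
 * thumbnail holds ... 'levels' deep. Total size is 2 + 6*levels bytes; returns 0
 * when it does not fit. */
static size_t build_nested(uint8_t *out, size_t cap, int levels)
{
    size_t total = 2 + 6 * (size_t)levels;
    if (levels < 0 || total > cap)
        return 0;
    out[0] = 0xFF; out[1] = MARK_SOI;
    if (levels == 0)
        return 2;
    size_t len = 2 + (2 + 6 * (size_t)(levels - 1));   /* length field covers itself + child */
    if (len > 0xFFFF)
        return 0;
    out[2] = 0xFF; out[3] = MARK_APP1;
    out[4] = (uint8_t)(len >> 8); out[5] = (uint8_t)(len & 0xFF);
    return build_nested(out + 6, cap - 6, levels - 1) ? total : 0;
}

/* Build a chain 'levels' deep and scan it from depth 0. */
static int check_nested(int levels)
{
    static uint8_t buf[4096];
    size_t n = build_nested(buf, sizeof buf, levels);
    return n ? check_image(buf, n, 0) : THUMB_ERR_MALFORMED;
}

/* Constructed sample: an APP1 segment that claims 16 bytes in a 6-byte file. */
static const uint8_t kTruncatedSample[] = { 0xFF, 0xD8, 0xFF, 0xE1, 0x00, 0x10 };

int main(void)
{
    printf("8 levels: %d, 9 levels: %d, truncated: %d\n",
           check_nested(8), check_nested(9),
           check_image(kTruncatedSample, sizeof kTruncatedSample, 0));
    return 0;
}
```

A depth counter is the cheapest fix; an alternative is to convert the recursion into a loop over an explicit, size-limited work list so the bound is on heap memory rather than on stack frames.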


Heap Corruption in Tor

Date Discovered: January 2009
Date Reported: 01.20.09
Date Disclosed: 06.08.09
Author: Ilja van Sprundel

Synopsis: There is a potential heap corruption bug in Tor when escaping data for logging purposes. Only certain deployments are vulnerable and the bug can be triggered only from certain locales.


Diskimages-helper band-size Vulnerability

Reported to Vendor: 09.30.08
Patch Released: 04.29.09
CVE ID: CVE-2009-0150
Author: Tiller Beauchamp

Synopsis: A signed-to-unsigned conversion flaw exists in diskimages-helper when it reads the band-size parameter. When the value specified for the band-size key is changed to a negative number, the diskimages-helper process crashes when the user attempts to log in.
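An added C example, not Apple's code, of the signed-to-unsigned conversion the synopsis describes and the parse that prevents it. The key name band-size comes from the advisory; the accepted range, the function names and the sample values are assumptions. The vulnerable helper shows what a negative value becomes once it reaches code expecting a size; the hardened parse rejects it before any conversion happens.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical bounds; the page does not give diskimages-helper's real limits. */
#define BAND_SIZE_MIN 1
#define BAND_SIZE_MAX ((long long)1 << 30)

/* Vulnerable pattern: the property-list integer is parsed into a signed int and
 * later used where an unsigned size is expected. -1 silently becomes SIZE_MAX,
 * so any allocation or offset arithmetic built on it fails or wraps. */
static size_t band_size_as_size_vulnerable(int band_size)
{
    return (size_t)band_size;   /* implicit signed-to-unsigned conversion */
}

/* Hardened parse: read into a wide signed type, reject anything outside the
 * accepted range (negative values included), and convert only after the check.
 * Returns 0 on success, -1 on rejection. */
static int parse_band_size(const char *text, uint32_t *out)
{
    char *end;
    errno = 0;
    long long v = strtoll(text, &end, 10);
    if (errno != 0 || end == text || *end != '\0')
        return -1;                       /* not a clean integer */
    if (v < BAND_SIZE_MIN || v > BAND_SIZE_MAX)
        return -1;                       /* out of range, e.g. a negative band-size */
    *out = (uint32_t)v;
    return 0;
}

/* Wrapper that returns the accepted value, or -1 when the text is rejected. */
static long long parsed_band_size_or_neg(const char *text)
{
    uint32_t v;
    return parse_band_size(text, &v) == 0 ? (long long)v : -1;
}

int main(void)
{
    printf("(size_t)-1 = %zu\n", band_size_as_size_vulnerable(-1));
    printf("parse \"8388608\" -> %lld, parse \"-1\" -> %lld\n",
           parsed_band_size_or_neg("8388608"), parsed_band_size_or_neg("-1"));
    return 0;
}
```

The range check matters as much as the sign check: a value that is positive but absurdly large (or zero, which turns a later division into a crash) is the same bug with a different sign.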


Pointer Dereference in OpenSolaris

Date Reported: 09.29.08
Date Disclosed: 02.04.09
Date patched: 02.05.09
Author: Ilja van Sprundel

Synopsis: The OpenSolaris kernel dereferences a userland-supplied pointer without validating it, allowing userland code to both read from and write to kernel memory.


Multiple Vulnerabilities in Apple's MobileMe Service

Date reported: 08.05.08
Date patched: 11.06.08
Date disclosed: 11.20.08
Authors: Richard van Eeden, Ilja van Sprundel

Synopsis: Apple's MobileMe web service contains several serious security vulnerabilities, the most critical of which combine Cross-site Request Forgery and Cross-site Scripting and allow an attacker to access the service without a valid password.


QNX ker_msg_sendv System Call Integer Overflow

Date Discovered: 10.30.08
Date Reported: 10.30.08
Date Disclosed: 10.31.08
Author: Ilja van Sprundel

Synopsis: QNX's ker_msg_sendv() system call contains an integer overflow that could lead to heap corruption and, if correctly exploited, system compromise. If it is only partially exploited it could lead to denial of service and kernel panic, effectively shutting down the system.
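An added C example, not QNX's code and not from the advisory, of how an integer overflow in a scatter/gather send call turns into heap corruption and of the two checks that close it. The advisory names only the system call and the bug class; the struct, the per-message cap, the function names and the sample part lists are assumptions. The naive sum wraps, the buffer is sized from the wrapped total, and each part is then copied at its real length.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct iov_part { const void *base; size_t len; };

#define MAX_MSG_LEN ((size_t)1 << 30)   /* hypothetical per-message cap */

/* Vulnerable pattern: caller-supplied part lengths are summed in a size_t that
 * can wrap, a buffer is sized from the wrapped total, and each part is then
 * copied at its true length: heap corruption. */
static size_t iov_total_vulnerable(const struct iov_part *v, size_t n)
{
    size_t total = 0;
    for (size_t i = 0; i < n; i++)
        total += v[i].len;             /* silently wraps past SIZE_MAX */
    return total;
}

/* Hardened: every addition is checked against the headroom left below
 * MAX_MSG_LEN, so the sum can neither wrap nor exceed the cap. Returns 0 or -1. */
static int iov_total_checked(const struct iov_part *v, size_t n, size_t *out)
{
    size_t total = 0;
    for (size_t i = 0; i < n; i++) {
        if (v[i].len > MAX_MSG_LEN - total)
            return -1;
        total += v[i].len;
    }
    *out = total;
    return 0;
}

/* The same discipline for copying the part array itself in from userland:
 * count * sizeof(struct iov_part) must not wrap either. */
static int iov_array_bytes_checked(size_t count, size_t *out)
{
    if (count > SIZE_MAX / sizeof(struct iov_part))
        return -1;
    *out = count * sizeof(struct iov_part);
    return 0;
}

/* Constructed samples: one honest pair of parts, one pair that wraps the naive sum. */
static const struct iov_part kNormalParts[2] = { { "", 100 }, { "", 200 } };
static const struct iov_part kWrapParts[2]   = { { "", SIZE_MAX - 8 }, { "", 16 } };

int main(void)
{
    size_t total = 0;
    printf("naive sum of wrapping parts: %zu\n", iov_total_vulnerable(kWrapParts, 2));
    printf("checked sum of wrapping parts rejected: %d\n", iov_total_checked(kWrapParts, 2, &total) == -1);
    return 0;
}
```

Checking `len > cap - total` rather than `total + len > cap` is deliberate: the second form performs the very addition that can wrap, so it can pass exactly when it should fail.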


DNS TXT Record Parsing Bug in LibSPF2

Date reported: 10.20.08
Date disclosed: 10.21.08
Author: Dan Kaminsky

Synopsis: A relatively common bug in code that parses TXT records delivered over DNS, dating back at least to 2002 in Sendmail 8.2.0 and almost certainly much earlier, has been found in LibSPF2, a library frequently used to retrieve Sender Policy Framework (SPF) records and apply policy according to them. The implementation flaw allows relatively flexible memory corruption and should be treated as a path to anonymous remote code execution.
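The usual form of this bug class, as an added C example that is not LibSPF2's code: TXT RDATA is a sequence of character-strings, each a length octet followed by that many bytes, and a parser that sizes its output from RDLENGTH but copies each string at its declared length will read and write past both buffers when a length octet claims more bytes than the record has left. The exact LibSPF2 code path is not on this page; the function names and the two sample records are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TXT RDATA: one or more <character-string>s, each a length octet followed by
 * that many bytes. The record's total size (RDLENGTH) is known separately. */

/* Vulnerable pattern, measured rather than executed: a parser that trusts every
 * length octet copies this many bytes in total. When that exceeds rdlen, the
 * copy overruns both the source record and an RDLENGTH-sized destination. */
static size_t txt_claimed_bytes(const uint8_t *rdata, size_t rdlen)
{
    size_t claimed = 0, i = 0;
    while (i < rdlen) {
        size_t len = rdata[i];
        claimed += len;
        i += 1 + len;                     /* trusts the length octet blindly */
    }
    return claimed;
}

/* Fixed parser: each declared length is checked against the bytes left in
 * RDATA and against the output buffer before anything is copied. Returns the
 * concatenated length, or -1 if the record is malformed or does not fit. */
static int txt_concat_checked(const uint8_t *rdata, size_t rdlen, char *out, size_t outcap)
{
    size_t i = 0, o = 0;
    if (outcap == 0)
        return -1;
    while (i < rdlen) {
        size_t len = rdata[i++];
        if (len > rdlen - i)
            return -1;                    /* string claims bytes the record does not have */
        if (len >= outcap - o)
            return -1;                    /* would not leave room for the terminator */
        memcpy(out + o, rdata + i, len);
        o += len;
        i += len;
    }
    out[o] = '\0';
    return (int)o;
}

/* Constructed samples. kGoodTxt splits "v=spf1 -all" across two strings, as
 * longer SPF records are; kBadTxt declares a 255-byte string in a 7-byte record. */
static const uint8_t kGoodTxt[] = { 6, 'v', '=', 's', 'p', 'f', '1', 5, ' ', '-', 'a', 'l', 'l' };
static const uint8_t kBadTxt[]  = { 0xFF, 'v', '=', 's', 'p', 'f', '1' };

int main(void)
{
    char out[64];
    int n = txt_concat_checked(kGoodTxt, sizeof kGoodTxt, out, sizeof out);
    printf("good record -> %d bytes: \"%s\"\n", n, n < 0 ? "" : out);
    printf("bad record claims %zu bytes of %zu; checked parse: %d\n",
           txt_claimed_bytes(kBadTxt, sizeof kBadTxt), sizeof kBadTxt,
           txt_concat_checked(kBadTxt, sizeof kBadTxt, out, sizeof out));
    return 0;
}
```

Because the attacker controls the answer to a lookup that the mail server performs on their domain, a bug in this parser is reachable by anyone who can send mail, which is why the advisory treats it as anonymous remote code execution.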


Buffer Overflow in Mono BigInteger Montgomery Reduction Method

CVE-2007-5197, VU#146292

Date discovered: 07.25.07
Date reported: 08.24.07
Date disclosed: 09.20.07
Authors: Jason Larsen, Walter Pearce

Synopsis: An exploitable buffer overflow exists in the Montgomery reduction method of the Mono Framework's BigInteger class (Mono.Math.BigInteger).


Multiple Total Remote Compromise Vulnerabilities in Mercury SiteScope Monitoring Software

CVE-2007-6257, VU#245025
Date discovered: 10.05.06
Date disclosed: 09.20.07
Author: Chris Paget

Synopsis: The Mercury SiteScope server monitoring software contains critical vulnerabilities, some of which allow complete remote compromise of the entire monitored network, including arbitrary code execution on every server managed by SiteScope.


Multiple Buffer Overflows in legacy mod_jk2 apache module 2.0.3-DEV and earlier

CVE-2007-6257, VU#245025
Date discovered: 05.01.07
Date reported: 06.27.07
Date disclosed: 09.20.07
Authors: Josh Betts, Jason Larsen, Walter Pearce

Synopsis: A buffer overflow in the handling of the Host header in the legacy version of the mod_jk2 Apache module (jakarta-tomcat-connectors) allows remote code execution in the context of the Apache process.


Static Microsoft Windows WPAD entries might allow interception of traffic

Date disclosed: 03.26.07
Author: Chris Paget

Synopsis: The default configuration of Microsoft Windows uses the Web Proxy Autodiscovery Protocol (WPAD) without static WPAD entries, which might allow remote attackers to intercept web traffic by registering a proxy server using WINS or DNS, then responding to WPAD requests.

Numerous WebEOC Vulnerabilities

VU#956762, VU#170394, VU#138538, VU#372797, VU#491770, VU#258834, and VU#388282

Date first published: July 2005


