what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 1 - 25 of 90 RSS Feed

Files from Carsten Eiram

First Active2003-04-24
Last Active2013-09-10
GameHouse Unsafe Permissions / Use-After-Free
Posted Sep 10, 2013
Authored by Carsten Eiram

This whitepaper is aptly named An Analysis of the (In)Security State of the GameHouse Game Installation Mechanism. It discusses unsafe permission and use-after-free vulnerabilities and how it exposes users' systems.

tags | advisory, vulnerability
SHA-256 | cb01f95c23dc75b664abdad90dadd63aa8c3e97f89381bd35a60538e5b3975db
NTR ActiveX Control Check() Method Buffer Overflow
Posted Sep 22, 2012
Authored by Carsten Eiram, juan vazquez | Site metasploit.com

This Metasploit module exploits a vulnerability found in NTR ActiveX 1.1.8. The vulnerability exists in the Check() method, due to the insecure usage of strcat to build a URL using the bstrParams parameter contents, which leads to code execution under the context of the user visiting a malicious web page. In order to bypass DEP and ASLR on Windows Vista and Windows 7 JRE 6 is needed.

tags | exploit, web, code execution, activex
systems | windows
advisories | CVE-2012-0266, OSVDB-78252
SHA-256 | 71b360ec4aa13486de7017b18411dfb19378317ae8e8699d3895d166df0771b8
NTR ActiveX Control StopModule() Remote Code Execution
Posted Sep 22, 2012
Authored by Carsten Eiram, juan vazquez | Site metasploit.com

This Metasploit module exploits a vulnerability found in the NTR ActiveX 1.1.8. The vulnerability exists in the StopModule() method, where the lModule parameter is used to dereference memory to get a function pointer, which leads to code execution under the context of the user visiting a malicious web page.

tags | exploit, web, code execution, activex
advisories | CVE-2012-0267, OSVDB-78253
SHA-256 | 6acce73c09ae26c0cdd0799d7b6afb5dff55a6136f9b0ac4216f6537527d0c5c
Novell GroupWise iCalendar Date/Time Parsing Denial of Service
Posted Sep 17, 2012
Authored by Carsten Eiram | Site secunia.com

Secunia Research has discovered a vulnerability in Novell GroupWise, which can be exploited by malicious people to cause a DoS (Denial of Service). However, no checks are performed by a function in iCalendar to ensure that the supplied date-time string is longer than 8 characters. This may result in an out-of-bounds read access violation, causing GWIA to crash in case a shorter date-time string was supplied via e.g. an e-mail with a specially crafted .ics attachment. Novell GroupWise version 8.0.2 HP3 is affected.

tags | advisory, denial of service
advisories | CVE-2011-3827
SHA-256 | 47079011e77d4b03dcf622040e29f04c46c08e437a5ae7d2a92d9802266de359
Adobe Photoshop TIFF SGI24LogLum Decompression Buffer Overflow
Posted Sep 3, 2012
Authored by Carsten Eiram | Site secunia.com

Secunia Research has discovered a vulnerability in Adobe Photoshop, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused by insufficient validation in Photoshop.exe when decompressing SGI24LogLum-compressed TIFF images. This can be exploited via a specially crafted TIFF image to cause a heap-based buffer overflow. Successful exploitation may allow execution of arbitrary code.

tags | advisory, overflow, arbitrary
advisories | CVE-2012-0275
SHA-256 | 5b250b817b803791ecb2d09e8b49b1e908f5a7faf39121b38e3d74b57f9b9b57
Cisco Linksys PlayerPT ActiveX Control SetSource sURL argument Buffer Overflow
Posted Aug 3, 2012
Authored by Carsten Eiram, juan | Site metasploit.com

This Metasploit module exploits a vulnerability found in Cisco Linksys PlayerPT 1.0.0.15 as the installed with the web interface of Cisco Linksys WVC200 Wireless-G PTZ Internet Video Camera. The vulnerability, due to the insecure usage of sprintf in the SetSource method, when handling a specially crafted sURL argument, allows to trigger a stack based buffer overflow which leads to code execution under the context of the user visiting a malicious web page.

tags | exploit, web, overflow, code execution
systems | cisco
advisories | CVE-2012-0284
SHA-256 | 5a88ff9a13dc712f648150200591ec804a09cb0631600c4db7449f3c17604a4b
Cisco Linksys PlayerPT Active-X SetSource() Buffer Overflow
Posted Jul 17, 2012
Authored by Carsten Eiram | Site secunia.com

Secunia Research has discovered a vulnerability in Cisco Linksys PlayerPT ActiveX Control, which can be exploited by malicious people to compromise a user's system. Successful exploitation allows execution of arbitrary code. Cisco Linksys PlayerPT ActiveX Control version 1.0.0.15 is affected. Other versions may also be affected.

tags | advisory, overflow, arbitrary, activex
systems | cisco
advisories | CVE-2012-0284
SHA-256 | a88c10267158fe9cf2d434bc63948819deb102117186a70288596b16e3102081
NTR ActiveX Control StopModule() Input Validation
Posted Jan 12, 2012
Authored by Carsten Eiram | Site secunia.com

Secunia Research has discovered a vulnerability in NTR ActiveX control, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused by missing input validation in the handling of the "StopModule()" method and can be exploited via a specially crafted "lModule" parameter to reference an expected module structure at an arbitrary memory address. This can be exploited to dereference an arbitrary value in memory as a function pointer. Successful exploitation allows execution of arbitrary code. NTR ActiveX Control version 1.1.8 is affected.

tags | advisory, arbitrary, activex
advisories | CVE-2012-0267
SHA-256 | f4c7913670d60302279ef9cbc25fdd9fd7774592fda24b75eade05cc79505853
NTR ActiveX Control Four Buffer Overflows
Posted Jan 12, 2012
Authored by Carsten Eiram | Site secunia.com

Secunia Research has discovered four buffer overflows in the NTR ActiveX control, which can be exploited by malicious people to compromise a user's system. NTR ActiveX Control version 1.1.8 is affected.

tags | advisory, overflow, activex
advisories | CVE-2012-0266
SHA-256 | 749b21b3ffb4706107fa23982681c9002436ae13b7acd96089e1d8988fdcb778
DVR Remote ActiveX Control DVRobot Library Loading
Posted Nov 17, 2011
Authored by Carsten Eiram | Site secunia.com

Secunia Research has discovered a vulnerability in DVR Remote ActiveX Control version 2.1.0.39, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused by the ActiveX control during instantiation automatically downloading and loading DVRobot.dll from the "manifest" folder of the web server invoking the ActiveX control. Successful exploitation allows execution of arbitrary code via a specially crafted web page and hosted DVRobot.dll file.

tags | advisory, remote, web, arbitrary, activex
advisories | CVE-2011-3828
SHA-256 | e641c5041e65c7dcb486319e4f9f229021c6007e19079a2a67952f9abfd2a4b8
Novell GroupWise Internet Agent HTTP Interface Buffer Overflow
Posted Sep 27, 2011
Authored by Carsten Eiram | Site secunia.com

Secunia Research has discovered a vulnerability in Novell GroupWise, which can be exploited by malicious users to cause a DoS (Denial of Service) and potentially compromise a vulnerable system. The vulnerability is caused by a boundary error in GroupWise Internet Agent (gwia.exe) within the HTTP interface (port 9850/tcp) when handling requests for certain .css resources. This can be exploited to cause a limited stack-based buffer overflow via a specially crafted, overly long request.

tags | advisory, web, denial of service, overflow, tcp
advisories | CVE-2011-0334
SHA-256 | 0a0e3b9755408f3ac4d24cfc5ddaa02db84cde579ed5eb0e2b98699b9e5ace5f
Novell GroupWise Internet Agent TZNAME Parsing
Posted Sep 27, 2011
Authored by Carsten Eiram | Site secunia.com

Secunia Research has discovered a vulnerability in Novell GroupWise, which can be exploited by malicious people to compromise a vulnerable system. The vulnerability is caused by an integer truncation error in NgwiCalVTimeZoneBody::ParseSelf() within gwwww1.dll when GroupWise Internet Agent parses "TZNAME" variables in VCALENDAR data. This can be exploited to cause a heap-based buffer overflow via a specially crafted e-mail containing an overly long "TZNAME" property value. Successful exploitation may allow execution of arbitrary code.

tags | advisory, overflow, arbitrary
advisories | CVE-2011-0333
SHA-256 | 098e587acb10c0083b88ba844ed01cfbf1ec6d61bdeb69e7e6a4f2b9e4413126
Microsoft Office TIFF Image Converter Two Buffer Overflows
Posted Dec 20, 2010
Authored by Carsten Eiram | Site secunia.com

Secunia Research has discovered two vulnerabilities in Microsoft Office, which can be exploited by malicious people to compromise a user's system. An input validation error in the TIFF Import/Export Graphic Filter when copying certain data can be exploited to cause a heap-based buffer overflow via a specially crafted TIFF image. Another input validation error in the TIFF Import/Export Graphic Filter when copying certain data after having encountered a specific error can be exploited to cause a heap-based buffer overflow via a specially crafted TIFF image. Successful exploitation of the vulnerabilities may allow execution of arbitrary code when processing a TIFF image in an application using the graphics filter (e.g. opening the image in Microsoft Photo Editor or importing it into an Office document).

tags | advisory, overflow, arbitrary, vulnerability
advisories | CVE-2010-3947
SHA-256 | 9dba3d0d50ecb04d6b0e88ad279009be8dcf8e519a8e80f0bd5acd274e688272
Microsoft Office Document Imaging Endian Conversion
Posted Dec 20, 2010
Authored by Carsten Eiram | Site secunia.com

Secunia Research has discovered a vulnerability in Microsoft Office, which can be exploited by malicious people to potentially compromise a user's system. The vulnerability is caused by missing input validation within a library used by the bundled Microsoft Office Document Imaging application when converting certain data during parsing of TIFF images. This can be exploited to corrupt memory via a TIFF image containing specially crafted IFD entries. Successful exploitation may allow execution of arbitrary code.

tags | advisory, arbitrary
advisories | CVE-2010-3950
SHA-256 | 623e21468d54f2db461001bc0b8983f1dc7a59785a4ad47663b3d0349af2f8ce
Microsoft Office TIFF Image Converter Endian Conversion
Posted Dec 20, 2010
Authored by Carsten Eiram | Site secunia.com

Secunia Research has discovered a vulnerability in Microsoft Office, which can be exploited by malicious people to potentially compromise a user's system. The vulnerability is caused by an error in the TIFF Import/Export Graphic Filter (TIFFIM32.FLT) when converting the endianess of certain data. This can be exploited to corrupt memory via e.g. a specially crafted TIFF image. Successful exploitation may allow execution of arbitrary code when processing a TIFF image in an application using the graphics filter (e.g. opening the image in Microsoft Photo Editor or importing it into an Office document).

tags | advisory, arbitrary
advisories | CVE-2010-3949
SHA-256 | 28a0cbd4c91dc6908098a5bb540ee31c831d78a7df3e6e91cc796712c465d9fa
RealPlayer AAC Spectral Data Parsing
Posted Dec 20, 2010
Authored by Carsten Eiram | Site secunia.com

Secunia Research has discovered a vulnerability in RealPlayer, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused by an error in the parsing of AAC audio content and can be exploited to corrupt memory via specially crafted spectral data. Successful exploitation may allow execution of arbitrary code.

tags | advisory, arbitrary
advisories | CVE-2010-0125
SHA-256 | e1d707d2fdf5b309bfa5099effc7b3f06ec130515db11e823db3c81a62298aaf
QuickTime Track Dimensions Buffer Overflow
Posted Dec 8, 2010
Authored by Carsten Eiram | Site secunia.com

Secunia Research has discovered a vulnerability in QuickTime, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused by a boundary error when copying track content based on the track's dimensions and can be exploited to cause a heap-based buffer overflow. Successful exploitation may allow execution of arbitrary code.

tags | advisory, overflow, arbitrary
advisories | CVE-2010-1508
SHA-256 | 911bd4b055ba39de0bc64e6b9b69f88e96dd93acfe80f04f10e0363185f748a4
Winamp NSV Table of Contents Parsing Integer Overflow
Posted Dec 2, 2010
Authored by Carsten Eiram | Site secunia.com

Secunia Research has discovered a vulnerability in Winamp, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused by an integer overflow error in the "in_nsv.dll" plugin when parsing the Table of Contents. This can be exploited to cause a heap-based buffer overflow via a specially crafted NSV stream or file. Successful exploitation allows execution of arbitrary code.

tags | advisory, overflow, arbitrary
advisories | CVE-2010-2586
SHA-256 | 0e11ad9228e8586e68caa98094db7b108049945b5e471bad6d6329da58669380
QuickTime Sorenson Video 3 Array-Indexing
Posted Nov 11, 2010
Authored by Carsten Eiram | Site secunia.com

Secunia Research has discovered a vulnerability in QuickTime, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused by an array-indexing error when parsing Sorenson Video 3 content and can be exploited to corrupt memory during decompression via a specially crafted file. Successful exploitation may allow execution of arbitrary code.

tags | advisory, arbitrary
advisories | CVE-2010-3793
SHA-256 | e114b679b8b2a77228eda194e3cac070aeb1c50ddabcdbb4ade3ae86857bb33e
Adobe Shockwave Player "DEMX" Chunk Parsing
Posted Oct 29, 2010
Authored by Carsten Eiram | Site secunia.com

Secunia Research has discovered a vulnerability in Adobe Shockwave Player, which may be exploited by malicious people to compromise a user's system. The vulnerability is caused by a logic error in TextXtra.x32 when parsing "DEMX" chunks. This can be exploited to cause a heap-based buffer overflow via a specially crafted Director file as a function does not reallocate a buffer to contain a section of data as expected, but another function to still copy chunk data into the insufficiently sized buffer. Successful exploitation allows execution of arbitrary code.

tags | advisory, overflow, arbitrary
advisories | CVE-2010-2582
SHA-256 | 0520606f6722058230d81d2805a4528a191ff0ab419df32cfb2367dc2efaca0c
Adobe Shockwave Player "pamm" Chunk Parsing
Posted Oct 29, 2010
Authored by Carsten Eiram | Site secunia.com

Secunia Research has discovered a vulnerability in Adobe Shockwave Player, which may be exploited by malicious people to compromise a user's system. The vulnerability is caused by a function in dirapi.dll not validating the size and number of sub-chunks inside a "pamm" chunk during initial parsing of the sub-chunks. This can be exploited to corrupt memory outside the bounds of a buffer allocated for the "pamm" data via a specially crafted Director file. Successful exploitation may allow execution of arbitrary code.

tags | advisory, arbitrary
advisories | CVE-2010-2581
SHA-256 | a3e29c613af64c8ecff2b697ddfc189577bbb6d153195c683e72b4cc58a495ab
Winamp VP6 Content Parsing Buffer Overflow
Posted Oct 28, 2010
Authored by Carsten Eiram | Site secunia.com

Secunia Research has discovered a vulnerability in Winamp, which can be exploited by malicious people to potentially compromise a user's system. The vulnerability is caused by an error in the VP6 codec (vp6.w5s) when parsing VP6 video content. This can be exploited to cause a heap-based buffer overflow via a specially crafted media file or stream. Successful exploitation may allow execution of arbitrary code. Version 5.581 is affected.

tags | advisory, overflow, arbitrary
advisories | CVE-2010-1523
SHA-256 | 589a067f3f1289bab05e944bfaf2f2cc31e132d0938bcb4b2965adc396c3972b
RealPlayer QCP Sample Chunk Parsing Buffer Overflow
Posted Oct 19, 2010
Authored by Carsten Eiram | Site secunia.com

Secunia Research has discovered a vulnerability in RealPlayer SP, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused by missing input validation in the handling of sample chunks when parsing QCP audio content. This can be exploited to cause a heap-based buffer overflow. Successful exploitation may allow execution of arbitrary code. RealPlayer SP 1.0.5 is affected.

tags | advisory, overflow, arbitrary
advisories | CVE-2010-2578
SHA-256 | eeeb4329cff7001ffd06cec1862563c1994e5260cf8c7aa4113f614fd72bb98e
Microsoft Excel Lotus 1-2-3 File Parsing Vulnerability
Posted Oct 14, 2010
Authored by Carsten Eiram | Site secunia.com

Secunia Research has discovered a vulnerability in Microsoft Excel, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused by a boundary error in the parsing of certain records in Lotus 1-2-3 workbooks. This can be exploited to cause a heap-based buffer overflow via a Lotus 1-2-3 file containing a specially crafted, overly long record. Successful exploitation may allow execution of arbitrary code. Microsoft Excel versions 2002 SP3 and 2003 SP3 are affected.

tags | advisory, overflow, arbitrary
advisories | CVE-2010-3233
SHA-256 | eaa3b220e89e395f1191b6a6206ef0e5d0192c66b80b7db1d9065ae7233e71ad
Novell iPrint Client call-back-url Buffer Overflow
Posted Aug 21, 2010
Authored by Carsten Eiram | Site secunia.com

Secunia Research has discovered a vulnerability in Novell iPrint Client, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused by a boundary error in the handling of the "call-back-url" parameter value for a "op-client-interface-version" operation where the "result-type" parameter is set to "url". This can be exploited to cause a stack-based buffer overflow via an overly long "call-back-url" parameter value. Successful exploitation allows execution of arbitrary code when a user visits a malicious website. Version 5.42 is affected.

tags | advisory, overflow, arbitrary
advisories | CVE-2010-1527
SHA-256 | 86ec5434f28f41769e1ad6322513f98a99f533295cafe1d92ffb54acee744c55
Page 1 of 4
Back1234Next

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close