what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 1 - 25 of 49 RSS Feed

Files from Aaron Portnoy

First Active2006-02-13
Last Active2017-10-16
EMC NetWorker Buffer Overflow
Posted Oct 16, 2017
Authored by Aaron Portnoy | Site emc.com

EMC NetWorker Server contains a buffer overflow vulnerability that could potentially be exploited by malicious users to compromise the affected system. Versions prior to 8.2.4.9, 9.0.x (all supported versions), prior to 9.1.1.3, and prior to 9.2.0.4 are affected.

tags | advisory, overflow
advisories | CVE-2017-8022
SHA-256 | 369450dcc54bb4e682d177bc26e40df0e16897100df6e263e0947a432e6a9ef8
EMC Networker Format String
Posted Nov 6, 2012
Authored by Aaron Portnoy | Site metasploit.com

This Metasploit module exploits a format string vulnerability in the lg_sprintf function as implemented in liblocal.dll on EMC Networker products. This Metasploit module exploits the vulnerability by using a specially crafted RPC call to the program number 0x5F3DD, version 0x02, and procedure 0x06. This Metasploit module has been tested successfully on EMC Networker 7.6 SP3 on Windows XP SP3 and Windows 2003 SP2 (DEP bypass).

tags | exploit
systems | windows
advisories | CVE-2012-2288, OSVDB-85116
SHA-256 | 187180f15865924443eeaee0cc3daf29243c56a73fe15621b307d1808e687b71
EMC NetWorker Format String
Posted Aug 30, 2012
Authored by Aaron Portnoy | Site emc.com

A format string vulnerability exists in the EMC NetWorker nsrd RPC service that could potentially be exploited by a malicious user to execute arbitrary code. Versions 8.0, 7.6.4, and 7.6.3 are all affected.

tags | advisory, arbitrary
advisories | CVE-2012-2288
SHA-256 | 768328413795e6970904bc4833c2ec26daa72cde036884a7e4eaced57398951b
Hewlett-Packard Data Protector DtbClsAddObject Parsing Remote Code Execution
Posted Jun 29, 2012
Authored by Aaron Portnoy, HP DVLabs | Site tippingpoint.com

A vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Hewlett-Packard Data Protector. Authentication is not required to exploit this vulnerability. The specific flaw exists within the dpwintdb.exe process which listens by default on TCP port 3817. When parsing data within a DtbClsAddObject request, the process copies data from the network into a fixed-length buffer on the stack via an unchecked loop. This can be leveraged by attackers to execute arbitrary code under the context of the SYSTEM user.

tags | advisory, remote, arbitrary, tcp
advisories | CVE-2012-0123
SHA-256 | 556adc16dad6ca3f4873f33810b698ebf5dfd71151e2fd435143e01f45c5066c
Adobe Shockwave dirapi.dll rcsL Chunk Parsing Remote Code Execution
Posted Jun 16, 2011
Authored by Aaron Portnoy, Logan Brown | Site tippingpoint.com

A vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the Adobe Shockwave Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the rcsL chunk inside Adobe's RIFF-based Director file format. The code within the dirapi.dll does not properly validate substructure elements before using them to manipulate memory. This can lead to memory corruption which can be leveraged to execute arbitrary code under the context of the user running the browser.

tags | advisory, remote, arbitrary
advisories | CVE-2011-0335
SHA-256 | 2e9a419ed0169c3cc6d9ce5d2e301542d14e6febbed1409f4b43cadd505ed726
Adobe Shockwave Lnam Chunk Parsing Remote Code Execution
Posted Jun 16, 2011
Authored by Aaron Portnoy, Logan Brown | Site tippingpoint.com

A vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the Adobe Shockwave Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the Lnam chunk inside Adobe's RIFF-based Director file format. The code within the IML32.dll does not properly validate certain fields before using them to calculate sizes used for later memory copy operations. This can lead to memory corruption which can be leveraged to execute arbitrary code under the context of the user running the browser.

tags | advisory, remote, arbitrary
advisories | CVE-2011-2116
SHA-256 | bbf4794eaa3e7dac2a4e188e4b0d7f002bdca57bfa15469360277fa9c43b6388
Adobe Shockwave iml32.dll DEMX Chunk GIF Parsing Remote Code Execution
Posted Jun 16, 2011
Authored by Aaron Portnoy, Logan Brown | Site tippingpoint.com

A vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the Adobe Shockwave Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the DEMX chunk inside Adobe's RIFF-based Director file format. The code within the IML32.dll does not properly parse GIF images. This can lead to memory corruption which can be leveraged to execute arbitrary code under the context of the user running the browser.

tags | advisory, remote, arbitrary
advisories | CVE-2011-2111
SHA-256 | c47310fe30f191a9103f8e515efc87c64abc3fda48eef04760d8f44811c9acf7
Adobe Shockwave iml32.dll CSWV Chunk Parsing Remote Code Execution
Posted Jun 16, 2011
Authored by Aaron Portnoy, Logan Brown | Site tippingpoint.com

A vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the Adobe Shockwave Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the CSWV chunk inside Adobe's RIFF-based Director file format. When handling certain substructures, the code does not properly ensure arithmetic operations will not exceed expected values. By crafting a file with certain values this can be abused to cause memory corruption which can be leveraged to execute arbitrary code under the context of the user running the browser.

tags | advisory, remote, arbitrary
advisories | CVE-2011-2111
SHA-256 | 571feb1825f4622c650c40c41542ffaf034e7af778679c7b4017b6aa04abb738
Adobe Shockwave iml32.dll CSWV Chunk Byte Array Parsing Remote Code Execution
Posted Jun 16, 2011
Authored by Aaron Portnoy, Logan Brown | Site tippingpoint.com

A vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the Adobe Shockwave Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the CSWV chunk inside Adobe's RIFF-based Director file format. The code within the IML32.dll does not properly parse byte arrays. This can lead to memory corruption which can be leveraged to execute arbitrary code under the context of the user running the browser.

tags | advisory, remote, arbitrary
advisories | CVE-2011-2111
SHA-256 | 748756cafb988b739c34fb1ba4c6edc71ac0e185dcae11850a3d7e074abe01cc
Adobe Shockwave PFR1 Font Chunk Parsing Remote Code Execution
Posted Feb 10, 2011
Authored by Luigi Auriemma, Aaron Portnoy, Logan Brown | Site tippingpoint.com

A vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the Adobe Shockwave Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the code responsible for parsing font structures within Director files. While processing data within the PFR1 chunk, the process trusts a size value and compares a sign-extended counter against it within a copy loop. By providing a sufficiently large value, this flaw can be abused by a remote attacker to execute arbitrary code under the context of the user running the browser.

tags | advisory, remote, arbitrary
advisories | CVE-2010-0569
SHA-256 | 4d5ada7d22be428a2d78618407bc4f18c600a32d6c297d355b0ddcd166035cde
Adobe Shockwave GIF Logical Screen Descriptor Parsing Remote Code Execution
Posted Feb 10, 2011
Authored by Aaron Portnoy | Site tippingpoint.com

A vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the Adobe Shockwave Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the IML32 module distributed with the player. While parsing GIF files within a director movie (.dir or .dcr) the code trusts the specified size of the global color table and uses it to determine an offset to image data. The process subsequently attempts to write two NULL bytes to the calculated address. A remote attacker can abuse this logic to corrupt memory at a controlled location and subsequently execute arbitrary code under the context of the user running the application.

tags | advisory, remote, arbitrary
advisories | CVE-2010-4189
SHA-256 | 9665e8d242dba1521f1087c1dfbf723d6e69c1a95471fff6082b1b23f8090e7b
Adobe Shockwave dirapi.dll IFWV Trusted Offset Remote Code Execution
Posted Feb 9, 2011
Authored by Aaron Portnoy, Logan Brown | Site tippingpoint.com

A vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the Adobe Shockwave Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the DIRAPI.dll module distributed with the player. While parsing a director movie (.dir or .dcr) the code trusts the specified size of the IFWV chunk and uses it within a calculation to determine another offset within the file. By setting it to 0, the code jumps to the wrong location within the file. While parsing data at the new location, the code uses a value as a loop counter. Within the loop, the code copies data to a heap buffer. By crafting a file with a large enough size, this loop can be forced to corrupt memory. A remote attacker can abuse this logic to execute arbitrary code under the context of the user running the application.

tags | advisory, remote, arbitrary
advisories | CVE-2010-4188
SHA-256 | 7040bca9eccf6a2f720afeeef790fed7dd9623170dc56e8f376e1c3cd7629549
RealNetworks RealPlayer MDPR Chunk Size Remote Code Execution
Posted Dec 10, 2010
Authored by Aaron Portnoy, Logan Brown | Site tippingpoint.com

A vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of RealNetworks RealPlayer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within RealPlayer's handling of Internet Video Recording (.ivr) files. While parsing the MLTI chunk the process trusts the field responsible for denoting the size of an embedded MDPR chunk. By modifying this value in an IVR file an attacker can force a misallocation on the heap. The process can then be made to write past the bounds of the buffer, corrupting memory. This can be leveraged to execute arbitrary code under the context of the user invoking RealPlayer.

tags | advisory, remote, arbitrary
advisories | CVE-2010-4390
SHA-256 | ef22d184b5a4a171517add373ae6dc8fd3d072df971cf7a90421dcccf5664ddc
RealNetworks RealPlayer MLTI Stream Number Remote Code Execution
Posted Dec 10, 2010
Authored by Aaron Portnoy, Logan Brown | Site tippingpoint.com

A vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of RealNetworks RealPlayer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within RealPlayer's handling of Internet Video Recording (.ivr) files. While parsing the MLTI chunk the process trusts the field responsible for denoting the number of streams within the chunk. By modifying this value in an IVR file, an attacker can force a processing loop to overrun and corrupt heap memory. This can be abused to execute arbitrary code under the context of the user invoking RealPlayer.

tags | advisory, remote, overflow, arbitrary
advisories | CVE-2010-4390
SHA-256 | 6ed8ef7f4d23f0fee569702d8aba5ef2ba635dcf17e9a56a9b184e9acc1c3004
RealNetworks RealPlayer SIPR Stream Frame Dimensions Remote Code Execution
Posted Dec 10, 2010
Authored by Aaron Portnoy, Logan Brown, Zef Cekaj | Site tippingpoint.com

A vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of RealNetworks RealPlayer. Authentication is not required to exploit this vulnerability. The specific flaw exists within the drv1.dll module. Code responsible for parsing SIPR stream metadata trusts frame width and height values from the input file. By crafting particular values an integer value used in a loop can be made to wrap negatively. The loop will subsequently overflow a static heap buffer during an inline memory copy. By crafting a malicious .rm file an attacker can exploit this vulnerability remotely using the RealPlayer ActiveX control.

tags | advisory, remote, overflow, arbitrary, activex
advisories | CVE-2010-4385
SHA-256 | 9008fd6701a36aedb79d1920596baf54f3e5c2c61a1f4933ad72ba730297ce9a
VMWare VMnc Codec Frame Decompression Remote Code Execution
Posted Dec 4, 2010
Authored by Aaron Portnoy | Site tippingpoint.com

A vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of multiple VMWare products. User interaction is required in that a user must visit a malicious web page or open a malicious video file.

tags | advisory, remote, web, arbitrary
advisories | CVE-2010-4294
SHA-256 | 5da5e1c6b9fa68402f609d44cbaeed06b7475924eea31e4c0ece915536bb26c7
Adobe Shockwave Director mmap Trusted Chunk Size Remote Code Execution
Posted Aug 26, 2010
Authored by Aaron Portnoy, Logan Brown | Site dvlabs.tippingpoint.com

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Adobe Shockwave. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the DIRAPIX module responsible for parsing the RIFF-based Director file format. When handling the mmap chunk, the process trusts the chunk size immediately following the fourCC value. It is passed to Ordinal1111 exported by the IML32X module which is responsible for allocating a heap buffer for processing the rest of the chunk. If an incorrect size is provided, later memory copies can corrupt data beyond the allocated buffer. This can be abused to execute remote code under the context of the user running the web browser.

tags | advisory, remote, web, arbitrary
advisories | CVE-2010-2870
SHA-256 | 81e8ba67b1a1a3b42dc58319b1e12d7d52164ce3c75ee9898b373eeafb8c25bb
Adobe Shockwave Director rcsL Chunk Pointer Offset Remote Code Execution
Posted Aug 26, 2010
Authored by Aaron Portnoy, Logan Brown | Site dvlabs.tippingpoint.com

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Adobe Shockwave Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the code responsible for parsing the Director RIFF based file format. While handling the rcsL chunk, code within DIRAPIX sign-extends a return value from a call to Ordinal1412 within the IML32X module. This ordinal is responsible for unmarshalling a WORD value from the RIFF chunk. If the value is signed, DIRAPIX sign-extends the value, performs arithmetic on it, and then proceeds to use it as an offset into a heap-based buffer. By supplying any of a specific range of values, an attacker can exploit this condition to execute arbitrary code under the context of the user running the web browser.

tags | advisory, remote, web, arbitrary
advisories | CVE-2010-2867
SHA-256 | 30cb2f82be6c676e63922c615a0975be22d1d18506ac69ee4d34ce74e69e3142
Adobe Shockwave Director tSAC Chunk Remote Code Execution
Posted Aug 26, 2010
Authored by Aaron Portnoy, Logan Brown | Site dvlabs.tippingpoint.com

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Adobe Shockwave player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the code responsible for parsing Director's RIFF-based file format. While parsing the tSAC chunk, the DIRAPI module does not properly verify the signedness of a count value within an undocumented structure. By providing a large enough negative value a pointer can be miscalculated leading to memory corruption. This can be exploited by a remote attacker to execute arbitrary code under the context of the user running the web browser.

tags | advisory, remote, web, arbitrary
advisories | CVE-2010-2866
SHA-256 | 86a222ba1e8cbc3a092252acfbbfd4d5af69f70800dc8b82c9dfe26831862381
Adobe Shockwave TextXtra Allocator Integer Overflow Remote Code Execution
Posted Aug 26, 2010
Authored by Aaron Portnoy, Logan Brown, Team Montreal Hotties | Site dvlabs.tippingpoint.com

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Adobe Shockwave Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists due to a faulty allocation routine within the TextXtra.x32 module. This allocator allocates a buffer on the heap based on arithmetic involving a number of elements and a size of an individual element. As the fields come from the file, if either of them are large enough, the value used for the number of bytes to allocate can be made to overflow. As the return value is rarely checked any caller of this function can usually be made to overflow the returned buffer with user-supplied data. An attacker can leverage this to execute remote code under the context of the user running the browser.

tags | advisory, remote, overflow, arbitrary
advisories | CVE-2010-2879
SHA-256 | 4a81213c5116b85cea84b6f555ccca604792fb22767b6dc4fdeb0994c35e2ed6
Adobe Shockwave tSAC Chunk Pointer Offset Memory Corruption Remote Code Execution
Posted Aug 26, 2010
Authored by Aaron Portnoy, Logan Brown, Team lollersk8erz | Site dvlabs.tippingpoint.com

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Adobe Shockwave Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within DIRAPIX.dll which is responsible for parsing the Director movies, a RIFF-based file format. The code sign-extends a value from the input file and uses it as an offset to seek into a heap buffer before performing a write operation. By crafting particular values for this field, an attacker can force the process to seek beyond the allocated bounds of the buffer. This can be leveraged by an attacker to execute arbitrary code under the context of the user running the web browser.

tags | advisory, remote, web, arbitrary
advisories | CVE-2010-2874
SHA-256 | a5b00042c264d908492a78e03e2b000c4d556668645f8023c4c9840bbe65d7af
Adobe Shockwave tSAC Chunk Invalid Seek Memory Corruption Remote Code Execution
Posted Aug 26, 2010
Authored by Aaron Portnoy, Logan Brown, Team lollersk8erz | Site dvlabs.tippingpoint.com

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Adobe Shockwave Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within DIRAPIX.dll which is responsible for parsing the Director movies, a RIFF-based file format. The code directly uses a value from the file while seeking into a heap buffer. The process then attempts to write a NULL byte to the seeked address. By specifying a large enough value for this field, an attacker can force the process to seek beyond the allocated bounds of the buffer. This can be leveraged by an attacker to execute arbitrary code under the context of the user running the web browser.

tags | advisory, remote, web, arbitrary
advisories | CVE-2010-2878
SHA-256 | 434a38f35c1ac47096e5844b388206de10edb7761328457c75b27d8e27b0ba9d
Adobe Shockwave CSWV Chunk Memory Corruption Remote Code Execution
Posted Aug 26, 2010
Authored by Aaron Portnoy, Logan Brown, Team lollersk8erz | Site dvlabs.tippingpoint.com

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Adobe Shockwave Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within IML32X.dll and DIRAPIX.dll which are responsible for parsing the Director movies, a RIFF-based file format. The code trusts a value from the file as a count and performs an endian-flipping loop on data in heap memory. If the value is large enough the process can be made to seek outside the bounds of the allocation and thus corrupt memory in a controlled fashion. This can be leveraged by an attacker to execute arbitrary code under the context of the user running the web browser.

tags | advisory, remote, web, arbitrary
advisories | CVE-2010-2877
SHA-256 | faf8a920a8245da335a891be6f9204c81adce0ab5f1ccbafaff30a2ab25425e5
Novell iPrint Client Browser PluginGetDriverFile Uninitialized Pointer Remote Code Execution
Posted Aug 24, 2010
Authored by Aaron Portnoy | Site tippingpoint.com

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the Novell iPrint client. User interaction is required to exploit this vulnerability in that the target must visit a malicious page. The specific flaw exists within the ienipp.ocx ActiveX control with CLSID 36723f97-7aa0-11d4-8919-FF2D71D0D32C. The function exposes a GetDriverFile method. When this method is invoked for the first time a pointer in the .data section is mapped to an external function within another module. When invoked the second time, the process fails to load the library and assumes the pointer is still valid. When the uninitialized pointer is called the process jumps to an address space easily controlled by an attacker. This can be leveraged to execute remote code under the context of the user running the browser.

tags | advisory, remote, arbitrary, activex
SHA-256 | e0cfa3e2cd1ddcbcc01059726eacacbe82ac5d6853c2f30996a1f6f81e23e936
Novell iPrint Client Browser Plugin ExecuteRequest debug Parameter Remote Code Execution
Posted Aug 6, 2010
Authored by Aaron Portnoy | Site tippingpoint.com

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the Novell iPrint client. User interaction is required to exploit this vulnerability in that the target must visit a malicious page. The specific flaw exists within the ienipp.ocx ActiveX control. The control accepts a 'debug' parameter that is expected to be either "yes" or "true". If a string of a specific length is provided instead, a processing loop within the ExecuteRequest method can be made to corrupt a stack-based buffer. This can be leveraged by a remote attacker to execute arbitrary code under the context of the user running the web browser.

tags | advisory, remote, web, arbitrary, activex
SHA-256 | 8dbb5d8b6807df3734afa4e092b527b75a911323e3f79ba1f93c76c5ff72e259
Page 1 of 2
Back12Next

File Archive:

August 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    20 Files
  • 2
    Aug 2nd
    4 Files
  • 3
    Aug 3rd
    6 Files
  • 4
    Aug 4th
    55 Files
  • 5
    Aug 5th
    16 Files
  • 6
    Aug 6th
    0 Files
  • 7
    Aug 7th
    0 Files
  • 8
    Aug 8th
    13 Files
  • 9
    Aug 9th
    13 Files
  • 10
    Aug 10th
    34 Files
  • 11
    Aug 11th
    0 Files
  • 12
    Aug 12th
    0 Files
  • 13
    Aug 13th
    0 Files
  • 14
    Aug 14th
    0 Files
  • 15
    Aug 15th
    0 Files
  • 16
    Aug 16th
    0 Files
  • 17
    Aug 17th
    0 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close