what you don't know can hurt you
Showing 1 - 25 of 38 RSS Feed

Files from regenrecht

First Active2007-02-24
Last Active2013-08-29
Firefox XMLSerializer Use After Free
Posted Aug 29, 2013
Authored by regenrecht, juan vazquez | Site metasploit.com

This Metasploit module exploits a vulnerability found on Firefox 17.0 (< 17.0.2), specifically an use after free of an Element object, when using the serializeToStream method with a specially crafted OutputStream defining its own write function. This Metasploit module has been tested successfully with Firefox 17.0.1 ESR, 17.0.1 and 17.0 on Windows XP SP3.

tags | exploit
systems | windows, xp
advisories | CVE-2013-0753, OSVDB-89021
MD5 | 6d919208c10f274c997a34ba8bbff8d7
Firefox 8/9 AttributeChildRemoved() Use-After-Free
Posted May 14, 2012
Authored by regenrecht | Site metasploit.com

This Metasploit module exploits a use-after-free vulnerability in Firefox 8/8.0.1 and 9/9.0.1. Removal of child nodes from the nsDOMAttribute can allow for a child to still be accessible after removal due to a premature notification of AttributeChildRemoved. Since mFirstChild is not set to NULL until after this call is made, this means the removed child will be accessible after it has been removed. By carefully manipulating the memory layout, this can lead to arbitrary code execution.

tags | exploit, arbitrary, code execution
advisories | CVE-2011-3659
MD5 | 0b77bf8a62335451d3cf458569f451f6
Mozilla Firefox 7 / 8 Out-Of-Bounds Access
Posted May 8, 2012
Authored by regenrecht | Site metasploit.com

This Metasploit module exploits an out-of-bounds access flaw in Firefox 7 and 8 (versions 8.0.1 and below). The notification of nsSVGValue observers via nsSVGValue::NotifyObservers(x,y) uses a loop which can result in an out-of-bounds access to attacker-controlled memory. The mObserver ElementAt() function (which picks up pointers), does not validate if a given index is out of bound. If a custom observer of nsSVGValue is created, which removes elements from the original observer, and memory layout is manipulated properly, the ElementAt() function might pick up an attacker provided pointer, which can be leveraged to gain remote arbitrary code execution.

tags | exploit, remote, arbitrary, code execution
advisories | CVE-2011-3658
MD5 | 9c288acad3cd8cbab3fa521e13d9bcba
Mozilla Firefox 3.6.16 mChannel Use After Free
Posted Aug 10, 2011
Authored by regenrecht, Rh0 | Site metasploit.com

This Metasploit module exploits an use after free vulnerability in Mozilla Firefox 3.6.16. An OBJECT Element mChannel can be freed via the OnChannelRedirect method of the nsIChannelEventSink Interface. mChannel becomes a dangling pointer and can be reused when setting the OBJECTs data attribute. This Metasploit module uses heapspray with a minimal ROP chain to bypass DEP on Windows XP SP3.

tags | exploit
systems | windows, xp
advisories | CVE-2011-0065, OSVDB-72085
MD5 | 226da513f467beff325d11b4a252d257
Mozilla Firefox 3.6.16 mChannel Use After Free Exploit
Posted Aug 5, 2011
Authored by regenrecht, Rh0 | Site metasploit.com

This Metasploit module exploits an use after free vulnerability in Mozilla Firefox 3.6.16. An OBJECT Element mChannel can be freed via the OnChannelRedirect method of the nsIChannelEventSink Interface. mChannel becomes a dangling pointer and can be reused when setting the OBJECTs data attribute. This Metasploit module uses heapspray with a minimal ROP chain to bypass DEP on Windows XP SP3.

tags | exploit
systems | windows, xp
advisories | CVE-2011-0065, OSVDB-72085
MD5 | 7ab6775d994afb4873ee9d2b8f923e5b
Mozilla Firefox "nsTreeRange" Dangling Pointer Vulnerability
Posted Jul 11, 2011
Authored by regenrecht, xero | Site metasploit.com

This Metasploit module exploits a code execution vulnerability in Mozilla Firefox 3.6.x <= 3.6.16 and 3.5.x <= 3.5.17 found in nsTreeSelection. By overwriting a subfunction of invalidateSelection it is possible to free the nsTreeRange object that the function currently operates on. Any further operations on the freed object can result in remote code execution. Utilizing the call setup the function provides it's possible to bypass DEP without the need for a ROP. Sadly this exploit is still either dependent on Java or bound by ASLR because Firefox doesn't employ any ASLR-free modules anymore.

tags | exploit, java, remote, code execution
advisories | CVE-2011-0073, OSVDB-72087
MD5 | 34f569f4d03a07d24416d8c0a6c4e732
iDEFENSE Security Advisory 2010-03-30.2
Posted Apr 1, 2010
Authored by iDefense Labs, regenrecht | Site idefense.com

iDefense Security Advisory 03.30.10 - Remote exploitation of a buffer overflow vulnerability in Oracle Corp.'s (formerly Sun Microsystems Inc.) Java Runtime Environment (JRE) could allow an attacker to execute arbitrary code with the privileges of the current user. The JRE is a platform that supports the execution of programs that are developed using the Java programming language. It is available for multiple platforms, including Windows, Linux and MacOS. The JRE platform also supports Java Applets, which can be loaded from Web pages. During the processing of an image file, user-controlled data is trusted and can result in an undersized allocation of a heap buffer. A copy operation into the heap buffer can lead to a heap overflow condition within the JRE. This condition may allow a remote attacker to subvert execution control and execute arbitrary code.

tags | advisory, java, remote, web, overflow, arbitrary
systems | linux, windows
MD5 | 23927a2f96a8ffb6ebc1a56c3a54cada
iDEFENSE Security Advisory 2009-10-28.1
Posted Oct 28, 2009
Authored by iDefense Labs, regenrecht | Site idefense.com

Remote exploitation of a buffer overflow in the Mozilla Foundation's libpr0n image processing library allows attackers to execute arbitrary code. The libpr0n GIF parser was designed using a state machine which is represented as a series of switch/case statements. One particularly interesting state, 'gif_image_header', is responsible for interpreting a single image/frame description record. A single GIF file may contain many images, each with a different color map associated. The problem lies in the handling of changes to the color map of subsequent images in a multiple-image GIF file. Memory reallocation is not managed correctly and can result in an exploitable heap overflow condition. iDefense confirmed the existence of this vulnerability using Mozilla Firefox versions 3.0.13 and 3.5.2 on 32-bit Windows XP SP3. Other versions, and potentially other applications using libpr0n, are suspected to be vulnerable.

tags | advisory, remote, overflow, arbitrary
systems | windows, xp
advisories | CVE-2009-3373
MD5 | 44a92ee1872b49c79818d60937028c4a
iDEFENSE Security Advisory 2009-08-04.1
Posted Aug 7, 2009
Authored by iDefense Labs, regenrecht | Site idefense.com

iDefense Security Advisory 08.04.09 - Remote exploitation of an integer overflow vulnerability in Sun Microsystems Inc.'s Java Runtime Environment (JRE) could allow an attacker to execute arbitrary code with the privileges of the current user.iDefense has confirmed the existence of this vulnerability in Sun Microsystems Inc.'s JRE version 1.6.0_13 for Windows and Linux. This vulnerability is different than the two previously reported iDefense Exclusives in the Pack200 code.

tags | advisory, java, remote, overflow, arbitrary
systems | linux, windows
MD5 | 7d01d25b49238d9efcafda7bb4951190
iDEFENSE Security Advisory 2009-03-25.5
Posted Mar 27, 2009
Authored by iDefense Labs, regenrecht | Site idefense.com

iDefense Security Advisory 03.25.09 - Remote exploitation of an integer overflow vulnerability in Sun Microsystems Inc.'s Java Runtime Environment (JRE) could allow an attacker to execute arbitrary code with the privileges of the current user. The vulnerability occurs during decompression when, to calculate the size of a heap buffer, the code manipulates several integers in the file. The bounds of these values are not checked, and the arithmetic operations can overflow. This results in an undersized buffer being allocated, which leads to a heap-based buffer overflow. iDefense has confirmed the existence of this vulnerability in Sun Microsystem Inc.'s JRE version 1.6.0_11 for Windows and Linux.

tags | advisory, java, remote, overflow, arbitrary
systems | linux, windows
MD5 | 745655f99192eab0cfcaad45f2db5a40
iDEFENSE Security Advisory 2009-03-25.4
Posted Mar 27, 2009
Authored by iDefense Labs, regenrecht | Site idefense.com

iDefense Security Advisory 03.25.09 - Remote exploitation of an integer overflow vulnerability in Sun Microsystems Inc.'s Java Web Start could allow an attacker to execute arbitrary code with privileges of the current user. When JWS starts up, it displays a splash screen. By default, the image displayed on this splash screen is a GIF file provided by Sun, but it is possible for a JNLP file to provide its own splash logo. This allows an attacker to pass an arbitrary PNG file to the splash logo parsing code. The vulnerability occurs when parsing a PNG file used as part of the splash screen. When parsing the image, several values are taken from the file and used in an arithmetic operation that calculates the size of a heap buffer. This calculation can overflow, which results in an undersized buffer being allocated. This buffer is later overflowed with data from the file. iDefense has confirmed the existence of this vulnerability in Java Web Start version 1.6_11 on Windows and Linux. Previous versions may also be affected.

tags | advisory, java, remote, web, overflow, arbitrary
systems | linux, windows
MD5 | a7c03e14bec9efc4a560b352713741e2
iDEFENSE Security Advisory 2009-03-25.3
Posted Mar 27, 2009
Authored by iDefense Labs, regenrecht | Site idefense.com

iDefense Security Advisory 03.25.09 - Remote exploitation of a heap corruption vulnerability in Sun Microsystems Inc.'s Java JRE could allow an attacker to execute arbitrary code with the privileges of the current user. Values from the GIF file are used to calculate an offset to store data in a dynamic heap buffer. These values are not validated before use, which allows an attacker to store controlled data outside of the bounds of the allocated buffer. This leads to corruption of object pointers, which can be leveraged to execute arbitrary code. iDefense has confirmed the existence of this vulnerability in Java JRE version 1.6_11. Previous versions may also be affected.

tags | advisory, java, remote, arbitrary
MD5 | 88e5ed50eb496fcad942a6f8a27321cc
iDEFENSE Security Advisory 2009-03-25.2
Posted Mar 27, 2009
Authored by iDefense Labs, regenrecht | Site idefense.com

iDefense Security Advisory 03.25.09 - Remote exploitation of a heap corruption vulnerability in Sun Microsystems Inc.'s Java Web Start could allow an attacker to execute arbitrary code with privileges of the current user. When JWS starts up, it displays a splash screen. By default, the image displayed on this splash screen is a GIF file provided by Sun, but it is possible for a JNLP file to provide its own splash logo. This allows an attacker to pass an arbitrary GIF file to the splash logo parsing code to trigger the vulnerability. iDefense has confirmed the existence of this vulnerability in Java Web Start version 1.6_11 on Windows and Linux. Previous versions may also be affected.

tags | advisory, java, remote, web, arbitrary
systems | linux, windows
MD5 | f4970366dc2949bf014b5f17a84b519e
iDEFENSE Security Advisory 2008-12-02.3
Posted Dec 4, 2008
Authored by iDefense Labs, regenrecht | Site idefense.com

iDefense Security Advisory 12.02.08 - Remote exploitation of an integer overflow vulnerability in Sun Microsystems Inc.'s Java JRE could allow an attacker to execute arbitrary code with the privileges of the current user. The vulnerability occurs when reading the Pack200 compressed Jar file during decompression. In order to calculate the size of a heap buffer, the code multiplies and adds several integers. The bounds of these values are not checked, and the arithmetic operations can overflow. This results in an undersized buffer being allocated, which leads to a heap based buffer overflow. iDefense has confirmed the existence of this vulnerability in Sun Microsystem Inc.'s Java JRE version 1.6.0_07 for Windows and Linux. According to Sun, Pack200 was first introduced in JRE 1.5.0. The latest version of JRE 1.5, 1.5.0_15, does contain the vulnerable code, but the browser plugin does not handle Pack200 encoding. As such, exploitation through the browser does not appear to be possible with JRE 1.5.

tags | advisory, java, remote, overflow, arbitrary
systems | linux, windows
MD5 | 748f5b82a0cddaf39366fc23ddc4e1b5
iDEFENSE Security Advisory 2008-12-02.2
Posted Dec 4, 2008
Authored by iDefense Labs, regenrecht | Site idefense.com

iDefense Security Advisory 12.02.08 - Remote exploitation of a memory corruption vulnerability in Sun Microsystems Inc.'s Java Web Start could allow an attacker to execute arbitrary code with the privileges of the current user. When JWS starts up, it displays a splash screen. By default, the image displayed on this splash screen is a GIF file provided by Sun, but it is possible for an attacker to pass an arbitrary GIF file to the splash logo parsing code. The vulnerability occurs when parsing this GIF file. The parsing code does not correctly validate several values in the GIF header. This lets an attacker write data outside of the bounds of an allocated heap buffer, which can lead to the execution of arbitrary code. iDefense has confirmed the existence of this vulnerability in Java Web Start version 1.6_10 and 1.6_07 on Windows and Linux. Previous versions may also be affected.

tags | advisory, java, remote, web, arbitrary
systems | linux, windows
MD5 | 8eeba7078d5d1bde8ecc5320695d94e8
iDEFENSE Security Advisory 2008-11-03.2
Posted Nov 4, 2008
Authored by iDefense Labs, regenrecht | Site idefense.com

iDefense Security Advisory 11.03.08 - Remote exploitation of a heap-based buffer overflow vulnerability in CUPS, as included in various vendors' operating system distributions, could allow an attacker to execute arbitrary code with the privileges of the affected service. iDefense has confirmed the existence of this vulnerability in CUPS version 1.3.7. Previous versions may also be affected.

tags | advisory, remote, overflow, arbitrary
MD5 | 1dacc3345fe6fd4e35b5a717f2655268
iDEFENSE Security Advisory 2008-11-03.1
Posted Nov 4, 2008
Authored by iDefense Labs, regenrecht | Site idefense.com

iDefense Security Advisory 11.03.08 - Remote exploitation of an integer overflow vulnerability in CUPS, as included in various vendors operating system distributions, could allow an attacker to execute arbitrary code with the privileges of the affected service. The vulnerability exists within the WriteProlog() function in the "texttops" application. When calculating the page size used for storing PostScript data, multiple values that are derived from attacker-controlled content are used in a multiplication operation. This calculation can overflow, resulting in an incorrect result for the total page size. This value is then used to allocate a heap buffer that is later filled with attacker controlled content, resulting in a heap buffer overflow. iDefense has confirmed the existence of this vulnerability in CUPS version 1.3.7. Previous versions may also be affected.

tags | advisory, remote, overflow, arbitrary
MD5 | d296664e145b7f1d3da3fe7a3c64ed40
Zero Day Initiative Advisory 08-067
Posted Oct 11, 2008
Authored by Tipping Point, regenrecht | Site zerodayinitiative.com

A vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple CUPS. Authentication is not required to exploit this vulnerability. The specific flaw exists in the Hewlett-Packard Graphics Language filter. Inadequate bounds checking on the pen width and pen color opcodes result in an arbitrary memory overwrite allowing for the execution of arbitrary code as the "hgltops" process uid.

tags | advisory, remote, arbitrary
systems | apple
advisories | CVE-2008-3641
MD5 | 9926adae42bd4b463869d0112262dd6b
iDEFENSE Security Advisory 2008-06-11.5
Posted Jun 11, 2008
Authored by iDefense Labs, regenrecht | Site idefense.com

iDefense Security Advisory 06.11.08 - Local exploitation of an information disclosure vulnerability in the X.Org X server, as included in various vendors' operating system distributions, could allow an attacker to gain access to sensitive information stored in server memory. The vulnerability exists when creating a Pixmap in the fbShmPutImage() function. The width and height of the Pixmap, which are controlled by the user, are not properly validated to ensure that the Pixmap they define are within the bounds of the shared memory segment. This allows an attacker to read arbitrary areas of memory in the X server process. iDefense has confirmed the existence of this vulnerability in X server 1.4 included with X.org X11R7.3, with all patches as of 03/01/08 applied. Previous versions may also be affected.

tags | advisory, arbitrary, local, info disclosure
advisories | CVE-2008-1379
MD5 | b97be81b56db7c21a2c2ce11144f8ca3
iDEFENSE Security Advisory 2008-06-11.4
Posted Jun 11, 2008
Authored by iDefense Labs, regenrecht | Site idefense.com

iDefense Security Advisory 06.11.08 - Local exploitation of multiple memory corruption vulnerabilities in the X.Org X server, as included in various vendors' operating system distributions, could allow an attacker to execute arbitrary code with the privileges of the X server, typically root. iDefense has confirmed the existence of these vulnerabilities in X server 1.4 included with X.org X11R7.3, with all patches as of 03/01/08 applied. Previous versions may also be affected.

tags | advisory, arbitrary, local, root, vulnerability
advisories | CVE-2008-1377
MD5 | 84d5bbe99f8952f376797d89c1dba252
iDEFENSE Security Advisory 2008-06-11.3
Posted Jun 11, 2008
Authored by iDefense Labs, regenrecht | Site idefense.com

iDefense Security Advisory 06.11.08 - Local exploitation of an integer overflow vulnerability in the X.Org X server, as included in various vendors' operating system distributions, could allow an attacker to execute arbitrary code with the privileges of the X server, typically root. iDefense has confirmed the existence of this vulnerability in X.org X11 version R7.3, with all patches as of 03/01/08 applied. Previous versions may also be affected.

tags | advisory, overflow, arbitrary, local, root
advisories | CVE-2008-2362
MD5 | 6fcefa2590859e0359151b323865f5f4
iDEFENSE Security Advisory 2008-06-11.2
Posted Jun 11, 2008
Authored by iDefense Labs, regenrecht | Site idefense.com

iDefense Security Advisory 06.11.08 - Local exploitation of an integer overflow vulnerability in the X.Org X server, as included in various vendors' operating system distributions, could allow an attacker to create a denial of service (DoS) condition on the affected X server. The vulnerability exists within the ProcRenderCreateCursor() function. When parsing a client request, values are taken from the request and used in an arithmetic operation that calculates the size of a dynamic buffer. This calculation can overflow, which results in an undersized buffer being allocated. This leads to an invalid memory access, which crashes the X server. iDefense has confirmed the existence of these this vulnerability in X.org X11 version R7.3, with all patches as of 03/01/08 applied. Previous versions may also be affected.

tags | advisory, denial of service, overflow, local
advisories | CVE-2008-2361
MD5 | 1aac731a1df26bc92016e8603a765815
iDEFENSE Security Advisory 2008-06-11.1
Posted Jun 11, 2008
Authored by iDefense Labs, regenrecht | Site idefense.com

iDefense Security Advisory 06.11.08 - Local exploitation of an integer overflow vulnerability in the X.Org X server, as included in various vendors' operating system distributions, could allow an attacker to execute arbitrary code with the privileges of the X server, typically root. The vulnerability exists within the AllocateGlyph() function, which is called from several request handlers in the render extension. This function takes several values from the request, and multiplies them together to calculate how much memory to allocate for a heap buffer. This calculation can overflow, which leads to a heap overflow. iDefense has confirmed the existence of this vulnerability in X server 1.4 included with X.org X11R7.3, with all patches as of 03/01/08 applied. Previous versions may also be affected.

tags | advisory, overflow, arbitrary, local, root
advisories | CVE-2008-2360
MD5 | 0c8278845aad04aaa0cbb9f6e4722696
iDEFENSE Security Advisory 2008-06-10.4
Posted Jun 11, 2008
Authored by iDefense Labs, regenrecht | Site idefense.com

iDefense Security Advisory 06.10.08 - Remote exploitation of multiple heap overflow vulnerabilities in the FreeType2 library, as included in various vendors' operating systems, could allow an attacker to execute arbitrary code with the privileges of the affected application. iDefense has confirmed the existence of these vulnerabilities in FreeType2 version 2.3.5. Previous versions may also be affected.

tags | advisory, remote, overflow, arbitrary, vulnerability
advisories | CVE-2008-1808
MD5 | 46e074a304e454aa5adcdae2c8b6a925
iDEFENSE Security Advisory 2008-06-10.3
Posted Jun 11, 2008
Authored by iDefense Labs, regenrecht | Site idefense.com

iDefense Security Advisory 06.10.08 - Remote exploitation of a memory corruption vulnerability in the FreeType2 library, as included in various vendors' operating systems, could allow an attacker to execute arbitrary code with the privileges of the affected application. iDefense has confirmed the existence of this vulnerability in FreeType2 version 2.3.5. Previous versions may also be affected.

tags | advisory, remote, arbitrary
advisories | CVE-2008-1807
MD5 | ffadea1dac3d6b9c991c4408037734ea
Page 1 of 2
Back12Next

File Archive:

August 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    3 Files
  • 2
    Aug 2nd
    2 Files
  • 3
    Aug 3rd
    32 Files
  • 4
    Aug 4th
    22 Files
  • 5
    Aug 5th
    12 Files
  • 6
    Aug 6th
    0 Files
  • 7
    Aug 7th
    0 Files
  • 8
    Aug 8th
    0 Files
  • 9
    Aug 9th
    0 Files
  • 10
    Aug 10th
    0 Files
  • 11
    Aug 11th
    0 Files
  • 12
    Aug 12th
    0 Files
  • 13
    Aug 13th
    0 Files
  • 14
    Aug 14th
    0 Files
  • 15
    Aug 15th
    0 Files
  • 16
    Aug 16th
    0 Files
  • 17
    Aug 17th
    0 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close