iDefense Security Advisory 04.14.09 - Exploitation of a stack corruption vulnerability in Microsoft Corp.'s Word 2000 WordPerfect 6.x Converter could allow an attacker to execute code in the context of the current user. Microsoft Word is able to open documents created in other applications by transparently applying a filter module which converts them to a format Word can use. The WordPerfect 6.x converter from Office 2000 fails to perform sufficient sanity checking on input files. A maliciously constructed WordPerfect document can cause potentially exploitable stack corruption. iDefense Labs have confirmed that the WordPerfect 6.x converter (WPFT632.CNV, with file version 1998.1.27.0) in Microsoft Word 2000 Service Pack 3 is vulnerable. However, the version of this converter installed with Word 2003 is not affected by this vulnerability.
d7e06c594ee675783098ca1a2f12b2ee798b05b631ffdf21d98e79bb64fc7399iDefense Security Advisory 03.25.09 - Remote exploitation of an integer overflow vulnerability in Sun Microsystems Inc.'s Java Runtime Environment (JRE) could allow an attacker to execute arbitrary code with the privileges of the current user. The vulnerability occurs during decompression when, to calculate the size of a heap buffer, the code manipulates several integers in the file. The bounds of these values are not checked, and the arithmetic operations can overflow. This results in an undersized buffer being allocated, which leads to a heap-based buffer overflow. iDefense has confirmed the existence of this vulnerability in Sun Microsystem Inc.'s JRE version 1.6.0_11 for Windows and Linux.
45f6f1ff008d7faa9a03ca57e555cc3f216424f6906bc9343bc797edf47efefaiDefense Security Advisory 03.25.09 - Remote exploitation of an integer overflow vulnerability in Sun Microsystems Inc.'s Java Web Start could allow an attacker to execute arbitrary code with privileges of the current user. When JWS starts up, it displays a splash screen. By default, the image displayed on this splash screen is a GIF file provided by Sun, but it is possible for a JNLP file to provide its own splash logo. This allows an attacker to pass an arbitrary PNG file to the splash logo parsing code. The vulnerability occurs when parsing a PNG file used as part of the splash screen. When parsing the image, several values are taken from the file and used in an arithmetic operation that calculates the size of a heap buffer. This calculation can overflow, which results in an undersized buffer being allocated. This buffer is later overflowed with data from the file. iDefense has confirmed the existence of this vulnerability in Java Web Start version 1.6_11 on Windows and Linux. Previous versions may also be affected.
2d38f70208475eab25a81127c23c1ab5bfa6f7b2fc50a6fd2c025f1f200bc126iDefense Security Advisory 03.25.09 - Remote exploitation of a heap corruption vulnerability in Sun Microsystems Inc.'s Java JRE could allow an attacker to execute arbitrary code with the privileges of the current user. Values from the GIF file are used to calculate an offset to store data in a dynamic heap buffer. These values are not validated before use, which allows an attacker to store controlled data outside of the bounds of the allocated buffer. This leads to corruption of object pointers, which can be leveraged to execute arbitrary code. iDefense has confirmed the existence of this vulnerability in Java JRE version 1.6_11. Previous versions may also be affected.
9d4ab7a3c8a6bb2829e143ebc1d41ab732008cbd002ad7dc56ddee22724c937fiDefense Security Advisory 03.25.09 - Remote exploitation of a heap corruption vulnerability in Sun Microsystems Inc.'s Java Web Start could allow an attacker to execute arbitrary code with privileges of the current user. When JWS starts up, it displays a splash screen. By default, the image displayed on this splash screen is a GIF file provided by Sun, but it is possible for a JNLP file to provide its own splash logo. This allows an attacker to pass an arbitrary GIF file to the splash logo parsing code to trigger the vulnerability. iDefense has confirmed the existence of this vulnerability in Java Web Start version 1.6_11 on Windows and Linux. Previous versions may also be affected.
787894ddedba68df8734507477667b37055d76f5f44660bb4cc572517e2626ddiDefense Security Advisory 03.25.09 - Remote exploitation of an integer signedness vulnerability in Sun Microsystems Inc.'s Java JRE could allow an attacker to execute arbitrary code with the privileges of the current user. The vulnerability exists within the font parsing code in the JRE. As part of its font API, the JRE provides the ability to load a font from a remote URL. iDefense has confirmed the existence of this vulnerability in Sun Microsystem Inc.'s Java JRE version 1.6.0_11 for Windows. Previous versions and versions for other platforms may also be affected.
3bc84907efc86fab9cc714244a3052994583300cd2f5c0cdbaf928ca680eb1b5iDefense Security Advisory 03.24.09 - Remote exploitation of a heap based buffer overflow vulnerability in Adobe Systems Inc.'s Reader and Acrobat could allow an attacker to execute arbitrary code with the privileges of the current user. The vulnerability occurs when parsing a JBIG2-encoded stream inside of a PDF file. JBIG2 is an image encoding format that is primarily used for encoding monochrome images such as faxes. Acrobat Reader and Acrobat Professional versions 7.1.0, 8.1.3, 9.0.0 and prior versions are vulnerable.
e7cfd89da7bd450aec69dbd1d239966531bfa5c6db9726eb7db2cf3f804a3158iDefense Security Advisory 03.17.09 - Remote exploitation of a stack-based buffer overflow in Autonomy Inc's KeyView SDK allows attackers to execute arbitrary code with the privileges of the current user. This vulnerability exists within the "wp6sr.dll" which implements the processing of Word Perfect Documents. When processing certain records, data is copied from the file into a fixed-size stack buffer without ensuring that enough space is available. By overflowing the buffer, an attacker can overwrite control flow structures stored on the stack. iDefense confirmed that this vulnerability exists within Lotus Notes 8 installed on a Windows XP SP3 machine. All applications which utilize the Autonomy KeyView SDK to process Word Perfect Documents are suspected to be vulnerable.
b937ed5f21b2e4393b8c522f7c8752591ab0f7291ae5ffefd1340932bb43c9c1iDefense Security Advisory 02.24.09 - Remote exploitation of a invalid object reference vulnerability in Adobe Systems Inc.'s Flash Player could allow an attacker to execute arbitrary code with the privileges of the current user. During the processing of a Shockwave Flash file, a particular object can be created, along with multiple references that point to the object. The object can be destroyed and its associated references removed. However a reference can incorrectly remain pointing to the object. The invalid object resides in uninitialized memory, which the attacker may control to gain arbitrary execution control. iDefense has confirmed the existence of this vulnerability in latest version of Flash Player, version 9.0.124.0. Previous versions may also be affected.
780e892128d7d79681ecb9f2b0c8adb3af7430a9be41d1863f245d1dd740cf75iDefense Security Advisory 02.06.09 - Remote exploitation of a BSS based buffer overflow vulnerability in Hewlett-Packard Development Co. LP (HP)'s Network Node Manager could allow an attacker to execute arbitrary code with the privileges of the affected service. The vulnerability exists within the 'ovlaunch' CGI application, which is used to launch the remote user interface. iDefense has confirmed the existence of this vulnerability in Network Node Manager version 7.53 for Windows. Previous versions may also be affected. The Linux version of 'ovlaunch' contains the vulnerable code, but it is not triggered. The actual hostname is used instead of the attacker supplied 'Host' parameter.
26dfc28bbbebe64ce9d4722f1ae740edae5d75f638211f1f9d97f2ca4be3afd3iDefense Security Advisory 02.06.09 - Remote exploitation of multiple information disclosure vulnerabilities in Hewlett-Packard Development Co. LP (HP)'s Network Node Manager could allow an attacker to gain access to sensitive information. Two vulnerabilities exist within the CGI applications distributed with NNM. iDefense has confirmed the existence of these vulnerabilities in Network Node Manager version 7.53 for Linux and Windows. Previous versions may also be affected.
1383b8f6f00f24494f4b27b8e42ff950034a86a07d5a4f362f2eb9297c90ce50iDefense Security Advisory 02.06.09 - Remote exploitation of multiple command injection vulnerabilities in Hewlett-Packard Development Co. LP (HP)'s Network Node Manager, could allow an attacker to execute arbitrary code with the privileges of the affected service. Multiple command injection vulnerabilities are present in NNM CGI applications. The vulnerabilities are very similar and occur in the webappmon.exe and OpenView5.exe program. iDefense has confirmed the existence of these vulnerabilities in Network Node Manager version 7.53 for Linux. Previous versions, as well as versions for other Unix based operating systems, may also be affected.
7205e1f402b8dbdefe11b8330ff0cc23eca2e06cc1fe98d35bfcdc3e4fd65979iDefense Security Advisory 01.13.09 - Remote exploitation of an input validation vulnerability in the authentication component of Oracle Corp.'s Secure Backup Administration Server could allow an unauthenticated attacker to execute arbitrary commands in the context of the running server. The vulnerability is in a function of common.php which is called from the login.php page. The script fails to sanitize the input when verifying the user has permission to use the service. Oracle Corp.'s Secure Backup version 10.1.0.3 for Linux has been confirmed vulnerable. Other versions and other platforms may also be affected.
676f52505a06f7b79799cd7fe2ffc5fade5bf578746eeec70f727c0fa7100f6fiDefense Security Advisory 01.13.09 - Remote exploitation of two command injection vulnerabilities in the authentication component of Oracle Corp.'s Secure Backup Administration Server could allow an unauthenticated attacker to execute arbitrary commands in the context of the running server. In both cases, the vulnerabilities exist in PHP scripts that authenticate a user attempting to use the service. The first vulnerability is in "php/login.php". By making a login request with a specially crafted cookie value, an attacker can execute arbitrary code on the server. The second vulnerability is in "php/common.php". This function is called from the "login.php" page. A variable is used to specify a command to be run. An attacker can supply any shell command for this variable and it will be executed in the context of the web server process. Oracle Corp.'s Secure Backup version 10.2.0.2 for Linux, and Secure Backup version 10.2.0.2 for Windows have been confirmed vulnerable. Other versions and other platforms may also be affected.
1697cdfe744c84a5745ef437ce40fd26636f5d419badf01a27127a22ffea6cf5iDefense Security Advisory 01.12.09 - Local exploitation of an arbitrary file rewrite vulnerability in Oracle Corp.'s Oracle Database 10g Release 2 database product allows attackers to gain elevated privileges. The vulnerability exists in a function that allows a user with an authenticated session to create any file or rewrite any files to which the database account has access. iDefense has confirmed the existence of this vulnerability in Oracle Database 10g Release 2 version 10.2.0.3.0 on 32-bit Linux platform and Windows platform. Previous versions may also be affected. Oracle Database 11g Release 1 version 11.1.0.6.0 is not affected by this vulnerability.
610c95b870b142b03e112907707ba9657094278aaa69f7396c8de41722da6c51iDefense Security Advisory 01.12.09 - Remote exploitation of an uninitialized memory vulnerability in Research In Motion Ltd.'s BlackBerry Enterprise Server could allow an attacker to execute arbitrary code with the privileges of the affected service, which is usually SYSTEM. The vulnerability occurs when parsing a data stream inside of a PDF file. Due to a logic error, it is possible to allocate an array of object pointers that is never initialized. This array is located on the heap. When the object that contains this array is destroyed, each pointer in the array is deleted. Since the memory is never properly initialized, whatever content was previously there is used. It is possible to control the chunk of memory that gets allocated for this array, which can lead to attacker-controlled values being used as object pointers. This results in the execution of arbitrary code when these pointers are deleted. iDefense has confirmed the existence of this vulnerability in BlackBerry Enterprise Server version 4.1.5 and 4.1.6 (4.1 SP5, SP6). 4.1.6 is the most current version, as of the publishing of this report. This vulnerability was confirmed in BlackBerry Enterprise Server for Microsoft Exchange, but is believed to affect the Lotus and Novell versions as well. Previous versions may also be affected.
a32f982c4395b7c5889ee78df68e43c9f167aa38acbfef060b123138bc180740iDefense Security Advisory 01.12.09 - Remote exploitation of a heap overflow vulnerability in Research In Motion Ltd. (RIM)'s BlackBerry Enterprise Server could allow an attacker to execute arbitrary code with the privileges of the affected service, usually SYSTEM. The vulnerability occurs when parsing a data stream inside of a PDF file. During parsing, a dynamic array is filled up with pointers to certain objects without properly checking to see whether the array is large enough to hold all of the pointers. By inserting a large number of pointers, it is possible to overflow the array, and corrupt object pointers. This can lead to the EIP register being controlled, which results in the execution of arbitrary code. Defense has confirmed the existence of this vulnerability in BlackBerry Enterprise Server version 4.1.5 and 4.1.6 (4.1 SP5, SP6). 4.1.6 is the most current version, as of the publishing of this report. This vulnerability was confirmed in BlackBerry Enterprise Server for Microsoft Exchange, but is believed to affect the Lotus and Novell versions as well. Previous versions may also be affected.
dbe2aeee0bfa5c0e9f6834239449ed5ed6148298a9df75a7d58c36cf6bcd68b9iDefense Security Advisory 01.12.09 - Remote exploitation of a heap overflow vulnerability in Research In Motion Ltd. (RIM)'s BlackBerry Enterprise Server could allow an attacker to execute arbitrary code with the privileges of the affected service, usually SYSTEM. The vulnerability occurs when parsing a certain stream inside of a PDF file. During parsing, a heap buffer is filled up with without properly checking to see whether the buffer is large enough to hold the current value. By inserting a large number of values, it is possible to overflow the buffer, and corrupt object pointers. This can lead to pointers being controlled, which results in the execution of arbitrary code. iDefense has confirmed the existence of this vulnerability in BlackBerry Enterprise Server version 4.1.5 and 4.1.6 (4.1 SP5, SP6). 4.1.6 is the most current version, as of the publishing of this report. This vulnerability was confirmed in BlackBerry Enterprise Server for Microsoft Exchange, but is believed to affect the Lotus and Novell versions as well. Previous versions may also be affected.
088ad6b29c5080b1d10d96f654db6a53804b4e7c72ffc0fb13352281510e21abiDefense Security Advisory 12.09.08 - Remote exploitation of a memory corruption vulnerability in Microsoft Corp.'s Excel spreadsheet could allow attackers to execute arbitrary code with the privileges of the current user. This issue exists in the handling of certain malformed object records within an Excel spreadsheet (XLS), allowing memory corruption to occur. This could lead to an exploitable situation. iDefense has confirmed the existence of this vulnerability with Office 2000 SP3 fully patched as of July 2008.
4441eb16250d65d8bc6ff4a748607eb35ff4755d0a9fde4c53f0225021c96e4diDefense Security Advisory 12.09.08 - Remote exploitation of an integer overflow vulnerability in multiple versions of Microsoft Corp.'s Windows operating system could allow an attacker to execute arbitrary code with the privileges of the current user. iDefense has confirmed that gdi32.dll file version 5.1.2600.3316, as included in fully patched Windows XP Service Pack 2 as of May 2008, is vulnerable. Other versions of Windows are suspected to be vulnerable.
68501cbdd911465db4d25283b8377fdde05b71c2c0c33e8d6509ecde49f62b47iDefense Security Advisory 12.09.08 -Remote exploitation of a stack buffer overflow vulnerability while handling specific HTML tags in Microsoft Corp.'s Internet Explorer web browser allows attackers to execute arbitrary code within the context of the affected user. As of September 2008, iDefense confirms that Internet Explorer 5.01 on Windows 2000 SP4, is vulnerable. It also causes denial of service for Internet Explorer 6 on Windows XP SP2. Internet Explorer 7 is not affected.
027f86f331e8ec116d59559fda203fd63d14492947a5f9a5df9279c236cc1782iDefense Security Advisory 12.02.08 - Remote exploitation of an integer overflow vulnerability in Sun Microsystems Inc.'s Java JRE could allow an attacker to execute arbitrary code with the privileges of the current user. The vulnerability exists within the font parsing code in the JRE. As part of its font API, the JRE provides the ability to load a font from a remote URL. Various types of fonts are supported, one of which is the TrueType format font. The vulnerability occurs when parsing various structures in TrueType font files. During parsing, values are taken from the file, and without being properly validated, used in operations that calculate the number of bytes to allocate for heap buffers. The calculations can overflow, resulting in a potentially exploitable heap overflow. iDefense has confirmed the existence of this vulnerability in Sun Microsystem Inc.'s Java JRE version 1.6.0_05 for Windows. Previous versions may also be affected.
f6138bd9306284a73b3be3d7781e778c2de99c2305f7e7bac167538fec90f7e1iDefense Security Advisory 12.02.08 - Remote exploitation of an integer overflow vulnerability in Sun Microsystems Inc.'s Java JRE could allow an attacker to execute arbitrary code with the privileges of the current user. The vulnerability occurs when reading the Pack200 compressed Jar file during decompression. In order to calculate the size of a heap buffer, the code multiplies and adds several integers. The bounds of these values are not checked, and the arithmetic operations can overflow. This results in an undersized buffer being allocated, which leads to a heap based buffer overflow. iDefense has confirmed the existence of this vulnerability in Sun Microsystem Inc.'s Java JRE version 1.6.0_07 for Windows and Linux. According to Sun, Pack200 was first introduced in JRE 1.5.0. The latest version of JRE 1.5, 1.5.0_15, does contain the vulnerable code, but the browser plugin does not handle Pack200 encoding. As such, exploitation through the browser does not appear to be possible with JRE 1.5.
dab9693cbfab156b58ccd573d6ed1ca78b9c9f6523942ff72a05ea968306ee0aiDefense Security Advisory 12.02.08 - Remote exploitation of a memory corruption vulnerability in Sun Microsystems Inc.'s Java Web Start could allow an attacker to execute arbitrary code with the privileges of the current user. When JWS starts up, it displays a splash screen. By default, the image displayed on this splash screen is a GIF file provided by Sun, but it is possible for an attacker to pass an arbitrary GIF file to the splash logo parsing code. The vulnerability occurs when parsing this GIF file. The parsing code does not correctly validate several values in the GIF header. This lets an attacker write data outside of the bounds of an allocated heap buffer, which can lead to the execution of arbitrary code. iDefense has confirmed the existence of this vulnerability in Java Web Start version 1.6_10 and 1.6_07 on Windows and Linux. Previous versions may also be affected.
790c9e0a41b95f39a04f9482a6b4f788552c5cbb8b7c9ddd89a814700672e139iDefense Security Advisory 12.02.08 - Remote exploitation of a heap overflow vulnerability in Sun Microsystems Inc.'s Java JRE could allow an attacker to execute arbitrary code with the privileges of the current user. The vulnerability exists within the font parsing code in the JRE. Various types of fonts are supported, one of which is the TrueType format font. The vulnerability occurs when processing TrueType font files. During parsing, improper bounds checking is performed, which can lead to a heap based buffer overflow. iDefense has confirmed the existence of this vulnerability in Sun Microsystem Inc.'s Java JRE version 1.6.0_07 for Windows. Previous versions and versions for other platforms may also be affected.
c281806ed9fa3e749351d077f4638d4f3bb9c48e4b82e1c2431bf89b0c70d7e6
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed