accept no compromises
Showing 1 - 25 of 48 RSS Feed

Files from Aaron Portnoy

First Active2006-02-13
Last Active2012-11-06
EMC Networker Format String
Posted Nov 6, 2012
Authored by Aaron Portnoy | Site metasploit.com

This Metasploit module exploits a format string vulnerability in the lg_sprintf function as implemented in liblocal.dll on EMC Networker products. This Metasploit module exploits the vulnerability by using a specially crafted RPC call to the program number 0x5F3DD, version 0x02, and procedure 0x06. This Metasploit module has been tested successfully on EMC Networker 7.6 SP3 on Windows XP SP3 and Windows 2003 SP2 (DEP bypass).

tags | exploit
systems | windows, xp
advisories | CVE-2012-2288, OSVDB-85116
MD5 | 7200b7cb5e644bf20e77506e4376b50e
EMC NetWorker Format String
Posted Aug 30, 2012
Authored by Aaron Portnoy | Site emc.com

A format string vulnerability exists in the EMC NetWorker nsrd RPC service that could potentially be exploited by a malicious user to execute arbitrary code. Versions 8.0, 7.6.4, and 7.6.3 are all affected.

tags | advisory, arbitrary
advisories | CVE-2012-2288
MD5 | b4e80dd8f309b599062dbfade14faa4a
Hewlett-Packard Data Protector DtbClsAddObject Parsing Remote Code Execution
Posted Jun 29, 2012
Authored by Aaron Portnoy, HP DVLabs | Site tippingpoint.com

A vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Hewlett-Packard Data Protector. Authentication is not required to exploit this vulnerability. The specific flaw exists within the dpwintdb.exe process which listens by default on TCP port 3817. When parsing data within a DtbClsAddObject request, the process copies data from the network into a fixed-length buffer on the stack via an unchecked loop. This can be leveraged by attackers to execute arbitrary code under the context of the SYSTEM user.

tags | advisory, remote, arbitrary, tcp
advisories | CVE-2012-0123
MD5 | 8b4e4aaf4e7294a8c074fea60783bf0c
Adobe Shockwave dirapi.dll rcsL Chunk Parsing Remote Code Execution
Posted Jun 16, 2011
Authored by Aaron Portnoy, Logan Brown | Site tippingpoint.com

A vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the Adobe Shockwave Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the rcsL chunk inside Adobe's RIFF-based Director file format. The code within the dirapi.dll does not properly validate substructure elements before using them to manipulate memory. This can lead to memory corruption which can be leveraged to execute arbitrary code under the context of the user running the browser.

tags | advisory, remote, arbitrary
advisories | CVE-2011-0335
MD5 | cab0264450c333db088b472a47d66f6a
Adobe Shockwave Lnam Chunk Parsing Remote Code Execution
Posted Jun 16, 2011
Authored by Aaron Portnoy, Logan Brown | Site tippingpoint.com

A vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the Adobe Shockwave Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the Lnam chunk inside Adobe's RIFF-based Director file format. The code within the IML32.dll does not properly validate certain fields before using them to calculate sizes used for later memory copy operations. This can lead to memory corruption which can be leveraged to execute arbitrary code under the context of the user running the browser.

tags | advisory, remote, arbitrary
advisories | CVE-2011-2116
MD5 | 488346dc18b7bcdd44ac42fd1b658f89
Adobe Shockwave iml32.dll DEMX Chunk GIF Parsing Remote Code Execution
Posted Jun 16, 2011
Authored by Aaron Portnoy, Logan Brown | Site tippingpoint.com

A vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the Adobe Shockwave Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the DEMX chunk inside Adobe's RIFF-based Director file format. The code within the IML32.dll does not properly parse GIF images. This can lead to memory corruption which can be leveraged to execute arbitrary code under the context of the user running the browser.

tags | advisory, remote, arbitrary
advisories | CVE-2011-2111
MD5 | d2fd6dac2903d5b58358f9d5f7d70b6c
Adobe Shockwave iml32.dll CSWV Chunk Parsing Remote Code Execution
Posted Jun 16, 2011
Authored by Aaron Portnoy, Logan Brown | Site tippingpoint.com

A vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the Adobe Shockwave Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the CSWV chunk inside Adobe's RIFF-based Director file format. When handling certain substructures, the code does not properly ensure arithmetic operations will not exceed expected values. By crafting a file with certain values this can be abused to cause memory corruption which can be leveraged to execute arbitrary code under the context of the user running the browser.

tags | advisory, remote, arbitrary
advisories | CVE-2011-2111
MD5 | 4b217726b50071c262dfeb215fdff666
Adobe Shockwave iml32.dll CSWV Chunk Byte Array Parsing Remote Code Execution
Posted Jun 16, 2011
Authored by Aaron Portnoy, Logan Brown | Site tippingpoint.com

A vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the Adobe Shockwave Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the CSWV chunk inside Adobe's RIFF-based Director file format. The code within the IML32.dll does not properly parse byte arrays. This can lead to memory corruption which can be leveraged to execute arbitrary code under the context of the user running the browser.

tags | advisory, remote, arbitrary
advisories | CVE-2011-2111
MD5 | 8550437e636f78c105f8f277ebf5455d
Adobe Shockwave PFR1 Font Chunk Parsing Remote Code Execution
Posted Feb 10, 2011
Authored by Luigi Auriemma, Aaron Portnoy, Logan Brown | Site tippingpoint.com

A vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the Adobe Shockwave Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the code responsible for parsing font structures within Director files. While processing data within the PFR1 chunk, the process trusts a size value and compares a sign-extended counter against it within a copy loop. By providing a sufficiently large value, this flaw can be abused by a remote attacker to execute arbitrary code under the context of the user running the browser.

tags | advisory, remote, arbitrary
advisories | CVE-2010-0569
MD5 | e66d7433e8eed22c83409d7ce51650c6
Adobe Shockwave GIF Logical Screen Descriptor Parsing Remote Code Execution
Posted Feb 10, 2011
Authored by Aaron Portnoy | Site tippingpoint.com

A vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the Adobe Shockwave Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the IML32 module distributed with the player. While parsing GIF files within a director movie (.dir or .dcr) the code trusts the specified size of the global color table and uses it to determine an offset to image data. The process subsequently attempts to write two NULL bytes to the calculated address. A remote attacker can abuse this logic to corrupt memory at a controlled location and subsequently execute arbitrary code under the context of the user running the application.

tags | advisory, remote, arbitrary
advisories | CVE-2010-4189
MD5 | 1af7a2b9161dea1316db31be415862f8
Adobe Shockwave dirapi.dll IFWV Trusted Offset Remote Code Execution
Posted Feb 9, 2011
Authored by Aaron Portnoy, Logan Brown | Site tippingpoint.com

A vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the Adobe Shockwave Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the DIRAPI.dll module distributed with the player. While parsing a director movie (.dir or .dcr) the code trusts the specified size of the IFWV chunk and uses it within a calculation to determine another offset within the file. By setting it to 0, the code jumps to the wrong location within the file. While parsing data at the new location, the code uses a value as a loop counter. Within the loop, the code copies data to a heap buffer. By crafting a file with a large enough size, this loop can be forced to corrupt memory. A remote attacker can abuse this logic to execute arbitrary code under the context of the user running the application.

tags | advisory, remote, arbitrary
advisories | CVE-2010-4188
MD5 | 170eb9e1def3f0b0a08815c7e0ecec71
RealNetworks RealPlayer MDPR Chunk Size Remote Code Execution
Posted Dec 10, 2010
Authored by Aaron Portnoy, Logan Brown | Site tippingpoint.com

A vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of RealNetworks RealPlayer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within RealPlayer's handling of Internet Video Recording (.ivr) files. While parsing the MLTI chunk the process trusts the field responsible for denoting the size of an embedded MDPR chunk. By modifying this value in an IVR file an attacker can force a misallocation on the heap. The process can then be made to write past the bounds of the buffer, corrupting memory. This can be leveraged to execute arbitrary code under the context of the user invoking RealPlayer.

tags | advisory, remote, arbitrary
advisories | CVE-2010-4390
MD5 | d57fc3e4f7a0ffe83480766825ffd981
RealNetworks RealPlayer MLTI Stream Number Remote Code Execution
Posted Dec 10, 2010
Authored by Aaron Portnoy, Logan Brown | Site tippingpoint.com

A vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of RealNetworks RealPlayer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within RealPlayer's handling of Internet Video Recording (.ivr) files. While parsing the MLTI chunk the process trusts the field responsible for denoting the number of streams within the chunk. By modifying this value in an IVR file, an attacker can force a processing loop to overrun and corrupt heap memory. This can be abused to execute arbitrary code under the context of the user invoking RealPlayer.

tags | advisory, remote, overflow, arbitrary
advisories | CVE-2010-4390
MD5 | 40b796e0a9c507eccf6cb5b364a092ac
RealNetworks RealPlayer SIPR Stream Frame Dimensions Remote Code Execution
Posted Dec 10, 2010
Authored by Aaron Portnoy, Logan Brown, Zef Cekaj | Site tippingpoint.com

A vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of RealNetworks RealPlayer. Authentication is not required to exploit this vulnerability. The specific flaw exists within the drv1.dll module. Code responsible for parsing SIPR stream metadata trusts frame width and height values from the input file. By crafting particular values an integer value used in a loop can be made to wrap negatively. The loop will subsequently overflow a static heap buffer during an inline memory copy. By crafting a malicious .rm file an attacker can exploit this vulnerability remotely using the RealPlayer ActiveX control.

tags | advisory, remote, overflow, arbitrary, activex
advisories | CVE-2010-4385
MD5 | b540a62fc52d5db7294384161939d54a
VMWare VMnc Codec Frame Decompression Remote Code Execution
Posted Dec 4, 2010
Authored by Aaron Portnoy | Site tippingpoint.com

A vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of multiple VMWare products. User interaction is required in that a user must visit a malicious web page or open a malicious video file.

tags | advisory, remote, web, arbitrary
advisories | CVE-2010-4294
MD5 | ffcca7a8bfe239ae245b9287cb38f90b
Adobe Shockwave Director mmap Trusted Chunk Size Remote Code Execution
Posted Aug 26, 2010
Authored by Aaron Portnoy, Logan Brown | Site dvlabs.tippingpoint.com

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Adobe Shockwave. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the DIRAPIX module responsible for parsing the RIFF-based Director file format. When handling the mmap chunk, the process trusts the chunk size immediately following the fourCC value. It is passed to Ordinal1111 exported by the IML32X module which is responsible for allocating a heap buffer for processing the rest of the chunk. If an incorrect size is provided, later memory copies can corrupt data beyond the allocated buffer. This can be abused to execute remote code under the context of the user running the web browser.

tags | advisory, remote, web, arbitrary
advisories | CVE-2010-2870
MD5 | 33e5b0573ece83e983beb2adc72c6a91
Adobe Shockwave Director rcsL Chunk Pointer Offset Remote Code Execution
Posted Aug 26, 2010
Authored by Aaron Portnoy, Logan Brown | Site dvlabs.tippingpoint.com

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Adobe Shockwave Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the code responsible for parsing the Director RIFF based file format. While handling the rcsL chunk, code within DIRAPIX sign-extends a return value from a call to Ordinal1412 within the IML32X module. This ordinal is responsible for unmarshalling a WORD value from the RIFF chunk. If the value is signed, DIRAPIX sign-extends the value, performs arithmetic on it, and then proceeds to use it as an offset into a heap-based buffer. By supplying any of a specific range of values, an attacker can exploit this condition to execute arbitrary code under the context of the user running the web browser.

tags | advisory, remote, web, arbitrary
advisories | CVE-2010-2867
MD5 | 96d9afaf64e2fd149b9f8514366fefeb
Adobe Shockwave Director tSAC Chunk Remote Code Execution
Posted Aug 26, 2010
Authored by Aaron Portnoy, Logan Brown | Site dvlabs.tippingpoint.com

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Adobe Shockwave player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the code responsible for parsing Director's RIFF-based file format. While parsing the tSAC chunk, the DIRAPI module does not properly verify the signedness of a count value within an undocumented structure. By providing a large enough negative value a pointer can be miscalculated leading to memory corruption. This can be exploited by a remote attacker to execute arbitrary code under the context of the user running the web browser.

tags | advisory, remote, web, arbitrary
advisories | CVE-2010-2866
MD5 | 736c5617203c5b53da252e5f37817519
Adobe Shockwave TextXtra Allocator Integer Overflow Remote Code Execution
Posted Aug 26, 2010
Authored by Aaron Portnoy, Logan Brown, Team Montreal Hotties | Site dvlabs.tippingpoint.com

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Adobe Shockwave Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists due to a faulty allocation routine within the TextXtra.x32 module. This allocator allocates a buffer on the heap based on arithmetic involving a number of elements and a size of an individual element. As the fields come from the file, if either of them are large enough, the value used for the number of bytes to allocate can be made to overflow. As the return value is rarely checked any caller of this function can usually be made to overflow the returned buffer with user-supplied data. An attacker can leverage this to execute remote code under the context of the user running the browser.

tags | advisory, remote, overflow, arbitrary
advisories | CVE-2010-2879
MD5 | 1efcb63386c705f3ba2d992f8651326a
Adobe Shockwave tSAC Chunk Pointer Offset Memory Corruption Remote Code Execution
Posted Aug 26, 2010
Authored by Aaron Portnoy, Logan Brown, Team lollersk8erz | Site dvlabs.tippingpoint.com

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Adobe Shockwave Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within DIRAPIX.dll which is responsible for parsing the Director movies, a RIFF-based file format. The code sign-extends a value from the input file and uses it as an offset to seek into a heap buffer before performing a write operation. By crafting particular values for this field, an attacker can force the process to seek beyond the allocated bounds of the buffer. This can be leveraged by an attacker to execute arbitrary code under the context of the user running the web browser.

tags | advisory, remote, web, arbitrary
advisories | CVE-2010-2874
MD5 | ef9a3e7281ca06a5f1329b9f96d30dcb
Adobe Shockwave tSAC Chunk Invalid Seek Memory Corruption Remote Code Execution
Posted Aug 26, 2010
Authored by Aaron Portnoy, Logan Brown, Team lollersk8erz | Site dvlabs.tippingpoint.com

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Adobe Shockwave Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within DIRAPIX.dll which is responsible for parsing the Director movies, a RIFF-based file format. The code directly uses a value from the file while seeking into a heap buffer. The process then attempts to write a NULL byte to the seeked address. By specifying a large enough value for this field, an attacker can force the process to seek beyond the allocated bounds of the buffer. This can be leveraged by an attacker to execute arbitrary code under the context of the user running the web browser.

tags | advisory, remote, web, arbitrary
advisories | CVE-2010-2878
MD5 | 31a319c3e399b39147ef752cad8810f4
Adobe Shockwave CSWV Chunk Memory Corruption Remote Code Execution
Posted Aug 26, 2010
Authored by Aaron Portnoy, Logan Brown, Team lollersk8erz | Site dvlabs.tippingpoint.com

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Adobe Shockwave Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within IML32X.dll and DIRAPIX.dll which are responsible for parsing the Director movies, a RIFF-based file format. The code trusts a value from the file as a count and performs an endian-flipping loop on data in heap memory. If the value is large enough the process can be made to seek outside the bounds of the allocation and thus corrupt memory in a controlled fashion. This can be leveraged by an attacker to execute arbitrary code under the context of the user running the web browser.

tags | advisory, remote, web, arbitrary
advisories | CVE-2010-2877
MD5 | 6ecda7d93cb6fbf864cbd79cfd4c01fe
Novell iPrint Client Browser PluginGetDriverFile Uninitialized Pointer Remote Code Execution
Posted Aug 24, 2010
Authored by Aaron Portnoy | Site tippingpoint.com

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the Novell iPrint client. User interaction is required to exploit this vulnerability in that the target must visit a malicious page. The specific flaw exists within the ienipp.ocx ActiveX control with CLSID 36723f97-7aa0-11d4-8919-FF2D71D0D32C. The function exposes a GetDriverFile method. When this method is invoked for the first time a pointer in the .data section is mapped to an external function within another module. When invoked the second time, the process fails to load the library and assumes the pointer is still valid. When the uninitialized pointer is called the process jumps to an address space easily controlled by an attacker. This can be leveraged to execute remote code under the context of the user running the browser.

tags | advisory, remote, arbitrary, activex
MD5 | 67de327a8f798bba346bfa99edaa6d2f
Novell iPrint Client Browser Plugin ExecuteRequest debug Parameter Remote Code Execution
Posted Aug 6, 2010
Authored by Aaron Portnoy | Site tippingpoint.com

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the Novell iPrint client. User interaction is required to exploit this vulnerability in that the target must visit a malicious page. The specific flaw exists within the ienipp.ocx ActiveX control. The control accepts a 'debug' parameter that is expected to be either "yes" or "true". If a string of a specific length is provided instead, a processing loop within the ExecuteRequest method can be made to corrupt a stack-based buffer. This can be leveraged by a remote attacker to execute arbitrary code under the context of the user running the web browser.

tags | advisory, remote, web, arbitrary, activex
MD5 | 7dc9a7094d36f29f60e1e61078d5f971
Novell iPrint Client Browser Plugin Remote File Deletion
Posted Aug 6, 2010
Authored by Aaron Portnoy | Site tippingpoint.com

This vulnerability allows remote attackers to delete all files on a system with a vulnerable installation of the Novell iPrint Client. User interaction is required to exploit this vulnerability in that the target must visit a malicious page. The specific flaw exists within the nipplib.dll module that can be reached via the ienipp.ocx ActiveX control with CLSID 36723f97-7aa0-11d4-8919-FF2D71D0D32C. The CleanUploadFiles method appears to be used to remove temporary files within a contained directory. However, due to a logic flaw a remote attacker can abuse the function to force the process to recursively delete all files on the target system.

tags | advisory, remote, activex
MD5 | 405292911ab3e63d1dc044c54842ae0a
Page 1 of 2
Back12Next

File Archive:

July 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    2 Files
  • 2
    Jul 2nd
    3 Files
  • 3
    Jul 3rd
    15 Files
  • 4
    Jul 4th
    4 Files
  • 5
    Jul 5th
    15 Files
  • 6
    Jul 6th
    15 Files
  • 7
    Jul 7th
    10 Files
  • 8
    Jul 8th
    2 Files
  • 9
    Jul 9th
    10 Files
  • 10
    Jul 10th
    15 Files
  • 11
    Jul 11th
    15 Files
  • 12
    Jul 12th
    19 Files
  • 13
    Jul 13th
    16 Files
  • 14
    Jul 14th
    15 Files
  • 15
    Jul 15th
    3 Files
  • 16
    Jul 16th
    2 Files
  • 17
    Jul 17th
    8 Files
  • 18
    Jul 18th
    11 Files
  • 19
    Jul 19th
    15 Files
  • 20
    Jul 20th
    15 Files
  • 21
    Jul 21st
    15 Files
  • 22
    Jul 22nd
    7 Files
  • 23
    Jul 23rd
    2 Files
  • 24
    Jul 24th
    19 Files
  • 25
    Jul 25th
    28 Files
  • 26
    Jul 26th
    2 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close