Zero Day Initiative Advisory 12-057 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Adobe Flash Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the way Flash Player handles the update of a NetStream object via the appendBytes method which can lead to a use-after-free condition when the function returns. This can result in remote code execution under the context of the current process.
f10032eed460124a4fc1a534f5ee945f69ee0a881a07088857826cb6ecded560Zero Day Initiative Advisory 12-119 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of EMC Autostart. Authentication is not required to exploit this vulnerability. The specific flaw exists within the ftAgent.exe service, which listens by default on TCP port 8045. When handling messages with opcode 65 (0x41) and subcode 00, the vulnerable function uses a uninitialized stack variable in calculating a memory pointer. Also, the function uses signed extension and signed comparison when checking the uninitialized stack variable, which allows arbitrary negative values to bypass the check. This could result in corruption of a controlled memory location, which can be leveraged to execute code under the context of the SYSTEM user.
2fca778924705af40b57af80b858febce97f9007f8a7d7eeb17a8180102c1040Zero Day Initiative Advisory 12-118 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of EMC Autostart. Authentication is not required to exploit this vulnerability. The specific flaw exists within the ftAgent.exe service, which listens by default on TCP port 8045. When handling messages with opcode 03 and subcode 04, the process performs arithmetic on an unvalidated user-supplied value used to determine the size of a new heap buffer, allowing a potential integer wrap to cause a heap buffer overflow. This vulnerability can be leveraged to execute code under the context of the SYSTEM user.
1dbe651ec7e0ee6c405bc46ecc0d35313f72a8a88af287572719bff63db9c760Zero Day Initiative Advisory 12-117 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of EMC Autostart. Authentication is not required to exploit this vulnerability. The specific flaw exists within the ftAgent.exe service, which listens by default on TCP port 8045. When handling messages with opcode 50 (0x32) and subcode 02, the process performs arithmetic on an unvalidated user-supplied value used to determine the size of a new heap buffer, allowing a potential integer wrap to cause a heap buffer overflow. This vulnerability can be leveraged to execute code under the context of the SYSTEM user.
96194fc2f686d02a95bb2d46aeeccdfbc00294c4f7634b88db32f3d38f87892dZero Day Initiative Advisory 12-116 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of EMC Autostart. Authentication is not required to exploit this vulnerability. The specific flaw exists within the ftAgent.exe service, which listens by default on TCP port 8045. When handling messages with opcode 50 (0x32) and subcode 04, the process performs arithmetic on an unvalidated user-supplied value used to determine the size of a new heap buffer, allowing a potential integer wrap. This user supplied value is also used to determine how many times a loop will parse the data into the buffer. Combined, the vulnerable code will allow for the heap to be corrupted. This vulnerability can be leveraged to execute code under the context of the SYSTEM user.
458727a417921660c14dfe6156176e05c73d8a83bea38f4f7593e567c80373f2Zero Day Initiative Advisory 12-115 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of HP OpenView Performance Agent. Authentication is not required to exploit this vulnerability. The specific flaw exists within the coda.exe process which listens on a random TCP port by default. The process trusts a value within a GET request as a size. It then proceeds to copy that many bytes of user-supplied data into a fixed-length buffer on the stack. Remote unauthenticated attackers can exploit this vulnerability by sending malformed message packets to the target, which could ultimately lead to arbitrary code execution under the context of the SYSTEM user.
c9606355a08972518402ac1fafd98121062c0703e35f6006ae3b6d731e987779Zero Day Initiative Advisory 12-114 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of HP OpenView Performance Agent. Authentication is not required to exploit this vulnerability. The specific flaw exists within the coda.exe process which listens on a random TCP port by default. The process trusts a value within a GET request as a size. It then proceeds to copy that many bytes of user-supplied data into a fixed-length buffer on the stack. Remote unauthenticated attackers can exploit this vulnerability by sending malformed message packets to the target, which could ultimately lead to arbitrary code execution under the context of the SYSTEM user.
21f28ee6541bbbadf7aa3cc36ae5e8fc0a20145e2684d1d7704e00827d524a58Zero Day Initiative Advisory 12-113 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of IBM Rational ClearQuest. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the CQOle ActiveX control. A function prototype mismatch in an ActiveX wrapper results in an extra argument to be pushed onto the stack, thereby misaligning the stack offset. When the function returns, it can be made to jump to a memory address provided via the ActiveX method call. This can be leveraged to execute arbitrary code under the context of the user running the browser.
ee2420a705a26ed773b1354114c6612b6c63f17469cb4b7177fbc350de395af5Zero Day Initiative Advisory 12-112 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of SAP NetWeaver ABAP. Authentication is not required to exploit this vulnerability. The specific flaw exists within the way SAP NetWeaver handles packages with opcode 0x43. If a package with sub opcode 0x4 contains a Parameter Name string NetWeaver will eventually write a \x00 byte onto the stack to mark the end of the string. The location of this null byte is dependent on user supplied data and the resulting stack corruption can lead to remote code execution under the context of the running process.
a0f622145843006fa62dd9d19de99eb5f3c0d11cce559f5e222a1eee50b9b533Zero Day Initiative Advisory 12-111 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of SAP Netweaver ABAP. Authentication is not required to exploit this vulnerability. The specific flaw exists within the msg_server.exe listening on 3900 by default. When the msg_server parses a message with opcode 0x43 and sub-opcode 0x04 it uses a user supplied size field to copy a string into a static sized stack buffer. The resulting buffer overflow can lead to remote code execution under the context of the process.
ad22b44c74644b46fdacc02308bbd21656af15bb64c46cfe7da8bd7939f91b79Zero Day Initiative Advisory 12-110 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Mozilla Firefox. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the way Firefox handles nsDOMAttribute child removal. It is possible to remove a child without setting the removed child pointer to NULL, thus leaving it still accessible as a dangling pointer. Subsequent use of this pointer allows for remote code execution.
75a17d05bb1ce9d85c18a44c0f62f0d23ba1f077eab5fccd0a2a8d01acd33897Zero Day Initiative Advisory 12-108 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple Quicktime. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of XML elements within a TeXML file. Specifically, when handling the sampleData element the code within QuickTime3GPP.qtx does not properly validate the length of the data within a color sub-field before copying it into a fixed-length buffer on the stack. Exploitation of this vulnerability could allow a remote attacker to execute arbitrary code under the context of the user running Quicktime.
67df3b8ec25a60a634a3128373f2eafefadf0c72627a2cc6d57389c101714488Zero Day Initiative Advisory 12-109 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple Quicktime. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of XML elements within a TeXML file. Specifically, when handling the karaoke XML element the code within QuickTime3GPP.qtx does not properly validate the length of the data within specific sub-fields. By providing specially crafted data, the code can be made to copy too much data into a fixed-length buffer on the stack. Exploitation of this vulnerability could allow a remote attacker to execute arbitrary code under the context of the user running Quicktime.
66658c754e796e0918edaec264117e07ba214d3cfb5485a34005f242ab8c18c5Zero Day Initiative Advisory 12-107 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple Quicktime. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of XML elements within a TeXML file. Specifically, when handling the style XML element the code within QuickTime3GPP.qtx does not properly validate the length of the data within specific sub-fields. By providing specially crafted data, the code can be made to copy too much into a fixed-length buffer on the stack. Exploitation of this vulnerability could allow a remote attacker to execute arbitrary code under the context of the user running Quicktime.
ec9ca6e89db17756e89ac2f6a9f8f242ae57ba337294689a6345cc4b405617e3Zero Day Initiative Advisory 12-106 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Avaya IP Office Customer Call Reporter. Authentication is not required to exploit this vulnerability. The specific flaw exists because Avaya IP Office Customer Call Reporter allows unauthenticated users to upload files to the webserver through ImageUpload.ashx. The uploaded files will not be stripped of their file extensions and the directory where they are uploaded to has no scripting restrictions. This flaw can lead the remote code execution under the context of the user running the IP Office Customer Call Reporter, usually NETWORK SERVICE.
c9875f083e981a649b82cd3fc96e172a5e7ead7522bb0fcbbb19128b2cc1d8b9Zero Day Initiative Advisory 12-105 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple Quicktime. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within he way Quicktime handles Text Track Descriptors. Values for almost all of the text descriptors recognized by quicktime will be read into a fixed size buffer. This can lead to a heap based buffer overflow which can result in remote code execution under the context of the current process.
dbf5f7b5d2c56a334d965efc1089ddc6773033fa814118e2b2ade2ce11d35611Zero Day Initiative Advisory 12-104 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of SAP NetWeaver ABAP. Authentication is not required to exploit this vulnerability. The specific flaw exists within the way SAP NetWeaver handles packages with opcode 0x43. If a package with sub opcode 0x4 contains a long parameter value string NetWeaver will eventually write a \x00 byte onto the stack to mark the end of the string. The location of this null byte is dependent on user supplied data and the resulting stack corruption can lead to remote code execution under the context of the running process.
eabbee78d8eade63ec066cd6d6608ab4a06b4c1ef10668b60197c14c5b8086e8Zero Day Initiative Advisory 12-103 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of QuickTime Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw occurs when parsing a movie file containing multiple atoms with a different string length. When resizing a buffer in order to make space for the string, the application will forget to include the null-terminator. When the application attempts to null-terminate the string, an out-of-bounds write will occur. If an aggressor can place the a useful heap buffer contiguous to the reallocated string, this can lead to code execution under the context of the application.
f1c0ec875d5f1f6611aaccba87f70c3dded4662ef965ecfd7279dddd6300d5f0Zero Day Initiative Advisory 12-102 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Novell iPrint Client. User interaction is required in that a target must visit a malicious page or open a malicious file. The flaw exists within the exposed GetDriverSettings method in the nipplib component imported by ienipp and npnipp. When encountering a realm parameter this user supplied value's length is not properly verified before copying into a fixed length buffer on the stack. A remote attacker can exploit this vulnerability to execute arbitrary code under the context of the process.
dad2278a888a8b86768114f8246f8e419ae73d969cf93902e9da0f392a230cc8Zero Day Initiative Advisory 12-101 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of IBM Cognos. Authentication is not required to exploit this vulnerability. The flaw exists within the tm1admsd.exe component. This process listens on TCP port 5498 by default. Requests to the service include a request type field, a data length field, and a data field. Multiple request types (opcodes) fail to validate user supplied length and data fields before copying their contents to a fixed length buffer on the stack. A remote attacker can exploit this vulnerability to execute arbitrary code under the context of the system.
948d1a63f76e7397259aaddc98b7c87f1d5c6ecaaaaa72a571270335007c2ac7Zero Day Initiative Advisory 12-100 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of HP OpenView Performance Manager. Authentication is not required to exploit this vulnerability. The specific flaw exists within the PMParamHandler component of Performance Manager, which is served via an Apache Tomcat instance that listens on TCP port 8081. The process receives a filename from a remote user and performs insufficient validation of the provided file path. Additionally, the user can specify an arbitrary extension due to premature truncation resulting from an embedded null byte. Remote unauthenticated attackers can exploit this vulnerability by sending malformed message packets to the target, which could lead to a directory traversing arbitrary file write and ultimately remote code execution under the context of the SYSTEM user.
62fba378efa118194bf75380e1caf3bdbb3a81ca43f314376ca1627030337be8Zero Day Initiative Advisory 12-099 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of DataDirect SequeLink. Authentication is not required to exploit this vulnerability. The specific flaw exists within how the application parses a packet that is received. When parsing a field in this packet, the application will use a signed length to copy data into a statically sized buffer located on the heap. This can lead to a heap-based buffer overflow and allows for code execution under the context of the service.
64bbdb8d912b2e77427f770b39fb5309ace52ec15991e279f6d81b1268f751bbZero Day Initiative Advisory 12-098 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of America Online's Toolbar, Desktop, IM, and winamp. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the dnUpdater ActiveX Control. When initializing the ActiveX control object, dnu.exe assumes the 5th argument being used for the Init() method, to be a legitimate pointer to a function. This vulnerability can be leveraged to execute code under the context of the user.
a43f556f3d5f1fb2f42adb830bd5d07dc569dc14ea9ec83ad846c3de1fe60ccbZero Day Initiative Advisory 12-097 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of HP Data Protector Express. Authentication is not required to exploit this vulnerability. User interaction is not required to exploit this vulnerability. The specific flaw exists within the dpwinsdr.exe process which listens on TCP port 3817 by default. The process has insufficient bounds checking on user-supplied data copied to a fixed-length buffer on the stack. Remote, unauthenticated attackers can exploit this vulnerability by sending malformed opcode 0x320 message packets to the target, which could ultimately lead to arbitrary code execution under the context of the SYSTEM user.
1c1f3a3e3b1ea2c30d5e88a6ed5a02758054e2e93ac7c92988ed4cbb989df1d4Zero Day Initiative Advisory 12-096 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of HP Data Protector Express. Authentication is not required to exploit this vulnerability. User interaction is not required to exploit this vulnerability. The specific flaw exists within the dpwinsdr.exe process which listens on TCP port 3817 by default. The process has insufficient bounds checking on user-supplied data copied to a fixed-length buffer on the stack. Remote, unauthenticated attackers can exploit this vulnerability by sending malformed opcode 0x330 message packets to the target, which could ultimately lead to arbitrary code execution under the context of the SYSTEM user.
ff843e03fe1fd89ea3c39d8a5267a02514914a3b649920437ff61e21fc352272Zero Day Initiative Advisory 12-095 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple Quicktime. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of XML elements within a TeXML file. Specifically, when handling the transform attribute the code within QuickTime3GPP.qtx does not properly validate the length of the data within a translate or matrix object before copying it into a fixed-length buffer on the stack. Exploitation of this vulnerability could allow a remote attacker to execute arbitrary code under the context of the user running Quicktime.
a690137e64bef8ffcb153214bdb9c44ed446d4114da83d08686a0c31ffe78477
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed