A heap-based buffer overflow exists in the sudo command-line utility that can be exploited by a local attacker to gain elevated privileges. The vulnerability was introduced in July 2011 and affects versions 1.8.2 through 1.8.31p2 as well as 1.9.0 through 1.9.5p1 in their default configurations. This implementation leverages the overflow to overwrite a service_user struct in memory so that it references an attacker-controlled library, which is then loaded with the elevated privileges held by sudo.
cdf458fa2ff6a679afd1037bdb879758b301305b20f223b3aade629bb97b04bc
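The overflow summarized above is the one tracked as CVE-2021-3156. As an added example written for this page, not code from the listed exploit or from sudo itself, the following C models the defective unescaping loop behind it: the heap buffer is sized to the joined command-line arguments, but on a backslash the loop skips one byte and copies the next, so a backslash that ends an argument steps over the terminating NUL and the copy runs on into whatever follows in memory. The memory image after the argument, the scratch destination and the `check_nul` switch are constructions for the demonstration.

```c
/*
 * Added example (not code from the listed exploit or from sudo): a model of
 * the argument-unescaping loop behind the sudo heap overflow (CVE-2021-3156).
 * The allocation is exactly strlen(arg)+1 per argument, but a backslash at
 * the end of an argument makes the loop skip the terminating NUL and keep
 * copying, writing past the allocation.  The hardened variant never steps
 * over a NUL.
 */
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Destination large enough that the model never really corrupts memory;
 * we only count how far past the intended allocation the loop wrote. */
#define SCRATCH 256

/* Size sudo computes for the joined arguments: strlen(arg) + 1 for each. */
static size_t args_alloc_size(const char *const *av)
{
    size_t size = 0;
    for (; *av; av++)
        size += strlen(*av) + 1;
    return size;
}

/*
 * Copies the arguments into dst, space-separated, unescaping backslashes
 * the way the vulnerable loop does.  Returns the number of bytes written
 * including the terminating NUL.  With check_nul set, a backslash that is
 * the last byte of an argument is copied literally instead of skipped, so
 * reading never passes the argument's terminator.
 */
static size_t join_args(char *dst, const char *const *av, int check_nul)
{
    char *to = dst;
    const char *from;

    for (; (from = *av) != NULL; av++) {
        while (*from) {
            if (from[0] == '\\' && !isspace((unsigned char)from[1])
                && (!check_nul || from[1] != '\0'))
                from++;            /* vulnerable: may land on the NUL ...  */
            *to++ = *from++;       /* ... which is copied, and copying goes on */
        }
        *to++ = ' ';
    }
    if (to == dst) {               /* no arguments at all (sudo rejects this earlier) */
        *to = '\0';
        return 1;
    }
    *--to = '\0';                  /* replace the trailing space */
    return (size_t)(to - dst) + 1;
}

/*
 * Constructed memory image: a single argument "foo\" followed, as it would
 * be on a real process heap, by further bytes (here sixteen 'B's).
 */
static const char arena[] = "foo\\\0BBBBBBBBBBBBBBBB";
static const char *const argv_model[] = { arena, NULL };

/* Bytes written beyond what args_alloc_size() would have allocated. */
static size_t overflow_bytes(int check_nul)
{
    char scratch[SCRATCH];
    size_t alloc = args_alloc_size(argv_model);        /* 5 bytes for "foo\" */
    size_t wrote = join_args(scratch, argv_model, check_nul);
    return wrote > alloc ? wrote - alloc : 0;
}
```

With the check disabled the loop copies the NUL, then the sixteen bytes behind it, for 21 bytes into a 5-byte allocation; with it enabled the output is exactly the 5 bytes that were allocated. In the real program the bytes behind the terminator are other argv and environment strings, which is what gives the attacker control over the overwrite.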
Technical Cyber Security Alert 2010-159A - According to Adobe, there is a vulnerability in Adobe Flash. This vulnerability affects Flash Player, Reader, Acrobat, and possibly other products that support Flash. A remote attacker could exploit this vulnerability to execute arbitrary code.
92d4d10d9876e9f473c2b97c245bf320a1cd8e2ed321e0718a268d019d732f99
Proof-of-concept exploit that demonstrates an audio tag denial of service vulnerability affecting Chrome and Safari.
7998f14f216bd39b0575479a751c7ae766a6ae068c1bccdbcecc3cf3812712d1
Internet Explorer and Opera suffer from a null character handling vulnerability that affects the source code viewer.
6f47aa69966d060ace583f0150c43622582a55c04b1774dcfb97de6fdc1e70bf
Debian Linux Security Advisory 2023-1 - Wesley Miaw discovered that libcurl, a multi-protocol file transfer library, is prone to a buffer overflow through the write callback when an application relies on libcurl to automatically uncompress data: more data than the documented maximum chunk size can be handed to the callback. Note that this only affects applications that trust libcurl's maximum limit for a fixed buffer size and do not perform any sanity checks themselves.
2dd03f5782033bbbad2979c5613092755d8d8f7e9db11e1cb1845c5543498708
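The advisory's caveat is about a trust assumption in application code, and it is worth seeing both sides of it. The following C is an added example, not code from libcurl or from the advisory: two write callbacks with libcurl's callback signature, one that sizes a fixed buffer to CURL_MAX_WRITE_SIZE and copies blindly, one that bounds the copy and signals an error by returning a short count. The callbacks are driven by a constructed chunk rather than a real transfer, so nothing here links against libcurl; the value of CURL_MAX_WRITE_SIZE is the default from curl.h and is restated locally as an assumption.

```c
/*
 * Added example (not libcurl code): the write-callback trust assumption the
 * advisory warns about.  An application that sizes its buffer to the
 * documented maximum and copies whatever arrives is overrun the moment the
 * library delivers a larger chunk, which is what the decompression bug made
 * possible.  The checked variant copies only what fits and returns a short
 * count, which libcurl treats as CURLE_WRITE_ERROR and aborts the transfer.
 */
#include <stddef.h>
#include <string.h>

#define CURL_MAX_WRITE_SIZE 16384   /* libcurl's documented default (assumed here) */

struct sink {
    char   buf[CURL_MAX_WRITE_SIZE];   /* sized to the "maximum" */
    size_t used;
    size_t dropped;                    /* bytes the checked callback refused */
};

/* Vulnerable: what an application that trusts the limit writes.  Nothing
 * bounds n against sizeof s->buf, so an oversized chunk overflows the buffer. */
static size_t write_cb_trusting(char *ptr, size_t size, size_t nmemb, void *userdata)
{
    struct sink *s = userdata;
    size_t n = size * nmemb;
    memcpy(s->buf + s->used, ptr, n);
    s->used += n;
    return n;
}

/* Hardened: copies at most the remaining room.  Returning fewer bytes than
 * were offered is the documented way for a write callback to fail. */
static size_t write_cb_checked(char *ptr, size_t size, size_t nmemb, void *userdata)
{
    struct sink *s = userdata;
    size_t n = size * nmemb;
    size_t room = sizeof s->buf - s->used;
    size_t take = n > room ? room : n;
    memcpy(s->buf + s->used, ptr, take);
    s->used += take;
    s->dropped += n - take;
    return take;                       /* != n when truncated: transfer aborts */
}

/* Constructed chunk larger than the documented maximum, standing in for the
 * oversized decompressed output the bug could hand to the callback. */
#define OVERSIZED (CURL_MAX_WRITE_SIZE + 512)

/* Drive the checked callback with the oversized chunk; returns bytes refused.
 * The trusting callback is deliberately not called with this input: it would
 * write those same 512 bytes past the end of buf. */
static size_t checked_refuses(void)
{
    static char chunk[OVERSIZED];
    struct sink s = { {0}, 0, 0 };
    memset(chunk, 'A', sizeof chunk);
    write_cb_checked(chunk, 1, sizeof chunk, &s);
    return s.dropped;
}

/* Within the limit both callbacks behave identically; returns bytes stored. */
static size_t in_limit_ok(void)
{
    static char chunk[CURL_MAX_WRITE_SIZE];
    struct sink s = { {0}, 0, 0 };
    memset(chunk, 'A', sizeof chunk);
    return write_cb_trusting(chunk, 1, sizeof chunk, &s);
}
```

The point of the sanity check is not the particular constant: a callback should treat `size * nmemb` as untrusted on every call, because the library's limit is a property of the library, not a guarantee the application controls.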
Adobe PDF LibTIFF integer overflow code execution exploit that affects versions 8.3.0 and below and 9.3.0 and below.
076c3cc941c8d0cafbb3478028a2e0b84834a5f95d7095704791d4b35d1d31f5
Sagem routers remote reset exploit. It affects F@ST router models 1200/1240/1400/1400W/1500/1500-WG/2404.
6dd66d98a8ff326462c7d87ec26495683bd9141e9255e109ffa9173cb5e41ef6
Todd Miller sudo 'sudoedit' local root exploit that affects 1.6.x versions before 1.6.9p21 and 1.7.x versions before 1.7.2p4.
0bc5ddb8c9f78020b6fdf754af735e0f64922f9795dab864f38f4d35c23c24d5
iTunes file handling local buffer overflow exploit that creates a malicious .pls file. Affects version 9.0 on Mac OS X.
0d3d25fbf64ab5c281bc87376978e384c6e0c60f12194baa9a83445c36bdde3f
Safari version 4.0.4 remote denial of service with possible memory corruption exploit. r45c4l has noted that this code also affects Opera version 10.10 and Firefox version 3.5.7 and that it works on Windows 7 and Mac OS X.
1de8981a66aafff330e11055d719e646e74a17a6ef5f71fd69190a9739809def
The Joomla Kunena component suffers from a remote blind SQL injection vulnerability. The researcher believes that this affects 1.5.9 but the author of the software has claimed that this only affects versions 1.5.4 and below.
e7a689b1c56bed9c9660f71ec06c232ea5ce0c6442d9306effe95e877117ba45
Debian Linux Security Advisory 1980-1 - David Leadbeater discovered an integer underflow that could be triggered via the LINKS command and can lead to a denial of service or the execution of arbitrary code (CVE-2009-4016). This issue affects both ircd-hybrid and ircd-ratbox.
0a6ecd8132d5653e5359b9dd2ff6f80c30c048776ddc6919626b811351537118
Debian Linux Security Advisory 1977-1 - Jukka Taimisto, Tero Rontti and Rauli Kaksonen discovered that the embedded Expat copy in the interpreter for the Python language does not properly process malformed or crafted XML files. This vulnerability could allow an attacker to cause a denial of service while parsing a malformed XML file. In addition, this update fixes an integer overflow in the hashlib module in python2.5. This vulnerability could allow an attacker to defeat cryptographic digests. It only affects the oldstable distribution (etch).
28197fcb1e4306a91d0fa3becafcfc0ced03343e6c675879be0de7506a38c77d
A heap-based buffer overflow can occur when calling the undocumented "sp_replwritetovarbin" extended stored procedure. This vulnerability affects all versions of Microsoft SQL Server 2000 and 2005, Windows Internal Database, and Microsoft Desktop Engine (MSDE) without the updates supplied in MS09-004. This exploit smashes several pointers:
1. A pointer to a 32-bit value that is set to 0.
2. A pointer to a 32-bit value that is set to a length influenced by the buffer length.
3. A pointer to a 32-bit value that is used as a vtable pointer. In MSSQL 2000, this value is referenced with a displacement of 0x38; for MSSQL 2005, the displacement is 0x10. The address of our buffer is conveniently stored in ecx when this instruction is executed.
4. On MSSQL 2005, an additional vtable pointer is smashed, referenced with a displacement of 4. This pointer is not used by this exploit.
There are two different methods used by this exploit, named "writeNcall" and "sprayNbrute". The first, "writeNcall", was published by k'sOSe on Dec 17 2008. It uses pointers 2 and 3, as well as a writeable address. This method is quite reliable; however, it relies on the operation on pointer 2. Newer versions of SQL Server (at least >= 2000 SP3) use a length value that is 8-byte aligned. This imposes a restriction that the code address that leads to the payload (jmp ecx in this case) must match the regex '.[08].[08].[08].[08]'. Unfortunately, no such addresses were found in memory. For this reason, the second method, "sprayNbrute", is used. First a heap spray is used to prime memory with many copies of the address of our code that leads to the payload (jmp ecx). Next, brute force is used to guess a value for pointer 3 that points to the sprayed data. A new method of spraying the heap inside MSSQL is presented. Sadly, it only allows the creation of a number of 8000-byte buffers.
132206feb12275d819fe75a51931368d87b85cda3a85d8d40fc77ff46d0342f7
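The alignment constraint that defeats writeNcall is easy to check mechanically, and doing so shows why it is so restrictive. The following C is an added example written for this page, not part of the Metasploit module: it scans a byte image for the two-byte `jmp ecx` encoding (FF E1) and keeps only addresses whose every byte has a low nibble of 0 or 8, which is what the regex '.[08].[08].[08].[08]' expresses. The 64-byte image, its load address 0x00400000 and the gadget offsets are constructed for the demonstration and do not describe any real MSSQL module.

```c
/*
 * Added example (not code from the exploit): the gadget-search constraint
 * from the writeNcall method.  Because pointer 2 is forced to an 8-byte-
 * aligned length, the address of the "jmp ecx" that reaches the payload must
 * have a low nibble of 0 or 8 in every one of its four bytes.  This scans a
 * constructed code image for FF E1 and keeps only addresses that qualify.
 */
#include <stddef.h>
#include <stdint.h>

/* True if every byte of addr has bits 0-2 clear, i.e. low nibble 0 or 8. */
static int addr_is_8aligned_per_byte(uint32_t addr)
{
    for (int i = 0; i < 4; i++)
        if (((addr >> (8 * i)) & 0x7) != 0)
            return 0;
    return 1;
}

/*
 * Scan image[0..len) loaded at base for the 2-byte "jmp ecx" (FF E1).
 * Stores up to max_out usable addresses (those passing the constraint) in
 * out, writes the usable count through n_usable, and returns the total
 * number of jmp ecx sequences found regardless of alignment.
 */
static size_t find_jmp_ecx(const uint8_t *image, size_t len, uint32_t base,
                           uint32_t *out, size_t max_out, size_t *n_usable)
{
    size_t found = 0, usable = 0;
    for (size_t off = 0; off + 1 < len; off++) {
        if (image[off] == 0xFF && image[off + 1] == 0xE1) {
            uint32_t addr = base + (uint32_t)off;
            found++;
            if (addr_is_8aligned_per_byte(addr) && usable < max_out)
                out[usable++] = addr;
        }
    }
    *n_usable = usable;
    return found;
}

/* Constructed 64-byte image (not a real MSSQL module) with three jmp ecx
 * gadgets at offsets 0x05, 0x18 and 0x30.  Loaded at 0x00400000 the first
 * sits at 0x00400005 (low nibble 5: rejected), the others at 0x00400018
 * and 0x00400030 (low nibbles 8 and 0: accepted). */
static const uint8_t demo_image[64] = {
    [0x05] = 0xFF, [0x06] = 0xE1,
    [0x18] = 0xFF, [0x19] = 0xE1,
    [0x30] = 0xFF, [0x31] = 0xE1,
};
#define DEMO_BASE 0x00400000u

/* Number of jmp ecx gadgets in the demo image that satisfy the constraint. */
static size_t demo_usable_count(void)
{
    uint32_t out[8];
    size_t usable;
    find_jmp_ecx(demo_image, sizeof demo_image, DEMO_BASE, out, 8, &usable);
    return usable;
}

/* Number of jmp ecx gadgets in the demo image before applying the constraint. */
static size_t demo_found_count(void)
{
    uint32_t out[8];
    size_t usable;
    return find_jmp_ecx(demo_image, sizeof demo_image, DEMO_BASE, out, 8, &usable);
}
```

Only 2 of the 16 possible low-nibble values pass for each byte, so about one address in 4096 qualifies before even asking what instruction lives there; that is consistent with the module author finding no usable address and falling back to sprayNbrute.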
Mandriva Linux Security Advisory 2009-333 - NULL bytes in SSL certificates can be used to falsify client or server authentication. This only affects users who have SSL enabled, perform certificate name validation or client certificate authentication, and whose Certificate Authority (CA) has been tricked into issuing invalid certificates. Using a CA that can be trusted to always issue valid certificates is recommended to ensure you are not vulnerable to this issue. A second issue allows privilege escalation by changing session state in an index function; this closes a corner case related to the vulnerabilities addressed by CVE-2007-6600. Packages for 2008.0 are being provided due to extended support for Corporate products. This update provides a solution to these vulnerabilities.
b0183b27a8fc7627f3bd44ab708862e840411e39f26ee2fa2b5bfe9cb3094727
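The certificate issue above comes down to two notions of string length. As an added example, not code from the advisory or from the affected software, the following C compares a hostname against a certificate Common Name first as a C string and then using the name's encoded length. The `asn1_str` type and both names are constructions for the demonstration, standing in for the length-prefixed ASN.1 string a real X.509 parser returns.

```c
/*
 * Added example (not code from the advisory or any affected product): the
 * NUL-byte certificate problem.  An X.509 name is length-prefixed and may
 * legally contain NUL bytes, but code that hands it to C string functions
 * stops at the first one.  A CA tricked into signing a CN of
 * "www.example.com\0.attacker.test" yields a certificate that strcmp()-style
 * matching accepts for www.example.com; length-aware comparison rejects it.
 */
#include <stddef.h>
#include <string.h>

/* Minimal model of an ASN.1 string: explicit length, no implied terminator.
 * Hypothetical type for this example, not an OpenSSL type. */
struct asn1_str {
    const unsigned char *data;
    size_t len;
};

/* Vulnerable: treats the certificate name as a C string, so comparison
 * silently stops at an embedded NUL. */
static int host_matches_cstr(const struct asn1_str *cn, const char *host)
{
    return strcmp((const char *)cn->data, host) == 0;
}

/* Hardened: the encoded length must equal the hostname's length (so bytes
 * hidden behind a NUL count), no NUL may appear anywhere in the name (no
 * legitimate hostname contains one), and the full byte range must match. */
static int host_matches_len(const struct asn1_str *cn, const char *host)
{
    size_t hlen = strlen(host);
    if (cn->len != hlen)
        return 0;
    if (memchr(cn->data, '\0', cn->len) != NULL)
        return 0;
    return memcmp(cn->data, host, hlen) == 0;
}

/* Constructed malicious CN: "www.example.com" NUL ".attacker.test" (30 bytes) */
static const unsigned char evil_cn_bytes[] = "www.example.com\0.attacker.test";
static const struct asn1_str evil_cn = { evil_cn_bytes, sizeof evil_cn_bytes - 1 };

/* Constructed legitimate CN (15 bytes) */
static const unsigned char good_cn_bytes[] = "www.example.com";
static const struct asn1_str good_cn = { good_cn_bytes, sizeof good_cn_bytes - 1 };
```

A production check also needs case-insensitive comparison and the wildcard rules for the left-most label; this isolates only the embedded-NUL problem. Rejecting any name that contains a NUL, rather than relying on the length comparison alone, is the conservative rule and costs nothing.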
This Metasploit module exploits the mod_rewrite LDAP protocol scheme handling flaw discovered by Mark Dowd, which produces an off-by-one overflow. Apache versions 1.3.29-36, 2.0.47-58, and 2.2.1-2 are vulnerable. This Metasploit module requires REWRITEPATH to be set accurately. In addition, the target must have 'RewriteEngine on' configured, with a specific 'RewriteRule' condition enabled to allow for exploitation. The flaw affects multiple platforms; however, this module currently only supports Windows-based installations.
96b871a0195d2591844969f9bba63abc59813d3e7296ce6634f95d37eb06d859
This Metasploit module exploits a vulnerability in the CA BrightStor Discovery Service. This vulnerability occurs when a specific type of request is sent to the TCP listener on port 41523. This vulnerability was discovered by cybertronic@gmx.net and affects all known versions of the BrightStor product. This Metasploit module is based on the 'cabrightstor_disco' exploit by Thor Doomen.
532219f28d50db309980d4c39dfa18dcf976499ccb5c9736a81297f410a80362
This is a simple buffer overflow for the MiniShare web server. This flaw affects all versions prior to 1.4.2. This is a plain stack overflow that requires a "jmp esp" to reach the payload, making it difficult to target many platforms at once. This Metasploit module has been successfully tested against 1.4.1. Versions 1.3.4 and below do not seem to be vulnerable.
bf2dd8378c0c0c82b912aa8e98c2826676a3f7e41c1c019b8e7c7c3874814359
This Metasploit module exploits a stack overflow in the SlimFTPd server. The flaw is triggered when a LIST command is received with an overly-long argument. This vulnerability affects all versions of SlimFTPd prior to 3.16 and was discovered by Raphael Rigo.
55e26861520e953f85b098982baa1fa9c82fe412aea320df41475c3eba5a0d70
This Metasploit module exploits a previously unpublished vulnerability in the Dogfood CRM mail function, which is vulnerable to command injection in the spell-check feature. Because of character restrictions, this exploit works best with the double-reverse telnet payload. This vulnerability was discovered by LSO and affects version 2.0.10.
d47d25f175832f723f8a69b2a5df882d82ea6fc211e6829459cf8e694f589f04
This Metasploit module exploits a stack overflow in the Arkeia backup client for the Mac OS X platform. This vulnerability affects all versions up to and including 5.3.3 and has been tested with Arkeia 5.3.1 on Mac OS X 10.3.5.
ebc9848511c662d2d6efa684039176f4dfa816c15b3dfcced903cb341a9beab5
Certain constructs are not escaped correctly by Opera's History Search results. These can be used to inject scripts into the page, which can then be used to modify configuration settings and execute arbitrary commands. Affects Opera versions between 9.50 and 9.61.
8ee97c6c137b092fb141c1b73dea46bcc91809906758777dbdcce9e2f67b0d2b
This is a detailed analysis regarding the U3D CLODProgressiveMeshDeclaration initialization array overrun that affects Adobe Acrobat Reader versions 7.x, 8.x, and 9.x. Exploit included.
c090417dc1342b3cda436100dd5256853c41e6b89eb64b311be1a05620d98e00
The libc fts_*() functions suffer from multiple denial of service vulnerabilities. This affects multiple vendors.
60fdb0c5abb5e3ce9c4855e6377fd45eb308fb523b2c8e1b8e6eaf4ed9349437
Debian Security Advisory 1871-2 - The previous WordPress update introduced a regression when fixing CVE-2008-4769 due to a function that was not backported with the patch. Please note that this regression only affects the oldstable distribution (etch).
565a2e4f05dcf7aeeb6e8faf612d43fcbf48f13dfbd682a6ec3e14c0ad64284d
Debian Security Advisory 1847-1 - It was discovered that the BIND DNS server terminates when processing a specially crafted dynamic DNS update. This vulnerability affects all BIND servers which serve at least one DNS zone authoritatively, as a master, even if dynamic updates are not enabled. The default Debian configuration for resolvers includes several authoritative zones, too, so resolvers are also affected by this issue unless these zones have been removed.
d960652c458b82724cffc42f08caf5a2da1661b518fb338a1238b9264835e4e6