
| ref. id | title | publ. date | severity |
|---|---|---|---|
| SSA-1023 | IBM Informix Dynamic Server librpc.dll Integer Overflow Remote Code Execution Vulnerability | 18 Oct 2010 | very high |

references: ZDI Advisory (CVE not assigned yet)
Affected versions: please check the ZDI advisory for a list of vulnerable versions.

Description from ZDI advisory: This vulnerability allows attackers to execute arbitrary code on vulnerable installations of IBM Informix Dynamic Server. Authentication is not required to exploit this vulnerability. The specific flaw exists within the RPC protocol parsing library, librpc.dll, utilized by the ISM Portmapper service (portmap.exe) bound by default to TCP port 36890. A lack of sanity checking on supplied parameter sizes can result in an integer overflow and subsequent heap buffer under-allocation, which can finally lead to an exploitable memory corruption.

Additional information: The vulnerability can be found in the function __lgto_xdr_string(), which parses strings from the user input. The structure is simple: [(dword)str_len] [string data of length str_len]. The heap overflow happens due to an integer overflow of the following form:

    char* buf = malloc(str_len + 3);

Any value >= 0xfffffffd will trigger the integer overflow. Afterwards, str_len bytes are copied into the small-sized buffer, causing the heap overflow.

Notable is the patch timeline:
2007-05-22 - Vulnerability reported to vendor
2010-10-18 - Coordinated public release of advisory
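The following is an added example and not code from librpc.dll or from ZDI: a bounds-checked parser for the `[(dword)str_len] [data]` string layout described above. It shows the two checks the vulnerable `malloc(str_len + 3)` pattern lacks, namely that the `+ 3` cannot wrap the 32-bit size and that `str_len` cannot exceed the bytes actually present in the packet. `STR_PAD`, `MAX_STR_LEN` and the big-endian length encoding are assumptions for the example, not values taken from the library.

```c
/* Added example (not the vendor's or ZDI's code): a bounds-checked parser
 * for the XDR-style string layout [(uint32) str_len][str_len bytes].
 * The vulnerable pattern is malloc(str_len + 3) with str_len attacker
 * controlled: any str_len >= 0xFFFFFFFD wraps the 32-bit sum to a tiny
 * allocation, and the following copy of str_len bytes overflows the heap. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define STR_PAD 3           /* the "+3" from the advisory; assumed NUL plus padding */
#define MAX_STR_LEN 65536   /* assumed policy limit; the real library sets none */

/* Compute str_len + STR_PAD as a 32-bit size, reporting wrap-around instead of truncating. */
static int checked_alloc_size(uint32_t str_len, uint32_t *out)
{
    if (str_len > UINT32_MAX - STR_PAD)   /* the addition would wrap */
        return 0;
    *out = str_len + STR_PAD;
    return 1;
}

/* Parse one string from buf (buf_len bytes). Returns a malloc'd NUL-terminated
 * copy, or NULL for any malformed input. *consumed receives the bytes used. */
char *xdr_string_parse(const uint8_t *buf, size_t buf_len, size_t *consumed)
{
    uint32_t str_len, alloc_len;

    if (buf_len < 4)
        return NULL;
    /* big-endian length prefix, as XDR encodes integers (assumed here) */
    str_len = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
              ((uint32_t)buf[2] << 8)  |  (uint32_t)buf[3];

    /* Reject lengths that would wrap the allocation or exceed the policy limit... */
    if (str_len > MAX_STR_LEN || !checked_alloc_size(str_len, &alloc_len))
        return NULL;
    /* ...and lengths that claim more data than the packet actually carries. */
    if (str_len > buf_len - 4)
        return NULL;

    char *out = malloc(alloc_len);
    if (!out)
        return NULL;
    memcpy(out, buf + 4, str_len);
    out[str_len] = '\0';
    *consumed = 4 + (size_t)str_len;
    return out;
}

/* Does a given length prefix survive the size checks on its own? */
int xdr_length_is_safe(uint32_t str_len)
{
    uint32_t unused;
    return str_len <= MAX_STR_LEN && checked_alloc_size(str_len, &unused);
}

int main(void)
{
    /* constructed sample: length 5, "hello" */
    const uint8_t good[] = {0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o'};
    /* constructed sample: length 0xFFFFFFFE, the wrapping case from the advisory */
    const uint8_t bad[]  = {0xFF, 0xFF, 0xFF, 0xFE, 'x', 'x'};
    size_t used = 0;
    char *s = xdr_string_parse(good, sizeof good, &used);
    printf("good: %s (%zu bytes consumed)\n", s ? s : "(rejected)", used);
    free(s);
    s = xdr_string_parse(bad, sizeof bad, &used);
    printf("bad: %s\n", s ? s : "(rejected)");
    free(s);
    return 0;
}
```

The order of the checks matters: the wrap check has to run before the sum is used for anything, and the "fits in the packet" check is what stops a large but non-wrapping length from reading past the received buffer.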
| SSA-1022 | RealNetworks RealPlayer RJMDSections Remote Code Execution Vulnerability | 15 Oct 2010 | very high |

references: RealNetworks advisory, ZDI Advisory, CVE-2010-3750
Affected versions: please check the vendor advisory for an overview; the vulnerability was found in version 12.0.0.343.

Description from ZDI advisory: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of RealNetworks RealPlayer. User interaction is required in that a target must open a malicious website or media file. The specific flaw exists within the code responsible for parsing Name Value Property (NVP) elements from within logical streams in a RealPlayer media file. Specifically, a function within the rjrmrpln.dll file allocates a buffer on the heap which can be directly influenced from data within the file. This buffer is then written to using another value defined in the file and thus also controlled. By crafting a malicious media file an attacker can abuse this to execute arbitrary code under the context of the user running the player.
| SSA-1021 | Microsoft Embedded OpenType (.eot) Font Parsing Heap Overflow Vulnerability | 12 Oct 2010 | very high |

references: Microsoft Security Advisory MS10-076, CVE-2010-1883, ZDI Advisory
Affected versions: please check the Microsoft advisory for affected OS versions.

A critical vulnerability exists in the .eot (Embedded OpenType) parsing code within t2embed.dll. When parsing embedded MTX-compressed (MicroType Express) font files, the multiplication of two controlled values can lead to an integer overflow, which results in a heap overflow later on. This heap overflow can be abused to achieve code execution in the process which performs the .eot parsing (probably IE only). The vulnerability specifically exists in the parsing code of the _MTX_TTC_CTF_To_TTF function. In order to reach the vulnerable code the font file needs an embedded 'hdmx' tag. The hdmx header looks as follows:

The problem is an unchecked multiplication of numRecords * sizeDeviceRecords, which can lead to an int32 overflow. This results in the allocation of a small-sized buffer which is overflowed later. The heap overflow can be abused to execute code in the browser context.
| SSA-1020 | Microsoft OpenType Font Parsing Kernel Heap Overflow Vulnerability | 12 Oct 2010 | high |

references: Microsoft Security Advisory MS10-078, CVE-2010-2740
Affected versions: please check the Microsoft advisory for affected OS versions.

The vulnerability allows for local privilege escalation due to an error in the .otf parsing code. Since parsing is performed in the kernel library atmfd.dll, code execution in ring0 can possibly be achieved. To exploit this vulnerability a manipulated .otf file has to be opened, or one of the GDI32 API functions AddFontResource(Ex)(A/W) has to be called directly.

The specific flaw exists in a routine which is meant to extract unicode strings from the .otf 'name' table. A WORD value is read from the .otf user input and used as the length for a string in the name table. The string is then copied to a heap buffer in a loop with the following pseudo-code:

    copySize = [controlled WORD value];
    while (copySize != NULL) {
        copy 2 bytes to heap buffer;
        copySize -= 2;
    }

If an odd value is given in the .otf file, the loop's exit condition copySize == NULL is never hit. This leads to an unbounded copy operation resulting in a heap overflow.

Note: It might be possible that 3rd party products use the userland font API GDI32.AddFontResource(Ex)(A/W) for OpenType font files. This could potentially lead to remote exploitation vectors! So far, no remote vectors could be found for IE and MS Word. However, this has NOT been tested extensively!
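As an added illustration (not Microsoft's code, and not a reconstruction of atmfd.dll), the block below models the copy loop above without touching memory, so the non-termination for odd lengths can be observed, and then shows a hardened copy routine that validates the length before any loop runs. The function names, the `limit` cut-off and the sample 'name' table bytes are constructed for this example.

```c
/* Added example (not Microsoft's code): a model of the .otf 'name' table
 * copy loop from the advisory, plus a hardened replacement. The loop
 * decrements a controlled 16-bit length by 2 and stops only when it hits
 * exactly 0, so an odd start value never satisfies the exit condition. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Simulate the advisory's loop: return how many bytes it would copy before
 * stopping, or `limit` if it has not stopped by then (i.e. it runs unbounded).
 * The counter is widened to 32 bits and wraps on underflow like the pseudo-code. */
size_t modelled_copy_bytes(uint16_t copy_size, size_t limit)
{
    uint32_t remaining = copy_size;
    size_t copied = 0;
    while (remaining != 0) {
        if (copied >= limit)
            return limit;       /* gave up: the loop would not have terminated */
        copied += 2;            /* "copy 2 bytes to heap buffer" */
        remaining -= 2;         /* underflows past 0 when copy_size is odd */
    }
    return copied;
}

/* Hardened copy (assumed interface): the UTF-16 string must have an even byte
 * length that fits both the remaining table data and the destination buffer.
 * Returns the number of bytes copied, or 0 for rejected input. */
size_t copy_name_string(uint8_t *dst, size_t dst_len,
                        const uint8_t *table, size_t table_len,
                        size_t offset, uint16_t copy_size)
{
    if (copy_size & 1)                                   /* odd length: reject, never loop */
        return 0;
    if (offset > table_len || copy_size > table_len - offset)
        return 0;                                        /* string runs past the table */
    if (copy_size > dst_len)
        return 0;                                        /* would overflow the heap buffer */
    for (size_t i = 0; i < copy_size; i += 2)            /* bounded by the validated size */
        memcpy(dst + i, table + offset + i, 2);
    return copy_size;
}

int main(void)
{
    /* constructed 'name' table bytes: UTF-16BE "Hi!?" */
    const uint8_t table[] = {0, 'H', 0, 'i', 0, '!', 0, '?'};
    uint8_t out[8];

    printf("modelled loop, even 6 -> %zu bytes\n", modelled_copy_bytes(6, 1u << 20));
    printf("modelled loop, odd 5  -> %zu bytes (hit limit)\n", modelled_copy_bytes(5, 1u << 20));
    printf("hardened copy, odd 5  -> %zu bytes\n",
           copy_name_string(out, sizeof out, table, sizeof table, 0, 5));
    printf("hardened copy, even 4 -> %zu bytes\n",
           copy_name_string(out, sizeof out, table, sizeof table, 0, 4));
    return 0;
}
```

The parity check alone closes the non-termination bug; the two range checks are what a kernel-side parser additionally needs, because an even but oversized length would still write past the heap allocation.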
| SSA-1019 | Adobe Reader ICC mluc Remote Code Execution Vulnerability | 06 Oct 2010 | very high |

references: ZDI Advisory, Advisory on Adobe homepage
Affected versions: <= 9.3.4

Description from ZDI advisory: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Adobe Reader. User interaction is required in that a target must be coerced into opening a file or visiting a web page. The specific flaw exists within the ACE.dll module responsible for parsing ICC streams. Within the 'desc' tag there exists an embedded 'mluc' data structure. The code within ACE performs arithmetic on the second DWORD from the mluc structure and a value from the desc structure. The resulting integer is used for an allocation of a heap-based buffer. An attacker can forge these values to force the process to under-allocate this buffer and later overflow it during a copy operation. This leads to remote code execution under the context of the user running the application.
| SSA-1018 | Adobe Reader ICC Parsing Remote Code Execution Vulnerability | 06 Oct 2010 | very high |

references: ZDI Advisory, Advisory on Adobe homepage
Affected versions: <= 9.3.4

Description from ZDI advisory: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Adobe Reader. User interaction is required in that a target must be coerced into opening a file or visiting a web page. The specific flaw exists within the ACE.dll module responsible for parsing ICC streams. When processing an ICC stream, the process performs math on two DWORD values from the input file. If these values wrap over the maximum integer value of 0xFFFFFFFF a mis-allocation can occur. Later, the process uses one of the original DWORD values as a size to a copy function. This can be abused by an attacker to overflow a stack buffer and subsequently execute code under the context of the user running the process.
| SSA-1017 | IBM TSM FastBack Server _DAS_ReadBlockReply Remote Denial of Service Vulnerability | 29 Sep 2010 | medium |

references: ZDI Advisory, Patch on IBM homepage
Affected versions: 5.5.0.0 - 5.5.6.0 and 6.1.0.0 - 6.1.0.1

Description from ZDI advisory: The specific flaw exists within the FastBackServer.exe process which listens by default on TCP port 11406. The problematic code resides within a function responsible for reading a block of network packet data. A parameter to this function is initialized to 0 and under certain conditions this value will be accessed before being properly initialized. This causes a NULL pointer to be dereferenced and a subsequent application crash due to a lack of exception handling. Successful exploitation leads to immediate termination of the FastBack server.
| SSA-1016 | IBM TSM FastBack _CalcHashValueWithLength Remote Denial of Service Vulnerability | 29 Sep 2010 | medium |

references: ZDI Advisory, Patch on IBM homepage
Affected versions: 5.5.0.0 - 5.5.6.0 and 6.1.0.0 - 6.1.0.1

Description from ZDI advisory: This vulnerability allows remote attackers to create a denial of service condition on vulnerable installations of IBM Tivoli FastBack Server. Authentication is not required to exploit this vulnerability. The specific flaw exists within FastBackServer.exe which listens by default on TCP port 11406. The issue is due to an unchecked user-supplied length value. This value is used to iterate over supplied data and calculate a CRC value. Successful exploitation leads to an unhandled access violation and immediate termination of the FastBackServer.exe process.
| SSA-1015 | IBM TSM FastBack Server _Eventlog Format String Remote Code Execution Vulnerability | 29 Sep 2010 | very high |

references: ZDI Advisory, Patch on IBM homepage
Affected versions: 5.5.0.0 - 5.5.6.0 and 6.1.0.0 - 6.1.0.1

Description from ZDI advisory: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of IBM Tivoli Storage Manager FastBack. Authentication is not required to exploit this vulnerability. The specific flaw exists within the FastBack server process (FastBackServer.exe) which listens by default on TCP port 11406. The process searches received packet data for a pipe character (0x7c) and then sends the remaining portion of the string to the event log without sanitization. By providing a specially crafted string with format specifiers this can be leveraged to trigger a format string vulnerability which can lead to arbitrary code execution in the context of the server process.
| SSA-1014 | IBM TSM FastBack Server USER_S_AddADGroup Remote Code Execution Vulnerability | 29 Sep 2010 | very high |

references: ZDI Advisory, Patch on IBM homepage
Affected versions: 5.5.0.0 - 5.5.6.0 and 6.1.0.0 - 6.1.0.1

Description from ZDI advisory: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of IBM Tivoli FastBack Server. Authentication is not required to exploit this vulnerability. The specific flaw exists within FastBackServer.exe which listens by default on TCP port 11460. The issue is due to a strcat of user-supplied data to a fixed-length buffer located on the stack. By providing sufficiently large values for a group, workgroup, or domain name this buffer can be overflowed. Successful exploitation leads to remote code execution under the context of the FastBack server.
| SSA-1013 | IBM TSM FastBack Server FXCLI_checkIndexDBLocation Remote Code Execution Vulnerability | 29 Sep 2010 | very high |

references: ZDI Advisory, Patch on IBM homepage
Affected versions: 5.5.0.0 - 5.5.6.0 and 6.1.0.0 - 6.1.0.1

Description from ZDI advisory: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of IBM Tivoli FastBack Server. Authentication is not required to exploit this vulnerability. The flaw exists within FastBackServer.exe which listens by default on TCP port 11460. The issue is due to a strcpy of user-supplied data and length to a fixed-size buffer located on the stack. Specifically, this issue can be triggered by providing a large enough user_path variable. Successful exploitation leads to remote code execution under the context of the FastBack server.
| SSA-1012 | IBM TSM FastBack Server FXCLI_OraBR_Exec_Command Remote Code Execution Vulnerabilities | 29 Sep 2010 | very high |

references: ZDI Advisory, Patch on IBM homepage
Affected versions: 5.5.0.0 - 5.5.6.0 and 6.1.0.0 - 6.1.0.1

Description from ZDI advisory: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of IBM Tivoli FastBack Server. Authentication is not required to exploit this vulnerability. The specific flaw exists within FastBackServer.exe which listens by default on TCP port 11460. The vulnerable function uses values directly from a received packet as the size and data to several memcpy calls. By providing crafted values this issue can lead to remote code execution under the context of the FastBack server.
| SSA-1011 | IBM TSM FastBack Server ActivateLTScriptReply Remote Code Execution Vulnerability | 29 Sep 2010 | very high |

references: ZDI Advisory, Patch on IBM homepage
Affected versions: 5.5.0.0 - 5.5.6.0 and 6.1.0.0 - 6.1.0.1

Description from ZDI advisory: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of IBM Tivoli FastBack Server. Authentication is not required to exploit this vulnerability. The specific flaw exists within FastBackServer.exe which listens by default on TCP port 11406. The issue is due to a memcpy within the _AGI_S_ActivateLTScriptReply function. The process trusts a user-supplied length and copies user-supplied data to a fixed-length buffer located on the stack. Successful exploitation leads to remote code execution under the context of the FastBack server.
| SSA-1010 | IBM TSM FastBack Server _SendToLog Remote Code Execution Vulnerability | 29 Sep 2010 | very high |

references: ZDI Advisory, Patch on IBM homepage
Affected versions: 5.5.0.0 - 5.5.6.0 and 6.1.0.0 - 6.1.0.1

Description from ZDI advisory: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of IBM Tivoli FastBack Server. Authentication is not required to exploit this vulnerability. The specific flaw exists within FastBackServer.exe which listens by default on TCP port 11406. The issue is due to an unsafe copy to a buffer located on the stack. This buffer is used to build a formatted event log message for the AGI_SendToLog method. Successful exploitation leads to remote code execution under the context of the FastBack server.
| SSA-1009 | IBM TSM FastBack Mount Service Arbitrary Overwrite Remote Code Execution Vulnerability | 29 Sep 2010 | very high |

references: ZDI Advisory, Patch on IBM homepage
Affected versions: 5.5.0.0 - 5.5.6.0 and 6.1.0.0 - 6.1.0.1

Description from ZDI advisory: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of IBM Tivoli Storage Manager FastBack. Authentication is not required to exploit this vulnerability. The specific flaw exists within the Mount service (FastBackMount.exe). This process listens by default on UDP port 30005. This process writes the value 0x01 to the address specified by the second DWORD from a packet received on its UDP port. An attacker can exploit this behavior to execute arbitrary code by making several requests to this service.
| SSA-1008 | RealNetworks RealPlayer FLV Parsing Multiple Integer Overflow Vulnerabilities | 26 Aug 2010 | high |

references: ZDI Advisory, Patch on RealNetworks homepage
Affected versions: <= 12.0.0.301

This advisory comprises two heap overflow vulnerabilities in RealPlayer when parsing maliciously crafted .flv files. While parsing user-controlled input data of types HX_FLV_META_AMF_TYPE_MIXEDARRAY and HX_FLV_META_AMF_TYPE_ARRAY, the function ParseKnownType trusts a user-controlled DWORD value as the size for the allocation of a structure array. Since the structure is of size 0x23, any value >= 0x7507508 will cause the allocation of a small-sized buffer (0x23 * 0x7507508 == 0x18 on 32-bit systems) and leads to a heap overflow right afterwards.
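The missing check behind this advisory (a controlled element count times a fixed structure size) and behind SSA-1021 above (numRecords * sizeDeviceRecords) is the same one, so a single added example serves both. It is not RealNetworks' or Microsoft's code: it performs the multiplication in 64 bits, reports whether the 32-bit product would wrap, and refuses the allocation if so. The 0x23 structure size and the 0x7507508 count are the figures stated above; `hard_limit` and the function names are assumptions for the example.

```c
/* Added example (not RealNetworks' or Microsoft's code): overflow-checked
 * element-count allocation. A 32-bit build computes count * elem_size
 * modulo 2^32, so a large count yields a tiny allocation that the
 * subsequent element writes overflow. */
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Multiply two 32-bit sizes the way a 32-bit allocator would see them.
 * Returns 1 and the exact product if it fits in 32 bits; otherwise returns 0
 * and stores the wrapped value the unchecked code would have passed on. */
int checked_mul32(uint32_t count, uint32_t elem_size, uint32_t *product)
{
    uint64_t wide = (uint64_t)count * elem_size;
    *product = (uint32_t)wide;          /* truncation mirrors the 32-bit bug */
    return wide <= UINT32_MAX;
}

/* Largest count of elem_size-byte elements whose byte size still fits 32 bits. */
uint32_t max_safe_count(uint32_t elem_size)
{
    return elem_size ? UINT32_MAX / elem_size : 0;
}

/* Allocate `count` structures of `elem_size` bytes, refusing any request whose
 * byte size would wrap or exceed hard_limit (an assumed per-parser policy cap). */
void *alloc_array_checked(uint32_t count, uint32_t elem_size, uint32_t hard_limit)
{
    uint32_t bytes;
    if (!checked_mul32(count, elem_size, &bytes) || bytes > hard_limit)
        return NULL;
    return calloc(count, elem_size);
}

int main(void)
{
    uint32_t bytes;
    /* the figures from the advisory: 0x23 * 0x7507508 wraps to 0x18 on 32-bit */
    int fits = checked_mul32(0x7507508u, 0x23u, &bytes);
    printf("0x23 * 0x7507508: fits=%d, wrapped size=0x%x\n", fits, bytes);
    printf("max safe count for 0x23-byte elements: 0x%x\n", max_safe_count(0x23u));
    void *p = alloc_array_checked(0x7507508u, 0x23u, 1u << 24);
    printf("checked allocation of the overflowing count: %s\n", p ? "granted" : "refused");
    free(p);
    return 0;
}
```

`max_safe_count(0x23)` comes out as 0x7507507, one below the smallest overflowing count the advisory names, which is a quick way to confirm the stated threshold. The policy cap is there because a count that does not wrap can still be absurdly large for a metadata array, and refusing it early keeps a crafted file from exhausting memory.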
| SSA-1007 | EZ Publish "search" function SQL Injections | 25 Mar 2010 | very high |

references: EZ Publish advisory, Patch 16397.diff
Affected versions: >= 3.7.0 and <= 4.2.0

Two SQL injection vulnerabilities exist in the search functionality of EZ Publish. The parameters "SectionID" and "SearchTimestamp" can both be passed to the application as arrays. Since none of the SectionID array members undergo further validation, it is possible for an attacker to inject malicious SQL statements into the final search query. The same problem exists for the SearchTimestamp array: the second array member gets assigned to the publishedDateStop variable, which is later built into the search query without sanitization. Both injections can be used to gain access to sensitive data contained in the databases accessible to the current database user. The search function is usually accessible by everyone, further aggravating the serious injection flaw. Please apply the patch ASAP since it is likely that an exploit will appear on the net soon.
| SSA-1006 | EZ Publish "advancedsearch" function SQL Injection | 25 Mar 2010 | very high |

references: EZ Publish advisory, Patch 16398.diff
Affected versions: >= 3.7.0 and <= 4.2.0

A SQL injection vulnerability exists in the advancedsearch functionality of EZ Publish. If the parameter "SearchContentClassAttributeID" is passed to the application as an array, the array members are not validated properly. Just like the search functionality described in SSA-1007, advancedsearch is usually accessible without authentication and thus gets the same "very high" rating.
| SSA-1005 | EZ Publish "advancedsearch" XSS Vulnerability | 25 Mar 2010 | medium |

references: EZ Publish advisory, Patch 16396.diff
Affected versions: >= 3.7.0 and <= 4.2.0

The advancedsearch functionality of EZ Publish is prone to an XSS attack due to the lack of input filtering on the "subTreeItem" parameters. The subTreeItems are passed to the application as part of the "SubTreeArray" variable and get inserted into the advancedsearch.tpl template without further sanitization. Authentication is not required to exploit this vulnerability.
| SSA-1004 | Multiple Vendor librpc.dll Signedness Error Remote Code Execution Vulnerability | 01 Mar 2010 | very high |

references: ZDI Advisory ZDI-10-023, CVE-2009-2754

This advisory describes a remotely exploitable vulnerability in IBM Informix and EMC Legato Networker. Both products expose an RPC endpoint through the service ISM Portmapper (portmap.exe), running by default on port 36890. Incoming RPC data gets parsed in the library librpc.dll. This library contains a severe signedness check vulnerability which can lead to a fully controllable stack buffer overflow, allowing for remote code execution as SYSTEM. Authentication is not necessary.

Disclosure timeline:
2008-02-07 - Vulnerability reported to vendor
2010-03-01 - Coordinated public release of advisory
| SSA-1003 | IBM Informix librpc.dll Multiple Remote Code Execution Vulnerabilities | 01 Mar 2010 | very high |

references: ZDI Advisory ZDI-10-022, CVE-2009-2753

The advisory comprises multiple heap and stack overflows resulting from improper size checks in the module librpc.dll (see SSA-1004). Patches have been made available by IBM and should be applied as soon as possible. Like in SSA-1004, the vulnerabilities can lead to pre-authentication remote code execution with SYSTEM privileges!
| SSA-1002 | OpenOffice <3.2 XPM file parsing Heap Overflow | 13 Feb 2010 | high |

references: OpenOffice security advisory, CVE-2009-2949

A heap overflow has been discovered in OpenOffice (versions <3.2) which can be triggered with a maliciously crafted XPM file. This vulnerability is caused by an integer overflow which leads to the allocation of a small-sized buffer. After the allocation this buffer can be overflowed with a high degree of control over the written data, increasing the severity of the flaw. The usual advice not to open any XPM files from untrusted sources is not very helpful in this case, since an attacker can easily embed the XPM file in common OpenOffice file formats (e.g. ODF).
| SSA-1001 | OpenOffice <3.2 GIF file parsing Heap Overflow | 13 Feb 2010 | medium |

references: OpenOffice security advisory, CVE-2009-2950

A heap overflow has been discovered in OpenOffice (versions <3.2) which can be triggered with a maliciously crafted GIF file. The severity was rated as "medium" because only a limited number of rather uncontrolled bytes can be written beyond the buffer boundaries. This makes it very unlikely that the vulnerability will be exploited in real-world scenarios.