Wonderware Archestra ConfigurationAccessComponent ActiveX stack overflow

Abstract:  The Wonderware Archestra ConfigurationAccessComponent ActiveX control that is marked “safe for scripting” is suffering from a stack overflow vulnerability. The UnsubscribeData method of the IConfigurationAccess interface is using wcscpy() to copy its first parameter into a static sized local buffer. Attackers can exploit this vulnerability in order to overwrite arbitrary stack data and gain code execution.

Read the technical details here.

Authentication Bypass In Tranax Remote Management Software

Abstract:  The Tranax Remote Management Software (RMS) allows for the administration of common Automated Teller Machine (ATM) tasks from a remote location.

To successfully authenticate to a remote ATM, both the serial number and the RMS password are required. Due to an implementation flaw when verifying these credentials, it is possible to craft a request that bypasses all authentication measures, which means that remote management tasks can be performed with invalid credentials.

The RMS interface is enabled by default on a typical ATM installation.

Read the technical details here.

SQL Injection and Cross-site Scripting at www.courts.wa.gov

Abstract:  The formID parameter at http://www.courts.wa.gov/forms/ is vulnerable to SQL injection. The searchTerms parameter at http://www.courts.wa.gov/search/index.cfm is vulnerable to cross-site scripting attacks. Exploiting these vulnerabilities would likely expose sensitive data and may result in compromise of the affected systems.

Read the technical details here.

Multiple Vulnerabilities in Accoria Web Server

Abstract:  The Accoria Web Server 1.4.7 for x86 Solaris exhibits multiple vulnerabilities including cross-site scripting, directory traversal, and format string errors.

Read the technical details here.

Mach Exception Handling Privilege Escalation

Abstract:  Mach exception handling suffers from a vulnerability that allows an attacker to gain access to the memory of a suid process (set user identifer). Due to a vulnerability that's similar to CVE-2006-4392 (found by Dino Dai Zovi of Matasano Security), it’s possible for a suid process to inherit the Mach exception ports of the parent.

Read the technical details here.

Microsoft Windows CryptoAPI X.509 Spoofing Vulnerability

Release Date: 10.13.09
VUPEN ID: VUPEN/ADV-2009-2891
CVE ID: CVE-2009-2510, CVE-2009-2511
Author: Dan Kaminsky (IOActive), Ian Wright and Jean-Luc Giraud (Citrix)

Abstract:  Two vulnerabilities have been identified in Microsoft Windows that have to do with the use of X.509 certificates and could be exploited by attackers to bypass security restrictions.

Read the technical details here.

AppleTalk Response Packet Parsing Array Over-indexing Vulnerability

Date Discovered: 03.03.09
Date Reported: 03.03.09
Date Disclosed: 08.05.09
CVE-ID: CVE-2009-2193
Author: Ilja van Sprundel

Synopsis: The Mac OS X AppleTalk stack contains an array over-indexing vulnerability that, if exploited correctly while AppleTalk is powered on, could lead to a remote system compromise. Even if only partially exploited, it could lead to denial of service and cause a kernel panic remotely, effectively shutting down the system.

Read the technical details here.

doc.export* Methods Allow Arbitrary File Creation

Date Discovered: 07.13.09

Synopsis: Several JavaScript methods of the Document Object do not honor the Privileged Context and Safe Path settings. IOActive was able to execute certain privileged JavaScript methods that can be used to create arbitrary files and folders on a targeted file system.

Read the technical details here.

Recursive Stack Overflow in ClamAV

Date Reported: 10.30.08
Date Patched: 12.01.08
Date Disclosed: 06.09.09
Author: Ilja van Sprundel

Synopsis: ClamAV's JPEG parser contains code that recursively checks thumbnails if they are included. Since the thumbnails can be JPEGs, there is no limit to the amount of recursions that can occur, leading to potential stack overflow.

Read the technical details here

Heap Corruption in Tor

Date Discovered: January 2009
Date Reported: 01.20.09
Date Disclosed: 06.08.09
Author: Ilja van Sprundel

Synopsis: There is a potential heap corruption bug in Tor when escaping data for logging purposes. Only certain deployments are vulnerable and the bug can be triggered only from certain locales.

Read the technical details here

Diskimages-helper band-size Vulnerability

Reported to Vendor: 09.30.08
Patch Released: 04.29.09
CVE ID: CVE-2009-0150
Author: Tiller Beauchamp

Synopsis: A signed-to-unsigned conversion flaw exists in diskimages-helper when it reads the band-size parameter. When the value specified for the band-size key is changed to a negative number, the diskimages-helper process crashes when the user attempts to log in.

Read the technical details here.

Pointer Dereference in OpenSolaris

Date Reported: 09.29.08
Date Disclosed: 02.04.09
Date patched: 02.05.09
Author: Ilja van Sprundel

Synopsis: The OpenSolaris kernel exhibits a vulnerability around a userland pointer dereference, and allows both reading from and writing to the kernel.

Read the technical details here

Multiple Vulnerabilities in Apple's MobileMe Service

Date reported: 08.05.08
Date patched: 11.06.08
Date disclosed: 11.20.08
Authors: Richard van Eeden, Ilja van Sprundel

Synopsis: Apple's MobileMe (me.com) web service contains several serious security vulnerabilities, the most critical of which combine Cross-site Request Forgery and Cross-site Scripting, and allow an attacker to access the service without a valid password.

Read the technical details here

QNX ker_msg_sendv System Call Integer Overflow

Synopsis: QNX's ker_msg_sendv() system call contains an integer overflow that could lead to heap corruption and, if correctly exploited, system compromise. If it is only partially exploited it could lead to denial of service and kernel panic, effectively shutting down the system.

Read the technical details here

DNS TXT Record Parsing Bug in LibSPF2

Date reported: 10.20.08
Date disclosed: 10.21.08
Author: Dan Kaminsky

Synopsis: A relatively common bug that parses TXT records delivered over DNS—dating back at least to 2002 in Sendmail 8.2.0 and almost certainly much earlier—has been found in LibSPF2, a library that is used frequently to retrieve Sender Policy Framework (SPF) records and apply policy according to those records. This implementation flaw allows for relatively flexible memory corruption and should be treated as a path to anonymous remote code execution.

Read the technical details here

Buffer Overflow in Mono BigInteger Montgomery Reduction Method

CVE-2007-5197, VU#146292

Date discovered: 07.25.07
Date reported: 08.24.07
Date disclosed: 09.20.07
Authors: Jason Larsen, Walter Pearce

Synopsis: An exploitable buffer overflow vulnerability in the Montgomery reduction method within the Mono Frameworks BigInteger Class (Mono.Math.BigInteger).

Read the technical details here

Multiple Total Remote Compromise Vulnerabilities in Mercury SiteScope Monitoring Software

CVE-2007-6257, VU#245025
Date discovered: 10.05.06
Date disclosed: 09.20.07
Author: Chris Paget

Synopsis: Critical vulnerabilities within the Mercury SiteScope server monitoring software, some of which allow for complete remote compromise of the entire monitored network as well as arbitrary code execution on all servers managed by the SiteScope software.

Read the technical details here

Multiple Buffer Overflows in legacy mod_jk2 apache module 2.0.3-DEV and earlier

CVE-2007-6257, VU#245025
Date discovered: 05.01.07
Date reported: 06.27.07
Date disclosed: 09.20.07
Authors: Josh Betts, Jason Larsen, Walter Pearce

Synopsis: A buffer overflow in the Host Header field of the legacy version of the mod_jk2 apache module (jakata-tomcat-connectors) which allows for remote code execution in the context of the apache process.

Read the technical details here

Static Microsoft Windows WPAD entries might allow interception of traffic

CVE-2007-1692
Date disclosed: 03.26.07
Author: Chris Paget

Synopsis: The default configuration of Microsoft Windows uses the Web Proxy Autodiscovery Protocol (WPAD) without static WPAD entries, which might allow remote attackers to intercept web traffic by registerng a proxy server using WINS or DNS, then responding to WPAD requests.

• National Vulnerability Database technical details »
• Common Vulnerabilities and Exposures technical details »
• C|Net News article »

Numerous WebEOC Vulnerabilities

VU#956762, VU#170394, VU#138538, VU#372797, VU#491770, VU#258834, and VU#388282

Date first published: July 2005

Synopsis:

• WebEOC is vulnerable to a denial-of-service condition via uploading large files (VU#956762). Technical details »
• WebEOC account lock-out policy may allow a denial-of-service (VU#170394). Technical details »
• WebEOC is vulnerable to cross-site scripting attacks (VU#138538). Technical details »
• WebEOC contains multiple SQL injection vulnerabilities (VU#372797). Technical details »
• WebEOC implements weak algorithms to encrypt sensitive information (VU#491770). Technical details »
• WebEOC privileges are based on client-side authorization (VU#258834). Technical details »
• WebEOC uses a global shared key (VU#388282). Technical details »