RESOURCES

Thought leaders in information security, we conduct radical, world-changing research and deliver renowned presentations around the world.
Disclosures | ADVISORIES | March 3, 2009

AppleTalk Response Packet Parsing Array Over-indexing Vulnerability

Discovered: 03.03.09. Reported: 03.03.09. Disclosed: 08.05.09. CVE-ID: CVE-2009-2193. The Mac OS X AppleTalk stack contains an array over-indexing vulnerability that, if exploited correctly while AppleTalk is powered on, could lead to a remote system compromise. Even if only partially exploited, it could lead to denial-of-service conditions and cause a kernel panic remotely, effectively shutting down the system.

Launch PDF
Ilja van Sprundel
Disclosures | ADVISORIES | February 4, 2009

Pointer Dereference in OpenSolaris

Reported: 09.29.08. Disclosed: 02.04.09. Patched: 02.05.09. The OpenSolaris kernel exhibits a vulnerability around a userland pointer dereference, and allows both reading from and writing to the kernel.

Launch PDF
Ilja van Sprundel
Disclosures | ADVISORIES | October 31, 2008

QNX ker_msg_sendv System Call Integer Overflow

Discovered: 10.30.08. Reported: 10.30.08. Disclosed: 10.31.08. QNX’s ker_msg_sendv() system call contains an integer overflow that could lead to heap corruption and, if correctly exploited, system compromise. If only partially exploited, this could lead to denial-of-service conditions and kernel panic, effectively shutting down the system.

Launch PDF
Ilja van Sprundel
Disclosures | ADVISORIES | October 21, 2008

DNS TXT Record Parsing Bug in LibSPF2

Reported: 10.20.08. Disclosed: 10.21.08. Researchers discovered a relatively common bug that parses TXT records delivered over DNS-dating back at least to 2002 in Sendmail 8.2.0 and almost certainly much earlier-in LibSPF2. This library retrieves Sender Policy Framework (SPF) records and applies policy according to those records. This implementation flaw allows for relatively flexible memory corruption and should be treated as a path to anonymous remote code execution.

Launch PDF
Dan Kaminsky
Disclosures | ADVISORIES | September 30, 2008

Diskimages-helper band-size Vulnerability

Reported to Vendor: 09.30.08. Patch Released: 04.29.09. CVE ID: CVE-2009-0150. A signed-to-unsigned conversion flaw exists in diskimages-helper when it reads the band-size parameter. When the value specified for the band-size key is changed to a negative number, the diskimages-helper process crashes when the user attempts to log in.

Launch PDF
Tiller Beauchamp
Disclosures | ADVISORIES | August 5, 2008

Multiple Vulnerabilities in Apple’s MobileMe Service

Reported: 08.05.08. Patched: 11.06.08 Disclosed: 11.20.08. Apple’s MobileMe (me.com) web service contains several serious security vulnerabilities. The most critical vulnerability combines cross-site request forgery and cross-site scripting, and allows an attacker to access the service without a valid password.

Launch PDF
Richard van Eeden & Ilja van Sprundel
Disclosures | ADVISORIES | September 20, 2007

Multiple Buffer Overflows in legacy mod_jk2 apache module 2.0.3-DEV and earlier

CVE-2007-6257, VU#245025. Discovered: 05.01.07. Reported: 06.27.07. Disclosed: 09.20.07. A buffer overflow vulnerability exists in the Host Header field of the legacy version of the mod_jk2 apache module (jakata-tomcat-connectors), which allows for remote code execution in the context of the Apache process.

Launch PDF
Josh Betts Jason Larsen & Walter Pearce
Disclosures | ADVISORIES |

Buffer Overflow in Mono BigInteger Montgomery Reduction Method

VU#146292. Discovered: 07.25.07. Reported: 08.24.07. Disclosed: 09.20.07. An exploitable buffer overflow vulnerability exists in the Montgomery reduction method within the Mono Frameworks BigInteger Class (Mono.Math.BigInteger).

Launch PDF
Jason Larsen & Walter Pearce
Disclosures | ADVISORIES | March 26, 2007

Static Microsoft Windows WPAD entries might allow interception of traffic

CVE-2007-1692. Disclosed: 03.26.07. The default configuration of Microsoft Windows uses the Web Proxy Autodiscovery Protocol (WPAD) without static WPAD entries. A remote attacker could leverage this to intercept web traffic by registering a proxy server using WINS or DNS, then responding to WPAD requests.

Read More
Chris Paget

Arm IDA and Cross Check: Reversing the 787’s Core Network

IOActive has documented detailed attack paths and component vulnerabilities to describe the first plausible, detailed public attack paths to effectively reach the avionics network on a 787, commercial airplane from either non-critical domains, such as Passenger Information and Entertainment Services, or even external networks.

ACCESS THE WHITEPAPER


IOACTIVE CORPORATE OVERVIEW (PDF)