Vulnerabilities


The following is a list of the vulnerabilities I have reported during my research on vulnerability discovery.

VLC Media Player

CVE-2014-9625 
Affiliation: University of Goettingen

A heap-based buffer overflow caused by an integer truncation in VLC's automated updater allows remote users to execute arbitrary code on 32 bit installations.

CVE-2014-9626 
Affiliation: University of Goettingen

An integer underflow in the MP4 Demuxer allows a heap-based buffer overflow to be triggered, possibly allowing for arbitrary code execution.
 
CVE-2014-9627
Affiliation: University of Goettingen

An integer truncation on 32 bit platforms in the MP4 Demuxer allows a heap-based buffer overflow to be triggered, possibly allowing for arbitrary code execution.
 
CVE-2014-9628
Affiliation: University of Goettingen

A zero-byte allocation in the MP4 Demuxer allows a heap-based buffer overflow to be triggered, possibly allowing for arbitrary code execution.

CVE-2014-9629 (2 Bugs)
Affiliation: University of Goettingen
joint work with Alwin Maier

Potential heap-based buffer overflows in the Schroedinger and Dirac encoders may allow for arbitrary code execution.

CVE-2014-9630
Affiliation: University of Goettingen
joint work with Alwin Maier

An attacker-controlled stack allocation in the RTP streaming code allows an attacker to cause a denial of service or possibly have other unspecified impact.

CVE-2015-1202
Affiliation: University of Goettingen

An attacker-controlled stack allocation in the SAP service discovery code may allow an attacker to cause a denial of service or possibly have other unspecified impact.

CVE-2015-1203
Affiliation: University of Goettingen

An attacker-controlled stack allocation in the FTP access module may allow an attacker to cause a denial of service or possibly have other unspecified impact.

Linux Kernel

CVE-2013-4511 (2 Bugs)
Affiliation: University of Goettingen
joint work with Nico Golde


Multiple integer overflows in Alchemy LCD frame-buffer drivers in the Linux kernel before 3.12 allow local users to create a read-write memory mapping for the entirety of kernel memory, and consequently gain privileges, via crafted mmap operations, related to the (1) au1100fb_fb_mmap function in drivers/video/au1100fb.c and the (2) au1200fb_fb_mmap function in drivers/video/au1200fb.c.

CVE-2013-4512
Affiliation: University of Goettingen
joint work with Nico Golde


Buffer overflow in the exitcode_proc_write function in arch/um/kernel/exitcode.c in the Linux kernel before 3.12 allows local users to cause a denial of service or possibly have unspecified other impact by leveraging root privileges for a write operation.

CVE-2013-4513
Affiliation: University of Goettingen
joint work with Nico Golde


Buffer overflow in the Linux kernel's driver for Ozmo Devices USB over WiFi devices. A local user could exploit this flaw to cause a denial of service or possibly have unspecified impact.

CVE-2013-4514 (2 Bugs)
Affiliation: University of Goettingen
joint work with Nico Golde


Flaw in the Linux kernel's driver for Agere Systems HERMES II Wireless PC Cards. A local user with the CAP_NET_ADMIN capability could exploit this flaw to cause a denial of service or possibly gain administrative privileges.

CVE-2013-4515
Affiliation: University of Goettingen
joint work with Nico Golde


Flaw in the Linux kernel's driver for Beceem WIMAX chipset based devices. An unprivileged local user could exploit this flaw to obtain sensitive information from kernel memory.

CVE-2013-4516
Affiliation: University of Goettingen
joint work with Nico Golde


Flaw in the Linux kernel's driver for the SystemBase Multi-2/PCI serial card. An unprivileged user could obtain sensitive information from kernel memory.

CVE-2013-6378
Affiliation: University of Goettingen
joint work with Nico Golde


Flaw in the Linux kernel's debugfs filesystem. An administrative local user could exploit this flaw to cause a denial of service (OOPS).

CVE-2013-6380
Affiliation: University of Goettingen
joint work with Nico Golde


Flaw in the Linux kernel's driver for Adaptec AACRAID SCSI RAID devices. A local user could use this flaw to cause a denial of service or possibly have other unspecified impact.

CVE-2013-6381
Affiliation: University of Goettingen
joint work with Nico Golde


Buffer overflow in the qeth_snmp_command function in drivers/s390/net/qeth_core_main.c in the Linux kernel through 3.12.1 allows local users to cause a denial of service or possibly have unspecified other impact via an SNMP ioctl call with a length value that is incompatible with the command-buffer size.

CVE-2013-6382 (2 Bugs)
Affiliation: University of Goettingen
joint work with Nico Golde


Multiple buffer underflows in the XFS implementation in the Linux kernel through 3.12.1 allow local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging the CAP_SYS_ADMIN capability for a (1) XFS_IOC_ATTRLIST_BY_HANDLE or (2) XFS_IOC_ATTRLIST_BY_HANDLE_32 ioctl call with a crafted length value, related to the xfs_attrlist_by_handle function in fs/xfs/xfs_ioctl.c and the xfs_compat_attrlist_by_handle function in fs/xfs/xfs_ioctl32.c.

CVE-2013-6763
Affiliation: University of Goettingen
joint work with Nico Golde


Flaw in the Linux kernel's userspace IO (uio) driver. A local user could exploit this flaw to cause a denial of service (memory corruption) or possibly gain privileges.

CVE-2009-4537
Affiliation: Recurity Labs GmbH

drivers/net/r8169.c in the r8169 driver in the Linux kernel 2.6.32.3 and earlier does not properly check the size of an Ethernet frame that exceeds the MTU, which allows remote attackers to (1) cause a denial of service (temporary network outage) via a packet with a crafted size, in conjunction with certain packets containing A characters and certain packets containing E characters; or (2) cause a denial of service (system crash) via a packet with a crafted size, in conjunction with certain packets containing '\0' characters, related to the value of the status register and erroneous behavior associated with the RxMaxSize register. NOTE: this vulnerability exists because of an incorrect fix for CVE-2009-1389.

CVE-2009-4536
Affiliation: Recurity Labs GmbH

drivers/net/e1000/e1000_main.c in the e1000 driver in the Linux kernel 2.6.32.3 and earlier handles Ethernet frames that exceed the MTU by processing certain trailing payload data as if it were a complete frame, which allows remote attackers to bypass packet filters via a large packet with a crafted payload. NOTE: this vulnerability exists because of an incorrect fix for CVE-2009-1385.

Microsoft Windows

CVE-2009-1926
Affiliation: Recurity Labs GmbH
joint work with Bernhard Brehm

Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 Gold and SP2 allow remote attackers to cause a denial of service (TCP outage) via a series of TCP sessions that have pending data and a (1) small or (2) zero receive window size, and remain in the FIN-WAIT-1 or FIN-WAIT-2 state indefinitely, aka "TCP/IP Orphaned Connections Vulnerability." 

Pidgin

CVE-2013-6483
Affiliation: University of Goettingen
joint work with Christian Wressnegger

The XMPP protocol plugin failed to ensure that iq replies came from the person they were sent to. A remote user could send a spoofed iq reply and attempt to guess the iq id. This could allow an attacker to inject fake data or trigger a null pointer dereference.

CVE-2013-6482 (3 Bugs)
Affiliation: University of Goettingen
joint work with Christian Wressnegger

A malicious server or man-in-the-middle could send Pidgin a specially-crafted SOAP response that results in a NULL pointer dereference. Likewise, a specially-crafted XML response from a malicious server or man-in-the-middle results in a NULL pointer dereference. A malformed Content-Length header could also lead to a NULL pointer dereference.

CVE-2012-2318
Affiliation: University of Goettingen

Incoming messages with certain characters or character encodings can cause clients to crash.

CVE-2010-0277

Certain malformed SLP messages can trigger a crash because the MSN protocol plugin fails to check that all pieces of the message are set correctly.

CVE-2010-0013

The MSN protocol plugin extracts the filename of a custom emoticon from an incoming request and uploads that file without correlating the filename to a valid custom emoticon.

libarchive

CVE-2013-0211
Affiliation: University of Goettingen

Integer signedness error in the archive_write_zip_data function in archive_write_set_format_zip.c in libarchive 3.1.2 and earlier, when running on 64-bit machines, allows context-dependent attackers to cause a denial of service (crash) via unspecified vectors, which triggers an improper conversion between unsigned and signed types, leading to a buffer overflow.

ffmpeg

CVE-2011-4364
Affiliation: Recurity Labs GmbH

Buffer overflow in the Sierra VMD decoder in libavcodec in FFmpeg 0.5.x before 0.5.7, 0.6.x before 0.6.4, 0.7.x before 0.7.9 and 0.8.x before 0.8.8; and in Libav 0.5.x before 0.5.6, 0.6.x before 0.6.4, and 0.7.x before 0.7.3 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted VMD file, related to corrupted streams.

CVE-2012-0947
Affiliation: University of Goettingen
joint work with Markus Lottmann

Heap-based buffer overflow in the vqa_decode_chunk function in the VQA codec (vqavideo.c) in libavcodec in Libav 0.5.x before 0.5.9, 0.6.x before 0.6.6, 0.7.x before 0.7.6, and 0.8.x before 0.8.2 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted VQA media file in which the image size is not a multiple of the block size.

Squid

CVE-2010-0308

A flaw in Squid's DNS client code can lead to a temporary denial of service condition. A truncated ("header-only") DNS reply packet can cause a Squid child process to exit due to an assertion failure in rfc1035NameUnpack (lib/rfc1035.c).
