Buffer overflow - Wikipedia, the free encyclopedia
  Buffer overflows are also a commonly exploited computer security risk — since program control data often sits in the memory areas adjacent to data buffers, by means of a buffer overflow condition, the computer can be made to execute arbitrary (and potentially malicious) code that is fed to the buggy program as data.
  A buffer overflow exploit works by feeding the program specially crafted input content that is designed to overflow the allocated data storage buffer and change the data that follows the buffer in memory.
  In computer programming, a buffer overflow is an anomalous condition where a program somehow writes data beyond the allocated end of a buffer in memory.
http://en.wikipedia.org/wiki/Buffer_overflow
(2528 words)

Ddd
  The heap manager is represented by a set of functions for memory allocation/freeing which are localised in two places: ntdll.dll and ntoskrnl.exe.
  The heap is used by programs to dynamically allocate and free memory blocks that may have longer lifetimes.
  The default heap is used not only by the win32 apps, but also by many runtime library functions which need temporary memory blocks.
http://www.maxpatrol.com/defeating-xpsp2-heap-protection.htm
(2240 words)

LISA '03 Technical Paper
  If a malicious user is able to overflow a dynamically allocated block of memory, that user could overwrite the next contiguous chunk header in memory.
  This paper introduces a heap protection mechanism that increases application security in a way that is nearly transparent to the functioning of applications and is invisible to users.
  A `segfault' entry indicates that the exploit successfully corrupted the heap, but failed to run arbitrary code (note that it might still be possible to change the exploit to gain elevated privileges).
http://www.usenix.org/events/lisa03/tech/full_papers/robertson/robertson_html
(5762 words)

OpenBSD Security
  July 30, 2001: A kernel buffer overflow in the NFS code can be used to execute arbitrary code by users with mount privileges (only root by default).
  Jun 7, 2005: Fix a buffer overflow, memory leaks, and NULL pointer dereference in cvs(1).
  Apr 28, 2005: Fix a buffer overflow, memory leaks, and NULL pointer dereference in cvs(1).
http://www.openbsd.org/security.html
(7053 words)

AntiOnline - Heap-Based Overflows
  Because we only overflowed the buffer by 1 byte (the last byte), the NULL terminator overflows into outputfile.
  The heap is the segmentation of memory that stores any dynamically allocated variables.
  These "cookies" are generated based on the heap header.
http://www.antionline.com/showthread.php?s=&threadid=268653
(2311 words)

BufferOverflow / Internet Security Lectures by Prabhaker Mateti
  This general approach is recommended by the GNU programming guidelines, since it permits programs to handle arbitrarily-sized inputs (until they run out of memory).
  Exceeding array bounds is referred to in security circles as "buffer overflow." These are by far the most common security problems in software.
  Also, since dynamic reallocation may cause memory to be inefficiently allocated, it is entirely possible to run out of memory even though technically there is enough virtual memory available to the program to continue.
http://www.cs.wright.edu/~pmateti/InternetSecurity/Lectures/BufferOverflow
(2833 words)

[No title]
  A lot of the functions appear to be executing from the heap so it was very hard (for me) to track or find information about the functions because the addresses were dynamic.
  A Heap Allocation routine is called only allocating 256 bytes, so when we add a string > 256 the heap structures begin to be overwritten.
  Since this is the first Heap based overflow I've encountered my expertise was not advanced enough to cause this vulnerability to execute code.
http://sh0dan.org/files/domadv.txt
(1031 words)

Cisco Security Advisory: IOS Heap-based Overflow Vulnerability in System Timers
  Successful exploitations of heap-based buffer overflow vulnerabilities in Cisco IOS software often result in a Denial of Service because the exploit causes the router to crash and reload due to inconsistencies in running memory.
  In many cases, a heap-based overflow in Cisco IOS will simply corrupt system memory and trigger a system reload when detected by the "Check Heaps" process, which constantly monitors for such memory corruption.
  Any version of Cisco IOS prior to the versions listed in the Fixed Software table below may be susceptible to heap overflow exploitation.
http://www.cisco.com/warp/public/707/cisco-sa-20051102-timers.shtml
(1923 words)

[No title]
  Searching for the word "heap" on BugTraq (for the archive, see www.geek-girl.com/bugtraq), yields only 40+ matches, whereas "stack" yields 2300+ matches (though several are irrelevant).
  Prerequisites to this article: a general understanding of computer architecture, assembly, C, and stack overflows.
  The downside to exploiting function pointers (and the others to follow) is that they require an executable heap.
http://www.w00w00.org/files/articles/heaptut.txt
(4056 words)

[No title]
  These overflows could be triggered by a specially-crafted TIFF image file, resulting in an application crash and possibly arbitrary code execution.
  Remote exploitation of an integer overflow vulnerability in the smbd daemon included in Samba 2.0.x, Samba 2.2.x, and Samba 3.0.x prior to and including 3.0.9 could allow an attacker to cause controllable heap corruption, leading to execution of arbitrary commands with root privileges.
  The MIT Kerberos 5 administration library (libkadm5srv) contains a heap buffer overflow in password history handling code which could be exploited to execute arbitrary code on a Key Distribution Center (KDC) host.
http://people.freebsd.org/~josef/stuff/vuln.xml
(6293 words)

Microsoft IIS HTR Chunked Encoding heap overflow allows arbitrary code
  Specifically, he could overflow the heap and then overwrite a section of the heap on the server with new program code, revising the functionality of the server software.
  There is another heap overflow condition in the Chunked Encoding data transfer mechanism of Internet Information Server 4.0 and Internet Information Services 5.0.
  These patches address the HTR Chunked Encoding buffer overflow in Microsoft IIS 4.0.
http://securityresponse.symantec.com/avcenter/security/Content/2033.html
(770 words)

Network Security, Vulnerability Assessment, Intrusion Prevention
  The result is a classic, complete heap overwrite, where all contiguous heap memory following the zero-length block is wiped out by arbitrary data.
  The simplest way to manifest this condition is to encode a simple octet string (tag 04h) with a length-of-length set to 4 and a length of 0xFFFFFFFF, which corresponds to the bytes 04h/84h/FFh/FFh/FFh/FFh.
  If DecMemAlloc() succeeds, the calling function then memcpy()'s the value data into the allocated heap buffer, using the original decoded length of the value as the byte count.
http://www.eeye.com/html/Research/Advisories/AD20040210.html
(902 words)

Heap Overflow in Microsoft DirectX May Permit Remote System Compromise
  The eEye advisory includes a sample of the malicious format required for a MIDI file to trigger this vulnerability, as well as a detailed description of ways to exploit the heap overflow.
  ... the vulnerable code tries to allocate a zero-byte block of heap memory.
  ... to copy the string data from the file image into the heap buffer.
http://www.stanford.edu/services/securecomputing/alerts/directx-23jul2003.html
(465 words)

[Full-Disclosure] RE: Windows XP explorer.exe heap overflow.
  A buffer is allocated with the size indicated in the header (no validity checks), then the header is copied into it - if the size is less than the header size, that's one overflow.
  An .emf file with a "total size" field set to less than the header size will cause explorer.exe to crash in the heap routines - in classic heap overflow style that should be exploitable a la the RPC exploits.
  http://www.securityfocus.com/archive/82/50050 -- Michael Wojcik, Principal Software Systems Developer, Micro Focus. -----Original Message----- From: Chris Calabrese [mailto:chris_calabrese at yahoo.com] Sent: Monday, February 23, 2004 4:31 PM To: sunglasses at bay-watch.com; bugtraq at securityfocus.com Subject: Re: Windows XP explorer.exe heap overflow.
http://lists.grok.org.uk/pipermail/full-disclosure/2004-February/017761.html
(837 words)

Windows XP SP2 Said at Risk From Heap Overflow
  "It's important to note that data execution protection and heap overflow protection were never meant to be foolproof; the purpose of these features is to make it more difficult for an attacker to run malicious software on the computer as the result of a buffer overrun," the Microsoft e-mail states.
  Sandboxing protects the stack and the heap memory storage types.
  Microsoft said it is investigating a report from Alexander Anisimov of the Russian security firm Positive Technologies that details how to bypass Windows XP SP2 heap protection to create an attack vector for a buffer overflow attack.
http://www.internetnews.com/security/article.php/3466521
(808 words)

ISS X-Force Database: traceroute-heap-overflow(5311): Traceroute heap overflow
  It may be also possible to exploit this vulnerability to execute arbitrary code on the system and gain local root access.
  Lawrence Berkeley National Laboratory (LBNL) traceroute version 1.4a5, which is installed setuid root in many Linux distributions and Sun Solaris version 2.5.1, is vulnerable to a buffer overflow.
  The information within this database may change without notice.
http://xforce.iss.net/xforce/xfdb/5311
(519 words)

VuXML: cvs pserver remote heap buffer overflow
  Due to a programming error in code used to parse data received from the client, malformed data can cause a heap buffer to overflow, allowing the client to overwrite arbitrary portions of the server's memory.
  A malicious CVS client can exploit this to run arbitrary code on the server at the privilege level of the CVS server software.
http://www.vuxml.org/freebsd/f93be979-a992-11d8-aecc-000d610a3b12.html
(81 words)

O-034: rsync Heap Overflow Vulnerability
  A heap overflow vulnerability has been identified in the rsync open source utility which is a fast remote file copy program.
  While the forensic evidence we have is incomplete, we have pieced together the most likely way that this attack was conducted and we are releasing this advisory as a result of our investigations to date.
  New rsync release: In response we have released a new version of rsync, version 2.5.7.
http://www.ciac.org/ciac/bulletins/o-034.shtml
(879 words)

NSFOCUS Information Technology
  The protocol itself is derived from the Open Software Foundation (OSF) RPC protocol, but with the addition of some Microsoft specific extensions.
  The carefully crafted data then can run arbitrary code on the system with Local System privilege.
  Topic: Microsoft Windows RPC DCOM Interface Heap Overflow Vulnerability
http://www.nsfocus.com/english/homepage/research/0306.htm
(477 words)

portaudit: realplayer -- remote heap overflow
  Exploit 1: To fashion a malicious WAV file to cause a buffer overflow which could have allowed an attacker to execute arbitrary code on a customer's machine.
  Exploit 2: To fashion a malicious SMIL file to cause a buffer overflow which could have allowed an attacker to execute arbitrary code on a customer's machine.
  RealNetworks has received no reports of machines compromised as a result of the now-remedied vulnerabilities.
http://www.freebsd.org/ports/portaudit/c73305ae-8cd7-11d9-9873-000a95bc6fae.html
(174 words)

Meet the future of Windows security exploits - The Register
  Generally, this spurious input is much longer than a program expects, causing code to overflow the buffer and enter parts of a system where it may be subsequently executed.
  He also outlined future cracker strategies involving creating a large number of threads in a multithreaded environment, which make an exploit "80-90 per cent reliable and independent of NT/Win2000/XP version, service pack and hot fix".
  Sloppy programming practices (the root cause of buffer overflow vulnerabilities) give rise to security bugs where arbitrary and malicious code can be injected into a system, through a carefully crafted malformed data entry.
http://www.theregister.co.uk/content/55/23075.html
(444 words)

FrSIRT Advisories - Computer Associates Multiple Products Vet Engine Heap Overflow / Exploit
  This flaw is due to a heap overflow error in the Vet Antivirus engine (VetE.dll) when analyzing the OLE stream and processing malformed VBA macro object headers, which may be exploited by remote attackers to execute arbitrary commands by sending a specially crafted MS Office document to a vulnerable application.
  Multiple vulnerabilities were identified in Sun Java Runtime Environment (JRE) and Software Development Kit (SDK), which could be exploited by remote attackers to place and execute malicious files on a vulnerable system.
http://www.frsirt.com/english/advisories/2005/0596
(242 words)

HNS - Microsoft Windows HtmlHelp .CHM File Heap Overflow Vulnerability
  This value is simple to achieve resulting in a reliable heap exploit using any of the multiple methods now known to exploit heap overflows.
  At this time the EAX and ECX values have been filled with the data used to overwrite the heap, allowing an attacker to write an arbitrary value to a known place.
  The HtmlHelp application (hh.exe) will read a value from a .CHM file and use this as the 'length' parameter in a REPZ MOVSD operation.
http://www.net-security.org/vuln.php?id=3573
(745 words)

CERT Advisory CA-2002-26 Buffer Overflow in CDE ToolTalk
  The Common Desktop Environment (CDE) is an integrated graphical user interface that runs on UNIX and Linux operating systems.
  As further information becomes available, additional advisories will be issued via the normal SGI security information distribution methods including the wiretap mailing list on http://www.sgi.com/support/security/.
  Note that the non-executable stack protection provided by some operating systems will not prevent the execution of code located on the heap.
http://www.cert.org/advisories/CA-2002-26.html
(1332 words)

SecuriTeam.com - Apple QuickTime (QuickTime.qts) Heap Overflow
  The heap block intended to hold the sample-to-chunk table data is allocated with a size equal to (number_of_entries + 2) * 16.
  The code in QuickTime.qts responsible for copying Sample-to-Chunk table entries from the 'stsc' atom data in a QuickTime-format movie into an array allocated on the heap.
  The vulnerability allows a remote attacker to reliably overwrite heap memory with user-controlled data and execute arbitrary code within the SYSTEM context.
http://www.securiteam.com/windowsntfocus/5NP020KCVU.html
(450 words)

FrSIRT - Microsoft Exchange 2000 XEXCH50 Heap Overflow PoC (MS03-046)
  Multiple vulnerabilities were identified in Sun Java Runtime Environment (JRE) and Software Development Kit (SDK), which could be exploited by remote attackers to place and execute malicious files on a vulnerable system.
  Reliably exploiting this bug is non-trivial; even though the entire buffer is binary safe (even nulls) and can be just about any size, the actual code that crashes varies widely with each request.
  #!/usr/bin/perl -w # ms03-046.pl - hdm metasploit com # This vulnerability allows a remote unauthenticated user to overwrite big chunks of the heap used by the inetinfo.exe process.
http://www.frsirt.com/exploits/10.22.ms03-046.pl.php
(304 words)

Gentoo Linux Documentation -- OpenOffice.Org: DOC document Heap Overflow
  An attacker could design a malicious DOC document containing a specially crafted header which, when processed by OpenOffice.Org, would result in the execution of arbitrary code with the rights of the user running the application.
  OpenOffice.org is an office productivity suite, including word processing, spreadsheets, presentations, drawings, data charting, formula editing, and file conversion facilities.
  OpenOffice.Org is vulnerable to a heap overflow when processing DOC documents, which could lead to arbitrary code execution.
http://security.gentoo.org/glsa/glsa-200504-13.xml
(218 words)

Application Security Inc. - Securing Business by Securing Enterprise Applications
  This causes a heap corruption in the server process allowing arbitrary memory to be overwritten and can lead to arbitrary code execution.
  When using this function the buffer is copied by the kernel from the client process to the server process memory ignoring the buffer size restriction which the server process set when calling NtCreatePort (the native API used to create LPC ports).
http://www.appsecinc.com/resources/alerts/general/07-0001.html
(236 words)

[No title]
  On Unix & Linux the Web Cache process normally is running as user ORACLE and in a successful exploitation of the vulnerability a complete compromise of the data may be possible.
  From RFC 2616 valid values for the HTTP Request Method are GET, HEAD, POST, PUT, DELETE, TRACE, CONNECT.
  These ports are configured by the administrator of the system and in real world installations they become the well known ports 80 and 443 and they are available through the firewall to all.
http://www.inaccessnetworks.com/ian/services/secadv01.txt
(593 words)

US-CERT Vulnerability Note VU#842160
  Publicly available exploit code uses JavaScript to prepare the heap by allocating memory with blocks that consist of NOP slides and shell code.
  Do not click on unsolicited URLs received in email, instant messages, web forums, or internet relay chat (IRC) channels.
  Without the ability to prepare the heap (i.e., without Active scripting), it becomes more difficult for the attacker to execute arbitrary code.
http://www.kb.cert.org/vuls/id/842160
(542 words)

[No title]
  CESA-2004-004 - rev 3 http://scary.beasts.org/security/CESA-2004-004.txt qt 3.3.2 BMP parser heap overflow error. Programs: qt, and any programs which use qt to decode BMP files.
  Severity: Possible compromise of account used to browse malicious BMP files.
http://scary.beasts.org/security/CESA-2004-004.txt
(115 words)

US-CERT Vulnerability Note VU#192038
  When processing an entry line, an additional byte of memory is allocated to flag the entry as modified or unchanged.
  There is a failure to check if a byte has been previously allocated for the flag, which creates an off-by-one buffer overflow.
  A heap overflow vulnerability in the Concurrent Versions System (CVS) could allow a remote attacker to execute arbitrary code on a vulnerable system.
http://www.kb.cert.org/vuls/id/192038
(425 words)

Kaspersky in heap-based buffer overflow vulnerability - TG Daily
  This security defect might be exploited to allow arbitrary code execution when a malicious CAB archive is scanned, thereby compromising vulnerable systems.
  The bug - unearthed by security researcher Alex Wheeler - involves a heap-based buffer overflow vulnerability related to the processing of malformed CAB archives.
http://www.tomshardware.com/hardnews/20051004_165258.html
(374 words)

[No title]
  In two versions of it (one using the netpbm library and one not), critical security vulnerabilities exist.
  This vulnerability leads to a heap overflow on reading the base data of a pmn file.
  Local exploitation of a heap overflow and an integer overflow in GOCR could allow an attacker to execute arbitrary code.
http://www.packetstormsecurity.org/0504-advisories/gocr_png_overflow.txt
(375 words)

Microsoft Security Bulletin MS03-008
  An attacker who successfully exploited this vulnerability could cause code of his or her choice to be executed as though it originated on the local machine.
  The vulnerability is caused by a heap overflow in the Windows Script Engine for the JScript scripting language, JScript.dll.
  Scripting languages can be used to add additional functionality to HTML web pages or operating systems.
http://www.microsoft.com/technet/security/bulletin/MS03-008.asp
(2162 words)

Gentoo Linux Documentation -- neon heap-based buffer overflow
  Stefan Esser discovered a vulnerability in the code of the neon library: if a malicious date string is passed to the ne_rfc1036_parse() function, it can trigger a string overflow into static heap variables.
  Depending on the application linked against libneon and when connected to a malicious WebDAV server, this vulnerability could allow execution of arbitrary code with the rights of the user running that application.
  A vulnerability potentially allowing remote execution of arbitrary code has been discovered in the neon library.
http://www.gentoo.org/security/en/glsa/glsa-200405-13.xml
(148 words)

CVE-2004-0209 (under review)
  BUGTRAQ:20041019 [EXPL] (MS04-032) Microsoft Windows XP Metafile (.emf) Heap Overflow
  Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities.
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0209
(140 words)

Gain root remotely : Tinyproxy heap overflow
  Solution : if you are using tinyProxy, then upgrade to version 1.3.3a, or else
  Bugtraq: 20010117 [pkc] remote heap overflow in tinyproxy (Google Search)
http://www.securityspace.com/smysecure/catid.html?id=10596
(112 words)

[No title]
  Background: ImageMagick is a free software suite to create, edit, and compose bitmap images.
  If image->colors*sizeof(PixelPacket) bytes are not enough for it, heap structures are overflowed.
  We cannot control the contents of this buffer, so execution of arbitrary code is very difficult or impossible, but we can crash it in an easy way.
http://www.overflow.pl/adv/imheapoverflow.txt
(258 words)

[No title]
  A reliable arbitrary dword overwrite is possible, and it is trivial to exploit this flaw.
  Details: When initialising the Heartbeat control in a webpage, there are several parameters which must be set to access the functionality within the control, such as urls and filenames.
  When providing an overly long string for the SetupData parameter, a heap based buffer overflow occurs.
http://www.ngssoftware.com/advisories/heartbeatfull.txt
(190 words)

Secunia - Advisories - Symantec Multiple Products UPX Parsing Engine Buffer Overflow
  The vulnerability is caused due to a boundary error in the DEC2EXE parsing engine used by the antivirus scanning functionality when processing UPX compressed files.
  This can be exploited to cause a heap-based buffer overflow via a specially crafted UPX file.
  - Symantec AntiVirus Scan Engine Administrative Interface Buffer Overflow
http://secunia.com/advisories/14179
(581 words)

[No title]
  There are no known exploits in the wild at the time of this advisory.
  Subversion versions up to and including 1.0.4 have a potential Denial of Service and Heap Overflow issue related to the parsing of strings in the 'svn://' family of access protocols.
  Additionally, if the size given is large enough it may cause the integer holding the size to wrap, thus allocating less memory than the string length and resulting in a heap overflow.
http://subversion.tigris.org/security/CAN-2004-0413-advisory.txt
(303 words)

MFSA 2005-15: Heap overflow possible in UTF8 to Unicode conversion
  Exploitability would depend on the attacker's ability to get the string into the buggy converter.
  It is possible for a UTF8 string with invalid sequences to trigger a heap overflow of converted Unicode data.
http://www.mozilla.org/security/announce/mfsa2005-15.html
(110 words)

dBforums - Sporadic Heap Overflow Error
  This means your program has run out of (heap) memory.
  Help would be very much appreciated cause I'm stumped!
http://www.dbforums.com/t385132.html
(756 words)

Gentoo: MPlayer Two heap overflow vulnerabilities - The Community's Center for Security
  Impact: By setting up a malicious server and enticing a user to use its streaming data, a remote attacker could possibly execute arbitrary code on the client computer with the permissions of the user running MPlayer.
  = 1.0_pre6-r4 Description: Heap overflows have been found in the code handling RealMedia RTSP and Microsoft Media Services streams over TCP (MMST).
http://www.linuxsecurity.com/content/view/118924
(272 words)

O-147: Linux CVS Server Heap Overflow Vulnerability
  For the stable distribution (woody) this problem has been fixed in version 1.11.1p1debian-9woody4.
  The server that runs the Concurrent Versions System, a version control system that is used to manage source code repositories, contains a heap overflow.
  Malformed "Entry" Lines in combination with Is-modified and Unchanged may be used to overflow memory.
http://www.ciac.org/ciac/bulletins/o-147.shtml
(356 words)