| census ID: | census-2012-0001 |
| CVE ID: | CVE-2012-1257 |
| Affected Products: | libpurple (all versions), libpurple clients with DBUS support (incl. all versions of pidgin), pidgin-otr (all versions) |
| Class: | Information Exposure (CWE-200), Privacy Violation (CWE-359), Information Exposure Through Sent Data (CWE-201) |
| Remote: | No |
| Discovered by: | Dimitris Glynos |
libpurple-based applications broadcast the plaintext of OTR (off-the-record) conversations over DBUS.
This makes the plaintext available to other (possibly unrelated) applications executing under the same
user. Also, due to a design flaw in libpurple, the user’s choice of not logging OTR plaintext on Pidgin is not communicated over to the third party applications listening on DBUS. This may lead to unintentional (on disk) logging of private messages.
read more...
| census ID: | census-2010-0001 |
| CVE ID: | CVE-2010-2020 |
| Affected Products: | FreeBSD 8.0-RELEASE, 7.3-RELEASE, 7.2-RELEASE |
| Class: | Improper Input Validation (CWE-20) |
| Remote: | No |
| Discovered by: | Patroklos Argyroudis |
We have discovered two improper input validation vulnerabilities in the FreeBSD kernel’s NFS client-side implementation (FreeBSD 8.0-RELEASE, 7.3-RELEASE and 7.2-RELEASE) that allow local unprivileged users to escalate their privileges, or to crash the system by performing a denial of service attack.
read more...
In my recent Black Hat Europe 2010 talk I gave an overview of the kernel exploitation prevention mechanisms that exist on FreeBSD. A few people at the conference have subsequently asked me to elaborate on the subject. In this post I will collect all the information from my talk and the various discussions I had in the Black Hat conference hallways.
read more...
This article is a followup to our last year’s advisory on canary randomisation for applications of the Debian distribution.
I was recently asked what the currently employed method is for canary randomisation in SSP-armoured Linux applications. I’ve been meaning to write an article on this for some time now, but didn’t have the necessary time. So here it is (albeit a little late).
read more...
| census ID: | census-2009-0004 |
| Affected Products: | Monkey web server versions ≤ 0.9.2. |
| Class: | Improper Input Validation (CWE-20), Incorrect Calculation (CWE-682) |
| Remote: | Yes |
| Discovered by: | Patroklos Argyroudis |
We have discovered a remotely exploitable “improper input validation” vulnerability in the Monkey web server that allows an attacker to perform denial of service attacks by repeatedly crashing worker threads that process HTTP requests.
read more...
| census ID: | census-2009-0003 |
| CVE ID: | CVE-2009-3586 |
| Affected Products: | CoreHTTP web server versions ≤ 0.5.3.1. |
| Class: | Improper Input Validation (CWE-20), Failure to Constrain Operations within the Bounds of a Memory Buffer (CWE-119) |
| Remote: | Yes |
| Discovered by: | Patroklos Argyroudis |
We have discovered a remotely exploitable “improper input validation” vulnerability in the CoreHTTP web server that leads to an off-by-one stack buffer overflow. The vulnerability can lead to denial of service attacks against the web server and potentially to the remote execution of arbitrary code with the privileges of the user running the server.
read more...
| census ID: | census-2009-0005 |
| Affected Products: | Linux kernel versions from 2.6.32 to 2.6.32-rc7. |
| Class: | Off-by-two stack buffer overflow. |
| Discovered by: | Patroklos Argyroudis |
We have found an off-by-two stack buffer overflow in the Linux kernel SUNRPC implementation. Linux kernel versions from 2.6.32 to 2.6.32-rc7 are affected.
read more...
| census ID: | census-2009-0006 |
| CVE ID: | CVE-2009-5018 |
| Affected Products: | gif2png versions ≤ 2.5.1. |
| Class: | Improper Input Validation (CWE-20), Failure to Constrain Operations within the Bounds of a Memory Buffer (CWE-119) |
| Remote: | Yes (when gif2png is used by CGI programs) |
| Discovered by: | Patroklos Argyroudis |
We have discovered an “improper input validation” vulnerability in the gif2png utility that leads to a stack buffer overflow.
read more...
About four months ago I developed a reliable exploit for vulnerability
CVE-2008-3531, which is also addressed in the advisory
FreeBSD-SA-08:08.nmount. In this post I will use this vulnerability to provide an overview of the development process for FreeBSD kernel stack exploits.
CVE-2008-3531 is a kernel stack overflow vulnerability that affects FreeBSD versions 7.0-RELEASE and 7.0-STABLE, but not 7.1-RELEASE nor 7.1-STABLE as the CVE entry seems to suggest.
read more...
| census ID: | census-2009-0002 |
| CVE ID: | CVE-2009-1760 |
| Affected Products: | Any application that uses the Rasterbar Software libtorrent library (versions ≤ 0.14.3) for BitTorrent file downloads. |
| Class: | Relative Path Traversal (CWE-23), Improper Handling of Syntactically Invalid Structure (CWE-228) |
| Remote: | Yes |
| Discovered by: | Dimitris Glynos |
We have discovered an “arbitrary file overwrite” vulnerability in libtorrent that allows an
attacker to create and modify arbitrary files (and directories) in remote systems, with the effective rights of the user executing the vulnerable libtorrent-based application.
read more...
