latest news
blog posts

Oracle WebCenter information exposure vulnerability

census ID:census-2014-0001
CVE ID:CVE-2014-0450
Oracle Tracking #:S0388414 (CPUApr2014)
Affected Products:Oracle Fusion Middleware (versions 11.1.1.7 and 11.1.1.8)
Class:Information Exposure (CWE-200), Privacy Violation (CWE-359)
Remote:Yes
Discovered by:Alex Zaharis
Researched by:Alex Zaharis, Patroklos Argyroudis

The Oracle WebCenter portal component in Oracle Fusion Middleware (versions 11.1.1.7 and 11.1.1.8) is vulnerable to an information exposure vulnerability. A malicious user may utilize this vulnerability to gain unauthenticated access to the list of valid usernames of the system, the users’ personal information and files linked to the users’ profiles.

 read more...

Netvolution referer header SQL injection vulnerability

census ID:census-2011-0001
CVE ID:CVE-2011-3340
Affected Products:Netvolution v2.5.8 (ASP). Other versions may also be vulnerable.
Class:Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) (CWE-89)
Remote:Yes
Discovered by:Patroklos Argyroudis
Researched and Exploited by:Dimitris Glynos

Netvolution v2.5.8 is vulnerable to a blind SQL injection attack in the HTTP “referer” header. A malicious user may utilize this vulnerability to modify content on the vulnerable website, inject malicious javascript code to a visitor’s browser, collect CMS usernames and plaintext passwords and, in some cases, execute commands on the system hosting the database server. This is a critical vulnerability since it does not require authentication and its exploitation may go undetected.

 read more...

FreeBSD kernel NFS client local vulnerabilities

census ID:census-2010-0001
CVE ID:CVE-2010-2020
Affected Products:FreeBSD 8.0-RELEASE, 7.3-RELEASE, 7.2-RELEASE
Class:Improper Input Validation (CWE-20)
Remote:No
Discovered by:Patroklos Argyroudis

We have discovered two improper input validation vulnerabilities in the FreeBSD kernel’s NFS client-side implementation (FreeBSD 8.0-RELEASE, 7.3-RELEASE and 7.2-RELEASE) that allow local unprivileged users to escalate their privileges, or to crash the system by performing a denial of service attack.

 read more...

Monkey HTTPd improper input validation vulnerability

census ID:census-2009-0004
Affected Products:Monkey web server versions ≤ 0.9.2.
Class:Improper Input Validation (CWE-20), Incorrect Calculation (CWE-682)
Remote:Yes
Discovered by:Patroklos Argyroudis

We have discovered a remotely exploitable “improper input validation” vulnerability in the Monkey web server that allows an attacker to perform denial of service attacks by repeatedly crashing worker threads that process HTTP requests.

 read more...

CoreHTTP web server off-by-one buffer overflow vulnerability

census ID:census-2009-0003
CVE ID:CVE-2009-3586
Affected Products:CoreHTTP web server versions ≤ 0.5.3.1.
Class:Improper Input Validation (CWE-20), Failure to Constrain Operations within the Bounds of a Memory Buffer (CWE-119)
Remote:Yes
Discovered by:Patroklos Argyroudis

We have discovered a remotely exploitable “improper input validation” vulnerability in the CoreHTTP web server that leads to an off-by-one stack buffer overflow. The vulnerability can lead to denial of service attacks against the web server and potentially to the remote execution of arbitrary code with the privileges of the user running the server.

 read more...

Linux kernel SUNRPC off-by-two buffer overflow

census ID:census-2009-0005
Affected Products:Linux kernel versions from 2.6.32 to 2.6.32-rc7.
Class:Off-by-two stack buffer overflow.
Discovered by:Patroklos Argyroudis

We have found an off-by-two stack buffer overflow in the Linux kernel SUNRPC implementation. Linux kernel versions from 2.6.32 to 2.6.32-rc7 are affected.

 read more...

gif2png command line buffer overflow

census ID:census-2009-0006
CVE ID:CVE-2009-5018
Affected Products:gif2png versions ≤ 2.5.1.
Class:Improper Input Validation (CWE-20), Failure to Constrain Operations within the Bounds of a Memory Buffer (CWE-119)
Remote:Yes (when gif2png is used by CGI programs)
Discovered by:Patroklos Argyroudis

We have discovered an “improper input validation” vulnerability in the gif2png utility that leads to a stack buffer overflow.

 read more...

CVE-2008-3531: FreeBSD kernel stack overflow exploit development

About four months ago I developed a reliable exploit for vulnerability CVE-2008-3531, which is also addressed in the advisory FreeBSD-SA-08:08.nmount. In this post I will use this vulnerability to provide an overview of the development process for FreeBSD kernel stack exploits.

CVE-2008-3531 is a kernel stack overflow vulnerability that affects FreeBSD versions 7.0-RELEASE and 7.0-STABLE, but not 7.1-RELEASE nor 7.1-STABLE as the CVE entry seems to suggest.

 read more...

Rasterbar libtorrent arbitrary file overwrite vulnerability

census ID:census-2009-0002
CVE ID:CVE-2009-1760
Affected Products:Any application that uses the Rasterbar Software libtorrent library (versions ≤ 0.14.3) for BitTorrent file downloads.
Class:Relative Path Traversal (CWE-23), Improper Handling of Syntactically Invalid Structure (CWE-228)
Remote:Yes
Discovered by:Dimitris Glynos

We have discovered an “arbitrary file overwrite” vulnerability in libtorrent that allows an attacker to create and modify arbitrary files (and directories) in remote systems, with the effective rights of the user executing the vulnerable libtorrent-based application.

 read more...