exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 1 - 19 of 19 RSS Feed

Files from Logan Brown

First Active2010-08-26
Last Active2011-06-16
Adobe Shockwave dirapi.dll rcsL Chunk Parsing Remote Code Execution
Posted Jun 16, 2011
Authored by Aaron Portnoy, Logan Brown | Site tippingpoint.com

A vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the Adobe Shockwave Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the rcsL chunk inside Adobe's RIFF-based Director file format. The code within the dirapi.dll does not properly validate substructure elements before using them to manipulate memory. This can lead to memory corruption which can be leveraged to execute arbitrary code under the context of the user running the browser.

tags | advisory, remote, arbitrary
advisories | CVE-2011-0335
SHA-256 | 2e9a419ed0169c3cc6d9ce5d2e301542d14e6febbed1409f4b43cadd505ed726
Adobe Shockwave Lnam Chunk Parsing Remote Code Execution
Posted Jun 16, 2011
Authored by Aaron Portnoy, Logan Brown | Site tippingpoint.com

A vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the Adobe Shockwave Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the Lnam chunk inside Adobe's RIFF-based Director file format. The code within the IML32.dll does not properly validate certain fields before using them to calculate sizes used for later memory copy operations. This can lead to memory corruption which can be leveraged to execute arbitrary code under the context of the user running the browser.

tags | advisory, remote, arbitrary
advisories | CVE-2011-2116
SHA-256 | bbf4794eaa3e7dac2a4e188e4b0d7f002bdca57bfa15469360277fa9c43b6388
Adobe Shockwave iml32.dll DEMX Chunk GIF Parsing Remote Code Execution
Posted Jun 16, 2011
Authored by Aaron Portnoy, Logan Brown | Site tippingpoint.com

A vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the Adobe Shockwave Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the DEMX chunk inside Adobe's RIFF-based Director file format. The code within the IML32.dll does not properly parse GIF images. This can lead to memory corruption which can be leveraged to execute arbitrary code under the context of the user running the browser.

tags | advisory, remote, arbitrary
advisories | CVE-2011-2111
SHA-256 | c47310fe30f191a9103f8e515efc87c64abc3fda48eef04760d8f44811c9acf7
Adobe Shockwave iml32.dll CSWV Chunk Parsing Remote Code Execution
Posted Jun 16, 2011
Authored by Aaron Portnoy, Logan Brown | Site tippingpoint.com

A vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the Adobe Shockwave Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the CSWV chunk inside Adobe's RIFF-based Director file format. When handling certain substructures, the code does not properly ensure arithmetic operations will not exceed expected values. By crafting a file with certain values this can be abused to cause memory corruption which can be leveraged to execute arbitrary code under the context of the user running the browser.

tags | advisory, remote, arbitrary
advisories | CVE-2011-2111
SHA-256 | 571feb1825f4622c650c40c41542ffaf034e7af778679c7b4017b6aa04abb738
Adobe Shockwave iml32.dll CSWV Chunk Byte Array Parsing Remote Code Execution
Posted Jun 16, 2011
Authored by Aaron Portnoy, Logan Brown | Site tippingpoint.com

A vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the Adobe Shockwave Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the CSWV chunk inside Adobe's RIFF-based Director file format. The code within the IML32.dll does not properly parse byte arrays. This can lead to memory corruption which can be leveraged to execute arbitrary code under the context of the user running the browser.

tags | advisory, remote, arbitrary
advisories | CVE-2011-2111
SHA-256 | 748756cafb988b739c34fb1ba4c6edc71ac0e185dcae11850a3d7e074abe01cc
Adobe Shockwave PFR1 Font Chunk Parsing Remote Code Execution
Posted Feb 10, 2011
Authored by Luigi Auriemma, Aaron Portnoy, Logan Brown | Site tippingpoint.com

A vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the Adobe Shockwave Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the code responsible for parsing font structures within Director files. While processing data within the PFR1 chunk, the process trusts a size value and compares a sign-extended counter against it within a copy loop. By providing a sufficiently large value, this flaw can be abused by a remote attacker to execute arbitrary code under the context of the user running the browser.

tags | advisory, remote, arbitrary
advisories | CVE-2010-0569
SHA-256 | 4d5ada7d22be428a2d78618407bc4f18c600a32d6c297d355b0ddcd166035cde
Adobe Shockwave Font Xtra String Decoding Remote Code Execution
Posted Feb 10, 2011
Authored by Logan Brown | Site tippingpoint.com

A vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the Adobe Shockwave Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the Font Xtra.x32 asset module responsible for parsing font structures within Director movie files (.dir). When parsing data within the PFR1 chunk, the process implicitly sign-extends a 16-bit size value and seeks pointers accordingly. It then operates upon the data it has reached which can be abused by an attacker to corrupt memory and subsequently execute arbitrary code under the context of the user running the browser.

tags | advisory, remote, arbitrary
advisories | CVE-2011-0556
SHA-256 | 4e0acccb7d07905c2a7f565814201ce12c01a15abc149ccc9f479bee2775e0f7
Adobe Shockwave TextXtra Invalid Seek Remote Code Execution
Posted Feb 9, 2011
Authored by Logan Brown | Site tippingpoint.com

A vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Adobe Shockwave. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the code responsible for parsing a DEMX RIFF chunk within Director files. The logic within the TextXtra.x32 module fails to account for a specific condition and can be made to misallocate a buffer on the heap. By crafting specific values within DEMX substructures an attacker can corrupt memory leading to arbitrary code execution under the context of the user running the browser.

tags | advisory, remote, arbitrary, code execution
advisories | CVE-2011-0555
SHA-256 | 797bf403a4b513b396d26d36df0149d489cb9d807a1b1014511eb72dfabca1fd
Adobe Shockwave dirapi.dll IFWV Trusted Offset Remote Code Execution
Posted Feb 9, 2011
Authored by Aaron Portnoy, Logan Brown | Site tippingpoint.com

A vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the Adobe Shockwave Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the DIRAPI.dll module distributed with the player. While parsing a director movie (.dir or .dcr) the code trusts the specified size of the IFWV chunk and uses it within a calculation to determine another offset within the file. By setting it to 0, the code jumps to the wrong location within the file. While parsing data at the new location, the code uses a value as a loop counter. Within the loop, the code copies data to a heap buffer. By crafting a file with a large enough size, this loop can be forced to corrupt memory. A remote attacker can abuse this logic to execute arbitrary code under the context of the user running the application.

tags | advisory, remote, arbitrary
advisories | CVE-2010-4188
SHA-256 | 7040bca9eccf6a2f720afeeef790fed7dd9623170dc56e8f376e1c3cd7629549
RealNetworks RealPlayer MDPR Chunk Size Remote Code Execution
Posted Dec 10, 2010
Authored by Aaron Portnoy, Logan Brown | Site tippingpoint.com

A vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of RealNetworks RealPlayer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within RealPlayer's handling of Internet Video Recording (.ivr) files. While parsing the MLTI chunk the process trusts the field responsible for denoting the size of an embedded MDPR chunk. By modifying this value in an IVR file an attacker can force a misallocation on the heap. The process can then be made to write past the bounds of the buffer, corrupting memory. This can be leveraged to execute arbitrary code under the context of the user invoking RealPlayer.

tags | advisory, remote, arbitrary
advisories | CVE-2010-4390
SHA-256 | ef22d184b5a4a171517add373ae6dc8fd3d072df971cf7a90421dcccf5664ddc
RealNetworks RealPlayer MLTI Stream Number Remote Code Execution
Posted Dec 10, 2010
Authored by Aaron Portnoy, Logan Brown | Site tippingpoint.com

A vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of RealNetworks RealPlayer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within RealPlayer's handling of Internet Video Recording (.ivr) files. While parsing the MLTI chunk the process trusts the field responsible for denoting the number of streams within the chunk. By modifying this value in an IVR file, an attacker can force a processing loop to overrun and corrupt heap memory. This can be abused to execute arbitrary code under the context of the user invoking RealPlayer.

tags | advisory, remote, overflow, arbitrary
advisories | CVE-2010-4390
SHA-256 | 6ed8ef7f4d23f0fee569702d8aba5ef2ba635dcf17e9a56a9b184e9acc1c3004
RealNetworks RealPlayer SIPR Stream Frame Dimensions Remote Code Execution
Posted Dec 10, 2010
Authored by Aaron Portnoy, Logan Brown, Zef Cekaj | Site tippingpoint.com

A vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of RealNetworks RealPlayer. Authentication is not required to exploit this vulnerability. The specific flaw exists within the drv1.dll module. Code responsible for parsing SIPR stream metadata trusts frame width and height values from the input file. By crafting particular values an integer value used in a loop can be made to wrap negatively. The loop will subsequently overflow a static heap buffer during an inline memory copy. By crafting a malicious .rm file an attacker can exploit this vulnerability remotely using the RealPlayer ActiveX control.

tags | advisory, remote, overflow, arbitrary, activex
advisories | CVE-2010-4385
SHA-256 | 9008fd6701a36aedb79d1920596baf54f3e5c2c61a1f4933ad72ba730297ce9a
Adobe Shockwave Director mmap Trusted Chunk Size Remote Code Execution
Posted Aug 26, 2010
Authored by Aaron Portnoy, Logan Brown | Site dvlabs.tippingpoint.com

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Adobe Shockwave. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the DIRAPIX module responsible for parsing the RIFF-based Director file format. When handling the mmap chunk, the process trusts the chunk size immediately following the fourCC value. It is passed to Ordinal1111 exported by the IML32X module which is responsible for allocating a heap buffer for processing the rest of the chunk. If an incorrect size is provided, later memory copies can corrupt data beyond the allocated buffer. This can be abused to execute remote code under the context of the user running the web browser.

tags | advisory, remote, web, arbitrary
advisories | CVE-2010-2870
SHA-256 | 81e8ba67b1a1a3b42dc58319b1e12d7d52164ce3c75ee9898b373eeafb8c25bb
Adobe Shockwave Director rcsL Chunk Pointer Offset Remote Code Execution
Posted Aug 26, 2010
Authored by Aaron Portnoy, Logan Brown | Site dvlabs.tippingpoint.com

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Adobe Shockwave Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the code responsible for parsing the Director RIFF based file format. While handling the rcsL chunk, code within DIRAPIX sign-extends a return value from a call to Ordinal1412 within the IML32X module. This ordinal is responsible for unmarshalling a WORD value from the RIFF chunk. If the value is signed, DIRAPIX sign-extends the value, performs arithmetic on it, and then proceeds to use it as an offset into a heap-based buffer. By supplying any of a specific range of values, an attacker can exploit this condition to execute arbitrary code under the context of the user running the web browser.

tags | advisory, remote, web, arbitrary
advisories | CVE-2010-2867
SHA-256 | 30cb2f82be6c676e63922c615a0975be22d1d18506ac69ee4d34ce74e69e3142
Adobe Shockwave Director tSAC Chunk Remote Code Execution
Posted Aug 26, 2010
Authored by Aaron Portnoy, Logan Brown | Site dvlabs.tippingpoint.com

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Adobe Shockwave player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the code responsible for parsing Director's RIFF-based file format. While parsing the tSAC chunk, the DIRAPI module does not properly verify the signedness of a count value within an undocumented structure. By providing a large enough negative value a pointer can be miscalculated leading to memory corruption. This can be exploited by a remote attacker to execute arbitrary code under the context of the user running the web browser.

tags | advisory, remote, web, arbitrary
advisories | CVE-2010-2866
SHA-256 | 86a222ba1e8cbc3a092252acfbbfd4d5af69f70800dc8b82c9dfe26831862381
Adobe Shockwave TextXtra Allocator Integer Overflow Remote Code Execution
Posted Aug 26, 2010
Authored by Aaron Portnoy, Logan Brown, Team Montreal Hotties | Site dvlabs.tippingpoint.com

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Adobe Shockwave Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists due to a faulty allocation routine within the TextXtra.x32 module. This allocator allocates a buffer on the heap based on arithmetic involving a number of elements and a size of an individual element. As the fields come from the file, if either of them are large enough, the value used for the number of bytes to allocate can be made to overflow. As the return value is rarely checked any caller of this function can usually be made to overflow the returned buffer with user-supplied data. An attacker can leverage this to execute remote code under the context of the user running the browser.

tags | advisory, remote, overflow, arbitrary
advisories | CVE-2010-2879
SHA-256 | 4a81213c5116b85cea84b6f555ccca604792fb22767b6dc4fdeb0994c35e2ed6
Adobe Shockwave tSAC Chunk Pointer Offset Memory Corruption Remote Code Execution
Posted Aug 26, 2010
Authored by Aaron Portnoy, Logan Brown, Team lollersk8erz | Site dvlabs.tippingpoint.com

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Adobe Shockwave Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within DIRAPIX.dll which is responsible for parsing the Director movies, a RIFF-based file format. The code sign-extends a value from the input file and uses it as an offset to seek into a heap buffer before performing a write operation. By crafting particular values for this field, an attacker can force the process to seek beyond the allocated bounds of the buffer. This can be leveraged by an attacker to execute arbitrary code under the context of the user running the web browser.

tags | advisory, remote, web, arbitrary
advisories | CVE-2010-2874
SHA-256 | a5b00042c264d908492a78e03e2b000c4d556668645f8023c4c9840bbe65d7af
Adobe Shockwave tSAC Chunk Invalid Seek Memory Corruption Remote Code Execution
Posted Aug 26, 2010
Authored by Aaron Portnoy, Logan Brown, Team lollersk8erz | Site dvlabs.tippingpoint.com

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Adobe Shockwave Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within DIRAPIX.dll which is responsible for parsing the Director movies, a RIFF-based file format. The code directly uses a value from the file while seeking into a heap buffer. The process then attempts to write a NULL byte to the seeked address. By specifying a large enough value for this field, an attacker can force the process to seek beyond the allocated bounds of the buffer. This can be leveraged by an attacker to execute arbitrary code under the context of the user running the web browser.

tags | advisory, remote, web, arbitrary
advisories | CVE-2010-2878
SHA-256 | 434a38f35c1ac47096e5844b388206de10edb7761328457c75b27d8e27b0ba9d
Adobe Shockwave CSWV Chunk Memory Corruption Remote Code Execution
Posted Aug 26, 2010
Authored by Aaron Portnoy, Logan Brown, Team lollersk8erz | Site dvlabs.tippingpoint.com

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Adobe Shockwave Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within IML32X.dll and DIRAPIX.dll which are responsible for parsing the Director movies, a RIFF-based file format. The code trusts a value from the file as a count and performs an endian-flipping loop on data in heap memory. If the value is large enough the process can be made to seek outside the bounds of the allocation and thus corrupt memory in a controlled fashion. This can be leveraged by an attacker to execute arbitrary code under the context of the user running the web browser.

tags | advisory, remote, web, arbitrary
advisories | CVE-2010-2877
SHA-256 | faf8a920a8245da335a891be6f9204c81adce0ab5f1ccbafaff30a2ab25425e5
Page 1 of 1
Back1Next

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close