Factbites

Topic: Heap overflow


  
 [No title]
Note: One argument is that the presentation of a "heap-based overflow" is equivalent to a "stack-based overflow" presentation.
Heap and Data/BSS Sections
The heap is an area in memory that is dynamically allocated by the application.
heap offset method: offset from the top of the heap to the estimated address of the target/overflow buffer (requiring an executable heap)
Note: There is a greater probability of the heap being executable than the stack on any given system.
www.w00w00.org /files/articles/heaptut.txt   (4056 words)
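The layout the w00w00 tutorial reasons about, an overflow buffer with a trusted target a known offset past it, is easiest to see in code. The following is an added example, not code from the tutorial or from any page quoted here. It models both objects inside one calloc'd region so the offset to the target is fixed and the result is deterministic (an assumption of the model; on a real heap they would be two allocations the allocator happened to place back to back). The file names and the attacker input are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Layout of the modelled heap region (an assumption of this example, not any
 * real program's): an attacker-filled buffer followed at a fixed offset by a
 * trusted string the program later uses as a file name. */
#define BUF_LEN        16
#define PATH_LEN       32
#define TARGET_OFFSET  BUF_LEN                /* the tutorial's "heap offset" to the target */
#define REGION_LEN     (BUF_LEN + PATH_LEN)

/* Vulnerable copy: the length comes from the caller, nothing bounds it to BUF_LEN. */
static void copy_unchecked(char *buf, const char *src, size_t n) {
    memcpy(buf, src, n);                      /* n > BUF_LEN spills into the target */
}

/* Hardened copy: refuse anything that does not fit together with its terminator. */
static int copy_checked(char *buf, const char *src, size_t n) {
    if (n >= BUF_LEN)
        return -1;
    memcpy(buf, src, n);
    buf[n] = '\0';
    return 0;
}

/* Runs one scenario. Returns 1 if the trusted path was redirected to the
 * attacker's choice, 0 if it survived intact, -1 if setup failed. */
int run_adjacent_overflow(int hardened) {
    const char *trusted  = "/var/log/app.log";    /* constructed example values */
    const char *attacker = "/root/.rhosts";
    char *region = calloc(1, REGION_LEN);
    char *buf, *path;
    char input[REGION_LEN];
    size_t n;
    int redirected;

    if (!region)
        return -1;
    buf  = region;                                /* the overflow buffer */
    path = region + TARGET_OFFSET;                /* the target, at a known offset */
    strcpy(path, trusted);

    /* Constructed attacker input: TARGET_OFFSET bytes of filler to reach the
     * target, then the replacement path including its terminating NUL. */
    memset(input, 'A', TARGET_OFFSET);
    strcpy(input + TARGET_OFFSET, attacker);
    n = TARGET_OFFSET + strlen(attacker) + 1;

    if (hardened)
        copy_checked(buf, input, n);              /* rejected: n >= BUF_LEN */
    else
        copy_unchecked(buf, input, n);            /* overwrites path */

    redirected = strcmp(path, attacker) == 0;
    free(region);
    return redirected;
}

int main(void) {
    printf("unchecked copy: path redirected = %d\n", run_adjacent_overflow(0));
    printf("checked copy:   path redirected = %d\n", run_adjacent_overflow(1));
    return 0;
}
```

Nothing here needs an executable heap: the overflow changes which file the program trusts, not where it jumps, which is why this data-only class survives non-executable heap mappings. The hardened copy rejects the input outright rather than truncating it, so the target is never touched.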

  
  Buffer overflow - Wikipedia, the free encyclopedia
Buffer overflows present a serious problem partially due to the low quality of today's C and C++ compilers, which do not support optional checking for array boundary violations or stack overflows, even though adding such a compilation flag would be trivial.
Buffer overflows usually arise as a consequence of a bug and the improper use of languages such as C or C++ that are not "memory-safe".
Buffer overflows are also a commonly exploited computer security risk — since program control data often sits in the memory areas adjacent to data buffers, by means of a buffer overflow condition, the computer can be made to execute arbitrary (and potentially malicious) code that is fed to the buggy program as data.
en.wikipedia.org /wiki/Buffer_overflow   (2528 words)

  
 LISA '03 — Technical Paper
Heap-based overflows can be divided into two classes: One class [6] comprises attacks where the overflow of a buffer allocated on the heap directly alters the content of an adjacent memory block.
When executing a stack-based attack, the intruder attempts to overflow a local buffer allocated on the stack to alter the return address of the function that is currently executing.
Although this does not protect against the actual overflow and the modification of the return address, the solution is based on the observation that many exploits execute their malicious payload directly on the stack.
www.usenix.org /events/lisa03/tech/full_papers/robertson/robertson_html   (5762 words)

  
 Ddd
The heap is used by programs to dynamically allocate and free memory blocks that may have longer lifetimes.
A heap is a reserved address-space region, at least one page large, from which the heap manager can dynamically allocate memory in smaller pieces.
The heap manager is represented by a set of functions for memory allocation and freeing, which are localised in two places: ntdll.dll and ntoskrnl.exe.
www.maxpatrol.com /defeating-xpsp2-heap-protection.htm   (2240 words)

  
 OpenBSD Security
Jul 6, 2005: Fix a buffer overflow in the zlib library that may be exploitable.
May 20, 2004: A buffer overflow in the cvs(1) server has been found, which can be used by CVS clients to execute arbitrary code on the server.
Feb 22, 2001: a non-exploitable buffer overflow was fixed in sudo(8).
www.openbsd.org /security.html   (7053 words)

  
 US-CERT Technical Cyber Security Alert TA04-147A -- CVS Heap Overflow Vulnerability
A heap overflow vulnerability in the Concurrent Versions System (CVS) could allow a remote attacker to execute arbitrary code on a vulnerable system.
There is a heap memory overflow vulnerability in the way CVS handles the insertion of modified and unchanged flags within entry lines.
When processing an entry line, an additional byte of memory is allocated to flag the entry as modified or unchanged.
www.us-cert.gov /cas/techalerts/TA04-147A.html   (456 words)

  
 O-034: rsync Heap Overflow Vulnerability
A heap overflow vulnerability has been identified in the rsync open source utility which is a fast remote file copy program.
The rsync heap overflow vulnerability can allow attackers to remotely run arbitrary code, but can not be used by itself to gain root access on an rsync server.
- While this heap overflow vulnerability could not be used by itself to obtain root access on a rsync server, it could be used in combination with the recently announced brk vulnerability in the Linux kernel to produce a full remote compromise.
www.ciac.org /ciac/bulletins/o-034.shtml   (879 words)

  
 [No title]
Stack Based Buffer Overflow
When SQL Server receives a packet on UDP port 1434 with the first byte set to 0x04, the SQL Monitor thread takes the remaining data in the packet and attempts to open a registry key using this user supplied information.
Heap Based Buffer Overflow
When SQL Server receives a packet on UDP port 1434 with the first byte set to 0x08 followed by an overly long string, followed by a colon character (:) and a number, a heap-based buffer is overflowed.
As this corrupts the structures used to keep track of the heap an attacker can overwrite any location in memory with 4 bytes of their own choosing.
www.nextgenss.com /advisories/mssql-udp.txt   (1126 words)
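The "overwrite any location in memory with 4 bytes" primitive in the SQL Server advisory, and the second class of heap overflow the LISA '03 paper distinguishes, both come from corrupting the allocator's own bookkeeping rather than program data. The following is an added example, not code from NGSSoftware, the paper, or any real allocator: it simulates the historic unchecked unlink of a doubly-linked free list (the dlmalloc-era pattern) on a toy heap, shows how a fake fd/bk pair written by the overflow turns the unlink into one attacker-chosen pointer-sized write (4 bytes on the 32-bit target the advisory describes, 8 on a 64-bit host running this code), and contrasts it with the safe-unlink check that later allocators, including the XP SP2 heap the maxpatrol page above is about, added. The chunk layout, the victim slot and the payload buffer are assumptions of the model.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy free-chunk header (an assumption of this model, loosely after dlmalloc). */
struct chunk {
    size_t        size;   /* not used by the toy */
    struct chunk *fd;     /* next free chunk */
    struct chunk *bk;     /* previous free chunk */
};

#define DATA_LEN 32       /* user data of chunk A, followed directly by chunk B's header */

/* Historic unlink: splice p out of the list, trusting fd and bk completely. */
static void unlink_unchecked(struct chunk *p) {
    struct chunk *fd = p->fd, *bk = p->bk;
    fd->bk = bk;          /* write 1: *(fd + offsetof(bk)) = bk   <- the attacker's write */
    bk->fd = fd;          /* write 2: *(bk + offsetof(fd)) = fd   <- clobbers a few bytes of bk */
}

/* Safe unlink: both neighbours must still point back at p, else refuse. */
static int unlink_checked(struct chunk *p) {
    if (p->fd->bk != p || p->bk->fd != p)
        return -1;        /* list corrupted */
    unlink_unchecked(p);
    return 0;
}

/* Stand-in for any pointer the program will later call or dereference
 * (a function pointer, a GOT entry, an exception-handler slot). */
struct victim {
    void *code_ptr;
    char  pad[16];
};

/* Runs the attack against one unlink variant. The attacker wants v->code_ptr to
 * become the address of payload (a buffer they control, at least sizeof(struct
 * chunk) bytes long). Returns 1 if it did, 0 if not, -1 on setup failure. */
int run_unlink_attack(int hardened, struct victim *v, unsigned char *payload) {
    size_t heap_len = sizeof(struct chunk) + DATA_LEN + sizeof(struct chunk);
    unsigned char *heap = calloc(1, heap_len);
    unsigned char *a_data;
    struct chunk *b, fake;
    unsigned char input[DATA_LEN + sizeof(struct chunk)];
    int unlinked;

    if (!heap)
        return -1;
    a_data = heap + sizeof(struct chunk);            /* chunk A's user data */
    b      = (struct chunk *)(a_data + DATA_LEN);    /* chunk B's header, adjacent */
    b->fd  = b->bk = b;                              /* B starts as a sane free chunk */

    /* Constructed overflow input: DATA_LEN bytes of filler, then B's fake header.
     * fd is chosen so that write 1 lands exactly on v->code_ptr; bk is the value
     * that write 1 stores there. */
    fake.size = 0;
    fake.fd = (struct chunk *)((char *)&v->code_ptr - offsetof(struct chunk, bk));
    fake.bk = (struct chunk *)payload;
    memset(input, 'A', DATA_LEN);
    memcpy(input + DATA_LEN, &fake, sizeof fake);

    /* The bug: unbounded copy of attacker data into A, spilling over B's header. */
    memcpy(a_data, input, sizeof input);

    /* Later the allocator takes B off the free list (free, consolidate or malloc). */
    if (hardened) {
        unlinked = unlink_checked(b) == 0;
    } else {
        unlink_unchecked(b);
        unlinked = 1;
    }
    free(heap);
    return unlinked && v->code_ptr == (void *)payload;
}

int demo_unchecked(void) {
    struct victim v = {0};
    unsigned char payload[64] = {0};                 /* attacker-controlled buffer */
    return run_unlink_attack(0, &v, payload);
}

int demo_checked(void) {
    struct victim v = {0};
    unsigned char payload[64] = {0};
    return run_unlink_attack(1, &v, payload);
}

int main(void) {
    printf("unchecked unlink: code_ptr hijacked = %d\n", demo_unchecked());
    printf("checked unlink:   code_ptr hijacked = %d\n", demo_checked());
    return 0;
}
```

Write 2 is the reason the classic exploit puts a short jump at the start of its payload: the allocator also stores fd at payload + offsetof(fd), trampling whatever bytes sit there. The safe-unlink check defeats the fake pair because the memory fd points at (here, the victim's code_ptr) does not point back to the chunk being unlinked; the maxpatrol page cited above is about how the XP SP2 variant of that check was in turn bypassed.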

  
 BufferOverflow / Internet Security Lectures by Prabhaker Mateti
If the "buffer" is a local C variable, the overflow can be used to force the function to run code of an attacker's choosing.
First, most such tools only provide partial defense against buffer overflows (and the "complete" defenses are generally 10-30 times slower); C and C++ were simply not designed to protect against buffer overflow.
For example, a buffer overflow in a network server program that can be tickled by outside users may provide an attacker with a login on the machine.
www.cs.wright.edu /~pmateti/InternetSecurity/Lectures/BufferOverflow   (2833 words)

  
[No title]
Local exploitation of a heap overflow and an integer overflow in GOCR could allow an attacker to execute arbitrary code.
This vulnerability leads to a heap overflow when reading the base data of a PNM file.
A heap overflow exists when GOCR reads a specially crafted plain PNM file (P3 format).
www.packetstormsecurity.org /0504-advisories/gocr_png_overflow.txt   (375 words)

  
 AntiOnline - Heap-Based Overflows
The heap grows from lower memory to higher memory while the stack grows from higher memory to lower memory.
Heap-based overflows are usually harder to spot because one must visualize the layout of memory and how it can be manipulated.
I showed you a very simple heap based overflow in order to give you an idea of the concept behind a heap based overflow, and I also demonstrated a few methods that have been utilized to prevent heap based overflows.
www.antionline.com /showthread.php?s=&threadid=268653   (2311 words)

  
 Meet the future of Windows security exploits | The Register
Sloppy programming practices (the root cause of buffer overflow vulnerabilities) give rise to security bugs where arbitrary and malicious code can be injected into a system, through a carefully crafted malformed data entry.
Generally, this spurious input is much longer than a program expects, causing code to overflow the buffer and enter parts of a system where it may be subsequently executed.
Heap overflow exploits (such as format string bugs and particularly malloc()/free()-manipulations) give attackers two powerful techniques.
www.theregister.co.uk /content/55/23075.html   (444 words)

  
 [No title]
This can be used for a remote heap overflow exploit, which can, on some systems, lead to or help in executing malicious code with the permissions of the user running a xine-lib based media application.
Several string overflows on the stack have been fixed in xine-lib, some of them can be used for remote buffer overflow exploits leading to the execution of arbitrary code with the permissions of the user running a xine-lib based media application.
There is a buffer overflow in a function used by mod_include that may enable a local user to gain privileges of a httpd child.
people.freebsd.org /~josef/stuff/vuln.xml   (6293 words)

  
[No title]
Since this is the first Heap based overflow I've encountered my expertise was not advanced enough to cause this vulnerability to execute code.
A lot of the functions appear to be executing from the heap so it was very hard (for me) to track or find information about the functions because the addresses were dynamic.
Comedy: After using Dell's "Support" page explaining I found a buffer overflow, the automated system mistakenly thought I was talking about the buffer underrun issues with CD burners: Dear Dell Customer, Dell's e-mail software interprets your message as a request for help with a CDRW drive that will not "burn" to a CD blank.
sh0dan.org /files/domadv.txt   (1031 words)

  
 Cisco Security Advisory: IOS Heap-based Overflow Vulnerability in System Timers
A heap-based overflow is a type of buffer overflow against a data structure residing within the memory heap.
The memory heap is a section of system memory used by the operating system of the device to satisfy the dynamic data storage requirements for currently running processes.
Cisco IOS may be susceptible to remote code execution through attack vectors such as specific heap-based overflows in which internal operating system timers may execute arbitrary code from portions of memory that have been overwritten via exploitation.
www.cisco.com /warp/public/707/cisco-sa-20051102-timers.shtml   (1923 words)

  
Network Security, Vulnerability Assessment, Intrusion Prevention
The vulnerability allows a remote attacker to reliably overwrite heap memory with user-controlled data and execute arbitrary code in the context of the user who executed the player or application hosting the QuickTime plug-in.
The heap block intended to hold the sample-to-chunk table data is allocated with a size equal to (number_of_entries + 2) * 16.
By supplying the "number of entries" field with the value 0x0FFFFFFE or greater, an absolutely classic integer overflow results that causes an insufficiently-sized heap block to be allocated, resulting in an equally classic complete heap memory overwrite.
www.eeye.com /html/Research/Advisories/AD20040502.html   (551 words)

  
 BetaNews | Heap Overflow Vulnerability in WMP
It isn't much (the entire overflow could be three or four bytes, maximum), but the fact that it is an overflow could create an exploitable condition, eEye points out.
Heap overflow problems with ASX files in Media Player have been discovered almost since version 6.4 was first released.
Assuming Media Player has to make this substitution, then when it allocates the heap memory for the name, it counts the number of characters in the URL that was supplied, then adds six for the appendage.
www.betanews.com /article/Heap_Overflow_Vulnerability_in_WMP/1165609151   (761 words)

  
Network Security, Vulnerability Assessment, Intrusion Prevention
In this advisory, we'll describe a pair of arithmetic errors in a generic and low-level part of ASN.1 BER decoding that allow a very large swath of heap memory to be overwritten.
LocalAlloc() successfully allocates a zero-length heap block whose address gets returned to the caller, but then the original, very large length is handed to memcpy().
The result is a classic, complete heap overwrite, where all contiguous heap memory following the zero-length block is wiped out by arbitrary data.
www.eeye.com /html/Research/Advisories/AD20040210.html   (902 words)

  
 [Full-Disclosure] RE: Windows XP explorer.exe heap overflow.
I suggested that on Vuln-Dev nearly four years ago [1], but I never pursued it, and this is the first time since then that I've seen it come up.
> They then proceed to read the rest of the file to a length of (size-headersize), which allows for an integer overflow causing the rest of the file to be appended to the already blown buffer.
lists.grok.org.uk /pipermail/full-disclosure/2004-February/017761.html   (837 words)

  
 Microsoft IIS HTR Chunked Encoding heap overflow allows arbitrary code
Although similar to a previous heap overflow MS02-018, this vulnerability is in the Internet Services Application Programming Interface (ISAPI) extension that implements HTR.
In either case, the attacker could overflow the heap with random data to corrupt program code and cause the IIS service to fail, preventing the use by legitimate users, or, he could change the operation of the server.
Specifically, he could overflow the heap and then overwrite a section of the heap on the server with new program code, revising the functionality of the server software.
securityresponse.symantec.com /avcenter/security/Content/2033.html   (770 words)

  
 [No title]
A heap overflow condition exists in "webcached" process when an invalid HTTP/HTTPS request is made.
The overflow can be triggered by sending an overly long header as the HTTP Request Method.
HTTP/HTTPS Method Heap Overflow & Firewalls
This vulnerability can bypass a large number of firewalls, so a firewall cannot be considered a measure of protection against this vulnerability.
www.inaccessnetworks.com /ian/services/secadv01.txt   (593 words)

  
[No title]
Overflow Security Advisory #3: ImageMagick ReadPNMImage() Heap Overflow. Vendor: ImageMagick (http://www.imagemagick.org). Affected version: 6.x up to and including 6.2.1. Vendor status: fixed version released (6.2.2). Author: Damian Put
Description: Remote exploitation of a heap overflow vulnerability could allow execution of arbitrary code or cause a denial of service.
A heap overflow exists in the ReadPNMImage() function, which is used to decode PNM image files.
www.overflow.pl /adv/imheapoverflow.txt   (258 words)

  
 Heap Overflow in Microsoft DirectX May Permit Remote System Compromise
The mechanisms used by Windows operating systems to support multimedia, in particular an audio format called MIDI (Musical Instrument Digital Interface), contain a remotely exploitable heap overflow [1,2].
All unpatched versions of DirectX, the low level programming interfaces that provide communications between user applications and the video/audio/display components of the core operating system, may permit a malicious user to execute arbitrary code.
The eEye advisory includes a sample of the malicious format required for a MIDI file to trigger this vulnerability, as well as a detailed description of ways to exploit the heap overflow.
www.stanford.edu /services/securecomputing/alerts/directx-23jul2003.html   (465 words)

  
 Gentoo Linux Documentation -- mit-krb5: Heap overflow in libkadm5srv
The MIT Kerberos 5 administration library (libkadm5srv) contains a heap overflow that could lead to execution of arbitrary code.
The MIT Kerberos 5 administration library libkadm5srv contains a heap overflow in the code handling password changing.
Under specific circumstances an attacker could execute arbitrary code with the permissions of the user running mit-krb5, which could be the root user.
www.gentoo.org /security/en/glsa/glsa-200501-05.xml   (120 words)

  
 SecurityFocus
A malformed .emf (Enhanced Metafile, a graphics format) file can cause an exploitable heap overflow in (or near) shimgvw.dll.
An .emf file with a "total size" field set to less than the header size will cause explorer.exe to crash in the heap routines, in classic heap overflow style that should be exploitable a la the RPC exploits.
They then proceed to read the rest of the file to a length of (size-headersize), which allows for an integer overflow causing the rest of the file to be appended to the already blown buffer.
www.securityfocus.com /archive/1/354783   (262 words)
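The QuickTime computation (number_of_entries + 2) * 16 from the eEye AD20040502 excerpt, the ASN.1 BER case from AD20040210 where a zero-length block is allocated but the original large length goes to memcpy(), and the EMF (size-headersize) underflow quoted just above are three shapes of the same mistake: size arithmetic that wraps before it reaches the allocator or the copy. The following is an added example, not code from eEye, Microsoft, Apple or any advisory: each naive computation in 32-bit arithmetic beside a checked version that refuses to wrap, plus a copy routine that derives the allocation and the memcpy from one validated length. The element structure and the sample bytes are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* --- QuickTime stsc atom: alloc = (number_of_entries + 2) * 16 ---------------- */

/* As described in the advisory: wraps in 32-bit arithmetic for 0x0FFFFFFE and up. */
uint32_t stsc_alloc_size_naive(uint32_t number_of_entries) {
    return (number_of_entries + 2u) * 16u;
}

/* Checked: fail if either the add or the multiply would exceed UINT32_MAX. */
bool stsc_alloc_size_checked(uint32_t number_of_entries, uint32_t *out) {
    uint32_t n;
    if (number_of_entries > UINT32_MAX - 2u)
        return false;
    n = number_of_entries + 2u;
    if (n > UINT32_MAX / 16u)
        return false;
    *out = n * 16u;
    return true;
}

/* --- EMF: remaining = size - headersize -------------------------------------- */

/* As described: a "total size" below the header size underflows to a huge count. */
uint32_t emf_remaining_naive(uint32_t size, uint32_t headersize) {
    return size - headersize;
}

bool emf_remaining_checked(uint32_t size, uint32_t headersize, uint32_t *out) {
    if (size < headersize)
        return false;
    *out = size - headersize;
    return true;
}

/* --- ASN.1 BER: one length drives both the allocation and the memcpy --------- */

struct element { uint8_t *data; uint32_t len; };   /* constructed for the example */

/* Copies one BER element body out of buf. The declared length is validated
 * against what actually remains after body_off, and that same value sizes the
 * block and the copy, so the two cannot diverge the way the advisory describes. */
bool ber_copy_body(const uint8_t *buf, uint32_t buf_len, uint32_t body_off,
                   uint32_t declared_len, struct element *out) {
    uint8_t *p;
    if (body_off > buf_len || declared_len > buf_len - body_off)
        return false;                               /* would read past the buffer */
    p = malloc(declared_len ? declared_len : 1);    /* never hand out a 0-byte block */
    if (!p)
        return false;
    memcpy(p, buf + body_off, declared_len);        /* same length as the allocation */
    out->data = p;
    out->len  = declared_len;
    return true;
}
```

The pattern in all three checked versions is the same: compare against the limit before doing the arithmetic, and carry a single validated length through to every consumer. The ber_copy_body() check also bounds the copy by the input that actually exists, so a declared length larger than the packet is rejected rather than read off the end of the buffer.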

  
 CERT Advisory CA-2002-33 Heap Overflow Vulnerability in Microsoft Data Access Components (MDAC)
A buffer overflow vulnerability exists in the Remote Data Services (RDS) component of MDAC.
The RDS Data Stub function's purpose is to parse incoming HTTP requests and generate RDS commands.
This unchecked buffer could be exploited to cause a heap overflow.
www.cert.org /advisories/CA-2002-33.html   (768 words)

  
 US-CERT Vulnerability Note VU#842160
A heap buffer overflow vulnerability exists in the way IE handles the SRC and NAME attributes of HTML elements such as FRAME and IFRAME.
Publicly available exploit code uses JavaScript to prepare the heap by allocating memory with blocks that consist of NOP slides and shell code.
Note that an attacker may be able to prepare the heap using other techniques, in which case disabling Active scripting would only provide defense against attacks that use Active scripting.
www.kb.cert.org /vuls/id/842160   (542 words)

  
 Python heap overflow in the included PCRE library - Gentoo - Xatrix Security
An attacker could target a Python-based web application (or SUID application) that would use untrusted data as regular expressions, potentially resulting in the execution of arbitrary code (or privilege escalation).
The "re" Python module is vulnerable to a heap overflow, possibly
www.xatrix.org /advisory.php?s=6871   (232 words)

  
 ISS X-Force Database: traceroute-heap-overflow(5311): Traceroute heap overflow
Traceroute is a utility used to determine the path a packet takes between a source and a destination.
It may be also possible to exploit this vulnerability to execute arbitrary code on the system and gain local root access.
CVE-2000-0949: Heap overflow in savestr function in LBNL traceroute 1.4a5 and earlier allows a local user to execute arbitrary commands via the -g option.
xforce.iss.net /xforce/xfdb/5311   (519 words)

Copyright © 2005-2007 www.factbites.com Usage implies agreement with terms.