CVE-2011-0500
Published 2011-01-20
CVE-2011-0500: Buffer overflow in VideoSpirit Pro 1.6.8.1, 1.68, and earlier; and VideoSpirit Lite 1.4.0.1 and possibly other versions; allows user-assisted remote attackers…
Priority: P3 · 53 · critical · 9.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 30.71% (98.0th percentile)
Buffer overflow in VideoSpirit Pro 1.6.8.1, 1.68, and earlier; and VideoSpirit Lite 1.4.0.1 and possibly other versions; allows user-assisted remote attackers to execute arbitrary code via a VideoSpirit project (.visprj) file containing a valitem element with a long "value" attribute, as demonstrated using a valitem with the mp3 name.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| verytools | videospirit_lite | — | — |
| verytools | videospirit_pro | <= 1.68 | — |
| verytools | videospirit_pro | — | — |
Detection & IOCs (extracted from sources)
- Exploit uses ROP gadgets exclusively from OverlayPlug.dll (a non-ASLR module) to bypass DEP and ASLR; presence of OverlayPlug.dll ROP chain addresses in a .visprj file is a strong indicator of exploitation
- Payload offset to EIP control is 168 bytes; offset to ROP chain is 952 bytes within the malicious .visprj value attribute
- Bad characters to filter/detect in payload within .visprj files: null byte, line feed, and XML-special characters indicating crafted bypass
- Exploit sets EXITFUNC to 'process', meaning the spawned process will terminate after shellcode execution; monitor for VideoSpirit process spawning unexpected child processes
- The Metasploit module targets a single generic target covering XP, Vista, and Windows 7 using OverlayPlug.dll ROP gadgets; the PoC exploit (exploit-db 15936) targets only Windows XP SP3 English with a different return address (SEH p/p/r in overlayplug.dll)
- Payload space is limited to 800 bytes (0x320) to avoid marking the wrong page as RWX during VirtualProtect ROP; larger shellcode requires adjusting the ROP size gadget at 0x10101330
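As an added defender-side example (not from the page or from any of the tools it lists), a small Python scanner that applies the indicators above to .visprj content: it extracts each valitem element's value attribute, compares its length against the reported 168-byte EIP offset, and after the 952-byte ROP offset counts little-endian dwords in the 0x10xxxxxx range, which is assumed here (from the 0x10101330 gadget mentioned above) to be where the non-ASLR OverlayPlug.dll loads. The two sample inputs are constructed and inert filler, not real exploit content.

```python
import re
import struct

# Offsets reported for the public CVE-2011-0500 exploit: EIP is overwritten at
# byte 168 of the valitem "value" attribute; the ROP chain starts at byte 952.
EIP_OFFSET = 168
ROP_OFFSET = 952
# Assumption (heuristic): the reported size gadget 0x10101330 sits in
# OverlayPlug.dll, so dwords in 0x10000000-0x10FFFFFF are treated as probable
# addresses in that non-ASLR module.
MODULE_LO, MODULE_HI = 0x10000000, 0x10FFFFFF
MIN_POINTERS = 4

# The payload avoids '<', '>', '&' and '"' (see bad characters above), so a
# lightweight regex over the raw bytes is enough; strict XML parsing would
# choke on the non-printable bytes that a ROP chain contains.
VALITEM_RE = re.compile(rb"<valitem\b(.*?)/?>", re.IGNORECASE | re.DOTALL)
ATTR_RE = re.compile(rb'(\w+)="([^"]*)"')


def count_module_pointers(blob: bytes) -> int:
    """Count 4-byte-aligned little-endian dwords that fall in the assumed module range."""
    total = 0
    for i in range(0, len(blob) - 3, 4):
        (dword,) = struct.unpack_from("<I", blob, i)
        if MODULE_LO <= dword <= MODULE_HI:
            total += 1
    return total


def scan_visprj(data: bytes) -> list[dict]:
    """Return one finding per valitem whose value attribute looks crafted."""
    findings = []
    for m in VALITEM_RE.finditer(data):
        attrs = dict(ATTR_RE.findall(m.group(1)))
        value = attrs.get(b"value", b"")
        reasons = []
        if len(value) >= EIP_OFFSET:
            reasons.append(f"value length {len(value)} reaches EIP offset {EIP_OFFSET}")
        pointers = count_module_pointers(value[ROP_OFFSET:]) if len(value) > ROP_OFFSET else 0
        if pointers >= MIN_POINTERS:
            reasons.append(f"{pointers} dwords in 0x10xxxxxx range after ROP offset {ROP_OFFSET}")
        if any(b < 0x20 or b > 0x7E for b in value):
            reasons.append("non-printable bytes in attribute value")
        if reasons:
            name = attrs.get(b"name", b"?").decode("latin-1")
            findings.append({"name": name, "length": len(value),
                             "pointers": pointers, "reasons": reasons})
    return findings


# Constructed samples: a benign project entry, and an inert one shaped like the
# reported layout (filler up to the EIP and ROP offsets, then fake 0x10xxxxxx dwords).
BENIGN_VISPRJ = (b'<?xml version="1.0"?><project>'
                 b'<valitem name="mp3" value="C:\\music\\track.mp3"/></project>')
_crafted_value = (b"A" * EIP_OFFSET + b"BBBB" + b"C" * (ROP_OFFSET - EIP_OFFSET - 4)
                  + struct.pack("<I", 0x10101330) * 8 + b"D" * 16)
CRAFTED_VISPRJ = (b'<?xml version="1.0"?><project><valitem name="mp3" value="'
                  + _crafted_value + b'"/></project>')

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_VISPRJ), ("crafted", CRAFTED_VISPRJ)):
        print(label, scan_visprj(blob))
```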
CVSS provenance
nvd · v2.0 · 9.3 CRITICAL · AV:N/AC:M/Au:N/C:C/I:C/A:C
vendor_redhat · 7.8 HIGH
GHSA
GHSA-c7jj-cg79-r337: Buffer overflow in VideoSpirit Pro 1
ghsa_unreviewed·2022-05-17
CVE-2011-0500 [HIGH] CWE-119 GHSA-c7jj-cg79-r337: Buffer overflow in VideoSpirit Pro 1
Buffer overflow in VideoSpirit Pro 1.6.8.1, 1.68, and earlier; and VideoSpirit Lite 1.4.0.1 and possibly other versions; allows user-assisted remote attackers to execute arbitrary code via a VideoSpirit project (.visprj) file containing a valitem element with a long "value" attribute, as demonstrated using a valitem with the mp3 name.
Red Hat
hplip: insecure temporary file handling flaws
vendor_redhat·2013-02-21·CVSS 1.2
CVE-2013-0200 [LOW] CWE-377 hplip: insecure temporary file handling flaws
HP Linux Imaging and Printing (HPLIP) through 3.12.4 allows local users to overwrite arbitrary files via a symlink attack on the (1) /tmp/hpcupsfilterc_#.bmp, (2) /tmp/hpcupsfilterk_#.bmp, (3) /tmp/hpcups_job#.out, (4) /tmp/hpijs_#####.out, or (5) /tmp/hpps_job#.out temporary file, a different vulnerability than CVE-2011-2722.
Statement: This issue does not affect the version of hplip and hplip3 as shipped with Red Hat Enterprise Linux 5. This issue has been addressed in Red Hat Enterprise Linux 6 via RHSA-2013:0500.
Package: hplip (Red Hat Enterprise Linux 5) - Not affected
Package: hplip3 (Red Hat Enterprise Linux 5) - Not affected
Red Hat
kernel: fs/partitions: Corrupted OSF partition table infoleak
vendor_redhat·2011-03-15·CVSS 2.1
CVE-2011-1163 [LOW] kernel: fs/partitions: Corrupted OSF partition table infoleak
The osf_partition function in fs/partitions/osf.c in the Linux kernel before 2.6.38 does not properly handle an invalid number of partitions, which might allow local users to obtain potentially sensitive information from kernel heap memory via vectors related to partition-table parsing.
Statement: This has been addressed in Red Hat Enterprise Linux 5, 6, and Red Hat Enterprise MRG via https://rhn.redhat.com/errata/RHSA-2011-0833.html, https://rhn.redhat.com/errata/RHSA-2011-0542.html, and https://rhn.redhat.com/errata/RHSA-2011-0500.html. Red Hat Enterprise Linux 4 is now in Production 3 of the maintenance life-cycle, https://access.redhat.com/support/policy/updates/errata/, therefore the fix for
this issue is not currently pl
Red Hat
ipv4: netfilter: ipt_CLUSTERIP: fix buffer overflow
vendor_redhat·2011-03-10·CVSS 7.8
CVE-2011-2534 [HIGH] ipv4: netfilter: ipt_CLUSTERIP: fix buffer overflow
Buffer overflow in the clusterip_proc_write function in net/ipv4/netfilter/ipt_CLUSTERIP.c in the Linux kernel before 2.6.39 might allow local users to cause a denial of service or have unspecified other impact via a crafted write operation, related to string data that lacks a terminating '\0' character.
Statement: This issue did not affect the version of Linux kernel as shipped with Red Hat Enterprise Linux 4 as it did not have support for ipt_CLUSTERIP. This has been addressed in Red Hat Enterprise Linux 5, 6, and Red Hat Enterprise MRG via http://rhn.redhat.com/errata/RHSA-2011-0833.html, http://rhn.redhat.com/errata/RHSA-2011-0498.html, and http://rhn.redhat.com/errata/RHSA-2011-0500.html.
Package: kernel (Red Hat Enterprise Linux
Red Hat
kernel: CAP_SYS_MODULE bypass via CAP_NET_ADMIN
vendor_redhat·2011-02-24·CVSS 1.9
CVE-2011-1019 [LOW] kernel: CAP_SYS_MODULE bypass via CAP_NET_ADMIN
The dev_load function in net/core/dev.c in the Linux kernel before 2.6.38 allows local users to bypass an intended CAP_SYS_MODULE capability requirement and load arbitrary modules by leveraging the CAP_NET_ADMIN capability.
Statement: This issue did not affect the Linux kernel as shipped with Red Hat Enterprise Linux 4 and 5 as they did not backport the upstream commit a8f80e8f that introduced this flaw. This has been addressed in Red Hat Enterprise Linux 6 and Red Hat Enterprise MRG via https://rhn.redhat.com/errata/RHSA-2011-0498.html and https://rhn.redhat.com/errata/RHSA-2011-0500.html.
Red Hat
kernel: fs/partitions: Validate map_count in Mac partition tables
vendor_redhat·2011-02-17·CVSS 4.9
CVE-2011-1010 [MEDIUM] kernel: fs/partitions: Validate map_count in Mac partition tables
Buffer overflow in the mac_partition function in fs/partitions/mac.c in the Linux kernel before 2.6.37.2 allows local users to cause a denial of service (panic) or possibly have unspecified other impact via a malformed Mac OS partition table.
Statement: This has been addressed in Red Hat Enterprise Linux 5, 6, and Red Hat Enterprise MRG via https://rhn.redhat.com/errata/RHSA-2011-0429.html, https://rhn.redhat.com/errata/RHSA-2011-0542.html and https://rhn.redhat.com/errata/RHSA-2011-0500.html. Red Hat Enterprise Linux 4 is now in Production 3 of the maintenance life-cycle, https://access.redhat.com/support/policy/updates/errata/, therefore the fix for this issue is not currently planned to be included in the future updates
Red Hat
kernel: xfs: prevent leaking uninitialized stack memory in FSGEOMETRY_V1
vendor_redhat·2011-02-10·CVSS 2.1
CVE-2011-0711 [LOW] kernel: xfs: prevent leaking uninitialized stack memory in FSGEOMETRY_V1
The xfs_fs_geometry function in fs/xfs/xfs_fsops.c in the Linux kernel before 2.6.38-rc6-git3 does not initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via an FSGEOMETRY_V1 ioctl call.
Statement: This issue did not affect the version of Linux kernel as shipped with Red Hat Enterprise Linux 4 as it did not have support for the XFS file system. This has been addressed in Red Hat Enterprise Linux 5, 6, and Red Hat Enterprise
MRG via https://rhn.redhat.com/errata/RHSA-2011-0927.html, https://rhn.redhat.com/errata/RHSA-2011-0498.html, and https://rhn.redhat.com/errata/RHSA-2011-0500.html.
Red Hat
kernel: potential kernel deadlock when creating circular epoll file structures
vendor_redhat·2011-02-05·CVSS 4.9
CVE-2011-1082 [MEDIUM] kernel: potential kernel deadlock when creating circular epoll file structures
fs/eventpoll.c in the Linux kernel before 2.6.38 places epoll file descriptors within other epoll data structures without properly checking for (1) closed loops or (2) deep chains, which allows local users to cause a denial of service (deadlock or stack memory consumption) via a crafted application that makes epoll_create and epoll_ctl system calls.
Statement: This issue does not affect the Linux kernel as shipped with Red Hat Enterprise Linux 4 and 5. This was addressed in Red Hat Enterprise Linux 6 and Red Hat Enterprise MRG via https://rhn.redhat.com/errata/RHSA-2011-0542.html and https://rhn.redhat.com/errata/RHSA-2011-0500.html.
Package: kernel (Red Hat Enterprise Linux 4) - Affected
Package: kernel (Re
Red Hat
kernel: panic in ib_cm:cm_work_handler
vendor_redhat·2010-11-15·CVSS 5.7
CVE-2011-0695 [MEDIUM] kernel: panic in ib_cm:cm_work_handler
Race condition in the cm_work_handler function in the InfiniBand driver (drivers/infiniband/core/cma.c) in Linux kernel 2.6.x allows remote attackers to cause a denial of service (panic) by sending an InfiniBand request while other request handlers are still running, which triggers an invalid pointer dereference.
Statement: This has been addressed in Red Hat Enterprise Linux 5, 6, and Red Hat Enterprise MRG via https://rhn.redhat.com/errata/RHSA-2011-0927.html, https://rhn.redhat.com/errata/RHSA-2011-0421.html, and https://rhn.redhat.com/errata/RHSA-2011-0500.html. Red Hat Enterprise Linux 4 is now in Production 3 of the maintenance life-cycle, https://access.redhat.com/support/policy/updates/errata/, therefore the fix for this issue is not currentl
No detection rules found.
Exploit-DB
VeryTools VideoSpirit Pro 1.70 - '.visprj' Local Buffer Overflow (Metasploit)
exploitdb·2011-04-11
CVE-2011-0500 VeryTools VideoSpirit Pro 1.70 - '.visprj' Local Buffer Overflow (Metasploit)
---
##
# $Id: videospirit_visprj.rb 12305 2011-04-11 23:32:41Z sinn3r $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'VeryTools Video Spirit Pro %q{
This module exploits a stack buffer overflow in Video Spirit MSF_LICENSE,
'Author' =>
[
'Acidgen', #found the vulnerability
'corelanc0d3r', #rop exploit + msf module
],
'Version' => '$Revision: 12305 $',
'References' =>
[
[ 'URL', 'http://www.corelan.be/advisories.php?id=CORELAN-11-001' ],
],
'DefaultOptions' =>
{
'
Exploit-DB
VeryTools VideoSpirit Pro 1.68 - Local Buffer Overflow
exploitdb·2011-01-08
CVE-2011-0500 VeryTools VideoSpirit Pro 1.68 - Local Buffer Overflow
---
# Exploit Title: VideoSpirit Pro v1.68 Local BoF Exploit
# Date: 01/08/2011
# Author: xsploitedsec
# URL: http://www.x-sploited.com/
# Contact: xsploitedsec[at]x-sploited.com
# Software Link: http://www.verytools.com/videospirit/download.html
# Vulnerable version: v1.68
# Tested on: Windows XP SP3 Eng
# Software description #
# "VideoSpirit Pro is the most easily used Video Converter/Editor tools. For acting as a Video Editor,
# various slide effect/title/subtitle can be added to a video clip. Also, the video clip can be rotated,
# resized and warped. Multiple video/audio clips can be joined together. Converting speed is fast and
# the quality of output file is excellent."
# Vulnerability info #
# VideoSpirit Pro is prone to a
Metasploit
VeryTools Video Spirit Pro
metasploit
This module exploits a stack buffer overflow in Video Spirit <= 1.70. When opening a malicious project file (.visprj), a stack buffer overflow occurs, resulting in arbitrary code execution. This exploit bypasses DEP & ASLR, and works on XP, Vista & Windows 7.
Bugzilla
CVE-2013-0200 hplip: insecure temporary file handling flaws
bugzilla·2013-01-21·CVSS 1.2
CVE-2013-0200 [LOW] CVE-2013-0200 hplip: insecure temporary file handling flaws
Temporary file handling flaws were found in several places in hplip. Because predictable temporary filenames are used, an attacker could use a symlink attack to overwrite an arbitrary file with the privileges of the process running hplip.
This is a different flaw than CVE-2011-2722.
Discussion:
Acknowledgements:
This issue was discovered by Tim Waugh of Red Hat.
---
This issue has been addressed in following products:
Red Hat Enterprise Linux 6
Via RHSA-2013:0500 https://rhn.redhat.com/errata/RHSA-2013-0500.html
---
Statement:
This issue does not affect the version of hplip and hplip3 as shipped with Red Hat Enterprise Linux 5. This issue has been addressed in Red Hat Enterprise Linux 6 via RHSA-2013:0500.
Bugzilla
CVE-2011-4600 libvirt: unintended firewall port exposure after restarting libvirtd when defining a bridged forward-mode network [fedora-16]
bugzilla·2011-12-10·CVSS 5.9
CVE-2011-4600 [MEDIUM] CVE-2011-4600 libvirt: unintended firewall port exposure after restarting libvirtd when defining a bridged forward-mode network [fedora-16]
fedora-16 tracking bug for libvirt: see blocks bug list for full details of the security issue(s).
This bug is never intended to be made public, please put any public notes
in the 'blocks' bugs.
[bug automatically created by: add-tracking-bugs]
Discussion:
The following upstream commit needs to be backported to F16:
commit ae1232b298323dd7bef909426e2ebafa6bca9157
Author: Laine Stump
Date: Tue Dec 6 15:13:50 2011 -0500
network: don't add iptables rules for externally managed networks
---
libvirt-0.9.6-4.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/libvirt-0.9.6-4.fc16
---
Package libvirt-0.9.6-4
Bugzilla
CVE-2011-4324 kernel: nfsv4: mknod(2) DoS
bugzilla·2011-11-21·CVSS 4.9
CVE-2011-4324 [MEDIUM] CVE-2011-4324 kernel: nfsv4: mknod(2) DoS
Creating a file with mknod(2) syscall on a nfsv4 mount can trigger BUG().
Discussion:
Eryu Guan 2011-11-18 02:16:30 EST
Upstream commit
commit dc0b027dfadfcb8a5504f7d8052754bf8d501ab9
Author: Trond Myklebust
Date: Tue Dec 23 15:21:56 2008 -0500
NFSv4: Convert the open and close ops to use fmode
Signed-off-by: Trond Myklebust
removed the BUGON() at fs/nfs/nfs4xdr.c:894
---
Statement:
This issue did not affect the Linux kernels as shipped with Red Hat Enterprise Linux 6 and Red Hat Enterprise MRG as they did not have the vulnerable code as introduced in history:1a7bc914. This has been addressed in Red Hat Enterprise Linux 5 via https://rhn.redhat.com/errata/RHSA-2012-0007.html. Red Hat Enterprise Linux 4 is now in Production 3 of the maint
Bugzilla
CVE-2011-1080 kernel: ebtables stack infoleak
bugzilla·2011-03-01·CVSS 2.1
CVE-2011-1080 [LOW] CVE-2011-1080 kernel: ebtables stack infoleak
Description of problem:
Struct tmp is copied from userspace. It is not checked whether the "name"
field is NULL terminated. This may lead to buffer overflow and passing
contents of kernel stack as a module name to try_then_request_module() and,
consequently, to modprobe commandline. It would be seen by all userspace
processes.
References:
http://seclists.org/oss-sec/2011/q1/309
https://lkml.org/lkml/2011/2/14/51
Acknowledgements:
Red Hat would like to thank Vasiliy Kulikov of Openwall for reporting this issue.
Discussion:
Upstream commit:
http://git.kernel.org/linus/d846f711
---
This issue has been addressed in following products:
MRG for RHEL-5
Via RHSA-2011:0500 https://rhn.redhat.com/errata/RHSA-2011-0500.html
---
This issue has
Bugzilla
CVE-2011-1079 kernel: bnep device field missing NULL terminator
bugzilla·2011-03-01·CVSS 5.4
CVE-2011-1079 [MEDIUM] CVE-2011-1079 kernel: bnep device field missing NULL terminator
Description of problem:
Struct ca is copied from userspace. It is not checked whether the "device"
field is NULL terminated. This potentially leads to BUG() inside of
alloc_netdev_mqs() and/or information leak by creating a device with a name
made of contents of kernel stack.
References:
http://seclists.org/oss-sec/2011/q1/309
https://lkml.org/lkml/2011/2/14/50
Acknowledgements:
Red Hat would like to thank Vasiliy Kulikov of Openwall for reporting this issue.
Discussion:
Upstream commit:
http://git.kernel.org/linus/43629f8f5ea32a998d06d1bb41eefa0e821ff573
---
This issue has been addressed in following products:
MRG for RHEL-5
Via RHSA-2011:0500 https://rhn.redhat.com/errata/RHSA-2011-0500.html
---
This issue has be
Bugzilla
CVE-2011-1078 kernel: bt sco_conninfo infoleak
bugzilla·2011-03-01·CVSS 1.9
CVE-2011-1078 [LOW] CVE-2011-1078 kernel: bt sco_conninfo infoleak
Description of problem:
struct sco_conninfo has one padding byte in the end. Local variable
cinfo of type sco_conninfo is copied to userspace with this uninitialized
one byte, leading to old stack contents leak.
Reference:
http://seclists.org/oss-sec/2011/q1/309
https://lkml.org/lkml/2011/2/14/49
Acknowledgements:
Red Hat would like to thank Vasiliy Kulikov of Openwall for reporting this issue.
Discussion:
Upstream commit:
http://git.kernel.org/linus/c4c896e1471aec3b004a693c689f60be3b17ac86
---
This issue has been addressed in following products:
MRG for RHEL-5
Via RHSA-2011:0500 https://rhn.redhat.com/errata/RHSA-2011-0500.html
---
This issue has been addressed in following products:
Red Hat Enterprise Linux 5
Via RHSA-2011:0833
Bugzilla
CVE-2011-1010 kernel: fs/partitions: Validate map_count in Mac partition tables
bugzilla·2011-02-22·CVSS 4.9
CVE-2011-1010 [MEDIUM] CVE-2011-1010 kernel: fs/partitions: Validate map_count in Mac partition tables
Validate number of blocks in map and remove redundant variable.
Upstream commit:
http://git.kernel.org/linus/fa7ea87a057958a8b7926c1a60a3ca6d696328ed
Acknowledgements:
Red Hat would like to thank Timo Warns for reporting this issue.
Discussion:
Greg explained this nicely: "Incorrectly formed mac partition tables could cause bad things to happen when it was automatically scanned after plugging in a device with this type of partition table on it."
---
This issue has been addressed in following products:
Red Hat Enterprise Linux 5
Via RHSA-2011:0429 https://rhn.redhat.com/errata/RHSA-2011-0429.html
---
This issue has been addressed in following products:
MRG for RHEL-5
Via RHSA-2011:0500 https://rhn.