Explore Vulnerabilities

Netscape Browsers JPEG Comment Overflow Vulnerability

Netscape Browsers use the Independent JPEG Group's decoder library to process JPEG-encoded images. The library functions skip JPEG comments; however, the browser uses a custom function to process these comments and store them in memory. The comment includes a 2-byte “length” field which indicates how long the comment is; this value includes the two bytes of the “length” field itself. To determine the length of the comment string alone (for memory allocation), the function reads the value in the “length” field and subtracts two. The function then allocates the length of the comment plus one byte for NULL termination. There is no error checking to ensure the “length” value is valid. This makes it possible to cause an overflow by creating an image with a comment “length” field containing the value 1. The memory allocation call of 0 bytes (1 minus 2 (length field) plus 1 (NULL termination)) will succeed. The calculated comment size variable is declared unsigned, so 1 minus 2 wraps to a large positive value. The comment handling function goes into a loop to read the comment into memory, but since the calculated comment size is enormous, the function reads the entire JPEG stream, overwriting the heap. It is theoretically possible to exploit this to execute arbitrary code. The browser, mail and news readers are all vulnerable to this.

IBM WebSphere Application Server Source Disclosure Vulnerability

Certain versions of the IBM WebSphere application server ship with a vulnerability which allows malicious users to view the source of any document which resides in the web document root directory. This is possible via a flaw in a default servlet (different servlets are used to parse different types of content: JHTML, HTML, JSP, etc.). This default servlet displays the document/page without parsing or compiling it, hence allowing the code to be viewed by the end user. It is easy to verify this vulnerability for a given system: prefixing the path to web pages with "/servlet/file/" in the URL causes the file to be displayed without being parsed or compiled.

Microsoft IIS Internal IP Address Disclosure Vulnerability

When a remote user attempts to access an area protected by basic authentication with no realm defined, while specifying HTTP 1.0, Microsoft IIS will return an Access Denied error message containing the internal IP address of the host. Even if IIS is behind a firewall or NAT, it will disclose the true internal IP address to the remote user. The internal IP address may also be revealed through an HTTP request made with an empty host name. If a PROPFIND HTTP request is made, the message returned will include the IP address as part of the HREF header. The IP address may also be exposed through the WRITE or MKCOL methods, although these would not normally be exposed to the external network.

Sun Java Web Server RealmDumpServlet Vulnerability

The servlet sunexamples.RealmDumpServlet, which is packaged by default with Sun's Java Web Server, can be used to discover ACLs and local users on the server. It can be accessed by using the URLs http://javawebserver/servlet/sunexamples.RealmDumpServlet#Realm-NT and http://javawebserver:8080/servlet/sunexamples.RealmDumpServlet#Users-UNIX.

M3U Playlist File Parser Buffer Overflow

The M3U Playlist file parser in NullSoft Winamp does not perform proper bounds checking on the '#EXTINF:' directive. Therefore, entering a string of over 280 characters in conjunction with this directive will cause a buffer overflow condition which will either crash the application or allow arbitrary code to be executed, depending on the data entered.

xconq v7.4.1 (Linux) Local Buffer Overflow

Xconq is a multiplayer strategy game available for many Unix platforms. It contains a number of buffer overflow vulnerabilities, including the ability to overflow stack buffers with either the DISPLAY or the USER environment variables. The Red Hat Linux Xconq package installs the game with SGID 'games' privileges, allowing an attacker to compromise the local 'games' group.

Microsoft IIS 4.0 and 5.0 Source Code Disclosure Vulnerability

Microsoft IIS 4.0 and 5.0 can be made to disclose fragments of source code which should otherwise be inaccessible. This is done by appending '+.htr' to a request for a known .asp (or .asa, .ini, etc.) file. Appending this string causes the request to be handled by ISM.DLL, which then strips the '+.htr' string and may disclose part or all of the source of the .asp file specified in the request.