This is a typical buffer overflow vulnerability. Start the application, enter 'A'*800 into the path box and press Enter; this causes a crash.
A bug in Symantec's I/O abstraction layer results in a critical security vulnerability. The bug occurs when a read request can be satisfied from the cache, but from a non-zero start offset. In this case, the request size is always rounded to (CACHE_SIZE - Offset), which may not be correct. This can lead to a stack buffer overflow with attacker-controlled data.
The routine uses a 16-bit value read from the file to index a 256-element array without any bounds checking. The attached test case should demonstrate this reliably.
Simple fuzzing found an integer overflow in the dec2tnef library. The allocation in Attachment::setDataFromAttachment() computes its size as (count + 1) * 4 without verifying that the attacker-controlled count does not wrap, so the allocation succeeds with the wrapped size. The attached test case reaches this code on Symantec Scan Engine; I'm not sure which other products use this code.
Symantec attempts to clean or remove components from archives or other multipart containers that it detects as malicious. The code used to remove components from MIME-encoded messages in CMIMEParser::UpdateHeader() assumes that filenames cannot be longer than 77 characters. This assumption is obviously incorrect, since names can be any length, and the result is a very clean heap overflow. The heap overflow occurs because Symantec does the cleaning in multiple stages: first changing the Content-Type to 'text/plain', then changing the filename to 'DELETED.TXT'. The problem is that during the first stage of this process, the existing name is kept but written into a buffer sized for the final name.
The dec2lha library is responsible for decompressing LZH and LHA archives. The CSymLHA::get_header() routine has a trivial stack buffer overflow. We can see from this initialization that var_141C is a 1024-byte stack buffer, because 0x100 * sizeof(dword) = 1024. But later in this routine the index is checked against 4096 bytes, which is incorrect. This is most likely a simple programmer's error: bounds checking with the wrong size.
A command injection vulnerability exists in Untangle NG Firewall, which allows non-root authenticated users to execute system commands with root privileges. This exploit has been tested on Untangle NG Firewall versions 11.2, 12, 12.0.1, and 12.1.0 beta, but should work on previous versions. The client-side sanitisation issues identified in the disclosure post can be exploited with a web app proxy. This exploit leverages the vulnerable function directly. Credentials can be obtained by sniffing unsecured HTTP logins (which the appliance defaults to).
The vulnerability is caused by the Upgrade Wizard module, which allows uploading a package containing an arbitrary manifest.php file that the application then executes. This can be exploited by authenticated administrator users to upload and execute arbitrary PHP code.
A buffer overflow vulnerability exists in HNB Organizer version 1.9.18-10. A specially crafted input can cause a stack-based buffer overflow, overwriting the return address and allowing arbitrary code execution.
A buffer overflow vulnerability exists in PInfo File Viewer version 0.6.9-5.1. The vulnerability is triggered when a malicious user supplies a specially crafted input to the program, resulting in a segmentation fault. This can be exploited to execute arbitrary code by overwriting the return address on the stack with the address of the malicious code.