This vulnerability allows an attacker to include arbitrary files from a remote server.
GDCM versions 2.6.0 and 2.6.1 are prone to an integer overflow vulnerability which leads to a buffer overflow and potentially to remote code execution. The vulnerability is triggered by the exposed function gdcm::ImageRegionReader::ReadIntoBuffer, which copies DICOM image data to a buffer. ReadIntoBuffer fails to detect the occurrence of an integer overflow, which leads to a buffer overflow later on in the code.
This exploit takes advantage of an uninitialized pb structure variable in .bss to execute arbitrary commands with root privileges. It uses the reverse connect-back method and targets systems running Fedora Core 6 with exec-shield enabled. The exploit modifies the arguments passed to execle() to execute a command of the attacker's choice. It also searches the stack for 8 null bytes to define an environment variable. The exploit requires 13 ret (pop %eip) instructions to reach the desired stack position. It has been tested on Fedora Core 6 with webdesproxy version 0.0.1.
The attached swf file causes an out-of-bounds memset in BlurFilter processing. Note that Chrome aborts when processing the swf.
This exploit targets Clever Database Comparer ActiveX version 2.2. By sending a specially crafted request, an attacker can cause a buffer overflow, leading to remote code execution.
The vulnerability allows an attacker to include and execute arbitrary files from remote servers by exploiting the 'newsadmin.php' script. By manipulating the 'action' parameter in the URL, an attacker can specify the file to be included and executed. In this case, the exploit uses the 'shell' file as the payload.
The vulnerability lies in the serve_argumentx function. The Argumentx command parameter is used to append data to a previously supplied Argument command. These data pointers are stored in the argument_vector array. serve_argumentx fails to check whether an Argument command is present in the argument_vector and may append data to a pointer that should not be touched at all, in our case the *error_prog_name string. The function calls realloc to create space for the new string. Because realloc is called to store strlen(error_prog_name) + strlen(somedata) bytes, the original chunk, which only stores error_prog_name, gets freed. This freed chunk is freed a second time after we disconnect from the CVS pserver.
This exploit allows an attacker to include a remote file in the NagiosQL application. By manipulating the 'prepend_adm.php' file, the attacker can execute arbitrary code or gain unauthorized access to the system. The vulnerability was discovered by ThE TiGeR.
An attacker can leverage this issue to crash the affected application, causing a denial-of-service condition. Due to the nature of this issue, arbitrary code execution may be possible but this has not been confirmed.
RealPlayer is prone to a memory-corruption vulnerability. An attacker can leverage this issue to crash the affected application, causing a denial-of-service condition. Due to the nature of this issue, arbitrary code execution may be possible but this has not been confirmed.