Multiple buffer overflows in IBM Rational ClearCase 7.x before 7.1.2.13, 8.0.0.x before 8.0.0.10, and 8.0.1.x before 8.0.1.3 allow remote authenticated users to obtain privileged access via unspecified vectors.
Multiple stack-based buffer overflows in the File Transfer feature in rfbserver.c in LibVNCServer 0.9.9 and earlier allow remote authenticated users to cause a denial of service (crash) and possibly execute arbitrary code via a (1) long file or (2) directory name or the (3) FileTime attribute in a rfbFileTransferOffer message.
** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in Vivotek SD9364 VVTK-0103f. It has been declared as critical. This vulnerability affects the function read of the component httpd. The manipulation of the argument Content-Length leads to stack-based buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-273526 is the identifier assigned to this vulnerability. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the affected release tree is end-of-life.
A stack buffer overflow vulnerability has been discovered in Microsoft Skype 7.2, 7.35, and 7.36 before 7.37, involving MSFTEDIT.DLL mishandling of remote RDP clipboard content within the message box.
An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 devices. The device provides UPnP services that are available on port 3480 and can also be accessed via port 80 using the url "/port_3480". It seems that the UPnP services provide "request_image" as one of the service actions for a normal user to retrieve an image from a camera that is controlled by the controller. It seems that the "URL" parameter passed in the query string is not sanitized and is stored on the stack which allows an attacker to overflow the buffer. The function "LU::Generic_IP_Camera_Manager::REQ_Image" is activated when the lu_request_image is passed as the "id" parameter in query string. This function then calls "LU::Generic_IP_Camera_Manager::GetUrlFromArguments" and passes a "pointer" to the function where it will be allowed to store the value from the URL parameter. This pointer is passed as the second parameter $a2 to the function "LU::Generic_IP_Camera_Manager::GetUrlFromArguments". However, neither the callee or the caller in this case performs a simple length check and as a result an attacker who is able to send more than 1336 characters can easily overflow the values stored on the stack including the $RA value and thus execute code on the device.
A heap-buffer overflow was found in the way samba clients processed extra long filename in a directory listing. A malicious samba server could use this flaw to cause arbitrary code execution on a samba client. Samba versions before 4.6.16, 4.7.9 and 4.8.4 are vulnerable.
Multiple buffer overflows in the IMAP service (imapd32.exe) in Ipswitch IMail Server 2006 before 2006.21 allow remote authenticated users to execute arbitrary code via the (1) Search or (2) Search Charset command.
An issue was discovered on D-Link DSL-3782 EU 1.01 devices. An authenticated user can pass a long buffer as a 'get' parameter to the '/userfs/bin/tcapi' binary (in the Diagnostics component) using the 'get <node_name attr>' function and cause memory corruption. Furthermore, it is possible to redirect the flow of the program and execute arbitrary code.
An issue was discovered on D-Link DSL-3782 EU 1.01 devices. An authenticated user can pass a long buffer as a 'commit' parameter to the '/userfs/bin/tcapi' binary (in the Diagnostics component) using the 'commit <node_name>' function and cause memory corruption. Furthermore, it is possible to redirect the flow of the program and execute arbitrary code.
Buffer overflow in Aterm HC100RC Ver1.0.1 and earlier allows attacker with administrator rights to execute arbitrary code via tools_system.cgi date parameter, time parameter, and offset parameter.
Buffer overflow in Aterm W300P Ver1.0.13 and earlier allows attacker with administrator rights to execute arbitrary code via submit-url parameter.
An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 devices. The device provides UPnP services that are available on port 3480 and can also be accessed via port 80 using the url "/port_3480". It seems that the UPnP services provide "request_image" as one of the service actions for a normal user to retrieve an image from a camera that is controlled by the controller. It seems that the "res" (resolution) parameter passed in the query string is not sanitized and is stored on the stack which allows an attacker to overflow the buffer. The function "LU::Generic_IP_Camera_Manager::REQ_Image" is activated when the lu_request_image is passed as the "id" parameter in the query string. This function then calls "LU::Generic_IP_Camera_Manager::GetUrlFromArguments". This function retrieves all the parameters passed in the query string including "res" and then uses the value passed in it to fill up buffer using the sprintf function. However, the function in this case lacks a simple length check and as a result an attacker who is able to send more than 184 characters can easily overflow the values stored on the stack including the $RA value and thus execute code on the device.
Buffer overflow in Aterm HC100RC Ver1.0.1 and earlier allows attacker with administrator rights to execute arbitrary code via netWizard.cgi date parameter, time parameter, and offset parameter.
Buffer overflow in Aterm W300P Ver1.0.13 and earlier allows attacker with administrator rights to execute arbitrary code via HTTP request and response.
KadNode version version 2.2.0 contains a Buffer Overflow vulnerability in Arguments when starting up the binary that can result in Control of program execution flow, leading to remote code execution.
Multiple stack-based buffer overflows in Icinga before 1.8.5, 1.9 before 1.9.4, and 1.10 before 1.10.2 allow remote authenticated users to cause a denial of service (crash) and possibly execute arbitrary code via a long string to the (1) display_nav_table, (2) page_limit_selector, (3) print_export_link, or (4) page_num_selector function in cgi/cgiutils.c; (5) status_page_num_selector function in cgi/status.c; or (6) display_command_expansion function in cgi/config.c. NOTE: this can be exploited without authentication by leveraging CVE-2013-7107.
Multiple stack-based buffer overflows in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allow remote authenticated users to cause a denial of service (crash) or possibly execute arbitrary code via vectors related to an incorrect MAXDATELEN constant and datetime values involving (1) intervals, (2) timestamps, or (3) timezones, a different vulnerability than CVE-2014-0065.
An issue was discovered on D-Link DSL-3782 EU 1.01 devices. An authenticated user can pass a long buffer as a 'read' parameter to the '/userfs/bin/tcapi' binary (in the Diagnostics component) using the 'read <node_name>' function and cause memory corruption. Furthermore, it is possible to redirect the flow of the program and execute arbitrary code.
A vulnerability was discovered in SPICE before version 0.14.1 where the generated code used for demarshalling messages lacked sufficient bounds checks. A malicious client or server, after authentication, could send specially crafted messages to its peer which would result in a crash or, potentially, other impacts.
Multiple buffer overflows in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allow remote authenticated users to have unspecified impact and attack vectors, a different vulnerability than CVE-2014-0063.
Buffer overflow in SYS.DBMS_DRS in Oracle Database 9.2.0.7 and 10.1.0.4 allows remote authenticated users to cause a denial of service (crash) or execute arbitrary code via the GET_PROPERTY function in SYS.DBMS_DRS, aka DB03.
An issue was discovered on D-Link DSL-3782 EU 1.01 devices. An authenticated user can pass a long buffer as a 'staticGet' parameter to the '/userfs/bin/tcapi' binary (in the Diagnostics component) using the 'staticGet <node_name attr>' function and cause memory corruption. Furthermore, it is possible to redirect the flow of the program and execute arbitrary code.
An issue was discovered on D-Link DSL-3782 EU 1.01 devices. An authenticated user can pass a long buffer as a 'show' parameter to the '/userfs/bin/tcapi' binary (in the Diagnostics component) using the 'show <node_name>' function and cause memory corruption. Furthermore, it is possible to redirect the flow of the program and execute arbitrary code.
An issue was discovered on D-Link DSL-3782 EU 1.01 devices. An authenticated user can pass a long buffer as an 'unset' parameter to the '/userfs/bin/tcapi' binary (in the Diagnostics component) using the 'unset <node_name>' function and cause memory corruption. Furthermore, it is possible to redirect the flow of the program and execute arbitrary code.
A vulnerability classified as critical has been found in emqx neuron up to 2.10.0. Affected is the function handle_add_plugin in the library cmd.library of the file plugins/restful/plugin_handle.c. The manipulation leads to buffer overflow. It is possible to launch the attack remotely. It is recommended to apply a patch to fix this issue.
A vulnerability, which was classified as critical, was found in TOTOLINK AC1200 T8 and AC1200 T10 4.1.5cu.861_B20230220/4.1.8cu.5207. This affects the function setParentalRules of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument desc/week/sTime/eTime leads to buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well. The vendor was contacted early about this disclosure but did not respond in any way.
** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in Vivotek CC8160 VVTK-0100d and classified as critical. Affected by this issue is the function read of the component httpd. The manipulation of the argument Content-Length leads to stack-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-273524. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the affected release tree is end-of-life.
A vulnerability, which was classified as critical, has been found in TOTOLINK EX1800T 9.1.0cu.2112_B20220316. This issue affects the function setRptWizardCfg of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument loginpass leads to stack-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
A vulnerability, which was classified as critical, was found in Tenda AC7 up to 15.03.06.44. This affects the function formSetFirewallCfg of the file /goform/SetFirewallCfg. The manipulation of the argument firewallEn leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
An issue was discovered on Securifi Almond, Almond+, and Almond 2015 devices with firmware AL-R096. The device provides a user with the capability of adding new routes to the device. It seems that the POST parameters passed in this request to set up routes on the device can be set in such a way that would result in overflowing the stack set up and allow an attacker to control the $ra register stored on the stack. If the firmware version AL-R096 is dissected using binwalk tool, we obtain a cpio-root archive which contains the filesystem set up on the device that contains all the binaries. The binary "goahead" is the one that has the vulnerable function that recieves the values sent by the POST request. If we open this binary in IDA-pro we will notice that this follows a MIPS little endian format. The function sub_00420F38 in IDA pro is identified to be receiving the values sent in the POST request. The POST parameter "gateway" allows to overflow the stack and control the $ra register after 1546 characters. The value from this post parameter is then copied on the stack at address 0x00421348 as shown below. This allows an attacker to provide the payload of his/her choice and finally take control of the device.
Stack buffer overflow in httpd in Asuswrt-Merlin firmware 380.67_0RT-AC5300 and earlier for ASUS devices and ASUS firmware for ASUS RT-AC5300, RT_AC1900P, RT-AC68U, RT-AC68P, RT-AC88U, RT-AC66U, RT-AC66U_B1, RT-AC58U, RT-AC56U, RT-AC55U, RT-AC52U, RT-AC51U, RT-N18U, RT-N66U, RT-N56U, RT-AC3200, RT-AC3100, RT_AC1200GU, RT_AC1200G, RT-AC1200, RT-AC53, RT-N12HP, RT-N12HP_B1, RT-N12D1, RT-N12+, RT_N12+_PRO, RT-N16, and RT-N300 devices allows remote attackers to execute arbitrary code on the router by sending a crafted http GET request packet that includes a long delete_offline_client parameter in the url.
Recently it was discovered as a part of the research on IoT devices in the most recent firmware for Shekar Endoscope that an attacker connected to the device Wi-Fi SSID can exploit a memory corruption issue and execute remote code on the device. This device acts as an Endoscope camera that allows its users to use it in various industrial systems and settings, car garages, and also in some cases in the medical clinics to get access to areas that are difficult for a human being to reach. Any breach of this system can allow an attacker to get access to video feed and pictures viewed by that user and might allow them to get a foot hold in air gapped networks especially in case of nation critical infrastructure/industries. The firmware contains binary uvc_stream that is the UDP daemon which is responsible for handling all the UDP requests that the device receives. The client application sends a UDP request to change the Wi-Fi name which contains the following format: "SETCMD0001+0002+[2 byte length of wifipassword]+[Wifipassword]. This request is handled by "control_Dev_thread" function which at address "0x00409AE4" compares the incoming request and determines if the 10th byte is 02 and if it is then it redirects to 0x0040A7D8, which calls the function "setwifipassword". The function "setwifipassword" uses a memcpy function but uses the length of the payload obtained by using strlen function as the third parameter which is the number of bytes to copy and this allows an attacker to overflow the function and control the $PC value.
Recently it was discovered as a part of the research on IoT devices in the most recent firmware for Shekar Endoscope that an attacker connected to the device Wi-Fi SSID can exploit a memory corruption issue and execute remote code on the device. This device acts as an Endoscope camera that allows its users to use it in various industrial systems and settings, car garages, and also in some cases in the medical clinics to get access to areas that are difficult for a human being to reach. Any breach of this system can allow an attacker to get access to video feed and pictures viewed by that user and might allow them to get a foot hold in air gapped networks especially in case of nation critical infrastructure/industries. The firmware contains binary uvc_stream that is the UDP daemon which is responsible for handling all the UDP requests that the device receives. The client application sends a UDP request to change the Wi-Fi name which contains the following format: "SETCMD0001+0001+[2 byte length of wifiname]+[Wifiname]. This request is handled by "control_Dev_thread" function which at address "0x00409AE0" compares the incoming request and determines if the 10th byte is 01 and if it is then it redirects to 0x0040A74C which calls the function "setwifiname". The function "setwifiname" uses a memcpy function but uses the length of the payload obtained by using strlen function as the third parameter which is the number of bytes to copy and this allows an attacker to overflow the function and control the $PC value.