[FD] 123ADV-001: Stack Buffer Overflow in Lotus 1-2-3 R3 for UNIX/Linux

2022-09-05 Thread Tavis Ormandy
About: The 123 command is a spreadsheet application for UNIX-based systems that can be used in interactive mode to create and modify financial and scientific models. For more information, see https://123r3.net Advisory: A stack buffer overflow was reported in the cell format processing routin

Re: [FD] Defense in depth -- the Microsoft way (part 80): 25 (in words: TWENTY-FIVE) year old TRIVIAL bug crashes CMD.exe

2022-05-12 Thread Tavis Ormandy
On 2022-05-10, Stefan Kanthak wrote: >| Their reasoning centers around the requirement to have admin >| privileges to pull off the attack. > > OUCH! Unprivileged users can but write this registry entry below > [HKEY_CURRENT_USER\Software\Microsoft\Command Processor] They're explainin

Re: [FD] #WorldPenguinDay or this cant be right, can it?

2015-05-01 Thread Tavis Ormandy
On 1 May 2015 at 00:11, PIN wrote: >> It sounds like you're asking "If I can learn an address, have I defeated >> ASLR", and the answer is usually yes. > > Really? Because leaking a heap address in windows, openbsd, etc doesn't > yield a full collapse of all loaded modules randomization given the

Re: [FD] #WorldPenguinDay or this cant be right, can it?

2015-04-30 Thread Tavis Ormandy
PIN wrote: > address space layout of a linux process. It sounds like you're asking "If I can learn an address, have I defeated ASLR", and the answer is usually yes. It depends on the circumstances of course, but leaking any address to an attacker would usually be considered a bug and renders ASL

[FD] Problems in automatic crash analysis frameworks

2015-04-14 Thread Tavis Ormandy
-rw-r--r--. 1 taviso abrt 2421 Apr 13 11:15 /etc/passwd In case it isn't obvious, you can then give yourself uid zero. $ getent passwd taviso taviso:x:1000:1000:Tavis Ormandy:/home/taviso:/bin/bash $ vi /etc/passwd $ getent passwd taviso taviso:x:0:0:Tavis Ormandy:/home/taviso:/bin/bash

[FD] CVE-2014-5119 glibc __gconv_translit_find() exploit

2014-08-25 Thread Tavis Ormandy
List, back in July, I described CVE-2014-5119, a fiendish single-fixed-byte heap metadata overflow in the glibc internal routine __gconv_translit_find(). This is caused by the file extension being incorrectly appended to the transliteration module filename. The result is one too few bytes are allo
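The allocation-size mistake described in the message above, reduced to a constructed illustration (this is added example code, not glibc's __gconv_translit_find() and not Tavis's exploit): the name of a module is built as "<name>" + ".so", the size budget counts the three extension bytes but not the NUL that must follow them, so the copy writes one byte past the end of the buffer. The hardened builder refuses to write unless the destination can hold the full string. The name "TEST", the helper names and the ".so" extension are assumptions for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration of the bug class (not glibc's code). */
#define MODULE_EXT ".so"

/* Size a buggy caller would allocate: the name plus 3 bytes for ".so",
 * forgetting the terminating NUL that strcpy() appends. */
size_t buggy_alloc_size(const char *name)
{
    return strlen(name) + 3;
}

/* Bytes actually written when ".so" is appended to the name:
 * name, extension and terminating NUL. */
size_t bytes_written(const char *name)
{
    return strlen(name) + strlen(MODULE_EXT) + 1;
}

/* Hardened builder: writes "<name>.so" into out only if cap covers the
 * whole string including its NUL. Returns 0 on success, -1 if cap is
 * too small (which is exactly the buggy_alloc_size() case). */
int build_module_name(const char *name, char *out, size_t cap)
{
    size_t nlen = strlen(name);
    if (cap < bytes_written(name))
        return -1;
    memcpy(out, name, nlen);
    memcpy(out + nlen, MODULE_EXT, strlen(MODULE_EXT) + 1);
    return 0;
}

int main(void)
{
    const char *name = "TEST";   /* constructed input */
    char buf[64];

    printf("buggy allocation: %zu bytes, actually written: %zu bytes\n",
           buggy_alloc_size(name), bytes_written(name));
    if (build_module_name(name, buf, buggy_alloc_size(name)) < 0)
        puts("refused: destination is one byte too small");
    if (build_module_name(name, buf, sizeof buf) == 0)
        printf("built: %s\n", buf);
    return 0;
}
```

The refusal is the check that was missing: on a heap allocator that stores chunk metadata directly after user data, that single stray NUL is what the message calls a single-fixed-byte heap metadata overflow.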

[FD] Windows 8 Touch Injection API doesn't handle memory pressure

2014-05-22 Thread Tavis Ormandy
2") #pragma comment(lib, "advapi32") // InitializeTouchInjection() Win8.1 Testcase // -- Tavis Ormandy , Feb 2014. int main(int argc, char **argv) { POINTER_TOUCH_INFO Contact; SID_AND_ATTRIBUTES SidToRestricted; ULONG Size; HANDLE Handle; ZeroMemory(&a

[FD] NULL page mitigations on Windows 8 x86

2014-05-21 Thread Tavis Ormandy
ndows 8 specific (uses Xferable Objects), but the bug can // be triggered without that feature in a more complicated way. // // Tavis Ormandy -- tav...@cmpxchg8b.com Feb 2014. NTSTATUS SystemCall(DWORD Number, PVOID Args, ...) { NTSTATUS Status; SetLastError(0); __try { __as

Re: [FD] Beginners error: Hewlett-Packards driver software executes rogue binary C:\Program.exe

2014-05-21 Thread Tavis Ormandy
bly has an n x m matrix that they'd have to issue fix for, which > quickly explodes into upper two or even three digit numbers. > > -coderaptor > > On Wed, May 21, 2014 at 6:57 AM, Tavis Ormandy wrote: >> On 21 May 2014 02:13, Project Un1c0rn wrote: >>> ---

Re: [FD] Beginners error: Hewlett-Packards driver software executes rogue binary C:\Program.exe

2014-05-21 Thread Tavis Ormandy
> Uh, Thanks, I'll keep that in mind. > - - > > Project Un1c0rn > http://un1c0rn.net > http://unicorntufgvuhbi.onion > > On 05/21/2014 06:10 AM, Tavis Ormandy wrote: >> "Stefan Kanthak" wrote: >> >>> Hi @ll, >>> >>>

Re: [FD] Beginners error: Hewlett-Packards driver software executes rogue binary C:\Program.exe

2014-05-20 Thread Tavis Ormandy
"Stefan Kanthak" wrote: > Hi @ll, > > several programs of the current Windows 7 driver software for the "HP > OfficeJet 6700" multifunction device execute a rogue program > C:\Program.exe > > It sounds like a bug, but why is this a security issue? I can only imagine two possible scenarios 1.
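Why an HP driver ends up running C:\Program.exe: when CreateProcess is given a NULL application name and an unquoted command line containing spaces, it treats each space-delimited prefix of the line as a possible executable, appending ".exe" when the prefix has no extension, and runs the first one that exists. The added C example below (not HP's code and not from the thread) enumerates those candidates for a command line so you can see which paths an unprivileged user would need to create; the HP-style path and the /silent argument are constructed inputs. It follows the lookup order documented for CreateProcess; it does not touch the filesystem, so it runs anywhere.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_CANDIDATES 16

/* True if the last backslash-separated component of s[0..len) has a '.' */
static int has_extension(const char *s, size_t len)
{
    for (size_t i = len; i > 0; i--) {
        char c = s[i - 1];
        if (c == '.')
            return 1;
        if (c == '\\')
            return 0;
    }
    return 0;
}

/* Copy s[0..len) into a fresh buffer, appending ".exe" if it lacks an
 * extension (CreateProcess does the same). Caller frees. */
static char *make_candidate(const char *s, size_t len)
{
    char *cand = malloc(len + 5);      /* prefix + ".exe" + NUL */
    if (!cand)
        return NULL;
    memcpy(cand, s, len);
    cand[len] = '\0';
    if (!has_extension(cand, len))
        memcpy(cand + len, ".exe", 5);
    return cand;
}

/* Fill out[] with the executables CreateProcess would try, in order, for
 * an lpCommandLine with lpApplicationName == NULL. Returns the count.
 * A quoted command line yields exactly one candidate: the quoted token. */
int createprocess_candidates(const char *cmdline, char **out, int max)
{
    int n = 0;
    size_t len = strlen(cmdline);

    if (max < 1)
        return 0;
    if (len > 0 && cmdline[0] == '"') {
        const char *end = strchr(cmdline + 1, '"');
        size_t plen = end ? (size_t)(end - cmdline - 1) : len - 1;
        char *cand = make_candidate(cmdline + 1, plen);
        if (!cand)
            return 0;
        out[n++] = cand;
        return n;
    }
    /* Unquoted: every prefix ending just before a space, then the whole line. */
    for (size_t i = 1; i <= len && n < max; i++) {
        if (i != len && cmdline[i] != ' ')
            continue;
        char *cand = make_candidate(cmdline, i);
        if (!cand)
            break;
        out[n++] = cand;
    }
    return n;
}

int main(int argc, char **argv)
{
    /* Constructed command line in the style of the HP issue. */
    const char *cmd = argc > 1 ? argv[1]
                               : "C:\\Program Files\\HP\\hpfoo.exe /silent";
    char *cands[MAX_CANDIDATES];
    int n = createprocess_candidates(cmd, cands, MAX_CANDIDATES);

    printf("CreateProcess search order for: %s\n", cmd);
    for (int i = 0; i < n; i++) {
        printf("  %d: %s\n", i + 1, cands[i]);
        free(cands[i]);
    }
    return 0;
}
```

The first candidate printed for the unquoted line is C:\Program.exe, which by default any authenticated user can create in the root of the system drive; wrapping the path in quotes collapses the list to the single intended executable, which is the fix.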