CoreLabs IT Security Research: Vulnerability Advisories
CoreLabs regularly publishes security advisories about vulnerabilities we discovered or found collaboratively with other IS professionals.
Our latest advisories are signed with the PGP key of Core Security Technologies Advisories Team which is available for download here.
06.23.2010
June 23rd - Francisco Falcon
Novell iManager is prone to a stack-based buffer overflow vulnerability that can be exploited by authenticated users to execute arbitrary code, and to an off-by-one error that can be abused by remote, unauthenticated attackers to cause a Denial of Service in the application.
06.14.2010
June 14th - Mauro Olea and Nahuel Riva
XnView is prone to a security vulnerability when processing MBM files. This vulnerability could be exploited by a remote attacker to execute arbitrary code on the target machine, by enticing the user of XnView to open a specially crafted file.
06.08.2010
June 8th - 7Safe and Pedro Varangot
There is an SQL Injection[1] vulnerability in the CubeCart PHP Shopping cart[2]. This vulnerability may be exploited by HTTP POSTing malicious data to the index.php script of CubeCart. As an example, exploitation may result in a leak of sensitive information or injection of malicious code into the shopping cart's web page.
05.11.2010
May 11th - Nahuel Riva
Adobe Director is prone to a memory corruption vulnerability due to an invalid write in DIRAPI.DLL, when opening a malformed .dir file.
This vulnerability could be used by a remote attacker to execute arbitrary code, by enticing the user of Adobe Director to open a specially crafted file.
05.04.2010
May 04th - Nicolás Economou
Nicolás Economou discovered two vulnerabilities in Windows SMTP Service and Microsoft Exchange while researching the fixes issued in Microsoft's Security Bulletin MS10-024 published April 13, 2010. The vulnerabilities in this security advisory were fixed by the patches referenced in MS10-024 but were not disclosed in the vendor's security bulletin and did not have a unique vulnerability identifier assigned to them. As a result, the guidance and the assessment of risk derived from reading the vendor's security bulletin may overlook or misrepresent actual threat scenarios.
An attacker may leverage the two undisclosed vulnerabilities fixed by MS10-014 to spoof responses to any DNS query sent by the Windows SMTP service or Microsoft Exchange servers. DNS response spoofing and cache poisoning attacks are well known to have a variety of security implications with impact that goes beyond just Denial of Service and Information Disclosure as was stated in MS10-024.
05.04.2010
May 04th - Daniel Kazimirow
MS Office Visio is prone to a buffer overflow vulnerability when inserting malformed DXF files into a Visio document, leading to arbitrary code execution.
04.20.2010
April 20th - 7Safe
A Cross Site Scripting (XSS) vulnerability has been discovered in CactuShop. This vulnerability occurs in the file that processes the user invoices (_invoice.asp). A malicious user can abuse this flaw by requesting an invoice and thus tricking an admin user into issuing him an invoice.
04.06.2010
April 6th - Alejandro Rodriguez
An XSS vulnerability has been discovered in NextGEN Gallery, a very popular and commonly used plugin for WordPress. This vulnerability can be exploited in almost all versions and configurations of Internet Explorer.
03.16.2010
16th March - Nicolás Economou
A vulnerability found in the memory management of the Virtual Machine Monitor makes memory pages mapped above 2GB available with read or read/write access to user-space programs running in a Guest operating system. By leveraging this vulnerability it is possible to bypass security mechanisms of the operating system such as Data Execution Prevention (DEP), Safe Structured Error Handling (SafeSEH) and Address Space Layout Randomization (ASLR), which are designed to prevent exploitation of security bugs in applications running on Windows operating systems.
03.16.2010
16th March - 7safe's Penetration Testing Team
eFront is vulnerable to a local file inclusion vulnerability, which allows an external remote attacker to upload an arbitrary file and execute code on the vulnerable website learning platform.
03.09.2010
9th March - Damian Frizza
A memory corruption occurs on Microsoft Office Excel 2002 when parsing a .XLS file with a malformed DbOrParamQry record. This vulnerability could be used by a remote attacker to execute arbitrary code in the context of the currently logged on user, by enticing the user to open a specially crafted file.
03.09.2010
9th March - Damian Frizza
A vulnerability was found in Windows Movie Maker and Microsoft Producer, which can be triggered by a remote attacker by sending a specially crafted file and enticing the user to open it. This vulnerability results in a write access violation and can lead to remote code execution.
03.02.2010
2nd March - Diego Juarez and Nadia Rodríguez
An attacker can take full control of the machine where Luxology Modo 401 is installed by sending a specially crafted .LXO file and enticing the user to open it.
02.09.2010
9th February - Damián Frizza
A vulnerability exists in MSO.DLL affecting Excel 9 (Office 2000) and Excel 10 (Office XP) leading to code execution in the context of the currently logged on user.
02.05.2010
5th February - Dan Crowley
This advisory describes multiple vulnerabilities based on quirks in how Windows handles file names. The affected software is the Windows version of the following web servers: Nginx, Cherokee, Mongoose and LightTPD.
02.04.2010
4th February - Aureliano Calvo and Adrián Manrique
A cross-site request forgery that allows an external remote attacker to perform a command injection that can be used to execute arbitrary code as the webserver user. As a result, an attacker can remove the firewall and load a kernel module, allowing root access to the appliance. It can also be used as a non-persistent XSS.
02.03.2010
3rd February - Jorge Luis Álvarez Medina
This advisory describes two vulnerabilities that provide access to any file stored on a user's desktop system if it is running a vulnerable version of Internet Explorer. These vulnerabilities can be used in attacks combined with a number of insecure features of Internet Explorer to provide remote access to locally stored files without the need for any further action from the victim after visiting a website controlled by the attacker.
02.01.2010
1st February - Francisco Falcon
Corel Paint Shop Pro Photo X2 is prone to a heap-based buffer overflow when processing malformed FPX files. This vulnerability can be exploited to overwrite the metadata of adjacent heap chunks, and possibly to gain arbitrary code execution.
02.01.2010
1st February - Matias Pablo Brutti
Cisco Secure Desktop is prone to a cross-site scripting vulnerability due to insufficient validation of a POST request, leading to remote code execution.
01.13.2010
13th January - Francisco Falcon
Google SketchUp is prone to a memory corruption vulnerability when importing malformed 3DS files, possibly leading to arbitrary code execution.
12.09.2009
9th December - Pablo Annetta
Multiple injection (both XSS and SQL) vulnerabilities have been discovered in Testlink. One of the XSS vulnerabilities, discovered in its login screen, can be exploited without an authenticated session.
12.02.2009
December 2nd - Diego Juarez
An attacker could abuse the scripting interface by enticing an unsuspecting user to open a malicious scripting file, thus obtaining remote code execution.
11.23.2009
November 23rd - Diego Juarez
An attacker can take full control of the machine where Maya is installed by sending a specially crafted scene package and enticing the user to open it.
11.23.2009
November 23rd - Sebastián Tello
This can be exploited by an attacker to execute arbitrary code by enticing a victim to open a .max file with MaxScript application callbacks embedded.
11.23.2009
November 23rd - Diego Juarez, Fernando Arnaboldi and Federico Charosky
Scene TOC XML files can be modified to execute arbitrary commands without user intervention by design. An attacker can take full control of the machine where SoftImage is installed by sending a specially crafted scene package and enticing the user to open it.
11.18.2009
November 18th - Damián Frizza
A remotely exploitable vulnerability was found in the IBM SolidDB server core component. Exploitation of this bug does not require authentication and will lead to a remotely triggered denial of service of the database service.
11.17.2009
November 17th - Damián Frizza
A remotely exploitable vulnerability was found in the database server core component used by HP Openview Network Node Manager. Exploitation of the bug does not require authentication and will lead to a remotely triggered denial of service of the internal database service.
11.05.2009
November 3rd - Sebastian Tello
Blender .blend project files can be modified to execute arbitrary commands without user intervention.
10.06.2009
October 6th - Aureliano Calvo
Jetty includes several sample web applications for the developer to learn from. One of them is vulnerable to a persistent XSS vulnerability.
10.05.2009
October 5th - Gaston Rey and Pablo Carballo
Multiple cross-site scripting vulnerabilities (both stored and reflected) have been found in the web interface of Hyperic HQ, which can be exploited by an attacker to execute arbitrary JavaScript code in the context of the browser of a legitimate logged in user.
08.31.2009
August 31st - Pablo Jorge and Alberto Soliño
A remote code-execution vulnerability has been found by researchers from Core Security Technologies in the TFTP server of dnsmasq. In certain scenarios, remote code execution as the user running the service may be possible. This advisory also includes information about a remote denial of service, also in TFTP, independently reported to dnsmasq's authors.
08.18.2009
August 18th - Federico Muttis
A remote arbitrary-code-execution vulnerability has been found in Libpurple (used by Pidgin and Adium instant messaging clients, among others), which can be triggered by a remote attacker by sending a specially crafted MSNSLP packet with invalid data to the client through the MSN server. No victim interaction is required, and the attacker is not required to be in the victim's buddy list (under default configuration).
07.28.2009
July 28th - Francisco Falcon
A remote denial of service vulnerability has been found in Firebird SQL, which can be triggered by a remote attacker by sending an unexpected op_connect_request packet with invalid data to the server.
07.17.2009
July 17th - Damian Frizza
Helix Server is a multi-format cross-platform streaming server. Two vulnerabilities have been found that could allow a remote attacker to crash the Helix Server.
07.08.2009
July 8th - Diego Juarez
Awakening's Winds3D Viewer, which runs as a plugin within most popular web browsers, is vulnerable to a remotely exploitable arbitrary command execution vulnerability which can be triggered by making the user visit a malicious link/website.
07.08.2009
July 8th - Fernando Arnaboldi and Jose Orlicki
A vulnerability was found in the way that WordPress handles some local file includes in admin.php. This results in unprivileged users accessing and modifying the content of some plugin configuration pages. Other sensitive username information disclosures were found in WordPress.
06.09.2009
June 9th - Jorge Luis Alvarez Medina
This advisory describes a vulnerability that provides access to the contents of any file stored in the local filesystem of a user's machine running vulnerable versions of IE. Exploitation of the vulnerability relies solely on the ability of a would-be attacker to provide malicious HTML content from a website and to predict the full pathname of the file that will be used to cache it locally on the victim's system. If the entire path name can be predicted, the attacker can cause a redirection to the locally stored file using a URI specified in UNC form and force the local content to be rendered as an HTML document, which permits running scripting commands and instantiating certain ActiveX controls. As a result of a successful attack, security- or privacy-sensitive information can be obtained by an attacker, including but not limited to user authentication credentials for any web application domain, HTTP cookies, session management data, cached content of web applications in different domains and any files stored on local filesystems.
06.09.2009
June 9th - Diego Juarez
DX Studio is a complete integrated development environment for creating interactive 3D graphics. DX Studio Player plug-in for Firefox is vulnerable to a remote command execution vulnerability.
06.02.2009
June 1st - Anibal Sacco
CUPS provides a portable printing layer for UNIX based operating systems. A flaw has been identified in the CUPS application when handling the IPP_TAG_UNSUPPORTED tag, which could be exploited by attackers to cause a remote pre-authentication denial of service.
05.28.2009
May 28th - Diego Juarez
Ston3D WebPlayer and Ston3D StandalonePlayer are vulnerable to a command injection vulnerability, which can be exploited by malicious remote attackers. This flaw can be exploited to execute arbitrary commands with the privileges of the Ston3D player by opening a specially crafted file.
05.20.2009
May 20th - The SCS team from Core Security Technologies
Several cross-site scripting vulnerabilities (XSS) were found in the Sun Java System Communications Express. These vulnerabilities allow an attacker to execute arbitrary scripting code in the context of the user's browser (in the vulnerable application's domain).
04.21.2009
April 21st - SCS Team
An HTTP Response Splitting vulnerability has been discovered in Sun Java System Delegated Administrator. This vulnerability allows proxy cache-poisoning attacks that affect the proxy's user base when requesting a web page that belongs to the affected domain, redirection attacks, or other kinds of Cross-Site Scripting attacks.
03.31.2009
March 31st - SCS team from Core Security Technologies
Several vulnerabilities have been discovered in Sun Java System Calendar Express web server.
03.23.2009
March 23rd - Oren Isacson
Several buffer overflows have been found in HP OpenView Network Node Manager, which can be exploited to remotely compromise a user's system.
03.09.2009
March 9th - Francisco Falcon
Foxit Reader is a lightweight, free PDF document viewer and printer. PDF files may include actions (e.g., Go to a page view, Open/Execute a file, Open a web link, Execute a menu item) associated with different triggers (e.g., Mouse Up, Mouse Down, Page Visible, Page Invisible). The way Foxit Reader handles an Open/Execute a file action makes the software subject to two kinds of vulnerabilities: authorization bypass and buffer overflow.
02.03.2009
February 3rd - Ariel Futoransky, Fernando Russ and Alfredo Ortega
Multiple integer overflow vulnerabilities have been discovered in UltraVNC and TightVNC open source applications. The vulnerabilities cause a miscalculation of a buffer size on the heap, allowing an attacker to corrupt a VNC client heap and can probably allow code execution (exploitation is very likely).
01.28.2009
January 28th - Dan Crowley and Alfredo Ortega
Amaya is the W3C's Web editor/browser, a tool used to create and update documents directly on the Web. Multiple stack buffer overflow vulnerabilities have been discovered in Amaya, which can be exploited by unauthorized people using crafted web pages to compromise a user's system.
01.08.2009
January 8th - Federico Muttis
Multiple cross-site scripting vulnerabilities have been found in Openfire, which may lead to arbitrary remote code execution on the server running the application due to unauthorized upload of Java plugin code.
12.22.2008
December 22nd - Alfredo Ortega
The VNC server of the Qemu and KVM virtualization solutions is vulnerable to a remote DoS: when specially crafted packets are received by the host VNC server, they cause an infinite loop.
12.10.2008
December 10th - Ricardo Narvaja
A vulnerability has been found in the way that Microsoft Word handles specially crafted Word files. The vulnerability could allow remote code execution if a user opens a specially crafted Word file that includes a malformed record value.
12.09.2008
December 9th - Alfredo Ortega
Vinagre is a VNC client for the GNOME Desktop and it is prone to a remote format string vulnerability. Successful exploits may allow attackers to execute arbitrary code in the context of the application.
11.04.2008
November 4th - Damian Frizza
Adobe Reader suffers from a stack buffer overflow when parsing specially crafted (invalid) PDF files. The vulnerability is caused due to a boundary error when parsing format strings containing a floating point specifier in the "util.printf()" JavaScript function.
10.14.2008
October 14th - Francisco Falcon
VLC media player is vulnerable to a memory corruption vulnerability, which can be exploited by malicious remote attackers to compromise a user's system, by providing a specially crafted XSPF playlist file.
09.12.2008
September 12th - Nicolas Economou
Apple's Safari is the default web browser included on Apple's iPhone. A vulnerability has been found in the WebKit library used by Safari on the iPhone. By passing a special string to the alert() JavaScript method it is possible to crash Safari via an out-of-bounds memory read triggering an access violation.
08.20.2008
August 20th - Federico Muttis
An XSS vulnerability has been discovered in vBulletin that could allow an attacker to carry out an action impersonating a legitimate user, or to obtain access to a user's account. This flaw allows unauthorized disclosure and modification of information, and it allows disruption of service.
08.20.2008
August 20th - Francisco Falcón
Anzio Web Print Object is vulnerable to a buffer overflow attack, which can be exploited by remote attackers to execute arbitrary code, by providing a malicious web page with a long "mainurl" parameter for the WePO ActiveX component.
08.13.2008
August 13th - Jorge Luis Alvarez Medina
Issues have been found in the way that Internet Explorer security policies are applied: when a remote site attempts to access a local resource, Internet Explorer will fail to enforce the Zone Elevation restrictions; and when browsing a remote site, Internet Explorer will not apply the right Security Zone permissions, allowing a site belonging to a less secure zone to be treated as one belonging to a more privileged zone.
08.04.2008
August 4th - Anibal Sacco
Local exploitation of an input validation vulnerability within VirtualBox's VBoxDrv.sys driver could allow an unprivileged attacker to execute arbitrary code within the kernel of a Windows host operating system.
06.11.2008
June 11th - Sebastián Muñiz and Nicolás Economou
A vulnerability was found in CitectSCADA that could allow a remote unauthenticated attacker to force an abnormal termination of the vulnerable software (Denial of Service) or to execute arbitrary code on vulnerable systems to gain complete control of the software. To accomplish this, the would-be attacker must be able to connect to the vulnerable service on a high TCP port.
06.04.2008
June 4th - Alfredo Ortega
The NASA BigView package suffers from a stack buffer overflow when parsing specially crafted (invalid) PNM input files. If successful, a malicious third party could trigger execution of arbitrary code within the context of the application, or otherwise crash the whole application.
05.21.2008
May 21st - Rodrigo Carvalho and Ricardo Narvaja
Three vulnerabilities discovered in the iCal application may allow unauthenticated attackers to execute arbitrary code on vulnerable systems with (and potentially without) assistance from the end user of the application, or to repeatedly execute a denial of service attack to crash the iCal application.
05.20.2008
May 20th - Damian Frizza and Alfredo Ortega
The Borland Interbase 2007 database server [1] is vulnerable to an integer overflow when a malformed packet is sent to the default TCP port 3050. The integer overflow can cause a stack overflow, which allows arbitrary code execution with system privileges.
05.05.2008
May 5th - Alfredo Ortega
NASA's popular CDF open source library is vulnerable to a stack-based buffer overflow, enabling client-side attacks on users and server-side attacks on web services.
05.05.2008
April 30th - Sebastián Muñiz
This is a remote denial of service vulnerability found in a component that is part of the WonderWare InTouch supervisory HMI software. HMI stands for Human-Machine Interface and it is the term commonly used to refer to the user interface of Process Control Systems software. The vulnerability allows an attacker to crash the SuiteLink Service, which is used by WonderWare InTouch software to receive input from devices on the network over TCP/IP.
04.28.2008
28th April - Damian Saura, Anibal Sacco, Dario Menichelli, Norberto Kueffner, Andres Blanco and Rodrigo Carvalho
Insufficient argument validation of hooked SSDT functions in multiple Antivirus and Firewall products (BitDefender Antivirus, Comodo Firewall, Sophos Antivirus and Rising Antivirus) has been found that could lead to a local Denial of Service (DoS) and possibly to code execution attacks.
04.03.2008
April 3rd - Diego Juarez
Orbit downloader is vulnerable to a buffer overflow attack, which can be exploited by malicious remote attackers to execute arbitrary code.
03.25.2008
March 25th - Ariel Waissbein, Pedro Varangot, Martin Mizrahi, Oren Isacson, Carlos Garcia and Ivan Arce
A remote buffer overflow vulnerability found in a library used by both the SILC server and client to process packets containing cryptographic material may allow an unauthenticated client to execute arbitrary code on the server with the privileges of the user account running the server, or a malicious SILC server to compromise client systems and execute arbitrary code with the privileges of the user account running the SILC client program.
03.18.2008
March 18th - Rodrigo Carvalho
The Wiki Server is vulnerable to a path traversal attack, which can be exploited by non-privileged system users via a forged file upload to write arbitrary files on locations in the server filesystem, restricted only by privileges of the Wiki Server application.
03.11.2008
March 11th - Sebastián Muñiz
The vulnerabilities discovered allow a remote attacker to upload a file to an arbitrary location on the victim's machine and forge peer information on the log lines of the victim's application.
03.04.2008
4th March - Alfredo Ortega
Several vulnerabilities have been found in Android's core libraries for processing graphic content in some of the most widely used image formats (PNG, GIF and BMP). While some of these vulnerabilities stem from the use of outdated and vulnerable open source image processing libraries, others were introduced by native Android code that uses those libraries or implements new functionality.
02.27.2008
27th February - Felipe Manzano and Anibal Sacco
The Videolan (VLC) media player package is vulnerable to an arbitrary memory corruption vulnerability, which can be exploited by malicious remote attackers to compromise a user's system.
02.25.2008
25th February - Gerardo Richarte and Nicolas Economou
A vulnerability was found in VMware's shared folders mechanism that grants users of a Guest system read and write access to any portion of the Host's file system, including the system folder and other security-sensitive files. Exploitation of this vulnerability allows attackers to break out of an isolated Guest system to compromise the underlying Host system that controls it.
02.04.2008
February 4th - Damian Frizza and Alfredo Ortega
The MPlayer package (and other related projects) is vulnerable to a buffer overflow attack, which can be exploited by malicious remote attackers.
02.04.2008
February 4th - Felipe Manzano and Anibal Sacco
The MPlayer package is vulnerable to an arbitrary pointer dereference vulnerability, which can be exploited by malicious remote attackers to compromise a user's system.
01.28.2008
January 28th - Damian Frizza and Alfredo Ortega
The Firebird database manager contains an integer overflow in the processing of certain tags on the XDR protocol used for communication with the server. The vulnerability allows remote attackers to crash the system (denial of service) and potentially execute arbitrary code.
01.17.2008
January 17th - Sebastian Gottschalk
A locally exploitable kernel buffer overflow vulnerability has been found in the CORE FORCE firewall module. The vulnerability allows unprivileged logged-on users to crash the system (denial of service), write data into kernel memory and potentially execute arbitrary code in the kernel.
01.07.2008
January 7th - Alfredo Ortega and Oren Isacson
The vdccm daemon (part of the SynCE package) is vulnerable to a remote command injection, which can be exploited by malicious remote attackers.
12.03.2007
December 3rd - Ricardo Narvaja
A vulnerability has been found in the ActiveX control DLL (axvlc.dll) used by VLC player. This library contains three methods whose parameters are not correctly checked, and may produce a badly initialized pointer. By providing these functions with specially crafted parameters, an attacker can overwrite memory zones and execute arbitrary code.
11.27.2007
November 27th - Sebastian Muniz
Several buffer overflow vulnerabilities were found in the third-party library used by Lotus Notes to process Lotus 1-2-3 file attachments.
10.10.2007
October 10th - Nahuel Riva and Gerardo Richarte
A vulnerability found in OpenBSD's dhcpd allows attackers on the local network to remotely cause the DHCP server to corrupt its process memory and crash; or continue functioning erratically thus denying service to all DHCP clients on the network and, if PF updates are in use, potentially affecting egress/ingress filtering as well.
09.25.2007
September 25th - Lucas Lavarello
A vulnerability was discovered in AIM 6.1 (and 6.2 beta), AIM Pro and AIM Lite, which exposes workstations running the IM clients and their users to several immediate high-risk attack vectors.
03.13.2007
March 13th - Alfredo Ortega with assistance from Mario Vilas and Gerardo Richarte
The vulnerability is due to improper handling of kernel memory buffers using mbuf structures. The vulnerability is triggered by OpenBSD-specific code at the mbuf layer and developed to accommodate the processing of IPv6 protocol packets.
03.05.2007
March 5th - Gerardo Richarte
Scripts and applications using GnuPG are prone to a vulnerability in how signature verification information is shown to the end user. An attacker is able to add arbitrary content to a signed message. The receiver of the message (using a mail client such as Enigmail to read the message) will not be able to distinguish the forged and the properly signed parts of the message.
12.13.2006
December 13th - Alfredo Ortega
A locally exploitable stack overflow vulnerability has been found in the mod_ctrls module of ProFTPD server. The vulnerability allows local attackers with access to the Controls features (and who have been allowed by Controls ACLs in proftpd.conf) to gain root privileges.
09.07.2006
September 7th - Luciana Tabo, Lucas Lavarello, Sebastian Cufre, Ezequiel Gutesman and Javier Garcia Di Palma
A vulnerability found in the way the ICQ Pro 2003b client handles incoming message lengths could lead to denial of service attacks and remote compromise of systems running vulnerable versions of the client.
09.07.2006
September 7th - Lucas Lavarello, Sebastian Cufre, Ezequiel Gutesman, Javier Garcia Di Palma and Luciana Tabo
Security problems found in the ICQ Toolbar v1.3 may allow attackers to control and change configuration settings and to inject scripting code into RSS feed contents and execute it in the context of the feed interface (IE's Local Zone).
08.14.2006
August 14th, 2006 - Gerardo Richarte
While investigating the Microsoft Server Service Mailslot heap overflow vulnerability reported in Microsoft Security Bulletin MS06-035 [1], Core Security Technologies researcher Gerardo Richarte discovered a second bug in the server service.
06.09.2006
June 9th, 2006 - Damian Saura, Alejandro Lozanoff, Eduardo Koch, Norberto Kueffner and Ivan Arce
A vulnerability found in Asterisk's handling of IAX2 video frames could lead to remote compromise of the system running vulnerable versions of the PBX software through execution of arbitrary code of the attacker's choosing with the privileges of the Asterisk daemon.
06.09.2006
June 9th, 2006 - Damian Saura, Alejandro Lozanoff, Eduardo Koch, Norberto Kueffner and Ivan Arce
IAXclient is an open source library that implements the IAX2 VoIP protocol used by the Asterisk IP PBX and several VoIP software phones. Two vulnerabilities have been found in the library that may grant attackers remote execution of arbitrary code on systems using software packages that rely on it to implement IAX2 protocol support.
03.20.2006
March 20th, 2006 - Alberto Soliño
A cross-site scripting vulnerability found in Verisign's haydn.exe could allow an attacker to execute scripting code in a user's web browser with the trust level of the site hosting the haydn.exe file.
07.12.2005
July 12th, 2005 - Ariel Sanchez
A buffer overflow vulnerability was found in the status command. Remote exploitation of this vulnerability could allow an attacker to execute arbitrary code with System privileges. The status command requires an authenticated session, so valid credentials are required.
02.08.2005
February 8th, 2005 - Juliano Rizzo
A vulnerability found in the parsing of PNG images could allow an attacker to execute arbitrary code in the chat partner's machine and gain access to the system with the privileges of the user running the MSN Messenger client program.
This vulnerability can be exploited on Windows 2000 (all service packs) and Windows XP (all service packs) that run vulnerable clients of MSN Messenger.
10.12.2004
October 12th, 2004 - Lucas Lavarello and Juliano Rizzo
Microsoft IIS provides organizations using it with the ability to service and route news using the Network News Transfer Protocol (NNTP) with the Microsoft NNTP service listening on port 119/tcp, and optionally on port 563/tcp for SSL encrypted connections.
Multiple vulnerabilities were found in Microsoft IIS that could allow an attacker to execute arbitrary commands on vulnerable systems running the Microsoft IIS NNTP service.
08.09.2004
August 9th, 2004 - Juan Pablo Martinez Kuhn
Two vulnerabilities were found in cfservd, a daemon which acts as both a file server and a remote cfagent executor. This daemon authenticates requests from the network and processes them. If exploited, the first vulnerability allows an attacker to execute arbitrary code with root privileges. The second vulnerability allows an attacker to crash the server, denying service to further requests.
Cfservd uses an IP-based access control (AllowConnectionsFrom) which must be passed before the vulnerabilities can be exploited. The level of risk thus depends on how this access control is configured.
08.04.2004
August 4th, 2004 - Daniel De Luca, Laura Nuñez and Carlos Sarraute
By sending specially crafted packets to the client during the authentication process, an attacker is able to compromise and execute arbitrary code on the machine running PuTTY or PSCP.
In SSH2, an attacker impersonating a trusted host can launch an attack before the client has the ability to determine the difference between the trusted and fake host. This attack is performed before host key verification.
WinSCP is an open source SFTP (SSH File Transfer Protocol) and SCP (Secure CoPy) client for Windows using SSH (Secure SHell). The SSH core of WinSCP is based on PuTTY and is affected by the same vulnerabilities.
12.10.2003
December 10th, 2003 - Javier Kohen and Juliano Rizzo
Core Security Technologies researchers discovered new attack vectors for recently published vulnerabilities in Microsoft Windows operating systems.
These new attack methods were found while researching exploitation conditions for the Workstation Service vulnerability discovered by eEye Digital Security and disclosed in Microsoft security bulletin MS03-049 of November 11th, 2003.
09.18.2003
September 18th, 2003 - Juan Pablo Martinez Kuhn
IBM's DB2 database ships with two vulnerable setuid binaries, namely db2licm and db2dart. Both binaries are vulnerable to a buffer overflow that allows a local attacker to execute arbitrary code on the vulnerable machine with privileges of the root user. The vulnerability is triggered providing a long command line argument to the binaries.
07.02.2003
July 2nd, 2003 - Eduardo Arias, Gabriel Becedillas, Ricardo Quesada and Damian Saura
A vulnerability in Active Directory allows an attacker to crash and force a reboot of any Windows 2000 Server running the Active Directory service.
The vulnerability can be triggered when an LDAP version 3 search request with more than 1000 "AND" statements is sent to the server, resulting in a stack overflow and subsequent crash of the Lsass.exe service.
07.02.2003
July 2nd, 2003 - Hernán Ochoa, Gustavo Ajzenman, Javier Garcia Di Palma and Pablo Rubinstein
A directory traversal vulnerability was found in NetMeeting when doing File Transfers. An attacker can use filenames containing "..\.." when doing a file transfer, and in this manner, create a file in any place of the victim's filesystem, escaping the directory where NetMeeting usually stores incoming files (e.g. C:\Program Files\Received\Received Files).
This makes it possible to force the execution of arbitrary code on vulnerable systems.
05.27.2003
May 27th, 2003 - Juliano Rizzo
We have discovered the following security vulnerability: by accessing http://camera-ip//admin/admin.shtml (notice the double slash) the authentication for "admin" is bypassed and an attacker gains direct access to the configuration.
Using this vulnerability, an attacker can reset the root password, then enable the telnet server by modifying configuration files, giving the attacker interactive access to a Unix like command line, allowing her to execute arbitrary commands as root.
05.05.2003
May 5th, 2003 - Lucas Lavarello, Daniel Benmergui, Norberto Kueffner and Fernando Russ
Six security vulnerabilities were found that could lead to various forms of exploitation ranging from denying users the ability to use ICQ services to execution of arbitrary commands on vulnerable systems.
04.28.2003
April 28th, 2003 - Emiliano Kargieman, Hernán Gips and Javier Burroni
Kerio Personal Firewall (KPF) is a firewall for workstations designed to protect them against attacks from the Internet and the local network. We found two security vulnerabilities in KPF's remote administration system:
04.15.2003
April 15th, 2003 - Bruce Leidl and Juan Pablo Martinez Kuhn
The stream4 preprocessor module is a Snort plugin that reassembles TCP traffic before passing it on to be analyzed. It also detects several types of IDS evasion attacks.
We have discovered an exploitable heap overflow in this module resulting from sequence number calculations that overflow a 32 bit integer variable.
03.28.2003
March 28th, 2003 - Juliano Rizzo, Agustin Azubel Friedman, Bruno Acselrad and Carlos Sarraute
RealPlayer is a popular program provided by RealNetworks, Inc. It is used to play live video and audio over the net. This program is able to play a great set of media file formats, among them the PNG graphic file format. A vulnerability has been found in the way that RealPlayer decompresses those files.
If exploited, this vulnerability allows an attacker to execute arbitrary code and obtain a remote command shell with the privileges of the user running RealPlayer.
03.28.2003
March 28th, 2003 - Diego Kelyacoubian, Javier Kohen, Alberto Solino, and Juan Vera
The Eye Of Gnome (EOG for short) is an image viewer, as well as an image cataloging program. EOG is part of the GNOME desktop and is bundled with all major Linux distributions.
A vulnerability was found in this application that could lead to the execution of arbitrary code with the privileges of the user running EOG. This vulnerability can be exploited from within email clients (MUAs) that use EOG as default for image viewing.
03.20.2003
March 20th, 2003 - Diego Kelyacoubian, Javier Kohen, Alberto Solino, and Juan Vera
Mutt is a very popular small text-based MUA (Mail User Agent) for Unix operating systems.
For more information about Mutt visit http://www.mutt.org
The Mutt Mail User Agent (MUA) has support for accessing remote mailboxes through the IMAP protocol.
By controlling a malicious IMAP server and providing a specially crafted folder, an attacker can crash the mail reader and possibly force execution of arbitrary commands on the vulnerable system with the privileges of the user running Mutt.
03.19.2003
March 19th, 2003 - Diego Kelyacoubian, Javier Kohen, Alberto Solino, and Juan Vera
Ximian Evolution is a personal and workgroup information management solution for Linux and UNIX-based systems. The software integrates email, calendaring, meeting scheduling, contact management, and task lists, in one application. For more information about Ximian Evolution visit http://www.ximian.com
Three vulnerabilities were found that could lead to various forms of exploitation, ranging from denying users the ability to read email, provoking system instability and bypassing security context checks for email content, to possible execution of arbitrary commands on vulnerable systems.
02.12.2003
December 2nd, 2002 - Gerardo Richarte
Many Linksys' network appliances have a remote administration and configuration interface via HTTP, either from the local network, or, if it's enabled, from any host across the internet. The implementation of the embedded HTTP server presents several different exploitable vulnerabilities, some of them allow an unauthorized user to gain control of the appliance, some let an attacker reboot it, and some are of an unknown severity.
12.02.2002
December 2nd, 2002 - Gerardo Richarte
Many Linksys' network appliances have a remote administration and configuration interface via HTTP, either from the local network, or, if it's enabled, from any host across the internet. The implementation of the embedded HTTP server presents several different exploitable vulnerabilities, some of them allow an unauthorized user to gain control of the appliance, some let an attacker reboot it, and some are of an unknown severity.
08.22.2002
August 22nd, 2002 - Alberto Solino and Hernan Ochoa
SMB stands for "Server Message Block" and is also known as CIFS (Common Internet File System). This protocol is intended to provide an open cross-platform mechanism for client systems to request file services from server systems over a network. The current CIFS implementation under Windows runs over port tcp/139 and/or port tcp/445 (Direct Host), depending on whether NetBIOS over TCP/IP is enabled or not.
By sending a specially crafted packet requesting the NetServerEnum2, NetServerEnum3 or NetShareEnum transaction, an attacker can mount a denial of service attack on the target machine. It might be possible to abuse this vulnerability to execute arbitrary code, although the research performed so far cannot confirm this possibility (see 'Technical Description' below for more precise information).
07.10.2002
July 10th, 2002 - Ricardo Quesada
The ToolTalk service allows independently developed applications to communicate with each other by exchanging ToolTalk messages. Using ToolTalk, applications can create open protocols which allow different programs to be interchanged, and new programs to be plugged into the system with minimal reconfiguration.
07.02.2002
July 2nd, 2002 - Juliano Rizzo
Inktomi's Traffic Server product provides transparent web caching, access control and content filtering. It is available for Linux, Solaris and Windows platforms. A vulnerability that could allow a local attacker to gain root access has been discovered in the Unix version of the software.
Problem: Buffer overflow in traffic_manager executable
The traffic_manager executable is used to manage Traffic Server; it is installed setuid-root by default under the [installpath]/bin directory. When traffic_manager is executed with a long command line argument, a buffer overflow occurs. This vulnerability can be exploited locally to gain root access.
04.22.2002
April 22nd, 2002 - Gerardo Richarte
In the past years, several technologies (in the form of software packages) have been developed to protect programs against exploitation of buffer overflow vulnerabilities. These technologies aim at detecting and preventing the execution of hostile code that takes advantage of software security vulnerabilities by overwriting a critical portion of a running program's memory known as the stack.
11.28.2001
November 28th, 2001 - Luciano Notarfrancesco and Juan Pablo Martinez Kuhn
The Washington University FTP daemon (WU-FTPD) is a highly modified and significantly complex version of FTPD that provides some extra features: custom logging, limited remote command support, and other enhancements to the standard BSD version of FTPD.
A problem was found in all versions of Wu-FTPD included by default in all major Linux distributions. Other platforms that ship wu-ftpd and FTP server programs derived from it are affected.
By exploiting this problem, any user who is able to log into a vulnerable version of the WU-FTPD server may be able to execute arbitrary code remotely with the privileges of the server process (usually root), which can lead to complete system compromise.
08.13.2001
August 13th, 2001 - Juliano Rizzo
PGP Keyserver is a product aimed primarily at storage and retrieval of public keys. It acts as both an HTTP and an LDAP server for this purpose.
Web Console is the Web-based portion of the software that gives administrators the ability to remotely monitor and manage their PGP Keyserver. There exist several security flaws in the Web Console system that can allow an attacker to gain full control of the server configuration.
Taking advantage of the console's configuration functionality, an attacker is able to read and overwrite almost any file on the system. Carefully overwriting files could also allow an intruder to run arbitrary commands on the server.
06.26.2001
June 26th, 2001 - Alberto Soliño and Juliano Rizzo
GroupWise is Novell's truly integrated messaging, Groupware and document management product. It combines document management, e-mail, group calendaring and scheduling, task management, imaging and workflow in one tightly integrated package.
When the Post Office mailboxes are accessed through a network share it is possible, by patching Groupwise's client software, to get access to any user's mailbox (including the administrator) without knowing its password.
02.08.2001
February 8th, 2001 - Michal Zalewski of the Bindview RAZOR Team
SSH is a widely used client-server application for authentication and encryption of network communications.
In 1998 Ariel Futoransky and Emiliano Kargieman [1] discovered a design flaw in the SSH1 protocol (protocol 1.5) that could lead an attacker to inject malicious packets into an SSH encrypted stream that would allow execution of arbitrary commands on either client or server.
02.07.2001
February 7th, 2001 - Ariel Waissbein and Agustin Azubel Friedman
SSH is a widely used client-server application for authentication and encryption of network communications. In order to ensure that all data exchanged between client and server is kept confidential a symmetric algorithm is used with a key obtained from the key exchange and authentication process done upon connection from the client to an SSH server.
01.29.2001
January 29th, 2001 - Emiliano Kargieman, Agustín Azubel Friedman and Maximiliano Cáceres
As stated in the VNC home page ( http://www.uk.research.att.com/vnc/ ):
"VNC stands for Virtual Network Computing. It is, in essence, a remote display system which allows you to view a computing 'desktop' environment not only on the machine where it is running, but from anywhere on the Internet and from a wide variety of machine architectures"
The ATT VNC client ships with a remotely exploitable buffer overflow.
By providing a specially crafted response a malicious server has the ability to obtain access to the client machine and execute arbitrary commands as the user running the client software.
01.29.2001
January 29th, 2001 - Emiliano Kargieman, Agustín Azubel Friedman and Maximiliano Cáceres
As stated in the VNC home page ( http://www.uk.research.att.com/vnc/ ):
"VNC stands for Virtual Network Computing. It is, in essence, a remote display system which allows you to view a computing 'desktop' environment not only on the machine where it is running, but from anywhere on the Internet and from a wide variety of machine architectures"
The ATT VNC server for Windows ships with a remotely and locally exploitable buffer overflow if it is configured with a certain debug level.
By providing a specially crafted HTTP request an attacker has the ability to obtain access to the VNC server and execute arbitrary commands with the privileges of the user running the server.
01.23.2001
January 23rd, 2001 - Emiliano Kargieman, Agustín Azubel Friedman and Maximiliano Cáceres
As stated in the VNC home page ( http://www.uk.research.att.com/vnc/ ):
"VNC stands for Virtual Network Computing. It is, in essence, a remote display system which allows you to view a computing 'desktop' environment not only on the machine where it is running, but from anywhere on the Internet and from a wide variety of machine architectures".
VNC uses a challenge/response mechanism for authenticating clients in order to avoid the transmission of clear text passwords over insecure channels and to prevent unauthorized clients from getting access to the VNC server.
A design flaw in the client authentication mechanism permits an attacker to obtain legitimate credentials from a valid client in order to gain unauthorized access to the server.
The attack can be performed by an attacker eavesdropping on the client/server communications with the ability to modify the data flow. NO TCP hijacking techniques are required.
12.04.2000
December 4th, 2000 - Alberto Soliño
11.16.2000
November 16th, 2000 - Gerardo Richarte and Claudio Castiglia
11.08.2000
November 8th, 2000 - Bruno Acselrad and Agustín Azubel Friedman
10.31.2000
October 31st, 2000 - Emiliano Kargieman and Agustín Azubel Friedman
10.31.2000
October 31st, 2000 - Emiliano Kargieman and Agustín Azubel Friedman
10.26.2000
October 26th, 2000 - Emiliano Kargieman and Agustín Azubel Friedman
10.25.2000
October 25th, 2000 - Alberto Soliño
10.23.2000
October 23rd, 2000 - Ariel Waissbein, Emiliano Kargieman, Carlos Sarraute, Gerardo Richarte and Agustín Azubel Friedman
09.27.2000
September 27th, 2000 - Juliano Rizzo
08.15.2000
August 15th, 2000 - Gerardo Richarte and Hernán Ochoa
04.14.2000
April 14th, 2000 - Gerardo Richarte and Alberto Soliño
04.22.1997
April 22nd, 1997 - Cache corruption. Core SDI and Secure Networks Inc (Spanish version).
