The vulnerabilities in SumatraPDF are caused due to boundary errors within the "pdf_loadtype4shade()", "pdf_loadtype5shade()", "pdf_loadtype6shade()", and "pdf_loadtype7shade()" functions. This can be exploited to cause stack-based buffer overflows. The module will send an e-mail with an attached .PDF file. This file will deploy an agent when opened by the user. Additionally, the module will allow users to download the malformed zipped .PDF file from Core Impact's Web Server.
This module exploits a vulnerability in XVoice.dll included in the Microsoft Text to Speech Control. The exploit is triggered when the FindEngine() method processes a long string argument resulting in a stack-based buffer overflow. This module runs a malicious web site on the Core Impact Console and waits for an unsuspecting user to trigger the exploit by connecting to the web site. This module runs a web server waiting for vulnerable clients (Internet Explorer) to connect to it. When the client connects, it will try to install an agent by exploiting this vulnerability.
Sothink SWF Decompiler is prone to a vulnerability that may allow the execution of any library file named dwmapi.dll, if this dll is located in the same folder than a .FLV file. The attacker must entice a victim into opening a specially crafted .FLV file. This file and the associated binary may be delivered to a user through remote WebDAV shares. An attacker may exploit this issue to execute arbitrary code.
Sorax PDF Reader is prone to a vulnerability that may allow the execution of any library file named dwmapi.dll, if this dll is located in the same folder than a .PDF file. The attacker must entice a victim into opening a specially crafted .HEX file. This file and the associated binary may be delivered to a user through remote WebDAV shares. An attacker may exploit this issue to execute arbitrary code.
Sony Sound Forge Pro is prone to a vulnerability that may allow the execution of any library file named MtxParhVegasPreview.dll, if this dll is located in the same folder as a .SFW file. The attacker must entice a victim into opening a specially crafted .SFW file. This file and the associated binary may be delivered to a user through remote WebDAV shares. An attacker may exploit this issue to execute arbitrary code.
SolarWinds Application Monitor suffers from an ActiveX heap overflow. The vulnerability is caused due to an error when handling the "PEstrarg1" member within the bundled GigaSoft ProEssentials PieChart ActiveX control (Pesgo32c). This module runs a web server waiting for vulnerable clients (Internet Explorer 6, 7, 8) to connect to it. When the client connects, it will try to install an agent by exploiting this vulnerability.
The specific flaw exists within the factory object's loadExtensionFactory method. The issue lies in a failure to validate the size of an attacker-supplied input before copying it into a fixed-size buffer on the stack. An attacker can leverage this vulnerability to execute code under the context of the current process. This module runs a web server waiting for vulnerable clients (Internet Explorer 6, 7, 8, 9) to connect to it.
SolarWinds Application Monitor suffers from an ActiveX heap overflow. The vulnerability is caused due to an error when handling the "PEstrarg1" member within the bundled GigaSoft ProEssentials PieChart ActiveX control (pepco32c.ocx). This module runs a web server waiting for vulnerable clients (Internet Explorer 6, 7 or 8) to connect to it. When the client connects, it will try to install an agent by exploiting this vulnerability.
Subscribe to Impact