tag:blogger.com,1999:blog-42664836066483600792012-01-24T00:08:55.630Z[ X - Zero-Day ]The dumping ground for Zero-Day Exploits..
<BR>
The following entries are active zero-day vulnerabilities.
<BR>
Exploits that do not have any published vendor-supplied patch.lem0nhttp://www.blogger.com/profile/05722076653739547167noreply@blogger.comBlogger151100tag:blogger.com,1999:blog-4266483606648360079.post-46232780174700188902007-02-09T19:08:00.000Z2007-03-06T19:15:11.967ZWord Unspecified Exploit [4]Vendor:: MicrosoftApplication:: Word XP Word 2000Disclosed:: 09-02-07Description:: This is reported by McAfee as a different vulnerability than all previous Word zero-day vulnerabilities. Microsoft has acknowledged that this vulnerability does cause a denial of service for Word, and claims that exploitability is not possible. However, without any technical details lem0nhttp://www.blogger.com/profile/05722076653739547167noreply@blogger.com2tag:blogger.com,1999:blog-4266483606648360079.post-3028172000259115912007-01-28T17:18:00.000Z2007-02-01T19:29:21.723ZApple crashdump Privilege Escalation VulnerabilityVendor:: AppleApplication:: Mac OS XDisclosed:: 28-01-07Description:: Crashreporterd is the daemon responsible for detecting application crashes. Crashreporterd listens for mach exceptions and when it detects a mach exception launches crashdump to investigate the crash and report it to the user. Crashdump is a helper tool used by the crashreporterd daemon to create crash reports and notify the lem0nhttp://www.blogger.com/profile/05722076653739547167noreply@blogger.com0tag:blogger.com,1999:blog-4266483606648360079.post-71672979385544945072007-01-27T22:45:00.000Z2007-02-01T19:30:12.266ZTelestream Flip4Mac WMV Parsing Memory Corruption VulnerabilityVendor:: AppleApplication:: Mac OS X - WindowsQuickTime™ Player 7.1.3Windows Media ® Components for Quicktime 2.1.0.33Disclosed:: 27-01-07Description:: Flip4Mac fails to properly handle WMV files with a crafted ASF_File_Properties_Object size field, leading to an exploitable memory corruption condition, which can be abused remotely for lem0nhttp://www.blogger.com/profile/05722076653739547167noreply@blogger.com0tag:blogger.com,1999:blog-4266483606648360079.post-64258882702352566432007-01-25T19:23:00.000Z2007-02-01T19:32:25.845ZApple CFNetwork HTTP Response Denial of ServiceVendor:: AppleApplication:: Mac OS XDisclosed:: 25-01-07Description:: CFNetwork fails to handle certain HTTP responses properly, causing the _CFNetConnectionWillEnqueueRequests() function to dereference a NULL pointer, leading to a denial of service condition exploitable by a server sending a crafted response to a client application making use of this API.Exploit::lem0nhttp://www.blogger.com/profile/05722076653739547167noreply@blogger.com0tag:blogger.com,1999:blog-4266483606648360079.post-37138004235276211252007-01-23T19:01:00.000Z2007-02-01T19:33:00.605ZApple QuickDraw GetSrcBits32ARGB() Memory Corruption VulnerabilityVendor:: AppleApplication:: Mac OS XDisclosed:: 23-01-07Description:: QuickDraw is integrated in Mac OS X since very early versions, used by Quicktime and any other application that needs to handle PICT images. A vulnerability exists in the handling of ARGB records (Alpha RGB) within PICT images, that leads to an exploitable memory corruption condition (ex. denial of service, so-called lem0nhttp://www.blogger.com/profile/05722076653739547167noreply@blogger.com0tag:blogger.com,1999:blog-4266483606648360079.post-51177279256877627022007-01-22T23:00:00.000Z2007-02-01T19:33:38.989ZApple UserNotificationCenter Privilege Escalation VulnerabilityVendor:: AppleApplication:: Mac OS XDisclosed:: 22-01-07Description:: UserNotificationCenter retains wheel privileges on execution time, and still has a UID associated with the current user. Because of this, it> will attempt to run any InputManager provided by the user. Code within the input manager will run under wheel privileges. In combination with diskutillem0nhttp://www.blogger.com/profile/05722076653739547167noreply@blogger.com0tag:blogger.com,1999:blog-4266483606648360079.post-15290425524571232132007-01-21T18:40:00.000Z2007-02-01T19:34:08.861ZApple System Preferences writeconfig Local Privilege Escalation VulnerabilityVendor:: AppleApplication:: Mac OS XDisclosed:: 21-01-07Description:: The preference panes setuid helper, writeconfig, makes use of a shell script which lacks of PATH sanitization, allowing users to execute arbitrary binaries under root privileges.Apple provides the following description in the The Preference Application documentation:: System Preferenceslem0nhttp://www.blogger.com/profile/05722076653739547167noreply@blogger.com0tag:blogger.com,1999:blog-4266483606648360079.post-73397701574314654862007-01-17T19:58:00.000Z2007-02-01T19:34:29.774ZApple SLP Daemon Service Registration Buffer Overflow VulnerabilityVendor:: AppleApplication:: Mac OS XDisclosed:: 17-01-07Description:: slpd is vulnerable to a buffer overflow condition when processing the attr-list field of a registration request, leading to an exploitable denial of service condition and potential arbitrary execution. It would allow unprivileged local (and possibly remote) users to execute arbitrary code under root lem0nhttp://www.blogger.com/profile/05722076653739547167noreply@blogger.com0tag:blogger.com,1999:blog-4266483606648360079.post-79214041173162680342006-12-15T03:53:00.000Z2007-02-01T19:35:04.318ZNtRaiseHardErrorVendor:: MicrosoftApplication:: WindowsWindows 2000Windows XPWindows 2003Windows VistaDisclosed:: 15-12-06Description::A double-free vulnerability exists in WINSRV.DLL's handling of certain hard error messages that may be locally exploitable for the purpose of privilege escalation to SYSTEM.Calling one of the MessageBox APIs with the MB_SERVICE_NOTIFICATION flag set invokes USER32.DLL!lem0nhttp://www.blogger.com/profile/05722076653739547167noreply@blogger.com0tag:blogger.com,1999:blog-4266483606648360079.post-46732942588190446662006-11-27T23:51:00.000Z2007-02-01T19:36:46.350ZMac OS X AppleTalk AIOCREGLOCALZN Ioctl Memory CorruptionVendor:: MacApplication:: OS X Disclosed:: 27-11-06Description:: Mac OS X AppleTalk protocol handling code is vulnerable to an exploitable memory corruption issue. This particular vulnerability is caused by failure to validate input data in the AIOCREGLOCALZN ioctl command, and can be abused by unprivileged users by opening an AppleTalk socket and issuing the ioctl control lem0nhttp://www.blogger.com/profile/05722076653739547167noreply@blogger.com0tag:blogger.com,1999:blog-4266483606648360079.post-78858330733255473472006-11-26T21:40:00.000Z2007-02-01T19:37:01.704ZMac OS X Universal Binary Loading Memory CorruptionVendor:: MacApplication:: OS XDisclosed:: 26-11-06Description:: Mac OS X fails to properly handle corrupted Universal Binaries, leading to an exploitable memory corruption condition with potential risk of kernel-mode arbitrary code execution. This particular vulnerability is caused by an integer overflow in the fatfile_getarch2() function. Local unprivileged users can abuse this lem0nhttp://www.blogger.com/profile/05722076653739547167noreply@blogger.com0tag:blogger.com,1999:blog-4266483606648360079.post-64161889683804270252006-11-06T17:45:00.000Z2007-02-01T19:37:15.362ZWindows kernel GDI local privilege escalationVendor:: MicrosoftApplication:: WindowsDisclosed:: 06-11-06Description:: A vulnerability in the handling of GDI kernel structures of Microsoft Windows leads to an exploitable memory corruption condition, causing a denial of service (so-called BSoD) or arbitrary code execution on successful exploitation. This would allow a local user to escalate privileges, gaining full control oflem0nhttp://www.blogger.com/profile/05722076653739547167noreply@blogger.com0tag:blogger.com,1999:blog-4266483606648360079.post-8403136739790012632006-10-28T00:16:00.000Z2007-02-01T19:37:28.482ZInternet Connection Sharing DoSVendor:: MicrosoftApplication:: WindowsDisclosed:: 28-10-06Description:: Microsoft Windows NAT Helper Components (ipnathlp.dll) on Windows XP SP2, when Internet Connection Sharing is enabled, allows remote attackers to cause a denial of service (svchost.exe crash) via a malformed DNS query, which results in a null pointer dereference.Exploit:: Remote Shutdown of Windows Firewall from LANThus lem0nhttp://www.blogger.com/profile/05722076653739547167noreply@blogger.com0tag:blogger.com,1999:blog-4266483606648360079.post-432785307386620192006-10-27T00:07:00.000Z2007-02-01T19:37:42.574ZNAT Helper Components [ipnathlp.dll] Remote DOSVendor:: MicrosoftApplication:: Internet ExplorerDisclosed:: 27-10-06Description:: The "Execute" method of ADODB.Connection.2.7 and ADODB.Connection.2.8 objects allow malicious script to free heap memory in a way that circumvents the script interpreter's memory manager. The second argument to Execute, a variant, is passed to VariantClear, which will free the associated string memory using lem0nhttp://www.blogger.com/profile/05722076653739547167noreply@blogger.com0tag:blogger.com,1999:blog-4266483606648360079.post-48991702775909901842005-11-16T23:51:00.000Z2007-02-01T19:38:26.033ZRPC Memory ExhaustionVendor:: MicrosoftApplication:: WindowsDisclosed:: 16-11-05Description:: Three referenced exploits take advantage of an inherent problem in RPC, in which an attacker gets to supply the size of an output buffer, and RPC allocates the buffer and (more importantly) initializes it to zeroes, which causes the entire memory range to become committed. For huge output buffers, the target service (which lem0nhttp://www.blogger.com/profile/05722076653739547167noreply@blogger.com0