n0o.com - Personal archive of discovered vulns & writeups.

[CVE-2019-3822] NTLMv2 type-3 header stack buffer overflow

Reported on : 31 Dec 2018
Shipped on : 6 Feb 2019
Type : Stack buffer overflow
In Function : Curl_auth_create_ntlm_type3_message

The function creating an outgoing NTLM type-3 header (lib/vauth/ntlm.c:Curl_auth_create_ntlm_type3_message()) generates the request HTTP header contents based on previously received data. The check that exists to prevent the local buffer from being overflowed is implemented wrongly (using unsigned math), so it does not prevent the overflow from happening. The output data can grow larger than the local buffer if very large "nt response" data is extracted from a previous NTLMv2 header provided by a malicious or broken HTTP server. Such a "large value" needs to be around 1000 bytes or more. The actual payload data copied to the target buffer comes from the NTLMv2 type-2 response header.
https://curl.haxx.se/docs/CVE-2019-3822.html

PENDING

[CVE-2018-16890] NTLM type-2 out-of-bounds buffer read

Reported on : 31 Dec 2018
Shipped on : 6 Feb 2019
Type : OOB Access - Read - Send to Remote
In Function : ntlm_decode_type2_target

libcurl versions from 7.36.0 to before 7.64.0 are vulnerable to a heap buffer out-of-bounds read. The function handling incoming NTLM type-2 messages (lib/vauth/ntlm.c:ntlm_decode_type2_target) does not validate incoming data correctly and is subject to an integer overflow vulnerability. Using that overflow, a malicious or broken NTLM server could trick libcurl into accepting a bad length + offset combination that leads to a buffer read out of bounds.
https://curl.haxx.se/docs/CVE-2018-16890.html

PENDING

[CVE-2018-20506] Denial of Service in SQLite3

Reported on : 1 Nov 2018
Shipped on : 13 Dec 2018
Type : DoS
In Function : to be confirmed

Assertion fault due to a malformed PRIMARY KEY: a DoS in the query planner that results when a row-value expression is used with a PRIMARY KEY that has a redundant column.
https://sqlite.org/src/info/1a84668dcfdebaf12415d

CREATE TABLE t1(a,b,PRIMARY KEY(b,b));
SELECT * FROM t1 WHERE (a,b) IN (VALUES(1,2));

[CVE-2018-20505] Integer overflow in FTS3 of SQLite

Reported on : 1 Nov 2018
Shipped on : 13 Dec 2018
Type : Integer Overflow / Heap Buffer Overflow
In Function : to be confirmed

Different from CVE-2018-20346. SQLite before 3.25.3, when the FTS3 extension is enabled, encounters an integer overflow (and resultant buffer overflow) for FTS3 queries that occur after crafted changes to FTS3 shadow tables, allowing remote attackers to execute arbitrary code by leveraging the ability to run arbitrary SQL statements (such as in certain WebSQL use cases), aka Magellan.
TO BE ADDED

[CVE-2018-20346] Integer Overflow in FTS3 of SQLite

Reported on : 1 Nov 2018
Shipped on : 13 Dec 2018
Type : Integer Overflow / Heap Buffer Overflow
In Function : to be confirmed

SQLite before 3.25.3, when the FTS3 extension is enabled, encounters an integer overflow (and resultant buffer overflow) for FTS3 queries that occur after crafted changes to FTS3 shadow tables, allowing remote attackers to execute arbitrary code by leveraging the ability to run arbitrary SQL statements (such as in certain WebSQL use cases), aka Magellan.
TO BE ADDED

[CVE-2018-12686] Integer Overflow caused Heap buffer overflow in CivetWeb

Reported on : 2 Jun 2018
Shipped on : 28 Jun 2018
Type : Integer Overflow / Heap Buffer Overflow
In Function : CivetServer::getParam

"Content-Length" is user-supplied, hence con_len_str could be a negative number (-1). The signed int is then converted into an unsigned int, which passes the check con_len > 0, so the allocation becomes malloc(-1 + 1) = malloc(0), and mg_read then writes data far out of bounds from there, causing a heap buffer overflow. One attack scenario is when the server enables SSL (combined with OpenSSL): an attacker could overwrite the SSL_ctx object, so that mg_write-->SSL_write (whose function pointer is overwritten) results in remote code execution.

https://github.com/civetweb/civetweb/issues/633
https://github.com/civetweb/civetweb/commit/82c03a22f4690fb05137b1c00f
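The two length checks described in this entry and in the CVE-2019-3822 entry above, as an added C illustration that is not code from curl or CivetWeb (the buffer size, body limit, function names and the "-1 means rejected" convention are assumptions): the flawed form of each check beside a corrected form.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical sizes for the illustration; not copied from curl or CivetWeb. */
#define NTLM_BUF  ((size_t)1024)          /* local buffer for the type-3 message */
#define MAX_BODY  ((long long)1 << 20)    /* largest request body we accept      */

/* CVE-2019-3822 style check with all operands unsigned (size_t). When ntresplen
 * exceeds NTLM_BUF the subtraction wraps to a huge value, so the "fits" test
 * passes and the copy would overflow. Returns true if the copy would proceed. */
bool ntlm_copy_allowed_flawed(size_t used, size_t ntresplen) {
  return used < (NTLM_BUF - ntresplen);
}

/* Corrected form: compare by addition and guard the addition itself. */
bool ntlm_copy_allowed_fixed(size_t used, size_t ntresplen) {
  if (ntresplen > SIZE_MAX - used) return false;   /* used + ntresplen would wrap */
  return used + ntresplen <= NTLM_BUF;
}

/* CVE-2018-12686 style Content-Length handling: a signed parse, converted to
 * unsigned before the "> 0" check, then con_len + 1 as the allocation size.
 * Returns the size that would be passed to malloc, or -1 if rejected. */
long civet_alloc_size_flawed(const char *con_len_str) {
  int parsed = atoi(con_len_str);           /* "-1" parses as -1 */
  unsigned con_len = (unsigned)parsed;      /* -1 becomes 0xFFFFFFFF */
  if (con_len > 0)                          /* passes for the negative value */
    return (long)(con_len + 1u);            /* 0xFFFFFFFF + 1 wraps to 0 */
  return -1;
}

/* Corrected form: strict parse, reject negatives and out-of-range values
 * before any arithmetic, so malloc never sees a wrapped size. */
long civet_alloc_size_fixed(const char *con_len_str) {
  char *end = NULL;
  errno = 0;
  long long v = strtoll(con_len_str, &end, 10);
  if (errno != 0 || end == con_len_str || *end != '\0') return -1;
  if (v < 0 || v > MAX_BODY) return -1;
  return (long)v + 1;
}
```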


[CVE-2018-12685] Out-of-bounds Read in CivetWeb (2)

Reported on : 2 Jun 2018
Shipped on : 28 Jun 2018
Type : Information Leak
In Function : mg_start

libcivetweb must be compiled with Symbian support and run on a Symbian system; an attacker then calls the function locally to get system information, which triggers this problem. The number of data sources supplied is less than the number declared, which could cause an information leak vulnerability or Denial of Service.
https://github.com/civetweb/civetweb/issues/633
https://github.com/civetweb/civetweb/commit/6a1f14d47941a190b1c038b67f

[CVE-2018-12684] Out-of-bounds Read in CivetWeb

Reported on : 2 Jun 2018
Shipped on : 28 Jun 2018
Type : OOB Access - Read
In Function : send_ssi_file

Out-of-bounds Read in the send_ssi_file function in civetweb.c in CivetWeb through 1.10 allows attackers to cause a Denial of Service or Information Disclosure via a crafted SSI file. The server must enable SSI (server side includes) support; an attacker could then send a request with a malformed SSI file, locally or remotely.

https://github.com/civetweb/civetweb/issues/633
https://github.com/civetweb/civetweb/commit/8fd069f6dedb064339f1091069

[CVE-2018-6110] Script Execution on non-HTML page in Google Chrome

Reported on : 24 Oct 2017
Shipped on : 25 Apr 2018
Type : Unexpected Results
In Function : MIME Detection

Parsing documents as HTML in Downloads in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to cause Chrome to execute scripts via a local non-HTML page.
https://crbug.com/777737

[CVE-2016-3267] Microsoft Browser Information Disclosure Vulnerability

Reported on : 21 Mar 2016
Shipped on : 17 Nov 2016
Type : Information Disclosure
In Function : readyState detection

Local file detection problem in IE11/Edge using an iframe and readyState. IE disabled loading a res protocol URI in an image element, which fails the check v31 = CMarkup::CheckForLMZLLoad (v8, 1) in CImgHelper::SetImgCtx, but an attacker can use an iframe instead to load a res URI under the web zone. By using the readyState attribute, the attacker can tell whether a local file exists. For example, "interactive,interactive," means the file exists and is loaded in the iframe, while "loading, interactive" means the file does not exist. IE versions below IE11 are not affected: they report an "interactive,complete" readyState whether or not the local file exists, so the attacker can't tell whether the local file exists.
https://github.com/leonwxqian/n0o-vuln-archive/blob/master/CVE-2016-3267.html