Exploitdb Exploits
3,138 exploits tracked across all sources.
Microsoft Windows Kernel - Local Code Execution via NtUserFnOUTSTRING Input Validation
Unspecified vulnerability in the kernel in Microsoft Windows 2000 SP4, XP SP2, Server 2003 SP1 and SP2, through Vista SP1, and Server 2008 allows local users to execute arbitrary code via unknown vectors related to improper input validation. NOTE: it was later reported that one affected function is NtUserFnOUTSTRING in win32k.sys.
by Whitecell
licq < 1.3.6 - Denial of Service via File-Descriptor Exhaustion
licq before 1.3.6 allows remote attackers to cause a denial of service (file-descriptor exhaustion and application crash) via a large number of connections.
by Milen Rangelov
SCO UnixWare 7.1.4 ReliantHA - Privilege Escalation via RELIANT_PATH Environment Variable
Untrusted search path vulnerability in (1) hvdisp and (2) rcvm in ReliantHA 1.1.4 in SCO UnixWare 7.1.4 allows local users to gain root privileges by modifying the RELIANT_PATH environment variable to point to a malicious bin/hvenv program.
by qaaz
SCO ReliantHA 1.1.4 - Local Privilege Escalation via mcd -d Argument
Merge mcd in ReliantHA 1.1.4 in SCO UnixWare 7.1.4 allows local users to gain root privileges via a crafted -d argument that contains .. (dot dot) sequences that point to a directory containing a file whose name includes shell metacharacters.
by qaaz
Xitami 2.2a-2.5c2 - Remote Code Execution via Format String in LRWP Request
Format string vulnerability in Xitami Web Server 2.2a through 2.5c2, and possibly other versions, allows remote attackers to cause a denial of service (daemon crash) and possibly execute arbitrary code via format string specifiers in a Long Running Web Process (LRWP) request, which triggers incorrect logging code involving the sendfmt function in the SMT kernel.
by bratax
mod_jk2 < 2.0.3-DEV - Remote Code Execution via Long Host Header
Multiple stack-based buffer overflows in the legacy mod_jk2 2.0.3-DEV and earlier Apache module allow remote attackers to execute arbitrary code via a long (1) Host header, or (2) Hostname within a Host header.
by Heretic2
FreeBSD 6.x-7.x and NetBSD 4.x - Integer Overflow in strfmon and printf Format Handling
Multiple integer overflows in libc in NetBSD 4.x, FreeBSD 6.x and 7.x, and probably other BSD and Apple Mac OS platforms allow context-dependent attackers to execute arbitrary code via large values of certain integer fields in the format argument to (1) the strfmon function in lib/libc/stdlib/strfmon.c, related to the GET_NUMBER macro; and (2) the printf function, related to left_prec and right_prec.
by Maksymilian Arciemowicz
xine-lib <= 1.1.11 - Heap-Based Buffer Overflow via Crafted Media Files
Multiple integer overflows in xine-lib 1.1.11 and earlier allow remote attackers to trigger heap-based buffer overflows and possibly execute arbitrary code via (1) a crafted .FLV file, which triggers an overflow in demuxers/demux_flv.c; (2) a crafted .MOV file, which triggers an overflow in demuxers/demux_qt.c; (3) a crafted .RM file, which triggers an overflow in demuxers/demux_real.c; (4) a crafted .MVE file, which triggers an overflow in demuxers/demux_wc3movie.c; (5) a crafted .MKV file, which triggers an overflow in demuxers/ebml.c; or (6) a crafted .CAK file, which triggers an overflow in demuxers/demux_film.c.
by Luigi Auriemma
Solaris 10 - Denial of Service via Malformed RPC Request
rpc.metad in Sun Solaris 10 allows remote attackers to cause a denial of service (daemon crash) via a malformed RPC request.
by kingcope
SunOS 8-10 - Unauthenticated Memory Read via FIFO I_PEEK ioctl
Integer signedness error in FIFO filesystems (named pipes) on Sun Solaris 8 through 10 allows local users to read the contents of unspecified memory locations via a negative maximum length value to the I_PEEK ioctl.
by Marco Ivaldi
SafeGuard PrivateDisk 2.0/2.3 - 'privatediskm.sys' Multiple Local Security Bypass Vulnerabilities
by mu-b
ADI Convergence Galaxy FTP Server Password - Remote Denial of Service
by Maks M
Galaxy FTP Server 1.0 (Neostrada Livebox DSL Router) - Denial of Service
by 0in
Ghostscript < 8.61 - Remote Code Execution via Long Range Array in .seticcspace Operator
Stack-based buffer overflow in the zseticcspace function in zicc.c in Ghostscript 8.61 and earlier allows remote attackers to execute arbitrary code via a postscript (.ps) file containing a long Range array in a .seticcspace operator.
by Will Drewry
KAME ipcomp - Denial of Service via IPv6 IPComp Header
The ipcomp6_input function in sys/netinet6/ipcomp_input.c in the KAME project before 20071201 does not properly check the return value of the m_pulldown function, which allows remote attackers to cause a denial of service (system crash) via an IPv6 packet with an IPComp header.
by mu-b
DESlock+ <3.2.6 - Privilege Escalation
DESlock+ 3.2.6 and earlier, when DLMFENC.sys 1.0.0.26 and DLMFDISK.sys 1.2.0.27 are present, allows local users to gain privileges via a certain DLMFENC_IOCTL request to \\.\DLKPFSD_Device that overwrites a pointer, aka the "ring0 link list zero SYSTEM" vulnerability.
by mu-b
DESlock+ < 3.2.6 - Denial of Service via DLMFENC_IOCTL Requests
Memory leak in DLMFENC.sys 1.0.0.26 in DESlock+ 3.2.6 and earlier allows local users to cause a denial of service (kernel memory consumption) via a series of DLMFENC_IOCTL requests to \\.\DLKPFSD_Device that allocate "link list structures."
by mu-b
DLMFDISK.sys 1.2.0.27 - Privilege Escalation
DLMFDISK.sys 1.2.0.27 in DESlock+ 3.2.6 and earlier allows local users to gain privileges via a certain DLKFDISK_IOCTL request to \\.\DLKFDisk_Control that overwrites a data structure associated with a mounted pseudo-filesystem, aka the "ring0 SYSTEM" vulnerability.
by mu-b
DESlock+ < 3.2.6 - Denial of Service via DLMFENC_IOCTL Request
DLMFENC.sys 1.0.0.26 in DESlock+ 3.2.6 and earlier allows local users to cause a denial of service (system crash) via a certain ZERO_MEM DLMFENC_IOCTL request to \\.\DLKPFSD_Device, aka the "ring0 link list zero" vulnerability.
by mu-b
Microsoft Works File Converter - Stack-based Buffer Overflow via Crafted .wps File Field Lengths
Stack-based buffer overflow in wkcvqd01.dll in Microsoft Works 6 File Converter, as used in Office 2003 SP2 and SP3, Works 8.0, and Works Suite 2005, allows remote attackers to execute arbitrary code via a .wps file with crafted field lengths, aka "Microsoft Works File Converter Field Length Vulnerability."
by chujwamwdupe
GKrellM GKrellWeather 0.2.7 Plugin - Local Stack Buffer Overflow
by forensec
Linux kernel <2.6.25 - Info Disclosure
The copy_from_user_mmap_sem function in fs/splice.c in the Linux kernel 2.6.22 through 2.6.24 does not validate a certain userspace pointer before dereference, which allow local users to read from arbitrary kernel memory locations.
by qaaz
Linux Kernel 2.6.17-2.6.24.1 - Local Privilege Escalation via vmsplice_to_pipe Pointer Dereference
The vmsplice_to_pipe function in Linux kernel 2.6.17 through 2.6.24.1 does not validate a certain userspace pointer before dereference, which allows local users to gain root privileges via crafted arguments in a vmsplice system call, a different vulnerability than CVE-2008-0009 and CVE-2008-0010.
by qaaz
Linux Kernel 2.6.17-2.6.24.1 - Local Privilege Escalation via vmsplice_to_pipe Pointer Dereference
The vmsplice_to_pipe function in Linux kernel 2.6.17 through 2.6.24.1 does not validate a certain userspace pointer before dereference, which allows local users to gain root privileges via crafted arguments in a vmsplice system call, a different vulnerability than CVE-2008-0009 and CVE-2008-0010.
by qaaz
By Source