C Exploits

3,626 exploits tracked across all sources.

EIP-2026-102599 EXPLOITDB c VERIFIED
Galaxy FTP Server 1.0 (Neostrada Livebox DSL Router) - Denial of Service
by 0in
CVE-2008-0411 EXPLOITDB c VERIFIED
Ghostscript < 8.61 - Remote Code Execution via Long Range Array in .seticcspace Operator
Stack-based buffer overflow in the zseticcspace function in zicc.c in Ghostscript 8.61 and earlier allows remote attackers to execute arbitrary code via a postscript (.ps) file containing a long Range array in a .seticcspace operator.
by Will Drewry
CVE-2008-0177 EXPLOITDB c VERIFIED
KAME ipcomp - Denial of Service via IPv6 IPComp Header
The ipcomp6_input function in sys/netinet6/ipcomp_input.c in the KAME project before 20071201 does not properly check the return value of the m_pulldown function, which allows remote attackers to cause a denial of service (system crash) via an IPv6 packet with an IPComp header.
by mu-b
EIP-2026-102892 EXPLOITDB c
Libmodplug - 's3m' Buffer Overflow
by dummy
CVE-2008-1139 EXPLOITDB c VERIFIED
DESlock+ < 3.2.6 - Privilege Escalation
DESlock+ 3.2.6 and earlier, when DLMFENC.sys 1.0.0.26 and DLMFDISK.sys 1.2.0.27 are present, allows local users to gain privileges via a certain DLMFENC_IOCTL request to \\.\DLKPFSD_Device that overwrites a pointer, aka the "ring0 link list zero SYSTEM" vulnerability.
by mu-b
CVE-2008-1141 EXPLOITDB c VERIFIED
DESlock+ < 3.2.6 - Denial of Service via DLMFENC_IOCTL Requests
Memory leak in DLMFENC.sys 1.0.0.26 in DESlock+ 3.2.6 and earlier allows local users to cause a denial of service (kernel memory consumption) via a series of DLMFENC_IOCTL requests to \\.\DLKPFSD_Device that allocate "link list structures."
by mu-b
CVE-2008-1140 EXPLOITDB c VERIFIED
DLMFDISK.sys 1.2.0.27 - Privilege Escalation
DLMFDISK.sys 1.2.0.27 in DESlock+ 3.2.6 and earlier allows local users to gain privileges via a certain DLKFDISK_IOCTL request to \\.\DLKFDisk_Control that overwrites a data structure associated with a mounted pseudo-filesystem, aka the "ring0 SYSTEM" vulnerability.
by mu-b
CVE-2008-1138 EXPLOITDB c VERIFIED
DESlock+ < 3.2.6 - Denial of Service via DLMFENC_IOCTL Request
DLMFENC.sys 1.0.0.26 in DESlock+ 3.2.6 and earlier allows local users to cause a denial of service (system crash) via a certain ZERO_MEM DLMFENC_IOCTL request to \\.\DLKPFSD_Device, aka the "ring0 link list zero" vulnerability.
by mu-b
CVE-2008-0108 EXPLOITDB c VERIFIED
Microsoft Works File Converter - Stack-based Buffer Overflow via Crafted .wps File Field Lengths
Stack-based buffer overflow in wkcvqd01.dll in Microsoft Works 6 File Converter, as used in Office 2003 SP2 and SP3, Works 8.0, and Works Suite 2005, allows remote attackers to execute arbitrary code via a .wps file with crafted field lengths, aka "Microsoft Works File Converter Field Length Vulnerability."
by chujwamwdupe
EIP-2026-102847 EXPLOITDB c VERIFIED
GKrellM GKrellWeather 0.2.7 Plugin - Local Stack Buffer Overflow
by forensec
CVE-2008-0010 EXPLOITDB c VERIFIED
Linux kernel < 2.6.25 - Info Disclosure
The copy_from_user_mmap_sem function in fs/splice.c in the Linux kernel 2.6.22 through 2.6.24 does not validate a certain userspace pointer before dereference, which allows local users to read from arbitrary kernel memory locations.
by qaaz
CVE-2008-0600 EXPLOITDB c VERIFIED
Linux Kernel 2.6.17-2.6.24.1 - Local Privilege Escalation via vmsplice_to_pipe Pointer Dereference
The vmsplice_to_pipe function in Linux kernel 2.6.17 through 2.6.24.1 does not validate a certain userspace pointer before dereference, which allows local users to gain root privileges via crafted arguments in a vmsplice system call, a different vulnerability than CVE-2008-0009 and CVE-2008-0010.
by qaaz
CVE-2008-0600 EXPLOITDB c VERIFIED
Linux Kernel 2.6.17-2.6.24.1 - Local Privilege Escalation via vmsplice_to_pipe Pointer Dereference
The vmsplice_to_pipe function in Linux kernel 2.6.17 through 2.6.24.1 does not validate a certain userspace pointer before dereference, which allows local users to gain root privileges via crafted arguments in a vmsplice system call, a different vulnerability than CVE-2008-0009 and CVE-2008-0010.
by qaaz
CVE-2008-0621 EXPLOITDB c VERIFIED
SAPLPD < 6.28 - Remote Code Execution via Long LPD Command Arguments
Buffer overflow in SAPLPD 6.28 and earlier included in SAP GUI 7.10 and SAPSprint before 1018 allows remote attackers to execute arbitrary code via long arguments to the (1) 0x01, (2) 0x02, (3) 0x03, (4) 0x04, and (5) 0x05 LPD commands.
by BackBone
CVE-2008-0108 EXPLOITDB c VERIFIED
Microsoft Works File Converter - Stack-based Buffer Overflow via Crafted .wps File Field Lengths
Stack-based buffer overflow in wkcvqd01.dll in Microsoft Works 6 File Converter, as used in Office 2003 SP2 and SP3, Works 8.0, and Works Suite 2005, allows remote attackers to execute arbitrary code via a .wps file with crafted field lengths, aka "Microsoft Works File Converter Field Length Vulnerability."
by Luigi Auriemma
EIP-2026-101043 EXPLOITDB c VERIFIED
MikroTik RouterOS 3.0 - SNMP SET Denial of Service
by ShadOS
CVE-2008-0680 EXPLOITDB c VERIFIED
MikroTik RouterOS < 3.2 - Denial of Service via SNMP SET Request
SNMPd in MikroTik RouterOS 3.2 and earlier allows remote attackers to cause a denial of service (daemon crash) via a crafted SNMP SET request.
by ShadOS
CVE-2007-0949 EXPLOITDB c VERIFIED
iTinySoft Studio Total Video Player < 1.03 - Buffer Overflow
Stack-based buffer overflow in iTinySoft Studio Total Video Player 1.03, and possibly earlier, allows remote attackers to execute arbitrary code via an M3U playlist file that contains a long file name. NOTE: it was later reported that 1.20 and 1.30 are also affected.
by fl0 fl0w
CVE-2008-0573 EXPLOITDB c VERIFIED
SafeNET IPSecDrv.sys 10.4.0.12 - Privilege Escalation via Crafted IOCTL Request
IPSecDrv.sys 10.4.0.12 in SafeNET HighAssurance Remote and SoftRemote allows local users to gain privileges via a crafted IPSECDRV_IOCTL IOCTL request.
by mu-b
CVE-2008-0493 EXPLOITDB c VERIFIED
IrfanView - Remote Code Execution via Crafted FlashPix File
fpx.dll 3.9.8.0 in the FlashPix plugin for IrfanView 4.10 allows remote attackers to execute arbitrary code via a crafted FlashPix (.FPX) file, which triggers heap corruption. NOTE: some of these details are obtained from third party information.
by Marsu
CVE-2008-0434 EXPLOITDB c VERIFIED
AXIGEN Mail Server 5.0.2 - Remote Code Execution via AXIMilter CNHO Command Format String
Format string vulnerability in the AXIMilter module in AXIGEN Mail Server 5.0.2 allows remote attackers to execute arbitrary code via format string specifiers in the CNHO command.
by hempel
CVE-2007-3039 EXPLOITDB c VERIFIED
Microsoft Message Queuing - Stack-based Buffer Overflow via RPC Opnum 0x06
Stack-based buffer overflow in the Microsoft Message Queuing (MSMQ) service in Microsoft Windows 2000 Server SP4, Windows 2000 Professional SP4, and Windows XP SP2 allows attackers to execute arbitrary code via a long string in an opnum 0x06 RPC call to port 2103. NOTE: this is remotely exploitable on Windows 2000 Server.
by Marcin Kozlowski
CVE-2008-0384 EXPLOITDB c VERIFIED
OpenBSD 4.2 - Denial of Service via SIOCGIFRTLABEL IOCTL
OpenBSD 4.2 allows local users to cause a denial of service (kernel panic) by calling the SIOCGIFRTLABEL IOCTL on an interface that does not have a route label, which triggers a NULL pointer dereference when the return value from the rtlabel_id2name function is not checked.
by Hunger
CVE-2008-0324 EXPLOITDB c VERIFIED
Cisco VPN Client 5.0.02.0090 - Denial of Service via IOCTL 0x80002038
Cisco Systems VPN Client IPSec Driver (CVPNDRVA.sys) 5.0.02.0090 allows local users to cause a denial of service (crash) by calling the 0x80002038 IOCTL with a small size value, which triggers memory corruption.
by mu-b
CVE-2008-0352 EXPLOITDB c VERIFIED
Linux Kernel 2.6.20-2.6.21.1 - Denial of Service via IPv6 Jumbo Payload Hop-by-Hop Option
The Linux kernel 2.6.20 through 2.6.21.1 allows remote attackers to cause a denial of service (panic) via a certain IPv6 packet, possibly involving the Jumbo Payload hop-by-hop option (jumbogram).
by Clemens Kurtenbach