C Exploits

3,626 exploits tracked across all sources.

CVE-2007-0038 EXPLOITDB c VERIFIED
Microsoft Windows 2000 SP4 through Vista - Remote Code Execution via Animated Cursor RIFF File
Stack-based buffer overflow in the animated cursor code in Microsoft Windows 2000 SP4 through Vista allows remote attackers to execute arbitrary code or cause a denial of service (persistent reboot) via a large length value in the second (or later) anih block of a RIFF .ANI, .cur, or .ico file, which results in memory corruption when processing cursors, animated cursors, and icons, a variant of CVE-2005-0416, as originally demonstrated using Internet Explorer 6 and 7. NOTE: this might be a duplicate of CVE-2007-1765; if so, then CVE-2007-0038 should be preferred.
by Marsu
CVE-2007-1867 EXPLOITDB c VERIFIED
IrfanView 3.99 - Buffer Overflow via Crafted ANI File
Buffer overflow in IrfanView 3.99 allows remote attackers to execute arbitrary code via a crafted animated cursor (ANI) file.
by Marsu
EIP-2026-117354 EXPLOITDB c VERIFIED
Ipswitch WS_FTP 5.05 - Server Manager Local Site Buffer Overflow
by Marsu
CVE-2005-1255 EXPLOITDB c VERIFIED
Ipswitch IMail < 8.2 Hotfix 2 - Remote Code Execution via IMAP LOGIN Command
Multiple stack-based buffer overflows in the IMAP server in IMail 8.12 and 8.13 in Ipswitch Collaboration Suite (ICS), and other versions before IMail Server 8.2 Hotfix 2, allow remote attackers to execute arbitrary code via a LOGIN command with (1) a long username argument or (2) a long username argument that begins with a special character.
by Heretic2
CVE-2007-1793 EXPLOITDB c VERIFIED
Symantec Norton Personal Firewall 9.1.0.33/9.1.1.7 - DoS via NtCreateMutant/NtOpenEvent
SPBBCDrv.sys in Symantec Norton Personal Firewall 2006 9.1.0.33 and 9.1.1.7 does not validate certain arguments before being passed to hooked SSDT function handlers, which allows local users to cause a denial of service (crash) or possibly execute arbitrary code via crafted arguments to the (1) NtCreateMutant and (2) NtOpenEvent functions. NOTE: it was later reported that Norton Internet Security 2008 15.0.0.60, and possibly other versions back to 2006, are also affected.
by David Matousek
CVE-2007-1866 EXPLOITDB c VERIFIED
dproxy dproxy-nexgen - Stack-based Buffer Overflow in dns_decode_reverse_name
Stack-based buffer overflow in the dns_decode_reverse_name function in dns_decode.c in dproxy-nexgen allows remote attackers to execute arbitrary code by sending a crafted packet to port 53/udp, a different issue than CVE-2007-1465.
by mu-b
CVE-2007-1735 EXPLOITDB c VERIFIED
Corel WordPerfect Office X3 13.0.0.565 - Stack-based Buffer Overflow via Long PRS Name
Stack-based buffer overflow in Corel WordPerfect Office X3 (13.0.0.565) allows user-assisted remote attackers to execute arbitrary code via a long printer selection (PRS) name in a WordPerfect document.
by Jonathan So
CVE-2007-1734 EXPLOITDB c VERIFIED
Linux Kernel 2.6.20 and later - Denial of Service via DCCP Getsockopt Optlen Bounds Check
The DCCP support in the do_dccp_getsockopt function in net/dccp/proto.c in Linux kernel 2.6.20 and later does not verify the upper bounds of the optlen value, which allows local users running on certain architectures to read kernel memory or cause a denial of service (oops), a related issue to CVE-2007-1730.
by Robert Swiecki
CVE-2007-1734 EXPLOITDB c VERIFIED
Linux Kernel 2.6.20 and later - Denial of Service via DCCP Getsockopt Optlen Bounds Check
The DCCP support in the do_dccp_getsockopt function in net/dccp/proto.c in Linux kernel 2.6.20 and later does not verify the upper bounds of the optlen value, which allows local users running on certain architectures to read kernel memory or cause a denial of service (oops), a related issue to CVE-2007-1730.
by Robert Swiecki
CVE-2007-1388 EXPLOITDB c VERIFIED
Linux Kernel < 2.6.19.7 - Denial of Service via IPV6_RTHDR Setsockopt NULL Pointer Dereference
The do_ipv6_setsockopt function in net/ipv6/ipv6_sockglue.c in Linux kernel before 2.6.20, and possibly other versions, allows local users to cause a denial of service (oops) by calling setsockopt with the IPV6_RTHDR option name and possibly a zero option length or invalid option value, which triggers a NULL pointer dereference.
by Joey Mengele
CVE-2007-1719 EXPLOITDB c VERIFIED
mcweject - Buffer Overflow via Long Command Line Argument
Buffer overflow in eject.c in Jason W. Bacon mcweject 0.9 on FreeBSD, and possibly other versions, allows local users to execute arbitrary code via a long command line argument, possibly involving the device name.
by harry
CVE-2007-1567 EXPLOITDB c VERIFIED
War FTP Daemon < 1.65 - Stack-Based Buffer Overflow
Stack-based buffer overflow in War FTP Daemon 1.65, and possibly earlier, allows remote attackers to cause a denial of service or execute arbitrary code via unspecified vectors, as demonstrated by warftp_165.tar by Immunity. NOTE: this might be the same issue as CVE-1999-0256, CVE-2000-0131, or CVE-2006-2171, but due to Immunity's lack of details, this cannot be certain.
by niXel
CVE-2007-1644 EXPLOITDB c VERIFIED
Microsoft Windows DNS Server - Unauthenticated DNS Record Manipulation via Dynamic Update Mechanism
The dynamic DNS update mechanism in the DNS Server service on Microsoft Windows does not properly authenticate clients in certain deployments or configurations, which allows remote attackers to change DNS records for a web proxy server and conduct man-in-the-middle (MITM) attacks on web traffic, conduct pharming attacks by poisoning DNS records, and cause a denial of service (erroneous name resolution).
by Andres Tarasco
CVE-2007-1648 EXPLOITDB c VERIFIED
0irc 1345 build 20060823 - Denial of Service via Long IRC Server String
0irc 1345 build 20060823 allows remote attackers to cause a denial of service (application crash) by operating an IRC server that sends a long string to a client, which triggers a NULL pointer dereference.
by DiGitalX
CVE-2007-1536 EXPLOITDB c VERIFIED
file < 4.19 - Remote Code Execution via Integer Underflow in file_printf
Integer underflow in the file_printf function in the "file" program before 4.20 allows user-assisted attackers to execute arbitrary code via a file that triggers a heap-based buffer overflow.
by Jean-Sebastien Guay-Leroux
EIP-2026-119549 EXPLOITDB c VERIFIED
Oracle 10g (Windows x86) - 'PROCESS_DUP_HANDLE' Local Privilege Escalation
by Cesar Cerrudo
CVE-2007-0005 EXPLOITDB c VERIFIED
Linux kernel < 2.6.21-rc3 - Buffer Overflow in Omnikey CardMan 4040 Driver
Multiple buffer overflows in the (1) read and (2) write handlers in the Omnikey CardMan 4040 driver in the Linux kernel before 2.6.21-rc3 allow local users to gain privileges.
by Daniel Roethlisberger
CVE-2007-1398 EXPLOITDB c VERIFIED
Snort 2.6.1.1, 2.6.1.2, 2.7.0 beta - Denial of Service via UDP Packet Handling in frag3 Preprocessor
The frag3 preprocessor in Snort 2.6.1.1, 2.6.1.2, and 2.7.0 beta, when configured for inline use on Linux without the ip_conntrack module loaded, allows remote attackers to cause a denial of service (segmentation fault and application crash) via certain UDP packets produced by send_morefrag_packet and send_overlap_packet.
by Antimatt3r
CVE-2007-1306 EXPLOITDB c VERIFIED
Asterisk 1.2-1.4 - Denial of Service via SIP Packet Without URI and SIP-Version Header
Asterisk 1.4 before 1.4.1 and 1.2 before 1.2.16 allows remote attackers to cause a denial of service (crash) by sending a Session Initiation Protocol (SIP) packet without a URI and SIP-version header, which results in a NULL pointer dereference.
by fbffff
CVE-2007-1260 EXPLOITDB c VERIFIED
WebMod 0.48 - Stack-Based Buffer Overflow via Content-Length HTTP Header
Stack-based buffer overflow in the connectHandle function in server.cpp in WebMod 0.48 allows remote attackers to execute arbitrary code via a long string in the Content-Length HTTP header.
by cybermind
CVE-2007-3798 EXPLOITDB CRITICAL c VERIFIED
tcpdump < 3.9.6 - RCE
Integer overflow in print-bgp.c in the BGP dissector in tcpdump 3.9.6 and earlier allows remote attackers to execute arbitrary code via crafted TLVs in a BGP packet, related to an unchecked return value.
by mu-b
CVSS 9.8
CVE-2006-6332 EXPLOITDB c VERIFIED
MadWifi - Stack-Based Buffer Overflow in IEEE80211 Wireless Component
Stack-based buffer overflow in net80211/ieee80211_wireless.c in MadWifi before 0.9.2.1 allows remote attackers to execute arbitrary code via unspecified vectors, related to the encode_ie and giwscan_cb functions.
by Massimiliano Oldani
CVE-2007-1189 EXPLOITDB c VERIFIED
Alcatel-Lucent Bell Labs Plan 9 - Memory Corruption
Integer overflow in the envwrite function in the Alcatel-Lucent Bell Labs Plan 9 kernel allows local users to overwrite certain memory addresses with kernel memory via a large n argument, as demonstrated by (1) modifying the iseve function to gain privileges and (2) making the devpermcheck function grant unrestricted device permissions.
by Don Bailey
CVE-2006-7098 EXPLOITDB c VERIFIED
Debian apache - Local Privilege Escalation via TIOCSTI ioctl in CGI Program
The Debian GNU/Linux 033_-F_NO_SETSID patch for the Apache HTTP Server 1.3.34-4 does not properly disassociate httpd from a controlling tty when httpd is started interactively, which allows local users to gain privileges to that tty via a CGI program that calls the TIOCSTI ioctl.
by Kristian Hermansen
CVE-2007-0843 EXPLOITDB c VERIFIED
Microsoft Windows 2000-XP-Vista - Info Disclosure
The ReadDirectoryChangesW API function on Microsoft Windows 2000, XP, Server 2003, and Vista does not check permissions for child objects, which allows local users to bypass permissions by opening a directory with LIST (READ) access and using ReadDirectoryChangesW to monitor changes of files that do not have LIST permissions, which can be leveraged to determine filenames, access times, and other sensitive information.
by 3APA3A