Posts Tagged ‘ предупредувања

Corel WordPerfect Office X5 and Corel Presentations X5 File Handling Vulnerabilities

- Corel WordPerfect Office X5 (wpd) Remote Buffer Preoccupation PoC

– Corel Presentations X5 (shw) Remote Buffer Preoccupation PoC

Corel Corporation

Version: (Standard Edition)

– Summary: Corel® WordPerfect® Office X5 – Standard Edition is the essential
office suite for word processing, spreadsheets, presentations and email.
Chosen over Microsoft® Office by millions of longtime users, it integrates
the latest productivity software with the best of the Web. Work faster and
collaborate more efficiently with all-new Web services, new Microsoft® Office
SharePoint® support, more PDF tools and even better compatibility with Microsoft
Office. It’s everything you expect in an office suite—for less.

– Desc: Corel WordPerfect and Corel Presentations X5 is prone to a remote buffer overflow vulnerability because
the application fails to perform adequate boundary checks on user supplied input with
.WPD (WordPerfect Document) and .SHW (Presentations Slide Show) file. Attackers may exploit this issue to execute arbitrary
code in the context of the application. Failed attacks will cause denial-of-service

– Tested On: Microsoft Windows XP Professional SP3 (English)

– Vulnerability Discovered By: Gjoko ‘LiquidWorm’ Krstic

– liquidworm gmail com

– Zero Science Lab –

– 09.07.2010

– Vendor status:

[09.07.2010] Vulnerability discovered.
[09.07.2010] Initial contact with the vendor.
[12.07.2010] No reply from vendor.
[12.07.2010] Public advisory released.


Corel Presentations X5 (shw) Remote Buffer Preoccupation PoC
Corel WordPerfect Office X5 (wpd) Remote Buffer Preoccupation PoC

Adobe Reader 9.3.2 (CoolType.dll) Remote Memory Corruption / DoS Vulnerability


Adobe Reader 9.3.2 (CoolType.dll) Remote Memory Corruption / DoS Vulnerability


Adobe Reader software is the global standard for electronic document sharing. It is the only PDF
file viewer that can open and interact with all PDF documents. Use Adobe Reader to view, search,
digitally sign, verify, print, and collaborate on Adobe PDF files.


Adobe Systems Incorporated

Product Web Page:

Version tested:



Adobe Reader suffers from a remote memory corruption vulnerability that causes the application to
crash while processing the malicious .PDF file. The issue is triggered when the reader tries to
initialize the CoolType Typography Engine (cooltype.dll). This vulnerability also affects and crashes
major browsers like: Mozilla Firefox, Opera and Apple Safari. Google Chrome & IE does not crash.
Talking about Blended Threat Vulnerabilities ;).


(bd0.e14): Access violation – code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=313100ee ebx=0211a722 ecx=00000031 edx=02e091a4 esi=00017e58 edi=00000000
eip=08075dc2 esp=0012d478 ebp=0012d488 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
08075dc2 660fb644322c movzx ax,byte ptr [edx+esi+2Ch] ds:0023:02e21028=??


Tested On:

Microsoft Windows XP Professional SP3 (English)
Microsoft Windows XP Professional SP2 (English)
Microsoft Windows 7 Ultimate
GNU/Linux Ubuntu Desktop 9.10 (i386) 32-bit
GNU/Linux Fedora 10 (Cambridge) /

Vendor Status:

18.04.2010 – Vendor informed.
18.04.2010 – Vendor replied.
07.05.2010 – Asked vendor for confirmation.
07.05.2010 – Vendor confirms vulnerability.
03.06.2010 – Asked vendor for status.
03.06.2010 – Vendor replied.
24.06.2010 – Vendor reveals patch release date.
29.06.2010 – Coordinated public advisory.

Advisory Details:

Zero Science Lab Advisory ID: ZSL-2010-4943
Adobe Advisory ID: APSB10-15
CVE ID: CVE-2010-2204

Live Demo:

Vulnerability Discovered By:

Gjoko ‘LiquidWorm’ Krstic

liquidworm gmail com

Zero Science Lab –


UK One Media CMS (id) Error Based SQL Injection Vulnerability

Summary: Content Management System (PHP+MySQL)

Vendor: UK One Media –

Desc: UK One Media CMS suffers from an sql injection vulnerability when parsing query from the id param which results in compromising the entire database structure and executing system commands.

Tested on Apache 2.x (linux), PHP/5.2.11 and MySQL/4.1.22

More details:

Adobe InDesign CS3 INDD File Handling Buffer Overflow Vulnerability

Vendor: Adobe Systems Inc.

Product Web Page:

Version tested: CS3 10.0

Summary: Adobe® InDesign® CS3 software provides precise control over typography and built-in creative tools for designing, preflighting, and publishing documents for print, online, or to mobile devices. Include interactivity, animation, video, and sound in page layouts to fully engage readers.

Desc: When parsing .indd files to the application, it crashes instantly overwriting memory registers. Depending on the offset, EBP, EDI, EDX and ESI gets overwritten. Pottential vulnerability use is arbitrary code execution and denial of service.

Tested on Microsoft Windows XP Professional SP3 (English)

Vulnerability discovered by Gjoko ‘LiquidWorm’ Krstic

liquidworm gmail com

Zero Science Lab –


Vendor status:

[16.09.2009] Vulnerability discovered.
[09.03.2010] Vulnerability reported to vendor with sent PoC files.
[21.03.2010] Asked confirmation from the vendor.
[21.03.2010] Vendor asked for PoC files due to communication errors.
[22.03.2010] Re-sent PoC files to vendor.
[04.04.2010] Vendor confirms vulnerability.
[03.06.2010] Vendor informs that they discontinued support for CS3 since CS5 is out.
[04.06.2010] Public advisory released.

Zero Science Lab Advisory ID: ZSL-2010-4941

More info:

Edrawsoft Security Advisories

EDraw Flowchart ActiveX Control 2.3 (.edd parsing) Remote Buffer Overflow PoC

– EDraw Flowchart ActiveX Control version 2.3 suffers from a buffer overflow vulnerability when parsing .edd file format resulting in an application crash and overwritten few memory registers which can aid the attacker toexecute arbitrary code.



EDraw Flowchart ActiveX Control 2.3 (EDImage.ocx) Remote DoS Exploit (IE)

– EDraw Flowchart ActiveX Control EDImage.OCX suffers from a denial of service vulnerability when parsing large amount of bytes to the OpenDocument() function, resulting in browser crash and unspecified memory corruption.



Deimos Kasa <= 2.58 (table) Local Integer Overflow Vulnerability

More info:

WAMP, Nero and CableTEL vulns

1. CableTEL’s Triple Play v1.0 (login.php) Remote Login Bypass SQL Injection Vuln
More info:

2. WampServer 2.0i (index.php) Remote Cross Site Scripting Vulnerability
More info:

3. Nero Burning ROM 9 (iso compilation) Local Buffer Invasion Proof Of Concept

More info: