ed0e1e4d44
1979 changes to exploits/shellcodes Couchdb 1.5.0 - 'uuids' Denial of Service Apache CouchDB 1.5.0 - 'uuids' Denial of Service Beyond Remote 2.2.5.3 - Denial of Service (PoC) udisks2 2.8.0 - Denial of Service (PoC) Termite 3.4 - Denial of Service (PoC) SoftX FTP Client 3.3 - Denial of Service (PoC) Silverstripe 2.3.5 - Cross-Site Request Forgery / Open redirection SilverStripe CMS 2.3.5 - Cross-Site Request Forgery / Open Redirection Silverstripe CMS 3.0.2 - Multiple Vulnerabilities SilverStripe CMS 3.0.2 - Multiple Vulnerabilities Silverstripe CMS 2.4 - File Renaming Security Bypass SilverStripe CMS 2.4 - File Renaming Security Bypass Silverstripe CMS 2.4.5 - Multiple Cross-Site Scripting Vulnerabilities SilverStripe CMS 2.4.5 - Multiple Cross-Site Scripting Vulnerabilities Silverstripe CMS 2.4.7 - 'install.php' PHP Code Injection SilverStripe CMS 2.4.7 - 'install.php' PHP Code Injection Silverstripe Pixlr Image Editor - 'upload.php' Arbitrary File Upload SilverStripe CMS Pixlr Image Editor - 'upload.php' Arbitrary File Upload Silverstripe CMS 2.4.x - 'BackURL' Open Redirection SilverStripe CMS 2.4.x - 'BackURL' Open Redirection Silverstripe CMS - 'MemberLoginForm.php' Information Disclosure SilverStripe CMS - 'MemberLoginForm.php' Information Disclosure Silverstripe CMS - Multiple HTML Injection Vulnerabilities SilverStripe CMS - Multiple HTML Injection Vulnerabilities Apache CouchDB 1.7.0 and 2.x before 2.1.1 - Remote Privilege Escalation Apache CouchDB 1.7.0 / 2.x < 2.1.1 - Remote Privilege Escalation Monstra CMS before 3.0.4 - Cross-Site Scripting Monstra CMS < 3.0.4 - Cross-Site Scripting (2) Monstra CMS < 3.0.4 - Cross-Site Scripting Monstra CMS < 3.0.4 - Cross-Site Scripting (1) Navigate CMS 2.8 - Cross-Site Scripting Collectric CMU 1.0 - 'lang' SQL injection Joomla! Component CW Article Attachments 1.0.6 - 'id' SQL Injection LG SuperSign EZ CMS 2.5 - Remote Code Execution MyBB Visual Editor 1.8.18 - Cross-Site Scripting Joomla! Component AMGallery 1.2.3 - 'filter_category_id' SQL Injection Joomla! Component Micro Deal Factory 2.4.0 - 'id' SQL Injection RICOH Aficio MP 301 Printer - Cross-Site Scripting Joomla! Component Auction Factory 4.5.5 - 'filter_order' SQL Injection RICOH MP C6003 Printer - Cross-Site Scripting Linux/ARM - Egghunter (PWN!) + execve(_/bin/sh__ NULL_ NULL) Shellcode (28 Bytes) Linux/ARM - sigaction() Based Egghunter (PWN!) + execve(_/bin/sh__ NULL_ NULL) Shellcode (52 Bytes)
74 lines
No EOL
2.7 KiB
Text
74 lines
No EOL
2.7 KiB
Text
#####################################################################################
|
||
|
||
Application: Paintshop Pro X7 GIF Conversion Heap Memory Corruption Vulnerabilities (LZWMinimumCodeSize)
|
||
|
||
Platforms: Windows
|
||
|
||
Versions: The vulnerability is confirmed in version Paintshop Prox X7, Other versions may also be affected.
|
||
|
||
Secunia:
|
||
|
||
{PRL}: 2015-06
|
||
|
||
Author: Francis Provencher (Protek Research Lab’s)
|
||
|
||
Website: http://www.protekresearchlab.com/
|
||
|
||
Twitter: @ProtekResearch
|
||
|
||
#####################################################################################
|
||
|
||
1) Introduction
|
||
2) Report Timeline
|
||
3) Technical details
|
||
4) POC
|
||
|
||
#####################################################################################
|
||
|
||
===============
|
||
1) Introduction
|
||
===============
|
||
|
||
|
||
|
||
PaintShop Pro (PSP) is a raster and vector graphics editor for Microsoft Windows. It was originally published by Jasc Software. In October 2004, Corel purchased Jasc Software and the distribution rights to Paint Shop Pro. PSP functionality can be extended by Photoshop-compatible plugins.
|
||
|
||
Although often written as Paint Shop Pro, Corel’s website shows the name for the product as PaintShop Pro. The X-numbered editions have been sold in two versions: PaintShop Pro, which is the basic editing program, and PaintShop Pro Ultimate, which bundles in other standalone programs. The particular bundled programs have varied with each numbered version and have not been sold by Corel as separate products.
|
||
|
||
(https://en.wikipedia.org/wiki/PaintShop_Pro)
|
||
|
||
#####################################################################################
|
||
|
||
============================
|
||
2) Report Timeline
|
||
============================
|
||
|
||
2015-04-23: Francis Provencher from Protek Research Lab’s found the issue;
|
||
2015-02-24: Francis Provencher From Protek Research Lab’s ask for a security contact at Corel Software;
|
||
2015-02-25: Francis Provencher From Protek Research Lab’s ask for a security contact at Corel Software;
|
||
2015-05-10: Corel push a silent fix, without credit.
|
||
|
||
2015-05-16: Publication of this advisory.
|
||
|
||
|
||
|
||
#####################################################################################
|
||
|
||
============================
|
||
3) Technical details
|
||
============================
|
||
|
||
An error when handling LZWMinimumCodeSize can be exploited to cause an heap memory corruption via a specially crafted GIF file.
|
||
|
||
#####################################################################################
|
||
|
||
===========
|
||
|
||
4) POC
|
||
|
||
===========
|
||
|
||
http://protekresearchlab.com/exploits/PRL-2015-06.gif
|
||
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/37346.gif
|
||
|
||
############################################################################### |