A buffer overflow in WhatsApp for Android prior to v2.20.11 and WhatsApp Business for Android prior to v2.20.2 could have allowed an out-of-bounds write via a specially crafted video stream after receiving and answering a malicious video call.
Tag: Buffer Overflow
ASA-2019-00633 – Arm Mbed OS CoAP: Memory access out of range in library parser part
Buffer overflows were discovered in the CoAP library in Arm Mbed OS.
ASA-2019-00573 – Linux kernel: Potential buffer overflow on P2P code in rtlwifi
rtl_p2p_noa_ie() in drivers/net/wireless/realtek/rtlwifi/ps.c in the Linux kernel lacks a certain upper-bound check, leading to a buffer overflow.
ASA-2019-00572 – Linux kernel: Buffer overflow when copying SSID to userspace in cfg80211
The function cfg80211_mgd_wext_giwessid() in net/wireless/wext-sme.c does not reject a long SSID IE, leading to a buffer overflow when copying to userspace.
ASA-2019-00534 – Exim: Buffer overflow by sending a SNI ending in a backslash-null sequence during the initial TLS handshake
The SMTP Delivery process in all versions up to and including Exim 4.92.1 has a Buffer Overflow. In the default runtime configuration, this is exploitable with crafted Server Name Indication (SNI) data during a TLS negotiation. In other configurations, it is exploitable with a crafted client TLS certificate.
A local or remote attacker can execute programs with root privileges. The vulnerability is exploitable by sending a SNI ending in a backslash-null sequence during the initial TLS handshake.
ASA-2019-00510 – FreeBSD bhyve: Insufficient validation of guest-supplied data (e1000 device)
The e1000 network adapters permit a variety of modifications to an Ethernet packet when it is being transmitted. These include the insertion of IP and TCP checksums, insertion of an Ethernet VLAN header, and TCP segmentation offload ("TSO"). The e1000 device model uses an on-stack buffer to generate the modified packet header when simulating these modifications on transmitted packets.
When TCP segmentation offload is requested for a transmitted packet, the e1000 device model used a guest-provided value to determine the size of the on-stack buffer without validation. The subsequent header generation could overflow an incorrectly sized buffer or indirect a pointer composed of stack garbage.
A misbehaving bhyve guest could overwrite memory in the bhyve process on the host.
ASA-2019-00501 – Wind River VxWorks: TCP Urgent Pointer state confusion during connect() to a remote host
A specially crafted response to the connection attempt, where also the FIN- and URG-flags are set is sent as a response. This may put the victim into an inconsistent state, which make it possible to send yet another segment that trigger a buffer overflow.
A prerequisite is that the system uses TCP sockets and the attacker can trigger the target to establish a new TCP connection that the attacker highjacks the traffic of. The impact of the vulnerability is a buffer overflow of up to a full TCP receive-windows (by default 10k-64k depending on the version). The buffer overflow happens in the task calling recv()/recvfrom()/recvmsg(). Applications that pass a buffer equal to or larger than a full TCP window are not susceptible to this attack. Applications passing a stack-allocated variable as buffer are the easiest to exploit. The most likely outcome is a crash of the application reading from the affected socket. In the worst-case scenario, this vulnerability can potentially lead to RCE.
ASA-2019-00500 – Wind River VxWorks: TCP Urgent Pointer state confusion caused by malformed TCP AO option
A series of specially crafted TCP-segments where the last step is a TCP-segment with the URG-flag set may cause overflow of the buffer passed to recv(), recvfrom() or recvmsg() socket routines.
A prerequisite is that the system uses TCP sockets and listens to at least one TCP port. The impact of the vulnerability is a buffer overflow of up to a full TCP receive-windows (by default 10k-64k depending on version). The buffer overflow happens in the task calling recv()/recvfrom()/recvmsg(). Applications that pass a buffer equal to or larger than a full TCP window are not susceptible to this attack. Applications passing a stack-allocated variable as buffer are the easiest to exploit. The most likely outcome is a crash of the application reading from the affected socket. In the worst-case scenario, this vulnerability can potentially lead to RCE.