Security News -  Security Reviews -   Exploits -  Tools -  UNIX Focus -  Windows Focus
SecuriTeam™  Beyond Security®  SecuriTeam™ Home  Ask the Team  Mailing Lists  Advertising Info  Blogs SecuriTeam™ in Your Inbox   E-mail this CVE-2006-4513 to a friend New vulnerability? New tool? Tell us	CVE-2006-4513 Multiple Vendor wvWare Integer Overflow Vulnerabilities (LFO, LVL)     Credit: The information has been provided by iDefense. The original article(s) can be found at: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=433 http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=434 Website Security Scan Code Vulnerability Test Network Assessment Tool Detect hidden vulnerabilities Exhaustive automated testing Real-time, continuous security Get guidance from professionals of internal or 3rd party code. scanning for your entire network    CVE-2006-4513 Details Check for CVE-2006-4513 Vulnerability Assessment and Management. Automated Pen Testing for 50 to 50,000 nodes beyondsecurity.com/vulnerability-scanner Vulnerable Systems:  * WV library version 1.2.2.  * Earlier versions are suspected to be vulnerable as well. LFO Count Integer Overflow Vulnerability: When parsing documents, two user supplied integer values are multiplied without checking for an overflow condition. 89 int 90 wvGetLFO_PLF (LFO ** lfo, U32 * nolfo, U32 offset, U32 len, wvStream * fd) ... 101 *nolfo = read_32ubit (fd); ... 104 *lfo = (LFO *) wvMalloc (*nolfo * sizeof (LFO)); ... 112 for (i = 0; i < *nolfo; i++) 113 wvGetLFO (&((*lfo)[i]), fd); As can be seen from the source code above, an attacker supplied integer value is read from the file on line 101. On line 104, memory for that number of structures is allocated based on the supplied number multiplied by the size of the structures. Any value larger than 2^^32 / sizeof(LFO) will cause an integer overflow. Lines 112 and 113 show the loop used for reading data into the newly allocated heap buffer. When integer overflow occurs, the loop will store data beyond the end of the allocated heap buffer. LVL Count Integer Overflow Vulnerability: When parsing documents, an attacker supplied integer value is multiplied with a constant without checking for an overflow condition. 35 int 36 wvGetLFO_records (LFO ** lfo, LFOLVL ** lfolvl, LVL ** lvl, U32 *nolfo, 37 U32 * nooflvl, U32 offset, U32 len, wvStream *fd) 38 { .. 47 for (i = 0; i < *nolfo; i++) 48 *nooflvl += (*lfo)[i].clfolvl; .. 59 *lfolvl = (LFOLVL *) wvMalloc (sizeof (LFOLVL) * *nooflvl); 60 *lvl = (LVL *) wvMalloc (sizeof (LVL) * *nooflvl); On lines 47 and 48, a loop of '*nolfo' iterations increments '*nooflvl' by an attacker supplied 8-bit value read from the file. Lines 59 and 60 will use the calculated value to allocate memory for two different dynamic structure arrays. Since no input validation is done, integer overflow can occur. If an integer overflow, or wrap-around, does occur it will lead to a heap overflow situation. A remote attacker could execute arbitrary code as a user that uses a WV library dependent product to handle a malicious Microsoft Word document. CVE Information: CVE-2006-4513 Vendor Status: The wvWare maintainers have addressed this vulnerability by releasing version 1.2.3. Disclosure Timeline:  * - 08/17/2006 Initial vendor notification  * - 10/18/2006 Initial vendor response  * - 10/18/2006 Second vendor notification  * - 10/26/2006 Coordinated public disclosure  Comments on CVE-2006-4513:  Add new comment:  Subject:  Name/Nick/Email:          Chars Left:	All Sections Security News Unix focus Exploits Tools Windows focus Security Reviews
	Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

Copyright © 1998-2010 Beyond Security® All rights reserved.
Terms of Use Site Privacy Statement.
SecuriTeam™ is a trademark of Beyond Security®