Lzx_Decoder::init() initializes the vector Lzx_Decoder->window to a fixed size of 2^method bytes, which is then used during Lzx_Decoder::Extract(). It’s possible for LZX compressed streams to exceed this size. Writes to the window buffer are bounds checked, but only after the write is completed.
A major component of Comodo Antivirus is the x86 emulator, which includes a number of shims for win32 API routines so that common API calls work in emulated programs (CreateFile, LoadLibrary, etc). The emulator itself is located in MACH32.DLL, which is compiled without /DYNAMICBASE, and runs as NT AUTHORITYSYSTEM. These API routines access memory from […]
Wireshark suffers from a crash vulnerability due to a static memory out-of-bounds write that can be observed in an ASAN build of Wireshark .
In COleMemFile::LoadDiFatList, values from the header are used to parse the document FAT. If header.csectDif is very high, the calculation overflows and a very small buffer is allocated. The document FAT is then memcpy’d onto the buffer directly from the input file being scanned, resulting in a nice clean heap overflow. This vulnerability is obviously […]
The Comodo Antivirus LZMA decoder performs insufficient parameter checks, resulting in a heap overflow vulnerability.
Packman is an obscure opensource executable packer that Comodo Antivirus attempts to unpack during scanning. If the compression method is set to algorithm 1, compression parameters are read directly from the input executable without validation. Fuzzing this unpacker revealed a variety of crashes due to this, such as causing pointer arithmetic in CAEPACKManUnpack::DoUnpack_With_NormalPack to move […]
Comodo Antivirus includes a x86 emulator that is used to unpack and monitor obfuscated executables, this is common practice among antivirus products. The idea is that emulators can run the code safely for a short time, giving the sample enough time to unpack itself or do something that can be profiled. Needless to say, this […]
WordPress Brandfolder plugin versions 3.0 and below suffer from local and remote file inclusion vulnerabilities.
WordPress Dharma Booking plugin versions 2.28.3 and below suffer from local and remote file inclusion vulnerabilities.
WordPress Memphis Document Library plugin version 3.1.5 suffers from an arbitrary file download vulnerability.