<![CDATA[eEye Zero-Day Tracker]]>

<![CDATA[eEye Zero-Day Tracker]]> http://www.eeye.com/resources/security-center/research/zero-day-tracker/2011/20111206 <![CDATA[Adobe Reader/Acrobat U3D Memory Corruption Vulnerability]]> Tue, 06 Dec 2011 08:00:00 GMT http://www.eeye.com/resources/security-center/research/zero-day-tracker/2011/20111114 <![CDATA[Firefox 8.0 Null Pointer Dereference Vulnerability]]> Mon, 14 Nov 2011 08:00:00 GMT http://www.eeye.com/resources/security-center/research/zero-day-tracker/2011/20111114-(1) <![CDATA[Apple OS X Sandbox Predefined Profile Bypass Vulnerability]]>
Note: According to CORE's advisory, Apple does not believe this issue has any security implications and they intend to update their documentation to reflect the sandbox profile's functionality. ]]> Thu, 10 Nov 2011 08:00:00 GMT http://www.eeye.com/resources/security-center/research/zero-day-tracker/2011/20111104 <![CDATA[Microsoft Excel 2003 Use After Free]]> Fri, 04 Nov 2011 07:00:00 GMT http://www.eeye.com/resources/security-center/research/zero-day-tracker/2011/20111102 <![CDATA[Apache HTTP Server ap_pregsub() buffer overflow]]> Wed, 02 Nov 2011 07:00:00 GMT http://www.eeye.com/resources/security-center/research/zero-day-tracker/2011/20111025 <![CDATA[Trend Micro IWSS 3.1 privilege escalation]]> Tue, 25 Oct 2011 07:00:00 GMT http://www.eeye.com/resources/security-center/research/zero-day-tracker/2011/20111018 <![CDATA[Skype Multiple 0day Vulnerabilities]]> Tue, 18 Oct 2011 07:00:00 GMT http://www.eeye.com/resources/security-center/research/zero-day-tracker/2011/20111012-(1) <![CDATA[VMware ESXi and ESX Multiple Vulnerabilities]]> Wed, 12 Oct 2011 07:00:00 GMT http://www.eeye.com/resources/security-center/research/zero-day-tracker/2011/20110923 <![CDATA[Internet Explorer MHTML Mime-Formatted Request Vulnerability]]> Fri, 23 Sep 2011 07:00:00 GMT http://www.eeye.com/resources/security-center/research/zero-day-tracker/2011/20110918 <![CDATA[OS X Lion Fails to Verify Authentication Before Changing User Password]]> Sun, 18 Sep 2011 07:00:00 GMT http://www.eeye.com/resources/security-center/research/zero-day-tracker/2011/20110918-(1) <![CDATA[OS X Lion Fails to Protect Users' Password Hashes]]> Sun, 18 Sep 2011 07:00:00 GMT http://www.eeye.com/resources/security-center/research/zero-day-tracker/2011/20110902 <![CDATA[Apple Mac OS X Keychain Certificate Security Bypass]]> Fri, 02 Sep 2011 07:00:00 GMT http://www.eeye.com/resources/security-center/research/zero-day-tracker/2011/20110725 <![CDATA[Mac OS X Lion OpenLDAP Security Bypass]]> Mon, 25 Jul 2011 07:00:00 GMT http://www.eeye.com/resources/security-center/research/zero-day-tracker/2011/17273 <![CDATA[Symantec Backup Exec System Recovery 8.5 Kernel Pointer Dereference]]> Thu, 12 May 2011 07:00:00 GMT http://www.eeye.com/resources/security-center/research/zero-day-tracker/2011/20110412 <![CDATA[Microsoft HTML Help]]> Tue, 12 Apr 2011 07:00:00 GMT http://www.eeye.com/resources/security-center/research/zero-day-tracker/2011/20110402 <![CDATA[IE9 VUPEN Non-disclosed Remote Code Execution Vullnerability]]> Sat, 02 Apr 2011 07:00:00 GMT http://www.eeye.com/resources/security-center/research/zero-day-tracker/2011/20110311 <![CDATA[PHP Substr_Replace Memory Corruption]]> Sun, 13 Mar 2011 08:00:00 GMT http://www.eeye.com/resources/security-center/research/zero-day-tracker/2011/20110307 <![CDATA[Microsoft .NET Framework Optimization Service Privilege Escalation]]> Mon, 07 Mar 2011 08:00:00 GMT http://www.eeye.com/resources/security-center/research/zero-day-tracker/2011/20110222 <![CDATA[Citrix Licensing Server 11.x Unspecified Vulnerabilities]]> Tue, 22 Feb 2011 08:00:00 GMT http://www.eeye.com/resources/security-center/research/zero-day-tracker/2011/20110215 <![CDATA[Oracle 10/11g exp.exe - param file Local Buffer Overflow]]> Tue, 15 Feb 2011 08:00:00 GMT http://www.eeye.com/resources/security-center/research/zero-day-tracker/2010/20101222-(1) <![CDATA[Microsoft WMI Administrative Tools ActiveX Remote Code Execution]]> Wed, 22 Dec 2010 08:00:00 GMT http://www.eeye.com/resources/security-center/research/zero-day-tracker/2010/20101104 <![CDATA[Adobe Reader printSeps() Heap Corruption]]> Thu, 04 Nov 2010 07:00:00 GMT http://www.eeye.com/resources/security-center/research/zero-day-tracker/2010/20101102 <![CDATA[Trend Micro Titanium Maximum Security 2011 Local Kernel Level Privilege Escalation]]> Tue, 02 Nov 2010 07:00:00 GMT http://www.eeye.com/resources/security-center/research/zero-day-tracker/2010/20100914 <![CDATA[Microsoft Outlook Web Access (OWA) CSRF Privilege Elevation Vulnerability]]> Tue, 14 Sep 2010 07:00:00 GMT http://www.eeye.com/resources/security-center/research/zero-day-tracker/2010/20100823 <![CDATA[Microsoft Windows Insecure Library Loading Vulnerability (DLL Hijacking)]]> Mon, 23 Aug 2010 07:00:00 GMT http://www.eeye.com/resources/security-center/research/zero-day-tracker/2010/20100811 <![CDATA[Windows Service Isolation Bypass Privilege Elevation Vulnerability]]> Wed, 11 Aug 2010 07:00:00 GMT http://www.eeye.com/resources/security-center/research/zero-day-tracker/2010/20100630 <![CDATA[Microsoft Internet Explorer 6 Memory Address Disclosure ]]> Wed, 30 Jun 2010 07:00:00 GMT http://www.eeye.com/resources/security-center/research/zero-day-tracker/2010/20100608 <![CDATA[Microsoft Office XP COM Object Instantiation Validation Vulnerability]]> Tue, 08 Jun 2010 07:00:00 GMT http://www.eeye.com/resources/security-center/research/zero-day-tracker/2006/20061028 <![CDATA[Internet Connection Sharing DoS]]> Sat, 28 Oct 2006 07:00:00 GMT http://www.eeye.com/resources/security-center/research/zero-day-tracker/2005/20051116 <![CDATA[RPC Memory Exhaustion]]>
For the UPNP service, the vulnerable function is PNP_GetDeviceList(), which is available over the RPC endpoint for the UPNP (8D9F4E40-A03D-11CE-8F69-08003E30051B) in opnum 0x0A. The MIDL for the vulnerable opnum is:
long PNP_GetDeviceList (
[in][unique][string] wchar_t * arg_1,
[out][size_is(*arg_3)][length_is(*arg_3)] wchar_t * arg_3, //vulnerable argument
[in, out] long * arg_3, //vulnerable argument
[in] long arg_4
);

Regarding the Print Spooler service, the vulnerable function is GetPrinterData(), which is available over the RPC endpoint for the SPOOLSS (12345678-1234-abcd-ef00-0123456789ab) in opnum 0x1A. The MIDL for the vulnerable opnum is:
long RpcGetPrinterData (
[in][context_handle] void * arg_1,
[in][string] wchar_t * arg_2,
[out] long * arg_3,
[out][size_is(arg_5)] char * arg_4, //vulnerable argument
[in] long arg_5, //vulnerable argument
[out] long * arg_6
);

NOTE: Because the vulnerability is inherent within RPC and not these specific services, it is likely that other services are also "vulnerable" to the same exploitation.]]> Wed, 16 Nov 2005 08:00:00 GMT