The new and the forgotten
My latest advisory exploits a buffer overflow vulnerability in CoolPlayer. The vulnerability occurs when the "PlaylistSkin" variable is set to 1534 characters, or 1538 including EIP. Besides a couple of security vulnerabilities, CoolPlayer is a pretty cool app!
I've recently created version 2 of both of my fuzzers, FormatFuzz and PacketFuzz, which are currently private. FormatFuzz assisted in the discovery of BadAllocation vulnerabilities in Liferea RSS Reader (1.2.2) and RealPlayer (10.0.9.809 [gold]). PacketFuzz detected a stack overflow vulnerability in a Linksys WAG54G Wireless ADSL Router.
The BadAlloc error in Liferea occurs when a "title" tag contains around 5000 characters. The vulnerability is triggered when the user attempts to remove the subscription. In regard to RealPlayer, when the application receives a "favorite" with an overly long string, the application crashes.
Proof of concept: liferea-badalloc.pl (Liferea)
Proof of concept: realplay-badalloc.pl (RealPlayer)
The stack overflow vulnerability in the Linksys WAG54G router occurs when the HTTPd service receives an overly long GET or POST request of approximately 10240 characters. This vulnerability has been reported in various other Linksys products, yet the vulnerability in the WAG54G has not been reported.
Proof of concept: wag54g-DoS.phps
I've been hesitant about posting the errors in Liferea, RealPlayer, and the WAG54G for various reasons, so I doubt I'll release an advisory for the above three, only CoolPlayer. The others are just something fun to play with!
Just now, as I was searching my vulnerability stockpile, I found a file I had on FreeSSHd. It listed more vulnerable functions I'd discovered in the software. Basically every SFTP operation in the software is vulnerable to a buffer overflow! After JB's first FreeSSHd post, I discontinued my research on the vulnerabilities.
Anyway, Christmas (Thursday) is not very far away now - I'm definitely looking forward to having some time to relax.