ssh-add in OpenSSH before 9.3 adds smartcard keys to ssh-agent without the intended per-hop destination constraints.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[day\] \[month\] \[year\] \[list\]

Date: Wed, 15 Mar 2023 17:18:38 -0600 (MDT)
From: Damien Miller <djm@....openbsd.org>
To: oss-security@...ts.openwall.com
Subject: Announce: OpenSSH 9.3 released

OpenSSH 9.3 has just been released. It will be available from the
mirrors listed at https://www.openssh.com/ shortly.

OpenSSH is a 100% complete SSH protocol 2.0 implementation and
includes sftp client and server support.

Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested snapshots or donated to the
project. More information on donations may be found at:
https://www.openssh.com/donations.html

Changes since OpenSSH 9.2
=========================

This release fixes a number of security bugs.

Security
========

This release contains fixes for a security problem and a memory
safety problem. The memory safety problem is not believed to be
exploitable, but we report most network-reachable memory faults as
security bugs.

 \* ssh-add(1): when adding smartcard keys to ssh-agent(1) with the
   per-hop desination constraints (ssh-add -h ...) added in OpenSSH
   8.9, a logic error prevented the constraints from being
   communicated to the agent. This resulted in the keys being added
   without constraints. The common cases of non-smartcard keys and
   keys without destination constraints are unaffected. This problem
   was reported by Luci Stanescu.

 \* ssh(1): Portable OpenSSH provides an implementation of the
   getrrsetbyname(3) function if the standard library does not
   provide it, for use by the VerifyHostKeyDNS feature. A
   specifically crafted DNS response could cause this function to
   perform an out-of-bounds read of adjacent stack data, but this
   condition does not appear to be exploitable beyond denial-of-
   service to the ssh(1) client.

   The getrrsetbyname(3) replacement is only included if the system's
   standard library lacks this function and portable OpenSSH was not
   compiled with the ldns library (--with-ldns). getrrsetbyname(3) is
   only invoked if using VerifyHostKeyDNS to fetch SSHFP records. This
   problem was found by the Coverity static analyzer.

New features
------------

 \* ssh-keygen(1), ssh-keyscan(1): accept -Ohashalg=sha1|sha256 when
   outputting SSHFP fingerprints to allow algorithm selection. bz3493
    
 \* sshd(8): add a \`sshd -G\` option that parses and prints the
   effective configuration without attempting to load private keys
   and perform other checks. This allows usage of the option before
   keys have been generated and for configuration evaluation and
   verification by unprivileged users.

Bugfixes
--------

 \* scp(1), sftp(1): fix progressmeter corruption on wide displays;
   bz3534

 \* ssh-add(1), ssh-keygen(1): use RSA/SHA256 when testing usability
   of private keys as some systems are starting to disable RSA/SHA1
   in libcrypto.

 \* sftp-server(8): fix a memory leak. GHPR363

 \* ssh(1), sshd(8), ssh-keyscan(1): remove vestigal protocol
   compatibility code and simplify what's left.

 \* Fix a number of low-impact Coverity static analysis findings.
   These include several reported via bz2687

 \* ssh\_config(5), sshd\_config(5): mention that some options are not
   first-match-wins.

 \* Rework logging for the regression tests. Regression tests will now
   capture separate logs for each ssh and sshd invocation in a test.

 \* ssh(1): make \`ssh -Q CASignatureAlgorithms\` work as the manpage
   says it should; bz3532.

 \* ssh(1): ensure that there is a terminating newline when adding a
   new entry to known\_hosts; bz3529

Portability
-----------

 \* sshd(8): harden Linux seccomp sandbox. Move to an allowlist of
   mmap(2), madvise(2) and futex(2) flags, removing some concerning
   kernel attack surface.

 \* sshd(8): improve Linux seccomp-bpf sandbox for older systems;
   bz3537

Checksums:
==========

- SHA1 (openssh-9.3.tar.gz) = 5f9d2f73ddfe94f3f0a78bdf46704b6ad7b66ec7
- SHA256 (openssh-9.3.tar.gz) = eRcXkFZByz70DUBUcyIdvU0pVxP2X280FrmV8pyUdrk=

- SHA1 (openssh-9.3p1.tar.gz) = 610959871bf8d6baafc3525811948f85b5dd84ab
- SHA256 (openssh-9.3p1.tar.gz) = 6bq6dwGnalHz2Fpiw4OjydzZf6kAuFm8fbEUwYaK+Kg=

Please note that the SHA256 signatures are base64 encoded and not
hexadecimal (which is the default for most checksum tools). The PGP
key used to sign the releases is available from the mirror sites:
https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE\_KEY.asc

Reporting Bugs:
===============

- Please read https://www.openssh.com/report.html
  Security bugs should be reported directly to openssh@...nssh.com

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2023-28531: security - Announce: OpenSSH 9.3 released

An invalid memory address dereference was discovered in dwfl_segment_report_module.c in libdwfl in elfutils through v0.174. The vulnerability allows attackers to cause a denial of service (application crash) with a crafted ELF file, as demonstrated by consider_notes.

CVE-2018-18310: Mark Wielaard - [PATCH] libdwfl: Sanity check partial core file data reads.

Ubuntu Security Notice 5770-1 - Todd Eisenberger discovered that certain versions of GNU Compiler Collection could be made to clobber the status flag of RDRAND and RDSEED with specially crafted input. This could potentially lead to less randomness in random number generation.

    ==========================================================================Ubuntu Security Notice USN-5770-1December 08, 2022gcc-5, gccgo-6 vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 16.04 ESMSummary:GNU Compiler Collection's (GCC) random number generation could bemade less random with specially crafted input.Software Description:- gcc-5: GNU C compiler- gccgo-6: GNU Go compilerDetails:Todd Eisenberger discovered that certain versions of GNU CompilerCollection (GCC) could be made to clobber the status flag of RDRANDand RDSEED with specially crafted input. This could potentially leadto less randomness in random number generation.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 16.04 ESM:g++-5 5.4.0-6ubuntu1~16.04.12+esm2gcc-5 5.4.0-6ubuntu1~16.04.12+esm2gccgo-5 5.4.0-6ubuntu1~16.04.12+esm2gccgo-6 6.0.1-0ubuntu1+esm1gcj-5 5.4.0-6ubuntu1~16.04.12+esm2gcj-5-jdk 5.4.0-6ubuntu1~16.04.12+esm2gcj-5-jre-headless 5.4.0-6ubuntu1~16.04.12+esm2gdc-5 5.4.0-6ubuntu1~16.04.12+esm2gfortran-5 5.4.0-6ubuntu1~16.04.12+esm2gnat-5 5.4.0-6ubuntu1~16.04.12+esm2In general, a standard system update will make all the necessary changes.References:https://ubuntu.com/security/notices/USN-5770-1CVE-2017-11671

Ubuntu Security Notice USN-5770-1

Allocation of Resources Without Limits or Throttling in GitHub repository ikus060/rdiffweb prior to 2.5.0a4.

  

@@ -132,6 +132,7 @@ This next release focus on two-factor-authentication as a measure to increase se

\* Generate a new session on login and 2FA #220

\* Enforce permission on /etc/rdiffweb configuration folder

\* Enforce validation on fullname, username and email

\* Limit incorrect attempts to change the user's password to prevent brute force attacks #225 \[CVE-2022-3273\](https://nvd.nist.gov/vuln/detail/CVE-2022-3273)

  

Breaking changes:

  

@@ -69,7 +69,7 @@ def flash(message, level='info'):

assert level in \['info', 'error', 'warning', 'success'\]

if 'flash' not in cherrypy.session: \# @UndefinedVariable

cherrypy.session\['flash'\] \= \[\] \# @UndefinedVariable

flash\_message \= FlashMessage(message, level)

flash\_message \= FlashMessage(str(message), level)

cherrypy.session\['flash'\].append(flash\_message)

  

  

@@ -159,7 +159,7 @@ def validate\_mfa(self, field):

def populate\_obj(self, userobj):

\# Save password if defined

if self.password.data:

userobj.set\_password(self.password.data, old\_password\=None)

userobj.set\_password(self.password.data)

userobj.role \= self.role.data

userobj.fullname \= self.fullname.data or ''

userobj.email \= self.email.data or ''

@@ -29,6 +29,10 @@

from rdiffweb.core.model import UserObject

from rdiffweb.tools.i18n import gettext\_lazy as \_

  

\# Maximum number of password change attempt before logout

CHANGE\_PASSWORD\_MAX\_ATTEMPT \= 5

CHANGE\_PASSWORD\_ATTEMPTS \= 'change\_password\_attempts'

  

  

class UserProfileForm(CherryForm):

action \= HiddenField(default\='set\_profile\_info')

@@ -85,11 +89,30 @@ def is\_submitted(self):

return super().is\_submitted() and self.action.data \== 'set\_password'

  

def populate\_obj(self, user):

try:

user.set\_password(self.new.data, old\_password\=self.current.data)

flash(\_("Password updated successfully."), level\='success')

except ValueError as e:

flash(str(e), level\='warning')

\# Check if current password is "valid" if Not, rate limit the

\# number of attempts and logout user after too many invalid attempts.

if not user.validate\_password(self.current.data):

cherrypy.session\[CHANGE\_PASSWORD\_ATTEMPTS\] \= cherrypy.session.get(CHANGE\_PASSWORD\_ATTEMPTS, 0) + 1

attempts \= cherrypy.session\[CHANGE\_PASSWORD\_ATTEMPTS\]

if attempts \>= CHANGE\_PASSWORD\_MAX\_ATTEMPT:

cherrypy.session.clear()

cherrypy.session.regenerate()

flash(

\_("You were logged out because you entered the wrong password too many times."),

level\='warning',

)

raise cherrypy.HTTPRedirect('/login/')

flash(\_("Wrong current password."), level\='warning')

else:

\# Clear number of attempts

if CHANGE\_PASSWORD\_ATTEMPTS in cherrypy.session:

del cherrypy.session\[CHANGE\_PASSWORD\_ATTEMPTS\]

\# If Valid, update password

try:

user.set\_password(self.new.data)

flash(\_("Password updated successfully."), level\='success')

except ValueError as e:

flash(str(e), level\='warning')

  

  

class RefreshForm(CherryForm):

@@ -182,7 +182,7 @@ def test\_change\_password\_with\_wrong\_confirmation(self):

  

def test\_change\_password\_with\_wrong\_password(self):

self.\_set\_password("oups", "pr3j5Dwi", "pr3j5Dwi")

self.assertInBody("Wrong password")

self.assertInBody("Wrong current password")

  

def test\_change\_password\_with\_too\_short(self):

self.\_set\_password(self.PASSWORD, "short", "short")

@@ -193,6 +193,21 @@ def test\_change\_password\_with\_too\_long(self):

self.\_set\_password(self.PASSWORD, new\_password, new\_password)

self.assertInBody("Password must have between 8 and 128 characters.")

  

def test\_change\_password\_too\_many\_attemps(self):

\# When udating user's password with wrong current password 5 times

for \_i in range(1, 5):

self.\_set\_password('wrong', "pr3j5Dwi", "pr3j5Dwi")

self.assertStatus(200)

self.assertInBody("Wrong current password.")

\# Then user session is cleared and user is redirect to login page

self.\_set\_password('wrong', "pr3j5Dwi", "pr3j5Dwi")

self.assertStatus(303)

self.assertHeaderItemValue('Location', self.baseurl + '/login/')

\# Then a warning message is displayed on login page

self.getPage('/login/')

self.assertStatus(200)

self.assertInBody('You were logged out because you entered the wrong password too many times.')

  

def test\_change\_password\_method\_get(self):

\# Given an authenticated user

\# Trying to update password with GET method

@@ -21,7 +21,6 @@

from cherrypy.process.plugins import SimplePlugin

  

from rdiffweb.core.model import UserObject

from rdiffweb.core.passwd import check\_password

  

logger \= logging.getLogger(\_\_name\_\_)

  

@@ -52,7 +51,7 @@ def authenticate(self, username, password):

Only verify the user's credentials using the database store.

"""

user \= UserObject.query.filter\_by(username\=username).first()

if user and check\_password(password, user.hash\_password):

if user and user.validate\_password(password):

return username, {}

return False

  

@@ -344,13 +344,12 @@ def is\_ldap(cls):

def is\_maintainer(self):

return self.role <= self.MAINTAINER\_ROLE

  

def set\_password(self, password, old\_password\=None):

def set\_password(self, password):

"""

Change the user's password. Raise a ValueError if the username or

the password are invalid.

"""

assert isinstance(password, str)

assert old\_password is None or isinstance(old\_password, str)

if not password:

raise ValueError("password can't be empty")

cfg \= cherrypy.tree.apps\[''\].cfg

@@ -359,9 +358,6 @@ def set\_password(self, password, old\_password=None):

if self.username \== cfg.admin\_user and cfg.admin\_password:

raise ValueError(\_("can't update admin-password defined in configuration file"))

  

if old\_password and not check\_password(old\_password, self.hash\_password):

raise ValueError(\_("Wrong password"))

  

\# Check password length

if cfg.password\_min\_length \> len(password) or len(password) \> cfg.password\_max\_length:

raise ValueError(

@@ -448,6 +444,9 @@ def validate\_access\_token(self, token):

return True

return False

  

def validate\_password(self, password):

return check\_password(password, self.hash\_password)

  

  

@event.listens\_for(UserObject.hash\_password, "set")

def hash\_password\_set(target, value, oldvalue, initiator):

@@ -200,28 +200,6 @@ def test\_set\_password\_update(self):

\# Check if listener called

self.listener.user\_password\_changed.assert\_called\_once\_with(userobj)

  

def test\_set\_password\_with\_old\_password(self):

\# Given a user in drabase with a password

userobj \= UserObject.add\_user('john', 'password')

self.listener.user\_password\_changed.reset\_mock()

\# When updating the user's password with old\_password

userobj.set\_password('new\_password', old\_password\='password')

\# Then password is SSHA

self.assertTrue(check\_password('new\_password', userobj.hash\_password))

\# Check if listener called

self.listener.user\_password\_changed.assert\_called\_once\_with(userobj)

  

def test\_set\_password\_with\_invalid\_old\_password(self):

\# Given a user in drabase with a password

userobj \= UserObject.add\_user('foo', 'password')

self.listener.user\_password\_changed.reset\_mock()

\# When updating the user's password with wrong old\_password

\# Then an exception is raised

with self.assertRaises(ValueError):

userobj.set\_password('new\_password', old\_password\='invalid')

\# Check if listener called

self.listener.user\_password\_changed.assert\_not\_called()

  

def test\_delete\_user(self):

\# Given an existing user in database

userobj \= UserObject.add\_user('vicky')

**0 comments on commit b5e3bb0**

Please sign in to comment.

CVE-2022-3273: Limit incorrect attempts to change the user's password to prevent bru… · ikus060/rdiffweb@b5e3bb0

As digital threats against US water, food, health care, and other vital sectors loom large, a new project called UnDisruptable27 aims to help fix cybersecurity weaknesses where other efforts have failed.

An endless parade of data breaches, brutally disruptive ransomware attacks, and crippling IT outages has somehow become the norm around the world. And in spite of escalating impacts to critical infrastructure and daily life, progress has been intermittent and often fleeting. Something's gotta give—and at the BSides Las Vegas security conference this week, a longtime critical-infrastructure security researcher is launching a project to communicate with utility operators, municipalities, and regular people in creative ways about both urgency and optimism around protecting critical infrastructure now.

Dubbed UnDisruptable27, the project will start as a pilot with a $700,000 grant for the first year through Craig Newmark Philanthropies' Cyber Civil Defense coalition. Led by Josh Corman, who was chief strategist for the US Cybersecurity and Infrastructure Security Agency's Covid Task Force, in collaboration with the Institute for Security and Technology (IST), the project will focus on the critical interdependence of water, food, emergency medical care, and power as the backbone of human safety. Corman says that the key goal is to foster new discourse about these challenges inspired by the disaster management tenets “inform, influence, inspire.” In other words, people need to understand the risks and feel empowered that they can take action.

“We are overdependent on undependable things. No one should feel comfortable with the potential for harm here with our current state of defense,” Corman told WIRED ahead of the announcement. “Our dependence on connected tech has grown faster than our ability to secure it. People have been doing good things, but public policy takes time, and I think this year we need to cross certain thresholds on the sense of urgency.”

One of Corman's main motivations to launch the effort as quickly as possible came from comments made during a January congressional hearing about the cybersecurity threat China poses to the US. In the hearing, then Cyber Command head and NSA director Paul Nakasone, Cybersecurity and Infrastructure Security Agency director Jen Easterly, FBI director Christopher Wray, and head of the Office of the National Cyber Director Harry Coker Jr. testified about pressing threats to US critical infrastructure, including specific campaigns the Chinese hacking group known as Volt Typhoon has been conducting to pre-position itself in US water infrastructure. The goal of this targeting is apparently to create leverage and a credible threat against the US as part of a Chinese plan to invade Taiwan, potentially in 2027.

“The budgets that emerge from discussions underway now will dictate what kind of resources we have ready in 2027, a year that, as this committee knows all too well, the CCP has circled on its calendar,” Wray told the US House of Representatives committee in January. “And that year will be on us before you know it. As I've described, the PRC is already today putting their pieces in place. I do not want those watching today to think we can't protect ourselves, but I do want the American people to know that we cannot afford to sleep on this danger.”

Having worked on embedded device security and critical infrastructure defense for years, including through the decade-old grassroots computer security and human safety initiative he founded known as I Am the Cavalry, Corman says that it felt significant that some of the nation's top intelligence officials were warning Congress of such specific threats to US infrastructure in an unclassified setting.

“It’s not just that the water goes out, it’s that when the sole wastewater facility in your community is down really bad things start to happen. For example, no water means no hospital,” he says. “I really encountered a lot of this during my leadership of the Covid Task Force. There is such interdependence across the basic functions of society.”

UnDisruptable27 will focus on interacting with communities who aren't reached by Washington, DC-based policy discussions or Information Sharing and Analysis Centers (ISACs), which are meant to represent each infrastructure sector of the US. The project aims to communicate directly with people who actually work on the ground in US critical infrastructure, and grapple together with the reality that cybersecurity-related disasters could impact their daily work.

“There’s a data breach, you get whatever services like identity protection for some period of time, and life carries on, and people think that there’s no long-term impact," says Megan Stifel, IST's chief strategy officer. “There’s this expectation that it’s fine, things will just continue. So we’re very interested in getting after this issue and thinking about how do we tackle critical infrastructure security with perhaps a new approach.”

Corman notes that even though cybersecurity incidents have become a well-known fact of life, business owners and infrastructure operators are often shaken and caught off guard when a cybersecurity incident actually affects them. Meanwhile, when government entities try to impose cybersecurity standards or become a partner on defense initiatives, communities often balk at the intrusion and perceived overreach. Last year, for example, the US Environmental Protection Agency was forced to rescind new cybersecurity guidelines for water systems after water companies and Republicans in Congress filed a lawsuit over the initiative.

“Time and time again, trade associations or lobbyists or owners and operators have an allergic reaction to oversight and say, ‘We prefer voluntary, we’re doing fine on our own,’” Corman says. “And they really are trying to do the right thing. But then also time and time again, people are just shocked that disruption could happen and feel very blindsided. So you can only conclude that the people who feel the pain of our failures are not included in the conversation. They deserve to understand the risks inherent in this level of connectivity. We’ve tried a lot of things, but we have not tried just leveling with people.”

UnDisruptable27 is launching this week for visibility among attendees at BSides as well as the other conferences, Black Hat and Defcon, that will run through Sunday in Las Vegas. Corman says that the goal is to combine the hacker mentality and, essentially, a call for volunteers with plans to work with creative collaborators on producing engaging content to fuel discourse and understanding. Information campaigns using memes and social media posts or moonshots like narrative podcasts and even reality TV are all on the table.

“We must prioritize the security, safety, and resilience of critical infrastructure—including water, health care facilities, and utilities," Craig Newmark, the Craigslist founder whose philanthropy is funding UnDisruptable27, told WIRED. "The urgency of this issue requires affecting human behavior through storytelling.”

A New Plan to Break the Cycle of Destructive Critical Infrastructure Hacks

Code Sector TeraCopy 3.9.7 does not perform proper access validation on the source folder during a copy operation. This leads to Arbitrary File Read by allowing any user to copy any directory in the system to a directory they control.

CVE-2023-29586: CWE - CWE-285: Improper Authorization (4.10)

An exploitable code execution vulnerability exists in the fsck_chk_orphan_node functionality of F2fs-Tools F2fs.Fsck 1.13. A specially crafted f2fs filesystem can cause a heap buffer overflow resulting in a code execution. An attacker can provide a malicious file to trigger this vulnerability.

**Summary**

An exploitable code execution vulnerability exists in the fsck\_chk\_orphan\_node functionality of F2fs-Tools F2fs.Fsck 1.13. A specially crafted f2fs filesystem can cause a heap buffer overflow resulting in a code execution. An attacker can provide a malicious file to trigger this vulnerability.

**Tested Versions**

F2fs-Tools F2fs.Fsck 1.13

**Product URLs**

https://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs-tools.git

**CVSSv3 Score**

8.2 - CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

**CWE**

CWE-131 - Incorrect Calculation of Buffer Size

**Details**

The f2fs-tools set of utilities is used specifically for creating, checking and fixing f2fs (Flash-Friendly File System) files, a file system that has been replacing ext4 more recently in embedded devices, as it was crafted with eMMC chips and sdcards in mind. Fsck.f2fs more specifically is the file-system checking binary for f2fs partitions, and is where this vulnerability lies.

Today’s vulnerability deals with the ability of f2fs to recover files, more specifically in f2fs terms orphan inodes. For instance if a directory gets corrupted, the f2fs filesystem and f2fs.fsck in particular can recover the files within that directory even if the directory cannot be accessed through normal means. The data structure which stores this recovery information is called f2fs_orphan_block structs, and looks like so:

    [~.~]> ptype struct f2fs_orphan_block
    type = struct f2fs_orphan_block {
        __le32 ino[1020];      // [1]
        __le32 reserved;
        __le16 blk_addr;
        __le16 blk_count;
        __le32 entry_count;    // [2]
        __le32 check_sum;
    }
    

At \[1\], an array of all the inodes of all the orphaned datablocks lives, while at \[2\], the amount of orphan datablocks is stored. To cut to the chase of this vulnerability, there is no check on the entry_count member of this struct. Knowing that, let us examine where the orphan nodes are read from disk:

    int fsck_chk_orphan_node(struct f2fs_sb_info *sbi)
    {
        u32 blk_cnt = 0;
        block_t start_blk, orphan_blkaddr, i, j;
        struct f2fs_orphan_block *orphan_blk, *new_blk;
        struct f2fs_super_block *sb = F2FS_RAW_SUPER(sbi);
        u32 entry_count;
    
        if (!is_set_ckpt_flags(F2FS_CKPT(sbi), CP_ORPHAN_PRESENT_FLAG))  // [1]
            return 0;
    
        start_blk = __start_cp_addr(sbi) + 1 + get_sb(cp_payload);       //sbi->cp_blkaddr (0x201)
        orphan_blkaddr = __start_sum_addr(sbi) - 1 - get_sb(cp_payload); //ckpt->cp_pack_start_sum
                                                                               // offset(0x8c)
    

At \[1\], there’s a check that we control, and at the comments below that, we get the bounds of the orphan pages on disk, which is completely arbitrary. Each of these orphan pages is read directly into a f2fs_orphan_block as we will see shortly. Continuing on:

      int fsck_chk_orphan_node(struct f2fs_sb_info *sbi){
        //[...]
    
        f2fs_ra_meta_pages(sbi, start_blk, orphan_blkaddr, META_CP);
    
        orphan_blk = calloc(BLOCK_SZ, 1);
        ASSERT(orphan_blk);
    
        new_blk = calloc(BLOCK_SZ, 1);
        ASSERT(new_blk);
    
        for (i = 0; i < orphan_blkaddr; i++) {  // [1]
            int ret = dev_read_block(orphan_blk, start_blk + i); // [2]
            u32 new_entry_count = 0;
    
            ASSERT(ret >= 0);
            entry_count = le32_to_cpu(orphan_blk->entry_count); // [3]
    
            for (j = 0; j < entry_count; j++) {   // [4]
                //[...]
    

At \[1\], we see a loop that is dependent on the amount of orphan pages in the filesystem being analyzed, and at \[2\], we start reading each of these pages into f2fs_orphan_block structures. At \[3\], we directly read the orphan_blk->entry_count member (i.e. how many orphan inodes there are) and at \[4\] we see a loop whose iteration amount depends on a user-controlled value. Already this should be ringing bells, as there is no validation in between \[3\] and \[4\]. Moving on:

            for (j = 0; j < entry_count; j++) {
                nid_t ino = le32_to_cpu(orphan_blk->ino[j]);  // [0]
                DBG(1, "[%3d] ino [0x%x]\n", i, ino);
                struct node_info ni;
                blk_cnt = 1;
    
                // [...]
    
                ret = fsck_chk_node_blk(sbi, NULL, ino, F2FS_FT_ORPHAN, TYPE_INODE, &blk_cnt, NULL); // [1]
    
                if (!ret)
                    new_blk->ino[new_entry_count++] = orphan_blk->ino[j]; // [2]
                else if (ret && c.fix_on)
                    FIX_MSG("[0x%x] remove from orphan list", ino);
                else if (ret)
                    ASSERT_MSG("[0x%x] wrong orphan inode", ino);
            }
    

At \[0\], we can see an out-of-bounds read here, since j has an upper bound of entry_count, and it’s important to note for purposes of exploitation that this out of bounds read pointer (which starts at the top of the orphan blocks’s inodes) always advances, regardless of the value it reads. At \[1\], there is a sanity check on the inode block number read with fsck_chk_node_blk, and while this checking is very intensive and quite thorough, the validity of the inode numbers read is determined by the f2fs partition itself. But why does this sanity checking matter? Because at \[2\], we also have an out of bounds write that occurs, but the write only happens (and the pointer only advances) if the check at \[1\] is valid.

This interesting scenario is technically two different vulnerabilities and is a situation that is extremely exploitable. To start (in android) the read pointer is 0x1000 bytes before the write pointer, but since the validity of inodes is controlled by the partition, the read pointer can be moved ahead of the write pointer, allowing someone to effectively store arbitrary memory in unused heap areas. Then, since we also control the amount of orphan pages (not just the orphan inodes), we can reset the out of bounds pointers while keeping the read pointer before the write pointer, such that we can overwrite other values in memory with our desired value. For specific targets to overwrite, there are function pointers further down in the heap belonging to dict_t objects that get called inside fsck_chk_node_blk during these loops.

Additional note on the exploitation on Android:  
In Google Pixel 3 running Android 10, the f2fs filesystem is used for the /data partition, and, due to the fstab configuration, f2fs.fsck is is always executed on boot on the /data partition. Moreover, since full-disk encryption has been deprecated in favor of file-based encryption, it is possible to corrupt metadata in a reproducible manner. This means that a vulnerability in f2fs.fsck would allow an attacker to gain privileges in its context during boot, which could be the first step to start a chain to maintain persistence on the device, bypassing Android verified boot. Such an attack would require either physical access to the Android device, or a temporary root access in a context that allows to write to block devices from the Android OS.

**Crash Information**

Program received signal SIGSEGV, Segmentation fault.

    [^_^] SIGSEGV
    
    ************************************************************************
    x0         : 0x7f00000101                   | x18        : 0x7fb7c10000
    x1         : 0x0                            | x19        : 0x1000
    x2         : 0x1000                         | x20        : 0x7fb5a7a000
    x3[X]      : 0x55555580e0                   | x21        : 0x7fb5a92000       //quota_ctx
    x4[X]      : 0x55555580ed                   | x22        : 0x7f00000101
    x5         : 0x7fb600a07c                   | x23        : 0x0
    x6         : 0x203e2d20                     | x24[X]     : 0x555557a000
    x7         : 0xa30203e                      | x25        : 0x7f
    x8         : 0x2000                         | x26        : 0x25
    x9         : 0xbc4190939fe90dbd             | x27        : 0x7fb6d8f020
    x10        : 0x0                            | x28        : 0x0
    x11[H]     : 0x555557a510                   | x29[S]     : 0x7ffffff320
    x12        : 0x0                            | x30[X]     : 0x55555610ac
    x13        : 0xce4dff                       | sp[S]      : 0x7ffffff300
    x14        : 0x10                           | pc[X]      : 0x5555560990
    x15[L]     : 0x7fb675b40a                   | cpsr       : 0x80000000
    x16[X]     : 0x5555579458                   | fpsr       : 0x0
    x17[L]     : 0x7fb673fe80                   | fpcr       : 0x0
    ************************************************************************
    0x5555560980 : stp      x22, x21, [sp,#-48]!
    0x5555560984 : stp      x20, x19, [sp,#16]
    0x5555560988 : stp      x29, x30, [sp,#32]
    0x555556098c : add      x29, sp, #0x20
    =>0x5555560990 : ldr    x19, [x0]
    0x5555560994 : cmp      x19, x0
    0x5555560998 : b.eq     0x55555609cc <dict_lookup+76>
    0x555556099c : mov      x20, x0
    0x55555609a0 : mov      x21, x1
    0x55555609a4 : ldr      x8, [x20,#64]
    ************************************************************************
    #0  0x0000005555560990 in dict_lookup ()
    #1  0x00000055555610ac in quota_data_add ()
    #2  0x00000055555614a0 in quota_add_inode_usage ()
    #3  0x000000555556f12c in fsck_chk_node_blk ()
    #4  0x0000005555573178 in fsck_chk_orphan_node ()
    #5  0x0000005555566a20 in main ()
    ************************************************************************
    

**Timeline**

2020-05-08 - Vendor Disclosure  
2020-07-02 - 60 day follow up  
2020-07-20 - 90 day follow up  
2020-10-14 - Zero day public release

Discovered by Lilith >\_> of Cisco Talos.

CVE-2020-6108: TALOS-2020-1050 || Cisco Talos Intelligence Group

util/binfmt_misc/check.go in Builder in Docker Engine before 19.03.9 calls os.OpenFile with a potentially unsafe qemu-check temporary pathname, constructed with an empty first argument in an ioutil.TempDir call.

**Path Traversal in Moby builder**

Moderate severity GitHub Reviewed Published Jan 31, 2024 to the GitHub Advisory Database • Updated Jan 31, 2024

GHSA-6hwg-w5jg-9c6x: Path Traversal in Moby builder

Warpinator before 1.6.0 allows remote file deletion via directory traversal in top_dir_basenames.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[day\] \[month\] \[year\] \[list\]

Date: Wed, 26 Apr 2023 11:54:38 +0200
From: Matthias Gerstner <mgerstner@...e.de>
To: oss-security@...ts.openwall.com
Subject: Warpinator: Remote file deletion vulnerability (CVE-2023-29380)

Hi list,

this report is about a remote file deletion vulnerability in Warpinator
\[1\].

Introduction
============

I already reviewed and found issues in Warpinator a while ago \[2\]. The
openSUSE packager for Warpinator asked me for a follow-up review after
updating to upstream release 1.4.3 which contained the fixes for
CVE-2022-42725.

In the course of the review I found another vulnerability which is
described in detail in the next section.

The Vulnerability
=================

In the code base of version 1.4.3 the sender of a file also sends a list
of \`top\_dir\_basenames\` to the peer. While there is now a verification of
the \`relative\_path\` on the receiving side, the \`top\_dir\_basenames\` are
not verified at all. In \`FileReceiver.\_\_init\_\_()\` the following code is
found:

\`\`\`
    for name in op.top\_dir\_basenames:
        try:
            path = os.path.join(self.save\_path, name)
            if os.path.isdir(path): # file not found is ok
                shutil.rmtree(path)
            else:
                os.remove(path)
        except FileNotFoundError:
            pass
        except Exception as e:
            logging.warning("Problem removing existing files.  Transfer may not succeed: %s" % e)
\`\`\`

If the sender is passing a string like "../" as part of
\`top\_dir\_basenames\` then this code will delete the complete parent
directory of the download directory (by default ~/Warpinator) and thus
the complete home directory of the receiving party. Any other files
under control of the receiving party are similarly endangered by this
remote DoS / integrity attack.

This can happen automatically if the receiving side is running
Warpinator in trusted mode, both parties share the same non-default
group key and unconfirmed file overwrites are allowed. If this is not
the case then the receiving side will see a confirmation popup like

    X wants to send \`../´

This message might not be very suspecting for an average end user. Other
strings can be used here as well like an absolute path to the user's
home directory, which could be interpreted as correct, or overlooked.

I investigated whether the fact that this allows to delete the download
directory completely could lead to a follow-up vulnerability to allow
overwriting files in other paths again. This seems not to be possible
though.  The check of the \`relative\_path()\` is stable enough to prevent
this even if the download directory does not exist at all.

Affectedness
============

The problematic handling of \`top\_dir\_basenames\` was first introduced in
upstream version 1.0.7.

Bugfixes
========

The remote file deletion vulnerability has been fixed upstream via
commit 9aae768 \[3\].

The fact that this vulnerability escaped both upstream's and my own
review efforts during handling of CVE-2022-4272 confirmed earlier
concerns I had about relying on a single line of defense in the
Warpinator codebase. I recommended to upstream to use an isolation
technique like Linux mount namespaces to prevent escapes from the
destined download directory. In the light of this new security issue I
additionally or alternatively recommended a redesign of the codebase to
better separate trusted and untrusted codepaths.

Upstream used the 90 days embargo time we offered to implement isolation
mechanisms either based on Linux namespaces through the Bubblewrap tool,
or based on the Linux kernel's landlock security module. Only if none of
both can be established, Warpinator will run in a legacy mode. In
this case the user will be warned about the weakened security.

The new Warpinator major version release 1.6.0 contains both the bugfix
for this the remote file deletion issue as well as the added security
layers.

Timeline
========

2023-01-25: I reported the newly found issue to upstream and offered
            coordinated disclosure.
2023-03-08: Upstream shared the core changes listed above with us, I
            reviewed them and gave feedback.
2023-04-05: I received CVE-2023-29380 from Mitre to track the file
            deletion issue and shared it with upstream.
2023-04-25: Upstream needed additional time for testing and integration.
            The 90 days maximum embargo period we offer ends and with
	    the 1.6.0 release being available we agreed on the
	    publication of all available information.

References
==========

\[1\]: https://github.com/linuxmint/warpinator
\[2\]: https://seclists.org/oss-sec/2022/q4/38
\[3\]: https://github.com/linuxmint/warpinator/commit/9aae768522b7bbb09c836419893802a02221d663

Best Regards

-- 
Matthias Gerstner <matthias.gerstner@...e.de>
Security Engineer
https://www.suse.com/security
GPG Key ID: 0x14C405C971923553
 
SUSE Software Solutions Germany GmbH
HRB 36809, AG Nürnberg
Geschäftsführer: Ivo Totev, Andrew Myers, Andrew McDonald, Boudien Moerman

**Download attachment "**signature.asc**" of type "**application/pgp-signature**" (834 bytes)**

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2023-29380: security - Warpinator: Remote file deletion vulnerability (CVE-2023-29380)

By Deeba Ahmed
Conor Brian Fitzpatrick (Pompompurin on the forum) launched BreachForums in March 2022 after the FBI took down the then-popular cybercrime marketplace, RaidForums.
This is a post from HackRead.com Read the original post: BreachForums Admin Pompompurin Gets 20-Year Supervised Sentence

Conor Brian Fitzpatrick was charged in March 2023 for stealing and selling sensitive personal data of countless US citizens and US and foreign organizations and government agencies via the forum.

Conor Brian Fitzpatrick, a 21-year-old man from Peekskill, New York, has been sentenced to 20 years of supervised release in the Eastern District of Virginia for operating the notorious BreachForums hacking forum.

For your information, Fitzpatrick launched BreachForums in March 2022 after the FBI took down the then-popular cybercrime marketplace, RaidForums. It served as an ideal platform for selling/leaking millions of personal data worldwide. The platform contained nearly 900 stolen databases storing more than 14 billion individual records, which BreachForums members were entitled to use. 

BreachForums ceased operations after the FBI apprehended Fitzpatrick and reportedly reemerged under the management of ShinyHunters, causing concern among cybersecurity experts and law enforcement agencies worldwide. Baphomet, one of the original forum administrators, confirmed the resurgence in a PGP-signed message, leaving little doubt about its authenticity.

Fitzpatrick was arrested on 15th March 2023 from his family home. Under custody, he admitted to owning/operating BreachForums under the “pompompurin” moniker. The accused was released on a $300,000 bond and was re-arrested on 2nd January 2024 for violating pretrial release conditions by using a computer without the required monitoring software and using VPN services.

Fitzpatrick was charged in March 2023 for stealing and selling sensitive personal data of countless US citizens and US and foreign organizations and government agencies via the forum. Court documents reveal that he possessed nearly 26 video files containing sexually explicit videos of minors, including prepubescent ones. Prosecutors claimed Fitzpatrick knowingly possessed these files.

The sentencing recommendation memo reveals several incidents involving Fitzpatrick, including a data leak in December 2022 exposing records of 87,760 members of InfraGuard, 200 million users of a US social media company, 20 million user records for a background check service company, and data theft involving thousands of users’ private health insurance information in March 2023.

Fitzpatrick pleaded guilty to several counts, including Conspiracy to Commit Access Device Fraud, Solicitation for the Purpose of Offering Access, and Possession of CSAM on July 13, 2023 (PDF). He served as a middleman for stolen data transactions and admitted to feeding false information to law enforcement.

Prosecutors sought 188 months (15.7 years) of imprisonment. The defendant’s attorneys filed a memo under seal recommending his sentencing, citing confidential and medical information that should not be disclosed to the public. The court showed leniency and sentenced Fitzpatrick to time served and 20 years of supervised release. The sentencing memorandum was submitted (PDF) on 16th January 2024.

Per the sentencing conditions (PDF), for the first two years of his release, Fitzpatrick will stay at home arrest with a GPS locator and also receive mental health treatment. Fitzpatrick cannot access the internet during his first year of supervised release, and a probation officer will install monitoring software on his computer.

Prosecutors claimed that Fitzpatrick’s platform enabled hackers and fraudsters to commit “more sophisticated crimes than any could have done alone,” impacting nearly every sector of U.S. society.

****_RELATED ARTICLES_****

1.  **Authorities seize the world’s biggest dark web child abuse site**
2.  **Data Breach at New BreachForums: 4,000 members’ data leaked**
3.  **Gender Diversity in Cybercrime Forums: Women Users on the Rise**
4.  **Raidforums Database Leak: Data of 460,000 Users Dumped Online**
5.  **Operator of Major Proxy Botnet ‘IPStorm’ Arrested, Pleads Guilty in US**

Search

lenovo warranty check/lookup | check warranty status | lenovo support us