An exploitable vulnerability exists in the filtering functionality of Circle with Disney. SSL certificates for specific domain names can cause the Bluecoat library to accept a different certificate than intended. An attacker can host an HTTPS server with this certificate to trigger this vulnerability.

**Summary**

An exploitable vulnerability exists in filtering functionality of Circle with Disney. SSL certificates for specific domain names can cause the Bluecoat library to accept a different certificate than intended. An attacker can host an HTTPS server with this certificate to trigger this vulnerability.

**Tested Versions**

Circle with Disney 2.0.1

**Product URLs**

https://meetcircle.com/

**CVSSv3 Score**

8.1 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-300: Channel Accessible by Non-Endpoint (‘Man-in-the-Middle’)

**Details**

Circle with Disney is a network device used to monitor and restrict internet use of children on a given network. When connected to a given network and configured, it immediately begins arp poisoning all filtered devices on the network, such that it can validate and restrict all traffic as is seen fit by the parent/administrator of the device.

Libbluecoat.so is a shared library linked into the timetracker and filterd binaries within the Disney Circle, and is the communications mechanism through which the Disney Circle can talk to the Blue Coat Systems API. If the Circle doesn’t know what to do with a given DNS name or IP address that has been requested by a filtered device, it will ask the Blue Coat infrastructure, and take the appropriate action as determined by Blue Coat. Whenever a new destination address is seen, and it is not found within the local ‘bluecache’ (a custom hash table cache stored on the device) libbluecoat will query outbound to find the designated action, and then cache the result. The timetracker and filterd services act on different network activities, however the end result is the same. In total, they end up covering TCP, UDP, and the IP protocols used for VPNs, ESP and GRE. It’s also worth noting that there are more product specific codeflows, such as one for the Google Mobilizer Proxy.

In more detail, both binaries call the same library function, bluecoat_query, which leads to the main control flow, inside of the do_bluecoat_query function. This function sets up an SSL connection to sp.cwfservice.net, a Blue Coat Systems controlled domain, and then does a rather simple request.

     aGet2RSCmiCircl:.ascii "GET /2/R/%s/CMI-CIRCLE01/0/GET/dns/%s/80/ HTTP/1.1\r\n"
    .rodata:000048D8 .ascii "User-Agent: Circle \r\n"
    .rodata:000048D8 .ascii "Host: http://sp.cwfservice.net\r\n"
    .rodata:000048D8 .ascii "\r\n"<0>
    

Where by the first ‘%s’ is the unique mac address of the Circle making the request, and the second ‘%s’ is the DNS name in question, which could potentially be some sensitive information.

Regardless, backing up a little bit, there is some SSL validation that occurs before this information is ever transmitted.

    do_bluecoat_query+228                  la      $t9, X509_get_subject_name 
    do_bluecoat_query+22C                  move    $a0, $v0
    do_bluecoat_query+230                  jalr    $t9 ; X509_get_subject_name [1]
    do_bluecoat_query+234                  sb      $zero, 0x618+X509_oneline_dst_buff($sp)
    do_bluecoat_query+238                  lw      $gp, 0x618+var_600($sp)
    do_bluecoat_query+23C                  addiu   $s0, $sp, 0x618+X509_oneline_dst_buff
    do_bluecoat_query+240                  la      $t9, X509_NAME_oneline
    do_bluecoat_query+244                  move    $a1, $s0
    do_bluecoat_query+248                  move    $a0, $v0
    do_bluecoat_query+24C                  jalr    $t9 ; X509_NAME_oneline [3]
    do_bluecoat_query+250                  li      $a2, 0x400 
    do_bluecoat_query+254                  lw      $gp, 0x618+var_600($sp)
    

As shown at \[1\] libbluecoat.so gets the X509 subject name of the certificate, and then at \[2\], uses this to call X509\_NAME\_oneline, which grabs a lot of the information from the certificate attributes, joins it all into one line, and then stores it into a buffer on the stack \[3\] of max size 0x400. An example return string might be:

    `/C=US/ST=Sad/L=boop/O=<(^_^)>/CN=boopdoop.net`
    

While the interesting behavior of the X509\_NAME\_oneline can lead to some other vulnerabilites, like including the string ‘CN=\*.sp.cwfservice.net” inside of another attribute ( For a great writeup of this: \[https://langui.sh/2016/01/29/x509-name-oneline/\])(https://langui.sh/2016/01/29/x509-name-oneline/) ) , however, due to reasons mentioned a little further down, the binary was not vulnerable to this, as we could not get a certificate signed by the specific CA to be formed as such.

However, due to how they actually check the Common Name attribute of the SSL cert, the binary was left vulnerable to another attack vector:

    do_bluecoat_query+23C                  addiu   $s0, $sp, 0x618+X509_oneline_dst_buff
    [...]
    do_bluecoat_query+258                  move    $a0, $s0         # haystack [1]
    do_bluecoat_query+25C                  li      $a1, 0
    do_bluecoat_query+260                  la      $t9, strstr
    do_bluecoat_query+264                  nop
    do_bluecoat_query+268                  jalr    $t9 ; strstr [3]
    do_bluecoat_query+26C                  addiu   $a1, aCnSp_cwfservic  # "CN=sp.cwfservice.net" [2]
    do_bluecoat_query+270                  lw      $gp, 0x618+var_600($sp)
    do_bluecoat_query+274                  beqz    $v0, loc_2B88
    do_bluecoat_query+278                  nop
    do_bluecoat_query+27C                  li      $fp, 0x10000
    do_bluecoat_query+280                  nop
    do_bluecoat_query+284                  lw      $v0, (x509_store_initialized_15360 - 0x10000)($fp)
    do_bluecoat_query+288                  nop
    do_bluecoat_query+28C                  beqz    $v0, loc_28A0
    do_bluecoat_query+290                  nop
    do_bluecoat_query+294                  li      $v1, 0x10000
    do_bluecoat_query+298                  nop                      # Cert already inited
    do_bluecoat_query+29C                  sw      $v1, 0x618+var_30($sp)
    do_bluecoat_query+2A0
    

Picking up from where we left off, we continue from immediately after the X509\_NAME\_oneline() function call \[1\], with the X509\_NAME\_online string stored in $s0. This string is compared is compared against “CN=sp.cwfservice.net” \[2\], with the strstr() function \[3\], which returns a pointer to the first match of register $a1 in $a0 (and NULL otherwise).

Since this is the only check upon the Common Name attribute, it becomes possible to bypass this check by buying the following domain: cwfservice.network.

The return value from X509\_oneline\_name will look as such:

    "/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=sp.cwfservice.network”
    

And then the resulting call to strstr will return CN=sp.cwfservice.network.

It should be cautioned that certificate presented by the MITM server needs to have its trust chain signed by the Entrust CA. The binary has a CA DER-encoded cert chain located inside that is read into memory and then utilized to validate the outbound SSL connection.

**Timeline**

2017-08-29 - Vendor Disclosure  
2017-10-31 - Public Release

Discovered by Lilith Wyatt and Claudio Bozzato of Cisco Talos.

CVE-2017-2913: TALOS-2017-0420 || Cisco Talos Intelligence Group

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.

@@ -3411,10 +3411,13 @@ parse\_cmd\_address(exarg\_T \*eap, char \*\*errormsg, int silent)

curwin->w\_cursor.lnum = eap->line2;

  

// Don't leave the cursor on an illegal line or column, but do

// accept zero as address, so 0;/PATTERN/ works correctly.

// accept zero as address, so 0;/PATTERN/ works correctly

// (where zero usually means to use the first line).

// Check the cursor position before returning.

if (eap->line2 > 0)

check\_cursor();

else

check\_cursor\_col();

need\_check\_cursor = TRUE;

}

}

CVE-2022-2182: patch 8.2.5150: read past the end of the first line with ":0;'{" · vim/vim@f7c7c3f

Affiliation adds new all-source and counterintelligence, cyber, software development, and identity intelligence capabilities to SilverEdge's growing suite of technology solutions focused on the US intelligence community.

**RESTON, Va., Oct. 24, 2022, (****BUSINESS WIRE****)** — SilverEdge Government Solutions (“SilverEdge”) today announced it has partnered with Counter Threat Solutions, LLC (“CTS”), a leading provider of all source and counterintelligence analysis, identity intelligence, and enterprise IT and data management solutions, which include sophisticated software development and engineering and niche ServiceNow capabilities. The partnership furthers SilverEdge’s objective of serving as the cyber, software, intelligence, and technology solutions provider of choice for the U.S. Intelligence Community (“IC”).

“We are excited to welcome the CTS team to the SilverEdge family,” said Robert Miller, CEO of SilverEdge. “By combining CTS’ capabilities with SilverEdge’s existing cybersecurity, software, and intelligence solutions, we are increasing our cleared workforce to approximately 450 engineers and technical staff whose primary focus is to provide our intelligence customers with the tools required to support critical mission needs."

Founded in 2015 and based in Reston, Virginia, CTS provides technology solutions and related services to key U.S. intelligence agencies. Led by CEO Theresa Keith, a U.S. Army intelligence veteran with more than 20 years of experience in the IC, CTS employs more than 100 technical and mission support specialists, nearly 100% of whom hold high-level security clearances. The company will continue to operate with its current leadership under the SilverEdge platform.

Theresa Keith said, “We are thrilled to be joining SilverEdge, whose tremendous resources, qualified team, and extensive capabilities will enable us to continue to grow our business rapidly and provide additional opportunities for our people. Our team looks forward to working together as part of SilverEdge, contributing our specialized expertise to expand our shared capabilities, and growing our talent pool to serve national security interests and our IC customers.”

Douglas T. Lake Jr., Founder & Managing Partner at Godspeed, remarked, “The addition of CTS to SilverEdge’s comprehensive suite of offerings further enhances the growth potential of the platform as it continues to scale into the leading technology and cybersecurity solutions provider for critical U.S. Intelligence agencies and select mission-oriented Department of Defense customers.”

Nathaniel Fogg, Partner at Godspeed, added, “Following SilverEdge’s recent acquisition of QVine, bringing CTS on board alongside will help to further bolster our commitment to the Intelligence Community. We welcome Theresa and her team to SilverEdge and are excited to be partnering with them.”

CTS was advised by the McLean Group. Latham & Watkins LLP acted as legal advisor to Godspeed.

**About Counter Threat Solutions**

Counter Threat Solutions, LLC (“CTS”) is a leading technology services and solutions company providing mission-focused subject matter experts in all source and counterintelligence analysis, enterprise IT and data management, and identity intelligence services to the U.S. intelligence and defense communities. Learn more about CTS at www.ctstruenorth.com.

**About SilverEdge**

SilverEdge is a next-generation provider of innovative and proprietary cybersecurity, software, and intelligence solutions for the Defense and Intelligence Communities. SilverEdge’s seasoned team of cybersecurity experts, software developers and engineers, and intelligence analysts identify tomorrow’s challenges today and work to empower America’s defenders with the tools and solutions needed to address our National Security Community’s toughest challenges. SilverEdge is based in Columbia, MD. For more information, please visit the SilverEdge website at www.silveredge-gs.com.

**About Godspeed Capital**

Godspeed Capital is a lower middle-market Defense & Government services, solutions, and technology focused private equity firm investing alongside forward-thinking management teams that seek an experienced and innovative investment partner with unique sector expertise, operational insight, and flexible capital for growth. While a typical investment will involve companies generating approximately $3 million to $30 million of EBITDA, Godspeed Capital has significant support to complete larger transactions through strategic co-invest relationships. The firm focuses on control buyouts, buy-and-builds, corporate carve-outs, and special situations. For more information, please visit the Godspeed Capital website at www.godspeedcm.com.

Godspeed Capital-Backed SilverEdge Partners with Counter Threat Solutions

The suspected Chinese influence operation had limited success. But it signals a growing threat from a new disinformation adversary.

Since Russia bombarded the 2016 election with Twitter trolls and astroturfed lies, election watchers have been on guard against social media “influence operations.” Four years later, Iran took a stab at meddling in the 2020 presidential election, with more mixed results. Now, the People's Republic of China—or, at least, a group with a long-running pro-Chinese government agenda—seems to be trying out its own political influence operation just ahead of this year's US midterm elections. And while that operation seems to have largely failed this time, the campaign represents the growing boldness of a new adversary in the fight against organized disinformation.

On Wednesday, cybersecurity and threat intelligence firm Mandiant published new findings about a group it calls Dragonbridge, which it's seen for years promoting pro-Chinese interests in fake grassroots social media campaigns designed to influence politics in Taiwan and Hong Kong. Now, Mandiant's analysts have tied Dragonbridge to a series of more US-focused influence campaigns. The group claimed that a notorious hacking spree carried out by known Chinese state-sponsored hackers was actually carried out by US intelligence, falsely blamed the sabotage of the Nord Stream pipeline on the US government, and—perhaps most brazenly—seeded hundreds of posts on social media designed to demoralize voters and reduce turnout ahead of the November midterms.

“This actor has been rapidly growing and hyper-aggressive. They went from carrying out limited campaigns focused on Hong Kong to a global operation on dozens of platforms,” says John Hultquist, Mandiant's VP of intelligence analysis. “Interfering in our elections is just another line that they're clearly willing to cross.”

Mandiant declined to reveal in its report or to WIRED the full collection of disinformation posts that it's tied to Dragonbridge, but the company says the posts numbered in the thousands. Nor would Mandiant name all the platforms where Dragonbridge had created accounts. But it describes posts published by these accounts arguing that American democracy was being taken over by extreme partisanship, as well as posts pointing to episodes of confrontations and violence between political groups and against the FBI as instances of “civil war.” The group also published a video, Mandiant says, that discourages Americans from voting, making claims about political gridlock and inaction and showing images of the January 6, 2021, insurrection at the US Capitol Building. “The solution to America’s ills is not to vote for someone,” the video argues at one point, according to Mandiant, but “to root out this ineffective and incapacitated system.” All of the content Mandiant identified in its report as part of the Dragonbridge operations has since been deleted, the company says.

Other simultaneous influence campaigns from the group tie it more evidently to Chinese government interests. Pseudonymous Twitter accounts that Mandiant says were controlled by Dragonbridge posted claims in both English and Mandarin stating that espionage campaigns carried out by the prolific China-linked hacker group APT41 were really the work of the NSA and CIA. “For at least ten years, the American hacker group \[APT41\] has repeatedly carried out cyber attacks, espionage activities, cyber piracy and cyber crimes against other countries,” reads one tweet in October from a seemingly fictional person named Karen Diaz.

In fact, the US Department of Justice indicted seven Chinese men in 2020 as members of APT41, tying them to a contractor working on behalf of China's Ministry of State Security known as Chengdu 404. The indictment accuses the men of hacking hundreds of targets around the globe, both to carry out espionage on behalf of the MSS and to profit from their own cybercrime operations.

In an attempt to shift that blame, Dragonbridge's influence campaign went so far as to create spoofed posts from Intrusion Truth, a mysterious pseudonymous Twitter account that has previously released evidence tying multiple hacking campaigns to China, including those of APT41. The fake Intrusion Truth posts instead falsely tie APT41 to US hackers. Dragonbridge also created an altered, spoofed version of an article in the Hong Kong news outlet _Sing Tao Daily_ pinning APT41's activities on the US government.

In a more timely example of Dragonbridge's disinformation operations, it also sought to blame the destructive sabotage of the Nord Stream natural gas pipeline—a key piece of infrastructure connecting European countries to Russian gas sources—on the United States. Mandiant says that claim, which echoes statements from Russian president Vladimir Putin and Russian disinformation sources, appears to be part of a larger campaign designed to sow divisions between the United States and its allies that have opposed and sanctioned Russia for its unprovoked and catastrophic military invasion of Ukraine.

None of those campaigns, Mandiant emphasizes, was particularly successful. Most of the posts had single-digit likes, retweets, or comments at best, the company says. Some of its spoofed tweets impersonating Intrusion Truth have no signs of engagement at all. But Hultquist warns nonetheless that Dragonbridge demonstrates a new interest in aggressive disinformation from pro-China sources, and possibly from China itself. He worries, given China's widespread cyber intrusions around the world, that future Chinese disinformation campaigns might include hack-and-leak operations that blend real revelations into disinformation campaigns, as Russia's GRU military intelligence agency has done. “If they get their hands on some real information from a hacking operation,” Hultquist says, “that's where they become especially dangerous.”

Despite Dragonbridge's occasional pro-Russian messages, Hultquist says that Mandiant has little doubt of the group's pro-China focus. The company first spotted Dragonbridge engaged in a fake grassroots campaign to disparage Hong Kong pro-democracy protestors in 2019. Earlier this year, it saw the group pose as Americans protesting against US rare-earth metal mining companies that competed with Chinese firms.

That doesn't mean Dragonbridge's campaigns are necessarily the work of a Chinese government agency or even a contractor firm like Chengdu 404. But they're very likely at least located in China, Hultquist says. “It's hard to imagine their activity, in its totality, being in any other country's interest,” says Hultquist.

If Dragonbridge is working directly for the Chinese government, it may mark a new phase in China's use of disinformation. In the past, China has largely stayed away from influence operations. A Director of National Intelligence report on foreign threats to the 2020 election declassified last year stated that China “considered but did not deploy influence efforts designed to change the outcome of the US Presidential election.” But just last month Facebook, too, says it spotted and removed campaigns of Chinese political disinformation posted to the platform from mid-2021 to September 2022, though it didn't say if the campaigns were linked to Dragonbridge.

Despite the apparent resources put into Dragonbridge's long-running operations, its new foray into election meddling looks remarkably ham-fisted, says Thomas Rid, a professor of strategic studies at Johns Hopkins and author of a history of disinformation, _Active Measures_. He points to abstract phrases, like its call to “root out this ineffective and incapacitated system.” That kind of dull language fails to effectively exploit real wedge issues to exacerbate existing divisions in US society—often best identified by local agents on the ground. “It seems like they didn’t read the manual,” Rid says. “It seems like a remote, amateurish affair done from Beijing.”

But both Rid and Mandiant's Hultquist agree that Dragonbridge's relative lack of success shouldn't be seen as a sign of Americans' growing immunity to influence operations. In fact, they argue that the deep political divisions in American society may mean that the US is less equipped than ever to distinguish fact from fabrication in social media. “Authoritative sources are no longer trusted,” says Hultquist. “I'm not sure that we're in a great place right now, as a country, to digest that some major information operation is attributable to a foreign power.”

A Pro-China Disinfo Campaign Is Targeting US Elections—Badly

OX App Suite through 7.10.6 allows SSRF because the anti-SSRF protection mechanism only checks the first DNS AA or AAAA record.

**Full Disclosure mailing list archives**

_From_: Martin Heiland via Fulldisclosure <fulldisclosure () seclists org>  
_Date_: Thu, 24 Nov 2022 11:31:13 +0100 (CET)  

Dear subscribers,

we're sharing our latest advisory with you and like to thank everyone who contributed in finding and solving those 
vulnerabilities. Feel free to join our bug bounty programs for OX AppSuite, Dovecot and PowerDNS at HackerOne and soon 
at YesWeHack.

Yours sincerely,
  Martin Heiland, Open-Xchange GmbH



Product: OX App Suite
Vendor: OX Software GmbH



Internal reference: OXUIB-1654
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.6 and earlier
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.5-rev37, 7.10.6-rev16
Vendor notification: 2022-05-23
Solution date: 2022-08-10
Public disclosure: 2022-11-24
CVE reference: CVE-2022-31469
CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

Vulnerability Details:
The detection mechanism for "deep links" in E-Mail (e.g. pointing to OX Drive) allows to inject references to arbitrary 
fake applications. This can be used to request unexpected content, potentially including script code, when those links 
are used.

Risk:
Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering 
unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would 
require the victim to follow a hyperlink.

PoC:
<a class="deep-link-app" 
href="https://test/#!!&app=%2e./%2e./%2e./%2e./%2e./%2e./appsuite/apps/themes/default/logo.png?cut=&id=123";>

Solution:
We improved deep-link validation to avoid malicious use.



---



Internal reference: OXUIB-1678
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.6 and earlier
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.5-rev37, 7.10.6-rev16, 8.3
Vendor notification: 2022-05-30
Solution date: 2022-08-10
Public disclosure: 2022-11-24
CVE reference: CVE-2022-37307
CVSS: 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

Vulnerability Details:
Certain content like E-Mail signatures are stored using the "snippets" mechanism. This mechanism contains a weakness 
that allows to inject seemingly benign HTML content, like XHTML CDATA constructs, that will be sanitized to malicious 
code. Once such code is in place it can be used for persistent access to the users account.

Risk:
Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering 
unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would 
require access to the same OX App Suite instance or temporary access to the users account.

PoC:
<!\[CDATA\[
<bo<script></script>dy>AA<img src onerror="alert('XSS')">BB</body>
\]\]>

Solution:
We improved the sanitizing algorithm to deal with disguised code.



---



Internal reference: OXUIB-1731
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.6 and earlier
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.5-rev37, 7.10.6-rev16, 8.3
Vendor notification: 2022-06-22
Solution date: 2022-08-10
Public disclosure: 2022-11-24
CVE reference: CVE-2022-37308
CVSS: 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

Vulnerability Details:
Plain-text mail that contains HTML code can be used to inject script code when printing E-Mail.

Risk:
Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering 
unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would need 
to make the victim print a malicious E-Mail.

PoC:
...
Content-Type: text/plain
<img src onerror="alert('XSS')">

Solution:
We removed plain-text specific code and use existing sanitization mechanisms for HTML content.



---



Internal reference: OXUIB-1732
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.6 and earlier
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.5-rev37, 7.10.6-rev16, 8.4
Vendor notification: 2022-06-22
Solution date: 2022-08-10
Public disclosure: 2022-11-24
CVE reference: CVE-2022-37309
CVSS: 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

Vulnerability Details:
Contacts that do not contain a name but only a e-mail address can be used to inject script code to the "contact picker" 
component, commonly used to select contacts as recipients or participants.

Risk:
Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering 
unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would 
require access to the same OX App Suite instance or make the victim import malicious contact data.

Solution:
We now apply proper HTML escaping to all relevant data sets.



---



Affected product: OX App Suite
Internal reference: OXUIB-1785
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.6 and earlier
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.5-rev37, 7.10.6-rev16, 8.4
Vendor notification: 2022-07-20
Solution date: 2022-08-10
Public disclosure: 2022-11-24
CVE reference: CVE-2022-37310
CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

Vulnerability Details:
The metrics and help modules use parts of the URL to determine capabilities. This mechanism suffers from a weakness 
that allows attackers to use special characters that register malicious capabilities, which will be executed as script 
code after login.

Risk:
Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering 
unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would 
require the victim to follow a hyperlink to its App Suite instance and login. While the "metrics" module is optional, 
the "help" module is available on all instances.

PoC:
https://appsuite.example.com/appsuite/#!!&app=io.ox/files&cap=t,(()%3d>{$$%3d%2bf;$f%3d%2b!f;$t%3d$f%2b!f;f$%3d$t|!f;t$%3df$%2b!f;$$f%3dt$|!f;$$t%3d$$f%2b!f;$f$%3d$$t|!f;$t$%3d(""%2b{})\[$$f\]%2b(""%2b{})\[$f\]%2b(""%2b\[\]\[f\])\[$f\]%2b"f"\[f$\]%2b"t"\[$$\]%2b"t"\[$f\]%2b"t"\[$t\]%2b(""%2b{})\[$$f\]%2b"t"\[$$\]%2b(""%2b{})\[$f\]%2b"t"\[$f\];$$$%3d\[\]\[$t$\]\[$t$\];$$$("$$$('"%2b'\\\\'%2b$f%2bt$%2b$f%2b'\\\\'%2b$f%2b$$f%2bt$%2b'\\\\'%2b$f%2bt$%2b$$f%2b'\\\\'%2b$f%2b$$t%2b$t%2b'\\\\'%2b$f%2b$$t%2bt$%2b'('%2b'"'%2b'\\\\'%2b$f%2bf$%2b$$%2b'\\\\'%2b$f%2b$t%2bf$%2b'\\\\'%2b$f%2b$t%2bf$%2b'"'%2b')'%2b"')();")()})()

Solution:
We sanitized any non-parsable characters from the capabilities input.



---



Internal reference: MWB-1712
Vulnerability type: Server-Side Request Forgery (CWE-918)
Vulnerable version: 7.10.6 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.5-rev47, 7.10.6-rev22, 8.4
Vendor notification: 2022-07-14
Solution date: 2022-08-10
Public disclosure: 2022-11-24
CVE reference: CVE-2022-37313
CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)

Vulnerability Details:
Deny-lists regarding external connections can be bypassed by using malicious DNS records with more than one A or AAAA 
response.

Risk:
Server-initiated requests to external resources (e.g. E-Mail accounts, data feeds) can be directed to internal 
resources that are restricted based on deny-list settings. This can be used to determine "internal" addresses and 
services, depending on measurement and content of error responses. While no data of such services can be exfiltrated, 
the risk is a violation of perimeter based security policies.

PoC:
Use API calls to setup an external mail account and provide a attacker controlled domain that returns more than one 
record. Only the first record will be checked against the deny-list, but the second record may also be used afterwards.

Solution:
We improved the analysis of DNS responses and check all available records against deny-list entries.



---



Internal reference: MWB-1713
Vulnerability type: Uncontrolled Resource Consumption (CWE-400)
Vulnerable version: 7.10.6 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.5-rev47, 7.10.6-rev22, 8.3
Vendor notification: 2022-07-14
Solution date: 2022-08-10
Public disclosure: 2022-11-24
CVE reference: CVE-2022-37312
CVSS: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Vulnerability Details:
The size of the request body for certain API endpoints were not sufficiently checked for plausible sizes.

Risk:
Requests can be abused to consume large amounts of memory and eventually lead to resource exhaustion. Since such 
requests are highly asymmetric in terms of resource requirements between the client and the server, they can be scaled 
to such a degree that the system becomes temporarily unresponsive for all users. Those requests do not require 
authentication.

PoC:
Sending a large request body containing a "redirect" URL to the "deferrer" servlet.

Solution:
We now enforce checks that make sure only requests with plausible size are being processed to avoid uncontrolled 
resource usage.



---



Internal reference: MWB-1714
Vulnerability type: Uncontrolled Resource Consumption (CWE-400)
Vulnerable version: 7.10.6 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.5-rev47, 7.10.6-rev22, 8.3
Vendor notification: 2022-07-14
Solution date: 2022-08-10
Public disclosure: 2022-11-24
CVE reference: CVE-2022-37311
CVSS: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Vulnerability Details:
The size of the request parameters for certain API endpoints were not sufficiently checked for plausible sizes.

Risk:
Requests can be abused to consume large amounts of memory and eventually lead to resource exhaustion. Since such 
requests are highly asymmetric in terms of resource requirements between the client and the server, they can be scaled 
to such a degree that the system becomes temporarily unresponsive for all users. Those requests do not require 
authentication.

PoC:
Sending a large "location" request parameter to the "redirect" servlet.

Solution:
We now enforce checks that make sure only requests with plausible size are being processed to avoid uncontrolled 
resource usage.

**Attachment: signature.asc**  
_Description:_

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

**Current thread:**

*   **Open-Xchange Security Advisory 2022-11-24** _Martin Heiland via Fulldisclosure (Nov 29)_

CVE-2022-37313: Full Disclosure: Open-Xchange Security Advisory 2022-11-24

Stormshield Endpoint Security 2.3.0 through 2.3.2 has Incorrect Access Control: authenticated users can read sensitive information.

Advisory ID

CVE Number

Date discovered

Severity

Advisory revision

STORM-2023-001

CVE-2023-23561

01/10/2023

low

v1

**Vulnerability details**

An unspecified vulnerability in SES Evolution could allow an authenticated user to have read access to some sensitive information.

**Impacted products**

Products

Severity

Detail

Stormshield Endpoint Security

low

SES is impacted

**Revisions**

Version

Date

Description

v1

05/25/2023

Initial release

**Stormshield Endpoint Security**

**CVSS v3.1 Overall Score: 3.4      **

**Analysis**

**Impacted version**

An authenticated SES user (of any applicative profile) could leverage a local installation of the console to read internal parameters that should not be accessible.

*   SES 2.3.0 to 2.3.2

**Workaround solution**

**Solution**

There is no workaround solution.

The 2.4.1 update fixes this vulnerability.

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability impact

Adjacent Network

Low

Low

None

Unchanged

High

None

None

CVSS Base score: 5.7

CVSS Vector: (AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

Exploit Code Maturity

Remediation Level

Report Confidence

Unproven that exploit exists

Official fix

Confirmed

CVSS Temporal score: 5

CVSS Vector: (AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)

Confidentiality Requirement

Integrity Requirement

Availability Requirement

Low

Low

Low

CVSS Environmental score: 3.4

CVSS Vector: (AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C/CR:L/IR:L/AR:L/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:X/MI:X/MA:X)

CVE-2023-23561: SES Evolution server access check bypass (CVE-2023-23561)

Stormshield Endpoint Security 2.3.0 through 2.3.2 has Incorrect Access Control that allows an authenticated user can update global parameters.

Advisory ID

CVE Number

Date discovered

Severity

Advisory revision

STORM-2023-002

CVE-2023-23562

01/10/2023

low

v1

**Vulnerability details**

An unspecified vulnerability in SES Evolution could allow an authenticated user to update global parameters.

**Impacted products**

Products

Severity

Detail

Stormshield Endpoint Security

low

SES is impacted

**Revisions**

Version

Date

Description

v1

05/25/2023

Initial release

**Stormshield Endpoint Security**

**CVSS v3.1 Overall Score: 3.9      **

**Analysis**

**Impacted version**

An authenticated SES user (of any applicative profile) could leverage a local installation of the console to modify global parameters that he should not, potentially impacting the application availability.

*   SES 2.3.0 to 2.3.2

**Workaround solution**

**Solution**

There is no workaround solution.

The 2.4.1 update fixes this vulnerability.

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability impact

Adjacent Network

Low

Low

None

Unchanged

High

None

Low

CVSS Base score: 6.3

CVSS Vector: (AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L)

Exploit Code Maturity

Remediation Level

Report Confidence

Unproven that exploit exists

Official fix

Confirmed

CVSS Temporal score: 5.5

CVSS Vector: (AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C)

Confidentiality Requirement

Integrity Requirement

Availability Requirement

Low

Low

Low

CVSS Environmental score: 3.9

CVSS Vector: (AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C/CR:L/IR:L/AR:L/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:X/MI:X/MA:X)

CVE-2023-23562: SES Evolution server access check bypass (CVE-2023-23562)

mod_auth_mellon through 0.14.2 has an Open Redirect via the login?ReturnTo= substring, as demonstrated by omitting the // after http: in the target URL.

I can confirm that @awakenine 's fix works. I also can't think of a reason to accept a ReturnTo argument that contains a scheme but no hostname in the URI, but maybe others could. If there is no use-case for such argument, I would vote for merging the patch.

OTOH, I don't completely agree with removal of the backslash check. Maybe my knowledge of the codebase is still not so deep, but it appears that the backslash check is sort of orthogonal to the parsing and moreover am_check_url is used in fewer locations than am_validate_redirect_url and the functions are not codependent.

At the very least, the commit message of the patch that touches am_validate_redirect_url should be a bit better.

As I understand from this conversation backslash check was introduced as a fix to previous bypass. Now, it should be covered with hostname check because apr_uri_parse() will parse any http and https URL without :// as URI \[scheme\]:\[path\], and it will cause HTTP\_BAD\_REQUEST.

    uri: 'http:/\example.com/page.html' (ret=0)
    	scheme: 'http'
    	hostinfo: '(null)'
    	user: '(null)'
    	password: '(null)'
    	hostname: '(null)'
    	port_str: '(null)'
    	path: '/\example.com/page.html'
    	query: '(null)'
    	fragment: '(null)'
    	port: '0'
    	is_initialized: '1'
    	dns_looked_up: '0'
    	dns_resolved: '0'
    psznewuri: 'http:/\example.com/page.html'
    

Please let me know if you can bypass that.

CVE-2019-13038: Open Redirection issue · Issue #35 · Uninett/mod_auth_mellon

Bento4 MP4Dump v1.2 was discovered to contain a segmentation violation via an unknown address at /Source/C++/Core/Ap4DataBuffer.cpp:175.

SUMMARY: AddressSanitizer: SEGV on unknown address 0x000000000000 in /Source/C++/Core/Ap4DataBuffer.cpp:175

*   Version

    $ ./mp4dump 
    MP4 File Dumper - Version 1.2
    (Bento4 Version 1.6.0.0)
    (c) 2002-2011 Axiomatic Systems, LLC
    

branch d02ef82

*   Platform

    $ gcc --version
    gcc (Ubuntu 9.4.0-1ubuntu1~20.04.1) 9.4.0
    Copyright (C) 2019 Free Software Foundation, Inc.
    This is free software; see the source for copying conditions.  There is NO
    warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
    
    $ uname -r
    5.13.0-40-generic
    
    $ lsb_release -a
    No LSB modules are available.
    Distributor ID:	Ubuntu
    Description:	Ubuntu 20.04.4 LTS
    Release:	20.04
    Codename:	focal
    

*   Steps to reproduce

    $ mkdir build
    $ cd build
    $ cmake .. -DCMAKE_CXX_FLAGS="-fsanitize=address -g" -DCMAKE_C_FLAGS="-fsanitize=address -g" -DCMAKE_EXE_LINKER_FLAGS="-fsanitize=address" -DCMAKE_MODULE_LINKER_FLAGS="-fsanitize=address"
    $ make
    
    $ ./mp4dump poc
    

*   Asan

    $ ./mp4dump poc
    [ftyp] size=8+16
      major_brand = mk24
      minor_version = 24017c
      compatible_brand = yl73
      compatible_brand = oxsh
    [free] size=8+0
    [mdat] size=8+397
    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==2476501==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f73f2e09321 bp 0x7fffe8de6b70 sp 0x7fffe8de62e0 T0)
    ==2476501==The signal is caused by a READ memory access.
    ==2476501==Hint: address points to the zero page.
        #0 0x7f73f2e09320 in AddressIsPoisoned ../../../../src/libsanitizer/asan/asan_mapping.h:396
        #1 0x7f73f2e09320 in QuickCheckForUnpoisonedRegion ../../../../src/libsanitizer/asan/asan_interceptors_memintrinsics.h:30
        #2 0x7f73f2e09320 in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:790
        #3 0x55719b16636b in AP4_DataBuffer::SetData(unsigned char const*, unsigned int) /home/wulearn/Bento4/Source/C++/Core/Ap4DataBuffer.cpp:175
        #4 0x55719b14744a in AP4_AvccAtom::AP4_AvccAtom(unsigned int, unsigned char const*) /home/wulearn/Bento4/Source/C++/Core/Ap4AvccAtom.cpp:176
        #5 0x55719b1464ab in AP4_AvccAtom::Create(unsigned int, AP4_ByteStream&) /home/wulearn/Bento4/Source/C++/Core/Ap4AvccAtom.cpp:95
        #6 0x55719b140dc6 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/wulearn/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:513
        #7 0x55719b13e5ee in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/wulearn/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234
        #8 0x55719b15161d in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /home/wulearn/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194
        #9 0x55719b1bfeea in AP4_SampleEntry::Read(AP4_ByteStream&, AP4_AtomFactory&) /home/wulearn/Bento4/Source/C++/Core/Ap4SampleEntry.cpp:115
        #10 0x55719b1c46f0 in AP4_VisualSampleEntry::AP4_VisualSampleEntry(unsigned int, unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /home/wulearn/Bento4/Source/C++/Core/Ap4SampleEntry.cpp:884
        #11 0x55719b1c5c2a in AP4_AvcSampleEntry::AP4_AvcSampleEntry(unsigned int, unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /home/wulearn/Bento4/Source/C++/Core/Ap4SampleEntry.cpp:1136
        #12 0x55719b13f203 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/wulearn/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:319
        #13 0x55719b13e5ee in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/wulearn/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234
        #14 0x55719b1d5c90 in AP4_StsdAtom::AP4_StsdAtom(unsigned int, unsigned char, unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /home/wulearn/Bento4/Source/C++/Core/Ap4StsdAtom.cpp:101
        #15 0x55719b1d550f in AP4_StsdAtom::Create(unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /home/wulearn/Bento4/Source/C++/Core/Ap4StsdAtom.cpp:57
        #16 0x55719b1409a6 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/wulearn/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:458
        #17 0x55719b13e5ee in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/wulearn/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234
        #18 0x55719b15161d in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /home/wulearn/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194
        #19 0x55719b151080 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/wulearn/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139
        #20 0x55719b150be7 in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/wulearn/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:88
        #21 0x55719b142358 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/wulearn/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:816
        #22 0x55719b13e5ee in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/wulearn/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234
        #23 0x55719b15161d in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /home/wulearn/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194
        #24 0x55719b151080 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/wulearn/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139
        #25 0x55719b150be7 in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/wulearn/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:88
        #26 0x55719b142358 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/wulearn/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:816
        #27 0x55719b13e5ee in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/wulearn/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234
        #28 0x55719b15161d in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /home/wulearn/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194
        #29 0x55719b151080 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/wulearn/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139
        #30 0x55719b150be7 in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/wulearn/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:88
        #31 0x55719b142358 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/wulearn/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:816
        #32 0x55719b13e5ee in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/wulearn/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234
        #33 0x55719b15161d in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /home/wulearn/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194
        #34 0x55719b151080 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/wulearn/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139
        #35 0x55719b1eb610 in AP4_TrakAtom::AP4_TrakAtom(unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /home/wulearn/Bento4/Source/C++/Core/Ap4TrakAtom.cpp:165
        #36 0x55719b143429 in AP4_TrakAtom::Create(unsigned int, AP4_ByteStream&, AP4_AtomFactory&) (/home/wulearn/Bento4/build/mp4dump+0x324429)
        #37 0x55719b14063f in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/wulearn/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:413
        #38 0x55719b13e5ee in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/wulearn/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234
        #39 0x55719b15161d in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /home/wulearn/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194
        #40 0x55719b151080 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/wulearn/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139
        #41 0x55719b189a6c in AP4_MoovAtom::AP4_MoovAtom(unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /home/wulearn/Bento4/Source/C++/Core/Ap4MoovAtom.cpp:80
        #42 0x55719b1433bb in AP4_MoovAtom::Create(unsigned int, AP4_ByteStream&, AP4_AtomFactory&) (/home/wulearn/Bento4/build/mp4dump+0x3243bb)
        #43 0x55719b1404b8 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/wulearn/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:393
        #44 0x55719b13e5ee in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/wulearn/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234
        #45 0x55719b13dbbd in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, AP4_Atom*&) /home/wulearn/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:154
        #46 0x55719b130115 in main /home/wulearn/Bento4/Source/C++/Apps/Mp4Dump/Mp4Dump.cpp:342
        #47 0x7f73f28540b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x240b2)
        #48 0x55719b12e8ed in _start (/home/wulearn/Bento4/build/mp4dump+0x30f8ed)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV ../../../../src/libsanitizer/asan/asan_mapping.h:396 in AddressIsPoisoned
    ==2476501==ABORTING
    

poc: poc.zip

Thanks!

CVE-2022-31282: SEGV on unknown address 0x000000000000 in /Source/C++/Core/Ap4DataBuffer.cpp:175 · Issue #708 · axiomatic-systems/Bento4

libtiff 4.5.0 is vulnerable to Buffer Overflow via extractContigSamplesShifted8bits() at /libtiff/tools/tiffcrop.c:3753.

Skip to content

Open Issue created Jan 27, 2023 by **Tseng Szu Wei@13579and24680**

**heap-buffer-overflow in extractContigSamplesShifted8bits() at /libtiff/tools/tiffcrop.c:3753 (SIGSEGV)**

**Summary**

An SIGSEGV caused when using tiffcrop.

AddressSanitizer reports it as heap-buffer-overflow.

**Version**

    $ ./tools/tiffcrop  -v
    Library Release: LIBTIFF, Version 4.5.0
    Copyright (c) 1988-1996 Sam Leffler
    Copyright (c) 1991-1996 Silicon Graphics, Inc.
    Tiffcp code: Copyright (c) 1988-1997 Sam Leffler
               : Copyright (c) 1991-1997 Silicon Graphics, Inc
    Tiffcrop additions: Copyright (c) 2007-2010 Richard Nolde
    
    $ git log --oneline -1
    a63e18ca (HEAD -> master, origin/master, origin/HEAD) Merge branch 'add_windows_DLL_versioninfo' into 'master'

**Steps to reproduce****make**

    git clone https://gitlab.com/libtiff/libtiff.git
    cd libtiff
    ./autogen.sh
    ./configure
    make

**run**

    ./tools/tiffcrop -E l -Z 12:50,12:99 -e divided  -R 270  poc  /dev/null
    TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
    TIFFReadDirectory: Warning, Unknown field with tag 292 (0x124) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 309 (0x135) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 16658 (0x4112) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 512 (0x200) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 32256 (0x7e00) encountered.
    poc: Warning, Nonstandard tile width 1, convert file.
    TIFFFetchNormalTag: Warning, Incorrect count for "FillOrder"; tag ignored.
    TIFFReadDirectory: Warning, Invalid data type for tag StripOffsets.
    TIFFFetchNormalTag: Warning, IO error during reading of "Tag 16658"; tag ignored.
    _TIFFVSetField: poc: Null count for "Tag 32256" (type 1, writecount -3, passcount 1).
    TIFFReadDirectory: Warning, Invalid data type for tag StripByteCounts.
    TIFFAdvanceDirectory: Error fetching directory count.
    Fax4Decode: Bad code word at line 1 of tile 0 (x 0).
    Fax4Decode: Warning, Premature EOL at line 1 of tile 0 (got 0, expected 1).
    Fax4Decode: Bad code word at line 1 of tile 1 (x 0).
    Fax4Decode: Warning, Premature EOL at line 1 of tile 1 (got 0, expected 1).
    Fax4Decode: Warning, Premature EOL at line 2 of tile 1 (got 0, expected 1).
    Fax4Decode: Uncompressed data (not supported) at line 0 of tile 2 (x 0).
    Fax4Decode: Warning, Premature EOL at line 0 of tile 2 (got 0, expected 1).
    Fax4Decode: Uncompressed data (not supported) at line 2 of tile 2 (x 0).
    Fax4Decode: Warning, Premature EOL at line 2 of tile 2 (got 0, expected 1).
    Fax4Decode: Warning, Premature EOL at line 3 of tile 2 (got 0, expected 1).
    Fax4Decode: Bad code word at line 1 of tile 3 (x 0).
    Fax4Decode: Warning, Premature EOL at line 1 of tile 3 (got 0, expected 1).
    Fax4Decode: Warning, Line length mismatch at line 0 of tile 4 (got 2, expected 1).
    Fax4Decode: Warning, Premature EOF at line 14 of tile 4 (x 0).
    Fax4Decode: Warning, Premature EOL at line 14 of tile 4 (got 0, expected 1).
    Fax4Decode: Uncompressed data (not supported) at line 0 of tile 5 (x 0).
    Fax4Decode: Warning, Premature EOL at line 0 of tile 5 (got 0, expected 1).
    Fax4Decode: Uncompressed data (not supported) at line 2 of tile 5 (x 0).
    Fax4Decode: Warning, Premature EOL at line 2 of tile 5 (got 0, expected 1).
    Fax4Decode: Uncompressed data (not supported) at line 4 of tile 5 (x 0).
    Fax4Decode: Warning, Premature EOL at line 4 of tile 5 (got 0, expected 1).
    Fax4Decode: Warning, Premature EOF at line 6 of tile 5 (x 0).
    (... too long ignore)
    
    fish: Job 1, './tools/tiffcrop -E l -Z 12:50,…' terminated by signal SIGSEGV (Address boundary error)

**Platform**

    $ uname -a
    Linux 13579 5.15.0-56-generic #62~20.04.1-Ubuntu SMP Tue Nov 22 21:24:20 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
    
    $ gcc --version
    gcc (Ubuntu 9.4.0-1ubuntu1~20.04.1) 9.4.0
    Copyright (C) 2019 Free Software Foundation, Inc.
    This is free software; see the source for copying conditions.  There is NO
    warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

**ASAN report**

    =================================================================
    ==1821995==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6330000188ec at pc 0x56501555da96 bp 0x7ffc6a94efd0 sp 0x7ffc6a94efc0
    READ of size 1 at 0x6330000188ec thread T0
        #0 0x56501555da95 in extractContigSamplesShifted8bits /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/tiffcrop.c:3753
        #1 0x565015573ffe in extractSeparateRegion /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/tiffcrop.c:7605
        #2 0x565015577fd0 in processCropSelections /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/tiffcrop.c:8621
        #3 0x56501555a0e9 in main /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/tiffcrop.c:2807
        #4 0x7f9dc504e082 in __libc_start_main ../csu/libc-start.c:308
        #5 0x565015550b6d in _start (/home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/.libs/tiffcrop+0x9b6d)
    
    0x6330000188ec is located 233 bytes to the right of 98307-byte region [0x633000000800,0x633000018803)
    allocated by thread T0 here:
        #0 0x7f9dc5703808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
        #1 0x7f9dc558af03 in _TIFFmalloc /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/libtiff/tif_unix.c:326
        #2 0x565015550d00 in limitMalloc /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/tiffcrop.c:710
        #3 0x565015571998 in loadImage /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/tiffcrop.c:7087
        #4 0x565015559f86 in main /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/tiffcrop.c:2783
        #5 0x7f9dc504e082 in __libc_start_main ../csu/libc-start.c:308
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/tiffcrop.c:3753 in extractContigSamplesShifted8bits
    Shadow bytes around the buggy address:
      0x0c667fffb0c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c667fffb0d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c667fffb0e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c667fffb0f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c667fffb100: 03 fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    =>0x0c667fffb110: fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]fa fa
      0x0c667fffb120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c667fffb130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c667fffb140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c667fffb150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c667fffb160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==1821995==ABORTING

**poc**

poc

CVE-2023-25435: heap-buffer-overflow in extractContigSamplesShifted8bits()  at /libtiff/tools/tiffcrop.c:3753 (SIGSEGV) (#518) · Issues · libtiff / libtiff · GitLab

Search

lenovo warranty check/lookup | check warranty status | lenovo support us