Archery v1.4.5 to v1.8.5 was discovered to contain multiple SQL injection vulnerabilities via the start_file, end_file, start_time, and stop_time parameters in the binlog2sql interface.

\# -\*- coding: UTF-8 -\*- from django.urls import path from django.views.i18n import JavaScriptCatalog import sql.instance\_database import sql.query\_privileges import sql.sql\_optimize from common import auth, config, workflow, dashboard, check from common.twofa import totp from sql import views, sql\_workflow, sql\_analyze, query, slowlog, instance, instance\_account, db\_diagnostic, \\ resource\_group, binlog, data\_dictionary, archiver, audit\_log, user from sql.utils import tasks from common.utils import ding\_api urlpatterns \= \[ path('', views.index), path('jsi18n/', JavaScriptCatalog.as\_view(), name\='javascript-catalog'), path('index/', views.index), path('login/', views.login, name\='login'), path('login/2fa/', views.twofa, name\='twofa'), path('logout/', auth.sign\_out), path('signup/', auth.sign\_up), path('sqlworkflow/', views.sqlworkflow), path('submitsql/', views.submit\_sql), path('editsql/', views.submit\_sql), path('submitotherinstance/', views.submit\_sql), path('detail/<int:workflow\_id>/', views.detail, name\='detail'), path('autoreview/', sql\_workflow.submit), path('passed/', sql\_workflow.passed), path('execute/', sql\_workflow.execute), path('timingtask/', sql\_workflow.timing\_task), path('alter\_run\_date/', sql\_workflow.alter\_run\_date), path('cancel/', sql\_workflow.cancel), path('rollback/', views.rollback), path('sqlanalyze/', views.sqlanalyze), path('sqlquery/', views.sqlquery), path('slowquery/', views.slowquery), path('sqladvisor/', views.sqladvisor), path('slowquery\_advisor/', views.sqladvisor), path('queryapplylist/', views.queryapplylist), path('queryapplydetail/<int:apply\_id>/', views.queryapplydetail, name\='queryapplydetail'), path('queryuserprivileges/', views.queryuserprivileges), path('dbdiagnostic/', views.dbdiagnostic), path('workflow/', views.workflows), path('workflow/<int:audit\_id>/', views.workflowsdetail), path('dbaprinciples/', views.dbaprinciples), path('dashboard/', dashboard.pyecharts), path('group/', views.group), path('grouprelations/<int:group\_id>/', views.groupmgmt), path('instance/', views.instance), path('instanceaccount/', views.instanceaccount), path('database/', views.database), path('instanceparam/', views.instance\_param), path('binlog2sql/', views.binlog2sql), path('my2sql/', views.my2sql), path('schemasync/', views.schemasync), path('archive/', views.archive), path('archive/<int:id>/', views.archive\_detail, name\='archive\_detail'), path('config/', views.config), path('audit/', views.audit), path('audit\_sqlquery/', views.audit\_sqlquery), path('audit\_sqlworkflow/', views.audit\_sqlworkflow), path('authenticate/', auth.authenticate\_entry), path('sqlworkflow\_list/', sql\_workflow.sql\_workflow\_list), path('sqlworkflow\_list\_audit/', sql\_workflow.sql\_workflow\_list\_audit), path('sqlworkflow/detail\_content/', sql\_workflow.detail\_content), path('sqlworkflow/backup\_sql/', sql\_workflow.backup\_sql), path('simplecheck/', sql\_workflow.check), path('getWorkflowStatus/', sql\_workflow.get\_workflow\_status), path('del\_sqlcronjob/', tasks.del\_schedule), path('inception/osc\_control/', sql\_workflow.osc\_control), path('sql\_analyze/generate/', sql\_analyze.generate), path('sql\_analyze/analyze/', sql\_analyze.analyze), path('workflow/list/', workflow.lists), path('workflow/log/', workflow.log), path('config/change/', config.change\_config), path('check/inception/', check.inception), path('check/go\_inception/', check.go\_inception), path('check/email/', check.email), path('check/instance/', check.instance), path('group/group/', resource\_group.group), path('group/addrelation/', resource\_group.addrelation), path('group/relations/', resource\_group.associated\_objects), path('group/instances/', resource\_group.instances), path('group/unassociated/', resource\_group.unassociated\_objects), path('group/auditors/', resource\_group.auditors), path('group/changeauditors/', resource\_group.changeauditors), path('group/user\_all\_instances/', resource\_group.user\_all\_instances), path('instance/list/', instance.lists), path('instance/user/list', instance\_account.users), path('instance/user/create/', instance\_account.create), path('instance/user/edit/', instance\_account.edit), path('instance/user/grant/', instance\_account.grant), path('instance/user/reset\_pwd/', instance\_account.reset\_pwd), path('instance/user/lock/', instance\_account.lock), path('instance/user/delete/', instance\_account.delete), path('instance/database/list/', sql.instance\_database.databases), path('instance/database/create/', sql.instance\_database.create), path('instance/database/edit/', sql.instance\_database.edit), path('instance/schemasync/', instance.schemasync), path('instance/instance\_resource/', instance.instance\_resource), path('instance/describetable/', instance.describe), path('data\_dictionary/', views.data\_dictionary), path('data\_dictionary/table\_list/', data\_dictionary.table\_list), path('data\_dictionary/table\_info/', data\_dictionary.table\_info), path('data\_dictionary/export/', data\_dictionary.export), path('param/list/', instance.param\_list), path('param/history/', instance.param\_history), path('param/edit/', instance.param\_edit), path('query/', query.query), path('query/querylog/', query.querylog), path('query/querylog\_audit/', query.querylog\_audit), path('query/favorite/', query.favorite), path('query/explain/', sql.sql\_optimize.explain), path('query/applylist/', sql.query\_privileges.query\_priv\_apply\_list), path('query/userprivileges/', sql.query\_privileges.user\_query\_priv), path('query/applyforprivileges/', sql.query\_privileges.query\_priv\_apply), path('query/modifyprivileges/', sql.query\_privileges.query\_priv\_modify), path('query/privaudit/', sql.query\_privileges.query\_priv\_audit), path('binlog/list/', binlog.binlog\_list), path('binlog/binlog2sql/', binlog.binlog2sql), path('binlog/my2sql/', binlog.my2sql), path('binlog/del\_log/', binlog.del\_binlog), path('slowquery/review/', slowlog.slowquery\_review), path('slowquery/review\_history/', slowlog.slowquery\_review\_history), path('slowquery/optimize\_sqladvisor/', sql.sql\_optimize.optimize\_sqladvisor), path('slowquery/optimize\_sqltuning/', sql.sql\_optimize.optimize\_sqltuning), path('slowquery/optimize\_soar/', sql.sql\_optimize.optimize\_soar), path('slowquery/optimize\_sqltuningadvisor/', sql.sql\_optimize.optimize\_sqltuningadvisor), path('slowquery/report/', slowlog.report), path('db\_diagnostic/process/', db\_diagnostic.process), path('db\_diagnostic/create\_kill\_session/', db\_diagnostic.create\_kill\_session), path('db\_diagnostic/kill\_session/', db\_diagnostic.kill\_session), path('db\_diagnostic/tablesapce/', db\_diagnostic.tablesapce), path('db\_diagnostic/trxandlocks/', db\_diagnostic.trxandlocks), path('db\_diagnostic/innodb\_trx/', db\_diagnostic.innodb\_trx), path('archive/list/', archiver.archive\_list), path('archive/apply/', archiver.archive\_apply), path('archive/audit/', archiver.archive\_audit), path('archive/switch/', archiver.archive\_switch), path('archive/once/', archiver.archive\_once), path('archive/log/', archiver.archive\_log), path('4admin/sync\_ding\_user/', ding\_api.sync\_ding\_user), path('audit/log/', audit\_log.audit\_log), path('audit/input/', audit\_log.audit\_input), path('user/list/', user.lists), path('user/qrcode/<str:data>/', totp.generate\_qrcode), \]

CVE-2022-38537: Archery/urls.py at v1.8.5 · hhyo/Archery

go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. A vulnerable node, can be made to consume unbounded amounts of memory when handling specially crafted p2p messages sent from an attacker node. The fix is included in geth version `1.12.1-stable`, i.e, `1.12.2-unstable` and onwards. Users are advised to upgrade. There are no known workarounds for this vulnerability.


In the software world, it is expected for security vulnerabilities to be immediately announced, thus giving operators an opportunity to take protective measure against attackers.

Vulnerabilities typically take two forms:

1.  Vulnerabilities that, if exploited, would harm the software operator. In the case of Geth, examples would be:
    
    *   A bug that would allow remote reading or writing of OS files, or
    *   Remote command execution, or
    *   Bugs that would leak cryptographic keys
    
2.  Vulnerabilities that, if exploited, would harm the Ethereum mainnet. In the case of Geth, examples would be:
    
    *   Consensus vulnerabilities, which would cause a chain split,
    *   Denial-of-service during block processing, whereby a malicious transaction could cause the geth-portion of the network to crash.
    *   Denial-of-service via p2p networking, whereby portions of the network could be made inaccessible due to crashes or resource consumption.
    

In most cases so far, vulnerabilities in Geth have been of the second type, where the health of the network is a concern, rather than individual node operators. For such issues, Geth reserves the right to silently patch and ship fixes in new releases.

**Why silent patches**

In the case of Ethereum, it takes a lot of time (weeks, months) to get node operators to update even to a scheduled hard fork. If we were to highlight that a release contains important consensus or DoS fixes, there is always a risk of someone trying to beat node operators to the punch, and exploit the vulnerability. Delaying a potential attack sufficiently to make the majority of node operators immune may be worth the temporary loss of transparency.

The primary goal for the Geth team is the health of the Ethereum network as a whole, and the decision whether or not to publish details about a serious vulnerability boils down to minimizing the risk and/or impact of discovery and exploitation.

At certain times, it's better to remain silent. This practice is also followed by other projects such as Monero, ZCash and Bitcoin.

**Public transparency**

As of November 2020, our policy going forward is:

*   If we silently fix a vulnerability and include the fix in release X, then,
*   After 4-8 weeks, we will disclose that X contained a security-fix.
*   After an additional 4-8 weeks, we will publish the details about the vulnerability.

We hope that this provides sufficient balance between transparency versus the need for secrecy, and aids node operators and downstream projects in keeping up to date with what versions to run on their infrastructure.

In keeping with this policy, we have taken inspiration from Solidity bug disclosure - see below.

**Disclosed vulnerabilities**

There is a JSON-formatted list (vulnerabilities.json) of some of the known security-relevant vulnerabilities concerning Geth.

As of version 1.9.25, Geth has a built-in command to check whether it is affected by any publicly disclosed vulnerability, using the command geth version-check. This command will fetch the latest json file (and the accompanying signature-file, and cross-check the data against its own version number.

The list of vulnerabilities was started in November 2020, and covers mainly v1.9.7 and forward.

The JSON file of known vulnerabilities below is a list of objects, one for each vulnerability, with the following keys:

*   name
    
    *   Unique name given to the vulnerability.
    
*   uid
    
    *   Unique identifier of the vulnerability. Format GETH-<year>-<sequential id>
    
*   summary
    
    *   Short description of the vulnerability.
    
*   description
    
    *   Detailed description of the vulnerability.
    
*   links
    
    *   List of relevant URLs with more detailed information (optional).
    
*   introduced
    
    *   The first published Geth version that contained the vulnerability (optional).
    
*   fixed
    
    *   The first published Geth version that did not contain the vulnerability anymore.
    
*   published
    
    *   The date at which the vulnerability became known publicly (optional).
    
*   severity
    
    *   Severity of the vulnerability: low, medium, high, critical.
    *   Takes into account the severity of impact and likelihood of exploitation.
    
*   check
    
    *   This field contains a regular expression, which can be used against the reported web3\_clientVersion of a node. If the check matches, the node is with a high likelihood affected by the vulnerability.
    
*   CVE
    
    *   The assigned CVE identifier, if available (optional)
    

**What about GitHub security advisories**

We prefer to not rely on GitHub as the only/primary publishing protocol for security advisories, but we plan to use the GitHub-advisory process as a second channel for disseminating vulnerability-information.

Advisories published via GitHub can be accessed here.

**Bug Bounties**

The Ethereum Foundation run a bug bounty program to reward responsible disclosures of bugs in client software and specs. The details are provided on ethereum.org.

CVE-2023-40591: Vulnerability disclosure | go-ethereum

Telecommunications giant AT&T has finally confirmed that 73 million current and former customers are caught up in a massive dark web data leak.

Telecommunications giant AT&T has finally confirmed that 73 million current and former customers have been caught up in a massive dark web data leak. The leaked data includes names, addresses, mobile phone numbers, dates of birth, and social security numbers.

Malwarebytes VP of Consumer Privacy, Oren Arar, describes the AT&T breach as “especially risky” because much of the type of data that’s been exposed. “SSN, name, date of birth—this is personal identifiable information (PII) that cannot be changed, and if scammers gets their hands on it, it just makes their work in stealing peoples identities a lot easier.”

The data came to light a few weeks ago when it was put up for sale on an online cybercrime forum, but the seller, a hacker calling themselves “MajorNelson”, claimed it had been stolen from AT&T three years prior.

In 2021, a hacker named “Shiny Hunters” put a database apparently containing the personal details of 70 million AT&T customers up for sale, but AT&T denied the leak was its data, and denied it again when the data appeared on the dark web last month. It has since revised its position as it wrestles with the thorny problem of investigating what happened on its computers three years ago.

In its latest statement, the company confirmed that the leak contained “AT&T data-specific fields,” but said it had not yet determined the source of that data.

> AT&T has determined that AT&T data-specific fields were contained in a data set released on the dark web approximately two weeks ago. While AT&T has made this determination, it is not yet known whether the data in those fields originated from AT&T or one of its vendors. With respect to the balance of the data set, which includes personal information such as social security numbers, the source of the data is still being assessed.

However, it also said that it believes that the leak affects 7.6 million current customers, and the leaked data is “from 2019 or earlier”.

> Based on our preliminary analysis, the data set appears to be from 2019 or earlier, impacting approximately 7.6 million current AT&T account holders and approximately 65.4 million former account holders.

In a separate statement, the company also said it is reaching out to the people affected by the breach.

> It has come to our attention that a number of AT&T passcodes have been compromised. We are reaching out to all 7.6M impacted customers and have reset their passcodes. In addition, we will be communicating with current and former account holders with compromised sensitive personal information.

Personal information like names, addresses, phone numbers, passcodes, and social security numbers are prized assets for cybercriminals because they can be used to make scams much more believable.

In particular, this information will make it easier for criminals to pose as AT&T, and all 73 million people affected by this breach will need to be on their guard for scammers using it as a pretext to send personalised, AT&T-branded emails and messages.

**Protecting yourself from a data breach**

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

**Check if your data has been breached**

Our Digital Footprint records now include the AT&T data so you can check if your information has been exposed online. Submit your email address (it’s best to submit the one you use most frequently) to our free Digital Footprint scan and we’ll send you a report.

 AT&#038;T confirms 73 million people affected by data breach 

The file upload wizard in Zengenti Contensis Classic before 15.2.1.79 does not correctly check that a user has authenticated. By uploading a crafted aspx file, it is possible to execute arbitrary commands.

**CVE-2022-34919**

Contensis Content Management System prior to version 15.2.1.79 has a flaw in their 'Classic' interface that allows an unauthenticated user to upload and approve arbitrary files. By uploading an aspx file, it is possible to execute commands in the context of the web server.

This vulnerability was discovered in March 2022 and patched by Zengenti in their release on April 8, 2022.

Steps to reproduce:

1:

The initial file upload is performed with a POST request to the following endpoint:

https://\[example\].cloud.contensis.com/REST/UI/Wizards/CreateContent/UploadFile?folderId=1&projectId=1&context=%7B%22UserID%22%3A1%2C%22LanguageID%22%3A1%2C%22SecurityToken%22%3A%22%22%7D

The context parameter indicates which user is uploading the file; in this case, UserId 1, System Administrator. The SecurityToken parameter is required but may be blank. This request (screenshot 1) generates a temporary file on the server with a UUID. In this example, I used a webshell available at: https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/asp/cmd.aspx 

2:

The file must then be approved with a POST request to the following endpoint:

https://\[example\].cloud.contensis.com/REST/UI/Wizards/CreateContent/CreateContent

This request (screenshot 2) will include the path to the temporary file from the initial request and include parameters to approve for publishing and modify the content type to bypass file restrictions. In this instance, ContentTypeId is set to 43, indicating it is an HTML document, rather than ASPX. The file is then available on the ‘preview’ and ‘live’ domains below:

https://preview-\[example\].cloud.contensis.com/cmd2.aspx

https://iis-live-\[example\].cloud.contensis.com/cmd2.aspx 

3:

Be responsible and only test this on authorized hosts (screenshot 3)

CVE-2022-34919: GitHub - ahajnik/CVE-2022-34919

A logic error in the Hints::Hints function of Poppler v22.03.0 allows attackers to cause a Denial of Service (DoS) via a crafted PDF file.

A logic error in Function Hints::Hints (poppler/Hints.cc) is found with fuzzing.

There is a check after the memory alloc and set the nPages to zero if failed:

    if (!nObjects || !pageObjectNum || !xRefOffset || !pageLength || !pageOffset || !numSharedObject || !sharedObjectId) {
    
        error(errSyntaxWarning, -1, "Failed to allocate memory for hints table");
    
        nPages = 0;
    
    }

But at the end of function, there is a direct call to function readTables WITHOUT the check of nPages.

I believe it should be changed to:

    if (nPages != 0) {
    
        readTables(str, linearization, xref, secHdlr);
    
    }

Otherwise, with the attached poc.pdf, program pdftops will hang for a very long time (days), could be a DoS.

pdftops poc.pdf

Edited Mar 15, 2022 by

CVE-2022-27337: Logic error in function Hints::Hints (#1230) · Issues · poppler / poppler

In FreeRDP after 1.0 and before 2.0.0, there is an out-of-bounds read. It only allows to abort a session. No data extraction is possible. This has been fixed in 2.0.0.

version

    https://github.com/FreeRDP/FreeRDP/blob/9ef1e81c559bb19d613b4da2d68908ea5d7f9259/libfreerdp/core/rdp.c#L1129
    

vuln code  
rdp_read_share_control_header could read 2 byte from stream, if *length == 0x8000 , it could call rdp_read_flow_control_pdu.

    BOOL rdp_read_share_control_header(wStream* s, UINT16* length, UINT16* type, UINT16* channel_id)
    {
    	if (Stream_GetRemainingLength(s) < 2)
    		return FALSE;
    
    	Stream_Read_UINT16(s, *length); /* totalLength */
    
    	if (*length == 0x8000)
    	{
    		rdp_read_flow_control_pdu(s, type);   // vuln function
    
    

rdp_read_flow_control_pdu just read 1byte and seek some byte from stream without check length, it could lead _s->pointer - _s->buffer > _s->length, then the check in other function could failed

    void rdp_read_flow_control_pdu(wStream* s, UINT16* type)
    {
    
    	UINT8 pduType;
    	Stream_Read_UINT8(s, pduType); /* pduTypeFlow */
    	*type = pduType;
    	Stream_Seek_UINT8(s);  /* pad8bits */
    	Stream_Seek_UINT8(s);  /* flowIdentifier */
    	Stream_Seek_UINT8(s);  /* flowNumber */
    	Stream_Seek_UINT16(s); /* pduSource */
    }

CVE-2020-11048: memory out of bounds read in rdp_read_flow_control_pdu · Issue #6007 · FreeRDP/FreeRDP

CVE-2022-27337: Logic error in function Hints::Hints (#1230) · Issues · poppler / poppler · GitLab

Cross-site Scripting (XSS) - Stored in GitHub repository getgrav/grav prior to 1.7.31.

@@ -25,6 +25,22 @@

\*/

class Security

{

/\*\*

\* @param string $filepath

\* @param array|null $options

\* @return string|null

\*/

public static function detectXssFromSvgFile(string $filepath, array $options = null): ?string

{

if (file\_exists($filepath) && Grav::instance()\['config'\]->get('security.sanitize\_svg')) {

$content = file\_get\_contents($filepath);

  

return static::detectXss($content, $options);

}

  

return null;

}

  

/\*\*

\* Sanitize SVG string for XSS code

\*

@@ -200,7 +216,7 @@ public static function detectXss($string, array $options = null): ?string

}, $string);

  

// Clean up entities

$string = preg\_replace('!(&#\[0-9\]+)!u', '$1;', $string);

$string = preg\_replace('!(&#\[0-9\]+);?!u', '$1;', $string);

  

// Decode entities

$string = html\_entity\_decode($string, ENT\_NOQUOTES | ENT\_HTML5, 'UTF-8');

CVE-2022-0970: Added XSS check for uploaded SVG files before they get stored · getgrav/grav@f19297d

sign_pFwInfo in Samsung mTower through 0.3.0 has a missing check on the return value of EC_KEY_set_public_key_affine_coordinates, leading to a denial of service.

/\*\* \* @file tools/fwinfogen.c \* @brief . \* \* @copyright Copyright (c) 2019 Samsung Electronics Co., Ltd. All Rights Reserved. \* @author Taras Drozdovskyi t.drozdovsky@samsung.com \* \* Licensed under the Apache License, Version 2.0 (the "License"); \* you may not use this file except in compliance with the License. \* You may obtain a copy of the License at \* \* http://www.apache.org/licenses/LICENSE-2.0 \* \* Unless required by applicable law or agreed to in writing, software \* distributed under the License is distributed on an "AS IS" BASIS, \* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. \* See the License for the specific language governing permissions and \* limitations under the License. \*/ /\* Included Files. \*/ #include <stdio.h\> #include <stdint.h\> #include <stdlib.h\> #include <string.h\> #include <openssl/sha.h\> #include <openssl/ec.h\> // for EC\_GROUP\_new\_by\_curve\_name, EC\_GROUP\_free, EC\_KEY\_new, EC\_KEY\_set\_group, EC\_KEY\_generate\_key, EC\_KEY\_free #include <openssl/ecdsa.h\> // for ECDSA\_do\_sign, ECDSA\_do\_verify #include <openssl/obj\_mac.h\> // for NID\_secp192k1 #include "config.h" //#include "version.h" /\* Pre-processor Definitions. \*/ #define BUILD\_MONTH\_IS\_JAN (\_\_DATE\_\_\[0\] == 'J' && \_\_DATE\_\_\[1\] == 'a' && \_\_DATE\_\_\[2\] == 'n') #define BUILD\_MONTH\_IS\_FEB (\_\_DATE\_\_\[0\] == 'F') #define BUILD\_MONTH\_IS\_MAR (\_\_DATE\_\_\[0\] == 'M' && \_\_DATE\_\_\[1\] == 'a' && \_\_DATE\_\_\[2\] == 'r') #define BUILD\_MONTH\_IS\_APR (\_\_DATE\_\_\[0\] == 'A' && \_\_DATE\_\_\[1\] == 'p') #define BUILD\_MONTH\_IS\_MAY (\_\_DATE\_\_\[0\] == 'M' && \_\_DATE\_\_\[1\] == 'a' && \_\_DATE\_\_\[2\] == 'y') #define BUILD\_MONTH\_IS\_JUN (\_\_DATE\_\_\[0\] == 'J' && \_\_DATE\_\_\[1\] == 'u' && \_\_DATE\_\_\[2\] == 'n') #define BUILD\_MONTH\_IS\_JUL (\_\_DATE\_\_\[0\] == 'J' && \_\_DATE\_\_\[1\] == 'u' && \_\_DATE\_\_\[2\] == 'l') #define BUILD\_MONTH\_IS\_AUG (\_\_DATE\_\_\[0\] == 'A' && \_\_DATE\_\_\[1\] == 'u') #define BUILD\_MONTH\_IS\_SEP (\_\_DATE\_\_\[0\] == 'S') #define BUILD\_MONTH\_IS\_OCT (\_\_DATE\_\_\[0\] == 'O') #define BUILD\_MONTH\_IS\_NOV (\_\_DATE\_\_\[0\] == 'N') #define BUILD\_MONTH\_IS\_DEC (\_\_DATE\_\_\[0\] == 'D') #define BUILD\_MONTH \\ ( \\ (BUILD\_MONTH\_IS\_JAN) ? 1 : \\ (BUILD\_MONTH\_IS\_FEB) ? 2 : \\ (BUILD\_MONTH\_IS\_MAR) ? 3 : \\ (BUILD\_MONTH\_IS\_APR) ? 4 : \\ (BUILD\_MONTH\_IS\_MAY) ? 5 : \\ (BUILD\_MONTH\_IS\_JUN) ? 6 : \\ (BUILD\_MONTH\_IS\_JUL) ? 7 : \\ (BUILD\_MONTH\_IS\_AUG) ? 8 : \\ (BUILD\_MONTH\_IS\_SEP) ? 9 : \\ (BUILD\_MONTH\_IS\_OCT) ? 16 : \\ (BUILD\_MONTH\_IS\_NOV) ? 17 : \\ (BUILD\_MONTH\_IS\_DEC) ? 18 : \\ /\* error default \*/ 0 \\ ) #define BUILD\_DAY\_CH0 ((\_\_DATE\_\_\[4\] >= '0') ? (\_\_DATE\_\_\[4\]) : '0') #define BUILD\_DAY\_CH1 (\_\_DATE\_\_\[ 5\]) #define DATE\_COMPILE (((\_\_DATE\_\_\[7\] - '0') << 28) \\ | (((unsigned int)(\_\_DATE\_\_\[8\] - '0')) << 24) \\ | (((unsigned int)(\_\_DATE\_\_\[9\] - '0')) << 20) \\ | (((unsigned int)(\_\_DATE\_\_\[10\] - '0')) << 16) \\ | (((unsigned int)(BUILD\_MONTH)) << 8) \\ | (((unsigned int)(((\_\_DATE\_\_\[4\] >= '0') ? (\_\_DATE\_\_\[4\]) : '0') - '0')) << 4) \\ | (((unsigned int)\_\_DATE\_\_\[5\] - '0'))) #define BL33\_METADATA\_ADDRESS (0x10080000 - CONFIG\_START\_ADDRESS\_BL33 - 0x8000) /\*\* Instruction Code of "B ." \*/ /\* Private Types. \*/ /\* Any types, enums, structures or unions used by the file are defined here. \*/ /\* typedef for NonSecure callback functions \*/ /\*\* \* @details ECC public key structure \*/ typedef struct { uint32\_t au32Key0\[8\]; /\* 256-bits \*/ uint32\_t au32Key1\[8\]; /\* 256-bits \*/ }\_\_attribute\_\_((packed)) ECC\_PUBKEY\_T; /\*\* \* @details ECC ECDSA signature structure \*/ typedef struct { uint32\_t au32R\[8\]; /\* 256-bits \*/ uint32\_t au32S\[8\]; /\* 256-bits \*/ }\_\_attribute\_\_((packed)) ECDSA\_SIGN\_T; typedef struct { uint32\_t u32Start; /\* 32-bits \*/ uint32\_t u32Size; /\* 32-bits \*/ }\_\_attribute\_\_((packed)) FW\_REGION\_T; typedef struct { uint32\_t u32AuthCFGs; /\* 32-bits \*/ /\* bit\[1:0\]: Reserved bit\[2\]: 1: Info Hash includes PDID / 0: Not include PDID bit\[3\]: 1: Info Hash includes UID / 0: Not include UID bit\[4\]: 1: Info Hash inculdes UICD / 0: Not include UICD bit\[31:5\]: Reserved \*/ uint32\_t u32FwRegionLen; /\* 32-bits \*/ FW\_REGION\_T au32FwRegion\[1\]; /\* (8\*1) bytes \*/ uint32\_t u32ExtInfoLen; /\* 32-bits \*/ uint32\_t au32ExtInfo\[3\]; /\* 12-bytes \*/ }\_\_attribute\_\_((packed)) METADATA\_T; typedef struct { ECC\_PUBKEY\_T pubkey; /\* 64-bytes (256-bits + 256-bits) \*/ METADATA\_T mData; /\* includes authenticate configuration, F/W regions and extend info \*/ uint32\_t au32FwHash\[8\]; /\* 32-bytes (256-bits) \*/ ECDSA\_SIGN\_T sign; /\* 64-bytes (256-bits R + 256-bits S) \*/ }\_\_attribute\_\_((packed)) FW\_INFO\_T; /\*\* \* @details ECC ECDSA key structure \*/ typedef struct { uint8\_t Qx\[32\]; /\* 256-bits \*/ uint8\_t Qy\[32\]; /\* 256-bits \*/ uint8\_t d\[32\]; /\* 256-bits \*/ }\_\_attribute\_\_((packed)) ECC\_KEY\_T; /\* Private Function Prototypes. \*/ /\* Prototypes of all static functions in the file are provided here. \*/ /\* Private Data. \*/ /\* All static data definitions appear here. \*/ /\* Public Data. \*/ /\* All data definitions with global scope appear here. \*/ const char header\[\] = "\\n" "const uint32\_t g\_InitialFWinfo\[\] =\\n" "{\\n" " /\* public key - 64-bytes (256-bits + 256-bits) \*/\\n"; /\* Public Function Prototypes \*/ /\* Private Functions. \*/ void sha256(unsigned char \*data, unsigned int data\_len, unsigned char \*hash) { SHA256\_CTX sha256; SHA256\_Init(&sha256); SHA256\_Update(&sha256, data, data\_len); SHA256\_Final(hash, &sha256); } static int sign\_pFwInfo(FW\_INFO\_T \*pFwInfo, ECC\_KEY\_T \*ecdsa\_key) { int ret = -1; EC\_KEY \*eckey = EC\_KEY\_new(); if (NULL == eckey) { printf("Failed to create new EC Key\\n"); return -1; } EC\_GROUP \*ecgroup = EC\_GROUP\_new\_by\_curve\_name(NID\_X9\_62\_prime256v1); if (NULL == ecgroup) { printf("Failed to create new EC Group\\n"); goto exit; } if (EC\_KEY\_set\_group(eckey, ecgroup) != 1) { printf("Failed to set group for EC Key\\n"); goto exit; } memcpy((void \*) pFwInfo->pubkey.au32Key0, (void \*) ecdsa\_key->Qx, 32); memcpy((void \*) pFwInfo->pubkey.au32Key1, (void \*) ecdsa\_key->Qy, 32); BIGNUM\* x = BN\_bin2bn((void \*) ecdsa\_key->Qx, 32, NULL); BIGNUM\* y = BN\_bin2bn((void \*) ecdsa\_key->Qy, 32, NULL); BIGNUM\* d = BN\_bin2bn((void \*) ecdsa\_key->d, 32, NULL); EC\_KEY\_set\_private\_key(eckey, d); EC\_KEY\_set\_public\_key\_affine\_coordinates(eckey, x, y); uint32\_t au32HeadHash\[8\]; unsigned int u32Size = sizeof(FW\_INFO\_T) - sizeof(ECDSA\_SIGN\_T); sha256((unsigned char \*) pFwInfo, u32Size, (unsigned char \*) au32HeadHash); ECDSA\_SIG \*signature = ECDSA\_do\_sign((unsigned char \*) au32HeadHash, u32Size, eckey); if (NULL == signature) { printf("Failed to generate EC Signature\\n"); } else { if (ECDSA\_do\_verify((unsigned char \*) au32HeadHash, u32Size, signature, eckey) != 1) { printf("Failed to verify EC Signature\\n"); } else { BIGNUM \*r, \*s; #if OPENSSL\_VERSION\_NUMBER >= 0x10100000L ECDSA\_SIG\_get0(signature, &r, &s); #else r = signature->r; s = signature->s; #endif // printf("d: %s\\n", BN\_bn2hex(d)); // printf("X: %s\\n", BN\_bn2hex(x)); // printf("Y: %s\\n", BN\_bn2hex(y)); // printf("R: %s\\n", BN\_bn2hex(r)); // printf("S: %s\\n", BN\_bn2hex(s)); BN\_bn2bin(r, (unsigned char \*) pFwInfo->sign.au32R); BN\_bn2bin(s, (unsigned char \*) pFwInfo->sign.au32S); BN\_free(x); BN\_free(y); BN\_free(d); BN\_free(r); BN\_free(s); } } ret = 0; exit: EC\_GROUP\_free(ecgroup); EC\_KEY\_free(eckey); return ret; } int getFileSize(const char \*filename) { int size = -1; FILE\* fd = fopen(filename, "rb"); if (!fd) { printf("Failed to open file: %s\\n",filename); return -1; } /\* Get file size \*/ if (fseek(fd, 0, SEEK\_END) != 0) { printf("Unable to get '%s' file size\\n", filename); goto exit; } size = ftell(fd); if (size < 0) { printf("Stream doesn't support '%s' file positioning\\n", filename); goto exit; } // rewind(fd); exit: fclose(fd); return size; } #ifdef CONFIG\_BOOTLOADER2 /\*\* \* @brief printFwInfo - . \* \* @param pFwInfo \[in/out\] A pointer to jar file name string. \* \* @returns 0 on success or error code on failure. \*/ void printFwInfo(FW\_INFO\_T \*pFwInfo) { printf("%s", header); printf(" 0x%08x, 0x%08x, 0x%08x, 0x%08x,\\n", pFwInfo->pubkey.au32Key0\[0\], pFwInfo->pubkey.au32Key0\[1\], pFwInfo->pubkey.au32Key0\[2\], pFwInfo->pubkey.au32Key0\[3\]); printf(" 0x%08x, 0x%08x, 0x%08x, 0x%08x,\\n", pFwInfo->pubkey.au32Key0\[4\], pFwInfo->pubkey.au32Key0\[5\], pFwInfo->pubkey.au32Key0\[6\], pFwInfo->pubkey.au32Key0\[7\]); printf(" 0x%08x, 0x%08x, 0x%08x, 0x%08x,\\n", pFwInfo->pubkey.au32Key1\[0\], pFwInfo->pubkey.au32Key1\[1\], pFwInfo->pubkey.au32Key1\[2\], pFwInfo->pubkey.au32Key1\[3\]); printf(" 0x%08x, 0x%08x, 0x%08x, 0x%08x,\\n", pFwInfo->pubkey.au32Key1\[4\], pFwInfo->pubkey.au32Key1\[5\], pFwInfo->pubkey.au32Key1\[6\], pFwInfo->pubkey.au32Key1\[7\]); printf("\\n"); printf( " /\* metadata data - includes Mode selection, F/W region and Extend info \*/\\n"); printf(" 0x%08x, 0x%08x, 0x%08x, 0x%08x, // 0x00020000: NuBL32 F/W base\\n", pFwInfo->mData.u32AuthCFGs, pFwInfo->mData.u32FwRegionLen, pFwInfo->mData.au32FwRegion\[0\].u32Start, pFwInfo->mData.au32FwRegion\[0\].u32Size); printf( " 0x%08x, 0x%08x, 0x%08x, 0x%08x, // 0x20180824/0x00001111/0x22223333: Extend info\\n", pFwInfo->mData.u32ExtInfoLen, pFwInfo->mData.au32ExtInfo\[0\], pFwInfo->mData.au32ExtInfo\[1\], pFwInfo->mData.au32ExtInfo\[2\]); printf("\\n"); printf(" /\* FW hash - 32-bytes (256-bits) \*/\\n"); printf(" 0x%08x, 0x%08x, 0x%08x, 0x%08x,\\n", pFwInfo->au32FwHash\[0\], pFwInfo->au32FwHash\[1\], pFwInfo->au32FwHash\[2\], pFwInfo->au32FwHash\[3\]); printf(" 0x%08x, 0x%08x, 0x%08x, 0x%08x,\\n", pFwInfo->au32FwHash\[4\], pFwInfo->au32FwHash\[5\], pFwInfo->au32FwHash\[6\], pFwInfo->au32FwHash\[7\]); printf("\\n"); printf(" /\* FwInfo signature - 64-bytes (256-bits R + 256-bits S) \*/\\n"); printf(" 0x%08x, 0x%08x, 0x%08x, 0x%08x,\\n", pFwInfo->sign.au32R\[0\], pFwInfo->sign.au32R\[1\], pFwInfo->sign.au32R\[2\], pFwInfo->sign.au32R\[3\]); printf(" 0x%08x, 0x%08x, 0x%08x, 0x%08x,\\n", pFwInfo->sign.au32R\[4\], pFwInfo->sign.au32R\[5\], pFwInfo->sign.au32R\[6\], pFwInfo->sign.au32R\[7\]); printf(" 0x%08x, 0x%08x, 0x%08x, 0x%08x,\\n", pFwInfo->sign.au32S\[0\], pFwInfo->sign.au32S\[1\], pFwInfo->sign.au32S\[2\], pFwInfo->sign.au32S\[3\]); printf(" 0x%08x, 0x%08x, 0x%08x, 0x%08x,\\n", pFwInfo->sign.au32S\[4\], pFwInfo->sign.au32S\[5\], pFwInfo->sign.au32S\[6\], pFwInfo->sign.au32S\[7\]); printf("};\\n"); } #endif /\*\* \* @brief main - entry point of mTower: secure world. \* \* @param None \* \* @returns None (function is not supposed to return) \*/ int main(int argc, char\*\* argv) { unsigned char \*buf = NULL; int ret = -1; FILE\* fd; int img\_size = 0; #ifdef CONFIG\_BOOTLOADER2 ECC\_KEY\_T ecdsa\_key; FW\_INFO\_T pFwInfo; pFwInfo.mData.u32AuthCFGs = 0x00000001; pFwInfo.mData.u32FwRegionLen = 0x00000008; pFwInfo.mData.au32FwRegion\[0\].u32Start = CONFIG\_START\_ADDRESS\_BL32; pFwInfo.mData.au32FwRegion\[0\].u32Size = 0x00000000; pFwInfo.mData.u32ExtInfoLen = 0x0000000c; pFwInfo.mData.au32ExtInfo\[0\] = DATE\_COMPILE; pFwInfo.mData.au32ExtInfo\[1\] = 0x00001111; pFwInfo.mData.au32ExtInfo\[2\] = 0x22223333; #endif if (argc != 7) { printf("Not enough input parameters for %s\\n", argv\[0\]); return -1; } buf = malloc(1024 \* 256); if (buf == NULL) { printf("Allocation memory error\\n"); goto exit; } memset((void \*) buf, 0, 1024 \* 256); //////////////////////////////////////////////////////////////// // mtower\_s.bin //////////////////////////////////////////////////////////////// #ifdef CONFIG\_BOOTLOADER2 int32\_t size\_bl2; if((size\_bl2 = getFileSize(argv\[1\])) < 0) { return -1; } fd = fopen(argv\[1\], "rb"); if (!fd) { printf("Failed to open file: %s\\n",argv\[1\]); return -1; } if (fread(buf, 1, (size\_t) size\_bl2, fd) != (size\_t) size\_bl2) { free(buf); goto exit; } fclose(fd); #endif #ifdef CONFIG\_BOOTLOADER32 int32\_t size\_bl32; if((size\_bl32 = getFileSize(argv\[2\])) < 0) { return -1; } fd = fopen(argv\[2\], "rb"); if (!fd) { printf("Failed to open file: %s\\n",argv\[2\]); goto exit; } if (fread(buf + CONFIG\_START\_ADDRESS\_BL32, 1, (size\_t) size\_bl32, fd) != (size\_t) size\_bl32) { free(buf); goto exit; } fclose(fd); img\_size = size\_bl32; #endif #ifdef CONFIG\_BOOTLOADER2 sha256(buf + CONFIG\_START\_ADDRESS\_BL32, size\_bl32, (unsigned char \*) &pFwInfo.au32FwHash); pFwInfo.mData.au32FwRegion\[0\].u32Size = size\_bl32; fd = fopen(argv\[4\], "rb"); if (!fd) { printf("Failed to open file: %s\\n",argv\[4\]); goto exit; } if (fread((unsigned char \*) &ecdsa\_key, sizeof(char), sizeof(ECC\_KEY\_T), fd) != sizeof(ECC\_KEY\_T)) { return -1; } fclose(fd); sign\_pFwInfo(&pFwInfo, &ecdsa\_key); memcpy(buf + 0x00038000, (unsigned char \*) &pFwInfo, sizeof(FW\_INFO\_T)); img\_size = 0x00038000 + sizeof(FW\_INFO\_T); #endif fd = fopen(argv\[3\], "wb"); if (!fd) { printf("Failed to open file: %s\\n",argv\[3\]); goto exit; } if (fwrite(buf, sizeof(char), (size\_t) img\_size, fd) != (size\_t) img\_size) { free(buf); goto exit; } #ifdef CONFIG\_BOOTLOADER2 printf("\\n\\tSecure firmware info\\n"); printFwInfo(&pFwInfo); #endif //////////////////////////////////////////////////////////////// // mtower\_ns.bin //////////////////////////////////////////////////////////////// #ifdef CONFIG\_BOOTLOADER33 memset((void \*) buf, 0, 1024 \* 256); int32\_t size\_bl33; if((size\_bl33 = getFileSize(argv\[5\])) < 0) { return -1; } fd = fopen(argv\[5\], "rb"); if (!fd) { printf("Failed to open file: %s\\n",argv\[5\]); goto exit; } if (fread(buf, 1, (size\_t) size\_bl33, fd) != (size\_t) size\_bl33) { goto exit; } fclose(fd); img\_size = size\_bl33; #ifdef CONFIG\_BOOTLOADER2 sha256(buf, size\_bl33, (unsigned char \*) &pFwInfo.au32FwHash); pFwInfo.mData.au32FwRegion\[0\].u32Start = CONFIG\_START\_ADDRESS\_BL33; pFwInfo.mData.au32FwRegion\[0\].u32Size = size\_bl33; sign\_pFwInfo(&pFwInfo, &ecdsa\_key); memcpy(buf + BL33\_METADATA\_ADDRESS, (unsigned char \*) &pFwInfo, sizeof(FW\_INFO\_T)); img\_size = BL33\_METADATA\_ADDRESS + sizeof(FW\_INFO\_T); #endif fd = fopen(argv\[6\], "wb"); if (!fd) { printf("Failed to open file: %s\\n",argv\[6\]); goto exit; } if (fwrite(buf, sizeof(char), (size\_t) img\_size, fd) != (size\_t) img\_size) { goto exit; } #endif ret = 0; exit: free(buf); fclose(fd); #ifdef CONFIG\_BOOTLOADER2 printf("\\n\\tNon-secure firmware info\\n"); printFwInfo(&pFwInfo); #endif return ret; }

CVE-2022-39830: mTower/fwinfogen.c at 18f4b592a8a973ce5972f4e2658ea0f6e3686284 · Samsung/mTower

A vulnerability affecting F-Secure SAFE browser was discovered. A maliciously crafted website could make a phishing attack with address bar spoofing as the browser did not show full URL, such as port number.

**Security Advisories**

**CVE-2022-28869: Address Bar Spoofing Vulnerability in F-Secure SAFE Browser for Android**

**Description**

Incomplete display of URL could lead to address bar spoofing. 

**STATUS:** Fixed

**RISK LEVEL:** Medium

**FIX:** A fix has been released in the automatic update channel since 13th April, 2022. No user action is required.

**Affected Products**

*   F-Secure SAFE Browser for Android Version 18.6 and below

**Platforms**

*   All supported platforms for the affected products

**More Information**

A vulnerability affecting F-Secure SAFE browser was discovered. A maliciously crafted website could make a phishing attack with address bar spoofing as the browser did not show full URL, such as port number. 

This issue was reported to F-Secure through the Vulnerability Reward Program. No known exploit or attack has been seen in the wild.

**Credits**

F-Secure Corporation would like to thank Kirtikumar Anandrao Ramchandani for bringing this issue to our attention.

Search

lenovo warranty check/lookup | check warranty status | lenovo support us