An authentication bypass vulnerability exists in Suprema BioStar 2 before 2.9.1, which allows unauthenticated users to access some functionality on BioStar 2 servers.

**This topic does not exist yet**

You've followed a link to a topic that doesn't exist yet. If permissions allow, you may create it by clicking on “Create this page”.

CVE-2023-33363: en:release_note_291_cve_title []

An OS Command injection vulnerability exists in Suprema BioStar 2 before V2.9.1, which allows authenticated users to execute arbitrary OS commands on the BioStar 2 server.

**Disclosure Policy**

Team82 is committed to privately reporting vulnerabilities to affected vendors in a coordinated, timely manner in order to ensure the safety of the cybersecurity ecosystem worldwide. To engage with the vendor and research community, Team82 invites you to download and share our Coordinated Disclosure Policy. Team82 will adhere to this reporting and disclosure process when we discover vulnerabilities in products and services.

**Public Email & PGP Key**

Team82 has also made its public PGP Key available for the vendor and research community to securely and safely exchange vulnerability and research information with us.

CVE-2023-33364: CVE-2023-33364

A path traversal vulnerability exists in Suprema BioStar 2 before 2.9.1, which allows unauthenticated attackers to fetch arbitrary files from the server's web server.

CVE-2023-33365: CVE-2023-33365

A SQL injection vulnerability exists in Suprema BioStar 2 before 2.9.1, which allows authenticated users to inject arbitrary SQL directives into an SQL statement and execute arbitrary SQL commands.

CVE-2023-33366: CVE-2023-33366

Debian Linux Security Advisory 5462-1 - Tavis Ormandy discovered that under specific microarchitectural circumstances, a vector register in AMD "Zen 2" CPUs may not be written to 0 correctly. This flaw allows an attacker to leak sensitive information across concurrent processes, hyper threads and virtualized guests.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5462-1                   security@debian.org  
https://www.debian.org/security/                     Salvatore Bonaccorso  
July 30, 2023                         https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : linux  
CVE ID         : CVE-2023-20593

Tavis Ormandy discovered that under specific microarchitectural  
circumstances, a vector register in AMD "Zen 2" CPUs may not be  
written to 0 correctly.  This flaw allows an attacker to leak  
sensitive information across concurrent processes, hyper threads  
and virtualized guests.

For details please refer to  
<https://lock.cmpxchg8b.com/zenbleed.html> and  
<https://github.com/google/security-research/security/advisories/GHSA-v6wh-rxpg-cmm8>.

This issue can also be mitigated by a microcode update through the  
amd64-microcode package or a system firmware (BIOS/UEFI) update.  
However, the initial microcode release by AMD only provides  
updates for second generation EPYC CPUs.  Various Ryzen CPUs are  
also affected, but no updates are available yet.

For the stable distribution (bookworm), this problem has been fixed in  
version 6.1.38-2.

We recommend that you upgrade your linux packages.

For the detailed security status of linux please refer to its security  
tracker page at:  
https://security-tracker.debian.org/tracker/linux

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmTGCyRfFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2  
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND  
z0Tjjw//SsbN4RnQHqV1G0XVWxApVK1DYoKw6+tHxkkf301jV2abDMcIO1keVNol  
gc2yENQyzeoGd++eBqO0MD9GnvrbutT6n7wChuyvB7bzFDQQA6hJHLcFLkKYA3D1  
6yFgczWL0Tx7wcrpKU9gVMWAe928VE4hJGVd6nFF02YS0GF8voY/ymiCqbuQA05f  
LOmeHNIWyzulBG0qNwQE6HT6s6LkLMCZAawpe3D85cE6exFWRDKJhxKY8GcZvJDV  
8G80Ik1xYAQ6Q5HqwxUr2Rp0sN7a8SghF817Sn/Bx6ahvej61ZTgDn7QhKLkGwu2  
/DOnMcKwKd9WB7gS9T4YLd6rNOPCL4J5P06ia4/JbocExIu19pEEfQvb7gf5PVl3  
994DykFy9ByKiXYh91U9QNyKaBZSjMFeN9Mg8FbbuwZGLLNACkhZc72JK4yKsxTq  
5cucuVBzwbwvvrK63h3YVDyOv8vRiI/jquxOMehsrSGOuaHpd2VduQdnS0ayKjqX  
STOKNRMA+GGjIoNdLyfe9HDlm3ztwsjrxoO0eXqWjUc7EA6KOfsF7NLFju2YXEt9  
80Yr6kCS5/IukkhZBAP4GwV4mLKG1yZ7vzwb15pAihvtw7UFrrzifkcL0yPf7Cx8  
wVtTUdl+5Y4Dfy+i9/LT0sY4fVEKfZZoXnDV733vxTTKKNQSpFk=  
=ceVi  
-----END PGP SIGNATURE-----

Debian Security Advisory 5462-1

Debian Linux Security Advisory 5461-1 - Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5461-1                   security@debian.org  
https://www.debian.org/security/                     Salvatore Bonaccorso  
July 30, 2023                         https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : linux  
CVE ID         : CVE-2023-3390 CVE-2023-3610 CVE-2023-20593

Several vulnerabilities have been discovered in the Linux kernel that  
may lead to a privilege escalation, denial of service or information  
leaks.

CVE-2023-3390

    A use-after-free flaw in the netfilter subsystem caused by incorrect  
    error path handling may result in denial of service or privilege  
    escalation.

CVE-2023-3610

    A use-after-free flaw in the netfilter subsystem caused by incorrect  
    refcount handling on the table and chain destroy path may result in  
    denial of service or privilege escalation.

CVE-2023-20593

    Tavis Ormandy discovered that under specific microarchitectural  
    circumstances, a vector register in AMD "Zen 2" CPUs may not be  
    written to 0 correctly.  This flaw allows an attacker to leak  
    sensitive information across concurrent processes, hyper threads  
    and virtualized guests.

    For details please refer to  
    <https://lock.cmpxchg8b.com/zenbleed.html> and  
    <https://github.com/google/security-research/security/advisories/GHSA-v6wh-rxpg-cmm8>.

    This issue can also be mitigated by a microcode update through the  
    amd64-microcode package or a system firmware (BIOS/UEFI) update.  
    However, the initial microcode release by AMD only provides  
    updates for second generation EPYC CPUs.  Various Ryzen CPUs are  
    also affected, but no updates are available yet.

For the oldstable distribution (bullseye), these problems have been fixed  
in version 5.10.179-3.

We recommend that you upgrade your linux packages.

For the detailed security status of linux please refer to its security  
tracker page at:  
https://security-tracker.debian.org/tracker/linux

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmTGCxhfFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2  
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND  
z0Q2Lw//W7eGT2uTxzgwGK1ivLNtzu4VnZfX3luCzLc2Gy49YhSTPfepMsR+EZWU  
zMfxMwXp7HcgUUAj6VnKPSYt0lmauDVy9POUl20nOzM8hFScemhFJ+DVSeeJrfhR  
RPUroaJNLpJS1QjYJisi2tjKnoc8IhCkw/X88I4S4dAzekmRTLeEdeAIP0jyRYDi  
Pd+nW8vR2bcMG4jAaA/lBu17FgysEpHMleMzr9Ocw7k6eqlcIo12w36Ml51MmXZW  
Lxr7XKrAM6p9TuL+BY0i4FvW0f7hvbpMdhIaAzUf+7LQj9Tn5rGNaHB+NhLO6HB1  
spOXfZLVCM10LDCDIUR3lz0hUNI/10bKtoarbvoygevVzuvGWLTmI5P/uei9Bv1m  
jqd+FOtkZuYsuQzvzIrVISGL2ltpD3055mBaOJWIBrDl+mrR88m+LAMA5iJiCuvh  
M6rfJgraQFHeMFJi1ojDgNyyRaasxOKXRcWAYOvgZ1XKLfJ10OkieYq5CO1c7iKW  
4NkwBklDP8wEHoZHMEY3KnLnGcNO93wBBGcQVIBlMXu0IKlf/BT0Rcj0ynz5g5N1  
MgvGAJio+yTr4QWRz/GQRtF3Lf5r4Ezib/Y2Qv9PUbVWzmmiUyQsATjcp9d+sLSB  
hJhR9+9d4DefRAPGFOSCA6d01qL8HygsvKyyGB4C1DdbSlT3APc=  
=3UcB  
-----END PGP SIGNATURE-----

Debian Security Advisory 5461-1

By Deeba Ahmed
Dubbed CherryBlos and FakeTrade by researchers, these two malware campaigns have been identified as potentially related by Trend Micro.
This is a post from HackRead.com Read the original post: FakeTrade Android Malware Attack Steals Crypto Wallet Data

**IN SUMMARY**

*   **The malware campaigns have been dubbed CherryBlos and FakeTrade.**
*   **The prime target of this attack is crypto wallet data on Android devices.**
*   **TikTok, Twitter and Telegram are being used to promote malicious apps.**

A new malware campaign is currently focusing its sights on Android devices, aiming to surreptitiously steal personal information and cryptocurrency wallet credentials from unsuspecting users.

According to the latest report by Trend Micro, cybersecurity researchers have detected two financially motivated malware campaigns. These malicious operations exploit applications within the official Google Play Store, making the platform an attractive target for such cybercriminal campaigns.

Dubbed CherryBlos and FakeTrade by researchers, these two malware campaigns have been identified as potentially related by Trend Micro. The link between them lies in the fact that both types of malware utilize identical application certificates and network infrastructure.

Researchers have identified that campaign operators are increasingly targeting Android users with banking trojans to steal cryptocurrency. To achieve their malicious objectives, they distribute fake Android applications loaded with malware. These apps are advertised on the Google Play Store, phishing websites, and social media platforms. The same pattern is identified in the latest campaigns.

It is worth noting that the malware operators are exploiting various social networking platforms, including X (formerly Twitter), TikTok, and Telegram, to promote fraudulent Android apps. All of the offensive apps have been removed from Google Play.

Fake TikTok and (X) Twitter account dropping malicious apps (Screenshots credit: Trend Micro)

**CherryBlos Campaign**

The CherryBIos campaign exploits social network sites to promote fake services and ads, leading users to phishing websites. Unsuspecting individuals are deceived into downloading and installing Android apps infected with malware from these sites.

The malware, known as CherryBIos, first appeared online in April 2023. It earned its name from the unique string found in its hijacking framework. Once installed, CherryBIos can pilfer cryptocurrency wallet credentials and alter a user’s address, diverting funds to the attackers’ address during withdrawals.

“Upon further investigation, we were able to trace its source to a telegram group called Ukraine ROBOT that had been posting messages related to cryptocurrency mining since early 2023. This group’s profile directly points to the phishing website where the malware was downloaded,” Trend Micro’s report read.

Later, the malware was found in Happy Miner, GPTalk, and SynthNet apps. An interesting feature of CherryBIos malware is that it exploits OCR (optical character recognition) to read mnemonic phrases found in images on a compromised device and send the data to a C2 server.

These phrases are specifically helpful when users want to restore a crypto wallet. It is a notorious Android banking trojan that first requests Android accessibility permissions to perform malicious activities. These permissions are designed for people with disabilities and help them interact with the device via gestures and perform tasks like reading screen content aloud or automating repetitive tasks.

**FakeTrade Campaign**

In the FakeTrade campaign, malware operators use numerous fake money-earning apps that appear to be e-commerce platforms, promising increased income through referrals and top-ups. The malware (AndroidOS FakeTrade.HRXB), hidden inside the apps, prevents users from withdrawing funds.

Researchers found approximately 31 fake Android apps distributing the FakeTrade malware, most of which were designed for shopping or persuading users to complete various tasks in order to earn money or purchase app credits to top up their accounts. However, those who fell for this trap were unable to withdraw funds when they attempted to do so. Most of the apps were uploaded to Google Play in 2021, with some appearing in 2022.

Researchers suspect that the threat actors behind these campaigns aren’t targeting any specific region, considering the languages used in their analyzed samples. This means their victims could be dispersed worldwide, as attackers can conveniently replace resource strings and upload these fake apps to different Google Play regions such as Vietnam, Mexico, Indonesia, the Philippines, and Uganda.

1.  Triada Malware Infects Android Devices via Fake Telegram App
2.  Google Removes Swing VPN Android App Exposed as DDoS Botnet
3.  Iranian Stalkerware ‘Spyhide’ Steals Data from 60K Android Devices
4.  Popular Android Screen Recorder iRecorder App Revealed as Trojan
5.  Global Malware Attack Imitates VPN, Security Apps on Android Phones

FakeTrade Android Malware Attack Steals Crypto Wallet Data

Threat actors are creating fake websites hosting trojanized software installers to trick unsuspecting users into downloading a downloader malware called Fruity with the goal of installing remote trojans tools like Remcos RAT.
"Among the software in question are various instruments for fine-tuning CPUs, graphic cards, and BIOS; PC hardware-monitoring tools; and some other apps," cybersecurity

Threat actors are creating fake websites hosting trojanized software installers to trick unsuspecting users into downloading a downloader malware called Fruity with the goal of installing remote trojans tools like Remcos RAT.

"Among the software in question are various instruments for fine-tuning CPUs, graphic cards, and BIOS; PC hardware-monitoring tools; and some other apps," cybersecurity vendor Doctor Web said in an analysis.

"Such installers are used as a decoy and contain not only the software potential victims are interested in, but also the trojan itself with all its components."

The exact initial access vector used in the campaign is unclear but it could potentially range from phishing to drive-by downloads to malicious ads. Users who land on the fake site are prompted to download a ZIP installer package.

The installer, besides activating the standard installation process, stealthily drops the Fruity trojan, a Python-based malware that unpacks an MP3 file ("Idea.mp3") to load an image file ("Fruit.png") to activate the multi-stage infection.

"This image file uses the steganography method to hide two executables (.dll libraries) and the shellcode for the next-stage initialization inside it," Doctor Web said.

Fruity is also designed to bypass antivirus detection on the compromised host and ultimately launch the Remcos RAT payload using a technique called process doppelgänging.

That said, the attack sequence could be exploited to distribute all kinds of malware, which makes it imperative that users stick to downloading software only from trustworthy sources.

The development comes as Bitdfender disclosed details of a malspam campaign delivering the Agent Tesla malware to harvest sensitive data from compromised endpoints.

It also follows a surge in malvertising operations that have targeted customers and businesses with tainted software boosted via ads on search engines.

UPCOMING WEBINAR

Shield Against Insider Threats: Master SaaS Security Posture Management

Worried about insider threats? We've got you covered! Join this webinar to explore practical strategies and the secrets of proactive security with SaaS Security Posture Management.

Join Today

This includes a new wave of attacks dubbed Nitrogen in which fraudulent ISO archives are distributed using bogus ads that impersonate download pages for applications such as AnyDesk, WinSCP, Cisco AnyConnect, Slack, and TreeSize.

"This malvertising campaign leads to the propagation of the infection after initial exposure," Bitdefender researchers Victor Vrabie and Alexandru Maximciuc said.

"For as long as they dwell in the victim's network, the attackers' primary goal is to obtain credentials, set up persistence on important systems and exfiltrate data, with extortion as the end goal."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Fruity Trojan Uses Deceptive Software Installers to Spread Remcos RAT

A use-after-free flaw was found in vcs_read in drivers/tty/vt/vc_screen.c in vc_screen in the Linux Kernel. This flaw allows an attacker with local user access to cause a system crash or leak internal kernel information.

This is a note to let you know that I've just added the patch titled

    vc\_screen: move load of struct vc\_data pointer in vcs\_read() to avoid UAF

to the 6.1-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     vc\_screen-move-load-of-struct-vc\_data-pointer-in-vcs.patch
and it can be found in the queue-6.1 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 322ff296a88276d7895a7a0ecb60553cf4914e16
Author: George Kennedy <george.kennedy@xxxxxxxxxx>
Date:   Tue Jan 24 11:16:54 2023 -0500

    vc\_screen: move load of struct vc\_data pointer in vcs\_read() to avoid UAF
    
    \[ Upstream commit 226fae124b2dac217ea5436060d623ff3385bc34 \]
    
    After a call to console\_unlock() in vcs\_read() the vc\_data struct can be
    freed by vc\_deallocate(). Because of that, the struct vc\_data pointer
    load must be done at the top of while loop in vcs\_read() to avoid a UAF
    when vcs\_size() is called.
    
    Syzkaller reported a UAF in vcs\_size().
    
    BUG: KASAN: use-after-free in vcs\_size (drivers/tty/vt/vc\_screen.c:215)
    Read of size 4 at addr ffff8881137479a8 by task 4a005ed81e27e65/1537
    
    CPU: 0 PID: 1537 Comm: 4a005ed81e27e65 Not tainted 6.2.0-rc5 #1
    Hardware name: Red Hat KVM, BIOS 1.15.0-2.module
    Call Trace:
      <TASK>
    \_\_asan\_report\_load4\_noabort (mm/kasan/report\_generic.c:350)
    vcs\_size (drivers/tty/vt/vc\_screen.c:215)
    vcs\_read (drivers/tty/vt/vc\_screen.c:415)
    vfs\_read (fs/read\_write.c:468 fs/read\_write.c:450)
    ...
      </TASK>
    
    Allocated by task 1191:
    ...
    kmalloc\_trace (mm/slab\_common.c:1069)
    vc\_allocate (./include/linux/slab.h:580 ./include/linux/slab.h:720
         drivers/tty/vt/vt.c:1128 drivers/tty/vt/vt.c:1108)
    con\_install (drivers/tty/vt/vt.c:3383)
    tty\_init\_dev (drivers/tty/tty\_io.c:1301 drivers/tty/tty\_io.c:1413
         drivers/tty/tty\_io.c:1390)
    tty\_open (drivers/tty/tty\_io.c:2080 drivers/tty/tty\_io.c:2126)
    chrdev\_open (fs/char\_dev.c:415)
    do\_dentry\_open (fs/open.c:883)
    vfs\_open (fs/open.c:1014)
    ...
    
    Freed by task 1548:
    ...
    kfree (mm/slab\_common.c:1021)
    vc\_port\_destruct (drivers/tty/vt/vt.c:1094)
    tty\_port\_destructor (drivers/tty/tty\_port.c:296)
    tty\_port\_put (drivers/tty/tty\_port.c:312)
    vt\_disallocate\_all (drivers/tty/vt/vt\_ioctl.c:662 (discriminator 2))
    vt\_ioctl (drivers/tty/vt/vt\_ioctl.c:903)
    tty\_ioctl (drivers/tty/tty\_io.c:2776)
    ...
    
    The buggy address belongs to the object at ffff888113747800
      which belongs to the cache kmalloc-1k of size 1024
    The buggy address is located 424 bytes inside of
      1024-byte region \[ffff888113747800, ffff888113747c00)
    
    The buggy address belongs to the physical page:
    page:00000000b3fe6c7c refcount:1 mapcount:0 mapping:0000000000000000
         index:0x0 pfn:0x113740
    head:00000000b3fe6c7c order:3 compound\_mapcount:0 subpages\_mapcount:0
         compound\_pincount:0
    anon flags: 0x17ffffc0010200(slab|head|node=0|zone=2|lastcpupid=0x1fffff)
    raw: 0017ffffc0010200 ffff888100042dc0 0000000000000000 dead000000000001
    raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
    page dumped because: kasan: bad access detected
    
    Memory state around the buggy address:
      ffff888113747880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      ffff888113747900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
    > ffff888113747980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                       ^
      ffff888113747a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      ffff888113747a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
    ==================================================================
    Disabling lock debugging due to kernel taint
    
    Fixes: ac751efa6a0d ("console: rename acquire/release\_console\_sem() to console\_lock/unlock()")
    Reported-by: syzkaller <syzkaller@xxxxxxxxxxxxxxxx>
    Suggested-by: Jiri Slaby <jirislaby@xxxxxxxxxx>
    Signed-off-by: George Kennedy <george.kennedy@xxxxxxxxxx>
    Link: https://lore.kernel.org/r/1674577014-12374-1-git-send-email-george.kennedy@xxxxxxxxxx
    Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/tty/vt/vc\_screen.c b/drivers/tty/vt/vc\_screen.c
index 1850bacdb5b0..f566eb1839dc 100644
--- a/drivers/tty/vt/vc\_screen.c
+++ b/drivers/tty/vt/vc\_screen.c
@@ -386,10 +386,6 @@ vcs\_read(struct file \*file, char \_\_user \*buf, size\_t count, loff\_t \*ppos)
 
 	uni\_mode = use\_unicode(inode);
 	attr = use\_attributes(inode);
-	ret = -ENXIO;
-	vc = vcs\_vc(inode, &viewed);
-	if (!vc)
-		goto unlock\_out;
 
 	ret = -EINVAL;
 	if (pos < 0)
@@ -407,6 +403,11 @@ vcs\_read(struct file \*file, char \_\_user \*buf, size\_t count, loff\_t \*ppos)
 		unsigned int this\_round, skip = 0;
 		int size;
 
+		ret = -ENXIO;
+		vc = vcs\_vc(inode, &viewed);
+		if (!vc)
+			goto unlock\_out;
+
 		/\* Check whether we are above size each round,
 		 \* as copy\_to\_user at the end of this loop
 		 \* could sleep.

CVE-2023-3567: move load of struct vc_data pointer in vcs_read() to avoid UAF" has been added to the 6.1-stable tree — Linux Stable Commits

A use of uninitialized pointer vulnerability exists in the PQS format pFormat functionality of Open Babel 3.1.1 and master commit 530dbfa3. A specially crafted malformed file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.

**SUMMARY**

A use of uninitialized pointer vulnerability exists in the PQS format pFormat functionality of Open Babel 3.1.1 and master commit 530dbfa3. A specially crafted malformed file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Open Babel 3.1.1  
Open Babel master commit 530dbfa3

**PRODUCT URLS**

Open Babel - https://openbabel.org/

**CVSSv3 SCORE**

9.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-824 - Access of Uninitialized Pointer

**DETAILS**

Open Babel is a popular library for converting chemical file formats, currently supporting about 130 different file formats. It implements bindings for several programming languages. Because of the nature of the library, and since there are many online chemical format converters and molecule viewers which might be using Open Babel in their backend for parsing and conversion, we consider this software as potentially accessible via network.

Open Babel ships a simple converter application called obabel that can be used to trigger the issue described in this advisory. obabel supports -i and -o parameters, which select the input and output formats to perform the conversion. obabel supports multiple input and output files (as does the Open Babel library itself): this technically allows multiple vulnerabilities to trigger in sequence, which in turn could make some vulnerabilities easier to exploit. In this advisory, however, we focus on only one input file and a corresponding output file.

When a single input file and output file are supplied, obabel.cpp records the input and output formats (if supplied) and calls OBConversion::FullConvert in obconversion.cpp. Inside this function, there’s a call to OpenAndSetFormat, which uses FormatFromExt to derive the input format from the filename extension if no -i parameter was supplied. Similarly, OpenInAndOutFiles can be used to derive both input and output formats from the filename extensions when none are supplied.  
Depending on how the obabel application is invoked, different paths could actually take place. Eventually, pInFormat and pOutFormat (of base class OBFormat) objects are allocated, which are instances of the classes that implement the selected input and output formats.

The code then proceeds with a call to OBConversion::Convert, which eventually leads to calling pInFormat->ReadMolecule and pOutFormat->WriteMolecule.

In this advisory, we describe an issue in the “Parallel Quantum Solutions” (PQS) file format (formats/PQSformat.cpp.cpp) when parsing an input file via ReadMolecule.

        bool PQSFormat::ReadMolecule(OBBase* pOb, OBConversion* pConv)
        {
          ...
    [1]   const char* title = pConv->GetTitle();
    
    [2]   char buffer[BUFF_SIZE];
          char coord_file[256];
          char full_coord_path[256]="\0";
          ifstream coordFileStream;
          ...
    [3]   while (!geom_found && ifs.getline(buffer,BUFF_SIZE))
            {
              lowerit(buffer);      //look for geom except in title or text
              if (strstr(buffer, "geom") != nullptr &&
                  (strncmp(buffer,"text",4)!=0 && strncmp(buffer,"titl",4)!=0))
                {
                  ...
    [4]           if (strstr(buffer, "file=") != nullptr)
                    {  //external geometry file
    [5]               strncpy(coord_file,strstr(buffer,"file=")+5, sizeof(coord_file));
                      coord_file[sizeof(coord_file) - 1] = '\0';
                      if (strrchr(coord_file, ' ') != nullptr)
                        *strrchr(coord_file,' ')='\0';
                      if (coord_file[0]!='/')
                        {
                          strncpy(full_coord_path,title, sizeof(full_coord_path));
                          full_coord_path[sizeof(full_coord_path)-1] = '\0';
                          if (strrchr(full_coord_path, '/') != nullptr)
                            *(strrchr(full_coord_path,'/')+1)='\0';
                          else
                            full_coord_path[0] = '\0';
                        }
    [6]               strcat(full_coord_path,coord_file);
                      full_coord_path[sizeof(full_coord_path) - 1] = '\0';
                      stringstream errorMsg;
                      errorMsg <<"External geometry file referenced: "<< \
                        full_coord_path<<endl;
                      obErrorLog.ThrowError(__FUNCTION__, errorMsg.str(), obInfo);
    

At \[1\], the title of the file is retrieved (this corresponds to the filename of the input file). Then, for each line in the input file \[3\], if the line contains the string “file=”, the condition at \[4\] matches. At \[5\] the coordinates file path is built, depending on what comes after “file=” (set to coord_file). If coord_file is a relative path, it is concatenated to the directory path of the input file, and the result is stored in full_coord_path \[6\]. If coord_file is an absolute path, full_coord_path is simply set to coord_file.

                      ...
    [7]               coordFileStream.open(full_coord_path);
                      if (!coordFileStream)
                        {
                          obErrorLog.ThrowError(__FUNCTION__, "Cannot read external geometry file!", obError);
                          return(false);
                          //                    exit (-1);
                        }
                      else
    [8]                 {
                          ifs.seekg(0, ios::end); //move .inp file pointer to the end of file
    
                          //New framework mods
                          OBConversion coordconv(&coordFileStream);
    [9]                   OBFormat* pFormat;
                          if (strstr(buffer, "=car" ) != nullptr)
                            pFormat =OBConversion::FindFormat("BIOSYM");
                          if (strstr(buffer, "=hin" ) != nullptr)
                            pFormat = OBConversion::FindFormat("HIN");
                          if (strstr(buffer, "=pdb" ) != nullptr)
                            pFormat = OBConversion::FindFormat("PDB");
                          if (strstr(buffer, "=mop" ) != nullptr)
                            pFormat = OBConversion::FindFormat("MOPAC");
    [10]                  return pFormat->ReadMolecule(&mol,&coordconv);
    

full_coord_path is then opened \[7\], and if the open succeeds (it will succeed with any user-readable file or directory), we enter the block at \[8\].  
At \[9\], a pFormat is declared but not initialized. Then, a series of conditions try to match strings within the current line, setting pFormat accordingly. Finally \[10\] pFormat is used to call ReadMolecule with the proper format conversion function. The issue is that, if none of the conditions between \[9\] and \[10\] succeed, pFormat will be uninitialized, and at \[10\] an uninitialized pointer dereference will happen.  
As ReadMolecule is a virtual function referenced from pFormat, this allows direct control of the control flow. The pointer is stored on the stack, and, depending on how the code is compiled and the stack is laid out, the pointer could be under full control of an attacker, who could in turn use this to execute arbitrary code.

**Crash Information**

    $ ./bin/obabel -i pqs pformat.uninit.pqs -o sdf
    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==1280241==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000 (pc 0xf4f51af1 bp 0xffffb818 sp 0xffff2b00 T0)
    ==1280241==The signal is caused by a READ memory access.
    ==1280241==Hint: address points to the zero page.
        #0 0xf4f51af1 in OpenBabel::PQSFormat::ReadMolecule(OpenBabel::OBBase*, OpenBabel::OBConversion*) ./src/formats/PQSformat.cpp:263
        #1 0xf751a915 in OpenBabel::OBMoleculeFormat::ReadChemObjectImpl(OpenBabel::OBConversion*, OpenBabel::OBFormat*) ./src/obmolecformat.cpp:102
        #2 0xf63c358c in OpenBabel::OBMoleculeFormat::ReadChemObject(OpenBabel::OBConversion*) ./include/openbabel/obmolecformat.h:116
        #3 0xf72a204e in OpenBabel::OBConversion::Convert() ./src/obconversion.cpp:545
        #4 0xf72c717a in OpenBabel::OBConversion::Convert(std::istream*, std::ostream*) ./src/obconversion.cpp:481
        #5 0xf72cf4f3 in OpenBabel::OBConversion::FullConvert(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&) ./src/obconversion.cpp:1514
        #6 0x565594ea in main ./tools/obabel.cpp:370
        #7 0xf77923b4 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
        #8 0xf779247e in __libc_start_main_impl ../csu/libc-start.c:389
        #9 0x5655c356 in _start (./bin/obabel+0x7356)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV ./src/formats/PQSformat.cpp:263 in OpenBabel::PQSFormat::ReadMolecule(OpenBabel::OBBase*, OpenBabel::OBConversion*)
    ==1280241==ABORTING
    

**VENDOR RESPONSE**

Since the maintainer of this software did not release a patch during the 90 day window specified in our policy, we have now decided to release the information regarding this vulnerability, to make users of the software aware of this problem. See Cisco’s Coordinated Vulnerability Disclosure Policy for more information: https://tools.cisco.com/security/center/resources/vendor\_vulnerability\_policy.html

**TIMELINE**

2022-12-20 - Initial Vendor Contact  
2023-01-12 - Vendor Disclosure  
2023-07-21 - Public Release

Discovered by Claudio Bozzato of Cisco Talos.

Tag

#bios