In atf (hwfde), there is a possible leak of sensitive information due to incorrect error handling. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS06171729; Issue ID: ALPS06171729.

CVE-2022-20066: May 2022

PJSIP is a free and open source multimedia communication library written in C. A buffer overflow vulnerability in versions 2.12 and prior affects applications that uses PJSIP DNS resolution. It doesn't affect PJSIP users who utilize an external resolver. A patch is available in the `master` branch of the `pjsip/pjproject` GitHub repository. A workaround is to disable DNS resolution in PJSIP config (by setting `nameserver_count` to zero) or use an external resolver instead.

@@ -159,8 +159,13 @@ static pj\_status\_t get\_name\_len(int rec\_counter, const pj\_uint8\_t \*pkt,

} else {

unsigned label\_len = \*p;

  

/\* Check that label length is valid \*/

if (pkt+label\_len > max)

/\* Check that label length is valid.

\* Each label consists of an octet length (of size 1) followed

\* by the octet of the specified length (label\_len). Then it

\* must be followed by either another label's octet length or

\* a zero length octet (that terminates the sequence).

\*/

if (p+1+label\_len+1 > max)

return PJLIB\_UTIL\_EDNSINNAMEPTR;

  

p += (label\_len + 1);

@@ -170,9 +175,6 @@ static pj\_status\_t get\_name\_len(int rec\_counter, const pj\_uint8\_t \*pkt,

++label\_len;

  

\*name\_len += label\_len;

  

if (p >= max)

return PJLIB\_UTIL\_EDNSINSIZE;

}

}

++p;

@@ -222,8 +224,13 @@ static pj\_status\_t get\_name(int rec\_counter, const pj\_uint8\_t \*pkt,

} else {

unsigned label\_len = \*p;

  

/\* Check that label length is valid \*/

if (pkt+label\_len > max)

/\* Check that label length is valid.

\* Each label consists of an octet length (of size 1) followed

\* by the octet of the specified length (label\_len). Then it

\* must be followed by either another label's octet length or

\* a zero length octet (that terminates the sequence).

\*/

if (p+1+label\_len+1 > max)

return PJLIB\_UTIL\_EDNSINNAMEPTR;

  

pj\_memcpy(name->ptr + name->slen, p+1, label\_len);

@@ -234,9 +241,6 @@ static pj\_status\_t get\_name(int rec\_counter, const pj\_uint8\_t \*pkt,

\*(name->ptr + name->slen) = '.';

++name->slen;

}

  

if (p >= max)

return PJLIB\_UTIL\_EDNSINSIZE;

}

}

  

@@ -269,6 +273,10 @@ static pj\_status\_t parse\_query(pj\_dns\_parsed\_query \*q, pj\_pool\_t \*pool,

  

p = (start + name\_part\_len);

  

/\* Check the size can accomodate next few fields. \*/

if (p + 4 > max)

return PJLIB\_UTIL\_EDNSINSIZE;

  

/\* Get the type \*/

pj\_memcpy(&q->type, p, 2);

q->type = pj\_ntohs(q->type);

CVE-2022-24793: Merge pull request from GHSA-p6g5-v97c-w5q4 · pjsip/pjproject@9fae8f4

Heap-based Buffer Overflow in GitHub repository strukturag/libde265 prior to and including 1.0.8. The fix is established in commit 8e89fe0e175d2870c39486fdd09250b230ec10b8 but does not yet belong to an official release.

Valid

Reported on

May 13th 2021

**✍️ Description**

heap-buffer-overflow of decctx.cc in function read\_sps\_NAL

**🕵️‍♂️ Proof of Concept**

Verification steps： 1.Get the source code of Bento4 2.Compile the Bento4

    $ ./autogen.sh
    $ export CFLAGS="-g -lpthread -fsanitize=address"
    $ export CXXFLAGS="-g -lpthread -fsanitize=address"
    $ CC=clang CXX=clang++ ./configure --disable-shared
    $ make -j 32
    

3.run

    $./dec265 poc
    

**💥 Impact**

This vulnerability is capable of DDOS or code execution

Fixed in 8e89fe0e175d2870c39486fdd09250b230ec10b8

@farindk - thanks for the information. Would you be able to approve and confirm the fix using the action buttons in the drop-down section above?

Dirk Farin validated this vulnerability 10 months ago

RouX has been awarded the disclosure bounty

The fix bounty is now up for grabs

This vulnerability will not receive a CVE

to join this conversation

Fixed in 8e89fe0e175d2870c39486fdd09250b230ec10b8

@farindk - thanks for the information. Would you be able to approve and confirm the fix using the action buttons in the drop-down section above?

Dirk Farin validated this vulnerability 10 months ago

RouX has been awarded the disclosure bounty

The fix bounty is now up for grabs

This vulnerability will not receive a CVE

to join this conversation

CVE-2022-1253: Heap-based Buffer Overflow in libde265

Heap-based Buffer Overflow in libr/bin/format/ne/ne.c in GitHub repository radareorg/radare2 prior to 5.6.8. This vulnerability is heap overflow and may be exploitable. For more general description of heap buffer overflow, see [CWE](https://cwe.mitre.org/data/definitions/122.html).

Expand Up

@@ -374,6 +374,9 @@ RList \*r\_bin\_ne\_get\_entrypoints(r\_bin\_ne\_obj\_t \*bin) {

}

int off \= 0;

while (off < bin\->ne\_header\->EntryTableLength) {

if (bin\->entry\_table + off + 32 >= r\_buf\_size (bin\->buf)) {

break;

}

ut8 bundle\_length \= \*(ut8 \*)(bin\->entry\_table + off);

if (!bundle\_length) {

break;

Expand All

@@ -398,7 +401,9 @@ RList \*r\_bin\_ne\_get\_entrypoints(r\_bin\_ne\_obj\_t \*bin) {

ut8 segnum \= \*(bin\->entry\_table + off);

off++;

ut16 segoff \= \*(ut16 \*)(bin\->entry\_table + off);

entry\->paddr \= (ut64)bin\->segment\_entries\[segnum \- 1\].offset \* bin\->alignment + segoff;

if (segnum \> 0) {

entry\->paddr \= (ut64)bin\->segment\_entries\[segnum \- 1\].offset \* bin\->alignment + segoff;

}

} else { // Fixed

entry\->paddr \= (ut64)bin\->segment\_entries\[bundle\_type \- 1\].offset \* bin\->alignment + \*(ut16 \*)(bin\->entry\_table + off);

}

Expand Down

CVE-2022-1238: Fix another oobread segfault in the NE bin parser ##crash · radareorg/radare2@c40a4f9

Heap buffer overflow in Cast UI in Google Chrome prior to 99.0.4844.51 allowed a remote attacker who convinced a user to engage in specific user interaction to potentially exploit heap corruption via a crafted HTML page.

**Chrome Releases**

Release updates from the Chrome team

CVE-2022-0800: Stable Channel Update for Desktop

Improper input validation in the built-in web server in Moxa NPort IAW5000A-I/O series firmware version 2.2 or earlier may allow a remote attacker to execute commands.

As of June 15, 2022, this site no longer supports Internet Explorer. Please use another browser for the best experience on our site.

**Please sign in**

**SUMMARY**

**NPort IAW5000A-I/O Series Serial Device Server Vulnerabilities**

*   Security Advisory ID: MPSA-210501
*   Version: V1.0
*   Release Date: May 27, 2021
*   Reference:
    *   CVE-2021-32974
    *   BDU:2021-02699, BDU:2021-02700, BDU:2021-02701, BDU:2021-02702, BDU:2021-02703, BDU:2021-02704, BDU:2021-02705,BDU:2021-02706, BDU:2021-02707, BDU:2021-02708

Multiple product vulnerabilities were identified in Moxa’s NPort IAW5000A-I/O Series Wireless Device Server. In response to this, Moxa has developed related solutions to address these vulnerabilities.

The identified vulnerability types and potential impacts are shown below:

Item

Vulnerability Type

Impact

1

Buffer Overflow (CWE-120)  
BDU:2021-02699, BDU:2021-02702

A buffer overflow in the built-in web server allows remote attackers to initiate a DoS attack.

2

Stack-Based Buffer Overflow (CWE-121)  
BDU:2021-02700, BDU:2021-02701, BDU:2021-02703, BDU:2021-02704, BDU:2021-02708

A buffer overflow in the built-in web server allows remote attackers to initiate a DoS attack and execute arbitrary code (RCE).

3

Improper Input Validation (CWE-20)  
BDU:2021-02705, BDU:2021-02706

Data can be copied without validation in the built-in web server, which allows remote attackers to initiate a DoS attack.

4

OS Command Injection (CWE-78)  
BDU:2021-02707

Improper input validation in the built-in web server allows remote attackers to execute the OS command.

**AFFECTED PRODUCTS AND SOLUTIONS**

**Affected Products:**

The affected products and firmware versions are shown below.

Product Series

Affected Versions

NPort IAW5000A-I/O Series

Firmware Version 2.2 or lower

**Solutions:**

Moxa has developed appropriate solutions to address the vulnerabilities. The solutions for affected products are shown below.

Product Series

Solutions

NPort IAW5000A-I/O Series

Please contact Moxa Technical Support for a security patch.

**Acknowledgment:**

We would like to express our appreciation to Konstantin Kondratev, Evgeniy Druzhinin and Ilya Karpov of Rostelecom-Solar for reporting the vulnerabilities, working with us to help enhance the security of our products, and helping us provide a better service to our customers.  
 

**Revision History:**

VERSION

DESCRIPTION

RELEASE DATE

1.0

First Release

May 27, 2021

**Relevant Products**

NPort IAW5000A-I/O Series ·

*     Print this page
    
*   You can manage and share your saved list in My Moxa
    

**Let’s get that fixed**

If you are concerned about a potential cybersecurity vulnerability, please contact us and one of technical support staff will get in touch with you.

Report a Vulnerability

CVE-2021-32974: NPort IAW5000A-I/O Series Serial Device Server Vulnerabilities

A vulnerability in the authentication logic of Wyze Cam Pan v2, Cam v2, Cam v3 allows an attacker to bypass login and control the devices. This issue affects: Wyze Cam Pan v2 versions prior to 4.49.1.47. Wyze Cam v2 versions prior to 4.9.8.1002. Wyze Cam v3 versions prior to 4.36.8.32.

At Bitdefender, we care deeply about security, so we’ve been working with media partners and IoT devices manufacturers to identify vulnerabilities in the world’s best-selling connected devices. As a leading vendor of cybersecurity protection across endpoint and IoT devices, we have been assessing the security of smart-home equipment for more than half a decade. Our goal is to help vendors and customers stay on top of security and privacy blind spots and make the IoT ecosystem safer for everybody.

While looking into the Wyze Cam device, we identified several vulnerabilities that let an outside attacker access the camera feed or execute malicious code to further compromise the device.

**Vulnerabilities at a glance**

*   Authentication bypass (CVE-2019-9564)
*   Remote control execution flaw caused by a stack-based buffer overflow (CVE-2019-12266)
*   Unauthenticated access to contents of the SD card

Download the research paper here

****Mitigation****

Home users should keep a close eye on IoT devices and isolate them as much as possible from the local or guest network. This can be done by setting up a dedicated SSID exclusively for IoT devices, or by moving them to the guest network if the router does not support the creation of additional SSIDs.

Additionally, IoT users can use the free Bitdefender Smart Home Scanner app to scan for connected devices, identify and highlight vulnerable ones. IoT device owners should also make sure that they check for newer firmware and update devices as soon as the vendor releases new versions.

To minimize risks of compromise, smart home users should consider the adoption of a network cybersecurity solution integrated into the router, such as the NETGEAR Orbi or Nighthawk routers powered by Bitdefender Armor.

_**IMPORTANT**: The analyzed device comes in several versions: Wyze Cam version 1, Wyze Cam Black version 2, as well as Wyze Cam version 3. We learned that, while versions 2 and 3 have been patched against these vulnerabilities, version 1 has been discontinued and is no longer receiving security fixes. Customers who keep using Wyze Cam version 1 are no longer protected and risk having their devices exploited._

CVE-2019-9564: Vulnerabilities Identified in Wyze Cam IoT Device

heap buffer overflow in get_one_sourceline in GitHub repository vim/vim prior to 8.2.4647.

**Description**

When fuzzing vim commit 471b3aed3 I discovered a heap buffer overflow. I'm using ubuntu 20.04 with clang 13

**Proof of Concept**

Here is the minimized poc

    norm300gr0
    so
    

How to build

    LD=lld AS=llvm-as AR=llvm-ar RANLIB=llvm-ranlib CC=clang CXX=clang++ CFLAGS="-fsanitize=address" CXXFLAGS="-fsanitize=address" LDFLAGS="-ldl -fsanitize=address" ./configure --with-features=huge --enable-gui=none
    make -j$(nproc)
    

Proof of Concept

Run crafted file with this command

./vim -u NONE -X -Z -e -s -S poc_utf_ptr2char -c :qa!

ASan stack trace:

    aldo@vps:~/vim/src$ ASAN_OPTIONS=symbolize=1 ASAN_SYMBOLIZER_PATH=/usr/bin/llvm-symbolizer ./vim -u NONE -X -Z -e -s -S poc_get_one_sourceline -c :qa!
    =================================================================
    ==2393051==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x612000004c6c at pc 0x000000430f36 bp 0x7fffffff7e50 sp 0x7fffffff7610
    READ of size 1 at 0x612000004c6c thread T0
        #0 0x430f35 in strlen (/home/aldo/vimtes/src/vim+0x430f35)
        #1 0xafb4c6 in get_one_sourceline /home/aldo/vimtes/src/scriptfile.c:1930:25
        #2 0xaf9a90 in getsourceline /home/aldo/vimtes/src/scriptfile.c:2051:9
        #3 0xaf71ee in do_source_ext /home/aldo/vimtes/src/scriptfile.c:1615:17
        #4 0xaf4765 in cmd_source /home/aldo/vimtes/src/scriptfile.c:1115:6
        #5 0xaf449d in ex_source /home/aldo/vimtes/src/scriptfile.c:1158:2
        #6 0x6d3db4 in do_one_cmd /home/aldo/vimtes/src/ex_docmd.c:2567:2
        #7 0x6c7b42 in do_cmdline /home/aldo/vimtes/src/ex_docmd.c:993:17
        #8 0xaf7435 in do_source_ext /home/aldo/vimtes/src/scriptfile.c:1632:5
        #9 0xaf4e80 in do_source /home/aldo/vimtes/src/scriptfile.c:1758:12
        #10 0xaf49b9 in cmd_source /home/aldo/vimtes/src/scriptfile.c:1132:14
        #11 0xaf449d in ex_source /home/aldo/vimtes/src/scriptfile.c:1158:2
        #12 0x6d3db4 in do_one_cmd /home/aldo/vimtes/src/ex_docmd.c:2567:2
        #13 0x6c7b42 in do_cmdline /home/aldo/vimtes/src/ex_docmd.c:993:17
        #14 0x6cadd0 in do_cmdline_cmd /home/aldo/vimtes/src/ex_docmd.c:587:12
        #15 0xecacd4 in exe_commands /home/aldo/vimtes/src/main.c:3080:2
        #16 0xec8a09 in vim_main2 /home/aldo/vimtes/src/main.c:772:2
        #17 0xec240d in main /home/aldo/vimtes/src/main.c:424:12
        #18 0x7ffff78240b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16
        #19 0x41edcd in _start (/home/aldo/vimtes/src/vim+0x41edcd)
    
    0x612000004c6c is located 0 bytes to the right of 300-byte region [0x612000004b40,0x612000004c6c)
    allocated by thread T0 here:
        #0 0x499fa9 in realloc (/home/aldo/vimtes/src/vim+0x499fa9)
        #1 0x4cbea5 in ga_grow_inner /home/aldo/vimtes/src/alloc.c:741:10
        #2 0x4cbc33 in ga_grow /home/aldo/vimtes/src/alloc.c:720:9
        #3 0x4cc637 in ga_concat /home/aldo/vimtes/src/alloc.c:834:9
        #4 0xafb1a0 in get_one_sourceline /home/aldo/vimtes/src/scriptfile.c:1919:6
        #5 0xaf9a90 in getsourceline /home/aldo/vimtes/src/scriptfile.c:2051:9
        #6 0xaf71ee in do_source_ext /home/aldo/vimtes/src/scriptfile.c:1615:17
        #7 0xaf4765 in cmd_source /home/aldo/vimtes/src/scriptfile.c:1115:6
        #8 0xaf449d in ex_source /home/aldo/vimtes/src/scriptfile.c:1158:2
        #9 0x6d3db4 in do_one_cmd /home/aldo/vimtes/src/ex_docmd.c:2567:2
        #10 0x6c7b42 in do_cmdline /home/aldo/vimtes/src/ex_docmd.c:993:17
        #11 0xaf7435 in do_source_ext /home/aldo/vimtes/src/scriptfile.c:1632:5
        #12 0xaf4e80 in do_source /home/aldo/vimtes/src/scriptfile.c:1758:12
        #13 0xaf49b9 in cmd_source /home/aldo/vimtes/src/scriptfile.c:1132:14
        #14 0xaf449d in ex_source /home/aldo/vimtes/src/scriptfile.c:1158:2
        #15 0x6d3db4 in do_one_cmd /home/aldo/vimtes/src/ex_docmd.c:2567:2
        #16 0x6c7b42 in do_cmdline /home/aldo/vimtes/src/ex_docmd.c:993:17
        #17 0x6cadd0 in do_cmdline_cmd /home/aldo/vimtes/src/ex_docmd.c:587:12
        #18 0xecacd4 in exe_commands /home/aldo/vimtes/src/main.c:3080:2
        #19 0xec8a09 in vim_main2 /home/aldo/vimtes/src/main.c:772:2
        #20 0xec240d in main /home/aldo/vimtes/src/main.c:424:12
        #21 0x7ffff78240b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/aldo/vimtes/src/vim+0x430f35) in strlen
    Shadow bytes around the buggy address:
      0x0c247fff8930: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
      0x0c247fff8940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c247fff8950: 00 00 00 00 00 00 00 00 00 00 00 00 00 05 fa fa
      0x0c247fff8960: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
      0x0c247fff8970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c247fff8980: 00 00 00 00 00 00 00 00 00 00 00 00 00[04]fa fa
      0x0c247fff8990: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c247fff89a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c247fff89b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c247fff89c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c247fff89d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==2393051==ABORTING
    

**💥 Impact**

This vulnerability is capable of crashing software, Bypass Protection Mechanism, Modify Memory, and possible remote execution

CVE-2022-1160: heap buffer overflow in get_one_sourceline in vim

TP-LINK TL-WR840N(ES)_V6.20 was discovered to contain a buffer overflow via the minAddress parameter.

Sorry, something went wrong. Reload?

Sorry, we cannot display this file.

Sorry, this file is invalid so it cannot be displayed.

CVE-2022-26640: Hardware-IoT/tp-link tl-wr840n_minAddress=.pdf at main · Quadron-Research-Lab/Hardware-IoT

TP-LINK TL-WR840N(ES)_V6.20 was discovered to contain a buffer overflow via the DNSServers parameter.

Tag

#buffer_overflow