An exploitable integer underflow vulnerability exists in the CMP-parsing functionality of LEADTOOLS 20. A specially crafted CMP image file can cause an integer underflow, potentially resulting in code execution. An attacker can specially craft a CMP image to trigger this vulnerability.

**Summary**

An exploitable integer underflow vulnerability exists in the CMP-parsing functionality of LEADTOOLS 20. A specially crafted CMP image file can cause an integer underflow, potentially resulting in code execution. An attacker can specially craft a CMP image to trigger this vulnerability.

**Tested Versions**

LEADTOOLS 20.0.2019.3.15

**Product URLs**

https://www.leadtools.com/

**CVSSv3 Score**

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

**CWE**

CWE-191: Integer Underflow (Wrap or Wraparound)

**Details**

LEADTOOLS, according to the website, “is a collection of comprehensive toolkits to integrate document, medical, multimedia, and imaging technologies into desktop, server, tablet, and mobile applications”. It offers prebuilt and portable libraries with an SDK for most platforms (Windows, Linux, Android, etc.), that are all geared toward building applications for medical systems.

The module used for this analysis is below:

    Loaded symbol image file: lfCmpX.DLL
    Mapped memory image file: C:\LEADTOOLS 20\Bin\CDLL\x64\lfCmpX.DLL
    Image path: C:\LEADTOOLS 20\Bin\CDLL\x64\lfCmpX.DLL
    Image name: lfCmpX.DLL
    Timestamp:        Thu Feb 21 13:24:07 2019 (5C6EFAD7)
    CheckSum:         00096660
    ImageSize:        0009B000
    File version:     20.0.0.7
    Product version:  20.0.0.0
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04e4
    

LEADTOOLS provides a proprietary image format called CMP which is used to potentially give smaller image sizes while maintaining higher image quality than other image formats.

The data in a CMP format has its top bit flipped. Before parsing this data, this bit is flipped back using the following bit-flipping method.

    lfcmpx+0xa420
    .text:000000000000A420  xor     byte ptr [rdx], 80h ; rdx points to image data
    .text:000000000000A423  inc     rdx
    .text:000000000000A426  dec     ecx
    .text:000000000000A428  jnz     short loc_A420
    

In preparation for reading the file data, the amount of data, including the length field itself is read in via a two-byte memmove.

    lfcmpx+0x3b75c
    .text:000000000003B75C  mov     edi, [rsi+1404h]
    .text:000000000003B762  mov     rdx, [rsi+13F8h] ; src -> points to two byte data size
    .text:000000000003B769  mov     rcx, r12         ; dst -> stack location to hold the dat size
    .text:000000000003B76C  cmp     ebp, edi
    .text:000000000003B76E  cmovb   edi, ebp
    .text:000000000003B771  mov     r8d, edi         ; size -> two bytes
    .text:000000000003B774  mov     ebx, edi
    .text:000000000003B776  call    memmove
    

The read in size is adjusted by two to remove the size bytes themselves. This calculated size is then passed to a memmove wrapper to copy data from the image into a larger CMP object.

    lfcmpx+0x3b7a7
    .text:000000000003B7A7                 movzx   r8d, [rsp+98h+size_0]   ; size byte 0
    .text:000000000003B7AD                 movzx   eax, [rsp+98h+size_1]   ; size byte 1
    .text:000000000003B7B2                 mov     rdx, [rsi+0A130h]       ; image buffer
    .text:000000000003B7B9                 shl     r8d, 8
    .text:000000000003B7BD                 mov     rcx, rsi
    .text:000000000003B7C0                 or      r8d, eax
    .text:000000000003B7C3                 add     r8d, 0FFFFFFFEh         ; Subtract 2 for size bytes
    .text:000000000003B7C7                 mov     [rsi+5F8h], r8d
    .text:000000000003B7CE                 call    copies_data_post_header ; memmove wrapper
    

If an attacker sets the current data size field to 1, then the subtraction results in an integer underflow. This underflow will cause the memmove to write data outside the bounds of the input file heap buffer, resulting in a heap buffer overflow, potentially leading to code execution.s

**Crash Information**

    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    Time Travel Position: 194EF9:0
    lfCmpX!fltTransform+0xa92:
    00007fff`22026862 488941f0        mov     qword ptr [rcx-10h],rax ds:00000204`eaa18000=????????????????
    
    0:000> dx -g @$cursession.TTD.Utility.GetHeapAddress(@rcx-0x100)
    =========================================================================
    =                            = Action   = Address          = Size       =
    =========================================================================
    = [0x1e39] : [object Object] - Alloc    - 0x204eaa08000    - 0x10000    -
    =========================================================================
    

**Timeline**

2019-09-10 - Vendor Disclosure  
2019-11-03 - Vendor patched  
2019-11-05 - Public Disclosure

Discovered by Cory Duplantis of Cisco Talos.

CVE-2019-5099: TALOS-2019-0891 || Cisco Talos Intelligence Group

An exploitable integer overflow vulnerability exists in the BMP header parsing functionality of LEADTOOLS 20. A specially crafted BMP image file can cause an integer overflow, potentially resulting in code execution. An attacker can specially craft a BMP image to trigger this vulnerability.

**Summary**

An exploitable integer overflow vulnerability exists in the BMP header parsing functionality of LEADTOOLS 20. A specially crafted BMP image file can cause an integer overflow, potentially resulting in code execution. An attacker can specially craft a BMP image to trigger this vulnerability.

**Tested Versions**

LEADTOOLS 20.0.2019.3.15

**Product URLs**

https://www.leadtools.com/

**CVSSv3 Score**

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

**CWE**

CWE-190: Integer Overflow or Wraparound

**Details**

LEADTOOLS, according to the website, “is a collection of comprehensive toolkits to integrate document, medical, multimedia, and imaging technologies into desktop, server, tablet, and mobile applications”. It offers prebuilt and portable libraries with an SDK for most platforms (Windows, Linux, Android, etc), that are all geared towards building applications for medical systems.

The module used for this analysis is below:

    Loaded symbol image file: lfBmpX.DLL
    Mapped memory image file: C:\LEADTOOLS 20\Bin\CDLL\x64\lfBmpX.DLL
    Image path: C:\LEADTOOLS 20\Bin\CDLL\x64\lfBmpX.DLL
    Image name: lfBmpX.DLL
    Browse all global symbols  functions  data
    Timestamp:        Thu Feb 21 13:22:56 2019 (5C6EFA90)
    CheckSum:         0001C9A0
    ImageSize:        00014000
    File version:     20.0.0.1
    Product version:  20.0.0.0
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04e4
    

LEADTOOLS begins parsing BMP files by checking if the two signature bytes are AM or BM.

    lfbmpx+2745
    .text:0000000000002745                 lea     rdx, [rsp+550h+var_508]
    .text:000000000000274A                 mov     r8d, 2
    .text:0000000000002750                 mov     rcx, rax
    .text:0000000000002753                 mov     [rsp+550h+arg_10], r12
    .text:000000000000275B                 call    cs:L_RedirectedRead
    .text:0000000000002761                 cmp     eax, 2
    .text:0000000000002764                 jnz     loc_30B8
    .text:000000000000276A                 movzx   eax, [rsp+550h+var_508]
    .text:000000000000276F                 mov     r12d, 'MB' ; Possible signature bytes
    .text:0000000000002775                 mov     ebx, 'AB'  ; Possible signature bytes
    .text:000000000000277A                 cmp     ax, r12w
    .text:000000000000277E                 jz      short loc_278E
    .text:0000000000002780                 cmp     ax, bx
    .text:0000000000002783                 jz      short loc_278E
    .text:0000000000002785                 test    ax, ax
    .text:0000000000002788                 jnz     loc_30B8
    

Assuming the file has the correct signature, the parser proceeds to read the BITMAPINFOHEADER, which includes the biWidth field.

    lfbmpx+28fb
    .text:00000000000028FB                 lea     rdx, [rsp+550h+var_4F0]
    .text:0000000000002900                 mov     r8d, 28h
    .text:0000000000002906                 mov     rcx, rdi
    .text:0000000000002909                 call    cs:L_RedirectedRead ; Internal read
    .text:000000000000290F                 cmp     eax, 28h
    .text:0000000000002912                 jnz     loc_2E8E        
    .text:0000000000002918                 cmp     dword ptr [rsp+550h+var_4F0], eax
    .text:000000000000291C                 jnz     loc_2E8E        
    .text:0000000000002922                 mov     r8d, dword ptr [rsp+550h+var_4F0+4]
    .text:0000000000002927                 movzx   r15d, word ptr [rsp+550h+var_4E8+6]
    .text:000000000000292D                 mov     [rbp+450h+var_4C8], eax
    .text:0000000000002930                 mov     eax, dword ptr [rsp+550h+var_4E8]
    .text:0000000000002934                 mov     [rsp+550h+biWidth_], r8d ; biWidth field saved locally
    

In preparation for copying file data, the parser allocates a buffer four times the provided biWidth value.

    lfbmpx+1f85
    .text:0000000000001F85                 mov     edx, r12d
    .text:0000000000001F88                 mov     [rbp+37h+var_98], eax
    .text:0000000000001F8B                 lea     eax, [rbx*4] ; biWidth
    .text:0000000000001F92                 mov     r8d, 2E4h
    .text:0000000000001F98                 movsxd  rcx, eax
    .text:0000000000001F9B                 call    cs:L_LocalAlloc
    

To determine how many bytes to copy into this buffer, the biSize field from the BITMAPINFOHEADER is used.

    lfbmpx+1ebe
    .text:0000000000001EBE biSize_is_8:                               
    .text:0000000000001EBE                 lea     eax, [rdx+3]     ; rdx -> biWidth
    .text:0000000000001EC1                 mov     r8d, edx
    .text:0000000000001EC4                 and     eax, 0FFFFFFFCh
    .text:0000000000001EC7                 retn
    .text:0000000000001EC8 biSize_is_16:                              
    .text:0000000000001EC8                 lea     r8d, [rdx+rdx]   ; rdx -> biWidth
    .text:0000000000001ECC                 lea     eax, [r8+3]
    .text:0000000000001ED0                 and     eax, 0FFFFFFFCh
    .text:0000000000001ED3                 retn
    .text:0000000000001ED4 biSize_is_24:                              
    .text:0000000000001ED4                 lea     r8d, [rdx+rdx*2]  ; rdx -> biWidth
    .text:0000000000001ED8                 lea     eax, [r8+3]
    .text:0000000000001EDC                 and     eax, 0FFFFFFFCh
    .text:0000000000001EDF                 retn
    

The allocated buffer is then populated with memmove using the calculated value from the biSize switch statement above.

    lfbmpx+20c5
    .text:00000000000020C5                 mov     eax, r13d
    .text:00000000000020C8                 mov     r12d, esi
    .text:00000000000020CB                 movsxd  rdx, edi
    .text:00000000000020CE                 sub     eax, edi
    .text:00000000000020D0                 mov     rcx, r14        ; Dst
    .text:00000000000020D3                 cmp     eax, esi
    .text:00000000000020D5                 cmovb   r12d, eax
    .text:00000000000020D9                 add     rdx, r15        ; Src
    .text:00000000000020DC                 mov     r8d, r12d       ; Size
    .text:00000000000020DF                 mov     ebx, r12d
    .text:00000000000020E2                 call    memmove
    

It is possible for a BMP file to have a biWidth value that will be overflown when multiplied to allocate the buffer to hold image data. Because this buffer is too small, the memmove will cause an out of bounds write, resulting in a buffer overflow, potentially resulting in code execution.

**Crash Information**

    rax=ddd8ddc5dddddddd rbx=000000000000139c rcx=000001d35c0b1010
    rdx=000000000a411410 rsi=00000000c0000008 rdi=0000000000000000
    rip=00007ffd858aa632 rsp=00000012396ef978 rbp=00000012396efa29
    r8=000000000000139c  r9=000000000000009b r10=dddddddddddddddd
    r11=000001d35c0b0ff0 r12=000000000000139c r13=000000000000139c
    r14=000001d35c0b0ff0 r15=000001d3664c2400
    iopl=0         nv up ei pl nz na pe nc
    cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
    lfBmpX!LEAD_Load+0x4652:
    00007ffd`858aa632 488941f0        mov     qword ptr [rcx-10h],rax ds:000001d3`5c0b1000=????????????????
    
    > !analyze -v
    FAILURE_EXCEPTION_CODE:  c0000005
    FAILURE_IMAGE_NAME:  lfBmpX.DLL
    BUCKET_ID_IMAGE_STR:  lfBmpX.DLL
    FAILURE_MODULE_NAME:  lfBmpX
    BUCKET_ID_MODULE_STR:  lfBmpX
    FAILURE_FUNCTION_NAME:  LEAD_Load
    BUCKET_ID_FUNCTION_STR:  LEAD_Load
    BUCKET_ID_OFFSET:  4652
    BUCKET_ID_MODTIMEDATESTAMP:  5c6efa90
    BUCKET_ID_MODCHECKSUM:  1c9a0
    BUCKET_ID_MODVER_STR:  20.0.0.1
    BUCKET_ID_PREFIX_STR:  APPLICATION_FAULT_INVALID_POINTER_WRITE_AVRF_
    FAILURE_PROBLEM_CLASS:  APPLICATION_FAULT
    FAILURE_SYMBOL_NAME:  lfBmpX.DLL!LEAD_Load
    

**Timeline**

2019-08-11 - Vendor Disclosure  
2019-11-03 - Vendor patched  
2019-11-05 - Public Release

Discovered by Cory Duplantis of Cisco Talos.

CVE-2019-5100: TALOS-2019-0892 || Cisco Talos Intelligence Group

An exploitable heap overflow vulnerability exists in the JPEG2000 parsing functionality of LEADTOOLS 20. A specially crafted J2K image file can cause an out of bounds write of a heap buffer, potentially resulting in code execution. An attack can specially craft a J2K image to trigger this vulnerability.

**Summary**

An exploitable heap overflow vulnerability exists in the JPEG2000 parsing functionality of LEADTOOLS 20. A specially crafted J2K image file can cause an out of bounds write of a heap buffer, potentially resulting in code execution. An attack can specially craft a J2K image to trigger this vulnerability.

**Tested Versions**

LEADTOOLS 20.0.2019.3.15

**Product URLs**

https://www.leadtools.com/

**CVSSv3 Score**

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

**CWE**

CWE-122: Heap-based Buffer Overflow

**Details**

LEADTOOLS, according to the website, “is a collection of comprehensive toolkits to integrate document, medical, multimedia, and imaging technologies into desktop, server, tablet, and mobile applications”. It offers prebuilt and portable libraries with an SDK for most platforms (Windows, Linux, Android, etc), that are all geared towards building applications for medical systems.

The module used for this analysis is below:

    Image path: C:\LEADTOOLS 20\Bin\CDLL\Win32\lfJ2kU.DLL
    Image name: lfJ2kU.DLL
    Browse all global symbols  functions  data
    Timestamp:        Fri Mar  1 09:35:20 2019 (5C795138)
    CheckSum:         00058242
    ImageSize:        0005D000
    File version:     20.0.0.4
    Product version:  20.0.0.0
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04e4
    

One of the box types when parsing is Contiguous Codestream box (tagged by jp2c). For this box type, there are a number of code tags which specify the attributes of the box itself. For example, the tag 0xFF51 (SIZ) signifies an Image and Tile Size. An allocation is created based on the size given in the SIZ tag \[0\].

    lfj2ku+0x33f80
    .text:00033F77                 mov     esi, [eax+14h]
    ...
    .text:00033F80                 mov     edx, [ebp+var_18]
    .text:00033F83                 mov     ebx, eax
    .text:00033F85                 mov     eax, [ebp+var_48]
    .text:00033F88                 mov     [ebp+var_3C], ebx
    .text:00033F8B                 mov     eax, [eax+4]
    .text:00033F8E                 mov     ecx, [eax+0Ch] ; Xsiz field from image
    .text:00033F91                 mov     eax, [edx+0Ch]
    .text:00033F94                 imul    ecx, esi
    .text:00033F97                 mov     [ebx+4], eax
    .text:00033F9A                 test    ecx, ecx
    .text:00033F9C                 jg      short loc_33FAB
    .text:00033FAB                 lea     eax, [ecx-1]
    .text:00033FAE                 cdq
    .text:00033FAF                 and     edx, 7
    .text:00033FB2                 add     eax, edx
    .text:00033FB4                 sar     eax, 3
    .text:00033FB7                 inc     eax
    .text:00033FB8
    .text:00033FB8                 push    offset aDSrcmLead15Api_13 
    .text:00033FBD                 push    393h
    .text:00033FC2                 push    1
    .text:00033FC4                 add     eax, 30h
    .text:00033FC7                 push    eax      ; Calculated allocation size
    .text:00033FC8                 call    ds:L_LocalAlloc ; [0]
    

The contiguous codestream box can contain number components. Each of these components have an integer multiple which is used to populate the image in tiles rather than as an entire image all at once.

    lfj2ku+0x32b32
    .text:00032B32                 mov     esi, [esp+60h+image_offset] ; XRsiz field for current component
    ...
    .text:00032B40 loop_top:                               
    .text:00032B40                 movq    mm2, qword ptr [edi]
    .text:00032B43                 lea     edi, [edi+10h]
    .text:00032B46                 mov     ecx, [esp+60h+var_34]
    .text:00032B4A                 paddsw  mm2, mm3
    .text:00032B4D                 psraw   mm2, 5
    .text:00032B51                 paddsw  mm2, mm4
    .text:00032B54                 movq    mm1, qword ptr [edi-8]
    .text:00032B58                 paddsw  mm1, mm3
    .text:00032B5B                 psraw   mm1, 5
    .text:00032B5F                 movq    mm0, mm4
    .text:00032B62                 paddsw  mm0, mm1
    .text:00032B65                 packuswb mm2, mm0
    .text:00032B68                 movq    qword ptr [esp+60h+var_20], mm2
    .text:00032B6D                 movzx   eax, byte ptr [esp+60h+var_20]
    .text:00032B72                 mov     [edx], al
    .text:00032B74                 movzx   eax, byte ptr [esp+60h+var_20+1]
    .text:00032B79                 mov     [ecx+esi], al
    .text:00032B7C                 movzx   eax, byte ptr [esp+60h+var_20+2]
    .text:00032B81                 mov     ecx, [esp+60h+var_30]
    .text:00032B85                 mov     [esi], al
    ...
    .text:00032BC3                 add     esi, [esp+60h+var_38]
    .text:00032BC7                 sub     [esp+60h+var_40], 1
    .text:00032BCC                 jnz     loop_top
    .text:00032BD2                 mov     edi, [esp+60h+var_48]
    .text:00032BD6                 mov     ecx, [esp+60h+var_54]
    

By providing an offset field for a tile component that is outside the range of the original image, this will write data outside of the area of the image allocation, causing a heap buffer overflow, potentially resulting in code execution.

**Crash Information**

    eax=00000080 ebx=0be05fe8 ecx=00000004 edx=0be07ffb esi=0be08003 edi=0bddaf70
    eip=7a1d2b85 esp=012fa7e0 ebp=012fa848 iopl=0         nv up ei pl nz na pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
    lfJ2kU!fltJ2KFileInfo+0x6765:
    7a1d2b85 8806            mov     byte ptr [esi],al          ds:002b:0be08003=??
    
    0:000:x86> dc esi-0x20
    0be07fe3  c0c0c080 c0c0c080 c0c0c080 c0c0c080  ................
    0be07ff3  c0c0c080 c0c0c080 c0c0c080 ????????  ............????
    0be08003  ???????? ???????? ???????? ????????  ????????????????
    0be08013  ???????? ???????? ???????? ????????  ????????????????
    

**Timeline**

2019-10-08 - Vendor Disclosure  
2019-11-03 - Vendor Patched  
2019-11-05 - Public Release

Discovered by Cory Duplantis of Cisco Talos.

CVE-2019-5125: TALOS-2019-0916 || Cisco Talos Intelligence Group

A buffer overflow vulnerability exists in the PowerPoint document conversion function of Rainbow PDF Office Server Document Converter V7.0 Pro MR1 (7,0,2019,0220). While parsing a document text info container, the TxMasterStyleAtom::parse function is incorrectly checking the bounds corresponding to the number of style levels, causing a vtable pointer to be overwritten, which leads to code execution.

**Summary**

A buffer overflow vulnerability exists in the PowerPoint document conversion function of Rainbow PDF Office Server Document Converter V7.0 Pro MR1 (7,0,2019,0220). While parsing a document text info container, the TxMasterStyleAtom::parse function is incorrectly checking the bounds corresponding to the number of style levels, causing a vtable pointer to be overwritten, which leads to code execution.

**Tested Versions**

Antenna House Rainbow PDF Office Server Document Converter v7.0 Pro MR1 for Linux64 (7,0,2019,0220)

**Product URLs**

https://www.rainbowpdf.com/trial-server-solutions/

**CVSSv3 Score**

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

**CWE**

CWE-122: Heap-based Buffer Overflow

**Details**

Rainbow PDF is a software solution, developed by Antenna House, that converts Microsoft office 97-2016 documents into a PDF.

Office document structures are sometimes complex and they contain strict restraints. Not enforcing such constraints may lead to several sides effects while parsing.

The Microsoft documentation MS-PPT Powerpoint binary file format is explaining some of the structures that are needed to understand the issue described in this advisory. In particular, see below the format for DocumentTextInfoContainer, RecordHeader and TextMasterStyleAtom structures. The RecordHeader is a generic structure, present at the beginning of each container and atom record. A container is a record that defines the structure and hierarchy of atom records and other container records. An atom record contains presentation data. Analogous to a file system, atom records are similar to files that contain data and container records are similar to directories that provide structure and hierarchy for atom records. The DocumentTextInfoContainer record specifies the default text styles for the document and the TextMasterStyleAtom specifies the character-level and paragraph-level formatting of a main master slide.

The RecordHeader is described as follow, a fixed length of eight bytes:

    + recVer (4bits): An unsigned integer specifies the version of the record data that follow the record header. A value of 0xF specifies the record is a container record.
    + recInstance (12bits): An unsigned integer that specifies the record instance data. Interpretation of the value is dependent on the particular record type.
    + recType (2 bytes): A `RecordType` enumeration that specifies the type of the record data that follows the record header.
    + recLen (4 bytes): An unsigned integer that specifies the length, in bytes, of the record data that follows the record header.
    

The DocumentTextInfoContainer is described as:

    + rh (8 bytes): A `RecordHeader` structure with rh.recType set to the value RT_Environnement (0x3F2).
    + [...] several optional variable length atoms
    + testSIDefaultsAtom (variable): A `TextSIExceptionAtom` record.
    + textMasterStyleAtom (variable): A `TextMasterStyleAtom` record. 
    

The TextMasterStyleAtom is described as follow:

    + rh (8 bytes): A `RecordHeader` structure where recType value must be a RT_TextMasterStyleAtom (0xFA3) and recInstance value specifies the type of text to which the formatting applies.
    + cLevels (2 bytes): An unsigned integer that specifies the number of styles levels. It MUST be less than or equal to 0x0005
    + LstLvlx (variable): Five optional TextMasterStyleLevel structure that specifies the master formatting for text. Each structure must exist accordingly to the cLevels value. 
    

The cLevels field specifies it MUST be less than or equal to 0x0005. This is important because the vulnerability depends on the value of this field. The function DfvPptReaderNS::TxMasterStyleAtom::parse is called to parse Microsoft Office PowerPoint character-level and paragraph-level formatting of the main master slide.

    bool __fastcall DfvPptReaderNS::TxMasterStyleAtom::parse(DfvPptReaderNS::TxMasterStyleAtom *this, DfvCommon::MSORecParseContext *context)
    {
      DfvPptReaderNS::TxMasterStyleAtom *TxMasterStyleAtomTable; 
      unsigned __int16 data_recinstance; 
      unsigned __int16 TextTypeEnum;
      unsigned __int16 current_word_value; 
      unsigned __int16 index; 
      bool status; 
      DfvPptReaderNS::PFStyle *PFStyleAtom; 
      unsigned __int16 cLevels;
      int offset; 
    
      TxMasterStyleAtomTable = this;                                                                                                                
      recInstance = this->recVer_recInstance;
      offset = 0;
      TextTypeEnum = recInstance >> 4;                                                                                                              
      if ( !DfvCommon::MSORecParseContext::readRecordData(context, this->recLen)                                                                    
           || !DfvCommon::MSORecParseContext::getWord(context, &cLevels, offset) )                                                                  [1]
            goto error_TxMasterStyleAtom;
      
      offset += 2;
      if ( cLevels )                                                                                                                                [2]
      {
        index = 0;
        status = true;
        data_to_read = 1;
        while ( 1 )                                                                                                                                 [3]
        {
          if ( TextTypeEnum <= 8u )                 
          {
            if ( (TextTypeEnum <= 4 )     
            {
              current_index = index;
              if ( index )                                                                                                                          [7]
              {
                DfvPptReaderNS::PFStyle::operator=( TxMasterStyleAtomTable + 96 * index + 0x18, TxMasterStyleAtomTable + 96 * index - 0x48);        [8]
                DfvPptReaderNS::CFStyle::operator=( TxMasterStyleAtomTable + 32 * index + 0x1F8, TxMasterStyleAtomTable + 0x20 * index + 0x1D8);    [9]
              }
              goto read_data;                                                                                                                       [10]
            }
            if ( (TextTypeEnum >= 5 )    
            {
              if ( (unsigned int)DfvCommon::MSORecParseContext::getWord(a2, &current_index, offset) )
              {
                offset += 2;
    read_data:
                if ( !data_read
                  || (PFStyleObject = TxMasterStyleAtomTable + 96 * index + 24),
                      *((_WORD *)PFStyleObject + 4) = index,
                      DfvPptReaderNS::PFStyle::parse(PFStyleObject, context, &offset)                                                               [5]                             
                  &&  DfvPptReaderNS::CFStyle::parse(TxMasterStyleAtomTable + 32 * index + 0x1F8,context,&offset))
                {
                  goto next_entry;                                                                                                                  [6]
                }
              }
              goto reset_read_data;
            }
          }
    reset_read_data:
          data_read = 0;
    next_entry:
          if ( ++index >= cLevels )                                                                                                                 [4]
          {
            if ( data_read )
              return 1LL;
    error_TxMasterStyleAtom:
            icu_52::UnicodeString::UnicodeString((icu_52::UnicodeString *)&current_index, 1, L"TxMasterStyleAtom", 17);
            DfvPptReaderNS::PPTError::throwError((DfvPptReaderNS::PPTError *)0xD883, (unsigned __int64)&current_index, v6);
          }
        }
      }
    

The function DfvPptReaderNS::TxMasterStyleAtom::parse uses the function DfvCommon::MSORecParseContext::getWord to get the cLevels from file at \[1\], which is returning a word value from the buffer previously read. The algorithm of the function DfvPptReaderNS::TxMasterStyleAtom::parse is quite trivial, checking cLevels for a positive value at \[2\], then applying an infinite loop which starts at \[3\]. The bounds is check at \[4\] compares the incremented value index to cLevels, ending with success or failure if it’s superior or equal to it. We can notice here that cLevels is not compared against 0x0005, as documented in Microsoft’s Documentation.

Inside our loop we can see at \[5\] two main parsing functions named DfvPptReaderNS::PFStyle::parse and DfvPptReaderNS::CFStyle::parse which are reading binary data to fill in data accordingly. The interesting point is the presence of the constant value 96*index and 32*index respectively, typically demonstrating the usage of indexed tables. Once data is read, checks is performed again at \[6\] branching directly into \[4\]. Remember the index incremented at \[4\], data was previously read at \[5\] and is recopied at \[8\] and \[9\] into the next element of the relevant table. Then the execution continues with a direct branch at \[10\], until index surpasses cLevels \[4\].

    fvPptReaderNS::PPTDocument *__fastcall DfvPptReaderNS::PPTDocument::PPTDocument(DfvPptReaderNS::PPTDocument *this)
    {
      [...]
      *(_QWORD *)v6 = &`vtable for'DfvPptReaderNS::TxMasterStyleAtom + 2;
      *(_WORD *)&v25[v7 - 16] = 0;
      *(_WORD *)&v25[v7 - 8] = 0;
      *(_WORD *)&v25[v7 - 2] = 0;
      *(_WORD *)&v25[v7 - 6] = 8226;
      *(_WORD *)&v25[v7 - 4] = 0;
      *(_WORD *)&v25[v7 + 4] = 0;
      *(_WORD *)&v25[v7 + 6] = 100;
      *(_WORD *)&v25[v7 + 12] = 0;
      *(_QWORD *)&v25[v7 - 24] = vtable_PFStyle;                                                                                                    [11]
      *(_WORD *)&v25[v7 + 8] = 0;
      *(_WORD *)&v25[v7 + 10] = 0;
      *(_WORD *)&v25[v7 + 14] = 0;
      *(_WORD *)&v25[v7 + 16] = 576;
      *(_DWORD *)&v25[v7 - 12] = 0;
      *(_DWORD *)&v25[v7] = 0x1000000;
      *((_QWORD *)v6 + 9) = vtable_TabStops;
      v8 = v6 - v5;
      *((_QWORD *)v6 + 10) = 0LL;
      *(_WORD *)&v5[v8 + 104] = 0;
      *(_WORD *)&v5[v8 + 106] = 0;
      *(_QWORD *)&v5[v8 + 88] = 0LL;
      *(_QWORD *)&v5[v8 + 96] = 0LL;
      *(_WORD *)&v25[v7 + 64] = 0;
      *(_WORD *)&v25[v7 + 66] = 7;
      *(_WORD *)&v25[v7 + 68] = 0;
      v9 = v21 - v5;
      *(_QWORD *)&v1[v9 - 120] = vtable_PFStyle;                                                                                                    [12]
      *(_WORD *)&v1[v9 - 112] = 0;
      *(_WORD *)&v1[v9 - 104] = 0;
      *(_WORD *)&v1[v9 - 102] = 8226;
      *(_WORD *)&v1[v9 - 100] = 0;
      *(_WORD *)&v1[v9 - 98] = 0;
      *(_WORD *)&v1[v9 - 92] = 0;
      *(_WORD *)&v1[v9 - 90] = 100;
      *(_WORD *)&v1[v9 - 88] = 0;
      *(_WORD *)&v1[v9 - 86] = 0;
      *(_WORD *)&v1[v9 - 84] = 0;
      *(_WORD *)&v1[v9 - 82] = 0;
      *(_WORD *)&v1[v9 - 80] = 576;
      *(_DWORD *)&v1[v9 - 108] = 0;
      *(_DWORD *)&v1[v9 - 96] = 0x1000000;
      *((_QWORD *)v6 + 21) = vtable_TabStops;
      *((_QWORD *)v6 + 22) = 0LL;
      *(_WORD *)&v5[v8 + 200] = 0;
      [...]
    }
    

We can easily understand that there is an overflow, which is happening due to the missing check against 0x0005 at \[4\], but we need to get into the constructor named DfvPptReaderNS::PPTDocument::PPTDocument to understand why. Without describing the whole function DfvPptReaderNS::PPTDocument::PPTDocument, we can see at \[11\] and \[12\] the construction of objects related to PFStyle. This function is preparing all objects related to the complete PowerPoint document and is reserving fixed space for objects and their corresponding vtables entries. The overflow is overwriting the vtable objects in the record, which can be used by an attacker to arbitrarily alter the execution flow of the program and thus execute arbitrary code.

**Timeline**

2019-03-20 - Vendor Disclosure  
2019-05-14 - Vendor Patched  
2019-05-14 - Public Release

Discovered by Emmanuel Tacheau of Cisco Talos.

CVE-2019-5030: TALOS-2019-0792 || Cisco Talos Intelligence Group

D-Link DIR-865L has SMB Symlink Traversal due to misconfiguration in the SMB service allowing symbolic links to be created to locations outside of the Samba share.

**Introduction**

ISE researchers have discovered critical security vulnerabilities in numerous small office/home office (SOHO) routers and wireless access points. We define a critical security vulnerability in a router as one that allows a remote attacker to take full control of the router's configuration settings, or one that allows a local attacker to bypass authentication and take control. This control allows an attacker to intercept and modify network traffic as it enters and leaves the network.

*   All 13 routers evaluated can be taken over from the local network
    *   4 of these attacks require no active management session.
*   11 of 13 routers evaluated can be taken over from the WAN
    *   2 of these attacks require no active management session.

**Motivation**

Despite being widely distributed and deployed in nearly every modern home and small office, SOHO networking equipment has received surprisingly little attention from security researchers. Yet, these devices facilitate the connectivity and protection (we hope) of millions of end-systems. The critical vulnerabilities that persist in these widely used devices demonstrate an urgent need for deeper scrutiny.

ISE initially set out to evaluate the security of ten popular, off-the-shelf SOHO wireless routers. The final scope of the research project was expanded to include thirteen unique devices. Our research indicates that a moderately skilled adversary with LAN or WLAN access can exploit all thirteen routers. We also found that nearly all devices had critical security vulnerabilities that could be exploited by a remote adversary, resulting in router compromise and unauthorized remote control. At least half of the routers that provided network attached storage (NAS) were found to be accessible by a remote adversary (full details will be disclosed in a future article).

We further categorize these remotely and locally accessible vulnerabilities by indicating their associated attack requirements:

*   Trivial attacks can be launched directly against the router with no human interaction or access to credentials.
*   Unauthenticated attacks require some form of human interaction, such as following a malicious link or browsing to an unsafe page, but do not require an active session or access to credentials.
*   Authenticated attacks require that the attacker have access to credentials (or that default router credentials are used—an all-too-common situation) or that a victim is logged in with an active session at the time of the attack.

We considered client-side attacks to be in scope, so long as they consist entirely of HTML and JavaScript code running in a web browser.

**Impact; new threats**

SOHO router vulnerabilities impact consumers in a number of ways that differ from the vulnerabilities that typically afflict end-systems, and through those vulnerabilities new threats arise. The number of parties affected by an individual or widespread router compromise is expanded, there could be lasting damage to users or soho networking device vendors, and detecting or recovering from an exploit of this type can be difficult.

**Affected parties: who is the victim?**

A typical end-system compromise pegs the end-user as the victim. Certainly, advanced threats leverage end-system compromise to gain a network foothold and attempt to compromise lateral systems, but in general there is one victim, and one party responsible for cleaning up the mess.

A SOHO router compromise not only affects that device, but the many end-systems it supports, the infrastructure of which it is a part, the community of sites visited by the end-users, and even the soho networking device vendor.

**Implications**

The impact of these routers' security flaws is exacerbated by the fact that unauthenticated attacks can target not only the administrator of a victim router's (W)LAN, but any user on the (W)LAN. A parent or child in the case of the home, any or all students behind a university router, or any guest or untrained user of a small office or enterprise network can be targeted and leveraged to gain full control of the SOHO networking device, which may also lead to additional attacks being launched against other users.

**Significance of compromise**

Once compromised, any router—SOHO or otherwise—may be used by an adversary to secure a man-in-the-middle position for launching more sophisticated attacks against all users in the router's domain. This includes sniffing and rerouting all non-SSL protected traffic, poisoning DNS resolvers, performing denial of service attacks, or impersonating servers. Worse still, is that these routers are also firewalls, and often represent the first (and last) line of defense for protecting the local network. Once compromised, the adversary has unfettered access to exploit the vulnerabilities of local area hosts that would be otherwise unreachable if the router were enforcing firewall rules as intended.

**Difficult Recovery; Persistent issue**

The overall community impact could be much worse. Considering that many soho networking device administrators are not computer or security savvy, default settings are undoubtedly prevalent. Even in the case where the vulnerabilities identified here and elsewhere are addressed by the vendor, it may not be reasonable to expect that SOHO networking device owners know about these issues, or will upgrade/patch their routers' firmware, which is the predominant distribution mechanism for SOHO networking device updates. In such cases, the vulnerabilities may remain unresolved indefinitely.

"Bricking" of SOHO networking devices could also become an issue due to the cumbersome and unauthenticated nature of the firmware upgrade process. As we've identified, in all routers evaluated a remote adversary can replace a vendor's firmware with their own. If such firmware were (intentionally) faulty, it could render a device unusable. The damage to users and vendors could be significant depending upon the number of devices in the field, the rate at which they can be compromised or "bricked," and the cost to replace or repair them.

**Large-scale threats**

So far we have acknowledged that users belonging to an affected router's domains are at risk, but if any ISP deploys a router at scale with these types of vulnerabilities—or has many customers using routers with these types of vulnerabilities—an adversary may leverage the vulnerabilities to directly attack the provider, core infrastructure, or other organizational targets, e.g., corporations and nation-states. This also presents a large surface for new botnet deployment or command and control (C2) strategies to facilitate DDoS attacks and cybercrime activities.

**Mitigations**

Unfortunately, there is little the average end-user can do to fully mitigate these attacks. Successful mitigation often requires a level of sophistication and skill beyond that of the average user (and beyond that of the most likely victims).

**Recommendations for Vendors**

SOHO networking device VENDORS should take the following actions to help mitigate these issues.

*   Prepare and make available firmware upgrades that address these issues.
*   Notify registered users of these vulnerabilities, and distribute instructions on how to upgrade device firmware.
*   Regularly audit devices for security vulnerabilities, produce and distribute security patches in a timely manner, and notify registered customers.

SOHO networking device VENDORS should incorporate the following design changes in to their product lines.

*   Using authenticated (digitally signed, and verifiable by the router) firmware updates.
*   Designing a method for automatic firmware updates, that can be opted out of by users.
*   Perform regular security audits to ensure devices are as hardened as possible.

**Recommendations for Device Administrators**

SOHO networking device ADMINISTRATORS should take the following actions to help mitigate these issues.

*   Upgrade your firmware regularly.
*   Disable (or do not enable) remote administration.
*   Disable (or do not enable) network services that are not utilized within the LAN, e.g., FTP, SMB, UPnP.
*   Log out from, and restart, your SOHO networking device after logging in for administrative tasks.
*   Clear browser cookies and active logins after logging out from your router.
*   Choose a non-standard (W)LAN IP address range (subnet), which will make generic automated attacks less effective against your network.
*   If possible, enable HTTPS for all administrative connections. For all of the routers we evaluated that had this feature, it was disabled by default.
*   Make sure your WLAN is protected using WPA2 encryption and is not left as an open WiFi network or protected with the outdated WPA or WEP standards.
*   ONLY install firmware from the router manufacturers website.
*   Choose a secure router administration password consisting of upper/lowercase alphanumeric and special characters that is at least 12 characters in length.
*   If your SOHO device is behind an additional firewall, restrict inbound access to this device from the greater WAN.

**Recommendations for End Users**

END-USERS behind SOHO networking devices should take the following actions to help mitigate these issues.

*   Do not discount browser or other software warnings of potential MITM attacks.
*   Do not follow links sent through email or by other means, especially ones that are directed to what could potentially be a SOHO networking device (e.g., 192.168.2.1).
*   Be diligent, and browse safely.

**Disclosures**

For all vulnerabilities identified in this research, ISE has disclosed the issues to the product vendors through their typical vulnerability reporting mechanism, as well as any other channels for which we had access. We've given what we believe is adequate time to address the issues disclosed, and to the extent it has been reasonable, we've helped those vendors develop or implement mitigations. We welcome all vendor feedback, and are happy to assist with any additional information that may facilitate a quick resolution to any of these vulnerabilities.

Beyond the vulnerabilities listed in this case study, our research has brought to light 17 issues that have received Common Vulnerabilities and Exposure (CVE) numbers, and 21 CVE submissions pending.

*   CVE-2013-0126: Cross-Site Request Forgery
*   CVE-2013-2644: FTP Directory Traversal
*   CVE-2013-2645: Cross-Site Request Forgery
*   CVE-2013-2646: Denial of Service
*   CVE-2013-3064: Unvalidated URL Redirect
*   CVE-2013-3065: DOM Cross-Site Scripting
*   CVE-2013-3066: Information Disclosure
*   CVE-2013-3067: Cross-Site Scripting
*   CVE-2013-3068: Cross-Site Request Forgery
*   CVE-2013-3069: Cross-Site Scripting
*   CVE-2013-3070: Information Disclosure
*   CVE-2013-3071: Authentication Bypass
*   CVE-2013-3072: Unauthenticated Hardware Linking
*   CVE-2013-3073: SMB Symlink Traversal
*   CVE-2013-3074: Media Server Denial of Service
*   CVE-2013-3083: Cross-Site Request Forgery
*   CVE-2013-3084: Cross-Site Scripting
*   CVE-2013-3085: Authentication Bypass
*   CVE-2013-3086: Cross-Site Request Forgery
*   CVE-2013-3087: Cross-Site Scripting
*   CVE-2013-3088: Authentication Bypass
*   CVE-2013-3089: Cross-Site Request Forgery
*   CVE-2013-3090: Cross-Site Scripting
*   CVE-2013-3091: Authentication Bypass
*   CVE-2013-3092: Failure to Validate HTTP Authorization Header
*   CVE-2013-3095: Cross-Site Request Forgery
*   CVE-2013-3096: Unauthenticated Hardware Linking
*   CVE-2013-3097: Cross-Site Scripting

**Related Work**

As stated earlier in this article, there has been little research published in the area of SOHO router security, however some interesting results have been disclosed by security researchers in recent years.

In March, 2013, Michael Messner disclosed vulnerabilities ranging from minor to critical in D-Link, TP-Link, Netgear, and Linksys routers. The vulnerabilities disclosed included authenticated and unauthenticated arbitrary command injection, information disclosure, unencrypted password storage, directory traversal, and persistent cross-site scripting.

In January, 2013, HD Moore disclosed that numerous home routers exposed UPnP services, including SSDP Discovery and SOAP, to the Internet (WAN) side of the device. This could lead to remote attackers modifying firewall rules or accessing private media files using DLNA. Worse, many of the UPnP implementations had numerous buffer overflow vulnerabilities.

Also in January, 2013, DefenseCode released an advisory describing a remote, unauthenticated format string vulnerability in the Broadcom UPnP software that escalated to root shell access.

At BlackHat 2012, Phil Purviance (Superevr) demonstrated a cross-site file upload vulnerability in the Linksys WRT54GL. In early 2013, Purviance researched the Linksys EA2700 and found numerous vulnerabilities, including cross-site scripting, directory and file traversal, unauthenticated password changes, and source code disclosure vulnerabilities.

In May, 2012, it was disclosed that WiFi Protected Setup (WPS) uses an eight-digit PIN for authentication, and an attacker can determine if the first four digits of an attempted PIN are correct, without regard to the last four. Worse, as this CERT vulnerability disclosed, many home routers fail to implement any rate limiting after successive incorrect PIN attempts.

At BlackHat 2009, Felix Lindner explored the feasibility and techniques that could be used to attack commercial grade routers. He found very few public vulnerabilities in this class of equipment.

**Future work**

Six months after releasing the advisories for the 13 routers, ISE will upgrade the firmware on all 13 routers and perform a reassessment to determine what—if any—impact deeper scrutiny from the security community has brought to the SOHO router industry. ISE may also expand the scope of the next study to include additional routers.

**Attribution and acknowledgments**

This research was conducted by Jacob Holcomb of Independent Security Evaluators and directed by Stephen Bono and Sam Small. Jacob Thomspon, Kedy Liu, Ali Jad Khalil, and Vincent Faires made additional contributions.

**References**

Messner, Michael. Multiple Vulnerabilities in D-Link DIR-600 and DIR-300. Revision B. February 2013.

Beardsley, Tom. Weekly Update: Consumer-Grade Hacking, Attribution and Testing, and Msfupdate updates. Rapid7 Metasploit Blog. March 28, 2013.

Moore, HD. Security Flaws in Universal Plug and Play. Rapid7, Inc., January 2013.

Broadcom UPnP Remote Preauth Code Execution Vulnerability. January 31, 2013.

Allar, Jared. WiFi Protected Setup (WPS) PIN brute force vulnerability. US CERT Vulnerability #723755. May 10, 2012.

Lindner, Felix. Router Exploitation. Black Hat 2009.

Purviance, Phil. Don't Use Linksys Routers. Superevr. April 5, 2013.

Mimoso, Michael. Serious Vulnerabilities Found in Popular Home Wireless Routers. threatpost. April 8, 2013

CVE-2013-4855: Exploiting SOHO Routers

cdf_read_property_info in cdf.c in file through 5.37 does not restrict the number of CDF_VECTOR elements, which allows a heap-based buffer overflow (4-byte out-of-bounds write).

@@ -35,7 +35,7 @@

#include "file.h"

  

#ifndef lint

FILE\_RCSID("@(#)$File: cdf.c,v 1.115 2019/08/23 14:29:14 christos Exp $")

FILE\_RCSID("@(#)$File: cdf.c,v 1.116 2019/08/26 14:31:39 christos Exp $")

#endif

  

#include <assert.h\>

@@ -1027,8 +1027,9 @@ cdf\_read\_property\_info(const cdf\_stream\_t \*sst, const cdf\_header\_t \*h,

goto out;

}

nelements = CDF\_GETUINT32(q, 1);

if (nelements == 0) {

DPRINTF(("CDF\_VECTOR with nelements == 0\\n"));

if (nelements > CDF\_ELEMENT\_LIMIT || nelements == 0) {

DPRINTF(("CDF\_VECTOR with nelements == %"

SIZE\_T\_FORMAT "u\\n", nelements));

goto out;

}

slen = 2;

@@ -1070,8 +1071,6 @@ cdf\_read\_property\_info(const cdf\_stream\_t \*sst, const cdf\_header\_t \*h,

goto out;

inp += nelem;

}

DPRINTF(("nelements = %" SIZE\_T\_FORMAT "u\\n",

nelements));

for (j = 0; j < nelements && i < sh.sh\_properties;

j++, i++)

{

CVE-2019-18218: Limit the number of elements in a vector (found by oss-fuzz) · file/file@46a8443

Directory Traversal in the function http_verify in nostromo nhttpd through 1.9.6 allows an attacker to achieve remote code execution via a crafted HTTP request.

$nostromo: ChangeLog,v 1.241 2022/12/15 19:18:41 hacki Exp $ 2.1 === - Fix a vulnerability reported by Riccardo Krauter @ SoterITSecurity: If nostromo runs non-chrooted, and with the 'homedirs' configuration option enabled (disabled by default), an attacker can exploit a vulnerability to access files or execute programs (as CGI) outside of the server root directory. For that a specific request URL needs to be crafted by the attacker. 2.0 === - Fix compiling on NetBSD by suppressing the -Wall compiler option. Otherwise compiling breaks due to snprintf() truncate warnings. - Fix sizeof(http\_url) to sizeof(http\_urls) for the http\_urls buffer. Had no impact since both buffers anyway have the same size. - Replace SSL\_CTX\_use\_certificate\_file() with SSL\_CTX\_use\_certificate\_chain\_file(), so that the full certificate chain can be verified. - Update to libmy-2.1, which makes libbsd obsolete, and fixes compiling on FreeBSD. 1.9.9 ===== - Stupid me, forgot to bump the version in the last release! 1.9.8 ===== - Fix a potential segfault which can happen during nhttpd startup when reading a malformed comment line in the nhttpd.conf file. This was was caused by a buffer overflow in the libmy-1.8 fparse() function. Therefore upgraded to libmy-1.9 which contains a fix for fparse(). The issue was reported by Christoffer Jerkeby. 1.9.7 ===== - Fix for CVE-2019-16278 discovered by sp0re. Issue: Due to the missing accounting of the '\\r' character in the libmy-1.7 strcutl() function, an attacker can bypass the directory traversal check in the http\_verify() function in a non-chrooted nhttpd server and thus remote execute unauthorized code. Solution: Fix the strcutl() function in libmy-1.8 as described in the libmy ChangeLog: - strcutl(): take account of the '\\r' character when it appears within a string instead of ignoring it. Improved logic and performance diff by Adrian Steinmann Therefore the injected '\\r' characters will now generate an invalid path resulting in a HTTP 404 response. - Fix for CVE-2019-16279 discovered by sp0re. Issue: The missing header count functionality in the http\_header\_comp() function allowed an attacker to transmit more headers than accepted by nhttpd resulting in a buffer overflow in the header array leading to DoS. Solution: Add the missing header count functionality to the http\_header\_comp() function. Transmission of too many headers will now result in a HTTP 413 response as initially intended. - Close the connection after an HTTP 413 response as we are allowed according to RFC 2626 HTTP/1.1 10.4.14. 1.9.6 ===== - Restore original errno value after handling SIGCHLD. Otherwise this could lead to a break out of the main select(2) loop and therefore of unexpected termination of nostromo. Spotted by Adam Wozniak, nice catch! - Change the crypt(3) API, which is used for basic authentication, to accept all supported algorithms not just DES. - Check crypt(3) for returning NULL to prevent the nhttpd process to core dump in this case. - Add server cache for basic authentication credentials to speed up performance. This will save us filesystem access to htpasswd and additional password encryption cpu cycles for crypt(3). - Add MD5, Blowfish-a, and Blowfish-b algorithm to the crypt(1) tool. - Replace rand(3) with arc4random(3) in the crypt(1) tool for OpenBSD, NetBSD, and FreeBSD. - Fix broken BSD authentication method for basic authentication. - Fix several bites to make nostromo compile cleanly on the tested platforms again which are OpenBSD, NetBSD, FreeBSD, and Linux. - Rewrote printenv CGI from perl to shell script. - Add support for SIGHUP configuration reload. - Make a child process use the default signals instead inheriting the parent process signal handler. This fixes some odd issues. - Update copyright year to 2004 - 2016 and add nostromo CVS Id to all files. 1.9.5 ===== - Handle "Location:" field correctly when passed by a CGI. Bug reported by Axel Gonzalez. 1.9.4 ===== - Update copyright year to 2004 - 2011. - Make nostromo compile again by default; Remove -Werror in src/nhttpd makefiles and #include to src/nhttpd/main.c. - Fix a bug where when nostromo doesn't run in chroot mode somebody can access files beyond our htdocs environment by using specific encoded characters in the request URI (security issue). Issue found and reported by RedTeam Pentesting GmbH. - Fix a bug where in certain conditions garbage is written into the access\_log user agent field. - Do proper handling of max. file descriptors and allow to bump the select(2) max. file descriptors limit (FD\_SETSIZE) via the CON define in config.h by dynamically allocating the fd\_sets. 1.9.3 ===== - Fix two err(3) calls which are lacking an \`%s' modifier (security issue). Patch from Simon Kuhnle. - Fix wrong select() / send\_file() looping (resulting in high process load occasionally), by fixing bogus EAGAIN error handling in sys\_write\_a(). - Fix missing \`\`.Ed'' in nhttpd.8 man page. 1.9.2 ===== - Fix a bug where a 403 response is returned instead of a 404 response. Patch from Szabolcs Nagy. - Style diff which fixes spacing from Daniel Ouellet. - Add optional \`\`homedirs\_public'' configuration parameter to restrict access within the home directories. Suggested by Simon Kuhnle. - Add mandatory \`\`serverlisten'' configuration parameter to allow specific interface binding. - Replaced libmy with latest version libmy-1.7. 1.9.1 ===== - Replace off\_t with intmax\_t integer type since problems have been reported with compiling on some 64bit Linux systems. Therefore we remove the GNU compiler option '-D\_FILE\_OFFSET\_BITS=64'. Initial diff received from Kurt Roeckx. - For unused, string based configuration options, use '\\0' instead strlcpy() '0' into the array. It's less disturbing and more straight. Diff received from Szabolcs Nagy. - Don't leave some alias specific buffers uninitialized, because it can happen that we access those later. Bug reported by Szabolcs Nagy. - According to RFC 3875 set the SERVER\_NAME environment variable dynamicly dependend on the "Host:" request header field instead setting it staticly to the configured servername. Bug reported by Szabolcs Nagy. - Fix a bug where a CGI "Status:" request for 403 or 404 caused a corrupt response header. Bug reported by Szabolcs Nagy. - The header field "Host:" is mandatory for HTTP/1.1 client requests. If it doesn't exist return 400 Bad Request instead of further processing the request. Bug reported by Szabolcs Nagy. - Drop MacOSX support. Too many tweaks with recent MacOSX versions for compiling. - Update copyright year to 2004 - 2009. - Fix sys\_log() by replacing syslog() with vsyslog() so the string arguments get passed. While here move from LOG\_DEBUG to LOG\_INFO. - Replaced libmy with latest version libmy-1.6. 1.9 === - Replace server log parameter entries in the man page by syslog(3). 1.8.9 ===== - send all server log messages to syslog(3) instead to our own log file The configuration parameter "logserver" is obsolete therefore and has been removed from nhttpd.conf. Suggested by Matthias-Christian Ott - Make "logpid" and "logaccess" configuration parameters optional, which allows it to disable pid and access log creation. Suggested by Matthias-Christian Ott. - Remove the whole BSD authentication code on non-OpenBSD systems. Diff received from Matthias-Christian Ott. 1.8.8 ===== - Fix a bug where a requested file with size 0 caused us to send an HTTP repsonse in a loop. Bug reported by Kai Hendry. - Fix a bug where a directory request without trailing "/" to a virtual host URL returned a wrong 301-Location field value. Bug reported by Kai Hendry. - Change mime types parsing to the default syntax; extensions are separated by spaces instead by commas. Our default mime types file (conf/mimes) has been changed to the new syntax therefore. - Also check if HTTPS requests do match to our default URL before searching for virtual hosts. 1.8.7 ===== - Fix security issue for none chroot environments reported by Ben Hutchings: Disallow any direct access to upper level directories (..). On occurrence of a "/../" string in the request URI we return 400 Bad Request now. This prevents access to files beyond of the serverroot directory. - Fix a bug reported by Szabolcs Nagy: If a CGI option ends with a "/" don't apply the docindex to it. - If the PID file can't be created also report about the full filename in the error log. Requested by Kai Hendry. 1.8.6 ===== - Handle POST requests with content length 0 correctly, diff received from Georg Wendenburg. 1.8.5 ===== - Added support for SSLv3. - Replaced a strlcpy() with memcpy() because at this point binary data could be involved. Pointed out by Georg Wendenburg. - Added CONTENT\_TYPE CGI env, diff received from Georg Wendenburg. - Quiet down error messages in the server log file by moving some common error messages to the debug mode output. 1.8.4 ===== - If a select(2) error in the main loop is not EINTR, we shutdown the server. EFAULT, EBADF, and EINVAL are not acceptable. - When a connection gets closed FD\_CLR() the write set also in either case. this fix should finally let get us rid from the select(2) EBADF error, and overwrites the EBADF workaround fix from version 1.8.3. 1.8.3 ===== - Fix a Linux tweak with off\_t by adding -D\_FILE\_OFFSET\_BITS=64 to the compiler options. - If a select(2) error in the main loop is not EINTR, close the connection. this avoids endless looping e.g. when EBADF occurs. - Typo corrections for nhttpd.conf-dist and nhttpd.8 from Will Maier. 1.8.2 ===== - Fix wrong version numbers. 1.8.1 ===== - Fixed gcc3 tweak with variable array definition which caused compiliation error on gcc2 platforms. - Replaced libmy with latest version libmy-1.5. 1.8 === - Added homedirs support. - Added basic authentication via BSD authentication. - Moved variable type for filesizes from int to off\_t to enable proper transfers of very large files. - Directory listing files are sorted alphabetical now. - Make our HTML output HTML 4.01 transitional. - Fixed man page typos. 1.7.9 ===== - The rewritten http\_header\_comp() function implemented in version 1.7.7 could lead to a buffer overflow in some circumstances because the arrived header sequence was not checked for its minimum size. On my machines this effect ended up in a immediately process termination. Nasty bug fixed now. While we are at this function we also get rid of strlen() because we already have the current header size saved in our connection structure; safer and faster. - Fixed man page typos. 1.7.8 ===== - CGIs are no longer determined by a CGI alias. nhttpd checks now if a file has the world executable flag set, and if yes the file is handled as a CGI. this allows you to place CGIs anywhere in your document root, and also to use CGIs as index. the cgiroot and cgiindex config options are obsolete therefore and where removed from the configfile. cgi-bin has moved to htdocs/cgi-bin - Use stat(2) S\_IROTH instead of access(2) to check for file permissions, as we have that information already. - Added HTTP\_ACCEPT\_ENCODING CGI env - Simplified debug logging. - Fixed broken permissions checking on directories. - Fixed another binary data handling issue in CGI main loop. - Improved error handling for select(2) in CGI main loop. - On a fatal error at CGI execution send a 500 before exit(3). - Extended man page. 1.7.7 ===== - http\_header\_comp() which checks if a complete header sequence arrived got unreliable because of our new asynchronous connection handling since version 1.7.6. The function is fixed now and as a side effect much more simplified using less resources. 1.7.6 ===== - Rewrote nostromo to handle connections fully asynchronous over one single select(2) now. This change also fixes the problem that slow connections walked into a connection timeout. - The socket send buffer size is now kept to the operating system value by default. It can be changed optional in config.h by the SBS define. - Added debug mode option. - Added IF\_MODIFIED\_SINCE CGI env, diff received from Daniel Hartmeier. - Fixed unterminated childs leftover when parent is killed. - Fixed broken pipeline connection handling. - Fixed http\_chunk() to handle also binary data now. - Fixed double printing of server port in the signature. - Fixed double creation of Location header field for CGIs. - Fixed wrong Location string for 301 responses over SSL non-default port. - Fixed access log variable which could be used uninitialized. - Fixed broken custom responses. on large custom response files, the transfer was aborted. - Disabled chunking for HTTP/1.0 clients. - Disabled case sensitivy for HTTP protocol. - Reorderd configuration file. - Removed a unnecessary getpid(2) when daemonizing. - Replaced signal handlers SIGTERM code with a volatile sig\_atomic\_t flag. - Extended man page. - Improved style / KNF. 1.7.5 ===== - Set SO\_SNDBUF size on accepted client socket, not on the listener socket, because not every tcp/ip implementation supports inheritance. - Set sockets to O\_NONBLOCK to prevent any possible blocks. 1.7.4 ===== - Fixed POST content size limitation of 8KB. POST content can now be unlimited and is handled in the forked CGI process itself. - Removed all setenv(3) and unsetenv(3) functions and set CGI environment vars with execve(2) instead. This has increased the CGI serving performance about the factor 8. - The DOCUMENT\_ROOT CGI environment variable was set wrong in some cases. Bug fixed now. - In some cases the GMT offset was wrong calculated in the access log. Bug fixed now 1.7.3 ===== - Optimized performance and memory usage by source code optimization. - If a CGI post body included binary data the processing was aborted because we could not handle the binary part. Bug fixed now. - If a CGI post body was terminated with '\\r\\n' and some browsers count that to its content length (and some do not, what a mess!) the post was ignored. Bug fixed now - If the defined setuid user was not found, output a custom error instead the getpwnam(3) errno which almost says nothing. - Removed -ansi compile option to follow OpenBSD. - Fixed -pedantic compile option source code quirks. - Replaced libmy with latest version libmy-1.4. - Changed logo URL. - Applied typo diff for man page received from Marc Balmer@. 1.7.2 ===== - Added custom 401, 403, and 404 responses, requested by Marc Winiger. - Added nph CGI support. - Close all file descriptors which do not belong to the child after fork(2). - Replaced recv(2) with read(2) as we do not use flags. - Replaced send(2) with write(2) as we do not use flags. - Check more system calls for EINTR. - If a CGI post body was terminated with '\\r\\n', we did not parsed that and the post was ignored. Bug fixed now. - In some cases we had wrong data transmission because write(2) was not checked for short writes. Bug fixed now. - Fixed SSL memory leak. 1.7.1 ===== - Implemented HEAD method. - If on basic authentication the realm option in a htaccess file could not be parsed, we just kept the last value in the realm variable instead of overwriting it with "unknown realm". Bug fixed now. 1.7 === - Added 206 Partial Content. Forced by Delta. - Added example lines to configuration file how to change default port 80. - Excluded sin6\_len for Linux. - Imported new nostromo logo. - It is possible now to run IPv6 only. - Deny to run nhttpd as root. - Improved SSL handshake. - Main select(2) checks now writefds to cleanly serve partial file sends - Fixed typos and reviewed source code for BSD style. - If 301 Moved Permanently was called with https, we switched back to http because we did not check for the https flag. Bug fixed now. 1.6 === - Added IPv6 support. - Added pid file creation. - Set listener sockets to SO\_REUSEADDR. - Moved a bunch of static environment variables to dynamic ones, because of SSL and IPv6 introduction. - CGI https environment variable was set wrong because asking the wrong ssl flag variable. Bug fixed now. - If running in chroot mode, virtual hosts and aliases where not found because we accessed the full path to the config file. Bug fixed now. - If returning 500 on file send errors, open files where not closed. Bug fixed now. 1.5.1 ===== - chroot mode caused process hang if /dev/null where not found in the chroot environment. Bug fixed now. 1.5 === - Added SSL support. - Added 403 Forbidden, what means that files are checked for read permissions now instead returning 500 Internal Server Error if no access. - Added TODO file. - Corrected and extended man page. - If the content type was unknown the previous content type was sent, which is wrong. Now the html content type will be send per default on unknown content types. - select(2) for header and body read where using the same readset as the master select(2) which is wrong. Using now own readset. 1.4 === - Corrected the man page. - One of three access\_log functions was still logging with two lines per hit. Bug fixed now. 1.3 === - Makefiles have been ported to compile also on NetBSD, FreeBSD, Linux and MacOSX. - Reduced access\_log to one line per hit instead of two. - Filenames including spaces in directory listing wasn't found, because the href entry had no quotes. Bug fixed now. 1.2 === - If a CGI was called which didn't exist, the last called CGI was executed because the responsible variable, which holds the full executable path, wasn't overwritten. bug fixed now. - Replaced libmy with latest version libmy-1.3 (fixes important security issues). - Replaced last strcpy(3) with strlcpy(3). 1.1 === - Increased socket send buffer to avoid send(2) blocking when buffer is full. - In server log removed unnecessary log messages, made the existing ones more specific and added new log messages. - Removed pre-compiler debug informations because they made the source code hard to read and where not really usable in action. 1.0 === - Fixed memory leak. 0.9 === - A wrong if-condition caused the nhttpd parent process to exit(0) if a CGI was called which didn't exist. Bug fixed now. 0.8 === - Nostromo has been rewritten from a fork(2) server to a select(2) server. with this new method no more child forking for file requests is necessary and the server performance increases therefore. - Increased performance by optimizing source code. - Replaced libmy with latest version libmy-1.2 (faster). - Added pre-compiler debug option to config.h. 0.7 === - Sometimes a child process still hung because not all recv(2) was checked for connection timeout. placed select(2) in front of all recv(2) to check timeout. - Fixed wrong version numbering at several places. - Added install script (Install). 0.6 === - Sometimes a child process hung because of blocking recv(2). bug fixed now. - Replaced libmy with latest version libmy-1.1. - Added timestamps to server log file. - Added version option. 0.5 === - nhttpd didn't chroot(2) because chroot(2) where placed before all configuration files could be read. bug fixed now. 0.4 === - libmy had missing #include in flog.c, nsend.c, strlower.c some architectures (e.g. sparc64) complained and stopped at compiling. bug fixed now. 0.3 === - nhttpd didn't handle http control characters (\\r\\n\\r\\n) in POSTs body entity, and blocked at recv(2). bug fixed now. 0.2 === - Changed default configfile path to /var/nostromo/conf/nhttpd.conf. - chdir/chroot will directly done after reading the configfile successfully. - SIGPIPE, SIGHUP, SIGQUIT, SIGALRM will be silently ignored now and don't generate a server log anymore. 0.1 === - Initial version.

CVE-2019-16278

In the Linux kernel through 5.3.2, cfg80211_mgd_wext_giwessid in net/wireless/wext-sme.c does not reject a long SSID IE, leading to a Buffer Overflow.

**\[prev in list\] \[next in list\] \[prev in thread\] \[next in thread\]** 
**List:       linux-wireless
Subject:    \[PATCH 2/2\] cfg80211: wext: Reject malformed SSID elements
From:       Will Deacon <will () kernel ! org>
Date:       2019-10-04 9:51:32
Message-ID: 20191004095132.15777-2-will () kernel ! org
\[Download RAW message or body\]**

Ensure the SSID element is bounds-checked prior to invoking memcpy()
with its length field.

Cc: <stable@vger.kernel.org>
Cc: Johannes Berg <johannes@sipsolutions.net>
Cc: Kees Cook <keescook@chromium.org>
Reported-by: Nicolas Waisman <nico@semmle.com>
Signed-off-by: Will Deacon <will@kernel.org>
---
 net/wireless/wext-sme.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/net/wireless/wext-sme.c b/net/wireless/wext-sme.c
index c67d7a82ab13..3fd2cc7fc36a 100644
--- a/net/wireless/wext-sme.c
+++ b/net/wireless/wext-sme.c
@@ -201,6 +201,7 @@ int cfg80211\_mgd\_wext\_giwessid(struct net\_device \*dev,
 			       struct iw\_request\_info \*info,
 			       struct iw\_point \*data, char \*ssid)
 {
+	int ret = 0;
 	struct wireless\_dev \*wdev = dev->ieee80211\_ptr;
 
 	/\* call only for station! \*/
@@ -219,7 +220,10 @@ int cfg80211\_mgd\_wext\_giwessid(struct net\_device \*dev,
 		if (ie) {
 			data->flags = 1;
 			data->length = ie\[1\];
-			memcpy(ssid, ie + 2, data->length);
+			if (data->length > IW\_ESSID\_MAX\_SIZE)
+				ret = -EINVAL;
+			else
+				memcpy(ssid, ie + 2, data->length);
 		}
 		rcu\_read\_unlock();
 	} else if (wdev->wext.connect.ssid && wdev->wext.connect.ssid\_len) {
@@ -229,7 +233,7 @@ int cfg80211\_mgd\_wext\_giwessid(struct net\_device \*dev,
 	}
 	wdev\_unlock(wdev);
 
-	return 0;
+	return ret;
 }
 
 int cfg80211\_mgd\_wext\_siwap(struct net\_device \*dev,
-- 
2.23.0.581.g78d2f28ef7-goog

**\[prev in list\] \[next in list\] \[prev in thread\] \[next in thread\]** 

  

Configure | About | News | Add a list | Sponsored by KoreLogic

CVE-2019-17133: '[PATCH 2/2] cfg80211: wext: Reject malformed SSID elements'

The command-line argument parser in tcpdump before 4.9.3 has a buffer overflow in tcpdump.c:get_next_file().

**Commit**

Permalink

Browse files

Browse the repository at this point in the history

(for 4.9.3) CVE-2018-14879/fix -V to fail invalid input safely

get\_next\_file() did not check the return value of strlen() and
underflowed an array index if the line read by fgets() from the file
started with \\0. This caused an out-of-bounds read and could cause a
write. Add the missing check.

This vulnerability was discovered by Brian Carpenter & Geeknik Labs.

*   Loading branch information

Showing **1 changed file** with **4 additions** and **2 deletions**.

6 changes: 4 additions & 2 deletions tcpdump.c

Expand Up

@@ -699,13 +699,15 @@ static char \*

get\_next\_file(FILE \*VFile, char \*ptr)

{

char \*ret;

size\_t len;

  

ret \= fgets(ptr, PATH\_MAX, VFile);

if (!ret)

return NULL;

  

if (ptr\[strlen(ptr) \- 1\] \== '\\n')

ptr\[strlen(ptr) \- 1\] \= '\\0';

len \= strlen (ptr);

if (len \> 0 && ptr\[len \- 1\] \== '\\n')

ptr\[len \- 1\] \= '\\0';

  

return ret;

}

Expand Down

**0 comments on commit 9ba9138**

Please sign in to comment.

CVE-2018-14879: (for 4.9.3) CVE-2018-14879/fix -V to fail invalid input safely · the-tcpdump-group/tcpdump@9ba9138

An issue was discovered in net/wireless/nl80211.c in the Linux kernel through 5.2.17. It does not check the length of variable elements in a beacon head, leading to a buffer overflow.

**\[prev in list\] \[next in list\] \[prev in thread\] \[next in thread\]** 
**List:       linux-wireless
Subject:    \[PATCH 1/2\] nl80211: validate beacon head
From:       Johannes Berg <johannes () sipsolutions ! net>
Date:       2019-09-20 19:54:17
Message-ID: 1569009255-I7ac7fbe9436e9d8733439eab8acbbd35e55c74ef () changeid
\[Download RAW message or body\]**

From: Johannes Berg <johannes.berg@intel.com>

We currently don't validate the beacon head, i.e. the header,
fixed part and elements that are to go in front of the TIM
element. This means that the variable elements there can be
malformed, e.g. have a length exceeding the buffer size, but
most downstream code from this assumes that this has already
been checked.

Add the necessary checks to the netlink policy.

Cc: stable@vger.kernel.org
Fixes: ed1b6cc7f80f ("cfg80211/nl80211: add beacon settings")
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
---
 net/wireless/nl80211.c | 37 +++++++++++++++++++++++++++++++++++--
 1 file changed, 35 insertions(+), 2 deletions(-)

diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index fd05ae1437a9..932854a0c38b 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -201,6 +201,38 @@ cfg80211\_get\_dev\_from\_info(struct net \*netns, struct genl\_info \*info)
 	return \_\_cfg80211\_rdev\_from\_attrs(netns, info->attrs);
 }
 
+static int validate\_beacon\_head(const struct nlattr \*attr,
+				struct netlink\_ext\_ack \*extack)
+{
+	const u8 \*data = nla\_data(attr);
+	unsigned int len = nla\_len(attr);
+	const struct element \*elem;
+	const struct ieee80211\_mgmt \*mgmt = (void \*)data;
+	unsigned int fixedlen = offsetof(struct ieee80211\_mgmt,
+					 u.beacon.variable);
+
+	if (len < fixedlen)
+		goto err;
+
+	if (ieee80211\_hdrlen(mgmt->frame\_control) !=
+	    offsetof(struct ieee80211\_mgmt, u.beacon))
+		goto err;
+
+	data += fixedlen;
+	len -= fixedlen;
+
+	for\_each\_element(elem, data, len) {
+		/\* nothing \*/
+	}
+
+	if (for\_each\_element\_completed(elem, data, len))
+		return 0;
+
+err:
+	NL\_SET\_ERR\_MSG\_ATTR(extack, attr, "malformed beacon head");
+	return -EINVAL;
+}
+
 static int validate\_ie\_attr(const struct nlattr \*attr,
 			    struct netlink\_ext\_ack \*extack)
 {
@@ -322,8 +354,9 @@ const struct nla\_policy nl80211\_policy\[NUM\_NL80211\_ATTR\] = {
 
 	\[NL80211\_ATTR\_BEACON\_INTERVAL\] = { .type = NLA\_U32 },
 	\[NL80211\_ATTR\_DTIM\_PERIOD\] = { .type = NLA\_U32 },
-	\[NL80211\_ATTR\_BEACON\_HEAD\] = { .type = NLA\_BINARY,
-				       .len = IEEE80211\_MAX\_DATA\_LEN },
+	\[NL80211\_ATTR\_BEACON\_HEAD\] =
+		NLA\_POLICY\_VALIDATE\_FN(NLA\_BINARY, validate\_beacon\_head,
+				       IEEE80211\_MAX\_DATA\_LEN),
 	\[NL80211\_ATTR\_BEACON\_TAIL\] =
 		NLA\_POLICY\_VALIDATE\_FN(NLA\_BINARY, validate\_ie\_attr,
 				       IEEE80211\_MAX\_DATA\_LEN),
-- 
2.20.1

**\[prev in list\] \[next in list\] \[prev in thread\] \[next in thread\]** 

  

Configure | About | News | Add a list | Sponsored by KoreLogic

Tag

#buffer_overflow