### Impact
Heap buffer overflow in `libwebp` allows a remote attacker to perform an out of bounds memory write via a crafted webp image.

### References
- https://github.com/advisories/GHSA-j7hp-h8jx-5ppr
- https://blog.isosceles.com/the-webp-0day/


**@napi-rs/image affected by libwebp CVE**

High severity GitHub Reviewed Published Sep 27, 2023 in Brooooooklyn/Image • Updated Sep 27, 2023

GHSA-4vjr-crvh-383h: @napi-rs/image affected by libwebp CVE

 Two potential signed to unsigned conversion errors and buffer overflow vulnerabilities at the following locations in the Zephyr IPM drivers.


**Summary**

I spotted two signed to unsigned conversion errors and buffer overflow vulnerabilities at the following locations in the Zephyr IPM driver source code:  
https://github.com/zephyrproject-rtos/zephyr/blob/main/drivers/ipm/ipm\_imx.c  
https://github.com/zephyrproject-rtos/zephyr/blob/main/drivers/ipm/ipm\_mcux.c

**Details**

Buffer overflow if size is negative, due to signed/unsigned conversion in /drivers/ipm/ipm\_imx.c:

static int imx\_mu\_ipm\_send(const struct device \*dev, int wait, uint32\_t id,
			   const void \*data, int size)
{
	const struct imx\_mu\_config \*config \= dev\->config;
	MU\_Type \*base \= MU(config);
	uint32\_t data32\[IMX\_IPM\_DATA\_REGS\];
#if !IS\_ENABLED(CONFIG\_IPM\_IMX\_REV2)
	mu\_status\_t status;
#endif
	int i;

	if (id \> CONFIG\_IPM\_IMX\_MAX\_ID\_VAL) {
		return \-EINVAL;
	}

	if (size \> CONFIG\_IPM\_IMX\_MAX\_DATA\_SIZE) { /\* VULN: ineffective check if size is negative \*/
		return \-EMSGSIZE;
	}

	/\* Actual message is passing using 32 bits registers \*/
	memcpy(data32, data, size); /\* VULN: buffer overflow if size is negative \*/
...

Buffer overflow if size is negative, due to signed/unsigned conversion in /drivers/ipm/ipm\_mcux.c:

static int mcux\_mailbox\_ipm\_send(const struct device \*d, int wait,
				 uint32\_t id,
				 const void \*data, int size)
{
	const struct mcux\_mailbox\_config \*config \= d\->config;
	MAILBOX\_Type \*base \= config\->base;
	uint32\_t data32\[MCUX\_IPM\_DATA\_REGS\]; /\* Until we change API
					   \* to uint32\_t array
					   \*/
	unsigned int flags;
	int i;

	ARG\_UNUSED(wait);

	if (id \> MCUX\_IPM\_MAX\_ID\_VAL) {
		return \-EINVAL;
	}

	if (size \> MCUX\_IPM\_DATA\_REGS \* sizeof(uint32\_t)) { /\* VULN: ineffective check if size is negative \*/
		return \-EMSGSIZE;
	}

	flags \= irq\_lock();

	/\* Actual message is passing using 32 bits registers \*/
	memcpy(data32, data, size); /\* VULN: buffer overflow if size is negative \*/
...

**PoC**

I haven't tried to reproduce these potential vulnerabilities against a live install of the Zephyr OS.

**Impact**

If the inputs above are attacker-controlled and cross a security boundary, the impact of the unsigned conversion errors and buffer overflow vulnerabilities could range from denial of service to arbitrary code execution.

CVE-2023-5184: Signed to unsigned conversion errors and buffer overflow vulnerabilities in the Zephyr IPM driver

Talos disclosed 10 vulnerabilities over the past two weeks affecting a range of software, including the popular Google Chrome web browser.

Wednesday, September 27, 2023 12:09

Cisco Talos disclosed 10 vulnerabilities over the past two weeks affecting a range of software, including the popular Google Chrome web browser.

Attackers could exploit these vulnerabilities to carry out a variety of attacks, in some cases gaining the ability to execute remote code on the targeted machine.

Four of the vulnerabilities included in today’s Vulnerability Roundup that affect the Accusoft ImageGear development toolkit have a CVSS severity score of 9.8 out of a possible 10.

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.

**Use-after-free vulnerability in Google Chrome web browser**

TALOS-2023-1751 (CVE-2023-3421) is a use-after-free vulnerability that affects the Google Chrome web browser. An attacker could exploit this vulnerability by tricking the target into visiting a specially crafted HTML web page.

The vulnerability arises when an adversary manipulates a specific function in Chrome to cause an out-of-bounds heap memory access, which could lead to a heap use-after-free or heap overflow.

**Multiple vulnerabilities in Accusoft ImageGear**

Talos researchers recently discovered eight vulnerabilities in Accusoft ImageGear, a document-imaging developer toolkit that allows users to convert, edit and create images.

Three of the vulnerabilities — TALOS-2023-1802 (CVE-2023-32653), TALOS-2023-1830 (CVE-2023-39453) and TALOS-2023-1760 (CVE-2023-35002) are heap-based buffer overflow vulnerabilities that could allow an attacker to execute arbitrary code on the targeted machine. Another issue, TALOS-2023-1836 (CVE-2023-40163), also has a critical severity score of 9.8 out of 10, but in this case, a specially crafted file could lead to memory corruption.

TALOS-2023-1729 (CVE-2023-23567) can also lead to arbitrary code execution, though this vulnerability is considered less severe. An attacker could also exploit this vulnerability by supplying the target with a malformed file.

There are three other vulnerabilities Talos discovered in this software that could cause a heap-based buffer overflow condition or memory corruption if the attacker sends a specially crafted file to the target.

*   TALOS-2023-1750 (CVE-2023-32284)
*   TALOS-2023-1742 (CVE-2023-28393)
*   TALOS-2023-1749 (CVE-2023-32614)

Hancom Office is one of the most popular software packages in South Korea, offering word processing and other services similar to Microsoft Office 365.

Talos discovered a use-after-free vulnerability in HWord, the package’s word processing software. TALOS-2023-1759 (CVE-2023-32541) can be manipulated in a way that will eventually allow the attacker to execute arbitrary code if they trick the target into opening a specially crafted, malicious .doc file.

10 new vulnerabilities disclosed by Talos, including use-after-free issue in Google Chrome

Ubuntu Security Notice 6398-1 - It was discovered that ReadyMedia was vulnerable to DNS rebinding attacks. A remote attacker could possibly use this issue to trick the local DLNA server to leak information. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. It was discovered that ReadyMedia incorrectly handled certain HTTP requests using chunked transport encoding. A remote attacker could possibly use this issue to cause buffer overflows, resulting in out-of-bounds reads and writes.

==========================================================================  
Ubuntu Security Notice USN-6398-1  
September 27, 2023

minidlna vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.04  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)  
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)

Summary:

Several security issues were fixed in ReadyMedia.

Software Description:  
- minidlna: lightweight DLNA/UPnP-AV server targeted at embedded systems

Details:

It was discovered that ReadyMedia was vulnerable to DNS rebinding attacks.  
A remote attacker could possibly use this issue to trick the local DLNA  
server to leak information. This issue only affected Ubuntu 16.04 LTS,  
Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2022-26505)

It was discovered that ReadyMedia incorrectly handled certain HTTP requests  
using chunked transport encoding. A remote attacker could possibly use this  
issue to cause buffer overflows, resulting in out-of-bounds reads and writes.  
(CVE-2023-33476)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.04:  
   minidlna                        1.3.0+dfsg-2.2ubuntu0.1

Ubuntu 22.04 LTS:  
   minidlna                        1.3.0+dfsg-2.1ubuntu0.1

Ubuntu 20.04 LTS:  
   minidlna                        1.2.1+dfsg-1ubuntu0.20.04.2

Ubuntu 18.04 LTS (Available with Ubuntu Pro):  
   minidlna                        1.2.1+dfsg-1ubuntu0.18.04.1+esm1

Ubuntu 16.04 LTS (Available with Ubuntu Pro):  
   minidlna                        1.1.5+dfsg-2ubuntu0.1+esm1

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6398-1  
   CVE-2022-26505, CVE-2023-33476

Package Information:  
   https://launchpad.net/ubuntu/+source/minidlna/1.3.0+dfsg-2.2ubuntu0.1  
   https://launchpad.net/ubuntu/+source/minidlna/1.3.0+dfsg-2.1ubuntu0.1  
   https://launchpad.net/ubuntu/+source/minidlna/1.2.1+dfsg-1ubuntu0.20.04.2

Ubuntu Security Notice USN-6398-1

Potential buffer overflow vulnerabilities n the Zephyr Bluetooth subsystem.




**Summary**

I spotted a few buffer overflow vulnerabilities at the following locations in the Zephyr Bluetooth subsystem source code:  
https://github.com/zephyrproject-rtos/zephyr/blob/main/subsys/bluetooth/audio/tbs.c  
https://github.com/zephyrproject-rtos/zephyr/blob/main/subsys/bluetooth/audio/shell/mcc.c  
https://github.com/zephyrproject-rtos/zephyr/blob/main/subsys/bluetooth/audio/shell/media\_controller.c  
https://github.com/zephyrproject-rtos/zephyr/blob/main/subsys/bluetooth/host/conn.c  
https://github.com/zephyrproject-rtos/zephyr/blob/main/subsys/bluetooth/mesh/beacon.c  
https://github.com/zephyrproject-rtos/zephyr/blob/main/subsys/bluetooth/mesh/prov\_device.c  
https://github.com/zephyrproject-rtos/zephyr/blob/main/subsys/bluetooth/mesh/provisioner.c  
https://github.com/zephyrproject-rtos/zephyr/blob/main/subsys/bluetooth/mesh/shell/rpr.c

**Details**

Static buffer overflows in /subsys/bluetooth/audio/tbs.c:

int bt\_tbs\_remote\_incoming(uint8\_t bearer\_index, const char \*to,
			   const char \*from, const char \*friendly\_name)
{
	struct tbs\_service\_inst \*inst;
	struct bt\_tbs\_call \*call \= NULL;
	size\_t local\_uri\_ind\_len;
	size\_t remote\_uri\_ind\_len;
	size\_t friend\_name\_ind\_len;
...
	inst \= &svc\_insts\[bearer\_index\];
...
	if (friendly\_name) {
		inst\->friendly\_name.call\_index \= call\->index;
		(void)strcpy(inst\->friendly\_name.uri, friendly\_name); /\* VULN \*/
		friend\_name\_ind\_len \= strlen(from) + 1;
...
	if (IS\_ENABLED(CONFIG\_BT\_GTBS)) {
...
		if (friendly\_name) {
			gtbs\_inst.friendly\_name.call\_index \= call\->index;
			(void)strcpy(gtbs\_inst.friendly\_name.uri, friendly\_name); /\* VULN \*/
			friend\_name\_ind\_len \= strlen(from) + 1;
...

Stack-based buffer overflow in /subsys/bluetooth/audio/shell/mcc.c:

#ifdef CONFIG\_BT\_MCC\_OTS
static int cmd\_mcc\_send\_search\_raw(const struct shell \*sh, size\_t argc,
				   char \*argv\[\])
{
	int result;
	struct mpl\_search search;

	search.len \= strlen(argv\[1\]);
	memcpy(search.search, argv\[1\], search.len); /\* VULN \*/
	LOG\_DBG("Search string: %s", argv\[1\]);

	result \= bt\_mcc\_send\_search(default\_conn, &search);
	if (result) {
		shell\_print(sh, "Fail: %d", result);
	}
	return result;
}

Stack-based buffer overflow in /subsys/bluetooth/audio/shell/media\_controller.c:

#ifdef CONFIG\_BT\_OTS
static int cmd\_media\_set\_search(const struct shell \*sh, size\_t argc, char \*argv\[\])
{
	/\* TODO: Currently takes the raw search as input - add parameters
	 \* and build the search item here
	 \*/

	struct mpl\_search search;
	int err;

	search.len \= strlen(argv\[1\]);
	memcpy(search.search, argv\[1\], search.len); /\* VULN \*/
	LOG\_DBG("Search string: %s", argv\[1\]);

	err \= media\_proxy\_ctrl\_send\_search(current\_player, &search);
	if (err) {
		shell\_error(ctx\_shell, "Search send failed (%d)", err);
	}

	return err;
}

Heap-based buffer overflow in /subsys/bluetooth/host/conn.c:

#if defined(CONFIG\_BT\_SMP)
...
int bt\_conn\_le\_start\_encryption(struct bt\_conn \*conn, uint8\_t rand\[8\],
				uint8\_t ediv\[2\], const uint8\_t \*ltk, size\_t len)
{
	struct bt\_hci\_cp\_le\_start\_encryption \*cp;
	struct net\_buf \*buf;

	buf \= bt\_hci\_cmd\_create(BT\_HCI\_OP\_LE\_START\_ENCRYPTION, sizeof(\*cp));
	if (!buf) {
		return \-ENOBUFS;
	}

	cp \= net\_buf\_add(buf, sizeof(\*cp));
	cp\->handle \= sys\_cpu\_to\_le16(conn\->handle);
	memcpy(&cp\->rand, rand, sizeof(cp\->rand));
	memcpy(&cp\->ediv, ediv, sizeof(cp\->ediv));

	memcpy(cp\->ltk, ltk, len); /\* VULN \*/
	if (len < sizeof(cp\->ltk)) {
		(void)memset(cp\->ltk + len, 0, sizeof(cp\->ltk) \- len);
	}

	return bt\_hci\_cmd\_send\_sync(BT\_HCI\_OP\_LE\_START\_ENCRYPTION, buf, NULL);
}

Ineffective size check due to assert and buffer overflow in /subsys/bluetooth/mesh/beacon.c:

void bt\_mesh\_beacon\_priv\_random\_get(uint8\_t \*random, size\_t size)
{
	\_\_ASSERT(size <= sizeof(priv\_random.val), "Invalid random value size %u", size);
	memcpy(random, priv\_random.val, size); /\* VULN \*/
}

Static buffer overflow in /subsys/bluetooth/mesh/prov\_device.c (conf\_size could be 32 and not 16):

static void prov\_confirm(const uint8\_t \*data)
{
	uint8\_t conf\_size \= bt\_mesh\_prov\_auth\_size\_get();

	LOG\_DBG("Remote Confirm: %s", bt\_hex(data, conf\_size));

	memcpy(bt\_mesh\_prov\_link.conf, data, conf\_size); /\* VULN \*/
	notify\_input\_complete();

	send\_confirm();
}

Static buffer overflow in /subsys/bluetooth/mesh/provisioner.c (conf\_size could be 32 and not 16):

static void prov\_confirm(const uint8\_t \*data)
{
	uint8\_t conf\_size \= bt\_mesh\_prov\_auth\_size\_get();

	LOG\_DBG("Remote Confirm: %s", bt\_hex(data, conf\_size));

	if (!memcmp(data, bt\_mesh\_prov\_link.conf, conf\_size)) {
		LOG\_ERR("Confirm value is identical to ours, rejecting.");
		prov\_fail(PROV\_ERR\_CFM\_FAILED);
		return;
	}

	memcpy(bt\_mesh\_prov\_link.conf, data, conf\_size); /\* VULN \*/

	send\_random();
}

Stack-based buffer overflow in /subsys/bluetooth/mesh/shell/rpr.c:

static void rpr\_scan\_report(struct bt\_mesh\_rpr\_cli \*cli,
			    const struct bt\_mesh\_rpr\_node \*srv,
			    struct bt\_mesh\_rpr\_unprov \*unprov,
			    struct net\_buf\_simple \*adv\_data)
{
	char uuid\_hex\_str\[32 + 1\];

	bin2hex(unprov\->uuid, 16, uuid\_hex\_str, sizeof(uuid\_hex\_str));

	shell\_print(bt\_mesh\_shell\_ctx\_shell,
		    "Server 0x%04x:\\n"
		    "\\tuuid:   %s\\n"
		    "\\tOOB:    0x%04x",
		    srv\->addr, uuid\_hex\_str, unprov\->oob);

	while (adv\_data && adv\_data\->len \> 2) {
		uint8\_t len, type;
		uint8\_t data\[31\];

		len \= net\_buf\_simple\_pull\_u8(adv\_data) \- 1;
		type \= net\_buf\_simple\_pull\_u8(adv\_data);
		memcpy(data, net\_buf\_simple\_pull\_mem(adv\_data, len), len); /\* VULN \*/
		data\[len\] \= '\\0';

		if (type \== BT\_DATA\_URI) {
			shell\_print(bt\_mesh\_shell\_ctx\_shell, "\\tURI:    \\"\\\\x%02x%s\\"",
				    data\[0\], &data\[1\]);
		} else if (type \== BT\_DATA\_NAME\_COMPLETE) {
			shell\_print(bt\_mesh\_shell\_ctx\_shell, "\\tName:   \\"%s\\"", data);
		} else {
			char string\[64 + 1\];

			bin2hex(data, len, string, sizeof(string));
			shell\_print(bt\_mesh\_shell\_ctx\_shell, "\\t0x%02x:  %s", type, string);
		}
	}
}

**PoC**

I haven't tried to reproduce these potential vulnerabilities against a live install of the Zephyr OS.

**Impact**

If the unchecked inputs above are attacker-controlled and cross a security boundary, the impact of the buffer overflow vulnerabilities could range from denial of service to arbitrary code execution.

**Patches**

This has been fixed in:

*   main: #60465

**For more information**

If you have any questions or comments about this advisory:

*   Open an issue in zephyr
*   Email us at Zephyr-vulnerabilities

embargo: 2023-08-19

CVE-2023-4264: Buffer overflow vulnerabilities in the Zephyr Bluetooth subsystem

Possible buffer overflow  in Zephyr mgmt subsystem when asserts are disabled



**Summary**

I spotted a few buffer overflow vulnerabilities at the following locations in the Zephyr Mgmt subsystem source code:  
https://github.com/zephyrproject-rtos/zephyr/blob/main/subsys/mgmt/mcumgr/transport/src/smp.c  
https://github.com/zephyrproject-rtos/zephyr/blob/main/subsys/mgmt/osdp/src/osdp\_cp.c

**Details**

Buffer overflow in /subsys/mgmt/mcumgr/transport/src/smp.c:

void \*smp\_alloc\_rsp(const void \*req, void \*arg)
{
	const struct net\_buf \*req\_nb;
	struct net\_buf \*rsp\_nb;
	struct smp\_transport \*smpt \= arg;

	req\_nb \= req;

	rsp\_nb \= smp\_packet\_alloc();
	if (rsp\_nb \== NULL) {
		return NULL;
	}

	if (smpt\->functions.ud\_copy) {
		smpt\->functions.ud\_copy(rsp\_nb, req\_nb);
	} else {
		memcpy(net\_buf\_user\_data(rsp\_nb),
		       net\_buf\_user\_data((void \*)req\_nb),
		       req\_nb\->user\_data\_size); /\* VULN \*/
	}

	return rsp\_nb;
}

Buffer overflow due to assert in /subsys/mgmt/osdp/src/osdp\_cp.c:

static int cp\_build\_command(struct osdp\_pd \*pd, uint8\_t \*buf, int max\_len)
{
	struct osdp\_cmd \*cmd \= NULL;
	int len \= 0;
	int data\_off \= osdp\_phy\_packet\_get\_data\_offset(pd, buf);
#ifdef CONFIG\_OSDP\_SC\_ENABLED
	uint8\_t \*smb \= osdp\_phy\_packet\_get\_smb(pd, buf);
#endif

	buf += data\_off;
	max\_len \-= data\_off;
	if (max\_len <= 0) {
		return OSDP\_CP\_ERR\_GENERIC;
	}

	switch (pd\->cmd\_id) {
...
	case CMD\_TEXT:
		cmd \= (struct osdp\_cmd \*)pd\->ephemeral\_data;
		assert\_buf\_len(CMD\_TEXT\_LEN + cmd\->text.length, max\_len); /\* VULN: assert \*/
		buf\[len++\] \= pd\->cmd\_id;
		buf\[len++\] \= cmd\->text.reader;
		buf\[len++\] \= cmd\->text.control\_code;
		buf\[len++\] \= cmd\->text.temp\_time;
		buf\[len++\] \= cmd\->text.offset\_row;
		buf\[len++\] \= cmd\->text.offset\_col;
		buf\[len++\] \= cmd\->text.length;
		memcpy(buf + len, cmd\->text.data, cmd\->text.length); /\* VULN: buffer overflow \*/
		len += cmd\->text.length;
		break;

Buffer overflows due to assert in /subsys/mgmt/osdp/src/osdp\_pd.c:

static int pd\_build\_reply(struct osdp\_pd \*pd, uint8\_t \*buf, int max\_len)
{
	int ret \= OSDP\_PD\_ERR\_GENERIC;
	int i, len \= 0;
	struct osdp\_cmd \*cmd;
	struct osdp\_event \*event;
	int data\_off \= osdp\_phy\_packet\_get\_data\_offset(pd, buf);
#ifdef CONFIG\_OSDP\_SC\_ENABLED
	uint8\_t \*smb \= osdp\_phy\_packet\_get\_smb(pd, buf);
#endif
	buf += data\_off;
	max\_len \-= data\_off;

	switch (pd\->reply\_id) {
...
	case REPLY\_KEYPPAD:
		event \= (struct osdp\_event \*)pd\->ephemeral\_data;
		assert\_buf\_len(REPLY\_KEYPAD\_LEN + event\->keypress.length, max\_len); /\* VULN: assert \*/
		buf\[len++\] \= pd\->reply\_id;
		buf\[len++\] \= (uint8\_t)event\->keypress.reader\_no;
		buf\[len++\] \= (uint8\_t)event\->keypress.length;
		memcpy(buf + len, event\->keypress.data, event\->keypress.length); /\* VULN: buffer overflow \*/
		len += event\->keypress.length;
		ret \= OSDP\_PD\_ERR\_NONE;
		break;
	case REPLY\_RAW: {
		int len\_bytes;

		event \= (struct osdp\_event \*)pd\->ephemeral\_data;
		len\_bytes \= (event\->cardread.length + 7) / 8;
		assert\_buf\_len(REPLY\_RAW\_LEN + len\_bytes, max\_len); /\* VULN: assert \*/
		buf\[len++\] \= pd\->reply\_id;
		buf\[len++\] \= (uint8\_t)event\->cardread.reader\_no;
		buf\[len++\] \= (uint8\_t)event\->cardread.format;
		buf\[len++\] \= BYTE\_0(event\->cardread.length);
		buf\[len++\] \= BYTE\_1(event\->cardread.length);
		memcpy(buf + len, event\->cardread.data, len\_bytes); /\* VULN: buffer overflow \*/
		len += len\_bytes;
		ret \= OSDP\_PD\_ERR\_NONE;
		break;
	}
	case REPLY\_FMT:
		event \= (struct osdp\_event \*)pd\->ephemeral\_data;
		assert\_buf\_len(REPLY\_FMT\_LEN + event\->cardread.length, max\_len); /\* VULN: assert \*/
		buf\[len++\] \= pd\->reply\_id;
		buf\[len++\] \= (uint8\_t)event\->cardread.reader\_no;
		buf\[len++\] \= (uint8\_t)event\->cardread.direction;
		buf\[len++\] \= (uint8\_t)event\->cardread.length;
		memcpy(buf + len, event\->cardread.data, event\->cardread.length); /\* VULN: buffer overflow \*/
		len += event\->cardread.length;
		ret \= OSDP\_PD\_ERR\_NONE;
		break;
...

**PoC**

I haven't tried to reproduce these potential vulnerabilities against a live install of the Zephyr OS.

**Impact**

If the unchecked inputs above are attacker-controlled and cross a security boundary, the impact of the buffer overflow vulnerabilities could range from denial of service to arbitrary code execution.

CVE-2023-4262: Buffer overflow vulnerabilities in the Zephyr Mgmt subsystem

Potential off-by-one buffer overflow vulnerability in the Zephyr fuse file system.




**Summary**

I spotted an off-by-one buffer overflow vulnerability at the following location in the Zephyr FS subsystem source code:  
https://github.com/zephyrproject-rtos/zephyr/blob/main/subsys/fs/fuse\_fs\_access.c

**Details**

If the string passed to the following function via the path parameter is PATH\_MAX chars long (including the NUL terminator), the insecure sprintf() function call marked below writes one NUL byte off the stack variable mount_path:

static int fuse\_fs\_access\_readdir(const char \*path, void \*buf,
			      fuse\_fill\_dir\_t filler, off\_t off,
			      struct fuse\_file\_info \*fi)
{
	struct fs\_dir\_t dir;
	struct fs\_dirent entry;
	int err;
	struct stat stat;

	ARG\_UNUSED(off);
	ARG\_UNUSED(fi);

	if (strcmp(path, "/") \== 0) {
		return fuse\_fs\_access\_readmount(buf, filler);
	}

	fs\_dir\_t\_init(&dir);

	if (is\_mount\_point(path)) {
		/\* File system API expects trailing slash for a mount point
		 \* directory but FUSE strips the trailing slashes from
		 \* directory names so add it back.
		 \*/
		char mount\_path\[PATH\_MAX\];

		sprintf(mount\_path, "%s/", path); /\* VULN \*/
		err \= fs\_opendir(&dir, mount\_path);
	} else {
		err \= fs\_opendir(&dir, path);
	}
...

**PoC**

I haven't tried to reproduce this potential vulnerability against a live install of the Zephyr OS.

**Impact**

If the unchecked input above is attacker-controlled and crosses a security boundary, depending on stack layout, the off-by-one buffer overflow vulnerability could be exploited to cause a denial of service or even achieve arbitrary code execution.

CVE-2023-4260: Off-by-one buffer overflow vulnerability in the Zephyr FS subsystem

A permissions issue was addressed with improved redaction of sensitive information. This issue is fixed in macOS Sonoma 14. An app may be able to access sensitive user data.

CVE-2023-23495: About the security content of macOS Sonoma 14

Categories: Android
Categories: Apple
Categories: Exploits and vulnerabilities
Tags: Pegasus

Tags:  spyware

Tags:  nso

Tags:  webp

Tags:  libwebp

Tags:  buffer overflow

The company behind the infamous Pegasus spyware used a vulnerability in almost every browser to plant their malware on victim's devices.



(Read more...)




The post Pegasus spyware and how it exploited a WebP vulnerability appeared first on Malwarebytes Labs.

Recent events have demonstrated very clearly just how persistent and wide-spread the Pegasus spyware is. For those that have missed the subtle clues, we have tried to construct a clear picture. We attempted to follow the timeline of events, but have made some adjustments to keep the flow of the story alive.

On September 12, 2023 we published two blogs urging our readers to urgently patch two Apple issues which were added to the catalog of known exploited vulnerabilities by the Cybersecurity & Infrastructure Security Agency (CISA), and to apply an update for Chrome that included one critical security fix for an actively exploited vulnerability.

The vulnerabilities were discovered as zero-days by CitizenLab, while checking the device of an individual employed by a Washington DC-based civil society organization with international offices. The exploit chain based on these vulnerabilities was capable of compromising devices without any interaction from the victim and were reportedly used by the NSO Group to deliver its infamous Pegasus spyware.

Both of the vulnerabilities, CVE-2023-41064 and CVE-2023-4863 were based on a heap buffer overflow in Libwebp, the code library used to encode and decode images in the WebP format. This library can be used in other programs, such as web browsers, to add WebP support.

Security expert Ben Hawkes figured out that the vulnerability was to be found in the "lossless compression" support for WebP, sometimes known as VP8L. A lossless image format can store and restore pixels with 100% accuracy, and WebP does this using an algorithm called Huffman coding.

As we saw in the vulnerability descriptions, both vulnerabilities were buffer overflow issues. A buffer overflow is a type of software vulnerability that exists when an area of memory within a software application reaches its address boundary and writes into an adjacent memory region.

The vulnerable versions of libwebp use memory allocations based on pre-calculated buffer sizes from a fixed table, and then construct the necessary Huffman tables directly into that allocation. By creating specially crafted image files that tricked libwebp into creating tables that were too small to contain all the values, the data would overflow into other memory locations.

Even a weathered security expert like Ben Hawkes, who figured out where the problem was, had a hard time finding a way to exploit this issue. Let alone how hard it must have been when there was no clue that a vulnerability even existed. It helps that libwebp is an open source library, so anyone interested can review the code. Ben explained that even extensive fuzzing had never revealed the problem.

Someone, or a group of people, must have taken it upon themselves to really dive into the code. Ben wrote:

> “In practice, I suspect this bug was discovered through manual code review. In reviewing the code, you  would see the huffman\_tables allocation being made during header parsing of a VP8L file, so naturally you would look to see how it's used. You would then try to rationalize the lack of bounds checks on the huffman\_tables allocation, and if you're persistent enough, you would progressively go deeper and deeper into the problem before realizing that the code was subtly broken. I suspect that most code auditors aren't that persistent though -- this Huffman code stuff is mind bending -- so I'm impressed.”

Then again, seeing the amount of money that one could cash in for a fully functional exploit chain, there should be more than enough people willing to put in the work and shove their conscience aside.

_20 million dollar for top-tier full-chain mobile exploits_

And although Google and Apple have issued updates to patch this vulnerability, libwebp is used in many other applications. And it may take a while before the Android update trickles down to every make and model. Regular readers may know that when there is an update for the Android operating system—software that sits at the core of about 70% of all mobile devices—it can take a very long time to reach end users due to a patch gap. This is because many mobile phone vendors sell their devices with their own tweaked versions of Android and the patches need to be tested before they can be rolled out on those versions.

The NSO group that markets the Pegasus spyware have shown they are interested in acquiring such exploits. As we wrote years ago, the Pegasus spyware has been around for years and we should not ignore its existence.

Our own David Ruiz wrote:

> “Pegasus is reportedly instrumental to several governments’ oppressive surveillance campaigns against their own citizens and residents, and, while NSO Group has repeatedly denied allegations that it complicitly sells Pegasus to human right abusers, it is difficult to reconcile exactly how the zero-click spyware program—which non-consensually and invisibly steals emails, text messages, photos, videos, locations, passwords, and social media activity—is at the same time a tool that can, in its very use, respect the rights of those around the world to speak freely, associate safely, and live privately.”

Pegasus is not new. The company behind it launched in 2010, and it reportedly gained its first overseas customer just one year later. For years, Citizen Lab has been tracking the spread of Pegasus, searching for government clients and tracking down mobile devices that were hacked by the spyware. Back in 2016, the group’s investigations helped spur MacOS updates to fix severe vulnerabilities that could have been exploited by Pegasus. In 2018, Citizen Lab also identified 45 countries that were potentially relying on Pegasus to conduct surveillance.

After learning about the findings from The Pegasus Project, former NSA defense contractor and surveillance whistleblower Edward Snowden warned that spyware is not a small problem. It is, he said, everywhere.

> “When I look at this, what the Pegasus Project has revealed is a sector where the only product are infection vectors, right? They don’t—they’re not security products. They’re not providing any kind of protection, any kind of prophylactic.”

Snowden said.

> “They don’t make vaccines. The only thing they sell is the virus.”

**We don’t just report on Android and iOS security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your Android devices by downloading Malwarebytes for Android today. And keep threats off your iOS devices by downloading Malwarebytes for iOS today.

Pegasus spyware and how it exploited a WebP vulnerability

Two potential buffer overflow vulnerabilities at the following locations in the Zephyr eS-WiFi driver source code.

**Summary**

I spotted two potential buffer overflow vulnerabilities at the following locations in the Zephyr eS-WiFi driver source code:  
https://github.com/zephyrproject-rtos/zephyr/blob/main/drivers/wifi/eswifi/eswifi\_core.c#L493  
https://github.com/zephyrproject-rtos/zephyr/blob/main/drivers/wifi/eswifi/eswifi\_shell.c#L43

**Details**

Potential off-by-one buffer overflow in /drivers/wifi/eswifi/eswifi\_core.c:

int eswifi\_mgmt\_iface\_status(const struct device \*dev,
			     struct wifi\_iface\_status \*status)
{
	struct eswifi\_dev \*eswifi \= dev\->data;
	struct eswifi\_sta \*sta \= &eswifi\->sta;

	/\* Update status \*/
	eswifi\_status\_work(&eswifi\->status\_work.work);

	if (!sta\->connected) {
		status\->state \= WIFI\_STATE\_DISCONNECTED;
		return 0;
	}

	status\->state \= WIFI\_STATE\_COMPLETED;
	strcpy(status\->ssid, sta\->ssid); /\* VULN: off-by-one (sta->ssid\[33\] copied over status->ssid\[32\]) \*/ 
	status\->ssid\_len \= strlen(sta\->ssid);
	status\->band \= WIFI\_FREQ\_BAND\_2\_4\_GHZ;
	status\->channel \= 0;
...

Potential static buffer overflow in /drivers/wifi/eswifi/eswifi\_shell.c:

static int eswifi\_shell\_atcmd(const struct shell \*sh, size\_t argc,
			      char \*\*argv)
{
	int i;

	if (eswifi \== NULL) {
		shell\_print(sh, "no eswifi device registered");
		return \-ENOEXEC;
	}

	if (argc < 2) {
		shell\_help(sh);
		return \-ENOEXEC;
	}

	eswifi\_lock(eswifi);

	memset(eswifi\->buf, 0, sizeof(eswifi\->buf));
	for (i \= 1; i < argc; i++) {
		strcat(eswifi\->buf, argv\[i\]); /\* VULN: static buffer overflow \*/
	}
	strcat(eswifi\->buf, "\\r");

	shell\_print(sh, "> %s", eswifi\->buf);
	eswifi\_at\_cmd(eswifi, eswifi\->buf);
	shell\_print(sh, "< %s", eswifi\->buf);

	eswifi\_unlock(eswifi);

	return 0;
}

**PoC**

I haven't tried to reproduce these potential vulnerabilities against a live install of the Zephyr OS.

**Impact**

If the unchecked inputs above are attacker-controlled and cross a security boundary, the impact of the buffer overflow vulnerabilities could range from denial of service to arbitrary code execution.

Tag

#buffer_overflow