Buffer Overflow vulnerability in VirusTotal yara v.4.3.2 allows a remote attacker to execute arbtirary code via the yr_execute_cod function in the exe.c component.

**Describe the bug**  
AddressSanitizer: heap-buffer-overflow libyara/exec.c:1426 in yr\_execute\_code

**To Reproduce**  
Steps to reproduce the behavior:  
1, compile yara with asan: ./configure CC=gcc CXX=g++ CFLAGS="-g -O0 -fsanitize=address" CXXFLAGS="-g -O0 -fsanitize=address" LDFLAGS="-g -O0 -fsanitize=address"  
2, run this command: ./yara -C PoC binFile

**Please complete the following information:**

*   OS: ubuntu 20.04
*   YARA version: 4.3.2

****Additional context**  
ASAN reprot:**

\==1855158==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604000000248 at pc 0x7f168933dfaf bp 0x7ffd229d5530 sp 0x7ffd229d5520  
READ of size 8 at 0x604000000248 thread T0  
#0 0x7f168933dfae in yr\_execute\_code libyara/exec.c:1426  
#1 0x7f16893a1cd8 in yr\_scanner\_scan\_mem\_blocks libyara/scanner.c:526  
#2 0x7f16893a27a0 in yr\_scanner\_scan\_mem libyara/scanner.c:670  
#3 0x7f16893a2b3e in yr\_scanner\_scan\_fd libyara/scanner.c:706  
#4 0x55aa2e6ed11a in scan\_file cli/yara.c:736  
#5 0x55aa2e6f1444 in main cli/yara.c:1654  
#6 0x7f1688c22082 in \_\_libc\_start\_main ../csu/libc-start.c:308  
#7 0x55aa2e6e9ced in \_start (/home/root/latestFiles/yara-4.3.2/.libs/yara+0x7ced)

0x604000000248 is located 8 bytes to the left of 48-byte region \[0x604000000250,0x604000000280)  
allocated by thread T0 here:  
#0 0x7f1689535a06 in \_\_interceptor\_calloc ../../../../src/libsanitizer/asan/asan\_malloc\_linux.cc:153  
#1 0x7f168936db41 in yr\_calloc libyara/mem.c:127  
#2 0x7f168939fe48 in yr\_scanner\_create libyara/scanner.c:242  
#3 0x55aa2e6f12af in main cli/yara.c:1640  
#4 0x7f1688c22082 in \_\_libc\_start\_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-buffer-overflow libyara/exec.c:1426 in yr\_execute\_code  
Shadow bytes around the buggy address:  
0x0c087fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c087fff8000: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 00 fa  
0x0c087fff8010: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 00 fa  
0x0c087fff8020: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 00 fa  
0x0c087fff8030: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 00 fa  
\=>0x0c087fff8040: fa fa 00 00 00 00 00 00 fa\[fa\]00 00 00 00 00 00  
0x0c087fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c087fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c087fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c087fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c087fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
Shadow byte legend (one shadow byte represents 8 application bytes):  
Addressable: 00  
Partially addressable: 01 02 03 04 05 06 07  
Heap left redzone: fa  
Freed heap region: fd  
Stack left redzone: f1  
Stack mid redzone: f2  
Stack right redzone: f3  
Stack after return: f5  
Stack use after scope: f8  
Global redzone: f9  
Global init order: f6  
Poisoned by user: f7  
Container overflow: fc  
Array cookie: ac  
Intra object redzone: bb  
ASan internal: fe  
Left alloca redzone: ca  
Right alloca redzone: cb  
Shadow gap: cc  
\==1855158==ABORTING

CVE-2023-40857: heap-buffer-overflow libyara/exec.c:1426 in yr_execute_code · Issue #1945 · VirusTotal/yara

Buffer Overflow vulnerability in O-RAN Software Community ric-plt-lib-rmr v.4.9.0 allows a remote attacker to cause a denial of service via a crafted packet.

Hello,

I would like to report an issue related to the incorrect format in the rmr library (ric-plt-lib-rmr).

When RMR service receives a packet in an incorrect format, it crash during the packet parsing process

*   First, the header is extracted from the received packet. Due to the packet's incorrect format, the header value becomes abnormal.
*   Then, a memory location is calculated, leading to an illegal access in **d1**, as shown in the attached image.

This is my initial analysis, and there might be errors. Please kindly forgive any mistakes.

Through xApp, we can send packets of this nature to services that utilize this RMR library, leading to the disruption of the services.

This problem can be found in components that utilize the RMR library.

CVE-2023-40997: [RIC-991] RMR: Crashes caused by improperly formatted packets

Buffer Overflow vulnerability in O-RAN Software Community ric-plt-lib-rmr v.4.9.0 allows a remote attacker to cause a denial of service via the packet size component.

Hello,

I would like to report an issue related to the packet size in the rmr library (ric-plt-lib-rmr).

When processing received packets, the library decodes the first 4 bytes as the packet size.

However, if the decoding result is a negative value, it leads to a subsequent core dump during the memcpy operation.

Through xApp, we can send packets of this nature to services that utilize this RMR library, leading to the disruption of the services.

This problem can be found in components that utilize the RMR library. For example, in the e2term, when receiving a packet with a decoded negative packet size on port 4561, it triggers this crash.

I have attached images of the packets that led to the crash and the decoded packets.

CVE-2023-40998: [RIC-989] RMR: Negative Packet Size Causes Crash

Tenda AC6 US_AC6V1.0BR_V15.03.05.16_multi_TD01.bin is vulnerable to Buffer Overflow via function sub_90998.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-40846: Digging/Tenda/AC6/bof/9/9.md at main · XYIYM/Digging

Notepad++ is a free and open-source source code editor. Versions 8.5.6 and prior are vulnerable to global buffer read overflow in `CharDistributionAnalysis::HandleOneChar`. The exploitability of this issue is not clear. Potentially, it may be used to leak internal memory allocation information. As of time of publication, no known patches are available in existing versions of Notepad++.

CVE-2023-40036: GHSL-2023-112, GHSL-2023-102, GHSL-2023-103, GHSL-2023-092: Buffer Overflows in Notepad++ - CVE-2023-40031, CVE-2023-40036, CVE-2023-40164, CVE-2023-40166

Tenda AX3 v16.03.12.11 has a stack buffer overflow vulnerability detected at function form_fast_setting_wifi_set. This vulnerability allows attackers to cause a Denial of Service (DoS) via the ssid parameter.

CVE-2023-40915: IoT_vuln/Tenda/AX3/form_fast_setting_wifi_set.md at main · Korey0sh1/IoT_vuln

giflib v5.2.1 was discovered to contain a segmentation fault via the component getarg.c.

Notify CVE about a publication

\[CVE ID\]

CVE-2023-39741

\[Vulnerability Type\]

\> Buffer Overflow

\>

\> ------------------------------------------

\>

\> \[Vendor of Product\]

\> the development group

\>

\> ------------------------------------------

\>

\> \[Affected Product Code Base\]

\> lrzip - 0.651

\>

\> ------------------------------------------

\>

\> \[Affected Component\]

\> lrzip 0.651

\>

\> ------------------------------------------

\>

\> \[Impact Denial of Service\]

\> true

\>

\> ------------------------------------------

\>

\> \[Attack Vectors\]

\> a crafted file

\> \[Suggested description\]

\>lrzip v0.651 was discovered to contain a heap overflow via the libzpaq::PostProcessor::write(int) function at /libzpaq/libzpaq.cpp.

This vulnerability allows attackers to cause a Denial of Service (DoS)> via a crafted file.

\>\[CVE ID\]

\>CVE-2023-39742

\> ------------------------------------------

\>

\> \[Vulnerability Type\]

\> Buffer Overflow

\>

\> ------------------------------------------

\>

\> \[Vendor of Product\]

\> the development group

\>

\> ------------------------------------------

\>

\> \[Affected Product Code Base\]

\> giflib - 5.2.1

\>

\> ------------------------------------------

\>

\> \[Affected Component\]

\> giflib

\>

\> ------------------------------------------

\>

\> \[Attack Type\]

\> Local

\>

\> ------------------------------------------

\>

\> \[Impact Denial of Service\]

\> true

\>

\> ------------------------------------------

\>

\> \[Attack Vectors\]

\> invalid args

\>

\> ------------------------------------------

\>

\> \[Reference\]

\> https://sourceforge.net/p/giflib/bugs/166/

\>

\> ------------------------------------------

\> \[Suggested description\]

\> giflib v5.2.1 was discovered to contain a segmentation fault via the component getarg.c.

\>

\[CVE ID\]

CVE-2023-39743

\> ------------------------------------------

\>

\> \[VulnerabilityType Other\]

\> Access Violation

\>

\> ------------------------------------------

\>

\> \[Vendor of Product\]

\> the development group

\>

\> ------------------------------------------

\>

\> \[Affected Product Code Base\]

\> lrzip-next - LZMA 23.01

\>

\> ------------------------------------------

\>

\> \[Affected Component\]

\> lrzip-next

\>

\> ------------------------------------------

\>

\> \[Impact Denial of Service\]

\> true

\>

\> ------------------------------------------

\>

\> \[Attack Vectors\]

\> a crafted lrz file

\>

\> ------------------------------------------

\>

\> \[Reference\]

\> https://github.com/huanglei3/lrzip-next-poc/tree/main

\> https://github.com/pete4abw/lrzip-next/issues/132

\>

\> ------------------------------------------

\> \[Suggested description\]

\> lrzip-next LZMA v23.01 was discovered to contain an access violation via the component /bz3\_decode\_block src/libbz3.c.

CVE-2023-39742: Notify CVE about a publication

A stack-based buffer overflow exists in Juplink RX4-1500, a WiFi router, in versions 1.0.2 through 1.0.5. An authenticated attacker can exploit this vulnerability to achieve code execution as root.



**EIP-b5185f25**

A stack-based buffer overflow exists in Juplink RX4-1500, a WiFi router. An authenticated attacker can exploit this vulnerability to achieve code execution as root.

Vulnerability Identifiers

*   Exodus Intelligence: EIP-b5185f25
*   MITRE: CVE-2023-41028

**Vulnerability Metrics**

*   CVSSv2 Vector: AV:A/AC:L/Au:S/C:C/I:C/A:C
*   CVSSv2 Score: 7.7

**Vendor References**

*   The affected product is end-of-life and no patches are available.

**Discovery Credit**

*   Exodus Intelligence

**Disclosure Timeline**

*   Vendor response to disclosure: August 21, 2021
*   Disclosed to public: August 23, 2023

**Further Information**

Readers of this advisory who are interested in receiving further details around the vulnerability, mitigations, detection guidance, and more can contact us at sales@exodusintel.com.

Researchers who are interested in monetizing their 0day and Nday can work with us through our Research Sponsorship Program (RSP).

CVE-2023-41028: Juplink RX4-1500 Stack-based Buffer Overflow Vulnerability - Exodus Intelligence

Buffer Copy without Checking Size of Input ('Classic Buffer Overflow'), Out-of-bounds Write, Download of Code Without Integrity Check vulnerability in Silicon Labs Gecko Bootloader on ARM (Firmware Update File Parser modules) allows Code Injection, Authentication Bypass.This issue affects "Standalone" and "Application" versions of Gecko Bootloader.



CVE-2023-4041

Buffer Overflow vulnerability in function bitwriter_grow_ in flac before 1.4.0 allows remote attackers to run arbitrary code via crafted input to the encoder.

we found wild-addr-write by fuzzing flac-master:

    ==217==ERROR: AddressSanitizer: SEGV on unknown address 0xb6029a2c (pc 0x0822a2ae bp 0xffeb31e8 sp 0xffeb30a0 T0)
    ==217==The signal is caused by a WRITE memory access.
    SCARINESS: 30 (wild-addr-write)
        #0 0x822a2ad in FLAC__bitwriter_write_raw_uint32_nocheck /src/flac/src/libFLAC/bitwriter.c
        #1 0x8229a42 in FLAC__bitwriter_write_raw_uint32 /src/flac/src/libFLAC/bitwriter.c:369:9
        #2 0x8218ec3 in FLAC__frame_add_header /src/flac/src/libFLAC/stream_encoder_framing.c:227:6
        #3 0x820557b in process_subframes_ /src/flac/src/libFLAC/stream_encoder.c:3365:7
        #4 0x81d940f in process_frame_ /src/flac/src/libFLAC/stream_encoder.c:3096:6
        #5 0x81f3770 in FLAC__stream_encoder_process_interleaved /src/flac/src/libFLAC/stream_encoder.c:2298:9
        #6 0x81bfa80 in FLAC::Encoder::Stream::process_interleaved(int const*, unsigned int) /src/flac/src/libFLAC++/stream_encoder.cpp:370:29
        #7 0x81ac167 in LLVMFuzzerTestOneInput /src/flac-fuzzers/fuzzer_encoder.cpp:141:46
        #8 0x80ac766 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned int) /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:556:15
        #9 0x8098c13 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned int) /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:292:6
        #10 0x809e318 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned int)) /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:774:9
        #11 0x80c3167 in main /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10
        #12 0xf7539636 in __libc_start_main (/lib32/libc.so.6+0x18636)
        #13 0x8073c38 in _start (/out/flac/fuzzer_encoder+0x8073c38)
    

here is my debug info:  
bw->buffer was realloc here

    bitwriter_grow_ (bw=0xf5a00a90, bits_to_add=62914562) at bitwriter.c:128
    128		if(new_buffer == 0)
    (gdb) n
    130		bw->buffer = new_buffer;
    (gdb) l
    125		FLAC__ASSERT(new_capacity >= bw->words + ((bw->bits + bits_to_add + FLAC__BITS_PER_WORD - 1) / FLAC__BITS_PER_WORD));
    126
    127		new_buffer = safe_realloc_mul_2op_(bw->buffer, sizeof(bwword), /*times*/new_capacity);
    128		if(new_buffer == 0)
    129			return false;
    130		bw->buffer = new_buffer;
    131		bw->capacity = new_capacity;
    132		return true;
    133	}
    134
    (gdb) p new_buffer
    $1 = (bwword *) 0x7abd7800
    (gdb) p new_capacity
    $2 = 250956800
    

later, bw->buffer was freed but it's value NOT set to 0

    156	static inline void *safe_realloc_(void *ptr, size_t size)
    157	{
    158		void *oldptr = ptr;
    159		void *newptr = realloc(ptr, size);
    160		if(size > 0 && newptr == 0)
    161			free(oldptr);
    162		return newptr;
    (gdb) n
    159		void *newptr = realloc(ptr, size);
    (gdb) n
    160		if(size > 0 && newptr == 0)
    (gdb) p newptr
    $4 = (void *) 0x0
    (gdb) p size
    $5 = 1006448640
    (gdb) n
    161			free(oldptr);
    (gdb) p oldptr
    $6 = (void *) 0x7abd7800
    (gdb) n
    162		return newptr;
    (gdb) n
    safe_realloc_mul_2op_ (ptr=0x7abd7800, size1=4, size2=251612160) at ../../include/share/alloc.h:206
    206	}
    (gdb) n
    bitwriter_grow_ (bw=0xf5a00a90, bits_to_add=20971521) at bitwriter.c:128
    128		if(new_buffer == 0)
    (gdb) l
    123		FLAC__ASSERT(0 == (new_capacity - bw->capacity) % FLAC__BITWRITER_DEFAULT_INCREMENT);
    124		FLAC__ASSERT(new_capacity > bw->capacity);
    125		FLAC__ASSERT(new_capacity >= bw->words + ((bw->bits + bits_to_add + FLAC__BITS_PER_WORD - 1) / FLAC__BITS_PER_WORD));
    126
    127		new_buffer = safe_realloc_mul_2op_(bw->buffer, sizeof(bwword), /*times*/new_capacity);
    128		if(new_buffer == 0)
    129			return false;
    130		bw->buffer = new_buffer;
    131		bw->capacity = new_capacity;
    132		return true;
    (gdb) p bw->buffer
    $7 = (bwword *) 0x7abd7800
    (gdb) p bw->capacity
    $8 = 250956800
    (gdb) n
    129			return false

Tag

#buffer_overflow