Windows Pragmatic General Multicast (PGM) Denial of Service Vulnerability

CVE-2023-24940

U.S. authorities have announced the seizure of 13 internet domains that offered DDoS-for-hire services to other criminal actors.
The takedown is part of an ongoing international initiative dubbed Operation PowerOFF that's aimed at dismantling criminal DDoS-for-hire infrastructures worldwide.
The development comes almost five months after a "sweep" in December 2022 dismantled 48 similar services

Cyber Crime / DDoS Attack

U.S. authorities have announced the seizure of 13 internet domains that offered DDoS-for-hire services to other criminal actors.

The takedown is part of an ongoing international initiative dubbed Operation PowerOFF that's aimed at dismantling criminal DDoS-for-hire infrastructures worldwide.

The development comes almost five months after a "sweep" in December 2022 dismantled 48 similar services for abetting paying users to launch distributed denial-of-service (DDoS) attacks against targets of interest.

This includes school districts, universities, financial institutions, and government websites, according to the U.S. Department of Justice (DoJ).

Ten of the 13 illicit domains seized are "reincarnations" of booter or stresser services that were previously shuttered towards the end of last year.

"In recent years, booter services have continued to proliferate, as they offer a low barrier to entry for users looking to engage in cybercriminal activity," DoJ said in a press release on Monday.

"In addition to harming victims by disrupting or degrading access to the internet, attacks from booter services can also completely sever internet connections for other customers served by the same internet service provider via a shared connection point."

Parallel to the domain seizures, the DoJ also said that four of the six individuals who were charged in December 2022 in connection with operating the services have entered into a guilty plea.

The defendants – Jeremiah Sam Evans Miller, 23, of San Antonio, Texas; Angel Manuel Colon Jr., 37, of Belleview, Florida; Shamar Shattock, 19, of Margate, Florida; and Cory Anthony Palmer, 23, of Lauderhill, Florida – are expected to be sentenced later this year.

**Try2Check Card-Checking Service Goes Down**

The announcement comes days after the disruption of Try2Check (aka Try2Services) following a decade-long investigation, an illegal online platform that enabled threat actors to check the status of stolen credit card numbers in their possession and determine if they were valid and active.

The DoJ also charged a 43-year-old Russian national, Denis Gennadievich Kulkov, for his role in creating and turning the service into a "primary tool of the illicit credit card trade," with the State Department offering a $10 million reward for information leading to his arrest.

The department is further extending a separate bounty of up to $1 million for any specifics that will help to identify other key leaders of the Try2Check cybercrime group.

UPCOMING WEBINAR

Learn to Stop Ransomware with Real-Time Protection

Join our webinar and learn how to stop ransomware attacks in their tracks with real-time MFA and service account protection.

Save My Seat!

The fraudulent platform, per the indictment, allegedly misused the systems of a prominent U.S.-based payment processing firm to perform the card checks by exploiting its preauthorization service. The name of the company was not disclosed.

Try2Check, which launched in 2005, is estimated to have processed tens of millions of credit card checks every year and facilitated the operations of several major card shops like Joker's Stash that specialized in bulk trafficking of stolen credit cards. As of February 2022, a single card check cost $0.20.

"Through the illegal operation of his websites, the defendant made at least $18 million in bitcoin (as well as an unknown amount through other payment systems), which he used to purchase a Ferrari, among other luxury items," the DoJ noted.

The indictment against Kulkov also arrives weeks after Denis Mihaqlovic Dubnikov, who pleaded guilty to charges of money laundering for the Ryuk ransomware gang earlier this year, was sentenced to time served and ordered to forfeit $2,000 in illegal profits.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

U.S. Authorities Seize 13 Domains Offering Criminal DDoS-for-Hire Services

Buffer Overflow vulnerability found in Libtiff V.4.0.7 allows a local attacker to cause a denial of service via the tiffcp function in tiffcp.c.

CVE-2023-30086

An issue found in Frrouting bgpd v.8.4.2 allows a remote attacker to cause a denial of service via the bgp_capability_llgr() function.

**Describe the bug**

*   Did you check if this is a duplicate issue?
*   Did you test it on the latest FRRouting/frr master branch?

Hello, I have find a bug in bgp\_capability\_llgr that it length check is wrong. In the draft document it has 7 bytes as shown in the following figure.

The capability value consists of zero or more tuples <AFI, SAFI,  
Flags, Long-lived Stale Time> as follows:

      +--------------------------------------------------+
      | Address Family Identifier (16 bits)              |
      +--------------------------------------------------+
      | Subsequent Address Family Identifier (8 bits)    |
      +--------------------------------------------------+
      | Flags for Address Family (8 bits)                |
      +--------------------------------------------------+
      | Long-lived Stale Time (24 bits)                  |
      +--------------------------------------------------+
    

While, in the code it only check 4 bytes.

    while (stream_get_getp(s) + 4 <= end) {
    	afi_t afi;
    	safi_t safi;
    	iana_afi_t pkt_afi = stream_getw(s);
    	iana_safi_t pkt_safi = stream_getc(s);
    	uint8_t flags = stream_getc(s);
    	uint32_t stale_time = stream_get3(s);
    
       }
    

**To Reproduce**  
If I construct a packet only has 6 bytes of the llgr, the frrrouting will crash.

BGP: in thread bgp\_process\_packet scheduled from bgpd/bgp\_io.c:269 bgp\_process\_reads()  
core\_handler: showing active allocations in memory group libfrr  
core\_handler: memstats: Buffer : 2 \* 24  
core\_handler: memstats: Host config : 8 \* (variably sized)  
core\_handler: memstats: Command Tokens : 12082 \* 72  
core\_handler: memstats: Command Token Text : 8746 \* (variably sized)  
core\_handler: memstats: Command Token Help : 8746 \* (variably sized)  
core\_handler: memstats: Command Argument Name : 2052 \* (variably sized)  
core\_handler: memstats: RCU thread : 2 \* 128  
core\_handler: memstats: FRR POSIX Thread : 4 \* (variably sized)  
core\_handler: memstats: POSIX sync primitives : 4 \* (variably sized)  
core\_handler: memstats: Graph : 40 \* 8  
core\_handler: memstats: Graph Node : 14266 \* 32  
core\_handler: memstats: Hash : 573 \* (variably sized)  
core\_handler: memstats: Hash Bucket : 2340 \* 32  
core\_handler: memstats: Hash Index : 287 \* (variably sized)  
core\_handler: memstats: Link List : 36 \* 40  
core\_handler: memstats: Link Node : 334 \* 24  
core\_handler: memstats: Temporary memory : 15 \* (variably sized)  
core\_handler: memstats: Bitfield memory : 2 \* (variably sized)  
core\_handler: memstats: Northbound Node : 240 \* 1192  
core\_handler: memstats: Northbound Configuration : 2 \* 16  
core\_handler: memstats: Privilege information : 3 \* (variably sized)  
core\_handler: memstats: Ring buffer : 6 \* (variably sized)  
core\_handler: memstats: Skip List : 2 \* 56  
core\_handler: memstats: Skip Node : 2 \* 160  
core\_handler: memstats: Skiplist Counters : 2 \* 68  
core\_handler: memstats: Socket union : 2 \* 112  
core\_handler: memstats: Stream : 12 \* (variably sized)  
core\_handler: memstats: Stream FIFO : 6 \* 64  
core\_handler: memstats: Route table : 100 \* 56  
core\_handler: memstats: Thread : 15 \* 160  
core\_handler: memstats: Thread master : 12 \* (variably sized)  
core\_handler: memstats: Thread Poll Info : 6 \* 8388608  
core\_handler: memstats: Thread stats : 18 \* 96  
core\_handler: memstats: Typed-hash bucket : 5 \* (variably sized)  
core\_handler: memstats: Typed-heap array : 1 \* 576  
core\_handler: memstats: Vector : 28613 \* 24  
core\_handler: memstats: Vector index : 28613 \* (variably sized)  
core\_handler: memstats: VRF : 1 \* 216  
core\_handler: memstats: VTY server : 3 \* 32  
core\_handler: memstats: Work queue : 3 \* 152  
core\_handler: memstats: Work queue name string : 3 \* (variably sized)  
core\_handler: memstats: YANG module : 5 \* 48  
core\_handler: memstats: Zclient : 2 \* 3144  
core\_handler: memstats: Redistribution instance IDs : 6 \* 2  
core\_handler: memstats: log thread-local buffer : 2 \* 24608  
core\_handler: showing active allocations in memory group logging subsystem  
core\_handler: memstats: log file target : 2 \* 88  
core\_handler: memstats: log file name : 1 \* 14  
core\_handler: showing active allocations in memory group bgpd  
core\_handler: memstats: BGP instance : 2 \* (variably sized)  
core\_handler: memstats: BGP listen socket details : 2 \* 144  
core\_handler: memstats: BGP peer : 3 \* 740824  
core\_handler: memstats: BGP peer hostname : 4 \* (variably sized)  
core\_handler: memstats: BGP peer af : 2 \* 80  
core\_handler: memstats: BGP attribute : 1 \* 312  
core\_handler: memstats: BGP aspath : 1 \* 40  
core\_handler: memstats: BGP aspath str : 1 \* 1  
core\_handler: memstats: BGP table : 87 \* 56  
core\_handler: memstats: BGP node : 2 \* 192  
core\_handler: memstats: BGP route : 1 \* 112  
core\_handler: memstats: BGP static : 1 \* 144  
core\_handler: memstats: BGP synchronise : 63 \* 72  
core\_handler: memstats: community-list handler : 1 \* 120  
core\_handler: memstats: BGP nexthop : 1 \* 184  
core\_handler: memstats: BGP EVPN MH Information : 1 \* 56  
core\_handler: memstats: BGP PBR Context : 1 \* 32  
core\_handler: memstats: BGP EVPN instance information : 1 \* 56  
core\_handler: showing active allocations in memory group rfapi  
core\_handler: memstats: NVE Configuration : 1 \* 2984  
core\_handler: memstats: RFAPI Generic : 1 \* 296  
core\_handler: memstats: RFAPI Import Table : 1 \* 208  
Aborted (core dumped)

**Expected behavior**

**Screenshots**

**Versions**

*   OS Version:

*   Kernel:

*   FRR Version:

**Additional context**

CVE-2023-31489: bgpd: the length check of bgp_capability_llgr is not correct · Issue #13098 · FRRouting/frr

An issue found in Frrouting bgpd v.8.4.2 allows a remote attacker to cause a denial of service via the bgp_attr_psid_sub() function.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

**Comments**

**Describe the bug**

*   Did you check if this is a duplicate issue?
*   Did you test it on the latest FRRouting/frr master branch?

Hello, I have find a bug in bgp\_attr\_psid\_sub, there is a missing check of the type = BGP\_PREFIX\_SID\_SRV6\_L3\_SERVICE when using stream\_getc to get reseverd field.

    /* Placeholder code for the SRv6 L3 Service type */
    else if (type == BGP_PREFIX_SID_SRV6_L3_SERVICE) {
    	if (STREAM_READABLE(peer->curr) < length) {
    		flog_err(
    			EC_BGP_ATTR_LEN,
    			"Prefix SID SRv6 L3-Service length is %hu, but only %zu bytes remain",
    			length, STREAM_READABLE(peer->curr));
    		return bgp_attr_malformed(args,
    			 BGP_NOTIFY_UPDATE_ATTR_LENG_ERR,
    			 args->total);
    	}
    
    	/* ignore reserved */
    	stream_getc(peer->curr);
    

**To Reproduce**

When I construct a psid\_sub TLV, Type = 5 and Length = 0, Frrouting will crash.  
**Expected behavior**

**Screenshots**

**Versions**

*   OS Version:

*   Kernel:

*   FRR Version:

**Additional context**

I pushed a PR for this back in December but it's been stalled due to me being busy with some other stuff  
#12454

I'll get back to it today and get this in

> **Describe the bug**
> 
> *   Did you check if this is a duplicate issue?
> *   Did you test it on the latest FRRouting/frr master branch?
> 
> Hello, I have find a bug in bgp\_attr\_psid\_sub, there is a missing check of the type = BGP\_PREFIX\_SID\_SRV6\_L3\_SERVICE when using stream\_getc to get reseverd field.
> 
>     /* Placeholder code for the SRv6 L3 Service type */
>     else if (type == BGP_PREFIX_SID_SRV6_L3_SERVICE) {
>     	if (STREAM_READABLE(peer->curr) < length) {
>     		flog_err(
>     			EC_BGP_ATTR_LEN,
>     			"Prefix SID SRv6 L3-Service length is %hu, but only %zu bytes remain",
>     			length, STREAM_READABLE(peer->curr));
>     		return bgp_attr_malformed(args,
>     			 BGP_NOTIFY_UPDATE_ATTR_LENG_ERR,
>     			 args->total);
>     	}
>     
>     	/* ignore reserved */
>     	stream_getc(peer->curr);
>     
> 
> **To Reproduce**
> 
> When I construct a psid\_sub TLV, Type = 5 and Length = 0, Frrouting will crash. **Expected behavior**
> 
> **Screenshots**
> 
> **Versions**
> 
> *   OS Version:
>     
> *   Kernel:
>     
> *   FRR Version:
>     
> 
> **Additional context**

Hi Melissa,

Could you please share with us on how to construct a message that can reproduce this crash?

I tried to use scappy but I'm not sure how to construct such a message.

Thank you!

can you share the PoC and the bgp configuration? thanks!

halstead pushed a commit to openembedded/meta-openembedded that referenced this issue

Jul 31, 2023

 

An issue found in Frrouting bgpd v.8.4.2 allows a remote attacker to
cause a denial of service via the bgp\_attr\_psid\_sub() function.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-31490
FRRouting/frr#13099

Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
\[Fixup so patch would apply\]
Signed-off-by: Armin Kuster <akuster808@gmail.com>

jpuhlman pushed a commit to MontaVista-OpenSourceTechnology/meta-openembedded that referenced this issue

Aug 9, 2023

 

Source: meta-openembedded
MR: 127624
Type: Integration
Disposition: Merged from meta-openembedded
ChangeID: 8ab74be
Description:

An issue found in Frrouting bgpd v.8.4.2 allows a remote attacker to
cause a denial of service via the bgp\_attr\_psid\_sub() function.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-31490
FRRouting/frr#13099

Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
\[Fixup so patch would apply\]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Jeremy A. Puhlman <jpuhlman@mvista.com>

CVE-2023-31490: bgpd: Missing  length check in bgp_attr_psid_sub about BGP_PREFIX_SID_SRV6_L3_SERVICE · Issue #13099 · FRRouting/frr

Buffer Overflow vulnerability found in Libming swftophp v.0.4.8 allows a local attacker to cause a denial of service via the newVar_N in util/decompile.c.

Heap buffer overflow in the latest version of libming at function newVar\_N in util/decompile.c:654.

**Environment**

Ubuntu 18.04, 64 bit  
libming 0.4.8

**Steps to reproduce**

1.  download file

    wget https://github.com/libming/libming/archive/refs/tags/ming-0_4_8.tar.gz
    tar -zxvf ming-0_4_8.tar.gz
    

2.  compile libming with ASAN

    cd libming-ming-0_4_8
    ./autogen.sh
    export FORCE_UNSAFE_CONFIGURE=1
    export LLVM_COMPILER=clang
    CC=wllvm CXX=wllvm++ CFLAGS="-g -O0 -fcommon -Wno-error" ./configure --prefix=`pwd`/obj-bc --with-php-config=/usr/bin/php-config7.2 --enable-static --disable-shared
    make
    make install
    
    cd obj-bc/bin/
    extract-bc swftophp
    clang -fsanitize=address -lz -lm swftophp.bc -o swftophp_asan
    

3.  command for reproducing the error

Download poc:  
libming\_0-4-8\_swftophp\_heap-buffer-overflow\_decompile654.zip

**ASAN report**

    root@2413df779df0:~/compiler1804/libming-ming-0_4_8/obj-bc/bin# ./swftophp_asan libming_0-4-8_swftophp_heap-buffer-overflow_decompile654.swf 
    header indicates a filesize of 0 but filesize is 166
    <?php
    $m = new SWFMovie(0);
    
    ming_setscale(1.0);
    $m->setRate(0.000000);
    $m->setDimension(0, 1);
    
    /* Note: xMin and/or yMin are not 0! */
    
    $m->setFrames(0);
    
    /* SWF_DOACTION */
        16:SWFACTION_FSCOMMAND2
      Can't get int for type: 10
    =================================================================
    ==60490==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000001880 at pc 0x000000439494 bp 0x7ffd310a9d90 sp 0x7ffd310a9540
    READ of size 1025 at 0x619000001880 thread T0
        #0 0x439493 in __interceptor_strlen.part.36 /root/LLVM/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:372
        #1 0x5022e5 in newVar_N /root/compiler1804/libming-ming-0_4_8/util/decompile.c:654:11
        #2 0x4fbe07 in decompileNEWOBJECT /root/compiler1804/libming-ming-0_4_8/util/decompile.c:1588:7
        #3 0x4fab64 in decompileAction /root/compiler1804/libming-ming-0_4_8/util/decompile.c:3190:3
        #4 0x501b27 in decompileActions /root/compiler1804/libming-ming-0_4_8/util/decompile.c:3401:6
        #5 0x503b31 in decompile5Action /root/compiler1804/libming-ming-0_4_8/util/decompile.c:3423:2
        #6 0x4f7865 in outputSWF_DOACTION /root/compiler1804/libming-ming-0_4_8/util/outputscript.c:1548:29
        #7 0x4f72ac in outputBlock /root/compiler1804/libming-ming-0_4_8/util/outputscript.c:2079:4
        #8 0x4f9d21 in readMovie /root/compiler1804/libming-ming-0_4_8/util/main.c:277:4
        #9 0x4f984d in main /root/compiler1804/libming-ming-0_4_8/util/main.c:350:2
        #10 0x7fe2276bdc86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
        #11 0x41b8d9 in _start (/root/compiler1804/libming-ming-0_4_8/obj-bc/bin/swftophp_asan+0x41b8d9)
    
    0x619000001880 is located 0 bytes to the right of 1024-byte region [0x619000001480,0x619000001880)
    allocated by thread T0 here:
        #0 0x4ae288 in realloc /root/LLVM/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:164
        #1 0x502330 in newVar_N /root/compiler1804/libming-ming-0_4_8/util/decompile.c:657:18
        #2 0x4fbe07 in decompileNEWOBJECT /root/compiler1804/libming-ming-0_4_8/util/decompile.c:1588:7
        #3 0x4fab64 in decompileAction /root/compiler1804/libming-ming-0_4_8/util/decompile.c:3190:3
        #4 0x501b27 in decompileActions /root/compiler1804/libming-ming-0_4_8/util/decompile.c:3401:6
        #5 0x503b31 in decompile5Action /root/compiler1804/libming-ming-0_4_8/util/decompile.c:3423:2
        #6 0x4f7865 in outputSWF_DOACTION /root/compiler1804/libming-ming-0_4_8/util/outputscript.c:1548:29
        #7 0x4f72ac in outputBlock /root/compiler1804/libming-ming-0_4_8/util/outputscript.c:2079:4
        #8 0x4f9d21 in readMovie /root/compiler1804/libming-ming-0_4_8/util/main.c:277:4
        #9 0x4f984d in main /root/compiler1804/libming-ming-0_4_8/util/main.c:350:2
        #10 0x7fe2276bdc86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /root/LLVM/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:372 in __interceptor_strlen.part.36
    Shadow bytes around the buggy address:
      0x0c327fff82c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c327fff82d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c327fff82e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c327fff82f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c327fff8300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c327fff8310:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c327fff8320: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c327fff8330: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c327fff8340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c327fff8350: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c327fff8360: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==60490==ABORTING

CVE-2023-30083: Heap buffer overflow in newVar_N() at decompile.c:654 · Issue #266 · libming/libming

An issue found in libming swftophp v.0.4.8 allows a local attacker to cause a denial of service via the stackVal function in util/decompile.c.

Invalid memory read in the latest version of libming at function stackVal in util/decompile.c:1238.

    wget https://github.com/libming/libming/archive/refs/tags/ming-0_4_8.tar.gz
    tar -zxvf ming-0_4_8.tar.gz
    

    cd libming-ming-0_4_8
    ./autogen.sh
    export FORCE_UNSAFE_CONFIGURE=1
    export LLVM_COMPILER=clang
    CC=wllvm CXX=wllvm++ CFLAGS="-g -O0 -fcommon -Wno-error" ./configure --prefix=`pwd`/obj-bc --with-php-config=/usr/bin/php-config7.2 --enable-static --disable-shared
    make
    make install
    
    cd obj-bc/bin/
    extract-bc swftophp
    clang -fsanitize=address -lz -lm swftophp.bc -o swftophp_asan
    

    root@2413df779df0:~/compiler1804/libming-ming-0_4_8/obj-bc/bin# ./swftophp_asan libming_0-4-8_swftophp_invalid-memory-read_decompile1238.swf 
    header indicates a filesize of 4278191411 but filesize is 166
    <?php
    $m = new SWFMovie();
    
    ming_setscale(1.0);
    
    /* Note: using v5+ syntax for script blocks (original SWF file version was 4)! */
    
    $m->setRate(64.855469);
    $m->setDimension(66, 327);
    
    /* Note: xMin and/or yMin are not 0! */
    
    $m->setFrames(7440);
     Stream out of sync after parse of blocktype 24 (SWF_PROTECT). 124 but expecting 58.
    
    /* SWF_PROTECT */
    $m->protect("\tJ�A�\n�=�b��h"�BAH���CU���!�����М{/��R���z��W:�6$QSՖ�;owf޼�0]x�\r�������\)���
                                                                                                ��Qp(#}�m�\_");
     Stream out of sync after parse of blocktype 9 (SWF_SETBACKGROUNDCOLOR). 63 but expecting 119.
    
    /* SWF_SETBACKGROUNDCOLOR */
    $m->setBackground(0x2f, 0xed, 0xd1);
     Stream out of sync after parse of blocktype 11 (SWF_DEFINETEXT). 165 but expecting 125.
    
    /* SWF_DEFINETEXT */
    $character24412 = new SWFText(1);
    $character24412->setFont($f392);
    $character24412->setHeight(30910);
    $character24412->setColor(0x79, 0x9d, 0xb2);
    $character24412->moveTo(0, -15327);
    $character24412->addString("X");
    Failed to find branch target!!!
    Looking for: -28887
    
     Stream out of sync after parse of blocktype 12 (SWF_DOACTION). 138 but expecting 134.
    
    /* SWF_DOACTION */
    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==60499==ERROR: AddressSanitizer: SEGV on unknown address 0x601fffffffb0 (pc 0x000000502876 bp 0x7ffe6a2faa50 sp 0x7ffe6a2faa50 T0)
    ==60499==The signal is caused by a READ memory access.
        #0 0x502876 in stackVal /root/compiler1804/libming-ming-0_4_8/util/decompile.c:1238:41
        #1 0x4fe03d in decompileIF /root/compiler1804/libming-ming-0_4_8/util/decompile.c:2395:7
        #2 0x4facdc in decompileAction /root/compiler1804/libming-ming-0_4_8/util/decompile.c:3242:10
        #3 0x501b27 in decompileActions /root/compiler1804/libming-ming-0_4_8/util/decompile.c:3401:6
        #4 0x503b31 in decompile5Action /root/compiler1804/libming-ming-0_4_8/util/decompile.c:3423:2
        #5 0x4f7865 in outputSWF_DOACTION /root/compiler1804/libming-ming-0_4_8/util/outputscript.c:1548:29
        #6 0x4f72ac in outputBlock /root/compiler1804/libming-ming-0_4_8/util/outputscript.c:2079:4
        #7 0x4f9d21 in readMovie /root/compiler1804/libming-ming-0_4_8/util/main.c:277:4
        #8 0x4f984d in main /root/compiler1804/libming-ming-0_4_8/util/main.c:350:2
        #9 0x7f6f2645dc86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
        #10 0x41b8d9 in _start (/root/compiler1804/libming-ming-0_4_8/obj-bc/bin/swftophp_asan+0x41b8d9)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /root/compiler1804/libming-ming-0_4_8/util/decompile.c:1238:41 in stackVal
    ==60499==ABORTING

CVE-2023-30084: Invalid memory read in stackVal() at decompile.c:1238 · Issue #268 · libming/libming

An issue found in Cesanta MJS v.1.26 allows a local attacker to cause a denial of service via the mjs_execute function in mjs.c.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2023-30088: Invalid memory read in mjs_execute() at mjs.c:9320 · Issue #243 · cesanta/mjs

Buffer Overflow vulnerability found in Libming swftophp v.0.4.8 allows a local attacker to cause a denial of service via the cws2fws function in util/decompile.c.

Allocation size overflow in the latest version of libming at function cws2fws in util/main.c:111.

**Environment**

Ubuntu 18.04, 64 bit  
libming 0.4.8

**Steps to reproduce**

1.  download file

    wget https://github.com/libming/libming/archive/refs/tags/ming-0_4_8.tar.gz
    tar -zxvf ming-0_4_8.tar.gz
    

2.  compile libming with ASAN

    cd libming-ming-0_4_8
    ./autogen.sh
    export FORCE_UNSAFE_CONFIGURE=1
    export LLVM_COMPILER=clang
    CC=wllvm CXX=wllvm++ CFLAGS="-g -O0 -fcommon -Wno-error" ./configure --prefix=`pwd`/obj-bc --with-php-config=/usr/bin/php-config7.2 --enable-static --disable-shared
    make
    make install
    
    cd obj-bc/bin/
    extract-bc swftophp
    clang -fsanitize=address -lz -lm swftophp.bc -o swftophp_asan
    

3.  command for reproducing the error

Download poc:  
libming\_0-4-8\_swftophp\_allocation-size-overflow\_main111.zip

**ASAN report**

    root@2413df779df0:~/compiler1804/libming-ming-0_4_8/obj-bc/bin# ./swftophp_asan libming_0-4-8_swftophp_allocation-size-overflow_main111.swf 
    =================================================================
    ==60493==ERROR: AddressSanitizer: requested allocation size 0xffffffffff000533 (0xffffffffff001538 after adjustments for alignment, red zones etc.) exceeds maximum supported size of 0x10000000000 (thread T0)
        #0 0x4ae288 in realloc /root/LLVM/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:164
        #1 0x4f9334 in cws2fws /root/compiler1804/libming-ming-0_4_8/util/main.c:111:15
        #2 0x4f99dd in readMovieHeader /root/compiler1804/libming-ming-0_4_8/util/main.c:198:18
        #3 0x4f97ee in main /root/compiler1804/libming-ming-0_4_8/util/main.c:346:5
        #4 0x7f6a64b67c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    
    ==60493==HINT: if you don't care about these errors you may set allocator_may_return_null=1
    SUMMARY: AddressSanitizer: allocation-size-too-big /root/LLVM/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:164 in realloc
    ==60493==ABORTING

CVE-2023-30085: Allocation size overflow in cws2fws() at main.c:111 · Issue #267 · libming/libming

OX App Suite has patched for sensitive information disclosure, cross site scripting, improper access control, authorization bypass, and resource consumption vulnerabilities. Some of the issues affect OX App Suite frontend version 7.10.6-rev23 and some affect OX App Suite backend version 7.10.6-rev36.

Internal reference: OXUIB-2130  
Type: CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)  
Component: frontend  
Report confidence: Confirmed  
Solution status: Fixed by vendor  
Last affected revision: OX App Suite frontend 7.10.6-rev23  
First fixed revision: OX App Suite frontend 7.10.6-rev24  
Discovery date: 2023-01-03  
Solution date: 2023-02-06  
Disclosure date: 2023-05-05  
Researcher credits: Tim Coen  
CVE: CVE-2023-24597  
CVSS: 4.2 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N)

Details:  
Remote resources are loaded in print view. When E-Mail is flagged as Spam or if a user has enabled the feature as a default, remote content in E-Mail is not requested automatically to improve users privacy. However when printing a E-Mail, external content was loaded automatically without user consent.

Risk:  
Malicious remote content in E-Mail, like tracking pixels, could be used to analyze user behaviour. No publicly available exploits are known.

Solution:  
We now apply the same setting for loading external content when generating the E-Mail print content.

---

Internal reference: OXUIB-2034  
Type: CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS))  
Component: frontend  
Report confidence: Confirmed  
Solution status: Fixed by vendor  
Last affected revision: OX App Suite frontend 7.10.6-rev23  
First fixed revision: OX App Suite frontend 7.10.6-rev24  
Discovery date: 2022-11-02  
Solution date: 2023-02-06  
Disclosure date: 2023-05-05  
CVE: CVE-2023-24601  
CVSS: 4.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N)

Details:  
XSS with non-app deeplinks like "registry". The "registry" sub-tree of the jslob API is used to define which application modules and dependencies shall be loaded. Users were able to inject arbitrary references, including malicious code.

Risk:  
Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface and API. To exploit this an attacker would require temporary access to the users account or lure a user to a compromised account. No publicly available exploits are known.

Solution:  
We made the relevant jslob path read-only for users.

---

Internal reference: OXUIB-2033  
Type: CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS))  
Component: frontend  
Report confidence: Confirmed  
Solution status: Fixed by vendor  
Last affected revision: OX App Suite frontend 7.10.6-rev23  
First fixed revision: OX App Suite frontend 7.10.6-rev24  
Discovery date: 2022-02-11  
Solution date: 2023-02-06  
Disclosure date: 2023-05-05  
CVE: CVE-2023-24602  
CVSS: 4.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N)

Details:  
XSS at Tumblr portal widget due to missing content sanitization. External content, like post titles, have been evaluated as HTML when adding Tumblr feeds to the portal page.

Risk:  
Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface and API. To exploit this an attacker would require temporary access to the users account, compromise a Tumblr feed or make the victim include a malicious feed. No publicly available exploits are known.

Solution:  
We now insert untrusted external content as plain-text.

---

Internal reference: MWB-1998  
Type: CWE-284 (Improper Access Control)  
Component: backend  
Report confidence: Confirmed  
Solution status: Fixed by vendor  
Last affected revision: OX App Suite backend 7.10.6-rev36  
First fixed revision: OX App Suite backend 7.10.6-rev37  
Discovery date: 2023-01-10  
Solution date: 2023-02-06  
Disclosure date: 2023-05-05  
Researcher credits: Tim Coen  
CVE: CVE-2023-24600  
CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Details:  
"Read own/delete all" permissions allows moving other users contacts to own address book. Folder ACL combinations like "read own, delete all" were incorrectly applied and allowed that users could move objects which they were not expected to read.

Risk:  
Moving objects to folders with read access effectively bypassed the "read own" restriction. No publicly available exploits are known.

Solution:  
Permission checks have been updated and include checking for read permissions when performing move operations.

---

Internal reference: MWB-1997  
Type: CWE-284 (Improper Access Control)  
Component: backend  
Report confidence: Confirmed  
Solution status: Fixed by vendor  
Last affected revision: OX App Suite backend 7.10.6-rev36  
First fixed revision: OX App Suite backend 7.10.6-rev37  
Discovery date: 2023-01-10  
Solution date: 2023-02-06  
Disclosure date: 2023-05-05  
Researcher credits: Tim Coen  
CVE: CVE-2023-24605  
CVSS: 5.9 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N)

Details:  
API access not fully restricted when requiring 2FA. When using the built-in multi-factor authentication, access to a number of API endpoints was possible prior to successful authentication using the second factor.

Risk:  
Attackers with access to victims credentials were able to perfom limited read operations on contacts and drive as well as modifying names of the multi-factor tokens. No publicly available exploits are known.

Solution:  
We added permission checks to make sure all kind of API paths are restricted prior to being fully authenticated.

---

Internal reference: MWB-1995  
Type: CWE-639 (Authorization Bypass Through User-Controlled Key)  
Component: backend  
Report confidence: Confirmed  
Solution status: Fixed by vendor  
Last affected revision: OX App Suite backend 7.10.6-rev36  
First fixed revision: OX App Suite backend 7.10.6-rev37  
Discovery date: 2023-01-09  
Solution date: 2023-02-06  
Disclosure date: 2023-05-05  
Researcher credits: Tim Coen  
CVE: CVE-2023-24598  
CVSS: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

Details:  
Distribution lists allow discovering private contacts of other users. Editing distribution lists allows to add contacts from foreign accounts, where the attacker has no read access.

Risk:  
Attackers within the same context can discover fragments of contact information from folders without read access, including other users personal contact folders. No publicly available exploits are known.

Solution:  
We improved permission checks when editing distribution lists to restrict access.

---

Internal reference: MWB-1983  
Type: CWE-400 (Uncontrolled Resource Consumption)  
Component: backend  
Report confidence: Confirmed  
Solution status: Fixed by vendor  
Last affected revision: OX App Suite backend 7.10.6-rev36  
First fixed revision: OX App Suite backend 7.10.6-rev37  
Discovery date: 2023-01-03  
Solution date: 2023-02-06  
Disclosure date: 2023-05-05  
CVE: CVE-2023-24604  
CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)

Details:  
Header length does not get limited for external content. HTTP client requests initiated by App Suite middleware were not validating the lenght of HTTP headers.

Risk:  
In case an attacker-controlled resource (e.g. iCal feed) returned excessive amount of HTTP headers, the system could temporarily lock up processing those headers. No publicly available exploits are known.

Solution:  
We introduced a limitation for HTTP header length and reject processing if a threshold is hit.

---

Internal reference: MWB-1981  
Type: CWE-400 (Uncontrolled Resource Consumption)  
Component: backend  
Report confidence: Confirmed  
Solution status: Fixed by vendor  
Last affected revision: OX App Suite backend 7.10.6-rev36  
First fixed revision: OX App Suite backend 7.10.6-rev37  
Discovery date: 2023-01-03  
Solution date: 2023-02-06  
Disclosure date: 2023-05-05  
CVE: CVE-2023-24603  
CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)

Details:  
Size limits for external content are not considered for data transfer. HTTP client requests initiated by App Suite middleware were not stopping downloads for resources that exceed size limits.

Risk:  
In case an attacker-controlled resource (e.g. iCal feed) returned excessive amount of data, it would be fully downloaded before applying size checks. While this could not be used to lock up the system, its a plausible amplification vector for denial of service attacks to other services. No publicly available exploits are known.

Solution:  
We improved the limitation for content length and immediately stop downloading if a threshold is hit.

---

Internal reference: MWB-1978  
Type: CWE-639 (Authorization Bypass Through User-Controlled Key)  
Component: backend  
Report confidence: Confirmed  
Solution status: Fixed by vendor  
Last affected revision: OX App Suite backend 7.10.6-rev36  
First fixed revision: OX App Suite backend 7.10.6-rev37  
Discovery date: 2023-01-01  
Solution date: 2023-02-06  
Disclosure date: 2023-05-05  
Researcher credits: Tim Coen  
CVE: CVE-2023-24599  
CVSS: 7.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L)

Details:  
Users can change arbitrary appointments by ID confusion. Appointments of other users could be changed without the appropriate autorization by sending conflicting object IDs within the same request.

Risk:  
Attackers within the same context can modify fragments of appointment information from folders without read access, including other users personal calendar folders. No publicly available exploits are known.

Solution:  
We improved permission checks when updating appointments to restrict access.

Tag

#dos