Dnsmasq 2.86 has a heap-based buffer overflow in answer_request (called from FuzzAnswerTheRequest and fuzz_rfc1035.c).

Permalink

Cannot retrieve contributors at this time

id: OSV-2021-935

summary: Heap-buffer-overflow in answer\_request

details: |

OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=35920

Crash type: Heap-buffer-overflow WRITE 1

Crash state:

answer\_request

FuzzAnswerTheRequest

fuzz\_rfc1035.c

modified: '2021-07-09T00:00:11.077111Z'

published: '2021-07-09T00:00:11.076648Z'

references:

\- type: REPORT

url: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=35920

affected:

\- package:

name: dnsmasq

ecosystem: OSS-Fuzz

ranges:

\- type: GIT

repo: git://thekelleys.org.uk/dnsmasq.git

events:

\- introduced: 96f6444958c29a670f4254722d787f328153605c

versions:

\- v2.86

\- v2.86rc1

\- v2.86rc2

\- v2.86rc3

\- v2.86test5

\- v2.86test6

\- v2.86test7

\- v2.87test1

\- v2.87test2

\- v2.87test3

\- v2.87test4

ecosystem\_specific:

severity: HIGH

CVE-2021-45957: oss-fuzz-vulns/OSV-2021-935.yaml at main · google/oss-fuzz-vulns

Dnsmasq 2.86 has a heap-based buffer overflow in print_mac (called from log_packet and dhcp_reply).

Permalink

Cannot retrieve contributors at this time

id: OSV-2021-933

summary: Heap-buffer-overflow in print\_mac

details: |

OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=35887

Crash type: Heap-buffer-overflow WRITE 4

Crash state:

print\_mac

log\_packet

dhcp\_reply

modified: '2021-10-09T00:07:27.426059Z'

published: '2021-07-08T00:01:26.369555Z'

references:

\- type: REPORT

url: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=35887

affected:

\- package:

name: dnsmasq

ecosystem: OSS-Fuzz

ranges:

\- type: GIT

repo: git://thekelleys.org.uk/dnsmasq.git

events:

\- introduced: 96f6444958c29a670f4254722d787f328153605c

versions:

\- v2.86

\- v2.86rc1

\- v2.86rc2

\- v2.86rc3

\- v2.86test5

\- v2.86test6

\- v2.86test7

\- v2.87test1

\- v2.87test2

\- v2.87test3

\- v2.87test4

ecosystem\_specific:

severity: HIGH

CVE-2021-45956: oss-fuzz-vulns/OSV-2021-933.yaml at main · google/oss-fuzz-vulns

Dnsmasq 2.86 has a heap-based buffer overflow in resize_packet (called from FuzzResizePacket and fuzz_rfc1035.c).

Permalink

Cannot retrieve contributors at this time

id: OSV-2021-932

summary: Heap-buffer-overflow in resize\_packet

details: |

OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=35898

Crash type: Heap-buffer-overflow WRITE {\*}

Crash state:

resize\_packet

FuzzResizePacket

fuzz\_rfc1035.c

modified: '2021-10-08T00:05:03.400974Z'

published: '2021-07-08T00:01:25.139349Z'

references:

\- type: REPORT

url: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=35898

affected:

\- package:

name: dnsmasq

ecosystem: OSS-Fuzz

ranges:

\- type: GIT

repo: git://thekelleys.org.uk/dnsmasq.git

events:

\- introduced: 96f6444958c29a670f4254722d787f328153605c

versions:

\- v2.86

\- v2.86rc1

\- v2.86rc2

\- v2.86rc3

\- v2.86test5

\- v2.86test6

\- v2.86test7

\- v2.87test1

\- v2.87test2

\- v2.87test3

\- v2.87test4

ecosystem\_specific:

severity: HIGH

CVE-2021-45955: oss-fuzz-vulns/OSV-2021-932.yaml at main · google/oss-fuzz-vulns

Dnsmasq 2.86 has a heap-based buffer overflow in check_bad_address (called from check_for_bogus_wildcard and FuzzCheckForBogusWildcard).

Permalink

Cannot retrieve contributors at this time

id: OSV-2021-924

summary: Heap-buffer-overflow in check\_bad\_address

details: |

OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=35868

Crash type: Heap-buffer-overflow WRITE 1

Crash state:

check\_bad\_address

check\_for\_bogus\_wildcard

FuzzCheckForBogusWildcard

modified: '2021-10-08T00:05:23.820623Z'

published: '2021-07-08T00:00:12.086205Z'

references:

\- type: REPORT

url: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=35868

affected:

\- package:

name: dnsmasq

ecosystem: OSS-Fuzz

ranges:

\- type: GIT

repo: git://thekelleys.org.uk/dnsmasq.git

events:

\- introduced: 96f6444958c29a670f4254722d787f328153605c

versions:

\- v2.86

\- v2.86rc1

\- v2.86rc2

\- v2.86rc3

\- v2.86test5

\- v2.86test6

\- v2.86test7

\- v2.87test1

\- v2.87test2

\- v2.87test3

\- v2.87test4

ecosystem\_specific:

severity: HIGH

CVE-2021-45951: oss-fuzz-vulns/OSV-2021-924.yaml at main · google/oss-fuzz-vulns

LibreDWG 0.12.4.4313 through 0.12.4.4367 has an out-of-bounds write in dwg_free_BLOCK_private (called from dwg_free_BLOCK and dwg_free_object).

Permalink

Cannot retrieve contributors at this time

id: OSV-2021-814

summary: UNKNOWN WRITE in dwg\_free\_BLOCK\_private

details: |

OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34766

Crash type: UNKNOWN WRITE

Crash state:

dwg\_free\_BLOCK\_private

dwg\_free\_BLOCK

dwg\_free\_object

modified: '2021-10-12T00:09:35.151092Z'

published: '2021-05-30T00:00:24.550464Z'

references:

\- type: REPORT

url: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34766

affected:

\- package:

name: libredwg

ecosystem: OSS-Fuzz

ranges:

\- type: GIT

repo: https://github.com/LibreDWG/libredwg

events:

\- introduced: b37f533870d4921888cbbd633a738d3e6e95109e

versions:

\- 0.12.4.4313

\- 0.12.4.4317

\- 0.12.4.4321

\- 0.12.4.4324

\- 0.12.4.4331

\- 0.12.4.4338

\- 0.12.4.4343

\- 0.12.4.4348

\- 0.12.4.4362

\- 0.12.4.4364

\- 0.12.4.4367

ecosystem\_specific:

severity: null

CVE-2021-45950: oss-fuzz-vulns/OSV-2021-814.yaml at main · google/oss-fuzz-vulns

Wasm3 0.5.0 has an out-of-bounds write in Runtime_Release (called from EvaluateExpression and InitDataSegments).

Permalink

Cannot retrieve contributors at this time

id: OSV-2021-689

summary: UNKNOWN WRITE in Runtime\_Release

details: |

OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33689

Crash type: UNKNOWN WRITE

Crash state:

Runtime\_Release

EvaluateExpression

InitDataSegments

modified: '2021-04-27T00:01:03.314516Z'

published: '2021-04-27T00:01:03.314259Z'

references:

\- type: REPORT

url: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33689

affected:

\- package:

name: wasm3

ecosystem: OSS-Fuzz

ranges:

\- type: GIT

repo: https://github.com/wasm3/wasm3

events:

\- introduced: 64a22dcdc3e4239cb91b153d25c8b5bb2fac430e

versions:

\- v0.5.0

ecosystem\_specific:

severity: HIGH

CVE-2021-45947: oss-fuzz-vulns/OSV-2021-689.yaml at main · google/oss-fuzz-vulns

Wasm3 0.5.0 has an out-of-bounds write in CompileBlock (called from Compile_LoopOrBlock and CompileBlockStatements).

Permalink

Cannot retrieve contributors at this time

id: OSV-2021-678

summary: UNKNOWN WRITE in CompileBlock

details: |

OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33555

Crash type: UNKNOWN WRITE

Crash state:

CompileBlock

Compile\_LoopOrBlock

CompileBlockStatements

modified: '2021-04-23T00:00:13.901043Z'

published: '2021-04-23T00:00:13.900793Z'

references:

\- type: REPORT

url: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33555

affected:

\- package:

name: wasm3

ecosystem: OSS-Fuzz

ranges:

\- type: GIT

repo: https://github.com/wasm3/wasm3

events:

\- introduced: ef7c7f3a7578b9ed362cfbd0d1c6f065678df531

versions:

\- v0.5.0

ecosystem\_specific:

severity: HIGH

CVE-2021-45946: oss-fuzz-vulns/OSV-2021-678.yaml at main · google/oss-fuzz-vulns

NUUO Network Video Recorder NVRsolo 3.9.1 is affected by a Cross Site Scripting (XSS) vulnerability. An attacker can steal the user's session by injecting malicious JavaScript codes which leads to session hijacking.

Inga filer i den här mappen.Logga in för att lägga till filer i den här mappen

CVE-2021-45812: NUUO – Google Drive

Nokia FastMile 3TG00118ABAD52 devices allow privilege escalation by an authenticated user via is_ctc_admin=1 to login_web_app.cgi and use of Import Config File.

As a part of my 5G home internet offering, Optus bundles a 5G gateway called the Nokia Fastmile. The same device seems to be shipped by T-Mobile for their 5G offering and is passionately known as the 'trashcan' in r/tmobileisp.

![](https://eddiez.me/content/images/2021/10/ResrcID22518_GW_bottom.png)

Nokia Fastmile Stock Photo

Naturally, the first thing I tried to do is to obtain root access on it.

**Finding a Privilege Escalation Bug**

EDIT: This has been assigned CVE-2021-45896.

Immediately, the first thing I noticed is that the provided userAdmin credentials printed on the bottom of the device seem to be a low level account.

Taking a peak at the requests going on when logging in immediately reveals an authenticated privilege escalation vulnerability. This likely also affects other Nokia devices. My firmware version: 3TG00118ABAD52.

When logging in, a call is made to POST /login\_web\_app.cgi.

If you intercept the response you will see that there is a variable called "is\_ctc\_admin".

![](https://eddiez.me/content/images/2021/10/image-2.png)

Change "is\_ctc\_admin" to 1

If you change this in the response to 1 you get access to additional functionality and full admin. The vulnerability is a classic access control issue where authorisation is handled only on the client side.

Now we have access to an additional tab but also more functionality in some existing tabs.

![](https://eddiez.me/content/images/2021/10/image-3.png)

SPAN Ports!

![](https://eddiez.me/content/images/2021/10/image-7.png)

QOS

![](https://eddiez.me/content/images/2021/10/image-4.png)

Backup and Restore Configuration

**Modifying the Configuration**

Doing some Googling I came across this smart guy who figured out the format of Nokia's configuration file format and wrote a tool to unpack, and pack configuration files so that you can make changes that aren't available through the web interface.

Unlocking IAM’s Nokia G-240W-A router (Part 1) · 0x41.cf

![](https://0x41.cf/favicon.png)

![](https://i.0x41.cf/b/nokia-g-240w-a.png)

The tool he wrote also works for the Nokia Fastmile: https://gist.github.com/thedroidgeek/80c379aa43b71015d71da130f85a435a

Following the write-up gets us all the way to SSH/Telnet access to the device however we are stopped by this annoying password prompt for shell access.

None of the passwords in the configuration file work for this shell password.

![](https://eddiez.me/content/images/2021/10/image-8.png)

???

Some other comments mention changing LimitAccount\_ONTUSER to false and logging in with ONTUSER:SUGAR2A041 however this doesn't seem to work for the Fastmile.

**Giving Up and Moving to Looking at Hardware**

randomsrvapps over at Whirlpool seems to have managed to get a trivial root shell via UART/ADB revealing that the device is Android based? Lets verify this.

Flipping the device over we see some ports that seem to be covered (circled in yellow on the photo).

![](https://eddiez.me/content/images/2021/11/4032-3024-resize.jpg)

These stickers can only be uncovered from the rear as the stickers they used are quite strong. By undoing circled bolts in red (Torx T15H) and removing the sim card, the feet come off and we can poke out the stickers.

This reveals a USB-C port and two RJ12 ports.

![](https://eddiez.me/content/images/2021/11/3024-4032-resize-crop.jpg)

USB-C is Top Right

**It runs Android?**

As per the thread, plugging into the USB-C port and running ADB shell gives us an immediate root shell on the device.

![](https://eddiez.me/content/images/2021/11/Screenshot-from-2021-11-13-16-50-43.png)

Interestingly it has a Snapdragon 855 in it, the same processor that was in previous generation flagships like the Google Pixel 4.

![](https://eddiez.me/content/images/2021/11/Screenshot-from-2021-11-20-22-43-15.png)

Snapdragon 855

I also confirmed that you can get this same console access by plugging into the pins outlined in the thread. These terminals are 1.8v logic level and the pins from inside to out are RX, TX, and ground with a baud rate of 115200.

![](https://eddiez.me/content/images/2021/11/3024-4033-resize-canvas.jpg)

Having a poke around via ADB shell reveals some oddities.

The most noteworthy being that the IP addressing scheme of my local network configured via the WEB-UI (172.10.0.0/24) is non-existent and some random private subnet 192.168.85.0/24 shows up.

![](https://eddiez.me/content/images/2021/11/Screenshot-from-2021-11-21-08-14-26.png)

Performing a traceroute from my local machine we see traffic get routed through this 192.168.85.0/24 subnet as well.

![](https://eddiez.me/content/images/2021/11/Screenshot-from-2021-11-21-08-24-13.png)

The First Hop Is My pfsense Firewall (I'm Running Double NAT)

This can also be verified by performing a tcpdump with a filter on the Fastmile whilst pinging 9.9.9.9.

![](https://eddiez.me/content/images/2021/11/Screenshot-from-2021-11-21-08-23-56.png)

Why is our IP address 192.168.85.6??

I immediately copied over a precompiled binary of busybox onto the Fastmile to try to run ARP.

![](https://eddiez.me/content/images/2021/11/Screenshot-from-2021-11-21-08-28-12.png)

Then the realisation came.

**It's Two Devices in One Box!**

Nokia have basically taped a 5G capable phone to one of their old Alcatel-Lucent routers and shipped it in a cylindrical box. This also explains why the configuration modification tool earlier worked flawlessly.

![](https://eddiez.me/content/images/2021/11/Nokia-Fastmile.jpg)

Having root on the Android side doesn't help at all with getting root on the router side!

Using this knowledge we can also enable remote Android debugging by first adding a firewall rule.

    iptables -I INPUT 1 -s 192.168.85.6 -j ACCEPT

![](https://eddiez.me/content/images/2021/11/Screenshot-from-2021-11-13-22-38-34.png)

Enabling remote debugging on a port.

    adb tcpip 5555 //While connected via USB.
    

Then connecting remotely without having to be tethered to the device.

![](https://eddiez.me/content/images/2021/11/Screenshot-from-2021-11-13-22-43-12.png)

Looking back at the physical device again you can even see two different PCB types.

![](https://eddiez.me/content/images/2021/11/4032-3026-resize-annotated-2.jpg)

UART pins are also provided for the router side that are easily accessible. These pins are 3.3v logic level and the pins from inside out are ground, RX, TX with a baud rate of 115200.

![](https://eddiez.me/content/images/2021/11/4032-3027-resize.jpg)

Letting it boot whilst connected via UART drops us into the same restricted shell that we had earlier via SSH where we don't know the 'shell' password. Not helpful.

Interrupting boot drops us in CFE but I don't have the patience to dump the image over serial as that would take ~4 days. Otherwise, I'm not too familiar with CFE and am not super keen on turning my Fastmile into a $400 brick.

![](https://eddiez.me/content/images/2021/11/Screenshot-from-2021-11-14-00-39-45.png)

Changing the GPON Password Board Parameter Doesn't Do Anything

If anyone else has any advice/knowledge feel free to ping me at email, we still aren't root after all this.

**Teardown**

Out of curiosity, I took the device apart a bit more as I hadn't seen any other write-ups detailing this.

Tracing back to the step where we'd removed the bottom of the device, the next step of disassembly is to bend back the clips around the perimeter circled in red. I've also circled the UART pins in yellow for clarity.

![](https://eddiez.me/content/images/2021/11/clips_resize.jpg)

Now you can flip the device and lift up the white shell to reveal the antennas.

![](https://eddiez.me/content/images/2021/11/antenna-resized.jpg)

Every bolt from here on is a Torx T8H. Looking at the top there are 5 bolts to undo which loosen the LED indicator board.

![](https://eddiez.me/content/images/2021/11/top-resized.jpg)

With the top LED indicator board off we can see where all the antenna's terminate. If you wanted to attach an external antenna, this is where you'd do it.

![](https://eddiez.me/content/images/2021/11/antenna-resized-1.jpg)

Unfortunately, accessibility to the connectors is very limited as some snake under the heatsink. I did try removing the heatsink later but it was pretty solidly bound to the PCB so I'm not sure if it's held together with a thermal epoxy or if I missed some bolts.

Next up, looking at the side of the device with the smaller heatsink (Android side), there are two more bolts on the diagonal face to loosen.

![](https://eddiez.me/content/images/2021/11/phone-side-resized.jpg)

This allows you to lift up 2/5 sides of the antenna assembly revealing the Android device.

![](https://eddiez.me/content/images/2021/11/phone-resized.jpg)

Removing the 4 bolts that hold the Android side in allows you to lift and fold the device over like we've done with the antenna panels.

![](https://eddiez.me/content/images/2021/11/phone-flipped-resized.jpg)

This also reveals the backside of the Alcatel-Lucent router and the only electrical interconnect between the two devices in the bottom right.

![](https://eddiez.me/content/images/2021/11/router-backside-resized-3.jpg)

I didn't go any further as the router side is mostly covered up by it's heatsink and if it's anything like the Android side then it was likely to also be difficult to remove.

CVE-2021-45896: WIP: Hacking the Nokia Fastmile

basic/BasicAuthProvider.java in AuthGuard before 0.9.0 allows authentication via an inactive identifier.

@@ -7,10 +7,7 @@ import com.nexblocks.authguard.service.exceptions.ServiceAuthorizationException; import com.nexblocks.authguard.service.exceptions.ServiceException; import com.nexblocks.authguard.service.exceptions.codes.ErrorCode; import com.nexblocks.authguard.service.model.AccountBO; import com.nexblocks.authguard.service.model.AuthRequestBO; import com.nexblocks.authguard.service.model.CredentialsBO; import com.nexblocks.authguard.service.model.EntityType; import com.nexblocks.authguard.service.model.\*; import com.google.inject.Inject; import io.vavr.control.Either; import org.slf4j.Logger; @@ -86,7 +83,14 @@ public BasicAuthProvider(final CredentialsService credentialsService, final Acco private Either<Exception, AccountBO\> verifyCredentialsAndGetAccount(final String username, final String password) { final Optional<CredentialsBO\> credentials \= credentialsService.getByUsernameUnsafe(username);  
// TODO replace this with Either mapping if (credentials.isPresent()) { final Optional<Exception\> validationError \= checkIdentifier(credentials.get(), username);  
if (validationError.isPresent()) { return Either.left(validationError.get()); }  
if (securePassword.verify(password, credentials.get().getHashedPassword())) { return getAccountById(credentials.get().getAccountId()); } else { @@ -103,13 +107,38 @@ public BasicAuthProvider(final CredentialsService credentialsService, final Acco final Optional<CredentialsBO\> credentials \= credentialsService.getByUsernameUnsafe(username);  
if (credentials.isPresent()) { final Optional<Exception\> validationError \= checkIdentifier(credentials.get(), username);  
if (validationError.isPresent()) { return Either.left(validationError.get()); }  
return getAccountById(credentials.get().getAccountId()); } else { return Either.left(new ServiceAuthorizationException(ErrorCode.CREDENTIALS\_DOES\_NOT\_EXIST, "Identifier " + username + " does not exist")); } }  
private Optional<Exception\> checkIdentifier(final CredentialsBO credentials, final String identifier) { final Optional<UserIdentifierBO\> matchedIdentifier \= credentials.getIdentifiers() .stream() .filter(existing \-\> identifier.equals(existing.getIdentifier())) .findFirst();  
if (matchedIdentifier.isEmpty()) { return Optional.of(new IllegalStateException("No identifier matched but credentials were returned")); }  
if (!matchedIdentifier.get().isActive()) { return Optional.of(new ServiceAuthorizationException(ErrorCode.INACTIVE\_IDENTIFIER, "Identifier is not active", EntityType.ACCOUNT, credentials.getAccountId())); }  
return Optional.empty(); }  
private Either<Exception, AccountBO\> getAccountById(final String accountId) { final Optional<AccountBO\> account \= accountsService.getById(accountId);

Tag

#google