Dnsmasq 2.86 has a heap-based buffer overflow in check_bad_address (called from check_for_bogus_wildcard and FuzzCheckForBogusWildcard).

Permalink

Cannot retrieve contributors at this time

id: OSV-2021-924

summary: Heap-buffer-overflow in check\_bad\_address

details: |

OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=35868

Crash type: Heap-buffer-overflow WRITE 1

Crash state:

check\_bad\_address

check\_for\_bogus\_wildcard

FuzzCheckForBogusWildcard

modified: '2021-10-08T00:05:23.820623Z'

published: '2021-07-08T00:00:12.086205Z'

references:

\- type: REPORT

url: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=35868

affected:

\- package:

name: dnsmasq

ecosystem: OSS-Fuzz

ranges:

\- type: GIT

repo: git://thekelleys.org.uk/dnsmasq.git

events:

\- introduced: 96f6444958c29a670f4254722d787f328153605c

versions:

\- v2.86

\- v2.86rc1

\- v2.86rc2

\- v2.86rc3

\- v2.86test5

\- v2.86test6

\- v2.86test7

\- v2.87test1

\- v2.87test2

\- v2.87test3

\- v2.87test4

ecosystem\_specific:

severity: HIGH

CVE-2021-45951: oss-fuzz-vulns/OSV-2021-924.yaml at main · google/oss-fuzz-vulns

LibreDWG 0.12.4.4313 through 0.12.4.4367 has an out-of-bounds write in dwg_free_BLOCK_private (called from dwg_free_BLOCK and dwg_free_object).

Permalink

Cannot retrieve contributors at this time

id: OSV-2021-814

summary: UNKNOWN WRITE in dwg\_free\_BLOCK\_private

details: |

OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34766

Crash type: UNKNOWN WRITE

Crash state:

dwg\_free\_BLOCK\_private

dwg\_free\_BLOCK

dwg\_free\_object

modified: '2021-10-12T00:09:35.151092Z'

published: '2021-05-30T00:00:24.550464Z'

references:

\- type: REPORT

url: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34766

affected:

\- package:

name: libredwg

ecosystem: OSS-Fuzz

ranges:

\- type: GIT

repo: https://github.com/LibreDWG/libredwg

events:

\- introduced: b37f533870d4921888cbbd633a738d3e6e95109e

versions:

\- 0.12.4.4313

\- 0.12.4.4317

\- 0.12.4.4321

\- 0.12.4.4324

\- 0.12.4.4331

\- 0.12.4.4338

\- 0.12.4.4343

\- 0.12.4.4348

\- 0.12.4.4362

\- 0.12.4.4364

\- 0.12.4.4367

ecosystem\_specific:

severity: null

CVE-2021-45950: oss-fuzz-vulns/OSV-2021-814.yaml at main · google/oss-fuzz-vulns

Wasm3 0.5.0 has an out-of-bounds write in Runtime_Release (called from EvaluateExpression and InitDataSegments).

Permalink

Cannot retrieve contributors at this time

id: OSV-2021-689

summary: UNKNOWN WRITE in Runtime\_Release

details: |

OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33689

Crash type: UNKNOWN WRITE

Crash state:

Runtime\_Release

EvaluateExpression

InitDataSegments

modified: '2021-04-27T00:01:03.314516Z'

published: '2021-04-27T00:01:03.314259Z'

references:

\- type: REPORT

url: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33689

affected:

\- package:

name: wasm3

ecosystem: OSS-Fuzz

ranges:

\- type: GIT

repo: https://github.com/wasm3/wasm3

events:

\- introduced: 64a22dcdc3e4239cb91b153d25c8b5bb2fac430e

versions:

\- v0.5.0

ecosystem\_specific:

severity: HIGH

CVE-2021-45947: oss-fuzz-vulns/OSV-2021-689.yaml at main · google/oss-fuzz-vulns

Wasm3 0.5.0 has an out-of-bounds write in CompileBlock (called from Compile_LoopOrBlock and CompileBlockStatements).

Permalink

Cannot retrieve contributors at this time

id: OSV-2021-678

summary: UNKNOWN WRITE in CompileBlock

details: |

OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33555

Crash type: UNKNOWN WRITE

Crash state:

CompileBlock

Compile\_LoopOrBlock

CompileBlockStatements

modified: '2021-04-23T00:00:13.901043Z'

published: '2021-04-23T00:00:13.900793Z'

references:

\- type: REPORT

url: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33555

affected:

\- package:

name: wasm3

ecosystem: OSS-Fuzz

ranges:

\- type: GIT

repo: https://github.com/wasm3/wasm3

events:

\- introduced: ef7c7f3a7578b9ed362cfbd0d1c6f065678df531

versions:

\- v0.5.0

ecosystem\_specific:

severity: HIGH

CVE-2021-45946: oss-fuzz-vulns/OSV-2021-678.yaml at main · google/oss-fuzz-vulns

NUUO Network Video Recorder NVRsolo 3.9.1 is affected by a Cross Site Scripting (XSS) vulnerability. An attacker can steal the user's session by injecting malicious JavaScript codes which leads to session hijacking.

Inga filer i den här mappen.Logga in för att lägga till filer i den här mappen

CVE-2021-45812: NUUO – Google Drive

Nokia FastMile 3TG00118ABAD52 devices allow privilege escalation by an authenticated user via is_ctc_admin=1 to login_web_app.cgi and use of Import Config File.

As a part of my 5G home internet offering, Optus bundles a 5G gateway called the Nokia Fastmile. The same device seems to be shipped by T-Mobile for their 5G offering and is passionately known as the 'trashcan' in r/tmobileisp.

![](https://eddiez.me/content/images/2021/10/ResrcID22518_GW_bottom.png)

Nokia Fastmile Stock Photo

Naturally, the first thing I tried to do is to obtain root access on it.

**Finding a Privilege Escalation Bug**

EDIT: This has been assigned CVE-2021-45896.

Immediately, the first thing I noticed is that the provided userAdmin credentials printed on the bottom of the device seem to be a low level account.

Taking a peak at the requests going on when logging in immediately reveals an authenticated privilege escalation vulnerability. This likely also affects other Nokia devices. My firmware version: 3TG00118ABAD52.

When logging in, a call is made to POST /login\_web\_app.cgi.

If you intercept the response you will see that there is a variable called "is\_ctc\_admin".

![](https://eddiez.me/content/images/2021/10/image-2.png)

Change "is\_ctc\_admin" to 1

If you change this in the response to 1 you get access to additional functionality and full admin. The vulnerability is a classic access control issue where authorisation is handled only on the client side.

Now we have access to an additional tab but also more functionality in some existing tabs.

![](https://eddiez.me/content/images/2021/10/image-3.png)

SPAN Ports!

![](https://eddiez.me/content/images/2021/10/image-7.png)

QOS

![](https://eddiez.me/content/images/2021/10/image-4.png)

Backup and Restore Configuration

**Modifying the Configuration**

Doing some Googling I came across this smart guy who figured out the format of Nokia's configuration file format and wrote a tool to unpack, and pack configuration files so that you can make changes that aren't available through the web interface.

Unlocking IAM’s Nokia G-240W-A router (Part 1) · 0x41.cf

![](https://0x41.cf/favicon.png)

![](https://i.0x41.cf/b/nokia-g-240w-a.png)

The tool he wrote also works for the Nokia Fastmile: https://gist.github.com/thedroidgeek/80c379aa43b71015d71da130f85a435a

Following the write-up gets us all the way to SSH/Telnet access to the device however we are stopped by this annoying password prompt for shell access.

None of the passwords in the configuration file work for this shell password.

![](https://eddiez.me/content/images/2021/10/image-8.png)

???

Some other comments mention changing LimitAccount\_ONTUSER to false and logging in with ONTUSER:SUGAR2A041 however this doesn't seem to work for the Fastmile.

**Giving Up and Moving to Looking at Hardware**

randomsrvapps over at Whirlpool seems to have managed to get a trivial root shell via UART/ADB revealing that the device is Android based? Lets verify this.

Flipping the device over we see some ports that seem to be covered (circled in yellow on the photo).

![](https://eddiez.me/content/images/2021/11/4032-3024-resize.jpg)

These stickers can only be uncovered from the rear as the stickers they used are quite strong. By undoing circled bolts in red (Torx T15H) and removing the sim card, the feet come off and we can poke out the stickers.

This reveals a USB-C port and two RJ12 ports.

![](https://eddiez.me/content/images/2021/11/3024-4032-resize-crop.jpg)

USB-C is Top Right

**It runs Android?**

As per the thread, plugging into the USB-C port and running ADB shell gives us an immediate root shell on the device.

![](https://eddiez.me/content/images/2021/11/Screenshot-from-2021-11-13-16-50-43.png)

Interestingly it has a Snapdragon 855 in it, the same processor that was in previous generation flagships like the Google Pixel 4.

![](https://eddiez.me/content/images/2021/11/Screenshot-from-2021-11-20-22-43-15.png)

Snapdragon 855

I also confirmed that you can get this same console access by plugging into the pins outlined in the thread. These terminals are 1.8v logic level and the pins from inside to out are RX, TX, and ground with a baud rate of 115200.

![](https://eddiez.me/content/images/2021/11/3024-4033-resize-canvas.jpg)

Having a poke around via ADB shell reveals some oddities.

The most noteworthy being that the IP addressing scheme of my local network configured via the WEB-UI (172.10.0.0/24) is non-existent and some random private subnet 192.168.85.0/24 shows up.

![](https://eddiez.me/content/images/2021/11/Screenshot-from-2021-11-21-08-14-26.png)

Performing a traceroute from my local machine we see traffic get routed through this 192.168.85.0/24 subnet as well.

![](https://eddiez.me/content/images/2021/11/Screenshot-from-2021-11-21-08-24-13.png)

The First Hop Is My pfsense Firewall (I'm Running Double NAT)

This can also be verified by performing a tcpdump with a filter on the Fastmile whilst pinging 9.9.9.9.

![](https://eddiez.me/content/images/2021/11/Screenshot-from-2021-11-21-08-23-56.png)

Why is our IP address 192.168.85.6??

I immediately copied over a precompiled binary of busybox onto the Fastmile to try to run ARP.

![](https://eddiez.me/content/images/2021/11/Screenshot-from-2021-11-21-08-28-12.png)

Then the realisation came.

**It's Two Devices in One Box!**

Nokia have basically taped a 5G capable phone to one of their old Alcatel-Lucent routers and shipped it in a cylindrical box. This also explains why the configuration modification tool earlier worked flawlessly.

![](https://eddiez.me/content/images/2021/11/Nokia-Fastmile.jpg)

Having root on the Android side doesn't help at all with getting root on the router side!

Using this knowledge we can also enable remote Android debugging by first adding a firewall rule.

    iptables -I INPUT 1 -s 192.168.85.6 -j ACCEPT

![](https://eddiez.me/content/images/2021/11/Screenshot-from-2021-11-13-22-38-34.png)

Enabling remote debugging on a port.

    adb tcpip 5555 //While connected via USB.
    

Then connecting remotely without having to be tethered to the device.

![](https://eddiez.me/content/images/2021/11/Screenshot-from-2021-11-13-22-43-12.png)

Looking back at the physical device again you can even see two different PCB types.

![](https://eddiez.me/content/images/2021/11/4032-3026-resize-annotated-2.jpg)

UART pins are also provided for the router side that are easily accessible. These pins are 3.3v logic level and the pins from inside out are ground, RX, TX with a baud rate of 115200.

![](https://eddiez.me/content/images/2021/11/4032-3027-resize.jpg)

Letting it boot whilst connected via UART drops us into the same restricted shell that we had earlier via SSH where we don't know the 'shell' password. Not helpful.

Interrupting boot drops us in CFE but I don't have the patience to dump the image over serial as that would take ~4 days. Otherwise, I'm not too familiar with CFE and am not super keen on turning my Fastmile into a $400 brick.

![](https://eddiez.me/content/images/2021/11/Screenshot-from-2021-11-14-00-39-45.png)

Changing the GPON Password Board Parameter Doesn't Do Anything

If anyone else has any advice/knowledge feel free to ping me at email, we still aren't root after all this.

**Teardown**

Out of curiosity, I took the device apart a bit more as I hadn't seen any other write-ups detailing this.

Tracing back to the step where we'd removed the bottom of the device, the next step of disassembly is to bend back the clips around the perimeter circled in red. I've also circled the UART pins in yellow for clarity.

![](https://eddiez.me/content/images/2021/11/clips_resize.jpg)

Now you can flip the device and lift up the white shell to reveal the antennas.

![](https://eddiez.me/content/images/2021/11/antenna-resized.jpg)

Every bolt from here on is a Torx T8H. Looking at the top there are 5 bolts to undo which loosen the LED indicator board.

![](https://eddiez.me/content/images/2021/11/top-resized.jpg)

With the top LED indicator board off we can see where all the antenna's terminate. If you wanted to attach an external antenna, this is where you'd do it.

![](https://eddiez.me/content/images/2021/11/antenna-resized-1.jpg)

Unfortunately, accessibility to the connectors is very limited as some snake under the heatsink. I did try removing the heatsink later but it was pretty solidly bound to the PCB so I'm not sure if it's held together with a thermal epoxy or if I missed some bolts.

Next up, looking at the side of the device with the smaller heatsink (Android side), there are two more bolts on the diagonal face to loosen.

![](https://eddiez.me/content/images/2021/11/phone-side-resized.jpg)

This allows you to lift up 2/5 sides of the antenna assembly revealing the Android device.

![](https://eddiez.me/content/images/2021/11/phone-resized.jpg)

Removing the 4 bolts that hold the Android side in allows you to lift and fold the device over like we've done with the antenna panels.

![](https://eddiez.me/content/images/2021/11/phone-flipped-resized.jpg)

This also reveals the backside of the Alcatel-Lucent router and the only electrical interconnect between the two devices in the bottom right.

![](https://eddiez.me/content/images/2021/11/router-backside-resized-3.jpg)

I didn't go any further as the router side is mostly covered up by it's heatsink and if it's anything like the Android side then it was likely to also be difficult to remove.

CVE-2021-45896: WIP: Hacking the Nokia Fastmile

basic/BasicAuthProvider.java in AuthGuard before 0.9.0 allows authentication via an inactive identifier.

@@ -7,10 +7,7 @@ import com.nexblocks.authguard.service.exceptions.ServiceAuthorizationException; import com.nexblocks.authguard.service.exceptions.ServiceException; import com.nexblocks.authguard.service.exceptions.codes.ErrorCode; import com.nexblocks.authguard.service.model.AccountBO; import com.nexblocks.authguard.service.model.AuthRequestBO; import com.nexblocks.authguard.service.model.CredentialsBO; import com.nexblocks.authguard.service.model.EntityType; import com.nexblocks.authguard.service.model.\*; import com.google.inject.Inject; import io.vavr.control.Either; import org.slf4j.Logger; @@ -86,7 +83,14 @@ public BasicAuthProvider(final CredentialsService credentialsService, final Acco private Either<Exception, AccountBO\> verifyCredentialsAndGetAccount(final String username, final String password) { final Optional<CredentialsBO\> credentials \= credentialsService.getByUsernameUnsafe(username);  
// TODO replace this with Either mapping if (credentials.isPresent()) { final Optional<Exception\> validationError \= checkIdentifier(credentials.get(), username);  
if (validationError.isPresent()) { return Either.left(validationError.get()); }  
if (securePassword.verify(password, credentials.get().getHashedPassword())) { return getAccountById(credentials.get().getAccountId()); } else { @@ -103,13 +107,38 @@ public BasicAuthProvider(final CredentialsService credentialsService, final Acco final Optional<CredentialsBO\> credentials \= credentialsService.getByUsernameUnsafe(username);  
if (credentials.isPresent()) { final Optional<Exception\> validationError \= checkIdentifier(credentials.get(), username);  
if (validationError.isPresent()) { return Either.left(validationError.get()); }  
return getAccountById(credentials.get().getAccountId()); } else { return Either.left(new ServiceAuthorizationException(ErrorCode.CREDENTIALS\_DOES\_NOT\_EXIST, "Identifier " + username + " does not exist")); } }  
private Optional<Exception\> checkIdentifier(final CredentialsBO credentials, final String identifier) { final Optional<UserIdentifierBO\> matchedIdentifier \= credentials.getIdentifiers() .stream() .filter(existing \-\> identifier.equals(existing.getIdentifier())) .findFirst();  
if (matchedIdentifier.isEmpty()) { return Optional.of(new IllegalStateException("No identifier matched but credentials were returned")); }  
if (!matchedIdentifier.get().isActive()) { return Optional.of(new ServiceAuthorizationException(ErrorCode.INACTIVE\_IDENTIFIER, "Identifier is not active", EntityType.ACCOUNT, credentials.getAccountId())); }  
return Optional.empty(); }  
private Either<Exception, AccountBO\> getAccountById(final String accountId) { final Optional<AccountBO\> account \= accountsService.getById(accountId);

CVE-2021-45890: Prevent authentication with inactive identifiers · AuthGuard/AuthGuard@9783b11

An issue was discovered in the Linux kernel before 5.15.11. There is a memory leak in the __rds_conn_create() function in net/rds/connection.c in a certain combination of circumstances.

CVE-2021-45480

An issue was discovered in UTI Mutual fund Android application 5.4.18 and prior, allows attackers to brute force enumeration of usernames determined by the error message returned after invalid credentials are attempted.

Investing in Mutual Funds is now easy with the UTI MF (UTI Mutual Funds) App. It gives you a hassle-free experience to invest in any mutual fund scheme of your choice from anywhere, anytime with just a few clicks. The paperless transactions allow new investors to start a SIP or invest a lumpsum with ease.

With UTI MF app, our existing customers can invest, track and manage their mutual fund investments, get statement of account and enjoy a host of other features that makes their investing a pleasant experience.

Why Choose UTI MF app for mutual fund investment?  
Heralding a new era of mobile-ready investments, the UTI MF app is intuitive, easy to use and specially designed to give you to a one-of-kind experience that is simple, fast and hassle-free. With the UTI MF app, you can perform all financial transaction on the go. You can register for a new scheme, invest in a scheme of your choice, redeem, track performance, and accomplish all your financial goals.

Features and Benefits of Investing in Mutual Fund with UTI MF App :  
The UTI MF app is designed in a way to offer you a one-stop solution for all your investment needs.  
You can enjoy a wide range of exciting new features and benefits, such as –  
1\. It promotes 100% paperless transactions.  
2\. You can easily sign up and sign in into your account using PAN card or folio number.  
3\. Explore and know the details of various UTI mutual funds and check the fund-related latest and historic data, including NAVs.  
4\. The One Click Investment is a NIFTY tool that allows you to purchase/sell units with click of a button.  
5\. The e-Smart features allow you to make payment for all your transactions with a single click without the hassles of accessing internet banking or entering debit card details.  
6\. The easy-to-use calculators allows you to plan your investments, including setting a goal, purchasing an SIP. You can also email the results to yourself for posterity.  
7\. The factsheet gives easy access to fund details and quarterly performance to all investors.  
8\. uSAVE allows you to make smart investment decisions and grow your savings through investment in liquid funds. It also allows you to instantly Redeem up to Rs. 50,000 into your bank account through IMPS.  
9\. You can mark and save your transactions as favourite for easy and quick reference in the future.  
10\. The Learn and invest sections is specially crafted to give you the best information content and be a master at investment and make smarter decisions. The information can also be saved and shared through social media.

Start investing in UTI Mutual Fund Regular as well as Direct Plans with UTI MF App :  
● The switch option allows you to easily switch your investment in equity fund to debt fund and vice-versa with ease.  
● Start investing in a new systematic investment plan through monthly or quarterly SIP with minimum investment amount as low as Rs. 500 for period of six months or more to suit your needs.  
● The investing in mutual funds through SIP is an excellent way to invest a small and grow your capital.  
● Get professional support to manage your investment portfolio.

Invest in Mutual Fund for Free with UTIMF App :  
● Create your mutual fund investment account within few minutes.  
● Invest in mutual funds schemes of your choice by starting an SIP or invest a lump sum with just a few clicks.  
● Carry out the transaction without any paperwork.  
● Use the UTI MF app, a one-stop solution for all your mutual fund investment needs.  
● One of the leading and most popular investment apps in India.

Select from a wide range of our Mutual Fund schemes :  
● Debt Category Funds  
● Equity Category Funds  
● Hybrid Category Funds  
● Overnight & Liquid Funds  
● Solution Based Funds  
● ETFs

CVE-2020-35398: UTI Mutual Fund Invest in Mutual Fund Online – Apps on Google Play

A memory corruption issue was addressed with improved memory handling. This issue is fixed in macOS High Sierra 10.13. An application may be able to execute arbitrary code with elevated privileges.

Tag

#google