An issue was discovered in the Linux kernel before 6.3.4. A use-after-free was found in r592_remove in drivers/memstick/host/r592.c.

CVE-2023-35825

An issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in dm1105_remove in drivers/media/pci/dm1105/dm1105.c.

From: Hans Verkuil <hverkuil@xs4all.nl>
To: Linux Media Mailing List <linux-media@vger.kernel.org>
Cc: "Milen Mitkov (Consultant)" <quic\_mmitkov@quicinc.com>,
	"Niklas Söderlund" <niklas.soderlund+renesas@ragnatech.se>
Subject: \[GIT PULL FOR v6.4\] Various fixes/enhancements
Date: Tue, 21 Mar 2023 16:17:47 +0100	\[thread overview\]
Message-ID: <49bb0b6a-e669-d4e7-d742-a19d2763e947@xs4all.nl> (raw)

The following changes since commit 71937240a472ee551ac8de0e7429b9d49884a388:

  media: ov2685: Select VIDEO\_V4L2\_SUBDEV\_API (2023-03-20 16:32:18 +0100)

are available in the Git repository at:

  git://linuxtv.org/hverkuil/media\_tree.git tags/br-v6.4g

for you to fetch changes up to dacc09862467123c7e5ac45b131e77aafa54fe96:

  media: au0828: remove unnecessary (void\*) conversions (2023-03-21 15:49:12 +0100)

----------------------------------------------------------------
Tag branch

----------------------------------------------------------------
Milen Mitkov (4):
      media: camss: sm8250: Virtual channels for CSID
      media: camss: vfe: Reserve VFE lines on stream start and link to CSID
      media: camss: vfe-480: Multiple outputs support for SM8250
      media: camss: sm8250: Pipeline starting and stopping for multiple virtual channels

Niklas Söderlund (3):
      media: i2c: adv748x: Fix lookup of DV timings
      media: i2c: adv748x: Write initial DV timings to device
      media: i2c: adv748x: Report correct DV timings for pattern generator

Oliver Neukum (1):
      usbtv: usbtv\_set\_regs: the pipe is output

Yang Li (1):
      media: atmel: atmel-isc: Use devm\_platform\_ioremap\_resource()

Yu Zhe (1):
      media: au0828: remove unnecessary (void\*) conversions

Zheng Wang (2):
      media: dm1105: Fix use after free bug in dm1105\_remove due to race condition
      media: saa7134: fix use after free bug in saa7134\_finidev due to race condition

 drivers/media/i2c/adv748x/adv748x-hdmi.c                   | 21 +++++++++++++++------
 drivers/media/pci/dm1105/dm1105.c                          |  1 +
 drivers/media/pci/saa7134/saa7134-ts.c                     |  1 +
 drivers/media/pci/saa7134/saa7134-vbi.c                    |  1 +
 drivers/media/pci/saa7134/saa7134-video.c                  |  1 +
 drivers/media/platform/qcom/camss/camss-csid-gen2.c        | 54 ++++++++++++++++++++++++++++++++++--------------------
 drivers/media/platform/qcom/camss/camss-csid.c             | 44 +++++++++++++++++++++++++++++++-------------
 drivers/media/platform/qcom/camss/camss-csid.h             | 11 +++++++++--
 drivers/media/platform/qcom/camss/camss-vfe-170.c          |  4 ++--
 drivers/media/platform/qcom/camss/camss-vfe-480.c          | 61 ++++++++++++++++++++++++++++++++++++++++---------------------
 drivers/media/platform/qcom/camss/camss-vfe-gen1.c         |  4 ++--
 drivers/media/platform/qcom/camss/camss-vfe.c              |  1 +
 drivers/media/platform/qcom/camss/camss-video.c            | 21 ++++++++++++++++++---
 drivers/media/platform/qcom/camss/camss.c                  |  2 +-
 drivers/media/usb/au0828/au0828-core.c                     |  2 +-
 drivers/media/usb/au0828/au0828-dvb.c                      |  4 ++--
 drivers/media/usb/usbtv/usbtv-core.c                       |  2 +-
 drivers/staging/media/deprecated/atmel/atmel-sama5d2-isc.c |  4 +---
 drivers/staging/media/deprecated/atmel/atmel-sama7g5-isc.c |  4 +---
 19 files changed, 163 insertions(+), 80 deletions(-)

next             reply	other threads:\[~2023-03-21 15:18 UTC|newest\]

**Thread overview:** 2+ messages / expand\[flat|nested\]  mbox.gz  Atom feed  top
**2023-03-21 15:17 Hans Verkuil \[this message\]**
2023-03-21 15:57 \` \[GIT PULL FOR v6.4\] Various fixes/enhancements (#90583) Jenkins

**Reply instructions:**

You may reply publicly to this message via plain-text email
using any one of the following methods:

\* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting\_style#Interleaved\_style

\* Reply using the **\--to**, **\--cc**, and **\--in-reply-to**
  switches of git-send-email(1):

  git send-email \\
    --in-reply-to=49bb0b6a-e669-d4e7-d742-a19d2763e947@xs4all.nl \\
    --to=hverkuil@xs4all.nl \\
    --cc=linux-media@vger.kernel.org \\
    --cc=niklas.soderlund+renesas@ragnatech.se \\
    --cc=quic\_mmitkov@quicinc.com \\
    /path/to/YOUR\_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

\* If your mail client supports setting the **In-Reply-To** header
  via mailto: links, try the mailto: link

Be sure your reply has a **Subject:** header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.

CVE-2023-35824: [GIT PULL FOR v6.4] Various fixes/enhancements

An issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in cedrus_remove in drivers/staging/media/sunxi/cedrus/cedrus.c.

CVE-2023-35826

\* **\[PATCH\] media: cedrus: fix use after free bug in cedrus\_remove due to race condition**
**@ 2023-03-08  3:23 Zheng Wang**
  0 siblings, 0 replies; only message in thread
From: Zheng Wang @ 2023-03-08  3:23 UTC (permalink / raw)
  To: mchehab
  Cc: wens, jernej.skrabec, samuel, linux-media, linux-staging,
	linux-arm-kernel, linux-sunxi, linux-kernel, hackerzheng666,
	1395428693sheep, alex000young, Zheng Wang

In cedrus\_probe, dev->watchdog\_work is bound with cedrus\_watchdog function.
In cedrus\_device\_run, it will started by schedule\_delayed\_work. If there is
unfinished work in cedrus\_remove, there may be a race condition and trigger
UAF bug.

CPU0                  CPU1

                    |cedrus\_watchdog
cedrus\_remove       |
  v4l2\_m2m\_release  |
  kfree(m2m\_dev)    |
                    |
                    | v4l2\_m2m\_get\_curr\_priv
                    |   m2m\_dev //use

Fix it by canceling the worker in cedrus\_remove.

Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
---
 drivers/staging/media/sunxi/cedrus/cedrus.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/staging/media/sunxi/cedrus/cedrus.c b/drivers/staging/media/sunxi/cedrus/cedrus.c
index a43d5ff66716..c95d011c0817 100644
--- a/drivers/staging/media/sunxi/cedrus/cedrus.c
+++ b/drivers/staging/media/sunxi/cedrus/cedrus.c
@@ -546,7 +546,7 @@ static int cedrus\_probe(struct platform\_device \*pdev)
 static int cedrus\_remove(struct platform\_device \*pdev)
 {
 	struct cedrus\_dev \*dev = platform\_get\_drvdata(pdev);
\-
+	cancel\_delayed\_work(&dev->watchdog\_work);
 	if (media\_devnode\_is\_registered(dev->mdev.devnode)) {
 		media\_device\_unregister(&dev->mdev);
 		v4l2\_m2m\_unregister\_media\_controller(dev->m2m\_dev);
-- 
2.25.1


\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

^ permalink raw reply related	\[**flat**|nested\] only message in thread

only message in thread, other threads:\[~2023-03-08  3:24 UTC | newest\]

**Thread overview:** (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-03-08  3:23 \[PATCH\] media: cedrus: fix use after free bug in cedrus\_remove due to race condition Zheng Wang

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).

CVE-2023-35826: fix use after free bug in cedrus_remove due to race condition

An issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in renesas_usb3_remove in drivers/usb/gadget/udc/renesas_usb3.c.

\* **\[PATCH v7\] usb: gadget: udc: renesas\_usb3: Fix use after free bug in  renesas\_usb3\_remove due to race condition**
**@ 2023-03-16 18:08 Zheng Wang**
  2023-03-16 19:07 \` Greg KH
  0 siblings, 1 reply; 3+ messages in thread
From: Zheng Wang @ 2023-03-16 18:08 UTC (permalink / raw)
  To: gregkh
  Cc: skhan, p.zabel, biju.das.jz, phil.edworthy, linux-usb,
	linux-kernel, hackerzheng666, 1395428693sheep, alex000young,
	yoshihiro.shimoda.uh, Zheng Wang

In renesas\_usb3\_probe, role\_work is bound with renesas\_usb3\_role\_work.
renesas\_usb3\_start will be called to start the work.

If we remove the driver which will call usbhs\_remove, there may be
an unfinished work. The possible sequence is as follows:

Fix it by canceling the work before cleanup in the renesas\_usb3\_remove.

Note that removing a driver is a root-only operation, and should never
happen.

CPU0                  			CPU1

                    			| renesas\_usb3\_role\_work
renesas\_usb3\_remove 			|
usb\_role\_switch\_unregister|
device\_unregister   			|
kfree(sw)  	     					|
free usb3->role\_sw  			|
                    			| usb\_role\_switch\_set\_role
                    			| //use usb3->role\_sw

This bug was found by static analysis.

Fixes: 39facfa01c9f ("usb: gadget: udc: renesas\_usb3: Add register of usb role switch")
Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
Reviewed-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
---
v7:
- add more details about how the bug was found suggested by Shuah
v6:
- beautify the format and add note suggested by Greg KH
v5:
- fix typo
v4:
- add Reviewed-by label and resubmit v4 suggested by Greg KH
v3:
- modify the commit message to make it clearer suggested by Yoshihiro Shimoda
v2:
- fix typo, use clearer commit message and only cancel the UAF-related work suggested by Yoshihiro Shimoda
---
 drivers/usb/gadget/udc/renesas\_usb3.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/usb/gadget/udc/renesas\_usb3.c b/drivers/usb/gadget/udc/renesas\_usb3.c
index bee6bceafc4f..a301af66bd91 100644
--- a/drivers/usb/gadget/udc/renesas\_usb3.c
+++ b/drivers/usb/gadget/udc/renesas\_usb3.c
@@ -2661,6 +2661,7 @@ static int renesas\_usb3\_remove(struct platform\_device \*pdev)
 	debugfs\_remove\_recursive(usb3->dentry);
 	device\_remove\_file(&pdev->dev, &dev\_attr\_role);
 
+	cancel\_work\_sync(&usb3->role\_work);
 	usb\_role\_switch\_unregister(usb3->role\_sw);
 
 	usb\_del\_gadget\_udc(&usb3->gadget);
-- 
2.25.1

^ permalink raw reply related	\[**flat**|nested\] 3+ messages in thread

\* **Re: \[PATCH v7\] usb: gadget: udc: renesas\_usb3: Fix use after free bug in  renesas\_usb3\_remove due to race condition**
  2023-03-16 18:08 \[PATCH v7\] usb: gadget: udc: renesas\_usb3: Fix use after free bug in renesas\_usb3\_remove due to race condition Zheng Wang
**@ 2023-03-16 19:07 \` Greg KH**
  2023-03-17  3:59   \` Zheng Hacker
  0 siblings, 1 reply; 3+ messages in thread
From: Greg KH @ 2023-03-16 19:07 UTC (permalink / raw)
  To: Zheng Wang
  Cc: skhan, p.zabel, biju.das.jz, phil.edworthy, linux-usb,
	linux-kernel, hackerzheng666, 1395428693sheep, alex000young,
	yoshihiro.shimoda.uh

On Fri, Mar 17, 2023 at 02:08:50AM +0800, Zheng Wang wrote:
\> In renesas\_usb3\_probe, role\_work is bound with renesas\_usb3\_role\_work.
> renesas\_usb3\_start will be called to start the work.
> 
> If we remove the driver which will call usbhs\_remove, there may be
> an unfinished work. The possible sequence is as follows:
> 
> Fix it by canceling the work before cleanup in the renesas\_usb3\_remove.
> 
> Note that removing a driver is a root-only operation, and should never
> happen.
> 
> CPU0                  			CPU1
> 
>                     			| renesas\_usb3\_role\_work
> renesas\_usb3\_remove 			|
> usb\_role\_switch\_unregister|
> device\_unregister   			|
> kfree(sw)  	     					|
> free usb3->role\_sw  			|
>                     			| usb\_role\_switch\_set\_role
>                     			| //use usb3->role\_sw
This still isn't working :(

^ permalink raw reply	\[**flat**|nested\] 3+ messages in thread

\* **Re: \[PATCH v7\] usb: gadget: udc: renesas\_usb3: Fix use after free bug in renesas\_usb3\_remove due to race condition**
  2023-03-16 19:07 \` Greg KH
**@ 2023-03-17  3:59   \` Zheng Hacker**
  0 siblings, 0 replies; 3+ messages in thread
From: Zheng Hacker @ 2023-03-17  3:59 UTC (permalink / raw)
  To: Greg KH
  Cc: Zheng Wang, skhan, p.zabel, biju.das.jz, phil.edworthy,
	linux-usb, linux-kernel, 1395428693sheep, alex000young,
	yoshihiro.shimoda.uh

Greg KH <gregkh@linuxfoundation.org> 于2023年3月17日周五 03:07写道：
\>
> On Fri, Mar 17, 2023 at 02:08:50AM +0800, Zheng Wang wrote:
> > In renesas\_usb3\_probe, role\_work is bound with renesas\_usb3\_role\_work.
> > renesas\_usb3\_start will be called to start the work.
> >
> > If we remove the driver which will call usbhs\_remove, there may be
> > an unfinished work. The possible sequence is as follows:
> >
> > Fix it by canceling the work before cleanup in the renesas\_usb3\_remove.
> >
> > Note that removing a driver is a root-only operation, and should never
> > happen.
> >
> > CPU0                                          CPU1
> >
> >                                       | renesas\_usb3\_role\_work
> > renesas\_usb3\_remove                   |
> > usb\_role\_switch\_unregister|
> > device\_unregister                     |
> > kfree(sw)                                             |
> > free usb3->role\_sw                    |
> >                                       | usb\_role\_switch\_set\_role
> >                                       | //use usb3->role\_sw
>
> This still isn't working :(
>
Sorry I haven't read your advice when submiting this version of patch.

Best Regards,
Zheng

^ permalink raw reply	\[**flat**|nested\] 3+ messages in thread

end of thread, other threads:\[~2023-03-17  4:00 UTC | newest\]

**Thread overview:** 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-03-16 18:08 \[PATCH v7\] usb: gadget: udc: renesas\_usb3: Fix use after free bug in renesas\_usb3\_remove due to race condition Zheng Wang
2023-03-16 19:07 \` Greg KH
2023-03-17  3:59   \` Zheng Hacker

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).

CVE-2023-35828: Fix use after free bug in renesas_usb3_remove due to race condition

CVE-2023-35828

An issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in rkvdec_remove in drivers/staging/media/rkvdec/rkvdec.c.

\* **\[PATCH\] media: rkvdec: fix use after free bug in rkvdec\_remove**
**@ 2023-03-07 17:39 Zheng Wang**
  0 siblings, 0 replies; only message in thread
From: Zheng Wang @ 2023-03-07 17:39 UTC (permalink / raw)
  To: ezequiel
  Cc: mchehab, gregkh, linux-media, linux-rockchip, linux-staging,
	linux-kernel, hackerzheng666, 1395428693sheep, alex000young,
	Zheng Wang

In rkvdec\_probe, rkvdec->watchdog\_work is bound with
rkvdec\_watchdog\_func. Then rkvdec\_vp9\_run may
be called to start the work.

If we remove the module which will call rkvdec\_remove
 to make cleanup, there may be a unfinished work.
 The possible sequence is as follows, which will
 cause a typical UAF bug.

Fix it by canceling the work before cleanup in rkvdec\_remove.

CPU0                  CPU1

                    |rkvdec\_watchdog\_func
rkvdec\_remove       |
 rkvdec\_v4l2\_cleanup|
  v4l2\_m2m\_release  |
    kfree(m2m\_dev); |
                    |
                    | v4l2\_m2m\_get\_curr\_priv
                    |   m2m\_dev->curr\_ctx //use

Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
---
 drivers/staging/media/rkvdec/rkvdec.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/staging/media/rkvdec/rkvdec.c b/drivers/staging/media/rkvdec/rkvdec.c
index 7bab7586918c..6b14655a8e2c 100644
--- a/drivers/staging/media/rkvdec/rkvdec.c
+++ b/drivers/staging/media/rkvdec/rkvdec.c
@@ -1066,6 +1066,7 @@ static int rkvdec\_remove(struct platform\_device \*pdev)
 {
 	struct rkvdec\_dev \*rkvdec = platform\_get\_drvdata(pdev);
 
+	cancel\_delayed\_work(&rkvdec->watchdog\_work);
 	rkvdec\_v4l2\_cleanup(rkvdec);
 	pm\_runtime\_disable(&pdev->dev);
 	pm\_runtime\_dont\_use\_autosuspend(&pdev->dev);
-- 
2.25.1

^ permalink raw reply related	\[**flat**|nested\] only message in thread

only message in thread, other threads:\[~2023-03-07 17:46 UTC | newest\]

**Thread overview:** (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-03-07 17:39 \[PATCH\] media: rkvdec: fix use after free bug in rkvdec\_remove Zheng Wang

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).

CVE-2023-35829: fix use after free bug in rkvdec_remove

By Waqas
According to researchers, these fake accounts on GitHub and Twitter are spreading malware that infects both Windows- and Linux-based systems.
This is a post from HackRead.com Read the original post: Warning: Fake GitHub Repos Delivering Malware as PoCs

Around half a dozen fake accounts were discovered on GitHub, and several were found on Twitter. All of them used headshots of renowned security researchers and hosted zero-day exploits.

Supply chain attacks could be highly destructive if the target is as high-profile and widely used as GitHub. Cybersecurity researchers at VulnCheck have discovered a supply chain attack targeting GitHub and Twitter.

According to their report, multiple accounts on GitHub and Twitter claim to distribute PoC (proof-of-concept) exploits for zero-day exploits in popular software. However, these are fake accounts, and the PoCs deliver malware.

****Campaign Discovery****

VulnCheck discovered this campaign in May 2023 when it checked a GitHub repository hosting code that the author claimed was a zero-day for the Signal app. The next day, they discovered another account offering a WhatsApp zero-day.

Researchers kept finding bogus accounts throughout May 2023, all offering zero-day exploits for apps such as Google Chrome, Signal, Microsoft Exchange Server, and Discord. Later in May, researchers came across similar accounts on Twitter.

Around half a dozen fake accounts were discovered on GitHub, and several were found on Twitter. All of them used headshots of renowned security researchers and hosted zero-day exploits.

****Beware of Fake Accounts on GitHub, Twitter****

According to VulnCheck, unidentified threat actors have created a network of fake accounts on GitHub and Twitter that appear to be associated with cybersecurity researchers. To generate credibility for these accounts, the threat actors have used profile pictures of actual security researchers.

Researchers have noted that these fake repositories are promoted as part of a non-existent firm called High Sierra Cyber Security. Each account features a headshot, Twitter handle, associated organization, followers, a link to the company’s website, and a hidden, malicious repository.

Greg and 6 other fake profiles on GitHub (Left) – Fake account on Twitter (Right) – VulnCheck

****Malicious Objectives Behind Fake Accounts****

These fake accounts distribute a Python script through which a malicious binary is downloaded and executed on the device. It is worth noting that the malware can work on both Windows and Linux-based systems. GitHub accounts have been suspended, but Twitter accounts remain online.

****What are the Dangers?****

Researchers believe that this supply chain attack is very elaborate and can have serious consequences. The SolarWinds attack is one of the most devastating supply chain attacks, affecting many public and private sector agencies and causing extensive damage. A malware-infected software was responsible for this attack.

Considering that GitHub is the world’s largest open-source code repository, the consequences of this particular supply chain attack could be even more drastic. Injecting malicious code into a repository or compromising it can impact various software used by countless endpoints. Attackers can deploy malware to steal sensitive data, perform identity theft, or launch ransomware attacks and wire frauds.

Researchers are unclear whether this is an experiment or a campaign. Nevertheless, it is essential to be cautious when accessing untrusted sources for executing code. Check the full list of fake accounts here.

**RELATED ARTICLES**

1.  Portion of Twitter’s proprietary source code leaked on GitHub
2.  Commit metadata spoofed to create false GitHub repositories
3.  SolarWinds Hackers Use Post-Exploitation Backdoor ‘MagicWeb’

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Warning: Fake GitHub Repos Delivering Malware as PoCs

Cybersecurity researchers have discovered previously undocumented payloads associated with a Romanian threat actor named Diicot, revealing its potential for launching distributed denial-of-service (DDoS) attacks.
"The Diicot name is significant, as it's also the name of the Romanian organized crime and anti-terrorism policing unit," Cado Security said in a technical report. "In addition,

Cryptojacking / Network Security

Cybersecurity researchers have discovered previously undocumented payloads associated with a Romanian threat actor named **Diicot**, revealing its potential for launching distributed denial-of-service (DDoS) attacks.

"The Diicot name is significant, as it's also the name of the Romanian organized crime and anti-terrorism policing unit," Cado Security said in a technical report. "In addition, artifacts from the group's campaigns contain messaging and imagery related to this organization."

Diicot (née Mexals) was first documented by Bitdefender in July 2021, uncovering the actor's use of a Go-based SSH brute-forcer tool called Diicot Brute to breach Linux hosts as part of a cryptojacking campaign.

Then earlier this April, Akamai disclosed what it described as a "resurgence" of the 2021 activity that's believed to have started around October 2022, netting the actor about $10,000 in illicit profits.

"The attackers use a long chain of payloads before eventually dropping a Monero cryptominer," Akamai researcher Stiv Kupchik said at the time. "New capabilities include usage of a Secure Shell Protocol (SSH) worm module, increased reporting, better payload obfuscation, and a new LAN spreader module."

The latest analysis from Cado Security shows that the group is also deploying an off-the-shelf botnet referred to as Cayosin, a malware family that shares characteristics with Qbot and Mirai.

The development is a sign that the threat actor now possesses the ability to mount DDoS attacks. Other activities carried out by the group include doxxing of rival hacking groups and its reliance on Discord for command-and-control and data exfiltration.

"Deployment of this agent was targeted at routers running the Linux-based embedded devices operating system, OpenWrt," the cybersecurity company said. "The use of Cayosin demonstrates Diicot's willingness to conduct a variety of attacks (not just cryptojacking) depending on the type of targets they encounter."

Diicot's compromise chains have remained largely consistent, leveraging the custom SSH brute-forcing utility to gain a foothold and drop additional malware such as the Mirai variant and the crypto miner.

Some of the other tools used by the actor are as follows -

*   **Chrome** - An internet scanner based on Zmap that can write the results of the operation to a text file ("bios.txt").
*   **Update** - An executable that fetches and executes the SSH brute-forcer and Chrome if they don't exist in the system.
*   **History** - A shell script that's designed to run Update

The SSH brute-forcer tool (aka aliases), for its part, parses the text file output of Chrome to break into each of the identified IP addresses, and if successful, establishes remote connection to the IP address.

UPCOMING WEBINAR

🔐 Mastering API Security: Understanding Your True Attack Surface

Discover the untapped vulnerabilities in your API ecosystem and take proactive steps towards ironclad security. Join our insightful webinar!

Join the Session

This is then followed by running a series of commands to profile the infected host and using it to either deploy a cryptominer or make it act as a spreader if the machine's CPU has less than four cores.

To mitigate such attacks, organizations are recommended to implement SSH hardening and firewall rules to limit SSH access to specific IP addresses.

"This campaign specifically targets SSH servers exposed to the internet with password authentication enabled," Cado Security said. "The username/password list they use is relatively limited and includes default and easily-guessed credential pairs."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

 From Cryptojacking to DDoS Attacks: Diicot Expands Tactics with Cayosin Botnet

An issue was discovered in fl_set_geneve_opt in net/sched/cls_flower.c in the Linux kernel before 6.3.7. It allows an out-of-bounds write in the flower classifier code via TCA_FLOWER_KEY_ENC_OPTS_GENEVE packets. This may result in denial of service or privilege escalation.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[thread-next>\] \[day\] \[month\] \[year\] \[list\]

Date: Wed, 7 Jun 2023 11:32:31 +0800
From: Hangyu Hua <hbh25y@...il.com>
To: oss-security@...ts.openwall.com
Subject: Linux kernel: off-by-one in fl\_set\_geneve\_opt

Hi guys,

I find a off-by-one bug in linux kernel's Flower
classifier(NET\_CLS\_FLOWER). It can cause denial-of-service and privilege 
escalation.

# Details:

static int fl\_set\_geneve\_opt(const struct nlattr \*nla, struct 
fl\_flow\_key \*key,
      int depth, int option\_len,
      struct netlink\_ext\_ack \*extack)
{
struct nlattr \*tb\[TCA\_FLOWER\_KEY\_ENC\_OPT\_GENEVE\_MAX + 1\];
struct nlattr \*class = NULL, \*type = NULL, \*data = NULL;
struct geneve\_opt \*opt;
int err, data\_len = 0;

if (option\_len > sizeof(struct geneve\_opt))
data\_len = option\_len - sizeof(struct geneve\_opt);

opt = (struct geneve\_opt \*)&key->enc\_opts.data\[key->enc\_opts.len\]; <--- \[1\]
memset(opt, 0xff, option\_len);
opt->length = data\_len / 4;
opt->r1 = 0;
opt->r2 = 0;
opt->r3 = 0;

...
if (tb\[TCA\_FLOWER\_KEY\_ENC\_OPT\_GENEVE\_DATA\]) {
int new\_len = key->enc\_opts.len;

data = tb\[TCA\_FLOWER\_KEY\_ENC\_OPT\_GENEVE\_DATA\];
data\_len = nla\_len(data);
if (data\_len < 4) {
NL\_SET\_ERR\_MSG(extack, "Tunnel key geneve option data is less than 4
bytes long");
return -ERANGE;
}
if (data\_len % 4) {
NL\_SET\_ERR\_MSG(extack, "Tunnel key geneve option data is not a
multiple of 4 bytes long");
return -ERANGE;
}

new\_len += sizeof(struct geneve\_opt) + data\_len;
BUILD\_BUG\_ON(FLOW\_DIS\_TUN\_OPTS\_MAX != IP\_TUNNEL\_OPTS\_MAX);
if (new\_len > FLOW\_DIS\_TUN\_OPTS\_MAX) { <--- \[2\]
NL\_SET\_ERR\_MSG(extack, "Tunnel options exceeds max size");
return -ERANGE;
}
opt->length = data\_len / 4;
memcpy(opt->opt\_data, nla\_data(data), data\_len); <--- \[3\]
}
...
}

We can see that opt use key->enc\_opts.len to get its pointer from
key->enc\_opts.data\[\] in \[1\]. Then length will be set to "data\_len /
4". The bug is that if we send two TCA\_FLOWER\_KEY\_ENC\_OPTS\_GENEVE
packets and their total size is 252 bytes(key->enc\_opts.len = 252)
then key->enc\_opts.len = opt->length = data\_len / 4 when the third
TCA\_FLOWER\_KEY\_ENC\_OPTS\_GENEVE packet enters fl\_set\_geneve\_opt. This
can bypass the check in \[2\] and cause out of bound write in
\[3\](opt->opt\_data = key->enc\_opts.data\[257\]).

# Patch

I already contacted the linux security team and made a patch:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/net/sched?id=4d56304e5827c8cc8cc18c75343d283af7c4825c

# CVE

Pending

# EXP

In order to avoid confusion i will publish it after I get CVE.

Thanks,
Hangyu

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

Tag

#linux