In drivers/hid/hid-elo.c in the Linux kernel before 5.16.11, a memory leak exists for a certain hid_parse error condition.

![Openwall](https://www.openwall.com/logo.png)

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

CVE-2022-27950: security - Memory leak in Linux HID-elo driver

Pillow before 9.0.1 allows attackers to delete files because spaces in temporary pathnames are mishandled.

Back to top

Edit this page

Toggle table of contents sidebar

**Security#**

This release addresses several security problems.

CVE-2022-24303: If the path to the temporary directory on Linux or macOS contained a space, this would break removal of the temporary image file after im.show() (and related actions), and potentially remove an unrelated file. This has been present since PIL.

CVE-2022-22817: While Pillow 9.0 restricted top-level builtins available to PIL.ImageMath.eval(), it did not prevent builtins available to lambda expressions. These are now also restricted.

**Other Changes#**

Pillow 9.0 added support for xdg-open as an image viewer, but there have been reports that the temporary image file was removed too quickly to be loaded into the final application. A delay has been added.

CVE-2022-24303: 9.0.1

**Security¶**

This release addresses several security problems.

CVE-2022-24303: If the path to the temporary directory on Linux or macOS contained a space, this would break removal of the temporary image file after `im.show()` (and related actions), and potentially remove an unrelated file. This been present since PIL.

CVE-2022-22817: While Pillow 9.0 restricted top-level builtins available to `PIL.ImageMath.eval()`, it did not prevent builtins available to lambda expressions. These are now also restricted.

**Other Changes¶**

Pillow 9.0 added support for `xdg-open` as an image viewer, but there have been reports that the temporary image file was removed too quickly to be loaded into the final application. A delay has been added.

Technitium Installer v4.4 was discovered to allow attackers to execute arbitrary code or escalate privileges via placing a crafted DLL in the same directory as the current installer.

**DLL-Hijacking-Vulnerability-in-Technitium-Installer-v4.4**

![image](https://user-images.githubusercontent.com/21979646/155652696-751b0227-004a-4928-b663-aea9178c38d2.png)

**Vulnerable Software and Version**:  

1.  Technitium Installer v4.4

**Vulnerable software download link**:  
https://technitium.com/tmac/

**Date discovered and reported**:  
25 Feb 2022  

**Description**:  
**Technitium Installer v4.4** is suffering from **CWD DLL Hijacking** by placing x86 **SXS.dll** in the same directory as the installer , which could cause **arbitrary code execution and privilege escalation** since the installer requires admin right to run by design.

The installer is actually looking for below DLLs in the current directory as the installer but then only SXS.dll is tested and hijacked successfully

1.  SXS.dll
2.  MSVBVM60.dll
3.  VCRUNTIME140.dll

**Attack vector**:  
Taking SXS.dll as an example, placing the malicious crafted dll in the current directory as the installer and whenever a user click the installer, **arbitrary code execution and privilege escalation** could be achieved.

PoC code of dll can be found in my repository

**Attack steps**:  

1.  Craft and drop a malicious DLL named as "SXS.dll" with entry point DllMain ![image](https://user-images.githubusercontent.com/21979646/155653240-ef58e64b-802e-4268-a9a6-cc8e74c576c0.png)
    
2.  Double click the executable, administrator privilege is required to run
    
3.  Malicious DLL has been called and an admin shell can be obtained as PoC ![image](https://user-images.githubusercontent.com/21979646/155653291-16145a65-ccdc-4461-a328-f6dc277e4d54.png)

CVE-2022-26200: GitHub - ScriptIdiot/DLL-Hijacking-Vulnerability-in-Technitium-Installer-v4.4

The combination of primitives offered by SMB and AFP in their default configuration allows the arbitrary writing of files. By exploiting these combination of primitives, an attacker can execute arbitrary code.

**WDC Tracking Number:** WDC-22005  
**Published:** March 24, 2022

**Last Updated:** March 24, 2022

**Description**

Netatalk is an open-source Apple File Protocol fileserver that was being used by Western Digital products to access network shares and perform Time Machine backups. Multiple critical vulnerabilities have been discovered in Netatalk. Because Netatalk is unmaintained, we have removed Netatalk from our firmware released on January 10, 2022. Users can continue to access local network shares and perform Time Machine backup via SMB. For additional information, please refer to this KBA.

To take advantage of the latest security fixes, Western Digital recommends that users promptly update their devices to the latest firmware by clicking on the firmware update notification.

**Product Impact**

**Minimum Fix Version**

**Last Updated**

My Cloud PR2100

5.19.117

January 10, 2022

My Cloud PR4100

5.19.117

January 10, 2022

My Cloud EX4100

5.19.117

January 10, 2022

My Cloud EX2 Ultra

5.19.117

January 10, 2022

My Cloud Mirror Gen 2

5.19.117

January 10, 2022

My Cloud DL2100

5.19.117

January 10, 2022

My Cloud DL4100

5.19.117

January 10, 2022

My Cloud EX2100

5.19.117

January 10, 2022

My Cloud

5.19.117

January 10, 2022

WD Cloud

5.19.117

January 10, 2022

My Cloud Home

7.16-220

January 10, 2022

**Advisory Summary**

A stack-based buffer overflow vulnerability was discovered within the ad\_addcomment function that could lead to an unauthenticated remote code execution. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer.

**CVE Number:** CVE-2022-0194

**Reported By:** Theori (@theori\_io) working with Trend Micro’s Zero Day Initiative

An improper handling of exceptional conditions issue was found in the parse\_entries function that did not properly handle parsing AppleDouble entries. This vulnerability could allow a remote attacker to carry out an unauthenticated remote command execution on affected versions of Netatalk.

**CVE Number:** CVE-2022-23121

**Reporteb By:** NCC Group EDG (Alex Plaskett, Cedric Halbronn, Aaron Adams) working with Trend Micro’s Zero Day Initiative

A stack-based buffer overflow vulnerability was discovered within the setfilparams function that could lead to an unauthenticated remote code execution. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer.

**CVE Number:** CVE-2022-23122

**Reported By:** Orange Tsai (@orange\_8361) from DEVCORE Research Team working with Trend Micro’s Zero Day Initiative

An out-of-bounds read information disclosure vulnerability was discovered in the getdirparams method that could allow an attacker to disclose sensitive information or carry out an unauthenticated remote code execution on the device. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer.

**CVE Number:** CVE-2022-23123

**Reported By:** Orange Tsai (@orange\_8361) from DEVCORE Research Team working with Trend Micro’s Zero Day Initiative

An out-of-bounds read information disclosure vulnerability was discovered in the get\_finderinfo method that could allow an attacker to disclose sensitive information or carry out an unauthenticated remote code execution on the device. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer.

**CVE Number:** CVE-2022-23124

**Reported By:** Theori (@theori\_io) working with Trend Micro’s Zero Day Initiative

A stack-based buffer overflow vulnerability was discovered within the copyapplfile function that could lead to an unauthenticated remote code execution. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer.

**CVE Number:** CVE-2022-23125

**Reported By:** Theori (@theori\_io) working with Trend Micro’s Zero Day Initiative

The combination of primitives offered by SMB and AFP in their default configuration allows the arbitrary writing of files. By exploiting these combination of primitives, an attacker can execute arbitrary code.

**CVE Number:** CVE-2022-22995

**Reported By:** Corentin BAYET (@OnlyTheDuck), Etienne HELLUY-LAFONT and Luca MORO (@johncool\_\_) from Synacktiv working with Trend Micro’s Zero Day Initiative

*      
    
    {{ skuObj.title.length < 15 ? skuObj.title : skuObj.title.substring(0,14) + "..." }}

CVE-2022-22995: WDC-22005 Netatalk Security Vulnerabilities | Western Digital

**WDC Tracking Number:** WDC-22005  
**Published:** March 24, 2022

**Last Updated:** March 24, 2022

**Description**

Netatalk is an open-source Apple File Protocol fileserver that was being used by Western Digital products to access network shares and perform Time Machine backups. Multiple critical vulnerabilities have been discovered in Netatalk. Because Netatalk is unmaintained, we have removed Netatalk from our firmware released on January 10, 2022. Users can continue to access local network shares and perform Time Machine backup via SMB. For additional information, please refer to this KBA.

To take advantage of the latest security fixes, Western Digital recommends that users promptly update their devices to the latest firmware by clicking on the firmware update notification.

**Product Impact**

**Minimum Fix Version**

**Last Updated**

My Cloud PR2100

5.19.117

January 10, 2022

My Cloud PR4100

5.19.117

January 10, 2022

My Cloud EX4100

5.19.117

January 10, 2022

My Cloud EX2 Ultra

5.19.117

January 10, 2022

My Cloud Mirror Gen 2

5.19.117

January 10, 2022

My Cloud DL2100

5.19.117

January 10, 2022

My Cloud DL4100

5.19.117

January 10, 2022

My Cloud EX2100

5.19.117

January 10, 2022

My Cloud

5.19.117

January 10, 2022

WD Cloud

5.19.117

January 10, 2022

My Cloud Home

7.16-220

January 10, 2022

**Advisory Summary**

A stack-based buffer overflow vulnerability was discovered within the ad\_addcomment function that could lead to an unauthenticated remote code execution. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer.

**CVE Number:** CVE-2022-0194

**Reported By:** Theori (@theori\_io) working with Trend Micro’s Zero Day Initiative

An improper handling of exceptional conditions issue was found in the parse\_entries function that did not properly handle parsing AppleDouble entries. This vulnerability could allow a remote attacker to carry out an unauthenticated remote command execution on affected versions of Netatalk.

**CVE Number:** CVE-2022-23121

**Reporteb By:** NCC Group EDG (Alex Plaskett, Cedric Halbronn, Aaron Adams) working with Trend Micro’s Zero Day Initiative

A stack-based buffer overflow vulnerability was discovered within the setfilparams function that could lead to an unauthenticated remote code execution. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer.

**CVE Number:** CVE-2022-23122

**Reported By:** Orange Tsai (@orange\_8361) from DEVCORE Research Team working with Trend Micro’s Zero Day Initiative

An out-of-bounds read information disclosure vulnerability was discovered in the getdirparams method that could allow an attacker to disclose sensitive information or carry out an unauthenticated remote code execution on the device. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer.

**CVE Number:** CVE-2022-23123

**Reported By:** Orange Tsai (@orange\_8361) from DEVCORE Research Team working with Trend Micro’s Zero Day Initiative

An out-of-bounds read information disclosure vulnerability was discovered in the get\_finderinfo method that could allow an attacker to disclose sensitive information or carry out an unauthenticated remote code execution on the device. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer.

**CVE Number:** CVE-2022-23124

**Reported By:** Theori (@theori\_io) working with Trend Micro’s Zero Day Initiative

A stack-based buffer overflow vulnerability was discovered within the copyapplfile function that could lead to an unauthenticated remote code execution. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer.

**CVE Number:** CVE-2022-23125

**Reported By:** Theori (@theori\_io) working with Trend Micro’s Zero Day Initiative

The combination of primitives offered by SMB and AFP in their default configuration allows the arbitrary writing of files. By exploiting these combination of primitives, an attacker can execute arbitrary code.

**CVE Number:** CVE-2022-22995

**Reported By:** Corentin BAYET (@OnlyTheDuck), Etienne HELLUY-LAFONT and Luca MORO (@johncool\_\_) from Synacktiv working with Trend Micro’s Zero Day Initiative

A random memory access flaw was found in the Linux kernel's GPU i915 kernel driver functionality in the way a user may run malicious code on the GPU. This flaw allows a local user to crash the system or escalate their privileges on the system.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[day\] \[month\] \[year\] \[list\]

Date: Tue, 25 Jan 2022 17:55:25 +0000
From: Tvrtko Ursulin <tvrtko.ursulin@...ux.intel.com>
To: oss-security@...ts.openwall.com
Cc: Linus Torvalds <torvalds@...ux-foundation.org>,
 Dave Airlie <airlied@...il.com>, Daniel Vetter <daniel@...ll.ch>,
 Joonas Lahtinen <joonas.lahtinen@...ux.intel.com>,
 Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
 Marian Rehak <mrehak@...hat.com>
Subject: Linux kernel: Security sensitive bug in the i915 kernel driver​ (CVE-2022-0330)


\[This is a public disclosure of an issue reported 7 days ago to 
linux-distros at openwall. CVE-2022-0330 has been assigned to the 
issue since.\]

Hi all,

A missing GPU TLB flush has been discovered in the i915 kernel driver 
which could be exploited by malicious userspace and can manifest in two 
flavours, depending on whether the GPU is running behind an active IOMMU 
(address translation) or not:

1. IOMMU with address translation - malicious userspace can trigger DMAR 
read/write faults getting logged to the kernel log.

2. Without an active IOMMU malicious userspace can gain access (from the 
code executing on the GPU) to random memory pages.

Second case is therefore the serious one.

It is currently not known whether specific memory could be targeted, but 
random memory corruption or data leaks are a known possibility.

Underlying reason for the access to memory not owned is a missing TLB 
flush upon releasing memory which used to back a GPU buffer object back 
to the system.

Flawed assumption was that flushing the TLB at the start of every 
userspace GPU execution is sufficient, given the programming model where 
userspace is expected to declare which graphics virtual memory address 
ranges it will be accessing at the start of every execution. However 
what was not considered is that userspace can legitimately (it is 
allowed in uapi) \_not\_ declare those accesses.

This allows userspace to continue GPU access to memory, while the kernel 
driver (i915) is unaware of it being in use, and therefore is allowed to 
release the backing store back to the system. Should the system then 
give out those pages back for a different use, the exploit situation can 
arise.

Return of the pages back to the system can either be specifically 
engineered by the malicious software, or can happen innocently via 
system memory pressure.

All Intel integrated and discrete GPUs starting from Gen8 (Broadwell) 
are affected.

Fix has already been developed and consists of explicitly flushing the 
TLBs before releasing memory back to the system for any GPU buffer 
objects which were in use from the GPU.

Note that this will have a varying performance impact depending on the 
specific GPU, GPU workload and overall system workload.

Fix for the issue has been provided to the Linus distributions and Linux 
kernel maintainers and is expected to be merged to top of the tree and 
stable and LTS releases shortly. Fix carries the title of "drm/i915: 
Flush TLBs before releasing backing store".

Kind regards,

Tvrtko

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2022-0330: security - Linux kernel: Security sensitive bug in the i915 kernel driver​ (CVE-2022-0330)

A stack overflow flaw was found in the Linux kernel's TIPC protocol functionality in the way a user sends a packet with malicious content where the number of domain member nodes is higher than the 64 allowed. This flaw allows a remote user to crash the system or possibly escalate their privileges if they have access to the TIPC network.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[day\] \[month\] \[year\] \[list\]

Date: Thu, 10 Feb 2022 14:16:41 +0000
From: Samuel Page <samuel.page@...gate.com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: CVE-2022-0435: Remote Stack Overflow in Linux Kernel TIPC Module
 since 4.8 (net/tipc)


Immunity Security Advisory

CVE-2022-0435: A Remote Stack Overflow in The Linux Kernel


========================================================================
Contents
========================================================================

Summary
Analysis
Further Information
Remediation
Acknowledgements
Disclosure Timeline


========================================================================
Summary
========================================================================

We discovered a remotely & locally reachable stack overflow in the Linux
kernel networking module for the Transparent Inter-Process
Communication (TIPC) protocol.

While the module can be found in most major distributions, it must be
loaded in order to be exploited. Furthermore, for remote exploitation
the target would need to have a TIPC bearer set up already i.e.
vulnerability extends to systems using TIPC.

Exploitation is trivial and can lead to denial of service via kernel
panic. In the absence, or bypass, of stack canaries/KASLR the
vulnerability can lead to control flow hijacking with an arbitrary
payload.

The vulnerability has been present since the introduction of the TIPC
monitoring framework in kernel version 4.8.

- Introduced: commit 35c55c9877f8 ("tipc: add neighbor monitoring framework")
- Fixed: https://github.com/torvalds/linux/commit/9aa422ad326634b76309e8ff342c246800621216

========================================================================
Analysis
========================================================================

Transparent Inter Process Communication (TIPC) is an IPC mechanism
designed for intra-cluster communication. Cluster topology is managed
around the concept of nodes and the links between these nodes.

One of the many features of the TIPC module is its monitoring framework.
Introduced into the kernel in June 2016 (commit 35c55c9), the framework
allows nodes to monitor network topology and share their view with other
nodes in the same domain.

Peer state is tracked via \`struct tipc\_peer\`:

...
    /\* struct tipc\_peer: state of a peer node and its domain
     \* @addr: tipc node identity of peer
     \* @head\_map: shows which other nodes currently consider peer 'up'
     \* @domain: most recent domain record from peer
     \* @hash: position in hashed lookup list
     \* @list: position in linked list, in circular ascending order by 'addr'
     \* @applied: number of reported domain members applied on this monitor list
     \* @is\_up: peer is up as seen from this node
     \* @is\_head: peer is assigned domain head as seen from this node
     \* @is\_local: peer is in local domain and should be continuously monitored
     \* @down\_cnt: - numbers of other peers which have reported this on lost
     \*/
    struct tipc\_peer {
        u32 addr;
        struct tipc\_mon\_domain \*domain;
        struct hlist\_node hash;
        struct list\_head list;
        u8 applied;
        u8 down\_cnt;
        bool is\_up;
        bool is\_head;
        bool is\_local;
    };
...

\`struct tipc\_mon\_domain\` referends a domain record, used to define that
peers view of the TIPC topology:

...
    #define MAX\_MON\_DOMAIN       64
    ...

    /\* struct tipc\_mon\_domain: domain record to be transferred between peers
     \* @len: actual size of domain record
     \* @gen: current generation of sender's domain
     \* @ack\_gen: most recent generation of self's domain acked by peer
     \* @member\_cnt: number of domain member nodes described in this record
     \* @up\_map: bit map indicating which of the members the sender considers up
     \* @members: identity of the domain members
     \*/
    struct tipc\_mon\_domain {
        u16 len;
        u16 gen;
        u16 ack\_gen;
        u16 member\_cnt;
        u64 up\_map;
        u32 members\[MAX\_MON\_DOMAIN\];
    };
...

These records are transferred between peers, with each node keeping a
copy of the most up-to-date domain record received from each of its
peers in the \`tipc\_peer->domain\` field.

Records are processed by the function \`tipc\_mon\_rcv\`, which check
\`STATE\_MSG\` received from peers, to see if the message body contains a
valid \`struct tipc\_mon\_domain\`:

...
    /\* tipc\_mon\_rcv - process monitor domain event message
     \*
     \* @data: STATE\_MSG body
     \* @dlen: STATE\_MSG body size (taken from TIPC header)
     \*/
    void tipc\_mon\_rcv(struct net \*net, void \*data, u16 dlen, u32 addr,
        struct tipc\_mon\_state \*state, int bearer\_id)
    {
        ...
        struct tipc\_mon\_domain \*arrv\_dom = data;
        struct tipc\_mon\_domain dom\_bef;
        ...

        /\* Sanity check received domain record \*/                        \[0\]
        if (dlen < dom\_rec\_len(arrv\_dom, 0))                             \[1\]
            return;
        if (dlen != dom\_rec\_len(arrv\_dom, new\_member\_cnt))               \[2\]
            return;
        if (dlen < new\_dlen || arrv\_dlen != new\_dlen)                    \[3\]
            return;
        ...

        /\* Drop duplicate unless we are waiting for a probe response \*/
        if (!more(new\_gen, state->peer\_gen) && !probing)                 \[4\]
            return;
        ...

        /\* Cache current domain record for later use \*/
        dom\_bef.member\_cnt = 0;
        dom = peer->domain;
        if (dom)                                                         \[5\]
            memcpy(&dom\_bef, dom, dom->len);                             \[6\]

        /\* Transform and store received domain record \*/
        if (!dom || (dom->len < new\_dlen)) {
            kfree(dom);
            dom = kmalloc(new\_dlen, GFP\_ATOMIC);                         \[7\]
            peer->domain = dom;
            if (!dom)
                goto exit;
        }
...

The function does some basic sanity checks \[0\] to make sure that a) the
message body actually contains a domain record and b) does it contain a
valid \`struct tipc\_mon\_domain\`.

Where \`data\` is the message body and \`dlen\` is the length of the \`data\`
taken from the message header, the function checks:

- the length of \`data\` is enough to at least hold an empty record \[1\]
- the length of \`data\` matches the expected size of a domain record
  given the provided \`member\_cnt\` field \[2\]
- the length of \`data\` matches the provided \`len\` field \[3\]

Later we fetch the sending peers \`struct peer\` to see if we've already
received a domain record from them \[5\]. If we have, we want to
temporarily cache a copy of the old record to do a comparison later \[6\].

Then, satisfied it's a new and valid record, we'll update the
\`struct peer->domain\` field with the new info. If it's the first domain
record, we'll make a new \`kmalloc\`ation for this \[7\], or if it's larger
than the last one we'll reallocate it.

-----------------
The Vulnerability
-----------------

The vulnerability lies in the fact that during the initial sanity
checks, the function doesn't check that \`member\_cnt\` is below
MAX\_MON\_DOMAIN which defines the maximum size of the \`members\` array.

By pretending to be a peer node and establishing a link with the target,
locally or remotely, we're able to first submit a malicious domain
record containing an arbitrary payload; so long as the len/member\_cnt
fields match up for the sanity checks, this will be kmallocated fine.

Next, we can send a newer domain record which will cause the previous
malicious record to be memcpy'd into a 272 bytes local
\`struct tipc\_mon\_domain\` &dom\_bef \[6\] triggering a stack overflow.

This allows us to overwrite the contents of the stack following
&dom\_bef with our arbitrary members buffer from the malicious domain
record submitted first; the size of which is constrained by the media
MTU (Ethernet, UDP, Inifiband)


========================================================================
Further Information
========================================================================

For a more in-depth analysis, including additional TIPC background, we
will be posting up a follow-up blog to compliment this advisory.

Regarding exploitation, after time has been given for patching and
remediation we will also release a further post discussing exploitation.

Further information will be posted over at https://twitter.com/immunityinc/

========================================================================
Remediation
========================================================================

This vulnerability has been present since the monitoring framework was
first introduced in June 2016, impacting versions 4.8 forward.

The patch below was introduced in commit 9aa422ad3266, so updating your
system to include this patch is the best way to mitigate CVE-2022-0435,
including an additional u16 overflow spotted by Eric Dumazet.

The TIPC module must be loaded for the system to be vulnerable,
furthermore to be targeted remotely the system needs to have a TIPC
bearer enabled. If you don't need to use TIPC or are unsure if you are,
you can take the following steps:

- \`$ lsmod | grep tipc\` will let you know if the module is currently
  loaded,
- \`modprobe -r tipc\` may allow you unload the module if loaded,
  however you may need to reboot your system
- \`$ echo "install tipc /bin/true" >> /etc/modprobe.d/disable-tipc.conf\`
  will prevent the module from being loaded, which is a good idea if you
  have no reason to use it

If you need to use TIPC and can't immediately patch your system, look to
enforce any configurtions that prevent or limit the ability for
attackers to imitate nodes in your cluster. Options include TIPC
protocol level encryption, IPSec/MACSec, network seperation etc.

It's also worth noting that the current \`CONFIG\_FORTIFY\_SRC=y\` is a hard
mitigation to leveraging CVE-2022-0435 for control-flow hijacking, as it
does a bounds check on the size of the offending memcpy and causes a
kernel panic.


========================================================================
Acknowledgements
========================================================================

I'd like to thank the maintainers of the TIPC module, as well as members
of the security@...nel.org and linux-distros@...openwall.org for their
help and work throughout the disclosure process.

I would also like to mention the vulnerability research done on TIPC
previously by SentinelLabs with their work on CVE-2021-43267 and other
security researchers for publishing their findings on TIPC exploitation.

- https://www.sentinelone.com/labs/tipc-remote-linux-kernel-heap-overflow-allows-arbitrary-code-execution/
- https://haxx.in/posts/pwning-tipc/

========================================================================
Disclosure Timeline
========================================================================

- 27/01/2022: Vulnerability & fix suggestion reported
- 05/02/2022: The patch is finalised
- 10/02/2022: Coordinated release date (14:00 GMT)

The information contained in this electronic mail is confidential information intended only for the use of the individual(s) or entity(s) named. If the reader of the message is not the addressee (or authorized to receive for the addressee), you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please immediately notify the sender by reply e-mail and/or by telephone and destroy the original message.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2022-0435: security - CVE-2022-0435: Remote Stack Overflow in Linux Kernel TIPC Module since 4.8 (net/tipc)

Maccms v10 was discovered to contain a reflected cross-site scripting (XSS) vulnerability in /admin.php/admin/vod/data.html via the repeat parameter.

Vulnerability name：Reflective XSS

Vulnerability level：Medium risk

Affected version：v2021.1000.1081<=v2022.1000.3029

Vulnerability location：Many places，Here are some places I found  
1、url：http://127.0.0.1/maccms10/admin.php/admin/art/data.html?select=&input=&type=&status=&level=&lock=&pic=&order=&wd= Affected parameters：select & input  
2、url：http://127.0.0.1maccms10/admin.php/admin/website/data.html?select=&input=&type=&status=&level=&lock=&pic=&order=&wd= Affected parameters：select & input  
3、url：http://127.0.0.1maccms10/admin.php/admin/plog/index.html?type=&wd= Affected parameters：wd  
4、url：http://127.0.0.1maccms10/admin.php/admin/ulog/index.html?mid=&type=&wd= Affected parameters：wd  
5、url：http://127.0.0.1maccms10/admin.php/admin/vod/data.html?repeat= Affected parameters：repeat

Verification process：  
Get administrator cookies through reflective XSS：  
First, the user logs in to the background  
![image](https://user-images.githubusercontent.com/59214809/156299814-e0f84147-53a1-4ed0-96a9-2b1dfa2fe833.png)  
Then we make a payad that can get cookies by using the vulnerable URL，Send it to the victim or make it run by other means.  
For example, here I choose this URL：\[http://127.0.0.1/maccms10/admin123.php/admin/vod/data.html?repeat=%22%3E%3CScRiPt%3Ealert(document.cookie)%3C/ScRiPt%3E\]  
After the victim clicks, the cookie pops up successfully. Here, the XSS platform can also be used to accept the cookie.  
![image](https://user-images.githubusercontent.com/59214809/156300247-fccf0c41-bec5-4f3b-b981-95922bdcb97f.png)  
Other URLs are the same：  
![image](https://user-images.githubusercontent.com/59214809/156300313-f204f505-c000-4d34-80d6-08a03135e951.png)  
![image](https://user-images.githubusercontent.com/59214809/156300373-05372764-6b7c-4912-a22c-56850ebf49f5.png)

Repair method：  
【1】HTML escape the input data so that it is not recognized as an executable script  
【2】Filter the data according to the tags and attributes of the whitelist to clear the executable script (such as script tag, oneror attribute of img tag, etc.)

CVE-2022-27887: There are multiple reflective XSS vulnerabilities in the website · Issue #840 · magicblack/maccms10

An Buffer Overflow vulnerability leading to remote code execution was discovered in MEX01. Remote attackers can use this vulnerability by using the property that the target program copies parameter values to memory through the strcpy() function.

**Security Advisory**

 

CVE-2021-26621 | Netis Korea MEX01 Buffer overflow vulnerability2022.03.25

□ Overview  
 o NetU Corp. (Netis Systems Co., Ltd Branch in Korea) released security update to address buffer overflow vulnerability in MEX01.

Vulnerability

Vulnerability Type

Impact

Severity

CVSS Score

CVE ID

Buffer Overflow

Remote code execution

High

8.1

CVE-2021-26621

  
□ Description  
 o An Buffer Overflow vulnerability leading to remote code execution was discovered in MEX01.  
 o Remote attackers can use this vulnerability by using the property that the target program copies parameter values to memory through the strcpy() function.

□ Affected Product

Affected Product

Product

Version

Platform

MEX01

prior of v1.9.18

Windows, Mac OS and etc.

  
□ Solution  
 o Update software over MEX01 Firmware v1.9.19 version or higher.

□ Reference  
 \[1\] https://netu.co.kr/

□ Etc  
 o Thanks to Dohyun Kim for reporting this vulnerability.

□ 작성 : 침해사고분석단 취약점분석팀

트위터 페이스북

Tag

#mac