Ubuntu Security Notice 5583-2 - USN-5583-1 fixed vulnerabilities in systemd. Unfortunately this caused a regression by introducing networking problems for some users. This update fixes the problem. It was discovered that systemd incorrectly handled certain DNS requests, which leads to user-after-free vulnerability. An attacker could possibly use this issue to cause a crash or execute arbitrary code.

==========================================================================  
Ubuntu Security Notice USN-5583-2  
September 14, 2022

systemd regression  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS

Summary:

USN-5583-1 caused a regression in systemd

Software Description:  
- systemd: system and service manager

Details:

USN-5583-1 fixed vulnerabilities in systemd. Unfortunately this caused a   
regression by introducing netowrking problems for some users. This update fixes  
the problem.

We apologize for the inconvenience.

Original advisory details:

 It was discovered that systemd incorrectly handled certain DNS requests,   
 which leads to user-after-free vulnerability. An attacker could possibly use   
 this issue to cause a crash or execute arbitrary code. (CVE-2022-2526)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 18.04 LTS:  
  systemd                         237-3ubuntu10.56

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-5583-2  
  https://ubuntu.com/security/notices/USN-5583-1  
  https://launchpad.net/bugs/1988119

Package Information:  
  https://launchpad.net/ubuntu/+source/systemd/237-3ubuntu10.56

Ubuntu Security Notice USN-5583-2

Ubuntu Security Notice 5609-1 - Graham Esau discovered that .NET 6 incorrectly parsed certain payloads during model binding. An attacker could possibly use this issue to cause a denial of service.

    ==========================================================================Ubuntu Security Notice USN-5609-1September 13, 2022dotnet6 vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTSSummary:.NET 6 could be made to crash if it parsed a specially crafted file.Software Description:- dotnet6: dotNET CLI tools and runtimeDetails:Graham Esau discovered that .NET 6 incorrectly parsed certain payloadsduring model binding. An attacker could possibly use this issue tocause a denial of service.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS:   aspnetcore-runtime-6.0          6.0.109-0ubuntu1~22.04.1   dotnet-host                             6.0.109-0ubuntu1~22.04.1   dotnet-hostfxr-6.0                   6.0.109-0ubuntu1~22.04.1   dotnet-runtime-6.0                  6.0.109-0ubuntu1~22.04.1   dotnet-sdk-6.0                        6.0.109-0ubuntu1~22.04.1   dotnet6                                   6.0.109-0ubuntu1~22.04.1In general, a standard system update will make all the necessary changes. A restart may be required after the update if any affected files are being used.References:   https://ubuntu.com/security/notices/USN-5609-1   CVE-2022-38013Package Information:   https://launchpad.net/ubuntu/+source/dotnet6/6.0.109-0ubuntu1~22.04.1

Ubuntu Security Notice USN-5609-1

Ubuntu Security Notice 5608-1 - It was discovered that DPDK incorrectly handled certain Vhost headers. A remote attacker could possibly use this issue to cause a denial of service.

==========================================================================  
Ubuntu Security Notice USN-5608-1  
September 13, 2022

dpdk vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS

Summary:

DPDK could be made to stop responding if it received specially crafted  
network traffic.

Software Description:  
- dpdk: set of libraries for fast packet processing

Details:

It was discovered that DPDK incorrectly handled certain Vhost headers. A  
remote attacker could possibly use this issue to cause a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS:  
  dpdk                            21.11.2-0ubuntu0.22.04.1

Ubuntu 20.04 LTS:  
  dpdk                            19.11.13-0ubuntu0.20.04.1

Ubuntu 18.04 LTS:  
  dpdk                            17.11.10-0ubuntu0.2

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-5608-1  
  CVE-2022-2132

Package Information:  
  https://launchpad.net/ubuntu/+source/dpdk/21.11.2-0ubuntu0.22.04.1  
  https://launchpad.net/ubuntu/+source/dpdk/19.11.13-0ubuntu0.20.04.1  
  https://launchpad.net/ubuntu/+source/dpdk/17.11.10-0ubuntu0.2

Ubuntu Security Notice USN-5608-1

Ubuntu Security Notice 5607-1 - It was discovered that GDK-PixBuf incorrectly handled certain images. An attacker could possibly use this issue to execute arbitrary code or cause a crash.

=========================================================================  
Ubuntu Security Notice USN-5607-1  
September 13, 2022

gdk-pixbuf vulnerability  
=========================================================================  
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

GDK-PixBuf could be made do execute arbitrary code or  
crash if it received a specially crafted image.

Software Description:  
- gdk-pixbuf: GDK Pixbuf library

Details:

It was discovered that GDK-PixBuf incorrectly handled certain images.  
An attacker could possibly use this issue to execute arbitrary code  
or cause a crash.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS:  
  libgdk-pixbuf-2.0-0             2.42.8+dfsg-1ubuntu0.1

Ubuntu 20.04 LTS:  
  libgdk-pixbuf2.0-0              2.40.0+dfsg-3ubuntu0.4

After a standard system update you need to restart your session to make all  
the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-5607-1  
  CVE-2021-44648

Package Information:  
  https://launchpad.net/ubuntu/+source/gdk-pixbuf/2.42.8+dfsg-1ubuntu0.1  
  https://launchpad.net/ubuntu/+source/gdk-pixbuf/2.40.0+dfsg-3ubuntu0.4

Ubuntu Security Notice USN-5607-1

Tech giant Microsoft on Tuesday shipped fixes to quash 64 new security flaws across its software lineup, including one zero-day flaw that has been actively exploited in real-world attacks.
Of the 64 bugs, five are rated Critical, 57 are rated Important, one is rated Moderate, and one is rated Low in severity. The patches are in addition to 16 vulnerabilities that Microsoft addressed in its

Tech giant Microsoft on Tuesday shipped fixes to quash 64 new security flaws across its software lineup, including one zero-day flaw that has been actively exploited in real-world attacks.

Of the 64 bugs, five are rated Critical, 57 are rated Important, one is rated Moderate, and one is rated Low in severity. The patches are in addition to 16 vulnerabilities that Microsoft addressed in its Chromium-based Edge browser earlier this month.

"In terms of CVEs released, this Patch Tuesday may appear on the lighter side in comparison to other months," Bharat Jogi, director of vulnerability and threat research at Qualys, said in a statement shared with The Hacker News.

"However, this month hit a sizable milestone for the calendar year, with MSFT having fixed the 1000th CVE of 2022 – likely on track to surpass 2021 which patched 1,200 CVEs in total."

The actively exploited vulnerability in question is CVE-2022-37969 (CVSS score: 7.8), a privilege escalation flaw affecting the Windows Common Log File System (CLFS) Driver, which could be leveraged by an adversary to gain SYSTEM privileges on an already compromised asset.

"An attacker must already have access and the ability to run code on the target system. This technique does not allow for remote code execution in cases where the attacker does not already have that ability on the target system," Microsoft said in an advisory.

The tech giant credited four different sets of researchers from CrowdStrike, DBAPPSecurity, Mandiant, and Zscaler for reporting the flaw, which may be an indication of widespread exploitation in the wild, Greg Wiseman, product manager at Rapid7, said in a statement.

CVE-2022-37969 is also the second actively exploited zero-day flaw in the CLFS component after CVE-2022-24521 (CVSS score: 7.8), the latter of which was resolved by Microsoft as part of its April 2022 Patch Tuesday updates.

It's not immediately clear if CVE-2022-37969 is a patch bypass for CVE-2022-24521. Other critical flaws of note are as follows -

*   **CVE-2022-34718** (CVSS score: 9.8) - Windows TCP/IP Remote Code Execution Vulnerability
*   **CVE-2022-34721** (CVSS score: 9.8) - Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution Vulnerability
*   **CVE-2022-34722** (CVSS score: 9.8) - Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution Vulnerability
*   **CVE-2022-34700** (CVSS score: 8.8) - Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability
*   **CVE-2022-35805** (CVSS score: 8.8) - Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability

"An unauthenticated attacker could send a specially crafted IP packet to a target machine that is running Windows and has IPSec enabled, which could enable a remote code execution exploitation," Microsoft said about CVE-2022-34721 and CVE-2022-34722.

Also resolved by Microsoft are 15 remote code execution flaws in Microsoft ODBC Driver, Microsoft OLE DB Provider for SQL Server, and Microsoft SharePoint Server and five privilege escalation bugs spanning Windows Kerberos and Windows Kernel.

The September release is further notable for patching yet another elevation of privilege vulnerability in the Print Spooler module (CVE-2022-38005, CVSS score: 7.8) that could be abused to obtain SYSTEM-level permissions.

Lastly, included in the raft of security updates is a fix released by chipmaker Arm for a speculative execution vulnerability called Branch History Injection or Spectre-BHB (CVE-2022-23960) that came to light earlier this March.

"This class of vulnerabilities poses a large headache to the organizations attempting mitigation, as they often require updates to the operating systems, firmware and in some cases, a recompilation of applications and hardening," Jogi said. "If an attacker successfully exploits this type of vulnerability, they could gain access to sensitive information."

**Software Patches from Other Vendors**

Aside from Microsoft, security updates have also been released by other vendors since the start of the month to rectify dozens of vulnerabilities, including —

*   Adobe
*   Android
*   Apache Projects
*   Apple
*   Cisco
*   Citrix
*   Dell
*   F5
*   Fortinet
*   GitLab
*   Google Chrome
*   HP
*   IBM
*   Lenovo
*   Linux distributions Debian, Oracle Linux, Red Hat, SUSE, and Ubuntu
*   MediaTek
*   NVIDIA
*   Qualcomm
*   Samba
*   SAP
*   Schneider Electric
*   Siemens
*   Trend Micro
*   VMware, and
*   WordPress (which is dropping support for versions 3.7 through 4.0 starting December 1, 2022)

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft's Latest Security Update Fixes 64 New Flaws, Including a Zero-Day

LIEF commit 5d1d643 was discovered to contain a heap-buffer overflow in the component /core/CorePrPsInfo.tcc.

**version**

    latest master [5d1d643](https://github.com/lief-project/LIEF/commit/5d1d643a0c46437b57d35654690e03d26d189070)
    

**Build platform**

Ubuntu 20.04.3 LTS (Linux 5.13.0-52-generic x86\_64)

**Build step**

    cmake .. -DCMAKE_CXX_FLAGS="-fsanitize=address -g" -DCMAKE_C_FLAGS="-fsanitize=address -g" -DCMAKE_EXE_LINKER_FLAGS="-fsanitize=address"
    

**Run**

    ./build/examples/c/elf_reader poc
    

poc.zip

**AddressSanitizer output**

    Can't access the content of section #0
    Can't access the content of section #1
    Can't access the content of section #2
    =================================================================
    ==2292604==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60d000000268 at pc 0x7f5b35470a7d bp 0x7ffe10d8f4c0 sp 0x7ffe10d8ec68
    READ of size 109 at 0x60d000000268 thread T0
        #0 0x7f5b35470a7c in __interceptor_strlen ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:354
        #1 0x55a087822aa7 in std::char_traits<char>::length(char const*) /usr/include/c++/9/bits/char_traits.h:342
        #2 0x55a087822aa7 in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::assign(char const*) /usr/include/c++/9/bits/basic_string.h:1443
        #3 0x55a087822aa7 in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::operator=(char const*) /usr/include/c++/9/bits/basic_string.h:709
        #4 0x55a087822aa7 in void LIEF::ELF::CorePrPsInfo::parse_<LIEF::ELF::details::ELF32>() /home/wcc/LIEF/src/ELF/NoteDetails/core/CorePrPsInfo.tcc:41
        #5 0x55a087822aa7 in LIEF::ELF::CorePrPsInfo::parse() /home/wcc/LIEF/src/ELF/NoteDetails/core/CorePrPsInfo.cpp:156
        #6 0x55a0878260de in LIEF::ELF::CorePrPsInfo::make(LIEF::ELF::Note&) /home/wcc/LIEF/src/ELF/NoteDetails/core/CorePrPsInfo.cpp:44
        #7 0x55a0877383f3 in LIEF::ELF::Note::details() /home/wcc/LIEF/src/ELF/Note.cpp:150
        #8 0x55a08773bbe0 in LIEF::ELF::Note::Note(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, LIEF::ELF::NOTE_TYPES_CORE, std::vector<unsigned char, std::allocator<unsigned char> > const&, LIEF::ELF::Binary*) /home/wcc/LIEF/src/ELF/Note.cpp:92
        #9 0x55a08767077d in std::_MakeUniq<LIEF::ELF::Note>::__single_object std::make_unique<LIEF::ELF::Note, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, LIEF::ELF::NOTE_TYPES_CORE, std::vector<unsigned char, std::allocator<unsigned char> >, LIEF::ELF::Binary*>(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, LIEF::ELF::NOTE_TYPES_CORE&&, std::vector<unsigned char, std::allocator<unsigned char> >&&, LIEF::ELF::Binary*&&) /usr/include/c++/9/bits/unique_ptr.h:857
        #10 0x55a08767077d in LIEF::ELF::Parser::parse_notes(unsigned long, unsigned long) /home/wcc/LIEF/src/ELF/Parser.cpp:568
        #11 0x55a0876ec34e in boost::leaf::result<LIEF::ok_t> LIEF::ELF::Parser::parse_binary<LIEF::ELF::details::ELF32>() /home/wcc/LIEF/src/ELF/Parser.tcc:296
        #12 0x55a08767371e in LIEF::ELF::Parser::init(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/wcc/LIEF/src/ELF/Parser.cpp:323
        #13 0x55a087674f03 in LIEF::ELF::Parser::parse(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, LIEF::ELF::DYNSYM_COUNT_METHODS) /home/wcc/LIEF/src/ELF/Parser.cpp:342
        #14 0x55a087383c06 in elf_parse /home/wcc/LIEF/api/c/ELF/Binary.cpp:67
        #15 0x55a087342c96 in main /home/wcc/LIEF/examples/c/elf_reader.c:16
        #16 0x7f5b34eef0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x240b2)
        #17 0x55a08738373d in _start (/home/wcc/LIEF/build/examples/c/elf_reader+0x31c73d)
    
    0x60d000000268 is located 0 bytes to the right of 136-byte region [0x60d0000001e0,0x60d000000268)
    allocated by thread T0 here:
        #0 0x7f5b35518587 in operator new(unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cc:104
        #1 0x55a08773b79b in __gnu_cxx::new_allocator<unsigned char>::allocate(unsigned long, void const*) /usr/include/c++/9/ext/new_allocator.h:114
        #2 0x55a08773b79b in std::allocator_traits<std::allocator<unsigned char> >::allocate(std::allocator<unsigned char>&, unsigned long) /usr/include/c++/9/bits/alloc_traits.h:443
        #3 0x55a08773b79b in std::_Vector_base<unsigned char, std::allocator<unsigned char> >::_M_allocate(unsigned long) /usr/include/c++/9/bits/stl_vector.h:343
        #4 0x55a08773b79b in std::_Vector_base<unsigned char, std::allocator<unsigned char> >::_M_create_storage(unsigned long) /usr/include/c++/9/bits/stl_vector.h:358
        #5 0x55a08773b79b in std::_Vector_base<unsigned char, std::allocator<unsigned char> >::_Vector_base(unsigned long, std::allocator<unsigned char> const&) /usr/include/c++/9/bits/stl_vector.h:302
        #6 0x55a08773b79b in std::vector<unsigned char, std::allocator<unsigned char> >::vector(std::vector<unsigned char, std::allocator<unsigned char> > const&) /usr/include/c++/9/bits/stl_vector.h:552
        #7 0x55a08773b79b in LIEF::ELF::Note::Note(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, LIEF::ELF::NOTE_TYPES_CORE, std::vector<unsigned char, std::allocator<unsigned char> > const&, LIEF::ELF::Binary*) /home/wcc/LIEF/src/ELF/Note.cpp:89
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:354 in __interceptor_strlen
    Shadow bytes around the buggy address:
      0x0c1a7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c1a7fff8000: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
      0x0c1a7fff8010: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa
      0x0c1a7fff8020: fa fa 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c1a7fff8030: 00 00 00 fa fa fa fa fa fa fa fa fa 00 00 00 00
    =>0x0c1a7fff8040: 00 00 00 00 00 00 00 00 00 00 00 00 00[fa]fa fa
      0x0c1a7fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1a7fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1a7fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1a7fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1a7fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==2292604==ABORTING

CVE-2022-38306: heap-buffer-overflow in elf_reader · Issue #763 · lief-project/LIEF

LIEF commit 365a16a was discovered to contain a heap-buffer overflow via the function print_binary at /c/macho_reader.c.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

CCWANG19 opened this issue

Aug 10, 2022

· 1 comment

Assignees

**Comments**

**Version****Build platform**

Ubuntu 20.04.3 LTS (Linux 5.13.0-52-generic x86\_64)

**Build step****Run**

    ./build/examples/c/macho_reader poc
    

poc.zip

**Output**

    Can't read the state data
    Can't read the raw data of the load command
    Binary Name: poc
    Header
    ========
    Magic: 0xcefaedfe
    CPU Type: ARM64
    CPU SubType: 0x0
    File type: OBJECT
    Number of commands: 0x13a
    Commands size: 0x0
    flags: 0x0
    reserved: 0x0
    Commands
    ========
    THREAD               0x4040000f 0x00001c 
    =================================================================
    ==3241437==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000152 at pc 0x555c3f7df416 bp 0x7ffc25ef7040 sp 0x7ffc25ef7030
    READ of size 1 at 0x602000000152 thread T0
        #0 0x555c3f7df415 in print_binary /home/wcc/LIEF/examples/c/macho_reader.c:39
        #1 0x555c3f7dff11 in main /home/wcc/LIEF/examples/c/macho_reader.c:150
        #2 0x7fe3286cb0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x240b2)
        #3 0x555c3f7debfd in _start (/home/wcc/LIEF/build/examples/c/macho_reader+0x280bfd)
    
    0x602000000152 is located 1 bytes to the right of 1-byte region [0x602000000150,0x602000000151)
    allocated by thread T0 here:
        #0 0x7fe328cf2808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
        #1 0x555c3f8e3d36 in LIEF::MachO::init_c_commands(Macho_Binary_t*, LIEF::MachO::Binary*) /home/wcc/LIEF/api/c/MachO/LoadCommand.cpp:31
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/wcc/LIEF/examples/c/macho_reader.c:39 in print_binary
    Shadow bytes around the buggy address:
      0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff8000: fa fa 00 00 fa fa fd fa fa fa 00 00 fa fa 00 fa
      0x0c047fff8010: fa fa fd fa fa fa 00 fa fa fa 00 fa fa fa 00 fa
    =>0x0c047fff8020: fa fa 00 00 fa fa 00 00 fa fa[01]fa fa fa 00 fa
      0x0c047fff8030: fa fa 00 fa fa fa 00 fa fa fa fa fa fa fa fa fa
      0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==3241437==ABORTING
    
    

Thank you again for reporting these issues!

2 participants

CVE-2022-38495: heap-buffer-overflow in macho_reader.c · Issue #767 · lief-project/LIEF

LIEF commit 365a16a was discovered to contain a segmentation violation via the component CoreFile.tcc:69.

**version****Build platform**

Ubuntu 20.04.3 LTS (Linux 5.13.0-52-generic x86\_64)

**Build step****Run**

    ./build/examples/c/elf_reader poc
    

poc.zip

**Output**

    Can't access the content of section #0
      Can't parse section #01
    Binary doesn't have a program header
    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==3230843==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc 0x559aec0a79de bp 0x0fffef333808 sp 0x7fff7999c000 T0)
    ==3230843==The signal is caused by a WRITE memory access.
    ==3230843==Hint: address points to the zero page.
        #0 0x559aec0a79dd in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_length(unsigned long) /usr/include/c++/9/bits/basic_string.h:187
        #1 0x559aec0a79dd in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_set_length(unsigned long) /usr/include/c++/9/bits/basic_string.h:220
        #2 0x559aec0a79dd in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::operator=(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&&) /usr/include/c++/9/bits/basic_string.h:756
        #3 0x559aec0a79dd in void LIEF::ELF::CoreFile::parse_<LIEF::ELF::details::ELF32>() /home/wcc/LIEF/src/ELF/NoteDetails/core/CoreFile.tcc:69
        #4 0x559aec09aa70 in LIEF::ELF::CoreFile::parse() /home/wcc/LIEF/src/ELF/NoteDetails/core/CoreFile.cpp:114
        #5 0x559aec09aa8d in LIEF::ELF::CoreFile::make(LIEF::ELF::Note&) /home/wcc/LIEF/src/ELF/NoteDetails/core/CoreFile.cpp:38
        #6 0x559aebfdeb66 in LIEF::ELF::Note::details() /home/wcc/LIEF/src/ELF/Note.cpp:156
        #7 0x559aebfe14ee in LIEF::ELF::Note::Note(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, LIEF::ELF::NOTE_TYPES_CORE, std::vector<unsigned char, std::allocator<unsigned char> > const&, LIEF::ELF::Binary*) /home/wcc/LIEF/src/ELF/Note.cpp:92
        #8 0x559aebf183ac in std::_MakeUniq<LIEF::ELF::Note>::__single_object std::make_unique<LIEF::ELF::Note, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, LIEF::ELF::NOTE_TYPES_CORE, std::vector<unsigned char, std::allocator<unsigned char> >, LIEF::ELF::Binary*>(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, LIEF::ELF::NOTE_TYPES_CORE&&, std::vector<unsigned char, std::allocator<unsigned char> >&&, LIEF::ELF::Binary*&&) /usr/include/c++/9/bits/unique_ptr.h:857
        #9 0x559aebf183ac in LIEF::ELF::Parser::parse_notes(unsigned long, unsigned long) /home/wcc/LIEF/src/ELF/Parser.cpp:568
        #10 0x559aebf8c11c in boost::leaf::result<LIEF::ok_t> LIEF::ELF::Parser::parse_binary<LIEF::ELF::details::ELF32>() /home/wcc/LIEF/src/ELF/Parser.tcc:296
        #11 0x559aebf1bad5 in LIEF::ELF::Parser::init(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/wcc/LIEF/src/ELF/Parser.cpp:323
        #12 0x559aebf1bf8d in LIEF::ELF::Parser::parse(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, LIEF::ELF::DYNSYM_COUNT_METHODS) /home/wcc/LIEF/src/ELF/Parser.cpp:342
        #13 0x559aebc1f3ae in elf_parse /home/wcc/LIEF/api/c/ELF/Binary.cpp:67
        #14 0x559aebc1ce4f in main /home/wcc/LIEF/examples/c/elf_reader.c:16
        #15 0x7f49b9b990b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x240b2)
        #16 0x559aebc1cc3d in _start (/home/wcc/LIEF/build/examples/c/elf_reader+0x281c3d)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /usr/include/c++/9/bits/basic_string.h:187 in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_length(unsigned long)
    ==3230843==ABORTING

CVE-2022-38497: SEGV in CoreFile.tcc:69 · Issue #766 · lief-project/LIEF

Ubuntu Security Notice 5606-1 - It was discovered that poppler incorrectly handled certain PDF. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code.

=========================================================================  
Ubuntu Security Notice USN-5606-1  
September 12, 2022

poppler vulnerability  
=========================================================================  
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS  
- Ubuntu 16.04 ESM

Summary:

poppler could be made to crash or execute arbitrary code if  
received a specially crafted PDF.

Software Description:  
- poppler: PDF rendering library

Details:

It was discovered that poppler incorrectly handled certain  
PDF. An attacker could possibly use this issue to cause a  
denial of service or execute arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS:  
  libpoppler118                   22.02.0-2ubuntu0.1  
  poppler-utils                   22.02.0-2ubuntu0.1

Ubuntu 20.04 LTS:  
  libpoppler97                    0.86.1-0ubuntu1.1  
  poppler-utils                   0.86.1-0ubuntu1.1

Ubuntu 18.04 LTS:  
  libpoppler73                    0.62.0-2ubuntu2.13  
  poppler-utils                   0.62.0-2ubuntu2.13

Ubuntu 16.04 ESM:  
  libpoppler58                    0.41.0-0ubuntu1.16+esm1  
  poppler-utils                   0.41.0-0ubuntu1.16+esm1

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-5606-1  
  CVE-2022-38784

Package Information:  
  https://launchpad.net/ubuntu/+source/poppler/22.02.0-2ubuntu0.1  
  https://launchpad.net/ubuntu/+source/poppler/0.86.1-0ubuntu1.1  
  https://launchpad.net/ubuntu/+source/poppler/0.62.0-2ubuntu2.13

Ubuntu Security Notice USN-5606-1

Academy Learning Management System version 5.7 suffers from a remote shell upload vulnerability.

    # Exploit Title: Academy Learning Management System 5.7 Shell Upload# Exploit Author: th3d1gger# Vendor Homepage: https://codecanyon.net# Software Link: https://codecanyon.net/item/academy-course-based-learning-management-system/22703468# Version: 5.7# Tested on Ubuntu 18.04Totally wrong architecture for uploading zip files on install addon ---Vulnerable Source Code ---$zipped_file_name = $_FILES['addon_zip']['name'];    if (!empty($zipped_file_name)) {      // Create update directory.      $dir = 'uploads/addons';      if (!is_dir($dir))      mkdir($dir, 0777, true);      $path = "uploads/addons/".$zipped_file_name;      if (class_exists('ZipArchive')) {        move_uploaded_file($_FILES['addon_zip']['tmp_name'], $path);        //Unzip uploaded update file and remove zip file.        $zip = new ZipArchive;        $zip->open($path);        $zip->extractTo('uploads/addons');        $zip->close();        unlink($path);      }else{        $this->session->set_flashdata('error_message', get_phrase('your_server_is_unable_to_extract_the_zip_file').'. '.get_phrase('please_enable_the_zip_extension_on_your_server').', '.get_phrase('then_try_again'));        redirect(site_url('admin/addon'), 'refresh');      }---Exploit------get request route "/admin/addon/add" at admin panel.And then for example download "certificate addon" nulled version.in addons config.json file add""" {            "root_directory"    : "uploads/addons/certificate/others/shell.php",            "update_directory"  : "uploads/certificates/shell.php"        },"""add your webshell to others folder in addon.click install addon button.And ta daa !->get request https://your-url/uploads/certificates/shell.php

Tag

#ubuntu