A heap-based buffer overflow vulnerability exists in the CreateDIBfromPict functionality of Accusoft ImageGear 20.1. A specially crafted file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.

CVE-2023-23567: TALOS-2023-1729 || Cisco Talos Intelligence Group

An out-of-bounds write vulnerability exists in the dcm_pixel_data_decode functionality of Accusoft ImageGear 20.1. A specially crafted malformed file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger this vulnerability.

**SUMMARY**

An out-of-bounds write vulnerability exists in the dcm\_pixel\_data\_decode functionality of Accusoft ImageGear 20.1. A specially crafted malformed file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Accusoft ImageGear 20.1

**PRODUCT URLS**

ImageGear - https://www.accusoft.com/products/imagegear-collection/

**CVSSv3 SCORE**

9.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-191 - Integer Underflow (Wrap or Wraparound)

**DETAILS**

The ImageGear library is a document-imaging developer toolkit that offers image conversion, creation, editing, annotation and more. It supports more than 100 formats such as DICOM, PDF, Microsoft Office and others.

Trying to load a malformed Dicom, we end up in the following situation:

    eax=00004000 ebx=00000008 ecx=00000000 edx=00000000 esi=ffffcfdf edi=136b1000
    eip=75059a65 esp=0019fa50 ebp=0019fad0 iopl=0         nv up ei pl zr na pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
    igMED20d!CPb_MED_init+0x169c5:
    75059a65 897cb58c        mov     dword ptr [ebp+esi*4-74h],edi ss:002b:001939d8=????????
    

The crash happens in LINE16 below in a function identified as dcm_pixel_data_decode:

    LINE1  8b45ec             mov     eax, dword [ebp-0x14 {l_value}]
    LINE2  68db100000         push    0x10db {var_88_3}
    LINE3  0fb700             movzx   eax, word [eax]
    LINE4  68a0c40775         push    data_7507c4a0 {var_8c_3}{"..\..\..\..\Common\Components\ME…"}
    LINE5  57                 push    edi {var_90_3}
    LINE6  be0f000000         mov     esi, 0xf
    LINE7  6a00               push    0x0 {ptr_var34}
    LINE8  2bf0               sub     esi, eax
    LINE9  ff15c0130b75       call    dword [AF_memm_alloc]
    LINE10 8bf8               mov     edi, eax
    LINE11 8b45e4             mov     eax, dword [ebp-0x1c {l_buffer_size_1}]
    LINE12 99                 cdq     
    LINE13 2bc2               sub     eax, edx
    LINE14 d1f8               sar     eax, 0x1
    LINE15 33c9               xor     ecx, ecx  {0x0}
    LINE16 897cb58c           mov     dword [ebp+esi*4-0x74 {obj_str_sz_0x40}], edi
    LINE17 85c0               test    eax, eax
    LINE18 7e0e               jle     0x75059a7b
    

The register esi is a very big value, as result of an integer underflow. We can see at LINE6, it was set to a constant 0xf and subtracted by the register eax LINE8.  
There is no check on the value of register eax, causing the very large number. eax gets its value at LINE1, which is under our control into the malformed file.  
At LINE16 we can influence the stack pointer ebp with esi, as that depends on the content of the file, which means we can choose where in the stack to write edi. The value pointed by the register edi is a result of AF_memm_alloc, which is some kind of wrapper of malloc.

By controlling the eax register an attacker can overwrite anywhere in the stack, possibly leading to code execution.

**Crash Information**

    0:000> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Exception Analysis                                   *
    *                                                                             *
    *******************************************************************************
    
    Unable to load image E:\ImageGearFuzzing\bin\igCore20d.dll, Win32 error 0n2
    
    KEY_VALUES_STRING: 1
    
        Key  : AV.Fault
        Value: Write
    
        Key  : Analysis.CPU.mSec
        Value: 375
    
        Key  : Analysis.Elapsed.mSec
        Value: 2704
    
        Key  : Analysis.IO.Other.Mb
        Value: 0
    
        Key  : Analysis.IO.Read.Mb
        Value: 0
    
        Key  : Analysis.IO.Write.Mb
        Value: 0
    
        Key  : Analysis.Init.CPU.mSec
        Value: 4061
    
        Key  : Analysis.Init.Elapsed.mSec
        Value: 65613
    
        Key  : Analysis.Memory.CommitPeak.Mb
        Value: 179
    
        Key  : Failure.Bucket
        Value: INVALID_POINTER_WRITE_AVRF_c0000005_igMED20d.dll!Unknown
    
        Key  : Failure.Hash
        Value: {7bd32a5f-d13c-5070-0693-11be1df9b256}
    
        Key  : Timeline.OS.Boot.DeltaSec
        Value: 440574
    
        Key  : WER.Process.Version
        Value: 1.0.1.1
    
    
    NTGLOBALFLAG:  2100000
    
    APPLICATION_VERIFIER_FLAGS:  0
    
    APPLICATION_VERIFIER_LOADED: 1
    
    EXCEPTION_RECORD:  (.exr -1)
    ExceptionAddress: 75059a65 (igMED20d!CPb_MED_init+0x000169c5)
       ExceptionCode: c0000005 (Access violation)
      ExceptionFlags: 00000000
    NumberParameters: 2
       Parameter[0]: 00000001
       Parameter[1]: 001939d8
    Attempt to write to address 001939d8
    
    FAULTING_THREAD:  00001a78
    
    PROCESS_NAME:  Fuzzme.exe
    
    WRITE_ADDRESS:  001939d8 
    
    ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
    
    EXCEPTION_CODE_STR:  c0000005
    
    EXCEPTION_PARAMETER1:  00000001
    
    EXCEPTION_PARAMETER2:  001939d8
    
    STACK_TEXT:  
    WARNING: Stack unwind information not available. Following frames may be wrong.
    0019fad0 750592f0     0019fc3c 10694fa0 1000001e igMED20d!CPb_MED_init+0x169c5
    0019fb04 750567e0     0019fc3c 10694fa0 1000001e igMED20d!CPb_MED_init+0x16250
    0019fbb4 755a15b9     0019fc3c 10680fb8 00000001 igMED20d!CPb_MED_init+0x13740
    0019fbec 755e08bc     00000000 10680fb8 0019fc3c igCore20d!IG_image_savelist_get+0xb29
    0019fe68 755e0239     00000000 05c26fd0 00000001 igCore20d!IG_mpi_page_set+0x1479c
    0019fe88 75575bc7     00000000 05c26fd0 00000001 igCore20d!IG_mpi_page_set+0x14119
    0019fea8 00402399     05c26fd0 0019febc 75c6fb80 igCore20d!IG_load_file+0x47
    0019fec0 004026c0     05c26fd0 05c28fe0 05b8cf50 Fuzzme!fuzzme+0x19
    0019ff28 00408407     00000005 05b86f78 05b8cf50 Fuzzme!fuzzme+0x340
    0019ff70 75c700c9     002d4000 75c700b0 0019ffdc Fuzzme!fuzzme+0x6087
    0019ff80 77cc7b4e     002d4000 65bf4f61 00000000 KERNEL32!BaseThreadInitThunk+0x19
    0019ffdc 77cc7b1e     ffffffff 77ce8c7f 00000000 ntdll!__RtlUserThreadStart+0x2f
    0019ffec 00000000     0040848f 002d4000 00000000 ntdll!_RtlUserThreadStart+0x1b
    
    
    STACK_COMMAND:  ~0s ; .cxr ; kb
    
    SYMBOL_NAME:  igMED20d+169c5
    
    MODULE_NAME: igMED20d
    
    IMAGE_NAME:  igMED20d.dll
    
    FAILURE_BUCKET_ID:  INVALID_POINTER_WRITE_AVRF_c0000005_igMED20d.dll!Unknown
    
    OSPLATFORM_TYPE:  x86
    
    OSNAME:  Windows 8
    
    IMAGE_VERSION:  20.1.0.117
    
    FAILURE_ID_HASH:  {7bd32a5f-d13c-5070-0693-11be1df9b256}
    
    Followup:     MachineOwner
    ---------
    

**VENDOR RESPONSE**

Release notes from the vendor can be found here:

https://help.accusoft.com/ImageGear/v20.3/Windows/DLL/webframe.html#release-notes.html

https://help.accusoft.com/ImageGear/v20.3/Linux/webframe.html#release-notes.html

**TIMELINE**

2023-07-18 - Vendor Disclosure  
2023-09-20 - Vendor Patch Release  
2023-09-25 - Public Release

Discovered by Emmanuel Tacheau of Cisco Talos.

CVE-2023-32653: TALOS-2023-1802 || Cisco Talos Intelligence Group

Teedy v1.11 has a vulnerability in its text editor that allows events

to be executed in HTML tags that an attacker could manipulate. Thanks

to this, it is possible to execute malicious JavaScript in the webapp.





**teedy.io**

© {{ currentDate | date: 'yyyy' }} {{ 'index.copyright' | translate }}

CVE-2023-4892: {{ $title }}

The FileOrganizer WordPress plugin through 1.0.2 does not restrict functionality on multisite instances, allowing site admins to gain full control over the server.

CVE-2023-3664

The WP Job Portal WordPress plugin before 2.0.6 does not sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users

CVE-2023-4490

Docker Desktop before 4.23.0 allows Access Token theft via a crafted extension icon URL.

This issue affects Docker Desktop: before 4.23.0.



CVE-2023-5166: Docker Desktop release notes

Docker Desktop before 4.12.0 is vulnerable to RCE via a crafted extension description or changelog.

This issue affects Docker Desktop: before 4.12.0.



CVE-2023-0625: Docker Desktop release notes

A flaw was found in vringh_kiov_advance in drivers/vhost/vringh.c in the host side of a virtio ring in the Linux Kernel. This issue may result in a denial of service from guest to host via zero length descriptor.

**Red Hat Product Security Center**

Engage with our Red Hat Product Security team, access security updates, and ensure your environments are not exposed to any known security vulnerabilities.

Product Security Center

CVE-2023-5158: cve-details

A flaw was found in the GNU C Library. A recent fix for CVE-2023-4806 introduced the potential for a memory leak, which may result in an application crash.

'2240541?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2023-5156: Invalid Bug ID

Cross Site Scripting vulnerability in Service Provider Management System v.1.0 allows a remote attacker to execute arbitrary code and obtain sensitive information via the firstname, middlename and lastname parameters in the /php-spms/admin/?page=user endpoint.

**About the Application**

This Service Provider Management System v.1.0 is a sort of Content Management System (CMS) that is built specifically for companies that provide different services. The project is a company website that allows the management to dynamically manage the site information and other data on the front end. This project has 2 modules which are the Public and Management site.

The Management Site is the side of the system where accessible to the company staff or system-registered users only. On this site, users are required to log in with their valid system credentials to gain access to the features and functionalities. Users have 2 different roles which are the Administrator and the Staff. The Administrator users have the privilege to manage and access all the features and functionalities of the said site while the Staff users only have limited permissions. Here, system users can manage the list of services that their company provided. They can also update the dynamic page content of the public website on this side.

**Vulnerability Description**

Cross Site Scripting vulnerability in Service Provider Management System v.1.0 allows a remote attacker to execute arbitrary code and obtain sensitive information via the firstname, middlename and lastname parameters in the /php-spms/admin/?page=user endpoint.

**Vulnerable Code**

**Filename:** /php-spms/admin/user/index.php

**Vulnerable Endpoint:** /php-spms/admin/?page=user

**Vulnerable Parameter:** firstname, middlename, lastname

**Code:**

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32

<form action="" id="manage-user">	
	<input type="hidden" name="id" value="<?php echo $_settings->userdata('id') ?>">
		<div class="form-group">
			<label for="name">First Name</label>
			<input type="text" name="firstname" id="firstname" class="form-control" value="<?php echo isset($meta['firstname']) ? $meta['firstname']: '' ?>" required>
		</div>
		<div class="form-group">
			<label for="name">Middle Name</label>
			<input type="text" name="middlename" id="middlename" class="form-control" value="<?php echo isset($meta['middlename']) ? $meta['middlename']: '' ?>">
		</div>
		<div class="form-group">
			<label for="name">Last Name</label>
			<input type="text" name="lastname" id="lastname" class="form-control" value="<?php echo isset($meta['lastname']) ? $meta['lastname']: '' ?>" required>
		</div>
		<div class="form-group">
			<label for="username">Username</label>
			<input type="text" name="username" id="username" class="form-control" value="<?php echo isset($meta['username']) ? $meta['username']: '' ?>" required  autocomplete="off">
		</div>
		<div class="form-group">
			<label for="password">Password</label>
			<input type="password" name="password" id="password" class="form-control" value="" autocomplete="off"><small><i>Leave this blank if you dont want to change the password.</i></small>
		</div>
		<div class="form-group">
			<label for="" class="control-label">Avatar</label>
			<div class="custom-file">
				<input type="file" class="form-control" id="customFile" name="img" onchange="displayImg(this,$(this))" accept="image/png, image/jpeg">
			</div>
		</div>
		<div class="form-group d-flex justify-content-center">
			<img src="<?php echo validate_image(isset($meta['avatar']) ? $meta['avatar'] :'') ?>" alt="" id="cimg" class="img-fluid img-thumbnail">
		</div>
</form>

When users input their names, such as their firstname, middlename, and lastname, the website neglects the critical step of sanitizing this information to ensure it’s free from potentially harmful characters before storing it in the backend. This oversight creates a security vulnerability known as ‘Stored Cross-Site Scripting’ (Stored XSS), especially concerning these name parameters.

Stored Cross-Site Scripting (XSS) is a type of security vulnerability that occurs in web applications when user input, often in the form of text or other content, is not properly sanitized or validated before being stored on the server and then later displayed to other users. This vulnerability allows attackers to inject malicious scripts, typically in the form of JavaScript code, into the application’s data storage. When other users retrieve and view this data, the injected script code is executed within their browsers, potentially leading to a range of malicious actions.

**Impact of Stored Cross-Site Scripting**

The impacts of Stored Cross-Site Scripting (Stored XSS) are mentioned below:

**Session Hijacking**: Attackers can hijack user sessions, gaining unauthorized access to accounts and allowing them to perform actions on behalf of users or access confidential data.

**Manipulation of Web Pages**: Stored XSS can alter the appearance and functionality of web pages, potentially tricking users into executing unintended actions, clicking on malicious links, or downloading malware.

**Attack Scenario**

*   Go to http://application ip/php-spms/admin/?page=user.

*   Provide payload as "><script>alert("XSS on Firstname"), "><script>alert("XSS on Middlename"), "><script>alert("XSS on Lastname") on parameter such as firstname, middlename and lastname respectively.

_User Details_

*   Click on Update.
    
*   You will observe the popup of each payload we provided.
    

_XSS on Firstname_

_XSS on Middlename_

_XSS on Lastname_

Mitigating stored cross-site scripting (XSS) vulnerabilities is crucial for securing web applications. To prevent stored XSS, follow these best practices:

*   **Whitelist Input**: Only allow specific, safe characters and patterns in user input. Reject any input that doesn’t conform to this whitelist.
    
*   **Data Sanitization**: Filter and clean user input to remove or encode any potentially malicious characters. Use libraries like OWASP’s Java Encoder, PHP’s htmlspecialchars, or equivalent functions in other languages.
    
*   **Sanitization Libraries**: Use security libraries and frameworks that provide built-in XSS prevention mechanisms, such as Ruby on Rails, Django, or AngularJS.
    
*   **Use HTTP-Only Cookies**: Mark cookies as HTTP-only to prevent JavaScript from accessing them, reducing the impact of XSS attacks.
    
*   **Session Management**: Implement secure session management to ensure that session cookies and tokens are properly protected and rotated.
    
*   **Security Headers**: Use security headers like X-XSS-Protection and X-Content-Type-Options to instruct browsers to mitigate certain types of attacks.
    

That’s all in this writeup.

Thanks for reading this far. If you enjoyed the writeup, do support me **here**.

Source

CVE