A privacy issue was addressed by moving sensitive data to a more secure location. This issue is fixed in macOS Ventura 13.3. An app may be able to access user-sensitive data

Released March 27, 2023

**AMD**

Available for: macOS Ventura

Impact: An app may be able to cause unexpected system termination or write kernel memory

Description: A buffer overflow issue was addressed with improved memory handling.

CVE-2023-27968: ABC Research s.r.o.

**Apple Neural Engine**

Available for: macOS Ventura

Impact: An app may be able to break out of its sandbox

Description: This issue was addressed with improved checks.

CVE-2023-23532: Mohamed Ghannam (@\_simo36)

**AppleMobileFileIntegrity**

Available for: macOS Ventura

Impact: A user may gain access to protected parts of the file system

Description: The issue was addressed with improved checks.

CVE-2023-23527: Mickey Jin (@patch1t)

**AppleMobileFileIntegrity**

Available for: macOS Ventura

Impact: An app may be able to access user-sensitive data

Description: This issue was addressed by removing the vulnerable code.

CVE-2023-27931: Mickey Jin (@patch1t)

**Archive Utility**

Available for: macOS Ventura

Impact: An archive may be able to bypass Gatekeeper

Description: The issue was addressed with improved checks.

CVE-2023-27951: Brandon Dalton (@partyD0lphin) of Red Canary and Csaba Fitzl (@theevilbit) of Offensive Security

Entry updated May 1, 2023

**Calendar**

Available for: macOS Ventura

Impact: Importing a maliciously crafted calendar invitation may exfiltrate user information

Description: Multiple validation issues were addressed with improved input sanitization.

CVE-2023-27961: Rıza Sabuncu - twitter.com/rizasabuncu

**Camera**

Available for: macOS Ventura

Impact: A sandboxed app may be able to determine which app is currently using the camera

Description: The issue was addressed with additional restrictions on the observability of app states.

CVE-2023-23543: Yiğit Can YILMAZ (@yilmazcanyigit)

**Carbon Core**

Available for: macOS Ventura

Impact: Processing a maliciously crafted image may result in disclosure of process memory

Description: The issue was addressed with improved checks.

CVE-2023-23534: Mickey Jin (@patch1t)

**ColorSync**

Available for: macOS Ventura

Impact: An app may be able to read arbitrary files

Description: The issue was addressed with improved checks.

CVE-2023-27955: JeongOhKyea

**CommCenter**

Available for: macOS Ventura

Impact: An app may be able to cause unexpected system termination or write kernel memory

Description: An out-of-bounds write issue was addressed with improved input validation.

CVE-2023-27936: Tingting Yin of Tsinghua University

**CoreCapture**

Available for: macOS Ventura

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2023-28181: Tingting Yin of Tsinghua University

**curl**

Available for: macOS Ventura

Impact: Multiple issues in curl

Description: Multiple issues were addressed by updating curl.

CVE-2022-43551

CVE-2022-43552

**dcerpc**

Available for: macOS Ventura

Impact: A remote user may be able to cause unexpected app termination or arbitrary code execution

Description: A memory initialization issue was addressed.

CVE-2023-27934: Aleksandar Nikolic of Cisco Talos

**dcerpc**

Available for: macOS Ventura

Impact: A user in a privileged network position may be able to cause a denial-of-service

Description: A denial-of-service issue was addressed with improved memory handling.

CVE-2023-28180: Aleksandar Nikolic of Cisco Talos

**dcerpc**

Available for: macOS Ventura

Impact: A remote user may be able to cause unexpected app termination or arbitrary code execution

Description: The issue was addressed with improved bounds checks.

CVE-2023-27935: Aleksandar Nikolic of Cisco Talos

**dcerpc**

Available for: macOS Ventura

Impact: A remote user may be able to cause unexpected system termination or corrupt kernel memory

Description: The issue was addressed with improved memory handling.

CVE-2023-27953: Aleksandar Nikolic of Cisco Talos

CVE-2023-27958: Aleksandar Nikolic of Cisco Talos

**Display**

Available for: macOS Ventura

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved state management.

CVE-2023-27965: Proteas of Pangu Lab

**FaceTime**

Available for: macOS Ventura

Impact: An app may be able to access user-sensitive data

Description: A privacy issue was addressed by moving sensitive data to a more secure location.

CVE-2023-28190: Joshua Jones

**Find My**

Available for: macOS Ventura

Impact: An app may be able to read sensitive location information

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2023-23537: an anonymous researcher

**FontParser**

Available for: macOS Ventura

Impact: Processing a maliciously crafted image may result in disclosure of process memory

Description: The issue was addressed with improved memory handling.

CVE-2023-27956: Ye Zhang of Baidu Security

**Foundation**

Available for: macOS Ventura

Impact: Parsing a maliciously crafted plist may lead to an unexpected app termination or arbitrary code execution

Description: An integer overflow was addressed with improved input validation.

CVE-2023-27937: an anonymous researcher

**iCloud**

Available for: macOS Ventura

Impact: A file from an iCloud shared-by-me folder may be able to bypass Gatekeeper

Description: This was addressed with additional checks by Gatekeeper on files downloaded from an iCloud shared-by-me folder.

CVE-2023-23526: Jubaer Alnazi of TRS Group of Companies

**Identity Services**

Available for: macOS Ventura

Impact: An app may be able to access information about a user’s contacts

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2023-27928: Csaba Fitzl (@theevilbit) of Offensive Security

**ImageIO**

Available for: macOS Ventura

Impact: Processing a maliciously crafted image may result in disclosure of process memory

Description: The issue was addressed with improved memory handling.

CVE-2023-23535: ryuzaki

**ImageIO**

Available for: macOS Ventura

Impact: Processing a maliciously crafted image may result in disclosure of process memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2023-27929: Meysam Firouzi (@R00tkitSMM) of Mbition Mercedes-Benz Innovation Lab and jzhu working with Trend Micro Zero Day Initiative

**ImageIO**

Available for: macOS Ventura

Impact: Processing a maliciously crafted file may lead to unexpected app termination or arbitrary code execution

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2023-27946: Mickey Jin (@patch1t)

**ImageIO**

Available for: macOS Ventura

Impact: Processing a maliciously crafted file may lead to unexpected app termination or arbitrary code execution

Description: A buffer overflow issue was addressed with improved memory handling.

CVE-2023-27957: Yiğit Can YILMAZ (@yilmazcanyigit)

**Kernel**

Available for: macOS Ventura

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved bounds checks.

CVE-2023-23536: Félix Poulin-Bélanger

Entry added May 1, 2023

**Kernel**

Available for: macOS Ventura

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A use after free issue was addressed with improved memory management.

CVE-2023-23514: Xinru Chi of Pangu Lab and Ned Williamson of Google Project Zero

CVE-2023-27969: Adam Doupé of ASU SEFCOM

**Kernel**

Available for: macOS Ventura

Impact: An app with root privileges may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2023-27933: sqrtpwn

**Kernel**

Available for: macOS Ventura

Impact: An app may be able to disclose kernel memory

Description: An out-of-bounds read issue existed that led to the disclosure of kernel memory. This was addressed with improved input validation.

CVE-2023-27941: Arsenii Kostromin (0x3c3e)

**Kernel**

Available for: macOS Ventura

Impact: An app may be able to disclose kernel memory

Description: A validation issue was addressed with improved input sanitization.

CVE-2023-28200: Arsenii Kostromin (0x3c3e)

**LaunchServices**

Available for: macOS Ventura

Impact: Files downloaded from the internet may not have the quarantine flag applied

Description: This issue was addressed with improved checks.

CVE-2023-27943: an anonymous researcher, Brandon Dalton, Milan Tenk, and Arthur Valiev

**LaunchServices**

Available for: macOS Ventura

Impact: An app may be able to gain root privileges

Description: This issue was addressed with improved checks.

CVE-2023-23525: Mickey Jin (@patch1t)

**Mail**

Available for: macOS Ventura

Impact: An app may be able to view sensitive information

Description: The issue was addressed with improved checks.

CVE-2023-28189: Mickey Jin (@patch1t)

Entry added May 1, 2023

**Model I/O**

Available for: macOS Ventura

Impact: Processing a maliciously crafted file may lead to unexpected app termination or arbitrary code execution

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2023-27949: Mickey Jin (@patch1t)

**NetworkExtension**

Available for: macOS Ventura

Impact: A user in a privileged network position may be able to spoof a VPN server that is configured with EAP-only authentication on a device

Description: The issue was addressed with improved authentication.

CVE-2023-28182: Zhuowei Zhang

**PackageKit**

Available for: macOS Ventura

Impact: An app may be able to modify protected parts of the file system

Description: A logic issue was addressed with improved checks.

CVE-2023-23538: Mickey Jin (@patch1t)

CVE-2023-27962: Mickey Jin (@patch1t)

**Photos**

Available for: macOS Ventura

Impact: Photos belonging to the Hidden Photos Album could be viewed without authentication through Visual Lookup

Description: A logic issue was addressed with improved restrictions.

CVE-2023-23523: developStorm

**Podcasts**

Available for: macOS Ventura

Impact: An app may be able to access user-sensitive data

Description: The issue was addressed with improved checks.

CVE-2023-27942: Mickey Jin (@patch1t)

**Safari**

Available for: macOS Ventura

Impact: An app may bypass Gatekeeper checks

Description: A race condition was addressed with improved locking.

CVE-2023-27952: Csaba Fitzl (@theevilbit) of Offensive Security

**Sandbox**

Available for: macOS Ventura

Impact: An app may be able to modify protected parts of the file system

Description: A logic issue was addressed with improved checks.

CVE-2023-23533: Mickey Jin (@patch1t), Koh M. Nakagawa of FFRI Security, Inc., and Csaba Fitzl (@theevilbit) of Offensive Security

**Sandbox**

Available for: macOS Ventura

Impact: An app may be able to bypass Privacy preferences

Description: A logic issue was addressed with improved validation.

CVE-2023-28178: Yiğit Can YILMAZ (@yilmazcanyigit)

**SharedFileList**

Available for: macOS Ventura

Impact: An app may be able to break out of its sandbox

Description: The issue was addressed with improved checks.

CVE-2023-27966: an anonymous researcher

Entry added May 1, 2023

**Shortcuts**

Available for: macOS Ventura

Impact: A shortcut may be able to use sensitive data with certain actions without prompting the user

Description: The issue was addressed with additional permissions checks.

CVE-2023-27963: Jubaer Alnazi Jabin of TRS Group Of Companies, and Wenchao Li and Xiaolong Bai of Alibaba Group

**System Settings**

Available for: macOS Ventura

Impact: An app may be able to access user-sensitive data

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2023-23542: an anonymous researcher

**System Settings**

Available for: macOS Ventura

Impact: An app may be able to read sensitive location information

Description: A permissions issue was addressed with improved validation.

CVE-2023-28192: Guilherme Rambo of Best Buddy Apps (rambo.codes)

**TCC**

Available for: macOS Ventura

Impact: An app may be able to access user-sensitive data

Description: This issue was addressed by removing the vulnerable code.

CVE-2023-27931: Mickey Jin (@patch1t)

**Vim**

Available for: macOS Ventura

Impact: Multiple issues in Vim

Description: Multiple issues were addressed by updating to Vim version 9.0.1191.

CVE-2023-0049

CVE-2023-0051

CVE-2023-0054

CVE-2023-0288

CVE-2023-0433

CVE-2023-0512

**WebKit Web Inspector**

Available for: macOS Ventura

Impact: A remote attacker may be able to cause unexpected app termination or arbitrary code execution

Description: This issue was addressed with improved state management.

CVE-2023-28201: Dohyun Lee (@l33d0hyun) and crixer (@pwning\_me) of SSD Labs

Entry added May 1, 2023

**WebKit**

Available for: macOS Ventura

Impact: Processing maliciously crafted web content may bypass Same Origin Policy

Description: This issue was addressed with improved state management.

CVE-2023-27932: an anonymous researcher

**WebKit**

Available for: macOS Ventura

Impact: A website may be able to track sensitive user information

Description: The issue was addressed by removing origin information.

CVE-2023-27954: an anonymous researcher

**XPC**

Available for: macOS Ventura

Impact: An app may be able to break out of its sandbox

Description: This issue was addressed with a new entitlement.

CVE-2023-27944: Mickey Jin (@patch1t)

CVE-2023-28190: About the security content of macOS Ventura 13.3

LockBit maintained its position as the top ransomware attacker and was also observed expanding into the Mac space. 



(Read more...)




The post Ransomware review: May 2023 appeared first on Malwarebytes Labs.

_This article is based on research by Marcelo Rivero, Malwarebytes' ransomware specialist, who monitors information published by ransomware gangs on their Dark Web sites. In this report, "known attacks" are those where the victim didn't pay a ransom. This provides the best overall picture of ransomware activity, but the true number of attacks is far higher._

In April, LockBit maintained its position as the top ransomware attacker and was also observed expanding into the Mac space. Meanwhile, Cl0p, which dramatically expanded its attack operations in March, has gone quiet this month, despite Microsoft observing them exploiting PaperCut vulnerabilities.

LockBit's macOS ransomware is an interesting development in the threat landscape, showing that the group is dipping its toes into the historically ransomware-free Mac environment. The variant, targeting macOS arm64 architecture, first appeared on VirusTotal in November and December 2022 but went unnoticed until late April when it was discovered by MalwareHunterTeam. 

The LockBit macOS samples analyzed by Malwarebytes seem ineffective due to being unsigned, not accounting for TCC/SIP restrictions, and being riddled with bugs, like buffer overflows, causing premature termination when executed on macOS.

“The LockBit encryptor doesn’t look particularly viable in its current form, but I’m definitely going to be keeping an eye on it,” says Thomas Reed, director of Mac and mobile platforms at Malwarebytes. “The viability may improve in the future. Or it may not, if their tests aren’t promising.”

Keep an eye out, because LockBit's work in developing a macOS ransomware variant—plagued though it may currently be—could signal a trend toward more Mac-targeting ransomware in the future.

Known ransomware attacks by gang, April 2023

Known ransomware attacks by country, April 2023

Known ransomware attacks by industry sector, April 2023

**Cl0p** ransomware, which gained prominence in March by exploiting a zero-day vulnerability in GoAnywhere MFT, went comparatively silent with just four attacks in April. Nevertheless, the gang was seen last month exploiting vulnerabilities in PaperCut servers to steal corporate data. 

PaperCut is a popular printing management software which was targeted by both Cl0p and LockBit in April using two gnarly vulnerabilities: one allowing remote code execution (CVE-2023-27350) and the other enabling information disclosure (CVE-2023-27351). Once gaining initial access, Cl0p members sneakily deploy the TrueBot malware and a Cobalt Strike beacon to creep through the network, grabbing data along the way. 

Cl0p clearly has a history of exploiting platforms like Accellion FTA and GoAnywhere MFT, and now they've set their sights on PaperCut. So, if you're using PaperCut MF or NG, upgrade pronto and patch these two vulnerabilities!

**Vice Society**, notorious for targeting the education sector, has recently advanced their operations by adopting a sneaky PowerShell script for automated data theft. Discovered by Palo Alto Networks Unit 42, the new data exfiltration tool cleverly employs "living off the land" (LOTL) techniques to avoid detection. For instance, the script employs system-native cmdlets to search and exfiltrate data, minimizing its footprint and maintaining a low profile.

Separately, the **Play** ransomware group has whipped up two fancy .NET tools, Grixba and VSS Copying Tool, to make their cyberattacks more effective.

Grixba checks for antivirus programs, EDR suites, backup tools to help them plan the next steps of the attack. VSS Copying Tool, meanwhile, tiptoes around the Windows Volume Shadow Copy Service (VSS) to steal files from system snapshots and backup copies. Both tools were cooked up with the Costura .NET development tool for easy deployment on their victims' systems.

As Vice Society, Play, and other ransomware groups increasingly adopt advanced LOTL methods and sophisticated tools like Grixba, the capacity to proactively identify both malicious tools and the malicious use of legitimate tools within a network will undoubtedly become the deciding factor in an organization's defense strategy moving forward.

As for other trends, the USA still tops the charts as the most affected country, with the services industry getting the brunt of the attacks, as both have been the case all year. The **education sector** has its highest number of attackers (21) since January. Meanwhile, the **healthcare sector** saw a huge surge in attacks (37) in April, the highest it's been all year.

**New players****Akira**

Akira is a fresh ransomware hitting enterprises globally since March 2023, having already published in April the data of nine companies across different sectors like education, finance, and manufacturing. When executed, the ransomware deletes Windows Shadow Volume Copies, encrypts files with specific extensions, and appends the .akira extension to the encrypted files.

Like most ransomware gangs these days, the Akira gang steals corporate data before encrypting files for the purposes of double-extortion. So far, the leaked info published on their leak site—which looks retro and lets you navigate with typed commands—ranges from 5.9 GB to a whopping 259 GB.

Akira demands ransoms from $200,000 to millions of dollars, and it seems they are willing to lower ransom demands for companies that only want to prevent the leaking of stolen data without needing a decryptor.

**CrossLock**

CrossLock is a new ransomware strain using the Go programming language, which makes it more difficult to reverse engineer and boosts its compatibility across platforms. 

The ransomware employs tactics to avoid analysis, such as looking for the WINE environment (to determine if their ransomware is being executed within an analysis or sandbox environment) and tweaking Event Tracing for Windows (ETW) functions (to disrupt the flow of information that security tools and analysts rely on to identify suspicious behavior).

In April, the CrossLock Ransomware Group said they targeted Valid Certificadora, a Brazilian IT & ITES company.

**Trigona**

Trigona ransomware emerged in October 2022 and has targeted various sectors worldwide, including six in April. Operators use tools like NetScan, Splashtop, and Mimikatz to gain access, perform reconnaissance, and gather sensitive information from target systems. They also employ batch scripts to create new user accounts, disable security features, and cover their tracks. 

**Dunghill Leak**

Dunghill Leak is a new ransomware that evolved from the Dark Angels ransomware, which itself came from Babuk ransomware. In April it published the data of two companies, including Incredible Technologies, an American developer and manufacturer of coin-operated video games. The Dunghill Leak gang claims they have access to 500 GB of the company's data, including game files and tax payment reports. Researchers think Dunghill Leak is just a rebranded Dark Angels.

**Money Message**

Money Message is a new ransomware which targets both Windows and Linux systems. In April, criminals used Money Message to hit at least 10 victims, mostly in the US and from various industries. The gang also targeted some big-time companies worth billions of dollars, such as Taiwanese PC parts maker MSI (Micro-Star International).

Money Message uses advanced encryption techniques and leaves a ransom note called "money\_message.log." 

Our Ransomware Emergency Kit contains the information you need to defend against ransomware-as-a-service (RaaS) gangs.

**How to avoid ransomware**

*   **Block common forms of entry.** Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
*   **Prevent intrusions.** Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
*   **Detect intrusions.** Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
*   **Stop malicious encryption.** Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
*   **Create offsite, offline backups.** Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
*   **Don’t get attacked twice.** Once you've isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Ransomware review: May 2023

Advantech EKI-1524, EKI-1522, EKI-1521 devices through 1.21 are affected by a Stack-based Buffer Overflow vulnerability, which can be triggered by authenticated users via a crafted POST request.

**Visit the European website**

To get information relevant for your region, we recommend visiting our European website instead.

  

**Privacy and Cookie Information:**  
This website uses cookies for tracking visitor behavior, for linking to social media icons and displaying videos. More information on how we deal with your privacy, please check our Privacy & Cookies statement.  
Please remember that if you do choose to disable cookies, you may find that certain sections of our website do not work properly.

CVE-2023-2575: Page Not Found - Advantech

A buffer overflow in the component /proc/ftxxxx-debug of FiiO M6 Build Number v1.0.4 allows attackers to escalate privileges to root.

CVE-2023-30257: Rooting the FiiO M6 - Part 2 - Writing an LPE Exploit For Our Overflow Bug

There is an integer overflow in Shannon Baseband leading to a heap buffer overflow when reassembling IPv4 fragments. According to the debug strings, this corresponding functionality is implemented in SmdtIp4Rx::ProcessFragments function and its callees.

Shannon Baseband Integer Overflow

illumos illumos-gate before 676abcb has a stack buffer overflow in /dev/net, leading to privilege escalation via a stat on a long file name in /dev/net.

**illumos-gate**

This is the core illumos source tree.

**Building**

The illumos build must be run on an illumos-based operating system. See the Building illumos section of our documentation for detailed instructions.

**Contributing**

Code changes must be reviewed and tested. If you'd like to submit a change for inclusion in the project, please see the Contributing to illumos guide in our documentation.

**Community**

The illumos community is small but active. We welcome everybody who would like to use the software and participate in the community -- whether you've decades of experience in systems software, or you're just getting started; whether you work for a company that uses illumos, or you just find it personally interesting.

Our Community guide includes details about our Mailing Lists and IRC channels.

**Code of Conduct**

Participation in our community spaces, and in the project in general, are covered by our Code of Conduct. By participating in the project you agree to abide by its terms.

**License**

Most of the existing code is licensed under the CDDL and we expect new code will generally be under this license as well. Modifications of existing code may not alter the original license terms. Integrations of code from upstream sources that use another open source license are permissible, subject to approval of the advocates.

CVE-2023-31284: GitHub - illumos/illumos-gate at 16b76d3cb933ff92018a2a75594449010192eacb

In NanoMQ v0.15.0-0, Heap overflow occurs in read_byte function of mqtt_code.c.

**Describe the bug**  
Heap overflow occurred in read\_byte function of mqtt\_code.c Confirmed with address sanitizer

    =================================================================
    ==104134==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60f000010b2f at pc 0x55e80f3d0747 bp 0x7f98a11f28b0 sp 0x7f98a11f28a0
    READ of size 1 at 0x60f000010b2f thread T13
        #0 0x55e80f3d0746 in read_byte /home/lab/Desktop/broker/nanomq3/nanomq/nng/src/supplemental/mqtt/mqtt_codec.c:2712
        #1 0x55e80f3d68f1 in decode_buf_properties /home/lab/Desktop/broker/nanomq3/nanomq/nng/src/supplemental/mqtt/mqtt_codec.c:3754
        #2 0x55e80f398540 in conn_handler /home/lab/Desktop/broker/nanomq3/nanomq/nng/src/sp/protocol/mqtt/mqtt_parser.c:616
        #3 0x55e80f47ca51 in tcptran_pipe_nego_cb /home/lab/Desktop/broker/nanomq3/nanomq/nng/src/sp/transport/mqtt/broker_tcp.c:349
        #4 0x55e80f37ba2f in nni_taskq_thread /home/lab/Desktop/broker/nanomq3/nanomq/nng/src/core/taskq.c:50
        #5 0x55e80f37cde7 in nni_thr_wrap /home/lab/Desktop/broker/nanomq3/nanomq/nng/src/core/thread.c:94
        #6 0x55e80f385f9c in nni_plat_thr_main /home/lab/Desktop/broker/nanomq3/nanomq/nng/src/platform/posix/posix_thread.c:266
        #7 0x7f98aaac8b42 in start_thread nptl/pthread_create.c:442
        #8 0x7f98aab5a9ff  (/lib/x86_64-linux-gnu/libc.so.6+0x1269ff)
    
    0x60f000010b2f is located 0 bytes to the right of 175-byte region [0x60f000010a80,0x60f000010b2f)
    allocated by thread T13 here:
        #0 0x7f98aad34867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
        #1 0x55e80f381604 in nni_alloc /home/lab/Desktop/broker/nanomq3/nanomq/nng/src/platform/posix/posix_alloc.c:20
        #2 0x55e80f35076b in nng_alloc /home/lab/Desktop/broker/nanomq3/nanomq/nng/src/nng.c:60
        #3 0x55e80f47c765 in tcptran_pipe_nego_cb /home/lab/Desktop/broker/nanomq3/nanomq/nng/src/sp/transport/mqtt/broker_tcp.c:331
        #4 0x55e80f37ba2f in nni_taskq_thread /home/lab/Desktop/broker/nanomq3/nanomq/nng/src/core/taskq.c:50
        #5 0x55e80f37cde7 in nni_thr_wrap /home/lab/Desktop/broker/nanomq3/nanomq/nng/src/core/thread.c:94
        #6 0x55e80f385f9c in nni_plat_thr_main /home/lab/Desktop/broker/nanomq3/nanomq/nng/src/platform/posix/posix_thread.c:266
        #7 0x7f98aaac8b42 in start_thread nptl/pthread_create.c:442
    
    Thread T13 created by T0 here:
        #0 0x7f98aacd8685 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:216
        #1 0x55e80f3860cc in nni_plat_thr_init /home/lab/Desktop/broker/nanomq3/nanomq/nng/src/platform/posix/posix_thread.c:279
        #2 0x55e80f37d093 in nni_thr_init /home/lab/Desktop/broker/nanomq3/nanomq/nng/src/core/thread.c:121
        #3 0x55e80f37bd51 in nni_taskq_init /home/lab/Desktop/broker/nanomq3/nanomq/nng/src/core/taskq.c:95
        #4 0x55e80f37cab1 in nni_taskq_sys_init /home/lab/Desktop/broker/nanomq3/nanomq/nng/src/core/taskq.c:294
        #5 0x55e80f366a57 in nni_init_helper /home/lab/Desktop/broker/nanomq3/nanomq/nng/src/core/init.c:35
        #6 0x55e80f386471 in nni_plat_init /home/lab/Desktop/broker/nanomq3/nanomq/nng/src/platform/posix/posix_thread.c:422
        #7 0x55e80f366ad8 in nni_init /home/lab/Desktop/broker/nanomq3/nanomq/nng/src/core/init.c:58
        #8 0x55e80f3aa85c in nni_proto_mqtt_open /home/lab/Desktop/broker/nanomq3/nanomq/nng/src/sp/protocol.c:37
        #9 0x55e80f3a6c00 in nng_nmq_tcp0_open /home/lab/Desktop/broker/nanomq3/nanomq/nng/src/sp/protocol/mqtt/nmq_mqtt.c:1258
        #10 0x55e80f34b744 in broker /home/lab/Desktop/broker/nanomq3/nanomq/nanomq/apps/broker.c:865
        #11 0x55e80f34fc72 in broker_start /home/lab/Desktop/broker/nanomq3/nanomq/nanomq/apps/broker.c:1592
        #12 0x55e80f31a3bf in main /home/lab/Desktop/broker/nanomq3/nanomq/nanomq/nanomq.c:142
        #13 0x7f98aaa5dd8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/lab/Desktop/broker/nanomq3/nanomq/nng/src/supplemental/mqtt/mqtt_codec.c:2712 in read_byte
    Shadow bytes around the buggy address:
      0x0c1e7fffa110: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c1e7fffa120: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
      0x0c1e7fffa130: fa fa fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c1e7fffa140: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
      0x0c1e7fffa150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c1e7fffa160: 00 00 00 00 00[07]fa fa fa fa fa fa fa fa fa fa
      0x0c1e7fffa170: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1e7fffa180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1e7fffa190: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1e7fffa1a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1e7fffa1b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==104134==ABORTING
    

import time 
import socket

def check\_input(input, sleep\_time \= 0.01):
	s \= socket.socket(socket.AF\_INET, socket.SOCK\_STREAM)
	while True:
		try:
			s.connect(('127.0.0.1', 1883))
			s.send(input)      
			s.close()
			break
		except ConnectionResetError:
			continue
		except ConnectionRefusedError:
			break

	time.sleep(sleep\_time)

def check\_crash\_log(crash\_log):
	for c in reversed(crash\_log):
		c\_bytes \= bytearray.fromhex(c)
		status \= check\_input(c\_bytes, 0.25)
		if status \== False:
			print('\[+\] A crash was detected')
			return c\_bytes
	print('\[-\] No crash..')
	exit(\-1)

with open('target-1675832337.790905.txt', 'r') as f:
	crash\_log \= f.readlines()

check\_crash\_log(crash\_log)

CVE-2023-29994: [Bug] Heap-based Buffer Overflow in `mqtt_code.c`(`read_byte`) · Issue #1042 · emqx/nanomq

In NanoMQ v0.15.0-0, a Heap overflow occurs in copyn_utf8_str function of mqtt_parser.c

\==88333==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 168 byte(s) in 1 object(s) allocated from:  
#0 0x7fb518c98a37 in \_\_interceptor\_calloc ../../../../src/libsanitizer/asan/asan\_malloc\_linux.cpp:154  
#1 0x564ecf7d6fb5 in nni\_zalloc /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/platform/posix/posix\_alloc.c:26  
#2 0x564ecf7c0f6b in nni\_msg\_alloc /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/core/message.c:387  
#3 0x564ecfb348d4 in tcptran\_pipe\_recv\_cb /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/sp/transport/mqtt/broker\_tcp.c:766  
#4 0x564ecf7d13af in nni\_taskq\_thread /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/core/taskq.c:50  
#5 0x564ecf7d2767 in nni\_thr\_wrap /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/core/thread.c:94  
#6 0x564ecf7db91c in nni\_plat\_thr\_main /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/platform/posix/posix\_thread.c:266  
#7 0x7fb518570b42 in start\_thread nptl/pthread\_create.c:442

Direct leak of 168 byte(s) in 1 object(s) allocated from:  
#0 0x7fb518c98a37 in \_\_interceptor\_calloc ../../../../src/libsanitizer/asan/asan\_malloc\_linux.cpp:154  
#1 0x564ecf7d6fb5 in nni\_zalloc /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/platform/posix/posix\_alloc.c:26  
#2 0x564ecf7c0f6b in nni\_msg\_alloc /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/core/message.c:387  
#3 0x564ecf80390a in nano\_pipe\_start /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/sp/protocol/mqtt/nmq\_mqtt.c:616  
#4 0x564ecf7cdc88 in nni\_listener\_add\_pipe /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/core/socket.c:1601  
#5 0x564ecf7be3c1 in listener\_accept\_cb /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/core/listener.c:357  
#6 0x564ecf7d13af in nni\_taskq\_thread /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/core/taskq.c:50  
#7 0x564ecf7d2767 in nni\_thr\_wrap /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/core/thread.c:94  
#8 0x564ecf7db91c in nni\_plat\_thr\_main /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/platform/posix/posix\_thread.c:266  
#9 0x7fb518570b42 in start\_thread nptl/pthread\_create.c:442

Direct leak of 168 byte(s) in 1 object(s) allocated from:  
#0 0x7fb518c98a37 in \_\_interceptor\_calloc ../../../../src/libsanitizer/asan/asan\_malloc\_linux.cpp:154  
#1 0x564ecf7d6fb5 in nni\_zalloc /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/platform/posix/posix\_alloc.c:26  
#2 0x564ecf7c0f6b in nni\_msg\_alloc /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/core/message.c:387  
#3 0x564ecfb33fa4 in tcptran\_pipe\_recv\_cb /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/sp/transport/mqtt/broker\_tcp.c:670  
#4 0x564ecf7d13af in nni\_taskq\_thread /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/core/taskq.c:50  
#5 0x564ecf7d2767 in nni\_thr\_wrap /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/core/thread.c:94  
#6 0x564ecf7db91c in nni\_plat\_thr\_main /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/platform/posix/posix\_thread.c:266  
#7 0x7fb518570b42 in start\_thread nptl/pthread\_create.c:442

Indirect leak of 66 byte(s) in 1 object(s) allocated from:  
#0 0x7fb518c98a37 in \_\_interceptor\_calloc ../../../../src/libsanitizer/asan/asan\_malloc\_linux.cpp:154  
#1 0x564ecf7d6fb5 in nni\_zalloc /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/platform/posix/posix\_alloc.c:26  
#2 0x564ecf7bfd46 in nni\_chunk\_grow /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/core/message.c:158  
#3 0x564ecf7c0fbb in nni\_msg\_alloc /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/core/message.c:397  
#4 0x564ecfb33fa4 in tcptran\_pipe\_recv\_cb /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/sp/transport/mqtt/broker\_tcp.c:670  
#5 0x564ecf7d13af in nni\_taskq\_thread /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/core/taskq.c:50  
#6 0x564ecf7d2767 in nni\_thr\_wrap /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/core/thread.c:94  
#7 0x564ecf7db91c in nni\_plat\_thr\_main /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/platform/posix/posix\_thread.c:266  
#8 0x7fb518570b42 in start\_thread nptl/pthread\_create.c:442

Indirect leak of 64 byte(s) in 1 object(s) allocated from:  
#0 0x7fb518c98a37 in \_\_interceptor\_calloc ../../../../src/libsanitizer/asan/asan\_malloc\_linux.cpp:154  
#1 0x564ecf7d6fb5 in nni\_zalloc /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/platform/posix/posix\_alloc.c:26  
#2 0x564ecf7bfd46 in nni\_chunk\_grow /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/core/message.c:158  
#3 0x564ecf7c0fbb in nni\_msg\_alloc /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/core/message.c:397  
#4 0x564ecfb348d4 in tcptran\_pipe\_recv\_cb /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/sp/transport/mqtt/broker\_tcp.c:766  
#5 0x564ecf7d13af in nni\_taskq\_thread /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/core/taskq.c:50  
#6 0x564ecf7d2767 in nni\_thr\_wrap /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/core/thread.c:94  
#7 0x564ecf7db91c in nni\_plat\_thr\_main /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/platform/posix/posix\_thread.c:266  
#8 0x7fb518570b42 in start\_thread nptl/pthread\_create.c:442

Indirect leak of 64 byte(s) in 1 object(s) allocated from:  
#0 0x7fb518c98a37 in \_\_interceptor\_calloc ../../../../src/libsanitizer/asan/asan\_malloc\_linux.cpp:154  
#1 0x564ecf7d6fb5 in nni\_zalloc /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/platform/posix/posix\_alloc.c:26  
#2 0x564ecf7bfd46 in nni\_chunk\_grow /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/core/message.c:158  
#3 0x564ecf7c0fbb in nni\_msg\_alloc /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/core/message.c:397  
#4 0x564ecf80390a in nano\_pipe\_start /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/sp/protocol/mqtt/nmq\_mqtt.c:616  
#5 0x564ecf7cdc88 in nni\_listener\_add\_pipe /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/core/socket.c:1601  
#6 0x564ecf7be3c1 in listener\_accept\_cb /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/core/listener.c:357  
#7 0x564ecf7d13af in nni\_taskq\_thread /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/core/taskq.c:50  
#8 0x564ecf7d2767 in nni\_thr\_wrap /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/core/thread.c:94  
#9 0x564ecf7db91c in nni\_plat\_thr\_main /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/platform/posix/posix\_thread.c:266  
#10 0x7fb518570b42 in start\_thread nptl/pthread\_create.c:442

SUMMARY: AddressSanitizer: 698 byte(s) leaked in 6 allocation(s).

CVE-2023-29995: [Bug] Heap-based Buffer Overflow in `mqtt_parser.c` - `copyn_utf8_str()` · Issue #1043 · emqx/nanomq

Gentoo Linux Security Advisory 202305-20 - A buffer overflow vulnerability has been discovered in libapreq2 which could result in denial of service. Versions less than 2.17 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202305-20  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Low  
    Title: libapreq2: Buffer Overflow  
     Date: May 03, 2023  
     Bugs: #866536  
       ID: 202305-20

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A buffer overflow vulnerability has been discovered in libapreq2 which  
could result in denial of service.

Background  
==========

libapreq is a shared library with associated modules for manipulating  
client request data via the Apache API.

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  www-apache/libapreq2       < 2.17                        >= 2.17

Description  
===========

TODO

Impact  
======

An attacker could submit a crafted multipart form to trigger the buffer  
overflow and cause a denial of service.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All libapreq2 users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-apache/libapreq2-2.17"

References  
==========

[ 1 ] CVE-2022-22728  
      https://nvd.nist.gov/vuln/detail/CVE-2022-22728

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202305-20

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202305-20

An issue was discovered in bgpd in FRRouting (FRR) through 8.4. By crafting a BGP OPEN message with an option of type 0xff (Extended Length from RFC 9072), attackers may cause a denial of service (assertion failure and daemon restart, or out-of-bounds read). This is possible because of inconsistent boundary checks that do not account for reading 3 bytes (instead of 2) in this 0xff case.

Tag

#buffer_overflow