Buffer Overflow vulnerability in authfile.c memcached 1.6.9 allows attackers to cause a denial of service via crafted authenticattion file.

**Tested On:**

memcached 1.6.9

**PoC:**

a.txt

**./memcached --auth-file=input/a.txt -u root -m 1024 -p 11211**

\==1061115==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000009e at pc 0x7fae5a305f9d bp 0x7ffee16f4fd0 sp 0x7ffee16f4778  
WRITE of size 15 at 0x60200000009e thread T0  
#0 0x7fae5a305f9c (/lib/x86\_64-linux-gnu/libasan.so.5+0x53f9c)  
#1 0x55bca5ccaf23 in fgets /usr/include/x86\_64-linux-gnu/bits/stdio2.h:265  
#2 0x55bca5ccaf23 in authfile\_load /home/constantine/test/memcached/authfile.c:50  
#3 0x55bca5c3ffb5 in main /home/constantine/test/memcached/memcached.c:5639  
#4 0x7fae597010b2 in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x270b2)  
#5 0x55bca5c45d9d in \_start (/home/constantine/test/memcached/memcached+0x26d9d)

0x60200000009e is located 0 bytes to the right of 14-byte region \[0x602000000090,0x60200000009e)  
allocated by thread T0 here:  
#0 0x7fae5a3bfdc6 in calloc (/lib/x86\_64-linux-gnu/libasan.so.5+0x10ddc6)  
#1 0x55bca5ccaedd in authfile\_load /home/constantine/test/memcached/authfile.c:44

SUMMARY: AddressSanitizer: heap-buffer-overflow (/lib/x86\_64-linux-gnu/libasan.so.5+0x53f9c)  
Shadow bytes around the buggy address:  
0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c047fff8000: fa fa 00 04 fa fa 00 00 fa fa 00 00 fa fa 00 00  
\=>0x0c047fff8010: fa fa 00\[06\]fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c047fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
Shadow byte legend (one shadow byte represents 8 application bytes):  
Addressable: 00  
Partially addressable: 01 02 03 04 05 06 07  
Heap left redzone: fa  
Freed heap region: fd  
Stack left redzone: f1  
Stack mid redzone: f2  
Stack right redzone: f3  
Stack after return: f5  
Stack use after scope: f8  
Global redzone: f9  
Global init order: f6  
Poisoned by user: f7  
Container overflow: fc  
Array cookie: ac  
Intra object redzone: bb  
ASan internal: fe  
Left alloca redzone: ca  
Right alloca redzone: cb  
Shadow gap: cc  
\==1061115==ABORTING

CVE-2021-37519: Heap buffer overflow · Issue #805 · memcached/memcached

Buffer Overflow vulnerability in pdfimages in xpdf 4.03 allows attackers to crash the application via crafted command.

CVE-2021-36493: Stack overflow bugs in pdfimages of xpdf 4.03

Buffer Overflow vulnerability in Cesanta mJS 1.26 allows remote attackers to cause a denial of service via crafted .js file to mjs_set_errorf.

**Built:**

Jun 30 2021

**Details:**

heap-based buffer overflow **mjs.c:7617** in **mjs\_set\_errorf**

**Command:**

./mjs -f Heap\_Buffer\_Overflow.js

**Result:**

\==2419050==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604000000178 at pc 0x55555557f3ed bp 0x7fffffffcf40 sp 0x7fffffffcf30  
READ of size 8 at 0x604000000178 thread T0  
#0 0x55555557f3ec in mjs\_set\_errorf /home/constantine/mjs/mjs.c:7617  
#1 0x555555598395 in parse\_literal /home/constantine/mjs/mjs.c:12166  
#2 0x55555559861b in parse\_call\_dot\_mem /home/constantine/mjs/mjs.c:12175  
#3 0x5555555990d3 in parse\_postfix /home/constantine/mjs/mjs.c:12209  
#4 0x55555559932c in parse\_unary /home/constantine/mjs/mjs.c:12228  
#5 0x5555555995d1 in parse\_mul\_div\_rem /home/constantine/mjs/mjs.c:12241  
#6 0x555555599ba8 in parse\_plus\_minus /home/constantine/mjs/mjs.c:12246  
#7 0x55555559a1c1 in parse\_shifts /home/constantine/mjs/mjs.c:12251  
#8 0x55555559a648 in parse\_comparison /home/constantine/mjs/mjs.c:12255  
#9 0x55555559a9bb in parse\_equality /home/constantine/mjs/mjs.c:12259  
#10 0x55555559ae46 in parse\_bitwise\_and /home/constantine/mjs/mjs.c:12264  
#11 0x55555559b3ec in parse\_bitwise\_xor /home/constantine/mjs/mjs.c:12269  
#12 0x55555559b992 in parse\_bitwise\_or /home/constantine/mjs/mjs.c:12274  
#13 0x55555559bf38 in parse\_logical\_and /home/constantine/mjs/mjs.c:12279  
#14 0x55555559c4de in parse\_logical\_or /home/constantine/mjs/mjs.c:12284  
#15 0x7fffffffdc0f (\[stack\]+0x1fc0f)

Address 0x604000000178 is a wild pointer.  
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/constantine/mjs/mjs.c:7617 in mjs\_set\_errorf  
Shadow bytes around the buggy address:  
0x0c087fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c087fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c087fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c087fff8000: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00  
0x0c087fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
\=>0x0c087fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\[fa\]  
0x0c087fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c087fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c087fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c087fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c087fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
Shadow byte legend (one shadow byte represents 8 application bytes):  
Addressable: 00  
Partially addressable: 01 02 03 04 05 06 07  
Heap left redzone: fa  
Freed heap region: fd  
Stack left redzone: f1  
Stack mid redzone: f2  
Stack right redzone: f3  
Stack after return: f5  
Stack use after scope: f8  
Global redzone: f9  
Global init order: f6  
Poisoned by user: f7  
Container overflow: fc  
Array cookie: ac  
Intra object redzone: bb  
ASan internal: fe  
Left alloca redzone: ca  
Right alloca redzone: cb  
Shadow gap: cc  
\==2419050==ABORTING

**PoC:**

Heap\_Buffer\_Overflow.js.tar.gz

CVE-2021-36535: Heap-based Buffer Overflow Vulnerability · Issue #175 · cesanta/mjs

Buffer OverFlow Vulnerability in Barenboim json-parser master and v1.1.0 fixed in v1.1.1 allows an attacker to execute arbitrary code via the json_value_parse function.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2023-23088: heap-buffer-overflow at json_value_parse · Issue #7 · Barenboim/json-parser

Buffer OverFlow Vulnerability in MojoJson v1.2.3 allows an attacker to execute arbitrary code via the SkipString function.

CVE-2023-23086: heap-buffer-overflow in func SkipString · Issue #2 · scottcgi/MojoJson

Buffer Overflow vulnerability in HDFGroup hdf5-h5dump 1.12.0 through 1.13.0 allows attackers to cause a denial of service via h5tools_str_sprint in /hdf5/tools/lib/h5tools_str.c.

CVE-2021-37501: Something_Found/HDF5_v1.13.0_h5dump_heap_overflow.md at main · ST4RF4LL/Something_Found

Ubuntu Security Notice 5841-1 - It was discovered that LibTIFF incorrectly handled certain malformed images. If a user or automated system were tricked into opening a specially crafted image, a remote attacker could crash the application, leading to a denial of service, or possibly execute arbitrary code with user privileges. This issue was only fixed in Ubuntu 14.04 ESM. It was discovered that LibTIFF was incorrectly accessing a data structure when processing data with the tiffcrop tool, which could lead to a heap buffer overflow. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code.

    ==========================================================================Ubuntu Security Notice USN-5841-1February 02, 2023tiff vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 16.04 ESM- Ubuntu 14.04 ESMSummary:Several security issues were fixed in LibTIFF.Software Description:- tiff: Tag Image File Format (TIFF) libraryDetails:It was discovered that LibTIFF incorrectly handled certain malformedimages. If a user or automated system were tricked into opening aspecially crafted image, a remote attacker could crash the application,leading to a denial of service, or possibly execute arbitrary code withuser privileges. This issue was only fixed in Ubuntu 14.04 ESM.(CVE-2019-14973, CVE-2019-17546, CVE-2020-35523, CVE-2020-35524,CVE-2022-3970)It was discovered that LibTIFF was incorrectly acessing a data structurewhen processing data with the tiffcrop tool, which could lead to a heapbuffer overflow. An attacker could possibly use this issue to cause adenial of service or execute arbitrary code. (CVE-2022-48281)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 16.04 ESM:   libtiff-tools                   4.0.6-1ubuntu0.8+esm9   libtiff5                        4.0.6-1ubuntu0.8+esm9Ubuntu 14.04 ESM:   libtiff-tools                   4.0.3-7ubuntu0.11+esm6   libtiff5                        4.0.3-7ubuntu0.11+esm6In general, a standard system update will make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-5841-1   CVE-2019-14973, CVE-2019-17546, CVE-2020-35523, CVE-2020-35524,   CVE-2022-3970, CVE-2022-48281

Ubuntu Security Notice USN-5841-1

sprintf in the GNU C Library (glibc) 2.37 has a buffer overflow (out-of-bounds write) in some situations with a correct buffer size. This is unrelated to CWE-676. It may write beyond the bounds of the destination buffer when attempting to write a padded, thousands-separated string representation of a number, if the buffer is allocated the exact size required to represent that number as a string. For example, 1,234,567 (with padding to 13) overflows by two bytes.

'30068?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2023-25139: Invalid Bug ID

All versions prior to Delta Electronic’s CNCSoft version 1.01.34 (running ScreenEditor versions 1.01.5 and prior) are vulnerable to a stack-based buffer overflow, which could allow an attacker to remotely execute arbitrary code.

CVE-2022-4634

The use of the cyclic redundancy check (CRC) algorithm for integrity check during firmware update makes TRENDnet TV-IP651WI Network Camera firmware version v1.07.01 and earlier vulnerable to firmware modification attacks. An attacker can conduct a man-in-the-middle (MITM) attack to modify the new firmware image and bypass the checksum verification.

*   TWG-431BR VPN ROUTER AND TEW-740APBO V3.XR WIRELESS ACCESS POINT AUTHENTICATED COMMAND INJECTION VULNERABILITY AND KNOWN VULNERABILITIES IN CLI  
    1/26/2023
*   TRENDnet is aware of the command injection vulnerability and known vulnerabilities in CLI with TWG-431BR and TEW-740APBO hardware version 3.xR. To exploit these vulnerabilities, the attacker would need to know the device's management interface login user name and password. When exploited successfully, the attacker can compromise the device.
    
    TRENDnet has released firmware updates to address these vulnerabilities
    

*   TEW-820AP WIRELESS AC EASY-UPGRADER BUFFER OVERFLOW VULNERABILITIES  
    11/2/2022
*   TRENDnet is aware of the possible buffer overflow vulnerabilities involving the TEW-820AP Wireless AC Easy-Upgrader that could allow a malicious cyber attacker to take over the device and gain access to its operating system; however, this product has reached its End of Life (EoL) and End of Support, and TRENDnet is unable to provide support to verify or resolve these vulnerabilities.
    
    TRENDnet recommends customers to retire this product to prevent the risk of devices possibly connecting to it.
    

*   FRAGMENT and FORGE VULNERABILITIES (FRAGATTACKS) AGAINST SOME WI-FI DEVICES  
    8/17/2021
*   TRENDnet is aware of a series of published vulnerabilities known as FragAttacks in IEEE 802.11 standard Wi-Fi devices. The affected products are mainly wireless Access Points and Wireless Routers. To exploit these vulnerabilities, the attacker would need to connect to your Wi-Fi network. When exploited successfully, the attacker can extract data from the network, which can lead to additional exploits of your other network devices.
    
    TRENDnet has released firmware updates to address these vulnerabilities for the following products, please click on the link to go to the corresponding product’s download page.
    

*   TEW-714TRU TRAVEL ROUTER AUTHENTICATION BYPASS, HARD-CODED CREDENTIALS, AND UNRESTRICTED FILE WRITE VULNERABILITIES  
    8/17/2021
*   TRENDnet is aware of the vulnerabilities involving the TEW-714TRU Wireless Travel Router that could allow a malicious cyber attacker to take over the router and gain access to its operating system; however, this product has reached its End of Life (EoL) and End of Support, and TRENDnet is unable to provide support to resolve these vulnerabilities.
    
    TRENDnet recommends customers to retire this product to prevent the risk of devices possibly connecting to it.
    

*   WEB SERVER DIRECTORY TRAVERSAL ARBITRARY FILE ACCESS VULNERABILITY IN WEB SMART SWITCH TEG-30284 HARDWARE VERSION: 1.0R  
    7/22/2021
*   TRENDnet recently received a report stating a possible Web Server Directory Traversal Arbitrary File Access vulnerability in the 28-Port Gigabit Web Smart Switch, model TEG-30284, Hardware Version: 1.0R. An attacker may be able to exploit this issue to access sensitive information to aide in subsequent attacks.

Tag

#buffer_overflow