Tenda AC6 v15.03.05.19 is vulnerable to Buffer Overflow as the Index parameter does not verify the length.

CVE-2023-40830

A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges.

The Qualys Threat Research Unit (TRU) has discovered a buffer overflow vulnerability in GNU C Library’s dynamic loader’s processing of the GLIBC\_TUNABLES environment variable. We have successfully identified and exploited this vulnerability (a local privilege escalation that grants full root privileges) on the default installations of Fedora 37 and 38, Ubuntu 22.04 and 23.04, and Debian 12 and 13. It’s likely that other distributions are similarly susceptible, although we’ve noted that Alpine Linux remains an exception due to its use of musl libc instead of glibc. This vulnerability was introduced in April 2021. 

Considering the identified vulnerability in the GNU C Library’s dynamic loader and its potential impact on systems, the Qualys Threat Research Unit advises security teams to prioritize patching this issue.

****About GNU C Library’s dynamic loader****

The GNU C Library, commonly known as glibc, is the C library in the GNU system and in most systems running the Linux kernel. It defines the system calls and other basic functionalities, such as open, malloc, printf, exit, etc., that a typical program requires. The GNU C Library’s dynamic loader is a crucial component of glibc responsible for preparing and running programs. When a program is initiated, this loader first examines the program to determine the shared libraries it requires. It then searches for these libraries, loads them into memory, and links them with the executable at runtime. In the process, the dynamic loader resolves symbol references, such as function and variable references, ensuring that everything is set for the program’s execution. Given its role, the dynamic loader is highly security-sensitive, as its code runs with elevated privileges when a local user launches a set-user-ID or set-group-ID program.

**GLIBC\_TUNABLES Environment Variable:**

The GLIBC\_TUNABLES environment variable was introduced in glibc to offer users the ability to modify the library’s behavior at runtime, eliminating the need to recompile either the application or the library. By setting GLIBC\_TUNABLES, users can adjust various performance and behavior parameters, which are then applied upon application startup.

****Potential Impact of Looney Tunables****

The presence of a buffer overflow vulnerability in the dynamic loader’s handling of the GLIBC\_TUNABLES environment variable poses significant risks to numerous Linux distributions. This environment variable, intended to fine-tune and optimize applications linked with glibc, is an essential tool for developers and system administrators. Its misuse or exploitation broadly affects system performance, reliability, and security.

Our successful exploitation, leading to full root privileges on major distributions like Fedora, Ubuntu, and Debian, highlights this vulnerability’s severity and widespread nature. Although we are withholding our exploit code for now, the ease with which the buffer overflow can be transformed into a data-only attack implies that other research teams could soon produce and release exploits. This could put countless systems at risk, especially given the extensive use of glibc across Linux distributions. While certain distributions like Alpine Linux are exempt due to their use of musl libc instead of glibc, many popular distributions are potentially vulnerable and could be exploited in the near future.

****Disclosure Timeline****

*   2023-09-04: Advisory and exploit sent to secalert@redhat.
*   2023-09-19: Advisory and patch sent to linux-distros@openwall.
*   2023-10-03: Coordinated Release Date (17:00 UTC).

****Technical Details****

You can find the technical details of these vulnerabilities at:  

https://www.qualys.com/2023/10/03/cve-2023-4911/looney-tunables-local-privilege-escalation-glibc-ld-so.txt

****Conclusion****

In conclusion, the recent discovery by the Qualys Threat Research Unit of a buffer overflow in the GNU C Library’s dynamic loader is a pressing concern for many Linux distributions. With the capability to provide full root access on popular platforms like Fedora, Ubuntu, and Debian, it’s imperative for system administrators to act swiftly. While Alpine Linux users can breathe a sigh of relief, others should prioritize patching to ensure system integrity and security.

CVE-2023-4911: Looney Tunables – Local Privilege Escalation in the glibc’s ld.so – Qualys Security Blog

Ubuntu Security Notice 6405-1 - Multiple security issues were discovered in Thunderbird. If a user were tricked into opening a specially crafted website in a browsing context, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information, bypass security restrictions, cross-site tracing, or execute arbitrary code. Andrew McCreight discovered that Thunderbird did not properly manage during the worker lifecycle. An attacker could potentially exploit this issue to cause a denial of service.

    ==========================================================================Ubuntu Security Notice USN-6405-1October 03, 2023thunderbird vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 23.04- Ubuntu 22.04 LTS- Ubuntu 20.04 LTSSummary:Several security issues were fixed in Thunderbird.Software Description:- thunderbird: Mozilla Open Source mail and newsgroup clientDetails:Multiple security issues were discovered in Thunderbird. If a user weretricked into opening a specially crafted website in a browsing context, anattacker could potentially exploit these to cause a denial of service,obtain sensitive information, bypass security restrictions, cross-sitetracing, or execute arbitrary code. (CVE-2023-4057, CVE-2023-4577,CVE-2023-4578, CVE-2023-4583, CVE-2023-4585, CVE-2023-5169, CVE-2023-5171,CVE-2023-5176)Andrew McCreight discovered that Thunderbird did not properly manage duringthe worker lifecycle. An attacker could potentially exploit this issue tocause a denial of service. (CVE-2023-3600)Harveer Singh discovered that Thunderbird did not store push notificationsin private browsing mode in encrypted form. An attacker could potentiallyexploit this issue to obtain sensitive information. (CVE-2023-4580)Clément Lecigne discovered that Thunderbird did not properly manage memorywhen handling VP8 media stream. An attacker-controlled VP8 media streamcould lead to a heap buffer overflow in the content process, resulting in adenial of service, or possibly execute arbitrary code. (CVE-2023-5217)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 23.04:thunderbird 1:115.3.1+build1-0ubuntu0.23.04.1Ubuntu 22.04 LTS:thunderbird 1:115.3.1+build1-0ubuntu0.22.04.2Ubuntu 20.04 LTS:thunderbird 1:115.3.1+build1-0ubuntu0.20.04.1In general, a standard system update will make all the necessary changes.References:https://ubuntu.com/security/notices/USN-6405-1CVE-2023-3600, CVE-2023-4057, CVE-2023-4577, CVE-2023-4578,CVE-2023-4580, CVE-2023-4583, CVE-2023-4585, CVE-2023-5169,CVE-2023-5171, CVE-2023-5176, CVE-2023-5217Package Information:https://launchpad.net/ubuntu/+source/thunderbird/1:115.3.1+build1-0ubuntu0.23.04.1https://launchpad.net/ubuntu/+source/thunderbird/1:115.3.1+build1-0ubuntu0.22.04.2https://launchpad.net/ubuntu/+source/thunderbird/1:115.3.1+build1-0ubuntu0.20.04.1

Ubuntu Security Notice USN-6405-1

Ubuntu Security Notice 6404-1 - Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information across domains, or execute arbitrary code. Ronald Crane discovered that Firefox did not properly manage memory when non-HTTPS Alternate Services is enabled. An attacker could potentially exploit this issue to cause a denial of service.

    ==========================================================================Ubuntu Security Notice USN-6404-1October 03, 2023firefox vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 20.04 LTSSummary:Several security issues were fixed in Firefox.Software Description:- firefox: Mozilla Open Source web browserDetails:Multiple security issues were discovered in Firefox. If a user weretricked into opening a specially crafted website, an attacker couldpotentially exploit these to cause a denial of service, obtain sensitiveinformation across domains, or execute arbitrary code. (CVE-2023-5169,CVE-2023-5170, CVE-2023-5171, CVE-2023-5172, CVE-2023-5175, CVE-2023-5176)Ronald Crane discovered that Firefox did not properly manage memory whennon-HTTPS Alternate Services (network.http.altsvc.oe) is enabled. Anattacker could potentially exploit this issue to cause a denial of service.(CVE-2023-5173)Clément Lecigne discovered that Firefox did not properly manage memory whenhandling VP8 media stream. An attacker-controlled VP8 media stream couldlead to a heap buffer overflow in the content process, resulting in adenial of service, or possibly execute arbitrary code. (CVE-2023-5217)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 20.04 LTS:  firefox                         118.0.1+build1-0ubuntu0.20.04.1After a standard system update you need to restart Firefox to make all thenecessary changes.References:  https://ubuntu.com/security/notices/USN-6404-1  CVE-2023-5169, CVE-2023-5170, CVE-2023-5171, CVE-2023-5172,  CVE-2023-5173, CVE-2023-5175, CVE-2023-5176, CVE-2023-5217Package Information:  https://launchpad.net/ubuntu/+source/firefox/118.0.1+build1-0ubuntu0.20.04.1

Ubuntu Security Notice USN-6404-1

Apple Security Advisory 09-26-2023-2 - macOS Sonoma 14 addresses buffer overflow, bypass, code execution, out of bounds read, resource exhaustion, spoofing, and use-after-free vulnerabilities.

Apple Security Advisory 09-26-2023-2

Buffer Overflow vulnerability in Vorbis-tools v.1.4.2 allows a local attacker to execute arbitrary code and cause a denial of service during the conversion of wav files to ogg files.

WHAT'S HERE:

This source distribution includes the vorbis-tools and nothing else.
The audio codec libraries for use with Ogg bitstreams are contained in
other modules: vorbis, speex and flac.


DIRECTORIES:

debian/		debian packaging stuff
include/	header files shared between the tools
intl/		GNU gettext library from gettext-0.10.40 (for i18n support)
ogg123/		an ogg vorbis command line audio player
oggenc/		the ogg vorbis encoder
oggdec/		a simple, portable command line decoder (to wav and raw)
ogginfo/	provides information (tags, bitrate, length, etc.) about
		an ogg vorbis file
po/		translations for non-English languages
share/		code shared between the tools
vcut/		cuts an ogg vorbis file into two parts at a particular point
vorbiscomment/	edits the comments in an ogg vorbis file
win32/		Win32 build stuff


DEPENDENCIES:

All of the tools require libogg and libvorbis to be installed (along
with the header files).  Additionally, ogg123 requires libao, libcurl,
and a POSIX-compatible thread library.  Ogg123 can optionally compiled
to use libFLAC, and libspeex.  Oggenc can be optionally compiled with
libFLAC, and libkate.  The libraries libogg, libvorbis, and libao are
all available at
  https://xiph.org/vorbis/

The libcurl library is packaged with most Linux distributions.  The
source code can also be downloaded from:
  http://curl.haxx.se/libcurl/

FLAC is available at:
  https://xiph.org/flac/

Speex is available at:
  https://www.speex.org/

libkate is available at:
  http://libkate.googlecode.com/

CONTACT:

The Ogg Vorbis homepage is located at 'https://xiph.org/vorbis/'. Up to
date technical documents, contact information, source code and
pre-built utilities may be found there.

Developer information is available from http://www.xiph.org/. Check
there for bug reporting information, mailing lists and other resources.


BUILDING FROM SUBVERSION (see the file HACKING for details):

./autogen.sh
make 

and as root if desired :

make install

This will install the tools into /usr/local/bin and manpages into
/usr/local/man.


BUILDING FROM TARBALL DISTRIBUTIONS:

./configure
make

and as root if desired :

make install

BUILDING RPMS:

RPMs may be built by:

after autogen.sh or configure

make dist
rpm -ta vorbis-tools-<version>.tar.gz


KNOWN BUGS:

#1321
  First noticed in non-English versions of the application, ogg123 has a major
  bug when it comes to status messages in the shell: any output bigger than
  the console's width will break and start spamming that message infinitely
  until the console is resized.

  Different attempts to fix this bug have ended up causing bigger problems,
  leading to the conclusion that it simply can't be fixed without a large
  re-write of the application, which will not happen any time soon.  If you
  come across this issue, please augment your terminal window size.

CVE-2023-43361: GitHub - xiph/vorbis-tools: Command-line tools for creating and playing Ogg Vorbis files.

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1969.

CVE-2023-5344

Buffer Overflow vulnerability in baramundi software GmbH EMM Agent 23.1.50 and before allows an attacker to cause a denial of service via a crafted request to the password parameter.

CVE-2023-37605

Debian Linux Security Advisory 5510-1 - Clement Lecigne discovered a heap-based buffer overflow in libvpx, a multimedia library for the VP8 and VP9 video codecs, which may result in the execution of arbitrary code if a specially crafted VP8 media stream is processed.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5510-1                   security@debian.orghttps://www.debian.org/security/                     Salvatore BonaccorsoSeptember 29, 2023                    https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : libvpxCVE ID         : CVE-2023-5217Debian Bug     : 1053182Clement Lecigne discovered a heap-based buffer overflow in libvpx, amultimedia library for the VP8 and VP9 video codecs, which may result inthe execution of arbitrary code if a specially crafted VP8 media streamis processed.For the oldstable distribution (bullseye), this problem has been fixedin version 1.9.0-1+deb11u1.For the stable distribution (bookworm), this problem has been fixed inversion 1.12.0-1+deb12u1.We recommend that you upgrade your libvpx packages.For the detailed security status of libvpx please refer to its securitytracker page at:https://security-tracker.debian.org/tracker/libvpxFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmUXPQxfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xNDz0RFDA/9GmZkMOfqEBNeItASvUeQAbPu9w7hh/Ah/Ox9gSFZMvD5QmGTs6Zp8lZYTmOKS2Ls1rgQnfM/c+dm6Le4H9e+EtGYvLI0P6KjIk3T+rA+55os3WoUE99KJsZrj0AZM0jsmaQVuV1MbJIJSGo6a49qRkSIF4eS7/rws8xImu73EgcPQiWep70kF8/idqnYYqFEKJwT3Oxp2h4zYLM8Jqt8ji4caTHle20rcQ1tdOBCcqDWH87aNk1kqhWELe281K7sDVYlpyIGSZRsvHbTusESlvp+92sRIQPRDdpMMkSgACBDcHpfCHiJDofDDn+6Z4zA5XRxHOKlHvYvrg9lDSA1eu9V7oaR2YoBRfIcwd4HxB535FjJRNDGtt+0thJnuv+zjiA2yK/GTBju52q+96qGcXhPrGOZiQeth4SdxVnK3FKc3lB6HbMgs4ZERZNhs7AJ4I7pnyX6d8Zux3kPjejrdvBOFT8L+gNYzYn0tkcKHdpK2Xj0OMKboDLFxw26i8GgNb9RUht6Seb1dk2bnel2fJ+rqgxkltpVuTIFjQ942YtHm/a9xj6FLK3D6CtX1masIZ53uo51k2qWAGJWUqovasIQQHBUeOHgFHw+lHNHNlSsiblu6xc9y4B42vpozR449Q3volOr7t7oWv/pmsqrd48ByYXj7NESzD/bm4uOo9E==NrxQ-----END PGP SIGNATURE-----

Debian Security Advisory 5510-1

Debian Linux Security Advisory 5509-1 - A buffer overflow in VP8 media stream processing has been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5509-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffSeptember 29, 2023                    https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : firefox-esrCVE ID         : CVE-2023-5217A buffer overflow in VP8 media stream processing has been found in theMozilla Firefox web browser, which could potentially result in theexecution of arbitrary code.For the oldstable distribution (bullseye), this problem has been fixedin version 115.3.1esr-1~deb11u1.For the stable distribution (bookworm), this problem will be fixedvia the libvpx source package, Firefox ESR in Bookworm links dynamicallyagainst libvpx.We recommend that you upgrade your firefox-esr packages.For the detailed security status of firefox-esr please refer toits security tracker page at:https://security-tracker.debian.org/tracker/firefox-esrFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmUXDYAACgkQEMKTtsN8TjbJSRAAsv7xfSOoUGua0jPwrm84IUtEhshl1L3KhatogD2HbIIVZzDOBjcpR4oQwXGtLUjJJTnwZPwey9tNQQAzIBtPA+u/0Eow2eeUyqtUSEIqBUImdMH6m8GYqQ+ZuGdyvSa+IvbffJqPf4LzzCIZoxo9qQyz6F6K0xQ6c0kv2CCRYpDQHAgP4/E/VNfdOGhoTYhgRinAjeVY/I91hxfYm4783EMoc7L7vXgjOWxXNiPllmAIddCKlIdtgW02fq0lsqOljRfPYsAbc9xe1aVZlCVi+6nJj/jDxhqENn4XLAVJYdZr6W8hevQLADGuwzrTyACeusDaSHdW64X15TDnY8z5wOP/Vj4T9CpRhkQ396fn1eq+x4HF/iUim4ofpDBtb1xa/jAT+OuejqATdku8XvNzZ4l6KkJ7PuotMHvIXxsduNtesPmPUvFWeprCumojh6SbVhlf8YnM6c0c6spMyp3nKqHS59vDkzhKYbz50eFnNw0/q3OvZHndXZOiEjMxCR2GcElaejC8MAei4NuZm57VM5sfSqAUOCOZ1RJNRwsP6HkohmKNfklryjDjBMNudjRuPjVYX6d3Qoi1krDszjvRa+ui6ZljoKrKQFLg2SDEhbxt9akey/ZBr1lqEYNj6QubPNMlkVHYySVcv+IsEK2yww2S9CmCifLrKbNeOoE9o6I==CrEb-----END PGP SIGNATURE-----

Tag

#buffer_overflow