Red Hat Security Advisory 2024-6027-03 - An update for git is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_6027.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: git security updateAdvisory ID:        RHSA-2024:6027-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:6027Issue date:         2024-08-29Revision:           03CVE Names:          CVE-2024-32002====================================================================Summary: An update for git is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work on and contribute to projects without the need to have permission to push the changes to their official repositories, but also makes it possible for the user to work with no network connection.Security Fix(es):* git: Recursive clones RCE (CVE-2024-32002)* git: RCE while cloning local repos (CVE-2024-32004)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-32002References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2280421https://bugzilla.redhat.com/show_bug.cgi?id=2280428

Red Hat Security Advisory 2024-6027-03

Red Hat Security Advisory 2024-6020-03 - An update for the postgresql:15 module is now available for Red Hat Enterprise Linux 9.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_6020.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: postgresql:15 security updateAdvisory ID:        RHSA-2024:6020-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:6020Issue date:         2024-08-29Revision:           03CVE Names:          CVE-2024-4317====================================================================Summary: An update for the postgresql:15 module is now available for Red Hat EnterpriseLinux 9.Red Hat Product Security has rated this update as having a security impact ofImportant. A Common Vulnerability Scoring System (CVSS) base score, which givesa detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.Description:PostgreSQL is an advanced object-relational database management system (DBMS).Security Fix(es):* postgresql: PostgreSQL relation replacement during pg_dump executes arbitrary SQL (CVE-2024-7348)* postgresql: PostgreSQL pg_stats_ext and pg_stats_ext_exprs lack authorization checks (CVE-2024-4317)For more details about the security issue(s), including the impact, a CVSSscore, acknowledgments, and other related information, refer to the CVE page(s)listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-4317References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2279935

Red Hat Security Advisory 2024-6020-03

Red Hat Security Advisory 2024-6018-03 - An update for the postgresql:13 module is now available for ed Hat Enterprise Linux 8.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_6018.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: postgresql:13 security updateAdvisory ID:        RHSA-2024:6018-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:6018Issue date:         2024-08-29Revision:           03CVE Names:          CVE-2024-7348====================================================================Summary: An update for the postgresql:13 module is now available for ed Hat EnterpriseLinux 8.Red Hat Product Security has rated this update as having a security impact ofImportant. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:PostgreSQL is an advanced object-relational database management system (DBMS).Security Fix(es):* postgresql: PostgreSQL relation replacement during pg_dump executes arbitrary SQL (CVE-2024-7348)For more details about the security issue(s), including the impact, a CVSSscore, acknowledgments, and other related information, refer to the CVE page(s)listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-7348References:https://access.redhat.com/security/updates/classification/#important

Red Hat Security Advisory 2024-6018-03

Red Hat Security Advisory 2024-6001-03 - An update for the postgresql:15 module is now available for Red Hat Enterprise Linux 8.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_6001.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: postgresql:15 security updateAdvisory ID:        RHSA-2024:6001-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:6001Issue date:         2024-08-29Revision:           03CVE Names:          CVE-2024-4317====================================================================Summary: An update for the postgresql:15 module is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:PostgreSQL is an advanced object-relational database management system (DBMS).Security Fix(es):* postgresql: PostgreSQL relation replacement during pg_dump executes arbitrary SQL (CVE-2024-7348)* postgresql: PostgreSQL pg_stats_ext and pg_stats_ext_exprs lack authorization checks (CVE-2024-4317)For more details about the security issue(s), including the impact, a CVSSscore, acknowledgments, and other related information, refer to the CVE page(s)listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-4317References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2279935

Red Hat Security Advisory 2024-6001-03

Online Appointment System version 1.0 suffers from an ignored default credential vulnerability.

**Online Appointment System 1.0 Insecure Settings**

Posted Aug 29, 2024

Authored by indoushka

Online Appointment System version 1.0 suffers from an ignored default credential vulnerability.

tags | exploit

SHA-256 | d5e851d5d33d2e7f80f5f84bed4e54f5abf704b307cd6b2d6284ec6e7d940a3c

Download | Favorite | View

**Online Appointment System 1.0 Insecure Settings**

    ====================================================================================================================================| # Title     : Online Appointment System v1.0 Insecure Settings Vulnerability                                                     || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : https://www.sourcecodester.com/php/14502/online-appointment-system-php-full-source-code-2020.html                  |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin & pass = admin123[+] https://www/127.0.0.1/yorubanwitness000webhostappcom/admin/Greetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,590)
*   Arbitrary (16,908)
*   BBS (2,859)
*   Bypass (1,880)
*   CGI (1,034)
*   Code Execution (7,844)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,413)
*   DoS (25,127)
*   Encryption (2,389)
*   Exploit (53,324)
*   File Inclusion (4,266)
*   File Upload (1,001)
*   Firewall (822)
*   Info Disclosure (2,893)
*   Intrusion Detection (916)
*   Java (3,144)
*   JavaScript (899)
*   Kernel (7,244)
*   Local (14,809)
*   Magazine (587)
*   Overflow (13,180)
*   Perl (1,435)
*   PHP (5,228)
*   Proof of Concept (2,397)
*   Protocol (3,733)
*   Python (1,649)
*   Remote (31,707)
*   Root (3,639)
*   Rootkit (529)
*   Ruby (632)
*   Scanner (1,657)
*   Security Tool (8,033)
*   Shell (3,282)
*   Shellcode (1,217)
*   Sniffer (903)
*   Spoof (2,279)
*   SQL Injection (16,630)
*   TCP (2,444)
*   Trojan (690)
*   UDP (904)
*   Virus (670)
*   Vulnerability (33,027)
*   Web (9,974)
*   Whitepaper (3,782)
*   x86 (967)
*   XSS (18,270)
*   Other

**File Archives**

*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,099)
*   BSD (377)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,110)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,567)
*   HPUX (880)
*   iOS (378)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,941)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,657)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,783)
*   UNIX (9,443)
*   UnixWare (187)
*   Windows (6,679)
*   Other

Online Appointment System 1.0 Insecure Settings

Multi-Vendor Online Groceries Management System version 1.0 suffers from an ignored default credential vulnerability.

**Multi-Vendor Online Groceries Management System 1.0 Insecure Settings**

Posted Aug 29, 2024

Authored by indoushka

Multi-Vendor Online Groceries Management System version 1.0 suffers from an ignored default credential vulnerability.

tags | exploit

SHA-256 | cd8e33861bcd681954a3b899d067996fd35799bcecc9ac6f0764304867a5ecb8

Download | Favorite | View

**Multi-Vendor Online Groceries Management System 1.0 Insecure Settings**

    =============================================================================================================================================| # Title     : Multi-Vendor Online Groceries Management System v1.0 Insecure Settings Vulnerability                                        || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/php/15166/multi-vendor-online-groceries-management-system-phpoop-free-source-code.html       |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin & pass = admin123[+] https://www/127.0.0.1/yorubanwitness000webhostappcom/admin/Greetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,590)
*   Arbitrary (16,908)
*   BBS (2,859)
*   Bypass (1,880)
*   CGI (1,034)
*   Code Execution (7,844)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,413)
*   DoS (25,127)
*   Encryption (2,389)
*   Exploit (53,324)
*   File Inclusion (4,266)
*   File Upload (1,001)
*   Firewall (822)
*   Info Disclosure (2,893)
*   Intrusion Detection (916)
*   Java (3,144)
*   JavaScript (899)
*   Kernel (7,244)
*   Local (14,809)
*   Magazine (587)
*   Overflow (13,180)
*   Perl (1,435)
*   PHP (5,228)
*   Proof of Concept (2,397)
*   Protocol (3,733)
*   Python (1,649)
*   Remote (31,707)
*   Root (3,639)
*   Rootkit (529)
*   Ruby (632)
*   Scanner (1,657)
*   Security Tool (8,033)
*   Shell (3,282)
*   Shellcode (1,217)
*   Sniffer (903)
*   Spoof (2,279)
*   SQL Injection (16,630)
*   TCP (2,444)
*   Trojan (690)
*   UDP (904)
*   Virus (670)
*   Vulnerability (33,027)
*   Web (9,974)
*   Whitepaper (3,782)
*   x86 (967)
*   XSS (18,270)
*   Other

**File Archives**

*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,099)
*   BSD (377)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,110)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,567)
*   HPUX (880)
*   iOS (378)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,941)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,657)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,783)
*   UNIX (9,443)
*   UnixWare (187)
*   Windows (6,679)
*   Other

Multi-Vendor Online Groceries Management System 1.0 Insecure Settings

Red Hat Security Advisory 2024-6000-03 - An update for the postgresql:12 module is now available for Red Hat Enterprise Linux 8.10.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_6000.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: postgresql:12 security updateAdvisory ID:        RHSA-2024:6000-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:6000Issue date:         2024-08-29Revision:           03CVE Names:          CVE-2024-7348====================================================================Summary: An update for the postgresql:12 module is now available for Red Hat EnterpriseLinux 8.10.Red Hat Product Security has rated this update as having a security impact ofImportant. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:PostgreSQL is an advanced object-relational database management system (DBMS).Security Fix(es):* postgresql: PostgreSQL relation replacement during pg_dump executes arbitrary SQL (CVE-2024-7348)For more details about the security issue(s), including the impact, a CVSSscore, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-7348References:https://access.redhat.com/security/updates/classification/#important

Red Hat Security Advisory 2024-6000-03

Red Hat Security Advisory 2024-5999-03 - An update for the postgresql is now available for Red Hat Enterprise Linux 9.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_5999.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: postgresql security updateAdvisory ID:        RHSA-2024:5999-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:5999Issue date:         2024-08-29Revision:           03CVE Names:          CVE-2024-7348====================================================================Summary: An update for the postgresql is now available for Red Hat EnterpriseLinux 9.Red Hat Product Security has rated this update as having a security impact ofImportant. A Common Vulnerability Scoring System (CVSS) base score, which givesa detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.Description:PostgreSQL is an advanced object-relational database management system (DBMS).Security Fix(es):* postgresql: PostgreSQL relation replacement during pg_dump executes arbitrary SQL (CVE-2024-7348)For more details about the security issue(s), including the impact, a CVSSscore, acknowledgments, and other related information, refer to the CVE page(s)listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-7348References:https://access.redhat.com/security/updates/classification/#important

Red Hat Security Advisory 2024-5999-03

Red Hat Security Advisory 2024-5982-03 - An update for linux-firmware is now available for Red Hat Enterprise Linux 7.7 Advanced Update Support. Issues addressed include a bypass vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_5982.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: linux-firmware security updateAdvisory ID:        RHSA-2024:5982-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:5982Issue date:         2024-08-29Revision:           03CVE Names:          CVE-2023-31315====================================================================Summary: An update for linux-firmware is now available for Red Hat Enterprise Linux 7.7 Advanced Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The linux-firmware packages contain all of the firmware files that are required by various devices to operate.Security Fix(es):* hw: amd: SMM Lock Bypass (AMD-SB-7014,CVE-2023-31315)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-31315References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2279283

Red Hat Security Advisory 2024-5982-03

This time, I’ll discuss why this approach is more challenging than simply substituting a socket file descriptor with a typical file descriptor.

Wednesday, August 28, 2024 12:00

So far in this series, I’ve developed a fuzzer for the µC/HTTP-server. As described in the previous post, this fuzzer reads from a file to enable compatibility with AFL++. That implementation only fuzzes a single request at a time. Although that single request fuzzer uncovered a few security vulnerabilities, there are complex and interesting object interactions and internal state transitions that occur when multiple requests are received in a single session. 

I wanted to be able to fuzz those interactions and transitions by providing a single test case file containing multiple requests. So, this time, I’ll discuss why this approach is more challenging than simply substituting a socket file descriptor with a typical file descriptor, and I’ll describe the feature I added to the open-source library libdesock to support multiple requests.

**Reading from a socket vs. reading from a file**

It’s a bit confusing thinking about solving this problem because socket communication is two-way communication with a request-response pattern, while reading from a file occurs one way. In a networking client/server model, the client will typically make a request of the server, and the server will respond before the client sends another request. 

The µC/HTTP-server works in a single thread so it completely processes and responds to the first request before ever reading from the socket descriptor for a second time. 

Our goal is to simulate multiple requests from the client using a single test case file. But what happens if we include two requests within the same test case file? The server code will read the available data from the file until it reaches EOF or fills the buffer.

For instance, suppose a test case file contains two complete HTTP requests. The buffer size of the µC/HTTP-server is 1,460 bytes and the length of our two requests combined are only 841 bytes. This means the entire test case fits within the buffer and is read into memory at once. The µC/HTTP-server will process the first HTTP request and then discard the remaining data in the buffer. Then, when the server code reads from the test case file again, it will have reached EOF while only actually processing the first request. 

To address this, we need a way to instruct the server to stop reading the file after processing the first request. This can be achieved by using a delimiter in the test case file. The delimiter should be a unique value that is unlikely to appear anywhere else in the request.

**libdesock **

To implement this strategy of using a delimiter to indicate where one request ends and another begins, I added a feature to an existing library called libdesock. The purpose of this library is to de-socket a network application to enable fuzzing. This is because fuzzers typically provide their test inputs via stdin while network applications expect their inputs from network connections. Typically, a network server application will call the libc functions socket, listen, accept and then read/recv. 

Libdesock operates by leveraging the Linux dynamic linker feature, LD_PRELOAD. When the LD_PRELOAD environment variable is set to the path of a shared object file, it instructs the dynamic linker to load that shared object before all others. As a result, when the dynamic linker searches for a symbol being called in the executable, it will first look in the shared object specified by the LD_PRELOAD environment variable. Normally, the symbols for the functions socket, listen, accept and read/recv are found within libc.so and executed from there. However, when LD_PRELOAD is set to libdesock.so, those symbols are found within the libdesock library and executed there instead. This allows libdesock to alter the behavior of those calls. By intercepting these calls, libdesock cleverly redirects recv/read to stdin rather than a network socket.

**Multiple request feature**

Originally, the libdesock code would read up to the size of the buffer used from stdin. This leads to the same issue as mentioned above when attempting to read multiple requests from an input file (stdin in this case): 

> “For instance, suppose a test case file contains two complete HTTP requests. The buffer size of the µC/HTTP-server is 1460 bytes and the length of our two requests combined are only 841 bytes. This means the entire test case fits within the buffer and is read into memory at once. The µC/HTTP-server will process the first HTTP request and then discard the remaining data in the buffer. Then, when the server code reads from the test case file again it will have reached EOF while only actually processing the first request.” 

To address this, I added a feature to the libdesock read code to look for a request delimiter while reading. If the delimiter is found, it returns all the data read before encountering the delimiter. On the next call to read, it will begin reading after the delimiter and search for another delimiter. This approach works for fuzzing multiple requests in most networked applications because these applications typically run a processing loop where read/recv is called, the data is processed, and then read/recv is called again. This loop continues until the connection is closed. As mentioned in the first blog post, it was necessary to modify the executable for fuzzing so that it would exit when read returns 0. This is crucial for fuzzing, as it indicates the executable has finished processing the test case and has exited normally. If you’d like to see the code, you can check out libdesock here.

**Vulnerability highlight**

This version of the µC/HTTP-server fuzzer, which supports multiple requests per test case, uncovered two additional vulnerabilities. In both instances, a vulnerability in the processing of the first request is exploited by the second request.

When disclosing these vulnerabilities, I discovered that much of the µC/HTTP-server codebase is shared across multiple products. The other affected products are the Silicon Labs Gecko Platform and Weston Embedded Cesium NET. All the vulnerabilities discussed here have been reported to the manufacturers in accordance with our Coordinated Disclosure Policy. Each of these vulnerabilities in the affected products has been patched by the corresponding manufacturer.

The following Snort rules will detect exploitation attempts against these vulnerabilities: 119:203:1 and 119:282:1. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Cisco Secure Firewall or Snort.org.

Below is an overview of each vulnerability.

**TALOS-2023-1726**

When processing the protocol version portion of an HTTP request, an integer underflow occurs, which leads to an extremely large value within the connection object’s buffer length p_conn->RxBufLenRem. In the next iteration of the processing loop, that large value is used as an argument when calling receive. This means that the next request wouldn’t be limited by the max buffer size (1,460 bytes), and an attacker could overflow the receive buffer directly with the second request. 

**TALOS-2023-1732**

In this vulnerability, a buffer overflow of one byte occurs when handling the header fields in an HTTP request. This one-byte overflow is significant because the µC/HTTP-server heap implementation stores a pointer to a free chunk of memory in the first four bytes of an allocation. This means that the one byte overwrite can modify the free chunk address which will be used as an allocation sometime in the future. Abusing this vulnerability required four requests. The first two were innocuous and caused specific heap allocations to occur (a technique known as “heap grooming”). The one-byte overwrite is triggered by the third request, while the fourth request leads to an improper allocation in the heap.

Both vulnerabilities involved modifications to global objects between requests. These types of interactions can be difficult to understand with static code analysis because it is not always obvious the order that functions will be called under specific circumstances. There are more of these types of complex vulnerabilities out there that could be revealed with multi-request fuzzing and I hope that using this file delimiter technique will lead to more of them being found and fixed. 

In Part 3, I write a TAP device driver to fuzz the µCOS TCP/IP implementation.

Tag

#linux