A heap-based buffer overflow vulnerability exists in the CreateDIBfromPict functionality of Accusoft ImageGear 20.1. A specially crafted file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.

CVE-2023-23567: TALOS-2023-1729 || Cisco Talos Intelligence Group

An out-of-bounds write vulnerability exists in the dcm_pixel_data_decode functionality of Accusoft ImageGear 20.1. A specially crafted malformed file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger this vulnerability.

**SUMMARY**

An out-of-bounds write vulnerability exists in the dcm\_pixel\_data\_decode functionality of Accusoft ImageGear 20.1. A specially crafted malformed file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Accusoft ImageGear 20.1

**PRODUCT URLS**

ImageGear - https://www.accusoft.com/products/imagegear-collection/

**CVSSv3 SCORE**

9.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-191 - Integer Underflow (Wrap or Wraparound)

**DETAILS**

The ImageGear library is a document-imaging developer toolkit that offers image conversion, creation, editing, annotation and more. It supports more than 100 formats such as DICOM, PDF, Microsoft Office and others.

Trying to load a malformed Dicom, we end up in the following situation:

    eax=00004000 ebx=00000008 ecx=00000000 edx=00000000 esi=ffffcfdf edi=136b1000
    eip=75059a65 esp=0019fa50 ebp=0019fad0 iopl=0         nv up ei pl zr na pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
    igMED20d!CPb_MED_init+0x169c5:
    75059a65 897cb58c        mov     dword ptr [ebp+esi*4-74h],edi ss:002b:001939d8=????????
    

The crash happens in LINE16 below in a function identified as dcm_pixel_data_decode:

    LINE1  8b45ec             mov     eax, dword [ebp-0x14 {l_value}]
    LINE2  68db100000         push    0x10db {var_88_3}
    LINE3  0fb700             movzx   eax, word [eax]
    LINE4  68a0c40775         push    data_7507c4a0 {var_8c_3}{"..\..\..\..\Common\Components\ME…"}
    LINE5  57                 push    edi {var_90_3}
    LINE6  be0f000000         mov     esi, 0xf
    LINE7  6a00               push    0x0 {ptr_var34}
    LINE8  2bf0               sub     esi, eax
    LINE9  ff15c0130b75       call    dword [AF_memm_alloc]
    LINE10 8bf8               mov     edi, eax
    LINE11 8b45e4             mov     eax, dword [ebp-0x1c {l_buffer_size_1}]
    LINE12 99                 cdq     
    LINE13 2bc2               sub     eax, edx
    LINE14 d1f8               sar     eax, 0x1
    LINE15 33c9               xor     ecx, ecx  {0x0}
    LINE16 897cb58c           mov     dword [ebp+esi*4-0x74 {obj_str_sz_0x40}], edi
    LINE17 85c0               test    eax, eax
    LINE18 7e0e               jle     0x75059a7b
    

The register esi is a very big value, as result of an integer underflow. We can see at LINE6, it was set to a constant 0xf and subtracted by the register eax LINE8.  
There is no check on the value of register eax, causing the very large number. eax gets its value at LINE1, which is under our control into the malformed file.  
At LINE16 we can influence the stack pointer ebp with esi, as that depends on the content of the file, which means we can choose where in the stack to write edi. The value pointed by the register edi is a result of AF_memm_alloc, which is some kind of wrapper of malloc.

By controlling the eax register an attacker can overwrite anywhere in the stack, possibly leading to code execution.

**Crash Information**

    0:000> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Exception Analysis                                   *
    *                                                                             *
    *******************************************************************************
    
    Unable to load image E:\ImageGearFuzzing\bin\igCore20d.dll, Win32 error 0n2
    
    KEY_VALUES_STRING: 1
    
        Key  : AV.Fault
        Value: Write
    
        Key  : Analysis.CPU.mSec
        Value: 375
    
        Key  : Analysis.Elapsed.mSec
        Value: 2704
    
        Key  : Analysis.IO.Other.Mb
        Value: 0
    
        Key  : Analysis.IO.Read.Mb
        Value: 0
    
        Key  : Analysis.IO.Write.Mb
        Value: 0
    
        Key  : Analysis.Init.CPU.mSec
        Value: 4061
    
        Key  : Analysis.Init.Elapsed.mSec
        Value: 65613
    
        Key  : Analysis.Memory.CommitPeak.Mb
        Value: 179
    
        Key  : Failure.Bucket
        Value: INVALID_POINTER_WRITE_AVRF_c0000005_igMED20d.dll!Unknown
    
        Key  : Failure.Hash
        Value: {7bd32a5f-d13c-5070-0693-11be1df9b256}
    
        Key  : Timeline.OS.Boot.DeltaSec
        Value: 440574
    
        Key  : WER.Process.Version
        Value: 1.0.1.1
    
    
    NTGLOBALFLAG:  2100000
    
    APPLICATION_VERIFIER_FLAGS:  0
    
    APPLICATION_VERIFIER_LOADED: 1
    
    EXCEPTION_RECORD:  (.exr -1)
    ExceptionAddress: 75059a65 (igMED20d!CPb_MED_init+0x000169c5)
       ExceptionCode: c0000005 (Access violation)
      ExceptionFlags: 00000000
    NumberParameters: 2
       Parameter[0]: 00000001
       Parameter[1]: 001939d8
    Attempt to write to address 001939d8
    
    FAULTING_THREAD:  00001a78
    
    PROCESS_NAME:  Fuzzme.exe
    
    WRITE_ADDRESS:  001939d8 
    
    ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
    
    EXCEPTION_CODE_STR:  c0000005
    
    EXCEPTION_PARAMETER1:  00000001
    
    EXCEPTION_PARAMETER2:  001939d8
    
    STACK_TEXT:  
    WARNING: Stack unwind information not available. Following frames may be wrong.
    0019fad0 750592f0     0019fc3c 10694fa0 1000001e igMED20d!CPb_MED_init+0x169c5
    0019fb04 750567e0     0019fc3c 10694fa0 1000001e igMED20d!CPb_MED_init+0x16250
    0019fbb4 755a15b9     0019fc3c 10680fb8 00000001 igMED20d!CPb_MED_init+0x13740
    0019fbec 755e08bc     00000000 10680fb8 0019fc3c igCore20d!IG_image_savelist_get+0xb29
    0019fe68 755e0239     00000000 05c26fd0 00000001 igCore20d!IG_mpi_page_set+0x1479c
    0019fe88 75575bc7     00000000 05c26fd0 00000001 igCore20d!IG_mpi_page_set+0x14119
    0019fea8 00402399     05c26fd0 0019febc 75c6fb80 igCore20d!IG_load_file+0x47
    0019fec0 004026c0     05c26fd0 05c28fe0 05b8cf50 Fuzzme!fuzzme+0x19
    0019ff28 00408407     00000005 05b86f78 05b8cf50 Fuzzme!fuzzme+0x340
    0019ff70 75c700c9     002d4000 75c700b0 0019ffdc Fuzzme!fuzzme+0x6087
    0019ff80 77cc7b4e     002d4000 65bf4f61 00000000 KERNEL32!BaseThreadInitThunk+0x19
    0019ffdc 77cc7b1e     ffffffff 77ce8c7f 00000000 ntdll!__RtlUserThreadStart+0x2f
    0019ffec 00000000     0040848f 002d4000 00000000 ntdll!_RtlUserThreadStart+0x1b
    
    
    STACK_COMMAND:  ~0s ; .cxr ; kb
    
    SYMBOL_NAME:  igMED20d+169c5
    
    MODULE_NAME: igMED20d
    
    IMAGE_NAME:  igMED20d.dll
    
    FAILURE_BUCKET_ID:  INVALID_POINTER_WRITE_AVRF_c0000005_igMED20d.dll!Unknown
    
    OSPLATFORM_TYPE:  x86
    
    OSNAME:  Windows 8
    
    IMAGE_VERSION:  20.1.0.117
    
    FAILURE_ID_HASH:  {7bd32a5f-d13c-5070-0693-11be1df9b256}
    
    Followup:     MachineOwner
    ---------
    

**VENDOR RESPONSE**

Release notes from the vendor can be found here:

https://help.accusoft.com/ImageGear/v20.3/Windows/DLL/webframe.html#release-notes.html

https://help.accusoft.com/ImageGear/v20.3/Linux/webframe.html#release-notes.html

**TIMELINE**

2023-07-18 - Vendor Disclosure  
2023-09-20 - Vendor Patch Release  
2023-09-25 - Public Release

Discovered by Emmanuel Tacheau of Cisco Talos.

CVE-2023-32653: TALOS-2023-1802 || Cisco Talos Intelligence Group

Docker Desktop before 4.23.0 allows Access Token theft via a crafted extension icon URL.

This issue affects Docker Desktop: before 4.23.0.



CVE-2023-5166: Docker Desktop release notes

Docker Desktop before 4.12.0 is vulnerable to RCE via a crafted extension description or changelog.

This issue affects Docker Desktop: before 4.12.0.



CVE-2023-0625: Docker Desktop release notes

A flaw was found in vringh_kiov_advance in drivers/vhost/vringh.c in the host side of a virtio ring in the Linux Kernel. This issue may result in a denial of service from guest to host via zero length descriptor.

**Red Hat Product Security Center**

Engage with our Red Hat Product Security team, access security updates, and ensure your environments are not exposed to any known security vulnerabilities.

Product Security Center

CVE-2023-5158: cve-details

Debian Linux Security Advisory 5504-1 - Several vulnerabilities were discovered in BIND, a DNS server implementation.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5504-1                   security@debian.org  
https://www.debian.org/security/                     Salvatore Bonaccorso  
September 22, 2023                    https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : bind9  
CVE ID         : CVE-2023-3341 CVE-2023-4236  
Debian Bug     : 1052416 1052417

Several vulnerabilities were discovered in BIND, a DNS server  
implementation.

CVE-2023-3341

    A stack exhaustion flaw was discovered in the control channel code  
    which may result in denial of service (named daemon crash).

CVE-2023-4236

    Robert Story discovered that a flaw in the networking code handling  
    DNS-over-TLS queries could cause named to terminate unexpectedly due  
    to an assertion failure, resulting in denial of service when under  
    high DNS-over-TLS query load conditions.

For the oldstable distribution (bullseye), these problems have been fixed  
in version 1:9.16.44-1~deb11u1. The oldstable distribution (bullseye) is  
only affected by CVE-2023-3341.

For the stable distribution (bookworm), these problems have been fixed in  
version 1:9.18.19-1~deb12u1.

We recommend that you upgrade your bind9 packages.

For the detailed security status of bind9 please refer to its security  
tracker page at:  
https://security-tracker.debian.org/tracker/bind9

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmUN9DFfFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2  
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND  
z0Si0hAAjg9Fdxt8ff9UUBfI5B5KhE2hba1+PlJAroM9NHZUzKNNHVb+/0atqxsI  
gJ/6NhFtp2DRWlzHbgFt/lcToOOnzXs7R9RQ3iL3QwXx1vsCq0MGLjR3tsk+hzSC  
vwP02KSo5CcVdyOuHVh7NB9wS+j9ePsBIsEQh+howtIxWZFGd2lE2AxCF0DYU/Gf  
rMjiwt3SWZ+giYJHIehdn8sqdozQhV/WirKYjdXyAWADPIwQoWacHpPU7Du8aT3d  
KeknO34OnaWUVRF7NTxCsYkagTrT40lPaLZuPSeh1dm4U6ODF0Lgv4HOc+rHIaqw  
6a3rkvXtcXvHbzQ+CREWAMN7l50WjpPV1gUwGRj38huF7zI2JAWY8595e8d1J08S  
1i911UzW1diMGLXeV/2Q/8K03LjWMegFJm+4DmUya/lvAW8syxclsIuvl3yHSnXX  
8WSNEQLXjJKB4cX+aB2L/zyYHSbO9+rc19u0c/7/I+n2YuDHXTzsrdlEGDR9p51v  
UqLe7BAN5tUxv0Z+BV0cflFfA5pS1twuKZtjIZztJUSOOQIkmR7Pi8auiV8W+r4V  
pIHyzuq3BC4d5pzaN3H7xNLgqqLn8bk2i8kEp3ApoObtKP6Pozw6NjT3eW0AXaBi  
FYI+LWlEA3c+xONpYx6+G1O26dnNksQ0p1aSl2FSfKBF5rgwVVg=  
=Q0Oq  
-----END PGP SIGNATURE-----

Debian Security Advisory 5504-1

An issue in Gevent Gevent before version 23.9.1 allows a remote attacker to escalate privileges via a crafted script to the WSGIServer component.

*   gevent version: 23.7.0 (pypi)
*   Python version: 3.8.15
*   Operating System: Linux

CVE-2023-41419 has been assigned to this issue. Fixed in 23.9.0.

**Description**

Previously, carefully crafted invalid trailers in chunked requests on keep-alive connections might appear as two requests to gevent.pywsgi. Because this was handled exactly as a normal keep-alive connection with two requests, the WSGI application should handle it normally. However, if you were counting on some upstream server to filter incoming requests based on paths or header fields, and the upstream server simply passed trailers through without validating them, then this embedded second request would bypass those checks. (If the upstream server validated that the trailers meet the HTTP specification, this could not occur, because characters that are required in an HTTP request, like a space, are not allowed in trailers.) (source - docs/changes/1989.bugfix)

**Payload**

POST /path1 HTTP/1.1
Host: a.com
Transfer-Encoding: chunked
Connection: keep-alive

2
a2
0
Header: value
POST /path2?a=:123 HTTP/1.1
Host: a.com
Connection: close

**Credit**

Fixed by @jamadden.  
Reported by Keran Mu (@mukeran) and Jianjun Chen (@chenjj), from Tsinghua University and Zhongguancun Laboratory.

CVE-2023-41419: Vulnerability in gevent.pywsgi.WSGIServer · Issue #1989 · gevent/gevent

MultiBit HD before 0.1.2 allows attackers to conduct bit-flipping attacks that insert unspendable Bitcoin addresses into the list that MultiBit uses to send fees to the developers. (Attackers cannot realistically steal these fees for themselves.) This occurs because there is no message authentication code (MAC).

**Multibit is Deprecated - Do Not Use**

Wednesday, July 26, 2017

Dear Bitcoin Community,

It is time for us to let Multibit go.

KeepKey acquired Multibit a little over 1 year ago. At the time, the engineers who originally built and supported Multibit had announced that they would no longer be working on it or providing support. Multibit played an important role in the Bitcoin infrastructure. We felt that it was important for Multibit to continue and hoped that with our existing support and development teams, we would be able to keep Multibit alive.

The reality is that Multibit is in need of a lot of work. It has stubborn bugs that have caused us and Multibit users much grief. Additionally, Bitcoin has gone through a fundamental change in regards to the way fees work. The addition of SegWit in the coming weeks will mean the Multibit software has fallen still further behind.

Unfortunately, KeepKey simply does not have the resources to support the current issues, nor to rebuild Multibit to ensure ideal user experience. By focusing our attention on the KeepKey device, we will continue building and improving the best hardware wallet available.

Thus, KeepKey will discontinue support and maintenance of Multibit, effective immediately.

We recommend that all Multibit users discontinue using it and you move your keys to other wallet software of your choosing.

**Next Steps for Multibit Users**

Videos that demonstrate how to move your wallet to Electrum are available on YouTube.

*   Multibit HD: https://youtu.be/E-KcY6KUVnY
*   Multibit Classic: https://youtu.be/LaijbTcxsv8

Please note that the version of Electrum available for download today (version 2.8.3) doesn’t fully support the importing Multibit HD wallet words. The version shown in the Multibit HD video is the soon-to-be-released next version.

Multibit was a fantastic piece of software in its time, and we want to thank the Multibit developers for such an important contribution to Bitcoin’s history.

Sincerely,

Ken Heutmaker

CTO, KeepKey

**Introduction**

MultiBit is a Simplified Payment Verification (SPV) Bitcoin desktop client.

MultiBit is now in maintenance mode as it has largely been replaced by MultiBit HD. To avoid confusion we refer to MultiBit Classic and MultiBit HD to keep them separate.

MultiBit Classic relies on the following technologies:

*   Maven as the build system, so the usual Maven processes apply. If you're not familiar with Maven then download it first and follow their installation instructions.
*   ZXing ("Zebra Crossing") for QR codes
*   Bitcoinj for access to the Bitcoin network
*   Install4j for creating installers for Windows, Mac, Linux
*   Bitcoinj Enforcer Rules to prevent dependency chain attacks
*   XChange for access to several Bitcoin exchanges

**The Bitcoinj "Alice" dependency**

MultiBit Classic depends on a special fork of Bitcoinj for its Bitcoin support. This is due to legacy wallet serialization issues and the MultiBit team are working towards a complete integration through the MultiBit HD project.

While it is possible to build MultiBit Classic using our staging repository you may want to review the modified Bitcoinj library for yourself. You can clone from this fork:

    https://code.google.com/r/jimburton618-bitcoinj-coinbase-tx/source/checkout
    

The branch you should use for the MultiBit master code is: bcj-0.11.2-mb-alice The branch you should use for the MultiBit develop code is: bcj-0.11.2-mb-alice

Once cloned, you should then install the custom Bitcoinj library using

**Branching strategy**

This loosely follows the "master-develop" or "Git flow" pattern.

There are 2 main branches: master and develop. The master branch is exclusively for releases, while the develop is exclusively for release candidates. The develop branch always has a Maven version of develop-SNAPSHOT.

Occasionally a feature branch will be made off develop to cover a long-running issue. This will then be merged back into develop

When develop is ready for release it is subjected to extensive testing (manual and automated). The final act is to update the pom.xml to remove the SNAPSHOT suffix and merge it into master.

The master branch is then tagged with the release number. Tags are in the format v1.2.3 to distinguish them from branch names.

An announcement is made on the MultiBit website and social media (Twitter, Reddit, Bitcointalk etc) to alert everyone that a new version is available.

**Maven build targets**

The important targets are:

After some processing, you will have the following artifacts in the target directory:

*   an executable jar: multibit-exe.jar

**Bitcoin Solutions staff**

Use the Install4j installer in the multibit-installers project to create your Mac/ Win/ Linux installers.

To run MultiBit from these artifacts you can follow the instructions provided on the main MultiBit website

**Custom configuration**

MultiBit Classic is quite flexible and has several features only accessible to power users through the configuration file. This is discussed in more detail in configuration.md

**Contributing**

All contributors must be OK with releasing their work under the MIT license.

CVE-2015-6964: GitHub - Multibit-Legacy/multibit: Deprecated Bitcoin Wallet

Categories: Exploits and vulnerabilities
Categories: News
Tags: Apple

Tags:  emergency

Tags:  update

Tags:  CVE-2023-41991

Tags:  CVE-2023-41992

Tags:  CVE-2023-41993

Apple has released patches for three zero-day vulnerabilities that may have been actively exploited.



(Read more...)




The post Emergency update! Apple patches three zero-days appeared first on Malwarebytes Labs.

Apple has released security updates for several products to address a handful of zero-day vulnerabilities that may already have been used by criminals. Updates are available for:

*   iOS 16.7 and iPadOS 16.7
*   iOS 17.0.1 and iPadOS 17.0.1
*   watchOS 9.6.3
*   watchOS 10.0.1
*   macOS Ventura 13.6
*   macOS Monterey 12.7
*   Safari 16.6.1

The updates may already have reached you in your regular update routines, but it doesn't hurt to check if your device is at the latest update level. If a Safari update is available for your device, you can get it by updating your iPhone or iPad or updating your Mac.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVEs patched in these updates are:

*   CVE-2023-41991, a certificate validation issue that could allow a malicious app to bypass signature validation.
*   CVE-2023-41992, a flaw that could be used by a local attacker to elevate their privileges.
*   CVE-2023-41993, a problem with processing web content that could be used for arbitrary code execution.

Apple states says that all these vulnerabilities may have been actively exploited against versions of iOS before iOS 16.7.

It’s important to note that CVE-2023-41993 is a vulnerability in WebKit. WebKit is the engine that powers the Safari web browser on Macs as well as all browsers on iOS and iPadOS (all web browsers on iOS and iPadOS are obliged to use it). It is also the web browser engine used by Mail, App Store, and many other apps on macOS, iOS, and Linux.

All three vulnerabilities were credited to the same researchers—Bill Marczak of The Citizen Lab at The University of Toronto's Munk School, and Maddie Stone of Google's Threat Analysis Group. The Citizen Lab is an interdisciplinary laboratory based at the Munk School of Global Affairs & Public Policy, University of Toronto, focusing on research and development at the intersection of information and communication technologies, human rights, and global security. It is renowned for its research of the use of spyware against journalists, activists, and dissidents.

About two weeks ago, we reported about two Apple issues that were added by CISA to its catalog of known exploited vulnerabilities. Those vulnerabilities were also discovered as zero-days by CitizenLab. Together, these two vulnerabilities were found to be used in an attack chain dubbed BLASTPASS. The exploit chain was capable of compromising iPhones running the latest version of iOS (16.6) without any interaction from the victim and was reportedly used by the NSO Group to deliver the Pegasus spyware.

It is not hard to see how these three new vulnerabilities could be used to compromise a device just by viewing specially crafted malicious web content, so it’s highly recommended to install these updates at your earliest convenience, especially iPhone users with a high profile threat model.

**We don’t just report on iOS security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your iOS devices by downloading Malwarebytes for iOS today.

Emergency update! Apple patches three zero-days

Ftrace-based Linux loadable kernel module rootkit for Linux kernel versions 5.x and 6.x on x86_64. It hides files, hides process, hides a bind shell and reverse shell port, provides privilege escalation, and cleans up logs and bash history during installation.

Tag

#linux