Red Hat Security Advisory 2023-1179-01 - Red Hat OpenShift Serverless Client kn 1.27.1 provides a CLI to interact with Red Hat OpenShift Serverless 1.27.1. The kn CLI is delivered as an RPM package for installation on RHEL platforms, and as binaries for non-Linux platforms. This release includes security and bug fixes, and enhancements.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: Release of OpenShift Serverless Client kn 1.27.1  
Advisory ID:       RHSA-2023:1179-01  
Product:           RHOSS  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1179  
Issue date:        2023-03-09  
CVE Names:         CVE-2022-41717  
====================================================================  
1. Summary:

Release of OpenShift Serverless 1.27.1  
The References section contains CVE links providing detailed severity  
ratings  
for each vulnerability. Ratings are based on a Common Vulnerability Scoring  
System (CVSS) base score.

2. Relevant releases/architectures:

Openshift Serverless 1 on RHEL 8Base - ppc64le, s390x, x86_64

3. Description:

Red Hat OpenShift Serverless Client kn 1.27.1 provides a CLI to interact  
with Red Hat OpenShift Serverless 1.27.1. The kn CLI is delivered as an RPM  
package for installation on RHEL platforms, and as binaries for non-Linux  
platforms.

This release includes security and bug fixes, and enhancements.

Security Fixes in this release include:

- - golang: net/http: An attacker can cause excessive memory growth in a Go  
server accepting HTTP/2 requests(CVE-2022-41717)

For more details about the security issues, including the impact; a CVSS  
score; acknowledgments; and other related information refer to the CVE  
pages linked in the References section.

4. Solution:

See the Red Hat OpenShift Container Platform 4.8 documentation at:  
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.8/html/serverless/index  
See the Red Hat OpenShift Container Platform 4.9 documentation at:  
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.9/html/serverless/index  
See the Red Hat OpenShift Container Platform 4.10 documentation at:  
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.10/html/serverless/index  
See the Red Hat OpenShift Container Platform 4.11 documentation at:  
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.11/html/serverless/index  
See the Red Hat OpenShift Container Platform 4.12 documentation at:  
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.12/html/serverless/index

5. Bugs fixed (https://bugzilla.redhat.com/):

2161274 - CVE-2022-41717 golang: net/http: An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests

6. Package List:

Openshift Serverless 1 on RHEL 8Base:

Source:  
openshift-serverless-clients-1.6.1-2.el8.src.rpm

ppc64le:  
openshift-serverless-clients-1.6.1-2.el8.ppc64le.rpm

s390x:  
openshift-serverless-clients-1.6.1-2.el8.s390x.rpm

x86_64:  
openshift-serverless-clients-1.6.1-2.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-41717  
https://access.redhat.com/security/updates/classification/#moderate  
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.9/html/serverless/index  
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.10/html/serverless/index  
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.11/html/serverless/index  
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.12/html/serverless/index

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZApNXtzjgjWX9erEAQiPzw/9Gbco/43S6fsbOzj07PB/sHGgN3bIGSP4  
RH0CtriGf38oXVLNVxC7x+N448qZJWhBP3j3WTX3t6IHkI7IuMlV495js+bsiOxZ  
ueCzk+tJyhHLGZNoI36XxZotOMIW2UChJzRkmvLmMlQs7ZwiORdGVZwv7KxihWlC  
jvK1r059qfRitggGgLUxDnrGvcPo4oCseM0KesI6yQG6pPnk8DMwIZc2mL4fYpzS  
wJ/JnaAfpgSpLy17WB8qghvzW1dDNlr386t53n77H32j3wpMndI9uKX8leZXv2iA  
EqHyBtF5zo4y1Rc7JTO0sG9AwYoks/1BKUHqi00kjZBSj3DY9yU1aJLzeyKwpKFt  
YNzlYMF7tfzkANJ3VVCLOHgWImK9+kSSIlQG54y1swi/ttsSOOD5m2f9hA2nGFzp  
4BB++293FSKMVASmkzHOlYbOq4N/1Mw9qCQaRKiRVN6XHmz3gs6BuoqzRl95SjW+  
4J/QCo6K8s0/5Fbyx0pqkFiZ1IwlQahspZsIZU/wjYi/cZSSo5PNJqBhhqk1qdi1  
T7VB1JU6h46jswceN/9mqtah37xcLlomihwmzF4owApxDeFpnPBP7P+4atzWXBSi  
kbTWsXjCi4PsJdRPrHGcW/jZHSBUFHbQB+JbtZXgQ3hOww0xorsttwXrk+tp5Kw7  
fBdPcm6EH0M=dtaN  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-1179-01

Debian Linux Security Advisory 5371-1 - Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5371-1                   security@debian.org  
https://www.debian.org/security/                       Moritz Muehlenhoff  
March 09, 2023                        https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : chromium  
CVE ID         : CVE-2023-1213 CVE-2023-1214 CVE-2023-1215 CVE-2023-1216  
                 CVE-2023-1217 CVE-2023-1218 CVE-2023-1219 CVE-2023-1220  
                 CVE-2023-1221 CVE-2023-1222 CVE-2023-1223 CVE-2023-1224  
                 CVE-2023-1225 CVE-2023-1226 CVE-2023-1227 CVE-2023-1228  
                 CVE-2023-1229 CVE-2023-1230 CVE-2023-1231 CVE-2023-1232  
                 CVE-2023-1233 CVE-2023-1234 CVE-2023-1235 CVE-2023-1236

Multiple security issues were discovered in Chromium, which could result  
in the execution of arbitrary code, denial of service or information  
disclosure.

For the stable distribution (bullseye), these problems have been fixed in  
version 111.0.5563.64-1~deb11u1.

We recommend that you upgrade your chromium packages.

For the detailed security status of chromium please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/chromium

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmQKMPAACgkQEMKTtsN8  
TjYhlg/8CfPNklE4eO+wy0otR3hUK3XNeXJqOKSUFybRmZ9223lANRVwBHHTudqh  
1Xi/PxnSDVHNH2hqVQZQwnIiTVPXedT8fgS50eoR0RfJjDSy79rL+oLNXbqb8F3/  
jY07r1McfUUIjVzg8H/jSVN0fKQG0z53RSx9eX8jITb4r4N1Wy8DQ0XzVGFTxzuR  
ao3e7kM/TW8Z/hsHSrLTJiMnqha15GGn9d8IOK5ecqEgWNIOeeDM0WQGoITuIgYq  
GqEufHOhgEDbaty6kMzYWPqeVFq/7jkTwBiMTSi6Grjwb+2KroMJPQhg5jkfslpL  
bXAom3Sr3lArp88cNR0g8p41G7MjbP1fq5STUxT056zKFGO+cySaxhn4ryMfcPFx  
dKqXSHxDSpPjLz1qFTPZovU+x0O6HIazoa4MupAhIxlLvkcdYC2/35DrCr6098HR  
X+v8psjeczukkBBzA8eIQGH07f2jWwXxSlLoNr4ClePnsk6YLvZTg0ua/snF/x5i  
NmDs2tQkhHKCkLzsu1L0uyImBuiIihBNLasNUpIinjf4iLOtSrl+vsSzOipvIwaW  
FL5LYoOPao4n+zBGjOQwUceQ9SJsB1hljk8YUfvgbotzwup5YCqRF6FwAXvlR9kh  
Eo/izaErx3FvokrfaifufKAeOrSn+AP9LsHrm2fkuCBNXqz3Z1c=gwSp  
-----END PGP SIGNATURE-----

Debian Security Advisory 5371-1

A coordinated international law enforcement exercise has taken down the online infrastructure associated with a cross-platform remote access trojan (RAT) known as NetWire.
Coinciding with the seizure of the sales website www.worldwiredlabs[.]com, a Croatian national who is suspected to be the website's administrator has been arrested. While the suspect's name was not released, investigative

Cyber Crime / Cyber Threat

A coordinated international law enforcement exercise has taken down the online infrastructure associated with a cross-platform remote access trojan (RAT) known as **NetWire**.

Coinciding with the seizure of the sales website www.worldwiredlabs\[.\]com, a Croatian national who is suspected to be the website's administrator has been arrested. While the suspect's name was not released, investigative journalist Brian Krebs identified Mario Zanko as the owner of the domain.

"NetWire is a licensed commodity RAT offered in underground forums to non-technical users to carry out their own criminal activities," Europol's European Cybercrime Center (EC3) said in a tweet.

Advertised since at least 2012, the malware is typically distributed via malspam campaigns and gives a remote attacker complete control over a Windows, macOS, or Linux system. It also comes with password-stealing and keylogging capabilities.

The U.S. Department of Justice (DoJ) said an investigation into the malware operation was launched by the Federal Bureau of Investigation (FBI) in 2020, with the agency creating an account on the site and paying for a subscription to create a custom NetWire RAT instance.

WEBINAR

Discover the Hidden Dangers of Third-Party SaaS Apps

Are you aware of the risks associated with third-party app access to your company's SaaS apps? Join our webinar to learn about the types of permissions being granted and how to minimize risk.

RESERVE YOUR SEAT

NetWire, over the past year, has been used by multiple threat actors, including TA2541 and OPERA1ER, to break into targets of interest and harvest sensitive information. According to Avast, it also emerged as one of the most prevalent RATs during Q4 2022.

"By removing the Netwire RAT, the FBI has impacted the criminal cyber ecosystem," Donald Alway, the assistant director in charge of the FBI's Los Angeles field office, said in a statement.

"The global partnership that led to the arrest in Croatia also removed a popular tool used to hijack computers in order to perpetuate global fraud, data breaches and network intrusions by threat groups and cyber criminals."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

International Law Enforcement Takes Down Infamous NetWire Cross-Platform RAT

The kernel subsystem function check_permission_for_set_tokenid within OpenHarmony-v3.1.5 and prior versions has an UAF vulnerability which local attackers can exploit this vulnerability to escalate the privilege to root.

**Security Vulnerabilities in Feburary 2023**

_published Feburary 3,2023_  
_updated Feburary 3,2023_

Vulnerability ID

related Vulnerability

Vulnerability Description

Vulnerability Impact

CVSS3.1 Base Score

affected versions

affected projects

fix link

reference

OpenHarmony-SA-2023-0201

CVE-2023-0083

The ArkUI framework subsystem doesn't check the input parameter,causing type confusion and invalid memory access.

Local attackers can exploit this vulnerability to send malicious data, causing the current application to crash.

4.0

OpenHarmony-v3.1-Release through OpenHarmony-v3.1.5-Release  
OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.7-LTS

arkui\_ace\_engine

3.1.x  
3.0.x

Reported by researchers

OpenHarmony-SA-2023-0202

CVE-2023-22301

The kernel subsystem hmdfs has a arbitrary memory accessing vulnerability.

Network attackers can launch a remote attack to obtain kernel memory data of the target system.

6.5

OpenHarmony-v3.1-Release through OpenHarmony-v3.1.5-Release

kernel\_linux\_5.10

3.1.x

Reported by researchers

OpenHarmony-SA-2023-0203

CVE-2023-22436

The kernel subsystem function check\_permission\_for\_set\_tokenid has an UAF vulnerability.

Local attackers can exploit this vulnerability to escalate the privilege to root.

7.8

OpenHarmony-v3.1-Release through OpenHarmony-v3.1.5-Release

kernel\_linux\_5.10

3.1.x

Reported by researchers

**The following table lists the third-party library vulnerabilities with only the CVE, severity, and affected OpenHarmony versions provided. For more details, see the security bulletins released by third-parties.**

CVE

severity

affected OpenHarmony versions

fix link

CVE-2022-2347

High

OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release  
OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.7-LTS

3.1.x  
3.0.x

CVE-2022-4135

Critical

OpenHarmony-v3.1-Release through OpenHarmony-v3.1.5-Release

3.1.x

CVE-2022-4186

Medium

OpenHarmony-v3.1-Release through OpenHarmony-v3.1.5-Release

3.1.x

CVE-2022-4438

High

OpenHarmony-v3.1-Release through OpenHarmony-v3.1.5-Release

3.1.x

CVE-2022-4437

High

OpenHarmony-v3.1-Release through OpenHarmony-v3.1.5-Release

3.1.x

CVE-2022-4436

High

OpenHarmony-v3.1-Release through OpenHarmony-v3.1.5-Release

3.1.x

CVE-2022-41218

Medium

OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release  
OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.7-LTS

3.1.x  
3.0.x

CVE-2022-3424

High

OpenHarmony-v3.1-Release through OpenHarmony-v3.1.5-Release  
OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.7-LTS

3.1.x  
3.0.x

CVE-2022-4129

Medium

OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release  
OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.7-LTS

3.1.x  
3.0.x

CVE-2022-42328

Medium

OpenHarmony-v3.1-Release through OpenHarmony-v3.1.5-Release  
OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.7-LTS

3.1.x  
3.0.x

CVE-2022-3643

Critical

OpenHarmony-v3.1-Release through OpenHarmony-v3.1.5-Release  
OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.7-LTS

3.1.x  
3.0.x

CVE-2022-3105

Medium

OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release  
OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.7-LTS

3.1.x  
3.0.x

CVE-2022-3104

Medium

OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release  
OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.7-LTS

3.1.x  
3.0.x

CVE-2022-3115

Medium

OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release  
OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.7-LTS

3.1.x  
3.0.x

CVE-2022-3113

Medium

OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release  
OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.7-LTS

3.1.x  
3.0.x

CVE-2022-3112

Medium

OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release  
OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.7-LTS

3.1.x  
3.0.x

CVE-2022-3111

Medium

OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release  
OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.7-LTS

3.1.x  
3.0.x

CVE-2022-3108

Medium

OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release  
OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.7-LTS

3.1.x  
3.0.x

CVE-2022-3107

Medium

OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release  
OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.7-LTS

3.1.x  
3.0.x

CVE-2022-3106

Medium

OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release  
OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.7-LTS

3.1.x  
3.0.x

CVE-2022-47519

Medium

OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release  
OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.7-LTS

3.1.x  
3.0.x

CVE-2022-43551

Medium

OpenHarmony-v3.1-Release through OpenHarmony-v3.1.5-Release  
OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.7-LTS  
OpenHarmony-v1.1.0-Release through OpenHarmony-v1.1.5-LTS

3.1.x  
3.0.x  
1.1.x

CVE-2022-43552

Medium

OpenHarmony-v3.1-Release through OpenHarmony-v3.1.5-Release  
OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.7-LTS  
OpenHarmony-v1.1.0-Release through OpenHarmony-v1.1.5-LTS

3.1.x  
3.0.x  
1.1.x

CVE-2022-47518

Medium

OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release  
OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.7-LTS

3.1.x  
3.0.x

CVE-2022-47520

Low

OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release  
OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.7-LTS

3.1.x  
3.0.x

CVE-2022-47521

Medium

OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release  
OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.7-LTS

3.1.x  
3.0.x

CVE-2022-3109

High

OpenHarmony-v3.1-Release through OpenHarmony-v3.1.5-Release  
OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.7-LTS  
OpenHarmony-v1.1.0-Release through OpenHarmony-v1.1.5-LTS

3.1.x  
3.0.x  
1.1.x

CVE-2022-4662

Medium

OpenHarmony-v3.1-Release through OpenHarmony-v3.1.5-Release  
OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.7-LTS

3.1.x  
3.0.x

CVE-2022-3890

Critical

OpenHarmony-v3.1-Release through OpenHarmony-v3.1.5-Release

3.1.x

CVE-2022-20568

High

OpenHarmony-v3.1-Release through OpenHarmony-v3.1.5-Release  
OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.7-LTS

3.1.x  
3.0.x

CVE-2023-22436: en/security-disclosure/2023/2023-02.md · OpenHarmony/security - Gitee.com

radare2 v5.8.3 was discovered to contain a segmentation fault via the component wasm_dis at p/wasm/wasm.c.

**Description**

When parsing the wasm file with r2, using the pd command may result in a segmentation fault, because NULL was incorrectly passed to strdup.

**Environment**

# date
Mon Feb 20 02:38:13 AKST 2023
# r2 -v
radare2 5.8.3 0 @ linux-x86-64 git.5.8.3
commit: 5.8.3 build: 2023-02-16\_\_23:25:48
# uname -ms
Linux x86\_64

Commit : 39f4292

**Proof of concept**

poc.wasm

**Stack dump**

    pwndbg> r /pwn/poc.wasm
    Starting program: /usr/local/bin/r2 /pwn/poc.wasm
    [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
    ERROR: unknown section id: 13
    ERROR: unknown section id: 109
     -- Check your IO plugins with 'r2 -L'
    [0x000000be]> pd
    
    Program received signal SIGSEGV, Segmentation fault.
    __strlen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:65
    65	../sysdeps/x86_64/multiarch/strlen-avx2.S: No such file or directory.
    pwndbg> context
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ─────────────────────────────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]──────────────────────────────────────────────────────
     RAX  0x0
    *RBX  0x555555555640 (__libc_csu_init) ◂— endbr64
     RCX  0x0
     RDX  0x0
     RDI  0x0
    *RSI  0x555555680729 ◂— 0x1000005555550000
    *R8   0x7ffff6df5852 (wasm_decode) ◂— endbr64
    *R9   0x1f
    *R10  0x555555559010 ◂— 0x6000700070007
    *R11  0x7ffff7d95be0 (main_arena+96) —▸ 0x55555582bd80 ◂— 0x0
    *R12  0x5555555551c0 (_start) ◂— endbr64
    *R13  0x7fffffffe6d0 ◂— 0x2
     R14  0x0
     R15  0x0
     RBP  0x0
    *RSP  0x7fffffffcb48 —▸ 0x7ffff7c48383 (strdup+19) ◂— lea r12, [rax + 1]
    *RIP  0x7ffff7d316e5 (__strlen_avx2+21) ◂— vpcmpeqb ymm1, ymm0, ymmword ptr [rdi]
    ──────────────────────────────────────────────────────────────[ DISASM / x86-64 / set emulate on ]───────────────────────────────────────────────────────────────
     ► 0x7ffff7d316e5 <__strlen_avx2+21>     vpcmpeqb ymm1, ymm0, ymmword ptr [rdi]
       0x7ffff7d316e9 <__strlen_avx2+25>     vpmovmskb eax, ymm1
       0x7ffff7d316ed <__strlen_avx2+29>     test   eax, eax
       0x7ffff7d316ef <__strlen_avx2+31>     jne    __strlen_avx2+272                <__strlen_avx2+272>
        ↓
       0x7ffff7d317e0 <__strlen_avx2+272>    tzcnt  eax, eax
       0x7ffff7d317e4 <__strlen_avx2+276>    add    rax, rdi
       0x7ffff7d317e7 <__strlen_avx2+279>    sub    rax, rdx
       0x7ffff7d317ea <__strlen_avx2+282>    vzeroupper
       0x7ffff7d317ed <__strlen_avx2+285>    ret
    
       0x7ffff7d317ee <__strlen_avx2+286>    nop
       0x7ffff7d317f0 <__strlen_avx2+288>    tzcnt  eax, eax
    ────────────────────────────────────────────────────────────────────────────[ STACK ]────────────────────────────────────────────────────────────────────────────
    00:0000│ rsp 0x7fffffffcb48 —▸ 0x7ffff7c48383 (strdup+19) ◂— lea r12, [rax + 1]
    01:0008│     0x7fffffffcb50 —▸ 0x555555680729 ◂— 0x1000005555550000
    02:0010│     0x7fffffffcb58 —▸ 0x7fffffffcca0 —▸ 0x7fffffffcd00 —▸ 0x7fffffffcd40 —▸ 0x7fffffffcda0 ◂— ...
    03:0018│     0x7fffffffcb60 —▸ 0x5555555551c0 (_start) ◂— endbr64
    04:0020│     0x7fffffffcb68 —▸ 0x7ffff6df4574 (wasm_dis+4394) ◂— mov rdx, rax
    05:0028│     0x7fffffffcb70 ◂— 0x0
    06:0030│     0x7fffffffcb78 —▸ 0x7ffff7d95b80 (main_arena) ◂— 0x0
    07:0038│     0x7fffffffcb80 —▸ 0x555555782140 ◂— '       dd '
    ──────────────────────────────────────────────────────────────────────────[ BACKTRACE ]──────────────────────────────────────────────────────────────────────────
     ► f 0   0x7ffff7d316e5 __strlen_avx2+21
       f 1   0x7ffff7c48383 strdup+19
       f 2   0x7ffff6df4574 wasm_dis+4394
       f 3   0x7ffff6df5906 wasm_decode+180
       f 4   0x7ffff6da22dd r_arch_decode+136
       f 5   0x7ffff64ed2e1 r_anal_op+580
       f 6   0x7ffff7827c22 r_core_print_disasm+2478
       f 7   0x7ffff7772b54 cmd_print+15553
    ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    pwndbg> bt
    #0  __strlen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:65
    #1  0x00007ffff7c48383 in __GI___strdup (s=0x0) at strdup.c:41
    #2  0x00007ffff6df4574 in wasm_dis (op=0x7fffffffcce0, buf=0x555555680630 "\375\240\001\375d\v", buf_len=249, txt=true) at p/wasm/wasm.c:1112
    #3  0x00007ffff6df5906 in wasm_decode (s=0x555555677b10, op=0x555555781c10, mask=R_ARCH_OP_MASK_ALL) at p/wasm/plugin.c:366
    #4  0x00007ffff6da22dd in r_arch_decode (a=0x55555559a320, op=0x555555781c10, mask=31) at arch.c:225
    #5  0x00007ffff64ed2e1 in r_anal_op (anal=0x55555559c910, op=0x555555781c10, addr=197, data=0x555555559937 "\375\240\001\375d\v", len=249, mask=R_ARCH_OP_MASK_ALL) at op.c:113
    #6  0x00007ffff7827c22 in r_core_print_disasm (core=0x7ffff5dea010, addr=190, buf=0x555555559930 "A\205\376\377w\375\017\375\240\001\375d\v", len=256, count=64, pdu_condition_type=pdu_instruction, pdu_condition=0x0, count_bytes=false, json=false, pj=0x0, pdf=0x0) at disasm.c:5727
    #7  0x00007ffff7772b54 in cmd_print (data=0x7ffff5dea010, input=0x55555574ff61 "d") at cmd_print.c:6708
    #8  0x00007ffff77ef9dc in r_cmd_call (cmd=0x5555555e6ff0, input=0x55555574ff60 "pd") at cmd_api.c:520
    #9  0x00007ffff778ca90 in r_core_cmd_subst_i (core=0x7ffff5dea010, cmd=0x55555574ff60 "pd", colon=0x0, tmpseek=0x7fffffffe114) at cmd.c:4930
    #10 0x00007ffff77882cb in r_core_cmd_subst (core=0x7ffff5dea010, cmd=0x55555574ff60 "pd") at cmd.c:3760
    #11 0x00007ffff778fcd2 in run_cmd_depth (core=0x7ffff5dea010, cmd=0x55555574ef30 "pd") at cmd.c:5829
    #12 0x00007ffff779017b in r_core_cmd (core=0x7ffff5dea010, cstr=0x55555574eef0 "pd", log=true) at cmd.c:5913
    #13 0x00007ffff76ab199 in r_core_prompt_exec (r=0x7ffff5dea010) at core.c:3556
    #14 0x00007ffff76aa6ea in r_core_prompt_loop (r=0x7ffff5dea010) at core.c:3374
    #15 0x00007ffff7dc7c9f in r_main_radare2 (argc=2, argv=0x7fffffffe6d8) at radare2.c:1700
    #16 0x0000555555555638 in main (argc=2, argv=0x7fffffffe6d8) at radare2.c:104
    #17 0x00007ffff7bcd083 in __libc_start_main (main=0x5555555555e0 <main>, argc=2, argv=0x7fffffffe6d8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe6c8) at ../csu/libc-start.c:308
    #18 0x00005555555551ee in _start ()
    

**Credit**

Q1IQ(@Q1IQ)

CVE-2023-27114: Segmentation fault in wasm_dis at p/wasm/wasm.c:1112 · Issue #21363 · radareorg/radare2

WebAssembly v1.0.29 was discovered to contain a heap overflow via the component component wabt::Node::operator.

**Environment**

    OS      : Linux ubuntu 5.15.0-46-generic #49~20.04.1-Ubuntu SMP Thu Aug 4 19:15:44 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
    Commit  : 3054d61f703d609995798f872fc86b462617c294
    Version : 1.0.29
    Build   : make clang-debug-asan
    

**Proof of concept**

poc-2.wasm.zip

**Stack dump**

    =================================================================
    ==1704949==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x610000000010 at pc 0x0000005f2828 bp 0x7ffc769a3c60 sp 0x7ffc769a3c58
    READ of size 4 at 0x610000000010 thread T0
        #0 0x5f2827 in wabt::Node::operator=(wabt::Node&&) /wabt/out/clang/Debug/asan/../../../../src/decompiler-ast.h:67:17
        #1 0x5dc955 in wabt::Node::Node(wabt::Node&&) /wabt/out/clang/Debug/asan/../../../../src/decompiler-ast.h:65:28
        #2 0x5f54b0 in std::enable_if<__and_<std::__not_<std::__is_tuple_like<wabt::Node>>, std::is_move_constructible<wabt::Node>, std::is_move_assignable<wabt::Node>>::value, void>::type std::swap<wabt::Node>(wabt::Node&, wabt::Node&) /usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/move.h:197:19
        #3 0x5f501e in void std::iter_swap<__gnu_cxx::__normal_iterator<wabt::Node*, std::vector<wabt::Node, std::allocator<wabt::Node>>>, __gnu_cxx::__normal_iterator<wabt::Node*, std::vector<wabt::Node, std::allocator<wabt::Node>>>>(__gnu_cxx::__normal_iterator<wabt::Node*, std::vector<wabt::Node, std::allocator<wabt::Node>>>, __gnu_cxx::__normal_iterator<wabt::Node*, std::vector<wabt::Node, std::allocator<wabt::Node>>>) /usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/stl_algobase.h:182:7
        #4 0x5f46ed in __gnu_cxx::__normal_iterator<wabt::Node*, std::vector<wabt::Node, std::allocator<wabt::Node>>> std::_V2::__rotate<__gnu_cxx::__normal_iterator<wabt::Node*, std::vector<wabt::Node, std::allocator<wabt::Node>>>>(__gnu_cxx::__normal_iterator<wabt::Node*, std::vector<wabt::Node, std::allocator<wabt::Node>>>, __gnu_cxx::__normal_iterator<wabt::Node*, std::vector<wabt::Node, std::allocator<wabt::Node>>>, __gnu_cxx::__normal_iterator<wabt::Node*, std::vector<wabt::Node, std::allocator<wabt::Node>>>, std::random_access_iterator_tag) /usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/stl_algo.h:1394:5
        #5 0x5dd60f in __gnu_cxx::__normal_iterator<wabt::Node*, std::vector<wabt::Node, std::allocator<wabt::Node>>> std::_V2::rotate<__gnu_cxx::__normal_iterator<wabt::Node*, std::vector<wabt::Node, std::allocator<wabt::Node>>>>(__gnu_cxx::__normal_iterator<wabt::Node*, std::vector<wabt::Node, std::allocator<wabt::Node>>>, __gnu_cxx::__normal_iterator<wabt::Node*, std::vector<wabt::Node, std::allocator<wabt::Node>>>, __gnu_cxx::__normal_iterator<wabt::Node*, std::vector<wabt::Node, std::allocator<wabt::Node>>>) /usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/stl_algo.h:1439:14
        #6 0x5dd066 in wabt::AST::Construct(wabt::intrusive_list<wabt::Expr> const&, unsigned int, unsigned int, bool)::'lambda'(unsigned long)::operator()(unsigned long) const /wabt/out/clang/Debug/asan/../../../../src/decompiler-ast.h:279:11
        #7 0x5c8556 in wabt::AST::Construct(wabt::intrusive_list<wabt::Expr> const&, unsigned int, unsigned int, bool) /wabt/out/clang/Debug/asan/../../../../src/decompiler-ast.h:307:13
        #8 0x5ee577 in void wabt::AST::Block<(wabt::ExprType)8>(wabt::BlockExprBase<(wabt::ExprType)8> const&, wabt::LabelType) /wabt/out/clang/Debug/asan/../../../../src/decompiler-ast.h:159:5
        #9 0x5dc2fd in wabt::AST::Construct(wabt::Expr const&) /wabt/out/clang/Debug/asan/../../../../src/decompiler-ast.h:212:9
        #10 0x5c7b64 in wabt::AST::Construct(wabt::intrusive_list<wabt::Expr> const&, unsigned int, unsigned int, bool) /wabt/out/clang/Debug/asan/../../../../src/decompiler-ast.h:248:7
        #11 0x5c281f in wabt::Decompiler::Decompile[abi:cxx11]() /wabt/out/clang/Debug/asan/../../../../src/decompiler.cc:795:13
        #12 0x5be6bd in wabt::Decompile[abi:cxx11](wabt::Module const&, wabt::DecompileOptions const&) /wabt/out/clang/Debug/asan/../../../../src/decompiler.cc:854:21
        #13 0x4f16bd in ProgramMain(int, char**) /wabt/out/clang/Debug/asan/../../../../src/tools/wasm-decompile.cc:103:18
        #14 0x4f2101 in main /wabt/out/clang/Debug/asan/../../../../src/tools/wasm-decompile.cc:116:10
        #15 0x7f9cae44d082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
        #16 0x43f04d in _start (/wabt/out/clang/Debug/asan/wasm-decompile+0x43f04d)
    
    0x610000000010 is located 48 bytes to the left of 192-byte region [0x610000000040,0x610000000100)
    allocated by thread T0 here:
        #0 0x4edc5d in operator new(unsigned long) /home/build-user/llvm-project/compiler-rt/lib/asan/asan_new_delete.cpp:95:3
        #1 0x5f05c8 in __gnu_cxx::new_allocator<wabt::Node>::allocate(unsigned long, void const*) /usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/ext/new_allocator.h:115:27
        #2 0x5f0570 in std::allocator_traits<std::allocator<wabt::Node>>::allocate(std::allocator<wabt::Node>&, unsigned long) /usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/alloc_traits.h:460:20
        #3 0x5effaf in std::_Vector_base<wabt::Node, std::allocator<wabt::Node>>::_M_allocate(unsigned long) /usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/stl_vector.h:346:20
        #4 0x5f3462 in void std::vector<wabt::Node, std::allocator<wabt::Node>>::_M_realloc_insert<wabt::Node>(__gnu_cxx::__normal_iterator<wabt::Node*, std::vector<wabt::Node, std::allocator<wabt::Node>>>, wabt::Node&&) /usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/vector.tcc:440:33
        #5 0x5f3124 in wabt::Node& std::vector<wabt::Node, std::allocator<wabt::Node>>::emplace_back<wabt::Node>(wabt::Node&&) /usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/vector.tcc:121:4
        #6 0x5dcbdc in std::vector<wabt::Node, std::allocator<wabt::Node>>::push_back(wabt::Node&&) /usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/stl_vector.h:1204:9
        #7 0x5de429 in wabt::AST::InsertNode(wabt::NodeType, wabt::ExprType, wabt::Expr const*, unsigned int) /wabt/out/clang/Debug/asan/../../../../src/decompiler-ast.h:104:15
        #8 0x5dc5d0 in wabt::AST::Construct(wabt::Expr const&) /wabt/out/clang/Debug/asan/../../../../src/decompiler-ast.h:230:9
        #9 0x5c7b64 in wabt::AST::Construct(wabt::intrusive_list<wabt::Expr> const&, unsigned int, unsigned int, bool) /wabt/out/clang/Debug/asan/../../../../src/decompiler-ast.h:248:7
        #10 0x5ee577 in void wabt::AST::Block<(wabt::ExprType)8>(wabt::BlockExprBase<(wabt::ExprType)8> const&, wabt::LabelType) /wabt/out/clang/Debug/asan/../../../../src/decompiler-ast.h:159:5
        #11 0x5dc2fd in wabt::AST::Construct(wabt::Expr const&) /wabt/out/clang/Debug/asan/../../../../src/decompiler-ast.h:212:9
        #12 0x5c7b64 in wabt::AST::Construct(wabt::intrusive_list<wabt::Expr> const&, unsigned int, unsigned int, bool) /wabt/out/clang/Debug/asan/../../../../src/decompiler-ast.h:248:7
        #13 0x5c281f in wabt::Decompiler::Decompile[abi:cxx11]() /wabt/out/clang/Debug/asan/../../../../src/decompiler.cc:795:13
        #14 0x5be6bd in wabt::Decompile[abi:cxx11](wabt::Module const&, wabt::DecompileOptions const&) /wabt/out/clang/Debug/asan/../../../../src/decompiler.cc:854:21
        #15 0x4f16bd in ProgramMain(int, char**) /wabt/out/clang/Debug/asan/../../../../src/tools/wasm-decompile.cc:103:18
        #16 0x4f2101 in main /wabt/out/clang/Debug/asan/../../../../src/tools/wasm-decompile.cc:116:10
        #17 0x7f9cae44d082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /wabt/out/clang/Debug/asan/../../../../src/decompiler-ast.h:67:17 in wabt::Node::operator=(wabt::Node&&)
    Shadow bytes around the buggy address:
      0x0c207fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c207fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c207fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c207fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c207fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c207fff8000: fa fa[fa]fa fa fa fa fa 00 00 00 00 00 00 00 00
      0x0c207fff8010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c207fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c207fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c207fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c207fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==1704949==ABORTING

CVE-2023-27117: heap overflow in wabt::Node::operator=(wabt::Node&&) · Issue #1989 · WebAssembly/wabt

WebAssembly v1.0.29 discovered to contain an abort in CWriter::MangleType.

**Title**

Aborted in CWriter::MangleType at wasm2c

**Environment**

    OS      : Linux ubuntu 5.15.0-46-generic #49~20.04.1-Ubuntu SMP Thu Aug 4 19:15:44 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
    Commit  : 3054d61f703d609995798f872fc86b462617c294
    Version : 1.0.29
    Build   : make clang-debug-asan
    

**Proof of concept**

poc.wasm2c-2.wasm  
poc\_wasm2c-2.wasm.zip

**Stack dump**

    gdb /wabt/out/clang/Debug/asan/wasm2c
    pwndbg> r  --enable-multi-memory ./poc.wasm2c-2.wasm
    context:
     LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ─────────────────────────────────[ REGISTERS ]──────────────────────────────────
     RAX  0x0
    *RBX  0x7ffff7a357c0 ◂— 0x7ffff7a357c0
    *RCX  0x7ffff7a7b00b (raise+203) —▸ 0x10824848b48 ◂— 0x0
     RDX  0x0
    *RDI  0x2
    *RSI  0x7fffffff9a90 ◂— 0x0
     R8   0x0
    *R9   0x7fffffff9a90 ◂— 0x0
    *R10  0x8
    *R11  0x246
    *R12  0x43e420 (_start) ◂— endbr64
    *R13  0x7fffffffe070 ◂— 0x3
     R14  0x0
     R15  0x0
    *RBP  0x7fffffff9df0 —▸ 0x7fffffffa270 —▸ 0x7fffffffa3c0 —▸ 0x7fffffffa690 —▸ 0x7fffffffc3c0 ◂— ...
    *RSP  0x7fffffff9a90 ◂— 0x0
    *RIP  0x7ffff7a7b00b (raise+203) —▸ 0x10824848b48 ◂— 0x0
    ───────────────────────────────────[ DISASM ]───────────────────────────────────
     ► 0x7ffff7a7b00b <raise+203>    mov    rax, qword ptr [rsp + 0x108]
       0x7ffff7a7b013 <raise+211>    xor    rax, qword ptr fs:[0x28]
       0x7ffff7a7b01c <raise+220>    jne    raise+260                <raise+260>
        ↓
       0x7ffff7a7b044 <raise+260>    call   __stack_chk_fail                <__stack_chk_fail>
    
       0x7ffff7a7b049                nop    dword ptr [rax]
       0x7ffff7a7b050 <killpg>       endbr64
       0x7ffff7a7b054 <killpg+4>     test   edi, edi
       0x7ffff7a7b056 <killpg+6>     js     killpg+16                <killpg+16>
    
       0x7ffff7a7b058 <killpg+8>     neg    edi
       0x7ffff7a7b05a <killpg+10>    jmp    kill                <kill>
    
       0x7ffff7a7b05f <killpg+15>    nop
    ───────────────────────────────────[ STACK ]────────────────────────────────────
    00:0000│ rsi r9 rsp 0x7fffffff9a90 ◂— 0x0
    01:0008│            0x7fffffff9a98 ◂— 0xfffffffffffffffb
    02:0010│            0x7fffffff9aa0 —▸ 0x757525 ◂— cli
    03:0018│            0x7fffffff9aa8 ◂— 0x0
    ... ↓               4 skipped
    ─────────────────────────────────[ BACKTRACE ]──────────────────────────────────
     ► f 0   0x7ffff7a7b00b raise+203
       f 1   0x7ffff7a5a859 abort+299
       f 2         0x5074f0
       f 3         0x52cebf
       f 4         0x545a44
       f 5         0x535a2f
       f 6         0x528543
       f 7         0x51dd51
    ────────────────────────────────────────────────────────────────────────────────
    backtrace_msg:
    #0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
    #1  0x00007ffff7a5a859 in __GI_abort () at abort.c:79
    #2  0x00000000005074f0 in wabt::(anonymous namespace)::CWriter::MangleType (type=...) at ../../../../src/c-writer.cc:427
    #3  0x000000000052cebf in wabt::(anonymous namespace)::CWriter::Write (this=0x7fffffffce30, sv=...) at ../../../../src/c-writer.cc:701
    #4  0x0000000000545a44 in wabt::(anonymous namespace)::CWriter::Write<wabt::(anonymous namespace)::StackVar, char const (&) [4], char const*, char const (&) [2], wabt::(anonymous namespace)::Name<2>, char const (&) [9], wabt::(anonymous namespace)::StackVar> (this=0x7fffffffce30, t=..., u=..., args=..., args=..., args=..., args=..., args=...) at ../../../../src/c-writer.cc:204
    #5  0x0000000000535a2f in wabt::(anonymous namespace)::CWriter::Write (this=0x7fffffffce30, expr=warning: RTTI symbol not found for class 'wabt::LoadStoreExpr<(wabt::ExprType)47>'
    ...) at ../../../../src/c-writer.cc:2752
    #6  0x0000000000528543 in wabt::(anonymous namespace)::CWriter::Write (this=0x7fffffffce30, exprs=...) at ../../../../src/c-writer.cc:2043
    #7  0x000000000051dd51 in wabt::(anonymous namespace)::CWriter::Write<wabt::intrusive_list<wabt::Expr> const&, wabt::(anonymous namespace)::LabelDecl> (this=0x7fffffffce30, t=..., u=...) at ../../../../src/c-writer.cc:204
    #8  0x000000000051bd15 in wabt::(anonymous namespace)::CWriter::Write (this=0x7fffffffce30, func=...) at ../../../../src/c-writer.cc:1423
    #9  0x000000000051b647 in wabt::(anonymous namespace)::CWriter::Write<wabt::(anonymous namespace)::Newline, wabt::Func const&, wabt::(anonymous namespace)::Newline> (this=0x7fffffffce30, t=..., u=..., args=...) at ../../../../src/c-writer.cc:205
    #10 0x000000000051182d in wabt::(anonymous namespace)::CWriter::WriteFuncs (this=0x7fffffffce30) at ../../../../src/c-writer.cc:1393
    #11 0x0000000000500bf4 in wabt::(anonymous namespace)::CWriter::WriteCSource (this=0x7fffffffce30) at ../../../../src/c-writer.cc:2794
    #12 0x00000000004ffcd7 in wabt::(anonymous namespace)::CWriter::WriteModule (this=0x7fffffffce30, module=...) at ../../../../src/c-writer.cc:2807
    #13 0x00000000004ff48d in wabt::WriteC (c_stream=0x7fffffffdaa0, h_stream=0x7fffffffdaa0, header_name=0x7ccce0 <str> "wasm.h", module=0x7fffffffd2b0, options=...) at ../../../../src/c-writer.cc:2819
    #14 0x00000000004f11b4 in ProgramMain (argc=3, argv=0x7fffffffe078) at ../../../../src/tools/wasm2c.cc:179
    #15 0x00000000004f37f2 in main (argc=3, argv=0x7fffffffe078) at ../../../../src/tools/wasm2c.cc:190
    #16 0x00007ffff7a5c083 in __libc_start_main (main=0x4f37d0 <main(int, char**)>, argc=3, argv=0x7fffffffe078, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe068) at ../csu/libc-start.c:308
    #17 0x000000000043e44e in _start ()

CVE-2023-27116: Aborted in CWriter::MangleType at wasm2c · Issue #1984 · WebAssembly/wabt

WebAssembly v1.0.29 was discovered to contain a segmentation fault via the component wabt::cat_compute_size.

**Environment**

    OS      : Linux ubuntu 5.15.0-46-generic #49~20.04.1-Ubuntu SMP Thu Aug 4 19:15:44 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
    Commit  : 3054d61f703d609995798f872fc86b462617c294
    Version : 1.0.29
    Build   : make clang-debug-asan
    

**Proof of concept**

poc-5.wasm.zip

**Stack dump**

    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==1681910==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f858ec47234 bp 0x7ffce2314ff0 sp 0x7ffce2314ef8 T0)
    ==1681910==The signal is caused by a READ memory access.
    ==1681910==Hint: address points to the zero page.
        #0 0x7f858ec47234 in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>::operator std::basic_string_view<char, std::char_traits<char>>() const (/lib/x86_64-linux-gnu/libstdc++.so.6+0x186234)
        #1 0x61d4eb in unsigned long wabt::cat_compute_size<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, char [3]>(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, char const (&) [3]) /wabt/out/clang/Debug/asan/../../../../src/string-util.h:68:27
        #2 0x61d39d in unsigned long wabt::cat_compute_size<char [5], std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, char [3]>(char const (&) [5], std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, char const (&) [3]) /wabt/out/clang/Debug/asan/../../../../src/string-util.h:68:39
        #3 0x61d235 in unsigned long wabt::cat_compute_size<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, char [5], std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, char [3]>(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, char const (&) [5], std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, char const (&) [3]) /wabt/out/clang/Debug/asan/../../../../src/string-util.h:68:39
        #4 0x61d005 in unsigned long wabt::cat_compute_size<char [5], std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, char [5], std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, char [3]>(char const (&) [5], std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, char const (&) [5], std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, char const (&) [3]) /wabt/out/clang/Debug/asan/../../../../src/string-util.h:68:39
        #5 0x60f57f in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> wabt::cat<char [5], std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, char [5], std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, char [3]>(char const (&) [5], std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, char const (&) [5], std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, char const (&) [3]) /wabt/out/clang/Debug/asan/../../../../src/string-util.h:75:13
        #6 0x5d137d in wabt::Decompiler::DecompileExpr(wabt::Node const&, wabt::Node const*) /wabt/out/clang/Debug/asan/../../../../src/decompiler.cc:530:20
        #7 0x5ccb59 in wabt::Decompiler::DecompileExpr(wabt::Node const&, wabt::Node const*) /wabt/out/clang/Debug/asan/../../../../src/decompiler.cc:357:22
        #8 0x5c30b4 in wabt::Decompiler::Decompile[abi:cxx11]() /wabt/out/clang/Debug/asan/../../../../src/decompiler.cc:825:20
        #9 0x5be6bd in wabt::Decompile[abi:cxx11](wabt::Module const&, wabt::DecompileOptions const&) /wabt/out/clang/Debug/asan/../../../../src/decompiler.cc:854:21
        #10 0x4f16bd in ProgramMain(int, char**) /wabt/out/clang/Debug/asan/../../../../src/tools/wasm-decompile.cc:103:18
        #11 0x4f2101 in main /wabt/out/clang/Debug/asan/../../../../src/tools/wasm-decompile.cc:116:10
        #12 0x7f858e754082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
        #13 0x43f04d in _start (/wabt/out/clang/Debug/asan/wasm-decompile+0x43f04d)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libstdc++.so.6+0x186234) in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>::operator std::basic_string_view<char, std::char_traits<char>>() const
    ==1681910==ABORTING

CVE-2023-27115: SEGV in wabt::cat_compute_size · Issue #1992 · WebAssembly/wabt

WebAssembly v1.0.29 was discovered to contain a segmentation fault via the component wabt::Decompiler::WrapChild.

    OS      : Linux ubuntu 5.15.0-46-generic #49~20.04.1-Ubuntu SMP Thu Aug 4 19:15:44 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
    Commit  : 3054d61f703d609995798f872fc86b462617c294
    Version : 1.0.29
    Build   : make clang-debug-asan
    

    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==1814123==ERROR: AddressSanitizer: SEGV on unknown address 0xffffffffffffffe8 (pc 0x7f12f2723bfe bp 0x7ffe034681e0 sp 0x7ffe03467e18 T0)
    ==1814123==The signal is caused by a READ memory access.
        #0 0x7f12f2723bfe in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>::append(char const*, unsigned long) (/lib/x86_64-linux-gnu/libstdc++.so.6+0x144bfe)
        #1 0x609269 in wabt::Decompiler::WrapChild(wabt::Decompiler::Value&, std::basic_string_view<char, std::char_traits<char>>, std::basic_string_view<char, std::char_traits<char>>, wabt::Decompiler::Precedence) /wabt/out/clang/Debug/asan/../../../../src/decompiler.cc:125:18
        #2 0x619663 in wabt::Decompiler::BracketIfNeeded(wabt::Decompiler::Value&, wabt::Decompiler::Precedence) /wabt/out/clang/Debug/asan/../../../../src/decompiler.cc:143:11
        #3 0x60ce08 in wabt::Decompiler::WrapBinary(std::vector<wabt::Decompiler::Value, std::allocator<wabt::Decompiler::Value>>&, std::basic_string_view<char, std::char_traits<char>>, bool, wabt::Decompiler::Precedence) /wabt/out/clang/Debug/asan/../../../../src/decompiler.cc:153:5
        #4 0x5cfb8b in wabt::Decompiler::DecompileExpr(wabt::Node const&, wabt::Node const*) /wabt/out/clang/Debug/asan/../../../../src/decompiler.cc:473:16
        #5 0x5ccb59 in wabt::Decompiler::DecompileExpr(wabt::Node const&, wabt::Node const*) /wabt/out/clang/Debug/asan/../../../../src/decompiler.cc:357:22
        #6 0x5ccb59 in wabt::Decompiler::DecompileExpr(wabt::Node const&, wabt::Node const*) /wabt/out/clang/Debug/asan/../../../../src/decompiler.cc:357:22
        #7 0x5ccb59 in wabt::Decompiler::DecompileExpr(wabt::Node const&, wabt::Node const*) /wabt/out/clang/Debug/asan/../../../../src/decompiler.cc:357:22
        #8 0x5ccb59 in wabt::Decompiler::DecompileExpr(wabt::Node const&, wabt::Node const*) /wabt/out/clang/Debug/asan/../../../../src/decompiler.cc:357:22
        #9 0x5ccb59 in wabt::Decompiler::DecompileExpr(wabt::Node const&, wabt::Node const*) /wabt/out/clang/Debug/asan/../../../../src/decompiler.cc:357:22
        #10 0x5c30b4 in wabt::Decompiler::Decompile[abi:cxx11]() /wabt/out/clang/Debug/asan/../../../../src/decompiler.cc:825:20
        #11 0x5be6bd in wabt::Decompile[abi:cxx11](wabt::Module const&, wabt::DecompileOptions const&) /wabt/out/clang/Debug/asan/../../../../src/decompiler.cc:854:21
        #12 0x4f16bd in ProgramMain(int, char**) /wabt/out/clang/Debug/asan/../../../../src/tools/wasm-decompile.cc:103:18
        #13 0x4f2101 in main /wabt/out/clang/Debug/asan/../../../../src/tools/wasm-decompile.cc:116:10
        #14 0x7f12f2272082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
        #15 0x43f04d in _start (/wabt/out/clang/Debug/asan/wasm-decompile+0x43f04d)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libstdc++.so.6+0x144bfe) in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>::append(char const*, unsigned long)
    ==1814123==ABORTING

CVE-2023-27119: SEGV in wabt::Decompiler::WrapChild · Issue #1990 · WebAssembly/wabt

IceFire has changed up its OS target in recent cyberattacks, emblematic of ransomware actors increasingly targeting Linux enterprise networks, despite the extra work involved.

In recent weeks, hackers have been deploying the "IceFire" ransomware against Linux enterprise networks, a noted shift for what was once a Windows-only malware.

A report from SentinelOne published today suggests that this may represent a budding trend. Ransomware actors have been targeting Linux systems more than ever in cyberattacks in recent weeks and months, notable not least because "in comparison to Windows, Linux is more difficult to deploy ransomware against, particularly at scale," Alex Delamotte, security researcher at SentinelOne, tells Dark Reading.

But why, if Linux makes their job more difficult, would ransomware actors be moving increasingly toward it?

**The IceFire M.O.**

IceFire, first discovered last March, is standard-fare ransomware aligned with other "'big-game hunting' (BGH) ransomware families," Delamotte wrote. BGH ransomware is characterized by "double extortion, targeting large enterprises, using numerous persistence mechanisms, and evading analysis by deleting log files."

But where IceFire was once an exclusively Windows-based malware, its recent attacks have taken place against Linux-based enterprise networks.

The attack flow is straightforward. Having breached a target network, the IceFire attackers steal copies of any valuable or otherwise interesting data on target machines. Only then comes the encryption. What IceFire primarily looks for are user and shared directories, as these are important yet "unprotected parts of the file system that do not require elevated privileges to write or modify," Delamotte explained.

The attackers are careful, though. "IceFire ransomware doesn't encrypt all files on Linux: It avoids encrypting certain paths, so that critical parts of the system are not encrypted and remain operational."

IceFire tags encrypted files with an ".ifire" extension, as many IT admin have since discovered for themselves. It also automatically drops a no-frills ransom note — "All your important files have been encrypted. Any attempts to restore your files...." The note includes a unique hardcoded username and password the victim can use to log into the attackers' Tor-based ransom payment portal. Once the job is complete, IceFire deletes itself.

Source: SentinelOne

**How IceFire Is Changing**

Most of these details have remained consistent since IceFire's first entry onto the scene. However, some important details have changed in recent weeks, including the victimology.

Where IceFire was once primarily used in campaigns against the healthcare, education, and technology sectors, recent attacks have focused around entertainment and media organizations, primarily in Middle Eastern countries — Iran, Pakistan, Turkey, the United Arab Emirates, and so on.

Other changes to IceFire's M.O. derive from its operating system shift towards Linux. For example, SentinelOne has noted in the past that cyberattackers would distribute IceFire via phishing and spear-phishing emails, then use third-party, pen-test tools like Metasploit and Cobalt Strike to help it spread.

But "many Linux systems are servers," Delamotte points out, "so typical infection vectors like phishing or drive-by download are less effective." So instead, recent IceFire attacks have exploited CVE-2022-47986 — a critical remote code execution (RCE) vulnerability in the IBM Aspera data transfer service, with a CVSS rating of 9.8.

**Why Hackers Are Targeting Linux**

Delamotte posits a few reasons for why more ransomware actors are choosing Linux as of late. For one thing, she says, "Linux-based systems are frequently utilized in enterprise settings to perform crucial tasks such as hosting databases, Web servers, and other mission-critical applications. Consequently, these systems are often more valuable targets for ransomware actors due to the possibility of a larger payout resulting from a successful attack, compared to a typical Windows user."

A second factor, she guesses, "is that some ransomware actors may perceive Linux as an unexploited market that could yield a higher return on investment."

Finally, "the prevalence of containerization and virtualization technologies in enterprise environments has expanded the potential attack surface for ransomware actors," she says. Many of these technologies are Linux-based, so "as ransomware groups exhaust the supply of 'low-hanging fruit,' they will likely prioritize these higher effort targets."

Whatever the primary motive, if more threat actors follow in this same path, enterprises running Linux-based systems need to be ready.

Defending against ransomware requires "a multi-faceted approach," Delamotte says, prioritizing visibility, education, insurance, multi-layered security, and patching, all at once.

"By taking a proactive approach to cybersecurity," she says, "enterprises can increase their chances of successfully defending against ransomware attacks."

Tag

#linux