Heap buffer overflow in PDF in Google Chrome prior to 118.0.5993.70 allowed a remote attacker who convinced a user to engage in specific user interactions to potentially exploit heap corruption via a crafted PDF file. (Chromium security severity: Medium)

CVE-2023-5474

Touted for days as potentially catastrophic, the curl flaws only impact a narrow set of deployments.

For days now, the cybersecurity community has waited anxiously for the big reveal about two security flaws that, according to curl founder Daniel Stenberg, included one that was likely "the worst curl security flaw in a long time."

Curl is an open source proxy resolution tool used as a "middle man" to transfer files between various protocols, which is present in literally billions of application instances. The suggestion of a massive open source library flaw evoked memories of the catastrophic log4j flaw from 2021. As Alex Ilgayev, head of security research at Cycode, worried, "the vulnerability in the curl library might prove to be more challenging than the Log4j incident two years ago."

But following today's unveiling of patches and bug details, neither vulnerability lived up to the hype. However, it's still important for organizations to uncover whether the bugs are present in their environments (Dark Reading's latest Tech Tip covers how to scan environments for the curl vulnerabilities), and remediate accordingly.

**Impacting a Limited Number of Curl Deployments**

The first vuln, a heap-based buffer overflow flaw tracked under CVE-2023-38545, was assigned a rating of "high" due to the potential for data corruption or even remote code execution (RCE). The issue lies in the SOCKS5 proxy handoff, according to the advisory.

"When curl is asked to pass along the hostname to the SOCKS5 proxy to allow that to resolve the address instead of it getting done by curl itself, the maximum length that hostname can be is 255 bytes," the advisory stated. "If the hostname is detected to be longer than 255 bytes, curl switches to local name resolving and instead passes on the resolved address only to the proxy."

The bug could allow the wrong value to be handed off during the SOCKS5 handshake.

"Due to a bug, the local variable that means 'let the host resolve the name' could get the wrong value during a slow SOCKS5 handshake, and contrary to the intention, copy the too long hostname to the target buffer instead of copying just the resolved address there," the advisory added.

However, the high severity designation only applies to a fraction of deployments, cybersecurity expert Jake Williams says.

"This is only high severity in very limited circumstances," Williams says. "I think it's just an issue that when you have a library vulnerability, you know know how the library is being used. You have to assign the CVE assuming a worst case scenario for implementation."

The second curl bug, tracked under CVE-2023-38546, is a low-severity cookie injection flaw that only impacts the libcurl library, not curl itself.

"I think this is a bigger problem for security devices, and appliances (which fetch untrusted content and often use curl under the hood)," Andy Hornegold, vice president of product at Intruder, said in a statement in reaction to the release of the curl bug details. "I don't see it being a huge problem for standalone usage."

**Dangers of Hyping Up a Fix**

Beyond heartburn for cybersecurity teams, hyping up a fix before technical details are released can hand over an easy win to threat actors. In this instance, Williams points out that RedHat updated its change log ahead of the official curl release, which could have given cyberattackers important intel on unpatched targets, had the vulnerability been as dangerous as previously assumed.

Indeed, Mike McGuire with Synopsys saw the dangers of the amped up attention on the curl update and wrote about it in an Oct. 9 blog.

"Despite having no additional details about the vulnerability, threat actors will undoubtedly begin exploit attempts," McGuire wrote. "Additionally, it's not unheard of for attackers to post bogus 'fixed' versions of a project riddled with malware to take advantage of teams scrambling to patch vulnerable software."

Curl Bug Hype Fizzles After Patching Reveal

Debian Linux Security Advisory 5523-1 - Two security issues were found in Curl, an easy-to-use client-side URL transfer library and command line tool.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5523-1                   security@debian.org  
https://www.debian.org/security/                       Moritz Muehlenhoff  
October 11, 2023                      https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : curl  
CVE ID         : CVE-2023-38545 CVE-2023-38546

Two security issues were found in Curl, an easy-to-use client-side URL  
transfer library and command line tool:

CVE-2023-38545

    Jay Satiro discovered a buffer overflow in the SOCKS5 proxy handshake.

CVE-2023-38546

    It was discovered that under some circumstances libcurl was  
    susceptible to cookie injection.

For the oldstable distribution (bullseye), these problems have been fixed  
in version 7.74.0-1.3+deb11u10.

For the stable distribution (bookworm), these problems have been fixed in  
version 7.88.1-10+deb12u4.

We recommend that you upgrade your curl packages.

For the detailed security status of curl please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/curl

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmUmR4AACgkQEMKTtsN8  
TjbtKBAAtJ6fPT/1ZwS+elK/8gzKI3xJFgfS6k/F5o5go30i82fFGK8k7aZNzTrw  
NQAPQ+DdWN4Nvm65qHXf8ME6jSNpnfmSSJ7k/RWVet8BJ3gMxOyBUOqAzK8CP5y1  
xW4Dnma3+EfA4g+f0fiJ8d5xTie29P+uo7qvKeUg1eCAbsUhoEortvkOtKSm/9wh  
hHq6h12LXFrDArEuOzKJZk58bo9xeMe/1BV3YdGh63lrRsz/RR/zFd51OLqn5Dgl  
eJRGwHe7pXIbaCI3mncEa0y6PHQMCZWrKdQxQC5BL4Ggut+Y2nVRMexZKzLD83Rl  
nrrD8LknLAr9QSNBjoMdf1s1rR7vboKNxYFtXcGf6nqFECQuSL4VihbJMIltUzpc  
LE4ppZxmrOs0Q78SFP+Xq5w1zMHg+2NIRx7EHDaGObvv4t3l/PoOXWI81wPxioKa  
zzxLAEVDI2Sfc6Qw/a1GmiIkEbEjhCW+LBUeOhLEfzd56W/7enCGrRFzrS6hKsbz  
Ibp2lPt6755ixpFsJ8PsVTEZ8C9jV41n8tL06BEG8+wSAc+1cHMJQ+0ceQxuXiTF  
Lrorm4rKgx76o8naAG+wPeg3rUawadAkhQzyUXKC1HqEDqcdIJhM+GL4qNI+ErPr  
E2w1K1Qo0g+1CUcYHdNTP6O3IklUwBiyJJeSn5q/AWZYH8aKdKc=  
=+znC  
-----END PGP SIGNATURE-----

Debian Security Advisory 5523-1

Red Hat Security Advisory 2023-5610-01 - The GNU tar program can save multiple files in an archive and restore files from an archive. Issues addressed include a buffer overflow vulnerability.

    The following data is constructed from data provided by Red Hat's json file at:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_5610.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive. Going forward, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: tar security updateAdvisory ID:        RHSA-2023:5610-01Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:5610Issue date:         2023-10-10Revision:           01CVE Names:          CVE-2022-48303====================================================================Summary: An update for tar is now available for Red Hat Enterprise Linux 8.6 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The GNU tar program can save multiple files in an archive and restore files from an archive.Security Fix(es):* tar: heap buffer overflow at from_header() in list.c via specially crafted checksum (CVE-2022-48303)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2022-48303References:https://access.redhat.com/security/updates/classification/#moderate

Red Hat Security Advisory 2023-5610-01

A stack-based buffer overflow vulnerability exists in the httpd gwcfg.cgi get functionality of Yifan YF325 v1.0_20221108. A specially crafted network packet can lead to command execution. An attacker can send a network request to trigger this vulnerability.

**SUMMARY**

A stack-based buffer overflow vulnerability exists in the httpd gwcfg.cgi get functionality of Yifan YF325 v1.0\_20221108. A specially crafted network packet can lead to command execution. An attacker can send a network request to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Yifan YF325 v1.0\_20221108

**PRODUCT URLS**

YF325 - https://yifanwireless.com/entry-level-wifi-router/yf325-series-gprs/3g/4g-wifi-router-with-sim-card-slot.html

**CVSSv3 SCORE**

9.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-489 - Leftover Debug Code

**DETAILS**

The Yifan YF325 is an industrial cellular router. This device is designed for M2M and IOT applications, allowing remote management, offering several VPN services and many other features.

The YF325 router provides a series of APIs. The API that manages the gwcfg.cgi/get* endpoints uses a specific function to parse the incoming data; this API is probably a left over debug code. This API uses the httpd’s gwcfg_cgi_get_manage_post_data function to parse the incoming data:

    void gwcfg_cgi_get_manage_post_data(undefined4 URL_path,undefined4 client_FD,undefined4 content_length)
    
    {
      [...]
    
      memset(post_data,0,0x400);
      APP_TRACE("do_get_cfg_post url:%s,len:%d\n",URL_path,content_length);
      abc_var = websGetVar(client_FD,"abc","0");
      if (abc_var != 0) {
        APP_TRACE("abc:%s\n",abc_var);
      }
      read_n = wfread(post_data,1,content_length,client_FD);                                                        [1]
      APP_TRACE("wfread ret:%d\n",read_n);
      APP_TRACE("do_get_cfg_post buf:%s\n",post_data);
      return;
    }
    

The function reads, at [1], the data of the request using the provided Content-Length. Because the content length is not checked against the length of the post_data static buffer, there is a stack-base buffer overflow at [1]. This function is reachable prior to authentication.

**TIMELINE**

2023-06-28 - Initial Vendor Contact  
2023-07-06 - Vendor Disclosure  
2023-10-11 - Public Release

Discovered by Francesco Benvenuto of Cisco Talos.

CVE-2023-34346: TALOS-2023-1764 || Cisco Talos Intelligence Group

A stack-based buffer overflow vulnerability exists in the httpd do_wds functionality of Yifan YF325 v1.0_20221108. A specially crafted network request can lead to stack-based buffer overflow. An attacker can send a network request to trigger this vulnerability.

**SUMMARY**

A stack-based buffer overflow vulnerability exists in the httpd do\_wds functionality of Yifan YF325 v1.0\_20221108. A specially crafted network request can lead to stack-based buffer overflow. An attacker can send a network request to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Yifan YF325 v1.0\_20221108

**PRODUCT URLS**

YF325 - https://yifanwireless.com/entry-level-wifi-router/yf325-series-gprs/3g/4g-wifi-router-with-sim-card-slot.html

**CVSSv3 SCORE**

8.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

**CWE**

CWE-121 - Stack-based Buffer Overflow

**DETAILS**

The Yifan YF325 is an industrial cellular router. This device is designed for M2M and IOT applications, allowing remote management, offering several VPN services and many other features.

The YF325 router provides a series of APIs. The API that manages the Wireless_WDS* endpoints uses the httpd’s do_wds function:

    void do_wds(undefined4 param_1,char* URL_path,undefined4 fd)
    {
        [...]
        dash_in_URL = indexof(URL_path,L'-');                                                                       [1]
        strcpy(filename,URL_path + dash_in_URL + 1);                                                                [2]
        [...]
    } The `URL_path` parameter is the request's URL path without the leading slash. This function takes, at `[1]`, the index of the first `-` in `URL_path`; if there is no such character, the function `indexof` will return -1. At `[2]` the result of the `indexof` function is used to copy either the whole `URL_path` string if no `-` is present, or only the string after the `-` if it is. The string is copied into a static buffer. Because the function used to copy the string is `strcpy` and no check is performed on the length of what is copied, the `do_wds` function is vulnerable to a stack-based buffer overflow. This vulnerability can be reached without authentication.
    

**TIMELINE**

2023-06-28 - Initial Vendor Contact  
2023-07-06 - Vendor Disclosure  
2023-10-11 - Public Release

Discovered by Francesco Benvenuto of Cisco Talos.

CVE-2023-31272: TALOS-2023-1765 || Cisco Talos Intelligence Group

Two heap-based buffer overflow vulnerabilities exist in the gwcfg_cgi_set_manage_post_data functionality of Yifan YF325 v1.0_20221108. A specially crafted network request can lead to a heap buffer overflow. An attacker can send a network request to trigger these vulnerabilities.This integer overflow result is used as argument for the malloc function.

**SUMMARY**

Two heap-based buffer overflow vulnerabilities exist in the gwcfg\_cgi\_set\_manage\_post\_data functionality of Yifan YF325 v1.0\_20221108. A specially crafted network request can lead to a heap buffer overflow. An attacker can send a network request to trigger these vulnerabilities.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Yifan YF325 v1.0\_20221108

**PRODUCT URLS**

YF325 - https://yifanwireless.com/entry-level-wifi-router/yf325-series-gprs/3g/4g-wifi-router-with-sim-card-slot.html

**CVSSv3 SCORE**

9.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-190 - Integer Overflow or Wraparound

**DETAILS**

The Yifan YF325 is an industrial cellular router. This device is designed for M2M and IOT applications, allowing remote management, offering several VPN services and many other features.

The YF325 router provides a series of APIs. The API that manages the gwcfg.cgi/set* endpoints uses the httpd’s gwcfg_cgi_set_manage_post_data function to parse the POST data:

    void gwcfg_cgi_set_manage_post_data(undefined4 URL,FILE **fd,int content_length)
    
    {
      [...]
    
      APP_TRACE("do_set_cfg_post,url:%s,len:%d\n",URL);
      if (POST_DATA == (char *)0x0) {
        POST_DATA = (char *)malloc(content_length + 1);                                                             [1]
      }
      else {
        POST_DATA = (char *)realloc(POST_DATA,content_length + 1);                                                  [2]
      }
      if (POST_DATA != (char *)0x0) {
        read_len = wfread(POST_DATA,1,content_length,fd);                                                           [3]
        [...]
      }
      return;
    }
    

The first thing checked is if the POST_DATA has already been initialized. Based on the answer, a malloc or a realloc is called to accommodate the actual request’s Content-Length.

The Content-Length is parsed in the manage_request function:

    void manage_request(void)
    {
      [... receive and parse the request until the start of the headers ...]
      [... peforms some checks and parse on the received data ... ]
      
      while( true ) {
        [... tmp_buff is a buffer just after current_header buffer ...]
        read_len = wfgets(current_header,(int)tmp_buff - (int)current_header,(char *)CLIENT_REQUEST_FD);
        if (((is_equal == 0) || (is_equal = strcmp(current_header,"\n"), is_equal == 0)) ||
            (is_equal = strcmp(current_header,"\r\n"), is_equal == 0)) break;
        is_equal = strncasecmp(current_header,"Authorization:",0xe);
        if (is_equal == 0) {
          [...]
        }
        else {
          is_equal = strncasecmp(current_header,"Referer:",8);
          if (is_equal == 0) {
            [...]
          }
          else {
            is_equal = strncasecmp(current_header,"Host:",5);
            if (is_equal == 0) {
              [...]
            }
            else {
              is_equal = strncasecmp(current_header,"Content-Length:",0xf);                                         [4]
              if (is_equal == 0) {
                content_length_value_ptr = current_header + 0xf;
                [...]
                content_length_empty_space = strspn(content_length_value_ptr," \t");
                content_length = content_length_value_ptr + content_length_empty_space;
                CONTENT_LENGTH = strtoul(content_length,(char **)0x0,0);
        [...]
      while( true ) {                                                                                               [5]
        URL_path_pattern = (code *)API_entry_cursor->URL_path_pattern;
        [... find the correct API entry based on the URL path pattern ...]
      }
      [...]
      post = 0;
      is_equal = strcasecmp(request_method,"post");
      if (is_equal == 0) {
        post = 1;
      }
      if ((code *)API_entry_cursor->manage_request_data != (code *)0x0) {
        (*(code *)API_entry_cursor->manage_request_data)
                  (request_URL+1,CLIENT_REQUEST_FD,CONTENT_LENGTH,boundary);                                        [6]
      }
      [...]
    }
    

The function will eventually parse, at [4], the Content-Length. Then, at [5], based on the URL path, the correct API entry struct to use is located. At [6], the manage_request_data function of the located API entry, if not null, is called. The manage_request_data struct field, for the gwcfg.cgi/set* API, corresponds to the gwcfg_cgi_set_manage_post_data function.

**CVE-2023-35967 - malloc integer overflow**

At [1] for the malloc function the requested size is content_length + 1. The + 1 is allegedly used to ensure there is enough space for the null terminator. Because the content_length value is never checked, an integer overflow vulnerability exists at [1] that can lead to a heap buffer overflow at [3].

**CVE-2023-35968 - realloc integer overflow**

At [2] for the realloc function the requested size is content_length + 1. The + 1 is allegedly used to ensure there is enough space for the null terminator. Because the content_length value is never checked, an integer overflow vulnerability exists at [2] that can lead to a heap buffer overflow at [3].

**TIMELINE**

2023-06-28 - Initial Vendor Contact  
2023-07-06 - Vendor Disclosure  
2023-10-11 - Public Release

Discovered by Francesco Benvenuto of Cisco Talos.

CVE-2023-35967: TALOS-2023-1788 || Cisco Talos Intelligence Group

A stack-based buffer overflow vulnerability exists in the httpd manage_request functionality of Yifan YF325 v1.0_20221108. A specially crafted network request can lead to stack-based buffer overflow. An attacker can send a network request to trigger this vulnerability.

**SUMMARY**

A stack-based buffer overflow vulnerability exists in the httpd manage\_request functionality of Yifan YF325 v1.0\_20221108. A specially crafted network request can lead to stack-based buffer overflow. An attacker can send a network request to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Yifan YF325 v1.0\_20221108

**PRODUCT URLS**

YF325 - https://yifanwireless.com/entry-level-wifi-router/yf325-series-gprs/3g/4g-wifi-router-with-sim-card-slot.html

**CVSSv3 SCORE**

9.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-121 - Stack-based Buffer Overflow

**DETAILS**

The Yifan YF325 is an industrial cellular router. This device is designed for M2M and IOT applications, allowing remote management, offering several VPN services and many other features.

The YF325 router provides a series of APIs. The initial function that parses the request before dispatching it to the right function, based on the requested API, is manage_request:

    void manage_request(void)
    
    {
        [...]
        memset(request_method,0,10000);
        is_equal = wfgets(request_method,10000,(char *)CLIENT_REQUEST_FD);
        [... performs some checks and parse the received data ...]
    
        URL_path = request_method;
        strsep(&URL_path," ");
        [... performs some checks and parse the received data ...]
        URL_path_no_root = URL_path + 1;
        [...]
        is_equal = strncmp(URL_path_no_root,"tmp/sd",6);
        if (is_equal == 0) {                                                                                        [1]
            memset(tmp_buff,0,0x80);
            sprintf(tmp_buff,"/%s",URL_path_no_root);                                                               [2]
            strcpy(URL_path_no_root,tmp_buff);                                                                      [3]
        }
        [...]
    }
    

This function receives and parses the head of the request. The manage_request function navigates through an array of API structures, each of which contain the URL endpoints that the API manages. Once matched with the correct URL, the request will be dispatched to the matching API. However, for some URL paths, there is a “pre-processing” part. For instance, at [1], there is the code block used to manage the requests that starts with /tmp/sd. The variable URL_path_no_root corresponds to the request’s URL path without the first /.

The block of code that manages the request that has a URL path that starts with tmp/sd will, at [2], copy the URL_path_no_root into tmp_buff, a static buffer, to add the previously removed first /. Then at [3] the tmp_buff is copied into URL_path_no_root to complete the process. This process is performed because later on the the URL_path_no_root, for this specific case, is going to be used to fetch a file from the filesystem. This “pre-processing” is performed using using sprintf to add the a slash as first character and store the result in a temporary buffer. Because no checks are performed on the length of the URL path provided, the manage_request function is vulnerable to a buffer overflow that can occur at [2]. This code is reached prior to authentication.

**TIMELINE**

2023-06-28 - Initial Vendor Contact  
2023-07-06 - Vendor Disclosure  
2023-10-11 - Public Release

Discovered by Francesco Benvenuto of Cisco Talos.

CVE-2023-34426: TALOS-2023-1766 || Cisco Talos Intelligence Group

A buffer overflow vulnerability exists in the httpd next_page functionality of Yifan YF325 v1.0_20221108. A specially crafted network request can lead to command execution. An attacker can send a network request to trigger this vulnerability.This buffer overflow is in the next_page parameter in the gozila_cgi function.

**SUMMARY**

A buffer overflow vulnerability exists in the httpd next\_page functionality of Yifan YF325 v1.0\_20221108. A specially crafted network request can lead to command execution. An attacker can send a network request to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Yifan YF325 v1.0\_20221108

**PRODUCT URLS**

YF325 - https://yifanwireless.com/entry-level-wifi-router/yf325-series-gprs/3g/4g-wifi-router-with-sim-card-slot.html

**CVSSv3 SCORE**

8.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

**CWE**

CWE-121 - Stack-based Buffer Overflow

**DETAILS**

The Yifan YF325 is an industrial cellular router. This device is designed for M2M and IOT applications, allowing remote management, offering several VPN services and many other features.

The YF325 offers several APIs. A few of them offer the possibility of redirecting the client to a specific page after the API is performed. The piece of code that does this is the following:

    [...]
    next_page = (char *)websGetVar(fd,"next_page",0);
    if (next_page != (char *)0x0) {
      strcpy(URL_path,next_page);
    }
    [...]
    

The URL_path is a char pointer to a static buffer that lives in the stack of the first function that receives the HTTP request.

Because the next_page is fetched from the request’s data and then used directly in a strcpy, this pattern is vulnerable to a stack buffer overflow.

**CVE-2023-35055 - gozila\_cgi**

The gozila_cgi function is affected by this vulnerable pattern. Following the API function that calls the gozila_cgi function:

    void cgi_handler(undefined mime,char *URL_path,dword fd,char *query_string)
    
    {
      [...]
    
      if (post == 1) {
        request_data = POST_DATA;
      }
      else {
        request_data = URL_path;
        query_string = strsep(&request_data,"?");
        if (query_string != (char *)0x0) {
          URL_path = query_string;
        }
        init_cgi(request_data);
      }
      request_data_ = request_data;
      need_reboot = (char *)websGetVar(fd,"need_reboot","0");
      need_rebot_value = atoi(need_reboot);
      change_action = (char *)websGetVar(fd,"change_action","");
      if ((change_action != (char *)0x0) && (is_gozila = strcmp(change_action,"gozila_cgi"), is_gozila == 0)) {
        gozila_cgi(fd,0,URL_path);                                                                                  [1]
        goto RET;
      }
      [...]
    }
    

At [1] the gozila_cgi function is called, and eventually the pattern shown above is reached:

    int gozila_cgi(undefined4 fd,undefined param_2,char *URL_path)
    
    {
        [...]
    
        nvram_set("gozila_action","1");
        next_page = '\0';
        submit_button = websGetVar(fd,"submit_button",0);
        submit_type = websGetVar(fd,"submit_type",0);
        godzila_ptr = (godzila_object *)handle_gozila_action(submit_button,submit_type);
        [...]
        next_page = (char *)websGetVar(fd,"next_page",0);
        if (next_page != (char *)0x0) {
          strcpy(URL_path,next_page);
        }
        [...]
    }
    

This vulnerability can be reached without authentication.

**CVE-2023-35056 - cgi\_handler**

The cgi_handler function is the entry point for different APIs. This function is affected by this vulnerable pattern:

    void cgi_handler(undefined mime,char *URL_path,dword fd,char *query_string)
    
    {
      [...]
    
      if (post == 1) {
        request_data = POST_DATA;
      }
      else {
        request_data = URL_path;
        query_string = strsep(&request_data,"?");
        if (query_string != (char *)0x0) {
          URL_path = query_string;
        }
        init_cgi(request_data);
      }
      request_data_ = request_data;
      need_reboot = (char *)websGetVar(fd,"need_reboot","0");
      need_rebot_value = atoi(need_reboot);
      change_action = (char *)websGetVar(fd,"change_action","");
      if ((change_action != (char *)0x0) && (is_gozila = strcmp(change_action,"gozila_cgi"), is_gozila == 0)) {
        gozila_cgi(fd,0,URL_path);
        goto RET;
      }
      [...]
      next_page = (char *)websGetVar(fd,"next_page",0);
      if (next_page != (char *)0x0) {
        strcpy(URL_path,next_page);
      }
      [...]
    }
    

This vulnerability can be reached without authentication.

**TIMELINE**

2023-06-28 - Initial Vendor Contact  
2023-07-06 - Vendor Disclosure  
2023-10-11 - Public Release

Discovered by Francesco Benvenuto of Cisco Talos.

CVE-2023-35055: TALOS-2023-1761 || Cisco Talos Intelligence Group

Two heap-based buffer overflow vulnerabilities exist in the httpd manage_post functionality of Yifan YF325 v1.0_20221108. A specially crafted network request can lead to a heap buffer overflow. An attacker can send a network request to trigger these vulnerabilities.This integer overflow result is used as argument for the malloc function.

**SUMMARY**

Two heap-based buffer overflow vulnerabilities exist in the httpd manage\_post functionality of Yifan YF325 v1.0\_20221108. A specially crafted network request can lead to a heap buffer overflow. An attacker can send a network request to trigger these vulnerabilities.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Yifan YF325 v1.0\_20221108

**PRODUCT URLS**

YF325 - https://yifanwireless.com/entry-level-wifi-router/yf325-series-gprs/3g/4g-wifi-router-with-sim-card-slot.html

**CVSSv3 SCORE**

9.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-190 - Integer Overflow or Wraparound

**DETAILS**

The Yifan YF325 is an industrial cellular router. This device is designed for M2M and IOT applications, allowing remote management, offering several VPN services and many other features.

The YF325 router provides a series of APIs. Many of those APIs, which expect to receive a POST request, use the manage_post function to manage the received POST data:

    void manage_post(undefined4 param_1,FILE **fd,int content_length)
    
    {
      [...]
      if (post == 1) {
        if (POST_DATA == (char *)0x0) {
          POST_DATA = (char *)malloc(content_length + 1U);                                                          [1]
        }
        else {
          POST_DATA = (char *)realloc(POST_DATA,content_length + 1U);                                               [2]
        }
        if ((POST_DATA != (char *)0x0) &&
           (data_end = wfread(POST_DATA,1,content_length,fd), [...])) {                                             [3]
          [...]
        }
      }
      [...]
    }
    

The first thing checked, after confirming that the request is actually a POST, is if the POST_DATA global variable has already been initialized. Based on the answer, a malloc or a realloc is called to accommodate the actual request’s Content-Length.

The Content-Length is parsed in the manage_request function:

    void manage_request(void)
    {
      [... receive and parse the request until the start of the headers ...]
      [... peforms some checks and parse on the received data ... ]
      
      while( true ) {
        [... tmp_buff is a buffer just after current_header buffer ...]
        read_len = wfgets(current_header,(int)tmp_buff - (int)current_header,(char *)CLIENT_REQUEST_FD);
        if (((is_equal == 0) || (is_equal = strcmp(current_header,"\n"), is_equal == 0)) ||
            (is_equal = strcmp(current_header,"\r\n"), is_equal == 0)) break;
        is_equal = strncasecmp(current_header,"Authorization:",0xe);
        if (is_equal == 0) {
          [...]
        }
        else {
          is_equal = strncasecmp(current_header,"Referer:",8);
          if (is_equal == 0) {
            [...]
          }
          else {
            is_equal = strncasecmp(current_header,"Host:",5);
            if (is_equal == 0) {
              [...]
            }
            else {
              is_equal = strncasecmp(current_header,"Content-Length:",0xf);                                         [4]
              if (is_equal == 0) {
                content_length_value_ptr = current_header + 0xf;
                [...]
                content_length_empty_space = strspn(content_length_value_ptr," \t");
                content_length = content_length_value_ptr + content_length_empty_space;
                CONTENT_LENGTH = strtoul(content_length,(char **)0x0,0);
        [...]
      while( true ) {                                                                                               [5]
        URL_path_pattern = (code *)API_entry_cursor->URL_path_pattern;
        [... find the correct API entry based on the URL path pattern ...]
      }
      [...]
      post = 0;
      is_equal = strcasecmp(request_method,"post");
      if (is_equal == 0) {
        post = 1;
      }
      if ((code *)API_entry_cursor->manage_request_data != (code *)0x0) {
        (*(code *)API_entry_cursor->manage_request_data)
                  (request_URL+1,CLIENT_REQUEST_FD,CONTENT_LENGTH,boundary);                                        [6]
      }
      [...]
    }
    

The function will eventually parse, at [4], the Content-Length. Then, at [5], based on the URL path, the correct API entry struct to use is located. At [6], the manage_request_data function of the located API entry, if not null, is called. The manage_request_data struct field, for several APIs, corresponds to the manage_post function.

**CVE-2023-35965 - malloc integer overflow**

Many API URL paths will eventually call the manage_post function. At [1] for the malloc function the requested size is content_length + 1. The + 1 is used to ensure there is enough space for the null terminator. Because the content_length value is never checked, it could correspond to the max unsigned integer, so, an integer overflow vulnerability exists at [1] that can lead to a heap buffer overflow at [3].

**CVE-2023-35966 - realloc integer overflow**

Many API URL paths will eventually call the manage_post function. At [2] for the realloc function the requested size is content_length + 1. The + 1 is used to ensure there is enough space for the null terminator. Because the content_length value is never checked, it could correspond to the max unsigned integer, so, an integer overflow vulnerability exists at [2] that can lead to a heap buffer overflow at [3].

**TIMELINE**

2023-06-28 - Initial Vendor Contact  
2023-07-06 - Vendor Disclosure  
2023-10-11 - Public Release

Discovered by Francesco Benvenuto of Cisco Talos.

Tag

#buffer_overflow