The C+ mode offload emulation in the RTL8139 network card device model in QEMU, as used in Xen 4.5.x and earlier, allows remote attackers to read process heap memory via unspecified vectors.

**Information**

Advisory

XSA-140

Public release

2015-08-03 12:00

Updated

2015-08-03 12:37

Version

2

CVE(s)

CVE-2015-5165

Title

QEMU leak of uninitialized heap memory in rtl8139 device model

**Files**advisory-140.txt (signed advisory file)  
xsa140-qemuu-unstable-1.patch  
xsa140-qemuu-unstable-2.patch  
xsa140-qemuu-unstable-3.patch  
xsa140-qemuu-unstable-4.patch  
xsa140-qemuu-unstable-5.patch  
xsa140-qemuu-unstable-6.patch  
xsa140-qemuu-unstable-7.patch  
xsa140-qemuu-4.3-1.patch  
xsa140-qemuu-4.3-2.patch  
xsa140-qemuu-4.3-3.patch  
xsa140-qemuu-4.3-4.patch  
xsa140-qemuu-4.3-5.patch  
xsa140-qemuu-4.3-6.patch  
xsa140-qemuu-4.3-7.patch**Advisory**

\-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2015-5165 / XSA-140
                              version 2

    QEMU leak of uninitialized heap memory in rtl8139 device model

UPDATES IN VERSION 2
====================

CVE assigned.

Public release.

Updated status of the patches.

ISSUE DESCRIPTION
=================

The QEMU model of the RTL8139 network card did not sufficiently
validate inputs in the C+ mode offload emulation. This results in
uninitialised memory from the QEMU process's heap being leaked to the
domain as well as to the network.

IMPACT
======

A guest may be able to read sensitive host-level data relating to
itself which resides in the QEMU process.

Such information may include things such as information relating to
real devices backing emulated devices or passwords which the host
administrator does not intend to share with the guest admin.

VULNERABLE SYSTEMS
==================

All Xen systems running x86 HVM guests without stubdomains which have
been configured with an emulated RTL8139 driver model (which is the
default) are vulnerable.

Systems using qemu-dm stubdomain device models (for example, by
specifying "device\_model\_stubdomain\_override=1" in xl's domain
configuration files) are NOT vulnerable.

Both the traditional ("qemu-xen-traditional") or upstream-based
("qemu-xen") qemu device models are potentially vulnerable.

Systems running only PV guests are NOT vulnerable.

ARM systems are NOT vulnerable.

QEMU-XEN-TRADITIONAL
====================

The patches supplied by the Qemu Project are of course against recent
versions of qemu.  They cannot be applied directly to
qemu-xen-traditional.  The Xen Project Security Team do not feel we
have the resources to backport and qualify these substantial and
intrusive patches.

Users using qemu-xen-traditional with stub domains are not vulnerable,
because the stub dm is a deprivileged qemu guest instance.

Users using qemu-xen-traditional for compatibility with old guests can
avoid the vulnerability by switching to using a stub device model.

The Xen Project Security Team encourages users and downstreams who are
using qemu-xen-traditional and able to backport the patches to share
those patches with us, so that we may distribute them with an updated
advisory.

We will encourage the community to have a conversation, when this
advisory is released, about the continuing security support status of
qemu-xen-traditional in non-stub-dm configurations.

MITIGATION
==========

Avoiding the use of emulated network devices altogether, by specifying
a PV only VIF in the domain configuration file will avoid this
issue.

Avoiding the use of the RTL8139 device in favour of other emulations
will also avoid this issue.

Enabling stubdomains will mitigate this issue, by reducing the
information leak to only information belonging to the service domain.

qemu-dm stubdomains are only available with the "qemu-xen-traditional"
device model version.

CREDITS
=======

This issue was discovered by Donghai Zhu of Alibaba.

RESOLUTION
==========

Applying the appropriate attached patches resolves this issue.

xsa140-qemuu-unstable-?.patch        qemu-upstream, xen-unstable, Xen 4.5.x,
                                     Xen 4.4.x
xsa140-qemuu-4.3-?.patch             qemu-upstream, Xen 4.3.x, Xen 4.2.x

$ sha256sum xsa140\*.patch
12d0dc1a31449288ed5e562a1e9415c437b7a2799e8afa0b251e3957a0d8ab23  xsa140-qemuu-unstable-1.patch
c91a60b7d7e18ea95b31eca0ba940d53c14730fae1e50802375c9e5ab7d0f109  xsa140-qemuu-unstable-2.patch
99062a9cbf4b96de8f0aa8555291cf6e296a9dbdf22ad4e9285912ba02de9261  xsa140-qemuu-unstable-3.patch
82d2214a0bd42b03b72b26170e4c80699d74bc691b6e223780a693ad2e9c267a  xsa140-qemuu-unstable-4.patch
b728ae69e4a1d838bb1b4c5e6135e84fe8f6fc7e97fdc99915e7fc908edb4fd2  xsa140-qemuu-unstable-5.patch
6fb23646e05ef9a4b010d2a2c0235b6ee58a293f39ed40b6b1611115c948a79a  xsa140-qemuu-unstable-6.patch
ebcadb69110ea4672795b52472222ed1ffe67a83e37c5b7d401530f43137c587  xsa140-qemuu-unstable-7.patch
f33046ad9f29878a6d6cc7fbd5f58959b26aa1f5fb5be3ff0c933a11d7ed51d8  xsa140-qemuu-4.3-1.patch
2d43b2de5152623d8beb4e304330c09bc6bd338343e4398d74ae256623d00007  xsa140-qemuu-4.3-2.patch
54a9d5b64e3562ba68a68178a292a125ca7c73edd24ec4fc3cb5908728ff75c9  xsa140-qemuu-4.3-3.patch
b803887acb91ae52c90ef478068bd588e06c84a4ef4b92a8bfb776b79ac8f318  xsa140-qemuu-4.3-4.patch
bb4130ae38ca515e76dcac0fcb895d2e8780bab75576096372292d1707d3134e  xsa140-qemuu-4.3-5.patch
e1acc11ef537c747c118da758cf160d738576ff9efce950eed3c71c889f843f4  xsa140-qemuu-4.3-6.patch
6fabe8336e8d847366d51670b356c70a994eaf286733043209ef9ac51d67384c  xsa140-qemuu-4.3-7.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches described above (or others which are
substantially similar) is permitted during the embargo, even on
public-facing systems with untrusted guest users and administrators.

But: Deployment of any of the mitigations described above is NOT
permitted (except on systems used and administered only by
organisations which are members of the Xen Project Security Issues
Predisclosure List).  Specifically, deployment on public cloud systems
is NOT permitted.  This is because in all cases the configuration
change may be visible to the guest.

Also, Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJVv2B5AAoJEIP+FMlX6CvZTFwIAKg6BkayXEBbQK0xqwoCLRXR
QlCI0IvisTLOeDnT0b0H4rLP8a9+q0HOXaRAswQK9+jQmZOqplwK1aVHrEU/HW/Q
3VPJvgJVHign3EPXMVpRzRElEVBdsR+D+bV5Wn43RHJPH2DwIbUxzLQq7rZ46wlE
Na5BoJne5xzJTjIAQPDbtE7tEkJwYbc7M4eD+IeY1I2GnmCEtf+x8xmrQdCXLbqW
nabIymX+eoaYxcdWDIq3WJY5Gi42gXt+xp4rWY0qb+lAXK6NAGx4tptDuewMNFJE
v356gsWqNXAh7jTTn8olR8S8zKGJ3z4g1EAIz/xHpc66uNUcExVPiaReFiEXE1w=
=viOO
-----END PGP SIGNATURE-----

Xenproject.org Security Team

CVE-2015-5165: 140 - Xen Security Advisories

Heap-based buffer overflow in the PCNET controller in QEMU allows remote attackers to execute arbitrary code by sending a packet with TXSTATUS_STARTPACKET set and then a crafted packet with TXSTATUS_DEVICEOWNS set.

**Information**

Advisory

XSA-135

Public release

2015-06-10 13:10

Updated

2015-06-10 13:10

Version

3

CVE(s)

CVE-2015-3209

Title

Heap overflow in QEMU PCNET controller, allowing guest->host escape

**Files**advisory-135.txt (signed advisory file)  
xsa135-qemut-1.patch  
xsa135-qemut-2.patch  
xsa135-qemuu-unstable.patch  
xsa135-qemuu-4.2-1.patch  
xsa135-qemuu-4.2-2.patch  
xsa135-qemuu-4.3-1.patch  
xsa135-qemuu-4.3-2.patch  
xsa135-qemuu-4.5-1.patch  
xsa135-qemuu-4.5-2.patch**Advisory**

\-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2015-3209 / XSA-135
                              version 3

 Heap overflow in QEMU PCNET controller, allowing guest->host escape

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

The QEMU security team has predisclosed the following advisory:

    pcnet\_transmit loads a transmit-frame descriptor from the guest into the
    /tmd/ local variable to recover a length field, a status field and a
    guest-physical location of the associated frame buffer. If the status
    field indicates that the frame buffer is ready to be sent out (i.e. by
    setting the TXSTATUS\_DEVICEOWNS, TXSTATUS\_STARTPACKET and
    TXSTATUS\_ENDPACKET bits on the status field), the PCNET device
    controller pulls in the frame from the guest-physical location to
    s->buffer (which is 4096 bytes long), and then transmits the frame.

    Because of the layout of the transmit-frame descriptor, it is not
    possible to send the PCNET device controller a frame of length > 4096,
    but it /is/ possible to send the PCNET device controller a frame that is
    marked as TXSTATUS\_STARTPACKET, but not TXSTATUS\_ENDPACKET. If we do
    this - and the PCNET controller is configured via the XMTRL CSR to
    support split-frame processing - then the pcnet\_transmit functions loops
    round, pulling a second transmit frame descriptor from the guest. If
    this second transmit frame descriptor sets the TXSTATUS\_DEVICEOWNS and
    doesn't set the TXSTATUS\_STARTPACKET bits, this frame is appended to
    the s->buffer field.

    An attacker can then exploit this vulnerability by sending a first
    packet of length 4096 to the device controller, and a second frame
    containing N-bytes to trigger an N-byte heap overflow.

    On 64-bit QEMU, a 24-byte overflow allows the guest to take control of
    the phys\_mem\_write function pointer in the PCNetState\_st structure, and
    this is called when trying to flush the updated transmit frame
    descriptor back to the guest. By specifying the content of the second
    transmit frame, the attacker therefore gets reliable fully-chosen
    control of the host instruction pointer, allowing them to take control
    of the host.

IMPACT
======

A guest which has access to an emulated PCNET network device
(e.g. with "model=pcnet" in their VIF configuration) can exploit this
vulnerability to take over the qemu process elevating its privilege to
that of the qemu process.

VULNERABLE SYSTEMS
==================

All Xen systems running x86 HVM guests without stubdomains which have
been configured to use the PCNET emulated driver model are
vulnerable.

The default configuration is NOT vulnerable (because it does not
emulate PCNET NICs).

Systems running only PV guests are NOT vulnerable.

Systems using qemu-dm stubdomain device models (for example, by
specifying "device\_model\_stubdomain\_override=1" in xl's domain
configuration files) are NOT vulnerable.

Both the traditional "qemu-xen" or upstream qemu device models are
potentially vulnerable.

ARM systems are NOT vulnerable.

MITIGATION
==========

Avoiding the use of emulated network devices altogether, by specifying
a PV only VIF in the domain configuration file will avoid this
issue.

Avoiding the use of the PCNET device in favour of other emulations
will also avoid this issue.

Enabling stubdomains will mitigate this issue, by reducing the
escalation to only those privileges accorded to the service domain.

qemu-dm stubdomains are only available with the traditional "qemu-xen"
version.

CREDITS
=======

This issue was discovered by Matt Tait of Google and reported to us
via the QEMU security team.

RESOLUTION
==========

Applying the appropriate attached patch(es) resolves this issue.

xsa135-qemuu-unstable.patch  qemu-upstream, Xen unstable
xsa135-qemuu-4.5-\*.patch     qemu-upstream, Xen 4.5.x, Xen 4.4.x
xsa135-qemuu-4.3-\*.patch     qemu-upstream, Xen 4.3.x
xsa135-qemuu-4.2-\*.patch     qemu-upstream, Xen 4.2.x
xsa135-qemut-\*.patch         qemu-xen-traditional, Xen unstable, 4.5.x, 4.4.x, 4.3.x, 4.2.x

Note that the second patch for qemu-xen-traditional (all versions),
and qemu-upstream 4.3.x and 4.2.x are identical. Likewise
xsa135-qemuu-unstable.patch is the same as
xsa135-qemuu-4.5-2.patch. They are presented separately for
convenience.

$ sha256sum xsa135\*.patch
a40897166f5de84c11b5d547191cd0375c7052edb0f44940eec7b78d839e447b  xsa135-qemut-1.patch
d98452d4c42fae1f11e887537a4638694de8a4bf00835daac6e51801297e4091  xsa135-qemut-2.patch
099693483d468a7fdecbf825635d3595ebeecc91c496624cbe109dcb4dd235da  xsa135-qemuu-unstable.patch
12ca5521f6bb1227934a1711d8adee11138a84c080a217f250efe34b3cb25b10  xsa135-qemuu-4.2-1.patch
d98452d4c42fae1f11e887537a4638694de8a4bf00835daac6e51801297e4091  xsa135-qemuu-4.2-2.patch
ad32c0ac145bc02b901c061fcbef83965f443fe89fcae9efc3b1dfd1e1d70bc8  xsa135-qemuu-4.3-1.patch
d98452d4c42fae1f11e887537a4638694de8a4bf00835daac6e51801297e4091  xsa135-qemuu-4.3-2.patch
baf9e0a960693b246ff01bb6210c5fee7713999d1e1b00a5b4e29d9ebd3c0ce8  xsa135-qemuu-4.5-1.patch
099693483d468a7fdecbf825635d3595ebeecc91c496624cbe109dcb4dd235da  xsa135-qemuu-4.5-2.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of patches or mitigations is NOT permitted (except on
systems used and administered only by organisations which are members
of the Xen Project Security Issues Predisclosure List).  Specifically,
deployment on public cloud systems is NOT permitted.

The decision not to permit deployment was made by the group that, at
their discretion, disclosed the issue to the Xen Project Security
Team.

Deployment is permitted only AFTER the embargo ends.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJVeDc3AAoJEIP+FMlX6CvZFBoIAJw/FxeABrdms6CzoxZxFQRp
It9eoMcmP+cxjMuAJyO771s+wYZy/X+ZDM2+CmzDWdBOzst3/YVw0ePbNH1T86y6
23Miqm5zupJ30xQGIXledrd/S23tmRlmzylytJcI9UQktuAOnL50l+wovKwhxVtO
x2Dg4P6RZ51twfbYLueIjBe2YSGGrck0kugpDtD6dH6kONNFgA+30i11Unwip18b
FzKm54b5HIvSoOkXCggCdgaCOmAuz3LpAt7FfB1324dPblxlfrDyRxWABxn47qoL
lgTJa7DPRTdxYM7EmnpMHKakgqzhD+Vu2Jnz8RELXt+AQH3TxRYXS2kT22QpfxY=
=cx83
-----END PGP SIGNATURE-----

Xenproject.org Security Team

CVE-2015-3209: 135 - Xen Security Advisories

dompdf.php in dompdf before 0.6.1, when DOMPDF_ENABLE_PHP is enabled, allows context-dependent attackers to bypass chroot protections and read arbitrary files via a PHP protocol and wrappers in the input_file parameter, as demonstrated by a php://filter/read=convert.base64-encode/resource in the input_file parameter.

**Full Disclosure mailing list archives**

_From_: Portcullis Advisories <advisories () portcullis-security com>  
_Date_: Wed, 23 Apr 2014 11:29:56 +0100  

Vulnerability title: Arbitrary file read in dompdf
CVE: CVE-2014-2383
Vendor: dompdf
Product: dompdf
Affected version: v0.6.0
Fixed version: v0.6.1 (partial fix)
Reported by: Alejo Murillo Moyas

Details:
An arbitrary file read vulnerability is present on dompdf.php file that
allows remote or local attackers to read local files using a special
crafted argument. This vulnerability requires the configuration flag
DOMPDF\_ENABLE\_PHP to be enabled (which is disabled by default).

Using PHP protocol and wrappers it is possible to bypass the dompdf's
"chroot" protection (DOMPDF\_CHROOT) which prevents dompdf from accessing
system files or other files on the webserver. Please note that the flag
DOMPDF\_ENABLE\_REMOTE needs to be enabled.

Command line interface:
php dompdf.php
php://filter/read=convert.base64-encode/resource=<PATH\_TO\_THE\_FILE>

Web interface:
   
http://example/dompdf.php?input\_file=php://filter/read=convert.base64-encode/resource=<PATH\_TO\_THE\_FILE>
        

Further details at:
https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2383/

Copyright:
Copyright (c) Portcullis Computer Security Limited 2014, All rights
reserved worldwide. Permission is hereby granted for the electronic
redistribution of this information. It is not to be edited or altered in
any way without the express written consent of Portcullis Computer
Security Limited.

Disclaimer:
The information herein contained may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties, implied or otherwise, with regard to this information
or its use. Any use of this information is at the user's risk. In no
event shall the author/distributor (Portcullis Computer Security
Limited) be held liable for any damages whatsoever arising out of or in
connection with the use or spread of this information.

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

**Current thread:**

*   **CVE-2014-2383 - Arbitrary file read in dompdf** _Portcullis Advisories (Apr 23)_

CVE-2014-2383: Full Disclosure: CVE-2014-2383 - Arbitrary file read in dompdf

Race condition in the mac80211 subsystem in the Linux kernel before 3.13.7 allows remote attackers to cause a denial of service (system crash) via network traffic that improperly interacts with the WLAN_STA_PS_STA state (aka power-save mode), related to sta_info.c and tx.c.

CVE-2014-2706

Today, Microsoft released Security Advisory 2953095 to notify customers of a vulnerability in Microsoft Word. At this time, we are aware of limited, targeted attacks directed at Microsoft Word 2010.
This blog will discuss mitigations and temporary defensive strategies that will help customers to protect themselves while we are working on a security update.

Today, Microsoft released Security Advisory 2953095 to notify customers of a vulnerability in Microsoft Word. At this time, we are aware of limited, targeted attacks directed at Microsoft Word 2010.

This blog will discuss mitigations and temporary defensive strategies that will help customers to protect themselves while we are working on a security update. This blog also provides some preliminary details of the exploit code observed in the wild.

**Mitigations and Workaround**

The in the wild exploit takes advantage of an unspecified RTF parsing vulnerability combined with an ASLR bypass, which depends by a module loaded at predictable memory address.

First, our tests showed that EMET default configuration can block the exploits seen in the wild. In this case, EMET’s mitigations such as “Mandatory ASLR” and anti-ROP features effectively stop the exploit. You can find more information about EMET at http://www.microsoft.com/emet. The exploit code seems to target Word 2010 and it deeply relies on the specific ASLR bypass mentioned. We were glad to see in our tests that this exploit fails (resulting in a crash) on machines running Word 2013, due to the ASLR enforcement introduced for this product.

In addition to EMET mitigations, users may consider to apply stronger protections by blocking the root cause of the issue with one of the following suggested workarounds:

*   disable opening of RTF files;
*   enforce Word to open RTF files always in _Protected View_ in Trust Center settings.

To facilitate deployment of the first workaround, we are providing a Fix it automated tool. The Fix it uses Office’s file block feature and adds few registry keys to prevent opening of RTF files in all Word versions. After the Fix it is installed, opening RTF file will result in the following message:

\](https://msdnshared.blob.core.windows.net/media/TNBlogsFS/prod.evol.blogs.technet.com/CommunityServer.Blogs.Components.WeblogFiles/00/00/00/61/47/3124.pic1.png)

If blocking RTF files is not an option, enterprise could enforce “_Open selected file types in Protected View_” instead of “_Do not open selected file types_” in Trust Center settings. The “Protected View” mode in Office 2010/2013 does not allow ActiveX controls to load. This will mitigate the attack we observed. Once the workaround is enabled, Word will prompt the _Protected View_ gold bar, but will still allow the preview of the document.

\](https://msdnshared.blob.core.windows.net/media/TNBlogsFS/prod.evol.blogs.technet.com/CommunityServer.Blogs.Components.WeblogFiles/00/00/00/61/47/0118.pic2.png)

Enterprise admins may also consider to make their own custom protection using Trust Center features of Office instead of the Fix it, since these settings can be managed and deployed through GPO. For more details, please refer to: http://office.microsoft.com/en-us/word-help/what-is-file-block-HA010355927.aspx#\_File\_Block\_settings.

\](https://msdnshared.blob.core.windows.net/media/TNBlogsFS/prod.evol.blogs.technet.com/CommunityServer.Blogs.Components.WeblogFiles/00/00/00/61/47/1212.pic3.png)

**Theoretical Outlook attack vector**

There is a theoretical Outlook attack vector for RTF vulnerabilities through the preview pane. The reduced functionality of the preview pane makes this attack vector extremely hard to carry, and to date we have never seen exploits leveraging this mechanism.

**Technical details of the exploit**

The attack detected in the wild is limited and very targeted in nature. The malicious document is designed to trigger a memory corruption vulnerability in the RTF parsing code. The attacker embedded a secondary component in order to bypass ASLR, and leveraged return-oriented-programming techniques using native RTF encoding schemes to craft ROP gadgets. The structure of the malicious document and the individual blocks is described in the picture below.

\](https://msdnshared.blob.core.windows.net/media/TNBlogsFS/prod.evol.blogs.technet.com/CommunityServer.Blogs.Components.WeblogFiles/00/00/00/61/47/pic4.png)

When the memory corruption vulnerability is triggered, the exploit gains initial code execution and in order to bypass DEP and ASLR, it tries to execute the ROP chain that allocates a large chunk of executable memory and transfers the control to the first piece of the shellcode (egghunter). This code then searches for the main shellcode placed at the end of the RTF document to execute it.

\](https://msdnshared.blob.core.windows.net/media/TNBlogsFS/prod.evol.blogs.technet.com/CommunityServer.Blogs.Components.WeblogFiles/00/00/00/61/47/pic5.png)

One peculiar aspect of the main shellcode is the fact that it employs multiple consecutive layers of decryption and well-known anti-debugging tricks, such as test of debugging flags an, RDTSC timing checks and jump-hops over hooks, possibly to defeat automated sandbox, analysis tools and researchers. The shellcode has also been programmed with a special date-based deactivation logic. In fact, it parses the content of “_C:\\Windows\\SoftwareDistribution\\ReportingEvents.log_” file and it scans all the available Microsoft updates installed on the machine. The shellcode will not perform any additional malicious action if there are updates installed after April, 8 2014. This means that even after a successful exploitation with reliable code execution, after this date the shellcode may decide to not drop the secondary backdoor payload and simply abort the execution. When the activation logic detects the correct condition to trigger, the exploit drops in the temporary folder a backdoor file named ‘svchost.exe’ and runs it. The dropped backdoor is a generic malware written in Visual Basic 6 which communicates over HTTPS and relies on execution of multiple windows scripts via WScript.Shell and it can install/run additional MSI components.

**Detection and indicators for defenders**

We are providing a good list of IOCs (Indicator of Compromise) hoping to facilitate defensive efforts and to help security vendors and professionals to stay protected from this specific attack. The remote C&C server used by the current backdoor in the file uses encrypted SSL traffic with a static self-signed certificate that can be easily detected.

**YARA RULE (RTF)**

rule SA2953095\_RTF { meta: description = “MS Security Advisory 2953095” strings: $badHdr = “{\\\\rt{” $ocxTag = “\\\\objocx\\\\” $mscomctl = “MSComctlLib.” $rop = “?\\\\u-554"condition: filesize > 100KB and filesize < 500KB and $badHdr and $ocxTag and $mscomctl and #rop>8 }

**SAMPLE HASHES**

Filename: %TEMP%\\svchost.exeMD5: af63f1dc3bb37e54209139bd7a3680b1 SHA1: 77ec5d22e64c17473290fb05ec5125b7a7e02828

**C&C SERVER AND** PROTOCOL

C&C Server: h ps://185.12.44.51 Port: 443\*NOTE: on port 80 the C&C host serves a webpage mimicking the content of “http://www.latamcl.com/” website GET request example: h ps://185.12.44.51/\[rannd\_alpa\_chars\].\[3charst\]?\[encodedpayload\] User-Agent string: “Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64;2\*Uuhgco}%7)1”

**C&C SSL CERTIFICATE** (self-signed)

Issuer: CN=\* O=My Company Ltd S=Berkshire C=NW NotBefore: 1/1/2013 3:33 AM NotAfter: 1/1/2014 3:33 AMPublic Key Length: 1024 bits Public Key: UnusedBits = 00000 30 81 89 02 81 81 00 dc 72 fc af 8f 51 de 2d 27 0010 3e de ad 21 ae 25 11 b6 b0 6e ce 6d 79 e4 d3 81 0020 4e 73 11 44 51 63 09 3b 1c e7 79 1f 85 82 94 c1 0030 e1 f1 83 b3 1c 6d 53 58 28 07 b5 80 86 30 51 2d 0040 78 c0 48 e8 b2 8d fb 84 e1 d1 59 ff d5 4e 1f 8f 0050 ff 60 44 56 6b 7b 4d 72 42 d6 da 6a 4c d4 6b 7d 0060 f1 68 4d 2c 62 58 53 e7 cd cc a1 a4 a2 7a 29 7d 0070 63 eb 42 30 af 24 eb 20 4c 86 f5 9e 6f 48 1c bd 0080 28 aa 47 13 4b cc 53 02 03 01 00 01Cert Hash(md5): f0 82 aa f8 16 0e 83 8c 20 d7 95 f0 9d d2 01 57 Cert Hash(sha1): df 72 40 fb 9b cd 53 12 eb a5 f9 c2 dd e7 a2 9a 1d c8 f3 55

**CRASH INDICATORS**

Faulting application name: WINWORD.EXE, version: 14.0.7113.5001, time stamp: 0x52866c04 Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000 Exception code: 0xc0000005 Fault offset: 0x40002??? Faulting process id: n/a Faulting application start time: n/a Faulting application path: C:\\Program Files\\Microsoft Office\\Office14\\WINWORD.EXE Faulting module path: unknown

**REGISTRY INDICATORS**

Registry key added: HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Windows Startup Helper=”%windir%\\system32\\wscript.exe %TEMP%\\\[malicious.vbs\]”Service name (possibly) created: “WindowsNetHelper”

\- Chengyun Chu and Elia Florio, MSRC Engineering

Security Advisory 2953095: recommendation to stay protected and for detections

Integer overflow in the rsCStrExtendBuf function in runtime/stringbuf.c in the imfile module in rsyslog 4.x before 4.6.6, 5.x before 5.7.4, and 6.x before 6.1.4 allows local users to cause a denial of service (daemon hang) via a large file, which triggers a heap-based buffer overflow.

CVE-2011-4623: rsyslog/ChangeLog at master · rsyslog/rsyslog

WEBrick 1.3.1 in Ruby 1.8.6 through patchlevel 383, 1.8.7 through patchlevel 248, 1.8.8dev, 1.9.1 through patchlevel 376, and 1.9.2dev writes data to a log file without sanitizing non-printable characters, which might allow remote attackers to modify a window's title, or possibly execute arbitrary commands or overwrite files, via an HTTP request containing an escape sequence for a terminal emulator.

Nginx, Varnish, Cherokee, thttpd, mini-httpd, WEBrick, Orion, AOLserver, Yaws and Boa log escape sequence injection Name Nginx, Varnish, Cherokee, thttpd, mini-httpd, WEBrick, Orion, AOLserver, Yaws and Boa log escape sequence injection Systems Affected nginx 0.7.64 Varnish 2.0.6 Cherokee 0.99.30 mini\_httpd 1.19 thttpd 2.25b0 WEBrick 1.3.1 Orion 2.0.7 AOLserver 4.5.1 Yaws 1.85 Boa 0.94.14rc21 Severity Medium Impact (CVSSv2) Medium 5/10, vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) Vendor http://www.nginx.net/ http://varnish.projects.linpro.no/ http://www.cherokee-project.com/ http://www.ruby-lang.org/ http://www.acme.com/software/thttpd/ http://www.acme.com/software/mini\_httpd/ http://www.orionserver.com/ http://www.aolserver.com/ http://yaws.hyber.org/ http://www.boa.org/ Advisory http://www.ush.it/team/ush/hack\_httpd\_escape/adv.txt Authors Giovanni "evilaliv3" Pellerano (evilaliv3 AT ush DOT it) Alessandro "jekil" Tanasi (alessandro AT tanasi DOT it) Francesco "ascii" Ongaro (ascii AT ush DOT it) Date 20100110 I. BACKGROUND nginx is a HTTP and reverse proxy server written by Igor Sysoev. Varnish is a state-of-the-art, high-performance HTTP accelerator. Cherokee is a very fast, flexible and easy to configure Web Server. thttpd is a simple, small, portable, fast, and secure HTTP server. mini\_httpd is a small HTTP server. WEBrick is a Ruby library providing simple HTTP web server services. Orion Application Server is a pure java application-server. AOLserver is America Online's Open-Source web server. Yaws is a HTTP high perfomance 1.1 webserver. Boa is a single-tasking HTTP server. II. DESCRIPTION Nginx, Varnish, Cherokee, thttpd, mini-httpd, WEBrick, Orion, AOLserver, Yaws and Boa are subject to logs escape sequence injection vulnerabilites. Escape sequences are special characters sequences that are used to instruct the terminal to perform special operations like executing commands \[4, 5\] or dumping the buffer to a file \[6, 7\]. When the webserver is executed in foreground in a pty or when the logfiles are viewed with tools like "cat" or "tail" such control chars reach the terminal and are executed. III. ANALYSIS Summary: A) "nginx" log escape sequence injection (Affected versions: 0.7.64 and probably earlier versions) B) "Varnish" log escape sequence injection (Affected versions: 2.0.6 and probably earlier versions) C) "Cherokee" log escape sequence injection (Affected versions: 0.99.30 and probably earlier versions) D) "thttpd" log escape sequence injection (Affected versions: thttpd/2.25b and probably earlier versions) E) "mini\_httpd" log escape sequence injection (Affected versions: 1.19 and probably earlier versions) F) "WEBrick" log escape sequence injection (Affected versions: 1.3.1 and probably earlier versions) G) "Orion" log escape sequence injection (Affected versions: 2.0.7 and probably earlier versions) H) "AOLserver" log escape sequence injection (Affected versions: 4.5.1 and probably earlier versions) I) "Yaws" log escape sequence injection (Affected versions: 1.85 and probably earlier versions) L) "Boa" log escape sequence injection (Affected versions: 0.94.14rc21 and probably earlier versions) A) "nginx" log escape sequence injection One of the following two Proofs Of Concept can be used in order to verify the vulnerability. curl -kis http://localhost/%1b%5d%32%3b%6f%77%6e%65%64%07%0a echo -en "GET /\\x1b\]2;owned?\\x07\\x0a\\x0d\\x0a\\x0d" > payload nc localhost 80 < payload B) "Varnish" log escape sequence injection One of the following two Proofs Of Concept can be used in order to verify the vulnerability. xterm varnishlog echo -en "GET /\\x1b\]2;owned?\\x07\\x0a\\x0d\\x0a\\x0d" > payload nc localhost 80 < payload C) "Cherokee" log escape sequence injection The following Proof Of Concept can be used in order to verify the vulnerability. curl -kis http://localhost/%1b%5d%32%3b%6f%77%6e%65%64%07%0a D) "thttpd" log escape sequence injection The following Proof Of Concept can be used in order to verify the vulnerability. echo -en "GET /\\x1b\]2;owned?\\x07\\x0a\\x0d\\x0a\\x0d" > payload nc localhost 80 < payload E) "mini\_httpd" log escape sequence injection One of the following two Proofs Of Concept can be used in order to verify the vulnerability. curl -kis http://localhost/%1b%5d%32%3b%6f%77%6e%65%64%07%0a echo -en "GET /\\x1b\]2;owned?\\x07\\x0a\\x0d\\x0a\\x0d" > payload nc localhost 80 < payload F) "WEBrick" log escape sequence injection One of the following two Proofs Of Concept can be used in order to verify the vulnerability. curl -kis http://localhost/%1b%5d%32%3b%6f%77%6e%65%64%07%0a echo -en "GET /\\x1b\]2;owned?\\x07\\x0a\\x0d\\x0a\\x0d" > payload nc localhost 80 < payload G) "Orion" log escape sequence injection One of the following two Proofs Of Concept can be used in order to verify the vulnerability. curl -kis http://localhost/%1b%5d%32%3b%6f%77%6e%65%64%07%0a echo -en "GET /\\x1b\]2;owned?\\x07\\x0a\\x0d\\x0a\\x0d" > payload nc localhost 80 < payload H) "AOLserver" log escape sequence injection The following Proof Of Concept can be used in order to verify the vulnerability. echo -en "GET /\\x1b\]2;owned?\\x07\\x0a\\x0d\\x0a\\x0d" > payload nc localhost 80 < payload I) "Yaws" log escape sequence injection One of the following two Proofs Of Concept can be used in order to verify the vulnerability. curl -kis http://localhost/%1b%5d%32%3b%6f%77%6e%65%64%07%0a echo -en "GET /\\x1b\]2;owned?\\x07\\x0a\\x0d\\x0a\\x0d" > payload nc localhost 80 < payload L) "Boa" log escape sequence injection The following Proof Of Concept can be used in order to verify the vulnerability. curl -kis http://localhost/%1b%5d%32%3b%6f%77%6e%65%64%07%0a IV. DETECTION Services like Shodan (shodan.surtri.com) or Google can be used to get an approximate idea on the usage of the products. Some examples: - http://shodan.surtri.com/?q=nginx - http://www.google.com/search?q="powered+by+Cherokee" - curl -kis http://www.antani.gov | grep -E "Server: Orion/2.0.8" V. WORKAROUND Cherokee and WEBrick (Ruby) released related security fixes and releases as detailed below. Cherokee issued a public patch that resolved the issue but caused some issues (http://svn.cherokee-project.com/changeset/3944) and has been later replaced (http://svn.cherokee-project.com/changeset/3977) by a better fix that both resolve the issue and doesn't affect the normal webserver behavior. Use the second patch or a safe release like 0.99.34 or above. If you are using Cherokee 0.99.32 please note that your build uses the first patch. Webrick (Ruby) sent us the following patch and issued a release that fixes the issues. Detailed informations are available at the following url: http://www.ruby-lang.org/en/news/2010/01/10/webrick-escape-sequence-injection The patch we reviewed is the following but please refer to the vendor's article for exact informations. --8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-- Index: lib/webrick/httpstatus.rb =================================================================== --- lib/webrick/httpstatus.rb (revision 26065) +++ lib/webrick/httpstatus.rb (working copy) @@ -13,5 +13,15 @@ module WEBrick module HTTPStatus - class Status < StandardError; end + class Status < StandardError + def initialize(message, \*rest) + super(AccessLog.escape(message), \*rest) + end + class << self + attr\_reader :code, :reason\_phrase + end + def code() self::class::code end + def reason\_phrase() self::class::reason\_phrase end + alias to\_i code + end class Info < Status; end class Success < Status; end @@ -69,4 +79,5 @@ module WEBrick StatusMessage.each{|code, message| + message.freeze var\_name = message.gsub(/\[ \\-\]/,'\_').upcase err\_name = message.gsub(/\[ \\-\]/,'') @@ -80,16 +91,10 @@ module WEBrick end - eval %- - RC\_#{var\_name} = #{code} - class #{err\_name} < #{parent} - def self.code() RC\_#{var\_name} end - def self.reason\_phrase() StatusMessage\[code\] end - def code() self::class::code end - def reason\_phrase() self::class::reason\_phrase end - alias to\_i code - end - - - - CodeToError\[code\] = const\_get(err\_name) + const\_set("RC\_#{var\_name}", code) + err\_class = Class.new(parent) + err\_class.instance\_variable\_set(:@code, code) + err\_class.instance\_variable\_set(:@reason\_phrase, message) + const\_set(err\_name, err\_class) + CodeToError\[code\] = err\_class } Index: lib/webrick/httprequest.rb =================================================================== --- lib/webrick/httprequest.rb (revision 26065) +++ lib/webrick/httprequest.rb (working copy) @@ -267,9 +267,5 @@ module WEBrick end end - begin - @header = HTTPUtils::parse\_header(@raw\_header.join) - rescue => ex - raise HTTPStatus::BadRequest, ex.message - end + @header = HTTPUtils::parse\_header(@raw\_header.join) end Index: lib/webrick/httputils.rb =================================================================== --- lib/webrick/httputils.rb (revision 26065) +++ lib/webrick/httputils.rb (working copy) @@ -130,9 +130,9 @@ module WEBrick value = $1 unless field - raise "bad header '#{line.inspect}'." + raise HTTPStatus::BadRequest, "bad header '#{line}'." end header\[field\]\[-1\] << " " << value else - raise "bad header '#{line.inspect}'." + raise HTTPStatus::BadRequest, "bad header '#{line}'." end } Index: lib/webrick/accesslog.rb =================================================================== --- lib/webrick/accesslog.rb (revision 26065) +++ lib/webrick/accesslog.rb (working copy) @@ -54,5 +54,5 @@ module WEBrick raise AccessLogError, "parameter is required for \\"#{spec}\\"" unless param - params\[spec\]\[param\] || "-" + param = params\[spec\]\[param\] ? escape(param) : "-" when ?t params\[spec\].strftime(param || CLF\_TIME\_FORMAT) @@ -60,8 +60,16 @@ module WEBrick "%" else - params\[spec\] + escape(params\[spec\].to\_s) end } end + + def escape(data) + if data.tainted? + data.gsub(/\[\[:cntrl:\]\\\\\]+/) {$&.dump\[1...-1\]}.untaint + else + data + end + end end end --8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-- VI. VENDOR RESPONSE We contacted the vendors of eleven affected webservers, counting the previous advisory \[1\] for Jetty. Three fixed the issue (Cherokee, WEBrick/Ruby and Jetty), one will not fix the issue (Varnish) and one acknowledged the issue (AOLserver). Nginx NO-RESPONSE Cherokee FIXED thttpd NO-RESPONSE mini-httpd NO-RESPONSE WEBrick FIXED Orion NO-RESPONSE AOLserver ACK Yaws NO-RESPONSE Boa NO-RESPONSE Varnish WONT-FIX The response was overall good and it was nice to work with them, in particular we want to thank Cherokee's staff, Ruby's staff, Raphael Geissert (Debian) and Steven M. Christey (Mitre) for the support. Poul-Henning Kamp (Varnish) replied to our contact email with the following email that we quote as-is. --8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-- The official Varnish response, which I ask that you include in its entirety in your advisory, if you list Varnish as "vulnerable" in it: This is not a security problem in Varnish or any other piece of software which writes a logfile. The real problem is the mistaken belief that you can cat(1) a random logfile to your terminal safely. This is not a new issue. I first remember the issue with xterm(1)'s inadvisably implemented escape-sequences in a root-context, brought up heatedly, in 1988, possibly late 1987, at Copenhagens University Computer Science dept. (Diku.dk). Since then, nothing much have changed. The wisdom of terminal-response-escapes in general have been questioned at regular intervals, but still none of the major terminal emulation programs have seen fit to discard these sequences, probably in a misguided attempt at compatibility with no longer used 1970'es technology. I admit that listing "found a security hole in all HTTP-related programs that write logfiles" will look more impressive on a resume, but I think it is misguided and a sign of trophy-hunting having overtaken common sense. Instead of blaming any and all programs which writes logfiles, it would be much more productive, from a security point of view, to get the terminal emulation programs to stop doing stupid things, and thus fix this and other security problems once and for all. --8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-- We would like to punctuate the following facts: 1) We totally agree that the root of the problem is an unwise design in the terminal emulators. If in 70' controls were sent out of band on a secondary channel we would not have the equivalent of Blue Boxing in the terminal. This is a known issue from years. We didn't invented this attack vector and never claimed so. We don't think that design changes will happen in the short or mid term so it's better to have a proactive approach and sanitize outputs where functionalities are likely to not be affected at all like in this case. Security in complex systems requires some synergy. 2) Varnish is the only program that doesn't need a "cat" program as logs are stored in memory and displayed using the "varnishlog" utility. 2) Apache fixed a similiar bug (CVE-2003-0020), "Low: Error log escape filtering", in 2004 (six years ago). The bug was affecting Apache up to 1.3.29 \[8\] or 2.0.48 \[9\] depending on the branch. Take you conclusion, criticize if you want. In the meantime things are a little safer. VII. CVE INFORMATION CVE-2009-4487 nginx 0.7.64 CVE-2009-4488 Varnish 2.0.6 CVE-2009-4489 Cherokee 0.99.30 CVE-2009-4490 mini\_httpd 1.19 CVE-2009-4491 thttpd 2.25b0 CVE-2009-4492 WEBrick 1.3.1 CVE-2009-4493 Orion 2.0.7 CVE-2009-4494 AOLserver 4.5.1 CVE-2009-4495 Yaws 1.85 CVE-2009-4496 Boa 0.94.14rc21 VIII. DISCLOSURE TIMELINE 20091117 Bug discovered 20091208 First vendor contact 20091209 Cherokee team confirms vulnerability (Alvaro Lopez Ortega) 20091209 Alvaro Lopez Ortega commits Cherokee patch 20091210 Ruby team confirms vulnerability (Shugo Maeda) 20091211 Shugo Maeda sends us webrick patch for evaulation 20091211 AOLserver confirms vulnerability (Jim Davidson) 20091221 Contacted Raphael Geissert (Debian Security) 20091223 Contacted Steven M. Christey (mitre.org) 20091230 Raphael Geissert forwards to Redhat, Debian, Ubuntu and Mitre 20091230 CVEs assigned by Steven M. Christey 20100105 Poul-Henning (Varnish) Kamp said WONT-FIX 20100105 Ruby team is ready for commit (Urabe Shyouhei) 20100106 Second vendor contact 20100110 Advisory release IX. REFERENCES \[1\] Jetty 6.x and 7.x Multiple Vulnerabilities http://www.ush.it/team/ush/hack-jetty6x7x/jetty-adv.txt \[2\] Apache does not filter terminal escape sequences from error logs http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0020 \[3\] Apache does not filter terminal escape sequences from access logs http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0083 \[4\] Debian GNU/Linux XTERM (DECRQSS/comments) Weakness Vulnerability http://www.milw0rm.com/exploits/7681 \[5\] Terminal Emulator Security Issues http://marc.info/?l=bugtraq&m=104612710031920&w=2 \[6\] Eterm Screen Dump Escape Sequence Local File Corruption Vulnerability http://www.securityfocus.com/bid/6936/discuss \[7\] RXVT Screen Dump Escape Sequence Local File Corruption Vulnerability http://www.securityfocus.com/bid/6938/discuss \[8\] Apache httpd 1.3 vulnerabilities http://httpd.apache.org/security/vulnerabilities\_13.html \[9\] Apache httpd 2.2 vulnerabilities http://httpd.apache.org/security/vulnerabilities\_22.html X. CREDIT Giovanni "evilaliv3" Pellerano, Alessandro "jekil" Tanasi and Francesco "ascii" Ongaro are credited with the discovery of this vulnerability. Giovanni "evilaliv3" Pellerano web site: http://www.ush.it/, http://www.evilaliv3.org/ mail: evilaliv3 AT ush DOT it Alessandro "jekil" Tanasi web site: http://www.tanasi.it/ mail: alessandro AT tanasi DOT it Francesco "ascii" Ongaro web site: http://www.ush.it/ mail: ascii AT ush DOT it X. LEGAL NOTICES Copyright (c) 2009 Francesco "ascii" Ongaro Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without mine express written consent. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email me for permission. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

CVE-2009-4492

flex.skl in Will Estes and John Millaway Fast Lexical Analyzer Generator (flex) before 2.5.33 does not allocate enough memory for grammars containing (1) REJECT statements or (2) trailing context rules, which causes flex to generate code that contains a buffer overflow that might allow context-dependent attackers to execute arbitrary code.

This is flex, the fast lexical analyzer generator.

flex is a tool for generating scanners: programs which recognize
lexical patterns in text.

More information about flex as well as the latest official release of
flex can be found at:

http://flex.sourceforge.net/

Bug reports should be submitted using the SourceForge Bug Tracker
facilities which can be found from flex's SourceForge project page at:

http://sourceforge.net/projects/flex

There are several mailing lists available as well:

flex-announce@lists.sourceforge.net - where posts will be made
announcing new releases of flex.

flex-help@lists.sourceforge.net - where you can post questions about
using flex

flex-devel@lists.sourceforge.net - where you can discuss development of
flex itself

Note that flex is distributed under a copyright very similar to that of
BSD Unix, and not under the GNU General Public License (GPL).

This file is part of flex.

This code is derived from software contributed to Berkeley by
Vern Paxson.

The United States Government has rights in this work pursuant
to contract no. DE-AC03-76SF00098 between the United States
Department of Energy and the University of California.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:

1. Redistributions of source code must retain the above copyright
   notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
   notice, this list of conditions and the following disclaimer in the
   documentation and/or other materials provided with the distribution.

Neither the name of the University nor the names of its contributors
may be used to endorse or promote products derived from this software
without specific prior written permission.

THIS SOFTWARE IS PROVIDED \`\`AS IS'' AND WITHOUT ANY EXPRESS OR
IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE.

The flex distribution contains the following files which may be of interest:

README - This file.

NEWS - current version number and list of user-visible changes.

INSTALL - basic installation information.

ABOUT-NLS - description of internationalization support in flex.

COPYING - flex's copyright and license.

doc/ - user documentation.

examples/ - containing examples of some possible flex scanners and a
few other things. See the file examples/README for more details.

TODO - outstanding bug reports, desired features, etc.

tests/ - regression tests. See TESTS/README for details.

po/ - internationalization support files.

Tag

#redis