Follow-up to the December post, which covered an integer overflow in the CoreGraphics PDF parser's JBIG2 image decoder that was built into a weird machine (a mini architecture) to execute code. This post covers the sandbox escape that was chained with it, which, unlike the first bug, is a logic issue rather than a memory corruption.
An out-of-bounds access bug in the open-source netatalk implementation of the Apple Filing Protocol (AFP) that could be exploited on the WD PR4100 NAS for pre-auth RCE. The bug happens when parsing resource fork file headers, which can be reached through the `afp_openfork` handler over AFP or SMB without authentication...
The vulnerability here is a fairly straightforward overflow in the esp6 crypto module. When receiving messages, an 8-page buffer is allocated for the incoming data, but it's possible to send messages that exceed 8 pages in size...
Two issues: the first is simply that the update check made an HTTPS request without validating the certificate, giving a man-in-the-middle attacker a foothold; the second is that, when parsing the downloaded file, a checksum is copied from the file into a fixed-size stack buffer. Since the attacker controls the response file, they can overflow that stack buffer.
Cool trick impacting PHP's `filter_var` that is actually a bit of a binary-level issue: if you provide a long enough string as the argument to `filter_var`, eventually some of the code behind `FILTER_VALIDATE_DOMAIN` with `FILTER_FLAG_HOSTNAME` will mistakenly believe the size is much smaller than it actually is (negative).
Two logic bugs that cause memory corruption in the handling of TLS packets, due to unhandled error / return values when using the nanoSSL library, plus a higher-level design flaw in the firmware update system.
We have [previously](https://dayzerosec.com/vulns/2022/03/02/linux-kernel-heap-out-of-bounds-write-in-nfdupnetdevc-since-54.html) covered this bug: it's an out-of-bounds access due to a broken assumption that every `dup` command has an associated immediate. When that assumption is violated by manually crafting netfilter rules, the `nft_fwd_dup_netdev_offload` function performs an out-of-bounds access as it increments too far.
Out-of-bounds read in Chrome's PDFium engine in the `RequestThumbnail()` method. The `page_index` parameter is used to index into a vector of pages to call that page's `RequestThumbnail()` callback, but `page_index` isn't validated in production builds...
We have [previously discussed](https://dayzerosec.com/vulns/2021/09/29/iouring-vulnerability-resulting-in-freeing-wrong-kernel-buffer.html) this vulnerability, which provides a primitive to free adjacent memory.
The vulnerability here is just a straightforward case of reading a size from the attacker and using it in a `memcpy` into a fixed-size destination buffer on the stack.
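The same attacker-controlled-length copy underlies the checksum-into-stack-buffer case in the update-file entry above. As an added example (not code from either project), here is the pattern in C: a hypothetical record format with a 2-byte big-endian length prefix, the trusting copy beside a bounds-checked one, and a caller that keeps the fixed-size stack buffer but goes through the checked parser. The record layout, function names and sample messages are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical wire record: 2-byte big-endian length, then that many payload
 * bytes (a checksum, a key blob, ...). Not a real protocol. */
#define PAYLOAD_MAX 32

/* Vulnerable shape: the length is read from the message and trusted. A length
 * above PAYLOAD_MAX overwrites whatever sits after `buf` on the stack (saved
 * registers, return address). Kept for comparison only; never call it on
 * untrusted input. */
size_t parse_record_unsafe(const uint8_t *msg, size_t msg_len)
{
    uint8_t buf[PAYLOAD_MAX];
    if (msg_len < 2)
        return 0;
    size_t len = ((size_t)msg[0] << 8) | msg[1];
    memcpy(buf, msg + 2, len);   /* no comparison against sizeof buf or msg_len */
    return len;
}

/* Hardened form: the destination bound and the source bound are both checked
 * before the copy, and the copy is exactly the validated length.
 * Returns the payload length, or 0 when the record is rejected. */
size_t parse_record_safe(const uint8_t *msg, size_t msg_len,
                         uint8_t *out, size_t out_cap)
{
    if (msg_len < 2)
        return 0;
    size_t len = ((size_t)msg[0] << 8) | msg[1];
    if (len > out_cap)           /* would overflow the destination */
        return 0;
    if (len > msg_len - 2)       /* claims more payload than was received */
        return 0;
    memcpy(out, msg + 2, len);
    return len;
}

/* Caller that still uses a fixed-size stack buffer, as in the write-up, but
 * hands its capacity to the parser instead of trusting the wire length. */
bool record_payload_equals(const uint8_t *msg, size_t msg_len, const char *expect)
{
    uint8_t buf[PAYLOAD_MAX];
    size_t n = parse_record_safe(msg, msg_len, buf, sizeof buf);
    return n != 0 && n == strlen(expect) && memcmp(buf, expect, n) == 0;
}

/* Constructed sample messages. */
static const uint8_t GOOD_MSG[]     = { 0x00, 0x04, 'a', 'b', 'c', 'd' };
/* Claims 0xFFFF bytes but carries four: the unsafe parser would copy 64 KiB
 * into a 32-byte stack buffer. */
static const uint8_t OVERLONG_MSG[] = { 0xFF, 0xFF, 'a', 'b', 'c', 'd' };
```

The two checks in `parse_record_safe` are independent: the first protects the stack buffer, the second prevents reading past the end of the received message, which is the over-read half of the same bug class.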
The core problem is an integer truncation due to a difference in the size of the `long` primitive type between Windows and Linux systems. On Linux and BSD systems, `sizeof(long)` returns 8, but on Windows (including 64-bit Windows) this value is 4...
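An added illustration (not PHP's code and not the Windows project's code) of the two length mis-sizings described here and in the `filter_var` entry above: a 64-bit size narrowed into a 32-bit `long` and into a signed `int`, the check that refuses such sizes, and a hypothetical hostname-byte validator showing why a negative length makes code "believe" the input is tiny. `win_long` is a stand-in for the Windows 32-bit `long` so the behaviour reproduces on a 64-bit Linux host; all function names are illustrative.

```c
#include <stdbool.h>
#include <stdint.h>
#include <limits.h>

/* Stand-in for a Windows `long` (32 bits even on x64) so the truncation
 * reproduces on any host; on Linux/BSD `long` itself is 64 bits wide. */
typedef int32_t win_long;

/* What `long len = n;` does on Windows: the high 32 bits are simply dropped. */
win_long narrow_to_win_long(uint64_t n)
{
    return (win_long)n;   /* modular wrap on GCC, Clang and MSVC */
}

/* The same narrowing into a plain `int`: sizes >= 2^31 come back negative. */
int narrow_to_int(uint64_t n)
{
    return (int)n;
}

/* Hardened form: refuse any length that does not fit the signed destination
 * instead of letting it wrap. */
bool size_to_win_long_checked(uint64_t n, win_long *out)
{
    if (n > (uint64_t)INT32_MAX)
        return false;
    *out = (win_long)n;
    return true;
}

/* Hypothetical hostname-style check that walks `len` bytes and reports any
 * byte outside [A-Za-z0-9.-]. Once `len` has gone negative the loop body never
 * executes, so every input "passes": the code treats the string as if it were
 * smaller than empty. */
bool has_invalid_hostname_byte(const char *s, int len)
{
    for (int i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        bool ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                  (c >= '0' && c <= '9') || c == '.' || c == '-';
        if (!ok)
            return true;
    }
    return false;
}
```

The checked conversion is the whole fix for the truncation class: compare against the destination's maximum before the cast, rather than after it, when the information is already gone.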
This is one of those cases where assumptions about state are made that can be violated. In `nft_fwd_dup_netdev_offload`, when offloading a `dup` or `fwd` rule to hardware, the `num_actions` value is used to index the `actions` array and then incremented...
Off-by-one issue in computing the `bits_required` value. This computation was performed with a while loop, right-shifting the value by 1 until it is zero; the number of shifts is the number of bits needed.
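As an added example (not the project's own loop), the shift-count computation in C with the correct form beside one common way the off-by-one arises, plus the fit check that catches a width that is one bit short. Function names are illustrative, and the buggy variant is shown as a plausible shape of the mistake, not as the exact code that was fixed.

```c
#include <stdint.h>

/* Correct: shift until the value is zero; the number of shifts is the number
 * of bits needed. 0 -> 0, 1 -> 1, 255 -> 8, 256 -> 9. */
unsigned bits_required(uint64_t v)
{
    unsigned bits = 0;
    while (v != 0) {
        v >>= 1;
        bits++;
    }
    return bits;
}

/* One way the off-by-one arises: shifting inside the loop condition, so the
 * shift that takes the value to zero is never counted. The result is
 * floor(log2(v)), one short for every non-zero input (255 -> 7, 256 -> 8). */
unsigned bits_required_off_by_one(uint64_t v)
{
    unsigned bits = 0;
    while ((v >>= 1) != 0)
        bits++;
    return bits;
}

/* Largest value representable in `bits` bits. */
uint64_t max_value_for_bits(unsigned bits)
{
    if (bits == 0)
        return 0;
    if (bits >= 64)
        return UINT64_MAX;
    return (UINT64_C(1) << bits) - 1;
}

/* Sanity check a consumer can apply to whatever width it was handed. With the
 * off-by-one width this fails for every non-zero v, which is where a table,
 * buffer or bit-reader sized from it ends up one bit (or one entry) short. */
int fits_in_bits(uint64_t v, unsigned bits)
{
    return v <= max_value_for_bits(bits);
}

/* Loop-free cross-check using the GCC/Clang builtin; handy as an assertion
 * against a hand-rolled loop. */
unsigned bits_required_clz(uint64_t v)
{
    return v == 0 ? 0 : 64u - (unsigned)__builtin_clzll(v);
}
```

The zero case is where the two loops agree and where a test suite that only checks `bits_required(0)` and powers of two minus one misses the bug; the assertion worth keeping is `fits_in_bits(v, bits_required(v))` for arbitrary `v`.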