Vulnerabilities (Page 35)

[Netgear R6700v3] Scanf into Fixed-Size Buffer

Two issues. The first is simply that the update check makes an HTTPS request but does not validate the certificate, which gives a man-in-the-middle some attack surface. The second is that, when parsing the downloaded file, a checksum is copied from the file into a fixed-size stack buffer. As an attacker can control the response file, they can overflow the stack buffer.


Unsigned to Signed Conversion Leading to filter_var Bypass

Cool trick impacting PHP's filter_var, which is actually a bit of a binary-level issue: if you provide a long enough string as the argument to filter_var, eventually some code (for FILTER_VALIDATE_DOMAIN and FILTER_FLAG_HOSTNAME) will mistakenly believe the size is much smaller than it actually is (negative).


[GitLab] Arbitrary file read via the bulk imports UploadsPipeline

The bulk import API, when importing a group that had any uploads, would download uploads.tar.gz and extract it, including any symlinks it contained. When the extracted files are later listed, viewing any of the symlinked files results in the symlink being followed and arbitrary files being read from outside the upload directory.


An Odd Authentication Bypass

I'm not even too sure why this one works, but basically changing the JSON object sent in results in being able to log in as (presumably) arbitrary accounts.