30 matches found

Hacker One
added 2023/03/15 1:18 a.m., 253 views

Internet Bug Bounty: UAF in OpenSSL up to 3.0.7

A use-after-free vulnerability was found in OpenSSL up to version 3.0.7 following BIO_new_NDEF calls. This could result in a crash when the BIO_pop function is called after BIO_new_NDEF fails and improperly cleans up the BIO chain. The vulnerability impacts the public API functions...

CVSS 7.5, AI score 7.8, EPSS 0.04494
Exploits: 0

Huntr
added 2022/04/21 3:37 p.m., 28 views

heap-use-after-free

Description Whilst experimenting with radare2, built from version 5.6.8, we are able to induce a vulnerability at newrbtree.c:411 in function rrbnodenext , using radare2 as a harness. 409: RAPI RRBNode rrbnodenextRRBNode node 410: rreturnvaliffail node, NULL; //use-after-free here 411: if...

CVSS 4.3, AI score 5.6, EPSS 0.00771
Exploits: 1

Huntr
added 2022/03/23 6:22 a.m., 37 views

Heap Buffer Overflow in parseDragons

Description heap buffer overflow in parseDragons function. ASAN report: ================================================================= ==2541037==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000065578 at pc 0x7f45488bde0d bp 0x7ffc08551b50 sp 0x7ffc085512f8 READ of size 4 at...

CVSS 5, AI score 7.7, EPSS 0.00944
Exploits: 1, References: 1

Huntr
added 2022/03/22 9:46 a.m., 17 views

Heap Buffer Overflow in iterate_chained_fixups

Description heap buffer overflow in iterate_chained_fixups function. ASAN report: ================================================================= ==2540511==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000065710 at pc 0x7f5b64ccb878 bp 0x7ffeab141380 sp 0x7ffeab141370 READ of siz...

CVSS 2.1, AI score 6.1, EPSS 0.00414
Exploits: 1, References: 1

Huntr
added 2022/03/18 8:23 a.m., 17 views

Use After Free in op_is_set_bp

Description Heap use after free in op_is_set_bp function. ASAN report: ================================================================= ==2367298==ERROR: AddressSanitizer: heap-use-after-free on address 0x6060000481a0 at pc 0x7f580c10da41 bp 0x7ffd53a17ed0 sp 0x7ffd53a17ec0 READ of size 8 at...

CVSS 6.8, AI score 7.6, EPSS 0.00978
Exploits: 1, References: 1

Huntr
added 2022/03/03 7:29 a.m., 16 views

Use After Free in r_reg_get_name_idx

Description heap use after free in r_reg_get_name_idx. ASAN report: ================================================================= ==1710816==ERROR: AddressSanitizer: heap-use-after-free on address 0x6020001dff50 at pc 0x7fa7c085d87c bp 0x7ffc21731ac0 sp 0x7ffc21731ab0 READ of size 1 at...

CVSS 4.3, AI score 0.3, EPSS 0.0065
Exploits: 1, References: 1

Huntr
added 2021/10/18 12:19 p.m., 10 views

Heap-based Buffer Overflow in hoene/libmysofa

Description system : ubuntu 20.04 build command cd libmysofa mkdir build cd build CC=clang CXX=clang++ CFLAGS="-fsanitize=address -g" CXXFLAGS="-fsanitize=address -g" cmake ../ make all Proof of Concept https://drive.google.com/file/d/1JbQAECcj5-SDRZVUsRWiaBgJQZ0nMiK/view?usp=sharing repro...

AI score 0.6
Exploits: 0

Huntr
added 2021/10/13 2:30 p.m., 11 views

Heap-based Buffer Overflow in hoene/libmysofa

Description system : ubuntu 20.04 build command cd libmysofa mkdir build cd build CC=clang CXX=clang++ CFLAGS="-fsanitize=address -g" CXXFLAGS="-fsanitize=address -g" cmake ../ make all repro ./mysofa2json -c ./libmyfofamysofacheck Proof of Concept...

AI score 0.2
Exploits: 0

Hacker One
added 2018/07/20 7:20 a.m., 66 views

Internet Bug Bounty: Int Overflow lead to Heap OverFlow in exif_thumbnail_extract of exif.c

This bug was reported to PHP last month and a fix was public last week: https://bugs.php.net/bug.php?id=76423 Heap OverFlow in exif_thumbnail_extract of exif.c This vulnerability can be triggered by exif_read_data in any 32-bit system. exif.c:2947: if ImageInfo-Thumbnail.offset +...

CVSS 5, AI score 8.2, EPSS 0.08737
Exploits: 1

Hacker One
added 2017/12/05 3:30 a.m., 17 views

shopify-scripts: heap-use-after-free in OP_RESCUE

The following input demonstrates a crash: def e proc ensure z rescue yield end e Class def x new Class 0 ensure 0 = 00end rescue 0 rescue z ASAN report ./mruby/bin/mruby out.rb ================================================================= ==10040==ERROR: AddressSanitizer: heap-use-after-free ...

AI score 6.9
Exploits: 0

Hacker One
added 2017/06/22 2:38 p.m., 47 views

shopify-scripts: Null pointer dereference with send/method_missing

The following program triggers a null pointer dereference with mruby b200c747: ruby def methodmissingm ensure begin A rescue break rescue end end send '' ASAN report: text ASAN:DEADLYSIGNAL ================================================================= ==12116==ERROR: AddressSanitizer: SEGV on...

AI score 1.8
Exploits: 0

0day.today
added 2017/06/20 12:0 a.m., 58 views

GNU binutils - aarch64_ext_ldst_reglist Buffer Overflow Exploit

Exploit for linux platform in category dos / poc Source: https://sourceware.org/bugzilla/show_bug.cgi?id=21595 I have been fuzzing objdump with American Fuzzy Lop and AddressSanitizer. Please find attached the minimized file causing the issue "Input" and the ASAN report log "Output". Below is the...

CVSS 6.8, AI score 8.8, EPSS 0.08075
Exploits: 1

Exploit DB
added 2017/06/19 12:0 a.m., 46 views

GNU binutils - 'rx_decode_opcode' Buffer Overflow

Source: https://sourceware.org/bugzilla/show_bug.cgi?id=21587 I have been fuzzing objdump with American Fuzzy Lop and AddressSanitizer. Please find attached the minimized file causing the issue "Input" and the ASAN report log "Output". Below is the reduced stacktrace with links to the correspondin...

AI score 7.4
Exploits: 0

Exploit DB
added 2017/06/19 12:0 a.m., 27 views

GNU binutils - 'disassemble_bytes' Heap Overflow

Source: https://sourceware.org/bugzilla/show_bug.cgi?id=21580 I have been fuzzing objdump with American Fuzzy Lop and AddressSanitizer. Please find attached the minimized file causing the issue "Input" and the ASAN report log "Output". Below is the reduced stacktrace with links to the correspondin...

AI score 7.4
Exploits: 0

Exploit DB
added 2017/06/19 12:0 a.m., 33 views

GNU binutils - 'ieee_object_p' Stack Buffer Overflow

Source: https://sourceware.org/bugzilla/show_bug.cgi?id=21582 I have been fuzzing objdump with American Fuzzy Lop and AddressSanitizer. Please find attached the minimized file causing the issue "Input" and the ASAN report log "Output". Below is the reduced stacktrace with links to the correspondin...

AI score 7.4
Exploits: 0

Exploit DB
added 2017/06/19 12:0 a.m., 72 views

GNU binutils - 'bfd_get_string' Stack Buffer Overflow

Source: https://sourceware.org/bugzilla/show_bug.cgi?id=21581 I have been fuzzing objdump with American Fuzzy Lop and AddressSanitizer. Please find attached the minimized file causing the issue "Input" and the ASAN report log "Output". Below is the reduced stacktrace with links to the correspondin...

AI score 7.4
Exploits: 0

0day.today
added 2017/06/19 12:0 a.m., 51 views

GNU binutils - rx_decode_opcode Buffer Overflow Exploit

Exploit for linux platform in category dos / poc Source: https://sourceware.org/bugzilla/show_bug.cgi?id=21587 I have been fuzzing objdump with American Fuzzy Lop and AddressSanitizer. Please find attached the minimized file causing the issue "Input" and the ASAN report log "Output". Below is the...

CVSS 6.8, AI score 6.6, EPSS 0.08111
Exploits: 1

exploitpack
added 2017/06/19 12:0 a.m., 14 views

GNU binutils - ieee_object_p Stack Buffer Overflow

GNU binutils - ieee_object_p Stack Buffer Overflow Source: https://sourceware.org/bugzilla/show_bug.cgi?id=21582 I have been fuzzing objdump with American Fuzzy Lop and AddressSanitizer. Please find attached the minimized file causing the issue "Input" and the ASAN report log "Output". Below is the...

AI score 0.2
Exploits: 0

exploitpack
added 2017/06/19 12:0 a.m., 26 views

GNU binutils - print_insn_score16 Buffer Overflow

GNU binutils - print_insn_score16 Buffer Overflow Source: https://sourceware.org/bugzilla/show_bug.cgi?id=21576 I have been fuzzing objdump with American Fuzzy Lop and AddressSanitizer. Please find attached the minimized file causing the issue "Input" and the ASAN report log "Output". Below is the...

AI score 7.4
Exploits: 0

exploitpack
added 2017/06/19 12:0 a.m., 13 views

GNU binutils - disassemble_bytes Heap Overflow

GNU binutils - disassemble_bytes Heap Overflow Source: https://sourceware.org/bugzilla/show_bug.cgi?id=21580 I have been fuzzing objdump with American Fuzzy Lop and AddressSanitizer. Please find attached the minimized file causing the issue "Input" and the ASAN report log "Output". Below is the...

AI score 7.4
Exploits: 0