[FD] ODR violation in Redis Raft

2024-01-17 Thread Meng Ruijie
[Suggested description]
Redis raft master-1b8bd86 to master-7b46079 was discovered to contain an ODR 
violation via the component hiredisAllocFns at 
/opt/fs/redisraft/deps/hiredis/alloc.c.

[VulnerabilityType Other]
AddressSanitizer: odr-violation

[Vendor of Product]
Redis

[Affected Product Code Base]
raft - master-1b8bd86 to master-7b46079

[Affected Component]
affected executable

[Attack Type]
Remote

[Impact Code execution]
true

[Impact Denial of Service]
true

[Attack Vectors]
run redis with redisraft

[Reference]
https://github.com/RedisLabs/redisraft/issues/600

[Has vendor confirmed or acknowledged the vulnerability?]
true

[Discoverer]
jerrytesting
___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/


[FD] Incorrect handshake in TinyDTLS

2024-01-17 Thread Meng Ruijie
About CVE-2021-42141:

[Suggested description]
An issue was discovered in Contiki-NG tinyDTLS through 2018-08-30. One 
incorrect handshake could complete with different epoch numbers in the packets 
Client_Hello, Client_key_exchange, and Change_cipher_spec, which may cause 
denial of service.

[VulnerabilityType Other]
Improper Handling of exception conditions

[Vendor of Product]
https://github.com/contiki-ng/tinydtls

[Affected Product Code Base]
contiki-ng tinydtls - master branch 53a0d97

[Affected Component]
the service of dtls servers

[Attack Type]
Remote

[Impact Code execution]
true

[Impact Denial of Service]
true

[Impact Information Disclosure]
true

[Reference]
https://github.com/contiki-ng/tinydtls/issues/27

[Discoverer]
jerrytesting


[FD] Mishandle epoch number in TinyDTLS servers

2024-01-17 Thread Meng Ruijie
About CVE-2021-42142:

[Suggested description]
An issue was discovered in Contiki-NG tinyDTLS through 2018-08-30. DTLS servers 
mishandle the early use of a large epoch number. This vulnerability allows 
remote attackers to cause a denial of service and false-positive packet drops.

[VulnerabilityType Other]
Improper Handling of exception conditions

[Vendor of Product]
https://github.com/contiki-ng/tinydtls

[Affected Product Code Base]
contiki-ng tinydtls - master branch 53a0d97

[Affected Component]
the service of dtls servers

[Attack Type]
Remote

[Impact Code execution]
true

[Impact Denial of Service]
true

[Impact Information Disclosure]
true

[Reference]
https://github.com/contiki-ng/tinydtls/issues/24

[Discoverer]
jerrytesting




[FD] Infinite loop leading to buffer overflow in TinyDTLS

2024-01-17 Thread Meng Ruijie
[Suggested description]
An issue was discovered in Contiki-NG tinyDTLS through 2018-08-30. An infinite 
loop bug exists during the handling of a ClientHello handshake message. This 
bug allows remote attackers to cause a denial of service by sending a malformed 
ClientHello handshake message with an odd length of cipher suites, which 
triggers an infinite loop (consuming all resources) and a buffer over-read that 
can disclose sensitive information.

[VulnerabilityType Other]
infinite loop

[Vendor of Product]
https://github.com/contiki-ng/tinydtls

[Affected Product Code Base]
contiki-ng tinydtls - master branch 53a0d97

[Affected Component]
the service of dtls servers

[Attack Type]
Remote

[Impact Code execution]
true

[Impact Denial of Service]
true

[Reference]
https://github.com/contiki-ng/tinydtls/issues/22

[Discoverer]
jerrytesting

[CVE Reference]
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned 
the name CVE-2021-42143 to this vulnerability.




[FD] Buffer over-read in TinyDTLS

2024-01-17 Thread Meng Ruijie
[Suggested description]
An issue was discovered in Contiki-NG tinyDTLS through 2018-08-30. Incorrect 
handling of over-large packets in dtls_ccm_decrypt_message() causes a buffer 
over-read that can expose sensitive information.

[Vulnerability Type]
Buffer Overflow

[Vendor of Product]
https://github.com/contiki-ng/tinydtls

[Affected Product Code Base]
contiki-ng tinydtls - master branch 53a0d97

[Affected Component]
the service of dtls servers

[Attack Type]
Remote

[Impact Code execution]
true

[Impact Denial of Service]
true

[Reference]
https://github.com/contiki-ng/tinydtls/issues/23

[Discoverer]
jerrytesting

[CVE Reference]
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned 
the name CVE-2021-42144 to this vulnerability.


[FD] Assertion failure in check_certificate_request() of TinyDTLS

2024-01-17 Thread Meng Ruijie
[Suggested description]
An issue was discovered in Contiki-NG tinyDTLS through 2018-08-30. An assertion 
failure in check_certificate_request() causes the server to exit unexpectedly 
(a denial of service).

[VulnerabilityType Other]
Improper Handling of exception conditions

[Vendor of Product]
https://github.com/contiki-ng/tinydtls

[Affected Product Code Base]
contiki-ng tinydtls - master branch 53a0d97

[Affected Component]
the service of dtls servers

[Attack Type]
Remote

[Impact Code execution]
true

[Impact Denial of Service]
true

[Impact Information Disclosure]
true

[Reference]
https://github.com/contiki-ng/tinydtls/issues/26

[Discoverer]
jerrytesting

[CVE Reference]
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned 
the name CVE-2021-42145 to this vulnerability.


[FD] Misuse of the same epoch number within TCP lifetime in TinyDTLS

2024-01-17 Thread Meng Ruijie
[Suggested description]
An issue was discovered in Contiki-NG tinyDTLS through 2018-08-30. DTLS servers 
allow remote attackers to reuse the same epoch number within two times the TCP 
maximum segment lifetime, which is prohibited by RFC 6347. This vulnerability 
allows remote attackers to obtain sensitive application data (of connected 
clients).

[VulnerabilityType Other]
Improper Handling of exception conditions

[Vendor of Product]
https://github.com/contiki-ng/tinydtls

[Affected Product Code Base]
contiki-ng tinydtls - master branch 53a0d97

[Affected Component]
the service of dtls servers

[Attack Type]
Remote

[Impact Code execution]
true

[Impact Information Disclosure]
true

[Reference]
https://github.com/contiki-ng/tinydtls/issues/25

[Discoverer]
jerrytesting

[CVE Reference]
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned 
the name CVE-2021-42146 to this vulnerability.
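Three of the TinyDTLS advisories above concern the record-layer epoch (CVE-2021-42141, CVE-2021-42142 and CVE-2021-42146) and a fourth, CVE-2021-42144, an over-large packet reaching the decryption routine. The C below is an added example, not tinydtls code, of the receive-side checks a DTLS 1.2 record layer needs for those cases: a record header parser that refuses a length field larger than the datagram, acceptance of the current epoch only (the next epoch is queued solely while a ChangeCipherSpec is pending), an epoch counter that only moves forward, and the anti-replay window of RFC 6347 section 4.1.2.6. The function names, the 64-record window and the constructed records in the demo are assumptions of the example.

```c
/* Added example, not tinydtls code: receive-side epoch handling and the anti-replay window of a
 * DTLS 1.2 record layer (RFC 6347 sections 4.1 and 4.1.2.6). Names are ours, not the library's. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define DTLS_RH_LEN 13
#define DTLS_MAX_FRAGMENT 16384u        /* 2^14 byte plaintext cap */

typedef struct { uint8_t type; uint16_t version, epoch, length; uint64_t seq; } dtls_record_hdr;

typedef struct {
    uint16_t epoch;        /* current read epoch */
    int      ccs_pending;  /* a verified ChangeCipherSpec is about to move us to epoch + 1 */
    uint64_t window_top;   /* highest sequence number accepted in this epoch */
    uint64_t window_bits;  /* bit i set: window_top - i has already been seen */
} dtls_rx_state;

enum { RX_ACCEPT, RX_QUEUE_NEXT_EPOCH, RX_DROP_EPOCH, RX_DROP_REPLAY, RX_DROP_MALFORMED };

/* Parses the 13-byte record header; -1 if it is truncated or the declared length does not fit
 * in the datagram, so no later stage (MAC check, decryption, hashing) can read past the packet. */
int dtls_parse_record_hdr(const uint8_t *buf, size_t len, dtls_record_hdr *h) {
    if (len < DTLS_RH_LEN) return -1;
    h->type = buf[0];
    h->version = (uint16_t)(buf[1] << 8 | buf[2]);
    h->epoch = (uint16_t)(buf[3] << 8 | buf[4]);
    h->seq = 0;
    for (int i = 0; i < 6; i++) h->seq = h->seq << 8 | buf[5 + i];
    h->length = (uint16_t)(buf[11] << 8 | buf[12]);
    if (h->length > DTLS_MAX_FRAGMENT || h->length > len - DTLS_RH_LEN) return -1;
    return 0;
}

/* Classifies one record against the current read state. Only the current epoch is processed;
 * epoch + 1 is queued solely while a ChangeCipherSpec is pending (a Finished can arrive before
 * the CCS is applied); any other epoch, stale or far ahead, is dropped. */
int dtls_rx_check(dtls_rx_state *st, const uint8_t *buf, size_t len) {
    dtls_record_hdr h;
    if (dtls_parse_record_hdr(buf, len, &h) != 0) return RX_DROP_MALFORMED;
    if (h.epoch == st->epoch + 1u && st->ccs_pending) return RX_QUEUE_NEXT_EPOCH;
    if (h.epoch != st->epoch) return RX_DROP_EPOCH;
    if (h.seq > st->window_top) {             /* newer than anything seen: slide the window */
        uint64_t shift = h.seq - st->window_top;
        st->window_bits = shift >= 64 ? 0 : st->window_bits << shift;
        st->window_bits |= 1;
        st->window_top = h.seq;
        return RX_ACCEPT;
    }
    uint64_t back = st->window_top - h.seq;   /* older: inside the window and not yet seen? */
    if (back >= 64 || (st->window_bits & (1ull << back))) return RX_DROP_REPLAY;
    st->window_bits |= 1ull << back;
    return RX_ACCEPT;
}

/* Applies a verified ChangeCipherSpec: next epoch, sequence numbers restart at zero. The epoch
 * never wraps or goes backwards, so no value is reused inside the 2*MSL window RFC 6347 sets. */
int dtls_rx_advance_epoch(dtls_rx_state *st) {
    if (st->epoch == 0xffff) return -1;       /* renegotiation must stop here, not wrap to 0 */
    st->epoch++; st->ccs_pending = 0; st->window_top = 0; st->window_bits = 0;
    return 0;
}

/* Builds a handshake record around a constructed body (no encryption) for the demo below. */
size_t dtls_build_record(uint8_t *out, uint16_t epoch, uint64_t seq, const uint8_t *body, uint16_t blen) {
    out[0] = 22; out[1] = 0xfe; out[2] = 0xfd;            /* handshake, DTLS 1.2 */
    out[3] = (uint8_t)(epoch >> 8); out[4] = (uint8_t)epoch;
    for (int i = 0; i < 6; i++) out[5 + i] = (uint8_t)(seq >> (8 * (5 - i)));
    out[11] = (uint8_t)(blen >> 8); out[12] = (uint8_t)blen;
    memcpy(out + DTLS_RH_LEN, body, blen);
    return DTLS_RH_LEN + blen;
}

/* Walks a short exchange; returns 0 when every record is classified as expected, otherwise the
 * number of the first step that was not. */
int dtls_epoch_demo(void) {
    dtls_rx_state st = {0, 0, 0, 0};
    uint8_t body[4] = {1, 2, 3, 4}, pkt[64];
    size_t n = dtls_build_record(pkt, 0, 0, body, 4);
    if (dtls_rx_check(&st, pkt, n) != RX_ACCEPT) return 1;          /* first record of epoch 0 */
    if (dtls_rx_check(&st, pkt, n) != RX_DROP_REPLAY) return 2;     /* the same record replayed */
    n = dtls_build_record(pkt, 0, 5, body, 4);
    if (dtls_rx_check(&st, pkt, n) != RX_ACCEPT) return 3;
    n = dtls_build_record(pkt, 0, 3, body, 4);
    if (dtls_rx_check(&st, pkt, n) != RX_ACCEPT) return 4;          /* reordered but new */
    n = dtls_build_record(pkt, 0x7fff, 0, body, 4);
    if (dtls_rx_check(&st, pkt, n) != RX_DROP_EPOCH) return 5;      /* large epoch used early */
    n = dtls_build_record(pkt, 1, 0, body, 4);
    if (dtls_rx_check(&st, pkt, n) != RX_DROP_EPOCH) return 6;      /* epoch 1 without a CCS */
    st.ccs_pending = 1;
    if (dtls_rx_check(&st, pkt, n) != RX_QUEUE_NEXT_EPOCH) return 7;
    if (dtls_rx_advance_epoch(&st) != 0) return 8;
    if (dtls_rx_check(&st, pkt, n) != RX_ACCEPT) return 9;          /* now in epoch 1 */
    n = dtls_build_record(pkt, 0, 7, body, 4);
    if (dtls_rx_check(&st, pkt, n) != RX_DROP_EPOCH) return 10;     /* epoch 0 after the switch */
    pkt[11] = 0x10; pkt[12] = 0x00;                                 /* length 4096, 4 bytes present */
    if (dtls_rx_check(&st, pkt, n) != RX_DROP_MALFORMED) return 11;
    if (dtls_rx_check(&st, pkt, 5) != RX_DROP_MALFORMED) return 12; /* truncated header */
    return 0;
}
```

The classification happens before any MAC check or decryption, so a record carrying a far-ahead epoch or a replayed sequence number costs only a header parse; the length check is what keeps an over-large length field from ever reaching a routine that trusts it.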


[FD] Buffer over-read in dtls_sha256_update of TinyDTLS

2024-01-17 Thread Meng Ruijie
[Suggested description]
An issue was discovered in Contiki-NG tinyDTLS through 2018-08-30. A buffer 
over-read exists in the dtls_sha256_update function. This bug allows remote 
attackers to cause a denial of service (crash) and possibly read sensitive 
information by sending a malformed packet with an over-large fragment length 
field, due to servers incorrectly handling malformed packets.

[Vulnerability Type]
Buffer Overflow

[Vendor of Product]
https://github.com/contiki-ng/tinydtls

[Affected Product Code Base]
contiki-ng tinydtls - master branch 53a0d97

[Affected Component]
the service of dtls servers

[Attack Type]
Remote

[Impact Code execution]
true

[Impact Denial of Service]
true

[Reference]
https://github.com/contiki-ng/tinydtls/issues/21

[Discoverer]
jerrytesting

[CVE Reference]
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned 
the name CVE-2021-42147 to this vulnerability.
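CVE-2021-42143 and CVE-2021-42147 above are both a length field in a handshake message trusted ahead of the bytes actually received, and CVE-2021-42145 is an assertion reachable from the peer. The C below is an added example, not tinydtls code: a DTLS 1.2 handshake-fragment header parser and a ClientHello parser that return an error instead of asserting when a length disagrees with the datagram, beside a constructed loop of the shape that never terminates when the cipher_suites length is odd. The function and macro names, the 16 KiB message cap and the sample ClientHello are assumptions of the example.

```c
/* Added example, not tinydtls code: bounds-checked parsing of a DTLS 1.2 handshake fragment
 * header (RFC 6347 4.2.2) and ClientHello body (RFC 5246 7.4.1.2 plus the DTLS cookie field),
 * next to the loop shape that spins on an odd cipher_suites length. Names are ours. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define HS_HDR_LEN 12
#define HS_CLIENT_HELLO 1
#define HS_MAX_MSG 16384u   /* a real stack caps this at its reassembly buffer size */

typedef struct { uint8_t msg_type; uint16_t message_seq;
                 uint32_t length, fragment_offset, fragment_length; } dtls_hs_hdr;

static uint32_t be24(const uint8_t *p) { return (uint32_t)p[0] << 16 | (uint32_t)p[1] << 8 | p[2]; }

/* Returns the fragment body length, or -1 if the header is truncated, the fragment does not fit
 * in the datagram, it extends past the message it belongs to, or the message is too large. */
long dtls_parse_hs_hdr(const uint8_t *buf, size_t len, dtls_hs_hdr *h) {
    if (len < HS_HDR_LEN) return -1;
    h->msg_type = buf[0];
    h->length = be24(buf + 1);
    h->message_seq = (uint16_t)(buf[4] << 8 | buf[5]);
    h->fragment_offset = be24(buf + 6);
    h->fragment_length = be24(buf + 9);
    if (h->length > HS_MAX_MSG || h->fragment_length > len - HS_HDR_LEN) return -1;
    if (h->fragment_offset > h->length || h->fragment_length > h->length - h->fragment_offset) return -1;
    return (long)h->fragment_length;
}

/* Loop shape behind the bug class (constructed, not the tinydtls code): it stops only when the
 * index lands exactly on cs_len, which an odd cs_len never allows; the 16-bit index wraps and the
 * loop runs forever, and a body that reads p[i] walks off the end of the buffer. The iteration
 * cap is here only so the demo returns; -1 means the loop would have spun. */
int count_suites_unsafe(uint16_t cs_len) {
    int count = 0;
    unsigned long guard = 0;
    for (uint16_t i = 0; i != cs_len; i = (uint16_t)(i + 2)) {
        count++;
        if (++guard > 200000UL) return -1;
    }
    return count;
}

/* Parses a ClientHello body (no extensions) into suites[]; returns the number of cipher suites
 * offered, or -1 if any length field disagrees with the bytes actually present. */
int dtls_parse_client_hello(const uint8_t *p, size_t len, uint16_t *suites, size_t max_suites) {
    size_t off = 2 + 32;                                    /* client_version, random */
    if (len < off + 1) return -1;
    uint8_t sid_len = p[off++];
    if (sid_len > 32 || sid_len > len - off) return -1;
    off += sid_len;
    if (len - off < 1) return -1;
    uint8_t cookie_len = p[off++];
    if (cookie_len > len - off) return -1;
    off += cookie_len;
    if (len - off < 2) return -1;
    uint16_t cs_len = (uint16_t)(p[off] << 8 | p[off + 1]);
    off += 2;
    if (cs_len < 2 || (cs_len & 1) || cs_len > len - off) return -1;   /* odd or over-long */
    size_t n = cs_len / 2;
    for (size_t i = 0; i < n && i < max_suites; i++)
        suites[i] = (uint16_t)(p[off + 2 * i] << 8 | p[off + 2 * i + 1]);
    off += cs_len;
    if (len - off < 1) return -1;
    uint8_t comp_len = p[off++];
    if (comp_len < 1 || comp_len > len - off) return -1;
    off += comp_len;
    return off == len ? (int)n : -1;                        /* extensions not handled: no trailing bytes */
}

/* Builds a constructed ClientHello (header + body) offering two suites, with empty session_id
 * and cookie and no extensions; cs_len_field lets the caller forge the cipher_suites length. */
size_t build_client_hello(uint8_t *out, uint16_t cs_len_field) {
    static const uint8_t suites[4] = {0xc0, 0xae, 0xc0, 0xa8};   /* ECDHE_ECDSA / PSK AES_128_CCM_8 */
    size_t body_len = 2 + 32 + 1 + 1 + 2 + sizeof suites + 1 + 1;
    uint8_t *p = out;
    *p++ = HS_CLIENT_HELLO;
    *p++ = (uint8_t)(body_len >> 16); *p++ = (uint8_t)(body_len >> 8); *p++ = (uint8_t)body_len;
    *p++ = 0; *p++ = 0; *p++ = 0; *p++ = 0; *p++ = 0;       /* message_seq 0, fragment_offset 0 */
    *p++ = (uint8_t)(body_len >> 16); *p++ = (uint8_t)(body_len >> 8); *p++ = (uint8_t)body_len;
    *p++ = 0xfe; *p++ = 0xfd;                               /* client_version DTLS 1.2 */
    memset(p, 0x42, 32); p += 32;                           /* random (constructed) */
    *p++ = 0; *p++ = 0;                                     /* session_id, cookie: empty */
    *p++ = (uint8_t)(cs_len_field >> 8); *p++ = (uint8_t)cs_len_field;
    memcpy(p, suites, sizeof suites); p += sizeof suites;
    *p++ = 1; *p++ = 0;                                     /* compression_methods: null only */
    return (size_t)(p - out);
}

/* Feeds well-formed and malformed datagrams through both parsers; 0 if every result is as
 * expected, else the number of the first step that was not. */
int client_hello_demo(void) {
    uint8_t pkt[96]; uint16_t suites[8]; dtls_hs_hdr h;
    size_t n = build_client_hello(pkt, 4);
    long body = dtls_parse_hs_hdr(pkt, n, &h);
    if (body < 0 || h.msg_type != HS_CLIENT_HELLO) return 1;
    if (dtls_parse_client_hello(pkt + HS_HDR_LEN, (size_t)body, suites, 8) != 2) return 2;
    if (suites[0] != 0xc0ae || suites[1] != 0xc0a8) return 3;
    n = build_client_hello(pkt, 3);                         /* odd cipher_suites length: header */
    body = dtls_parse_hs_hdr(pkt, n, &h);                   /* is consistent, body is rejected */
    if (body < 0 || dtls_parse_client_hello(pkt + HS_HDR_LEN, (size_t)body, suites, 8) != -1) return 4;
    if (count_suites_unsafe(3) != -1 || count_suites_unsafe(4) != 2) return 5;
    n = build_client_hello(pkt, 4000);                      /* claims more suites than are present */
    if (dtls_parse_client_hello(pkt + HS_HDR_LEN, n - HS_HDR_LEN, suites, 8) != -1) return 6;
    n = build_client_hello(pkt, 4);
    if (dtls_parse_hs_hdr(pkt, HS_HDR_LEN - 1, &h) != -1) return 7;   /* truncated header */
    pkt[9] = 0xff; pkt[10] = 0xff; pkt[11] = 0xff;          /* fragment_length 2^24-1 */
    if (dtls_parse_hs_hdr(pkt, n, &h) != -1) return 8;
    return 0;
}
```

Every length in the message is checked against the bytes remaining before it is used to advance, and the parsers report malformed input as a return value the caller can turn into a dropped datagram; an assert() on the same condition is what turns a bad packet into the process exit described for check_certificate_request().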


[FD] Legends of IdleOn - I Reject Your RNG And Substitute My Own

2024-01-17 Thread Soatok Dreamseeker
Hello Full Disclosure mailing list!

Legends of IdleOn is a popular free-to-play game on Android, iOS, Steam,
and Web. While playing around with it last year, I got curious and noticed
a trivial way to manipulate the random number generator.

After six months of radio silence from the developer, including asking the
Discord moderators for help getting the developer's attention, I've decided
to publish this publicly:

https://gist.github.com/soatok/3cbf09501d1fd9e67e552c7165b0e81a

Disclosure Timeline

Note: All dates are in YYYY-MM-DD format (as per ISO 8601 and other
standards).

Date        Action
2023-07-06  Emailed lava at lavaflame2 dot com with these details and a
            recommended fix.
2023-08-06  A month later, I follow up just asking if Lava has received my
            messages.
2023-11-15  Additional follow-up email
2023-11-15  Mentioned knowing an exploit in Discord, passed details onto
            moderator (*Hotair*)
2023-11-15  Additional follow-up email (as I cannot DM lava)
2024-01-16  Given a lack of response after more than 6 months, public
            disclosure.

Screenshots are also available for some of my outreach attempts.

Exploit

This is easiest to do in the browser version of the game. You can use a
Google Account for both Steam and Web in order to load an existing account
in the web mode. Easy peasy.

Press F12 to open your developer tools. Run the following code:

// Make a native copy of your browser's Math.random function
Math.originalRandom = Math.random
// Now replace it
Math.random = () => Math.originalRandom() / 1000;

Open the Arcade. Press Launch. Notice all of the balls always fall to the
right. You can score unlimited jackpots.

There are some other use cases where you want high numbers. There are yet
others where you want to pingpong between high and low numbers for the
desired effect.

Math.originalRandom = Math.random;
Math.lowRandom = function() {
  return Math.originalRandom() / 1000;
}
Math.highRandom = function() {
  return 1 - Math.lowRandom();
}

let breakCycle = false;
function luckyCycle() {
  return setTimeout(function() {
    if (breakCycle) return;
    // console.log('rng on');
    Math.random = Math.lowRandom;
    return setTimeout(function() {
      // console.log('rng off');
      Math.random = Math.highRandom;
      return setTimeout(luckyCycle, 3);
    }, 3);
  });
}

Then you can just Math.random = /* desired other function, such as
Math.lowRandom */ your way to winning big.

Impact

   - Millions of Gems 
   - See https://soatok.idleonefficiency.com for what controlling RNG
   outputs looks like on an account


Mitigation

Lava could mitigate this risk with one line of code, followed by a search
and replace:

+ const LavaMath = Object.freeze(Math)
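Review bot: Object.freeze(Math) only blocks writes that happen after it runs, so this line defeats the F12-console override from the Exploit section only if the game executes it before the player can reach a console, and it does nothing about a replacement installed earlier, such as the custom Chromium RNG under Advanced Exploit (which the post itself concedes). Object.freeze also returns the object it was given, so LavaMath.random is the same property as Math.random; the search-and-replace records intent, but the freeze is what stops the reassignment, and in sloppy-mode code that blocked assignment fails silently rather than throwing.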

And then replace any calls to Math.random with LavaMath.random, and then
this would no longer be possible.

(Yes, I included this one-liner in my email to Lava in July 2023.)
Advanced Exploit

Compile Chromium with a custom RNG that returns a low value (less than
0.01) 9/10 times, then defers to the normal LCG the rest of the time.
You'll win most luck-based things (Arcade Balls, Gaming Plants, etc.).

The mitigation I suggest doesn't defend against this, but using a secure
RNG instead of Math.random would likely generate fairer numbers *anyway*.

Update

The /r/idleon mods censored the link to this Gist from their subreddit
(Archive).

The actual exploit code that makes this an easy win is not included in this
disclosure, but a clever mind can concoct their own with minimal iteration.

After this disclosure, their community response has been limited to:

   1. Censoring my post from Reddit
   2. Falsely flagging my Steam Community post as an advertisement
   3. Angry Discord PMs from people who think my goal is to "enable
   cheating"

That does not include:

   1. Mitigating the issue
   2. Acknowledging the receipt of any of my attempts to disclose privately
   3. Any communication whatsoever

They have not succeeded in censoring my GitHub Gist, nor my review on the
Steam store that links to my Gist, but that may be in the works.

Thus, I thought I'd share it with Full Disclosure (with additional
context). All URLs are also archived on archive.org and archive.today,
should they attempt to invoke the Streisand Effect.

Happy hacking,
Soatok