A few days ago, a friend and I were having a rather engaging conversation that sparked my excitement. We were discussing my prospects of becoming a red teamer as a natural career progression. The reason I got stirred up is not that I want to change either my job or my position, as I am a happy camper being part of Cymulate's blue team.
What upset me was that my friend could not grasp the idea

A few days ago, a friend and I were having a rather engaging conversation that sparked my excitement. We were discussing my prospects of becoming a red teamer as a natural career progression. The reason I got stirred up is not that I want to change either my job or my position, as I am a happy camper being part of Cymulate's blue team.

What upset me was that my friend could not grasp the idea that I wanted to keep working as a blue teamer because, as far as he was concerned, the only natural progression is to move to the red team.

Red teams include many roles ranging from penetration testers to attackers and exploit developers. These roles attract most of the buzz, and the many certifications revolving around these roles (OSCP, OSEP, CEH) make them seem fancy. Movies usually make hackers the heroes, while typically ignoring the defending side, the complexities and challenges of blue teamers' roles are far less known.

While blue teams' defending roles might not sound as fancy and gather little to no buzz, they include essential and diverse titles that cover exciting and challenging functions and, finally, pay well. In fact, Hollywood should look into it!

**Defending is more complex than attacking, and it is more crucial**

Consider that you are a cyber security defender and that your assigned job is to protect your IT Infrastructure.

*   As a defender, you need to learn all sorts of attack mitigation techniques to protect your IT infrastructure. Conversely, an attacker can settle for gaining proficiency in exploiting just one vulnerability and keep exploiting that single vulnerability.
*   As a defender, you must be alert 24/7/365 to protect your infrastructure. As an attacker, you either choose a specific time/date to launch an attack or run boring brute force attacks across many potential targets.
*   As a defender, you must protect all weak links in your infrastructure - xerox, machine printer, attendance system, surveillance system, or endpoint used by your receptionist - whereas attackers can select any system connected to your infrastructure.
*   As a defender, you must comply with your local regulator while performing your daily work. Attackers have the liberty to mess up with laws and regulations.
*   As a defender, you are prepared by the red team that assists your work by creating attack scenarios to test your capabilities.

**Blue teams include complex, challenging, and research-intensive disciplines, and the related roles are not filled.**

In the conversation mentioned above, my friend assumed that defending roles mainly consist of monitoring SIEMs (Security Information and Event Management) and other alerting tools, which is correct for SOC (Security Operations Center) analyst roles. Here are some atypical Blue Team roles:

*   **Threat Hunters** – Responsible for proactively hunting for threats within the organization
*   **Malware Researchers** – Responsible for reverse engineering malware
*   **Threat Intelligence Researchers** – Responsible for providing intelligence and information regarding future attacks and attributing attacks to specific attackers
*   **DFIR** – Digital Forensics and Incident Responders are responsible for containing and investigating attacks when they happen

These roles are challenging, time intensive, complex, and demanding. Additionally, they involve working together with the rest of the blue team to provide the best value for the organization.

According to a recent CSIS survey of IT decision makers across eight countries: "82 percent of employers report a shortage of cybersecurity skills, and 71 percent believe this talent gap causes direct and measurable damage to their organizations." According to CyberSeek, an initiative funded by the National Initiative for Cybersecurity Education (NICE), the United States faced a shortfall of almost 314,000 cybersecurity professionals as of January 2019. To put this in context, the country's total employed cybersecurity workforce is just 716,000. According to data derived from job postings, the number of unfilled cybersecurity jobs has grown by more than 50 percent since 2015. By 2022, the global cybersecurity workforce shortage has been projected to reach upwards of 1.8 million unfilled positions."

**C Level executives are disconnected from reality when it comes to Internal Blue Teams**

The above graph is from an excellent talk called "How to Get Promoted: Developing Metrics to Show How Threat Intel Works - SANS CTI Summit 2019". It illustrates the disconnect between the high-level executives and "on-the-ground" employees and how high-level executives think that their defensive teams are much more mature than their team self-assessment.

**Solving the Problem****Strive to teach SOC analyst's new craft**

Bringing new and experienced researchers is expensive and complicated. Perhaps organizations should strive to promote and encourage entry analysts to learn and experiment with new skills and technologies. While SOC managers might fear that this might interfere with experienced analysts' daily missions or result in people leaving the company but, paradoxically, it will encourage analysts to stay and take a more active part in maturing the organization's security at almost no extra cost.

**Cycle employees through positions**

People get tired of doing the same thing every day. Perhaps a clever way to keep employees engaged and strengthen your organization is to let people cycle across distinct roles, for example, by teaching threat hunters to conduct threat intelligence work by giving them easy assignments or sending them off to courses. Another promising idea is to involve low-tier SOC analysts with real Incident Response teams and thus advance their skills. Both organizations and employees benefit from such undertakings.

Let our employees see the results of their demanding work

Whether low-tier SOC analysts or Top C-level executives, people need motivation. Employees need to understand whether they are doing their job well, and executives need to understand their job's value and the quality of its execution.

Consider ways to measure your Security Operations Center:

*   How effective is the SOC at processing important alerts?
*   How effectively is the SOC gathering relevant data, coordinating a response, and taking action?
*   How busy is the security environment, and what is the scale of activities managed by the SOC?
*   How effectively are analysts covering the maximum possible number of alerts and threats?
*   How adequate is the SOC capacity at each level, and how heavy is the workload for different analyst groups?

The table below contains more examples and measures taken from Exabeam.

And, of course, validate your blue team's work with continuous security validation tools such as those on Cymulate's XSPM platform where you can automate, customize and scale up attack scenarios and campaigns for a variety of security assessments.

Seriously, validating your blue team's work both increases your organization's cyber resilience and provides quantified measures of your blue team's effectiveness across time.

_Note: This article is written and contributed by by Dan Lisichkin, Threat Hunter and Threat Intelligence Researcher at Cymulate._

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

The Benefits of Building a Mature and Diverse Blue Team

Pwn stars

Hacker Summer Camp is only days away, so in order to whet your appetite, The Daily Swig has compiled a list of some of the best talks of years past.

Over the years there’s been thrills, spills, and (of course) ‘sploits, as the top researchers in the security world have descended on Las Vegas for Black Hat USA and DEF CON – a security double bill that’s hard to beat.

This year’s Black Hat – which is again taking place as a hybrid event – and DEF CON offerings are sure to add to the already impressive roster of ground-breaking talks from years gone by.

Now that Covid-related restrictions have largely been lifted, the 2022 edition promises to be something of a grand reopening of arguably the single most important event in the infosec calendar.

Without further ado (and in no particular order) here are our top picks from past Black Hat and DEF CON events…

**Panic in the Cisco**

Michael Lunn’s 2005 talk on the security shortcomings of Cisco’s networking technology was important not only because of the potential impact of his discovery, but because it served as an example of an attempt to suppress security research.

Lunn resigned from his employment with Internet Security Systems in order to deliver a talk on a critical vulnerability in router technology from Cisco.

The security researcher demonstrated an exploit – which opened the door to a range of attacks from eavesdropping to disabling the compromised device – while withholding any details. Cisco issued a security fix to its firmware prior to the talk, but not many organizations had applied it by the time it rolled around.

Cisco initially gave the go-ahead for the talk but had second thoughts with the event imminent. ISS agreed to a request from the networking giant, but Lunn disagreed. This prompted his decision to resign in order to present his findings.

**Cache from chaos**

Dan Kaminsky’s reveal of a cache poisoning flaw affecting the software of multiple DNS vendors back in 2008 remains a landmark event in networking security.

The security researcher worked with DNS vendors for months to fix the critical vulnerability before laying the problem bare during Black Hat 2008.

It remains a testament to the late security researcher, who sadly passed away in April 2021, prompting an outpouring of tributes to a true infosec great characterized by “kindness, boundless energy, and positivity”.

**Hitting the Jackpot**

Barnaby Jack’s live hack demo on an ATM set the benchmark for spectacular hacks and cutting-edge security research. Jackpotting – as the attack later became known – involved a targeted assault on the software running on ATMs.

The end result involved injecting malware into the operating system of cash dispensing machines, causing them to dish out bank notes fraudulently. Either exploitable vulnerabilities in an ATM’s remote management system or unauthorised physical access to a machine (perhaps facilitated by a corrupt insider) might be used to carry out an attack.

Prior to Jack’s research, embedded systems such as ATMs were widely (but incorrectly) thought to be beyond the scope of potential hack attacks. The research paved the road to follow-up studies into the security of medical devices such as pacemakers and insulin pumps.

**Up in the air**

Interest in the security of air traffic control systems took off with Andrei Costin’s presentation on the issue during Black Hat 2012. Costin’s talk focused on security aspects of ADS-B (Automatic Dependent Surveillance-Broadcast), a satellite-based aircraft tracking technology, and other flight technologies.

The presentation looked at ADS-B (in)security from a practical perspective, presenting the “feasibility and techniques of how potential attackers could play with generated/injected air traffic, and as such potentially opening new attack surface” into air traffic control systems.

**Don’t look up**

Shifting the focus from airborne planes to satellites in orbit, a well-received 2014 talk by Ruben Santamarta reviewed the security of satellite communication terminals.

IOActive found that all the devices they accessed were potentially open to abuse. The vulnerabilities uncovered included multiple backdoors, hardcoded credentials, undocumented and/or insecure protocols, or weak encryption algorithms.

“These vulnerabilities allow remote, unauthenticated attackers to fully compromise the affected products,” IOActive warned at the time. “In certain cases, no user interaction is required to exploit the vulnerability, just sending a simple SMS or specially crafted message from one ship to another ship can do it.”

**Policy forum**

Black Hat and DEF CON have never been the forum for technical discussions and hacking demos alone. Policy issues are often in play too, as evidenced by talks from the likes of Dan Geer and Jennifer Granick.

Geer, CISO for In-Q-Tel, a not-for-profit venture capitalist firm that looks for tech that supports the US intelligence community, spoke about cyberspace as a domain for conflict between nations and on power politics in 2014.

Granick, director of civil liberties at the Stanford Center for Internet and Society, looked forward to the next phases of the development of the internet in 2015.

More recently Parisa Tabriz, director of engineering at Google, used her 2018 Black Hat keynote to give a practical perspective on secure development. And last year Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA), outlined how hackers, the government, and the private sector can work together to confront cyber threats.

**Kettle reinvents HTTP request smuggling**

PortSwigger’s James Kettle reinvented the long-neglected topic of request smuggling with his presentation on HTTP desync attacks at DEF CON in 2019.

Kettle showed how it was possible to manipulate web requests in order to poison web caches. The hack allowed Kettle to compromise PayPal’s login page, among other targets, and claim $70K in bug bounties.

The hack relied in exploiting flaws in how web systems pass web-based requests between front end and back end system, as explained in a Daily Swig article published at the time of the talk.

**A new era in SSRF**

Noted web security researcher Orange Tsai used a 2017 Black Hat talk to outline an exploit technique variant that might be harnessed to bypass server-side request forgery (SSRF) protections.

The technique relied on fuzzing to unearth previously undiscovered vulnerabilities in the libraries of programming languages including Python, PHP, Perl, Ruby, Java, JavaScript, Wget, and cURL.

The root cause of the problem lies in the inconsistency of URL parsers and URL requesters.

Flaws in web applications such as WordPress, vBulletin, MyBB, and GitHub have also been uncovered using the same approach, the security researcher told Black Hat USA attended in 2017.

**Hasta la Vista**

Polish security researcher Joanna Rutkowska became well known in the security community following her demonstration of an attack against Windows Vista’s kernel protection mechanism at Black Hat USA 2006.

During the same presentation, she also demonstrated a technique called ‘Blue Pill’ that involved hacking the operation of a virtual machine to plant stealthy malware.

**Gone in 40ms**

Hacking took to the roads in 2015 after security researchers Charlie Millar and Chris Valasek demonstrated how to launch a remote cyber-attack against an unaltered factory vehicle.

The security researchers hacked into a Jeep Cherokee through a mobile connection to its entertainment system via a technique that allowed them to send messages on the CAN bus to critical electronic control units. This, in turn, allowed them to control the braking, steering, and acceleration of the car.

That’s our round-up of the best-ever talks at Hacker Summer Camp – but what are your picks?

Have we failed to mention any unmissable talks? What are your favourite hacks? Let us know on Twitter at @DailySwig.

You can also watch more talks from previous Hacker Summer Camps on YouTube, ranked by numbers of views, via the DEF CON and Black Hat archives.  

YOU MAY ALSO LIKE ParseThru: HTTP parameter smuggling flaw uncovered in several Go applications

The best Black Hat and DEF CON talks of all time

Categories: Explained
A hack tool called KMSPico is hailed as the go-to tool when it comes to activiating Windows. But is it safe?



(Read more...)




The post KMSpico explained: No, KMS is not "kill Microsoft" appeared first on Malwarebytes Labs.

_Thanks to Pieter Arntz and the Threat Intelligence Team who contributed to the research._

A hack tool is a program that allows users to activate software even without a legitimate, purchased key. Hack tools are often used to root devices in order to (among others) remove barriers that stop users from using apps from other markets. This is why the term “hack tool” is often interchanged with “crack tool” and “rooting program.”

Many seek such tools in the hopes of getting more control over their devices, or out of necessity if the software they want to use requires them. In this post, we’ll focus on one hack tool that has been a trusted tool for activating pirated copies of Microsoft products for free: KMSPico.

**What is KMSPico?**

KMSPico (often stylized as KMSPICO or KMS Pico) uses an unofficial key management services (KMS) server to activate Microsoft products—although several hack tools already do the same. Here are some of Malwarebytes’ detection of such tools:

*   RiskWare.AutoKMS
*   AutoKMS.HackTool.Patcher.DDS
*   RiskWare.KMS
*   HackTool.KMS
*   HackTool.Agent.KMS
*   HackTool.IdleKMS
*   HackTool.AutoKMS
*   HackTool.WinActivator

KMSPico is one of the most (if not _the_ most) popular software activation tools for Windows and Office Suite, with millions of global users and endorsers. Funnily enough, it also seems to have a lot of "official websites."

Searching for “official KMSpico site” on your favorite search engine will yield thousands of results, including pages of posts from various portals warning internet users not to download KMSPico from Website A or Website B as its malware. And they’re right.

Whatever KMSPico “official” website you find in your search results is undoubtedly fake, which leaves people wondering—or probably even believing—that KMSPico is a myth. This tool, however, is far from mythical. It does exist, and the latest version, **10.2.0**, can only be downloaded from a members-only forum posted almost a decade ago.

**How does it work?**

To understand how KMSPico works, we should first understand how a KMS activation works.

KMS is a legitimate way to activate Windows licenses in client computers, especially en masse (volume activation). There is even a Microsoft document on creating a KMS activation host.

A KMS client connects to a KMS server (the activation host), which contains the host key the client uses for activation. Once KMS clients are validated, the Microsoft product on those clients contacts the server every 180 days (6 months) to maintain its validity. However, a KMS set-up is only viable for large organizations with Volume Licensed (VL) Microsoft products.

This is what KMSPico is trying to exploit. Once installed onto user clients, it changes a user’s retail version of their Microsoft to a “Volume Licensed” one by simply changing the key into a generic VL key. KMSPico then changes the default KMS server to an unofficial KMS server set up by the hack tool’s developer. 

Note that if the KMSPico developer decides to kill the server, then whoever their users are would no longer have an activated version of their Microsoft product.

**Why we don’t recommend it**

Hack tools can be qualified as riskware, a category of software that may be risky to install on your computer or device. This is because a legitimate copy of the software may be bundled with adware, or it’s actually malware named after popular software. Such is the case for KMSPico.

On top of that, using KMSPico violates Microsoft’s ToS (terms of service) for its products.

Our 2021 State of Malware report found that hack tools plagued our consumer and enterprise clients for the previous two years. 

Perhaps the most critical data we have of KMS hack tools are that they are ranked as a top threat for consumers (with a 2,118 percent growth) and enterprises (with a 2,251 percent growth). We attributed this to the sudden change in work life due to many moving to a work-from-home (WFH) set up during the COVID-19 pandemic. Many employees—and potentially even employers—resorted to using cracked versions of Microsoft products.

Finally, regarding software updates or patching, it’s also likely that KMSPico blocks any activated Microsoft product from “calling home.” If it does, then that would stop these products from getting updates or patches, and KMSPico users would be left with very vulnerable Microsoft software.

**Does Malwarebytes detect KMSPico?**

Yes. We detect components from the same toolset. So if you have downloaded the KMSPico tool, expect your Malwarebytes product to alert you of files detected as **HackTool.KMSpico**, **CrackTool.KMSPico**, or both.

KMSpico explained: No, KMS is not "kill Microsoft"

By Waqas
Researchers have warned users of Gmail on Microsoft Edge and Google Chrome browser of a new email spying…
This is a post from HackRead.com Read the original post: Hackers Using SHARPEXT Browser Malware to Spy on Gmail and Aol Users

****Researchers have warned users of Gmail on Microsoft Edge and Google Chrome browser of a new email spying malware dubbed SHARPEXT.****

**Gmail** users should watch out for the newly discovered email reading malware named SHARPEXT. It is identified by cybersecurity firm Volexity. This nosey malware spies on AOL and Google account holders and can read/download their private emails and attachments.

**Campaign Details**

SHARPEXT malware infects devices through browser extensions on Google Chrome and Chromium-based platforms, including Korean browser Naver Whale and Microsoft Edge. Its primary targets are users in the USA, South Korea, and Europe, while its origin has been traced to a North Korean hacker group called Kimsuky or SharpTongue, which is associated with the North Korean intelligence agency Reconnaissance General Bureau.

The typical targets of SHARPEXT malware include those working in nuclear weaponry. It is worth noting that **in Jun 2021**, Kimsuky APT was found targeting the South Korean atomic agency by exploiting VPN flaws. **In March 2015**, the same group was blamed for targeting South Korea’s Kori nuclear plant and leaking sensitive data on Twitter.

As for SHARPEXT; the malware can directly inspect and exfiltrate data from Gmail accounts and impact version 3.0. This campaign has been active for more than a year, and during this time, it has stolen thousands of files and messages from Gmail and AOL email accounts.

The malware is currently targeting Windows devices, but Volexity claims it may work on Linux and macOS devices too.

**How the Attack Occurs?**

The victims are lured into opening a document that contains the malware. The malware is distributed through **social engineering** and spear phishing scams.

> “Prior to deploying SHARPEXT, the attacker manually exfiltrates files required to install the extension (explained below) from the infected workstation. SHARPEXT is then manually installed by an attacker-written VBS script.”
> 
> Paul Rascagneres, Thomas Lancaster – Volexity Threat Research

According to Volexity’s **blog post**, once installed on the device, SHARPEXT malware inserts itself within the browser via the Preferences and Secure Preferences files. It then enables its email read/download capabilities. Moreover, it also hides warning alerts that may be displayed to notify the user about the presence of an unverified extension on the device.

For your information, SHARPEXT malware-laced extensions are hard to spot since there’s no such thing in it that could trigger an antivirus scanner response, and the actual threat runs from another server.

Process workflow of SHARPEXT malware (Image: Volexity)

1.  **Gmail wittingly storing your online purchase data for years**
2.  **Google vulnerability allowed sending spoofed emails with Gmail ID**
3.  **Hackers using malicious Firefox extension to phish Gmail credentials**
4.  **Popular Android Zombie game phishing users to steal Gmail credentials**
5.  **Microsoft MSHTML flaw exploited in Gmail and Instagram phishing scam**

**How to Stay Protected?**

Volexity has published a list of IoCs (indicators of compromise) on **Github** to help you identify if the device has been infected already. You may also inspect all the browser extensions installed and check if all of them can be found on Chrome Web Store.

Furthermore, Remove any extensions that look suspicious, or you downloaded from an unreliable source. Always use the best antivirus solutions to keep your device protected.

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Hackers Using SHARPEXT Browser Malware to Spy on Gmail and Aol Users

Plus: A crypto-heist extravaganza, a peek at an NSO spyware dashboard, and more.

Cryptocurrency tracing has become a key tool for police investigating everything from fraud and ransomware to child abuse. But its accuracy may soon be put to the test.

This week, we reported on new court filings from the legal team representing Roman Sterlingov, who’s been in jail for 15 months, accused of laundering $336 million in cryptocurrency as the alleged owner and operator of dark-web crypto mixer Bitcoin Fog. Sterlingov not only maintains he is innocent, but his defense attorney claims that the blockchain analysis that served as evidence that Sterlingov set up Bitcoin Fog is flawed.

Elsewhere, we highlighted Microsoft’s newly bolstered Morse bug-hunting team, which aims to catch flaws in the company’s software before they cause problems for the company’s 1 billion users. We dove into the spectacular failure of a new post-quantum encryption algorithm. We listed all the big security updates you need to be on top of from July, and we detailed all the data that Amazon’s Ring cameras collect about you.

Finally, a new report from cybersecurity company Mandiant found an attack on Albania’s government has the hallmarks of state-sponsored Iranian hacking—a notable moment of escalation in the history of cyberwar, given that Albania is a NATO member. And we got into the weeds of a Slack error that exposed hashed passwords for five years.

But that’s not all. Each week, we highlight the news we didn’t cover in-depth ourselves. Click on the headlines below to read the full stories. And stay safe out there.

This is not a test. Software used to transmit US government-issued emergency alerts on television and radio contains flaws that could allow an attacker to broadcast false messages, according to the Federal Emergency Management Agency and the security researcher who found the vulnerabilities. The company that makes the software, Digital Alert Systems, has issued patches, and FEMA has alerted the TV and radio networks that use the software to update their devices immediately. Of course, patches may not be universally adopted, leaving the system at risk. There’s no evidence that an attacker has exploited the flaws so far. But considering the mayhem false emergency alerts can cause, we’ll just have to hope that it stays that way.

One major theft of cryptocurrency in a week would be bad, and this week saw two. First, thanks to a flaw in the Nomad bridge—a type of application that lets users move digital tokens across blockchains that are prime hacker targets—“hundreds” of people were able to steal a collective $190 million in cryptocurrencies. Nomad now says that anyone who returns 90 percent of the funds they swiped will be considered a “white hat” and can keep the remaining 10 percent as a bounty. Some $22 million of the stolen funds had been recovered so far.

The second crypto hack of the week came just a day later, on Tuesday night, with hackers draining around 8,000 “hot” wallets (cryptocurrency storage apps that are connected to the internet) connected to the Solana ecosystem, allowing them to steal around $5 million worth of crypto. Solana said in a tweet that the exploit was due to a bug in “software used by several software wallets popular among users of the network,” not the Solana network or its cryptography.

It’s one thing to be told what NSO Group’s spyware can do, but it’s quite another to see it for yourself. Reporters at Israel’s _Haaretz_ got their hands on never-before-seen screenshots of Syaphan, a prototype of NSO’s now-infamous Pegasus spyware, which has retained much of the look and functionality of its precursor. The screenshots show that operators have the ability to access call logs and messages and remotely enable cameras and microphones to turn an infected device into a real-time spying tool.

Government use of Pegasus and other spyware has resulted in a growing number of scandals, particularly in Europe. Yesterday, Panagiotis Kontoleon, the head of Greece’s intelligence service, and Grigoris Dimitriadis, general secretary of the prime minister’s office, resigned. Their departures follow a complaint filed by Nikos Androulakis, the head of the socialist PASOK party, who alleged that his phone had been targeted by Predator spyware created by Cytrox, which is based in neighboring North Macedonia. Greece’s prime minister’s office maintains, however, that the resignations and the spyware allegations are unconnected. “In no case does it have anything to do with Predator (spyware), to which neither he nor the government are in any way connected, as has been categorically stated,” it said in a statement.

Remember a few months ago when everyone was mad at DuckDuckGo? Well, that thing you were angry about has now been (mostly) fixed, according to the company. Back in May, security researcher Zach Edwards found that DuckDuckGo’s privacy browsers—not its search engine, for which the company is better known—allowed some third-party Microsoft tracking scripts. DuckDuckGo, which has a partnership with Microsoft, says it has expanded its 3rd-Party Tracker Loading Protection to include 21 more domains, thus blocking the bulk of Microsoft tracking scripts on websites accessed via its mobile DuckDuckGo Privacy Browser or while using its Privacy Essentials extension, which can be used with all major browsers. However, DuckDuckGo will still allow advertisers to track clicks from DuckDuckGo through scripts from the bat.bing.com domain. Is it perfect? No—even DuckDuckGo admits that. But it’s still a privacy improvement over mainstream browsers and search engines.

The US Emergency Alert System Has Dangerous Flaws

An os command injection vulnerability exists in the confsrv ucloud_add_node functionality of TCL LinkHub Mesh Wi-Fi MS1G_00_01.00_14. A specially-crafted network packet can lead to arbitrary command execution. An attacker can send a malicious packet to trigger this vulnerability.

**SUMMARY**

An os command injection vulnerability exists in the confsrv ucloud\_add\_node functionality of TCL LinkHub Mesh Wi-Fi MS1G\_00\_01.00\_14. A specially-crafted network packet can lead to arbitrary command execution. An attacker can send a malicious packet to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

TCL LinkHub Mesh Wifi MS1G\_00\_01.00\_14

**PRODUCT URLS**

LinkHub Mesh Wifi - https://www.tcl.com/us/en/products/connected-home/linkhub/linkhub-mesh-wifi-system-3-pack

**CVSSv3 SCORE**

9.6 - CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

**CWE**

CWE-78 - Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

**DETAILS**

The LinkHub Mesh Wi-Fi system is a node-based mesh system designed for Wi-Fi deployments across large homes. These nodes include most features standard in current Wi-Fi solutions and allow for easy expansion of the system by adding nodes. The mesh is managed solely by a phone application, and the routers have no web-based management console.

The LinkHub Mesh system uses protobuffers to communicate both internally on the device as well as externally with the controlling phone application. These protobuffers can be sent to port 9003 while on the Wi-Fi provided by the LinkHub Mesh in order to issue commands, much like the phone application would. Once the protobuffer is received, it is routed internally starting from the ucloud binary and is dispatched to the appropriate handler.

In this case, the handler is confsrv, which handles many message types. In this case we are interested in MxpManageList.

    message MxpManage {
        required string serialNum = 1;              [1]
        required int32 opt = 2;
    }
    message MxpManageList {
        repeated MxpManage mxp = 1;    //This is not optional, so it must be resolved by hand to compile to .proto    //This is not optional, so it must be resolved by hand to compile to .proto
        optional uint64 timestamp = 2;
    } 
    

Using \[1\] we have control over the serialNum in the packet. The parsing of the data within the protobuffer is ucloud_add_node.

    00428478  int32_t ucloud_add_node(int32_t arg1, int32_t arg2, int32_t arg3)  
    00428498      arg_0 = arg1
    004284a4      int32_t $a3
    004284a4      arg_c = $a3
    004284a8      int32_t var_12c = 0
    004284ac      int32_t var_130 = 0
    004284cc      void var_128
    004284cc      memset(&var_128, 0, 0x100)
    004284d8      int32_t var_28 = 0
    004284dc      int32_t var_24 = 0
    004284e0      int32_t var_20 = 0
    004284e4      int32_t var_1c = 0
    004284e8      int32_t var_18 = 0
    004284ec      int32_t var_14 = 0
    004284f0      int32_t var_10 = 0
    004284f4      int32_t var_c = 0
    004284fc      int32_t $v0_1
    004284fc      if (arg2 == 0) {
    00428524          _td_snprintf(3, "api/map_manage.c", 0x737, "    in is null !     \n", 0x4ae4b0)
    00428530          $v0_1 = 0xffffffff
    00428530      } else {
    00428558          struct MxpManageList* $v0_3 = mxp_manage_list__unpack(0, arg3, arg2)
    0042856c          if ($v0_3 == 0) {
    00428594              _td_snprintf(3, "api/map_manage.c", 0x73d, "     unpack failed !     \n", 0x4ae4b0)
    004285a0              $v0_1 = 0xffffffff
    004285a0          } else {
    004286b0              for (uint32_t var_130_1 = 0; var_130_1 u< $v0_3->mxp_manage_count; var_130_1 = var_130_1 + 1) {
    004285d0                  if (confctl_module_debug_en(module_id: 9) != 0) {
    00428618                      printf("\x1b[1;32m[%s][%d] : \x1b[0m\x1b…", "ucloud_add_node", 0x743, *(*($v0_3->p_mxp + (var_130_1 << 2)) + 0xc), 0x4ae4b0)
    00428494                  }
    0042864c                  update_add_node_list(serial_number: *(*($v0_3->p_mxp + (var_130_1 << 2)) + 0xc))
    00428688                  doSystemCmd("echo %s >> /proc/mesh/authorized", *(*($v0_3->p_mxp + (var_130_1 << 2)) + 0xc))       [2]
    00428670              }
    004286c0              if ($v0_3->is_timestamp_present != 0) {
    004286f0                  sprintf(&var_28, "%llu", $v0_3->timestamp.d, $v0_3->timestamp:4.d, 0x4ae4b0)
    00428714                  SetValue(name: "sys.cfg.stamp", input_buffer: &var_28)
    00428708              }
    00428728              CommitCfm()
    00428744              mxp_manage_list__free_unpacked($v0_3, 0)
    00428750              $v0_1 = 0
    00428750          }
    00428750      }
    00428764      return $v0_1 
    

At \[2\] the serialNum is used directly in doSystemCmd.

    000209b0  int32_t doSystemCmd(int32_t arg1, int32_t arg2)  
    000209d0      arg_4 = arg2
    000209d4      int32_t $a2
    000209d4      arg_8 = $a2
    000209d8      int32_t $a3
    000209d8      arg_c = $a3
    000209fc      void var_408
    000209fc      memset(&var_408, 0, 0x400)
    00020a30      log_debug_print("doSystemCmd", &data_1b8d, 0, 0x80, 0x55500)  {"function entry!"}
    00020a64      vsnprintf(&var_408, 0x400, arg1, &arg_4)
    00020a80      int32_t $v0_1 = system(&var_408)
    00020ab8      log_debug_print("doSystemCmd", &data_1b93, 0, 0x80, 0x55510)  {"function exit!"}
    00020ad8      return $v0_1 
    

With a quick look at doSystemCmd we can see that no special escaping is happening here and thus this is a simple command injection using serialNum directly.

**TIMELINE**

2022-04-27 - Vendor Disclosure  
2022-08-01 - Public Release

Discovered by Carl Hurd of Cisco Talos.

CVE-2022-22140: TALOS-2022-1458 || Cisco Talos Intelligence Group

A buffer overflow vulnerability exists in the confsrv ucloud_set_node_location functionality of TCL LinkHub Mesh Wi-Fi MS1G_00_01.00_14. A specially-crafted network packet can lead to a buffer overflow. An attacker can send a malicious packet to trigger this vulnerability.

**SUMMARY**

A buffer overflow vulnerability exists in the confsrv ucloud\_set\_node\_location functionality of TCL LinkHub Mesh Wi-Fi MS1G\_00\_01.00\_14. A specially-crafted network packet can lead to a buffer overflow. An attacker can send a malicious packet to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

TCL LinkHub Mesh Wifi MS1G\_00\_01.00\_14

**PRODUCT URLS**

LinkHub Mesh Wifi - https://www.tcl.com/us/en/products/connected-home/linkhub/linkhub-mesh-wifi-system-3-pack

**CVSSv3 SCORE**

8.8 - CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-120 - Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)

**DETAILS**

The LinkHub Mesh Wi-Fi system is a node-based mesh system designed for Wi-Fi deployments across large homes. These nodes include most features standard in current Wi-Fi solutions and allow for easy expansion of the system by adding nodes. The mesh is managed solely by a phone application, and the routers have no web-based management console.

The LinkHub Mesh system uses protobuffers to communicate both internally on the device as well as externally with the controlling phone application. These protobuffers can be sent to port 9003 while on the Wi-Fi provided by the LinkHub Mesh in order to issue commands, much like the phone application would. Once the protobuffer is received, it is routed internally starting from the ucloud binary and is dispatched to the appropriate handler.

In this case, the handler is confsrv which handles many message types. In this case we are interested in NodeLocation

    message NodeLocation {
        required string serialNum = 1;
        required string location = 2;           [1]
        optional uint64 timestamp = 3;
    }
    

Using \[1\] we have control over location in the packet. The parsing of the data in the protobuf is done in ucloud_set_node_location.

    00429390  int32_t ucloud_set_node_location(int32_t arg1, int32_t arg2, int32_t arg3)
    
    004293b0      arg_0 = arg1
    004293bc      int32_t $a3
    004293bc      arg_c = $a3
    004293c0      int32_t var_12c = 0
    004293c4      int32_t var_128 = 0
    004293c8      int32_t var_124 = 0
    004293cc      int32_t var_120 = 0
    004293d0      int32_t var_11c = 0
    004293d4      int32_t var_118 = 0
    004293d8      int32_t var_114 = 0
    004293dc      int32_t var_110 = 0
    004293e0      int32_t var_10c = 0
    004293e4      int32_t var_130 = 0
    00429404      void var_108
    00429404      memset(&var_108, 0, 0x100)
    00429428      GetValue(name: "serial.number", output_buffer: &var_128)
    00429450      struct NodeLocationDescriptor* pkt = node_location__unpack(0, arg3, arg2)
    00429464      int32_t $v0_2
    00429464      if (pkt == 0) {
    0042948c          _td_snprintf(3, "api/map_manage.c", 0x83a, "   unpack failed !     \n", 0x4ae4b0)
    00429498          $v0_2 = 0xffffffff
    00429498      } else {
    004294b8          void* $v0_5 = client_sn_lkup(sn: pkt->serial_number)
    004294cc          if ($v0_5 != 0) {
    004294f4              strcpy($v0_5 + 0x30, pkt->location)                              [2]
    0042950c              if (sx.d(*($v0_5 + 0x30)) == 0) {
    00429544                  *($v0_5 + 4) = *($v0_5 + 4) & 0xfffffffd
    0042953c              } else {
    00429524                  *($v0_5 + 4) = *($v0_5 + 4) | 2
    0042951c              }
    0042951c          }
    ...
    

At \[2\] we can clearly see that a strcpy is performed without any validation of buffer or input length, which can lead to a buffer overflow. Below we can verify the issue in ASM:

    004294a4  1c00c28f   lw      $v0, 0x1c($fp) {var_12c_1}
    004294a8  0c00428c   lw      $v0, 0xc($v0) {NodeLocationDescriptor::serial_number}
    004294ac  21204000   move    $a0, $v0
    004294b0  4883828f   lw      $v0, -0x7cb8($gp)  {client_sn_lkup}  {data_4a67f8}
    004294b4  21c84000   move    $t9, $v0  {client_sn_lkup}
    004294b8  09f82003   jalr    $t9  {client_sn_lkup}
    004294bc  00000000   nop
    
    004294c0  1000dc8f   lw      $gp, 0x10($fp) {var_138}
    004294c4  1800c2af   sw      $v0, 0x18($fp) {var_130_1}                                   [3]
    004294c8  1800c28f   lw      $v0, 0x18($fp) {var_130_1}
    004294cc  1e004010   beqz    $v0, 0x429548
    004294d0  00000000   nop
    
    004294d4  1800c28f   lw      $v0, 0x18($fp) {var_130_1}                                   [4]
    004294d8  30004324   addiu   $v1, $v0, 0x30
    004294dc  1c00c28f   lw      $v0, 0x1c($fp) {var_12c_1}
    004294e0  1000428c   lw      $v0, 0x10($v0) {NodeLocationDescriptor::location}            [5]
    004294e4  21206000   move    $a0, $v1
    004294e8  21284000   move    $a1, $v0
    004294ec  7c86828f   lw      $v0, -0x7984($gp)  {strcpy}
    004294f0  21c84000   move    $t9, $v0
    004294f4  09f82003   jalr    $t9                                                        [6]
    004294f8  00000000   nop
    

At \[3\] we see the return value of client_sn_lkup being saved onto the stack that is loaded at \[4\] to be the destination argument of strcpy. At \[5\] the location is loaded from the protobuf data and used as the source for the strcpy. At \[6\] we see that strcpy is called with no further validation or verification that the buffer is large enough to hold the data, or that the source is small enough to fit in the buffer. This leads to a simple buffer overflow using strcpy.

The destination buffer for the overflow is retrieved from client_sn_lkup, seen below.

    00422c30  void* client_sn_lkup(char* sn)
    
    00422c54      int32_t var_10 = 0
    00422c60      uint32_t var_10_1 = g_online_map_head
    00422cb8      uint32_t $v0_4
    00422cb8      while (true) {
    00422cb8          if (var_10_1 == 0) {
    00422cc0              $v0_4 = 0
    00422cc0              break
    00422cc0          }
    00422c94          if (strncmp(sn, var_10_1 + 8, 0x20) == 0) {
    00422c9c              $v0_4 = var_10_1
    00422ca0              break
    00422ca0          }
    00422cb0          var_10_1 = *var_10_1
    00422cac      }
    00422cd4      return $v0_4    
    

g_online_map_head is located within the BSS section of the binary. This means that with this buffer overflow we can target any other statically allocated variable within the binary, which can lead to remote code execution.

**Crash Information**

    Program received signal SIGSEGV, Segmentation fault.
    0x779493f0 in strncmp () from target:/lib/libc.so.0
    [ Legend: Modified register | Code | Heap | Stack | String ]
    ───────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
    $zero: 0x0
    $at  : 0x806f0000
    $v0  : 0x32
    $v1  : 0x41
    $a0  : 0x004ba150  →  "21012304710"
    $a1  : 0x41414149 ("IAAA"?)
    $a2  : 0x20
    $a3  : 0x7
    $t0  : 0x0
    $t1  : 0x0
    $t2  : 0x200
    $t3  : 0x100
    $t4  : 0x807
    $t5  : 0x800
    $t6  : 0x400
    $t7  : 0x8
    $s0  : 0x7fddaaa8  →  0x82031107
    $s1  : 0x7fddaaa8  →  0x82031107
    $s2  : 0x77d7aa60  →  "uc_api_lib.c"
    $s3  : 0x0
    $s4  : 0x77d7bbe4  →  "_session_read_and_dispatch"
    $s5  : 0x77d61090  →  0x3c1c0003
    $s6  : 0x1018
    $s7  : 0x10
    $t8  : 0x0
    $t9  : 0x779493d0  →  0x2cc20004
    $k0  : 0x0
    $k1  : 0x0
    $s8  : 0x7fdda6d0  →  0x00000000
    $pc  : 0x779493f0  →  0x1040001d
    $sp  : 0x7fdda6d0  →  0x00000000
    $hi  : 0x169
    $lo  : 0x25512
    $fir : 0x0
    $ra  : 0x00422c90  →  <client_sn_lkup+96> lw gp, 16(s8)
    $gp  : 0x004ae4b0  →  0x00000000
    ───────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
    0x7fdda6d0│+0x0000: 0x00000000   ← $s8, $sp
    0x7fdda6d4│+0x0004: 0x00000000
    0x7fdda6d8│+0x0008: 0x00000000
    0x7fdda6dc│+0x000c: 0x00000000
    0x7fdda6e0│+0x0010: 0x004ae4b0  →  0x00000000
    0x7fdda6e4│+0x0014: 0x00000000
    0x7fdda6e8│+0x0018: "AAAA"
    0x7fdda6ec│+0x001c: 0x00000000
    ────────────────────────────────────────────────────────────────────────────────────────────────── code:mips:MIPS32 ────
       0x779493e4 <strncmp+20>     move   v0, zero
       0x779493e8 <strncmp+24>     lbu    v0, 0(a0)
       0x779493ec <strncmp+28>     addiu  a3, a3, -1    
    

**TIMELINE**

2022-03-16 - Vendor Disclosure  
2022-08-01 - Public Release

Discovered by Carl Hurd of Cisco Talos.

CVE-2022-26342: TALOS-2022-1484 || Cisco Talos Intelligence Group

An os command injection vulnerability exists in the confsrv ucloud_add_new_node functionality of TCL LinkHub Mesh Wifi MS1G_00_01.00_14. A specially-crafted network packet can lead to arbitrary command execution. An attacker can send a malicious packet to trigger this vulnerability.

**SUMMARY**

An os command injection vulnerability exists in the confsrv ucloud\_add\_new\_node functionality of TCL LinkHub Mesh Wifi MS1G\_00\_01.00\_14. A specially-crafted network packet can lead to arbitrary command execution. An attacker can send a malicious packet to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

TCL LinkHub Mesh Wifi MS1G\_00\_01.00\_14

**PRODUCT URLS**

LinkHub Mesh Wifi - https://www.tcl.com/us/en/products/connected-home/linkhub/linkhub-mesh-wifi-system-3-pack

**CVSSv3 SCORE**

9.6 - CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

**CWE**

CWE-78 - Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

**DETAILS**

The LinkHub Mesh Wi-Fi system is a node-based mesh system designed for Wi-Fi deployments across large homes. These nodes include most features standard in current Wi-Fi solutions and allow for easy expansion of the system by adding nodes. The mesh is managed solely by a phone application, and the routers have no web-based management console.

The LinkHub Mesh system uses protobuffers to communicate both internally on the device as well as externally with the controlling phone application. These protobuffers can be sent to port 9003 while on the Wi-Fi provided by the LinkHub Mesh in order to issue commands, much like the phone application would. Once the protobuffer is received, it is routed internally starting from the ucloud binary and is dispatched to the appropriate handler.

In this case, the handler is confsrv, which handles many message types. In this case we are interested in ManualNodeInfo

    message ManualNodeInfo {
        required string serialNumMd5 = 1;        [1]
        optional uint64 timestamp = 2;
    } 
    

At \[1\] we have control over serialNumMd5 in the packet. The parsing of the protobuffer data occurs in ucloud_add_node_new

    0042876c  int32_t ucloud_add_node_new(int32_t arg1, int32_t arg2, int32_t arg3)
    
    0042878c      arg_0 = arg1
    00428798      int32_t $a3
    00428798      arg_c = $a3
    004287bc      printf("%s(%d)\n", "ucloud_add_node_new", 0x756)
    004287c8      int32_t var_b0 = 0
    004287cc      int32_t var_ac = 0
    004287d0      int32_t var_a8 = 0
    004287d4      int32_t var_a4 = 0
    004287d8      int32_t var_a0 = 0
    004287dc      int32_t var_9c = 0
    004287e0      int32_t var_98 = 0
    004287e4      int32_t var_94 = 0
    004287e8      int32_t var_90 = 0
    00428808      void var_8c
    00428808      memset(&var_8c, 0, 0x80)
    00428818      int32_t $v0_1
    00428818      if (arg2 == 0) {
    00428840          printf("ManualNodeInfo is NULL%s(%d)\n", "ucloud_add_node_new", 0x75d)
    0042884c          $v0_1 = 0xffffffff
    0042884c      } else {
    00428874          struct ManualNodeInfo* pkt = manual_node_info__unpack(0, arg3, arg2)
    00428888          if (pkt == 0) {
    004288b0              printf("manual_node_info__unpack error%s…", "ucloud_add_node_new", 0x766)
    004288bc              $v0_1 = 0xffffffff
    004288bc          } else {
    004288d0              if (pkt->serialNumberMd5 == 0) {
    00428938                  printf("[arainc][NodeInfo->serialnummd5 …", "ucloud_add_node_new", 0x76f)
    0042892c              } else {
    00428904                  printf("[arainc][NodeInfo->serialnummd5 …", pkt->serialNumberMd5, "ucloud_add_node_new", 0x76d, 0x4ae4b0)
    00428788              }
    00428958              update_add_node_list(serial_number: pkt->serialNumberMd5)
    00428988              sprintf(&var_8c, "echo %s >> /proc/mesh/authorized", pkt->serialNumberMd5)                                      [2]
    004289bc              printf("[arainc][cmd_tmp = %s]%s(%d)\n", &var_8c, "ucloud_add_node_new", 0x773, 0x4ae4b0)
    004289d8              doSystemCmd(&var_8c)                                                                                          [3]
    004289ec              if (pkt->__offset(0x10).d != 0) {
    00428a1c                  sprintf(&var_ac, "%llu", pkt->timestamp.d, pkt->timestamp:4.d)
    00428a40                  SetValue(name: "sys.cfg.stamp", input_buffer: &var_ac)
    00428a34              }
    00428a54              CommitCfm()
    00428a70              manual_node_info__free_unpacked(pkt, 0)
    00428a7c              $v0_1 = 0
    00428a7c          }
    00428a7c      }
    00428a90      return $v0_1 
    

At \[2\] the command is built using sprintf. The data used is directly from the user packet, then passed into doSystemCmd at \[3\].

    000209b0  int32_t doSystemCmd(int32_t arg1, int32_t arg2)  
    000209d0      arg_4 = arg2
    000209d4      int32_t $a2
    000209d4      arg_8 = $a2
    000209d8      int32_t $a3
    000209d8      arg_c = $a3
    000209fc      void var_408
    000209fc      memset(&var_408, 0, 0x400)
    00020a30      log_debug_print("doSystemCmd", &data_1b8d, 0, 0x80, 0x55500)  {"function entry!"}
    00020a64      vsnprintf(&var_408, 0x400, arg1, &arg_4)
    00020a80      int32_t $v0_1 = system(&var_408)
    00020ab8      log_debug_print("doSystemCmd", &data_1b93, 0, 0x80, 0x55510)  {"function exit!"}
    00020ad8      return $v0_1 
    

With a quick look at doSystemCmd, we can see that no special escaping is happening here and thus this is a simple command injection using serialNumMd5 directly.

**TIMELINE**

2022-04-27 - Vendor Disclosure  
2022-08-01 - Public Release

Discovered by Carl Hurd of Cisco Talos.

CVE-2022-21178: TALOS-2022-1457 || Cisco Talos Intelligence Group

A stack-based buffer overflow vulnerability exists in the confsrv set_port_fwd_rule functionality of TCL LinkHub Mesh Wifi MS1G_00_01.00_14. A specially-crafted network packet can lead to stack-based buffer overflow. An attacker can send a malicious packet to trigger this vulnerability.

**SUMMARY**

A stack-based buffer overflow vulnerability exists in the confsrv set\_port\_fwd\_rule functionality of TCL LinkHub Mesh Wifi MS1G\_00\_01.00\_14. A specially-crafted network packet can lead to stack-based buffer overflow. An attacker can send a malicious packet to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

TCL LinkHub Mesh Wifi MS1G\_00\_01.00\_14

**PRODUCT URLS**

LinkHub Mesh Wifi - https://www.tcl.com/us/en/products/connected-home/linkhub/linkhub-mesh-wifi-system-3-pack

**CVSSv3 SCORE**

8.8 - CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-121 - Stack-based Buffer Overflow

**DETAILS**

The LinkHub Mesh WiFi system is a node-based mesh system designed for wifi deployments across large homes. These nodes include most features standard in current WiFi solutions and allow for easy expansion of the system by adding nodes. The mesh is managed solely by a phone application and the routers have no web-based management console.

The LinkHub Mesh system uses protobuffers to communicate both internally on the device as well as externally with the controlling phone application. These protobuffers can be sent to port 9003 while on the WiFi provided by the LinkHub Mesh in order to issue commands much like the phone application would. Once the protobuffer is received, it is routed internally starting from the ucloud binary and is dispatched to the appropriate handler.

In this case, the handler is confsrv which handles many message types, in this case we are interested in PortFwdLIst

    message PortFwdCfg {
        required string ethaddr = 1;
        required int32 protocol = 2;
        required int32 in_port = 3;
        required int32 ext_port = 4;
        optional string ipadr = 5;                  [1]
        optional string name = 6;                   [2]
        optional int32 in_port_end = 7;
        optional int32 ext_port_end = 8;
        optional int32 wan_interface = 9;
    }
    message PortFwdList {
        repeated PortFwdCfg rule = 1;    //This is not optional, so it must be resolved by hand to compile to .proto
        optional uint64 timestamp = 2;
    }     
    

Using \[1\] and \[2\] we have control over both ipadr and name in the packet, the parsing of the data within the protobuffer is conf_set_port_fwd_cfg

    00415a44  int32_t conf_set_port_fwd_cfg(int32_t arg1, int32_t arg2, int32_t arg3)
    
    00415a64      arg_0 = arg1
    00415a70      int32_t $a3
    00415a70      arg_c = $a3
    00415a90      void var_108
    00415a90      memset(&var_108, 0, 0x80)
    00415ab8      void var_88
    00415ab8      memset(&var_88, 0, 0x80)
    00415adc      struct PortFwdList* pkt = port_fwd_list__unpack(0, arg3, arg2)                             [3]
    00415af0      int32_t $v0_2
    00415af0      if (pkt == 0) {
    00415b1c          printf("[%s][%d][niuwu] Unpack failed %d…", "conf_set_port_fwd_cfg", 0x145, arg3)
    00415b28          $v0_2 = 0xffffffff
    00415b28      } else {
    00415b3c          clear_all_port_fwd_mib()
    00415b54          set_port_fwd_rule(pkt: pkt)                                                            [4]
    ... 
    

At \[3\] the protobuffer is unpacked into a structure and then at \[4\] the structure is passed into set_port_fwd_rule

    004148c0  int32_t set_port_fwd_rule(struct PortFwdList* pkt)
    
    004148e4      int32_t var_170 = 0
    004148e8      int32_t var_16c = 0
    004148ec      int32_t var_168 = 0
    004148f0      int32_t var_164 = 0
    004148f4      int16_t var_160 = 0
    004148f8      int32_t var_15c = 0
    004148fc      int32_t var_158 = 0
    00414900      int32_t var_154 = 0
    00414904      int32_t var_150 = 0
    00414908      int16_t var_14c = 0
    00414928      uint8_t var_148[0x40]
    00414928      memset(&var_148, 0, 0x40)
    00414950      uint8_t var_108[0x80]
    00414950      memset(&var_108, 0, 0x80)
    00414978      uint8_t var_88[0x80]
    00414978      memset(&var_88, 0, 0x80)              [5]
    00414984      int32_t var_174 = 0
    00414988      int32_t var_180 = 0
    0041498c      int32_t var_184 = 0
    00414990      int32_t var_188 = 0
    00414d20      int32_t pkt_in_port
    00414d20      int32_t pkt_in_port_end
    00414d20      char* pkt_ipAddr
    00414d20      int32_t pkt_protocol
    00414d20      char* pkt_name
    00414d20      for (int32_t var_174_1 = 0; var_174_1 u< pkt->rule_count; var_174_1 = var_174_1 + 1) {
    004149b4          struct PortFwdCfg* $v0_5 = *(pkt->rules + (var_174_1 << 2))
    004149d0          if ($v0_5 != 0 && $v0_5->ipAddr != 0) {
    004149e0              if ($v0_5->is_in_port_end_present == 0) {
    004149f4                  $v0_5->in_port_end = $v0_5->in_port
    004149ec              }
    00414a00              if ($v0_5->is_ext_port_end_present == 0) {
    00414a14                  $v0_5->ext_port_end = $v0_5->ext_port
    00414a0c              }
    00414a5c              pkt_in_port = $v0_5->in_port
    00414a60              pkt_in_port_end = $v0_5->in_port_end
    00414a64              pkt_ipAddr = $v0_5->ipAddr
    00414a68              pkt_protocol = $v0_5->protocol
    00414a6c              pkt_name = $v0_5->name
    00414a80              sprintf(&var_88, "0;%d-%d;%d-%d;%s;%d;1;%s;", $v0_5->ext_port, $v0_5->ext_port_end, pkt_in_port, pkt_in_port_end, pkt_ipAddr, pkt_protocol, pkt_name)                    [6]
    ... 
    

At \[5\] we can see that the static buffer used for sprintf is 0x80 bytes. At \[6\] (below in ASM) we can see that the user provided data from the protobuf packet is being used directly in the sprintf which can result in a simple stack-based buffer overflow.

    00414a18  b480828f   lw      $v0, -0x7f4c($gp)  {data_4a6564}
    00414a1c  30b94524   addiu   $a1, $v0, -0x46d0  {data_47b930, "0;%d-%d;%d-%d;%s;%d;1;%s;"}       [8]
    00414a20  4000c28f   lw      $v0, 0x40($fp) {var_178_1}
    00414a24  1800438c   lw      $v1, 0x18($v0) {PortFwdCfg::ext_port}
    00414a28  4000c28f   lw      $v0, 0x40($fp) {var_178_1}
    00414a2c  3000428c   lw      $v0, 0x30($v0) {PortFwdCfg::ext_port_end}
    00414a30  4000c48f   lw      $a0, 0x40($fp) {var_178_1}
    00414a34  14008a8c   lw      $t2, 0x14($a0) {PortFwdCfg::in_port}
    00414a38  4000c48f   lw      $a0, 0x40($fp) {var_178_1}
    00414a3c  2800898c   lw      $t1, 0x28($a0) {PortFwdCfg::in_port_end}
    00414a40  4000c48f   lw      $a0, 0x40($fp) {var_178_1}
    00414a44  1c00888c   lw      $t0, 0x1c($a0) {PortFwdCfg::ipAddr}                                 [9]
    00414a48  4000c48f   lw      $a0, 0x40($fp) {var_178_1}
    00414a4c  1000878c   lw      $a3, 0x10($a0) {PortFwdCfg::protocol}
    00414a50  4000c48f   lw      $a0, 0x40($fp) {var_178_1}
    00414a54  2000868c   lw      $a2, 0x20($a0) {PortFwdCfg::name}                                   [10]
    00414a58  3001c427   addiu   $a0, $fp, 0x130 {var_88}                                            [7]
    00414a5c  1000aaaf   sw      $t2, 0x10($sp) {pkt_in_port}
    00414a60  1400a9af   sw      $t1, 0x14($sp) {pkt_in_port_end}
    00414a64  1800a8af   sw      $t0, 0x18($sp) {pkt_ipAddr}
    00414a68  1c00a7af   sw      $a3, 0x1c($sp) {pkt_protocol}
    00414a6c  2000a6af   sw      $a2, 0x20($sp) {pkt_name}
    00414a70  21306000   move    $a2, $v1
    00414a74  21384000   move    $a3, $v0
    00414a78  0088828f   lw      $v0, -0x7800($gp)  {sprintf}
    00414a7c  21c84000   move    $t9, $v0
    00414a80  09f82003   jalr    $t9
    00414a84  00000000   nop    
    

Here we can see at \[7\] that the stack buffer is the first argument of sprintf, \[8\] shows the format string that is being used, while \[9\] and \[10\] show both controllable inputs into the format string with the %s formatter. Both ipAddr and name can be used to trigger this stack-based buffer overflow.

**Crash Information**

    Program received signal SIGSEGV, Segmentation fault.
    0x00414d18 in set_port_fwd_rule ()
    [ Legend: Modified register | Code | Heap | Stack | String ]
    ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
    $zero: 0x0
    $at  : 0x771ee3ab  →  "anage][472][luminais] Login [0]\nfo [0]\ny = devic[...]"
    $v0  : 0x41414141 ("AAAA"?)
    $v1  : 0x1
    $a0  : 0x771eb1bc  →  0x00000000
    $a1  : 0x771ee3ab  →  "anage][472][luminais] Login [0]\nfo [0]\ny = devic[...]"
    $a2  : 0x0
    $a3  : 0x0
    $t0  : 0x0
    $t1  : 0x2
    $t2  : 0x1
    $t3  : 0xfffffff8
    $t4  : 0x807
    $t5  : 0x800
    $t6  : 0x0
    $t7  : 0x8
    $s0  : 0x7fdd2ba8  →  0x82011707
    $s1  : 0x7fdd2ba8  →  0x82011707
    $s2  : 0x775daa60  →  "uc_api_lib.c"
    $s3  : 0x0
    $s4  : 0x775dbbe4  →  "_session_read_and_dispatch"
    $s5  : 0x775c1090  →  0x3c1c0003
    $s6  : 0xa2
    $s7  : 0x10
    $t8  : 0x10
    $t9  : 0x771cb52c  →  0x3c1c0002
    $k0  : 0x0047b8d1  →  0x61000000
    $k1  : 0x0
    $s8  : 0x7fdd2798  →  0x004bc428  →  0x00000000
    $pc  : 0x00414d18  →  0x8c42000c ("
                                       "?)
    $sp  : 0x7fdd2798  →  0x004bc428  →  0x00000000
    $hi  : 0x0
    $lo  : 0x0
    $fir : 0x0
    $ra  : 0x00414b28  →  0x8fdc0028 ("("?)
    $gp  : 0x004ae4b0  →  0x00000000
    ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
    0x7fdd2798│+0x0000: 0x004bc428  →  0x00000000    ← $s8, $sp
    0x7fdd279c│+0x0004: 0x7fdd28c8  →  "0;8088-8088;8088-8088;;1;1;AAAAAAAAAAAAAAAAAAAAAAA[...]"
    0x7fdd27a0│+0x0008: 0x00000001
    0x7fdd27a4│+0x000c: 0x0047b949  →  0x31000000
    0x7fdd27a8│+0x0010: 0x00001f98
    0x7fdd27ac│+0x0014: 0x00001f98
    0x7fdd27b0│+0x0018: 0x004bc2d8  →  0x771f1500  →  0x00000000
    0x7fdd27b4│+0x001c: 0x00000001
    ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:mips:MIPS32 ────
         0x414d0c <set_port_fwd_rule+1100> sw     v0, 68(s8)
         0x414d10 <set_port_fwd_rule+1104> lw     v1, 68(s8)
         0x414d14 <set_port_fwd_rule+1108> lw     v0, 440(s8)
     →   0x414d18 <set_port_fwd_rule+1112> lw     v0, 12(v0)
         0x414d1c <set_port_fwd_rule+1116> sltu   v0, v1, v0
         0x414d20 <set_port_fwd_rule+1120> bnez   v0, 0x4149a0 <set_port_fwd_rule+224>
         0x414d24 <set_port_fwd_rule+1124> nop
         0x414d28 <set_port_fwd_rule+1128> lw     v0, -32588(gp)
         0x414d2c <set_port_fwd_rule+1132> addiu  v0, v0, -18220
    ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
    [#0] Id 1, stopped 0x414d18 in set_port_fwd_rule (), reason: SIGSEGV
    ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
    [#0] 0x414d18 → set_port_fwd_rule()
    ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────-
    

**TIMELINE**

2022-02-08 - Initial Vendor Contact  
2022-02-09 - Vendor Disclosure  
2022-08-01 - Public Release

Discovered by Carl Hurd of Cisco Talos.

CVE-2022-23399: TALOS-2022-1454 || Cisco Talos Intelligence Group

A memory corruption vulnerability exists in the httpd unescape functionality of DD-WRT Revision 32270 - Revision 48599. A specially-crafted HTTP request can lead to memory corruption. An attacker can send a network request to trigger this vulnerability.

**Summary**

A memory corruption vulnerability exists in the httpd unescape functionality of DD-WRT Revision 32270 - Revision 48599. A specially-crafted HTTP request can lead to memory corruption. An attacker can send a network request to trigger this vulnerability.

**Tested Versions**

DD-WRT Revision 32270 - Revision 48599

**Product URLs**

DD-WRT - https://dd-wrt.com/

**CVSSv3 Score**

5.3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

**CWE**

CWE-20 - Improper Input Validation

**Details**

DD-WRT is a Linux-based firmware for embedded systems. This open-source firmware offers several functionalities like: VPN integrations, ease of configuration through web browser, WLAN supports, etc.

The DD-WRT’s httpd component has a file named cgi.c that contains CGI helper functions. One of these functions is unescape:

    static void unescape(char *s)
    {
        unsigned int c;
    
        while ((s = strpbrk(s, "%+"))) {                                                                    [1]
            /* Parse %xx */
            if (*s == '%') {
                sscanf(s + 1, "%02x", &c);                                                                  [2]
                *s++ = (char)c;                                                                             [3]
                strncpy(s, s + 2, strlen(s) + 1);                                                           [4]
            }
            /* Space is special */
            else if (*s == '+')
                *s++ = ' ';
        }
    }
    

This function take as argument a string. If URL-encoded, this function will decode it. At [1], there is a loop that takes the next % or + in the string. If a % is found, then at [2], the two characters following it are converted from hex values to a single character. At [3] the converted character replaces the % character and the string pointer advance. At [4] the string after the already-parsed URL-encoded character is moved left by two positions. This will replace the parsed characters. A string like “A…B%41%42” would go through the following steps:

    |A|...|B|%|4|1|%|4|2|NULL|                       at    [1]/[2]
    |A|...|B|A|4|1|%|4|2|NULL|                       after [3]
    |A|...|B|A|%|4|2|NULL|NULL|NULL|                 after [4]
    

Eventually, after the second iteration of the loop, we would end up like this:

    |A|...|B|A|B|NULL|NULL|NULL|NULL|NULL|            after [4]
    

The unescape function assumes, wrongly, that after a % there are always at least two characters. If this is not the case, the instruction at [4] would cause an out-of bounds read and could cause also an out-of-bounds write. Let’s take for instance the following string “A…B%a”; this would go through the following steps:

    |A|...|B|%|a|NULL|Q|Q|Q|Q|Q|                      at    [1]/[2]
    |A|...|B|\n|a|NULL|Q|Q|Q|Q|Q|                     after [3]
                ^ s points to 'a'                     after [3]
    

Assuming that after the string there is other data, in this scenario the string “QQQQQ”, s+2, at [4], will point to the first Q. So after [4] the string will look like:

    |A|...|B|\n|a|NULL|Q|Q|Q|Q|Q|                     after [3]
                       ^ s+2 point to the first Q     at [4]
    |A|...|B|\n|Q|Q|Q|Q|Q|Q|Q|                        after [4]
    

The result would be the string “A…B\\nQQQQQQQ…”.

**Timeline**

2022-04-11 - Initial vendor contact  
2022-04-27 - Vendor Disclosure  
2022-05-06 - Talos - Follow-up Sent  
2022-06-07 - Talos - Follow-up Sent  
2022-07-14 - Talos - Follow-up Sent  
2022-07-27 - Public Release

Discovered by Francesco Benvenuto of Cisco Talos.

Tag

#intel