An issue was discovered in Poppler 22.07.0. There is a reachable abort which leads to denial of service because the main function in pdfunite.cc lacks a stream check before saving an embedded file.

When testing #706 (closed), we found the bug is not completely patched in pdfunite. To reproduce the bug, run pdfunite t.pdf poc 2.pdf.

    (gdb) bt
    #0  0x00007ffff72467bb in raise () from /lib/x86_64-linux-gnu/libc.so.6
    #1  0x00007ffff7231535 in abort () from /lib/x86_64-linux-gnu/libc.so.6
    #2  0x000000000040d7a1 in Object::getDict (this=<optimized out>)
        at /home/users/chluo/poppler/poppler/Object.h:435
    #3  main (argc=<optimized out>, argv=<optimized out>)
        at /home/users/chluo/poppler/utils/pdfunite.cc:200

uni.zip

Edited Jul 28, 2022 by

CVE-2022-37051: SIGABRT at poppler/Object.h:435 (pdfunite) (#1276) · Issues · poppler / poppler · GitLab

A reachable Object::getString assertion in Poppler 22.07.0 allows attackers to cause a denial of service due to a failure in markObject.

We are currently migrating away from gitlab hosting cloud for the registry. There will be a final maintenance down time on Sunday 27th August, from approx 8-12am UTC. See the tracker issue for more informations. Note that the registry will see a brief outage, and potentially lag between uploads and availability during that window.

CVE-2022-37052: pdfseparate: Account for XRef::add failing because we run out of memory (86775003) · Commits · poppler / poppler · GitLab

In Poppler 22.07.0, PDFDoc::savePageAs in PDFDoc.c callows attackers to cause a denial-of-service (application crashes with SIGABRT) by crafting a PDF file in which the xref data structure is mishandled in getCatalog processing. Note that this vulnerability is caused by the incomplete patch of CVE-2018-20662.

Hi, we found a bug in the latest version of poppler (commit b9643712), the bug causes the program to crash with the following backtrace.

To reproduce it, run pdfseparate poc 1.pdf

    (gdb) bt
    #0  0x00007ffff72467bb in raise () from /lib/x86_64-linux-gnu/libc.so.6
    #1  0x00007ffff7231535 in abort () from /lib/x86_64-linux-gnu/libc.so.6
    #2  0x00007ffff7bee76f in Object::getDict (this=<optimized out>)
        at /home/users/chluo/poppler/poppler/Object.h:435
    #3  PDFDoc::savePageAs (this=0x466e10, name=..., pageNo=1)
        at /home/users/chluo/poppler/poppler/PDFDoc.cc:889
    #4  0x0000000000408659 in extractPages (srcFileName=<optimized out>,
        destFileName=0x7fffffffe6eb "./1.pdf")
        at /home/users/chluo/poppler/utils/pdfseparate.cc:123
    #5  main (argc=<optimized out>, argv=<optimized out>)
        at /home/users/chluo/poppler/utils/pdfseparate.cc:156

sep.zip

Seems that this bug is related to #706 (closed). 7b4e372d partially fixes #706 (closed) yet it is incomplete.

Edited Jul 27, 2022 by

CVE-2022-37050: SIGABRT at poppler/Object.h:435 (#1274) · Issues · poppler / poppler · GitLab

Uncontrolled Recursion in pdfinfo, and pdftops in poppler 0.89.0 allows remote attackers to cause a denial of service via crafted input.

We are currently migrating away from gitlab hosting cloud for the registry. There will be a final maintenance down time on Sunday 27th August, from approx 8-12am UTC. See the tracker issue for more informations. Note that the registry will see a brief outage, and potentially lag between uploads and availability during that window.

*   poppler
*   poppler
*   Issues
*   #936

I find an overflow in XRef, which is caused by mutual recursive call.

./pdfinfo ./xref.pdf

xref.zip

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information

CVE-2020-23804: Overflow in Xref (#936) · Issues · poppler / poppler · GitLab

An issue was discovered in Poppler 22.08.0. There is a reachable assertion in Object.h, will lead to denial of service because PDFDoc::replacePageDict in PDFDoc.cc lacks a stream check before saving an embedded file.

Hi, we found a bug in poppler/PDFDoc.cc:1755. When the bug is triggered, the program would crash with the following backtrace.

To reproduce, run pdfunite t.pdf poc 2.pdf

    (gdb) bt
    #0  0x00007ffff745f8c1 in raise () from /lib/x86_64-linux-gnu/libc.so.6
    #1  0x00007ffff7449546 in abort () from /lib/x86_64-linux-gnu/libc.so.6
    #2  0x00007ffff7a5eb18 in Object::getDict (this=0x7fffffffe0c8)
        at /home/users/chluo/pop/poppler/Object.h:435
    #3  PDFDoc::replacePageDict (this=0x5555555bb430, pageNo=<optimized out>,
        rotate=90, mediaBox=0x5555555e3b50, cropBox=0x5555555e3b70)
        at /home/users/chluo/pop/poppler/PDFDoc.cc:1755
    #4  0x000055555555c9fa in main (argc=<optimized out>, argv=<optimized out>)
        at /home/users/chluo/pop/utils/pdfunite.cc:290

The bug is relevant to #706 (closed) and #1276 (closed).

poc.zip

CVE-2022-38349: SIGABRT at poppler/PDFDoc.cc:1755 (#1282) · Issues · poppler / poppler · GitLab

Buffer Overflow vulnerability in HtmlOutputDev::page in poppler 0.75.0 allows attackers to cause a denial of service.

    ~/fuzz/poppler/utils]$ ./pdftohtml ./in/poc -f 1 /dev/null                                              *[master] 
    Syntax Error (738): Dictionary key must be a name object
    Syntax Error (751): Dictionary key must be a name object
    Syntax Error (758): Illegal character '>'
    Syntax Error (763): Dictionary key must be a name object
    Syntax Error (769): Dictionary key must be a name object
    Syntax Error (798): Illegal character ')'
    Syntax Error (798): Dictionary key must be a name object
    Syntax Error (820): Dictionary key must be a name object
    Syntax Error (820): Illegal character '{'
    Syntax Error (820): Dictionary key must be a name object
    Syntax Error (846): Dictionary key must be a name object
    Syntax Error (846): Dictionary key must be a name object
    Syntax Error (849): Dictionary key must be a name object
    Syntax Error (849): Illegal character '{'
    Syntax Error (849): Dictionary key must be a name object
    Syntax Error (899): Dictionary key must be a name object
    Syntax Error (899): Illegal character ')'
    Syntax Error (899): Dictionary key must be a name object
    Syntax Error (905): Dictionary key must be a name object
    Syntax Error (905): Dictionary key must be a name object
    Syntax Error (916): Dictionary key must be a name object
    Syntax Error (926): Dictionary key must be a name object
    Syntax Error (933): Dictionary key must be a name object
    Syntax Error (935): Dictionary key must be a name object
    Syntax Error (937): Dictionary key must be a name object
    Syntax Error (941): Dictionary key must be a name object
    Syntax Error (943): Dictionary key must be a name object
    Syntax Error (950): Dictionary key must be a name object
    I/O Error: Couldn't open html file '/dev/null.html'
    I/O Error: Couldn't open html file '/dev/null_ind.html'
    ASAN:SIGSEGV
    =================================================================
    ==49519==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f849ee7c6f8 bp 0x611000009950 sp 0x7
    ffc717cbd00 T0)
        #0 0x7f849ee7c6f7 in _IO_fwrite (/lib/x86_64-linux-gnu/libc.so.6+0x6e6f7)
        #1 0x52d565 in HtmlOutputDev::~HtmlOutputDev() /home/greydog/fuzz/poppler/utils/HtmlOutputDev.cc:1221
        #2 0x52d860 in HtmlOutputDev::~HtmlOutputDev() /home/greydog/fuzz/poppler/utils/HtmlOutputDev.cc:1227
        #3 0x50543f in main /home/greydog/fuzz/poppler/utils/pdftohtml.cc:457
        #4 0x7f849ee2e82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
        #5 0x508818 in _start (/home/greydog/fuzz/poppler/utils/pdftohtml+0x508818)
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV ??:0 _IO_fwrite
    ==49519==ABORTING 

    [----------------------------------registers-----------------------------------]
    RAX: 0x0 
    RBX: 0x10 
    RCX: 0xbebebebebebebebe 
    RDX: 0x10 
    RSI: 0x1 
    RDI: 0xacd440 ("</body>\n</html>\n")
    RBP: 0x611000009950 --> 0xbebebebebebebebe 
    RSP: 0x7fffffffd3d0 --> 0x60300001dce0 --> 0x606023800004 --> 0x0 
    RIP: 0x7ffff47d56f8 (<__GI__IO_fwrite+24>:      mov    eax,DWORD PTR [rcx])
    R8 : 0x0 
    R9 : 0xc220000132a --> 0x0 
    R10: 0x62c 
    R11: 0x7ffff47d56e0 (<__GI__IO_fwrite>: push   r14)
    R12: 0x6110000098c0 --> 0xe3bf48 --> 0x52ce50 (<HtmlOutputDev::~HtmlOutputDev()>:       lea    rsp,[rsp-0x98])
    R13: 0xc2200001329 --> 0x0 
    R14: 0x611000009948 --> 0x0 
    R15: 0x603000001120 --> 0x603000001130 ("./in/poc")
    EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
    [-------------------------------------code-------------------------------------]
       0x7ffff47d56eb <__GI__IO_fwrite+11>: imul   rbx,rdx
       0x7ffff47d56ef <__GI__IO_fwrite+15>: test   rbx,rbx
       0x7ffff47d56f2 <__GI__IO_fwrite+18>: je     0x7ffff47d57e8 <__GI__IO_fwrite+264>
    => 0x7ffff47d56f8 <__GI__IO_fwrite+24>: mov    eax,DWORD PTR [rcx]
       0x7ffff47d56fa <__GI__IO_fwrite+26>: mov    r12,rdi
       0x7ffff47d56fd <__GI__IO_fwrite+29>: mov    r10,rsi
       0x7ffff47d5700 <__GI__IO_fwrite+32>: mov    r9,rcx
       0x7ffff47d5703 <__GI__IO_fwrite+35>: and    eax,0x8000
    [------------------------------------stack-------------------------------------]
    0000| 0x7fffffffd3d0 --> 0x60300001dce0 --> 0x606023800004 --> 0x0 
    0008| 0x7fffffffd3d8 --> 0x611000009950 --> 0xbebebebebebebebe 
    0016| 0x7fffffffd3e0 --> 0x6110000098c0 --> 0xe3bf48 --> 0x52ce50 (<HtmlOutputDev::~HtmlOutputDev()>:   lea    rsp,[rsp-0x98])
    0024| 0x7fffffffd3e8 --> 0xc2200001329 --> 0x0 
    0032| 0x7fffffffd3f0 --> 0x611000009948 --> 0x0 
    0040| 0x7fffffffd3f8 --> 0x52d566 (<HtmlOutputDev::~HtmlOutputDev()+1814>:      mov    rcx,rbp)
    0048| 0x7fffffffd400 --> 0x60600000d488 --> 0xbebebebebebebebe 
    0056| 0x7fffffffd408 --> 0x60300001e730 --> 0x60300001e740 ("/dev/null")
    [------------------------------------------------------------------------------]
    Legend: code, data, rodata, value
    Stopped reason: SIGSEGV
    __GI__IO_fwrite (buf=buf@entry=0xacd440, size=size@entry=0x1, count=count@entry=0x10, fp=0xbebebebebebebebe)
        at iofwrite.c:37
    37      iofwrite.c: No such file or directory.
    gdb-peda$ bt 10
    #0  __GI__IO_fwrite (buf=buf@entry=0xacd440, size=size@entry=0x1, count=count@entry=0x10, fp=0xbebebebebebebebe)
        at iofwrite.c:37
    #1  0x000000000052d566 in HtmlOutputDev::~HtmlOutputDev (this=0x6110000098c0, __in_chrg=<optimized out>)
        at /home/greydog/fuzz/poppler/utils/HtmlOutputDev.cc:1221
    #2  0x000000000052d861 in HtmlOutputDev::~HtmlOutputDev (this=0x6110000098c0, __in_chrg=<optimized out>)
        at /home/greydog/fuzz/poppler/utils/HtmlOutputDev.cc:1227
    #3  0x0000000000505440 in main (argc=0x3, argc@entry=0x5, argv=argv@entry=0x7fffffffd7e8)
        at /home/greydog/fuzz/poppler/utils/pdftohtml.cc:457
    #4  0x00007ffff4787830 in __libc_start_main (main=0x503bf0 <main(int, char**)>, argc=0x5, argv=0x7fffffffd7e8, 
        init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffd7d8)
        at ../csu/libc-start.c:291
    #5  0x0000000000508819 in _start ()
    
    
    [----------------------------------registers-----------------------------------]                           [23/9786]
    RAX: 0x0 
    RBX: 0xffffffffaa2 --> 0x0 
    RCX: 0x6110000098c0 --> 0xe3bf48 --> 0x52ce50 (<HtmlOutputDev::~HtmlOutputDev()>:       lea    rsp,[rsp-0x98])
    RDX: 0xc2200001318 --> 0x0 
    RSI: 0xe3bf48 --> 0x52ce50 (<HtmlOutputDev::~HtmlOutputDev()>:  lea    rsp,[rsp-0x98])
    RDI: 0x6110000098c0 --> 0xe3bf48 --> 0x52ce50 (<HtmlOutputDev::~HtmlOutputDev()>:       lea    rsp,[rsp-0x98])
    RBP: 0x7fffffffd510 --> 0x41b58ab3 
    RSP: 0x7fffffffd458 --> 0x505440 (<main(int, char**)+6224>:     mov    DWORD PTR [rsp+0x18],0x0)
    RIP: 0x52d820 (<HtmlOutputDev::~HtmlOutputDev()>:       lea    rsp,[rsp-0x98])
    R8 : 0x1c77ea 
    R9 : 0x1c80b 
    R10: 0x6110000098c0 --> 0xe3bf48 --> 0x52ce50 (<HtmlOutputDev::~HtmlOutputDev()>:       lea    rsp,[rsp-0x98])
    R11: 0x1c7856 
    R12: 0x60300001e730 --> 0x60300001e740 ("/dev/null")
    R13: 0xef4140 --> 0x0 
    R14: 0x610000007d40 --> 0x603000001090 --> 0x6030000010a0 ("./in/poc")
    R15: 0x603000001120 --> 0x603000001130 ("./in/poc")
    EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
    [-------------------------------------code-------------------------------------]
       0x52d810 <HtmlOutputDev::~HtmlOutputDev()+2496>:     call   0x5007f0 <__stack_chk_fail@plt>
       0x52d815 <HtmlOutputDev::~HtmlOutputDev()+2501>:     call   0x501640 <__asan_report_load8@plt>
       0x52d81a:    nop    WORD PTR [rax+rax*1+0x0]
    => 0x52d820 <HtmlOutputDev::~HtmlOutputDev()>:  lea    rsp,[rsp-0x98]
       0x52d828 <HtmlOutputDev::~HtmlOutputDev()+8>:        mov    QWORD PTR [rsp],rdx
       0x52d82c <HtmlOutputDev::~HtmlOutputDev()+12>:       mov    QWORD PTR [rsp+0x8],rcx
       0x52d831 <HtmlOutputDev::~HtmlOutputDev()+17>:       mov    QWORD PTR [rsp+0x10],rax
       0x52d836 <HtmlOutputDev::~HtmlOutputDev()+22>:       mov    rcx,0xee1
    [------------------------------------stack-------------------------------------]
    
      0x52d810 <HtmlOutputDev::~HtmlOutputDev()+2496>:     call   0x5007f0 <__stack_chk_fail@plt>
       0x52d815 <HtmlOutputDev::~HtmlOutputDev()+2501>:     call   0x501640 <__asan_report_load8@plt>
       0x52d81a:    nop    WORD PTR [rax+rax*1+0x0]
    => 0x52d820 <HtmlOutputDev::~HtmlOutputDev()>:  lea    rsp,[rsp-0x98]
       0x52d828 <HtmlOutputDev::~HtmlOutputDev()+8>:        mov    QWORD PTR [rsp],rdx
       0x52d82c <HtmlOutputDev::~HtmlOutputDev()+12>:       mov    QWORD PTR [rsp+0x8],rcx
       0x52d831 <HtmlOutputDev::~HtmlOutputDev()+17>:       mov    QWORD PTR [rsp+0x10],rax
       0x52d836 <HtmlOutputDev::~HtmlOutputDev()+22>:       mov    rcx,0xee1
    [------------------------------------stack-------------------------------------]
    0000| 0x7fffffffd458 --> 0x505440 (<main(int, char**)+6224>:    mov    DWORD PTR [rsp+0x18],0x0)
    0008| 0x7fffffffd460 --> 0x7ffff53d5ac8 (:wcout+8>:     0x00007ffff53d0a10)
    0016| 0x7fffffffd468 --> 0x7fffffffd6d0 --> 0x0 
    0024| 0x7fffffffd470 --> 0x7fffffffd510 --> 0x41b58ab3 
    0032| 0x7fffffffd478 --> 0x6110000098c0 --> 0xe3bf48 --> 0x52ce50 (<HtmlOutputDev::~HtmlOutputDev()>:   lea    rsp,[rsp-0x98])
    0040| 0x7fffffffd480 --> 0xef3fc0 --> 0x0 
    0048| 0x7fffffffd488 --> 0x60300001e250 --> 0x60307a800001 --> 0x0 
    0056| 0x7fffffffd490 --> 0x60300001e1f0 --> 0x60607b800002 --> 0x0 
    [------------------------------------------------------------------------------]
    Legend: code, data, rodata, value
    
    Breakpoint 1, HtmlOutputDev::~HtmlOutputDev (this=0x6110000098c0, __in_chrg=<optimized out>)
        at /home/greydog/fuzz/poppler/utils/HtmlOutputDev.cc:1201
    1201    HtmlOutputDev::~HtmlOutputDev() {
    gdb-peda$ p page
    $1 = (FILE *) 0xbebebebebebebebe
    gdb-peda$ list
    1196        delete htmlEncoding;
    1197      }
    1198      ok = true; 
    1199    }
    1200
    1201    HtmlOutputDev::~HtmlOutputDev() {
    1202        delete Docname;
    1203        delete docTitle;
    1204
    1205        for (auto entry : *glMetaVars) {

CVE-2020-18839: pdftohtml memory crash (#742) · Issues · poppler / poppler · GitLab

By Habiba Rashid
TP-Link Tapo L530E Smart Bulb found vulnerable, putting user WiFi credentials at risk.
This is a post from HackRead.com Read the original post: TP-Link Smart Bulb Users at Risk of WiFi Password Theft

The vulnerabilities of the smart bulb were identified by cybersecurity researchers from Italy and the United Kingdom.

**Summary**

*   Security researchers have found vulnerabilities in the TP-Link Tapo L530E smart bulb and the corresponding Tapo app.

*   These vulnerabilities could allow attackers to steal users’ WiFi passwords and gain unauthorized access to their networks.

*   The vulnerabilities are rated as high and medium severity, and affect both the hardware and software of the smart bulb.

*   TP-Link has acknowledged the vulnerabilities and is working on a fix.

*   In the meantime, users are advised to update the firmware of their smart bulbs and use strong passwords.

In the era of expanding home automation, the convenience of controlling devices remotely and optimizing energy consumption is met with an emerging concern: the security of interconnected smart devices.

A recent investigation by security researchers from Italy and the UK has illuminated potential vulnerabilities in the popular TP-Link Tapo L530E smart bulb and the corresponding Tapo app, exposing users to the risk of having their WiFi passwords stolen by malicious actors.

The TP-Link Tapo L530E smart bulb, a common sight in homes and available on major marketplaces such as Amazon, has become a focal point for researchers due to its extensive adoption. The study (PDF), conducted by experts from the Universita di Catania and the University of London, talks about broader security risks prevalent in the expansive world of Internet of Things (IoT) devices, many of which exhibit subpar authentication safeguards and insecure data transmission practices.

The following four distinct vulnerabilities have been identified within the TP-Link Tapo L530E smart bulb and the Tapo app, each presenting its unique security implications:

**Improper Authentication: **

The primary vulnerability is rooted in improper authentication during the session key exchange process. This flaw permits attackers in close proximity to the device to impersonate it, resulting in the compromise of Tapo user passwords and control over Tapo devices. With a high-severity CVSS v3.1 score of 8.8, this exploit represents a substantial risk.

**Hard-coded Weakness:**

The second vulnerability, also high-severity with a CVSS v3.1 score of 7.6, is a result of a hardcoded short checksum shared secret. Malicious actors can exploit this flaw by engaging in brute-forcing techniques or by decompiling the Tapo app. 

**Predictable encryption_:_**

The third flaw, rated with a medium severity, pertains to the predictable nature of symmetric encryption due to a lack of randomness in its application. 

**Replay Attacks:**

Lastly, the fourth vulnerability allows attackers to conduct replay attacks, effectively replicating previously intercepted messages to manipulate device functions.

Keeping in mind the vulnerabilities above, the researchers showcased several scenarios which a malicious actor may be inclined to employ. In the first scenario, an attacker exploits the first and second vulnerabilities to impersonate the smart bulb and compromise a user’s Tapo account.

By infiltrating the Tapo app, the attacker can extract critical WiFi information, including the SSID and password, enabling unauthorized access to all devices linked to the same network. Though this attack requires the device to be in setup mode, attackers can easily disrupt the bulb’s functionality and prompt a reset, thus enabling the execution of the attack.

For the second scenario, the researchers delved into Man-in-the-Middle (MITM) attacks, showcasing the potential for attackers to intercept and manipulate communications between the Tapo app and the bulb.

By exploiting the first vulnerability, attackers can capture RSA encryption keys, which are then exploited to decode further data exchanges. Moreover, unconfigured Tapo devices can be utilized in MITM attacks to extract sensitive information during the setup process.

TP-Link Tapo L530E smart bulb on Amazon – The data extracted by researchers

In a comment to Hackread.com, Andrew Bolster, Senior R&D Manager for Data Science at Synopsys Software Integrity Group told Hackread.com that, “These new vulnerability notices demonstrate again that while consumers want to believe that the smart devices that we bring into our homes and make part of our lives are somehow completely isolated and secure, security is not that simple.”

Andrew warned that “As Synopsys previously demonstrated with last year’s Vulnerability Advisory on IKEA smart bulbs, these assistive and clever devices can be the weak-link into the trusted home environment; A beachhead for malicious actors to then gain horizontal access to other devices behind the ‘secure’ firewall. And as we add increasingly smart devices, be it fridges, voice assistants, heating controllers, vacuum cleaners, etc, opportunity for security failures to spread expands exponentially.”

“As with any modern security threat model, defence-in-depth and trust-but-verify stand; smart devices should be kept on separate WiFi networks from personal devices where possible, and the inbound/outbound connections into this network should be heavily restricted,” he emphasised.

The findings of this investigation have been responsibly disclosed to TP-Link, prompting acknowledgement from the vendor. Assurances have been made that fixes for the vulnerabilities will be implemented in both the app and the bulb’s firmware. However, specific details about the availability of these fixes and the versions still susceptible remain undisclosed.

Here are some additional safety guidelines that users should follow:

*   Only connect your smart bulbs to trusted networks.
*   Keep your smart bulbs up to date with the latest firmware.
*   Be careful about what information you share with smart bulb apps.
*   Use strong passwords and enable multi-factor authentication for your smart bulb accounts.
*   If you think your smart bulb has been compromised, change your passwords and reset your devices.

In light of these vulnerabilities and the expanding realm of IoT devices, isolating such devices from critical networks, updating firmware and app versions, and bolstering account protection through strong passwords and multi-factor authentication remains the recommended practices.

**RELATED ARTICLES**

1.  IoT devices could help authorities solve criminal cases
2.  Hackers can use flaw in Philips smart light bulbs to spread malware
3.  Hackers can clone your lock keys by recording clicks from smartphone
4.  Whitehat hacker shows how to detect hidden cameras in Airbnb, hotels
5.  Lamphone attack recovers secretive conversations via hanging light bulb

TP-Link Smart Bulb Users at Risk of WiFi Password Theft

An issue in TPLink Smart bulb Tapo series L530 v.1.0.0 and Tapo Application v.2.8.14 allows a remote attacker to obtain sensitive information via the IV component in the AES128-CBC function.

%PDF-1.5 %� 150 0 obj << /Filter /FlateDecode /Length 4293 >> stream xڍZKs����W���D���w�M)�I�X�j7��A����\_���{�!nR�����{�=n�o��?�.ʐ����&�?N�4M�4�o�û\_��1�j��8�Y4#o��w���nk��:~����?삛���Ax��t;���4��,Jnꛟ��g�v��R����7�x�-�<�R�)���������o��=�i>$���wY�a�-Vioq�A,�NM�6c95�\* C��m�z���a�/A��qM-�㫔6 \`�(j��@W/i���m��4�M��r��G{��Q���G�"���ǉ�Xm��֔�^��?N\]SكP�ь#\*+�� F!\\)��tϭ�H� ��1jA����uh����gt��?ʳ�E��Y���\]���<�#wf(�����y�y OJw;wX��p��h��OO�a�\[��M2�wu�3�� ���8�̸�U�v�#�v~B̨sodT��L�m$��|�L:}���'"DNT�0O�?߆D��t��hn�T�j����e�\_LC,1H���o��z��7����� ՚ñ5��(u�q�CSN�4% ��i0�<�RV{S}Y\[h���4X��=���b�}9Y��دRLe����x%��z�����<� ��;�}3Y֎r�%j�3RW��xb��n\_�j�v�͡ﶫԜ�\]�P��Fj�j�Ө�i\*�T�A0/�^ծeT� ����90k�J\[�F�xt"�)�����7 �����ۛ��q�P�D��M������\*�94����{����}:�DG�/r��f,�O�����:�껎t��7���N��^�Ӳ����e�8���(����An$�b��Q�����(�C)�e��JHar�.w�4$\]f�����%��,�XQ�Ax����H��%����Q�LMlN�j\\�M�,�b�V�s�L�����t����x����e ��{���d#G��#7�Fڅ�p��j��8I�GmǕ��t:j��6��B����-)��l�drR���^ �E�}�t��};��.׹����F'x�RhS��^4��e;��~\]��,�3i\`X�l�&�f�~�By#�����R�Pӡ?�"�\\R�l�$ʽ~rjS�����\]C��\[:OӍ��e#gW��%\`��)y;�\]��n�.F����%�d���u����8�q���qd�ȝ��$��k�Y�^�4��o���(\_��{A��$��֔؃�r4�\]�f= ��iz�yZ�)�x1I\[�-W���h�N51�3���,6��ǉ(�\*U;�Bi��1�W�d���F ��.bH ��-rE9U��\[���v>�S�"D�a�kT1E�j!dSA!����÷ǣ�¨-�^'�����Q8>�9\[�i��q\[S{t��I�(U���:c$4�'l����z�F+�

CVE-2023-38909

An issue in TPLink Smart bulb Tapo series L530 v.1.0.0 and Tapo Application v.2.8.14 allows a remote attacker to obtain sensitive information via the authentication code for the UDP message.

Download PDF

> Abstract: The IoT is getting more and more pervasive. Even the simplest devices, such as a light bulb or an electrical plug, are made "smart" and controllable by our smartphone. This paper describes the findings obtained by applying the PETIoT kill chain to conduct a Vulnerability Assessment and Penetration Testing session on a smart bulb, the Tapo L530E by Tp-Link, currently best seller on Amazon Italy. We found that four vulnerabilities affect the bulb, two of High severity and two of Medium severity according to the CVSS v3.1 scoring system. In short, authentication is not well accounted for and confidentiality is insufficiently achieved by the implemented cryptographic measures. In consequence, an attacker who is nearby the bulb can operate at will not just the bulb but all devices of the Tapo family that the user may have on her Tapo account. Moreover, the attacker can learn the victim's Wi-Fi password, thereby escalating his malicious potential considerably. The paper terminates with an outline of possible fixes.

**Submission history**

From: Davide Bonaventura \[view email\]  
**\[v1\]** Thu, 17 Aug 2023 14:48:04 UTC (990 KB)

CVE-2023-38906: Smart Bulbs can be Hacked to Hack into your Household

Categories: News
Tags: QR codes

Tags:  attachment

Tags:  phishing

Tags:  Bing

Tags:  Microsoft

Tags:  credentials 

Researchers have been monitoring a phishing campaign that uses QR codes and Bing redirects to lead targets to phishing sites.



(Read more...)




The post QR codes used to phish for Microsoft credentials appeared first on Malwarebytes Labs.

Posted: August 21, 2023 by

Researchers have published details about a phishing campaign that uses QR codes to phish for Microsoft credentials.

A QR (Quick Response) code is a kind of two-dimensional barcode that holds encoded data in a graphical black-and-white pattern. The data that a QR code stores can include URLs, email addresses, network details, Wi-Fi passwords, serial numbers, etc.

While QR codes are generally safe, they can easily be manipulated by scammers because they all appear similar to the human eye. A malicious QR code may lead you to a spoofed website designed to drop different malware types or steal your sensitive data, like your password, credit card information, or money.

The use of QR codes in malicious campaigns is not new, and because they can provide contactless access to a product or service they grew in popularity during the pandemic. And because QR codes are images (sent as PNG or PDF attachments in the campaigns reported here) their content is more likely to make it past email filters.

The researchers have been monitoring a campaign since May of 2023 that, although it targeted users from a wide array of industries, seemed to focus on a major energy company based in the US. This undisclosed target received 29% of the over 1,000 emails containing malicious QR codes.

The links in the QR codes used open redirects from legitimate domains associated with Bing, Salesforce, and Cloudflare to send the targets to phishing sites that were after Microsoft credentials. Since the subject of the emails were often spoofed Microsoft security notifications the Bing URLs would not have looked out of place to any victims who noticed them.

The campaign has reportedly shown a significant growth since it was discovered with the volume increased by more than 2,400% since May 2023.

Example of a malicious QR code (courtesy of Cofense)

For cybercriminals, the use of QR codes usually has the disadvantage that they need to be scanned by a mobile device, which is more complex than simply giving targets a link to click on. But in a corporate environment this can also be an advantage as the mobile device might be outside of the protection of the enterprise environment.

The researchers showcase a Bing redirect URL which is likely to be seen as legitimate in light of the other Microsoft mimicry used in this campaign. Many search engines, social media, and other platforms use some form of open redirect, which cybercriminals use to make their links look legitimate. 

example of a Bing redirect URL (Courtesy of Cofense)

**Recommendations**

When it comes to QR codes they are nearly impossible to recognize as malicious by humans, so it takes some extra attention. Some pointers:

*   Treat QR codes like any other link in an unsolicited mail, or possibly even with more caution. If you receive a QR code either in the mail or sent to you by a friend, get in touch with them first and verify that they have indeed sent you the code.
*   When scanning a QR code your device should display the site it will take you to. Pay close attention to that link. Be wary of legitimate domains that are known to use redirects and URL shorteners.
*   Use the built-in scanner through your smartphone's camera to scan for QR codes. There is no need to download another one from the app store since there are fake QR code scanners and ones that come bundled with unwanted extras.

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

**RELATED ARTICLES**

Tag

#pdf