Hiby R3 PRO firmware v1.5 to v1.7 was discovered to contain a file upload vulnerability via the file upload feature.

**Arbitrary File Upload****Supported Files**

The web application allows users to upload files based in their extensions, the majority of them related to sound formats (MP3,FLAC, AIF, etc)

Extensions allowed

When a file that doesn't match the allowing formats is uploaded to the application, it is shown a warning message

Failed File Upload

**JavaScript Analysis**

A Javascript analyzes was done to confirm the file extension verification is peformed during file uploading, this function was found in **index.js** file.

At line 40, the **\_validFileTypes** variable is initialized, the variable contains an array with allowed formats:

Allowed Extensions

As shown in the image below, this variable is used in **\_isValidFileType** function, the function verifies the file extension agains the **\_validFileTypes** content. With this information, it's possible to bypass the validation mechanism by adding an arbitrary extension to the JavaScript, another approach would be tampering the request and modify it on the fly the file extension, personally, I prefere the first approach.

JavaScript extension validation

The following image show the **SH** extension has been added to the allowed extensions

Adding SH extension

**Static Analysis**

A simple way to take advantage of file uploading is to replace a file used by the system and inject malicious code; for this Proof of Concept, I searched for SH files in the file system and found several potential targets. I chose the wifi scripts for this.

SH files

The next step is to find where the selected script is used, i have performed a simple string search using grep and found the sys\_server binary contains the string "wifi\_off.sh"

Binary file matching the pattern

As shown in the following image, both wifi\_on.sh and wifi\_off.sh are passed as argument to system function

Binary file matching the pattern

**Running commands**

A simple echo command was added to **wifi\_off.sh** file:

echo command added

As shown below, the file has been uploaded to the File system:

File uploaded

Next step is to move the file into /sbin/ path, this can be done through the application interface, the request sent to the application is shown below:

File uploaded

This could confirm by accessing to /sbin/ through the web interface

File uploaded

Next step is exchaning the original and new script names

Renaming file request

New filename

Renaming modified file

Once done, there is no more action than turning off the Wifi connection, the script is executed and the file /tmp/hello.txt should be created as shown below

The following image shows the files existing in /tmp/ folder before running the script

Content in /tmp/ folder

hello.txt file in /tmp/

Finally, when reading the content of hello.txt file, it contains the expected String as shown below:

hello.txt content

CVE-2022-34496: Findings/Hiby/Web Server/File uploading at main · feric/Findings

Incorrect signature trust exists within Google Play services SDK play-services-basement. A debug version of Google Play services is trusted by the SDK for devices that are non-GMS. We recommend upgrading the SDK past the 2022-05-03 release.

CVE-2022-1799: Release Notes  |  Google Play services  |  Google Developers

By Owais Sultan
The advent of the digital age is a source of blessing in a way that makes life easier…
This is a post from HackRead.com Read the original post: Ways Hackers Can Steal Information from Your Device

****The advent of the digital age is a source of blessing in a way that makes life easier yet, it comes with some challenges including malicious hackers and cyber attacks.****

The threats posed by hackers to organizations and individuals have become a major concern as those fraudulent elements keep on increasing and devising new methods of perpetrating their sinister acts.

According to research by a software testing firm, not less than 30,000 websites are hacked daily worldwide and every 39 seconds there is a new cyber-attack launched at someone on the web. 

Let’s dig deeper into how hackers operate and how you can protect yourself from cyber attacks and scams.

Social engineering is a tricky one! Hackers can manipulate you by posing as someone you know and compel you to take action if they want to steal your information. For example, they may send you a link from a hacked social media profile, and create urgency by asking you to take some action.

After you click the link, you will be taken to a page that will require you to sign in to your Google or Apple, or similar account. But the form does not login to your account, it will instead be a fake login page created by crooks to steal your login credentials.

A recent example of a successful social engineering attack includes the Singaporean identity fraud scammer Ho Jun Jia (a/k/a Matthew Ho, a/k/a, Prefinity a/k/a Ethereum Vendor) who is now in prison for scamming in the name of the co-founder and co-chairman of Riot Games Mr. Marc Merrill.

Ho also used social engineering skills to trick Google and Amazon Web Services (AWS) into providing $5.4 million worth of cloud computing services by using personal details of Merrill.

**Keylogger**

Keylogger is designed to secretly spy on victims and can capture everything you type on your keyboard and every command you execute. It captures your passwords, credit card numbers, keystrokes, and browsing history.

It is worth noting that a keylogger can be software or a hardware device such as a malicious USB.

Software Keyloggers sneak into your computer system via harmful links or attachments. A hardware-based keylogger can be installed on your device if attackers have physical access to your computer.

**Public Wi-Fi Eavesdropping**

Wi-Fi eavesdropping can be defined as the act whereby your vital data is stolen by a hacker after exploiting an unsecured public Wi-Fi network. Because some public Wi-Fi allow unsecured transmission of data, your vital information, and files that are unencrypted are at the risk of hackers.

One of the gimmicks used by hackers is that they would name their hotspot after the name of the business premises or shopping mall etc. The Wi-Fi will probably be free and without a password so you are tempted to go for freebies. 

Once you connect to the hacker’s Wi-Fi, the hacker can see everything you do and steal your personal information including passwords. You can avoid this by not using public Wi-Fi, using your own hotspot device plus enabling your VPN at all times.

**SIM Swap Fraud**

A SIM swap attack is when a cybercriminal(s) calls your network provider and impersonates you. They claim that your SIM card is lost and they want to port your number to a new hacker-controlled SIM card.

Of course, your network provider will ask some questions to identify the person requesting the swap. These questions can be easily answered based on the Infomation you have provided about yourself on your social media accounts. (Don’t share your personal information on social media).

In this age of two-factor authentication (2FA) and USSD banking, your SIM card is coveted by hackers. This is because when they get your SIM card, they can bypass 2FA and intercept OTP (one-time password) as the verification code is sent to your swapped phone number.

Equity and forex trading brokerages also offer online trading apps that use 2FA to verify and authenticate users. When your SIM has been swapped, this verification code goes straight to the hacker who now controls your phone number.

Once the attacker has the verification code, they can link a new account to your investment, crypto wallet, or trading app and wire funds out. They can also use the funds in your account to buy worthless shares from other scammers thus enriching them and impoverishing you.

**Browser Hijacking**

An attacker can install malware right into your internet browser without you even knowing. This can happen when you click on an unknown link or download an app from a 3rd-party store. Most of the apps available in such stores are Trojans meaning they are not what they claim to be. By installing them, you could install a virus into your browser as well.

The virus in your browser then begins to redirect you to hacker-controlled sites that resemble legitimate sites. From there, your passwords are collected and used to access your accounts. 

**IP Spoofing**

This is the act whereby a hacker hijacks your browsing connection through the usage of a fake Internet Protocol (IP) address. A publication by Dell Technologies shows that there are over 30,000 spoofing attacks every day around the world.

IP spoofing scams mostly occur at a location where internal systems trust one another in a way that users can have access without any username or password, provided they are connected with the network.

It involves the act of masquerading as a fake computer IP address in a way that would look like a legitimate one. In the course of IP spoofing, attackers convey a message to a computer system with a fake IP address which shows that the message is coming from a different IP address. 

**Domain Name System (DNS) Spoofing/ Poisoning**

The term ‘spoofing’ has to do with impersonation. In this case, a hacker’s computer is impersonating a legitimate computer on a network. A domain name is simply a website name like ‘www.google.com’

DNS spoofing, let’s assume you want to visit Twitter and you type the domain name ‘www.twitter.com’ into your browser’s URL bar. This domain name is sent to a DNS server which converts the domain name of Twitter into an IP address example 172.28.213.15 which is supposed to be the IP address of Twitter’s official computer server.

The hacker spoofs it by deceiving the DNS server to convert Twitter’s domain name into a **different** hacker-controlled IP address which takes you to the hacker’s server instead of Twitter’s server.

The attackers could have designed a fake Twitter page and hosted it on his spoofed server. Once you attempt to log in, they can steal your password and use it to access your account. 

The result of DNS poisoning is that any information you send is routed through the hacker before it gets to the web. This allows them to steal your passwords and access your accounts. 

**Domain Spoofing**

This online fraud, also known as a homograph attack occurs when a hacker makes use of a domain name that greatly resembles the website you are trying to visit.  Perpetrating this act, the hacker replaces the characters in the fake domain name with other non-ASCII characters that look much alike in appearance.

It will be designed in such a way that you may not notice the difference, as you would be assured about the secure connection of the browser. To begin the process of HTTP spoofing, the cyber attacker’s first step is to register a domain name that resembles yours.

The scammer would then proceed to send a link to you, and you may likely not notice that you are visiting a fake version of the site you planned to go to because the majority of browsers display puny code host names in their address bar. One such example is:

It’s Google.com not ɢoogle.com

This scamming system is designed to even prove to you that the website’s SSL certificate is real, thereby preventing you from detecting the fraud.

**Session Hijacking**

When you visit a website, you might notice a popup prompting you to allow cookies. Cookies refer to your personal information stored temporarily in your computer’s cache memory and are deleted after you leave the site. _(Here’s how to disable Cookies notice for good)_.

Cookies contain a unique ‘session ID’ number which if gotten by a hacker, will enable them to take over your session. An attacker can steal your cookies using different means such as phishing scams where they send you an email containing a malicious link. When you click on the link, it will install malware for session hijacking.

The point here is, that once an attacker steals your cookie or gets your session ID, they can take over your browsing session and if you were visiting a bank website, they can steal your funds. You may notice the page freeze, or some technical difficulty while this is going on and when it’s over, your money is gone. 

**Don’t Be Caught Off Guard**

*   Never download files from suspicious emails, messages, or contacts. Also, never click a link shared by an unknown source, or enter your account details and password on websites that you don’t trust.
*   Ensure that your two-factor authentication is enabled. Or you can also use token-based logins.
*   Don’t send PINs, passwords, and your financial details via text or email.
*   To guard against IP Spoofing, ensure you use a Virtual Private Network (VPN). Or use anti-malware software with web protection, that blocks unknown websites.

Ways Hackers Can Steal Information from Your Device

By Deeba Ahmed
Researchers have identified as many as eleven critical vulnerabilities in different versions of Nuki Smart Locks. The IT…
This is a post from HackRead.com Read the original post: Critical Vulnerabilities Exposed Nuki Smart Locks to a Plethora of Attack Options

****Researchers have identified as many as eleven critical vulnerabilities in different versions of Nuki Smart Locks.****

The IT security researchers at Manchester, England-based NCC Group have released a technical advisory explaining how Nuki Smart Locks were vulnerable to a plethora of attack possibilities.

It is worth noting that Nuki Home Solutions is a Graz, Austria-based supplier of smart home solutions in Europe. Here is a detailed overview of the eleven flaws in Nuki’s locks.

**Lack of Certificate Validation on TLS Communications**

This flaw is tracked as CVE-2022-32509 and affects Nuki Smart Lock version 3.0. As per the NCC Group research, the company didn’t implement SSL/TLS certificate validation on its Smart lock and Bridge devices. Without SSL/TLS certificate validation, attackers can perform man-in-the-middle attacks and access network traffic sent through an encrypted channel.

**Stack Buffer Overflow Parsing JSON Responses**

Tracked as CVE-2022-32504, this vulnerability affects Nuki Smart Lock 3.0. The issue can allow an attacker to get arbitrary code execution privilege on the device. The flaw is found in the code that implements the JSON objects parsing received from the SSE WebSocket, leading to a stack buffer overflow.

**Stack Buffer Overflow Parsing HTTP Parameters**

As per NCC Group’s technical writeup, the code responsible for overseeing the HTTP API parameter parsing logic causes a stack buffer overflow. It could be exploited to perform arbitrary code execution. This flaw is tracked as CVE-2022-32502 and was discovered in Nuki Bridge version 1.

**Broken Access Controls in the BLE Protocol**

The flaw is tracked as CVE-2022-32507 and affects Nuki Smart Lock 3.0. Research revealed that inadequate access control measures were used in the Bluetooth Low Energy Nuki API implementation, which could allow users to send out high-privilege commands to the Keyturner without being authorized for it.

1.  The Most Commonly Hacked Smart Home Tech
2.  Hackers can unlock a smartphone with fingerprints on glass of water
3.  Smart Lock vulnerability can give hackers full access to Wi-Fi network
4.  Hackers can clone your lock keys by recording clicks from smartphone
5.  Vulnerable smart alarms allowed hackers to track & turn off car engine

**TAG Exposed via Test Points**

This flaw is classified as CVE-2022-32503 and impacts Nuki Keypad. The TAG Exposed issue exposed the JTAG hardware interfaces on the affected devices.

Exploiting this flaw can allow an attacker to use the JTAG boundary scan feature to control code execution on the processor, debug the firmware, and read/alter the internal/external flash memory content. However, the attacker must have physical access to the circuit board to exploit the scan feature.

**Sensitive Information Sent Over an Unencrypted Channel**

This vulnerability is assigned CVE-2022-32510 and impacts Nuki Bridge version 1. The Bridge exposes the HTTP API using an unencrypted channel to access an administrative interface. The attacker can passively gather communication between the HTTP API and a client after accessing any device connected to the local network. A malicious actor can conveniently impersonate a legit user and access the full set of API endpoints.

**WD Interfaces Exposed via Test Points**

Tracked as CVE-2022-32506, the flaw exposed SWD hardware interfaces and was identified in Nuki smart lock 3.0. The attacker can use the SWD debug feature after having physical access to the circuit board, control the processor’s code execution, and debug the firmware.

SWD test points exposed (Image: Ncc Group)

**Denial of Service via Unauthenticated HTTP API Messages**

This flaw is classified as CVE-2022-32508 and impacts Nuki Bridge version 1. The flaw made devices vulnerable to denial of service (DoS) attacks if the attacker used specially crafted HTTP packets. Thus, impacting access to the Bridge and rendering the device unstable.

**Denial of Service via Unauthenticated BLE packets**

Tracked as CVE-2022-32505, this flaw made the impacted devices vulnerable to DoS attack through specially crafted Bluetooth Low energy packets. This could affect Keyturner’s availability and make the device unstable. Most BLE characteristics were found to be vulnerable to this issue.

**Insecure Invite Keys Implementation**

This flaw impacts the Nuki Smart Lock app version 2.22.5.5 (661). The invite token created for identifying a user during an invitation process is used to encrypt/decrypt the invite keys on the Nuki servers. A threat actor can easily take full control of the servers through this flaw and leak sensitive data.

**Opener Name Could Be Overwritten Without Authentication**

The Nuki Opener is impacted by this vulnerability that emerged from an insecure Opener Bluetooth Low energy implementation, allowing malicious actors to change the BLE device name. The device allowed an unauthenticated attacker to change the BLE device name.

**Current status**

The NCC Group informed Nuki about these flaws on 20th April 2022, and the company quickly responded. On 6th May 2022, Nuki contacted NCC Group regarding the progress on fixes. On 9th June 2022, patches were released for all vulnerabilities, after which NCC Group released a technical advisory.

Critical Vulnerabilities Exposed Nuki Smart Locks to a Plethora of Attack Options

By using warp-cli subcommands (disable-ethernet, disable-wifi), it was possible for a user without admin privileges to bypass configured Zero Trust security policies (e.g. Secure Web Gateway policies) and features such as 'Lock WARP switch'.

**Zero Trust Secure Web Gateway policies bypass using WARP client subcommands**

**Package**

Cloudflare WARP Client (Windows)

**Affected versions**

<2022.5.341.0

**Patched versions**

2022.5.341.0

Cloudflare WARP Client (Linux)

Cloudflare WARP Client (MacOS)

**Description**

**Impact**

By using warp-cli subcommands (disable-ethernet, disable-wifi), it was possible for a user without admin privileges to bypass configured Zero Trust security policies (e.g. Secure Web Gateway policies) and features such as 'Lock WARP switch'.  
The issue concerns WARP clients enrolled in Zero Trust organisation mode.

**Patches**

Fixed versions:

*   Windows: 2022.5.341.0
*   Linux: 2022.5.346
*   MacOS: 2022.5.227.0

**References**

*   Cloudflare WARP releases for Linux
*   Cloudflare WARP releases for MacOS
*   Cloudflare WARP releases for

CVE-2022-2225

An access control issue in Wavlink WiFi-Repeater RPTA2-77W.M4300.01.GD.2017Sep19 allows attackers to obtain the key information of the device via accessing fctest.shtml.

Permalink

Cannot retrieve contributors at this time

**0x01 Vulnerability description**

A vulnerability is in the 'fctest.shtml' page of the Wavlink-WiFi-Repeater,Firmware package version RPTA2-77W.M4300.01.GD.2017Sep19,Information about the repeater can be obtained by accessing the constructed URL.

Unauthorized users can obtain the key information of the router by visiting:

    http://xxx.xxx.xxx.xxx/fctest.shtml
    

**0x02 Affected version****0x03 Vulnerability**

When the router is running, all the operations of the user are stored in the syslog.shtml page, and the identity verification process is not performed

**0x04 PoC verification**

**0x05 Acknowledgement**

Penwei.Huang

CVE-2022-34575: CVE_Request/WiFi-Repeater_fctest.md at main · pghuanghui/CVE_Request

An access control issue in Wavlink WiFi-Repeater RPTA2-77W.M4300.01.GD.2017Sep19 allows attackers to arbitrarily configure device settings via accessing the page mb_wifibasic.shtml.

**0x01 Vulnerability description**

A vulnerability is in the 'mb\_wifibasic.shtml' page of the Wavlink-WiFi-Repeater,Firmware package version RPTA2-77W.M4300.01.GD.2017Sep19,Visit the constructed page to get the Wi-Fi Basic Setting, and you can set the WiFi at the same time.

Unauthorized users can obtain the key information of the router by visiting:

    http://xxx.xxx.xxx.xxx/mb_wifibasic.shtml
    

**0x02 Affected version****0x03 Vulnerability**

This page does not have access permissions set

**0x04 PoC verification**

**0x05 Acknowledgement**

Penwei.Huang

CVE-2022-34573: CVE_Request/WiFi-Repeater_mb_wifibasic.md at main · pghuanghui/CVE_Request

An access control issue in Wavlink WiFi-Repeater RPTA2-77W.M4300.01.GD.2017Sep19 allows attackers to obtain the telnet password via accessing the page tftp.txt.

Permalink

Cannot retrieve contributors at this time

**0x01 Vulnerability description**

A vulnerability is in the 'tftp.txt' page of the Wavlink-WiFi-Repeater,Firmware package version RPTA2-77W.M4300.01.GD.2017Sep19,The attacker can access the constructed page to obtain the telnet account password.

Unauthorized users can obtain the key information of the router by visiting:

    http://xxx.xxx.xxx.xxx/tftp.txt
    

**0x02 Affected version****0x03 Vulnerability**

The txt text does not set reasonable access rights.

**0x04 PoC verification**

**0x05 Acknowledgement**

Penwei.Huang

CVE-2022-34572: CVE_Request/WiFi-Repeater_tftp.md at main · pghuanghui/CVE_Request

An access control issue in Wavlink WiFi-Repeater RPTA2-77W.M4300.01.GD.2017Sep19 allows attackers to obtain the system key information and execute arbitrary commands via accessing the page syslog.shtml.

**0x01 Vulnerability description**

A vulnerability is in the 'syslog.shtml' page of the Wavlink-WiFi-Repeater,Firmware package version RPTA2-77W.M4300.01.GD.2017Sep19,Attackers can use this page to configure various functions of the repeater.

Unauthorized users can obtain the key information of the router by visiting:

    http://xxx.xxx.xxx.xxx/syslog.shtml
    

**0x02 Affected version****0x03 Vulnerability**

When the router is running, all the operations of the user are stored in the syslog.shtml page, and the identity verification process is not performed

**0x04 PoC verification**

!\[(wavlink-WiFi-Repeater\_syslog.shtml.assets/image-20220623145655255.png)

**0x05 Acknowledgement**

Penwei.Huang

CVE-2022-34571: CVE_Request/WiFi-Repeater_syslog.shtml.md at main · pghuanghui/CVE_Request

An access control issue in Wavlink WiFi-Repeater RPTA2-77W.M4300.01.GD.2017Sep19 allows attackers to obtain the key information of the device via accessing Tftpd32.ini.

Tag

#wifi