(CVE-2021-30845) macOS smbfs Out-of-Bounds Read

CVE: CVE-2021-30845
Tested Versions: macOS Big Sur 11.0 - 11.2.3
Product URL(s): https://apple.com/
Description of the vulnerability: smbfs is a kext driver that handles SMB connections between the user and the SMB server. This vulnerability occurs in smbfs and allows an attacker to leak kernel memory, which can be used to achieve further exploitation. The vulnerability exists in the smbfs_mount function, which can be reached via the mount syscall. The mount syscall takes data from user input and passes it to smbfs_mount....

September 13, 2021 · 3 min · Peter Nguyễn Vũ Hoàng

(CVE-2021-30868) macOS smbfs Race Condition leading to Use-After-Free Vulnerability

CVE: CVE-2021-30868
Tested Versions: macOS Big Sur 11.0 - 11.2.3
Product URL(s): https://apple.com/
Description of the vulnerability: smbfs is a kext driver that handles SMB connections between the user and the SMB server. This vulnerability occurs in smbfs and allows an attacker to escalate from user permissions to root privileges. The smbfs kext is implemented in the chardev device style, so users can interact with it via the ioctl syscall to perform certain tasks....

June 18, 2021 · 12 min · Peter Nguyễn Vũ Hoàng

(CVE-2021-35400) Prolink PRC2402M mesh.cgi get_extender_page Unauthenticated Command Injection Vulnerability

CVE: CVE-2021-35400
Tested Versions: Prolink PRC2402M 20190909
Product URL(s): https://prolink2u.com/
Description of the vulnerability: This vulnerability is present because there are no checks on user input taken by mesh.cgi, which is passed to popen, allowing an attacker to execute arbitrary code in the context of the root user on affected installations of the Prolink PRC2402M router. No authentication is required to exploit this vulnerability. The router makes GET requests to interact with the cgi scripts....

June 10, 2021 · 2 min · Daniel Lim Wee Soong (@daniellimws)

(CVE-2021-35401) Prolink PRC2402M login.cgi sys_login Unauthenticated Command Injection Vulnerability

CVE: CVE-2021-35401
Tested Versions: Prolink PRC2402M 20190909
Product URL(s): https://prolink2u.com/
Description of the vulnerability: This vulnerability is present because there are no checks on user input taken by login.cgi, which is passed to popen, allowing an attacker to execute arbitrary code in the context of the root user on affected installations of the Prolink PRC2402M router. No authentication is required to exploit this vulnerability. The router makes POST requests through HTML forms to interact with the cgi scripts....

June 10, 2021 · 2 min · Daniel Lim Wee Soong (@daniellimws)

(CVE-2021-35403) Prolink PRC2402M touchlist_sync.cgi main Unauthenticated Command Injection Vulnerability

CVE: CVE-2021-35403
Tested Versions: Prolink PRC2402M 20190909
Product URL(s): https://prolink2u.com/
Description of the vulnerability: This vulnerability is present because there are no checks on user input taken by touchlist_sync.cgi, which is passed to popen, allowing an attacker to execute arbitrary code in the context of the root user on affected installations of the Prolink PRC2402M router. No authentication is required to exploit this vulnerability. The router makes GET requests to interact with the cgi scripts....

June 10, 2021 · 2 min · Daniel Lim Wee Soong (@daniellimws)

(CVE-2021-35404) Prolink PRC2402M applogin.cgi sys_login1 Authenticated Command Injection Vulnerability

CVE: CVE-2021-35404
Tested Versions: Prolink PRC2402M 20190909
Product URL(s): https://prolink2u.com/
Description of the vulnerability: This vulnerability is present because there are no checks on user input taken by applogin.cgi, which is passed to system, allowing an attacker to execute arbitrary code in the context of the root user on affected installations of the Prolink PRC2402M router. Authentication is required to exploit this vulnerability. The router makes GET requests through HTML forms to interact with the cgi scripts....

June 10, 2021 · 2 min · Daniel Lim Wee Soong (@daniellimws)

(CVE-2021-35406) Prolink PRC2402M login.cgi sys_login1 Authenticated Command Injection Vulnerability

CVE: CVE-2021-35406
Tested Versions: Prolink PRC2402M 20190909
Product URL(s): https://prolink2u.com/
Description of the vulnerability: This vulnerability is present because there are no checks on user input taken by applogin.cgi, which is passed to system, allowing an attacker to execute arbitrary code in the context of the root user on affected installations of the Prolink PRC2402M router. Authentication is required to exploit this vulnerability. The router makes POST requests through HTML forms to interact with the cgi scripts....

June 10, 2021 · 2 min · Daniel Lim Wee Soong (@daniellimws)