Author name: SSD Secure Disclosure technical team

SSD Advisory – NVMS9000 Information Disclosure

Summary The NVMS9000 product by TVT has a critical security flaw that allows remote unauthenticated attackers to obtain a wealth of information about the device including, but not limited to, usernames and passwords, network configuration, etc. This security flaw can be easily exploited; all that is required is access to its open port (depending on configuration the …


SSD Advisory – IP.Board ‘nexus’ RCE and Blind SQLi

Summary IP.Board e-commerce plugin ‘nexus’ contains two security vulnerabilities that when combined can be used to trigger a pre-auth RCE in AdminCP. Credit An independent security researcher, Egidio Romano from Karma(In)Security, working with SSD Secure Disclosure. Vendor Response The vendor has released a new version of IP.Board with appropriate fixes: https://invisioncommunity.com/release-notes/4716-r128/ Affected Versions IP.Board version …


SSD Advisory – Uniview IPC2322LB Auth Bypass and CLI escape

Summary The way the Uniview IPC2322LB processes authentication requests allows remote attackers to bypass the authentication process and gain unauthorized access. If this is combined with a CLI escape, the Uniview device’s security can be completely compromised. Credit Yoseop Kim, working for SSD Labs Korea. Vendor Response The vendor has released an advisory that addresses this issue: …


SSD Advisory – TP-Link NCXXX Authentication Bypass

Summary A vulnerability exists in the TP-Link NCXXX family of devices that allows accessing the device without credentials; chained with well-known and currently unpatched post-auth vulnerabilities, this allows for the complete compromise of the device. Credit An independent security researcher working with SSD Secure Disclosure. Affected Versions TP-Link NC200, TP-Link NC210, TP-Link NC220, TP-Link NC230, TP-Link NC250, TP-Link …


SSD Advisory – TOTOLINK LR1200GB Auth Bypass

Summary A vulnerability in TOTOLINK LR1200GB allows remote unauthenticated attackers to become authenticated due to a stack overflow vulnerability in the web interface. Additional post-auth vulnerabilities in the product allow for command injection and execution with elevated privileges, allowing the compromise of the device; these are not shown in the analysis below …


SSD Advisory – Zyxel VPN Series Pre-auth Remote Command Execution

Summary Chaining of three vulnerabilities allows unauthenticated attackers to execute arbitrary commands with root privileges on Zyxel VPN firewalls (VPN50, VPN100, VPN300, VPN500, VPN1000). Due to recent attack surface changes in Zyxel, the chain described below broke and became unusable; we have decided to disclose this even though it is no longer exploitable. Credit …


SSD Advisory – WifiKey AC Gateway Pre-auth RCE

Summary A vulnerability exists in WifiKey’s AC Gateway that allows remote attackers to trigger pre-auth RCE in the product, allowing complete compromise of the device. Credit An independent security researcher working with SSD Secure Disclosure. Affected Versions WifiKey AC Gateway Vendor Response We have emailed the vendor and again after 30 days, but have …


SSD Advisory – Windows Kernel Pool (clfs.sys) Corruption Privilege Escalation

Summary A vulnerability exists in the processing of IRP_MJ_CREATE requests in the driver clfs.sys. This occurs during the processing of .blf files, which are parsed in the kernel. Credit An independent security researcher working with SSD Secure Disclosure. CVE CVE-2023-36424 Affected Versions Windows systems running 64-bit clfs.sys with version 10.0.22621.1555 Vendor Response The vendor has released a patch for …


SSD Advisory – QNAP QTS5 – /usr/lib/libqcloud.so JSON parsing leads to RCE

Summary QTS’s JSON parsing functionality is vulnerable to type confusion due to a failure to properly check the type of the json-object->data field. The bug allows an attacker to hijack control flow, and is accessible via the /cgi-bin/qid/qidRequestV2.cgi binary. Successful exploitation would allow an unauthenticated attacker to execute arbitrary code as the admin user (equivalent …


SSD Advisory – File History Service (fhsvc.dll) Elevation of Privilege

Summary A vulnerability in Windows’ File History Service allows local users to gain elevated privileges on the Windows operating system. Credit An independent security researcher working with SSD Secure Disclosure; the vulnerability was one of the winners of TyphoonCon’s TyphoonPWN 2023 in the Windows PE category. CVE CVE-2023-35359 Vendor Response The vendor has …


SSD Advisory – TP-Link TL-WR840N Stack Buffer Overflow DoS

Summary A vulnerability in TP-Link’s TL-WR840N allows remote attackers to trigger a stack overflow in httpd, causing a denial of service. Credit An independent security researcher, @delsploit, working with SSD Secure Disclosure. Affected Devices Vendor Response The vendor has released a new firmware (TL-WR840N(KR)_V6.2_230702) available at: https://www.tp-link.com/kr/support/download/tl-wr840n/#Firmware The vendor has …


SSD Advisory – EdgeRouters and AirCube miniupnpd Heap Overflow

Summary A vulnerability in the miniupnpd service of EdgeRouters and AirCube allows LAN attackers to overflow an internal heap buffer in the service and potentially execute arbitrary code. Credit An independent security researcher working with SSD Secure Disclosure. CVE CVE-2023-31998 Affected Devices EdgeRouters 2.0.9-hotfix.6 and earlier; AirCube firmware version 2.8.8 and earlier Vendor Response The vendor has issued …

