以下内容均摘自互联网,由于传播、利用此文所提供的信息而造成的任何直接或间接的后果和损失,均由使用者本人负责,银弹实验室以及文章作者不承担任何责任。
1. Kyocera 打印机XSS漏洞
2. SUS RT-AX88U 路由器未授权远程代码执行漏洞
3. Foscam R2C IP 摄像头授权远程代码执行漏洞
1. Kyocera 打印机XSS漏洞
漏洞编号:
CVE-2022-25344
漏洞介绍:
Kyocera d-COLOR MF3555 2XD_S000.002
.271设备上发现XSS问题。Web应用程序在保存参数到服务器之前,没有正确检查通过/dvcset/sysset/set.cgi 接口POST请求上传的arg01.Hostname参数。此外,JavaScript恶意内容随后会反射回最终用户,并由web浏览器执行。
An XSS issue was discovered on Kyocera d-COLOR MF3555 2XD_S000.002.271 devices. The Web Application doesn't properly check parameters, sent in a /dvcset/sysset/set.cgi POST request via the arg01.Hostname field, before saving them on the server. In addition, the JavaScript malicious content is then reflected back to the end user and executed by the web browser.
影响范围:
Kyocera d-COLOR MF3555 2XD_S000.002.271
厂商修复状态:
厂商暂没有发布修复方案
漏洞类型:
XSS漏洞
漏洞危害:
攻击者可以让受害者执行任意JS代码
漏洞数据来源:
NVD,MITRE
漏洞详情链接:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25344
CVE 编号分配日期: 2022-02-18
漏洞发布日期: 2022-04-20
漏洞信息更新日期: 2022-04-20
2. InHand NetworASUS RT-AX88U 路由器未授权远程代码执行漏洞
漏洞编号:
CVE-2022-26674
漏洞介绍:
华硕RT-AX88U存在格式字符串漏洞,未经身份验证的远程攻击者可以通过该漏洞写入任意内存地址,导致远程任意代码执行、任意系统操作或中断服务。
ASUS RT-AX88U has a Format String vulnerability, which allows an unauthenticated remote attacker to write to arbitrary memory address and perform remote arbitrary code execution, arbitrary system operation or disrupt service.
影响范围:
ASUS RT-AX88U firmware pre v3.0.0.4.386.4606
厂商修复状态:
Update RT-AX88U firmware version to 3.0.0.4.386.46065
漏洞类型:
未授权远程代码执行漏洞
漏洞危害:
未授权攻击者可以远程执行任意代码、任意系统操作或中断服务
漏洞数据来源:
NVD,MITRE
漏洞详情链接:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26674
CVE 编号分配日期:2022-03-08
漏洞发布日期:2022-04-22
漏洞信息更新日期:2022-04-22
3. Foscam R2C IP 摄像头授权远程代码执行漏洞
漏洞编号:
CVE-2022-28743
漏洞介绍:
Foscam R2C IP摄像头运行系统FW<=1.13.1.6和应用程序FW<=2.91.2.66中的Time-of-check、Time-of-use(TOCTOU)竞争条件漏洞允许具有管理员权限的经过身份验证的远程攻击者通过恶意固件补丁执行任意远程代码。此漏洞会导致远程攻击者可以通过root权限获得对IP摄像头和底层Linux系统的完全远程访问。通过对摄像头Linux操作系统的root访问,攻击者可以有效地更改正在运行的代码,添加后门访问,或通过访问实时摄像头流侵犯用户隐私。
Time-of-check Time-of-use (TOCTOU) Race Condition vulerability in Foscam R2C IP camera running System FW <= 1.13.1.6, and Application FW <= 2.91.2.66, allows an authenticated remote attacker with administrator permissions to execute arbitrary remote code via a malicious firmware patch. The impact of this vulnerability is that the remote attacker could gain full remote access to the IP camera and the underlying Linux system with root permissions. With root access to the camera's Linux OS, an attacker could effectively change the code that is running, add backdoor access, or invade the privacy of the user by accessing the live camera stream.
影响范围:
Foscam R2C IP camera System FW <= 1.13.1.6,Application FW <= 2.91.2.66
厂商修复状态:
厂商暂没有发布修复补丁
漏洞类型:
授权远程代码执行漏洞
漏洞危害:
具有管理员权限的攻击者可以对摄像头的完全系统控制权限
漏洞数据来源:
NVD,MITRE
漏洞详情链接:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2022-28743
CVE 编号分配日期: 2022-04-06
漏洞发布日期:2022-04-21
漏洞信息更新日期: 2022-04-22
