Persistent XSS via image metadata

Joomla SIGE is a popular extension for creating image galleries within the Joomla CMS. An injection vulnerability was discovered that enables execution of a Cross Site Scripting (XSS) attack. The extension does not sanitize the text that it retrieves from the image header. Once published online the the image will cause the browser to load malicious content.

Exploiting the HooToo TM6 router

Part 4: Finding vulnerabilities in a router is cool. But, what’s cooler is exploiting them. The vendor has been informed of the vulnerabilities and they were recorded in the CVE database (CVE-2017-9026 and CVE-2017-9025). So, hopefully they are no longer a major threat. These vulnerabilities could be exploited in many different ways, even from an Android phone [0]. I wanted to follow through and see what useful things we could do from an attacker perspective.

HooToo TM6 vulnerabilities

Part 3: In the course of reverse engineering the HooToo TM-06 Travel router, there were two interesting vulnerabilities discovered. Both are in the IOOS (vshttpd) web service. This is not shocking because the web service appears to be a custom implementation specific to the device. That’s not to say the developers weren’t good, rather it is that custom code tends to be the one that receives the least scrutiny. One vulnerability is a stack overflow. Another, a heap overflow. In this article we’ll see how to fully exploit the heap buffer overflow vulnerability.

Reverse Engineering of an Embedded Webserver

Part 2: In this article we look into the implementation of the embedded webserver that runs on the HooToo Travel Mate 6 router (the device). The webserver is at the core of the TM-06 user interface. It is also the best attack surface to start with. It is best due to the complexity of processing web requests and a historical precedent of web software being susceptible to memory corruption vulnerabilities.