CVE-2022-36586 Tenda G3 US_G3V3.0 has a buffer overflow vulnerability due to strcpy in the httpd binary.

The httpd binary is the device's embedded web management server, so the bug is reachable by anyone who can send HTTP requests to that interface: hosts on the LAN by default and, on a typical home or small-office router, Internet hosts only if WAN-side remote management has been enabled. No victim interaction, malicious website, TLS server or forged certificate is involved; the attacker talks to the router directly.

The overflow is triggered by a request in which an attacker-controlled field is longer than the fixed-size buffer that strcpy copies it into. strcpy stops only at a NUL byte and never checks the destination size, so the excess bytes overwrite adjacent memory. The minimum outcome is a crash of httpd, which takes the management interface down; if the overwritten memory includes control data such as a saved return address and the binary lacks effective mitigations, the same input can be shaped into code execution on the device.

Root cause

The defect is the classic unsafe-copy pattern: a value taken from the HTTP request is copied with strcpy into a stack buffer of fixed size without first comparing the source length against the destination size. strcpy has no length argument at all, so the only thing bounding the copy is the terminator in the attacker's data. Auditing the httpd disassembly or decompilation for strcpy calls whose source is request-derived is the usual way bugs of this kind are found in router firmware.

The CVE description does not state which user httpd runs as. On embedded Linux routers of this class it is commonly root in a single process, in which case code execution inside httpd is equivalent to full control of the device.
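As an added illustration (not Tenda's code; the handler, the "name" parameter and NAME_MAX are hypothetical), the following C shows the strcpy pattern behind this class of bug beside a bounded replacement, with a small query-string parser so it runs on realistic request input:

```c
/* Added example (not Tenda's code): the strcpy pattern behind
 * CVE-2022-36586-class bugs beside a bounded replacement. Handler and
 * parameter names ("name", NAME_MAX) are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_MAX 32   /* fixed-size destination, as in a typical httpd handler */

/* Return a malloc'd copy of the value for `key` in a query string such as
 * "a=1&name=foo&b=2", or NULL if the key is absent. Caller frees. */
char *query_get(const char *query, const char *key) {
    size_t klen = strlen(key);
    const char *p = query;
    while (p && *p) {
        const char *amp = strchr(p, '&');
        size_t seglen = amp ? (size_t)(amp - p) : strlen(p);
        if (seglen > klen && strncmp(p, key, klen) == 0 && p[klen] == '=') {
            size_t vlen = seglen - klen - 1;
            char *v = malloc(vlen + 1);
            if (!v) return NULL;
            memcpy(v, p + klen + 1, vlen);
            v[vlen] = '\0';
            return v;
        }
        p = amp ? amp + 1 : NULL;
    }
    return NULL;
}

/* VULNERABLE: strcpy copies until it sees a NUL and never looks at the size
 * of `name`. A value of NAME_MAX bytes or more runs past the buffer into
 * whatever follows on the stack (other locals, saved registers, the return
 * address). Shown for contrast; never feed it untrusted input. */
int set_name_vulnerable(const char *value) {
    char name[NAME_MAX];
    strcpy(name, value);
    return (int)strlen(name);
}

/* HARDENED: check the source length against the destination size, counting
 * the terminator, and reject rather than silently truncate. Returns the
 * stored length or -1 (a 400 Bad Request in a real handler). */
int set_name_safe(const char *value, char *out, size_t out_size) {
    size_t n = strlen(value);
    if (n >= out_size)
        return -1;
    memcpy(out, value, n + 1);
    return (int)n;
}

/* Would `value` overflow a destination of dst_size bytes under strcpy? */
int value_overflows(const char *value, size_t dst_size) {
    return strlen(value) >= dst_size;
}

/* Full path a request takes: parse the parameter, then store it with the
 * hardened setter. Returns the stored length, -1 if rejected or missing. */
int handle_request(const char *query, const char *key) {
    char name[NAME_MAX];
    char *v = query_get(query, key);
    if (!v)
        return -1;
    int r = set_name_safe(v, name, sizeof name);
    free(v);
    return r;
}

int main(void) {
    /* Constructed requests, not captured traffic: a benign one and one that
     * carries a 200-byte value aimed at a 32-byte buffer. */
    const char *benign = "action=save&name=lab-router&page=1";
    char hostile[256] = "action=save&name=";
    size_t off = strlen(hostile);
    memset(hostile + off, 'A', 200);
    memcpy(hostile + off + 200, "&page=1", 8);

    char *v = query_get(hostile, "name");
    printf("hostile value length %zu, overflows NAME_MAX: %d\n",
           strlen(v), value_overflows(v, NAME_MAX));
    free(v);
    printf("benign  -> %d\n", handle_request(benign, "name"));   /* 10 */
    printf("hostile -> %d\n", handle_request(hostile, "name"));  /* -1 */
    /* set_name_vulnerable(v) with the hostile value would smash the stack,
     * so this demo deliberately does not call it. */
    return 0;
}
```

The safe version rejects rather than truncates on purpose: truncating with strncpy or strlcpy avoids the memory corruption but can leave a value different from what the client sent, which later validation code may not expect.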

Exposure

The management interface is addressed by the router's IP address or by a hostname that resolves to it; the exploit does not depend on certificates or proxies. Whether it is exposed beyond the LAN depends on the remote management setting, and an attacker who already has a foothold on the LAN can reach it regardless.

The affected firmware is US_G3V3.0, as stated in the CVE description. No fixed version is identified here, so check the vendor's G3 firmware downloads for a later release.

Mitigation

Until patched firmware is available, reduce who can reach httpd: keep WAN-side remote management disabled and, where the device allows it, restrict the LAN management interface to an administrative network segment or a small set of trusted addresses. The description does not say whether the vulnerable handler requires authentication, so do not rely on credentials alone. Unexpected restarts of the httpd process, or the web interface becoming unavailable after a burst of requests, are the observable symptoms of the overflow being triggered and are worth alerting on where the device's logs make them visible.

Timeline

Published on: 09/08/2022 00:15:00 UTC
Last modified on: 09/09/2022 15:08:00 UTC