Argus Proof of Possession

MongoDB - Pre-auth Remote ████ ████████████ out-of-bounds read

2026-06-14T00:00:00-07:00

Report digest

6a3a54c36db743b91211cd7953a0af06d19788e3d3179490ff4e5ddf08ca3c74  adv-041-poc.py

OpenBSD - Remote Kernel PAP Authentication Bypass

2026-06-12T00:00:00-07:00

Executive Summary

The sppp_pap_input function in sys/net/if_spppsubr.c uses the attacker-controlled name_len and passwd_len fields from the incoming PAP frame directly as the comparison length for bcmp against configured credentials. Sending both as zero causes bcmp to return 0 unconditionally, bypassing authentication entirely.

Details

The credential check compares the peer-supplied name and password against stored values using bcmp(..., name_len) and bcmp(..., passwd_len). When bcmp is called with length 0, it always returns 0 regardless of the buffer contents. The existing > AUTHMAXLEN guard allows zero through, so a PAP Auth-Request with name_len=0 and passwd_len=0 passes validation and triggers a PAP_ACK.

A secondary issue arises from the same root cause: supplying a name_len larger than the allocated credential string causes bcmp to read past the heap object, producing a kernel heap over-read.

Reachability

Both issues are reachable via the PPPoE data path (pppoe_data_input → sppp_input → sppp_pap_input) on systems configured as a PAP authenticator. No credentials need to be known by the attacker.

Impact

An attacker on the same network segment can authenticate to a PPPoE interface without knowing any configured credentials, establishing a full network-layer link. This enables traffic interception when OpenBSD acts as a PPPoE client with mutual authentication.

Timeline

2026-06-12 — Reported to OpenBSD with proof of concept
2026-06-14 — Fix committed openbsd/src@076e2b1

OpenBSD - Pre-auth Remote Kernel ███ Heap Over-Read

2026-06-12T00:00:00-07:00

Report digest

8283dd68745507b7cea499def75301fbcdd0446b2e76210fc706456cf5855738  poc-001-pap-bypass.py

OpenBSD - Pre-auth Remote Kernel ████ Stack Disclosure

2026-06-12T00:00:00-07:00

Report digest

0107e0e12dbd466d7c5077bfc51be4d5f80d52b0211c22367b003925ace8aaf8  poc-008-stack-leak.py

MongoDB - Pre-auth Remote ████ ████████████ out-of-bounds read

2026-06-11T00:00:00-07:00

Report digest

127de65d6b73d1c679187b5a3fb19a34f1ac80206fb1ec68189b3eb3b344efe5  poc-029.py

MongoDB - Pre-auth Remote ████ ███████ out-of-bounds read

2026-06-11T00:00:00-07:00

Report digest

fd77e56aac83a8a3d7a97d8eec8636008c739ec74b112b1e071682a58f7755a2  H1-report.md

IDOR in Report Test — Low-Privilege User Can Access Any User's Dashboard Reports

2026-06-10T00:00:00-07:00

Summary

The report.test trapper endpoint accepts a data.userid field that controls which user's dashboard is rendered. An authenticated User-role account can set this to any other user's ID, including the Super Admin. The report manager creates a live database session for the victim, renders their dashboard using the victim's cookie, and emails the resulting PDF to an attacker-controlled address. No authorization check is performed.

Affected Versions

Zabbix Server 8.0.0beta2 (commit 31eccf9ddaf7adf129f9cd611c85b7451b188eb9)

Details

The call chain is:

trapper_server.c:68 authenticates the caller via session ID and obtains the authenticated user.userid.
It calls zbx_report_test(&jp_data, user.userid, &j), passing the authenticated userid.
report_protocol.c:370–394 deserializes data.userid from the attacker-controlled JSON into viewer_userid (internally access_userid). The authenticated userid is passed along but never compared to access_userid.
report_manager.c:654 calls rm_session_start(manager, access_userid), inserting a real row into the sessions table for the victim user.
The web service receives a rendering request with the victim's session cookie and fetches their dashboard.

The fix is a single equality check — access_userid == authenticated_userid — that is absent from the entire call chain.

Impact

Any authenticated user can receive a PDF rendering of any other user's dashboards, including those of the Super Admin. Dashboards may display sensitive monitoring data, credentials stored as macros, or infrastructure topology. The attack is also a session-creation primitive: a live sessions row is inserted for the victim user as a side effect.

Remediation

Enforce access_userid == authenticated_userid before calling rm_session_start in report_manager.c. The authenticated userid is already present at the call site; the check is a single conditional.

SQL Injection via OAuth2 Token Refresh Response

2026-06-09T00:00:00-07:00

Summary

When an Email media type is configured with OAuth2 authentication, Zabbix server automatically POSTs to the configured token endpoint to refresh expired tokens. The access_token and refresh_token values parsed from the JSON response are passed directly to zbx_db_execute() with no escaping, allowing an attacker who controls the OAuth endpoint to inject arbitrary SQL.

Affected Versions

Zabbix Server 8.0.0beta2 (commit 31eccf9ddaf7adf129f9cd611c85b7451b188eb9)

Details

The injection is in src/libs/zbxalerter/oauth.c, oauth_db_update(), lines 301–317. Both the if and else branches build the SQL string by interpolating data->access_token and data->refresh_token directly:

zbx_db_execute("update media_type_oauth set"
        " access_token='%s',access_token_updated=" ZBX_FS_TIME_T ","
        "access_expires_in=%d,refresh_token='%s',tokens_status=%hhu"
        " where mediatypeid="ZBX_FS_UI64,
        data->access_token, data->access_token_updated, data->access_expires_in,
        data->refresh_token, data->tokens_status,
        mediatypeid);

These values are parsed directly from the OAuth server's JSON response (oauth.c:248–264) with no call to zbx_db_dyn_escape_string(), which is used everywhere else in the database layer for exactly this purpose.

The MySQL connection is opened with CLIENT_MULTI_STATEMENTS, so stacked queries are fully supported.

The call chain is automatic and requires no user interaction:

An alert is queued for an Email media type using OAuth2
The alerter detects the access token is expired (oauth.c:400)
Zabbix POSTs to the configured token_url (oauth.c:408)
The JSON response is parsed and tokens are stored as-is (oauth.c:242–264)
oauth_db_update() interpolates the unescaped values into SQL (oauth.c:301–307)

Proof of concept: a hostile OAuth server returning a crafted access_token with a stacked INSERT statement created a backdoor admin account in the users table without any Zabbix credentials.

Impact

Arbitrary SQL execution as the Zabbix database user, triggerable by any party that can influence the response from the configured OAuth token endpoint (e.g., provider compromise, DNS hijack, network interception). Full database read/write on a monitoring server that already holds credentials and network reach into the monitored fleet.

Remediation

No fix — Zabbix declined to treat this as a security issue on the basis that configuring the OAuth media type requires administrator privileges. That reasoning gates the endpoint selection, not the content of the server's response.

The one-line fix is to pass access_token and refresh_token through zbx_db_dyn_escape_string() before interpolation, in both branches of oauth_db_update().

Timeline

2026-06-06 — Reported to Zabbix with proof of concept
2026-06-08 — Zabbix responds: not a security vulnerability
2026-06-09 — Public disclosure

SSH Connection Reuse Authentication-Context Bypass

2026-06-08T00:00:00-07:00

Executive Summary

SSH connection reuse matching in libcurl does not verify SSH authentication context (selected private/public key files). A request can reuse an existing authenticated SSH channel established with different SSH key settings, causing operations to execute under an unintended SSH identity.

Affected Versions

libcurl with SSH/SFTP support (libssh2 and libssh backends)

Details

The reuse flow (Curl_connect -> url_find_or_create_conn -> url_attach_existing -> Curl_cpool_find -> url_match_conn) calls url_match_proto_config at lib/url.c:918, which only checks HTTP/FTP-specific protocol config and has no SSH-equivalence checks.

SSH key identity is loaded later from per-request options in lib/vssh/libssh2.c (ssh_state_pkey_init) and lib/vssh/libssh.c (myssh_in_AUTH_PKEY_INIT). Reused connections skip protocol connect/auth in lib/multi.c:2523-2529, so authentication is never re-evaluated for the new request context.

An application performing back-to-back SSH/SFTP requests with different CURLOPT_SSH_PRIVATE_KEYFILE / CURLOPT_SSH_PUBLIC_KEYFILE settings to the same destination will have the second request silently reuse the first connection's SSH identity.

Impact

Cross-request authentication-context confusion. Operations can execute under a prior SSH identity rather than the intended one, potentially granting unauthorized access to resources.

Remediation

Fix PR: curl/curl#21899 — Revert "url: remove ssh_config_matches"

MFA Bypass via Federated Login Paths

2026-06-08T00:00:00-07:00

Summary

Zabbix's MFA enforcement is configured per user group, not per authentication method. The HTTP auth (index_http.php) and SAML SSO (index_sso.php) login paths call CUser::loginByUsername() which hardcodes ZBX_SESSION_ACTIVE, ignoring the user's mfaid entirely. This grants a fully active session with no MFA challenge using the same user account and password.

Affected Versions

Zabbix (all versions with MFA support)

Details

Both CUser::login() and CUser::loginByUsername() compute mfaid from the same user group membership via addUserGroupFields(). However, loginByUsername() unconditionally passes ZBX_SESSION_ACTIVE to createSession(), discarding the MFA requirement:

login()           → mfaid respected → createSession(CONFIRMATION_REQUIRED) ✓
loginByUsername() → mfaid ignored   → createSession(ACTIVE)              ✗

The root cause is in CUser.php:2416. The HTTP auth and SAML SSO entry points contain no references to mfaid or index_mfa.php.

Preconditions: - HTTP auth or SAML SSO enabled alongside internal auth - Victim user is in a group with MFA required - Global MFA enabled

Impact

Complete MFA bypass, provided HTTP auth or SAML is configured.

Remediation

No fix — Zabbix considers this not a security vulnerability.

Timeline

2026-06-06 — Disclosed to Zabbix
2026-06-08 — Zabbix responds: not a security vulnerability

Stack Buffer Overflow in ASP Handler

2026-06-05T18:00:00-07:00

Executive Summary

A binary analysis of the web CGI/ASP handling paths identified 1 confirmed vulnerability The issue is a critical stack out-of-bounds write in the wlscan ASP handler, caused by an unchecked copy length derived from parsed input. The path is marked reachable from network, so remote exploitation is feasible.

Binary Profile

Security Flags: PIE absent, NX absent, stack_canary absent, RELRO absent
Risk Level: Critical

Findings

1. Stack OOB Write in wlscan ASP Handler — Critical

Function: sub_415370 (wlscan ASP handler entry) @ 0x415370
CWE: CWE-787 — Out-of-bounds Write (also CWE-121 — Stack-based Buffer Overflow)
Category: memory_corruption
Reachability: reachable_from_network

Description

The handler performs strncpy(&str_1, &var_744, len) at 0x415730, where str_1 is only 0x80 bytes. The copy length is computed from pointer arithmetic ($s2_1 - &var_744) at 0x415734, based on parsed data from an input line buffer, with no upper-bound check against the destination size. If len exceeds 0x80, adjacent stack data can be overwritten. This creates a controllable memory-corruption primitive in a network-reachable code path.

Taint Chain

fgets @ 0x4156a0 (up to 0x200 bytes into &var_748)
→ strrchr(&var_748, ':') @ 0x415710
→ $s2_1 = strrchr_result - 0xe @ 0x415718
→ len = $s2_1 - &var_744 @ 0x415734 (no len <= 0x80 guard)
→ strncpy(&str_1, &var_744, len) @ 0x415730

Mitigations

Present: none
Absent: bounds_check, stack_canary, NX, PIE, RELRO

Race Condition in Temporary File Handling

2026-06-05T17:00:00-07:00

Executive Summary

A targeted review of five candidate functions identified 1 confirmed vulnerability in open_ssl_error_file. The issue is a high-severity TOCTOU race condition on a fixed path in /var/tmp, enabling unsafe file writes via symlink substitution. While the vulnerable path is reachable from network-driven logic, practical exploitation requires a local race precondition (filesystem namespace control), so purely remote-only exploitation is not directly feasible.

Binary Profile

Security Flags: PIE (absent), NX (absent), stack_canary (absent), RELRO (absent)
Risk Level: High

Findings

1. TOCTOU Race on Fixed `/var/tmp/https.error` Path — High

Function: open_ssl_error_file @ 0x41bb58
CWE: CWE-367 — Time-of-check Time-of-use (TOCTOU) Race Condition
Category: other
Reachability: reachable_from_network

Description

The function performs a non-atomic check-then-use sequence on the same pathname: stat("/var/tmp/https.error"), conditional unlink("/var/tmp/https.error"), then fopen("/var/tmp/https.error", "a+"). Because /var/tmp is attacker-writable, an attacker can swap the path to a symlink between these operations. This race can redirect file writes to an attacker-chosen target file.

Taint Chain

filesystem namespace control in /var/tmp before stat @ 0x41bb80 -> size check on stat result (var_74) @ 0x41bb90/0x41bb94 -> conditional unlink on same path @ 0x41bbcc -> fopen("/var/tmp/https.error", "a+") @ 0x41bba8

Mitigations

Present: none
Absent: O_NOFOLLOW, fd_post_open_fstat_validation, PIE, NX, stack_canary, RELRO

Signedness Error in Network Read Path

2026-06-05T16:00:00-07:00

Executive Summary

The analyzed binary’s Explorer-flagged read/write paths were reviewed for, and 2 high-severity findings were confirmed. Both issues are signedness flaws where an error sentinel (0xffffffff) from web_read is propagated into an unsigned size parameter for f_write, creating oversized memory operations. Overall risk is High; exploitation appears remotely reachable via network input, but requires the read-error precondition to trigger the sentinel path.

Binary Profile

Security Flags: PIE: absent, NX: absent, stack_canary: absent, RELRO: absent
Risk Level: High

Findings

1. Signed Error Sentinel Used as `f_write` Length in `sub_41a6ac` — High

Function: sub_41a6ac @ 0x41a6ac
CWE: CWE-195 — Signed to Unsigned Conversion Error; CWE-196 — Unsigned to Signed Conversion Error
Category: memory_corruption
Reachability: reachable_from_network

Description

sub_41a6ac allocates a bounded heap buffer and then uses the return value of web_read directly as the length argument to f_write. In web_read, the error path returns 0xffffffff (0x4196b4). Without a positivity/error check before the sink, this sentinel is interpreted as a very large unsigned size, causing oversized read behavior from the heap buffer with crash or potential information disclosure impact.

Taint Chain

web_read/fread error sentinel 0xffffffff @ 0x4196b4 →
$v0_4#4 = web_read(...) @ 0x41a798 → $s0_1#3 = $v0_4#4 @ 0x41a7a8 → $a2_1#1 = $s0_1#3 @ 0x41a818 →
f_write(..., $a2_1#1, ...) @ 0x41a814

Mitigations

Present: none
Absent: bounds_check, stack_canary, PIE, NX, RELRO

2. Repeated Signedness Length Propagation in `sub_41ab84` — High

Function: sub_41ab84 @ 0x41ab84
CWE: CWE-195 — Signed to Unsigned Conversion Error; CWE-196 — Unsigned to Signed Conversion Error
Category: memory_corruption
Reachability: reachable_from_network

Description

sub_41ab84 repeats the same pattern: it stores web_read’s return value and forwards it directly to f_write as size. If web_read returns 0xffffffff on read failure, the sink consumes it as a huge unsigned length. This enables an oversized operation against the allocated input buffer and can lead to memory safety failures.

Taint Chain

web_read/fread error sentinel 0xffffffff @ 0x4196b4 →
$v0_5#5 = web_read(...) @ 0x41ac68 → $s0_1#3 = $v0_5#5 @ 0x41ac78 → $a2_1#1 = $s0_1#3 @ 0x41acbc →
f_write(..., $a2_1#1, ...) @ 0x41acb8

Mitigations

Present: none
Absent: bounds_check, stack_canary, PIE, NX, RELRO

Recommendation

At the call site in sub_41ab84, gate f_write on successful, non-negative read lengths and clamp to the buffer’s allocated size before passing a2 at 0x41acb8. Centralize this check in a shared helper to prevent recurrence across similar read/write paths.

Path Traversal in File Handler

2026-06-05T15:00:00-07:00

Executive Summary

One high-severity vulnerability was confirmed in the analyzed binary The issue is a CWE-22 path traversal in sub_40fa90, where attacker-controlled input reaches filesystem APIs without normalization or confinement checks. Exploitation is remotely reachable via network input.

Binary Profile

Security Flags: PIE: absent, NX: absent, stack_canary: absent, RELRO: absent
Risk Level: High

Findings

1. Unsanitized User Path Reaching File APIs (Path Traversal) — High

Function: sub_40fa90 @ 0x40fa90
CWE: CWE-22 — Path Traversal
Category: other
Reachability: reachable_from_network

Description

The handler reads attacker-controlled filename from webcgi_get("filename") and uses it directly in file-operation sinks. The value flows into fopen and multiple unlink calls without realpath-style canonicalization or root-directory confinement checks. This allows traversal inputs (for example ../../...) or absolute paths to access or delete unintended files. Because the input is network-reachable, this creates a high-risk arbitrary file access/deletion condition.

Taint Chain

webcgi_get("filename") @ 0x40faec
→ filename#2 assigned from web input
→ $s1_1 propagated into branch-specific sink arguments
→ fopen @ 0x410068 (also 0x410380) and unlink @ 0x40fe88 (also 0x40fe4c/0x40fd98/0x410278/0x4104d4)

Mitigations

Present: none
Absent: stack_canary, PIE, NX, RELRO, path_canonicalization, path_confinement_check

OS Command Injection via Web Interface

2026-06-05T12:00:00-07:00

Executive Summary

A firmware binary was analyzed for command-execution weaknesses The analysis confirmed 2 high-severity findings, both involving user-influenced network input embedded into shell command strings and executed via system/popen. Overall risk is High; remote exploitation is feasible from network-reachable paths.

Binary Profile

Security Flags: PIE (absent), NX (absent), stack_canary (absent), RELRO (absent)
Risk Level: High

Findings

1. CGI `user` Parameter Reaches `system` Command — High

Function: sub_407bcc @ 0x407bcc
CWE: CWE-78 — OS Command Injection
Category: command_injection
Reachability: reachable_from_network

Description

The function reads CGI parameter user using webcgi_get("user") and formats it into pam_tally2 -u %s -r with snprintf. The resulting string is executed with system, creating a direct shell injection surface. No strict allowlist validation of the substituted user value is performed in this function, so shell metacharacters can alter command behavior.

Taint Chain

webcgi_get("user") @ 0x407c10 -> $s1 <- result @ 0x407c20 -> snprintf(&var_110, 0x100, 0x4206e4, $s1) @ 0x407c68 -> system(&var_110) @ 0x407c78

Mitigations

Present: none
Absent: PIE, NX, stack_canary, RELRO, strict_input_allowlist

2. Captive Portal Request Slice Injected into `system`/`popen` — High

Function: get_captive_portal_auth @ 0x41b6c0
CWE: CWE-78 — OS Command Injection
Category: command_injection
Reachability: reachable_from_network

Description

A request-derived buffer (arg1) is offset (arg1 + 4) and inserted as %s into shell templates chilli_query list |grep %s and chilli_query authorize ip %s. These commands are executed by popen and system, respectively. Although credential checks exist (portal_lo_un/portal_lo_pw), the shell-substituted argument itself is not strictly validated, enabling command injection via crafted input.

Taint Chain

request-derived arg1 buffer ($s0 <- arg1 @ 0x41b6fc) -> $s2_1 <- $s0 + 4 @ 0x41b8f8 / 0x41b844 -> snprintf(..., 0x4252d4, $s2_1) @ 0x41b90c and snprintf(..., 0x425340, $s2_1) @ 0x41b860 -> system(command) @ 0x41b8c8 and popen(command) @ 0x41b924

Mitigations

Present: none
Absent: PIE, NX, stack_canary, RELRO, command_argument_validation

Hardcoded Default Credentials

2026-06-05T11:00:00-07:00

Executive Summary

A binary analysis of authentication-related code paths identified 1 security finding: a high-severity CWE-798 hardcoded/default credential pattern. The issue is located in sub_4072ec, where an embedded password literal ("123456") is used in an admin-password comparison flow.

Binary Profile

Security Flags: PIE (absent), NX (absent), stack_canary (absent), RELRO (absent)
Risk Level: High

Findings

1. Hardcoded Default Admin Password Literal — High

Function: sub_4072ec (passwd_risk handler) @ 0x4072ec
CWE: CWE-798 — Use of Hard-coded Credentials
Category: info_leak
Reachability: unknown

Description

The binary embeds a fixed admin password literal "123456" at 0x42046c and uses it in nvram_default_match("adm_passwd", "123456", 0) at 0x407318. This creates a hardcoded/default credential condition that can be recovered through static binary analysis. If deployed devices retain default credentials, an attacker can attempt authentication using this known value.

Taint Chain

embedded credential literal "123456" @ 0x42046c
→ "adm_passwd" key literal @ 0x420460
→ comparison result branches to passwd_risk=1/0 output @ 0x420474 / 0x420484
→ nvram_default_match @ 0x407318

Mitigations

Present: none
Absent: PIE, NX, stack_canary, RELRO

Sensitive Data Exposure in Logs

2026-06-05T10:00:00-07:00

Executive Summary

An authentication-related binary path was analyzed (including get_captive_portal_auth), and 1 vulnerability was confirmed. The issue is a medium-severity CWE-532 information leak where configured portal credentials are written to syslog in plaintext on auth failure.

Binary Profile

Security Flags: PIE absent / NX absent / stack_canary absent / RELRO absent
Risk Level: Medium

Findings

1. Sensitive Portal Credentials Logged on Authentication Failure — Medium

Function: get_captive_portal_auth @ 0x41b6c0
CWE: CWE-532 — Insertion of Sensitive Information into Log File
Category: info_leak
Reachability: reachable_from_network

Description

At 0x41b998, the function calls syslog with format string "portal auth failed [%s] [%s]" and includes values derived from authentication fields and stored portal credentials. SSA evidence shows values from nvram_safe_get("portal_lo_un") and nvram_safe_get("portal_lo_pw") flow into syslog arguments without redaction. This can expose plaintext configured username/password values in logs when authentication fails. Because the code path is network-reachable, remote requests can trigger repeated sensitive log entries.

Taint Chain

nvram_safe_get("portal_lo_pw") @ 0x41b7d8
→ str2#6 = phi(str2_1,str2_2) @ 0x41b990
→ $a3_3#7 = str2#6 @ 0x41b994
(+ parallel input str1#7 from arg1 offsets +0x14/+0x94 via phi @ 0x41b990)
→ syslog(6, "portal auth failed [%s] [%s]", ...) @ 0x41b998

Mitigations

Present: none
Absent: credential_redaction, stack_canary, PIE, NX, RELRO

Argus Proof of Possession

MongoDB - Pre-auth Remote ████ ████████████ out-of-bounds read

Report digest

OpenBSD - Remote Kernel PAP Authentication Bypass

Executive Summary

Details

Reachability

Impact

Timeline

OpenBSD - Pre-auth Remote Kernel ███ Heap Over-Read

Report digest

OpenBSD - Pre-auth Remote Kernel ████ Stack Disclosure

Report digest

MongoDB - Pre-auth Remote ████ ████████████ out-of-bounds read

Report digest

MongoDB - Pre-auth Remote ████ ███████ out-of-bounds read

Report digest

IDOR in Report Test — Low-Privilege User Can Access Any User's Dashboard Reports

Summary

Affected Versions

Details

Impact

Remediation

SQL Injection via OAuth2 Token Refresh Response

Summary

Affected Versions

Details

Impact

Remediation

Timeline

SSH Connection Reuse Authentication-Context Bypass

Executive Summary

Affected Versions

Details

Impact

Remediation

MFA Bypass via Federated Login Paths

Summary

Affected Versions

Details

Impact

Remediation

Timeline

Stack Buffer Overflow in ASP Handler

Executive Summary

Binary Profile

Findings

1. Stack OOB Write in wlscan ASP Handler — Critical

Race Condition in Temporary File Handling

Executive Summary

Binary Profile

Findings

1. TOCTOU Race on Fixed /var/tmp/https.error Path — High

Signedness Error in Network Read Path

Executive Summary

Binary Profile

Findings

1. Signed Error Sentinel Used as f_write Length in sub_41a6ac — High

2. Repeated Signedness Length Propagation in sub_41ab84 — High

Path Traversal in File Handler

Executive Summary

Binary Profile

Findings

1. Unsanitized User Path Reaching File APIs (Path Traversal) — High

OS Command Injection via Web Interface

Executive Summary

Binary Profile

Findings

1. CGI user Parameter Reaches system Command — High

2. Captive Portal Request Slice Injected into system/popen — High

Hardcoded Default Credentials

Executive Summary

Binary Profile

Findings

1. Hardcoded Default Admin Password Literal — High

Sensitive Data Exposure in Logs

Executive Summary

Binary Profile

Findings

1. Sensitive Portal Credentials Logged on Authentication Failure — Medium

1. TOCTOU Race on Fixed `/var/tmp/https.error` Path — High

1. Signed Error Sentinel Used as `f_write` Length in `sub_41a6ac` — High

2. Repeated Signedness Length Propagation in `sub_41ab84` — High

1. CGI `user` Parameter Reaches `system` Command — High

2. Captive Portal Request Slice Injected into `system`/`popen` — High