ASUS router command execution vulnerability CVE-2014-9583

A serious security vulnerability exists in the firmware of the ASUS router, allowing unauthenticated command execution.

CVE

CVE-2014-9583

Affected Versions

All known router firmware versions (RT-AC66U, RT-N66U, etc.) are currently believed to be affected. Testing was performed on firmware 3.0.0.376.2524-g0013f52.

Technical details

The code discussed below is taken from the ASUSWRT-Merlin project, an enhanced fork of the ASUS firmware source.

After receiving a packet of INFO_PDU_LENGTH (512 bytes), the ProcessPacket function is called; the vulnerable code path is main -> processReq -> processPacket. The service casts the packet to a structure and checks that the ServiceID and PacketType fields match the expected values.

The following code snippet contains the root cause of the vulnerability:

This segment dispatches on several OpCode values, and by design none of them requires authentication. It then calls memcpy and checks whether the return value is non-zero, a check that only makes sense for memcmp, so the author evidently intended memcmp. Even if the comparison were performed correctly, matching the device's MAC address would not be sufficient authentication.
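The memcpy/memcmp confusion described above is a bug class worth seeing in isolation. The program below is an added illustration written for this page, not code from ASUS or ASUSWRT-Merlin: the MAC values, the function names and the check_result structure are all constructed. It places a check written with memcpy beside the intended memcmp version and shows two consequences of the mistake: memcpy returns its destination pointer (never 0), so the "!= 0" test accepts any address, and the copy overwrites the request's MAC with the device's own, so any later comparison would succeed as well. A MAC address is also not a secret, which is why even the corrected check is no substitute for real authentication.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAC_LEN 6

/* Constructed sample values: the MAC the device believes is its own and
 * the MAC carried in an unsolicited request. Neither is a real address. */
static const unsigned char DEVICE_MAC[MAC_LEN] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55};
static const unsigned char REQUEST_MAC[MAC_LEN] = {0x41, 0x41, 0x41, 0x41, 0x41, 0x41};

/* Buggy pattern (hypothetical, modelled on the bug class, not vendor code):
 * memcpy returns its destination pointer, never 0, so "!= 0" is always
 * true. As a side effect the request's MAC is overwritten with the
 * device's, so a later memcmp on the same buffer would also pass. */
static bool mac_matches_buggy(unsigned char *request_mac, const unsigned char *device_mac)
{
    return memcpy(request_mac, device_mac, MAC_LEN) != 0;
}

/* Intended comparison: memcmp returns 0 only when all six bytes agree. */
static bool mac_matches(const unsigned char *request_mac, const unsigned char *device_mac)
{
    return memcmp(request_mac, device_mac, MAC_LEN) == 0;
}

typedef struct {
    bool correct_accepted;         /* memcmp check accepted the mismatched MAC */
    bool buggy_accepted;           /* memcpy check accepted the mismatched MAC */
    bool buggy_clobbered_request;  /* memcpy check overwrote the request's MAC */
} check_result;

/* Runs both checks on a fresh copy of the request MAC and reports what
 * each one decided and whether the buggy one modified the packet. */
static check_result compare_checks(void)
{
    unsigned char pkt_mac[MAC_LEN];
    check_result r;

    memcpy(pkt_mac, REQUEST_MAC, MAC_LEN);
    r.correct_accepted = mac_matches(pkt_mac, DEVICE_MAC);      /* false */

    memcpy(pkt_mac, REQUEST_MAC, MAC_LEN);
    r.buggy_accepted = mac_matches_buggy(pkt_mac, DEVICE_MAC);  /* true */
    r.buggy_clobbered_request = memcmp(pkt_mac, DEVICE_MAC, MAC_LEN) == 0; /* true */
    return r;
}

int main(void)
{
    check_result r = compare_checks();
    printf("memcmp check accepted mismatched MAC: %s\n", r.correct_accepted ? "yes" : "no");
    printf("memcpy check accepted mismatched MAC: %s\n", r.buggy_accepted ? "yes" : "no");
    printf("memcpy check overwrote request MAC:   %s\n", r.buggy_clobbered_request ? "yes" : "no");
    return 0;
}
```

Compiling with warnings enabled (for example -Wall with gcc or clang) flags the comparison of a pointer against an integer, which is the quickest way to catch this pattern in a code review of any packet handler that "checks" a field with memcpy.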


Although the following code segment is commented out, it shows that the author at some point tried to check a password. In the current code the password is hard-coded as "admin ".

The following switch statement allocates processes based on the provided OpCode:

If the attacker specifies the OpCode value net_assist_id_manu_cmd, the preceding block casts the packet into a PKT_SYSCMD structure for processing, so every field of syscmd is fully under the attacker's control. Before the command string is terminated, the command is executed at line 514. The output is then read back from a temporary file and sent to the source address of the packet that triggered it.

Suggestions

Remove the remote command execution functionality.


Temporary solution


We recommend blocking port 9999 at the firewall. In addition, the infosvr service can be disabled after each boot by killing the process. Ironically, the exploit itself can be used for this purpose:

$ ./asus-cmd "killall -9 infosvr"
[...]

Exploitation

$ ./asus-cmd "nvram show | grep -E '(firmver|buildno|extendno)'"
[*] sent command: nvram show | grep -E '(firmver|buildno|extendno)'
[!] received 512 bytes from 10.0.0.2:37625
    0c 15 0033 54ab7bc4 41:41:41:41:41:41    0031 nvram show | grep -E '(firmver|buildno|extendno)'
[!] received 512 bytes from 10.0.0.1:9999
    0c 16 0033 54ab7bc4 xx:xx:xx:xx:xx:xx    004e buildno=376
extendno_org=2524-g0013f52
extendno=2524-g0013f52
firmver=3.0.0.4
