AsusWRT LAN Unauthenticated Remote Code Execution

Posted by deepcore on February 24, 2018 – 3:45 pm

The HTTP server in AsusWRT has a flaw where it allows an unauthenticated client to perform a POST in certain cases. This can be combined with another vulnerability in the VPN configuration upload routine that sets NVRAM configuration variables directly from the POST request to enable a special command mode. This command mode can then be abused by sending a UDP packet to infosvr, which is running on port UDP 9999 to directly execute commands as root. This exploit leverages that to start telnetd in a random port, and then connects to it. It has been tested with the RT-AC68U running AsusWRT Version 3.0.0.4.380.7743.

This post is under “exploit” and has no respond so far.
If you enjoy this article, make sure you subscribe to my RSS Feed.

Post a reply

You must be logged in to post a comment.

« CloudMe Sync 1.10.9 Buffer Overflow Groupon Clone Script 3.0.2 Cross Site Scripting »

:: Deepquest ::

This site contains information which could be considered illegal in some countries. It is provided here for educational use only and is not intended to be used for illegal activities.

AsusWRT LAN Unauthenticated Remote Code Execution

Post a reply

Tabs Switcher

Categories

Archives

Meta

BLOGROLL