CVE-2013-4659
published 2017-03-14

Priority: P267 · critical · 9.8 (CVSS 3.0)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 13.92% (96.1th percentile)
Buffer overflow in Broadcom ACSD allows remote attackers to execute arbitrary code via a long string to TCP port 5916. This component is used on routers of multiple vendors including ASUS RT-AC66U and TRENDnet TEW-812DRU.

Detection & IOCs (extracted from sources)

port: TCP/5916
command: autochannel&param=
process: acsd
command: telnetd -l /bin/sh
bytes:
\x6c\x6e\x08\x3c\x74\x65\x08\x35\xec\xff\xa8\xaf\x64\x20\x09\x3c\x65\x74\x29\x35\xf0\xff\xa9\xaf\x20\x2f\x0a\x3c\x2d\x6c\x4a\x35\xf4\xff\xaa\xaf\x6e\x2f\x0b\x3c\x62\x69\x6b\x35\xf8\xff\xab\xaf\x73\x68\x0c\x24\xfc\xff\xac\xaf\xec\xff\xa4\x23\xec\xff\xbd\x23\xb4\x2a\x19\x3c\x50\xf0\x39\x37\x09\xf8\x20\x03\x32\x41\x61\x33
  • Monitor for inbound TCP connections to port 5916 on router/embedded devices; any traffic to this port targeting Broadcom ACSD should be treated as suspicious and inspected for oversized payloads indicative of a buffer overflow attempt.
  • Detect exploit payloads by inspecting TCP/5916 traffic for the string 'autochannel&param=' followed by a large junk buffer (~510+ bytes of repeated characters such as 0x42).
  • Alert on the presence of the 80-byte MIPS shellcode signature (starting \x6c\x6e\x08\x3c\x74\x65\x08\x35) in network streams on TCP/5916, which spawns a root telnetd shell.
  • Post-exploitation indicator: monitor for unexpected spawning of 'telnetd' with arguments '-l /bin/sh' on affected router devices, indicating successful code execution via CVE-2013-4659.
  • The exploit also uses 'autochannel&data' and 'csscan&ifname' as vulnerable command variants against the acsd service; monitor TCP/5916 for any of these command strings.
  • The exploit and shellcode were developed and tested specifically against firmware version 3.0.0.4.266 of the ASUS RT-AC66U; ROP gadget offsets are hardcoded to libc_base 0x2ab25000 and may not apply to other firmware versions or vendors (e.g., TRENDnet TEW-812DRU).
  • The Broadcom ACSD component is shared across multiple vendor routers; the CVE affects at minimum ASUS RT-AC66U and TRENDnet TEW-812DRU, so detection rules should not be scoped to a single vendor.
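
The network-side checks listed above can be combined into one payload inspector. This is an added example, not code from the exploit or from any vendor: the function names, finding tags and the two size thresholds are assumptions, and the sample payloads are constructed for illustration.

```python
import re

# Indicators taken from the detection notes above.
ACSD_PORT = 5916
COMMANDS = (b"autochannel&param=", b"autochannel&data", b"csscan&ifname")
SHELLCODE_PREFIX = bytes.fromhex("6c6e083c74650835")  # first 8 bytes only

# Assumed, tunable thresholds: the notes only say "~510+ bytes" of junk.
MAX_PAYLOAD = 256     # any acsd command longer than this is flagged
MIN_JUNK_RUN = 64     # run of one repeated byte (e.g. 0x42)
_JUNK_RUN = re.compile(rb"(.)\1{%d,}" % (MIN_JUNK_RUN - 1), re.DOTALL)


def inspect_acsd_payload(dst_port, payload):
    """Return sorted finding tags for one reassembled TCP payload."""
    if dst_port != ACSD_PORT:
        return []
    findings = {"acsd-port-traffic"}          # suspicious on its own
    if any(cmd in payload for cmd in COMMANDS):
        findings.add("acsd-command")
        if len(payload) > MAX_PAYLOAD:
            findings.add("oversized-command")
    if _JUNK_RUN.search(payload):
        findings.add("repeated-byte-run")
    if SHELLCODE_PREFIX in payload:
        findings.add("shellcode-prefix")
    return sorted(findings)


def triage(findings):
    """Map findings to an action: 'ignore', 'review' or 'alert'."""
    if not findings:
        return "ignore"
    high = {"oversized-command", "shellcode-prefix"}
    return "alert" if high & set(findings) else "review"


# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "short command": b"autochannel&param=1",
    "oversized junk": b"autochannel&param=" + b"\x42" * 510,
    "junk plus prefix": b"csscan&ifname" + b"\x42" * 510 + SHELLCODE_PREFIX,
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        tags = inspect_acsd_payload(ACSD_PORT, data)
        print(f"{name:18} {triage(tags):7} {tags}")
```

Feed it reassembled stream payloads rather than single packets, since a long command can be split across TCP segments.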

CVSS provenance

nvd · v3.0 · 9.8 CRITICAL · CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 10.0 CRITICAL · AV:N/AC:L/Au:N/C:C/I:C/A:C