CVE-2013-4659
Published 2017-03-14
Priority: P267, critical, 9.8 (CVSS 3.0)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 13.92% (96.1th percentile)
Buffer overflow in Broadcom ACSD allows remote attackers to execute arbitrary code via a long string to TCP port 5916. This component is used on routers of multiple vendors including ASUS RT-AC66U and TRENDnet TEW-812DRU.
Detection & IOCs (extracted from sources)
- Monitor for inbound TCP connections to port 5916 on router/embedded devices; any traffic to this port targeting Broadcom ACSD should be treated as suspicious and inspected for oversized payloads indicative of a buffer overflow attempt.
- Detect exploit payloads by inspecting TCP/5916 traffic for the string 'autochannel&param=' followed by a large junk buffer (~510+ bytes of repeated characters such as 0x42).
- Alert on the presence of the 80-byte MIPS shellcode signature (starting \x6c\x6e\x08\x3c\x74\x65\x08\x35) in network streams on TCP/5916, which spawns a root telnetd shell.
- Post-exploitation indicator: monitor for unexpected spawning of 'telnetd' with arguments '-l /bin/sh' on affected router devices, indicating successful code execution via CVE-2013-4659.
- The exploit also uses 'autochannel&data' and 'csscan&ifname' as vulnerable command variants against the acsd service; monitor TCP/5916 for any of these command strings.
- The exploit and shellcode were developed and tested specifically against firmware version 3.0.0.4.266 of the ASUS RT-AC66U; ROP gadget offsets are hardcoded to libc_base 0x2ab25000 and may not apply to other firmware versions or vendors (e.g., TRENDnet TEW-812DRU).
- The Broadcom ACSD component is shared across multiple vendor routers; the CVE affects at minimum ASUS RT-AC66U and TRENDnet TEW-812DRU, so detection rules should not be scoped to a single vendor.
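The network-side checks in the list above, combined into one classifier for a reassembled TCP payload. This is an added example, not code from the original page or from any vendor tooling; the function names, the 256-byte run threshold and the sample payloads are constructed assumptions.

```python
import re

ACSD_PORT = 5916
# Command strings the page lists as vulnerable acsd command variants.
COMMANDS = (b"autochannel&param=", b"autochannel&data", b"csscan&ifname")
# First 8 bytes of the MIPS shellcode signature quoted on the page.
SHELLCODE_PREFIX = bytes.fromhex("6c6e083c74650835")
# Assumed threshold: the page cites ~510+ filler bytes, so alert well below that.
MAX_RUN = 256
_RUN = re.compile(rb"(.)\1{%d,}" % (MAX_RUN - 1), re.DOTALL)


def inspect(dst_port, payload):
    """Return the names of the detections that fire for one TCP payload."""
    if dst_port != ACSD_PORT:
        return []
    hits = ["tcp5916-inbound"]  # the page treats any traffic to acsd as suspicious
    if any(cmd in payload for cmd in COMMANDS):
        hits.append("acsd-command")
    if _RUN.search(payload):  # MAX_RUN or more identical consecutive bytes
        hits.append("long-repeated-run")
    if SHELLCODE_PREFIX in payload:
        hits.append("mips-shellcode-prefix")
    return hits


def severity(hits):
    """Map detections to a triage level (hypothetical scale for this example)."""
    if "mips-shellcode-prefix" in hits:
        return "high"
    if "acsd-command" in hits and "long-repeated-run" in hits:
        return "high"
    return "medium" if hits else "none"


# Constructed sample payloads, not captured traffic.
SAMPLES = [
    (80, b"GET / HTTP/1.1\r\n\r\n"),
    (5916, b"autochannel&param=1"),
    (5916, b"autochannel&param=" + b"\x42" * 600),
    (5916, b"\x00" * 16 + SHELLCODE_PREFIX + b"\x00" * 16),
]

if __name__ == "__main__":
    for port, data in SAMPLES:
        found = inspect(port, data)
        print(port, len(data), severity(found), found)
```

The port check comes first and no vendor or firmware value is consulted, which keeps the rule vendor-neutral as the last bullet recommends.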
CVSS provenance
- nvd, v3.0: 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- nvd, v2.0: 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
References
- http://www.linux-magazine.com/Issues/2014/161/Security-and-SOHO-Routers
- https://packetstormsecurity.com/files/122562/ASUS-RT-AC66U-ACSD-Remote-Root-Buffer-Overflow.html