cbcvebase.
CVE-2014-9583
published 2015-01-08


Priority: P1 · 83 · critical · 10 (CVSS 2.0)
AV:N / AC:L / Au:N / C:C / I:C / A:C
ITW EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 80.73% (99.6th percentile)
common.c in infosvr in ASUS WRT firmware 3.0.0.4.376_1071, 3.0.0.376.2524-g0013f52, and other versions, as used in RT-AC66U, RT-N66U, and other routers, does not properly check the MAC address for a request, which allows remote attackers to bypass authentication and execute arbitrary commands via a NET_CMD_ID_MANU_CMD packet to UDP port 9999. NOTE: this issue was incorrectly mapped to CVE-2014-10000, but that ID is invalid due to its use as an example of the 2014 CVE ID syntax change.

Affected (3 ranges)

Vendor      Product            Version range   Fixed in
            asuswrt_firmware
            asuswrt_firmware
t-mobile    tm-ac1900

Detection & IOCs (extracted from sources)

port: UDP/9999
ip: 78.128.92.137
url: http://78.128.92.137/.nttpd,17-mips-le-t1
filename: .nttpd
filename: nmlt1.sh
hash: c44f2d8ad37c18ea84a99db584d6992d
port: UDP/5143
port: TCP/4543
path: /tmp/.nttpd
bytes: 0C 15 33 00 [4 random bytes] 00*38 <LE word: cmd_len> <cmd>
sigma: 1130327 EXPLOIT ASUSWRT 3.0.0.4.376_1071 LAN Backdoor Command Execution (CVE-2014-9583)
  • Detect UDP packets to port 9999 with the NET_CMD_ID_MANU_CMD opcode. The exploit packet starts with bytes 0x0C 0x15 0x33 0x00 and is padded to 512 bytes total.
  • The exploit response packet has PacketType byte == 0x16 (22 decimal) at offset 1 and total length of 512 bytes; filter for UDP/9999 responses matching this signature.
  • Monitor for the TheMoon bot dropping and executing a hidden file named '.nttpd' in /tmp on MIPS Linux devices; the file is fetched via wget from an attacker-controlled HTTP server.
  • After compromise, the TheMoon bot installs iptables rules to block other attackers from re-exploiting CVE-2014-9583 (UDP/9999) and opens UDP/5143 for P2P C2 communication; anomalous iptables modifications on ASUS routers are a strong post-exploitation indicator.
  • The Metasploit module for this CVE launches a BusyBox Telnet daemon on port 4444 (default TelnetPort option) after exploitation; detect unexpected telnet listeners on ASUS routers.
  • The MAC address field in the infosvr packet is not properly validated (memcpy instead of memcmp); any crafted packet with a zeroed or arbitrary MAC field targeting UDP/9999 should be treated as an exploitation attempt.
  • The TheMoon bot communicates with peers over TCP/4543 to download and execute additional payloads; monitor for outbound TCP/4543 connections from ASUS router IPs.
  • The exploit only works from the LAN side by default; the infosvr service listens on the LAN bridge interface, so external internet-facing detection may not be applicable unless the router is misconfigured.
  • Command payload is limited to 237 usable bytes; strings longer than 237 bytes cause a buffer overflow and may crash the infosvr service rather than executing the command.
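The detection notes above can be turned directly into a packet classifier. The following is an added example written for this page from the byte layout and indicators listed here; it is not code from cbcvebase, ASUS, the Sigma/ET rule, or the Metasploit module. It assumes the unchecked MAC field occupies the first 6 of the 38 zero bytes (offset 8), which the page's layout implies but does not state, and all sample datagrams are constructed for the demonstration rather than captured traffic.

```python
"""Offline classifier for the CVE-2014-9583 infosvr indicators listed above.

Added example built from the packet layout and IoCs on this page; not code
from cbcvebase, ASUS, or any referenced detection rule. Sample datagrams are
constructed for the demonstration, not captured traffic.
"""
import struct

INFOSVR_PORT = 9999
PACKET_LEN = 512                  # exploit request and response are padded to 512 bytes
CMD_MAGIC = b"\x0c\x15\x33\x00"   # ServiceID, PacketType 0x15, OpCode 0x0033 LE (NET_CMD_ID_MANU_CMD)
RES_PACKET_TYPE = 0x16            # PacketType byte at offset 1 of the response (22 decimal)
MAC_OFFSET, MAC_LEN = 8, 6        # assumption: MAC field = first 6 of the 38 zero bytes
CMD_LEN_OFFSET = 46               # magic(4) + random(4) + 38 zero bytes, then <LE word: cmd_len>
CMD_OFFSET = 48                   # command text follows the length word
MAX_SAFE_CMD = 237                # longer commands overflow infosvr instead of executing

# TheMoon post-exploitation ports from the IoC list
THEMOON_P2P_UDP = 5143
THEMOON_PAYLOAD_TCP = 4543


def inspect_datagram(proto, src_port, dst_port, payload):
    """Classify one datagram; return a finding dict, or None if nothing matched."""
    if proto == "udp" and len(payload) == PACKET_LEN:
        if dst_port == INFOSVR_PORT and payload.startswith(CMD_MAGIC):
            mac = payload[MAC_OFFSET:MAC_OFFSET + MAC_LEN]
            (cmd_len,) = struct.unpack_from("<H", payload, CMD_LEN_OFFSET)
            # clamp the slice so a bogus length field cannot read past the packet
            cmd = payload[CMD_OFFSET:CMD_OFFSET + min(cmd_len, PACKET_LEN - CMD_OFFSET)]
            return {
                "kind": "infosvr_manu_cmd_request",
                "mac_zeroed": mac == b"\x00" * MAC_LEN,
                "cmd_len": cmd_len,
                "cmd": cmd.decode("ascii", "replace"),
                "overflow_attempt": cmd_len > MAX_SAFE_CMD,
            }
        if src_port == INFOSVR_PORT and payload[1] == RES_PACKET_TYPE:
            return {"kind": "infosvr_manu_cmd_response"}
    if proto == "udp" and THEMOON_P2P_UDP in (src_port, dst_port):
        return {"kind": "themoon_p2p_udp5143"}
    if proto == "tcp" and dst_port == THEMOON_PAYLOAD_TCP:
        return {"kind": "themoon_payload_fetch_tcp4543"}
    return None


def scan(datagrams):
    """Run inspect_datagram over (proto, src_port, dst_port, payload) tuples."""
    findings = []
    for proto, sport, dport, payload in datagrams:
        finding = inspect_datagram(proto, sport, dport, payload)
        if finding:
            findings.append(finding)
    return findings


def _padded(prefix):
    """Pad a constructed prefix to the 512-byte infosvr packet size."""
    return prefix.ljust(PACKET_LEN, b"\x00")


# Constructed samples (not captured traffic): a request carrying a harmless
# placeholder string, one whose length field exceeds the 237-byte limit,
# a 512-byte response with PacketType 0x16, and an unrelated short datagram.
_CMD = b"CONSTRUCTED_PLACEHOLDER"
SAMPLE_REQUEST = _padded(CMD_MAGIC + b"\x01\x02\x03\x04" + b"\x00" * 38
                         + struct.pack("<H", len(_CMD)) + _CMD)
SAMPLE_OVERSIZED = _padded(CMD_MAGIC + b"\x00" * 42 + struct.pack("<H", 300) + b"A" * 300)
SAMPLE_RESPONSE = _padded(b"\x0c\x16")
SAMPLE_BENIGN = b"\x12\x34\x01\x00" + b"\x00" * 8

if __name__ == "__main__":
    for finding in scan([("udp", 40000, 9999, SAMPLE_REQUEST),
                         ("udp", 40000, 9999, SAMPLE_OVERSIZED),
                         ("udp", 9999, 40000, SAMPLE_RESPONSE),
                         ("udp", 40001, 53, SAMPLE_BENIGN),
                         ("tcp", 50000, 4543, b"")]):
        print(finding)
```

The length check comes first because both the request and the response are exactly 512 bytes, which cheaply excludes almost all other UDP traffic before any byte comparison; the `overflow_attempt` flag separates a failed attempt that probably crashed infosvr from one that likely ran the command, which matters when deciding whether to treat the router as compromised.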

CVSS provenance

nvd: v2.0 · 10.0 CRITICAL · AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck: 10.0 CRITICAL