Vulnerabilities > CVE-2018-5999 - Unspecified vulnerability in Asus Asuswrt 3.0.0.4.378/3.0.0.4.380.7743/3.0.0.4.384.20308
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
COMPLETE Integrity impact
COMPLETE Availability impact
COMPLETE Summary
An issue was discovered in AsusWRT before 3.0.0.4.384_10007. In the handle_request function in router/httpd/httpd.c, processing of POST requests continues even if authentication fails.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| OS | 3 |
Exploit-Db
description AsusWRT Router < 3.0.0.4.380.7743 - Unauthenticated LAN Remote Code Execution. CVE-2018-5999,CVE-2018-6000. Remote exploit for Hardware platform file exploits/hardware/remote/43881.txt id EDB-ID:43881 last seen 2018-01-25 modified 2018-01-22 platform hardware port published 2018-01-22 reporter Exploit-DB source https://www.exploit-db.com/download/43881/ title AsusWRT Router < 3.0.0.4.380.7743 - Unauthenticated LAN Remote Code Execution type remote description AsusWRT LAN - Unauthenticated Remote Code Execution (Metasploit). CVE-2018-5999,CVE-2018-6000. Remote exploit for Hardware platform. Tags: Metasploit Framewo... file exploits/hardware/remote/44176.rb id EDB-ID:44176 last seen 2018-02-26 modified 2018-02-26 platform hardware port 9999 published 2018-02-26 reporter Exploit-DB source https://www.exploit-db.com/download/44176/ title AsusWRT LAN - Unauthenticated Remote Code Execution (Metasploit) type remote
Metasploit
| description | The HTTP server in AsusWRT has a flaw where it allows an unauthenticated client to perform a POST in certain cases. This can be combined with another vulnerability in the VPN configuration upload routine that sets NVRAM configuration variables directly from the POST request to enable a special command mode. This command mode can then be abused by sending a UDP packet to infosvr, which is running on port UDP 9999 to directly execute commands as root. This exploit leverages that to start telnetd in a random port, and then connects to it. It has been tested with the RT-AC68U running AsusWRT Version 3.0.0.4.380.7743. |
| id | MSF:EXPLOIT/LINUX/HTTP/ASUSWRT_LAN_RCE |
| last seen | 2020-06-10 |
| modified | 2019-08-15 |
| published | 2018-01-22 |
| references |
|
| reporter | Rapid7 |
| source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/http/asuswrt_lan_rce.rb |
| title | AsusWRT LAN Unauthenticated Remote Code Execution |
Packetstorm
data source https://packetstormsecurity.com/files/download/146102/asuswrt3-exec.txt id PACKETSTORM:146102 last seen 2018-01-26 published 2018-01-26 reporter Pedro Ribeiro source https://packetstormsecurity.com/files/146102/AsusWRT-Router-Remote-Code-Execution.html title AsusWRT Router Remote Code Execution data source https://packetstormsecurity.com/files/download/146560/asuswrt_lan_rce.rb.txt id PACKETSTORM:146560 last seen 2018-02-24 published 2018-02-23 reporter Pedro Ribeiro source https://packetstormsecurity.com/files/146560/AsusWRT-LAN-Unauthenticated-Remote-Code-Execution.html title AsusWRT LAN Unauthenticated Remote Code Execution
Saint
| description | ASUSWRT vpnupload.cgi authentication bypass |
| title | asuswrt_vpnupload_auth_bypass |
| type | remote |
References
- https://blogs.securiteam.com/index.php/archives/3589
- https://github.com/pedrib/PoC/blob/master/advisories/asuswrt-lan-rce.txt
- https://raw.githubusercontent.com/pedrib/PoC/master/exploits/metasploit/asuswrt_lan_rce.rb
- https://www.exploit-db.com/exploits/43881/
- https://www.exploit-db.com/exploits/44176/