CVE-2018-6000 - Missing Authorization vulnerability in Asus Asuswrt 3.0.0.4.378/3.0.0.4.380.7743/3.0.0.4.384.20308
Attack vector | NETWORK |
Attack complexity | LOW |
Privileges required | NONE |
Confidentiality impact | HIGH |
Integrity impact | HIGH |
Availability impact | HIGH |
Summary
An issue was discovered in AsusWRT before 3.0.0.4.384_10007. The do_vpnupload_post function in router/httpd/web.c in vpnupload.cgi provides functionality for setting NVRAM configuration values, which allows attackers to set the admin password and launch an SSH daemon (or enable infosvr command mode), and consequently obtain remote administrative access, via a crafted request. This is available to unauthenticated attackers in conjunction with CVE-2018-5999.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
OS | | 4 |
Common Weakness Enumeration (CWE)
Exploit-Db
description | AsusWRT Router < 3.0.0.4.380.7743 - Unauthenticated LAN Remote Code Execution. CVE-2018-5999,CVE-2018-6000. Remote exploit for Hardware platform |
file | exploits/hardware/remote/43881.txt |
id | EDB-ID:43881 |
last seen | 2018-01-25 |
modified | 2018-01-22 |
platform | hardware |
port | |
published | 2018-01-22 |
reporter | Exploit-DB |
source | https://www.exploit-db.com/download/43881/ |
title | AsusWRT Router < 3.0.0.4.380.7743 - Unauthenticated LAN Remote Code Execution |
type | remote |

description | AsusWRT LAN - Unauthenticated Remote Code Execution (Metasploit). CVE-2018-5999,CVE-2018-6000. Remote exploit for Hardware platform. Tags: Metasploit Framewo... |
file | exploits/hardware/remote/44176.rb |
id | EDB-ID:44176 |
last seen | 2018-02-26 |
modified | 2018-02-26 |
platform | hardware |
port | 9999 |
published | 2018-02-26 |
reporter | Exploit-DB |
source | https://www.exploit-db.com/download/44176/ |
title | AsusWRT LAN - Unauthenticated Remote Code Execution (Metasploit) |
type | remote |
Metasploit
description | The HTTP server in AsusWRT has a flaw where it allows an unauthenticated client to perform a POST in certain cases. This can be combined with another vulnerability in the VPN configuration upload routine that sets NVRAM configuration variables directly from the POST request to enable a special command mode. This command mode can then be abused by sending a UDP packet to infosvr, which is running on UDP port 9999, to directly execute commands as root. This exploit leverages that to start telnetd on a random port, and then connects to it. It has been tested with the RT-AC68U running AsusWRT Version 3.0.0.4.380.7743. |
id | MSF:EXPLOIT/LINUX/HTTP/ASUSWRT_LAN_RCE |
last seen | 2020-06-10 |
modified | 2019-08-15 |
published | 2018-01-22 |
references |
|
reporter | Rapid7 |
source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/http/asuswrt_lan_rce.rb |
title | AsusWRT LAN Unauthenticated Remote Code Execution |
Packetstorm
data source | https://packetstormsecurity.com/files/download/146102/asuswrt3-exec.txt |
id | PACKETSTORM:146102 |
last seen | 2018-01-26 |
published | 2018-01-26 |
reporter | Pedro Ribeiro |
source | https://packetstormsecurity.com/files/146102/AsusWRT-Router-Remote-Code-Execution.html |
title | AsusWRT Router Remote Code Execution |

data source | https://packetstormsecurity.com/files/download/146560/asuswrt_lan_rce.rb.txt |
id | PACKETSTORM:146560 |
last seen | 2018-02-24 |
published | 2018-02-23 |
reporter | Pedro Ribeiro |
source | https://packetstormsecurity.com/files/146560/AsusWRT-LAN-Unauthenticated-Remote-Code-Execution.html |
title | AsusWRT LAN Unauthenticated Remote Code Execution |
References
- https://raw.githubusercontent.com/pedrib/PoC/master/exploits/metasploit/asuswrt_lan_rce.rb
- https://github.com/pedrib/PoC/blob/master/advisories/asuswrt-lan-rce.txt
- https://blogs.securiteam.com/index.php/archives/3589
- https://www.exploit-db.com/exploits/43881/
- https://www.exploit-db.com/exploits/44176/